Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Vendors in fsouza/docker-client, docker/docker and
a few more related. Of particular note, changes to the TweakCapabilities()
function from docker/docker along with the parse.IDMappingOptions() function
from Buildah. Please pay particular attention to the related changes in
the call from libpod to those functions during the review.
Passes baseline tests.
integration of healthcheck into create and run as well as inspect.
healthcheck enhancements are as follows:
* add the following options to create|run so that non-docker images can
define healthchecks at the container level.
* --healthcheck-command
* --healthcheck-retries
* --healthcheck-interval
* --healthcheck-start-period
* podman create|run --healthcheck-command=none disables healthcheck as
described by an image.
* the healthcheck itself and the healthcheck "history" can now be
observed in podman inspect
* added the wiring for healthcheck history which logs the health history
of the container, the current failed streak attempts, and log entries
for the last five attempts which themselves have start and stop times,
result, and a 500 character truncated (if needed) log of stderr/stdout.
The timings themselves are not implemented in this PR but will be in
future enablement (i.e. next).
Signed-off-by: baude <bbaude@redhat.com>
Currently if you turn on --net=host on a rootless container
and have selinux-policy installed in the image, tools running with
SELinux will see that the system is SELinux enabled in rootless mode.
This patch mounts a tmpfs over /sys/fs/selinux blocking this behaviour.
This patch also fixes the fact that if you shared --pid=host we were not
masking over certin /proc paths.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add the ability to manually run a container's healthcheck command.
This is only the first phase of implementing the healthcheck.
Subsequent pull requests will deal with the exposing the results and
history of healthchecks as well as the scheduling.
Signed-off-by: baude <bbaude@redhat.com>
If user specifies network namespace and the /etc/netns/XXX/resolv.conf
exists, we should use this rather then /etc/resolv.conf
Also fail cleaner if the user specifies an invalid Network Namespace.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
iFix builtin volumes to work with podman volume
Currently builtin volumes are not recored in podman volumes when
they are created automatically. This patch fixes this.
Remove container volumes when requested
Currently the --volume option on podman remove does nothing.
This will implement the changes needed to remove the volumes
if the user requests it.
When removing a volume make sure that no container uses the volume.
Signed-off-by: Daniel J Walsh dwalsh@redhat.com
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
At present, when manually detaching from an attached container
(using the detach hotkeys, default C-p C-q), Podman will still
wait for the container to exit to obtain its exit code (so we can
set Podman's exit code to match). This is correct in the case
where attach finished because the container exited, but very
wrong for the manual detach case.
As a result of this, we can no longer guarantee that the cleanup
and --rm functions will fire at the end of 'podman run' - we may
be exiting before we get that far. Cleanup is easy enough - we
swap to unconditionally using the cleanup processes we've used
for detached and rootless containers all along. To duplicate --rm
we need to also teach 'podman cleanup' to optionally remove
containers instead of cleaning them up.
(There is an argument for just using 'podman rm' instead of
'podman cleanup --rm', but cleanup does have different semantics
given that we only ever expect it to run when the container has
just exited. I think it might be useful to keep the two separate
for things like 'podman events'...)
Signed-off-by: Matthew Heon <mheon@redhat.com>
when running in rootless mode we were unconditionally overriding
/dev/pts to take ride of gid=5. This is not needed when multiple gids
are present in the namespace, which is always the case except when
running the tests suite with only one mapping. So change it to check
how many gids are present before overriding the default mount.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
When using --pid=host don't try to cover /proc paths, as they are
coming from the /proc bind mounted from the host.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
when defining containers, we missed the conditional logic to allow
the container to be defined with "WithPod" and so forth. I had to
slightly modify the createcontainer process to pass a libpod.Pod
that could override things; use nil as no pod.
Signed-off-by: baude <bbaude@redhat.com>
the rootless container storage is always mounted in a different mount
namespace, owned by the unprivileged user. Even if it is mounted, a
process running in another namespace cannot reuse the already mounted
storage.
Make sure the storage is always cleaned up once the container
terminates.
This has worked with vfs since there is no real mounted storage.
Closes: https://github.com/containers/libpod/issues/2112
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Apply the default AppArmor profile at container initialization to cover
all possible code paths (i.e., podman-{start,run}) before executing the
runtime. This allows moving most of the logic into pkg/apparmor.
Also make the loading and application of the default AppArmor profile
versio-indepenent by checking for the `libpod-default-` prefix and
over-writing the profile in the run-time spec if needed.
The intitial run-time spec of the container differs a bit from the
applied one when having started the container, which results in
displaying a potentially outdated AppArmor profile when inspecting
a container. To fix that, load the container config from the file
system if present and use it to display the data.
Fixes: #2107
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Updating the vendor or runc to pull in some fixes that we need.
In order to get this vendor to work, we needed to update the vendor
of docker/docker, which causes all sorts of issues, just to fix
the docker/pkg/sysinfo. Rather then doing this, I pulled in pkg/sysinfo
into libpod and fixed the code locally.
I then switched the use of docker/pkg/sysinfo to libpod/pkg/sysinfo.
I also switched out the docker/pkg/mount to containers/storage/pkg/mount
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add support for executing an init binary as PID 1 in a container to
forward signals and reap processes. When the `--init` flag is set for
podman-create or podman-run, the init binary is bind-mounted to
`/dev/init` in the container and "/dev/init --" is prepended to the
container's command.
The default base path of the container-init binary is `/usr/libexec/podman`
while the default binary is catatonit [1]. This default can be changed
permanently via the `init_path` field in the `libpod.conf` configuration
file (which is recommended for packaging) or temporarily via the
`--init-path` flag of podman-create and podman-run.
[1] https://github.com/openSUSE/catatonitFixes: #1670
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We had two problems with /dev/shm, first, you mount the
container read/only then /dev/shm was mounted read/only.
This is a bug a tmpfs directory should be read/write within
a read-only container.
The second problem is we were ignoring users mounted /dev/shm
from the host.
If user specified
podman run -d -v /dev/shm:/dev/shm ...
We were dropping this mount and still using the internal mount.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Podman will search through the directory and will add any device
nodes that it finds. If no devices are found we return an error.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
when a user specifies --pod to podman create|run, we should create that pod
automatically. the port bindings from the container are then inherited by
the infra container. this signicantly improves the workflow of running
containers inside pods with podman. the user is still encouraged to use
podman pod create to have more granular control of the pod create options.
Signed-off-by: baude <bbaude@redhat.com>
we need to allow users to expose ports to the host for the purposes
of networking, like a webserver. the port exposure must be done at
the time the pod is created.
strictly speaking, the port exposure occurs on the infra container.
Signed-off-by: baude <bbaude@redhat.com>
We are still requiring oci-systemd-hook to be installed in order to run
systemd within a container. This patch properly mounts
/sys/fs/cgroup/systemd/libpod_parent/libpod-UUID on /sys/fs/cgroup/systemd inside of container.
Since we need the UUID of the container, we needed to move Systemd to be a config option of the
container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
As of now, there is no way to debug podman clean up processes.
They are started by conmon with no stdout/stderr and log nowhere.
This allows us to actually figure out what is going on when a
cleanup process runs.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Add the --ip flag back with bash completions. Manpages still
missing.
Add plumbing to pass appropriate the appropriate option down to
libpod to connect the flag to backend logic added in the previous
commits.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Also update some missing fields libpod.conf obtions in man pages.
Fix sort order of security options and add a note about disabling
labeling.
When a process requests a new label. libpod needs to reserve all
labels to make sure that their are no conflicts.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1406
Approved by: mheon
Firstly, when adding the privileged catch-all resource device,
first remove the spec's default catch-all resource device.
Second, remove our default rootfs propogation config - Docker
does not set this by default, so I don't think we should either.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1491
Approved by: TomSweeneyRedHat
This matches Docker behavior more closely and should resolve an
issue we were seeing with /sys mounts
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1465
Approved by: rhatdan
This is an incomplete fix, as it would be best for the libpod library to be in charge of coordinating the container's dependencies on the infra container. A TODO was left as such. UTS is a special case, because the docker library that namespace handling is based off of doesn't recognize a UTS based on another container as valid, despite the library being able to handle it correctly. Thus, it is left in the old way.
Signed-off-by: haircommander <pehunt@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1347
Approved by: mheon
