Currently we unconditionally roll back transactions after error,
even if a commit has already been attempted. Commit is guaranteed
to end a transaction, though, whether by successfully committing
or by rolling back if that fails. As such, we attempt a double
rollback if a transaction fails at commit (for example, for a
constraint violation), which doesn't error but does log angry
warning messages. Ensure we don't try rolling back after commit
runs to prevent this.
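The double-rollback shape this message describes, and the guard that prevents it, as an added example that is not libpod's code. It models database/sql's contract (Commit and Rollback both end the transaction; any later call fails with sql.ErrTxDone) behind a small Tx interface so it runs without a driver; FakeTx, NaiveRunInTx and RunInTx are this example's own names.

```go
package main

import (
	"errors"
	"fmt"
)

// Tx is the subset of database/sql's *sql.Tx that this example needs. An
// interface lets the example run without a driver; a real *sql.Tx satisfies it.
type Tx interface {
	Commit() error
	Rollback() error
}

// ErrTxDone mirrors sql.ErrTxDone: Commit and Rollback both end the
// transaction, and any later call on it fails with this error.
var ErrTxDone = errors.New("transaction has already been committed or rolled back")

// NaiveRunInTx is the shape the commit message describes: roll back whenever
// anything failed, including when Commit itself failed. On a commit failure
// the transaction is already over, so the second rollback hits ErrTxDone.
func NaiveRunInTx(tx Tx, fn func(Tx) error) error {
	err := fn(tx)
	if err == nil {
		err = tx.Commit()
	}
	if err != nil {
		if rbErr := tx.Rollback(); rbErr != nil {
			return fmt.Errorf("%v; rollback also failed: %w", err, rbErr)
		}
	}
	return err
}

// RunInTx guarantees exactly one of Commit or Rollback ends the transaction:
// fn failing rolls back; fn succeeding commits, and a failed Commit (say a
// constraint violation surfacing at COMMIT time) is returned as-is with no
// rollback attempted afterwards.
func RunInTx(tx Tx, fn func(Tx) error) (err error) {
	committed := false
	defer func() {
		if committed {
			return // Commit ran, so the transaction is over either way
		}
		if rbErr := tx.Rollback(); rbErr != nil && err != nil {
			err = fmt.Errorf("%w; rollback also failed: %v", err, rbErr)
		}
	}()
	if err = fn(tx); err != nil {
		return err
	}
	committed = true // set before calling Commit, not after it succeeds
	return tx.Commit()
}

// FakeTx is a constructed stand-in for *sql.Tx that counts calls and can be
// told to fail at Commit. Like *sql.Tx it refuses any call once ended.
type FakeTx struct {
	CommitErr          error
	Commits, Rollbacks int
	done               bool
}

func (f *FakeTx) Commit() error {
	if f.done {
		return ErrTxDone
	}
	f.done, f.Commits = true, f.Commits+1
	return f.CommitErr
}

func (f *FakeTx) Rollback() error {
	if f.done {
		return ErrTxDone
	}
	f.done, f.Rollbacks = true, f.Rollbacks+1
	return nil
}

func main() {
	constraintErr := errors.New("UNIQUE constraint failed: containers.name")
	naive := &FakeTx{CommitErr: constraintErr}
	fmt.Println("naive:", NaiveRunInTx(naive, func(Tx) error { return nil }))
	fixed := &FakeTx{CommitErr: constraintErr}
	fmt.Println("fixed:", RunInTx(fixed, func(Tx) error { return nil }))
	fmt.Printf("fixed rollbacks after failed commit: %d\n", fixed.Rollbacks)
}
```

The point of setting committed before calling Commit rather than after it returns is that Commit ends the transaction on failure too; marking it afterwards would leave the deferred rollback firing on exactly the path the message complains about.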
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #327
Approved by: rhatdan
Now, we don't need to use the global ID registry to iterate - we
can iterate only through containers or only through pods, without
having to iterate through both.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #184
Approved by: baude
This solves some dependency problems in the state, and makes
sense from a design standpoint.
Containers not in a pod can still depend on the namespaces of
containers joined to a pod, which we might also want to change in
the future.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #184
Approved by: baude
This allows us to JSON it and stuff it in the DB - previously,
all pod fields were private, so JSON couldn't encode them. This
allows us to keep all pod fields private by having a substruct
with public fields.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #184
Approved by: baude
Changing these fields caused the output of podman inspect to more
closely match docker inspect.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #306
Approved by: mheon
Rename finished_amd64 to finished64.go to more accurately reflect
that it covers all 64bit arches.
Also, bumped the EPOCH for gitvalidation to speed up validations.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #318
Approved by: mheon
This ensures that there is only one canonical place where
containers in a pod are stored, in the state itself.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #268
Approved by: rhatdan
In order to have sd_notify from systemd to work in containers
we need to pass down the NOTIFY_SOCKET environment variable to
the container.
LISTEN_FDS tells the application inside of the container to use
socket activation and grab the FDs that are leaked into the container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #271
Approved by: umohnani8
Migrate create and commit bats tests to the ginkgo
test suite. In doing so, some structures had to be
moved to pkg/podmanstructs/podmanstructs.go so we
could do better verification of test results.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #286
Approved by: rhatdan
To account for more path possibilities, we now iterate
a string array of possible paths to try and find paths
to runc and conmon.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #278
Approved by: baude
Migrate ps, pull, push, and rm from bats to ginkgo.
Also, fixed a conditional issue with adding ports
when an image defines the port and the user wants
to override it.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #277
Approved by: baude
Ubuntu installs runc to /usr/sbin/runc so we now account
for that. Also, added small check when creating a new
runtime that if we cannot find the runc binary, we bail
out.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #276
Approved by: baude
The container's hostname should be set as an environment
variable for the container.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #273
Approved by: baude
Normal Stop should not need a timeout, and should use the default.
Add a function that does accept a timeout alongside it.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Closes: #272
Approved by: rhatdan
QE found issues with formatting the go template and
the man page was lacking information.
Changed the format of the output to match latest docker.
Add shortID function that returns the truncated ID
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #258
Approved by: rhatdan
When trying to resolve a user-provided string that describes
an image (ID, fq name, shortname, tagged), there were some
inefficiencies where we looked up images multiple times to derive
information about local images.
Signed-off-by: baude <bbaude@redhat.com>
Matt Heon and I found that a defer statement was costing podman
run dearly. We don't think the defer function was working (nor
needed) and was timing out as well. Removing this defer statement
decreased podman runtime by 1.5s or more.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #253
Approved by: baude
QE pointed out a few things missing/wrong with ps.
This PR addresses those issues.
Added functionality for getting mounts and size also
Fixed a few issues with the --filter params, for
example filter with partial information.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #250
Approved by: rhatdan
When an image has a port to expose, we need to expose it. The user's input overrides the
image's port information.
Also, enable port information in ps so we can see which random port is assigned.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #249
Approved by: rhatdan
Adds the ability to override the container's hostname. Also, uses
the first twelve characters of the container ID as the default hostname
if none is provided.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #248
Approved by: baude
Set up networking ports for the following use cases:
* bind the same port between host and container
* bind a specific host port to a different container port
* bind a random host port to a specific container port
Signed-off-by: baude <bbaude@redhat.com>
Closes: #214
Approved by: baude
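The three port forms listed above, plus the override rule from the earlier message about image-exposed ports (user input wins over the image's EXPOSE list), as an added example that is not libpod's code. PortMapping, ParsePortSpec and MergeExposedPorts are this example's own names; a HostPort of 0 stands for "random host port" and is left for the network layer to fill, and the parser handles IPv4 host addresses only.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// PortMapping is this example's own type, not libpod's.
type PortMapping struct {
	HostIP        string // empty means every host interface
	HostPort      int    // 0 means "pick a random free host port"
	ContainerPort int
	Protocol      string // "tcp" or "udp"
}

func (pm PortMapping) key() string { return fmt.Sprintf("%d/%s", pm.ContainerPort, pm.Protocol) }

// ParsePortSpec accepts the three forms from the commit message, each with an
// optional "/tcp" or "/udp" suffix (tcp by default): "80" (random host port to
// container port 80), "8080:80" (host 8080 to container 80) and
// "127.0.0.1:8080:80" (the same, bound to one host IPv4 address). Binding the
// same port on both sides is simply "80:80".
func ParsePortSpec(spec string) (PortMapping, error) {
	pm := PortMapping{Protocol: "tcp"}
	if i := strings.LastIndex(spec, "/"); i >= 0 {
		pm.Protocol, spec = strings.ToLower(spec[i+1:]), spec[:i]
		if pm.Protocol != "tcp" && pm.Protocol != "udp" {
			return pm, fmt.Errorf("unsupported protocol %q", pm.Protocol)
		}
	}
	var hostPort, ctrPort string
	switch parts := strings.Split(spec, ":"); len(parts) {
	case 1:
		ctrPort = parts[0]
	case 2:
		hostPort, ctrPort = parts[0], parts[1]
	case 3: // IPv4 only; a bare IPv6 literal would split on its own colons
		if ip := net.ParseIP(parts[0]); ip == nil || ip.To4() == nil {
			return pm, fmt.Errorf("invalid host IPv4 address %q", parts[0])
		}
		pm.HostIP, hostPort, ctrPort = parts[0], parts[1], parts[2]
	default:
		return pm, fmt.Errorf("invalid port spec %q", spec)
	}
	var err error
	if pm.ContainerPort, err = parsePort(ctrPort); err != nil {
		return pm, err
	}
	if hostPort != "" {
		if pm.HostPort, err = parsePort(hostPort); err != nil {
			return pm, err
		}
	}
	return pm, nil
}

func parsePort(s string) (int, error) {
	p, err := strconv.Atoi(s)
	if err != nil || p < 1 || p > 65535 {
		return 0, fmt.Errorf("invalid port %q", s)
	}
	return p, nil
}

// MergeExposedPorts applies the override rule: every port the image exposes
// (OCI image config keys such as "80/tcp") gets a random host port unless the
// user already mapped that container port/protocol, in which case the user's
// mapping wins and the image's entry is dropped.
func MergeExposedPorts(user []PortMapping, exposed []string) ([]PortMapping, error) {
	out := append([]PortMapping(nil), user...)
	seen := make(map[string]bool, len(user))
	for _, pm := range user {
		seen[pm.key()] = true
	}
	for _, e := range exposed {
		pm, err := ParsePortSpec(e) // "80/tcp" parses as container port 80, host port 0
		if err != nil {
			return nil, fmt.Errorf("image exposed port %q: %w", e, err)
		}
		if !seen[pm.key()] {
			out, seen[pm.key()] = append(out, pm), true
		}
	}
	return out, nil
}

func main() {
	user, _ := ParsePortSpec("8443:443")
	merged, err := MergeExposedPorts([]PortMapping{user}, []string{"443/tcp", "80/tcp", "53/udp"})
	fmt.Println(merged, err)
}
```

Keying the override on port and protocol together matters: a user mapping for 53/tcp must not suppress an image's 53/udp.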
Fix errors when containers are not running.
--all, --latest, and containers cannot be used at the same time.
Should match the output of docker stats, 0 values replaced by "--"
Should return stats right away if container is not running.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #244
Approved by: TomSweeneyRedHat
Each of these options is destructive in nature, meaning if the user
adds one of them, all current ones are removed from the produced
resolv.conf.
* dns-server allows the user to specify dns servers.
* dns-opt allows the user to specify special resolv.conf options
* dns-search allows the user to specify search domains
The add-host option is not destructive and truly just adds the host
to /etc/hosts.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #231
Approved by: mheon
Weighing in at ~1700 lines, container.go is just too big. Split
it into three files: core structs and accessors (container.go),
public API (container_api.go), and internal functions
(container_internal.go).
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
If user does not specify seccomp file or seccomp file does not exist,
then use the default seccomp settings.
Still need to not hard code /etc/crio/seccomp.json, should move this to
/usr/share/seccomp/seccomp.json
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #233
Approved by: baude
Add new functions to update pods and add/remove containers from them
Use these new functions in place of manually modifying pods
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #229
Approved by: rhatdan
This won't matter during batched operations, but if the container
leaks outside of the Batch() function it will segfault if asked
to do any operation that locks unless this is applied
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #226
Approved by: rhatdan
Also prevent containers with dependencies from being removed from
in memory states. SQLite already enforced this via FOREIGN KEY
constraints.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #220
Approved by: rhatdan
Remove existing code for sharing namespaces and replace with use
of this API
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #220
Approved by: rhatdan
If we start a container and it does not error, we can assume the
container is now running. Subsequent API calls will sync for us
to see if it died, so we can just set ContainerStateRunning
instead of launching the runtime to explicitly get state.
The same logic applies to pause and unpause.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #223
Approved by: rhatdan
Also moves port mappings out of the SQL DB and into a file on
disk. These could get very sizable (hundred to thousands of
ports) so moving them out to a file will keep the DB small and
fast.
Finally, add a foreign key reference from container ID to
container state ID. This ensures we never get into an
inconsistent state where we have data in one table but not the
other.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #225
Approved by: baude
Disabling locking/syncing in a batched operation not yet implemented
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #222
Approved by: rhatdan
It is desirable to have a --latest switch on the podman wait
command so we can wait on the latest container created to end.
Also, fixes a panic with latest where no containers are available.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #201
Approved by: baude
This can now be handled by CNI plugins, so let them manage ports
instead.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #189
Approved by: mheon
With certain short name usages, rmi still was unable to delete
certain images. This was also reflected in several commit tests
that were temporarily disabled.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #200
Approved by: rhatdan
It is desirable to have a shortcut for the most
recently created container. We can now use "--latest"
to represent the most recent container instead of its
container ID or name. For example:
Signed-off-by: baude <bbaude@redhat.com>
Closes: #179
Approved by: baude
Removing by shortname was not working. Also pruned
container storage's remove func from rmi and moved it into
an image.Remove func, which consolidates our usage of cs.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #188
Approved by: baude
While pulling by shortname (fedora-minimal) worked, running a container
by the short name did not due to a logic error.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #182
Approved by: rhatdan
This should help with performance when executing many operations
on a single container
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #185
Approved by: rhatdan
We don't want libkpod overrides for conmon's path to misdirect
the already set path for conmon from libpod.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #181
Approved by: baude
We should be pulling information out of the image to set the
defaults to use when setting up the container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #110
Approved by: mheon
In cases like Ubuntu, where systemd resolve is used
for DNS, do not copy /etc/resolv.conf but instead
the resolv.conf in the systemd resolve /run dir.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #177
Approved by: rhatdan
podman run/create have the ability to set the stop timeout flag.
We need to store it in the database.
Also, allowing negative time for stop timeout makes no sense, so switching
to a timeout of uint, which allows users to specify huge timeout values.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #158
Approved by: TomSweeneyRedHat
podman commit allows the user to commit containers
as images with options of tagging the image, setting
a commit message, setting the author, and making
changes to the instructions.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #143
Approved by: rhatdan
Stop Signal from kpod create/run was not fully plumbed in.
This will pass the stopsignal into the container database on
create and run of containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #156
Approved by: mheon
Also add --quiet option to kpod create/run since
this will help with writing tests.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #140
Approved by: TomSweeneyRedHat
User can select from 3 manifest types: oci, v2s1, or v2s2
e.g. kpod push --format v2s2 alpine dir:my-directory
Added "compress" flag to enable compression when true
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #126
Approved by: rhatdan
Given that we don't have a good way of cleaning up locks, these
could potentially cause issues if we ever reuse a container or pod
ID
Also changes locks dir to use tmpfs, as we can't directly clean
up locks
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #138
Approved by: rhatdan
Also includes misc other fixes - adding labels, fixing pod names
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #138
Approved by: rhatdan
For DNS to work properly, we need to copy the host's /etc/resolv.conf
into the container during Init(). We do this by copying it into the
container's rundir and then bind mounting it into the container.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #130
Approved by: baude
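The resolv.conf handling described across three of these messages (the destructive --dns-server/--dns-opt/--dns-search semantics, picking the systemd-resolved upstream file instead of the stub on hosts like Ubuntu, and copying the result into the container's run dir for a bind mount), as one added example that is not libpod's code. DNSOptions, ParseResolvConf, HostResolvConfPath, Render, Mount and PrepareResolvConf are this example's own names; the stub address 127.0.0.53 and the path /run/systemd/resolve/resolv.conf are systemd-resolved's documented ones. The additive --add-host case is not shown. Note that Render drops comments and directives it does not know, which is the price of regenerating the file rather than patching it.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// DNSOptions carries the three destructive flags from the commit message.
// Field names are this example's own; the semantics are the message's.
type DNSOptions struct {
	Servers []string // --dns-server: replaces every host nameserver when set
	Search  []string // --dns-search: replaces every search domain when set
	Options []string // --dns-opt: replaces every resolver option when set
}

// ResolvConf holds the directives we know how to regenerate; anything else
// in the host file (comments, unknown keywords) is dropped.
type ResolvConf struct {
	Nameservers, Search, Options []string
}

func ParseResolvConf(content string) ResolvConf {
	var rc ResolvConf
	for _, line := range strings.Split(content, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || strings.HasPrefix(fields[0], "#") || strings.HasPrefix(fields[0], ";") {
			continue
		}
		switch fields[0] {
		case "nameserver":
			rc.Nameservers = append(rc.Nameservers, fields[1])
		case "search", "domain": // "domain" is the older single-entry spelling
			rc.Search = append(rc.Search, fields[1:]...)
		case "options":
			rc.Options = append(rc.Options, fields[1:]...)
		}
	}
	return rc
}

// HostResolvConfPath picks which host file to copy. systemd-resolved installs
// a stub /etc/resolv.conf whose nameserver is 127.0.0.53, a loopback address
// that does not exist inside a container with its own network namespace, so
// the upstream list it keeps under /run/systemd/resolve is used when present.
func HostResolvConfPath(etcResolv, systemdResolv string) string {
	data, err := os.ReadFile(etcResolv)
	if err != nil {
		return etcResolv
	}
	for _, ns := range ParseResolvConf(string(data)).Nameservers {
		if ns == "127.0.0.53" {
			if _, err := os.Stat(systemdResolv); err == nil {
				return systemdResolv
			}
		}
	}
	return etcResolv
}

// Render applies the destructive rule: a non-empty override replaces the
// whole category; otherwise the host's entries are kept as they were.
func Render(host ResolvConf, o DNSOptions) string {
	pick := func(override, fromHost []string) []string {
		if len(override) > 0 {
			return override
		}
		return fromHost
	}
	ns, search, opts := pick(o.Servers, host.Nameservers), pick(o.Search, host.Search), pick(o.Options, host.Options)
	var b strings.Builder
	for _, n := range ns {
		fmt.Fprintf(&b, "nameserver %s\n", n)
	}
	if len(search) > 0 {
		fmt.Fprintf(&b, "search %s\n", strings.Join(search, " "))
	}
	if len(opts) > 0 {
		fmt.Fprintf(&b, "options %s\n", strings.Join(opts, " "))
	}
	return b.String()
}

// Mount is a minimal stand-in for an OCI runtime-spec mount entry.
type Mount struct {
	Destination, Type, Source string
	Options                   []string
}

// PrepareResolvConf writes the rendered file into the container's run
// directory and returns the bind mount that places it at /etc/resolv.conf.
func PrepareResolvConf(hostPath, runDir string, o DNSOptions) (Mount, error) {
	data, err := os.ReadFile(hostPath)
	if err != nil {
		return Mount{}, err
	}
	dst := filepath.Join(runDir, "resolv.conf")
	if err := os.WriteFile(dst, []byte(Render(ParseResolvConf(string(data)), o)), 0o644); err != nil {
		return Mount{}, err
	}
	return Mount{Destination: "/etc/resolv.conf", Type: "bind", Source: dst, Options: []string{"bind"}}, nil
}

func main() {
	host := ParseResolvConf("# constructed host file\nnameserver 192.0.2.1\nsearch example.test\n")
	fmt.Print(Render(host, DNSOptions{Servers: []string{"10.0.0.2"}, Options: []string{"ndots:2"}}))
}
```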
kpod inspect now uses the new libpod container state
and closely matches the output of docker inspect.
Some aspects of it are still WIP as the libpod container state
is still being worked on.
Signed-off-by: umohnani8 <umohnani@redhat.com>
When loading an image, kpod load would print something like
"Trying to pull docker.io/library/alpine...", which is misleading
and makes it sound like it's pulling it from the registry.
Fixed this by removing these print statements for kpod load.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Initial wiring of kpod exec. We won't support the following options
for exec:
* detach -- unsure of use case
* detach-keys -- not supported by runc
* interactive -- all terminals will be interactive
Not adding exec tests as we need to think about how to support a
test that requires console access but our CI tests have no console.
Signed-off-by: baude <bbaude@redhat.com>
Create an artifacts directory in the container's
static directory to store container information
coming from outside of libpod in specified files.
An example is to hold data from user specified flags
in kpod run/create such as --cap-add, --ipcMode, etc...
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #108
Approved by: mheon
There are still two places that don't use the new function,
export and mount, but both can probably be converted to it
in the future.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #99
Approved by: rhatdan
Allow kpod create/run to create containers in different network namespaces, uts namespaces and
IPC Namespaces.
This patch just handles the simple join the host, or another container's namespaces.
Lots more work is needed to fully integrate --net
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #64
Approved by: mheon
This ensures we don't open a DB with an earlier schema or a
config that differs from ours
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #86
Approved by: rhatdan
Also migrates kpod kill and kpod stop to libpod to use the new code
Fixes force removing containers, and actually deletes containers in runc when
removing them
Start is now capable of starting even when the container is unmounted
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #68
Approved by: rhatdan
As reported in Issue #50, we need to be able to run
or create a container based on an image ID (as well
as name).
Signed-off-by: baude <bbaude@redhat.com>
Closes: #76
Approved by: rhatdan
The new state for containers has been added
moved kpod mount and umount over to use it
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Closes: #57
Approved by: rhatdan
Wire this in to all state-bound container operations to ensure
synchronization of container state.
Also exposes PID of running containers via API.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #56
Approved by: rhatdan
The PR contains several enhancements to our CI testing.
- enable lint testing on Fedora
- add Centos Atomic as test platform
- integration tests are run on the OS natively (uncontainerized)
- builds are done in containers
- inclusion of Vagrant file for local testing
Signed-off-by: baude <bbaude@redhat.com>
Closes: #18
Approved by: mheon
Re-order the startup of a new container via run from
initialize > start > attach to initialize > attach > start.
This fixes output when running:
kpod run -i -t IMAGE command
and
kpod run IMAGE command
Signed-off-by: baude <bbaude@redhat.com>
Fixed the logic where we observed different performance
results when running an image by its fqname vs a shortname. In
the case of the latter, we resolve the name without using the
network.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #37
Approved by: rhatdan
When setting the `kpod load -q` flag, output was still going to the
screen. This patch adds a check to not output to the terminal unless
there is an io.Writer specified, and then to write to the io.Writer.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #23
Approved by: rhatdan
This should turn on handling of SELinux, NoNewPrivs, seccomp and Apparmor
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #15
Approved by: rhatdan