Fix an error message, and always set Privileged if the container
is also privileged.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #412
Approved by: baude
Currently, we will error if the DB is configured with the default
containers/storage config, and then opened by a libpod which has
explicitly set the defaults. This is due to us using an empty
config by default (to tell c/storage to use its defaults).
This patch changes our handling so that unset storage config
(using the default) and explicitly setting the defaults are both
compatible.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #423
Approved by: baude
Add registries and insecure registries to the podman info output. This gives us
some compatibility with other container runtimes.
Resolves issue #420
Signed-off-by: baude <bbaude@redhat.com>
Closes: #422
Approved by: mheon
Add networking information to podman stats output. Also correct an issue filed
where memory constraints of the cgroup were not reflected in the stats output. And
finally, fix issue with PID count.
Resolves issue #364
Signed-off-by: baude <bbaude@redhat.com>
Closes: #417
Approved by: mheon
Also consider "/usr/lib/cni" as a potential directory for CNI plugins.
On some distributions, e.g., on openSUSE, %{_libexecdir} evaluates to
"/usr/lib".
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #416
Approved by: mheon
Due to the way ps arguments work, it was possible to display pids
that don't belong to the container in top output. We now filter pids
that don't belong to the container out of the output. This also means
the pid column must be present in the output or we throw an error.
This resolves issue #391
Signed-off-by: baude <bbaude@redhat.com>
Closes: #400
Approved by: rhatdan
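The PID filtering this commit describes, as an added example in Go (not the project's own code): it parses a constructed ps(1) listing that carries a PID column, keeps only the rows whose PID appears in the container's cgroup.procs set, and refuses a listing with no PID column, since without it host processes cannot be told apart from container processes. The cgroup contents and the ps output are constructed sample data; the function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// cgroupPIDs parses the contents of a cgroup.procs file (one PID per line)
// into a set. The caller reads the file; here the content is a constructed sample.
func cgroupPIDs(content string) (map[int]bool, error) {
	pids := make(map[int]bool)
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		pid, err := strconv.Atoi(line)
		if err != nil {
			return nil, fmt.Errorf("bad pid %q in cgroup.procs: %w", line, err)
		}
		pids[pid] = true
	}
	return pids, sc.Err()
}

// filterTopOutput keeps the header line plus only those ps rows whose PID
// column names a process in containerPIDs. It errors if the header has no
// PID column: without it nothing can be filtered and host PIDs would leak.
func filterTopOutput(psOutput string, containerPIDs map[int]bool) (string, error) {
	lines := strings.Split(strings.TrimRight(psOutput, "\n"), "\n")
	if len(lines) == 0 || strings.TrimSpace(lines[0]) == "" {
		return "", fmt.Errorf("empty ps output")
	}
	header := strings.Fields(lines[0])
	pidIdx := -1
	for i, h := range header {
		if h == "PID" {
			pidIdx = i
			break
		}
	}
	if pidIdx < 0 {
		return "", fmt.Errorf("ps output has no PID column; add it to the ps format")
	}
	out := []string{lines[0]}
	for _, line := range lines[1:] {
		fields := strings.Fields(line)
		// A command column may contain spaces, so a row can have more fields
		// than the header, never fewer; the PID column sits left of it.
		if len(fields) < len(header) {
			continue
		}
		pid, err := strconv.Atoi(fields[pidIdx])
		if err != nil {
			return "", fmt.Errorf("row %q: PID column is not numeric: %w", line, err)
		}
		if containerPIDs[pid] {
			out = append(out, line)
		}
	}
	return strings.Join(out, "\n") + "\n", nil
}

func main() {
	// Constructed sample data, not captured from a real system.
	procs := "1\n17\n"
	ps := "USER  PID %CPU COMMAND\n" +
		"root    1  0.0 nginx: master process\n" +
		"nginx  17  0.0 nginx: worker process\n" +
		"root 2231  0.1 sshd: /usr/sbin/sshd -D\n"
	pids, err := cgroupPIDs(procs)
	if err != nil {
		panic(err)
	}
	filtered, err := filterTopOutput(ps, pids)
	if err != nil {
		panic(err)
	}
	fmt.Print(filtered)
}
```

The row for PID 2231 (a host sshd in the sample) is dropped; with the PID column missing from the ps format the call fails instead of silently printing everything.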
When performing a podman load, if there were no repotags in the image, podman would panic. In
the case that the incoming image does have repotags, it should be imported as a none:none image
so it can still be used by the user.
Resolves issue #403
Signed-off-by: baude <bbaude@redhat.com>
Closes: #405
Approved by: baude
The packages in Lokesh's ppa that is currently used for podman put the
conmon and runc binaries in /usr/lib/crio/bin/conmon and /usr/lib/cri-o-runc/sbin/runc
respectively.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #406
Approved by: baude
Podman should not override users' mounts with default mounts
for /etc/hostname, /etc/resolv.conf, and /etc/hosts.
Resolves issue #388
Signed-off-by: baude <bbaude@redhat.com>
Closes: #401
Approved by: mheon
When creating container storage by name, if that name is a tagged image then the storage
could not be found. We now use the image id which seems more reliable. Also added an
integration test to protect against regression.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #393
Approved by: mheon
--image-volumes tells podman what to do with the image volumes in the image config
There are 3 options: bind, tmpfs, and ignore
bind puts the volume contents in /var/lib/containers/storage/container-id/volumes/vol-dir
and bind mounts it into the container at /vol-dir
tmpfs mounts /vol-dir as a tmpfs into the container
ignore doesn't mount the image volumes onto the container
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #377
Approved by: rhatdan
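The three --image-volumes modes as an added Go example (not the project's code): it turns the VOLUME entries of an image config into mount entries shaped like the OCI runtime spec, backing them with a per-container volumes directory for bind, a fresh tmpfs for tmpfs, and nothing for ignore. Because the image config is untrusted input, it also rejects volume paths that are not absolute and clean, so a crafted "../" entry cannot point the bind source outside the volumes directory. The Mount type, the mount options and the container directory are this example's assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// Mount mirrors the OCI runtime-spec mount fields that matter here.
type Mount struct {
	Destination string
	Type        string
	Source      string
	Options     []string
}

// imageVolumeMounts maps the keys of an image config's Volumes map to mounts:
// "bind" backs each volume with <containerDir>/volumes/<vol>, "tmpfs" mounts a
// fresh tmpfs, "ignore" yields nothing. Mount options are this example's choice.
func imageVolumeMounts(mode string, volumes map[string]struct{}, containerDir string) ([]Mount, error) {
	if mode != "bind" && mode != "tmpfs" && mode != "ignore" {
		return nil, fmt.Errorf("unknown --image-volumes mode %q (want bind, tmpfs or ignore)", mode)
	}
	if mode == "ignore" {
		return nil, nil
	}
	// Sort for deterministic output; map iteration order is random.
	dests := make([]string, 0, len(volumes))
	for v := range volumes {
		dests = append(dests, v)
	}
	sort.Strings(dests)

	volRoot := filepath.Join(containerDir, "volumes")
	mounts := make([]Mount, 0, len(dests))
	for _, dest := range dests {
		// Untrusted input: only absolute, already-clean paths are accepted,
		// so ".." segments cannot relocate the bind source.
		if !filepath.IsAbs(dest) || filepath.Clean(dest) != dest {
			return nil, fmt.Errorf("refusing image volume %q: not an absolute clean path", dest)
		}
		switch mode {
		case "bind":
			src := filepath.Join(volRoot, strings.TrimPrefix(dest, "/"))
			if !strings.HasPrefix(src, volRoot+string(filepath.Separator)) {
				return nil, fmt.Errorf("image volume %q is not inside %s", dest, volRoot)
			}
			mounts = append(mounts, Mount{Destination: dest, Type: "bind", Source: src,
				Options: []string{"rbind", "rw"}})
		case "tmpfs":
			mounts = append(mounts, Mount{Destination: dest, Type: "tmpfs", Source: "tmpfs",
				Options: []string{"nosuid", "nodev", "rw"}})
		}
	}
	return mounts, nil
}

func main() {
	// Constructed image config volumes, as "VOLUME /data /var/cache" would yield.
	vols := map[string]struct{}{"/data": {}, "/var/cache": {}}
	for _, mode := range []string{"bind", "tmpfs", "ignore"} {
		ms, err := imageVolumeMounts(mode, vols, "/var/lib/containers/storage/0123abcd")
		fmt.Printf("%s: %+v err=%v\n", mode, ms, err)
	}
}
```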
Previous code was using slow routines to collect some of the information
needed to output images. Specifically size was being calculated instead
of using the cached, already known size already available. Also, straight-lined
several of the code paths. Overall assessment is that these
improvements cut the time for images in half.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #365
Approved by: mheon
Change logic for refreshing our state using runc to only poll
for conmon exit files when we first transition to the Stopped
state. After that, we should already have the exit code stored in
the database, so we don't need to look it up again.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #363
Approved by: TomSweeneyRedHat
Currently we unconditionally roll back transactions after error,
even if a commit has already been attempted. Commit is guaranteed
to end a transaction, though, whether by successfully committing
or by rolling back if that fails. As such, we attempt a double
rollback if a transaction fails at commit (for example, for a
constraint violation), which doesn't error but does log angry
warning messages. Ensure we don't try rolling back after commit
runs to prevent this.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #327
Approved by: rhatdan
Now, we don't need to use the global ID registry to iterate - we
can iterate only through containers or only through pods, without
having to iterate through both.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #184
Approved by: baude
This solves some dependency problems in the state, and makes
sense from a design standpoint.
Containers not in a pod can still depend on the namespaces of
containers joined to a pod, which we might also want to change in
the future.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #184
Approved by: baude
This allows us to JSON it and stuff it in the DB - previously,
all pod fields were private, so JSON couldn't encode them. This
allows us to keep all pod fields private by having a substruct
with public fields.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #184
Approved by: baude
Changing these fields caused the output of podman inspect to more
closely match docker inspect.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #306
Approved by: mheon
Rename finished_amd64 to finished64.go to more accurately reflect
that it covers all 64bit arches.
Also, bumped the EPOCH for gitvalidation to speed up validations.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #318
Approved by: mheon
This ensures that there is only one canonical place where
containers in a pod are stored, in the state itself.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #268
Approved by: rhatdan
In order to have sd_notify from systemd to work in containers
we need to pass down the NOTIFY_SOCKET environment variable to
the container.
LISTEN_FDS tells the application inside of the container to use
socket activation and grab the FDs that are leaked into the container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #271
Approved by: umohnani8
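Both halves of what this commit passes into the container, as an added Go example that is not the project's code: sdNotify sends a READY=1 datagram to the socket named by NOTIFY_SOCKET, and listenFDs implements the receiving side of socket activation, where the inherited descriptors start at fd 3 and are only ours if LISTEN_PID names our own process. The LISTEN_PID check is the part worth copying: a process that skips it can adopt sockets that were handed down for a different process. demoNotify plays the listener and the client in-process over a temporary socket so the exchange runs offline; the socket path and the environment map are this example's constructions.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// sdNotify sends one sd_notify(3) state string to the unix datagram socket
// named by NOTIFY_SOCKET. A leading "@" selects the abstract socket namespace.
func sdNotify(notifySocket, state string) error {
	if notifySocket == "" {
		return fmt.Errorf("NOTIFY_SOCKET is not set")
	}
	name := notifySocket
	if strings.HasPrefix(name, "@") {
		name = "\x00" + name[1:]
	}
	conn, err := net.DialUnix("unixgram", nil, &net.UnixAddr{Name: name, Net: "unixgram"})
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Write([]byte(state))
	return err
}

// listenFDs is the receiving side of socket activation: LISTEN_FDS descriptors
// are passed starting at fd 3 and LISTEN_PID names the intended recipient.
// Compare LISTEN_PID with our own pid before touching those fds, or we may
// adopt sockets that were meant for another process.
func listenFDs(env map[string]string, ownPID int) ([]int, error) {
	if env["LISTEN_FDS"] == "" {
		return nil, nil
	}
	pid, err := strconv.Atoi(env["LISTEN_PID"])
	if err != nil {
		return nil, fmt.Errorf("LISTEN_PID %q is not a pid: %w", env["LISTEN_PID"], err)
	}
	if pid != ownPID {
		return nil, fmt.Errorf("LISTEN_PID %d does not match our pid %d; fds are not ours", pid, ownPID)
	}
	n, err := strconv.Atoi(env["LISTEN_FDS"])
	if err != nil || n < 0 {
		return nil, fmt.Errorf("bad LISTEN_FDS %q", env["LISTEN_FDS"])
	}
	fds := make([]int, 0, n)
	for i := 0; i < n; i++ {
		fds = append(fds, 3+i) // SD_LISTEN_FDS_START is 3
	}
	return fds, nil
}

// demoNotify stands in for systemd with a listener on a temporary socket,
// sends READY=1 to it as a container process would via NOTIFY_SOCKET, and
// returns the message the listener received.
func demoNotify() (string, error) {
	dir, err := os.MkdirTemp("", "notify")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "notify.sock")
	srv, err := net.ListenUnixgram("unixgram", &net.UnixAddr{Name: path, Net: "unixgram"})
	if err != nil {
		return "", err
	}
	defer srv.Close()
	if err := sdNotify(path, "READY=1"); err != nil {
		return "", err
	}
	buf := make([]byte, 4096)
	n, _, err := srv.ReadFromUnix(buf)
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

func main() {
	msg, err := demoNotify()
	fmt.Printf("listener received %q (err=%v)\n", msg, err)
	// Constructed environment, as if set by the process that passed the fds down.
	env := map[string]string{"LISTEN_PID": strconv.Itoa(os.Getpid()), "LISTEN_FDS": "2"}
	fds, err := listenFDs(env, os.Getpid())
	fmt.Printf("inherited fds %v (err=%v)\n", fds, err)
}
```

A real receiver would also unset LISTEN_PID and LISTEN_FDS after adopting the descriptors so that child processes do not try to claim them again.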
Migrate create and commit bats tests to the ginkgo
test suite. In doing so, some structures had to be
moved to pkg/podmanstructs/podmanstructs.go so we
could do better verification of test results.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #286
Approved by: rhatdan
To account for more path possibilities, we now iterate
a string array of possible paths to try and find paths
to runc and conmon.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #278
Approved by: baude
Migrate ps, pull, push, and rm from bats to ginkgo.
Also, fixed a conditional issue with adding ports
when an image defines the port and the user wants
to override it.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #277
Approved by: baude
Ubuntu installs runc to /usr/sbin/runc so we now account
for that. Also, added small check when creating a new
runtime that if we cannot find the runc binary, we bail
out.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #276
Approved by: baude
The container's hostname should be set as an environment
variable for the container.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #273
Approved by: baude
Normal Stop should not need a timeout, and should use the default
Add a function that does accept a timeout aside it
Signed-off-by: Matthew Heon <mheon@redhat.com>
Closes: #272
Approved by: rhatdan
QE found issues with formatting the go template and
the man page was lacking information.
Changed the format of the output to match latest docker.
Add shortID function that returns the truncated ID
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #258
Approved by: rhatdan
When trying to determine whether a user-provided string describes
an image (ID, fq name, shortname, tagged), there were some
inefficiencies where we looked up images multiple times to derive
information about local images.
Signed-off-by: baude <bbaude@redhat.com>
Matt Heon and I found that a defer statement was costing podman
run dearly. We don't think the defer function was working (nor
needed) and was timing out as well. Removing this defer statement
decreased podman runtime by 1.5s or more.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #253
Approved by: baude
QE pointed out a few things missing/wrong with ps
This PR addresses those issues.
Added functionality for getting mounts and size also
Fixed a few issues with the --filter params, for
example filter with partial information.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #250
Approved by: rhatdan
When an image has a port to expose, we need to expose it. User's input overrides the
image's port information.
Also, enable port information in ps so we can see which random port is assigned.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #249
Approved by: rhatdan
Adds the ability to override the container's hostname. Also, uses
the first twelve characters of the container ID as the default hostname
if none is provided.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #248
Approved by: baude
Set up networking ports for the following use cases:
* bind the same port between host and container
* bind a specific host port to a different container port
* bind a random host port to a specific container port
Signed-off-by: baude <bbaude@redhat.com>
Closes: #214
Approved by: baude
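The three port-binding forms above, together with the earlier rule that an image's exposed ports are published unless the user's input overrides them, as one added Go example (not the project's code): parsePortSpec handles "80", "8080:80" and "127.0.0.1:8080:80" with an optional /tcp or /udp suffix, mergePorts lets a user -p mapping win over the image's exposed port for the same container port and protocol, and allocateHostPorts fills in the "random host port" case by asking the kernel for a free one. Note the security default the spec forms imply: without an explicit host IP the binding is on all interfaces, so anything published this way is reachable from the network, not just locally. The PortMapping type and function names are this example's assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// PortMapping is one host<->container binding. HostPort 0 means "pick a free
// ephemeral port"; an empty HostIP binds every host interface.
type PortMapping struct {
	HostIP        string
	HostPort      uint16
	ContainerPort uint16
	Protocol      string
}

// parsePortSpec accepts "80", "8080:80" and "127.0.0.1:8080:80", each with an
// optional /tcp or /udp suffix. An image's exposed-port key ("80/tcp") is the
// first form, so it gets a random host port unless the user overrides it.
func parsePortSpec(spec string) (PortMapping, error) {
	pm := PortMapping{Protocol: "tcp"}
	if i := strings.LastIndex(spec, "/"); i >= 0 {
		pm.Protocol, spec = strings.ToLower(spec[i+1:]), spec[:i]
		if pm.Protocol != "tcp" && pm.Protocol != "udp" {
			return pm, fmt.Errorf("unsupported protocol %q", pm.Protocol)
		}
	}
	parts := strings.Split(spec, ":")
	if len(parts) == 3 { // ip:hostport:containerport
		if pm.HostIP = parts[0]; net.ParseIP(pm.HostIP) == nil {
			return pm, fmt.Errorf("invalid host IP %q", parts[0])
		}
		parts = parts[1:]
	}
	if len(parts) == 2 { // hostport:containerport
		hp, err := strconv.ParseUint(parts[0], 10, 16)
		if err != nil || hp == 0 {
			return pm, fmt.Errorf("invalid host port %q", parts[0])
		}
		pm.HostPort, parts = uint16(hp), parts[1:]
	}
	if len(parts) != 1 {
		return pm, fmt.Errorf("invalid port spec %q", spec)
	}
	cp, err := strconv.ParseUint(parts[0], 10, 16)
	if err != nil || cp == 0 {
		return pm, fmt.Errorf("invalid container port %q", parts[0])
	}
	pm.ContainerPort = uint16(cp)
	return pm, nil
}

// mergePorts combines the image's exposed ports with the user's -p mappings;
// a user mapping for the same container port/protocol wins.
func mergePorts(exposed []string, user []PortMapping) ([]PortMapping, error) {
	seen := make(map[string]bool)
	out := append([]PortMapping(nil), user...)
	for _, u := range user {
		seen[fmt.Sprintf("%d/%s", u.ContainerPort, u.Protocol)] = true
	}
	for _, e := range exposed {
		pm, err := parsePortSpec(e)
		if err != nil {
			return nil, fmt.Errorf("image exposes bad port %q: %w", e, err)
		}
		if k := fmt.Sprintf("%d/%s", pm.ContainerPort, pm.Protocol); !seen[k] {
			seen[k], out = true, append(out, pm)
		}
	}
	return out, nil
}

// allocateHostPorts fills HostPort==0 by letting the kernel pick a free TCP
// port on the requested interface, then releasing it for the runtime to bind
// (a small race window; the real bind must still handle EADDRINUSE).
func allocateHostPorts(ms []PortMapping) error {
	for i := range ms {
		if ms[i].HostPort != 0 {
			continue
		}
		if ms[i].Protocol != "tcp" {
			return fmt.Errorf("this example only allocates random TCP ports")
		}
		l, err := net.Listen("tcp", net.JoinHostPort(ms[i].HostIP, "0"))
		if err != nil {
			return err
		}
		ms[i].HostPort = uint16(l.Addr().(*net.TCPAddr).Port)
		l.Close()
	}
	return nil
}

func main() {
	// Constructed input: the image exposes 80 and 443, the user maps only 80.
	user := PortMapping{HostIP: "127.0.0.1", HostPort: 8080, ContainerPort: 80, Protocol: "tcp"}
	ms, err := mergePorts([]string{"80/tcp", "443/tcp"}, []PortMapping{user})
	if err == nil {
		err = allocateHostPorts(ms)
	}
	fmt.Printf("%+v err=%v\n", ms, err)
}
```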
Fix errors when containers are not running.
--all, --latest, and containers cannot be used at the same time.
Should match the output of docker stats, 0 values replaced by "--"
Should return stats right away if container is not running.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #244
Approved by: TomSweeneyRedHat
Each of these options are destructive in nature, meaning if the user
adds one of them, all current ones are removed from the produced
resolv.conf.
* dns-server allows the user to specify dns servers.
* dns-opt allows the user to specify special resolv.conf options
* dns-search allows the user to specify search domains
The add-host option is not destructive and truly just adds the host
to /etc/hosts.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #231
Approved by: mheon
Weighing in at ~1700 lines, container.go is just too big. Split
it into three files: core structs and accessors (container.go),
public API (container_api.go), and internal functions
(container_internal.go).
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
If user does not specify seccomp file or seccomp file does not exist,
then use the default seccomp settings.
Still need to not hard code /etc/crio/seccomp.json, should move this to
/usr/share/seccomp/seccomp.json
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #233
Approved by: baude
Add new functions to update pods and add/remove containers from them
Use these new functions in place of manually modifying pods
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #229
Approved by: rhatdan
This won't matter during batched operations, but if the container
leaks outside of the Batch() function it will segfault if asked
to do any operation that locks unless this is applied
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #226
Approved by: rhatdan
Also prevent containers with dependencies from being removed from
in memory states. SQLite already enforced this via FOREIGN KEY
constraints.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #220
Approved by: rhatdan
Remove existing code for sharing namespaces and replace with use
of this API
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #220
Approved by: rhatdan
If we start a container and it does not error, we can assume the
container is now running. Subsequent API calls will sync for us
to see if it died, so we can just set ContainerStateRunning
instead of launching the runtime to explicitly get state.
The same logic applies to pause and unpause.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #223
Approved by: rhatdan
Also moves port mappings out of the SQL DB and into a file on
disk. These could get very sizable (hundred to thousands of
ports) so moving them out to a file will keep the DB small and
fast.
Finally, add a foreign key reference from container ID to
container state ID. This ensures we never get into an
inconsistent state where we have data in one table but not the
other.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #225
Approved by: baude
Disabling locking/syncing in a batched operation not yet implemented
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #222
Approved by: rhatdan
It is desirable to have a --latest switch on the podman wait
command so we can wait on the latest container created to end.
Also, fixes a panic with latest where no containers are available.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #201
Approved by: baude
This can now be handled by CNI plugins, so let them manage ports
instead.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #189
Approved by: mheon
With certain short name usages, rmi still was unable to delete
certain images. This was also reflected in several commit tests
that were temporarily disabled.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #200
Approved by: rhatdan
It is desirable to have a shortcut for the most
recently created container. We can now use "--latest"
to represent the most recent container instead of its
container ID or name. For example:
Signed-off-by: baude <bbaude@redhat.com>
Closes: #179
Approved by: baude
Removing by shortname was not working. Also pruned
container storage's remove func from rmi and moved it into
an image.Remove func, which consolidates our usage of cs.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #188
Approved by: baude
While pulling by shortname (fedora-minimal) worked, running a container
by the short name did not due to a logic error.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #182
Approved by: rhatdan
This should help with performance when executing many operations
on a single container
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #185
Approved by: rhatdan
We don't want libkpod overrides for conmon's path to misdirect
the already set path for conmon from libpod.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #181
Approved by: baude
We should be pulling information out of the image to set the
defaults to use when setting up the container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #110
Approved by: mheon
In cases, like Ubuntu, where it uses systemd resolve
for DNS then do not copy /etc/resolv.conf but instead
the resolv.conf in the systemd resolve /run dir.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #177
Approved by: rhatdan
podman run/create have the ability to set the stop timeout flag.
We need to stop it in the database.
Also, allowing negative time for stop timeout makes no sense, so switching
to a timeout of uint allows the user to specify huge timeout values.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #158
Approved by: TomSweeneyRedHat
podman commit allows the user to commit containers
as images with options of tagging the image, setting
a commit message, setting the author, and making
changes to the instructions.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #143
Approved by: rhatdan
Stop Signal from kpod create/run was not fully plumbed in.
This will pass the stopsignal into the container database on
create and run of containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #156
Approved by: mheon
Also add --quiet option to kpod create/run since
this will help with writing tests.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #140
Approved by: TomSweeneyRedHat
User can select from 3 manifest types: oci, v2s1, or v2s2
e.g. kpod push --format v2s2 alpine dir:my-directory
Added "compress" flag to enable compression when true
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #126
Approved by: rhatdan
Given that we don't have a good way of cleaning up locks, these
could potentially cause issues if we ever reuse a container or pod
ID
Also changes locks dir to use tmpfs, as we can't directly clean
up locks
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #138
Approved by: rhatdan
Also includes misc other fixes - adding labels, fixing pod names
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #138
Approved by: rhatdan
For DNS to work properly, we need to copy the host's /etc/resolv.conf
into the container during Init(). We do this by copying it into the
container's rundir and then bind mounting it into the container.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #130
Approved by: baude
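The resolv.conf handling spread over three commits on this page (copying the host file into the container, substituting the systemd-resolved file from /run on hosts whose /etc/resolv.conf only points at the 127.0.0.53 stub, and the destructive --dns/--dns-search/--dns-opt overrides), as one added Go example that is not the project's code. It parses a constructed host resolv.conf, detects the loopback-only stub case so the caller knows to read /run/systemd/resolve/resolv.conf instead, and applies the override rule from the dns commit: a non-empty user list replaces that category wholesale, an empty one keeps the host's values. Nameservers are validated as IP addresses before they reach the container. Type and function names are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ResolvConf is the subset of resolv.conf(5) a container runtime rewrites.
type ResolvConf struct {
	Nameservers []string
	Searches    []string
	Options     []string
}

// ParseResolvConf reads nameserver/search/domain/options lines; comments
// and unknown keywords are dropped.
func ParseResolvConf(content string) ResolvConf {
	var rc ResolvConf
	for _, line := range strings.Split(content, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || strings.HasPrefix(f[0], "#") || strings.HasPrefix(f[0], ";") {
			continue
		}
		switch f[0] {
		case "nameserver":
			rc.Nameservers = append(rc.Nameservers, f[1])
		case "search", "domain":
			rc.Searches = append(rc.Searches, f[1:]...)
		case "options":
			rc.Options = append(rc.Options, f[1:]...)
		}
	}
	return rc
}

// String renders the file as it would be bind-mounted into the container.
func (rc ResolvConf) String() string {
	var b strings.Builder
	for _, ns := range rc.Nameservers {
		fmt.Fprintf(&b, "nameserver %s\n", ns)
	}
	if len(rc.Searches) > 0 {
		fmt.Fprintf(&b, "search %s\n", strings.Join(rc.Searches, " "))
	}
	if len(rc.Options) > 0 {
		fmt.Fprintf(&b, "options %s\n", strings.Join(rc.Options, " "))
	}
	return b.String()
}

// IsLoopbackStub reports whether every nameserver is a loopback address, as
// with systemd-resolved's 127.0.0.53 stub. Copied into a container with its
// own network namespace that file resolves nothing, so the caller should read
// /run/systemd/resolve/resolv.conf (the real upstream servers) instead.
func IsLoopbackStub(rc ResolvConf) bool {
	for _, ns := range rc.Nameservers {
		if ip := net.ParseIP(ns); ip == nil || !ip.IsLoopback() {
			return false
		}
	}
	return len(rc.Nameservers) > 0
}

// BuildResolvConf applies the destructive semantics of the dns options: a
// non-empty dns, dnsSearch or dnsOpt list replaces the host's values for
// that category wholesale; an empty list keeps them.
func BuildResolvConf(host ResolvConf, dns, dnsSearch, dnsOpt []string) (ResolvConf, error) {
	out := host
	for _, s := range dns {
		if net.ParseIP(s) == nil {
			return ResolvConf{}, fmt.Errorf("invalid dns server %q", s)
		}
	}
	if len(dns) > 0 {
		out.Nameservers = dns
	}
	if len(dnsSearch) > 0 {
		out.Searches = dnsSearch
	}
	if len(dnsOpt) > 0 {
		out.Options = dnsOpt
	}
	return out, nil
}

func main() {
	// Constructed host file in the shape systemd-resolved writes; not captured from a real host.
	etc := ParseResolvConf("# stub\nnameserver 127.0.0.53\noptions edns0 trust-ad\nsearch example.test\n")
	fmt.Println("loopback stub:", IsLoopbackStub(etc))
	rc, err := BuildResolvConf(etc, []string{"10.0.0.2"}, nil, []string{"ndots:2"})
	fmt.Printf("%serr=%v\n", rc, err)
}
```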
kpod inspect now uses the new libpod container state
and closely matches the output of docker inspect
some aspects of it are still WIP as the libpod container state
is still being worked on
Signed-off-by: umohnani8 <umohnani@redhat.com>
When loading an image, kpod load would print something like
"Trying to pull docker.io/library/alpine...", which is misleading
and makes it sound like it's pulling it from the registry.
Fixed this by removing these print statements for kpod load
Signed-off-by: umohnani8 <umohnani@redhat.com>
Initial wiring of kpod exec. We won't support the following options
for exec:
* detach -- unsure of use case
* detach-keys -- not supported by runc
* interactive -- all terminals will be interactive
Not adding exec tests as we need to think about how to support a
test that requires console access but our CI tests have no console.
Signed-off-by: baude <bbaude@redhat.com>
Create an artifacts directory in the container's
static directory to store container information
coming from outside of libpod in specified files
An example is to hold data from user specified flags
in kpod run/create such as --cap-add, --ipcMode, etc...
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #108
Approved by: mheon
There are still two places that don't use the new function,
export and mount, but both can probably be converted to it
in the future.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #99
Approved by: rhatdan
Allow kpod create/run to create containers in different network namespaces, uts namespaces and
IPC Namespaces.
This patch just handles the simple join the host, or another containers namespaces.
Lots more work needed to fully integrate --net
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #64
Approved by: mheon
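The "join the host, or another container's namespaces" cases from this commit, as an added Go example that is not the project's code. It maps a per-namespace mode string ("private", "host", or "container:<id>") to entries shaped like the OCI runtime spec's linux.namespaces list: an entry with no path asks the runtime for a new namespace, an entry with a /proc/<pid>/ns/<type> path joins an existing one, and omitting the type altogether leaves the container in the host's namespace. PID and mount namespaces are always kept private here, since those are what stop the container from seeing host processes and the host filesystem tree; host mode for net, ipc or uts is deliberately the only way to weaken isolation. The LinuxNamespace type, the lookupPID callback and the lookup table are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// LinuxNamespace mirrors the OCI runtime-spec entry: Type names the namespace
// and Path, when set, is an existing namespace to join. An entry with an empty
// Path asks the runtime to create a new namespace; a type missing from the
// list is inherited from the host.
type LinuxNamespace struct {
	Type string
	Path string
}

// nsProcName maps spec namespace types to their names under /proc/<pid>/ns.
var nsProcName = map[string]string{
	"network": "net", "ipc": "ipc", "uts": "uts", "pid": "pid", "mount": "mnt",
}

// namespaceEntry maps one mode ("" or "private", "host", "container:<id>") to
// a spec entry. lookupPID resolves a container name or ID to the pid of its
// init process, standing in for the container state store. A nil result means
// "omit the entry", i.e. share the host's namespace.
func namespaceEntry(nsType, mode string, lookupPID func(string) (int, error)) (*LinuxNamespace, error) {
	switch {
	case mode == "" || mode == "private":
		return &LinuxNamespace{Type: nsType}, nil
	case mode == "host":
		return nil, nil
	case strings.HasPrefix(mode, "container:"):
		id := strings.TrimPrefix(mode, "container:")
		if id == "" {
			return nil, fmt.Errorf("%s namespace: container: mode needs an ID", nsType)
		}
		pid, err := lookupPID(id)
		if err != nil {
			return nil, fmt.Errorf("%s namespace: %w", nsType, err)
		}
		if pid <= 0 {
			return nil, fmt.Errorf("%s namespace: container %s is not running", nsType, id)
		}
		return &LinuxNamespace{Type: nsType, Path: fmt.Sprintf("/proc/%d/ns/%s", pid, nsProcName[nsType])}, nil
	default:
		return nil, fmt.Errorf("%s namespace: unknown mode %q", nsType, mode)
	}
}

// buildNamespaces assembles the namespaces list for --net, --ipc and --uts.
// PID and mount namespaces are always private in this example.
func buildNamespaces(netMode, ipcMode, utsMode string, lookupPID func(string) (int, error)) ([]LinuxNamespace, error) {
	var out []LinuxNamespace
	for _, m := range []struct{ typ, mode string }{
		{"network", netMode}, {"ipc", ipcMode}, {"uts", utsMode}, {"pid", "private"}, {"mount", "private"},
	} {
		ns, err := namespaceEntry(m.typ, m.mode, lookupPID)
		if err != nil {
			return nil, err
		}
		if ns != nil {
			out = append(out, *ns)
		}
	}
	return out, nil
}

func main() {
	// Constructed lookup table standing in for the container state database.
	lookup := func(id string) (int, error) {
		if id == "web" {
			return 1234, nil
		}
		return 0, fmt.Errorf("no such container %q", id)
	}
	nss, err := buildNamespaces("container:web", "host", "", lookup)
	fmt.Printf("%+v err=%v\n", nss, err)
}
```

Joining another container's namespace via /proc/<pid>/ns/... requires that container to be running; a stale pid would make the runtime fail, or worse, join the wrong process's namespace if the pid were reused, which is why a real implementation should check the target's state before building the path.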
This ensures we don't open a DB with an earlier schema or a
config that differs from ours
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #86
Approved by: rhatdan