Ostree already has functionality to extract images as non-root user. This involves changing OSTree's checkout mode to USER (only if the image's repo was created with BARE_USER mode).
Atomic will then ignore calls to mount_path since there is no need to run the mount system call since ostree checkout already takes care of that.
Also added changes to allow atomic to unmount an image previously mounted by non-root user. This involves a patch to atomic mount to change permissions of the image once mounted. It then removes symbolic links before removing all the subdirectories in the specified mount directory.
Closes: #509
Approved by: rhatdan
Allow atomic users to sign an image that has been pulled
from a repository. This uses GPG, skopeo, and friends and
creates a local signature file for an image that has been
pulled locally. Signatures are stored in the dir:
/var/lib/atomic/containers/registry/image_name@sha256:image_id/
Individual signature files are then stored as:
../signature-(INTEGER)
where INTEGER is incremented each time a signature
is added.
Closes: #539
Approved by: baude
As we add more commands related to containers, i.e. Trim, we need to make
containers be a subcommand and add verbs like list, and trim
Closes: #579
Approved by: giuseppe
Check respectively that runc and bwrap-oci are available before showing
'install --system' and 'install --user'.
bwrap-oci is still not packaged and may not be available immediately on
RHEL. The check for runc is added for completeness.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #567
Approved by: rhatdan
Check whether /run/ostree-booted file exists. If it does then
add the host commands to the atomic command.
Also fix some of the descriptions in atomic man page.
Closes: #561
Approved by: cgwalters
When trying to script `atomic` via Ansible, in order to implement
idempotence we need the ability to introspect the current state
in a machine-readable way.
`ps` already has `--json`, so teach `images list` about it too;
the implementation is trivial.
Closes: #548
Approved by: rhatdan
Also break out images handling into a separate python file.
Atomic/images.py
I have switched atomic images generate to generate an images
mtree file for each image in the system.
Closes: #534
Approved by: giuseppe
Add --rootfs=ROOTFS to atomic install, which allows users to specify
an existing exploded container or existing rootfs location as ROOTFS.
The existing rootfs will be used as a read-only rootfs for the new
container to be installed, and therefore the new container would
only contain configuration files. (Note: currently all system
containers must have a read-only rootfs by default).
A use case for this would be using existing container's rootfs
through NFS, etc., to serve as the rootfs for many containers running
the same image. This avoids duplicate storage of having a container
on each machine in a cluster.
A user can update only the remote container's config file parameters
with 'atomic update', and uninstalling a remote container does not
affect the rootfs specified in ROOTFS.
Closes: #527
Approved by: giuseppe
Integrate go-mtree tool into atomic CLI command, `atomic verify -V <imagename>`.
(Note that `gomtree` is still in development and thus we would need some way of
obtaining updated gomtree binaries) When a user does an atomic pull,
validation manifests for that system image's layers are created and stored in
/var/lib/atomic. When user does `atomic verify -V <system image>`, these manifests
are then validated against the image that is on disk (which would be stored in ostree).
Signed-off-by: Stephen Chung <schung@redhat.com>
Closes: #531
Approved by: rhatdan
Pull to the user repo by default when running as non root user
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #524
Approved by: rhatdan
Add the following sub-commands to "atomic images list"
--all: show all images, including intermediate images
--filter: filter output based on given filters
--quiet: only display image IDs
and corresponding bash auto-complete, tests, and documentation.
Closes: #502
Approved by: rhatdan
Add the following sub-commands to ps:
--filter: filter output based on given VAR=VALUE
--no-trunc: do not truncate output
--quiet: only display container IDs
and corresponding bash auto-complete, tests, and documentation.
Closes: #493
Approved by: rhatdan
It is used to query the installed or running containers.
Unify in the same output Docker containers and system containers.
Also support --json to output the information in a machine readable
way.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #422
Approved by: rhatdan
When you run atomic images, we now indicate which images
have been used by a container. The indicator is the
'>' character and it precedes the image name in the listing.
Also improved some output problems with long repository names.
Updated atomic images man page to reflect this change.
Closes: #394
Approved by: rhatdan
atomic modify can be used to add devices to the storage backend.
It can also be used to switch the backend storage driver.
Closes: #385
Approved by: rhatdan
https://github.com/projectatomic/atomic/issues/378 points out that
when an rpm diff is done with --names-only, the output messaging was
not clear enough. Reworked the man page, --help, and output message
to clarify that when --names-only is used, it only compares RPMs
based on names and NOT versions.
Nice find by Micah.
Closes: #381
Approved by: rhatdan
Also moved atomic migrate to atomic storage.
Currently we support
atomic storage export
atomic storage import
atomic storage reset
Closes: #365
Approved by: rhatdan
Add the ability for atomic scan to deal with chroots on the host's
filesystem. You can now pass a list of chroots to --rootfs and your
scanner will process them as if they were containers or images. This
works with VMs too.
$ sudo virt-filesystems -d rhel7
/dev/sda1
/dev/sdb1
/dev/sdb2
/dev/rhel/home
/dev/rhel/root
$ sudo guestmount -d rhel7 -m /dev/rhel/root --ro /tmp/rhel
$ sudo ./atomic scan --rootfs /tmp/rhel
...
Updated the man pages for atomic scan as well as it had fallen out of
date.
Small update that makes sure the host's os.environ is passed into
scanning container.
Closes: #371
Approved by: rhatdan
As more scanners besides openscap become available, atomic
can now begin to leverage them. The new scan function has
been broken out into its own file (scan.py).
The scan command itself now defaults to openscap but can
also be switched to blackduck with --scanner.
Atomic now can use a configuration file which is stored
in /etc/atomic.conf. The location of the atomic conf
file can be overridden with the environment variable
'ATOMIC_CONF'. In the case of the scan function,
we need the scanner defined in the configuration file
as well as the fully qualified image name and the
scan arguments. Optionally, you can provide additional
custom docker arguments for the scanner as well.
It's nicer for branding the command. The more correct thing would be
to add it to the rpm-ostree daemon and pass through there, but we have
more important problems to fix for the production code path. This is
just for local development, so the slightly dirty way is just fine.