-rw-r--r-- | cmd/podman/shared/create_cli.go | 14 | ||||
-rw-r--r-- | libpod/container_api.go | 4 | ||||
-rw-r--r-- | libpod/container_internal.go | 21 | ||||
-rw-r--r-- | libpod/pod_api.go | 2 | ||||
-rw-r--r-- | libpod/runtime_ctr.go | 2 |
5 files changed, 23 insertions, 20 deletions
diff --git a/cmd/podman/shared/create_cli.go b/cmd/podman/shared/create_cli.go
index 08a40b206..00b83906d 100644
--- a/cmd/podman/shared/create_cli.go
+++ b/cmd/podman/shared/create_cli.go
@@ -12,11 +12,6 @@ import (
 "github.com/sirupsen/logrus"
 )
-const (
- // It's not kernel limit, we want this 4M limit to supply a reasonable functional container
- linuxMinMemory = 4194304
-)
-
 // GetAllLabels ...
 func GetAllLabels(labelFile, inputLabels []string) (map[string]string, error) {
 labels := make(map[string]string)
@@ -86,9 +81,6 @@ func verifyContainerResources(config *cc.CreateConfig, update bool) ([]string, e
 sysInfo := sysinfo.New(true)
 // memory subsystem checks and adjustments
- if config.Resources.Memory != 0 && config.Resources.Memory < linuxMinMemory {
- return warnings, fmt.Errorf("minimum memory limit allowed is 4MB")
- }
 if config.Resources.Memory > 0 && !sysInfo.MemoryLimit {
 warnings = addWarning(warnings, "Your kernel does not support memory limit capabilities or the cgroup is not mounted. Limitation discarded.")
 config.Resources.Memory = 0
@@ -120,9 +112,6 @@ func verifyContainerResources(config *cc.CreateConfig, update bool) ([]string, e
 warnings = addWarning(warnings, "Your kernel does not support memory soft limit capabilities or the cgroup is not mounted. Limitation discarded.")
 config.Resources.MemoryReservation = 0
 }
- if config.Resources.MemoryReservation > 0 && config.Resources.MemoryReservation < linuxMinMemory {
- return warnings, fmt.Errorf("minimum memory reservation allowed is 4MB")
- }
 if config.Resources.Memory > 0 && config.Resources.MemoryReservation > 0 && config.Resources.Memory < config.Resources.MemoryReservation {
 return warnings, fmt.Errorf("minimum memory limit cannot be less than memory reservation limit, see usage")
 }
@@ -130,9 +119,6 @@ func verifyContainerResources(config *cc.CreateConfig, update bool) ([]string, e
 warnings = addWarning(warnings, "Your kernel does not support kernel memory limit capabilities or the cgroup is not mounted. Limitation discarded.")
 config.Resources.KernelMemory = 0
 }
- if config.Resources.KernelMemory > 0 && config.Resources.KernelMemory < linuxMinMemory {
- return warnings, fmt.Errorf("minimum kernel memory limit allowed is 4MB")
- }
 if config.Resources.DisableOomKiller && !sysInfo.OomKillDisable {
 // only produce warnings if the setting wasn't to *disable* the OOM Kill; no point
 // warning the caller if they already wanted the feature to be off
diff --git a/libpod/container_api.go b/libpod/container_api.go
index 5168dbc68..e36623529 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -183,7 +183,7 @@ func (c *Container) StopWithTimeout(timeout uint) error {
 return errors.Wrapf(define.ErrCtrStateInvalid, "can only stop created or running containers. %s is in state %s", c.ID(), c.state.State.String())
 }
- return c.stop(timeout, false)
+ return c.stop(timeout)
 }
 // Kill sends a signal to a container
@@ -715,7 +715,7 @@ func (c *Container) Refresh(ctx context.Context) error {
 // Next, if the container is running, stop it
 if c.state.State == define.ContainerStateRunning {
- if err := c.stop(c.config.StopTimeout, false); err != nil {
+ if err := c.stop(c.config.StopTimeout); err != nil {
 return err
 }
 }
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 37801162a..9d97ac5d6 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -1129,9 +1129,14 @@ func (c *Container) start() error {
 }
 // Internal, non-locking function to stop container
-func (c *Container) stop(timeout uint, all bool) error {
+func (c *Container) stop(timeout uint) error {
 logrus.Debugf("Stopping ctr %s (timeout %d)", c.ID(), timeout)
+ // If the container is running in a PID Namespace, then killing the
+ // primary pid is enough to kill the container. If it is not running in
+ // a pid namespace then the OCI Runtime needs to kill ALL processes in
+ // the containers cgroup in order to make sure the container is stopped.
+ all := !c.hasNamespace(spec.PIDNamespace)
 // We can't use --all if CGroups aren't present.
 // Rootless containers with CGroups v1 and NoCgroups are both cases
 // where this can happen.
@@ -1225,7 +1230,7 @@ func (c *Container) restartWithTimeout(ctx context.Context, timeout uint) (err e
 if c.state.State == define.ContainerStateRunning {
 conmonPID := c.state.ConmonPID
- if err := c.stop(timeout, false); err != nil {
+ if err := c.stop(timeout); err != nil {
 return err
 }
 // Old versions of conmon have a bug where they create the exit file before
@@ -1895,3 +1900,15 @@ func (c *Container) reapExecSessions() error {
 }
 return lastErr
 }
+
+func (c *Container) hasNamespace(namespace spec.LinuxNamespaceType) bool {
+ if c.config.Spec == nil || c.config.Spec.Linux == nil {
+ return false
+ }
+ for _, n := range c.config.Spec.Linux.Namespaces {
+ if n.Type == namespace {
+ return true
+ }
+ }
+ return false
+}
diff --git a/libpod/pod_api.go b/libpod/pod_api.go
index b27257004..cb04f7411 100644
--- a/libpod/pod_api.go
+++ b/libpod/pod_api.go
@@ -123,7 +123,7 @@ func (p *Pod) StopWithTimeout(ctx context.Context, cleanup bool, timeout int) (m
 if timeout > -1 {
 stopTimeout = uint(timeout)
 }
- if err := ctr.stop(stopTimeout, false); err != nil {
+ if err := ctr.stop(stopTimeout); err != nil {
 ctr.lock.Unlock()
 ctrErrors[ctr.ID()] = err
 continue
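Review bot: The new `all := !c.hasNamespace(spec.PIDNamespace)` in stop() treats any PID namespace entry in the spec as proof that the container's primary process is init of its own namespace, but hasNamespace (added at the end of this file) matches on `n.Type` only. An OCI namespace entry with a non-empty `Path` joins an existing namespace; if this codebase records a shared pod PID namespace or a joined container namespace that way (not visible in this diff), killing the primary pid would leave the container's other processes running while `--all` is skipped. The same applies to the call sites in pod_api.go and runtime_ctr.go, where removeContainer previously forced `all` to true. Consider requiring a freshly created namespace, for example `if n.Type == spec.PIDNamespace && n.Path == "" {`, and keeping `all` true otherwise. stop()'s body continues outside the hunk.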
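Review bot: hasNamespace is added without a doc comment, and its name does not say that it inspects only the configured spec rather than the running container. I would add `// hasNamespace reports whether the container's OCI spec lists a Linux namespace of the given type. It returns false when the spec or its Linux section is nil, and does not distinguish a new namespace from one joined by path.` above the function, so callers that make kill decisions from the result know what it does and does not establish.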
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index d272e4549..3cf70f417 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -463,7 +463,7 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool,
 // Check that the container's in a good state to be removed
 if c.state.State == define.ContainerStateRunning {
- if err := c.stop(c.StopTimeout(), true); err != nil {
+ if err := c.stop(c.StopTimeout()); err != nil {
 return errors.Wrapf(err, "cannot remove container %s as it could not be stopped", c.ID())
 }
 }
|