diff options
| -rw-r--r-- | cmd/podman/common/completion.go | 2 | ||||
| -rw-r--r-- | cmd/podman/pods/create.go | 7 | ||||
| -rw-r--r-- | docs/source/markdown/podman-pod-create.1.md | 20 | ||||
| -rw-r--r-- | libpod/container_internal_linux.go | 2 | ||||
| -rw-r--r-- | libpod/runtime.go | 14 | ||||
| -rw-r--r-- | libpod/runtime_worker.go | 33 | ||||
| -rw-r--r-- | pkg/api/handlers/compat/images_build.go | 2 | ||||
| -rw-r--r-- | pkg/machine/qemu/machine.go | 2 | ||||
| -rw-r--r-- | pkg/machine/wsl/machine.go | 8 | ||||
| -rw-r--r-- | pkg/specgen/generate/validate.go | 9 | ||||
| -rw-r--r-- | pkg/util/utils.go | 2 | ||||
| -rw-r--r-- | test/system/200-pod.bats | 7 | ||||
| -rw-r--r-- | utils/testdata/cgroup.empty | 0 | ||||
| -rw-r--r-- | utils/testdata/cgroup.other | 1 | ||||
| -rw-r--r-- | utils/testdata/cgroup.root | 1 | ||||
| -rw-r--r-- | utils/utils_supported.go | 14 | ||||
| -rw-r--r-- | utils/utils_test.go | 26 | ||||
| -rw-r--r-- | utils/utils_windows.go | 4 |
18 files changed, 93 insertions, 61 deletions
diff --git a/cmd/podman/common/completion.go b/cmd/podman/common/completion.go index 285cab1b9..3720e9608 100644 --- a/cmd/podman/common/completion.go +++ b/cmd/podman/common/completion.go @@ -1171,7 +1171,7 @@ func getMethodNames(f reflect.Value, prefix string) []formatSuggestion { if kind == reflect.Struct || kind == reflect.Map { suffix = "." } - // From a template users POV it is not importent when the use a struct field or method. + // From a template users POV it is not important when the use a struct field or method. // They only notice the difference when the function requires arguments. // So lets be nice and let the user know that this method requires arguments via the help text. // Note since this is actually a method on a type the first argument is always fix so we should skip it. diff --git a/cmd/podman/pods/create.go b/cmd/podman/pods/create.go index eaf6dd9d5..e2f80bdbc 100644 --- a/cmd/podman/pods/create.go +++ b/cmd/podman/pods/create.go @@ -166,7 +166,12 @@ func create(cmd *cobra.Command, args []string) error { if strings.Contains(share, "cgroup") && shareParent { return errors.Wrapf(define.ErrInvalidArg, "cannot define the pod as the cgroup parent at the same time as joining the infra container's cgroupNS") } - createOptions.Share = strings.Split(share, ",") + + if strings.HasPrefix(share, "+") { + createOptions.Share = append(createOptions.Share, strings.Split(specgen.DefaultKernelNamespaces, ",")...) + share = share[1:] + } + createOptions.Share = append(createOptions.Share, strings.Split(share, ",")...) createOptions.ShareParent = &shareParent if cmd.Flag("infra-command").Changed { // Only send content to server side if user changed defaults diff --git a/docs/source/markdown/podman-pod-create.1.md b/docs/source/markdown/podman-pod-create.1.md index acccc832d..cf749efda 100644 --- a/docs/source/markdown/podman-pod-create.1.md +++ b/docs/source/markdown/podman-pod-create.1.md @@ -14,6 +14,15 @@ is not given a random name is generated. The pod id is printed to STDOUT. You can then use **podman create --pod `<pod_id|pod_name>` ...** to add containers to the pod, and **podman pod start `<pod_id|pod_name>`** to start the pod. +The operator can identify a pod in three ways: +UUID long identifier (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”) +UUID short identifier (“f78375b1c487”) +Name (“jonah”) + +podman generates a UUID for each pod, and if a name is not assigned +to the container with **--name** then a random string name will be generated +for it. The name is useful any place you need to identify a pod. + ## OPTIONS #### **--add-host**=_host_:_ip_ @@ -267,16 +276,7 @@ Note: Labeling can be disabled for all containers by setting label=false in the #### **--share**=*namespace* -A comma-separated list of kernel namespaces to share. If none or "" is specified, no namespaces will be shared. The namespaces to choose from are cgroup, ipc, net, pid, uts. - -The operator can identify a pod in three ways: -UUID long identifier (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”) -UUID short identifier (“f78375b1c487”) -Name (“jonah”) - -podman generates a UUID for each pod, and if a name is not assigned -to the container with **--name** then a random string name will be generated -for it. The name is useful any place you need to identify a pod. +A comma-separated list of kernel namespaces to share. If none or "" is specified, no namespaces will be shared. The namespaces to choose from are cgroup, ipc, net, pid, uts. If the option is prefixed with a "+" then the namespace is appended to the default list, otherwise it replaces the default list. Defaults matches Kubernetes default (ipc, net, uts) #### **--share-parent** diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index 82e5fa992..298eb1947 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -3109,7 +3109,7 @@ func (c *Container) getOCICgroupPath() (string, error) { case c.config.NoCgroups: return "", nil case c.config.CgroupsMode == cgroupSplit: - selfCgroup, err := utils.GetOwnCgroup() + selfCgroup, err := utils.GetOwnCgroupDisallowRoot() if err != nil { return "", err } diff --git a/libpod/runtime.go b/libpod/runtime.go index 4efa7b8e8..00fa2fe88 100644 --- a/libpod/runtime.go +++ b/libpod/runtime.go @@ -11,6 +11,7 @@ import ( "regexp" "strconv" "strings" + "sync" "syscall" "time" @@ -87,8 +88,8 @@ type Runtime struct { lockManager lock.Manager // Worker - workerShutdown chan bool - workerChannel chan func() + workerChannel chan func() + workerGroup sync.WaitGroup // syslog describes whenever logrus should log to the syslog as well. // Note that the syslog hook will be enabled early in cmd/podman/syslog_linux.go @@ -823,12 +824,9 @@ func (r *Runtime) Shutdown(force bool) error { return define.ErrRuntimeStopped } - if r.workerShutdown != nil { - // Signal the worker routine to shutdown. The routine will - // process all pending work items and then read from the - // channel; we're blocked until all work items have been - // processed. - r.workerShutdown <- true + if r.workerChannel != nil { + r.workerGroup.Wait() + close(r.workerChannel) } r.valid = false diff --git a/libpod/runtime_worker.go b/libpod/runtime_worker.go index ca44a27f7..9d41321b2 100644 --- a/libpod/runtime_worker.go +++ b/libpod/runtime_worker.go @@ -1,40 +1,17 @@ package libpod -import ( - "time" -) - func (r *Runtime) startWorker() { - if r.workerChannel == nil { - r.workerChannel = make(chan func(), 1) - r.workerShutdown = make(chan bool) - } + r.workerChannel = make(chan func(), 10) go func() { - for { - // Make sure to read all workers before - // checking if we're about to shutdown. - for len(r.workerChannel) > 0 { - w := <-r.workerChannel - w() - } - - select { - // We'll read from the shutdown channel only when all - // items above have been processed. - // - // (*Runtime).Shutdown() will block until until the - // item is read. - case <-r.workerShutdown: - return - - default: - time.Sleep(100 * time.Millisecond) - } + for w := range r.workerChannel { + w() + r.workerGroup.Done() } }() } func (r *Runtime) queueWork(f func()) { + r.workerGroup.Add(1) go func() { r.workerChannel <- f }() diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go index 0a1bc941d..ba6764e91 100644 --- a/pkg/api/handlers/compat/images_build.go +++ b/pkg/api/handlers/compat/images_build.go @@ -170,7 +170,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { // convert addcaps formats containerFiles := []string{} - // Tells if query paramemter `dockerfile` is set or not. + // Tells if query parameter `dockerfile` is set or not. dockerFileSet := false if utils.IsLibpodRequest(r) && query.Remote != "" { // The context directory could be a URL. Try to handle that. diff --git a/pkg/machine/qemu/machine.go b/pkg/machine/qemu/machine.go index 6e36b0886..e3fb3b970 100644 --- a/pkg/machine/qemu/machine.go +++ b/pkg/machine/qemu/machine.go @@ -1545,7 +1545,7 @@ func (v *MachineVM) editCmdLine(flag string, value string) { } } -// RemoveAndCleanMachines removes all machine and cleans up any other files associatied with podman machine +// RemoveAndCleanMachines removes all machine and cleans up any other files associated with podman machine func (p *Provider) RemoveAndCleanMachines() error { var ( vm machine.VM diff --git a/pkg/machine/wsl/machine.go b/pkg/machine/wsl/machine.go index 0b2874baf..06020aded 100644 --- a/pkg/machine/wsl/machine.go +++ b/pkg/machine/wsl/machine.go @@ -831,16 +831,16 @@ func (v *MachineVM) Set(_ string, opts machine.SetOptions) ([]error, error) { } if opts.CPUs != nil { - setErrors = append(setErrors, errors.Errorf("changing CPUs not suppored for WSL machines")) + setErrors = append(setErrors, errors.Errorf("changing CPUs not supported for WSL machines")) } if opts.Memory != nil { - setErrors = append(setErrors, errors.Errorf("changing memory not suppored for WSL machines")) + setErrors = append(setErrors, errors.Errorf("changing memory not supported for WSL machines")) } if opts.DiskSize != nil { - setErrors = append(setErrors, errors.Errorf("changing Disk Size not suppored for WSL machines")) + setErrors = append(setErrors, errors.Errorf("changing Disk Size not supported for WSL machines")) } return setErrors, v.writeConfig() @@ -1477,7 +1477,7 @@ func (v *MachineVM) getResources() (resources machine.ResourceConfig) { return } -// RemoveAndCleanMachines removes all machine and cleans up any other files associatied with podman machine +// RemoveAndCleanMachines removes all machine and cleans up any other files associated with podman machine func (p *Provider) RemoveAndCleanMachines() error { var ( vm machine.VM diff --git a/pkg/specgen/generate/validate.go b/pkg/specgen/generate/validate.go index 44c7818e7..a1affef31 100644 --- a/pkg/specgen/generate/validate.go +++ b/pkg/specgen/generate/validate.go @@ -1,6 +1,7 @@ package generate import ( + "io/ioutil" "os" "path/filepath" @@ -166,6 +167,14 @@ func verifyContainerResourcesCgroupV2(s *specgen.SpecGenerator) ([]string, error if err != nil { return warnings, err } + + if own == "/" { + // If running under the root cgroup try to create or reuse a "probe" cgroup to read memory values + own = "podman_probe" + _ = os.MkdirAll(filepath.Join("/sys/fs/cgroup", own), 0o755) + _ = ioutil.WriteFile("/sys/fs/cgroup/cgroup.subtree_control", []byte("+memory"), 0o644) + } + memoryMax := filepath.Join("/sys/fs/cgroup", own, "memory.max") memorySwapMax := filepath.Join("/sys/fs/cgroup", own, "memory.swap.max") _, errMemoryMax := os.Stat(memoryMax) diff --git a/pkg/util/utils.go b/pkg/util/utils.go index 1b7663330..ad5db9a1a 100644 --- a/pkg/util/utils.go +++ b/pkg/util/utils.go @@ -79,7 +79,7 @@ func ParseRegistryCreds(creds string) (*types.DockerAuthConfig, error) { }, nil } -// StringInSlice is depracated, use containers/common/pkg/util/StringInSlice +// StringInSlice is deprecated, use containers/common/pkg/util/StringInSlice func StringInSlice(s string, sl []string) bool { return util.StringInSlice(s, sl) } diff --git a/test/system/200-pod.bats b/test/system/200-pod.bats index 8761b7131..404ad67ec 100644 --- a/test/system/200-pod.bats +++ b/test/system/200-pod.bats @@ -335,8 +335,15 @@ EOF is "$output" ".*Invalid kernel namespace to share: bogus. Options are: cgroup, ipc, net, pid, uts or none" \ "pod test for bogus --share option" run_podman pod create --share ipc --name $pod_name + run_podman pod inspect $pod_name --format "{{.SharedNamespaces}}" + is "$output" "[ipc]" run_podman run --rm --pod $pod_name --hostname foobar $IMAGE hostname is "$output" "foobar" "--hostname should work with non share UTS namespace" + run_podman pod create --share +pid --replace --name $pod_name + run_podman pod inspect $pod_name --format "{{.SharedNamespaces}}" + for ns in uts pid ipc net; do + is "$output" ".*$ns" + done } @test "podman pod create --pod new:$POD --hostname" { diff --git a/utils/testdata/cgroup.empty b/utils/testdata/cgroup.empty new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/utils/testdata/cgroup.empty diff --git a/utils/testdata/cgroup.other b/utils/testdata/cgroup.other new file mode 100644 index 000000000..239a7cded --- /dev/null +++ b/utils/testdata/cgroup.other @@ -0,0 +1 @@ +0::/other diff --git a/utils/testdata/cgroup.root b/utils/testdata/cgroup.root new file mode 100644 index 000000000..1e027b2a3 --- /dev/null +++ b/utils/testdata/cgroup.root @@ -0,0 +1 @@ +0::/ diff --git a/utils/utils_supported.go b/utils/utils_supported.go index 493ea61ce..c2dcc4631 100644 --- a/utils/utils_supported.go +++ b/utils/utils_supported.go @@ -64,7 +64,7 @@ func RunUnderSystemdScope(pid int, slice string, unitName string) error { return nil } -func getCgroupProcess(procFile string) (string, error) { +func getCgroupProcess(procFile string, allowRoot bool) (string, error) { f, err := os.Open(procFile) if err != nil { return "", err @@ -72,7 +72,7 @@ func getCgroupProcess(procFile string) (string, error) { defer f.Close() scanner := bufio.NewScanner(f) - cgroup := "/" + cgroup := "" for scanner.Scan() { line := scanner.Text() parts := strings.SplitN(line, ":", 3) @@ -87,7 +87,7 @@ func getCgroupProcess(procFile string) (string, error) { cgroup = parts[2] } } - if cgroup == "/" { + if len(cgroup) == 0 || (!allowRoot && cgroup == "/") { return "", errors.Errorf("could not find cgroup mount in %q", procFile) } return cgroup, nil @@ -95,12 +95,16 @@ func getCgroupProcess(procFile string) (string, error) { // GetOwnCgroup returns the cgroup for the current process. func GetOwnCgroup() (string, error) { - return getCgroupProcess("/proc/self/cgroup") + return getCgroupProcess("/proc/self/cgroup", true) +} + +func GetOwnCgroupDisallowRoot() (string, error) { + return getCgroupProcess("/proc/self/cgroup", false) } // GetCgroupProcess returns the cgroup for the specified process process. func GetCgroupProcess(pid int) (string, error) { - return getCgroupProcess(fmt.Sprintf("/proc/%d/cgroup", pid)) + return getCgroupProcess(fmt.Sprintf("/proc/%d/cgroup", pid), true) } // MoveUnderCgroupSubtree moves the PID under a cgroup subtree. diff --git a/utils/utils_test.go b/utils/utils_test.go new file mode 100644 index 000000000..f34dbdd7e --- /dev/null +++ b/utils/utils_test.go @@ -0,0 +1,26 @@ +//go:build linux || darwin +// +build linux darwin + +package utils + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestCgroupProcess(t *testing.T) { + val, err := getCgroupProcess("testdata/cgroup.root", true) + assert.Nil(t, err) + assert.Equal(t, "/", val) + + _, err = getCgroupProcess("testdata/cgroup.root", false) + assert.NotNil(t, err) + + val, err = getCgroupProcess("testdata/cgroup.other", true) + assert.Nil(t, err) + assert.Equal(t, "/other", val) + + _, err = getCgroupProcess("testdata/cgroup.empty", true) + assert.NotNil(t, err) +} diff --git a/utils/utils_windows.go b/utils/utils_windows.go index 2c159ab06..1d017f5ae 100644 --- a/utils/utils_windows.go +++ b/utils/utils_windows.go @@ -17,6 +17,10 @@ func GetOwnCgroup() (string, error) { return "", errors.New("not implemented for windows") } +func GetOwnCgroupDisallowRoot() (string, error) { + return "", errors.New("not implemented for windows") +} + func GetCgroupProcess(pid int) (string, error) { return "", errors.New("not implemented for windows") } |