| Commit message (Collapse) | Author | Age |
|\
| |
| | |
update seccomp.json
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Merge the following changes from the upstream Moby seccomp profile:
* commit b2a907c8cab6 ("Whitelist statx syscall for libseccomp-2.3.3
onward")
* commit 47dfff68e436 ("Whitelist syscalls linked to CAP_SYS_NICE in
default seccomp profile")
* commit ccd22ffcc8b5 ("Move the syslog syscall to be gated by
CAP_SYS_ADMIN or CAP_SYSLOG")
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
|
|\ \
| | |
| | | |
Touch up --log* options and daemons in man pages
|
|/ /
| |
| |
| | |
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
|
|\ \
| | |
| | | |
Fix run --hostname test that started failing post-merge
|
|/ /
| |
| |
| | |
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|\ \
| | |
| | | |
Don't fail if /etc/passwd or /etc/group does not exists
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Container images can be created without passwd or group file, currently
if one of these containers gets run with a --user flag the container blows
up complaining about t a missing /etc/passwd file.
We just need to check if the error on read is ENOEXIST then allow the
read to return, not fail.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \
| | | |
| | | | |
move defer'd function declaration ahead of prepare error return
|
| |/ /
| | |
| | |
| | | |
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \ \
| | | |
| | | | |
Do not call out to runc for sync
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When we read the conmon error status file, if Atoi fails to parse
the string we read from the file as an int, print the string as
part of the error message so we know what might have gone wrong.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Instead of running a full sync after starting a container to pick
up its PID, grab it from Conmon instead.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When we scan a container in runc and see that it no longer
exists, we already set ContainerStatusExited to indicate that it
no longer exists in runc. Now, also set an exit code and exit
time, so PS output will make some sense.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When syncing container state, we normally call out to runc to see
the container's status. This does have significant performance
implications, though, and we've seen issues with large amounts of
runc processes being spawned.
This patch attempts to use stat calls on the container exit file
created by Conmon instead to sync state. This massively decreases
the cost of calling updateContainer (it has gone from an
almost-unconditional fork/exec of runc to a single stat call that
can be avoided in most states).
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
After stopping containers, we run updateContainerStatus to sync
our state with runc (pick up exit code, for example). Then we
proceed to not save this to the database, requiring us to grab it
again on the next sync. This should remove the need to read the
exit file more than once.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
|\ \ \
| | | |
| | | | |
Remove conmon cgroup before pod cgroup for cgroupfs
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
For pods using cgroupfs, we were seeing some error messages in CI
from an inability to remove the pod CGroup, which was traced down
to the conmon cgroup still being present as a child. Try to
remove these error messages and ensure successful CGroup deletion
by removing the conmon CGroup first, then the pod cgroup.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
|\ \ \ \
| | | | |
| | | | | |
rootless: don't bind mount /sys/fs/cgroup/systemd in systemd mode
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
systemd requires /sys/fs/cgroup/systemd to be writeable.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
it is not writeable by non-root users so there is no point in having
access to it from a container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \ \
| |_|/ /
|/| | | |
Add hostname to /etc/hosts
|
| | |/
| |/|
| | |
| | | |
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
|\ \ \
| | | |
| | | | |
Temporarily fix the Python tests to fix some PRs
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The Python podman bindings have issues around kill - specifically
attempting to make it act like stop, when it should not. We
provide no guarantee of what state a container if in after kill -
it should be stopped, but we might have sent something that's not
SIGKILL. If you want a container or pod stopped, guaranteed, use
Stop().
The Python code attempted to ensure a container was actually
stopped after kill was run, which runs counter the above. This
was holding up some PRs that caused changes in how libpod obtains
its state, so for now, change pod kill to pod stop until the
proper changes in the Python code can be made.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
|\ \ \
| |/ /
|/| | |
Cirrus-CI: Add option to run system-tests
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Normally, we would not run system-tests as part of PR-level CI, they're
simply too heavy-weight and complex. However, in some instances it may
be desirable to provide a quick feedback loop, prior to release packaging
and official testing. Enable this by executing the system-tests when
a magic string is present in the PR description:
``***CIRRUS: SYSTEM TEST***``
Signed-off-by: Chris Evich <cevich@redhat.com>
|
|\ \ \
| |_|/
|/| | |
Fix cleanup for "Pause a bunch of running containers"
|
|/ /
| |
| |
| |
| |
| |
| |
| | |
When running integration tests in our CI, we observe a problem where paused containers
are not able to be stopped; and therefore cannot be cleaned up. This leaves dangling mounts
and sometimes zombied conmon processes.
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \
| | |
| | | |
Add ChangeAction to parse sub-options from --change
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Covers both commit and import commands
* Cleaned up export command
* Removed unneeded calls to super().__init__()
Fixes #1702
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
|\ \ \
| | | |
| | | | |
`--interactive` shall keep STDIN attached even when not explicitly set
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Addressing:
podman run -it -a STDERR --rm alpine /bin/ash
hanging. As we droped stdin as soon as -a was used. Notice this is contrary to
what D-tool does and contrary to what podman help implies:
podman run --help | grep interact
--interactive, -i Keep STDIN open even if not attached
Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
|
|\ \ \ \
| |/ / /
|/| | | |
Do never override podman with docker
|
|/ / /
| | |
| | |
| | | |
Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
|
|\ \ \
| | | |
| | | | |
Fix long image name handling
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* Fixed issue where podman printed '<none>' and pypodman
skipped the image
* Fixed issue where port was printed in place of tags
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
Make kill, pause, and unpause parallel.
|
|/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Operations like kill, pause, and unpause -- which can operation on one or
more containers -- can greatly benefit from parallizing its main job (eq kill).
In the case of pauseand unpause, an --all option as was added. pause --all will
pause all **running** containers. And unpause --all will unpause all **paused**
containers.
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \ \ \
| |/ / /
|/| | | |
Make restart parallel and add --all
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When attempting to restart many containers, we can benefit from making
the restarts parallel. For convenience, two new options are added:
--all attempts to restart all containers
--run-only when used with --all will attempt to restart only running containers
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \ \ \
| |_|/ /
|/| | | |
replace quay.io/baude to quay.io/libpod
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
images used for our integration suite have moved from my work account
to a group organization called libpod.
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
Cirrus: Enable updating F28 image
|
| | |_|/
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Previously this was disabled as some package was breaking networking on
GCE after updating + rebooting. This is fixed now, so we should update
packages when building the fedora test VM image.
https://pagure.io/cloud-sig/issue/292
Signed-off-by: Chris Evich <cevich@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
Fix Cirrus/Packer VM image building
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Given frequent merges, it doesn't make sense to rebuild the VM testing
images every time. Instead, monitor the PR title and description for
a magic string, only triggering builds on a match:
***CIRRUS: REBUILD IMAGES***
Signed-off-by: Chris Evich <cevich@redhat.com>
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Normally cirrus will abort jobs if another push is made to a branch.
However, with image builds, other VMs are created/managed by packer.
Therefor if cirrus aborts a task, it's possible some packer managed VMs
will be left behind. Disable this behavior for image-building only.
Signed-off-by: Chris Evich <cevich@redhat.com>
|