* podman: fix memleak caused by renaming and not deleting the exit file (Matthew Heon, 2019-07-31)

  If the container exit code needs to be retained, it cannot be retained in tmpfs, because libpod runs in a memcg itself so it can't leave traces with a daemon-less design.

  This wasn't a memleak detectable by kmemleak for example. The kernel never lost track of the memory and there was no erroneous refcounting either. The reference count dependencies however are not easy to track because when a refcount is increased, there's no way to tell who's still holding the reference. In this case it was a single page of tmpfs pagecache holding a refcount that kept pinned a whole hierarchy of dying memcg, slab kmem, cgroups, unreachable kernfs nodes and the respective dentries and inodes.

  Such a problem wouldn't happen if the exit file was stored in a regular filesystem because the pagecache could be reclaimed in such case under memory pressure. The tmpfs page can be swapped out, but that's not enough to release the memcg with CONFIG_MEMCG_SWAP_ENABLED=y. No amount of more aggressive kernel slab shrinking could have solved this. Not even assigning slab kmem of dying cgroups to alive cgroup would fully solve this. The only way to free the memory of a dying cgroup when a struct page still references it, would be to loop over all "struct page" in the kernel to find which one is associated with the dying cgroup which is a O(N) operation (where N is the number of pages and can reach billions). Linking all the tmpfs pages to the memcg would cost less during memcg offlining, but it would waste lots of memory and CPU globally. So this can't be optimized in the kernel.

  A cronjob running this command can act as workaround and will allow all slab cache to be released, not just the single tmpfs pages.

      rm -f /run/libpod/exits/*

  This patch solved the memleak with a reproducer, booting with cgroup.memory=nokmem and with selinux disabled.

  The reason memcg kmem and selinux were disabled for testing of this fix, is because kmem greatly decreases the kernel effectiveness in reusing partial slab objects. cgroup.memory=nokmem is strongly recommended at least for workstation usage. selinux needs to be further analyzed because it causes further slab allocations.

  The upstream podman commit used for testing is 1fe2965e4f672674f7b66648e9973a0ed5434bb4 (v1.4.4). The upstream kernel commit used for testing is f16fea666898dbdd7812ce94068c76da3e3fcf1e (v5.2-rc6).

  Reported-by: Michele Baldessari <michele@redhat.com>
  Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>

  <Applied with small tweaks to comments>

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3682 from cevich/fix_release_rerun (OpenShift Merge Robot, 2019-07-31)

  Cirrus: Fix re-run of release task into no-op.
* Cirrus: Fix release dependencies (Chris Evich, 2019-07-31)

  The release-task ***must*** always execute last, in order to guarantee a consistent cache of release archives from dependent tasks. It accomplishes this by verifying its task-number matches one-less than the total number of tasks.

  Previous to this commit, a YAML anchor/alias was used to avoid duplication of the dependency list between 'success' and 'release'. However, it's been observed that this opens the possibility for 'release' and 'success' tasks to race when running on a PR. Because YAML anchor/aliases cannot be used to modify lists, duplication is required to make 'release' actually depend upon 'success'.

  This duplication will introduce an additional maintenance burden. Though when adding a new task, it's already very easy to forget to update the 'depends_on' list. Assist both cases by the addition of unit-tests to verify ``.cirrus.yml`` dependency contents and structure.

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Cirrus: Fix re-run of release task into no-op. (Chris Evich, 2019-07-31)

  This task depends upon other tasks caching their binaries. If for whatever reason the `release` task is re-run and/or is out-of-order with its dependents, the state of cache will be undefined. Previously this would result in an error, and failing of the release task. This commit alters this behavior to issue a warning instead.

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #3672 from petejohanson/32bit-build-fixes (OpenShift Merge Robot, 2019-07-30)

  Build fix for 32-bit systems.
* Build fix for 32-bit systems. (Pete Johanson, 2019-07-30)

  * Fixes #3664.

  Signed-off-by: Pete Johanson <peter@peterjohanson.com>
* Merge pull request #3665 from QiWang19/env (OpenShift Merge Robot, 2019-07-30)

  Set -env variables as appropriate
* Set -env variables as appropriate (Qi Wang, 2019-07-30)

  close #3648

  podman create and podman run do not set --env variable if the environment is not present with a value

  Signed-off-by: Qi Wang <qiwan@redhat.com>
* Merge pull request #3661 from openSUSE/nixos-friendly-config (OpenShift Merge Robot, 2019-07-30)

  Update libpod.conf to be more friendly to NixOS
* Update libpod.conf to be NixOS friendly (Sascha Grunert, 2019-07-30)

  NixOS links the current system state to `/run/current-system`, so we have to add these paths to the configuration files as well to work out of the box.

  Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Merge pull request #3668 from TomSweeneyRedHat/dev/tsweeney/adderror (OpenShift Merge Robot, 2019-07-30)

  Touch up input argument error on create
* Touch up input argument error on create (TomSweeneyRedHat, 2019-07-30)

  Add an error when there are not enough input arguments for remote create. Addresses comments in #3656

  Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* Merge pull request #3667 from major/test-with-username-has-dash (OpenShift Merge Robot, 2019-07-30)

  Allow info test to work with usernames w/dash
* Allow info test to work with usernames w/dash (Major Hayden, 2019-07-29)

  The regular expression used in the `info` test does not allow for usernames that have a dash, such as `test-user`. This patch adjusts the regex to allow for a dash.

  Fixes #3666.

  Signed-off-by: Major Hayden <major@redhat.com>
* Merge pull request #3656 from jwhonce/wip/env (OpenShift Merge Robot, 2019-07-29)

  Fix commit --changes env=X=Y
* Fix commit --changes env=X=Y (Jhon Honce, 2019-07-26)

  Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Merge pull request #3660 from LaszloGombos/master (OpenShift Merge Robot, 2019-07-29)

  Fix the syntax in the podman export documentation example
* Fix the syntax in the podman export documentation example (Laszlo Gombos, 2019-07-29)

  Signed-off-by: Laszlo Gombos <laszlo.gombos@gmail.com>
* Merge pull request #3663 from adrianreber/random-test-ip (OpenShift Merge Robot, 2019-07-29)

  Move random IP code for tests from checkpoint to common
* Move random IP code for tests from checkpoint to common (Adrian Reber, 2019-07-29)

  The function to generate random IP addresses during ginkgo tests in the checkpoint test code is moved to common and all tests using hardcoded IP addresses have been changed to use random IP addresses to reduce test errors when running the tests in parallel.

  Signed-off-by: Adrian Reber <areber@redhat.com>
* Merge pull request #3646 from vrothberg/hi-scott (OpenShift Merge Robot, 2019-07-29)

  fix `podman -v` regression
* fix `podman -v` regression (Valentin Rothberg, 2019-07-29)

  Re-add the shortflag for --version and add e2e tests to avoid regressing in the future.

  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #3233 from wking/fatal-requested-hook-directory-does-not-exist (OpenShift Merge Robot, 2019-07-29)

  libpod/container_internal: Make all errors loading explicitly configured hook dirs fatal
* libpod/container_internal: Make all errors loading explicitly configured hook dirs fatal (W. Trevor King, 2019-05-29)

  Remove this IsNotExist out which was added along with the rest of this block in f6a2b6bf2b (hooks: Add pre-create hooks for runtime-config manipulation, 2018-11-19, #1830). Besides the obvious "hook directory does not exist", it was swallowing the less-obvious "hook command does not exist". And either way, folks are likely going to want non-zero podman exits when we fail to load a hook directory they explicitly pointed us towards.

  Signed-off-by: W. Trevor King <wking@tremily.us>
* Merge pull request #3650 from cevich/fix_clone_depth (OpenShift Merge Robot, 2019-07-29)

  Cirrus: Remove fixed clone depth
* Cirrus: Remove fixed clone depth (Chris Evich, 2019-07-26)

  It's been observed on several occasions, some tests fail in git clones with a "cannot find ref" type error. Especially in the depth=1 cases. Since there's really only one place where limiting the depth makes sense (build-each-commit), simply remove all the other limits.

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #3654 from TomSweeneyRedHat/dev/tsweeney/commandpause (OpenShift Merge Robot, 2019-07-28)

  Update pause/unpause video links and demo
* Update pause/unpause video links and demo (TomSweeneyRedHat, 2019-07-26)

  Update the links for the asciinema casts and the demo for the `podman pause` and `podman unpause` commands on the commands.md page.

  Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* Merge pull request #3639 from giuseppe/user-ns-container (OpenShift Merge Robot, 2019-07-26)

  podman: support --userns=ns|container
* podman: support --userns=ns|container (Giuseppe Scrivano, 2019-07-25)

  allow to join the user namespace of another container.

  Closes: https://github.com/containers/libpod/issues/3629

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* pods: do not join a userns if there is not any (Giuseppe Scrivano, 2019-07-25)

  do not attempt to join the user namespace if the pod is running in the host user namespace.

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3632 from cevich/small_cirrus_fixes (OpenShift Merge Robot, 2019-07-26)

  Small cirrus and image-build fixes
* Cirrus: Bypass release during image-building (Chris Evich, 2019-07-25)

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Cirrus: Ubuntu: Set + Test for $RUNC_BINARY (Chris Evich, 2019-07-25)

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Cirrus: Simplify evil-unit check in image (Chris Evich, 2019-07-25)

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Cirrus: Silence systemd-banish noise (Chris Evich, 2019-07-25)

  It's somewhat hard to predict which units are certainly present for any given base-image. Therefore, at image-build time, it's distracting and unhelpful to see all the errors about units that don't exist, on every platform. Simply ignore them and rely on the `check_image.sh` test to confirm none are enabled.

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Cirrus: Fix image build metadata update (Chris Evich, 2019-07-25)

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Cirrus: Fix missing -n on CentOS (Chris Evich, 2019-07-25)

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Cirrus: Remove disused COMMIT variables (Chris Evich, 2019-07-25)

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #3627 from ashley-cui/rmdocs (OpenShift Merge Robot, 2019-07-26)

  Documentation & make tar.gz for remote
* Documentation & build automation for remote darwin (Ashley Cui, 2019-07-25)

  Created shell script to automatically compile remote-only docs & rename
  Added make brew-pkg to automatically package files needed for homebrew
  Add missing docs

  Signed-off-by: Ashley Cui <ashleycui16@gmail.com>
* Merge pull request #3645 from mheon/systemd_ubuntu (OpenShift Merge Robot, 2019-07-26)

  Use systemd cgroups for Ubuntu
* Use systemd cgroups for Ubuntu (Matthew Heon, 2019-07-25)

  It seems like our VM images now support systemd CGroups with the Ubuntu LTS images. No reason to keep testing CGroupfs as such, systemd is much less racy (and CGroupfs on systemd-enabled systems can be iffy).

  Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #3580 from samc24/hook (OpenShift Merge Robot, 2019-07-26)

  Improved hooks monitoring
* Improved hooks monitoring (samc24, 2019-07-25)

  ...to work for specific edge cases with a simpler solution. Re-reads hooks directories after any changes are detected by the watchers. Added monitoring test for adding a different invalid hook to primary directory.

  Some issues with prior code:
  - ReadDir would stop when it encounters an invalid hook, rather than registering an error but continuing to read the valid hook.
  - Wouldn’t account for Rename and Chmod events.
  - After doing a mv of the hooks file instead of rm, it would still think the hooks file is in the directory, but it has been moved to another location.
  - If a hook file was renamed, it would register the renamed file as a separate hook and not delete the original, so it would then execute the hook twice - once for the renamed file, and once for the original name which it did not delete.

  Signed-off-by: samc24 <sam.chaturvedi24@gmail.com>
* Merge pull request #3643 from openSUSE/history-panic (OpenShift Merge Robot, 2019-07-25)

  Fix possible runtime panic if image history len is zero
* Fix possible runtime panic if image history len is zero (Sascha Grunert, 2019-07-25)

  We now return an empty string for the `Comment` field if an OCI v1 image contains no history.

  Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Merge pull request #3631 from TristanCacqueray/master (OpenShift Merge Robot, 2019-07-25)

  Document SELinux label requirements for the rootfs argument
* Document SELinux label requirements for the rootfs argument (Tristan Cacqueray, 2019-07-24)

  When using the rootfs argument, SELinux systems fail silently when the files are not properly labeled.

  Related #3628

  Signed-off-by: Tristan Cacqueray <tdecacqu@redhat.com>
* Merge pull request #3622 from QiWang19/checkurl (OpenShift Merge Robot, 2019-07-25)

  fix import not ignoring url path