* Add support to checkpoint/restore containers (Adrian Reber, 2018-10-03)
      runc uses CRIU to support checkpoint and restore of containers. This brings an initial checkpoint/restore implementation to podman.

      None of the additional runc flags are yet supported and container migration optimization (pre-copy/post-copy) is also left for the future.

      The current status is that it is possible to checkpoint and restore a container. I am testing on RHEL-7.x and as the combination of RHEL-7 and CRIU has seccomp troubles I have to create the container without seccomp.

      With the following steps I am able to checkpoint and restore a container:

        # podman run --security-opt="seccomp=unconfined" -d registry.fedoraproject.org/f27/httpd
        # curl -I 10.22.0.78:8080
        HTTP/1.1 403 Forbidden # <-- this is actually a good answer
        # podman container checkpoint <container>
        # curl -I 10.22.0.78:8080
        curl: (7) Failed connect to 10.22.0.78:8080; No route to host
        # podman container restore <container>
        # curl -I 10.22.0.78:8080
        HTTP/1.1 403 Forbidden

      I am using CRIU, runc and conmon from git. All required changes for checkpoint/restore support in podman have been merged in the corresponding projects.

      To have the same IP address in the restored container as before checkpointing, CNI is told which IP address to use.

      If the saved network configuration cannot be found during restore, the container is restored with a new IP address.

      For CRIU to restore established TCP connections the IP address of the network namespace used for restore needs to be the same. For TCP connections in the listening state the IP address can change.

      During restore only one network interface with one IP address is handled correctly. Support to restore containers with more advanced network configuration will be implemented later.

      v2:
       * comment typo
       * print debug messages during cleanup of restore files
       * use createContainer() instead of createOCIContainer()
       * introduce helper CheckpointPath()
       * do not try to restore a container that is paused
       * use existing helper functions for cleanup
       * restructure code flow for better readability
       * do not try to restore if checkpoint/inventory.img is missing
       * git add checkpoint.go restore.go

      v3:
       * move checkpoint/restore under 'podman container'

      v4:
       * incorporated changes from latest reviews

      Signed-off-by: Adrian Reber <areber@redhat.com>
* Merge pull request #1578 from baude/addubuntuci (OpenShift Merge Robot, 2018-10-03)
      Add Ubuntu-18.04 to CI testing
| * Add ability for ubuntu to be tested (baude, 2018-10-03)
      unfortunately the papr CI system cannot test ubuntu as a VM; therefore, this PR still keeps travis. but it does include fixes that will be required for running on modern versions of ubuntu.

      Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #1584 from giuseppe/drop-superflous-relabel (OpenShift Merge Robot, 2018-10-03)
      selinux: drop superflous relabel
| * selinux: drop superflous relabel (Giuseppe Scrivano, 2018-10-03)
      The same relabel is already done in writeStringToRundir so we don't need to do it twice. The version in writeStringToRundir takes into account the correct file path when using user namespaces.

      Closes: https://github.com/containers/libpod/pull/1584
      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1580 from giuseppe/rootless-always-set-XDG_RUNTIME_DIR (OpenShift Merge Robot, 2018-10-03)
      rootless: always set XDG_RUNTIME_DIR
| * rootless: always set XDG_RUNTIME_DIR (Giuseppe Scrivano, 2018-10-03)
      it is used internally by containers/image to locate the auth file.

      Closes: https://github.com/containers/libpod/issues/1457
      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1531 from mheon/add_exited_state (OpenShift Merge Robot, 2018-10-03)
      Add ContainerStateExited and OCI delete() in cleanup()
| * Fix python tests (Matthew Heon, 2018-10-02)
      Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Fix Wait() to allow Exited state as well as Stopped (Matthew Heon, 2018-10-02)
      Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Fix cleanupRuntime to only save if container is valid (Matthew Heon, 2018-10-02)
      We call cleanup() (which calls cleanupRuntime()) as part of removing containers, after the container has already been removed from the database. cleanupRuntime() tries to update and save the state, which obviously fails if the container no longer exists. Make the save() conditional on the container not being in the process of being removed.

      Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Fix bug with exited state and container remove (Matthew Heon, 2018-10-02)
      Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Address review comments and fix ps output (Matthew Heon, 2018-10-02)
      Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Add ContainerStateExited and OCI delete() in cleanup() (Matthew Heon, 2018-10-02)
      To work better with Kata containers, we need to delete() from the OCI runtime as a part of cleanup, to ensure resources aren't retained longer than they need to be.

      To enable this, we need to add a new state to containers, ContainerStateExited. Containers transition from ContainerStateStopped to ContainerStateExited via cleanupRuntime which is invoked as part of cleanup(). A container in the Exited state is identical to Stopped, except it has been removed from the OCI runtime and thus will be handled differently when initializing the container.

      Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Merge pull request #1528 from baude/runlabel (OpenShift Merge Robot, 2018-10-02)
      Add container runlabel command
| * | Add container runlabel command (baude, 2018-09-28)
      Execute the command as described by a container image. The value of the label is processed into a command by:

      1. Ensuring the first argument of the command is podman.
      2. Substituting any variables with those defined by the environment or otherwise.

      If no label exists in the container image, nothing is done.

        podman container runlabel LABEL IMAGE extra_args

      Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #1562 from mheon/update_install_instructions (OpenShift Merge Robot, 2018-10-02)
      Update docs to build a runc that works with systemd
| * | | Update docs to build a runc that works with systemd (Matthew Heon, 2018-10-01)
      Runc disables systemd cgroup support when built statically, so don't tell people to do that now that we're defaulting to systemd for cgroup management.

      Also, fix some error messages to use the proper ID() call for containers.

      Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | | | Merge pull request #1576 from rhatdan/label (OpenShift Merge Robot, 2018-10-02)
      Disable SELinux labeling if --privileged
| * | | Disable SELinux labeling if --privileged (Daniel J Walsh, 2018-10-02)
      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #1563 from jwhonce/wip/pods (OpenShift Merge Robot, 2018-10-02)
      Implement pod varlink bindings
| * | | | * Update documenation (Jhon Honce, 2018-10-01)
      Signed-off-by: Jhon Honce <jhonce@redhat.com>
| * | | | Implement pod varlink bindings (Jhon Honce, 2018-10-01)
      * Update varlink document
      * Add NoContainersInPod error in go and python
      * Add support for varlink pod interface
      * New code passes pylint
      * Fix bug in test_runner.sh
      * Update integration tests for race condition on status check
      * Add missing port config file support

      Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | Merge pull request #1577 from rhatdan/hooks (OpenShift Merge Robot, 2018-10-02)
      Need to allocate memory for hook struct
| * | | | Need to allocate memory for hook struct (Daniel J Walsh, 2018-10-02)
      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #1547 from giuseppe/rootless-error-on-invalid-resources (OpenShift Merge Robot, 2018-10-02)
      rootless: raise an error when trying to use cgroups
| * | | rootless: raise an error when trying to use cgroups (Giuseppe Scrivano, 2018-10-01)
      https://github.com/containers/libpod/issues/1429#issuecomment-424040416

      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #1568 from rhatdan/kill (OpenShift Merge Robot, 2018-10-01)
      Add --all flag to podman kill
| * | | Add --all flag to podman kill (Daniel J Walsh, 2018-09-30)
      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #1571 from giuseppe/runtime-fix-runc-msg (OpenShift Merge Robot, 2018-10-01)
      runtime: fix message which assumes the runtime is runc
| * | | runtime: fix message which assumes the runtime is runc (Giuseppe Scrivano, 2018-10-01)
      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #1569 from TomSweeneyRedHat/dev/tsweeney/readme.io (OpenShift Merge Robot, 2018-09-29)
      Add podman.io to README.md
| * | Add podman.io to README.md (TomSweeneyRedHat, 2018-09-29)
      Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* | Merge pull request #1567 from rhatdan/vendor (OpenShift Merge Robot, 2018-09-29)
      Vendor in the latest containers/storage, image and buildah
| * Vendor in the latest containers/storage, image and buildah (Daniel J Walsh, 2018-09-29)
      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1551 from baude/complexnames (OpenShift Merge Robot, 2018-09-28)
      run complex image names with short names
| * run complex image names with short names (baude, 2018-09-28)
      In cases where the image name is more complex like: quay/baude/alpine_nginx:latest and is not from the docker registry, we need to be able to run the image by its shortname such as baude/alpine_nginx. The same goes when the image is not from a registry but instead has the localhost repository.

      This resolves buildah issue #1034

      Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #1561 from baude/addbuildahdisttoinfo (OpenShift Merge Robot, 2018-09-28)
      Add buildah version and distribution to info
| * Add buildah version and distribution to info (baude, 2018-09-28)
      For the sake of debug and problem reporting, we would benefit from knowing what buildah version was vendored into podman. Also, knowing the distribution and distribution version would also be handy.

      Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1556 from baude/disablecentos7 (OpenShift Merge Robot, 2018-09-28)
      Disable CentOS7 VM testing
| * Disable Fedora 29 and CentOS7 VM testing (baude, 2018-09-27)
      Due to packaging levels of container-selinux, we have a systemic failure in the podman integration tests. We have decided to disable this test until this problem can be sorted out.

      Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1559 from rhatdan/spc (Matthew Heon, 2018-09-27)
      podman runs disabled containers and privileged containers as spc_t
| * podman runs disabled containers and privileged containers as spc_t (Daniel J Walsh, 2018-09-27)
      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1549 from mheon/update_owners (Daniel J Walsh, 2018-09-27)
      Update the OWNERS file so bot assigns sane reviewers
| * Update the OWNERS file so bot assigns sane reviewers (Matthew Heon, 2018-09-26)
      The Openshift bot assigns reviewers to each PR seemingly based on this file, which means right now it's picking runcom and jwhonce to review every PR, not our maintainers. Set said maintainers as reviewers instead.

      Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Merge pull request #818 from wking/python-2-clean (Matthew Heon, 2018-09-27)
      Makefile: Call contrib/python's clean regardless of HAS_PYTHON3
| * contrib/python/*/Makefile: Fallback to unversioned 'python' (W. Trevor King, 2018-09-13)
      And pull these from the PATH by default. This way systems like CentOS that don't have a python3 can still execute 'make clean', which doesn't care about the Python major version.

      The setup.py shebang, mode change, and ./ prefixing helps address cases where PYTHON is empty. This could be the result of improper user configuration:

        $ make PYTHON='' clean

      It could also be the state on systems with no Python installed, in which case you'll see:

        $ make PYTHON='' clean
        ./setup.py clean --all
        /usr/bin/env: 'python': No such file or directory
        make: *** [Makefile:13: clean] Error 127

      I've also shifted the Python invocations to the end of the clean recipes so that as much as possible gets cleaned up even on systems without Python installed.

      Signed-off-by: W. Trevor King <wking@tremily.us>
| * Makefile: Drop PYTHON (W. Trevor King, 2018-09-13)
      This line landed in 8493dba2 (Initial varlink implementation, 2018-03-26, #627), but this Makefile has never consumed that variable.

      Signed-off-by: W. Trevor King <wking@tremily.us>
| * Makefile: Call contrib/python's clean regardless of HAS_PYTHON3 (W. Trevor King, 2018-09-13)
      The only Python dependency in contrib/python's clean is:

        $(PYTHON) setup.py clean --all

      and our setup.pys work on both major Python versions:

        $ make -C contrib/python/podman PYTHON=python2 clean
        make: Entering directory `/.../libpod/contrib/python/podman'
        python2 setup.py clean --all
        /usr/lib64/python2.7/distutils/dist.py:267: UserWarning: Unknown distribution option: 'python_requires'
          warnings.warn(msg)
        running clean
        'build/lib' does not exist -- can't clean it
        'build/bdist.linux-x86_64' does not exist -- can't clean it
        'build/scripts-2.7' does not exist -- can't clean it
        rm -rf podman.egg-info dist
        find . -depth -name __pycache__ -exec rm -rf {} \;
        find . -depth -name \*.pyc -exec rm -f {} \;
        make: Leaving directory `/.../libpod/contrib/python/podman'
        $ echo $?
        0
        $ make -C contrib/python/pypodman PYTHON=python2 clean
        make: Entering directory `/.../libpod/contrib/python/pypodman'
        python2 setup.py clean --all
        /usr/lib64/python2.7/distutils/dist.py:267: UserWarning: Unknown distribution option: 'python_requires'
          warnings.warn(msg)
        running clean
        removing 'build/lib' (and everything under it)
        removing 'build/bdist.linux-x86_64' (and everything under it)
        'build/scripts-2.7' does not exist -- can't clean it
        removing 'build'
        rm -rf pypodman.egg-info dist
        find . -depth -name __pycache__ -exec rm -rf {} \;
        find . -depth -name \*.pyc -exec rm -f {} \;
        make: Leaving directory `/.../libpod/contrib/python/pypodman'
        $ echo $?
        0

      This rolls back part of 390bd16d (tidy up the copr spec, 2018-05-20, #813).

      I've also shifted the submake cleans to the end of the main clean recipe. That way, if one of the submake cleans dies (e.g. because the system lacks Python entirely), the temp-file removal will still happen.

      The way I have it setup now, the podman clean dying will keep any of the pypodman clean from happening. You could probably work around that with something like:

        $(MAKE) -C contrib/python/podman clean & \
        $(MAKE) -C contrib/python/pypodman clean & \
        wait

      but that seems too fancy for such a corner case.

      Signed-off-by: W. Trevor King <wking@tremily.us>
* | rework CI tests to test on VMs (baude, 2018-09-26)
      This PR makes several key changes to our CI testing. Firstly, we now test podman on fedora 28, fedora 29, and centos VMS (rather than containers). Any of these that have failing tests are not marked as required yet. We still preserve the podman in podman and podman in docker tests as well and they are marked as required.

      The lint and validate work is now done on an openshift container. We also removed the rpm verification on papr and perform this test under the "images" test on the openshift ci.

      This PR exposes integration test fails on some of our OSs. My expectation is we will fix those in additional PRs and as they are fixed, we should be flipping the boolean bit to required.

      Signed-off-by: baude <bbaude@redhat.com>

      Closes: #1492
      Approved by: mheon