summaryrefslogtreecommitdiff
path: root/libpod/container_internal.go
Commit message (Collapse)AuthorAge
* pod: add exit policiesValentin Rothberg2022-05-02
| | | | | | | | | | | | | | | | | | | | | | | | Add the notion of an "exit policy" to a pod. This policy controls the behaviour when the last container of pod exits. Initially, there are two policies: - "continue" : the pod continues running. This is the default policy when creating a pod. - "stop" : stop the pod when the last container exits. This is the default behaviour for `play kube`. In order to implement the deferred stop of a pod, add a worker queue to the libpod runtime. The queue will pick up work items and in this case helps resolve dead locks that would otherwise occur if we attempted to stop a pod during container cleanup. Note that the default restart policy of `play kube` is "Always". Hence, in order to really solve #13464, the YAML files must set a custom restart policy; the tests use "OnFailure". Fixes: #13464 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Merge pull request #13973 from Luap99/linter-reviveOpenShift Merge Robot2022-04-23
|\ | | | | replace golint with revive linter
| * replace golint with revive linterPaul Holzinger2022-04-22
| | | | | | | | | | | | | | | | | | | | | | | | golint, scopelint and interfacer are deprecated. golint is replaced by revive. This linter is better because it will also check for our error style: `error strings should not be capitalized or end with punctuation or a newline` scopelint is replaced by exportloopref (already endabled) interfacer has no replacement but I do not think this linter is important. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | use etchosts package from c/commonPaul Holzinger2022-04-22
|/ | | | | | | | | | | | | | | | | | | | Use the new logic from c/common to create the hosts file. This will help to better allign the hosts files between buildah and podman. Also this fixes several bugs: - remove host entries when container is stopped and has a netNsCtr - add entries for containers in a pod - do not duplicate entries in the hosts file - use the correct slirp ip when an userns is used Features: - configure host.containers.internal entry in containers.conf - configure base hosts file in containers.conf Fixes #12003 Fixes #13224 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Add support for checkpoint imageRadostin Stoyanov2022-04-20
| | | | | | | | | | | | | | | | | | | | | | | | This is an enhancement proposal for the checkpoint / restore feature of Podman that enables container migration across multiple systems with standard image distribution infrastructure. A new option `--create-image <image>` has been added to the `podman container checkpoint` command. This option tells Podman to create a container image. This is a standard image with a single layer, tar archive, that that contains all checkpoint files. This is similar to the current approach with checkpoint `--export`/`--import`. This image can be pushed to a container registry and pulled on a different system. It can also be exported locally with `podman image save` and inspected with `podman inspect`. Inspecting the image would display additional information about the host and the versions of Podman, criu, crun/runc, kernel, etc. `podman container restore` has also been extended to support image name or ID as input. Suggested-by: Adrian Reber <areber@redhat.com> Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
* Add support for ipc namespace modes "none, private, sharable"Daniel J Walsh2022-04-12
| | | | | | Fixes: #13265 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* fix pod volume passing and alter infra inheritancecdoern2022-03-29
| | | | | | | | | | | | | the infra Inherit function was not properly passing pod volume information to new containers alter the inherit function and struct to use the new `ConfigToSpec` function used in clone pick and choose the proper entities from a temp spec and validate them on the spegen side rather than passing directly to a config resolves #13548 Signed-off-by: cdoern <cbdoer23@g.holycross.edu> Signed-off-by: cdoern <cdoern@redhat.com> Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* Switch all calls to filepath.Walk to filepath.WalkDirDaniel J Walsh2022-03-27
| | | | | | | | | WalkDir should be faster the Walk, since we often do not need to stat files. [NO NEW TESTS NEEDED] Existing tests should find errors. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #13585 from flouthoc/fix-no-healthcheckOpenShift Merge Robot2022-03-22
|\ | | | | healthcheck: stop showing wrong status when `--no-healthcheck` is set
| * healthcheck: stop showing wrong status when --no-healthcheck is setAditya R2022-03-22
| | | | | | | | | | | | | | | | | | | | | | Containers started with `--no-healthcheck` are configured to contain no healthcheck and test configured as `NONE`. Podman shows wrong status as such use cases. Following commit fixes the faulty behavior of stauts field for containers started with `--no-healthcheck` Signed-off-by: Aditya R <arajan@redhat.com>
* | libpod: drop warning for Fedora 31Giuseppe Scrivano2022-03-21
|/ | | | | | | | drop a warning for runc not supporting cgroup v2 on Fedora 31. [NO NEW TESTS NEEDED] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Implement Podman Container Clonecdoern2022-02-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman container clone takes the id of an existing continer and creates a specgen from the given container's config recreating all proper namespaces and overriding spec options like resource limits and the container name if given in the cli options this command utilizes the common function DefineCreateFlags meaning that we can funnel as many create options as we want into clone over time allowing the user to clone with as much or as little of the original config as they want. container clone takes a second argument which is a new name and a third argument which is an image name to use instead of the original container's the current supported flags are: --destroy (remove the original container) --name (new ctr name) --cpus (sets cpu period and quota) --cpuset-cpus --cpu-period --cpu-rt-period --cpu-rt-runtime --cpu-shares --cpuset-mems --memory --run resolves #10875 Signed-off-by: cdoern <cdoern@redhat.com> Signed-off-by: cdoern <cbdoer23@g.holycross.edu> Signed-off-by: cdoern <cdoern@redhat.com>
* bump go module to version 4Valentin Rothberg2022-01-18
| | | | | | | | | | | | | Automated for .go files via gomove [1]: `gomove github.com/containers/podman/v3 github.com/containers/podman/v4` Remaining files via vgrep [2]: `vgrep github.com/containers/podman/v3` [1] https://github.com/KSubedi/gomove [2] https://github.com/vrothberg/vgrep Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Standardize on capatalized CgroupsDaniel J Walsh2022-01-14
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #12733 from rhatdan/copyOpenShift Merge Robot2022-01-07
|\ | | | | Set volume NeedsCopyUp to false iff data was copied up
| * Set volume NeedsCopyUp to false iff data was copied upDaniel J Walsh2022-01-06
| | | | | | | | | | | | | | | | | | | | | | | | Currently Docker copies up the first volume on a mountpoint with data. Fixes: https://github.com/containers/podman/issues/12714 Also added NeedsCopyUP, NeedsChown and MountCount to the podman volume inspect code. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Prevent double decoding of storage optionsRiyad Preukschas2022-01-07
|/ | | | | | [NO NEW TESTS NEEDED] see #11991 Signed-off-by: Riyad Preukschas <riyad@informatik.uni-bremen.de>
* Support all volume mounts for rootless containersDaniel J Walsh2022-01-04
| | | | | | | | | | | | | Fix handling of "bind" and "tmpfs" olumes to actually work. Allow bind, tmpfs local volumes to work in rootless mode. Also removed the string "error" from all error messages that begine with it. All Podman commands are printed with Error:, so this causes an ugly stutter. Fixes: https://github.com/containers/podman/issues/12013 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #12625 from adrianreber/2021-12-16-podman-inspectOpenShift Merge Robot2021-12-17
|\ | | | | Add more checkpoint/restore information to 'inspect'
| * Add more checkpoint/restore information to 'inspect'Adrian Reber2021-12-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds the following information to the output of 'podman inspect': * CheckpointedAt - time the container was checkpointed Only set if the container has been checkpointed * RestoredAt - time the container was restored Only set if the container has been restored * CheckpointLog - path to the checkpoint log file (CRIU's dump.log) Only set if the log file exists (--keep) * RestoreLog - path to the restore log file (CRIU's restore.log) Only set if the log file exists (--keep) * CheckpointPath - path to the actual (CRIU) checkpoint files Only set if the checkpoint files exists (--keep) * Restored - set to true if the container has been restored Only set if the container has been restored Signed-off-by: Adrian Reber <areber@redhat.com>
* | Removed .service file for healthchecksBrent Baude2021-12-16
|/ | | | | | | | | | when a container with healthchecks exits due to stopping or failure, we need the cleanup process to remove both the timer file and the service file. Bz#:2024229 Signed-off-by: Brent Baude <bbaude@redhat.com>
* container restore/import: store networks from dbPaul Holzinger2021-12-14
| | | | | | | | It is important that we store the current networks from the db in the config. Also make sure to properly handle aliases and ignore static ip/mac addresses. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Update vendor or containers/common moving pkg/cgroups thereDaniel J Walsh2021-12-07
| | | | | | | [NO NEW TESTS NEEDED] This is just moving pkg/cgroups out so existing tests should be fine. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rename libpod nettypes fieldsPaul Holzinger2021-11-16
| | | | | | | | | | Some field names are confusing. Change them so that they make more sense to the reader. Since these fields are only in the main branch we can safely rename them without worrying about backwards compatibility. Note we have to change the field names in netavark too. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Added optional container restore statisticsAdrian Reber2021-11-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds the parameter '--print-stats' to 'podman container restore'. With '--print-stats' Podman will measure how long Podman itself, the OCI runtime and CRIU requires to restore a checkpoint and print out these information. CRIU already creates process restore statistics which are just read in addition to the added measurements. In contrast to just printing out the ID of the restored container, Podman will now print out JSON: # podman container restore --latest --print-stats { "podman_restore_duration": 305871, "container_statistics": [ { "Id": "47b02e1d474b5d5fe917825e91ac653efa757c91e5a81a368d771a78f6b5ed20", "runtime_restore_duration": 140614, "criu_statistics": { "forking_time": 5, "restore_time": 67672, "pages_restored": 14 } } ] } The output contains 'podman_restore_duration' which contains the number of microseconds Podman required to restore the checkpoint. The output also includes 'runtime_restore_duration' which is the time the runtime needed to restore that specific container. Each container also includes 'criu_statistics' which displays the timing information collected by CRIU. Signed-off-by: Adrian Reber <areber@redhat.com>
* libpod: create /etc/mtab safelyGiuseppe Scrivano2021-11-11
| | | | | | | | | | | make sure the /etc/mtab symlink is created inside the rootfs when /etc is a symlink. Closes: https://github.com/containers/podman/issues/12189 [NO NEW TESTS NEEDED] there is already a test case Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Fix rootless networking with userns and portsPaul Holzinger2021-11-09
| | | | | | | | A rootless container created with a custom userns and forwarded ports did not work. I refactored the network setup to make the setup logic more clear. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* pod/container create: resolve conflicts of generated namesValentin Rothberg2021-11-08
| | | | | | | | | | | Address the TOCTOU when generating random names by having at most 10 attempts to assign a random name when creating a pod or container. [NO TESTS NEEDED] since I do not know a way to force a conflict with randomly generated names in a reasonable time frame. Fixes: #11735 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* libpod: deduplicate ports in dbPaul Holzinger2021-10-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The OCICNI port format has one big problem: It does not support ranges. So if a users forwards a range of 1k ports with podman run -p 1001-2000 we have to store each of the thousand ports individually as array element. This bloats the db and makes the JSON encoding and decoding much slower. In many places we already use a better port struct type which supports ranges, e.g. `pkg/specgen` or the new network interface. Because of this we have to do many runtime conversions between the two port formats. If everything uses the new format we can skip the runtime conversions. This commit adds logic to replace all occurrences of the old format with the new one. The database will automatically migrate the ports to new format when the container config is read for the first time after the update. The `ParsePortMapping` function is `pkg/specgen/generate` has been reworked to better work with the new format. The new logic is able to deduplicate the given ports. This is necessary the ensure we store them efficiently in the DB. The new code should also be more performant than the old one. To prove that the code is fast enough I added go benchmarks. Parsing 1 million ports took less than 0.5 seconds on my laptop. Benchmark normalize PortMappings in specgen: Please note that the 1 million ports are actually 20x 50k ranges because we cannot have bigger ranges than 65535 ports. ``` $ go test -bench=. -benchmem ./pkg/specgen/generate/ goos: linux goarch: amd64 pkg: github.com/containers/podman/v3/pkg/specgen/generate cpu: Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz BenchmarkParsePortMappingNoPorts-12 480821532 2.230 ns/op 0 B/op 0 allocs/op BenchmarkParsePortMapping1-12 38972 30183 ns/op 131584 B/op 9 allocs/op BenchmarkParsePortMapping100-12 18752 60688 ns/op 141088 B/op 315 allocs/op BenchmarkParsePortMapping1k-12 3104 331719 ns/op 223840 B/op 3018 allocs/op BenchmarkParsePortMapping10k-12 376 3122930 ns/op 1223650 B/op 30027 allocs/op BenchmarkParsePortMapping1m-12 3 390869926 ns/op 124593840 B/op 4000624 allocs/op BenchmarkParsePortMappingReverse100-12 18940 63414 ns/op 141088 B/op 315 allocs/op BenchmarkParsePortMappingReverse1k-12 3015 362500 ns/op 223841 B/op 3018 allocs/op BenchmarkParsePortMappingReverse10k-12 343 3318135 ns/op 1223650 B/op 30027 allocs/op BenchmarkParsePortMappingReverse1m-12 3 403392469 ns/op 124593840 B/op 4000624 allocs/op BenchmarkParsePortMappingRange1-12 37635 28756 ns/op 131584 B/op 9 allocs/op BenchmarkParsePortMappingRange100-12 39604 28935 ns/op 131584 B/op 9 allocs/op BenchmarkParsePortMappingRange1k-12 38384 29921 ns/op 131584 B/op 9 allocs/op BenchmarkParsePortMappingRange10k-12 29479 40381 ns/op 131584 B/op 9 allocs/op BenchmarkParsePortMappingRange1m-12 927 1279369 ns/op 143022 B/op 164 allocs/op PASS ok github.com/containers/podman/v3/pkg/specgen/generate 25.492s ``` Benchmark convert old port format to new one: ``` go test -bench=. -benchmem ./libpod/ goos: linux goarch: amd64 pkg: github.com/containers/podman/v3/libpod cpu: Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz Benchmark_ocicniPortsToNetTypesPortsNoPorts-12 663526126 1.663 ns/op 0 B/op 0 allocs/op Benchmark_ocicniPortsToNetTypesPorts1-12 7858082 141.9 ns/op 72 B/op 2 allocs/op Benchmark_ocicniPortsToNetTypesPorts10-12 2065347 571.0 ns/op 536 B/op 4 allocs/op Benchmark_ocicniPortsToNetTypesPorts100-12 138478 8641 ns/op 4216 B/op 4 allocs/op Benchmark_ocicniPortsToNetTypesPorts1k-12 9414 120964 ns/op 41080 B/op 4 allocs/op Benchmark_ocicniPortsToNetTypesPorts10k-12 781 1490526 ns/op 401528 B/op 4 allocs/op Benchmark_ocicniPortsToNetTypesPorts1m-12 4 250579010 ns/op 40001656 B/op 4 allocs/op PASS ok github.com/containers/podman/v3/libpod 11.727s ``` Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #11956 from vrothberg/pauseOpenShift Merge Robot2021-10-27
|\ | | | | remove need to download pause image
| * overlay root fs: create mount on runtime dirValentin Rothberg2021-10-26
| | | | | | | | | | | | | | | | | | | | | | Make sure to create the mounts for containers with an overlay root FS in the runtime dir (e.g., /run/user/1000/...) to guarantee that we can actually overlay mount on the specific path which is not the case for the graph root. [NO NEW TESTS NEEDED] since it is not a user-facing change. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Allow 'container restore' with '--ipc host'Adrian Reber2021-10-26
|/ | | | | | | | | | | | | | | | | | Trying to restore a container that was started with '--ipc host' fails with: Error: error creating container storage: ProcessLabel and Mountlabel must either not be specified or both specified We already fixed this exact same error message for containers started with '--privileged'. The previous fix was to check if the to be restored container is a privileged container (c.config.Privileged). Unfortunately this does not work for containers started with '--ipc host'. This commit changes the check for a privileged container to check if both the ProcessLabel and the MountLabel is actually set and only then re-uses those labels. Signed-off-by: Adrian Reber <areber@redhat.com>
* Merge pull request #11991 from rhatdan/sizeOpenShift Merge Robot2021-10-22
|\ | | | | Allow API to specify size and inode quota
| * Allow API to specify size and inode quotaDaniel J Walsh2021-10-18
| | | | | | | | | | | | | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/11016 [NO NEW TESTS NEEDED] We have no easy way to tests this in CI/CD systems. Requires quota to be setup on directories to work. Fixes: https://github.com/containers/podman/issues/11016 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #11851 from cdoern/podRmOpenShift Merge Robot2021-10-20
|\ \ | | | | | | Pod Rm Infra Handling Improvements
| * | Pod Rm Infra Improvementscdoern2021-10-18
| | | | | | | | | | | | | | | | | | | | | | | | Made changes so that if the pod contains all exited containers and only infra is running, remove the pod. resolves #11713 Signed-off-by: cdoern <cdoern@redhat.com>
* | | libpod: change mountpoint ownership c.Root when using overlay on top of ↵Aditya Rajan2021-10-19
| |/ |/| | | | | | | | | | | | | | | | | external rootfs Allow chainging ownership of mountpoint created on top external overlay rootfs to support use-cases when custom --uidmap and --gidmap are specified. Signed-off-by: Aditya Rajan <arajan@redhat.com>
* | rootfs-overlay: fix overlaybase path for cleanupsAditya Rajan2021-10-18
|/ | | | | | | | Following commit ensures not dandling mounts are left behind when we are creating an overlay on top of external rootfs. Co-authored-by: Valentin Rothberg <rothberg@redhat.com> Signed-off-by: Aditya Rajan <arajan@redhat.com>
* libpod: do not call (*container).Spec()Valentin Rothberg2021-09-29
| | | | | | | | | | | | Access the container's spec field directly inside of libpod instead of calling Spec() which in turn creates expensive JSON deep copies. Accessing the field directly drops memory consumption of a simple podman run --rm busybox true from ~700kB to ~600kB. [NO TESTS NEEDED] Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* libpod: do not call (*container).Config()Valentin Rothberg2021-09-28
| | | | | | | | | | | | Access the container's config field directly inside of libpod instead of calling `Config()` which in turn creates expensive JSON deep copies. Accessing the field directly drops memory consumption of a simple `podman run --rm busybox true` from 1245kB to 410kB. [NO TESTS NEEDED] Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* standardize logrus messages to upper caseDaniel J Walsh2021-09-22
| | | | | | | | Remove ERROR: Error stutter from logrus messages also. [ NO TESTS NEEDED] This is just code cleanup. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Wire network interface into libpodPaul Holzinger2021-09-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make use of the new network interface in libpod. This commit contains several breaking changes: - podman network create only outputs the new network name and not file path. - podman network ls shows the network driver instead of the cni version and plugins. - podman network inspect outputs the new network struct and not the cni conflist. - The bindings and libpod api endpoints have been changed to use the new network structure. The container network status is stored in a new field in the state. The status should be received with the new `c.getNetworkStatus`. This will migrate the old status to the new format. Therefore old containers should contine to work correctly in all cases even when network connect/ disconnect is used. New features: - podman network reload keeps the ip and mac for more than one network. - podman container restore keeps the ip and mac for more than one network. - The network create compat endpoint can now use more than one ipam config. The man pages and the swagger doc are updated to reflect the latest changes. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #11170 from flouthoc/support-rootfs-overlayOpenShift Merge Robot2021-09-14
|\ | | | | rootfs: Add support for rootfs-overlay.
| * rootfs: Add support for rootfs-overlay and bump to buildah v1.22.1-0.202108flouthoc2021-09-14
| | | | | | | | | | | | | | | | | | | | Allows users to specify a readonly rootfs with :O, in exchange podman will create a writable overlay. bump builah to v1.22.1-0.20210823173221-da2b428c56ce [NO TESTS NEEDED] Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* | fix restart always with rootlessportPaul Holzinger2021-09-13
|/ | | | | | | | When a container is automatically restarted due its restart policy and the container uses rootless cni networking with ports forwarded we have to start a new rootlessport process since it exits with conmon. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Add Checkpointed bool to InspectMatthew Heon2021-09-07
| | | | | | | | When inspecting a container, we now report whether the container was stopped by a `podman checkpoint` operation via a new bool in the State portion of inspected, `Checkpointed`. Signed-off-by: Matthew Heon <mheon@redhat.com>
* container: resolve workdir after all the mounts happen.flouthoc2021-08-30
| | | | | | | | There are use-cases where users would want to use overlay-mounts as workdir. For such cases workdir should be resolved after all the mounts are completed during the container init process. Signed-off-by: Aditya Rajan <arajan@redhat.com>
* InfraContainer Reworkcdoern2021-08-26
| | | | | | | | | | InfraContainer should go through the same creation process as regular containers. This change was from the cmd level down, involving new container CLI opts and specgen creating functions. What now happens is that both container and pod cli options are populated in cmd and used to create a podSpecgen and a containerSpecgen. The process then goes as follows FillOutSpecGen (infra) -> MapSpec (podOpts -> infraOpts) -> PodCreate -> MakePod -> createPodOptions -> NewPod -> CompleteSpec (infra) -> MakeContainer -> NewContainer -> newContainer -> AddInfra (to pod state) Signed-off-by: cdoern <cdoern@redhat.com>
* Add support for pod inside of user namespace.Daniel J Walsh2021-08-09
| | | | | | | | | | | | | Add the --userns flag to podman pod create and keep track of the userns setting that pod was created with so that all containers created within the pod will inherit that userns setting. Specifically we need to be able to launch a pod with --userns=keep-id Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* Fix handling of user specified container labelsDaniel J Walsh2021-08-02
| | | | | | | | | | | Currently we override the SELinux labels specified by the user if the container is runing a kata container or systemd container. This PR fixes to use the label specified by the user. Fixes: https://github.com/containers/podman/issues/11100 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>