path: root/libpod/oci.go
Commit message (Author, Date)
* Remove SELinux transition rule after conmon is started. (Daniel J Walsh, 2018-06-06)
  We have an issue where the iptables command is being executed by podman and attempted to run with a different label. This fix changes podman to only change the label on the conmon command and then set the SELinux interface back to the default.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #906
  Approved by: giuseppe
* Catch "does not exist" error (Daniel J Walsh, 2018-05-31)
  There was a newline at the end of "does not exist" which was causing this to fail.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #863
  Approved by: baude
* We need to change the SELinux label of the conmon process to s0 (Daniel J Walsh, 2018-05-31)
  If SELinux is enabled, we are leaking pipes owned by conmon into the container. The container processes are not allowed to use these pipes if the calling process is fully ranged. By changing the level of the conmon process to s0, this allows container processes to use the pipes.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #854
  Approved by: mheon
* Use container cleanup() functions when removing (Matthew Heon, 2018-05-17)
  Instead of manually calling the individual functions that cleanup uses to tear down a container's resources, just call the cleanup function to make sure that cleanup only needs to happen in one place.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #790
  Approved by: rhatdan
* Place Conmon and Container in separate CGroups (Matthew Heon, 2018-05-11)
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #507
  Approved by: baude
* Add --cgroup-manager flag to Podman binary (Matthew Heon, 2018-05-11)
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #507
  Approved by: baude
* Major fixes to systemd cgroup handling (Matthew Heon, 2018-05-11)
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #507
  Approved by: baude
* Should not error out if container no longer exists in oci (Daniel J Walsh, 2018-05-04)
  This prevents you from cleaning up the container database if somehow the runc and friends db gets screwed up.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #725
  Approved by: mheon
* podman, userNS: configure an intermediate mount namespace (Giuseppe Scrivano, 2018-05-04)
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #690
  Approved by: mheon
* Prevent a potential race when stopping containers (Matthew Heon, 2018-04-04)
  If sending a signal fails, check if the container is alive. If it is not, it probably stopped on its own before we could send the signal, so don't error out.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #591
  Approved by: rhatdan
* podman: new option --conmon-pidfile= (Giuseppe Scrivano, 2018-03-29)
  so that it is possible to use systemd to automatically restart the container:

    [Service]
    Type=forking
    PIDFile=/run/awesome-service.pid
    ExecStart=/usr/bin/podman run --conmon-pidfile=/run/awesome-service.pid --name awesome -d IMAGE /usr/bin/do-something
    ExecStopPost=/usr/bin/podman rm awesome
    Restart=always

  Closes: https://github.com/projectatomic/libpod/issues/534
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #549
  Approved by: rhatdan
* Include error in error message (Matthew Heon, 2018-03-02)
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #438
  Approved by: rhatdan
* Instead of erroring on exit file not being found, warn (Matthew Heon, 2018-03-02)
  Erroring can cause us to get into a state where a container which has no exit file cannot be shown in PS, cannot be removed, etc.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #438
  Approved by: rhatdan
* Replace usage of runc with runtime (Matthew Heon, 2018-03-01)
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #412
  Approved by: baude
* Convert exec session tracking to use a dedicated struct (Matthew Heon, 2018-03-01)
  This will behave better if we need to add anything to it at a later date - we can add fields to the struct without breaking existing BoltDB databases.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #412
  Approved by: baude
* Handle removing containers with active exec sessions (Matthew Heon, 2018-03-01)
  For containers without --force set, an error will be returned. For containers with --force, all pids in the container will be stopped, first with SIGTERM and then with SIGKILL after a timeout (this mimics the behavior of stopping a container).
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #412
  Approved by: baude
* Add tracking for exec session IDs (Matthew Heon, 2018-03-01)
  Exec sessions now have an ID generated and assigned to their PID and stored in the database state. This allows us to track what exec sessions are currently active.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #412
  Approved by: baude
* Rework exec to enable splitting to retrieve exec PID (Matthew Heon, 2018-03-01)
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #412
  Approved by: baude
* Ensure we don't repeatedly poll disk for exit codes (Matthew Heon, 2018-02-20)
  Change logic for refreshing our state using runc to only poll for conmon exit files when we first transition to the Stopped state. After that, we should already have the exit code stored in the database, so we don't need to look it up again.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #363
  Approved by: TomSweeneyRedHat
* Merge pull request #293 from rhatdan/sd_notify (Matthew Heon, 2018-02-07)
  Need to add LISTEN_PID environment variable to conmon command
  * Need to add LISTEN_PID environment variable to conmon command (Daniel J Walsh, 2018-02-05)
    Without this field conmon will not pass the proper data down to the OCI Runtime.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Change stop signal default to SIGTERM (Matthew Heon, 2018-02-06)
  Signed-off-by: Matthew Heon <mheon@redhat.com>
  Closes: #299
  Approved by: rhatdan
* Pass NOTIFY_SOCKET and LISTEN_FDS env to OCI Runtime if set (Daniel J Walsh, 2018-02-05)
  In order for sd_notify from systemd to work in containers we need to pass down the NOTIFY_SOCKET environment variable to the container. LISTEN_FDS tells the application inside of the container to use socket activation and grab the FDs that are leaked into the container.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #271
  Approved by: umohnani8
* Allow users to specify logpath (Daniel J Walsh, 2018-02-03)
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #135
  Approved by: mheon
* libpod/oci.go: Perf issue (baude, 2018-01-23)
  Matt Heon and I found that a defer statement was costing podman run dearly. We don't think the defer function was working (nor needed) and was timing out as well. Removing this defer statement decreased podman runtime by 1.5s or more.
  Signed-off-by: baude <bbaude@redhat.com>
  Closes: #253
  Approved by: baude
* Plumb through the --stop-timeout signal handling (Daniel J Walsh, 2017-12-20)
  podman run/create have the ability to set the stop timeout flag. We need to stop it in the database. Also, allowing negative time for stop timeout makes no sense, so switching to a timeout of uint allows the user to specify huge timeout values.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #158
  Approved by: TomSweeneyRedHat
* Merge pull request #111 from mheon/crio_1206 (Daniel J Walsh, 2017-12-11)
  Carry CRI-O #1206 to fix a potential runtime issue
  * Carry CRI-O #1206 to fix a potential runtime issue (Matthew Heon, 2017-12-07)
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* kpod exec (baude, 2017-12-11)
  Initial wiring of kpod exec. We won't support the following options for exec:
    * detach -- unsure of use case
    * detach-keys -- not supported by runc
    * interactive -- all terminals will be interactive
  Not adding exec tests as we need to think about how to support a test that requires console access but our CI tests have no console.
  Signed-off-by: baude <bbaude@redhat.com>
* Add NetMode, UTSMode and IPCMode (Daniel J Walsh, 2017-12-02)
  Allow kpod create/run to create containers in different network namespaces, UTS namespaces and IPC namespaces. This patch just handles the simple join of the host's or another container's namespaces. Lots more work is needed to fully integrate --net.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #64
  Approved by: mheon
* Change location of created runc specs to make them survive reboot (Matthew Heon, 2017-11-29)
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #78
  Approved by: rhatdan
* Add ability to kill and stop containers (Matthew Heon, 2017-11-29)
  Also migrates kpod kill and kpod stop to libpod to use the new code. Fixes force removing containers, and actually deletes containers in runc when removing them. Start is now capable of starting even when the container is unmounted.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #68
  Approved by: rhatdan
* Update kpod pause and unpause to use new container state (umohnani8, 2017-11-24)
  Signed-off-by: umohnani8 <umohnani@redhat.com>
  Closes: #66
  Approved by: mheon
* Add ability to retrieve container's log path to API (Matthew Heon, 2017-11-21)
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #56
  Approved by: rhatdan
* Add ability to update container status from runc (Matthew Heon, 2017-11-21)
  Wire this in to all state-bound container operations to ensure synchronization of container state. Also exposes PID of running containers via API.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #56
  Approved by: rhatdan
* Enhancements to papr tests (baude, 2017-11-17)
  The PR contains several enhancements to our CI testing.
    - enable lint testing on Fedora
    - add Centos Atomic as test platform
    - integration tests are run on the OS natively (uncontainerized)
    - builds are done in containers
    - inclusion of Vagrant file for local testing
  Signed-off-by: baude <bbaude@redhat.com>
  Closes: #18
  Approved by: mheon
* Prune Server package. Convert to new github location. (Matthew Heon, 2017-11-01)
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Initial checkin from CRI-O repo (Matthew Heon, 2017-11-01)
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>