summaryrefslogtreecommitdiff
path: root/libpod/oci_conmon_linux.go
Commit message (Collapse)AuthorAge
* add OCI Runtime name to errorsDaniel J Walsh2022-01-06
| | | | | | | | | It would be easier to diagnose OCI runtime errors if the error actually had the name of the OCI runtime that produced the error. [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Update vendor or containers/common moving pkg/cgroups thereDaniel J Walsh2021-12-07
| | | | | | | [NO NEW TESTS NEEDED] This is just moving pkg/cgroups out so existing tests should be fine. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* checkpoint do not modify XDG_RUNTIME_DIRPaul Holzinger2021-11-24
| | | | | | | | | | We should not modify the XDG_RUNTIME_DIR env value during runtime of libpod, this can cause hard to find bugs. Only set it for the OCI runtime, this matches the other commands such as start, stop, kill... [NO NEW TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* libpod: leave thread locked on errorsGiuseppe Scrivano2021-11-24
| | | | | | | | | | if the SELinux label could not be restored correctly, leave the OS thread locked so that it is terminated once it returns to the threads pool. [NO NEW TESTS NEEDED] the failure is hard to reproduce Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Unset SocketLabel after system finishes checkpointingDaniel J Walsh2021-11-23
| | | | | | | | | | | | This should fix the SELinux issue we are seeing with talking to /run/systemd/private. Fixes: https://github.com/containers/podman/issues/12362 Also unset the XDG_RUNTIME_DIR if set, since we don't know when running as a service if this will cause issue.s Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Warn on failing to update container statusMatthew Heon2021-11-23
| | | | | | | | | | | | | failed to send a signal to the container's PID1, but ignored the results of that update. That's generally bad practice, since even if we can't directly take action on an error, we should still make an effort to report it for debugging purposes. I used Infof instead of something more serious to avoid duplicate reporting to the user if something has gone seriously wrong. [NO NEW TESTS NEEDED] this is just adding additional error reporting. Signed-off-by: Matthew Heon <mheon@redhat.com>
* oci: ack crun output when container is not thereAditya Rajan2021-11-23
| | | | | | | | | `crun status ctrid` outputs `No such file or directory` when container is not there so podman much ack it. [NO NEW TESTS NEEDED] Signed-off-by: Aditya Rajan <arajan@redhat.com>
* oci: exit gracefully if container is already deadAditya Rajan2021-11-23
| | | | | | | | | | While trying to kill a container with a `signal` we cant do anything if container is already dead so `exit` gracefully instead of trying to delete container again. Get container status from runtime. [ NO NEW TESTS NEEDED ] Signed-off-by: Aditya Rajan <arajan@redhat.com>
* Merge pull request #12354 from Luap99/exit-commandOpenShift Merge Robot2021-11-18
|\ | | | | Do not store the exit command in container config
| * Do not store the exit command in container configPaul Holzinger2021-11-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There is a problem with creating and storing the exit command when the container was created. It only contains the options the container was created with but NOT the options the container is started with. One example would be a CNI network config. If I start a container once, then change the cni config dir with `--cni-config-dir` ans start it a second time it will start successfully. However the exit command still contains the wrong `--cni-config-dir` because it was not updated. To fix this we do not want to store the exit command at all. Instead we create it every time the conmon process for the container is startet. This guarantees us that the container cleanup process is startet with the correct settings. [NO NEW TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Add --file-locks checkpoint/restore optionRadostin Stoyanov2021-11-18
|/ | | | | | | | CRIU supports checkpoint/restore of file locks. This feature is required to checkpoint/restore containers running applications such as MySQL. Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
* Added optional container restore statisticsAdrian Reber2021-11-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds the parameter '--print-stats' to 'podman container restore'. With '--print-stats' Podman will measure how long Podman itself, the OCI runtime and CRIU requires to restore a checkpoint and print out these information. CRIU already creates process restore statistics which are just read in addition to the added measurements. In contrast to just printing out the ID of the restored container, Podman will now print out JSON: # podman container restore --latest --print-stats { "podman_restore_duration": 305871, "container_statistics": [ { "Id": "47b02e1d474b5d5fe917825e91ac653efa757c91e5a81a368d771a78f6b5ed20", "runtime_restore_duration": 140614, "criu_statistics": { "forking_time": 5, "restore_time": 67672, "pages_restored": 14 } } ] } The output contains 'podman_restore_duration' which contains the number of microseconds Podman required to restore the checkpoint. The output also includes 'runtime_restore_duration' which is the time the runtime needed to restore that specific container. Each container also includes 'criu_statistics' which displays the timing information collected by CRIU. Signed-off-by: Adrian Reber <areber@redhat.com>
* Added optional container checkpointing statisticsAdrian Reber2021-11-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds the parameter '--print-stats' to 'podman container checkpoint'. With '--print-stats' Podman will measure how long Podman itself, the OCI runtime and CRIU requires to create a checkpoint and print out these information. CRIU already creates checkpointing statistics which are just read in addition to the added measurements. In contrast to just printing out the ID of the checkpointed container, Podman will now print out JSON: # podman container checkpoint --latest --print-stats { "podman_checkpoint_duration": 360749, "container_statistics": [ { "Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808", "runtime_checkpoint_duration": 177222, "criu_statistics": { "freezing_time": 100657, "frozen_time": 60700, "memdump_time": 8162, "memwrite_time": 4224, "pages_scanned": 20561, "pages_written": 2129 } } ] } The output contains 'podman_checkpoint_duration' which contains the number of microseconds Podman required to create the checkpoint. The output also includes 'runtime_checkpoint_duration' which is the time the runtime needed to checkpoint that specific container. Each container also includes 'criu_statistics' which displays the timing information collected by CRIU. Signed-off-by: Adrian Reber <areber@redhat.com>
* oci: rename sub-cgroup to runtime instead of supervisorGiuseppe Scrivano2021-10-28
| | | | | | | | | | | | | we are having a hard time figuring out a failure in the CI: https://github.com/containers/podman/issues/11191 Rename the sub-cgroup created here, so we can be certain the error is caused by this part. [NO NEW TESTS NEEDED] we need this for the CI. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Warn if podman stop timeout expires that sigkill was sentDaniel J Walsh2021-10-08
| | | | | | | | | Note: the Warning message will not come to podman-remote. It would be difficult to plumb, and not really worth the effort. Fixes: https://github.com/containers/podman/issues/11854 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #11878 from mheon/stop_stoppingOpenShift Merge Robot2021-10-06
|\ | | | | Allow `podman stop` to be run on Stopping containers
| * Ensure `podman ps --sync` functionsMatthew Heon2021-10-06
| | | | | | | | | | | | | | | | | | | | | | | | The backend for `ps --sync` has been nonfunctional for a long while now - probably since v2.0. It's questionable how useful the flag is in modern Podman (the original case it was intended to catch, Conmon gone via SIGKILL, should be handled now via pinging the process with a signal to ensure it's still alive) but having the ability to force a refresh of container state from the OCI runtime is still useful. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | libpod: fix race when closing STDINPaul Holzinger2021-10-06
|/ | | | | | | | | | | | | | | | There is a race where `conn.Close()` was called before `conn.CloseWrite()`. In this case `CloseWrite` will fail and an useless error is printed. To fix this we move the the `CloseWrite()` call to the same goroutine to remove the race. This ensures that `CloseWrite()` is called before `Close()` and never afterwards. Also fixed podman-remote run where the STDIN was never was closed. This is causing flakes in CI testing. [NO TESTS NEEDED] Fixes #11856 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #11390 from giuseppe/logging-passthroughOpenShift Merge Robot2021-09-29
|\ | | | | logging: new mode -l passthrough
| * logging: new mode -l passthroughGiuseppe Scrivano2021-09-27
| | | | | | | | | | | | | | | | | | | | it allows to pass the current std streams down to the container. conmon support: https://github.com/containers/conmon/pull/289 [NO TESTS NEEDED] it needs a new conmon. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | libpod: do not call (*container).Config()Valentin Rothberg2021-09-28
|/ | | | | | | | | | | | Access the container's config field directly inside of libpod instead of calling `Config()` which in turn creates expensive JSON deep copies. Accessing the field directly drops memory consumption of a simple `podman run --rm busybox true` from 1245kB to 410kB. [NO TESTS NEEDED] Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* standardize logrus messages to upper caseDaniel J Walsh2021-09-22
| | | | | | | | Remove ERROR: Error stutter from logrus messages also. [ NO TESTS NEEDED] This is just code cleanup. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* libpod: rootful close binded portsPaul Holzinger2021-09-14
| | | | | | | | | | | | | | | | | For rootful users ports are forwarded via iptables. To make sure no other process tries to use them, libpod will bind the ports and pass the fds to conmon. There seems to be race when a container is restarted because libpod tries to bind the port before the conmon process exited. The problem only hapens with the podman service because it keeps the connection open. Once we have the fd and passed it to conmon the podman service should close the connection. To verify run `sudo ss -tulpn` and check that only the conmon process keeps the port open. Previously you would also see the podman server process listed. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Fix conmon attach socket buffer sizePaul Holzinger2021-09-09
| | | | | | | | | | | | | | | The conmon buffer size is 8192, however the attach socket needs two extra bytes. The first byte of each message will be the STREAM type. The last byte is a null byte. So when we want to read 8192 message bytes we need to read 8193 bytes since the first one is special. check https://github.com/containers/conmon/blob/1ef246896b4f6566964ed861b98cd32d0e7bf7a2/src/ctr_stdio.c#L101-L107 This problem can be seen in podman-remote run/exec when it prints output with 8192 or more bytes. The output will miss the 8192 byte. Fixes #11496 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* pass LISTEN_* environment into containerValentin Rothberg2021-08-31
| | | | | | | | | | | | | | | Make sure that Podman passes the LISTEN_* environment into containers. Similar to runc, LISTEN_PID is set to 1. Also remove conditionally passing the LISTEN_FDS as extra files. The condition was wrong (inverted) and introduced to fix #3572 which related to running under varlink which has been dropped entirely with Podman 3.0. Note that the NOTIFY_SOCKET and LISTEN_* variables are cleared when running `system service`. Fixes: #10443 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* logs: adjust handling around partial log messagesNalin Dahyabhai2021-08-23
| | | | | | | | | | | | | | | | | | | In libpod/logs.LogLine.Write(), don't write a newline to stdout/stderr when the log message is only part of a line. In libpod.ConmonOCIRuntime.HTTPAttach(), don't send a newline over the HTTP connection when the log message is only part of a line. In pkg/api/handlers/compat.LogsFromContainer(), don't send a newline over the HTTP connection when the log message is only part of a line, and don't make doing so conditional on whether or not the client used the docker or podman endpoint. In pkg/domain/infra/tunnel.ContainerEngine.ContainerLogs(), don't add our own newline to log messages, since they already come through from the server when they need to. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Implement SD-NOTIFY proxy in conmonDaniel J Walsh2021-08-20
| | | | | | | | | | | | | | | | This leverages conmon's ability to proxy the SD-NOTIFY socket. This prevents locking caused by OCI runtime blocking, waiting for SD-NOTIFY messages, and instead passes the messages directly up to the host. NOTE: Also re-enable the auto-update tests which has been disabled due to flakiness. With this change, Podman properly integrates into systemd. Fixes: #7316 Signed-off-by: Joseph Gooch <mrwizard@dok.org> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Support checkpoint/restore with podsAdrian Reber2021-07-27
| | | | | | | | | | | | | | | | | | | This adds support to checkpoint containers out of pods and restore container into pods. It is only possible to restore a container into a pod if it has been checkpointed out of pod. It is also not possible to restore a non pod container into a pod. The main reason this does not work is the PID namespace. If a non pod container is being restored in a pod with a shared PID namespace, at least one process in the restored container uses PID 1 which is already in use by the infrastructure container. If someone tries to restore container from a pod with a shared PID namespace without a shared PID namespace it will also fail because the resulting PID namespace will not have a PID 1. Signed-off-by: Adrian Reber <areber@redhat.com>
* Fix pre-checkpointingAdrian Reber2021-06-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Unfortunately --pre-checkpointing never worked as intended and recent changes to runc have shown that it is broken. To create a pre-checkpoint CRIU expects the paths between the pre-checkpoints to be a relative path. If having a previous checkpoint it needs the be referenced like this: --prev-images-dir ../parent Unfortunately Podman was giving runc (and CRIU) an absolute path. Unfortunately, again, until March 2021 CRIU silently ignored if the path was not relative and switch back to normal checkpointing. This has been now fixed in CRIU and runc and running pre-checkpoint with the latest runc fails, because runc already sees that the path is absolute and returns an error. This commit fixes this by giving runc a relative path. This commit also fixes a second pre-checkpointing error which was just recently introduced. So summarizing: pre-checkpointing never worked correctly because CRIU ignored wrong parameters and recent changes broke it even more. Now both errors should be fixed. [NO TESTS NEEDED] Signed-off-by: Adrian Reber <areber@redhat.com> Signed-off-by: Adrian Reber <adrian@lisas.de>
* fix container startup for empty pidfilePaul Holzinger2021-05-10
| | | | | | | | | | | | | | Commit 728b73d7c418 introduced a regression. Containers created with a previous version do no longer start successfully. The problem is that the PidFile in the container config is empty for those containers. If the PidFile is empty we have to set it to the previous default. [NO TESTS NEEDED] We should investigate why the system upgrade test did not caught this. Fixes #10274 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Add podman run --timeout optionDaniel J Walsh2021-04-23
| | | | | | | | | This option allows users to specify the maximum amount of time to run before conmon sends the kill signal to the container. Fixes: https://github.com/containers/podman/issues/6412 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8979 from haircommander/full-attach-pathOpenShift Merge Robot2021-04-21
|\ | | | | Use full attach path, rather than a symlink
| * oci: use `--full-path` option for conmonPeter Hunt2021-04-16
| | | | | | | | | | | | and stop relying on socket path Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | set pidfile default value int containerconfigchenkang2021-04-17
| | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
* | add flag "--pidfile" for podman create/runwuhua.ck2021-04-16
|/ | | | Signed-off-by: chenkang <kongchen28@gmail.com>
* Fix message about runtime to show only the actual runtimeDaniel J Walsh2021-04-13
| | | | | | | | | | | | | | Currently the debug line shows every runtime up until it finds the correct one, confusing users on which runtime it is using. Also move missing OCI runtime from containers/conf down to Debug level and improved the debug message, to not report error. [NO TESTS NEEDED] Since this is just debug. Triggered by https://github.com/containers/podman/issues/4854 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Ensure that `--userns=keep-id` sets user in configMatthew Heon2021-04-06
| | | | | | | | | | | | | | | | | | | | | | | One of the side-effects of the `--userns=keep-id` command is switching the default user of the container to the UID of the user running Podman (though this can still be overridden by the `--user` flag). However, it did this by setting the UID and GID in the OCI spec, and not by informing Libpod of its intention to switch users via the `WithUser()` option. Because of this, a lot of the code that should have triggered when the container ran with a non-root user was not triggering. In the case of the issue that this fixed, the code to remove capabilities from non-root users was not triggering. Adjust the keep-id code to properly inform Libpod of our intention to use a non-root user to fix this. Also, fix an annoying race around short-running exec sessions where Podman would always print a warning that the exec session had already stopped. Fixes #9919 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* security: use the bounding caps with --privilegedGiuseppe Scrivano2021-03-19
| | | | | | | | | when --privileged is used, make sure to not request more capabilities than currently available in the current context. [NO TESTS NEEDED] since it fixes existing tests. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Check for supportsKVM based on basename of the runtimeDaniel J Walsh2021-03-03
| | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/9582 This PR also adds tests to make sure SELinux labels match the runtime, or if init is specified works with the correct label. Add tests for selinux kvm/init labels Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Move checkpoint/restore code to pkg/checkpoint/crutilsAdrian Reber2021-03-02
| | | | | | | | | | | To be able to reuse common checkpoint/restore functions this commit moves code to pkg/checkpoint/crutils. This commit has not functional changes. It only moves code around. [NO TESTS NEEDED] - only moving code around Signed-off-by: Adrian Reber <areber@redhat.com>
* prune remotecommand dependencybaude2021-02-25
| | | | | | | | | | | prune a dependency that was only being used for a simple struct. Should correct checksum issue on tarballs [NO TESTS NEEDED] Fixes: #9355 Signed-off-by: baude <bbaude@redhat.com>
* bump go module to v3Valentin Rothberg2021-02-22
| | | | | | | | | We missed bumping the go module, so let's do it now :) * Automated go code with github.com/sirkon/go-imports-rename * Manually via `vgrep podman/v2` the rest Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Enable whitespace linterPaul Holzinger2021-02-11
| | | | | | | | Use the whitespace linter and fix the reported problems. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #8947 from Luap99/cleanup-codeOpenShift Merge Robot2021-01-12
|\ | | | | Fix problems reported by staticcheck
| * Fix problems reported by staticcheckPaul Holzinger2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | `staticcheck` is a golang code analysis tool. https://staticcheck.io/ This commit fixes a lot of problems found in our code. Common problems are: - unnecessary use of fmt.Sprintf - duplicated imports with different names - unnecessary check that a key exists before a delete call There are still a lot of reported problems in the test files but I have not looked at those. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #8819 from chen-zhuohan/add-pre-checkpointOpenShift Merge Robot2021-01-12
|\ \ | | | | | | Add pre-checkpoint and restore with previous
| * | add pre checkpointunknown2021-01-10
| | | | | | | | | | | | Signed-off-by: Zhuohan Chen <chen_zhuohan@163.com>
* | | Merge pull request #8933 from giuseppe/use-O_PATH-for-unix-sockOpenShift Merge Robot2021-01-12
|\ \ \ | |_|/ |/| | oci: use /proc/self/fd/FD to open unix socket
| * | oci: use /proc/self/fd/FD to open unix socketGiuseppe Scrivano2021-01-12
| |/ | | | | | | | | | | | | | | | | | | | | instead of opening directly the UNIX socket path, grab a reference to it through a O_PATH file descriptor and use the fixed size string "/proc/self/fd/%d" to open the UNIX socket. In this way it won't hit the 108 chars length limit. Closes: https://github.com/containers/podman/issues/8798 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / oci: keep LC_ env variables to conmonGiuseppe Scrivano2021-01-11
|/ | | | | | | | | | it is necessary for conmon to deal with the correct locale, otherwise it uses C as a fallback. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1893567 Requires: https://github.com/containers/conmon/pull/215 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>