summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* EXPERIMENTAL: Do not call out to runc for syncMatthew Heon2018-11-07
| | | | | | | | | | | | | | | When syncing container state, we normally call out to runc to see the container's status. This does have significant performance implications, though, and we've seen issues with large amounts of runc processes being spawned. This patch attempts to use stat calls on the container exit file created by Conmon instead to sync state. This massively decreases the cost of calling updateContainer (it has gone from an almost-unconditional fork/exec of runc to a single stat call that can be avoided in most states). Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Actually save changes from post-stop syncMatthew Heon2018-11-07
| | | | | | | | | | After stopping containers, we run updateContainerStatus to sync our state with runc (pick up exit code, for example). Then we proceed to not save this to the database, requiring us to grab it again on the next sync. This should remove the need to read the exit file more than once. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1731 from afbjorklund/versionOpenShift Merge Robot2018-10-31
|\ | | | | Fix setting of version information
| * Fix setting of version informationAnders F Björklund2018-10-31
| | | | | | | | | | | | | | It was setting the wrong variable (CamelCase) in the wrong module ("main", not "libpod")... Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* | rootless: avoid hang on failed slirp4netnsGiuseppe Scrivano2018-10-31
| | | | | | | | | | | | | | | | If for any reason slirp4netns fails at startup, podman waits indefinitely. Check every second if the process is still running so that we avoid to hang. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1704 from giuseppe/attach-cuid-too-longOpenShift Merge Robot2018-10-30
|\ \ | | | | | | attach: fix attach when cuid is too long
| * | attach: fix attach when cuid is too longGiuseppe Scrivano2018-10-30
| |/ | | | | | | | | | | | | | | | | | | | | | | conmon creates a symlink to avoid using a too long UNIX path. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1641800 There is still one issue when the path length of the symlink has the same length of the attach socket parent directory since conmon fails to create the symlink, but that must be addressed in conmon first. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1715 from baude/getusergroupOpenShift Merge Robot2018-10-30
|\ \ | | | | | | get user and group information using securejoin and runc's user library
| * | get user and group information using securejoin and runc's user librarybaude2018-10-29
| |/ | | | | | | | | | | | | | | | | | | | | for the purposes of performance and security, we use securejoin to contstruct the root fs's path so that symlinks are what they appear to be and no pointing to something naughty. then instead of chrooting to parse /etc/passwd|/etc/group, we now use the runc user/group methods which saves us quite a bit of performance. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #1721 from vrothberg/fix-1695OpenShift Merge Robot2018-10-29
|\ \ | | | | | | unmount: fix error logic
| * | unmount: fix error logicValentin Rothberg2018-10-29
| |/ | | | | | | | | | | | | | | | | Only return `ErrCtrStateInvalid` errors when the mount counter is equal to 1. Also fix the "can't unmount [...] last mount[..]" error which hasn't been returned when the error passed to `errors.Errorf()` is nil. Fixes: #1695 Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
* / Sync default config with libpod.confAnders F Björklund2018-10-29
|/ | | | | | Only changed libpod.conf file, which might not even be in use. Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* Merge pull request #1699 from baude/rundOpenShift Merge Robot2018-10-25
|\ | | | | run performance improvements
| * run prepare in parallelbaude2018-10-25
| | | | | | | | | | | | | | run prepare() -- which consists of creating a network namespace and mounting the container image is now run in parallel. This saves 25-40ms. Signed-off-by: baude <bbaude@redhat.com>
* | Increase security and performance when looking up groupsbaude2018-10-25
|/ | | | | | | | | | We implement the securejoin method to make sure the paths to /etc/passwd and /etc/group are not symlinks to something naughty or outside the container image. And then instead of actually chrooting, we use the runc functions to get information about a user. The net result is increased security and a a performance gain from 41ms to 100us. Signed-off-by: baude <bbaude@redhat.com>
* create: fix writing cidfile when using rootlessGiuseppe Scrivano2018-10-23
| | | | | | | | | | prevent opening the same file twice, since we re-exec podman in rootless mode. While at it, also solve a possible race between the check for the file and writing to it. Another process could have created the file in the meanwhile and we would just end up overwriting it. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* read conmon output and convert to json in two stepsbaude2018-10-23
| | | | | | | | | when reading the output from conmon using the JSON methods, it appears that JSON marshalling is higher in pprof than it really is because the pipe is "waiting" for a response. this gives us a clearer look at the real CPU/time consumers. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1687 from rhatdan/vendorOpenShift Merge Robot2018-10-23
|\ | | | | Move selinux label reservations to containers storage.
| * Allow containers/storage to handle on SELinux labelingDaniel J Walsh2018-10-23
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #1638 from baude/fastpsOpenShift Merge Robot2018-10-23
|\ \ | | | | | | Make podman ps fast
| * | Make podman ps fastbaude2018-10-23
| | | | | | | | | | | | | | | | | | Like Ricky Bobby, we want to go fast. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #1686 from mheon/rootless_firewallOpenShift Merge Robot2018-10-23
|\ \ \ | | | | | | | | Use more reliable check for rootless for firewall init
| * | | Use more reliable check for rootless for firewall initMatthew Heon2018-10-23
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | We probably won't be able to initialize a firewall plugin when we are not running as root, so we shouldn't even try. Replace the less-effect EUID check with the rootless package's better check to make sure we don't accidentally set up the firewall in these cases. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | | Merge pull request #1627 from adrianreber/criuOpenShift Merge Robot2018-10-23
|\ \ \ | |/ / |/| | Add CRIU version check for checkpoint and restore
| * | Use the CRIU version check in checkpoint/restoreAdrian Reber2018-10-23
| |/ | | | | | | | | | | | | | | The newly introduced CRIU version check is now used to make sure checkpointing and restoring is only used if the CRIU version is new enough. Signed-off-by: Adrian Reber <areber@redhat.com>
* / oci: cleanup process statusGiuseppe Scrivano2018-10-23
|/ | | | | | | | I've seen a runc zombie process hanging around, it is caused by not cleaning up the "$OCI status" process. Also adjust another location that has the same issue. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Move rootless directory handling to the libpod/pkg/util directoryDaniel J Walsh2018-10-22
| | | | | | This should allow us to share this code with buildah. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Vendor in new new buildah/cibaude2018-10-17
| | | | | | | libpod requires new buildah and container image versions to resolve bug #1640298 Signed-off-by: baude <bbaude@redhat.com>
* Fix CGroup paths used for systemd CGroup mountMatthew Heon2018-10-17
| | | | | | | We already have functions for retrieving the container's CGroup path, so use them instead of manually generating a path. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1650 from rhatdan/systemdMatthew Heon2018-10-16
|\ | | | | Mount proper cgroup for systemd to manage inside of the container.
| * Mount proper cgroup for systemd to manage inside of the container.Daniel J Walsh2018-10-15
| | | | | | | | | | | | | | | | | | | | | | | | We are still requiring oci-systemd-hook to be installed in order to run systemd within a container. This patch properly mounts /sys/fs/cgroup/systemd/libpod_parent/libpod-UUID on /sys/fs/cgroup/systemd inside of container. Since we need the UUID of the container, we needed to move Systemd to be a config option of the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #1609 from giuseppe/fix-volume-rootlessMatthew Heon2018-10-16
|\ \ | |/ |/| volume: resolve symlink paths in volumes
| * volume: resolve symlinks in pathsGiuseppe Scrivano2018-10-14
| | | | | | | | | | | | | | | | | | | | ensure the volume paths are resolved in the mountpoint scope. Otherwise we might end up using host paths. Closes: https://github.com/containers/libpod/issues/1608 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * volume: write the correct ID of the container in error messagesGiuseppe Scrivano2018-10-14
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Touchup fileo typoTomSweeneyRedHat2018-10-15
|/ | | | Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* Generate a passwd file for users not in containerDaniel J Walsh2018-10-12
| | | | | | | If someone runs podman as a user (uid) that is not defined in the container we want generate a passwd file so that getpwuid() will work inside of container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1623 from mheon/static_ipOpenShift Merge Robot2018-10-11
|\ | | | | Add ability to specify static IPs with --ip flag
| * Fix gofmtMatthew Heon2018-10-11
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Add --ip flag and plumbing into libpodMatthew Heon2018-10-11
| | | | | | | | | | | | | | | | | | | | | | Add the --ip flag back with bash completions. Manpages still missing. Add plumbing to pass appropriate the appropriate option down to libpod to connect the flag to backend logic added in the previous commits. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Temporary commit to swap branchesMatthew Heon2018-10-11
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Log an otherwise ignored error from joining a net nsMatthew Heon2018-10-11
|/ | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
* Ensure resolv.conf has the right label and pathMatthew Heon2018-10-04
| | | | | | | | Adds a few missing things from writeStringToRundir() to the new resolv.conf function, specifically relabelling and returning a path compatible with rootless podman Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Drop libnetwork vendor and move the code into pkg/Matthew Heon2018-10-04
| | | | | | | | | | | The vendoring issues with libnetwork were significant (it was dragging in massive amounts of code) and were just not worth spending the time to work through. Highly unlikely we'll ever end up needing to update this code, so move it directly into pkg/ so we don't need to vendor libnetwork. Make a few small changes to remove the need for the remainder of libnetwork. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Switch to using libnetwork's resolvconf packageMatthew Heon2018-10-04
| | | | | | | | | Libnetwork provides a well-tested package for generating resolv.conf from the host's that has some features our current implementation does not. Swap to using their code and remove our built-in implementation. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1570 from giuseppe/fix-gvisorOpenShift Merge Robot2018-10-04
|\ | | | | podman: allow usage of gVisor as OCI runtime
| * oci: split the stdout and stderr pipesGiuseppe Scrivano2018-10-03
| | | | | | | | | | | | | | read the OCI status from stdout, not the combined stdout+stderr stream. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * oci: always set XDG_RUNTIME_DIRGiuseppe Scrivano2018-10-03
| | | | | | | | | | | | | | | | | | Fix an issue when using gVisor that couldn't start the container since the XDG_RUNTIME_DIR env variable used for the "create" and "start" commands is different. Set the environment variable for each command so that the OCI runtime gets always the same value. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Add support to checkpoint/restore containersAdrian Reber2018-10-03
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | runc uses CRIU to support checkpoint and restore of containers. This brings an initial checkpoint/restore implementation to podman. None of the additional runc flags are yet supported and container migration optimization (pre-copy/post-copy) is also left for the future. The current status is that it is possible to checkpoint and restore a container. I am testing on RHEL-7.x and as the combination of RHEL-7 and CRIU has seccomp troubles I have to create the container without seccomp. With the following steps I am able to checkpoint and restore a container: # podman run --security-opt="seccomp=unconfined" -d registry.fedoraproject.org/f27/httpd # curl -I 10.22.0.78:8080 HTTP/1.1 403 Forbidden # <-- this is actually a good answer # podman container checkpoint <container> # curl -I 10.22.0.78:8080 curl: (7) Failed connect to 10.22.0.78:8080; No route to host # podman container restore <container> # curl -I 10.22.0.78:8080 HTTP/1.1 403 Forbidden I am using CRIU, runc and conmon from git. All required changes for checkpoint/restore support in podman have been merged in the corresponding projects. To have the same IP address in the restored container as before checkpointing, CNI is told which IP address to use. If the saved network configuration cannot be found during restore, the container is restored with a new IP address. For CRIU to restore established TCP connections the IP address of the network namespace used for restore needs to be the same. For TCP connections in the listening state the IP address can change. During restore only one network interface with one IP address is handled correctly. Support to restore containers with more advanced network configuration will be implemented later. v2: * comment typo * print debug messages during cleanup of restore files * use createContainer() instead of createOCIContainer() * introduce helper CheckpointPath() * do not try to restore a container that is paused * use existing helper functions for cleanup * restructure code flow for better readability * do not try to restore if checkpoint/inventory.img is missing * git add checkpoint.go restore.go v3: * move checkpoint/restore under 'podman container' v4: * incorporated changes from latest reviews Signed-off-by: Adrian Reber <areber@redhat.com>
* Merge pull request #1578 from baude/addubuntuciOpenShift Merge Robot2018-10-03
|\ | | | | Add Ubuntu-18.04 to CI testing
| * Add ability for ubuntu to be testedbaude2018-10-03
| | | | | | | | | | | | | | | | unfortunately the papr CI system cannot test ubuntu as a VM; therefore, this PR still keeps travis. but it does include fixes that will be required for running on modern versions of ubuntu. Signed-off-by: baude <bbaude@redhat.com>