summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Fix race conditions in rootless cni setupPaul Holzinger2021-07-15
| | | | | | | | | | | | | | | | | | | | There was an race condition when calling `GetRootlessCNINetNs()`. It created the rootless cni directory before it got locked. Therefore another process could have called cleanup and removed this directory before it was used resulting in errors. The lockfile got moved into the XDG_RUNTIME_DIR directory to prevent a panic when the parent dir was removed by cleanup. Fixes #10930 Fixes #10922 To make this even more robust `GetRootlessCNINetNs()` will now return locked. This guarantees that we can run `Do()` after `GetRootlessCNINetNs()` before another process could have called `Cleanup()` in between. [NO TESTS NEEDED] CI is flaking, hopefully this will fix it. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #10916 from mheon/fix_7360OpenShift Merge Robot2021-07-14
|\ | | | | Perform a one-sided close of HTTP attach conn on EOF
| * Perform a one-sided close of HTTP attach conn on EOFMatthew Heon2021-07-13
| | | | | | | | | | | | | | | | | | | | | | On EOF of STDIN, we need to perform a one-sided close of the attach connection on the client side, to ensure that STDIN finishing will also cause the exec session to terminate, instead of hang. Fixes #7360 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | fix: uid/gid for volume mounted to existing dirMatej Vasek2021-07-12
| | | | | | | | | | | | | | If mounting to existing directory the uid/gid should be preserved. Primary uid/gid of container shouldn't be used. Signed-off-by: Matej Vasek <mvasek@redhat.com>
* | Merge pull request #10868 from cdoern/untilLogOpenShift Merge Robot2021-07-10
|\ \ | | | | | | Implemented Until Query Parameter for Containers/logs
| * | Implemented Until Query Parameter for Containers/logscdoern2021-07-09
| | | | | | | | | | | | | | | | | | | | | | | | compat containers/logs was missing actual usage of until query param. fixes #10859 Signed-off-by: cdoern <cdoern@redhat.com>
* | | Remove GetStore function from LibpodMatthew Heon2021-07-08
| |/ |/| | | | | | | | | | | | | | | | | | | | | We should not be exposing the store outside of Libpod. We want to encapsulate it as an internal implementation detail - there's no reason functions outside of Libpod should directly be manipulating container storage. Convert the last use to invoke a method on Libpod instead, and remove the function. [NO TESTS NEEDED] as this is just a refactor. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Make rootless-cni setup more robustPaul Holzinger2021-07-06
|/ | | | | | | | | | | | | | | | | | | The rootless cni namespace needs a valid /etc/resolv.conf file. On some distros is a symlink to somewhere under /run. Because the kernel will follow the symlink before mounting, it is not possible to mount a file at exactly /etc/resolv.conf. We have to ensure that the link target will be available in the rootless cni mount ns. Fixes #10855 Also fixed a bug in the /var/lib/cni directory lookup logic. It used `filepath.Base` instead of `filepath.Dir` and thus looping infinitely. Fixes #10857 [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #10836 from Luap99/diffOpenShift Merge Robot2021-07-03
|\ | | | | podman diff accept two images or containers
| * podman diff accept two images or containersPaul Holzinger2021-07-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | First, make podman diff accept optionally a second argument. This allows the user to specify a second image/container to compare the first with. If it is not set the parent layer will be used as before. Second, podman container diff should only use containers and podman image diff should only use images. Previously, podman container diff would use the image when both an image and container with this name exists. To make this work two new parameters have been added to the api. If they are not used the previous behaviour is used. The same applies to the bindings. Fixes #10649 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | podman service reaperPaul Holzinger2021-07-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a new service reaper package. Podman currently does not reap all child processes. The slirp4netns and rootlesskit processes are not reaped. The is not a problem for local podman since the podman process dies before the other processes and then init will reap them for us. However with podman system service it is possible that the podman process is still alive after slirp died. In this case podman has to reap it or the slirp process will be a zombie until the service is stopped. The service reaper will listen in an extra goroutine on SIGCHLD. Once it receives this signal it will try to reap all pids that were added with `AddPID()`. While I would like to just reap all children this is not possible because many parts of the code use `os/exec` with `cmd.Wait()`. If we reap before `cmd.Wait()` things can break, so reaping everything is not an option. [NO TESTS NEEDED] Fixes #9777 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Implement --archive flag for podman cpMatej Vasek2021-07-01
|/ | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
* remove `pkg/registries`Valentin Rothberg2021-06-25
| | | | | | | | | | | | | | Pull the trigger on the `pkg/registries` package which acted as a proxy for `c/image/pkg/sysregistriesv2`. Callers should be using the packages from c/image directly, if needed at all. Also make use of libimage's SystemContext() method which returns a copy of a system context, further reducing the risk of unintentionally altering global data. [NO TESTS NEEDED] Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #10765 from umohnani8/mtabOpenShift Merge Robot2021-06-23
|\ | | | | Create /etc/mtab with the correct ownership
| * [NO TESTS NEEDED] Create /etc/mtab with the correct ownershipUrvashi Mohnani2021-06-23
| | | | | | | | | | | | | | | | | | | | Create the /etc and /etc/mtab directories with the correct ownership based on what the UID and GID is for the container. This was causing issue when starting the infra container with userns as the /etc directory wasn't being created with the correct ownership. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* | Merge pull request #10716 from cdoern/podFlagsOpenShift Merge Robot2021-06-23
|\ \ | | | | | | Podman Pod Create --cpus and --cpuset-cpus flags
| * | Podman Pod Create --cpus and --cpuset-cpus flagscdoern2021-06-23
| |/ | | | | | | | | | | | | | | | | | | | | | | Added logic and handling for two new Podman pod create Flags. --cpus specifies the total number of cores on which the pod can execute, this is a combination of the period and quota for the CPU. --cpuset-cpus is a string value which determines of these available cores, how many we will truly execute on. Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* | Merge pull request #10696 from cdoern/libpodStatsOpenShift Merge Robot2021-06-23
|\ \ | |/ |/| Podman Stats additional features
| * Podman Stats additional featurescdoern2021-06-23
| | | | | | | | | | | | | | | | added Avg Cpu calculation and CPU up time to podman stats. Adding different feature sets in different PRs, CPU first. resolves #9258 Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* | Merge pull request #10754 from Luap99/sync-lockOpenShift Merge Robot2021-06-23
|\ \ | | | | | | getContainerNetworkInfo: lock netNsCtr before sync
| * | getContainerNetworkInfo: lock netNsCtr before syncPaul Holzinger2021-06-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | `syncContainer()` requires the container to be locked, otherwise we can end up with undefined behavior. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Do not use inotify for OCICNIPaul Holzinger2021-06-22
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman does not need to watch the cni config directory. If a network is not found in the cache, OCICNI will reload the networks anyway and thus even podman system service should work as expected. Also include a change to not mount a "new" /var by default in the rootless cni ns, instead try to use /var/lib/cni first and then the parent dir. This allows users to store cni configs under /var/... which is the case for the CI compose test. [NO TESTS NEEDED] Fixes #10686 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #10742 from vrothberg/fix-10675OpenShift Merge Robot2021-06-21
|\ \ | | | | | | logs: k8s-file: restore poll sleep
| * | logs: k8s-file: restore poll sleepValentin Rothberg2021-06-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 84b55eec2796 attempted to fix a race waiting for the container died event. Previously, Podman slept for duration of the polling frequence which I considerred to be a mistake. As it turns out, I was mistaken since the file logger will, in fact, NOT read until EOF and then stop logging but stop logging immediately _after_ it woke up. [NO TESTS NEEDED] as the race condition cannot be hit reliably. Fixes: #10675 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | logs: k8s-file: fix spurious error logsValentin Rothberg2021-06-21
| | | | | | | | | | | | | | | | | | | | | Fix the suprious "Error: nil" messages. Also add some more context to logged error messages which makes error sources more obvious. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #10734 from mgoltzsche/fix-dns-detectionOpenShift Merge Robot2021-06-21
|\ \ \ | |/ / |/| | Fix systemd-resolved detection.
| * | Fix systemd-resolved detection.Max Goltzsche2021-06-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously podman failed when run in an environment where 127.0.0.53 is the only nameserver but systemd-resolved is not used directly. In practice this happened when podman was run within an alpine container that used the host's network and the host was running systemd-resolved. This fix makes podman ignore a file not found error when reading /run/systemd/resolve/resolv.conf. Closes #10733 [NO TESTS NEEDED] Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
* | | fix systemcontext to use correct TMPDIRDaniel J Walsh2021-06-18
|/ / | | | | | | | | | | | | | | | | | | | | Users are complaining about read/only /var/tmp failing even if TMPDIR=/tmp is set. This PR Fixes: https://github.com/containers/podman/issues/10698 [NO TESTS NEEDED] No way to test this. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #10683 from Luap99/exec-resizeOpenShift Merge Robot2021-06-16
|\ \ | | | | | | Fix resize race with podman exec -it
| * | Fix resize race with podman exec -itPaul Holzinger2021-06-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When starting a process with `podman exec -it` the terminal is resized after the process is started. To fix this allow exec start to accept the terminal height and width as parameter and let it resize right before the process is started. Fixes #10560 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #10684 from Luap99/slirp-hostsOpenShift Merge Robot2021-06-16
|\ \ \ | | | | | | | | add correct slirp ip to /etc/hosts
| * | | add correct slirp ip to /etc/hostsPaul Holzinger2021-06-15
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | The container name should have the slirp interface ip set in /etc/hosts and not the gateway ip. Commit c8dfcce6db0a introduced this regression. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1972073 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* / / Fix permissions on initially created named volumesDaniel J Walsh2021-06-14
|/ / | | | | | | | | | | | | | | Permission of volume should match the directory it is being mounted on. Fixes: https://github.com/containers/podman/issues/10188 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #10635 from adrianreber/2021-06-04-privilegedOpenShift Merge Robot2021-06-12
|\ \ | | | | | | Fix restoring of privileged containers
| * | Fix restoring of privileged containersAdrian Reber2021-06-10
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | Checkpointed containers started with --privileged fail during restore with: Error: error creating container storage: ProcessLabel and Mountlabel must either not be specified or both specified This commit fixes it by not setting the labels when restoring a privileged container. [NO TESTS NEEDED] Signed-off-by: Adrian Reber <areber@redhat.com>
* | Merge pull request #10654 from Luap99/net-connectOpenShift Merge Robot2021-06-12
|\ \ | | | | | | Fix network connect race with docker-compose
| * | Fix network connect race with docker-composePaul Holzinger2021-06-11
| |/ | | | | | | | | | | | | | | | | | | | | Network connect/disconnect has to call the cni plugins when the network namespace is already configured. This is the case for `ContainerStateRunning` and `ContainerStateCreated`. This is important otherwise the network is not attached to this network namespace and libpod will throw errors like `network inspection mismatch...` This problem happened when using `docker-compose up` in attached mode. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #10405 from mheon/always_cleanup_execOpenShift Merge Robot2021-06-11
|\ \ | | | | | | Always spawn a cleanup process with exec
| * | Add ExecDied event and use it to retrieve exit codesMatthew Heon2021-06-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When making Exec Cleanup processes mandatory, I introduced a race wherein attached exec sessions could be cleaned up and removed by the cleanup process before the frontend had a chance to get their exit code. Fortunately, we've dealt with this issue before in containers, and the same solution can be applied here. I added an event for an exec session's process exiting, `exec_died` (Docker has an identical event, so this actually improves our compatibility there) that includes the exit code of the exec session. If the race happens and the exec session no longer exists when we go to remove it, pick up exit code from the event and exit cleanly. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | Always spawn a cleanup process with execMatthew Heon2021-06-10
| |/ | | | | | | | | | | | | | | | | | | | | | | We were previously only doing this for detached exec. I don't know why we did that, but I don't see any reason not to extend it to all exec sessions - it guarantees that we will always clean up exec sessions, even if the original `podman exec` process died. [NO TESTS NEEDED] because I don't really know how to test this one. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #10638 from Luap99/volumeOpenShift Merge Robot2021-06-11
|\ \ | | | | | | Fix volumes with uid and gid options
| * | Fix volumes with uid and gid optionsPaul Holzinger2021-06-11
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman uses the volume option map to check if it has to mount the volume or not when the container is started. Commit 28138dafcc39 added to uid and gid options to this map, however when only uid/gid is set we cannot mount this volume because there is no filesystem or device specified. Make sure we do not try to mount the volume when only the uid/gid option is set since this is a simple chown operation. Also when a uid/gid is explicity set, do not chown the volume based on the container user when the volume is used for the first time. Fixes #10620 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #10609 from giuseppe/ignore-named-hierarchiesOpenShift Merge Robot2021-06-10
|\ \ | | | | | | container: ignore named hierarchies
| * | container: ignore named hierarchiesGiuseppe Scrivano2021-06-10
| |/ | | | | | | | | | | | | | | | | | | when looking up the container cgroup, ignore named hierarchies since containers running systemd as payload will create a sub-cgroup and move themselves there. Closes: https://github.com/containers/podman/issues/10602 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / Fix pre-checkpointingAdrian Reber2021-06-10
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Unfortunately --pre-checkpointing never worked as intended and recent changes to runc have shown that it is broken. To create a pre-checkpoint CRIU expects the paths between the pre-checkpoints to be a relative path. If having a previous checkpoint it needs the be referenced like this: --prev-images-dir ../parent Unfortunately Podman was giving runc (and CRIU) an absolute path. Unfortunately, again, until March 2021 CRIU silently ignored if the path was not relative and switch back to normal checkpointing. This has been now fixed in CRIU and runc and running pre-checkpoint with the latest runc fails, because runc already sees that the path is absolute and returns an error. This commit fixes this by giving runc a relative path. This commit also fixes a second pre-checkpointing error which was just recently introduced. So summarizing: pre-checkpointing never worked correctly because CRIU ignored wrong parameters and recent changes broke it even more. Now both errors should be fixed. [NO TESTS NEEDED] Signed-off-by: Adrian Reber <areber@redhat.com> Signed-off-by: Adrian Reber <adrian@lisas.de>
* Merge pull request #10600 from vrothberg/fix-10596OpenShift Merge Robot2021-06-08
|\ | | | | logs: k8s-file: fix race
| * logs: k8s-file: fix raceValentin Rothberg2021-06-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix a race in the k8s-file logs driver. When "following" the logs, Podman will print the container's logs until the end. Previously, Podman logged until the state transitioned into something non-running which opened up a race with the container still running, possibly in the "stopping" state. To fix the race, log until we've seen the wait event for the specific container. In that case, conmon will have finished writing all logs to the file, and Podman will read it until EOF. Further tweak the integration tests for testing `logs -f` on a running container. Previously, the test only checked for one of two lines stating that there was a race. Indeed the race was in using `run --rm` where a log file may be removed before we could fully read it. Fixes: #10596 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Improve systemd-resolved detectionPaul Holzinger2021-06-08
| | | | | | | | | | | | | | | | | | | | | | | | | | When 127.0.0.53 is the only nameserver in /etc/resolv.conf assume systemd-resolved is used. This is better because /etc/resolv.conf does not have to be symlinked to /run/systemd/resolve/stub-resolv.conf in order to use systemd-resolved. [NO TESTS NEEDED] Fixes: #10570 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Add parameter to specify checkpoint archive compressionAdrian Reber2021-06-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The checkpoint archive compression was hardcoded to `archive.Gzip`. There have been requests to make the used compression algorithm selectable. There was especially the request to not compress the checkpoint archive to be able to create faster checkpoints when not compressing it. This also changes the default from `gzip` to `zstd`. This change should not break anything as the restore code path automatically handles whatever compression the user provides during restore. Signed-off-by: Adrian Reber <areber@redhat.com>
* | add ipv6 nameservers only when the container has ipv6 enabledPaul Holzinger2021-06-03
|/ | | | | | | | | | | | | | | The containers /etc/resolv.conf allways preserved the ipv6 nameserves from the host even when the container did not supported ipv6. Check if the cni result contains an ipv6 address or slirp4netns has ipv6 support enabled and only add the ipv6 nameservers when this is the case. The test needs to have an ipv6 nameserver in the hosts /etc/hosts but we should never mess with this file on the host. Therefore the test is skipped when no ipv6 is detected. Fixes #10158 Signed-off-by: Paul Holzinger <pholzing@redhat.com>