| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There was an race condition when calling `GetRootlessCNINetNs()`. It
created the rootless cni directory before it got locked. Therefore
another process could have called cleanup and removed this directory
before it was used resulting in errors. The lockfile got moved into the
XDG_RUNTIME_DIR directory to prevent a panic when the parent dir was
removed by cleanup.
Fixes #10930
Fixes #10922
To make this even more robust `GetRootlessCNINetNs()` will now return
locked. This guarantees that we can run `Do()` after `GetRootlessCNINetNs()`
before another process could have called `Cleanup()` in between.
[NO TESTS NEEDED] CI is flaking, hopefully this will fix it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|\
| |
| | |
Perform a one-sided close of HTTP attach conn on EOF
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
On EOF of STDIN, we need to perform a one-sided close of the
attach connection on the client side, to ensure that STDIN
finishing will also cause the exec session to terminate, instead
of hang.
Fixes #7360
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |
| |
| |
| |
| |
| |
| | |
If mounting to existing directory the uid/gid should be preserved.
Primary uid/gid of container shouldn't be used.
Signed-off-by: Matej Vasek <mvasek@redhat.com>
|
|\ \
| | |
| | | |
Implemented Until Query Parameter for Containers/logs
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
compat containers/logs was missing actual usage of until query param.
fixes #10859
Signed-off-by: cdoern <cdoern@redhat.com>
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We should not be exposing the store outside of Libpod. We want to
encapsulate it as an internal implementation detail - there's no
reason functions outside of Libpod should directly be
manipulating container storage. Convert the last use to invoke a
method on Libpod instead, and remove the function.
[NO TESTS NEEDED] as this is just a refactor.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The rootless cni namespace needs a valid /etc/resolv.conf file. On some
distros is a symlink to somewhere under /run. Because the kernel will
follow the symlink before mounting, it is not possible to mount a file
at exactly /etc/resolv.conf. We have to ensure that the link target will
be available in the rootless cni mount ns.
Fixes #10855
Also fixed a bug in the /var/lib/cni directory lookup logic. It used
`filepath.Base` instead of `filepath.Dir` and thus looping infinitely.
Fixes #10857
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|\
| |
| | |
podman diff accept two images or containers
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
First, make podman diff accept optionally a second argument. This allows
the user to specify a second image/container to compare the first with.
If it is not set the parent layer will be used as before.
Second, podman container diff should only use containers and podman
image diff should only use images. Previously, podman container diff
would use the image when both an image and container with this name
exists.
To make this work two new parameters have been added to the api. If they
are not used the previous behaviour is used. The same applies to the
bindings.
Fixes #10649
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add a new service reaper package. Podman currently does not reap all
child processes. The slirp4netns and rootlesskit processes are not
reaped. The is not a problem for local podman since the podman process
dies before the other processes and then init will reap them for us.
However with podman system service it is possible that the podman
process is still alive after slirp died. In this case podman has to reap
it or the slirp process will be a zombie until the service is stopped.
The service reaper will listen in an extra goroutine on SIGCHLD. Once it
receives this signal it will try to reap all pids that were added with
`AddPID()`. While I would like to just reap all children this is not
possible because many parts of the code use `os/exec` with `cmd.Wait()`.
If we reap before `cmd.Wait()` things can break, so reaping everything
is not an option.
[NO TESTS NEEDED]
Fixes #9777
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|/
|
|
| |
Signed-off-by: Matej Vasek <mvasek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pull the trigger on the `pkg/registries` package which acted as a proxy
for `c/image/pkg/sysregistriesv2`. Callers should be using the packages
from c/image directly, if needed at all.
Also make use of libimage's SystemContext() method which returns a copy
of a system context, further reducing the risk of unintentionally
altering global data.
[NO TESTS NEEDED]
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\
| |
| | |
Create /etc/mtab with the correct ownership
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Create the /etc and /etc/mtab directories with the
correct ownership based on what the UID and GID is
for the container. This was causing issue when starting
the infra container with userns as the /etc directory
wasn't being created with the correct ownership.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
|
|\ \
| | |
| | | |
Podman Pod Create --cpus and --cpuset-cpus flags
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Added logic and handling for two new Podman pod create Flags.
--cpus specifies the total number of cores on which the pod can execute, this
is a combination of the period and quota for the CPU.
--cpuset-cpus is a string value which determines of these available cores,
how many we will truly execute on.
Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
|
|\ \
| |/
|/| |
Podman Stats additional features
|
| |
| |
| |
| |
| |
| |
| |
| | |
added Avg Cpu calculation and CPU up time to podman stats. Adding different feature sets in different PRs, CPU first.
resolves #9258
Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
|
|\ \
| | |
| | | |
getContainerNetworkInfo: lock netNsCtr before sync
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
`syncContainer()` requires the container to be locked, otherwise we can
end up with undefined behavior.
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Podman does not need to watch the cni config directory. If a network is
not found in the cache, OCICNI will reload the networks anyway and thus
even podman system service should work as expected.
Also include a change to not mount a "new" /var by default in the
rootless cni ns, instead try to use /var/lib/cni first and then the
parent dir. This allows users to store cni configs under /var/... which
is the case for the CI compose test.
[NO TESTS NEEDED]
Fixes #10686
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|\ \
| | |
| | | |
logs: k8s-file: restore poll sleep
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Commit 84b55eec2796 attempted to fix a race waiting for the container
died event. Previously, Podman slept for duration of the polling
frequence which I considerred to be a mistake. As it turns out, I was
mistaken since the file logger will, in fact, NOT read until EOF and
then stop logging but stop logging immediately _after_ it woke up.
[NO TESTS NEEDED] as the race condition cannot be hit reliably.
Fixes: #10675
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Fix the suprious "Error: nil" messages. Also add some more context to
logged error messages which makes error sources more obvious.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \ \
| |/ /
|/| | |
Fix systemd-resolved detection.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Previously podman failed when run in an environment where 127.0.0.53 is
the only nameserver but systemd-resolved is not used directly.
In practice this happened when podman was run within an alpine container
that used the host's network and the host was running systemd-resolved.
This fix makes podman ignore a file not found error when reading /run/systemd/resolve/resolv.conf.
Closes #10733
[NO TESTS NEEDED]
Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Users are complaining about read/only /var/tmp failing
even if TMPDIR=/tmp is set.
This PR Fixes: https://github.com/containers/podman/issues/10698
[NO TESTS NEEDED] No way to test this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
Fix resize race with podman exec -it
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When starting a process with `podman exec -it` the terminal is resized
after the process is started. To fix this allow exec start to accept the
terminal height and width as parameter and let it resize right before
the process is started.
Fixes #10560
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|\ \ \
| | | |
| | | | |
add correct slirp ip to /etc/hosts
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The container name should have the slirp interface ip set in /etc/hosts
and not the gateway ip. Commit c8dfcce6db0a introduced this regression.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1972073
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|/ /
| |
| |
| |
| |
| |
| |
| | |
Permission of volume should match the directory it is being mounted on.
Fixes: https://github.com/containers/podman/issues/10188
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
Fix restoring of privileged containers
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Checkpointed containers started with --privileged fail during restore
with:
Error: error creating container storage: ProcessLabel and Mountlabel must either not be specified or both specified
This commit fixes it by not setting the labels when restoring a
privileged container.
[NO TESTS NEEDED]
Signed-off-by: Adrian Reber <areber@redhat.com>
|
|\ \
| | |
| | | |
Fix network connect race with docker-compose
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Network connect/disconnect has to call the cni plugins when the network
namespace is already configured. This is the case for `ContainerStateRunning`
and `ContainerStateCreated`. This is important otherwise the network is
not attached to this network namespace and libpod will throw errors like
`network inspection mismatch...` This problem happened when using
`docker-compose up` in attached mode.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|\ \
| | |
| | | |
Always spawn a cleanup process with exec
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When making Exec Cleanup processes mandatory, I introduced a race
wherein attached exec sessions could be cleaned up and removed by
the cleanup process before the frontend had a chance to get their
exit code. Fortunately, we've dealt with this issue before in
containers, and the same solution can be applied here. I added an
event for an exec session's process exiting, `exec_died` (Docker
has an identical event, so this actually improves our
compatibility there) that includes the exit code of the exec
session. If the race happens and the exec session no longer
exists when we go to remove it, pick up exit code from the event
and exit cleanly.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We were previously only doing this for detached exec. I don't
know why we did that, but I don't see any reason not to extend it
to all exec sessions - it guarantees that we will always clean up
exec sessions, even if the original `podman exec` process died.
[NO TESTS NEEDED] because I don't really know how to test this
one.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|\ \
| | |
| | | |
Fix volumes with uid and gid options
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Podman uses the volume option map to check if it has to mount the volume
or not when the container is started. Commit 28138dafcc39 added to uid
and gid options to this map, however when only uid/gid is set we cannot
mount this volume because there is no filesystem or device specified.
Make sure we do not try to mount the volume when only the uid/gid option
is set since this is a simple chown operation.
Also when a uid/gid is explicity set, do not chown the volume based on
the container user when the volume is used for the first time.
Fixes #10620
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|\ \
| | |
| | | |
container: ignore named hierarchies
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
when looking up the container cgroup, ignore named hierarchies since
containers running systemd as payload will create a sub-cgroup and
move themselves there.
Closes: https://github.com/containers/podman/issues/10602
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unfortunately --pre-checkpointing never worked as intended and recent
changes to runc have shown that it is broken.
To create a pre-checkpoint CRIU expects the paths between the
pre-checkpoints to be a relative path. If having a previous checkpoint
it needs the be referenced like this: --prev-images-dir ../parent
Unfortunately Podman was giving runc (and CRIU) an absolute path.
Unfortunately, again, until March 2021 CRIU silently ignored if
the path was not relative and switch back to normal checkpointing.
This has been now fixed in CRIU and runc and running pre-checkpoint
with the latest runc fails, because runc already sees that the path is
absolute and returns an error.
This commit fixes this by giving runc a relative path.
This commit also fixes a second pre-checkpointing error which was just
recently introduced.
So summarizing: pre-checkpointing never worked correctly because CRIU
ignored wrong parameters and recent changes broke it even more.
Now both errors should be fixed.
[NO TESTS NEEDED]
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Adrian Reber <adrian@lisas.de>
|
|\
| |
| | |
logs: k8s-file: fix race
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fix a race in the k8s-file logs driver. When "following" the logs,
Podman will print the container's logs until the end. Previously,
Podman logged until the state transitioned into something non-running
which opened up a race with the container still running, possibly in
the "stopping" state.
To fix the race, log until we've seen the wait event for the specific
container. In that case, conmon will have finished writing all logs to
the file, and Podman will read it until EOF.
Further tweak the integration tests for testing `logs -f` on a running
container. Previously, the test only checked for one of two lines
stating that there was a race. Indeed the race was in using `run --rm`
where a log file may be removed before we could fully read it.
Fixes: #10596
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When 127.0.0.53 is the only nameserver in /etc/resolv.conf assume
systemd-resolved is used. This is better because /etc/resolv.conf does
not have to be symlinked to /run/systemd/resolve/stub-resolv.conf in
order to use systemd-resolved.
[NO TESTS NEEDED]
Fixes: #10570
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The checkpoint archive compression was hardcoded to `archive.Gzip`.
There have been requests to make the used compression algorithm
selectable. There was especially the request to not compress the
checkpoint archive to be able to create faster checkpoints when not
compressing it.
This also changes the default from `gzip` to `zstd`. This change should
not break anything as the restore code path automatically handles
whatever compression the user provides during restore.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The containers /etc/resolv.conf allways preserved the ipv6 nameserves
from the host even when the container did not supported ipv6. Check
if the cni result contains an ipv6 address or slirp4netns has ipv6
support enabled and only add the ipv6 nameservers when this is the case.
The test needs to have an ipv6 nameserver in the hosts /etc/hosts but we
should never mess with this file on the host. Therefore the test is
skipped when no ipv6 is detected.
Fixes #10158
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|