| Commit message (Collapse) | Author | Age |
|\
| |
| | |
Add support to migrate containers
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The option to restore a container from an external checkpoint archive
(podman container restore -i /tmp/checkpoint.tar.gz) restores a
container with the same name and same ID as id had before checkpointing.
This commit adds the option '--name,-n' to 'podman container restore'.
With this option the restored container gets the name specified after
'--name,-n' and a new ID. This way it is possible to restore one
container multiple times.
If a container is restored with a new name Podman will not try to
request the same IP address for the container as it had during
checkpointing. This implicitly assumes that if a container is restored
from a checkpoint archive with a different name, that it will be
restored multiple times and restoring a container multiple times with
the same IP address will fail as each IP address can only be used once.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This commit adds an option to the checkpoint command to export a
checkpoint into a tar.gz file as well as importing a checkpoint tar.gz
file during restore. With all checkpoint artifacts in one file it is
possible to easily transfer a checkpoint and thus enabling container
migration in Podman. With the following steps it is possible to migrate
a running container from one system (source) to another (destination).
Source system:
* podman container checkpoint -l -e /tmp/checkpoint.tar.gz
* scp /tmp/checkpoint.tar.gz destination:/tmp
Destination system:
* podman pull 'container-image-as-on-source-system'
* podman container restore -i /tmp/checkpoint.tar.gz
The exported tar.gz file contains the checkpoint image as created by
CRIU and a few additional JSON files describing the state of the
checkpointed container.
Now the container is running on the destination system with the same
state just as during checkpointing. If the container is kept running
on the source system with the checkpoint flag '-R', the result will be
that the same container is running on two different hosts.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
This adds a couple of function in structure members needed in the next
commit to make container migration actually work. This just splits of
the function which are not modifying existing code.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
|/
|
|
| |
Signed-off-by: Lawrence Chan <element103@gmail.com>
|
|\
| |
| | |
Add libpod journald logging
|
| |
| |
| |
| | |
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Add a journald reader that translates the journald entry to a k8s-file formatted line, to be added as a log line
Note: --follow with journald hasn't been implemented. It's going to be a larger undertaking that can wait.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
|\ \
| | |
| | | |
rootless: new function to join existing conmon processes
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
since we now enter the user namespace prior to read the conmon.pid, we
can write the conmon.pid file again to the runtime dir.
This reverts commit 6c6a8654363457a9638d58265d0a7e8743575d7a.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \
| |_|/
|/| | |
runtime: unlock the alive lock only once
|
| |/
| |
| |
| |
| |
| |
| | |
Unlock the alive lock only once in the deferred func call.
Fixes: #3207
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \
| |/
|/| |
Apparmor fixes
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Commit 27f9e23a0b9e already prevents setting the profile when creating
the spec but we also need to avoid loading and setting the profile when
creating the container.
Fixes: #3112
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \
| |/
|/| |
rootless: fix top huser and hgroup
|
| |
| |
| |
| |
| |
| |
| | |
when running in rootless mode, be sure psgo is honoring the user
namespace settings for huser and hgroup.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| |/
|/| |
Fix a 'generate kube' bug on ctrs with named volumes
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \
| | |
| | | |
libpod: prefer WaitForFile to polling
|
| |/
| |
| |
| |
| |
| |
| | |
replace two usage of kwait.ExponentialBackoff in favor of WaitForFile
that uses inotify when possible.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
rootless: use a pause process to keep namespaces alive
|
| | |
| | |
| | |
| | | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
use a pause process to keep the user and mount namespace alive.
The pause process is created immediately on reload, and all successive
Podman processes will refer to it for joining the user&mount
namespace.
This solves all the race conditions we had on joining the correct
namespaces using the conmon processes.
As a fallback if the join fails for any reason (e.g. the pause process
was killed), then we try to join the running containers as we were
doing before.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
this leaves the containers stopped but we won't risk to use the wrong
user namespace.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \
| |_|/
|/| | |
Update vendor of buildah and containers/images
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Mainly add support for podman build using --overlay mounts.
Updates containers/image also adds better support for new registries.conf
file.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | | |
let the writer of the channel close it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
enable polling also when using inotify. It is generally useful to
have it as under high load inotify can lose notifications. It also
solves a race condition where the file is created while the watcher
is configured and it'd wait until the timeout and fail.
Closes: https://github.com/containers/libpod/issues/2942
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|/
|
|
|
|
|
|
|
| |
`string.Split()` splits into slice of size greater than 2
which may result in loss of environment variables
fixes #3132
Signed-off-by: Divyansh Kamboj <kambojdivyansh2000@gmail.com>
|
|\
| |
| | |
network: raise a clearer error when using CNI
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
print a clearer error message when an unprivileged user attempts to
create a network using CNI.
Closes: https://github.com/containers/libpod/issues/3118
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
Ensure that start() in StartAndAttach() is locked
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
StartAndAttach() runs start() in a goroutine, which can allow it
to fire after the caller returns - and thus, after the defer to
unlock the container lock has fired.
The start() call _must_ occur while the container is locked, or
else state inconsistencies may occur.
Fixes #3114
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \
| | |
| | | |
When removing pods, free their locks
|
| |/
| |
| |
| |
| |
| |
| | |
Without this we leak allocated locks, which is definitely not a
good thing.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|/
|
|
|
|
|
| |
once the default event logger was removed from libpod.conf, we need to
set the default based on whether the systemd build tag is used or not.
Signed-off-by: baude <bbaude@redhat.com>
|
|\
| |
| | |
Add `systemd` build tag
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If the systemd development files are not present on the system which
builds podman, then `podman events` will error on runtime creation.
Beside this, a warning will be printed when compiling podman.
This commit mainly exists because projects which depend on libpod
would not need the podman event support and therefore do not need to
rely on the systemd headers.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
|
|/
|
|
|
|
|
| |
clean up the reporting of a benign error that can occur when a container
is first stopped and then removed.
Signed-off-by: baude <bbaude@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using CGroupfs, we see races during pod removal between
removing the CGroup and the cleanup process starting (in the
CGroup, thus preventing removal).
The simplest way to avoid this is to prevent the forking of the
cleanup process. Conveniently, we can do this via the CGroup that
we already created for Conmon - we just need to update the PID
limit to 0, which completely inhibits new forks.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
| |
Instead of rewriting the logic, reuse the standard logic we use
for removing containers, which is much better tested.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\
| |
| | |
Improve robustness of pod removal
|
| |
| |
| |
| |
| |
| |
| |
| | |
Ensure that, if an error occurs somewhere along the way when we
remove a pod, it's preserved until the end and returned, even as
we continue to remove the pod.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Removing a pod must first removal all containers in the pod.
Libpod requires the state to remain consistent at all times, so
references to a deleted pod must all be cleansed first.
Pods can have many containers in them. We presently iterate
through all of them, and if an error occurs trying to clean up
and remove any single container, we abort the entire operation
(but cannot recover anything already removed - pod removal is not
an atomic operation).
Because of this, if a removal error occurs partway through, we
can end up with a pod in an inconsistent state that is no longer
usable. What's worse, if the error is in the infra container, and
it's persistent, we get zombie pods - completely unable to be
removed.
When we saw some of these same issues with containers not in
pods, we modified the removal code there to aggressively purge
containers from the database, then try to clean up afterwards.
Take the same approach here, and make cleanup errors nonfatal.
Once we've gone ahead and removed containers, we need to see
pod deletion through to the end - we'll log errors but keep
going.
Also, fix some other small things (most notably, we didn't make
events for the containers removed).
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| | |
first pass at enabling a swath of integration tests for the
remote-client.
Signed-off-by: baude <bbaude@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
| |
After a reboot, when we refresh Podman's state, we retrieved the
lock from the fresh SHM instance, but we did not mark it as
allocated to prevent it being handed out to other containers and
pods.
Provide a method for marking locks as in-use, and use it when we
refresh Podman state after a reboot.
Fixes #2900
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\
| |
| | |
Add restart policy for containers
|