path: root/libpod
Commit message (Author, Age)
* Merge pull request #2272 from adrianreber/migration (OpenShift Merge Robot, 2019-06-07)
    Add support to migrate containers
  * migration: add possibility to restore a container with a new name (Adrian Reber, 2019-06-04)
      The option to restore a container from an external checkpoint archive
      (podman container restore -i /tmp/checkpoint.tar.gz) restores a container
      with the same name and same ID as it had before checkpointing.

      This commit adds the option '--name,-n' to 'podman container restore'.
      With this option the restored container gets the name specified after
      '--name,-n' and a new ID. This way it is possible to restore one
      container multiple times.

      If a container is restored with a new name Podman will not try to
      request the same IP address for the container as it had during
      checkpointing. This implicitly assumes that if a container is restored
      from a checkpoint archive with a different name, that it will be
      restored multiple times and restoring a container multiple times with
      the same IP address will fail as each IP address can only be used once.

      Signed-off-by: Adrian Reber <areber@redhat.com>
  * Added support to migrate containers (Adrian Reber, 2019-06-03)
      This commit adds an option to the checkpoint command to export a
      checkpoint into a tar.gz file as well as importing a checkpoint tar.gz
      file during restore. With all checkpoint artifacts in one file it is
      possible to easily transfer a checkpoint and thus enabling container
      migration in Podman. With the following steps it is possible to migrate
      a running container from one system (source) to another (destination).

      Source system:
       * podman container checkpoint -l -e /tmp/checkpoint.tar.gz
       * scp /tmp/checkpoint.tar.gz destination:/tmp

      Destination system:
       * podman pull 'container-image-as-on-source-system'
       * podman container restore -i /tmp/checkpoint.tar.gz

      The exported tar.gz file contains the checkpoint image as created by
      CRIU and a few additional JSON files describing the state of the
      checkpointed container.

      Now the container is running on the destination system with the same
      state just as during checkpointing.

      If the container is kept running on the source system with the
      checkpoint flag '-R', the result will be that the same container is
      running on two different hosts.

      Signed-off-by: Adrian Reber <areber@redhat.com>
  * Added helper functions for container migration (Adrian Reber, 2019-06-03)
      This adds a couple of functions and structure members needed in the
      next commit to make container migration actually work. This just splits
      off the functions which are not modifying existing code.

      Signed-off-by: Adrian Reber <areber@redhat.com>
* Inherit rootless init_path from system libpod.conf (Lawrence Chan, 2019-06-03)
    Signed-off-by: Lawrence Chan <element103@gmail.com>
* Merge pull request #2709 from haircommander/journald (OpenShift Merge Robot, 2019-05-29)
    Add libpod journald logging
  * Add --follow to journald ctr logging (Peter Hunt, 2019-05-28)
      Signed-off-by: Peter Hunt <pehunt@redhat.com>
  * Address comments (Peter Hunt, 2019-05-28)
      Signed-off-by: Peter Hunt <pehunt@redhat.com>
  * Implement podman logs with log-driver journald (Peter Hunt, 2019-05-28)
      Add a journald reader that translates the journald entry to a k8s-file
      formatted line, to be added as a log line

      Note: --follow with journald hasn't been implemented. It's going to be a
      larger undertaking that can wait.

      Signed-off-by: Peter Hunt <pehunt@redhat.com>
  * Added --log-driver and journald logging (Peter Hunt, 2019-05-28)
      Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Merge pull request #3188 from giuseppe/fix-join-existing-containers (OpenShift Merge Robot, 2019-05-29)
    rootless: new function to join existing conmon processes
  * Revert "rootless: change default path for conmon.pid" (Giuseppe Scrivano, 2019-05-25)
      since we now enter the user namespace prior to reading the conmon.pid,
      we can write the conmon.pid file again to the runtime dir.

      This reverts commit 6c6a8654363457a9638d58265d0a7e8743575d7a.

      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3208 from vrothberg/fix-3207 (OpenShift Merge Robot, 2019-05-28)
    runtime: unlock the alive lock only once
  * runtime: unlock the alive lock only once (Valentin Rothberg, 2019-05-28)
      Unlock the alive lock only once in the deferred func call.

      Fixes: #3207

      Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #3189 from vrothberg/apparmor-fixes (OpenShift Merge Robot, 2019-05-28)
    Apparmor fixes
  * apparmor: don't load/set profile in privileged mode (Valentin Rothberg, 2019-05-23)
      Commit 27f9e23a0b9e already prevents setting the profile when creating
      the spec but we also need to avoid loading and setting the profile when
      creating the container.

      Fixes: #3112

      Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #3190 from giuseppe/fix-userns-psgo (OpenShift Merge Robot, 2019-05-23)
    rootless: fix top huser and hgroup
  * rootless: fix top huser and hgroup (Giuseppe Scrivano, 2019-05-23)
      when running in rootless mode, be sure psgo is honoring the user
      namespace settings for huser and hgroup.

      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3178 from mheon/fix_gen_kube (OpenShift Merge Robot, 2019-05-22)
    Fix a 'generate kube' bug on ctrs with named volumes
  * Remove unused return statement in kube volume code (Matthew Heon, 2019-05-21)
      Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * Fix a 'generate kube' bug on ctrs with named volumes (Matthew Heon, 2019-05-21)
      Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3173 from giuseppe/use-wait-for-file (OpenShift Merge Robot, 2019-05-21)
    libpod: prefer WaitForFile to polling
  * libpod: prefer WaitForFile to polling (Giuseppe Scrivano, 2019-05-21)
      replace two usages of kwait.ExponentialBackoff in favor of WaitForFile
      that uses inotify when possible.

      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3084 from giuseppe/rootless-pause-process (OpenShift Merge Robot, 2019-05-21)
    rootless: use a pause process to keep namespaces alive
  * system: migrate stops the pause process (Giuseppe Scrivano, 2019-05-17)
      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * rootless: use a pause process (Giuseppe Scrivano, 2019-05-17)
      use a pause process to keep the user and mount namespace alive. The
      pause process is created immediately on reload, and all successive
      Podman processes will refer to it for joining the user&mount namespace.

      This solves all the race conditions we had on joining the correct
      namespaces using the conmon processes.

      As a fallback if the join fails for any reason (e.g. the pause process
      was killed), then we try to join the running containers as we were
      doing before.

      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * migrate: not create a new namespace (Giuseppe Scrivano, 2019-05-17)
      this leaves the containers stopped but we won't risk using the wrong
      user namespace.

      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3168 from rhatdan/vendor (Matthew Heon, 2019-05-21)
    Update vendor of buildah and containers/images
  * Update vendor of buildah and containers/images (Daniel J Walsh, 2019-05-20)
      Mainly add support for podman build using --overlay mounts.

      Updates containers/image also adds better support for new
      registries.conf file.

      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* container: move channel close to its writer (Giuseppe Scrivano, 2019-05-20)
    let the writer of the channel close it.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* util: fix race condition in WaitForFile (Giuseppe Scrivano, 2019-05-20)
    enable polling also when using inotify. It is generally useful to have
    it as under high load inotify can lose notifications. It also solves a
    race condition where the file is created while the watcher is configured
    and it'd wait until the timeout and fail.

    Closes: https://github.com/containers/libpod/issues/2942

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Minor fix splitting env vars in podman-commit (Divyansh Kamboj, 2019-05-19)
    `string.Split()` splits into a slice of size greater than 2 which may
    result in loss of environment variables

    fixes #3132

    Signed-off-by: Divyansh Kamboj <kambojdivyansh2000@gmail.com>
* Merge pull request #3121 from giuseppe/rootless-error-cni (OpenShift Merge Robot, 2019-05-16)
    network: raise a clearer error when using CNI
  * network: raise a clearer error when using CNI (Giuseppe Scrivano, 2019-05-14)
      print a clearer error message when an unprivileged user attempts to
      create a network using CNI.

      Closes: https://github.com/containers/libpod/issues/3118

      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3127 from mheon/fix_start_race (OpenShift Merge Robot, 2019-05-16)
    Ensure that start() in StartAndAttach() is locked
  * Ensure that start() in StartAndAttach() is locked (Matthew Heon, 2019-05-14)
      StartAndAttach() runs start() in a goroutine, which can allow it to
      fire after the caller returns - and thus, after the defer to unlock the
      container lock has fired. The start() call _must_ occur while the
      container is locked, or else state inconsistencies may occur.

      Fixes #3114

      Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3124 from mheon/remove_pod_lock (OpenShift Merge Robot, 2019-05-15)
    When removing pods, free their locks
  * When removing pods, free their locks (Matthew Heon, 2019-05-14)
      Without this we leak allocated locks, which is definitely not a good
      thing.

      Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* set default event logger based on build tags (baude, 2019-05-14)
    once the default event logger was removed from libpod.conf, we need to
    set the default based on whether the systemd build tag is used or not.

    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3083 from openSUSE/systemd-optional (OpenShift Merge Robot, 2019-05-13)
    Add `systemd` build tag
  * Add `systemd` build tag (Sascha Grunert, 2019-05-13)
      If the systemd development files are not present on the system which
      builds podman, then `podman events` will error on runtime creation.
      Besides this, a warning will be printed when compiling podman.

      This commit mainly exists because projects which depend on libpod would
      not need the podman event support and therefore do not need to rely on
      the systemd headers.

      Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* healthcheck benign error (baude, 2019-05-13)
    clean up the reporting of a benign error that can occur when a container
    is first stopped and then removed.

    Signed-off-by: baude <bbaude@redhat.com>
* When removing a pod with CGroupfs, set pids limit to 0 (Matthew Heon, 2019-05-12)
    When using CGroupfs, we see races during pod removal between removing
    the CGroup and the cleanup process starting (in the CGroup, thus
    preventing removal). The simplest way to avoid this is to prevent the
    forking of the cleanup process.

    Conveniently, we can do this via the CGroup that we already created for
    Conmon - we just need to update the PID limit to 0, which completely
    inhibits new forks.

    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Use standard remove functions for removing pod ctrs (Matthew Heon, 2019-05-10)
    Instead of rewriting the logic, reuse the standard logic we use for
    removing containers, which is much better tested.

    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3082 from mheon/pod_removal_reliability (OpenShift Merge Robot, 2019-05-08)
    Improve robustness of pod removal
  * Preserve errors returned by removing pods (Matthew Heon, 2019-05-07)
      Ensure that, if an error occurs somewhere along the way when we remove
      a pod, it's preserved until the end and returned, even as we continue
      to remove the pod.

      Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * Improve robustness of pod removal (Matthew Heon, 2019-05-07)
      Removing a pod must first remove all containers in the pod. Libpod
      requires the state to remain consistent at all times, so references to
      a deleted pod must all be cleansed first.

      Pods can have many containers in them. We presently iterate through all
      of them, and if an error occurs trying to clean up and remove any
      single container, we abort the entire operation (but cannot recover
      anything already removed - pod removal is not an atomic operation).

      Because of this, if a removal error occurs partway through, we can end
      up with a pod in an inconsistent state that is no longer usable. What's
      worse, if the error is in the infra container, and it's persistent, we
      get zombie pods - completely unable to be removed.

      When we saw some of these same issues with containers not in pods, we
      modified the removal code there to aggressively purge containers from
      the database, then try to clean up afterwards. Take the same approach
      here, and make cleanup errors nonfatal. Once we've gone ahead and
      removed containers, we need to see pod deletion through to the end -
      we'll log errors but keep going.

      Also, fix some other small things (most notably, we didn't make events
      for the containers removed).

      Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* enable integration tests for remote-client (baude, 2019-05-07)
    first pass at enabling a swath of integration tests for the
    remote-client.

    Signed-off-by: baude <bbaude@redhat.com>
* When refreshing after a reboot, force lock allocation (Matthew Heon, 2019-05-06)
    After a reboot, when we refresh Podman's state, we retrieved the lock
    from the fresh SHM instance, but we did not mark it as allocated to
    prevent it being handed out to other containers and pods.

    Provide a method for marking locks as in-use, and use it when we refresh
    Podman state after a reboot.

    Fixes #2900

    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #2826 from mheon/restart_policy (OpenShift Merge Robot, 2019-05-03)
    Add restart policy for containers