path: root/libpod

Commit message (Author, Age)
* Merge pull request #3188 from giuseppe/fix-join-existing-containers (OpenShift Merge Robot, 2019-05-29)
  rootless: new function to join existing conmon processes
  * Revert "rootless: change default path for conmon.pid" (Giuseppe Scrivano, 2019-05-25)
    Since we now enter the user namespace prior to reading the conmon.pid, we can write the conmon.pid file again to the runtime dir.
    This reverts commit 6c6a8654363457a9638d58265d0a7e8743575d7a.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3208 from vrothberg/fix-3207 (OpenShift Merge Robot, 2019-05-28)
  runtime: unlock the alive lock only once
  * runtime: unlock the alive lock only once (Valentin Rothberg, 2019-05-28)
    Unlock the alive lock only once in the deferred func call.
    Fixes: #3207
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #3189 from vrothberg/apparmor-fixes (OpenShift Merge Robot, 2019-05-28)
  Apparmor fixes
  * apparmor: don't load/set profile in privileged mode (Valentin Rothberg, 2019-05-23)
    Commit 27f9e23a0b9e already prevents setting the profile when creating the spec, but we also need to avoid loading and setting the profile when creating the container.
    Fixes: #3112
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #3190 from giuseppe/fix-userns-psgo (OpenShift Merge Robot, 2019-05-23)
  rootless: fix top huser and hgroup
  * rootless: fix top huser and hgroup (Giuseppe Scrivano, 2019-05-23)
    When running in rootless mode, be sure psgo is honoring the user namespace settings for huser and hgroup.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3178 from mheon/fix_gen_kube (OpenShift Merge Robot, 2019-05-22)
  Fix a 'generate kube' bug on ctrs with named volumes
  * Remove unused return statement in kube volume code (Matthew Heon, 2019-05-21)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * Fix a 'generate kube' bug on ctrs with named volumes (Matthew Heon, 2019-05-21)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3173 from giuseppe/use-wait-for-file (OpenShift Merge Robot, 2019-05-21)
  libpod: prefer WaitForFile to polling
  * libpod: prefer WaitForFile to polling (Giuseppe Scrivano, 2019-05-21)
    Replace two usages of kwait.ExponentialBackoff in favor of WaitForFile, which uses inotify when possible.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3084 from giuseppe/rootless-pause-process (OpenShift Merge Robot, 2019-05-21)
  rootless: use a pause process to keep namespaces alive
  * system: migrate stops the pause process (Giuseppe Scrivano, 2019-05-17)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * rootless: use a pause process (Giuseppe Scrivano, 2019-05-17)
    Use a pause process to keep the user and mount namespace alive. The pause process is created immediately on reload, and all successive Podman processes will refer to it for joining the user & mount namespace.
    This solves all the race conditions we had on joining the correct namespaces using the conmon processes.
    As a fallback, if the join fails for any reason (e.g. the pause process was killed), then we try to join the running containers as we were doing before.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * migrate: do not create a new namespace (Giuseppe Scrivano, 2019-05-17)
    This leaves the containers stopped, but we won't risk using the wrong user namespace.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3168 from rhatdan/vendor (Matthew Heon, 2019-05-21)
  Update vendor of buildah and containers/images
  * Update vendor of buildah and containers/images (Daniel J Walsh, 2019-05-20)
    Mainly add support for podman build using --overlay mounts.
    Updating containers/image also adds better support for the new registries.conf file.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* container: move channel close to its writer (Giuseppe Scrivano, 2019-05-20)
  Let the writer of the channel close it.
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* util: fix race condition in WaitForFile (Giuseppe Scrivano, 2019-05-20)
  Enable polling also when using inotify. It is generally useful to have it, as under high load inotify can lose notifications.
  It also solves a race condition where the file is created while the watcher is configured and it'd wait until the timeout and fail.
  Closes: https://github.com/containers/libpod/issues/2942
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Minor fix splitting env vars in podman-commit (Divyansh Kamboj, 2019-05-19)
  `string.Split()` splits into a slice of size greater than 2, which may result in loss of environment variables.
  Fixes #3132
  Signed-off-by: Divyansh Kamboj <kambojdivyansh2000@gmail.com>
* Merge pull request #3121 from giuseppe/rootless-error-cni (OpenShift Merge Robot, 2019-05-16)
  network: raise a clearer error when using CNI
  * network: raise a clearer error when using CNI (Giuseppe Scrivano, 2019-05-14)
    Print a clearer error message when an unprivileged user attempts to create a network using CNI.
    Closes: https://github.com/containers/libpod/issues/3118
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3127 from mheon/fix_start_race (OpenShift Merge Robot, 2019-05-16)
  Ensure that start() in StartAndAttach() is locked
  * Ensure that start() in StartAndAttach() is locked (Matthew Heon, 2019-05-14)
    StartAndAttach() runs start() in a goroutine, which can allow it to fire after the caller returns, and thus after the defer to unlock the container lock has fired. The start() call _must_ occur while the container is locked, or else state inconsistencies may occur.
    Fixes #3114
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3124 from mheon/remove_pod_lock (OpenShift Merge Robot, 2019-05-15)
  When removing pods, free their locks
  * When removing pods, free their locks (Matthew Heon, 2019-05-14)
    Without this we leak allocated locks, which is definitely not a good thing.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* set default event logger based on build tags (baude, 2019-05-14)
  Once the default event logger was removed from libpod.conf, we need to set the default based on whether the systemd build tag is used or not.
  Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3083 from openSUSE/systemd-optional (OpenShift Merge Robot, 2019-05-13)
  Add `systemd` build tag
  * Add `systemd` build tag (Sascha Grunert, 2019-05-13)
    If the systemd development files are not present on the system which builds podman, then `podman events` will error on runtime creation. Besides this, a warning will be printed when compiling podman.
    This commit mainly exists because projects which depend on libpod would not need the podman event support and therefore do not need to rely on the systemd headers.
    Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* healthcheck benign error (baude, 2019-05-13)
  Clean up the reporting of a benign error that can occur when a container is first stopped and then removed.
  Signed-off-by: baude <bbaude@redhat.com>
* When removing a pod with CGroupfs, set pids limit to 0 (Matthew Heon, 2019-05-12)
  When using CGroupfs, we see races during pod removal between removing the CGroup and the cleanup process starting (in the CGroup, thus preventing removal). The simplest way to avoid this is to prevent the forking of the cleanup process. Conveniently, we can do this via the CGroup that we already created for Conmon; we just need to update the PID limit to 0, which completely inhibits new forks.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Use standard remove functions for removing pod ctrs (Matthew Heon, 2019-05-10)
  Instead of rewriting the logic, reuse the standard logic we use for removing containers, which is much better tested.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3082 from mheon/pod_removal_reliability (OpenShift Merge Robot, 2019-05-08)
  Improve robustness of pod removal
  * Preserve errors returned by removing pods (Matthew Heon, 2019-05-07)
    Ensure that, if an error occurs somewhere along the way when we remove a pod, it's preserved until the end and returned, even as we continue to remove the pod.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * Improve robustness of pod removal (Matthew Heon, 2019-05-07)
    Removing a pod must first remove all containers in the pod. Libpod requires the state to remain consistent at all times, so references to a deleted pod must all be cleansed first.
    Pods can have many containers in them. We presently iterate through all of them, and if an error occurs trying to clean up and remove any single container, we abort the entire operation (but cannot recover anything already removed; pod removal is not an atomic operation). Because of this, if a removal error occurs partway through, we can end up with a pod in an inconsistent state that is no longer usable. What's worse, if the error is in the infra container, and it's persistent, we get zombie pods, completely unable to be removed.
    When we saw some of these same issues with containers not in pods, we modified the removal code there to aggressively purge containers from the database, then try to clean up afterwards. Take the same approach here, and make cleanup errors nonfatal. Once we've gone ahead and removed containers, we need to see pod deletion through to the end; we'll log errors but keep going.
    Also, fix some other small things (most notably, we didn't make events for the containers removed).
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* enable integration tests for remote-client (baude, 2019-05-07)
  First pass at enabling a swath of integration tests for the remote-client.
  Signed-off-by: baude <bbaude@redhat.com>
* When refreshing after a reboot, force lock allocation (Matthew Heon, 2019-05-06)
  After a reboot, when we refresh Podman's state, we retrieved the lock from the fresh SHM instance, but we did not mark it as allocated to prevent it being handed out to other containers and pods.
  Provide a method for marking locks as in-use, and use it when we refresh Podman state after a reboot.
  Fixes #2900
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #2826 from mheon/restart_policy (OpenShift Merge Robot, 2019-05-03)
  Add restart policy for containers
  * Small code fix (Matthew Heon, 2019-05-03)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * Fix 'restart' event in journald (Matthew Heon, 2019-05-03)
    Ensure that we can decode the restart event with the new journald events.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * Address review comments on restart policy (Matthew Heon, 2019-05-03)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * Add a restart event, and make one during restart policy (Matthew Heon, 2019-05-03)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * Restart policy should not run if a container is running (Matthew Heon, 2019-05-03)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * Move to using constants for valid restart policy types (Matthew Heon, 2019-05-03)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * Add support for retry count with --restart flag (Matthew Heon, 2019-05-03)
    The on-failure restart option supports restarting only a given number of times. To do this, we need one additional field in the DB to track restart count (which conveniently fills a field in Inspect we weren't populating), plus some plumbing logic.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * Sending signals to containers prevents restart policy (Matthew Heon, 2019-05-03)
    Noticed this when testing some behavior with Docker.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * Add container restart policy to Libpod & Podman (Matthew Heon, 2019-05-03)
    This initial version does not support restart count, but it works as advertised otherwise.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * Add a StoppedByUser field to the DB (Matthew Heon, 2019-05-03)
    This field indicates that a container was explicitly stopped by an API call, and did not exit naturally. It's used when implementing restart policy for containers.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>