path: root/libpod
Commit message (author, age)
* libpod: rootful close bound ports  (Paul Holzinger, 2021-09-16)
  For rootful users ports are forwarded via iptables. To make sure no other process tries to use them, libpod will bind the ports and pass the fds to conmon. There seems to be a race when a container is restarted because libpod tries to bind the port before the conmon process exited. The problem only happens with the podman service because it keeps the connection open. Once we have the fd and passed it to conmon the podman service should close the connection. To verify run `sudo ss -tulpn` and check that only the conmon process keeps the port open. Previously you would also see the podman server process listed.
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* fix restart always with rootlessport  (Paul Holzinger, 2021-09-16)
  When a container is automatically restarted due to its restart policy and the container uses rootless cni networking with ports forwarded we have to start a new rootlessport process since it exits with conmon.
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* test: enable --cgroup-parent test  (Giuseppe Scrivano, 2021-09-16)
  and fix it for running with runc.
  Closes: https://github.com/containers/podman/issues/11165
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Remove pod create options `--cpus` and `--cpuset-cpus`  (Matthew Heon, 2021-09-16)
  These are not presently functional - we need a rewrite of how the pod cgroup is handled first.
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* Revert "logs: adjust handling around partial log messages"  (Paul Holzinger, 2021-09-14)
  This reverts commit 21f396de6f5024abbf6edd2ca63edcb1525eefcc.
  Changing the log endpoint is a breaking change we should not do in 3.4.
  [NO TESTS NEEDED]
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #11323 from umohnani8/init  (OpenShift Merge Robot, 2021-09-10)
  Add init containers to generate and play kube
| * Add init containers to generate and play kube  (Urvashi Mohnani, 2021-09-10)
  Kubernetes has a concept of init containers that run and exit before the regular containers in a pod are started. We added init containers to podman pods as well. This patch adds support for generating init containers in the kube yaml when a pod we are converting had init containers. When playing a kube yaml, it detects an init container and creates such a container in podman accordingly. Note, only init containers created with the init type set to "always" will be generated as the "once" option deletes the init container after it has run and exited. Play kube always creates init containers with the "always" init container type.
  Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* | Merge pull request #11509 from containers/dependabot/go_modules/github.com/containers/psgo-1.6.0  (OpenShift Merge Robot, 2021-09-10)
  Bump github.com/containers/psgo from 1.5.2 to 1.6.0
| * | Bump github.com/containers/psgo from 1.5.2 to 1.6.0  (dependabot[bot], 2021-09-10)
  Bumps [github.com/containers/psgo](https://github.com/containers/psgo) from 1.5.2 to 1.6.0.
  - [Release notes](https://github.com/containers/psgo/releases)
  - [Commits](https://github.com/containers/psgo/compare/v1.5.2...v1.6.0)
  ---
  updated-dependencies:
  - dependency-name: github.com/containers/psgo
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  [NO TESTS NEEDED] since it's migrating to a new version.
  Signed-off-by: dependabot[bot] <support@github.com>
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #11506 from giuseppe/fix-stats-restart-container  (OpenShift Merge Robot, 2021-09-10)
  stats: detect container restart and allow paused containers
| * | stats: detect container restart  (Giuseppe Scrivano, 2021-09-10)
  if the current cpu usage time is lower than what was previously recorded, then it means the container was restarted and now it runs in a new cgroup. When this happens, reset the prevStats.
  Closes: https://github.com/containers/podman/issues/11469
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | stats: allow to read stats for paused containers  (Giuseppe Scrivano, 2021-09-10)
  paused containers still have a cgroup we can use to grab the stats.
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | try to create the runroot before we warn that it is not writable  (Paul Holzinger, 2021-09-10)
  The rootless integration tests show the XDG_RUNTIME_DIR warning without any reason. Podman runs without problems in these and yet the warning is shown. I think the problem is that we check the permission before we create the runroot directory.
  [NO TESTS NEEDED]
  Fixes #11521
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* / Fix conmon attach socket buffer size  (Paul Holzinger, 2021-09-09)
  The conmon buffer size is 8192, however the attach socket needs two extra bytes. The first byte of each message will be the STREAM type. The last byte is a null byte. So when we want to read 8192 message bytes we need to read 8193 bytes since the first one is special. check https://github.com/containers/conmon/blob/1ef246896b4f6566964ed861b98cd32d0e7bf7a2/src/ctr_stdio.c#L101-L107
  This problem can be seen in podman-remote run/exec when it prints output with 8192 or more bytes. The output will miss the 8192nd byte.
  Fixes #11496
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Add logDriver to podman info  (Daniel J Walsh, 2021-09-08)
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #11327 from flouthoc/warn-non-writeable-xdg-runtime  (OpenShift Merge Robot, 2021-09-08)
  runtime: Warn if `XDG_RUNTIME_DIR` is set but is not writable.
| * runtime: Warn if XDG_RUNTIME_DIR is set but is not writable.  (flouthoc, 2021-08-30)
  [NO TESTS NEEDED]
  Signed-off-by: Aditya Rajan <flouthoc.git@gmail.com>
* | Add Checkpointed bool to Inspect  (Matthew Heon, 2021-09-07)
  When inspecting a container, we now report whether the container was stopped by a `podman checkpoint` operation via a new bool in the State portion of inspect, `Checkpointed`.
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* | logs -f: file: fix deadlock  (Valentin Rothberg, 2021-09-07)
  Fix a deadlock in the file log driver where one goroutine would wait on the tail to hit EOF but reading is blocked for the function to return.
  Fixes: #11461
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | feat: add localhost into hosts if the networking mode is not host  (Parham Alvani, 2021-09-04)
  Signed-off-by: Parham Alvani <1995parham@tuta.io>
* | Drop dependency on iproute  (Paul Holzinger, 2021-09-02)
  We only use the `ip` util to remove a network interface. We can do this directly via the netlink lib, no need to call an external binary.
  [NO TESTS NEEDED]
  Fixes #11403
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #11391 from Luap99/rootlessport-socket  (OpenShift Merge Robot, 2021-09-01)
  rootlessport: allow socket paths with more than 108 chars
| * | rootlessport: allow socket paths with more than 108 chars  (Paul Holzinger, 2021-09-01)
  Creating the rootlessport socket can fail with `bind: invalid argument` when the socket path is longer than 108 chars. This is the case for users with a long runtime directory. Since the kernel does not allow socket paths with more than 108 chars, use a workaround to open the socket path.
  [NO TESTS NEEDED]
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #11376 from ashley-cui/envsec  (OpenShift Merge Robot, 2021-09-01)
  Make secret env var available to exec session
| * | Make secret env var available to exec session  (Ashley Cui, 2021-08-31)
  Secret environment variables were only available to a podman run/start. This commit makes sure that exec sessions can see them as well.
  Signed-off-by: Ashley Cui <acui@redhat.com>
* | | pass LISTEN_* environment into container  (Valentin Rothberg, 2021-08-31)
  Make sure that Podman passes the LISTEN_* environment into containers. Similar to runc, LISTEN_PID is set to 1.
  Also remove conditionally passing the LISTEN_FDS as extra files. The condition was wrong (inverted) and introduced to fix #3572 which related to running under varlink which has been dropped entirely with Podman 3.0.
  Note that the NOTIFY_SOCKET and LISTEN_* variables are cleared when running `system service`.
  Fixes: #10443
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #11353 from flouthoc/resolve-workdir-after-mounts  (OpenShift Merge Robot, 2021-08-30)
  container: resolve workdir during initialization after all the mounts are completed.
| * | container: resolve workdir after all the mounts happen.  (flouthoc, 2021-08-30)
  There are use-cases where users would want to use overlay-mounts as workdir. For such cases workdir should be resolved after all the mounts are completed during the container init process.
  Signed-off-by: Aditya Rajan <arajan@redhat.com>
* | | rootless cni: resolve absolute symlinks correctly  (Paul Holzinger, 2021-08-30)
  When /etc/resolv.conf is a symlink to an absolute path use it and not join it to the previous path.
  [NO TESTS NEEDED] This depends on the host layout.
  Fixes #11358
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #11333 from rhatdan/http-proxy  (OpenShift Merge Robot, 2021-08-27)
  Globally replace http:// with https://
| * | Globally replace http:// with https://  (Daniel J Walsh, 2021-08-27)
  [NO TESTS NEEDED] Hopefully existing tests will find issues.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | InfraContainer Rework  (cdoern, 2021-08-26)
  InfraContainer should go through the same creation process as regular containers. This change was from the cmd level down, involving new container CLI opts and specgen creating functions. What now happens is that both container and pod cli options are populated in cmd and used to create a podSpecgen and a containerSpecgen. The process then goes as follows:
  FillOutSpecGen (infra) -> MapSpec (podOpts -> infraOpts) -> PodCreate -> MakePod -> createPodOptions -> NewPod -> CompleteSpec (infra) -> MakeContainer -> NewContainer -> newContainer -> AddInfra (to pod state)
  Signed-off-by: cdoern <cdoern@redhat.com>
* | Merge pull request #11218 from cdoern/untilBug  (OpenShift Merge Robot, 2021-08-26)
  logFile until flag issue, negative duration replaced with positive
| * logFile until flag issue  (cdoern, 2021-08-23)
  we were adding a negative duration in podman events, causing inputs like -5s to be correct and 5s to be incorrect.
  fixes #11158
  Signed-off-by: cdoern <cdoern@redhat.com>
* | Merge pull request #11314 from Luap99/expose-ports  (OpenShift Merge Robot, 2021-08-25)
  podman inspect show exposed ports
| * | podman inspect show exposed ports  (Paul Holzinger, 2021-08-24)
  Podman inspect has to show exposed ports to match docker. This requires storing the exposed ports in the container config. An exposed port is shown as `"80/tcp": null` while a forwarded port is shown as `"80/tcp": [{"HostIp": "", "HostPort": "8080" }]`.
  Also make sure to add the exposed ports to the new image when the container is committed.
  Fixes #10777
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #11263 from nalind/journal-read  (OpenShift Merge Robot, 2021-08-24)
  libpod/Container.readFromJournal(): don't skip the first entry
| * | | logs: adjust handling around partial log messages  (Nalin Dahyabhai, 2021-08-23)
  In libpod/logs.LogLine.Write(), don't write a newline to stdout/stderr when the log message is only part of a line.
  In libpod.ConmonOCIRuntime.HTTPAttach(), don't send a newline over the HTTP connection when the log message is only part of a line.
  In pkg/api/handlers/compat.LogsFromContainer(), don't send a newline over the HTTP connection when the log message is only part of a line, and don't make doing so conditional on whether or not the client used the docker or podman endpoint.
  In pkg/domain/infra/tunnel.ContainerEngine.ContainerLogs(), don't add our own newline to log messages, since they already come through from the server when they need to.
  Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
| * | | libpod/Container.readFromJournal(): don't skip the first entry  (Nalin Dahyabhai, 2021-08-23)
  When reading log entries from the journal, don't skip past the first matching entry after we've positioned the cursor at it.
  Make the first blank-line entry that we logged so that the container would always have at least one log entry for us to find (until it gets vacuumed out, at least) a fake history entry, so that `logs` doesn't pass it on for display.
  CI already has tests that exercise journal-based logging, so [NO TESTS NEEDED]
  Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
| * | | Switch eventlogger to journald by default  (Daniel J Walsh, 2021-08-23)
  [NO TESTS NEEDED] Since we are just testing the default.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Network interface  (Paul Holzinger, 2021-08-24)
  Implement a new network interface to abstract CNI from libpod. The interface is implemented for the CNI backend but in the future we can add more backends.
  The code is structured in three new packages:
  - `libpod/network/types`: contains the interface definition and the necessary types for it.
  - `libpod/network/cni` contains the interface implementation for the CNI backend.
  - `libpod/network/util` a set of utility functions related to networking.
  The CNI package uses ginkgo style unit tests. To test Setup/Teardown the test must be run as root. Each test will run in its own namespace to make the test independent from the host environment.
  New features with the CNI backend:
  - The default network will be created in memory if it does not exist on disk.
  - It can set more than one static IP per container network.
  - Networks are loaded once from disk and only if this interface is used, e.g. for commands such as `podman info` networks are not loaded. This reduces unnecessary disk IO.
  This commit only adds the interface; it is not wired into libpod. This requires a lot of breaking changes which will be done in a followup commit. Once this is integrated into libpod the current network code under `libpod/network` should be removed. Also the dependency on OCICNI should be dropped.
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #11290 from flouthoc/volume-export  (OpenShift Merge Robot, 2021-08-23)
  volumes: Add support for `volume export` which allows exporting content to external path.
| * | volumes: Add support for exporting volumes to external tar  (flouthoc, 2021-08-23)
  Adds support for transferring data between systems and backing up systems. Use cases: recover from disasters or move data between machines.
  Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* | | Merge pull request #11286 from jwhonce/issues/11227  (OpenShift Merge Robot, 2021-08-20)
  Update /version endpoint to add components
| * | | Update /version endpoint to add components  (Jhon Honce, 2021-08-19)
  * Include OCI and conmon information as components
  Fixes #11227
  Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | Merge pull request #11289 from Luap99/net-alias-id  (OpenShift Merge Robot, 2021-08-20)
  Fix network aliases with network id
| * | | | Fix network aliases with network id  (Paul Holzinger, 2021-08-20)
  When a network id is used to create a container we translate it to use the name internally for the db. The network aliases are also stored with the network name as key so we have to also translate them for the db.
  Also removed some outdated skips from the e2e tests.
  Fixes #11285
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* / | | Implement SD-NOTIFY proxy in conmon  (Daniel J Walsh, 2021-08-20)
  This leverages conmon's ability to proxy the SD-NOTIFY socket. This prevents locking caused by OCI runtime blocking, waiting for SD-NOTIFY messages, and instead passes the messages directly up to the host.
  NOTE: Also re-enable the auto-update tests which have been disabled due to flakiness. With this change, Podman properly integrates into systemd.
  Fixes: #7316
  Signed-off-by: Joseph Gooch <mrwizard@dok.org>
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* / / Podman info output plugin information  (Paul Holzinger, 2021-08-19)
  For docker compat include information about available volume, log and network drivers which should be listed under the plugins key.
  Fixes #11265
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Volumes: Only remove from DB if plugin removal succeeds  (Matthew Heon, 2021-08-18)
  Originally, Podman would unconditionally remove volumes from the DB, even if they failed to be removed from the volume plugin; this was a safety measure to ensure that `volume rm` can always remove a volume from the database, even if the plugin is misbehaving. However, this is a significant deviation from Docker, which refuses to remove if the plugin errors. These errors can be legitimate configuration issues which the user should address before the volume is removed, so Podman should also use this behaviour.
  Fixes #11214
  Signed-off-by: Matthew Heon <mheon@redhat.com>