summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* correct assignment of networkStatusbaude2018-11-08
| | | | | | | | | | once we changed configureNetNS to return a result beyond an error, we need to make sure that we used locals instead of ctr attributes when determining networks. Resolves #1752 Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1764 from rhatdan/nopasswdOpenShift Merge Robot2018-11-07
|\ | | | | Don't fail if /etc/passwd or /etc/group does not exists
| * Don't fail if /etc/passwd or /etc/group does not existsDaniel J Walsh2018-11-07
| | | | | | | | | | | | | | | | | | | | | | Container images can be created without passwd or group file, currently if one of these containers gets run with a --user flag the container blows up complaining about t a missing /etc/passwd file. We just need to check if the error on read is ENOEXIST then allow the read to return, not fail. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #1771 from baude/prepareOpenShift Merge Robot2018-11-07
|\ \ | | | | | | move defer'd function declaration ahead of prepare error return
| * | move defer'd function declaration ahead of prepare error returnbaude2018-11-07
| |/ | | | | | | Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #1689 from mheon/add_runc_timeoutOpenShift Merge Robot2018-11-07
|\ \ | | | | | | Do not call out to runc for sync
| * | Print error status code if we fail to parse itMatthew Heon2018-11-07
| | | | | | | | | | | | | | | | | | | | | | | | When we read the conmon error status file, if Atoi fails to parse the string we read from the file as an int, print the string as part of the error message so we know what might have gone wrong. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | Properly set Running state when starting containersMatthew Heon2018-11-07
| | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * | Fix misspellingMatthew Heon2018-11-07
| | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * | Retrieve container PID from conmonMatthew Heon2018-11-07
| | | | | | | | | | | | | | | | | | | | | Instead of running a full sync after starting a container to pick up its PID, grab it from Conmon instead. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * | If a container ceases to exist in runc, set exit statusMatthew Heon2018-11-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | When we scan a container in runc and see that it no longer exists, we already set ContainerStatusExited to indicate that it no longer exists in runc. Now, also set an exit code and exit time, so PS output will make some sense. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * | EXPERIMENTAL: Do not call out to runc for syncMatthew Heon2018-11-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When syncing container state, we normally call out to runc to see the container's status. This does have significant performance implications, though, and we've seen issues with large amounts of runc processes being spawned. This patch attempts to use stat calls on the container exit file created by Conmon instead to sync state. This massively decreases the cost of calling updateContainer (it has gone from an almost-unconditional fork/exec of runc to a single stat call that can be avoided in most states). Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * | Actually save changes from post-stop syncMatthew Heon2018-11-07
| |/ | | | | | | | | | | | | | | | | | | After stopping containers, we run updateContainerStatus to sync our state with runc (pick up exit code, for example). Then we proceed to not save this to the database, requiring us to grab it again on the next sync. This should remove the need to read the exit file more than once. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Merge pull request #1767 from mheon/remove_conmon_cgroup_firstOpenShift Merge Robot2018-11-07
|\ \ | | | | | | Remove conmon cgroup before pod cgroup for cgroupfs
| * | Remove conmon cgroup before pod cgroup for cgroupfsMatthew Heon2018-11-07
| |/ | | | | | | | | | | | | | | | | | | For pods using cgroupfs, we were seeing some error messages in CI from an inability to remove the pod CGroup, which was traced down to the conmon cgroup still being present as a child. Try to remove these error messages and ensure successful CGroup deletion by removing the conmon CGroup first, then the pod cgroup. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Merge pull request #1761 from giuseppe/rootless-systemdOpenShift Merge Robot2018-11-07
|\ \ | | | | | | rootless: don't bind mount /sys/fs/cgroup/systemd in systemd mode
| * | rootless: mount /sys/fs/cgroup/systemd from the hostGiuseppe Scrivano2018-11-07
| | | | | | | | | | | | | | | | | | systemd requires /sys/fs/cgroup/systemd to be writeable. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | rootless: don't bind mount /sys/fs/cgroup/systemd in systemd modeGiuseppe Scrivano2018-11-07
| |/ | | | | | | | | | | | | it is not writeable by non-root users so there is no point in having access to it from a container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / Add hostname to /etc/hostsQi Wang2018-11-07
|/ | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* Merge pull request #1731 from afbjorklund/versionOpenShift Merge Robot2018-10-31
|\ | | | | Fix setting of version information
| * Fix setting of version informationAnders F Björklund2018-10-31
| | | | | | | | | | | | | | It was setting the wrong variable (CamelCase) in the wrong module ("main", not "libpod")... Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* | rootless: avoid hang on failed slirp4netnsGiuseppe Scrivano2018-10-31
| | | | | | | | | | | | | | | | If for any reason slirp4netns fails at startup, podman waits indefinitely. Check every second if the process is still running so that we avoid to hang. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1704 from giuseppe/attach-cuid-too-longOpenShift Merge Robot2018-10-30
|\ \ | | | | | | attach: fix attach when cuid is too long
| * | attach: fix attach when cuid is too longGiuseppe Scrivano2018-10-30
| |/ | | | | | | | | | | | | | | | | | | | | | | conmon creates a symlink to avoid using a too long UNIX path. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1641800 There is still one issue when the path length of the symlink has the same length of the attach socket parent directory since conmon fails to create the symlink, but that must be addressed in conmon first. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1715 from baude/getusergroupOpenShift Merge Robot2018-10-30
|\ \ | | | | | | get user and group information using securejoin and runc's user library
| * | get user and group information using securejoin and runc's user librarybaude2018-10-29
| |/ | | | | | | | | | | | | | | | | | | | | for the purposes of performance and security, we use securejoin to contstruct the root fs's path so that symlinks are what they appear to be and no pointing to something naughty. then instead of chrooting to parse /etc/passwd|/etc/group, we now use the runc user/group methods which saves us quite a bit of performance. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #1721 from vrothberg/fix-1695OpenShift Merge Robot2018-10-29
|\ \ | | | | | | unmount: fix error logic
| * | unmount: fix error logicValentin Rothberg2018-10-29
| |/ | | | | | | | | | | | | | | | | Only return `ErrCtrStateInvalid` errors when the mount counter is equal to 1. Also fix the "can't unmount [...] last mount[..]" error which hasn't been returned when the error passed to `errors.Errorf()` is nil. Fixes: #1695 Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
* / Sync default config with libpod.confAnders F Björklund2018-10-29
|/ | | | | | Only changed libpod.conf file, which might not even be in use. Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* Merge pull request #1699 from baude/rundOpenShift Merge Robot2018-10-25
|\ | | | | run performance improvements
| * run prepare in parallelbaude2018-10-25
| | | | | | | | | | | | | | run prepare() -- which consists of creating a network namespace and mounting the container image is now run in parallel. This saves 25-40ms. Signed-off-by: baude <bbaude@redhat.com>
* | Increase security and performance when looking up groupsbaude2018-10-25
|/ | | | | | | | | | We implement the securejoin method to make sure the paths to /etc/passwd and /etc/group are not symlinks to something naughty or outside the container image. And then instead of actually chrooting, we use the runc functions to get information about a user. The net result is increased security and a a performance gain from 41ms to 100us. Signed-off-by: baude <bbaude@redhat.com>
* create: fix writing cidfile when using rootlessGiuseppe Scrivano2018-10-23
| | | | | | | | | | prevent opening the same file twice, since we re-exec podman in rootless mode. While at it, also solve a possible race between the check for the file and writing to it. Another process could have created the file in the meanwhile and we would just end up overwriting it. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* read conmon output and convert to json in two stepsbaude2018-10-23
| | | | | | | | | when reading the output from conmon using the JSON methods, it appears that JSON marshalling is higher in pprof than it really is because the pipe is "waiting" for a response. this gives us a clearer look at the real CPU/time consumers. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1687 from rhatdan/vendorOpenShift Merge Robot2018-10-23
|\ | | | | Move selinux label reservations to containers storage.
| * Allow containers/storage to handle on SELinux labelingDaniel J Walsh2018-10-23
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #1638 from baude/fastpsOpenShift Merge Robot2018-10-23
|\ \ | | | | | | Make podman ps fast
| * | Make podman ps fastbaude2018-10-23
| | | | | | | | | | | | | | | | | | Like Ricky Bobby, we want to go fast. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #1686 from mheon/rootless_firewallOpenShift Merge Robot2018-10-23
|\ \ \ | | | | | | | | Use more reliable check for rootless for firewall init
| * | | Use more reliable check for rootless for firewall initMatthew Heon2018-10-23
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | We probably won't be able to initialize a firewall plugin when we are not running as root, so we shouldn't even try. Replace the less-effect EUID check with the rootless package's better check to make sure we don't accidentally set up the firewall in these cases. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | | Merge pull request #1627 from adrianreber/criuOpenShift Merge Robot2018-10-23
|\ \ \ | |/ / |/| | Add CRIU version check for checkpoint and restore
| * | Use the CRIU version check in checkpoint/restoreAdrian Reber2018-10-23
| |/ | | | | | | | | | | | | | | The newly introduced CRIU version check is now used to make sure checkpointing and restoring is only used if the CRIU version is new enough. Signed-off-by: Adrian Reber <areber@redhat.com>
* / oci: cleanup process statusGiuseppe Scrivano2018-10-23
|/ | | | | | | | I've seen a runc zombie process hanging around, it is caused by not cleaning up the "$OCI status" process. Also adjust another location that has the same issue. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Move rootless directory handling to the libpod/pkg/util directoryDaniel J Walsh2018-10-22
| | | | | | This should allow us to share this code with buildah. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Vendor in new new buildah/cibaude2018-10-17
| | | | | | | libpod requires new buildah and container image versions to resolve bug #1640298 Signed-off-by: baude <bbaude@redhat.com>
* Fix CGroup paths used for systemd CGroup mountMatthew Heon2018-10-17
| | | | | | | We already have functions for retrieving the container's CGroup path, so use them instead of manually generating a path. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1650 from rhatdan/systemdMatthew Heon2018-10-16
|\ | | | | Mount proper cgroup for systemd to manage inside of the container.
| * Mount proper cgroup for systemd to manage inside of the container.Daniel J Walsh2018-10-15
| | | | | | | | | | | | | | | | | | | | | | | | We are still requiring oci-systemd-hook to be installed in order to run systemd within a container. This patch properly mounts /sys/fs/cgroup/systemd/libpod_parent/libpod-UUID on /sys/fs/cgroup/systemd inside of container. Since we need the UUID of the container, we needed to move Systemd to be a config option of the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #1609 from giuseppe/fix-volume-rootlessMatthew Heon2018-10-16
|\ \ | |/ |/| volume: resolve symlink paths in volumes
| * volume: resolve symlinks in pathsGiuseppe Scrivano2018-10-14
| | | | | | | | | | | | | | | | | | | | ensure the volume paths are resolved in the mountpoint scope. Otherwise we might end up using host paths. Closes: https://github.com/containers/libpod/issues/1608 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>