path: root/libpod
Commit message (Author, Age)
* Remove GetStore function from Libpod (Matthew Heon, 2021-07-08)

  We should not be exposing the store outside of Libpod. We want to encapsulate it as an internal implementation detail - there's no reason functions outside of Libpod should directly be manipulating container storage. Convert the last use to invoke a method on Libpod instead, and remove the function.

  [NO TESTS NEEDED] as this is just a refactor.

  Signed-off-by: Matthew Heon <mheon@redhat.com>
* Make rootless-cni setup more robust (Paul Holzinger, 2021-07-06)

  The rootless cni namespace needs a valid /etc/resolv.conf file. On some distros it is a symlink to somewhere under /run. Because the kernel will follow the symlink before mounting, it is not possible to mount a file at exactly /etc/resolv.conf. We have to ensure that the link target will be available in the rootless cni mount ns.

  Fixes #10855

  Also fixed a bug in the /var/lib/cni directory lookup logic. It used `filepath.Base` instead of `filepath.Dir` and thus looped infinitely.

  Fixes #10857

  [NO TESTS NEEDED]

  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #10836 from Luap99/diff (OpenShift Merge Robot, 2021-07-03)

  podman diff accept two images or containers

  * podman diff accept two images or containers (Paul Holzinger, 2021-07-02)

    First, make podman diff optionally accept a second argument. This allows the user to specify a second image/container to compare the first with. If it is not set the parent layer will be used as before.

    Second, podman container diff should only use containers and podman image diff should only use images. Previously, podman container diff would use the image when both an image and a container with this name exist.

    To make this work two new parameters have been added to the api. If they are not used the previous behaviour is used. The same applies to the bindings.

    Fixes #10649

    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* podman service reaper (Paul Holzinger, 2021-07-02)

  Add a new service reaper package. Podman currently does not reap all child processes. The slirp4netns and rootlesskit processes are not reaped. This is not a problem for local podman since the podman process dies before the other processes and then init will reap them for us. However with podman system service it is possible that the podman process is still alive after slirp died. In this case podman has to reap it or the slirp process will be a zombie until the service is stopped.

  The service reaper will listen in an extra goroutine on SIGCHLD. Once it receives this signal it will try to reap all pids that were added with `AddPID()`. While I would like to just reap all children this is not possible because many parts of the code use `os/exec` with `cmd.Wait()`. If we reap before `cmd.Wait()` things can break, so reaping everything is not an option.

  [NO TESTS NEEDED]

  Fixes #9777

  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Implement --archive flag for podman cp (Matej Vasek, 2021-07-01)

  Signed-off-by: Matej Vasek <mvasek@redhat.com>
* remove `pkg/registries` (Valentin Rothberg, 2021-06-25)

  Pull the trigger on the `pkg/registries` package which acted as a proxy for `c/image/pkg/sysregistriesv2`. Callers should be using the packages from c/image directly, if needed at all.

  Also make use of libimage's SystemContext() method which returns a copy of a system context, further reducing the risk of unintentionally altering global data.

  [NO TESTS NEEDED]

  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #10765 from umohnani8/mtab (OpenShift Merge Robot, 2021-06-23)

  Create /etc/mtab with the correct ownership

  * [NO TESTS NEEDED] Create /etc/mtab with the correct ownership (Urvashi Mohnani, 2021-06-23)

    Create the /etc and /etc/mtab directories with the correct ownership based on what the UID and GID is for the container. This was causing an issue when starting the infra container with userns as the /etc directory wasn't being created with the correct ownership.

    Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* Merge pull request #10716 from cdoern/podFlags (OpenShift Merge Robot, 2021-06-23)

  Podman Pod Create --cpus and --cpuset-cpus flags

  * Podman Pod Create --cpus and --cpuset-cpus flags (cdoern, 2021-06-23)

    Added logic and handling for two new Podman pod create flags. --cpus specifies the total number of cores on which the pod can execute; this is a combination of the period and quota for the CPU. --cpuset-cpus is a string value which determines, of these available cores, how many we will truly execute on.

    Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* Merge pull request #10696 from cdoern/libpodStats (OpenShift Merge Robot, 2021-06-23)

  Podman Stats additional features

  * Podman Stats additional features (cdoern, 2021-06-23)

    added Avg Cpu calculation and CPU up time to podman stats. Adding different feature sets in different PRs, CPU first.

    resolves #9258

    Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* Merge pull request #10754 from Luap99/sync-lock (OpenShift Merge Robot, 2021-06-23)

  getContainerNetworkInfo: lock netNsCtr before sync

  * getContainerNetworkInfo: lock netNsCtr before sync (Paul Holzinger, 2021-06-22)

    `syncContainer()` requires the container to be locked, otherwise we can end up with undefined behavior.

    [NO TESTS NEEDED]

    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Do not use inotify for OCICNI (Paul Holzinger, 2021-06-22)

  Podman does not need to watch the cni config directory. If a network is not found in the cache, OCICNI will reload the networks anyway and thus even podman system service should work as expected.

  Also include a change to not mount a "new" /var by default in the rootless cni ns, instead try to use /var/lib/cni first and then the parent dir. This allows users to store cni configs under /var/... which is the case for the CI compose test.

  [NO TESTS NEEDED]

  Fixes #10686

  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #10742 from vrothberg/fix-10675 (OpenShift Merge Robot, 2021-06-21)

  logs: k8s-file: restore poll sleep

  * logs: k8s-file: restore poll sleep (Valentin Rothberg, 2021-06-21)

    Commit 84b55eec2796 attempted to fix a race waiting for the container died event. Previously, Podman slept for the duration of the polling frequency, which I considered to be a mistake. As it turns out, I was mistaken since the file logger will, in fact, NOT read until EOF and then stop logging but stop logging immediately _after_ it woke up.

    [NO TESTS NEEDED] as the race condition cannot be hit reliably.

    Fixes: #10675

    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

  * logs: k8s-file: fix spurious error logs (Valentin Rothberg, 2021-06-21)

    Fix the spurious "Error: nil" messages. Also add some more context to logged error messages which makes error sources more obvious.

    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #10734 from mgoltzsche/fix-dns-detection (OpenShift Merge Robot, 2021-06-21)

  Fix systemd-resolved detection.

  * Fix systemd-resolved detection. (Max Goltzsche, 2021-06-20)

    Previously podman failed when run in an environment where 127.0.0.53 is the only nameserver but systemd-resolved is not used directly. In practice this happened when podman was run within an alpine container that used the host's network and the host was running systemd-resolved.

    This fix makes podman ignore a file not found error when reading /run/systemd/resolve/resolv.conf.

    Closes #10733

    [NO TESTS NEEDED]

    Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
* fix systemcontext to use correct TMPDIR (Daniel J Walsh, 2021-06-18)

  Users are complaining about read/only /var/tmp failing even if TMPDIR=/tmp is set.

  This PR Fixes: https://github.com/containers/podman/issues/10698

  [NO TESTS NEEDED] No way to test this.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #10683 from Luap99/exec-resize (OpenShift Merge Robot, 2021-06-16)

  Fix resize race with podman exec -it

  * Fix resize race with podman exec -it (Paul Holzinger, 2021-06-16)

    When starting a process with `podman exec -it` the terminal is resized after the process is started. To fix this allow exec start to accept the terminal height and width as parameter and let it resize right before the process is started.

    Fixes #10560

    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #10684 from Luap99/slirp-hosts (OpenShift Merge Robot, 2021-06-16)

  add correct slirp ip to /etc/hosts

  * add correct slirp ip to /etc/hosts (Paul Holzinger, 2021-06-15)

    The container name should have the slirp interface ip set in /etc/hosts and not the gateway ip. Commit c8dfcce6db0a introduced this regression.

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1972073

    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Fix permissions on initially created named volumes (Daniel J Walsh, 2021-06-14)

  Permission of volume should match the directory it is being mounted on.

  Fixes: https://github.com/containers/podman/issues/10188

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #10635 from adrianreber/2021-06-04-privileged (OpenShift Merge Robot, 2021-06-12)

  Fix restoring of privileged containers

  * Fix restoring of privileged containers (Adrian Reber, 2021-06-10)

    Checkpointed containers started with --privileged fail during restore with:

    Error: error creating container storage: ProcessLabel and Mountlabel must either not be specified or both specified

    This commit fixes it by not setting the labels when restoring a privileged container.

    [NO TESTS NEEDED]

    Signed-off-by: Adrian Reber <areber@redhat.com>
* Merge pull request #10654 from Luap99/net-connect (OpenShift Merge Robot, 2021-06-12)

  Fix network connect race with docker-compose

  * Fix network connect race with docker-compose (Paul Holzinger, 2021-06-11)

    Network connect/disconnect has to call the cni plugins when the network namespace is already configured. This is the case for `ContainerStateRunning` and `ContainerStateCreated`. This is important, otherwise the network is not attached to this network namespace and libpod will throw errors like `network inspection mismatch...`

    This problem happened when using `docker-compose up` in attached mode.

    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #10405 from mheon/always_cleanup_exec (OpenShift Merge Robot, 2021-06-11)

  Always spawn a cleanup process with exec

  * Add ExecDied event and use it to retrieve exit codes (Matthew Heon, 2021-06-10)

    When making Exec Cleanup processes mandatory, I introduced a race wherein attached exec sessions could be cleaned up and removed by the cleanup process before the frontend had a chance to get their exit code. Fortunately, we've dealt with this issue before in containers, and the same solution can be applied here. I added an event for an exec session's process exiting, `exec_died` (Docker has an identical event, so this actually improves our compatibility there) that includes the exit code of the exec session. If the race happens and the exec session no longer exists when we go to remove it, pick up exit code from the event and exit cleanly.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Always spawn a cleanup process with exec (Matthew Heon, 2021-06-10)

    We were previously only doing this for detached exec. I don't know why we did that, but I don't see any reason not to extend it to all exec sessions - it guarantees that we will always clean up exec sessions, even if the original `podman exec` process died.

    [NO TESTS NEEDED] because I don't really know how to test this one.

    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #10638 from Luap99/volume (OpenShift Merge Robot, 2021-06-11)

  Fix volumes with uid and gid options

  * Fix volumes with uid and gid options (Paul Holzinger, 2021-06-11)

    Podman uses the volume option map to check if it has to mount the volume or not when the container is started. Commit 28138dafcc39 added the uid and gid options to this map, however when only uid/gid is set we cannot mount this volume because there is no filesystem or device specified. Make sure we do not try to mount the volume when only the uid/gid option is set since this is a simple chown operation.

    Also when a uid/gid is explicitly set, do not chown the volume based on the container user when the volume is used for the first time.

    Fixes #10620

    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #10609 from giuseppe/ignore-named-hierarchies (OpenShift Merge Robot, 2021-06-10)

  container: ignore named hierarchies

  * container: ignore named hierarchies (Giuseppe Scrivano, 2021-06-10)

    when looking up the container cgroup, ignore named hierarchies since containers running systemd as payload will create a sub-cgroup and move themselves there.

    Closes: https://github.com/containers/podman/issues/10602

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Fix pre-checkpointing (Adrian Reber, 2021-06-10)

  Unfortunately --pre-checkpointing never worked as intended and recent changes to runc have shown that it is broken.

  To create a pre-checkpoint CRIU expects the paths between the pre-checkpoints to be a relative path. If having a previous checkpoint it needs to be referenced like this: --prev-images-dir ../parent

  Unfortunately Podman was giving runc (and CRIU) an absolute path. Unfortunately, again, until March 2021 CRIU silently ignored if the path was not relative and switched back to normal checkpointing. This has been now fixed in CRIU and runc and running pre-checkpoint with the latest runc fails, because runc already sees that the path is absolute and returns an error.

  This commit fixes this by giving runc a relative path.

  This commit also fixes a second pre-checkpointing error which was just recently introduced.

  So summarizing: pre-checkpointing never worked correctly because CRIU ignored wrong parameters and recent changes broke it even more. Now both errors should be fixed.

  [NO TESTS NEEDED]

  Signed-off-by: Adrian Reber <areber@redhat.com>
  Signed-off-by: Adrian Reber <adrian@lisas.de>
* Merge pull request #10600 from vrothberg/fix-10596 (OpenShift Merge Robot, 2021-06-08)

  logs: k8s-file: fix race

  * logs: k8s-file: fix race (Valentin Rothberg, 2021-06-08)

    Fix a race in the k8s-file logs driver. When "following" the logs, Podman will print the container's logs until the end. Previously, Podman logged until the state transitioned into something non-running which opened up a race with the container still running, possibly in the "stopping" state.

    To fix the race, log until we've seen the wait event for the specific container. In that case, conmon will have finished writing all logs to the file, and Podman will read it until EOF.

    Further tweak the integration tests for testing `logs -f` on a running container. Previously, the test only checked for one of two lines stating that there was a race. Indeed the race was in using `run --rm` where a log file may be removed before we could fully read it.

    Fixes: #10596

    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Improve systemd-resolved detection (Paul Holzinger, 2021-06-08)

  When 127.0.0.53 is the only nameserver in /etc/resolv.conf assume systemd-resolved is used. This is better because /etc/resolv.conf does not have to be symlinked to /run/systemd/resolve/stub-resolv.conf in order to use systemd-resolved.

  [NO TESTS NEEDED]

  Fixes: #10570

  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Add parameter to specify checkpoint archive compression (Adrian Reber, 2021-06-07)

  The checkpoint archive compression was hardcoded to `archive.Gzip`. There have been requests to make the used compression algorithm selectable. There was especially the request to not compress the checkpoint archive to be able to create faster checkpoints when not compressing it.

  This also changes the default from `gzip` to `zstd`. This change should not break anything as the restore code path automatically handles whatever compression the user provides during restore.

  Signed-off-by: Adrian Reber <areber@redhat.com>
* add ipv6 nameservers only when the container has ipv6 enabled (Paul Holzinger, 2021-06-03)

  The container's /etc/resolv.conf always preserved the ipv6 nameservers from the host even when the container did not support ipv6. Check if the cni result contains an ipv6 address or slirp4netns has ipv6 support enabled and only add the ipv6 nameservers when this is the case.

  The test needs to have an ipv6 nameserver in the host's /etc/hosts but we should never mess with this file on the host. Therefore the test is skipped when no ipv6 is detected.

  Fixes #10158

  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #10514 from vrothberg/fix-10507 (OpenShift Merge Robot, 2021-06-02)

  events: support disjunctive filters

  * events: support disjunctive filters (Valentin Rothberg, 2021-06-02)

    While different filters are applied in conjunction, the same filter (but with different values) should be applied in disjunction. This allows, for instance, to query the events of two containers.

    Fixes: #10507

    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Enable port forwarding on host (Brent Baude, 2021-06-01)

  Using the gvproxy application on the host, we can now port forward from the machine vm on the host. It requires that 'gvproxy' be installed in an executable location. gvproxy can be found in the containers/gvisor-tap-vsock github repo.

  [NO TESTS NEEDED]

  Signed-off-by: Brent Baude <bbaude@redhat.com>
* create libimage-events channel in main routine (Valentin Rothberg, 2021-05-27)

  Move the creation of the channel outside of the sub-routine to fix a data race between writing the channel (implicitly by calling EventChannel()) and using that channel in libimage.

  [NO TESTS NEEDED]

  Fixes: #10459

  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #10476 from mheon/ensure_exists_on_remove (OpenShift Merge Robot, 2021-05-27)

  Ensure that container still exists when removing

  * Ensure that container still exists when removing (Matthew Heon, 2021-05-26)

    After #8906, there is a potential race condition in container removal of running containers with `--rm`. Running containers must first be stopped, which was changed to unlock the container to allow commands like `podman ps` to continue to run while stopping; however, this also means that the cleanup process can potentially run before we re-lock, and remove the container from under us, resulting in error messages from `podman rm`. The end result is unchanged, the container is still cleanly removed, but the `podman rm` command will seem to have failed.

    Work around this by pinging the database after we stop the container to make sure it still exists. If it doesn't, our job is done and we can exit cleanly.

    Signed-off-by: Matthew Heon <mheon@redhat.com>