summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* network db: add new strucutre to container createPaul Holzinger2021-12-14
| | | | | | | | | | Make sure we create new containers in the db with the correct structure. Also remove some unneeded code for alias handling. We no longer need this functions. The specgen format has not been changed for now. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* remove unneeded return value from c.Networks()Paul Holzinger2021-12-14
| | | | | | We do not need to return a extra bool. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* network db rewrite: migrate existing settingsPaul Holzinger2021-12-14
| | | | | | | | | | | | | | The new network db structure stores everything in the networks bucket. Previously some network settings were not written the the network bucket and only stored in the container config. Instead of the old format which used the container ID as value in the networks buckets we now use the PerNetworkoptions struct there. To migrate existing users we use the state.GetNetworks() function. If it fails to read the new format it will automatically migrate the old config format to the new one. This is allows a flawless migration path. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* inotify: make sure to remove filesValentin Rothberg2021-12-09
| | | | | | | | | | | | | | | | Issue #11825 suggests that *rootless* Podman can run into situations where too many inotify fds are open. Indeed, rootless Podman has a slightly higher usage of inotify watchers than the root counterpart when using slirp4netns Make sure to not only close all watchers but to also remove the files from being watched. Otherwise, the fds only get closed when the files are removed. [NO NEW TESTS NEEDED] since we don't have a way to test it. Fixes: #11825 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12524 from Luap99/resolve-symlinkOpenShift Merge Robot2021-12-07
|\ | | | | rootless netns: resolve all path components for resolv.conf
| * rootless netns: resolve all path components for resolv.confPaul Holzinger2021-12-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We need to follow all symlinks in the /etc/resolv.conf path. Currently we would only check the last file but it is possible that any directory before that is also a link. Unfortunately this code is very hard to maintain and not well tested. I will try to come up with a unit test when I have more time. I think we could utilize some for of chroot for this. For now we are stucked with the default setup in the fedora/ubunutu test VMs. [NO NEW TESTS NEEDED] Fixes #12461 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #12498 from rhatdan/cgroupsOpenShift Merge Robot2021-12-07
|\ \ | | | | | | Update vendor or containers/common moving pkg/cgroups there
| * | Update vendor or containers/common moving pkg/cgroups thereDaniel J Walsh2021-12-07
| |/ | | | | | | | | | | | | [NO NEW TESTS NEEDED] This is just moving pkg/cgroups out so existing tests should be fine. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / volume: apply exact permission of target directory without adding extra 0111Aditya Rajan2021-12-07
|/ | | | | | | | While trying to match permissions of target directory podman adds extra `0111` which should not be needed if target path does not have execute permission. Signed-off-by: Aditya Rajan <arajan@redhat.com>
* Merge pull request #12365 from mtrmac/randomOpenShift Merge Robot2021-12-02
|\ | | | | Don't use a global RNG, and avoid conflicts, when generating NodePorts
| * Ensure the generated NodePort values are uniqueMiloslav Trmač2021-11-30
| | | | | | | | | | | | | | | | | | | | | | ... at least within a single service. [NO NEW TESTS NEEDED] because testing RNGs is problematic. (We _could_ probably inject a mock RNG implementation that always returns the same value, or something like that.) Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Allow containerPortsToServicePorts to failMiloslav Trmač2021-11-30
| | | | | | | | | | | | | | | | Add an error return to it and affected callers. Should not affect behavior, the function can't currently fail. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Don't use the global math/rand RNG for service portsMiloslav Trmač2021-11-30
| | | | | | | | | | | | | | | | | | | | Use a private RNG with the desired seed, don't interfere with the other uses. Introducing the servicePortState type is rather overkill for the single member, but we'll add another one immediately. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Move a comment to the relevant placeMiloslav Trmač2021-11-30
| | | | | | | | Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | Merge pull request #12469 from Luap99/ns-teardown-flakeOpenShift Merge Robot2021-12-02
|\ \ | | | | | | Fix possible rootless netns cleanup race
| * | Fix possible rootless netns cleanup racePaul Holzinger2021-12-01
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | rootlessNetNS.Cleanup() has an issue with how it detects if cleanup is needed, reading the container state is not good ebough because containers are first stopped and than cleanup will be called. So at one time two containers could wait for cleanup but the second one will fail because the first one triggered already the cleanup thus making rootless netns unavailable for the second container resulting in an teardown error. Instead of checking the container state we need to check the netns state. Secondly, podman unshare --rootless-netns should not do the cleanup. This causes more issues than it is worth fixing. Users also might want to use this to setup the namespace in a special way. If unshare also cleans this up right away we cannot do this. [NO NEW TESTS NEEDED] Fixes #12459 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #12464 from giuseppe/fix-race-reading-cgroup-fileOpenShift Merge Robot2021-12-01
|\ \ | | | | | | container, cgroup: detect pid termination
| * | container, cgroup: detect pid terminationGiuseppe Scrivano2021-12-01
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | If the /proc/$PID/cgroup file doesn't exist, then it is likely the container was terminated in the meanwhile so report ErrCtrStopped that is already handled instead of ENOENT. commit a66f40b4df039e94572fa38c070207a435cfa466 introduced the regression. Closes: https://github.com/containers/podman/issues/12457 [NO NEW TESTS NEEDED] it solves a race in the CI that is difficult to reproduce. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / top: parse ps(1) args correctlyValentin Rothberg2021-12-01
|/ | | | | | | The arguments of ps(1) should be shlexed. Fixes: #12452 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12406 from Luap99/xdg-checkpointOpenShift Merge Robot2021-11-25
|\ | | | | checkpoint do not modify XDG_RUNTIME_DIR
| * checkpoint do not modify XDG_RUNTIME_DIRPaul Holzinger2021-11-24
| | | | | | | | | | | | | | | | | | | | We should not modify the XDG_RUNTIME_DIR env value during runtime of libpod, this can cause hard to find bugs. Only set it for the OCI runtime, this matches the other commands such as start, stop, kill... [NO NEW TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #12403 from giuseppe/improve-cgroup-detectionOpenShift Merge Robot2021-11-25
|\ \ | |/ |/| libpod: improve heuristic to detect cgroup
| * libpod: improve heuristic to detect cgroupGiuseppe Scrivano2021-11-24
| | | | | | | | | | | | | | | | | | | | | | improve the heuristic to detect the scope that was created for the container. This is necessary with systemd running as PID 1, since it moves itself to a different sub-cgroup, thus stats would not account for other processes in the same container. Closes: https://github.com/containers/podman/issues/12400 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * libpod, inspect: export cgroup pathGiuseppe Scrivano2021-11-24
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * stats: get the memory limit from the specGiuseppe Scrivano2021-11-24
| | | | | | | | | | | | | | | | | | | | OCI runtimes may set the memory limits in different ways, e.g., crun creates a sub-cgroup where the limits are applied, while runc applies them directly on the created cgroup. Since there is standardization on the cgroup path to use, just use the limit specified in the spec file. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | libpod: leave thread locked on errorsGiuseppe Scrivano2021-11-24
|/ | | | | | | | | | if the SELinux label could not be restored correctly, leave the OS thread locked so that it is terminated once it returns to the threads pool. [NO NEW TESTS NEEDED] the failure is hard to reproduce Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Unset SocketLabel after system finishes checkpointingDaniel J Walsh2021-11-23
| | | | | | | | | | | | This should fix the SELinux issue we are seeing with talking to /run/systemd/private. Fixes: https://github.com/containers/podman/issues/12362 Also unset the XDG_RUNTIME_DIR if set, since we don't know when running as a service if this will cause issue.s Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Warn on failing to update container statusMatthew Heon2021-11-23
| | | | | | | | | | | | | failed to send a signal to the container's PID1, but ignored the results of that update. That's generally bad practice, since even if we can't directly take action on an error, we should still make an effort to report it for debugging purposes. I used Infof instead of something more serious to avoid duplicate reporting to the user if something has gone seriously wrong. [NO NEW TESTS NEEDED] this is just adding additional error reporting. Signed-off-by: Matthew Heon <mheon@redhat.com>
* oci: ack crun output when container is not thereAditya Rajan2021-11-23
| | | | | | | | | `crun status ctrid` outputs `No such file or directory` when container is not there so podman much ack it. [NO NEW TESTS NEEDED] Signed-off-by: Aditya Rajan <arajan@redhat.com>
* oci: exit gracefully if container is already deadAditya Rajan2021-11-23
| | | | | | | | | | While trying to kill a container with a `signal` we cant do anything if container is already dead so `exit` gracefully instead of trying to delete container again. Get container status from runtime. [ NO NEW TESTS NEEDED ] Signed-off-by: Aditya Rajan <arajan@redhat.com>
* Merge pull request #12386 from baude/playkuberenameDaniel J Walsh2021-11-22
|\ | | | | Rename pod on generate of container
| * Rename pod on generate of containerBrent Baude2021-11-22
| | | | | | | | | | | | | | | | | | When generating kube of a container, the podname and container name in the yaml are identical. This offends rules in podman where pods and containers cannot have the same name. We now append _pod to the podname to avoid that collision. Signed-off-by: Brent Baude <bbaude@redhat.com>
* | Fix netavark error handling and teardown issuePaul Holzinger2021-11-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The return error was not returned by podman , instead a different error was created. Also make sure to free assigned ips on an error to not leak them. Lastly podman container cleanup uses the default network backend instead of the provided one, we need to add `--network-backend` to the exit command. [NO NEW TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Force iptables driver for netavark testsPaul Holzinger2021-11-19
| | | | | | | | | | | | | | | | Firewalld cannot be used because it can connect to the dbus api but talks to firewalld in the host namespace. This will affact your host badly and also causes tests to fail. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Make sure netavark output is logged to the syslogPaul Holzinger2021-11-19
|/ | | | | | | Create a custom writer which logs the netavark output to logrus. This will log to the syslog when it is enabled. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #12174 from ↵OpenShift Merge Robot2021-11-19
|\ | | | | | | | | fgimenez/fix-docker-networksettings-type-discrepancy Introduces Address type to be used in secondary IPv4 and IPv6 inspect data structure
| * Introduce Address type to be used in secondary IPv4 and IPv6 inspect dataFederico Gimenez2021-11-18
| | | | | | | | | | | | | | | | | | | | | | | | structure. Resolves a discrepancy between the types used in inspect for docker and podman. This causes a panic when using the docker client against podman when the secondary IP fields in the `NetworkSettings` inspect field are populated. Fixes containers#12165 Signed-off-by: Federico Gimenez <fgimenez@redhat.com>
* | Merge pull request #12354 from Luap99/exit-commandOpenShift Merge Robot2021-11-18
|\ \ | | | | | | Do not store the exit command in container config
| * | Do not store the exit command in container configPaul Holzinger2021-11-18
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There is a problem with creating and storing the exit command when the container was created. It only contains the options the container was created with but NOT the options the container is started with. One example would be a CNI network config. If I start a container once, then change the cni config dir with `--cni-config-dir` ans start it a second time it will start successfully. However the exit command still contains the wrong `--cni-config-dir` because it was not updated. To fix this we do not want to store the exit command at all. Instead we create it every time the conmon process for the container is startet. This guarantees us that the container cleanup process is startet with the correct settings. [NO NEW TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #12348 from Luap99/rootless-netnsOpenShift Merge Robot2021-11-18
|\ \ | | | | | | rootless netns, one netns per libpod tmp dir
| * | rootless netns, one netns per libpod tmp dirPaul Holzinger2021-11-18
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The netns cleanup code is checking if there are running containers, this can fail if you run several libpod instances with diffrent root/runroot. To fix it we use one netns for each libpod instances. To prevent name conflicts we use a hash from the static dir as part of the name. Previously this worked because we would use the CNI files to check if the netns was still in use. but this is no longer possible with netavark. [NO NEW TESTS NEEDED] Fixes #12306 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* / Add --file-locks checkpoint/restore optionRadostin Stoyanov2021-11-18
|/ | | | | | | | CRIU supports checkpoint/restore of file locks. This feature is required to checkpoint/restore containers running applications such as MySQL. Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
* rename libpod nettypes fieldsPaul Holzinger2021-11-16
| | | | | | | | | | Some field names are confusing. Change them so that they make more sense to the reader. Since these fields are only in the main branch we can safely rename them without worrying about backwards compatibility. Note we have to change the field names in netavark too. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #12100 from rhatdan/envOpenShift Merge Robot2021-11-16
|\ | | | | Add option --unsetenv to remove default environment variables
| * Add --unsetenv & --unsetenv-all to remove def environment variablesDaniel J Walsh2021-11-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman adds a few environment variables by default, and currently there is no way to get rid of them from your container. This option will allow you to specify which defaults you don't want. --unsetenv-all will remove all default environment variables. Default environment variables can come from podman builtin, containers.conf or from the container image. Fixes: https://github.com/containers/podman/issues/11836 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #12283 from Luap99/machine-portsOpenShift Merge Robot2021-11-16
|\ \ | | | | | | podman machine improve port forwarding
| * | podman machine improve port forwardingPaul Holzinger2021-11-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commits adds port forwarding logic directly into podman. The podman-machine cni plugin is no longer needed. The following new features are supported: - works with cni, netavark and slirp4netns - ports can use the hostIP to bind instead of hard coding 0.0.0.0 - gvproxy no longer listens on 0.0.0.0:7777 (requires a new gvproxy version) - support the udp protocol With this we no longer need podman-machine-cni and should remove it from the packaging. There is also a change to make sure we are backwards compatible with old config which include this plugin. Fixes #11528 Fixes #11728 [NO NEW TESTS NEEDED] We have no podman machine test at the moment. Please test this manually on your system. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #12294 from flouthoc/secret-mount-targetOpenShift Merge Robot2021-11-16
|\ \ \ | | | | | | | | secret: honor custom `target=` for secrets with `type=mount` for ctr.
| * | | secret: honor custom target for secrets with runAditya Rajan2021-11-15
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Honor custom `target` if specified while running or creating containers with secret `type=mount`. Example: `podman run -it --secret token,type=mount,target=TOKEN ubi8/ubi:latest bash` Signed-off-by: Aditya Rajan <arajan@redhat.com>
* | | Merge pull request #12285 from nalind/journal-follow-not-earlyOpenShift Merge Robot2021-11-15
|\ \ \ | |_|/ |/| | journald logs: keep reading until the journal's end