summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* libpod: improve check to create conmon cgroupGiuseppe Scrivano2022-06-15
| | | | | | | | | | | | | | | | | | | | commit 1951ff168a63157fa2f4711fde283edfc4981ed3 introduced a check so that conmon is not moved to a new cgroup when podman is running inside of a systemd service. This is helpful to integrate podman in systemd so that the spawned conmon lives in the same cgroup as the service that created it. Unfortunately this breaks when podman daemon is running in a systemd service since the same check is in place thus all the conmon processes end up in the same cgroup as the podman daemon. When the podman daemon systemd service stops the conmon processes are also terminated as well as the containers they monitor. Improve the check to exclude podman running as a daemon. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2052697 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #14220 from Luap99/resolvconfOpenShift Merge Robot2022-06-07
|\ | | | | use resolvconf package from c/common/libnetwork
| * use resolvconf package from c/common/libnetworkPaul Holzinger2022-06-07
| | | | | | | | | | | | | | | | | | | | | | | | | | Podman and Buildah should use the same code the generate the resolv.conf file. This mostly moved the podman code into c/common and created a better API for it so buildah can use it as well. [NO NEW TESTS NEEDED] All existing tests should continue to pass. Fixes #13599 (There is no way to test this in CI without breaking the hosts resolv.conf) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #14483 from ↵OpenShift Merge Robot2022-06-07
|\ \ | | | | | | | | | | | | jakecorrenti/restart-privelaged-containers-after-host-device-change Privileged containers can now restart if the host devices change
| * | Privileged containers can now restart if the host devices changeJake Correnti2022-06-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If a privileged container is running, stops, and the devices on the host change, such as a USB device is unplugged, then a container would no longer start. Previously, the devices from the host were only being added to the container once: when the container was created. Now, this happens every time the container starts. I did this by adding a boolean to the container config that indicates whether to mount all of the devices or not, which can be set via an option. During spec generation, if the `MountAllDevices` option is set in the container config, all host devices are added to the container. Additionally, a couple of functions from `pkg/specgen/generate/config_linux.go` were moved into `pkg/util/utils_linux.go` as they were needed in multiple packages. Closes #13899 Signed-off-by: Jake Correnti <jcorrenti13@gmail.com>
* | | libpod: store network status when userns is usedPaul Holzinger2022-06-07
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a container with a userns is created the network setup is special. Normally the netns is setup before the oci runtime container is created, however with a userns the container is created first and then the network is setup. In the second case we never saved the container state afterwards. Because of it, podman inspect would not show the network info and network teardown will not happen. This worked with local podman because there was a save() call later in the code path which then also saved the network status. But in the podman API code path this save never happened thus all containers started via API had this problem. Fixes #14465 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #14499 from giuseppe/make-error-clearerOpenShift Merge Robot2022-06-07
|\ \ | | | | | | runtime: make error clearer
| * | runtime: make error clearerGiuseppe Scrivano2022-06-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | make the error clearer and state that images created by other tools might not be visible to Podman when it overrides the graph driver. Closes: https://github.com/containers/podman/issues/13970 [NO NEW TESTS NEEDED] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | overlay-volumes: add support for non-volatile upperdir,workdir for anonymous ↵Aditya R2022-06-06
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | volumes Similar feature was added for named overlay volumes here: https://github.com/containers/podman/pull/12712 Following PR just mimics similar feature for anonymous volumes. Often users want their anonymous overlayed volumes to be `non-volatile` in nature that means that same `upper` dir can be re-used by one or more containers but overall of nature of volumes still have to be overlay so work done is still on a overlay not on the actual volume. Following PR adds support for more advanced options i.e custom `workdir` and `upperdir` for overlayed volumes. So that users can re-use `workdir` and `upperdir` across new containers as well. Usage ```console podman run -it -v /some/path:/data:O,upperdir=/path/persistant/upper,workdir=/path/persistant/work alpine sh ``` Signed-off-by: Aditya R <arajan@redhat.com>
* | Merge pull request #14477 from Luap99/partial-logsOpenShift Merge Robot2022-06-03
|\ \ | | | | | | podman logs k8s-file: do not reassemble partial log lines
| * | podman logs k8s-file: do not reassemble partial log linesPaul Holzinger2022-06-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The backend should not convert partial lines to full log lines. While this works for most cases it cannot work when the last line is partial since it will just be lost. The frontend logic can already display partial lines correctly. The journald driver also works correctly since it does not such conversion. Fixes #14458 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #14466 from mheon/fix_9075OpenShift Merge Robot2022-06-03
|\ \ \ | |/ / |/| | Improve robustness of `podman system reset`
| * | Improve robustness of `podman system reset`Matthew Heon2022-06-03
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Firstly, reset is now managed by the runtime itself as a part of initialization. This ensures that it can be used even with runtimes that would otherwise fail to be created - most notably, when the user has changed a core path (runroot/root/tmpdir/staticdir). Secondly, we now attempt a best-effort removal even if the store completely fails to be configured. Third, we now hold the alive lock for the entire reset operation. This ensures that no other Podman process can start while we are running a system reset, and removes any possibility of a race where a user tries to create containers or pull images while we are trying to perform a reset. [NO NEW TESTS NEEDED] we do not test reset last I checked. Fixes #9075 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #14384 from mheon/move_attachOpenShift Merge Robot2022-06-02
|\ \ | | | | | | Move Attach under the OCI Runtime interface
| * | Move Attach under the OCI Runtime interfaceMatthew Heon2022-05-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With conmon-rs on the horizon, we need to disentangle Libpod from legacy Conmon to the greatest extent possible. There are definitely opportunities for codesharing between the two, but we have to assume the implementations will be largely disjoint given the different architectures. Fortunately, most of the work has already been done in the past. The conmon-managed OCI runtime mostly sits behind an interface, with a few exceptions - the most notable of those being attach. This PR thus moves Attach behind the interface, to ensure that we can have attach implementations that don't use our existing unix socket streaming if necessary. Still to-do is conmon cleanup. There's a lot of code that removes Conmon-specific files, or kills the Conmon PID, and all of it will need to be refactored behind the interface. [NO NEW TESTS NEEDED] Just moving some things around. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #14395 from vrothberg/healthcheck-fixOpenShift Merge Robot2022-06-02
|\ \ \ | | | | | | | | healthcheck: wait for systemd operations
| * | | healthcheck: wait for systemd operationsValentin Rothberg2022-05-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make sure to wait for the systemd operations to finish when starting/stopping healtcheck timers and services. Also make sure to stop the timer before the service to avoid a race with the timer. [NO NEW TESTS NEEDED] since it is a non-functional change and existing tests are expected to pass. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | | | Merge pull request #14421 from Luap99/statsOpenShift Merge Robot2022-06-02
|\ \ \ \ | |_|_|/ |/| | | podman stats: work with network connect/disconnect
| * | | podman stats: work with network connect/disconnectPaul Holzinger2022-05-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Hardcoding the interface name is a bad idea. We have no control over the actual interface name since the user can change it. The correct thing is to read them from the network status. Since the contianer can have more than one interface we have to add the RX/TX values. The other values are currently not used. For podman 5.0 we should change it so that the API can return the statistics per interface and the client should sum the TX/RX for the command output. This is what docker is doing. Fixes #13824 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | | fix podman container restore without CreateNetNSPaul Holzinger2022-05-31
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a container does not use the default podman netns, for example --network none or --network ns:/path a restore would fail because the specgen check validates that c.config.StaticMAC is nil but the unmarshaller sets it to an empty slice. While we could make the check use len() > 0 I feel like it is more common to check with != nil for ip and mac addresses. Adding omitempty tag makes the json marshal/unmarshal work correctly. This should not cause any issues. Fixes #14389 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #14383 from jwhonce/wip/info_todoOpenShift Merge Robot2022-05-27
|\ \ \ | | | | | | | | Add Authorization field to Plugins for Info
| * | | Refactor populating uptimeJhon Honce2022-05-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Refactor populating uptime field to use standard library parsing and math for populating the hour, minute, seconds fields. Note: the go-humanize package does not cover time.Duration just time.time. ```release-note NONE ``` [NO NEW TESTS NEEDED] Signed-off-by: Jhon Honce <jhonce@redhat.com>
| * | | Add Authorixation field to Plugins for InfoJhon Honce2022-05-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The Authorization field lists the plugins for granting access to the Docker daemon. This field will always be nil for Podman as there is no daemon. The field is included for compatibility. ```release-note NONE ``` [NO NEW TESTS NEEDED] Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | Add API support for NoOverwriteDirNonDirJhon Honce2022-05-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update method signatures and structs to pass option to buildah code ```release-note NONE ``` [NO NEW TESTS NEEDED] Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | Fix swagger model of `InspectPodResponse`Jakob Ahrer2022-05-26
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | `net.IP` gets marshalled as `string` and not `[]uint8` [NO TESTS NEEDED] [NO NEW TESTS NEEDED] Signed-off-by: Jakob Ahrer <jakob@ahrer.dev>
* | | Merge pull request #14369 from mheon/fixmes_2OpenShift Merge Robot2022-05-26
|\ \ \ | | | | | | | | Remove more FIXMEs
| * | | Remove more FIXMEsMatthew Heon2022-05-25
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | Mostly, just removing the comments. These either have been done, or are no longer a good idea. No code changes. [NO NEW TESTS NEEDED] as such. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* / | First batch of resolutions to FIXMEsMatthew Heon2022-05-25
|/ / | | | | | | | | | | | | | | | | Most of these are no longer relevant, just drop the comments. Most notable change: allow `podman kill` on paused containers. Works just fine when I test it. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #14358 from vrothberg/todo-part-2OpenShift Merge Robot2022-05-25
|\ \ | |/ |/| Todo part 2
| * libpod/pod_top_linux.go: s/TODO/NOTE/Valentin Rothberg2022-05-25
| | | | | | | | | | | | As it really is a note and not a TODO item. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
| * events: drop TODO commentValentin Rothberg2022-05-25
| | | | | | | | | | | | | | We can evaluate a solution in case adding more events really turns into a problem. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | Merge pull request #14308 from n1hility/root-cgroupOpenShift Merge Robot2022-05-25
|\ \ | | | | | | Support running podman under a root v2 cgroup
| * | Support running podman under a root v2 cgroupJason T. Greene2022-05-21
| | | | | | | | | | | | Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
* | | work queue: simplify and use a wait groupValentin Rothberg2022-05-25
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Simplify the work-queue implementation by using a wait group. Once all queued work items are done, the channel can be closed. The system tests revealed a flake (i.e., #14351) which indicated that the service container does not always get stopped which suggests a race condition when queuing items. Those items are queued in a goroutine to prevent potential dead locks if the queue ever filled up too quickly. The race condition in question is that if a work item queues another, the goroutine for queuing may not be scheduled fast enough and the runtime shuts down; it seems to happen fairly easily on the slow CI machines. The wait group fixes this race and allows for simplifying the code. Also increase the queue's buffer size to 10 to make things slightly faster. [NO NEW TESTS NEEDED] as we are fixing a flake. Fixes: #14351 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | Merge pull request #14327 from rhatdan/commonOpenShift Merge Robot2022-05-24
|\ \ | | | | | | Use containers/common/pkg/util.StringToSlice
| * | Use containers/common/pkg/util.StringToSliceDaniel J Walsh2022-05-23
| | | | | | | | | | | | | | | | | | [NO NEW TESTS NEEDED] Just code cleanup for better reuse Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | contain_top_linux.go: s/TODO/NOTE/Valentin Rothberg2022-05-24
| | | | | | | | | | | | | | | | | | | | | Change the TODO note to NOTE to actually reflect what it is: breadcrumbs in case we want to add filtering the future. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | | Merge pull request #14321 from mheon/no_error_on_danglingOpenShift Merge Robot2022-05-23
|\ \ \ | |/ / |/| | Instead of erroring, clean up after dangling IDs in DB
| * | Instead of erroring, clean up after dangling IDs in DBMatthew Heon2022-05-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For various (mostly legacy) reasons, Podman presently maintains a unified namespace for pods and containers - IE, we cannot have both a pod and a container named "test" at the same time. To implement this, we use a global database table of every pod and container ID (and another of every pod and container name). These entries should be added when containers/pods are added, and removed when containers/pods are removed, with the database's transactional integrity providing a guarantee that this is batched with the overall removal and that the DB should remain sane and consistent no matter what. As such, we treat a dangling ID as a hard error that stops the use of Podman. Unfortunately, we have someone run into this last Friday. I'm still not certain how exactly their DB got into this state, but without further clarification there, we can consider removing the error and making Podman instead clean up and remove any dangling IDs, which should restore Podman to a serviceable state. Drop an error message if we do this, though, because people should know that the DB is in a bad state. [NO NEW TESTS NEEDED] it is deliberately impossible to produce a configuration that would test this without hex-editing the DB file. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #14281 from vrothberg/fix-14251OpenShift Merge Robot2022-05-23
|\ \ \ | | | | | | | | fix --init with /dev bind mount
| * | | fix --init with /dev bind mountValentin Rothberg2022-05-23
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | The init binary until now has been bind-mounted to /dev/init which breaks when bind-mounting to /dev. Instead mount the init to /run/podman-init. The reasoning for using /run is that it is already used for other runtime data such as secrets. Fixes: #14251 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* / | auto update: create an eventValentin Rothberg2022-05-23
|/ / | | | | | | | | | | | | | | | | Create an auto-update event for each invocation, independent if images and containers are updated or not. Those events will be indicated in the events already but users will now know why. Fixes: #14283 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | Merge pull request #14272 from Luap99/completion2OpenShift Merge Robot2022-05-19
|\ \ | | | | | | shell completion: use more constants in the code
| * | shell completion: fix podman event --filter valuesPaul Holzinger2022-05-19
| | | | | | | | | | | | | | | | | | | | | | | | The completion suggested incorrect values for `podman events --filter type=` . It should only list types not the event status. Also make sure to use the constants instead of duplicating the strings. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | linter: enable unconvert linterValentin Rothberg2022-05-19
| | | | | | | | | | | | | | | | | | | | | Detects unneccessary type conversions and helps in keeping the code base cleaner. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | | Merge pull request #14256 from vrothberg/run-1287OpenShift Merge Robot2022-05-18
|\ \ \ | |/ / |/| | k8systemd: run k8s workloads in systemd
| * | k8systemd: run k8s workloads in systemdValentin Rothberg2022-05-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Support running `podman play kube` in systemd by exploiting the previously added "service containers". During `play kube`, a service container is started before all the pods and containers, and is stopped last. The service container communicates its conmon PID via sdnotify. Add a new systemd template to dispatch such k8s workloads. The argument of the template is the path to the k8s file. Note that the path must be escaped for systemd not to bark: Let's assume we have a `top.yaml` file in the home directory: ``` $ escaped=$(systemd-escape ~/top.yaml) $ systemctl --user start podman-play-kube@$escaped.service ``` Closes: https://issues.redhat.com/browse/RUN-1287 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | | Merge pull request #14258 from mheon/no_hard_error_on_exec_cleanupOpenShift Merge Robot2022-05-17
|\ \ \ | | | | | | | | Make errors on removing exec sessions nonfatal
| * | | Make errors on removing exec sessions nonfatalMatthew Heon2022-05-16
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Removing exec sessions is guaranteed to evict them from the DB, but in the case of a zombie process (or similar) it may error and block removal of the container. A subsequent run of `podman rm` would succeed (because the exec sessions have been purged from the DB), which is potentially confusing to users. So let's just continue, instead of erroring out, if removing exec sessions fails. [NO NEW TESTS NEEDED] I wouldn't want to spawn a zombie in our test VMs even if I could. Fixes #14252 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #14255 from hiredman/pr-for-14249OpenShift Merge Robot2022-05-17
|\ \ \ | |/ / |/| | Don't complain about XDG_RUNTIME_DIR, Closes #1424