| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CRIU supports to leave processes running after checkpointing:
-R|--leave-running leave tasks in running state after checkpoint
runc also support to leave containers running after checkpointing:
--leave-running leave the process running after checkpointing
With this commit the support to leave a container running after
checkpointing is brought to Podman:
--leave-running, -R leave the container running after writing checkpoint to disk
Now it is possible to checkpoint a container at some point in time
without stopping the container. This can be used to rollback the
container to an early state:
$ podman run --tmpfs /tmp --name podman-criu-test -d docker://docker.io/yovfiatbeb/podman-criu-test
$ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample
3
$ podman container checkpoint -R -l
$ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample
4
$ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample
5
$ podman stop -l
$ podman container restore -l
$ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample
4
So after checkpointing the container kept running and was stopped after
some time. Restoring this container will restore the state right at the
checkpoint.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
|
|
|
|
|
|
|
|
| |
For upcoming changes to the Checkpoint() functions this commit switches
checkpoint options from a boolean to a struct, so that additional
options can be passed easily to Checkpoint() without changing the
function parameters all the time.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\
| |
| | |
Update metalinter dependency
|
| |
| |
| |
| |
| |
| | |
Addressing goconst warning: 3 other occurrence(s) of "Unknown" found
Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
|
| |
| |
| |
| |
| |
| |
| | |
Addressing:
ineffectual assignment to err (ineffassign)
Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Redefining err by := operator within block makes this err variable block local.
Addressing lint:
libpod/oci.go:368:3:warning: ineffectual assignment to err (ineffassign)
Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
| |
At scale, it appears that we sometimes hit the 1000ms timeout to create
the PID file when a container is created or executed.
Increasing the value to 60s should help when running a lot of containers
in heavy-loaded environment.
Related #1495
Fixes #1816
Signed-off-by: Emilien Macchi <emilien@redhat.com>
|
|\
| |
| | |
rm -f now removes a paused container
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We now can remove a paused container by sending it a kill signal while it
is paused. We then unpause the container and it is immediately killed.
Also, reworked how the parallelWorker results are handled to provide a
more consistent approach to how each subcommand implements it. It also
fixes a bug where if one container errors, the error message is duplicated
when printed out.
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \
| | |
| | | |
Accurately update state if prepare() partially fails
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
We are seeing some issues where, when part of prepare() fails
(originally noticed due to a bad static IP), the other half does
not successfully clean up, and the state can be left in a bad
place (not knowing about an active SHM mount for example).
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add a rootless field to the info data (e.g., `podman info`) to indicate
if the executing user is root or not. In most cases, this can be
guessed but now it is clear and may aid in debugging, reporting and
understanding certain issues.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
|
|\ \
| | |
| | | |
correct assignment of networkStatus
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
once we changed configureNetNS to return a result beyond an error,
we need to make sure that we used locals instead of ctr attributes
when determining networks.
Resolves #1752
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \
| |/
|/| |
Do not hide errors when creating container with UserNSRoot
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This one is tricky. By using `:=` operator we have made err variable to be local
in the gorutine and different from `err` variable in the surrounding function.
And thus `createContainer` function returned always nil, even in cases when
some error occurred in the gorutine.
Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
|
|\ \
| | |
| | | |
Don't fail if /etc/passwd or /etc/group does not exists
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Container images can be created without passwd or group file, currently
if one of these containers gets run with a --user flag the container blows
up complaining about t a missing /etc/passwd file.
We just need to check if the error on read is ENOEXIST then allow the
read to return, not fail.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
move defer'd function declaration ahead of prepare error return
|
| |/
| |
| |
| | |
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \
| | |
| | | |
Do not call out to runc for sync
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When we read the conmon error status file, if Atoi fails to parse
the string we read from the file as an int, print the string as
part of the error message so we know what might have gone wrong.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Instead of running a full sync after starting a container to pick
up its PID, grab it from Conmon instead.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When we scan a container in runc and see that it no longer
exists, we already set ContainerStatusExited to indicate that it
no longer exists in runc. Now, also set an exit code and exit
time, so PS output will make some sense.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When syncing container state, we normally call out to runc to see
the container's status. This does have significant performance
implications, though, and we've seen issues with large amounts of
runc processes being spawned.
This patch attempts to use stat calls on the container exit file
created by Conmon instead to sync state. This massively decreases
the cost of calling updateContainer (it has gone from an
almost-unconditional fork/exec of runc to a single stat call that
can be avoided in most states).
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
After stopping containers, we run updateContainerStatus to sync
our state with runc (pick up exit code, for example). Then we
proceed to not save this to the database, requiring us to grab it
again on the next sync. This should remove the need to read the
exit file more than once.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
|\ \
| | |
| | | |
Remove conmon cgroup before pod cgroup for cgroupfs
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
For pods using cgroupfs, we were seeing some error messages in CI
from an inability to remove the pod CGroup, which was traced down
to the conmon cgroup still being present as a child. Try to
remove these error messages and ensure successful CGroup deletion
by removing the conmon CGroup first, then the pod cgroup.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
|\ \
| | |
| | | |
rootless: don't bind mount /sys/fs/cgroup/systemd in systemd mode
|
| | |
| | |
| | |
| | |
| | |
| | | |
systemd requires /sys/fs/cgroup/systemd to be writeable.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |/
| |
| |
| |
| |
| |
| | |
it is not writeable by non-root users so there is no point in having
access to it from a container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|/
|
|
| |
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
|\
| |
| | |
Fix setting of version information
|
| |
| |
| |
| |
| |
| |
| | |
It was setting the wrong variable (CamelCase)
in the wrong module ("main", not "libpod")...
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
If for any reason slirp4netns fails at startup, podman waits
indefinitely. Check every second if the process is still running so
that we avoid to hang.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
attach: fix attach when cuid is too long
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
conmon creates a symlink to avoid using a too long UNIX path.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1641800
There is still one issue when the path length of the symlink has the
same length of the attach socket parent directory since conmon fails
to create the symlink, but that must be addressed in conmon first.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
get user and group information using securejoin and runc's user library
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
for the purposes of performance and security, we use securejoin to contstruct
the root fs's path so that symlinks are what they appear to be and no pointing
to something naughty.
then instead of chrooting to parse /etc/passwd|/etc/group, we now use the runc user/group
methods which saves us quite a bit of performance.
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \
| | |
| | | |
unmount: fix error logic
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
Only return `ErrCtrStateInvalid` errors when the mount counter is equal
to 1. Also fix the "can't unmount [...] last mount[..]" error which
hasn't been returned when the error passed to `errors.Errorf()` is nil.
Fixes: #1695
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
|
|/
|
|
|
|
| |
Only changed libpod.conf file, which might not even be in use.
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
|
|\
| |
| | |
run performance improvements
|
| |
| |
| |
| |
| |
| |
| | |
run prepare() -- which consists of creating a network namespace and
mounting the container image is now run in parallel. This saves 25-40ms.
Signed-off-by: baude <bbaude@redhat.com>
|
|/
|
|
|
|
|
|
|
|
| |
We implement the securejoin method to make sure the paths to /etc/passwd and
/etc/group are not symlinks to something naughty or outside the container
image. And then instead of actually chrooting, we use the runc functions to
get information about a user. The net result is increased security and
a a performance gain from 41ms to 100us.
Signed-off-by: baude <bbaude@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
prevent opening the same file twice, since we re-exec podman in
rootless mode. While at it, also solve a possible race between the
check for the file and writing to it. Another process could have
created the file in the meanwhile and we would just end up overwriting
it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
|
|
| |
when reading the output from conmon using the JSON methods, it appears that
JSON marshalling is higher in pprof than it really is because the pipe is
"waiting" for a response. this gives us a clearer look at the real CPU/time
consumers.
Signed-off-by: baude <bbaude@redhat.com>
|