path: root/libpod
Commit message (author, age)
* Added option to keep containers running after checkpointing (Adrian Reber, 2018-11-20)

  CRIU supports leaving processes running after checkpointing:

    -R|--leave-running    leave tasks in running state after checkpoint

  runc also supports leaving containers running after checkpointing:

    --leave-running       leave the process running after checkpointing

  With this commit the support to leave a container running after checkpointing is brought to Podman:

    --leave-running, -R   leave the container running after writing checkpoint to disk

  Now it is possible to checkpoint a container at some point in time without stopping the container. This can be used to roll back the container to an earlier state:

    $ podman run --tmpfs /tmp --name podman-criu-test -d docker://docker.io/yovfiatbeb/podman-criu-test
    $ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample
    3
    $ podman container checkpoint -R -l
    $ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample
    4
    $ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample
    5
    $ podman stop -l
    $ podman container restore -l
    $ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample
    4

  So after checkpointing the container kept running and was stopped after some time. Restoring this container will restore the state right at the checkpoint.

  Signed-off-by: Adrian Reber <areber@redhat.com>
* Use a struct to pass options to Checkpoint() (Adrian Reber, 2018-11-20)

  For upcoming changes to the Checkpoint() functions this commit switches checkpoint options from a boolean to a struct, so that additional options can be passed easily to Checkpoint() without changing the function parameters all the time.

  Signed-off-by: Adrian Reber <areber@redhat.com>

* rootless: create libpod.conf when it doesn't exist (Giuseppe Scrivano, 2018-11-19)

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1756 from isimluk/update-dependent-metalinter (OpenShift Merge Robot, 2018-11-16)

  Update metalinter dependency

  * Lint: Extract constant unknownPackage (Šimon Lukašík, 2018-11-10)

    Addressing goconst warning: 3 other occurrence(s) of "Unknown" found

    Signed-off-by: Šimon Lukašík <slukasik@redhat.com>

  * Lint: Tests: add missing assertions (Šimon Lukašík, 2018-11-10)

    Addressing: ineffectual assignment to err (ineffassign)

    Signed-off-by: Šimon Lukašík <slukasik@redhat.com>

  * Lint: Do not ignore errors from docker run command when selinux enabled (Šimon Lukašík, 2018-11-10)

    Redefining err by := operator within block makes this err variable block local.

    Addressing lint: libpod/oci.go:368:3:warning: ineffectual assignment to err (ineffassign)

    Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
* Increase pidWaitTimeout to 60s (Emilien Macchi, 2018-11-15)

  At scale, it appears that we sometimes hit the 1000ms timeout to create the PID file when a container is created or executed. Increasing the value to 60s should help when running a lot of containers in a heavy-loaded environment.

  Related #1495
  Fixes #1816

  Signed-off-by: Emilien Macchi <emilien@redhat.com>
* Merge pull request #1772 from baude/rmdelpaused (OpenShift Merge Robot, 2018-11-09)

  rm -f now removes a paused container

  * rm -f now removes a paused container (baude, 2018-11-08)

    We now can remove a paused container by sending it a kill signal while it is paused. We then unpause the container and it is immediately killed.

    Also, reworked how the parallelWorker results are handled to provide a more consistent approach to how each subcommand implements it. It also fixes a bug where if one container errors, the error message is duplicated when printed out.

    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1789 from mheon/fix_add_hosts_test (OpenShift Merge Robot, 2018-11-09)

  Accurately update state if prepare() partially fails

  * Accurately update state if prepare() partially fails (Matthew Heon, 2018-11-08)

    We are seeing some issues where, when part of prepare() fails (originally noticed due to a bad static IP), the other half does not successfully clean up, and the state can be left in a bad place (not knowing about an active SHM mount for example).

    Signed-off-by: Matthew Heon <mheon@redhat.com>
* info: add rootless field (Valentin Rothberg, 2018-11-09)

  Add a rootless field to the info data (e.g., `podman info`) to indicate if the executing user is root or not. In most cases, this can be guessed but now it is clear and may aid in debugging, reporting and understanding certain issues.

  Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
* Merge pull request #1787 from baude/netstatusrework (OpenShift Merge Robot, 2018-11-08)

  correct assignment of networkStatus

  * correct assignment of networkStatus (baude, 2018-11-08)

    once we changed configureNetNS to return a result beyond an error, we need to make sure that we used locals instead of ctr attributes when determining networks.

    Resolves #1752

    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1790 from isimluk/beware-of-goroutine-locals (OpenShift Merge Robot, 2018-11-08)

  Do not hide errors when creating container with UserNSRoot

  * Do not hide errors when creating container with UserNSRoot (Šimon Lukašík, 2018-11-08)

    This one is tricky. By using `:=` operator we have made err variable to be local in the goroutine and different from `err` variable in the surrounding function. And thus `createContainer` function returned always nil, even in cases when some error occurred in the goroutine.

    Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
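The `:=` shadowing pitfall described in this commit message and in "Lint: Do not ignore errors from docker run command when selinux enabled" above is easy to reproduce. The following Go program is an added example, not code from libpod; `doWork`, `errWork` and the three `create*` functions are hypothetical stand-ins for the real `createContainer` path. `createShadowed` shows the bug (the function returns nil although the goroutine failed), `createFixed` shows the plain-assignment fix, and `createWithChannel` shows the shape that scales to several goroutines without sharing a variable at all.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// errWork is a constructed error standing in for whatever the real
// container-creation goroutine might fail with.
var errWork = errors.New("create failed inside goroutine")

// doWork is a hypothetical stand-in for the work the goroutine performs.
func doWork(fail bool) error {
	if fail {
		return errWork
	}
	return nil
}

// createShadowed reproduces the bug: `err :=` inside the goroutine declares
// a new variable scoped to that closure, so the outer err is never assigned
// and the function returns nil even when the work failed.
func createShadowed(fail bool) error {
	var err error
	var wg sync.WaitGroup
	wg.Add(1)
	go func() {
		defer wg.Done()
		err := doWork(fail) // := shadows the outer err
		if err != nil {
			fmt.Println("goroutine saw:", err) // visible here, lost to the caller
		}
	}()
	wg.Wait()
	return err // always nil
}

// createFixed assigns with = so the captured outer err is updated. With a
// single goroutine wg.Wait() orders the write before the read; if several
// goroutines could fail, guard err with a mutex or use a channel instead.
func createFixed(fail bool) error {
	var err error
	var wg sync.WaitGroup
	wg.Add(1)
	go func() {
		defer wg.Done()
		err = doWork(fail) // plain assignment to the captured variable
	}()
	wg.Wait()
	return err
}

// createWithChannel avoids sharing a variable altogether: the goroutine
// reports its result over a buffered channel and the caller receives it.
func createWithChannel(fail bool) error {
	errCh := make(chan error, 1)
	go func() {
		errCh <- doWork(fail)
	}()
	return <-errCh
}

func main() {
	fmt.Println("shadowed:", createShadowed(true)) // <nil>: the error is hidden
	fmt.Println("fixed:   ", createFixed(true))
	fmt.Println("channel: ", createWithChannel(true))
}
```

`go vet`'s optional `shadow` analyzer and the `ineffassign` check the other commits cite both flag the `err :=` line; neither runs by default under `go build` or `go test`, which is why this class of bug ships.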
* Merge pull request #1764 from rhatdan/nopasswd (OpenShift Merge Robot, 2018-11-07)

  Don't fail if /etc/passwd or /etc/group does not exist

  * Don't fail if /etc/passwd or /etc/group does not exist (Daniel J Walsh, 2018-11-07)

    Container images can be created without passwd or group file; currently, if one of these containers gets run with a --user flag the container blows up complaining about a missing /etc/passwd file. We just need to check if the error on read is ENOEXIST, then allow the read to return, not fail.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1771 from baude/prepare (OpenShift Merge Robot, 2018-11-07)

  move defer'd function declaration ahead of prepare error return

  * move defer'd function declaration ahead of prepare error return (baude, 2018-11-07)

    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1689 from mheon/add_runc_timeout (OpenShift Merge Robot, 2018-11-07)

  Do not call out to runc for sync

  * Print error status code if we fail to parse it (Matthew Heon, 2018-11-07)

    When we read the conmon error status file, if Atoi fails to parse the string we read from the file as an int, print the string as part of the error message so we know what might have gone wrong.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Properly set Running state when starting containers (Matthew Heon, 2018-11-07)

    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

  * Fix misspelling (Matthew Heon, 2018-11-07)

    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

  * Retrieve container PID from conmon (Matthew Heon, 2018-11-07)

    Instead of running a full sync after starting a container to pick up its PID, grab it from Conmon instead.

    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

  * If a container ceases to exist in runc, set exit status (Matthew Heon, 2018-11-07)

    When we scan a container in runc and see that it no longer exists, we already set ContainerStatusExited to indicate that it no longer exists in runc. Now, also set an exit code and exit time, so PS output will make some sense.

    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

  * EXPERIMENTAL: Do not call out to runc for sync (Matthew Heon, 2018-11-07)

    When syncing container state, we normally call out to runc to see the container's status. This does have significant performance implications, though, and we've seen issues with large amounts of runc processes being spawned.

    This patch attempts to use stat calls on the container exit file created by Conmon instead to sync state. This massively decreases the cost of calling updateContainer (it has gone from an almost-unconditional fork/exec of runc to a single stat call that can be avoided in most states).

    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

  * Actually save changes from post-stop sync (Matthew Heon, 2018-11-07)

    After stopping containers, we run updateContainerStatus to sync our state with runc (pick up exit code, for example). Then we proceed to not save this to the database, requiring us to grab it again on the next sync. This should remove the need to read the exit file more than once.

    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1767 from mheon/remove_conmon_cgroup_first (OpenShift Merge Robot, 2018-11-07)

  Remove conmon cgroup before pod cgroup for cgroupfs

  * Remove conmon cgroup before pod cgroup for cgroupfs (Matthew Heon, 2018-11-07)

    For pods using cgroupfs, we were seeing some error messages in CI from an inability to remove the pod CGroup, which was traced down to the conmon cgroup still being present as a child. Try to remove these error messages and ensure successful CGroup deletion by removing the conmon CGroup first, then the pod cgroup.

    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #1761 from giuseppe/rootless-systemd (OpenShift Merge Robot, 2018-11-07)

  rootless: don't bind mount /sys/fs/cgroup/systemd in systemd mode

  * rootless: mount /sys/fs/cgroup/systemd from the host (Giuseppe Scrivano, 2018-11-07)

    systemd requires /sys/fs/cgroup/systemd to be writeable.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

  * rootless: don't bind mount /sys/fs/cgroup/systemd in systemd mode (Giuseppe Scrivano, 2018-11-07)

    it is not writeable by non-root users so there is no point in having access to it from a container.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add hostname to /etc/hosts (Qi Wang, 2018-11-07)

  Signed-off-by: Qi Wang <qiwan@redhat.com>
* Merge pull request #1731 from afbjorklund/version (OpenShift Merge Robot, 2018-10-31)

  Fix setting of version information

  * Fix setting of version information (Anders F Björklund, 2018-10-31)

    It was setting the wrong variable (CamelCase) in the wrong module ("main", not "libpod")...

    Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* rootless: avoid hang on failed slirp4netns (Giuseppe Scrivano, 2018-10-31)

  If for any reason slirp4netns fails at startup, podman waits indefinitely. Check every second if the process is still running so that we avoid hanging.

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1704 from giuseppe/attach-cuid-too-long (OpenShift Merge Robot, 2018-10-30)

  attach: fix attach when cuid is too long

  * attach: fix attach when cuid is too long (Giuseppe Scrivano, 2018-10-30)

    conmon creates a symlink to avoid using a too long UNIX path.

    Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1641800

    There is still one issue when the path length of the symlink has the same length as the attach socket parent directory, since conmon fails to create the symlink, but that must be addressed in conmon first.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1715 from baude/getusergroup (OpenShift Merge Robot, 2018-10-30)

  get user and group information using securejoin and runc's user library

  * get user and group information using securejoin and runc's user library (baude, 2018-10-29)

    for the purposes of performance and security, we use securejoin to construct the root fs's path so that symlinks are what they appear to be and not pointing to something naughty. then instead of chrooting to parse /etc/passwd|/etc/group, we now use the runc user/group methods which saves us quite a bit of performance.

    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1721 from vrothberg/fix-1695 (OpenShift Merge Robot, 2018-10-29)

  unmount: fix error logic

  * unmount: fix error logic (Valentin Rothberg, 2018-10-29)

    Only return `ErrCtrStateInvalid` errors when the mount counter is equal to 1. Also fix the "can't unmount [...] last mount[..]" error which hasn't been returned when the error passed to `errors.Errorf()` is nil.

    Fixes: #1695

    Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
* Sync default config with libpod.conf (Anders F Björklund, 2018-10-29)

  Only changed libpod.conf file, which might not even be in use.

  Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* Merge pull request #1699 from baude/rund (OpenShift Merge Robot, 2018-10-25)

  run performance improvements

  * run prepare in parallel (baude, 2018-10-25)

    run prepare() -- which consists of creating a network namespace and mounting the container image -- is now run in parallel. This saves 25-40ms.

    Signed-off-by: baude <bbaude@redhat.com>
* Increase security and performance when looking up groups (baude, 2018-10-25)

  We implement the securejoin method to make sure the paths to /etc/passwd and /etc/group are not symlinks to something naughty or outside the container image. And then instead of actually chrooting, we use the runc functions to get information about a user. The net result is increased security and a performance gain from 41ms to 100us.

  Signed-off-by: baude <bbaude@redhat.com>
* create: fix writing cidfile when using rootless (Giuseppe Scrivano, 2018-10-23)

  prevent opening the same file twice, since we re-exec podman in rootless mode.

  While at it, also solve a possible race between the check for the file and writing to it. Another process could have created the file in the meanwhile and we would just end up overwriting it.

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
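The check-then-write race this commit message describes, and the atomic alternative, in an added Go example that is not libpod's code. `writeCIDFileChecked` is the racy shape (stat, then write); `writeCIDFileAtomic` uses `O_CREATE|O_EXCL` so the kernel refuses to create a file that already exists. The `raceHook` parameter is a constructed test seam standing in for another process (such as the re-exec'd rootless podman) creating the file in the window; the function names and the sample ids are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// writeCIDFileChecked is the check-then-write pattern: between the Stat and
// the WriteFile another process can create the file, and WriteFile then
// silently overwrites it. raceHook (constructed for this demo) runs inside
// that window to stand in for the other process.
func writeCIDFileChecked(path, id string, raceHook func()) error {
	if _, err := os.Stat(path); err == nil {
		return fmt.Errorf("container id file %q already exists", path)
	} else if !errors.Is(err, fs.ErrNotExist) {
		return err
	}
	raceHook()
	// Whatever the other process wrote is clobbered here without any error.
	return os.WriteFile(path, []byte(id), 0o644)
}

// writeCIDFileAtomic removes the window: O_CREATE|O_EXCL makes existence
// check and creation a single atomic operation in the kernel. raceHook runs
// before the open so the demo can show the losing side of the race being
// reported instead of overwriting the winner's file.
func writeCIDFileAtomic(path, id string, raceHook func()) error {
	raceHook()
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
	if err != nil {
		if errors.Is(err, fs.ErrExist) {
			return fmt.Errorf("container id file %q already exists", path)
		}
		return err
	}
	if _, err := f.Write([]byte(id)); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

func main() {
	dir, err := os.MkdirTemp("", "cidfile-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// "Other process" that wins the race by creating the file first.
	other := func(p string) func() {
		return func() { _ = os.WriteFile(p, []byte("other-container\n"), 0o644) }
	}

	p := filepath.Join(dir, "checked.cid")
	fmt.Println("checked:", writeCIDFileChecked(p, "my-container\n", other(p)))
	b, _ := os.ReadFile(p)
	fmt.Printf("  file now holds %q (the other process's id is lost)\n", b)

	q := filepath.Join(dir, "atomic.cid")
	fmt.Println("atomic: ", writeCIDFileAtomic(q, "my-container\n", other(q)))
	b, _ = os.ReadFile(q)
	fmt.Printf("  file still holds %q\n", b)
}
```

The same `O_EXCL` rule applies to any file a privileged process creates from a name another party may also create (pid files, lock files, id files): an existence check that is separate from the create is a TOCTOU window, and the fix is to let the kernel do both in one call and treat `EEXIST` as a real error rather than a condition to retry around.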
* read conmon output and convert to json in two steps (baude, 2018-10-23)

  when reading the output from conmon using the JSON methods, it appears that JSON marshalling is higher in pprof than it really is because the pipe is "waiting" for a response. this gives us a clearer look at the real CPU/time consumers.

  Signed-off-by: baude <bbaude@redhat.com>