path: root/libpod
Commit message / Author / Age
* container creation: don't apply reserved annotations from image (Valentin Rothberg, 2021-12-23)
  Do not apply reserved annotations from the image to the container. Reserved annotations are applied during container creation to retrieve certain information (e.g., custom seccomp profile or autoremoval) once a container has been created.
  Context: #12671
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12599 from rhatdan/kernelmemory (OpenShift Merge Robot, 2021-12-23)
  Warn on use of --kernel-memory
  * Warn on use of --kernel-memory (Daniel J Walsh, 2021-12-22)
    It has been deprecated and is no longer supported. Fully remove it and only print a warning if a user uses it.
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2011695
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Enable checkpoint/restore for /dev/shm (Radostin Stoyanov, 2021-12-23)
  When Podman is running a container in private IPC mode (default), it creates a bind mount for /dev/shm that is then attached to a tmpfs folder on the host file system. However, checkpointing a container has the side-effect of stopping that container and unmounting the tmpfs used for /dev/shm. As a result, after checkpoint, all files stored in the container's /dev/shm would be lost and the container might fail to restore from checkpoint. To address this problem, this patch creates a tar file with the content of /dev/shm that is included in the container checkpoint and used to restore the container.
  Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
* Always run passwd management code when DB value is nil (Matthew Heon, 2021-12-22)
  This ensures that existing containers will still manage `/etc/passwd` by default, as they have been doing until now. New containers that explicitly set `false` will still have passwd management disabled, but otherwise the code will run.
  [NO NEW TESTS NEEDED] This will only be caught on upgrade and I don't really know how to write update tests - and Ed is on PTO.
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #12375 from rhatdan/hosts (OpenShift Merge Robot, 2021-12-22)
  Use host's public ip address in rootless containers
  * Use host's public ip address in rootless containers (Daniel J Walsh, 2021-12-21)
    Add first non-localhost ipv4 of all host interfaces as destination for host.containers.internal for rootless containers.
    Fixes: https://github.com/containers/podman/issues/12000
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #12668 from vrothberg/fix-12667 (OpenShift Merge Robot, 2021-12-22)
  support hosts without /etc/hosts
  * support hosts without /etc/hosts (Valentin Rothberg, 2021-12-22)
    Fixes: #12667
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12664 from cdoern/noManagePasswd (OpenShift Merge Robot, 2021-12-22)
  Podman run --passwd
  * Podman run --passwd (cdoern, 2021-12-21)
    Added support for a new flag, --passwd, which, when false, prohibits podman from creating entries in /etc/passwd and /etc/groups, allowing users to modify those files in the container entrypoint.
    Resolves #11805
    Signed-off-by: cdoern <cdoern@redhat.com>
* Merge pull request #12648 from ttys3/fix-generate-kube-env-missing (OpenShift Merge Robot, 2021-12-20)
  fix(generate): fix up podman generate kube missing env field bug
  * fix(generate): fix up podman generate kube missing env field bug (荒野無燈, 2021-12-18)
    The logic is: if the process env var key exists in podman's defaults or in the image-defined ones, and the value is equal, skip the env var key. The typo made it compare to itself -_- so here comes the simple fixup.
    Signed-off-by: 荒野無燈 <ttys3.rust@gmail.com>
* Merge pull request #12626 from vrothberg/may-the-force-be-with-removal (Daniel J Walsh, 2021-12-19)
  image rm: allow for force-remove infra images
  * image rm: allow for force-remove infra images (Valentin Rothberg, 2021-12-17)
    Force removal of images will also remove associated containers. Historically, infra containers have been excluded, resulting in rather annoying errors, for instance, when running `rmi -af`. Since there are no reasons to exclude infra containers, allow for removing the entire pod when an infra image is force removed.
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12625 from adrianreber/2021-12-16-podman-inspect (OpenShift Merge Robot, 2021-12-17)
  Add more checkpoint/restore information to 'inspect'
  * Add more checkpoint/restore information to 'inspect' (Adrian Reber, 2021-12-17)
    This adds the following information to the output of 'podman inspect':
    * CheckpointedAt - time the container was checkpointed. Only set if the container has been checkpointed
    * RestoredAt - time the container was restored. Only set if the container has been restored
    * CheckpointLog - path to the checkpoint log file (CRIU's dump.log). Only set if the log file exists (--keep)
    * RestoreLog - path to the restore log file (CRIU's restore.log). Only set if the log file exists (--keep)
    * CheckpointPath - path to the actual (CRIU) checkpoint files. Only set if the checkpoint files exist (--keep)
    * Restored - set to true if the container has been restored. Only set if the container has been restored
    Signed-off-by: Adrian Reber <areber@redhat.com>
* Removed .service file for healthchecks (Brent Baude, 2021-12-16)
  When a container with healthchecks exits due to stopping or failure, we need the cleanup process to remove both the timer file and the service file.
  Bz#:2024229
  Signed-off-by: Brent Baude <bbaude@redhat.com>
* container restore/import: store networks from db (Paul Holzinger, 2021-12-14)
  It is important that we store the current networks from the db in the config. Also make sure to properly handle aliases and ignore static ip/mac addresses.
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Add new networks format to specgen (Paul Holzinger, 2021-12-14)
  Add the new networks format to specgen. For api users, cni_networks is still supported to make migration easier; however, the static ip and mac fields are removed.
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* network connect allow ip, ipv6 and mac address (Paul Holzinger, 2021-12-14)
  Network connect now supports setting a static ipv4, ipv6 and mac address for the container network. The options are added to the cli and api.
  Fixes #9883
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* network db: add new structure to container create (Paul Holzinger, 2021-12-14)
  Make sure we create new containers in the db with the correct structure. Also remove some unneeded code for alias handling. We no longer need these functions. The specgen format has not been changed for now.
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* remove unneeded return value from c.Networks() (Paul Holzinger, 2021-12-14)
  We do not need to return an extra bool.
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* network db rewrite: migrate existing settings (Paul Holzinger, 2021-12-14)
  The new network db structure stores everything in the networks bucket. Previously some network settings were not written to the network bucket and only stored in the container config. Instead of the old format, which used the container ID as value in the networks buckets, we now use the PerNetworkoptions struct there. To migrate existing users we use the state.GetNetworks() function. If it fails to read the new format it will automatically migrate the old config format to the new one. This allows a flawless migration path.
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* inotify: make sure to remove files (Valentin Rothberg, 2021-12-09)
  Issue #11825 suggests that *rootless* Podman can run into situations where too many inotify fds are open. Indeed, rootless Podman has a slightly higher usage of inotify watchers than the root counterpart when using slirp4netns. Make sure to not only close all watchers but to also remove the files from being watched. Otherwise, the fds only get closed when the files are removed.
  [NO NEW TESTS NEEDED] since we don't have a way to test it.
  Fixes: #11825
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12524 from Luap99/resolve-symlink (OpenShift Merge Robot, 2021-12-07)
  rootless netns: resolve all path components for resolv.conf
  * rootless netns: resolve all path components for resolv.conf (Paul Holzinger, 2021-12-06)
    We need to follow all symlinks in the /etc/resolv.conf path. Currently we would only check the last file, but it is possible that any directory before that is also a link. Unfortunately this code is very hard to maintain and not well tested. I will try to come up with a unit test when I have more time. I think we could utilize some form of chroot for this. For now we are stuck with the default setup in the fedora/ubuntu test VMs.
    [NO NEW TESTS NEEDED]
    Fixes #12461
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #12498 from rhatdan/cgroups (OpenShift Merge Robot, 2021-12-07)
  Update vendor of containers/common moving pkg/cgroups there
  * Update vendor of containers/common moving pkg/cgroups there (Daniel J Walsh, 2021-12-07)
    [NO NEW TESTS NEEDED] This is just moving pkg/cgroups out so existing tests should be fine.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* volume: apply exact permission of target directory without adding extra 0111 (Aditya Rajan, 2021-12-07)
  While trying to match permissions of target directory podman adds extra `0111` which should not be needed if target path does not have execute permission.
  Signed-off-by: Aditya Rajan <arajan@redhat.com>
* Merge pull request #12365 from mtrmac/random (OpenShift Merge Robot, 2021-12-02)
  Don't use a global RNG, and avoid conflicts, when generating NodePorts
  * Ensure the generated NodePort values are unique (Miloslav Trmač, 2021-11-30)
    ... at least within a single service.
    [NO NEW TESTS NEEDED] because testing RNGs is problematic. (We _could_ probably inject a mock RNG implementation that always returns the same value, or something like that.)
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Allow containerPortsToServicePorts to fail (Miloslav Trmač, 2021-11-30)
    Add an error return to it and affected callers. Should not affect behavior, the function can't currently fail.
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Don't use the global math/rand RNG for service ports (Miloslav Trmač, 2021-11-30)
    Use a private RNG with the desired seed, don't interfere with the other uses. Introducing the servicePortState type is rather overkill for the single member, but we'll add another one immediately.
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Move a comment to the relevant place (Miloslav Trmač, 2021-11-30)
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Merge pull request #12469 from Luap99/ns-teardown-flake (OpenShift Merge Robot, 2021-12-02)
  Fix possible rootless netns cleanup race
  * Fix possible rootless netns cleanup race (Paul Holzinger, 2021-12-01)
    rootlessNetNS.Cleanup() has an issue with how it detects if cleanup is needed: reading the container state is not good enough because containers are first stopped and then cleanup will be called. So at one time two containers could wait for cleanup, but the second one will fail because the first one already triggered the cleanup, thus making rootless netns unavailable for the second container, resulting in a teardown error. Instead of checking the container state we need to check the netns state.
    Secondly, podman unshare --rootless-netns should not do the cleanup. This causes more issues than it is worth fixing. Users also might want to use this to set up the namespace in a special way. If unshare also cleans this up right away we cannot do this.
    [NO NEW TESTS NEEDED]
    Fixes #12459
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #12464 from giuseppe/fix-race-reading-cgroup-file (OpenShift Merge Robot, 2021-12-01)
  container, cgroup: detect pid termination
  * container, cgroup: detect pid termination (Giuseppe Scrivano, 2021-12-01)
    If the /proc/$PID/cgroup file doesn't exist, then it is likely the container was terminated in the meanwhile, so report ErrCtrStopped, which is already handled, instead of ENOENT.
    commit a66f40b4df039e94572fa38c070207a435cfa466 introduced the regression.
    Closes: https://github.com/containers/podman/issues/12457
    [NO NEW TESTS NEEDED] it solves a race in the CI that is difficult to reproduce.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* top: parse ps(1) args correctly (Valentin Rothberg, 2021-12-01)
  The arguments of ps(1) should be shlexed.
  Fixes: #12452
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12406 from Luap99/xdg-checkpoint (OpenShift Merge Robot, 2021-11-25)
  checkpoint do not modify XDG_RUNTIME_DIR
  * checkpoint do not modify XDG_RUNTIME_DIR (Paul Holzinger, 2021-11-24)
    We should not modify the XDG_RUNTIME_DIR env value during runtime of libpod; this can cause hard to find bugs. Only set it for the OCI runtime; this matches the other commands such as start, stop, kill...
    [NO NEW TESTS NEEDED]
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #12403 from giuseppe/improve-cgroup-detection (OpenShift Merge Robot, 2021-11-25)
  libpod: improve heuristic to detect cgroup
  * libpod: improve heuristic to detect cgroup (Giuseppe Scrivano, 2021-11-24)
    Improve the heuristic to detect the scope that was created for the container. This is necessary with systemd running as PID 1, since it moves itself to a different sub-cgroup, thus stats would not account for other processes in the same container.
    Closes: https://github.com/containers/podman/issues/12400
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * libpod, inspect: export cgroup path (Giuseppe Scrivano, 2021-11-24)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * stats: get the memory limit from the spec (Giuseppe Scrivano, 2021-11-24)
    OCI runtimes may set the memory limits in different ways, e.g., crun creates a sub-cgroup where the limits are applied, while runc applies them directly on the created cgroup. Since there is standardization on the cgroup path to use, just use the limit specified in the spec file.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* libpod: leave thread locked on errors (Giuseppe Scrivano, 2021-11-24)
  If the SELinux label could not be restored correctly, leave the OS thread locked so that it is terminated once it returns to the thread pool.
  [NO NEW TESTS NEEDED] the failure is hard to reproduce
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Unset SocketLabel after system finishes checkpointing (Daniel J Walsh, 2021-11-23)
  This should fix the SELinux issue we are seeing with talking to /run/systemd/private.
  Fixes: https://github.com/containers/podman/issues/12362
  Also unset the XDG_RUNTIME_DIR if set, since we don't know when running as a service if this will cause issues.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Warn on failing to update container status (Matthew Heon, 2021-11-23)
  failed to send a signal to the container's PID1, but ignored the results of that update. That's generally bad practice, since even if we can't directly take action on an error, we should still make an effort to report it for debugging purposes. I used Infof instead of something more serious to avoid duplicate reporting to the user if something has gone seriously wrong.
  [NO NEW TESTS NEEDED] this is just adding additional error reporting.
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* oci: ack crun output when container is not there (Aditya Rajan, 2021-11-23)
  `crun status ctrid` outputs `No such file or directory` when the container is not there, so podman must ack it.
  [NO NEW TESTS NEEDED]
  Signed-off-by: Aditya Rajan <arajan@redhat.com>