summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* slirp: fix setup on ipv6 disabled systemsPaul Holzinger2022-03-14
| | | | | | | | | | | | | | | | | When enable_ipv6=true is set for slirp4netns (default since podman v4), we will try to set the accept sysctl. This sysctl will not exist on systems that have ipv6 disabled. In this case we should not error and just ignore the extra ipv6 setup. Also the current logic to wait for the slirp4 setup was kinda broken, it did not actually wait until the sysctl was set before starting slirp. This should now be fixed by using two `sync.WaitGroup`s. [NO NEW TESTS NEEDED] Fixes #13388 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Add support for --chrootdirsLStandman2022-03-14
| | | | Signed-off-by: LStandman <65296484+LStandman@users.noreply.github.com>
* Inspect network info of a joined network namespace😎 Mostafa Emami2022-03-08
| | | | | Closes: https://github.com/containers/podman/issues/13150 Signed-off-by: 😎 Mostafa Emami <mustafaemami@gmail.com>
* Merge pull request #13413 from giuseppe/pod-no-use-cgroups-if-disabledOpenShift Merge Robot2022-03-04
|\ | | | | libpod: pods do not use cgroups if --cgroups=disabled
| * libpod: pods do not use cgroups if --cgroups=disabledGiuseppe Scrivano2022-03-03
| | | | | | | | | | | | | | | | | | do not attempt to use cgroups with pods if the cgroups are disabled. A similar check is already in place for containers. Closes: https://github.com/containers/podman/issues/13411 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | container: workdir resolution must consider symlink if explicitly configuredAditya R2022-03-02
|/ | | | | | | | | | | | | | | | | | | | | | | While resolving `workdir` we mostly create a `workdir` when `stat` fails with `ENOENT` or `ErrNotExist` however following cases are not true when user explicitly specifies a `workdir` while `running` using `--workdir` which tells `podman` to only use workdir if its exists on the container. Following configuration is implicity set with other `run` mechanism like `podman play kube` Problem with explicit `--workdir` or similar implicit config in `podman play kube` is that currently podman ignores the fact that workdir can also be a `symlink` and actual `link` could be valid. Hence following commit ensures that in such scenarios when a `workdir` is not found and we cannot create a `workdir` podman must perform a check to ensure that if `workdir` is a `symlink` and `link` is resolved successfully and resolved link is present on the container then we return as it is. Docker performs a similar behviour. Signed-off-by: Aditya R <arajan@redhat.com>
* Merge pull request #13362 from keonchennl/pod-logs-add-flagOpenShift Merge Robot2022-03-01
|\ | | | | Add the names flag for pod logs
| * Add the names flag for pod logsXueyuan Chen2022-03-01
| | | | | | | | | | | | Fixes containers#13261 Signed-off-by: Xueyuan Chen <X.Chen-47@student.tudelft.nl>
* | Add podman volume mount supportDaniel J Walsh2022-02-28
|/ | | | | | Fixes: https://github.com/containers/podman/issues/12768 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Show version of the deb package in info outputAnders F Björklund2022-02-24
| | | | | | | | | Previously just showing name of the package, followed by the path repeated again (already stated on the line above) [NO NEW TESTS NEEDED] Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* Merge pull request #13314 from flouthoc/container-commit-squashOpenShift Merge Robot2022-02-23
|\ | | | | container-commit: support `--squash` to squash layers into one if users want.
| * container-commit: support --squash to squash layers into oneAditya R2022-02-23
| | | | | | | | | | | | | | | | | | | | | | Allow users to commit containers into a single layer. Usage ```bash podman container commit --squash <name> ``` Signed-off-by: Aditya R <arajan@redhat.com>
* | Merge pull request #13232 from rhatdan/volumesOpenShift Merge Robot2022-02-23
|\ \ | | | | | | Don't log errors on removing volumes inuse, if container --volumes-from
| * | Don't log errors on removing volumes inuse, if container --volumes-fromDaniel J Walsh2022-02-21
| |/ | | | | | | | | | | | | | | | | | | | | When removing a container created with a --volumes-from a container created with a built in volume, we complain if the original container still exists. Since this is an expected state, we should not complain about it. Fixes: https://github.com/containers/podman/issues/12808 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Remove the runtime lockMatthew Heon2022-02-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This primarily served to protect us against shutting down the Libpod runtime while operations (like creating a container) were happening. However, it was very inconsistently implemented (a lot of our longer-lived functions, like pulling images, just didn't implement it at all...) and I'm not sure how much we really care about this very-specific error case? Removing it also removes a lot of potential deadlocks, which is nice. [NO NEW TESTS NEEDED] Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #13059 from cdoern/cloneOpenShift Merge Robot2022-02-22
|\ \ | |/ |/| Implement Podman Container Clone
| * Implement Podman Container Clonecdoern2022-02-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman container clone takes the id of an existing continer and creates a specgen from the given container's config recreating all proper namespaces and overriding spec options like resource limits and the container name if given in the cli options this command utilizes the common function DefineCreateFlags meaning that we can funnel as many create options as we want into clone over time allowing the user to clone with as much or as little of the original config as they want. container clone takes a second argument which is a new name and a third argument which is an image name to use instead of the original container's the current supported flags are: --destroy (remove the original container) --name (new ctr name) --cpus (sets cpu period and quota) --cpuset-cpus --cpu-period --cpu-rt-period --cpu-rt-runtime --cpu-shares --cpuset-mems --memory --run resolves #10875 Signed-off-by: cdoern <cdoern@redhat.com> Signed-off-by: cdoern <cbdoer23@g.holycross.edu> Signed-off-by: cdoern <cdoern@redhat.com>
* | Propagate $CONTAINERS_CONF to conmonDavid Gibson2022-02-18
|/ | | | | | | | | | | | | | | | | | | | | The CONTAINERS_CONF environment variable can be used to override the configuration file, which is useful for testing. However, at the moment this variable is not propagated to conmon. That means in particular, that conmon can't propagate it back to podman when invoking its --exit-command. The mismatch in configuration between the starting and cleaning up podman instances can cause a variety of errors. This patch also adds two related test cases. One checks explicitly that the correct CONTAINERS_CONF value appears in conmon's environment. The other checks for a possible specific impact of this bug: if we use a nonstandard name for the runtime (even if its path is just a regular crun), then the podman container cleanup invoked at container exit will fail. That has the effect of meaning that a container started with -d --rm won't be correctly removed once complete. Fixes #12917 Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
* Fix checkpoint/restore pod testsAdrian Reber2022-02-11
| | | | | | | | | Checkpoint/restore pod tests are not running with an older runc and now that runc 1.1.0 appears in the repositories it was detected that the tests were failing. This was not detected in CI as CI was not using runc 1.1.0 yet. Signed-off-by: Adrian Reber <areber@redhat.com>
* Modify /etc/resolv.conf when connecting/disconnectingMatthew Heon2022-02-10
| | | | | | | | | | | | | | | | | | The `podman network connect` and `podman network disconnect` commands give containers access to different networks than the ones they were created with; these networks can also have DNS servers associated with them. Until now, however, we did not modify resolv.conf as network membership changed. With this PR, `podman network connect` will add any new nameservers supported by the new network to the container's /etc/resolv.conf, and `podman network disconnect` command will do the opposite, removing the network's nameservers from `/etc/resolv.conf`. Fixes #9603 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #13163 from myml/myml/fix-durationOpenShift Merge Robot2022-02-08
|\ | | | | fix: Multiplication of durations
| * fix: Multiplication of durationsmyml2022-02-08
| | | | | | | | | | | | | | 'killContainerTimeout' is already 5 second [NO NEW TESTS NEEDED] Signed-off-by: myml <wurongjie1@gmail.com>
* | Merge pull request #13159 from Luap99/slirp4-scopeOpenShift Merge Robot2022-02-08
|\ \ | |/ |/| move rootless netns slirp4netns process to systemd user.slice
| * move rootless netns slirp4netns process to systemd user.slicePaul Holzinger2022-02-07
| | | | | | | | | | | | | | | | | | | | | | | | | | When running podman inside systemd user units, it is possible that systemd kills the rootless netns slirp4netns process because it was started in the default unit cgroup. When the unit is stopped all processes in that cgroup are killed. Since the slirp4netns process is run once for all containers it should not be killed. To make sure systemd will not kill the process we move it to the user.slice. Fixes #13153 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #13129 from flouthoc/healthcheck-session-read-from-pipeOpenShift Merge Robot2022-02-07
|\ \ | |/ |/| healthcheck, libpod: Read healthcheck event output from os pipe
| * healthcheck, libpod: Read healthcheck event output from os pipeAditya R2022-02-04
| | | | | | | | | | | | | | | | | | | | It seems we are ignoring output from healthcheck session. Open a valid pipe to healthcheck session in order read its output. Use common pipe for both `stdout/stderr` since that was the previous behviour as well. Signed-off-by: Aditya R <arajan@redhat.com>
* | Fix: Do not print error when parsing journald log failsmyml2022-02-07
| | | | | | | | | | | | | | foramtError was written as err [NO NEW TESTS NEEDED] Signed-off-by: myml <wurongjie1@gmail.com>
* | Merge pull request #13143 from Luap99/dnsOpenShift Merge Robot2022-02-04
|\ \ | | | | | | append podman dns search domain
| * | append podman dns search domainPaul Holzinger2022-02-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Append the podman dns seach domain to the host search domains when we use the dnsname/aardvark server. Previously it would only use podman seach domains and discard the host domains. Fixes #13103 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #12930 from cdoern/podCgroupOpenShift Merge Robot2022-02-04
|\ \ \ | |/ / |/| | Podman pod create --share-parent vs --share=cgroup
| * | Podman pod create --share-parent vs --share=cgroupcdoern2022-02-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | separated cgroupNS sharing from setting the pod as the cgroup parent, made a new flag --share-parent which sets the pod as the cgroup parent for all containers entering the pod remove cgroup from the default kernel namespaces since we want the same default behavior as before which is just the cgroup parent. resolves #12765 Signed-off-by: cdoern <cdoern@redhat.com> Signed-off-by: cdoern <cbdoer23@g.holycross.edu> Signed-off-by: cdoern <cdoern@redhat.com>
* | | system prune: remove all networksPaul Holzinger2022-02-03
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | podman system prune should also remove all networks. When we want to users to migrate to the new network stack we recommend to run podman system reset. However this did not remove networks and if there were still networks around we would continue to use cni since this was considered an old system. There is one exception for the default network. It should not be removed since this could cause other issues when it no longer exists. The network backend detection logic ignores the default network so this is fine. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | libpod: enforce noexec,nosuid,nodev for /dev/shmGiuseppe Scrivano2022-02-02
| | | | | | | | | | | | | | these mount flags are already used for the /dev/shm mount on the host, but they are not set for the bind mount itself. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | libpod: report slirp4netns network statsGiuseppe Scrivano2022-02-01
| | | | | | | | | | | | | | | | | | by default slirp4netns uses the tap0 device. When slirp4netns is used, use that device by default instead of eth0. Closes: https://github.com/containers/podman/issues/11695 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | volume: add support for non-volatile upperdir,workdir for overlay volumesAditya Rajan2022-01-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Often users want their overlayed volumes to be `non-volatile` in nature that means that same `upper` dir can be re-used by one or more containers but overall of nature of volumes still have to be `overlay` so work done is still on a overlay not on the actual volume. Following PR adds support for more advanced options i.e custom `workdir` and `upperdir` for overlayed volumes. So that users can re-use `workdir` and `upperdir` across new containers as well. Usage ```console $ podman run -it -v myvol:/data:O,upperdir=/path/persistant/upper,workdir=/path/persistant/work alpine sh ``` Signed-off-by: Aditya R <arajan@redhat.com>
* | Merge pull request #12857 from giuseppe/fix-rm-dir-not-emptyOpenShift Merge Robot2022-01-25
|\ \ | | | | | | exec: retry rm -rf on ENOTEMPTY and EBUSY
| * | exec: retry rm -rf on ENOTEMPTY and EBUSYGiuseppe Scrivano2022-01-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when running on NFS, a RemoveAll could cause EBUSY because of some unlinked files that are still kept open and "silly renamed" to .nfs$ID. This is only half of the fix, as conmon needs to be fixed too. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2040379 Related: https://github.com/containers/conmon/pull/319 [NO NEW TESTS NEEDED] as it requires NFS as the underlying storage. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | libpod: fix leaking fdGiuseppe Scrivano2022-01-24
| | | | | | | | | | | | | | | | | | | | | | | | the config.json file for the OCI runtime is never closed, this is a problem when running on NFS, since it leaves around stale files that cannot be unlinked. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | libpod: fix connection leakGiuseppe Scrivano2022-01-24
| | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | container create: do not check for network dns supportPaul Holzinger2022-01-24
|/ / | | | | | | | | | | | | | | | | | | | | We should not check if the network supports dns when we create a container with network aliases. This could be the case for containers created by docker-compose for example if the dnsname plugin is not installed or the user uses a macvlan config where we do not support dns. Fixes #12972 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Run codespell on codeDaniel J Walsh2022-01-21
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Show package version when running on alpineAnders F Björklund2022-01-19
| | | | | | | | | | | | | | | | Tested manually. [NO NEW TESTS NEEDED] Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* | compat attach: fix write on closed channelValentin Rothberg2022-01-18
|/ | | | | | | | | Waiting on an initialized sync.WaitGroup returns immediately. Hence, move the goroutine to wait and close *after* reading the logs. Fixes: #12904 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* bump go module to version 4Valentin Rothberg2022-01-18
| | | | | | | | | | | | | Automated for .go files via gomove [1]: `gomove github.com/containers/podman/v3 github.com/containers/podman/v4` Remaining files via vgrep [2]: `vgrep github.com/containers/podman/v3` [1] https://github.com/KSubedi/gomove [2] https://github.com/vrothberg/vgrep Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12684 from mheon/remap_statesOpenShift Merge Robot2022-01-18
|\ | | | | Revamp Libpod state strings for Docker compat
| * Revamp Libpod state strings for Docker compatMatthew Heon2022-01-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Improve our compatibility with Docker by better handling the state strings that we print in `podman ps`. Docker capitalizes all states in `ps` (we do not) - fix this in our PS code. Also, stop normalizing ContainerStateConfigured to the "Created" state, and instead make it always be Created, with the existing Created state becoming Initialized. I didn't rename the actual states because I'm somewhat reticent to make such a large change a day before we leave for break. It's somewhat confusing that ContainerStateConfigured now returns Created, but internally and externally we're still consistent. [NO NEW TESTS NEEDED] existing tests should catch anything that broke. I also consider this a breaking change. I will flag appropriately on Github. Fixes RHBZ#2010432 and RHBZ#2032561 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #12870 from rhatdan/userns1OpenShift Merge Robot2022-01-18
|\ \ | |/ |/| Use PODMAN_USERNS environment variable when running as a service
| * Use PODMAN_USERNS environment variable when running as a serviceDaniel J Walsh2022-01-17
| | | | | | | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/11350#issuecomment-1011562526 Also add inspect information about the idmappings if they exists. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Standardize on capatalized CgroupsDaniel J Walsh2022-01-14
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Use new CDI APIEvan Lezar2022-01-14
| | | | | | | This change updates the CDI API to commit 46367ec063fda9da931d050b308ccd768e824364 which addresses some inconistencies in the previous implementation. Signed-off-by: Evan Lezar <elezar@nvidia.com>