summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Merge pull request #3692 from haircommander/play-capsOpenShift Merge Robot2019-08-02
|\ | | | | Add Capability support to play kube
| * Add capability functionality to play kubePeter Hunt2019-08-01
| | | | | | | | | | | | | | Take capabilities written in a kube and add to a container adapt test suite and write cap-add/drop tests Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * Deduplicate capabilities in generate kubePeter Hunt2019-08-01
| | | | | | | | | | | | capabilities that were added and dropped were several times duplicated. Fix this Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | Merge pull request #3551 from mheon/fix_memory_leakOpenShift Merge Robot2019-08-02
|\ \ | | | | | | Fix memory leak with exit files
| * | Use "none" instead of "null" for the null eventerMatthew Heon2019-08-01
| | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | Ensure we generate a 'stopped' event on force-removeMatthew Heon2019-07-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When forcibly removing a container, we are initiating an explicit stop of the container, which is not reflected in 'podman events'. Swap to using our standard 'stop()' function instead of a custom one for force-remove, and move the event into the internal stop function (so internal calls also register it). This does add one more database save() to `podman remove`. This should not be a terribly serious performance hit, and does have the desirable side effect of making things generally safer. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | System events are valid, don't error on themMatthew Heon2019-07-31
| | | | | | | | | | | | | | | | | | The logfile driver was not aware that system events existed. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | Expose Null eventer and allow its use in the Podman CLIMatthew Heon2019-07-31
| | | | | | | | | | | | | | | | | | | | | | | | We need this specifically for tests, but others may find it useful if they don't explicitly need events and don't want the performance implications of using them. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | Add a flag to set events logger typeMatthew Heon2019-07-31
| | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | podman: fix memleak caused by renaming and not deletingMatthew Heon2019-07-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the exit file If the container exit code needs to be retained, it cannot be retained in tmpfs, because libpod runs in a memcg itself so it can't leave traces with a daemon-less design. This wasn't a memleak detectable by kmemleak for example. The kernel never lost track of the memory and there was no erroneous refcounting either. The reference count dependencies however are not easy to track because when a refcount is increased, there's no way to tell who's still holding the reference. In this case it was a single page of tmpfs pagecache holding a refcount that kept pinned a whole hierarchy of dying memcg, slab kmem, cgropups, unrechable kernfs nodes and the respective dentries and inodes. Such a problem wouldn't happen if the exit file was stored in a regular filesystem because the pagecache could be reclaimed in such case under memory pressure. The tmpfs page can be swapped out, but that's not enough to release the memcg with CONFIG_MEMCG_SWAP_ENABLED=y. No amount of more aggressive kernel slab shrinking could have solved this. Not even assigning slab kmem of dying cgroups to alive cgroup would fully solve this. The only way to free the memory of a dying cgroup when a struct page still references it, would be to loop over all "struct page" in the kernel to find which one is associated with the dying cgroup which is a O(N) operation (where N is the number of pages and can reach billions). Linking all the tmpfs pages to the memcg would cost less during memcg offlining, but it would waste lots of memory and CPU globally. So this can't be optimized in the kernel. A cronjob running this command can act as workaround and will allow all slab cache to be released, not just the single tmpfs pages. rm -f /run/libpod/exits/* This patch solved the memleak with a reproducer, booting with cgroup.memory=nokmem and with selinux disabled. The reason memcg kmem and selinux were disabled for testing of this fix, is because kmem greatly decreases the kernel effectiveness in reusing partial slab objects. cgroup.memory=nokmem is strongly recommended at least for workstation usage. selinux needs to be further analyzed because it causes further slab allocations. The upstream podman commit used for testing is 1fe2965e4f672674f7b66648e9973a0ed5434bb4 (v1.4.4). The upstream kernel commit used for testing is f16fea666898dbdd7812ce94068c76da3e3fcf1e (v5.2-rc6). Reported-by: Michele Baldessari <michele@redhat.com> Signed-off-by: Andrea Arcangeli <aarcange@redhat.com> <Applied with small tweaks to comments> Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #3693 from QiWang19/searchOpenShift Merge Robot2019-08-02
|\ \ \ | | | | | | | | fix search output limit
| * | | fix search output limitQi Wang2019-08-01
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | close https://bugzilla.redhat.com/show_bug.cgi?id=1732280 From the bug Podman search returns 25 results even when limit option `--limit` is larger than 25(maxQueries). They want Podman to return `--limit` results. This PR fixes the number of output result. if --limit not set, return MIN(maxQueries, len(res)) if --limit is set, return MIN(option, len(res)) Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | Merge pull request #3688 from mheon/print_podOpenShift Merge Robot2019-08-01
|\ \ \ | |_|/ |/| | Print Pod ID in `podman inspect` output
| * | Print Pod ID in `podman inspect` outputMatthew Heon2019-08-01
| |/ | | | | | | | | | | | | Somehow this managed to slip through the cracks, but this is definitely something inspect should print. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #3677 from giuseppe/systemd-cgroupsv2OpenShift Merge Robot2019-08-01
|\ \ | | | | | | systemd, cgroupsv2: not bind mount /sys/fs/cgroup/systemd
| * | systemd, cgroupsv2: not bind mount /sys/fs/cgroup/systemdGiuseppe Scrivano2019-08-01
| |/ | | | | | | | | | | | | | | when running on a cgroups v2 system, do not bind mount the named hierarchy /sys/fs/cgroup/systemd as it doesn't exist anymore. Instead bind mount the entire /sys/fs/cgroup. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #3671 from openSUSE/runtime-path-discoveryOpenShift Merge Robot2019-08-01
|\ \ | | | | | | Add runtime and conmon path discovery
| * | Add runtime and conmon path discoverySascha Grunert2019-08-01
| |/ | | | | | | | | | | | | | | The `$PATH` environment variable will now used as fallback if no valid runtime or conmon path matches. The debug logs has been updated to state the used executable. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* / Vendor in buildah 1.9.2Daniel J Walsh2019-07-30
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #3672 from petejohanson/32bit-build-fixesOpenShift Merge Robot2019-07-30
|\ | | | | Build fix for 32-bit systems.
| * Build fix for 32-bit systems.Pete Johanson2019-07-30
| | | | | | | | | | | | * Fixes #3664. Signed-off-by: Pete Johanson <peter@peterjohanson.com>
* | Merge pull request #3661 from openSUSE/nixos-friendly-configOpenShift Merge Robot2019-07-30
|\ \ | |/ |/| Update libpod.conf to be more friendly to NixOS
| * Update libpod.conf to be NixOS friendlySascha Grunert2019-07-30
| | | | | | | | | | | | | | | | NixOS links the current system state to `/run/current-system`, so we have to add these paths to the configuration files as well to work out of the box. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* | Merge pull request #3656 from jwhonce/wip/envOpenShift Merge Robot2019-07-29
|\ \ | | | | | | Fix commit --changes env=X=Y
| * | Fix commit --changes env=X=YJhon Honce2019-07-26
| |/ | | | | | | Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | Merge pull request #3233 from ↵OpenShift Merge Robot2019-07-29
|\ \ | |/ |/| | | | | wking/fatal-requested-hook-directory-does-not-exist libpod/container_internal: Make all errors loading explicitly configured hook dirs fatal
| * libpod/container_internal: Make all errors loading explicitly configured ↵W. Trevor King2019-05-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | hook dirs fatal Remove this IsNotExist out which was added along with the rest of this block in f6a2b6bf2b (hooks: Add pre-create hooks for runtime-config manipulation, 2018-11-19, #1830). Besides the obvious "hook directory does not exist", it was swallowing the less-obvious "hook command does not exist". And either way, folks are likely going to want non-zero podman exits when we fail to load a hook directory they explicitly pointed us towards. Signed-off-by: W. Trevor King <wking@tremily.us>
* | Merge pull request #3639 from giuseppe/user-ns-containerOpenShift Merge Robot2019-07-26
|\ \ | | | | | | podman: support --userns=ns|container
| * | podman: support --userns=ns|containerGiuseppe Scrivano2019-07-25
| | | | | | | | | | | | | | | | | | | | | | | | allow to join the user namespace of another container. Closes: https://github.com/containers/libpod/issues/3629 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Fix possible runtime panic if image history len is zeroSascha Grunert2019-07-25
|/ / | | | | | | | | | | | | We now return an empty string for the `Comment` field if an OCI v1 image contains no history. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* | When retrieving volumes, only use exact namesMatthew Heon2019-07-24
| | | | | | | | | | | | | | | | | | | | We should not be fuzzy matching on volume names. Docker doesn't do it, and it doesn't make much sense. Everything requires exact matches for names - only IDs allow partial matches. Fixes #3635 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #3626 from mheon/fix_ps_segfaultOpenShift Merge Robot2019-07-24
|\ \ | | | | | | Fix a segfault on Podman no-store commands with refresh
| * | Fix a segfault on Podman no-store commands with refreshMatthew Heon2019-07-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a command (like `ps`) requests no store be created, but also requires a refresh be performed, we have to ignore its request and initialize the store anyways to prevent segfaults. This work was done in #3532, but that missed one thing - initializing a storage service. Without the storage service, Podman will still segfault. Fix that oversight here. Fixes #3625 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | refactor to reduce duplicated error parsingPeter Hunt2019-07-23
| | | | | | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | move editing of exitCode to runtimePeter Hunt2019-07-23
|/ / | | | | | | | | | | | | | | | | There's no way to get the error if we successfully get an exit code (as it's just printed to stderr instead). instead of relying on the error to be passed to podman, and edit based on the error code, process it on the varlink side instead Also move error codes to define package Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | golangci-lint cleanupbaude2019-07-23
| | | | | | | | | | | | | | a PR slipped through without running the new linter. this cleans things up for the master branch. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #3621 from baude/golangcilint4OpenShift Merge Robot2019-07-23
|\ \ | | | | | | golangci-lint phase 4
| * | golangci-lint phase 4baude2019-07-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | clean up some final linter issues and add a make target for golangci-lint. in addition, begin running the tests are part of the gating tasks in cirrus ci. we cannot fully shift over to the new linter until we fix the image on the openshift side. for short term, we will use both Signed-off-by: baude <bbaude@redhat.com>
* | | Implement conmon execPeter Hunt2019-07-22
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This includes: Implement exec -i and fix some typos in description of -i docs pass failed runtime status to caller Add resize handling for a terminal connection Customize exec systemd-cgroup slice fix healthcheck fix top add --detach-keys Implement podman-remote exec (jhonce) * Cleanup some orphaned code (jhonce) adapt remote exec for conmon exec (pehunt) Fix healthcheck and exec to match docs Introduce two new OCIRuntime errors to more comprehensively describe situations in which the runtime can error Use these different errors in branching for exit code in healthcheck and exec Set conmon to use new api version Signed-off-by: Jhon Honce <jhonce@redhat.com> Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | golangci-lint round #3baude2019-07-21
| | | | | | | | | | | | | | this is the third round of preparing to use the golangci-lint on our code base. Signed-off-by: baude <bbaude@redhat.com>
* | Cleanup Pull MessageDaniel J Walsh2019-07-20
| | | | | | | | | | | | | | | | | | | | Currently the pull message on failure is UGLY. This patch removes a lot of the noice when pulling an image from multiple registries to make the user experience better. Our current messages are way too verbose and need to be dampened down. Still has verbose mode if you turn on log-level=debug. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Add support for listing read/only and read/write imagesDaniel J Walsh2019-07-19
| | | | | | | | | | | | | | When removing --all images prune images only attempt to remove read/write images, ignore read/only images Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #3443 from adrianreber/rootfs-changes-migrationOpenShift Merge Robot2019-07-19
|\ \ | | | | | | Include changes to the container's root file-system in the checkpoint archive
| * | Add --ignore-rootfs option for checkpoint/restoreAdrian Reber2019-07-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The newly added functionality to include the container's root file-system changes into the checkpoint archive can now be explicitly disabled. Either during checkpoint or during restore. If a container changes a lot of files during its runtime it might be more effective to migrated the root file-system changes in some other way and to not needlessly increase the size of the checkpoint archive. If a checkpoint archive does not contain the root file-system changes information it will automatically be skipped. If the root file-system changes are part of the checkpoint archive it is also possible to tell Podman to ignore these changes. Signed-off-by: Adrian Reber <areber@redhat.com>
| * | Fix typo in checkpoint/restore related textsAdrian Reber2019-07-11
| | | | | | | | | | | | Signed-off-by: Adrian Reber <areber@redhat.com>
| * | Include root file-system changes in container migrationAdrian Reber2019-07-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | One of the last limitations when migrating a container using Podman's 'podman container checkpoint --export=/path/to/archive.tar.gz' was that it was necessary to manually handle changes to the container's root file-system. The recommendation was to mount everything as --tmpfs where the root file-system was changed. This extends the checkpoint export functionality to also include all changes to the root file-system in the checkpoint archive. The checkpoint archive now includes a tarstream of the result from 'podman diff'. This tarstream will be applied to the restored container before restoring the container. With this any container can now be migrated, even it there are changes to the root file-system. There was some discussion before implementing this to base the root file-system migration on 'podman commit', but it seemed wrong to do a 'podman commit' before the migration as that would change the parent layer the restored container is referencing. Probably not really a problem, but it would have meant that a migrated container will always reference another storage top layer than it used to reference during initial creation. Signed-off-by: Adrian Reber <areber@redhat.com>
| * | Add function to get a filtered tarstream diffAdrian Reber2019-07-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The newly added function GetDiffTarStream() mirrors the GetDiff() function. It tries to get the correct layer ID from getLayerID() and it filters out containerMounts from the tarstream. Thus the behavior is the same as GetDiff(), but it returns a tarstream. This also adds the function ApplyDiffTarStream() to apply the tarstream generated by GetDiffTarStream(). These functions are targeted to support container migration with root file-system changes. Signed-off-by: Adrian Reber <areber@redhat.com>
* | | Merge pull request #3595 from mheon/fix_exec_leakOpenShift Merge Robot2019-07-18
|\ \ \ | | | | | | | | Remove exec PID files after use to prevent memory leaks
| * | | Remove exec PID files after use to prevent memory leaksMatthew Heon2019-07-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We have another patch running to do the same for exit files, with a much more in-depth explanation of why it's necessary. Suffice to say that persistent files in tmpfs tied to container CGroups lead to significant memory allocations that last for the lifetime of the file. Based on a patch by Andrea Arcangeli (aarcange@redhat.com). Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | | Populate inspect with security-opt settingsMatthew Heon2019-07-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We can infer no-new-privileges. For now, manually populate seccomp (can't infer what file we sourced from) and SELinux/Apparmor (hard to tell if they're enabled or not). Signed-off-by: Matthew Heon <mheon@redhat.com>