| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make Podman more tolerant when parsing image volumes during container
creation and further fix an infinite loop when checking them.
Consider `VOLUME ['/etc/foo', '/etc/bar']` in a Containerfile. While
it looks correct to the human eye, the single quotes are wrong and yield
the two volumes to be `[/etc/foo,` and `/etc/bar]` in Podman and Docker.
When running the container, it'll create a directory `bar]` in `/etc`
and a directory `[` in `/` with two subdirectories `etc/foo,`. This
behavior is surprising to me but how Docker behaves. We may improve on
that in the future. Note that the correct way to syntax for volumes in
a Containerfile is `VOLUME /A /B /C` or `VOLUME ["/A", "/B", "/C"]`;
single quotes are not supported.
This change restores this behavior without breaking container creation
or ending up in an infinite loop.
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2014149
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\
| |
| | |
remove need to download pause image
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
So far, the infra containers of pods required pulling down an image
rendering pods not usable in disconnected environments. Instead, build
an image locally which uses local pause binary.
Fixes: #10354
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make sure to create the mounts for containers with an overlay root FS in
the runtime dir (e.g., /run/user/1000/...) to guarantee that we can
actually overlay mount on the specific path which is not the case for
the graph root.
[NO NEW TESTS NEEDED] since it is not a user-facing change.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \
| | |
| | | |
Slirp4netns with ipv6 set net.ipv6.conf.default.accept_dad=0
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Duplicate Address Detection slows the ipv6 setup down for 1-2 seconds.
Since slirp4netns is run it is own namespace and not directly routed
we can skip this to make the ipv6 address immediately available.
We change the default to make sure the slirp tap interface gets the
correct value assigned so DAD is disabled for it.
Also make sure to change this value back to the original after slirp4netns
is ready in case users rely on this sysctl.
Fixes #11062
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |\ \
| | |
| | | |
Fix a few problems in 'podman logs --tail' with journald driver
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The following problems regarding `logs --tail` with the journald log
driver are fixed:
- One more line than a specified value is displayed.
- '--tail 0' displays all lines while the other log drivers displays
nothing.
- Partial lines are not considered.
- If the journald events backend is used and a container has exited,
nothing is displayed.
Integration tests that should have detected the bugs are also fixed. The
tests are executed with json-file log driver three times without this
fix.
Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
|
| |\ \ \
| | | |
| | | | |
Allow 'container restore' with '--ipc host'
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Trying to restore a container that was started with '--ipc host' fails
with:
Error: error creating container storage: ProcessLabel and Mountlabel must either not be specified or both specified
We already fixed this exact same error message for containers started
with '--privileged'. The previous fix was to check if the to be restored
container is a privileged container (c.config.Privileged). Unfortunately
this does not work for containers started with '--ipc host'.
This commit changes the check for a privileged container to check if
both the ProcessLabel and the MountLabel is actually set and only then
re-uses those labels.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
| | |_|/
|/| |
| | |
| | |
| | |
| | |
| | | |
Setting these environment variables can cause issues with custom CNI
plugins, see #12083.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| | |
This will change mount of /dev within container to noexec, making
containers slightly more secure.
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
LGTM alert:
Off-by-one index comparison against length may lead to out-of-bounds read.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
|
| | |
| |
| |
| | |
Signed-off-by: Stefan Weil <sw@weilnetz.de>
|
| |\ \
| | |
| | | |
Allow API to specify size and inode quota
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Fixes: https://github.com/containers/podman/issues/11016
[NO NEW TESTS NEEDED] We have no easy way to tests this in
CI/CD systems. Requires quota to be setup on directories to work.
Fixes: https://github.com/containers/podman/issues/11016
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \
| |_|/
|/| | |
Generate Kube should not print default structs
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If podman uses Workdir="/" or the workdir specified in the image, it
should not add it to the yaml.
If Podman find environment variables in the image, they should not
get added to the yaml.
If the container or pod do not have changes to SELinux we should not
print seLinuxOpt{}
If the container or pod do not change any dns options the yaml should
not have a dnsOption={}
If the container is not privileged it should not have privileged=false
in the yaml.
Fixes: https://github.com/containers/podman/issues/11995
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If we interrupt pod removal between removing containers and
removing the whole pod, the infra ID was still in the DB, and
most pod operations would try to retrieve the infra container
(and would this fail). Clear the infra ID from the DB just before
we remove all containers to prevent this.
Fixes #12034
[NO NEW TESTS NEEDED] This is a very narrow race and I have no
idea how to repro it.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |\ \
| | |
| | | |
Pod Rm Infra Handling Improvements
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Made changes so that if the pod contains all exited containers and only infra is running, remove the pod.
resolves #11713
Signed-off-by: cdoern <cdoern@redhat.com>
|
| |\ \ \
| | | |
| | | | |
Use exponential backoff when waiting for a journal entry
|
| | | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When looking for a cursor that matches the first journal entry for a
given container, wait and try to find it using exponential backoff.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| | |
external rootfs
Allow chainging ownership of mountpoint created on top external overlay
rootfs to support use-cases when custom --uidmap and --gidmap are
specified.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
|
| |\ \
| | |
| | | |
We should only be relabeling when on first run
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
On the second runs, the labels should be the same so no
need to relabel.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2013548
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |/ /
| |
| |
| |
| |
| |
| |
| | |
Following commit ensures not dandling mounts are left behind when we are
creating an overlay on top of external rootfs.
Co-authored-by: Valentin Rothberg <rothberg@redhat.com>
Signed-off-by: Aditya Rajan <arajan@redhat.com>
|
| |\ \
| | |
| | | |
Set targetPort to the port value in the kube yaml
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When the targetPort is not defined, it is supposed to
be set to the port value according to the k8s docs.
Add tests for targetPort.
Update tests to be able to check the Service yaml that
is generated.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
|
| |\ \ \
| | | |
| | | | |
Don't include ctr.log if not using file logging
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Checkpoint is blowing up when you use --log-driver=none
[NO NEW TESTS NEEDED] No way currently to test checkpoint restore.
Fixes: https://github.com/containers/podman/issues/11974
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As the default protocol in k8s is TCP, don't add it
to the generate yaml when using protocol.
Add UDP to the protocol of the generated yaml when udp
is being used.
Add tests for this as well.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
|
| | |
| |
| |
| |
| |
| | |
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If no entrypoint or command is set in the podman create
command, and the image command or entrypoint is being
used as the default, then do not add the image command or
entrypoint to the generated kube yaml.
Kubernetes knows to default to the image command and/or
entrypoint settings when not defined in the kube yaml.
Add and modify tests for this case.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
|
| |\ \
| | |
| | | |
Kube Gen run as user/group issues
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Removed the inclusion of RunAsUser or RunAsGroup unless a container is run with the --user flag. When building from an image
the user will be pulled from there anyway
resolves #11914
Signed-off-by: cdoern <cdoern@redhat.com>
|
| |\ \ \
| | | |
| | | | |
CNI: fix network create --ip-range
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The --ip-range option did not work correctly. The endIP was accidentally
assigned to the start IP. New tests are added to make sure it works.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |\ \ \ \
| | | | |
| | | | | |
codespell code
|
| | |/ / /
| | | |
| | | |
| | | | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \ \
| | | | |
| | | | | |
rootlessport: reduce memory usage of the process
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Don't use reexec for the rootlessport process, instead make it a
separate binary to reduce the memory usage. The problem with reexec is
that it will import all packages that podman uses and therefore loads a
lot of stuff into the heap. The rootlessport process however only needs
the rootlesskit library.
The memory usage is a concern since the rootlessport process will spawn
two process per container which has ports forwarded. The processes stay
until the container dies. On my laptop the current reexec version uses
47800 KB RSS. The new separate binary only uses 4540 KB RSS. This is
more than a 90% improvement.
The Makefile has been updated to compile the new binary and install it
to the libexec directory.
Fixes #10790
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |\ \ \ \
| |/ / /
|/| | | |
No space in kube annotations for bind mounts
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Kubernetes fails to deal with an annotation that has a space in it.
Trim these strings to remove spaces.
Fixes: #11929
Signed-off-by: Brent Baude <bbaude@redhat.com>
[NO TESTS NEEDED]
|
| |\ \ \
| | | |
| | | | |
Remove a volume with --force if container is running
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Currently we are not passing the force flag down to the removal of
the running container. If the container is running, and we set
--force when removing the volume, the container should be stopped.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Increase timeout for tests to 10s
* To aid in debugging add PID to shutdown package logging
* Added new message for forced service shutdown
* Always wait for HTTP server to shutdown, duration of 0 not friendly
to clients
Note: The log event
"IdleTracker: StateClosed transition by connection marked un-managed"
denotes a TCP connection has been initiated but no HTTP request was sent.
And is expected during these tests.
Fixes #11921
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
| |\ \
| | |
| | | |
Enable /debug/pprof API service endpoints
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Refactor sidecar HTTP service for /debug/pprof endpoints to use a TCP
address given via new podman system service --pprof-address flag
* Allow same URL parsing in "system service" as bindings/connection.go
* Refactor NewServerWithSettings() to use entities.ServiceOptions
in place of deleted server.Options
* Updated godoc for impacted functions and types
* Fixed API service Shutdown() to do an orderly shutdown when
terminated and running with --time=0
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
| |\ \ \
| | | |
| | | | |
Warn if podman stop timeout expires that sigkill was sent
|
