path: root/libpod
* Merge pull request #15757 from mheon/fix_15526 (OpenShift Merge Robot, 2022-09-15)

  Introduce graph-based pod container removal
  * Introduce graph-based pod container removal (Matthew Heon, 2022-09-14)

    Originally, during pod removal, we locked every container in the pod at once, did a number of validity checks to ensure everything was safe, and then removed all the containers in the pod.

    A deadlock was recently discovered with this approach. In brief, we cannot lock the entire pod (or much more than a single container at a time) without causing a deadlock. As such, we converted to an approach where we just looped over each container in the pod, removing them individually. Unfortunately, this removed a lot of the validity checking of the earlier approach, allowing for a lot of unintended bad things. Infra containers could be removed while containers in the pod still depended on them, for example.

    There's no easy way to do validity checks while in a simple loop, so I implemented a version of our graph-traversal logic that currently handles pod start. This version acts in the reverse order of startup: startup starts from containers which depend on nothing and moves outwards, while removal acts on containers which have nothing depending on them and moves inwards. By doing graph traversal, we can guarantee that nothing is removed while something that depends on it still exists - so the infra container should be the last thing in a pod that is removed, for example.

    In the (unlikely) case that a graph of the pod's containers cannot be built (most likely impossible without database editing) the old method of pod removal has been retained to ensure that even misbehaving pods can be forcibly evicted from the state.

    I'm fairly confident that this resolves the problem, but there are a lot of assumptions around dependency structure built into the original pod removal code and I am not 100% sure I have captured all of them.

    Fixes #15526

    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* libpod: Make getContainerInspectData work on FreeBSD (Doug Rabson, 2022-09-15)

  This makes setting EffectiveCaps and BoundingCaps conditional on whether the capabilities field in the spec is non-nil. This allows 'podman inspect' to work on FreeBSD.

  [NO NEW TESTS NEEDED]

  Signed-off-by: Doug Rabson <dfr@rabson.org>
* libpod: Factor out platform-specific code from generateInspectContainerHostConfig (Doug Rabson, 2022-09-15)

  [NO NEW TESTS NEEDED]

  Signed-off-by: Doug Rabson <dfr@rabson.org>
* Merge pull request #15799 from mheon/fix_2126697 (OpenShift Merge Robot, 2022-09-14)

  Ensure that a broken OCI spec does not break inspect
  * Ensure that a broken OCI spec does not break inspect (Matthew Heon, 2022-09-14)

    The process of saving the OCI spec is not particularly reboot-safe. Normally, this doesn't matter, because we recreate the spec every time a container starts, but if one was to reboot (or SIGKILL, or otherwise fatally interrupt) Podman in the middle of writing the spec to disk, we can end up with a malformed spec that sticks around until the container is next started.

    Some Podman commands want to read the latest version of the spec off disk (to get information only populated after a container is started), and will break in the case that a partially populated spec is present. Swap to just ignoring these errors (with a logged warning, to let folks know something went wrong) so we don't break important commands like `podman inspect` in these cases.

    [NO NEW TESTS NEEDED] Provided reproducer involves repeatedly rebooting the system

    Signed-off-by: Matthew Heon <mheon@redhat.com>
* libpod: fix lookup for subpath in volumes (Giuseppe Scrivano, 2022-09-14)

  A subdirectory that is below a mount destination is detected as a subpath.

  Closes: https://github.com/containers/podman/issues/15789

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* libpod: rename function (Giuseppe Scrivano, 2022-09-14)

  The function checks if a path is under any mount, not just bind mounts.

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #15788 from kolyshkin/non-crypto-id (OpenShift Merge Robot, 2022-09-14)

  all: stop using deprecated GenerateNonCryptoID
  * all: stop using deprecated GenerateNonCryptoID (Kir Kolyshkin, 2022-09-13)

    In view of https://github.com/containers/storage/pull/1337, do this:

    ```
    for f in $(git grep -l stringid.GenerateNonCryptoID | grep -v '^vendor/'); do sed -i 's/stringid.GenerateNonCryptoID/stringid.GenerateRandomID/g' $f; done
    ```

    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
* libpod: Add support for 'podman stats' on FreeBSD (Doug Rabson, 2022-09-14)

  [NO NEW TESTS NEEDED]

  Signed-off-by: Doug Rabson <dfr@rabson.org>

* libpod: Split out the common code from GetContainerStats (Doug Rabson, 2022-09-14)

  This moves the cgroups code to a new method getPlatformContainerStats.

  [NO NEW TESTS NEEDED]

  Signed-off-by: Doug Rabson <dfr@rabson.org>

* libpod: Move stats.go to stats_linux.go for consistency (Doug Rabson, 2022-09-14)

  [NO NEW TESTS NEEDED]

  Signed-off-by: Doug Rabson <dfr@rabson.org>
* Merge pull request #15752 from vrothberg/fix-15691 (OpenShift Merge Robot, 2022-09-13)

  health checks: restart timers
  * health checks: restart timers (Valentin Rothberg, 2022-09-13)

    Restart the health-check timers instead of starting them. This will suppress annoying errors stating that an already running timer cannot be started anymore.

    Also make sure that the transient units/timers are stopped and removed when stopping a container.

    Fixes: #15691

    Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* events: Fix spelling of newNullEventer (Doug Rabson, 2022-09-13)

  This function changed from public to private which broke the FreeBSD build. Sadly, adding FreeBSD to the cross build isn't currently possible since github.com/godbus/dbus relies on cgo on FreeBSD. I've tried to fix this upstream but my PR is going nowhere - I think this dependency is only needed for systemd which isn't a thing on FreeBSD so it might be possible to work around the problem in libpod by making the systemd code conditional on linux.

  [NO NEW TESTS NEEDED]

  Signed-off-by: Doug Rabson <dfr@rabson.org>
* Merge pull request #15749 from dfr/freebsd-networking (OpenShift Merge Robot, 2022-09-12)

  Add support for networking on FreeBSD
  * libpod: Move ocicniPortsToNetTypesPorts and compareOCICNIPorts to networking_common.go (Doug Rabson, 2022-09-12)

    [NO NEW TESTS NEEDED]

    Signed-off-by: Doug Rabson <dfr@rabson.org>
  * libpod: Move NetworkDisconnect and NetworkConnect to networking_common.go (Doug Rabson, 2022-09-12)

    This also moves Runtime methods ConnectContainerToNetwork and DisconnectContainerFromNetwork as well as support functions getFreeInterfaceName and normalizeNetworkName.

    [NO NEW TESTS NEEDED]

    Signed-off-by: Doug Rabson <dfr@rabson.org>

    libpod: Move (Connect|Disconnect)Container(To|From)Network and normalizeNetworkName to networking_common.go

    [NO NEW TESTS NEEDED]

    Signed-off-by: Doug Rabson <dfr@rabson.org>
  * libpod: Move resultToBasicNetworkConfig to networking_common.go (Doug Rabson, 2022-09-12)

    [NO NEW TESTS NEEDED]

    Signed-off-by: Doug Rabson <dfr@rabson.org>

  * libpod: Add support for getContainerNetworkInfo on FreeBSD (Doug Rabson, 2022-09-12)

    [NO NEW TESTS NEEDED]

    Signed-off-by: Doug Rabson <dfr@rabson.org>

  * libpod: Move getContainerNetworkInfo to networking_common.go (Doug Rabson, 2022-09-12)

    [NO NEW TESTS NEEDED]

    Signed-off-by: Doug Rabson <dfr@rabson.org>

  * libpod: Move isBridgeNetMode and reloadContainerNetwork to networking_common.go (Doug Rabson, 2022-09-12)

    [NO NEW TESTS NEEDED]

    Signed-off-by: Doug Rabson <dfr@rabson.org>

  * libpod: Move teardownNetwork and teardownCNI to networking_common.go (Doug Rabson, 2022-09-12)

    [NO NEW TESTS NEEDED]

    Signed-off-by: Doug Rabson <dfr@rabson.org>

  * libpod: Move setUpNetwork and getCNIPodName to networking_common.go (Doug Rabson, 2022-09-12)

    [NO NEW TESTS NEEDED]

    Signed-off-by: Doug Rabson <dfr@rabson.org>

  * libpod: Move convertPortMappings and getNetworkOptions to networking_common.go (Doug Rabson, 2022-09-12)

    [NO NEW TESTS NEEDED]

    Signed-off-by: Doug Rabson <dfr@rabson.org>
  * libpod: Add FreeBSD implementation of container networking (Doug Rabson, 2022-09-12)

    This uses a jail to manage the container's network. Container jails for all containers in a pod are nested within this and share the network resources.

    There is some code in networking_freebsd.go which is common with networking_linux.go. Subsequent commits will move the shared code to networking_common.go to reduce this duplication.

    [NO NEW TESTS NEEDED]

    Signed-off-by: Doug Rabson <dfr@rabson.org>

  * libpod: Re-work the container's network state to help code sharing (Doug Rabson, 2022-09-12)

    This replaces the NetworkJail string field with a struct pointer named NetNS. This does not try to emulate the complete NetNS interface but does help to re-use code that just refers to c.state.NetNS.

    [NO NEW TESTS NEEDED]

    Signed-off-by: Doug Rabson <dfr@rabson.org>

  * libpod: Move platform-specific bind mounts to a per-platform method (Doug Rabson, 2022-09-12)

    This adds a new per-platform method makePlatformBindMounts and moves the /etc/hostname mount. This file is only needed on Linux.

    [NO NEW TESTS NEEDED]

    Signed-off-by: Doug Rabson <dfr@rabson.org>

  * libpod: Avoid a nil dereference when generating resolv.conf on FreeBSD (Doug Rabson, 2022-09-12)

    The code which generates resolv.conf dereferenced c.config.Spec.Linux and this field is not set for FreeBSD containers.

    [NO NEW TESTS NEEDED]

    Signed-off-by: Doug Rabson <dfr@rabson.org>
* set default EventsLogFilePath on first run (Paul Holzinger, 2022-09-12)

  The current code only sets EventsLogFilePath when the tmp is overwritten from the db. We should always set the default when no path was set in containers.conf.

  Signed-off-by: Paul Holzinger <pholzing@redhat.com>

* libpod: runtime newEventer() cleanup (Paul Holzinger, 2022-09-12)

  There is no reason to create a new eventer every time. The libpod runtime already has one attached which should be used instead.

  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* event backend journald: fix problem with empty journal (Paul Holzinger, 2022-09-12)

  Currently podman events will just fail with `Error: failed to get journal cursor: failed to get cursor: cannot assign requested address` when the journal contains zero podman events.

  The problem is that we are using the journal accessors wrong. There is no need to call GetCursor() and compare them manually. Next() returns an integer which tells if it moved to the next entry or not. This means that we can remove GetCursor() which would fail when there is no entry.

  This also includes another bug fix. Previously the logic called Next() twice for the first entry which caused us to miss the first entry.

  To reproduce this issue you can run the following commands:

  ```
  sudo journalctl --rotate
  sudo journalctl --vacuum-time=1s
  ```

  Note that this will delete the full journal. Now run podman events and it fails but with this patch it works. Now generate a single event, i.e. podman pull alpine, and run podman events --until 1s.

  I am not sure how to get a reliable test into CI, I really do not want to delete the journal on developer or CI systems.

  Fixes second part of #15688

  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* event backend none: return an error when reading events (Paul Holzinger, 2022-09-12)

  podman --events-backend none events should return with an error since it will never be able to actually list events.

  Fixes part three of #15688

  Signed-off-by: Paul Holzinger <pholzing@redhat.com>

* fix hang with podman events file logger (Paul Holzinger, 2022-09-12)

  podman --events-backend file events --stream=false should never hang. The problem is that our tail library will wait for the file to be created which makes sense when we do not run with --stream=false. To fix this we can just always create the file when the logger is initialized. This would also help to report errors early on in case the file is not accessible.

  Fixes part one from #15688

  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #15511 from rhatdan/codespell (OpenShift Merge Robot, 2022-09-12)

  Fix stutters

  * Fix stutters (Daniel J Walsh, 2022-09-10)

    Podman adds an Error: to every error message. So starting an error message with "error" ends up being reported to the user as Error: error ...

    This patch removes the stutter.

    Also ioutil.ReadFile errors report the Path, so wrapping the err message with the path causes a stutter.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Merge pull request #15737 from Juneezee/refactor/os.ReadDir (OpenShift Merge Robot, 2022-09-12)

  refactor: use `os.ReadDir` for lightweight directory reading

  * refactor: use `os.ReadDir` for lightweight directory reading (Eng Zer Jun, 2022-09-11)

    `os.ReadDir` was added in Go 1.16 as part of the deprecation of `ioutil` package. It is a more efficient implementation than `ioutil.ReadDir`.

    Reference: https://pkg.go.dev/io/ioutil#ReadDir

    Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
* Merge pull request #15734 from KenMacD/add-path (OpenShift Merge Robot, 2022-09-12)

  Include PATH in conmon env.

  * Include more environment variables in conmon env. (Kenny MacDermid, 2022-09-11)

    Include the path and helper binary dir so that the podman environment more closely matches when conmon calls it as an exit command.

    Also match the CONTAINERS_CONF lookup to the code style of other environment lookups.

    [NO NEW TESTS NEEDED]

    Resolves #15707

    Signed-off-by: Kenny MacDermid <kenny@macdermid.ca>
* Merge pull request #15716 from vrothberg/fix-15661 (OpenShift Merge Robot, 2022-09-09)

  stop: fix error handling

  * stop: fix error handling (Valentin Rothberg, 2022-09-09)

    Fix the error handling in the fallback logic of `stop` when Podman resorts to killing a container; the error message wrapped the wrong error.

    [NO NEW TESTS NEEDED] as it is a rare flake in the tests and I do not know how to reliably reproduce it.

    Fixes: #15661

    Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Merge pull request #15687 from vrothberg/RUN-1639 (OpenShift Merge Robot, 2022-09-09)

  health check: add on-failure actions

  * health check: add on-failure actions (Valentin Rothberg, 2022-09-09)

    For systems that have extreme robustness requirements (edge devices, particularly those in difficult-to-access environments), it is important that applications continue running in all circumstances. When the application fails, Podman must restart it automatically to provide this robustness. Otherwise, these devices may require customer IT to physically gain access to restart, which can be prohibitively difficult.

    Add a new `--on-failure` flag that supports four actions:

    - **none**: Take no action.
    - **kill**: Kill the container.
    - **restart**: Restart the container. Do not combine the `restart` action with the `--restart` flag. When running inside of a systemd unit, consider using the `kill` or `stop` action instead to make use of systemd's restart policy.
    - **stop**: Stop the container.

    To remain backwards compatible, **none** is the default action.

    Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* generate, kube: plug HostUsers (Giuseppe Scrivano, 2022-09-08)

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Merge pull request #15607 from fpoirotte/main (OpenShift Merge Robot, 2022-09-08)

  Fix #15243 Set AutomountServiceAccountToken to false

  * Fix #15243 Set AutomountServiceAccountToken to false (François Poirotte, 2022-09-04)

    podman does not use any service account token, so we set the automount flag to false in podman generate kube.

    Signed-off-by: François Poirotte <clicky@erebot.net>
* Merge pull request #15668 from giuseppe/skip-sys-fs-cgroup-systemd-if-missing (OpenShift Merge Robot, 2022-09-07)

  podman: skip /sys/fs/cgroup/systemd if not present

  * podman: skip /sys/fs/cgroup/systemd if not present (Giuseppe Scrivano, 2022-09-07)

    skip adding the /sys/fs/cgroup/systemd bind mount if it is not already present on the host.

    [NO NEW TESTS NEEDED] requires a system without systemd.

    Closes: https://github.com/containers/podman/issues/15647

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>