summaryrefslogtreecommitdiff
path: root/pkg/domain
Commit message (Collapse)AuthorAge
* pods: move code to a new functionGiuseppe Scrivano2022-06-28
| | | | | | it is a preparatory change for the next commit. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* libpod: fix wait and exit-code logicValentin Rothberg2022-06-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit addresses three intertwined bugs to fix an issue when using Gitlab runner on Podman. The three bug fixes are not split into separate commits as tests won't pass otherwise; avoidable noise when bisecting future issues. 1) Podman conflated states: even when asking to wait for the `exited` state, Podman returned as soon as a container transitioned to `stopped`. The issues surfaced in Gitlab tests to fail [1] as `conmon`'s buffers have not (yet) been emptied when attaching to a container right after a wait. The race window was extremely narrow, and I only managed to reproduce with the Gitlab runner [1] unit tests. 2) The clearer separation between `exited` and `stopped` revealed a race condition predating the changes. If a container is configured for autoremoval (e.g., via `run --rm`), the "run" process competes with the "cleanup" process running in the background. The window of the race condition was sufficiently large that the "cleanup" process has already removed the container and storage before the "run" process could read the exit code and hence waited indefinitely. Address the exit-code race condition by recording exit codes in the main libpod database. Exit codes can now be read from a database. When waiting for a container to exit, Podman first waits for the container to transition to `exited` and will then query the database for its exit code. Outdated exit codes are pruned during cleanup (i.e., non-performance critical) and when refreshing the database after a reboot. An exit code is considered outdated when it is older than 5 minutes. While the race condition predates this change, the waiting process has apparently always been fast enough in catching the exit code due to issue 1): `exited` and `stopped` were conflated. The waiting process hence caught the exit code after the container transitioned to `stopped` but before it `exited` and got removed. 3) With 1) and 2), Podman is now waiting for a container to properly transition to the `exited` state. Some tests did not pass after 1) and 2) which revealed the third bug: `conmon` was executed with its working directory pointing to the OCI runtime bundle of the container. The changed working directory broke resolving relative paths in the "cleanup" process. The "cleanup" process error'ed before actually cleaning up the container and waiting "main" process ran indefinitely - or until hitting a timeout. Fix the issue by executing `conmon` with the same working directory as Podman. Note that fixing 3) *may* address a number of issues we have seen in the past where for *some* reason cleanup processes did not fire. [1] https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27119#note_970712864 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com> [MH: Minor reword of commit message] Signed-off-by: Matthew Heon <mheon@redhat.com>
* Fix spelling "setup" -> "set up" and similarErik Sjölund2022-06-22
| | | | | | | | | | * Replace "setup", "lookup", "cleanup", "backup" with "set up", "look up", "clean up", "back up" when used as verbs. Replace also variations of those. * Improve language in a few places. Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
* Merge pull request #14642 from rhatdan/VENDORopenshift-ci[bot]2022-06-21
|\ | | | | Update to use gopkg.in/yaml.v3
| * Update to use gopkg.in/yaml.v3Daniel J Walsh2022-06-17
| | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #14643 from clobrano/feature/network/list/dangling/devopenshift-ci[bot]2022-06-21
|\ \ | | | | | | allow filter networks by dangling status
| * | allow filter networks by dangling statusCarlo Lobrano2022-06-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | add the ability to filter networks by their dangling status via: `network ls --filter dangling=true/false` Fixes: #14595 Signed-off-by: Carlo Lobrano <c.lobrano@gmail.com>
* | | rootless: attempt to join all specified pathsGiuseppe Scrivano2022-06-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when there are multiple paths specified, attempt to join them all before returning an error. Previously we were failing on the first pid found. [NO NEW TESTS NEEDED] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #14556 from sstosh/system-prune-networkopenshift-ci[bot]2022-06-20
|\ \ \ | |_|/ |/| | podman system prune support prune unused networks
| * | podman system prune support prune unused networksToshiki Sonoda2022-06-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is an enhancement for the podman system prune feature. In this issue, it is mentioned that 'network prune' should be wired into 'podman system prune' https://github.com/containers/podman/issues/8673 Therefore, I add the function to remove unused networks. Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
* | | linter fix from #14299cdoern2022-06-16
| | | | | | | | | | | | | | | | | | | | | [NO NEW TESTS NEEDED] podman pod clone somehow snuck by the new linter code that went in while it was in flight fix that here Signed-off-by: cdoern <cdoern@redhat.com>
* | | Merge pull request #14299 from cdoern/podCloneopenshift-ci[bot]2022-06-16
|\ \ \ | | | | | | | | implement podman pod clone
| * | | podman pod clonecdoern2022-06-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | implement podman pod clone, a command to create an exact copy of a pod while changing certain config elements current supported flags are: --name change the pod name --destroy remove the original pod --start run the new pod on creation and all infra-container related flags from podman pod create (namespaces etc) resolves #12843 Signed-off-by: cdoern <cdoern@redhat.com>
* | | | golangci-lint: enable nolintlintPaul Holzinger2022-06-14
| |_|/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | The nolintlint linter does not deny the use of `//nolint` Instead it allows us to enforce a common nolint style: - force that a linter name must be specified - do not add a space between `//` and `nolint` - make sure nolint is only used when there is actually a problem Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #14560 from rhatdan/remoteOpenShift Merge Robot2022-06-13
|\ \ \ | |_|/ |/| | podman-remote push --remove-signatures support
| * | podman-remote push --remove-signatures supportDaniel J Walsh2022-06-10
| |/ | | | | | | | | | | | | | | | | I don't see a reason why we don't support --remove-signatures from remote push, so adding support. Fixes: https://github.com/containers/podman/issues/14558 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / podman cp: do not overwrite non-dirs with dirs and vice versaValentin Rothberg2022-06-10
|/ | | | | | | | | | Add a new `--overwrite` flag to `podman cp` to allow for overwriting in case existing users depend on the behavior; they will have a workaround. By default, the flag is turned off to be compatible with Docker and to have a more sane behavior. Fixes: #14420 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Pass '--file-locks' to OCI runtime at restoringHironori Shiina2022-06-09
| | | | | | | | `podman container restore --file-locks` does not restore file locks because this option is not passed to OCI runtime. This patch fixes this issue. Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
* Merge pull request #14466 from mheon/fix_9075OpenShift Merge Robot2022-06-03
|\ | | | | Improve robustness of `podman system reset`
| * Improve robustness of `podman system reset`Matthew Heon2022-06-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Firstly, reset is now managed by the runtime itself as a part of initialization. This ensures that it can be used even with runtimes that would otherwise fail to be created - most notably, when the user has changed a core path (runroot/root/tmpdir/staticdir). Secondly, we now attempt a best-effort removal even if the store completely fails to be configured. Third, we now hold the alive lock for the entire reset operation. This ensures that no other Podman process can start while we are running a system reset, and removes any possibility of a race where a user tries to create containers or pull images while we are trying to perform a reset. [NO NEW TESTS NEEDED] we do not test reset last I checked. Fixes #9075 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | fix bad import path for cmd/podman/utilsPaul Holzinger2022-05-30
|/ | | | | | | | | Libpod or packages under /pkg should never import from /cmd/... This will quickly result in import cycles and weird code paths. Also there is no reason to use this special code we can just use syscall.SIGHUB as SIGNAL. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Add API support for NoOverwriteDirNonDirJhon Honce2022-05-26
| | | | | | | | | | | | Update method signatures and structs to pass option to buildah code ```release-note NONE ``` [NO NEW TESTS NEEDED] Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Remove unused archive flag from diff commandsJhon Honce2022-05-25
| | | | | | | | | | | | | * Option left in images/diff.go CLI as comment implies it is needed for backwards compatibility. ```release-note NONE ``` [NO NEW TESTS NEEDED] Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Merge pull request #14327 from rhatdan/commonOpenShift Merge Robot2022-05-24
|\ | | | | Use containers/common/pkg/util.StringToSlice
| * Use containers/common/pkg/util.StringToSliceDaniel J Walsh2022-05-23
| | | | | | | | | | | | [NO NEW TESTS NEEDED] Just code cleanup for better reuse Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | go format previosly touched filesValentin Rothberg2022-05-24
| | | | | | | | Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | pkg/domain/infra/abi/images_test.go: remove commented codeValentin Rothberg2022-05-24
| | | | | | | | Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | image list: remove unused ConfigDigestValentin Rothberg2022-05-24
| | | | | | | | | | | | | | | | | | Remove the `ConfigDigest` field from `entities.ImageSummary` which has never been populated (or documented) until now. Unless there is a specific request or need to support it, remove the TODO that was added during the libimage migration. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | podman image mount: print pretty tableValentin Rothberg2022-05-24
|/ | | | | | | | | Make sure that `podman image mount` prints a pretty table unless there is only argument passed and without a custom format. Fixing a TODO item brought me to the specific code location and revealed the fart in the logic. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Swagger refactor/cleanupJhon Honce2022-05-19
| | | | | | | | | | | | | | | | | | * Remove duplicate or unused types and constants * Move all documetation-only models and responses into swagger package * Remove all unecessary names, go-swagger will determine names from struct declarations * Use Libpod suffix to differentiate between compat and libpod models and responses. Taken from swagger:operation declarations. * Models and responses that start with lowercase are for swagger use only while uppercase are used "as is" in the code and swagger comments * Used gofumpt on new code ```release-note ``` Signed-off-by: Jhon Honce <jhonce@redhat.com>
* linter: enable unconvert linterValentin Rothberg2022-05-19
| | | | | | | Detects unneccessary type conversions and helps in keeping the code base cleaner. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* k8systemd: run k8s workloads in systemdValentin Rothberg2022-05-17
| | | | | | | | | | | | | | | | | | | | Support running `podman play kube` in systemd by exploiting the previously added "service containers". During `play kube`, a service container is started before all the pods and containers, and is stopped last. The service container communicates its conmon PID via sdnotify. Add a new systemd template to dispatch such k8s workloads. The argument of the template is the path to the k8s file. Note that the path must be escaped for systemd not to bark: Let's assume we have a `top.yaml` file in the home directory: ``` $ escaped=$(systemd-escape ~/top.yaml) $ systemctl --user start podman-play-kube@$escaped.service ``` Closes: https://issues.redhat.com/browse/RUN-1287 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* play kube: service containerValentin Rothberg2022-05-12
| | | | | | | | | | | | | | | | | | | | Add the notion of a "service container" to play kube. A service container is started before the pods in play kube and is (reverse) linked to them. The service container is stopped/removed *after* all pods it is associated with are stopped/removed. In other words, a service container tracks the entire life cycle of a service started via `podman play kube`. This is required to enable `play kube` in a systemd unit file. The service container is only used when the `--service-container` flag is set on the CLI. This flag has been marked as hidden as it is not meant to be used outside the context of `play kube`. It is further not supported on the remote client. The wiring with systemd will be done in a later commit. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* kube: add support for --userns=Giuseppe Scrivano2022-05-10
| | | | | | | | add support to override the user namespace to use for the pod. Closes: https://github.com/containers/podman/issues/7504 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* kube: honor pod security context IDsGiuseppe Scrivano2022-05-10
| | | | | | | | If the RunAsUser, RunAsGroup, SupplementalGroups settings are not overriden in the container security context, then take the value from the pod security context. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #14059 from cdoern/cloneOpenShift Merge Robot2022-05-05
|\ | | | | pass networks to container clone
| * pass networks to container clonecdoern2022-05-03
| | | | | | | | | | | | | | | | | | since the network config is a string map, json.unmarshal does not recognize the config and spec as the same entity, need to map this option manually resolves #13713 Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* | Merge pull request #14037 from rhatdan/remoteuriOpenShift Merge Robot2022-05-04
|\ \ | | | | | | Report correct RemoteURI
| * | Report correct RemoteURIDaniel J Walsh2022-05-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rather than assuming a filesystem path, the API service URI is recorded in the libpod runtime configuration and then reported as requested. Note: All schemes other than "unix" are hard-coded to report URI exists. Fixes #12023 Signed-off-by: Jhon Honce <jhonce@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Add more unit testsBrent Baude2022-05-04
|/ / | | | | | | | | | | Improve "code coverage" with more unit-tests. Signed-off-by: Brent Baude <bbaude@redhat.com>
* | pod: add exit policiesValentin Rothberg2022-05-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add the notion of an "exit policy" to a pod. This policy controls the behaviour when the last container of pod exits. Initially, there are two policies: - "continue" : the pod continues running. This is the default policy when creating a pod. - "stop" : stop the pod when the last container exits. This is the default behaviour for `play kube`. In order to implement the deferred stop of a pod, add a worker queue to the libpod runtime. The queue will pick up work items and in this case helps resolve dead locks that would otherwise occur if we attempted to stop a pod during container cleanup. Note that the default restart policy of `play kube` is "Always". Hence, in order to really solve #13464, the YAML files must set a custom restart policy; the tests use "OnFailure". Fixes: #13464 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | enable errcheck linterPaul Holzinger2022-04-29
|/ | | | | | | | The errcheck linter makes sure that errors are always check and not ignored by accident. It spotted a lot of unchecked errors, mostly in the tests but also some real problem in the code. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* volume: add new option -o o=noquotaGiuseppe Scrivano2022-04-28
| | | | | | | | | | | | | | | | | add a new option to completely disable xfs quota usage for a volume. xfs quota set on a volume, even just for tracking disk usage, can cause weird errors if the volume is later re-used by a container with a different quota projid. More specifically, link(2) and rename(2) might fail with EXDEV if the source file has a projid that is different from the parent directory. To prevent such kind of issues, the volume should be created beforehand with `podman volume create -o o=noquota $ID` Closes: https://github.com/containers/podman/issues/14049 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #14023 from rhatdan/kubeOpenShift Merge Robot2022-04-27
|\ | | | | Truncate annotations when generating kubernetes yaml files
| * Truncate annotations when generating kubernetes yaml filesDaniel J Walsh2022-04-27
| | | | | | | | | | | | | | | | | | | | | | | | Kubernetes only allows 63 characters in an annotation. Make sure that we only add 63 or less charaters when generating kube. Warn if containers or pods have longer length and truncate. Discussion: https://github.com/containers/podman/discussions/13901 Fixes: https://github.com/containers/podman/issues/13962 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | play kube respect hostNetworkPaul Holzinger2022-04-27
| | | | | | | | | | | | | | | | | | | | | | We need to use the host network when it is set in the config and --network was not used. This regression was added in 3e9af2029f1f. Fixes #14015 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | play kube: do not skip containers by namePaul Holzinger2022-04-26
| | | | | | | | | | | | | | | | We should not exclude contianers by name. If a users has a container with the name "inf" it is currently skipped. This is wrong. The k8s yaml does not contain infra containers so we do not have to skip them. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | enable gocritic linterPaul Holzinger2022-04-26
|/ | | | | | | | | | | | | | | | | | | | | | The linter ensures a common code style. - use switch/case instead of else if - use if instead of switch/case for single case statement - add space between comment and text - detect the use of defer with os.Exit() - use short form var += "..." instead of var = var + "..." - detect problems with append() ``` newSlice := append(orgSlice, val) ``` This could lead to nasty bugs because the orgSlice will be changed in place if it has enough capacity too hold the new elements. Thus we newSlice might not be a copy. Of course most of the changes are just cosmetic and do not cause any logic errors but I think it is a good idea to enforce a common style. This should help maintainability. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #13978 from Luap99/unparamOpenShift Merge Robot2022-04-25
|\ | | | | enable unparam linter
| * enable unparam linterPaul Holzinger2022-04-25
| | | | | | | | | | | | | | The unparam linter is useful to detect unused function parameters and return values. Signed-off-by: Paul Holzinger <pholzing@redhat.com>