summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Pass on events-backend config to cleanup processesMatthew Heon2019-08-01
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Retrieve exit codes for containers via eventsMatthew Heon2019-07-31
| | | | | | | | As we previously removed our exit code retrieval code to stop a memory leak, we need a new way of doing this. Fortunately, events is able to do the job for us. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* podman: fix memleak caused by renaming and not deletingMatthew Heon2019-07-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the exit file If the container exit code needs to be retained, it cannot be retained in tmpfs, because libpod runs in a memcg itself so it can't leave traces with a daemon-less design. This wasn't a memleak detectable by kmemleak for example. The kernel never lost track of the memory and there was no erroneous refcounting either. The reference count dependencies however are not easy to track because when a refcount is increased, there's no way to tell who's still holding the reference. In this case it was a single page of tmpfs pagecache holding a refcount that kept pinned a whole hierarchy of dying memcg, slab kmem, cgropups, unrechable kernfs nodes and the respective dentries and inodes. Such a problem wouldn't happen if the exit file was stored in a regular filesystem because the pagecache could be reclaimed in such case under memory pressure. The tmpfs page can be swapped out, but that's not enough to release the memcg with CONFIG_MEMCG_SWAP_ENABLED=y. No amount of more aggressive kernel slab shrinking could have solved this. Not even assigning slab kmem of dying cgroups to alive cgroup would fully solve this. The only way to free the memory of a dying cgroup when a struct page still references it, would be to loop over all "struct page" in the kernel to find which one is associated with the dying cgroup which is a O(N) operation (where N is the number of pages and can reach billions). Linking all the tmpfs pages to the memcg would cost less during memcg offlining, but it would waste lots of memory and CPU globally. So this can't be optimized in the kernel. A cronjob running this command can act as workaround and will allow all slab cache to be released, not just the single tmpfs pages. rm -f /run/libpod/exits/* This patch solved the memleak with a reproducer, booting with cgroup.memory=nokmem and with selinux disabled. The reason memcg kmem and selinux were disabled for testing of this fix, is because kmem greatly decreases the kernel effectiveness in reusing partial slab objects. cgroup.memory=nokmem is strongly recommended at least for workstation usage. selinux needs to be further analyzed because it causes further slab allocations. The upstream podman commit used for testing is 1fe2965e4f672674f7b66648e9973a0ed5434bb4 (v1.4.4). The upstream kernel commit used for testing is f16fea666898dbdd7812ce94068c76da3e3fcf1e (v5.2-rc6). Reported-by: Michele Baldessari <michele@redhat.com> Signed-off-by: Andrea Arcangeli <aarcange@redhat.com> <Applied with small tweaks to comments> Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3639 from giuseppe/user-ns-containerOpenShift Merge Robot2019-07-26
|\ | | | | podman: support --userns=ns|container
| * podman: support --userns=ns|containerGiuseppe Scrivano2019-07-25
| | | | | | | | | | | | | | | | allow to join the user namespace of another container. Closes: https://github.com/containers/libpod/issues/3629 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * pods: do not to join a userns if there is not anyGiuseppe Scrivano2019-07-25
| | | | | | | | | | | | | | do not attempt to join the user namespace if the pod is running in the host user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Improved hooks monitoringsamc242019-07-25
|/ | | | | | | | | | | | | ...to work for specific edge cases with a simpler solution. Re-reads hooks directories after any changes are detected by the watchers. Added monitoring test for adding a different invalid hook to primary directory. Some issues with prior code: - ReadDir would stop when it encounters an invalid hook, rather than registering an error but continuing to read the valid hook. - Wouldn’t account for Rename and Chmod events. - After doing a mv of the hooks file instead of rm, it would still think the hooks file is in the directory, but it has been moved to another location. - If a hook file was renamed, it would register the renamed file as a separate hook and not delete the original, so it would then execute the hook twice - once for the renamed file, and once for the original name which it did not delete. Signed-off-by: samc24 <sam.chaturvedi24@gmail.com>
* Merge pull request #3624 from haircommander/conmon-exec-with-remote-execOpenShift Merge Robot2019-07-24
|\ | | | | Add remote exec
| * refactor to reduce duplicated error parsingPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * remove debug printsPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * always send generic error in case io failsPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * only use stdin if specifiedPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * buffer errChanPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * move handleTerminalAttach to generic buildPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * remove unnecessary conversionsPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * add detach keys support for remotePeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * move editing of exitCode to runtimePeter Hunt2019-07-23
| | | | | | | | | | | | | | | | | | There's no way to get the error if we successfully get an exit code (as it's just printed to stderr instead). instead of relying on the error to be passed to podman, and edit based on the error code, process it on the varlink side instead Also move error codes to define package Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * Update e2e tests for remote execPeter Hunt2019-07-23
| | | | | | | | | | | | | | including changing -l to the container id and separating a case of setting the env that remote can't handle Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * Finish up remote exec implementationPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | Re-add int64 casts for ctimeMatthew Heon2019-07-23
|/ | | | | | | | | The variables here are 64-bit on 64-bit builds, so the linter recommends stripping them. Unfortunately, they're 32-bit on 32-bit builds, so stripping them breaks that. Readd with a nolint to convince it to not break. Signed-off-by: Matthew Heon <mheon@redhat.com>
* golangci-lint cleanupbaude2019-07-23
| | | | | | | a PR slipped through without running the new linter. this cleans things up for the master branch. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3621 from baude/golangcilint4OpenShift Merge Robot2019-07-23
|\ | | | | golangci-lint phase 4
| * golangci-lint phase 4baude2019-07-22
| | | | | | | | | | | | | | | | | | | | | | clean up some final linter issues and add a make target for golangci-lint. in addition, begin running the tests are part of the gating tasks in cirrus ci. we cannot fully shift over to the new linter until we fix the image on the openshift side. for short term, we will use both Signed-off-by: baude <bbaude@redhat.com>
* | Implement conmon execPeter Hunt2019-07-22
|/ | | | | | | | | | | | | | | | | | | | | | This includes: Implement exec -i and fix some typos in description of -i docs pass failed runtime status to caller Add resize handling for a terminal connection Customize exec systemd-cgroup slice fix healthcheck fix top add --detach-keys Implement podman-remote exec (jhonce) * Cleanup some orphaned code (jhonce) adapt remote exec for conmon exec (pehunt) Fix healthcheck and exec to match docs Introduce two new OCIRuntime errors to more comprehensively describe situations in which the runtime can error Use these different errors in branching for exit code in healthcheck and exec Set conmon to use new api version Signed-off-by: Jhon Honce <jhonce@redhat.com> Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Merge pull request #3562 from baude/golangcilint3OpenShift Merge Robot2019-07-22
|\ | | | | golangci-lint round #3
| * golangci-lint round #3baude2019-07-21
| | | | | | | | | | | | | | this is the third round of preparing to use the golangci-lint on our code base. Signed-off-by: baude <bbaude@redhat.com>
* | Remove debug messageDaniel J Walsh2019-07-20
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add support for listing read/only and read/write imagesDaniel J Walsh2019-07-19
| | | | | | | When removing --all images prune images only attempt to remove read/write images, ignore read/only images Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #3443 from adrianreber/rootfs-changes-migrationOpenShift Merge Robot2019-07-19
|\ | | | | Include changes to the container's root file-system in the checkpoint archive
| * Add --ignore-rootfs option for checkpoint/restoreAdrian Reber2019-07-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The newly added functionality to include the container's root file-system changes into the checkpoint archive can now be explicitly disabled. Either during checkpoint or during restore. If a container changes a lot of files during its runtime it might be more effective to migrated the root file-system changes in some other way and to not needlessly increase the size of the checkpoint archive. If a checkpoint archive does not contain the root file-system changes information it will automatically be skipped. If the root file-system changes are part of the checkpoint archive it is also possible to tell Podman to ignore these changes. Signed-off-by: Adrian Reber <areber@redhat.com>
| * Include root file-system changes in container migrationAdrian Reber2019-07-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | One of the last limitations when migrating a container using Podman's 'podman container checkpoint --export=/path/to/archive.tar.gz' was that it was necessary to manually handle changes to the container's root file-system. The recommendation was to mount everything as --tmpfs where the root file-system was changed. This extends the checkpoint export functionality to also include all changes to the root file-system in the checkpoint archive. The checkpoint archive now includes a tarstream of the result from 'podman diff'. This tarstream will be applied to the restored container before restoring the container. With this any container can now be migrated, even it there are changes to the root file-system. There was some discussion before implementing this to base the root file-system migration on 'podman commit', but it seemed wrong to do a 'podman commit' before the migration as that would change the parent layer the restored container is referencing. Probably not really a problem, but it would have meant that a migrated container will always reference another storage top layer than it used to reference during initial creation. Signed-off-by: Adrian Reber <areber@redhat.com>
* | Merge pull request #3593 from giuseppe/rootless-privileged-devicesOpenShift Merge Robot2019-07-18
|\ \ | | | | | | rootless: add host devices with --privileged
| * | rootless: add rw devices with --privilegedGiuseppe Scrivano2019-07-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | when --privileged is specified, add all the devices that are usable by the user. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1730773 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #3584 from QiWang19/pssizeOpenShift Merge Robot2019-07-18
|\ \ \ | | | | | | | | podman-remote make --size optional in ps
| * | | podman-remote make --size optional in psQi Wang2019-07-18
| | | | | | | | | | | | | | | | | | | | | | | | Close #3578 Add `size` field to PsOpts in podman remote to receive size as an option. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | Merge pull request #3509 from giuseppe/cgroup-namespaceOpenShift Merge Robot2019-07-18
|\ \ \ \ | | | | | | | | | | libpod: support for cgroup namespace
| * | | | libpod: support for cgroup namespaceGiuseppe Scrivano2019-07-18
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | allow a container to run in a new cgroup namespace. When running in a new cgroup namespace, the current cgroup appears to be the root, so that there is no way for the container to access cgroups outside of its own subtree. By default it uses --cgroup=host to keep the previous behavior. To create a new namespace, --cgroup=private must be provided. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / | | Add DefaultContent API to retrieve apparmor profile contentSascha Grunert2019-07-18
|/ / / | | | | | | | | | | | | | | | | | | | | | The default apparmor profile is not stored on disk which causes confusion when debugging the content of the profile. To solve this, we now add an additional API which returns the profile as byte slice. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* | | Merge pull request #3522 from mheon/nix_the_artifactOpenShift Merge Robot2019-07-18
|\ \ \ | | | | | | | | Move the HostConfig portion of Inspect inside libpod
| * | | Populate inspect with security-opt settingsMatthew Heon2019-07-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We can infer no-new-privileges. For now, manually populate seccomp (can't infer what file we sourced from) and SELinux/Apparmor (hard to tell if they're enabled or not). Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | Move the HostConfig portion of Inspect inside libpodMatthew Heon2019-07-17
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When we first began writing Podman, we ran into a major issue when implementing Inspect. Libpod deliberately does not tie its internal data structures to Docker, and stores most information about containers encoded within the OCI spec. However, Podman must present a CLI compatible with Docker, which means it must expose all the information in 'docker inspect' - most of which is not contained in the OCI spec or libpod's Config struct. Our solution at the time was the create artifact. We JSON'd the complete CreateConfig (a parsed form of the CLI arguments to 'podman run') and stored it with the container, restoring it when we needed to run commands that required the extra info. Over the past month, I've been looking more at Inspect, and refactored large portions of it into Libpod - generating them from what we know about the OCI config and libpod's (now much expanded, versus previously) container configuration. This path comes close to completing the process, moving the last part of inspect into libpod and removing the need for the create artifact. This improves libpod's compatability with non-Podman containers. We no longer require an arbitrarily-formatted JSON blob to be present to run inspect. Fixes: #3500 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #3588 from haircommander/play-kube-commandOpenShift Merge Robot2019-07-18
|\ \ \ | |/ / |/| | Fix play kube command
| * | Fix play kube commandPeter Hunt2019-07-17
| | | | | | | | | | | | | | | | | | | | | Before, play kube wasn't properly setting the command. Fix this Also, begin a dedicated test suite for play kube to catch regressions like this in the future Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | spec: rework --ulimit hostGiuseppe Scrivano2019-07-17
|/ / | | | | | | | | | | | | it seems enough to not specify any ulimit block to maintain the host limits. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #3531 from haraldh/fix_ReplySendFileOpenShift Merge Robot2019-07-15
|\ \ | | | | | | Fix the double replySendFile()
| * | Fix the double replySendFile()Harald Hoyer2019-07-12
| | | | | | | | | | | | Signed-off-by: Harald Hoyer <harald@redhat.com>
* | | Merge pull request #3564 from giuseppe/cgroupsv2-no-controllers-last-pathOpenShift Merge Robot2019-07-13
|\ \ \ | | | | | | | | cgroupsv2: do not enable controllers for the last component
| * | | cgroupsv2: do not enable controllers for the last componentGiuseppe Scrivano2019-07-12
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | do not automatically enable the controllers for the last path component. It is necessary as once there are enabled controllers in a cgroup, it won't possible to add processes to it. Fix conmon being moved to the correct cgroup path when using --cgroup-manager cgroupfs. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #3563 from giuseppe/fix-single-mapping-rootlessOpenShift Merge Robot2019-07-12
|\ \ \ | | | | | | | | spec: fix userns with less than 5 gids
| * | | spec: fix userns with less than 5 gidsGiuseppe Scrivano2019-07-12
| |/ / | | | | | | | | | | | | | | | | | | when the container is running in a user namespace, check if gid=5 is available, otherwise drop the option gid=5 for /dev/pts. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>