| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
| |
As we previously removed our exit code retrieval code to stop a
memory leak, we need a new way of doing this. Fortunately, events
is able to do the job for us.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the exit file
If the container exit code needs to be retained, it cannot be retained
in tmpfs, because libpod runs in a memcg itself so it can't leave
traces with a daemon-less design.
This wasn't a memleak detectable by kmemleak for example. The kernel
never lost track of the memory and there was no erroneous refcounting
either. The reference count dependencies however are not easy to track
because when a refcount is increased, there's no way to tell who's
still holding the reference. In this case it was a single page of
tmpfs pagecache holding a refcount that kept pinned a whole hierarchy
of dying memcg, slab kmem, cgropups, unrechable kernfs nodes and the
respective dentries and inodes. Such a problem wouldn't happen if the
exit file was stored in a regular filesystem because the pagecache
could be reclaimed in such case under memory pressure. The tmpfs page
can be swapped out, but that's not enough to release the memcg with
CONFIG_MEMCG_SWAP_ENABLED=y.
No amount of more aggressive kernel slab shrinking could have solved
this. Not even assigning slab kmem of dying cgroups to alive cgroup
would fully solve this. The only way to free the memory of a dying
cgroup when a struct page still references it, would be to loop over
all "struct page" in the kernel to find which one is associated with
the dying cgroup which is a O(N) operation (where N is the number of
pages and can reach billions). Linking all the tmpfs pages to the
memcg would cost less during memcg offlining, but it would waste lots
of memory and CPU globally. So this can't be optimized in the kernel.
A cronjob running this command can act as workaround and will allow
all slab cache to be released, not just the single tmpfs pages.
rm -f /run/libpod/exits/*
This patch solved the memleak with a reproducer, booting with
cgroup.memory=nokmem and with selinux disabled. The reason memcg kmem
and selinux were disabled for testing of this fix, is because kmem
greatly decreases the kernel effectiveness in reusing partial slab
objects. cgroup.memory=nokmem is strongly recommended at least for
workstation usage. selinux needs to be further analyzed because it
causes further slab allocations.
The upstream podman commit used for testing is
1fe2965e4f672674f7b66648e9973a0ed5434bb4 (v1.4.4).
The upstream kernel commit used for testing is
f16fea666898dbdd7812ce94068c76da3e3fcf1e (v5.2-rc6).
Reported-by: Michele Baldessari <michele@redhat.com>
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
<Applied with small tweaks to comments>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\
| |
| | |
podman: support --userns=ns|container
|
| | |
| |
| |
| |
| |
| |
| |
| | |
allow to join the user namespace of another container.
Closes: https://github.com/containers/libpod/issues/3629
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| | |
do not attempt to join the user namespace if the pod is running in the
host user namespace.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
| |
...to work for specific edge cases with a simpler solution.
Re-reads hooks directories after any changes are detected by the watchers.
Added monitoring test for adding a different invalid hook to primary directory.
Some issues with prior code:
- ReadDir would stop when it encounters an invalid hook, rather than registering an error but continuing to read the valid hook.
- Wouldn’t account for Rename and Chmod events.
- After doing a mv of the hooks file instead of rm, it would still think the hooks file is in the directory, but it has been moved to another location.
- If a hook file was renamed, it would register the renamed file as a separate hook and not delete the original, so it would then execute the hook twice - once for the renamed file, and once for the original name which it did not delete.
Signed-off-by: samc24 <sam.chaturvedi24@gmail.com>
|
| |\
| |
| | |
Add remote exec
|
| | |
| |
| |
| | |
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
There's no way to get the error if we successfully get an exit code (as it's just printed to stderr instead).
instead of relying on the error to be passed to podman, and edit based on the error code, process it on the varlink side instead
Also move error codes to define package
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| | |
including changing -l to the container id
and separating a case of setting the env that remote can't handle
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |/
|
|
|
|
|
|
|
| |
The variables here are 64-bit on 64-bit builds, so the linter
recommends stripping them. Unfortunately, they're 32-bit on
32-bit builds, so stripping them breaks that. Readd with a nolint
to convince it to not break.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |
|
|
|
|
|
| |
a PR slipped through without running the new linter. this cleans things
up for the master branch.
Signed-off-by: baude <bbaude@redhat.com>
|
| |\
| |
| | |
golangci-lint phase 4
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
clean up some final linter issues and add a make target for
golangci-lint. in addition, begin running the tests are part of the
gating tasks in cirrus ci.
we cannot fully shift over to the new linter until we fix the image on
the openshift side. for short term, we will use both
Signed-off-by: baude <bbaude@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This includes:
Implement exec -i and fix some typos in description of -i docs
pass failed runtime status to caller
Add resize handling for a terminal connection
Customize exec systemd-cgroup slice
fix healthcheck
fix top
add --detach-keys
Implement podman-remote exec (jhonce)
* Cleanup some orphaned code (jhonce)
adapt remote exec for conmon exec (pehunt)
Fix healthcheck and exec to match docs
Introduce two new OCIRuntime errors to more comprehensively describe situations in which the runtime can error
Use these different errors in branching for exit code in healthcheck and exec
Set conmon to use new api version
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |\
| |
| | |
golangci-lint round #3
|
| | |
| |
| |
| |
| |
| |
| | |
this is the third round of preparing to use the golangci-lint on our
code base.
Signed-off-by: baude <bbaude@redhat.com>
|
| |/
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
| |
When removing --all images prune images only attempt to remove read/write images,
ignore read/only images
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\
| |
| | |
Include changes to the container's root file-system in the checkpoint archive
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The newly added functionality to include the container's root
file-system changes into the checkpoint archive can now be explicitly
disabled. Either during checkpoint or during restore.
If a container changes a lot of files during its runtime it might be
more effective to migrated the root file-system changes in some other
way and to not needlessly increase the size of the checkpoint archive.
If a checkpoint archive does not contain the root file-system changes
information it will automatically be skipped. If the root file-system
changes are part of the checkpoint archive it is also possible to tell
Podman to ignore these changes.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
One of the last limitations when migrating a container using Podman's
'podman container checkpoint --export=/path/to/archive.tar.gz' was
that it was necessary to manually handle changes to the container's root
file-system. The recommendation was to mount everything as --tmpfs where
the root file-system was changed.
This extends the checkpoint export functionality to also include all
changes to the root file-system in the checkpoint archive. The
checkpoint archive now includes a tarstream of the result from 'podman
diff'. This tarstream will be applied to the restored container before
restoring the container.
With this any container can now be migrated, even it there are changes
to the root file-system.
There was some discussion before implementing this to base the root
file-system migration on 'podman commit', but it seemed wrong to do
a 'podman commit' before the migration as that would change the parent
layer the restored container is referencing. Probably not really a
problem, but it would have meant that a migrated container will always
reference another storage top layer than it used to reference during
initial creation.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
| |\ \
| | |
| | | |
rootless: add host devices with --privileged
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
when --privileged is specified, add all the devices that are usable by
the user.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1730773
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \ \
| | | |
| | | | |
podman-remote make --size optional in ps
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Close #3578 Add `size` field to PsOpts in podman remote to receive size as an option.
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
| |\ \ \ \
| | | | |
| | | | | |
libpod: support for cgroup namespace
|
| | | |/ /
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
allow a container to run in a new cgroup namespace.
When running in a new cgroup namespace, the current cgroup appears to
be the root, so that there is no way for the container to access
cgroups outside of its own subtree.
By default it uses --cgroup=host to keep the previous behavior.
To create a new namespace, --cgroup=private must be provided.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The default apparmor profile is not stored on disk which causes
confusion when debugging the content of the profile. To solve this, we
now add an additional API which returns the profile as byte slice.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
|
| |\ \ \
| | | |
| | | | |
Move the HostConfig portion of Inspect inside libpod
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
We can infer no-new-privileges. For now, manually populate
seccomp (can't infer what file we sourced from) and
SELinux/Apparmor (hard to tell if they're enabled or not).
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When we first began writing Podman, we ran into a major issue
when implementing Inspect. Libpod deliberately does not tie its
internal data structures to Docker, and stores most information
about containers encoded within the OCI spec. However, Podman
must present a CLI compatible with Docker, which means it must
expose all the information in 'docker inspect' - most of which is
not contained in the OCI spec or libpod's Config struct.
Our solution at the time was the create artifact. We JSON'd the
complete CreateConfig (a parsed form of the CLI arguments to
'podman run') and stored it with the container, restoring it when
we needed to run commands that required the extra info.
Over the past month, I've been looking more at Inspect, and
refactored large portions of it into Libpod - generating them
from what we know about the OCI config and libpod's (now much
expanded, versus previously) container configuration. This path
comes close to completing the process, moving the last part of
inspect into libpod and removing the need for the create
artifact.
This improves libpod's compatability with non-Podman containers.
We no longer require an arbitrarily-formatted JSON blob to be
present to run inspect.
Fixes: #3500
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\ \ \
| |/ /
|/| | |
Fix play kube command
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Before, play kube wasn't properly setting the command. Fix this
Also, begin a dedicated test suite for play kube to catch regressions like this in the future
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |/ /
| |
| |
| |
| |
| |
| | |
it seems enough to not specify any ulimit block to maintain the host
limits.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \
| | |
| | | |
Fix the double replySendFile()
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Harald Hoyer <harald@redhat.com>
|
| |\ \ \
| | | |
| | | | |
cgroupsv2: do not enable controllers for the last component
|
| | | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
do not automatically enable the controllers for the last path
component. It is necessary as once there are enabled controllers in a
cgroup, it won't possible to add processes to it.
Fix conmon being moved to the correct cgroup path when using
--cgroup-manager cgroupfs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \ \
| | | |
| | | | |
spec: fix userns with less than 5 gids
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | | |
when the container is running in a user namespace, check if gid=5 is
available, otherwise drop the option gid=5 for /dev/pts.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \ \
| |_|/
|/| | |
fix bug convert volume host path to absolute
|
