summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Swap 'volume inspect' frontend to use the new backendMatthew Heon2019-08-02
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Implement backend for 'volume inspect'Matthew Heon2019-08-02
| | | | | | | | | Begin to separate the internal structures and frontend for inspect on volumes. We can't rely on keeping internal data structures for external presentation - separating presentation and internal data format is good practice. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3692 from haircommander/play-capsOpenShift Merge Robot2019-08-02
|\ | | | | Add Capability support to play kube
| * Add capability functionality to play kubePeter Hunt2019-08-01
| | | | | | | | | | | | | | Take capabilities written in a kube and add to a container adapt test suite and write cap-add/drop tests Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | Merge pull request #3551 from mheon/fix_memory_leakOpenShift Merge Robot2019-08-02
|\ \ | | | | | | Fix memory leak with exit files
| * | Pass on events-backend config to cleanup processesMatthew Heon2019-08-01
| | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | Retrieve exit codes for containers via eventsMatthew Heon2019-07-31
| | | | | | | | | | | | | | | | | | | | | | | | As we previously removed our exit code retrieval code to stop a memory leak, we need a new way of doing this. Fortunately, events is able to do the job for us. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | podman: fix memleak caused by renaming and not deletingMatthew Heon2019-07-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the exit file If the container exit code needs to be retained, it cannot be retained in tmpfs, because libpod runs in a memcg itself so it can't leave traces with a daemon-less design. This wasn't a memleak detectable by kmemleak for example. The kernel never lost track of the memory and there was no erroneous refcounting either. The reference count dependencies however are not easy to track because when a refcount is increased, there's no way to tell who's still holding the reference. In this case it was a single page of tmpfs pagecache holding a refcount that kept pinned a whole hierarchy of dying memcg, slab kmem, cgropups, unrechable kernfs nodes and the respective dentries and inodes. Such a problem wouldn't happen if the exit file was stored in a regular filesystem because the pagecache could be reclaimed in such case under memory pressure. The tmpfs page can be swapped out, but that's not enough to release the memcg with CONFIG_MEMCG_SWAP_ENABLED=y. No amount of more aggressive kernel slab shrinking could have solved this. Not even assigning slab kmem of dying cgroups to alive cgroup would fully solve this. The only way to free the memory of a dying cgroup when a struct page still references it, would be to loop over all "struct page" in the kernel to find which one is associated with the dying cgroup which is a O(N) operation (where N is the number of pages and can reach billions). Linking all the tmpfs pages to the memcg would cost less during memcg offlining, but it would waste lots of memory and CPU globally. So this can't be optimized in the kernel. A cronjob running this command can act as workaround and will allow all slab cache to be released, not just the single tmpfs pages. rm -f /run/libpod/exits/* This patch solved the memleak with a reproducer, booting with cgroup.memory=nokmem and with selinux disabled. The reason memcg kmem and selinux were disabled for testing of this fix, is because kmem greatly decreases the kernel effectiveness in reusing partial slab objects. cgroup.memory=nokmem is strongly recommended at least for workstation usage. selinux needs to be further analyzed because it causes further slab allocations. The upstream podman commit used for testing is 1fe2965e4f672674f7b66648e9973a0ed5434bb4 (v1.4.4). The upstream kernel commit used for testing is f16fea666898dbdd7812ce94068c76da3e3fcf1e (v5.2-rc6). Reported-by: Michele Baldessari <michele@redhat.com> Signed-off-by: Andrea Arcangeli <aarcange@redhat.com> <Applied with small tweaks to comments> Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #3458 from rhatdan/volumeOpenShift Merge Robot2019-08-01
|\ \ \ | |_|/ |/| | Use buildah/pkg/parse volume parsing rather then internal version
| * | Use buildah/pkg/parse volume parsing rather then internal versionDaniel J Walsh2019-08-01
| | | | | | | | | | | | | | | | | | | | | We share this code with buildah, so we should eliminate the podman version. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #3341 from rhatdan/exitOpenShift Merge Robot2019-08-01
|\ \ \ | |/ / |/| | Add new exit codes to rm & rmi for running containers & dependencies
| * | Add new exit codes to rm & rmi for running containers & dependenciesDaniel J Walsh2019-08-01
| |/ | | | | | | | | | | | | | | | | | | | | | | This enables programs and scripts wrapping the podman command to handle 'podman rm' and 'podman rmi' failures caused by paused or running containers or due to images having other child images or dependent containers. These errors are common enough that it makes sense to have a more machine readable way of detecting them than parsing the standard error output. Signed-off-by: Ondrej Zoder <ozoder@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / Vendor in buildah 1.9.2Daniel J Walsh2019-07-30
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #3639 from giuseppe/user-ns-containerOpenShift Merge Robot2019-07-26
|\ | | | | podman: support --userns=ns|container
| * podman: support --userns=ns|containerGiuseppe Scrivano2019-07-25
| | | | | | | | | | | | | | | | allow to join the user namespace of another container. Closes: https://github.com/containers/libpod/issues/3629 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * pods: do not to join a userns if there is not anyGiuseppe Scrivano2019-07-25
| | | | | | | | | | | | | | do not attempt to join the user namespace if the pod is running in the host user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Improved hooks monitoringsamc242019-07-25
|/ | | | | | | | | | | | | ...to work for specific edge cases with a simpler solution. Re-reads hooks directories after any changes are detected by the watchers. Added monitoring test for adding a different invalid hook to primary directory. Some issues with prior code: - ReadDir would stop when it encounters an invalid hook, rather than registering an error but continuing to read the valid hook. - Wouldn’t account for Rename and Chmod events. - After doing a mv of the hooks file instead of rm, it would still think the hooks file is in the directory, but it has been moved to another location. - If a hook file was renamed, it would register the renamed file as a separate hook and not delete the original, so it would then execute the hook twice - once for the renamed file, and once for the original name which it did not delete. Signed-off-by: samc24 <sam.chaturvedi24@gmail.com>
* Merge pull request #3624 from haircommander/conmon-exec-with-remote-execOpenShift Merge Robot2019-07-24
|\ | | | | Add remote exec
| * refactor to reduce duplicated error parsingPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * remove debug printsPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * always send generic error in case io failsPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * only use stdin if specifiedPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * buffer errChanPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * move handleTerminalAttach to generic buildPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * remove unnecessary conversionsPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * add detach keys support for remotePeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * move editing of exitCode to runtimePeter Hunt2019-07-23
| | | | | | | | | | | | | | | | | | There's no way to get the error if we successfully get an exit code (as it's just printed to stderr instead). instead of relying on the error to be passed to podman, and edit based on the error code, process it on the varlink side instead Also move error codes to define package Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * Update e2e tests for remote execPeter Hunt2019-07-23
| | | | | | | | | | | | | | including changing -l to the container id and separating a case of setting the env that remote can't handle Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * Finish up remote exec implementationPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | Re-add int64 casts for ctimeMatthew Heon2019-07-23
|/ | | | | | | | | The variables here are 64-bit on 64-bit builds, so the linter recommends stripping them. Unfortunately, they're 32-bit on 32-bit builds, so stripping them breaks that. Readd with a nolint to convince it to not break. Signed-off-by: Matthew Heon <mheon@redhat.com>
* golangci-lint cleanupbaude2019-07-23
| | | | | | | a PR slipped through without running the new linter. this cleans things up for the master branch. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3621 from baude/golangcilint4OpenShift Merge Robot2019-07-23
|\ | | | | golangci-lint phase 4
| * golangci-lint phase 4baude2019-07-22
| | | | | | | | | | | | | | | | | | | | | | clean up some final linter issues and add a make target for golangci-lint. in addition, begin running the tests are part of the gating tasks in cirrus ci. we cannot fully shift over to the new linter until we fix the image on the openshift side. for short term, we will use both Signed-off-by: baude <bbaude@redhat.com>
* | Implement conmon execPeter Hunt2019-07-22
|/ | | | | | | | | | | | | | | | | | | | | | This includes: Implement exec -i and fix some typos in description of -i docs pass failed runtime status to caller Add resize handling for a terminal connection Customize exec systemd-cgroup slice fix healthcheck fix top add --detach-keys Implement podman-remote exec (jhonce) * Cleanup some orphaned code (jhonce) adapt remote exec for conmon exec (pehunt) Fix healthcheck and exec to match docs Introduce two new OCIRuntime errors to more comprehensively describe situations in which the runtime can error Use these different errors in branching for exit code in healthcheck and exec Set conmon to use new api version Signed-off-by: Jhon Honce <jhonce@redhat.com> Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Merge pull request #3562 from baude/golangcilint3OpenShift Merge Robot2019-07-22
|\ | | | | golangci-lint round #3
| * golangci-lint round #3baude2019-07-21
| | | | | | | | | | | | | | this is the third round of preparing to use the golangci-lint on our code base. Signed-off-by: baude <bbaude@redhat.com>
* | Remove debug messageDaniel J Walsh2019-07-20
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add support for listing read/only and read/write imagesDaniel J Walsh2019-07-19
| | | | | | | When removing --all images prune images only attempt to remove read/write images, ignore read/only images Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #3443 from adrianreber/rootfs-changes-migrationOpenShift Merge Robot2019-07-19
|\ | | | | Include changes to the container's root file-system in the checkpoint archive
| * Add --ignore-rootfs option for checkpoint/restoreAdrian Reber2019-07-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The newly added functionality to include the container's root file-system changes into the checkpoint archive can now be explicitly disabled. Either during checkpoint or during restore. If a container changes a lot of files during its runtime it might be more effective to migrated the root file-system changes in some other way and to not needlessly increase the size of the checkpoint archive. If a checkpoint archive does not contain the root file-system changes information it will automatically be skipped. If the root file-system changes are part of the checkpoint archive it is also possible to tell Podman to ignore these changes. Signed-off-by: Adrian Reber <areber@redhat.com>
| * Include root file-system changes in container migrationAdrian Reber2019-07-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | One of the last limitations when migrating a container using Podman's 'podman container checkpoint --export=/path/to/archive.tar.gz' was that it was necessary to manually handle changes to the container's root file-system. The recommendation was to mount everything as --tmpfs where the root file-system was changed. This extends the checkpoint export functionality to also include all changes to the root file-system in the checkpoint archive. The checkpoint archive now includes a tarstream of the result from 'podman diff'. This tarstream will be applied to the restored container before restoring the container. With this any container can now be migrated, even it there are changes to the root file-system. There was some discussion before implementing this to base the root file-system migration on 'podman commit', but it seemed wrong to do a 'podman commit' before the migration as that would change the parent layer the restored container is referencing. Probably not really a problem, but it would have meant that a migrated container will always reference another storage top layer than it used to reference during initial creation. Signed-off-by: Adrian Reber <areber@redhat.com>
* | Merge pull request #3593 from giuseppe/rootless-privileged-devicesOpenShift Merge Robot2019-07-18
|\ \ | | | | | | rootless: add host devices with --privileged
| * | rootless: add rw devices with --privilegedGiuseppe Scrivano2019-07-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | when --privileged is specified, add all the devices that are usable by the user. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1730773 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #3584 from QiWang19/pssizeOpenShift Merge Robot2019-07-18
|\ \ \ | | | | | | | | podman-remote make --size optional in ps
| * | | podman-remote make --size optional in psQi Wang2019-07-18
| | | | | | | | | | | | | | | | | | | | | | | | Close #3578 Add `size` field to PsOpts in podman remote to receive size as an option. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | Merge pull request #3509 from giuseppe/cgroup-namespaceOpenShift Merge Robot2019-07-18
|\ \ \ \ | | | | | | | | | | libpod: support for cgroup namespace
| * | | | libpod: support for cgroup namespaceGiuseppe Scrivano2019-07-18
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | allow a container to run in a new cgroup namespace. When running in a new cgroup namespace, the current cgroup appears to be the root, so that there is no way for the container to access cgroups outside of its own subtree. By default it uses --cgroup=host to keep the previous behavior. To create a new namespace, --cgroup=private must be provided. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / | | Add DefaultContent API to retrieve apparmor profile contentSascha Grunert2019-07-18
|/ / / | | | | | | | | | | | | | | | | | | | | | The default apparmor profile is not stored on disk which causes confusion when debugging the content of the profile. To solve this, we now add an additional API which returns the profile as byte slice. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* | | Merge pull request #3522 from mheon/nix_the_artifactOpenShift Merge Robot2019-07-18
|\ \ \ | | | | | | | | Move the HostConfig portion of Inspect inside libpod
| * | | Populate inspect with security-opt settingsMatthew Heon2019-07-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We can infer no-new-privileges. For now, manually populate seccomp (can't infer what file we sourced from) and SELinux/Apparmor (hard to tell if they're enabled or not). Signed-off-by: Matthew Heon <mheon@redhat.com>