Shortcuts like unix:path and unix:/path do not work everywhere,
so make sure to use unix://path when quoting the url (or address)
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
`podman system service` + TCP is not a configuration we should be
recommending. There was already language about this in the
manpages, but it was not sufficient in explaining how bad of an
idea this is. Expand the manpage warnings, add a dedicated
heading so people notice, and add a warning every time the
service starts with a TCP URL that directs people to the manpage
to see that explanation.
Signed-off-by: Matt Heon <mheon@redhat.com>
Disable leaking the LISTEN_* variables into containers which are
observed to be passed by systemd even without being socket activated as
described in https://access.redhat.com/solutions/6512011.
[NO NEW TESTS NEEDED] - Ultimately, the solution 6512011 should be updated.
Fixes: bugzilla.redhat.com/show_bug.cgi?id=2180483
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This adds the 'system service' command to the build on FreeBSD and
suppresses the call to servicereaper.Start which is only needed to
support slirp4netns on Linux. A stub for compat.StatsContainer is also
added - stats are still supported via the libpod.StatsContainer API
call.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
Most of the code moved there so if from there and remove it here.
Some extra changes are required here. This is a bit of a mess. The pipe
handling makes this a bit more difficult.
[NO NEW TESTS NEEDED] This is just a rework, existing tests must pass.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
when running rootless on cgroupv1, Podman+OCI runtime do not setup a
separate cgroup for the container. Spawned containers will run in the
same cgroup as the podman system service process, thus will be killed
when the cgroup is destroyed, as it is the case when running as a
systemd service.
[NO NEW TESTS NEEDED]
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2170444
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Since we open /dev/null to set it as STDIN we can close it after the
dup2() call. Using defer is not good enough since this function will
never exit since the http server will block. This is not a problem but
it reduces the open fds from the service by one.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
if we are running in a container in the root cgroup, Podman tries to
move itself to a sub-cgroup. This could be a problem in a setup where
the cgroups are not writeable, so just log a debug message and
continue, since anyway it is a best-effort operation.
Closes: https://github.com/containers/podman/issues/15498
[NO NEW TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
at startup, when running on a cgroup v2 system, check if the current
process is running in the root cgroup and move it to a sub-cgroup,
otherwise Podman is not able to create cgroups and move processes
there.
Closes: https://github.com/containers/podman/issues/14573
[NO NEW TESTS NEEDED] it needs nested podman
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Commit 5fa6f686db added a regression which was fixed in eb71712626.
Apply the same fix again to prevent a panic and return a proper error
instead.
To not regress again I added a e2e test which makes sure we do not panic.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Rather than assuming a filesystem path, the API service URI is recorded
in the libpod runtime configuration and then reported as requested.
Note: All schemes other than "unix" are hard-coded to report URI exists.
Fixes#12023
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Increase timeout for tests to 10s
* To aid in debugging add PID to shutdown package logging
* Added new message for forced service shutdown
* Always wait for HTTP server to shutdown, duration of 0 not friendly
to clients
Note: The log event
"IdleTracker: StateClosed transition by connection marked un-managed"
denotes a TCP connection has been initiated but no HTTP request was sent.
And is expected during these tests.
Fixes#11921
Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Refactor sidecar HTTP service for /debug/pprof endpoints to use a TCP
address given via new podman system service --pprof-address flag
* Allow same URL parsing in "system service" as bindings/connection.go
* Refactor NewServerWithSettings() to use entities.ServiceOptions
in place of deleted server.Options
* Updated godoc for impacted functions and types
* Fixed API service Shutdown() to do an orderly shutdown when
terminated and running with --time=0
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Add a new service reaper package. Podman currently does not reap all
child processes. The slirp4netns and rootlesskit processes are not
reaped. The is not a problem for local podman since the podman process
dies before the other processes and then init will reap them for us.
However with podman system service it is possible that the podman
process is still alive after slirp died. In this case podman has to reap
it or the slirp process will be a zombie until the service is stopped.
The service reaper will listen in an extra goroutine on SIGCHLD. Once it
receives this signal it will try to reap all pids that were added with
`AddPID()`. While I would like to just reap all children this is not
possible because many parts of the code use `os/exec` with `cmd.Wait()`.
If we reap before `cmd.Wait()` things can break, so reaping everything
is not an option.
[NO TESTS NEEDED]
Fixes#9777
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
if LISTEN_FDS is specified by systemd, we need to use the first fd
after the std files (so fd=3) to read from the activation socket
instead of manually opening the UNIX socket.
[NO TESTS NEEDED]
Closes: https://github.com/containers/podman/issues/9251
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
We missed bumping the go module, so let's do it now :)
* Automated go code with github.com/sirkon/go-imports-rename
* Manually via `vgrep podman/v2` the rest
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Currently the service is attempting to prompt on shortname expansion if you run
with a terminal. This change will cause the service to default to no terminal
and not prompt.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
this enables the ability to connect and disconnect a container from a
given network. it is only for the compatibility layer. some code had to
be refactored to avoid circular imports.
additionally, tests are being deferred temporarily due to some
incompatibility/bug in either docker-py or our stack.
Signed-off-by: baude <bbaude@redhat.com>
Stop over wrapping API Calls
The API calls will return an appropriate error, and this wrapping
just makes the error message look like it is stuttering and a
big mess.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
With the advent of Podman 2.0.0 we crossed the magical barrier of go
modules. While we were able to continue importing all packages inside
of the project, the project could not be vendored anymore from the
outside.
Move the go module to new major version and change all imports to
`github.com/containers/libpod/v2`. The renaming of the imports
was done via `gomove` [1].
[1] https://github.com/KSubedi/gomove
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We need to default to building podman. If you specify no build
tags you will not build podman, not podman-remote.
Just using remote flag to indicate podman-remote and !remote for
podman.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
While this commit was initially meant to fix#5847, it has turned into a
bigger refactoring which I did not manage to break into smaller pieces:
* Fix#5847 by refactoring the image-removal logic.
* Make the api handler for image-removal use the ABI code. This way,
both (i.e., ABI and Tunnel) end up using the same code. Achieving
this code share required to move some code around to prevent circular
dependencies.
* Everything in pkg/api (excluding pkg/api/types) must now only be
accessed from code using `ABISupport`.
* Avoid imports from entities on handlers to prevent circular
dependencies.
* Move `podman system service` logic into `cmd` to prevent circular
dependencies - it depends on pkg/api.
* Also remove the build header from infra/abi files. It will otherwise
confuse swagger and other tools; errors we cannot fix as go doesn't
expose a build-tag env variable.
Fixes: #5847
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Anders F Björklund
Matt Heon
Valentin Rothberg
Doug Rabson
Paul Holzinger
Giuseppe Scrivano
Boaz Shuster
openshift-ci[bot]
Sascha Grunert
Daniel J Walsh
Valentin Rothberg
Jhon Honce
baude
Qi Wang