An artifact without the title annotation just gets the digest as name
which is less than ideal. While it is a decent default to avoid
conflicts, users would like to configure the name.
With the name=abc option we will call the file abc in case of a single
artifact and otherwise we use abc-x where x is the layer index starting
at 0 to avoid conflicts.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If the artifact has a single blob then use the dst path directly as
mount in case it does not exist.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
podman system check --quick currently only skips layer contents, but
practically it's not much quicker than without the flag.
This changes the flag to also skip checking layer digests which speeds up
the check significantly.
In some cases, it is useful to opt for a quicker check if we prioritize
detecting and fixing severe corruption and can tolerate minor damage.
The check option is derived from CRI-O's internal repair:
9e4d86d823/internal/lib/container_server.go (L860)
Signed-off-by: Sonny Sasaka <sonnysasaka@gmail.com>
Added support for "podman buildx inspect". The goal was to replicate the default output from "docker buildx inspect" as
much as possible but a problem encountered was podman not supporting BuildKit. To replicate the output I resorted to
printing the statements with default values but only changed the driver name to use podman instead of docker. Since
there was no BuildKit, I gave it the value of "N/A" to depict that it's not supported. For Platforms, I resorted to using
the emulated architectures found on your Linux system + the host architecture of your local machine or podman server. The
bootstrap flag was also added but is considered a NOP since there is no BuildKit container to run before running inspect.
An extra field was added to the HostInfo struct so when you run "podman info" the emulated architectures will show; this
was used so you can grab the information from the podman engine.
Fixes #13014
Signed-off-by: Joshua Arrevillaga <2004jarrevillaga@gmail.com>
We like to append the host servers in that case so that we do not only
force dns.podman.
Fixes: #24713
Fixes: https://issues.redhat.com/browse/RHEL-83787
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Specifically, this does two things:
1. Turn on case-sensitive LIKE queries. Technically, this is not
specific to volumes, as it will also affect container and pod
lookups - but there, it only affects IDs. So `podman rm abc123`
will not be the same as `podman rm ABC123` but I don't think
anyone was manually entering uppercase SHA256 hash IDs so it
shouldn't matter.
2. Escape the _ and % characters in volume lookup queries. These
are SQLite wildcards, and meant that `podman volume rm test_1`
would also match `podman volume rm testa2` (or any character in
place of the underscore). This isn't done with pod and container
lookups, but again those just use LIKE for IDs - so technically
`podman volume rm abc_123` probably works and removes containers
with an ID matching that pattern... I don't think that matters
though.
Fixes #26168
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
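To make the wildcard problem from the volume-lookup commit above concrete, here is an added example (not podman's or SQLite's code) with a small ASCII-only emulation of SQLite LIKE semantics, so the behaviour can be shown offline without a database, and an escapeLike helper of the kind the commit describes for use with a "LIKE ? ESCAPE '\'" query. The case_sensitive_like toggle is modelled by the caseSensitive flag.

```go
package main

import "strings"

// likeMatch emulates SQLite LIKE for ASCII input: '_' matches exactly one
// character, '%' matches any run, and a character after esc is literal.
// Constructed example for illustration, not SQLite's implementation.
func likeMatch(pattern, s string, esc byte, caseSensitive bool) bool {
	if !caseSensitive {
		// default SQLite behaviour: ASCII letters compare case-insensitively
		pattern, s = strings.ToLower(pattern), strings.ToLower(s)
	}
	return likeRec(pattern, s, esc)
}

func likeRec(p, s string, esc byte) bool {
	for len(p) > 0 {
		c := p[0]
		switch {
		case c == esc && len(p) > 1:
			// escaped wildcard (or escape char): must match literally
			if len(s) == 0 || s[0] != p[1] {
				return false
			}
			p, s = p[2:], s[1:]
		case c == '%':
			// try every possible split of the remaining subject
			for i := 0; i <= len(s); i++ {
				if likeRec(p[1:], s[i:], esc) {
					return true
				}
			}
			return false
		default: // '_' matches any single char, anything else matches itself
			if len(s) == 0 || (c != '_' && s[0] != c) {
				return false
			}
			p, s = p[1:], s[1:]
		}
	}
	return len(s) == 0
}

// escapeLike turns a user-supplied name into a LIKE pattern that only
// matches itself, for a query of the form "... LIKE ? ESCAPE '\'".
func escapeLike(name string) string {
	return strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`).Replace(name)
}
```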
After the system reboot, the Rootfs for infra-container can
be removed. This can happen when it is stored on tmpfs.
This commit recreates the infra-container directory which is
used for Rootfs for infra-container before mounting it.
Fixes: #26190
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
getAllDependencies() skips recursing into dependencies that are already
running, but BuildContainerGraph() expects a *complete* set of inputs
and returns an error if any are missing. Thus, podman will fail to start
a container with already-running direct dependencies that, in turn, have
their own dependencies.
None of the other callers of BuildContainerGraph() omit anything from
their list of containers, so follow the same approach here, and just
let startNode figure out if a start is actually needed.
Fixes: containers/podman-compose#921
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
This commit adds two new annotations named
io.podman.annotations.cpuset/$ctrname and
io.podman.annotations.memory-nodes/$ctrname
The first one allows restricting a container's execution to specific
CPU cores while the second restricts memory allocations to specific
NUMA memory nodes. They are also added automatically when the
--cpuset-cpus and --cpuset-mems options are used.
Fixes: containers#26172
Signed-off-by: François Poirotte <clicky@erebot.net>
The count function for / and /proc results in the same value so the
order is not guaranteed. We must ensure that a / mount is always first
in the spec so that other mounts are not overshadowed by it.
Fixes: #26161
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The conditions are always true so they can be removed. And in the case
of exportCheckpoint() the scope means addToTarFiles was overwritten and
thus when it looped over it later the slice was always empty.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Previously, the HealthCheck exec session would not terminate on timeout, allowing the healthcheck to run indefinitely.
Fixes: https://issues.redhat.com/browse/RHEL-86096
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
When a container is being removed, podman iterates
through its exec sessions and checks whether the exec
session pid is still alive.
The problem is that the pid can be reused for other processes,
so it may not belong to the exec session.
In this scenario podman may kill another process.
This commit prevents it by making the following changes:
- Adds the PIDData string to ExecSession struct. This string
is used to store additional context for a PID to later verify
that the PID killed by podman is really the one started by
it.
- Adds a new package called pidhandle which implements the methods
generating the PIDData, and killing the PID with the PIDData,
ensuring the right PID is killed by verifying the metadata.
The new code uses pidfd_open and name_to_handle_at when available.
It falls back to getting the process start time using the gopsutil package.
Fixes: #25104
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
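An added example (not podman's pidhandle package) of the start-time fallback described in the commit above: the process start time from /proc/<pid>/stat is recorded as PIDData when the process is started, and a later kill is refused if the PID no longer carries that start time. It assumes Linux with procfs; unlike pidfd_open it still leaves a small window between the check and the signal, which is why the commit prefers pidfd when available.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"syscall"
)

// PIDData identifies one incarnation of a PID by its start time (field 22 of
// /proc/<pid>/stat, in clock ticks since boot). Constructed example, Linux only.
type PIDData struct {
	PID       int
	StartTime string
}

// processStartTime reads /proc/<pid>/stat and returns the starttime field.
func processStartTime(pid int) (string, error) {
	raw, err := os.ReadFile(fmt.Sprintf("/proc/%d/stat", pid))
	if err != nil {
		return "", err
	}
	// comm (field 2) may contain spaces or ')', so split after the last ')'.
	i := strings.LastIndexByte(string(raw), ')')
	if i < 0 {
		return "", fmt.Errorf("malformed /proc/%d/stat", pid)
	}
	fields := strings.Fields(string(raw[i+1:]))
	if len(fields) < 20 {
		return "", fmt.Errorf("too few fields in /proc/%d/stat", pid)
	}
	return fields[19], nil // fields[0] is field 3 (state), so field 22 is index 19
}

// NewPIDData captures the identity of a process right after starting it.
func NewPIDData(pid int) (PIDData, error) {
	st, err := processStartTime(pid)
	return PIDData{PID: pid, StartTime: st}, err
}

// IsSameProcess reports whether pid still belongs to the recorded process.
func (d PIDData) IsSameProcess() bool {
	st, err := processStartTime(d.PID)
	return err == nil && st == d.StartTime
}

// Kill signals the PID only if it has not been reused or exited.
func (d PIDData) Kill(sig syscall.Signal) error {
	if !d.IsSameProcess() {
		return fmt.Errorf("pid %d exited or was reused, refusing to signal it", d.PID)
	}
	return syscall.Kill(d.PID, sig)
}
```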
Cgroup block I/O limits cannot be applied to character devices.
Ignore character devices in the inspect output.
Update the API tests to use the null block device `/dev/nullb0` (if
available) instead of `/dev/zero` for testing I/O limits.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The Docker `-XDELETE image/$name?force=true` endpoint only removes
containers using an image if they are in a non running state.
In Podman, when forcefully removing images we also forcefully delete
containers using the image including running containers.
This patch changes the Docker image force delete compat API to act like the
Docker API while maintaining commands like `podman rmi -f $imagename`
It also corrects the API return code returned when an image is requested
to be deleted with running containers using it.
Fixes: https://github.com/containers/podman/issues/25871
Signed-off-by: Lewis Roy <lewis@redhat.com>
This commit removes the code to build a local pause
image from the Containerfile. It is replaced with
code to find the catatonit binary and include it in
the Rootfs.
This removes the need to build a local pause container
image.
The same logic is also applied to createServiceContainer
which was originally also based on the pause image.
Fixes: #23292
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
The openDirectory function is missing the unix.O_CLOEXEC flag.
As a result, this file descriptor can leak into the aardvark-dns
process which can then block the umount of rootfs - in this case,
the umount fails with "Device or Resource busy" error message.
This commit adds the unix.O_CLOEXEC to the unix.Open call, resulting
in this fd being closed on aardvark-dns exec.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
Stat() actually ignored ENOENT errors so there is no point in matching
them; instead, if Stat() does not find a valid cgroup file it returns
ErrStatCgroup, so match that instead.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Create the /etc/passwd and /etc/group files before any user/group
lookup so that the entries added dynamically are found by --user.
As a side effect, do not automatically create the group with same
value as the uid when not specified, since it is expected to run with
gid=0.
Closes: https://github.com/containers/podman/issues/25805
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Networks are stored in two ways in the DB: first a static network list
which holds all the networks with their options for the container; second,
the network status which holds the actual network result from netavark
but only when the container is running.
If the container is running they must be in sync and podman inspect has
checks to ensure that as well; it errors out if there is a desync between
the two.
As adding to the db and doing the actual networking configuration are
different parts it is possible that one worked while the other failed which
triggers the desync. To avoid this make the network connect/disconnect
code more robust against partial failures. When the network calls fail
we update the db again to remove/add the network back.
Fixes: https://issues.redhat.com/browse/RHEL-78037
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This is related to #23292 and is needed to replace
pause image container with pause container based
on the rootfs.
Without this change, the GIDs and UIDs are not mapped
in the rootfs container which uses overlay if --userns=auto
is used. This leads to an error mounting /dev/pts with gid=5,
because GID 5 simply does not exist in the pause container
using rootfs.
All the tests pass with this change, but I have to admit
I did not find out why the original code has been introduced.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
This one:
> libpod/container_internal_freebsd.go:255:2: assigned to foundUTS, but reassigned without using the value (wastedassign)
> foundUTS := false
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
When linting for freebsd, Stat_t Bsize is always uint64, thus the
following warning:
> libpod/info.go:234:21: unnecessary conversion (unconvert)
> allocated := uint64(grStats.Bsize) * grStats.Blocks
> ^
Use an intermediate variable to save on linter annotations.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This fixes the following warning:
> libpod/networking_freebsd.go:148:19: ST1005: error strings should not be capitalized (staticcheck)
> return "", nil, fmt.Errorf("Failed to create vnet jail %s for container %s: %w", netns, ctr.ID(), err)
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This one:
> libpod/container_internal_freebsd.go:393:37: SA1012: do not pass a nil Context, even if a function permits it; pass context.TODO if you are unsure about which Context to use (staticcheck)
> inspectData, err := image.Inspect(nil, nil)
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
These two:
> libpod/container_internal_freebsd.go:183:33: Error return value of `c.runtime.state.UpdateContainer` is not checked (errcheck)
> c.runtime.state.UpdateContainer(nsCtr)
> ^
> pkg/specgen/generate/config_freebsd.go:51:12: Error return value is not checked (errcheck)
> addDevice(g, resolvedDevicePath)
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>