due to a lack of "locking" on cni operations, we could get ourselves in trouble when doing rapid creation or removal of networks. added a simple file lock to deal with the collision and because it is not considered a performent path, use of the file lock should be ok. if proven otherwise in the future, some generic shared memory lock should be implemented for libpod and also used here.
moved pkog/network to libpod/network because libpod is now being pulled into the package and it has therefore lost its generic nature. this will make it easier to absorb into libpod as we try to make the network closer to core operations.
Fixes: #7807
Signed-off-by: baude <bbaude@redhat.com>
Make Podman pod operations that do not involve starting
containers (which needs to be done in a specific order) use the
same parallel operation code we use to make `podman stop` on
large numbers of containers fast. We were previously stopping
containers in a pod serially, which could take up to the timeout
(default 15 seconds) for each container - stopping 100 containers
that do not respond to SIGTERM would take 25 minutes.
To do this, refactor the parallel operation code a bit to remove
its dependency on libpod (damn circular import restrictions...)
and use parallel functions that just re-use the standard
container API operations - maximizes code reuse (previously each
pod handler had a separate implementation of the container
function it performed).
This is a bit of a palate cleanser after fighting CI for two
days - nice to be able to return to a land of sanity.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We do not populate the hostname field with the IP Address
when running within a user namespace.
Fixes https://github.com/containers/podman/issues/7490
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
While reviewing #6784 I found myself having a lot of trouble
with this script: it was a complicated mix of case statement
and helper functions, requiring a reader to jump back and
forth between the two.
This PR defines a convention such that a given TEST_FLAVOR=foo
must have a corresponding _run_foo() handler function. The
goal is to have all TEST_FLAVOR-related code in one place,
or at least less scattered (integration and system tests
still rely on other helper functions).
Signed-off-by: Ed Santiago <santiago@redhat.com>
1. Check the path validity before trying to read the cgroup.controllers.
2. Do not hardcode "/sys/fs/cgroup".
3. Simplify creating the "+this +that" string.
4. Do not wrap ioutil.WriteFile error.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This commit is courtesy of
```
for f in $(git ls-files *.go | grep -v ^vendor/); do \
sed -i 's/\(errors\..*\)"Error /\1"error /' $f;
done
for f in $(git ls-files *.go | grep -v ^vendor/); do \
sed -i 's/\(errors\..*\)"Failed to /\1"failed to /' $f;
done
```
etc.
Self-reviewed using `git diff --word-diff`, found no issues.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
In case os.Open[File], os.Mkdir[All], ioutil.ReadFile and the like
fails, the error message already contains the file name and the
operation that fails, so there is no need to wrap the error with
something like "open %s failed".
While at it
- replace a few places with os.Open, ioutil.ReadAll with
ioutil.ReadFile.
- replace errors.Wrapf with errors.Wrap for cases where there
are no %-style arguments.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Docker supports log-opt max_size and so does conmon (ALthough poorly).
Adding support for this allows users to at least make sure their containers
logs do not become a DOS vector.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
- Fixes issue where remote attach and exec only signaled the IdleTracker
on errors. Needs to done anytime after connection has been hijacked
- Fixes trying to send multiple http status codes to client
- Changes pprof and API server shutdowns to run in parallel
- Changes shutdown to run in sync.Once block
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Previous to this commit, the entire suite of CI tasks run in a PR, run
again for every merge (a.k.a. branch push). This wastes time and
resources with substantively overlapping testing. The primary reason
to test on branch-push, is providing coverage for merge-semantics.
In other words, problems introduced due to the sequence of PR merging.
For this purpose, the vast majority of problems can be caught quickly by
a small subset of automated tests. If deeper debugging is necessary,
then opening a test-PR is a small price to ask for the enormous amount
of time/resource savings with more limited branch-push testing.
Signed-off-by: Chris Evich <cevich@redhat.com>
(that got accidentally dropped in the new Cirrus makeover).
Note that 'dotest' does not actually 'do tests', it's
only used for a small subset of tests.
Also, make logformatter work better in the new Cirrus setup.
Remove duplicate test/subtest, remove no-longer-used SPECIALMODE,
and make the Cirrus build/task display a little cleaner.
Signed-off-by: Ed Santiago <santiago@redhat.com>
If I have multiple ranges of UIDs specified in the /etc/subuid, this check
blows up and incorrectly blocks the use of --user flag.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When validating code on a branch, determining a starting commit to check
from isn't as straightforward as it would seem. Default to using the
SHA from last time CI was green. If for some reason that isn't
available, use an obviously wrong value to cause an intentional
failure. Entirely skip this check on tag-push, since determining a
starting point is incredibly difficult to do automatically.
Signed-off-by: Chris Evich <cevich@redhat.com>
All containers within a Pod need to run with the same SELinux
label, unless overwritten by the user.
Also added a bunch of SELinux tests to make sure selinux labels
are correct on namespaces.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Reimplement CI-automation to remove accumulated technical-debt and
optimize workflow. The task-dependency graph designed goal was to
shorten it's depth and increase width (i.e. more parallelism). A
reduction in redundant building (and 3rd party module download) was
also realized by caching `$GOPATH` and `$GOCACHE` early on. This
cache is then reused in favor of a fresh clone of the repository
(when possible).
Note: The system tests typically execute MUCH faster than the
integration tests. However, contrary to a fail-fast/fail-early
principal, they are executed last. This was implemented due to
debug-ability related concerns/preferences of the primary
(golang-centric) project developers.
Signed-off-by: Chris Evich <cevich@redhat.com>
OpenShift Merge Robot
Jhon Honce
baude
Daniel J Walsh
Matthew Heon
Matthew Heon
Ed Santiago
zhangguanzhang
Kir Kolyshkin
Chris Evich
Andy Librian