When linting for freebsd, Stat_t Bsize is always uint64, thus the
following warning:
> libpod/info.go:234:21: unnecessary conversion (unconvert)
> allocated := uint64(grStats.Bsize) * grStats.Blocks
> ^
Use an intermediate variable to save on linter annotations.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This fixes the following warning:
> libpod/networking_freebsd.go:148:19: ST1005: error strings should not be capitalized (staticcheck)
> return "", nil, fmt.Errorf("Failed to create vnet jail %s for container %s: %w", netns, ctr.ID(), err)
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This one:
> libpod/container_internal_freebsd.go:393:37: SA1012: do not pass a nil Context, even if a function permits it; pass context.TODO if you are unsure about which Context to use (staticcheck)
> inspectData, err := image.Inspect(nil, nil)
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
These two:
> libpod/container_internal_freebsd.go:183:33: Error return value of `c.runtime.state.UpdateContainer` is not checked (errcheck)
> c.runtime.state.UpdateContainer(nsCtr)
> ^
> pkg/specgen/generate/config_freebsd.go:51:12: Error return value is not checked (errcheck)
> addDevice(g, resolvedDevicePath)
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Shuffle the code around to eliminate "unused" warnings when linting
with various GOOS and build tags.
The only change in functionality should be that now NewEventer
returns ErrNoJournaldLogging (rather than "unknown event logger type")
on freebsd when journald is requested.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This was added by commit 84e42877a ("make lint: re-enable revive"),
making nolintlint became almost useless.
Remove the ungodly amount of unused nolint annotations.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
These:
> libpod/container_copy_common.go:34:16: QF1011: could omit type bool from declaration; it will be inferred from the right-hand side (staticcheck)
> locked bool = true
> ^
> libpod/container_internal_common.go:793:3: QF1006: could lift into loop condition (staticcheck)
> if maxSymLinks > 40 {
> ^
> libpod/oci_conmon_linux.go:170:2: QF1007: could merge conditional assignment into variable declaration (staticcheck)
> mustCreateCgroup := true
> ^
Should not result in any change of logic.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This commit adds new --cdi-spec-dir global option. This
option is used to add additional CDI spec paths.
Signed-off-by: Micah Chambers (eos) <mchambers@anduril.com>
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
This commit adds new annotation called:
io.podman.annotations.pids-limit/$ctrname
This annotation is used to define the PIDsLimit for
a particular pod. It is also automatically defined
when newly added --pids-limit option is used.
Fixes: #24418
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
Trying to generate a Pod yaml file when we are using --mount with
SubPath does not generate a VolumeMount with SubPath. This patch fixes
that.
Note that kube play does support SubPath since 95cc7e052, see:
https://github.com/containers/podman/pull/16803
Signed-off-by: Victor Toso <victortoso@redhat.com>
The --env is used to add new environment variable to container or
override the existing one. The --unsetenv is used to remove
the environment variable.
It is done by sharing "env" and "unsetenv" flags between both
"update" and "create" commands and later handling these flags
in the "update" command handler.
The list of environment variables to add/remove is stored
in newly added variables in the ContainerUpdateOptions.
The Container.Update API call is refactored to take
the ContainerUpdateOptions as an input to limit the number of its
arguments.
The Env and UnsetEnv lists are later handled using the envLib
package and the Container is updated.
The remote API is also extended to handle Env and EnvUnset.
Fixes: #24875
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
when the code was first added, there was no securejoin.OpenInRoot().
Since there is a function already provided by a dependency and already
used in libpod, replace the custom code with securejoin.OpenInRoot().
The new version does not report a symlink that points outside the
root, but it is still resolved relative to the specified mountpoint,
since that is the openat2 semantic. It does not affect the security
of the function.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Have one function without a `defer lock.unlock()` as one of the
commands in it calls a function that also takes the same lock,
so the unlock has to happen prior to function completion.
Unfortunately, this is prone to errors, like the one here: I
missed a case, and we could return without unlocking, causing a
deadlock later in the cleanup code as we tried to take the same
lock again.
Refactor the command to use `defer unlock()` to simplify and
avoid any further errors of this type.
Introduced by e66b788a51 - this
should be included in any backports of that commit.
Fixes#25585
Signed-off-by: Matt Heon <mheon@redhat.com>
do not run the expensive pmount.GetMounts() function if it is not
needed.
As a follow-up for commit c9c44d400c, do
not restore the propagation flag for the parent mount to shared unless
it was changed to slave first.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
AS pointed out by Valentin on #25491, it is not an actual bug but this
is makes it more clear how it works and should not confuse readers why
this case has no return.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
GoLang sets unset values to the default value of the type. This means that the destination of the log is an empty string and the count and size are set to 0. However, this means that size and count are unbounded, and this is not the default behavior.
Fixes: https://github.com/containers/podman/issues/25473
Fixes: https://issues.redhat.com/browse/RHEL-83262
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
Add a new option to allow for mounting artifacts in the container, the
syntax is added to the existing --mount option:
type=artifact,src=$artifactName,dest=/path[,digest=x][,title=x]
This works very similar to image mounts. The name is passed down into
the container config and then on each start we lookup the artifact and
the figure out which blobs to mount. There is no protaction against a
user removing the artifact while still being used in a container. When
the container is running the bind mounted files will stay there (as the
kernel keeps the mounts active even if the bind source was deleted).
On the next start it will fail to start as if it does not find the
artifact. The good thing is that this technically allows someone to
update the artifact with the new file by creating a new artifact with
the same name.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Instead of duplicating the NewArtifactStore() call in many places and
having to make sure we always pass the same path to it define it as
function on the runtime. This allows any caller with access to the
libpod runtime to create the store easily.
This is suing a sync.OnceValues() function so the store is initialized
only once and only when actually needed.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
There are multiple concurrent goroutinces which produce result and they
race agains each other, while producing different results.
This commit addresses at least a part of the problem - producing
different results for competing "sources".
Fixes: #25479
Signed-off-by: Yuri Timenkov <yuri@timenkov.pro>
When waiting for container to be not-running, sometimes wait retuns code
-1 with an empty error instead of actual exit code.
It turned out that syncContainer returns ErrCtrRemoved for a removed
container instead of ErrNoSuchCtr, while data can still be pulled from
the database.
This fixes the issue by taking into account both codes.
Fixes: #25479
Signed-off-by: Yuri Timenkov <yuri@timenkov.pro>
When starting a container consider healthcheck errors fatal. That way
user know when systemd-run failed to setup the timer to run the
healthcheck and we don't get into a state where the container is running
but not the healthcheck.
This also fixes the broken error reporting from the systemd-run exec, if
the binary could not be run the output was just empty leaving the users
with no idea what failed.
Fixes#25034
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit adds the "secret" Event type and emits
"create" and "remove" events for this Event type
when Secret is created or removed.
This can be used for example by podman interfaces to
view and manage secrets.
Fixes: #24030
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
This resolves an ordering issue that prevented quotas from being
applied. XFS quotas are applied recursively, but only for
subdirectories created after the quota is applied; if we create
`_data` before the quota, and then use `_data` for all data in
the volume, the quota will never be used by the volume.
Also, add a test that volume quotas are working as designed using
an XFS formatted loop device in the system tests. This should
prevent any further regressions on basic quota functionality,
such as quotas being shared between volumes.
Fixes#25368
Signed-off-by: Matt Heon <mheon@redhat.com>
This greatly simplifies the locking around these two functions,
and things end up looking a lot more elegant. This should prevent
the race flakes we were seeing before.
Fixes#25289
Signed-off-by: Matt Heon <mheon@redhat.com>
This seems to have been added as part of the cleanup of our
handling of OOM files, but code was never added to remove it, so
we leaked a single directory with an exit file and OOM file per
container run. Apparently have been doing this for a while - I'd
guess since March of '23 - so I'm surprised more people didn't
notice.
Fixes#25291
Signed-off-by: Matt Heon <mheon@redhat.com>
Kir Kolyshkin