we are currently using something like /run/user/UID/run as runroot, as
it is already done by Buildah. This ends up with
/run/user/UID/run/runc for the runc directory. Change to drop the
additional /run so that runc will use /run/user/UID/runc.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
conmon creates a symlink to avoid using a too long UNIX path.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1641800
There is still one issue when the path length of the symlink has the
same length of the attach socket parent directory since conmon fails
to create the symlink, but that must be addressed in conmon first.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
when the PS command was reworked for performance and formatting improvements,
i forgot to truncate the command field. Long container commands was throwing
the formatting off. we now truncated to 17 characters plus the elipses.
Signed-off-by: baude <bbaude@redhat.com>
Use image ubuntu-1804-bionic-v20180911-libpod-63a86a18 which was built
with RUNC_COMMIT 78ef28e63bec2ee4c139b5e3e0d691eb9bdc748d.
Signed-off-by: Chris Evich <cevich@redhat.com>
for backwards compatibility and auto-test, we needed a few changes
that slipped in when i reworked ps to be faster to be reverted. the
follow behaviours were reverted:
1. the is_infra column was redacted. that appears to be a mistake on my
part.
2. a newline after ps prints its format was added
3. a newline prior to printing the headers was removed.
Signed-off-by: baude <bbaude@redhat.com>
Ed has asked that we revert to using two spaces for padding between PS fields. I assume
this is for docker autotests.
Signed-off-by: baude <bbaude@redhat.com>
Only return `ErrCtrStateInvalid` errors when the mount counter is equal
to 1. Also fix the "can't unmount [...] last mount[..]" error which
hasn't been returned when the error passed to `errors.Errorf()` is nil.
Fixes: #1695
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
for the purposes of performance and security, we use securejoin to contstruct
the root fs's path so that symlinks are what they appear to be and no pointing
to something naughty.
then instead of chrooting to parse /etc/passwd|/etc/group, we now use the runc user/group
methods which saves us quite a bit of performance.
Signed-off-by: baude <bbaude@redhat.com>
Add a section about describing changes in commit messages. GitHub tends
to drive the large part of discussions and change descriptions to the
corresponding pull requests and issues, but such information is lost in
the git history. Not providing sufficient information in commit
messages is painful for reviewing and can cause issues while debugging.
It also complicates studying source code, where reading commit messages
and the code's git history is a common approach to better understand the
code.
Following the descriptions should be enforced by the maintainers of the
libpod project. Pull requests containing commits without proper
descriptions should not be merged.
This change bases on the documentation of the Linux kernel v4.17:
https://www.kernel.org/doc/html/v4.17/process/submitting-patches.html
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
add a global flag for --max-workers so users can limit the number
of parallel operations for a given function. also, when not limited
by max-workers, we implement a heuristic function that returns the
number of preferred parallel workers based on the number of CPUs and
the given operation.
Signed-off-by: baude <bbaude@redhat.com>
We implement the securejoin method to make sure the paths to /etc/passwd and
/etc/group are not symlinks to something naughty or outside the container
image. And then instead of actually chrooting, we use the runc functions to
get information about a user. The net result is increased security and
a a performance gain from 41ms to 100us.
Signed-off-by: baude <bbaude@redhat.com>
run prepare() -- which consists of creating a network namespace and
mounting the container image is now run in parallel. This saves 25-40ms.
Signed-off-by: baude <bbaude@redhat.com>
As discussed [1], the runlabel command should execute any command
specified in a label. The reasoning behind is that we cannot restrict
which options are passed to Podman which thereby has full access to the
host (runlabels must be used with care).
With the updated semantics, runlabel will substitute the commands with a
basepath equal to "docker" or "podman" with "/proc/self/exe", and
otherwise leave the command unchanged to execute any other command on
the host.
[1] https://github.com/containers/libpod/pull/1607#issuecomment-428321382
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
prevent opening the same file twice, since we re-exec podman in
rootless mode. While at it, also solve a possible race between the
check for the file and writing to it. Another process could have
created the file in the meanwhile and we would just end up overwriting
it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Giuseppe Scrivano
OpenShift Merge Robot
baude
Chris Evich
Anders F Björklund
Valentin Rothberg
Qi Wang
Daniel J Walsh
Jhon Honce