This allows you to stop a container after a `podman stop` process
started, but did not finish, stopping the container (probably an
ignored stop signal, with no time to SIGKILL?). This is a very
narrow case, but once you're in it the only way to recover is a
`podman rm -f` of the container or extensive manual remediation
(you'd have to kill the container yourself, manually, and then
force a `podman ps --all --sync` to update its status from the
OCI runtime).
[NO NEW TESTS NEEDED] I have no idea how to verify this one -
we need to test that it actually started *during* the other stop
command, and that's nontrivial.
Signed-off-by: Matthew Heon <mheon@redhat.com>
The current implementation of the CNI network interface only loads the
networks on the first call and saves them in a map. This is done to safe
performance and not having to reload all configs every time which will be
costly for many networks.
The problem with this approach is that if a network is created by
another process it will not be picked up by the already running podman
process. This is not a problem for the short lived podman commands but
it is problematic for the podman service.
To make sure we always have the actual networks store the mtime of the
config directory. If it changed since the last read we have to read
again.
Fixes#11828
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add --time flag to podman container rm
Add --time flag to podman pod rm
Add --time flag to podman volume rm
Add --time flag to podman network rm
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
added support for a volumes from container. this flag just required movement of the volumes-from flag declaration
out of the !IsInfra block, and minor modificaions to container_create.go
Signed-off-by: cdoern <cdoern@redhat.com>
When using play kube and generate kube, we need to support if bind
mounts have selinux options. As kubernetes does not support selinux in
this way, we tuck the selinux values into a pod annotation for
generation of the kube yaml. Then on play, we check annotations to see
if a value for the mount exists and apply it.
Fixes BZ #1984081
Signed-off-by: Brent Baude <bbaude@redhat.com>
Do not create an expensive deep copy for the provided spec.Spec
when creating a container. No API should be expected to create
deep copies of arguments unless explicitly documented.
This removes the last call to JSONDeepCopy in a simple
`podman run --rm -d busybox true`.
[NO TESTS NEEDED]
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add a new function to libpod to directly access the runtime
configuration without creating an expensive deep copy. Further migrate
a number of callers to this new function.
This drops the number of calls to JSONDeepCopy from 4 to 1 in a simple
`podman run --rm -d busybox top`.
Future work: Please note that there are more callers of GetConfig() that
can me migrated to GetConfigNoCopy().
[NO TESTS NEEDED]
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
To avoid creating an expensive deep copy, create an internal function to
access the exec session.
[NO TESTS NEEDED]
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Access the container's spec field directly inside of libpod instead of
calling Spec() which in turn creates expensive JSON deep copies.
Accessing the field directly drops memory consumption of a simple
podman run --rm busybox true from ~700kB to ~600kB.
[NO TESTS NEEDED]
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
added the option for the user to specify a rate, in bytes, at which they would like to be able
to read from the device being added to the pod. This is the first in a line of pod device options.
WARNING: changed pod name json tag to pod_name to avoid confusion when marshaling with the containerspec's name
Signed-off-by: cdoern <cdoern@redhat.com>
As we were not updating the pod ID bucket, removing a pod with
containers still in it (including the infra container, which will
always suffer from this) will not properly update the name
registry to remove the name of any renamed containers. This
patch ensures that does not happen - all containers will be fully
removed, even if renamed.
Fixes#11750
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Access the container's config field directly inside of libpod instead of
calling `Config()` which in turn creates expensive JSON deep copies.
Accessing the field directly drops memory consumption of a simple
`podman run --rm busybox true` from 1245kB to 410kB.
[NO TESTS NEEDED]
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When generating a kube yaml and there is a port configuration
add the configuration to the first regular container in the pod
and not to the init container.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Podman 4.0 currently errors when you use network aliases for a network which
has dns disabled. Because the error happens on network setup this can
cause regression for old working containers. The network backend should not
validate this. Instead podman should check this at container create time
and also for network connect.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This matches what docker does. Also make sure the net aliases are also
shown when the container is stopped.
docker-compose uses this special alias entry to check if it is already
correctly connected to the network. [1]
Because we do not support static ips on network connect at the moment
calling disconnect && connect will loose the static ip.
Fixes#11748
[1] 0bea52b18d/compose/service.py (L663-L667)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Make podman network rm more robust by checking for ENOENT if we cannot
remove the config file. If it does not exists there is no reason to
error. This is especially useful for podman network prune.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
it allows to pass the current std streams down to the container.
conmon support: https://github.com/containers/conmon/pull/289
[NO TESTS NEEDED] it needs a new conmon.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The dnsname plugin tries to use XDG_RUNTIME_DIR to store files.
podman run will have XDG_RUNTIME_DIR set and thus the cni plugin can use
it. The problem is that XDG_RUNTIME_DIR is unset for the conmon process
for rootful users. This causes issues since the cleanup process is spawned
by conmon and thus not have XDG_RUNTIME_DIR set to same value as podman run.
Because of it dnsname will not find the config files and cannot correctly
cleanup.
To fix this we should also unset XDG_RUNTIME_DIR for the cni plugins as
rootful.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
podman inspect shows the healthcheck status in `.State.Healthcheck`,
docker uses `.State.Health`. To make sure docker scripts work we
should add the `Health` key. Because we do not want to display both keys
by default we only use the new `Health` key. This is a breaking change
for podman users but matches what docker does. To provide some form of
compatibility users can still use `--format {{.State.Healthcheck}}`. IT
is just not shown by default.
Fixes#11645
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If the command came from the underlying image, then we should
not include it in the generate yaml file.
Fixes: https://github.com/containers/podman/issues/11672
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The health check result is stored in the container state. Since the
state can change or might not even be set we have to retrive the current
state before we try to read the health check result.
Fixes#11687
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This will make reading the fields easier in rust because we can
guarantee that the fields will be present in the json output.
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Update CNI so we can match wrapped errors. This should silence ENOENT
warnings when trying to read the cni conflist files.
Fixes#10926
Because CNI v1.0.0 contains breaking changes we have to change some
import paths. Also we cannot update the CNI version used for the
conflist files created by `podman network create` because this would
require at least containernetwork-plugins v1.0.1 and a updated dnsname
plugin. Because this will take a while until it lands in most distros
we should not use this version. So keep using v0.4.0 for now.
The update from checkpoint-restore/checkpointctl is also required to
make sure it no longer uses CNI to read the network status.
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Currently we add the default PATH, TERM and container from Podman
to every kubernetes.yaml file. These values should not be recorded
in the yaml files.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Following PR allows containers to create and mount overlays on top of
named volumes instead of mounting actual volumes via already documented `:O`.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
added support for pod devices. The device gets added to the infra container and
recreated in all containers that join the pod.
This required a new container config item to keep track of the original device passed in by the user before
the path was parsed into the container device.
Signed-off-by: cdoern <cdoern@redhat.com>
Let the gvproxy dns server handle the host.containers.internal entry.
Support for this is already added to gvproxy. [1]
To make sure the container uses the dns response from gvproxy we should
not add host.containers.internal to /etc/hosts in this case.
[NO TESTS NEEDED] podman machine has no tests :/
Fixes#11642
[1] 1108ea4516
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The libpod package should only compile on linux. The remote client
should never try to import this package.
Since these files do not add any value we should remove them, this
prevents people from accidentally importing this package because it would
fail to compile on windows/macos.
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
make sure the pause process is moved to its own scope as well as what
we do when we join an existing user+mount namespace.
Closes: https://github.com/containers/podman/issues/11560
[NO TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The check for net=none was wrong. It just assumed when we do not create
the netns but have one set that we use the none mode. This however also
applies to a container which joins the pod netns.
To correctly check for the none mode use `config.NetMode.IsNone()`.
Fixes#11596
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Standardize on no-trunc through the code.
Alias notruncate where necessary.
Standardize on the man page display of no-trunc.
Fixes: https://github.com/containers/podman/issues/8941
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add support for the ipvlan cni plugin. This allows us to create,
inspect and list ipvlan networks correctly.
Fixes#10478
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Support setting the macvlan mode with `podman network create -d macvlan
--opt mode=bridge`. This will correctly set the specified macvlan mode
in the cni conflist file.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Drivers should return the list of supported network drivers by this
plugin. This is useful for podman info.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We do not use the ocicni code anymore so let's get rid of it. Only the
port struct is used but we can copy this into libpod network types so
we can debloat the binary.
The next step is to remove the OCICNI port mapping form the container
config and use the better PortMapping struct everywhere.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Make use of the new network interface in libpod.
This commit contains several breaking changes:
- podman network create only outputs the new network name and not file
path.
- podman network ls shows the network driver instead of the cni version
and plugins.
- podman network inspect outputs the new network struct and not the cni
conflist.
- The bindings and libpod api endpoints have been changed to use the new
network structure.
The container network status is stored in a new field in the state. The
status should be received with the new `c.getNetworkStatus`. This will
migrate the old status to the new format. Therefore old containers should
contine to work correctly in all cases even when network connect/
disconnect is used.
New features:
- podman network reload keeps the ip and mac for more than one network.
- podman container restore keeps the ip and mac for more than one
network.
- The network create compat endpoint can now use more than one ipam
config.
The man pages and the swagger doc are updated to reflect the latest
changes.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When configs are loaded from disk we need to check if they contain a
ipv6 subnet and set ipv6 enables to true in this case.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The default network should not be validated against used subnets, we have to ensure
that this network can always be created even when a subnet is already used on the host.
This could happen if you run a container on this net, then the cni interface will be
created on the host and "block" this subnet from being used again.
Therefore the next podman command tries to create the default net again and it would
fail because it thinks the network is used on the host.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Check that the given subnet does not conflict with existing ones (other
configs or host interfaces).
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Along with the name (id) and the version(_id)
But only show the information if is available
Examples: Fedora CoreOS, Ubuntu Focal
[NO TESTS NEEDED]
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
added support for the --volume flag in pods using the new infra container design.
users can specify all volume options they can with regular containers
resolves#10379
Signed-off-by: cdoern <cdoern@redhat.com>
For rootful users ports are forwarded via iptables. To make sure no
other process tries to use them, libpod will bind the ports and pass the
fds to conmon. There seems to be race when a container is restarted
because libpod tries to bind the port before the conmon process exited.
The problem only hapens with the podman service because it keeps the
connection open. Once we have the fd and passed it to conmon the
podman service should close the connection.
To verify run `sudo ss -tulpn` and check that only the conmon process
keeps the port open. Previously you would also see the podman server
process listed.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Allows users to specify a readonly rootfs with :O, in exchange podman will create a writable overlay.
bump builah to v1.22.1-0.20210823173221-da2b428c56ce
[NO TESTS NEEDED]
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
When a container is automatically restarted due its restart policy and
the container uses rootless cni networking with ports forwarded we have
to start a new rootlessport process since it exits with conmon.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Kubernetes has a concept of init containers that run and exit before
the regular containers in a pod are started. We added init containers
to podman pods as well. This patch adds support for generating init
containers in the kube yaml when a pod we are converting had init
containers. When playing a kube yaml, it detects an init container
and creates such a container in podman accordingly.
Note, only init containers created with the init type set to "always"
will be generated as the "once" option deletes the init container after
it has run and exited. Play kube will always creates init containers
with the "always" init container type.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
The rootless integration tests show the XDG_RUNTIME_DIR warning without
any reasons. Podman runs without problems in these and yet the warning
is shown. I think the problem is that we check the permission before we
create the runroot directory.
[NO TESTS NEEDED]
Fixes#11521
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
if the current cpu usage time is lower than what previously recorded,
then it means the container was restarted and now it runs in a new
cgroup. When this happens, reset the prevStats.
Closes: https://github.com/containers/podman/issues/11469
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The conmon buffer size is 8192, however the attach socket needs two extra
bytes. The first byte of each message will be the STREAM type. The last
byte is a null byte. So when we want to read 8192 message bytes we need
to read 8193 bytes since the first one is special.
check 1ef246896b/src/ctr_stdio.c (L101-L107)
This problem can be seen in podman-remote run/exec when it prints output
with 8192 or more bytes. The output will miss the 8192 byte.
Fixes#11496
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When inspecting a container, we now report whether the container
was stopped by a `podman checkpoint` operation via a new bool in
the State portion of inspected, `Checkpointed`.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Fix a dead lock in the file log driver where one goroutine would wait on
the tail to hit EOF but reading is blocked for the function to return.
Fixes: 11461
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We only use the `ip` util to remove a network interface. We can do
this directly via the netlink lib, no need to call a external binary.
[NO TESTS NEEDED]
Fixes#11403
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Creating the rootlessport socket can fail with `bind: invalid argument`
when the socket path is longer than 108 chars. This is the case for
users with a long runtime directory.
Since the kernel does not allow to use socket paths with more then 108
chars use a workaround to open the socket path.
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Secret environment variables were only available to a podman run/start.
This commit makes sure that exec sessions can see them as well.
Signed-off-by: Ashley Cui <acui@redhat.com>
Make sure that Podman passes the LISTEN_* environment into containers.
Similar to runc, LISTEN_PID is set to 1.
Also remove conditionally passing the LISTEN_FDS as extra files.
The condition was wrong (inverted) and introduced to fix#3572 which
related to running under varlink which has been dropped entirely
with Podman 3.0. Note that the NOTIFY_SOCKET and LISTEN_* variables
are cleared when running `system service`.
Fixes: #10443
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When /etc/resolv.conf is a symlink to an absolute path use it and not
join it the the previous path.
[NO TESTS NEEDED] This depends on the host layout.
Fixes#11358
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
There are use-cases where users would want to use overlay-mounts as
workdir. For such cases workdir should be resolved after all the mounts
are completed during the container init process.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
InfraContainer should go through the same creation process as regular containers. This change was from the cmd level
down, involving new container CLI opts and specgen creating functions. What now happens is that both container and pod
cli options are populated in cmd and used to create a podSpecgen and a containerSpecgen. The process then goes as follows
FillOutSpecGen (infra) -> MapSpec (podOpts -> infraOpts) -> PodCreate -> MakePod -> createPodOptions -> NewPod -> CompleteSpec (infra) -> MakeContainer -> NewContainer -> newContainer -> AddInfra (to pod state)
Signed-off-by: cdoern <cdoern@redhat.com>
Podman inspect has to show exposed ports to match docker. This requires
storing the exposed ports in the container config.
A exposed port is shown as `"80/tcp": null` while a forwarded port is
shown as `"80/tcp": [{"HostIp": "", "HostPort": "8080" }]`.
Also make sure to add the exposed ports to the new image when the
container is commited.
Fixes#10777
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Implement a new network interface to abstract CNI from libpod. The
interface is implemented for the CNI backend but in the future we can
add more backends.
The code is structured in three new packages:
- `libpod/network/types`: contains the interface definition
and the necessary types for it.
- `libpod/network/cni` contains the interface implementation for the CNI
backend.
- `libpod/network/util` a set of utility functions related to
networking.
The CNI package uses ginkgo style unit tests. To test Setup/Teardown the
test must be run as root. Each test will run in their own namespace to
make the test independent from the host environment.
New features with the CNI backend:
- The default network will be created in memory if it does not exists on
disk.
- It can set more than one static IP per container network.
- Networks are loaded once from disk and only if this interface is
used, e.g. for commands such as `podman info` networks are not loaded.
This reduces unnecessary disk IO.
This commit only adds the interface it is not wired into libpod. This
requires a lot of breaking changes which will be done in a followup
commit.
Once this is integrated into libpod the current network code under
`libpod/network` should be removed. Also the dependency on OCICNI
should be dropped.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
In libpod/logs.LogLine.Write(), don't write a newline to stdout/stderr
when the log message is only part of a line.
In libpod.ConmonOCIRuntime.HTTPAttach(), don't send a newline over the
HTTP connection when the log message is only part of a line.
In pkg/api/handlers/compat.LogsFromContainer(), don't send a newline
over the HTTP connection when the log message is only part of a line,
and don't make doing so conditional on whether or not the client used
the docker or podman endpoint.
In pkg/domain/infra/tunnel.ContainerEngine.ContainerLogs(), don't add
our own newline to log messages, since they already come through from
the server when they need to.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When reading log entries from the journal, don't skip past the first
matching entry after we've positioned the cursor at it.
Make the first blank-line entry that we logged so that the container
would always have at least one log entry for us to find (until it gets
vacuumed out, at least) a fake history entry, so that `logs` doesn't
pass it on for display.
CI already has tests that exercise journal-based logging, so
[NO TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
we were adding a negative duration in podman events, causing inputs like
-5s to be correct and 5s to be incorrect.
fixes#11158
Signed-off-by: cdoern <cdoern@redhat.com>
Adds support for transferring data between systems and backing up systems.
Use cases: recover from disasters or move data between machines.
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
This leverages conmon's ability to proxy the SD-NOTIFY socket.
This prevents locking caused by OCI runtime blocking, waiting for
SD-NOTIFY messages, and instead passes the messages directly up
to the host.
NOTE: Also re-enable the auto-update tests which has been disabled due
to flakiness. With this change, Podman properly integrates into
systemd.
Fixes: #7316
Signed-off-by: Joseph Gooch <mrwizard@dok.org>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When a network id is used to create a container we translate it to use the
name internally for the db. The network aliases are also stored with the
network name as key so we have to also translate them for the db.
Also removed some outdated skips from the e2e tests.
Fixes#11285
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
For docker compat include information about available volume, log and
network drivers which should be listed under the plugins key.
Fixes#11265
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Originally, Podman would unconditionally remove volumes from the
DB, even if they failed to be removed from the volume plugin;
this was a safety measure to ensure that `volume rm` can always
remove a volume from the database, even if the plugin is
misbehaving.
However, this is a significant deivation from Docker, which
refuses to remove if the plugin errors. These errors can be
legitimate configuration issues which the user should address
before the volume is removed, so Podman should also use this
behaviour.
Fixes#11214
Signed-off-by: Matthew Heon <mheon@redhat.com>
Dealing with os.Signal channels seems more like an art than science
since signals may get lost. os.Notify doesn't block on an unbuffered
channel, so users are expected to know what they're doing or hope for
the best.
In the recent past, I've seen a number of flakes and BZs on non-amd64
architectures where I was under the impression that signals may got
lost, for instance, during stop and exec.
[NO TESTS NEEDED] since this is art.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When a host uses systemd-resolved but not the resolved stub resolver the
following symlinks are created: `/etc/resolv.conf` ->
`/run/systemd/resolve/stub-resolv.conf` -> `/run/systemd/resolve/resolv.conf`.
Because the code uses filepath.EvalSymlinks we put the new resolv.conf
to `/run/systemd/resolve/resolv.conf` but the `/run/systemd/resolve/stub-resolv.conf`
link does not exists in the mount ns.
To fix this we will walk the symlinks manually until we reach the first
one under `/run` and use this for the resolv.conf file destination.
This fixes a regression which was introduced in e73d482990.
Fixes#11222
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
after the init containers pr merged, it was suggested to use `once`
instead of `oneshot` containers as it is more aligned with other
terminiology used similarily.
[NO TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
Add the --userns flag to podman pod create and keep
track of the userns setting that pod was created with
so that all containers created within the pod will inherit
that userns setting.
Specifically we need to be able to launch a pod with
--userns=keep-id
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
The slirp4netns path can be set in the config file or with
--network-cmd-path. Podman info should read the version information
correctly and not use PATH in this case. Also show the slirp4netns
version information to root users.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
this is the first pass at implementing init containers for podman pods.
init containersare made popular by k8s as a way to run setup for pods
before the pods standard containers run.
unlike k8s, we support two styles of init containers: always and
oneshot. always means the container stays in the pod and starts
whenever a pod is started. this does not apply to pods restarting.
oneshot means the container runs onetime when the pod starts and then is
removed.
Signed-off-by: Brent Baude <bbaude@redhat.com>
To match Docker's behavior, in the `--net=host` case, we need to
use the host's `/etc/hosts` file, unmodified (without adding an
entry for the container). We will still respect hosts from
`--add-host` but will not make any automatic changes.
Fortuntely, this is strictly a matter of removal and refactoring
as we already base our `/etc/hosts` on the host's version - just
need to remove the code that added entries when net=host was set.
Fixes#10319
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
podman info takes >20s on Gentoo, because equery is s..l..o..w.
qfile is much faster and, I suspect, present in most Gentoo
installations, so let's try it first.
And, because packageVersion() was scarily unmaintainable,
refactor it. Define a simple (string) list of packaging tools
to query (rpm, dpkg, ...) and iterate until we find one that
works.
IMPORTANT NOTE: the Debian (and, presumably, Ubuntu) query does not
include version number! There is no standard way on Debian to get
a package version from a file path, you can only do it via pipes
of chained commands, and I have no desire to implement that.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The rootlessport forwarder requires a child IP to be set. This must be a
valid ip in the container network namespace. The problem is that after a
network disconnect and connect the eth0 ip changed. Therefore the
packages are dropped since the source ip does no longer exists in the
netns.
One solution is to set the child IP to 127.0.0.1, however this is a
security problem. [1]
To fix this we have to recreate the ports after network connect and
disconnect. To make this work the rootlessport process exposes a socket
where podman network connect/disconnect connect to and send to new child
IP to rootlessport. The rootlessport process will remove all ports and
recreate them with the new correct child IP.
Also bump rootlesskit to v0.14.3 to fix a race with RemovePort().
Fixes#10052
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-20199
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Currently we override the SELinux labels specified by the user
if the container is runing a kata container or systemd container.
This PR fixes to use the label specified by the user.
Fixes: https://github.com/containers/podman/issues/11100
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This adds support to checkpoint containers out of pods and restore
container into pods.
It is only possible to restore a container into a pod if it has been
checkpointed out of pod. It is also not possible to restore a non pod
container into a pod.
The main reason this does not work is the PID namespace. If a non pod
container is being restored in a pod with a shared PID namespace, at
least one process in the restored container uses PID 1 which is already
in use by the infrastructure container. If someone tries to restore
container from a pod with a shared PID namespace without a shared PID
namespace it will also fail because the resulting PID namespace will not
have a PID 1.
Signed-off-by: Adrian Reber <areber@redhat.com>
The upcoming commit to support checkpointing out of Pods requires CRIU
3.16. This changes the CRIU version check to support checking for
different versions.
Signed-off-by: Adrian Reber <areber@redhat.com>
Implement container to container copy. Previously data could only be
copied from/to the host.
Fixes: #7370
Co-authored-by: Mehul Arora <aroram18@mcmaster.ca>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Make sure podman network create reads all subnets from existing cni configs
and not only the first one.
Fixes#11032
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
compat containers/logs was missing actual usage of until query param.
This led me to implement the until param for libpod's container logs as well. Added e2e tests.
Signed-off-by: cdoern <cdoern@redhat.com>
The global flag will work in either location, and this flag just breaks
users expectations, and is basically a noop.
Also fix global storage-opt so that podman-remote can use it.
[NO TESTS NEEDED] Since it would be difficult to test in ci/cd.
Fixes: https://github.com/containers/podman/issues/10264
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The `IgnorePlatform` options has been removed from the
`LookupImageOptions` in libimage to properly support multi-arch images.
Skip one buildah-bud test which requires updated CI images. This is
currently being done in github.com/containers/podman/pull/10829 but
we need to unblock merging common and buildah into podman.
[NO TESTS NEEDED]
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Adds the new --infra-name command line argument allowing users to define
the name of the infra container
Issue #10794
Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com>
added support for --pid flag. User can specify ns:file, pod, private, or host.
container returns an error since you cannot point the ns of the pods infra container
to a container outside of the pod.
Signed-off-by: cdoern <cdoern@redhat.com>
There was an race condition when calling `GetRootlessCNINetNs()`. It
created the rootless cni directory before it got locked. Therefore
another process could have called cleanup and removed this directory
before it was used resulting in errors. The lockfile got moved into the
XDG_RUNTIME_DIR directory to prevent a panic when the parent dir was
removed by cleanup.
Fixes#10930Fixes#10922
To make this even more robust `GetRootlessCNINetNs()` will now return
locked. This guarantees that we can run `Do()` after `GetRootlessCNINetNs()`
before another process could have called `Cleanup()` in between.
[NO TESTS NEEDED] CI is flaking, hopefully this will fix it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Fix issue 10929 : `[Regression in 3.2.0] CNI-in-slirp4netns DNS gets broken when running a rootful container after running a rootless container`
When /etc/resolv.conf on the host is a symlink to /run/systemd/resolve/stub-resolv.conf,
we have to mount an empty filesystem on /run/systemd/resolve in the child namespace,
so as to isolate the directory from the host mount namespace.
Otherwise our bind-mount for /run/systemd/resolve/stub-resolv.conf is unmounted
when systemd-resolved unlinks and recreates /run/systemd/resolve/stub-resolv.conf on the host.
[NO TESTS NEEDED]
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
On EOF of STDIN, we need to perform a one-sided close of the
attach connection on the client side, to ensure that STDIN
finishing will also cause the exec session to terminate, instead
of hang.
Fixes#7360
Signed-off-by: Matthew Heon <mheon@redhat.com>
If mounting to existing directory the uid/gid should be preserved.
Primary uid/gid of container shouldn't be used.
Signed-off-by: Matej Vasek <mvasek@redhat.com>
We should not be exposing the store outside of Libpod. We want to
encapsulate it as an internal implementation detail - there's no
reason functions outside of Libpod should directly be
manipulating container storage. Convert the last use to invoke a
method on Libpod instead, and remove the function.
[NO TESTS NEEDED] as this is just a refactor.
Signed-off-by: Matthew Heon <mheon@redhat.com>
The rootless cni namespace needs a valid /etc/resolv.conf file. On some
distros is a symlink to somewhere under /run. Because the kernel will
follow the symlink before mounting, it is not possible to mount a file
at exactly /etc/resolv.conf. We have to ensure that the link target will
be available in the rootless cni mount ns.
Fixes#10855
Also fixed a bug in the /var/lib/cni directory lookup logic. It used
`filepath.Base` instead of `filepath.Dir` and thus looping infinitely.
Fixes#10857
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add a new service reaper package. Podman currently does not reap all
child processes. The slirp4netns and rootlesskit processes are not
reaped. The is not a problem for local podman since the podman process
dies before the other processes and then init will reap them for us.
However with podman system service it is possible that the podman
process is still alive after slirp died. In this case podman has to reap
it or the slirp process will be a zombie until the service is stopped.
The service reaper will listen in an extra goroutine on SIGCHLD. Once it
receives this signal it will try to reap all pids that were added with
`AddPID()`. While I would like to just reap all children this is not
possible because many parts of the code use `os/exec` with `cmd.Wait()`.
If we reap before `cmd.Wait()` things can break, so reaping everything
is not an option.
[NO TESTS NEEDED]
Fixes#9777
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
First, make podman diff accept optionally a second argument. This allows
the user to specify a second image/container to compare the first with.
If it is not set the parent layer will be used as before.
Second, podman container diff should only use containers and podman
image diff should only use images. Previously, podman container diff
would use the image when both an image and container with this name
exists.
To make this work two new parameters have been added to the api. If they
are not used the previous behaviour is used. The same applies to the
bindings.
Fixes#10649
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Pull the trigger on the `pkg/registries` package which acted as a proxy
for `c/image/pkg/sysregistriesv2`. Callers should be using the packages
from c/image directly, if needed at all.
Also make use of libimage's SystemContext() method which returns a copy
of a system context, further reducing the risk of unintentionally
altering global data.
[NO TESTS NEEDED]
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Create the /etc and /etc/mtab directories with the
correct ownership based on what the UID and GID is
for the container. This was causing issue when starting
the infra container with userns as the /etc directory
wasn't being created with the correct ownership.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Added logic and handling for two new Podman pod create Flags.
--cpus specifies the total number of cores on which the pod can execute, this
is a combination of the period and quota for the CPU.
--cpuset-cpus is a string value which determines of these available cores,
how many we will truly execute on.
Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
added Avg Cpu calculation and CPU up time to podman stats. Adding different feature sets in different PRs, CPU first.
resolves#9258
Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
`syncContainer()` requires the container to be locked, otherwise we can
end up with undefined behavior.
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Podman does not need to watch the cni config directory. If a network is
not found in the cache, OCICNI will reload the networks anyway and thus
even podman system service should work as expected.
Also include a change to not mount a "new" /var by default in the
rootless cni ns, instead try to use /var/lib/cni first and then the
parent dir. This allows users to store cni configs under /var/... which
is the case for the CI compose test.
[NO TESTS NEEDED]
Fixes#10686
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Commit 84b55eec27 attempted to fix a race waiting for the container
died event. Previously, Podman slept for duration of the polling
frequence which I considerred to be a mistake. As it turns out, I was
mistaken since the file logger will, in fact, NOT read until EOF and
then stop logging but stop logging immediately _after_ it woke up.
[NO TESTS NEEDED] as the race condition cannot be hit reliably.
Fixes: #10675
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Fix the suprious "Error: nil" messages. Also add some more context to
logged error messages which makes error sources more obvious.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Previously podman failed when run in an environment where 127.0.0.53 is
the only nameserver but systemd-resolved is not used directly.
In practice this happened when podman was run within an alpine container
that used the host's network and the host was running systemd-resolved.
This fix makes podman ignore a file not found error when reading /run/systemd/resolve/resolv.conf.
Closes#10733
[NO TESTS NEEDED]
Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
Users are complaining about read/only /var/tmp failing
even if TMPDIR=/tmp is set.
This PR Fixes: https://github.com/containers/podman/issues/10698
[NO TESTS NEEDED] No way to test this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When starting a process with `podman exec -it` the terminal is resized
after the process is started. To fix this allow exec start to accept the
terminal height and width as parameter and let it resize right before
the process is started.
Fixes#10560
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The container name should have the slirp interface ip set in /etc/hosts
and not the gateway ip. Commit c8dfcce6db introduced this regression.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1972073
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Matthew Heon
OpenShift Merge Robot
Paul Holzinger
Daniel J Walsh
cdoern
Ethan Soucy
Brent Baude
Valentin Rothberg
Matthew Heon
Urvashi Mohnani
Giuseppe Scrivano
Aditya Rajan
Anders F Björklund
flouthoc
dependabot[bot]
Parham Alvani
Ashley Cui
Nalin Dahyabhai
Jhon Honce
openshift-ci[bot]
Ed Santiago
Adrian Reber
Mehul Arora
Vikas Goel
José Guilherme Vanz
Akihiro Suda
Matej Vasek
cdoern
Max Goltzsche