Commit Graph

13799 Commits

Author SHA1 Message Date
Radostin Stoyanov f3d485d4d7
Enable checkpoint/restore for /dev/shm
When Podman is running a container in private IPC mode (default), it
creates a bind mount for /dev/shm that is then attached to a tmpfs
folder on the host file system. However, checkpointing a container has
the side-effect of stopping that container and unmounting the tmpfs used
for /dev/shm. As a result, after checkpoint all files stored in the
container's /dev/shm would be lost and the container might fail to
restore from checkpoint.

To address this problem, this patch creates a tar file with the
content of /dev/shm that is included in the container checkpoint and
used to restore the container.

Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
2021-12-23 05:47:25 +00:00
Radostin Stoyanov 2d7dbda415
Update github.com/checkpoint-restore/checkpointctl
DevShmCheckpointTar constant has been recently introduced in
checkpointctl. This constant will be used in a subsequent patch and this
patch contains auto-generated changes with the following commands:

go get github.com/checkpoint-restore/checkpointctl
go mod tidy
go mod vendor

Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
2021-12-23 05:36:46 +00:00
OpenShift Merge Robot 74a58faf2a
Merge pull request #12685 from mheon/handle_nil_passwd
Always run passwd management code when DB value is nil
2021-12-22 23:58:08 +01:00
Matthew Heon af1dbbfb75 Always run passwd management code when DB value is nil
This ensures that existing containers will still manage
`/etc/passwd` by default, as they have been doing until now. New
containers that explicitly set `false` will still have passwd
management disabled, but otherwise the code will run.

[NO NEW TESTS NEEDED] This will only be caught on upgrade and I
don't really know how to write update tests - and Ed is on PTO.

Signed-off-by: Matthew Heon <mheon@redhat.com>
2021-12-22 11:39:52 -05:00
OpenShift Merge Robot 2aea0a5e9b
Merge pull request #12375 from rhatdan/hosts
Use hosts public ip address in rootless containers
2021-12-22 16:40:10 +01:00
OpenShift Merge Robot 3280204f72
Merge pull request #12668 from vrothberg/fix-12667
support hosts without /etc/hosts
2021-12-22 12:13:57 +01:00
OpenShift Merge Robot 85f21fb2bd
Merge pull request #12664 from cdoern/noManagePasswd
Podman run --passwd
2021-12-22 12:09:56 +01:00
Valentin Rothberg 04dbbd96b6 support hosts without /etc/hosts
Fixes: #12667
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-12-22 10:15:24 +01:00
cdoern 20ce6e5c60 Podman run --passwd
added support for a new flag --passwd which, when false, prohibits podman from creating entries in
/etc/passwd and /etc/groups allowing users to modify those files in the container entrypoint

resolves #11805

Signed-off-by: cdoern <cdoern@redhat.com>
2021-12-21 17:19:41 -05:00
OpenShift Merge Robot d2fcfef8b0
Merge pull request #12670 from giuseppe/fix-crun-ci
ci: force scratch build for crun
2021-12-21 17:44:20 +01:00
OpenShift Merge Robot 253fddbdfd
Merge pull request #12663 from vrothberg/compat-normalization
compat: image normalization: handle sha256 prefix
2021-12-21 16:00:22 +01:00
Giuseppe Scrivano fca66b6cb5
ci: force scratch build for crun
force a version with this fix: https://github.com/containers/crun/pull/819

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-21 15:49:32 +01:00
Daniel J Walsh 64ce6949f2
Use hosts public ip address in rootless containers
Add first non localhost ipv4 of all host interfaces as destination
for host.containers.internal for rootless containers.

Fixes: https://github.com/containers/podman/issues/12000

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-12-21 08:50:40 -05:00
OpenShift Merge Robot f3d6672c7d
Merge pull request #12662 from adrianreber/2021-12-20-checkpoint-restore-man-pages
[CI:DOCS] Small checkpoint/restore man page fixes
2021-12-21 14:46:20 +01:00
OpenShift Merge Robot f7eabfe6b6
Merge pull request #12659 from adrianreber/2021-12-20-checkpoint-systemd-entrypoint
[CI:DOCS] Explicitly mention that checkpointing systemd containers might fail
2021-12-21 14:44:21 +01:00
OpenShift Merge Robot da7de332b6
Merge pull request #12621 from giuseppe/honor-userns-auto-conf-file
specgen: honor userns=auto from containers.conf
2021-12-21 14:42:19 +01:00
Valentin Rothberg b1f5e861b0 compat: image normalization: handle sha256 prefix
When normalizing image names on the compat API, make sure to take the
`sha256:` prefix into account when matching against the image ID.
Otherwise, the name will mistakenly be subject to docker.io
normalization.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-12-20 17:27:02 +01:00
Giuseppe Scrivano 89ee302a9f
specgen: honor userns=auto from containers.conf
when using the default userns value, make sure its value is parsed so
that userns=auto is parsed and the options for the storage are filled.

Closes: https://github.com/containers/podman/issues/12615

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-20 17:03:40 +01:00
OpenShift Merge Robot 76d32a1eb9
Merge pull request #12640 from vrothberg/fix-12631
apiv2 tests: use quay.io/libpod/testimage:20210610 for platform tests
2021-12-20 16:56:29 +01:00
OpenShift Merge Robot c133c5f047
Merge pull request #12655 from giuseppe/fix-libsubid-test
build: fix test for subid 4
2021-12-20 16:44:28 +01:00
Adrian Reber bb096c3bf2 [CI:DOCS] Small checkpoint/restore man page fixes
At some places the checkpoint restore man pages were using the markdown
modifier `**` inside `*..*`. This does not seem to work as intended and
results in markdown modifiers present in the final man page. Switching
to `__` inside of `*..*` seems to fix this.

Signed-off-by: Adrian Reber <areber@redhat.com>
2021-12-20 15:38:33 +00:00
Adrian Reber 1ddb49c66d [CI:DOCS] Explicitly mention that checkpointing systemd containers might fail
Checkpointing a container using systemd as entrypoint will probably result
in an error as CRIU cannot handle all the resources the latest systemd uses.

This updates the checkpoint man page with this information.

Signed-off-by: Adrian Reber <areber@redhat.com>
2021-12-20 15:37:32 +00:00
OpenShift Merge Robot 516c16c366
Merge pull request #12648 from ttys3/fix-generate-kube-env-missing
fix(generate): fix up podman generate kube missing env field bug
2021-12-20 12:52:30 +01:00
Giuseppe Scrivano 3570c38ffe
vendor: update containers/storage
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-20 10:09:34 +01:00
Giuseppe Scrivano 48cb446514
build: fix test for subid 4
libsubid changes its ABI in version 4.  Account for the different name
in the configure script.

Closes: https://github.com/containers/podman/issues/12654

[NO NEW TESTS NEEDED] it is a change in the build script

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-20 10:09:34 +01:00
Giuseppe Scrivano 46a094a7a2
test: add --rm to podman run commands
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-20 09:00:52 +01:00
Daniel J Walsh f45070ee0e
Merge pull request #12626 from vrothberg/may-the-force-be-with-removal
image rm: allow for force-remove infra images
2021-12-19 06:18:21 -05:00
Daniel J Walsh 65efd55d41
Merge pull request #12641 from giuseppe/add-more-logging-setuserns
rootless: include the args in the debug message
2021-12-19 06:17:29 -05:00
荒野無燈 af6bcd0867
fix(generate): fix up podman generate kube missing env field bug
the logic is: if the process env vars key exists in podman default or in image defined, and the value is equal, skip the env var key.
the typo makes it compare to itself -_-
so, here comes the simple fixup.

Signed-off-by: 荒野無燈 <ttys3.rust@gmail.com>
2021-12-18 09:25:37 +08:00
OpenShift Merge Robot 59766ebe76
Merge pull request #12625 from adrianreber/2021-12-16-podman-inspect
Add more checkpoint/restore information to 'inspect'
2021-12-17 16:04:26 +01:00
Giuseppe Scrivano a837984c46
rootless: include the args in the debug message
include the arguments used to create the user namespace to help
debugging.

[NO NEW TESTS NEEDED] it changes a debug message

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-17 14:47:18 +01:00
Valentin Rothberg 5cbc6b62da apiv2 tests: use quay.io/libpod/testimage:20210610 for platform tests
The quay.io/libpod/testimage:20210610 is known not to change and to
remain stable over time.  While the same should apply for alpine image
on quay.io/libpod, we've seen it flake and return the wrong image.

The reasons for that observation are unknown.

Fixes: #12631
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-12-17 14:15:11 +01:00
Valentin Rothberg 12d762f8ee image rm: allow for force-remove infra images
Force removal of images will also remove associated containers.
Historically, infra containers have been excluded resulting in
rather annoying errors, for instance, when running `rmi -af`.

Since there are no reasons to exclude infra containers, allow for
removing the entire pod when an infra image is force removed.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-12-17 13:23:11 +01:00
OpenShift Merge Robot 820cf0e066
Merge pull request #12622 from flouthoc/return_exit_code_for_build
build: relay `exitcode` from imagebuildah to registry
2021-12-17 13:16:23 +01:00
Aditya Rajan 6423174c67
tests: adjust old build test to expect exit code
Old build tests were expecting generic error code `125` however another
commit in this PR ensures that we relay exact exit code from build to
registry.

Hence adjusting tests

Signed-off-by: Aditya Rajan <arajan@redhat.com>
2021-12-17 16:20:03 +05:30
Adrian Reber 28018ce604
Test for checkpoint specific inspect fields
This extends one of the checkpoint/restore tests to see if the
newly introduced checkpoint specific fields in 'inspect' work as
intended.

Signed-off-by: Adrian Reber <areber@redhat.com>
2021-12-17 10:02:35 +00:00
Adrian Reber bc3389e212
Add more checkpoint/restore information to 'inspect'
This adds the following information to the output of 'podman inspect':

 * CheckpointedAt - time the container was checkpointed
   Only set if the container has been checkpointed

 * RestoredAt - time the container was restored
   Only set if the container has been restored

 * CheckpointLog - path to the checkpoint log file (CRIU's dump.log)
   Only set if the log file exists (--keep)

 * RestoreLog - path to the restore log file (CRIU's restore.log)
   Only set if the log file exists (--keep)

 * CheckpointPath - path to the actual (CRIU) checkpoint files
   Only set if the checkpoint files exist (--keep)

 * Restored - set to true if the container has been restored
   Only set if the container has been restored

Signed-off-by: Adrian Reber <areber@redhat.com>
2021-12-17 10:02:35 +00:00
Aditya Rajan f566d8b8e5
build: relay exitcode from imagebuildah to registry
Podman does not relay exit code from buildah instead returns a generic
error code `125`. Following PR allows `podman` to relay exit code from
`imagebuildah` to `registry` as it is.

Signed-off-by: Aditya Rajan <arajan@redhat.com>
2021-12-17 15:07:50 +05:30
OpenShift Merge Robot c9a3f4ec44
Merge pull request #12634 from baude/bz2024229
Removed .service file for healthchecks
2021-12-17 02:25:49 +01:00
OpenShift Merge Robot 52d5f367b1
Merge pull request #12609 from baude/tz
Set machine timezone
2021-12-16 22:37:49 +01:00
Brent Baude e88c21366d Removed .service file for healthchecks
when a container with healthchecks exits due to stopping or failure, we
need the cleanup process to remove both the timer file and the service
file.

Bz#:2024229

Signed-off-by: Brent Baude <bbaude@redhat.com>
2021-12-16 14:11:50 -06:00
OpenShift Merge Robot 2c98694559
Merge pull request #12608 from Luap99/cobra
bump cobra to 1.3.0
2021-12-16 20:21:51 +01:00
OpenShift Merge Robot be6f9ce921
Merge pull request #12610 from Luap99/cryptorand
MovePauseProcessToScope do not seed every time
2021-12-16 20:19:50 +01:00
Brent Baude a86495ea6f Set machine timezone
Added an option to podman machine init to declare the timezone of the
resulting machine.  The default is to use the value of the host name or
else a given timezone name like America/Chicago.

Fixes: #11895

Signed-off-by: Brent Baude <bbaude@redhat.com>

[NO NEW TESTS NEEDED]

Signed-off-by: Brent Baude <bbaude@redhat.com>
2021-12-16 12:40:20 -06:00
OpenShift Merge Robot 273da42af2
Merge pull request #12606 from vrothberg/fix-12441
bindings rmi test: clarify behavior
2021-12-16 17:01:50 +01:00
OpenShift Merge Robot b9141c06f0
Merge pull request #12623 from giuseppe/revert-old-PR-template
[CI:DOCS] .github: revert to the old template
2021-12-16 15:39:51 +01:00
Paul Holzinger 459e784147
MovePauseProcessToScope do not seed every time
Instead of using math/rand we can use crypto/rand which we do not have
to seed. crypto/rand uses getrandom(2)
Also instead of adding an int to the scope name we add a 4 byte hex
string.

[NO NEW TESTS NEEDED]

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2021-12-16 15:35:11 +01:00
Valentin Rothberg f241efb179 bindings rmi test: clarify behavior
The libpod/images/remove endpoint is not very REST-ish but, after some
debate, was decided to be implemented as is for the following reasons.

First, it allows for batch removing images which improves performance
significantly.  Note that Docker does support `rmi -a`!

Second, it allows for hiding the logic of setting the right exit code to
use from the client and keep all the logic on the server.

Hence, when removing an image that does not exist, the server will
return a 200. The response, however, includes the error message to be
used *and* the exit code that podman-remote will use.

Fixes: #12441
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-12-16 15:31:29 +01:00
Paul Holzinger 03a3fc37fe
bump cobra to 1.3.0
This contains some fixes for the shell completion files.

[NO NEW TESTS NEEDED]

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2021-12-16 15:28:39 +01:00
Giuseppe Scrivano 6cde9255f0
.github: revert to the old template
we are not using any of the metadata in the new format, so we have
only the downside that it is more annoying to fill.

[CI:DOCS] no need to run the CI

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-16 15:23:39 +01:00