Have one function without a `defer lock.unlock()` as one of the
commands in it calls a function that also takes the same lock,
so the unlock has to happen prior to function completion.
Unfortunately, this is prone to errors, like the one here: I
missed a case, and we could return without unlocking, causing a
deadlock later in the cleanup code as we tried to take the same
lock again.
Refactor the command to use `defer unlock()` to simplify and
avoid any further errors of this type.
Introduced by e66b788a514fb8df2c8b8d3c000e0d543bbd60df - this
should be included in any backports of that commit.
Fixes #25585
Signed-off-by: Matt Heon <mheon@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
(cherry picked from commit c9c44d400c2870e9a6c966647be1c414dc773b66)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
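The failure mode described in the commit message above, as an added Go example that is not Podman's code: `store`, `cleanup`, `removeManual` and `removeDeferred` are hypothetical names. The manual variant returns early with the mutex held, while the deferred variant confines the locked work to a scope whose `defer` covers every return path before the lock-taking callee runs.

```go
package main

import (
	"fmt"
	"sync"
)

// store is a hypothetical object guarded by one non-reentrant lock.
type store struct {
	mu    sync.Mutex
	items map[string]bool
}

// cleanup takes the same lock, so callers must release it first.
func (s *store) cleanup(name string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.items, name)
}

// removeManual unlocks by hand; its early return forgets to.
func (s *store) removeManual(name string) bool {
	s.mu.Lock()
	if !s.items[name] {
		return false // bug: lock still held
	}
	s.mu.Unlock()
	s.cleanup(name)
	return true
}

// removeDeferred scopes the locked work so defer covers every return path.
func (s *store) removeDeferred(name string) bool {
	found := func() bool {
		s.mu.Lock()
		defer s.mu.Unlock()
		return s.items[name]
	}()
	if found {
		s.cleanup(name)
	}
	return found
}

func main() {
	a, b := &store{}, &store{}
	a.removeManual("x")
	b.removeDeferred("x")
	fmt.Println(!a.mu.TryLock(), !b.mu.TryLock()) // leaked? true false
}
```

`TryLock` (Go 1.18 and later) fails only when an earlier call returned with the mutex still locked, which is the state that would block a later `cleanup` call forever.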
unify the error codes returned by runc and crun.
Fix the tests to work with both runtimes, as well as the
https://github.com/containers/crun/pull/1672 changes in progress for
crun.
Follow-up for https://github.com/containers/podman/pull/25340
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
(cherry picked from commit 4695564730abf8432102f8a07546afc9f87f855b)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Needed-by: https://github.com/containers/crun/pull/1672
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
(cherry picked from commit c65bb903b63c60a1ef2ccd3c21e118c4784d2f6b)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
"podman run exit ExecErrorCodeCannotInvoke" does the same thing.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
(cherry picked from commit 35d2a65e3ac2326c33242101f1344134136feb7e)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This is simpler as we don't have to rely on an external command. The
retry loop is needed as we check for a container process connection, and
while we know podman binds the port before returning there is no way to
know when the container application bound the port so we must retry a
bit.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit bcc2063e9e701b2dd87998ac5756b2830a10665b)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
nc can be provided by either ncat (nmap) or netcat (OpenBSD), we only
work with the nmap version so make sure we always use that one and not
the short alias which can be resolved to either one.
It is not clear to me what changed on rawhide but it seems netcat is
preferred even though we have nmap-ncat installed.
Note this only changes the host side nc calls, the Alpine based images
only have nc as command so we must continue to use it inside.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit f8787bb219b3a25d689f6afc292e3abc19644869)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
GoLang sets unset values to the default value of the type. This means that the destination of the log is an empty string and the count and size are set to 0. However, this means that size and count are unbounded, and this is not the default behavior.
Fixes: https://github.com/containers/podman/issues/25473
Fixes: https://issues.redhat.com/browse/RHEL-83262
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
When no containers could be started we need to make sure the unit status
reflects this. This means we should not send the READY=1 message and not
keep the service container running when we were unable to start any
container.
There is the question what should happen when only a subset was started.
For systemd we can only be either running or failed. And as podman kube
play also just keeps the partially started pods running I opted to let
systemd keep considering this as success.
Fixes #20667
Fixes https://issues.redhat.com/browse/RHEL-80471
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This resolves an ordering issue that prevented quotas from being
applied. XFS quotas are applied recursively, but only for
subdirectories created after the quota is applied; if we create
`_data` before the quota, and then use `_data` for all data in
the volume, the quota will never be used by the volume.
Also, add a test that volume quotas are working as designed using
an XFS formatted loop device in the system tests. This should
prevent any further regressions on basic quota functionality,
such as quotas being shared between volumes.
Fixes #25368
Fixes https://issues.redhat.com/browse/RHEL-82198
Fixes https://issues.redhat.com/browse/RHEL-82199
Signed-off-by: Matt Heon <mheon@redhat.com>
fixed a bug in the artifact code where --retry-delay was being
discarded.
Fixes: https://issues.redhat.com/browse/RUN-2511
Signed-off-by: Brent Baude <bbaude@redhat.com>
As part of our database init, we perform a check of the current
values for a few fields (graph driver, graph root, static dir,
and a few more) to validate that Libpod is being started with a
sane & sensible config, and the user's containers can actually be
expected to work. Basically, we take the current runtime config
and compare against values cached in the database from the first
time Podman was run.
We've had some issues with this logic before this year around
symlink resolution, but this is a new edge case. Somehow, the
database is being loaded with the empty string for some fields
(at least graph driver) which is causing comparisons to fail
because we will never compare against "" for those fields - we
insert the default value instead, assuming we have one.
Having a value of "" in the database largely invalidates the
check so arguably we could just drop it, but what BoltDB did -
and what SQLite does after this patch - is to use the default
value for comparison instead of "". This should still catch some
edge cases, and shouldn't be too harmful.
What this does not do is identify or solve the reason that we are
seeing the empty string in the database at all. From my read on
the logic, it must mean that the graph driver is explicitly set
to "" in the c/storage config at the time Podman is first run and
I'm not precisely sure how that happens.
Fixes #24738
Signed-off-by: Matt Heon <mheon@redhat.com>
BuildOrigin is a field that can be set at build time by packagers. This helps us trace how and where the binary was built and installed from, allowing us to see if the issue is due to a specific installation or a general podman bug. This field shows up in podman version and in podman info when populated. Note that podman info has a new field, Client, that only appears when running podman info using the remote client.
Automatically set the BuildOrigin field when building the macOS pkginstaller to pkginstaller.
Usage: make podman-remote BUILD_ORIGIN="mypackaging"
Signed-off-by: Ashley Cui <acui@redhat.com>
Allowing for multiple manifests per artifact just makes the code and cli
design harder to work with. It is not clear how mounting, extracting
or edit on a multi manifest artifact should have worked.
A single manifest should make the code much easier to work with.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
like images and containers, it could be handy to have a --noheading
option that removes the headings on the output.
Signed-off-by: Brent Baude <bbaude@redhat.com>
added a --no-trunc flag to artifact ls, which follows what images has
done. by default now, the ls output will have the shortened 12
character digest. the --no-trunc will output the full digest.
Signed-off-by: Brent Baude <bbaude@redhat.com>
podman artifact add now supports two new command line switches.
--type string that describes the type of artifact
--annotation string slice in the form of key=val
These new options allow users to "tag" information on their artifacts
for any number of purposes down the line
RUN-2446
Signed-off-by: Brent Baude <bbaude@redhat.com>
They are new and failing on remote, needs to be looked at (#25138)
For now skip them so we can have a proper buildah vendored for rc2.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The `podman system prune` command is able to remove build containers that were created during the build, but were not removed because the build terminated unexpectedly.
By default, build containers are not removed to prevent interference with builds in progress. Use the **--build** flag when running the command to remove build containers as well.
Fixes: https://issues.redhat.com/browse/RHEL-62009
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
The test `podman selinux: check unsupported relabel` has been failing
recently on Fedora rawhide.
This is due to a regression in the `ls` command itself. Workaround for
now is to switch to `getfattr -n security.selinux ...`.
Ref: https://github.com/containers/podman/issues/25132#issuecomment-2615744915
Fixes: #25132
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
This is a generalization of PodmanExitCleanly, scalable
to an arbitrary number of possible options.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
It seems this utility is not all that generally useful,
so eliminate it from the global namespace and use
PodmanWithOptions directly.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Instead, inline the implementation into callers, calling
PodmanWithOptions directly, demonstrating how to use
PodmanWithOptions.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... and, to an extent, centralize the PodmanSessionIntegration
creation in that function.
This reduces duplication, and we will further eliminate
some of the callers.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Pass exactly the same PodmanExecOptions to makeOptions
and to PodmanExecBaseWithOptions. This will allow
simplifying the code further.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Eliminate this helper / indirection, and pass around
PodmanExecOptions explicitly.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This will make it easier to structure the API, at the cost
of making it a bit more opaque about which parts of PodmanExecOptions
are implemented where.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... replacing the many parameters with a struct with named fields.
This makes the meaning of parameters more explicit, and more importantly
it makes it easier to just edit _one_ of the parameters without requiring
specialized wrappers for every single case.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This should be set only by podman as it is used for the podman generate
systemd --new command. For the api it was set to the system service
command which is simply pointless. It must be empty in these cases.
Fixes #25026
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
the podman artifact verb is used to manage OCI artifacts. the following
verbs were added to `podman artifact`:
* add
* inspect
* ls
* pull
* push
* rm
Notable items with this PR:
* all artifact commands and their output are subject to change. i.e.
consider all of this tech preview
* there is no way to add a file to an artifact that already exists in
the store. you would need to delete and recreate the artifact.
* all references to artifacts names should be fully qualified names in
the form of repo/name:tag (i.e. quay.io/artifact/foobar:latest)
* i understand that we will likely want to be able to attribute things
like arch, etc to artifact files. this function is not available yet.
Many thanks to Paul Holzinger for autocompletion PRs and review PRs that
fixed issues early on.
Also fix up some Args function to specify the correct number of args.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Brent Baude <bbaude@redhat.com>
Fixes: https://github.com/containers/podman/issues/25002
Also add the ability to inspect containers for
UseImageHosts and UseImageHostname.
Finally fixed some bugs in handling of --no-hosts for Pods,
which I discovered.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>