We call cleanup() (which calls cleanupRuntime()) as part of
removing containers, after the container has already been removed
from the database. cleanupRuntime() tries to update and save the
state, which obviously fails if the container no longer exists.
Make the save() conditional on the container not being in the
process of being removed.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
To work better with Kata containers, we need to delete() from the
OCI runtime as a part of cleanup, to ensure resources aren't
retained longer than they need to be.
To enable this, we need to add a new state to containers,
ContainerStateExited. Containers transition from
ContainerStateStopped to ContainerStateExited via cleanupRuntime
which is invoked as part of cleanup(). A container in the Exited
state is identical to Stopped, except it has been removed from
the OCI runtime and thus will be handled differently when
initializing the container.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Runc disables systemd cgroup support when build statically, so
don't tell people to do that now that we're defaulting to systemd
for cgroup management.
Also, fix some error messages to use the proper ID() call for
containers.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Execute the command as described by a container image. The value of the label is processed
into a command by:
1. Ensuring the first argument of the command is podman.
2. Substituting any variables with those defined by the environment or otherwise.
If no label exists in the container image, nothing is done.
podman container runlabel LABEL IMAGE extra_args
Signed-off-by: baude <bbaude@redhat.com>
In cases where the image name is more complex like:
quay/baude/alpine_nginx:latest and is not from the docker
registry, we need to be able to run the image by its shortname
such as baude/alpine_nginx. The same goes when the image is
not from a registry but instead has the localhost repository.
This resolves buildah issue #1034
Signed-off-by: baude <bbaude@redhat.com>
For the sake of debug and problem reporting, we would benefit from knowing
what buildah version was vendored into podman. Also, knowing the distribution
and distribution version would also be handy.
Signed-off-by: baude <bbaude@redhat.com>
We added a timeout for convenience, but most invocations don't
care about it. Refactor it into WaitWithTimeout() and add a
Wait() that doesn't require a timeout and uses the default.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1527
Approved by: mheon
There is a group of inodes that get created when running a container
if they do not exist.
containerMounts = map[string]bool{
"/dev": true,
"/etc/hostname": true,
"/etc/hosts": true,
"/etc/resolv.conf": true,
"/proc": true,
"/run": true,
"/run/.containerenv": true,
"/run/secrets": true,
"/sys": true,
}
If the destination inode does not exist, libpod/runc will create the inode.
This can cause programs like podman diff to see the image as having changed,
when actually it has not. This patch ignores changes in these inodes.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1508
Approved by: giuseppe
Also update some missing fields libpod.conf obtions in man pages.
Fix sort order of security options and add a note about disabling
labeling.
When a process requests a new label. libpod needs to reserve all
labels to make sure that their are no conflicts.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1406
Approved by: mheon
We don't want to allow users to write to /etc/resolv.conf or /etc/hosts if in read
only mode.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1510
Approved by: TomSweeneyRedHat
When managing the containers with systemd, it takes a bit more than
250ms to have podman creating the pidfile.
Increasing the value to 1 second will avoid timeout issues when running
a lot of containers managed by systemd.
This patch was tested in a VM with 56 services (OpenStack) deployed by
TripleO and managed by systemd.
Fixes#1495
Signed-off-by: Emilien Macchi <emilien@redhat.com>
Closes: #1497
Approved by: rhatdan
ALso cleanup files section or podman man page
Add description of policy.json
Sort alphabetically.
Add more info on oci hooks
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1487
Approved by: umohnani8
We were already writing these to our debug logs. But collecting them
and including them in the error message will make it easier for
callers who don't have debugging enabled to figure out what's going
wrong.
Using multierror gives us both pretty formatting (when we print this
for the user) and programmatic access (for any callers that need to
inspect the constituent errors). With this commit and a config like:
$ cat /etc/containers/registries.conf
[registries.search]
registries = ['registry.access.redhat.com', 'quay.io', 'docker.io']
pulling an unqualified missing image looks like:
$ podman pull does-not/exist
Trying to pull registry.access.redhat.com/does-not/exist:latest...Failed
Trying to pull quay.io/does-not/exist:latest...Failed
Trying to pull docker.io/does-not/exist:latest...Failed
error pulling image "does-not/exist": unable to pull does-not/exist: 3 errors occurred:
* Error determining manifest MIME type for docker://registry.access.redhat.com/does-not/exist:latest: Error reading manifest latest in registry.access.redhat.com/does-not/exist: unknown: Not Found
* Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: Error reading manifest latest in quay.io/does-not/exist: unauthorized: access to the requested resource is not authorized
* Error determining manifest MIME type for docker://does-not/exist:latest: Error reading manifest latest in docker.io/does-not/exist: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
A qualified image looks like:
$ podman pull quay.io/does-not/exist
Trying to pull quay.io/does-not/exist...Failed
error pulling image "quay.io/does-not/exist": unable to pull quay.io/does-not/exist: unable to pull image: Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: Error reading manifest latest in quay.io/does-not/exist: unauthorized: access to the requested resource is not authorized
If one of the searched repositories was offline, you'd get a more
useful routing error for that specific registry. For example:
$ cat /etc/hosts
127.0.0.1 quay.io
$ podman pull does-not/exist
Trying to pull registry.access.redhat.com/does-not/exist:latest...Failed
Trying to pull quay.io/does-not/exist:latest...Failed
Trying to pull docker.io/does-not/exist:latest...Failed
error pulling image "does-not/exist": unable to pull does-not/exist: 3 errors occurred:
* Error determining manifest MIME type for docker://registry.access.redhat.com/does-not/exist:latest: Error reading manifest latest in registry.access.redhat.com/does-not/exist: unknown: Not Found
* Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: pinging docker registry returned: Get https://quay.io/v2/: dial tcp 127.0.0.1:443: connect: connection refused
* Error determining manifest MIME type for docker://does-not/exist:latest: Error reading manifest latest in docker.io/does-not/exist: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
This is our first direct dependency on multierror, but we've been
vendoring it for a while now because opencontainers/runtime-tools uses
it for config validation.
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1456
Approved by: rhatdan
We've increased the default rlimits to allow Podman to hold many
ports open without hitting limits and crashing, but this doesn't
solve the amount of memory that holding open potentially
thousands of ports will use. Offer a switch to optionally disable
port reservation for performance- and memory-constrained use
cases.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Waiting uses a lot of CPU, so drop back to checking once/second
and allow user to pass in the interval.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This is an incomplete fix, as it would be best for the libpod library to be in charge of coordinating the container's dependencies on the infra container. A TODO was left as such. UTS is a special case, because the docker library that namespace handling is based off of doesn't recognize a UTS based on another container as valid, despite the library being able to handle it correctly. Thus, it is left in the old way.
Signed-off-by: haircommander <pehunt@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1347
Approved by: mheon
Use the new firewall code vendored from CNI to replace the
existing iptables rule addition handler we had in place. This
adds proper support for firewalld and should be much better at
interacting with the firewall.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1431
Approved by: baude
The upstream CNI project has a PR open for adding iptables and
firewalld support, but this has been stalled for the better part
of a year upstream.
On advice of several maintainers, we are vendoring this code into
libpod, to perform the relevant firewall configuration ourselves.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1431
Approved by: baude
When we create a pod that also has an infra container, we should
start the infra container automatically. This allows users to add
running containers to the pod immediately.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1415
Approved by: rhatdan
We need to vendor in the latest containerd/cgroups for a fix related to
slice delegation and systemd <= 239. The opencontainer/runtime-spec is
brought along for the ride.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1414
Approved by: mheon
Right now, we don't print errors from c/image while trying to
pull images. This prints the errors when log-level=debug is set
so we can debug errors while pulling.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Closes: #1409
Approved by: baude
change the tests to use chroot to set a numeric UID/GID.
Go syscall.Credential doesn't change the effective UID/GID of the
process.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1372
Approved by: mheon
be sure to be in an userns for a rootless process before initializing
the runtime. In case we are not running as uid==0, take advantage of
"podman info" that creates the runtime.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1372
Approved by: mheon
Currently `podman pull rhel7/rhel-tools` is failing because it
sees rhel7 as a registry. This change will verify that the returned
registry from the parser is actually a registry and not a repo,
if a repo it will return the correct content, and we will pull the image.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1387
Approved by: mtrmac
Prior to this patch, we were polling continuously to check if a
container had died. This patch changes this to poll 10 times a
second, which should be more than sufficient and drastically
reduce CPU utilization.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
since we have a way for joining an existing userns use it instead of
nsenter.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1371
Approved by: rhatdan
In some cases, /etc/resolv.conf can be a symlink to something like
/run/systemd/resolve/resolv.conf. We currently check for that file
and if it exists, use it instead of /etc/resolv.conf. However, we are
no seeing cases where the systemd resolv.conf exists but /etc/resolv.conf
is NOT a symlink.
Therefore, we now obtain the endpoint for /etc/resolv.conf whether it is a
symlink or not. That endpoint is now what is read to generate a container's
resolv.conf.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1368
Approved by: rhatdan
Manage the case where the main process of the container creates and
joins a new user namespace.
In this case we want to join only the first child in the new
hierarchy, which is the user namespace that was used to create the
container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1331
Approved by: rhatdan
We cannot re-exec into a new user namespace to gain privileges and
access an existing as the new namespace is not the owner of the
existing container.
"unshare" is used to join the user namespace of the target container.
The current implementation assumes that the main process of the
container didn't create a new user namespace.
Since in the setup phase we are not running with euid=0, we must skip
the setup for containers/storage.
Closes: https://github.com/containers/libpod/issues/1329
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1331
Approved by: rhatdan
FFJSON has serialization differences versus stock Go - namely, it
does not respect the MarshalText() and UnmarshalText() methods,
particularly on []byte, which causes incompatability with
pre-FFJSON containers which contained DNS servers.
EasyJSON does not have these issues, and might even be slightly
faster.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1322
Approved by: mheon
