This also then bumps github.com/opencontainers/runtime-spec to v1.3.0
which contains breaking changes of the pid type as such we had to update
all the podman callers.
And tags.cncf.io/container-device-interface also used some changed
types from it and they have been updated in main so bump to the latest
commit there as well in order to get podman to compile properly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Fixes: #26588
For use cases like HPC, where `podman exec` is called in rapid succession, the standard exec process can become a bottleneck due to container locking and database I/O for session tracking.
This commit introduces a new `--no-session` flag to `podman exec`. When used, this flag invokes a new, lightweight backend implementation that:
- Skips container locking, reducing lock contention
- Bypasses the creation, tracking, and removal of exec sessions in the database
- Executes the command directly and retrieves the exit code without persisting session state
- Maintains consistency with regular exec for container lookup, TTY handling, and environment setup
- Shares implementation with health check execution to avoid code duplication
The implementation addresses all performance bottlenecks while preserving compatibility with existing exec functionality including --latest flag support and proper exit code handling.
Changes include:
- Add --no-session flag to cmd/podman/containers/exec.go
- Implement lightweight execution path in libpod/container_exec.go
- Ensure consistent container validation and environment setup
- Add comprehensive exit code testing including signal handling (exit 137)
- Optimize configuration to skip unnecessary exit command setup
Signed-off-by: Ryan McCann <ryan_mccann@student.uml.edu>
Signed-off-by: ryanmccann1024 <ryan_mccann@student.uml.edu>
The old location is deprecated and has been removed in v0.6.0 even. I
did this as extra commit to make cherry-picking easier.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This also includes a number of significant changes to the SQLite
state made possible by removal of the legacy DB.
1. Enable database unit tests for SQLite state, with numerous
tweaks to get tests passing. Most notable changes are to
container removal - where we previously didn't return an error
if there was no container to remove - and RemovePodContainers,
which I don't think ever worked properly from my reading of
the failures.
2. Removal of AddContainerToPod/RemoveContainerToPod. On SQLite,
these functions are identical to AddContainer/RemoveContainer
and there is no reason to retain duplicates.
3. Removal of SafeRewriteContainerConfig - it's identical to
RewriteContainerConfig in SQLite, no reason to have duplicate
entrypoints.
As an exciting side-note, this removes Podman's requirement that
containers and pods cannot share a name, which was a BoltDB
restriction only.
Signed-off-by: Matt Heon <matthew.heon@pm.me>
Tremendous amount of changes in here, but all should amount to
the same thing: changing Go import paths from v5 to v6.
Also bumped go.mod to github.com/containers/podman/v6 and updated
version to v6.0.0-dev.
Signed-off-by: Matt Heon <mheon@redhat.com>
We started logging this in 5.6. In 5.7, we up to a warning. The
upcoming 5.8 will up the warnings further to errors.
Required as we're removing BoltDB support in 6.0 next Spring.
Signed-off-by: Matt Heon <matthew.heon@pm.me>
Problem: While removing cgroupsv1 code, I noticed my neovim Go config
automatically changed fileperms to the new octal format and I didn't
want that polluting my diffs.
Decision: I thought it best to switch to the new octal format in a dedicated PR.
Action:
- Cursor switched to new octal format for all fileperm ocurrences in Go
source and test files.
- vendor/, docs/ and non-Go files were ignored.
- Reviewed manually.
Ref: https://go.dev/ref/spec#Go_1.13
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Include an explicit container state check. Otherwise the
containers/stats endpoint will return all-zero stats for a stopped
container even when in non-streaming mode, which breaks some consumers
of the API, particularly nomad's podman driver.
Implement the interface by just returning the number of host CPUs. A
bit more sophisticated would be to fetch the jail's cpuset, but it's not
very important for now.
Signed-off-by: Mark Johnston <mark.johnston@klarasystems.com>
Using golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize
+ some manual cleanup in libpod/lock/shm/shm_lock_test.go as it
generated an unused variable
+ restored one removed comment
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The `cleanupExecBundle` function was only meant to be called on a
locked container, as it does some state mutation operations. It
also has a timed wait (if the directory is busy and can't be
removed yet, give it a few milliseconds) in which it deliberately
yields the lock to not block the container for that time.
The `healthCheckExec()` function calls `cleanupExecBundle` out of
a `defer` block. This is after the `defer c.lock.Unlock()` so it
fires afterwards when the function returns, so we're normally
fine - the container is still locked when our defer runs. The
problem is that `healthCheckExec()` also unlocks the container
during the expensive exec operation, and can actually fail and
return while not holding the lock - meaning our `defer` can fire
on an unlocked container, leading to a potential double unlock
in `cleanupExecBundle`.
We could, potentially, re-lock the container after the exec
occurs, but we're actually waiting for a `select` to trigger to
end the function, so that's not a good solution. Instead, just
re-lock (if necessary) in the defer, before invoking
`cleanupExecBundle()`. The `defer c.lock.Unlock()` will fire
right after and unlock after us.
Fixes#26968
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
At one point, we created multiple jails per container in order to enable
network configuration from outside the container jail. On FreeBSD 14.x
and later this is not necessary and there is only one jail per
container. In this case, return the correct jail name.
Signed-off-by: Mark Johnston <mark.johnston@klarasystems.com>
FreeBSD's ps ignores -J if -a is specified, so "podman top" would
effectively just run ps -a, not terribly useful. But there's no need to
specify -a when specifying a selector such as -J (or -G or -U, etc.).
Signed-off-by: Mark Johnston <mark.johnston@klarasystems.com>
Starting with runc 1.3.0 it errors when we pass unknown mount options to
the runtime, the copy/nocopy options are specific to podman when we
mount the volume and are not valid mount options for the runtime.
Fixes: #26938
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Starting with runc 1.3.0 it errors when we pass unknown mount options to
the runtime, the volume-opt options are specifc to the volume we create
and should not be passed to the mount in the oci spec.
Fixes: #26938
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
In the journald driver there is a bug where the network event
attributes are not preserved. This causes the network driver to be
missing and that in turn causes the ToHumanReadable() function to print
an empty line. Fix it by making sure we preserve the network driver in
the event attributes.
Fixes: https://issues.redhat.com/browse/RHEL-109790
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Right now, only log-level=info, so not shown by default. We can
continue to up this in subsequent releases to convince folks of
the urgency of switching.
Resolves https://issues.redhat.com/browse/RUN-3343
Signed-off-by: Matt Heon <mheon@redhat.com>
Added log_path variable in containers/common, User sets default log path in containers.conf under the `[containers]` section.
The directory has to exist beforehand. Container logs go under this directory, sub-directories named with the container id
and inside the sub-directory a ctr.log file will be created where the container logs for the corresponding container will go.
This path can be overridden by using the `--log-opt` flag.
Signed-off-by: Joshua Arrevillaga <2004jarrevillaga@gmail.com>
