This should simplify the db logic. We no longer need a extra db bucket
for the netns, it is still supported in read only mode for backwards
compat. The old version required us to always open the netns before we
could attach it to the container state struct which caused problem in
some cases were the netns was no longer valid.
Now we use the netns as string throughout the code, this allow us to
only open it when needed reducing possible errors.
[NO NEW TESTS NEEDED] Existing tests should cover it and it is only a
flake so hard to reproduce the error.
Fixes#16140
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We should have done this much earlier, most of the times CNI networks
just mean networks so I changed this and also fixed some function
names. This should make it more clear what actually refers to CNI and
what is just general network backend stuff.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When we read logs there can be full or partial lines, when it is full we
need to append a newline, thus the message length must be incremented by
one.
Fixes#16856
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Also update vendor of containers/storage and image
Cleanup display of added/dropped capabilties as well
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Also fix a number of duplicate words. Yet disable the new `dupword`
linter as it displays too many false positives.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Now that the OCI runtime specs have support for idmapped mounts, let's
use them instead of relying on the custom annotation in crun.
Also add the mechanism to specify the mapping to use. Pick the same
format used by crun so it won't be a breaking change for users that
are already using it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Init containers are removed once they exit, but podman
reports and error that the container does not exist, when
it was previously removed. Stop reporting missing containers
when removing.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
With the 4.0 network rewrite I introduced a regression in 094e1d70de.
It only covered the case where a checkpoint is restored via --import.
The normal restore path was not covered since the static ip/mac are now
part in an extra db bucket. This commit fixes that by changing the config
in the db.
Note that there were no test for --ignore-static-ip/mac so I added a big
system test which should cover all cases (even the ones that already
work). This is not exactly pretty but I don't have to enough time to
come up with something better at the moment.
Fixes#16666
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
subpath allows for only a subdirecty of a volumes data to be mounted in the container
add support for the named volume type sub path with others to follow.
resolves#12929
Signed-off-by: Charlie Doern <cbddoern@gmail.com>
When stopping the transient systemd timer/unit which powers running
health checks, make sure to ignore its dependencies. It turns out
that we're otherwise running into a timeout when running a container in
a systemd unit and reboot.
An alternative may be to further tweak some attributes/options when
creating the timer/unit via systemd-run but it seems safe to just ignore
the dependencies and stop.
[NO NEW TESTS NEEDED] - we don't yet have means to test reboots.
Fixes: #14531
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When labes map is too big we may get syslog entry truncated.
This breaks JSON parsing making event loading impossible.
[NO NEW TESTS NEEDED]
Signed-off-by: Matej Vasek <mvasek@redhat.com>
The podman healthchecks are implemented using systemd timers, this works
great but it will never work on non systemd distros. Currently the logic
always assumes systemd is available and will fail with an error, so users
are forced to always run with `--no-healthcheck` to disable healthchecks
that are defined in an image for example. This is annoying and IMO
unnecessary, we should just default to no healthcheck on these systems.
First, use the systemd build tag to disable it at build time if this tag
is not used.
Second, use make sure systemd is used as init before trying
to use healthchecks. This could be the case when we are run in a container.
[NO NEW TESTS NEEDED] We do not have any non systemd VMs in CI AFAIK.
Fixes#16644
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This just calls GC on the local storage, which will remove any leftover
directories from previous containers that are not in the podman db anymore.
This is useful primarily for transient store mode, but can also help in
the case of an unclean shutdown.
Also adds some e2e test to ensure prune --external works.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This brings a performance improvement to `podman run` on top of the
other transient_store improvements in containers/storage:
Transient mode without transient bolt_db:
Benchmark 1: bin/podman run --transient-store=true --rm --pull=never --network=host --security-opt seccomp=unconfined fedora true
Time (mean ± σ): 130.6 ms ± 5.8 ms [User: 44.4 ms, System: 25.9 ms]
Range (min … max): 122.6 ms … 143.7 ms 21 runs
Transient mode with transient bolt_db:
Benchmark 1: bin/podman run --transient-store=true --rm --pull=never --network=host --security-opt seccomp=unconfined fedora true
Time (mean ± σ): 100.3 ms ± 5.3 ms [User: 40.5 ms, System: 24.9 ms]
Range (min … max): 93.0 ms … 111.6 ms 29 runs
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This handles the transient store options from the container/storage
configuration in the runtime/engine.
Changes are:
* Print transient store status in `podman info`
* Print transient store status in runtime debug output
* Add --transient-store argument to override config option
* Propagate config state to conmon cleanup args so the callback podman
gets the same config.
Note: This doesn't really change any behaviour yet (other than the changes
in containers/storage).
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Later changes will need to access it earlier, so move its creation to
just after the creation of StaticDir.
Note: For whatever reason this we created twice before, but we now
only do it once.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
The containers should be able to write to tmpfs mounted directories.
Also cleanup output of podman kube generate to not show default values.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When the new `events_container_create_inspect_data` option is enabled in
containers.conf set the `ContainersInspectData` event field for each
container-create event.
The data was requested for the purpose of auditing (e.g., intrusion
detection).
Jira: https://issues.redhat.com/browse/RUN-1702
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Startup healthchecks are similar to K8S startup probes, in that
they are a separate check from the regular healthcheck that runs
before it. If the startup healthcheck fails repeatedly, the
associated container is restarted.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Fix swapped NetInput and NetOutput container stats. This resulted
in `podman stats` showing outgoing traffic as NetInput and incoming
traffic as NetOutput. This change might be visible or cause problems
for users who are actively relying on those stats for monitoring reasons.
[NO NEW TEST NEEDED]
Signed-off-by: Ingo Becker <ingo@orgizm.net>
Since mountStorage and createNetNS run in parallel, the directory file
descriptors used by mountStorage were (rarely) propagated to the CNI
plugins. On FreeBSD, the CNI bridge plugin needs to make changes to the
network jail. This fails if there are any descriptors to open directories
to protect against host directories being visible to the jail's chroot.
Adding O_CLOEXEC to the unix.Open call in openDirectory ensures that these
descriptors are not visible to podman's child processes.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
When restarting a container, clean up the healthcheck state by removing
the old log on disk. Carrying over the old state can lead to various
issues, for instance, in a wrong failing streak and hence wrong
behaviour after the restart.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2144754
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Some error reporting logic got lost from (*Container).prepare during the
port. This adds the missing logic, similar to the Linux version.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
Including the RawInput in the API output is meaningless.
Fixes: #16497
[NO NEW TESTS NEEDED]
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
when reading from the /proc/$PID/cgroup file, treat ESRCH in the same
way as ENOENT since the kernel returns ESRCH if the file was opened
correctly but the target process exited before the open could be
performed.
Closes: https://github.com/containers/podman/issues/16383
[NO NEW TESTS NEEDED] it is a race condition that is difficult to
reproduce.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
On FreeBSD, the path argument to shm_open is not a filesystem path and we
must use shm_unlink to remove it. This changes the Linux build to also use
shm_unlink which avoids assuming that shared memory segments live in
/dev/shm.
Signed-off-by: Doug Rabson <dfr@rabson.org>
