for the purposes of performance and security, we use securejoin to contstruct
the root fs's path so that symlinks are what they appear to be and no pointing
to something naughty.
then instead of chrooting to parse /etc/passwd|/etc/group, we now use the runc user/group
methods which saves us quite a bit of performance.
Signed-off-by: baude <bbaude@redhat.com>
Add a section about describing changes in commit messages. GitHub tends
to drive the large part of discussions and change descriptions to the
corresponding pull requests and issues, but such information is lost in
the git history. Not providing sufficient information in commit
messages is painful for reviewing and can cause issues while debugging.
It also complicates studying source code, where reading commit messages
and the code's git history is a common approach to better understand the
code.
Following the descriptions should be enforced by the maintainers of the
libpod project. Pull requests containing commits without proper
descriptions should not be merged.
This change bases on the documentation of the Linux kernel v4.17:
https://www.kernel.org/doc/html/v4.17/process/submitting-patches.html
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
add a global flag for --max-workers so users can limit the number
of parallel operations for a given function. also, when not limited
by max-workers, we implement a heuristic function that returns the
number of preferred parallel workers based on the number of CPUs and
the given operation.
Signed-off-by: baude <bbaude@redhat.com>
We implement the securejoin method to make sure the paths to /etc/passwd and
/etc/group are not symlinks to something naughty or outside the container
image. And then instead of actually chrooting, we use the runc functions to
get information about a user. The net result is increased security and
a a performance gain from 41ms to 100us.
Signed-off-by: baude <bbaude@redhat.com>
run prepare() -- which consists of creating a network namespace and
mounting the container image is now run in parallel. This saves 25-40ms.
Signed-off-by: baude <bbaude@redhat.com>
As discussed [1], the runlabel command should execute any command
specified in a label. The reasoning behind is that we cannot restrict
which options are passed to Podman which thereby has full access to the
host (runlabels must be used with care).
With the updated semantics, runlabel will substitute the commands with a
basepath equal to "docker" or "podman" with "/proc/self/exe", and
otherwise leave the command unchanged to execute any other command on
the host.
[1] https://github.com/containers/libpod/pull/1607#issuecomment-428321382
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
prevent opening the same file twice, since we re-exec podman in
rootless mode. While at it, also solve a possible race between the
check for the file and writing to it. Another process could have
created the file in the meanwhile and we would just end up overwriting
it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
when reading the output from conmon using the JSON methods, it appears that
JSON marshalling is higher in pprof than it really is because the pipe is
"waiting" for a response. this gives us a clearer look at the real CPU/time
consumers.
Signed-off-by: baude <bbaude@redhat.com>
This removes duplicate code paths which has been previously factored out
as getAllOrLatestContainers().
Signed-off-by: Adrian Reber <areber@redhat.com>
Instead of duplicating the same code in multiple commands this uses the
newly added function checkAllAndLatest() instead.
Signed-off-by: Adrian Reber <areber@redhat.com>
Just as the checkAllAndLatest() function the new code in
getAllOrLatestContainers() is used in some commands and duplicated. This
factors out this code to be used in other places without duplicating it.
Signed-off-by: Adrian Reber <areber@redhat.com>
The check about the --all and --latest option is used and repeated and
some commands. Factor it out and put it into common.
Signed-off-by: Adrian Reber <areber@redhat.com>
* Added tox configuration to test python 3.4, 3.5 and 3.6.
Tox testing not enabled on every PR
* Updated MANIFEST.ini to support tox
* Correct comments
Fixes#1641
Signed-off-by: Jhon Honce <jhonce@redhat.com>
