Currently pause process blocks all signals which may cause its
termination, including SIGTERM. This behavior hangs init(1) during
system shutdown, until pause process gets SIGKILLed after some grace
period. To avoid this hanging, SIGTERM is excluded from list of blocked
signals.
Fixes#3440
Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
at least on Fedora 30 it creates the /run/user/UID directory for the
user logged in via ssh.
This needs to be done very early so that every other check when we
create the default configuration file will point to the correct
location.
Closes: https://github.com/containers/libpod/issues/3410
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Turn of go modules to avoid breaking build environments to accidentally
try pulling the dependencies instead of using the ./vendor directory.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Building/installing dependencies from fixed source-version ensures
testing is reliable, but introduces a maintenance burden and
risks testing far outside of a real-world environment. The
sensible alternative is to install dependencies from distro-packaging
systems.
Install all development and testing dependencies at VM cache-image build
time, to help ensure testing remains stable. The existing cache-image
build workflow can be utilized at any future time to build/test
with updated packages.
***N/B***: This does not update any dockerfiles used by testing, that is
left up to future efforts.
Signed-off-by: Chris Evich <cevich@redhat.com>
we had a regression where the rootless user tried to use the global
configuration file. We should not try to use the global configuration
when running in rootless but only cherry-pick some settings from there
when creating the file for the first time.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Conmon has moved out of cri-o and into it's own dedicated repository.
This commit updates configuration and definitions which referenced
the old cri-o based paths.
Signed-off-by: Chris Evich <cevich@redhat.com>
This fixes some of our handling of images which have no layers, i.e.,
those whose TopLayer is set to an empty value.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This is an initial implementation of cgroup v2 support for
pkg/cgroups. It currently works with crun, with this patch:
https://github.com/giuseppe/crun/pull/49).
It adds the pieces for:
- set PID limit to 1
- retrieve stats so that "podman stats" work.
the only missing part is the support for reading per
CPU stats (that is cpuacct.usage_percpu on cgroup v1), so for now it
always returns an empty result.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
provide a package for managing cgroups. This is not supposed to be a
complete implementation with all the features supported by cgroups,
but it is a minimal implementation designed around what libpod needs
and it is currently using.
For example, it is currently possible to Apply only the pids limit,
as it is used by libpod for stopping containers, any other Apply will
just fail.
The main goal here is to have a minimal library where we have full
control, so we can start playing with cgroup v2.
When the need arises, we can add more features.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The version of blackfriday is causing that we cannot build go-md2man any
more within CRI-O. This commit removes the dependency since is not
needed at all.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
When a container is attached upon start, the WaitGroup counter may
never be decremented if an error is raised before start, causing
the caller to hang.
Synchronize with the start & attach goroutine using a channel, to be
able to detect failures before start.
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
With StringSlice, we're seeing individual options added and
parsed separately, so `tmpfs:nosuid,nodev` turns into three tmpfs
mounts passed into pkg/sec (tmpfs:, nosuid, nodev). Swap to
StringArray to tell cobra this can't be split on commas.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
When Host IP is not set in podman-remote.conf, error is printed out.
When Username is not set in podman-remote.conf, default username is used.
Signed-off-by: Ashley Cui <ashleycui16@gmail.com>
the compilation demands of having libpod in main is a burden for the
remote client compilations. to combat this, we should move the use of
libpod structs, vars, constants, and functions into the adapter code
where it will only be compiled by the local client.
this should result in cleaner code organization and smaller binaries. it
should also help if we ever need to compile the remote client on
non-Linux operating systems natively (not cross-compiled).
Signed-off-by: baude <bbaude@redhat.com>
A container restored from a checkpoint archive used to have the root
file-system mounted with a wrong (new) SELinux label. This made it, for
example, impossible to use 'podman exec' on a restored container.
This test tests exactly this. 'podman exec' after 'podman container restore'.
Unfortunately this test does not fail, even without the patch that fixes
it as the test seems to run in an environment where the SELinux label of
the container root file-system is not relevant. Somehow.
Signed-off-by: Adrian Reber <areber@redhat.com>
OutputToString() was mangling newlines, which made YAML parsers
very, very angry. But not angry enough to actually error, that
would be too easy. Just angry enough to silently not decode
anything.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Restoring a container from a checkpoint archive creates a complete
new root file-system. This file-system needs to have the correct SELinux
label or most things in that restored container will fail. Running
processes are not as problematic as newly exec()'d process (internally
or via 'podman exec').
This patch tells the storage setup which label should be used to mount
the container's root file-system.
Signed-off-by: Adrian Reber <areber@redhat.com>
