For rootful users ports are forwarded via iptables. To make sure no
other process tries to use them, libpod will bind the ports and pass the
fds to conmon. There seems to be race when a container is restarted
because libpod tries to bind the port before the conmon process exited.
The problem only hapens with the podman service because it keeps the
connection open. Once we have the fd and passed it to conmon the
podman service should close the connection.
To verify run `sudo ss -tulpn` and check that only the conmon process
keeps the port open. Previously you would also see the podman server
process listed.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Allows users to specify a readonly rootfs with :O, in exchange podman will create a writable overlay.
bump builah to v1.22.1-0.20210823173221-da2b428c56ce
[NO TESTS NEEDED]
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
When a container is automatically restarted due its restart policy and
the container uses rootless cni networking with ports forwarded we have
to start a new rootlessport process since it exits with conmon.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When we restart a container via podman restart or restart policy the
rootlessport process fails with `address already in use` because the
socketfile still exists.
This is a regression and was introduced in commit abdedc31a25e.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
`setConsoleMode` should do nothing if the handle is not a terminal. The proposed change is [exactly what `golang.org/x/term/IsTerminal()` does on Windows](https://cs.opensource.google/go/x/term/+/6886f2df:term_windows.go).
[NO TESTS NEEDED]
Signed-off-by: Anton Tykhyy <atykhyy@gmail.com>
The short option 'a' for the --all-tags option in the pull
page is not valid, remove it.
Addresses: #11536
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* To aid in debugging log API request and response bodies at trace
level. Events can be correlated using the X-Reference-Id.
* Server now echos X-Reference-Id from client if set, otherwise
generates an unique id.
* Move logic for X-Reference-Id into middleware
* Change uses of Header.Add() to Set() when setting Content-Type
* Log API operations in Apache format using gorilla middleware
* Port server code to use BaseContext and ConnContext
Fixes#10053
Signed-off-by: Jhon Honce <jhonce@redhat.com>
We should only print unhealthy if the check fails. Currently this is
filling logs when users are running lots of healthchecks.
Improves: https://github.com/containers/podman/issues/11157
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Kubernetes has a concept of init containers that run and exit before
the regular containers in a pod are started. We added init containers
to podman pods as well. This patch adds support for generating init
containers in the kube yaml when a pod we are converting had init
containers. When playing a kube yaml, it detects an init container
and creates such a container in podman accordingly.
Note, only init containers created with the init type set to "always"
will be generated as the "once" option deletes the init container after
it has run and exited. Play kube will always creates init containers
with the "always" init container type.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
In case the command inside the podman unshare env failed podman unshare
always exits with 125 and prints `Error: exit status 125`. This is a
bad user experience and makes it difficult to use in scripts which could
expect certain exit codes.
This commit makes sure podman unshare uses the same exit code as the
command and does not print the useless `exit status X` message.
Also to match podman run/exec it should return 126 for EPERM
and 127 for ENOENT.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Include the response schema for a succesful request in the
/containers/stats API documentation
Additionally remove http 409 from /libpod/containers/stats docs, the
documentation was copied from the deprecated stats endpoint, when a
container is unavailabe the endpoint returns an empty list and no 409.
Signed-off-by: Jelle van der Waa <jvanderwaa@redhat.com>
The rootless integration tests show the XDG_RUNTIME_DIR warning without
any reasons. Podman runs without problems in these and yet the warning
is shown. I think the problem is that we check the permission before we
create the runroot directory.
[NO TESTS NEEDED]
Fixes#11521
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
By popular request, turn decimals to octal. Most eyes are trained to
parse file permissions in octal.
[NO TESTS NEEDED] since machine isn't tested yet.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Enforce "docker.io" to be the only search registry. Short-name
resolution for remote clients is not fully supported since there is no
means to prompt. Enforcing a single registry works around the problem
since prompting only fires with more than one search registry.
Fixes: #11489
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
if the current cpu usage time is lower than what previously recorded,
then it means the container was restarted and now it runs in a new
cgroup. When this happens, reset the prevStats.
Closes: https://github.com/containers/podman/issues/11469
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
override the outer scope variable instead of creating a local one.
Otherwise the wrong variable would be used for the next iterations.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
