Close #3553
This PR makes --dns, --dns-option, --dns-search, and --network not set to host flag mutually exclusive for podman build and create. Returns conflict error if both flags are set.
Signed-off-by: Qi Wang <qiwan@redhat.com>
We have another patch running to do the same for exit files, with
a much more in-depth explanation of why it's necessary. Suffice
to say that persistent files in tmpfs tied to container CGroups
lead to significant memory allocations that last for the lifetime
of the file.
Based on a patch by Andrea Arcangeli (aarcange@redhat.com).
Signed-off-by: Matthew Heon <mheon@redhat.com>
The default apparmor profile is not stored on disk which causes
confusion when debugging the content of the profile. To solve this, we
now add an additional API which returns the profile as byte slice.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
allow a container to run in a new cgroup namespace.
When running in a new cgroup namespace, the current cgroup appears to
be the root, so that there is no way for the container to access
cgroups outside of its own subtree.
By default it uses --cgroup=host to keep the previous behavior.
To create a new namespace, --cgroup=private must be provided.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This change tweaks the symlink commands that are invoked when libpod is
not on GOPATH. This has the following effects:
- If the working directory is not "libpod", it will still create the
symlink at the correct github.com/containers/libpod path.
- If the github.com/varlink directory/symlink already exists, it will
still create the symlink at the intended path.
Signed-off-by: Lawrence Chan <element103@gmail.com>
We can infer no-new-privileges. For now, manually populate
seccomp (can't infer what file we sourced from) and
SELinux/Apparmor (hard to tell if they're enabled or not).
Signed-off-by: Matthew Heon <mheon@redhat.com>
Our previous method (just read the PID that we spawned) doesn't
work - Conmon double-forks to daemonize, so we end up with a PID
pointing to the first process, which dies almost immediately.
Reading from the PID file gets us the real PID.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
When we first began writing Podman, we ran into a major issue
when implementing Inspect. Libpod deliberately does not tie its
internal data structures to Docker, and stores most information
about containers encoded within the OCI spec. However, Podman
must present a CLI compatible with Docker, which means it must
expose all the information in 'docker inspect' - most of which is
not contained in the OCI spec or libpod's Config struct.
Our solution at the time was the create artifact. We JSON'd the
complete CreateConfig (a parsed form of the CLI arguments to
'podman run') and stored it with the container, restoring it when
we needed to run commands that required the extra info.
Over the past month, I've been looking more at Inspect, and
refactored large portions of it into Libpod - generating them
from what we know about the OCI config and libpod's (now much
expanded, versus previously) container configuration. This patch
comes close to completing the process, moving the last part of
inspect into libpod and removing the need for the create
artifact.
This improves libpod's compatibility with non-Podman containers.
We no longer require an arbitrarily-formatted JSON blob to be
present to run inspect.
Fixes: #3500
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Before, play kube wasn't properly setting the command. Fix this
Also, begin a dedicated test suite for play kube to catch regressions like this in the future
Signed-off-by: Peter Hunt <pehunt@redhat.com>
For CI testing, it's important to remove as much variability from the
overall system as possible. This permits focusing just on problems
closely related to code-changes. To this end, and because VMs are very
short-lived (2 hours at most), disable all systemd services and timers
which perform periodic activities.
Signed-off-by: Chris Evich <cevich@redhat.com>
Change the script to generate two files. One including direct
dependencies, the other including direct and transitive dependencies.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Move the analyses scripts to the dependencies directory to avoid
scattering of the dependency management.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The script allows for analyzing the symbols of a go binary passed as an
argument. The tabular output looks as follows:
336 unicode/utf8.DecodeLastRune
323 unicode/utf8.DecodeLastRuneInString
518 unicode/utf8.DecodeRune
518 unicode/utf8.DecodeRuneInString
337 unicode/utf8.EncodeRune
The first column indicates the size in bytes of the symbol in the second
column. Note that only text symbols are considered, other symbols from
the data or the bss segment are ignored to avoid information overload.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Analyse the size of all go-packages used during the build process via
the newly added `hack/analyses/go-archive-analysis.sh` script. The
script expects the `WORK` environment variable to be set, which points
to a temporary work directory generated by `go build`. To generate such
a work directory, set the `BUILDFLAGS="-work -a"`:
* `-work` for creating the work directory
* `-a` to force rebuilding all packages even when already cached
The workflow may look as follows:
```
$ BUILDFLAGS="-work -a" make podman
[...]
WORK=/tmp/go-build127001249
$ WORK=/tmp/go-build127001249 ./hack/analyses/go-archive-analysis.sh
```
The output of the script has the format `$SIZE $PACKAGE` where $SIZE is
the size of the compiled version of the go package (i.e., `.a` file) and
$PACKAGE is the corresponding package, for instance, `math/big` for a
stdlib package or vendor/... for vendored packages.
Credits to the authors of https://github.com/jondot/goweight, which
inspired this work.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Docker CLI calls the healthcheck flags "--health-*", instead of
"--healthcheck-*".
Introduce the former, in order to keep compatibility, and alias
the latter, in order to avoid breaking current usage.
Change "--healthcheck-*" to "--health-*" in the docs and tests.
Signed-off-by: Hunor Csomortáni <csomh@redhat.com>
An image with "HEALTHCHECK CMD ['']" is valid but as there is no command
defined the healthcheck will fail. Reject such a configuration.
Fixes #3507
Signed-off-by: Stefan Becker <chemobejk@gmail.com>
If the image was built with "HEALTHCHECK NONE" then we should create a
container without healthcheck configuration. Otherwise executing the
healthcheck on the container will return "unhealthy" instead of the
correct error message that the container doesn't have a healthcheck.
We also ignore the healthcheck configuration if the command list is
empty or the command string is empty.
Fixes #3525
Signed-off-by: Stefan Becker <chemobejk@gmail.com>
If the image doesn't provide any options, e.g. interval, timeout, etc.,
then apply the Docker defaults when creating the container. Otherwise
the defaults will be left 0 and podman doesn't schedule the healthcheck
service & timer for the container or incorrectly reports unhealthy state
when the check is executed.
Fixes #3525
Signed-off-by: Stefan Becker <chemobejk@gmail.com>
- remove duplicate check, already called in HealthCheck()
- reject zero-length command list and empty command string as erroneous
- support all Docker command list keywords: NONE, CMD or CMD-SHELL
- use Docker default "/bin/sh -c" for CMD-SHELL
Fixes #3507
Signed-off-by: Stefan Becker <chemobejk@gmail.com>
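Added example, not podman's own code, covering the healthcheck commits above: "HEALTHCHECK NONE" or an absent config is reported as "no healthcheck" rather than "unhealthy", an empty command such as `HEALTHCHECK CMD ['']` is rejected, CMD is run as-is while CMD-SHELL is wrapped in `/bin/sh -c`, and Docker's defaults are filled in where the image left the options at zero. The `HealthConfig` struct and the `ResolveHealthCheck` helper are hypothetical names chosen for the example.

```go
package main

import (
	"errors"
	"strings"
	"time"
)

// HealthConfig mirrors the HEALTHCHECK fields stored in an image: Test is the
// command list ("NONE" | "CMD", args... | "CMD-SHELL", cmd), the rest are options.
type HealthConfig struct {
	Test              []string
	Interval, Timeout time.Duration
	Retries           int
}
// ErrNoHealthCheck distinguishes "HEALTHCHECK NONE" (or no config) from a failed check.
var ErrNoHealthCheck = errors.New("container has no healthcheck defined")
// ResolveHealthCheck (hypothetical, not podman's code) validates an image HEALTHCHECK and
// returns the argv to run plus options with Docker defaults (30s/30s/3 retries) where zero.
func ResolveHealthCheck(cfg *HealthConfig) ([]string, HealthConfig, error) {
	if cfg == nil || len(cfg.Test) == 0 || cfg.Test[0] == "NONE" {
		return nil, HealthConfig{}, ErrNoHealthCheck
	}
	cmd := cfg.Test[1:]
	// Reject HEALTHCHECK CMD ['']: a command list with nothing to execute.
	if len(cmd) == 0 || strings.TrimSpace(strings.Join(cmd, "")) == "" {
		return nil, HealthConfig{}, errors.New("healthcheck command is empty")
	}
	var argv []string
	switch cfg.Test[0] {
	case "CMD": // exec form: run the list as-is
		argv = cmd
	case "CMD-SHELL": // shell form: Docker wraps the string in the default shell
		argv = append([]string{"/bin/sh", "-c"}, cmd...)
	default:
		return nil, HealthConfig{}, errors.New("unknown healthcheck keyword " + cfg.Test[0])
	}
	opts := *cfg // a zero interval would never schedule the timer, so fill defaults
	if opts.Interval == 0 {
		opts.Interval = 30 * time.Second
	}
	if opts.Timeout == 0 {
		opts.Timeout = 30 * time.Second
	}
	if opts.Retries == 0 {
		opts.Retries = 3
	}
	return argv, opts, nil
}
```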