As outlined in #16076, a subsequent BARRIER *may* follow the READY
message sent by a container. To correctly imitate the behavior of
systemd's NOTIFY_SOCKET, the notify proxies span up by `kube play` must
hence process messages for the entirety of the workload.
We know that the workload is done and that all containers and pods have
exited when the service container exits. Hence, all proxies are closed
at that time.
The above changes imply that Podman runs for the entirety of the
workload and will henceforth act as the MAINPID when running inside of
systemd. Prior to this change, the service container acted as the
MAINPID which is now not possible anymore; Podman would be killed
immediately on exit of the service container and could not clean up.
The kube template now correctly transitions to in-active instead of
failed in systemd.
Fixes: #16076Fixes: #16515
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This changes references to `/etc/containers/storage.conf` (and similar) to
links to `containers-storage.conf(5)`, as there are alternative locations
for this file.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
- podman generate kube inheritents the proxy environment valiable by default.
Therefore, Env field is not empty if it is set.
- systemd-socket-acrivate needs to pass an proxy environment variable.
- busybox wget with an proxy doesn't work.
Network tests should use not wget but curl.
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10446
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
The podman healthchecks are implemented using systemd timers, this works
great but it will never work on non systemd distros. Currently the logic
always assumes systemd is available and will fail with an error, so users
are forced to always run with `--no-healthcheck` to disable healthchecks
that are defined in an image for example. This is annoying and IMO
unnecessary, we should just default to no healthcheck on these systems.
First, use the systemd build tag to disable it at build time if this tag
is not used.
Second, use make sure systemd is used as init before trying
to use healthchecks. This could be the case when we are run in a container.
[NO NEW TESTS NEEDED] We do not have any non systemd VMs in CI AFAIK.
Fixes#16644
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Move the handling of userns keys from ConvertContainer to a separate method
Adjust the method according to the different supported values
Use the new method in both ConvertContainer and ConvertKube
Pass isUser to ConvertKube as well
Add tests
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
This just calls GC on the local storage, which will remove any leftover
directories from previous containers that are not in the podman db anymore.
This is useful primarily for transient store mode, but can also help in
the case of an unclean shutdown.
Also adds some e2e test to ensure prune --external works.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This brings a performance improvement to `podman run` on top of the
other transient_store improvements in containers/storage:
Transient mode without transient bolt_db:
Benchmark 1: bin/podman run --transient-store=true --rm --pull=never --network=host --security-opt seccomp=unconfined fedora true
Time (mean ± σ): 130.6 ms ± 5.8 ms [User: 44.4 ms, System: 25.9 ms]
Range (min … max): 122.6 ms … 143.7 ms 21 runs
Transient mode with transient bolt_db:
Benchmark 1: bin/podman run --transient-store=true --rm --pull=never --network=host --security-opt seccomp=unconfined fedora true
Time (mean ± σ): 100.3 ms ± 5.3 ms [User: 40.5 ms, System: 24.9 ms]
Range (min … max): 93.0 ms … 111.6 ms 29 runs
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This handles the transient store options from the container/storage
configuration in the runtime/engine.
Changes are:
* Print transient store status in `podman info`
* Print transient store status in runtime debug output
* Add --transient-store argument to override config option
* Propagate config state to conmon cleanup args so the callback podman
gets the same config.
Note: This doesn't really change any behaviour yet (other than the changes
in containers/storage).
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Later changes will need to access it earlier, so move its creation to
just after the creation of StaticDir.
Note: For whatever reason this we created twice before, but we now
only do it once.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
docker-compose sets the mac address in the container config and not the
network endpoint config. This is ugly when you have more than one
network, in this case docker just chooses the first network.
Fixes#16411
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The flake in #16076 is likely related to the notify message not being
delivered/read correctly. Move sending the message into an exec session
such that flakes will reveal an error message.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Since https://github.com/containers/podman/pull/16394 was merged
we now always delete the cid file if --replace=true was specified,
so we can avoid this extra command being launched.
[NO NEW TESTS NEEDED] Already tested in above PR.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
The containers should be able to write to tmpfs mounted directories.
Also cleanup output of podman kube generate to not show default values.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This patch extends the podman run command with support for checkpoint
images. When `podman run` is invoked with an image that contains
a checkpoint, it would restore the container from that checkpoint.
Example:
podman run -d --name looper busybox /bin/sh -c \
'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
podman container checkpoint --create-image checkpoint-image-1 looper
podman run checkpoint-image-1
Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
These tests were unintentionally removed in commit
b47b48f (Revert "Add checkpoint image tests"). They
verify the functionality of the `--create-image` option for
`podman container checkpoint`.
Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
The passthrough_env function was unnecessarily complicated,
hence fragile. Clean it up, and add regression tests.
For future reference: CI broke horribly because of this.
Rootless tests all failed with missing CI_DESIRED_NETWORK.
Root cause was that CIRRUS_CHANGE_TITLE had a trailing
space which, because of shell indirection, passthrough_env()
wrote as trailing backslash (not backslash-space) in the
/etc/ci_environment file, which then caused the next line
in the file to get glommed onto CIRRUS_CHANGE_TITLE.
Signed-off-by: Ed Santiago <santiago@redhat.com>
