6355 Commits

Author SHA1 Message Date
495db28c75 Merge pull request #4231 from cgwalters/user-unit-wanted
Make user io.podman.service unit WantedBy=default.target
2019-10-11 16:19:58 +02:00
ca29a5b2f9 Make user io.podman.service unit WantedBy=default.target
`multi-user.target` doesn't exist in the systemd *user* instance.
We can't hook up the startup of a user unit to a system target.

Doing so causes systemd to error out in Fedora CoreOS builds
during presets.

Make it depend on `default.target` instead.

(Having the same unit in both system and user sessions has some
 tricky bits like this)

Signed-off-by: Colin Walters <walters@verbum.org>
2019-10-11 12:57:59 +00:00
5036b6a9fb rootless: do not set PIDs limit if --cgroup-manager=cgroupfs
even if the system is using cgroups v2, rootless is not able to set up
limits when the cgroup-manager is not systemd.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-10-11 13:34:51 +02:00
43dcc917ae Merge pull request #4205 from manics/no-log-init
troubleshooting: fix useradd no-log-init argument
2019-10-11 04:24:42 -07:00
6d35eac6a3 Merge pull request #4223 from QiWang19/uidmap
show uid_map in podman info
2019-10-10 15:11:10 -07:00
102d1328c0 Update build man page with latest Buildah changes
Changes include: Containerfile by default, add --device flags to bud, allow buildah bud to be called without
arguments, and a couple of small typo corrections.

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2019-10-10 18:04:30 -04:00
fd389d28ce Merge pull request #4206 from giuseppe/systemd-mode-look-full-path
systemd: expect full path /usr/sbin/init
2019-10-10 14:58:41 -07:00
cec8edd6f5 Merge pull request #4181 from cevich/start_test_slower_poll
Raise start_test polling interval
2019-10-10 14:58:34 -07:00
f4c7a66149 Fix default path for auth.json
Default path should be ${XDG_RUNTIME_DIR}/containers/auth.json according
to the docs.

This regressed to ${XDG_RUNTIME_DIR}/auth.json in #3760.

Fixes: #4227

Signed-off-by: Hunor Csomortáni <csomh@redhat.com>
2019-10-10 21:51:25 +02:00
b6a7d88397 When restoring containers, reset cgroup path
Previously, `podman checkport restore` with exported containers,
when told to create a new container based on the exported
checkpoint, would create a new container, with a new container
ID, but not reset CGroup path - which contained the ID of the
original container.

If this was done multiple times, the result was two containers
with the same cgroup paths. Operations on these containers would
thus have a chance of crossing over to affect the other one; the
most notable was `podman rm` once it was changed to use the --all
flag when stopping the container; all processes in the cgroup,
including the ones in the other container, would be stopped.

Reset cgroups on restore to ensure that the path matches the ID
of the container actually being run.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-10-10 14:53:29 -04:00
f39e097a81 Merge pull request #4197 from vrothberg/fix-4192
vendor c/psgo@v1.3.2
2019-10-10 07:36:14 -07:00
feba94eb95 Migrate can move containers to a new runtime
This is a horrible hack to work around issues with Fedora 31, but
other distros might need it too, so we'll move it upstream.

I do not recommend this functionality for general use, and the
manpages and other documentation will reflect this. But for some
upgrade cases, it will be the only thing that allows for a
working system.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-10-10 10:25:06 -04:00
6f630bc09b Move OCI runtime implementation behind an interface
For future work, we need multiple implementations of the OCI
runtime, not just a Conmon-wrapped runtime matching the runc CLI.

As part of this, do some refactoring on the interface for exec
(move to a struct, not a massive list of arguments). Also, add
'all' support to Kill and Stop (supported by runc and used a bit
internally for removing containers).

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-10-10 10:19:32 -04:00
a7f266891c Merge pull request #4216 from baude/catchv2runc
catch runc v2 error
2019-10-10 05:45:50 -07:00
3fff42e0ab show uid_map in podman info
show uid_map gid_map in podman info

Signed-off-by: Qi Wang <qiwan@redhat.com>
2019-10-09 21:27:18 -04:00
12c9b53439 Merge pull request #4225 from giuseppe/rootless-create-pause-automatically
rootless: automatically recreate the pause.pid file
2019-10-09 14:48:33 -07:00
5963077e93 cli: support --systemd=always
it enforces the systemd mode also when the command name doesn't match
/usr/sbin/init or systemd.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-10-09 23:39:18 +02:00
3ba3e1c751 systemd: expect full path /usr/sbin/init
"init" is a quite common name for the command executed in a container
image and Podman ends up using the systemd mode also when not
required.

Be stricter on enabling the systemd mode and not enable it
automatically when the basename is "init" but expect the full path
"/usr/sbin/init".

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-10-09 23:38:45 +02:00
2bf184aa01 Merge pull request #4222 from cevich/collect_varlink_log
Cirrus: Produce and collect varlink output
2019-10-09 14:33:14 -07:00
f61e399a66 Merge pull request #4200 from mheon/fix_sigproxy_start
Respect --sig-proxy flag with podman start --attach
2019-10-09 10:23:03 -07:00
c35d71e3da catch runc v2 error
when runc returns an error about not being v2 compliant, catch the error
and logrus an actionable message for users.

Signed-off-by: baude <bbaude@redhat.com>
2019-10-09 09:15:18 -05:00
8b5f165fc1 Respect --sig-proxy flag with podman start --attach
If it's explicitly set, use it, instead of trying to set a sane
default.

Signed-off-by: Matthew Heon <mheon@redhat.com>
2019-10-09 10:12:15 -04:00
2ceb03d05e rootless: automatically recreate the pause.pid file
if the pause process cannot be joined, remove the pause.pid while
keeping a lock on it, and try to recreate it.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-10-09 16:02:21 +02:00
9a61b765d0 rootless: do not close files twice
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-10-09 15:49:12 +02:00
78bf6d0c6e refresh: do not access network ns if not in the namespace
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-10-09 15:49:11 +02:00
c3c40f970e Merge pull request #4218 from jlebon/pr/drop-also
io.podman.socket: drop Also=multi-user.target
2019-10-09 05:03:15 -07:00
ffe726ed64 Cirrus: Produce and collect varlink output
When executing 'make remotesystem' testing, a varlink process is started
up but its stdio is dumped due to the production of excessive data.
However, this also means if the process has a problem, any errors will
not be accessible.

Instead, grab only the last 100 lines and direct them into a file.  Also
update automation's log collection to retrieve this file when the
`$REMOTE_CLIENT` env. var. is `true`.

Signed-off-by: Chris Evich <cevich@redhat.com>
2019-10-08 16:47:37 -04:00
10cbaadf4a Merge pull request #4189 from cevich/install_conmon
Cirrus: Install conmon in Fedora VMs
2019-10-08 11:30:24 -07:00
59353b4dce io.podman.socket: drop Also=multi-user.target
Using `Also=` means that the target unit will also be
installed/uninstalled together with our unit. Doing
`Also=multi-user.target` essentially says: disable `multi-user.target`
if `io.podman.socket` is disabled, which sounds... not at all like
what we want.

In practice, systemd thankfully ignores this (likely because it's the
default target). I think having `Also=io.podman.socket` in the
`io.podman.service` already does what we want here: it gets installed
under `sockets.target` whenever the service is. (And the fact that
systemd ignored this means that it wasn't actually playing a role in
resolving #3998.)

This was causing `systemctl preset-all` to dump core in Fedora CoreOS:
https://github.com/coreos/fedora-coreos-tracker/issues/290

(Likely there's a systemd bug around here too.)

Signed-off-by: Jonathan Lebon <jonathan@jlebon.com>
2019-10-08 12:12:16 -04:00
c817ea1b33 Merge pull request #4032 from rhatdan/pids-limit
Setup a reasonable default for pids-limit 4096
2019-10-07 15:01:27 -07:00
e18dfe69f5 Cirrus: Remove broken/failing testing_crun task
This task was to enable cross-environment testing of crun.  However it
was decided to only run testing w/ crun on F31.  Since F31 release is
imminent, remove this task.

Signed-off-by: Chris Evich <cevich@redhat.com>
2019-10-07 13:43:00 -04:00
0f69032a4b Cirrus: Use new VM cache images
Signed-off-by: Chris Evich <cevich@redhat.com>
2019-10-07 13:12:02 -04:00
09b6cd06c8 Cirrus: Install conmon in Fedora VMs
This is needed because older versions of podman (1.5.1) do not
automatically install the new conmon package.

Also, include removal of `/usr/libexec/podman/conmon` when preparing to
install and test podman built from source.

Signed-off-by: Chris Evich <cevich@redhat.com>
2019-10-07 11:27:45 -04:00
6e0ca9e46c vendor c/psgo@v1.3.2
Now supports cgroupsv2.

Fixes: #4192
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2019-10-07 16:27:09 +02:00
589261f275 Merge pull request #4196 from mheon/normal_remove_on_evict
When evicting containers, perform a normal remove first
2019-10-07 02:54:13 -07:00
8bfa4c975b troubleshooting: fix useradd no-log-init argument
--log-no-init should be --no-log-init

Signed-off-by: Simon Li <spli@dundee.ac.uk>
2019-10-06 12:21:06 +01:00
2c2782a217 Merge pull request #4165 from mtrmac/c-image-4
Update c/image to v4.0.0 + Buildah to 1.11.3
2019-10-04 13:26:38 -07:00
118cf1fc63 Setup a reasonable default for pids-limit 4096
CRI-O defaults to 1024 for the maximum pids in a container.  Podman
should have a similar limit. Once we have a containers.conf, we can
set the limit in this file, and have it easily customizable.

Currently the documentation says that -1 sets pids-limit=max, but -1 fails.
This patch allows -1, but also indicates that 0 also sets the max pids limit.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-10-04 16:09:13 -04:00
d3f59bedb3 Update c/image to v4.0.1 and buildah to 1.11.3
This requires updating all import paths throughout, and a matching
buildah update to interoperate.

I can't figure out the reason for go.mod tracking
	github.com/containers/image v3.0.2+incompatible // indirect
((go mod graph) lists it as a direct dependency of libpod, but
(go list -json -m all) lists it as an indirect dependency),
but at least looking at the vendor subdirectory, it doesn't seem
to be actually used in the built binaries.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2019-10-04 20:18:23 +02:00
bd08fc0e9b Merge pull request #4180 from cevich/update_download_links
Docs: Update links, add links to latest
2019-10-04 08:55:50 -07:00
c03b1b95a3 Merge pull request #4194 from containers/dependabot/go_modules/gopkg.in/yaml.v2-2.2.4
Bump gopkg.in/yaml.v2 from 2.2.3 to 2.2.4
2019-10-04 08:45:34 -07:00
bb803b8f7a When evicting containers, perform a normal remove first
This ensures that containers that didn't require an evict will be
dealt with normally, and we only break out evict for containers
that refuse to be removed by normal means.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-10-04 11:04:43 -04:00
70d5b0a6fb Merge pull request #4186 from cevich/log_runc_crun
Cirrus: Simplify package NVR logging
2019-10-04 07:42:05 -07:00
c9e936a407 Merge pull request #3549 from marcov/evict-container
Add ability to evict a container
2019-10-04 07:30:27 -07:00
f418fc70e7 Bump gopkg.in/yaml.v2 from 2.2.3 to 2.2.4
Bumps [gopkg.in/yaml.v2](https://github.com/go-yaml/yaml) from 2.2.3 to 2.2.4.
- [Release notes](https://github.com/go-yaml/yaml/releases)
- [Commits](https://github.com/go-yaml/yaml/compare/v2.2.3...v2.2.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2019-10-04 15:27:36 +02:00
1fe9556009 Merge pull request #4188 from Mrigank11/validate_network_name
podman network create: validate user input
2019-10-04 02:11:56 -07:00
c5e26f8e40 podman network create: validate user input
Disallow invalid/confusing names such as '../bar' or 'foo '
Closes #4184

Signed-off-by: Mrigank Krishan <mrigankkrishan@gmail.com>
2019-10-04 02:34:01 +05:30
5756fd8ff9 Cirrus: Simplify package NVR logging
Also include runc/crun version for Fedora

Signed-off-by: Chris Evich <cevich@redhat.com>
2019-10-03 15:53:07 -04:00
7af4074c6f Merge pull request #4161 from afbjorklund/machine-env
Handle environment variables from podman-machine
2019-10-03 12:45:43 -07:00
980291d0c1 Docs: Update links, add links to latest
Signed-off-by: Chris Evich <cevich@redhat.com>
2019-10-03 15:18:38 -04:00