mirror of
				https://github.com/containers/podman.git
				synced 2025-10-27 03:06:22 +08:00 
			
		
		
		
	 62956ac192
			
		
	
	62956ac192
	
	
	
		
			
			I am seeing a weird flake in my parallel system test PR. The issue is that system units generated by podman systemd generate leave a container in the Removing state behind. As far as I can tell the porblems seems to be that the cleanup process is killed while it tries to remove the container from the db. Because the cidfile was removed before the ExecStopPost=podman rm ... process no longer had access to the cidfile and reported no error because it runs with --ignore. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
		
			
				
	
	
		
			1465 lines
		
	
	
		
			46 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			1465 lines
		
	
	
		
			46 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| //go:build !remote
 | |
| 
 | |
| package libpod
 | |
| 
 | |
| import (
 | |
| 	"context"
 | |
| 	"errors"
 | |
| 	"fmt"
 | |
| 	"io/fs"
 | |
| 	"os"
 | |
| 	"path"
 | |
| 	"path/filepath"
 | |
| 	"slices"
 | |
| 	"strings"
 | |
| 	"time"
 | |
| 
 | |
| 	"github.com/containers/buildah"
 | |
| 	"github.com/containers/common/libnetwork/types"
 | |
| 	"github.com/containers/common/pkg/cgroups"
 | |
| 	"github.com/containers/common/pkg/config"
 | |
| 	"github.com/containers/podman/v5/libpod/define"
 | |
| 	"github.com/containers/podman/v5/libpod/events"
 | |
| 	"github.com/containers/podman/v5/libpod/shutdown"
 | |
| 	"github.com/containers/podman/v5/pkg/domain/entities/reports"
 | |
| 	"github.com/containers/podman/v5/pkg/rootless"
 | |
| 	"github.com/containers/podman/v5/pkg/specgen"
 | |
| 	"github.com/containers/podman/v5/pkg/util"
 | |
| 	"github.com/containers/storage"
 | |
| 	"github.com/containers/storage/pkg/stringid"
 | |
| 	"github.com/docker/go-units"
 | |
| 	spec "github.com/opencontainers/runtime-spec/specs-go"
 | |
| 	"github.com/opencontainers/runtime-tools/generate"
 | |
| 	"github.com/sirupsen/logrus"
 | |
| )
 | |
| 
 | |
| // Contains the public Runtime API for containers
 | |
| 
 | |
| // A CtrCreateOption is a functional option which alters the Container created
 | |
| // by NewContainer
 | |
| type CtrCreateOption func(*Container) error
 | |
| 
 | |
| // ContainerFilter is a function to determine whether a container is included
 | |
| // in command output. Containers to be outputted are tested using the function.
 | |
| // A true return will include the container, a false return will exclude it.
 | |
| type ContainerFilter func(*Container) bool
 | |
| 
 | |
| // NewContainer creates a new container from a given OCI config.
 | |
| func (r *Runtime) NewContainer(ctx context.Context, rSpec *spec.Spec, spec *specgen.SpecGenerator, infra bool, options ...CtrCreateOption) (*Container, error) {
 | |
| 	if !r.valid {
 | |
| 		return nil, define.ErrRuntimeStopped
 | |
| 	}
 | |
| 	if infra {
 | |
| 		options = append(options, withIsInfra())
 | |
| 	}
 | |
| 	return r.newContainer(ctx, rSpec, options...)
 | |
| }
 | |
| 
 | |
| func (r *Runtime) PrepareVolumeOnCreateContainer(ctx context.Context, ctr *Container) error {
 | |
| 	// Copy the content from the underlying image into the newly created
 | |
| 	// volume if configured to do so.
 | |
| 	if !r.config.Containers.PrepareVolumeOnCreate {
 | |
| 		return nil
 | |
| 	}
 | |
| 
 | |
| 	defer func() {
 | |
| 		if err := ctr.cleanupStorage(); err != nil {
 | |
| 			logrus.Errorf("Cleaning up container storage %s: %v", ctr.ID(), err)
 | |
| 		}
 | |
| 	}()
 | |
| 
 | |
| 	mountPoint, err := ctr.mountStorage()
 | |
| 	if err == nil {
 | |
| 		// Finish up mountStorage
 | |
| 		ctr.state.Mounted = true
 | |
| 		ctr.state.Mountpoint = mountPoint
 | |
| 		if err = ctr.save(); err != nil {
 | |
| 			logrus.Errorf("Saving container %s state: %v", ctr.ID(), err)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return err
 | |
| }
 | |
| 
 | |
| // RestoreContainer re-creates a container from an imported checkpoint
 | |
| func (r *Runtime) RestoreContainer(ctx context.Context, rSpec *spec.Spec, config *ContainerConfig) (*Container, error) {
 | |
| 	if !r.valid {
 | |
| 		return nil, define.ErrRuntimeStopped
 | |
| 	}
 | |
| 
 | |
| 	ctr, err := r.initContainerVariables(rSpec, config)
 | |
| 	if err != nil {
 | |
| 		return nil, fmt.Errorf("initializing container variables: %w", err)
 | |
| 	}
 | |
| 	// For an imported checkpoint no one has ever set the StartedTime. Set it now.
 | |
| 	ctr.state.StartedTime = time.Now()
 | |
| 
 | |
| 	// If the path to ConmonPidFile starts with the default value (RunRoot), then
 | |
| 	// the user has not specified '--conmon-pidfile' during run or create (probably).
 | |
| 	// In that case reset ConmonPidFile to be set to the default value later.
 | |
| 	if strings.HasPrefix(ctr.config.ConmonPidFile, r.storageConfig.RunRoot) {
 | |
| 		ctr.config.ConmonPidFile = ""
 | |
| 	}
 | |
| 
 | |
| 	// If the path to PidFile starts with the default value (RunRoot), then
 | |
| 	// the user has not specified '--pidfile' during run or create (probably).
 | |
| 	// In that case reset PidFile to be set to the default value later.
 | |
| 	if strings.HasPrefix(ctr.config.PidFile, r.storageConfig.RunRoot) {
 | |
| 		ctr.config.PidFile = ""
 | |
| 	}
 | |
| 
 | |
| 	return r.setupContainer(ctx, ctr)
 | |
| }
 | |
| 
 | |
| // RenameContainer renames the given container.
 | |
| // Returns a copy of the container that has been renamed if successful.
 | |
| func (r *Runtime) RenameContainer(ctx context.Context, ctr *Container, newName string) (*Container, error) {
 | |
| 	ctr.lock.Lock()
 | |
| 	defer ctr.lock.Unlock()
 | |
| 
 | |
| 	if err := ctr.syncContainer(); err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	newName = strings.TrimPrefix(newName, "/")
 | |
| 	if newName == "" || !define.NameRegex.MatchString(newName) {
 | |
| 		return nil, define.RegexError
 | |
| 	}
 | |
| 
 | |
| 	// We need to pull an updated config, in case another rename fired and
 | |
| 	// the config was re-written.
 | |
| 	newConf, err := r.state.GetContainerConfig(ctr.ID())
 | |
| 	if err != nil {
 | |
| 		return nil, fmt.Errorf("retrieving container %s configuration from DB to remove: %w", ctr.ID(), err)
 | |
| 	}
 | |
| 	ctr.config = newConf
 | |
| 
 | |
| 	logrus.Infof("Going to rename container %s from %q to %q", ctr.ID(), ctr.Name(), newName)
 | |
| 
 | |
| 	// Step 1: Alter the config. Save the old name, we need it to rewrite
 | |
| 	// the config.
 | |
| 	oldName := ctr.config.Name
 | |
| 	ctr.config.Name = newName
 | |
| 
 | |
| 	// Step 2: rewrite the old container's config in the DB.
 | |
| 	if err := r.state.SafeRewriteContainerConfig(ctr, oldName, ctr.config.Name, ctr.config); err != nil {
 | |
| 		// Assume the rename failed.
 | |
| 		// Set config back to the old name so reflect what is actually
 | |
| 		// present in the DB.
 | |
| 		ctr.config.Name = oldName
 | |
| 		return nil, fmt.Errorf("renaming container %s: %w", ctr.ID(), err)
 | |
| 	}
 | |
| 
 | |
| 	// Step 3: rename the container in c/storage.
 | |
| 	// This can fail if the name is already in use by a non-Podman
 | |
| 	// container. This puts us in a bad spot - we've already renamed the
 | |
| 	// container in Podman. We can swap the order, but then we have the
 | |
| 	// opposite problem. Atomicity is a real problem here, with no easy
 | |
| 	// solution.
 | |
| 	if err := r.store.SetNames(ctr.ID(), []string{ctr.Name()}); err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	ctr.newContainerEvent(events.Rename)
 | |
| 	return ctr, nil
 | |
| }
 | |
| 
 | |
| func (r *Runtime) initContainerVariables(rSpec *spec.Spec, config *ContainerConfig) (*Container, error) {
 | |
| 	if rSpec == nil {
 | |
| 		return nil, fmt.Errorf("must provide a valid runtime spec to create container: %w", define.ErrInvalidArg)
 | |
| 	}
 | |
| 	ctr := new(Container)
 | |
| 	ctr.config = new(ContainerConfig)
 | |
| 	ctr.state = new(ContainerState)
 | |
| 
 | |
| 	if config == nil {
 | |
| 		ctr.config.ID = stringid.GenerateRandomID()
 | |
| 		size, err := units.FromHumanSize(r.config.Containers.ShmSize)
 | |
| 		if useDevShm {
 | |
| 			if err != nil {
 | |
| 				return nil, fmt.Errorf("converting containers.conf ShmSize %s to an int: %w", r.config.Containers.ShmSize, err)
 | |
| 			}
 | |
| 			ctr.config.ShmSize = size
 | |
| 			ctr.config.NoShm = false
 | |
| 			ctr.config.NoShmShare = false
 | |
| 		} else {
 | |
| 			ctr.config.NoShm = true
 | |
| 			ctr.config.NoShmShare = true
 | |
| 		}
 | |
| 		ctr.config.StopSignal = 15
 | |
| 
 | |
| 		ctr.config.StopTimeout = r.config.Engine.StopTimeout
 | |
| 	} else {
 | |
| 		// This is a restore from an imported checkpoint
 | |
| 		ctr.restoreFromCheckpoint = true
 | |
| 		if err := JSONDeepCopy(config, ctr.config); err != nil {
 | |
| 			return nil, fmt.Errorf("copying container config for restore: %w", err)
 | |
| 		}
 | |
| 		// If the ID is empty a new name for the restored container was requested
 | |
| 		if ctr.config.ID == "" {
 | |
| 			ctr.config.ID = stringid.GenerateRandomID()
 | |
| 		}
 | |
| 		// Reset the log path to point to the default
 | |
| 		ctr.config.LogPath = ""
 | |
| 		// Later in validate() the check is for nil. JSONDeepCopy sets it to an empty
 | |
| 		// object. Resetting it to nil if it was nil before.
 | |
| 		if config.StaticMAC == nil {
 | |
| 			ctr.config.StaticMAC = nil
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	ctr.config.Spec = rSpec
 | |
| 	ctr.config.CreatedTime = time.Now()
 | |
| 
 | |
| 	ctr.state.BindMounts = make(map[string]string)
 | |
| 
 | |
| 	ctr.config.OCIRuntime = r.defaultOCIRuntime.Name()
 | |
| 
 | |
| 	// Set namespace based on current runtime namespace
 | |
| 	// Do so before options run so they can override it
 | |
| 	if r.config.Engine.Namespace != "" {
 | |
| 		ctr.config.Namespace = r.config.Engine.Namespace
 | |
| 	}
 | |
| 
 | |
| 	ctr.runtime = r
 | |
| 
 | |
| 	return ctr, nil
 | |
| }
 | |
| 
 | |
| func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options ...CtrCreateOption) (*Container, error) {
 | |
| 	var ctr *Container
 | |
| 	var err error
 | |
| 
 | |
| 	ctr, err = r.initContainerVariables(rSpec, nil)
 | |
| 
 | |
| 	if err != nil {
 | |
| 		return nil, fmt.Errorf("initializing container variables: %w", err)
 | |
| 	}
 | |
| 
 | |
| 	for _, option := range options {
 | |
| 		if err := option(ctr); err != nil {
 | |
| 			return nil, fmt.Errorf("running container create option: %w", err)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return r.setupContainer(ctx, ctr)
 | |
| }
 | |
| 
 | |
| func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Container, retErr error) {
 | |
| 	// normalize the networks to names
 | |
| 	// the db backend only knows about network names so we have to make
 | |
| 	// sure we do not use ids internally
 | |
| 	if len(ctr.config.Networks) > 0 {
 | |
| 		normalizeNetworks := make(map[string]types.PerNetworkOptions, len(ctr.config.Networks))
 | |
| 		// first get the already used interface names so we do not conflict
 | |
| 		usedIfNames := make([]string, 0, len(ctr.config.Networks))
 | |
| 		for _, opts := range ctr.config.Networks {
 | |
| 			if opts.InterfaceName != "" {
 | |
| 				// check that no name is assigned to more than network
 | |
| 				if slices.Contains(usedIfNames, opts.InterfaceName) {
 | |
| 					return nil, fmt.Errorf("network interface name %q is already assigned to another network", opts.InterfaceName)
 | |
| 				}
 | |
| 				usedIfNames = append(usedIfNames, opts.InterfaceName)
 | |
| 			}
 | |
| 		}
 | |
| 		i := 0
 | |
| 		for nameOrID, opts := range ctr.config.Networks {
 | |
| 			netName, nicName, err := r.normalizeNetworkName(nameOrID)
 | |
| 			if err != nil {
 | |
| 				return nil, err
 | |
| 			}
 | |
| 
 | |
| 			// check whether interface is to be named as the network_interface
 | |
| 			// when name left unspecified
 | |
| 			if opts.InterfaceName == "" {
 | |
| 				opts.InterfaceName = nicName
 | |
| 			}
 | |
| 
 | |
| 			// assign default interface name if empty
 | |
| 			if opts.InterfaceName == "" {
 | |
| 				for i < 100000 {
 | |
| 					ifName := fmt.Sprintf("eth%d", i)
 | |
| 					if !slices.Contains(usedIfNames, ifName) {
 | |
| 						opts.InterfaceName = ifName
 | |
| 						usedIfNames = append(usedIfNames, ifName)
 | |
| 						break
 | |
| 					}
 | |
| 					i++
 | |
| 				}
 | |
| 				// if still empty we did not find a free name
 | |
| 				if opts.InterfaceName == "" {
 | |
| 					return nil, errors.New("failed to find free network interface name")
 | |
| 				}
 | |
| 			}
 | |
| 			opts.Aliases = append(opts.Aliases, getExtraNetworkAliases(ctr)...)
 | |
| 
 | |
| 			normalizeNetworks[netName] = opts
 | |
| 		}
 | |
| 		ctr.config.Networks = normalizeNetworks
 | |
| 	}
 | |
| 
 | |
| 	// Validate the container
 | |
| 	if err := ctr.validate(); err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	if ctr.config.IsInfra {
 | |
| 		ctr.config.StopTimeout = 10
 | |
| 	}
 | |
| 
 | |
| 	// Inhibit shutdown until creation succeeds
 | |
| 	shutdown.Inhibit()
 | |
| 	defer shutdown.Uninhibit()
 | |
| 
 | |
| 	// Allocate a lock for the container
 | |
| 	lock, err := r.lockManager.AllocateLock()
 | |
| 	if err != nil {
 | |
| 		return nil, fmt.Errorf("allocating lock for new container: %w", err)
 | |
| 	}
 | |
| 	ctr.lock = lock
 | |
| 	ctr.config.LockID = ctr.lock.ID()
 | |
| 	logrus.Debugf("Allocated lock %d for container %s", ctr.lock.ID(), ctr.ID())
 | |
| 
 | |
| 	defer func() {
 | |
| 		if retErr != nil {
 | |
| 			if err := ctr.lock.Free(); err != nil {
 | |
| 				logrus.Errorf("Freeing lock for container after creation failed: %v", err)
 | |
| 			}
 | |
| 		}
 | |
| 	}()
 | |
| 
 | |
| 	ctr.valid = true
 | |
| 	ctr.state.State = define.ContainerStateConfigured
 | |
| 	ctr.runtime = r
 | |
| 
 | |
| 	if ctr.config.OCIRuntime == "" {
 | |
| 		ctr.ociRuntime = r.defaultOCIRuntime
 | |
| 	} else {
 | |
| 		ociRuntime, ok := r.ociRuntimes[ctr.config.OCIRuntime]
 | |
| 		if !ok {
 | |
| 			return nil, fmt.Errorf("requested OCI runtime %s is not available: %w", ctr.config.OCIRuntime, define.ErrInvalidArg)
 | |
| 		}
 | |
| 		ctr.ociRuntime = ociRuntime
 | |
| 	}
 | |
| 
 | |
| 	// Check NoCgroups support
 | |
| 	if ctr.config.NoCgroups {
 | |
| 		if !ctr.ociRuntime.SupportsNoCgroups() {
 | |
| 			return nil, fmt.Errorf("requested OCI runtime %s is not compatible with NoCgroups: %w", ctr.ociRuntime.Name(), define.ErrInvalidArg)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	var pod *Pod
 | |
| 	if ctr.config.Pod != "" {
 | |
| 		// Get the pod from state
 | |
| 		pod, err = r.state.Pod(ctr.config.Pod)
 | |
| 		if err != nil {
 | |
| 			return nil, fmt.Errorf("cannot add container %s to pod %s: %w", ctr.ID(), ctr.config.Pod, err)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Check Cgroup parent sanity, and set it if it was not set.
 | |
| 	// Only if we're actually configuring Cgroups.
 | |
| 	if !ctr.config.NoCgroups {
 | |
| 		ctr.config.CgroupManager = r.config.Engine.CgroupManager
 | |
| 		switch r.config.Engine.CgroupManager {
 | |
| 		case config.CgroupfsCgroupsManager:
 | |
| 			if ctr.config.CgroupParent == "" {
 | |
| 				if pod != nil && pod.config.UsePodCgroup && !ctr.IsInfra() {
 | |
| 					podCgroup, err := pod.CgroupPath()
 | |
| 					if err != nil {
 | |
| 						return nil, fmt.Errorf("retrieving pod %s cgroup: %w", pod.ID(), err)
 | |
| 					}
 | |
| 					expectPodCgroup, err := ctr.expectPodCgroup()
 | |
| 					if err != nil {
 | |
| 						return nil, err
 | |
| 					}
 | |
| 					if expectPodCgroup && podCgroup == "" {
 | |
| 						return nil, fmt.Errorf("pod %s cgroup is not set: %w", pod.ID(), define.ErrInternal)
 | |
| 					}
 | |
| 					canUseCgroup := !rootless.IsRootless() || isRootlessCgroupSet(podCgroup)
 | |
| 					if canUseCgroup {
 | |
| 						ctr.config.CgroupParent = podCgroup
 | |
| 					}
 | |
| 				} else if !rootless.IsRootless() {
 | |
| 					ctr.config.CgroupParent = CgroupfsDefaultCgroupParent
 | |
| 				}
 | |
| 			} else if strings.HasSuffix(path.Base(ctr.config.CgroupParent), ".slice") {
 | |
| 				return nil, fmt.Errorf("systemd slice received as cgroup parent when using cgroupfs: %w", define.ErrInvalidArg)
 | |
| 			}
 | |
| 		case config.SystemdCgroupsManager:
 | |
| 			if ctr.config.CgroupParent == "" {
 | |
| 				switch {
 | |
| 				case pod != nil && pod.config.UsePodCgroup && !ctr.IsInfra():
 | |
| 					podCgroup, err := pod.CgroupPath()
 | |
| 					if err != nil {
 | |
| 						return nil, fmt.Errorf("retrieving pod %s cgroup: %w", pod.ID(), err)
 | |
| 					}
 | |
| 					expectPodCgroup, err := ctr.expectPodCgroup()
 | |
| 					if err != nil {
 | |
| 						return nil, err
 | |
| 					}
 | |
| 					if expectPodCgroup && podCgroup == "" {
 | |
| 						return nil, fmt.Errorf("pod %s cgroup is not set: %w", pod.ID(), define.ErrInternal)
 | |
| 					}
 | |
| 					ctr.config.CgroupParent = podCgroup
 | |
| 				case rootless.IsRootless() && ctr.config.CgroupsMode != cgroupSplit:
 | |
| 					ctr.config.CgroupParent = SystemdDefaultRootlessCgroupParent
 | |
| 				case ctr.config.CgroupsMode != cgroupSplit:
 | |
| 					ctr.config.CgroupParent = SystemdDefaultCgroupParent
 | |
| 				}
 | |
| 			} else if len(ctr.config.CgroupParent) < 6 || !strings.HasSuffix(path.Base(ctr.config.CgroupParent), ".slice") {
 | |
| 				return nil, fmt.Errorf("did not receive systemd slice as cgroup parent when using systemd to manage cgroups: %w", define.ErrInvalidArg)
 | |
| 			}
 | |
| 		default:
 | |
| 			return nil, fmt.Errorf("unsupported Cgroup manager: %s - cannot validate cgroup parent: %w", r.config.Engine.CgroupManager, define.ErrInvalidArg)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if ctr.config.Timezone == "" {
 | |
| 		ctr.config.Timezone = r.config.Containers.TZ
 | |
| 	}
 | |
| 
 | |
| 	if ctr.restoreFromCheckpoint {
 | |
| 		// Remove information about bind mount
 | |
| 		// for new container from imported checkpoint
 | |
| 
 | |
| 		// NewFromSpec() is deprecated according to its comment
 | |
| 		// however the recommended replace just causes a nil map panic
 | |
| 		g := generate.NewFromSpec(ctr.config.Spec)
 | |
| 		g.RemoveMount("/dev/shm")
 | |
| 		ctr.config.ShmDir = ""
 | |
| 		g.RemoveMount("/etc/resolv.conf")
 | |
| 		g.RemoveMount("/etc/hostname")
 | |
| 		g.RemoveMount("/etc/hosts")
 | |
| 		g.RemoveMount("/run/.containerenv")
 | |
| 		g.RemoveMount("/run/secrets")
 | |
| 		g.RemoveMount("/var/run/.containerenv")
 | |
| 		g.RemoveMount("/var/run/secrets")
 | |
| 
 | |
| 		// Regenerate Cgroup paths so they don't point to the old
 | |
| 		// container ID.
 | |
| 		cgroupPath, err := ctr.getOCICgroupPath()
 | |
| 		if err != nil {
 | |
| 			return nil, err
 | |
| 		}
 | |
| 		g.SetLinuxCgroupsPath(cgroupPath)
 | |
| 	}
 | |
| 
 | |
| 	// Set up storage for the container
 | |
| 	if err := ctr.setupStorage(ctx); err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	defer func() {
 | |
| 		if retErr != nil {
 | |
| 			if err := ctr.teardownStorage(); err != nil {
 | |
| 				logrus.Errorf("Removing partially-created container root filesystem: %v", err)
 | |
| 			}
 | |
| 		}
 | |
| 	}()
 | |
| 
 | |
| 	ctr.config.SecretsPath = filepath.Join(ctr.config.StaticDir, "secrets")
 | |
| 	err = os.MkdirAll(ctr.config.SecretsPath, 0755)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	for _, secr := range ctr.config.Secrets {
 | |
| 		err = ctr.extractSecretToCtrStorage(secr)
 | |
| 		if err != nil {
 | |
| 			return nil, err
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if ctr.config.ConmonPidFile == "" {
 | |
| 		ctr.config.ConmonPidFile = filepath.Join(ctr.state.RunDir, "conmon.pid")
 | |
| 	}
 | |
| 
 | |
| 	if ctr.config.PidFile == "" {
 | |
| 		ctr.config.PidFile = filepath.Join(ctr.state.RunDir, "pidfile")
 | |
| 	}
 | |
| 
 | |
| 	// Go through named volumes and add them.
 | |
| 	// If they don't exist they will be created using basic options.
 | |
| 	for _, vol := range ctr.config.NamedVolumes {
 | |
| 		isAnonymous := false
 | |
| 		if vol.Name == "" {
 | |
| 			// Anonymous volume. We'll need to create it.
 | |
| 			// It needs a name first.
 | |
| 			vol.Name = stringid.GenerateRandomID()
 | |
| 			isAnonymous = true
 | |
| 		} else {
 | |
| 			// Check if it already exists
 | |
| 			_, err := r.state.Volume(vol.Name)
 | |
| 			if err == nil {
 | |
| 				// The volume exists, we're good
 | |
| 				continue
 | |
| 			} else if !errors.Is(err, define.ErrNoSuchVolume) {
 | |
| 				return nil, fmt.Errorf("retrieving named volume %s for new container: %w", vol.Name, err)
 | |
| 			}
 | |
| 		}
 | |
| 		if vol.IsAnonymous {
 | |
| 			// If SetAnonymous is true, make this an anonymous volume
 | |
| 			// this is needed for emptyDir volumes from kube yamls
 | |
| 			isAnonymous = true
 | |
| 		}
 | |
| 
 | |
| 		logrus.Debugf("Creating new volume %s for container", vol.Name)
 | |
| 
 | |
| 		// The volume does not exist, so we need to create it.
 | |
| 		volOptions := []VolumeCreateOption{
 | |
| 			WithVolumeName(vol.Name),
 | |
| 			WithVolumeMountLabel(ctr.MountLabel()),
 | |
| 		}
 | |
| 		if isAnonymous {
 | |
| 			volOptions = append(volOptions, withSetAnon())
 | |
| 		}
 | |
| 
 | |
| 		needsChown := true
 | |
| 
 | |
| 		// If volume-opts are set, parse and add driver opts.
 | |
| 		if len(vol.Options) > 0 {
 | |
| 			isDriverOpts := false
 | |
| 			driverOpts := make(map[string]string)
 | |
| 			for _, opts := range vol.Options {
 | |
| 				if opts == "idmap" {
 | |
| 					needsChown = false
 | |
| 				}
 | |
| 				if strings.HasPrefix(opts, "volume-opt") {
 | |
| 					isDriverOpts = true
 | |
| 					driverOptKey, driverOptValue, err := util.ParseDriverOpts(opts)
 | |
| 					if err != nil {
 | |
| 						return nil, err
 | |
| 					}
 | |
| 					driverOpts[driverOptKey] = driverOptValue
 | |
| 				}
 | |
| 			}
 | |
| 			if isDriverOpts {
 | |
| 				parsedOptions := []VolumeCreateOption{WithVolumeOptions(driverOpts)}
 | |
| 				volOptions = append(volOptions, parsedOptions...)
 | |
| 			}
 | |
| 		}
 | |
| 
 | |
| 		if needsChown {
 | |
| 			volOptions = append(volOptions, WithVolumeUID(ctr.RootUID()), WithVolumeGID(ctr.RootGID()))
 | |
| 		} else {
 | |
| 			volOptions = append(volOptions, WithVolumeNoChown())
 | |
| 		}
 | |
| 
 | |
| 		_, err = r.newVolume(ctx, false, volOptions...)
 | |
| 		if err != nil {
 | |
| 			return nil, fmt.Errorf("creating named volume %q: %w", vol.Name, err)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	switch ctr.config.LogDriver {
 | |
| 	case define.NoLogging, define.PassthroughLogging, define.JournaldLogging:
 | |
| 		break
 | |
| 	default:
 | |
| 		if ctr.config.LogPath == "" {
 | |
| 			ctr.config.LogPath = filepath.Join(ctr.config.StaticDir, "ctr.log")
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if useDevShm && !MountExists(ctr.config.Spec.Mounts, "/dev/shm") && ctr.config.ShmDir == "" && !ctr.config.NoShm {
 | |
| 		ctr.config.ShmDir = filepath.Join(ctr.bundlePath(), "shm")
 | |
| 		if err := os.MkdirAll(ctr.config.ShmDir, 0700); err != nil {
 | |
| 			if !os.IsExist(err) {
 | |
| 				return nil, fmt.Errorf("unable to create shm dir: %w", err)
 | |
| 			}
 | |
| 		}
 | |
| 		ctr.config.Mounts = append(ctr.config.Mounts, ctr.config.ShmDir)
 | |
| 	}
 | |
| 
 | |
| 	// Add the container to the state
 | |
| 	// TODO: May be worth looking into recovering from name/ID collisions here
 | |
| 	if ctr.config.Pod != "" {
 | |
| 		// Lock the pod to ensure we can't add containers to pods
 | |
| 		// being removed
 | |
| 		pod.lock.Lock()
 | |
| 		defer pod.lock.Unlock()
 | |
| 
 | |
| 		if err := r.state.AddContainerToPod(pod, ctr); err != nil {
 | |
| 			return nil, err
 | |
| 		}
 | |
| 	} else if err := r.state.AddContainer(ctr); err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	if ctr.runtime.config.Engine.EventsContainerCreateInspectData {
 | |
| 		if err := ctr.newContainerEventWithInspectData(events.Create, "", true); err != nil {
 | |
| 			return nil, err
 | |
| 		}
 | |
| 	} else {
 | |
| 		ctr.newContainerEvent(events.Create)
 | |
| 	}
 | |
| 	return ctr, nil
 | |
| }
 | |
| 
 | |
| // RemoveContainer removes the given container. If force is true, the container
 | |
| // will be stopped first (otherwise, an error will be returned if the container
 | |
| // is running). If removeVolume is specified, anonymous named volumes used by the
 | |
| // container will be removed also (iff the container is the sole user of the
 | |
| // volumes). Timeout sets the stop timeout for the container if it is running.
 | |
| func (r *Runtime) RemoveContainer(ctx context.Context, c *Container, force bool, removeVolume bool, timeout *uint) error {
 | |
| 	opts := ctrRmOpts{
 | |
| 		Force:        force,
 | |
| 		RemoveVolume: removeVolume,
 | |
| 		Timeout:      timeout,
 | |
| 	}
 | |
| 
 | |
| 	// NOTE: container will be locked down the road. There is no unlocked
 | |
| 	// version of removeContainer.
 | |
| 	_, _, err := r.removeContainer(ctx, c, opts)
 | |
| 	return err
 | |
| }
 | |
| 
 | |
| // RemoveContainerAndDependencies removes the given container and all its
 | |
| // dependencies. This may include pods (if the container or any of its
 | |
| // dependencies is an infra or service container, the associated pod(s) will also
 | |
| // be removed). Otherwise, it functions identically to RemoveContainer.
 | |
| // Returns two arrays: containers removed, and pods removed. These arrays are
 | |
| // always returned, even if error is set, and indicate any containers that were
 | |
| // successfully removed prior to the error.
 | |
| func (r *Runtime) RemoveContainerAndDependencies(ctx context.Context, c *Container, force bool, removeVolume bool, timeout *uint) (map[string]error, map[string]error, error) {
 | |
| 	opts := ctrRmOpts{
 | |
| 		Force:        force,
 | |
| 		RemoveVolume: removeVolume,
 | |
| 		RemoveDeps:   true,
 | |
| 		Timeout:      timeout,
 | |
| 	}
 | |
| 
 | |
| 	// NOTE: container will be locked down the road. There is no unlocked
 | |
| 	// version of removeContainer.
 | |
| 	return r.removeContainer(ctx, c, opts)
 | |
| }
 | |
| 
 | |
| // Options for removeContainer
 | |
| type ctrRmOpts struct {
 | |
| 	// Whether to stop running container(s)
 | |
| 	Force bool
 | |
| 	// Whether to remove anonymous volumes used by removing the container
 | |
| 	RemoveVolume bool
 | |
| 	// Only set by `removePod` as `removeContainer` is being called as part
 | |
| 	// of removing a whole pod.
 | |
| 	RemovePod bool
 | |
| 	// Whether to ignore dependencies of the container when removing
 | |
| 	// (This is *DANGEROUS* and should not be used outside of non-graph
 | |
| 	// traversal pod removal code).
 | |
| 	IgnoreDeps bool
 | |
| 	// Remove all the dependencies associated with the container. Can cause
 | |
| 	// multiple containers, and possibly one or more pods, to be removed.
 | |
| 	RemoveDeps bool
 | |
| 	// Do not lock the pod that the container is part of (used only by
 | |
| 	// recursive calls of removeContainer, used when removing dependencies)
 | |
| 	NoLockPod bool
 | |
| 	// Timeout to use when stopping the container. Only used if `Force` is
 | |
| 	// true.
 | |
| 	Timeout *uint
 | |
| }
 | |
| 
 | |
| // Internal function to remove a container.
 | |
| // Locks the container, but does not lock the runtime.
 | |
| // removePod is used only when removing pods. It instructs Podman to ignore
 | |
| // infra container protections, and *not* remove from the database (as pod
 | |
| // remove will handle that).
 | |
| // ignoreDeps is *DANGEROUS* and should not be used outside of a very specific
 | |
| // context (alternate pod removal code, where graph traversal is not possible).
 | |
| // removeDeps instructs Podman to remove dependency containers (and possible
 | |
| // a dependency pod if an infra container is involved). removeDeps conflicts
 | |
| // with removePod - pods have their own dependency management.
 | |
| // noLockPod is used for recursive removeContainer calls when the pod is already
 | |
| // locked.
 | |
| // TODO: At this point we should just start accepting an options struct
 | |
| func (r *Runtime) removeContainer(ctx context.Context, c *Container, opts ctrRmOpts) (removedCtrs map[string]error, removedPods map[string]error, retErr error) {
 | |
| 	removedCtrs = make(map[string]error)
 | |
| 	removedPods = make(map[string]error)
 | |
| 
 | |
| 	if !c.valid {
 | |
| 		if ok, _ := r.state.HasContainer(c.ID()); !ok {
 | |
| 			// Container probably already removed
 | |
| 			// Or was never in the runtime to begin with
 | |
| 			removedCtrs[c.ID()] = nil
 | |
| 			return
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if opts.RemovePod && opts.RemoveDeps {
 | |
| 		retErr = fmt.Errorf("cannot remove dependencies while also removing a pod: %w", define.ErrInvalidArg)
 | |
| 		return
 | |
| 	}
 | |
| 
 | |
| 	// We need to refresh container config from the DB, to ensure that any
 | |
| 	// changes (e.g. a rename) are picked up before we start removing.
 | |
| 	// Since HasContainer above succeeded, we can safely assume the
 | |
| 	// container exists.
 | |
| 	// This is *very iffy* but it should be OK because the container won't
 | |
| 	// exist once we're done.
 | |
| 	newConf, err := r.state.GetContainerConfig(c.ID())
 | |
| 	if err != nil {
 | |
| 		retErr = fmt.Errorf("retrieving container %s configuration from DB to remove: %w", c.ID(), err)
 | |
| 		return
 | |
| 	}
 | |
| 	c.config = newConf
 | |
| 
 | |
| 	logrus.Debugf("Removing container %s", c.ID())
 | |
| 
 | |
| 	// We need to lock the pod before we lock the container.
 | |
| 	// To avoid races around removing a container and the pod it is in.
 | |
| 	// Don't need to do this in pod removal case - we're evicting the entire
 | |
| 	// pod.
 | |
| 	var pod *Pod
 | |
| 	runtime := c.runtime
 | |
| 	if c.config.Pod != "" {
 | |
| 		pod, err = r.state.Pod(c.config.Pod)
 | |
| 		if err != nil {
 | |
| 			// There's a potential race here where the pod we are in
 | |
| 			// was already removed.
 | |
| 			// If so, this container is also removed, as pods take
 | |
| 			// all their containers with them.
 | |
| 			// So if it's already gone, check if we are too.
 | |
| 			if errors.Is(err, define.ErrNoSuchPod) {
 | |
| 				// We could check the DB to see if we still
 | |
| 				// exist, but that would be a serious violation
 | |
| 				// of DB integrity.
 | |
| 				// Mark this container as removed so there's no
 | |
| 				// confusion, though.
 | |
| 				removedCtrs[c.ID()] = nil
 | |
| 				return
 | |
| 			}
 | |
| 
 | |
| 			retErr = err
 | |
| 			return
 | |
| 		}
 | |
| 
 | |
| 		if !opts.RemovePod {
 | |
| 			// Lock the pod while we're removing container
 | |
| 			if pod.config.LockID == c.config.LockID {
 | |
| 				retErr = fmt.Errorf("container %s and pod %s share lock ID %d: %w", c.ID(), pod.ID(), c.config.LockID, define.ErrWillDeadlock)
 | |
| 				return
 | |
| 			}
 | |
| 			if !opts.NoLockPod {
 | |
| 				pod.lock.Lock()
 | |
| 				defer pod.lock.Unlock()
 | |
| 			}
 | |
| 			if err := pod.updatePod(); err != nil {
 | |
| 				// As above, there's a chance the pod was
 | |
| 				// already removed.
 | |
| 				if errors.Is(err, define.ErrNoSuchPod) {
 | |
| 					removedCtrs[c.ID()] = nil
 | |
| 					return
 | |
| 				}
 | |
| 
 | |
| 				retErr = err
 | |
| 				return
 | |
| 			}
 | |
| 
 | |
| 			infraID := pod.state.InfraContainerID
 | |
| 			if c.ID() == infraID && !opts.RemoveDeps {
 | |
| 				retErr = fmt.Errorf("container %s is the infra container of pod %s and cannot be removed without removing the pod", c.ID(), pod.ID())
 | |
| 				return
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// For pod removal, the container is already locked by the caller
 | |
| 	locked := false
 | |
| 	if !opts.RemovePod {
 | |
| 		c.lock.Lock()
 | |
| 		defer func() {
 | |
| 			if locked {
 | |
| 				c.lock.Unlock()
 | |
| 			}
 | |
| 		}()
 | |
| 		locked = true
 | |
| 	}
 | |
| 
 | |
| 	if !r.valid {
 | |
| 		retErr = define.ErrRuntimeStopped
 | |
| 		return
 | |
| 	}
 | |
| 
 | |
| 	// Update the container to get current state
 | |
| 	if err := c.syncContainer(); err != nil {
 | |
| 		retErr = err
 | |
| 		return
 | |
| 	}
 | |
| 
 | |
| 	serviceForPod := false
 | |
| 	if c.IsService() {
 | |
| 		for _, id := range c.state.Service.Pods {
 | |
| 			depPod, err := c.runtime.LookupPod(id)
 | |
| 			if err != nil {
 | |
| 				if errors.Is(err, define.ErrNoSuchPod) {
 | |
| 					continue
 | |
| 				}
 | |
| 				retErr = err
 | |
| 				return
 | |
| 			}
 | |
| 			if !opts.RemoveDeps {
 | |
| 				retErr = fmt.Errorf("container %s is the service container of pod(s) %s and cannot be removed without removing the pod(s)", c.ID(), strings.Join(c.state.Service.Pods, ","))
 | |
| 				return
 | |
| 			}
 | |
| 			// If we are the service container for the pod we are a
 | |
| 			// member of: we need to remove that pod last, since
 | |
| 			// this container is part of it.
 | |
| 			if pod != nil && pod.ID() == depPod.ID() {
 | |
| 				serviceForPod = true
 | |
| 				continue
 | |
| 			}
 | |
| 			logrus.Infof("Removing pod %s as container %s is its service container", depPod.ID(), c.ID())
 | |
| 			podRemovedCtrs, err := r.RemovePod(ctx, depPod, true, opts.Force, opts.Timeout)
 | |
| 			for ctr, err := range podRemovedCtrs {
 | |
| 				removedCtrs[ctr] = err
 | |
| 			}
 | |
| 			if err != nil && !errors.Is(err, define.ErrNoSuchPod) && !errors.Is(err, define.ErrPodRemoved) {
 | |
| 				removedPods[depPod.ID()] = err
 | |
| 				retErr = fmt.Errorf("error removing container %s dependency pods: %w", c.ID(), err)
 | |
| 				return
 | |
| 			}
 | |
| 			removedPods[depPod.ID()] = nil
 | |
| 		}
 | |
| 	}
 | |
| 	if (serviceForPod || c.config.IsInfra) && !opts.RemovePod {
 | |
| 		// We're going to remove the pod we are a part of.
 | |
| 		// This will get rid of us as well, so we can just return
 | |
| 		// immediately after.
 | |
| 		if locked {
 | |
| 			locked = false
 | |
| 			c.lock.Unlock()
 | |
| 		}
 | |
| 
 | |
| 		logrus.Infof("Removing pod %s (dependency of container %s)", pod.ID(), c.ID())
 | |
| 		podRemovedCtrs, err := r.removePod(ctx, pod, true, opts.Force, opts.Timeout)
 | |
| 		for ctr, err := range podRemovedCtrs {
 | |
| 			removedCtrs[ctr] = err
 | |
| 		}
 | |
| 		if err != nil && !errors.Is(err, define.ErrNoSuchPod) && !errors.Is(err, define.ErrPodRemoved) {
 | |
| 			removedPods[pod.ID()] = err
 | |
| 			retErr = fmt.Errorf("error removing container %s pod: %w", c.ID(), err)
 | |
| 			return
 | |
| 		}
 | |
| 		removedPods[pod.ID()] = nil
 | |
| 		return
 | |
| 	}
 | |
| 
 | |
| 	// If we're not force-removing, we need to check if we're in a good
 | |
| 	// state to remove.
 | |
| 	if !opts.Force {
 | |
| 		if err := c.checkReadyForRemoval(); err != nil {
 | |
| 			retErr = err
 | |
| 			return
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if c.state.State == define.ContainerStatePaused {
 | |
| 		isV2, err := cgroups.IsCgroup2UnifiedMode()
 | |
| 		if err != nil {
 | |
| 			retErr = err
 | |
| 			return
 | |
| 		}
 | |
| 		// cgroups v1 and v2 handle signals on paused processes differently
 | |
| 		if !isV2 {
 | |
| 			if err := c.unpause(); err != nil {
 | |
| 				retErr = err
 | |
| 				return
 | |
| 			}
 | |
| 		}
 | |
| 		if err := c.ociRuntime.KillContainer(c, 9, false); err != nil {
 | |
| 			retErr = err
 | |
| 			return
 | |
| 		}
 | |
| 		// Need to update container state to make sure we know it's stopped
 | |
| 		if err := c.waitForExitFileAndSync(); err != nil {
 | |
| 			retErr = err
 | |
| 			return
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Check that no other containers depend on the container.
 | |
| 	// Only used if not removing a pod - pods guarantee that all
 | |
| 	// deps will be evicted at the same time.
 | |
| 	if !opts.IgnoreDeps {
 | |
| 		deps, err := r.state.ContainerInUse(c)
 | |
| 		if err != nil {
 | |
| 			retErr = err
 | |
| 			return
 | |
| 		}
 | |
| 		if !opts.RemoveDeps {
 | |
| 			if len(deps) != 0 {
 | |
| 				depsStr := strings.Join(deps, ", ")
 | |
| 				retErr = fmt.Errorf("container %s has dependent containers which must be removed before it: %s: %w", c.ID(), depsStr, define.ErrCtrExists)
 | |
| 				return
 | |
| 			}
 | |
| 		}
 | |
| 		for _, depCtr := range deps {
 | |
| 			dep, err := r.GetContainer(depCtr)
 | |
| 			if err != nil {
 | |
| 				retErr = err
 | |
| 				return
 | |
| 			}
 | |
| 			logrus.Infof("Removing container %s (dependency of container %s)", dep.ID(), c.ID())
 | |
| 			recursiveOpts := ctrRmOpts{
 | |
| 				Force:        opts.Force,
 | |
| 				RemoveVolume: opts.RemoveVolume,
 | |
| 				RemoveDeps:   true,
 | |
| 				NoLockPod:    true,
 | |
| 				Timeout:      opts.Timeout,
 | |
| 			}
 | |
| 			ctrs, pods, err := r.removeContainer(ctx, dep, recursiveOpts)
 | |
| 			for rmCtr, err := range ctrs {
 | |
| 				if errors.Is(err, define.ErrNoSuchCtr) || errors.Is(err, define.ErrCtrRemoved) {
 | |
| 					removedCtrs[rmCtr] = nil
 | |
| 				} else {
 | |
| 					removedCtrs[rmCtr] = err
 | |
| 				}
 | |
| 			}
 | |
| 			for rmPod, err := range pods {
 | |
| 				removedPods[rmPod] = err
 | |
| 			}
 | |
| 			if err != nil && !errors.Is(err, define.ErrNoSuchCtr) && !errors.Is(err, define.ErrCtrRemoved) {
 | |
| 				retErr = err
 | |
| 				return
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Check that the container's in a good state to be removed.
 | |
| 	if c.ensureState(define.ContainerStateRunning, define.ContainerStateStopping) {
 | |
| 		time := c.StopTimeout()
 | |
| 		if opts.Timeout != nil {
 | |
| 			time = *opts.Timeout
 | |
| 		}
 | |
| 		// Ignore ErrConmonDead - we couldn't retrieve the container's
 | |
| 		// exit code properly, but it's still stopped.
 | |
| 		if err := c.stop(time); err != nil && !errors.Is(err, define.ErrConmonDead) {
 | |
| 			retErr = fmt.Errorf("cannot remove container %s as it could not be stopped: %w", c.ID(), err)
 | |
| 			return
 | |
| 		}
 | |
| 
 | |
| 		// We unlocked as part of stop() above - there's a chance someone
 | |
| 		// else got in and removed the container before we reacquired the
 | |
| 		// lock.
 | |
| 		// Do a quick ping of the database to check if the container
 | |
| 		// still exists.
 | |
| 		if ok, _ := r.state.HasContainer(c.ID()); !ok {
 | |
| 			// When the container has already been removed, the OCI runtime directory remains.
 | |
| 			if err := c.cleanupRuntime(ctx); err != nil {
 | |
| 				retErr = fmt.Errorf("cleaning up container %s from OCI runtime: %w", c.ID(), err)
 | |
| 				return
 | |
| 			}
 | |
| 			// Do not add to removed containers, someone else
 | |
| 			// removed it.
 | |
| 			return
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	reportErrorf := func(msg string, args ...any) {
 | |
| 		err := fmt.Errorf(msg, args...) // Always use fmt.Errorf instead of just logrus.Errorf(…) because the format string probably contains %w
 | |
| 		if retErr == nil {
 | |
| 			retErr = err
 | |
| 		} else {
 | |
| 			logrus.Errorf("%s", err.Error())
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Clean up network namespace, cgroups, mounts.
 | |
| 	// Do this before we set ContainerStateRemoving, to ensure that we can
 | |
| 	// actually remove from the OCI runtime.
 | |
| 	if err := c.cleanup(ctx); err != nil {
 | |
| 		reportErrorf("cleaning up container %s: %w", c.ID(), err)
 | |
| 	}
 | |
| 
 | |
| 	// Remove all active exec sessions
 | |
| 	// removing the exec sessions might temporarily unlock the container's lock.  Using it
 | |
| 	// after setting the state to ContainerStateRemoving will prevent that the container is
 | |
| 	// restarted
 | |
| 	if err := c.removeAllExecSessions(); err != nil {
 | |
| 		reportErrorf("removing exec sessions: %w", err)
 | |
| 	}
 | |
| 
 | |
| 	// Set ContainerStateRemoving as an intermediate state (we may get
 | |
| 	// killed at any time) and save the container.
 | |
| 	c.state.State = define.ContainerStateRemoving
 | |
| 
 | |
| 	if err := c.save(); err != nil {
 | |
| 		if !errors.Is(err, define.ErrCtrRemoved) {
 | |
| 			reportErrorf("saving container: %w", err)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Stop the container's storage
 | |
| 	if err := c.teardownStorage(); err != nil {
 | |
| 		reportErrorf("cleaning up storage: %w", err)
 | |
| 	}
 | |
| 
 | |
| 	// Remove the container from the state
 | |
| 	if c.config.Pod != "" {
 | |
| 		// If we're removing the pod, the container will be evicted
 | |
| 		// from the state elsewhere
 | |
| 		if err := r.state.RemoveContainerFromPod(pod, c); err != nil {
 | |
| 			reportErrorf("removing container %s from database: %w", c.ID(), err)
 | |
| 		}
 | |
| 	} else {
 | |
| 		if err := r.state.RemoveContainer(c); err != nil {
 | |
| 			reportErrorf("removing container %s from database: %w", c.ID(), err)
 | |
| 		}
 | |
| 	}
 | |
| 	removedCtrs[c.ID()] = nil
 | |
| 
 | |
| 	// Remove the container's CID file on container removal.
 | |
| 	if cidFile, ok := c.config.Spec.Annotations[define.InspectAnnotationCIDFile]; ok {
 | |
| 		if err := os.Remove(cidFile); err != nil && !errors.Is(err, os.ErrNotExist) {
 | |
| 			reportErrorf("cleaning up CID file: %w", err)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Deallocate the container's lock
 | |
| 	if err := c.lock.Free(); err != nil && !errors.Is(err, fs.ErrNotExist) {
 | |
| 		reportErrorf("freeing lock for container %s: %w", c.ID(), err)
 | |
| 	}
 | |
| 
 | |
| 	// Set container as invalid so it can no longer be used
 | |
| 	c.valid = false
 | |
| 
 | |
| 	c.newContainerEvent(events.Remove)
 | |
| 
 | |
| 	if !opts.RemoveVolume {
 | |
| 		return
 | |
| 	}
 | |
| 
 | |
| 	for _, v := range c.config.NamedVolumes {
 | |
| 		if volume, err := runtime.state.Volume(v.Name); err == nil {
 | |
| 			if !volume.Anonymous() {
 | |
| 				continue
 | |
| 			}
 | |
| 			if err := runtime.removeVolume(ctx, volume, false, opts.Timeout, false); err != nil && !errors.Is(err, define.ErrNoSuchVolume) {
 | |
| 				if errors.Is(err, define.ErrVolumeBeingUsed) {
 | |
| 					// Ignore error, since podman will report original error
 | |
| 					volumesFrom, _ := c.volumesFrom()
 | |
| 					if len(volumesFrom) > 0 {
 | |
| 						logrus.Debugf("Cleaning up volume not possible since volume is in use (%s)", v.Name)
 | |
| 						continue
 | |
| 					}
 | |
| 				}
 | |
| 				logrus.Errorf("Cleaning up volume (%s): %v", v.Name, err)
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	//nolint:nakedret
 | |
| 	return
 | |
| }
 | |
| 
 | |
| // EvictContainer removes the given container partial or full ID or name, and
 | |
| // returns the full ID of the evicted container and any error encountered.
 | |
| // It should be used to remove a container when obtaining a Container struct
 | |
| // pointer has failed.
 | |
| // Running container will not be stopped.
 | |
| // If removeVolume is specified, named volumes used by the container will
 | |
| // be removed also if and only if the container is the sole user.
 | |
| func (r *Runtime) EvictContainer(ctx context.Context, idOrName string, removeVolume bool) (string, error) {
 | |
| 	return r.evictContainer(ctx, idOrName, removeVolume)
 | |
| }
 | |
| 
 | |
| // evictContainer is the internal function to handle container eviction based
 | |
| // on its partial or full ID or name.
 | |
| // It returns the full ID of the evicted container and any error encountered.
 | |
| // This does not lock the runtime nor the container.
 | |
| // removePod is used only when removing pods. It instructs Podman to ignore
 | |
| // infra container protections, and *not* remove from the database (as pod
 | |
| // remove will handle that).
 | |
| func (r *Runtime) evictContainer(ctx context.Context, idOrName string, removeVolume bool) (string, error) {
 | |
| 	var err error
 | |
| 	var timeout *uint
 | |
| 
 | |
| 	if !r.valid {
 | |
| 		return "", define.ErrRuntimeStopped
 | |
| 	}
 | |
| 
 | |
| 	id, err := r.state.LookupContainerID(idOrName)
 | |
| 	if err != nil {
 | |
| 		return "", err
 | |
| 	}
 | |
| 
 | |
| 	// Begin by trying a normal removal. Valid containers will be removed normally.
 | |
| 	tmpCtr, err := r.state.Container(id)
 | |
| 	if err == nil {
 | |
| 		logrus.Infof("Container %s successfully retrieved from state, attempting normal removal", id)
 | |
| 		// Assume force = true for the evict case
 | |
| 		opts := ctrRmOpts{
 | |
| 			Force:        true,
 | |
| 			RemoveVolume: removeVolume,
 | |
| 			Timeout:      timeout,
 | |
| 		}
 | |
| 		_, _, err = r.removeContainer(ctx, tmpCtr, opts)
 | |
| 		if !tmpCtr.valid {
 | |
| 			// If the container is marked invalid, remove succeeded
 | |
| 			// in kicking it out of the state - no need to continue.
 | |
| 			return id, err
 | |
| 		}
 | |
| 
 | |
| 		if err == nil {
 | |
| 			// Something has gone seriously wrong - no error but
 | |
| 			// container was not removed.
 | |
| 			logrus.Errorf("Container %s not removed with no error", id)
 | |
| 		} else {
 | |
| 			logrus.Warnf("Failed to removal container %s normally, proceeding with evict: %v", id, err)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Error out if the container does not exist in libpod
 | |
| 	exists, err := r.state.HasContainer(id)
 | |
| 	if err != nil {
 | |
| 		return id, err
 | |
| 	}
 | |
| 	if !exists {
 | |
| 		return id, err
 | |
| 	}
 | |
| 
 | |
| 	// Re-create a container struct for removal purposes
 | |
| 	c := new(Container)
 | |
| 	c.config, err = r.state.GetContainerConfig(id)
 | |
| 	if err != nil {
 | |
| 		return id, fmt.Errorf("failed to retrieve config for ctr ID %q: %w", id, err)
 | |
| 	}
 | |
| 	c.state = new(ContainerState)
 | |
| 
 | |
| 	// We need to lock the pod before we lock the container.
 | |
| 	// To avoid races around removing a container and the pod it is in.
 | |
| 	// Don't need to do this in pod removal case - we're evicting the entire
 | |
| 	// pod.
 | |
| 	var pod *Pod
 | |
| 	if c.config.Pod != "" {
 | |
| 		pod, err = r.state.Pod(c.config.Pod)
 | |
| 		if err != nil {
 | |
| 			return id, fmt.Errorf("container %s is in pod %s, but pod cannot be retrieved: %w", c.ID(), pod.ID(), err)
 | |
| 		}
 | |
| 
 | |
| 		// Lock the pod while we're removing container
 | |
| 		pod.lock.Lock()
 | |
| 		defer pod.lock.Unlock()
 | |
| 		if err := pod.updatePod(); err != nil {
 | |
| 			return id, err
 | |
| 		}
 | |
| 
 | |
| 		infraID, err := pod.infraContainerID()
 | |
| 		if err != nil {
 | |
| 			return "", err
 | |
| 		}
 | |
| 		if c.ID() == infraID {
 | |
| 			return id, fmt.Errorf("container %s is the infra container of pod %s and cannot be removed without removing the pod", c.ID(), pod.ID())
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if c.IsService() {
 | |
| 		report, err := c.canStopServiceContainer()
 | |
| 		if err != nil {
 | |
| 			return id, err
 | |
| 		}
 | |
| 		if !report.canBeStopped {
 | |
| 			return id, fmt.Errorf("container %s is the service container of pod(s) %s and cannot be removed without removing the pod(s)", c.ID(), strings.Join(c.state.Service.Pods, ","))
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	var cleanupErr error
 | |
| 	// Remove the container from the state
 | |
| 	if c.config.Pod != "" {
 | |
| 		// If we're removing the pod, the container will be evicted
 | |
| 		// from the state elsewhere
 | |
| 		if err := r.state.RemoveContainerFromPod(pod, c); err != nil {
 | |
| 			cleanupErr = err
 | |
| 		}
 | |
| 	} else {
 | |
| 		if err := r.state.RemoveContainer(c); err != nil {
 | |
| 			cleanupErr = err
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Unmount container mount points
 | |
| 	for _, mount := range c.config.Mounts {
 | |
| 		Unmount(mount)
 | |
| 	}
 | |
| 
 | |
| 	// Remove container from c/storage
 | |
| 	if err := r.RemoveStorageContainer(id, true); err != nil {
 | |
| 		if cleanupErr == nil {
 | |
| 			cleanupErr = err
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if !removeVolume {
 | |
| 		return id, cleanupErr
 | |
| 	}
 | |
| 
 | |
| 	for _, v := range c.config.NamedVolumes {
 | |
| 		if volume, err := r.state.Volume(v.Name); err == nil {
 | |
| 			if !volume.Anonymous() {
 | |
| 				continue
 | |
| 			}
 | |
| 			if err := r.removeVolume(ctx, volume, false, timeout, false); err != nil && err != define.ErrNoSuchVolume && err != define.ErrVolumeBeingUsed {
 | |
| 				logrus.Errorf("Cleaning up volume (%s): %v", v.Name, err)
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return id, cleanupErr
 | |
| }
 | |
| 
 | |
| // GetContainer retrieves a container by its ID
 | |
| func (r *Runtime) GetContainer(id string) (*Container, error) {
 | |
| 	if !r.valid {
 | |
| 		return nil, define.ErrRuntimeStopped
 | |
| 	}
 | |
| 
 | |
| 	return r.state.Container(id)
 | |
| }
 | |
| 
 | |
| // HasContainer checks if a container with the given ID is present
 | |
| func (r *Runtime) HasContainer(id string) (bool, error) {
 | |
| 	if !r.valid {
 | |
| 		return false, define.ErrRuntimeStopped
 | |
| 	}
 | |
| 
 | |
| 	return r.state.HasContainer(id)
 | |
| }
 | |
| 
 | |
| // LookupContainer looks up a container by its name or a partial ID
 | |
| // If a partial ID is not unique, an error will be returned
 | |
| func (r *Runtime) LookupContainer(idOrName string) (*Container, error) {
 | |
| 	if !r.valid {
 | |
| 		return nil, define.ErrRuntimeStopped
 | |
| 	}
 | |
| 	return r.state.LookupContainer(idOrName)
 | |
| }
 | |
| 
 | |
| // LookupContainerId looks up a container id by its name or a partial ID
 | |
| // If a partial ID is not unique, an error will be returned
 | |
| func (r *Runtime) LookupContainerID(idOrName string) (string, error) {
 | |
| 	if !r.valid {
 | |
| 		return "", define.ErrRuntimeStopped
 | |
| 	}
 | |
| 	return r.state.LookupContainerID(idOrName)
 | |
| }
 | |
| 
 | |
| // GetContainers retrieves all containers from the state.
 | |
| // If `loadState` is set, the containers' state will be loaded as well.
 | |
| // Filters can be provided which will determine what containers are included in
 | |
| // the output. Multiple filters are handled by ANDing their output, so only
 | |
| // containers matching all filters are returned
 | |
| func (r *Runtime) GetContainers(loadState bool, filters ...ContainerFilter) ([]*Container, error) {
 | |
| 	if !r.valid {
 | |
| 		return nil, define.ErrRuntimeStopped
 | |
| 	}
 | |
| 
 | |
| 	ctrs, err := r.state.AllContainers(loadState)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	ctrsFiltered := make([]*Container, 0, len(ctrs))
 | |
| 
 | |
| 	for _, ctr := range ctrs {
 | |
| 		include := true
 | |
| 		for _, filter := range filters {
 | |
| 			include = include && filter(ctr)
 | |
| 		}
 | |
| 
 | |
| 		if include {
 | |
| 			ctrsFiltered = append(ctrsFiltered, ctr)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return ctrsFiltered, nil
 | |
| }
 | |
| 
 | |
| // GetAllContainers is a helper function for GetContainers
 | |
| func (r *Runtime) GetAllContainers() ([]*Container, error) {
 | |
| 	return r.state.AllContainers(false)
 | |
| }
 | |
| 
 | |
| // GetRunningContainers is a helper function for GetContainers
 | |
| func (r *Runtime) GetRunningContainers() ([]*Container, error) {
 | |
| 	running := func(c *Container) bool {
 | |
| 		state, _ := c.State()
 | |
| 		return state == define.ContainerStateRunning
 | |
| 	}
 | |
| 	return r.GetContainers(false, running)
 | |
| }
 | |
| 
 | |
| // GetContainersByList is a helper function for GetContainers
 | |
| // which takes a []string of container IDs or names
 | |
| func (r *Runtime) GetContainersByList(containers []string) ([]*Container, error) {
 | |
| 	ctrs := make([]*Container, 0, len(containers))
 | |
| 	for _, inputContainer := range containers {
 | |
| 		ctr, err := r.LookupContainer(inputContainer)
 | |
| 		if err != nil {
 | |
| 			return ctrs, fmt.Errorf("unable to look up container %s: %w", inputContainer, err)
 | |
| 		}
 | |
| 		ctrs = append(ctrs, ctr)
 | |
| 	}
 | |
| 	return ctrs, nil
 | |
| }
 | |
| 
 | |
| // GetLatestContainer returns a container object of the latest created container.
 | |
| func (r *Runtime) GetLatestContainer() (*Container, error) {
 | |
| 	lastCreatedIndex := -1
 | |
| 	var lastCreatedTime time.Time
 | |
| 	ctrs, err := r.GetAllContainers()
 | |
| 	if err != nil {
 | |
| 		return nil, fmt.Errorf("unable to find latest container: %w", err)
 | |
| 	}
 | |
| 	if len(ctrs) == 0 {
 | |
| 		return nil, define.ErrNoSuchCtr
 | |
| 	}
 | |
| 	for containerIndex, ctr := range ctrs {
 | |
| 		createdTime := ctr.config.CreatedTime
 | |
| 		if createdTime.After(lastCreatedTime) {
 | |
| 			lastCreatedTime = createdTime
 | |
| 			lastCreatedIndex = containerIndex
 | |
| 		}
 | |
| 	}
 | |
| 	return ctrs[lastCreatedIndex], nil
 | |
| }
 | |
| 
 | |
| // GetExecSessionContainer gets the container that a given exec session ID is
 | |
| // attached to.
 | |
| func (r *Runtime) GetExecSessionContainer(id string) (*Container, error) {
 | |
| 	if !r.valid {
 | |
| 		return nil, define.ErrRuntimeStopped
 | |
| 	}
 | |
| 
 | |
| 	ctrID, err := r.state.GetExecSession(id)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	return r.state.Container(ctrID)
 | |
| }
 | |
| 
 | |
| // PruneContainers removes stopped and exited containers from localstorage.  A set of optional filters
 | |
| // can be provided to be more granular.
 | |
| func (r *Runtime) PruneContainers(filterFuncs []ContainerFilter) ([]*reports.PruneReport, error) {
 | |
| 	preports := make([]*reports.PruneReport, 0)
 | |
| 	// We add getting the exited and stopped containers via a filter
 | |
| 	containerStateFilter := func(c *Container) bool {
 | |
| 		if c.PodID() != "" {
 | |
| 			return false
 | |
| 		}
 | |
| 		state, err := c.State()
 | |
| 		if err != nil {
 | |
| 			logrus.Error(err)
 | |
| 			return false
 | |
| 		}
 | |
| 		if state == define.ContainerStateStopped || state == define.ContainerStateExited ||
 | |
| 			state == define.ContainerStateCreated || state == define.ContainerStateConfigured {
 | |
| 			return true
 | |
| 		}
 | |
| 		return false
 | |
| 	}
 | |
| 	filterFuncs = append(filterFuncs, containerStateFilter)
 | |
| 	delContainers, err := r.GetContainers(false, filterFuncs...)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	for _, c := range delContainers {
 | |
| 		report := new(reports.PruneReport)
 | |
| 		report.Id = c.ID()
 | |
| 		report.Err = nil
 | |
| 		report.Size = 0
 | |
| 		size, err := c.RWSize()
 | |
| 		if err != nil {
 | |
| 			report.Err = err
 | |
| 			preports = append(preports, report)
 | |
| 			continue
 | |
| 		}
 | |
| 		var time *uint
 | |
| 		err = r.RemoveContainer(context.Background(), c, false, false, time)
 | |
| 		if err != nil {
 | |
| 			report.Err = err
 | |
| 		} else {
 | |
| 			report.Size = (uint64)(size)
 | |
| 		}
 | |
| 		preports = append(preports, report)
 | |
| 	}
 | |
| 	return preports, nil
 | |
| }
 | |
| 
 | |
| // MountStorageContainer mounts the storage container's root filesystem
 | |
| func (r *Runtime) MountStorageContainer(id string) (string, error) {
 | |
| 	if _, err := r.GetContainer(id); err == nil {
 | |
| 		return "", fmt.Errorf("ctr %s is a libpod container: %w", id, define.ErrCtrExists)
 | |
| 	}
 | |
| 	container, err := r.store.Container(id)
 | |
| 	if err != nil {
 | |
| 		return "", err
 | |
| 	}
 | |
| 	mountPoint, err := r.store.Mount(container.ID, "")
 | |
| 	if err != nil {
 | |
| 		return "", fmt.Errorf("mounting storage for container %s: %w", id, err)
 | |
| 	}
 | |
| 	return mountPoint, nil
 | |
| }
 | |
| 
 | |
| // UnmountStorageContainer unmounts the storage container's root filesystem
 | |
| func (r *Runtime) UnmountStorageContainer(id string, force bool) (bool, error) {
 | |
| 	if _, err := r.GetContainer(id); err == nil {
 | |
| 		return false, fmt.Errorf("ctr %s is a libpod container: %w", id, define.ErrCtrExists)
 | |
| 	}
 | |
| 	container, err := r.store.Container(id)
 | |
| 	if err != nil {
 | |
| 		return false, err
 | |
| 	}
 | |
| 	return r.store.Unmount(container.ID, force)
 | |
| }
 | |
| 
 | |
| // MountedStorageContainer returns whether a storage container is mounted
 | |
| // along with the mount path
 | |
| func (r *Runtime) IsStorageContainerMounted(id string) (bool, string, error) {
 | |
| 	var path string
 | |
| 	if _, err := r.GetContainer(id); err == nil {
 | |
| 		return false, "", fmt.Errorf("ctr %s is a libpod container: %w", id, define.ErrCtrExists)
 | |
| 	}
 | |
| 
 | |
| 	mountCnt, err := r.storageService.MountedContainerImage(id)
 | |
| 	if err != nil {
 | |
| 		return false, "", err
 | |
| 	}
 | |
| 	mounted := mountCnt > 0
 | |
| 	if mounted {
 | |
| 		path, err = r.storageService.GetMountpoint(id)
 | |
| 		if err != nil {
 | |
| 			return false, "", err
 | |
| 		}
 | |
| 	}
 | |
| 	return mounted, path, nil
 | |
| }
 | |
| 
 | |
| // StorageContainers returns a list of containers from containers/storage that
 | |
| // are not currently known to Podman.
 | |
| func (r *Runtime) StorageContainers() ([]storage.Container, error) {
 | |
| 	if r.store == nil {
 | |
| 		return nil, define.ErrStoreNotInitialized
 | |
| 	}
 | |
| 
 | |
| 	storeContainers, err := r.store.Containers()
 | |
| 	if err != nil {
 | |
| 		return nil, fmt.Errorf("reading list of all storage containers: %w", err)
 | |
| 	}
 | |
| 	retCtrs := []storage.Container{}
 | |
| 	for _, container := range storeContainers {
 | |
| 		exists, err := r.state.HasContainer(container.ID)
 | |
| 		if err != nil && err != define.ErrNoSuchCtr {
 | |
| 			return nil, fmt.Errorf("failed to check if %s container exists in database: %w", container.ID, err)
 | |
| 		}
 | |
| 		if exists {
 | |
| 			continue
 | |
| 		}
 | |
| 		retCtrs = append(retCtrs, container)
 | |
| 	}
 | |
| 
 | |
| 	return retCtrs, nil
 | |
| }
 | |
| 
 | |
| func (r *Runtime) IsBuildahContainer(id string) (bool, error) {
 | |
| 	return buildah.IsContainer(id, r.store)
 | |
| }
 |