There are two fields I'm worried about: shared namespaces and pod
containers. Both are generated via loops over maps and are thus
non-deterministic in ordering. Throw a sort on each to fix the
order so we can actually diff `podman pod inspect` output.
Signed-off-by: Matt Heon <mheon@redhat.com>
The code checks for isPathOnVolume and isPathOnMount so we can just use
the SecureJoin here directly to check for path existence.
Then, instead of walking symlinks and trying to guess if they are on a
mount, just assume if it is a link (path is different from the normal
joined one) then don't error out early and let the OCI runtime deal with
it. The runtime does produce a less readable error but it still fails
and we have much less fragile code.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
MkdirAll can fail with EEXIST when the path is a symlink and the target
doesn't exist. As such we should ignore the error.
Note there is something fundamentally wrong here with the path access as
it is following the symlink to the host, however it is only for a
stat() so it is not a security issue here.
Fixes: 637c264e2e ("fix issues found by nilness")
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
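An added example, not Podman's own code, covering the two commit messages above: a root-confined join that follows symlinks inside the container root (a simplified stand-in for the SecureJoin the first commit refers to, written for this example), the "result differs from the plain join, so a symlink is involved" check, and an os.MkdirAll wrapper that tolerates the EEXIST a dangling symlink produces, as the second commit describes. The rootfs layout is constructed in a temp dir and all function names are illustrative.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// buildRootfs populates a constructed container root: a real etc/, a relative
// symlink, an absolute symlink a naive join would resolve on the host, and a dangling one.
func buildRootfs(root string) error {
	err := os.MkdirAll(filepath.Join(root, "etc"), 0o755)
	if err == nil {
		err = os.WriteFile(filepath.Join(root, "etc/hostname"), []byte("ctr\n"), 0o644)
	}
	for name, target := range map[string]string{"link": "etc", "escape": "/etc", "dangling": "nope/dir"} {
		if err == nil {
			err = os.Symlink(target, filepath.Join(root, name))
		}
	}
	return err
}

// secureJoin resolves unsafePath inside root, following symlinks one component at a
// time, re-rooting absolute targets at root and clamping ".." there; missing components
// are kept lexically. A simplified stand-in for the SecureJoin the commit refers to.
func secureJoin(root, unsafePath string) (string, error) {
	resolved, links := "/", 0 // resolved is the virtual path inside root
	comps := strings.Split(path.Clean("/"+unsafePath), "/")
	for i := 0; i < len(comps); i++ {
		c := comps[i]
		if c == "" {
			continue
		}
		if c == ".." {
			resolved = path.Dir(resolved) // path.Dir("/") is "/", so this cannot climb out
			continue
		}
		candidate := path.Join(resolved, c)
		fi, err := os.Lstat(filepath.Join(root, candidate))
		if err != nil && !errors.Is(err, fs.ErrNotExist) {
			return "", err
		}
		if err != nil || fi.Mode()&fs.ModeSymlink == 0 {
			resolved = candidate
			continue
		}
		if links++; links > 255 {
			return "", errors.New("too many levels of symbolic links")
		}
		target, err := os.Readlink(filepath.Join(root, candidate))
		if err != nil {
			return "", err
		}
		if path.IsAbs(target) {
			resolved = "/" // an absolute target means the container root, never the host's
		}
		// Splice the target in front of the remaining components and rescan from there.
		comps = append(strings.Split(path.Clean(target), "/"), comps[i+1:]...)
		i = -1
	}
	return filepath.Join(root, resolved), nil
}

// mkdirAllTolerant wraps os.MkdirAll and tolerates the EEXIST it returns when the last
// component is a symlink whose target does not exist; any other error is passed through.
func mkdirAllTolerant(hostPath string, perm os.FileMode) (danglingLink bool, err error) {
	if err = os.MkdirAll(hostPath, perm); err == nil || !errors.Is(err, fs.ErrExist) {
		return false, err
	}
	fi, lerr := os.Lstat(hostPath)
	if lerr != nil || fi.Mode()&fs.ModeSymlink == 0 {
		return false, err
	}
	return true, nil
}

func main() {
	root, _ := os.MkdirTemp("", "rootfs-")
	defer os.RemoveAll(root)
	if err := buildRootfs(root); err != nil {
		panic(err)
	}
	for _, p := range []string{"link/hostname", "escape/passwd", "../../etc", "dangling"} {
		secure, err := secureJoin(root, p)
		// The commit's rule: a result that differs from the plain join means a link is involved.
		fmt.Printf("%-14s secure=%s link=%v err=%v\n", p, secure, secure != filepath.Join(root, p), err)
	}
	fmt.Println(mkdirAllTolerant(filepath.Join(root, "dangling"), 0o755))
}
```

The `escape -> /etc` link is the case the second commit calls "following the symlink to the host": stat'ing the plain join `root/escape/passwd` reads the host's `/etc/passwd`, while the confined join lands in `root/etc/passwd`. For the dangling link, os.MkdirAll's Stat follows the link and fails, its Mkdir then gets EEXIST because the link itself exists, and its final Lstat sees a symlink rather than a directory, so the EEXIST is returned; the wrapper checks for exactly that shape before ignoring it.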
- Update documentation: Differentiate `unless-stopped` from `always` - containers stopped by the user before a reboot will not restart.
- Add `should-start-on-boot` filter: Identify containers that require a restart after a system reboot.
- Update command documentation: Add `restart-policy` and `label!` filters to the documentation for container commands (rm, ps, start, stop, pause, unpause, restart).
- Add `restart-policy` and `should-start-on-boot` to completions.
- Update service: Update `podman-restart.service` to use the `needs-restart=true` filter.
- Preserve state: Preserve the `StoppedByUser` state across reboots.
- Update API: Add a `ShouldStartOnBoot()` method to the Container API.
- Update documentation: Add descriptions for the `should-start-on-boot` filter.
Fixes: https://issues.redhat.com/browse/RHEL-129405
Fixes: https://github.com/containers/podman/issues/20418
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
By default, systemd sets a limit on how many times a service can start,
which means that if you have a healthcheck that runs more often than the
limit, systemd will refuse to start it with a message like "Start request
repeated too quickly." emitted to the journal.
Signed-off-by: Winter M <winter@antithesis.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This also then bumps github.com/opencontainers/runtime-spec to v1.3.0
which contains breaking changes to the pid type, so we had to update
all the podman callers.
And tags.cncf.io/container-device-interface also used some changed
types from it; they have been updated in main, so bump to the latest
commit there as well in order to get podman to compile properly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Fixes: #26588
For use cases like HPC, where `podman exec` is called in rapid succession, the standard exec process can become a bottleneck due to container locking and database I/O for session tracking.
This commit introduces a new `--no-session` flag to `podman exec`. When used, this flag invokes a new, lightweight backend implementation that:
- Skips container locking, reducing lock contention
- Bypasses the creation, tracking, and removal of exec sessions in the database
- Executes the command directly and retrieves the exit code without persisting session state
- Maintains consistency with regular exec for container lookup, TTY handling, and environment setup
- Shares implementation with health check execution to avoid code duplication
The implementation addresses all performance bottlenecks while preserving compatibility with existing exec functionality including --latest flag support and proper exit code handling.
Changes include:
- Add --no-session flag to cmd/podman/containers/exec.go
- Implement lightweight execution path in libpod/container_exec.go
- Ensure consistent container validation and environment setup
- Add comprehensive exit code testing including signal handling (exit 137)
- Optimize configuration to skip unnecessary exit command setup
Signed-off-by: Ryan McCann <ryan_mccann@student.uml.edu>
Signed-off-by: ryanmccann1024 <ryan_mccann@student.uml.edu>
The old location is deprecated and has even been removed in v0.6.0. I
did this as an extra commit to make cherry-picking easier.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This also includes a number of significant changes to the SQLite
state made possible by removal of the legacy DB.
1. Enable database unit tests for SQLite state, with numerous
tweaks to get tests passing. Most notable changes are to
container removal - where we previously didn't return an error
if there was no container to remove - and RemovePodContainers,
which I don't think ever worked properly from my reading of
the failures.
2. Removal of AddContainerToPod/RemoveContainerToPod. On SQLite,
these functions are identical to AddContainer/RemoveContainer
and there is no reason to retain duplicates.
3. Removal of SafeRewriteContainerConfig - it's identical to
RewriteContainerConfig in SQLite, no reason to have duplicate
entrypoints.
As an exciting side-note, this removes Podman's requirement that
containers and pods cannot share a name, which was a BoltDB
restriction only.
Signed-off-by: Matt Heon <matthew.heon@pm.me>
Tremendous amount of changes in here, but all should amount to
the same thing: changing Go import paths from v5 to v6.
Also bumped go.mod to github.com/containers/podman/v6 and updated
version to v6.0.0-dev.
Signed-off-by: Matt Heon <mheon@redhat.com>
We started logging this in 5.6. In 5.7, we upped it to a warning. The
upcoming 5.8 will up the warnings further to errors.
Required as we're removing BoltDB support in 6.0 next Spring.
Signed-off-by: Matt Heon <matthew.heon@pm.me>
Problem: While removing cgroupsv1 code, I noticed my neovim Go config
automatically changed fileperms to the new octal format and I didn't
want that polluting my diffs.
Decision: I thought it best to switch to the new octal format in a dedicated PR.
Action:
- Cursor switched to new octal format for all fileperm occurrences in Go
source and test files.
- vendor/, docs/ and non-Go files were ignored.
- Reviewed manually.
Ref: https://go.dev/ref/spec#Go_1.13
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Include an explicit container state check. Otherwise the
containers/stats endpoint will return all-zero stats for a stopped
container even when in non-streaming mode, which breaks some consumers
of the API, particularly nomad's podman driver.
Implement the interface by just returning the number of host CPUs. A
bit more sophisticated would be to fetch the jail's cpuset, but it's not
very important for now.
Signed-off-by: Mark Johnston <mark.johnston@klarasystems.com>
Using golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize
+ some manual cleanup in libpod/lock/shm/shm_lock_test.go as it
generated an unused variable
+ restored one removed comment
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The `cleanupExecBundle` function was only meant to be called on a
locked container, as it does some state mutation operations. It
also has a timed wait (if the directory is busy and can't be
removed yet, give it a few milliseconds) in which it deliberately
yields the lock to not block the container for that time.
The `healthCheckExec()` function calls `cleanupExecBundle` out of
a `defer` block. This is after the `defer c.lock.Unlock()` so it
fires afterwards when the function returns, so we're normally
fine - the container is still locked when our defer runs. The
problem is that `healthCheckExec()` also unlocks the container
during the expensive exec operation, and can actually fail and
return while not holding the lock - meaning our `defer` can fire
on an unlocked container, leading to a potential double unlock
in `cleanupExecBundle`.
We could, potentially, re-lock the container after the exec
occurs, but we're actually waiting for a `select` to trigger to
end the function, so that's not a good solution. Instead, just
re-lock (if necessary) in the defer, before invoking
`cleanupExecBundle()`. The `defer c.lock.Unlock()` will fire
right after and unlock after us.
Fixes #26968
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
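The defer ordering the commit above describes, as an added example that is not Podman's code: a constructed lock that panics recoverably on double unlock stands in for the container lock, and two variants of the health-check exec show the pre-fix and post-fix shapes. Type and function names are illustrative.

```go
package main

import (
	"errors"
	"fmt"
)

// trackedLock is a constructed stand-in for the container lock: a double unlock
// panics recoverably (sync.Mutex would abort the process), so the bug is testable.
type trackedLock struct{ held bool }

func (l *trackedLock) Lock() {
	if l.held {
		panic("lock: already held")
	}
	l.held = true
}

func (l *trackedLock) Unlock() {
	if !l.held {
		panic("lock: unlock of unlocked lock")
	}
	l.held = false
}

type container struct {
	lock    trackedLock
	bundles int // exec bundle directories still on disk
}

// cleanupExecBundle expects a locked container; while the bundle directory is busy
// it yields the lock around the wait, which is where an unlocked caller double-unlocks.
func (c *container) cleanupExecBundle(busy bool) {
	if busy {
		c.lock.Unlock() // the real code sleeps a few milliseconds here
		c.lock.Lock()
	}
	c.bundles--
}

// healthCheckExecBuggy has the pre-fix shape: defers run LIFO, so the cleanup defer
// fires before the deferred Unlock and assumes the lock is held, but a failed exec
// returns with the lock already released.
func (c *container) healthCheckExecBuggy(execFails, busy bool) error {
	c.lock.Lock()
	defer c.lock.Unlock()
	defer func() { c.cleanupExecBundle(busy) }()
	c.bundles++
	c.lock.Unlock() // drop the lock for the expensive exec
	if execFails {
		return errors.New("exec failed")
	}
	c.lock.Lock()
	return nil
}

// healthCheckExecFixed re-locks inside the cleanup defer if the exec path left the
// container unlocked; the outer deferred Unlock then fires right after it.
func (c *container) healthCheckExecFixed(execFails, busy bool) error {
	c.lock.Lock()
	locked := true
	defer c.lock.Unlock()
	defer func() {
		if !locked {
			c.lock.Lock()
		}
		c.cleanupExecBundle(busy)
	}()
	c.bundles++
	c.lock.Unlock()
	locked = false
	if execFails {
		return errors.New("exec failed")
	}
	c.lock.Lock()
	locked = true
	return nil
}

// callSafely converts a panic into an error so the buggy variant can be exercised.
func callSafely(fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	return fn()
}

func main() {
	for _, fails := range []bool{false, true} {
		c := &container{}
		err := callSafely(func() error { return c.healthCheckExecBuggy(fails, true) })
		fmt.Printf("buggy execFails=%v: err=%v held=%v bundles=%d\n", fails, err, c.lock.held, c.bundles)
	}
	c := &container{}
	err := callSafely(func() error { return c.healthCheckExecFixed(true, true) })
	fmt.Printf("fixed execFails=true: err=%v held=%v bundles=%d\n", err, c.lock.held, c.bundles)
}
```

The buggy variant is fine when the exec succeeds and only breaks on the failure path, which is why this kind of bug is intermittent; with the fixed variant the failure still surfaces as a normal error, the bundle is cleaned up, and the container ends unlocked.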
At one point, we created multiple jails per container in order to enable
network configuration from outside the container jail. On FreeBSD 14.x
and later this is not necessary and there is only one jail per
container. In this case, return the correct jail name.
Signed-off-by: Mark Johnston <mark.johnston@klarasystems.com>