integration of healthcheck into create and run as well as inspect.
healthcheck enhancements are as follows:
* add the following options to create|run so that non-docker images can
define healthchecks at the container level.
* --healthcheck-command
* --healthcheck-retries
* --healthcheck-interval
* --healthcheck-start-period
* podman create|run --healthcheck-command=none disables healthcheck as
described by an image.
* the healthcheck itself and the healthcheck "history" can now be
observed in podman inspect
* added the wiring for healthcheck history which logs the health history
of the container, the current failed streak attempts, and log entries
for the last five attempts which themselves have start and stop times,
result, and a 500 character truncated (if needed) log of stderr/stdout.
The timings themselves are not implemented in this PR but will be in
future enablement (i.e. next).
Signed-off-by: baude <bbaude@redhat.com>
we were playing safe and not allowed any container to have less than
65536 mappings. There are a couple of reasons to change it:
- it blocked libpod to work in an environment where
newuidmap/newgidmap are not available, or not configured.
- not allowed to use different partitions of subuids, where each user
has less than 65536 ids available.
Hopefully this change in containers/storage:
https://github.com/containers/storage/pull/303
will make error clearers if there are not enough IDs for the image
that is being used.
Closes: https://github.com/containers/libpod/issues/1651
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
join the user namespace where the pod is running, so that we can both
manage the storage and correctly send the kill signal to a process
which is not running as root in the namespace.
Closes: https://github.com/containers/libpod/issues/2577
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
let the process running as euid != 0 pass down an argument to the
process running in the user namespace. This will be useful for
commands like rm -a that needs to join different namespaces, so that
we can re-exec separately for each of them.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Trying to remove circular dependencies between libpod and buildah.
First step to move pkg content from libpod to buildah.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
this is the final enablement for the pod subcommand. it includes the
ability to run podman-remote pod top and stats.
Signed-off-by: baude <bbaude@redhat.com>
Add the ability to manually run a container's healthcheck command.
This is only the first phase of implementing the healthcheck.
Subsequent pull requests will deal with the exposing the results and
history of healthchecks as well as the scheduling.
Signed-off-by: baude <bbaude@redhat.com>
from the clone man page:
On the cris and s390 architectures, the order of the first two
arguments is reversed:
long clone(void *child_stack, unsigned long flags,
int *ptid, int *ctid,
unsigned long newtls);
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1672714
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The Golang standard library implementation of RFC3339Nano will
trim trailing 0s from the nanoseconds portion of timestamps. This
is undesirable for lining everything up nicely during terminal
output. As the Golang developers have not seen fit to give us a
better way, use the one that was proposed on the issue tracker
but rejected.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
When we log time timestamps, don't print a new timestamp for each
input - instead, print one at the start of every line, and then
wait until we hit a newline to print a new timestamp.
This still doesn't exactly mirror the Docker behavior (they don't
print until they receive an entire line, while we print any time
the logs file is appended to - so you can see partial lines being
typed in our system). Also, timestamps are recorded as the start
of a line being typed, as opposed to when the enter key is
pressed (on Docker).
(Worth noting that, while characters are printed as they are
typed, logs does respect the backspace key - so you'll also see
them disappear as the person typing realizes they've made a
mistake and retypes their command).
This is the closest we can get to Docker without major surgery on
the Kubernetes log-printing library, so I'm content to call this
an adequate solution.
Signed-off-by: Matthew Heon <mheon@redhat.com>
When writing logs with timestamps to the terminal, ensure that
each line is newline-terminated, so we don't end up with an
unreadable mess with timestamps interspersed with the actual
content being displayed.
Signed-off-by: Matthew Heon <mheon@redhat.com>
* Clean up adapter code
* Add GetContainersByContext to Varlink API
* Add missing comments
* Restore save command
* Restore error type mapping when using varlink
Signed-off-by: Jhon Honce <jhonce@redhat.com>
if any of the mapping tools for setting up the user namespace fail,
then include their output in the error message.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
When using a user namespace, we create the mount point under
`mountPrefix` so that the uid != 0 can access that directory.
Change the addFIPSModeSecret code to honor that, and also ensure we
are creating the directories with the right ownership.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
No reason to do it in util/ anymore. It's always going to be a
subdirectory of c/storage graph root by default, so we can just
set it after the return.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
There are some cases where we might not be properly adjusting the
volume path after setting the storage graph root. Ensure that we
always set volume path to be a child of graph root.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
If user specifies network namespace and the /etc/netns/XXX/resolv.conf
exists, we should use this rather then /etc/resolv.conf
Also fail cleaner if the user specifies an invalid Network Namespace.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
when joining an existing namespace, we were not maintaining the
current working directory, causing commands like export -o to fail
when they weren't referring to absolute paths.
Closes: https://github.com/containers/libpod/issues/2381
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
the remote-client is currently weak for carrying error messages
over the varlink interface and displaying something useful to users
and developers for the purposes of debug. this is a starting point
to improve that user experience.
Signed-off-by: baude <bbaude@redhat.com>
enable the remote client to be able to inspect a pod. also, bonus of
enabling the podman pod exists command which returns a 0 or 1 depending
on whether the given pod exists.
Signed-off-by: baude <bbaude@redhat.com>
