Giuseppe Scrivano giuseppe Red Hat https://www.scrivano.org Software engineer at Red Hat Inc.

containers/libpod 4800

libpod is a library used to create container pods. Home of Podman.

containers/buildah 3060

A tool that facilitates building OCI images

cri-o/cri-o 2505

Open Container Initiative-based implementation of Kubernetes Container Runtime Interface

containers/skopeo 2311

Work with remote images registries - retrieving information, images, signing content

containers/crun 465

A fast and lightweight fully featured OCI runtime and C library for running containers

containers/toolbox 389

Unprivileged development environment

containers/fuse-overlayfs 151

FUSE implementation for overlayfs

containers/conmon 125

An OCI container runtime monitor.

containers/libocispec 23

a C library for accessing OCI runtime and image spec files

issue comment opencontainers/runtime-spec

Prepare / Tag v1.0.3 (or v1.1.0) release

And yeah, #1040 should definitely wait -- I don't want to rush adding more logic to cgroup configuration until we're sure it makes sense.

I'd prefer if it doesn't have to wait much longer; without #1040 the cgroup v2 support is limited to the same features present in cgroup v1.

thaJeztah

comment created time in 42 minutes

pull request comment cri-o/cri-o

contrib, cgroup v2: use kubernetes master

/test e2e_cgroupv2

giuseppe

comment created time in an hour

pull request comment containers/crun

Add crun.1 file to dist tar ball

I agree it is painful to require go just to generate the man page. That is why I suggest we add it to the git repo. It will significantly simplify the nix builder as well.

kloczek

comment created time in 2 hours

pull request comment containers/crun

Add crun.1 file to dist tar ball

with your patch, if I try to build without go-md2man now I get:

make[2]: *** No rule to make target 'crun.1', needed by 'all-am'.  Stop.

kloczek

comment created time in 2 hours

pull request comment containers/crun

Add crun.1 file to dist tar ball

but how will the crun.1 file be generated without go-md2man?

It is currently guarded with if HAVE_MD2MAN and you'd like to move it outside of this block?

kloczek

comment created time in 2 hours

issue comment containers/crun

0.14: test suite is failing

[tkloczko@barrel crun-0.14]$ ldd tests/init
	linux-vdso.so.1 (0x00007ffcb96c3000)
	libc.so.6 => /lib64/libc.so.6 (0x00007ff9d2c13000)
	/lib64/ld-linux-x86-64.so.2 (0x00007ff9d2e1c000)

the issue you are seeing then is caused by the init binary not being built statically.

What do you see if you do rm -f tests/init && make V=1 tests/init ?

kloczek

comment created time in 2 hours

push event giuseppe/cri-o

Giuseppe Scrivano

commit sha 047c8eafdf1dea52b16fc148f4fcbb97b3296896

server, root: unset XDG_RUNTIME_DIR, DBUS_SESSION_BUS_ADDRESS

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Giuseppe Scrivano

commit sha 1dbd7530b25de3698636e33f51baa1b1ed3f1d75

contrib, e2e: force systemd system session

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

push time in 2 hours

pull request comment containers/buildah

Allow "readonly" as alias to "ro" in mount options

bors retry

mariushoch

comment created time in 3 hours

pull request comment cri-o/cri-o

contrib, cgroup v2: use kubernetes master

/test e2e_cgroupv2

giuseppe

comment created time in 3 hours

push event giuseppe/cri-o

Giuseppe Scrivano

commit sha fda0167226f04eefe9c4b84dd5fbe52eba184608

server, root: unset XDG_RUNTIME_DIR, DBUS_SESSION_BUS_ADDRESS

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

push time in 4 hours

push event giuseppe/cri-o

Giuseppe Scrivano

commit sha d08e7fa77165673f9af9505b9b49cb103ad3227a

crun: update to 0.14

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Giuseppe Scrivano

commit sha b7ab9fb09dceaaae1ce1b92880c42ee48cb43a4c

pods.bats: force usage of the system bus

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Giuseppe Scrivano

commit sha d801a4ca2442a9bcacceeee8ccab087a2b6a1dcc

contrib, cgroup v2: use kubernetes master

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Giuseppe Scrivano

commit sha 68a7d49d617197f3877afa82a71c94ce244468a1

contrib, e2e: force systemd system session

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

push time in 4 hours

pull request comment cri-o/cri-o

contrib, cgroup v2: use kubernetes master

/test e2e_fedora

giuseppe

comment created time in 4 hours

push event giuseppe/cri-o

Giuseppe Scrivano

commit sha 63785f8729ec93f9f34d6a2b152089714cb10dbd

contrib, cgroup v2: use kubernetes master

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

push time in 4 hours

push event giuseppe/cri-o

Giuseppe Scrivano

commit sha ee811b4741db68468e303ac3db78c1609a373dd5

contrib, cgroup v2: use kubernetes master

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

push time in 4 hours

push event giuseppe/cri-o

Anders F Björklund

commit sha 6b6a604e26aa55ce0e9e3e3eb5a6e0418cab0d9e

Restore version output from crio --version

The version was missing from the first output line, ldd warnings were printed and the link information was missing (due to reusing the $LDFLAGS variable). This broke compatibility with earlier crio versions.

Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
(cherry picked from commit 9bb2344363242637cff0ecb0926cbbdf0d60e6ef)

Fabiano Fidêncio

commit sha 56140296bba5cbb4e215b33dfe66086926bd7be7

sandbox_run_linux: Use libconfig alias

Let's use the "libconfig" alias when importing "github.com/cri-o/cri-o/pkg/config", as in the near future other parts of the code can take advantage of this.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Fabiano Fidêncio

commit sha bb54e152e342e1080e40dc0e795d3fd28d762bcb

runtime_vm: Apply the correct label before the sandbox is created

Although the current code does apply the correct label, it does it too late, after the Sandbox has been created and the processes are already running. Let's move this logic to runPodSandbox() and ensure the correct label will be applied before newSandbox() is called on kata side.

It's important to note that although leaving the code as it is now - applying the correct label to processes inside the VM - doesn't cause any harm, it doesn't bring any benefit either, as kata doesn't apply any process label to containers within the VM.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

OpenShift Merge Robot

commit sha 904ce0f1a13875afaf8db729d0be6dc773c5bed6

Merge pull request #3889 from fidencio/wip/kata-selinux

runtime_vm: Apply the correct label before the sandbox is created

Fabiano Fidêncio

commit sha 23193ea43643053d4b118daccd2d8c0e336f455b

Add runtime_type as an option of "--runtimes"

Let's add a new field to the "--runtimes" option, allowing consumers of the cli to also define the type of the runtime. This is particularly useful to ease testing of the "vm" runtime, used by kata-containers.

Mind that this PR does *not* break the command-line backwards compatibility as we do not mandate 4 fields to be defined, but in case a 4th field is defined, it'll be treated as the runtime_type.

Related: #3877
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

OpenShift Merge Robot

commit sha 6b5c69f9e1a9740dce864af27c05524da6faee94

Merge pull request #3903 from fidencio/wip/pass-runtime-type-to-the-runtimes-option

Add runtime_type as an option of "--runtimes"

Peter Hunt

commit sha 83ec8f8ed6ab422fa8acce1b20ce67c8865074af

test: bump go version to 1.14

Signed-off-by: Peter Hunt <pehunt@redhat.com>

OpenShift Merge Robot

commit sha 518e14790a996568d02fbd8dfde676af812e59c4

Merge pull request #3905 from haircommander/bump-go-1.14.4

test: bump go version to 1.14.4

OpenShift Merge Robot

commit sha d0dc0d3076367f6a26c46fb6e72d1e582b552599

Merge pull request #3886 from afbjorklund/crio-version-master

Restore version output from crio --version

Giuseppe Scrivano

commit sha e0bae6bcf6ad2512d6244b088cdcaee44373a086

pods.bats: force usage of the system bus

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Giuseppe Scrivano

commit sha 7be0a2715f22c085b17f786dad04616af8271958

crun: update to current master

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Giuseppe Scrivano

commit sha 11cca00992226aa3912414b6be038b9a71f55d45

contrib, cgroup v2: use kubernetes master

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

push time in 4 hours

pull request comment cri-o/cri-o

runtime_vm: Ignore ttrpc.ErrClosed when shutting the container down

/retest

LGTM

fidencio

comment created time in 5 hours

issue comment containers/crun

0.14: test suite is failing

and I see also an issue with /init not being static.

What is the output for ldd tests/init ?

kloczek

comment created time in 8 hours

issue comment containers/crun

0.14: test suite is failing

thanks for the report. These tests require a newer kernel, we should skip them on older systems.

They require 5.3+. What kernel are you using?

kloczek

comment created time in 8 hours

pull request comment containers/crun

Add crun.1 file to dist tar ball

I am fine with the change, just should we add crun.1 to the git repo as well?

Otherwise we will break the build for systems where go-md2man is not available

kloczek

comment created time in 8 hours

issue comment opencontainers/runc

api, cgroupv2: skip setting the devices cgroup

the devices cgroup is not used at all by Kubernetes: https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/cm/container_manager_linux.go#L378-L385

Since the cost of running such eBPF program is close to 0, I am fine if the underlying issue is addressed instead of offering a different API.

giuseppe

comment created time in 9 hours

Pull request review comment containers/libpod

Set engine env from common config

 func persistentPreRunE(cmd *cobra.Command, args []string) error { 		return err 	} +	for _, env := range cfg.Engine.Env {+		splitEnv := strings.SplitN(env, "=", 2)+		if len(splitEnv) != 2 {+			return fmt.Errorf("invalid environment variable for engine %s, valid configuration is KEY=value pair", env)+		}+		if err := os.Setenv(splitEnv[0], splitEnv[0]); err != nil {
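
Review bot: the second argument to os.Setenv should be splitEnv[1]; as written, `os.Setenv(splitEnv[0], splitEnv[0])` sets every engine variable to its own name, so the value configured in cfg.Engine.Env is never applied. The `len(splitEnv) != 2` check also accepts an entry with an empty key ("=value"); rejecting `splitEnv[0] == ""` in the same branch would give the user the KEY=value error the message already promises instead of whatever os.Setenv returns.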

should this be os.Setenv(splitEnv[0], splitEnv[1]) ?

QiWang19

comment created time in 20 hours

push event giuseppe/buildah

TomSweeneyRedHat

commit sha 0abc9ac97bfb6fcbccf9e2bf53641f904bca85eb

Bump openshift/imagebuilder to v1.1.6

As the title says.

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>

Daniel J Walsh

commit sha 2f04b7d7f700f8cfd1ce923ab81e899343a00c5b

Merge pull request #2430 from TomSweeneyRedHat/dev/tsweeney/ib_v1.1.6

Bump openshift/imagebuilder to v1.1.6

Giuseppe Scrivano

commit sha 38edd8e48b1cff7fecef3938e7cc53a03bf78a4e

linux: skip errors from the runtime kill

fix a race condition where the container process could exit before the runtime sends the signal, causing the command to fail.

Part of: https://github.com/containers/crun/issues/422
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

push time in 20 hours

issue comment containers/libpod

After podman 2 upgrade, ssh into rootless container no longer works on Ubuntu 20.04 host

I wasn't aware of the issue as I could have documented it better, but it seems that it is necessary to mount the named hierarchy in the host first:

# mkdir /sys/fs/cgroup/systemd && mount -t cgroup cgroup -o none,name=systemd,xattr /sys/fs/cgroup/systemd

also please enforce the systemd mode with --systemd always unless your init binary is /sbin/init or systemd

If you create a subcgroup like:

# mkdir /sys/fs/cgroup/systemd/1000
# chown 1000:1000 /sys/fs/cgroup/systemd/1000
# echo $ROOTLESS_TERMINAL_PROCESS_PID > /sys/fs/cgroup/systemd/1000/cgroup.procs

you'll be able to use the feature also as rootless (user 1000 assumed in my example above).

markstos

comment created time in 20 hours

created tag containers/crun

tag 0.14

A fast and lightweight fully featured OCI runtime and C library for running containers

created time in 21 hours

issue comment containers/libpod

After podman 2 upgrade, ssh into rootless container no longer works on Ubuntu 20.04 host

You need to be root. It is a privileged operation

markstos

comment created time in a day

pull request comment containers/crun

NEWS: tag 0.14

moved part of the fix here: https://github.com/containers/buildah/pull/2434

giuseppe

comment created time in a day

PR opened containers/buildah

linux: skip errors from the runtime kill

fix a race condition where the container process could exit before the runtime sends the signal, causing the command to fail.

Part of: https://github.com/containers/crun/issues/422

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

+2 -7

0 comments

1 changed file

pr created time in a day

push event giuseppe/buildah

Giuseppe Scrivano

commit sha d5410e5ffbde11aab39460a6c776eacdd2b070e0

linux: skip errors from the runtime kill

fix a race condition where the container process could exit before the runtime sends the signal, causing the command to fail.

Part of: https://github.com/containers/crun/issues/422
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

push time in a day

pull request comment containers/crun

NEWS: tag 0.14

@rhatdan I've added another patch :) Please take a look

giuseppe

comment created time in a day

Pull request review comment containers/libpod

Implement --sdnotify cmdline option to control sd-notify behavior

 func WithSystemd() CtrCreateOption { 	} } +// WithSystemd turns on systemd mode in the container

WithSdNotifyMode

goochjj

comment created time in a day

Pull request review comment containers/libpod

Implement --sdnotify cmdline option to control sd-notify behavior

 func (r *ConmonOCIRuntime) configureConmonEnv(runtimeDir string) ([]string, []*o 	env = append(env, fmt.Sprintf("HOME=%s", home))  	extraFiles := make([]*os.File, 0)-	if notify, ok := os.LookupEnv("NOTIFY_SOCKET"); ok {-		env = append(env, fmt.Sprintf("NOTIFY_SOCKET=%s", notify))+	if ctr.config.SdNotifyMode == define.SdNotifyModeContainer {+		if notify, ok := os.LookupEnv("NOTIFY_SOCKET"); ok {+			env = append(env, fmt.Sprintf("NOTIFY_SOCKET=%s", notify))

who will ensure the notify socket is accessible inside of the container?

goochjj

comment created time in a day

Pull request review comment containers/conmon

Refactor I/O and add SD_NOTIFY proxy support

 int main(int argc, char *argv[]) 		exit(0); 	} +	char *notify_socket_path = getenv("NOTIFY_SOCKET");+	if (notify_socket_path != NULL) {+		setup_notify_socket(notify_socket_path);+		int r = unsetenv("NOTIFY_SOCKET");

how would --sdnotify none work if we always unset NOTIFY_SOCKET?

And who will set the bind mount inside the container when we won't pass NOTIFY_SOCKET to the OCI runtime?

goochjj

comment created time in a day

issue comment containers/libpod

podman run MIGHT not be using the right credentials

To the build error:

ERRO[0000] systemd cgroup flag passed, but systemd support for managing cgroups is not available systemd cgroup flag passed, but systemd support for managing cgroups is not available

Circling back to @giuseppe for this one.

try with --cgroup-manager=cgroupfs. Looks like there is no systemd available but the default is still to use it.

x80486

comment created time in a day

issue comment containers/libpod

podman run with pod and uidmap: mount mqueue not permitted

@giuseppe Wow - the kernel is allowing that now?

I am using a dirty trick of creating the mount before creating the user namespace and then I mount it once I am in the user+mount namespace :-)

matpen

comment created time in a day

push event giuseppe/crun

Giuseppe Scrivano

commit sha 519fda86b2f42c0ead1359506604a09cab694074

linux: raise error if the pid cannot be found

revert part of c06821d7024cdab1e52728252cc2dedfce2002ba

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Giuseppe Scrivano

commit sha ebc56fc9bcce4b3208bb0079636c80545122bf58

NEWS: tag 0.14

Closes: https://github.com/containers/crun/issues/398
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

push time in a day

create branch giuseppe/buildah

branch : no-kill-error

created branch time in a day

issue comment containers/libpod

podman run with pod and uidmap: mount mqueue not permitted

crun 0.14 will permit doing it but it requires Linux 5.3+: https://github.com/containers/crun/pull/400

matpen

comment created time in a day

pull request comment containers/crun

status: do not fail delete if the process exited

this introduces a regression with containerd, I'll need to fix it

giuseppe

comment created time in a day

pull request comment containers/crun

NEWS: tag 0.14

@edsantiago are you fine with releasing a new version of crun or should I hold it?

giuseppe

comment created time in a day

issue comment containers/fuse-overlayfs

[Errno 2] No such file or directory after some unknown steps

I am running it in a loop and I've not encountered the issue even once with the current fuse-overlayfs master.

alxchk

comment created time in a day

pull request comment containers/crun

NEWS: tag 0.14

rebased on top of master

giuseppe

comment created time in a day

push event giuseppe/crun

Giuseppe Scrivano

commit sha c06821d7024cdab1e52728252cc2dedfce2002ba

status: do not fail delete if the process exited

fix some race conditions where crun would fail if the process already exited.

Closes: https://github.com/containers/crun/issues/422
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Daniel J Walsh

commit sha fe644cafa3f684d1c978e8ec1414219edc975250

Merge pull request #423 from giuseppe/dont-fail-delete-on-exited-container

status: do not fail delete if the process exited

Giuseppe Scrivano

commit sha 898a700be388735238bbf12b4ec2b4b0fdce7869

NEWS: tag 0.14

Closes: https://github.com/containers/crun/issues/398
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

push time in a day

pull request comment containers/crun

NEWS: tag 0.14

Does crun --version report the right information?

yes we take that information at build time from the git version, and include it also in the released tarballs:

$ release-0.14/crun-0.14-static-x86_64 --version
crun version 0.14
commit: 58bf81a59d3233eb4957fda36917f9c76bbc5b11
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL

giuseppe

comment created time in a day

create branch giuseppe/kubernetes

branch : fix-update-vendor-licenses

created branch time in a day

issue comment containers/fuse-overlayfs

[Errno 2] No such file or directory after some unknown steps

not sure there is any fix for this issue since 1.1.0.

Do you have a reproducer? Same steps as above?

alxchk

comment created time in a day

issue comment containers/crun

podman build: error opening file `.../cgroup.freeze`: No such device

PR here: https://github.com/containers/crun/pull/423

edsantiago

comment created time in a day

pull request comment containers/crun

NEWS: tag 0.14

blocked again on: https://github.com/containers/crun/pull/423

giuseppe

comment created time in a day

PR opened containers/crun

status: do not fail delete if the process exited

fix some race conditions where crun would fail if the process already exited.

Closes: https://github.com/containers/crun/issues/422

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

+25 -9

0 comments

3 changed files

pr created time in a day

create branch giuseppe/crun

branch : dont-fail-delete-on-exited-container

created branch time in a day

issue comment containers/fuse-overlayfs

[Errno 2] No such file or directory after some unknown steps

are you using fuse-overlayfs 1.0.2?

alxchk

comment created time in a day

Pull request review comment containers/conmon

Refactor I/O and add SD_NOTIFY proxy support

 int main(int argc, char *argv[]) 		exit(0); 	} +	char *notify_socket_path = getenv("NOTIFY_SOCKET");

could we include the commit 52546c919be261e74847981b4db1227537c47345 into the commit that first introduced the change?

Also, I think we need a way to disable the notify socket to be handled by conmon, there are cases when it is helpful to use the handling in the OCI runtime. For example when the user needs $RUNTIME start $CTR to wait for the container to be ready.

goochjj

comment created time in a day

Pull request review comment containers/conmon

Refactor I/O and add SD_NOTIFY proxy support

 char *setup_attach_socket(void) 	if (listen(attach_socket_fd, 10) == -1) 		pexitf("Failed to listen on attach socket: %s", attach_sock_path); -	g_unix_fd_add(attach_socket_fd, G_IO_IN, attach_cb, NULL);+	g_unix_fd_add(attach_socket_fd, G_IO_IN, attach_cb, &rmt_attach_sock);  	return attach_symlink_dir_path; } -static gboolean attach_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data)+void setup_notify_socket(char *socket_path)+{+	int notify_socket_fd = -1;+	struct sockaddr_un notify_addr = {0};+	notify_addr.sun_family = AF_UNIX;+	char cwd[1024];++	/* Connect to Host socket */+	if (lcl_notify_host_fd < 0) {+		lcl_notify_host_fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_NONBLOCK | SOCK_CLOEXEC, 0);+		if (lcl_notify_host_fd == -1) {+			pexit("Failed to create notify socket");+		}+		lcl_notify_host_addr.sun_family = AF_UNIX;+		strncpy(lcl_notify_host_addr.sun_path, socket_path, sizeof(lcl_notify_host_addr.sun_path) - 1);+	}++	/*+	 * Create a symlink so we don't exceed unix domain socket+	 * path length limit.+	 */+	_cleanup_free_ char *notify_symlink_dir_path = g_build_filename(opt_socket_path, opt_cuuid, NULL);+	if (unlink(notify_symlink_dir_path) == -1 && errno != ENOENT)+		pexit("Failed to remove existing symlink for notify socket directory");++	/*+	 * This is to address a corner case where the symlink path length can end up being+	 * the same as the socket.  When it happens, the symlink prevents the socket from being+	 * be created.  This could still be a problem with other containers, but it is safe+	 * to assume the CUUIDs don't change length in the same directory.  
As a workaround,+	 *  in such case, make the symlink one char shorter.+	 */+	if (strlen(notify_symlink_dir_path) == (sizeof(notify_addr.sun_path) - 1))+		notify_symlink_dir_path[sizeof(notify_addr.sun_path) - 2] = '\0';++	if (symlink(opt_bundle_path, notify_symlink_dir_path) == -1)+		pexit("Failed to create symlink for notify socket");++	_cleanup_free_ char *notify_sock_fullpath = g_build_filename(opt_socket_path, opt_cuuid, "notify/notify.sock", NULL);+	_cleanup_free_ char *notify_sock_path = g_build_filename(opt_cuuid, "notify/notify.sock", NULL);+	ninfof("notify sock path: %s", notify_sock_fullpath);++	strncpy(notify_addr.sun_path, notify_sock_path, sizeof(notify_addr.sun_path) - 1);+	ninfof("addr{sun_family=AF_UNIX, sun_path=%s}", notify_addr.sun_path);++	/*+	 * We make the socket non-blocking to avoid a race where client aborts connection+	 * before the server gets a chance to call accept. In that scenario, the server+	 * accept blocks till a new client connection comes in.+	 */+	if (getcwd(cwd, sizeof(cwd)) == NULL)
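
Review bot: the comment placed just before the getcwd() call ("We make the socket non-blocking to avoid a race where client aborts connection before the server gets a chance to call accept") does not describe this code: setup_notify_socket() creates a SOCK_DGRAM socket and never calls accept(), so the text reads as carried over from setup_attach_socket() and should be removed or rewritten to state why the notify socket is opened with SOCK_NONBLOCK. In the same block, `int notify_socket_fd = -1;` is declared but not used anywhere in the lines shown; if the fd is created further down, the declaration belongs next to that code, otherwise it should go.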

and here we can do: if ((cwd = getcwd(NULL, 0)) == NULL)

goochjj

comment created time in a day

Pull request review comment containers/conmon

Refactor I/O and add SD_NOTIFY proxy support

 char *setup_attach_socket(void) 	if (listen(attach_socket_fd, 10) == -1) 		pexitf("Failed to listen on attach socket: %s", attach_sock_path); -	g_unix_fd_add(attach_socket_fd, G_IO_IN, attach_cb, NULL);+	g_unix_fd_add(attach_socket_fd, G_IO_IN, attach_cb, &rmt_attach_sock);  	return attach_symlink_dir_path; } -static gboolean attach_cb(int fd, G_GNUC_UNUSED GIOCondition condition, G_GNUC_UNUSED gpointer user_data)+void setup_notify_socket(char *socket_path)+{+	int notify_socket_fd = -1;+	struct sockaddr_un notify_addr = {0};+	notify_addr.sun_family = AF_UNIX;+	char cwd[1024];

let's declare it as _cleanup_free_ char *cwd = NULL;

goochjj

comment created time in a day

pull request comment containers/crun

linux: honor mount-label for the notify socket

@giuseppe are you planning to do a build? If so I'd like to try another one shortly thereafter, to include a -tests subpackage.

I am planning to cut a new release: https://github.com/containers/crun/pull/416

Would that work or do we need to hold it?

giuseppe

comment created time in a day

issue comment containers/libpod

After podman 2 upgrade, ssh into rootless container no longer works on Ubuntu 20.04 host

if you are using the development version of crun, you could try adding an annotation run.oci.systemd.force_cgroup_v1=/sys/fs/cgroup to the container.

markstos

comment created time in a day

issue comment containers/libpod

After podman 2 upgrade, ssh into rootless container no longer works on Ubuntu 20.04 host

Supposedly there's a way to mount cgroups v1 into just the one container to enable it, but when we looked into it, it was a major pain.

crun 0.14 will allow mounting cgroup v1 inside of a container. It is just the name=systemd controller, but that is what systemd needs.

markstos

comment created time in a day

pull request comment containers/crun

NEWS: tag 0.14

@rhatdan PTAL

giuseppe

comment created time in 2 days

pull request comment cri-o/cri-o

disable asyncpreemptoff for go binaries

LGTM

haircommander

comment created time in 2 days

push event giuseppe/crun

Giuseppe Scrivano

commit sha 8ed3d8f04b107ab1442b2f61f1498ef7474f0e63

linux: fix lookup for paths containing '/'

Closes: https://github.com/containers/crun/issues/417
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Wong Hoi Sing Edison

commit sha 4016ced3cf194e086abba18e6e5a2e43f65365b5

nix run -f channel:nixos-20.03

Switch from nix `channel:nixpkgs-unstable` to `channel:nixos-20.03` for better stability.

Signed-off-by: Wong Hoi Sing Edison <hswong3i@gmail.com>

Giuseppe Scrivano

commit sha 632ba9287afe0acadf3cb69dafc49a94d2dc924e

Merge pull request #420 from alvistack/master-linux-amd64

nix run -f channel:nixos-20.03

Giuseppe Scrivano

commit sha 0fcf4e41ece93b310bbb11df5faa6a113fe8c26d

contrib: add notify-socket-server for testing

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Daniel J Walsh

commit sha d38b8c28fc50a14978a27fa6afc69a55bfdd2c11

Merge pull request #418 from giuseppe/fix-lookup-cwd

linux: fix lookup for paths containing '/'

Giuseppe Scrivano

commit sha 3cd4f0cf0cc2ccfe6c06aeacbecc62913875aa20

linux: honor mount-label for the notify socket

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Giuseppe Scrivano

commit sha c04fd1508ab51d8e62bb29d40cddaf23a87e6a44

linux: create the notify socket one level below

so there is no risk of overriding another existing mount. If NOTIFY_SOCKET=/run/foo/bar the notify socket will be mounted at /run/foo/bar/notify in the container.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Giuseppe Scrivano

commit sha 65e35c5759e024f9abc2b672d4857aabf37eb1bf

Merge pull request #419 from giuseppe/label-notify-socket

linux: honor mount-label for the notify socket

Giuseppe Scrivano

commit sha 58bf81a59d3233eb4957fda36917f9c76bbc5b11

NEWS: tag 0.14

Closes: https://github.com/containers/crun/issues/398
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

push time in 2 days

push event containers/crun

Giuseppe Scrivano

commit sha 0fcf4e41ece93b310bbb11df5faa6a113fe8c26d

contrib: add notify-socket-server for testing

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Giuseppe Scrivano

commit sha 3cd4f0cf0cc2ccfe6c06aeacbecc62913875aa20

linux: honor mount-label for the notify socket

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Giuseppe Scrivano

commit sha c04fd1508ab51d8e62bb29d40cddaf23a87e6a44

linux: create the notify socket one level below

so there is no risk of overriding another existing mount. If NOTIFY_SOCKET=/run/foo/bar the notify socket will be mounted at /run/foo/bar/notify in the container.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Giuseppe Scrivano

commit sha 65e35c5759e024f9abc2b672d4857aabf37eb1bf

Merge pull request #419 from giuseppe/label-notify-socket

linux: honor mount-label for the notify socket

push time in 2 days

PR merged containers/crun

linux: honor mount-label for the notify socket

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

+158 -24

37 comments

6 changed files

giuseppe

pr closed time in 2 days

pull request comment containers/buildah

buildah, bud: support --jobs=N for parallel execution

bors retry

giuseppe

comment created time in 2 days

issue comment containers/crun

How to run crun under ARM architecture?

you need to have a cross-compile toolchain for that.

I've tried to do so with the nix builder but I encounter an error while building go-md2man

xy815661276

comment created time in 2 days

issue comment systemd/systemd

Support delegating hugetlb (cgroup v2)

dup of https://github.com/systemd/systemd/issues/14662 ?

AkihiroSuda

comment created time in 2 days

pull request comment containers/buildah

buildah, bud: support --jobs=N for parallel execution

rebased and tests are green

giuseppe

comment created time in 2 days

issue comment containers/libpod

podman run --rootfs link/to//read/only/dir does not work

Is there any update on this?

what issue are you having with rootfs? The same issue as in the original post?

siscia

comment created time in 2 days

pull request comment cri-o/cri-o

contrib, cgroup v2: use kubernetes master

/retest

giuseppe

comment created time in 2 days

push event giuseppe/buildah

Chris Evich

commit sha 8a4646d584af5c2b39a15c5d1e2887b900118faf

Cirrus: Fix missing htpasswd in registry img

Recently the registry image was updated significantly with breaking changes. Most were caught, this one was not. Instead of relying on the (clearly) unreliable container image, simply install the package providing the htpasswd command locally.

Signed-off-by: Chris Evich <cevich@redhat.com>

bors[bot]

commit sha 4fd881140d28e5cbf6ba3e7eb5397865ab7250d9

Merge #2427

2427: Cirrus: Fix missing htpasswd command in registry image r=rhatdan a=cevich

Recently the registry image was updated significantly with breaking changes. Most were caught, this one was not. Instead of relying on the (clearly) unreliable container image, simply install the package providing the htpasswd command locally.

Signed-off-by: Chris Evich <cevich@redhat.com>
Co-authored-by: Chris Evich <cevich@redhat.com>

Giuseppe Scrivano

commit sha 64077e1729386a4d66ff0a3f6a3255fccb76689c

executor: refactor build code inside new function

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Giuseppe Scrivano

commit sha 631ecf05622d6fd3722a8eed6aa050bb9e75ec12

buildah, bud: support --jobs=N for parallel execution

it enables running multi-stage Containerfiles in parallel.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

push time in 2 days

issue commentcontainers/crun

How to run crun under ARM architecture?

you should be able to compile crun on ARM in the same way as specified in the README.md file.

Once you have all the dependencies installed, it is enough to run ./autogen.sh && ./configure && make.

What distro are you using?

xy815661276

comment created time in 2 days

issue commentsystemd/systemd

generic store for FDs

if I understand it correctly, FileDescriptorStoreMax= can be used only for services managed by systemd. Can an interactive process use these FDs?

giuseppe

comment created time in 3 days

pull request commentcontainers/crun

linux: honor mount-label for the notify socket

@goochjj thanks for checking it out!

giuseppe

comment created time in 3 days

pull request commentcontainers/libpod

container: move volume chown after spec generation

I don't think the --mount type=bind is translated to a volume. That looks like a plain bind mount

giuseppe

comment created time in 3 days

pull request commentcontainers/libpod

container: move volume chown after spec generation

tests are green again

giuseppe

comment created time in 3 days

PR opened containers/libpod

utils: fix parsing of cgroup with : in the name

a cgroup can have ':' in its name. Make sure the parser doesn't split into more than 3 fields and leaves the ':' in the cgroup name untouched.

commit 6ee5f740a4ecb70636b888e78b02065ee984636c introduced the issue.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

+2 -2

0 comment

1 changed file

pr created time in 3 days

create branchgiuseppe/libpod

branch : allow-cgroup-with-column-name

created branch time in 3 days

issue commentcontainers/libpod

pursuing conventional systemd+podman interaction

@jdoss you could specify it on the command line like podman --runtime /path/to/the/other/executable/crun .. or you can override its path from the containers.conf file

storrgie

comment created time in 3 days

pull request commentcontainers/libpod

container: move volume chown after spec generation

/retest

giuseppe

comment created time in 3 days

pull request commentcontainers/crun

linux: honor mount-label for the notify socket

@goochjj could you give it a last try? As soon as this PR is merged I'll prepare 0.14

giuseppe

comment created time in 3 days

issue commentcontainers/fuse-overlayfs

Latest release 1.1.2: fuse-overlayfs --version shows the wrong version

thanks for the report but it is too late to address it now ;( I'll keep the issue open so I won't repeat the mistake for the next release

manics

comment created time in 3 days

pull request commentcri-o/cri-o

contrib, cgroup v2: use kubernetes master

/retest

giuseppe

comment created time in 3 days

issue openedsystemd/systemd

generic store for FDs

Is your feature request related to a problem? Please describe.

Podman needs to run rootless containers in the same user+mount namespaces. Running all the containers in the same user namespace, instead of creating a new userns per container, is necessary in order to join namespaces created for other containers. e.g. Podman needs to join the same mount namespace in order to access existing mounts.

Since an unprivileged user is not able to pin an existing namespace to the file system (lack of CAP_SYS_ADMIN in the initial userns), Podman uses a "pause" process with the sole responsibility of keeping these two namespaces alive.

Describe the solution you'd like

I'd like to have a way to store the fds for these namespaces inside the user instance of systemd, so there is no need to run the "pause" process. Ideally it would be possible to store/fetch/remove these fds using the d-bus API with ("name", FD). The API should allow a way to specify whether the fd must be replaced if already existing, or return an error if a FD with the same name is already present in the store.

Describe alternatives you've considered

Running another process to keep these namespaces alive.

created time in 3 days

Pull request review commentcontainers/storage

Support remotely-mountable layers for speeding up image distribution

+// +build linux

is there any code coming from containerd for which we need to maintain the copyright header?

ktock

comment created time in 3 days

issue commentcontainers/libpod

pursuing conventional systemd+podman interaction

Jun 29 21:32:21 mycool mycool-elasticsearch[2765]: Error: cannot set limits without cgroups: OCI runtime error

that is a problem in crun, that is fixed upstream. I am going to cut a new release in the next days.

storrgie

comment created time in 3 days

issue commentcontainers/libpod

After podman 2 upgrade, ssh into rootless container no longer works

The change was to fix one or two dbus processes leaking at most. Considering the "fix" for that is causing show-stopping container crashes for a common case, one option is to revert the patch and get a 2.0.2 release out quickly, while continuing to look for a solution that solves the dbus process leak without introducing a crashing regression.

I think the change is correct as we should not try to use systemd when the cgroup manager is set to cgroupfs.

systemd only needs the name=systemd hierarchy to be usable. Can you show me the output for cat /proc/self/cgroup from the environment where the issue is happening?

Does it work if you wrap the podman command with systemd-run --scope --user podman ...?

markstos

comment created time in 3 days

pull request commentcontainers/buildah

buildah, bud: support --jobs=N for parallel execution

bors retry

giuseppe

comment created time in 3 days

pull request commentcontainers/buildah

buildah, bud: support --jobs=N for parallel execution

bors retry

giuseppe

comment created time in 3 days

Pull request review commentopencontainers/runtime-spec

cgroup: add cgroup v2 support

 You MUST specify at least one of the `hcaHandles` or `hcaObjects` in a given ent } ``` +## <a name="configLinuxUnified" />Unified++**`unified`** (object, OPTIONAL) allows cgroup v2 parameters to be modified at runtime for the container.++Each key in the map refers to a file in the cgroup unified hierarchy.++The OCI runtime MUST ensure that the needed cgroup controllers are enabled for the cgroup.++Configuration unknown to the runtime MUST still be written to the relevant file.
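Review bot: the text "Each key in the map refers to a file in the cgroup unified hierarchy" does not restrict the key to a plain file name, so a key containing a path separator or ".." would direct the runtime to write outside the container's own cgroup directory; the spec should require that keys are bare file names (no "/" components) and that the runtime rejects anything else. The same paragraph should also say whether a write that fails (unknown file, invalid value) is an error or is ignored, since "MUST still be written" does not settle that.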

it was pointed out here: https://github.com/opencontainers/runtime-spec/pull/1040#discussion_r435832813

When the runtime finds a configuration like "$CONTROLLER.$NAME": "$VALUE", it must always try to write it to the $CONTROLLER.$NAME file in the hierarchy. This is mostly needed to prevent the OCI runtime from ignoring any of the cgroup v2 settings.

giuseppe

comment created time in 3 days

push eventgiuseppe/runtime-spec

Giuseppe Scrivano

commit sha d1e680d97b79662bdcb6b1c366eb47294a09907f

cgroup: add cgroup v2 support

allow users to specify cgroup v2 resources. Each element in the map refers to a file in the cgroup v2 hierarchy and the element value has its content.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

push time in 3 days

Pull request review commentopencontainers/runtime-spec

cgroup: add cgroup v2 support

 You MUST specify at least one of the `hcaHandles` or `hcaObjects` in a given ent } ``` +## <a name="configLinuxUnified" />Unified++**`unified`** (object, OPTIONAL) allows cgroup v2 parameters to be modified at runtime for the container.

thanks, fixed

giuseppe

comment created time in 3 days

pull request commentcri-o/cri-o

contrib, cgroup v2: use kubernetes master

/retest

giuseppe

comment created time in 3 days

pull request commentcontainers/crun

linux: honor mount-label for the notify socket

updated package: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9ec7a517d4

giuseppe

comment created time in 4 days

Pull request review commentcontainers/libpod

container: move volume chown after spec generation

 func (v *Volume) Anonymous() bool {  // UID returns the UID the volume will be created as. func (v *Volume) UID() int {+	if v.state.UIDChowned > 0 {
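Review bot: the added check `if v.state.UIDChowned > 0 {` treats a volume chowned to UID 0 the same as one that was never chowned, so a volume legitimately owned by root would fall through to the default path; if 0 is a valid chown target, the "not set" state needs its own marker (a separate boolean or a negative sentinel) rather than being folded into the UID value.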

thanks, fixed in the new version

giuseppe

comment created time in 4 days

push eventgiuseppe/libpod

Qi Wang

commit sha f586c006f8428a04fce5a5c7ae6b921e6337ebe6

Reformat inspect network settings

Reformat ports of inspect network settings to be compatible with docker inspect.

Close #5380

Signed-off-by: Qi Wang <qiwan@redhat.com>

Ed Santiago

commit sha 6864a5547a774d19a7ccb9d50a7799b721fb66ef

BATS tests: new too-many-arguments test

...plus a few others. And fixes to actual parsing.

If a command's usage message includes '...' in the argument list, assume it can take unlimited arguments. Nothing we can check.

For all others, though, the ALL-CAPS part on the right-hand side of the usage message will define an upper bound on the number of arguments accepted by the command. So in our 'podman --help' test, generate N+1 args and run that command. We expect a 125 exit status and a suitably helpful error message.

Not all podman commands or subcommands were checking, so I fixed that. And, fixed some broken usage messages (all-caps FLAGS, and '[flags]' at the end of 'ARGS'). Add new checks to the help test to prevent those in the future.

Plus a little refactoring/cleanup where necessary.

Signed-off-by: Ed Santiago <santiago@redhat.com>

maybe-sybr

commit sha bfcfdfcb748ed2b183496e6d256564d68d20cac3

APIv2:doc: Fix swagger doc to refer to volumes Signed-off-by: Matt Brindley <58414429+maybe-sybr@users.noreply.github.com>

Jhon Honce

commit sha 4e59fd77a80a6295eb8dbf79991e1648bc739302

Fix ssh-agent support

* An identity of "" implies ssh-agent and user/password to be used
* Fixed example

Signed-off-by: Jhon Honce <jhonce@redhat.com>

maybe-sybr

commit sha 5fbac502bd839587523be92e91e5a1cf461c41ac

APIv2:fix: Remove `/json` from compat network EPs Signed-off-by: Matt Brindley <58414429+maybe-sybr@users.noreply.github.com>

maybe-sybr

commit sha 3430ca4df00981d0e0674f6b413c7a22af19ba94

APIv2: Return `StatusCreated` from volume creation

The swagdoc in `register_volumes.go` already correctly notes that a 201 should be returned upon success, so we only need to change the handler to match the spec.

Signed-off-by: Matt Brindley <58414429+maybe-sybr@users.noreply.github.com>

Giuseppe Scrivano

commit sha 370195cf784967014dceee1f3da06f79170f033a

libpod: specify mappings to the storage

specify the mappings in the container configuration to the storage when creating the container so that the correct mappings can be configured.

Regression introduced with Podman 2.0.

Closes: https://github.com/containers/libpod/issues/6735

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

OpenShift Merge Robot

commit sha 0d26b8f24babcd847a7412907e622514925544a4

Merge pull request #6737 from maybe-sybr/maybe/doc/fix-volume-list-swagdoc APIv2:doc: Fix swagger doc to refer to volumes

OpenShift Merge Robot

commit sha 3df30ef358e3211d4d6812ab08e9ceb1e31a771a

Merge pull request #6743 from giuseppe/specify-mappings-to-storage libpod: specify mappings to the storage

OpenShift Merge Robot

commit sha b74238864fe4a6fe22f3a8a370e9a32ea21ee383

Merge pull request #6739 from jwhonce/wip/connection Fix ssh-agent support

OpenShift Merge Robot

commit sha c48a5420135ecbff294e1fbce95be0adf9fc2931

Merge pull request #6733 from edsantiago/bats_help_extra_args BATS tests: new too-many-arguments test

Matthew Heon

commit sha 7fe4c5204e7c0d98f87b0408b959f312b08177e3

Set stop signal to 15 when not explicitly set

When going through the output of `podman inspect` to try and identify another issue, I noticed that Podman 2.0 was setting StopSignal to 0 on containers by default. After chasing it through the command line and SpecGen, I determined that we were actually not setting a default in Libpod, which is strange because I swear we used to do that. I re-added the disappeared default and now all is well again.

Also, while I was looking for the bug in SpecGen, I found a bunch of TODOs that have already been done. Eliminate the comments for these.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>

OpenShift Merge Robot

commit sha 179731bb1460f22cbe9b5d755562f598de8035d8

Merge pull request #6738 from maybe-sybr/maybe/apiv2/fix-network-compat-urls APIv2:fix: Remove `/json` from compat network EPs

OpenShift Merge Robot

commit sha c07df63c45710729cc9a04b1bfdfc06cad7eccf7

Merge pull request #6741 from maybe-sybr/maybe/apiv2/fix-volume-create-code APIv2: Return `StatusCreated` from volume creation

Valentin Rothberg

commit sha 1c6c12581ce0f2257a862e3a6a8dbaa7d0f32686

podman untag: error if tag doesn't exist

Throw an error if a specified tag does not exist. Also make sure that the user input is normalized as we already do for `podman tag`.

To prevent regressions, add a set of end-to-end and systemd tests. Last but not least, update the docs and add bash completions.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

OpenShift Merge Robot

commit sha 6bc5dcc2829c2bc08923df0b50f71582d5558fe8

Merge pull request #6729 from QiWang19/inspect-format Reformat inspect network settings

Daniel J Walsh

commit sha 7330647cbd752274bd0b1826a24b68efd1cf5c1c

Fix inspect to display multiple label: changes

If the user runs a container like

podman run --security-opt seccomp=unconfined --security-opt label=type:spc_t --security-opt label=level:s0 ...

Podman inspect was only showing the second option. This change will show

"SecurityOpt": [ "label=type:spc_t,label=level:s0:c60", "seccomp=unconfined" ],

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Giuseppe Scrivano

commit sha 061261ee058da403291e6cb325813b0cfd955a80

utils: drop default mapping when running uid!=0

this is a leftover from the first implementation of rootless. This code is never hit by podman rootless anymore as podman automatically creates a user namespace now.

Fixes an issue with podman remote when used with uid != 0.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

OpenShift Merge Robot

commit sha 988fd27541dfa852ee9543c2d8a916896ef0c774

Merge pull request #6746 from vrothberg/untag podman untag: error if tag doesn't exist

OpenShift Merge Robot

commit sha b61e429f199ca0f164054a9d758e60f94aa4d81e

Merge pull request #6732 from mheon/fix_stopsignal_set Set stop signal to 15 when not explicitly set

push time in 4 days

issue commentcontainers/libpod

pursuing conventional systemd+podman interaction

yes, we need to add Delegate=true under [Service] so podman is able to manage the cgroup. For rootless it should happen only with cgroup v2.

storrgie

comment created time in 4 days

pull request commentcri-o/cri-o

contrib, cgroup v2: use kubernetes master

/retest

giuseppe

comment created time in 4 days

created tagcontainers/fuse-overlayfs

tagv1.1.2

FUSE implementation for overlayfs

created time in 4 days

pull request commentcontainers/crun

linux: honor mount-label for the notify socket

it works if I use 6b721daa0b9ff46a444e174995e5ac6600604db5 for container-selinux

giuseppe

comment created time in 4 days