
containers/libpod 4803

libpod is a library used to create container pods. Home of Podman.

cri-o/cri-o 2507

Open Container Initiative-based implementation of Kubernetes Container Runtime Interface

containers/conmon 125

An OCI container runtime monitor.

containers/podman.io 119

Repository for podman.io website using GitHub Pages.

containers/psgo 33

A ps(1) AIX-format compatible golang library

containers/common 13

Location for shared common files in github.com/containers repos.

containers/podman-py 13

Python bindings for Podman's v2 API

mheon/golang-seccomp 6

Go bindings for libseccomp

containers/automation 3

Automation scripts and configurations common across the containers org. repositories

containers/automation_sandbox 2

Test-repository for experimenting with in-repo automation tools/settings.

issue comment containers/libpod

API: Create container creates an invalid container configuration

That's correct - Podman does precompute port mappings at create time, rather than generating them at runtime. This may be slightly less reliable than Docker, but it's been done this way for three years without a bug report about it, so I don't think changing this is a priority unless this breaks something critical.

On Fri, Jul 3, 2020, 18:32 Sami Korhonen notifications@github.com wrote:

I'd imagine that resolves issue with publish all ports flag not publishing exposed ports.

Btw. I noted some differences in host port randomization. Docker seems to randomize ports on start while podman does it on create. I can see benefits in both approaches. I think that docker's solution is less likely to fail when starting container. If port is chosen on start, it's possible to ensure that host port is free.

I didn't check podman code yet, just noted that port information is available as soon as container had been created - docker required a start to reveal port. Is this behavioral difference worth reporting an issue or can you just discuss it internally?

(view on GitHub: https://github.com/containers/libpod/issues/6799#issuecomment-653689455)

skorhone

comment created time in 22 minutes

issue comment containers/libpod

API: Create container creates an invalid container configuration

I'm working on converting the compat create endpoint to use the same codepath that libpod does, but it's slow going - there are a lot of parameters that need to be handled.

skorhone

comment created time in 19 hours

issue comment containers/libpod

Api: Exec start endpoint doesn't close upgraded http connection after execution has completed

The Conmon instances lingering are expected - they should clean themselves up after 5 minutes, mimicking Docker's handling of exec sessions. As long as the Conmon session is alive, the inspect endpoint for that exec session should be functional.

skorhone

comment created time in 19 hours

issue comment containers/libpod

Api: Exec start endpoint doesn't close upgraded http connection after execution has completed

Also, full server debug logs would be greatly helpful.

skorhone

comment created time in a day

issue comment containers/libpod

"Error: invalid configuration, cannot specify resource limits without cgroups v2 and --cgroup-manager=systemd"

That's really weird, because the code path that leads to that error should be completely disabled in v2.0.0 and up...

avikivity

comment created time in 2 days

Pull request review comment containers/libpod

Set engine env from common config

 func persistentPreRunE(cmd *cobra.Command, args []string) error { 		return err 	} +	for _, env := range cfg.Engine.Env {+		splitEnv := strings.SplitN(env, "=", 2)
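Review bot: `strings.SplitN(env, "=", 2)` returns a one-element slice when an entry in `cfg.Engine.Env` has no `=`, so any later indexing of the second element panics on a malformed containers.conf; check `len(splitEnv) != 2` and return an error naming the offending entry before setting anything. Precedence should also be explicit in this loop: look the name up with `os.LookupEnv` and skip entries already present in the process environment, so that `ENVVAR=value podman run ...` wins over the config file rather than being overwritten by it.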

Do we want this to take precedence over actual OS environment? I imagine that if I have something set in containers.conf but later do a ENVVAR=value podman run ... I want the version passed there to take precedence.

If so, we should only define environment variables that are not already defined.

QiWang19

comment created time in 2 days

issue comment containers/libpod

Is COPY/ADD supposed to work with files in subdirectories?

@TomSweeneyRedHat PTAL

srcshelton

comment created time in 2 days

pull request comment containers/common

PidsLimit should return 0 if rootless and cgroupfs manager

LGTM

rhatdan

comment created time in 2 days

issue comment containers/libpod

"Error: invalid configuration, cannot specify resource limits without cgroups v2 and --cgroup-manager=systemd"

Can you provide the error message you're seeing? Also, are you on Fedora or FCOS?

avikivity

comment created time in 2 days

issue comment containers/libpod

created pods are not startable

@giuseppe Does the keyring issue look like a kernel issue to you? I think I recall that.

trusch

comment created time in 2 days

pull request comment containers/libpod

Pids-limit should only be set if the user set it

Ah, I think I know what's going on here. The code in containers/common for determining default limit is broken.

func (c *Config) PidsLimit() int64 {
        if unshare.IsRootless() {
                if c.Engine.CgroupManager == SystemdCgroupsManager {
                        cgroup2, _ := cgroupv2.Enabled()
                        if cgroup2 {
                                return c.Containers.PidsLimit
                        }
                        return 0
                }
        }
        return sysinfo.GetDefaultPidsLimit()
}

Notice that if cgroup manager is set to cgroupfs, we will drop through the conditionals and return sysinfo.GetDefaultPidsLimit - and v1 rootless defaults to cgroupfs.

rhatdan

comment created time in 2 days

pull request comment containers/libpod

Pids-limit should only be set if the user set it

Confirmed here as well.

rhatdan

comment created time in 2 days

issue comment containers/libpod

created pods are not startable

Also, any chance you can try using the crun OCI runtime, to see if it gives a different error?

trusch

comment created time in 2 days

issue comment containers/libpod

created pods are not startable

Fix for the error reporting part of this in #6846

trusch

comment created time in 2 days

PR opened containers/libpod

Print errors from individual containers in pods Backport to v2.0

The infra/abi code for pods was written in a flawed way, assuming that the map[string]error containing individual container errors was only set when the global error for the pod function was nil; that is not accurate, and we are actually guaranteed to set the global error when any individual container errors. Thus, we'd never actually include individual container errors, because the infra code assumed that err being set meant everything failed and no container operations were attempted.

We were originally setting the cause of the error to something nonsensical ("container already exists"), so I made a new error indicating that some containers in the pod failed. We can then ignore that error when building the report on the pod operation and actually return errors from individual containers.

Unfortunately, this exposed another weakness of the infra code, which was discarding the container IDs. Errors from individual containers are not guaranteed to identify which container they came from, hence the use of map[string]error in the Pod API functions. Rather than restructuring the structs we return from pkg/infra, I just wrapped the returned errors with a message including the ID of the container.

+28 -24

0 comment

3 changed files

pr created time in 2 days
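The error-handling contract described in the PR text (a per-container `map[string]error`, a global error that is always set when any container fails, and errors wrapped with the container ID so the report can name the culprit), as an added example. This is not the project's code: `ErrPodPartialFail`, `runOnPod`, `buildReport` and `PodReport` are hypothetical names chosen for the illustration, and the "start" operation and container IDs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ErrPodPartialFail is a sentinel returned by a pod-wide operation when at
// least one container failed. Callers recognise it with errors.Is and then
// report the per-container errors instead of the sentinel itself.
// (Hypothetical name; the page does not show the project's error value.)
var ErrPodPartialFail = errors.New("some containers in the pod failed")

// ContainerOp is the per-container action a pod operation runs (start, stop...).
type ContainerOp func(id string) error

// runOnPod applies op to every container and returns the per-container
// failures keyed by ID plus ErrPodPartialFail when that map is non-empty.
// The global error is therefore always set when any container failed, which
// is the contract the infra code in the PR text mistook for "nothing ran".
func runOnPod(ids []string, op ContainerOp) (map[string]error, error) {
	failed := make(map[string]error)
	for _, id := range ids {
		if err := op(id); err != nil {
			// Wrap with the container ID: a runtime error is not guaranteed
			// to say which container it came from.
			failed[id] = fmt.Errorf("container %s: %w", id, err)
		}
	}
	if len(failed) > 0 {
		return failed, ErrPodPartialFail
	}
	return nil, nil
}

// PodReport is what the front end renders.
type PodReport struct {
	PodErr  error   // a genuine pod-level failure (pod not found, ...) or nil
	CtrErrs []error // per-container failures, sorted by ID for stable output
}

// buildReport is the infra side. It swallows only the sentinel; any other
// error means the pod operation itself failed and is passed through, while
// the individual container errors are kept instead of being dropped.
func buildReport(ctrErrs map[string]error, err error) PodReport {
	var report PodReport
	if err != nil && !errors.Is(err, ErrPodPartialFail) {
		report.PodErr = err
		return report
	}
	ids := make([]string, 0, len(ctrErrs))
	for id := range ctrErrs {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		report.CtrErrs = append(report.CtrErrs, ctrErrs[id])
	}
	return report
}

// Summary renders the report one line per failure, as a CLI would print it.
func (r PodReport) Summary() string {
	if r.PodErr != nil {
		return "pod operation failed: " + r.PodErr.Error()
	}
	if len(r.CtrErrs) == 0 {
		return "ok"
	}
	lines := make([]string, len(r.CtrErrs))
	for i, e := range r.CtrErrs {
		lines[i] = e.Error()
	}
	return strings.Join(lines, "\n")
}

func main() {
	// Constructed sample: container "b" fails to start, "a" and "c" succeed.
	start := func(id string) error {
		if id == "b" {
			return errors.New("OCI runtime error: keyring setup failed")
		}
		return nil
	}
	ctrErrs, err := runOnPod([]string{"a", "b", "c"}, start)
	fmt.Println(buildReport(ctrErrs, err).Summary())
}
```

The important property is in `buildReport`: it distinguishes the sentinel from a real pod-level error with `errors.Is`, so a missing pod still surfaces as such, while a partial failure produces one line per affected container instead of the meaningless "container already exists" the original code produced.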

create branch mheon/libpod

branch : fix_pod_errors

created branch time in 2 days

issue comment containers/libpod

created pods are not startable

It looks like we do return the errors in question - they must be dropped somewhere.

Also, that error message is truly spectacularly bad - "container already exists" means absolutely nothing here. I think I was the one that wrote that bit, so... oops?

trusch

comment created time in 2 days

pull request comment containers/libpod

Fix `system service` panic from early hangup in events

/hold cancel

Things are green, I think we're good.

mheon

comment created time in 2 days

Pull request review comment containers/libpod

WIP: CI:DOCS: Add document for libpod release process

+(FIXME: Should this file live elsewhere?)++# Libpod/Podman/Podman-Remote Automated Release Workflow++1. Open a new PR.  The the `HEAD` commit *must* have a summary line matching the+   following regex: `Release (v\d+\.\d+(\.\d+(-[\w\-\.]+)?)?)`.++   * The second line of the commit text (after the summary and blank line), *must*+     match the following regex: `^\(prior release: (.+)\)`.  Where the content of
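Review bot: the summary-line regex `Release (v\d+\.\d+(\.\d+(-[\w\-\.]+)?)?)` is unanchored, so a summary such as `Unrelease v2.0` or `Release v2.0.1 and fix typo` also matches and the captured version may be only a prefix of what the author wrote; anchor it as `^Release (...)$`. The second-line regex `^\(prior release: (.+)\)` has `^` but no `$`, so it accepts trailing junk after the closing parenthesis; add `$`. Step 1 also has a typo, `The the`.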

On upgrades in general - we're very lenient on this (RHEL means we have to be - we went from 1.0, to 1.4.2, to 1.6.4, to 1.9.3 - lots of skipping there). Given the way our internals work, at present it's doubtful we will need to implement a requirement that only major version N-1 be upgraded to new major version N.

cevich

comment created time in 2 days

Pull request review comment containers/libpod

WIP: CI:DOCS: Add document for libpod release process

+(FIXME: Should this file live elsewhere?)++# Libpod/Podman/Podman-Remote Automated Release Workflow++1. Open a new PR.  The the `HEAD` commit *must* have a summary line matching the+   following regex: `Release (v\d+\.\d+(\.\d+(-[\w\-\.]+)?)?)`.++   * The second line of the commit text (after the summary and blank line), *must*+     match the following regex: `^\(prior release: (.+)\)`.  Where the content of

Step 3 sounds dubious - we should always be tagging releases. Any version bump that is not -dev suffixed should make a tag.

cevich

comment created time in 2 days

pull request comment containers/libpod

Fix `system service` panic from early hangup in events

Looks like this is going green

@baude @vrothberg @giuseppe @TomSweeneyRedHat PTAL

mheon

comment created time in 2 days

pull request comment containers/libpod

stop podman service in e2e tests

LGTM

baude

comment created time in 2 days

issue comment containers/libpod

podman run with pod and uidmap: mount mqueue not permitted

@giuseppe Wow - the kernel is allowing that now?

Also, I only see proc/IPC listed - what about net? We're still broken if pods can't share network.

matpen

comment created time in 2 days

Pull request review comment containers/libpod

Pids-limit should only be set if the user set it

 func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat 		} 	} +	// If caller did not specify Pids Limits load default+	if s.ResourceLimits != nil && s.ResourceLimits.Pids == nil {

(I think this will be the case for rootless v2, for example)

rhatdan

comment created time in 2 days

Pull request review comment containers/libpod

Pids-limit should only be set if the user set it

 func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat 		} 	} +	// If caller did not specify Pids Limits load default+	if s.ResourceLimits != nil && s.ResourceLimits.Pids == nil {

Do we want to make ResourceLimits if it was null and Pids is not empty?

rhatdan

comment created time in 2 days

Pull request review comment containers/libpod

Pids-limit should only be set if the user set it

 func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat 		} 	} +	// If caller did not specify Pids Limits load default+	if s.ResourceLimits.Pids == nil {

This could null-pointer, I think - s.ResourceLimits may be null.

rhatdan

comment created time in 2 days

Pull request review comment containers/libpod

Pids-limit should only be set if the user set it

 func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat 		} 	} +	// If caller did not specify Pids Limits load default+	if s.ResourceLimits.Pids == nil {+		if s.CgroupsMode != "disabled" {
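Review bot: `s.ResourceLimits.Pids` is dereferenced before anything checks `s.ResourceLimits != nil`, so a spec that sets no limits at all (the common case) nil-pointer panics in `CompleteSpec`; either guard with `s.ResourceLimits != nil &&` or allocate `s.ResourceLimits` first. The `s.CgroupsMode != "disabled"` condition is also not sufficient on its own: rootless on cgroups v1 cannot accept any pids limit (the runtime rejects the spec), so the default must only be loaded when cgroups are enabled and (root or cgroups v2).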

We also need to make sure we are not rootless + cgroups v1

rhatdan

comment created time in 2 days

issue comment containers/libpod

podman run with pod and uidmap: mount mqueue not permitted

This is a kernel-level restriction - you can't join namespaces not owned by your user namespace, so we can't join the uidmapped containers to the pod-level network namespace (which existed before the new container and its user namespace). I believe that the work @giuseppe did in crun is to enable the entire pod to share a single user namespace (which Podman still does not have support for, but could add at this point).

matpen

comment created time in 2 days

push event mheon/libpod

Matthew Heon

commit sha 9e4cf6ca513fa0646f33ade14955e1fc4335e176

Fix `system service` panic from early hangup in events

We weren't actually halting the goroutine that sent events, so it would continue sending even when the channel closed (the most notable cause being early hangup - e.g. Control-c on a curl session). Use a context to cancel the events goroutine and stop sending events.

Fixes #6805

Signed-off-by: Matthew Heon <matthew.heon@pm.me>


push time in 2 days

issue comment containers/libpod

podman run with pod and uidmap: mount mqueue not permitted

@rhatdan Good issue for an intern, I think

matpen

comment created time in 2 days

issue comment containers/libpod

podman run with pod and uidmap: mount mqueue not permitted

We do not presently support using --uidmap with pods. We're looking into enabling it at the pod level, but when we do, it's likely going to be a flag to give a configuration for the whole pod - I don't think it is possible to sanely support containers with varying mappings inside the same pod.

Besides that, though, is the fact that we just allowed this to happen without error, and happily handed off a container configuration that would never work to the OCI runtime, which handed back a not particularly relevant error. We should catch this earlier and error at the container creation stage with an error that actually makes sense.

matpen

comment created time in 2 days

push event containers/libpod

Daniel J Walsh

commit sha 48ad0f4e8f36918406b95e498f6750e5d5cf749a

Don't disable selinux labels if user specifies a security opt

Currently if the user specifies --pid=host or --ipc=host or --privileged then we disable SELinux labeling. If the user however specifies --security-opt label:... Then we assume they want to leave SELinux enabled and know what they are doing.

This PR will leave SELinux enabled if a user specifies a --security-opt label option.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>


Matthew Heon

commit sha 50d67e711edbd34aeb2b7e80b143cc3637ce3bba

Merge pull request #6832 from rhatdan/v1.6.4

Don't disable selinux labels if user specifies a security opt


push time in 2 days

PR merged containers/libpod

Don't disable selinux labels if user specifies a security opt (labels: approved, lgtm)

Currently if the user specifies --pid=host or --ipc=host or --privileged then we disable SELinux labeling. If the user however specifies --security-opt label:... Then we assume they want to leave SELinux enabled and know what they are doing.

This PR will leave SELinux enabled if a user specifies a --security-opt label option.

Signed-off-by: Daniel J Walsh dwalsh@redhat.com

+10 -10

7 comments

1 changed file

rhatdan

pr closed time in 2 days

pull request comment containers/libpod

Don't disable selinux labels if user specifies a security opt

I'm going to go ahead and merge - we can land further changes in additional PRs if we need to

rhatdan

comment created time in 2 days

pull request comment containers/libpod

Fix `system service` panic from early hangup in events

Repushed with Varlink fixes

mheon

comment created time in 2 days

pull request comment containers/libpod

Add --tz flag to create, run

Yeah, those should be fine

ashley-cui

comment created time in 2 days

push event mheon/libpod

Matthew Heon

commit sha 7117d75d98f54cf1ecaf470b04e1718cb1775572

Fix `system service` panic from early hangup in events

We weren't actually halting the goroutine that sent events, so it would continue sending even when the channel closed (the most notable cause being early hangup - e.g. Control-c on a curl session). Use a context to cancel the events goroutine and stop sending events.

Fixes #6805

Signed-off-by: Matthew Heon <matthew.heon@pm.me>


push time in 2 days

pull request comment containers/libpod

Pids-limit should only be set if the user set it

I don't see code for that anywhere. pkg/specgen takes the resource limits as they were given and uses them unmodified.

rhatdan

comment created time in 2 days

pull request comment containers/libpod

Add --tz flag to create, run

I see that a lot of the timezones are symlinks in non-Red Hat OSes; we might need to do some sort of resolution on the link to get the correct target. For example: In Debian, the GB timezone is a symlink (GB -> Europe/London). We should also have some sort of detection to ensure we don't accidentally mount in an entire folder if the user specifies Australia as a timezone, instead of Australia/Brisbane

ashley-cui

comment created time in 2 days
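The two hazards raised in the review above (zone names that are symlinks, such as Debian's `GB -> Europe/London`, and a name like `Australia` that is a directory rather than a zone file) share a fix with a third one a reviewer should check for: `filepath.Join("/usr/share/zoneinfo", tz)` cleans `..` segments but does not confine the result to the zoneinfo tree. The validation below is an added example, not the project's code; `resolveZonePath` and `ErrBadTimezone` are hypothetical names, and the special values `local`/`host` are assumed to be handled by the caller before this function is reached.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadTimezone is returned for any value that does not resolve to a
// regular file inside the zoneinfo directory. (Hypothetical error name.)
var ErrBadTimezone = errors.New("invalid timezone")

// resolveZonePath turns a user-supplied --tz value into an absolute path to
// a zoneinfo file, or rejects it. Checks, in order:
//  1. reject empty and absolute values, and anything that still escapes base
//     after filepath.Join has cleaned it (e.g. "../../etc/shadow");
//  2. follow symlinks (Debian's GB -> Europe/London) and re-check that the
//     resolved target is still under base;
//  3. require a regular file, so "Australia" (a directory) is rejected
//     instead of a whole directory being copied into the container.
func resolveZonePath(base, tz string) (string, error) {
	if tz == "" || filepath.IsAbs(tz) {
		return "", fmt.Errorf("%w: %q", ErrBadTimezone, tz)
	}
	// Canonicalise base first so the prefix comparison is not fooled by a
	// base that is itself a symlink (e.g. /usr/share -> /share).
	realBase, err := filepath.EvalSymlinks(base)
	if err != nil {
		return "", fmt.Errorf("zoneinfo directory %q: %w", base, err)
	}
	sep := string(filepath.Separator)
	joined := filepath.Join(realBase, tz) // Join also collapses ".." segments
	if !strings.HasPrefix(joined, realBase+sep) {
		return "", fmt.Errorf("%w: %q escapes %s", ErrBadTimezone, tz, base)
	}
	resolved, err := filepath.EvalSymlinks(joined)
	if err != nil {
		return "", fmt.Errorf("%w: %q: %v", ErrBadTimezone, tz, err)
	}
	if !strings.HasPrefix(resolved, realBase+sep) {
		return "", fmt.Errorf("%w: %q links outside %s", ErrBadTimezone, tz, base)
	}
	info, err := os.Stat(resolved)
	if err != nil {
		return "", fmt.Errorf("%w: %q: %v", ErrBadTimezone, tz, err)
	}
	if !info.Mode().IsRegular() {
		return "", fmt.Errorf("%w: %q is not a zone file (a directory?)", ErrBadTimezone, tz)
	}
	return resolved, nil
}

func main() {
	// Against a real host; each line shows the path accepted or the reason
	// for rejection. Results depend on the host's zoneinfo installation.
	for _, tz := range []string{"Europe/London", "GB", "../../etc/shadow", "Australia"} {
		p, err := resolveZonePath("/usr/share/zoneinfo", tz)
		fmt.Printf("%-18s -> %q err=%v\n", tz, p, err)
	}
}
```

Returning the resolved path rather than the joined one also means the later copy reads the real zone file, so the copied `/etc/localtime` is a regular file regardless of how the distribution laid out its symlinks.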

pull request comment containers/libpod

Pids-limit should only be set if the user set it

I don't like this because it disables the default PID limit entirely, even for root containers. We should preserve the default limit where possible (root and cgroups v2 rootless)

rhatdan

comment created time in 2 days

issue comment containers/libpod

After podman 2 upgrade, ssh into rootless container no longer works on Ubuntu 20.04 host

Yes - we've seen the same thing with RHEL/CentOS 7 on top of v2. Supposedly there's a way to mount cgroups v1 into just the one container to enable it, but when we looked into it, it was a major pain.

markstos

comment created time in 3 days

pull request comment containers/libpod

Fix `system service` panic from early hangup in events

Looks like this broke Varlink, but everything else still works. Neat.

mheon

comment created time in 3 days

push event mheon/libpod

Matthew Heon

commit sha be430b3e48c4d4ad263f5b34143cc6114d97cd52

Fix `system service` panic from early hangup in events

We weren't actually halting the goroutine that sent events, so it would continue sending even when the channel closed (the most notable cause being early hangup - e.g. Control-c on a curl session). Use a context to cancel the events goroutine and stop sending events.

Fixes #6805

Signed-off-by: Matthew Heon <matthew.heon@pm.me>


push time in 3 days

pull request comment containers/libpod

WIP: CI:DOCS: Add document for libpod release process

It's three commits across two PRs.

Commit 1, PR 1: Update release notes with all changes of note

Wait until that merges, then rebase, making sure that commit is included.

Commit 1, PR 2: Bump to vA.B.C (the actual release, signed)

Commit 2, PR 2: Bump to vA.B.(C+1)-dev (Bump to a development version, so further builds do not show as vA.B.C in podman info - makes absolutely sure only the release commit is identified as a full release, not a prerelease.)

cevich

comment created time in 3 days

Pull request review comment containers/libpod

WIP: CI:DOCS: Add document for libpod release process

+(FIXME: Should this file live elsewhere?)++# Libpod/Podman/Podman-Remote Automated Release Workflow++1. Open a new PR.  The the `HEAD` commit *must* have a summary line matching the

It's probably not going to be HEAD but HEAD~1 - the format is Release commit, then -dev release commit (bumping to a fresh development version)

cevich

comment created time in 3 days

Pull request review comment containers/libpod

WIP: CI:DOCS: Add document for libpod release process

+(FIXME: Should this file live elsewhere?)++# Libpod/Podman/Podman-Remote Automated Release Workflow++1. Open a new PR.  The the `HEAD` commit *must* have a summary line matching the+   following regex: `Release (v\d+\.\d+(\.\d+(-[\w\-\.]+)?)?)`.++   * The second line of the commit text (after the summary and blank line), *must*+     match the following regex: `^\(prior release: (.+)\)`.  Where the content of

Do we need this? I would think we can programmatically determine this, given we're strict semantic-versioning now.

cevich

comment created time in 3 days

Pull request review comment containers/libpod

WIP: CI:DOCS: Add document for libpod release process

+# Libpod/Podman/Podman Remote Release Checklist++0. Make a new branch using the name format <1.2.3>[-<epic>]

The biggest thing is that pre-releases must mark the Github release as "pre-release", and do not need to build Windows/OS X/etc binaries (but it's not necessarily bad if it does build them).

cevich

comment created time in 3 days

PR opened containers/libpod

Fix `system service` panic from early hangup in events

We weren't actually halting the goroutine that sent events, so it would continue sending even when the channel closed (the most notable cause being early hangup - e.g. Control-c on a curl session). Use a context to cancel the events goroutine and stop sending events.

Fixes #6805

+38 -15

0 comment

8 changed files

pr created time in 3 days
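The fix described in the PR text (cancel the event-sending goroutine through a context instead of letting it outlive the client) in a self-contained form, as an added example that is not the project's code. `Event`, `streamEvents` and `serveEvents` are constructed stand-ins for libpod's event source and the `system service` HTTP handler; the real handler's types and wiring are not on the page.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// Event is a minimal stand-in for a libpod event (constructed for this example).
type Event struct {
	Seq  int
	Name string
}

// streamEvents is the producer goroutine. It emits one Event per interval on
// out until ctx is cancelled, and closes the returned channel when it has
// actually exited, so a caller can prove nothing was leaked. Both the wait
// and the send select on ctx.Done(): a producer that selects only on the
// timer keeps running after the consumer is gone, and a plain `out <- ev`
// either blocks forever on an abandoned unbuffered channel or panics if the
// consumer closed it, which is the failure mode the PR fixes.
func streamEvents(ctx context.Context, out chan<- Event, interval time.Duration) <-chan struct{} {
	done := make(chan struct{})
	go func() {
		defer close(done)
		ticker := time.NewTicker(interval)
		defer ticker.Stop()
		for seq := 1; ; seq++ {
			select {
			case <-ctx.Done():
				return
			case <-ticker.C:
			}
			select {
			case <-ctx.Done():
				return
			case out <- Event{Seq: seq, Name: "tick"}:
			}
		}
	}()
	return done
}

// serveEvents models the HTTP handler. It owns the context, forwards at most
// maxEvents events to the client, stops early when clientGone fires (the
// curl session hung up), and always cancels the producer before returning.
// It reports the delivered events and whether the producer exited within
// grace, which is the condition a leak-free handler must satisfy.
func serveEvents(clientGone <-chan struct{}, maxEvents int, interval, grace time.Duration) ([]Event, bool) {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	out := make(chan Event)
	done := streamEvents(ctx, out, interval)

	var delivered []Event
loop:
	for len(delivered) < maxEvents {
		select {
		case ev := <-out:
			delivered = append(delivered, ev)
		case <-clientGone: // a nil channel here never fires
			break loop
		}
	}
	cancel() // tell the producer to stop; after this it must not send again
	select {
	case <-done:
		return delivered, true
	case <-time.After(grace):
		return delivered, false
	}
}

func main() {
	// Constructed run: the client reads three events and then goes away.
	events, exited := serveEvents(nil, 3, 10*time.Millisecond, time.Second)
	fmt.Printf("delivered %d events, producer exited cleanly: %v\n", len(events), exited)
}
```

In a real handler `clientGone` would be the request context's `Done()` channel, which `net/http` closes on hangup; the point is that the handler, not the producer, owns the lifetime, and the producer never touches the channel once cancelled.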

create branch mheon/libpod

branch : fix_panic_events

created branch time in 3 days

Pull request review comment containers/libpod

Add --tz flag to create, run

 USER mail` 		Expect(session.ExitCode()).To(Equal(0)) 		Expect(strings.Contains(session.OutputToString(), groupName)).To(BeTrue()) 	})++	It("podman run --tz", func() {+		session := podmanTest.Podman([]string{"run", "--tz", "foo", "--rm", ALPINE, "date"})
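Review bot: the new test runs `--tz foo`, and `foo` is not a file under `/usr/share/zoneinfo`, so with the stat check in `createContainerOptions` this command should fail at create time; the visible lines do not show what exit code the test expects. Split it into a negative case that asserts a non-zero exit for `foo` and a positive case that passes a real zone (e.g. `Europe/London`) and checks the `date` output inside the container reflects it.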

Can we verify this inside the container as well, make sure the timezone has been correctly detected?

ashley-cui

comment created time in 3 days

Pull request review comment containers/libpod

Add --tz flag to create, run

 type ContainerBasicConfig struct { 	// passed will be 3 + PreserveFDs. 	// set tags as `json:"-"` for not supported remote 	PreserveFDs uint `json:"-"`++	TZ string `json:"timezone,omitempty"`

Needs a comment

ashley-cui

comment created time in 3 days

Pull request review comment containers/libpod

Add --tz flag to create, run

 func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen. 		options = append(options, libpod.WithStdin()) 	} +	if s.TZ != "" {+		if s.TZ != "local" {+			zonePath := filepath.Join("/usr/share/zoneinfo", s.TZ)+			_, err := os.Stat(zonePath)+			if err != nil {+				return nil, err
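Review bot: `filepath.Join("/usr/share/zoneinfo", s.TZ)` cleans the path but does not confine it, so `--tz ../../etc/shadow` resolves to `/etc/shadow`, passes `os.Stat`, and would later be copied into the container as `/etc/localtime`. After joining, verify the cleaned path still has the `/usr/share/zoneinfo/` prefix (and again after resolving symlinks), and require a regular file so a directory such as `Australia` is rejected. Wrap the error with the timezone name instead of returning the bare stat error.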

More descriptive error here would be very nice

ashley-cui

comment created time in 3 days

Pull request review comment containers/libpod

Add --tz flag to create, run

 func withSetAnon() VolumeCreateOption { 	} } +func WithTZ(path string) CtrCreateOption {+	return func(ctr *Container) error {+		if ctr.valid {+			return define.ErrCtrFinalized+		}+		ctr.config.TZ = path

We should validate here that the given timezone actually exists.

ashley-cui

comment created time in 3 days

Pull request review comment containers/libpod

Add --tz flag to create, run

 func (c *Container) getOCICgroupPath() (string, error) { 		return "", errors.Wrapf(define.ErrInvalidArg, "invalid cgroup manager %s requested", c.runtime.config.Engine.CgroupManager) 	} }++func (c *Container) copyTimezoneFile(zonePath string) (string, error) {+	var localtimeCopy string = filepath.Join(c.state.RunDir, "localtime")+	if _, err := os.Stat(zonePath); err != nil {+		return "", err+	}+	src, err := os.Open(zonePath)+	if err != nil {+		return "", err+	}+	defer src.Close()+	dest, err := os.Create(localtimeCopy)+	if err != nil {+		return "", err+	}+	defer dest.Close()+	_, err = io.Copy(dest, src)+	if err != nil {+		return "", err+	}++	//Copy SELinux location file permissions+	copylabel, err := selinux.FileLabel(zonePath)+	if err := label.Relabel(localtimeCopy, copylabel, false); err != nil {
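Review bot: the `err` from `selinux.FileLabel(zonePath)` is never checked; the following `if err := label.Relabel(...)` shadows it, so a failed label lookup silently relabels the copy with an empty `copylabel`. Check it, or drop the lookup and use the container's mount label. Separately, `os.Open` succeeds on a directory, so the redundant `os.Stat` above it should be used to require `IsRegular()` and return a clear error for a zone name that is a directory, rather than letting `io.Copy` fail with a confusing one.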

Also, ensure this is chown'd to c.RootUID() and c.RootGID()

ashley-cui

comment created time in 3 days

Pull request review comment containers/libpod

Add --tz flag to create, run

 func (c *Container) getOCICgroupPath() (string, error) { 		return "", errors.Wrapf(define.ErrInvalidArg, "invalid cgroup manager %s requested", c.runtime.config.Engine.CgroupManager) 	} }++func (c *Container) copyTimezoneFile(zonePath string) (string, error) {+	var localtimeCopy string = filepath.Join(c.state.RunDir, "localtime")+	if _, err := os.Stat(zonePath); err != nil {+		return "", err+	}+	src, err := os.Open(zonePath)+	if err != nil {+		return "", err+	}+	defer src.Close()+	dest, err := os.Create(localtimeCopy)+	if err != nil {+		return "", err+	}+	defer dest.Close()+	_, err = io.Copy(dest, src)+	if err != nil {+		return "", err+	}++	//Copy SELinux location file permissions+	copylabel, err := selinux.FileLabel(zonePath)+	if err := label.Relabel(localtimeCopy, copylabel, false); err != nil {

Please use c.config.MountLabel instead for the label

ashley-cui

comment created time in 3 days

Pull request review comment containers/libpod

Add --tz flag to create, run

 func (c *Container) makeBindMounts() error { 		c.state.BindMounts["/etc/hostname"] = hostnamePath 	} +	// Make /etc/localtime+	if _, ok := c.state.BindMounts["/etc/localtime"]; !ok {

Only do this is timezone is not set to "" - we should not modify behavior for containers not explicitly passing the flag.

ashley-cui

comment created time in 3 days

Pull request review comment containers/libpod

Add --tz flag to create, run

 type ContainerConfig struct { 	// to 0, 1, 2) that will be passed to the executed process. The total FDs 	// passed will be 3 + PreserveFDs. 	PreserveFDs uint `json:"preserveFds,omitempty"`++	//Tz is the timezone inside the container+	TZ string `json:"timezone"`
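Review bot: `json:"timezone"` lacks `omitempty`, unlike `PreserveFDs` on the line above and the same field in the specgen struct (`json:"timezone,omitempty"`), so every container config written to the database gains an empty `timezone` key. The comment also spells the field `Tz` while the field is `TZ`.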

Please rename to "Timezone" as part of this struct - brevity is good for CLI options, not good for code clarity.

ashley-cui

comment created time in 3 days

Pull request review comment containers/libpod

Add --tz flag to create, run

 func (c *Container) AutoRemove() bool { 	} 	return c.Spec().Annotations[define.InspectAnnotationAutoremove] == define.InspectResponseTrue }++func (c *Container) TZ() string {

Needs a comment

ashley-cui

comment created time in 3 days

Pull request review comment containers/libpod

Add --tz flag to create, run

 interactive shell. The default is false. Note: The **-t** option is incompatible with a redirection of the Podman client standard input. +**--tz**=*timezone*++Set timezone in container. This flag takes area-based timezones, GMT time, as well as `host`, which sets the timezone in the container to match the host machine. See `/usr/share/zoneinfo/` for valid timezones.++$ podman create --tz=host
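Review bot: the man page documents `host` as the special value (`podman create --tz=host`), but `createContainerOptions` in this PR special-cases `"local"` (`if s.TZ != "local"`), so `--tz=host` would be looked up as `/usr/share/zoneinfo/host` and rejected; pick one spelling and use it in both places. "GMT time" should also say which names are accepted (`GMT`, `Etc/GMT+2`, ...), since these are just more entries under `/usr/share/zoneinfo/`.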

Examples should go at the bottom of the manpage

ashley-cui

comment created time in 3 days

pull request comment containers/libpod

In rootless + cgroupsv1, resource limits are an error

@goochjj This seems to work on my Debian Testing cgroupsv1 machine, but I'd appreciate it if you verify as well.

mheon

comment created time in 3 days

push event mheon/libpod

Matthew Heon

commit sha 5a7b910f93f2712618807c9eaf97392dcaa07592

In rootless + cgroupsv1, resource limits are an error

However, in some cases (unset limits), we can completely remove the limit and avoid errors. This works around a bug where the Podman frontend is setting a Pids limit of 0 on some rootless systems.

For now, this is only implemented for the PID limit. It can easily be extended to other resource limits, but it is a fair bit of code to do so, so I leave that exercise to someone else.

Fixes #6834

Signed-off-by: Matthew Heon <matthew.heon@pm.me>


push time in 3 days

issue comment containers/libpod

podman run failure on cgroupsv1 rootless related to --pids-limit

https://github.com/containers/libpod/pull/6837 should fix it.

goochjj

comment created time in 3 days

PR opened containers/libpod

In rootless + cgroupsv1, resource limits are an error

However, in some cases (unset limits), we can completely remove the limit and avoid errors. This works around a bug where the Podman frontend is setting a Pids limit of 0 on some rootless systems.

For now, this is only implemented for the PID limit. It can easily be extended to other resource limits, but it is a fair bit of code to do so, so I leave that exercise to someone else.

Fixes #6834

+21 -30

0 comment

2 changed files

pr created time in 3 days
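The two pieces of this thread, the `PidsLimit()` drop-through quoted earlier on the page (rootless + cgroupfs skips the cgroups v2 check and returns the host default) and this PR's rule that an unset limit on rootless cgroups v1 should be omitted rather than written as 0, side by side as an added example. It is not the project's code: `Env` replaces the real `unshare.IsRootless`, `cgroupv2.Enabled` and `sysinfo.GetDefaultPidsLimit` calls with plain fields so the decision can be exercised without a container host, and `effectivePidsLimit`, `canSetLimits` and `ErrLimitsUnsupported` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// Env is the host state the decision depends on, as plain fields so the
// logic is testable. The real code reads these via unshare.IsRootless,
// cgroupv2.Enabled and sysinfo.GetDefaultPidsLimit.
type Env struct {
	Rootless      bool
	CgroupV2      bool
	CgroupManager string // "systemd" or "cgroupfs"
	CgroupsMode   string // container cgroup mode; "disabled" means no cgroup at all
	SysDefault    int64  // sysinfo default (2048 on a typical host)
	ConfDefault   int64  // containers.conf pids_limit
}

// ErrLimitsUnsupported is returned when the user asked for a limit that the
// runtime cannot apply in this environment. (Hypothetical name.)
var ErrLimitsUnsupported = errors.New("resource limits are not supported rootless on cgroups v1")

// defaultPidsLimitBuggy reproduces the drop-through quoted on the page:
// rootless + cgroupfs never reaches the cgroups v2 test and returns the
// system default, which the OCI runtime then rejects on cgroups v1.
func defaultPidsLimitBuggy(e Env) int64 {
	if e.Rootless {
		if e.CgroupManager == "systemd" {
			if e.CgroupV2 {
				return e.ConfDefault
			}
			return 0
		}
	}
	return e.SysDefault
}

// canSetLimits says whether a pids limit may be set at all: never with
// cgroups disabled, never rootless on cgroups v1 regardless of manager.
func canSetLimits(e Env) bool {
	if e.CgroupsMode == "disabled" {
		return false
	}
	if e.Rootless && !e.CgroupV2 {
		return false
	}
	return true
}

// effectivePidsLimit decides what goes into the OCI spec. userSet is nil
// when --pids-limit was not given. set=false means the field must be left
// out of the spec entirely, not written as 0: an empty limits block is
// still a limits block to the runtime.
func effectivePidsLimit(e Env, userSet *int64) (limit int64, set bool, err error) {
	if userSet != nil {
		if !canSetLimits(e) {
			return 0, false, ErrLimitsUnsupported // explicit request: fail loudly
		}
		return *userSet, true, nil
	}
	if !canSetLimits(e) {
		return 0, false, nil // unset + unsupported: silently omit
	}
	if e.Rootless {
		return e.ConfDefault, true, nil // rootless on cgroups v2
	}
	return e.SysDefault, true, nil // root keeps the host default
}

func main() {
	envs := map[string]Env{
		"root":        {SysDefault: 2048, ConfDefault: 1024},
		"rootless v1": {Rootless: true, CgroupManager: "cgroupfs", SysDefault: 2048, ConfDefault: 1024},
		"rootless v2": {Rootless: true, CgroupV2: true, CgroupManager: "systemd", SysDefault: 2048, ConfDefault: 1024},
	}
	for name, e := range envs {
		limit, set, err := effectivePidsLimit(e, nil)
		fmt.Printf("%-12s buggy=%d fixed: limit=%d set=%v err=%v\n", name, defaultPidsLimitBuggy(e), limit, set, err)
	}
}
```

The distinction between "omit" and "zero" is the whole point: the rootless v1 failure on this page comes from a limits block being present at all, so the fixed path returns `set=false` and the caller leaves `Resources.Pids` nil, while root and rootless v2 keep their defaults exactly as before.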

create branch mheon/libpod

branch : drop_pids_cgroup

created branch time in 3 days

issue comment containers/libpod

podman run failure on cgroupsv1 rootless related to --pids-limit

@rhatdan It's set to 0, but having it set to anything is the problem. crun seems to discard any OCI spec that tries to set resource limits, even empty limits.

goochjj

comment created time in 3 days

issue comment containers/libpod

podman run failure on cgroupsv1 rootless related to --pids-limit

Alright, this one is honestly kind of bizarre. It worked fine when I built directly from master. In order to confirm code was running, I added a single logrus.Errorf() and now it started to reproduce.

goochjj

comment created time in 3 days

issue comment containers/libpod

podman run failure on cgroupsv1 rootless related to --pids-limit

I don't think so. I think this is specific to us trying to mimic the system PID limit.

goochjj

comment created time in 3 days

Pull request review comment containers/libpod

Add username to /etc/passwd inside of container if --userns keep-id

 type ContainerConfig struct { 	User string `json:"user,omitempty"` 	// Additional groups to add 	Groups []string `json:"groups,omitempty"`+	// AddCurrentUserPasswdEntry indicates that the current user passwd entry+	// should be added to the /etc/passwd within the container+	AddCurrentUserPasswdEntry bool

Can this have an omitempty so we minimize the amount of stuff saved to the DB?

rhatdan

comment created time in 3 days

pull request comment containers/libpod

WIP: Volume Plugins

NFS volumes are a separate issue and have been working for a while (Podman 1.7 or 1.8, I forget which)

mheon

comment created time in 3 days

pull request comment containers/podman.io

Add a blog on Podman v2.0's REST API and version compat

It doesn't look like the fancy markdown footnote syntax is working, regrettably. Might have to restructure this a bit.

mheon

comment created time in 3 days

PR opened containers/podman.io

Add a blog on Podman v2.0's REST API and version compat

New blog on Podman's REST API and Docker compatibility

+17 -0

0 comment

1 changed file

pr created time in 3 days

create branch mheon/podman.io

branch : httpd_blog

created branch time in 3 days

issue comment containers/libpod

podman run failure on cgroupsv1 rootless related to --pids-limit

I'll take a look after lunch, see if I can't chase this down.

goochjj

comment created time in 3 days

pull request comment containers/libpod

Bump github.com/containers/common from 0.14.3 to 0.15.1

I presume we don't want this in 2.0.x so we don't diverge from buildah & others?

Regardless /lgtm

dependabot-preview[bot]

comment created time in 3 days

issue comment containers/libpod

pursuing conventional systemd+podman interaction

This is definitely a bug. Is this 2.0? pkg/spec is deprecated, we've moved to pkg/specgen/generate - so the offending code likely lives there.

storrgie

comment created time in 3 days

pull request comment containers/libpod

Bump k8s.io/api from 0.18.4 to 0.18.5

Well, too much to hope it would be that smart, I guess

dependabot-preview[bot]

comment created time in 3 days

pull request comment containers/libpod

Bump k8s.io/api from 0.18.4 to 0.18.5

Let's see if this works... @dependabot rebase

dependabot-preview[bot]

comment created time in 3 days

issue comment containers/libpod

pursuing conventional systemd+podman interaction

I believe that's a requirement forced on us by cgroups v1 not being safe for rootless use, unless I'm greatly misunderstanding?

storrgie

comment created time in 3 days

pull request comment containers/libpod

Don't disable selinux labels if user specifies a security opt

LGTM

rhatdan

comment created time in 3 days

PR closed containers/libpod

Do not disable labelling on pid=host if overridden (approved)

If the user manually provides SELinux security opts, prefer those to unconditionally disabling when --pid=host and --ipc=host are passed.

+24 -24

2 comments

1 changed file

mheon

pr closed time in 3 days

pull request comment containers/libpod

Do not disable labelling on pid=host if overridden

Closing in favor of #6832

mheon

comment created time in 3 days

PR opened containers/libpod

Do not disable labelling on pid=host if overridden

If the user manually provides SELinux security opts, prefer those to unconditionally disabling when --pid=host and --ipc=host are passed.

+24 -24

0 comment

1 changed file

pr created time in 3 days

create branch mheon/libpod

branch : 16_selinux_pidhost

created branch time in 3 days

pull request comment containers/libpod

APIv2: Add docker compatible volume endpoints

LGTM - a lot of TODOs, but we can sort them out in the future. Nice work!

@baude @rhatdan @vrothberg PTAL

maybe-sybr

comment created time in 4 days

PR closed containers/libpod

Fix event cleanup when client closes connection (approved)

Supersedes #6680

+109 -77

4 comments

11 changed files

mheon

pr closed time in 4 days

pull request comment containers/libpod

Fix event cleanup when client closes connection

@edsantiago No need, I don't think I'm brave enough to try and salvage this. I'll go with a different approach.

mheon

comment created time in 4 days

pull request comment containers/libpod

Fix event cleanup when client closes connection

@edsantiago Any chance you remember if these are the same errors #6680 saw?

mheon

comment created time in 4 days

push event mheon/libpod

Matthew Heon

commit sha 9eb5ebb46d64d893e3f26f3cb06442915d98a358

Small readme change to kick CI

Signed-off-by: Matthew Heon <mheon@redhat.com>

push time in 4 days

Pull request review comment containers/libpod

Add username to /etc/passwd inside of container if --userns keep-id

 func WithPIDNSFrom(nsCtr *Container) CtrCreateOption { 	} } +// WithUserNSKeepID indicates that container should add user entry to passwd+// file, since the UID will be mapped into the container, via user namespace+func WithUserNSKeepId() CtrCreateOption {
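Review bot: the doc comment names `WithUserNSKeepID` but the function is declared as `WithUserNSKeepId`; Go lint convention expects the comment to begin with the exact exported identifier, so one of the two needs to change (a rename to something descriptive, as requested in the comment that follows, would also resolve this). The comment also trails off ("via user namespace") without saying which entry is written; state that it is the invoking user's passwd entry, matching the PR title.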

Can we rename this? Maybe "WithAddCurrentUserToPasswd" or something more clear about what it does?

rhatdan

comment created time in 4 days

Pull request review comment containers/libpod

Add username to /etc/passwd inside of container if --userns keep-id

 type ContainerConfig struct { 	// NetNsCtr conflicts with the CreateNetNS bool 	// These containers are considered dependencies of the given container 	// They must be started before the given container is started-	IPCNsCtr    string `json:"ipcNsCtr,omitempty"`-	MountNsCtr  string `json:"mountNsCtr,omitempty"`-	NetNsCtr    string `json:"netNsCtr,omitempty"`-	PIDNsCtr    string `json:"pidNsCtr,omitempty"`-	UserNsCtr   string `json:"userNsCtr,omitempty"`-	UTSNsCtr    string `json:"utsNsCtr,omitempty"`-	CgroupNsCtr string `json:"cgroupNsCtr,omitempty"`+	IPCNsCtr     string `json:"ipcNsCtr,omitempty"`+	MountNsCtr   string `json:"mountNsCtr,omitempty"`+	NetNsCtr     string `json:"netNsCtr,omitempty"`+	PIDNsCtr     string `json:"pidNsCtr,omitempty"`+	UserNsCtr    string `json:"userNsCtr,omitempty"`+	UserNsKeepId bool
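Review bot: `UserNsKeepId bool` is placed inside the group whose comment reads "These containers are considered dependencies of the given container / They must be started before the given container is started", which does not describe a boolean flag, and unlike every sibling field it carries no `json:"...,omitempty"` tag, so it would be persisted under its Go name rather than the lowerCamel convention used by the rest of the struct. Move it out of the namespace-container block with a tag such as `json:"userNsKeepId,omitempty"` and a comment explaining what it controls; also, the visible hunk removes `UTSNsCtr` and `CgroupNsCtr` without re-adding them in the shown context, so confirm they survive the realignment.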

This should be elsewhere, have a JSON tag, and a comment describing what it does

rhatdan

comment created time in 4 days

PR opened containers/libpod

Fix event cleanup when client closes connection

Supersedes #6680

+108 -76

0 comment

10 changed files

pr created time in 4 days

create branch mheon/libpod

branch : revised_6664

created branch time in 4 days

push event containers/libpod

Daniel J Walsh

commit sha c734a6c44e1624dab786c85026bcd8a13e7f2b01

Disable SELinux labeling if privileged and user does not specify labels

The previous patch mistakenly turned on SELinux even when --privileged. This patch will disable SELinux if the user specified --privileged and did not specify any SELinux options.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Matthew Heon

commit sha 2ff8dc2fdcb714009f1563fe057919a187bde4c5

Merge pull request #6827 from rhatdan/v1.6.4

Disable SELinux labeling if privileged and user does not specify labels

push time in 4 days

PR merged containers/libpod

Disable SELinux labeling if privileged and user does not specify labels (approved)

The previous patch mistakenly turned on SELinux even when --privileged.

This patch will disable SELinux if the user specified --privileged and did not specify any SELinux options.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

+4 -6

5 comments

1 changed file

rhatdan

pr closed time in 4 days

pull request comment containers/libpod

Disable SELinux labeling if privileged and user does not specify labels

Force-merging since CI is down

rhatdan

comment created time in 4 days

issue comment containers/libpod

pursuing conventional systemd+podman interaction

The pids-limit is probably Podman automatically trying to set the maximum available for that rlimit - we should code that to only happen if cgroups are present.

storrgie

comment created time in 4 days

Pull request review comment containers/common

Add env to [engines] for engine to use

 type EngineConfig struct { 	// memory. 	EnablePortReservation bool `toml:"enable_port_reservation,omitempty"` +	// Environment variables to be used when running the container engine. For example "http_proxy=internal.proxy.company.com"
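Review bot: the example value in the new comment, `http_proxy=internal.proxy.company.com`, is not the form proxy-aware clients expect; `http_proxy` conventionally holds a URL with scheme and port (for example `http://proxy.example.com:3128`, a placeholder), so a reader copying the example gets a setting that will not work. The visible hunk also adds only the comment line; the field declaration and its `toml:"..."` key are not in the shown context, so the key name and type should be confirmed in the rest of the diff and ideally mentioned in the comment.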

Yeah, that would be good!

QiWang19

comment created time in 4 days

pull request comment containers/libpod

container: move volume chown after spec generation

It's a bind mount of a Libpod-managed named volume. That's honestly bizarre, and not a good idea.

Also, there's no --user directive, so I question whether this patch would help - it looks like mysql is started as root, then drops caps and becomes an unprivileged user.

giuseppe

comment created time in 4 days
