2018-01-18 16:37:41 +00:00
package libpod
import (
2018-05-31 18:47:17 +00:00
"bytes"
2018-04-18 20:48:35 +00:00
"context"
2018-01-18 16:37:41 +00:00
"fmt"
"io"
2018-01-19 14:51:59 +00:00
"io/ioutil"
2018-01-18 16:37:41 +00:00
"os"
"path/filepath"
2018-10-09 11:54:37 +00:00
"strconv"
2018-01-19 14:51:59 +00:00
"strings"
2018-10-19 20:02:14 +00:00
"time"
2018-01-18 16:37:41 +00:00
2019-06-24 20:48:34 +00:00
"github.com/containers/libpod/libpod/define"
2019-02-28 20:15:56 +00:00
"github.com/containers/libpod/libpod/events"
2018-10-19 20:02:14 +00:00
"github.com/containers/libpod/pkg/ctime"
2018-08-16 10:41:15 +00:00
"github.com/containers/libpod/pkg/hooks"
"github.com/containers/libpod/pkg/hooks/exec"
"github.com/containers/libpod/pkg/rootless"
2018-01-18 16:37:41 +00:00
"github.com/containers/storage"
"github.com/containers/storage/pkg/archive"
2018-08-10 18:46:59 +00:00
"github.com/containers/storage/pkg/mount"
2018-01-18 16:37:41 +00:00
spec "github.com/opencontainers/runtime-spec/specs-go"
2019-02-06 19:17:25 +00:00
"github.com/opencontainers/runtime-tools/generate"
2018-01-18 16:37:41 +00:00
"github.com/opencontainers/selinux/go-selinux/label"
2019-06-24 20:48:34 +00:00
"github.com/opentracing/opentracing-go"
2018-01-18 16:37:41 +00:00
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
2018-01-18 16:46:10 +00:00
const (
// name of the directory holding the artifacts
2019-07-01 17:55:03 +00:00
artifactsDir = "artifacts"
execDirPermission = 0755
2018-01-18 16:46:10 +00:00
)
2018-01-18 16:37:41 +00:00
// rootFsSize gets the size of the container's root filesystem
// A container FS is split into two parts. The first is the top layer, a
// mutable layer, and the rest is the RootFS: the set of immutable layers
// that make up the image on which the container is based.
func ( c * Container ) rootFsSize ( ) ( int64 , error ) {
2018-04-26 15:21:48 +00:00
if c . config . Rootfs != "" {
return 0 , nil
}
2019-03-19 09:38:56 +00:00
if c . runtime . store == nil {
return 0 , nil
}
2018-04-26 15:21:48 +00:00
2018-01-18 16:37:41 +00:00
container , err := c . runtime . store . Container ( c . ID ( ) )
if err != nil {
return 0 , err
}
// Ignore the size of the top layer. The top layer is a mutable RW layer
// and is not considered a part of the rootfs
rwLayer , err := c . runtime . store . Layer ( container . LayerID )
if err != nil {
return 0 , err
}
layer , err := c . runtime . store . Layer ( rwLayer . Parent )
if err != nil {
return 0 , err
}
size := int64 ( 0 )
for layer . Parent != "" {
layerSize , err := c . runtime . store . DiffSize ( layer . Parent , layer . ID )
if err != nil {
return size , errors . Wrapf ( err , "getting diffsize of layer %q and its parent %q" , layer . ID , layer . Parent )
}
size += layerSize
layer , err = c . runtime . store . Layer ( layer . Parent )
if err != nil {
return 0 , err
}
}
// Get the size of the last layer. Has to be outside of the loop
2018-05-25 00:50:37 +00:00
// because the parent of the last layer is "", and lstore.Get("")
2018-01-18 16:37:41 +00:00
// will return an error.
layerSize , err := c . runtime . store . DiffSize ( layer . Parent , layer . ID )
return size + layerSize , err
}
// rwSize Gets the size of the mutable top layer of the container.
func ( c * Container ) rwSize ( ) ( int64 , error ) {
2018-04-26 15:21:48 +00:00
if c . config . Rootfs != "" {
var size int64
err := filepath . Walk ( c . config . Rootfs , func ( path string , info os . FileInfo , err error ) error {
if err != nil {
return err
}
size += info . Size ( )
return nil
} )
return size , err
}
2018-01-18 16:37:41 +00:00
container , err := c . runtime . store . Container ( c . ID ( ) )
if err != nil {
return 0 , err
}
// Get the size of the top layer by calculating the size of the diff
// between the layer and its parent. The top layer of a container is
// the only RW layer, all others are immutable
layer , err := c . runtime . store . Layer ( container . LayerID )
if err != nil {
return 0 , err
}
return c . runtime . store . DiffSize ( layer . Parent , layer . ID )
}
2018-05-16 17:38:17 +00:00
// bundlePath returns the path to the container's root filesystem - where the OCI spec will be
2018-01-18 16:37:41 +00:00
// placed, amongst other things
func ( c * Container ) bundlePath ( ) string {
return c . config . StaticDir
}
2018-05-16 17:38:17 +00:00
// ControlSocketPath returns the path to the containers control socket for things like tty
// resizing
func ( c * Container ) ControlSocketPath ( ) string {
return filepath . Join ( c . bundlePath ( ) , "ctl" )
}
2018-09-18 09:56:19 +00:00
// CheckpointPath returns the path to the directory containing the checkpoint
func ( c * Container ) CheckpointPath ( ) string {
return filepath . Join ( c . bundlePath ( ) , "checkpoint" )
}
2018-05-16 17:38:17 +00:00
// AttachSocketPath retrieves the path of the container's attach socket
func ( c * Container ) AttachSocketPath ( ) string {
2019-06-19 21:08:43 +00:00
return filepath . Join ( c . ociRuntime . socketsDir , c . ID ( ) , "attach" )
2018-01-18 16:37:41 +00:00
}
2019-07-01 17:55:03 +00:00
// exitFilePath gets the path to the container's exit file
func ( c * Container ) exitFilePath ( ) string {
return filepath . Join ( c . ociRuntime . exitsDir , c . ID ( ) )
}
// create a bundle path and associated files for an exec session
func ( c * Container ) createExecBundle ( sessionID string ) ( err error ) {
bundlePath := c . execBundlePath ( sessionID )
if createErr := os . MkdirAll ( bundlePath , execDirPermission ) ; createErr != nil {
return createErr
}
defer func ( ) {
if err != nil {
if err2 := os . RemoveAll ( bundlePath ) ; err != nil {
logrus . Warnf ( "error removing exec bundle after creation caused another error: %v" , err2 )
}
}
} ( )
if err2 := os . MkdirAll ( c . execExitFileDir ( sessionID ) , execDirPermission ) ; err2 != nil {
// The directory is allowed to exist
if ! os . IsExist ( err2 ) {
err = errors . Wrapf ( err2 , "error creating OCI runtime exit file path %s" , c . execExitFileDir ( sessionID ) )
}
}
return
}
// cleanup an exec session after its done
func ( c * Container ) cleanupExecBundle ( sessionID string ) error {
return os . RemoveAll ( c . execBundlePath ( sessionID ) )
}
// the path to a containers exec session bundle
func ( c * Container ) execBundlePath ( sessionID string ) string {
return filepath . Join ( c . bundlePath ( ) , sessionID )
}
2018-02-27 18:51:43 +00:00
// Get PID file path for a container's exec session
func ( c * Container ) execPidPath ( sessionID string ) string {
2019-07-01 17:55:03 +00:00
return filepath . Join ( c . execBundlePath ( sessionID ) , "exec_pid" )
2018-02-27 18:51:43 +00:00
}
2019-07-01 17:55:03 +00:00
// the log path for an exec session
func ( c * Container ) execLogPath ( sessionID string ) string {
return filepath . Join ( c . execBundlePath ( sessionID ) , "exec_log" )
}
// the socket conmon creates for an exec session
func ( c * Container ) execAttachSocketPath ( sessionID string ) string {
return filepath . Join ( c . ociRuntime . socketsDir , sessionID , "attach" )
}
// execExitFileDir gets the path to the container's exit file
func ( c * Container ) execExitFileDir ( sessionID string ) string {
return filepath . Join ( c . execBundlePath ( sessionID ) , "exit" )
}
// execOCILog returns the file path for the exec sessions oci log
func ( c * Container ) execOCILog ( sessionID string ) string {
if ! c . ociRuntime . supportsJSON {
return ""
}
return filepath . Join ( c . execBundlePath ( sessionID ) , "oci-log" )
}
// readExecExitCode reads the exit file for an exec session and returns
// the exit code
func ( c * Container ) readExecExitCode ( sessionID string ) ( int , error ) {
exitFile := filepath . Join ( c . execExitFileDir ( sessionID ) , c . ID ( ) )
chWait := make ( chan error )
defer close ( chWait )
_ , err := WaitForFile ( exitFile , chWait , time . Second * 5 )
if err != nil {
return - 1 , err
}
ec , err := ioutil . ReadFile ( exitFile )
if err != nil {
return - 1 , err
}
ecInt , err := strconv . Atoi ( string ( ec ) )
if err != nil {
return - 1 , err
}
return ecInt , nil
2018-10-19 20:02:14 +00:00
}
// Wait for the container's exit file to appear.
// When it does, update our state based on it.
func ( c * Container ) waitForExitFileAndSync ( ) error {
exitFile := c . exitFilePath ( )
2019-05-21 08:01:29 +00:00
chWait := make ( chan error )
defer close ( chWait )
_ , err := WaitForFile ( exitFile , chWait , time . Second * 5 )
2018-10-19 20:02:14 +00:00
if err != nil {
// Exit file did not appear
// Reset our state
c . state . ExitCode = - 1
c . state . FinishedTime = time . Now ( )
2019-06-25 13:40:19 +00:00
c . state . State = define . ContainerStateStopped
2018-10-19 20:02:14 +00:00
if err2 := c . save ( ) ; err2 != nil {
logrus . Errorf ( "Error saving container %s state: %v" , c . ID ( ) , err2 )
}
return err
}
2019-06-19 21:08:43 +00:00
if err := c . ociRuntime . updateContainerStatus ( c , false ) ; err != nil {
2018-10-19 20:02:14 +00:00
return err
}
return c . save ( )
}
// Handle the container exit file.
// The exit file is used to supply container exit time and exit code.
// This assumes the exit file already exists.
func ( c * Container ) handleExitFile ( exitFile string , fi os . FileInfo ) error {
c . state . FinishedTime = ctime . Created ( fi )
statusCodeStr , err := ioutil . ReadFile ( exitFile )
if err != nil {
return errors . Wrapf ( err , "failed to read exit file for container %s" , c . ID ( ) )
}
statusCode , err := strconv . Atoi ( string ( statusCodeStr ) )
if err != nil {
2018-10-29 17:20:26 +00:00
return errors . Wrapf ( err , "error converting exit status code (%q) for container %s to int" ,
c . ID ( ) , statusCodeStr )
2018-10-19 20:02:14 +00:00
}
c . state . ExitCode = int32 ( statusCode )
oomFilePath := filepath . Join ( c . bundlePath ( ) , "oom" )
if _ , err = os . Stat ( oomFilePath ) ; err == nil {
c . state . OOMKilled = true
}
c . state . Exited = true
2019-03-12 20:12:09 +00:00
// Write an event for the container's death
c . newContainerExitedEvent ( c . state . ExitCode )
2018-10-19 20:02:14 +00:00
return nil
}
2019-04-01 19:22:32 +00:00
// Handle container restart policy.
// This is called when a container has exited, and was not explicitly stopped by
// an API call to stop the container or pod it is in.
2019-05-03 14:35:48 +00:00
func ( c * Container ) handleRestartPolicy ( ctx context . Context ) ( restarted bool , err error ) {
// If we did not get a restart policy match, exit immediately.
// Do the same if we're not a policy that restarts.
if ! c . state . RestartPolicyMatch ||
c . config . RestartPolicy == RestartPolicyNo ||
c . config . RestartPolicy == RestartPolicyNone {
return false , nil
}
// If we're RestartPolicyOnFailure, we need to check retries and exit
// code.
if c . config . RestartPolicy == RestartPolicyOnFailure {
if c . state . ExitCode == 0 {
return false , nil
}
// If we don't have a max retries set, continue
if c . config . RestartRetries > 0 {
if c . state . RestartCount < c . config . RestartRetries {
logrus . Debugf ( "Container %s restart policy trigger: on retry %d (of %d)" ,
c . ID ( ) , c . state . RestartCount , c . config . RestartRetries )
} else {
2019-05-03 15:42:34 +00:00
logrus . Debugf ( "Container %s restart policy trigger: retries exhausted" , c . ID ( ) )
2019-05-03 14:35:48 +00:00
return false , nil
}
}
}
2019-04-01 19:22:32 +00:00
logrus . Debugf ( "Restarting container %s due to restart policy %s" , c . ID ( ) , c . config . RestartPolicy )
// Need to check if dependencies are alive.
if err = c . checkDependenciesAndHandleError ( ctx ) ; err != nil {
2019-05-03 14:35:48 +00:00
return false , err
2019-04-01 19:22:32 +00:00
}
2019-04-03 14:24:35 +00:00
// Is the container running again?
// If so, we don't have to do anything
2019-06-25 13:40:19 +00:00
if c . state . State == define . ContainerStateRunning || c . state . State == define . ContainerStatePaused {
2019-05-03 14:35:48 +00:00
return false , nil
2019-06-25 13:40:19 +00:00
} else if c . state . State == define . ContainerStateUnknown {
2019-06-24 20:48:34 +00:00
return false , errors . Wrapf ( define . ErrInternal , "invalid container state encountered in restart attempt!" )
2019-04-03 14:24:35 +00:00
}
2019-04-03 18:17:02 +00:00
c . newContainerEvent ( events . Restart )
2019-04-01 23:20:03 +00:00
// Increment restart count
c . state . RestartCount = c . state . RestartCount + 1
logrus . Debugf ( "Container %s now on retry %d" , c . ID ( ) , c . state . RestartCount )
if err := c . save ( ) ; err != nil {
2019-05-03 14:35:48 +00:00
return false , err
2019-04-01 23:20:03 +00:00
}
2019-04-01 19:22:32 +00:00
defer func ( ) {
if err != nil {
if err2 := c . cleanup ( ctx ) ; err2 != nil {
logrus . Errorf ( "error cleaning up container %s: %v" , c . ID ( ) , err2 )
}
}
} ( )
if err := c . prepare ( ) ; err != nil {
2019-05-03 14:35:48 +00:00
return false , err
2019-04-01 19:22:32 +00:00
}
2019-06-25 13:40:19 +00:00
if c . state . State == define . ContainerStateStopped {
2019-04-01 19:22:32 +00:00
// Reinitialize the container if we need to
2019-04-01 23:20:03 +00:00
if err := c . reinit ( ctx , true ) ; err != nil {
2019-05-03 14:35:48 +00:00
return false , err
2019-04-01 19:22:32 +00:00
}
2019-06-25 13:40:19 +00:00
} else if c . state . State == define . ContainerStateConfigured ||
c . state . State == define . ContainerStateExited {
2019-04-01 19:22:32 +00:00
// Initialize the container
2019-04-01 23:20:03 +00:00
if err := c . init ( ctx , true ) ; err != nil {
2019-05-03 14:35:48 +00:00
return false , err
2019-04-01 19:22:32 +00:00
}
}
2019-05-03 14:35:48 +00:00
if err := c . start ( ) ; err != nil {
return false , err
}
return true , nil
2019-04-01 19:22:32 +00:00
}
2018-02-28 14:29:46 +00:00
// Sync this container with on-disk state and runtime status
2018-01-18 16:37:41 +00:00
// Should only be called with container lock held
// This function should suffice to ensure a container's state is accurate and
// it is valid for use.
func ( c * Container ) syncContainer ( ) error {
if err := c . runtime . state . UpdateContainer ( c ) ; err != nil {
return err
}
2018-02-28 14:29:46 +00:00
// If runtime knows about the container, update its status in runtime
2018-01-18 16:37:41 +00:00
// And then save back to disk
2019-06-25 13:40:19 +00:00
if ( c . state . State != define . ContainerStateUnknown ) &&
( c . state . State != define . ContainerStateConfigured ) &&
( c . state . State != define . ContainerStateExited ) {
2018-01-18 16:37:41 +00:00
oldState := c . state . State
// TODO: optionally replace this with a stat for the exit file
2019-06-19 21:08:43 +00:00
if err := c . ociRuntime . updateContainerStatus ( c , false ) ; err != nil {
2018-01-18 16:37:41 +00:00
return err
}
// Only save back to DB if state changed
if c . state . State != oldState {
2019-04-01 19:22:32 +00:00
// Check for a restart policy match
2019-04-01 23:45:23 +00:00
if c . config . RestartPolicy != RestartPolicyNone && c . config . RestartPolicy != RestartPolicyNo &&
2019-06-25 13:40:19 +00:00
( oldState == define . ContainerStateRunning || oldState == define . ContainerStatePaused ) &&
( c . state . State == define . ContainerStateStopped || c . state . State == define . ContainerStateExited ) &&
2019-04-01 19:22:32 +00:00
! c . state . StoppedByUser {
c . state . RestartPolicyMatch = true
}
2018-01-18 16:37:41 +00:00
if err := c . save ( ) ; err != nil {
return err
}
}
}
if ! c . valid {
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrCtrRemoved , "container %s is not valid" , c . ID ( ) )
2018-01-18 16:37:41 +00:00
}
return nil
}
// Create container root filesystem for use
2018-04-18 20:48:35 +00:00
func ( c * Container ) setupStorage ( ctx context . Context ) error {
2018-10-16 20:30:53 +00:00
span , _ := opentracing . StartSpanFromContext ( ctx , "setupStorage" )
span . SetTag ( "type" , "container" )
defer span . Finish ( )
2018-01-18 16:37:41 +00:00
if ! c . valid {
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrCtrRemoved , "container %s is not valid" , c . ID ( ) )
2018-01-18 16:37:41 +00:00
}
2019-06-25 13:40:19 +00:00
if c . state . State != define . ContainerStateConfigured {
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrCtrStateInvalid , "container %s must be in Configured state to have storage set up" , c . ID ( ) )
2018-01-18 16:37:41 +00:00
}
// Need both an image ID and image name, plus a bool telling us whether to use the image configuration
2018-04-26 15:21:48 +00:00
if c . config . Rootfs == "" && ( c . config . RootfsImageID == "" || c . config . RootfsImageName == "" ) {
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrInvalidArg , "must provide image ID and image name to use an image" )
2018-01-18 16:37:41 +00:00
}
2018-10-18 19:50:11 +00:00
options := storage . ContainerOptions {
IDMappingOptions : storage . IDMappingOptions {
HostUIDMapping : true ,
HostGIDMapping : true ,
} ,
LabelOpts : c . config . LabelOpts ,
}
2019-06-25 12:36:05 +00:00
if c . restoreFromCheckpoint {
// If restoring from a checkpoint, the root file-system
// needs to be mounted with the same SELinux labels as
// it was mounted previously.
if options . Flags == nil {
options . Flags = make ( map [ string ] interface { } )
}
options . Flags [ "ProcessLabel" ] = c . config . ProcessLabel
options . Flags [ "MountLabel" ] = c . config . MountLabel
}
2018-11-16 11:51:26 +00:00
if c . config . Privileged {
privOpt := func ( opt string ) bool {
for _ , privopt := range [ ] string { "nodev" , "nosuid" , "noexec" } {
if opt == privopt {
return true
}
}
return false
}
2019-05-31 02:01:25 +00:00
defOptions , err := storage . GetMountOptions ( c . runtime . store . GraphDriverName ( ) , c . runtime . store . GraphOptions ( ) )
2018-11-16 11:51:26 +00:00
if err != nil {
return errors . Wrapf ( err , "error getting default mount options" )
}
var newOptions [ ] string
for _ , opt := range defOptions {
if ! privOpt ( opt ) {
newOptions = append ( newOptions , opt )
}
}
options . MountOpts = newOptions
}
2018-06-03 19:08:07 +00:00
2018-10-18 19:50:11 +00:00
if c . config . Rootfs == "" {
options . IDMappingOptions = c . config . IDMappings
2018-06-03 19:08:07 +00:00
}
2018-10-18 19:50:11 +00:00
containerInfo , err := c . runtime . storageService . CreateContainerStorage ( ctx , c . runtime . imageContext , c . config . RootfsImageName , c . config . RootfsImageID , c . config . Name , c . config . ID , options )
2018-01-18 16:37:41 +00:00
if err != nil {
return errors . Wrapf ( err , "error creating container storage" )
}
2019-05-01 16:49:04 +00:00
if len ( c . config . IDMappings . UIDMap ) != 0 || len ( c . config . IDMappings . GIDMap ) != 0 {
2019-03-21 11:18:42 +00:00
if err := os . Chown ( containerInfo . RunDir , c . RootUID ( ) , c . RootGID ( ) ) ; err != nil {
2018-04-24 14:41:42 +00:00
return err
}
2019-03-21 11:18:42 +00:00
if err := os . Chown ( containerInfo . Dir , c . RootUID ( ) , c . RootGID ( ) ) ; err != nil {
return err
2018-04-24 14:41:42 +00:00
}
}
2018-10-18 19:50:11 +00:00
c . config . ProcessLabel = containerInfo . ProcessLabel
c . config . MountLabel = containerInfo . MountLabel
2018-01-18 16:37:41 +00:00
c . config . StaticDir = containerInfo . Dir
c . state . RunDir = containerInfo . RunDir
2018-05-01 16:08:52 +00:00
// Set the default Entrypoint and Command
2019-03-14 20:10:25 +00:00
if containerInfo . Config != nil {
if c . config . Entrypoint == nil {
c . config . Entrypoint = containerInfo . Config . Config . Entrypoint
}
if c . config . Command == nil {
c . config . Command = containerInfo . Config . Config . Cmd
}
2018-05-23 15:33:22 +00:00
}
2018-05-01 16:08:52 +00:00
2018-01-18 16:37:41 +00:00
artifacts := filepath . Join ( c . config . StaticDir , artifactsDir )
if err := os . MkdirAll ( artifacts , 0755 ) ; err != nil {
return errors . Wrapf ( err , "error creating artifacts directory %q" , artifacts )
}
return nil
}
// Tear down a container's storage prior to removal
func ( c * Container ) teardownStorage ( ) error {
2019-06-25 13:40:19 +00:00
if c . state . State == define . ContainerStateRunning || c . state . State == define . ContainerStatePaused {
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrCtrStateInvalid , "cannot remove storage for container %s as it is running or paused" , c . ID ( ) )
2018-01-18 16:37:41 +00:00
}
artifacts := filepath . Join ( c . config . StaticDir , artifactsDir )
if err := os . RemoveAll ( artifacts ) ; err != nil {
2019-04-11 13:51:26 +00:00
return errors . Wrapf ( err , "error removing container %s artifacts %q" , c . ID ( ) , artifacts )
2018-01-18 16:37:41 +00:00
}
if err := c . cleanupStorage ( ) ; err != nil {
return errors . Wrapf ( err , "failed to cleanup container %s storage" , c . ID ( ) )
}
if err := c . runtime . storageService . DeleteContainer ( c . ID ( ) ) ; err != nil {
2018-04-01 01:27:28 +00:00
// If the container has already been removed, warn but do not
// error - we wanted it gone, it is already gone.
// Potentially another tool using containers/storage already
// removed it?
2018-05-14 14:17:24 +00:00
if err == storage . ErrNotAContainer || err == storage . ErrContainerUnknown {
2018-04-02 13:10:52 +00:00
logrus . Warnf ( "Storage for container %s already removed" , c . ID ( ) )
2018-04-01 01:27:28 +00:00
return nil
}
2018-01-18 16:37:41 +00:00
return errors . Wrapf ( err , "error removing container %s root filesystem" , c . ID ( ) )
}
return nil
}
2018-06-21 13:45:03 +00:00
// Reset resets state fields to default values
// It is performed before a refresh and clears the state after a reboot
// It does not save the results - assumes the database will do that for us
2019-01-17 14:43:34 +00:00
func resetState ( state * ContainerState ) error {
2018-06-21 13:45:03 +00:00
state . PID = 0
2019-07-02 22:52:55 +00:00
state . ConmonPID = 0
2018-06-21 13:45:03 +00:00
state . Mountpoint = ""
state . Mounted = false
2019-06-25 13:40:19 +00:00
if state . State != define . ContainerStateExited {
state . State = define . ContainerStateConfigured
2019-02-05 20:37:56 +00:00
}
2018-06-21 13:45:03 +00:00
state . ExecSessions = make ( map [ string ] * ExecSession )
2018-07-12 14:51:31 +00:00
state . NetworkStatus = nil
2018-06-21 13:45:03 +00:00
state . BindMounts = make ( map [ string ] string )
2019-04-01 17:30:28 +00:00
state . StoppedByUser = false
2019-04-01 19:22:32 +00:00
state . RestartPolicyMatch = false
2019-04-01 23:20:03 +00:00
state . RestartCount = 0
2018-06-21 13:45:03 +00:00
return nil
}
2018-08-23 19:13:41 +00:00
// Refresh refreshes the container's state after a restart.
// Refresh cannot perform any operations that would lock another container.
// We cannot guarantee any other container has a valid lock at the time it is
// running.
2018-01-18 16:37:41 +00:00
func ( c * Container ) refresh ( ) error {
2018-07-31 13:26:06 +00:00
// Don't need a full sync, but we do need to update from the database to
// pick up potentially-missing container state
if err := c . runtime . state . UpdateContainer ( c ) ; err != nil {
return err
}
2018-01-18 16:37:41 +00:00
if ! c . valid {
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrCtrRemoved , "container %s is not valid - may have been removed" , c . ID ( ) )
2018-01-18 16:37:41 +00:00
}
// We need to get the container's temporary directory from c/storage
// It was lost in the reboot and must be recreated
dir , err := c . runtime . storageService . GetRunDir ( c . ID ( ) )
if err != nil {
return errors . Wrapf ( err , "error retrieving temporary directory for container %s" , c . ID ( ) )
}
2019-03-21 11:18:42 +00:00
c . state . RunDir = dir
2018-04-24 14:41:42 +00:00
if len ( c . config . IDMappings . UIDMap ) != 0 || len ( c . config . IDMappings . GIDMap ) != 0 {
info , err := os . Stat ( c . runtime . config . TmpDir )
if err != nil {
return errors . Wrapf ( err , "cannot stat `%s`" , c . runtime . config . TmpDir )
}
if err := os . Chmod ( c . runtime . config . TmpDir , info . Mode ( ) | 0111 ) ; err != nil {
return errors . Wrapf ( err , "cannot chmod `%s`" , c . runtime . config . TmpDir )
}
root := filepath . Join ( c . runtime . config . TmpDir , "containers-root" , c . ID ( ) )
if err := os . MkdirAll ( root , 0755 ) ; err != nil {
return errors . Wrapf ( err , "error creating userNS tmpdir for container %s" , c . ID ( ) )
}
if err := os . Chown ( root , c . RootUID ( ) , c . RootGID ( ) ) ; err != nil {
return err
}
}
2018-01-18 16:37:41 +00:00
2018-08-23 19:13:41 +00:00
// We need to pick up a new lock
2019-05-06 17:44:01 +00:00
lock , err := c . runtime . lockManager . AllocateAndRetrieveLock ( c . config . LockID )
2018-08-23 19:13:41 +00:00
if err != nil {
2019-06-21 20:00:39 +00:00
return errors . Wrapf ( err , "error acquiring lock %d for container %s" , c . config . LockID , c . ID ( ) )
2018-08-23 19:13:41 +00:00
}
c . lock = lock
2018-04-24 14:41:42 +00:00
if err := c . save ( ) ; err != nil {
2018-01-18 16:37:41 +00:00
return errors . Wrapf ( err , "error refreshing state for container %s" , c . ID ( ) )
}
2018-03-13 15:49:24 +00:00
// Remove ctl and attach files, which may persist across reboot
if err := c . removeConmonFiles ( ) ; err != nil {
return err
}
return nil
}
// Remove conmon attach socket and terminal resize FIFO
// This is necessary for restarting containers
func ( c * Container ) removeConmonFiles ( ) error {
// Files are allowed to not exist, so ignore ENOENT
attachFile := filepath . Join ( c . bundlePath ( ) , "attach" )
if err := os . Remove ( attachFile ) ; err != nil && ! os . IsNotExist ( err ) {
return errors . Wrapf ( err , "error removing container %s attach file" , c . ID ( ) )
}
ctlFile := filepath . Join ( c . bundlePath ( ) , "ctl" )
if err := os . Remove ( ctlFile ) ; err != nil && ! os . IsNotExist ( err ) {
return errors . Wrapf ( err , "error removing container %s ctl file" , c . ID ( ) )
}
oomFile := filepath . Join ( c . bundlePath ( ) , "oom" )
if err := os . Remove ( oomFile ) ; err != nil && ! os . IsNotExist ( err ) {
return errors . Wrapf ( err , "error removing container %s OOM file" , c . ID ( ) )
}
podman: fix memleak caused by renaming and not deleting
the exit file
If the container exit code needs to be retained, it cannot be retained
in tmpfs, because libpod runs in a memcg itself so it can't leave
traces with a daemon-less design.
This wasn't a memleak detectable by kmemleak for example. The kernel
never lost track of the memory and there was no erroneous refcounting
either. The reference count dependencies however are not easy to track
because when a refcount is increased, there's no way to tell who's
still holding the reference. In this case it was a single page of
tmpfs pagecache holding a refcount that kept pinned a whole hierarchy
of dying memcg, slab kmem, cgropups, unrechable kernfs nodes and the
respective dentries and inodes. Such a problem wouldn't happen if the
exit file was stored in a regular filesystem because the pagecache
could be reclaimed in such case under memory pressure. The tmpfs page
can be swapped out, but that's not enough to release the memcg with
CONFIG_MEMCG_SWAP_ENABLED=y.
No amount of more aggressive kernel slab shrinking could have solved
this. Not even assigning slab kmem of dying cgroups to alive cgroup
would fully solve this. The only way to free the memory of a dying
cgroup when a struct page still references it, would be to loop over
all "struct page" in the kernel to find which one is associated with
the dying cgroup which is a O(N) operation (where N is the number of
pages and can reach billions). Linking all the tmpfs pages to the
memcg would cost less during memcg offlining, but it would waste lots
of memory and CPU globally. So this can't be optimized in the kernel.
A cronjob running this command can act as workaround and will allow
all slab cache to be released, not just the single tmpfs pages.
rm -f /run/libpod/exits/*
This patch solved the memleak with a reproducer, booting with
cgroup.memory=nokmem and with selinux disabled. The reason memcg kmem
and selinux were disabled for testing of this fix, is because kmem
greatly decreases the kernel effectiveness in reusing partial slab
objects. cgroup.memory=nokmem is strongly recommended at least for
workstation usage. selinux needs to be further analyzed because it
causes further slab allocations.
The upstream podman commit used for testing is
1fe2965e4f672674f7b66648e9973a0ed5434bb4 (v1.4.4).
The upstream kernel commit used for testing is
f16fea666898dbdd7812ce94068c76da3e3fcf1e (v5.2-rc6).
Reported-by: Michele Baldessari <michele@redhat.com>
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
<Applied with small tweaks to comments>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-07-10 19:09:33 +00:00
// Remove the exit file so we don't leak memory in tmpfs
2019-06-19 21:08:43 +00:00
exitFile := filepath . Join ( c . ociRuntime . exitsDir , c . ID ( ) )
2019-02-12 17:57:11 +00:00
if _ , err := os . Stat ( exitFile ) ; err != nil {
if ! os . IsNotExist ( err ) {
return errors . Wrapf ( err , "error running stat on container %s exit file" , c . ID ( ) )
}
2019-07-03 20:37:17 +00:00
} else {
podman: fix memleak caused by renaming and not deleting
the exit file
If the container exit code needs to be retained, it cannot be retained
in tmpfs, because libpod runs in a memcg itself so it can't leave
traces with a daemon-less design.
This wasn't a memleak detectable by kmemleak for example. The kernel
never lost track of the memory and there was no erroneous refcounting
either. The reference count dependencies however are not easy to track
because when a refcount is increased, there's no way to tell who's
still holding the reference. In this case it was a single page of
tmpfs pagecache holding a refcount that kept pinned a whole hierarchy
of dying memcg, slab kmem, cgropups, unrechable kernfs nodes and the
respective dentries and inodes. Such a problem wouldn't happen if the
exit file was stored in a regular filesystem because the pagecache
could be reclaimed in such case under memory pressure. The tmpfs page
can be swapped out, but that's not enough to release the memcg with
CONFIG_MEMCG_SWAP_ENABLED=y.
No amount of more aggressive kernel slab shrinking could have solved
this. Not even assigning slab kmem of dying cgroups to alive cgroup
would fully solve this. The only way to free the memory of a dying
cgroup when a struct page still references it, would be to loop over
all "struct page" in the kernel to find which one is associated with
the dying cgroup which is a O(N) operation (where N is the number of
pages and can reach billions). Linking all the tmpfs pages to the
memcg would cost less during memcg offlining, but it would waste lots
of memory and CPU globally. So this can't be optimized in the kernel.
A cronjob running this command can act as workaround and will allow
all slab cache to be released, not just the single tmpfs pages.
rm -f /run/libpod/exits/*
This patch solved the memleak with a reproducer, booting with
cgroup.memory=nokmem and with selinux disabled. The reason memcg kmem
and selinux were disabled for testing of this fix, is because kmem
greatly decreases the kernel effectiveness in reusing partial slab
objects. cgroup.memory=nokmem is strongly recommended at least for
workstation usage. selinux needs to be further analyzed because it
causes further slab allocations.
The upstream podman commit used for testing is
1fe2965e4f672674f7b66648e9973a0ed5434bb4 (v1.4.4).
The upstream kernel commit used for testing is
f16fea666898dbdd7812ce94068c76da3e3fcf1e (v5.2-rc6).
Reported-by: Michele Baldessari <michele@redhat.com>
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
<Applied with small tweaks to comments>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-07-10 19:09:33 +00:00
if err := os . Remove ( exitFile ) ; err != nil {
return errors . Wrapf ( err , "error removing container %s exit file" , c . ID ( ) )
2019-02-12 17:57:11 +00:00
}
2018-03-13 15:49:24 +00:00
}
2018-01-18 16:37:41 +00:00
return nil
}
func ( c * Container ) export ( path string ) error {
mountPoint := c . state . Mountpoint
if ! c . state . Mounted {
2019-07-03 20:37:17 +00:00
containerMount , err := c . runtime . store . Mount ( c . ID ( ) , c . config . MountLabel )
2018-01-18 16:37:41 +00:00
if err != nil {
return errors . Wrapf ( err , "error mounting container %q" , c . ID ( ) )
}
2019-07-03 20:37:17 +00:00
mountPoint = containerMount
2018-01-18 16:37:41 +00:00
defer func ( ) {
2018-07-08 11:55:30 +00:00
if _ , err := c . runtime . store . Unmount ( c . ID ( ) , false ) ; err != nil {
2018-01-18 16:37:41 +00:00
logrus . Errorf ( "error unmounting container %q: %v" , c . ID ( ) , err )
}
} ( )
}
input , err := archive . Tar ( mountPoint , archive . Uncompressed )
if err != nil {
return errors . Wrapf ( err , "error reading container directory %q" , c . ID ( ) )
}
outFile , err := os . Create ( path )
if err != nil {
return errors . Wrapf ( err , "error creating file %q" , path )
}
defer outFile . Close ( )
_ , err = io . Copy ( outFile , input )
return err
}
// Get path of artifact with a given name for this container
func ( c * Container ) getArtifactPath ( name string ) string {
return filepath . Join ( c . config . StaticDir , artifactsDir , name )
}
// Used with Wait() to determine if a container has exited
func ( c * Container ) isStopped ( ) ( bool , error ) {
2018-04-14 21:32:49 +00:00
if ! c . batched {
2018-01-18 16:37:41 +00:00
c . lock . Lock ( )
defer c . lock . Unlock ( )
}
err := c . syncContainer ( )
if err != nil {
return true , err
}
2019-07-03 19:35:11 +00:00
return c . state . State != define . ContainerStateRunning && c . state . State != define . ContainerStatePaused , nil
2018-01-18 16:37:41 +00:00
}
// save container state to the database
func ( c * Container ) save ( ) error {
if err := c . runtime . state . SaveContainer ( c ) ; err != nil {
return errors . Wrapf ( err , "error saving container %s state" , c . ID ( ) )
}
return nil
}
2019-02-15 21:39:24 +00:00
// Checks the container is in the right state, then initializes the container in preparation to start the container.
// If recursive is true, each of the containers dependencies will be started.
// Otherwise, this function will return with error if there are dependencies of this container that aren't running.
func ( c * Container ) prepareToStart ( ctx context . Context , recursive bool ) ( err error ) {
// Container must be created or stopped to be started
2019-06-25 13:40:19 +00:00
if ! ( c . state . State == define . ContainerStateConfigured ||
c . state . State == define . ContainerStateCreated ||
c . state . State == define . ContainerStateStopped ||
c . state . State == define . ContainerStateExited ) {
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrCtrStateInvalid , "container %s must be in Created or Stopped state to be started" , c . ID ( ) )
2019-02-15 21:39:24 +00:00
}
if ! recursive {
if err := c . checkDependenciesAndHandleError ( ctx ) ; err != nil {
return err
}
} else {
if err := c . startDependencies ( ctx ) ; err != nil {
return err
}
}
defer func ( ) {
if err != nil {
if err2 := c . cleanup ( ctx ) ; err2 != nil {
logrus . Errorf ( "error cleaning up container %s: %v" , c . ID ( ) , err2 )
}
}
} ( )
if err := c . prepare ( ) ; err != nil {
return err
}
2019-06-25 13:40:19 +00:00
if c . state . State == define . ContainerStateStopped {
2019-02-15 21:39:24 +00:00
// Reinitialize the container if we need to
2019-04-01 23:20:03 +00:00
if err := c . reinit ( ctx , false ) ; err != nil {
2019-02-15 21:39:24 +00:00
return err
}
2019-06-25 13:40:19 +00:00
} else if c . state . State == define . ContainerStateConfigured ||
c . state . State == define . ContainerStateExited {
2019-02-15 21:39:24 +00:00
// Or initialize it if necessary
2019-04-01 23:20:03 +00:00
if err := c . init ( ctx , false ) ; err != nil {
2019-02-15 21:39:24 +00:00
return err
}
}
return nil
}
// checks dependencies are running and prints a helpful message
func ( c * Container ) checkDependenciesAndHandleError ( ctx context . Context ) error {
notRunning , err := c . checkDependenciesRunning ( )
if err != nil {
return errors . Wrapf ( err , "error checking dependencies for container %s" , c . ID ( ) )
}
if len ( notRunning ) > 0 {
depString := strings . Join ( notRunning , "," )
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrCtrStateInvalid , "some dependencies of container %s are not started: %s" , c . ID ( ) , depString )
2019-02-15 21:39:24 +00:00
}
return nil
}
// Recursively start all dependencies of a container so the container can be started.
func ( c * Container ) startDependencies ( ctx context . Context ) error {
depCtrIDs := c . Dependencies ( )
if len ( depCtrIDs ) == 0 {
return nil
}
depVisitedCtrs := make ( map [ string ] * Container )
if err := c . getAllDependencies ( depVisitedCtrs ) ; err != nil {
return errors . Wrapf ( err , "error starting dependency for container %s" , c . ID ( ) )
}
// Because of how Go handles passing slices through functions, a slice cannot grow between function calls
// without clunky syntax. Circumnavigate this by translating the map to a slice for buildContainerGraph
depCtrs := make ( [ ] * Container , 0 )
for _ , ctr := range depVisitedCtrs {
depCtrs = append ( depCtrs , ctr )
}
// Build a dependency graph of containers
2019-08-13 11:06:37 +00:00
graph , err := BuildContainerGraph ( depCtrs )
2019-02-15 21:39:24 +00:00
if err != nil {
return errors . Wrapf ( err , "error generating dependency graph for container %s" , c . ID ( ) )
}
// If there are no containers without dependencies, we can't start
// Error out
if len ( graph . noDepNodes ) == 0 {
2019-02-19 14:27:26 +00:00
// we have no dependencies that need starting, go ahead and return
if len ( graph . nodes ) == 0 {
return nil
}
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrNoSuchCtr , "All dependencies have dependencies of %s" , c . ID ( ) )
2019-02-15 21:39:24 +00:00
}
2019-02-19 14:27:26 +00:00
ctrErrors := make ( map [ string ] error )
ctrsVisited := make ( map [ string ] bool )
2019-02-15 21:39:24 +00:00
// Traverse the graph beginning at nodes with no dependencies
for _ , node := range graph . noDepNodes {
startNode ( ctx , node , false , ctrErrors , ctrsVisited , true )
}
if len ( ctrErrors ) > 0 {
logrus . Errorf ( "error starting some container dependencies" )
for _ , e := range ctrErrors {
logrus . Errorf ( "%q" , e )
}
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrInternal , "error starting some containers" )
2019-02-15 21:39:24 +00:00
}
return nil
}
// getAllDependencies is a precursor to starting dependencies.
// To start a container with all of its dependencies, we need to recursively find all dependencies
// a container has, as well as each of those containers' dependencies, and so on
// To do so, keep track of containers already visisted (so there aren't redundant state lookups),
// and recursively search until we have reached the leafs of every dependency node.
// Since we need to start all dependencies for our original container to successfully start, we propegate any errors
// in looking up dependencies.
// Note: this function is currently meant as a robust solution to a narrow problem: start an infra-container when
// a container in the pod is run. It has not been tested for performance past one level, so expansion of recursive start
// must be tested first.
func ( c * Container ) getAllDependencies ( visited map [ string ] * Container ) error {
depIDs := c . Dependencies ( )
if len ( depIDs ) == 0 {
return nil
}
for _ , depID := range depIDs {
if _ , ok := visited [ depID ] ; ! ok {
2019-04-12 14:21:45 +00:00
dep , err := c . runtime . state . Container ( depID )
2019-02-15 21:39:24 +00:00
if err != nil {
return err
}
2019-02-19 14:27:26 +00:00
status , err := dep . State ( )
if err != nil {
2019-02-15 21:39:24 +00:00
return err
}
2019-02-19 14:27:26 +00:00
// if the dependency is already running, we can assume its dependencies are also running
// so no need to add them to those we need to start
2019-06-25 13:40:19 +00:00
if status != define . ContainerStateRunning {
2019-02-19 14:27:26 +00:00
visited [ depID ] = dep
if err := dep . getAllDependencies ( visited ) ; err != nil {
return err
}
}
2019-02-15 21:39:24 +00:00
}
}
return nil
}
2018-04-02 16:23:19 +00:00
// Check if a container's dependencies are running
// Returns a []string containing the IDs of dependencies that are not running
func ( c * Container ) checkDependenciesRunning ( ) ( [ ] string , error ) {
2018-04-01 00:53:05 +00:00
deps := c . Dependencies ( )
2018-04-02 16:23:19 +00:00
notRunning := [ ] string { }
// We were not passed a set of dependency containers
// Make it ourselves
2018-04-01 00:53:05 +00:00
depCtrs := make ( map [ string ] * Container , len ( deps ) )
for _ , dep := range deps {
// Get the dependency container
depCtr , err := c . runtime . state . Container ( dep )
if err != nil {
2018-04-02 16:23:19 +00:00
return nil , errors . Wrapf ( err , "error retrieving dependency %s of container %s from state" , dep , c . ID ( ) )
2018-04-01 00:53:05 +00:00
}
// Check the status
state , err := depCtr . State ( )
if err != nil {
2018-04-02 16:23:19 +00:00
return nil , errors . Wrapf ( err , "error retrieving state of dependency %s of container %s" , dep , c . ID ( ) )
2018-04-01 00:53:05 +00:00
}
2019-06-25 13:40:19 +00:00
if state != define . ContainerStateRunning {
2018-04-02 16:23:19 +00:00
notRunning = append ( notRunning , dep )
2018-04-01 00:53:05 +00:00
}
depCtrs [ dep ] = depCtr
2018-04-02 16:23:19 +00:00
}
return notRunning , nil
}
2018-04-20 16:59:19 +00:00
func ( c * Container ) completeNetworkSetup ( ) error {
2018-12-06 19:56:57 +00:00
netDisabled , err := c . NetworkDisabled ( )
if err != nil {
return err
}
if ! c . config . PostConfigureNetNS || netDisabled {
2018-04-20 16:59:19 +00:00
return nil
}
if err := c . syncContainer ( ) ; err != nil {
return err
}
2018-11-26 20:31:06 +00:00
if c . config . NetMode == "slirp4netns" {
2018-07-25 13:15:13 +00:00
return c . runtime . setupRootlessNetNS ( c )
}
2018-04-20 16:59:19 +00:00
return c . runtime . setupNetNS ( c )
}
2018-04-02 16:23:19 +00:00
// Initialize a container, creating it in the runtime
2019-04-01 23:20:03 +00:00
func ( c * Container ) init ( ctx context . Context , retainRetries bool ) error {
2018-10-16 20:30:53 +00:00
span , _ := opentracing . StartSpanFromContext ( ctx , "init" )
span . SetTag ( "struct" , "container" )
defer span . Finish ( )
2019-07-03 20:37:17 +00:00
// Generate the OCI newSpec
newSpec , err := c . generateSpec ( ctx )
2018-03-12 19:32:10 +00:00
if err != nil {
return err
}
2019-07-03 20:37:17 +00:00
// Save the OCI newSpec to disk
if err := c . saveSpec ( newSpec ) ; err != nil {
2018-03-12 19:32:10 +00:00
return err
}
2019-07-01 17:55:03 +00:00
// With the spec complete, do an OCI create
if err := c . ociRuntime . createContainer ( c , nil ) ; err != nil {
2018-03-12 19:32:10 +00:00
return err
}
logrus . Debugf ( "Created container %s in OCI runtime" , c . ID ( ) )
2018-09-23 22:04:29 +00:00
c . state . ExitCode = 0
c . state . Exited = false
2019-06-25 13:40:19 +00:00
c . state . State = define . ContainerStateCreated
2019-04-01 17:30:28 +00:00
c . state . StoppedByUser = false
2019-04-01 19:22:32 +00:00
c . state . RestartPolicyMatch = false
2018-03-12 19:32:10 +00:00
2019-04-01 23:20:03 +00:00
if ! retainRetries {
c . state . RestartCount = 0
}
2018-04-20 16:59:19 +00:00
if err := c . save ( ) ; err != nil {
return err
}
2019-03-14 20:14:18 +00:00
if c . config . HealthCheckConfig != nil {
if err := c . createTimer ( ) ; err != nil {
logrus . Error ( err )
}
}
2019-02-28 20:15:56 +00:00
defer c . newContainerEvent ( events . Init )
2018-04-20 16:59:19 +00:00
return c . completeNetworkSetup ( )
2018-03-12 19:32:10 +00:00
}
2018-09-23 22:04:29 +00:00
// Clean up a container in the OCI runtime.
// Deletes the container in the runtime, and resets its state to Exited.
// The container can be restarted cleanly after this.
func ( c * Container ) cleanupRuntime ( ctx context . Context ) error {
2018-10-16 20:30:53 +00:00
span , _ := opentracing . StartSpanFromContext ( ctx , "cleanupRuntime" )
span . SetTag ( "struct" , "container" )
defer span . Finish ( )
2019-04-29 14:37:50 +00:00
// If the container is not ContainerStateStopped or
// ContainerStateCreated, do nothing.
2019-06-25 13:40:19 +00:00
if c . state . State != define . ContainerStateStopped && c . state . State != define . ContainerStateCreated {
2018-09-23 22:04:29 +00:00
return nil
}
2018-03-15 14:14:57 +00:00
2018-03-14 19:14:49 +00:00
// If necessary, delete attach and ctl files
if err := c . removeConmonFiles ( ) ; err != nil {
return err
}
2018-05-31 18:47:17 +00:00
if err := c . delete ( ctx ) ; err != nil {
return err
2018-03-14 19:14:49 +00:00
}
2018-05-31 18:47:17 +00:00
2019-04-29 14:37:50 +00:00
// If we were Stopped, we are now Exited, as we've removed ourself
// from the runtime.
// If we were Created, we are now Configured.
2019-06-25 13:40:19 +00:00
if c . state . State == define . ContainerStateStopped {
c . state . State = define . ContainerStateExited
} else if c . state . State == define . ContainerStateCreated {
c . state . State = define . ContainerStateConfigured
2019-04-29 14:37:50 +00:00
}
2018-10-02 17:39:33 +00:00
if c . valid {
if err := c . save ( ) ; err != nil {
return err
}
2018-03-14 19:14:49 +00:00
}
2018-03-15 14:14:57 +00:00
logrus . Debugf ( "Successfully cleaned up container %s" , c . ID ( ) )
2018-09-23 22:04:29 +00:00
return nil
}
// Reinitialize a container.
// Deletes and recreates a container in the runtime.
// Should only be done on ContainerStateStopped containers.
// Not necessary for ContainerStateExited - the container has already been
// removed from the runtime, so init() can proceed freely.
2019-04-01 23:20:03 +00:00
func ( c * Container ) reinit ( ctx context . Context , retainRetries bool ) error {
2018-10-16 20:30:53 +00:00
span , _ := opentracing . StartSpanFromContext ( ctx , "reinit" )
span . SetTag ( "struct" , "container" )
defer span . Finish ( )
2018-09-23 22:04:29 +00:00
logrus . Debugf ( "Recreating container %s in OCI runtime" , c . ID ( ) )
if err := c . cleanupRuntime ( ctx ) ; err != nil {
return err
}
2018-03-14 19:14:49 +00:00
// Initialize the container again
2019-04-01 23:20:03 +00:00
return c . init ( ctx , retainRetries )
2018-03-14 19:14:49 +00:00
}
2018-03-12 19:32:10 +00:00
// Initialize (if necessary) and start a container
// Performs all necessary steps to start a container that is not running
// Does not lock or check validity
2018-04-18 20:48:35 +00:00
func ( c * Container ) initAndStart ( ctx context . Context ) ( err error ) {
2018-03-12 19:32:10 +00:00
// If we are ContainerStateUnknown, throw an error
2019-06-25 13:40:19 +00:00
if c . state . State == define . ContainerStateUnknown {
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrCtrStateInvalid , "container %s is in an unknown state" , c . ID ( ) )
2018-03-12 19:32:10 +00:00
}
// If we are running, do nothing
2019-06-25 13:40:19 +00:00
if c . state . State == define . ContainerStateRunning {
2018-03-12 19:32:10 +00:00
return nil
}
// If we are paused, throw an error
2019-06-25 13:40:19 +00:00
if c . state . State == define . ContainerStatePaused {
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrCtrStateInvalid , "cannot start paused container %s" , c . ID ( ) )
2018-03-12 19:32:10 +00:00
}
defer func ( ) {
if err != nil {
2018-09-23 22:04:29 +00:00
if err2 := c . cleanup ( ctx ) ; err2 != nil {
2018-03-14 19:14:49 +00:00
logrus . Errorf ( "error cleaning up container %s: %v" , c . ID ( ) , err2 )
2018-03-12 19:32:10 +00:00
}
}
} ( )
2018-11-07 16:44:33 +00:00
if err := c . prepare ( ) ; err != nil {
return err
}
2018-03-13 15:49:24 +00:00
// If we are ContainerStateStopped we need to remove from runtime
// And reset to ContainerStateConfigured
2019-06-25 13:40:19 +00:00
if c . state . State == define . ContainerStateStopped {
2018-03-15 14:14:57 +00:00
logrus . Debugf ( "Recreating container %s in OCI runtime" , c . ID ( ) )
2019-04-01 23:20:03 +00:00
if err := c . reinit ( ctx , false ) ; err != nil {
2018-03-13 15:49:24 +00:00
return err
}
2019-06-25 13:40:19 +00:00
} else if c . state . State == define . ContainerStateConfigured ||
c . state . State == define . ContainerStateExited {
2019-04-01 23:20:03 +00:00
if err := c . init ( ctx , false ) ; err != nil {
2018-03-12 19:32:10 +00:00
return err
}
}
// Now start the container
return c . start ( )
}
// Internal, non-locking function to start a container
func ( c * Container ) start ( ) error {
2019-01-02 17:11:50 +00:00
if c . config . Spec . Process != nil {
logrus . Debugf ( "Starting container %s with command %v" , c . ID ( ) , c . config . Spec . Process . Args )
}
2019-06-19 21:08:43 +00:00
if err := c . ociRuntime . startContainer ( c ) ; err != nil {
2018-03-12 19:32:10 +00:00
return err
}
logrus . Debugf ( "Started container %s" , c . ID ( ) )
2019-06-25 13:40:19 +00:00
c . state . State = define . ContainerStateRunning
2018-03-12 19:32:10 +00:00
2019-03-14 20:14:18 +00:00
if c . config . HealthCheckConfig != nil {
if err := c . updateHealthStatus ( HealthCheckStarting ) ; err != nil {
logrus . Error ( err )
}
if err := c . startTimer ( ) ; err != nil {
logrus . Error ( err )
}
}
2019-03-12 20:12:09 +00:00
defer c . newContainerEvent ( events . Start )
2018-03-12 19:32:10 +00:00
return c . save ( )
}
2018-01-29 16:59:33 +00:00
// Internal, non-locking function to stop container
func ( c * Container ) stop ( timeout uint ) error {
2019-03-05 23:11:28 +00:00
logrus . Debugf ( "Stopping ctr %s (timeout %d)" , c . ID ( ) , timeout )
2018-01-29 16:59:33 +00:00
2019-06-19 21:08:43 +00:00
if err := c . ociRuntime . stopContainer ( c , timeout ) ; err != nil {
2018-01-29 16:59:33 +00:00
return err
}
2019-07-02 23:10:51 +00:00
c . state . PID = 0
c . state . ConmonPID = 0
2019-04-01 17:30:28 +00:00
c . state . StoppedByUser = true
if err := c . save ( ) ; err != nil {
return errors . Wrapf ( err , "error saving container %s state after stopping" , c . ID ( ) )
}
2018-10-19 20:02:14 +00:00
// Wait until we have an exit file, and sync once we do
2019-07-31 21:22:08 +00:00
if err := c . waitForExitFileAndSync ( ) ; err != nil {
return err
}
c . newContainerEvent ( events . Stop )
return nil
2018-01-29 16:59:33 +00:00
}
2018-06-21 13:45:03 +00:00
// Internal, non-locking function to pause a container
func ( c * Container ) pause ( ) error {
2019-06-19 21:08:43 +00:00
if err := c . ociRuntime . pauseContainer ( c ) ; err != nil {
2018-06-21 13:45:03 +00:00
return err
}
logrus . Debugf ( "Paused container %s" , c . ID ( ) )
2019-06-25 13:40:19 +00:00
c . state . State = define . ContainerStatePaused
2018-06-21 13:45:03 +00:00
return c . save ( )
}
// Internal, non-locking function to unpause a container
func ( c * Container ) unpause ( ) error {
2019-06-19 21:08:43 +00:00
if err := c . ociRuntime . unpauseContainer ( c ) ; err != nil {
2018-06-21 13:45:03 +00:00
return err
}
logrus . Debugf ( "Unpaused container %s" , c . ID ( ) )
2019-06-25 13:40:19 +00:00
c . state . State = define . ContainerStateRunning
2018-06-21 13:45:03 +00:00
return c . save ( )
}
2018-07-23 19:56:12 +00:00
// Internal, non-locking function to restart a container
func ( c * Container ) restartWithTimeout ( ctx context . Context , timeout uint ) ( err error ) {
2019-06-25 13:40:19 +00:00
if c . state . State == define . ContainerStateUnknown || c . state . State == define . ContainerStatePaused {
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrCtrStateInvalid , "unable to restart a container in a paused or unknown state" )
2018-07-23 19:56:12 +00:00
}
2019-04-03 18:17:02 +00:00
c . newContainerEvent ( events . Restart )
2019-06-25 13:40:19 +00:00
if c . state . State == define . ContainerStateRunning {
2019-08-02 14:27:50 +00:00
conmonPID := c . state . ConmonPID
2018-07-23 19:56:12 +00:00
if err := c . stop ( timeout ) ; err != nil {
return err
}
2019-08-02 14:27:50 +00:00
// Old versions of conmon have a bug where they create the exit file before
// closing open file descriptors causing a race condition when restarting
// containers with open ports since we cannot bind the ports as they're not
// yet closed by conmon.
//
// Killing the old conmon PID is ~okay since it forces the FDs of old conmons
// to be closed, while it's a NOP for newer versions which should have
// exited already.
if conmonPID != 0 {
// Ignore errors from FindProcess() as conmon could already have exited.
p , err := os . FindProcess ( conmonPID )
if p != nil && err == nil {
if err = p . Kill ( ) ; err != nil {
logrus . Debugf ( "error killing conmon process: %v" , err )
}
}
}
2018-07-23 19:56:12 +00:00
}
defer func ( ) {
if err != nil {
2018-09-23 22:04:29 +00:00
if err2 := c . cleanup ( ctx ) ; err2 != nil {
2018-07-23 19:56:12 +00:00
logrus . Errorf ( "error cleaning up container %s: %v" , c . ID ( ) , err2 )
}
}
} ( )
2018-11-07 16:44:33 +00:00
if err := c . prepare ( ) ; err != nil {
return err
}
2018-07-23 19:56:12 +00:00
2019-06-25 13:40:19 +00:00
if c . state . State == define . ContainerStateStopped {
2018-07-23 19:56:12 +00:00
// Reinitialize the container if we need to
2019-04-01 23:20:03 +00:00
if err := c . reinit ( ctx , false ) ; err != nil {
2018-07-23 19:56:12 +00:00
return err
}
2019-06-25 13:40:19 +00:00
} else if c . state . State == define . ContainerStateConfigured ||
c . state . State == define . ContainerStateExited {
2018-09-23 22:04:29 +00:00
// Initialize the container
2019-04-01 23:20:03 +00:00
if err := c . init ( ctx , false ) ; err != nil {
2018-07-23 19:56:12 +00:00
return err
}
}
return c . start ( )
}
2018-01-18 16:37:41 +00:00
// mountStorage sets up the container's root filesystem
// It mounts the image and any other requested mounts
// TODO: Add ability to override mount label so we can use this for Mount() too
// TODO: Can we use this for export? Copying SHM into the export might not be
// good
2019-09-03 19:03:44 +00:00
func ( c * Container ) mountStorage ( ) ( _ string , Err error ) {
2018-10-17 18:43:36 +00:00
var err error
2018-01-18 16:37:41 +00:00
// Container already mounted, nothing to do
if c . state . Mounted {
2018-10-17 18:43:36 +00:00
return c . state . Mountpoint , nil
2018-01-18 16:37:41 +00:00
}
2018-11-08 11:14:46 +00:00
mounted , err := mount . Mounted ( c . config . ShmDir )
if err != nil {
return "" , errors . Wrapf ( err , "unable to determine if %q is mounted" , c . config . ShmDir )
}
2018-06-01 11:10:14 +00:00
2018-12-24 11:55:24 +00:00
if ! mounted && ! MountExists ( c . config . Spec . Mounts , "/dev/shm" ) {
2018-11-08 11:14:46 +00:00
shmOptions := fmt . Sprintf ( "mode=1777,size=%d" , c . config . ShmSize )
if err := c . mountSHM ( shmOptions ) ; err != nil {
return "" , err
}
2018-04-24 00:42:53 +00:00
if err := os . Chown ( c . config . ShmDir , c . RootUID ( ) , c . RootGID ( ) ) ; err != nil {
2018-10-17 18:43:36 +00:00
return "" , errors . Wrapf ( err , "failed to chown %s" , c . config . ShmDir )
2018-04-24 00:42:53 +00:00
}
2019-09-03 19:03:44 +00:00
defer func ( ) {
if Err != nil {
if err := c . unmountSHM ( c . config . ShmDir ) ; err != nil {
logrus . Errorf ( "Error unmounting SHM for container %s after mount error: %v" , c . ID ( ) , err )
}
}
} ( )
}
// Request a mount of all named volumes
for _ , v := range c . config . NamedVolumes {
vol , err := c . runtime . state . Volume ( v . Name )
if err != nil {
return "" , errors . Wrapf ( err , "error retrieving named volume %s for container %s" , v . Name , c . ID ( ) )
}
if vol . needsMount ( ) {
vol . lock . Lock ( )
if err := vol . mount ( ) ; err != nil {
vol . lock . Unlock ( )
return "" , errors . Wrapf ( err , "error mounting volume %s for container %s" , vol . Name ( ) , c . ID ( ) )
}
vol . lock . Unlock ( )
defer func ( ) {
if Err == nil {
return
}
vol . lock . Lock ( )
if err := vol . unmount ( false ) ; err != nil {
logrus . Errorf ( "Error unmounting volume %s after error mounting container %s: %v" , vol . Name ( ) , c . ID ( ) , err )
}
2019-09-05 14:00:50 +00:00
vol . lock . Unlock ( )
2019-09-03 19:03:44 +00:00
} ( )
}
2018-01-18 16:37:41 +00:00
}
2018-11-08 11:14:46 +00:00
// TODO: generalize this mount code so it will mount every mount in ctr.config.Mounts
2018-04-26 15:21:48 +00:00
mountPoint := c . config . Rootfs
if mountPoint == "" {
2018-07-19 20:59:42 +00:00
mountPoint , err = c . mount ( )
2018-04-26 15:21:48 +00:00
if err != nil {
2018-10-17 18:43:36 +00:00
return "" , err
2018-04-26 15:21:48 +00:00
}
2018-01-18 16:37:41 +00:00
}
2018-10-17 18:43:36 +00:00
return mountPoint , nil
2018-01-18 16:37:41 +00:00
}
// cleanupStorage unmounts and cleans up the container's root filesystem
func ( c * Container ) cleanupStorage ( ) error {
if ! c . state . Mounted {
// Already unmounted, do nothing
2019-03-05 23:11:28 +00:00
logrus . Debugf ( "Container %s storage is already unmounted, skipping..." , c . ID ( ) )
2018-01-18 16:37:41 +00:00
return nil
}
2019-03-05 23:11:28 +00:00
2019-09-05 14:00:50 +00:00
var cleanupErr error
2019-07-03 20:37:17 +00:00
for _ , containerMount := range c . config . Mounts {
if err := c . unmountSHM ( containerMount ) ; err != nil {
2019-09-05 14:00:50 +00:00
if cleanupErr != nil {
logrus . Errorf ( "Error unmounting container %s: %v" , c . ID ( ) , cleanupErr )
}
cleanupErr = err
2018-01-18 16:37:41 +00:00
}
}
2019-03-05 23:11:28 +00:00
2018-04-26 15:21:48 +00:00
if c . config . Rootfs != "" {
2019-09-05 14:00:50 +00:00
return cleanupErr
2018-04-26 15:21:48 +00:00
}
2018-01-18 16:37:41 +00:00
2018-07-30 13:04:18 +00:00
if err := c . unmount ( false ) ; err != nil {
2018-05-14 14:17:24 +00:00
// If the container has already been removed, warn but don't
// error
// We still want to be able to kick the container out of the
// state
2019-03-11 09:08:31 +00:00
if errors . Cause ( err ) == storage . ErrNotAContainer || errors . Cause ( err ) == storage . ErrContainerUnknown {
2018-05-14 14:17:24 +00:00
logrus . Errorf ( "Storage for container %s has been removed" , c . ID ( ) )
2019-09-05 14:00:50 +00:00
} else {
if cleanupErr != nil {
logrus . Errorf ( "Error cleaning up container %s storage: %v" , c . ID ( ) , cleanupErr )
}
cleanupErr = err
2018-05-14 14:17:24 +00:00
}
2018-01-18 16:37:41 +00:00
}
2019-09-03 19:03:44 +00:00
// Request an unmount of all named volumes
for _ , v := range c . config . NamedVolumes {
vol , err := c . runtime . state . Volume ( v . Name )
if err != nil {
if cleanupErr != nil {
logrus . Errorf ( "Error unmounting container %s: %v" , c . ID ( ) , cleanupErr )
}
cleanupErr = errors . Wrapf ( err , "error retrieving named volume %s for container %s" , v . Name , c . ID ( ) )
// We need to try and unmount every volume, so continue
// if they fail.
continue
}
if vol . needsMount ( ) {
vol . lock . Lock ( )
if err := vol . unmount ( false ) ; err != nil {
if cleanupErr != nil {
logrus . Errorf ( "Error unmounting container %s: %v" , c . ID ( ) , cleanupErr )
}
cleanupErr = errors . Wrapf ( err , "error unmounting volume %s for container %s" , vol . Name ( ) , c . ID ( ) )
}
vol . lock . Unlock ( )
}
}
2018-01-18 16:37:41 +00:00
c . state . Mountpoint = ""
c . state . Mounted = false
2018-06-04 21:31:49 +00:00
if c . valid {
2019-09-03 19:03:44 +00:00
if err := c . save ( ) ; err != nil {
if cleanupErr != nil {
logrus . Errorf ( "Error unmounting container %s: %v" , c . ID ( ) , cleanupErr )
}
cleanupErr = err
}
2018-06-04 21:31:49 +00:00
}
2019-09-03 19:03:44 +00:00
return cleanupErr
2018-01-18 16:37:41 +00:00
}
2018-03-14 19:14:49 +00:00
// Unmount the a container and free its resources
2018-09-23 22:04:29 +00:00
func ( c * Container ) cleanup ( ctx context . Context ) error {
2018-03-14 19:14:49 +00:00
var lastError error
2018-10-16 20:30:53 +00:00
span , _ := opentracing . StartSpanFromContext ( ctx , "cleanup" )
span . SetTag ( "struct" , "container" )
defer span . Finish ( )
2018-05-09 20:33:31 +00:00
logrus . Debugf ( "Cleaning up container %s" , c . ID ( ) )
2019-03-14 20:14:18 +00:00
// Remove healthcheck unit/timer file if it execs
if c . config . HealthCheckConfig != nil {
if err := c . removeTimer ( ) ; err != nil {
2019-04-11 13:51:26 +00:00
logrus . Errorf ( "Error removing timer for container %s healthcheck: %v" , c . ID ( ) , err )
2019-03-14 20:14:18 +00:00
}
}
2018-03-14 19:14:49 +00:00
// Clean up network namespace, if present
if err := c . cleanupNetwork ( ) ; err != nil {
2019-04-11 13:51:26 +00:00
lastError = errors . Wrapf ( err , "error removing container %s network" , c . ID ( ) )
2018-03-14 19:14:49 +00:00
}
// Unmount storage
if err := c . cleanupStorage ( ) ; err != nil {
if lastError != nil {
logrus . Errorf ( "Error unmounting container %s storage: %v" , c . ID ( ) , err )
} else {
2019-04-11 13:51:26 +00:00
lastError = errors . Wrapf ( err , "error unmounting container %s storage" , c . ID ( ) )
2018-03-14 19:14:49 +00:00
}
}
2018-09-23 22:04:29 +00:00
// Remove the container from the runtime, if necessary
if err := c . cleanupRuntime ( ctx ) ; err != nil {
if lastError != nil {
logrus . Errorf ( "Error removing container %s from OCI runtime: %v" , c . ID ( ) , err )
} else {
lastError = err
}
}
2018-03-14 19:14:49 +00:00
return lastError
}
2018-05-31 18:47:17 +00:00
// delete deletes the container and runs any configured poststop
// hooks.
func ( c * Container ) delete ( ctx context . Context ) ( err error ) {
2018-10-16 20:30:53 +00:00
span , _ := opentracing . StartSpanFromContext ( ctx , "delete" )
span . SetTag ( "struct" , "container" )
defer span . Finish ( )
2019-06-19 21:08:43 +00:00
if err := c . ociRuntime . deleteContainer ( c ) ; err != nil {
2018-05-31 18:47:17 +00:00
return errors . Wrapf ( err , "error removing container %s from runtime" , c . ID ( ) )
}
if err := c . postDeleteHooks ( ctx ) ; err != nil {
return errors . Wrapf ( err , "container %s poststop hooks" , c . ID ( ) )
}
return nil
}
// postDeleteHooks runs the poststop hooks (if any) as specified by
// the OCI Runtime Specification (which requires them to run
// post-delete, despite the stage name).
func ( c * Container ) postDeleteHooks ( ctx context . Context ) ( err error ) {
2018-10-16 20:30:53 +00:00
span , _ := opentracing . StartSpanFromContext ( ctx , "postDeleteHooks" )
span . SetTag ( "struct" , "container" )
defer span . Finish ( )
2018-05-31 18:47:17 +00:00
if c . state . ExtensionStageHooks != nil {
extensionHooks , ok := c . state . ExtensionStageHooks [ "poststop" ]
if ok {
state , err := json . Marshal ( spec . State {
Version : spec . Version ,
ID : c . ID ( ) ,
Status : "stopped" ,
Bundle : c . bundlePath ( ) ,
Annotations : c . config . Spec . Annotations ,
} )
if err != nil {
return err
}
for i , hook := range extensionHooks {
2019-07-11 10:44:12 +00:00
hook := hook
2018-06-18 17:19:48 +00:00
logrus . Debugf ( "container %s: invoke poststop hook %d, path %s" , c . ID ( ) , i , hook . Path )
2018-05-31 18:47:17 +00:00
var stderr , stdout bytes . Buffer
hookErr , err := exec . Run ( ctx , & hook , state , & stdout , & stderr , exec . DefaultPostKillTimeout )
if err != nil {
logrus . Warnf ( "container %s: poststop hook %d: %v" , c . ID ( ) , i , err )
if hookErr != err {
logrus . Debugf ( "container %s: poststop hook %d (hook error): %v" , c . ID ( ) , i , hookErr )
}
stdoutString := stdout . String ( )
if stdoutString != "" {
logrus . Debugf ( "container %s: poststop hook %d: stdout:\n%s" , c . ID ( ) , i , stdoutString )
}
stderrString := stderr . String ( )
if stderrString != "" {
logrus . Debugf ( "container %s: poststop hook %d: stderr:\n%s" , c . ID ( ) , i , stderrString )
}
}
}
}
}
return nil
}
2018-03-07 16:17:42 +00:00
// writeStringToRundir copies the provided file to the runtimedir
func ( c * Container ) writeStringToRundir ( destFile , output string ) ( string , error ) {
2018-01-19 14:51:59 +00:00
destFileName := filepath . Join ( c . state . RunDir , destFile )
2018-04-24 14:41:42 +00:00
if err := os . Remove ( destFileName ) ; err != nil && ! os . IsNotExist ( err ) {
return "" , errors . Wrapf ( err , "error removing %s for container %s" , destFile , c . ID ( ) )
}
2018-01-19 14:51:59 +00:00
f , err := os . Create ( destFileName )
if err != nil {
return "" , errors . Wrapf ( err , "unable to create %s" , destFileName )
}
defer f . Close ( )
2018-06-11 14:03:34 +00:00
if err := f . Chown ( c . RootUID ( ) , c . RootGID ( ) ) ; err != nil {
return "" , err
2018-04-24 00:42:53 +00:00
}
if _ , err := f . WriteString ( output ) ; err != nil {
2018-01-19 14:51:59 +00:00
return "" , errors . Wrapf ( err , "unable to write %s" , destFileName )
2018-01-18 16:37:41 +00:00
}
// Relabel runDirResolv for the container
if err := label . Relabel ( destFileName , c . config . MountLabel , false ) ; err != nil {
return "" , err
}
2018-04-24 14:41:42 +00:00
2019-03-21 11:18:42 +00:00
return filepath . Join ( c . state . RunDir , destFile ) , nil
2018-01-18 16:37:41 +00:00
}
2018-01-19 14:51:59 +00:00
2019-03-04 03:54:41 +00:00
// appendStringToRundir appends the provided string to the runtimedir file
func ( c * Container ) appendStringToRundir ( destFile , output string ) ( string , error ) {
destFileName := filepath . Join ( c . state . RunDir , destFile )
f , err := os . OpenFile ( destFileName , os . O_APPEND | os . O_WRONLY , 0600 )
if err != nil {
return "" , errors . Wrapf ( err , "unable to open %s" , destFileName )
}
defer f . Close ( )
if _ , err := f . WriteString ( output ) ; err != nil {
return "" , errors . Wrapf ( err , "unable to write %s" , destFileName )
}
2019-03-21 11:18:42 +00:00
return filepath . Join ( c . state . RunDir , destFile ) , nil
2019-03-04 03:54:41 +00:00
}
2019-02-06 19:22:46 +00:00
// saveSpec saves the OCI spec to disk, replacing any existing specs for the container
2018-03-07 16:15:00 +00:00
func ( c * Container ) saveSpec ( spec * spec . Spec ) error {
// If the OCI spec already exists, we need to replace it
// Cannot guarantee some things, e.g. network namespaces, have the same
// paths
jsonPath := filepath . Join ( c . bundlePath ( ) , "config.json" )
if _ , err := os . Stat ( jsonPath ) ; err != nil {
if ! os . IsNotExist ( err ) {
return errors . Wrapf ( err , "error doing stat on container %s spec" , c . ID ( ) )
}
// The spec does not exist, we're fine
} else {
// The spec exists, need to remove it
if err := os . Remove ( jsonPath ) ; err != nil {
return errors . Wrapf ( err , "error replacing runtime spec for container %s" , c . ID ( ) )
}
}
fileJSON , err := json . Marshal ( spec )
if err != nil {
return errors . Wrapf ( err , "error exporting runtime spec for container %s to JSON" , c . ID ( ) )
}
if err := ioutil . WriteFile ( jsonPath , fileJSON , 0644 ) ; err != nil {
return errors . Wrapf ( err , "error writing runtime spec JSON for container %s to disk" , c . ID ( ) )
}
logrus . Debugf ( "Created OCI spec for container %s at %s" , c . ID ( ) , jsonPath )
c . state . ConfigPath = jsonPath
return nil
}
2018-03-29 15:01:47 +00:00
2018-11-19 17:22:32 +00:00
// Warning: precreate hooks may alter 'config' in place.
2018-06-27 16:14:13 +00:00
func ( c * Container ) setupOCIHooks ( ctx context . Context , config * spec . Spec ) ( extensionStageHooks map [ string ] [ ] spec . Hook , err error ) {
2018-11-19 17:22:32 +00:00
allHooks := make ( map [ string ] [ ] spec . Hook )
libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 05:22:08 +00:00
if c . runtime . config . HooksDir == nil {
if rootless . IsRootless ( ) {
2018-09-17 13:33:11 +00:00
return nil , nil
}
libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 05:22:08 +00:00
for _ , hDir := range [ ] string { hooks . DefaultDir , hooks . OverrideDir } {
2019-03-02 05:36:44 +00:00
manager , err := hooks . New ( ctx , [ ] string { hDir } , [ ] string { "precreate" , "poststop" } )
libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 05:22:08 +00:00
if err != nil {
if os . IsNotExist ( err ) {
continue
}
return nil , err
}
2019-07-03 20:37:17 +00:00
ociHooks , err := manager . Hooks ( config , c . Spec ( ) . Annotations , len ( c . config . UserVolumes ) > 0 )
libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 05:22:08 +00:00
if err != nil {
return nil , err
}
2019-07-03 20:37:17 +00:00
if len ( ociHooks ) > 0 || config . Hooks != nil {
logrus . Warnf ( "implicit hook directories are deprecated; set --ociHooks-dir=%q explicitly to continue to load ociHooks from this directory" , hDir )
libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 05:22:08 +00:00
}
2019-07-03 20:37:17 +00:00
for i , hook := range ociHooks {
libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 05:22:08 +00:00
allHooks [ i ] = hook
}
2018-09-17 13:33:11 +00:00
}
2018-11-19 17:22:32 +00:00
} else {
2019-03-02 05:36:44 +00:00
manager , err := hooks . New ( ctx , c . runtime . config . HooksDir , [ ] string { "precreate" , "poststop" } )
2018-11-19 17:22:32 +00:00
if err != nil {
return nil , err
}
allHooks , err = manager . Hooks ( config , c . Spec ( ) . Annotations , len ( c . config . UserVolumes ) > 0 )
if err != nil {
return nil , err
}
2018-03-29 15:01:47 +00:00
}
libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 05:22:08 +00:00
2018-11-19 17:22:32 +00:00
hookErr , err := exec . RuntimeConfigFilter ( ctx , allHooks [ "precreate" ] , config , exec . DefaultPostKillTimeout )
libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 05:22:08 +00:00
if err != nil {
2018-11-19 17:22:32 +00:00
logrus . Warnf ( "container %s: precreate hook: %v" , c . ID ( ) , err )
if hookErr != nil && hookErr != err {
logrus . Debugf ( "container %s: precreate hook (hook error): %v" , c . ID ( ) , hookErr )
2018-12-07 16:23:03 +00:00
}
libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 05:22:08 +00:00
return nil , err
}
2018-11-19 17:22:32 +00:00
return allHooks , nil
2018-03-29 15:01:47 +00:00
}
2018-07-19 20:59:42 +00:00
// mount mounts the container's root filesystem
func ( c * Container ) mount ( ) ( string , error ) {
mountPoint , err := c . runtime . storageService . MountContainerImage ( c . ID ( ) )
if err != nil {
return "" , errors . Wrapf ( err , "error mounting storage for container %s" , c . ID ( ) )
}
2018-08-31 15:20:13 +00:00
mountPoint , err = filepath . EvalSymlinks ( mountPoint )
if err != nil {
return "" , errors . Wrapf ( err , "error resolving storage path for container %s" , c . ID ( ) )
}
2019-03-21 11:18:42 +00:00
if err := os . Chown ( mountPoint , c . RootUID ( ) , c . RootGID ( ) ) ; err != nil {
return "" , errors . Wrapf ( err , "cannot chown %s to %d:%d" , mountPoint , c . RootUID ( ) , c . RootGID ( ) )
}
2018-07-19 20:59:42 +00:00
return mountPoint , nil
}
// unmount unmounts the container's root filesystem
2018-07-30 13:04:18 +00:00
func ( c * Container ) unmount ( force bool ) error {
2018-07-19 20:59:42 +00:00
// Also unmount storage
2018-07-30 13:04:18 +00:00
if _ , err := c . runtime . storageService . UnmountContainerImage ( c . ID ( ) , force ) ; err != nil {
2018-07-19 20:59:42 +00:00
return errors . Wrapf ( err , "error unmounting container %s root filesystem" , c . ID ( ) )
}
return nil
}
2018-10-01 17:10:46 +00:00
2019-02-14 18:21:52 +00:00
// this should be from chrootarchive.
func ( c * Container ) copyWithTarFromImage ( src , dest string ) error {
mountpoint , err := c . mount ( )
if err != nil {
return err
}
a := archive . NewDefaultArchiver ( )
source := filepath . Join ( mountpoint , src )
2019-03-14 12:33:53 +00:00
if err = c . copyOwnerAndPerms ( source , dest ) ; err != nil {
return err
}
2019-02-14 18:21:52 +00:00
return a . CopyWithTar ( source , dest )
}
2019-05-10 16:42:14 +00:00
// checkReadyForRemoval checks whether the given container is ready to be
// removed.
// These checks are only used if force-remove is not specified.
// If it is, we'll remove the container anyways.
// Returns nil if safe to remove, or an error describing why it's unsafe if not.
func ( c * Container ) checkReadyForRemoval ( ) error {
2019-06-25 13:40:19 +00:00
if c . state . State == define . ContainerStateUnknown {
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrCtrStateInvalid , "container %s is in invalid state" , c . ID ( ) )
2019-05-10 16:42:14 +00:00
}
2019-06-25 13:40:19 +00:00
if c . state . State == define . ContainerStateRunning ||
c . state . State == define . ContainerStatePaused {
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrCtrStateInvalid , "cannot remove container %s as it is %s - running or paused containers cannot be removed" , c . ID ( ) , c . state . State . String ( ) )
2019-05-10 16:42:14 +00:00
}
if len ( c . state . ExecSessions ) != 0 {
2019-06-24 20:48:34 +00:00
return errors . Wrapf ( define . ErrCtrStateInvalid , "cannot remove container %s as it has active exec sessions" , c . ID ( ) )
2019-05-10 16:42:14 +00:00
}
return nil
}
2019-02-06 19:17:25 +00:00
// writeJSONFile marshalls and writes the given data to a JSON file
// in the bundle path
func ( c * Container ) writeJSONFile ( v interface { } , file string ) ( err error ) {
fileJSON , err := json . MarshalIndent ( v , "" , " " )
if err != nil {
return errors . Wrapf ( err , "error writing JSON to %s for container %s" , file , c . ID ( ) )
}
file = filepath . Join ( c . bundlePath ( ) , file )
if err := ioutil . WriteFile ( file , fileJSON , 0644 ) ; err != nil {
return err
}
return nil
}
// prepareCheckpointExport writes the config and spec to
// JSON files for later export
func ( c * Container ) prepareCheckpointExport ( ) ( err error ) {
// save live config
if err := c . writeJSONFile ( c . Config ( ) , "config.dump" ) ; err != nil {
return err
}
// save spec
jsonPath := filepath . Join ( c . bundlePath ( ) , "config.json" )
g , err := generate . NewFromFile ( jsonPath )
if err != nil {
logrus . Debugf ( "generating spec for container %q failed with %v" , c . ID ( ) , err )
return err
}
2019-07-11 10:44:12 +00:00
if err := c . writeJSONFile ( g . Config , "spec.dump" ) ; err != nil {
2019-02-06 19:17:25 +00:00
return err
}
return nil
}
2019-07-02 15:40:14 +00:00
// sortUserVolumes sorts the volumes specified for a container
// between named and normal volumes
func ( c * Container ) sortUserVolumes ( ctrSpec * spec . Spec ) ( [ ] * ContainerNamedVolume , [ ] spec . Mount ) {
namedUserVolumes := [ ] * ContainerNamedVolume { }
userMounts := [ ] spec . Mount { }
// We need to parse all named volumes and mounts into maps, so we don't
// end up with repeated lookups for each user volume.
// Map destination to struct, as destination is what is stored in
// UserVolumes.
namedVolumes := make ( map [ string ] * ContainerNamedVolume )
mounts := make ( map [ string ] spec . Mount )
for _ , namedVol := range c . config . NamedVolumes {
namedVolumes [ namedVol . Dest ] = namedVol
}
for _ , mount := range ctrSpec . Mounts {
mounts [ mount . Destination ] = mount
}
for _ , vol := range c . config . UserVolumes {
if volume , ok := namedVolumes [ vol ] ; ok {
namedUserVolumes = append ( namedUserVolumes , volume )
} else if mount , ok := mounts [ vol ] ; ok {
userMounts = append ( userMounts , mount )
} else {
logrus . Warnf ( "Could not find mount at destination %q when parsing user volumes for container %s" , vol , c . ID ( ) )
}
}
return namedUserVolumes , userMounts
}