2018-01-18 16:37:41 +00:00
package libpod
import (
2018-05-31 18:47:17 +00:00
"bytes"
2018-04-18 20:48:35 +00:00
"context"
2018-01-18 16:37:41 +00:00
"fmt"
"io"
2018-01-19 14:51:59 +00:00
"io/ioutil"
2018-01-18 16:37:41 +00:00
"os"
"path/filepath"
2018-10-09 11:54:37 +00:00
"strconv"
2018-01-19 14:51:59 +00:00
"strings"
2018-10-19 20:02:14 +00:00
"time"
2018-01-18 16:37:41 +00:00
2019-02-28 20:15:56 +00:00
"github.com/containers/libpod/libpod/events"
2018-10-19 20:02:14 +00:00
"github.com/containers/libpod/pkg/ctime"
2018-08-16 10:41:15 +00:00
"github.com/containers/libpod/pkg/hooks"
"github.com/containers/libpod/pkg/hooks/exec"
"github.com/containers/libpod/pkg/rootless"
2018-01-18 16:37:41 +00:00
"github.com/containers/storage"
"github.com/containers/storage/pkg/archive"
2018-08-10 18:46:59 +00:00
"github.com/containers/storage/pkg/mount"
2018-01-18 16:37:41 +00:00
spec "github.com/opencontainers/runtime-spec/specs-go"
2019-02-06 19:17:25 +00:00
"github.com/opencontainers/runtime-tools/generate"
2018-01-18 16:37:41 +00:00
"github.com/opencontainers/selinux/go-selinux/label"
2018-10-16 20:30:53 +00:00
opentracing "github.com/opentracing/opentracing-go"
2018-01-18 16:37:41 +00:00
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
2018-01-18 16:46:10 +00:00
const (
// name of the directory holding the artifacts
artifactsDir = "artifacts"
)
2018-01-18 16:37:41 +00:00
// rootFsSize gets the size of the container's root filesystem
// A container FS is split into two parts. The first is the top layer, a
// mutable layer, and the rest is the RootFS: the set of immutable layers
// that make up the image on which the container is based.
func ( c * Container ) rootFsSize ( ) ( int64 , error ) {
2018-04-26 15:21:48 +00:00
if c . config . Rootfs != "" {
return 0 , nil
}
2019-03-19 09:38:56 +00:00
if c . runtime . store == nil {
return 0 , nil
}
2018-04-26 15:21:48 +00:00
2018-01-18 16:37:41 +00:00
container , err := c . runtime . store . Container ( c . ID ( ) )
if err != nil {
return 0 , err
}
// Ignore the size of the top layer. The top layer is a mutable RW layer
// and is not considered a part of the rootfs
rwLayer , err := c . runtime . store . Layer ( container . LayerID )
if err != nil {
return 0 , err
}
layer , err := c . runtime . store . Layer ( rwLayer . Parent )
if err != nil {
return 0 , err
}
size := int64 ( 0 )
for layer . Parent != "" {
layerSize , err := c . runtime . store . DiffSize ( layer . Parent , layer . ID )
if err != nil {
return size , errors . Wrapf ( err , "getting diffsize of layer %q and its parent %q" , layer . ID , layer . Parent )
}
size += layerSize
layer , err = c . runtime . store . Layer ( layer . Parent )
if err != nil {
return 0 , err
}
}
// Get the size of the last layer. Has to be outside of the loop
2018-05-25 00:50:37 +00:00
// because the parent of the last layer is "", and lstore.Get("")
2018-01-18 16:37:41 +00:00
// will return an error.
layerSize , err := c . runtime . store . DiffSize ( layer . Parent , layer . ID )
return size + layerSize , err
}
// rwSize Gets the size of the mutable top layer of the container.
func ( c * Container ) rwSize ( ) ( int64 , error ) {
2018-04-26 15:21:48 +00:00
if c . config . Rootfs != "" {
var size int64
err := filepath . Walk ( c . config . Rootfs , func ( path string , info os . FileInfo , err error ) error {
if err != nil {
return err
}
size += info . Size ( )
return nil
} )
return size , err
}
2018-01-18 16:37:41 +00:00
container , err := c . runtime . store . Container ( c . ID ( ) )
if err != nil {
return 0 , err
}
// Get the size of the top layer by calculating the size of the diff
// between the layer and its parent. The top layer of a container is
// the only RW layer, all others are immutable
layer , err := c . runtime . store . Layer ( container . LayerID )
if err != nil {
return 0 , err
}
return c . runtime . store . DiffSize ( layer . Parent , layer . ID )
}
2018-05-16 17:38:17 +00:00
// bundlePath returns the path to the container's root filesystem - where the OCI spec will be
2018-01-18 16:37:41 +00:00
// placed, amongst other things
func ( c * Container ) bundlePath ( ) string {
return c . config . StaticDir
}
2018-05-16 17:38:17 +00:00
// ControlSocketPath returns the path to the containers control socket for things like tty
// resizing
func ( c * Container ) ControlSocketPath ( ) string {
return filepath . Join ( c . bundlePath ( ) , "ctl" )
}
2018-09-18 09:56:19 +00:00
// CheckpointPath returns the path to the directory containing the checkpoint
func ( c * Container ) CheckpointPath ( ) string {
return filepath . Join ( c . bundlePath ( ) , "checkpoint" )
}
2018-05-16 17:38:17 +00:00
// AttachSocketPath retrieves the path of the container's attach socket
func ( c * Container ) AttachSocketPath ( ) string {
2019-06-19 21:08:43 +00:00
return filepath . Join ( c . ociRuntime . socketsDir , c . ID ( ) , "attach" )
2018-01-18 16:37:41 +00:00
}
2018-02-27 18:51:43 +00:00
// Get PID file path for a container's exec session
func ( c * Container ) execPidPath ( sessionID string ) string {
2018-02-27 20:36:36 +00:00
return filepath . Join ( c . state . RunDir , "exec_pid_" + sessionID )
2018-02-27 18:51:43 +00:00
}
2018-10-19 20:02:14 +00:00
// exitFilePath gets the path to the container's exit file
func ( c * Container ) exitFilePath ( ) string {
2019-06-19 21:08:43 +00:00
return filepath . Join ( c . ociRuntime . exitsDir , c . ID ( ) )
2018-10-19 20:02:14 +00:00
}
// Wait for the container's exit file to appear.
// When it does, update our state based on it.
func ( c * Container ) waitForExitFileAndSync ( ) error {
exitFile := c . exitFilePath ( )
2019-05-21 08:01:29 +00:00
chWait := make ( chan error )
defer close ( chWait )
_ , err := WaitForFile ( exitFile , chWait , time . Second * 5 )
2018-10-19 20:02:14 +00:00
if err != nil {
// Exit file did not appear
// Reset our state
c . state . ExitCode = - 1
c . state . FinishedTime = time . Now ( )
c . state . State = ContainerStateStopped
if err2 := c . save ( ) ; err2 != nil {
logrus . Errorf ( "Error saving container %s state: %v" , c . ID ( ) , err2 )
}
return err
}
2019-06-19 21:08:43 +00:00
if err := c . ociRuntime . updateContainerStatus ( c , false ) ; err != nil {
2018-10-19 20:02:14 +00:00
return err
}
return c . save ( )
}
// Handle the container exit file.
// The exit file is used to supply container exit time and exit code.
// This assumes the exit file already exists.
func ( c * Container ) handleExitFile ( exitFile string , fi os . FileInfo ) error {
c . state . FinishedTime = ctime . Created ( fi )
statusCodeStr , err := ioutil . ReadFile ( exitFile )
if err != nil {
return errors . Wrapf ( err , "failed to read exit file for container %s" , c . ID ( ) )
}
statusCode , err := strconv . Atoi ( string ( statusCodeStr ) )
if err != nil {
2018-10-29 17:20:26 +00:00
return errors . Wrapf ( err , "error converting exit status code (%q) for container %s to int" ,
c . ID ( ) , statusCodeStr )
2018-10-19 20:02:14 +00:00
}
c . state . ExitCode = int32 ( statusCode )
oomFilePath := filepath . Join ( c . bundlePath ( ) , "oom" )
if _ , err = os . Stat ( oomFilePath ) ; err == nil {
c . state . OOMKilled = true
}
c . state . Exited = true
2019-03-12 20:12:09 +00:00
// Write an event for the container's death
c . newContainerExitedEvent ( c . state . ExitCode )
2018-10-19 20:02:14 +00:00
return nil
}
2019-04-01 19:22:32 +00:00
// Handle container restart policy.
// This is called when a container has exited, and was not explicitly stopped by
// an API call to stop the container or pod it is in.
2019-05-03 14:35:48 +00:00
func ( c * Container ) handleRestartPolicy ( ctx context . Context ) ( restarted bool , err error ) {
// If we did not get a restart policy match, exit immediately.
// Do the same if we're not a policy that restarts.
if ! c . state . RestartPolicyMatch ||
c . config . RestartPolicy == RestartPolicyNo ||
c . config . RestartPolicy == RestartPolicyNone {
return false , nil
}
// If we're RestartPolicyOnFailure, we need to check retries and exit
// code.
if c . config . RestartPolicy == RestartPolicyOnFailure {
if c . state . ExitCode == 0 {
return false , nil
}
// If we don't have a max retries set, continue
if c . config . RestartRetries > 0 {
if c . state . RestartCount < c . config . RestartRetries {
logrus . Debugf ( "Container %s restart policy trigger: on retry %d (of %d)" ,
c . ID ( ) , c . state . RestartCount , c . config . RestartRetries )
} else {
2019-05-03 15:42:34 +00:00
logrus . Debugf ( "Container %s restart policy trigger: retries exhausted" , c . ID ( ) )
2019-05-03 14:35:48 +00:00
return false , nil
}
}
}
2019-04-01 19:22:32 +00:00
logrus . Debugf ( "Restarting container %s due to restart policy %s" , c . ID ( ) , c . config . RestartPolicy )
// Need to check if dependencies are alive.
if err = c . checkDependenciesAndHandleError ( ctx ) ; err != nil {
2019-05-03 14:35:48 +00:00
return false , err
2019-04-01 19:22:32 +00:00
}
2019-04-03 14:24:35 +00:00
// Is the container running again?
// If so, we don't have to do anything
if c . state . State == ContainerStateRunning || c . state . State == ContainerStatePaused {
2019-05-03 14:35:48 +00:00
return false , nil
2019-04-03 14:24:35 +00:00
} else if c . state . State == ContainerStateUnknown {
2019-05-03 14:35:48 +00:00
return false , errors . Wrapf ( ErrInternal , "invalid container state encountered in restart attempt!" )
2019-04-03 14:24:35 +00:00
}
2019-04-03 18:17:02 +00:00
c . newContainerEvent ( events . Restart )
2019-04-01 23:20:03 +00:00
// Increment restart count
c . state . RestartCount = c . state . RestartCount + 1
logrus . Debugf ( "Container %s now on retry %d" , c . ID ( ) , c . state . RestartCount )
if err := c . save ( ) ; err != nil {
2019-05-03 14:35:48 +00:00
return false , err
2019-04-01 23:20:03 +00:00
}
2019-04-01 19:22:32 +00:00
defer func ( ) {
if err != nil {
if err2 := c . cleanup ( ctx ) ; err2 != nil {
logrus . Errorf ( "error cleaning up container %s: %v" , c . ID ( ) , err2 )
}
}
} ( )
if err := c . prepare ( ) ; err != nil {
2019-05-03 14:35:48 +00:00
return false , err
2019-04-01 19:22:32 +00:00
}
if c . state . State == ContainerStateStopped {
// Reinitialize the container if we need to
2019-04-01 23:20:03 +00:00
if err := c . reinit ( ctx , true ) ; err != nil {
2019-05-03 14:35:48 +00:00
return false , err
2019-04-01 19:22:32 +00:00
}
} else if c . state . State == ContainerStateConfigured ||
c . state . State == ContainerStateExited {
// Initialize the container
2019-04-01 23:20:03 +00:00
if err := c . init ( ctx , true ) ; err != nil {
2019-05-03 14:35:48 +00:00
return false , err
2019-04-01 19:22:32 +00:00
}
}
2019-05-03 14:35:48 +00:00
if err := c . start ( ) ; err != nil {
return false , err
}
return true , nil
2019-04-01 19:22:32 +00:00
}
2018-02-28 14:29:46 +00:00
// Sync this container with on-disk state and runtime status
2018-01-18 16:37:41 +00:00
// Should only be called with container lock held
// This function should suffice to ensure a container's state is accurate and
// it is valid for use.
func ( c * Container ) syncContainer ( ) error {
if err := c . runtime . state . UpdateContainer ( c ) ; err != nil {
return err
}
2018-02-28 14:29:46 +00:00
// If runtime knows about the container, update its status in runtime
2018-01-18 16:37:41 +00:00
// And then save back to disk
if ( c . state . State != ContainerStateUnknown ) &&
2018-09-23 22:04:29 +00:00
( c . state . State != ContainerStateConfigured ) &&
( c . state . State != ContainerStateExited ) {
2018-01-18 16:37:41 +00:00
oldState := c . state . State
// TODO: optionally replace this with a stat for the exit file
2019-06-19 21:08:43 +00:00
if err := c . ociRuntime . updateContainerStatus ( c , false ) ; err != nil {
2018-01-18 16:37:41 +00:00
return err
}
// Only save back to DB if state changed
if c . state . State != oldState {
2019-04-01 19:22:32 +00:00
// Check for a restart policy match
2019-04-01 23:45:23 +00:00
if c . config . RestartPolicy != RestartPolicyNone && c . config . RestartPolicy != RestartPolicyNo &&
2019-04-01 19:22:32 +00:00
( oldState == ContainerStateRunning || oldState == ContainerStatePaused ) &&
( c . state . State == ContainerStateStopped || c . state . State == ContainerStateExited ) &&
! c . state . StoppedByUser {
c . state . RestartPolicyMatch = true
}
2018-01-18 16:37:41 +00:00
if err := c . save ( ) ; err != nil {
return err
}
}
}
if ! c . valid {
return errors . Wrapf ( ErrCtrRemoved , "container %s is not valid" , c . ID ( ) )
}
return nil
}
// Create container root filesystem for use
2018-04-18 20:48:35 +00:00
func ( c * Container ) setupStorage ( ctx context . Context ) error {
2018-10-16 20:30:53 +00:00
span , _ := opentracing . StartSpanFromContext ( ctx , "setupStorage" )
span . SetTag ( "type" , "container" )
defer span . Finish ( )
2018-01-18 16:37:41 +00:00
if ! c . valid {
return errors . Wrapf ( ErrCtrRemoved , "container %s is not valid" , c . ID ( ) )
}
if c . state . State != ContainerStateConfigured {
return errors . Wrapf ( ErrCtrStateInvalid , "container %s must be in Configured state to have storage set up" , c . ID ( ) )
}
// Need both an image ID and image name, plus a bool telling us whether to use the image configuration
2018-04-26 15:21:48 +00:00
if c . config . Rootfs == "" && ( c . config . RootfsImageID == "" || c . config . RootfsImageName == "" ) {
2018-01-18 16:37:41 +00:00
return errors . Wrapf ( ErrInvalidArg , "must provide image ID and image name to use an image" )
}
2018-10-18 19:50:11 +00:00
options := storage . ContainerOptions {
IDMappingOptions : storage . IDMappingOptions {
HostUIDMapping : true ,
HostGIDMapping : true ,
} ,
LabelOpts : c . config . LabelOpts ,
}
2018-11-16 11:51:26 +00:00
if c . config . Privileged {
privOpt := func ( opt string ) bool {
for _ , privopt := range [ ] string { "nodev" , "nosuid" , "noexec" } {
if opt == privopt {
return true
}
}
return false
}
2019-05-31 02:01:25 +00:00
defOptions , err := storage . GetMountOptions ( c . runtime . store . GraphDriverName ( ) , c . runtime . store . GraphOptions ( ) )
2018-11-16 11:51:26 +00:00
if err != nil {
return errors . Wrapf ( err , "error getting default mount options" )
}
var newOptions [ ] string
for _ , opt := range defOptions {
if ! privOpt ( opt ) {
newOptions = append ( newOptions , opt )
}
}
options . MountOpts = newOptions
}
2018-06-03 19:08:07 +00:00
2018-10-18 19:50:11 +00:00
if c . config . Rootfs == "" {
options . IDMappingOptions = c . config . IDMappings
2018-06-03 19:08:07 +00:00
}
2018-10-18 19:50:11 +00:00
containerInfo , err := c . runtime . storageService . CreateContainerStorage ( ctx , c . runtime . imageContext , c . config . RootfsImageName , c . config . RootfsImageID , c . config . Name , c . config . ID , options )
2018-01-18 16:37:41 +00:00
if err != nil {
return errors . Wrapf ( err , "error creating container storage" )
}
2019-05-01 16:49:04 +00:00
if len ( c . config . IDMappings . UIDMap ) != 0 || len ( c . config . IDMappings . GIDMap ) != 0 {
2019-03-21 11:18:42 +00:00
if err := os . Chown ( containerInfo . RunDir , c . RootUID ( ) , c . RootGID ( ) ) ; err != nil {
2018-04-24 14:41:42 +00:00
return err
}
2019-03-21 11:18:42 +00:00
if err := os . Chown ( containerInfo . Dir , c . RootUID ( ) , c . RootGID ( ) ) ; err != nil {
return err
2018-04-24 14:41:42 +00:00
}
}
2018-10-18 19:50:11 +00:00
c . config . ProcessLabel = containerInfo . ProcessLabel
c . config . MountLabel = containerInfo . MountLabel
2018-01-18 16:37:41 +00:00
c . config . StaticDir = containerInfo . Dir
c . state . RunDir = containerInfo . RunDir
2018-05-01 16:08:52 +00:00
// Set the default Entrypoint and Command
2019-03-14 20:10:25 +00:00
if containerInfo . Config != nil {
if c . config . Entrypoint == nil {
c . config . Entrypoint = containerInfo . Config . Config . Entrypoint
}
if c . config . Command == nil {
c . config . Command = containerInfo . Config . Config . Cmd
}
2018-05-23 15:33:22 +00:00
}
2018-05-01 16:08:52 +00:00
2018-01-18 16:37:41 +00:00
artifacts := filepath . Join ( c . config . StaticDir , artifactsDir )
if err := os . MkdirAll ( artifacts , 0755 ) ; err != nil {
return errors . Wrapf ( err , "error creating artifacts directory %q" , artifacts )
}
return nil
}
// Tear down a container's storage prior to removal
func ( c * Container ) teardownStorage ( ) error {
if c . state . State == ContainerStateRunning || c . state . State == ContainerStatePaused {
return errors . Wrapf ( ErrCtrStateInvalid , "cannot remove storage for container %s as it is running or paused" , c . ID ( ) )
}
artifacts := filepath . Join ( c . config . StaticDir , artifactsDir )
if err := os . RemoveAll ( artifacts ) ; err != nil {
2019-04-11 13:51:26 +00:00
return errors . Wrapf ( err , "error removing container %s artifacts %q" , c . ID ( ) , artifacts )
2018-01-18 16:37:41 +00:00
}
if err := c . cleanupStorage ( ) ; err != nil {
return errors . Wrapf ( err , "failed to cleanup container %s storage" , c . ID ( ) )
}
if err := c . runtime . storageService . DeleteContainer ( c . ID ( ) ) ; err != nil {
2018-04-01 01:27:28 +00:00
// If the container has already been removed, warn but do not
// error - we wanted it gone, it is already gone.
// Potentially another tool using containers/storage already
// removed it?
2018-05-14 14:17:24 +00:00
if err == storage . ErrNotAContainer || err == storage . ErrContainerUnknown {
2018-04-02 13:10:52 +00:00
logrus . Warnf ( "Storage for container %s already removed" , c . ID ( ) )
2018-04-01 01:27:28 +00:00
return nil
}
2018-01-18 16:37:41 +00:00
return errors . Wrapf ( err , "error removing container %s root filesystem" , c . ID ( ) )
}
return nil
}
2018-06-21 13:45:03 +00:00
// Reset resets state fields to default values
// It is performed before a refresh and clears the state after a reboot
// It does not save the results - assumes the database will do that for us
2019-01-17 14:43:34 +00:00
func resetState ( state * ContainerState ) error {
2018-06-21 13:45:03 +00:00
state . PID = 0
state . Mountpoint = ""
state . Mounted = false
2019-02-05 20:37:56 +00:00
if state . State != ContainerStateExited {
state . State = ContainerStateConfigured
}
2018-06-21 13:45:03 +00:00
state . ExecSessions = make ( map [ string ] * ExecSession )
2018-07-12 14:51:31 +00:00
state . NetworkStatus = nil
2018-06-21 13:45:03 +00:00
state . BindMounts = make ( map [ string ] string )
2019-04-01 17:30:28 +00:00
state . StoppedByUser = false
2019-04-01 19:22:32 +00:00
state . RestartPolicyMatch = false
2019-04-01 23:20:03 +00:00
state . RestartCount = 0
2018-06-21 13:45:03 +00:00
return nil
}
2018-08-23 19:13:41 +00:00
// Refresh refreshes the container's state after a restart.
// Refresh cannot perform any operations that would lock another container.
// We cannot guarantee any other container has a valid lock at the time it is
// running.
2018-01-18 16:37:41 +00:00
func ( c * Container ) refresh ( ) error {
2018-07-31 13:26:06 +00:00
// Don't need a full sync, but we do need to update from the database to
// pick up potentially-missing container state
if err := c . runtime . state . UpdateContainer ( c ) ; err != nil {
return err
}
2018-01-18 16:37:41 +00:00
if ! c . valid {
return errors . Wrapf ( ErrCtrRemoved , "container %s is not valid - may have been removed" , c . ID ( ) )
}
// We need to get the container's temporary directory from c/storage
// It was lost in the reboot and must be recreated
dir , err := c . runtime . storageService . GetRunDir ( c . ID ( ) )
if err != nil {
return errors . Wrapf ( err , "error retrieving temporary directory for container %s" , c . ID ( ) )
}
2019-03-21 11:18:42 +00:00
c . state . RunDir = dir
2018-04-24 14:41:42 +00:00
if len ( c . config . IDMappings . UIDMap ) != 0 || len ( c . config . IDMappings . GIDMap ) != 0 {
info , err := os . Stat ( c . runtime . config . TmpDir )
if err != nil {
return errors . Wrapf ( err , "cannot stat `%s`" , c . runtime . config . TmpDir )
}
if err := os . Chmod ( c . runtime . config . TmpDir , info . Mode ( ) | 0111 ) ; err != nil {
return errors . Wrapf ( err , "cannot chmod `%s`" , c . runtime . config . TmpDir )
}
root := filepath . Join ( c . runtime . config . TmpDir , "containers-root" , c . ID ( ) )
if err := os . MkdirAll ( root , 0755 ) ; err != nil {
return errors . Wrapf ( err , "error creating userNS tmpdir for container %s" , c . ID ( ) )
}
if err := os . Chown ( root , c . RootUID ( ) , c . RootGID ( ) ) ; err != nil {
return err
}
}
2018-01-18 16:37:41 +00:00
2018-08-23 19:13:41 +00:00
// We need to pick up a new lock
2019-05-06 17:44:01 +00:00
lock , err := c . runtime . lockManager . AllocateAndRetrieveLock ( c . config . LockID )
2018-08-23 19:13:41 +00:00
if err != nil {
2019-06-21 20:00:39 +00:00
return errors . Wrapf ( err , "error acquiring lock %d for container %s" , c . config . LockID , c . ID ( ) )
2018-08-23 19:13:41 +00:00
}
c . lock = lock
2018-04-24 14:41:42 +00:00
if err := c . save ( ) ; err != nil {
2018-01-18 16:37:41 +00:00
return errors . Wrapf ( err , "error refreshing state for container %s" , c . ID ( ) )
}
2018-03-13 15:49:24 +00:00
// Remove ctl and attach files, which may persist across reboot
if err := c . removeConmonFiles ( ) ; err != nil {
return err
}
return nil
}
// Remove conmon attach socket and terminal resize FIFO
// This is necessary for restarting containers
func ( c * Container ) removeConmonFiles ( ) error {
// Files are allowed to not exist, so ignore ENOENT
attachFile := filepath . Join ( c . bundlePath ( ) , "attach" )
if err := os . Remove ( attachFile ) ; err != nil && ! os . IsNotExist ( err ) {
return errors . Wrapf ( err , "error removing container %s attach file" , c . ID ( ) )
}
ctlFile := filepath . Join ( c . bundlePath ( ) , "ctl" )
if err := os . Remove ( ctlFile ) ; err != nil && ! os . IsNotExist ( err ) {
return errors . Wrapf ( err , "error removing container %s ctl file" , c . ID ( ) )
}
oomFile := filepath . Join ( c . bundlePath ( ) , "oom" )
if err := os . Remove ( oomFile ) ; err != nil && ! os . IsNotExist ( err ) {
return errors . Wrapf ( err , "error removing container %s OOM file" , c . ID ( ) )
}
2019-02-12 17:57:11 +00:00
// Instead of outright deleting the exit file, rename it (if it exists).
// We want to retain it so we can get the exit code of containers which
// are removed (at least until we have a workable events system)
2019-06-19 21:08:43 +00:00
exitFile := filepath . Join ( c . ociRuntime . exitsDir , c . ID ( ) )
oldExitFile := filepath . Join ( c . ociRuntime . exitsDir , fmt . Sprintf ( "%s-old" , c . ID ( ) ) )
2019-02-12 17:57:11 +00:00
if _ , err := os . Stat ( exitFile ) ; err != nil {
if ! os . IsNotExist ( err ) {
return errors . Wrapf ( err , "error running stat on container %s exit file" , c . ID ( ) )
}
} else if err == nil {
// Rename should replace the old exit file (if it exists)
if err := os . Rename ( exitFile , oldExitFile ) ; err != nil {
return errors . Wrapf ( err , "error renaming container %s exit file" , c . ID ( ) )
}
2018-03-13 15:49:24 +00:00
}
2018-01-18 16:37:41 +00:00
return nil
}
func ( c * Container ) export ( path string ) error {
mountPoint := c . state . Mountpoint
if ! c . state . Mounted {
mount , err := c . runtime . store . Mount ( c . ID ( ) , c . config . MountLabel )
if err != nil {
return errors . Wrapf ( err , "error mounting container %q" , c . ID ( ) )
}
mountPoint = mount
defer func ( ) {
2018-07-08 11:55:30 +00:00
if _ , err := c . runtime . store . Unmount ( c . ID ( ) , false ) ; err != nil {
2018-01-18 16:37:41 +00:00
logrus . Errorf ( "error unmounting container %q: %v" , c . ID ( ) , err )
}
} ( )
}
input , err := archive . Tar ( mountPoint , archive . Uncompressed )
if err != nil {
return errors . Wrapf ( err , "error reading container directory %q" , c . ID ( ) )
}
outFile , err := os . Create ( path )
if err != nil {
return errors . Wrapf ( err , "error creating file %q" , path )
}
defer outFile . Close ( )
_ , err = io . Copy ( outFile , input )
return err
}
// Get path of artifact with a given name for this container
func ( c * Container ) getArtifactPath ( name string ) string {
return filepath . Join ( c . config . StaticDir , artifactsDir , name )
}
// Used with Wait() to determine if a container has exited
func ( c * Container ) isStopped ( ) ( bool , error ) {
2018-04-14 21:32:49 +00:00
if ! c . batched {
2018-01-18 16:37:41 +00:00
c . lock . Lock ( )
defer c . lock . Unlock ( )
}
err := c . syncContainer ( )
if err != nil {
return true , err
}
2019-01-16 15:33:01 +00:00
return ( c . state . State != ContainerStateRunning && c . state . State != ContainerStatePaused ) , nil
2018-01-18 16:37:41 +00:00
}
// save container state to the database
func ( c * Container ) save ( ) error {
if err := c . runtime . state . SaveContainer ( c ) ; err != nil {
return errors . Wrapf ( err , "error saving container %s state" , c . ID ( ) )
}
return nil
}
2019-02-15 21:39:24 +00:00
// Checks the container is in the right state, then initializes the container in preparation to start the container.
// If recursive is true, each of the containers dependencies will be started.
// Otherwise, this function will return with error if there are dependencies of this container that aren't running.
func ( c * Container ) prepareToStart ( ctx context . Context , recursive bool ) ( err error ) {
// Container must be created or stopped to be started
if ! ( c . state . State == ContainerStateConfigured ||
c . state . State == ContainerStateCreated ||
c . state . State == ContainerStateStopped ||
c . state . State == ContainerStateExited ) {
return errors . Wrapf ( ErrCtrStateInvalid , "container %s must be in Created or Stopped state to be started" , c . ID ( ) )
}
if ! recursive {
if err := c . checkDependenciesAndHandleError ( ctx ) ; err != nil {
return err
}
} else {
if err := c . startDependencies ( ctx ) ; err != nil {
return err
}
}
defer func ( ) {
if err != nil {
if err2 := c . cleanup ( ctx ) ; err2 != nil {
logrus . Errorf ( "error cleaning up container %s: %v" , c . ID ( ) , err2 )
}
}
} ( )
if err := c . prepare ( ) ; err != nil {
return err
}
if c . state . State == ContainerStateStopped {
// Reinitialize the container if we need to
2019-04-01 23:20:03 +00:00
if err := c . reinit ( ctx , false ) ; err != nil {
2019-02-15 21:39:24 +00:00
return err
}
} else if c . state . State == ContainerStateConfigured ||
c . state . State == ContainerStateExited {
// Or initialize it if necessary
2019-04-01 23:20:03 +00:00
if err := c . init ( ctx , false ) ; err != nil {
2019-02-15 21:39:24 +00:00
return err
}
}
return nil
}
// checks dependencies are running and prints a helpful message
func ( c * Container ) checkDependenciesAndHandleError ( ctx context . Context ) error {
notRunning , err := c . checkDependenciesRunning ( )
if err != nil {
return errors . Wrapf ( err , "error checking dependencies for container %s" , c . ID ( ) )
}
if len ( notRunning ) > 0 {
depString := strings . Join ( notRunning , "," )
return errors . Wrapf ( ErrCtrStateInvalid , "some dependencies of container %s are not started: %s" , c . ID ( ) , depString )
}
return nil
}
// Recursively start all dependencies of a container so the container can be started.
func ( c * Container ) startDependencies ( ctx context . Context ) error {
depCtrIDs := c . Dependencies ( )
if len ( depCtrIDs ) == 0 {
return nil
}
depVisitedCtrs := make ( map [ string ] * Container )
if err := c . getAllDependencies ( depVisitedCtrs ) ; err != nil {
return errors . Wrapf ( err , "error starting dependency for container %s" , c . ID ( ) )
}
// Because of how Go handles passing slices through functions, a slice cannot grow between function calls
// without clunky syntax. Circumnavigate this by translating the map to a slice for buildContainerGraph
depCtrs := make ( [ ] * Container , 0 )
for _ , ctr := range depVisitedCtrs {
depCtrs = append ( depCtrs , ctr )
}
// Build a dependency graph of containers
graph , err := buildContainerGraph ( depCtrs )
if err != nil {
return errors . Wrapf ( err , "error generating dependency graph for container %s" , c . ID ( ) )
}
// If there are no containers without dependencies, we can't start
// Error out
if len ( graph . noDepNodes ) == 0 {
2019-02-19 14:27:26 +00:00
// we have no dependencies that need starting, go ahead and return
if len ( graph . nodes ) == 0 {
return nil
}
2019-02-15 21:39:24 +00:00
return errors . Wrapf ( ErrNoSuchCtr , "All dependencies have dependencies of %s" , c . ID ( ) )
}
2019-02-19 14:27:26 +00:00
ctrErrors := make ( map [ string ] error )
ctrsVisited := make ( map [ string ] bool )
2019-02-15 21:39:24 +00:00
// Traverse the graph beginning at nodes with no dependencies
for _ , node := range graph . noDepNodes {
startNode ( ctx , node , false , ctrErrors , ctrsVisited , true )
}
if len ( ctrErrors ) > 0 {
logrus . Errorf ( "error starting some container dependencies" )
for _ , e := range ctrErrors {
logrus . Errorf ( "%q" , e )
}
return errors . Wrapf ( ErrInternal , "error starting some containers" )
}
return nil
}
// getAllDependencies is a precursor to starting dependencies.
// To start a container with all of its dependencies, we need to recursively find all dependencies
// a container has, as well as each of those containers' dependencies, and so on
// To do so, keep track of containers already visisted (so there aren't redundant state lookups),
// and recursively search until we have reached the leafs of every dependency node.
// Since we need to start all dependencies for our original container to successfully start, we propegate any errors
// in looking up dependencies.
// Note: this function is currently meant as a robust solution to a narrow problem: start an infra-container when
// a container in the pod is run. It has not been tested for performance past one level, so expansion of recursive start
// must be tested first.
func ( c * Container ) getAllDependencies ( visited map [ string ] * Container ) error {
depIDs := c . Dependencies ( )
if len ( depIDs ) == 0 {
return nil
}
for _ , depID := range depIDs {
if _ , ok := visited [ depID ] ; ! ok {
2019-04-12 14:21:45 +00:00
dep , err := c . runtime . state . Container ( depID )
2019-02-15 21:39:24 +00:00
if err != nil {
return err
}
2019-02-19 14:27:26 +00:00
status , err := dep . State ( )
if err != nil {
2019-02-15 21:39:24 +00:00
return err
}
2019-02-19 14:27:26 +00:00
// if the dependency is already running, we can assume its dependencies are also running
// so no need to add them to those we need to start
if status != ContainerStateRunning {
visited [ depID ] = dep
if err := dep . getAllDependencies ( visited ) ; err != nil {
return err
}
}
2019-02-15 21:39:24 +00:00
}
}
return nil
}
2018-04-02 16:23:19 +00:00
// Check if a container's dependencies are running
// Returns a []string containing the IDs of dependencies that are not running
func ( c * Container ) checkDependenciesRunning ( ) ( [ ] string , error ) {
2018-04-01 00:53:05 +00:00
deps := c . Dependencies ( )
2018-04-02 16:23:19 +00:00
notRunning := [ ] string { }
// We were not passed a set of dependency containers
// Make it ourselves
2018-04-01 00:53:05 +00:00
depCtrs := make ( map [ string ] * Container , len ( deps ) )
for _ , dep := range deps {
// Get the dependency container
depCtr , err := c . runtime . state . Container ( dep )
if err != nil {
2018-04-02 16:23:19 +00:00
return nil , errors . Wrapf ( err , "error retrieving dependency %s of container %s from state" , dep , c . ID ( ) )
2018-04-01 00:53:05 +00:00
}
// Check the status
state , err := depCtr . State ( )
if err != nil {
2018-04-02 16:23:19 +00:00
return nil , errors . Wrapf ( err , "error retrieving state of dependency %s of container %s" , dep , c . ID ( ) )
2018-04-01 00:53:05 +00:00
}
if state != ContainerStateRunning {
2018-04-02 16:23:19 +00:00
notRunning = append ( notRunning , dep )
2018-04-01 00:53:05 +00:00
}
depCtrs [ dep ] = depCtr
2018-04-02 16:23:19 +00:00
}
return notRunning , nil
}
// Check if a container's dependencies are running
// Returns a []string containing the IDs of dependencies that are not running
// Assumes depencies are already locked, and will be passed in
// Accepts a map[string]*Container containing, at a minimum, the locked
// dependency containers
// (This must be a map from container ID to container)
func ( c * Container ) checkDependenciesRunningLocked ( depCtrs map [ string ] * Container ) ( [ ] string , error ) {
deps := c . Dependencies ( )
notRunning := [ ] string { }
for _ , dep := range deps {
depCtr , ok := depCtrs [ dep ]
if ! ok {
return nil , errors . Wrapf ( ErrNoSuchCtr , "container %s depends on container %s but it is not on containers passed to checkDependenciesRunning" , c . ID ( ) , dep )
}
2018-04-01 00:53:05 +00:00
2018-04-02 16:23:19 +00:00
if err := c . syncContainer ( ) ; err != nil {
return nil , err
}
if depCtr . state . State != ContainerStateRunning {
notRunning = append ( notRunning , dep )
}
2018-04-01 00:53:05 +00:00
}
2018-04-02 16:23:19 +00:00
return notRunning , nil
}
2018-04-20 16:59:19 +00:00
func ( c * Container ) completeNetworkSetup ( ) error {
2018-12-06 19:56:57 +00:00
netDisabled , err := c . NetworkDisabled ( )
if err != nil {
return err
}
if ! c . config . PostConfigureNetNS || netDisabled {
2018-04-20 16:59:19 +00:00
return nil
}
if err := c . syncContainer ( ) ; err != nil {
return err
}
2018-11-26 20:31:06 +00:00
if c . config . NetMode == "slirp4netns" {
2018-07-25 13:15:13 +00:00
return c . runtime . setupRootlessNetNS ( c )
}
2018-04-20 16:59:19 +00:00
return c . runtime . setupNetNS ( c )
}
2018-04-02 16:23:19 +00:00
// Initialize a container, creating it in the runtime
2019-04-01 23:20:03 +00:00
func ( c * Container ) init ( ctx context . Context , retainRetries bool ) error {
2018-10-16 20:30:53 +00:00
span , _ := opentracing . StartSpanFromContext ( ctx , "init" )
span . SetTag ( "struct" , "container" )
defer span . Finish ( )
2018-03-12 19:32:10 +00:00
// Generate the OCI spec
2018-04-18 20:48:35 +00:00
spec , err := c . generateSpec ( ctx )
2018-03-12 19:32:10 +00:00
if err != nil {
return err
}
// Save the OCI spec to disk
if err := c . saveSpec ( spec ) ; err != nil {
return err
}
// With the spec complete, do an OCI create
2019-06-19 21:08:43 +00:00
if err := c . ociRuntime . createContainer ( c , c . config . CgroupParent , nil ) ; err != nil {
2018-03-12 19:32:10 +00:00
return err
}
logrus . Debugf ( "Created container %s in OCI runtime" , c . ID ( ) )
2018-09-23 22:04:29 +00:00
c . state . ExitCode = 0
c . state . Exited = false
2018-03-12 19:32:10 +00:00
c . state . State = ContainerStateCreated
2019-04-01 17:30:28 +00:00
c . state . StoppedByUser = false
2019-04-01 19:22:32 +00:00
c . state . RestartPolicyMatch = false
2018-03-12 19:32:10 +00:00
2019-04-01 23:20:03 +00:00
if ! retainRetries {
c . state . RestartCount = 0
}
2018-04-20 16:59:19 +00:00
if err := c . save ( ) ; err != nil {
return err
}
2019-03-14 20:14:18 +00:00
if c . config . HealthCheckConfig != nil {
if err := c . createTimer ( ) ; err != nil {
logrus . Error ( err )
}
}
2019-02-28 20:15:56 +00:00
defer c . newContainerEvent ( events . Init )
2018-04-20 16:59:19 +00:00
return c . completeNetworkSetup ( )
2018-03-12 19:32:10 +00:00
}
2018-09-23 22:04:29 +00:00
// Clean up a container in the OCI runtime.
// Deletes the container in the runtime, and resets its state to Exited.
// The container can be restarted cleanly after this.
func ( c * Container ) cleanupRuntime ( ctx context . Context ) error {
2018-10-16 20:30:53 +00:00
span , _ := opentracing . StartSpanFromContext ( ctx , "cleanupRuntime" )
span . SetTag ( "struct" , "container" )
defer span . Finish ( )
2019-04-29 14:37:50 +00:00
// If the container is not ContainerStateStopped or
// ContainerStateCreated, do nothing.
if c . state . State != ContainerStateStopped && c . state . State != ContainerStateCreated {
2018-09-23 22:04:29 +00:00
return nil
}
2018-03-15 14:14:57 +00:00
2018-03-14 19:14:49 +00:00
// If necessary, delete attach and ctl files
if err := c . removeConmonFiles ( ) ; err != nil {
return err
}
2018-05-31 18:47:17 +00:00
if err := c . delete ( ctx ) ; err != nil {
return err
2018-03-14 19:14:49 +00:00
}
2018-05-31 18:47:17 +00:00
2019-04-29 14:37:50 +00:00
// If we were Stopped, we are now Exited, as we've removed ourself
// from the runtime.
// If we were Created, we are now Configured.
if c . state . State == ContainerStateStopped {
c . state . State = ContainerStateExited
} else if c . state . State == ContainerStateCreated {
c . state . State = ContainerStateConfigured
}
2018-10-02 17:39:33 +00:00
if c . valid {
if err := c . save ( ) ; err != nil {
return err
}
2018-03-14 19:14:49 +00:00
}
2018-03-15 14:14:57 +00:00
logrus . Debugf ( "Successfully cleaned up container %s" , c . ID ( ) )
2018-09-23 22:04:29 +00:00
return nil
}
// Reinitialize a container.
// Deletes and recreates a container in the runtime.
// Should only be done on ContainerStateStopped containers.
// Not necessary for ContainerStateExited - the container has already been
// removed from the runtime, so init() can proceed freely.
2019-04-01 23:20:03 +00:00
func ( c * Container ) reinit ( ctx context . Context , retainRetries bool ) error {
2018-10-16 20:30:53 +00:00
span , _ := opentracing . StartSpanFromContext ( ctx , "reinit" )
span . SetTag ( "struct" , "container" )
defer span . Finish ( )
2018-09-23 22:04:29 +00:00
logrus . Debugf ( "Recreating container %s in OCI runtime" , c . ID ( ) )
if err := c . cleanupRuntime ( ctx ) ; err != nil {
return err
}
2018-03-14 19:14:49 +00:00
// Initialize the container again
2019-04-01 23:20:03 +00:00
return c . init ( ctx , retainRetries )
2018-03-14 19:14:49 +00:00
}
2018-03-12 19:32:10 +00:00
// Initialize (if necessary) and start a container
// Performs all necessary steps to start a container that is not running
// Does not lock or check validity
2018-04-18 20:48:35 +00:00
func ( c * Container ) initAndStart ( ctx context . Context ) ( err error ) {
2018-03-12 19:32:10 +00:00
// If we are ContainerStateUnknown, throw an error
if c . state . State == ContainerStateUnknown {
return errors . Wrapf ( ErrCtrStateInvalid , "container %s is in an unknown state" , c . ID ( ) )
}
// If we are running, do nothing
if c . state . State == ContainerStateRunning {
return nil
}
// If we are paused, throw an error
if c . state . State == ContainerStatePaused {
return errors . Wrapf ( ErrCtrStateInvalid , "cannot start paused container %s" , c . ID ( ) )
}
defer func ( ) {
if err != nil {
2018-09-23 22:04:29 +00:00
if err2 := c . cleanup ( ctx ) ; err2 != nil {
2018-03-14 19:14:49 +00:00
logrus . Errorf ( "error cleaning up container %s: %v" , c . ID ( ) , err2 )
2018-03-12 19:32:10 +00:00
}
}
} ( )
2018-11-07 16:44:33 +00:00
if err := c . prepare ( ) ; err != nil {
return err
}
2018-03-13 15:49:24 +00:00
// If we are ContainerStateStopped we need to remove from runtime
// And reset to ContainerStateConfigured
if c . state . State == ContainerStateStopped {
2018-03-15 14:14:57 +00:00
logrus . Debugf ( "Recreating container %s in OCI runtime" , c . ID ( ) )
2019-04-01 23:20:03 +00:00
if err := c . reinit ( ctx , false ) ; err != nil {
2018-03-13 15:49:24 +00:00
return err
}
2018-09-23 22:04:29 +00:00
} else if c . state . State == ContainerStateConfigured ||
c . state . State == ContainerStateExited {
2019-04-01 23:20:03 +00:00
if err := c . init ( ctx , false ) ; err != nil {
2018-03-12 19:32:10 +00:00
return err
}
}
// Now start the container
return c . start ( )
}
// Internal, non-locking function to start a container
func ( c * Container ) start ( ) error {
2019-01-02 17:11:50 +00:00
if c . config . Spec . Process != nil {
logrus . Debugf ( "Starting container %s with command %v" , c . ID ( ) , c . config . Spec . Process . Args )
}
2019-06-19 21:08:43 +00:00
if err := c . ociRuntime . startContainer ( c ) ; err != nil {
2018-03-12 19:32:10 +00:00
return err
}
logrus . Debugf ( "Started container %s" , c . ID ( ) )
c . state . State = ContainerStateRunning
2019-03-14 20:14:18 +00:00
if c . config . HealthCheckConfig != nil {
if err := c . updateHealthStatus ( HealthCheckStarting ) ; err != nil {
logrus . Error ( err )
}
if err := c . startTimer ( ) ; err != nil {
logrus . Error ( err )
}
}
2019-03-12 20:12:09 +00:00
defer c . newContainerEvent ( events . Start )
2018-03-12 19:32:10 +00:00
return c . save ( )
}
2018-01-29 16:59:33 +00:00
// Internal, non-locking function to stop container
func ( c * Container ) stop ( timeout uint ) error {
2019-03-05 23:11:28 +00:00
logrus . Debugf ( "Stopping ctr %s (timeout %d)" , c . ID ( ) , timeout )
2018-01-29 16:59:33 +00:00
2019-06-19 21:08:43 +00:00
if err := c . ociRuntime . stopContainer ( c , timeout ) ; err != nil {
2018-01-29 16:59:33 +00:00
return err
}
2019-04-01 17:30:28 +00:00
c . state . StoppedByUser = true
if err := c . save ( ) ; err != nil {
return errors . Wrapf ( err , "error saving container %s state after stopping" , c . ID ( ) )
}
2018-10-19 20:02:14 +00:00
// Wait until we have an exit file, and sync once we do
return c . waitForExitFileAndSync ( )
2018-01-29 16:59:33 +00:00
}
2018-06-21 13:45:03 +00:00
// Internal, non-locking function to pause a container
func ( c * Container ) pause ( ) error {
2019-06-19 21:08:43 +00:00
if err := c . ociRuntime . pauseContainer ( c ) ; err != nil {
2018-06-21 13:45:03 +00:00
return err
}
logrus . Debugf ( "Paused container %s" , c . ID ( ) )
c . state . State = ContainerStatePaused
return c . save ( )
}
// Internal, non-locking function to unpause a container
func ( c * Container ) unpause ( ) error {
2019-06-19 21:08:43 +00:00
if err := c . ociRuntime . unpauseContainer ( c ) ; err != nil {
2018-06-21 13:45:03 +00:00
return err
}
logrus . Debugf ( "Unpaused container %s" , c . ID ( ) )
c . state . State = ContainerStateRunning
return c . save ( )
}
2018-07-23 19:56:12 +00:00
// Internal, non-locking function to restart a container
func ( c * Container ) restartWithTimeout ( ctx context . Context , timeout uint ) ( err error ) {
if c . state . State == ContainerStateUnknown || c . state . State == ContainerStatePaused {
return errors . Wrapf ( ErrCtrStateInvalid , "unable to restart a container in a paused or unknown state" )
}
2019-04-03 18:17:02 +00:00
c . newContainerEvent ( events . Restart )
2018-07-23 19:56:12 +00:00
if c . state . State == ContainerStateRunning {
if err := c . stop ( timeout ) ; err != nil {
return err
}
}
defer func ( ) {
if err != nil {
2018-09-23 22:04:29 +00:00
if err2 := c . cleanup ( ctx ) ; err2 != nil {
2018-07-23 19:56:12 +00:00
logrus . Errorf ( "error cleaning up container %s: %v" , c . ID ( ) , err2 )
}
}
} ( )
2018-11-07 16:44:33 +00:00
if err := c . prepare ( ) ; err != nil {
return err
}
2018-07-23 19:56:12 +00:00
if c . state . State == ContainerStateStopped {
// Reinitialize the container if we need to
2019-04-01 23:20:03 +00:00
if err := c . reinit ( ctx , false ) ; err != nil {
2018-07-23 19:56:12 +00:00
return err
}
2018-09-23 22:04:29 +00:00
} else if c . state . State == ContainerStateConfigured ||
c . state . State == ContainerStateExited {
// Initialize the container
2019-04-01 23:20:03 +00:00
if err := c . init ( ctx , false ) ; err != nil {
2018-07-23 19:56:12 +00:00
return err
}
}
return c . start ( )
}
2018-01-18 16:37:41 +00:00
// mountStorage sets up the container's root filesystem
// It mounts the image and any other requested mounts
// TODO: Add ability to override mount label so we can use this for Mount() too
// TODO: Can we use this for export? Copying SHM into the export might not be
// good
2018-10-17 18:43:36 +00:00
func ( c * Container ) mountStorage ( ) ( string , error ) {
var err error
2018-01-18 16:37:41 +00:00
// Container already mounted, nothing to do
if c . state . Mounted {
2018-10-17 18:43:36 +00:00
return c . state . Mountpoint , nil
2018-01-18 16:37:41 +00:00
}
2018-11-08 11:14:46 +00:00
mounted , err := mount . Mounted ( c . config . ShmDir )
if err != nil {
return "" , errors . Wrapf ( err , "unable to determine if %q is mounted" , c . config . ShmDir )
}
2018-06-01 11:10:14 +00:00
2018-12-24 11:55:24 +00:00
if ! mounted && ! MountExists ( c . config . Spec . Mounts , "/dev/shm" ) {
2018-11-08 11:14:46 +00:00
shmOptions := fmt . Sprintf ( "mode=1777,size=%d" , c . config . ShmSize )
if err := c . mountSHM ( shmOptions ) ; err != nil {
return "" , err
}
2018-04-24 00:42:53 +00:00
if err := os . Chown ( c . config . ShmDir , c . RootUID ( ) , c . RootGID ( ) ) ; err != nil {
2018-10-17 18:43:36 +00:00
return "" , errors . Wrapf ( err , "failed to chown %s" , c . config . ShmDir )
2018-04-24 00:42:53 +00:00
}
2018-01-18 16:37:41 +00:00
}
2018-11-08 11:14:46 +00:00
// TODO: generalize this mount code so it will mount every mount in ctr.config.Mounts
2018-04-26 15:21:48 +00:00
mountPoint := c . config . Rootfs
if mountPoint == "" {
2018-07-19 20:59:42 +00:00
mountPoint , err = c . mount ( )
2018-04-26 15:21:48 +00:00
if err != nil {
2018-10-17 18:43:36 +00:00
return "" , err
2018-04-26 15:21:48 +00:00
}
2018-01-18 16:37:41 +00:00
}
2018-10-17 18:43:36 +00:00
return mountPoint , nil
2018-01-18 16:37:41 +00:00
}
// cleanupStorage unmounts and cleans up the container's root filesystem
func ( c * Container ) cleanupStorage ( ) error {
if ! c . state . Mounted {
// Already unmounted, do nothing
2019-03-05 23:11:28 +00:00
logrus . Debugf ( "Container %s storage is already unmounted, skipping..." , c . ID ( ) )
2018-01-18 16:37:41 +00:00
return nil
}
2019-03-05 23:11:28 +00:00
2018-01-18 16:37:41 +00:00
for _ , mount := range c . config . Mounts {
2018-07-04 15:51:20 +00:00
if err := c . unmountSHM ( mount ) ; err != nil {
return err
2018-01-18 16:37:41 +00:00
}
}
2019-03-05 23:11:28 +00:00
2018-04-26 15:21:48 +00:00
if c . config . Rootfs != "" {
return nil
}
2018-01-18 16:37:41 +00:00
2018-07-30 13:04:18 +00:00
if err := c . unmount ( false ) ; err != nil {
2018-05-14 14:17:24 +00:00
// If the container has already been removed, warn but don't
// error
// We still want to be able to kick the container out of the
// state
2019-03-11 09:08:31 +00:00
if errors . Cause ( err ) == storage . ErrNotAContainer || errors . Cause ( err ) == storage . ErrContainerUnknown {
2018-05-14 14:17:24 +00:00
logrus . Errorf ( "Storage for container %s has been removed" , c . ID ( ) )
return nil
}
2018-07-19 20:59:42 +00:00
return err
2018-01-18 16:37:41 +00:00
}
c . state . Mountpoint = ""
c . state . Mounted = false
2018-06-04 21:31:49 +00:00
if c . valid {
return c . save ( )
}
return nil
2018-01-18 16:37:41 +00:00
}
2018-03-14 19:14:49 +00:00
// Unmount the a container and free its resources
2018-09-23 22:04:29 +00:00
func ( c * Container ) cleanup ( ctx context . Context ) error {
2018-03-14 19:14:49 +00:00
var lastError error
2018-10-16 20:30:53 +00:00
span , _ := opentracing . StartSpanFromContext ( ctx , "cleanup" )
span . SetTag ( "struct" , "container" )
defer span . Finish ( )
2018-05-09 20:33:31 +00:00
logrus . Debugf ( "Cleaning up container %s" , c . ID ( ) )
2019-03-14 20:14:18 +00:00
// Remove healthcheck unit/timer file if it execs
if c . config . HealthCheckConfig != nil {
if err := c . removeTimer ( ) ; err != nil {
2019-04-11 13:51:26 +00:00
logrus . Errorf ( "Error removing timer for container %s healthcheck: %v" , c . ID ( ) , err )
2019-03-14 20:14:18 +00:00
}
}
2018-03-14 19:14:49 +00:00
// Clean up network namespace, if present
if err := c . cleanupNetwork ( ) ; err != nil {
2019-04-11 13:51:26 +00:00
lastError = errors . Wrapf ( err , "error removing container %s network" , c . ID ( ) )
2018-03-14 19:14:49 +00:00
}
// Unmount storage
if err := c . cleanupStorage ( ) ; err != nil {
if lastError != nil {
logrus . Errorf ( "Error unmounting container %s storage: %v" , c . ID ( ) , err )
} else {
2019-04-11 13:51:26 +00:00
lastError = errors . Wrapf ( err , "error unmounting container %s storage" , c . ID ( ) )
2018-03-14 19:14:49 +00:00
}
}
2018-09-23 22:04:29 +00:00
// Remove the container from the runtime, if necessary
if err := c . cleanupRuntime ( ctx ) ; err != nil {
if lastError != nil {
logrus . Errorf ( "Error removing container %s from OCI runtime: %v" , c . ID ( ) , err )
} else {
lastError = err
}
}
2018-03-14 19:14:49 +00:00
return lastError
}
2018-05-31 18:47:17 +00:00
// delete deletes the container and runs any configured poststop
// hooks.
func ( c * Container ) delete ( ctx context . Context ) ( err error ) {
2018-10-16 20:30:53 +00:00
span , _ := opentracing . StartSpanFromContext ( ctx , "delete" )
span . SetTag ( "struct" , "container" )
defer span . Finish ( )
2019-06-19 21:08:43 +00:00
if err := c . ociRuntime . deleteContainer ( c ) ; err != nil {
2018-05-31 18:47:17 +00:00
return errors . Wrapf ( err , "error removing container %s from runtime" , c . ID ( ) )
}
if err := c . postDeleteHooks ( ctx ) ; err != nil {
return errors . Wrapf ( err , "container %s poststop hooks" , c . ID ( ) )
}
return nil
}
// postDeleteHooks runs the poststop hooks (if any) as specified by
// the OCI Runtime Specification (which requires them to run
// post-delete, despite the stage name).
func ( c * Container ) postDeleteHooks ( ctx context . Context ) ( err error ) {
2018-10-16 20:30:53 +00:00
span , _ := opentracing . StartSpanFromContext ( ctx , "postDeleteHooks" )
span . SetTag ( "struct" , "container" )
defer span . Finish ( )
2018-05-31 18:47:17 +00:00
if c . state . ExtensionStageHooks != nil {
extensionHooks , ok := c . state . ExtensionStageHooks [ "poststop" ]
if ok {
state , err := json . Marshal ( spec . State {
Version : spec . Version ,
ID : c . ID ( ) ,
Status : "stopped" ,
Bundle : c . bundlePath ( ) ,
Annotations : c . config . Spec . Annotations ,
} )
if err != nil {
return err
}
for i , hook := range extensionHooks {
2018-06-18 17:19:48 +00:00
logrus . Debugf ( "container %s: invoke poststop hook %d, path %s" , c . ID ( ) , i , hook . Path )
2018-05-31 18:47:17 +00:00
var stderr , stdout bytes . Buffer
hookErr , err := exec . Run ( ctx , & hook , state , & stdout , & stderr , exec . DefaultPostKillTimeout )
if err != nil {
logrus . Warnf ( "container %s: poststop hook %d: %v" , c . ID ( ) , i , err )
if hookErr != err {
logrus . Debugf ( "container %s: poststop hook %d (hook error): %v" , c . ID ( ) , i , hookErr )
}
stdoutString := stdout . String ( )
if stdoutString != "" {
logrus . Debugf ( "container %s: poststop hook %d: stdout:\n%s" , c . ID ( ) , i , stdoutString )
}
stderrString := stderr . String ( )
if stderrString != "" {
logrus . Debugf ( "container %s: poststop hook %d: stderr:\n%s" , c . ID ( ) , i , stderrString )
}
}
}
}
}
return nil
}
2018-03-07 16:17:42 +00:00
// writeStringToRundir copies the provided file to the runtimedir
func ( c * Container ) writeStringToRundir ( destFile , output string ) ( string , error ) {
2018-01-19 14:51:59 +00:00
destFileName := filepath . Join ( c . state . RunDir , destFile )
2018-04-24 14:41:42 +00:00
if err := os . Remove ( destFileName ) ; err != nil && ! os . IsNotExist ( err ) {
return "" , errors . Wrapf ( err , "error removing %s for container %s" , destFile , c . ID ( ) )
}
2018-01-19 14:51:59 +00:00
f , err := os . Create ( destFileName )
if err != nil {
return "" , errors . Wrapf ( err , "unable to create %s" , destFileName )
}
defer f . Close ( )
2018-06-11 14:03:34 +00:00
if err := f . Chown ( c . RootUID ( ) , c . RootGID ( ) ) ; err != nil {
return "" , err
2018-04-24 00:42:53 +00:00
}
if _ , err := f . WriteString ( output ) ; err != nil {
2018-01-19 14:51:59 +00:00
return "" , errors . Wrapf ( err , "unable to write %s" , destFileName )
2018-01-18 16:37:41 +00:00
}
// Relabel runDirResolv for the container
if err := label . Relabel ( destFileName , c . config . MountLabel , false ) ; err != nil {
return "" , err
}
2018-04-24 14:41:42 +00:00
2019-03-21 11:18:42 +00:00
return filepath . Join ( c . state . RunDir , destFile ) , nil
2018-01-18 16:37:41 +00:00
}
2018-01-19 14:51:59 +00:00
2019-03-04 03:54:41 +00:00
// appendStringToRundir appends the provided string to the runtimedir file
func ( c * Container ) appendStringToRundir ( destFile , output string ) ( string , error ) {
destFileName := filepath . Join ( c . state . RunDir , destFile )
f , err := os . OpenFile ( destFileName , os . O_APPEND | os . O_WRONLY , 0600 )
if err != nil {
return "" , errors . Wrapf ( err , "unable to open %s" , destFileName )
}
defer f . Close ( )
if _ , err := f . WriteString ( output ) ; err != nil {
return "" , errors . Wrapf ( err , "unable to write %s" , destFileName )
}
2019-03-21 11:18:42 +00:00
return filepath . Join ( c . state . RunDir , destFile ) , nil
2019-03-04 03:54:41 +00:00
}
2019-02-06 19:22:46 +00:00
// saveSpec saves the OCI spec to disk, replacing any existing specs for the container
2018-03-07 16:15:00 +00:00
func ( c * Container ) saveSpec ( spec * spec . Spec ) error {
// If the OCI spec already exists, we need to replace it
// Cannot guarantee some things, e.g. network namespaces, have the same
// paths
jsonPath := filepath . Join ( c . bundlePath ( ) , "config.json" )
if _ , err := os . Stat ( jsonPath ) ; err != nil {
if ! os . IsNotExist ( err ) {
return errors . Wrapf ( err , "error doing stat on container %s spec" , c . ID ( ) )
}
// The spec does not exist, we're fine
} else {
// The spec exists, need to remove it
if err := os . Remove ( jsonPath ) ; err != nil {
return errors . Wrapf ( err , "error replacing runtime spec for container %s" , c . ID ( ) )
}
}
fileJSON , err := json . Marshal ( spec )
if err != nil {
return errors . Wrapf ( err , "error exporting runtime spec for container %s to JSON" , c . ID ( ) )
}
if err := ioutil . WriteFile ( jsonPath , fileJSON , 0644 ) ; err != nil {
return errors . Wrapf ( err , "error writing runtime spec JSON for container %s to disk" , c . ID ( ) )
}
logrus . Debugf ( "Created OCI spec for container %s at %s" , c . ID ( ) , jsonPath )
c . state . ConfigPath = jsonPath
return nil
}
2018-03-29 15:01:47 +00:00
2018-11-19 17:22:32 +00:00
// Warning: precreate hooks may alter 'config' in place.
2018-06-27 16:14:13 +00:00
func ( c * Container ) setupOCIHooks ( ctx context . Context , config * spec . Spec ) ( extensionStageHooks map [ string ] [ ] spec . Hook , err error ) {
2018-11-19 17:22:32 +00:00
allHooks := make ( map [ string ] [ ] spec . Hook )
libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 05:22:08 +00:00
if c . runtime . config . HooksDir == nil {
if rootless . IsRootless ( ) {
2018-09-17 13:33:11 +00:00
return nil , nil
}
libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 05:22:08 +00:00
for _ , hDir := range [ ] string { hooks . DefaultDir , hooks . OverrideDir } {
2019-03-02 05:36:44 +00:00
manager , err := hooks . New ( ctx , [ ] string { hDir } , [ ] string { "precreate" , "poststop" } )
libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 05:22:08 +00:00
if err != nil {
if os . IsNotExist ( err ) {
continue
}
return nil , err
}
hooks , err := manager . Hooks ( config , c . Spec ( ) . Annotations , len ( c . config . UserVolumes ) > 0 )
if err != nil {
return nil , err
}
if len ( hooks ) > 0 || config . Hooks != nil {
logrus . Warnf ( "implicit hook directories are deprecated; set --hooks-dir=%q explicitly to continue to load hooks from this directory" , hDir )
}
for i , hook := range hooks {
allHooks [ i ] = hook
}
2018-09-17 13:33:11 +00:00
}
2018-11-19 17:22:32 +00:00
} else {
2019-03-02 05:36:44 +00:00
manager , err := hooks . New ( ctx , c . runtime . config . HooksDir , [ ] string { "precreate" , "poststop" } )
2018-11-19 17:22:32 +00:00
if err != nil {
if os . IsNotExist ( err ) {
logrus . Warnf ( "Requested OCI hooks directory %q does not exist" , c . runtime . config . HooksDir )
return nil , nil
}
return nil , err
}
allHooks , err = manager . Hooks ( config , c . Spec ( ) . Annotations , len ( c . config . UserVolumes ) > 0 )
if err != nil {
return nil , err
}
2018-03-29 15:01:47 +00:00
}
libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 05:22:08 +00:00
2018-11-19 17:22:32 +00:00
hookErr , err := exec . RuntimeConfigFilter ( ctx , allHooks [ "precreate" ] , config , exec . DefaultPostKillTimeout )
libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 05:22:08 +00:00
if err != nil {
2018-11-19 17:22:32 +00:00
logrus . Warnf ( "container %s: precreate hook: %v" , c . ID ( ) , err )
if hookErr != nil && hookErr != err {
logrus . Debugf ( "container %s: precreate hook (hook error): %v" , c . ID ( ) , hookErr )
2018-12-07 16:23:03 +00:00
}
libpod/container_internal: Deprecate implicit hook directories
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
2018-12-03 05:22:08 +00:00
return nil , err
}
2018-11-19 17:22:32 +00:00
return allHooks , nil
2018-03-29 15:01:47 +00:00
}
2018-07-19 20:59:42 +00:00
// mount mounts the container's root filesystem
func ( c * Container ) mount ( ) ( string , error ) {
mountPoint , err := c . runtime . storageService . MountContainerImage ( c . ID ( ) )
if err != nil {
return "" , errors . Wrapf ( err , "error mounting storage for container %s" , c . ID ( ) )
}
2018-08-31 15:20:13 +00:00
mountPoint , err = filepath . EvalSymlinks ( mountPoint )
if err != nil {
return "" , errors . Wrapf ( err , "error resolving storage path for container %s" , c . ID ( ) )
}
2019-03-21 11:18:42 +00:00
if err := os . Chown ( mountPoint , c . RootUID ( ) , c . RootGID ( ) ) ; err != nil {
return "" , errors . Wrapf ( err , "cannot chown %s to %d:%d" , mountPoint , c . RootUID ( ) , c . RootGID ( ) )
}
2018-07-19 20:59:42 +00:00
return mountPoint , nil
}
// unmount unmounts the container's root filesystem
2018-07-30 13:04:18 +00:00
func ( c * Container ) unmount ( force bool ) error {
2018-07-19 20:59:42 +00:00
// Also unmount storage
2018-07-30 13:04:18 +00:00
if _ , err := c . runtime . storageService . UnmountContainerImage ( c . ID ( ) , force ) ; err != nil {
2018-07-19 20:59:42 +00:00
return errors . Wrapf ( err , "error unmounting container %s root filesystem" , c . ID ( ) )
}
return nil
}
2018-10-01 17:10:46 +00:00
// getExcludedCGroups returns a string slice of cgroups we want to exclude
// because runc or other components are unaware of them.
func getExcludedCGroups ( ) ( excludes [ ] string ) {
excludes = [ ] string { "rdma" }
return
}
2019-02-14 18:21:52 +00:00
// this should be from chrootarchive.
func ( c * Container ) copyWithTarFromImage ( src , dest string ) error {
mountpoint , err := c . mount ( )
if err != nil {
return err
}
a := archive . NewDefaultArchiver ( )
source := filepath . Join ( mountpoint , src )
2019-03-14 12:33:53 +00:00
if err = c . copyOwnerAndPerms ( source , dest ) ; err != nil {
return err
}
2019-02-14 18:21:52 +00:00
return a . CopyWithTar ( source , dest )
}
2019-05-10 16:42:14 +00:00
// checkReadyForRemoval checks whether the given container is ready to be
// removed.
// These checks are only used if force-remove is not specified.
// If it is, we'll remove the container anyways.
// Returns nil if safe to remove, or an error describing why it's unsafe if not.
func ( c * Container ) checkReadyForRemoval ( ) error {
if c . state . State == ContainerStateUnknown {
return errors . Wrapf ( ErrCtrStateInvalid , "container %s is in invalid state" , c . ID ( ) )
}
if c . state . State == ContainerStateRunning ||
c . state . State == ContainerStatePaused {
return errors . Wrapf ( ErrCtrStateInvalid , "cannot remove container %s as it is %s - running or paused containers cannot be removed" , c . ID ( ) , c . state . State . String ( ) )
}
if len ( c . state . ExecSessions ) != 0 {
return errors . Wrapf ( ErrCtrStateInvalid , "cannot remove container %s as it has active exec sessions" , c . ID ( ) )
}
return nil
}
2019-02-06 19:17:25 +00:00
// writeJSONFile marshalls and writes the given data to a JSON file
// in the bundle path
func ( c * Container ) writeJSONFile ( v interface { } , file string ) ( err error ) {
fileJSON , err := json . MarshalIndent ( v , "" , " " )
if err != nil {
return errors . Wrapf ( err , "error writing JSON to %s for container %s" , file , c . ID ( ) )
}
file = filepath . Join ( c . bundlePath ( ) , file )
if err := ioutil . WriteFile ( file , fileJSON , 0644 ) ; err != nil {
return err
}
return nil
}
// prepareCheckpointExport writes the config and spec to
// JSON files for later export
func ( c * Container ) prepareCheckpointExport ( ) ( err error ) {
// save live config
if err := c . writeJSONFile ( c . Config ( ) , "config.dump" ) ; err != nil {
return err
}
// save spec
jsonPath := filepath . Join ( c . bundlePath ( ) , "config.json" )
g , err := generate . NewFromFile ( jsonPath )
if err != nil {
logrus . Debugf ( "generating spec for container %q failed with %v" , c . ID ( ) , err )
return err
}
if err := c . writeJSONFile ( g . Spec ( ) , "spec.dump" ) ; err != nil {
return err
}
return nil
}
