When reading logs from the journal, keep going after the container
exits, in case it gets restarted.
Events logged to the journal via the normal paths don't include
CONTAINER_ID_FULL, so don't bother adding it to the "history" event we
use to force at least one entry for the container to show up in the log.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Honor custom `target` if specified while running or creating containers
with secret `type=mount`.
Example:
`podman run -it --secret token,type=mount,target=TOKEN ubi8/ubi:latest
bash`
Signed-off-by: Aditya Rajan <arajan@redhat.com>
This commits adds port forwarding logic directly into podman. The
podman-machine cni plugin is no longer needed.
The following new features are supported:
- works with cni, netavark and slirp4netns
- ports can use the hostIP to bind instead of hard coding 0.0.0.0
- gvproxy no longer listens on 0.0.0.0:7777 (requires a new gvproxy
version)
- support the udp protocol
With this we no longer need podman-machine-cni and should remove it from
the packaging. There is also a change to make sure we are backwards
compatible with old config which include this plugin.
Fixes#11528Fixes#11728
[NO NEW TESTS NEEDED] We have no podman machine test at the moment.
Please test this manually on your system.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This adds the parameter '--print-stats' to 'podman container restore'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to restore a checkpoint and print out these
information. CRIU already creates process restore statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the restored container, Podman will now print
out JSON:
# podman container restore --latest --print-stats
{
"podman_restore_duration": 305871,
"container_statistics": [
{
"Id": "47b02e1d474b5d5fe917825e91ac653efa757c91e5a81a368d771a78f6b5ed20",
"runtime_restore_duration": 140614,
"criu_statistics": {
"forking_time": 5,
"restore_time": 67672,
"pages_restored": 14
}
}
]
}
The output contains 'podman_restore_duration' which contains the
number of microseconds Podman required to restore the checkpoint. The
output also includes 'runtime_restore_duration' which is the time
the runtime needed to restore that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
This adds the parameter '--print-stats' to 'podman container checkpoint'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to create a checkpoint and print out these
information. CRIU already creates checkpointing statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the checkpointed container, Podman will now print
out JSON:
# podman container checkpoint --latest --print-stats
{
"podman_checkpoint_duration": 360749,
"container_statistics": [
{
"Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808",
"runtime_checkpoint_duration": 177222,
"criu_statistics": {
"freezing_time": 100657,
"frozen_time": 60700,
"memdump_time": 8162,
"memwrite_time": 4224,
"pages_scanned": 20561,
"pages_written": 2129
}
}
]
}
The output contains 'podman_checkpoint_duration' which contains the
number of microseconds Podman required to create the checkpoint. The
output also includes 'runtime_checkpoint_duration' which is the time
the runtime needed to checkpoint that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
To make testing easier we can overwrite the network backend with the
global `--network-backend` option.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
make sure the /etc/mtab symlink is created inside the rootfs when /etc
is a symlink.
Closes: https://github.com/containers/podman/issues/12189
[NO NEW TESTS NEEDED] there is already a test case
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
You can change the network backendend in containers.conf supported
values are "cni" and "netavark".
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
THe rust netlink library is very verbose. It contains way to much debug
and trave logs. We can set `RUST_LOG=netavark=<level>` to make sure this
log level only applies to netavark and not the libraries.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add a new boltdb to handle IPAM assignment.
The db structure is the following:
Each network has their own bucket with the network name as bucket key.
Inside the network bucket there is an ID bucket which maps the container ID (key)
to a json array of ip addresses (value).
The network bucket also has a bucket for each subnet, the subnet is used as key.
Inside the subnet bucket an ip is used as key and the container ID as value.
The db should be stored on a tmpfs to ensure we always have a clean
state after a reboot.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Implement a new network interface for netavark.
For now only bridge networking is supported.
The interface can create/list/inspect/remove networks. For setup and
teardown netavark will be invoked.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
To prevent code duplication when creating new network backends move
reusable code into a separate internal package.
This allows all network backends to use the same code as long as they
implement the new NetUtil interface.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
As rootless we have to reload the port mappings. If it fails we should
return an error instead of the warning.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When run as rootless the podman network reload command tries to reload
the rootlessport ports because the childIP could have changed.
However if the containers has no ports we should skip this instead of
printing a warning.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
A rootless container created with a custom userns and forwarded ports
did not work. I refactored the network setup to make the setup logic
more clear.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When starting a container libpod/runtime_pod_linux.go:NewPod calls
libpod/lock/lock.go:AllocateLock ends up in here. If you exceed
num_locks, in response to a "podman run ..." you will see:
Error: error allocating lock for new container: no space left on device
As noted inline, this error is technically true as it is talking about
the SHM area, but for anyone who has not dug into the source (i.e. me,
before a few hours ago :) your initial thought is going to be that
your disk is full. I spent quite a bit of time trying to diagnose
what disk, partition, overlay, etc. was filling up before I realised
this was actually due to leaking from failing containers.
This overrides this case to give a more explicit message that
hopefully puts people on the right track to fixing this faster. You
will now see:
$ ./bin/podman run --rm -it fedora bash
Error: error allocating lock for new container: allocation failed; exceeded num_locks (20)
[NO NEW TESTS NEEDED] (just changes an existing error message)
Signed-off-by: Ian Wienand <iwienand@redhat.com>
Address the TOCTOU when generating random names by having at most 10
attempts to assign a random name when creating a pod or container.
[NO TESTS NEEDED] since I do not know a way to force a conflict with
randomly generated names in a reasonable time frame.
Fixes: #11735
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The new mac address type broke the api docs. While we could
successfully generate the swagger file it could not be viewed in a
browser.
The problem is that the swagger generation create two type definitions
with the name `HardwareAddr` and this pointed back to itself. Thus the
render process was stucked in an endless loop. To fix this manually
rename the new type to MacAddress and overwrite the types to string
because the json unmarshaller accepts the mac as string.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
There was the question about how long it takes to create a checkpoint.
CRIU already provides some statistics about how long it takes to create
a checkpoint and similar.
With this change the file 'stats-dump' is included in the checkpoint
archive and the tool checkpointctl can be used to display these
statistics:
./checkpointctl show -t /tmp/cp.tar --print-stats
Displaying container checkpoint data from /tmp/dump.tar
[...]
CRIU dump statistics
+---------------+-------------+--------------+---------------+---------------+---------------+
| FREEZING TIME | FROZEN TIME | MEMDUMP TIME | MEMWRITE TIME | PAGES SCANNED | PAGES WRITTEN |
+---------------+-------------+--------------+---------------+---------------+---------------+
| 105405 us | 1376964 us | 504399 us | 446571 us | 492153 | 88689 |
+---------------+-------------+--------------+---------------+---------------+---------------+
Signed-off-by: Adrian Reber <areber@redhat.com>
Since we want to use the rootless cni ns also for netavark we should
pick a more generic name. The name is now "rootless network namespace"
or short "rootless netns".
The rename might cause some issues after the update but when the
all containers are restarted or the host is rebooted it should work
correctly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We should mount the full runtime directory into the namespace instead of
just the netns dir. This allows more use cases.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The check if cleanup is needed reads all container and checks if there
are running containers with bridge networking. If we do not find any we
have to cleanup the ns. However there was a problem with this because
the state is empty by default so the running check never worked.
Fortunately the was a second check which relies on the CNI files so we
still did cleanup anyway.
With netavark I noticed that this check is broken because the CNI files
were not present.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Create a new mac address type which supports json marshal/unmarshal from
and to string. This change is backwards compatible with the previous
versions as the unmarshal method still accepts the old byte array or
base64 encoded string.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Make Podman more tolerant when parsing image volumes during container
creation and further fix an infinite loop when checking them.
Consider `VOLUME ['/etc/foo', '/etc/bar']` in a Containerfile. While
it looks correct to the human eye, the single quotes are wrong and yield
the two volumes to be `[/etc/foo,` and `/etc/bar]` in Podman and Docker.
When running the container, it'll create a directory `bar]` in `/etc`
and a directory `[` in `/` with two subdirectories `etc/foo,`. This
behavior is surprising to me but how Docker behaves. We may improve on
that in the future. Note that the correct way to syntax for volumes in
a Containerfile is `VOLUME /A /B /C` or `VOLUME ["/A", "/B", "/C"]`;
single quotes are not supported.
This change restores this behavior without breaking container creation
or ending up in an infinite loop.
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2014149
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
commit 6b3b0a17c6 introduced a check for
the PID file before attempting to move the PID to a new scope.
This is still vulnerable to TOCTOU race condition though, since the
PID file or the PID can be removed/killed after the check was
successful but before it was used.
Closes: https://github.com/containers/podman/issues/12065
[NO NEW TESTS NEEDED] it fixes a CI flake
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
we are having a hard time figuring out a failure in the CI:
https://github.com/containers/podman/issues/11191
Rename the sub-cgroup created here, so we can be certain the error is
caused by this part.
[NO NEW TESTS NEEDED] we need this for the CI.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The OCICNI port format has one big problem: It does not support ranges.
So if a users forwards a range of 1k ports with podman run -p 1001-2000
we have to store each of the thousand ports individually as array element.
This bloats the db and makes the JSON encoding and decoding much slower.
In many places we already use a better port struct type which supports
ranges, e.g. `pkg/specgen` or the new network interface.
Because of this we have to do many runtime conversions between the two
port formats. If everything uses the new format we can skip the runtime
conversions.
This commit adds logic to replace all occurrences of the old format
with the new one. The database will automatically migrate the ports
to new format when the container config is read for the first time
after the update.
The `ParsePortMapping` function is `pkg/specgen/generate` has been
reworked to better work with the new format. The new logic is able
to deduplicate the given ports. This is necessary the ensure we
store them efficiently in the DB. The new code should also be more
performant than the old one.
To prove that the code is fast enough I added go benchmarks. Parsing
1 million ports took less than 0.5 seconds on my laptop.
Benchmark normalize PortMappings in specgen:
Please note that the 1 million ports are actually 20x 50k ranges
because we cannot have bigger ranges than 65535 ports.
```
$ go test -bench=. -benchmem ./pkg/specgen/generate/
goos: linux
goarch: amd64
pkg: github.com/containers/podman/v3/pkg/specgen/generate
cpu: Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz
BenchmarkParsePortMappingNoPorts-12 480821532 2.230 ns/op 0 B/op 0 allocs/op
BenchmarkParsePortMapping1-12 38972 30183 ns/op 131584 B/op 9 allocs/op
BenchmarkParsePortMapping100-12 18752 60688 ns/op 141088 B/op 315 allocs/op
BenchmarkParsePortMapping1k-12 3104 331719 ns/op 223840 B/op 3018 allocs/op
BenchmarkParsePortMapping10k-12 376 3122930 ns/op 1223650 B/op 30027 allocs/op
BenchmarkParsePortMapping1m-12 3 390869926 ns/op 124593840 B/op 4000624 allocs/op
BenchmarkParsePortMappingReverse100-12 18940 63414 ns/op 141088 B/op 315 allocs/op
BenchmarkParsePortMappingReverse1k-12 3015 362500 ns/op 223841 B/op 3018 allocs/op
BenchmarkParsePortMappingReverse10k-12 343 3318135 ns/op 1223650 B/op 30027 allocs/op
BenchmarkParsePortMappingReverse1m-12 3 403392469 ns/op 124593840 B/op 4000624 allocs/op
BenchmarkParsePortMappingRange1-12 37635 28756 ns/op 131584 B/op 9 allocs/op
BenchmarkParsePortMappingRange100-12 39604 28935 ns/op 131584 B/op 9 allocs/op
BenchmarkParsePortMappingRange1k-12 38384 29921 ns/op 131584 B/op 9 allocs/op
BenchmarkParsePortMappingRange10k-12 29479 40381 ns/op 131584 B/op 9 allocs/op
BenchmarkParsePortMappingRange1m-12 927 1279369 ns/op 143022 B/op 164 allocs/op
PASS
ok github.com/containers/podman/v3/pkg/specgen/generate 25.492s
```
Benchmark convert old port format to new one:
```
go test -bench=. -benchmem ./libpod/
goos: linux
goarch: amd64
pkg: github.com/containers/podman/v3/libpod
cpu: Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz
Benchmark_ocicniPortsToNetTypesPortsNoPorts-12 663526126 1.663 ns/op 0 B/op 0 allocs/op
Benchmark_ocicniPortsToNetTypesPorts1-12 7858082 141.9 ns/op 72 B/op 2 allocs/op
Benchmark_ocicniPortsToNetTypesPorts10-12 2065347 571.0 ns/op 536 B/op 4 allocs/op
Benchmark_ocicniPortsToNetTypesPorts100-12 138478 8641 ns/op 4216 B/op 4 allocs/op
Benchmark_ocicniPortsToNetTypesPorts1k-12 9414 120964 ns/op 41080 B/op 4 allocs/op
Benchmark_ocicniPortsToNetTypesPorts10k-12 781 1490526 ns/op 401528 B/op 4 allocs/op
Benchmark_ocicniPortsToNetTypesPorts1m-12 4 250579010 ns/op 40001656 B/op 4 allocs/op
PASS
ok github.com/containers/podman/v3/libpod 11.727s
```
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
A restored container still had the state set to 'Checkpointed: true'
which seems wrong if it running again.
[NO NEW TESTS NEEDED]
Signed-off-by: Adrian Reber <areber@redhat.com>
Duplicate Address Detection slows the ipv6 setup down for 1-2 seconds.
Since slirp4netns is run it is own namespace and not directly routed
we can skip this to make the ipv6 address immediately available.
We change the default to make sure the slirp tap interface gets the
correct value assigned so DAD is disabled for it.
Also make sure to change this value back to the original after slirp4netns
is ready in case users rely on this sysctl.
Fixes#11062
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The following problems regarding `logs --tail` with the journald log
driver are fixed:
- One more line than a specified value is displayed.
- '--tail 0' displays all lines while the other log drivers displays
nothing.
- Partial lines are not considered.
- If the journald events backend is used and a container has exited,
nothing is displayed.
Integration tests that should have detected the bugs are also fixed. The
tests are executed with json-file log driver three times without this
fix.
Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
Trying to restore a container that was started with '--ipc host' fails
with:
Error: error creating container storage: ProcessLabel and Mountlabel must either not be specified or both specified
We already fixed this exact same error message for containers started
with '--privileged'. The previous fix was to check if the to be restored
container is a privileged container (c.config.Privileged). Unfortunately
this does not work for containers started with '--ipc host'.
This commit changes the check for a privileged container to check if
both the ProcessLabel and the MountLabel is actually set and only then
re-uses those labels.
Signed-off-by: Adrian Reber <areber@redhat.com>
So far, the infra containers of pods required pulling down an image
rendering pods not usable in disconnected environments. Instead, build
an image locally which uses local pause binary.
Fixes: #10354
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Make sure to create the mounts for containers with an overlay root FS in
the runtime dir (e.g., /run/user/1000/...) to guarantee that we can
actually overlay mount on the specific path which is not the case for
the graph root.
[NO NEW TESTS NEEDED] since it is not a user-facing change.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This will change mount of /dev within container to noexec, making
containers slightly more secure.
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
If we interrupt pod removal between removing containers and
removing the whole pod, the infra ID was still in the DB, and
most pod operations would try to retrieve the infra container
(and would this fail). Clear the infra ID from the DB just before
we remove all containers to prevent this.
Fixes#12034
[NO NEW TESTS NEEDED] This is a very narrow race and I have no
idea how to repro it.
Signed-off-by: Matthew Heon <mheon@redhat.com>
If podman uses Workdir="/" or the workdir specified in the image, it
should not add it to the yaml.
If Podman find environment variables in the image, they should not
get added to the yaml.
If the container or pod do not have changes to SELinux we should not
print seLinuxOpt{}
If the container or pod do not change any dns options the yaml should
not have a dnsOption={}
If the container is not privileged it should not have privileged=false
in the yaml.
Fixes: https://github.com/containers/podman/issues/11995
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Allow chainging ownership of mountpoint created on top external overlay
rootfs to support use-cases when custom --uidmap and --gidmap are
specified.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
When looking for a cursor that matches the first journal entry for a
given container, wait and try to find it using exponential backoff.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Made changes so that if the pod contains all exited containers and only infra is running, remove the pod.
resolves#11713
Signed-off-by: cdoern <cdoern@redhat.com>
Following commit ensures not dandling mounts are left behind when we are
creating an overlay on top of external rootfs.
Co-authored-by: Valentin Rothberg <rothberg@redhat.com>
Signed-off-by: Aditya Rajan <arajan@redhat.com>
When the targetPort is not defined, it is supposed to
be set to the port value according to the k8s docs.
Add tests for targetPort.
Update tests to be able to check the Service yaml that
is generated.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
As the default protocol in k8s is TCP, don't add it
to the generate yaml when using protocol.
Add UDP to the protocol of the generated yaml when udp
is being used.
Add tests for this as well.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Checkpoint is blowing up when you use --log-driver=none
[NO NEW TESTS NEEDED] No way currently to test checkpoint restore.
Fixes: https://github.com/containers/podman/issues/11974
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
If no entrypoint or command is set in the podman create
command, and the image command or entrypoint is being
used as the default, then do not add the image command or
entrypoint to the generated kube yaml.
Kubernetes knows to default to the image command and/or
entrypoint settings when not defined in the kube yaml.
Add and modify tests for this case.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
The --ip-range option did not work correctly. The endIP was accidentally
assigned to the start IP. New tests are added to make sure it works.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Removed the inclusion of RunAsUser or RunAsGroup unless a container is run with the --user flag. When building from an image
the user will be pulled from there anyway
resolves#11914
Signed-off-by: cdoern <cdoern@redhat.com>
Don't use reexec for the rootlessport process, instead make it a
separate binary to reduce the memory usage. The problem with reexec is
that it will import all packages that podman uses and therefore loads a
lot of stuff into the heap. The rootlessport process however only needs
the rootlesskit library.
The memory usage is a concern since the rootlessport process will spawn
two process per container which has ports forwarded. The processes stay
until the container dies. On my laptop the current reexec version uses
47800 KB RSS. The new separate binary only uses 4540 KB RSS. This is
more than a 90% improvement.
The Makefile has been updated to compile the new binary and install it
to the libexec directory.
Fixes#10790
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Kubernetes fails to deal with an annotation that has a space in it.
Trim these strings to remove spaces.
Fixes: #11929
Signed-off-by: Brent Baude <bbaude@redhat.com>
[NO TESTS NEEDED]
* Increase timeout for tests to 10s
* To aid in debugging add PID to shutdown package logging
* Added new message for forced service shutdown
* Always wait for HTTP server to shutdown, duration of 0 not friendly
to clients
Note: The log event
"IdleTracker: StateClosed transition by connection marked un-managed"
denotes a TCP connection has been initiated but no HTTP request was sent.
And is expected during these tests.
Fixes#11921
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Currently we are not passing the force flag down to the removal of
the running container. If the container is running, and we set
--force when removing the volume, the container should be stopped.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Refactor sidecar HTTP service for /debug/pprof endpoints to use a TCP
address given via new podman system service --pprof-address flag
* Allow same URL parsing in "system service" as bindings/connection.go
* Refactor NewServerWithSettings() to use entities.ServiceOptions
in place of deleted server.Options
* Updated godoc for impacted functions and types
* Fixed API service Shutdown() to do an orderly shutdown when
terminated and running with --time=0
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Vendor the latest HEAD in c/common to pull in changes for a faster
inspection of images. Previously, only the size computation was
optional, now the one for the parent image is as well.
In many cases, the parent image is not needed but it takes around 10ms
on my local machine. With this change, we cut off 10ms from many code
paths, most importantly, container creation.
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Note: the Warning message will not come to podman-remote.
It would be difficult to plumb, and not really worth the effort.
Fixes: https://github.com/containers/podman/issues/11854
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
There is a race where `conn.Close()` was called before `conn.CloseWrite()`.
In this case `CloseWrite` will fail and an useless error is printed. To
fix this we move the the `CloseWrite()` call to the same goroutine to
remove the race. This ensures that `CloseWrite()` is called before
`Close()` and never afterwards.
Also fixed podman-remote run where the STDIN was never was closed.
This is causing flakes in CI testing.
[NO TESTS NEEDED]
Fixes#11856
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The backend for `ps --sync` has been nonfunctional for a long
while now - probably since v2.0. It's questionable how useful the
flag is in modern Podman (the original case it was intended to
catch, Conmon gone via SIGKILL, should be handled now via pinging
the process with a signal to ensure it's still alive) but having
the ability to force a refresh of container state from the OCI
runtime is still useful.
Signed-off-by: Matthew Heon <mheon@redhat.com>
This allows you to stop a container after a `podman stop` process
started, but did not finish, stopping the container (probably an
ignored stop signal, with no time to SIGKILL?). This is a very
narrow case, but once you're in it the only way to recover is a
`podman rm -f` of the container or extensive manual remediation
(you'd have to kill the container yourself, manually, and then
force a `podman ps --all --sync` to update its status from the
OCI runtime).
[NO NEW TESTS NEEDED] I have no idea how to verify this one -
we need to test that it actually started *during* the other stop
command, and that's nontrivial.
Signed-off-by: Matthew Heon <mheon@redhat.com>