The tests are messy and should be turned into table-driven tests but I
do not have time at the moment.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Commit 395ba05c44 implemented a POC to allow for changing the behavior
when loading multiple container.conf files in sequence. By default, the
TOML encoder will override existing data/fields with the one specified
in the loaded file. The POC has demonstrated how this behavior can be
changed to append string slices instead of overriding/replacing them
entirely.
This change is the first step of integrating these appendable string
arrays into containers.conf and starts with enabling the `Env`,
`Mounts`, and `Volumes` fields in the `[Containers]` table.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Podman should default to sqlite for new installs, however to not break
upgrades we should detect if a boltdb database exists and use that in
such case. Now in order to distinguish between an explicitly set
"sqlite" and "boltdb" and nothing set we use an empty default.
With that podman can know if we really should use the default or if it
was configured for a db explicitly. The actual detection logic must be
implemented in podman as we only know the file locations there.
This commit also drops the unused StateType as this was not used at all.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
As requested in containers/podman/issues/20000, add a `privileged` field
to the containers table in containers.conf. I was hesitant to add such
a field at first (for security reasons) but I understand that such a
field can come in handy when using modules - certain workloads require a
privileged container.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The method ActiveDestination was being used only by Podman and there seemed to code complications as the code is split in multiple parts. Hence, moved the code to Podman to make it more readable and efficient.
Signed-off-by: Chetan Giradkar <cgiradka@redhat.com>
It's wasteful and `sut` was not a name I would now understand. Change
the tests that need a default config. The diff also shows that the
tests would benefit a lot from a rewrite into a table-driven form but I
do not want to shave the entire Yak.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
It has no external user and should not be exported to avoid any API
misuse; built-in defaults are an implementation detail.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
A new --farm flag is being added to podman system connection
add so that when a new connection is added it can be added to a new
or existing farm. Update the code here to be able to do that.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Add two new fields Farms and DefaultFarm to the Config
to be used by the new podman buildfarm command.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
We want to allow HPC Customers and others to specify mounts
inside of containers.conf, so that they can have a default
list of mounts into all of thier containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This fixes a regression in
https://github.com/containers/podman/pull/19241 which quite reasonably
assumed that the default image volume mode from pkg/config was correct.
Signed-off-by: Doug Rabson <dfr@rabson.org>
The original SELinux support in Docker and Podman does not follow the
default SELinux rules for how label transitions are supposed to be
handled. Containers always switch their user and role to
system_u:system_r, rather then maintain the collers user and role.
For example
unconfined_u:unconfined_r:container_t:s0:c1,c2
Advanced SELinux administrators want to confine users but still allow
them to create containers from their role, but not allow them to launch
a privileged container like spc_t.
This means if a user running as
container_user_u:container_user_r:container_user_t:s0
Ran a container they would get
container_user_u:container_user_r:container_t:s0:c1,c2
If they run a privileged container they would run it with:
container_user_u:container_user_r:container_user_t:s0
If they want to force the label they would get an error
podman run --security-opt label=type:spc_t ...
Should fail. Because the container_user_r can not run with the spc_t.
SELinux rules would also prevent the user from forcing system_u user and
the sytem_r role.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The kube_generate_type field can be used to set what kind
of k8s object, i.e pod or deployment, that the podman kube
generate command should generate by default.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Add yet another environment variable for loading containers.conf.
When CONTAINERS_CONF_OVERRIDE is set, the specified config file
will be loaded last - even when CONTAINERS_CONF is set.
This mechanism is needed to preserve system settings and other
environment variables. Setting CONTAINERS_CONF will load only
the specified config file and ignore all system and user paths.
That makes testing hard as many Podman tests use CONTAINERS_CONF
for testing.
The intended use of CONTAINERS_CONF_OVERRIDE is to set it during tests
and point it to a specific configuration of Podman (e.g., netavark with
sqlite backend).
Similar needs have popped up talking to users in the automotive and
high-performance computing space. In a way, such a setting allows for
specifying a specific "flavor" of Podman while preserving all existing
settings on the system.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
We are getting a lot of issues on our removal of CAP_SYS_CHROOT
from the default list of capabilities used by Podman, so adding
it back until we do a major release.
This capabilty is also needed to successfully run the
quay.io/buildah/stable image with Podman.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This will allows users to set all containers to automatically
set certain cgroup fields globally for all of their containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The on-going work of adding a new database backend to Podman requires it
to be configurable in containers.conf. To prevent any breaking changes,
the backend defaults to Podman's current boltdb backend. Also export
the parsing function for it be usable by Podman.
NOTE: documentation will be added once the database rewrite in Podman
has been completed. I want to avoid any incomplete docs from leaking
into a release.
Fixes: https://issues.redhat.com/browse/RUN-1772
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add an option to create a more verbose container-create event which
includes a JSON payload with detailed information about the container.
Jira: https://issues.redhat.com/browse/RUN-1702
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Containers.conf now supports `platform_to_oci_runtime` which allows end
users to map variant of OCI runtime for a particular platform.
Most ideal use-case of this feature is switching to crun's variant when
platform string is `wasm32/wasi`.
Example
```toml
[engine.platform_to_oci_runtime]
"wasi/wasm" = "crun-wasm"
"wasm/wasm32" = "crun-wasm"
"wasm/wasm64" = "crun-wasm"
```
Signed-off-by: Aditya R <arajan@redhat.com>
Another experimental OCI runtime for FreeBSD, similar to runj but with
a focus on podman/buildah compatiblity.
Signed-off-by: Doug Rabson <dfr@rabson.org>
Used `go fmt` rules to migrate away from deprecated functions, for
instance `gofmt -w -s -r 'ioutil.TempDir(a, b) -> os.MkdirTemp(a, b)'`
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
this ensures that podman machine will still work (until we want to make this mandatory). I made the call back function more verbose so we know what is happening from now on.
Signed-off-by: Charlie Doern <cdoern@redhat.com>
The problem with setting such defaults in c/common is that podman cannot
know if a user set this or it is the default. EventsLogFilePath is not a
static path, it depends on the --tmpdir value from podman.
check
b0b36430b8/libpod/runtime.go (L1041-L1043)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
initial implementation of the ssh package including:
- nativeConnectionCreate() / golangConnectionCreate()
- n/a / golangConnectionDial()
- nativeConnectionScp() / golangConnectionScp()
- nativeConnectionExec() / golangConnectionExeC()
the way this works, is there are publicly accessible functions Create, Exec, Dial and Scp. podman will have a new global flag --ssh` that will allow users to choose native or golang based ssh functions. The functionality in containers/common (here) also checks if you have the necessary binaries installed
closes#1091
Signed-off-by: Charlie Doern <cdoern@redhat.com>
cni_plugin_dirs validation require directories to exist, use a
directory that is more likely to exist like /tmp instead of an
arbitrary path that won't exist on most systems
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
Add a new `pod_exit_policy` field to the containers.conf's engine table.
A pod's exit policy determines the behaviour when the last container of
a pod exits.
Required-in: containers/podman/pull/13859
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Valentin Rothberg
Paul Holzinger
Chetan Giradkar
Aditya R
OpenShift Merge Robot
Urvashi Mohnani
Daniel J Walsh
Doug Rabson
Lokesh Mandvekar
Giuseppe Scrivano
unknowndevQwQ
Charlie Doern
Dominique Martinet