We are getting a lot of issues on our removal of CAP_SYS_CHROOT
from the default list of capabilities used by Podman, so adding
it back until we do a major release.
This capability is also needed to successfully run the
quay.io/buildah/stable image with Podman.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The on-going work of adding a new database backend to Podman requires it
to be configurable in containers.conf. To prevent any breaking changes,
the backend defaults to Podman's current boltdb backend. Also export
the parsing function for it to be usable by Podman.
NOTE: documentation will be added once the database rewrite in Podman
has been completed. I want to avoid any incomplete docs from leaking
into a release.
Fixes: https://issues.redhat.com/browse/RUN-1772
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This is taking time on every podman call, and provides limited
protection. Versioning should be handled in the packaging system
and this is unlikely to happen.
Every exec done by container tools hurts us as we try to get container
startup time to absolute minimal amounts.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This reverts commit 962dbc3281.
As shown in containers/podman/pull/16610 the changes require a number of
changes in Podman's CI. While many issues have been fixed in that PR,
there are some potentially controversial changes such as dropping
NET_RAW.
Let's revert the commit to unblock ongoing work. For the next
iteration, Podman CI must be green before merging.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
For a couple of years now we have been shipping containers.conf settings
to use only 10 capabilities. Docker uses 14, with the difference being
CAP_AUDIT_ALLOW, CAP_NET_RAW, CAP_MKNOD, CAP_CHROOT.
This allows us to run with a tighter security than Docker.
This PR makes the change to default config, so that if no
containers.conf overrides are present, we will run with the tighter
security. Currently most distros that ship the containers.conf already
run with this setting, but this makes it formal, and changes the man
page to match the defaults.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Podman and Buildah do not use this field, and I
know of no users of it, remove it from docs and
the default conf file, so users will not expect
it to do anything.
Leaving implementation in the slight chance someone
has used it in a non containers project.
Fixes: https://github.com/containers/podman/issues/16562
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Containers.conf now supports `platform_to_oci_runtime` which allows end
users to map a variant of the OCI runtime for a particular platform.
The most ideal use case of this feature is switching to crun's variant when
the platform string is `wasm32/wasi`.
Example:
```toml
[engine.platform_to_oci_runtime]
"wasi/wasm" = "crun-wasm"
"wasm/wasm32" = "crun-wasm"
"wasm/wasm64" = "crun-wasm"
```
Signed-off-by: Aditya R <arajan@redhat.com>
The correct location on FreeBSD is /usr/local/etc/containers/policy.json
which is consistent with path conventions for installed packages. This
fixes 'podman commit' on FreeBSD.
There are several definitions of this path:
- c/image/signature has builtinDefaultPolicyPath and DefaultPolicy
- c/podman/pkg/trust has systemDefaultPolicyPath and DefaultPolicyPath
- c/common/pkg/config has DefaultSignaturePolicyPath
As far as I can tell, buildah uses c/image/signature which is why 'buildah
commit' was already working for me. Podman is using the c/common one. Very
confusing.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
Another experimental OCI runtime for FreeBSD, similar to runj but with
a focus on podman/buildah compatibility.
Signed-off-by: Doug Rabson <dfr@rabson.org>
Used `go fmt` rules to migrate away from deprecated functions, for
instance `gofmt -w -s -r 'ioutil.TempDir(a, b) -> os.MkdirTemp(a, b)'`
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Before 50eb74a4b1 this code used unshare.IsRootless() which on Windows
always returns false (the behavior we want).
After 50eb74a4b1, a condition was unintentionally inverted, allowing
Windows to function.
Commit 18803495e8 fixed the inversion, but unintentionally excluded Windows
since it used == 0 instead of <= 0 (Windows returns -1)
Move the logic behind a function with a comment since the Windows path is a
bit exotic.
In the future, the Windows path should likely be refactored to be more
intuitive; however, this will get things working for now.
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
Originally the code had the condition "!unshare.IsRootless()", and
commit 50eb74a4b1 introduced the issue
by replacing it with "unshare.GetRootlessUID() != 0".
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Change the check to look for the UID to decide whether to load the
default configuration files from the user directory instead of the
system path.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The problem with setting such defaults in c/common is that podman cannot
know if a user set this or it is the default. EventsLogFilePath is not a
static path, it depends on the --tmpdir value from podman.
check b0b36430b8/libpod/runtime.go (L1041-L1043)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Adds the conmon-rs paths so Podman can find the right conmon-rs binary
when making a new runtime.
I also slightly modified the `FindConmon` function so that the code
could be shared with the `FindConmonRs` function that I added.
Signed-off-by: Jake Correnti <jcorrenti13@gmail.com>
Initial implementation of the ssh package including:
- nativeConnectionCreate() / golangConnectionCreate()
- n/a / golangConnectionDial()
- nativeConnectionScp() / golangConnectionScp()
- nativeConnectionExec() / golangConnectionExeC()
The way this works is that there are publicly accessible functions Create, Exec, Dial and Scp. podman will have a new global flag `--ssh` that will allow users to choose native or golang based ssh functions. The functionality in containers/common (here) also checks if you have the necessary binaries installed.
closes #1091
Signed-off-by: Charlie Doern <cdoern@redhat.com>
This commit allows using aardvark with an alternate port as per
implementation in containers/netavark#323
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
Add a new `pod_exit_policy` field to the containers.conf's engine table.
A pod's exit policy determines the behaviour when the last container of
a pod exits.
Required-in: containers/podman/pull/13859
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
base_hosts_file can be used to overwrite the default base host file
/etc/hosts which is used to copy hosts entries from this file into the
container's /etc/hosts file. A special value "image" can be used to copy
the entries from the image hosts file or "none" to not use a base file
at all. If the value is empty we should use /etc/hosts as default.
Ref https://github.com/containers/podman/issues/13277
Ref https://github.com/containers/podman/issues/13748
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
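The selection rules above (empty means /etc/hosts, "none" means no base file, "image" means the image's own hosts file, anything else is a path) are easy to get subtly wrong, so here is an added worked example that applies them over constructed hosts data. This is illustrative code written for this page, not containers/common's implementation; the function names (`ParseHosts`, `BaseHostsEntries`, `RenderHosts`, `fakeReader`), the sample file contents and the injected `readFile` callback are all assumptions made so the example runs offline.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"strings"
)

// HostEntry is one IP-to-names line of a hosts(5) file.
type HostEntry struct {
	IP    string
	Names []string
}

// ParseHosts parses hosts(5)-style text. Blank lines and '#' comments are
// ignored; a line whose first field is not an IP address, or that carries no
// names after the address, is skipped rather than copied into a container.
func ParseHosts(data string) []HostEntry {
	var entries []HostEntry
	for _, line := range strings.Split(data, "\n") {
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) < 2 || net.ParseIP(fields[0]) == nil {
			continue
		}
		entries = append(entries, HostEntry{IP: fields[0], Names: fields[1:]})
	}
	return entries
}

// BaseHostsEntries applies the base_hosts_file semantics from the commit
// message: "" means /etc/hosts, "none" means no base entries at all, "image"
// means the image's own hosts file, and any other value is a file on the host.
// readFile is injected (assumption) so the function can run on constructed data.
func BaseHostsEntries(setting, imageHosts string, readFile func(string) ([]byte, error)) ([]HostEntry, error) {
	switch setting {
	case "none":
		return nil, nil
	case "image":
		return ParseHosts(imageHosts), nil
	case "":
		setting = "/etc/hosts"
	}
	data, err := readFile(setting)
	if err != nil {
		return nil, fmt.Errorf("reading base hosts file %q: %w", setting, err)
	}
	return ParseHosts(string(data)), nil
}

// RenderHosts formats entries back into hosts(5) lines for the container file.
func RenderHosts(entries []HostEntry) string {
	var sb strings.Builder
	for _, e := range entries {
		sb.WriteString(e.IP + " " + strings.Join(e.Names, " ") + "\n")
	}
	return sb.String()
}

// Constructed sample data standing in for the host's and the image's files.
const (
	sampleHostHosts = "127.0.0.1 localhost\n" +
		"::1 localhost ip6-localhost # loopback\n" +
		"\n# internal services\n" +
		"not-an-ip build.internal\n" +
		"10.0.0.5 build.internal\n"
	sampleImageHosts = "172.17.0.2 app\n"
)

// fakeReader serves files from a map, mimicking os.ReadFile without touching disk.
func fakeReader(files map[string]string) func(string) ([]byte, error) {
	return func(path string) ([]byte, error) {
		if d, ok := files[path]; ok {
			return []byte(d), nil
		}
		return nil, os.ErrNotExist
	}
}

func main() {
	read := fakeReader(map[string]string{"/etc/hosts": sampleHostHosts})
	for _, setting := range []string{"", "image", "none", "/missing/hosts"} {
		entries, err := BaseHostsEntries(setting, sampleImageHosts, read)
		fmt.Printf("base_hosts_file=%q -> %d entries, err=%v\n%s", setting, len(entries), err, RenderHosts(entries))
	}
}
```

The malformed `not-an-ip build.internal` line in the sample is dropped by `ParseHosts`, which is the behaviour you want when copying host entries into a container: a garbage line on the host should not become a garbage line inside every container.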
Slirp4netns options were changed to always default to ipv6 so it does
not need the extra setting. Update the documentation to reflect this.
see https://github.com/containers/podman/pull/13929
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Changing the value for events_logfile_max_size from 0 to 1048576. This allows
up to 10,000 events to be written to the events log file before rotation occurs.
Also adding new values to default.go
Signed-off-by: Niall Crowe <nicrowe@redhat.com>
This will allow users to specify which volumes they want podman machine
to automatically mount into the machine. These volumes can later be used
to volume mount into containers.
Environment variables like $HOME can be used and are translated at the
time of machine start.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
gofumpt is a stricter version of gofmt, basically making the code more
readable, and fixing the gocritic's octalLiteral warnings like this one:
```
pkg/util/util_supported.go:26:17: octalLiteral: use new octal literal style, 0o722 (gocritic)
	return (perm & 0722) == 0700
	                ^
```
Generated by gofumpt -w .
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Docker defined --ipc=private to mean that the container's IPC Namespace
can NOT be shared with another container. While --ipc=shareable can,
which is our current default. Docker also defines "none" which means
the container runs in an IPC namespace but does NOT mount a /dev/shm.
"Host" means the container runs in the host namespace, and
container:UUID means run new container in other containers namespace.
ns:PATH means run in the namespace designated in PATH.
This patch fixes containers/common to reflect the correct default.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
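The mode strings listed above (private, shareable, none, host, container:UUID, ns:PATH) form a small grammar, and the security-relevant distinctions (whether the namespace is private to the container, whether /dev/shm exists at all) fall out of the parsed kind. This added example, written for this page rather than taken from containers/common or Podman, parses and validates such a value. The type and method names (`IPCMode`, `ParseIPCMode`, `MountsDevShm`, `PrivateToContainer`) are assumptions; the only fact taken from the commit message is that an empty value resolves to "shareable", the current default.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// IPCMode is a parsed --ipc value (names assumed for this example).
type IPCMode struct {
	Kind  string // "private", "shareable", "none", "host", "container" or "ns"
	Value string // container name/ID for "container", path for "ns", else ""
}

// DefaultIPCMode is what an empty setting resolves to; the commit message
// names "shareable" as the current default.
const DefaultIPCMode = "shareable"

// ParseIPCMode validates a --ipc string against the modes described in the
// commit message and rejects anything it does not recognise instead of
// guessing.
func ParseIPCMode(s string) (IPCMode, error) {
	if s == "" {
		s = DefaultIPCMode
	}
	switch s {
	case "private", "shareable", "none", "host":
		return IPCMode{Kind: s}, nil
	}
	parts := strings.SplitN(s, ":", 2)
	if len(parts) != 2 {
		return IPCMode{}, fmt.Errorf("invalid ipc mode %q", s)
	}
	kind, value := parts[0], parts[1]
	switch kind {
	case "container":
		if value == "" {
			return IPCMode{}, fmt.Errorf("ipc mode %q: missing container name or ID", s)
		}
	case "ns":
		// A namespace path must be absolute; a relative one would be resolved
		// against an unpredictable working directory.
		if !filepath.IsAbs(value) {
			return IPCMode{}, fmt.Errorf("ipc mode %q: namespace path must be absolute", s)
		}
	default:
		return IPCMode{}, fmt.Errorf("invalid ipc mode %q", s)
	}
	return IPCMode{Kind: kind, Value: value}, nil
}

// MountsDevShm is false only for "none": the container still gets an IPC
// namespace but no /dev/shm is mounted into it.
func (m IPCMode) MountsDevShm() bool { return m.Kind != "none" }

// PrivateToContainer is true for "private": the namespace can NOT be shared
// with another container, unlike the "shareable" default.
func (m IPCMode) PrivateToContainer() bool { return m.Kind == "private" }

func main() {
	// Constructed inputs covering every mode plus three invalid spellings.
	inputs := []string{"", "private", "none", "host", "container:web",
		"ns:/proc/1234/ns/ipc", "container:", "ns:relative", "bogus"}
	for _, in := range inputs {
		m, err := ParseIPCMode(in)
		fmt.Printf("%-22q -> %+v devshm=%v private=%v err=%v\n",
			in, m, m.MountsDevShm(), m.PrivateToContainer(), err)
	}
}
```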
We cannot use /var/tmp on windows, instead use the temp var which is
defined on windows, or fall back to appdata.
Fixes containers/podman#13434
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Different packaging for different distributions has its own prefix for where helper binaries should live. additionalHelperBinariesDir is a variable that can be set during link-time so that a packager can change the location without having to carry patches for their default location.
[NO NEW TESTS NEEDED]
Signed-off-by: Ashley Cui <acui@redhat.com>
This patch adds unit tests for the function `probeConmon` as well as
fixes a bug where a `nil` error got wrapped always to `nil`.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Add a new field to set the default subnet pools. They can be used to
change the subnet which is automatically allocated by podman network
create.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This field was only needed for machine to force cni, however you can set
netns="bridge" in the config to have the same effect. This is already
done in the machine setup.
The field was more of a hack and just creates confusion for users so we
remove it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Since the network namespace is shared for all rootful libpod instances
we also need to make sure to use the same network config dir and run dir
to ensure that we do not use the same subnet or ip for more than one
container.
Also update the documentation about the network_config_dir field.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When the network backend is unset in the config we have to figure out
if we need CNI or netavark. New installs should use netavark while
existing installs should continue to use CNI to prevent breaking
systems.
We use the following conditions to determine what backend to use:
1. read ${graphroot}/defaultNetworkBackend
2. find netavark binary (if not installed use CNI)
3. check containers, images and CNI networks and if there are some
we have an existing install and should continue to use CNI
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
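The three conditions above are an ordered decision procedure, and the order matters: a persisted choice must beat binary detection, and binary detection must beat the "existing install" check, or an upgrade could silently move running systems to a different backend. The following added example encodes that procedure; it is written for this page and is not containers/common's code. The `Probe` struct, the function names and the injected booleans are assumptions so the decision can be exercised against constructed state; the only page-derived facts are the file name `${graphroot}/defaultNetworkBackend`, the backend names and the three conditions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// Backend names as persisted in ${graphroot}/defaultNetworkBackend.
const (
	BackendCNI      = "cni"
	BackendNetavark = "netavark"
)

// Probe holds the facts the decision depends on (assumed shape). A real
// caller fills it from the system; main() and the test fill it with
// constructed values.
type Probe struct {
	GraphRoot      string // storage graph root
	NetavarkFound  bool   // condition 2: is a netavark binary installed?
	HasContainers  bool   // condition 3: any existing containers?
	HasImages      bool   // condition 3: any existing images?
	HasCNINetworks bool   // condition 3: any CNI network configs on disk?
}

// readPersistedBackend implements condition 1: a backend recorded under the
// graph root always wins, so an install never silently switches backend.
// A missing file yields ""; an unknown value is an error rather than a guess.
func readPersistedBackend(graphRoot string) (string, error) {
	raw, err := os.ReadFile(filepath.Join(graphRoot, "defaultNetworkBackend"))
	if errors.Is(err, os.ErrNotExist) {
		return "", nil
	}
	if err != nil {
		return "", err
	}
	v := strings.TrimSpace(string(raw))
	switch v {
	case BackendCNI, BackendNetavark:
		return v, nil
	}
	return "", fmt.Errorf("unknown network backend %q in %s", v, graphRoot)
}

// ChooseBackend applies the three conditions in order.
func ChooseBackend(p Probe) (string, error) {
	if v, err := readPersistedBackend(p.GraphRoot); err != nil || v != "" {
		return v, err
	}
	if !p.NetavarkFound {
		return BackendCNI, nil
	}
	if p.HasContainers || p.HasImages || p.HasCNINetworks {
		// Existing install: keep CNI so a running system is not broken.
		return BackendCNI, nil
	}
	return BackendNetavark, nil
}

// PersistBackend records the decision so later runs take condition 1.
func PersistBackend(graphRoot, backend string) error {
	return os.WriteFile(filepath.Join(graphRoot, "defaultNetworkBackend"), []byte(backend+"\n"), 0o644)
}

func main() {
	root, err := os.MkdirTemp("", "graphroot-") // constructed, empty graph root
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	_, lookErr := exec.LookPath("netavark")
	backend, err := ChooseBackend(Probe{GraphRoot: root, NetavarkFound: lookErr == nil})
	if err != nil {
		panic(err)
	}
	fmt.Println("chosen backend:", backend)
}
```

Rejecting an unrecognised persisted value instead of falling through to the remaining conditions is deliberate: a corrupted or hand-edited marker file should surface as an error, not quietly change which backend owns the subnet allocations.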
Add an option to containers.conf as a knob to enforce short-name
resolution to Docker Hub in Podman's compatibility REST API.
By popular request, turn it on by default.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This field determines whether CNI or netavark will be used to
create container networks. Default presently set to "cni".
Signed-off-by: Matthew Heon <mheon@redhat.com>
Add machine table to configure podman machine options. Move machine_image to the machine table, and add cpus, disk size, and memory to the machine table.
Signed-off-by: Ashley Cui <acui@redhat.com>
If you use this field in rootless mode, it will blow up,
since rootless mode can not use the host user namespace.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Allow users to set the default location for the temporary files used
during image pulls and pushes.
Defaults to /var/tmp;
Overridden via "TMPDIR" environment variable.
Allow special flag "storage" to indicate that the storage should use
the tmp directory in containers/storage/tmp.
Needed to fix: https://github.com/containers/podman/issues/11107
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This field contains a list of directories which should be used to store
some helper binaries, e.g. gvproxy.
Also add a FindHelperBinary method to the config struct to get the full
path to a helper binary.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The default path should be empty in order for podman to distinguish
between a path that was explicitly set or to use the default (in memory)
profile.
Fixes: containers/podman#10556
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The default netns must be empty. Podman should decide what the default
option is. While podman also defaults to slirp4netns as rootless and
bridge as root, there are also other defaults for `podman run --pod ...`
and `podman pod create --infra=false` where it defaults to the pods
netns. This config field was always ignored by podman and trying to
make it work requires this patch since the default values are incorrect
for podman.
Buildah does not seem to use it either.
Also move the rootless_networking field in the default config file to
the correct containers stanza.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Currently we have users failing to run containers within containers
or on systems without systemd support. This change will give us
better defaults on these systems.
Fixes: https://github.com/containers/common/issues/580
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We were hardcoding Slirp4netns as the only valid option for
rootless when "private" networking was selected. We shouldn't be
doing that - the default networking selection in Podman itself is
smart enough to figure out what to do, c/common should not decide
for us.
Signed-off-by: Matthew Heon <mheon@redhat.com>
This reverts commit 352073be9e as it's
causing a regression as it overwrites any custom OCI runtime with either
runc, crun or kata. See the Podman CI failure below:
```
[+0383s] not ok 95 podman build - set runtime
[+0383s] # (from function `die' in file test/system/helpers.bash, line 412,
[+0383s] # from function `run_podman' in file test/system/helpers.bash, line 220,
[+0383s] # in test file test/system/070-build.bats, line 70)
```
I currently do not have the time for a proper fix but the next commit
attempting to address the warnings must include tests.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Commit ebfe786429 changed the default logging driver k8s-file to
journald. The only consumer of the log-driver is Podman which I think
still needs some more time to stabilize. Vendoring containers/common
into Podman has revealed quite some warts (see
containers/podman/pull/10222) which reduced my confidence level.
To resolve the chicken-egg-problem of maturing the journald driver, I
want to only partially revert commit ebfe786429. The built-in default
remains k8s-file while the containers.conf sets it to journald. The
intention behind is to make sure that running systems are not impacted
but we can change Fedora to journald to increase coverage.
Once the confidence level is back to normal, we can change the default
to journald. Latest before RHEL9.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This eliminates the concern of log files growing infinitely and also
records all containers for posterity rather than allowing the removal
of a container to destroy the record.
Partially fixes: https://github.com/containers/podman/issues/9158
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Golang builtin OS functions include the path to the object being used,
no reason for us to wrap these errors with an object for a second time.
This just causes stuttering, and looks bad at the CLI level.
Existing tests should catch any errors.
Also stop adding "error" to something that is obviously an error when it
shows up to the user.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This reverts commit 451f5fb68b.
Journald is not yet passing Podman CI. We need to temporarily revert
the commit to unblock secrets work.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
In the containers.conf we default to true, but in code and man page
it is defaulted to false. Since Podman wants it defaulted to true
we need to change default and man page to match.
Also fixed the testing for SELinux, which would never succeed on an SELinux box.
Helps fix: https://github.com/containers/podman/pull/8844
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Systemd is now complaining or mentioning /var/run as a legacy directory.
It has been many years where /var/run is a symlink to /run on almost
all distributions, make the change to the default.
Partial fix for https://github.com/containers/podman/issues/8369
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Users could have any one of the OCI runtimes installed,
code will search for default. This way they do not need
to modify defaults if they have "crun" installed.
Search order will be crun, runc, kata.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
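Both the helper_binaries_dir lookup described earlier (a list of directories searched for binaries such as gvproxy, with a FindHelperBinary method on the config) and the runtime search order just above (crun, then runc, then kata) are the same operation: walk an ordered list and take the first executable that exists. This added example, written for this page and not taken from containers/common, implements that once and reuses it for the runtime search. The function names, the `searchPath` fallback to `$PATH`, and the executable-bit check are assumptions; the search order itself is the one stated in the commit message.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ErrHelperNotFound is returned when no directory holds an executable of that name.
var ErrHelperNotFound = errors.New("helper binary not found")

// isExecutable reports whether path is a regular file with an execute bit
// set, so a stray non-executable file of the right name is not picked up.
func isExecutable(path string) bool {
	fi, err := os.Stat(path)
	return err == nil && fi.Mode().IsRegular() && fi.Mode().Perm()&0o111 != 0
}

// FindHelperBinary walks the configured directories in order and returns the
// first executable called name; with searchPath it then falls back to $PATH.
func FindHelperBinary(name string, dirs []string, searchPath bool) (string, error) {
	for _, d := range dirs {
		if p := filepath.Join(d, name); isExecutable(p) {
			return p, nil
		}
	}
	if searchPath {
		if p, err := exec.LookPath(name); err == nil {
			return p, nil
		}
	}
	return "", fmt.Errorf("%w: %s (searched %v)", ErrHelperNotFound, name, dirs)
}

// DefaultRuntimeSearchOrder is the order from the commit message: crun, runc, kata.
var DefaultRuntimeSearchOrder = []string{"crun", "runc", "kata"}

// FindDefaultRuntime returns the first runtime in order that FindHelperBinary
// locates, so a user with only crun installed gets crun without editing the config.
func FindDefaultRuntime(order, dirs []string, searchPath bool) (name, path string, err error) {
	for _, n := range order {
		if p, err := FindHelperBinary(n, dirs, searchPath); err == nil {
			return n, p, nil
		}
	}
	return "", "", fmt.Errorf("no OCI runtime found, tried %v", order)
}

func main() {
	// Constructed directory list standing in for helper_binaries_dir.
	dirs := []string{"/usr/local/libexec/podman", "/usr/libexec/podman"}
	if p, err := FindHelperBinary("gvproxy", dirs, false); err != nil {
		fmt.Println(err)
	} else {
		fmt.Println("gvproxy:", p)
	}
	name, p, err := FindDefaultRuntime(DefaultRuntimeSearchOrder, nil, true)
	fmt.Println(name, p, err)
}
```

Checking the execute bit rather than mere existence is the detail worth keeping: a configured helper directory is typically root-owned, but a zero-length or non-executable file of the right name left behind by a failed package update should produce a clear "not found" error rather than an opaque exec failure later.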