Add an option to containers.conf as a knob to enforce short-name
resolution to Docker Hub in Podman's compatibility REST API.
By popular request, turn it on by default.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
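The security-relevant point of this knob is registry pinning: a Docker client that sends an unqualified name such as "nginx" expects Docker Hub, and without enforcement the unqualified-search-registries list (or a short-name alias) could route that pull elsewhere. The following Go snippet is an added illustration of the resolution rule, not code from containers/common; the function and variable names are assumptions, and the heuristic for "is this first component a registry" follows the usual dot/colon/localhost convention.

```go
package main

import (
	"fmt"
	"strings"
)

// dockerHub is the registry that the enforcement knob pins short names to.
const dockerHub = "docker.io"

// looksLikeRegistry reports whether the first path component of a reference
// names a registry host: "localhost" or anything containing a dot or a port
// separator. This is the same heuristic Docker uses to split registry from
// repository, so "myorg/app" is a short name while "quay.io/app" is not.
func looksLikeRegistry(first string) bool {
	return first == "localhost" || strings.ContainsAny(first, ".:")
}

// resolveCompatName turns a reference received on the compat API into the
// name that is actually pulled. With enforceDockerHub set, a short name such
// as "fedora" or "myorg/app" always resolves to Docker Hub, so a client that
// expects Docker semantics cannot be redirected to another registry by the
// unqualified-search-registries list. With it unset, the short name is
// returned untouched and the normal short-name resolution runs later.
func resolveCompatName(ref string, enforceDockerHub bool) (string, error) {
	if ref == "" {
		return "", fmt.Errorf("empty image reference")
	}
	first := strings.SplitN(ref, "/", 2)[0]
	if looksLikeRegistry(first) || !enforceDockerHub {
		// Already qualified, or enforcement is off: never rewrite the registry.
		return ref, nil
	}
	if !strings.Contains(ref, "/") {
		// Single-component names live under "library" on Docker Hub.
		return dockerHub + "/library/" + ref, nil
	}
	return dockerHub + "/" + ref, nil
}

func main() {
	// Constructed sample references.
	for _, ref := range []string{"fedora", "myorg/app:1.2", "quay.io/podman/stable", "localhost/test"} {
		for _, enforce := range []bool{false, true} {
			resolved, err := resolveCompatName(ref, enforce)
			fmt.Printf("enforce=%-5v %-22s -> %s %v\n", enforce, ref, resolved, err)
		}
	}
}
```

Note that a reference that already names a registry is never rewritten, even with enforcement on; the knob only decides what happens to names that carry no registry at all.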
This field determines whether CNI or netavark will be used to
create container networks. Default presently set to "cni".
Signed-off-by: Matthew Heon <mheon@redhat.com>
Add machine table to configure podman machine options. Move machine_image to the machine table, and add cpus, disk size, and memory to the machine table.
Signed-off-by: Ashley Cui <acui@redhat.com>
If you use this field in rootless mode, it will blow up,
since rootless mode can not use the host user namespace.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Allow users to set the default location for the temporary files used
during image pulls and pushes.
Defaults to /var/tmp;
Overridden via "TMPDIR" environment variable.
Allow special flag "storage" to indicate that the storage should use
the tmp directory in containers/storage/tmp.
Needed to fix: https://github.com/containers/podman/issues/11107
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
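The precedence described above (TMPDIR wins, then the configured value, with "storage" meaning a tmp directory under the storage root, and /var/tmp as the fallback) is easy to get subtly wrong, so here it is as an added Go example. This is not the containers/common implementation; the function name, the assumption that the configured value must be an absolute path, and the way the storage root is passed in are all mine.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// defaultImageCopyTmpDir is where pull/push temporaries go when nothing else
// is configured.
const defaultImageCopyTmpDir = "/var/tmp"

// imageCopyTmpDir returns the directory for the temporary files written
// during image pulls and pushes. Precedence, as assumed here: the TMPDIR
// environment variable wins; otherwise the containers.conf value is used;
// the special value "storage" selects <graph root>/tmp; an empty value falls
// back to /var/tmp. Relative paths are rejected because a relative tmp dir
// would resolve against whatever the caller's working directory happens to be.
func imageCopyTmpDir(configValue, tmpdirEnv, graphRoot string) (string, error) {
	switch {
	case tmpdirEnv != "":
		return ensureAbs(tmpdirEnv)
	case configValue == "storage":
		if graphRoot == "" {
			return "", fmt.Errorf("tmp dir is \"storage\" but no storage graph root is known")
		}
		return filepath.Join(graphRoot, "tmp"), nil
	case configValue != "":
		return ensureAbs(configValue)
	default:
		return defaultImageCopyTmpDir, nil
	}
}

// ensureAbs rejects relative paths and normalises the rest.
func ensureAbs(p string) (string, error) {
	if !filepath.IsAbs(p) {
		return "", fmt.Errorf("tmp dir %q must be an absolute path", p)
	}
	return filepath.Clean(p), nil
}

func main() {
	// Constructed inputs: configured value, TMPDIR, storage graph root.
	root := "/var/lib/containers/storage"
	for _, c := range [][2]string{{"", ""}, {"storage", ""}, {"/scratch", ""}, {"storage", "/tmp/override"}, {"relative", ""}} {
		dir, err := imageCopyTmpDir(c[0], c[1], root)
		fmt.Printf("config=%-8q TMPDIR=%-15q -> %s %v\n", c[0], c[1], dir, err)
	}
}
```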
This field contains a list of directories which should be used to store
some helper binaries, e.g. gvproxy.
Also add a FindHelperBinary method to the config struct to get the full
path to a helper binary.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
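A helper-binary lookup is a small trust decision: the configured directories are consulted in order, and only a regular executable file counts, so a stray non-executable or a directory with the right name cannot be selected. The Go code below is an added example of such a lookup and is not the containers/common implementation; the method name mirrors the FindHelperBinary mentioned above, but the struct, the PATH fallback flag and the error handling are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// helperConfig stands in for the config struct that carries the
// helper_binaries_dir list.
type helperConfig struct {
	HelperBinariesDir []string
}

// FindHelperBinary returns the absolute path of a helper binary such as
// gvproxy. The configured directories are searched in order and the first
// regular, executable file wins; with searchPATH set, the caller's PATH is
// consulted as a last resort. Errors other than "not found" are returned
// rather than skipped, so a permission problem on an early directory does
// not silently select a binary from a later, possibly less trusted, one.
func (c *helperConfig) FindHelperBinary(name string, searchPATH bool) (string, error) {
	if filepath.Base(name) != name {
		return "", fmt.Errorf("helper binary name %q must not contain a path", name)
	}
	for _, dir := range c.HelperBinariesDir {
		candidate := filepath.Join(dir, name)
		info, err := os.Stat(candidate)
		switch {
		case err == nil:
			if info.Mode().IsRegular() && info.Mode().Perm()&0o111 != 0 {
				return candidate, nil
			}
			// Exists but is not an executable regular file: keep looking.
		case os.IsNotExist(err):
			continue
		default:
			return "", fmt.Errorf("checking %s: %w", candidate, err)
		}
	}
	if searchPATH {
		if p, err := exec.LookPath(name); err == nil {
			return p, nil
		}
	}
	return "", fmt.Errorf("could not find %q in one of %v", name, c.HelperBinariesDir)
}

func main() {
	// Constructed configuration; the directories need not exist.
	c := &helperConfig{HelperBinariesDir: []string{"/usr/local/libexec/podman", "/usr/libexec/podman"}}
	for _, name := range []string{"gvproxy", "../gvproxy"} {
		p, err := c.FindHelperBinary(name, true)
		fmt.Printf("%-12s -> %q %v\n", name, p, err)
	}
}
```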
The default path should be empty in order for podman to distinguish
between a path that was explicitly set and the default (in memory)
profile.
Fixes: containers/podman#10556
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The default netns must be empty. Podman should decide what the default
option is. While podman also defaults to slirp4netns as rootless and
bridge as root, there are also other defaults for `podman run --pod ...`
and `podman pod create --infra=false` where it defaults to the pods
netns. This config field was always ignored by podman and trying to
make it work requires this patch since the default values are incorrect
for podman.
Buildah does not seem to use it either.
Also move the rootless_networking field in the default config file to
the correct containers stanza.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Currently we have users failing to run containers within containers
or on systems without systemd support. This change will give us
better defaults on these systems.
Fixes: https://github.com/containers/common/issues/580
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We were hardcoding Slirp4netns as the only valid option for
rootless when "private" networking was selected. We shouldn't be
doing that - the default networking selection in Podman itself is
smart enough to figure out what to do, c/common should not decide
for us.
Signed-off-by: Matthew Heon <mheon@redhat.com>
This reverts commit 352073be9e as it's
causing a regression as it overwrites any custom OCI runtime with either
runc, crun or kata. See the Podman CI failure below:
```
[+0383s] not ok 95 podman build - set runtime
[+0383s] # (from function `die' in file test/system/helpers.bash, line 412,
[+0383s] # from function `run_podman' in file test/system/helpers.bash, line 220,
[+0383s] # in test file test/system/070-build.bats, line 70)
```
I currently do not have the time for a proper fix but the next commit
attempting to address the warnings must include tests.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Commit ebfe786429 changed the default logging driver k8s-file to
journald. The only consumer of the log-driver is Podman which I think
still needs some more time to stabilize. Vendoring containers/common
into Podman has revealed quite some warts (see
containers/podman/pull/10222) which reduced my confidence level.
To resolve the chicken-egg-problem of maturing the journald driver, I
want to only partially revert commit ebfe786429. The built-in default
remains k8s-file while the containers.conf sets it to journald. The
intention behind is to make sure that running systems are not impacted
but we can change Fedora to journald to increase coverage.
Once the confidence level is back to normal, we can change the default
to journald. Latest before RHEL9.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This eliminates the concern of log files growing infinitely and also
records all containers for posterity rather than allowing the removal
of a container to destroy the record.
Partially fixes: https://github.com/containers/podman/issues/9158
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
golang builtin OS functions include the path to the object being used, so there is
no reason for us to wrap these errors with the object a second time.
This just causes stuttering and looks bad at the CLI level.
Existing tests should catch any errors.
Also stop adding "error" to something that is obviously an error when it
shows up to the user.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This reverts commit 451f5fb68b.
Journald is not yet passing Podman CI. We need to temporarily revert
the commit to unblock secrets work.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
In the containers.conf we default to true, but in code and man page
it is defaulted to false. Since Podman wants it defaulted to true
we need to change default and man page to match.
Also fixed the testing for SELinux, which would never succeed on an SELinux box.
Helps fix: https://github.com/containers/podman/pull/8844
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Systemd is now complaining or mentioning /var/run as a legacy directory.
It has been many years since /var/run became a symlink to /run on
almost all distributions, so make the change to the default.
Partial fix for https://github.com/containers/podman/issues/8369
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Users could have any one of the OCI runtimes installed,
code will search for default. This way they do not need
to modify defaults if they have "crun" installed.
Search order will be crun, runc, kata
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
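Two properties matter in a runtime search like the one described above: an explicitly configured runtime must be used as configured (the revert earlier on this page was needed precisely because a custom runtime got overwritten), and only when nothing is configured should the ordered candidate list be walked. The Go code below is an added illustration, not the containers/common implementation; the function names and the injectable lookup are assumptions so the logic can run without any runtime installed.

```go
package main

import (
	"fmt"
	"os/exec"
)

// defaultRuntimeSearchOrder is the order described above: crun, then runc,
// then kata.
var defaultRuntimeSearchOrder = []string{"crun", "runc", "kata"}

// lookPathFunc abstracts exec.LookPath so the selection logic can be
// exercised without installing any runtime.
type lookPathFunc func(file string) (string, error)

// selectRuntime returns the name and resolved path of the OCI runtime to use.
// An explicitly configured runtime is honoured as-is and is an error if it is
// missing, rather than being silently swapped for another one; only when
// nothing is configured is the candidate list walked in order.
func selectRuntime(configured string, candidates []string, lookPath lookPathFunc) (string, string, error) {
	if lookPath == nil {
		lookPath = exec.LookPath
	}
	if configured != "" {
		p, err := lookPath(configured)
		if err != nil {
			return "", "", fmt.Errorf("configured runtime %q not found: %w", configured, err)
		}
		return configured, p, nil
	}
	for _, c := range candidates {
		if p, err := lookPath(c); err == nil {
			return c, p, nil
		}
	}
	return "", "", fmt.Errorf("no OCI runtime found; looked for %v", candidates)
}

// fakeLookPath builds a lookPathFunc over a constructed set of "installed"
// binaries, used by main and by the tests.
func fakeLookPath(installed map[string]string) lookPathFunc {
	return func(file string) (string, error) {
		if p, ok := installed[file]; ok {
			return p, nil
		}
		return "", fmt.Errorf("%q not in PATH", file)
	}
}

func main() {
	// Constructed systems: only runc; crun and runc; nothing at all.
	systems := []map[string]string{
		{"runc": "/usr/bin/runc"},
		{"runc": "/usr/bin/runc", "crun": "/usr/bin/crun"},
		{},
	}
	for _, installed := range systems {
		name, path, err := selectRuntime("", defaultRuntimeSearchOrder, fakeLookPath(installed))
		fmt.Printf("installed=%v -> %s %s %v\n", installed, name, path, err)
	}
	// A configured runtime is never second-guessed.
	name, path, err := selectRuntime("kata", defaultRuntimeSearchOrder, fakeLookPath(systems[1]))
	fmt.Printf("configured=kata -> %s %s %v\n", name, path, err)
}
```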
We should be sourcing from the image CMD/ENTRYPOINT by default.
Having a default prevents us from doing that - we should only be
using this for user-configured values that do not come from the
image.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Fix handling of storage.conf path, so that we can use it when testing podman.
Currently the Environment variable is not handled correctly.
There are matching patches in containers/storage and eventually
containers/podman to allow the use of alternative storage.conf files in testing.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Some users want to stick to "docker" format especially since some older
container registries don't properly support OCI images.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We want to make sure that the TERM environment variable is always
set. TERM defaulted to ansi might be better, but we want to match
Docker defaults, so we will stick at xterm.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently it is difficult to modify the path to the storage.conf
file for setting up testing. It is hard coded to use /etc/containers/storage.conf.
Adding this environment variable will allow us to write tests on storage.conf
that do not override the system defaults.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Use XDG_CONFIG_HOME if it is defined.
XDG_CONFIG_HOME is already respected for configuration files such as containers.conf, storage.conf, and registry.conf but here `~/.config` was hardcoded.
Signed-off-by: David Scherer <david.scherer@antithesis.com>
I am experimenting with supporting CNI in rootless Podman. There is
no harm in preparing common to support such case and allow a custom
per-user configuration.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Only return the Pids Limit for container engines running as root or
with cgroupv2 and Systemd as a cgroup manager.
Trying to do this with rootless containers on cgroup V1 is not allowed.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Modify validate functions to work on remote clients.
Any of the path checks will not work on remote machines or make
sense on remote clients. Therefore they should not be checked.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently if a rootless user runs podman in his homedir, and does
not have /etc/containers/policy.json on the system and does not
have ~/config/policy.json in his homedir, the command fails with
an error.
$ podman pull fedora
Error: error pulling image "fedora": unable to pull fedora: open /etc/containers/policy.json: no such file or directory
If the user has no root rights on the system, he can not create the file.
However the system would work fine if he created the file in his homedir.
With this change, we will force the default to be the file in his homedir if
BOTH files do not exist. Now the error message for a rootless container would
be:
$ podman pull fedora
Error: unable to pull fedora: open /home/dwalsh/.config/containers/policy.json: no such file or directory
And the user has an idea how to fix this situation.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
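The policy.json fallback above and the XDG_CONFIG_HOME change earlier on this page are two halves of the same path resolution: find the per-user config directory correctly, then pick the policy file so that the error a rootless user gets names a file they can create. The Go code below is an added example of that resolution and is not the containers/common implementation; the function names, the argument-passing instead of reading the environment, and the assumed precedence (existing per-user file, then existing system file, then the per-user path) are mine.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// systemPolicyPath is the file root always uses, and rootless uses when it
// exists.
const systemPolicyPath = "/etc/containers/policy.json"

// userConfigDir returns the per-user containers config directory. It honours
// XDG_CONFIG_HOME when set and falls back to ~/.config otherwise. The values
// are passed in rather than read from the environment so the logic can be
// tested without touching the caller's environment.
func userConfigDir(home, xdgConfigHome string) (string, error) {
	base := xdgConfigHome
	if base == "" {
		if home == "" {
			return "", errors.New("neither XDG_CONFIG_HOME nor HOME is set")
		}
		base = filepath.Join(home, ".config")
	}
	if !filepath.IsAbs(base) {
		return "", fmt.Errorf("config home %q is not absolute", base)
	}
	return filepath.Join(base, "containers"), nil
}

// exists reports whether path exists; any error other than "not found" is
// returned so that a permission problem is not mistaken for a missing file.
func exists(path string) (bool, error) {
	_, err := os.Stat(path)
	switch {
	case err == nil:
		return true, nil
	case errors.Is(err, fs.ErrNotExist):
		return false, nil
	default:
		return false, err
	}
}

// defaultPolicyPath chooses the signature policy file. Root always uses the
// system path. For a rootless user the per-user file wins when it exists,
// then the system file; when neither exists the per-user path is returned so
// that the resulting "no such file" error names a file the user can create.
func defaultPolicyPath(rootless bool, systemPath, home, xdgConfigHome string) (string, error) {
	if !rootless {
		return systemPath, nil
	}
	dir, err := userConfigDir(home, xdgConfigHome)
	if err != nil {
		return "", err
	}
	userPath := filepath.Join(dir, "policy.json")
	for _, candidate := range []string{userPath, systemPath} {
		ok, err := exists(candidate)
		if err != nil {
			return "", fmt.Errorf("checking %s: %w", candidate, err)
		}
		if ok {
			return candidate, nil
		}
	}
	return userPath, nil
}

func main() {
	p, err := defaultPolicyPath(os.Geteuid() != 0, systemPolicyPath, os.Getenv("HOME"), os.Getenv("XDG_CONFIG_HOME"))
	fmt.Println("policy path:", p, err)
}
```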
cgroupns="private" should be used only on cgroup v2.
On cgroup v1 it would be a breaking change, and also we'd need to
check whether the kernel supports cgroup namespaces.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
by default do not create a user namespace. A user namespace also
requires mappings to be specified and that is not possible with a
static setting. We cannot default to "auto" as it requires additional
configuration for the root user.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
We need to identify the list of containers that support KVM separation. These
containers can run with a different SELinux label, and we might be able to
make different decisions in the container engines about how to launch these
containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Move pkg/sysinfo and pkg/apparmor out of libpod into containers/common.
This will allow other packages to use these libraries without requiring all of libpod.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The `pause:3.1` has wrong configs for non-amd64 images as they all claim
to be for amd64. The issue has now been fixed in the latest
`pause:3.2`.
[1] https://github.com/kubernetes/kubernetes/issues/87325
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
containers/common pkg/config is for more engines than just libpod.
We want to use the 'libpod' section to configure parts of buildah. Renaming this
section to engine, makes it more obvious to users that these fields can affect other
container engines.
Certain fields are still libpod specific, so we do not change those fields.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Callers should use containers/storage directly.
Also remove MergeDBConfig, this is no longer used by any callers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
pull_policy is the same as podman run --pull option to determine whether to pull a new image when running a container.
Accepted "always", "missing", and "never". Default value is "missing".
Signed-off-by: Qi Wang <qiwan@redhat.com>
Allow users to modify the default amount of time to wait to send SIGKILL
after you tell a container to stop with a SIGINT.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
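The stop timeout is the grace period between the polite signal and SIGKILL; the part worth getting right is the race around it (the process may exit just as the timeout fires) and not treating "died from the signal we sent" as a failure. The Go program below is an added example of that sequence on a plain child process, not containers/common or Podman code; it assumes a Linux-like system with sh and sleep available, and the function names are mine. main uses a shell trap to build a process that ignores SIGINT, which is the case a stuck container entrypoint presents.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"syscall"
	"time"
)

// stopProcess sends stopSignal to an already started command and waits up to
// timeout for it to exit. If it is still running when the timeout expires,
// SIGKILL is sent. The bool reports whether SIGKILL was needed. An exit
// caused by a signal is the outcome we asked for and is not reported as an
// error.
func stopProcess(cmd *exec.Cmd, stopSignal os.Signal, timeout time.Duration) (bool, error) {
	if cmd.Process == nil {
		return false, errors.New("process not started")
	}
	done := make(chan error, 1)
	go func() { done <- cmd.Wait() }()

	if err := cmd.Process.Signal(stopSignal); err != nil {
		if errors.Is(err, os.ErrProcessDone) {
			return false, ignoreSignalExit(<-done) // exited before we got to it
		}
		return false, fmt.Errorf("sending %v: %w", stopSignal, err)
	}
	select {
	case err := <-done:
		return false, ignoreSignalExit(err)
	case <-time.After(timeout):
	}
	// Grace period over. The process may still exit right now, so a
	// "process already finished" from Kill is not an error.
	if err := cmd.Process.Kill(); err != nil && !errors.Is(err, os.ErrProcessDone) {
		return true, fmt.Errorf("sending SIGKILL: %w", err)
	}
	return true, ignoreSignalExit(<-done)
}

// ignoreSignalExit turns "exited because of a signal" into nil; any other
// error (non-zero exit status, wait failure) is passed through.
func ignoreSignalExit(err error) error {
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		if ws, ok := exitErr.Sys().(syscall.WaitStatus); ok && ws.Signaled() {
			return nil
		}
	}
	return err
}

func main() {
	// Constructed samples: one process that honours SIGINT, one that ignores
	// it. "exec" keeps the second one at the shell's PID with SIGINT ignored.
	polite := exec.Command("sleep", "30")
	stubborn := exec.Command("sh", "-c", `trap "" INT; exec sleep 30`)
	for _, c := range []*exec.Cmd{polite, stubborn} {
		if err := c.Start(); err != nil {
			fmt.Println("start:", err)
			return
		}
		time.Sleep(200 * time.Millisecond) // give the shell a moment to install the trap
		killed, err := stopProcess(c, syscall.SIGINT, 500*time.Millisecond)
		fmt.Printf("%v: needed SIGKILL=%v err=%v\n", c.Args, killed, err)
	}
}
```

The goroutine around cmd.Wait is what lets the timeout and the exit race cleanly; calling Wait directly after the signal would block for the full 30 seconds on the stubborn process.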
In root running containers we want to approach the MAX Number of processes and
open files, so that services running Podman will work when they have lots of open
files or processes. In rootless containers this number can not be changed. This
patch will only increase the numbers if the process is allowed.
Docker set the limit to 2**20 (1048576); it looks like this was the max for the RHEL5 OS.
So we fall back to attempting to set this limit if the MAX_PROC limit is not allowed.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
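The rule above (raise as far as permitted, fall back to 2**20, never fail or lower anything when unprivileged) maps onto a short candidate loop over setrlimit. The Go program below is an added illustration of that loop and is not the containers/common implementation; it assumes Linux (RLIMIT_NPROC is written as the literal 6 because package syscall does not export it), and the function and constant names are mine. Raising the hard limit needs CAP_SYS_RESOURCE, so for a rootless process only the last candidate (soft limit up to the existing hard limit) is expected to succeed.

```go
package main

import (
	"fmt"
	"syscall"
)

// dockerCompatLimit is 2**20, the value Docker uses and the fallback when
// raising to unlimited is refused.
const dockerCompatLimit uint64 = 1 << 20

// rlimitNPROC is RLIMIT_NPROC on Linux; package syscall does not export it.
const rlimitNPROC = 6

// rlimInfinity is RLIM_INFINITY as the unsigned value syscall.Rlimit uses.
const rlimInfinity = ^uint64(0)

// raiseLimit raises the soft limit for resource as far as the process is
// allowed to. Candidates are tried in order: unlimited, 2**20, and the
// current hard limit. Only the first two may need to raise the hard limit
// (CAP_SYS_RESOURCE); the last never does, so the loop always ends with a
// limit that is at least what it started with. The limit in effect after the
// call is returned.
func raiseLimit(resource int) (syscall.Rlimit, error) {
	var cur syscall.Rlimit
	if err := syscall.Getrlimit(resource, &cur); err != nil {
		return cur, fmt.Errorf("getrlimit(%d): %w", resource, err)
	}
	for _, want := range []uint64{rlimInfinity, dockerCompatLimit, cur.Max} {
		if want < cur.Cur {
			continue // never lower a limit that is already higher
		}
		attempt := syscall.Rlimit{Cur: want, Max: cur.Max}
		if want > cur.Max {
			attempt.Max = want // needs CAP_SYS_RESOURCE; EPERM otherwise
		}
		if err := syscall.Setrlimit(resource, &attempt); err == nil {
			return attempt, nil
		}
	}
	return cur, nil
}

func main() {
	for _, r := range []struct {
		name string
		res  int
	}{{"RLIMIT_NOFILE", syscall.RLIMIT_NOFILE}, {"RLIMIT_NPROC", rlimitNPROC}} {
		lim, err := raiseLimit(r.res)
		fmt.Printf("%s: cur=%d max=%d err=%v\n", r.name, lim.Cur, lim.Max, err)
	}
}
```

Note that for RLIMIT_NOFILE the kernel refuses a hard limit above fs.nr_open even for root, which is exactly why the 2**20 candidate (the default nr_open) sits between "unlimited" and "whatever the hard limit already is".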
The default alternative path for seccomp.json should be /etc/containers/seccomp.json
The DefaultNetwork in network config should be bridge
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
at the moment the cgroups package is used only by Podman and by CRI-O
(that is already vendoring libpod). So let's simplify and not have a
duplicate here.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Fix handling of toml files
No longer need merge, since we can specify a default conf for each toml file.
The toml code will retain the previous defaults and only use the newly specified
values.
This greatly simplifies the code.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We want to hide Optional Bools from the default configuration. Callers should only have to deal with boolean
fields and not deal with optionals.
Add accessor functions for all optional bools, which is easier.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add configurations from libpod.conf to containers.conf. Use merge code from libpod to read and merge configurations from file.
Add unshare_linux for build linux: HomeDir should buildah not only for linux. So add unshare_linux for linux and unshare.go for others.
Convert bool to OptionalBool: use OptionalBool for on-disk configurations so we can distinguish whether a field is undefined vs. user set to false.
Signed-off-by: Qi Wang <qiwan@redhat.com>
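The OptionalBool conversion described above, the accessor functions from the earlier "hide Optional Bools" change, and the "later file only overrides what it sets" merge semantics all hinge on one thing: telling an absent key apart from an explicit false. The Go code below is an added example that ties those three together; it is not the containers/common pkg/config implementation, and the type, field and method names (including the two sample config fields and their defaults) are assumptions of this example.

```go
package main

import "fmt"

// OptionalBool is a tri-state boolean: undefined, true or false. On disk it
// lets the loader tell "the user wrote false" apart from "the key is absent".
type OptionalBool byte

const (
	OptionalBoolUndefined OptionalBool = iota
	OptionalBoolTrue
	OptionalBoolFalse
)

// NewOptionalBool converts a plain bool for code that has already decided.
func NewOptionalBool(b bool) OptionalBool {
	if b {
		return OptionalBoolTrue
	}
	return OptionalBoolFalse
}

// Get resolves the tri-state against a built-in default.
func (o OptionalBool) Get(def bool) bool {
	switch o {
	case OptionalBoolTrue:
		return true
	case OptionalBoolFalse:
		return false
	default:
		return def
	}
}

// UnmarshalText lets a TOML or JSON decoder populate the field; an absent key
// never reaches this method, which is what keeps it Undefined.
func (o *OptionalBool) UnmarshalText(text []byte) error {
	switch string(text) {
	case "true":
		*o = OptionalBoolTrue
	case "false":
		*o = OptionalBoolFalse
	default:
		return fmt.Errorf("invalid boolean %q", text)
	}
	return nil
}

// ContainersConfig holds the optional on-disk fields. Callers never touch the
// OptionalBool values directly; they use the accessors below.
type ContainersConfig struct {
	EnableLabeling OptionalBool // sample field: SELinux labeling, default on
	InitFlag       OptionalBool // sample field: run an init, default off
}

// Accessors hide the tri-state and supply the built-in default, so callers
// only ever see a bool.
func (c *ContainersConfig) Labeling() bool { return c.EnableLabeling.Get(true) }
func (c *ContainersConfig) Init() bool     { return c.InitFlag.Get(false) }

// Merge overlays a config read from a later file onto c: only fields the
// later file actually set override earlier values, which is the distinction
// OptionalBool exists to preserve.
func (c *ContainersConfig) Merge(override ContainersConfig) {
	if override.EnableLabeling != OptionalBoolUndefined {
		c.EnableLabeling = override.EnableLabeling
	}
	if override.InitFlag != OptionalBoolUndefined {
		c.InitFlag = override.InitFlag
	}
}

func main() {
	var c ContainersConfig // built-in defaults
	fmt.Printf("defaults:      labeling=%v init=%v\n", c.Labeling(), c.Init())
	c.Merge(ContainersConfig{EnableLabeling: OptionalBoolFalse}) // constructed "system file"
	fmt.Printf("after system:  labeling=%v init=%v\n", c.Labeling(), c.Init())
	c.Merge(ContainersConfig{InitFlag: OptionalBoolTrue}) // constructed "user file", labeling unset
	fmt.Printf("after user:    labeling=%v init=%v\n", c.Labeling(), c.Init())
}
```

With a plain bool in the struct, the second merge would have silently reset labeling to the zero value; the tri-state is what makes "unset in the user file" mean "keep what the system file said".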