support using keep-id when only one mapping is available to the
rootless user.
When there is only one id available (e.g. there are no additional IDs
set in /etc/subuid and /etc/subgid for the unprivileged user), then
only add the identity mapping $ID -> $ID, leaving unmapped other IDs
in the user namespace.
[NO NEW TESTS NEEDED] it needs a configuration with only one ID
available.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
idmap is documented as supported for volumes, but it was not added to
the getNamedVolume() function.
Fixes: e83d36665 ("volumes: add new option idmap")
Signed-off-by: Kristian Klausen <kristian@klausen.dk>
Add a new annotation to allow the user to point to a local tar file
If the annotation is present, import the file's content into the volume
Add a flag to PlayKubeOptions to note remote requests
Fail when trying to import volume content in remote requests
Add the annotation to the documentation
Add an E2E test to the new annotation
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
This is much better for the systemd case because we pass the journal
socket fds directly to the container. This means less copying of the
logs, but it also means the journal will correctly get the peer
process id when it tries to extract things like the name of what
is logging something.
With this we correctly name the logging process rather than claim
everything comes from conmon.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This makes much more sense for typical service loads, and can
easily be reverted by `ReadOnly=no`.
Also updates and adds various tests for this.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
The notify proxy has a watcher to check whether the container has left
the running state. In that case, Podman should stop waiting for the
ready message to prevent a deadlock. Fix this watcher by adding a
loop.
Fixes the deadlock in #16076 surfacing in a timeout. The underlying
issue persists though. Also use a timer in the select statement to
prevent the goroutine from running unnecessarily long
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Truncate the container and pod ID files instead of throwing an error.
The main motivation is to prevent redundant work when starting systemd
units. Throwing an error when the file already exists is not preventing
races or file corruptions, so let's leave that to the user which in
almost all cases are generated (and tested) systemd units.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This way we don't have to use the `ExecCondition=podman volume exist`,
which saves one process start.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This ignores the create request if the named volume already exists.
It is very useful when scripting stuff.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Safeguards calls to os.RemoveAll in order to prevent calls from accidentally
deleting the root file system in very strange edge cases. Did this by creating
GuardedRemoveAll and migrated machine os.RemoveAll calls to it.
Signed-off-by: Mike Perry <mike@bitbistro.org>
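A guard of the kind this commit message describes, as an added example that is not Podman's `GuardedRemoveAll`: the function name `guardedRemoveAll`, the error `ErrUnsafeRemove` and the checks chosen are assumptions made for illustration. It refuses an empty path and any path that normalizes to the filesystem root before delegating to `os.RemoveAll`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrUnsafeRemove marks a refused removal (hypothetical name).
var ErrUnsafeRemove = errors.New("refusing unsafe recursive remove")

// guardedRemoveAll is a hypothetical stand-in for the idea in the commit
// message; it is not Podman's GuardedRemoveAll.
func guardedRemoveAll(path string) error {
	// filepath.Abs("") returns the working directory, so an unset variable
	// must be rejected before any normalization happens.
	if path == "" {
		return fmt.Errorf("%w: empty path", ErrUnsafeRemove)
	}
	abs, err := filepath.Abs(path)
	if err != nil {
		return err
	}
	// Abs also cleans the path, so "//", "/./" and "/tmp/.." are all "/" here.
	root := filepath.VolumeName(abs) + string(filepath.Separator)
	if abs == root {
		return fmt.Errorf("%w: %q resolves to %q", ErrUnsafeRemove, path, root)
	}
	return os.RemoveAll(abs)
}

func main() {
	// Constructed sample input: a scratch directory standing in for machine state.
	dir, err := os.MkdirTemp("", "guarded-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	target := filepath.Join(dir, "machine")
	if err := os.MkdirAll(filepath.Join(target, "cache"), 0o700); err != nil {
		panic(err)
	}
	for _, p := range []string{"", "/", "/tmp/..", target} {
		fmt.Printf("%-12q -> %v\n", p, guardedRemoveAll(p))
	}
}
```

The empty-path check matters as much as the root check: a path built from an unset variable would otherwise be normalized to the current working directory.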
Use `Default()` instead of re-loading containers.conf.
Also rework how the containers.conf objects are handled for parsing the
CLI. Previously, we were conflating "loading the defaults" with
"storing values from the CLI" with "libpod may further change fields"
which ultimately led to various bugs and test failures.
To address the issue, separate the defaults from the values from the CLI
and properly name the fields to make the semantics less ambiguous.
[NO NEW TESTS NEEDED] as it's not a functional change.
Fixes: containers/common/issues/1200
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Reduce the number of top-level packages in ./pkg by moving quadlet
packages under ./pkg/systemd.
[NO NEW TESTS NEEDED] - no functional change.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Fix two bugs in `system df`:
1. The total size was calculated incorrectly as it was creating the sum
of all image sizes but did not consider that a) the same image may
be listed more than once (i.e., for each repo-tag pair), and that
b) images share layers.
The total size is now calculated directly in `libimage` by taking
multi-layer use into account.
2. The reclaimable size was calculated incorrectly. This number
indicates which data we can actually remove which means the total
size minus what containers use (i.e., the "unique" size of the image
in use by containers).
NOTE: The c/storage version is pinned back to the previous commit as it
is buggy. c/common already requires the buggy version, so use a
`replace` to force/pin.
Fixes: #16135
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Based on the initial port in https://github.com/containers/quadlet/pull/41
This contains the unit tests and the testcases from the C code as well
as modification to the podman spec file based on what the quadlet
spec file looks like, producing a podman-quadlet subpackage.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Motivated to have a working `make lint` on Fedora 37 (beta).
Most changes come from the new `gofmt` standards.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Also create one constant for ErrDuplicateDest, rather than have the same
value set three times.
Fixes: https://github.com/containers/podman/issues/4217
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This is a very expensive call as it deep duplicates the Config, and
we just need to read a single member, so use ConfigNoCopy() instead.
[NO NEW TESTS NEEDED] Just minor performance effects
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This is a very expensive function as it does a deep copy. Instead
use pre-existing accessors like ctr.CreatedTime() where they exist
and ctr.ConfigNoCopy() where not.
[NO NEW TESTS NEEDED] Just minor performance effects
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This call does a deep copy, which is only needed if you want
to modify the return value. Instead we use ctr.ConfigNoCopy().Spec
which is just a pointer dereference.
[NO NEW TESTS NEEDED] Just minor performance effects
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This gets c.config.Spec.Linux.Resources, with some nil checks.
Using this means less open coding of the nil-checks, but also the
existing user of this field in moveConmonToCgroupAndSignal() was
using ctr.Spec().Linux.Resources instead, and the Spec() call
is very expensive.
[NO NEW TESTS NEEDED] Just minor performance effects
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Start listening for the READY messages on the sdnotify proxies before
starting the Pod. Otherwise, we may be missing messages.
[NO NEW TESTS NEEDED] as it's hard to test this very narrow race.
Related to but may not be fixing #16076.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This just gets ctr.config.Spec.Process.Terminal with some null checks,
allowing several places that open-coded this to use the helper.
In particular, this helps the code in
pkg/domain/infra/abi/terminal.StartAttachCtr(), that used to do:
`ctr.Spec().Process.Terminal`, which looks fine, but actually causes
a deep json copy in the `ctr.Spec()` call that takes over 3 msec.
[NO NEW TESTS NEEDED] Just minor performance effects
Signed-off-by: Alexander Larsson <alexl@redhat.com>
We have a test to verify that init containers in pods are
deleted when the `--init-ctr=once` option is specified. The test
creates two containers, one of them an init container, starts the
pod, stops the pod, and restarts the pod, checking for the
presence of a file created by the init container during the
second start. We're seeing a race where the file still exists,
which I'm fairly certain comes down to the SHM mount not being
cleaned up after the pod is stopped.
Fortunately, we already have code to do this - just flip the bool
that controls cleanup from false to true.
[NO NEW TESTS NEEDED] Fixes a difficult to reproduce race
condition.
Fixes #16046
Signed-off-by: Matthew Heon <mheon@redhat.com>
Trying to print the image id on a failed inspect will result in a nil
pointer panic because the image will be nil. Replace image.id with the
image name which is defined as a string without the use of inspect.
Fixes: bz#2131836
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
In order to allow pods to reach other pods (as in Kubernetes) they all
need to be added to the same network. A network is created (if it
doesn't exist) and pods created by play-kube are added to that network.
When network options are passed to kube command the pods are not
attached to the default kube network.
Signed-off-by: Andrei Natanael Cosma <andrei@intersect.ro>
I see no reason to block --network host with kube play and force users
to have to set it in the yaml file.
This is just confusing when compared to the other podman create/run
--network options, see discussion in #15945.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Fixed issue where executing the command `podman pod logs -l` would panic
because it was indexing into an empty arguments array.
Signed-off-by: Jake Correnti <jcorrenti13@gmail.com>
This reverts commit 32f54a81ed.
`pkg/bindings` is supported outside of podman and we have to keep it
stable.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If user does not specify hostPort in a kube.yml file but does specify
a containerPort, then the hostPort should default to the containerPort.
Fixes: https://github.com/containers/podman/issues/15942
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Ensure kubernetes default parameters are respected.
Additional curl parameter enforces returning error for HTTP error codes.
Use built-in HealthCheckOnFailureAction instead of killing the container
while executing the probe.
Signed-off-by: Piotr <piotr.skoczylas@gmail.com>
add the key used in newly initialized machines to the user's known_hosts file. This ensures that golang will be able to ssh into the machine using
podman-remote. Also, remove the /dev/null redirection for podman machine ssh's known_hosts file.
resolves #15347
Signed-off-by: Charlie Doern <cdoern@redhat.com>
Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
Auto updates using the "registry" policy require container to be created
with a fully-qualified image reference. Short names are not supported
due to the ambiguity of their source registry. Initially, container
creation errored out for non FQN images but it seems that Podman has
regressed.
Fixes: #15879
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
We force the isolate option on new networks because that is the docker
behavior. However when we inspect them they should not be displayed to
the caller since they have no idea about it and docker-compose throws an
error because of that.
Fixes #15580
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Changes since 2022-09-09:
- man page: add --skip-unused-stages (buildah 4249)
- man page: bring in new Note for --cache-ttl (4248)
- system tests: de-stutter (4205)
- (internal): in skip() applier: escape asterisk, otherwise
the "bud with --dns* flags" sed expression never applies.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
restore endpoint was totally ignoring --pod, it was missing from the schema and from query handling
on the api handlers side. add support for it here.
resolves #15018
Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
This allows tools like Cockpit to know that the pod in question
has also been updated, so they can refresh the list of containers
in the pod.
Fixes #15408
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
According to https://systemd.io/CONTAINER_INTERFACE/, systemd will try to take
control over /dev/ttyN if exported, which can cause conflicts with the host's tty
in privileged containers. Thus we will not expose these to privileged containers
in systemd mode, as this is a bad idea according to systemd's maintainers.
Additionally, this commit adds a bats regression test to check that no /dev/ttyN
are present in a privileged container in systemd mode
This fixes https://github.com/containers/podman/issues/15878
Signed-off-by: Dan Čermák <dcermak@suse.com>
Allow overwrite of the signature-policy file
by passing signature-policy flag to podman save command
Closes: https://github.com/containers/podman/issues/15869
Signed-off-by: 😎Mostafa Emami <mustafaemami@gmail.com>
Add --label/-l label flag to secret create, and show labels when
inspecting secrets. Also allow labeling secrets via libpod/compat API.
Signed-off-by: Ashley Cui <acui@redhat.com>