Commit Graph

624 Commits

Author SHA1 Message Date
OpenShift Merge Robot fa8a3090d3 Merge pull request #1265 from ashley-cui/machvol
Add to default machine volumes for MacOS
2022-12-12 03:20:30 -05:00
Ashley Cui c92b4705d1 Add to default machine volumes for MacOS
On MacOS, mount /Users, /private/, /var/folders by default for better docker compat. The homedir on MacOS is /Users/<username>, so that will be mounted automatically anyway with this change.

Docker also mounts /Volumes and /tmp. /Volumes fails with "Too many levels of symbolic links", as /Volumes on Mac is just a symlink to /, which seems like a bad idea to mount anyway.
/tmp fails because the Podman machine uses the tmp directory inside the machine and writes content to it on boot, causing the mount to fail. However, on Mac, /tmp is symlinked to /private/tmp anyway, so those files are accessible from there.

Signed-off-by: Ashley Cui <acui@redhat.com>
2022-12-09 15:36:20 -05:00
OpenShift Merge Robot df2212a903 Merge pull request #1258 from Luap99/netns
pkg/netns: UnmountNS() accept netns path as string
2022-12-09 03:56:36 -05:00
Christoph Blecker 101e8f6f99 Add godoc headers for report package
Signed-off-by: Christoph Blecker <cblecker@redhat.com>
2022-12-07 13:21:17 -08:00
Paul Holzinger 70d14082ea pkg/netns: UnmountNS() accept netns path as string
I want to switch podman over to only using strings for the netns path.
So we no longer pass this interface around. Buildah doesn't use this so
we only need to fix it in Podman. I have a WIP PR[1] for that.

[1] https://github.com/containers/podman/pull/16756

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-12-07 14:53:47 +01:00
OpenShift Merge Robot a4cd996652 Merge pull request #1252 from rhatdan/caps
Rework default list of capabilities to minimal
2022-12-06 09:17:16 -05:00
Daniel J Walsh ad04f58f7a Vendor in latest containers/(storage, image)
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-12-05 10:04:10 -05:00
OpenShift Merge Robot 2ecf4da04b Merge pull request #1251 from rhatdan/readonly
Add ReadOnly flag to run containers in readonly mode
2022-12-05 08:07:57 -05:00
Daniel J Walsh e2fb8c5133 Add ReadOnly flag to run containers in readonly mode
This is needed for Automotive.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-12-05 06:05:56 -05:00
Giuseppe Scrivano 10d63bf089 cgroups: use SessionBusPrivateNoAutoStartup
do not start up a dbus daemon if it is not already running.

[NO NEW TESTS NEEDED] the fix is in a dependency.

Closes: https://github.com/containers/podman/issues/16718

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-12-05 09:54:03 +01:00
Daniel J Walsh c552ab433d Revert "Revert "Rework default list of capabilities to minimal""
This reverts commit 91ba27095f.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-12-04 16:12:04 -05:00
OpenShift Merge Robot 23636dda9a Merge pull request #1243 from vrothberg/RUN-1702
containers.conf: add events_container_create_inspect_data
2022-11-28 07:44:29 -05:00
Valentin Rothberg 821a0657ca containers.conf: add events_container_create_inspect_data
Add an option to create a more verbose container-create event which
includes a JSON payload with detailed information about the container.

Jira: https://issues.redhat.com/browse/RUN-1702
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2022-11-28 13:01:46 +01:00
Daniel J Walsh f8045ec731 Remove conmon probe
This is taking time on every podman call, and provides limited
protection. Versioning should be handled in the packaging system
and this is unlikely to happen.

Every exec done by container tools hurts us as we try to get container
startup time to absolute minimal amounts.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-11-27 07:16:29 -05:00
Valentin Rothberg 91ba27095f Revert "Rework default list of capabilities to minimal"
This reverts commit 962dbc3281.
As shown in containers/podman/pull/16610 the changes require a number of
changes in Podman's CI.  While many issues have been fixed in that PR,
there are some potentially controversial changes such as dropping
NET_RAW.

Let's revert the commit to unblock ongoing work.  For the next
iteration, Podman CI must be green before merging.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2022-11-25 09:37:41 +01:00
OpenShift Merge Robot 32d0d9fc59 Merge pull request #1239 from giuseppe/validate-cdi-devices
validate: ignore validation of CDI devices
2022-11-23 04:55:47 -05:00
OpenShift Merge Robot 5034979776 Merge pull request #1240 from rhatdan/caps
Rework default list of capabilities to minimal
2022-11-23 03:39:04 -05:00
Daniel J Walsh 962dbc3281 Rework default list of capabilities to minimal
For a couple of years now we have been shipping containers.conf settings
to use only 10 capabilities. Docker uses 14, with the difference being
CAP_AUDIT_ALLOW, CAP_NET_RAW, CAP_MKNOD, CAP_CHROOT.

This allows us to run with tighter security than Docker.

This PR makes the change to default config, so that if no
containers.conf overrides are present, we will run with the tighter
security. Currently most distros that ship the containers.conf already
run with this setting, but this makes it formal, and changes the man
page to match the defaults.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-11-22 12:55:25 -05:00
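The commit above tightens the default from Docker's fourteen capabilities to ten. As an added example (written for this page, not code from containers/common), the following audits a running process against that minimal set: it parses the Cap* lines of /proc/<pid>/status, decodes the hex masks into capability names using the kernel's own spelling (so the four extras come out as CAP_AUDIT_WRITE, CAP_MKNOD, CAP_NET_RAW and CAP_SYS_CHROOT), and reports everything beyond the ten. The status excerpt is constructed, the function names are mine, and the bit-to-name table follows linux/capability.h.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// capNames maps bit number to name, in linux/capability.h order (CAP_CHOWN=0).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
	"CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
	"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
	"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
	"CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
	"CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

// minimalDefaultCaps is the ten-capability default_capabilities set.
var minimalDefaultCaps = map[string]bool{
	"CAP_CHOWN": true, "CAP_DAC_OVERRIDE": true, "CAP_FOWNER": true,
	"CAP_FSETID": true, "CAP_KILL": true, "CAP_NET_BIND_SERVICE": true,
	"CAP_SETFCAP": true, "CAP_SETGID": true, "CAP_SETPCAP": true,
	"CAP_SETUID": true,
}

// sampleStatus is a constructed /proc/<pid>/status excerpt for a process
// holding Docker's 14-capability default (mask a80425fb).
const sampleStatus = "Name:\tsleep\nUid:\t0\t0\t0\t0\n" +
	"CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n" +
	"CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n" +
	"CapAmb:\t0000000000000000\n"

// decodeCaps turns a hex capability mask into sorted capability names.
// Bits newer than the table are reported as CAP_<n> rather than dropped.
func decodeCaps(hexMask string) ([]string, error) {
	mask, err := strconv.ParseUint(strings.TrimSpace(hexMask), 16, 64)
	if err != nil {
		return nil, fmt.Errorf("bad capability mask %q: %w", hexMask, err)
	}
	var names []string
	for bit := 0; bit < 64; bit++ {
		if mask&(uint64(1)<<uint(bit)) == 0 {
			continue
		}
		if bit < len(capNames) {
			names = append(names, capNames[bit])
		} else {
			names = append(names, fmt.Sprintf("CAP_%d", bit))
		}
	}
	sort.Strings(names)
	return names, nil
}

// parseStatusCaps returns the Cap* lines of /proc/<pid>/status keyed by
// name (CapEff, CapBnd, ...), still as hex strings.
func parseStatusCaps(status string) (map[string]string, error) {
	caps := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		key, val, ok := strings.Cut(sc.Text(), ":")
		if !ok || !strings.HasPrefix(key, "Cap") {
			continue
		}
		caps[key] = strings.TrimSpace(val)
	}
	if _, ok := caps["CapEff"]; !ok {
		return nil, fmt.Errorf("no CapEff line in status")
	}
	return caps, sc.Err()
}

// extraCaps lists the members of names outside the minimal default set,
// i.e. what a container depending on them now needs via --cap-add.
func extraCaps(names []string) []string {
	var extra []string
	for _, n := range names {
		if !minimalDefaultCaps[n] {
			extra = append(extra, n)
		}
	}
	return extra
}

func main() {
	caps, err := parseStatusCaps(sampleStatus)
	if err != nil {
		panic(err)
	}
	eff, err := decodeCaps(caps["CapEff"])
	if err != nil {
		panic(err)
	}
	fmt.Printf("CapEff: %d caps, beyond minimal default: %v\n", len(eff), extraCaps(eff))
}
```

Feed parseStatusCaps the contents of /proc/<pid>/status for a container's init process to confirm the tightened default actually applies on a given host: a non-empty extraCaps result means a containers.conf override or a --cap-add is still granting more than the new baseline, CAP_NET_RAW (needed by ping) being the usual one.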
Giuseppe Scrivano 76d4399a75 validate: ignore validation of CDI devices
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-11-21 22:40:48 +01:00
Daniel J Walsh 3a429400c3 Deprecate UserNSSize, since we don't use it
Podman and Buildah do not use this field, and I
know of no users of it, remove it from docs and
the default conf file, so users will not expect
it to do anything.

Leaving implementation in the slight chance someone
has used it in a non containers project.

Fixes: https://github.com/containers/podman/issues/16562

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-11-21 13:06:10 -05:00
OpenShift Merge Robot 43bae401c0 Merge pull request #1225 from flouthoc/platform-to-oci-runtime
config: add support for `platform_to_oci_runtime` and default entries for `wasi/wasm`
2022-11-11 16:04:27 +00:00
Aditya R 1ea30aa853 config: add support for platform_to_oci_runtime and default entries for wasm
Containers.conf now supports `platform_to_oci_runtime`, which allows end
users to map a variant of the OCI runtime to a particular platform.

Most ideal use-case of this feature is switching to crun's variant when
platform string is `wasm32/wasi`.

Example
```toml
[engine.platform_to_oci_runtime]
"wasi/wasm" = "crun-wasm"
"wasm/wasm32" = "crun-wasm"
"wasm/wasm64" = "crun-wasm"
```

Signed-off-by: Aditya R <arajan@redhat.com>
2022-11-11 20:44:59 +05:30
Doug Rabson 4b906d8159 pkg/config: Fix DefaultSignaturePath on FreeBSD
The correct location on FreeBSD is /usr/local/etc/containers/policy.json
which is consistent with path conventions for installed packages. This
fixes 'podman commit' on FreeBSD.

There are several definitions of this path:

- c/image/signature has builtinDefaultPolicyPath and DefaultPolicy
- c/podman/pkg/trust has systemDefaultPolicyPath and DefaultPolicyPath
- c/common/pkg/config has DefaultSignaturePolicyPath

As far as I can tell, buildah uses c/image/signature which is why 'buildah
commit' was already working for me. Podman is using the c/common one. Very
confusing.

[NO NEW TESTS NEEDED]

Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-11-09 16:50:45 +00:00
Paul Holzinger ebe2c6ab9f pkg/report: fix IsJSON() #2
The PR #1226 was merged too soon, it breaks podman tests and backwards
compat. `{{json}}` and `{{json.}}` are not valid templates but it worked
before the same as `json` so we should keep that for compat reasons.

Fixes up commit 44757e2c3d

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-11-08 18:08:15 +01:00
Paul Holzinger 44757e2c3d pkg/report: fix IsJSON()
When a user requests --format `{{json .}}` they would want the go
template parser to handle it. Currently we overwrite this and assume
that `{{json .}}` equals `json`. This is not correct. When the output is
a range (array), i.e. podman ps, it should return one json object per
line and not a json array which is the case with `json`.

This is required for docker compat.

Fixes containers/podman#16436

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-11-08 14:19:45 +01:00
Daniel J Walsh 488fb367e7 create known_hosts file path when missing
Fixes: https://github.com/containers/podman/issues/16340

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-11-04 08:30:42 -04:00
unknowndevQwQ 5db50a2cb8 feat: add support for the youki OCI Runtime
2022-10-22 10:35:23 +08:00
Doug Rabson 8d0af4f01e config: Add config entry for ocijail
Another experimental OCI runtime for FreeBSD, similar to runj but with
a focus on podman/buildah compatibility.

Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-10-19 12:02:47 +01:00
Valentin Rothberg e17483b871 bump to golangci-lint v1.50.0
Used `go fmt` rules to migrate away from deprecated functions, for
instance `gofmt -w -s -r 'ioutil.TempDir(a, b) -> os.MkdirTemp(a, b)'`

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2022-10-17 15:03:07 +02:00
Daniel J Walsh fc1a4a31ee Vendor in latest containers/(storage, image) and runtime-tools
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-10-14 09:58:29 -04:00
Jason T. Greene 45154dcc7e Fix Windows regression introduced by PR #1161
Before 50eb74a4b1 this code used unshare.IsRootless() which on Windows
always returns false (the behavior we want).

After 50eb74a4b1, a condition was unintentionally inverted, allowing
Windows to function.

Commit 18803495e8 fixed the inversion, but unintentionally excluded Windows
since it used == 0 instead of <= 0 (Windows returns -1)

Move the logic behind a function with a comment since the Windows path is a
bit exotic.

In the future, the Windows path should likely be refactored to be more
intuitive; however, this will get things working for now.

Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
2022-09-29 15:39:23 -05:00
Aditya R aa2831dc24 util, GetRuntimeDir: don't error out early if XDG_RUNTIME_DIR is not found
We must try out all possible alternatives for rootless users instead of
failing early if XDG_RUNTIME_DIR is not set.

The following regression was part of: 5948e6b369

[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]

Signed-off-by: Aditya R <arajan@redhat.com>
2022-09-29 14:08:16 +05:30
OpenShift Merge Robot 13850996f1 Merge pull request #1162 from rhatdan/XDG_RUNTIME_DIR
Eval symlinks on XDG_RUNTIME_DIR
2022-09-26 22:39:45 +02:00
Charlie Doern 2b86bc5d8a podman machine and podman-remote need some softer handling when it comes to key verification
this ensures that podman machine will still work (until we want to make this mandatory). I made the callback function more verbose so we know what is happening from now on.

Signed-off-by: Charlie Doern <cdoern@redhat.com>
2022-09-26 15:36:00 -04:00
Daniel J Walsh 5948e6b369 Eval symlinks on XDG_RUNTIME_DIR
Partial Fix for containers#14606

[NO NEW TESTS NEEDED]

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-09-23 14:06:26 -04:00
Giuseppe Scrivano 18803495e8 config: correct the check for root
originally the code had the condition "!unshare.IsRootless()", and
commit 50eb74a4b1 introduced the issue
by replacing it with "unshare.GetRootlessUID() != 0".

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-09-20 17:14:48 +02:00
Giuseppe Scrivano 50eb74a4b1 config: look user id instead of rootless
Change the check to look for the UID to decide whether to load the
default configuration files from the user directory instead of the
system path.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-09-16 16:46:09 +02:00
OpenShift Merge Robot 26ec6002bb Merge pull request #1150 from ashley-cui/secretsapi
Use StoreOpts for secret store API
2022-09-09 21:08:43 +02:00
Ashley Cui 0c92aa20b2 Use StoreOpts for secret store API
Clean up store code by using StoreOpts instead of multiple args as opts
for storing secrets.

Signed-off-by: Ashley Cui <acui@redhat.com>
2022-09-09 11:15:41 -04:00
Paul Holzinger 7fff18ce94 pkg/config: do not force default EventsLogFilePath
The problem with setting such defaults in c/common is that podman cannot
know if a user set this or it is the default. EventsLogFilePath is not a
static path, it depends on the --tmpdir value from podman.

check b0b36430b8/libpod/runtime.go (L1041-L1043)

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-09-09 15:07:58 +02:00
Ashley Cui 104bc604d4 Add labels to secrets
Allow secrets to be labeled. Add new field in secrets package called
label.

Signed-off-by: Ashley Cui <acui@redhat.com>
2022-09-07 14:48:44 -04:00
Paul Holzinger 12e4bd7fdb pkg/report: handle newline in template string
Docker tries to be smart and replaces \n with the actual newline character.
For compat we do the same but this will break formats such as '{{printf "\n"}}'
To be backwards compatible with the previous behavior we try to replace and
parse the template. If it fails use the original text and parse again.

This fix will not be enough. It requires many changes in podman since
most commands will do their own NormalizeFormat() call before using this
backend which seems wrong and creates a lot of duplication. This has to
be fixed in Podman.

Required for https://bugzilla.redhat.com/show_bug.cgi?id=2059658
and https://github.com/containers/podman/issues/13446.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-09-06 13:24:29 +02:00
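Two of the pkg/report fixes on this page, the `{{json .}}` versus `json` distinction (commits 44757e2c3d and ebe2c6ab9f above) and the `\n` replacement with fallback (commit 12e4bd7fdb), as a single added Go example. This is illustration code written for this page, not the report package itself: isJSON, parseFormat, render, the row type and sampleRows are assumed names, the rows are constructed input, and treating `{{json}}` and `{{json.}}` as aliases of `json` follows the commit messages above rather than the package's source.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// row stands in for one entry of a listing such as `podman ps`.
type row struct {
	Name   string
	Status string
}

// sampleRows is constructed input for the examples below.
var sampleRows = []row{{"web", "running"}, {"db", "exited"}}

// funcs registers the json helper so that `{{json .}}` is a valid action.
var funcs = template.FuncMap{
	"json": func(v interface{}) (string, error) {
		b, err := json.Marshal(v)
		return string(b), err
	},
}

// isJSON reports whether --format selects the built-in JSON encoder rather
// than the template engine. "json", "{{json}}" and "{{json.}}" do (the last
// two purely for backwards compatibility); "{{json .}}" is a real template
// and must be left to text/template so it yields one object per row.
func isJSON(format string) bool {
	switch strings.ToLower(strings.TrimSpace(format)) {
	case "json", "{{json}}", "{{json.}}":
		return true
	}
	return false
}

// parseFormat first tries the Docker-compatible reading where a literal
// "\n" becomes a newline; if that no longer parses (text/template rejects a
// raw newline inside a quoted string, so '{{printf "\n"}}' breaks), it falls
// back to the text as given. The bool reports whether the fallback was used.
func parseFormat(format string) (*template.Template, bool, error) {
	replaced := strings.ReplaceAll(format, `\n`, "\n")
	if t, err := template.New("format").Funcs(funcs).Parse(replaced); err == nil {
		return t, false, nil
	}
	t, err := template.New("format").Funcs(funcs).Parse(format)
	return t, true, err
}

// render applies format to every row, terminating each row with a newline
// if the template did not already produce one.
func render(format string, rows []row) (string, error) {
	if isJSON(format) {
		b, err := json.Marshal(rows)
		if err != nil {
			return "", err
		}
		return string(b) + "\n", nil
	}
	t, _, err := parseFormat(format)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	for _, r := range rows {
		if err := t.Execute(&buf, r); err != nil {
			return "", err
		}
		if b := buf.Bytes(); len(b) == 0 || b[len(b)-1] != '\n' {
			buf.WriteByte('\n')
		}
	}
	return buf.String(), nil
}

func main() {
	for _, f := range []string{"json", "{{json .}}", `{{.Name}} {{.Status}}\n`, `{{printf "\n"}}`} {
		out, err := render(f, sampleRows)
		fmt.Printf("format %-24q -> %q (err=%v)\n", f, out, err)
	}
}
```

The difference that matters for docker compat is visible in the output: `json` produces one JSON array on a single line, while `{{json .}}` goes through the template engine and emits one object per line, which is what tools that stream `podman ps --format '{{json .}}'` line by line expect.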
Giuseppe Scrivano 06204cbe5e cgroup: do not fail with missing cpuset file
if cpuset.cpus[.effective] file is missing, then ignore the error
since it means the cpuset controller is not enabled in the kernel,
rather than returning an error.

Closes: https://github.com/containers/common/issues/1134

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-08-30 10:45:27 +02:00
OpenShift Merge Robot 278ea68e45 Merge pull request #1137 from dfr/freebsd-config
Change default cgroups mode to enabled on FreeBSD
2022-08-29 06:30:32 -04:00
Daniel J Walsh a5698c8b06 Fix stutters
Podman adds an Error: to every error message. So starting an error
message with "error" ends up being reported to the user as

Error: error ...

This patch removes the stutter.

Also ioutil.ReadFile errors report the Path, so wrapping the err message
with the path causes a stutter.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-08-27 08:05:03 -04:00
Doug Rabson ccbe0c12ac Change default cgroups mode to enabled on FreeBSD
Setting it to disabled triggers NoCgroups logic in podman which adds
extra validation and changes the conmon command line in ways that are
messy to work around. It turns out that pretending cgroups is enabled
even though the platform doesn't support it is easier.

Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-08-27 11:14:54 +01:00
OpenShift Merge Robot af3185ad19 Merge pull request #1119 from rhatdan/path
Add support for returning image path with ARCH and OS Substitutions
2022-08-23 09:06:05 -04:00
Filipe Brandenburger bd82c36998 config: Update Darwin config to include a directory relative to $BINDIR
Look for helpers such as `gvproxy` under `$BINDIR/../libexec/podman`, which
helps this work on distributions such as Homebrew without the need to hardcode
paths into the binary, which makes a pre-built binary distribution work
regardless of the installation prefix.

Tested: Updated vendored package in podman, built it with `podman-remote`,
copied `gvproxy` to a `libexec/podman` at the same level as `bin/podman` and
confirmed that `podman machine start` worked as expected.

Signed-off-by: Filipe Brandenburger <filbranden@gmail.com>
2022-08-22 13:28:00 -07:00
Filipe Brandenburger de5bad0cc3 config: Allow specifying helper dirs with $BINDIR as base directory
This should make it easier to locate helper binaries relative to where the main
binary was installed, which should be useful in installations such as Homebrew
which install packages under a versioned directory.

Use a `$BINDIR` magic token as a prefix in the helper path to indicate it should
be relative to the directory where the binary is located. This is somewhat similar
to the syntax used in the shell and Makefile and is still quite explicit about the
behavior (as opposed to, say, making all relative paths be relative to the directory
of the binary.)

Tested: After updating the Darwin config to include a `$BINDIR/../libexec/podman`
directory, updated vendored package in podman, built it with `podman-remote`,
copied `gvproxy` to a `libexec/podman` at the same level as `bin/podman` and
confirmed that `podman machine start` worked as expected. Also confirmed that
having the `podman` in search path be a symlink to a binary elsewhere works as
expected, the searched `../libexec/podman` directory is relative to the actual
binary and not the symlink (which matches the Homebrew use case.)

Signed-off-by: Filipe Brandenburger <filbranden@gmail.com>
2022-08-22 13:28:00 -07:00
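The `$BINDIR` expansion described in the two commits above, as an added example that is not the config package's own code: resolve the real directory of the running binary (following symlinks, so a Homebrew symlink in PATH yields the Cellar path rather than the symlink's directory), substitute the token only when it is the leading path element, then search the resulting directories for a helper such as gvproxy, accepting only an executable regular file so a stray directory or data file of the same name is never handed to exec. binDir, expandHelperDirs and findHelper are assumed names; the Cellar path in the comments is a constructed example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// bindirToken is the magic prefix that makes a helper directory relative to
// the directory holding the running binary.
const bindirToken = "$BINDIR"

// binDir returns the directory of the running executable after resolving
// symlinks, so /opt/homebrew/bin/podman -> .../Cellar/podman/<ver>/bin/podman
// yields the Cellar bin directory, not /opt/homebrew/bin.
func binDir() (string, error) {
	exe, err := os.Executable()
	if err != nil {
		return "", err
	}
	real, err := filepath.EvalSymlinks(exe)
	if err != nil {
		return "", err
	}
	return filepath.Dir(real), nil
}

// expandHelperDirs replaces a leading $BINDIR in each entry with bin and
// normalises the result (so "$BINDIR/../libexec/podman" becomes
// "<prefix>/libexec/podman"). The token is honoured only as the first path
// element: "/opt/$BINDIR" or "$BINDIRx" pass through unchanged.
func expandHelperDirs(dirs []string, bin string) []string {
	out := make([]string, 0, len(dirs))
	for _, d := range dirs {
		switch {
		case d == bindirToken:
			d = filepath.Clean(bin)
		case strings.HasPrefix(d, bindirToken+"/"):
			d = filepath.Join(bin, strings.TrimPrefix(d, bindirToken+"/"))
		}
		out = append(out, d)
	}
	return out
}

// findHelper searches dirs in order for an executable regular file called
// name. Missing directories are skipped; a non-executable file or a
// directory of that name is ignored rather than returned.
func findHelper(name string, dirs []string) (string, error) {
	for _, d := range dirs {
		p := filepath.Join(d, name)
		fi, err := os.Stat(p)
		if err != nil {
			continue
		}
		if fi.Mode().IsRegular() && fi.Mode().Perm()&0o111 != 0 {
			return p, nil
		}
	}
	return "", fmt.Errorf("helper binary %q not found in %v", name, dirs)
}

func main() {
	bin, err := binDir()
	if err != nil {
		panic(err)
	}
	dirs := expandHelperDirs([]string{"$BINDIR/../libexec/podman", "/usr/local/libexec/podman"}, bin)
	fmt.Println("helper search path:", dirs)
	if p, err := findHelper("gvproxy", dirs); err == nil {
		fmt.Println("found", p)
	} else {
		fmt.Println(err)
	}
}
```

Because the search path is derived from the binary's real location, the directories it expands to should be owned by the same package (or root) as the binary itself; a `$BINDIR`-relative entry under a user-writable prefix is only as trustworthy as that prefix.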
OpenShift Merge Robot 07298b23a3 Merge pull request #1129 from mheon/add_volume_timeout
Add volume plugin timeout to containers.conf
2022-08-22 15:43:51 -04:00