On MacOS, mount /Users, /private/, /var/folders by default for better docker compat. The homedir on MacOS is /Users/<username>, so that will be mounted automatically anyway with this change.
Docker also mounts /Volumes and /tmp. /Volumes fails with "Too many levels of symbolic links", as /Volumes on Mac is just a symlink to /, which seems like a bad idea to mount anyway.
/tmp fails because the Podman machine uses the tmp directory inside the machine and writes content to it on boot, causing the mount to fail. However, on Mac, /tmp is symlinked to /private/tmp anyway, so those files are accessible from there.
Signed-off-by: Ashley Cui <acui@redhat.com>
Add an option to create a more verbose container-create event which
includes a JSON payload with detailed information about the container.
Jira: https://issues.redhat.com/browse/RUN-1702
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This is taking time on every podman call, and provides limited
protection. Versioning should be handled in the packaging system,
and this is unlikely to happen.
Every exec done by container tools hurts us as we try to get container
startup team to absolute minimal amounts.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This reverts commit 962dbc3281.
As shown in containers/podman/pull/16610 the changes require a number of
changes in Podman's CI. While many issues have been fixed in that PR,
there are some potentially controversial changes such as dropping
NET_RAW.
Let's revert the commit to unblock ongoing work. For the next
iteration, Podman CI must be green before merging.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
For a couple of years now we have been shipping containers.conf settings
to use only 10 capabilities. Docker uses 14, with the difference being
CAP_AUDIT_ALLOW, CAP_NET_RAW, CAP_MKNOD, CAP_CHROOT.
This allows us to run with tighter security than Docker.
This PR makes the change to default config, so that if no
containers.conf overrides are present, we will run with the tighter
security. Currently most distros that ship the containers.conf already
run with this setting, but this makes it formal, and changes the man
page to match the defaults.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Podman and Buildah do not use this field, and I
know of no users of it, remove it from docs and
the default conf file, so users will not expect
it to do anything.
Leaving implementation in the slight chance someone
has used it in a non containers project.
Fixes: https://github.com/containers/podman/issues/16562
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Containers.conf now supports `platform_to_oci_runtime`, which allows end
users to map a variant of the OCI runtime to a particular platform.
The most ideal use case of this feature is switching to crun's variant when
the platform string is `wasm32/wasi`.
Example:
```toml
[engine.platform_to_oci_runtime]
"wasi/wasm" = "crun-wasm"
"wasm/wasm32" = "crun-wasm"
"wasm/wasm64" = "crun-wasm"
```
Signed-off-by: Aditya R <arajan@redhat.com>
The correct location on FreeBSD is /usr/local/etc/containers/policy.json
which is consistent with path conventions for installed packages. This
fixes 'podman commit' on FreeBSD.
There are several definitions of this path:
- c/image/signature has builtinDefaultPolicyPath and DefaultPolicy
- c/podman/pkg/trust has systemDefaultPolicyPath and DefaultPolicyPath
- c/common/pkg/config has DefaultSignaturePolicyPath
As far as I can tell, buildah uses c/image/signature which is why 'buildah
commit' was already working for me. Podman is using the c/common one. Very
confusing.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
Another experimental OCI runtime for FreeBSD, similar to runj but with
a focus on podman/buildah compatibility.
Signed-off-by: Doug Rabson <dfr@rabson.org>
Used `go fmt` rules to migrate away from deprecated functions, for
instance `gofmt -w -s -r 'ioutil.TempDir(a, b) -> os.MkdirTemp(a, b)'`
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Before 50eb74a4b1 this code used unshare.IsRootless() which on Windows
always returns false (the behavior we want).
After 50eb74a4b1, a condition was unintentionally inverted, allowing
Windows to function.
Commit 18803495e8 fixed the inversion, but unintentionally excluded Windows
since it used == 0 instead of <= 0 (Windows returns -1).
Move the logic behind a function with a comment since the Windows path is a
bit exotic.
In the future, the Windows path should likely be refactored to be more
intuitive; however, this will get things working for now.
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
This ensures that podman machine will still work (until we want to make this mandatory). I made the callback function more verbose so we know what is happening from now on.
Signed-off-by: Charlie Doern <cdoern@redhat.com>
Originally the code had the condition "!unshare.IsRootless()", and
commit 50eb74a4b1 introduced the issue
by replacing it with "unshare.GetRootlessUID() != 0".
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Change the check to look for the UID to decide whether to load the
default configuration files from the user directory instead of the
system path.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The problem with setting such defaults in c/common is that podman cannot
know if a user set this or it is the default. EventsLogFilePath is not a
static path, it depends on the --tmpdir value from podman.
Check b0b36430b8/libpod/runtime.go (L1041-L1043).
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Setting it to disabled triggers NoCgroups logic in podman which adds
extra validation and changes the conmon command line in ways that are
messy to work around. It turns out that pretending cgroups is enabled
even though the platform doesn't support it is easier.
Signed-off-by: Doug Rabson <dfr@rabson.org>
Look for helpers such as `gvproxy` under `$BINDIR/../libexec/podman`, which
helps this work on distributions such as Homebrew without the need to hardcode
paths into the binary, which makes a pre-built binary distribution work
regardless of the installation prefix.
Tested: Updated vendored package in podman, built it with `podman-remote`,
copied `gvproxy` to a `libexec/podman` at the same level as `bin/podman` and
confirmed that `podman machine start` worked as expected.
Signed-off-by: Filipe Brandenburger <filbranden@gmail.com>
This should make it easier to locate helper binaries relative to where the main
binary was installed, which should be useful in installations such as Homebrew
which install packages under a versioned directory.
Use a `$BINDIR` magic token as a prefix in the helper path to indicate it should
be relative to the directory where the binary is located. This is somewhat familiar
to the syntax used in the shell and Makefile and is still quite explicit about the
behavior (as opposed to, say, making all relative paths be relative to the directory
of the binary.)
Tested: After updating the Darwin config to include a `$BINDIR/../libexec/podman`
directory, updated vendored package in podman, built it with `podman-remote`,
copied `gvproxy` to a `libexec/podman` at the same level as `bin/podman` and
confirmed that `podman machine start` worked as expected. Also confirmed that
having the `podman` in search path be a symlink to a binary elsewhere works as
expected, the searched `../libexec/podman` directory is relative to the actual
binary and not the symlink (which matches the Homebrew use case.)
Signed-off-by: Filipe Brandenburger <filbranden@gmail.com>
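As an added illustration of the `$BINDIR` token described in the two commits above (example code, not from containers/common), the lookup below first resolves the directory of the real binary through any symlink and only then expands the token; the token name, the function names and the constructed search list are assumptions.

```go
package main
import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)
// binDirToken is the magic prefix assumed here: it expands to the directory of
// the resolved executable, not of any symlink that pointed at it.
const binDirToken = "$BINDIR"
// realBinDir returns the directory of the running binary after following
// symlinks, so a Homebrew-style bin/podman link resolves to the real install.
func realBinDir() (string, error) {
	exe, err := os.Executable()
	if err == nil {
		exe, err = filepath.EvalSymlinks(exe)
	}
	return filepath.Dir(exe), err
}
// expandHelperDir replaces a leading $BINDIR with bindir and cleans the path.
func expandHelperDir(dir, bindir string) string {
	if strings.HasPrefix(dir, binDirToken) {
		dir = bindir + strings.TrimPrefix(dir, binDirToken)
	}
	return filepath.Clean(dir)
}
// findHelper walks dirs in order and returns the first candidate accepted by
// exists; the predicate is injected so the search is testable without a disk.
func findHelper(name string, dirs []string, bindir string, exists func(string) bool) (string, error) {
	for _, d := range dirs {
		candidate := filepath.Join(expandHelperDir(d, bindir), name)
		if exists(candidate) {
			return candidate, nil
		}
	}
	return "", errors.New("helper binary not found: " + name)
}
// isExecutableFile is the real predicate: a regular file with an execute bit.
func isExecutableFile(p string) bool {
	st, err := os.Stat(p)
	return err == nil && st.Mode().IsRegular() && st.Mode()&0o111 != 0
}
func main() {
	bindir, _ := realBinDir()
	// Constructed search list: relative-to-binary first, then a fixed fallback.
	dirs := []string{"$BINDIR/../libexec/podman", "/usr/local/libexec/podman"}
	fmt.Println(findHelper("gvproxy", dirs, bindir, isExecutableFile))
}
```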
Allow distributions to specify the location of the podman image VM
images in the form of URIs with $ARCH and $OS specified. This would
allow a distribution to pull the image based on the current OS and Arch.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Adds the conmon-rs paths so Podman can find the right conmon-rs binary
when making a new runtime.
I also slightly modified the `FindConmon` function so that the code
could be shared with the `FindConmonRs` function that I added.
Signed-off-by: Jake Correnti <jcorrenti13@gmail.com>
Initial implementation of the ssh package including:
- nativeConnectionCreate() / golangConnectionCreate()
- n/a / golangConnectionDial()
- nativeConnectionScp() / golangConnectionScp()
- nativeConnectionExec() / golangConnectionExeC()
The way this works is that there are publicly accessible functions Create, Exec, Dial and Scp. podman will have a new global flag `--ssh` that will allow users to choose native or golang based ssh functions. The functionality in containers/common (here) also checks if you have the necessary binaries installed.
Closes #1091
Signed-off-by: Charlie Doern <cdoern@redhat.com>
`github.com/pkg/errors` has been deprecated for quite some time, so we now
use the native error wrapping for more idiomatic golang.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
This commit allows using aardvark with an alternate port as per
implementation in containers/netavark#323
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
cni_plugin_dirs validation requires directories to exist, so use a
directory that is more likely to exist, like /tmp, instead of an
arbitrary path that won't exist on most systems.
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
Going through containers/podman/issues/14846 let me improve the
documentation here so it can be copied over to the man pages of
Podman and Buildah.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
gofumpt is a more opinionated version of gofmt. One can use it from their
$EDITOR, or IDE, or gopls to better format the source code.
Previously, commit b951b72412 already formatted all the code with
gofumpt, but since then a couple of things crept in.
Fix these (with gofumpt v0.3.1) and enable the gofumpt linter.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
unparam and exportloopref already work without changes.
For revive I had to silence many naming issues. I decided to silence them
instead of changing the name because I didn't want to break any code.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>