Commit Graph

239 Commits

Author SHA1 Message Date
Doug Rabson 478419732a Change default image volume mode to "nullfs" on FreeBSD
This fixes a regression in
https://github.com/containers/podman/pull/19241 which quite reasonably
assumed that the default image volume mode from pkg/config was correct.

Signed-off-by: Doug Rabson <dfr@rabson.org>
2023-07-17 14:58:23 +01:00
Lokesh Mandvekar 4bb9e26054 containers.conf: Add `podmansh_timeout`
Ref: https://github.com/containers/podman/pull/19140#discussion_r1254435823

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2023-07-14 15:19:11 -04:00
Giuseppe Scrivano 518758c4c7 config: add CompressionLevel to containers.conf
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2023-06-21 12:05:52 +02:00
Paul Holzinger c0a7616486 pkg/config: add default_rootless_network_cmd field
Add a new field to the network section to allow users to set the default
network program which is used when running rootless containers.
This should be used when you run something like --network private or
--network default as rootless user.

The current default is slirp4netns so we keep that for now. Once I
integrate pasta in the rootless netns then we can consider switching the
default to pasta.

This setting will also be useful then for distros who may not ship pasta
so that they could set it back to slirp if needed.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-05-23 13:40:23 +02:00
Paul Holzinger 2b8784dad0 pkg/config: add pasta_options field
Users may wish to configure a set of default options that should be used
when running pasta. Options that are given on the cli will be appended,
however the implementation of this needs to happen in podman.

For slirp4netns we already support the network_cmd_options field.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-05-23 13:40:22 +02:00
Daniel J Walsh ed8be0d003 Add support for confined SELinux users
The original SELinux support in Docker and Podman does not follow the
default SELinux rules for how label transitions are supposed to be
handled. Containers always switch their user and role to
system_u:system_r, rather than maintain the caller's user and role.
For example
unconfined_u:unconfined_r:container_t:s0:c1,c2

Advanced SELinux administrators want to confine users but still allow
them to create containers from their role, but not allow them to launch
a privileged container like spc_t.

This means if a user running as
container_user_u:container_user_r:container_user_t:s0

Ran a container they would get

container_user_u:container_user_r:container_t:s0:c1,c2

If they run a privileged container they would run it with:

container_user_u:container_user_r:container_user_t:s0

If they want to force the label they would get an error

podman run --security-opt label=type:spc_t ...

Should fail. Because the container_user_r can not run with the spc_t.

SELinux rules would also prevent the user from forcing system_u user and
the system_r role.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-05-03 15:00:26 -04:00
Jason T. Greene f12270cfea Use atomic write strategy for config files
Updates to containers/storage@main
(contains a required fswriters PR: containers/storage#1554)

[NO NEW TESTS NEEDED]

Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
2023-04-06 17:11:29 -05:00
Paul Holzinger 7966ad46e4 pkg/config: add netavark_plugin_dirs fields
Add config field to specify the location for the netavark plugins.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-04-04 18:20:12 +02:00
Urvashi Mohnani bd4cc572c6 Add kube_generate_type to set default for kube generate
The kube_generate_type field can be used to set what kind
of k8s object, i.e. pod or deployment, that the podman kube
generate command should generate by default.

Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
2023-04-03 13:19:23 -04:00
Erik Sjölund 1d3eb27001 Fix typos and other minor language issues
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2023-04-02 14:17:28 +02:00
Valentin Rothberg 20e578d5b9 pkg/config: add CONTAINERS_CONF_OVERRIDE
Add yet another environment variable for loading containers.conf.
When CONTAINERS_CONF_OVERRIDE is set, the specified config file
will be loaded last - even when CONTAINERS_CONF is set.

This mechanism is needed to preserve system settings and other
environment variables.  Setting CONTAINERS_CONF will load only
the specified config file and ignore all system and user paths.
That makes testing hard as many Podman tests use CONTAINERS_CONF
for testing.

The intended use of CONTAINERS_CONF_OVERRIDE is to set it during tests
and point it to a specific configuration of Podman (e.g., netavark with
sqlite backend).

Similar needs have popped up talking to users in the automotive and
high-performance computing space.  In a way, such a setting allows for
specifying a specific "flavor" of Podman while preserving all existing
settings on the system.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-03-23 13:48:39 +01:00
Daniel J Walsh 8ff9776671 Add oom_score_adj to set default oom score adj
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-03-15 17:28:59 -04:00
Daniel J Walsh 99fbba5ca3 Allow cgroup-conf settings to be stored in containers.conf
This will allow users to set all containers to automatically
set certain cgroup fields globally for all of their containers.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-03-14 16:35:54 -04:00
Valentin Rothberg ac12d8f273 containers.conf: add database backend option
The on-going work of adding a new database backend to Podman requires it
to be configurable in containers.conf.  To prevent any breaking changes,
the backend defaults to Podman's current boltdb backend.  Also export
the parsing function for it to be usable by Podman.

NOTE: documentation will be added once the database rewrite in Podman
has been completed.  I want to avoid any incomplete docs from leaking
into a release.

Fixes: https://issues.redhat.com/browse/RUN-1772
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-02-20 13:00:13 +01:00
Arthur Sengileyev ba9896d094 FindHelperBinary will try LookPath of absolute path
exec.LookPath seems to handle absolute paths gracefully. On Windows this
allows to additionally check for all known executable alternatives
when only name is provided.

Signed-off-by: Arthur Sengileyev <arthur.sengileyev@gmail.com>
2023-02-12 17:51:23 +02:00
Arthur Sengileyev 2a658cadb2 Add Provider to MachineConfig
Signed-off-by: Arthur Sengileyev <arthur.sengileyev@gmail.com>
2023-01-22 00:08:37 +02:00
Daniel J Walsh e2fb8c5133 Add ReadOnly flag to run containers in readonly mode
This is needed for Automotive.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-12-05 06:05:56 -05:00
OpenShift Merge Robot 23636dda9a Merge pull request #1243 from vrothberg/RUN-1702
containers.conf: add events_container_create_inspect_data
2022-11-28 07:44:29 -05:00
Valentin Rothberg 821a0657ca containers.conf: add events_container_create_inspect_data
Add an option to create a more verbose container-create event which
includes a JSON payload with detailed information about the container.

Jira: https://issues.redhat.com/browse/RUN-1702
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2022-11-28 13:01:46 +01:00
Daniel J Walsh f8045ec731 Remove conmon probe
This is taking time on every podman call, and provides limited
protection. Versioning should be handled in the packaging system
and this is unlikely to happen.

Every exec done by container tools hurts us as we try to get container
startup time to absolute minimal amounts.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-11-27 07:16:29 -05:00
Daniel J Walsh 3a429400c3 Deprecate UserNSSize, since we don't use it
Podman and Buildah do not use this field, and I
know of no users of it, remove it from docs and
the default conf file, so users will not expect
it to do anything.

Leaving implementation in the slight chance someone
has used it in a non containers project.

Fixes: https://github.com/containers/podman/issues/16562

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-11-21 13:06:10 -05:00
Aditya R 1ea30aa853 config: add support for platform_to_oci_runtime and default entries for wasm
Containers.conf now supports `platform_to_oci_runtime` which allows end
users to map variant of OCI runtime for a particular platform.

Most ideal use-case of this feature is switching to crun's variant when
platform string is `wasm32/wasi`.

Example
```toml
[engine.platform_to_oci_runtime]
"wasi/wasm" = "crun-wasm"
"wasm/wasm32" = "crun-wasm"
"wasm/wasm64" = "crun-wasm"
```

Signed-off-by: Aditya R <arajan@redhat.com>
2022-11-11 20:44:59 +05:30
Doug Rabson 8d0af4f01e config: Add config entry for ocijail
Another experimental OCI runtime for FreeBSD, similar to runj but with
a focus on podman/buildah compatibility.

Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-10-19 12:02:47 +01:00
Valentin Rothberg e17483b871 bump to golangci-lint v1.50.0
Used `go fmt` rules to migrate away from deprecated functions, for
instance `gofmt -w -s -r 'ioutil.TempDir(a, b) -> os.MkdirTemp(a, b)'`

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2022-10-17 15:03:07 +02:00
Charlie Doern 2b86bc5d8a podman machine and podman-remote need some softer handling when it comes to key verification
this ensures that podman machine will still work (until we want to make this mandatory). I made the call back function more verbose so we know what is happening from now on.

Signed-off-by: Charlie Doern <cdoern@redhat.com>
2022-09-26 15:36:00 -04:00
OpenShift Merge Robot af3185ad19 Merge pull request #1119 from rhatdan/path
Add support for returning image path with ARCH and OS Substitutions
2022-08-23 09:06:05 -04:00
Filipe Brandenburger de5bad0cc3 config: Allow specifying helper dirs with $BINDIR as base directory
This should make it easier to locate helper binaries relative to where the main
binary was installed, which should be useful in installations such as Homebrew
which install packages under a versioned directory.

Use a `$BINDIR` magic token as a prefix in the helper path to indicate it should
be relative to the directory where the binary is located. This is somewhat familiar
to the syntax used in the shell and Makefile and is still quite explicit about the
behavior (as opposed to, say, making all relative paths be relative to the directory
of the binary.)

Tested: After updating the Darwin config to include a `$BINDIR/../libexec/podman`
directory, updated vendored package in podman, built it with `podman-remote`,
copied `gvproxy` to a `libexec/podman` at the same level as `bin/podman` and
confirmed that `podman machine start` worked as expected. Also confirmed that
having the `podman` in search path be a symlink to a binary elsewhere works as
expected, the searched `../libexec/podman` directory is relative to the actual
binary and not the symlink (which matches the Homebrew use case.)

Signed-off-by: Filipe Brandenburger <filbranden@gmail.com>
2022-08-22 13:28:00 -07:00
Matthew Heon 4f7bd530ae Add volume plugin timeout to containers.conf
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2022-08-22 14:39:23 -04:00
Daniel J Walsh 3196de901c Add support for returning image path with ARCH and OS Substitutions
Allow distributions to specify the location of the podman image VM
images in the form of URIs with $ARCH and $OS specified.  This would
allow a distribution to pull the image based on the current OS and Arch.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-08-22 07:17:58 -04:00
Jake Correnti 5128b5a72f Add conmon-rs paths
Adds the conmon-rs paths so Podman can find the right conmon-rs binary
when making a new runtime.

I also slightly modified the `FindConmon` function so that the code
could be shared with the `FindConmonRs` function that I added.

Signed-off-by: Jake Correnti <jcorrenti13@gmail.com>
2022-08-10 10:46:26 -04:00
Charlie Doern 64be63d976 ssh package
initial implementation of the ssh package including:

- nativeConnectionCreate() / golangConnectionCreate()
- n/a / golangConnectionDial()
- nativeConnectionScp() / golangConnectionScp()
- nativeConnectionExec() / golangConnectionExeC()

the way this works, is there are publicly accessible functions Create, Exec, Dial and Scp. podman will have a new global flag `--ssh` that will allow users to choose native or golang based ssh functions. The functionality in containers/common (here) also checks if you have the necessary binaries installed

closes #1091

Signed-off-by: Charlie Doern <cdoern@redhat.com>
2022-08-08 09:22:46 -04:00
openshift-ci[bot] 765893536d Merge pull request #1077 from saschagrunert/errors
Switch to golang native error wrapping
2022-07-12 11:21:37 +00:00
Sascha Grunert 426d69c00f Switch to golang native error wrapping
`github.com/pkg/errors` is deprecated since quite some time so we now
use the native error wrapping for more idiomatic golang.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2022-07-12 10:54:07 +02:00
Dominique Martinet 2e8943d3f7 add network dns_bind_port setting and set NETAVARK_DNS_PORT from it
This commit allows using aardvark with an alternate port as per
implementation in containers/netavark#323

Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
2022-07-08 09:45:15 +09:00
Daniel J Walsh a390d0c66c Change github.com/pkg/errors to use errors in pkg/config
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-05-18 10:33:53 -04:00
Daniel J Walsh 58f58410a6 Support setting image_volume_mode in containers.conf
Begins to fix https://github.com/containers/podman/issues/14230

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-05-18 10:10:06 -04:00
Kir Kolyshkin 27bf522212 .golanci-lint: enable gofumpt
gofumpt is a more opinionated version of gofmt. One can use it from their
$EDITOR, or IDE, or gopls to better format the source code.

Previously, commit b951b72412 already formatted all the code with
gofumpt, but since then a couple of things crept in.

Fix these (with gofumpt v0.3.1) and enable the gofumpt linter.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-16 20:01:08 -07:00
Doug Rabson a4a658034b Config files should live in /usr/local on FreeBSD
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-05-09 14:07:58 +01:00
Doug Rabson faf3c75d8f Add runj which is an experimental OCI runtime based on FreeBSD jails
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-05-09 14:07:58 +01:00
OpenShift Merge Robot 030366b89e Merge pull request #1024 from Luap99/linters
enable unparam, exportloopref and revive linters
2022-05-06 08:57:16 -04:00
Paul Holzinger cc110440e4 enable unparam, exportloopref and revive linters
unparam and exportloopref already work without changes.
For revive I had to silence many naming issues. I decided to silence them
instead of changing the name because I didn't want to break any code.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-05-06 13:32:35 +02:00
Valentin Rothberg 1cb045b421 containers.conf: add pod_exit_policy
Add a new `pod_exit_policy` field to the containers.conf's engine table.
A pod's exit policy determines the behaviour when the last container of
a pod exits.

Required-in: containers/podman/pull/13859
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2022-04-29 12:17:16 +02:00
Jason T. Greene 77d8f70039 Deprecate MachineEnabled and replace with API
machine.IsPodmanMachine replaces MachineEnabled
machine.MachineHostType informs the type unknown, qemu, wsl, etc
machine.IsGvProxyBased used to make specific determinations re gvproxy

Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
2022-04-23 12:32:54 -05:00
Paul Holzinger ce62c07f22 add host_containers_internal_ip to containers.conf
Set the ip for the host.containers.internal entry in the containers /etc/hosts
file. This can be set to "none" to disable adding this entry. By default it
will automatically choose the host ip.

Also add a function to get the correct host.containers.internal ip. This
should be used by podman and buildah and then passed to the New()
function.

Ref https://github.com/containers/podman/issues/13224

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-04-21 11:48:36 +02:00
Paul Holzinger a3b0ae033e add base_hosts_file field to containers.conf
base_hosts_file can be used to overwrite the default base host file
/etc/hosts which is used to copy hosts entries from this file into the
containers /etc/hosts file. As special value "image" can be used to copy
the entries from the image hosts file or "none" to not use a base file
at all. If the value is empty we should use /etc/hosts as default.

Ref https://github.com/containers/podman/issues/13277
Ref https://github.com/containers/podman/issues/13748

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-04-21 11:39:56 +02:00
Niall Crowe a894dd11a3 pkg/config: new value for events_logfile_max_size
Changing the value for events_logfile_max_size from 0 to 1048576. This allows
up to 10,000 events to be written to the events log file before rotation occurs.
Also adding new values to default.go

Signed-off-by: Niall Crowe <nicrowe@redhat.com>
2022-04-20 10:23:50 +01:00
OpenShift Merge Robot 6c2cd2f357 Merge pull request #997 from kolyshkin/golangci-lint
golangci-lint spring cleaning and bump
2022-04-14 07:14:51 -04:00
Daniel J Walsh a3e25551d0 Add machine volumes to containers.conf
This will allow users to specify which volumes they want podman machine
to automatically mount into the machine. These volumes can later be used
to volume mount into containers.

Environment variables like $HOME can be used and are translated at the
time of machine start.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-04-13 07:33:17 -04:00
Kir Kolyshkin b951b72412 Gofumpt the code
gofumpt is a stricter version of gofmt, basically making the code more
readable, and fixing the gocritic's octalLiteral warnings like this one:

	pkg/util/util_supported.go:26:17: octalLiteral: use new octal literal style, 0o722 (gocritic)
		return (perm & 0722) == 0700
			       ^

Generated by gofumpt -w .

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-09 16:50:11 -07:00
Daniel J Walsh a4a20e5973 Switch all calls to filepath.Walk to filepath.WalkDir
Eliminating all of the stat calls should make this a bit faster.

[NO NEW TESTS NEEDED]

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-03-26 06:53:11 -04:00
Paul Holzinger 205fcae97e pkg/config: events_logfile_max_size add omitzero
Number types must use omitzero otherwise they are included in the toml
file when it is written and the value is 0, see commit 6c61942524.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-03-24 16:13:19 +01:00
Niall Crowe ccad158a8b containers.conf: add events_logfile_max_size
Add a new option to the `[engine]` table in containers.conf
for specifying the maximum size of `events_logfile_path`.
Once exceeded, Podman will rotate the logfile and delete
the old one.

Also add tests to make sure we're not regressing in the future.

Signed-off-by: Niall Crowe <nicrowe@redhat.com>
2022-03-16 14:32:59 +00:00
Rover van der Noort 87dcc5729f Add ExitCommandDelay as configuration in EngineConfig with default of 5 minutes in seconds.
Signed-off-by: Rover van der Noort <s.r.vandernoort@student.tudelft.nl>
2022-02-24 15:51:05 +01:00
Paul Holzinger b76062811b pkg/config: add new default_subnet_pools field
Add a new field to set the default subnet pools. They can be used to
change the subnet which is automatically allocated by podman network
create.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-02-15 15:29:19 +01:00
Daniel J Walsh 3e33e53044 Run codespell on code
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-01-21 07:47:02 -05:00
Paul Holzinger 4eb265ce95 remove rootless_networking field from containers.conf
This field was only needed for machine to force cni, however you can set
netns="bridge" in the config to have the same effect. This is already
done in the machine setup.

The field was more of a hack and just creates confusion for users so we
remove it.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-01-20 16:23:12 +01:00
OpenShift Merge Robot c0b7992982 Merge pull request #887 from machacekondra/configmap
Add configmap backend
2022-01-19 10:37:02 -05:00
Paul Holzinger 995cdaae8f netavark: use globally shared network config dir
Since the network namespace is shared for all rootful libpod instances
we also need to make sure to use the same network config dir and run dir
to ensure that we do not use the same subnet or ip for more than one
container.

Also update the documentation about the network_config_dir field.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-01-17 15:36:03 +01:00
Ondra Machacek db55cb361b Add configmap backend
2022-01-14 09:56:51 +01:00
Daniel J Walsh f92d49848e No reason to use a Map versus a slice for ProxyEnv
[NO NEW TESTS NEEDED]

Also vendor in latest containers/image code to remove dependabot
warnings.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-01-07 09:20:54 -05:00
Daniel J Walsh 98b9bd7d43 WEB Proxy is used in at least three different places in code
This change makes a global rather than defining this list in multiple
places.

[NO NEW TESTS NEEDED]

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-01-07 08:43:38 -05:00
Jason T. Greene d813c5e6fb Add platform driven image and user defaults for podman machine
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
2021-12-09 14:37:54 -06:00
Giuseppe Scrivano f0262407d0 config: add CompressionFormat option
support changing the default compression format in the containers.conf
config file.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-02 15:56:43 +01:00
Valentin Rothberg c9748ff5ad containers.conf: add option to enforce docker.io for compat API
Add an option to containers.conf as a knob to enforce short-name
resolution to Docker Hub in Podman's compatibility REST API.

By popular request, turn it on by default.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-11-19 16:44:56 +01:00
Daniel J Walsh 6d6fe11781 Set the environment variables for the engine
The Engine.Env needs to be set very early in the setup process
to make sure no one attempts to use the environment.

Fixes: https://github.com/containers/podman/issues/12296

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-11-15 12:03:40 -05:00
Ed Santiago c55ef5b984 FindHelperBinary(): allow override via envariable
When searching for helpers, check $CONTAINERS_HELPER_BINARY_DIR.
If it points at an existing directory, prepend it to the
search path for binaries.

Intention is to use this for developer testing: a way to run make
(e.g. in podman) then use the locally-built rootlessport and pause
images

Signed-off-by: Ed Santiago <santiago@redhat.com>
2021-11-11 12:26:38 -07:00
Matthew Heon 8b1b879924 Add network_backend field for switching to netavark
This field determines whether CNI or netavark will be used to
create container networks. Default presently set to "cni".

Signed-off-by: Matthew Heon <mheon@redhat.com>
2021-11-09 13:45:56 -05:00
Daniel J Walsh 9680fe7bf6 Update pkg/config/config.go
Co-authored-by: Valentin Rothberg <rothberg@redhat.com>
2021-10-25 12:36:34 -04:00
Jacob Emmert-Aronson 8d0bbae800 Add a hint for misconfigured helper_binaries_dir
Signed-off-by: Jacob Emmert-Aronson <jacob@roadnottaken2718.com>
2021-10-23 14:50:57 -07:00
Valentin Rothberg 44f8339664 containers.conf: unknown keys: reduce to Debug level
Reduce the logs for unknown keys from Warn to Debug level.
The containers.conf continuously receives new keys, and some consumers
(e.g., Podman) are updating it at runtime.  Even small divergences in
the vendored versions of containers/common can let one tool run fine and
the other print warnings for each invocation.  Reducing the log-level to
debug works around that problem at the cost of honest typos not being
as easy to detect as before.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-10-08 13:02:25 +02:00
Paul Holzinger 6c61942524 config: add omitzero for numeric types
When toml writes the config file it does not use `omitempty` for numeric
values instead it requires `omitzero`. [1]

The problem is that without this change, `config.Write()` writes
```
[machine]
  cpus = 0
  disk_size = 0
  memory = 0
```
to the user file. Because podman machine system connection add code will
do this the config file is broken afterwards. The first vm will be created
successfully but after this every other vm will be broken because the
cpu, memory and disk size are set to zero.

[1] https://github.com/BurntSushi/toml/pull/81

Fixes containers/podman#11824

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2021-10-01 15:13:02 +02:00
Ashley Cui bb2b17e7da Add machine table to containers.conf
Add machine table to configure podman machine options. Move machine_image to the machine table, and add cpus, disk size, and memory to the machine table.

Signed-off-by: Ashley Cui <acui@redhat.com>
2021-09-23 17:03:12 -04:00
Daniel J Walsh b45ac6d515 Make podman system service timeout configurable in containers.conf
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-09-15 06:15:42 -04:00
Daniel J Walsh a5bac2096a Add support for image_copy_tmp_dir
Allow users to set the default location for the temporary files used
during image pulls and pushes.

Defaults to /var/tmp;

Overridden via "TMPDIR" environment variable.

Allow special flag "storage" to indicate that the storage should use
the tmp directory in containers/storage/tmp.

Needed to fix: https://github.com/containers/podman/issues/11107

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-09-11 04:51:27 -04:00
Paul Holzinger 25622da26e Add HelperBinariesDir field to engine config
This field contains a list of directories which should be used to store
some helper binaries, e.g. gvproxy.

Also add a FindHelperBinary method to the config struct to get the full
path to a helper binary.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2021-09-10 13:38:19 +02:00
Matthew Heon 92ebb4a858 Switch default Rootless Networking to "CNI" for OSX
This should better support rootless CNI use cases.

Fixes https://github.com/containers/podman/issues/11396

Signed-off-by: Matthew Heon <mheon@redhat.com>
2021-09-01 15:57:00 -04:00
unknowndevQwQ 43bd1ced8a add some cni plugin paths
add some possible paths for the cni plugin to be stored

Replaces: containers/common#728

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-08-31 06:23:16 -04:00
Ashley Cui 927da0ce99 Add machine_image to containers.conf
Signed-off-by: Ashley Cui <acui@redhat.com>
2021-08-09 15:37:06 -04:00
unknowndevQwQ 1826e711c7 fix: fix #692
2021-08-02 21:43:06 +08:00
Giuseppe Scrivano d7e8c2338b config: split arguments in DBUS_SESSION_BUS_ADDRESS
split the DBUS_SESSION_BUS_ADDRESS value so that something like:

unix:path=/run/user/1000/bus,guid=817e9ffcfb383869ad17ea8360e7428a

will ignore ",guid=817e9ffcfb383869ad17ea8360e7428a" when checking
that the path exists.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1984531

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-07-26 15:08:33 +02:00
OpenShift Merge Robot 33633ba029 Merge pull request #678 from vikas-goel/prepare-volume
User option to prepare container after creation for volume copy-up.
2021-07-15 09:22:09 -04:00
Vikas Goel a7668c208f User option to prepare container after creation for volume copy-up.
Docker does this by default.

Relates to podman#10262

[NO TESTS NEEDED]

Signed-off-by: Vikas Goel <vikas.goel@gmail.com>
2021-07-14 12:12:15 -07:00
Matej Vasek 61d2ae986d add config option for ChownCopiedFiles
Signed-off-by: Matej Vasek <mvasek@redhat.com>
2021-07-13 18:17:12 +02:00
Daniel J Walsh 001e09ea34 Report bad entries in containers.conf to the user
Currently if a user puts a typo into a containers.conf
or puts the keys in the wrong section, then tools using
container-common ignore them. This patch will print them
as warnings, so that the user has some idea.

I have tested this locally with Podman.
./bin/podman run alpine echo hi
WARN[0000] Failed to decode the keys ["containers.events_logger" "engine.foo"] from "/home/dwalsh/.config/containers/containers.conf".
WARN[0000] Failed to decode the keys ["containers.events_logger" "engine.foo"] from "/home/dwalsh/.config/containers/containers.conf".
WARN[0000] Failed to decode the keys ["containers.events_logger" "engine.foo"] from "/home/dwalsh/.config/containers/containers.conf".
WARN[0000] Failed to decode the keys ["containers.events_logger" "engine.foo"] from "/home/dwalsh/.config/containers/containers.conf".
hi

With ~/.config/containers/containers.conf

[containers]
events_logger = "file"
[engine]
foo="bar"

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-06-30 15:17:05 -04:00
Ashley Cui 9fa534c40a Allow /etc/containers/containers.conf to be read by non-root
If a root user writes to a config using Write(), and there is not already an /etc/containers/containers.conf, Write() will create it. This config file also needs to be read by non-root podman.

Signed-off-by: Ashley Cui <acui@redhat.com>
2021-06-22 09:52:09 -04:00
OpenShift Merge Robot 10fc9ceca2 Merge pull request #615 from rhatdan/config
Add support for config drop in directories
2021-06-10 16:44:15 -04:00
Daniel J Walsh 4c51429098 Add support for config drop in directories
Fixes: https://github.com/containers/common/issues/368

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-06-10 16:34:26 -04:00
Tino Rusch 5ec160696b add 'secret' section to the containers.conf struct.
2021-06-10 14:04:32 +02:00
Daniel J Walsh 9c89b403e7 Add default for log-tag
Needed for https://github.com/containers/podman/issues/10204

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-06-09 08:43:07 -04:00
Brent Baude cf1c43959f rootless networking
Set type of rootless networking with:

rootless_networking = "slirp4netns | cni"

slirp is the default

Signed-off-by: Brent Baude <bbaude@redhat.com>
2021-05-20 15:34:44 -05:00
Valentin Rothberg 460874be71 Revert "Do not emit warnings about OCI runtime paths"
This reverts commit 352073be9e as it's
causing a regression as it overwrites any custom OCI runtime with either
runc, crun or kata.  See the Podman CI failure below:

```
[+0383s] not ok 95 podman build - set runtime
[+0383s] # (from function `die' in file test/system/helpers.bash, line 412,
[+0383s] #  from function `run_podman' in file test/system/helpers.bash, line 220,
[+0383s] #  in test file test/system/070-build.bats, line 70)
```

I currently do not have the time for a proper fix but the next commit
attempting to address the warnings must include tests.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-05-19 13:12:13 +02:00
OpenShift Merge Robot 6b0f9a2be1 Merge pull request #538 from basilgello/fix-9389
Do not emit warnings about OCI runtime paths
2021-05-12 15:05:47 -04:00
OpenShift Merge Robot 73305281fd Merge pull request #541 from ashley-cui/mac
[NO TESTS NEEDED] Fix reading configs on mac and windows
2021-05-11 17:19:52 -04:00
Ashley Cui e237d2da9b Fix reading configs on mac and windows
On Mac and Windows, automatically read default rootless config location, since
unshare.IsRootless doesn't work.

Signed-off-by: Ashley Cui <acui@redhat.com>
2021-05-10 15:27:01 -04:00
Vasyl Gello 352073be9e Do not emit warnings about OCI runtime paths
... before all user configuration files are merged.

This fixes #9389.

Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>
2021-05-10 21:39:17 +03:00
OpenShift Merge Robot 4769b30832 Merge pull request #527 from rhatdan/cleanup
Add support for codespell, and fix issues found
2021-05-05 17:09:54 -04:00
Daniel J Walsh dee190ce4c Add support for codespell, and fix issues found
[NO TESTS NEEDED] This is just code cleanup

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-05-05 17:02:11 -04:00
Matthew Heon 85df6670fb Add ability to specify a subnet for the default network
This lays the foundation for c/common to be able to create the
default CNI configuration file itself.

Signed-off-by: Matthew Heon <mheon@redhat.com>
2021-05-04 11:40:22 -04:00
Valentin Rothberg bc6c57edb5 libimage: follow-up changes
The following changes were not split into smaller commits since the
entire package is still work in progress and I want to keep moving:

 * Various small fixes.

 * The internal image cache has been removed as it's a recipe for
   inconsistencies for longer running processes.  This should make
   libimage easier to use for CRI-O and a Podman service.

 * LookupImage now returns storage.ErrUnknownImage rather than nil.
   This simplifies the callers and makes sure we have a consistent
   error.

 * LookupImage is now able to handle manifest lists.  Unless the
   platform is explicitly ignored via the options, the matching
   image within the manifest list is now returned.  This greatly
   simplifies the spec generation in Podman; no callers should have
   to worry about this kind of detail.

 * LookupImage has been refactored into smaller-sized and easier to
   read functions.

 * RemoveImages has been changed to assemble the data of removed or
   untagged images.  This comes in handy for pruning images.  I am
   heavily against having a dedicated API for pruning since it's
   really just a combination of filtering and removing images which
   RemoveImages already supports.  Hence these changes to satisfy
   the needs of `podman image prune`.
   Furthermore, it now returns an []error slice rather than a single
   error.  Again to make Podman happy which needs to inspect *all*
   errors for setting the appropriate exit code.

 * A rather large refactoring of the removal code along with very
   verbose comments.  Those were largely absent in the Podman code base
   but there are many rules and contracts embedded that I partially could
   only reconstruct by manually testing and comparing to Docker.

 * Add a new `containers={true,false}` filter which allows filtering
   images whether they are used by containers (=true) or if no container
   is using them (=false).  This filter is required for pruning images
   in Podman.

 * `libimage/types` has been merged into `libimage`.  Podman has to do
   _a lot of_ massaging for the remote client already and the types
   are pretty much nailed down for the remote API.  Hence, I prefer to
   do some translation between `libimage` types and what Podman needs
   rather than splitting `libimage` in half without an obvious reason.
   This way the package is self-contained allowing for an easier
   navigation and maintenance.

 * `libimage.PullPolicy` has been merged into `pkg/config.PullPolicy`
   to have _one_ central place to deal with pull policies.  The type
   system in `pkg/config` sets "always" as the default unfortunately
   but I think consistency is more important at that point.

 * Added `CopyOptions.DirForceCompress` to enforce layer compression
   when copying to a `dir` destination.

 * We now use `github.com/disiqueira/gotree` for pretty printing image
   trees.  That greatly simplifies the code and we don't have to worry
   about the logic of printing a tree.  Note that trees are now always
   printed top down!

 * Added a new `libimage.ManifestList` type along with an API for local
   lookups and performing certain operations on it to wrap around
   `libimage/manifests` as previously done in `libpod/image` and other
   places in Podman.

 * Correct caching of `(*Image).Inspect`.

 * In addition to username, password and credentials, allow for
   specifying an identity token for copying images.  That's needed for
   Podman's remote API.

 * Make image removal more tolerant toward corrupted images.

 * A new "until=timestamp" filter that can be used by all APIs
   supporting filtering.

 * An empty string now resolves to PullPolicyMissing.

 * `(*Runtime) systemContextCopy()` returns a deep copy of the runtime's
   system context.  Golang's shallow copies are very dangerous for long
   running processes such as Podman's system service.  Hence, we need to
   make sure that base data is not altered over time.  That adds another
   external dependency but I do not see a way around that.  Long term,
   I desire a `(*containers/image/types.SystemContext).Copy()` function.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-05-03 15:20:40 +02:00
Ashley Cui 24f4991dc1 Add support for machine_enabled in containers.conf
machine_enabled is a bool that indicates if Podman is running in a
podman-machine VM

Signed-off-by: Ashley Cui <acui@redhat.com>
2021-04-23 14:37:18 -04:00