We never verified that the context directory passed into the build
command was a valid directory. When we then slapped a default Containerfile
name onto it, things went south fast if the user had passed us a file and
not a directory.
Fixes: #4383
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
change the default to -1, so that we can change the semantic of
"--tail 0" to not print any existing log line.
Closes: https://github.com/containers/libpod/issues/4396
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Refactor the `RuntimeConfig` along with related code from libpod into
libpod/config. Note that this is a first step of consolidating code
into more coherent packages to make the code more maintainable and less
prone to regressions on the long runs.
Some libpod definitions were moved to `libpod/define` to resolve
circular dependencies.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Currently podman play kube is not using the system default seccomp.json file.
This PR will use the default or override location for podman play.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Generate an image's RepoDigests list using all applicable digests, and
refrain from outputting a digest in the tag column of the "images"
output.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Be prepared to report multiple image digests for images which contain
multiple manifests but, because they continue to have the same set of
layers and the same configuration, are considered to be the same image.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add --override-arch and --override-os as hidden flags, in line with the
global flag names that skopeo uses, so that we can test behavior around
manifest lists without having to conditionalize more of it by arch.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Move to containers/image v5 and containers/buildah to v1.11.4.
Replace an equality check with a type assertion when checking for a
docker.ErrUnauthorizedForCredentials in `podman login`.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
when users create a new network and the dnsname plugin can be found by
podman, we will enable container name resolution on the new network.
there is an option to opt *out* as well.
tests cannot be added until we solve the packaging portion of the
dnsname plugin.
Signed-off-by: baude <bbaude@redhat.com>
Unless specified otherwise by --all, --latest or via arguments, list all
running containers. This matches the behaviour of Docker and is also
illustrated in the man pages where containers and options are marked to
be optional.
Fixes: #4274
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
if the cgroup manager is set to systemd, detect if dbus is available,
otherwise fallback to --cgroup-manager=cgroupfs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Everything else is a flag to mount, but "uid" and "gid" are not.
We need to parse them out of "o" and handle them separately.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We need to use the new Inspect() endpoint instead of trying to
JSON the actual volume structs. Currently, the output seems
completely nonsensical; it seems like we're JSONing the struct
for the Varlink connection itself? This should restore sanity and
match the format of remote and local inspect on volumes.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The json field is called `Image` while the go field is called `ImageID`,
tricking users into filtering for `Image` which ultimately results in an
error. Hence, rename the field to `Image` to align json and go.
To prevent podman users from regressing, rename `Image` to `ImageID` in
the specified filters. Add tests to prevent us from regressing. Note
that consumers of the go API that are using `ImageID` are regressing;
ultimately we consider it to be a bug fix.
Fixes: #4193
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
similar change to f7d55d64e7
with images --format=json, be sure the output is valid json also when
it is an empty list.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Translate the podman build --squash command to podman build --layers=false which
has the same functionality as docker build --squash. Add a new option --squash-all
which will squash all layers into one. This will be translated to buildah bud --squash
for the buildah bud api.
Also allow only one option, squash, layers or squash--all to be used per build command.
Fixes: https://github.com/containers/buildah/issues/1234
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Changes include: Containerfile by default, add --device flags to bud, allow buildah bud to be called without
arguments, and a couple of small typo corrections.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Default path should be ${XDG_RUNTIME_DIR}/containers/auth.json according
to the docs.
This regressed to ${XDG_RUNTIME_DIR}/auth.json in #3760.
Fixes: #4227
Signed-off-by: Hunor Csomortáni <csomh@redhat.com>
This is a horrible hack to work around issues with Fedora 31, but
other distros might need it to, so we'll move it upstream.
I do not recommend this functionality for general use, and the
manpages and other documentation will reflect this. But for some
upgrade cases, it will be the only thing that allows for a
working system.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
it enforces the systemd mode also when the command name doesn't match
/usr/sbin/init or systemd.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
"init" is a quite common name for the command executed in a container
image and Podman ends up using the systemd mode also when not
required.
Be stricter on enabling the systemd mode and not enable it
automatically when the basename is "init" but expect the full path
"/usr/sbin/init".
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
if the pause process cannot be joined, remove the pause.pid while
keeping a lock on it, and try to recreate it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
CRI-O defaults to 1024 for the maximum pids in a container. Podman
should have a similar limit. Once we have a containers.conf, we can
set the limit in this file, and have it easily customizable.
Currently the documentation says that -1 sets pids-limit=max, but -1 fails.
This patch allows -1, but also indicates that 0 also sets the max pids limit.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This requires updating all import paths throughout, and a matching
buildah update to interoperate.
I can't figure out the reason for go.mod tracking
github.com/containers/image v3.0.2+incompatible // indirect
((go mod graph) lists it as a direct dependency of libpod, but
(go list -json -m all) lists it as an indirect dependency),
but at least looking at the vendor subdirectory, it doesn't seem
to be actually used in the built binaries.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
currently, podman import change do not support syntax like
- KEY val
- KEY ["val"]
This adds support for both of these syntax along with KEY=val
Signed-off-by: Kunal Kushwaha <kunal.kushwaha@gmail.com>
A true result from reexec.Init() isn't an error, but it indicates that
main() should exit with a success exit status.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
If we don't do this, we print WARN level messages that we should
not be printing by default.
Up one WARN message to ERROR so it still shows up by default.
Fixes: #4115Fixes: #4012
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Add ability to evict a container when it becomes unusable. This may
happen when the host setup changes after a container creation, making it
impossible for that container to be used or removed.
Evicting a container is done using the `rm --force` command.
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
close#3894
This patch let podman cp return 'no such file or directory' error if DEST_PATH does not exist and ends with / when copying file.
Signed-off-by: Qi Wang <qiwan@redhat.com>
The API document incorrectly documented the wrong varlink build
arguments. The output attribute is required.
Fixes: #3204
Signed-off-by: baude <bbaude@redhat.com>
Fix the logic when getting the runtime for varlink to actually disable
SDNotify support.
Fixes: #4005
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
when using the remote client, users may need to specify a non-standard
port for ssh connections. we can do so on the command line and within
the remote-client configuration file.
Fixes: #3987
Signed-off-by: baude <bbaude@redhat.com>
We want to default to secure when running containers as root,
in rootless, we need to change the default if the system does not
support cgroup v1.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
do not shadow the err variable so that the correct error message can
be reported when utils.RunUnderSystemdScope fails.
Closes: https://github.com/containers/libpod/issues/4012
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
We have leaked the exit number codess all over the code, this patch
removes the numbers to constants.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
when removing a podman network, we need to make sure we delete the
network interface if one was ever created (by running a container).
also, when removing networks, we check if any containers are using the
network. if they are, we error out unless the user provides a 'force'
option which will remove the containers in question.
Signed-off-by: baude <bbaude@redhat.com>
when running in rootless mode and using systemd as cgroup manager
create automatically a systemd scope when the user doesn't own the
current cgroup.
This solves a couple of issues:
on cgroup v2 it is necessary that a process before it can moved to a
different cgroup tree must be in a directory owned by the unprivileged
user. This is not always true, e.g. when creating a session with su
-l.
Closes: https://github.com/containers/libpod/issues/3937
Also, for running systemd in a container it was before necessary to
specify "systemd-run --scope --user podman ...", now this is done
automatically as part of this PR.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This is mostly used with Systemd, which really wants to manage
CGroups itself when managing containers via unit file.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
This isn't included in Docker, but seems handy enough.
Use the new API for 'volume rm' and 'volume inspect'.
Fixes#3891
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We have had some issues with users squashing large images or pulling large
content from github, that could trigger crashes based on the size of /tmp.
Docker had an issue with this back in 2016. https://github.com/golang/go/issues/14021
The discussion there was to change the default to /var/tmp.
This change will only effect systems that do not set the TMPDIR environment variable.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Use a consistent format for description of the <size><unit> flags.
Also, avoid backticks for /dev/shm, as that's interpreted as the format
by the flag parsing lib.
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
detect if the current user namespace doesn't match the configuration
in the /etc/subuid and /etc/subgid files.
If there is a mismatch, raise a warning and suggest the user to
recreate the user namespace with "system migrate", that also restarts
the containers.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
prune unwanted messages when running a container remotely. also, cp is
not remote-enabled yet and as such should not be available on the remote
client.
Fixes: #3861
Signed-off-by: baude <bbaude@redhat.com>
Support generating systemd unit files for a pod. Podman generates one
unit file for the pod including the PID file for the infra container's
conmon process and one unit file for each container (excluding the infra
container).
Note that this change implies refactorings in the `pkg/systemdgen` API.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add the digestfile option to the push command so the digest can
be stored away in a file when requested by the user. Also have added
a debug statement to show the completion of the push.
Emulates Buildah's https://github.com/containers/buildah/pull/1799/files
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Drop the support for remote clients to generate systemd-service files.
The generated files are machine-dependent and hence relate only to the
a local machine. Furthermore, a proper service management when using
a remote-client is not possible as systemd has no access to a process.
Dropping the support will also reduce the risk of making users believe
that the generated services are usable in a remote scenario.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
podman stats does not work in rootless environments with cgroups V1.
Fix error message and document this fact.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
adding podman network and the subcommands inspect, list, and rm. the
inspect subcommand displays the raw cni network configuration. the list
subcommand displays a summary of the cni networks ala ps. and the rm
subcommand removes a cni network.
Signed-off-by: baude <bbaude@redhat.com>
add ability to not activate sd_notify when running under varlink as it
causes deadlocks and hangs.
Fixes: #3572
Signed-off-by: baude <bbaude@redhat.com>
obtaining containerstats requires the use of cgroups. at present,
rootless users do not have privileges to create cgroups. add an error
message that catches this for the varlink endpoint and return a proper
error.
Fixes: #3749
Signed-off-by: baude <bbaude@redhat.com>
Requirement from https://github.com/containers/libpod/issues/3575#issuecomment-512238393
Added --pull for podman create and pull to match the newly added flag in docker CLI.
`missing`: default value, podman will pull the image if it does not exist in the local.
`always`: podman will always pull the image.
`never`: podman will never pull the image.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Add flag `--authfile` to create and run so Podman can read authfile path from not only environemnt variable REGISTRY_AUTH_FILE but also CLI
Signed-off-by: Qi Wang <qiwan@redhat.com>
rework an error path so that users can run the windows remote client.
also, create the basedir path for the podman-remote.conf file if it does
not exist already.
Signed-off-by: baude <bbaude@redhat.com>
A quick fix a few nits in documentation within
cmd/podman/shared/containers.go. This gets the last
bits as noted in #3577
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
when listing multiple ports on a container with podman port, an early
return was limiting results.
Fixes: #3747
Signed-off-by: baude <bbaude@redhat.com>
Previously, we use CreateConfig's Command to populate container
Command (which is used as CMD for Inspect and Commit).
Unfortunately, CreateConfig's Command is the container's full
command, including a prepend of Entrypoint - so we duplicate
Entrypoint for images that include it.
Maintain a separate UserCommand in CreateConfig that does not
include the entrypoint, and use that instead.
Fixes#3708
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
if the image is unnamed, pass an nil slice to the parse repotags function instead of getting the image name by index.
after this patch, unnamed images will be shown as <none>
```
Images space usage:
REPOSITORY TAG IMAGE ID CREATED SIZE SHARED SIZE UNIQUE SIZE CONTAINERS
docker.io/library/ubuntu bionic 3556258649b2 11 days ago 66.6MB 0B 66.6MB 0
<none> <none> dd8a8db2c79b 11 days ago 986MB 66.6MB 919MB 0
```
Signed-off-by: Qi Wang <qiwan@redhat.com>
Begin to separate the internal structures and frontend for
inspect on volumes. We can't rely on keeping internal data
structures for external presentation - separating presentation
and internal data format is good practice.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
If a container is restored multiple times from an exported checkpoint
with the help of '--import --name', the restore will fail if during
'podman run' a static container IP was set with '--ip'. The user can
tell the restore process to ignore the static IP with
'--ignore-static-ip'.
Signed-off-by: Adrian Reber <areber@redhat.com>
This enables programs and scripts wrapping the podman command to handle
'podman rm' and 'podman rmi' failures caused by paused or running
containers or due to images having other child images or dependent
containers. These errors are common enough that it makes sense to have
a more machine readable way of detecting them than parsing the standard
error output.
Signed-off-by: Ondrej Zoder <ozoder@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Jimmy Crumpler
TomSweeneyRedHat
OpenShift Merge Robot
Jhon Honce
Giuseppe Scrivano
Valentin Rothberg
Aleksey Chudov
Daniel J Walsh
Nalin Dahyabhai
baude
Matthew Heon
Hunor Csomortáni
Matthew Heon
Miloslav Trmač
Mrigank Krishan
Anders F Björklund
Kunal Kushwaha
Marco Vedovati
Qi Wang
xcffl
Ashley Cui
Chen Zhiwei
Adrian Reber
Fabian Zoske