Docker supports log-opt max_size and so does conmon (ALthough poorly).
Adding support for this allows users to at least make sure their containers
logs do not become a DOS vector.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
If the container uses the /dev/fuse device, attempt to load the fuse
kernel module first so that nested containers can use it.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1872240
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
In podman containers rm and podman images rm, the commands
exit with error code 1 if the object does not exists.
This PR implements similar functionality to volumes, networks, and Pods.
Similarly if volumes or Networks are in use by other containers, and return
exit code 2.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The remote client does not support loading directories yet. To prevent
confusing error messages and to make the behaviour more explicit, check
if the input points to a directory and throw an error if needed.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add a bunch of tests to ensure that --volumes-from
works as expected.
Also align the podman create and run man page.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Add auth.json(5) link to login/logout docs. Provide more details about the usage of auth.json by podman-login.
Signed-off-by: Qi Wang <qiwan@redhat.com>
The `podman ps --all` command will now show containers that
are under the control of other c/storage container systems and
the new `ps --storage` option will show only containers that are
in c/storage but are not controlled by libpod.
In the below examples, the '*working-container' entries were created
by Buildah.
```
podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9257ef8c786c docker.io/library/busybox:latest ls /etc 8 hours ago Exited (0) 8 hours ago gifted_jang
d302c81856da docker.io/library/busybox:latest buildah 30 hours ago storage busybox-working-container
7a5a7b099d33 localhost/tom:latest ls -alF 30 hours ago Exited (0) 30 hours ago hopeful_hellman
01d601fca090 localhost/tom:latest ls -alf 30 hours ago Exited (1) 30 hours ago determined_panini
ee58f429ff26 localhost/tom:latest buildah 33 hours ago storage alpine-working-container
podman ps --external
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d302c81856da docker.io/library/busybox:latest buildah 30 hours ago external busybox-working-container
ee58f429ff26 localhost/tom:latest buildah 33 hours ago external alpine-working-container
```
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Support loading and saving tarballs with more than one image.
Add a new `/libpod/images/export` endpoint to the rest API to
allow for exporting/saving multiple images into an archive.
Note that a non-release version of containers/image is vendored.
A release version must be vendored before cutting a new Podman
release. We force the containers/image version via a replace in
the go.mod file; this way go won't try to match the versions.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add support for generating systemd units
via the api and podman-remote.
Change the GenerateSystemdReport type to return the
units as map[string]string with the unit name as key.
Add `--format` flag to `podman generate systemd`
to allow the output to be formatted as json.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Add support for multi level subcommands.
e.g. podman system connection.
Update the flags and add note for containers.conf.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Fix podman build man pages to match buildah functionality.
Also document .dockerignore formatted files.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
it allows to manually tweak the configuration for cgroup v2.
we will expose some of the options in future as single
options (e.g. the new memory knobs), but for now add the more generic
--cgroup-conf mechanism for maximum control on the cgroup
configuration.
OCI specs change: https://github.com/opencontainers/runtime-spec/pull/1040
Requires: https://github.com/containers/crun/pull/459
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* override --url and/or --identity fields from containers.conf
* --connection flag has higher precedence than ActiveService from
containers.conf. Which is set via podman system connection default
* Add newline to error message printed on stderr
* Added --connection to bash completion and documentation
* Updated bindings to query server in case of no path or /
Closes #jira-991
Fixes#7276
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Squashed commits to work around CI issue
Add notes to the podman-create and podman-run man pages
to note that ports do not need to be published and should not
be, for containers that will be part of a pod.
Addresses: #6769
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Add better error message when using `--pod` and `--hostname`.
Improve the docs to better explain the uts hostname relation.
Add more valid options for the `--uts` flag.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
it allows to customize the options passed down to the OCI runtime for
setting up the /proc mount.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This adds support for the --cidr parameter that is supported
by slirp4netns since v0.3.0. This allows the user to change
the ip range that is used for the network inside the container.
Signed-off-by: Adis Hamzić <adis@hamzadis.com>
There are a bunch of *.rst files in docs/source, linking sometimes
to man pages and sometimes to other .rst files. These files each
have entries of the following form:
:doc:`foo <link-to-foo>` Description of foo
...for all podman sub and sub-subcommands 'foo'.
Read all .rst files and make sure that:
- all entries in a given file are in alphabetical order
- all link-to-foo targets point to existing doc files
- every subcommand known by 'podman help' has a corresponding
doc entry in a .rst file
Signed-off-by: Ed Santiago <santiago@redhat.com>
Podman 1.6.2 changed systemd mode auto-detection from commands ending in
``init`` to hard-coded paths ``/sbin/init`` and ``/usr/sbin/init``. This
broke FreeIPA container. ``podman run`` and ``podman create`` now
activate systemd mode when the command is ``/usr/local/sbin/init``.
Fixes: https://github.com/containers/podman/issues/7287
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Lots of references to man pages missing from docs.podman.io
Also fix sort order in man pages and other documents.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Allow to create a devpts mount.
This is useful for containers that bind mount /dev/ from the host but
at the same time want to create a terminal.
It can be used as:
podman run -v /dev:/dev --mount type=devpts,target=/dev/pts ...
Closes: https://github.com/containers/podman/issues/6804
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Docker and CNI have very different ideas of what 0.0.0.0 means.
Docker takes it to be 0.0.0.0/0 - that is, bind to every IPv4
address on the host. CNI (and, thus, root Podman) take it to mean
the literal IP 0.0.0.0. Instead, CNI interprets the empty string
("") as "bind to all IPs".
We could ask CNI to change, but given this is established
behavior, that's unlikely. Instead, let's just catch 0.0.0.0 and
turn it into "" when we parse ports.
Fixes#7014
Signed-off-by: Matthew Heon <mheon@redhat.com>
`/usr/lib/systemd/system` should only be used by the package manager
administrators should use: `/etc/systemd/system` or
`/usr/local/lib/systemd/system`
see: man systemd.unit
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Tests for #7094, in which symlinks in a volume would
cause chown errors and nonrunnable containers.
Tests for environment variable precedence, now
include --env-host and proxy settings
Fix a bug caught by covscan in helpers.t ('source'
path would fail if path included spaces).
Fix podman-run man page: it was incorrect in stating
precedence between in-image environment and --env-host.
Fixes: #7099
Signed-off-by: Ed Santiago <santiago@redhat.com>
There are many use cases where you want to just mount an image
without creating a container on it. For example you might want
to just examine the content in an image after you pull it for
security analysys. Or you might want to just use the executables
on the image without running it in a container.
The image is mounted readonly since we do not want people changing
images.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We should default to the user name unmount rather then the internal
name of umount.
Also User namespace was not being handled correctly. We want to inform
the user that if they do a mount when in rootless mode that they have
to be first in the podman unshare state.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
I updated the configuration part of the tutorial on rootless podman. I added the
order in which configuration files are read in and a hint, how users can create
default configuration in the home directories.
Closes#6777
Signed-off-by: Niklas Netter <niknett@gmail.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
- Added a space between 'containers' and 'this' in the opening paragraph
- comming -> coming
- 'looking our' -> 'looking at our'
Signed-off-by: Luke Mitchell <luke@lpmitchell.com>
--umask sets the umask inside the container
Defaults to 0022
Co-authored-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Ashley Cui <acui@redhat.com>
People who use docker scripts with Podman see failures
if they use disable-content-trust flag. This flag already
existed for podman build, adding it to pull/push/create/run.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Part of this section was a code block, and part of it was absorbed into
the preceding normal paragraph.
Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
Podman is committed to inclusivity, a core value of open source. Historically, there have been technology terms that are problematic and divisive, and should be changed. We are currently taking time to audit our repository in order to eliminate such terminology, and replace it with more inclusive terms. We are starting where we can, with our own code, comments, and documentation. However, such terms may be used in dependencies, and must be used in our repositories at the current moment for compatibility. Podman will change these terms in our repo as soon as new and better terminology is available to us via our dependencies.
For more information: https://www.redhat.com/en/blog/making-open-source-more-inclusive-eradicating-problematic-language?sc_cid=701600000011gf0AAA
Signed-off-by: Ashley Cui <acui@redhat.com>
When running "podman pod create --share user" the errors appears:
Error: User sharing functionality not supported on pod level
Fix docs and remove 'user' from shareable parameters.
Signed-off-by: Sagi Shnaidman <sshnaidm@redhat.com>
--sdnotify container|conmon|ignore
With "conmon", we send the MAINPID, and clear the NOTIFY_SOCKET so the OCI
runtime doesn't pass it into the container. We also advertise "ready" when the
OCI runtime finishes to advertise the service as ready.
With "container", we send the MAINPID, and leave the NOTIFY_SOCKET so the OCI
runtime passes it into the container for initialization, and let the container advertise further metadata.
This is the default, which is closest to the behavior podman has done in the past.
The "ignore" option removes NOTIFY_SOCKET from the environment, so neither podman nor
any child processes will talk to systemd.
This removes the need for hardcoded CID and PID files in the command line, and
the PIDFile directive, as the pid is advertised directly through sd-notify.
Signed-off-by: Joseph Gooch <mrwizard@dok.org>
Clarify in the help message and the man page that auto updates only work
with systemd units that are similar to the ones from `generate systemd
--new`. Units that merely start/stop a container do not work as they
will use the same image.
Fixes: #6793
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
--tz flag sets timezone inside container
Can be set to IANA timezone as well as `local` to match host machine
Signed-off-by: Ashley Cui <acui@redhat.com>
podman inspect is problematic because there can be naming clashes. Also,
it only inspects a couple of types of objects and the docs for it didn't
help discover that several more types could be inspected as well.
To address both concerns, we deprecate `podman inspect` and update the
docs to point to to the recommend alternatives.
Issue: #6756
Signed-off-by: Mark Stosberg <mark@rideamigos.com>
This makes it clear that we target compatibility with a specific
Docker version (v1.40), but do not reject other versions. It also
adds a link to documentation on the Podman-specific API.
Signed-off-by: Matthew Heon <mheon@redhat.com>
I didn't believe that this was actually legal, but it looks like
it is. And, unlike our previous understanding (host port being
empty means just use container port), empty host port actually
carries the same meaning as `--expose` + `--publish-all` (that
is, assign a random host port to the given container port). This
requires a significant rework of our port handling code to handle
this new case. I don't foresee this being commonly used, so I
optimized having a fixed port number as fast path, which this
random assignment code running after the main port handling code
only if necessary.
Fixes#6806
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
When running under systemd there is no need to create yet another
cgroup for the container.
With conmon-delegated the current cgroup will be split in two sub
cgroups:
- supervisor
- container
The supervisor cgroup will hold conmon and the podman process, while
the container cgroup is used by the OCI runtime (using the cgroupfs
backend).
Closes: https://github.com/containers/libpod/issues/6400
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
New functionality in hack/man-page-checker: start cross-
referencing the man page 'Synopsis' line against the
output of 'podman foo --help'. This is part 1, flag/option
consistency. Part 2 (arg consistency) is too big and will
have to wait for later.
flag/option consistency means: if 'podman foo --help'
includes the string '[flags]' in the Usage message,
make sure the man page includes '[*options*]' in its
Synopsis line, and vice-versa. This found several
inconsistencies, which I've fixed.
While doing this I realized that Cobra automatically
includes a 'Flags:' subsection in its --help output
for all subcommands that have defined flags. This
is great - it lets us cross-check against the
usage synopsis, and make sure that '[flags]' is
present or absent as needed, without fear of
human screwups. If a flag-less subcommand ever
gets extended with flags, but the developer forgets
to add '[flags]' and remove DisableFlagsInUseLine,
we now have a test that will catch that. (This,
too, caught two instances which I fixed).
I don't actually know if the new man-page-checker
functionality will work in CI: I vaguely recall that
it might run before 'make podman' does; and also
vaguely recall that some steps were taken to remedy
that.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Throw an error if a specified tag does not exist. Also make sure that
the user input is normalized as we already do for `podman tag`.
To prevent regressions, add a set of end-to-end and systemd tests.
Last but not least, update the docs and add bash completions.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Fix renaming bug in remote-docs.sh
Remove mentions of 'remote' in windows and mac dos
Remove podman-remote.conf.5
Signed-off-by: Ashley Cui <acui@redhat.com>
We initially believed that implementing this required support for
restarting containers after reboot, but this is not the case.
The unless-stopped restart policy acts identically to the always
restart policy except in cases related to reboot (which we do not
support yet), but it does not require that support for us to
implement it.
Changes themselves are quite simple, we need a new restart policy
constant, we need to remove existing checks that block creation
of containers when unless-stopped was used, and we need to update
the manpages.
Fixes#6508
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
When the container uses journald logging, we don't want to
automatically use the same driver for its exec sessions. If we do
we will pollute the journal (particularly in the case of
healthchecks) with large amounts of undesired logs. Instead,
force exec sessions logs to file for now; we can add a log-driver
flag later (we'll probably want to add a `podman logs` command
that reads exec session logs at the same time).
As part of this, add support for the new 'none' logs driver in
Conmon. It will be the default log driver for exec sessions, and
can be optionally selected for containers.
Great thanks to Joe Gooch (mrwizard@dok.org) for adding support
to Conmon for a null log driver, and wiring it in here.
Fixes#6555
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Add a `--replace` flag to the `pod create` command. If another pod with
the same name already exists, it will be replaced and removed.
Adding this flag is motivated by #5485 to make running Podman in systemd
units (or any other scripts/automation) more robust. In case of a
crash, a pod may not be removed by a sytemd unit anymore. The
`--replace` flag allows for supporting crashes.
Note that the `--replace` flag does not require the `--name` flag to be
set, so it can be set unconditionally in `podman generate systemd`.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add a `--replace` flag to the `container {create,run}` commands.
If another container with the same name already exists, it will
be replaced and removed.
Adding this flag is motivated by #5485 to make running Podman in systemd
units (or any other scripts/automation) more robust. In case of a
crash, a container may not be removed by a sytemd unit anymore. The
`--replace` flag allows for supporting crashes.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Create a new template for generating a pod unit file. Eventually, this
allows for treating and extending pod and container generation
seprately.
The `--new` flag now also works on pods.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add an `--infra-conmon-pidfile` flag to `podman-pod-create` to write the
infra container's conmon process ID to a specified path. Several
container sub-commands already support `--conmon-pidfile` which is
especially helpful to allow for systemd to access and track the conmon
processes. This allows for easily tracking the conmon process of a
pod's infra container.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Allow containers to join an existing pod via the `--pod-id-file` which
is already supported by a number of `podman-pod` subcommands. Also add
tests to make sure it's working and to prevent future regressions.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Support the `--pod-id-file` flag in the rm, start and stop pod commands.
This completes the already support flag in pod-create and is another
prerequisite for generating generic systemd unit files for pods.
Also add completions, docs and tests.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Unless `--since` or `--until` is specified, `podman events` will stream
new events. Clarify this behavior in the `--help` message and man page
to avoid confusion.
Fixes: #6536
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
this is step 1 to self-discovery of remote ssh connections. we add a remotesocket struct to info to detect what the socket path might be.
Co-authored-by: Jhon Honce <jhonce@redhat.com>
Signed-off-by: Brent Baude <bbaude@redhat.com>
* podman --remote ssh://<user>:<password>@<host>:<port><path>
* podman --remote ssh://<user>:<password>@<host>:<port><path> \
--identity <path> --passphrase <phrase>
* ssh-add <key>
podman --remote ssh://<user>@<host><path>
* Fix `podman help` to run even if podman missing components
* Prompt for passphrase on stdin IFF key is protected and passphrase
not given via any other configuration
* cobra flags do not support optional value flags therefore refactored
--remote to be a boolean and --url will now contain the URI to Podman
service
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Originally, we did not allow this, and the manpage reflects that.
We added support with 1.7.0, but did not update the manpage. Fix
the manpages so they are once again accurate.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This is just an alias to the `ro` option, but it's already in the
manpages (and Docker) so we might as well add support for it.
Fixes#6379
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
--container-prefix <string> - default 'container'
Systemd unit name prefix for containers
--pod-prefix <string> - default 'pod'
Systemd unit name prefix for pods
--separator <string> - default '-'
Systemd unit name seperator between name/id and prefix
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Rewrote the Home and Introduction pages.
* Created a dedicated Search page
* Rewrote the Tutorials page to have native links in RTD/Shpinx
* Added iframe to Reference page to display API reference docs inline
Signed-off-by: Scott McCarty <scott.mccarty@gmail.com>
Currently we are displaying the Seconds since EPOCH
this will change to displaying date, similar to `podman version`
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We need to be able to use cleanup processes to remove exec
sessions as part of detached exec. This PR adds that ability. A
new flag is added to `podman container cleanup`, `--exec`, to
specify an exec session to be cleaned up.
As part of this, ensure that `ExecCleanup` can clean up exec
sessions that were running, but have since exited. This ensures
that we can come back to an exec session that was running but has
since stopped, and clean it up.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Support using custom authfiles for auto updates by adding a new
`--authfile` flag and passing it down into the backend.
Also do some minor fixes in the help text and the man page.
Fixes: #6159
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
There are three different priorities for applying env variables:
1) environment/config file environment variables
2) image's config
3) user overrides (--env)
The third kind are known to the client, while the default config and image's
config is handled by the backend.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Just create a quick link to the tutorials on GitHub
so they'll show on docs.podman.io. I've not done rst
format before, so fingers crossed!
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
When reviewing the manpages for `podman run` to find options to
test, I found a few mistakes. The description of how we handle
image volumes is extremely outdated, and we now provide full
support for the `--mac-address` option. Update the docs for these
flags so they're accurate.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Eduardo Vega
Daniel J Walsh
OpenShift Merge Robot
Giuseppe Scrivano
Ashley Cui
Valentin Rothberg
Paul Holzinger
Qi Wang
Flavio Castelli
Lokesh Mandvekar
TomSweeneyRedHat
Adis Hamzić
Ed Santiago
Christian Heimes
5eraph
Matthew Heon
Erik Sjölund
Jeffrey Konowitch
Luke Mitchell
Jhon Honce
Jordan Christiansen
Sagi Shnaidman
Joseph Gooch
Mark Stosberg
Matthew Heon
Peter Oliver
Gavin Campbell
Yuan-Hao Chen
Brent Baude
Boaz Shuster
Damiano Donati
Scott McCarty
Kunal Kushwaha
Ondřej Kraus
Eduardo Minguez Perez