this is the first pass at implementing init containers for podman pods.
init containersare made popular by k8s as a way to run setup for pods
before the pods standard containers run.
unlike k8s, we support two styles of init containers: always and
oneshot. always means the container stays in the pod and starts
whenever a pod is started. this does not apply to pods restarting.
oneshot means the container runs onetime when the pod starts and then is
removed.
Signed-off-by: Brent Baude <bbaude@redhat.com>
s/Loaded images(s)/Loaded image(s)/
[NO TESTS NEEDED] (I think we should test the output at some point)
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The rootlessport forwarder requires a child IP to be set. This must be a
valid ip in the container network namespace. The problem is that after a
network disconnect and connect the eth0 ip changed. Therefore the
packages are dropped since the source ip does no longer exists in the
netns.
One solution is to set the child IP to 127.0.0.1, however this is a
security problem. [1]
To fix this we have to recreate the ports after network connect and
disconnect. To make this work the rootlessport process exposes a socket
where podman network connect/disconnect connect to and send to new child
IP to rootlessport. The rootlessport process will remove all ports and
recreate them with the new correct child IP.
Also bump rootlesskit to v0.14.3 to fix a race with RemovePort().
Fixes#10052
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-20199
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
added functionality for image secure copying from local to remote.
Also moved system connection add code around a bit so functions within that file
can be used by scp.
Signed-off-by: cdoern <cdoern@redhat.com>
This adds support to checkpoint containers out of pods and restore
container into pods.
It is only possible to restore a container into a pod if it has been
checkpointed out of pod. It is also not possible to restore a non pod
container into a pod.
The main reason this does not work is the PID namespace. If a non pod
container is being restored in a pod with a shared PID namespace, at
least one process in the restored container uses PID 1 which is already
in use by the infrastructure container. If someone tries to restore
container from a pod with a shared PID namespace without a shared PID
namespace it will also fail because the resulting PID namespace will not
have a PID 1.
Signed-off-by: Adrian Reber <areber@redhat.com>
Implement container to container copy. Previously data could only be
copied from/to the host.
Fixes: #7370
Co-authored-by: Mehul Arora <aroram18@mcmaster.ca>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
podman stats polled by default in a 1 sec period.
This can put quite some load on a machine if you run many containers.
The default value is now 5 seconds.
You can change this interval with a new, optional, --interval, -i cli flag.
The api request got also a interval query parameter for the same purpose.
Additionally a unused const was removed.
Api and cli will fail the request if a 0 or negative value is passed in.
Signed-off-by: Thomas Weber <towe75@googlemail.com>
This commit follows work started in #10756. Changes made in #11015
enabled cli support for volume prune --filter until. Adding e2e test
closes#10579.
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
By proxy by vendoring containers/common. Previously, a "dangling" image
was an untagged image; just a described in the Docker docs. The
definition of dangling has now been refined to an untagged image without
children to be compatible with Docker.
Further update a redundant image-prune test.
Fixes: #10998Fixes: #10832
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
compat containers/logs was missing actual usage of until query param.
This led me to implement the until param for libpod's container logs as well. Added e2e tests.
Signed-off-by: cdoern <cdoern@redhat.com>
As a conclusion of a discussion in #10861, until filter is added
by this commit to volume ls filters.
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* Write a description to outline the scope and mechanism of runlabel.
* Describe the variables/attributes that we want to be used.
* Do not describe the --optN or OPTN flags/variables since they are
already hidden flags and date back to the Atomic days.
* Update references to other man pages.
* Remove unsupported variables (e.g., SUDO_*) which caused confusion.
Fixes: #10799
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Require the network to be online in all (generated) systemd units to
make sure that containers and Podman run only after the network has been
fully configured.
Fixes: #10655
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Adds the new --infra-name command line argument allowing users to define
the name of the infra container
Issue #10794
Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com>
added support for --pid flag. User can specify ns:file, pod, private, or host.
container returns an error since you cannot point the ns of the pods infra container
to a container outside of the pod.
Signed-off-by: cdoern <cdoern@redhat.com>
Add a --dry-run flag to `podman auto-update` which will look for new
images but won't perform any pull or restart any service or container.
The "UPDATED" column will now indicate the availability of a newer image
via "pending".
```
$ podman auto-update --dry-run
UNIT CONTAINER IMAGE POLICY UPDATED
container-test.service 08fd34e533fd (test) localhost:5000/busybox registry false
```
Fixes: #9949
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The rather raw and scarce output of `podman auto-update` has been a
thorn in my eyes for a longer while. So far, Podman would only print
updated systemd units, one per line, without further formatting.
Motivated by issue #9949 which is asking for some more useful
information in combination with a dry-run feature, I sat down and
reflected which information may come in handy.
Running `podman auto-update` will now look as follows:
```
$ podman auto-update
Trying to pull [...]
UNIT CONTAINER IMAGE POLICY UPDATED
container-test.service 08fd34e533fd (test) localhost:5000/busybox registry false
```
Also refactor the spaghetti code in the backend a bit to make it easier
to digest and maintain.
For easier testing and for the sake of consistency with other commands
listing output, add a `--format` flag.
The man page will get an overhaul in a follow up commit.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When optional information such as container IDs and names in pods, the
headers are not displayed. This fix restored the headers.
Documentation of this subcommand is also updated.
Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
The hostname `host.containers.internal` is way easier to remember and should IMHO be preferred to be used, as it is:
a) easier to remember than some random IP
b) if the IP changes some time in the future the container will continue to work
And explain hostname adding in more detail
As per @mheon's suggestion.
And explain hostname adding *reason*
Also implies an suggestion for using the hostname instead.
And port change from podman-create man page to podman-run, too
Signed-off-by: rugk <rugk+git@posteo.de>
First, make podman diff accept optionally a second argument. This allows
the user to specify a second image/container to compare the first with.
If it is not set the parent layer will be used as before.
Second, podman container diff should only use containers and podman
image diff should only use images. Previously, podman container diff
would use the image when both an image and container with this name
exists.
To make this work two new parameters have been added to the api. If they
are not used the previous behaviour is used. The same applies to the
bindings.
Fixes#10649
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Clarify in the man page that podman-search is not generally realiable
way of determining the presence/existence of an image. The results of
the v1 and the v2 endpoints depend on the implementation of each
registry; the semantics are not really specified. Some registries may
not support search at all as it's not part of the OCI dist spec.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1978556
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
feat: read secret config from config file if the user hasn't entered
explicit config values
feat: allow to specify `--driver-opts opt1=val1,opt2=val2` in the secret
create command to allow overriding the default values
fix: show driver options in `podman secret inspect`
Signed-off-by: Tino Rusch <tino.rusch@gmail.com>
Added logic and handling for two new Podman pod create Flags.
--cpus specifies the total number of cores on which the pod can execute, this
is a combination of the period and quota for the CPU.
--cpuset-cpus is a string value which determines of these available cores,
how many we will truly execute on.
Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
The man pages of podman push/pull were incomplete in explaining all
supported transports. To keep things simple, explain the defaults,
refer to containers-transports(5) and give some examples.
Fixes: #10730
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Insisting on “DCO” imposes formalities, that serve self-purpose. One cannot
assume that the submitter has time or will to read texts about symbolism in
software contributions. If the system wants to see the text
nrEAUIEUAIe eanuitdnuae EAIUEAUIAIE »ℓ§444.3.72b)°»°ℓ§euaieauuae
in each commit, people will write this, or any other text, that the system wants to
see. All such text, which presence is mandated by the system, has the same value.
Signed-off-by: Дилян Палаузов <git-dpa@aegee.org>
MANPAGE_SYNTAX was edited.
The following manpages have been adapted to the MANPAGE_SYNTAX:
- podman-container-prune
- podman-container-restore
The following manpages have had little changes:
- podman-attach
- podman-auto-update
- podman-commit
- podman-completion
- podman-container-checkpoint
- podman-container-cleanup
- podman-container-exists
Signed-off-by: Alexander Richter <67486332+Procyhon@users.noreply.github.com>
The following manpages have been adapted to the MANPAGE_SYNTAX:
- podman-completion
- podman-container-checkpoint
- podman-container-cleanup
- podman-container-exists
The following manpages have had little changes:
- podman-attach
- podman-commit
- MANPAGE_SYNTAX
- Makefile
Signed-off-by: Alexander Richter <67486332+Procyhon@users.noreply.github.com>
Insisting on “DCO” imposes formalities, that serve self-purpose. One cannot
assume that the submitter has time or will to read texts about symbolism in
software contributions. If the system wants to see the text
nrEAUIEUAIe eanuitdnuae EAIUEAUIAIE »ℓ§444.3.72b)°»°ℓ§euaieauuae
in each commit, people will write this, or any other text, that the system wants to
see. All such text, which presence is mandated by the system, has the same value.
Signed-off-by: Дилян Палаузов <git-dpa@aegee.org>
crun 0.20.1 changed an error message that we relied on. Deal
with it by accepting the old and new message.
Also (unrelated): sneak in some doc fixes to get rid of
nasty go-md2man warnings that have crept into man pages.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This just reorders the options in the podman-container-checkpoint man
page alphabetically. No actual content changed.
Signed-off-by: Adrian Reber <areber@redhat.com>
Updated version for the MANPAGE_SYNTAX and adaption of the syntax for
the manpages of podman-commit, podman-attach, and podman-auto-update.
Signed-off-by: Alexander Richter <67486332+Procyhon@users.noreply.github.com>
The code for mounts.conf including the man page lives in
containers/common, so remove it from Podman to prevent
divergence among the two repositories.
Fixes: #10512
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Commit 748826fc88 fixed a bug where slow mounting of the runroot was
causing issues when the units are started at boot. The fix was to add
the container's runroot to the required mounts; the graph root has been
added as well.
Hard-coding the run- and graphroot to the required mounts, however,
breaks the portability of units generated with --now. Those units are
intended to be running on any machine as, theoreticaly, any user.
Make the mounts portable by using the `%t` macro for the run root.
Since the graphroot's location varies across root and ordinary users,
drop it from the list of required mounts. The graphroot was not causing
issues.
Fixes: #10493
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Point to containers-certs.d(5) for details on the default paths, the
lookup logic and the structure of these directories. Previously, the
man pages stated that the default path would be in `/etc/containers/...`
which is not entirely and a red herring for users (see #10116).
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Fixes: https://github.com/containers/podman/issues/10393
Currently if a user specifies a --root flag to override the location of
the container storage, we still enforce the storage-opts from
storage.conf. This causes issues with people trying to intereact with
the additional stores feature, and then forces them to use the obscure
--storage-opt="" option. I belive this should be the default and we
already do this when the user specifies the --storage-driver option.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
A conversation on the customer portal suggests that to add an extra note
about the requirement of XDG_RUNTIME_DIR to be set.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Support UID, GID, Mode options for mount type secrets. Also, change
default secret permissions to 444 so all users can read secret.
Signed-off-by: Ashley Cui <acui@redhat.com>
Fix a regression in `podman image prune` where unused images were
accidentally removed even when `--all=false`. Extend and partially
rewrite the e2e tests to make sure we're not regressing again in the
future.
Fixing the aforementioned issue revealed another issue in the default
prune filter. While prune should remove all "dangling" images (i.e.,
those without tag), it removed only "intermediate" ones; dangling images
without children. Remove the mistaken comment from the libimage
migration.
Also clarify the help message and man page.
Fixes: #10350
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Commit 800a2e2d35 introduced a way to disable the conversion of `--`into
an en dash on docs.podman.io, so the ugly workaround of escaping the
dashes is no longer necessary.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Once we settle on the wording for short-names in podman-pull, I will
add the same section to all of the podman commands that use pull.
Also ran through all man pages with a spell checker.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
In the case of generate kube the auto-update labels will be converted into kube annotations and for play kube they will be converted back to labels since that's what podman understands
Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
Env var secrets are env vars that are set inside the container but not
commited to and image. Also support reading from env var when creating a
secret.
Signed-off-by: Ashley Cui <acui@redhat.com>
Brent Baude
openshift-ci[bot]
Valentin Rothberg
Paul Holzinger
Daniel J Walsh
cdoern
OpenShift Merge Robot
Mehul Arora
Adrian Reber
Thomas Weber
Jakub Guzik
Hironori Shiina
José Guilherme Vanz
rugk
Matej Vasek
Jhon Honce
Tino Rusch
Alexander Richter
cdoern
Дилян Палаузов
Kye Shi
flouthoc
Ed Santiago
Boaz Shuster
Ashley Cui
Paul Holzinger
Eduardo Vega