This is something Docker does, and we did not do until now. Most
difficult/annoying part was the REST API, where I did not really
want to modify the struct being sent, so I made the new restart
policy parameters query parameters instead.
Testing was also a bit annoying, because testing restart policy
always is.
Signed-off-by: Matt Heon <mheon@redhat.com>
The Docker endpoint here is kind of a nightmare - accepts a full
Resources block, including a large number of scary things like
devices. But it only documents (and seems to use) a small subset
of those. This implements support for that subset. We can always
extend things to implement more later if we have a need.
Signed-off-by: Matt Heon <mheon@redhat.com>
Commit 668d517af9 moved a lot of type definitions and by that also
copied a bucnh of swagger:model comments, this caused swagger to create
a incorrect yaml that can no longer be parsed by redoc due
"Self-referencing circular pointer".
The yaml basically defined the type with a name and the pointed to the
same name definition again so it caused a infinitive recursion where
redoc just throws an error but the swagger style ignored the case so it
seemed like it worked but obviously the type information was not
working.
Fixes#22351
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
First of all this removes the need for a network connection, second
renovate can update the version as it is tracked in go.mod.
However the real important part is that the binary downloads are
broken[1]. For some reason the swagger created with them does not
include all the type information for the examples. However when building
from source the same thing works fine.
[1] https://github.com/go-swagger/go-swagger/issues/2842
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This reverts commit 1b6e8d73aa.
This does not say what error this is supposed to fix. But assuming this
was about "Self-referencing circular pointer" by redoc then see the
following commit "swagger fix infinitive recursion on some types" for a
proper fix.
Our public docs.podman.io page uses redoc so this doesn't fix anything
other than a local run which is not very helpful.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
when listing images through the restful service, consumers want to know
if the image they are listing is a manifest or not because the libpod
endpoint returns both images and manifest lists.
in addition, we now add `arch` and `os` as fields in the libpod endpoint
for image listing as well.
Fixes: #22184Fixes: #22185
Signed-off-by: Brent Baude <bbaude@redhat.com>
Not sure why this only triggers now but this code was broken for a
while. It is racy as reported on the issue but because it changes the
actual map part of the network backend it means it can also alter the
behavior of the network which is very bad.
Fixes#22330
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Docker shows exposed ports as just PORT/PROTO so match that behavior. It
is not clear to me why someone needs that information in ps as "expose"
doesn't effect anything networking related.
Fixes https://issues.redhat.com/browse/RHEL-32154
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Non-Linux systems, such as BSD kernels, constrain xatter updates
according to file permissions. This is in contrast to Linux selinux
attr writes, which are governed by an selinux policy. By dafault this
policy apllows users to relabel files owned by themselves even if file
perms would otherwise disallow write.
This results in robust container relabeling results on Linux, and
fragile results everywhere else. Therefore, change the mac policy to
force the nfs_t context on all files, and ignore all relabel
events.
As a side-effect, this will disallow any ability to store custom
selinux constants on files. However, this is of limited use in
a machine context, since files in these volumes are externally
managed on systems which do not support SELinux.
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
This includes migrating from cdi.GetRegistry() to cdi.Configure() and
cdi.GetDefaultCache() as applicable.
Signed-off-by: Evan Lezar <elezar@nvidia.com>
This was added ages ago in commit c65b3599cc, however in the meantime
both podman and conmon can support longer socket paths as they use a
workaround to open the path via /proc/self/fd, see openUnixSocket() in
libpod/oci_conmon_attach_linux.go
Thus this restriction is not needed anymore and we can drop a workaround
in the tests.
Fixes#22272
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When we remove with --force we do not return a error if the input does
not exists, however if we get more than on input we must try to remove
all and not just NOP out and not remove anything just because one arg
did not exists.
Also make the code simpler for commands that do have the --ignore option
and just make --force imply --ignore which reduces the ugly error
handling.
Fixes#21529
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This is racy by design, if you walk a tree and the directory was removed
between listing and then opening we get an ENOENT error. Simply ignore
that case and do not log it.
Fixes#21782
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
There has been various issues with vfkit exiting with
"Error: vfkit exited unexpectedly with exit code 1"
Among other reasons, this can be caused by vfkit being
built without the com.apple.security.virtualization
entitlement, and this can also happen when running
vfkit.x86_64 on Apple silicon hardware.
At the moment, the vfkit logs are not available, so there is no easy way
to know what's happening. This PR redirects vfkit stdout/stderr to
podman's log when --log-level debug is used.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
creating vsocks in windows requires admin privileges. there could be
some workarounds made in the future,but the general deal has
always been, you need to be admin. lets enforce this with an error
until those work-arounds can be implemented.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Windows is not guaranteed to have the SSH feature installed, so prefer the use
of the built-in ssh client for all operations other than podman machine ssh,
which requires terminal pty logic. This restores previous behavior in 4.x.
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
Fix following issues:
- create container API handler ignores Annotations from HostConfig
- inspect container API handler does not provide Annotations as
part of HostConfig
Signed-off-by: diplane <diplane3d@gmail.com>
this pr fixes two hyperv bugs. previous podman 5 versions of hyperv
failed to actually remove the vm from hyperv when machine rm -f was
called.
also fixes an annoying bug where removal of the hyperv ignition entries
were failing because this can only be done (with the current api) when
the vm is running. new api in latest libhvee fixes this.
Signed-off-by: Brent Baude <bbaude@redhat.com>
I am really not sure why the caller even should have the option to set
this. We should always use the correct isolation type based on the
privileges the server runs under never the client. podman-remote build
seems to send the default based on its local privs which was wrong as
well. To fix this I also changed the client to send the default if the
isolation flag is not set.
Fixes#22109
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
when the "bind" option is used, do not use the "rprivate" propagation
as it would inhibit the effect of "bind", instead default to "private".
Closes: https://github.com/containers/podman/issues/22107
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Paul Holzinger
openshift-merge-bot[bot]
Giuseppe Scrivano
Matt Heon
fanqiaojun
Jhon Honce
Brent Baude
Jason T. Greene
Evan Lezar
Christophe Fergeau
diplane
Garth Bushell