This mirrors how the Docker API handles things, allowing us to be
more compatible with Docker and more verbose on the Libpod API.
Stats are given as per network interface in the container, but
still aggregated for `podman stats` and `podman pod stats`
display (so the CLI does not change, only the Libpod and Compat
APIs).
Signed-off-by: Matt Heon <mheon@redhat.com>
The `--stars` option was incorrectly documented as meaning
the number of stars to filter by. This has been corrected
to indicate that it is the minimum number of stars to filter
by.
Tweaked wording of podman-search.md stars filter text
Signed-off-by: Kaniel Kirby <piratey7007@runbox.com>
Just like all the other inspect commands that accept multiple args we
should just make podman pod inspect output a json array.
This makes the code more consistent and removes the extra workaround
which was needed before to support this.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The pasta network mode has been added in podman v4.4 and this causes a
conflict with named networks that could also be called "pasta". To not
break anything we had special logic to prefer the named network over the
network mode. Now with 5.0 we can break this and remove this awkward
special handling from the code.
Containers created with 4.X that use a named network pasta will also
continue to work fine, this chnage will only effect the creation of new
containers with a named network pasta and instead always used the
network mode pasta. We now also block the creation of networks with the
name "pasta".
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We were pinned to a specific commit to ensure that tests kept
passing. Hopefully they pass now, as we need to grab latest runc
for CVE fixes.
Also grab Buildah main to fix a build issue on FreeBSD. After a
botched manual vendor, I used Ed's treadmill script and squashed
it into this commit to make Git happy. Thanks bunches Ed.
Signed-off-by: Matt Heon <mheon@redhat.com>
We now no longer write containers.conf, instead system connections and
farms are written to a new file called podman-connections.conf.
This is a major rework and I had to change a lot of things to get this
to compile again with my c/common changes.
It is a breaking change for users as connections/farms added before this
commit can now no longer be removed or modified directly. However because
the logic keeps reading from containers.conf the old connections can
still be used to connect to a remote host.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
On Mac and Windows systems the --latest option is not supported
this PR mentions this fact in the examples section of the man page.
Also added documentation and consistency to the man pages examples
sections.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
New CI validation check: all keys in quadlet.go must be
documented at least once in podman-systemd.unit.5.md.
Adding '// deprecated' next to an enum definition will
exclude said key from the documentation cross-checks.
And, because the md file lists keys in both table and block
form, make sure those all match.
And make sure everything is sorted in lexical order, in
both .go source and in man page.
And add a validation check to make sure it stays that way.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Initial impetus was #20958 (ps --format .Label abc). This is
a complicated solution to a simple-seeming problem.
The problem: .Label is a cobra *function*, something I did not
know about nor handle.
Solution: recognize cobra functions. Switch to __complete,
not __completeNoDesc, so we can see the number of arguments
required. Invent new man-page format for documenting functions.
And, finally, start enforcing how functions (and cobra structs)
are documented.
This discovered a never-used completion function, .Recycle(),
in podman-events. Remove it.
[NO NEW TESTS NEEDED] - the .go change is an excision of dead code.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Update farm build to directly push images to a registry
after all the builds are complete on all the nodes.
A manifest list is then created locally and pushed to
the registry as well.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
The quotes are interpreted as part of the value, so that, for example,
`HealthCmd="true"` is translated to the podman argument
`--health-cmd "\"true\""`.
Signed-off-by: Cedric Staniewski <cedric@gmx.ca>
Let's support --config option by setting environment variable
DOCKER_CONFIG instead of ignoring it for docker compatibility, so
it could be used to locate config.json as authentication file.
Also add a test case for this change, remove the deprecated one.
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
podman-kube-generate created from pod:
1. podman volume create mariadb_data
2. podman run --env MARIADB_ROOT_PASSWORD=x --name some-mariadb \
-v mariadb_data:/var/lib/mysql -P -d mariadb:10.11
3. + command in doc.
podman-run - using MARIADB_ROOT_PASSWORD environment variables for a
while now.
Signed-off-by: Daniel Black <daniel@mariadb.org>
Changes SSH key behavior such that there is a single persisted key for all
machines across all providers. If there is no key that is located at
`.local/share/containers/podman/machine/` then it is created. The keys are
not deleted when the last machine on the host is removed.
The main motivation for this change is it leads to fewer files created on the
host as a result of vm configuration. Having `n` machines on your system doesn't
result in `2n` machine-related files in `.ssh` on your system anymore.
As a result of ssh keys being persisted by default, the `--save-keys` flag
on `podman machine rm` will no longer be supported.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Add support for using multiple `Ulimit=` options in `.container` files.
Before, only the last `Ulimit=` option was used in the podman command.
Update podman-systemd.unit.5 docs to reflect this change.
Add `test/e2e/quadlet/ulimit.container` to e2e tests.
Signed-off-by: Paul Nettleton <k9@k9withabone.dev>
The docs have this note for the `--compress` flag
> Note: This flag can only be set with --format=docker-dir.
Yet the provided example has `--compress` with `--format=oci-dir`
Signed-off-by: gardar <gardar@users.noreply.github.com>
Began as a review of #20983, a community PR from @krumelmonster
for moving divisive-language footnotes closer to the point
where they're used. In the process, I noticed a lot of poor
markdown, mostly bad use of whitespace. Cleaned it up, added
some italic/bold/tty markdown to options, and cleaned up
some language I found confusing.
Thanks to @krumelmonster for initial PR.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Also Support for podman pod ps --format '{{ .Label label }}'
Finally fix support for --format '{{ .Podname }}'
When user specifies .Podname this implies --pod was passed.
Fixes: https://github.com/containers/podman/issues/20957
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
add a new option --preserve-fd that allows to specify a list of FDs to
pass down to the container.
It is similar to --preserve-fds but it allows to specify a list of FDs
instead of the maximum FD number to preserve.
--preserve-fd and --preserve-fds are mutually exclusive.
It requires crun since runc would complain if any fd below
--preserve-fds is not preserved.
Closes: https://github.com/containers/podman/issues/20844
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This PR closes#20585
Add Inital support for Entrypoint on quadlets
Add Bats Tests for Entrypoint
Updates the documentation with one example to use the Entrypoint option
Signed-off-by: Odilon Sousa <osousa@redhat.com>
Update the health-start-period docs to clarify what exactly
the health-start-period flag does based on whether the health
check command succeeds or fails.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
When the `Mask=` and `Unmask=` quadlet options were initially added,
they were mistakenly placed in the [Kube] section when they should be in
the [Container] section. This commit corrects the mistake and adds
example usage to the [Container] options table.
Signed-off-by: Paul Nettleton <k9@k9withabone.dev>
The option `farm` which is used to specify the farm to be used, is moved to farm build command from farm command.
closes#20752
Signed-off-by: Chetan Giradkar <cgiradka@redhat.com>
Be specific that the `-v` flag only affects RUN instructions. The
previous wording left it ambiguous, and people might have concluded that
it applied to ADD and COPY as well.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When committing containers to create new images, accept a container
config blob being passed in the body of the API request by adding a
Config field to our API structures. Populate it from the body of
requests that we receive, and use its contents as the body of requests
that we make.
Make the libpod commit endpoint split changes values at newlines, just
like the compat endpoint does.
Pass both the config blob and the "changes" slice to buildah's Commit()
API, so that it can handle cases where they overlap or conflict.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
For a source file like `foo.container`, look for drop in named
`foo.container.d/*.conf` and merged them into the main file. The
dropins are applied in alphabetical order, and files in earlier
diretories override later files with same name.
This is similar to how systemd dropins work, see:
https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html
Also adds some tests for these
Signed-off-by: Alexander Larsson <alexl@redhat.com>
The default is OCI runtime specific, there is no way for Podman to
know it.
[CI:DOCS]
Closes: https://github.com/containers/podman/issues/20754
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Add support for .pod unit files with only PodmanArgs, GlobalArgs, ContainersConfModule and PodName
Add support for linking .container units with .pod ones
Add e2e and system tests
Add to man page
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Move the options for the podman build doc to a common md
that can be used by both podman build and podman farm build.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
This expands support for the (previously) boolean `Notify` directive, in
support of healthcheck determined SD-NOTIFY event emission, as
supported by Podman with the `--sdnotify=healthy` option.
Closes: #18189
Signed-off-by: Alex Palaistras <alex@deuill.org>
Add a new `no-dereference` mount option supported by crun 1.11+ to
re-create/copy a symlink if it's the source of a mount. By default the
kernel will resolve the symlink on the host and mount the target.
As reported in #20098, there are use cases where the symlink structure
must be preserved by all means.
Fixes: #20098
Fixes: issues.redhat.com/browse/RUN-1935
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This mostly just inherits the c/common/pkg/auth implementation,
except that AuthFilePath and DockerCompatAuthFilePath can not be set
simultaneously, so don't unnecessarily explicitly set AuthFilePath.
c/common already handles that.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Support UIDMap, GIDMap, SubUIDMap and SubGIDMap
If any of them are set disregard the deprecated Remap keys
Add tests and man
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Users fail to realize that they can use other systemd
options within the quadlet files, like ExecStartPre.
This change should make it clearer to the users.
https://github.com/containers/podman/discussions/20642
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
QEMU usb-host driver which is the one for passthrough, supports two
options for selecting an USB devices in the host to provide it to the
VM:
- Bus and Device number the device is plugged
- Vendor and Product information of the USB devices
https://qemu-project.gitlab.io/qemu/system/devices/usb.html
This commit allows a user to configure podman machine with either of
options, with new --usb command line option for podman machine init.
Examples
podman machine init tosovm4 --usb vendor=13d3,product=5406
podman machine init tosovm3 --usb bus=1,devnum=4 --usb bus=1,devnum=3
This commit also allows a user to change the USBs configured with
--usb command line option for podman machine set.
Note that this commit does not handle host device permissions nor
verify that the USB devices exists.
Signed-off-by: Victor Toso <victortoso@redhat.com>
The docs were rather vague about the deprecation of CNI, make it clear
that we are going to remove it with 5.0 as we decided to do that in our
planning.
Also while looking at the podman network create docs I noticed
--ipam-driver dhcp was still documented as not supported with netavark
so I fixed that as well.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Docker allows the passing of -1 to indicate the maximum limit
allowed for the current process.
Fixes: https://github.com/containers/podman/issues/19319
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This solves `--security-opt unmask=ALL` still masking the path.
[NO NEW TESTS NEEDED] Can't easily test this as we do not have
access to it in CI.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
All `[]string`s in containers.conf have now been migrated to attributed
string slices which require some adjustments in Buildah and Podman.
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add Quadlet key and disconnect relationship withr read-only
Update and add tests
Update man with new key
Remove the reference to VolatileTmpfs in the man page to reduce its
usage, since the same functionality can be achieved using the Tmpfs key
while keeping its support to maintain backward compatibility
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Users can specify BUILDAH_ISOLATION environment variable to change the
default.
Fixes: https://github.com/containers/podman/issues/20024
Currently podman play kube is defaulting to chroot, which is the least
safe version of build, we should always default to secure whenever
possible. Chroot should only be used when building within a container.
No great way to tests this.
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The network backend will ignore ports for macvlan and ipvlan networks so
they do not do anything. No warning or error is shown because containers
may be later connected to a bridge network in which case they would be
useful.
Fixes#17927
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If you change this option all the containers disappear from the default
connection and socket. Thus it is required to recreate the resources.
Sharing between root and rootless is not possible for various reasons.
Fixes#19936
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add support for adding podman level arguments before subcommand
Add specific key for Containers Conf Modules
Global arguments are added for both start and stop commands
Adjust testing environment
Add tests
Add to man page
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
As requested in containers/podman/issues/20000, add a `privileged` field
to the containers table in containers.conf. I was hesitant to add such
a field at first (for security reasons) but I understand that such a
field can come in handy when using modules - certain workloads require a
privileged container.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
As explained in #21022, there are all kinds of downsides to a machine
updating itself (via zincati) automatically, like interuption of
service, lost mounts, etc.
disabling zincati will at least allow stop these downsides. we are
likely to contemplate if podman will take over the update process
externally where interuption of services will not occur etc.
Fixes#20122
Signed-off-by: Brent Baude <bbaude@redhat.com>
Update podman load doc to mention support for loading in
compressed files. Add an example command as well.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Container ports defined with containerPort were exposed by default
even though kubernetes interprets them as mostly informative.
Closes#17028
Signed-off-by: Peter Werner <wpw.peter@gmail.com>
While doing a review of the farm man pages after they had been
submitted, I found a few references to "podman" that should have
been "Podman". I have touched those up in this commit.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Also, we don't proxy SIGURG (Golang uses it internally for waking
threads, so Go processes get it constantly (see [1] for more
details).
[1] https://github.com/golang/go/issues/37942
Signed-off-by: Matt Heon <mheon@redhat.com>
Some --filter descriptions listed the filters with asterisks,
i.e. markdown italics. There were 60+ of those, 250+ without
asterisks, so I choose to de-asterisk them all. Update the
xref script to remove the allow-asterisk exception. (Except
for the column title, which is sometimes written with two
asterisks--boldface--and sometimes plain).
Signed-off-by: Ed Santiago <santiago@redhat.com>
main
----
Use order number to order the units processing
Process .image file
Usage of .image file should not log Ambiguous Name warning
Use AmbiguousName for .volume and .image units
Quadlet
-------
Convert .image files
Add driver and Image keys to .volume files
Handle usage of .image as Image
Man Page
--------
Add comments for new keys in .volume file
Add comment about using .image files as images
Add section about .image units
Tests
-----
Add integration tests
Add system test
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Co-authored-by: Tom Sweeney <tsweeney@redhat.com>
The --module can only be parsed on the root level. It cannot work on
the command level, because it must be "manually" parsed on init() to
make sure the specified configuration files/modules are loaded prior to
parsing the flags via Cobra.
Hence move --module from the "persistent" to the "local" flags which
will yield an error instead of doing nothing when being specified on the
command level:
```
$ ./bin/podman run --module=foo.conf --rm alpine
Error: unknown flag: --module
See 'podman run --help'
```
Reported in #20000.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
For all commands with a --filter option, cross-reference
against man pages, and vice-versa.
I'm sorry. I know this script has gone off the deep end.
[NO NEW TESTS NEEDED] although actually I would like to test some broken completions
Signed-off-by: Ed Santiago <santiago@redhat.com>
QM needs to be able to specify the maximum number of open files within the QM
environment to ensure FFI.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add support for --layerLabel.
Support for --cw is only added for the local client. I am not sure how
I would wire this over remote. The current code parse the options in
the frontend which hard codes the Tmpdir field to an incorrect value if
we would json marshal this vie remote API so it would not work in real
remote cases.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
QM needs to be able to specify the maximum number of PIDs within the QM
environment to ensure FFI.
Picking a total of 10,000 Pids might be a rasonable constraint on the
QM.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
`podman init` is a debugging command for inspecting a container's
OCI spec before it runs, to look for anything suspicious. It is
not capable of supporting modifications to that spec, as it
starts Conmon and thus the OCI runtime, so the spec has already
been loaded by the time `podman init` is run.
Signed-off-by: Matt Heon <mheon@redhat.com>
To avoid the error:
`Error: unable to read YAML as Kube Pod: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal object into Go struct field Container.spec.containers.command of type string`
Also makes it easier to understand as you only need the image parameter.
Signed-off-by: Daskan <kevin81991@web.de>
when running rootless, if the specified oom_score_adj for the
container process is lower than the current value, clamp it to the
current value and print a warning.
Closes: https://github.com/containers/podman/issues/19829
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Since we do not want the mapping to be applied to uids,
we should use the `g` flag in the mapping in the example
as well.
Follow up of #18173
Signed-off-by: Sergio Oller <sergioller@gmail.com>
Motivation
===========
This feature aims to make --uidmap and --gidmap easier to use, especially in rootless podman setups.
(I will focus here on the --gidmap option, although the same applies for --uidmap.)
In rootless podman, the user namespace mapping happens in two steps, through an intermediate mapping.
See https://docs.podman.io/en/latest/markdown/podman-run.1.html#uidmap-container-uid-from-uid-amount
for further detail, here is a summary:
First the user GID is mapped to 0 (root), and all subordinate GIDs (defined at /etc/subgid, and
usually >100000) are mapped starting at 1.
One way to customize the mapping is through the `--gidmap` option, that maps that intermediate mapping
to the final mapping that will be seen by the container.
As an example, let's say we have as main GID the group 1000, and we also belong to the additional GID 2000,
that we want to make accessible inside the container.
We first ask the sysadmin to subordinate the group to us, by adding "$user:2000:1" to /etc/subgid.
Then we need to use --gidmap to specify that we want to map GID 2000 into some GID inside the container.
And here is the first trouble:
Since the --gidmap option operates on the intermediate mapping, we first need to figure out where has
podman placed our GID 2000 in that intermediate mapping using:
podman unshare cat /proc/self/gid_map
Then, we may see that GID 2000 was mapped to intermediate GID 5. So our --gidmap option should include:
--gidmap 20000:5:1
This intermediate mapping may change in the future if further groups are subordinated to us (or we stop
having its subordination), so we are forced to verify the mapping with
`podman unshare cat /proc/self/gid_map` every time, and parse it if we want to script it.
**The first usability improvement** we agreed on #18333 is to be able to use:
--gidmap 20000:@2000:1
so podman does this lookup in the parent user namespace for us.
But this is only part of the problem. We must specify a **full** gidmap and not only what we want:
--gidmap 0:0:5 --gidmap 5:6:15000 --gidmap 20000:5:1
This is becoming complicated. We had to break the gidmap at 5, because the intermediate 5 had to
be mapped to another value (20000), and then we had to keep mapping all other subordinate ids... up to
close to the maximum number of subordinate ids that we have (or some reasonable value). This is hard
to explain to someone who does not understand how the mappings work internally.
To simplify this, **the second usability improvement** is to be able to use:
--gidmap "+20000:@2000:1"
where the plus flag (`+`) states that the given mapping should extend any previous/default mapping,
overriding any previous conflicting assignment.
Podman will set that mapping and fill the rest of mapped gids with all other subordinated gids, leading
to the same (or an equivalent) full gidmap that we were specifying before.
One final usability improvement related to this is the following:
By default, when podman gets a --gidmap argument but not a --uidmap argument, it copies the mapping.
This is convenient in many scenarios, since usually subordinated uids and gids are assigned in chunks
simultaneously, and the subordinated IDs in /etc/subuid and /etc/subgid for a given user match.
For scenarios with additional subordinated GIDs, this map copying is annoying, since it forces the user
to provide a --uidmap, to prevent the copy from being made. This means, that when the user wants:
--gidmap 0:0:5 --gidmap 5:6:15000 --gidmap 20000:5:1
The user has to include a uidmap as well:
--gidmap 0:0:5 --gidmap 5:6:15000 --gidmap 20000:5:1 --uidmap 0:0:65000
making everything even harder to understand without proper context.
For this reason, besides the "+" flag, we introduce the "u" and "g" flags. Those flags applied to a
mapping tell podman that the mapping should only apply to users or groups, and ignored otherwise.
Therefore we can use:
--gidmap "+g20000:@2000:1"
So the mapping only applies to groups and is ignored for uidmaps. If no "u" nor "g" flag is assigned
podman assumes the mapping applies to both users and groups as before, so we preserve backwards compatibility.
Co-authored-by: Tom Sweeney <tsweeney@redhat.com>
Signed-off-by: Sergio Oller <sergioller@gmail.com>
Specify that by default if only one of uidmap or gidmap is given, the other one is copied
Co-authored-by: Tom Sweeney <tsweeney@redhat.com>
Signed-off-by: Sergio Oller <sergioller@gmail.com>
Value of `--force-compression` should be already `true` is
`--compression-format` is selected otherwise let users decide.
Signed-off-by: Aditya R <arajan@redhat.com>
Add io.podman.annotations.infra.name annotation to kube play so
users can set the name of the infra container created.
When a pod is created with --infra-name set, the generated
kube yaml will have an infraName annotation set that will
be used when playing the generated yaml with podman.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Adds support for --force-compression which allows end-users to force
push blobs with the selected compresison in --compression option, in
order to make sure that blobs of other compression on registry are not
reused.
Signed-off-by: Aditya R <arajan@redhat.com>
Adds support for --force-compression which allows end-users to force
push blobs with the selected compresison in --compression option, in
order to make sure that blobs of other compression on registry are not
reused.
Is equivalent to: force-compression here: https://docs.docker.com/build/exporters/#compression
Closes: https://github.com/containers/podman/issues/18660
Signed-off-by: Aditya R <arajan@redhat.com>
Rewrite the auto-update man page. It was quite dusty and out-dated as
it was not mentioning Quadlet at all. At times it was too verbose about
internal implementation details that users shouldn't need to worry
about.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Users want to mount a tmpfs file system with secrets, and make
sure the secret is never saved into swap. They can do this either
by using a ramfs tmpfs mount or by passing `noswap` option to
a tmpfs mount.
Fixes: https://github.com/containers/podman/issues/19659
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This changes /run to /var/run for .containerenv and secrets in FreeBSD
containers for consistency with FreeBSD path conventions. Running Linux
containers on FreeBSD hosts continue to use /run for compatibility.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
Switch man page to user USERID instead of UID, since UID environment
variable is set at login, and is not allowed to be changed.
UID=foobar
bash: UID: readonly variable
Fixes: https://github.com/containers/podman/issues/19646
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Support a new concept in containers.conf called "modules". A "module"
is a containers.conf file located at a specific directory. More than
one module can be loaded in the specified order, following existing
override semantics.
There are three directories to load modules from:
- $CONFIG_HOME/containers/containers.conf.modules
- /etc/containers/containers.conf.modules
- /usr/share/containers/containers.conf.modules
With CONFIG_HOME pointing to $HOME/.config or, if set, $XDG_CONFIG_HOME.
Absolute paths will be loaded as is, relative paths will be resolved
relative to the three directories above allowing for admin configs
(/etc/) to override system configs (/usr/share/) and user configs
($CONFIG_HOME) to override admin configs.
Pulls in containers/common/pull/1599.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The git repo that was used for the example of a git build:
`podman build https://github.com/scollier/purpletest`
no longer exists. Someone reached out to @rhatdan about this
and he suggested using the Podman Hello World repo. However,
that didn't exist until a little bit ago, so I've updated
the man page with a pointer there. That should be a lot more
stable.
[NO NEW TESTS NEEDED]
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
The newly introduced `idmap` section of rootfs lacked a header
(comparable to Overlay Rootfs Mounts), had odd formatting, and
wording that differed from other instances of idmap, e.g., the
one in the --volume section. This commits addresses those issues.
Signed-off-by: Peter Whittaker <PeterWhittaker@SphyrnaSecurity.com>
Podman farm update allows users to update a farm by addig
connections, removing connections, or changing the default farm.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
The podman farm create command allows users to create
farms from the avaiable podman system connections.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Podman should ignore failures to find a cidfile when stoping the
container if the user specified --ignore
Fixes: https://github.com/containers/podman/issues/19546
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Compat api for containers/stop should take -1 value
Add support for `podman stop --time -1`
Add support for `podman restart --time -1`
Add support for `podman rm --time -1`
Add support for `podman pod stop --time -1`
Add support for `podman pod rm --time -1`
Add support for `podman volume rm --time -1`
Add support for `podman network rm --time -1`
Fixes: https://github.com/containers/podman/issues/17542
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Adds support for --add-compression which accepts multiple compression
formats and when used it will add all instances in a manifest list with
requested compression formats.
Signed-off-by: Aditya R <arajan@redhat.com>
Currently, due to sphinx smart quote features being enabled, fancy quotes are used in the commands. This means the docs are harder to use as the commands cannot be copy/pasted into a terminal.
Wrapping the code in code blocks fixes this. An alternative would be to disable smart quotes entirely, but this seems over-the-top (especially considering wrapping commands in code blocks harmonises this page with most of the other documentation)
Signed-off-by: Adam Jones <domdomegg+git@gmail.com>
Forcing users to set --rm when setting --rmi is just bad UI.
If I want the image to be removed, it implies that I want the
container removed that I am creating.
Fixes: https://github.com/containers/podman/issues/15640
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently the CIDFile is not removed with podman --remote run --rm
if the client and server are on different machines.
[NO NEW TESTS NEEDED] i
There is currently a test for this that does not fail because the client
and server are on the same machine.
If we run these tests on a MAC or Windows platform, they would start
failing.
Fixes: https://github.com/containers/podman/issues/19420
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The intention of --read-only-tmpfs=fals when in --read-only mode was to
not allow any processes inside of the container to write content
anywhere, unless the caller also specified a volume or a tmpfs. Having
/dev and /dev/shm writable breaks this assumption.
Fixes: https://github.com/containers/podman/issues/12937
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
HPC Community asked for this support specifically for using GPUs
within containers. Nvidia requires the correct shared library to
to be present in the directory that matches the device mounted
into the container. These libraries have random suffixes based
on versions of the installed libraries on the host.
podman run --mount type=glob:src=/usr/lib64/nvidia\*:ro=true. This helps
quadlets be more portable for this use case.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add a new "healthy" sdnotify policy that instructs Podman to send the
READY message once the container has turned healthy.
Fixes: #6160
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
**podman compose** is a thin wrapper around an external compose provider
such as docker-compose or podman-compose. This means that `podman
compose` is executing another tool that implements the compose
functionality but sets up the environment in a way to let the compose
provider communicate transparently with the local Podman socket. The
specified options as well the command and argument are passed directly
to the compose provider.
The default compose providers are `docker-compose` and `podman-compose`.
If installed, `docker-compose` takes precedence since it is the original
implementation of the Compose specification and is widely used on the
supported platforms (i.e., Linux, Mac OS, Windows).
If you want to change the default behavior or have a custom installation
path for your provider of choice, please change the `compose_provider`
field in `containers.conf(5)`. You may also set the
`PODMAN_COMPOSE_PROVIDER` environment variable.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Only use the word "please" in these situations:
- reader is asked to do something inconvenient
- reader is asked for permission
- reader is asked for forgiveness
Remove other uses of the word "please" to
make the language more efficient.
[NO NEW TESTS NEEDED]
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
I am working on running android auto in a quadlet.
[Container]
AddDevice=/dev/dri/renderD128
AddDevice=/dev/kvm
DropCapability=all
Environment=PULSE_SERVER=$XDG_RUNTIME_DIR/pulse/native
Environment=WAYLAND_DISPLAY=wayland-0
Environment=XDG_RUNTIME_DIR
Image=quay.io/slopezpa/qemu-aaos
ContainerName=Android
PodmanArgs=--shm-size=5g
SecurityLabelDisable=true
Volume=$XDG_RUNTIME_DIR:$XDG_RUNTIME_DIR
And I need to be able to set the --shm-size option.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
`podman system service` + TCP is not a configuration we should be
recommending. There was already language about this in the
manpages, but it was not sufficient in explaining how bad of an
idea this is. Expand the manpage warnings, add a dedicated
heading so people notice, and add a warning every time the
service starts with a TCP URL that directs people to the manpage
to see that explanation.
Signed-off-by: Matt Heon <mheon@redhat.com>
Add key for Quadlet to set WorkingDirectory to the directory of the YAML or Unit file
Add Doc
Add E2E tests
Add System test
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Adds support for `since` as a valid filter option for `podman volume ls`
and `podman volume prune`.
Implements: #19228
Initially suggested from: #19119
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Fixes a bug where `podman volume ls` with multiple `label` filters would
return volumes that matched *any* of the filters, not *all* of them.
Adapts generating volume filter functions to be more in
line with how it is done for containers and pods.
Fixes: #19219
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Adds an `--podman-only` flag to `podman generate kube` to allow for
reserved annotations to be included in the generated YAML file.
Associated with: #19102
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Fixes an error in the `podman container prune` docs that provides an
example of how to use the `--filter until=` flag/filter in an incorrect
way.
Fixes: #19119
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
When using --internal for macvlan/ipvlan networks we simply do not add a
default gateway/route. Make this clear in the docs.
Fixes#18914
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Reorder the table with --userns options to match the description below.
Also, reformat the Markdown to be better readable in source form.
Signed-off-by: Philipp Wagner <phw@ibm.com>
Adds a `--no-trunc` flag to `podman kube generate` preventing the
annotations from being trimmed at 63 characters. However, due to
the fact the annotations will not be trimmed, any annotation that is
longer than 63 characters means this YAML will no longer be Kubernetes
compatible. However, these YAML files can still be used with `podman
kube play` due to the addition of the new flag below.
Adds a `--no-trunc` flag to `podman kube play` supporting YAML files with
annotations that were not truncated to the Kubernetes maximum length of
63 characters.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
This commit extends `Volume` and `Network` unit definitions with two
additional parameters, `VolumeName` and `NetworkName`, which will,
respectively, set a user-defined name for the corresponding volume and
network. This is similar to how the `ContainerName` directive currently
works, and should allow for smoother transitions to Quadlet-managed
resources.
Closes: #19003
Signed-off-by: Alex Palaistras <alex@deuill.org>
Previous tests have worked by pure chance since the client and server
ran on the same host; the server picked up the credentials created by
the client login.
Extend the gating tests and add a new integration test which is further
capable of exercising the remote code.
Note that fixing authentication support requires adding a new
`--authfile` CLi flag to `manifest inspect`. This will at least allow
for passing an authfile to be bindings. Username and password are not
yet supported.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This ended up more complicated then expected. Lets start first with the
problem to show why I am doing this:
Currently we simply execute ps(1) in the container. This has some
drawbacks. First, obviously you need to have ps(1) in the container
image. That is no always the case especially in small images. Second,
even if you do it will often be only busybox's ps which supports far
less options.
Now we also have psgo which is used by default but that only supports a
small subset of ps(1) options. Implementing all options there is way to
much work.
Docker on the other hand executes ps(1) directly on the host and tries
to filter pids with `-q` an option which is not supported by busybox's
ps and conflicts with other ps(1) arguments. That means they fall back
to full ps(1) on the host and then filter based on the pid in the
output. This is kinda ugly and fails short because users can modify the
ps output and it may not even include the pid in the output which causes
an error.
So every solution has a different drawback, but what if we can combine
them somehow?! This commit tries exactly that.
We use ps(1) from the host and execute that in the container's pid
namespace.
There are some security concerns that must be addressed:
- mount the executable paths for ps and podman itself readonly to
prevent the container from overwriting it via /proc/self/exe.
- set NO_NEW_PRIVS, SET_DUMPABLE and PDEATHSIG
- close all non std fds to prevent leaking files in that the caller had
open
- unset all environment variables to not leak any into the contianer
Technically this could be a breaking change if somebody does not
have ps on the host and only in the container but I find that very
unlikely, we still have the exec in container fallback.
Because this can be insecure when the contianer has CAP_SYS_PTRACE we
still only use the podman exec version in that case.
This updates the docs accordingly, note that podman pod top never falls
back to executing ps in the container as this makes no sense with
multiple containers so I fixed the docs there as well.
Fixes#19001
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2215572
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Users may want to replace the secret used within containers, without
destroying the secret and recreating it.
Partial fix for https://github.com/containers/podman/issues/18667
Make sure podman --remote secret inspect and podman secret inspect
return the same error message.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The markdown-to-manpage sequence interprets
_from_uid_ and *from_uid* differently.
Use the latter syntax to get the expected result.
Fixes: https://github.com/containers/podman/issues/19171
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
Regarding "The command does not support more than one listening socket for the API service."
See this Podman source code: (a permalink into the main branch as of 2 July 2023)
539be58163/cmd/podman/system/service_abi.go (L48-L50)
Move up the paragraph "The REST API provided ...".
Move up the sentence "Note: The default systemd ...".
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
Previously podman was using "MB" and "GB" (binary) for input but
"MB" and "GB" (decimal) for output, which was causing confusion.
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
The --authfile flag has been ignored. Fix that and add a test to make
sure we won't regress another time. Requires a new --tls-verify flag
to actually test the code.
Also bump c/common since common/pull/1538 is required to correctly check
for updates. Note that I had to use the go-mod-edit-replace trick on
c/common as c/buildah would otherwise be moved back to 1.30.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2218315
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Better document which value `podman run --userns` has if no default
value is specified. Also improve documentation of "host" being an alias
for "".
Fixes#15764
Signed-off-by: Philipp Wagner <phw@ibm.com>
The markdown-to-manpage sequence needs a long row of dashes,
not a single dash. A single dash, as used in this one option,
generates unreadable *roff.
Also, some tool somewhere doesn't like too-long columns. Shrtn thm.
Also, verify that there are no more three-or-fewer-dash columns:
$ ack '\|\s+-{1,3}\s' docs/source/markdown
Fixes: #19086
Signed-off-by: Ed Santiago <santiago@redhat.com>
It is pretty complicated to display the secret on the host, but is
not really secured. This patch makes it easier to examine the secret.
Partial fix for https://github.com/containers/podman/issues/18667
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Support two new wait conditions, "healthy" and "unhealthy". This
further paves the way for integrating sdnotify with health checks which
is currently being tracked in #6160.
Fixes: #13627
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
While reading the code I found the man page to be lacking some
information that I found worth mentioning and clarifying.
In particular, how the command behaves with respect to exit codes and
when more than one condition is specified.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add support for `--imagestore` in podman which allows users to split the filesystem of containers vs image store, imagestore if configured will pull images in image storage instead of the graphRoot while keeping the other parts still in the originally configured graphRoot.
This is an implementation of
https://github.com/containers/storage/pull/1549 in podman.
Signed-off-by: Aditya R <arajan@redhat.com>
The backend allows for any start/end ip in the subnet. There is no
reason to limit the cli to only CIDR subnets. This allows for much more
flexibility.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
- [service_destinations] should be [engine.service_destinations]
- service_destinations does not read from
`/usr/share/containers/containers.conf` because podman uses config.ReadCustomConfig().
Fixes: #15615
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
This commit creates a new command `podmansh` command which can be used by
administrators to provide a confined shell to their users.
The user will only have access to the volumes and capabilities for that
user.
Co-authored-by: Paul Holzinger <pholzing@redhat.com>
Co-authored-by: Daniel Walsh <dwalsh@redhat.com>
Co-authored-by: Petr Lautrbach <lautrbach@redhat.com>
Co-authored-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Giuseppe Scrivano
Matt Heon
Piratey7007
Paul Holzinger
openshift-merge-bot[bot]
James Hurst
Colin Walters
Alexander Larsson
Ed Santiago
Urvashi Mohnani
Ygal Blum
Daniel J Walsh
Cedric Staniewski
Ming Liu
Daniel Black
Jake Correnti
Oleksandr Redko
Paul Nettleton
gardar
Odilon Sousa
Anchit Bajaj
Daniel Mendizabal
Chetan Giradkar
Nalin Dahyabhai
kaivol
Erik Sjölund
Marta
Arthur Sengileyev
Alex Palaistras
Valentin Rothberg
Miloslav Trmač
Andreas Gerstmayr
Joshua Beighton
Victor Toso
Jan Pazdziora
openshift-ci[bot]
Matthew Heon
Aditya R
Rahil Bhimjiani
OpenShift Merge Robot
Brent Baude
André Cirne
wpross
Peter Werner
TomSweeneyRedHat
xtex
Paul Lettich
ryanhockstad
Ryan Hockstad
Lokesh Mandvekar
danishprakash
Daskan
guoguangwu
Sergio Oller
Ashley Cui
Doug Rabson
Peter Whittaker
Christian Hörtnagl
Oleh Dmytrychenko
Adam Jones
Black-Hole1
Hari Kannan
iczero
Philipp Wagner
Michael Hrivnak
Anders F Björklund
Toshiki Sonoda