`podman ps --format {{.Networks}}` will show all connected networks for
this container. For `pod ps` it will show the infra container networks.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Allow to filter on the network name or full id.
For pod ps it will filter on the infra container networks.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Currently if server is not connected, we return an error message that
is confusing users on Mac and Windows boxes. The hope here is to make
it a little easier to discover that a Podman service is required.
This message is similar to what Docker puts out so people might under
stand it better.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Restore correct API endpoint payloads including reclaimed space numbers
* Include tests for API prune endpoints
* Clean up function signatures with unused parameters
* Update swagger for /networks/prune
Fixes#8891
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Due to various reasons, CI results (esp. testing tasks) are completely
ignored for builds triggered by a new tag-push. Additionally, since
many of the automation scripts are in the repo., any related
failures/flakes would require code changes (therefore a new tag).
Resolve this by skipping every testing-type task for builds triggered by
tag-push. Only retain tasks which build things intended for consumption
associated with a possible official release.
Signed-off-by: Chris Evich <cevich@redhat.com>
Follow-up to commit (1ad796677e). The build on mips is still
failing because SIGWINCH was not defined in the signal pkg.
Also stat_t.Rdev is unit32 on mips so we need to typecast.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
When I launch a container with --userns=keep-id the rootless processes
should have no caps by default even if I launch the container with
--privileged. It should only get the caps if I specify by hand the
caps I want leaked to the process.
Currently we turn off capeff and capamb, but not capinh. This patch
treats capinh the same way as capeff and capamb.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
First, use the pflag library to parse the flags. With this we can
handle all corner cases such as -td or --detach=false.
Second, preserve the root args with --new. They are used for all podman
commands in the unit file. (e.g. podman --root /tmp run alpine)
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Systemd is now complaining or mentioning /var/run as a legacy directory.
It has been many years where /var/run is a symlink to /run on all
most distributions, make the change to the default.
Partial fix for https://github.com/containers/podman/issues/8369
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
writing to the id map fails when an extent overlaps multiple mappings
in the parent user namespace:
$ cat /proc/self/uid_map
0 1000 1
1 100000 65536
$ unshare -U sleep 100 &
[1] 1029703
$ printf "0 0 100\n" | tee /proc/$!/uid_map
0 0 100
tee: /proc/1029703/uid_map: Operation not permitted
This limitation is particularly annoying when working with rootless
containers as each container runs in the rootless user namespace, so a
command like:
$ podman run --uidmap 0:0:2 --rm fedora echo hi
Error: writing file `/proc/664087/gid_map`: Operation not permitted: OCI permission denied
would fail since the specified mapping overlaps the first
mapping (where the user id is mapped to root) and the second extent
with the additional IDs available.
Detect such cases and automatically split the specified mapping with
the equivalent of:
$ podman run --uidmap 0:0:1 --uidmap 1:1:1 --rm fedora echo hi
hi
A fix has already been proposed for the kernel[1], but even if it
accepted it will take time until it is available in a released kernel,
so fix it also in pkg/rootless.
[1] https://lkml.kernel.org/lkml/20201203150252.1229077-1-gscrivan@redhat.com/
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
When migrating a container with associated volumes, the content of
these volumes should be made available on the destination machine.
This patch enables container checkpoint/restore with named volumes
by including the content of volumes in checkpoint file. On restore,
volumes associated with container are created and their content is
restored.
The --ignore-volumes option is introduced to disable this feature.
Example:
# podman container checkpoint --export checkpoint.tar.gz <container>
The content of all volumes associated with the container are included
in `checkpoint.tar.gz`
# podman container checkpoint --export checkpoint.tar.gz --ignore-volumes <container>
The content of volumes is not included in `checkpoint.tar.gz`. This is
useful, for example, when the checkpoint/restore is performed on the
same machine.
# podman container restore --import checkpoint.tar.gz
The associated volumes will be created and their content will be
restored. Podman will exit with an error if volumes with the same
name already exist on the system or the content of volumes is not
included in checkpoint.tar.gz
# podman container restore --ignore-volumes --import checkpoint.tar.gz
Volumes associated with container must already exist. Podman will not
create them or restore their content.
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
Instead of specifying restore option arguments individually from
RestoreOptions, provide the 'options' object to the CRImportCheckpoint
method. This change makes the code in CRImportCheckpoint easier to
extend as it doesn't require excessive number of function parameters.
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
Instead of individual values from ContainerCheckpointOptions,
provide the options object.
This is a preparation for the next patch where one more value
of the options object is required in exportCheckpoint().
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
When adding the HOSTNAME environment variable, only do so if it
is not already present in the spec. If it is already present, it
was likely added by the user, and we should honor their requested
value.
Fixes#8886
Signed-off-by: Matthew Heon <mheon@redhat.com>
`KillMode=none` has been deprecated in systemd and is now throwing big
warnings when being used. Users have reported the issues upstream
(see #8615) and on the mailing list.
This deprecation was mainly motivated by an abusive use of third-party
vendors causing all kinds of undesired side-effects. For instance, busy
mounts that delay reboot.
After talking to the systemd team, we came up with the following plan:
**Short term**: we can use TimeoutStopSec and remove KillMode=none which
will default to cgroup.
**Long term**: we want to change the type to sdnotify. The plumbing for
Podman is done but we need it for conmon. Once sdnotify is working, we
can get rid of the pidfile handling etc. and let Podman handle it.
Michal Seklatar came up with a nice idea that Podman increase the time
out on demand. That's a much cleaner way than hard-coding the time out
in the unit as suggest in the short-term solution.
This change is executing the short-term plan and sets a minimum timeout
of 60 seconds. User-specified timeouts are added to that.
Fixes: #8615
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Ensure that infra containers for pods will grab default sysctls
from containers.conf, to match how other containers are created.
This mostly affects the other containers in the pod, which will
inherit those sysctls when they join the pod's namespaces.
Signed-off-by: Matthew Heon <mheon@redhat.com>
The existing code grabs the base container's process, and then
modifies it for use with the exec session. This could cause
errors in `podman inspect` or similar on the container, as the
definition of its OCI spec has been changed by the exec session.
The change never propagates to the DB, so it's limited to a
single process, but we should still avoid it when possible - so
deep-copy it before use.
Signed-off-by: Matthew Heon <mheon@redhat.com>
OpenShift Merge Robot
Alexandre Fourcat
Paul Holzinger
Daniel J Walsh
Jhon Honce
Chris Evich
Giuseppe Scrivano
Radostin Stoyanov
Matthew Heon
Matthew Heon
Valentin Rothberg
dependabot-preview[bot]