Add a note about the restriction of the use of
thre back-ticks in the md files in the options directory.
If this is not done properly, it can quietly corrupt
the compliled man pages.
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Support auto updating containers running inside pods. Similar to
containers, the systemd units need to be generated via
`podman-generate-systemd --new $POD` to generate the pod's units.
Note that auto updating a container inside a pod will restart the entire
pod. Updates of multiple containers inside a pod are batched, such that
a pod is restarted at most once. That is effectively the same mechanism
for auto updating containers in a K8s YAML via the `podman-kube@`
template or via Quadlet.
Updating a single container unit without restarting the entire pod is
not possible. The reasoning behind is that pods are created with
--exit-policy=stop which will render the pod to be stopped when auto
updating the only container inside the pod. The (reverse) dependencies
between the pod and its containers unit have been carefully selected for
robustness. Changes may entail undesired side effects or backward
incompatibilities that I am not comfortable with.
Fixes: #17181
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Somehow the options/secret.md file generated corrupt md which
then generated corrupt .man files. Fix, and add a Makefile
check to prevent this from happening again.
Signed-off-by: Ed Santiago <santiago@redhat.com>
we were previously using an experimental feature in crun, but we lost
this capability once we moved to using the OCI runtime spec to specify
the volume mappings in fdcc2257df.
Add the same feature to libpod, so that we can support relative
positions for the idmaps.
Closes: https://github.com/containers/podman/issues/17517
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Podman machine os apply takes a takes a OCI image with container native ostree functionality and rebases the machine os on that image.
Currently, this requires the guest os inside the vm to use rpm-ostree.
When specifying an image, any container transport may be specified. If a
container transport is not specified, OS apply will attempt to search
the local containers-storage for the image, and if it is not found, it
will then attempt to use the Docker transport to pull from a remote
registry.
The architecture of OS apply is as follows:
podman machine os apply ssh's into the machine and calls podman machine os
apply. on the secondary call to podman machine os apply, apply
recognizes that it is inside the machine and does image operations, and
finally calls rpm-ostree rebase.
Tests are written but commented out, due to the chicken-and-egg problem.
Signed-off-by: Ashley Cui <acui@redhat.com>
Followup to #17486: stricter checks on --format.
* If a subcommand offers autocompletion for templates,
it must also offer a '--format json' option.
* If a subcommand has a --format option that DOES NOT
offer autocompletion for templates, it must be listed
in a hardcoded grandparented-in table of commands
where that's not applicable. (Mostly commands
like build, commit, save, where "format" is used
in the context of "oci/docker").
Only likely to trigger on PRs which add new subcommands,
and is intended to catch oversights.
Also, test for alphanumeric order in man page tables.
Sort all existing tables.
Signed-off-by: Ed Santiago <santiago@redhat.com>
* add tests
* add documentation for --shm-size-systemd
* add support for both pod and standalone run
Signed-off-by: danishprakash <danish.prakash@suse.com>
command tables are chock full of duplication, hence they break.
Look for inconsistencies between the displayed man page name
and the actual man page name:
| foo | [podman-foo(1)](podman-cmd-foo.1.md) | ...
^^^
Inspired by #17474.
We can't actually check the subcommand name (the plain "foo")
because there are many existing subcommands whose name does
not match the man page: rmi vs image-rm, list vs podman-ps.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Very belated successor to #14046.
I don't know why this is so important to me. Probably because we're
doing a halfhearted sloppy job of documenting, and new options get
added, and not documented, and that's just wrong.
I've given up on documenting internal structs. This iteration
has a $Format_Exceptions table defined at the top of the xref
script, enumerating a hardcoded defined set of podman commands
and fields that should remain undocumented.
This iteration also forgives completely-undocumented formats.
If podman-foo has a --format, but podman-foo.1.md does not
list *any* valid fields, the script warns but does not fail.
This at least is better than documenting a random mix of fields.
This version of the xref script is much slower: 10s vs 4. I
think we can live with that in a CI-only script.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Document the identifiers used in the journald events backend. Those can
be used to filter Podman events with journalctl and I need them to be
documented for a blog I am writing at the moment.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
- Don't order the container unit before local-fs.target as that creates
an ordering cycle that triggers other issues.
- Use the example network in the container unit
- Only use groups that exists by default for the volume
Signed-off-by: Timothée Ravier <tim@siosm.fr>
Add support for disabeling SELinux process separation in the container.
Add support for setting the process type of the container.
Add support for setting the process MCS level of the container.
Add support for setting the file type of the container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently we are shipping no data about quadlet, since the
podman-systemd.unit file is not shipped. Also want to add the
quadlet name to the description of the man page so that
man -k quadlet
will help users find the man page.
Also add a link file such that if the user types in
man quadlet
man will show the podman-systemd.unit file.
Also eliminate the subpackage podman-quadlet
Fixes: https://github.com/containers/podman/issues/17349
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
copy the current mapping into a new user namespace, and run into a
separate user namespace.
Closes: https://github.com/containers/podman/issues/17337
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
When multiple files are specified buildah considers `FROM` instruction
from the last file specified and so does `buildkit` and `docker` so lets
specify that in docs.
[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]
Similar to: https://github.com/containers/buildah/pull/4546
Signed-off-by: Aditya R <arajan@redhat.com>
issues.redhat.com/browse/RHELBU-1918 is mentioning the podman-events man
page which are lacking notes on the verbose create events added by
commit 71f92d263c.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
(podman push) and (podman manifest push) now support --sign-by-sigstore=param-file,
using the containers-sigstore-signing-params.yaml(5) file format.
That notably adds support for Fulcio and Rekor signing.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We had a number of references, mostly in docs, to the word master that
can now be changed to main. This PR does that and makes the project a
bit more inclusive.
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
The Device, Type, Copy and Options keys are now supported in
quadlet .volume files. This allows users to create filesystem
based volumes with quadlets .volume files.
Signed-off-by: Ingo Becker <ingo@orgizm.net>
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Where the terms CNI and cni are used in documentation like man pages,
readme's, and tutorials, we have begun to add deprecation notices where
applicable. In cases where netavark cannot do what CNI can, those have
been left alone.
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
Reserved annotations are used internally by Podman and would effect
nothing when run with Kubernetes so we should not be generating these
annotations.
Fixes: https://github.com/containers/podman/issues/17105
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Users need to know about this side effect.
Fixes: 5a2405ae1b ("Don't mount /dev/tty* inside privileged...")
Fixes: f4c81b0aa5 ("Only prevent VTs to be mounted inside ...")
Signed-off-by: Martin Roukala (né Peres) <martin.roukala@mupuf.org>
Move the handling of Publish key to a method
use --publish instead of -p
Use the new method for both .container and .kube files
Adjust .container tests
Add .kube tests
Update the man page
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Add a new flag --publish
Remote - Pass PublishPorts as a string array
ABI - translate the string array to Ports and merge with the ports in the spec
Add e2e tests
Add option to man doc
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
The man-page cross-reference script checks the SEE ALSO section
to confirm that all references are to existing man pages (#12258).
However, it's a little too forgiving: it allows aliases, the
short '.so' files under the 'links/' subdirectory. That means
we could link to non-default command names, and were doing so.
As of this PR, we no longer allow that. Any podman command
referenced in SEE ALSO must be the canonical command name
(and man page). Fix existing non-canonical names, and
remove the exception so we don't allow this again.
See #16848 for discussion of context.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add the new keys to the supported keys list for the Container group
Pass the list of EnvironmentFile values while maintaining the order
Quadlet e2e test framework: Add support for checking regex in Podman args
Add relevant tests
Update man
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Added the functionality for a user to update the PIDs limit for a
container.
Fixes: #16543
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Users are surprised when chowning large volumes how long it can take
to relabel of chown the entire directory tree. This PR updates the
documentation to explain this fact to the user.
Fixes: https://github.com/containers/podman/issues/16575
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
False is the assumed value, and inspect and podman generate kube are
being cluttered with a ton of annotations that indicate nothing.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Support .network file to create a systemd service that runs podman network create
Support networks with .network suffix in Container and Kube to link with Quadlet created networks
Add E2E Tests
Add man doc
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
In the recent past, I met the frequent need to wait for a container to
exist that, at the same time, may get removed (e.g., system tests in [1]).
Add an `--ignore` option to podman-wait which will ignore errors when a
specified container is missing and mark its exit code as -1. Also
remove ID fields from the WaitReport. It is actually not used by
callers and removing it makes the code simpler and faster.
Once merged, we can go over the tests and simplify them.
[1] github.com/containers/podman/pull/16852
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Also update vendor of containers/storage and image
Cleanup display of added/dropped capabilties as well
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add --ignore flag to the command line
Add a new parameter to the NetworkCreate interface in pkg/domain for CreateOptions
Add a new API Network CreateWithOptions in pkg/bindings
Remote API - Add a query parameter to set the ignore flag
Kube - use the IgnoreIfExists flag when creating the default network instead of handling the failure
Add e2e tests
Update man page for podman-network-create
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
On Mac machines security model none works, while "mapped-xattr"
causes symlinks to not work.
Update docs/source/markdown/podman-machine-init.1.md
[NO NEW TESTS NEEDED]
Related: https://github.com/containers/podman/discussions/16102
Co-authored-by: Tom Sweeney <tsweeney@redhat.com>
Signed-off-by: Sorin Sbarnea <sorin.sbarnea@gmail.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Now that the OCI runtime specs have support for idmapped mounts, let's
use them instead of relying on the custom annotation in crun.
Also add the mechanism to specify the mapping to use. Pick the same
format used by crun so it won't be a breaking change for users that
are already using it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Just like podman-remote run users should still be able to set volumes,
of course the source must be on the server machine but this is already
the case for podman machine for example.
Fixes#16694
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The remote client should be allowed to specify if the container should
be run with the proxy env vars. It will still use the proxy vars from
the server process and not the client. This makes podman-remote more
consistent with the local version and easier to use in environments
where a proxy is required.
Fixes#16520
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This changes references to `/etc/containers/storage.conf` (and similar) to
links to `containers-storage.conf(5)`, as there are alternative locations
for this file.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This just calls GC on the local storage, which will remove any leftover
directories from previous containers that are not in the podman db anymore.
This is useful primarily for transient store mode, but can also help in
the case of an unclean shutdown.
Also adds some e2e test to ensure prune --external works.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This handles the transient store options from the container/storage
configuration in the runtime/engine.
Changes are:
* Print transient store status in `podman info`
* Print transient store status in runtime debug output
* Add --transient-store argument to override config option
* Propagate config state to conmon cleanup args so the callback podman
gets the same config.
Note: This doesn't really change any behaviour yet (other than the changes
in containers/storage).
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Startup healthchecks are similar to K8S startup probes, in that
they are a separate check from the regular healthcheck that runs
before it. If the startup healthcheck fails repeatedly, the
associated container is restarted.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Add documentation on the new Netavark option, `metric`, used to
set default route preference for containers joined to multiple
networks.
[NO NEW TESTS NEEDED]
Signed-off-by: Matthew Heon <mheon@redhat.com>
Quadlet was doing some custom handling of uid/gid remapping, originating
from pre --userns=auto support, including its own user for getting subuids
which kinda conflicts with the "container" user used for that.
This drops all the old support for id remapping in favour of a new set
of keys that more directly map to the podman run options.
We have essentially 3 modes now:
```
RemapUsers=manual
RemapUid=0:10000:10
RemapUid=10:20000:10
RemapGid=0:10000:10
RemapGid=10:20000:10
```
This maps to --uidmap and --gidmap options.
```
RemapUsers=auto
```
This maps to --userns=auto. But you can additionally specify RemapUid,
RemapGid and RemapUidSize which gets applied as options to the
--userns podman option.
```
RemapUsers=keep-id
```
This maps to --userns=keep-id and only works for user units.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
1. proxy value from env `CONTAINER_PROXY`
2. proxy socks5 && socks5h is supported
3. the proxy dial timeout is 3s
Signed-off-by: shuai.yang <shuai.yang@mihoyo.com>
Since pasta is now considered a network mode using it as network name
causes a conflict. For now we will prefer the named network but in a
future major version bump we want to remove this and just use pasta(1).
The docs should reflect that this name is considered deprecated.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add quiet and no-info flags to podman machine start.
No-info suppresses helpful informational tips
Quiet suppresses machine start progress output, as well as informational
tips.
Signed-off-by: Ashley Cui <acui@redhat.com>
Up - do not fail if volume already exists, use the existing one
Down - allow the user to remove the volume by passing --force
Add tests
Update the documentation
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Conceptually equivalent to networking by means of slirp4netns(1),
with a few practical differences:
- pasta(1) forks to background once networking is configured in the
namespace and quits on its own once the namespace is deleted:
file descriptor synchronisation and PID tracking are not needed
- port forwarding is configured via command line options at start-up,
instead of an API socket: this is taken care of right away as we're
about to start pasta
- there's no need for further selection of port forwarding modes:
pasta behaves similarly to containers-rootlessport for local binds
(splice() instead of read()/write() pairs, without L2-L4
translation), and keeps the original source address for non-local
connections like slirp4netns does
- IPv6 is not an experimental feature, and enabled by default. IPv6
port forwarding is supported
- by default, addresses and routes are copied from the host, that is,
container users will see the same IP address and routes as if they
were in the init namespace context. The interface name is also
sourced from the host upstream interface with the first default
route in the routing table. This is also configurable as documented
- sandboxing and seccomp(2) policies cannot be disabled
- only rootless mode is supported.
See https://passt.top for more details about pasta.
Also add a link to the maintained build of pasta(1) manual as valid
in the man page cross-reference checks: that's where the man page
for the latest build actually is -- it's not on Github and it doesn't
match any existing pattern, so add it explicitly.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Remove the container/pod ID file along with the container/pod. It's
primarily used in the context of systemd and are not useful nor needed
once a container/pod has ceased to exist.
Fixes: #16387
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
--insecure and --verbose flags for docker compatibility
--tls-verify for syntax compatibility and allow users to inspect
manifests at remote Container Registiries without requiring tls.
Helps fix: https://github.com/containers/podman/issues/14917
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This was a horrible one. I basically went with the podman-run
version, with a few minor changes. See PR for discussion of
diff review.
podman-build is not included here, it is too different.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add the abilitiy to deploy the generated kube yaml to a
kubernetes cluster with the podman kube apply command.
Add support to directly apply containers, pods, or volumes
by passing in their names or ids to the command.
Use the kubernetes API endpoints and http requests to connect
to the cluster and deploy the various kubernetes object kinds.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Underscore is special in markdown. We usually escape them
properly, but these are a few that we missed. Found using:
$ ack '[A-Z]\\fI[A-Z]' docs/build/man
(plus one that I found by accident).
If anyone has ideas on how to add a commit check for these,
please speak up. I'm at a complete loss to automate this.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add a new annotation to allow the user to point to a local tar file
If the annotation is present, import the file's content into the volume
Add a flag to PlayKubeOptions to note remote requests
Fail when trying to import volume content in remote requests
Add the annotation to the documentation
Add an E2E test to the new annotation
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
It was a bit unclear what setting it to empty means.
Also, add to the tests verification that this works.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This just fixes the indentation which was previously breaking the
list such that the various network modes were just mixed into one large
paragraph instead of a list.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This makees much more sense for typical service loads, and can
easily be reverted by `ReadOnly=no`.
Also updates and adds various tests for this.
Signed-off-by: Alexander Larsson <alexl@redhat.com>