The kube generate command can now generate a yaml for
the Job kind and the kube play command can create a pod
and containers with podman when passed in a Job yaml.
Add relevant tests and docs for this.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
This is a follow up to 5389eee737
to add rooltess.md information to man pages to help users
discover solutions to troubleshooting and rooless issues.
Specicifally I was surprised when binding to ports < 1024 was
not covered in podman-troubleshooting.7 man page.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Adds a note in the `podman machine info` manpage that clarifies
that `defaultmachine` in the `podman machine info` output does
not suggest that a user can set a default podman machine via
system connections.
Additionally adds a Podman 6.0 TODO comment to change the name of the
field to `ActiveMachineConnection` to better describe its purpose.
[NO NEW TESTS NEEDED]
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
We're supposed to catch duplicate man-page options in review,
but once in a while they sneak in. These are two dups that
are 100% identical, and were auto-refactored by a script
that I have. A few more options have snuck in (--dns, --usb)
but those have different text so they can't be handled by
my script. If anyone feels like refactoring those, go ahead.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Podman machine list now supports a new option, --all-providers, which lists all machines from all providers.
Signed-off-by: Ashley Cui <acui@redhat.com>
Generated at build time from troubleshooting.md. Purpose is
to ship an actual man page to end users.
Much more complicated than initial guess, because there was
a bug in my Makefile man page filtering, the sed expression
that cleans up markdown that does not translate to roff.
All I've done here is reorder some of the expressions,
stripping off https links *before* we process
podman man page links.
Signed-off-by: Ed Santiago <santiago@redhat.com>
By default wait only waits for the exit of a container, there is really
no way to make it wait for the removal too when the container was
created with --rm. I though I found a clever way in 8a943311db but this
is not working race free. While it works most of the time any other
parallel process might call syncContainer() before the cleanup process
holds the lock until it removes it. As such the wait hack to only update
the state and not sync the exit file did not work so we can drop that.
However the test wants to wait for the removal to happen by the cleanup
process and we can already say --condition=removing to do this but this
will throw an error if the ctr was removed instead of counting this as
success so fix that as well.
Fixes#23640
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Waiting now actually makes sure to exit on first container exit. Also
notice that it does not wait for --rm to have the container removed at
this point.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
In podman-systemd we are intersecting the worlds of containers
and systemd, and I had to stop and think to understand what
`Exec=` does.
I tried to clarify things more here.
I found it especially confusing because the example at the
very top of the file does:
```
Image=quay.io/fedora/fedora
Exec=sleep 10
```
But that only makes sense because the fedora base image
(being generic) doesn't define an `ENTRYPOINT`, just a `CMD`.
But IMO by far the most common usage for podman-systemd
is "app images" which conventionally should use `ENTRYPOINT`
in general. Maybe we should change the default example,
but I'm leaving that for a later followup.
(It perhaps would have been less confusing if this field
had been called `Args=` to make clear it's quite different
in practice from systemd `ExecStart=`)
Signed-off-by: Colin Walters <walters@verbum.org>
Adds a `NetworkAlias=` key to both .container and .pod quadlet files,
which translates to the `--network-alias` option to `podman run` and
`podman pod create` respectively. Can be repeated multiple times.
Signed-off-by: Félix Saparelli <felix@passcod.name>
Change the warning message at runtime to refer to the man page of podman-compose instead of "the documentation"
Add instructions in the man page on how to disable the warning emitted by podman-compose when using an external compose provider
Signed-off-by: marinmo <bugzilla@marinmo.org>
Run root e2e & system tests using composefs on rawhide.
Write magic settings to storage.conf. That part is easy.
e2e tests, however, ignore storage.conf. They require everything
to be specified on the command line. And "everything", in the
case of composefs, includes a long complicated --pull-options
string which in turn requires containers-storage PR 1966
which, as of this writing, is finally vendored into podman.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This senetence does not add any value and instead confuses users as it
suggest that the name is somhow special and related to bridge networks
which is not the case. Using either the name or id is fine as described
in the sentence before.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The driver is now hardcoded again, and there can only be
one type of mounts at a time (which one changes over time)
Revert "Make it possible to select the volume driver"
This reverts commit 6630e5cf66.
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
I found that Quadlet didn't currently have support for log options.
This merge allows Quadlet to handle log options and correctly
pass those values through to `podman run` for Container and Kube
types.
Syntactically consistent with existing parameters:
```ini
[Container]
Image=localhost/imagename
LogOpt=path=/var/log/container/mycontainer.json
LogOpt=size=10mb
```
Signed-off-by: Brett Calliss <brett@obligatory.email>
Add a `podman system check` that performs consistency checks on local
storage, optionally removing damaged items so that they can be
recreated.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
.build files allow to build an image via Quadlet. The keys from a .build
file are translated to arguments of a `podman build` command by Quadlet.
Minimal keys for .build files are `ImageTag=` and a context directory,
see `SetWorkingDirectory=`, or a `File=` pointing to a Containerfile.
After sorting .build files into the Quadlet dependency order, there
remains a possible dependency cycle issue between .volume and .build
files: A .volume can have `Image=some.build`, and a .build can have
`Volume=some.volume:/some/volume`.
We solve this dependency cycle by prefilling resourceNames with all
image names from .build files before converting all the unit files.
This results in an issue for the test suite though: For .volume's
depending on *.image or *.build, we need to copy these additional
dependencies to the test's quadletDir, otherwise the test will fail.
This is necessary, because `handleImageSource()` actually needs to know
the image name defined in the referenced *.{build,image} file. It cannot
fall back on the default names, as it is done for networks or volumes,
for example.
Signed-off-by: Johannes Maibaum <jmaibaum@gmail.com>
When an empty volume is mounted into a container, Docker will
chown that volume appropriately for use in the container. Podman
does this as well, but there are differences in the details. In
Podman, a chown is presently a one-and-done deal; in Docker, it
will continue so long as the volume remains empty. Mount into a
dozen containers, but never add content, the chown occurs every
time. The chown is also linked to copy-up; it will always occur
when a copy-up occurred, despite the volume now not being empty.
This PR changes our logic to (mostly) match Docker's.
For some reason, the chowning also stops if the volume is chowned
to root at any point. This feels like a Docker bug, but as they
say, bug for bug compatible.
In retrospect, using bools for NeedsChown and NeedsCopyUp was a
mistake. Docker isn't actually tracking this stuff; they're just
doing a copy-up and permissions change unconditionally as long as
the volume is empty. They also have the two linked as one
operation, seemingly, despite happening at very different times
during container init. Replicating that in our stateful system is
nontrivial, hence the need for the new CopiedUp field. Basically,
we never want to chown a volume with contents in it, except if
that data is a result of a copy-up that resulted from mounting
into the current container. Tracking who did the copy-up is the
easiest way to do this.
Fixes#22571
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
If a container unit starts on boot with a dependency on `default.target`
the image unit may start too soon, before network is ready. This cause
the unit to fail to pull the image.
- Add a dependency on `network-online.target` to make sure image pulls
don't fail.
See https://github.com/containers/podman/issues/21873
- Document the hardcoded dependency on `network-online.target` for images unit
and explain how it can be overriden if necessary.
- tests/e2e/quadlet: Add `assert-last-key-regex`
Required to test the `After=` override in [Unit] section
See https://github.com/containers/podman/pull/22057#issuecomment-2008959993
- quadlet/unitfile: add a prepenUnitLine method
Requirements on networks should be inserted at the top of the
section so the user can override them.
Signed-off-by: jbtrystram <jbtrystram@redhat.com>
Update the podman network docs to specify that the default rootless
networking tool has been swapped from slirp4netns to pasta.
Signed-off-by: Pranav RK <pranavrk7@gmail.com>
Effectively, this is an ability to take an image already pulled
to the system, and automatically mount it into one or more
containers defined in Kubernetes YAML accepted by `podman play`.
Requirements:
- The image must already exist in storage.
- The image must have at least 1 volume directive.
- The path given by the volume directive will be mounted from the
image into the container. For example, an image with a volume
at `/test/test_dir` will have `/test/test_dir` in the image
mounted to `/test/test_dir` in the container.
- Multiple images can be specified. If multiple images have a
volume at a specific path, the last image specified trumps.
- The images are always mounted read-only.
- Images to mount are defined in the annotation
"io.podman.annotations.kube.image.automount/$ctrname" as a
semicolon-separated list. They are mounted into a single
container in the pod, not the whole pod.
As we're using a nonstandard annotation, this is Podman only, any
Kubernetes install will just ignore this.
Underneath, this compiles down to an image volume
(`podman run --mount type=image,...`) with subpaths to specify
what bits we want to mount into the container.
Signed-off-by: Matt Heon <mheon@redhat.com>
Image volumes (the `--mount type=image,...` kind, not the
`podman volume create --driver image ...` kind - it's strange
that we have two) are needed for our automount scheme, but the
request is that we mount only specific subpaths from the image
into the container. To do that, we need image volume subpath
support. Not that difficult code-wise, mostly just plumbing.
Also, add support to the CLI; not strictly necessary, but it
doesn't hurt anything and will make testing easier.
Signed-off-by: Matt Heon <mheon@redhat.com>
This is something Docker does, and we did not do until now. Most
difficult/annoying part was the REST API, where I did not really
want to modify the struct being sent, so I made the new restart
policy parameters query parameters instead.
Testing was also a bit annoying, because testing restart policy
always is.
Signed-off-by: Matt Heon <mheon@redhat.com>
The logic here is more complex than I would like, largely due to
the behavior of `podman inspect` for running containers. When a
container is running, `podman inspect` will source as much as
possible from the OCI spec used to run that container, to grab
up-to-date information on things like devices. We don't want to
change this, it's definitely the right behavior, but it does make
updating a running container inconvenient: we have to rewrite the
OCI spec as part of the update to make sure that `podman inspect`
will read the correct resource limits.
Also, make update emit events. Docker does it, we should as well.
Signed-off-by: Matt Heon <mheon@redhat.com>
Markdown needs lists to be separate paragraphs, otherwise all the items
end up in a single line.
I also made arguments to be replaced italic to clarify that they
shouldn't be typed exactly as shown.
Signed-off-by: Baltazár Radics <baltazar.radics@gmail.com>
Docker shows exposed ports as just PORT/PROTO so match that behavior. It
is not clear to me why someone needs that information in ps as "expose"
doesn't effect anything networking related.
Fixes https://issues.redhat.com/browse/RHEL-32154
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Update kube docs stating the support of moving to and from
k8s in podman and explicitly stating that we are not replicating
the kubectl cli.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
The way `podman login` works by default is fundamentally different
from `docker login` and this causes a lot of confusion, and I
have seen multiple bad suggestions for ways to address this
such as setting `XDG_RUNTIME_DIR`.
Let's document up front how to write to the persistent path.
Signed-off-by: Colin Walters <walters@verbum.org>
Belated followup to #21981. (Looks like I started to add this
functionality back in 2020 but left it unfinished. Tsk tsk.)
docs/source/Commands.rst is unnecessary duplication. It _should_
be autogenerated, but I can't figure out how to cleanly add
that to our Make process. This PR is an interim cross-check
until we get that resolved:
- everything in podman --help must have a matching entry
in Commands.rst (top-level commands only)
- check for dups and out-of-sequence in Commands.rst
- also for anything in Commands.rst that is not in --help
Fix existing mismatches in Commands.rst.
Also, #21784 removed a format specifier that I was using in
regression tests. Switch to using something else, to get
test passing again. Given the fact the correct solution
is autogenerating Commands.rst, I choose not to add new
tests for the rst xref.
Also, executive decision, remove volume.rst. It is not referenced
from anywhere, it looks like a lonely orphan remnant from days
of yore.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Also update the website to display the correct swagger doc for the right
version, the 5.0 swagger file will not exist until we branch but I added
it anyway so we do not forget it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Based on user feedback, I think it's time to clarify that there are no
plans to remove generate-systemd. Deprecation here means that the
command will not receive new features but only urgent bug fixes.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Commit 03f6589f3 added basic support for pull-error event from libimage
but it contains several problems:
1. storing the error as error type prevents it from being unmarshalled,
thus change it to a string
2. the error was never propagated from the libimage event to the podman
event struct
3. the error message was not wired into the cli and API
This commit fixes these problems.
Fixes#21458
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
For podman machine init, deprecate the --image-path option for --image.
--image now accepts the correct image from containers.conf
Also, add the ability to specify an OCI image from the --image flag using the docker:// transport.
Signed-off-by: Ashley Cui <acui@redhat.com>
Like docker podman network inspect should output the information of
running container with their ip/mac address on this network.
However the output format is not docker compatible as this cannot
include all the info we have and the previous output was already not
compatible so this is not new.
New example output:
```
[
{
...
"containers": {
"7c0d295779cee4a6db7adc07a99e635909413a390eeab9f951edbc4aac406bf1": {
"name": "c2",
"interfaces": {
"eth0": {
"subnets": [
{
"ipnet": "10.89.0.4/24",
"gateway": "10.89.0.1"
},
{
"ipnet": "fda3:b4da:da1e:7e9d::4/64",
"gateway": "fda3:b4da:da1e:7e9d::1"
}
],
"mac_address": "1a:bd:ca:ea:4b:3a"
}
}
},
"b17c6651ae6d9cc7d5825968e01d6b1e67f44460bb0c140bcc32bd9d436ac11d": {
"name": "c1",
"interfaces": {
"eth0": {
"subnets": [
{
"ipnet": "10.89.0.3/24",
"gateway": "10.89.0.1"
},
{
"ipnet": "fda3:b4da:da1e:7e9d::3/64",
"gateway": "fda3:b4da:da1e:7e9d::1"
}
],
"mac_address": "f6:50:e6:22:d9:55"
}
}
}
}
}
]
```
Fixes#14126
Fixes https://issues.redhat.com/browse/RHEL-3153
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Urvashi Mohnani
Daniel J Walsh
openshift-merge-bot[bot]
Steve Jibson
Ben Darwin
Jake Correnti
Ed Santiago
Misaki Kasumi
Paul Holzinger
Ygal Blum
Will Refvem
Ashley Cui
Jerome Degroote
Qori El-Hafizh
Colin Walters
tomsweeneyredhat
benniekiss
Félix Saparelli
marinmo
Wanqi Li
Anders F Björklund
Brett Calliss
Brent Baude
Nalin Dahyabhai
Johannes Maibaum
Elliot Ford
Matthew Heon
jbtrystram
Pranav RK
Shion Tanaka
Jonas Berlin
Sander Maijers
Matt Heon
Morgan Bauer
Chad Dougherty
Baltazár Radics
localhost
WesselAtWork
Eric D. Helms
availhang
Valentin Rothberg
Giuseppe Scrivano