Quadlet was doing some custom handling of uid/gid remapping, originating
from pre --userns=auto support, including its own user for getting subuids
which kinda conflicts with the "container" user used for that.
This drops all the old support for id remapping in favour of a new set
of keys that more directly map to the podman run options.
We have essentially 3 modes now:
```
RemapUsers=manual
RemapUid=0:10000:10
RemapUid=10:20000:10
RemapGid=0:10000:10
RemapGid=10:20000:10
```
This maps to --uidmap and --gidmap options.
```
RemapUsers=auto
```
This maps to --userns=auto. But you can additionally specify RemapUid,
RemapGid and RemapUidSize which gets applied as options to the
--userns podman option.
```
RemapUsers=keep-id
```
This maps to --userns=keep-id and only works for user units.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Attempts to fix#16419
podman generate systemd --restart-sec pod
^now generates RestartSec= both in pod service file and in container service file.
podman generate systemd --restart-sec container
^now generates RestartSec= in container service file.
Signed-off-by: Veronika Fuxova <vfuxova@redhat.com>
This is much better for the systemd case becase we pass the journal
socket fds directly to the container. This means less copying of the
logs, but it also means the journal will correctly get the peer
process id when it tries to extract things like the name of what
is logging something.
With this we correctly name the logging process rather than claim
everything comes from conmon.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This makees much more sense for typical service loads, and can
easily be reverted by `ReadOnly=no`.
Also updates and adds various tests for this.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
The notify proxy has a watcher to check whether the container has left
the running state. In that case, Podman should stop waiting for the
ready message to prevent a dead lock. Fix this watcher but adding a
loop.
Fixes the dead lock in #16076 surfacing in a timeout. The underlying
issue persists though. Also use a timer in the select statement to
prevent the goroutine from running unnecessarily long
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Truncate the container and pod ID files instead of throwing an error.
The main motivation is to prevent redundant work when starting systemd
units. Throwing an error when the file already exists is not preventing
races or file corruptions, so let's leave that to the user which in
almost all cases are generated (and tested) systemd units.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This way we don't have to use the `ExecCondition=podman volume exist`,
which saves one process start.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Reduce the number of top-level packages in ./pkg by moving quadlet
packages under ./pkg/systemd.
[NO NEW TESTS NEEDED] - no functional change.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Starting listening for the READY messages on the sdnotify proxies before
starting the Pod. Otherwise, we may be missing messages.
[NO NEW TESTS NEEDED] as it's hard to test this very narrow race.
Related to but may not be fixing #16076.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Package `io/ioutil` was deprecated in golang 1.16, preventing podman from
building under Fedora 37. Fortunately, functionality identical
replacements are provided by the packages `io` and `os`. Replace all
usage of all `io/ioutil` symbols with appropriate substitutions
according to the golang docs.
Signed-off-by: Chris Evich <cevich@redhat.com>
The read deadline may yield the READY message to be lost in space.
Instead, use a more Go-idiomatic alternative by using two goroutines;
one reading from the connection, the other watching the container.
[NO NEW TESTS NEEDED] since existing tests are exercising this
functionality already.
Fixes: #15800
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This reverts commit c20abf12c7. In the
absence of `ExecStop` step, systemd will send the stop/kill signals to
the main PID while I asummed that systemd would jump directly to an
ExecStopPost step instead.
Hence revert the commit to let Podman take care of stopping rather than
systemd.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Drop the ExecStop step to simplify the generated units a bit.
The extra ExecStopPost step was added by commit e5c3432944. If the
main PID (i.e., conmon) is killed, systemd will not execute ExecStop
(since the main PID is already down) but only execute the *Post steps.
Credits to the late Ulrich Obergfell for tracking this issue down; he is
missed.
The ExecStop step can safely be dropped since the Post step will take of
stopping (and removing) in any case.
Context: #15686
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Two PRs have been merged causing a failure in one unit test.
Fix the unit test to turn CI green again.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When creating a new pod without the `--name` flag, e.g.:
`podman pod create foobar`
it will get the name `foobar` implicitly and this will be recorded as the in the
`podCreateArgs`. Unfortunately, the implicit name only works if it appears as
the **last** argument of the startup command.
With 6e2e3a78ed we started appending the pod
security policy to the startCommand, resulting in the following `ExecStartPre=`
line:
```
/usr/bin/podman pod create --infra-conmon-pidfile %t/pod-foobar.pid --pod-id-file %t/pod-foobar.pod-id foobar --exit-policy=stop
```
This fails to launch, as the `pod create` command expects only a single
non-flag parameter, but it assumes that `exit-policy=stop` is a second and
terminates immediately instead.
This fixes https://github.com/containers/podman/issues/15592
Signed-off-by: Dan Čermák <dcermak@suse.com>
Change the dependencies from a pod unit to its associated container
units from `Requires` to `Wants` to prevent the entire pod from
transitioning to a failed state. Restart policies for individual
containers can be configured separately.
Also make sure that the pod's RunRoot is always set.
Fixes: #14546
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Emit a warning to the user when generating a unit with --new on a
container that was created with a custom --restart policy. As shown
in #15284, a custom --restart policy in that case can lead to issues
on system shutdown where systemd attempts to nuke the unit but Podman
keeps on restarting the container.
Fixes: #15284
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Podman adds an Error: to every error message. So starting an error
message with "error" ends up being reported to the user as
Error: error ...
This patch removes the stutter.
Also ioutil.ReadFile errors report the Path, so wrapping the err message
with the path causes a stutter.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add auto-update support to `podman kube play`. Auto-update policies can
be configured for:
* the entire pod via the `io.containers.autoupdate` annotation
* a specific container via the `io.containers.autoupdate/$name` annotation
To make use of rollbacks, the `io.containers.sdnotify` policy should be
set to `container` such that the workload running _inside_ the container
can send the READY message via the NOTIFY_SOCKET once ready. For
further details on auto updates and rollbacks, please refer to the
specific article [1].
Since auto updates and rollbacks bases on Podman's systemd integration,
the k8s YAML must be executed in the `podman-kube@` systemd template.
For further details on how to run k8s YAML in systemd via Podman, please
refer to the specific article [2].
An examplary k8s YAML may look as follows:
```YAML
apiVersion: v1
kind: Pod
metadata:
annotations:
io.containers.autoupdate: "local"
io.containers.autoupdate/b: "registry"
labels:
app: test
name: test_pod
spec:
containers:
- command:
- top
image: alpine
name: a
- command:
- top
image: alpine
name: b
```
[1] https://www.redhat.com/sysadmin/podman-auto-updates-rollbacks
[2] https://www.redhat.com/sysadmin/kubernetes-workloads-podman-systemd
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Integrate sd-notify policies into `kube play`. The policies can be
configured for all contianers via the `io.containers.sdnotify`
annotation or for indidivual containers via the
`io.containers.sdnotify/$name` annotation.
The `kube play` process will wait for all containers to be ready by
waiting for the individual `READY=1` messages which are received via
the `pkg/systemd/notifyproxy` proxy mechanism.
Also update the simple "container" sd-notify test as it did not fully
test the expected behavior which became obvious when adding the new
tests.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add a new package for proxying notify sockets and waiting for the
READY=1 message to appear. May subject to further changes in
future commits.
Tests make sure that it behaves properly.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
podman run/create can accept `-h <hostname>` as argument. When parsing
flags -h throws an help requested error from pflag. To prevent this
error we have to define the help flag.
Fixes#15124
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Alexander Larsson
Ygal Blum
OpenShift Merge Robot
Erik Sjölund
Veronika Fuxova
Daniel J Walsh
Valentin Rothberg
Chris Evich
Dan Čermák
Toshiki Sonoda
Paul Holzinger