For a source file like `foo.container`, look for drop in named
`foo.container.d/*.conf` and merged them into the main file. The
dropins are applied in alphabetical order, and files in earlier
diretories override later files with same name.
This is similar to how systemd dropins work, see:
https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html
Also adds some tests for these
Signed-off-by: Alexander Larsson <alexl@redhat.com>
The default is OCI runtime specific, there is no way for Podman to
know it.
[CI:DOCS]
Closes: https://github.com/containers/podman/issues/20754
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Add support for .pod unit files with only PodmanArgs, GlobalArgs, ContainersConfModule and PodName
Add support for linking .container units with .pod ones
Add e2e and system tests
Add to man page
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Move the options for the podman build doc to a common md
that can be used by both podman build and podman farm build.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
This expands support for the (previously) boolean `Notify` directive, in
support of healthcheck determined SD-NOTIFY event emission, as
supported by Podman with the `--sdnotify=healthy` option.
Closes: #18189
Signed-off-by: Alex Palaistras <alex@deuill.org>
Add a new `no-dereference` mount option supported by crun 1.11+ to
re-create/copy a symlink if it's the source of a mount. By default the
kernel will resolve the symlink on the host and mount the target.
As reported in #20098, there are use cases where the symlink structure
must be preserved by all means.
Fixes: #20098
Fixes: issues.redhat.com/browse/RUN-1935
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This mostly just inherits the c/common/pkg/auth implementation,
except that AuthFilePath and DockerCompatAuthFilePath can not be set
simultaneously, so don't unnecessarily explicitly set AuthFilePath.
c/common already handles that.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Support UIDMap, GIDMap, SubUIDMap and SubGIDMap
If any of them are set disregard the deprecated Remap keys
Add tests and man
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Users fail to realize that they can use other systemd
options within the quadlet files, like ExecStartPre.
This change should make it clearer to the users.
https://github.com/containers/podman/discussions/20642
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
QEMU usb-host driver which is the one for passthrough, supports two
options for selecting an USB devices in the host to provide it to the
VM:
- Bus and Device number the device is plugged
- Vendor and Product information of the USB devices
https://qemu-project.gitlab.io/qemu/system/devices/usb.html
This commit allows a user to configure podman machine with either of
options, with new --usb command line option for podman machine init.
Examples
podman machine init tosovm4 --usb vendor=13d3,product=5406
podman machine init tosovm3 --usb bus=1,devnum=4 --usb bus=1,devnum=3
This commit also allows a user to change the USBs configured with
--usb command line option for podman machine set.
Note that this commit does not handle host device permissions nor
verify that the USB devices exists.
Signed-off-by: Victor Toso <victortoso@redhat.com>
The docs were rather vague about the deprecation of CNI, make it clear
that we are going to remove it with 5.0 as we decided to do that in our
planning.
Also while looking at the podman network create docs I noticed
--ipam-driver dhcp was still documented as not supported with netavark
so I fixed that as well.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Docker allows the passing of -1 to indicate the maximum limit
allowed for the current process.
Fixes: https://github.com/containers/podman/issues/19319
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This solves `--security-opt unmask=ALL` still masking the path.
[NO NEW TESTS NEEDED] Can't easily test this as we do not have
access to it in CI.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
All `[]string`s in containers.conf have now been migrated to attributed
string slices which require some adjustments in Buildah and Podman.
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add Quadlet key and disconnect relationship withr read-only
Update and add tests
Update man with new key
Remove the reference to VolatileTmpfs in the man page to reduce its
usage, since the same functionality can be achieved using the Tmpfs key
while keeping its support to maintain backward compatibility
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Users can specify BUILDAH_ISOLATION environment variable to change the
default.
Fixes: https://github.com/containers/podman/issues/20024
Currently podman play kube is defaulting to chroot, which is the least
safe version of build, we should always default to secure whenever
possible. Chroot should only be used when building within a container.
No great way to tests this.
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The network backend will ignore ports for macvlan and ipvlan networks so
they do not do anything. No warning or error is shown because containers
may be later connected to a bridge network in which case they would be
useful.
Fixes#17927
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If you change this option all the containers disappear from the default
connection and socket. Thus it is required to recreate the resources.
Sharing between root and rootless is not possible for various reasons.
Fixes#19936
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add support for adding podman level arguments before subcommand
Add specific key for Containers Conf Modules
Global arguments are added for both start and stop commands
Adjust testing environment
Add tests
Add to man page
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
As requested in containers/podman/issues/20000, add a `privileged` field
to the containers table in containers.conf. I was hesitant to add such
a field at first (for security reasons) but I understand that such a
field can come in handy when using modules - certain workloads require a
privileged container.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
As explained in #21022, there are all kinds of downsides to a machine
updating itself (via zincati) automatically, like interuption of
service, lost mounts, etc.
disabling zincati will at least allow stop these downsides. we are
likely to contemplate if podman will take over the update process
externally where interuption of services will not occur etc.
Fixes#20122
Signed-off-by: Brent Baude <bbaude@redhat.com>
Update podman load doc to mention support for loading in
compressed files. Add an example command as well.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Container ports defined with containerPort were exposed by default
even though kubernetes interprets them as mostly informative.
Closes#17028
Signed-off-by: Peter Werner <wpw.peter@gmail.com>
While doing a review of the farm man pages after they had been
submitted, I found a few references to "podman" that should have
been "Podman". I have touched those up in this commit.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Also, we don't proxy SIGURG (Golang uses it internally for waking
threads, so Go processes get it constantly (see [1] for more
details).
[1] https://github.com/golang/go/issues/37942
Signed-off-by: Matt Heon <mheon@redhat.com>
Some --filter descriptions listed the filters with asterisks,
i.e. markdown italics. There were 60+ of those, 250+ without
asterisks, so I choose to de-asterisk them all. Update the
xref script to remove the allow-asterisk exception. (Except
for the column title, which is sometimes written with two
asterisks--boldface--and sometimes plain).
Signed-off-by: Ed Santiago <santiago@redhat.com>
main
----
Use order number to order the units processing
Process .image file
Usage of .image file should not log Ambiguous Name warning
Use AmbiguousName for .volume and .image units
Quadlet
-------
Convert .image files
Add driver and Image keys to .volume files
Handle usage of .image as Image
Man Page
--------
Add comments for new keys in .volume file
Add comment about using .image files as images
Add section about .image units
Tests
-----
Add integration tests
Add system test
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Co-authored-by: Tom Sweeney <tsweeney@redhat.com>
The --module can only be parsed on the root level. It cannot work on
the command level, because it must be "manually" parsed on init() to
make sure the specified configuration files/modules are loaded prior to
parsing the flags via Cobra.
Hence move --module from the "persistent" to the "local" flags which
will yield an error instead of doing nothing when being specified on the
command level:
```
$ ./bin/podman run --module=foo.conf --rm alpine
Error: unknown flag: --module
See 'podman run --help'
```
Reported in #20000.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
For all commands with a --filter option, cross-reference
against man pages, and vice-versa.
I'm sorry. I know this script has gone off the deep end.
[NO NEW TESTS NEEDED] although actually I would like to test some broken completions
Signed-off-by: Ed Santiago <santiago@redhat.com>
QM needs to be able to specify the maximum number of open files within the QM
environment to ensure FFI.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add support for --layerLabel.
Support for --cw is only added for the local client. I am not sure how
I would wire this over remote. The current code parse the options in
the frontend which hard codes the Tmpdir field to an incorrect value if
we would json marshal this vie remote API so it would not work in real
remote cases.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
QM needs to be able to specify the maximum number of PIDs within the QM
environment to ensure FFI.
Picking a total of 10,000 Pids might be a rasonable constraint on the
QM.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
`podman init` is a debugging command for inspecting a container's
OCI spec before it runs, to look for anything suspicious. It is
not capable of supporting modifications to that spec, as it
starts Conmon and thus the OCI runtime, so the spec has already
been loaded by the time `podman init` is run.
Signed-off-by: Matt Heon <mheon@redhat.com>
kaivol
Alexander Larsson
openshift-merge-bot[bot]
Erik Sjölund
Giuseppe Scrivano
Ygal Blum
Ed Santiago
Marta
Arthur Sengileyev
Urvashi Mohnani
Alex Palaistras
Valentin Rothberg
Miloslav Trmač
Andreas Gerstmayr
Joshua Beighton
Daniel J Walsh
Victor Toso
Jan Pazdziora
Paul Holzinger
openshift-ci[bot]
Matthew Heon
Aditya R
Rahil Bhimjiani
OpenShift Merge Robot
Brent Baude
André Cirne
wpross
Peter Werner
TomSweeneyRedHat
Matt Heon
xtex
Paul Lettich
ryanhockstad
Ryan Hockstad