Use specV1.AnnotationTitle instead of hard-coding its value when we go
looking for podman-machine images.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Adds provider detection for LibKrun in `pkg/provider/platform_darwin.go`.
Changes the macOS version check to 13 instead of 11, and now uses the `semver`
package to verify current version.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Extends the `pkg/machine/provider` package to add an API which includes
provider detection based on the host operating system.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
AppleHV accepts a max 36 bytes for mount tags. Instead of using the fully qualified path for the mount tag, SHA256 the path, and truncate the shasum to 36 bytes.
Also correctly escape dashes in mounted paths.
Signed-off-by: Ashley Cui <acui@redhat.com>
Cache cleanups only happen if there is a cache miss, and we need to pull a new image
For quay.io/podman/machine-os, we remove all old images from the cache dir. This means we will delete any file that exists in the cache dir; this should be safe to do since the machine pull code should be the only thing touching this cache dir. OCI machine images will always have a different manifest, and won’t be updated with the same manifest, so if the version moves on, there isn’t a reason to keep the old version in the cache, it really doesn’t change.
For Fedora (WSL), we use the cache, so we go through the cache dir and remove any old cached images, on a cache miss. We also switch to using ~/.local/share/containers/podman/machine/wsl/cache as the cache dir rather than ~/.local/share/containers/podman/machine/wsl. Both these behaviors existed in v4.9, but are now added back into 5.x.
For generic files pulled from a URL or a non-default OCI image, we shouldn’t actually cache, so we delete the pulled file immediately after creating a machine image. This restores the behavior from v4.9.
For generic files from a local path, the original file will never be cleaned up
Unsure how to test, so:
[NO NEW TESTS NEEDED]
Signed-off-by: Ashley Cui <acui@redhat.com>
This PR adds libkrun support to podman machine. This is an experimental feature and should not be marketed yet. Before we unmark the experimental status on this function, we will need to have full CI support and a full podman point release has pased.
This work relies on the fact that vfkit and libkrun share a reasonably (if not perfectly) same API. The --log-level debug option will not show a GUI screen for boots as krun is not capable of this.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Non-Linux systems, such as BSD kernels, constrain xatter updates
according to file permissions. This is in contrast to Linux selinux
attr writes, which are governed by an selinux policy. By dafault this
policy apllows users to relabel files owned by themselves even if file
perms would otherwise disallow write.
This results in robust container relabeling results on Linux, and
fragile results everywhere else. Therefore, change the mac policy to
force the nfs_t context on all files, and ignore all relabel
events.
As a side-effect, this will disallow any ability to store custom
selinux constants on files. However, this is of limited use in
a machine context, since files in these volumes are externally
managed on systems which do not support SELinux.
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
There has been various issues with vfkit exiting with
"Error: vfkit exited unexpectedly with exit code 1"
Among other reasons, this can be caused by vfkit being
built without the com.apple.security.virtualization
entitlement, and this can also happen when running
vfkit.x86_64 on Apple silicon hardware.
At the moment, the vfkit logs are not available, so there is no easy way
to know what's happening. This PR redirects vfkit stdout/stderr to
podman's log when --log-level debug is used.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
creating vsocks in windows requires admin privileges. there could be
some workarounds made in the future,but the general deal has
always been, you need to be admin. lets enforce this with an error
until those work-arounds can be implemented.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Windows is not guaranteed to have the SSH feature installed, so prefer the use
of the built-in ssh client for all operations other than podman machine ssh,
which requires terminal pty logic. This restores previous behavior in 4.x.
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
this pr fixes two hyperv bugs. previous podman 5 versions of hyperv
failed to actually remove the vm from hyperv when machine rm -f was
called.
also fixes an annoying bug where removal of the hyperv ignition entries
were failing because this can only be done (with the current api) when
the vm is running. new api in latest libhvee fixes this.
Signed-off-by: Brent Baude <bbaude@redhat.com>
I am really not sure why the caller even should have the option to set
this. We should always use the correct isolation type based on the
privileges the server runs under never the client. podman-remote build
seems to send the default based on its local privs which was wrong as
well. To fix this I also changed the client to send the default if the
isolation flag is not set.
Fixes#22109
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We need to take another lock to prevent concurrent starts from different
machines.
I manually tested it by starting three VM in parallel with:
podman machine start & podman machine start test1 & podman machine start test2
I also added a CI test that seems to work as expected (failed with the
old binary, worked with the new)
Before this patch I was able to start more than VM, with this patch it
now only starts one of them and the other ones will fail to start with
a proper error.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This function is not used, it has been refactored in the general
starting good higher up the stack.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Currently we first read the conf and then lock, this is racy because
while we wait for the lock another process might change the state so
the only way to have the actual current state is to read the file
while holding the lock.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
- Fixes conflicts such as removal of second machine deleting a socket of a
the first machine while it's running
- Move API socket into runtime directory for consistency
- Add API and gvproxy sockets to removal list
- Cleanup related logic
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
we are having second thoughts about *requiring* a policy.json on podman
machine hosts. we are concerned that we need to work out some more use
cases to be sure we do not make choices now that limit us in the near
term future. for example, should the policy files be the same for
container images and machine images? And should one live on the host
machine and the other live in the machine?
therefore, if a policy.json *is* present in the correct location, we will use and honor it; however, if it does not, we will allow the machine image to be pulled without a policy.
Signed-off-by: Brent Baude <baude@redhat.com>
Co-authored-by: Paul Holzinger <45212748+Luap99@users.noreply.github.com>
Signed-off-by: Brent Baude <bbaude@redhat.com>
1. Added the xz decompression unit tests
2. Removed the xz implementation to use the one from c/images
3. Removed the specific macos gzip, zstd compressor and use
the generic compressor but with SparseWriter if GOOS == darwin
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
Adding the final machine endpoint as quay.io/podman/machine-os in the
Podman code. As a reminder, we decided we would set this in containers
conf once things settle down and this code would then be removed.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Move the writes into the shim level to make sure they happen while we
hold the machine lock to prevent any race conditions reading/writing the
file.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
First make sure we check that a given VM exist when holding the VM lock
for it. The check in cmd/podman/machine/init.go is a nice quick out but
not enough to ensure that 2 processes to not create the same VM at the
same time. The only way to ensure this is by holding the lock and
checking if the VM config file exists.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Neither of the SparseWriter users actually _wants_ the underlying
WriteSeeker to be closed; so, don't.
That makes it clear where the responsibility for closing the file
lies, and allows us to remove the reliance on the destinations
reliably returning ErrClosed.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Make sure we only update the machine config when we are locked.
While it doesn't make a functional differnce for cpu and memory it was a
problem for disk size. The disk size must be larger than the previous
one so we must have accurate data on the previous value.
Thus change the settings only while locked and refresh the config so we
have the current up to date values.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It is unused, and it clearly doesn't work (it closes dest
before writing anything to it).
Just drop it, it can always be re-added.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
When we set a relative path (i.e. ".") it should be resolved next to
binary so we need to get the base dir. If we join it directly like it
did before you get a path like .../podman/policy.json where podman is the
podman executable so it is not a directory and thus could not contain the
policy.json file.
ref #21964
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
While working on #21592 we figured out that the
the full VM File was loaded in memory when detecting
the file format, but only a few bytes are needed.
This commit address that.
[NO NEW TESTS NEEDED]
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
Nalin Dahyabhai
openshift-merge-bot[bot]
Gabriel Parreiras
Jake Correnti
Shion Tanaka
Ashley Cui
Brent Baude
Paul Holzinger
Giuseppe Scrivano
fanqiaojun
Jason T. Greene
Christophe Fergeau
Brent Baude
Brent Baude
Mario Loriedo
Miloslav Trmač