It is not quite clear what the difference between `podman machine set
--rootful` and `podman system connection default` is.
Add a small note with the difference, the --rootful option will also
affect the socket forwarding.
Fixes#13515
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Command flags (OPTIONS) in man pages have to date been in
haphazard order. Sometimes that order is sensible, e.g.,
most-important options first, but more often they're
just in arbitrary places. This makes life hard for users.
Here, I update the man-page-check Makefile script so it
checks and enforces alphabetical order in OPTIONS sections.
Then -- the hard part -- update all existing man pages to
conform to this requirement.
Signed-off-by: Ed Santiago <santiago@redhat.com>
systemd expects the container_uuid environment variable be set
when it is running in a container.
Fixes: https://github.com/containers/podman/issues/13187
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Allows users to set `--os` , `--arch` and `--variant` of the image
created from the custom import.
Following is useful when user is already aware of the values which are
correct for their generated rootfs
Signed-off-by: Aditya R <arajan@redhat.com>
The documentation files for `Containerfile` and `containerignore` have
been moved from the `buildah` repository to the `common` repository.
ref: https://github.com/containers/buildah/commit/488e8654ea
Signed-off-by: John Kristensen <john@jerrykan.com>
Add an `--ignore` flag to `podman image rm` to instruct ignoring image
if a specified image does not exist and to not throw an error. Other
commands (e.g., `podman container rm`) already support this flag.
Such an `--ignore` flag can come in handy in clean-up scripcts such as
the teardown phases in the Podman tests.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The example is also improved to add the --subnet option, this option is required with netavark, else you get:
Error: macvlan driver needs at least one subnet specified, DHCP is not supported with netavark
Signed-off-by: Clayton Craft <clayton@craftyguy.net>
Allow users to add annotions in the podman play kube command.
This PR Also fixes the fact that annotations in the pod spec were
not being passed down to containers.
Fixes: https://github.com/containers/podman/issues/12968
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
If you want to remove a running machine, you can now pass the --force/-f
to podman machine rm and the machine will be stopped and removed without
confirmations.
Fixes: #13448
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
* Remove the ending text "(1)" to avoid it from being
displayed in the web tab title for a command man page
on the web. Often such a text indicates that a web
page got an update. For instance GitHub issues shows
the number of new comments that have been written
after the user's last visit.
Fixes#13438
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
This option was requested so that users could specify alternate
locations to find context directories for each image build. It
requites the --build option to be set.
Partion Fix: https://github.com/containers/podman/issues/12485
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
If you run `podman play kube` on a yaml file that only contains
configMaps, podman will fail with the error:
Error: YAML document does not contain any supported kube kind
This is not strictly true; configMaps are a supported kube kind. The
problem is that configMaps aren't a standalone entity. They have to be
used in a container somewhere, otherwise they don't do anything.
This change adds a new message in the case when there only configMaps
resources. It would be helpful if podman reported which configMaps are
unused on every invocation of kube play. However, even if that feedback
were added, this new error messages still helpfully explains the reason
that podman is not creating any resources.
[NO NEW TESTS NEEDED]
Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
Generating unit files for a pod requires the pod to be created with an
infra container (see `--infra=true`). An infra container runs across
the entire lifespan of a pod and is hence required for systemd to manage
the life cycle of the pod's main unit.
This issue came up on the mailing list.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Allow users to commit containers into a single layer.
Usage
```bash
podman container commit --squash <name>
```
Signed-off-by: Aditya R <arajan@redhat.com>
`podman play kube` tries to build images even if `--build` is set to
false so lets honor that and make `--build` , `true` by default so it
matches the original behviour.
Signed-off-by: Aditya R <arajan@redhat.com>
podman container clone takes the id of an existing continer and creates a specgen from the given container's config
recreating all proper namespaces and overriding spec options like resource limits and the container name if given in the cli options
this command utilizes the common function DefineCreateFlags meaning that we can funnel as many create options as we want
into clone over time allowing the user to clone with as much or as little of the original config as they want.
container clone takes a second argument which is a new name and a third argument which is an image name to use instead of the original container's
the current supported flags are:
--destroy (remove the original container)
--name (new ctr name)
--cpus (sets cpu period and quota)
--cpuset-cpus
--cpu-period
--cpu-rt-period
--cpu-rt-runtime
--cpu-shares
--cpuset-mems
--memory
--run
resolves#10875
Signed-off-by: cdoern <cdoern@redhat.com>
Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
Signed-off-by: cdoern <cdoern@redhat.com>
Add some docs about the different network backends. Also remove the CNI
word from network since we refer to either a netavark or CNI config.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Right now it is not possible to look at the API version for a specific
version. docs.podman.io always show the latest version from the main
branch. This is not want many users want so they now have the ability to
select a different version.
Fixes#12796
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
separated cgroupNS sharing from setting the pod as the cgroup parent,
made a new flag --share-parent which sets the pod as the cgroup parent for all
containers entering the pod
remove cgroup from the default kernel namespaces since we want the same default behavior as before which is just the cgroup parent.
resolves#12765
Signed-off-by: cdoern <cdoern@redhat.com>
Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
Signed-off-by: cdoern <cdoern@redhat.com>
podman system prune should also remove all networks. When we want to
users to migrate to the new network stack we recommend to run podman
system reset. However this did not remove networks and if there were
still networks around we would continue to use cni since this was
considered an old system.
There is one exception for the default network. It should not be removed
since this could cause other issues when it no longer exists. The
network backend detection logic ignores the default network so this is
fine.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Document the recognized `schema` types that can be used in a value
passed to the `--url` command line flag.
[CI:DOCS]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
by default slirp4netns uses the tap0 device. When slirp4netns is
used, use that device by default instead of eth0.
Closes: https://github.com/containers/podman/issues/11695
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Often users want their overlayed volumes to be `non-volatile` in nature
that means that same `upper` dir can be re-used by one or more
containers but overall of nature of volumes still have to be `overlay`
so work done is still on a overlay not on the actual volume.
Following PR adds support for more advanced options i.e custom `workdir`
and `upperdir` for overlayed volumes. So that users can re-use `workdir`
and `upperdir` across new containers as well.
Usage
```console
$ podman run -it -v myvol:/data:O,upperdir=/path/persistant/upper,workdir=/path/persistant/work alpine sh
```
Signed-off-by: Aditya R <arajan@redhat.com>
podman network create --subnet, --gateway and --ip-range can now be
specified multiple times to join the network to more than one subnet.
This is very useful if you want to use a dual stack network and assign a
fixed ipv4 and ipv6 subnet. The order of the options is important here,
the first --gateway/--ip-range will be assigned to the first subnet and
so on.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Bumps Buildah to v1.24.0 and adopts the new values for pull:
true, false, never, and always. The pull-never and pull-always options
for the build command are still usable, but they have been removed from
the man page documentation with this change.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
This commit includes:
* Handlers for generate systemd unit
with manually defined dependencies such as:
Wants=, After= and Requires=
* The new unit and e2e tests for checking generated systemd units
for container and pod with custom dependencies
* Documented descriptions for custom dependencies options
Signed-off-by: Eugene (Evgenii) Shubin <esendjer@gmail.com>
Since this option will also be used for netavark we should rename it to
something more generic. It is important that --cni-config-dir still
works otherwise we could break existing container cleanup commands.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
add a check in namespaceOptions() that ensures the user is not setting a new uid/gid map
if entering or creating a pod that has an infra container
resolves#12669
Signed-off-by: cdoern <cdoern@redhat.com>
added support for pod wide sysctls. The sysctls supported are the same as the continer run controls.
These controls are only valid if the proper namespaces are shared within the pod, otherwise only the infra ctr gets the sysctl
resolves#12747
Signed-off-by: cdoern <cdoern@redhat.com>
This option causes Podman to not only remove the specified containers
but all of the containers that depend on the specified
containers.
Fixes: https://github.com/containers/podman/issues/10360
Also ran codespell on the code
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add the --ipv6 flag to podman create/run and pod create. We support the
--network name:ip6=<ip> syntax now but for docker compat we should also
support the --ip6 flag.
Note that there is no validation if the ip is actually a v6 or v4 address
because the backend does not care either.
Fixes#7511
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Use the same type of mounts for all the machine volumes.
The default could change in the future, depending on OS.
[NO NEW TESTS NEEDED]
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
Allow using the built-in 9pfs feature of qemu,
mounting host directories into vm mountpoints.
The volumes are generic, the mounts are specific.
Wait for the machine to be "running", otherwise
the SSH function might throw an error instead.
Increase the default msize from 8 KiB to 128 KiB
[NO NEW TESTS NEEDED]
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
Added support for pod security options. These are applied to infra and passed down to the
containers as added (unless overridden).
Modified the inheritance process from infra, creating a new function Inherit() which reads the config, and marshals the compatible options into an intermediate struct `InfraInherit`
This is then unmarshaled into a container config and all of this is added to the CtrCreateOptions. Removes the need (mostly) for special additons which complicate the Container_create
code and pod creation.
resolves#12173
Signed-off-by: cdoern <cdoern@redhat.com>
Use `sort-operations-alphabetically` to sort swagger operations
alphabetically
[CI:DOCS]
[NO-NEW-TESTS-NEEDED]
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Some containers require certain user account(s) to exist within the
container when they are run. This option will allow callers to add a
bunch of passwd entries from the host to the container even if the
entries are not in the local /etc/passwd file on the host.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1935831
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Clarify the semantics of the `io.podman.annotations.seccomp` annotation
which is set when a container has been created with a custom seccomp
profile.
Fixes: #12671
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
CRIU's pre-copy migration support relies on the soft dirty page tracking
in the Linux kernel:
https://www.kernel.org/doc/Documentation/vm/soft-dirty.txt
This functionality is not implemented for all architectures and it can
also be turned off in the kernel.
CRIU can check if the combination of architecture/kernel/CRIU supports
the soft dirty page tracking and exports this feature checking
functionality in go-criu.
This commit adds an early check if the user selects pre-copy
checkpointing to error out if the system does not support it.
Signed-off-by: Adrian Reber <areber@redhat.com>
added support for a new flag --passwd which, when false prohibits podman from creating entries in
/etc/passwd and /etc/groups allowing users to modify those files in the container entrypoint
resolves#11805
Signed-off-by: cdoern <cdoern@redhat.com>
At some places the checkpoint restore man pages were using the markdown
modifier `**` inside `*..*`. This does not seem to work as intended and
results in markdown modifiers present in the final man page. Switching
to `__` inside of `*..*` seems to fix this.
Signed-off-by: Adrian Reber <areber@redhat.com>
Checkpoint a container using systemd as entrypoint will probably result
in an error as CRIU cannot handle all the resources latest systemd uses.
This updates the checkpoint man page with this information.
Signed-off-by: Adrian Reber <areber@redhat.com>
Added an option to podman machine init to declare the timezone of the
resulting machine. the default is to use the value of the host name or
else a given timezone name like America/Chicago.
Fixes: #11895
Signed-off-by: Brent Baude <bbaude@redhat.com>
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
We currently do not show --external containers when the user specifies
it, unless they also specify the --all flag. This has led to confusion.
I see no reason not to list them without the --all flag if the user
specifies the option.
Fixes: https://github.com/containers/podman/issues/12353
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Rework the --network parse logic to support multiple networks with
specific network configuration settings.
--network can now be set multiple times. For bridge network mode the
following options have been added:
- **alias=name**: Add network-scoped alias for the container.
- **ip=IPv4**: Specify a static ipv4 address for this container.
- **ip=IPv6**: Specify a static ipv6 address for this container.
- **mac=MAC**: Specify a static mac address address for this container.
- **interface_name**: Specify a name for the created network interface inside the container.
So now you can set --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99
for the default bridge network as well as for network names.
This is better than using --ip because we can set the ip per network
without any confusion which network the ip address should be assigned
to.
The --ip, --mac-address and --network-alias options are still supported
but --ip or --mac-address can only be set when only one network is set.
This limitation already existed previously.
The ability to specify a custom network interface name is new
Fixes#11534
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Network connect now supports setting a static ipv4, ipv6 and mac address
for the container network. The options are added to the cli and api.
Fixes#9883
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
- Don't pointlessly repeat the names
- Improve documentation of the formats
- Use a table, per MANPAGE_SYNTAX.md
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
rootlessNetNS.Cleanup() has an issue with how it detects if cleanup
is needed, reading the container state is not good ebough because
containers are first stopped and than cleanup will be called. So at one
time two containers could wait for cleanup but the second one will fail
because the first one triggered already the cleanup thus making rootless
netns unavailable for the second container resulting in an teardown
error. Instead of checking the container state we need to check the
netns state.
Secondly, podman unshare --rootless-netns should not do the cleanup.
This causes more issues than it is worth fixing. Users also might want
to use this to setup the namespace in a special way. If unshare also
cleans this up right away we cannot do this.
[NO NEW TESTS NEEDED]
Fixes#12459
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Replace `multi-user.target` with `default.target` across the code base.
It seems like the multi-user one is not available for (rootless) users
on F35 anymore is causing issues in all kinds of ways, for instance,
enabling the podman.service or generated systemd units.
Fixes: #12438
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add a new flag to set the start timeout for a generated systemd unit.
To make naming consistent, add a new --stop-timeout flag as well and let
the previous --time map to it.
Fixes: #11618
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add a note to the generated kube yaml if we detect a
volume is being mounted. The note lets the user know
what needs to be done to avoid permission denied error
when trying to access the volume for an unprivileged
container.
Add the same note to the man pages.
NO NEW TESTS NEEDED
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Add a note to show how to workaround the `--tz` option
being ignored in the run command.
Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1984251
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
There are at least two runtimes that support checkpoint and restore:
runc and crun. Although the checkpoints created by these are almost
compatible, it is not (yet) possible to restore a checkpoint created
with one runtime with the other runtime. To make checkpoint/restore
usage more comfortable this adds code to look into the checkpoint
archive during restore and to set the runtime to the one used during
checkpointing.
This also adds a check, if the user explicitly sets a runtime during
restore, that the runtime is also the same as used during checkpointing.
If a different runtime is selected than the one used during
checkpointing the restore will fail early.
If runc and crun will create compatible checkpoints in the future the
check can be changed to treat crun and runc as compatible
checkpoint/restore runtimes.
Signed-off-by: Adrian Reber <areber@redhat.com>
There is a problem with creating and storing the exit command when the
container was created. It only contains the options the container was
created with but NOT the options the container is started with. One
example would be a CNI network config. If I start a container once, then
change the cni config dir with `--cni-config-dir` ans start it a second
time it will start successfully. However the exit command still contains
the wrong `--cni-config-dir` because it was not updated.
To fix this we do not want to store the exit command at all. Instead we
create it every time the conmon process for the container is startet.
This guarantees us that the container cleanup process is startet with
the correct settings.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
CRIU supports checkpoint/restore of file locks. This feature is
required to checkpoint/restore containers running applications
such as MySQL.
Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
pass down the "idmap" mount option to the OCI runtime.
Needs: https://github.com/containers/crun/pull/780
Closes: https://github.com/containers/podman/issues/12154
[NO NEW TESTS NEEDED] there is no crun version yet that support the
new feature.
Test case (must run as root):
podman run --rm -v foo:/foo alpine touch /foo/bar
podman run --uidmap 0:1:1000 --rm -v foo:/foo:idmap alpine ls -l /foo
total 0
-rw-r--r-- 1 root root 0 Nov 15 14:01 bar
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Support `checkpoint --pre-checkpoint`
* Support `checkpoint --with-previous`
* Disable `restore --import-previous` for the remote client since we had
to send two files which in turn would require to tar them up and hence
be a breaking change. Podman 4.0 would be the chance and I hope we'll
find time before that to remote-restore prettier.
Note that I did not run over swagger yet to check whether all parameters
are actually documented due to time constraints.
Fixes: #12334
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Podman adds a few environment variables by default, and
currently there is no way to get rid of them from your container.
This option will allow you to specify which defaults you don't
want.
--unsetenv-all will remove all default environment variables.
Default environment variables can come from podman builtin,
containers.conf or from the container image.
Fixes: https://github.com/containers/podman/issues/11836
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit updates the man pages for checkpoint and restore to describe
the '--print-stats' parameter.
Signed-off-by: Adrian Reber <areber@redhat.com>
Fixed syntax so that podman image scp transfer works with no user specified.
This command can only be executed as root so to obtain the default user, I searched for
the SUDO_USER environmental variable. If that is not found, we error out and inform the user
to set this variable and make sure they are running as root
Signed-off-by: cdoern <cdoern@redhat.com>
Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
Add new CI check to confirm that links and references
in SEE ALSO sections are properly formatted and that
links are valid (at least in theory: we do no actual
URL fetching to test for 404).
The check is piggybacked into existing xref-helpmsgs-manpages
script. It could conceivably be more elegant to write a
separate tool for this purpose, but I don't wish to duplicate
the logic for finding and reading markdown files.
Script identified various problems, which I fix in this PR:
. missing '**' (asterisks) around some references, or '**'
in the wrong place.
. links pointing to github.com/.../tree/ instead of /blob/
(github redirects those automatically, but I like
consistency)
. a few copy-paste errors, e.g. subgid linking to subuid.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Support downloading files, for instance via
`podman load -i server.com/image.tar`. The specified URL is downloaded
in the frontend and stored as a temp file that gets passed down to the
backend.
Also vendor in c/common@main to use the new `pkg/download`.
Fixes: #11970
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Paul Holzinger
Ed Santiago
Daniel J Walsh
OpenShift Merge Robot
Aditya R
John Kristensen
Kuldar Kaasik
Valentin Rothberg
Jason T. Greene
Clayton Craft
LStandman
Brent Baude
Erik Sjölund
Xueyuan Chen
Jordan Christiansen
cdoern
Romain Geissler
Patrycja Guzik
Nalin Dahyabhai
Giuseppe Scrivano
Tsubasa Watanabe
tomsweeneyredhat
esendjer
Michael Hrivnak
Pavel Dostál
Anders F Björklund
Valentin Rothberg
Adrian Reber
Jakub Guzik
Ondra Machacek
Miloslav Trmač
Jakub Dzon
Urvashi Mohnani
Radostin Stoyanov
cdoern
José Guilherme Vanz
Yahav Itzhak