Short description in man pages:
* Use imperative form
Command help (cobra.Command.Short):
* Capitalize first letter
* Use imperative form
* Remove ending full stop when the short description
only contains one sentence without any commas
Command help (cobra.Command.Long):
* Capitalize first letter unless the sentence starts
with a command "podman command ..."
* Use imperative form when the long description is
identical or almost identical to the short description.
This modification was only done in a few places.
Command tables:
* Use imperative form in the "Description" column
[NO NEW TESTS NEEDED]
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
Work around a go-md2man bug, and add a check script to make sure
this doesn't hit us again.
Background: go-md2man can't deal with a left-hand column > 31 chars.
It produces man pages that look like:
| Something With >31 Character | |
| | ..description |
(should be all on one row). It also has trouble when the vertical
bars are misaligned: it completely removes the right-hand side.
There's almost certainly a better solution: fix go-md2man, or
use a different conversion tool, or maybe even pre/postprocess.
But this is a quick interim solution.
Sorry for the perl. This could be done in bash/sed/awk/grep,
but not with any sort of sane error messages.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add a new field `ExitCodePropagation` field to allow for configuring the
newly added functionality of controlling how the main PID of a kube
service exits.
Jira: issues.redhat.com/browse/RUN-1776
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Implement means for reflecting failed containers (i.e., those having
exited non-zero) to better integrate `kube play` with systemd. The
idea is to have the main PID of `kube play` exit non-zero in a
configurable way such that systemd's restart policies can kick in.
When using the default sdnotify-notify policy, the service container
acts as the main PID to further reduce the resource footprint. In that
case, before stopping the service container, Podman will lookup the exit
codes of all non-infra containers. The service will then behave
according to the following three exit-code policies:
- `none`: exit 0 and ignore containers (default)
- `any`: exit non-zero if _any_ container did
- `all`: exit non-zero if _all_ containers did
The upper values can be passed via a hidden `kube play
--service-exit-code-propagation` flag which can be used by tests and
later on by Quadlet.
In case Podman acts as the main PID (i.e., when at least one container
runs with an sdnotify-policy other than "ignore"), Podman will continue
to wait for the service container to exit and reflect its exit code.
Note that this commit also fixes a long-standing annoyance of the
service container exiting non-zero. The underlying issue was that the
service container had been stopped with SIGKILL instead of SIGTERM and
hence exited non-zero. Fixing that was a prerequisite for the exit-code
propagation to work but also improves the integration of `kube play`
with systemd and hence Quadlet with systemd.
Jira: issues.redhat.com/browse/RUN-1776
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Make sure to look for the container's exit code when it's in stopped
state. With `--restart=always`, the container seems to stay in the
stopped state which led the wait logic to loop until the 20 seconds
timeout for the cleanup process to have finished kicks in.
Also defensively make sure to loop when the container is in stopped
state but no exit code has been written yet.
Add a regression test to make sure Podman doesn't wait more than 20
seconds. Even on a CI machine under high load I expect it to take much
much much less than that, so I do not expect this test to flake in the
future.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
the combination --pod and --userns is already blocked. Ignore the
PODMAN_USERNS variable when a pod is used, since it would cause to
create a new user namespace for the container.
Ideally a container should be able to do that, but its user namespace
must be a child of the pod user namespace, not a sibling. Since
nested user namespaces are not allowed in the OCI runtime specs,
disallow this case, since the end result is just confusing for the
user.
Closes: https://github.com/containers/podman/issues/18580
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
'make docs' has been spitting out these warnings:
WARNING: go-md2man does not handle node type HTMLSpan
Warnings suck, they cost us important time and attention.
This warning is always caused by left-angle-brackets in markdown
but they are very hard to find. I've found them and fixed them.
Warnings are now gone.
Signed-off-by: Ed Santiago <santiago@redhat.com>
When no name arg is given to Podman machine commands, Podman assumes the machine name is podman-machine-default. Document this behavior.
Signed-off-by: Ashley Cui <acui@redhat.com>
The `--network-cmd-path` CLI option only affects rootless networks using `slirp4netns(1)`, not `pasta(1)`. Following #18568 Podman should rather use the more generic `r.config.FindHelperBinary()` method (and therefore honour the `helper_binaries_dir` config) to find the path to the `slirp4netns` binary and deprecate the misleading `--network-cmd-path` CLI option. However, since this wasn't implemented yet we can't deprecate `--network-cmd-path` as of now. Adding a note anyway.
Fixes#18560
Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>
Read the entire YAML file in case of a multi-doc file
Adjust the unit test
Add a system test
Add comment in the man page
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
If there's a container defined in multiple directories use the following
precedence:
$XDG_CONFIG_HOME/containers/systemd/ or ~/.config/containers/systemd/
takes precedence over /etc/containers/systemd/users/$(UID) and this
takes precedence over /etc/containers/systemd/users/
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
I would like to allow admin to control quadlet containers
in users homedirs.
If an admin sets a quadlet in
/etc/containers/systemd/users, then all users will run these
quadlet services when they login.
If an admin places a quadlet in /etc/containers/systemd/users/$(USERNAME)
then only the USERNAME will execute this quadlet service when
they login.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add Restarts column to the podman pod ps output to show the total number
of times the containers in a pod were restarted. This is the same as the
restarts column displayed by kubernetes with kubectl get pods. This will
only be displayed when --format={{.Restarts}}.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Add Restarts column to the podman ps output to show how many times a
container was restarted based on its restart policy. This column will be
displayed when --format={{.Restarts}}.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Add --restart flag to pod create to allow users to set the
restart policy for the pod, which applies to all the containers
in the pod. This reuses the restart policy already there for
containers and has the same restart policy options.
Add "never" to the restart policy options to match k8s syntax.
It is a synonym for "no" and does the exact same thing where the
containers are not restarted once exited.
Only the containers that have exited will be restarted based on the
restart policy, running containers will not be restarted when an exited
container is restarted in the same pod (same as is done in k8s).
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Systemd supports unit files with a prefix '-' which
tells the system to check if the content exists before
using it. This would allow the QM project to specify
AddDevice=-/dev/kvm, which would add the /dev/kvm device
to the container iff it exists on the host.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Found a typo today while reading documentation.
Simple enough change :-)
Signed-off-by: Mike Eisemann <me@michaeleisemann.com>
Signed-off-by: AndroidKitKat <me@michaeleisemann.com>
system reset it says it will delete containers, images, networks, etc...
However it will also delete the graphRoot and runRoot directories.
Normally this is not an issue, however in same cases these directories
were set to the users home directory or some other important system
directory.
As first step simply show the directories that are configured and thus
will be deleted by reset. As future step we could implement some
safeguard will will not delete some known important directories however
I tried to keep it simple for now.
[NO NEW TESTS NEEDED]
see #18349 and #18295
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Highlight that existing user and system services may be overridden if
they have same name as the Quadlet file. Also point the user to
systemctl and how to list existing files.
Closes: #18275
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Wire in support for writing the digest of the pushed image to a
user-specified file. Requires some massaging of _internal_ APIs
and the extension of the push endpoint to integrate the raw manifest
(i.e., in bytes) in the stream.
Closes: #18216
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Update e2e tests not to expect the flag
System tests - explicitly set the log driver to be able to parse the output
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Commands like podman-create(1), podman-run(1), podman-inspect(1),
podman-ps(1) will emit formatted output upon success. This allows
the output from commands to be emitted directly to a file and
can supersede the --noout parameter by using /dev/null. An issue
with --noout was also remedied.
This closes issue #18120.
Signed-off-by: Ali Rizvi-Santiago <arizvisa@gmail.com>
- add information about netavark plugins
- add missing arguments to options the require an arg
- document that container dns is only supported with bridge
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Allow users to customize the network_interface option is the network
config. For bridge this allows users to change the bridge name and for
maclvan it will be the same as `--opt parent=...`.
However the main reason for this option is to allow netavark plugins to
make use of it. I demoed the host-device plugin which makes use of this
as an example. While we could let users set them via --opt it is more
natural to just use the field which is designed for that purpose.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Bump containers/(storage, common, buildah and image)
Changes since 2023-01-01:
- skip mount-cache-selinux-long-name test under remote, with
a FIXME requesting that someone see if it can be made to work.
- skip six tests that fail under rootless-remote
- add new --build-arg-file option:
- update man page
Squash of:
* cf56eb1865
* 561f082772
Signed-off-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Aditya R <arajan@redhat.com>
The `UserNS` key will replace the `RemapGid`, `RemapUid`, `RemapUidSize`
and `RemapUsers` options which are therefore marked as deprecated by
this commit.
Closes#17984
Signed-off-by: Cedric Staniewski <cedric@gmx.ca>
...mostly just test code that wasn't doing the required waits.
My first approach in the kube-play test was to add "--wait".
Bit mistake! The --wait flag, counterintuitively and counter to
documentation, actually destroys all pods+containers+everything
on exit. (Or tries -- see #17803). Since this violates POLA
and is undocumented, I include here a fix to the man page.
Despite my best intentions, I can't reasonably check every single
test for missing waits, especially in kube-play where failing
containers will get retried forever so we can't wait. We'll
just have to fix flakes as we see them.
Fixes: #17958Fixes: #18071
Signed-off-by: Ed Santiago <santiago@redhat.com>
Mention that specified credentials are only used to authenticate against
target registries (e.g., during `pull` or `build`) and are not used to
authenticat against mirrors etc.
Closes: #17185
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This commit adds an quadlet option `Tmpfs` which can be used to mount a
tmpfs in the container.
Closes#17907
Signed-off-by: Cedric Staniewski <cedric@gmx.ca>
Add the command along with the abi and tunnel support
Add e2e tests
Add man page
Add apiv2 test to ensure return codes
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
The podman kube generate command can now generate a
Deployment kind when the --ype flag is set to deployment.
By default, a Pod spec will be generated if --type flag is
not set.
Add --replicas flag to kube generate to allow users to set
the value of replicas in the generated yaml when generating a
Deployment kind.
Add e2e and minikube tests for this feature.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Fix the example for RemapGid from keep-id to keep-groups
Reflect the chnages to the support for keep-id in Containers as well
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
If the volume source starts with . resolve the path relative to the
location of the unit file
Update the test code to allow verification of regex for the value in key
value arguments
Add the usage of relative paths to the volume and mount test cases
Update the man page
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
When we searching any image at a container registry,
--cert-dir and --creds could be required
as well as push, pull, etc.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
The --stream flag is being used extensively in the tests and some blog
posts refer to it which has been causing some confusion on why the flag
was hidden. I do not see a good reason to hide it anymore, so unhide it
and add some docs.
[NO NEW TESTS NEEDED] as it's already being tested.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Currently Podman prevents SELinux container separation,
when running within a container. This PR adds a new
--security-opt label=nested
When setting this option, Podman unmasks and mountsi
/sys/fs/selinux into the containers making /sys/fs/selinux
fully exposed. Secondly Podman sets the attribute
run.oci.mount_context_type=rootcontext
This attribute tells crun to mount volumes with rootcontext=MOUNTLABEL
as opposed to context=MOUNTLABEL.
With these two settings Podman inside the container is allowed to set
its own SELinux labels on tmpfs file systems mounted into its parents
container, while still being confined by SELinux. Thus you can have
nested SELinux labeling inside of a container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
OpenShift Merge Robot
Ygal Blum
Tom Deseyn
Erik Sjölund
Ed Santiago
Valentin Rothberg
binghongtao
Abhijeet Kasurde
Daniel J Walsh
Giuseppe Scrivano
Ashley Cui
Daniel Rudolf
Petr Lautrbach
Hussam Qasem
Urvashi Mohnani
AndroidKitKat
Paul Holzinger
Jason T. Greene
arctic-alpaca
Park Jaeon
Ali Rizvi-Santiago
Sohan Kunkerkar
Aditya R
Cedric Staniewski
tomsweeneyredhat
Alex Willmer
Marek Czernek
Toshiki Sonoda
restitux