Replace github.com/docker/docker API imports with github.com/moby/moby
across compat handlers, swagger models, and tests to align with upstream
type definitions.
Fixes: #27536.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
For remote operation, start the remote service with --tls-details:
using --tls-details on the client side will only affect client's
connection.
This should eventually include many more tests - track down all current
uses of libpod.Runtime.{SystemContext,imageContext,LibimageRuntime}.
That will come later
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
There is exactly one caller, with two code paths, and each only
needs _half_ of the function - and they really only share the
parentFlags and Quiet logic. It's easier to do things
directly.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
When we have the _precise_ knowledge of where the parameter boundaries
are, and an API that allows us to express that, just _do that_ instead
of completely unnecessarily worrying about spaces in parameter values.
Also, this allows us to format the code to make the option and value
correspondence much easier to see.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... to centralize the conversion from entities.PodmanConfig
to bindings.Options, we will add more code there.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This way, the CLI can still call pkg/domain/infra, without needing
a "remote || linux || freebsd" build tag.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Require (linux || freebsd), because the code already does that, in practice.
This just means macOS users of IDEs aren't hit with thousands of compilation
errors (and then the IDE can open an Linux-specific file and then process it
under the Linux assumption, which works much better).
This commit contains the parts that differ somehow.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Require (linux || freebsd), because the code already does that, in practice.
This just means macOS users of IDEs aren't hit with thousands of compilation
errors (and then the IDE can open an Linux-specific file and then process it
under the Linux assumption, which works much better).
This commit ONLY replaces
//go:build !remote
with
//go:build !remote && (linux || freebsd)
and is split from the rest to allow mechanically verifying that fact,
and focusing a review on the other kinds of changes.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
As I outlined in the design docs this is broken, there are several
data races here because we write to the config files that can be read by
other goroutines in parallel which violates the go memory model and
thus can lead to runtime panics and undefined behavior.
One could fix with a mutex but that would make the whole code base much
more ugly and there is still the risk that something would access this
field without the mutex held.
I am not sure we have any users using this, it never worked for the
storage side and since the service is a not a daemon any user could just
stop and start it again to re-read the files without having to stop
running containers.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When we already know the resulting slice size but still need/want to use
append, it makes sense to preallocate the slice by using make with the
capacity argument.
This commit is part of series fixing issues reported by prealloc linter
from golangci-lint v2.8.0.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Remove runtime configuration options for CNI network backend:
Runtime options:
- Remove WithNetworkBackend() runtime option function
- Function allowed setting network backend programmatically
Flag handling:
- Remove --network-backend flag change detection
- Remove call to WithNetworkBackend() when flag changed
- Remove TODO comment about CNI plugins directory flag
The network backend configuration is now handled entirely by the
vendored common/libnetwork code, which will default to Netavark.
There is no longer any way to configure CNI as the network backend
through Podman's runtime initialization.
Note: libpod/info.go keeps existing NetworkBackend reporting logic
which will automatically report "netavark" as the only backend since
configuration defaults to netavark and cannot be changed to CNI.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
use name_to_handle_at and open_by_handle_at to persist rootless
namespaces without needing a pause process.
The namespace file handles are stored in a file and can be used to
rejoin the namespaces, as long as the namespaces still exist.
Fall back to the pause process approach only when the kernel doesn't
support nsfs handles (EOPNOTSUPP).
The feature is currently only enabled when the PODMAN_NO_PAUSE_PROCESS
environment variable is set.
These changes in the kernel are required (landed in Linux 6.18):
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3ab378cfa793
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The `*os.File` returned by `pathrs.OpenatInRoot` needs to
be closed before returning from `openSymlinkPath`
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
- Update documentation: Differentiate `unless-stopped` from `always` - containers stopped by the user before a reboot will not restart.
- Add `should-start-on-boot` filter: Identify containers that require a restart after a system reboot.
- Update command documentation: Add `restart-policy` and `label!` filters to the documentation for container commands (rm, ps, start, stop, pause, unpause, restart).
- Add `restart-policy` and `shoud-start-on-boot` to completions.
- Update service: Update `podman-restart.service` to use the `needs-restart=true` filter.
- Preserve state: Preserve the `StoppedByUser` state across reboots.
- Update API: Add a `ShouldStartOnBoot()` method to the Container API.
- Update documentation: Add descriptions for the `should-start-on-boot` filter.
Fixes: https://issues.redhat.com/browse/RHEL-129405
Fixes: https://github.com/containers/podman/issues/20418
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
The --macvlan flag was deprecated in Podman 3.x and was scheduled
for removal in version 4.0. Since we're now at version 6.0.0-dev,
this commit removes the deprecated flag and its associated code.
Users should now use the standard syntax:
podman network create --driver macvlan --opt parent=<device> <name>
Signed-off-by: shiavm006 <shivammittal42006@gmail.com>
When trying to join the conmon pid to recreate the pause process based
on the namespace it can be that the pid is no longer valid, i.e. when
conmon crashed or was killed.
Currently we have a big issue that can be reproduced using:
$ podman run -d quay.io/libpod/testimage:20241011 sleep 100
$ killall -9 conmon
$ killall catatonit
All commands would fail as we keep trying to rejoin the namespace of the
non existing conmon process.
So to address that fall back to creating a new namespace if we fail to
join the conmon pids.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Just a minor improvement as we know the size needed for the slice we can
allocate it only once instead of the append having to resize it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Based on the description in commit 63ef557 this was added so that the
migrate command does not move the pause process into a separate cgroup.
It should however not disable the rejoining of the userns when the pause
process join failed. BEcause of this we end up calling migrate without a
userns and that then can fail if there are actual contianer it tries to
cleanup.
Fixes: 63ef5576ed ("command: migrate doesn't move process to cgroup")
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
There is no good reason to use logrus and os.Exit() here, other parts of
this function already return the error so do the same. The main podman
process will exit then with the normal formatted error message.
And also log an error about the last return which should never happen as
we should have exited above if the re-exec worked or errored out.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Fixes: #26588
For use cases like HPC, where `podman exec` is called in rapid succession, the standard exec process can become a bottleneck due to container locking and database I/O for session tracking.
This commit introduces a new `--no-session` flag to `podman exec`. When used, this flag invokes a new, lightweight backend implementation that:
- Skips container locking, reducing lock contention
- Bypasses the creation, tracking, and removal of exec sessions in the database
- Executes the command directly and retrieves the exit code without persisting session state
- Maintains consistency with regular exec for container lookup, TTY handling, and environment setup
- Shares implementation with health check execution to avoid code duplication
The implementation addresses all performance bottlenecks while preserving compatibility with existing exec functionality including --latest flag support and proper exit code handling.
Changes include:
- Add --no-session flag to cmd/podman/containers/exec.go
- Implement lightweight execution path in libpod/container_exec.go
- Ensure consistent container validation and environment setup
- Add comprehensive exit code testing including signal handling (exit 137)
- Optimize configuration to skip unnecessary exit command setup
Signed-off-by: Ryan McCann <ryan_mccann@student.uml.edu>
Signed-off-by: ryanmccann1024 <ryan_mccann@student.uml.edu>
Quadlets installed from `.quadlet` file now belongs to a single
application, anyone file removed from this application removes all the
other files as well.
Assited by: claude-4-sonnet
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
Enable installing multiple quadlets from one file using '---' delimiters.
Each section requires '# FileName=<name>' comment for custom naming.
Single quadlet files remain unchanged for backward compatibility.
Assited by: claude-4-sonnet
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
The old location is deprecated and has been removed in v0.6.0 even. I
did this as extra commit to make cherry-picking easier.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
