Require (linux || freebsd), because the code already does that, in practice.
This just means macOS users of IDEs aren't hit with thousands of compilation
errors (and then the IDE can open an Linux-specific file and then process it
under the Linux assumption, which works much better).
This commit contains the parts that differ somehow.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Require (linux || freebsd), because the code already does that, in practice.
This just means macOS users of IDEs aren't hit with thousands of compilation
errors (and then the IDE can open an Linux-specific file and then process it
under the Linux assumption, which works much better).
This commit ONLY replaces
//go:build !remote
with
//go:build !remote && (linux || freebsd)
and is split from the rest to allow mechanically verifying that fact,
and focusing a review on the other kinds of changes.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
closes: #27411
Adjust SUB_UID and SUB_GID ranges to support running rootless Podman inside a rootless run Podman container.
Also add a test to verify the change and prevent regression.
By default, a new user is assigned the following sub-ID ranges:
SUB_UID_MIN=100000, SUB_GID_MIN=100000, SUB_UID_COUNT=65536, SUB_GID_COUNT=65536
This means the user’s sub-UID and sub-GID ranges are 100000–165535.
When the container is run rootless with the user defined below, ID mappings occur as follows:
- Container ID 0 (root) maps to user ID 1000 on the host (which is the user created below).
- Container IDs 1–65536 map to IDs 100000–165535 on host (the subid range previously mentioned).
If a new user is created inside this container (to build containers for example), it will
attempt to use the default sub-ID range (100000–165535). However, this exceeds the container’s
available ID mapping, since only IDs up to 65536 are mapped. This causes nested rootless Podman
to fail.
To enable container-in-container builds, the sub-ID ranges for the user must be large enough
to provide at least 65536 usable IDs. A minimum SUB_UID_COUNT and SUB_GID_COUNT of 165536 is
required, but 1,000,000 is used here to provide additional margin.
1,000,000 matches the subid range other machines are using, defined in [ignition.go](69b397af49/pkg/machine/ignition/ignition.go (L284-L289)).
The script of other machines modify the subid files directly for 1 user, the `sed` command used in
this fix mimics that.
The test is added as en extension to the 'simple init with username' test case, to prevent having
to create a new VM.
Signed-off-by: dvorst <87502756+dvorst@users.noreply.github.com>
The `ServiceName=` Quadlet option was only documented for `.pod` and
`.artifact` units. However, it applies to all Quadlet types as it is a
global option.
Added `ServiceName=` listing and description to the `[Container]`,
`[Kube]`, `[Network]`, `[Volume]`, `[Build]`, and `[Image]` sections.
Fixes: #27015
Signed-off-by: Paul Nettleton <k9@k9withabone.dev>
Add a per-volume 'nocreate' option that prevents automatic creation of
named volumes when they don't exist. When specified, Podman will fail
if the volume is not found instead of creating it automatically.
Usage: -v myvolume:/data:nocreate
--mount type=volume,src=myvolume,dst=/data,nocreate
See: #27862
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
ConfigToSpec() serializes the container config to JSON and deserializes
it into a SpecGenerator. Both structs use the JSON tag "secret_env" but
with incompatible types: the container config uses map[string]*secrets.Secret
(complex objects) while the specgen uses map[string]string (env var name
to secret name). This causes an unmarshal error when cloning containers
that use --secret with type=env.
Fix this by saving and clearing EnvSecrets before JSON marshal (same
pattern as existing tmpSystemd/tmpMounts), then converting the secret
objects to name strings and assigning them to the specgen afterward.
Also fix FillOutSpecGen to not overwrite env secrets populated by
ConfigToSpec when no new secrets are provided on the command line.
Fixes: #28130
Signed-off-by: Ozgur As <ozgur@live.com>
That test uses process substitution for the Containerfile which fails
because podman tries to use /dev/fd as context directory.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The client and server version can mismatch in which case the client may
fail on something the newer server can understand or the other way
around. Given the server has to parse and validate that output no matter
what there does not seem to be a strong argument for doing this on the
client side again.
Also this means we do leak the sourcepolicy package into the remote
client.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Pass --mount settings and the contents of the --source-policy-file
argument to remote builds.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The original text was added in 518daef in 2023-08. Later, in 0d4a148
in 2025-04, a new option has been introduced without the text being
updated.
Signed-off-by: mhorky <mhorky@redhat.com>
