if /sys is bind mounted from the host then also add an explicit mount
for /sys/fs/cgroup so that 'ro' is honored.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
If you are running temporary containers within podman play kube
we should really be running these in read-only mode. For automotive
they plan on running all of their containers in read-only temporal
mode. Adding this option guarantees that the container image is not
being modified during the running of the container.
The containers can only write to tmpfs mounted directories.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
podman play kube now supports and has tests for the subpath field when using a hostPath volume type and a configMap volume type.
The hostpath works similarly to the named volume, allowing a user to specify a whole directory but also a specific file or subdir within that mount. Config Maps operate the same way but specifically allow users to mount specific data in a subpath alongside the existing data
resolves#16828
Signed-off-by: Charlie Doern <cbddoern@gmail.com>
False is the assumed value, and inspect and podman generate kube are
being cluttered with a ton of annotations that indicate nothing.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We should have done this much earlier, most of the times CNI networks
just mean networks so I changed this and also fixed some function
names. This should make it more clear what actually refers to CNI and
what is just general network backend stuff.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Also fix a number of duplicate words. Yet disable the new `dupword`
linter as it displays too many false positives.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
subpath allows for only a subdirecty of a volumes data to be mounted in the container
add support for the named volume type sub path with others to follow.
resolves#12929
Signed-off-by: Charlie Doern <cbddoern@gmail.com>
* podman kube play support startup probe
* make probe use json string array instead of CMD-SHELL
Signed-off-by: Liang Chu-Xuan <karta0807913@gmail.com>
Fixes e2e tests, remove '\n' from base64 encoded data.
Correct test to check that data in secret mounted file is decoded.
Closes#16269Closes#16625
Signed-off-by: Andrei Natanael Cosma <andrei@intersect.ro>
The containers should be able to write to tmpfs mounted directories.
Also cleanup output of podman kube generate to not show default values.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Fix an overriding logic in Inhearit function.
Alos, ToSpecGen function doesn't load the cgroup/image volume config from containers.conf.
Signed-off-by: karta0807913 <karta0807913@gmail.com>
Startup healthchecks are similar to K8S startup probes, in that
they are a separate check from the regular healthcheck that runs
before it. If the startup healthcheck fails repeatedly, the
associated container is restarted.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
If the secret exists, set optional in the KubeVolume to false to always use it
If the secret does not exist, if optional, set the same in the KubeVolume to skip it, otherwise fail
Add e2e tests
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
honor eventual options set in the containers.userns setting in the
containers.conf file, e.g.:
[containers]
userns = "auto:size=8192"
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Whenever image has `arch` and `os` configured for `wasm/wasi` switch to
`crun-wasm` as extension if applicable, following will only work if
`podman` is using `crun` as default runtime.
[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]
A test for this can be added when `crun-wasm` is part of CI.
Signed-off-by: Aditya R <arajan@redhat.com>
Conceptually equivalent to networking by means of slirp4netns(1),
with a few practical differences:
- pasta(1) forks to background once networking is configured in the
namespace and quits on its own once the namespace is deleted:
file descriptor synchronisation and PID tracking are not needed
- port forwarding is configured via command line options at start-up,
instead of an API socket: this is taken care of right away as we're
about to start pasta
- there's no need for further selection of port forwarding modes:
pasta behaves similarly to containers-rootlessport for local binds
(splice() instead of read()/write() pairs, without L2-L4
translation), and keeps the original source address for non-local
connections like slirp4netns does
- IPv6 is not an experimental feature, and enabled by default. IPv6
port forwarding is supported
- by default, addresses and routes are copied from the host, that is,
container users will see the same IP address and routes as if they
were in the init namespace context. The interface name is also
sourced from the host upstream interface with the first default
route in the routing table. This is also configurable as documented
- sandboxing and seccomp(2) policies cannot be disabled
- only rootless mode is supported.
See https://passt.top for more details about pasta.
Also add a link to the maintained build of pasta(1) manual as valid
in the man page cross-reference checks: that's where the man page
for the latest build actually is -- it's not on Github and it doesn't
match any existing pattern, so add it explicitly.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Motivated to have a working `make lint` on Fedora 37 (beta).
Most changes come from the new `gofmt` standards.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Also create one constant for ErrDuplicateDest, rather then have the same
value set three times.
Fixes: https://github.com/containers/podman/issues/4217
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This call does a deep copy, which is only needed if you want
to modify the return value. Instead we use ctr.ConfigNoCopy().Spec
which is just a pointer dereference.
[NO NEW TESTS NEEDED] Just minor performance effects
Signed-off-by: Alexander Larsson <alexl@redhat.com>
If user does not specify hostPort in a kube.yml file but does specify
a containerPort, then the hostPort should default to the containerPort.
Fixes: https://github.com/containers/podman/issues/15942
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Ensure kubernetes default parameters are respected.
Additional curl parameter enforces returning error for HTTP error codes.
Use build-in HealthCheckOnFailureAction instead of killing the container
while executing the probe.
Signed-off-by: Piotr <piotr.skoczylas@gmail.com>
Package `io/ioutil` was deprecated in golang 1.16, preventing podman from
building under Fedora 37. Fortunately, functionality identical
replacements are provided by the packages `io` and `os`. Replace all
usage of all `io/ioutil` symbols with appropriate substitutions
according to the golang docs.
Signed-off-by: Chris Evich <cevich@redhat.com>
podman container clone was failing when env variables had multiple `=` in them.
Switch split to splitn
resolves#15836
Signed-off-by: Charlie Doern <cdoern@redhat.com>
Podman adds an Error: to every error message. So starting an error
message with "error" ends up being reported to the user as
Error: error ...
This patch removes the stutter.
Also ioutil.ReadFile errors report the Path, so wrapping the err message
with the path causes a stutter.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This logic has been broken by commit 9c6c981928c3e020ff6eef9454c7ee86aa8c83d1
(kube: fix conversion from milliCPU to period/quota).
[NO NEW TESTS NEEDED]
Fixes: #15726
Signed-off-by: Mikhail Khachayants <tyler92@inbox.ru>
