- fix issues found by recvcheck
- skip k8s files from recvcheck
- remove two removed linters gomnd and execinquery
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This PR adds libkrun support to podman machine. This is an experimental feature and should not be marketed yet. Before we unmark the experimental status on this function, we will need to have full CI support and a full podman point release has pased.
This work relies on the fact that vfkit and libkrun share a reasonably (if not perfectly) same API. The --log-level debug option will not show a GUI screen for boots as krun is not capable of this.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Non-Linux systems, such as BSD kernels, constrain xatter updates
according to file permissions. This is in contrast to Linux selinux
attr writes, which are governed by an selinux policy. By dafault this
policy apllows users to relabel files owned by themselves even if file
perms would otherwise disallow write.
This results in robust container relabeling results on Linux, and
fragile results everywhere else. Therefore, change the mac policy to
force the nfs_t context on all files, and ignore all relabel
events.
As a side-effect, this will disallow any ability to store custom
selinux constants on files. However, this is of limited use in
a machine context, since files in these volumes are externally
managed on systems which do not support SELinux.
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
There has been various issues with vfkit exiting with
"Error: vfkit exited unexpectedly with exit code 1"
Among other reasons, this can be caused by vfkit being
built without the com.apple.security.virtualization
entitlement, and this can also happen when running
vfkit.x86_64 on Apple silicon hardware.
At the moment, the vfkit logs are not available, so there is no easy way
to know what's happening. This PR redirects vfkit stdout/stderr to
podman's log when --log-level debug is used.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Previously, the locks were on the provider layer, which doesn't make a vm operation with a config file update atomic. Move them up a layer, so the entire function locks while doing provider and config operations.
This adds a Remove and a Set function to the shim layer.
[NO NEW TESTS NEEDED] Unsure how to test this
Signed-off-by: Ashley Cui <acui@redhat.com>
Remove TODO to swap `Rootful` in Inspect with `HostUser`
It is unnecessary to remove the vfkit logfile in the provider-specific Remove function. Vfkit is fed the default logfile provided by mc.LogFile which is removed by the generic Remove function.
Removes TODO regarding moving the location of Stop. False TODO.
[NO NEW TESTS NEEDED]
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Replaces GetHyperVisorVMs() with Exists() to better abstract the underlying
use-case and slightly imrpove efficiency.
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
Also addresses a number of issues:
- StopHostNetworking isn't plumbed, win-sshproxy leaks on hyperv
- Wait api and print output doesn't work properly on Windows
- API forwarding doesn't work on WSL
- Terminal corruption with after start/stop on Windows
- Gvproxy is forcefully killed vs gracefully quit
- Switching rootful/rootless does not update /var/run/docker.sock on the guest
- File already closed error on init
- HyperV backend is publishing Unix sockets when it should be named pipes
- User-mode networking doesn't always work
- Stop state outside of lock boundaries
- WSL blocks parallel machined (should be supported)
[NO NEW TESTS NEEDED]
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
Sets up USB passthrough for machine. Additionally moves `SetOptions` out
from `pkg/machine/config.go` to its own file in
`pkg/machine/define/setopts.go`.
[NO NEW TESTS NEEDED]
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Changes the signature for `getDefaultDevices` to take
a `vmconfigs.MachineConfig`.
[NO NEW TESTS NEEDED]
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Moving from Go module v4 to v5 prepares us for public releases.
Move done using gomove [1] as with the v3 and v4 moves.
[1] https://github.com/KSubedi/gomove
Signed-off-by: Matt Heon <mheon@redhat.com>
Adds the functionality for `podman machine set --rootful` for AppleHV,
QEMU, and HyperV. Abstracts the functionality out to a method of
`MachineConfig`. WSL currently uses a function `SetRootful` that is
provided by the `machine` package, which will eventually get changed
when WSL moves to the refactored structure.
Re-enables the "set rootful with docker sock change" test.
[NO NEW TESTS NEEDED]
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Signed-off-by: Brent Baude <bbaude@redhat.com>
gz by definition is not able to preserve the sparse nature of files. using some code from the crc project and gluing it together with our decompression code, we can re-create the sparseness of a file. one downside is the operation is a little bit slower, but i think the gains from the sparse file are well worth it in IO alone.
there are a number of todo's in this PR that would be ripe for quick hitting fixes.
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <baude@redhat.com>
this pr represents the podman 5 maching refactoring for HyperV. with
the exception of already skipped tests, all local tests pass.
Signed-off-by: Brent Baude <bbaude@redhat.com>
this is the second provider done (qemu first). all tests pass on arm64 hardware locally ... the hybrid pull from oci registries limit this to arm64 only.
calling gvproxy, waiting for it, and then vfkit seems to still be problematic. this would be an area that should be cleaned up once all providers are implemented.
Signed-off-by: Brent Baude <bbaude@redhat.com>
The following PR is the leading PR for refactoring podman machine with
the following goals:
* less duplication/more re-use
* common configuration file between providers
* more consistentency in how machines are handled by providers
The goal of this PR is the rough refactor. There are still rough spots
for sure, specifically around the podman socket and pipe. This
implemention is only for Linux. All other providers are still present
but will not compile or work. This is why tests for them have been
temporarily suspended.
The ready socket code is another area that needs to be smoothed over.
Right now, the ready socket code is still in QEMU. Preferably it would
be moved to a generic spot where all three approaches to readiness
socket use can be defined.
It should also be noted:
* all machine related tests pass.
* make validate for Linux passes
* Apple QEMU was largely removed
* More code pruning is possible; will become clearer when other
providers are complete.
the dir pkg/machine/p5 is not permanent. i had to seperate this from
machine initially due to circular import problems. i think when all
providers are done (or nearly done), it can be placed and named
properly.
Signed-off-by: Brent Baude <bbaude@redhat.com>
this is a logical place to get changes upstream before they grow out of
control. this pr is the first in an effort to deduplicate machine code
and streamline code flow.
a lot of code is simply moved to eliminate circular imports. names and
specific paths can ultimately be changed. i dont like some of the
descriptive interface names, etc. ultimately, i think once we have the
"old" code sanitized, we can re-use some of those.
clearly some of what is in here is temporary and will either be deleted,
changed, or moved again as this effort comes to a close.
right now, the machine code does not use any of the "new" code. you
will see in `init` and `rm` some commented out code that hooks it. i'm
afraid things will get worse before they get better (way worse).
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
While this is potentially a security problem, it solves the issues of
users sharing content from the host into containers and attempting to
relabel it. From a security point of view this means all content volume
mounted from the host into the podman machine on apple hypervisor is
read/write from an SELinux point of view if it is volume mounted into
the container. If the user attempts to use :Z or :z it will work and
relabel the content to be only usable bu the specify container.
Helps Fix: https://github.com/containers/podman/issues/21269
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
`getRuntimeDir()` (which is also responsible for creating TMPDIR if it doesn't exist) was being called on `Init()` but not on `Start()` which meant that after the host was restarted and TMPDIR was wiped, `startHostNetworking()` would try to start gvproxy and immediately bail.
Signed-off-by: kaorihinata <kaori.hinata@gmail.com>
The remote user functionality was not quite correct. This PR breaks out
the accumulation of user descriptions into a separate function. One
odditiy is ignition must be told to NOT create the core user (or it will
by default) by "adding" the core user with a set bool.
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
When starting podman machine with applehv, this warning is printed:
WARN[0025] API socket failed ping test
This is due to a bug in applehv.setupAPIForwarding which is not
returning the path to the socket, which causes `WaitAndPingAPI` to be
called with `""` as the socket path, triggering the warning.
This commit changes setupAPIForwarding to be similar to the
implementation in the other machine implementations.
I don't know how to add a test for this, but this can be handled in
podman-machine end to end tests by making sure that there are no
warnings when running `podman machine start` with applehv.
[NO NEW TESTS NEEDED]
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
`applehv.Start()` has this line of code:
```
cmd.ExtraFiles = []*os.File{ioEater, ioEater, ioEater}
```
whose purpose is not clear.
The intent may have been to redirect stdin/stdout/stderr to /dev/null in
the child process.
This should be done by setting cmd.Stdin/cmd.Stdout/cmd/Stderr to nil,
which is the case by default.
The way it's done could also cause issues as
`Vfkit.VirtualMachine.Cmd()` sometimes adds files it needs to keep open
to `ExtraFiles`, so at the very least this should be an `append()`
This commit removes this code.
[NO NEW TESTS NEEDED]
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
LastUp now correctly reports the lastUp time for podman machine on
AppleHV, for both inspect and list.
[NO NEW TESTS NEEDED]
since this fixes an existing failing test.
Signed-off-by: Ashley Cui <acui@redhat.com>
Previously, every machine created using appleHV interacted with VFKit using port 8081. This meant that if multiple machines existed on the machine, starting one would start all the machines. This patch assigns a separate random port for each machine, so machine commands interact with just the specified machine.
Signed-off-by: Ashley Cui <acui@redhat.com>
Fixes a bug where a user would be unable to change
a rootless machine to rootful. Also makes sure that
the podman/docker socket service is updated if the
UID or Rootful status of the host user has been
updated.
[NO NEW TESTS NEEDED]
Fixes: #21195
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
We shouldn't hardcode `~/.local` - we should use the internal
config helper APIs which honor the XDG_DATA_DIR etc. standard
environment variables.
Signed-off-by: Colin Walters <walters@verbum.org>
Fixes a bug where if a machine failed during init due to a bad ignition path, it would not be properly torn down.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Changes SSH key behavior such that there is a single persisted key for all
machines across all providers. If there is no key that is located at
`.local/share/containers/podman/machine/` then it is created. The keys are
not deleted when the last machine on the host is removed.
The main motivation for this change is it leads to fewer files created on the
host as a result of vm configuration. Having `n` machines on your system doesn't
result in `2n` machine-related files in `.ssh` on your system anymore.
As a result of ssh keys being persisted by default, the `--save-keys` flag
on `podman machine rm` will no longer be supported.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Uses the systemd unit file parser to build unit files instead of having
them be just blocks of hard-coded strings.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Moves all of the ignitionfiles out of the `machine` package and into
its own called `ignition`. This required `VMType` to get moved out of
the `machine` package and into the `define` package in order to prevent
a circular dependency.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
