If the --health-cmd flag is not specified, other flags such as --health-interval, --health-timeout, --health-retries, and --health-start-period are ignored if the image contains a Healthcheck. This makes it impossible to modify these Healthcheck configuration when a container is created.
Fixes: https://github.com/containers/podman/issues/20212
Fixes: https://issues.redhat.com/browse/RUN-2629
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
First, remove wrong sentence that says ports are forwarded dynamically
by default. That is wrong and contradicts what is written below.
Second, document that we also set --dns-forward and --map-guest-addr by
default. And lastly document the containers.conf field so users know
they are not forced to set the options on each command.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It seems support was added into Buildah for no-new-privileges [1]
however the Podman build documentation was not updated.
Fixes#25731
[1] d4c661a774
Signed-off-by: Lewis Denny <lewis@redhat.com>
The current max size is defined as `maxSecretSize = 512000` in
`github.com/containers/common/blob/main/pkg/secrets/secrets.go`.
Signed-off-by: Alexander Gramiak <agrambot@gmail.com>
The --env is used to add new environment variable to container or
override the existing one. The --unsetenv is used to remove
the environment variable.
It is done by sharing "env" and "unsetenv" flags between both
"update" and "create" commands and later handling these flags
in the "update" command handler.
The list of environment variables to add/remove is stored
in newly added variables in the ContainerUpdateOptions.
The Container.Update API call is refactored to take
the ContainerUpdateOptions as an input to limit the number of its
arguments.
The Env and UnsetEnv lists are later handled using the envLib
package and the Container is updated.
The remote API is also extended to handle Env and EnvUnset.
Fixes: #24875
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
Add a new option to allow for mounting artifacts in the container, the
syntax is added to the existing --mount option:
type=artifact,src=$artifactName,dest=/path[,digest=x][,title=x]
This works very similar to image mounts. The name is passed down into
the container config and then on each start we lookup the artifact and
the figure out which blobs to mount. There is no protaction against a
user removing the artifact while still being used in a container. When
the container is running the bind mounted files will stay there (as the
kernel keeps the mounts active even if the bind source was deleted).
On the next start it will fail to start as if it does not find the
artifact. The good thing is that this technically allows someone to
update the artifact with the new file by creating a new artifact with
the same name.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
like images and containers, it could be handy to have a --noheading
option that removes the headings on the output.
Signed-off-by: Brent Baude <bbaude@redhat.com>
added a --no-trunc flag to artifact ls, which follows what images has
done. by default now, the ls output will have the shortened 12
character digest. the --no-trunc will output the full digest.
Signed-off-by: Brent Baude <bbaude@redhat.com>
podman artifact add now supports two new command line switches.
--type string that describes the type of artifact
--annotation string slice in the form of key=val
These new options allow users to "tag" information in on their artifacts
for any number of purposes down the line
RUN-2446
Signed-off-by: Brent Baude <bbaude@redhat.com>
the podman artifact verb is used to manage OCI artifacts. the following
verbs were added to `podman artifact`:
* add
* inspect
* ls
* pull
* push
* rm
Notable items with this PR:
* all artifact commands and their output are subject to change. i.e.
consider all of this tech preview
* there is no way to add a file to an artifact that already exists in
the store. you would need to delete and recreate the artifact.
* all references to artifacts names should be fully qualified names in
the form of repo/name:tag (i.e. quay.io/artifact/foobar:latest)
* i understand that we will likely want to be able to attribute things
like arch, etc to artifact files. this function is not available yet.
Many thanks to Paul Holzinger for autocompletion PRs and review PRs that
fixed issues early on.
Also fix up some Args function to specify the correct number of args.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Brent Baude <bbaude@redhat.com>
Fixes: https://github.com/containers/podman/issues/25002
Also add the ability to inspect containers for
UseImageHosts and UseImageHostname.
Finally fixed some bugs in handling of --no-hosts for Pods,
which I descovered.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Introduce a new option "size" to configure the maximum size of the
user namespace configured by keep-id.
Closes: https://github.com/containers/podman/issues/24837
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add --hosts-file flag to container create, container run and pod create
* Add HostsFile field to pod inspect and container inspect results
* Test BaseHostsFile config in containers.conf
Signed-off-by: Gavin Lam <gavin.oss@tutamail.com>
New flags in a `podman update` can change the configuration of HealthCheck when the container is started, without having to restart or recreate the container.
This can help determine why a given container suddenly started failing HealthCheck without interfering with the services it provides. For example, reconfigure HealthCheck to keep logs longer than the usual last X results, store logs to other destinations, etc.
Fixes: https://issues.redhat.com/browse/RHEL-60561
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
This way has a huge disadvantage: The user will not see an error when he
uses a non-existent option. Another disadvantage is, that if we add more
options within podman, they might collide with the names chosen by
plugins. Such issues might be hard to debug.
The advantage is that the usage is very nice:
--network bridge:opt1=val1,opt2=val2.
Alternatively, we could put this behind `opt=`, which is harder to use,
but would solve all issues above:
--network bridge:opt=opt1=val1,opt=opt2=val2
Signed-off-by: Michael Zimmermann <sigmaepsilon92@gmail.com>
Clarifies the behavior of --interactive in both attached and unattached
scenarios.
Adds a caveat and explanation for --interactive being hungry as
described in https://github.com/containers/podman/issues/24370.
Signed-off-by: Alicia Boya García <aboya@igalia.com>
the previous implementation was expecting the rlimits to be set for the
entire process and clamping the values only when running as rootless.
Change the implementation to always specify the expected values in the
OCI spec file and do the clamping only when running as rootless and
using the default values.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Document the special *host-gateway* flag introduced with #19152, mention the special `host.containers.internal` and `host.docker.internal` hostnames, and clarify the option's usage in general.
Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>
These flags can affect the output of the HealtCheck log. Currently, when a container is configured with HealthCheck, the output from the HealthCheck command is only logged to the container status file, which is accessible via `podman inspect`.
It is also limited to the last five executions and the first 500 characters per execution.
This makes debugging past problems very difficult, since the only information available about the failure of the HealthCheck command is the generic `healthcheck service failed` record.
- The `--health-log-destination` flag sets the destination of the HealthCheck log.
- `none`: (default behavior) `HealthCheckResults` are stored in overlay containers. (For example: `$runroot/healthcheck.log`)
- `directory`: creates a log file named `<container-ID>-healthcheck.log` with JSON `HealthCheckResults` in the specified directory.
- `events_logger`: The log will be written with logging mechanism set by events_loggeri. It also saves the log to a default directory, for performance on a system with a large number of logs.
- The `--health-max-log-count` flag sets the maximum number of attempts in the HealthCheck log file.
- A value of `0` indicates an infinite number of attempts in the log file.
- The default value is `5` attempts in the log file.
- The `--health-max-log-size` flag sets the maximum length of the log stored.
- A value of `0` indicates an infinite log length.
- The default value is `500` log characters.
Add --health-max-log-count flag
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
Add --health-max-log-size flag
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
Add --health-log-destination flag
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
We're supposed to catch duplicate man-page options in review,
but once in a while they sneak in. These are two dups that
are 100% identical, and were auto-refactored by a script
that I have. A few more options have snuck in (--dns, --usb)
but those have different text so they can't be handled by
my script. If anyone feels like refactoring those, go ahead.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This senetence does not add any value and instead confuses users as it
suggest that the name is somhow special and related to bridge networks
which is not the case. Using either the name or id is fine as described
in the sentence before.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Update the podman network docs to specify that the default rootless
networking tool has been swapped from slirp4netns to pasta.
Signed-off-by: Pranav RK <pranavrk7@gmail.com>
Image volumes (the `--mount type=image,...` kind, not the
`podman volume create --driver image ...` kind - it's strange
that we have two) are needed for our automount scheme, but the
request is that we mount only specific subpaths from the image
into the container. To do that, we need image volume subpath
support. Not that difficult code-wise, mostly just plumbing.
Also, add support to the CLI; not strictly necessary, but it
doesn't hurt anything and will make testing easier.
Signed-off-by: Matt Heon <mheon@redhat.com>
This is something Docker does, and we did not do until now. Most
difficult/annoying part was the REST API, where I did not really
want to modify the struct being sent, so I made the new restart
policy parameters query parameters instead.
Testing was also a bit annoying, because testing restart policy
always is.
Signed-off-by: Matt Heon <mheon@redhat.com>
Markdown needs lists to be separate paragraphs, otherwise all the items
end up in a single line.
I also made arguments to be replaced italic to clarify that they
shouldn't be typed exactly as shown.
Signed-off-by: Baltazár Radics <baltazar.radics@gmail.com>