This change adds code to report the reclaimed space after a prune.
Reclaimed space from volumes, images, and containers is recorded
during the prune call in a PruneReport struct. These structs are
collected into a slice during a system prune and processed afterwards
to calculate the total reclaimed space.
Closes#8658
Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
On Gentoo systems where `app-portage/gentoolkit` is installed the binary
`equery` is used to query for information on which package a file
belongs to.
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Per the conversation on pull/8724 I am consolidating filter logic
and helper functions under the pkg/domain/filters dir.
Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
if a single user is mapped in the user namespace, handle it as root.
It is needed for running unprivileged containers with a single user
available without being forced to run with euid and egid set to 0.
Needs: https://github.com/containers/storage/pull/794
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
when following container log files, if the file gets rotated due to
something like size limit, re-open it and keep following.
Fixes: #8733
Signed-off-by: baude <bbaude@redhat.com>
We have a new field in containers.conf that tells whether
or not we want to generate a new keyring in a container.
This field was being ignored. It now will be followed and
passed down to conmon.
Fixes: https://github.com/containers/podman/issues/8384
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
With additional stores there is a risk that you could have
multiple images with the same name. IE An older image in a
read/only store versus a newer version in the read/write store.
This patch will ignore multiple images with the same name iff
one is read/write and all of the others are read/only.
Fixes: https://github.com/containers/podman/issues/8176
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
adds the ability to filter containers based on the filter "pod". the
value can be a pod name or its full or partial id.
Fixes: #8512
Signed-off-by: baude <bbaude@redhat.com>
When debugging issues, it would be helpful to know the
security settings of the system running into the problem.
Adding security info to `podman info` is also useful to users.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This change was missed in pull/8689. Now that volume pruneing supports
filters system pruneing can pass its filters down to the volume
pruneing. Additionally this change adds tests for the following components
* podman system prune subcommand with `--volumes` & `--filter` options
* apiv2 api tests for `/system/` and `/libpod/system` endpoints
Relates to #8453, #8672
Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
In certain cases XDG_RUNTIME_DIR was deleted by accident based on
settings in the storage.conf. This patch verifies that when doing
a storage reset, we don't accidently remove XDG_RUNTIME_DIR.
Fixes: https://github.com/containers/podman/issues/8680
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
`podman network create` should always add a gateway to the cni config.
If no gateway is given use the first ip in the subnet. CNI does not require
the gateway field but we need it because of network inspect.
This worked with previous version but was dropped in Commit(e7a72d72fd59).
Fixes#8748
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Change the log level when running as rootless when moving conmon to a
different cgroup.
Closes: https://github.com/containers/podman/issues/8721
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This change adds support for the `--filter` / `?filters` arguments on
the `podman volume prune` subcommand.
* Adds ParseFilterArgumentsIntoFilters helper for consistent
Filter string slice handling
* Adds `--filter` support to podman volume prune cli
* Adds `?filters...` support to podman volume prune api
* Updates apiv2 / e2e tests
Closes#8672
Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
The podman events aren't read until the given timestamp if the
timestamp is in the future. It just reads all events until now
and exits afterwards.
This does not make sense and does not match docker. The correct
behavior is to read all events until the given time is reached.
This fixes a bug where the wrong event log file path was used
when running first time with a new storage location.
Fixes#8694
This also fixes the events api endpoint which only exited when
an error occurred. Otherwise it just hung after reading all events.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
do not check whether the specified ID is valid in the user namespace.
crun handles this case[1], so the check in Podman prevents to get to
the OCI runtime at all.
$ podman run --user 10:0 --uidmap 0:0:1 --rm -ti fedora:33 sh -c 'id; cat /proc/self/uid_map'
uid=10(10) gid=0(root) groups=0(root),65534(nobody)
10 0 1
[1] https://github.com/containers/crun/pull/556
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Make the ContainerLogsOptions support two io.Writers,
one for stdout and the other for stderr. The logline already
includes the information to which Writer it has to be written.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Just checking for `rootless.IsRootless()` does not catch all the
cases where slirp4netns is in use - we actually allow it to be
used as root as well. Fortify the conditional here so we don't
fail in the root + slirp case.
Fixes#7883
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
This adds a new command, 'podman network reload', to reload the
networks of existing containers, forcing recreation of firewall
rules after e.g. `firewall-cmd --reload` wipes them out.
Under the hood, this works by calling CNI to tear down the
existing network, then recreate it using identical settings. We
request that CNI preserve the old IP and MAC address in most
cases (where the container only had 1 IP/MAC), but there will be
some downtime inherent to the teardown/bring-up approach. The
architecture of CNI doesn't really make doing this without
downtime easy (or maybe even possible...).
At present, this only works for root Podman, and only locally.
I don't think there is much of a point to adding remote support
(this is very much a local debugging command), but I think adding
rootless support (to kill/recreate slirp4netns) could be
valuable.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
add the ability to add multiple containers into a single k8s pod
instead of just one.
also fixed some bugs in the resulting yaml where an empty service
description was being added on error causing the k8s validation to fail.
Signed-off-by: baude <bbaude@redhat.com>
Podman pre-1.8 also included a field with this name, which was a
String. Podman 2.2.0 added a new field reusing the name but as a
Struct. This completely broke JSON decode for pre-1.8 containers
in Podman 2.2, resulting in completely broken behavior.
Re-name the JSON field and add a note that the old name should
not be re-used to prevent this problem from re-occurring. This
will still result in containers from 2.2.0 being broken
(specifically, containers with image volumes will have them
disappear) but this is the lesser of two evils.
Fixes#8613
Signed-off-by: Matthew Heon <mheon@redhat.com>
Installing a duplicate shutdown handler fails, but if a handler
with the same name is already present, we should be set to go.
There's no reason to print a user-facing error about it.
This comes up almost nowhere because Podman never makes more than
one Libpod runtime, but there is one exception (`system reset`)
and the error messages, while harmless, were making people very
confused (we got several bug reports that `system reset` was
nonfunctional).
Signed-off-by: Matthew Heon <mheon@redhat.com>
Before querying for a container's cgroup path, make sure that the
container is synced. Also make sure to error out if the container
isn't running.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Short-name aliasing was introduced with Podman 2.2 as an opt-in preview
by enabling an environment variable. Now, as we're preparing for the
3.0 release, we can enable short-name aliasing by default. Opting out
can be done by configuring the `registries.conf` config file.
Please refer to the following blog post for more details:
https://www.redhat.com/sysadmin/container-image-short-names
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
