Integrate sd-notify policies into `kube play`. The policies can be
configured for all contianers via the `io.containers.sdnotify`
annotation or for indidivual containers via the
`io.containers.sdnotify/$name` annotation.
The `kube play` process will wait for all containers to be ready by
waiting for the individual `READY=1` messages which are received via
the `pkg/systemd/notifyproxy` proxy mechanism.
Also update the simple "container" sd-notify test as it did not fully
test the expected behavior which became obvious when adding the new
tests.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.
[NO NEW TESTS NEEDED]
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
add support for the --uts flag in pod create, allowing users to avoid
issues with default values in containers.conf.
uts follows the same format as other namespace flags:
--uts=private (default), --uts=host, --uts=ns:PATH
resolves#13714
Signed-off-by: Charlie Doern <cdoern@redhat.com>
When podman-remote is used we should not resolve the default network
mode on the client. Defaults should be set on the server. In this case
this is important because we have different defaults for root/rootless.
So when the client is rootless and the server is root we must pick the
root default.
Note that this already worked when --network was set since we did not
parsed the flag in this case. To reproduce you need --network=default.
Also removed a unused function.
[NO NEW TESTS NEEDED] I tested it manually but I am not sure how I can
hook a test like this up in CI. The client would need to run as rootless
and the server as root or the other way around.
Fixes#14368
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The linter ensures a common code style.
- use switch/case instead of else if
- use if instead of switch/case for single case statement
- add space between comment and text
- detect the use of defer with os.Exit()
- use short form var += "..." instead of var = var + "..."
- detect problems with append()
```
newSlice := append(orgSlice, val)
```
This could lead to nasty bugs because the orgSlice will be changed in
place if it has enough capacity too hold the new elements. Thus we
newSlice might not be a copy.
Of course most of the changes are just cosmetic and do not cause any
logic errors but I think it is a good idea to enforce a common style.
This should help maintainability.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Because /etc/hosts is shared for all containers with a shared network
namespace you should not be able to add hosts from a joined container.
Only the primary netns container can set the hosts.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
--cap-add is useful when running a privileged container with UID != 0,
so that individual capabilities can be added to the container process.
Closes: https://github.com/containers/podman/issues/13449
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Because we cannot reqad the networking mode in the frontent because we
should always use the server default we have to parse the mac and ip
address to the server via a default network. Now when the server reads
the default nsmode it has to reject the provided networks when the mode
is not set to bridge.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add the new networks format to specgen. For api users cni_networks is
still supported to make migration easier however the static ip and mac
fields are removed.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We missed bumping the go module, so let's do it now :)
* Automated go code with github.com/sirkon/go-imports-rename
* Manually via `vgrep podman/v2` the rest
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Cleanup the golangci.yml file and enable more linters.
`pkg/spec` and `iopodman.io` is history. The vendor directory
is excluded by default. The dependencies dir was listed twice.
Fix the reported problems in `pkg/specgen` because that was also
excluded by `pkg/spec`.
Enable the structcheck, typecheck, varcheck, deadcode and depguard
linters.
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Make sure we pass the ip and mac address as CNI_ARGS to
the cnitool which is executed in the rootless-cni-infra
container.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
when running container creation as rootless on the compatibility layer,
we need to make sure settings are not being done for memory and memory
swappiness.
Signed-off-by: baude <bbaude@redhat.com>
because a pod's network information is dictated by the infra container at creation, a container cannot be created with network attributes. this has been difficult for users to understand. we now return an error when a container is being created inside a pod and passes any of the following attributes:
* static IP (v4 and v6)
* static mac
* ports -p (i.e. -p 8080:80)
* exposed ports (i.e. 222-225)
* publish ports from image -P
Signed-off-by: Brent Baude <bbaude@redhat.com>
Add better error message when using `--pod` and `--hostname`.
Improve the docs to better explain the uts hostname relation.
Add more valid options for the `--uts` flag.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Buildah and podman build can create images without a working dir.
FROM fedora
WORKDIR /test
If you build this image with caching twice, the second time the image
will not have a working dir.
Similarly if you execute
podman run --workdir /foobar fedora
It blows up since the workingdir is not created automatically.
Finally there was duplicated code for getting the workingdir
out of an image, that this PR removes.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently you can not apply an ApparmorProfile if you specify
--privileged. This patch will allow both to be specified
simultaniosly.
By default Apparmor should be disabled if the user
specifies --privileged, but if the user specifies --security apparmor:PROFILE,
with --privileged, we should do both.
Added e2e run_apparmor_test.go
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When creating a pod or container where a static MAC or IP address is provided, we should return a proper error and exit as 125.
Fixes: #6972
Signed-off-by: Brent Baude <bbaude@redhat.com>
--sdnotify container|conmon|ignore
With "conmon", we send the MAINPID, and clear the NOTIFY_SOCKET so the OCI
runtime doesn't pass it into the container. We also advertise "ready" when the
OCI runtime finishes to advertise the service as ready.
With "container", we send the MAINPID, and leave the NOTIFY_SOCKET so the OCI
runtime passes it into the container for initialization, and let the container advertise further metadata.
This is the default, which is closest to the behavior podman has done in the past.
The "ignore" option removes NOTIFY_SOCKET from the environment, so neither podman nor
any child processes will talk to systemd.
This removes the need for hardcoded CID and PID files in the command line, and
the PIDFile directive, as the pid is advertised directly through sd-notify.
Signed-off-by: Joseph Gooch <mrwizard@dok.org>
With the advent of Podman 2.0.0 we crossed the magical barrier of go
modules. While we were able to continue importing all packages inside
of the project, the project could not be vendored anymore from the
outside.
Move the go module to new major version and change all imports to
`github.com/containers/libpod/v2`. The renaming of the imports
was done via `gomove` [1].
[1] https://github.com/KSubedi/gomove
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The `--privileged` flag does not conflict with `--group-add`
(this one was breaking Toolbox) and does not conflict with most
parts of `--security-opt` (this was breaking Openstack).
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Systemd enablement has to happen on the server side, since we need
check if the image is running systemd.
Also need to make sure user setting the StopSignal is not overriden on the
server side. But if not set and using systemd, we set it correctly.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This should complete Podmanv2's support for volume-related flags.
Most code was sourced from the old pkg/spec implementation with
modifications to account for the split between frontend flags
(volume, mount, tmpfs) and the backend flags implemented here.
Also enables tests for podman run with volumes
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Namespaces have now been changed to properly handle all cases.
Spec handling code for namespaces was consolidated in a single
function.
Still missing:
- Image ports
- Pod namespaces likely still broken in Podmanv2
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We were not handling the parsing of --ip. This pr adds validation
checks and now will support the flag.
Move validation to the actual parsing of the network flags.
We should only parse the dns flags if the user changed them. We don't
want to pass default options if set in containers.conf to the server.
Potential for duplicating defaults.
Add support for --dns-opt flag passing
Begin handling of --network flag, although we don't have a way right now
to translate a string into a specgen.Namespace.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
create a container in podmanv2 using specgen approach. this is the core implementation and still has quite a bit of code commented out specifically around volumes, devices, and namespaces. need contributions from smes on these parts.
Signed-off-by: Brent Baude <bbaude@redhat.com>
using the factory approach similar to container, we now create pods based on a pod spec generator. wired up the podmanv2 pod create command, podcreatewithspec binding, simple binding test, and apiv2 endpoint.
also included some code refactoring as it introduced as easy circular import.
Signed-off-by: Brent Baude <bbaude@redhat.com>
