Refactor the RawInput process of the `rm` and
`start` subcommands, like the other subcommands
such as `restart, stop, etc`.
[NO NEW TESTS NEEDED]
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
Much like --cidfile (#15414), --pod-id-file has two meanings.
One is used in pod-related commands, one in container ones.
Both meanings read the file, so the read/write split used
in --cidfile is not applicable here.
podman-pod-create keeps its --pod-id-file option because
that one cannot be refactored: that's the only command (now)
that writes a pod-id file.
Reviewable using hack/markdown-preprocess-review but I
did take some liberties with the #### args because they
were wrong. And, since I had to much with the description
text anyway (resulting in diffs), I also took the liberty
of cleaning up a double space.
Signed-off-by: Ed Santiago <santiago@redhat.com>
I've been doing the man-page cleanup distractedly, while
fighting other fires, and submitted some crap:
* #15339: I used single angle brackets, not double
* #15407: I only refactored --cert-dir from some man pages, not all
Easy to review with hack/markdown-preprocess-review, because all the
removed texts are identical. The only diff is that container-certs.d
is now a link.
Sorry about that. I'm going to spend more time being careful.
Signed-off-by: Ed Santiago <santiago@redhat.com>
the env vars are held in the spec rather than the config, so they need to be mapped manually. They are also of a different format so special handling needed to be added. All env from the parent container will now be passed to the clone.
resolves#15242
Signed-off-by: Charlie Doern <cdoern@redhat.com>
There are two meanings: one writes a cidfile, the other reads.
Split into two .md files.
This can be reviewed with hack/markdown-preprocess-review .
The main differences you'll see are all in cidfile.read:
1) I use the <<subcommand>> feature. This works nicely for
kill, pause/unpause, and stop. It works less nicely for
rm, because the man page will show "...and rm the container"
(a human might prefer to see "REMOVE the container"). Given
the benefit of this cleanup, I think this is a fine tradeoff.
2) I choose to include the "multiple times" text even on man pages
where it wasn't present before. I tested to make sure it works.
3) The #### line I choose is IMHO the best one.
Minor differences:
* I believe the "remove the container" text in podman-kill
and podman-stop is a copy/paste error. This PR fixes it.
* The only differences between the cidfile.write texts is
the #### line (my version is best) and a final period.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Refactor the --creds option. I went with the one in podman-pull
The main difference between all of them is the '####' line,
differences in the param descriptions. podman-pull had the
clearest one.
This is another one that hack/markdown-preprocess-review is
good for reviewing.
Signed-off-by: Ed Santiago <santiago@redhat.com>
After pulling/creating an image of a foreign platform, Podman will
happily use it when looking it up in the local storage and will not
pull down the image matching the host platform.
As discussed in #12682, the reasoning for it is Docker compatibility and
the fact that user already rely on the behavior. While Podman is now
emitting a warning when an image is in use not matching the local
platform, the documentation was lacking that information.
Fixes: #15300
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
...and, tweak markdown-process-review so it can detect and
remove identical files, making review easier.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Request object has its own context which must be used during a request
lifetime instead of just context.Background()
[NO NEW TESTS NEEDED]
Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
This exposed a nasty bug in our system-test setup: Ubuntu (runc)
was writing a scratch containers.conf file, and setting CONTAINERS_CONF
to point to it. This was well-intentionedly introduced in #10199 as
part of our long sad history of not testing runc. What I did not
understand at that time is that CONTAINERS_CONF is **dangerous**:
it does not mean "I will read standard containers.conf and then
override", it means "I will **IGNORE** standard containers.conf
and use only the settings in this file"! So on Ubuntu we were
losing all the default settings: capabilities, sysctls, all.
Yes, this is documented in containers.conf(5) but it is such
a huge violation of POLA that I need to repeat it.
In #14972, as yet another attempt to fix our runc crisis, I
introduced a new runc-override mechanism: create a custom
/etc/containers/containers.conf when OCI_RUNTIME=runc.
Unlike the CONTAINERS_CONF envariable, the /etc file
actually means what you think it means: "read the default
file first, then override with the /etc file contents".
I.e., we get the desired defaults. But I didn't remember
this helpers.bash workaround, so our runc testing has
actually been flawed: we have not been testing with
the system containers.conf. This commit removes the
no-longer-needed and never-actually-wanted workaround,
and by virtue of testing the cap-drops in kube generate,
we add a regression test to make sure this never happens
again.
It's a little scary that we haven't been testing capabilities.
Also scary: this PR requires python, for converting yaml to json.
I think that should be safe: python3 'import yaml' and 'json'
works fine on a RHEL8.7 VM from 1minutetip.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This also adds FreeBSD equivalents to the functions moved to
oci_conmon*_linux.go. For openUnixSocket, we create a temporary symlink
to shorten the path to something that fits into sockaddr_un.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
This function depends on linux-specific functionality in /proc/fd to
allow connecting to local domain sockets with pathnames too long for
sockaddr_un.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
