If two containers use the same image and one rolled back (i.e., tagged
the old image again), make sure to repull the image for the other
container.
Once an image has caused a rollback, it may be worth marking this image
as broken and not update any other container using it but that is
outside of the scope.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Change the auto-update logic to update unit-by-unit rather by policy.
This allows for, in theory now and in practice later, to have mutliple
containers run in a single systemd unit and update them in sequence
before restarting the unit.
[NO NEW TESTS NEEDED] - should not change behavior.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Drop a comment on using `chcon` to let the local rollback test pass.
It took me a while to understand why the test failed and future souls
may appreciated the extra breadcrumb.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
A `task` includes data and state for updating a given container image.
It will come in handy in future changes, but we are going there in
baby steps to have smaller incremental changes.
[NO NEW TESTS NEEDED] - should not change behaviour.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Introduce an `updater` type to allow for sharing state.
This will be more useful for future changes.
[NO NEW TESTS NEEDED] as it does not change behavior.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When docs.podman.io is build on readthedocs we have to make sure to
generate the markdown pages first.
It works locally with sphinx but I have no idea if this works on the
readthedocs infra.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
str.removeprefix() and str.removesuffix() is python 3.9+ only but we need to
support older versions for the OSX cross task.
This fixes broken CI on main.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Secret was populating a generated kube as `null`. Add omitempty
so that when the volume source is not a secret, we do not print unnecessary info
resolves#15156
Signed-off-by: Charlie Doern <cdoern@redhat.com>
this updates downloading of gvproxy and qemu using a standard
makefile rule which will avoid downloading them again if its
already downloaded
[NO NEW TESTS NEEDED]
Signed-off-by: Anjan Nath <kaludios@gmail.com>
add file hvf.entitlements which has the com.apple.security.hypervisor
entitlement needed for qemu
[NO NEW TESTS NEEDED]
Signed-off-by: Anjan Nath <kaludios@gmail.com>
podman-create and -run have many options in common. To date,
these are copy-pasted and haphazardly maintained.
Solution: add an include mechanism, '@@option foo', such
that multiple md source files can fetch from one common file.
This is a Phase One commit, a very small subset of what's
possible. Purpose of this commit is ease of review. If this
passes review, much more (trickier stuff) will be forthcoming.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The "podman kube down" reads in a structured file of
Kubernetes YAML and removes pods based on the Kubernetes kind described in the YAML,
similiar to "podman play kube --down". Users will still be able to use
"podman play kube --down" and "podman kube play --down" to
perform the same function.
Signed-off-by: Niall Crowe <nicrowe@redhat.com>
When podman kube play was added the endpoint for the kube play/play kube
commands was switched from the "play kube" endpoint to the new "kube play"
endpoint. This caused issues with the remote client, requiring the need
to use the "play kube" endpoint again in order to avoid these issues.
Signed-off-by: Niall Crowe <nicrowe@redhat.com>
podman run/create can accept `-h <hostname>` as argument. When parsing
flags -h throws an help requested error from pflag. To prevent this
error we have to define the help flag.
Fixes#15124
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Current directories and files stay the same with the current implementation as long as the tarball does not contain a directories or files with the same name.
Signed-off-by: Felix Stupp <me+github@banananet.work>
- Allow creating sigstore signatures via --sign-by-sigstore-private-key .
Like existing --sign-by, it does not work remote (in this case
because we would have to copy the private key to the server).
- Allow passing a passphrase (which is mandatory for sigstore private keys)
via --sign-passphrase-file; if it is not provided, prompt interactively.
- Also, use that passphrase for --sign-by as well, allowing non-interactive
GPG use. (But --sign-passphrase-file can only be used with _one of_
--sign-by and --sign-by-sigstore-private-key.)
Note that unlike the existing code, (podman build) does not yet
implement sigstore (I'm not sure why it needs to, it seems not to
push images?) because Buildah does not expose the feature yet.
Also, (podman image sign) was not extended to support sigstore.
The test for this follows existing (podman image sign) tests
and doesn't work rootless; that could be improved by exposing
a registries.d override option.
The test for push is getting large; I didn't want to
start yet another registry container, but that would be an
alternative. In the future, Ginkgo's Ordered/BeforeAll
would allow starting a registry once and using it for two
tests.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
