After a failed start, we can run into (somehow inconsistent) states
where the machine won't start because a previous QEMU process is still
running and the PID file is being used. Stop didn't resolve the issue
as this state wasn't detected.
Allow to recover from this state by a) detecting it during start and
error out with a more helpful message than the error QEMU would
otherwise spit out, and b) by enabling stop to kill the dangling QEMU
process - even after a failed stop.
With the changes, a recovery may look as follows:
```
_ podman git:(main) _ ./bin/darwin/podman machine start
Starting machine "podman-machine-default"
Error: cannot start VM "podman-machine-default": another instance of "/opt/homebrew/bin/qemu-system-aarch64" is already running with process ID 970: please stop and restart the VM
_ podman git:(main) _ ./bin/darwin/podman machine stop
Machine "podman-machine-default" stopped successfully
_ podman git:(main) _ ./bin/darwin/podman machine start
Starting machine "podman-machine-default"
Waiting for VM ...
```
Please note that this change does not prevent us from running into such
inconsistent states but only allows for recovering from them.
[NO NEW TESTS NEEDED] - there is no reliable reproducer.
Fixes: #16054
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Moves the shared logic from `writeConfig` into a shared function in
`pkg/machine/machine_common.go`
[NO NEW TESTS NEEDED]
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Moves most of the logic of `setRootful` to the common file
`pkg/machine/machine_common.go`.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Moves `removeFilesAndConnections` to the common file
`pkg/machine/connections.go` to be reused by multiple hypervisors.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Moves `waitAPIAndPrintInfo` into the common file
`pkg/machine/machine_common.go` allowing applehv and qemu to share the
code.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Moves the implementation of `addSSHConnectionsToPodmanSocket` into the
common file `pkg/machine/machine_common.go`. The implementation was
shared between the hypervisors and does not need to be implemented
multiple times.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Also update Fedora and Debian names. Include ID of broken images in
`validate_task` comment about broken rawhide. This should get picked
up by renovate next time images are updated - hopefully prompting
someone to re-enable the check.
Signed-off-by: Renovate Bot <bot@renovateapp.com>
Signed-off-by: Chris Evich <cevich@redhat.com>
Currently the CIDFile is not removed with podman --remote run --rm
if the client and server are on different machines.
[NO NEW TESTS NEEDED] i
There is currently a test for this that does not fail because the client
and server are on the same machine.
If we run these tests on a MAC or Windows platform, they would start
failing.
Fixes: https://github.com/containers/podman/issues/19420
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The original SELinux support in Docker and Podman does not follow the
default SELinux rules for how label transitions are supposed to be
handled. Containers always switch their user and role to
system_u:system_r, rather then maintain the collers user and role.
For example
unconfined_u:unconfined_r:container_t:s0:c1,c2
Advanced SELinux administrators want to confine users but still allow
them to create containers from their role, but not allow them to launch
a privileged container like spc_t.
This means if a user running as
container_user_u:container_user_r:container_user_t:s0
Ran a container they would get
container_user_u:container_user_r:container_t:s0:c1,c2
If they run a privileged container they would run it with:
container_user_u:container_user_r:container_user_t:s0
If they want to force the label they would get an error
podman run --security-opt label=type:spc_t ...
Should fail. Because the container_user_r can not run with the spc_t.
SELinux rules would also prevent the user from forcing system_u user and
the sytem_r role.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Chris Evich <cevich@redhat.com>
This tool sometimes throws nonsensical or difficult to debug errors.
Verifying DCO and white-space issues in commits has long since been
moved to other tools (github-actions and git pre-commit hooks). There's
no need to duplicate these checks with the git-validation tool.
Signed-off-by: Chris Evich <cevich@redhat.com>
Moves acquisition of an alternate image provided by the user out of
`acquireVMImage` in `pkg/machine/<hypervisor>/machine.go` and into
`pkg/machine/pull.go` as its own function.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Moves `getDevNullFiles` into a new common file,
`pkg/machine/machine_common.go`, preventing the re-implementation of the
function across the different hypervisor implementations.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Converts new functions added in #19311 to methods and adds
documentation.
[NO NEW TESTS NEEDED]
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
