Add support for `--imagestore` in podman which allows users to split the filesystem of containers vs image store, imagestore if configured will pull images in image storage instead of the graphRoot while keeping the other parts still in the originally configured graphRoot.
This is an implementation of
https://github.com/containers/storage/pull/1549 in podman.
Signed-off-by: Aditya R <arajan@redhat.com>
The backend allows for any start/end ip in the subnet. There is no
reason to limit the cli to only CIDR subnets. This allows for much more
flexibility.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit creates a new command `podmansh` command which can be used by
administrators to provide a confined shell to their users.
The user will only have access to the volumes and capabilities for that
user.
Co-authored-by: Paul Holzinger <pholzing@redhat.com>
Co-authored-by: Daniel Walsh <dwalsh@redhat.com>
Co-authored-by: Petr Lautrbach <lautrbach@redhat.com>
Co-authored-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
add routes using the --route flag.
the no_default_route option in --opt prevents a default route from
getting added automatically.
Signed-off-by: Jan Hendrik Farr <github@jfarr.cc>
This fixes a lint issue, but I'm keeping it in its own commit so
it can be reverted independently if necessary; I don't know what
side effects this may have. I don't *think* there are any
issues, but I'm not sure why it wasn't a pointer in the first
place, so there may have been a reason.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
For filter=id=XXX (containers, pods) and =ctr-ids=XXX (pods):
if XXX is only hex characters, treat it as a PREFIX
otherwise, treat it as a REGEX
Add tests. Update documentation. And fix an incorrect help message.
Fixes: #18471
Signed-off-by: Ed Santiago <santiago@redhat.com>
To debug a deadlock, we really want to know what lock is actually
locked, so we can figure out what is using that lock. This PR
adds support for this, using trylock to check if every lock on
the system is free or in use. Will really need to be run a few
times in quick succession to verify that it's not a transient
lock and it's actually stuck, but that's not really a big deal.
Signed-off-by: Matt Heon <mheon@redhat.com>
This is a general debug command that identifies any lock
conflicts that could lead to a deadlock. It's only intended for
Libpod developers (while it does tell you if you need to run
`podman system renumber`, you should never have to do that
anyways, and the next commit will include a lot more technical
info in the output that no one except a Libpod dev will want).
Hence, hidden command, and only implemented for the local driver
(recommend just running it by SSHing into a `podman machine` VM
in the unlikely case it's needed by remote Podman).
These conflicts should normally never happen, but having a
command like this is useful for debugging deadlock conditions
when they do occur.
Signed-off-by: Matt Heon <mheon@redhat.com>
This probably should have been in the API since the beginning,
but it's not too late to start now.
The extra information is returned (both via the REST API, and to
the CLI handler for `podman rm`) but is not yet printed - it
feels like adding it to the output could be a breaking change?
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
When we do path completion in images a user could try to complete a
simple relative path, e.g. podman run $IMAGE e... should complete to etc
if this path exists in the image. Right now we panic in this case as the
current check didn't account for an empty string in simplePathJoinUnix().
In such a case return the path directly because we can not alter what
the user typed on the cli and must return a path without slash as well
in order for the shell to suggest the completion.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2209809
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Short description in man pages:
* Use imperative form
Command help (cobra.Command.Short):
* Capitalize first letter
* Use imperative form
* Remove ending full stop when the short description
only contains one sentence without any commas
Command help (cobra.Command.Long):
* Capitalize first letter unless the sentence starts
with a command "podman command ..."
* Use imperative form when the long description is
identical or almost identical to the short description.
This modification was only done in a few places.
Command tables:
* Use imperative form in the "Description" column
[NO NEW TESTS NEEDED]
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
Implement means for reflecting failed containers (i.e., those having
exited non-zero) to better integrate `kube play` with systemd. The
idea is to have the main PID of `kube play` exit non-zero in a
configurable way such that systemd's restart policies can kick in.
When using the default sdnotify-notify policy, the service container
acts as the main PID to further reduce the resource footprint. In that
case, before stopping the service container, Podman will lookup the exit
codes of all non-infra containers. The service will then behave
according to the following three exit-code policies:
- `none`: exit 0 and ignore containers (default)
- `any`: exit non-zero if _any_ container did
- `all`: exit non-zero if _all_ containers did
The upper values can be passed via a hidden `kube play
--service-exit-code-propagation` flag which can be used by tests and
later on by Quadlet.
In case Podman acts as the main PID (i.e., when at least one container
runs with an sdnotify-policy other than "ignore"), Podman will continue
to wait for the service container to exit and reflect its exit code.
Note that this commit also fixes a long-standing annoyance of the
service container exiting non-zero. The underlying issue was that the
service container had been stopped with SIGKILL instead of SIGTERM and
hence exited non-zero. Fixing that was a prerequisite for the exit-code
propagation to work but also improves the integration of `kube play`
with systemd and hence Quadlet with systemd.
Jira: issues.redhat.com/browse/RUN-1776
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The examples show that --dns-add 8.8.8.8,1.1.1.1 is valid but it fails,
fix this by using StringSliceVar which splits at commas.
Added tests to ensure it is working.
Fixes#18632
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Enable the --configmap flag for the remote case of podman
kube play. Users can pass in the paths to the configmap files
for kube play to use when creating the pods and containers from
a kube yaml file. The configmap file is read and the contents are
appended to the contents of the main yaml file before passed to the
remote client.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
When no name arg is given to Podman machine commands, Podman assumes the machine name is podman-machine-default. Document this behavior.
Signed-off-by: Ashley Cui <acui@redhat.com>
The `--network-cmd-path` CLI option only affects rootless networks using `slirp4netns(1)`, not `pasta(1)`. Following #18568 Podman should rather use the more generic `r.config.FindHelperBinary()` method (and therefore honour the `helper_binaries_dir` config) to find the path to the `slirp4netns` binary and deprecate the misleading `--network-cmd-path` CLI option. However, since this wasn't implemented yet we can't deprecate `--network-cmd-path` as of now. Adding a note anyway.
Fixes#18560
Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>
If there's a container defined in multiple directories use the following
precedence:
$XDG_CONFIG_HOME/containers/systemd/ or ~/.config/containers/systemd/
takes precedence over /etc/containers/systemd/users/$(UID) and this
takes precedence over /etc/containers/systemd/users/
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Fixes: https://github.com/containers/podman/issues/16354
Currently we check on the server side, which ends up generating a bad
error message.
$ podman --remote build foo/
ERRO[0000] While reading directory /home/dwalsh/go/src/github.com/containers/podman/foo: EOF
Error: stat /var/tmp/libpod_builder1249622306/build/Dockerfile: no such file or directory
With this change you will get
./bin/podman --remote build foo/
Error: Containerfile not specified and no Containerfile or Dockerfile found in context directory, /home/dwalsh/podman/foo
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
I would like to allow admin to control quadlet containers
in users homedirs.
If an admin sets a quadlet in
/etc/containers/systemd/users, then all users will run these
quadlet services when they login.
If an admin places a quadlet in /etc/containers/systemd/users/$(USERNAME)
then only the USERNAME will execute this quadlet service when
they login.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We have a spacial logic to create a better user error that hints at
podman machine, however because we string matched it missed the case of
the ssh connection.
Stop doing string comparison and return a proper error and match it with
errors.As()
[NO NEW TESTS NEEDED]
see https://github.com/containers/podman/discussions/18426
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
this pr is the first pass at enabling podman machine to use the apple hypervisor. there are still several TODO
areas like host networking. once the decision is handled on what host networking should look like, these TODOs
should be fairly quick to resolve. they also will impact the remove methods.
you must also have vfkit (https://github.com/crc-org/vfkit)
Signed-off-by: Brent Baude <bbaude@redhat.com>
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
Add Restarts column to the podman pod ps output to show the total number
of times the containers in a pod were restarted. This is the same as the
restarts column displayed by kubernetes with kubectl get pods. This will
only be displayed when --format={{.Restarts}}.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Add Restarts column to the podman ps output to show how many times a
container was restarted based on its restart policy. This column will be
displayed when --format={{.Restarts}}.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Add --restart flag to pod create to allow users to set the
restart policy for the pod, which applies to all the containers
in the pod. This reuses the restart policy already there for
containers and has the same restart policy options.
Add "never" to the restart policy options to match k8s syntax.
It is a synonym for "no" and does the exact same thing where the
containers are not restarted once exited.
Only the containers that have exited will be restarted based on the
restart policy, running containers will not be restarted when an exited
container is restarted in the same pod (same as is done in k8s).
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
