-rw-r--r--  CONTRIBUTING.md  7
-rw-r--r--  docs/source/markdown/options/arch.md  1
-rw-r--r--  docs/source/markdown/options/cert-dir.md  5
-rw-r--r--  docs/source/markdown/options/cpu-period.md  4
-rw-r--r--  docs/source/markdown/options/cpu-quota.md  4
-rw-r--r--  docs/source/markdown/options/cpu-shares.md  4
-rw-r--r--  docs/source/markdown/options/cpuset-cpus.md  4
-rw-r--r--  docs/source/markdown/options/cpuset-mems.md  4
-rw-r--r--  docs/source/markdown/options/platform.md  1
-rw-r--r--  docs/source/markdown/podman-build.1.md.in  22
-rw-r--r--  docs/source/markdown/podman-create.1.md.in  1
-rw-r--r--  docs/source/markdown/podman-kube-play.1.md.in  5
-rw-r--r--  docs/source/markdown/podman-pull.1.md.in  6
-rw-r--r--  docs/source/markdown/podman-run.1.md.in  1
-rwxr-xr-x  hack/markdown-preprocess-review  56
-rw-r--r--  troubleshooting.md  33
-rw-r--r--  version/version.go  2
17 files changed, 121 insertions, 39 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index a5ee0c1df..d0f4ceb02 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -97,6 +97,13 @@ You need install some dependencies before building a binary.
$ export PKG_CONFIG_PATH="/usr/lib/pkgconfig"
```
+#### Debian / Ubuntu
+
+ ```shell
+ $ sudo apt-get install -y libsystemd-dev libgpgme-dev libseccomp-dev
+ $ export PKG_CONFIG_PATH="/usr/lib/pkgconfig"
+ ```
+
### Building binaries and test your changes
To test your changes do `make binaries` to generate your binaries.
diff --git a/docs/source/markdown/options/arch.md b/docs/source/markdown/options/arch.md
index 005197707..76fb349a0 100644
--- a/docs/source/markdown/options/arch.md
+++ b/docs/source/markdown/options/arch.md
@@ -1,2 +1,3 @@
#### **--arch**=*ARCH*
Override the architecture, defaults to hosts, of the image to be pulled. For example, `arm`.
+Unless overridden, subsequent lookups of the same image in the local storage will match this architecture, regardless of the host.
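Review bot: The added sentence says "Unless overridden" without saying what does the overriding. A reader cannot tell from this text whether that means passing `--arch` again, passing `--platform`, or something else. Since the sentence describes a later plain lookup silently resolving to a non-host image, please name the mechanism explicitly. While this file is being touched, "defaults to hosts" in the line above reads as a typo for "host's".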
diff --git a/docs/source/markdown/options/cert-dir.md b/docs/source/markdown/options/cert-dir.md
new file mode 100644
index 000000000..4d05075cf
--- /dev/null
+++ b/docs/source/markdown/options/cert-dir.md
@@ -0,0 +1,5 @@
+#### **--cert-dir**=*path*
+
+Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d)
+Please refer to **[containers-certs.d(5)](https://github.com/containers/image/blob/main/docs/containers-certs.d.5.md)** for details.
+(This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
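Review bot: The link in the new shared text points at `blob/main/` of containers/image, so the build and kube-play man pages (which previously had the plain `containers-certs.d(5)` reference) now send readers to documentation that can drift from the installed version. Consider keeping the plain man-page reference as the primary pointer, or at least note that the link tracks the development branch.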
diff --git a/docs/source/markdown/options/cpu-period.md b/docs/source/markdown/options/cpu-period.md
index 8df6445e9..efbe6c2ab 100644
--- a/docs/source/markdown/options/cpu-period.md
+++ b/docs/source/markdown/options/cpu-period.md
@@ -5,6 +5,6 @@ duration in microseconds. Once the container's CPU quota is used up, it will
not be scheduled to run until the current period ends. Defaults to 100000
microseconds.
-On some systems, changing the CPU limits may not be allowed for non-root
+On some systems, changing the resource limits may not be allowed for non-root
users. For more details, see
-https://github.com/containers/podman/blob/main/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
+https://github.com/containers/podman/blob/main/troubleshooting.md#26-running-containers-with-resource-limits-fails-with-a-permissions-error
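Review bot: The new URL fragment `#26-running-containers-with-resource-limits-...` embeds the section number, and troubleshooting.md in this same commit still carries two headings numbered `### 26)`. Any renumbering to fix that duplicate will break this link in every option file that uses it. Consider fixing the numbering in this change so the anchor is stable before more files depend on it.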
diff --git a/docs/source/markdown/options/cpu-quota.md b/docs/source/markdown/options/cpu-quota.md
index 67b9dee8c..753797bad 100644
--- a/docs/source/markdown/options/cpu-quota.md
+++ b/docs/source/markdown/options/cpu-quota.md
@@ -7,6 +7,6 @@ CPU resource. The limit is a number in microseconds. If a number is provided,
the container will be allowed to use that much CPU time until the CPU period
ends (controllable via **--cpu-period**).
-On some systems, changing the CPU limits may not be allowed for non-root
+On some systems, changing the resource limits may not be allowed for non-root
users. For more details, see
-https://github.com/containers/podman/blob/main/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
+https://github.com/containers/podman/blob/main/troubleshooting.md#26-running-containers-with-resource-limits-fails-with-a-permissions-error
diff --git a/docs/source/markdown/options/cpu-shares.md b/docs/source/markdown/options/cpu-shares.md
index a5aacd2ca..c2115c1bf 100644
--- a/docs/source/markdown/options/cpu-shares.md
+++ b/docs/source/markdown/options/cpu-shares.md
@@ -33,3 +33,7 @@ this can result in the following division of CPU shares:
| 100 | C0 | 0 | 100% of CPU0 |
| 101 | C1 | 1 | 100% of CPU1 |
| 102 | C1 | 2 | 100% of CPU2 |
+
+On some systems, changing the resource limits may not be allowed for non-root
+users. For more details, see
+https://github.com/containers/podman/blob/main/troubleshooting.md#26-running-containers-with-resource-limits-fails-with-a-permissions-error
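Review bot: This three-line paragraph is now pasted verbatim into cpu-period.md, cpu-quota.md, cpu-shares.md, cpuset-cpus.md and cpuset-mems.md, so the next wording or anchor change has to be made in five places. It would be easier to maintain if the preprocessor could pull it from one shared snippet, the same way this commit consolidates `--cert-dir`.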
diff --git a/docs/source/markdown/options/cpuset-cpus.md b/docs/source/markdown/options/cpuset-cpus.md
index d717516a0..a67766897 100644
--- a/docs/source/markdown/options/cpuset-cpus.md
+++ b/docs/source/markdown/options/cpuset-cpus.md
@@ -3,3 +3,7 @@
CPUs in which to allow execution. Can be specified as a comma-separated list
(e.g. **0,1**), as a range (e.g. **0-3**), or any combination thereof
(e.g. **0-3,7,11-15**).
+
+On some systems, changing the resource limits may not be allowed for non-root
+users. For more details, see
+https://github.com/containers/podman/blob/main/troubleshooting.md#26-running-containers-with-resource-limits-fails-with-a-permissions-error
diff --git a/docs/source/markdown/options/cpuset-mems.md b/docs/source/markdown/options/cpuset-mems.md
index d2d13eb54..1eeab7b13 100644
--- a/docs/source/markdown/options/cpuset-mems.md
+++ b/docs/source/markdown/options/cpuset-mems.md
@@ -6,3 +6,7 @@ NUMA systems.
If there are four memory nodes on the system (0-3), use **--cpuset-mems=0,1**
then processes in the container will only use memory from the first
two memory nodes.
+
+On some systems, changing the resource limits may not be allowed for non-root
+users. For more details, see
+https://github.com/containers/podman/blob/main/troubleshooting.md#26-running-containers-with-resource-limits-fails-with-a-permissions-error
diff --git a/docs/source/markdown/options/platform.md b/docs/source/markdown/options/platform.md
index edfa428ff..b66efdfb2 100644
--- a/docs/source/markdown/options/platform.md
+++ b/docs/source/markdown/options/platform.md
@@ -2,3 +2,4 @@
Specify the platform for selecting the image. (Conflicts with --arch and --os)
The `--platform` option can be used to override the current architecture and operating system.
+Unless overridden, subsequent lookups of the same image in the local storage will match this platform, regardless of the host.
diff --git a/docs/source/markdown/podman-build.1.md.in b/docs/source/markdown/podman-build.1.md.in
index b49beb3bf..760396d0a 100644
--- a/docs/source/markdown/podman-build.1.md.in
+++ b/docs/source/markdown/podman-build.1.md.in
@@ -65,8 +65,9 @@ discarded when writing images in Docker formats.
Set the architecture of the image to be built, and that of the base image to be
pulled, if the build uses one, to the provided value instead of using the
-architecture of the build host. (Examples: arm, arm64, 386, amd64, ppc64le,
-s390x)
+architecture of the build host. Unless overridden, subsequent lookups of the
+same image in the local storage will match this architecture, regardless of the
+host. (Examples: arm, arm64, 386, amd64, ppc64le, s390x)
@@option authfile
@@ -164,10 +165,7 @@ If a capability is specified to both the **--cap-add** and **--cap-drop**
options, it will be dropped, regardless of the order in which the options were
given.
-#### **--cert-dir**=*path*
-
-Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d)
-Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
+@@option cert-dir
@@option cgroup-parent
@@ -454,7 +452,8 @@ do not include `History` information in their images.
Set the OS of the image to be built, and that of the base image to be pulled,
if the build uses one, instead of using the current operating system of the
-build host.
+build host. Unless overridden, subsequent lookups of the same image in the
+local storage will match this OS, regardless of the host.
#### **--os-feature**=*feature*
@@ -506,9 +505,12 @@ process.
Set the *os/arch* of the built image (and its base image, if your build uses one)
to the provided value instead of using the current operating system and
-architecture of the host (for example `linux/arm`). If `--platform` is set,
-then the values of the `--arch`, `--os`, and `--variant` options will be
-overridden.
+architecture of the host (for example `linux/arm`). Unless overridden,
+subsequent lookups of the same image in the local storage will match this
+platform, regardless of the host.
+
+If `--platform` is set, then the values of the `--arch`, `--os`, and
+`--variant` options will be overridden.
The `--platform` option can be specified more than once, or given a
comma-separated list of values as its argument. When more than one platform is
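Review bot: In the `--platform` text, "overridden" is now used in two different senses in adjacent paragraphs: "Unless overridden, subsequent lookups ..." (something overrides the remembered platform) and "the values of the `--arch`, `--os`, and `--variant` options will be overridden" (`--platform` overrides other flags). Rewording one of them, for example "will be ignored" for the second, would avoid the reader conflating the two.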
diff --git a/docs/source/markdown/podman-create.1.md.in b/docs/source/markdown/podman-create.1.md.in
index 3e6b07225..7ec4fc66f 100644
--- a/docs/source/markdown/podman-create.1.md.in
+++ b/docs/source/markdown/podman-create.1.md.in
@@ -452,6 +452,7 @@ This option conflicts with **--add-host**.
#### **--os**=*OS*
Override the OS, defaults to hosts, of the image to be pulled. For example, `windows`.
+Unless overridden, subsequent lookups of the same image in the local storage will match this OS, regardless of the host.
@@option passwd-entry
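Review bot: The `--os` paragraph, including the new "Unless overridden ..." line, is identical in podman-create, podman-pull and podman-run, yet it is edited by hand in all three files here. This commit already moves `--cert-dir` to `options/cert-dir.md` for exactly this reason; an `options/os.md` with `@@option os` would keep the three copies from diverging.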
diff --git a/docs/source/markdown/podman-kube-play.1.md.in b/docs/source/markdown/podman-kube-play.1.md.in
index 83b9f9904..14c5f2498 100644
--- a/docs/source/markdown/podman-kube-play.1.md.in
+++ b/docs/source/markdown/podman-kube-play.1.md.in
@@ -118,10 +118,7 @@ and as a result environment variable `FOO` will be set to `bar` for container `c
Build images even if they are found in the local storage. Use `--build=false` to completely disable builds. (This option is not available with the remote Podman client)
-#### **--cert-dir**=*path*
-
-Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d)
-Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
+@@option cert-dir
#### **--configmap**=*path*
diff --git a/docs/source/markdown/podman-pull.1.md.in b/docs/source/markdown/podman-pull.1.md.in
index cf06cc6a8..4753c38c7 100644
--- a/docs/source/markdown/podman-pull.1.md.in
+++ b/docs/source/markdown/podman-pull.1.md.in
@@ -53,10 +53,7 @@ All tagged images in the repository will be pulled.
@@option authfile
-#### **--cert-dir**=*path*
-
-Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d)
-Please refer to **[containers-certs.d(5)](https://github.com/containers/image/blob/main/docs/containers-certs.d.5.md)** for details. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
+@@option cert-dir
#### **--creds**=*[username[:password]]*
@@ -77,6 +74,7 @@ Print the usage statement.
#### **--os**=*OS*
Override the OS, defaults to hosts, of the image to be pulled. For example, `windows`.
+Unless overridden, subsequent lookups of the same image in the local storage will match this OS, regardless of the host.
@@option platform
diff --git a/docs/source/markdown/podman-run.1.md.in b/docs/source/markdown/podman-run.1.md.in
index 1c02eafe9..d10520e35 100644
--- a/docs/source/markdown/podman-run.1.md.in
+++ b/docs/source/markdown/podman-run.1.md.in
@@ -465,6 +465,7 @@ This option conflicts with **--add-host**.
#### **--os**=*OS*
Override the OS, defaults to hosts, of the image to be pulled. For example, `windows`.
+Unless overridden, subsequent lookups of the same image in the local storage will match this OS, regardless of the host.
#### **--passwd**
diff --git a/hack/markdown-preprocess-review b/hack/markdown-preprocess-review
index a487265ad..a3e237fb6 100755
--- a/hack/markdown-preprocess-review
+++ b/hack/markdown-preprocess-review
@@ -114,8 +114,60 @@ for my $i (0..$#all_opts) {
next if $ans =~ /^n/i;
exit 0 if $ans =~ /^q/i;
- system("diffuse", "-w", glob("*")) == 0
- or die "Diffuse failed\n";
+ # Try to cull the files (remove identical ones)
+ my @files = glob("*");
+ my $winner = pop @files;
+
+ for my $f (@files) {
+ system('cmp', '-s', $f, $winner);
+ if ($? == 0) {
+ print "[ $f is the one we went with; removing from list ]\n";
+ unlink $f;
+ next;
+ }
+
+ system('wdiff', '-1', '-2', '-3', $f, $winner);
+ if ($? == 0) {
+ print "[ $f is whitespace-identical with what we went with ]\n";
+ unlink $f;
+ next;
+ }
+ }
+
+ # Recompute @files, in case some were deleted above
+ @files = glob("*"); pop @files;
+
+ for (my $i=0; $i < $#files; $i++) {
+ my $f1 = $files[$i];
+ next unless -e $f1;
+
+ for (my $j=$i+1; $j <= $#files; $j++) {
+ my $f2 = $files[$j];
+ next unless -e $f2;
+
+ system('wdiff', '-1', '-2', '-3', $f1, $f2);
+ if ($? == 0) {
+ print "[ $f2 : removing, it =~ $f1 ]\n";
+ unlink $f2;
+ }
+ }
+ }
+
+ # Recompute @files, in case some were deleted above
+ @files = glob("*");
+
+ # diffuse works great for 3-4 files, passable for 5, not at all for >5
+ if (@files <= 5) {
+ system("diffuse", "-w", @files) == 0
+ or die "Diffuse failed\n";
+ }
+ else {
+ # Too many files. Go by threes.
+ my $winner = pop @files;
+ for (my $i=0; $i < @files; $i += 3) {
+ system("diffuse", "-w", @files[$i..$i+2], $winner);
+ }
+ }
}
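Review bot: In the "Go by threes" branch, `@files[$i..$i+2]` runs past the end of the array whenever the number of remaining files is not a multiple of three, so `diffuse` is called with undefined arguments on the last pass. Clamp the upper index to `$#files` before slicing. That branch also ignores the return value of `system("diffuse", ...)`, unlike the `<= 5` branch which dies on failure. Separately, the culling loops `unlink` files based only on `$? == 0` from `cmp` and `wdiff`; if `wdiff` is not installed nothing is culled and nothing is reported, so a one-time check that the tool exists would make the behaviour less surprising.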
diff --git a/troubleshooting.md b/troubleshooting.md
index 6d46a543f..c4ce191ca 100644
--- a/troubleshooting.md
+++ b/troubleshooting.md
@@ -678,23 +678,28 @@ $ podman run --rootfs /path/to/rootfs:O ....
Modifications to the mount point are destroyed when the container
finishes executing, similar to a tmpfs mount point being unmounted.
-### 26) Running containers with CPU limits fails with a permissions error
+### 26) Running containers with resource limits fails with a permissions error
-On some systemd-based systems, non-root users do not have CPU limit delegation
-permissions. This causes setting CPU limits to fail.
+On some systemd-based systems, non-root users do not have resource limit delegation
+permissions. This causes setting resource limits to fail.
#### Symptom
-Running a container with a CPU limit options such as `--cpus`, `--cpu-period`,
-or `--cpu-quota` will fail with an error similar to the following:
+Running a container with a resource limit options will fail with an error similar to the following:
- Error: opening file `cpu.max` for writing: Permission denied: OCI runtime permission denied error
+`--cpus`, `--cpu-period`, `--cpu-quota`, `--cpu-shares`:
-This means that CPU limit delegation is not enabled for the current user.
+ Error: OCI runtime error: crun: the requested cgroup controller `cpu` is not available
+
+`--cpuset-cpus`, `--cpuset-mems`:
+
+ Error: OCI runtime error: crun: the requested cgroup controller `cpuset` is not available
+
+This means that resource limit delegation is not enabled for the current user.
#### Solution
-You can verify whether CPU limit delegation is enabled by running the following command:
+You can verify whether resource limit delegation is enabled by running the following command:
```console
$ cat "/sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers"
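Review bot: The Symptom section drops the old `cpu.max` "Permission denied" message entirely; if any supported runtime version still emits it, users searching for that string will no longer land here, so consider keeping it as an additional symptom beside the two new `crun` messages. The new lead sentence also needs a grammar fix ("a resource limit options") and currently ends in "similar to the following:" directly before a list of flags rather than before an error message.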
@@ -704,19 +709,19 @@ Example output might be:
memory pids
-In the above example, `cpu` is not listed, which means the current user does
-not have permission to set CPU limits.
+In the above example, `cpu` and `cpuset` are not listed, which means the current user does
+not have permission to set CPU or CPUSET limits.
-If you want to enable CPU limit delegation for all users, you can create the
+If you want to enable CPU or CPUSET limit delegation for all users, you can create the
file `/etc/systemd/system/user@.service.d/delegate.conf` with the contents:
```ini
[Service]
-Delegate=memory pids cpu io
+Delegate=memory pids cpu cpuset
```
-After logging out and logging back in, you should have permission to set CPU
-limits.
+After logging out and logging back in, you should have permission to set
+CPU and CPUSET limits.
### 26) `exec container process '/bin/sh': Exec format error` (or another binary than `bin/sh`)
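Review bot: The `delegate.conf` example changes from `Delegate=memory pids cpu io` to `Delegate=memory pids cpu cpuset`, which silently drops `io`. Anyone who follows the updated text loses the `io` controller they would have had from the old instructions; unless that is intentional, use `Delegate=memory pids cpu cpuset io`, or say why `io` was removed. Also, the prose writes "CPUSET" in capitals while the controller name shown in the output and the config is `cpuset`, and this section and the next are both still numbered 26.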
diff --git a/version/version.go b/version/version.go
index 0a84bb235..417f3a9b1 100644
--- a/version/version.go
+++ b/version/version.go
@@ -27,7 +27,7 @@ const (
// NOTE: remember to bump the version at the top
// of the top-level README.md file when this is
// bumped.
-var Version = semver.MustParse("4.2.0-dev")
+var Version = semver.MustParse("4.3.0-dev")
// See https://docs.docker.com/engine/api/v1.40/
// libpod compat handlers are expected to honor docker API versions
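Review bot: The comment directly above the bumped line says to bump the version at the top of the top-level README.md when this changes, but README.md is not among the 17 files in this commit. Either include the README update here or confirm it is handled in a separate change.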