106 files changed, 1236 insertions, 1115 deletions
diff --git a/.cirrus.yml b/.cirrus.yml index 0752901ab..ae5463427 100644 --- a/.cirrus.yml +++ b/.cirrus.yml 
@@ -807,7 +807,59 @@ success_task: CTR_FQIN: ${FEDORA_CONTAINER_FQIN} TEST_ENVIRON: container clone_script: *noop - script: /bin/true + script: *noop + + +artifacts_task: + name: "Artifacts" + alias: artifacts + only_if: *not_docs + depends_on: + - success + # This task is a secondary/convenience for downstream consumers, don't + # block development progress if there is a failure in a PR, only break + # when running on branches or tags. + allow_failures: $CIRRUS_PR != '' + container: *smallcontainer + env: + CTR_FQIN: ${FEDORA_CONTAINER_FQIN} + TEST_ENVIRON: container + CURL: "curl --fail --location -O https://api.cirrus-ci.com/v1/artifact/build/${CIRRUS_BUILD_ID}" + # In order to keep the download URL and Cirrus-CI artifact.zip contents + # simple, nothing should exist in $CIRRUS_WORKING_DIR except for artifacts. + clone_script: *noop + script: + # Assume the latest Fedora release build is most useful + - $CURL/Build%20for%20$FEDORA_NAME/binary/bin/podman + - $CURL/Build%20for%20$FEDORA_NAME/binary/bin/podman-remote + - $CURL/Build%20for%20$FEDORA_NAME/binary/bin/rootlessport + - chmod +x podman* rootlessport + # Architecture in filename & can't use wildcards in a URL + - mkdir -p /tmp/alt + - cd /tmp/alt + - $CURL/Alt%20Arch.%20Cross/gosrc.zip + - unzip gosrc.zip + - cd $CIRRUS_WORKING_DIR + - mv /tmp/alt/*.tar.gz ./ + # Windows MSI filename has version number + - mkdir -p /tmp/win + - cd /tmp/win + - $CURL/Windows%20Cross/gosrc.zip + - unzip gosrc.zip + - cd $CIRRUS_WORKING_DIR + - mv /tmp/win/podman-remote*.zip /tmp/win/*.msi ./ + # OSX + - $CURL/OSX%20Cross/gosrc/podman-remote-release-darwin_amd64.zip + - $CURL/OSX%20Cross/gosrc/podman-remote-release-darwin_arm64.zip + # Always show contents to assist in debugging + always: + contents_script: ls -1 $CIRRUS_WORKING_DIR + # Produce downloadable files and an automatic zip-file accessible + # by a consistent URL, based on contents of $CIRRUS_WORKING_DIR + # Ref: 
https://cirrus-ci.org/guide/writing-tasks/#latest-build-artifacts + binary_artifacts: + path: ./* + type: application/octet-stream # When a new tag is pushed, confirm that the code and commits @@ -435,22 +435,6 @@ local-cross: $(CROSS_BUILD_TARGETS) ## Cross compile podman binary for multiple .PHONY: cross cross: local-cross -# Update nix/nixpkgs.json its latest stable commit -.PHONY: nixpkgs -nixpkgs: - @nix run \ - -f channel:nixos-21.05 nix-prefetch-git \ - -c nix-prefetch-git \ - --no-deepClone \ - https://github.com/nixos/nixpkgs refs/heads/nixos-21.05 > nix/nixpkgs.json - -# Build statically linked binary -.PHONY: static -static: - @nix build -f nix/ - mkdir -p ./bin - cp -rfp ./result/bin/* ./bin/ - .PHONY: build-no-cgo build-no-cgo: BUILDTAGS="containers_image_openpgp exclude_graphdriver_btrfs \ diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go index 8d9a255ec..afaa1942e 100644 --- a/cmd/podman/common/create.go +++ b/cmd/podman/common/create.go @@ -394,14 +394,6 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions, ) _ = cmd.RegisterFlagCompletionFunc(platformFlagName, completion.AutocompleteNone) - podFlagName := "pod" - createFlags.StringVar( - &cf.Pod, - podFlagName, "", - "Run container in an existing pod", - ) - _ = cmd.RegisterFlagCompletionFunc(podFlagName, AutocompletePods) - podIDFileFlagName := "pod-id-file" createFlags.StringVar( &cf.PodIDFile, @@ -837,6 +829,14 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions, ) _ = cmd.RegisterFlagCompletionFunc(nameFlagName, completion.AutocompleteNone) + podFlagName := "pod" + createFlags.StringVar( + &cf.Pod, + podFlagName, "", + "Run container in an existing pod", + ) + _ = cmd.RegisterFlagCompletionFunc(podFlagName, AutocompletePods) + cpuPeriodFlagName := "cpu-period" createFlags.Uint64Var( &cf.CPUPeriod, diff --git a/cmd/podman/images/import.go b/cmd/podman/images/import.go index a7416e298..47f2a798d 100644 
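Review bot: The artifacts task republishes binaries that it fetched with `curl --fail --location -O` and marked executable with `chmod +x podman* rootlessport`, but nothing in the script records a digest, so a downstream consumer of the "consistent URL" mentioned in the comment has no way to detect a truncated or substituted download. Adding `- sha256sum * > SHA256SUMS` as the last step of `script:` (after the two OSX zips, before `always:`) would ship a manifest alongside the files at no cost. Note that a checksum produced inside the same job only guards the transfer, not the builder; anything stronger (provenance for the release binaries) would need a signature made outside this task. The task also assumes `$FEDORA_NAME` expands to a single token without shell metacharacters, since it is interpolated unquoted into the URL; that seems safe for the values this file uses but is worth a comment next to the `CURL` definition.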
--- a/cmd/podman/images/import.go +++ b/cmd/podman/images/import.go @@ -76,6 +76,18 @@ func importFlags(cmd *cobra.Command) { flags.StringVarP(&importOpts.Message, messageFlagName, "m", "", "Set commit message for imported image") _ = cmd.RegisterFlagCompletionFunc(messageFlagName, completion.AutocompleteNone) + osFlagName := "os" + flags.StringVar(&importOpts.OS, osFlagName, "", "Set the OS of the imported image") + _ = cmd.RegisterFlagCompletionFunc(osFlagName, completion.AutocompleteNone) + + archFlagName := "arch" + flags.StringVar(&importOpts.Architecture, archFlagName, "", "Set the architecture of the imported image") + _ = cmd.RegisterFlagCompletionFunc(archFlagName, completion.AutocompleteNone) + + variantFlagName := "variant" + flags.StringVar(&importOpts.Variant, variantFlagName, "", "Set the variant of the imported image") + _ = cmd.RegisterFlagCompletionFunc(variantFlagName, completion.AutocompleteNone) + flags.BoolVarP(&importOpts.Quiet, "quiet", "q", false, "Suppress output") if !registry.IsRemote() { flags.StringVar(&importOpts.SignaturePolicy, "signature-policy", "", "Path to a signature-policy file") diff --git a/cmd/podman/machine/set.go b/cmd/podman/machine/set.go index 4a05a9c1c..4c15f1de1 100644 --- a/cmd/podman/machine/set.go +++ b/cmd/podman/machine/set.go @@ -17,7 +17,7 @@ var ( Long: "Sets an updatable virtual machine setting", RunE: setMachine, Args: cobra.MaximumNArgs(1), - Example: `podman machine set --root=false`, + Example: `podman machine set --rootful=false`, ValidArgsFunction: completion.AutocompleteNone, } ) diff --git a/cmd/podman/play/kube.go b/cmd/podman/play/kube.go index 3067f0d54..e92516eb4 100644 --- a/cmd/podman/play/kube.go +++ b/cmd/podman/play/kube.go 
@@ -209,10 +209,15 @@ func teardown(yamlfile string) error { podRmErrors utils.OutputErrors ) options := new(entities.PlayKubeDownOptions) - reports, err := registry.ContainerEngine().PlayKubeDown(registry.GetContext(), yamlfile, *options) + f, err := os.Open(yamlfile) if err != nil { return err } + defer f.Close() + reports, err := registry.ContainerEngine().PlayKubeDown(registry.GetContext(), f, *options) + if err != nil { + return errors.Wrap(err, yamlfile) + } // Output stopped pods fmt.Println("Pods stopped:") @@ -242,10 +247,15 @@ func teardown(yamlfile string) error { } func playkube(yamlfile string) error { - report, err := registry.ContainerEngine().PlayKube(registry.GetContext(), yamlfile, kubeOptions.PlayKubeOptions) + f, err := os.Open(yamlfile) if err != nil { return err } + defer f.Close() + report, err := registry.ContainerEngine().PlayKube(registry.GetContext(), f, kubeOptions.PlayKubeOptions) + if err != nil { + return errors.Wrap(err, yamlfile) + } // Print volumes report for i, volume := range report.Volumes { if i == 0 { diff --git a/contrib/cirrus/cirrus_yaml_test.py b/contrib/cirrus/cirrus_yaml_test.py index 39de0c7b7..b424c3ee6 100755 --- a/contrib/cirrus/cirrus_yaml_test.py +++ b/contrib/cirrus/cirrus_yaml_test.py @@ -26,7 +26,7 @@ class TestCaseBase(unittest.TestCase): class TestDependsOn(TestCaseBase): ALL_TASK_NAMES = None - SUCCESS_DEPS_EXCLUDE = set(['success', 'release', 'release_test']) + SUCCESS_DEPS_EXCLUDE = set(['success', 'artifacts', 'release', 'release_test']) def setUp(self): super().setUp() diff --git a/contrib/msi/podman.wxs b/contrib/msi/podman.wxs index c4ba623c0..786465589 100644 --- a/contrib/msi/podman.wxs +++ b/contrib/msi/podman.wxs 
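Review bot: The new wrap `errors.Wrap(err, yamlfile)` produces messages of the form `/path/to/pod.yaml: <engine error>`, which reads as if the path itself were the failing component rather than the file being played; `errors.Wrapf(err, "tearing down %q", yamlfile)` here, and `errors.Wrapf(err, "playing %q", yamlfile)` in the parallel hunk in `playkube`, would say what was being attempted. The `os.Open` error is left unwrapped, which is fine since the `*os.PathError` it returns already carries the path, but a one-line comment saying so would stop the asymmetry looking accidental. The open/defer/call sequence is now duplicated verbatim in both functions; if a third caller appears it should be factored out. `teardown`'s body continues past the end of this hunk.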
@@ -13,6 +13,8 @@ <Package Id="*" Keywords="Installer" Description="Red Hat's Podman $(var.VERSION) Installer" Comments="Apache 2.0 License" Manufacturer="Red Hat Inc." InstallScope="perMachine" InstallerVersion="200" Compressed="yes"/> <Media Id="1" Cabinet="Podman.cab" EmbedCab="yes"/> + <!-- Switch to AllowDowngrades="yes" when msitools is released with commit dde7dd2f --> + <MajorUpgrade DowngradeErrorMessage="A newer version of [ProductName] is already installed. Uninstall first to downgrade."/> <Property Id="DiskPrompt" Value="Red Hat's Podman $(var.VERSION) Installation"/> <Directory Id="TARGETDIR" Name="SourceDir"> diff --git a/docs/source/markdown/podman-build.1.md b/docs/source/markdown/podman-build.1.md index b9542fec5..c8707521f 100644 --- a/docs/source/markdown/podman-build.1.md +++ b/docs/source/markdown/podman-build.1.md @@ -312,7 +312,7 @@ environment variable. `export BUILDAH_FORMAT=docker` Overrides the first `FROM` instruction within the Containerfile. If there are multiple FROM instructions in a Containerfile, only the first is changed. -**-h**, **--help** +#### **--help**, **-h** Print usage statement @@ -320,15 +320,15 @@ Print usage statement Pass through HTTP Proxy environment variables. +#### **--ignorefile** + +Path to an alternative .containerignore file. + #### **--iidfile**=*ImageIDfile* Write the built image's ID to the file. When `--platform` is specified more than once, attempting to use this option will trigger an error. -#### **--ignorefile** - -Path to an alternative .containerignore file. - #### **--ipc**=*how* Sets the configuration for IPC namespaces when handling `RUN` instructions. 
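Review bot: `<MajorUpgrade>` only detects an existing install through the `UpgradeCode` on the enclosing `<Product>` element, which is outside this hunk; confirm it is set and that it stays constant across releases, otherwise the downgrade message is never shown and two versions can coexist. The comment's plan to flip to `AllowDowngrades="yes"` deserves a caveat when it happens: that setting lets an older, possibly vulnerable MSI silently replace a patched `perMachine` install, so it should be a deliberate choice rather than a convenience default — consider extending the comment with `<!-- Allowing downgrades lets an older (unpatched) build replace a newer one; keep the DowngradeErrorMessage unless there is a reason not to. -->`. Without an explicit `Schedule` attribute the old product is removed after `InstallValidate` and before the new files are laid down, which is the WiX default and reasonable here.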
@@ -643,47 +643,62 @@ the user namespace in which `podman` itself is being run should be reused, or it can be the path to a user namespace which is already in use by another process. -#### **--userns-uid-map**=*mapping* +#### **--userns-gid-map**=*mapping* -Directly specifies a UID mapping which should be used to set ownership, at the +Directly specifies a GID mapping which should be used to set ownership, at the filesystem level, on the working container's contents. Commands run when handling `RUN` instructions will default to being run in their own user namespaces, configured using the UID and GID maps. Entries in this map take the form of one or more triples of a starting -in-container UID, a corresponding starting host-level UID, and the number of +in-container GID, a corresponding starting host-level GID, and the number of consecutive IDs which the map entry represents. -This option overrides the *remap-uids* setting in the *options* section of +This option overrides the *remap-gids* setting in the *options* section of /etc/containers/storage.conf. -If this option is not specified, but a global --userns-uid-map setting is +If this option is not specified, but a global --userns-gid-map setting is supplied, settings from the global option will be used. -If none of --userns-uid-map-user, --userns-gid-map-group, or --userns-uid-map -are specified, but --userns-gid-map is specified, the UID map will be set to -use the same numeric values as the GID map. +If none of --userns-uid-map-user, --userns-gid-map-group, or --userns-gid-map +are specified, but --userns-uid-map is specified, the GID map will be set to +use the same numeric values as the UID map. 
-#### **--userns-gid-map**=*mapping* +#### **--userns-gid-map-group**=*group* -Directly specifies a GID mapping which should be used to set ownership, at the +Specifies that a GID mapping which should be used to set ownership, at the +filesystem level, on the working container's contents, can be found in entries +in the `/etc/subgid` file which correspond to the specified group. +Commands run when handling `RUN` instructions will default to being run in +their own user namespaces, configured using the UID and GID maps. +If --userns-uid-map-user is specified, but --userns-gid-map-group is not +specified, `podman` will assume that the specified user name is also a +suitable group name to use as the default setting for this option. + +**NOTE:** When this option is specified by a rootless user, the specified +mappings are relative to the rootless user namespace in the container, rather +than being relative to the host as it would be when run rootfull. + +#### **--userns-uid-map**=*mapping* + +Directly specifies a UID mapping which should be used to set ownership, at the filesystem level, on the working container's contents. Commands run when handling `RUN` instructions will default to being run in their own user namespaces, configured using the UID and GID maps. Entries in this map take the form of one or more triples of a starting -in-container GID, a corresponding starting host-level GID, and the number of +in-container UID, a corresponding starting host-level UID, and the number of consecutive IDs which the map entry represents. -This option overrides the *remap-gids* setting in the *options* section of +This option overrides the *remap-uids* setting in the *options* section of /etc/containers/storage.conf. -If this option is not specified, but a global --userns-gid-map setting is +If this option is not specified, but a global --userns-uid-map setting is supplied, settings from the global option will be used. 
-If none of --userns-uid-map-user, --userns-gid-map-group, or --userns-gid-map -are specified, but --userns-uid-map is specified, the GID map will be set to -use the same numeric values as the UID map. +If none of --userns-uid-map-user, --userns-gid-map-group, or --userns-uid-map +are specified, but --userns-gid-map is specified, the UID map will be set to +use the same numeric values as the GID map. #### **--userns-uid-map-user**=*user* @@ -700,21 +715,6 @@ suitable user name to use as the default setting for this option. mappings are relative to the rootless user namespace in the container, rather than being relative to the host as it would be when run rootfull. -#### **--userns-gid-map-group**=*group* - -Specifies that a GID mapping which should be used to set ownership, at the -filesystem level, on the working container's contents, can be found in entries -in the `/etc/subgid` file which correspond to the specified group. -Commands run when handling `RUN` instructions will default to being run in -their own user namespaces, configured using the UID and GID maps. -If --userns-uid-map-user is specified, but --userns-gid-map-group is not -specified, `podman` will assume that the specified user name is also a -suitable group name to use as the default setting for this option. - -**NOTE:** When this option is specified by a rootless user, the specified -mappings are relative to the rootless user namespace in the container, rather -than being relative to the host as it would be when run rootfull. - #### **--uts**=*how* Sets the configuration for UTS namespaces when handling `RUN` instructions. @@ -1010,7 +1010,7 @@ Exclude all doc files except Help.doc from the image. This functionality is compatible with the handling of .containerignore files described here: -https://github.com/containers/buildah/blob/main/docs/containerignore.5.md +https://github.com/containers/common/blob/main/docs/containerignore.5.md **registries.conf** (`/etc/containers/registries.conf`) 
@@ -1032,7 +1032,7 @@ If you are using `useradd` within your build script, you should pass the useradd to stop creating the lastlog file. ## SEE ALSO -**[podman(1)](podman.1.md)**, **[buildah(1)](https://github.com/containers/buildah/blob/main/docs/buildah.1.md)**, **[containers-certs.d(5)](https://github.com/containers/image/blob/main/docs/containers-certs.d.5.md)**, **[containers-registries.conf(5)](https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md)**, **[crun(1)](https://github.com/containers/crun/blob/main/crun.1.md)**, **[runc(8)](https://github.com/opencontainers/runc/blob/master/man/runc.8.md)**, **[useradd(8)](https://www.unix.com/man-page/redhat/8/useradd)**, **[podman-ps(1)](podman-ps.1.md)**, **[podman-rm(1)](podman-rm.1.md)**, **[Containerfile(5)](https://github.com/containers/buildah/blob/main/docs/Containerfile.5.md)**, **[containerignore(5)](https://github.com/containers/buildah/blob/main/docs/containerignore.5.md)** +**[podman(1)](podman.1.md)**, **[buildah(1)](https://github.com/containers/buildah/blob/main/docs/buildah.1.md)**, **[containers-certs.d(5)](https://github.com/containers/image/blob/main/docs/containers-certs.d.5.md)**, **[containers-registries.conf(5)](https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md)**, **[crun(1)](https://github.com/containers/crun/blob/main/crun.1.md)**, **[runc(8)](https://github.com/opencontainers/runc/blob/master/man/runc.8.md)**, **[useradd(8)](https://www.unix.com/man-page/redhat/8/useradd)**, **[podman-ps(1)](podman-ps.1.md)**, **[podman-rm(1)](podman-rm.1.md)**, **[Containerfile(5)](https://github.com/containers/common/blob/main/docs/Containerfile.5.md)**, **[containerignore(5)](https://github.com/containers/common/blob/main/docs/containerignore.5.md)** ## HISTORY Aug 2020, Additional options and .containerignore added by Dan Walsh `<dwalsh@redhat.com>` 
diff --git a/docs/source/markdown/podman-commit.1.md b/docs/source/markdown/podman-commit.1.md index df3c38711..3df931254 100644 --- a/docs/source/markdown/podman-commit.1.md +++ b/docs/source/markdown/podman-commit.1.md @@ -60,14 +60,14 @@ Set commit message for committed image.\ Pause the container when creating an image.\ The default is **false**. -#### **--squash**, **-s** +#### **--quiet**, **-q** -Squash newly built layers into a single new layer.\ +Suppresses output.\ The default is **false**. -#### **--quiet**, **-q** +#### **--squash**, **-s** -Suppresses output.\ +Squash newly built layers into a single new layer.\ The default is **false**. ## EXAMPLES diff --git a/docs/source/markdown/podman-container-checkpoint.1.md b/docs/source/markdown/podman-container-checkpoint.1.md index fcb3cfd0c..5c07cd975 100644 --- a/docs/source/markdown/podman-container-checkpoint.1.md +++ b/docs/source/markdown/podman-container-checkpoint.1.md @@ -35,6 +35,14 @@ to import the *container* on another system and thus enabling container live migration. This checkpoint archive also includes all changes to the *container's* root file-system, if not explicitly disabled using **--ignore-rootfs**. +#### **--file-locks** + +Checkpoint a *container* with file locks. If an application running in the container +is using file locks, this OPTION is required during checkpoint and restore. Otherwise +checkpointing *containers* with file locks is expected to fail. If file locks are not +used, this option is ignored.\ +The default is **false**. + #### **--ignore-rootfs** If a checkpoint is exported to a tar.gz file it is possible with the help of **--ignore-rootfs** to explicitly disable including changes to the root file-system into the checkpoint archive file.\ 
@@ -119,14 +127,6 @@ restore. Defaults to not checkpointing *containers* with established TCP connections.\ The default is **false**. -#### **--file-locks** - -Checkpoint a *container* with file locks. If an application running in the container -is using file locks, this OPTION is required during checkpoint and restore. Otherwise -checkpointing *containers* with file locks is expected to fail. If file locks are not -used, this option is ignored.\ -The default is **false**. - #### **--with-previous** Check out the *container* with previous criu image files in pre-dump. It only works on `runc 1.0-rc3` or `higher`.\ diff --git a/docs/source/markdown/podman-container-clone.1.md b/docs/source/markdown/podman-container-clone.1.md index 52fa023f3..eaf330373 100644 --- a/docs/source/markdown/podman-container-clone.1.md +++ b/docs/source/markdown/podman-container-clone.1.md @@ -11,25 +11,6 @@ podman\-container\-clone - Creates a copy of an existing container ## OPTIONS -#### **--name** - -Set a custom name for the cloned container. The default if not specified is of the syntax: **<ORIGINAL_NAME>-clone** - -#### **--destroy** - -Remove the original container that we are cloning once used to mimic the configuration. - -#### **--cpus** - -Set a number of CPUs for the container that overrides the original containers CPU limits. If none are specified, the original container's Nano CPUs are used. - -This is shorthand -for **--cpu-period** and **--cpu-quota**, so only **--cpus** or either both the **--cpu-period** and **--cpu-quota** options can be set. - -#### **--cpuset-cpus** - -CPUs in which to allow execution (0-3, 0,1). If none are specified, the original container's CPUset is used. - #### **--cpu-period**=*limit* Set the CPU period for the Completely Fair Scheduler (CFS), which is a 
@@ -43,6 +24,43 @@ https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-c If none is specified, the original container's cpu period is used +#### **--cpu-quota**=*limit* + +Limit the CPU Completely Fair Scheduler (CFS) quota. + +Limit the container's CPU usage. By default, containers run with the full +CPU resource. The limit is a number in microseconds. If a number is provided, +the container will be allowed to use that much CPU time until the CPU period +ends (controllable via **--cpu-period**). + +On some systems, changing the CPU limits may not be allowed for non-root +users. For more details, see +https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error + +If none is specified, the original container's CPU quota are used. + +#### **--cpu-rt-period**=*microseconds* + +Limit the CPU real-time period in microseconds + +Limit the container's Real Time CPU usage. This option tells the kernel to restrict the container's Real Time CPU usage to the period specified. + +This option is not supported on cgroups V2 systems. + +If none is specified, the original container's CPU runtime period is used. + + +#### **--cpu-rt-runtime**=*microseconds* + +Limit the CPU real-time runtime in microseconds. + +Limit the containers Real Time CPU usage. This option tells the kernel to limit the amount of time in a given CPU period Real Time tasks may consume. Ex: +Period of 1,000,000us and Runtime of 950,000us means that this container could consume 95% of available CPU and leave the remaining 5% to normal priority tasks. + +The sum of all runtimes across containers cannot exceed the amount allotted to the parent cgroup. + +This option is not supported on cgroup V2 systems. + #### **--cpu-shares**=*shares* CPU shares (relative weight) 
@@ -82,6 +100,17 @@ PID container CPU CPU share If none are specified, the original container's CPU shares are used. +#### **--cpus** + +Set a number of CPUs for the container that overrides the original containers CPU limits. If none are specified, the original container's Nano CPUs are used. + +This is shorthand +for **--cpu-period** and **--cpu-quota**, so only **--cpus** or either both the **--cpu-period** and **--cpu-quota** options can be set. + +#### **--cpuset-cpus** + +CPUs in which to allow execution (0-3, 0,1). If none are specified, the original container's CPUset is used. + #### **--cpuset-mems**=*nodes* Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems. 
@@ -92,42 +121,9 @@ two memory nodes. If none are specified, the original container's CPU memory nodes are used. -#### **--cpu-quota**=*limit* - -Limit the CPU Completely Fair Scheduler (CFS) quota. - -Limit the container's CPU usage. By default, containers run with the full -CPU resource. The limit is a number in microseconds. If a number is provided, -the container will be allowed to use that much CPU time until the CPU period -ends (controllable via **--cpu-period**). - -On some systems, changing the CPU limits may not be allowed for non-root -users. For more details, see -https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error - -If none is specified, the original container's CPU quota are used. - -#### **--cpu-rt-period**=*microseconds* - -Limit the CPU real-time period in microseconds - -Limit the container's Real Time CPU usage. This option tells the kernel to restrict the container's Real Time CPU usage to the period specified. - -This option is not supported on cgroups V2 systems. - -If none is specified, the original container's CPU runtime period is used. - - -#### **--cpu-rt-runtime**=*microseconds* - -Limit the CPU real-time runtime in microseconds. - -Limit the containers Real Time CPU usage. This option tells the kernel to limit the amount of time in a given CPU period Real Time tasks may consume. Ex: -Period of 1,000,000us and Runtime of 950,000us means that this container could consume 95% of available CPU and leave the remaining 5% to normal priority tasks. - -The sum of all runtimes across containers cannot exceed the amount allotted to the parent cgroup. +#### **--destroy** -This option is not supported on cgroup V2 systems. +Remove the original container that we are cloning once used to mimic the configuration. #### **--memory**, **-m**=*limit* 
@@ -141,6 +137,16 @@ system's page size (the value would be very large, that's millions of trillions) If no memory limits are specified, the original container's will be used. +#### **--name** + +Set a custom name for the cloned container. The default if not specified is of the syntax: **<ORIGINAL_NAME>-clone** + +#### **--pod**=*name* + +Clone the container in an existing pod. It is helpful to move a container to an +existing pod. The container will join the pod shared namespaces, losing its configuration +that conflicts with the shared namespaces. + #### **--run** When set to true, this flag runs the newly created container after the diff --git a/docs/source/markdown/podman-container-restore.1.md b/docs/source/markdown/podman-container-restore.1.md index 4016eb1cb..5b1bf82c5 100644 --- a/docs/source/markdown/podman-container-restore.1.md +++ b/docs/source/markdown/podman-container-restore.1.md 
@@ -16,25 +16,14 @@ Restore all checkpointed *containers*.\ The default is **false**.\ *IMPORTANT: This OPTION does not need a container name or ID as input argument.* -#### **--keep**, **-k** +#### **--file-locks** -Keep all temporary log and statistics files created by `CRIU` during -checkpointing as well as restoring. These files are not deleted if restoring -fails for further debugging. If restoring succeeds these files are -theoretically not needed, but if these files are needed Podman can keep the -files for further analysis. This includes the checkpoint directory with all -files created during checkpointing. The size required by the checkpoint -directory is roughly the same as the amount of memory required by the -processes in the checkpointed *container*.\ -Without the **--keep**, **-k** option the checkpoint will be consumed and cannot be used again.\ +Restore a *container* with file locks. This option is required to +restore file locks from a checkpoint image. If the checkpoint image +does not contain file locks, this option is ignored. Defaults to not +restoring file locks.\ The default is **false**. -#### **--latest**, **-l** - -Instead of providing the *container ID* or *name*, use the last created *container*. If other tools than Podman are used to run *containers* such as `CRI-O`, the last started *container* could be from either tool.\ -The default is **false**.\ -*IMPORTANT: This OPTION is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines. This OPTION does not need a container name or ID as input argument.* - #### **--ignore-rootfs** If a *container* is restored from a checkpoint tar.gz file it is possible that it also contains all root file-system changes. With **--ignore-rootfs** it is possible to explicitly disable applying these root file-system changes to the restored *container*.\ 
@@ -89,6 +78,25 @@ Import a pre-checkpoint tar.gz file which was exported by Podman. This option must be used with **-i** or **--import**. It only works on `runc 1.0-rc3` or `higher`. *IMPORTANT: This OPTION is not supported on the remote client, including Mac and Windows (excluding WSL2) machines.* +#### **--keep**, **-k** + +Keep all temporary log and statistics files created by `CRIU` during +checkpointing as well as restoring. These files are not deleted if restoring +fails for further debugging. If restoring succeeds these files are +theoretically not needed, but if these files are needed Podman can keep the +files for further analysis. This includes the checkpoint directory with all +files created during checkpointing. The size required by the checkpoint +directory is roughly the same as the amount of memory required by the +processes in the checkpointed *container*.\ +Without the **--keep**, **-k** option the checkpoint will be consumed and cannot be used again.\ +The default is **false**. + +#### **--latest**, **-l** + +Instead of providing the *container ID* or *name*, use the last created *container*. If other tools than Podman are used to run *containers* such as `CRI-O`, the last started *container* could be from either tool.\ +The default is **false**.\ +*IMPORTANT: This OPTION is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines. This OPTION does not need a container name or ID as input argument.* + #### **--name**, **-n**=*name* If a *container* is restored from a checkpoint tar.gz file it is possible to rename it with **--name, -n**. This way it is possible to restore a *container* from a checkpoint multiple times with different 
@@ -149,14 +157,6 @@ option is ignored. Defaults to not restoring *containers* with established TCP connections.\ The default is **false**. -#### **--file-locks** - -Restore a *container* with file locks. This option is required to -restore file locks from a checkpoint image. If the checkpoint image -does not contain file locks, this option is ignored. Defaults to not -restoring file locks.\ -The default is **false**. - ## EXAMPLE Restores the container "mywebserver". ``` diff --git a/docs/source/markdown/podman-container-runlabel.1.md b/docs/source/markdown/podman-container-runlabel.1.md index ac34b232c..40e5392ce 100644 --- a/docs/source/markdown/podman-container-runlabel.1.md +++ b/docs/source/markdown/podman-container-runlabel.1.md @@ -35,10 +35,6 @@ Path of the containers-auth.json(5) file. Default is ${XDG\_RUNTIME\_DIR}/contai Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` -#### **--display** - -Display the label's value of the image having populated its environment variables. The runlabel command will not execute if --display is specified. - #### **--cert-dir**=*path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d) @@ -48,6 +44,10 @@ Please refer to containers-certs.d(5) for details. (This option is not available The [username[:password]] to use to authenticate with the registry if required. If one or both values are not supplied, a command line prompt will appear and the value can be entered. The password is entered without echo. +#### **--display** + +Display the label's value of the image having populated its environment variables. The runlabel command will not execute if --display is specified. + #### **--help**, **-h** Print usage statement diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 506f575fe..7ef5cb2d3 100644 
--- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -65,6 +65,7 @@ and specified with a _tag_. $ podman create oci-archive:/tmp/fedora echo hello ## OPTIONS + #### **--add-host**=*host* Add a custom host-to-IP mapping (host:ip) @@ -114,6 +115,14 @@ Add Linux capabilities Drop Linux capabilities +#### **--cgroup-conf**=*KEY=VALUE* + +When running on cgroup v2, specify the cgroup file to write to and its value. For example **--cgroup-conf=memory.high=1073741824** sets the memory.high limit to 1GB. + +#### **--cgroup-parent**=*path* + +Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist. + #### **--cgroupns**=*mode* Set the cgroup namespace mode for the container. 
@@ -134,13 +143,11 @@ The *disabled* option will force the container to not create CGroups, and thus c The *no-conmon* option disables a new CGroup only for the conmon process. The *split* option splits the current cgroup in two sub-cgroups: one for conmon and one for the container payload. It is not possible to set *--cgroup-parent* with *split*. -#### **--cgroup-parent**=*path* - -Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist. - -#### **--cgroup-conf**=*KEY=VALUE* +#### **--chrootdirs**=*path* -When running on cgroup v2, specify the cgroup file to write to and its value. For example **--cgroup-conf=memory.high=1073741824** sets the memory.high limit to 1GB. +Path to a directory inside the container that should be treated as a `chroot` directory. +Any Podman managed file (e.g., /etc/resolv.conf, /etc/hosts, etc/hostname) that is mounted into the root directory will be mounted into that location as well. +Multiple directories should be separated with a comma. #### **--cidfile**=*id* 
@@ -346,14 +353,14 @@ This option allows arbitrary environment variables that are available for the pr See [**Environment**](#environment) note below for precedence and examples. -#### **--env-host** - -Use host environment inside of the container. See **Environment** note below for precedence. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) - #### **--env-file**=*file* Read in a line delimited file of environment variables. See **Environment** note below for precedence. +#### **--env-host** + +Use host environment inside of the container. See **Environment** note below for precedence. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) + #### **--expose**=*port* Expose a port, or a range of ports (e.g. --expose=3300-3310) to set up port redirection @@ -406,6 +413,10 @@ The initialization time needed for a container to bootstrap. The value can be ex The maximum time allowed to complete the healthcheck before an interval is considered failed. Like start-period, the value can be expressed in a time format such as `1m22s`. The default value is `30s`. +#### **--help** + +Print usage statement + #### **--hostname**=*name*, **-h** Container host name @@ -417,10 +428,6 @@ Sets the container host name that is available inside the container. Can only be Add a user account to /etc/passwd from the host to the container. The Username or UID must exist on the host system. -#### **--help** - -Print usage statement - #### **--http-proxy** By default proxy environment variables are passed into the container if set 
@@ -761,6 +768,16 @@ Default is to create a private PID namespace for the container - `ns`: join the specified PID namespace - `private`: create a new namespace for the container (default) +#### **--pidfile**=*path* + +When the pidfile location is specified, the container process' PID will be written to the pidfile. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) +If the pidfile option is not specified, the container process' PID will be written to /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile. + +After the container is started, the location for the pidfile can be discovered with the following `podman inspect` command: + + $ podman inspect --format '{{ .PidFile }}' $CID + /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile + #### **--pids-limit**=*limit* Tune the container's pids limit. Set `-1` to have unlimited pids for the container. (default "4096" on systems that support PIDS cgroups). 
@@ -1077,23 +1094,6 @@ standard input. Set timezone in container. This flag takes area-based timezones, GMT time, as well as `local`, which sets the timezone in the container to match the host machine. See `/usr/share/zoneinfo/` for valid timezones. Remote connections use local containers.conf for defaults -#### **--umask**=*umask* - -Set the umask inside the container. Defaults to `0022`. -Remote connections use local containers.conf for defaults - -#### **--unsetenv**=*env* - -Unset default environment variables for the container. Default environment -variables include variables provided natively by Podman, environment variables -configured by the image, and environment variables from containers.conf. - -#### **--unsetenv-all**=*true|false* - -Unset all default environment variables for the container. Default environment -variables include variables provided natively by Podman, environment variables -configured by the image, and environment variables from containers.conf. - #### **--uidmap**=*container_uid*:*from_uid*:*amount* Run the container in a new user namespace using the supplied mapping. This 
@@ -1178,6 +1178,23 @@ Ulimit options You can pass `host` to copy the current configuration from the host. +#### **--umask**=*umask* + +Set the umask inside the container. Defaults to `0022`. +Remote connections use local containers.conf for defaults + +#### **--unsetenv**=*env* + +Unset default environment variables for the container. Default environment +variables include variables provided natively by Podman, environment variables +configured by the image, and environment variables from containers.conf. + +#### **--unsetenv-all**=*true|false* + +Unset all default environment variables for the container. Default environment +variables include variables provided natively by Podman, environment variables +configured by the image, and environment variables from containers.conf. + #### **--user**, **-u**=*user* Sets the username or UID used and optionally the groupname or GID for the specified command. 
@@ -1443,22 +1460,6 @@ The default working directory for running binaries within a container is the roo The image developer can set a different default with the WORKDIR instruction. The operator can override the working directory by using the **-w** option. -#### **--pidfile**=*path* - -When the pidfile location is specified, the container process' PID will be written to the pidfile. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) -If the pidfile option is not specified, the container process' PID will be written to /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile. - -After the container is started, the location for the pidfile can be discovered with the following `podman inspect` command: - - $ podman inspect --format '{{ .PidFile }}' $CID - /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile - -#### **--chrootdirs**=*path* - -Path to a directory inside the container that should be treated as a `chroot` directory. -Any Podman managed file (e.g., /etc/resolv.conf, /etc/hosts, etc/hostname) that is mounted into the root directory will be mounted into that location as well. -Multiple directories should be separated with a comma. - ## EXAMPLES ### Create a container using a local image diff --git a/docs/source/markdown/podman-events.1.md b/docs/source/markdown/podman-events.1.md index 7ca52e3e9..741aca3a5 100644 --- a/docs/source/markdown/podman-events.1.md +++ b/docs/source/markdown/podman-events.1.md @@ -70,15 +70,6 @@ The *volume* type will report the following statuses: ## OPTIONS -#### **--help** - -Print usage statement. - -#### **--format** - -Format the output to JSON Lines or using the given Go template. - - #### **--filter**=*filter* Filter events that are displayed. They must be in the format of "filter=value". The following 
@@ -93,6 +84,14 @@ filters are supported: In the case where an ID is used, the ID may be in its full or shortened form. +#### **--format** + +Format the output to JSON Lines or using the given Go template. + +#### **--help** + +Print usage statement. + #### **--no-trunc** Do not truncate the output (default *true*). diff --git a/docs/source/markdown/podman-export.1.md b/docs/source/markdown/podman-export.1.md index b2ad4e907..53d7e425e 100644 --- a/docs/source/markdown/podman-export.1.md +++ b/docs/source/markdown/podman-export.1.md @@ -24,14 +24,14 @@ Note: `:` is a restricted character and cannot be part of the file name. ## OPTIONS -#### **--output**, **-o** - -Write to a file, default is STDOUT - #### **--help**, **-h** Print usage statement +#### **--output**, **-o** + +Write to a file, default is STDOUT + ## EXAMPLES ``` diff --git a/docs/source/markdown/podman-generate-systemd.1.md b/docs/source/markdown/podman-generate-systemd.1.md index b2b5ee2ca..32d5d2bc4 100644 --- a/docs/source/markdown/podman-generate-systemd.1.md +++ b/docs/source/markdown/podman-generate-systemd.1.md @@ -16,6 +16,16 @@ _Note: If you use this command with the remote client, including Mac and Windows ## OPTIONS +#### **--after**=*dependency_name* + +Add the systemd unit after (`After=`) option, that ordering dependencies between the list of dependencies and this service. This option may be specified more than once. + +User-defined dependencies will be appended to the generated unit file, but any existing options such as needed or defined by default (e.g. `online.target`) will **not** be removed or overridden. + +#### **--container-prefix**=*prefix* + +Set the systemd unit name prefix for containers. The default is *container*. + #### **--files**, **-f** Generate files instead of printing to stdout. The generated files are named {container,pod}-{ID,name}.service and will be placed in the current working directory. 
@@ -40,13 +50,13 @@ Note that `--new` only works on containers and pods created directly via Podman Do not generate the header including meta data such as the Podman version and the timestamp. -#### **--start-timeout** =*value* +#### **--pod-prefix**=*prefix* -Override the default start timeout for the container with the given value in seconds. +Set the systemd unit name prefix for pods. The default is *pod*. -#### **--stop-timeout** =*value* +#### **--requires**=*dependency_name* -Override the default stop timeout for the container with the given value in seconds. +Set the systemd unit requires (`Requires=`) option. Similar to wants, but declares a stronger requirement dependency. #### **--restart-policy**=*policy* 
@@ -58,33 +68,17 @@ Set the systemd restart policy. The restart-policy must be one of: "no", "on-su Set the systemd service restartsec value. Configures the time to sleep before restarting a service (as configured with restart-policy). Takes a value in seconds. -#### **--container-prefix**=*prefix* - -Set the systemd unit name prefix for containers. The default is *container*. - -#### **--pod-prefix**=*prefix* - -Set the systemd unit name prefix for pods. The default is *pod*. - #### **--separator**=*separator* Set the systemd unit name separator between the name/id of a container/pod and the prefix. The default is *-*. -#### **--wants**=*dependency_name* - -Add the systemd unit wants (`Wants=`) option, that this service is (weak) dependent on. This option may be specified more than once. This option does not influence the order in which services are started or stopped. - -User-defined dependencies will be appended to the generated unit file, but any existing options such as needed or defined by default (e.g. `online.target`) will **not** be removed or overridden. - -#### **--after**=*dependency_name* - -Add the systemd unit after (`After=`) option, that ordering dependencies between the list of dependencies and this service. This option may be specified more than once. +#### **--start-timeout** =*value* -User-defined dependencies will be appended to the generated unit file, but any existing options such as needed or defined by default (e.g. `online.target`) will **not** be removed or overridden. +Override the default start timeout for the container with the given value in seconds. -#### **--requires**=*dependency_name* +#### **--stop-timeout** =*value* -Set the systemd unit requires (`Requires=`) option. Similar to wants, but declares a stronger requirement dependency. +Override the default stop timeout for the container with the given value in seconds. #### **--template** 
@@ -92,6 +86,12 @@ Add template specifiers to run multiple services from the systemd unit file. Note that if `--new` was not set to true, it is set to true by default. However, if `--new` is set to `false` explicitly the command will fail. +#### **--wants**=*dependency_name* + +Add the systemd unit wants (`Wants=`) option, that this service is (weak) dependent on. This option may be specified more than once. This option does not influence the order in which services are started or stopped. + +User-defined dependencies will be appended to the generated unit file, but any existing options such as needed or defined by default (e.g. `online.target`) will **not** be removed or overridden. + ## EXAMPLES ### Generate and print a systemd unit file for a container diff --git a/docs/source/markdown/podman-history.1.md b/docs/source/markdown/podman-history.1.md index 4ab2547ea..af35814c2 100644 --- a/docs/source/markdown/podman-history.1.md +++ b/docs/source/markdown/podman-history.1.md @@ -29,6 +29,15 @@ Valid placeholders for the Go template are listed below: ## OPTIONS +Print the numeric IDs only (default *false*). +#### **--format**=*format* + +Alter the output for a format like 'json' or a Go template. + +#### **--help**, **-h** + +Print usage statement + #### **--human**, **-H** Display sizes and dates in human readable format (default *true*). @@ -39,15 +48,6 @@ Do not truncate the output (default *false*). #### **--quiet**, **-q** -Print the numeric IDs only (default *false*). -#### **--format**=*format* - -Alter the output for a format like 'json' or a Go template. - -#### **--help**, **-h** - -Print usage statement - ## EXAMPLES ``` diff --git a/docs/source/markdown/podman-image-scp.1.md b/docs/source/markdown/podman-image-scp.1.md index e08d5b465..1d902da91 100644 --- a/docs/source/markdown/podman-image-scp.1.md +++ b/docs/source/markdown/podman-image-scp.1.md 
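Review bot: In the podman-history.1.md section, the first hunk adds `+Print the numeric IDs only (default *false*).` directly under `## OPTIONS`, ahead of `#### **--format**=*format*`, while the second hunk removes that same sentence from beneath `#### **--quiet**, **-q**`; on the new side `--quiet` therefore has no description and the OPTIONS section opens with an orphaned sentence. The intent appears to be only to move the `--format` and `--help` blocks into alphabetical order, so the quiet description should not travel with them. Drop the `+Print the numeric IDs only (default *false*).` line from the first hunk, and in the second hunk keep ` Print the numeric IDs only (default *false*).` as a context line followed by a blank `+` line, which also repairs the missing blank line before the next heading that the old text had.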
@@ -20,14 +20,14 @@ Note: `::` is used to specify the image name depending on if you are saving or l ## OPTIONS -#### **--quiet**, **-q** - -Suppress the output - #### **--help**, **-h** Print usage statement +#### **--quiet**, **-q** + +Suppress the output + ## EXAMPLES diff --git a/docs/source/markdown/podman-image-sign.1.md b/docs/source/markdown/podman-image-sign.1.md index 7e483a3b2..035e10743 100644 --- a/docs/source/markdown/podman-image-sign.1.md +++ b/docs/source/markdown/podman-image-sign.1.md @@ -15,10 +15,6 @@ By default, the signature will be written into `/var/lib/containers/sigstore` fo ## OPTIONS -#### **--help**, **-h** - -Print usage statement. - #### **--all**, **-a** Sign all the manifests of the multi-architecture image (default false). @@ -39,6 +35,10 @@ Please refer to containers-certs.d(5) for details. (This option is not available Store the signatures in the specified directory. Default: /var/lib/containers/sigstore +#### **--help**, **-h** + +Print usage statement. + #### **--sign-by**=*identity* Override the default identity of the signature. diff --git a/docs/source/markdown/podman-images.1.md b/docs/source/markdown/podman-images.1.md index f1d9d4816..f81ea5a20 100644 --- a/docs/source/markdown/podman-images.1.md +++ b/docs/source/markdown/podman-images.1.md @@ -73,14 +73,14 @@ Valid placeholders for the Go template are listed below: Display the history of image names. If an image gets re-tagged or untagged, then the image name history gets prepended (latest image first). This is especially useful when undoing a tag operation or an image does not contain any name because it has been untagged. -#### **--noheading**, **-n** - -Omit the table headings from the listing of images. - #### **--no-trunc** Do not truncate the output (default *false*). +#### **--noheading**, **-n** + +Omit the table headings from the listing of images. + #### **--quiet**, **-q** Lists only the image IDs. 
diff --git a/docs/source/markdown/podman-import.1.md b/docs/source/markdown/podman-import.1.md index 462e9eacf..bfe0291de 100644 --- a/docs/source/markdown/podman-import.1.md +++ b/docs/source/markdown/podman-import.1.md @@ -19,6 +19,10 @@ Note: `:` is a restricted character and cannot be part of the file name. ## OPTIONS +#### **--arch** + +Set architecture of the imported image. + #### **--change**=*instruction*, **-c** Apply the following possible instructions to the created image: @@ -26,21 +30,29 @@ Apply the following possible instructions to the created image: Can be set multiple times +#### **--help**, **-h** + +Print usage statement + #### **--message**, **-m**=*message* Set commit message for imported image +#### **--os** + +Set OS of the imported image. + #### **--quiet**, **-q** Shows progress on the import -**--verbose** +#### **--variant** -Print additional debugging information +Set variant of the imported image. -#### **--help**, **-h** +**--verbose** -Print usage statement +Print additional debugging information ## EXAMPLES diff --git a/docs/source/markdown/podman-inspect.1.md b/docs/source/markdown/podman-inspect.1.md index 9eafb7460..a67604ab5 100644 --- a/docs/source/markdown/podman-inspect.1.md +++ b/docs/source/markdown/podman-inspect.1.md @@ -22,11 +22,6 @@ For more inspection options, see also ## OPTIONS -#### **--type**, **-t**=*type* - -Return JSON for the specified type. Type can be 'container', 'image', 'volume', 'network', 'pod', or 'all' (default: all) -(Only meaningful when invoked as *podman inspect*) - #### **--format**, **-f**=*format* Format the output using the given Go template. 
@@ -43,6 +38,10 @@ This option can be used to inspect the latest pod created when used with --type In addition to normal output, display the total file size if the type is a container. +#### **--type**, **-t**=*type* + +Return JSON for the specified type. Type can be 'container', 'image', 'volume', 'network', 'pod', or 'all' (default: all) +(Only meaningful when invoked as *podman inspect*) ## EXAMPLE diff --git a/docs/source/markdown/podman-load.1.md b/docs/source/markdown/podman-load.1.md index 30e8e82ea..ad32df854 100644 --- a/docs/source/markdown/podman-load.1.md +++ b/docs/source/markdown/podman-load.1.md @@ -26,6 +26,10 @@ Note: `:` is a restricted character and cannot be part of the file name. ## OPTIONS +#### **--help**, **-h** + +Print usage statement + #### **--input**, **-i**=*input* Load the specified input file instead of from stdin. The file can be on the local file system or on a server (e.g., https://server.com/archive.tar) @@ -38,10 +42,6 @@ NOTE: Use the environment variable `TMPDIR` to change the temporary storage loca Suppress the progress output -#### **--help**, **-h** - -Print usage statement - ## EXAMPLES ``` diff --git a/docs/source/markdown/podman-logout.1.md b/docs/source/markdown/podman-logout.1.md index e34c80e95..96ac98f35 100644 --- a/docs/source/markdown/podman-logout.1.md +++ b/docs/source/markdown/podman-logout.1.md @@ -21,6 +21,10 @@ All the cached credentials can be removed by setting the **all** flag. ## OPTIONS +#### **--all**, **-a** + +Remove the cached credentials for all registries in the auth file + #### **--authfile**=*path* Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json. 
@@ -28,10 +32,6 @@ Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` -#### **--all**, **-a** - -Remove the cached credentials for all registries in the auth file - #### **--help**, **-h** Print usage statement diff --git a/docs/source/markdown/podman-logs.1.md b/docs/source/markdown/podman-logs.1.md index f62a66c81..e12042030 100644 --- a/docs/source/markdown/podman-logs.1.md +++ b/docs/source/markdown/podman-logs.1.md @@ -39,14 +39,6 @@ strings (e.g. 10m, 1h30m) computed relative to the client machine's time. Suppor time stamps include RFC3339Nano, RFC3339, 2006-01-02T15:04:05, 2006-01-02T15:04:05.999999999, 2006-01-02Z07:00, and 2006-01-02. -#### **--until**=*TIMESTAMP* - -Show logs until TIMESTAMP. The --until option can be Unix timestamps, date formatted timestamps, or Go duration -strings (e.g. 10m, 1h30m) computed relative to the client machine's time. Supported formats for date formatted -time stamps include RFC3339Nano, RFC3339, 2006-01-02T15:04:05, 2006-01-02T15:04:05.999999999, 2006-01-02Z07:00, -and 2006-01-02. - - #### **--tail**=*LINES* Output the specified number of LINES at the end of the logs. LINES must be an integer. Defaults to -1, @@ -56,6 +48,13 @@ which prints all lines Show timestamps in the log outputs. The default is false +#### **--until**=*TIMESTAMP* + +Show logs until TIMESTAMP. The --until option can be Unix timestamps, date formatted timestamps, or Go duration +strings (e.g. 10m, 1h30m) computed relative to the client machine's time. Supported formats for date formatted +time stamps include RFC3339Nano, RFC3339, 2006-01-02T15:04:05, 2006-01-02T15:04:05.999999999, 2006-01-02Z07:00, +and 2006-01-02. + ## EXAMPLE To view a container's logs: 
diff --git a/docs/source/markdown/podman-machine-init.1.md b/docs/source/markdown/podman-machine-init.1.md index 36db5b1cd..ac258eaae 100644 --- a/docs/source/markdown/podman-machine-init.1.md +++ b/docs/source/markdown/podman-machine-init.1.md @@ -32,6 +32,10 @@ Number of CPUs. Size of the disk for the guest VM in GB. +#### **--help** + +Print usage statement. + #### **--ignition-path** Fully qualified path of the ignition file. @@ -83,10 +87,6 @@ so mounts must be created under the /mnt directory. Driver to use for mounting volumes from the host, such as `virtfs`. -#### **--help** - -Print usage statement. - ## EXAMPLES ``` diff --git a/docs/source/markdown/podman-machine-rm.1.md b/docs/source/markdown/podman-machine-rm.1.md index c9c68d111..4a2c59173 100644 --- a/docs/source/markdown/podman-machine-rm.1.md +++ b/docs/source/markdown/podman-machine-rm.1.md @@ -19,14 +19,14 @@ is used. ## OPTIONS -#### **--help** - -Print usage statement. - #### **--force**, **-f** Stop and delete without confirmation. +#### **--help** + +Print usage statement. + #### **--save-ignition** Do not delete the generated ignition file. diff --git a/docs/source/markdown/podman-machine-set.1.md b/docs/source/markdown/podman-machine-set.1.md index e69779564..a4918eacf 100644 --- a/docs/source/markdown/podman-machine-set.1.md +++ b/docs/source/markdown/podman-machine-set.1.md @@ -15,6 +15,10 @@ subset can be changed after machine initialization. ## OPTIONS +#### **--help** + +Print usage statement. + #### **--rootful**=*true|false* Whether this machine should prefer rootful (`true`) or rootless (`false`) 
@@ -22,11 +26,9 @@ container execution. This option will also update the current podman remote connection default if it is currently pointing at the specified machine name (or `podman-machine-default` if no name is specified). -API forwarding, if available, will follow this setting. - -#### **--help** - -Print usage statement. +Unlike [**podman system connection default**](podman-system-connection-default.1.md) +this option will also make the API socket, if available, forward to the rootful/rootless +socket in the VM. ## EXAMPLES diff --git a/docs/source/markdown/podman-manifest-push.1.md b/docs/source/markdown/podman-manifest-push.1.md index a0011cea8..22e8cae9a 100644 --- a/docs/source/markdown/podman-manifest-push.1.md +++ b/docs/source/markdown/podman-manifest-push.1.md @@ -50,14 +50,14 @@ Manifest list type (oci or v2s2) to use when pushing the list (default is oci). When writing the manifest, suppress progress output -#### **--rm** - -Delete the manifest list or image index from local storage if pushing succeeds. - #### **--remove-signatures** Don't copy signatures when pushing images. +#### **--rm** + +Delete the manifest list or image index from local storage if pushing succeeds. + #### **--sign-by**=*fingerprint* Sign the pushed images using the GPG key that matches the specified fingerprint. diff --git a/docs/source/markdown/podman-network-create.1.md b/docs/source/markdown/podman-network-create.1.md index 5a3224501..479c36318 100644 --- a/docs/source/markdown/podman-network-create.1.md +++ b/docs/source/markdown/podman-network-create.1.md 
@@ -32,21 +32,6 @@ Special considerations for the *netavark* backend: - The `macvlan` driver requires the `--subnet` option, DHCP is currently not supported. - The `ipvlan` driver is not currently supported. -#### **--opt**=*option*, **-o** - -Set driver specific options. - -All drivers accept the `mtu` option. The `mtu` option sets the Maximum Transmission Unit (MTU) and takes an integer value. - -Additionally the `bridge` driver supports the following option: -- `vlan`: This option assign VLAN tag and enables vlan\_filtering. Defaults to none. - -The `macvlan` and `ipvlan` driver support the following options: -- `parent`: The host device which should be used for the macvlan interface. Defaults to the default route interface. -- `mode`: This option sets the specified ip/macvlan mode on the interface. - - Supported values for `macvlan` are `bridge`, `private`, `vepa`, `passthru`. Defaults to `bridge`. - - Supported values for `ipvlan` are `l2`, `l3`, `l3s`. Defaults to `l2`. - #### **--gateway** Define a gateway for the subnet. If you want to provide a gateway address, you must also provide a 
@@ -64,20 +49,35 @@ Allocate container IP from a range. The range must be a complete subnet and in must be used with a *subnet* option. Can be specified multiple times. The argument order of the **--subnet**, **--gateway** and **--ip-range** options must match. +#### **--ipv6** + +Enable IPv6 (Dual Stack) networking. If not subnets are given it will allocate a ipv4 and ipv6 subnet. + #### **--label** Set metadata for a network (e.g., --label mykey=value). +#### **--opt**=*option*, **-o** + +Set driver specific options. + +All drivers accept the `mtu` option. The `mtu` option sets the Maximum Transmission Unit (MTU) and takes an integer value. + +Additionally the `bridge` driver supports the following option: +- `vlan`: This option assign VLAN tag and enables vlan\_filtering. Defaults to none. + +The `macvlan` and `ipvlan` driver support the following options: +- `parent`: The host device which should be used for the macvlan interface. Defaults to the default route interface. +- `mode`: This option sets the specified ip/macvlan mode on the interface. + - Supported values for `macvlan` are `bridge`, `private`, `vepa`, `passthru`. Defaults to `bridge`. + - Supported values for `ipvlan` are `l2`, `l3`, `l3s`. Defaults to `l2`. + #### **--subnet** The subnet in CIDR notation. Can be specified multiple times to allocate more than one subnet for this network. The argument order of the **--subnet**, **--gateway** and **--ip-range** options must match. This is useful to set a static ipv4 and ipv6 subnet. -#### **--ipv6** - -Enable IPv6 (Dual Stack) networking. If not subnets are given it will allocate a ipv4 and ipv6 subnet. - ## EXAMPLE Create a network with no options. diff --git a/docs/source/markdown/podman-network-ls.1.md b/docs/source/markdown/podman-network-ls.1.md index d5bdb6a39..b341083f9 100644 --- a/docs/source/markdown/podman-network-ls.1.md +++ b/docs/source/markdown/podman-network-ls.1.md 
@@ -54,14 +54,14 @@ Valid placeholders for the Go template are listed below: | .NetworkInterface | Name of the network interface on the host | | .Subnets | List of subnets on this network | -#### **--noheading** - -Omit the table headings from the listing of networks. - #### **--no-trunc** Do not truncate the network ID. +#### **--noheading** + +Omit the table headings from the listing of networks. + #### **--quiet**, **-q** The `quiet` option will restrict the output to only the network names. diff --git a/docs/source/markdown/podman-network-prune.1.md b/docs/source/markdown/podman-network-prune.1.md index a1dc5d85c..2c8cf13db 100644 --- a/docs/source/markdown/podman-network-prune.1.md +++ b/docs/source/markdown/podman-network-prune.1.md @@ -12,9 +12,6 @@ has no containers connected or configured to connect to it. It will not remove the so-called default network which goes by the name of *podman*. ## OPTIONS -#### **--force**, **-f** - -Do not prompt for confirmation #### **--filter** @@ -33,6 +30,10 @@ The `label` *filter* accepts two formats. One is the `label`=*key* or `label`=*k The `until` *filter* can be Unix timestamps, date formatted timestamps, or Go duration strings (e.g. 10m, 1h30m) computed relative to the machine’s time. +#### **--force**, **-f** + +Do not prompt for confirmation + ## EXAMPLE Prune networks diff --git a/docs/source/markdown/podman-play-kube.1.md b/docs/source/markdown/podman-play-kube.1.md index 310bade34..ad3bd421d 100644 --- a/docs/source/markdown/podman-play-kube.1.md +++ b/docs/source/markdown/podman-play-kube.1.md 
@@ -148,6 +148,10 @@ value can be entered. The password is entered without echo. Tears down the pods that were created by a previous run of `play kube`. The pods are stopped and then removed. Any volumes created are left intact. +#### **--help**, **-h** + +Print usage statement + #### **--ip**=*IP address* Assign a static ip address to the pod. This option can be specified several times when play kube creates more than one pod. @@ -236,10 +240,6 @@ Require HTTPS and verify certificates when contacting registries (default: true) then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf. -#### **--help**, **-h** - -Print usage statement - ## EXAMPLES Recreate the pod and containers as described in a file called `demo.yml` diff --git a/docs/source/markdown/podman-pod-create.1.md b/docs/source/markdown/podman-pod-create.1.md index 8088e1d62..2ae4453c9 100644 --- a/docs/source/markdown/podman-pod-create.1.md +++ b/docs/source/markdown/podman-pod-create.1.md 
@@ -75,21 +75,6 @@ Set custom DNS search domains in the /etc/resolv.conf file that will be shared b GID map for the user namespace. Using this flag will run the container with user namespace enabled. It conflicts with the `--userns` and `--subgidname` flags. -#### **--uidmap**=*container_uid*:*from_uid*:*amount* - -Run the container in a new user namespace using the supplied mapping. This -option conflicts with the **--userns** and **--subuidname** options. This -option provides a way to map host UIDs to container UIDs. It can be passed -several times to map different ranges. - -#### **--subgidname**=*name* - -Name for GID map from the `/etc/subgid` file. Using this flag will run the container with user namespace enabled. This flag conflicts with `--userns` and `--gidmap`. - -#### **--subuidname**=*name* - -Name for UID map from the `/etc/subuid` file. Using this flag will run the container with user namespace enabled. This flag conflicts with `--userns` and `--uidmap`. - #### **--help**, **-h** Print usage statement. 
@@ -102,14 +87,14 @@ Set a hostname to the pod Create an infra container and associate it with the pod. An infra container is a lightweight container used to coordinate the shared kernel namespace of a pod. Default: true. -#### **--infra-conmon-pidfile**=*file* - -Write the pid of the infra container's **conmon** process to a file. As **conmon** runs in a separate process than Podman, this is necessary when using systemd to manage Podman containers and pods. - #### **--infra-command**=*command* The command that will be run to start the infra container. Default: "/pause". +#### **--infra-conmon-pidfile**=*file* + +Write the pid of the infra container's **conmon** process to a file. As **conmon** runs in a separate process than Podman, this is necessary when using systemd to manage Podman containers and pods. + #### **--infra-image**=*image* The custom image that will be used for the infra container. Unless specified, Podman builds a custom local image which does not require pulling down an image. @@ -282,6 +267,14 @@ This boolean determines whether or not all containers entering the pod will use Note: This options conflict with **--share=cgroup** since that would set the pod as the cgroup parent but enter the container into the same cgroupNS as the infra container. +#### **--subgidname**=*name* + +Name for GID map from the `/etc/subgid` file. Using this flag will run the container with user namespace enabled. This flag conflicts with `--userns` and `--gidmap`. + +#### **--subuidname**=*name* + +Name for UID map from the `/etc/subuid` file. Using this flag will run the container with user namespace enabled. This flag conflicts with `--userns` and `--uidmap`. + #### **--sysctl**=_name_=_value_ Configure namespace kernel parameters for all containers in the pod. 
@@ -304,6 +297,13 @@ For the network namespace, only sysctls beginning with net.\* are allowed. Note: if the network namespace is not shared within the pod, these sysctls are not allowed. +#### **--uidmap**=*container_uid*:*from_uid*:*amount* + +Run the container in a new user namespace using the supplied mapping. This +option conflicts with the **--userns** and **--subuidname** options. This +option provides a way to map host UIDs to container UIDs. It can be passed +several times to map different ranges. + #### **--userns**=*mode* Set the user namespace mode for all the containers in a pod. It defaults to the **PODMAN_USERNS** environment variable. An empty value ("") means user namespaces are disabled. diff --git a/docs/source/markdown/podman-pod-inspect.1.md b/docs/source/markdown/podman-pod-inspect.1.md index 75b422306..3105ebaab 100644 --- a/docs/source/markdown/podman-pod-inspect.1.md +++ b/docs/source/markdown/podman-pod-inspect.1.md @@ -11,10 +11,6 @@ Displays configuration and state information about a given pod. It also display that belong to the pod. ## OPTIONS -#### **--latest**, **-l** - -Instead of providing the pod name or ID, use the last created pod. If you use methods other than Podman -to run pods such as CRI-O, the last started pod could be from either of those methods. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) #### **--format**=*format*, **-f** 
@@ -39,6 +35,11 @@ Valid placeholders for the Go template are listed below: | .NumContainers | Number of containers in the pod | | .Containers | Pod containers | +#### **--latest**, **-l** + +Instead of providing the pod name or ID, use the last created pod. If you use methods other than Podman +to run pods such as CRI-O, the last started pod could be from either of those methods. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) + ## EXAMPLE ``` # podman pod inspect foobar diff --git a/docs/source/markdown/podman-pod-logs.1.md b/docs/source/markdown/podman-pod-logs.1.md index 880853000..5ef667504 100644 --- a/docs/source/markdown/podman-pod-logs.1.md +++ b/docs/source/markdown/podman-pod-logs.1.md @@ -39,14 +39,6 @@ strings (e.g. 10m, 1h30m) computed relative to the client machine's time. Suppor time stamps include RFC3339Nano, RFC3339, 2006-01-02T15:04:05, 2006-01-02T15:04:05.999999999, 2006-01-02Z07:00, and 2006-01-02. -#### **--until**=*TIMESTAMP* - -Show logs until TIMESTAMP. The --until option can be Unix timestamps, date formatted timestamps, or Go duration -strings (e.g. 10m, 1h30m) computed relative to the client machine's time. Supported formats for date formatted -time stamps include RFC3339Nano, RFC3339, 2006-01-02T15:04:05, 2006-01-02T15:04:05.999999999, 2006-01-02Z07:00, -and 2006-01-02. - - #### **--tail**=*LINES* Output the specified number of LINES at the end of the logs. LINES must be an integer. Defaults to -1, 
@@ -56,6 +48,13 @@ which prints all lines Show timestamps in the log outputs. The default is false +#### **--until**=*TIMESTAMP* + +Show logs until TIMESTAMP. The --until option can be Unix timestamps, date formatted timestamps, or Go duration +strings (e.g. 10m, 1h30m) computed relative to the client machine's time. Supported formats for date formatted +time stamps include RFC3339Nano, RFC3339, 2006-01-02T15:04:05, 2006-01-02T15:04:05.999999999, 2006-01-02Z07:00, +and 2006-01-02. + ## EXAMPLE To view a pod's logs: diff --git a/docs/source/markdown/podman-pod-ps.1.md b/docs/source/markdown/podman-pod-ps.1.md index 8a9c3f7cc..34f49173a 100644 --- a/docs/source/markdown/podman-pod-ps.1.md +++ b/docs/source/markdown/podman-pod-ps.1.md 
@@ -28,37 +28,48 @@ By default it lists: ## OPTIONS -#### **--ctr-names** - -Display the container names - #### **--ctr-ids** Display the container IDs +#### **--ctr-names** + +Display the container names + #### **--ctr-status** Display the container statuses -#### **--latest**, **-l** +#### **--filter**, **-f**=*filter* -Show the latest pod created (all states) (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) +Provide filter values. -#### **--noheading** +The *filters* argument format is of `key=value`. If there is more than one *filter*, then pass multiple OPTIONS: **--filter** *foo=bar* **--filter** *bif=baz*. -Omit the table headings from the listing of pods. +Supported filters: -#### **--no-trunc** +| Filter | Description | +| ---------- | -------------------------------------------------------------------------------------------------- | +| *ctr-ids* | Filter by container ID within the pod. | +| *ctr-names* | Filter by container name within the pod. | +| *ctr-number*| Filter by number of containers in the pod. | +| *ctr-status*| Filter by container status within the pod. | +| *id* | Filter by pod ID. | +| *label* | Filter by container with (or without, in the case of label!=[...] is used) the specified labels. | +| *name* | Filter by pod name. | +| *network* | Filter by network name or full ID of network. | +| *status* | Filter by pod status. | +| *until* | Filter by pods created before given timestamp. | -Do not truncate the output (default *false*). +The `ctr-ids`, `ctr-names`, `id`, `name` filters accept `regex` format. -#### **--ns** +The `ctr-status` filter accepts values: `created`, `running`, `paused`, `stopped`, `exited`, `unknown`. -Display namespace information of the pod +The `label` *filter* accepts two formats. One is the `label`=*key* or `label`=*key*=*value*, which removes containers with the specified labels. 
The other format is the `label!`=*key* or `label!`=*key*=*value*, which removes containers without the specified labels. -#### **--quiet**, **-q** +The `until` *filter* can be Unix timestamps, date formatted timestamps, or Go duration strings (e.g. 10m, 1h30m) computed relative to the machine’s time. -Print the numeric IDs of the pods only +The `status` filter accepts values: `stopped`, `running`, `paused`, `exited`, `dead`, `created`, `degraded`. #### **--format**=*format* 
@@ -78,47 +89,35 @@ Valid placeholders for the Go template are listed below: | .InfraID | Pod infra container ID | | .Networks | Show all networks connected to the infra container | -#### **--sort** - -Sort by created, ID, name, status, or number of containers +#### **--help**, **-h** -Default: created +Print usage statement -#### **--filter**, **-f**=*filter* +#### **--latest**, **-l** -Provide filter values. +Show the latest pod created (all states) (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) -The *filters* argument format is of `key=value`. If there is more than one *filter*, then pass multiple OPTIONS: **--filter** *foo=bar* **--filter** *bif=baz*. +#### **--no-trunc** -Supported filters: +Do not truncate the output (default *false*). -| Filter | Description | -| ---------- | -------------------------------------------------------------------------------------------------- | -| *ctr-ids* | Filter by container ID within the pod. | -| *ctr-names* | Filter by container name within the pod. | -| *ctr-number*| Filter by number of containers in the pod. | -| *ctr-status*| Filter by container status within the pod. | -| *id* | Filter by pod ID. | -| *label* | Filter by container with (or without, in the case of label!=[...] is used) the specified labels. | -| *name* | Filter by pod name. | -| *network* | Filter by network name or full ID of network. | -| *status* | Filter by pod status. | -| *until* | Filter by pods created before given timestamp. | +#### **--noheading** -The `ctr-ids`, `ctr-names`, `id`, `name` filters accept `regex` format. +Omit the table headings from the listing of pods. -The `ctr-status` filter accepts values: `created`, `running`, `paused`, `stopped`, `exited`, `unknown`. +#### **--ns** -The `label` *filter* accepts two formats. One is the `label`=*key* or `label`=*key*=*value*, which removes containers with the specified labels. 
The other format is the `label!`=*key* or `label!`=*key*=*value*, which removes containers without the specified labels. +Display namespace information of the pod -The `until` *filter* can be Unix timestamps, date formatted timestamps, or Go duration strings (e.g. 10m, 1h30m) computed relative to the machine’s time. +#### **--quiet**, **-q** -The `status` filter accepts values: `stopped`, `running`, `paused`, `exited`, `dead`, `created`, `degraded`. +Print the numeric IDs of the pods only +#### **--sort** -#### **--help**, **-h** +Sort by created, ID, name, status, or number of containers -Print usage statement +Default: created ## EXAMPLES diff --git a/docs/source/markdown/podman-pod-rm.1.md b/docs/source/markdown/podman-pod-rm.1.md index ed33c5e57..75a44c6d4 100644 --- a/docs/source/markdown/podman-pod-rm.1.md +++ b/docs/source/markdown/podman-pod-rm.1.md @@ -15,6 +15,10 @@ podman\-pod\-rm - Remove one or more stopped pods and containers Remove all pods. Can be used in conjunction with \-f as well. +#### **--force**, **-f** + +Stop running containers and delete all stopped containers before removal of pod. + #### **--ignore**, **-i** Ignore errors when specified pods are not in the container store. A user might @@ -25,10 +29,6 @@ ExecStop directive of a systemd service referencing that pod. Instead of providing the pod name or ID, remove the last created pod. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) -#### **--force**, **-f** - -Stop running containers and delete all stopped containers before removal of pod. - #### **--pod-id-file** Read pod ID from the specified file and remove the pod. Can be specified multiple times. diff --git a/docs/source/markdown/podman-pod-stats.1.md b/docs/source/markdown/podman-pod-stats.1.md index 460571add..389540fdf 100644 --- a/docs/source/markdown/podman-pod-stats.1.md +++ b/docs/source/markdown/podman-pod-stats.1.md 
@@ -15,18 +15,6 @@ Display a live stream of containers in one or more pods resource usage statistic Show all containers. Only running containers are shown by default -#### **--latest**, **-l** - -Instead of providing the pod name or ID, use the last created pod. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) - -#### **--no-reset** - -Do not clear the terminal/screen in between reporting intervals - -#### **--no-stream** - -Disable streaming pod stats and only pull the first result, default setting is false - #### **--format**=*template* Pretty-print container statistics to JSON or using a Go template @@ -47,6 +35,19 @@ Valid placeholders for the Go template are listed below: | .PIDS | Number of PIDs | When using a GO template, you may precede the format with `table` to print headers. + +#### **--latest**, **-l** + +Instead of providing the pod name or ID, use the last created pod. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) + +#### **--no-reset** + +Do not clear the terminal/screen in between reporting intervals + +#### **--no-stream** + +Disable streaming pod stats and only pull the first result, default setting is false + ## EXAMPLE ``` diff --git a/docs/source/markdown/podman-pod-stop.1.md b/docs/source/markdown/podman-pod-stop.1.md index 13d86d1db..bded0ba7d 100644 --- a/docs/source/markdown/podman-pod-stop.1.md +++ b/docs/source/markdown/podman-pod-stop.1.md 
@@ -25,14 +25,14 @@ ExecStop directive of a systemd service referencing that pod. Instead of providing the pod name or ID, stop the last created pod. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) -#### **--time**, **-t**=*seconds* - -Seconds to wait before forcibly stopping the containers in the pod. - #### **--pod-id-file** Read pod ID from the specified file and stop the pod. Can be specified multiple times. +#### **--time**, **-t**=*seconds* + +Seconds to wait before forcibly stopping the containers in the pod. + ## EXAMPLE Stop a pod called *mywebserverpod* diff --git a/docs/source/markdown/podman-ps.1.md b/docs/source/markdown/podman-ps.1.md index 5b142d283..6e2a8616c 100644 --- a/docs/source/markdown/podman-ps.1.md +++ b/docs/source/markdown/podman-ps.1.md @@ -100,14 +100,14 @@ Show the latest container created (all states) (This option is not available wit Display namespace information -#### **--noheading** - -Omit the table headings from the listing of containers. - #### **--no-trunc** Do not truncate the output (default *false*). +#### **--noheading** + +Omit the table headings from the listing of containers. + #### **--pod**, **-p** Display the pods the containers are associated with @@ -116,15 +116,15 @@ Display the pods the containers are associated with Print the numeric IDs of the containers only +#### **--size**, **-s** + +Display the total file size + #### **--sort**=*created* Sort by command, created, id, image, names, runningfor, size, or status", Note: Choosing size will sort by size of rootFs, not alphabetically like the rest of the options -#### **--size**, **-s** - -Display the total file size - #### **--sync** Force a sync of container state with the OCI runtime. diff --git a/docs/source/markdown/podman-push.1.md b/docs/source/markdown/podman-push.1.md index c71eecfd2..74555c11b 100644 --- a/docs/source/markdown/podman-push.1.md +++ b/docs/source/markdown/podman-push.1.md 
@@ -55,12 +55,6 @@ If the authorization state is not found there, $HOME/.docker/config.json is chec Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` -#### **--creds**=*[username[:password]]* - -The [username[:password]] to use to authenticate with the registry if required. -If one or both values are not supplied, a command line prompt will appear and the -value can be entered. The password is entered without echo. - #### **--cert-dir**=*path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d) @@ -75,6 +69,12 @@ Note: This flag can only be set when using the **dir** transport Specifies the compression format to use. Supported values are: `gzip`, `zstd` and `zstd:chunked`. The default is `gzip`. +#### **--creds**=*[username[:password]]* + +The [username[:password]] to use to authenticate with the registry if required. +If one or both values are not supplied, a command line prompt will appear and the +value can be entered. The password is entered without echo. + #### **--digestfile** *Digestfile* After copying the image, write the digest of the resulting image to the file. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) diff --git a/docs/source/markdown/podman-rm.1.md b/docs/source/markdown/podman-rm.1.md index 23944270c..1fac3aa34 100644 --- a/docs/source/markdown/podman-rm.1.md +++ b/docs/source/markdown/podman-rm.1.md 
@@ -18,14 +18,14 @@ Running or unusable containers will not be removed without the **-f** option. Remove all containers. Can be used in conjunction with **-f** as well. -#### **--depend** - -Remove selected container and recursively remove all containers that depend on it. - #### **--cidfile** Read container ID from the specified file and remove the container. Can be specified multiple times. +#### **--depend** + +Remove selected container and recursively remove all containers that depend on it. + #### **--force**, **-f** Force the removal of running and paused containers. Forcing a container removal also diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 7fa7bda30..ffe84e287 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -130,6 +130,14 @@ Add Linux capabilities. Drop Linux capabilities. +#### **--cgroup-conf**=*KEY=VALUE* + +When running on cgroup v2, specify the cgroup file to write to and its value. For example **--cgroup-conf=memory.high=1073741824** sets the memory.high limit to 1GB. + +#### **--cgroup-parent**=*path* + +Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist. + #### **--cgroupns**=*mode* Set the cgroup namespace mode for the container. 
@@ -152,13 +160,11 @@ The **disabled** option will force the container to not create CGroups, and thus The **no-conmon** option disables a new CGroup only for the **conmon** process. The **split** option splits the current CGroup in two sub-cgroups: one for conmon and one for the container payload. It is not possible to set **--cgroup-parent** with **split**. -#### **--cgroup-parent**=*path* - -Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist. - -#### **--cgroup-conf**=*KEY=VALUE* +#### **--chrootdirs**=*path* -When running on cgroup v2, specify the cgroup file to write to and its value. For example **--cgroup-conf=memory.high=1073741824** sets the memory.high limit to 1GB. +Path to a directory inside the container that should be treated as a `chroot` directory. +Any Podman managed file (e.g., /etc/resolv.conf, /etc/hosts, etc/hostname) that is mounted into the root directory will be mounted into that location as well. +Multiple directories should be separated with a comma. #### **--cidfile**=*file* 
@@ -381,14 +387,14 @@ This option allows arbitrary environment variables that are available for the pr See [**Environment**](#environment) note below for precedence and examples. -#### **--env-host** - -Use host environment inside of the container. See **Environment** note below for precedence. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) - #### **--env-file**=*file* Read in a line delimited file of environment variables. See **Environment** note below for precedence. +#### **--env-host** + +Use host environment inside of the container. See **Environment** note below for precedence. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) + #### **--expose**=*port* Expose a port, or a range of ports (e.g. **--expose=3300-3310**) to set up port redirection @@ -448,11 +454,6 @@ The initialization time needed for a container to bootstrap. The value can be ex The maximum time allowed to complete the healthcheck before an interval is considered failed. Like start-period, the value can be expressed in a time format such as **1m22s**. The default value is **30s**. -#### **--hostuser**=*name* - -Add a user account to /etc/passwd from the host to the container. The Username -or UID must exist on the host system. - #### **--help** Print usage statement @@ -463,6 +464,11 @@ Container host name Sets the container host name that is available inside the container. Can only be used with a private UTS namespace `--uts=private` (default). If `--pod` is specified and the pod shares the UTS namespace (default) the pod's hostname will be used. +#### **--hostuser**=*name* + +Add a user account to /etc/passwd from the host to the container. The Username +or UID must exist on the host system. + #### **--http-proxy** By default proxy environment variables are passed into the container if set 
@@ -795,6 +801,16 @@ The default is to create a private PID namespace for the container. - **private**: create a new namespace for the container (default) - **ns:**_path_: join the specified PID namespace. +#### **--pidfile**=*path* + +When the pidfile location is specified, the container process' PID will be written to the pidfile. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) +If the pidfile option is not specified, the container process' PID will be written to /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile. + +After the container is started, the location for the pidfile can be discovered with the following `podman inspect` command: + + $ podman inspect --format '{{ .PidFile }}' $CID + /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile + #### **--pids-limit**=*limit* Tune the container's pids limit. Set to **-1** to have unlimited pids for the container. The default is **4096** on systems that support "pids" cgroup controller. 
@@ -1150,23 +1166,6 @@ echo "asdf" | podman run --rm -i someimage /bin/cat Set timezone in container. This flag takes area-based timezones, GMT time, as well as `local`, which sets the timezone in the container to match the host machine. See `/usr/share/zoneinfo/` for valid timezones. Remote connections use local containers.conf for defaults -#### **--umask**=*umask* - -Set the umask inside the container. Defaults to `0022`. -Remote connections use local containers.conf for defaults - -#### **--unsetenv**=*env* - -Unset default environment variables for the container. Default environment -variables include variables provided natively by Podman, environment variables -configured by the image, and environment variables from containers.conf. - -#### **--unsetenv-all**=*true|false* - -Unset all default environment variables for the container. Default environment -variables include variables provided natively by Podman, environment variables -configured by the image, and environment variables from containers.conf. - #### **--uidmap**=*container_uid*:*from_uid*:*amount* Run the container in a new user namespace using the supplied mapping. This 
@@ -1251,6 +1250,23 @@ Note: the **--uidmap** flag cannot be called in conjunction with the **--pod** f Ulimit options. You can use **host** to copy the current configuration from the host. +#### **--umask**=*umask* + +Set the umask inside the container. Defaults to `0022`. +Remote connections use local containers.conf for defaults + +#### **--unsetenv**=*env* + +Unset default environment variables for the container. Default environment +variables include variables provided natively by Podman, environment variables +configured by the image, and environment variables from containers.conf. + +#### **--unsetenv-all**=*true|false* + +Unset all default environment variables for the container. Default environment +variables include variables provided natively by Podman, environment variables +configured by the image, and environment variables from containers.conf. + #### **--user**, **-u**=[_user_ | _user_:_group_ | _uid_ | _uid_:_gid_ | _user_:_gid_ | _uid_:_group_ ] Sets the username or UID used and optionally the groupname or GID for the specified command. 
@@ -1519,22 +1535,6 @@ The default working directory for running binaries within a container is the roo The image developer can set a different default with the WORKDIR instruction. The operator can override the working directory by using the **-w** option. -#### **--pidfile**=*path* - -When the pidfile location is specified, the container process' PID will be written to the pidfile. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) -If the pidfile option is not specified, the container process' PID will be written to /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile. - -After the container is started, the location for the pidfile can be discovered with the following `podman inspect` command: - - $ podman inspect --format '{{ .PidFile }}' $CID - /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile - -#### **--chrootdirs**=*path* - -Path to a directory inside the container that should be treated as a `chroot` directory. -Any Podman managed file (e.g., /etc/resolv.conf, /etc/hosts, etc/hostname) that is mounted into the root directory will be mounted into that location as well. -Multiple directories should be separated with a comma. - ## Exit Status The exit code from **podman run** gives information about why the container diff --git a/docs/source/markdown/podman-save.1.md b/docs/source/markdown/podman-save.1.md index 0de64e518..aa4900e25 100644 --- a/docs/source/markdown/podman-save.1.md +++ b/docs/source/markdown/podman-save.1.md 
@@ -29,14 +29,6 @@ Note: `:` is a restricted character and cannot be part of the file name. Compress tarball image layers when pushing to a directory using the 'dir' transport. (default is same compression type, compressed or uncompressed, as source) Note: This flag can only be set with **--format=docker-dir**. -#### **--uncompressed** - -Accept uncompressed layers when using one of the OCI formats. - -#### **--output**, **-o**=*file* - -Write to a file, default is STDOUT - #### **--format**=*format* An image format to produce, one of: @@ -48,18 +40,26 @@ An image format to produce, one of: | **oci-dir** | A directory using the OCI Image Format | | **docker-dir** | **dir** transport (see **containers-transports(5)**) with v2s2 manifest type | +#### **--help**, **-h** + +Print usage statement + #### **--multi-image-archive**, **-m** Allow for creating archives with more than one image. Additional names will be interpreted as images instead of tags. Only supported for **--format=docker-archive**. The default for this option can be modified via the `multi_image_archive="true"|"false"` flag in containers.conf. +#### **--output**, **-o**=*file* + +Write to a file, default is STDOUT + #### **--quiet**, **-q** Suppress the output -#### **--help**, **-h** +#### **--uncompressed** -Print usage statement +Accept uncompressed layers when using one of the OCI formats. ## EXAMPLES diff --git a/docs/source/markdown/podman-search.1.md b/docs/source/markdown/podman-search.1.md index 9c075a1e0..81a67d762 100644 --- a/docs/source/markdown/podman-search.1.md +++ b/docs/source/markdown/podman-search.1.md @@ -70,6 +70,10 @@ Valid placeholders for the Go template are listed below: Note: use .Tag only if the --list-tags is set. +#### **--help**, **-h** + +Print usage statement + #### **--limit**=*limit* Limit the number of results (default 25). 
@@ -95,10 +99,6 @@ then TLS verification will be used. If set to false, then TLS verification will default registries will be searched through (in /etc/containers/registries.conf), and TLS will be skipped if a default registry is listed in the insecure registries. -#### **--help**, **-h** - -Print usage statement - ## EXAMPLES ``` diff --git a/docs/source/markdown/podman-secret-create.1.md b/docs/source/markdown/podman-secret-create.1.md index 2d504c0ad..e08afb388 100644 --- a/docs/source/markdown/podman-secret-create.1.md +++ b/docs/source/markdown/podman-secret-create.1.md @@ -20,10 +20,6 @@ Secrets will not be committed to an image with `podman commit`, and will not be ## OPTIONS -#### **--env**=*false* - -Read secret data from environment variable - #### **--driver**=*driver* Specify the secret driver (default **file**, which is unencrypted). @@ -32,6 +28,10 @@ Specify the secret driver (default **file**, which is unencrypted). Specify driver specific options +#### **--env**=*false* + +Read secret data from environment variable + #### **--help** Print usage statement. diff --git a/docs/source/markdown/podman-secret-ls.1.md b/docs/source/markdown/podman-secret-ls.1.md index f33ccf41b..3b8535b5d 100644 --- a/docs/source/markdown/podman-secret-ls.1.md +++ b/docs/source/markdown/podman-secret-ls.1.md @@ -12,14 +12,6 @@ Lists all the secrets that exist. The output can be formatted to a Go template u ## OPTIONS -#### **--format**=*format* - -Format secret output using Go template. - -#### **--noheading** - -Omit the table headings from the listing of secrets. . - #### **--filter**, **-f**=*filter=value* Filter output based on conditions given. @@ -32,6 +24,14 @@ Valid filters are listed below: | name | [Name] Secret name (accepts regex) | | id | [ID] Full or partial secret ID | +#### **--format**=*format* + +Format secret output using Go template. + +#### **--noheading** + +Omit the table headings from the listing of secrets. . + ## EXAMPLES ``` 
diff --git a/docs/source/markdown/podman-start.1.md b/docs/source/markdown/podman-start.1.md index 793f27aa4..6b0433483 100644 --- a/docs/source/markdown/podman-start.1.md +++ b/docs/source/markdown/podman-start.1.md @@ -16,6 +16,10 @@ attach to the container. ## OPTIONS +#### **--all** + +Start all the containers created by Podman, default is only running containers. + #### **--attach**, **-a** Attach container's STDOUT and STDERR. The default is false. This option cannot be used when @@ -25,23 +29,6 @@ starting multiple containers. Specify the key sequence for detaching a container. Format is a single character `[a-Z]` or one or more `ctrl-<value>` characters where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`. Specifying "" will disable this feature. The default is *ctrl-p,ctrl-q*. -#### **--interactive**, **-i** - -Attach container's STDIN. The default is false. - -#### **--latest**, **-l** - -Instead of providing the container name or ID, use the last created container. If you use methods other than Podman -to run containers such as CRI-O, the last started container could be from either of those methods. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) - -#### **--sig-proxy** - -Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true* when attaching, *false* otherwise. - -#### **--all** - -Start all the containers created by Podman, default is only running containers. - #### **--filter**, **-f** Filter what containers are going to be started from the given arguments. 
@@ -66,6 +53,18 @@ Valid filters are listed below: | pod | [Pod] name or full or partial ID of pod | | network | [Network] name or full ID of network | +#### **--interactive**, **-i** + +Attach container's STDIN. The default is false. + +#### **--latest**, **-l** + +Instead of providing the container name or ID, use the last created container. If you use methods other than Podman +to run containers such as CRI-O, the last started container could be from either of those methods. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) + +#### **--sig-proxy** + +Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true* when attaching, *false* otherwise. ## EXAMPLE diff --git a/docs/source/markdown/podman-stats.1.md b/docs/source/markdown/podman-stats.1.md index a1a156b10..472cbfbcf 100644 --- a/docs/source/markdown/podman-stats.1.md +++ b/docs/source/markdown/podman-stats.1.md @@ -24,23 +24,6 @@ about their networking usage. Show all containers. Only running containers are shown by default -#### **--latest**, **-l** - -Instead of providing the container name or ID, use the last created container. If you use methods other than Podman -to run containers such as CRI-O, the last started container could be from either of those methods. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) - -#### **--no-reset** - -Do not clear the terminal/screen in between reporting intervals - -#### **--no-stream** - -Disable streaming stats and only pull the first result, default setting is false - -#### **--interval**=*seconds*, **-i**=*seconds* - -Time in seconds between stats reports, defaults to 5 seconds. - #### **--format**=*template* Pretty-print container statistics to JSON or using a Go template 
@@ -61,6 +44,23 @@ Valid placeholders for the Go template are listed below: When using a GO template, you may precede the format with `table` to print headers. +#### **--interval**=*seconds*, **-i**=*seconds* + +Time in seconds between stats reports, defaults to 5 seconds. + +#### **--latest**, **-l** + +Instead of providing the container name or ID, use the last created container. If you use methods other than Podman +to run containers such as CRI-O, the last started container could be from either of those methods. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) + +#### **--no-reset** + +Do not clear the terminal/screen in between reporting intervals + +#### **--no-stream** + +Disable streaming stats and only pull the first result, default setting is false + ## EXAMPLE ``` diff --git a/docs/source/markdown/podman-system-service.1.md b/docs/source/markdown/podman-system-service.1.md index 17d8ea06a..678f08a20 100644 --- a/docs/source/markdown/podman-system-service.1.md +++ b/docs/source/markdown/podman-system-service.1.md @@ -25,14 +25,6 @@ Note: The default systemd unit files (system and user) change the log-level opti ## OPTIONS -#### **--time**, **-t** - -The time until the session expires in _seconds_. The default is 5 -seconds. A value of `0` means no timeout, therefore the session will not expire. - -The default timeout can be changed via the `service_timeout=VALUE` field in containers.conf. -See **[containers.conf(5)](https://github.com/containers/common/blob/master/docs/containers.conf.5.md)** for more information. - #### **--cors** CORS headers to inject to the HTTP response. The default value is empty string which disables CORS headers. 
@@ -41,6 +33,14 @@ CORS headers to inject to the HTTP response. The default value is empty string w Print usage statement. +#### **--time**, **-t** + +The time until the session expires in _seconds_. The default is 5 +seconds. A value of `0` means no timeout, therefore the session will not expire. + +The default timeout can be changed via the `service_timeout=VALUE` field in containers.conf. +See **[containers.conf(5)](https://github.com/containers/common/blob/master/docs/containers.conf.5.md)** for more information. + ## EXAMPLES Run an API listening for 5 seconds using the default socket. diff --git a/docs/source/markdown/podman-unshare.1.md b/docs/source/markdown/podman-unshare.1.md index 01393a862..db1bc5387 100644 --- a/docs/source/markdown/podman-unshare.1.md +++ b/docs/source/markdown/podman-unshare.1.md @@ -4,7 +4,7 @@ podman\-unshare - Run a command inside of a modified user namespace ## SYNOPSIS -**podman unshare** [*--*] [*command*] +**podman unshare** [*options*] [*command*] ## DESCRIPTION Launches a process (by default, *$SHELL*) in a new user namespace. The user @@ -24,6 +24,8 @@ The unshare session defines two environment variables: - **CONTAINERS_GRAPHROOT**: the path to the persistent container's data. - **CONTAINERS_RUNROOT**: the path to the volatile container's data. +*IMPORTANT: This command is not available with the remote Podman client.* + ## OPTIONS #### **--help**, **-h** diff --git a/docs/source/markdown/podman-version.1.md b/docs/source/markdown/podman-version.1.md index 809ce64a6..94fa0fb21 100644 --- a/docs/source/markdown/podman-version.1.md +++ b/docs/source/markdown/podman-version.1.md @@ -12,10 +12,6 @@ OS, and Architecture. ## OPTIONS -#### **--help**, **-h** - -Print usage statement - #### **--format**, **-f**=*format* Change output format to "json" or a Go template. 
@@ -39,6 +35,10 @@ $ podman version --format '{{.Client.Version}}' 2.0.0 ``` +#### **--help**, **-h** + +Print usage statement + ## SEE ALSO **[podman(1)](podman.1.md)** diff --git a/docs/source/markdown/podman-volume-export.1.md b/docs/source/markdown/podman-volume-export.1.md index ed73e86d0..57b707ae5 100644 --- a/docs/source/markdown/podman-volume-export.1.md +++ b/docs/source/markdown/podman-volume-export.1.md @@ -18,14 +18,13 @@ Note: Following command is not supported by podman-remote. ## OPTIONS -#### **--output**, **-o**=*file* - -Write to a file, default is STDOUT - #### **--help** Print usage statement +#### **--output**, **-o**=*file* + +Write to a file, default is STDOUT ## EXAMPLES diff --git a/docs/source/markdown/podman-volume-prune.1.md b/docs/source/markdown/podman-volume-prune.1.md index 2028e42f2..0127cc12a 100644 --- a/docs/source/markdown/podman-volume-prune.1.md +++ b/docs/source/markdown/podman-volume-prune.1.md @@ -15,10 +15,6 @@ unused volumes. To bypass the confirmation, use the **--force** flag. ## OPTIONS -#### **--force**, **-f** - -Do not prompt for confirmation. - #### **--filter** Provide filter values. @@ -36,6 +32,10 @@ The `label` *filter* accepts two formats. One is the `label`=*key* or `label`=*k The `until` *filter* can be Unix timestamps, date formatted timestamps, or Go duration strings (e.g. 10m, 1h30m) computed relative to the machine’s time. +#### **--force**, **-f** + +Do not prompt for confirmation. + #### **--help** Print usage statement diff --git a/docs/source/markdown/podman.1.md b/docs/source/markdown/podman.1.md index 4d3e92dd2..aad12c584 100644 --- a/docs/source/markdown/podman.1.md +++ b/docs/source/markdown/podman.1.md 
@@ -32,22 +32,14 @@ The CGroup manager to use for container cgroups. Supported values are cgroupfs o Note: Setting this flag can cause certain commands to break when called on containers previously created by the other CGroup manager type. Note: CGroup manager is not supported in rootless mode when using CGroups Version V1. -#### **--network-config-dir**=*directory* - -Path to the directory where network configuration files are located. -For the CNI backend the default is "/etc/cni/net.d" as root -and "$HOME/.config/cni/net.d" as rootless. -For the netavark backend "/etc/containers/networks" is used as root -and "$graphroot/networks" as rootless. +#### **--conmon** +Path of the conmon binary (Default path is configured in `containers.conf`) #### **--connection**, **-c** Connection to use for remote podman, including Mac and Windows (excluding WSL2) machines, (Default connection is configured in `containers.conf`) Setting this option will switch the **--remote** option to true. Remote connections use local containers.conf for default. -#### **--conmon** -Path of the conmon binary (Default path is configured in `containers.conf`) - #### **--events-backend**=*type* Backend to use for storing events. Allowed values are **file**, **journald**, and 
@@ -98,6 +90,14 @@ When namespace is set, created containers and pods will join the given namespace #### **--network-cmd-path**=*path* Path to the command binary to use for setting up a network. It is currently only used for setting up a slirp4netns network. If "" is used then the binary is looked up using the $PATH environment variable. +#### **--network-config-dir**=*directory* + +Path to the directory where network configuration files are located. +For the CNI backend the default is "/etc/cni/net.d" as root +and "$HOME/.config/cni/net.d" as rootless. +For the netavark backend "/etc/containers/networks" is used as root +and "$graphroot/networks" as rootless. + #### **--noout** Redirect stdout to /dev/null. This command will prevent all stdout from the Podman command. The **--noout** option will not block stderr or stdout from containers. 
@@ -107,39 +107,6 @@ When true, access to the Podman service will be remote. Defaults to false. Settings can be modified in the containers.conf file. If the CONTAINER_HOST environment variable is set, the **--remote** option defaults to true. -#### **--url**=*value* -URL to access Podman service (default from `containers.conf`, rootless `unix://run/user/$UID/podman/podman.sock` or as root `unix://run/podman/podman.sock`). -Setting this option will switch the **--remote** option to true. - - - `CONTAINER_HOST` is of the format `<schema>://[<user[:<password>]@]<host>[:<port>][<path>]` - -Details: - - `schema` is one of: - * `ssh` (default): a local unix(7) socket on the named `host` and `port`, reachable via SSH - * `tcp`: an unencrypted, unauthenticated TCP connection to the named `host` and `port` - * `unix`: a local unix(7) socket at the specified `path`, or the default for the user - - `user` will default to either `root` or the current running user (`ssh` only) - - `password` has no default (`ssh` only) - - `host` must be provided and is either the IP or name of the machine hosting the Podman service (`ssh` and `tcp`) - - `port` defaults to 22 (`ssh` and `tcp`) - - `path` defaults to either `/run/podman/podman.sock`, or `/run/user/$UID/podman/podman.sock` if running rootless (`unix`), or must be explicitly specified (`ssh`) - -URL value resolution precedence: - - command line value - - environment variable `CONTAINER_HOST` - - `containers.conf` `service_destinations` table - - `unix://run/podman/podman.sock` - -Remote connections use local containers.conf for default. 
- -Some example URL values in valid formats: - - unix://run/podman/podman.sock - - unix://run/user/$UID/podman/podman.sock - - ssh://notroot@localhost:22/run/user/$UID/podman/podman.sock - - ssh://root@localhost:22/run/podman/podman.sock - - tcp://localhost:34451 - - tcp://127.0.0.1:34451 - #### **--root**=*value* Storage root dir in which data, including images, is stored (default: "/var/lib/containers/storage" for UID 0, "$HOME/.local/share/containers/storage" for other users). 
@@ -189,6 +156,39 @@ Path to the tmp directory, for libpod runtime content. NOTE --tmpdir is not used for the temporary storage of downloaded images. Use the environment variable `TMPDIR` to change the temporary storage location of downloaded container images. Podman defaults to use `/var/tmp`. +#### **--url**=*value* +URL to access Podman service (default from `containers.conf`, rootless `unix://run/user/$UID/podman/podman.sock` or as root `unix://run/podman/podman.sock`). +Setting this option will switch the **--remote** option to true. + + - `CONTAINER_HOST` is of the format `<schema>://[<user[:<password>]@]<host>[:<port>][<path>]` + +Details: + - `schema` is one of: + * `ssh` (default): a local unix(7) socket on the named `host` and `port`, reachable via SSH + * `tcp`: an unencrypted, unauthenticated TCP connection to the named `host` and `port` + * `unix`: a local unix(7) socket at the specified `path`, or the default for the user + - `user` will default to either `root` or the current running user (`ssh` only) + - `password` has no default (`ssh` only) + - `host` must be provided and is either the IP or name of the machine hosting the Podman service (`ssh` and `tcp`) + - `port` defaults to 22 (`ssh` and `tcp`) + - `path` defaults to either `/run/podman/podman.sock`, or `/run/user/$UID/podman/podman.sock` if running rootless (`unix`), or must be explicitly specified (`ssh`) + +URL value resolution precedence: + - command line value + - environment variable `CONTAINER_HOST` + - `containers.conf` `service_destinations` table + - `unix://run/podman/podman.sock` + +Remote connections use local containers.conf for default. + +Some example URL values in valid formats: + - unix://run/podman/podman.sock + - unix://run/user/$UID/podman/podman.sock + - ssh://notroot@localhost:22/run/user/$UID/podman/podman.sock + - ssh://root@localhost:22/run/podman/podman.sock + - tcp://localhost:34451 + - tcp://127.0.0.1:34451 + #### **--version**, **-v** Print the version 
@@ -15,7 +15,7 @@ require ( github.com/containers/common v0.47.5-0.20220318125043-0ededd18a1f9 github.com/containers/conmon v2.0.20+incompatible github.com/containers/image/v5 v5.20.1-0.20220310094651-0d8056ee346f - github.com/containers/ocicrypt v1.1.2 + github.com/containers/ocicrypt v1.1.3 github.com/containers/psgo v1.7.2 github.com/containers/storage v1.38.3-0.20220321121613-8e565392dd91 github.com/coreos/go-systemd/v22 v22.3.2 @@ -370,8 +370,9 @@ github.com/containers/libtrust v0.0.0-20200511145503-9c3a6c22cd9a/go.mod h1:9rfv github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc= github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgUV4GP9qXPfu4= github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= -github.com/containers/ocicrypt v1.1.2 h1:Ez+GAMP/4GLix5Ywo/fL7O0nY771gsBIigiqUm1aXz0= github.com/containers/ocicrypt v1.1.2/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= +github.com/containers/ocicrypt v1.1.3 h1:uMxn2wTb4nDR7GqG3rnZSfpJXqWURfzZ7nKydzIeKpA= +github.com/containers/ocicrypt v1.1.3/go.mod h1:xpdkbVAuaH3WzbEabUd5yDsl9SwJA5pABH85425Es2g= github.com/containers/psgo v1.7.2 h1:WbCvsY9w+nCv3j4der0mbD3PSRUv/W8l+G0YrZrdSDc= github.com/containers/psgo v1.7.2/go.mod h1:SLpqxsPOHtTqRygjutCPXmeU2PoEFzV3gzJplN4BMx0= github.com/containers/storage v1.37.0/go.mod h1:kqeJeS0b7DO2ZT1nVWs0XufrmPFbgV3c+Q/45RlH6r4= 
@@ -975,8 +976,9 @@ github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKju github.com/miekg/dns v1.1.35/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI= github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= -github.com/miekg/pkcs11 v1.0.3 h1:iMwmD7I5225wv84WxIG/bmxz9AXjWvTWIbM/TYHvWtw= github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= +github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU= +github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible h1:aKW/4cBs+yK6gpqU3K/oIwk9Q/XICqd3zOX/UFuvqmk= github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= diff --git a/hack/xref-helpmsgs-manpages b/hack/xref-helpmsgs-manpages index a447f4da1..33ba43e9b 100755 --- a/hack/xref-helpmsgs-manpages +++ b/hack/xref-helpmsgs-manpages @@ -287,6 +287,7 @@ sub podman_man { my $section = ''; my @most_recent_flags; my $previous_subcmd = ''; + my $previous_flag = ''; while (my $line = <$fh>) { chomp $line; next unless $line; # skip empty lines @@ -294,6 +295,12 @@ sub podman_man { # .md files designate sections with leading double hash if ($line =~ /^##\s*(GLOBAL\s+)?OPTIONS/) { $section = 'flags'; + $previous_flag = ''; + } + elsif ($line =~ /^###\s+\w+\s+OPTIONS/) { + # poaman image trust has sections for set & show + $section = 'flags'; + $previous_flag = ''; } elsif ($line =~ /^\#\#\s+(SUB)?COMMANDS/) { $section = 'commands'; 
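Review bot: The comment on the new `elsif` branch misspells the command; it should read `# podman image trust has sections for set & show`. The pattern `^###\s+\w+\s+OPTIONS` also accepts only a single word between `###` and `OPTIONS`, so a multi-word level-3 heading would not reset `$previous_flag`; if that is intended, a word in the comment saying so would save the next reader a check. podman_man begins and ends outside the hunk.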
@@ -320,7 +327,7 @@ sub podman_man { # $1 will be changed by recursion _*BEFORE*_ left-hand assignment my $subcmd = $1; if ($previous_subcmd gt $subcmd) { - warn "$ME: $subpath: '$previous_subcmd' and '$subcmd' are out of order\n"; + warn "$ME: $subpath:$.: '$previous_subcmd' and '$subcmd' are out of order\n"; ++$Errs; } $previous_subcmd = $subcmd; @@ -342,9 +349,20 @@ sub podman_man { # If option has long and short form, long must come first. # This is a while-loop because there may be multiple long # option names, e.g. --net/--network + my $is_first = 1; while ($line =~ s/^\*\*(--[a-z0-9-]+)\*\*(=\*[a-zA-Z0-9-]+\*)?(,\s+)?//g) { - $man{$1} = 1; - push @most_recent_flags, $1; + my $flag = $1; + $man{$flag} = 1; + if ($flag lt $previous_flag && $is_first) { + warn "$ME: $subpath:$.: $flag should precede $previous_flag\n"; + ++$Errs; + } + $previous_flag = $flag if $is_first; + push @most_recent_flags, $flag; + + # Further iterations of /g are allowed to be out of order, + # e.g., it's OK for "--namespace, -ns" to precede --nohead + $is_first = 0; } # Short form if ($line =~ s/^\*\*(-[a-zA-Z0-9])\*\*(=\*[a-zA-Z0-9-]+\*)?//g) { diff --git a/libpod/container_exec.go b/libpod/container_exec.go index d1c190905..140267f28 100644 --- a/libpod/container_exec.go +++ b/libpod/container_exec.go 
@@ -341,22 +341,60 @@ func (c *Container) ExecStartAndAttach(sessionID string, streams *define.AttachS } lastErr = tmpErr - exitCode, err := c.readExecExitCode(session.ID()) - if err != nil { + exitCode, exitCodeErr := c.readExecExitCode(session.ID()) + + // Lock again. + // Important: we must lock and sync *before* the above error is handled. + // We need info from the database to handle the error. + if !c.batched { + c.lock.Lock() + } + // We can't reuse the old exec session (things may have changed from + // other use, the container was unlocked). + // So re-sync and get a fresh copy. + // If we can't do this, no point in continuing, any attempt to save + // would write garbage to the DB. + if err := c.syncContainer(); err != nil { + if errors.Is(err, define.ErrNoSuchCtr) || errors.Is(err, define.ErrCtrRemoved) { + // We can't save status, but since the container has + // been entirely removed, we don't have to; exit cleanly + return lastErr + } if lastErr != nil { logrus.Errorf("Container %s exec session %s error: %v", c.ID(), session.ID(), lastErr) } - lastErr = err - } + return errors.Wrapf(err, "error syncing container %s state to update exec session %s", c.ID(), sessionID) + } + + // Now handle the error from readExecExitCode above. + if exitCodeErr != nil { + newSess, ok := c.state.ExecSessions[sessionID] + if !ok { + // The exec session was removed entirely, probably by + // the cleanup process. When it did so, it should have + // written an event with the exit code. + // Given that, there's nothing more we can do. + logrus.Infof("Container %s exec session %s already removed", c.ID(), session.ID()) + return lastErr + } - logrus.Debugf("Container %s exec session %s completed with exit code %d", c.ID(), session.ID(), exitCode) + if newSess.State == define.ExecStateStopped { + // Exec session already cleaned up. + // Exit code should be recorded, so it's OK if we were + // not able to read it. 
+ logrus.Infof("Container %s exec session %s already cleaned up", c.ID(), session.ID()) + return lastErr + } - // Lock again - if !c.batched { - c.lock.Lock() + if lastErr != nil { + logrus.Errorf("Container %s exec session %s error: %v", c.ID(), session.ID(), lastErr) + } + lastErr = exitCodeErr } - if err := writeExecExitCode(c, session.ID(), exitCode); err != nil { + logrus.Debugf("Container %s exec session %s completed with exit code %d", c.ID(), session.ID(), exitCode) + + if err := justWriteExecExitCode(c, session.ID(), exitCode); err != nil { if lastErr != nil { logrus.Errorf("Container %s exec session %s error: %v", c.ID(), session.ID(), lastErr) } diff --git a/libpod/define/containerstate.go b/libpod/define/containerstate.go index 23ba1f451..9ad3aec08 100644 --- a/libpod/define/containerstate.go +++ b/libpod/define/containerstate.go @@ -138,7 +138,6 @@ type ContainerStats struct { CPU float64 CPUNano uint64 CPUSystemNano uint64 - DataPoints int64 SystemNano uint64 MemUsage uint64 MemLimit uint64 diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go index aa970bbde..65123b37e 100644 --- a/libpod/oci_conmon_exec_linux.go +++ b/libpod/oci_conmon_exec_linux.go @@ -758,11 +758,14 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio } else { pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding } + + // Always unset the inheritable capabilities similarly to what the Linux kernel does + // They are used only when using capabilities with uid != 0. + pspec.Capabilities.Inheritable = []string{} + if execUser.Uid == 0 { pspec.Capabilities.Effective = pspec.Capabilities.Bounding - pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding pspec.Capabilities.Permitted = pspec.Capabilities.Bounding - pspec.Capabilities.Ambient = pspec.Capabilities.Bounding } else { if user == c.config.User { pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective 
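Review bot: When `exitCodeErr` is non-nil but the session is still present and not `ExecStateStopped`, the code logs the error, falls through to the `completed with exit code %d` debug line and persists `exitCode` via `justWriteExecExitCode`, so a failed read is recorded as whatever value readExecExitCode returned alongside its error (plausibly 0, which callers read as success). Unless readExecExitCode guarantees a non-zero sentinel on error (it is outside the hunk), this path should record a distinct error code rather than the unread value, or skip the write and return `lastErr`. A comment at the fall-through, e.g. `// Session still live and no exit code recorded; persist what we have so the session does not stay Running`, would at least make the intent explicit. The early `return lastErr` after a failed `syncContainer` leaves with `c.lock` just re-taken, so it relies on an unlock deferred earlier in ExecStartAndAttach, which begins and ends outside the hunk; worth confirming.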
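Review bot: The uid-0 branch no longer assigns `pspec.Capabilities.Ambient`, while `Inheritable` is now forced empty for every exec; the kernel only lets ambient capabilities be raised when they are also in Permitted and Inheritable, so if Ambient is still populated earlier in prepareProcessExec (the function starts and ends outside the hunk) the spec is either rejected by the runtime or carries a set that can never take effect. Clearing it next to the new line, `pspec.Capabilities.Ambient = []string{}`, makes the privilege reduction explicit: the exec process gets Effective and Permitted only, and nothing is carried across a later execve. The added comment would also help a reviewer if it stated the observable effect, e.g. `// Exec processes therefore cannot pass capabilities to binaries they execute unless file capabilities grant them.`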
diff --git a/libpod/pod.go b/libpod/pod.go index 6273ff247..ed2d97b37 100644 --- a/libpod/pod.go +++ b/libpod/pod.go @@ -422,10 +422,6 @@ type PodContainerStats struct { // GetPodStats returns the stats for each of its containers func (p *Pod) GetPodStats(previousContainerStats map[string]*define.ContainerStats) (map[string]*define.ContainerStats, error) { - var ( - ok bool - prevStat *define.ContainerStats - ) p.lock.Lock() defer p.lock.Unlock() @@ -438,10 +434,7 @@ func (p *Pod) GetPodStats(previousContainerStats map[string]*define.ContainerSta } newContainerStats := make(map[string]*define.ContainerStats) for _, c := range containers { - if prevStat, ok = previousContainerStats[c.ID()]; !ok { - prevStat = &define.ContainerStats{} - } - newStats, err := c.GetContainerStats(prevStat) + newStats, err := c.GetContainerStats(previousContainerStats[c.ID()]) // If the container wasn't running, don't include it // but also suppress the error if err != nil && errors.Cause(err) != define.ErrCtrStateInvalid { diff --git a/libpod/stats.go b/libpod/stats.go index b5d39240d..25baa378d 100644 --- a/libpod/stats.go +++ b/libpod/stats.go @@ -14,7 +14,9 @@ import ( "github.com/pkg/errors" ) -// GetContainerStats gets the running stats for a given container +// GetContainerStats gets the running stats for a given container. +// The previousStats is used to correctly calculate cpu percentages. You +// should pass nil if there is no previous stat for this container. func (c *Container) GetContainerStats(previousStats *define.ContainerStats) (*define.ContainerStats, error) { stats := new(define.ContainerStats) stats.ContainerID = c.ID() 
@@ -36,6 +38,14 @@ func (c *Container) GetContainerStats(previousStats *define.ContainerStats) (*de return stats, define.ErrCtrStateInvalid } + if previousStats == nil { + previousStats = &define.ContainerStats{ + // if we have no prev stats use the container start time as prev time + // otherwise we cannot correctly calculate the CPU percentage + SystemNano: uint64(c.state.StartedTime.UnixNano()), + } + } + cgroupPath, err := c.cGroupPath() if err != nil { return nil, err @@ -67,8 +77,8 @@ func (c *Container) GetContainerStats(previousStats *define.ContainerStats) (*de stats.Duration = cgroupStats.CPU.Usage.Total stats.UpTime = time.Duration(stats.Duration) stats.CPU = calculateCPUPercent(cgroupStats, previousCPU, now, previousStats.SystemNano) - stats.AvgCPU = calculateAvgCPU(stats.CPU, previousStats.AvgCPU, previousStats.DataPoints) - stats.DataPoints = previousStats.DataPoints + 1 + // calc the average cpu usage for the time the container is running + stats.AvgCPU = calculateCPUPercent(cgroupStats, 0, now, uint64(c.state.StartedTime.UnixNano())) stats.MemUsage = cgroupStats.Memory.Usage.Usage stats.MemLimit = c.getMemLimit() stats.MemPerc = (float64(stats.MemUsage) / float64(stats.MemLimit)) * 100 @@ -146,9 +156,3 @@ func calculateBlockIO(stats *cgroups.Metrics) (read uint64, write uint64) { } return } - -// calculateAvgCPU calculates the avg CPU percentage given the previous average and the number of data points. -func calculateAvgCPU(statsCPU float64, prevAvg float64, prevData int64) float64 { - avgPer := ((prevAvg * float64(prevData)) + statsCPU) / (float64(prevData) + 1) - return avgPer -} diff --git a/nix/default-arm64.nix b/nix/default-arm64.nix deleted file mode 100644 index fa076f27d..000000000 --- a/nix/default-arm64.nix +++ /dev/null 
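Review bot: `uint64(c.state.StartedTime.UnixNano())` is evaluated twice in this function, once for the synthetic `previousStats` and once for `AvgCPU`; hoisting it, `startNano := uint64(c.state.StartedTime.UnixNano())`, before the nil check keeps the two readings identical and documents that both figures are anchored at the same instant. The conversion also wraps to a very large value if `StartedTime` is the zero `time.Time` (negative `UnixNano`); the `ErrCtrStateInvalid` return above should make that unreachable for a running container, but a one-line comment saying so would make the dependency explicit. The doc comment added in this file's earlier `@@ -14,7 +14,9 @@` hunk could additionally state that `AvgCPU` is now the average since container start, since the running-average `calculateAvgCPU`/`DataPoints` mechanism is removed in the last hunk. GetContainerStats begins and ends outside these hunks.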
@@ -1,90 +0,0 @@ -let - pkgs = (import ./nixpkgs.nix { - crossSystem = { - config = "aarch64-unknown-linux-gnu"; - }; - config = { - packageOverrides = pkg: { - gpgme = (static pkg.gpgme); - libassuan = (static pkg.libassuan); - libgpgerror = (static pkg.libgpgerror); - libseccomp = (static pkg.libseccomp); - glib = (static pkg.glib).overrideAttrs (x: { - outputs = [ "bin" "out" "dev" ]; - mesonFlags = [ - "-Ddefault_library=static" - "-Ddevbindir=${placeholder ''dev''}/bin" - "-Dgtk_doc=false" - "-Dnls=disabled" - ]; - postInstall = '' - moveToOutput "share/glib-2.0" "$dev" - substituteInPlace "$dev/bin/gdbus-codegen" --replace "$out" "$dev" - sed -i "$dev/bin/glib-gettextize" -e "s|^gettext_dir=.*|gettext_dir=$dev/share/glib-2.0/gettext|" - sed '1i#line 1 "${x.pname}-${x.version}/include/glib-2.0/gobject/gobjectnotifyqueue.c"' \ - -i "$dev"/include/glib-2.0/gobject/gobjectnotifyqueue.c - ''; - }); - pcsclite = (static pkg.pcsclite).overrideAttrs (x: { - configureFlags = [ - "--enable-confdir=/etc" - "--enable-usbdropdir=/var/lib/pcsc/drivers" - "--disable-libsystemd" - "--disable-libudev" - "--disable-libusb" - ]; - buildInputs = [ pkgs.python3 pkgs.dbus ]; - }); - systemd = (static pkg.systemd).overrideAttrs (x: { - outputs = [ "out" "dev" ]; - mesonFlags = x.mesonFlags ++ [ - "-Dglib=false" - "-Dstatic-libsystemd=true" - ]; - }); - }; - }; - }); - - static = pkg: pkg.overrideAttrs (x: { - doCheck = false; - configureFlags = (x.configureFlags or [ ]) ++ [ - "--without-shared" - "--disable-shared" - ]; - dontDisableStatic = true; - enableSharedExecutables = false; - enableStatic = true; - }); - - self = with pkgs; buildGoModule rec { - name = "podman"; - src = builtins.filterSource - (path: type: !(type == "directory" && baseNameOf path == "bin")) ./..; - vendorSha256 = null; - doCheck = false; - enableParallelBuilding = true; - outputs = [ "out" ]; - nativeBuildInputs = [ bash gitMinimal go-md2man pkg-config which ]; - buildInputs = [ glibc glibc.static glib 
gpgme libassuan libgpgerror libseccomp libapparmor libselinux ]; - prePatch = '' - export CFLAGS='-static -pthread' - export LDFLAGS='-s -w -static-libgcc -static' - export EXTRA_LDFLAGS='-s -w -linkmode external -extldflags "-static -lm"' - export BUILDTAGS='static netgo osusergo exclude_graphdriver_btrfs exclude_graphdriver_devicemapper seccomp apparmor selinux' - export CGO_ENABLED=1 - ''; - buildPhase = '' - patchShebangs . - make bin/podman - make bin/podman-remote - make bin/rootlessport - ''; - installPhase = '' - install -Dm755 bin/podman $out/bin/podman - install -Dm755 bin/podman-remote $out/bin/podman-remote - install -Dm755 bin/rootlessport $out/libexec/podman/rootlessport - ''; - }; -in -self diff --git a/nix/default.nix b/nix/default.nix deleted file mode 100644 index 30ae21503..000000000 --- a/nix/default.nix +++ /dev/null 
@@ -1,88 +0,0 @@ -{ system ? builtins.currentSystem }: -let - pkgs = (import ./nixpkgs.nix { - config = { - packageOverrides = pkg: { - gpgme = (static pkg.gpgme); - libassuan = (static pkg.libassuan); - libgpgerror = (static pkg.libgpgerror); - libseccomp = (static pkg.libseccomp); - glib = (static pkg.glib).overrideAttrs (x: { - outputs = [ "bin" "out" "dev" ]; - mesonFlags = [ - "-Ddefault_library=static" - "-Ddevbindir=${placeholder ''dev''}/bin" - "-Dgtk_doc=false" - "-Dnls=disabled" - ]; - postInstall = '' - moveToOutput "share/glib-2.0" "$dev" - substituteInPlace "$dev/bin/gdbus-codegen" --replace "$out" "$dev" - sed -i "$dev/bin/glib-gettextize" -e "s|^gettext_dir=.*|gettext_dir=$dev/share/glib-2.0/gettext|" - sed '1i#line 1 "${x.pname}-${x.version}/include/glib-2.0/gobject/gobjectnotifyqueue.c"' \ - -i "$dev"/include/glib-2.0/gobject/gobjectnotifyqueue.c - ''; - }); - pcsclite = (static pkg.pcsclite).overrideAttrs (x: { - configureFlags = [ - "--enable-confdir=/etc" - "--enable-usbdropdir=/var/lib/pcsc/drivers" - "--disable-libsystemd" - "--disable-libudev" - "--disable-libusb" - ]; - buildInputs = [ pkgs.python3 pkgs.dbus ]; - }); - systemd = (static pkg.systemd).overrideAttrs (x: { - outputs = [ "out" "dev" ]; - mesonFlags = x.mesonFlags ++ [ - "-Dglib=false" - "-Dstatic-libsystemd=true" - ]; - }); - }; - }; - }); - - static = pkg: pkg.overrideAttrs (x: { - doCheck = false; - configureFlags = (x.configureFlags or [ ]) ++ [ - "--without-shared" - "--disable-shared" - ]; - dontDisableStatic = true; - enableSharedExecutables = false; - enableStatic = true; - }); - - self = with pkgs; buildGoModule rec { - name = "podman"; - src = builtins.filterSource - (path: type: !(type == "directory" && baseNameOf path == "bin")) ./..; - vendorSha256 = null; - doCheck = false; - enableParallelBuilding = true; - outputs = [ "out" ]; - nativeBuildInputs = [ bash gitMinimal go-md2man pkg-config which ]; - buildInputs = [ glibc glibc.static glib gpgme libassuan libgpgerror 
libseccomp libapparmor libselinux ]; - prePatch = '' - export CFLAGS='-static -pthread' - export LDFLAGS='-s -w -static-libgcc -static' - export EXTRA_LDFLAGS='-s -w -linkmode external -extldflags "-static -lm"' - export BUILDTAGS='static netgo osusergo exclude_graphdriver_btrfs exclude_graphdriver_devicemapper seccomp apparmor selinux' - export CGO_ENABLED=1 - ''; - buildPhase = '' - patchShebangs . - make bin/podman - make bin/podman-remote - make bin/rootlessport - ''; - installPhase = '' - install -Dm755 bin/podman $out/bin/podman - install -Dm755 bin/podman-remote $out/bin/podman-remote - install -Dm755 bin/rootlessport $out/libexec/podman/rootlessport - ''; - }; -in -self diff --git a/nix/nixpkgs.json b/nix/nixpkgs.json deleted file mode 100644 index efcfe202e..000000000 --- a/nix/nixpkgs.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "url": "https://github.com/nixos/nixpkgs", - "rev": "2a96414d7e350160a33ed0978449c9ff5b5a6eb3", - "date": "2021-07-13T18:21:47+02:00", - "path": "/nix/store/2ai9q8ac6vxb2rrngdz82y8jxnk15cvm-nixpkgs", - "sha256": "1dzrfqdjq3yq5jjskiqflzy58l2xx6059gay9p1k07zrlm1wigy5", - "fetchSubmodules": false, - "deepClone": false, - "leaveDotGit": false -} diff --git a/nix/nixpkgs.nix b/nix/nixpkgs.nix deleted file mode 100644 index 11c20380a..000000000 --- a/nix/nixpkgs.nix +++ /dev/null @@ -1,9 +0,0 @@ -let - json = builtins.fromJSON (builtins.readFile ./nixpkgs.json); - nixpkgs = import (builtins.fetchTarball { - name = "nixos-unstable"; - url = "${json.url}/archive/${json.rev}.tar.gz"; - inherit (json) sha256; - }); -in -nixpkgs diff --git a/pkg/api/handlers/compat/containers_stats.go b/pkg/api/handlers/compat/containers_stats.go index 99f14d02f..77b16b03e 100644 --- a/pkg/api/handlers/compat/containers_stats.go +++ b/pkg/api/handlers/compat/containers_stats.go 
@@ -56,7 +56,7 @@ func StatsContainer(w http.ResponseWriter, r *http.Request) { return } - stats, err := ctnr.GetContainerStats(&define.ContainerStats{}) + stats, err := ctnr.GetContainerStats(nil) if err != nil { utils.InternalServerError(w, errors.Wrapf(err, "failed to obtain Container %s stats", name)) return diff --git a/pkg/api/handlers/compat/networks.go b/pkg/api/handlers/compat/networks.go index eb1a5d59c..89d914e0a 100644 --- a/pkg/api/handlers/compat/networks.go +++ b/pkg/api/handlers/compat/networks.go @@ -242,7 +242,7 @@ func CreateNetwork(w http.ResponseWriter, r *http.Request) { body := struct { ID string `json:"Id"` - Warning []string + Warning string }{ ID: newNetwork.ID, } diff --git a/pkg/api/handlers/libpod/images.go b/pkg/api/handlers/libpod/images.go index d59a83342..cddf4c205 100644 --- a/pkg/api/handlers/libpod/images.go +++ b/pkg/api/handlers/libpod/images.go @@ -367,10 +367,13 @@ func ImagesImport(w http.ResponseWriter, r *http.Request) { runtime := r.Context().Value(api.RuntimeKey).(*libpod.Runtime) decoder := r.Context().Value(api.DecoderKey).(*schema.Decoder) query := struct { - Changes []string `schema:"changes"` - Message string `schema:"message"` - Reference string `schema:"reference"` - URL string `schema:"URL"` + Changes []string `schema:"changes"` + Message string `schema:"message"` + Reference string `schema:"reference"` + URL string `schema:"URL"` + OS string `schema:"OS"` + Architecture string `schema:"Architecture"` + Variant string `schema:"Variant"` }{ // Add defaults here once needed. } 
@@ -402,10 +405,13 @@ func ImagesImport(w http.ResponseWriter, r *http.Request) { imageEngine := abi.ImageEngine{Libpod: runtime} importOptions := entities.ImageImportOptions{ - Changes: query.Changes, - Message: query.Message, - Reference: query.Reference, - Source: source, + Changes: query.Changes, + Message: query.Message, + Reference: query.Reference, + OS: query.OS, + Architecture: query.Architecture, + Variant: query.Variant, + Source: source, } report, err := imageEngine.Import(r.Context(), importOptions) if err != nil { diff --git a/pkg/api/handlers/libpod/manifests.go b/pkg/api/handlers/libpod/manifests.go index 250736579..ad662f32c 100644 --- a/pkg/api/handlers/libpod/manifests.go +++ b/pkg/api/handlers/libpod/manifests.go @@ -401,7 +401,7 @@ func ManifestModify(w http.ResponseWriter, r *http.Request) { case len(report.Errors) > 0 && len(report.Images) > 0: statusCode = http.StatusConflict case len(report.Errors) > 0: - statusCode = http.StatusInternalServerError + statusCode = http.StatusBadRequest } utils.WriteResponse(w, statusCode, report) } diff --git a/pkg/api/handlers/libpod/play.go b/pkg/api/handlers/libpod/play.go index aed889298..ca9ada761 100644 --- a/pkg/api/handlers/libpod/play.go +++ b/pkg/api/handlers/libpod/play.go @@ -1,11 +1,8 @@ package libpod import ( - "io" - "io/ioutil" "net" "net/http" - "os" "github.com/containers/image/v5/types" "github.com/containers/podman/v4/libpod" @@ -16,7 +13,6 @@ import ( "github.com/containers/podman/v4/pkg/domain/infra/abi" "github.com/gorilla/schema" "github.com/pkg/errors" - "github.com/sirupsen/logrus" ) func PlayKube(w http.ResponseWriter, r *http.Request) { 
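Review bot: Mapping every `len(report.Errors) > 0` outcome to `http.StatusBadRequest` assumes all entries in `report.Errors` originate from the client's request; if ManifestModify can also surface registry or storage failures there (not visible in this hunk), they would now be reported as client errors and clients would stop retrying them. If the distinction cannot be recovered from the report, a comment stating the assumption, `// report.Errors are per-image request errors; infrastructure failures return earlier as 500`, would document it; otherwise keep 500 for the non-client case. ManifestModify begins outside the hunk.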
@@ -62,28 +58,6 @@ func PlayKube(w http.ResponseWriter, r *http.Request) { staticMACs = append(staticMACs, mac) } - // Fetch the K8s YAML file from the body, and copy it to a temp file. - tmpfile, err := ioutil.TempFile("", "libpod-play-kube.yml") - if err != nil { - utils.Error(w, http.StatusInternalServerError, errors.Wrap(err, "unable to create tempfile")) - return - } - defer func() { - if err := os.Remove(tmpfile.Name()); err != nil { - logrus.Warn(err) - } - }() - if _, err := io.Copy(tmpfile, r.Body); err != nil && err != io.EOF { - if err := tmpfile.Close(); err != nil { - logrus.Warn(err) - } - utils.Error(w, http.StatusInternalServerError, errors.Wrap(err, "unable to write archive to temporary file")) - return - } - if err := tmpfile.Close(); err != nil { - utils.Error(w, http.StatusInternalServerError, errors.Wrap(err, "error closing temporary file")) - return - } authConf, authfile, err := auth.GetCredentials(r) if err != nil { utils.Error(w, http.StatusBadRequest, err) @@ -116,7 +90,8 @@ func PlayKube(w http.ResponseWriter, r *http.Request) { if _, found := r.URL.Query()["start"]; found { options.Start = types.NewOptionalBool(query.Start) } - report, err := containerEngine.PlayKube(r.Context(), tmpfile.Name(), options) + report, err := containerEngine.PlayKube(r.Context(), r.Body, options) + _ = r.Body.Close() if err != nil { utils.Error(w, http.StatusInternalServerError, errors.Wrap(err, "error playing YAML file")) return 
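Review bot: `containerEngine.PlayKube(r.Context(), r.Body, options)` streams the request body with no size bound, as the removed temp-file copy also did; wrapping it as `body := http.MaxBytesReader(w, r.Body, maxPlayKubeBodyBytes)` (placeholder constant, limit to be chosen) and passing `body` caps how much YAML one request can make the service buffer, unless PlayKube enforces a limit itself (not visible here). The explicit `_ = r.Body.Close()` is redundant because the net/http server closes the request body after the handler returns; if it is kept to release the reader early, a comment should say so rather than leaving a discarded error. The `PlayKubeDown` hunk in this file has the same two points. PlayKube begins and ends outside the hunk.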
@@ -126,30 +101,10 @@ func PlayKube(w http.ResponseWriter, r *http.Request) { func PlayKubeDown(w http.ResponseWriter, r *http.Request) { runtime := r.Context().Value(api.RuntimeKey).(*libpod.Runtime) - tmpfile, err := ioutil.TempFile("", "libpod-play-kube.yml") - if err != nil { - utils.Error(w, http.StatusInternalServerError, errors.Wrap(err, "unable to create tempfile")) - return - } - defer func() { - if err := os.Remove(tmpfile.Name()); err != nil { - logrus.Warn(err) - } - }() - if _, err := io.Copy(tmpfile, r.Body); err != nil && err != io.EOF { - if err := tmpfile.Close(); err != nil { - logrus.Warn(err) - } - utils.Error(w, http.StatusInternalServerError, errors.Wrap(err, "unable to write archive to temporary file")) - return - } - if err := tmpfile.Close(); err != nil { - utils.Error(w, http.StatusInternalServerError, errors.Wrap(err, "error closing temporary file")) - return - } containerEngine := abi.ContainerEngine{Libpod: runtime} options := new(entities.PlayKubeDownOptions) - report, err := containerEngine.PlayKubeDown(r.Context(), tmpfile.Name(), *options) + report, err := containerEngine.PlayKubeDown(r.Context(), r.Body, *options) + _ = r.Body.Close() if err != nil { utils.Error(w, http.StatusInternalServerError, errors.Wrap(err, "error tearing down YAML file")) return diff --git a/pkg/api/server/register_exec.go b/pkg/api/server/register_exec.go index c19ca7859..90136463d 100644 --- a/pkg/api/server/register_exec.go +++ b/pkg/api/server/register_exec.go @@ -169,7 +169,7 @@ func (s *APIServer) registerExecHandlers(r *mux.Router) error { // - application/json // responses: // 200: - // description: no error + // $ref: "#/responses/InspectExecSession" // 404: // $ref: "#/responses/NoSuchExecInstance" // 500: diff --git a/pkg/api/server/register_networks.go b/pkg/api/server/register_networks.go index 4466c938f..b900aa953 100644 --- a/pkg/api/server/register_networks.go +++ b/pkg/api/server/register_networks.go 
@@ -105,8 +105,15 @@ func (s *APIServer) registerNetworkHandlers(r *mux.Router) error { // schema: // $ref: "#/definitions/NetworkCreateRequest" // responses: - // 200: - // $ref: "#/responses/CompatNetworkCreate" + // 201: + // description: network created + // schema: + // type: object + // properties: + // Id: + // type: string + // Warning: + // type: string // 400: // $ref: "#/responses/BadParamError" // 500: diff --git a/pkg/api/server/swagger.go b/pkg/api/server/swagger.go index 9b652be87..6cf89581a 100644 --- a/pkg/api/server/swagger.go +++ b/pkg/api/server/swagger.go @@ -235,3 +235,12 @@ type swagSystemAuthResponse struct { entities.AuthReport } } + +// Inspect response +// swagger:response InspectExecSession +type swagInspectExecSession struct { + // in:body + Body struct { + define.InspectExecSession + } +} diff --git a/pkg/bindings/images/types.go b/pkg/bindings/images/types.go index 163365924..75cb38a0a 100644 --- a/pkg/bindings/images/types.go +++ b/pkg/bindings/images/types.go @@ -103,6 +103,12 @@ type ImportOptions struct { Reference *string // Url to option image to import. Cannot be used with the reader URL *string + // OS for the imported image + OS *string + // Architecture for the imported image + Architecture *string + // Variant for the imported image + Variant *string } //go:generate go run ../generator/generator.go PushOptions diff --git a/pkg/bindings/images/types_import_options.go b/pkg/bindings/images/types_import_options.go index ea66fa312..f958fe8b4 100644 --- a/pkg/bindings/images/types_import_options.go +++ b/pkg/bindings/images/types_import_options.go 
@@ -76,3 +76,48 @@ func (o *ImportOptions) GetURL() string { } return *o.URL } + +// WithOS set field OS to given value +func (o *ImportOptions) WithOS(value string) *ImportOptions { + o.OS = &value + return o +} + +// GetOS returns value of field OS +func (o *ImportOptions) GetOS() string { + if o.OS == nil { + var z string + return z + } + return *o.OS +} + +// WithArchitecture set field Architecture to given value +func (o *ImportOptions) WithArchitecture(value string) *ImportOptions { + o.Architecture = &value + return o +} + +// GetArchitecture returns value of field Architecture +func (o *ImportOptions) GetArchitecture() string { + if o.Architecture == nil { + var z string + return z + } + return *o.Architecture +} + +// WithVariant set field Variant to given value +func (o *ImportOptions) WithVariant(value string) *ImportOptions { + o.Variant = &value + return o +} + +// GetVariant returns value of field Variant +func (o *ImportOptions) GetVariant() string { + if o.Variant == nil { + var z string + return z + } + return *o.Variant +} diff --git a/pkg/bindings/manifests/manifests.go b/pkg/bindings/manifests/manifests.go index 458cb913a..f7cd0d262 100644 --- a/pkg/bindings/manifests/manifests.go +++ b/pkg/bindings/manifests/manifests.go @@ -2,10 +2,9 @@ package manifests import ( "context" - "errors" "fmt" + "io/ioutil" "net/http" - "net/url" "strconv" "strings" @@ -14,8 +13,11 @@ import ( "github.com/containers/podman/v4/pkg/api/handlers" "github.com/containers/podman/v4/pkg/bindings" "github.com/containers/podman/v4/pkg/bindings/images" + "github.com/containers/podman/v4/pkg/domain/entities" + "github.com/containers/podman/v4/pkg/errorhandling" "github.com/containers/podman/v4/version" jsoniter "github.com/json-iterator/go" + "github.com/pkg/errors" ) // Create creates a manifest for the given name. Optional images to be associated with 
@@ -135,30 +137,8 @@ func Add(ctx context.Context, name string, options *AddOptions) (string, error) // Remove deletes a manifest entry from a manifest list. Both name and the digest to be // removed are mandatory inputs. The ID of the new manifest list is returned as a string. func Remove(ctx context.Context, name, digest string, _ *RemoveOptions) (string, error) { - if bindings.ServiceVersion(ctx).GTE(semver.MustParse("4.0.0")) { - optionsv4 := new(ModifyOptions).WithOperation("remove") - return Modify(ctx, name, []string{digest}, optionsv4) - } - - // API Version < 4.0.0 - conn, err := bindings.GetClient(ctx) - if err != nil { - return "", err - } - - headers := http.Header{} - headers.Add("API-Version", "3.4.0") - - params := url.Values{} - params.Set("digest", digest) - response, err := conn.DoRequest(ctx, nil, http.MethodDelete, "/manifests/%s", params, headers, name) - if err != nil { - return "", err - } - defer response.Body.Close() - - var idr handlers.IDResponse - return idr.ID, response.Process(&idr) + optionsv4 := new(ModifyOptions).WithOperation("remove") + return Modify(ctx, name, []string{digest}, optionsv4) } // Push takes a manifest list and pushes to a destination. If the destination is not specified, 
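Review bot: Remove now delegates unconditionally to Modify and drops the `API-Version: 3.4.0` DELETE fallback, so a client built from this code talking to a server that predates the modify endpoint will fail where it previously worked; whether the rest of this package still supports pre-4.0 servers is not visible in the hunk. If that compatibility is intentionally gone, the doc comment above Remove should say so, e.g. `// Remove requires a server that implements the manifest modify endpoint (API 4.0+).`, so the behaviour change is discoverable from the API surface rather than from a runtime error.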
@@ -229,8 +209,36 @@ func Modify(ctx context.Context, name string, images []string, options *ModifyOp } defer response.Body.Close() - var idr handlers.IDResponse - return idr.ID, response.Process(&idr) + data, err := ioutil.ReadAll(response.Body) + if err != nil { + return "", errors.Wrap(err, "unable to process API response") + } + + if response.IsSuccess() || response.IsRedirection() { + var report entities.ManifestModifyReport + if err = jsoniter.Unmarshal(data, &report); err != nil { + return "", errors.Wrap(err, "unable to decode API response") + } + + err = errorhandling.JoinErrors(report.Errors) + if err != nil { + errModel := errorhandling.ErrorModel{ + Because: (errors.Cause(err)).Error(), + Message: err.Error(), + ResponseCode: response.StatusCode, + } + return report.ID, &errModel + } + return report.ID, nil + } + + errModel := errorhandling.ErrorModel{ + ResponseCode: response.StatusCode, + } + if err = jsoniter.Unmarshal(data, &errModel); err != nil { + return "", errors.Wrap(err, "unable to decode API response") + } + return "", &errModel } // Annotate modifies the given manifest list using options and the optional list of images diff --git a/pkg/bindings/play/play.go b/pkg/bindings/play/play.go index d4018b6b3..8058a8514 100644 --- a/pkg/bindings/play/play.go +++ b/pkg/bindings/play/play.go @@ -2,6 +2,7 @@ package play import ( "context" + "io" "net/http" "os" "strconv" 
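Review bot: The success branch of Modify returns `report.ID` together with a non-nil `*errorhandling.ErrorModel` whenever `report.Errors` is non-empty, so a partially applied modification is signalled by an error whose `ResponseCode` is a 2xx; callers following the usual `if err != nil { return }` pattern will discard the new list ID and treat the whole operation as failed. Document this contract on Modify (its doc comment is outside the hunk), e.g. `// On partial success the new list ID is returned alongside a non-nil error describing the images that failed.`, or make the decision from the HTTP status the server already chose. Depending on how `errorhandling.JoinErrors` wraps, `errors.Cause(err)` may be the joined error itself, in which case `Because` and `Message` carry the same text; if that is not intended, pick one source for `Because`.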
@@ -14,20 +15,25 @@ import ( ) func Kube(ctx context.Context, path string, options *KubeOptions) (*entities.PlayKubeReport, error) { + f, err := os.Open(path) + if err != nil { + return nil, err + } + defer f.Close() + + return KubeWithBody(ctx, f, options) +} + +func KubeWithBody(ctx context.Context, body io.Reader, options *KubeOptions) (*entities.PlayKubeReport, error) { var report entities.PlayKubeReport if options == nil { options = new(KubeOptions) } - conn, err := bindings.GetClient(ctx) - if err != nil { - return nil, err - } - f, err := os.Open(path) + conn, err := bindings.GetClient(ctx) if err != nil { return nil, err } - defer f.Close() params, err := options.ToParams() if err != nil { @@ -46,7 +52,7 @@ func Kube(ctx context.Context, path string, options *KubeOptions) (*entities.Pla return nil, err } - response, err := conn.DoRequest(ctx, f, http.MethodPost, "/play/kube", params, header) + response, err := conn.DoRequest(ctx, body, http.MethodPost, "/play/kube", params, header) if err != nil { return nil, err } @@ -60,12 +66,6 @@ func Kube(ctx context.Context, path string, options *KubeOptions) (*entities.Pla } func KubeDown(ctx context.Context, path string) (*entities.PlayKubeReport, error) { - var report entities.PlayKubeReport - conn, err := bindings.GetClient(ctx) - if err != nil { - return nil, err - } - f, err := os.Open(path) if err != nil { return nil, err @@ -75,7 +75,18 @@ func KubeDown(ctx context.Context, path string) (*entities.PlayKubeReport, error logrus.Warn(err) } }() - response, err := conn.DoRequest(ctx, f, http.MethodDelete, "/play/kube", nil, nil) + + return KubeDownWithBody(ctx, f) +} + +func KubeDownWithBody(ctx context.Context, body io.Reader) (*entities.PlayKubeReport, error) { + var report entities.PlayKubeReport + conn, err := bindings.GetClient(ctx) + if err != nil { + return nil, err + } + + response, err := conn.DoRequest(ctx, body, http.MethodDelete, "/play/kube", nil, nil) if err != nil { return nil, err } 
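Review bot: Kube and KubeDown now handle closing the opened file differently: Kube uses a bare `defer f.Close()` while KubeDown keeps the deferred closure that logs the close error with `logrus.Warn`. For a read-only file either is defensible, but the two entry points sit next to each other and should use one form; the plain `defer f.Close()` in both is the simpler choice. KubeDown's opening lines are split across the last two hunks of this file.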
diff --git a/pkg/domain/entities/engine_container.go b/pkg/domain/entities/engine_container.go index 7cf7ca17f..6b70a3452 100644 --- a/pkg/domain/entities/engine_container.go +++ b/pkg/domain/entities/engine_container.go @@ -68,8 +68,8 @@ type ContainerEngine interface { NetworkPrune(ctx context.Context, options NetworkPruneOptions) ([]*NetworkPruneReport, error) NetworkReload(ctx context.Context, names []string, options NetworkReloadOptions) ([]*NetworkReloadReport, error) NetworkRm(ctx context.Context, namesOrIds []string, options NetworkRmOptions) ([]*NetworkRmReport, error) - PlayKube(ctx context.Context, path string, opts PlayKubeOptions) (*PlayKubeReport, error) - PlayKubeDown(ctx context.Context, path string, opts PlayKubeDownOptions) (*PlayKubeReport, error) + PlayKube(ctx context.Context, body io.Reader, opts PlayKubeOptions) (*PlayKubeReport, error) + PlayKubeDown(ctx context.Context, body io.Reader, opts PlayKubeDownOptions) (*PlayKubeReport, error) PodCreate(ctx context.Context, specg PodSpec) (*PodCreateReport, error) PodExists(ctx context.Context, nameOrID string) (*BoolReport, error) PodInspect(ctx context.Context, options PodInspectOptions) (*PodInspectReport, error) diff --git a/pkg/domain/entities/images.go b/pkg/domain/entities/images.go index 93334fc6a..7081c5d25 100644 --- a/pkg/domain/entities/images.go +++ b/pkg/domain/entities/images.go @@ -279,6 +279,7 @@ type ImageLoadReport struct { type ImageImportOptions struct { Architecture string + Variant string Changes []string Message string OS string diff --git a/pkg/domain/entities/types.go b/pkg/domain/entities/types.go index 4d9ced900..bed3183e9 100644 --- a/pkg/domain/entities/types.go +++ b/pkg/domain/entities/types.go @@ -20,7 +20,7 @@ type Volume struct { } type Report struct { - Id []string //nolint + Id []string // nolint Err map[string]error } 
@@ -98,8 +98,10 @@ type EventsOptions struct { // ContainerCreateResponse is the response struct for creating a container type ContainerCreateResponse struct { // ID of the container created + // required: true ID string `json:"Id"` // Warnings during container creation + // required: true Warnings []string `json:"Warnings"` } diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go index e6feb7c82..f45bdeba5 100644 --- a/pkg/domain/infra/abi/containers.go +++ b/pkg/domain/infra/abi/containers.go @@ -1431,12 +1431,7 @@ func (ic *ContainerEngine) ContainerStats(ctx context.Context, namesOrIds []stri reportStats := []define.ContainerStats{} for _, ctr := range containers { - prev, ok := containerStats[ctr.ID()] - if !ok { - prev = &define.ContainerStats{} - } - - stats, err := ctr.GetContainerStats(prev) + stats, err := ctr.GetContainerStats(containerStats[ctr.ID()]) if err != nil { cause := errors.Cause(err) if queryAll && (cause == define.ErrCtrRemoved || cause == define.ErrNoSuchCtr || cause == define.ErrCtrStateInvalid) { 
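Review bot: Replacing the `prev, ok := containerStats[...]` lookup with a direct `containerStats[ctr.ID()]` index means `GetContainerStats` now receives a nil `*define.ContainerStats` the first time a container is seen, where it previously always got an empty struct; whether that is safe depends on GetContainerStats checking for nil, which this hunk cannot show. If it does, a short comment would stop the old guard from being reintroduced, e.g. `// a nil previous sample is accepted by GetContainerStats and means "no baseline yet"`; if it does not, the simplification is a nil dereference. ContainerStats's body continues outside the hunk.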
@@ -1501,6 +1496,35 @@ func (ic *ContainerEngine) ContainerClone(ctx context.Context, ctrCloneOpts enti return nil, err } + if ctrCloneOpts.CreateOpts.Pod != "" { + pod, err := ic.Libpod.LookupPod(ctrCloneOpts.CreateOpts.Pod) + if err != nil { + return nil, err + } + + allNamespaces := []struct { + isShared bool + value *specgen.Namespace + }{ + {pod.SharesPID(), &spec.PidNS}, + {pod.SharesNet(), &spec.NetNS}, + {pod.SharesCgroup(), &spec.CgroupNS}, + {pod.SharesIPC(), &spec.IpcNS}, + {pod.SharesUTS(), &spec.UtsNS}, + } + + printWarning := false + for _, n := range allNamespaces { + if n.isShared && !n.value.IsDefault() { + *n.value = specgen.Namespace{NSMode: specgen.Default} + printWarning = true + } + } + if printWarning { + logrus.Warning("At least one namespace was reset to the default configuration") + } + } + err = specgenutil.FillOutSpecGen(spec, &ctrCloneOpts.CreateOpts, []string{}) if err != nil { return nil, err diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go index 3fdfa8f3a..74478b26d 100644 --- a/pkg/domain/infra/abi/images.go +++ b/pkg/domain/infra/abi/images.go @@ -445,7 +445,8 @@ func (ir *ImageEngine) Import(ctx context.Context, options entities.ImageImportO importOptions.Tag = options.Reference importOptions.SignaturePolicyPath = options.SignaturePolicy importOptions.OS = options.OS - importOptions.Architecture = options.Architecture + importOptions.Arch = options.Architecture + importOptions.Variant = options.Variant if !options.Quiet { importOptions.Writer = os.Stderr diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go index 236d56053..1423ab06e 100644 --- a/pkg/domain/infra/abi/play.go +++ b/pkg/domain/infra/abi/play.go 
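Review bot: The `logrus.Warning` at the end of the new pod block tells the user that "at least one namespace" was changed but not which one, and the `printWarning` flag only records that something happened; since the loop already knows which entry it reset, collecting the names costs nothing and makes the warning actionable. A `name` field on the anonymous struct plus a slice in place of the bool is enough; the sketch below shows the shape. ContainerClone's body continues outside the hunk.

```go
	// … unchanged: LookupPod and its error check …

	allNamespaces := []struct {
		name     string
		isShared bool
		value    *specgen.Namespace
	}{
		{"pid", pod.SharesPID(), &spec.PidNS},
		{"net", pod.SharesNet(), &spec.NetNS},
		{"cgroup", pod.SharesCgroup(), &spec.CgroupNS},
		{"ipc", pod.SharesIPC(), &spec.IpcNS},
		{"uts", pod.SharesUTS(), &spec.UtsNS},
	}

	var reset []string
	for _, n := range allNamespaces {
		if n.isShared && !n.value.IsDefault() {
			*n.value = specgen.Namespace{NSMode: specgen.Default}
			reset = append(reset, n.name)
		}
	}
	if len(reset) > 0 {
		logrus.Warningf("Namespaces %v were reset to the default configuration to join pod %s", reset, ctrCloneOpts.CreateOpts.Pod)
	}
```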
@@ -33,12 +33,12 @@ import ( yamlv2 "gopkg.in/yaml.v2" ) -func (ic *ContainerEngine) PlayKube(ctx context.Context, path string, options entities.PlayKubeOptions) (*entities.PlayKubeReport, error) { +func (ic *ContainerEngine) PlayKube(ctx context.Context, body io.Reader, options entities.PlayKubeOptions) (*entities.PlayKubeReport, error) { report := &entities.PlayKubeReport{} validKinds := 0 // read yaml document - content, err := ioutil.ReadFile(path) + content, err := ioutil.ReadAll(body) if err != nil { return nil, err } @@ -52,7 +52,7 @@ func (ic *ContainerEngine) PlayKube(ctx context.Context, path string, options en // sort kube kinds documentList, err = sortKubeKinds(documentList) if err != nil { - return nil, errors.Wrapf(err, "unable to sort kube kinds in %q", path) + return nil, errors.Wrap(err, "unable to sort kube kinds") } ipIndex := 0 @@ -64,7 +64,7 @@ func (ic *ContainerEngine) PlayKube(ctx context.Context, path string, options en for _, document := range documentList { kind, err := getKubeKind(document) if err != nil { - return nil, errors.Wrapf(err, "unable to read %q as kube YAML", path) + return nil, errors.Wrap(err, "unable to read kube YAML") } switch kind { @@ -73,7 +73,7 @@ func (ic *ContainerEngine) PlayKube(ctx context.Context, path string, options en var podTemplateSpec v1.PodTemplateSpec if err := yaml.Unmarshal(document, &podYAML); err != nil { - return nil, errors.Wrapf(err, "unable to read YAML %q as Kube Pod", path) + return nil, errors.Wrap(err, "unable to read YAML as Kube Pod") } podTemplateSpec.ObjectMeta = podYAML.ObjectMeta 
@@ -97,7 +97,7 @@ func (ic *ContainerEngine) PlayKube(ctx context.Context, path string, options en var deploymentYAML v1apps.Deployment if err := yaml.Unmarshal(document, &deploymentYAML); err != nil { - return nil, errors.Wrapf(err, "unable to read YAML %q as Kube Deployment", path) + return nil, errors.Wrap(err, "unable to read YAML as Kube Deployment") } r, err := ic.playKubeDeployment(ctx, &deploymentYAML, options, &ipIndex, configMaps) @@ -111,7 +111,7 @@ func (ic *ContainerEngine) PlayKube(ctx context.Context, path string, options en var pvcYAML v1.PersistentVolumeClaim if err := yaml.Unmarshal(document, &pvcYAML); err != nil { - return nil, errors.Wrapf(err, "unable to read YAML %q as Kube PersistentVolumeClaim", path) + return nil, errors.Wrap(err, "unable to read YAML as Kube PersistentVolumeClaim") } r, err := ic.playKubePVC(ctx, &pvcYAML, options) @@ -125,7 +125,7 @@ func (ic *ContainerEngine) PlayKube(ctx context.Context, path string, options en var configMap v1.ConfigMap if err := yaml.Unmarshal(document, &configMap); err != nil { - return nil, errors.Wrapf(err, "unable to read YAML %q as Kube ConfigMap", path) + return nil, errors.Wrap(err, "unable to read YAML as Kube ConfigMap") } configMaps = append(configMaps, configMap) default: @@ -773,14 +773,14 @@ func getBuildFile(imageName string, cwd string) (string, error) { return "", err } -func (ic *ContainerEngine) PlayKubeDown(ctx context.Context, path string, _ entities.PlayKubeDownOptions) (*entities.PlayKubeReport, error) { +func (ic *ContainerEngine) PlayKubeDown(ctx context.Context, body io.Reader, _ entities.PlayKubeDownOptions) (*entities.PlayKubeReport, error) { var ( podNames []string ) reports := new(entities.PlayKubeReport) // read yaml document - content, err := ioutil.ReadFile(path) + content, err := ioutil.ReadAll(body) if err != nil { return nil, err } 
@@ -794,27 +794,27 @@ func (ic *ContainerEngine) PlayKubeDown(ctx context.Context, path string, _ enti // sort kube kinds documentList, err = sortKubeKinds(documentList) if err != nil { - return nil, errors.Wrapf(err, "unable to sort kube kinds in %q", path) + return nil, errors.Wrap(err, "unable to sort kube kinds") } for _, document := range documentList { kind, err := getKubeKind(document) if err != nil { - return nil, errors.Wrapf(err, "unable to read %q as kube YAML", path) + return nil, errors.Wrap(err, "unable to read as kube YAML") } switch kind { case "Pod": var podYAML v1.Pod if err := yaml.Unmarshal(document, &podYAML); err != nil { - return nil, errors.Wrapf(err, "unable to read YAML %q as Kube Pod", path) + return nil, errors.Wrap(err, "unable to read YAML as Kube Pod") } podNames = append(podNames, podYAML.ObjectMeta.Name) case "Deployment": var deploymentYAML v1apps.Deployment if err := yaml.Unmarshal(document, &deploymentYAML); err != nil { - return nil, errors.Wrapf(err, "unable to read YAML %q as Kube Deployment", path) + return nil, errors.Wrap(err, "unable to read YAML as Kube Deployment") } var numReplicas int32 = 1 deploymentName := deploymentYAML.ObjectMeta.Name diff --git a/pkg/domain/infra/tunnel/images.go b/pkg/domain/infra/tunnel/images.go index 62eacb19f..18e10e8dd 100644 --- a/pkg/domain/infra/tunnel/images.go +++ b/pkg/domain/infra/tunnel/images.go @@ -230,6 +230,7 @@ func (ir *ImageEngine) Import(ctx context.Context, opts entities.ImageImportOpti f *os.File ) options := new(images.ImportOptions).WithChanges(opts.Changes).WithMessage(opts.Message).WithReference(opts.Reference) + options.WithOS(opts.OS).WithArchitecture(opts.Architecture).WithVariant(opts.Variant) if opts.SourceIsURL { options.WithURL(opts.Source) } else { diff --git a/pkg/domain/infra/tunnel/play.go b/pkg/domain/infra/tunnel/play.go index cd51262d0..d9637254a 100644 --- a/pkg/domain/infra/tunnel/play.go +++ b/pkg/domain/infra/tunnel/play.go 
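Review bot: PlayKubeDown's new message `"unable to read as kube YAML"` differs from the one PlayKube got for the same `getKubeKind` failure in the earlier hunk (`"unable to read kube YAML"`); now that neither message carries the path, the text is all the user has to go on, so the two should match — `errors.Wrap(err, "unable to read kube YAML")` here as well. PlayKubeDown's body continues outside the hunk.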
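Review bot: `options.WithOS(opts.OS).WithArchitecture(opts.Architecture).WithVariant(opts.Variant)` in the tunnel Import always stores a pointer, so when the user did not pass an OS, architecture or variant the bindings send empty strings for these fields rather than omitting them; whether the server side treats `""` as "not set" cannot be seen from this hunk. If it does not, guard each setter, e.g. `if opts.OS != "" { options.WithOS(opts.OS) }`, and likewise for the other two. Import's body continues outside the hunk.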
@@ -2,13 +2,14 @@ package tunnel import ( "context" + "io" "github.com/containers/image/v5/types" "github.com/containers/podman/v4/pkg/bindings/play" "github.com/containers/podman/v4/pkg/domain/entities" ) -func (ic *ContainerEngine) PlayKube(ctx context.Context, path string, opts entities.PlayKubeOptions) (*entities.PlayKubeReport, error) { +func (ic *ContainerEngine) PlayKube(ctx context.Context, body io.Reader, opts entities.PlayKubeOptions) (*entities.PlayKubeReport, error) { options := new(play.KubeOptions).WithAuthfile(opts.Authfile).WithUsername(opts.Username).WithPassword(opts.Password) options.WithCertDir(opts.CertDir).WithQuiet(opts.Quiet).WithSignaturePolicy(opts.SignaturePolicy).WithConfigMaps(opts.ConfigMaps) options.WithLogDriver(opts.LogDriver).WithNetwork(opts.Networks).WithSeccompProfileRoot(opts.SeccompProfileRoot) @@ -26,9 +27,9 @@ func (ic *ContainerEngine) PlayKube(ctx context.Context, path string, opts entit if start := opts.Start; start != types.OptionalBoolUndefined { options.WithStart(start == types.OptionalBoolTrue) } - return play.Kube(ic.ClientCtx, path, options) + return play.KubeWithBody(ic.ClientCtx, body, options) } -func (ic *ContainerEngine) PlayKubeDown(ctx context.Context, path string, _ entities.PlayKubeDownOptions) (*entities.PlayKubeReport, error) { - return play.KubeDown(ic.ClientCtx, path) +func (ic *ContainerEngine) PlayKubeDown(ctx context.Context, body io.Reader, _ entities.PlayKubeDownOptions) (*entities.PlayKubeReport, error) { + return play.KubeDownWithBody(ic.ClientCtx, body) } diff --git a/pkg/machine/qemu/machine.go b/pkg/machine/qemu/machine.go index 1bd9fb51b..287b93612 100644 --- a/pkg/machine/qemu/machine.go +++ b/pkg/machine/qemu/machine.go @@ -98,7 +98,7 @@ func (p *Provider) NewMachine(opts machine.InitOptions) (machine.VM, error) { return nil, err } - cmd := append([]string{execPath}) + cmd := []string{execPath} // Add memory cmd = append(cmd, []string{"-m", strconv.Itoa(int(vm.Memory))}...) // Add cpus 
@@ -430,13 +430,29 @@ func (v *MachineVM) Start(name string, _ machine.StartOptions) error { // Disable graphic window when not in debug mode // Done in start, so we're not suck with the debug level we used on init - if logrus.GetLevel() != logrus.DebugLevel { + if !logrus.IsLevelEnabled(logrus.DebugLevel) { cmd = append(cmd, "-display", "none") } _, err = os.StartProcess(v.CmdLine[0], cmd, attr) if err != nil { - return err + // check if qemu was not found + if !errors.Is(err, os.ErrNotExist) { + return err + } + // lookup qemu again maybe the path was changed, https://github.com/containers/podman/issues/13394 + cfg, err := config.Default() + if err != nil { + return err + } + cmd[0], err = cfg.FindHelperBinary(QemuCommand, true) + if err != nil { + return err + } + _, err = os.StartProcess(cmd[0], cmd, attr) + if err != nil { + return err + } } fmt.Println("Waiting for VM ...") socketPath, err := getRuntimeDir() @@ -782,7 +798,7 @@ func (v *MachineVM) isRunning() (bool, error) { func (v *MachineVM) isListening() bool { // Check if we can dial it - conn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:%d", "localhost", v.Port), 10*time.Millisecond) + conn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:%d", "127.0.0.1", v.Port), 10*time.Millisecond) if err != nil { return false } diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go index 64669f34d..0e9d33dd8 100644 --- a/pkg/specgen/generate/container.go +++ b/pkg/specgen/generate/container.go 
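Review bot: In Start the fallback path rediscovers the qemu binary with `cfg.FindHelperBinary` and writes the result into `cmd[0]` only, so `v.CmdLine[0]` keeps the stale path and the lookup is repeated on every start until the machine configuration is rewritten (whether anything persists `v.CmdLine` afterwards is not visible here). Note also that the first attempt launches `v.CmdLine[0]` with `cmd` as argv while the retry launches `cmd[0]`; if the two can differ, the retry silently changes argv[0] as well, so assigning the found path to both would keep them aligned. A one-line comment on the retry, e.g. `// the recorded qemu path may be stale after an upgrade; look it up again once`, would also make the intent clearer than the issue link alone. Start's body continues outside the hunk.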
@@ -338,8 +338,8 @@ func FinishThrottleDevices(s *specgen.SpecGenerator) error { } // ConfigToSpec takes a completed container config and converts it back into a specgenerator for purposes of cloning an exisiting container -func ConfigToSpec(rt *libpod.Runtime, specg *specgen.SpecGenerator, contaierID string) (*libpod.Container, error) { - c, err := rt.LookupContainer(contaierID) +func ConfigToSpec(rt *libpod.Runtime, specg *specgen.SpecGenerator, containerID string) (*libpod.Container, error) { + c, err := rt.LookupContainer(containerID) if err != nil { return nil, err } diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go index 9c6709905..988c29832 100644 --- a/pkg/specgen/generate/security.go +++ b/pkg/specgen/generate/security.go @@ -146,6 +146,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, configSpec := g.Config configSpec.Process.Capabilities.Ambient = []string{} + + // Always unset the inheritable capabilities similarly to what the Linux kernel does + // They are used only when using capabilities with uid != 0. + configSpec.Process.Capabilities.Inheritable = []string{} configSpec.Process.Capabilities.Bounding = caplist user := strings.Split(s.User, ":")[0] @@ -153,7 +157,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" { configSpec.Process.Capabilities.Effective = caplist configSpec.Process.Capabilities.Permitted = caplist - configSpec.Process.Capabilities.Inheritable = caplist } else { mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil) if err != nil { 
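Review bot: The new comment above `Inheritable = []string{}` is worth tightening, since this is the security-relevant part of the change and the wording ("similarly to what the Linux kernel does", "used only when using capabilities with uid != 0") is hard to follow: the inheritable set only matters at execve for a non-root process, where it is intersected with the file's inheritable bits, while for uid 0 the kernel derives permitted and effective from the bounding set regardless, so there is no reason to pre-populate it. Suggested replacement: `// Start with an empty inheritable set: root gains its capabilities from the bounding set at execve anyway, and for non-root users the inheritable set is only populated below when ambient capabilities are in use.` The removal of `Inheritable = caplist` in the root branch below is consistent with that. securityConfigureGenerator's body continues outside the hunk.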
@@ -175,12 +178,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, } configSpec.Process.Capabilities.Effective = userCaps configSpec.Process.Capabilities.Permitted = userCaps - configSpec.Process.Capabilities.Inheritable = userCaps // Ambient capabilities were added to Linux 4.3. Set ambient // capabilities only when the kernel supports them. if supportAmbientCapabilities() { configSpec.Process.Capabilities.Ambient = userCaps + configSpec.Process.Capabilities.Inheritable = userCaps } } diff --git a/podman.spec.rpkg b/podman.spec.rpkg index 41385dba6..937253918 100644 --- a/podman.spec.rpkg +++ b/podman.spec.rpkg @@ -144,10 +144,7 @@ Summary: (Experimental) Remote client for managing %{name} containers %description remote Remote client for managing %{name} containers. -This experimental remote client is under heavy development. Please do not -run %{name}-remote in production. - -%{name}-remote uses the version 2 API to connect to a %{name} client to +%{name}-remote uses the libpod REST API to connect to a %{name} client to manage pods, containers and container images. %{name}-remote supports ssh connections as well. diff --git a/test/e2e/container_clone_test.go b/test/e2e/container_clone_test.go index bebc6872b..a327bb8ed 100644 --- a/test/e2e/container_clone_test.go +++ b/test/e2e/container_clone_test.go 
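Review bot: The added `Inheritable = userCaps` sits inside the `supportAmbientCapabilities()` branch with no explanation, and a reader may wonder why the inheritable set is populated here but cleared unconditionally in the earlier hunk; the reason is the kernel rule that a capability can only be ambient if it is in both the permitted and the inheritable set. A why-comment on that line would preserve the intent, e.g. `// Ambient caps must also be inheritable, otherwise the kernel refuses to raise them.` securityConfigureGenerator's body continues outside the hunk.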
@@ -184,4 +184,41 @@ var _ = Describe("Podman container clone", func() { Expect(ctrInspect.InspectContainerToJSON()[0].HostConfig.NetworkMode).Should(Equal(runInspect.InspectContainerToJSON()[0].HostConfig.NetworkMode)) }) + It("podman container clone to a pod", func() { + createPod := podmanTest.Podman([]string{"pod", "create", "--share", "uts", "--name", "foo-pod"}) + createPod.WaitWithDefaultTimeout() + Expect(createPod).To(Exit(0)) + + ctr := podmanTest.RunTopContainer("ctr") + ctr.WaitWithDefaultTimeout() + Expect(ctr).Should(Exit(0)) + + clone := podmanTest.Podman([]string{"container", "clone", "--name", "cloned", "--pod", "foo-pod", "ctr"}) + clone.WaitWithDefaultTimeout() + Expect(clone).To(Exit(0)) + + ctrInspect := podmanTest.Podman([]string{"inspect", "cloned"}) + ctrInspect.WaitWithDefaultTimeout() + Expect(ctrInspect).Should(Exit(0)) + + Expect(ctrInspect.InspectContainerToJSON()[0].Pod).Should(Equal(createPod.OutputToString())) + + Expect(ctrInspect.InspectContainerToJSON()[0].HostConfig.NetworkMode).Should(Not(ContainSubstring("container:"))) + + createPod = podmanTest.Podman([]string{"pod", "create", "--share", "uts,net", "--name", "bar-pod"}) + createPod.WaitWithDefaultTimeout() + Expect(createPod).To(Exit(0)) + + clone = podmanTest.Podman([]string{"container", "clone", "--name", "cloned2", "--pod", "bar-pod", "ctr"}) + clone.WaitWithDefaultTimeout() + Expect(clone).To(Exit(0)) + + ctrInspect = podmanTest.Podman([]string{"inspect", "cloned2"}) + ctrInspect.WaitWithDefaultTimeout() + Expect(ctrInspect).Should(Exit(0)) + + Expect(ctrInspect.InspectContainerToJSON()[0].Pod).Should(Equal(createPod.OutputToString())) + + Expect(ctrInspect.InspectContainerToJSON()[0].HostConfig.NetworkMode).Should(ContainSubstring("container:")) + }) }) diff --git a/test/e2e/import_test.go b/test/e2e/import_test.go index 884eae18e..f62df23d9 100644 --- a/test/e2e/import_test.go +++ b/test/e2e/import_test.go 
@@ -52,6 +52,26 @@ var _ = Describe("Podman import", func() { Expect(results).Should(Exit(0)) }) + It("podman import with custom os, arch and variant", func() { + outfile := filepath.Join(podmanTest.TempDir, "container.tar") + _, ec, cid := podmanTest.RunLsContainer("") + Expect(ec).To(Equal(0)) + + export := podmanTest.Podman([]string{"export", "-o", outfile, cid}) + export.WaitWithDefaultTimeout() + Expect(export).Should(Exit(0)) + + importImage := podmanTest.Podman([]string{"import", "--os", "testos", "--arch", "testarch", outfile, "foobar.com/imported-image:latest"}) + importImage.WaitWithDefaultTimeout() + Expect(importImage).Should(Exit(0)) + + results := podmanTest.Podman([]string{"inspect", "--type", "image", "foobar.com/imported-image:latest"}) + results.WaitWithDefaultTimeout() + Expect(results).Should(Exit(0)) + Expect(results.OutputToString()).To(ContainSubstring("testos")) + Expect(results.OutputToString()).To(ContainSubstring("testarch")) + }) + It("podman import without reference", func() { outfile := filepath.Join(podmanTest.TempDir, "container.tar") _, ec, cid := podmanTest.RunLsContainer("") diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 91a2eddad..f4a6e5733 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -498,7 +498,7 @@ var _ = Describe("Podman run", func() { session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb")) + Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"}) session.WaitWithDefaultTimeout() 
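Review bot: The new test "podman import with custom os, arch and variant" never passes `--variant` and asserts only on `testos` and `testarch`, so the variant plumbing added in this commit (ImportOptions.Variant, the tunnel setter, the abi `importOptions.Variant`) is untested despite the name. Either add `"--variant", "testvariant"` (any marker string) to the import arguments with a matching `Expect(results.OutputToString()).To(ContainSubstring("testvariant"))`, or rename the test to what it checks. The `ContainSubstring` checks also match anywhere in the inspect output; if those markers could appear in other fields, asserting on the Os/Architecture fields of the parsed inspect JSON would be tighter.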
@@ -533,7 +533,7 @@ var _ = Describe("Podman run", func() { session = podmanTest.Podman([]string{"run", "--user=0:0", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb")) + Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) if os.Geteuid() > 0 { if os.Getenv("SKIP_USERNS") != "" { @@ -550,7 +550,7 @@ var _ = Describe("Podman run", func() { session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) + Expect(session.OutputToString()).To(ContainSubstring("0000000000000002")) session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"}) session.WaitWithDefaultTimeout() diff --git a/vendor/github.com/containers/ocicrypt/go.mod b/vendor/github.com/containers/ocicrypt/go.mod index 02be18591..8837d288e 100644 --- a/vendor/github.com/containers/ocicrypt/go.mod +++ b/vendor/github.com/containers/ocicrypt/go.mod @@ -5,9 +5,9 @@ go 1.12 require ( github.com/golang/protobuf v1.4.3 github.com/google/go-cmp v0.5.2 // indirect - github.com/miekg/pkcs11 v1.0.3 + github.com/miekg/pkcs11 v1.1.1 github.com/opencontainers/go-digest v1.0.0 - github.com/opencontainers/image-spec v1.0.1 + github.com/opencontainers/image-spec v1.0.2 github.com/pkg/errors v0.9.1 github.com/sirupsen/logrus v1.7.0 github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 diff --git a/vendor/github.com/containers/ocicrypt/go.sum b/vendor/github.com/containers/ocicrypt/go.sum index 7153900da..a621a145c 100644 --- a/vendor/github.com/containers/ocicrypt/go.sum +++ b/vendor/github.com/containers/ocicrypt/go.sum 
@@ -30,12 +30,12 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/miekg/pkcs11 v1.0.3 h1:iMwmD7I5225wv84WxIG/bmxz9AXjWvTWIbM/TYHvWtw= -github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= +github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU= +github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI= -github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM= +github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= diff --git a/vendor/github.com/miekg/pkcs11/.travis.yml b/vendor/github.com/miekg/pkcs11/.travis.yml deleted file mode 100644 index 687044d83..000000000 --- a/vendor/github.com/miekg/pkcs11/.travis.yml +++ /dev/null @@ -1,14 +0,0 @@ -language: go -sudo: required -dist: trusty - -go: - - 1.9 - - tip - -script: - - go test -v ./... - -before_script: - - sudo apt-get update - - sudo apt-get -y install libsofthsm 
diff --git a/vendor/github.com/miekg/pkcs11/README.md b/vendor/github.com/miekg/pkcs11/README.md
index 0a5c1b7b6..18a361a99 100644
--- a/vendor/github.com/miekg/pkcs11/README.md
+++ b/vendor/github.com/miekg/pkcs11/README.md
@@ -1,6 +1,6 @@
-# PKCS#11 [![Build Status](https://travis-ci.org/miekg/pkcs11.png?branch=master)](https://travis-ci.org/miekg/pkcs11) [![GoDoc](https://img.shields.io/badge/godoc-reference-blue.svg)](http://godoc.org/github.com/miekg/pkcs11)
+# PKCS#11
 
-This is a Go implementation of the PKCS#11 API. It wraps the library closely, but uses Go idiom were
+This is a Go implementation of the PKCS#11 API. It wraps the library closely, but uses Go idiom where
 it makes sense. It has been tested with SoftHSM.
 
 ## SoftHSM
@@ -13,10 +13,10 @@ it makes sense. It has been tested with SoftHSM.
 softhsm --init-token --slot 0 --label test --pin 1234
 ~~~
 
- * Then use `libsofthsm.so` as the pkcs11 module:
+ * Then use `libsofthsm2.so` as the pkcs11 module:
 
 ~~~ go
- p := pkcs11.New("/usr/lib/softhsm/libsofthsm.so")
+ p := pkcs11.New("/usr/lib/softhsm/libsofthsm2.so")
 ~~~
 
 ## Examples
@@ -24,7 +24,7 @@ it makes sense. It has been tested with SoftHSM.
 A skeleton program would look somewhat like this (yes, pkcs#11 is verbose):
 
 ~~~ go
-p := pkcs11.New("/usr/lib/softhsm/libsofthsm.so")
+p := pkcs11.New("/usr/lib/softhsm/libsofthsm2.so")
 err := p.Initialize()
 if err != nil {
 panic(err)
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11.go b/vendor/github.com/miekg/pkcs11/pkcs11.go
index e21d23b73..e1b5824ec 100644
--- a/vendor/github.com/miekg/pkcs11/pkcs11.go
+++ b/vendor/github.com/miekg/pkcs11/pkcs11.go
@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:generate go run const_generate.go
+
 // Package pkcs11 is a wrapper around the PKCS#11 cryptographic library.
 package pkcs11
 
@@ -14,7 +16,7 @@ package pkcs11
 #cgo windows CFLAGS: -DPACKED_STRUCTURES
 #cgo linux LDFLAGS: -ldl
 #cgo darwin LDFLAGS: -ldl
-#cgo openbsd LDFLAGS: -ldl
+#cgo openbsd LDFLAGS:
 #cgo freebsd LDFLAGS: -ldl
 
 #include <stdlib.h>
@@ -770,9 +772,10 @@ static inline CK_VOID_PTR getAttributePval(CK_ATTRIBUTE_PTR a)
 */
 import "C"
 
-import "strings"
-
-import "unsafe"
+import (
+ "strings"
+ "unsafe"
+)
 
 // Ctx contains the current pkcs11 context.
 type Ctx struct {
diff --git a/vendor/github.com/miekg/pkcs11/release.go b/vendor/github.com/miekg/pkcs11/release.go
index 4380f374d..d8b99f147 100644
--- a/vendor/github.com/miekg/pkcs11/release.go
+++ b/vendor/github.com/miekg/pkcs11/release.go
@@ -1,3 +1,4 @@
+//go:build release
 // +build release
 
 package pkcs11
@@ -5,7 +6,7 @@ package pkcs11
 import "fmt"
 
 // Release is current version of the pkcs11 library.
-var Release = R{1, 0, 3}
+var Release = R{1, 1, 1}
 
 // R holds the version of this library.
 type R struct {
diff --git a/vendor/github.com/miekg/pkcs11/types.go b/vendor/github.com/miekg/pkcs11/types.go
index 970db9061..60eadcb71 100644
--- a/vendor/github.com/miekg/pkcs11/types.go
+++ b/vendor/github.com/miekg/pkcs11/types.go
@@ -182,8 +182,20 @@ func NewAttribute(typ uint, x interface{}) *Attribute {
 }
 case int:
 a.Value = uintToBytes(uint64(v))
+ case int16:
+ a.Value = uintToBytes(uint64(v))
+ case int32:
+ a.Value = uintToBytes(uint64(v))
+ case int64:
+ a.Value = uintToBytes(uint64(v))
 case uint:
 a.Value = uintToBytes(uint64(v))
+ case uint16:
+ a.Value = uintToBytes(uint64(v))
+ case uint32:
+ a.Value = uintToBytes(uint64(v))
+ case uint64:
+ a.Value = uintToBytes(uint64(v))
 case string:
 a.Value = []byte(v)
 case []byte:
diff --git a/vendor/github.com/miekg/pkcs11/const.go b/vendor/github.com/miekg/pkcs11/zconst.go
index 408856146..41df5cfcf 100644
--- a/vendor/github.com/miekg/pkcs11/const.go
+++ b/vendor/github.com/miekg/pkcs11/zconst.go
@@ -2,48 +2,18 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. -package pkcs11 - -const ( - CKU_SO uint = 0 - CKU_USER uint = 1 - CKU_CONTEXT_SPECIFIC uint = 2 -) - -const ( - CKO_DATA uint = 0x00000000 - CKO_CERTIFICATE uint = 0x00000001 - CKO_PUBLIC_KEY uint = 0x00000002 - CKO_PRIVATE_KEY uint = 0x00000003 - CKO_SECRET_KEY uint = 0x00000004 - CKO_HW_FEATURE uint = 0x00000005 - CKO_DOMAIN_PARAMETERS uint = 0x00000006 - CKO_MECHANISM uint = 0x00000007 - CKO_OTP_KEY uint = 0x00000008 - CKO_VENDOR_DEFINED uint = 0x80000000 -) - -const ( - CKG_MGF1_SHA1 uint = 0x00000001 - CKG_MGF1_SHA224 uint = 0x00000005 - CKG_MGF1_SHA256 uint = 0x00000002 - CKG_MGF1_SHA384 uint = 0x00000003 - CKG_MGF1_SHA512 uint = 0x00000004 - CKG_MGF1_SHA3_224 uint = 0x00000006 - CKG_MGF1_SHA3_256 uint = 0x00000007 - CKG_MGF1_SHA3_384 uint = 0x00000008 - CKG_MGF1_SHA3_512 uint = 0x00000009 -) - -const ( - CKZ_DATA_SPECIFIED uint = 0x00000001 -) +// Code generated by "go run const_generate.go"; DO NOT EDIT. -// Generated with: awk '/#define CK[AFKMRC]/{ print $2 " = " $3 }' pkcs11t.h | sed -e 's/UL$//g' -e 's/UL)$/)/g' +package pkcs11 -// All the flag (CKF_), attribute (CKA_), error code (CKR_), key type (CKK_), certificate type (CKC_) and -// mechanism (CKM_) constants as defined in PKCS#11. const ( + CK_TRUE = 1 + CK_FALSE = 0 + CK_UNAVAILABLE_INFORMATION = ^uint(0) + CK_EFFECTIVELY_INFINITE = 0 + CK_INVALID_HANDLE = 0 + CKN_SURRENDER = 0 + CKN_OTP_CHANGED = 1 CKF_TOKEN_PRESENT = 0x00000001 CKF_REMOVABLE_DEVICE = 0x00000002 CKF_HW_SLOT = 0x00000004 
@@ -66,12 +36,34 @@ const ( CKF_SO_PIN_LOCKED = 0x00400000 CKF_SO_PIN_TO_BE_CHANGED = 0x00800000 CKF_ERROR_STATE = 0x01000000 + CKU_SO = 0 + CKU_USER = 1 + CKU_CONTEXT_SPECIFIC = 2 + CKS_RO_PUBLIC_SESSION = 0 + CKS_RO_USER_FUNCTIONS = 1 + CKS_RW_PUBLIC_SESSION = 2 + CKS_RW_USER_FUNCTIONS = 3 + CKS_RW_SO_FUNCTIONS = 4 CKF_RW_SESSION = 0x00000002 CKF_SERIAL_SESSION = 0x00000004 + CKO_DATA = 0x00000000 + CKO_CERTIFICATE = 0x00000001 + CKO_PUBLIC_KEY = 0x00000002 + CKO_PRIVATE_KEY = 0x00000003 + CKO_SECRET_KEY = 0x00000004 + CKO_HW_FEATURE = 0x00000005 + CKO_DOMAIN_PARAMETERS = 0x00000006 + CKO_MECHANISM = 0x00000007 + CKO_OTP_KEY = 0x00000008 + CKO_VENDOR_DEFINED = 0x80000000 + CKH_MONOTONIC_COUNTER = 0x00000001 + CKH_CLOCK = 0x00000002 + CKH_USER_INTERFACE = 0x00000003 + CKH_VENDOR_DEFINED = 0x80000000 CKK_RSA = 0x00000000 CKK_DSA = 0x00000001 CKK_DH = 0x00000002 - CKK_ECDSA = 0x00000003 + CKK_ECDSA = 0x00000003 // Deprecated CKK_EC = 0x00000003 CKK_X9_42_DH = 0x00000004 CKK_KEA = 0x00000005 @@ -83,7 +75,7 @@ const ( CKK_DES3 = 0x00000015 CKK_CAST = 0x00000016 CKK_CAST3 = 0x00000017 - CKK_CAST5 = 0x00000018 + CKK_CAST5 = 0x00000018 // Deprecated CKK_CAST128 = 0x00000018 CKK_RC5 = 0x00000019 CKK_IDEA = 0x0000001A @@ -99,14 +91,14 @@ const ( CKK_ACTI = 0x00000024 CKK_CAMELLIA = 0x00000025 CKK_ARIA = 0x00000026 - CKK_SHA512_224_HMAC = 0x00000027 - CKK_SHA512_256_HMAC = 0x00000028 - CKK_SHA512_T_HMAC = 0x00000029 + CKK_MD5_HMAC = 0x00000027 CKK_SHA_1_HMAC = 0x00000028 - CKK_SHA224_HMAC = 0x0000002E + CKK_RIPEMD128_HMAC = 0x00000029 + CKK_RIPEMD160_HMAC = 0x0000002A CKK_SHA256_HMAC = 0x0000002B CKK_SHA384_HMAC = 0x0000002C CKK_SHA512_HMAC = 0x0000002D + CKK_SHA224_HMAC = 0x0000002E CKK_SEED = 0x0000002F CKK_GOSTR3410 = 0x00000030 CKK_GOSTR3411 = 0x00000031 
@@ -116,11 +108,26 @@ const ( CKK_SHA3_384_HMAC = 0x00000035 CKK_SHA3_512_HMAC = 0x00000036 CKK_VENDOR_DEFINED = 0x80000000 + CK_CERTIFICATE_CATEGORY_UNSPECIFIED = 0 + CK_CERTIFICATE_CATEGORY_TOKEN_USER = 1 + CK_CERTIFICATE_CATEGORY_AUTHORITY = 2 + CK_CERTIFICATE_CATEGORY_OTHER_ENTITY = 3 + CK_SECURITY_DOMAIN_UNSPECIFIED = 0 + CK_SECURITY_DOMAIN_MANUFACTURER = 1 + CK_SECURITY_DOMAIN_OPERATOR = 2 + CK_SECURITY_DOMAIN_THIRD_PARTY = 3 CKC_X_509 = 0x00000000 CKC_X_509_ATTR_CERT = 0x00000001 CKC_WTLS = 0x00000002 CKC_VENDOR_DEFINED = 0x80000000 CKF_ARRAY_ATTRIBUTE = 0x40000000 + CK_OTP_FORMAT_DECIMAL = 0 + CK_OTP_FORMAT_HEXADECIMAL = 1 + CK_OTP_FORMAT_ALPHANUMERIC = 2 + CK_OTP_FORMAT_BINARY = 3 + CK_OTP_PARAM_IGNORED = 0 + CK_OTP_PARAM_OPTIONAL = 1 + CK_OTP_PARAM_MANDATORY = 2 CKA_CLASS = 0x00000000 CKA_TOKEN = 0x00000001 CKA_PRIVATE = 0x00000002 @@ -183,15 +190,16 @@ const ( CKA_MODIFIABLE = 0x00000170 CKA_COPYABLE = 0x00000171 CKA_DESTROYABLE = 0x00000172 - CKA_ECDSA_PARAMS = 0x00000180 + CKA_ECDSA_PARAMS = 0x00000180 // Deprecated CKA_EC_PARAMS = 0x00000180 CKA_EC_POINT = 0x00000181 - CKA_SECONDARY_AUTH = 0x00000200 - CKA_AUTH_PIN_FLAGS = 0x00000201 + CKA_SECONDARY_AUTH = 0x00000200 // Deprecated + CKA_AUTH_PIN_FLAGS = 0x00000201 // Deprecated CKA_ALWAYS_AUTHENTICATE = 0x00000202 CKA_WRAP_WITH_TRUSTED = 0x00000210 - CKA_WRAP_TEMPLATE = CKF_ARRAY_ATTRIBUTE | 0x00000211 - CKA_UNWRAP_TEMPLATE = CKF_ARRAY_ATTRIBUTE | 0x00000212 + CKA_WRAP_TEMPLATE = (CKF_ARRAY_ATTRIBUTE | 0x00000211) + CKA_UNWRAP_TEMPLATE = (CKF_ARRAY_ATTRIBUTE | 0x00000212) + CKA_DERIVE_TEMPLATE = (CKF_ARRAY_ATTRIBUTE | 0x00000213) CKA_OTP_FORMAT = 0x00000220 CKA_OTP_LENGTH = 0x00000221 CKA_OTP_TIME_INTERVAL = 0x00000222 
@@ -226,7 +234,7 @@ const ( CKA_REQUIRED_CMS_ATTRIBUTES = 0x00000501 CKA_DEFAULT_CMS_ATTRIBUTES = 0x00000502 CKA_SUPPORTED_CMS_ATTRIBUTES = 0x00000503 - CKA_ALLOWED_MECHANISMS = CKF_ARRAY_ATTRIBUTE | 0x00000600 + CKA_ALLOWED_MECHANISMS = (CKF_ARRAY_ATTRIBUTE | 0x00000600) CKA_VENDOR_DEFINED = 0x80000000 CKM_RSA_PKCS_KEY_PAIR_GEN = 0x00000000 CKM_RSA_PKCS = 0x00000001 @@ -246,11 +254,10 @@ const ( CKM_DSA_KEY_PAIR_GEN = 0x00000010 CKM_DSA = 0x00000011 CKM_DSA_SHA1 = 0x00000012 - CKM_DSA_FIPS_G_GEN = 0x00000013 - CKM_DSA_SHA224 = 0x00000014 - CKM_DSA_SHA256 = 0x00000015 - CKM_DSA_SHA384 = 0x00000016 - CKM_DSA_SHA512 = 0x00000017 + CKM_DSA_SHA224 = 0x00000013 + CKM_DSA_SHA256 = 0x00000014 + CKM_DSA_SHA384 = 0x00000015 + CKM_DSA_SHA512 = 0x00000016 CKM_DSA_SHA3_224 = 0x00000018 CKM_DSA_SHA3_256 = 0x00000019 CKM_DSA_SHA3_384 = 0x0000001A @@ -387,13 +394,13 @@ const ( CKM_CAST128_KEY_GEN = 0x00000320 CKM_CAST5_ECB = 0x00000321 CKM_CAST128_ECB = 0x00000321 - CKM_CAST5_CBC = 0x00000322 + CKM_CAST5_CBC = 0x00000322 // Deprecated CKM_CAST128_CBC = 0x00000322 - CKM_CAST5_MAC = 0x00000323 + CKM_CAST5_MAC = 0x00000323 // Deprecated CKM_CAST128_MAC = 0x00000323 - CKM_CAST5_MAC_GENERAL = 0x00000324 + CKM_CAST5_MAC_GENERAL = 0x00000324 // Deprecated CKM_CAST128_MAC_GENERAL = 0x00000324 - CKM_CAST5_CBC_PAD = 0x00000325 + CKM_CAST5_CBC_PAD = 0x00000325 // Deprecated CKM_CAST128_CBC_PAD = 0x00000325 CKM_RC5_KEY_GEN = 0x00000330 CKM_RC5_ECB = 0x00000331 @@ -441,9 +448,9 @@ const ( CKM_PBE_MD5_DES_CBC = 0x000003A1 CKM_PBE_MD5_CAST_CBC = 0x000003A2 CKM_PBE_MD5_CAST3_CBC = 0x000003A3 - CKM_PBE_MD5_CAST5_CBC = 0x000003A4 + CKM_PBE_MD5_CAST5_CBC = 0x000003A4 // Deprecated CKM_PBE_MD5_CAST128_CBC = 0x000003A4 - CKM_PBE_SHA1_CAST5_CBC = 0x000003A5 + CKM_PBE_SHA1_CAST5_CBC = 0x000003A5 // Deprecated CKM_PBE_SHA1_CAST128_CBC = 0x000003A5 CKM_PBE_SHA1_RC4_128 = 0x000003A6 CKM_PBE_SHA1_RC4_40 = 0x000003A7 
@@ -522,7 +529,7 @@ const ( CKM_BATON_COUNTER = 0x00001034 CKM_BATON_SHUFFLE = 0x00001035 CKM_BATON_WRAP = 0x00001036 - CKM_ECDSA_KEY_PAIR_GEN = 0x00001040 + CKM_ECDSA_KEY_PAIR_GEN = 0x00001040 // Deprecated CKM_EC_KEY_PAIR_GEN = 0x00001040 CKM_ECDSA = 0x00001041 CKM_ECDSA_SHA1 = 0x00001042 @@ -551,9 +558,9 @@ const ( CKM_AES_CTR = 0x00001086 CKM_AES_GCM = 0x00001087 CKM_AES_CCM = 0x00001088 - CKM_AES_CMAC_GENERAL = 0x00001089 + CKM_AES_CTS = 0x00001089 CKM_AES_CMAC = 0x0000108A - CKM_AES_CTS = 0x0000108B + CKM_AES_CMAC_GENERAL = 0x0000108B CKM_AES_XCBC_MAC = 0x0000108C CKM_AES_XCBC_MAC_96 = 0x0000108D CKM_AES_GMAC = 0x0000108E 
@@ -704,33 +711,56 @@ const ( CKR_MUTEX_NOT_LOCKED = 0x000001A1 CKR_NEW_PIN_MODE = 0x000001B0 CKR_NEXT_OTP = 0x000001B1 - CKR_EXCEEDED_MAX_ITERATIONS = 0x000001C0 - CKR_FIPS_SELF_TEST_FAILED = 0x000001C1 - CKR_LIBRARY_LOAD_FAILED = 0x000001C2 - CKR_PIN_TOO_WEAK = 0x000001C3 - CKR_PUBLIC_KEY_INVALID = 0x000001C4 + CKR_EXCEEDED_MAX_ITERATIONS = 0x000001B5 + CKR_FIPS_SELF_TEST_FAILED = 0x000001B6 + CKR_LIBRARY_LOAD_FAILED = 0x000001B7 + CKR_PIN_TOO_WEAK = 0x000001B8 + CKR_PUBLIC_KEY_INVALID = 0x000001B9 CKR_FUNCTION_REJECTED = 0x00000200 CKR_VENDOR_DEFINED = 0x80000000 CKF_LIBRARY_CANT_CREATE_OS_THREADS = 0x00000001 CKF_OS_LOCKING_OK = 0x00000002 CKF_DONT_BLOCK = 1 + CKG_MGF1_SHA1 = 0x00000001 + CKG_MGF1_SHA256 = 0x00000002 + CKG_MGF1_SHA384 = 0x00000003 + CKG_MGF1_SHA512 = 0x00000004 + CKG_MGF1_SHA224 = 0x00000005 + CKZ_DATA_SPECIFIED = 0x00000001 + CKD_NULL = 0x00000001 + CKD_SHA1_KDF = 0x00000002 + CKD_SHA1_KDF_ASN1 = 0x00000003 + CKD_SHA1_KDF_CONCATENATE = 0x00000004 + CKD_SHA224_KDF = 0x00000005 + CKD_SHA256_KDF = 0x00000006 + CKD_SHA384_KDF = 0x00000007 + CKD_SHA512_KDF = 0x00000008 + CKD_CPDIVERSIFY_KDF = 0x00000009 + CKD_SHA3_224_KDF = 0x0000000A + CKD_SHA3_256_KDF = 0x0000000B + CKD_SHA3_384_KDF = 0x0000000C + CKD_SHA3_512_KDF = 0x0000000D + CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001 + CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002 + CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003 + CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004 + CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005 + CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006 + CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007 + CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008 + CKZ_SALT_SPECIFIED = 0x00000001 + CK_OTP_VALUE = 0 + CK_OTP_PIN = 1 + CK_OTP_CHALLENGE = 2 + CK_OTP_TIME = 3 + CK_OTP_COUNTER = 4 + CK_OTP_FLAGS = 5 + CK_OTP_OUTPUT_LENGTH = 6 + CK_OTP_OUTPUT_FORMAT = 7 CKF_NEXT_OTP = 0x00000001 CKF_EXCLUDE_TIME = 0x00000002 CKF_EXCLUDE_COUNTER = 0x00000004 CKF_EXCLUDE_CHALLENGE = 0x00000008 CKF_EXCLUDE_PIN = 0x00000010 CKF_USER_FRIENDLY_OTP 
= 0x00000020 - CKD_NULL = 0x00000001 - CKD_SHA1_KDF = 0x00000002 -) - -// Special return values defined in PKCS#11 v2.40 section 3.2. -const ( - // CK_EFFECTIVELY_INFINITE may be returned in the CK_TOKEN_INFO fields ulMaxSessionCount and ulMaxRwSessionCount. - // It indicates there is no practical limit on the number of sessions. - CK_EFFECTIVELY_INFINITE = 0 - - // CK_UNAVAILABLE_INFORMATION may be returned for several fields within CK_TOKEN_INFO. It indicates - // the token is unable or unwilling to provide the requested information. - CK_UNAVAILABLE_INFORMATION = ^uint(0) ) diff --git a/vendor/modules.txt b/vendor/modules.txt index 90d924d8d..f75c3810d 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -206,7 +206,7 @@ github.com/containers/image/v5/types github.com/containers/image/v5/version # github.com/containers/libtrust v0.0.0-20200511145503-9c3a6c22cd9a github.com/containers/libtrust -# github.com/containers/ocicrypt v1.1.2 +# github.com/containers/ocicrypt v1.1.3 ## explicit github.com/containers/ocicrypt github.com/containers/ocicrypt/blockcipher @@ -478,7 +478,7 @@ github.com/mattn/go-runewidth github.com/mattn/go-shellwords # github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 github.com/matttproud/golang_protobuf_extensions/pbutil -# github.com/miekg/pkcs11 v1.0.3 +# github.com/miekg/pkcs11 v1.1.1 github.com/miekg/pkcs11 # github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible github.com/mistifyio/go-zfs |