-rw-r--r--cmd/podman/machine/init.go1
-rw-r--r--cmd/podman/machine/inspect.go1
-rw-r--r--cmd/podman/machine/list.go1
-rw-r--r--cmd/podman/machine/machine.go9
-rw-r--r--cmd/podman/machine/rm.go1
-rw-r--r--cmd/podman/machine/set.go1
-rw-r--r--cmd/podman/machine/ssh.go9
-rw-r--r--cmd/podman/machine/start.go1
-rw-r--r--cmd/podman/machine/stop.go1
-rw-r--r--contrib/podmanimage/stable/Containerfile3
-rw-r--r--contrib/podmanimage/testing/Containerfile3
-rw-r--r--contrib/podmanimage/upstream/Containerfile3
-rw-r--r--docs/source/markdown/podman-machine-init.1.md7
-rw-r--r--docs/source/markdown/podman-machine-inspect.1.md2
-rw-r--r--docs/source/markdown/podman-machine-list.1.md9
-rw-r--r--docs/source/markdown/podman-machine-rm.1.md1
-rw-r--r--docs/source/markdown/podman-machine-set.1.md2
-rw-r--r--docs/source/markdown/podman-machine-ssh.1.md2
-rw-r--r--docs/source/markdown/podman-machine-start.1.md7
-rw-r--r--docs/source/markdown/podman-machine-stop.1.md7
-rw-r--r--docs/source/markdown/podman-machine.1.md9
-rw-r--r--libpod/container_api.go9
-rw-r--r--libpod/container_internal.go3
-rw-r--r--libpod/runtime_ctr.go4
-rw-r--r--libpod/runtime_pod_linux.go33
-rw-r--r--test/e2e/system_reset_test.go12
-rw-r--r--test/system/050-stop.bats15
-rw-r--r--test/system/055-rm.bats10
28 files changed, 132 insertions, 34 deletions
diff --git a/cmd/podman/machine/init.go b/cmd/podman/machine/init.go
index 9d464ad37..f9ba7b30d 100644
--- a/cmd/podman/machine/init.go
+++ b/cmd/podman/machine/init.go
@@ -20,6 +20,7 @@ var (
Use: "init [options] [NAME]",
Short: "Initialize a virtual machine",
Long: "initialize a virtual machine ",
+ PersistentPreRunE: rootlessOnly,
RunE: initMachine,
Args: cobra.MaximumNArgs(1),
Example: `podman machine init myvm`,
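Review bot: Setting PersistentPreRunE directly on this subcommand replaces, rather than chains, any PersistentPreRunE defined on the parent machineCmd, because cobra executes only the nearest persistent pre-run hook up the command tree (running all of them is an opt-in option that exists only in recent cobra releases). machineCmd is not visible on this page, but the closeMachineEvents hook shown in the machine.go hunk suggests an events setup/teardown pair, and if the setup half is a PersistentPreRunE on machineCmd it would silently stop running for this command. The same applies to the inspect.go, list.go, rm.go, set.go, ssh.go, start.go and stop.go hunks. A safer shape is to perform the rootless check once inside machineCmd's existing pre-run hook (or have rootlessOnly invoke the parent's hook before returning) instead of a per-subcommand field that shadows it.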
diff --git a/cmd/podman/machine/inspect.go b/cmd/podman/machine/inspect.go
index 4600a2b6d..d69c382f2 100644
--- a/cmd/podman/machine/inspect.go
+++ b/cmd/podman/machine/inspect.go
@@ -20,6 +20,7 @@ var (
Use: "inspect [options] [MACHINE...]",
Short: "Inspect an existing machine",
Long: "Provide details on a managed virtual machine",
+ PersistentPreRunE: rootlessOnly,
RunE: inspect,
Example: `podman machine inspect myvm`,
ValidArgsFunction: autocompleteMachine,
diff --git a/cmd/podman/machine/list.go b/cmd/podman/machine/list.go
index 1ffb8690c..f904c0caa 100644
--- a/cmd/podman/machine/list.go
+++ b/cmd/podman/machine/list.go
@@ -27,6 +27,7 @@ var (
Aliases: []string{"ls"},
Short: "List machines",
Long: "List managed virtual machines.",
+ PersistentPreRunE: rootlessOnly,
RunE: list,
Args: validate.NoArgs,
ValidArgsFunction: completion.AutocompleteNone,
diff --git a/cmd/podman/machine/machine.go b/cmd/podman/machine/machine.go
index 5a8a06b9d..d3d44b45e 100644
--- a/cmd/podman/machine/machine.go
+++ b/cmd/podman/machine/machine.go
@@ -5,6 +5,7 @@ package machine
import (
"errors"
+ "fmt"
"net"
"os"
"path/filepath"
@@ -17,6 +18,7 @@ import (
"github.com/containers/podman/v4/cmd/podman/validate"
"github.com/containers/podman/v4/libpod/events"
"github.com/containers/podman/v4/pkg/machine"
+ "github.com/containers/podman/v4/pkg/rootless"
"github.com/containers/podman/v4/pkg/util"
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
@@ -162,3 +164,10 @@ func closeMachineEvents(cmd *cobra.Command, _ []string) error {
}
return nil
}
+
+func rootlessOnly(cmd *cobra.Command, args []string) error {
+ if !rootless.IsRootless() {
+ return fmt.Errorf("cannot run command %q as root", cmd.CommandPath())
+ }
+ return nil
+}
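Review bot: rootlessOnly is the gate that enforces the "rootless only" rule documented across the man pages in this commit, yet it carries no doc comment explaining that contract; add `// rootlessOnly is a cobra pre-run hook that refuses to run a machine subcommand as root; podman machine is supported rootless only.` above it. As a point of style, the unused args parameter should be blanked to match closeMachineEvents at the top of this hunk: `func rootlessOnly(cmd *cobra.Command, _ []string) error {`.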
diff --git a/cmd/podman/machine/rm.go b/cmd/podman/machine/rm.go
index a6e66265c..362c9a7d3 100644
--- a/cmd/podman/machine/rm.go
+++ b/cmd/podman/machine/rm.go
@@ -20,6 +20,7 @@ var (
Use: "rm [options] [MACHINE]",
Short: "Remove an existing machine",
Long: "Remove a managed virtual machine ",
+ PersistentPreRunE: rootlessOnly,
RunE: rm,
Args: cobra.MaximumNArgs(1),
Example: `podman machine rm myvm`,
diff --git a/cmd/podman/machine/set.go b/cmd/podman/machine/set.go
index 5777882da..1b9e1b2bd 100644
--- a/cmd/podman/machine/set.go
+++ b/cmd/podman/machine/set.go
@@ -18,6 +18,7 @@ var (
Use: "set [options] [NAME]",
Short: "Sets a virtual machine setting",
Long: "Sets an updatable virtual machine setting",
+ PersistentPreRunE: rootlessOnly,
RunE: setMachine,
Args: cobra.MaximumNArgs(1),
Example: `podman machine set --rootful=false`,
diff --git a/cmd/podman/machine/ssh.go b/cmd/podman/machine/ssh.go
index 8261f3607..38b8914fb 100644
--- a/cmd/podman/machine/ssh.go
+++ b/cmd/podman/machine/ssh.go
@@ -17,10 +17,11 @@ import (
var (
sshCmd = &cobra.Command{
- Use: "ssh [options] [NAME] [COMMAND [ARG ...]]",
- Short: "SSH into an existing machine",
- Long: "SSH into a managed virtual machine ",
- RunE: ssh,
+ Use: "ssh [options] [NAME] [COMMAND [ARG ...]]",
+ Short: "SSH into an existing machine",
+ Long: "SSH into a managed virtual machine ",
+ PersistentPreRunE: rootlessOnly,
+ RunE: ssh,
Example: `podman machine ssh myvm
podman machine ssh myvm echo hello`,
ValidArgsFunction: autocompleteMachineSSH,
diff --git a/cmd/podman/machine/start.go b/cmd/podman/machine/start.go
index 3bd7f4a25..e645bba87 100644
--- a/cmd/podman/machine/start.go
+++ b/cmd/podman/machine/start.go
@@ -18,6 +18,7 @@ var (
Use: "start [MACHINE]",
Short: "Start an existing machine",
Long: "Start a managed virtual machine ",
+ PersistentPreRunE: rootlessOnly,
RunE: start,
Args: cobra.MaximumNArgs(1),
Example: `podman machine start myvm`,
diff --git a/cmd/podman/machine/stop.go b/cmd/podman/machine/stop.go
index 993662792..ce87a44c4 100644
--- a/cmd/podman/machine/stop.go
+++ b/cmd/podman/machine/stop.go
@@ -17,6 +17,7 @@ var (
Use: "stop [MACHINE]",
Short: "Stop an existing machine",
Long: "Stop a managed virtual machine ",
+ PersistentPreRunE: rootlessOnly,
RunE: stop,
Args: cobra.MaximumNArgs(1),
Example: `podman machine stop myvm`,
diff --git a/contrib/podmanimage/stable/Containerfile b/contrib/podmanimage/stable/Containerfile
index 9121c5cde..70ff439d9 100644
--- a/contrib/podmanimage/stable/Containerfile
+++ b/contrib/podmanimage/stable/Containerfile
@@ -11,6 +11,9 @@ FROM registry.fedoraproject.org/fedora:latest
# Don't include container-selinux and remove
# directories used by dnf that are just taking
# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+# being (maybe still?) affected by
+# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
RUN dnf -y update && \
rpm --setcaps shadow-utils 2>/dev/null && \
dnf -y install podman fuse-overlayfs \
diff --git a/contrib/podmanimage/testing/Containerfile b/contrib/podmanimage/testing/Containerfile
index 16314a633..65c06f98c 100644
--- a/contrib/podmanimage/testing/Containerfile
+++ b/contrib/podmanimage/testing/Containerfile
@@ -11,6 +11,9 @@ FROM registry.fedoraproject.org/fedora:latest
# Don't include container-selinux and remove
# directories used by dnf that are just taking
# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+# being (maybe still?) affected by
+# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
RUN dnf -y update && \
rpm --setcaps shadow-utils 2>/dev/null && \
dnf -y install podman fuse-overlayfs \
diff --git a/contrib/podmanimage/upstream/Containerfile b/contrib/podmanimage/upstream/Containerfile
index c3a07a8d6..96e39c949 100644
--- a/contrib/podmanimage/upstream/Containerfile
+++ b/contrib/podmanimage/upstream/Containerfile
@@ -14,6 +14,9 @@ FROM registry.fedoraproject.org/fedora:latest
# directories used by dnf that are just taking
# up space. The latest podman + deps. come from
# https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+# being (maybe still?) affected by
+# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
RUN dnf -y update && \
rpm --setcaps shadow-utils 2>/dev/null && \
dnf -y install 'dnf-command(copr)' --enablerepo=updates-testing && \
diff --git a/docs/source/markdown/podman-machine-init.1.md b/docs/source/markdown/podman-machine-init.1.md
index 33947bbba..2adb15e6a 100644
--- a/docs/source/markdown/podman-machine-init.1.md
+++ b/docs/source/markdown/podman-machine-init.1.md
@@ -10,9 +10,12 @@ podman\-machine\-init - Initialize a new virtual machine
Initialize a new virtual machine for Podman.
-Podman on macOS requires a virtual machine. This is because containers are Linux -
+Rootless only.
+
+Podman on MacOS and Windows requires a virtual machine. This is because containers are Linux -
containers do not run on any other OS because containers' core functionality are
-tied to the Linux kernel.
+tied to the Linux kernel. Podman machine must be used to manage MacOS and Windows machines,
+but can be optionally used on Linux.
**podman machine init** initializes a new Linux virtual machine where containers are run.
SSH keys are automatically generated to access the VM, and system connections to the root account
diff --git a/docs/source/markdown/podman-machine-inspect.1.md b/docs/source/markdown/podman-machine-inspect.1.md
index 38eb66b0d..29cd775c2 100644
--- a/docs/source/markdown/podman-machine-inspect.1.md
+++ b/docs/source/markdown/podman-machine-inspect.1.md
@@ -13,6 +13,8 @@ Inspect one or more virtual machines
Obtain greater detail about Podman virtual machines. More than one virtual machine can be
inspected at once.
+Rootless only.
+
## OPTIONS
#### **--format**
diff --git a/docs/source/markdown/podman-machine-list.1.md b/docs/source/markdown/podman-machine-list.1.md
index 0c5310463..a25aae090 100644
--- a/docs/source/markdown/podman-machine-list.1.md
+++ b/docs/source/markdown/podman-machine-list.1.md
@@ -12,9 +12,12 @@ podman\-machine\-list - List virtual machines
List Podman managed virtual machines.
-Podman on macOS requires a virtual machine. This is because containers are Linux -
-containers do not run on any other OS because containers' core functionality is
-tied to the Linux kernel.
+Podman on MacOS and Windows requires a virtual machine. This is because containers are Linux -
+containers do not run on any other OS because containers' core functionality are
+tied to the Linux kernel. Podman machine must be used to manage MacOS and Windows machines,
+but can be optionally used on Linux.
+
+Rootless only.
## OPTIONS
diff --git a/docs/source/markdown/podman-machine-rm.1.md b/docs/source/markdown/podman-machine-rm.1.md
index 4a2c59173..d90b615ce 100644
--- a/docs/source/markdown/podman-machine-rm.1.md
+++ b/docs/source/markdown/podman-machine-rm.1.md
@@ -16,6 +16,7 @@ generated for that VM are also removed as is its image file on the filesystem.
Users get a display of what will be deleted and are required to confirm unless the option `--force`
is used.
+Rootless only.
## OPTIONS
diff --git a/docs/source/markdown/podman-machine-set.1.md b/docs/source/markdown/podman-machine-set.1.md
index de90ee4b0..1daf97a61 100644
--- a/docs/source/markdown/podman-machine-set.1.md
+++ b/docs/source/markdown/podman-machine-set.1.md
@@ -10,6 +10,8 @@ podman\-machine\-set - Sets a virtual machine setting
Change a machine setting.
+Rootless only.
+
## OPTIONS
#### **--cpus**=*number*
diff --git a/docs/source/markdown/podman-machine-ssh.1.md b/docs/source/markdown/podman-machine-ssh.1.md
index 6a1455df1..5432f0e9f 100644
--- a/docs/source/markdown/podman-machine-ssh.1.md
+++ b/docs/source/markdown/podman-machine-ssh.1.md
@@ -16,6 +16,8 @@ with the virtual machine is established.
The exit code from ssh command will be forwarded to the podman machine ssh caller, see [Exit Codes](#Exit-Codes).
+Rootless only.
+
## OPTIONS
#### **--help**
diff --git a/docs/source/markdown/podman-machine-start.1.md b/docs/source/markdown/podman-machine-start.1.md
index e55dcab13..b92494dda 100644
--- a/docs/source/markdown/podman-machine-start.1.md
+++ b/docs/source/markdown/podman-machine-start.1.md
@@ -10,9 +10,12 @@ podman\-machine\-start - Start a virtual machine
Starts a virtual machine for Podman.
-Podman on macOS requires a virtual machine. This is because containers are Linux -
+Rootless only.
+
+Podman on MacOS and Windows requires a virtual machine. This is because containers are Linux -
containers do not run on any other OS because containers' core functionality are
-tied to the Linux kernel.
+tied to the Linux kernel. Podman machine must be used to manage MacOS and Windows machines,
+but can be optionally used on Linux.
Only one Podman managed VM can be active at a time. If a VM is already running,
`podman machine start` will return an error.
diff --git a/docs/source/markdown/podman-machine-stop.1.md b/docs/source/markdown/podman-machine-stop.1.md
index 9aa781561..29f3e81f4 100644
--- a/docs/source/markdown/podman-machine-stop.1.md
+++ b/docs/source/markdown/podman-machine-stop.1.md
@@ -10,9 +10,12 @@ podman\-machine\-stop - Stop a virtual machine
Stops a virtual machine.
-Podman on macOS requires a virtual machine. This is because containers are Linux -
+Rootless only.
+
+Podman on MacOS and Windows requires a virtual machine. This is because containers are Linux -
containers do not run on any other OS because containers' core functionality are
-tied to the Linux kernel.
+tied to the Linux kernel. Podman machine must be used to manage MacOS and Windows machines,
+but can be optionally used on Linux.
**podman machine stop** stops a Linux virtual machine where containers are run.
diff --git a/docs/source/markdown/podman-machine.1.md b/docs/source/markdown/podman-machine.1.md
index e9f6c7d20..c55226e02 100644
--- a/docs/source/markdown/podman-machine.1.md
+++ b/docs/source/markdown/podman-machine.1.md
@@ -7,7 +7,14 @@ podman\-machine - Manage Podman's virtual machine
**podman machine** *subcommand*
## DESCRIPTION
-`podman machine` is a set of subcommands that manage Podman's virtual machine on macOS.
+`podman machine` is a set of subcommands that manage Podman's virtual machine.
+
+Podman on MacOS and Windows requires a virtual machine. This is because containers are Linux -
+containers do not run on any other OS because containers' core functionality are
+tied to the Linux kernel. Podman machine must be used to manage MacOS and Windows machines,
+but can be optionally used on Linux.
+
+All `podman machine` commands are rootless only.
## SUBCOMMANDS
diff --git a/libpod/container_api.go b/libpod/container_api.go
index c14fe95b0..f35cce772 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -666,6 +666,15 @@ func (c *Container) Cleanup(ctx context.Context) error {
defer c.lock.Unlock()
if err := c.syncContainer(); err != nil {
+ switch errors.Cause(err) {
+ // When the container has already been removed, the OCI runtime directory remain.
+ case define.ErrNoSuchCtr, define.ErrCtrRemoved:
+ if err := c.cleanupRuntime(ctx); err != nil {
+ return errors.Wrapf(err, "error cleaning up container %s from OCI runtime", c.ID())
+ }
+ default:
+ logrus.Errorf("Syncing container %s status: %v", c.ID(), err)
+ }
return err
}
}
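Review bot: The default branch of the new switch logs the sync error at Error level and then returns the same error on the following line, so a caller that also reports it will surface it twice; either drop the `logrus.Errorf` or keep the log and document why the error must be reported here as well. The ErrNoSuchCtr/ErrCtrRemoved case also falls through to `return err` after a successful cleanupRuntime, which looks intentional (callers presumably treat those sentinels as "already gone") but deserves a comment saying so. The new comment should read `// When the container has already been removed, the OCI runtime directory remains.`, and the same wording is used in the runtime_ctr.go hunk. Cleanup's body continues outside the hunk.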
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 64696cc27..3b01ee6c8 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -1289,8 +1289,9 @@ func (c *Container) stop(timeout uint) error {
if err := c.syncContainer(); err != nil {
switch errors.Cause(err) {
// If the container has already been removed (e.g., via
- // the cleanup process), there's nothing left to do.
+ // the cleanup process), set the container state to "stopped".
case define.ErrNoSuchCtr, define.ErrCtrRemoved:
+ c.state.State = define.ContainerStateStopped
return stopErr
default:
if stopErr != nil {
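Review bot: The added `c.state.State = define.ContainerStateStopped` updates only the in-memory state and is not followed by a save, which is presumably deliberate since the container no longer exists in the state database, but nothing says so; extend the comment to `// the cleanup process), set the in-memory state to "stopped"; there is no DB entry left to persist it to.` so a later reader does not add a save call that would fail. stop's body continues outside the hunk.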
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index fafec5e12..4d34c6a08 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -715,6 +715,10 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force, remo
// Do a quick ping of the database to check if the container
// still exists.
if ok, _ := r.state.HasContainer(c.ID()); !ok {
+ // When the container has already been removed, the OCI runtime directory remain.
+ if err := c.cleanupRuntime(ctx); err != nil {
+ return errors.Wrapf(err, "error cleaning up container %s from OCI runtime", c.ID())
+ }
return nil
}
}
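Review bot: The new block changes the "container already gone from the database" path from an unconditional `return nil` into a possible error return, so the rm vs. `run --rm` race that the 055-rm.bats hunk exercises can now fail on whichever side loses if cleanupRuntime reports the directory as already removed by the other side; if cleanupRuntime can return a not-exist error in that situation, treating that specific case as success here would keep the previous behaviour. This is inferred from the surrounding context, since cleanupRuntime is not on the page. removeContainer's body continues outside the hunk.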
diff --git a/libpod/runtime_pod_linux.go b/libpod/runtime_pod_linux.go
index 00017ca21..1f9ebe724 100644
--- a/libpod/runtime_pod_linux.go
+++ b/libpod/runtime_pod_linux.go
@@ -78,21 +78,24 @@ func (r *Runtime) NewPod(ctx context.Context, p specgen.PodSpecGenerator, option
pod.state.CgroupPath = filepath.Join(pod.config.CgroupParent, pod.ID())
if p.InfraContainerSpec != nil {
p.InfraContainerSpec.CgroupParent = pod.state.CgroupPath
- res, err := GetLimits(p.InfraContainerSpec.ResourceLimits)
- if err != nil {
- return nil, err
- }
- // Need to both create and update the cgroup
- // rather than create a new path in c/common for pod cgroup creation
- // just create as if it is a ctr and then update figures out that we need to
- // populate the resource limits on the pod level
- cgc, err := cgroups.New(pod.state.CgroupPath, &res)
- if err != nil {
- return nil, err
- }
- err = cgc.Update(&res)
- if err != nil {
- return nil, err
+ // cgroupfs + rootless = permission denied when creating the cgroup.
+ if !rootless.IsRootless() {
+ res, err := GetLimits(p.InfraContainerSpec.ResourceLimits)
+ if err != nil {
+ return nil, err
+ }
+ // Need to both create and update the cgroup
+ // rather than create a new path in c/common for pod cgroup creation
+ // just create as if it is a ctr and then update figures out that we need to
+ // populate the resource limits on the pod level
+ cgc, err := cgroups.New(pod.state.CgroupPath, &res)
+ if err != nil {
+ return nil, err
+ }
+ err = cgc.Update(&res)
+ if err != nil {
+ return nil, err
+ }
}
}
}
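Review bot: The guard is keyed on rootless alone while the comment it carries names the narrower case (cgroupfs manager plus rootless), so any pod resource limits given in p.InfraContainerSpec.ResourceLimits are now silently dropped for every rootless user, including setups whose cgroup manager could apply them. If the runtime config exposes the cgroup manager here, narrowing the condition to that combination would keep the limits where they can be honoured; otherwise, at minimum log a warning when ResourceLimits is non-nil and skipped, since a requested limit that is never applied is an enforcement gap the user gets no signal about. The comment should then state the actual condition, e.g. `// Rootless: the pod cgroup cannot be created (permission denied with cgroupfs), so pod-level limits are skipped.`. NewPod's body continues outside the hunk.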
diff --git a/test/e2e/system_reset_test.go b/test/e2e/system_reset_test.go
index 28f2e25ca..075ea435c 100644
--- a/test/e2e/system_reset_test.go
+++ b/test/e2e/system_reset_test.go
@@ -4,6 +4,7 @@ import (
"fmt"
"os"
+ "github.com/containers/podman/v4/pkg/rootless"
. "github.com/containers/podman/v4/test/utils"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
@@ -92,9 +93,12 @@ var _ = Describe("podman system reset", func() {
// TODO: machine tests currently don't run outside of the machine test pkg
// no machines are created here to cleanup
- session = podmanTest.Podman([]string{"machine", "list", "-q"})
- session.WaitWithDefaultTimeout()
- Expect(session).Should(Exit(0))
- Expect(session.OutputToStringArray()).To(BeEmpty())
+ // machine commands are rootless only
+ if rootless.IsRootless() {
+ session = podmanTest.Podman([]string{"machine", "list", "-q"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ Expect(session.OutputToStringArray()).To(BeEmpty())
+ }
})
})
diff --git a/test/system/050-stop.bats b/test/system/050-stop.bats
index c2dfba84d..39002512b 100644
--- a/test/system/050-stop.bats
+++ b/test/system/050-stop.bats
@@ -171,4 +171,19 @@ load helpers
run_podman --noout stop -t 0 stopme
is "$output" "" "output should be empty"
}
+
+@test "podman stop, with --rm container" {
+ OCIDir=/run/$(podman_runtime)
+
+ if is_rootless; then
+ OCIDir=/run/user/$(id -u)/$(podman_runtime)
+ fi
+
+ run_podman run --rm -d --name rmstop $IMAGE sleep infinity
+ local cid="$output"
+ run_podman stop rmstop
+
+ # Check the OCI runtime directory has removed.
+ is "$(ls $OCIDir | grep $cid)" "" "The OCI runtime directory should have been removed"
+}
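Review bot: The final assertion passes vacuously whenever OCIDir is wrong or absent, because a failing `ls` produces empty output through the pipeline and `is` then sees the expected empty string; the test should fail loudly in that case and check the specific path instead of grepping a listing, e.g. `test -d "$OCIDir" || die "OCI runtime directory $OCIDir not found"` followed by `test ! -e "$OCIDir/$cid" || die "The OCI runtime directory $OCIDir/$cid should have been removed"`. OCIDir should also be declared `local` like cid. The same setup and assertion are duplicated in the 055-rm.bats hunk, which has the same weakness.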
# vim: filetype=sh
diff --git a/test/system/055-rm.bats b/test/system/055-rm.bats
index 69663fafa..0ef2216b8 100644
--- a/test/system/055-rm.bats
+++ b/test/system/055-rm.bats
@@ -52,10 +52,20 @@ load helpers
}
@test "podman rm <-> run --rm race" {
+ OCIDir=/run/$(podman_runtime)
+
+ if is_rootless; then
+ OCIDir=/run/user/$(id -u)/$(podman_runtime)
+ fi
+
# A container's lock is released before attempting to stop it. This opens
# the window for race conditions that led to #9479.
run_podman run --rm -d $IMAGE sleep infinity
+ local cid="$output"
run_podman rm -af
+
+ # Check the OCI runtime directory has removed.
+ is "$(ls $OCIDir | grep $cid)" "" "The OCI runtime directory should have been removed"
}
@test "podman rm --depend" {