path: root/docs/podman.1.md
Commit message | Author | Age
* hooks: Add pre-create hooks for runtime-config manipulation | W. Trevor King | 2019-01-08
  There's been a lot of discussion over in [1] about how to support the NVIDIA folks and others who want to be able to create devices (possibly after having loaded kernel modules) and bind userspace libraries into the container. Currently that's happening in the middle of runc's create-time mount handling before the container pivots to its new root directory with runc's incorrectly-timed prestart hook trigger [2]. With this commit, we extend hooks with a 'precreate' stage to allow trusted parties to manipulate the config JSON before calling the runtime's 'create'.

  I'm recycling the existing Hook schema from pkg/hooks for this, because we'll want Timeout for reliability and When to avoid the expense of fork/exec when a given hook does not need to make config changes [3].

  [1]: https://github.com/opencontainers/runc/pull/1811
  [2]: https://github.com/opencontainers/runc/issues/1710
  [3]: https://github.com/containers/libpod/issues/1828#issuecomment-439888059

  Signed-off-by: W. Trevor King <wking@tremily.us>
* libpod/container_internal: Deprecate implicit hook directories | W. Trevor King | 2018-12-03
  Part of the motivation for 800eb863 (Hooks supports two directories, process default and override, 2018-09-17, #1487) was [1]:

  > We only use this for override. The reason this was caught is people
  > are trying to get hooks to work with CoreOS. You are not allowed to
  > write to /usr/share... on CoreOS, so they wanted podman to also look
  > at /etc, where users and third parties can write.

  But we'd also been disabling hooks completely for rootless users. And even for root users, the override logic was tricky when folks actually had content in both directories. For example, if you wanted to disable a hook from the default directory, you'd have to add a no-op hook to the override directory.

  Also, the previous implementation failed to handle the case where there were hooks defined in the override directory but the default directory did not exist:

    $ podman version
    Version: 0.11.2-dev
    Go Version: go1.10.3
    Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
    Built: Sun Dec 2 21:30:06 2018
    OS/Arch: linux/amd64
    $ ls -l /etc/containers/oci/hooks.d/test.json
    -rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
    $ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
    time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
    time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"

  With this commit:

    $ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
    time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
    time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
    time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
    time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
    time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
    time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""

  (I'd set up the hook to error out). You can see that it's silently ignoring the ENOENT for /usr/share/containers/oci/hooks.d and continuing on to load hooks from /etc/containers/oci/hooks.d. When it loads the hook, it also logs a warning-level message suggesting that callers explicitly configure their hook directories. That will help consumers migrate, so we can drop the implicit hook directories in some future release.

  When folks *do* explicitly configure hook directories (via the newly-public --hooks-dir and hooks_dir options), we error out if they're missing:

    $ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
    error setting up OCI Hooks: open /does/not/exist: no such file or directory

  I've dropped the trailing "path" from the old, hidden --hooks-dir-path and hooks_dir_path because I think "dir(ectory)" is already enough context for "we expect a path argument". I consider this name change non-breaking because the old forms were undocumented.

  Coming back to rootless users, I've enabled hooks now. I expect they were previously disabled because users had no way to avoid /usr/share/containers/oci/hooks.d which might contain hooks that required root permissions. But now rootless users will have to explicitly configure hook directories, and since their default config is from ~/.config/containers/libpod.conf, it's a misconfiguration if it contains hooks_dir entries which point at directories with hooks that require root access. We error out so they can fix their libpod.conf.

  [1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355

  Signed-off-by: W. Trevor King <wking@tremily.us>
* Better document rootless containers | Daniel J Walsh | 2018-11-10
  Need to return an error pointing user in right direction if rootless podman fails, because of no /etc/subuid or /etc/subgid files.

  Also fix up man pages to better describe rootless podman.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless: default to fuse-overlayfs when available | Giuseppe Scrivano | 2018-11-08
  If fuse-overlayfs is present, rootless containers default to use it. This can still be overridden either via the command line with --storage-driver or in the ~/.config/containers/storage.conf configuration file.

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Fix man page to show info on storage | Daniel J Walsh | 2018-10-22
  Also fix lint errors.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix trivial missing markup in manpage | Paul W. Frields | 2018-10-18
  Signed-off-by: Paul W. Frields <stickster@gmail.com>
* Hooks supports two directories, process default and override | Daniel J Walsh | 2018-09-17
  Also cleanup files section or podman man page
  Add description of policy.json
  Sort alphabetically.
  Add more info on oci hooks

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #1487
  Approved by: umohnani8
* Fix up libpod.conf man pages and references to it. | Daniel J Walsh | 2018-09-06
  Remove podman --config option, since it does not do anything.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #1410
  Approved by: mheon
* We should fail Podman with ExitCode 125 by default | Daniel J Walsh | 2018-09-05
    $ ./bin/podman --foo
    $ echo $?
    125
    $ ./bin/podman foo
    Command "foo" not found. See `podman --help`.
    $ echo $?
    1

  After this change

    $ ./bin/podman foo
    Command "foo" not found. See `podman --help`.
    $ echo $?
    125

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #1398
  Approved by: vrothberg
* docs: consistent headings | Valentin Rothberg | 2018-08-30
  Base heading is level 2, which is identical to the level 1. However level 3 will be indented which is used a lot in the `## EXAMPLES` sections.

  Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
  Closes: #1375
  Approved by: rhatdan
* docs: fix headers | Valentin Rothberg | 2018-08-30
  Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
  Closes: #1375
  Approved by: rhatdan
* docs: add containers-mounts.conf(5) | Valentin Rothberg | 2018-08-27
  Add a containers-mounts.conf(5) manpage. The mounts.conf is used by other tools (e.g., CRI-O) as well. A dedicated manpage reduces redundancy.

  Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
  Closes: #1350
  Approved by: rhatdan
* docs: use "containers-" prefix for registries and storage | Valentin Rothberg | 2018-08-27
  Use the "containers-" prefix for all references to the containers-registries.conf and containers-storage.conf configuration files.

  Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
  Closes: #1350
  Approved by: rhatdan
* Mention that systemd is the default cgroup manager | Matthew Heon | 2018-08-17
  Update docs to reflect our changed default CGroup manager.

  Fixes: #1292
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #1293
  Approved by: baude
* Document STORAGE_DRIVER and STORAGE_OPTS environment variable | Daniel J Walsh | 2018-08-16
  Default settings for storage can be overridden by setting these environment variables.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #1282
  Approved by: mheon
* Add documentations on how to setup /etc/subuid and /etc/subgid | Daniel J Walsh | 2018-07-31
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #1185
  Approved by: giuseppe
* Update comments in BoltDB and In-Memory states | Matthew Heon | 2018-07-24
  Better explain the inner workings of both state types in comments to make reviews and changes easier.

  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Address first round of review comments | Matthew Heon | 2018-07-24
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Add --namespace flag to Podman | Matthew Heon | 2018-07-24
  Allows joining libpod to a specific namespace when running a Podman command.

  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* rootless: support a per-user mounts.conf | Giuseppe Scrivano | 2018-07-20
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: allow a per-user registries.conf file | Giuseppe Scrivano | 2018-07-20
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: allow a per-user storage.conf file | Giuseppe Scrivano | 2018-07-20
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless, docs: document the libpod.conf file used in rootless mode | Giuseppe Scrivano | 2018-07-20
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: require subids to be present | Giuseppe Scrivano | 2018-07-16
  Most images won't work without multiple ids/gids. Error out immediately if there are no multiple ids available.

  The error code when the user is not present in /etc/sub{g,u}id looks like:

    $ bin/podman run --rm -ti alpine echo hello
    ERRO[0000] No subuid ranges found for user "gscrivano"

  Closes: https://github.com/projectatomic/libpod/issues/1087

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #1097
  Approved by: rhatdan
* Log all output of logrus to syslog as well as stdout/stderr | Daniel J Walsh | 2018-07-12
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #1084
  Approved by: baude
* docs: Follow man-pages(7) suggestions for SYNOPSIS | W. Trevor King | 2018-07-04
  man-pages(7) has [1]:

  > For commands, this shows the syntax of the command and its arguments
  > (including options); boldface is used for as-is text and italics are
  > used to indicate replaceable arguments. Brackets ([]) surround
  > optional arguments, vertical bars (|) separate choices, and ellipses
  > (...) can be repeated.

  I've adjusted our SYNOPSIS entries to match that formatting, and generally tried to make them more consistent with the precedent set by the man-pages project.

  Outside of the SYNOPSIS entry, I prefer using backticks for literals, although in some places I've left the ** bolding to keep things visually similar to a nearby SYNOPSIS entry.

  [1]: http://man7.org/linux/man-pages/man7/man-pages.7.html

  Signed-off-by: W. Trevor King <wking@tremily.us>
  Closes: #1027
  Approved by: rhatdan
* docs: add documentation for rootless containers | Giuseppe Scrivano | 2018-06-27
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #936
  Approved by: rhatdan
* Doc changes to fix alignment on most of the docs | umohnani8 | 2018-06-14
  Went through the docs and fixed the alignment so they all match up and look readable when doing 'man podman [command]"

  Signed-off-by: umohnani8 <umohnani@redhat.com>
  Closes: #943
  Approved by: rhatdan
* add podman container and image command | Daniel J Walsh | 2018-06-13
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #941
  Approved by: TomSweeneyRedHat
* Touchups for registries.conf across a few man pages | TomSweeneyRedHat | 2018-06-11
  Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
  Closes: #927
  Approved by: rhatdan
* Cleanup man pages | Daniel J Walsh | 2018-05-30
  Format md files to work properly when converted to man pages. Add sed command to cleanup table in podman man page.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #842
  Approved by: mheon
* docs/podman.1: Link to hook documentation | W. Trevor King | 2018-05-17
  Collecting the Podman/libpod specifics in one place allows us to use the hooks documentation which the previous commit made more generic.

  The re-ordered SEE ALSO is because [1]:

  > The list should be ordered by section number and then alphabetically
  > by name.

  [1]: http://man7.org/linux/man-pages/man7/man-pages.7.html

  Signed-off-by: W. Trevor King <wking@tremily.us>
  Closes: #772
  Approved by: mheon
* Add --cgroup-manager flag to Podman binary | Matthew Heon | 2018-05-11
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #507
  Approved by: baude
* Begin wiring in USERNS Support into podman | Daniel J Walsh | 2018-05-04
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #690
  Approved by: mheon
* Add files section to podman man page | Daniel J Walsh | 2018-03-26
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #536
  Approved by: TomSweeneyRedHat
* Add restart to main podman manpage | Matthew Heon | 2018-03-16
  Signed-off-by: Matthew Heon <mheon@redhat.com>
  Closes: #503
  Approved by: rhatdan
* Merge pull request #471 from TomSweeneyRedHat/dev/tsweeney/podmanman | Matthew Heon | 2018-03-12
|\
| |   Update commands section to a table and add missing commands
| * Update commands section to a table and add missing commands | TomSweeneyRedHat | 2018-03-10
| |   Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* | Remove crio.conf references from manpages | Matthew Heon | 2018-03-12
|/
  Also changes a few docker-login references to podman-login.

  Signed-off-by: Matthew Heon <mheon@redhat.com>
  Closes: #473
  Approved by: rhatdan
* Cleanup Documentation and bash completions | Daniel J Walsh | 2017-12-20
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #159
  Approved by: TomSweeneyRedHat
* Rename all references to kpod to podman | Daniel J Walsh | 2017-12-18
  The decision is in, kpod is going to be named podman.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #145
  Approved by: umohnani8