path: root/docs/source
Commit message (Author, Age)
* Merge pull request #12208 from cdoern/podSecurityOpt (OpenShift Merge Robot, 2022-01-05)
|\ Pod Security Option support and Infra Inheritance changes
| * Pod Security Option support (cdoern, 2021-12-27)
| | Added support for pod security options. These are applied to infra and passed down to the containers as added (unless overridden). Modified the inheritance process from infra, creating a new function Inherit() which reads the config, and marshals the compatible options into an intermediate struct `InfraInherit`. This is then unmarshaled into a container config and all of this is added to the CtrCreateOptions. Removes the need (mostly) for special additions which complicate the Container_create code and pod creation.
| | resolves #12173
| | Signed-off-by: cdoern <cdoern@redhat.com>
* | Fix wrong 'podman search --format' placeholder (Pavel Dostál, 2022-01-04)
| | Signed-off-by: Pavel Dostál <pdostal@suse.cz>
* | Merge pull request #12611 from Luap99/ipv6 (OpenShift Merge Robot, 2022-01-03)
|\ \ add --ip6 flag to podman create/run
| * | add --ip6 flag to podman create/run (Paul Holzinger, 2022-01-03)
| |/ Add the --ipv6 flag to podman create/run and pod create. We support the --network name:ip6=<ip> syntax now but for docker compat we should also support the --ip6 flag. Note that there is no validation if the ip is actually a v6 or v4 address because the backend does not care either.
| | Fixes #7511
| | Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* / docs: sort swagger operations alphabetically (Aditya Rajan, 2021-12-27)
|/ Use `sort-operations-alphabetically` to sort swagger operations alphabetically
| [CI:DOCS]
| [NO-NEW-TESTS-NEEDED]
| Signed-off-by: Aditya Rajan <arajan@redhat.com>
* Merge pull request #12627 from rhatdan/passwd (OpenShift Merge Robot, 2021-12-23)
|\ Allow users to add host user accounts to /etc/passwd
| * Allow users to add host user accounts to /etc/passwd (Daniel J Walsh, 2021-12-23)
| | Some containers require certain user account(s) to exist within the container when they are run. This option will allow callers to add a bunch of passwd entries from the host to the container even if the entries are not in the local /etc/passwd file on the host.
| | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1935831
| | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #12679 from vrothberg/fix-12671 (OpenShift Merge Robot, 2021-12-23)
|\ \ | |/ |/| clarify `io.podman.annotations.seccomp`
| * [CI:DOCS] clarify `io.podman.annotations.seccomp` (Valentin Rothberg, 2021-12-23)
| | Clarify the semantics of the `io.podman.annotations.seccomp` annotation which is set when a container has been created with a custom seccomp profile.
| | Fixes: #12671
| | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #12692 from giuseppe/fix-additional-ids-doc (OpenShift Merge Robot, 2021-12-23)
|\ \ | |/ |/| [CI:DOCS] docs: document rootless userns mappings
| * [CI:DOCS] docs: document rootless userns mappings (Giuseppe Scrivano, 2021-12-23)
| | document how the host IDs are mapped inside the rootless user namespace.
| | Closes: https://github.com/containers/podman/issues/12676
| | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Error out early if system does not support pre-copy checkpointing (Adrian Reber, 2021-12-23)
|/ CRIU's pre-copy migration support relies on the soft dirty page tracking in the Linux kernel:
| https://www.kernel.org/doc/Documentation/vm/soft-dirty.txt
| This functionality is not implemented for all architectures and it can also be turned off in the kernel. CRIU can check if the combination of architecture/kernel/CRIU supports the soft dirty page tracking and exports this feature checking functionality in go-criu. This commit adds an early check if the user selects pre-copy checkpointing to error out if the system does not support it.
| Signed-off-by: Adrian Reber <areber@redhat.com>
* Merge pull request #12664 from cdoern/noManagePasswd (OpenShift Merge Robot, 2021-12-22)
|\ Podman run --passwd
| * Podman run --passwd (cdoern, 2021-12-21)
| | added support for a new flag --passwd which, when false prohibits podman from creating entries in /etc/passwd and /etc/groups allowing users to modify those files in the container entrypoint
| | resolves #11805
| | Signed-off-by: cdoern <cdoern@redhat.com>
* | Merge pull request #12662 from adrianreber/2021-12-20-checkpoint-restore-man-pages (OpenShift Merge Robot, 2021-12-21)
|\ \ [CI:DOCS] Small checkpoint/restore man page fixes
| * | [CI:DOCS] Small checkpoint/restore man page fixes (Adrian Reber, 2021-12-20)
| |/ At some places the checkpoint restore man pages were using the markdown modifier `**` inside `*..*`. This does not seem to work as intended and results in markdown modifiers present in the final man page. Switching to `__` inside of `*..*` seems to fix this.
| | Signed-off-by: Adrian Reber <areber@redhat.com>
* / [CI:DOCS] Explicitly mention that checkpointing systemd containers might fail (Adrian Reber, 2021-12-20)
|/ Checkpointing a container using systemd as entrypoint will probably result in an error as CRIU cannot handle all the resources latest systemd uses. This updates the checkpoint man page with this information.
| Signed-off-by: Adrian Reber <areber@redhat.com>
* Set machine timezone (Brent Baude, 2021-12-16)
| Added an option to podman machine init to declare the timezone of the resulting machine. The default is to use the value of the host name or else a given timezone name like America/Chicago.
| Fixes: #11895
| Signed-off-by: Brent Baude <bbaude@redhat.com>
| [NO NEW TESTS NEEDED]
| Signed-off-by: Brent Baude <bbaude@redhat.com>
* Merge pull request #12600 from rhatdan/external (OpenShift Merge Robot, 2021-12-15)
|\ Show --external containers even without --all option
| * Show --external containers even without --all option (Daniel J Walsh, 2021-12-14)
| | We currently do not show --external containers when the user specifies it, unless they also specify the --all flag. This has led to confusion. I see no reason not to list them without the --all flag if the user specifies the option.
| | Fixes: https://github.com/containers/podman/issues/12353
| | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #12534 from Luap99/network-db (OpenShift Merge Robot, 2021-12-15)
|\ \ | |/ |/| network db rewrite
| * play kube add support for multiple networks (Paul Holzinger, 2021-12-14)
| | Allow the same --network options for play kube as for podman run/create.
| | Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * support advanced network configuration via cli (Paul Holzinger, 2021-12-14)
| | Rework the --network parse logic to support multiple networks with specific network configuration settings. --network can now be set multiple times. For bridge network mode the following options have been added:
| | - **alias=name**: Add network-scoped alias for the container.
| | - **ip=IPv4**: Specify a static ipv4 address for this container.
| | - **ip=IPv6**: Specify a static ipv6 address for this container.
| | - **mac=MAC**: Specify a static mac address for this container.
| | - **interface_name**: Specify a name for the created network interface inside the container.
| | So now you can set --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99 for the default bridge network as well as for network names. This is better than using --ip because we can set the ip per network without any confusion which network the ip address should be assigned to. The --ip, --mac-address and --network-alias options are still supported but --ip or --mac-address can only be set when only one network is set. This limitation already existed previously. The ability to specify a custom network interface name is new.
| | Fixes #11534
| | Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * network connect allow ip, ipv6 and mac address (Paul Holzinger, 2021-12-14)
| | Network connect now supports setting a static ipv4, ipv6 and mac address for the container network. The options are added to the cli and api.
| | Fixes #9883
| | Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Add secret list --filter to cli (Jakub Guzik, 2021-12-14)
|/ This PR is a follow-up of #11431. It adds possibility of filtering secret list based on id and name.
| Signed-off-by: Jakub Guzik <jguzik@redhat.com>
* Merge pull request #12489 from mtrmac/save-me-from-repetition (OpenShift Merge Robot, 2021-12-03)
|\ Improve documentation of (podman image save)
| * Fix documentation of (podman image save --compress --uncompressed) (Miloslav Trmač, 2021-12-02)
| | Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Improve documentation of (podman image save --format) (Miloslav Trmač, 2021-12-02)
| | - Don't pointlessly repeat the names
| | - Improve documentation of the formats
| | - Use a table, per MANPAGE_SYNTAX.md
| | Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | Add restart-sec option to systemd generate (Ondra Machacek, 2021-12-03)
|/ Signed-off-by: Ondra Machacek <omachace@redhat.com>
* Merge pull request #12469 from Luap99/ns-teardown-flake (OpenShift Merge Robot, 2021-12-02)
|\ Fix possible rootless netns cleanup race
| * Fix possible rootless netns cleanup race (Paul Holzinger, 2021-12-01)
| | rootlessNetNS.Cleanup() has an issue with how it detects if cleanup is needed, reading the container state is not good enough because containers are first stopped and then cleanup will be called. So at one time two containers could wait for cleanup but the second one will fail because the first one triggered already the cleanup thus making rootless netns unavailable for the second container resulting in a teardown error. Instead of checking the container state we need to check the netns state.
| | Secondly, podman unshare --rootless-netns should not do the cleanup. This causes more issues than it is worth fixing. Users also might want to use this to setup the namespace in a special way. If unshare also cleans this up right away we cannot do this.
| | [NO NEW TESTS NEEDED]
| | Fixes #12459
| | Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #12450 from giuseppe/compression-format (OpenShift Merge Robot, 2021-12-01)
|\ \ | |/ |/| podman, push: expose --compression-format
| * podman, push: expose --compression-format (Giuseppe Scrivano, 2021-12-01)
| | support overriding the compression format at push time.
| | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | systemd: replace multi-user with default.target (Valentin Rothberg, 2021-11-30)
|/ Replace `multi-user.target` with `default.target` across the code base. It seems like the multi-user one is not available for (rootless) users on F35 anymore and is causing issues in all kinds of ways, for instance, enabling the podman.service or generated systemd units.
| Fixes: #12438
| Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* List /etc/containers/certs.d as default for --cert-path (Daniel J Walsh, 2021-11-29)
| Helps Document https://github.com/containers/podman/issues/10116
| Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Support env variables based on ConfigMaps sent in payload (Jakub Dzon, 2021-11-23)
| Fixes #12363
| Signed-off-by: Jakub Dzon <jdzon@redhat.com>
* generate systemd: add --start-timeout flag (Valentin Rothberg, 2021-11-23)
| Add a new flag to set the start timeout for a generated systemd unit. To make naming consistent, add a new --stop-timeout flag as well and let the previous --time map to it.
| Fixes: #11618
| Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12301 from umohnani8/table (OpenShift Merge Robot, 2021-11-22)
|\ Add note about volume with unprivileged container
| * Add note about volume with unprivileged container (Urvashi Mohnani, 2021-11-21)
| | Add a note to the generated kube yaml if we detect a volume is being mounted. The note lets the user know what needs to be done to avoid permission denied error when trying to access the volume for an unprivileged container. Add the same note to the man pages.
| | NO NEW TESTS NEEDED
| | Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* | [CI:DOCS] Update notes on java TZ in man page (Urvashi Mohnani, 2021-11-22)
| | Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* | Merge pull request #12373 from TomSweeneyRedHat/dev/tsweeney/jdoc (OpenShift Merge Robot, 2021-11-22)
|\ \ [CI:DOCS] Add java TZ note to run manpage
| * | [CI:DOCS] Add java TZ note to run manpage (TomSweeneyRedHat, 2021-11-19)
| |/ Add a note to show how to work around the `--tz` option being ignored in the run command.
| | Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1984251
| | Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* / Use same runtime to restore a container as during checkpointing (Adrian Reber, 2021-11-19)
|/ There are at least two runtimes that support checkpoint and restore: runc and crun. Although the checkpoints created by these are almost compatible, it is not (yet) possible to restore a checkpoint created with one runtime with the other runtime.
| To make checkpoint/restore usage more comfortable this adds code to look into the checkpoint archive during restore and to set the runtime to the one used during checkpointing. This also adds a check, if the user explicitly sets a runtime during restore, that the runtime is also the same as used during checkpointing. If a different runtime is selected than the one used during checkpointing the restore will fail early.
| If runc and crun will create compatible checkpoints in the future the check can be changed to treat crun and runc as compatible checkpoint/restore runtimes.
| Signed-off-by: Adrian Reber <areber@redhat.com>
* Merge pull request #12354 from Luap99/exit-command (OpenShift Merge Robot, 2021-11-18)
|\ Do not store the exit command in container config
| * Do not store the exit command in container config (Paul Holzinger, 2021-11-18)
| | There is a problem with creating and storing the exit command when the container was created. It only contains the options the container was created with but NOT the options the container is started with. One example would be a CNI network config. If I start a container once, then change the cni config dir with `--cni-config-dir` and start it a second time it will start successfully. However the exit command still contains the wrong `--cni-config-dir` because it was not updated.
| | To fix this we do not want to store the exit command at all. Instead we create it every time the conmon process for the container is started. This guarantees us that the container cleanup process is started with the correct settings.
| | [NO NEW TESTS NEEDED]
| | Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #12298 from giuseppe/idmapped-bind-mounts (OpenShift Merge Robot, 2021-11-18)
|\ \ volumes: add new option idmap
| * | volumes: add new option idmap (Giuseppe Scrivano, 2021-11-18)
| | | pass down the "idmap" mount option to the OCI runtime.
| | | Needs: https://github.com/containers/crun/pull/780
| | | Closes: https://github.com/containers/podman/issues/12154
| | | [NO NEW TESTS NEEDED] there is no crun version yet that supports the new feature.
| | | Test case (must run as root):
| | | podman run --rm -v foo:/foo alpine touch /foo/bar
| | | podman run --uidmap 0:1:1000 --rm -v foo:/foo:idmap alpine ls -l /foo
| | | total 0
| | | -rw-r--r-- 1 root root 0 Nov 15 14:01 bar
| | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Add --file-locks checkpoint/restore option (Radostin Stoyanov, 2021-11-18)
| |/ |/| CRIU supports checkpoint/restore of file locks. This feature is required to checkpoint/restore containers running applications such as MySQL.
| | Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
* | remote checkpoint/restore: more fixes (Valentin Rothberg, 2021-11-18)
|/  * Support `checkpoint --pre-checkpoint`
|   * Support `checkpoint --with-previous`
|   * Disable `restore --import-previous` for the remote client since we had to send two files which in turn would require to tar them up and hence be a breaking change. Podman 4.0 would be the chance and I hope we'll find time before that to remote-restore prettier.
| Note that I did not run over swagger yet to check whether all parameters are actually documented due to time constraints.
| Fixes: #12334
| Signed-off-by: Valentin Rothberg <rothberg@redhat.com>