| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Added support for pod security options. These are applied to infra and passed down to the
containers as added (unless overridden).
Modified the inheritance process from infra, creating a new function Inherit() which reads the config, and marshals the compatible options into an intermediate struct `InfraInherit`
This is then unmarshaled into a container config and all of this is added to the CtrCreateOptions. Removes the need (mostly) for special additons which complicate the Container_create
code and pod creation.
resolves #12173
Signed-off-by: cdoern <cdoern@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Some containers require certain user account(s) to exist within the
container when they are run. This option will allow callers to add a
bunch of passwd entries from the host to the container even if the
entries are not in the local /etc/passwd file on the host.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1935831
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
It has been deprecated and is no longer supported. Fully remove it and
only print a warning if a user uses it.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2011695
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
added support for a new flag --passwd which, when false prohibits podman from creating entries in
/etc/passwd and /etc/groups allowing users to modify those files in the container entrypoint
resolves #11805
Signed-off-by: cdoern <cdoern@redhat.com>
|
| |\
| |
| | |
network db rewrite
|
| | |
| |
| |
| |
| |
| | |
Allow the same --network options for play kube as for podman run/create.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Rework the --network parse logic to support multiple networks with
specific network configuration settings.
--network can now be set multiple times. For bridge network mode the
following options have been added:
- **alias=name**: Add network-scoped alias for the container.
- **ip=IPv4**: Specify a static ipv4 address for this container.
- **ip=IPv6**: Specify a static ipv6 address for this container.
- **mac=MAC**: Specify a static mac address address for this container.
- **interface_name**: Specify a name for the created network interface inside the container.
So now you can set --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99
for the default bridge network as well as for network names.
This is better than using --ip because we can set the ip per network
without any confusion which network the ip address should be assigned
to.
The --ip, --mac-address and --network-alias options are still supported
but --ip or --mac-address can only be set when only one network is set.
This limitation already existed previously.
The ability to specify a custom network interface name is new
Fixes #11534
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Add the new networks format to specgen. For api users cni_networks is
still supported to make migration easier however the static ip and mac
fields are removed.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Network connect now supports setting a static ipv4, ipv6 and mac address
for the container network. The options are added to the cli and api.
Fixes #9883
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| | |
| |
| |
| |
| |
| | |
We do not need to return a extra bool.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |/
|
|
|
|
|
|
|
| |
We have to get the network ID from the network backend. With the
netavark backend we no longer use the sha from the name as ID.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2030599
When you create pod, it shares the UTS namespace with Containers.
Currently the --hostname is not passed to the pod created when
you create a container and pod in the same command.
Also fix error message on supported --share flags
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
GLOBAL_OPTS haven't been supported for at least two major versions of
Podman. The runlabel code is extremely fragile and I think it should
be rewritten before adding new features.
Fixes: #12436
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |
|
|
|
|
|
| |
[NO NEW TESTS NEEDED] This is just moving pkg/cgroups out so
existing tests should be fine.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\
| |
| |
| |
| | |
dispensable/respect_pod_yaml_spec_hostname_when_play
Hostname in `spec.hostname` should be passed to infra ctr init opt
|
| | |
| |
| |
| |
| |
| | |
Fixes https://github.com/containers/podman/issues/12393
Signed-off-by: Qiang Wang <sunsetmask@gmail.com>
|
| |\ \
| | |
| | | |
Add support for configmap volumes to play kube
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
If the k8s yaml has volumes from a configmap, play kube
will now create a volume based on the data from the
configmap and volume source and set it to the right path
in the container accordingly.
Add tests for this and update some test for ENV from configmap.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
|
| |\ \ \
| | | |
| | | | |
Add restart-sec option to systemd generate command
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Ondra Machacek <omachace@redhat.com>
|
| |\ \ \ \
| |/ / /
|/| | | |
cmd, push: use the configured compression format
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[NO NEW TESTS NEEDED] I am just changing the default value
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \ \ \
| | | | |
| | | | | |
Don't use a global RNG, and avoid conflicts, when generating NodePorts
|
| | | |_|/
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Add an error return to it and affected callers.
Should not affect behavior, the function can't currently fail.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
| |\ \ \ \
| |_|/ /
|/| | | |
Fix possible rootless netns cleanup race
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
rootlessNetNS.Cleanup() has an issue with how it detects if cleanup
is needed, reading the container state is not good ebough because
containers are first stopped and than cleanup will be called. So at one
time two containers could wait for cleanup but the second one will fail
because the first one triggered already the cleanup thus making rootless
netns unavailable for the second container resulting in an teardown
error. Instead of checking the container state we need to check the
netns state.
Secondly, podman unshare --rootless-netns should not do the cleanup.
This causes more issues than it is worth fixing. Users also might want
to use this to setup the namespace in a special way. If unshare also
cleans this up right away we cannot do this.
[NO NEW TESTS NEEDED]
Fixes #12459
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |/ /
| |
| |
| |
| |
| | |
support overriding the compression format at push time.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
| |
The previous code fails on a MAC when opening /dev/stdout
Fixes: https://github.com/containers/podman/issues/12402
[NO NEW TESTS NEEDED] No easy way to test this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
| |
Fixes #12363
Signed-off-by: Jakub Dzon <jdzon@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Add a new flag to set the start timeout for a generated systemd unit.
To make naming consistent, add a new --stop-timeout flag as well and let
the previous --time map to it.
Fixes: #11618
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\
| |
| | |
Add note about volume with unprivileged container
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add a note to the generated kube yaml if we detect a
volume is being mounted. The note lets the user know
what needs to be done to avoid permission denied error
when trying to access the volume for an unprivileged
container.
Add the same note to the man pages.
NO NEW TESTS NEEDED
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
|
| |/
|
|
|
|
|
| |
Create a custom writer which logs the netavark output to logrus. This
will log to the syslog when it is enabled.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |\
| |
| | |
Do not store the exit command in container config
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There is a problem with creating and storing the exit command when the
container was created. It only contains the options the container was
created with but NOT the options the container is started with. One
example would be a CNI network config. If I start a container once, then
change the cni config dir with `--cni-config-dir` ans start it a second
time it will start successfully. However the exit command still contains
the wrong `--cni-config-dir` because it was not updated.
To fix this we do not want to store the exit command at all. Instead we
create it every time the conmon process for the container is startet.
This guarantees us that the container cleanup process is startet with
the correct settings.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |/
|
|
|
|
|
|
| |
CRIU supports checkpoint/restore of file locks. This feature is
required to checkpoint/restore containers running applications
such as MySQL.
Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Support `checkpoint --pre-checkpoint`
* Support `checkpoint --with-previous`
* Disable `restore --import-previous` for the remote client since we had
to send two files which in turn would require to tar them up and hence
be a breaking change. Podman 4.0 would be the chance and I hope we'll
find time before that to remote-restore prettier.
Note that I did not run over swagger yet to check whether all parameters
are actually documented due to time constraints.
Fixes: #12334
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\
| |
| | |
fix remote checkpoint/restore
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Nothing was working before, and it's too much to summarize. To make
sure we're not regressing in the future again, enable the remote e2e
tests.
Fixes: #12007
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Podman adds a few environment variables by default, and
currently there is no way to get rid of them from your container.
This option will allow you to specify which defaults you don't
want.
--unsetenv-all will remove all default environment variables.
Default environment variables can come from podman builtin,
containers.conf or from the container image.
Fixes: https://github.com/containers/podman/issues/11836
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\
| |
| | |
Support template unit files in podman generate systemd
|
| | |
| |
| |
| | |
Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds the parameter '--print-stats' to 'podman container restore'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to restore a checkpoint and print out these
information. CRIU already creates process restore statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the restored container, Podman will now print
out JSON:
# podman container restore --latest --print-stats
{
"podman_restore_duration": 305871,
"container_statistics": [
{
"Id": "47b02e1d474b5d5fe917825e91ac653efa757c91e5a81a368d771a78f6b5ed20",
"runtime_restore_duration": 140614,
"criu_statistics": {
"forking_time": 5,
"restore_time": 67672,
"pages_restored": 14
}
}
]
}
The output contains 'podman_restore_duration' which contains the
number of microseconds Podman required to restore the checkpoint. The
output also includes 'runtime_restore_duration' which is the time
the runtime needed to restore that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds the parameter '--print-stats' to 'podman container checkpoint'.
With '--print-stats' Podman will measure how long Podman itself, the OCI
runtime and CRIU requires to create a checkpoint and print out these
information. CRIU already creates checkpointing statistics which are
just read in addition to the added measurements. In contrast to just
printing out the ID of the checkpointed container, Podman will now print
out JSON:
# podman container checkpoint --latest --print-stats
{
"podman_checkpoint_duration": 360749,
"container_statistics": [
{
"Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808",
"runtime_checkpoint_duration": 177222,
"criu_statistics": {
"freezing_time": 100657,
"frozen_time": 60700,
"memdump_time": 8162,
"memwrite_time": 4224,
"pages_scanned": 20561,
"pages_written": 2129
}
}
]
}
The output contains 'podman_checkpoint_duration' which contains the
number of microseconds Podman required to create the checkpoint. The
output also includes 'runtime_checkpoint_duration' which is the time
the runtime needed to checkpoint that specific container. Each container
also includes 'criu_statistics' which displays the timing information
collected by CRIU.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
| |\ \
| | |
| | | |
Enable 'podman run --memory-swappiness=0'
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
'--memory-swappiness=0' used to work. This patch fixes the regression
issue, which was caused by the change of infra container creation
process.
Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
|
| |\ \ \
| |/ /
|/| | |
--authfile command line argument for image sign command.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Adds the --authfile command line argument to allow users to use
alternative authfile paths when signing images.
Replaces: https://github.com/containers/podman/pull/10975
Fixes: https://github.com/containers/podman/issues/10866
Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| | |
Do not force-pull the infra image in `play kube` but let the backend
take care of that when creating the pod(s) which may build a local
`podman-pause` image instead of using the default infra image.
Fixes: #12254
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| | |
To make testing easier we can overwrite the network backend with the
global `--network-backend` option.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
