summaryrefslogtreecommitdiff
path: root/pkg/specgen
Commit message (Collapse)AuthorAge
* Create full path to a directory when DirectoryOrCreate is used with play kubeMikhail Khachayants2022-10-06
| | | | Signed-off-by: Mikhail Khachayants <tyler92@inbox.ru>
* fix: kube play liveness probe http pathPiotr2022-09-28
| | | | | | | Use the default / for http probe path. Update to URI schemes ensuring lowercase Signed-off-by: Piotr <piotr.skoczylas@gmail.com>
* Merge pull request #15946 from rhatdan/kubeOpenShift Merge Robot2022-09-27
|\ | | | | Default missing hostPort to containerPort is defined in kube.yaml
| * Default missing hostPort to containerPort is defined in kube.yamlDaniel J Walsh2022-09-27
| | | | | | | | | | | | | | | | | | If user does not specify hostPort in a kube.yml file but does specify a containerPort, then the hostPort should default to the containerPort. Fixes: https://github.com/containers/podman/issues/15942 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | fix: liveness check with http probePiotr2022-09-27
|/ | | | | | | | | Ensure kubernetes default parameters are respected. Additional curl parameter enforces returning error for HTTP error codes. Use build-in HealthCheckOnFailureAction instead of killing the container while executing the probe. Signed-off-by: Piotr <piotr.skoczylas@gmail.com>
* Replace deprecated ioutilChris Evich2022-09-20
| | | | | | | | | | Package `io/ioutil` was deprecated in golang 1.16, preventing podman from building under Fedora 37. Fortunately, functionality identical replacements are provided by the packages `io` and `os`. Replace all usage of all `io/ioutil` symbols with appropriate substitutions according to the golang docs. Signed-off-by: Chris Evich <cevich@redhat.com>
* podman container clone env patchCharlie Doern2022-09-16
| | | | | | | | | podman container clone was failing when env variables had multiple `=` in them. Switch split to splitn resolves #15836 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* Use new secret store APIAshley Cui2022-09-12
| | | | | | | | | Refactored secrets API in common for stability purposes. Move podman to said API. [NO NEW TESTS NEEDED] Signed-off-by: Ashley Cui <acui@redhat.com>
* Merge pull request #15511 from rhatdan/codespellOpenShift Merge Robot2022-09-12
|\ | | | | Fix stutters
| * Fix stuttersDaniel J Walsh2022-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman adds an Error: to every error message. So starting an error message with "error" ends up being reported to the user as Error: error ... This patch removes the stutter. Also ioutil.ReadFile errors report the Path, so wrapping the err message with the path causes a stutter. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Fix CPU usage limitation in play kube for non integer valuesMikhail Khachayants2022-09-10
|/ | | | | | | | | | This logic has been broken by commit 9c6c981928c3e020ff6eef9454c7ee86aa8c83d1 (kube: fix conversion from milliCPU to period/quota). [NO NEW TESTS NEEDED] Fixes: #15726 Signed-off-by: Mikhail Khachayants <tyler92@inbox.ru>
* Merge pull request #15687 from vrothberg/RUN-1639OpenShift Merge Robot2022-09-09
|\ | | | | health check: add on-failure actions
| * health check: add on-failure actionsValentin Rothberg2022-09-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For systems that have extreme robustness requirements (edge devices, particularly those in difficult to access environments), it is important that applications continue running in all circumstances. When the application fails, Podman must restart it automatically to provide this robustness. Otherwise, these devices may require customer IT to physically gain access to restart, which can be prohibitively difficult. Add a new `--on-failure` flag that supports four actions: - **none**: Take no action. - **kill**: Kill the container. - **restart**: Restart the container. Do not combine the `restart` action with the `--restart` flag. When running inside of a systemd unit, consider using the `kill` or `stop` action instead to make use of systemd's restart policy. - **stop**: Stop the container. To remain backwards compatible, **none** is the default action. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | Ignore cpu realtime options on cgroups V2 systemsToshiki Sonoda2022-09-09
|/ | | | | | | | | | | | `--cpu-rt-period` and `--cpu-rt-runtime` options are only supported on cgroups V1 rootful systems. Therefore, podman prints an warning message and ignores these options when we use cgroups V2 systems. Related to: #15666 Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
* specgen/generate: Factor out setting resource limits from CompleteSpecDoug Rabson2022-09-08
| | | | | | | | | | This avoids setting values in the spec which are not supported on FreeBSD - including these values causes warning messages for the unsupported features. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* kube play: support auto updates and rollbacksValentin Rothberg2022-09-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add auto-update support to `podman kube play`. Auto-update policies can be configured for: * the entire pod via the `io.containers.autoupdate` annotation * a specific container via the `io.containers.autoupdate/$name` annotation To make use of rollbacks, the `io.containers.sdnotify` policy should be set to `container` such that the workload running _inside_ the container can send the READY message via the NOTIFY_SOCKET once ready. For further details on auto updates and rollbacks, please refer to the specific article [1]. Since auto updates and rollbacks bases on Podman's systemd integration, the k8s YAML must be executed in the `podman-kube@` systemd template. For further details on how to run k8s YAML in systemd via Podman, please refer to the specific article [2]. An examplary k8s YAML may look as follows: ```YAML apiVersion: v1 kind: Pod metadata: annotations: io.containers.autoupdate: "local" io.containers.autoupdate/b: "registry" labels: app: test name: test_pod spec: containers: - command: - top image: alpine name: a - command: - top image: alpine name: b ``` [1] https://www.redhat.com/sysadmin/podman-auto-updates-rollbacks [2] https://www.redhat.com/sysadmin/kubernetes-workloads-podman-systemd Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Merge pull request #15618 from mheon/add_group_to_addtlgroupsOpenShift Merge Robot2022-09-05
|\ | | | | Add container GID to additional groups
| * Add container GID to additional groupsMatthew Heon2022-09-02
| | | | | | | | | | | | | | Mitigates a potential permissions issue. Mirrors Buildah PR #4200 and CRI-O PR #6159. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #15582 from dfr/freebsd-bindOpenShift Merge Robot2022-09-04
|\ \ | | | | | | Add support for FreeBSD volume mounts in specgen
| * | specgen: Use platform-specific mount type for volume mountsDoug Rabson2022-08-30
| | | | | | | | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* | | Merge pull request #15599 from umohnani8/gen-kubeOpenShift Merge Robot2022-09-02
|\ \ \ | |_|/ |/| | Fix bind-mount-option annotation in gen/play kube
| * | Fix bind-mount-option annotation in gen/play kubeUrvashi Mohnani2022-09-01
| |/ | | | | | | | | | | | | | | | | The format used for setting the bind-mount-options annotations in the kube yaml was incorrect and caused k8s to throw an error when trying to play the generated kube yaml. Fix the annotation format to match the rules of k8s. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* / implement podman updateCharlie Doern2022-09-01
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman update allows users to change the cgroup configuration of an existing container using the already defined resource limits flags from podman create/run. The supported flags in crun are: this command is also now supported in the libpod api via the /libpod/containers/<CID>/update endpoint where the resource limits are passed inthe request body and follow the OCI resource spec format –memory –cpus –cpuset-cpus –cpuset-mems –memory-swap –memory-reservation –cpu-shares –cpu-quota –cpu-period –blkio-weight –cpu-rt-period –cpu-rt-runtime -device-read-bps -device-write-bps -device-read-iops -device-write-iops -memory-swappiness -blkio-weight-device resolves #15067 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* Merge pull request #15560 from dfr/freebsd-specgenOpenShift Merge Robot2022-09-01
|\ | | | | Add FreeBSD support for pkg/specgen/generate
| * specgen/generate: Add support for FreeBSDDoug Rabson2022-08-30
| | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * specgen/generate: Move specConfigNamespaces to namespace_linux.go and add stubsDoug Rabson2022-08-30
| | | | | | | | | | | | | | | | Everthing except for hostname management is linux-specific. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * specgen/generate: Move SpecGenToOCI, WeightDevices to oci_linux.go and add ↵Doug Rabson2022-08-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | stubs. Almost all of SpecGenToOCI deals with linux-specific aspects of the runtime spec. Rather than try to factor this out piecemeal, I think it is cleaner to move the whole function along with its implementation helper functions. This also meams we don't need non-linux stubs for functions called from oci_linux.go [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * specgen/generate: Move security.go to security_linux.go and add stubsDoug Rabson2022-08-29
| | | | | | | | | | | | | | | | | | The security features (selinux, apparmor, capabilities) are linux specific. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* | Merge pull request #15473 from umohnani8/empty-dirOpenShift Merge Robot2022-08-31
|\ \ | | | | | | Add emptyDir volume support to kube play
| * | Add emptyDir volume support to kube playUrvashi Mohnani2022-08-30
| |/ | | | | | | | | | | | | | | | | | | | | When a kube yaml has a volume set as empty dir, podman will create an anonymous volume with the empty dir name and attach it to the containers running in the pod. When the pod is removed, the empy dir volume created is also removed. Add tests and docs for this as well. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* / podman: add uid and gid options to keep-idGiuseppe Scrivano2022-08-30
|/ | | | | | | | | | | | | | | | | | | | add two new options to the keep-id user namespace option: - uid: allow to override the UID used inside the container. - gid: allow to override the GID used inside the container. For example, the following command will map the rootless user (that has UID=0 inside the rootless user namespace) to the UID=11 inside the container user namespace: $ podman run --userns=keep-id:uid=11 --rm -ti fedora cat /proc/self/uid_map 0 1 11 11 0 1 12 12 65525 Closes: https://github.com/containers/podman/issues/15294 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #15434 from rhatdan/manifest1OpenShift Merge Robot2022-08-24
|\ | | | | Allow podman to run in an environment with keys containing spaces
| * Allow podman to run in an environment with keys containing spacesDaniel J Walsh2022-08-23
| | | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/15251 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | run,create: add support for --env-merge for preprocessing varsAditya R2022-08-24
|/ | | | | | | | | | | | | | | Allow end users to preprocess default environment variables before injecting them into container using `--env-merge` Usage ``` podman run -it --rm --env-merge some=${some}-edit --env-merge some2=${some2}-edit2 myimage sh ``` Closes: https://github.com/containers/podman/issues/15288 Signed-off-by: Aditya R <arajan@redhat.com>
* Merge pull request #15415 from cdoern/cloneOpenShift Merge Robot2022-08-23
|\ | | | | pass environment variables to container clone
| * pass environment variables to container cloneCharlie Doern2022-08-22
| | | | | | | | | | | | | | | | the env vars are held in the spec rather than the config, so they need to be mapped manually. They are also of a different format so special handling needed to be added. All env from the parent container will now be passed to the clone. resolves #15242 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | Warning messages are printed and ignored if we use an unsupported optionToshiki Sonoda2022-08-23
|/ | | | | | | | | | | | | | | | | | | When an unsupported limit on cgroups V1 rootless systems is requested, podman prints an warning message and ignores the option/flag. ``` Target options/flags: --cpu-period, --cpu-quota, --cpu-rt-period, --cpu-rt-runtime, --cpus, --cpu-shares, --cpuset-cpus, --cpuset-mems, --memory, --memory-reservation, --memory-swap, --memory-swappiness, --blkio-weight, --device-read-bps, --device-write-bps, --device-read-iops, --device-write-iops, --blkio-weight-device ``` Related to https://github.com/containers/podman/discussions/10152 Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
* pkg/specgen: Add stubs for non-linux buildsDoug Rabson2022-08-15
| | | | | | | | | | This introduces a local type rlimT which is used to convert runtime-spec POSIXRlimit to platform-specific Rlimit structures - on FreeBSD rlimit members are signed integers. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* Merge pull request #15157 from cdoern/apiLogOpenShift Merge Robot2022-08-11
|\ | | | | fix LogConfig type for libpod API
| * fix LogConfig type for libpod APICharlie Doern2022-08-08
| | | | | | | | | | | | | | | | | | | | | | [NO NEW TESTS NEEDED] our native API was consuming the docker compat type for the API since the two have the exact same name. Fix this by renaming LogConfig to LogConfigLibpod resolves #15138 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | kube play: sd-notify integrationValentin Rothberg2022-08-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Integrate sd-notify policies into `kube play`. The policies can be configured for all contianers via the `io.containers.sdnotify` annotation or for indidivual containers via the `io.containers.sdnotify/$name` annotation. The `kube play` process will wait for all containers to be ready by waiting for the individual `READY=1` messages which are received via the `pkg/systemd/notifyproxy` proxy mechanism. Also update the simple "container" sd-notify test as it did not fully test the expected behavior which became obvious when adding the new tests. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | libpod: allow the notify socket to be passed programaticallyValentin Rothberg2022-08-10
| | | | | | | | | | | | | | | | | | The notify socket can now either be specified via an environment variable or programatically (where the env is ignored). The notify mode and the socket are now also displayed in `container inspect` which comes in handy for debugging and allows for propper testing. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | Merge pull request #14926 from cdoern/generateSpecOpenShift Merge Robot2022-08-10
|\ \ | | | | | | podman generate spec
| * | podman generate specCharlie Doern2022-08-04
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | implement a new command `podman generate spec` which can formulate a json specgen to be consumed by both the pod and container creation API. supported flags are --verbose (default true) print output to the terminal --compact print the json output in a single line format to be piped to the API --filename put the output in a file --clone rename the pod/ctr in the spec so it won't conflict w/ an existing entity Signed-off-by: Charlie Doern <cdoern@redhat.com>
* / specgen: use sandbox id instead of name for annotationGiuseppe Scrivano2022-08-08
|/ | | | | | | | | | | use the sandbox id instead of the name for the io.kubernetes.cri-o.SandboxID annotation used by gVisor. Closes: https://github.com/containers/podman/issues/15223 [NO NEW TESTS NEEDED] it is specific to gVisor Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #15035 from cdoern/cgroupOpenShift Merge Robot2022-07-23
|\ | | | | fix container create/run throttle devices
| * fix container create/run throttle devicesCharlie Doern2022-07-22
| | | | | | | | | | | | pod resource limits introduced a regression where `FinishThrottleDevices` was not called for create/run Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | Merge pull request #14567 from cdoern/secretsOpenShift Merge Robot2022-07-22
|\ \ | |/ |/| Implement kubernetes secret handling for podman play kube
| * kube secret handling for podman play kubecdoern2022-07-20
| | | | | | | | | | | | | | | | | | | | | | add support for both creating a secret using yaml and mounting a secret as a volume given a yaml file. Kubernetes secrets have a different structure than podman and therefore have to be handeled differently. In this PR, I have introduced the basic usecases of kube secrets with more implementations like env secrets to come! resolves #12396 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | resource limits for podsCharlie Doern2022-07-21
|/ | | | | | | | | | | | | | | | | | added the following flags and handling for podman pod create --memory-swap --cpuset-mems --device-read-bps --device-write-bps --blkio-weight --blkio-weight-device --cpu-shares given the new backend for systemd in c/common, all of these can now be exposed to pod create. most of the heavy lifting (nearly all) is done within c/common. However, some rewiring needed to be done here as well! Signed-off-by: Charlie Doern <cdoern@redhat.com>