Using os.Is{Exist,NotExist,Permission} checks is not recommended in
new code (see official documentation). While using them in existing
code is OK, it may still result in subtle errors later (for a specific
example of that, see [1]).
Replace those with errors.Is.
Generated by:
gofmt -r 'os.IsExist(a) -> errors.Is(a, os.ErrExist)' -w .
gofmt -r 'os.IsNotExist(a) -> errors.Is(a, os.ErrNotExist)' -w .
gofmt -r 'os.IsPermission(a) -> errors.Is(a, os.ErrPermission)' -w .
goimports -w .
git diff vendor test/tools/vendor | patch -p1 -R
[1]: https://github.com/opencontainers/runc/pull/5061
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
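The kind of subtle error the message above refers to, as an added example (not code from Podman or runc): `os.IsNotExist` only looks through the `os` package's own error types, so it stops matching once a caller wraps the error with `%w`, while `errors.Is` follows the wrap chain. `readPolicy`, `classify`, `missingPath` and the path itself are hypothetical names constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// readPolicy is a hypothetical helper that, like most layered Go code,
// adds context to the underlying error with %w before returning it.
func readPolicy(path string) error {
	if _, err := os.ReadFile(path); err != nil {
		return fmt.Errorf("reading policy %q: %w", path, err)
	}
	return nil
}

// classify reports how the legacy check and errors.Is see the same error.
func classify(err error) (legacy, modern bool) {
	return os.IsNotExist(err), errors.Is(err, os.ErrNotExist)
}

// missingPath returns a constructed path whose parent directory is absent.
func missingPath() string {
	return filepath.Join(os.TempDir(), "constructed-absent-dir-example", "policy.json")
}

func main() {
	// *fs.PathError straight from the os package.
	_, direct := os.Stat(missingPath())
	// The same failure, wrapped once by the caller.
	wrapped := readPolicy(missingPath())

	for _, c := range []struct {
		name string
		err  error
	}{{"direct", direct}, {"wrapped", wrapped}} {
		legacy, modern := classify(c.err)
		fmt.Printf("%-8s os.IsNotExist=%-5v errors.Is=%v\n", c.name, legacy, modern)
	}
}
```

A caller that treats "file absent" as "fall back to the default" and everything else as fatal takes the wrong branch on the wrapped error when it uses the legacy check.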
- libpod/events.go & libpod/runtime.go: Added the `Artifact` event type.
Refactored and deduplicated event forwarding logic by introducing
`spawnEventForwarder[T any]`, replacing separate goroutine loops for
images and artifacts. Implemented graceful shutdown and resolved eventer
initialization race conditions.
- libpod/events: Implemented event filtering by name/ID, updated journald
and logfile readers/writers for artifact events, and added `Artifact` to
`ToHumanReadable` formatting.
- cmd/podman: Added shell auto-completion for `artifact=` and `type=artifact` filters.
- docs/test: Documented the `artifact` event type, statuses, and filters in
`podman-events.1.md`. Added an end-to-end test in `events_test.go` to verify
event emissions.
Signed-off-by: Byounguk Lee <nimdrak@gmail.com>
Add a --dry-run option to show which volumes would be pruned without removing them.
Related: #27838
Signed-off-by: KyounghoonJang <matkimchi_@naver.com>
Autocompletion for `podman inspect` now includes artifact names,
matching the behavior of other object types like containers, images,
pods, networks, and volumes.
Signed-off-by: Byounguk Lee <nimdrak@gmail.com>
This is gated behind a new option in `podman system migrate`,
`--migrate-db`, or by a system restart being performed.
BoltDB support was removed in Podman 6, so we are certain that,
when we start Podman, a SQLite state is in use. However, if we
also detect a valid BoltDB state, we will attempt a migration.
Migration is performed by retrieving all volumes, pods, and
containers (in that order, to ensure there are no dependency
conflicts) from the Bolt database, then adding them to the SQLite
database. If there is a conflict - i.e., a container exists in both
SQLite and Bolt - we skip migration for that object. The old DB
is then renamed so we do not try to migrate it again.
Our ability to test complex migration scenarios is limited, but
this should handle simple migrations easily.
This is a heavily adapted version of #27660 rebuilt to work with
Podman 6.0. Substantial changes were required to throw errors
when a BoltDB database is detected and no migration is being
performed. Firstly, for automatic on-reboot migrations, we need
to have a deferred error returned by getDBState (very early in
runtime initialization) that is only acted on much later (once we
know for certain a state refresh is/is not being performed).
The `system migrate --migrate-db` command was much more
problematic. Conceptually, it's not terrible - add a flag to the
runtime to suppress errors, set that flag only when calling the
`system migrate` command with `--migrate-db` - but it unveiled a
serious problem with how we do runtime init (special flags to the
runtime were being ignored because the image runtime set the
Libpod runtime first and had none of the proper handling) which
took a genuinely annoying amount of time to identify and fix.
This cannot be tested automatically, as the ability to create Bolt
databases has been entirely removed with Podman 6.
This also includes 9b810aed3a from
the v5.8 branch by Luap99, which I have had to squash into this
commit to satisfy the build-each-commit check. It was just a
simplification of the SQLite path check.
Signed-off-by: Matt Heon <matthew.heon@pm.me>
Podman defaults to the directory of the Containerfile when no context dir is explicitly provided.
When running podman build with process substitution, `podman build -f <(echo "FROM scratch")`,
the Containerfile path expands to `/dev/fd/<NUM>`, which makes `/dev/fd` the context dir.
When building, Buildah attempts to create an overlay mount on top of the `/dev/fd` context dir, which fails.
In these cases, use a temp context dir instead: `$TMPDIR/podman-build-context-$randnum`
Fixes: https://github.com/containers/podman/issues/28113
Signed-off-by: Ashley Cui <acui@redhat.com>
Introducing a new `podman system` subcommand to prepare a Windows host
to run Hyper-V based Podman machines: `hyperv-prep`.
When executed it:
- creates the registry keys for VSocks
- adds the current user to the Hyper-V administrators group
This command requires an administrator terminal.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
The recent registries.conf rework made it so the backend already reads the
env var. As such clients should no longer set it directly to simplify
the code here.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The podman module paths are moving from github.com/containers/podman to
go.podman.io/podman. This will help with future mobility.
Signed-off-by: Brent Baude <bbaude@redhat.com>
This PR reflects the upstream change of moving the buildah module from
github.com/containers/buildah to go.podman.io/buildah.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Use shared configfile instead of custom policy.json path handling.
This updates ocipull to rely on signature.DefaultPolicy(), removes
explicit SignaturePolicyPath, and replaces trust's custom default-policy
path logic with common configfile code.
Replace hidden `--policypath` with `--signature-policy` and require
it for `trust set` command instead of path resolution based on
configfile.
For `trust get`, the `--signature-policy` is optional.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
These are two new Buildah flags that we need to wire into Podman
(both local and remote) and document, with the interesting note
that one requires the other and a check needed to be added for
that.
Also: secret parsing was tightened up in Buildah, and was
breaking the remote build tests. Rewire it to use the new parser
Buildah made, which ends up simplifying the code considerably.
Tests are back to passing afterwards.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
This was implemented by containers/netavark #1369; this commit
completes the process by wiring it into Podman. We now respect
the CLI order for configured networks - if a user passes
`--net net1,net2` we guarantee that net1 will be configured
before net2.
For containers created before this patch, we don't retain enough
information to configure networks in CLI order, so we use
alphabetical order instead to still guarantee consistency.
No breaking API changes have been made, but we do add a new
field to supplement the existing map to (optionally) provide
ordering information. The Podman CLI will always pass this.
Existing applications that do not will, again, receive
deterministic ordering based on an alphabetical sort of network
names.
This requires the latest version of Netavark to work properly.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The old ErrRelaunchAttempt name was ambiguous — it reads as though the
relaunch attempt failed, when it actually signals success. Rename to
ErrRelaunchSucceeded and update comments at every call site to clarify
that this is not a real error but a sentinel indicating the elevated
child process completed the operation successfully.
Also fix a bug in WSL's launchElevate where a failed elevated process
was incorrectly wrapped with the sentinel, causing callers to treat the
failure as success and print "Machine init complete."
Signed-off-by: lstocchi <lstocchi@redhat.com>
This commit adds automatic UAC elevation prompts for HyperV machine
init/rm actions when administrator privileges are required.
Previously, users had to manually run Podman as administrator
when creating the first machine or removing the last machine, which
requires Windows Registry modifications.
When the HyperV command gets relaunched as elevated, the error of the
elevated process is saved to a file to be displayed by the caller. The
implementation is the same as that used by WSL.
Signed-off-by: lstocchi <lstocchi@redhat.com>
The Go std os package will always make sure to use O_CLOEXEC, however
in cases where we directly call unix.Open() we need to pass that flag
explicitly.
I looked at this as there was a report of a leaked fd on the pasta list,
though I am not sure this will address it.
But anyway doing this should be rather safe and avoid leaks into other
processes.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
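A way to observe the difference described above, as an added example (not code from Podman): it opens the same path with a raw open call with and without `O_CLOEXEC` and through `os.Open`, then reads each descriptor's `FD_CLOEXEC` flag. It assumes Linux and uses the standard-library `syscall.Open` as a stand-in for `unix.Open`; `hasCloexec` and `inspect` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// hasCloexec reports whether FD_CLOEXEC is set on fd (fcntl F_GETFD, Linux).
func hasCloexec(fd int) (bool, error) {
	flags, _, errno := syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), syscall.F_GETFD, 0)
	if errno != 0 {
		return false, errno
	}
	return flags&syscall.FD_CLOEXEC != 0, nil
}

// inspect returns the close-on-exec state of a raw open without the flag,
// a raw open with it, and an os.Open of the same path.
func inspect(path string) (plain, cloexec, viaOS bool, err error) {
	fd1, err := syscall.Open(path, syscall.O_RDONLY, 0)
	if err != nil {
		return
	}
	defer syscall.Close(fd1)
	fd2, err := syscall.Open(path, syscall.O_RDONLY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return
	}
	defer syscall.Close(fd2)
	f, err := os.Open(path)
	if err != nil {
		return
	}
	defer f.Close()
	if plain, err = hasCloexec(fd1); err != nil {
		return
	}
	if cloexec, err = hasCloexec(fd2); err != nil {
		return
	}
	viaOS, err = hasCloexec(int(f.Fd()))
	return
}

func main() {
	plain, cloexec, viaOS, err := inspect("/dev/null")
	fmt.Println("raw:", plain, "raw+O_CLOEXEC:", cloexec, "os.Open:", viaOS, "err:", err)
}
```

A descriptor without the flag stays open across `execve`, so any child process the program starts inherits it.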
This will be useful when importing host certificates and the certificates file
isn't mounted in the guest.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
When an artifact is added without an explicit tag (e.g.
"quay.io/myimage/myartifact"), the TAG column in "podman artifact ls"
was empty instead of showing "latest", unlike container images which
default to :latest.
Add a call to reference.TagNameOnly() after parsing the stored name so
the display normalises the reference before extracting the tag, matching
the behaviour of container images.
Fixes: #27083
Signed-off-by: Devesh B <98201065+DeveshB-1@users.noreply.github.com>
Adds --filter status=<value> support to podman quadlet list.
Also adds shell completion for the status filter values.
Signed-off-by: Himanshu Jaiswal <himanshu.bw5@gmail.com>
rootlessport: clarify RootlessCNI comment
Update the comment for the RootlessCNI conditional to clarify that
the flag is for rootless bridge networking, not CNI specifically.
The bool is set when netStatus != nil in slirp4netns and will be
removed when slirp4netns and rootlessport are fully dropped.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>