Replace github.com/docker/docker API imports with github.com/moby/moby
across compat handlers, swagger models, and tests to align with upstream
type definitions.
Fixes: #27536.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
closes: #27411
Adjust SUB_UID and SUB_GID ranges to support running rootless Podman inside a rootless run Podman container.
Also add a test to verify the change and prevent regression.
By default, a new user is assigned the following sub-ID ranges:
SUB_UID_MIN=100000, SUB_GID_MIN=100000, SUB_UID_COUNT=65536, SUB_GID_COUNT=65536
This means the user’s sub-UID and sub-GID ranges are 100000–165535.
When the container is run rootless with the user defined below, ID mappings occur as follows:
- Container ID 0 (root) maps to user ID 1000 on the host (which is the user created below).
- Container IDs 1–65536 map to IDs 100000–165535 on host (the subid range previously mentioned).
If a new user is created inside this container (to build containers for example), it will
attempt to use the default sub-ID range (100000–165535). However, this exceeds the container’s
available ID mapping, since only IDs up to 65536 are mapped. This causes nested rootless Podman
to fail.
To enable container-in-container builds, the sub-ID ranges for the user must be large enough
to provide at least 65536 usable IDs. A minimum SUB_UID_COUNT and SUB_GID_COUNT of 165536 is
required, but 1,000,000 is used here to provide additional margin.
1,000,000 matches the subid range other machines are using, defined in [ignition.go](69b397af49/pkg/machine/ignition/ignition.go (L284-L289)).
The script of other machines modify the subid files directly for 1 user, the `sed` command used in
this fix mimics that.
The test is added as en extension to the 'simple init with username' test case, to prevent having
to create a new VM.
Signed-off-by: dvorst <87502756+dvorst@users.noreply.github.com>
runWslCommand never returns err != nil because if there's an error, it
calls Fail (which panics, so the code after it is unreachable).
Remove error returning and checking.
Inspired by the following linter warning:
> pkg/machine/e2e/config_windows_test.go:59:56: runWslCommand - result 1 (error) is always nil (unparam)
> func runWslCommand(cmdArgs []string) (*machineSession, error) {
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
When starting a machine and the user has not explicitly passed
-u=true|false AND stdin is a not a tty, we should not prompt to update
connections.
Fixes: #27556
Signed-off-by: Brent Baude <bbaude@redhat.com>
Now that Podman 6.0 no longer supports Intel Macs, use libkrun as the
default machine provider.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
this pr is a follow on to #27493. it adds support for hyperv "fake"
images and suggests a benefit in terms of test speed. for hyperv, we
create a generic 4MB vhdx and stick it into the temp dir. this saves us
from any image copy or compression.
i also followed up on a few comments Paul made about using windows|unix
instead of each platform.
Signed-off-by: Brent Baude <bbaude@redhat.com>
While doing the provider obfuscation, I injected a regression where
podman ssh machine failed. The regression was added in
0f22c1c772. I have fixed the regression
and added a test to prevent future occurance.
Fixes: #27491
Signed-off-by: Brent Baude <bbaude@redhat.com>
In tests that do not start a machine, we can use "fake" images to speed
up tests. In the case of darwin and Linux, that can be /dev/null. The
hypervisors don't care.
In the case of Windows, some research will need to be done to determine
the same approach but this is a start.
Signed-off-by: Brent Baude <bbaude@redhat.com>
This allows users to set the associated machine's system connection to the system default when running `podman machine init --now` or `podman machine start`. It also changes the default bbehavior of these commands in that the user will be prompted and asked if they would like to switch the system connection. It also introduces a command line switch called `--update-connection`. If the switch is unset, then the user will be prmpted. If the command value is explicitly set to `false`, the user will not be prompted and the system connection will not be altered. If the value is set to `true`, the system connection will be made the default and the user will not be prompted.
Fixes: https://issues.redhat.com/browse/RUN-3632
Signed-off-by: Brent Baude <bbaude@redhat.com>
A condition was changed in the refgactor of init where duplicate names would be allowed but no machine was created. Duplicate names are not permitted and should return an error.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Add the ability for users to override the default provider when creating mahcines. The new flag is `--provider` and allows you to specifiy a valid vmtype for the platform. This PR also removes the previous list test where we tested listing all providers. I added a PR for testing --provider which includes a standard `machine ls` which defaults now to showing all providers.
Signed-off-by: Brent Baude <bbaude@redhat.com>
For Podman 6, we still have providers and will continue to have a default provider for each platform. But where a platform has multiple providers, we want users to be able to cross provider boudnaries imposed in Podman 4/5. The key change is to look up virtual machines by name, as before, but to then also iterate all possible providers. As of this PR, init will still only create with the default provider, but a subsequent PR will introdouce an provider override.
I also removed the "--all-providers" command line option on `podman
machine ls` because it no longer makes sense. And I marked the all
provider list test to be skipped.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Tremendous amount of changes in here, but all should amount to
the same thing: changing Go import paths from v5 to v6.
Also bumped go.mod to github.com/containers/podman/v6 and updated
version to v6.0.0-dev.
Signed-off-by: Matt Heon <mheon@redhat.com>
Problem: While removing cgroupsv1 code, I noticed my neovim Go config
automatically changed fileperms to the new octal format and I didn't
want that polluting my diffs.
Decision: I thought it best to switch to the new octal format in a dedicated PR.
Action:
- Cursor switched to new octal format for all fileperm ocurrences in Go
source and test files.
- vendor/, docs/ and non-Go files were ignored.
- Reviewed manually.
Ref: https://go.dev/ref/spec#Go_1.13
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
The code which comment refers to was removed by commit 2e4e1bb97c
("podman machine ssh handling"), so the comment is no longer valid.
Remove it.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Using golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize
+ some manual cleanup in libpod/lock/shm/shm_lock_test.go as it
generated an unused variable
+ restored one removed comment
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
unconfined is a special value and not a path as such it must not be
converted otherwise --security-opt seccomp=unconfined fails as it tries
to access a file called unconfined.
Fixes: 3e8b2d7d96 ("Fix seccomp profile path on Windows")
Fixes: #26855
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This patch adds a new --tls-verify flag to the `podman machine init`
sub command which matches many of our other commands. This allows the
user to optionally control whether TLS verification is enabled or
disabled for download of the machine image.
The default remains to leave the TLS verification decision to the
backend library which defaults to enabling it, this patch just
allows the user to explicitly set it on the CLI.
Fixes: #26517
Signed-off-by: Lewis Roy <lewis@redhat.com>
The machine images should contain a new enough podman on the server side
to support this so the skips can be removed.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Fixed the --build-context flag to properly send files for remote builds. Previously
only the main context was sent over as a tar while additional contexts were passed as
local paths and this would cause builds to fail since the files wouldn't exist.
New changes modifies the Build API to use multipart HTTP requests allowing multiple
build contexts to be used. Each additional context is packaged and
transferred based on its type:
- Local Directories: Sent as tar archives
- Git Repositories: link sent to the server where its then cloned
- Container Images: Image reference sent to the server, it then pulls the image there
- URLs/archives: URL sent to the server, which handles the download
Fixes: #23433
Signed-off-by: Joshua Arrevillaga <2004jarrevillaga@gmail.com>
Setup a local web server both for HTTP and HTTPS and make sure the
client rejects the connection and does not try to pull the image.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The Windows source folder path was not converted in the corresponding
machine folder path when the volume was of type overlay as it does for
other bind mount volumes.
Fix#25988
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
When a custom username is requested we must stil enable lingering for
it. The linger setup in the coreos image with the hard coded core user
doesn't really make sense as it doesn't work when another name is used.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The podman machine copy test "attempt copying file to a new directory"
was failing because on recent version of Windows the error message
doesn't match the expected error message. To make it work on new and
old version of Windows both old and new error messages are now
considered as valid.
Fixes https://github.com/containers/podman/issues/26056
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
The image quay.io/libpod/alpine_nginx doesn't have a `linux/arm64` version
and the test "Single character volume mount" on Windows ARM64 was
failing. Changing it to TESTIMAGE (quay.io/libpod/testimage) fixes it.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
