Set proxy settings (such as `HTTP_PROXY`, and others)
for the whole guest OS with setting up `DefaultEnvironment`
with a `systemd` configuration file `default-env.conf`,
a `profile.d` scenario file - `default-env.sh` and
a `environment.d` configuration file `default-env.conf`
The **actual** environment variables are read by podman
at a start, then they are encrypted with base64 into
a single string and after are provided into a VM through
QEMU Firmware Configuration (fw_cfg) Device
Inside a VM a systemd service `envset-fwcfg.service`
reads the providead encrypted string from fw_cfg, decrypts
and then adds to the files
- `/etc/systemd/system.conf.d/default-env.conf`
- `/etc/profile.d/default-env.sh`
- `/etc/environment.d/default-env.conf`
At the end this service execute `systemctl daemon-reload`
to propagate new variables for systemd manager
[NO NEW TESTS NEEDED]
Closes#13168
Signed-off-by: esendjer <esendjer@gmail.com>
Until podman4 is in the fcos trees, we need to pull the machine images
from a side repository. There is a hard coded bit that forces the
side repo download right now. Simple comment or removal of the bit will
revert to normal download behavior.
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
Makes sure that ignition setups up systemd config so cgroup controllers
like `cpu, io` are also delegated to `non-root` along with `memory,
pid`.
This allows general users of `podman` on `macOS` and `podman-remote` to
do operations which are dependent on `cpu, io` cgroup controllers.
[NO TESTS NEEDED]
[NO NEW TESTS NEEDED]
We don't have a CI infra to test this, please pull the tree and run
`podman info` inside the machine to confirm.
Signed-off-by: Aditya R <arajan@redhat.com>
After refactoring Stop(), mounting volumes was hanging in Start().
Restore the conditional, and add error reporting from isListening.
[NO NEW TESTS NEEDED]
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
This field was only needed for machine to force cni, however you can set
netns="bridge" in the config to have the same effect. This is already
done in the machine setup.
see https://github.com/containers/common/pull/895
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
if users run podman machine stop && podman machine ls, the status of the
machine in the subsequent ls command would running. now we wait for
everything to complete for stop so that scripting is more accurate.
Fixes: #12815
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
Podman often has to run behind an http/https proxy, often in corporate environments.
This proxy may or may not include SSL inspection capabilities, requiring a trusted SSL CA certificate to be added to a system's trust store.
Copy the file referred to by SSL_CERT_FILE on the host into the podman machine's OS trust store, overriding the built-in single-file trust store certificate.
Also set the `SSL_FILE_CERT` on remote machine
[NO NEW TESTS NEEDED]
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Podman often has to run behind an http/https proxy, often in corporate environments.
This proxy may or may not include SSL inspection capabilities, requiring a trusted SSL CA certificate to be added to a system's trust store.
Solve this by reading standard proxy variables (HTTP_PROXY HTTPS_PROXY NO_PROXY http_proxy https_proxy no_proxy) and injecting them into the machine at init.
[NO NEW TESTS NEEDED]
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Use the same type of mounts for all the machine volumes.
The default could change in the future, depending on OS.
[NO NEW TESTS NEEDED]
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
There are other mount types available, such as NFS or SMB,
or one could use reverse sshfs for better compatibility.
It could either be a global option, or it could perhaps be
overridden for each volume (like the container volumes).
Refactor the creation of the options string or array.
Allow specifying the volume as read-only, if desired.
[NO NEW TESTS NEEDED]
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
Allow using the built-in 9pfs feature of qemu,
mounting host directories into vm mountpoints.
The volumes are generic, the mounts are specific.
Wait for the machine to be "running", otherwise
the SSH function might throw an error instead.
Increase the default msize from 8 KiB to 128 KiB
[NO NEW TESTS NEEDED]
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
Following PR ensures that certs from `~/.config/containers/certs.d` or `~/.config/docker/certs.d`
are copied into the remote machine at `/etc/containers/certs.d/`
As a result on platforms like `macOS` where podman works with a remote
machine setup. User's local certs must be transferd to VM without any
plumbing needed by user.
[NO-NEW-TESTS-NEEDED]
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Added an option to podman machine init to declare the timezone of the
resulting machine. the default is to use the value of the host name or
else a given timezone name like America/Chicago.
Fixes: #11895
Signed-off-by: Brent Baude <bbaude@redhat.com>
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
Replace `multi-user.target` with `default.target` across the code base.
It seems like the multi-user one is not available for (rootless) users
on F35 anymore is causing issues in all kinds of ways, for instance,
enabling the podman.service or generated systemd units.
Fixes: #12438
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Wait for sshd to be ready before we return from start. This should make
podman machine ssh immediately available without any race conditions.
Fixes#11532
[NO NEW TESTS NEEDED] I could not reproduce the issue so I am not sure
if this fixes it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commits adds port forwarding logic directly into podman. The
podman-machine cni plugin is no longer needed.
The following new features are supported:
- works with cni, netavark and slirp4netns
- ports can use the hostIP to bind instead of hard coding 0.0.0.0
- gvproxy no longer listens on 0.0.0.0:7777 (requires a new gvproxy
version)
- support the udp protocol
With this we no longer need podman-machine-cni and should remove it from
the packaging. There is also a change to make sure we are backwards
compatible with old config which include this plugin.
Fixes#11528Fixes#11728
[NO NEW TESTS NEEDED] We have no podman machine test at the moment.
Please test this manually on your system.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Now that aarch64 fcos is an official thing, we no longer need to use the side repo (for lack of a better word). We can now use the same image lookup technique as x86_64. I removed the special lookup, moved the x86_64 lookup to generic arch, and removed the arch specific files that we no longer needed.
[NO TESTS NEEDED]
Signed-off-by: baude <baude@redhat.com>
