Podman machine os apply takes a takes a OCI image with container native ostree functionality and rebases the machine os on that image.
Currently, this requires the guest os inside the vm to use rpm-ostree.
When specifying an image, any container transport may be specified. If a
container transport is not specified, OS apply will attempt to search
the local containers-storage for the image, and if it is not found, it
will then attempt to use the Docker transport to pull from a remote
registry.
The architecture of OS apply is as follows:
podman machine os apply ssh's into the machine and calls podman machine os
apply. on the secondary call to podman machine os apply, apply
recognizes that it is inside the machine and does image operations, and
finally calls rpm-ostree rebase.
Tests are written but commented out, due to the chicken-and-egg problem.
Signed-off-by: Ashley Cui <acui@redhat.com>
When generating a kube yaml with kube generate, do not
set the hostPort in the pod spec if the service flag is
set and we are generating a service kind too.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* add tests
* add documentation for --shm-size-systemd
* add support for both pod and standalone run
Signed-off-by: danishprakash <danish.prakash@suse.com>
Add a podman ulimit annotation to kube generate and play.
If a container has a container with ulimits set, kube gen
will add those as an annotation to the generated yaml.
If kube play encounters the ulimit annotation, it will set
ulimits for the container being played.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Remove the container in ExecStop to make sure that Quadlet's adheres to
Podman's customizable stop signal/timeout. Certain programs ignore
SIGTERM which renders the services generated by Quadlet less user
friendly compared to the ones from podman-generate-systemd.
Previously, `systemctl stop` would just hang until systemd's stop
timeout is hit. Since `podman rm` also removes the CID file, the
additional `rm` can be removed. Note that `podman rm` will return
immediately if the specified CID file isn't present.
I am working on a short tutorial on Quadlet and hit the issue with a
simple container running `sleep`. `sleep` ignores SIGTERM and stopping
the service would take forever even with `PodmanArgs=--stop-timeout=0`.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Install the signal proxy before attaching to/starting the container to
make sure there's no race-condition as revealed in the failing start/run
tests in #16901. The tests had the valid expectation that signal
forwarding works once the container is running.
Further update the tests to account for the attach test where the
expectation is that signal forwarding works once Podman has attached to
container (or even before).
Fixes: #16901
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Signed-off-by: Ed Santiago <santiago@redhat.com>
Commit 4fa307f149 fixed a number of issues in the sdnotify proxies.
Whenever a container runs with a custom sdnotify policy, the proxies
need to keep running which in turn required Podman to run and wait for
the service container to stop. Improve on that behavior and set the
service container as the main PID (instead of Podman) when no container
needs sdnotify.
Fixes: #17345
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
We currently name the container being created during kube play
as ctrName-podName, but this is not how it is done in k8s.
Since we can't change this at the CLI level as it will be a breaking
change (it will be planned for podman 5.0), add only ctrName as an alias
to the network of the pod.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Also includes unreleased https://github.com/openshift/imagebuilder/pull/246 to work
with the updated docker/docker dependency.
And updates some references to newly deprecated docker/docker symbols.
[NO NEW TESTS NEEDED]
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Handle a race condition in the REST API when listing networks.
In between listing all containers and inspecting them, they may have
already been removed, so handle this case gracefully.
[NO NEW TESTS NEEDED] as it's a race condition.
Fixes: #17341
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add missing return after utils.Error(),
utils.InternalServerError(), utils.BadRequest().
[NO NEW TESTS NEEDED]
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
Add support for disabeling SELinux process separation in the container.
Add support for setting the process type of the container.
Add support for setting the process MCS level of the container.
Add support for setting the file type of the container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
when using --userns=auto or --userns=pod, we should bind mount /sys
from the host instead of creating a new /sys in the container,
otherwise we rely on the fallback provided by crun, which might not be
available in other runtimes.
Also, in the last version of crun the fallback is stricter than it
used to be before and it uses a recursive bind mount through the new
mount API. That can be missing on old kernel.
Closes: https://github.com/containers/crun/issues/1131
[NO NEW TESTS NEEDED] to trigger the failure, we need a specific
combination of kernel, libc and OCI runtime.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
