The current systemd service to mount /etc/containers is not working
right. The Before=podman.socket causes a ordering conflict which causes
the socket to be disabled and thus all podman remote connections fail.
The problem is the unit is wanted by the default.target while the socket
is wanted by sockets.target which can be before the default.target is
triggered. That means that the Before= line cannot be fulfilled and
sometimes systemd thus seems to not start the socket. It is unclear to
me why this is racy as it is sometimes also works.
This was reported by Vladimir Lazar from the PD team, our CI did not
caught this as we use rootless machines by default and the problem only
happens for the rootful socket so we do not see connection failures.
To fix this add at least one rootful socket check.
We do however have a different CI flake that was also caused by the
incorrect mount dependencies. The mount could happen after sshd or other
programs run. So to fix this we must hook the podman-mnt-config.service
into the local-fs.target which runs much earlier and is used for all the
mounts.
Fixes: #29003
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It was removed, with the hardcoded image reference.
So cache was always off, even for the default image.
Fixes: #29090
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
When the command output is logged we do not need an extra pipe and
scanner to read the output line by line, we can just log it directly via
a writer.
Now this of course does loose the line by line parsing of the scanner
but IMO this is better as it is simpler and less code to worry about.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
I think this should work fine with the defaults. Since we mount the
/etc/containers dir always we should no longer write to /etc/containers.
If we still need this it should be moved into the image and not done at
init time.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
FCOS symlinks /home to var/home. systemd rejects a mount unit whose
Where= path traverses a symlink, breaking default home dir mounts.
Resolve known FCOS symlinks before writing the ignition unit.
Fixes: #28911
Signed-off-by: Chanhyeok Seo <chanhyeok.seo@datadoghq.com>
systemd interprets % as specifier characters in unit configuration files
(e.g. %H, %u, %40). Proxy environment variable values that contain
percent-encoded URL characters (such as %40 for @ in usernames) cause
systemd to emit warnings and fail to parse the generated
/etc/systemd/system.conf.d/default-env.conf:
system.conf.d/default-env.conf:2: Failed to resolve specifiers in
HTTP_PROXY=http://user%40example.com@proxy:3128
Fix by adding a bash variable substitution that doubles every % to %%
before writing to the systemd unit conf files. The profile.d and
environment.d destinations do not need this escaping and continue to
use the original value.
Fixes#28698
Signed-off-by: crawfordxx <crawfordxx@users.noreply.github.com>
We are seeing frequent flakes in hyperV machine tests. The machine start
fails with an ssh handshake failure:
ssh: handshake failed: read tcp 127.0.0.1:56425->127.0.0.1:56377:
wsarecv: An existing connection was forcibly closed by the remote host.
Normally we do the ssh probe in conductVMReadinessCheck() with a retry
mechanism, however because the hyperV mount code already used ssh in
PostStartNetworking() we never got there and failed early.
PostStartNetworking seems the wrong place to mount anyway so move this
to MountVolumesToVM() instead which is placed after the ready check
already so it should have a working ssh by then.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Change isHyperVAdminMember from returning a bool to returning an error so that callers surface the specific failure reason — particularly distinguishing "not in the group" from "in the group but session not updated" (new ErrHypervUserSessionNotUpdated sentinel). This gives users actionable guidance instead of a generic permission error.
Signed-off-by: lstocchi <lstocchi@redhat.com>
Add missing defer Close() calls in four locations:
- libpod/container.go: specFromState() opens the container config file
but never closes it after reading, leaking one fd per call.
- libpod/container_internal_common.go: checkpoint() and restore() each
open the bundle directory for CRIU statistics but never close it,
leaking one fd per checkpoint/restore operation.
- pkg/machine/shim/host.go: Init() opens the playbook file but never
closes it after ReadAll, leaking one fd per machine init.
Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
With podman 6 we have a --import-native-ca option that handles the
copying of certs much better.
As such remove our old legacy way of copying files these envs and also
the static certs.d dir. Since we now mount the full containers config
dir the certs from the cert.d are mounted already.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The other providers use the volume mounts from containers.conf which
should take care of it. But because WSL is not using this we need to
hard code this ourselves.
Add a new custom unit to make systemd mount the path like we do for
podman socket mounts.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Each machine init boot takes a while, we can easily do this as part of
one test run to speed the overall machine test time up.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The config.go file has a build tag that was never used. Also remove
unused functions from other files.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Introducing a new `podmand system` subcommand to prepare a Windows host
to run Hyper-V based Podman machines: `hyperv-prep`.
When executed it:
- creates of the registry keys for VSocks
- adds the current user to the Hyper-V administrators group
This command requires an administrator terminal.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
Hyper-V VMs require some specific Windows registry keys to allow the
communication between the host and the guest. Creating these registry
keys require elevated privileges.
These keys were created during the first Podman `machine init` and
removed when the last Podman machine is removed.
In this commit we skip the creation of the keys if they already exist in
the registry. So that admin privileges aren't required anymore, even for
the creation of the first Podman machine.
In other words, if the keys are pre-created by an administrator, user
will be able to create and remove machines without requiring to run any
elevated command. Even for the first podman machine.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
The podman module paths are moving from github.com/containers/podman to
go.podman.io/podman. This will help with future mobility.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Currently, running Podman on Hyper-V as a non-administrator requires the user to be a member of the "Hyper-V Administrators" local group. If they are not, various WMI calls fail with access denied.
This commit automates the permission setup.
1. During podman machine init, if Podman is running with elevated privileges (required for registry/networking setup anyway), it will now automatically add the current user to the localized "Hyper-V Administrators" group
2. If a user is added to the group, the change is not reflected until the next login. We now detect this state and explicitly instruct the user to log out and back in.
3. Modified the Hyper-V stubber to handle permission checks at the method level rather than the provider selection level (GetAll). This allows init to continue far enough to perform the elevation and setting.
Signed-off-by: lstocchi <lstocchi@redhat.com>
This PR reflects the upstream change of moving the buildah module from
github.com/containers/buildah to go.podman.io/buildah.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Use shared configfile instead of custom policy.json path handling.
This updates ocipull to rely on signature.DefaultPolicy(), removes
explicit SignaturePolicyPath, and replaces trust's custom default-policy
path logic with common configfile code.
Replace hidden `--policypath` with --signature-policy` and require
it for `trust set` command instead of path resolution based on
configfile.
For `trust get`, the `--signature-policy` is optional.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>