Change isHyperVAdminMember from returning a bool to returning an error so that callers surface the specific failure reason — particularly distinguishing "not in the group" from "in the group but session not updated" (new ErrHypervUserSessionNotUpdated sentinel). This gives users actionable guidance instead of a generic permission error.
Signed-off-by: lstocchi <lstocchi@redhat.com>
Add missing defer Close() calls in four locations:
- libpod/container.go: specFromState() opens the container config file
but never closes it after reading, leaking one fd per call.
- libpod/container_internal_common.go: checkpoint() and restore() each
open the bundle directory for CRIU statistics but never close it,
leaking one fd per checkpoint/restore operation.
- pkg/machine/shim/host.go: Init() opens the playbook file but never
closes it after ReadAll, leaking one fd per machine init.
Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
With podman 6 we have a --import-native-ca option that handles the
copying of certs much better.
As such remove our old legacy way of copying files these envs and also
the static certs.d dir. Since we now mount the full containers config
dir the certs from the cert.d are mounted already.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The other providers use the volume mounts from containers.conf which
should take care of it. But because WSL is not using this we need to
hard code this ourselves.
Add a new custom unit to make systemd mount the path like we do for
podman socket mounts.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Each machine init boot takes a while, we can easily do this as part of
one test run to speed the overall machine test time up.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The config.go file has a build tag that was never used. Also remove
unused functions from other files.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Introducing a new `podmand system` subcommand to prepare a Windows host
to run Hyper-V based Podman machines: `hyperv-prep`.
When executed it:
- creates of the registry keys for VSocks
- adds the current user to the Hyper-V administrators group
This command requires an administrator terminal.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
Hyper-V VMs require some specific Windows registry keys to allow the
communication between the host and the guest. Creating these registry
keys require elevated privileges.
These keys were created during the first Podman `machine init` and
removed when the last Podman machine is removed.
In this commit we skip the creation of the keys if they already exist in
the registry. So that admin privileges aren't required anymore, even for
the creation of the first Podman machine.
In other words, if the keys are pre-created by an administrator, user
will be able to create and remove machines without requiring to run any
elevated command. Even for the first podman machine.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
The podman module paths are moving from github.com/containers/podman to
go.podman.io/podman. This will help with future mobility.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Currently, running Podman on Hyper-V as a non-administrator requires the user to be a member of the "Hyper-V Administrators" local group. If they are not, various WMI calls fail with access denied.
This commit automates the permission setup.
1. During podman machine init, if Podman is running with elevated privileges (required for registry/networking setup anyway), it will now automatically add the current user to the localized "Hyper-V Administrators" group
2. If a user is added to the group, the change is not reflected until the next login. We now detect this state and explicitly instruct the user to log out and back in.
3. Modified the Hyper-V stubber to handle permission checks at the method level rather than the provider selection level (GetAll). This allows init to continue far enough to perform the elevation and setting.
Signed-off-by: lstocchi <lstocchi@redhat.com>
This PR reflects the upstream change of moving the buildah module from
github.com/containers/buildah to go.podman.io/buildah.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Use shared configfile instead of custom policy.json path handling.
This updates ocipull to rely on signature.DefaultPolicy(), removes
explicit SignaturePolicyPath, and replaces trust's custom default-policy
path logic with common configfile code.
Replace hidden `--policypath` with --signature-policy` and require
it for `trust set` command instead of path resolution based on
configfile.
For `trust get`, the `--signature-policy` is optional.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
This was implemented by containers/netavark #1369; this commit
completes the process by wiring it into Podman. We now respect
the CLI order for configured networks - if a user passes
`--net net1,net2` we guarantee that net1 will be configured
before net2.
For containers created before this patch, we don't retain enough
information to configure networks in CLI order, so we use
alphabetical order instead to still guarantee consistency.
No breaking API changes have been made, but we do add a new
field to supplement the existing map to (optionally) provide
ordering information. The Podman CLI will always pass this.
Existing applications that do not will, again, receive]
deterministic ordering based on an alphabetical sort of network
names.
This requires the latest version of Netavark to work properly.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The old ErrRelaunchAttempt name was ambiguous — it reads as though the
relaunch attempt failed, when it actually signals success. Rename to
ErrRelaunchSucceeded and update comments at every call site to clarify
that this is not a real error but a sentinel indicating the elevated
child process completed the operation successfully.
Also fix a bug in WSL's launchElevate where a failed elevated process
was incorrectly wrapped with the sentinel, causing callers to treat the
failure as success and print "Machine init complete."
Signed-off-by: lstocchi <lstocchi@redhat.com>
This commit adds automatic UAC elevation prompts for HyperV machine
init/rm actions when administrator privileges are required.
Previously, users had to manually run Podman as administrator
when creating the first machine or removing the last machine, which
requires Windows Registry modifications.
When the HyperV command gets relaunched as elevated, the error of the
elevated process is saved on a file to be displayed by the caller. The
implementation is the same as that used by WSL.
Signed-off-by: lstocchi <lstocchi@redhat.com>
This will be useful when importing host certificates and the certificates file
isn't mounted in the guest.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
Fix a few new issues reported by the linter update.
There is no need to copy the capAdd/capDrop slice in the compat create
endpoint as they are only read and not modified.
For the other code preallocate the slices so we safe memory allocations.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Replace github.com/docker/docker API imports with github.com/moby/moby
across compat handlers, swagger models, and tests to align with upstream
type definitions.
Fixes: #27536.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
Right now, this correctly handles pullOptions.credentials
which were ignored previously (admittedly that field is never set
by anything...); in the future, it will ensure the two c/image users
won't get out of sync again.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
closes: #27411
Adjust SUB_UID and SUB_GID ranges to support running rootless Podman inside a rootless run Podman container.
Also add a test to verify the change and prevent regression.
By default, a new user is assigned the following sub-ID ranges:
SUB_UID_MIN=100000, SUB_GID_MIN=100000, SUB_UID_COUNT=65536, SUB_GID_COUNT=65536
This means the user’s sub-UID and sub-GID ranges are 100000–165535.
When the container is run rootless with the user defined below, ID mappings occur as follows:
- Container ID 0 (root) maps to user ID 1000 on the host (which is the user created below).
- Container IDs 1–65536 map to IDs 100000–165535 on host (the subid range previously mentioned).
If a new user is created inside this container (to build containers for example), it will
attempt to use the default sub-ID range (100000–165535). However, this exceeds the container’s
available ID mapping, since only IDs up to 65536 are mapped. This causes nested rootless Podman
to fail.
To enable container-in-container builds, the sub-ID ranges for the user must be large enough
to provide at least 65536 usable IDs. A minimum SUB_UID_COUNT and SUB_GID_COUNT of 165536 is
required, but 1,000,000 is used here to provide additional margin.
1,000,000 matches the subid range other machines are using, defined in [ignition.go](69b397af49/pkg/machine/ignition/ignition.go (L284-L289)).
The script of other machines modify the subid files directly for 1 user, the `sed` command used in
this fix mimics that.
The test is added as en extension to the 'simple init with username' test case, to prevent having
to create a new VM.
Signed-off-by: dvorst <87502756+dvorst@users.noreply.github.com>
runWslCommand never returns err != nil because if there's an error, it
calls Fail (which panics, so the code after it is unreachable).
Remove error returning and checking.
Inspired by the following linter warning:
> pkg/machine/e2e/config_windows_test.go:59:56: runWslCommand - result 1 (error) is always nil (unparam)
> func runWslCommand(cmdArgs []string) (*machineSession, error) {
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Rather than append LocalhostSSHArgs to args, prepend it, assuming the
order doesn't matter here.
This fixes the following prealloc warning (without decreasing
readability):
> cmd/podman/machine/cp.go:130:2: Consider preallocating args (prealloc)
> args := []string{"-r", "-i", sshConfig.IdentityPath, "-P", strconv.Itoa(sshConfig.Port)}
> ^
This commit is part of series fixing issues reported by prealloc linter
from golangci-lint v2.8.0.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>