closes: #27411
Adjust SUB_UID and SUB_GID ranges to support running rootless Podman inside a rootless run Podman container.
Also add a test to verify the change and prevent regression.
By default, a new user is assigned the following sub-ID ranges:
SUB_UID_MIN=100000, SUB_GID_MIN=100000, SUB_UID_COUNT=65536, SUB_GID_COUNT=65536
This means the user’s sub-UID and sub-GID ranges are 100000–165535.
When the container is run rootless with the user defined below, ID mappings occur as follows:
- Container ID 0 (root) maps to user ID 1000 on the host (which is the user created below).
- Container IDs 1–65536 map to IDs 100000–165535 on host (the subid range previously mentioned).
If a new user is created inside this container (to build containers for example), it will
attempt to use the default sub-ID range (100000–165535). However, this exceeds the container’s
available ID mapping, since only IDs up to 65536 are mapped. This causes nested rootless Podman
to fail.
To enable container-in-container builds, the sub-ID ranges for the user must be large enough
to provide at least 65536 usable IDs. A minimum SUB_UID_COUNT and SUB_GID_COUNT of 165536 is
required, but 1,000,000 is used here to provide additional margin.
1,000,000 matches the subid range other machines are using, defined in [ignition.go](69b397af49/pkg/machine/ignition/ignition.go (L284-L289)).
The script of other machines modify the subid files directly for 1 user, the `sed` command used in
this fix mimics that.
The test is added as en extension to the 'simple init with username' test case, to prevent having
to create a new VM.
Signed-off-by: dvorst <87502756+dvorst@users.noreply.github.com>
The WSL machine start was using the function FindExecutablePeer that
ignores user configuration (helper_binaries_dir). FindHelperBinary
instead is used when starting the machine for the rest of the providers
and honors user configuration.
This commit requires 4877783c37
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
this commit moves the HasAdminRights func from the wsl package to a generic windows package as this could also be used by the HyperV provider.
Signed-off-by: lstocchi <lstocchi@redhat.com>
Tremendous amount of changes in here, but all should amount to
the same thing: changing Go import paths from v5 to v6.
Also bumped go.mod to github.com/containers/podman/v6 and updated
version to v6.0.0-dev.
Signed-off-by: Matt Heon <mheon@redhat.com>
Problem: While removing cgroupsv1 code, I noticed my neovim Go config
automatically changed fileperms to the new octal format and I didn't
want that polluting my diffs.
Decision: I thought it best to switch to the new octal format in a dedicated PR.
Action:
- Cursor switched to new octal format for all fileperm ocurrences in Go
source and test files.
- vendor/, docs/ and non-Go files were ignored.
- Reviewed manually.
Ref: https://go.dev/ref/spec#Go_1.13
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Since Go 1.18, any is a type alias for interface{}. After commit 8631032556
there is still one last instance of interface{} left -- replace it
manually.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
this patch changes how the detection of wsl works.
The old way of using wsl --status command output to detect some missing features required by WSL is not fully reliable.
WSL checks if the wsl feature is enabled and if the vmcompute service do exist. However, this is not enough to identify if the virtual machine platform feature is enabled. The vmcompute service could exist because it has been installed by other tools or it could exist but being stopped.
The way proposed by this patch is to try execute the import command and,
if it fails, check the error and if it is related to the Host Compute
Service try to install all features required by WSL.
The flow is the same as before, the user is asked to execute the podman
machine init command with elevated privileges. Eventually, after
enabling WSL and VMP features, the user is asked to reboot the machine.
When the machine restarts, the powershell gets invoked again and execute
the command init.
The code also fixes some issues that could cause misbehaviors when
invoking recursively the elevated shell, like an unreleased lock, or a
missing file.
Signed-off-by: lstocchi <lstocchi@redhat.com>
There is no reason to deifne a dummy service to run sleep just to get
the podman.socket enabled. Enabeling a service is just creating the
symlink so we can do that for the user sessions as well.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Those are not used since commit 0c587f024 ("refactor(machine,wsl):
improve operations of Windows API").
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Allow the user to provide an Ansible playbook file on init which will
then be run on boot.
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Signed-off-by: Brent Baude <bbaude@redhat.com>
This commit disables ssh port forwarding on WSL by passing -1 to the -ssh-port flag of gvproxy. Port forwarding is not required on WSL and disabling it prevents port conflict with CRC.
Fixes: https://github.com/containers/podman/issues/20327
Signed-off-by: Gunjan Vyas <vyasgun20@gmail.com>
gvproxy and win-sshproxy have capabilities to serve this type of enpoint.
This change only adds one additional API enpoint publishing by appending
proxy command lines.
Signed-off-by: Arthur Sengileyev <arthur.sengileyev@gmail.com>
We do a soft stop via systemd to allow graceful shutdown behavior.
Hoewever for unknown reason we are hitting such a case in CI right now.
Regardless of the CI issue we should always to the hard terminate in
such case so only log the timeout as warning.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
First of some commands ignored cmd.Wait() error which means it was
impossible to notice any command errors. And others only returned
the wait error as it which when a command fails is just
`exit status <code>` which is not helpful at all.
This commit should add proper error wrapping with stderr to get useful
strings back hopefully.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
1. Prefer using the built-in functions of `golang.org/x/sys/windows` rather than using `syscall` to directly call system APIs
2. Reduce bitwise operations to improve code maintainability
3. Minimize defining your own Flags, and prioritize using those already defined in `golang.org/x/sys/windows`
Signed-off-by: Kevin Cui <bh@bugs.cc>
Cache cleanups only happen if there is a cache miss, and we need to pull a new image
For quay.io/podman/machine-os, we remove all old images from the cache dir. This means we will delete any file that exists in the cache dir; this should be safe to do since the machine pull code should be the only thing touching this cache dir. OCI machine images will always have a different manifest, and won’t be updated with the same manifest, so if the version moves on, there isn’t a reason to keep the old version in the cache, it really doesn’t change.
For Fedora (WSL), we use the cache, so we go through the cache dir and remove any old cached images, on a cache miss. We also switch to using ~/.local/share/containers/podman/machine/wsl/cache as the cache dir rather than ~/.local/share/containers/podman/machine/wsl. Both these behaviors existed in v4.9, but are now added back into 5.x.
For generic files pulled from a URL or a non-default OCI image, we shouldn’t actually cache, so we delete the pulled file immediately after creating a machine image. This restores the behavior from v4.9.
For generic files from a local path, the original file will never be cleaned up
Unsure how to test, so:
[NO NEW TESTS NEEDED]
Signed-off-by: Ashley Cui <acui@redhat.com>
creating vsocks in windows requires admin privileges. there could be
some workarounds made in the future,but the general deal has
always been, you need to be admin. lets enforce this with an error
until those work-arounds can be implemented.
Signed-off-by: Brent Baude <bbaude@redhat.com>
This function is not used, it has been refactored in the general
starting good higher up the stack.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
- Fixes conflicts such as removal of second machine deleting a socket of a
the first machine while it's running
- Move API socket into runtime directory for consistency
- Add API and gvproxy sockets to removal list
- Cleanup related logic
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
For podman machine init, deprecate the --image-path option for --image.
--image now accepts the correct image from containers.conf
Also, add the ability to specify an OCI image from the --image flag using the docker:// transport.
Signed-off-by: Ashley Cui <acui@redhat.com>
Previously, the locks were on the provider layer, which doesn't make a vm operation with a config file update atomic. Move them up a layer, so the entire function locks while doing provider and config operations.
This adds a Remove and a Set function to the shim layer.
[NO NEW TESTS NEEDED] Unsure how to test this
Signed-off-by: Ashley Cui <acui@redhat.com>
Matt found a bug where if a machine start did not run to completion, a
gvproxy was left around running. This gvproxy then subsequently stopped
the next attempt to start.
Signed-off-by: Brent Baude <bbaude@redhat.com>
[NO NEW TESTS NEEDED]
Copy all proxy envs into the VM on each start, this allows for updates
without having to recrate the VM. This is implemented via shell script
that is passed via ssh to the VM after it is started.
With that we now use the same logic for all providers the old fw_cfg
logic for qemu has been removed and the WSL code as well which keeps the
behavior the same.
There is a small risk now because we only update the env via ssh that
processes started before will have the old incorrect env but it should
really only effect core system processes which likely do not need them
anyway. The podman system service should not be started at this point
so it should be good enough.
It also fixes the broken behavior with SSL_CERT_FILE/SSL_CERT_DIR which
were updated on each start which is not correct as the files are only
copied with ignition so these should not be updated and just set
statically when the VM was created.
e2e test has been added to ensure the behavior works as expected.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>