When you execute podman create/run with the --pod new:<name> syntax
the pod was created but the namespaces where not shared and
therefore containers could not communicate over localhost.
Add the default namespaces and pass the network options to the
pod create options.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Currently if you give a bogus flag to --format it will crash
the formatter. With this change we will get a nice error.
podman images --format '{{ bogus }}'
Error: template: list:1: function "bogus" not defined
versus
/bin/podman.old images --format '{{ bogus }}'
panic: template: list:1: function "bogus" not defined
goroutine 1 [running]:
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
For some reason we were overwriting memory when handling both
--pid=host and --ipc=host. Simplified the code to handle this
correctly, and add test to make sure it does not happen again.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When copying from a URL, podman will download and create a context
directory in a temporary file. The problem was that this directory
was being removed as soon as the function that created it was returned.
Later the build code would look for content in the temporary directory
and fail to find it, blowing up the build.
By pulling the extraction code back into the build function, we keep the
temporary directory around until the build completes.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
There are many use cases where you want to just mount an image
without creating a container on it. For example you might want
to just examine the content in an image after you pull it for
security analysys. Or you might want to just use the executables
on the image without running it in a container.
The image is mounted readonly since we do not want people changing
images.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We should default to the user name unmount rather then the internal
name of umount.
Also User namespace was not being handled correctly. We want to inform
the user that if they do a mount when in rootless mode that they have
to be first in the podman unshare state.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently some commands use the html/template package.
This can lead to invalid output.
e.g. `system df --verbose` will print `<none>`
instead of `<none>` with an untaged image.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Somewhere in the Podman v2 rewrite, we allowed
`podman start --attach` to print the container ID of the started
container after exiting from the attach session (via detach key
or the container exiting naturally). We should never print the ID
when `--attach` is given, which makes the fix simple - make the
print statement conditional on `--attach` not being present.
Wierdly, this only happened with `--interactive` was given to
`podman start`. I don't know why that is, but this resolves the
issue without having to dig any deeper, so I'm content.
Fixes#7055
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Currently you can not apply an ApparmorProfile if you specify
--privileged. This patch will allow both to be specified
simultaniosly.
By default Apparmor should be disabled if the user
specifies --privileged, but if the user specifies --security apparmor:PROFILE,
with --privileged, we should do both.
Added e2e run_apparmor_test.go
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
--umask sets the umask inside the container
Defaults to 0022
Co-authored-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Ashley Cui <acui@redhat.com>
People who use docker scripts with Podman see failures
if they use disable-content-trust flag. This flag already
existed for podman build, adding it to pull/push/create/run.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently we are sending over pids-limits from the user even if they
never modified the defaults. The pids limit should be set at the server
side unless modified by the user.
This issue has led to failures on systems that were running with cgroups V1.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We properly determined what sig-proxy should be set to, but we
never passed that along to the backend. As such, cases where the
default swapped (mostly when `--attach` was specified but the
`--sig-proxy` flag was not) were not handled correctly
Fixes#6928
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
In `podman inspect` output for containers and pods, we include
the command that was used to create the container. This is also
used by `podman generate systemd --new` to generate unit files.
With remote podman, the generated create commands were incorrect
since we sourced directly from os.Args on the server side, which
was guaranteed to be `podman system service` (or some variant
thereof). The solution is to pass the command along in the
Specgen or PodSpecgen, where we can source it from the client's
os.Args.
This will still be VERY iffy for mixed local/remote use (doing a
`podman --remote run ...` on a remote client then a
`podman generate systemd --new` on the server on the same
container will not work, because the `--remote` flag will slip
in) but at the very least the output of `podman inspect` will be
correct. We can look into properly handling `--remote` (parsing
it out would be a little iffy) in a future PR.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Allow more variants to yield json output for `podman version` and
`podman info`. Instead of comparing strings, use a regex and add
unit and e2e tests.
Fixes: #6927
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
If I enter a continer with --userns keep-id, my UID will be present
inside of the container, but most likely my user will not be defined.
This patch will take information about the user and stick it into the
container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
--sdnotify container|conmon|ignore
With "conmon", we send the MAINPID, and clear the NOTIFY_SOCKET so the OCI
runtime doesn't pass it into the container. We also advertise "ready" when the
OCI runtime finishes to advertise the service as ready.
With "container", we send the MAINPID, and leave the NOTIFY_SOCKET so the OCI
runtime passes it into the container for initialization, and let the container advertise further metadata.
This is the default, which is closest to the behavior podman has done in the past.
The "ignore" option removes NOTIFY_SOCKET from the environment, so neither podman nor
any child processes will talk to systemd.
This removes the need for hardcoded CID and PID files in the command line, and
the PIDFile directive, as the pid is advertised directly through sd-notify.
Signed-off-by: Joseph Gooch <mrwizard@dok.org>
