I think this should work fine with the defaults. Since we mount the
/etc/containers dir always we should no longer write to /etc/containers.
If we still need this it should be moved into the image and not done at
init time.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
FCOS symlinks /home to var/home. systemd rejects a mount unit whose
Where= path traverses a symlink, breaking default home dir mounts.
Resolve known FCOS symlinks before writing the ignition unit.
Fixes: #28911
Signed-off-by: Chanhyeok Seo <chanhyeok.seo@datadoghq.com>
systemd interprets % as specifier characters in unit configuration files
(e.g. %H, %u, %40). Proxy environment variable values that contain
percent-encoded URL characters (such as %40 for @ in usernames) cause
systemd to emit warnings and fail to parse the generated
/etc/systemd/system.conf.d/default-env.conf:
system.conf.d/default-env.conf:2: Failed to resolve specifiers in
HTTP_PROXY=http://user%40example.com@proxy:3128
Fix by adding a bash variable substitution that doubles every % to %%
before writing to the systemd unit conf files. The profile.d and
environment.d destinations do not need this escaping and continue to
use the original value.
Fixes#28698
Signed-off-by: crawfordxx <crawfordxx@users.noreply.github.com>
We are seeing frequent flakes in hyperV machine tests. The machine start
fails with an ssh handshake failure:
ssh: handshake failed: read tcp 127.0.0.1:56425->127.0.0.1:56377:
wsarecv: An existing connection was forcibly closed by the remote host.
Normally we do the ssh probe in conductVMReadinessCheck() with a retry
mechanism, however because the hyperV mount code already used ssh in
PostStartNetworking() we never got there and failed early.
PostStartNetworking seems the wrong place to mount anyway so move this
to MountVolumesToVM() instead which is placed after the ready check
already so it should have a working ssh by then.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Change isHyperVAdminMember from returning a bool to returning an error so that callers surface the specific failure reason — particularly distinguishing "not in the group" from "in the group but session not updated" (new ErrHypervUserSessionNotUpdated sentinel). This gives users actionable guidance instead of a generic permission error.
Signed-off-by: lstocchi <lstocchi@redhat.com>
Add missing defer Close() calls in four locations:
- libpod/container.go: specFromState() opens the container config file
but never closes it after reading, leaking one fd per call.
- libpod/container_internal_common.go: checkpoint() and restore() each
open the bundle directory for CRIU statistics but never close it,
leaking one fd per checkpoint/restore operation.
- pkg/machine/shim/host.go: Init() opens the playbook file but never
closes it after ReadAll, leaking one fd per machine init.
Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
With podman 6 we have a --import-native-ca option that handles the
copying of certs much better.
As such remove our old legacy way of copying files these envs and also
the static certs.d dir. Since we now mount the full containers config
dir the certs from the cert.d are mounted already.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The other providers use the volume mounts from containers.conf which
should take care of it. But because WSL is not using this we need to
hard code this ourselves.
Add a new custom unit to make systemd mount the path like we do for
podman socket mounts.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Each machine init boot takes a while, we can easily do this as part of
one test run to speed the overall machine test time up.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The config.go file has a build tag that was never used. Also remove
unused functions from other files.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Introducing a new `podmand system` subcommand to prepare a Windows host
to run Hyper-V based Podman machines: `hyperv-prep`.
When executed it:
- creates of the registry keys for VSocks
- adds the current user to the Hyper-V administrators group
This command requires an administrator terminal.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
Hyper-V VMs require some specific Windows registry keys to allow the
communication between the host and the guest. Creating these registry
keys require elevated privileges.
These keys were created during the first Podman `machine init` and
removed when the last Podman machine is removed.
In this commit we skip the creation of the keys if they already exist in
the registry. So that admin privileges aren't required anymore, even for
the creation of the first Podman machine.
In other words, if the keys are pre-created by an administrator, user
will be able to create and remove machines without requiring to run any
elevated command. Even for the first podman machine.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
The podman module paths are moving from github.com/containers/podman to
go.podman.io/podman. This will help with future mobility.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Currently, running Podman on Hyper-V as a non-administrator requires the user to be a member of the "Hyper-V Administrators" local group. If they are not, various WMI calls fail with access denied.
This commit automates the permission setup.
1. During podman machine init, if Podman is running with elevated privileges (required for registry/networking setup anyway), it will now automatically add the current user to the localized "Hyper-V Administrators" group
2. If a user is added to the group, the change is not reflected until the next login. We now detect this state and explicitly instruct the user to log out and back in.
3. Modified the Hyper-V stubber to handle permission checks at the method level rather than the provider selection level (GetAll). This allows init to continue far enough to perform the elevation and setting.
Signed-off-by: lstocchi <lstocchi@redhat.com>
This PR reflects the upstream change of moving the buildah module from
github.com/containers/buildah to go.podman.io/buildah.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Use shared configfile instead of custom policy.json path handling.
This updates ocipull to rely on signature.DefaultPolicy(), removes
explicit SignaturePolicyPath, and replaces trust's custom default-policy
path logic with common configfile code.
Replace hidden `--policypath` with --signature-policy` and require
it for `trust set` command instead of path resolution based on
configfile.
For `trust get`, the `--signature-policy` is optional.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
This was implemented by containers/netavark #1369; this commit
completes the process by wiring it into Podman. We now respect
the CLI order for configured networks - if a user passes
`--net net1,net2` we guarantee that net1 will be configured
before net2.
For containers created before this patch, we don't retain enough
information to configure networks in CLI order, so we use
alphabetical order instead to still guarantee consistency.
No breaking API changes have been made, but we do add a new
field to supplement the existing map to (optionally) provide
ordering information. The Podman CLI will always pass this.
Existing applications that do not will, again, receive]
deterministic ordering based on an alphabetical sort of network
names.
This requires the latest version of Netavark to work properly.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The old ErrRelaunchAttempt name was ambiguous — it reads as though the
relaunch attempt failed, when it actually signals success. Rename to
ErrRelaunchSucceeded and update comments at every call site to clarify
that this is not a real error but a sentinel indicating the elevated
child process completed the operation successfully.
Also fix a bug in WSL's launchElevate where a failed elevated process
was incorrectly wrapped with the sentinel, causing callers to treat the
failure as success and print "Machine init complete."
Signed-off-by: lstocchi <lstocchi@redhat.com>
This commit adds automatic UAC elevation prompts for HyperV machine
init/rm actions when administrator privileges are required.
Previously, users had to manually run Podman as administrator
when creating the first machine or removing the last machine, which
requires Windows Registry modifications.
When the HyperV command gets relaunched as elevated, the error of the
elevated process is saved on a file to be displayed by the caller. The
implementation is the same as that used by WSL.
Signed-off-by: lstocchi <lstocchi@redhat.com>