Non-Linux systems, such as BSD kernels, constrain xatter updates
according to file permissions. This is in contrast to Linux selinux
attr writes, which are governed by an selinux policy. By dafault this
policy apllows users to relabel files owned by themselves even if file
perms would otherwise disallow write.
This results in robust container relabeling results on Linux, and
fragile results everywhere else. Therefore, change the mac policy to
force the nfs_t context on all files, and ignore all relabel
events.
As a side-effect, this will disallow any ability to store custom
selinux constants on files. However, this is of limited use in
a machine context, since files in these volumes are externally
managed on systems which do not support SELinux.
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
There has been various issues with vfkit exiting with
"Error: vfkit exited unexpectedly with exit code 1"
Among other reasons, this can be caused by vfkit being
built without the com.apple.security.virtualization
entitlement, and this can also happen when running
vfkit.x86_64 on Apple silicon hardware.
At the moment, the vfkit logs are not available, so there is no easy way
to know what's happening. This PR redirects vfkit stdout/stderr to
podman's log when --log-level debug is used.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
creating vsocks in windows requires admin privileges. there could be
some workarounds made in the future,but the general deal has
always been, you need to be admin. lets enforce this with an error
until those work-arounds can be implemented.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Windows is not guaranteed to have the SSH feature installed, so prefer the use
of the built-in ssh client for all operations other than podman machine ssh,
which requires terminal pty logic. This restores previous behavior in 4.x.
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
this pr fixes two hyperv bugs. previous podman 5 versions of hyperv
failed to actually remove the vm from hyperv when machine rm -f was
called.
also fixes an annoying bug where removal of the hyperv ignition entries
were failing because this can only be done (with the current api) when
the vm is running. new api in latest libhvee fixes this.
Signed-off-by: Brent Baude <bbaude@redhat.com>
I am really not sure why the caller even should have the option to set
this. We should always use the correct isolation type based on the
privileges the server runs under never the client. podman-remote build
seems to send the default based on its local privs which was wrong as
well. To fix this I also changed the client to send the default if the
isolation flag is not set.
Fixes#22109
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We need to take another lock to prevent concurrent starts from different
machines.
I manually tested it by starting three VM in parallel with:
podman machine start & podman machine start test1 & podman machine start test2
I also added a CI test that seems to work as expected (failed with the
old binary, worked with the new)
Before this patch I was able to start more than VM, with this patch it
now only starts one of them and the other ones will fail to start with
a proper error.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This function is not used, it has been refactored in the general
starting good higher up the stack.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Currently we first read the conf and then lock, this is racy because
while we wait for the lock another process might change the state so
the only way to have the actual current state is to read the file
while holding the lock.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
- Fixes conflicts such as removal of second machine deleting a socket of a
the first machine while it's running
- Move API socket into runtime directory for consistency
- Add API and gvproxy sockets to removal list
- Cleanup related logic
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
we are having second thoughts about *requiring* a policy.json on podman
machine hosts. we are concerned that we need to work out some more use
cases to be sure we do not make choices now that limit us in the near
term future. for example, should the policy files be the same for
container images and machine images? And should one live on the host
machine and the other live in the machine?
therefore, if a policy.json *is* present in the correct location, we will use and honor it; however, if it does not, we will allow the machine image to be pulled without a policy.
Signed-off-by: Brent Baude <baude@redhat.com>
Co-authored-by: Paul Holzinger <45212748+Luap99@users.noreply.github.com>
Signed-off-by: Brent Baude <bbaude@redhat.com>
1. Added the xz decompression unit tests
2. Removed the xz implementation to use the one from c/images
3. Removed the specific macos gzip, zstd compressor and use
the generic compressor but with SparseWriter if GOOS == darwin
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
Adding the final machine endpoint as quay.io/podman/machine-os in the
Podman code. As a reminder, we decided we would set this in containers
conf once things settle down and this code would then be removed.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Move the writes into the shim level to make sure they happen while we
hold the machine lock to prevent any race conditions reading/writing the
file.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
First make sure we check that a given VM exist when holding the VM lock
for it. The check in cmd/podman/machine/init.go is a nice quick out but
not enough to ensure that 2 processes to not create the same VM at the
same time. The only way to ensure this is by holding the lock and
checking if the VM config file exists.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Neither of the SparseWriter users actually _wants_ the underlying
WriteSeeker to be closed; so, don't.
That makes it clear where the responsibility for closing the file
lies, and allows us to remove the reliance on the destinations
reliably returning ErrClosed.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Make sure we only update the machine config when we are locked.
While it doesn't make a functional differnce for cpu and memory it was a
problem for disk size. The disk size must be larger than the previous
one so we must have accurate data on the previous value.
Thus change the settings only while locked and refresh the config so we
have the current up to date values.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It is unused, and it clearly doesn't work (it closes dest
before writing anything to it).
Just drop it, it can always be re-added.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
When we set a relative path (i.e. ".") it should be resolved next to
binary so we need to get the base dir. If we join it directly like it
did before you get a path like .../podman/policy.json where podman is the
podman executable so it is not a directory and thus could not contain the
policy.json file.
ref #21964
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
While working on #21592 we figured out that the
the full VM File was loaded in memory when detecting
the file format, but only a few bytes are needed.
This commit address that.
[NO NEW TESTS NEEDED]
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
As outlined in #21856, it can take a number of seconds until an image
gets pulled. That is because init is hitting the registry first to look
up the image. To improve the UX, add a new line indicating what
happens.
[NO NEW TESTS NEEDED]
Fixes: #21856
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Lots of small special-case tweaks to logformatter because Macs
have to be different.
Also fix:
- Wrong slash in printf-newline, leading to gray [It] blocks
- echo gitCommit, so we can link to sources
- --image-path is deprecated
Signed-off-by: Ed Santiago <santiago@redhat.com>
For podman machine init, deprecate the --image-path option for --image.
--image now accepts the correct image from containers.conf
Also, add the ability to specify an OCI image from the --image flag using the docker:// transport.
Signed-off-by: Ashley Cui <acui@redhat.com>
Previously, the locks were on the provider layer, which doesn't make a vm operation with a config file update atomic. Move them up a layer, so the entire function locks while doing provider and config operations.
This adds a Remove and a Set function to the shim layer.
[NO NEW TESTS NEEDED] Unsure how to test this
Signed-off-by: Ashley Cui <acui@redhat.com>
We used to use ignition to perform any customization required for podman
machine because our input was a generic FCOS image. Now that we are
building our own images, some of this customization can be migrated to
the Containerfile itself and be less of a burden in our code at boot up.
At the time of this PR, the Containerfile can be found at
https://github.com/baude/podman-machine-images/tree/main. It is only
present for a so-called daily image. There is little liklihood that
this would the final location for the Containerfile so consider it a
working version only.
Split WSL and rest apart in the e2e tests so we no longer ppull the
generic FCOS image for testing.
Note: the change to the pull image name is so PRs are not immediately
broken that are already in the queue.
[NO NEW TESTS REQUIRED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
If we hit an error here, it will be really useful to know
- That we're trying to fetch a container image
- Which image we're trying to fetch
[NO NEW TESTS NEEDED]
Signed-off-by: Colin Walters <walters@verbum.org>
