This `--config` option was initially added here:
4e4c3e3dbf
Under the hood this simply modifies env to set DOCKER_CONFIG=<passed
in string>
The DOCKER_CONFIG env var is used as a directory that contains
multiple config files... of which podman and container libs probably
only use `$DIR/config.json`.
See: https://docs.docker.com/reference/cli/docker/#environment-variables
The old CMD and help text was misleading... if we point the at a
regular file we can see errors like:
```
$ touch /tmp/foo/tmpcr9zrx71
$ /bin/podman --config /tmp/foo/tmpcr9zrx71 build -t foobar:latest
Error: creating build container: initializing source docker://quay.io/centos/centos:stream9: getting username and password: reading JSON file "/tmp/foo/tmpcr9zrx71/config.json": open /tmp/foo/tmpcr9zrx71/config.json: not a directory
```
^^ In this case we had created `/tmp/foo/tmpcr9zrx71` as a regular file.
Signed-off-by: Ian Page Hands <iphands@gmail.com>
create the /etc/passwd and /etc/group files before any user/group
lookup so that the entries added dynamically are found by --user.
As a side effect, do not automatically create the group with same
value as the uid when not specified, since it is expected to run with
gid=0.
Closes: https://github.com/containers/podman/issues/25805
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
If the --health-cmd flag is not specified, other flags such as --health-interval, --health-timeout, --health-retries, and --health-start-period are ignored if the image contains a Healthcheck. This makes it impossible to modify these Healthcheck configuration when a container is created.
Fixes: https://github.com/containers/podman/issues/20212
Fixes: https://issues.redhat.com/browse/RUN-2629
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
This is related to #23292 and is needed to replace
pause image container with pause container based
on the rootfs.
Without this change, the GIDs and UIDs are not mapped
in the rootfs container which use overlay if --userns=auto
is used. This leads to an error mounting /dev/pts with gid=5,
becuase GID 5 simply does not exist in the pause container
using rootfs.
All the tests pass with this change, but I have to admit
I did not find out why the original code has been introduced.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
This is shown when golangci-lint is run with --tests=false
> test/e2e/config.go:7:2: var fedoraMinimal is unused (unused)
> fedoraMinimal = "quay.io/libpod/systemd-image:20240124"
> ^
> test/e2e/config.go:18:2: var volumeTest is unused (unused)
> volumeTest = "quay.io/libpod/volume-plugin-test-img:20220623"
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This was added by commit 84e42877a ("make lint: re-enable revive"),
making nolintlint became almost useless.
Remove the ungodly amount of unused nolint annotations.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This commit adds new --cdi-spec-dir global option. This
option is used to add additional CDI spec paths.
Signed-off-by: Micah Chambers (eos) <mchambers@anduril.com>
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
Do not use the interspersed option for logs, it is not needed and just
restricts valid use cases.
Fixes#25653
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit adds new annotation called:
io.podman.annotations.pids-limit/$ctrname
This annotation is used to define the PIDsLimit for
a particular pod. It is also automatically defined
when newly added --pids-limit option is used.
Fixes: #24418
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
This commit adds new Retry= and RetryDelay= options
to quadlet.go which result in --retry and --retry-delay
usage in podman run, image and build commands.
This allows configuring the retry logic in the systemd
files.
Fixes: #25109
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
The --env is used to add new environment variable to container or
override the existing one. The --unsetenv is used to remove
the environment variable.
It is done by sharing "env" and "unsetenv" flags between both
"update" and "create" commands and later handling these flags
in the "update" command handler.
The list of environment variables to add/remove is stored
in newly added variables in the ContainerUpdateOptions.
The Container.Update API call is refactored to take
the ContainerUpdateOptions as an input to limit the number of its
arguments.
The Env and UnsetEnv lists are later handled using the envLib
package and the Container is updated.
The remote API is also extended to handle Env and EnvUnset.
Fixes: #24875
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
when the code was first added, there was no securejoin.OpenInRoot().
Since there is a function already provided by a dependency and already
used in libpod, replace the custom code with securejoin.OpenInRoot().
The new version does not report a symlink that points outside the
root, but it is still resolved relative to the specified mountpoint,
since that is the openat2 semantic. It does not affect the security
of the function.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Have one function without a `defer lock.unlock()` as one of the
commands in it calls a function that also takes the same lock,
so the unlock has to happen prior to function completion.
Unfortunately, this is prone to errors, like the one here: I
missed a case, and we could return without unlocking, causing a
deadlock later in the cleanup code as we tried to take the same
lock again.
Refactor the command to use `defer unlock()` to simplify and
avoid any further errors of this type.
Introduced by e66b788a51 - this
should be included in any backports of that commit.
Fixes#25585
Signed-off-by: Matt Heon <mheon@redhat.com>
This is simpler as we don't have to rely on an external command. The
retry loop is need as we check for a container porcess connection, and
while we know podman binds the port before returning there is no way to
know whenthe contianer application bound the port so we must retry a
bit.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add a new option to allow for mounting artifacts in the container, the
syntax is added to the existing --mount option:
type=artifact,src=$artifactName,dest=/path[,digest=x][,title=x]
This works very similar to image mounts. The name is passed down into
the container config and then on each start we lookup the artifact and
the figure out which blobs to mount. There is no protaction against a
user removing the artifact while still being used in a container. When
the container is running the bind mounted files will stay there (as the
kernel keeps the mounts active even if the bind source was deleted).
On the next start it will fail to start as if it does not find the
artifact. The good thing is that this technically allows someone to
update the artifact with the new file by creating a new artifact with
the same name.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
There is no need whatsoever to run container to populate a random file,
this is just much slower than just writing some random bytes directly
without having to run a container and run dd in it.
Also the function accepted the number of bytes, however because dd uses
a minimum block size of 512 bytes it was actually numBytes * 1024 which
where written. That makes no sense so fix the two tests that depended on
the wrong number.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit adds the "secret" Event type and emits
"create" and "remove" events for this Event type
when Secret is created or removed.
This can be used for example by podman interfaces to
view and manage secrets.
Fixes: #24030
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
In a different PR review, it was noted that defined error types for
artifacts was lacking. We have these for most other commands and they
help with error differentiation. The changes here are to define the
errors, implement them in the library, and adopt test verifications to
match.
Signed-off-by: Brent Baude <bbaude@redhat.com>
