now that we use `bootc switch` for changing out-of-band updates, we can
consider also using some of their supported transports.
* containers-storage
* oci
* oci-archive
* registry
RUN-3963
Signed-off-by: Brent Baude <bbaude@redhat.com>
Remove CNI-specific conditional logic and update comments throughout
the libpod networking code:
- Simplified DNS configuration logic in container_internal_common.go
to always use netavark behavior (removed backend checks)
- Removed CNI-specific iptables chain error regex pattern
- Updated all comments referencing 'CNI' to use 'netavark' or
'network backend'
- Renamed variable 'cniNet' to 'netInfo' for clarity
- Updated field and type documentation to remove CNI references
All networking code now assumes netavark as the sole backend.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Remove runtime configuration options for CNI network backend:
Runtime options:
- Remove WithNetworkBackend() runtime option function
- Function allowed setting network backend programmatically
Flag handling:
- Remove --network-backend flag change detection
- Remove call to WithNetworkBackend() when flag changed
- Remove TODO comment about CNI plugins directory flag
The network backend configuration is now handled entirely by the
vendored common/libnetwork code, which will default to Netavark.
There is no longer any way to configure CNI as the network backend
through Podman's runtime initialization.
Note: libpod/info.go keeps existing NetworkBackend reporting logic
which will automatically report "netavark" as the only backend since
configuration defaults to netavark and cannot be changed to CNI.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Remove user-facing CLI options for CNI network backend:
CLI flags:
- Keep --network-backend global flag as hidden and deprecated for
backward compatibility with cleanup commands from 5.x containers
- Map flag to a throwaway variable (value is ignored)
- Remove shell completion for network backend values
Shell completions:
- Remove AutocompleteNetworkBackend() function
- Remove references to CNI and Netavark type constants
Backward compatibility:
- Remove --rootless-cni flag alias for podman unshare
- Remove SetNormalizeFunc that mapped rootless-cni to rootless-netns
- Update --rootless-netns flag description to mention only netavark
The --network-backend flag remains as a hidden deprecated flag to
prevent failures when upgrading from 5.x where containers may have
cleanup commands that include this flag. The flag is accepted but
ignored. Users can no longer specify CNI as a network backend option.
The --rootless-cni alias is removed; users must use --rootless-netns.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
this fixes two bugs in Hyper-V VM ignition handling:
1. Changed `err := readAndSplitIgnition()` to
`err = readAndSplitIgnition()` so the deferred cleanup function can
properly detect errors and clean up ignition
2. The function was trying to remove keys with pattern `vm.ElementName + index`, but
the actual keys were created using `"ignition.config." + index` pattern.
It also improves the deletion by calculating how many parts the ignition file is split into when being added to the registry and deleting just those instead of blindly iterating through 0-50.
Signed-off-by: lstocchi <lstocchi@redhat.com>
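The first bug described in the commit message above is the usual Go shadowing trap around a deferred cleanup. The following is an added example, not code from the Podman repository: `registry`, `writeParts` and `addIgnition` are hypothetical names, and a map stands in for the Hyper-V key-value store.

```go
package main

import (
	"errors"
	"fmt"
)

// registry is a constructed stand-in for the Hyper-V key-value store.
type registry map[string]string

// writeParts (hypothetical) stores each ignition chunk under
// "ignition.config.<index>" and fails on the chunk at index failAt.
func writeParts(reg registry, parts []string, failAt int) error {
	for i, p := range parts {
		if i == failAt {
			return errors.New("write failed")
		}
		reg[fmt.Sprintf("ignition.config.%d", i)] = p
	}
	return nil
}

// addIgnition shows both forms. With shadow=true the inner `err :=` declares
// a new variable, so the deferred cleanup still sees the outer err as nil.
func addIgnition(reg registry, parts []string, failAt int, shadow bool) error {
	var err error
	defer func() {
		if err != nil { // delete exactly len(parts) keys, no fixed 0-50 loop
			for i := range parts {
				delete(reg, fmt.Sprintf("ignition.config.%d", i))
			}
		}
	}()
	if shadow {
		err := writeParts(reg, parts, failAt) // buggy: shadows outer err
		return err
	}
	err = writeParts(reg, parts, failAt) // fixed: assigns the outer err
	return err
}

func main() {
	for _, shadow := range []bool{true, false} {
		reg := registry{}
		err := addIgnition(reg, []string{"a", "b", "c"}, 2, shadow)
		fmt.Println(shadow, err, len(reg))
	}
}
```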
use name_to_handle_at and open_by_handle_at to persist rootless
namespaces without needing a pause process.
The namespace file handles are stored in a file and can be used to
rejoin the namespaces, as long as the namespaces still exist.
Fall back to the pause process approach only when the kernel doesn't
support nsfs handles (EOPNOTSUPP).
The feature is currently only enabled when the PODMAN_NO_PAUSE_PROCESS
environment variable is set.
These changes in the kernel are required (landed in Linux 6.18):
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3ab378cfa793
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Implements automatic OS upgrade functionality for Podman machines that requires no user input beyond running the command. The upgrade logic automatically determines the appropriate upgrade path using a three-way comparison between client version, machine version, and OCI registry:
* When the client version is older than the machine version, no action is taken and an error is returned.
* When the client version matches the machine version, the OCI registry is queried to check for in-band updates by comparing image digests. This handles minor, patch level, and updates oci image use cases.
* When the client version is newer than the machine version, the machine is upgraded to match the client's major.minor version.
* No manual image selection or version specification required.
The command supports dry-run mode and JSON (only) output format for automation.
Signed-off-by: Brent Baude <bbaude@redhat.com>
When startVM fails quickly, CleanupGVProxy may attempt to read the
gvproxy.pid file before gvproxy has written it, causing cleanup to
fail.
This commit adds retry logic that waits up to 2 seconds for the PID
file to appear.
Signed-off-by: lstocchi <lstocchi@redhat.com>
Podman 5.x and earlier required running as admin to work with Hyper-V.
Starting from Podman 6 this is not mandatory anymore as Registry
entries are handled differently. However, it may
happen that the user has a legacy machine running when switching to Podman 6
or starts an old machine in elevated mode and then tries to stop it as a
normal user with Podman 6. If that happens the system will end up in a corrupted state
as the gvproxy process will not be stopped.
To prevent such scenarios and issues, this commit maintains the original
behavior Podman 5.x has. Legacy Hyper-V machines need to be handled
with elevated rights.
Signed-off-by: lstocchi <lstocchi@redhat.com>
Instead of using rpm-ostree, we now use bootc for os apply. the
implementation is a little murky right now and will require some cleanup
to implement bootc's transports. for now, we only support oci images
from registries.
once we have an upgrade command, the transports can be added and the
docs for apply can be amended to be more clear.
Fixes: RUN-3836
Signed-off-by: Brent Baude <bbaude@redhat.com>
I happened to run `podman run --config=/path/to/file` and got
an error without a trailing newline, which was a bit jarring.
Fix the instances I noticed.
Assisted-by: OpenCode (Claude Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
The `*os.File` returned by `pathrs.OpenatInRoot` needs to
be closed before returning from `openSymlinkPath`
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
This PR removes support for Intel Apple Macs. The removal includes
impacts to code, tests, Makefile, builds, release builds, and so forth.
Fixes Jira: RUN-3621
Signed-off-by: Brent Baude <bbaude@redhat.com>
Previously, using --secret=id=foo,env=BAR in remote mode would fail because the client sent the env var name to the server, which tried to resolve it locally. This patch modifies the client to resolve the environment variable locally, write it to a temp file, and send it as a file-based secret.
Fixes #27494
Signed-off-by: ZuhairM7 <ZuhairM7>
Signed-off-by: ZuhairM7 <zuhairmerali@gmail.com>
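The client-side rewrite described in the last commit message, sketched as an added example (not the patch's own code): `resolveEnvSecret` is a hypothetical helper, the secret value is constructed, and the output is assumed to use the file-based `src=` form of the secret spec.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// resolveEnvSecret rewrites "id=foo,env=BAR" into "id=foo,src=<tempfile>",
// reading BAR on the client; the returned func removes the temp file.
func resolveEnvSecret(spec string) (string, func(), error) {
	noop := func() {}
	kept, envName := []string{}, ""
	for _, kv := range strings.Split(spec, ",") {
		if strings.HasPrefix(kv, "env=") {
			envName = strings.TrimPrefix(kv, "env=")
			continue
		}
		kept = append(kept, kv)
	}
	if envName == "" {
		return spec, noop, nil // not an env-based secret: leave unchanged
	}
	val, ok := os.LookupEnv(envName)
	if !ok {
		return "", noop, fmt.Errorf("secret env %q is not set on the client", envName)
	}
	// os.CreateTemp uses O_EXCL and mode 0600: no pre-created path, owner-only.
	f, err := os.CreateTemp("", "secret-*")
	if err != nil {
		return "", noop, err
	}
	cleanup := func() { os.Remove(f.Name()) }
	_, werr := f.WriteString(val)
	if cerr := f.Close(); werr == nil {
		werr = cerr
	}
	if werr != nil {
		cleanup()
		return "", noop, werr
	}
	return strings.Join(append(kept, "src="+f.Name()), ","), cleanup, nil
}

func main() {
	os.Setenv("BAR", "constructed-value") // constructed sample secret
	spec, cleanup, err := resolveEnvSecret("id=foo,env=BAR")
	fmt.Println(spec, err)
	cleanup()
}
```

The caller has to run the returned cleanup function once the request has been sent, otherwise the plaintext secret stays in the temp directory.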