Merge pull request #21325 from mheon/bump_490

Podman v4.9.0: Release notes and final cherry-picks

Makefile

@@ -214,7 +214,7 @@ endif
 
 # gvisor-tap-vsock version for gvproxy.exe and win-sshproxy.exe downloads
 # the upstream project ships pre-built binaries since version 0.7.1
-GV_VERSION=v0.7.1
+GV_VERSION=v0.7.2
 
 ###
 ### Primary entry-point targets

RELEASE_NOTES.md

@@ -1,5 +1,18 @@
 # Release Notes
 
+## 4.9.0
+### Features
+- The `podman farm` suite of commands for multi-architecture builds is now fully enabled and documented.
+- Add a network recovery service to Podman Machine VMs using the QEMU backend to detect and recover from an inoperable host networking issues experienced by Mac users when running for long periods of time.
+
+### Bugfixes
+- Fixed a bug where the HyperV provider for `podman machine` did not forward the API socket to the host machine.
+- Fixed a bug where improperly formatted annotations passed to `podman kube play` could cause Podman to panic.
+- Fixed a bug where `podman system reset` could fail if non-Podman containers (e.g. containers created by Buildah) were present.
+
+### Misc
+- Containers run in `podman machine` VMs now default to a PID limit of unlimited, instead of 2048.
+
 ## 4.8.3
 ### Security
 - Fixed [GHSA-45x7-px36-x8w8](https://github.com/advisories/GHSA-45x7-px36-x8w8): CVE-2023-48795 by vendoring golang.org/x/crypto v0.17.0.
@@ -58,7 +71,6 @@
 - The amount of CPUs a podman machine uses now defaults to available cores/2 ([#17066](https://github.com/containers/podman/issues/17066)).
 - Podman machine now prohibits using provider names as machine names. `applehv`, `qemu`, `wsl`, and `hyperv` are no longer valid Podman machine names
 
-
 ### Quadlet
 - Quadlet now supports the `UIDMap`, `GIDMap`, `SubUIDMap`, and `SubGIDMap` options in .container files.
 - Fixed a bug where symlinks were not resolved in search paths ([#20504](https://github.com/containers/podman/issues/20504)).
@@ -73,7 +85,6 @@
 - Quadlet now removes anonymous volumes when removing a container ([#20070](https://github.com/containers/podman/issues/20070)).
 - Quadlet now supports a new unit type, `.image`.
 
-
 ### Bugfixes
 - Fixed a bug where mounted volumes on Podman machines on MacOS would have a max open files limit ([#16106](https://github.com/containers/podman/issues/16106)).
 - Fixed a bug where setting both the `--uts` and `--network` options to `host` did not fill /etc/hostname with the host's name ([#20448](https://github.com/containers/podman/issues/20448)).

cmd/podman/common/build.go

@@ -49,7 +49,7 @@ type BuildFlagsWrapper struct {
 // FarmBuildHiddenFlags are the flags hidden from the farm build command because they are either not
 // supported or don't make sense in the farm build use case
 var FarmBuildHiddenFlags = []string{"arch", "all-platforms", "compress", "cw", "disable-content-trust",
-	"logsplit", "manifest", "os", "output", "platform", "sign-by", "signature-policy", "stdin", "tls-verify",
+	"logsplit", "manifest", "os", "output", "platform", "sign-by", "signature-policy", "stdin",
 	"variant"}
 
 func DefineBuildFlags(cmd *cobra.Command, buildOpts *BuildFlagsWrapper, isFarmBuild bool) {
@@ -252,6 +252,7 @@ func ParseBuildOpts(cmd *cobra.Command, args []string, buildOpts *BuildFlagsWrap
 	}
 	apiBuildOpts.BuildOptions = *buildahDefineOpts
 	apiBuildOpts.ContainerFiles = containerFiles
+	apiBuildOpts.Authfile = buildOpts.Authfile
 
 	return &apiBuildOpts, err
 }

cmd/podman/farm/build.go

@@ -4,12 +4,13 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"strings"
 
+	"github.com/containers/common/pkg/completion"
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/podman/v4/cmd/podman/common"
 	"github.com/containers/podman/v4/cmd/podman/registry"
 	"github.com/containers/podman/v4/cmd/podman/utils"
-	"github.com/containers/podman/v4/pkg/domain/entities"
 	"github.com/containers/podman/v4/pkg/farm"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -19,17 +20,19 @@ type buildOptions struct {
 	buildOptions common.BuildFlagsWrapper
 	local        bool
 	platforms    []string
+	farm         string
 }
 
 var (
 	farmBuildDescription = `Build images on farm nodes, then bundle them into a manifest list`
 	buildCommand         = &cobra.Command{
-		Use:     "build [options] [CONTEXT]",
-		Short:   "Build a container image for multiple architectures",
-		Long:    farmBuildDescription,
-		RunE:    build,
-		Example: "podman farm build [flags] buildContextDirectory",
-		Args:    cobra.ExactArgs(1),
+		Use:               "build [options] [CONTEXT]",
+		Short:             "Build a container image for multiple architectures",
+		Long:              farmBuildDescription,
+		RunE:              build,
+		Example:           "podman farm build [flags] buildContextDirectory",
+		ValidArgsFunction: common.AutocompleteDefaultOneArg,
+		Args:              cobra.MaximumNArgs(1),
 	}
 	buildOpts = buildOptions{
 		buildOptions: common.BuildFlagsWrapper{},
@@ -44,15 +47,26 @@ func init() {
 	flags := buildCommand.Flags()
 	flags.SetNormalizeFunc(utils.AliasFlags)
 
-	localFlagName := "local"
-	// Default for local is true and hide this flag for the remote use case
-	if !registry.IsRemote() {
-		flags.BoolVarP(&buildOpts.local, localFlagName, "l", true, "Build image on local machine as well as on farm nodes")
-	}
 	cleanupFlag := "cleanup"
 	flags.BoolVar(&buildOpts.buildOptions.Cleanup, cleanupFlag, false, "Remove built images from farm nodes on success")
+
+	podmanConfig := registry.PodmanConfig()
+	farmFlagName := "farm"
+	// If remote, don't read the client's containers.conf file
+	defaultFarm := ""
+	if !registry.IsRemote() {
+		defaultFarm = podmanConfig.ContainersConfDefaultsRO.Farms.Default
+	}
+	flags.StringVar(&buildOpts.farm, farmFlagName, defaultFarm, "Farm to use for builds")
+	_ = buildCommand.RegisterFlagCompletionFunc(farmFlagName, common.AutoCompleteFarms)
+
+	localFlagName := "local"
+	// Default for local is true
+	flags.BoolVarP(&buildOpts.local, localFlagName, "l", true, "Build image on local machine as well as on farm nodes")
+
 	platformsFlag := "platforms"
 	buildCommand.PersistentFlags().StringSliceVar(&buildOpts.platforms, platformsFlag, nil, "Build only on farm nodes that match the given platforms")
+	_ = buildCommand.RegisterFlagCompletionFunc(platformsFlag, completion.AutocompletePlatform)
 
 	common.DefineBuildFlags(buildCommand, &buildOpts.buildOptions, true)
 }
@@ -68,7 +82,18 @@ func build(cmd *cobra.Command, args []string) error {
 	if !cmd.Flags().Changed("tag") {
 		return errors.New("cannot create manifest list without a name, value for --tag is required")
 	}
-	opts, err := common.ParseBuildOpts(cmd, args, &buildOpts.buildOptions)
+	// Ensure that the user gives a full name so we can push the built images from
+	// the node to the given registry and repository
+	// Should be of the format registry/repository/imageName
+	tag, err := cmd.Flags().GetStringArray("tag")
+	if err != nil {
+		return err
+	}
+	if !strings.Contains(tag[0], "/") {
+		return fmt.Errorf("%q is not a full image reference name", tag[0])
+	}
+	bopts := buildOpts.buildOptions
+	opts, err := common.ParseBuildOpts(cmd, args, &bopts)
 	if err != nil {
 		return err
 	}
@@ -91,28 +116,29 @@ func build(cmd *cobra.Command, args []string) error {
 		return err
 	}
 	opts.IIDFile = iidFile
+	tlsVerify, err := cmd.Flags().GetBool("tls-verify")
+	if err != nil {
+		return err
+	}
+	opts.SkipTLSVerify = !tlsVerify
 
 	cfg, err := config.ReadCustomConfig()
 	if err != nil {
 		return err
 	}
 
 	defaultFarm := cfg.Farms.Default
-	if farmCmd.Flags().Changed("farm") {
-		f, err := farmCmd.Flags().GetString("farm")
+	if cmd.Flags().Changed("farm") {
+		f, err := cmd.Flags().GetString("farm")
 		if err != nil {
 			return err
 		}
 		defaultFarm = f
 	}
 
-	var localEngine entities.ImageEngine
-	if buildOpts.local {
-		localEngine = registry.ImageEngine()
-	}
-
+	localEngine := registry.ImageEngine()
 	ctx := registry.Context()
-	farm, err := farm.NewFarm(ctx, defaultFarm, localEngine)
+	farm, err := farm.NewFarm(ctx, defaultFarm, localEngine, buildOpts.local)
 	if err != nil {
 		return fmt.Errorf("initializing: %w", err)
 	}
@@ -126,7 +152,7 @@ func build(cmd *cobra.Command, args []string) error {
 	manifestName := opts.Output
 	// Set Output to "" so that the images built on the farm nodes have no name
 	opts.Output = ""
-	if err = farm.Build(ctx, schedule, *opts, manifestName); err != nil {
+	if err = farm.Build(ctx, schedule, *opts, manifestName, localEngine); err != nil {
 		return fmt.Errorf("build: %w", err)
 	}
 	logrus.Infof("build: ok")

cmd/podman/farm/create.go

@@ -16,7 +16,7 @@ var (
 	The "podman system connection add --farm" command can be used to add a new connection to a new or existing farm.`
 
 	createCommand = &cobra.Command{
-		Use:               "create [options] NAME [CONNECTIONS...]",
+		Use:               "create NAME [CONNECTIONS...]",
 		Args:              cobra.MinimumNArgs(1),
 		Short:             "Create a new farm",
 		Long:              farmCreateDescription,

cmd/podman/farm/farm.go

@@ -16,27 +16,8 @@ var (
 	}
 )
 
-var (
-	// Temporary struct to hold cli values.
-	farmOpts = struct {
-		Farm string
-	}{}
-)
-
 func init() {
 	registry.Commands = append(registry.Commands, registry.CliCommand{
 		Command: farmCmd,
 	})
-	farmCmd.Hidden = true
-
-	flags := farmCmd.Flags()
-	podmanConfig := registry.PodmanConfig()
-
-	farmFlagName := "farm"
-	// If remote, don't read the client's containers.conf file
-	defaultFarm := ""
-	if !registry.IsRemote() {
-		defaultFarm = podmanConfig.ContainersConfDefaultsRO.Farms.Default
-	}
-	flags.StringVarP(&farmOpts.Farm, farmFlagName, "f", defaultFarm, "Farm to use for builds")
 }

contrib/pkginstaller/Makefile

@@ -6,7 +6,7 @@ ifeq ($(ARCH), aarch64)
 else
 	GOARCH:=$(ARCH)
 endif
-GVPROXY_VERSION ?= 0.7.1
+GVPROXY_VERSION ?= 0.7.2
 QEMU_VERSION ?= 8.0.0-1
 GVPROXY_RELEASE_URL ?= https://github.com/containers/gvisor-tap-vsock/releases/download/v$(GVPROXY_VERSION)/gvproxy-darwin
 QEMU_RELEASE_URL ?= https://github.com/containers/podman-machine-qemu/releases/download/v$(QEMU_VERSION)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz

docs/source/markdown/.gitignore

@@ -9,6 +9,7 @@ podman-container-runlabel.1.md
 podman-create.1.md
 podman-diff.1.md
 podman-exec.1.md
+podman-farm-build.1.md
 podman-image-sign.1.md
 podman-image-trust.1.md
 podman-images.1.md

docs/source/markdown/options/add-host.md

@@ -1,5 +1,5 @@
 ####> This option file is used in:
-####>   podman build, create, pod create, run
+####>   podman build, create, farm build, pod create, run
 ####> If file is edited, make sure the changes
 ####> are applicable to all of those.
 #### **--add-host**=*host:ip*

docs/source/markdown/options/annotation.image.md

@@ -0,0 +1,11 @@
+####> This option file is used in:
+####>   podman build, farm build
+####> If file is edited, make sure the changes
+####> are applicable to all of those.
+#### **--annotation**=*annotation=value*
+
+Add an image *annotation* (e.g. annotation=*value*) to the image metadata. Can
+be used multiple times.
+
+Note: this information is not present in Docker image formats, so it is
+discarded when writing images in Docker formats.

docs/source/markdown/options/authfile.md

@@ -1,5 +1,5 @@
 ####> This option file is used in:
-####>   podman auto update, build, container runlabel, create, image sign, kube play, login, logout, manifest add, manifest inspect, manifest push, pull, push, run, search
+####>   podman auto update, build, container runlabel, create, farm build, image sign, kube play, login, logout, manifest add, manifest inspect, manifest push, pull, push, run, search
 ####> If file is edited, make sure the changes
 ####> are applicable to all of those.
 #### **--authfile**=*path*

docs/source/markdown/options/build-arg-file.md

@@ -0,0 +1,22 @@
+####> This option file is used in:
+####>   podman build, farm build
+####> If file is edited, make sure the changes
+####> are applicable to all of those.
+#### **--build-arg-file**=*path*
+
+Specifies a file containing lines of build arguments of the form `arg=value`.
+The suggested file name is `argfile.conf`.
+
+Comment lines beginning with `#` are ignored, along with blank lines.
+All others must be of the `arg=value` format passed to `--build-arg`.
+
+If several arguments are provided via the `--build-arg-file`
+and `--build-arg` options, the build arguments are merged across all
+of the provided files and command line arguments.
+
+Any file provided in a `--build-arg-file` option is read before
+the arguments supplied via the `--build-arg` option.
+
+When a given argument name is specified several times, the last instance
+is the one that is passed to the resulting builds. This means `--build-arg`
+values always override those in a `--build-arg-file`.

docs/source/markdown/options/build-arg.md

@@ -0,0 +1,8 @@
+####> This option file is used in:
+####>   podman build, farm build
+####> If file is edited, make sure the changes
+####> are applicable to all of those.
+#### **--build-arg**=*arg=value*
+
+Specifies a build argument and its value, which is interpolated in
+instructions read from the Containerfiles in the same way that environment variables are, but which are not added to environment variable list in the resulting image's configuration.

docs/source/markdown/options/build-context.md

@@ -0,0 +1,30 @@
+####> This option file is used in:
+####>   podman build, farm build
+####> If file is edited, make sure the changes
+####> are applicable to all of those.
+#### **--build-context**=*name=value*
+
+Specify an additional build context using its short name and its location.
+Additional build contexts can be referenced in the same manner as we access
+different stages in COPY instruction.
+
+Valid values are:
+
+* Local directory – e.g. --build-context project2=../path/to/project2/src (This option is not available with the remote Podman client. On Podman machine setup (i.e macOS and Winows) path must exists on the machine VM)
+* HTTP URL to a tarball – e.g. --build-context src=https://example.org/releases/src.tar
+* Container image – specified with a container-image:// prefix, e.g. --build-context alpine=container-image://alpine:3.15, (also accepts docker://, docker-image://)
+
+On the Containerfile side, reference the build context on all
+commands that accept the “from” parameter. Here’s how that might look:
+
+```dockerfile
+FROM [name]
+COPY --from=[name] ...
+RUN --mount=from=[name] …
+```
+
+The value of [name] is matched with the following priority order:
+
+* Named build context defined with --build-context [name]=..
+* Stage defined with AS [name] inside Containerfile
+* Image [name], either local or in a remote registry

docs/source/markdown/options/cache-from.md

@@ -0,0 +1,21 @@
+####> This option file is used in:
+####>   podman build, farm build
+####> If file is edited, make sure the changes
+####> are applicable to all of those.
+#### **--cache-from**=*image*
+
+Repository to utilize as a potential cache source. When specified, Buildah tries to look for
+cache images in the specified repository and attempts to pull cache images instead of actually
+executing the build steps locally. Buildah only attempts to pull previously cached images if they
+are considered as valid cache hits.
+
+Use the `--cache-to` option to populate a remote repository with cache content.
+
+Example
+
+```bash
+# populate a cache and also consult it
+buildah build -t test --layers --cache-to registry/myrepo/cache --cache-from registry/myrepo/cache .
+```
+
+Note: `--cache-from` option is ignored unless `--layers` is specified.

docs/source/markdown/options/cache-to.md

@@ -0,0 +1,19 @@
+####> This option file is used in:
+####>   podman build, farm build
+####> If file is edited, make sure the changes
+####> are applicable to all of those.
+#### **--cache-to**=*image*
+
+Set this flag to specify a remote repository that is used to store cache images. Buildah attempts to
+push newly built cache image to the remote repository.
+
+Note: Use the `--cache-from` option in order to use cache content in a remote repository.
+
+Example
+
+```bash
+# populate a cache and also consult it
+buildah build -t test --layers --cache-to registry/myrepo/cache --cache-from registry/myrepo/cache .
+```
+
+Note: `--cache-to` option is ignored unless `--layers` is specified.

docs/source/markdown/options/cache-ttl.md

@@ -0,0 +1,12 @@
+####> This option file is used in:
+####>   podman build, farm build
+####> If file is edited, make sure the changes
+####> are applicable to all of those.
+#### **--cache-ttl**
+
+Limit the use of cached images to only consider images with created timestamps less than *duration* ago.
+For example if `--cache-ttl=1h` is specified, Buildah considers intermediate cache images which are created
+under the duration of one hour, and intermediate cache images outside this duration is ignored.
+
+Note: Setting `--cache-ttl=0` manually is equivalent to using `--no-cache` in the
+implementation since this means that the user dones not want to use cache at all.