847 Commits

Author SHA1 Message Date
Giuseppe Scrivano
458fcaa1ba specgen: fix pod mount options leaking between mounts
Replace the JSON marshal/unmarshal round-trip in Inherit() with
copier.Copy. json.Unmarshal reuses existing slice backing arrays
and does not zero struct fields absent from the JSON (omitempty),
so mount options like "ro" from one mount would leak into another
mount at the same backing-array position.

Fixes the case where running:
  podman run --pod mypod \
    --mount type=bind,src=/a,target=/mylog \
    --mount type=bind,src=/b,target=/mytmp,ro=true \
    alpine touch /mylog/a

incorrectly fails with "Read-only file system" because /mylog
inherits "ro" from /mytmp.

Fixes: https://issues.redhat.com/browse/RHEL-154348

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2026-03-10 09:14:38 +01:00
Jan Kaluza
56e555bfc2 api/compat: switch to moby/moby
Replace github.com/docker/docker API imports with github.com/moby/moby
across compat handlers, swagger models, and tests to align with upstream
type definitions.

Fixes: #27536.

Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
2026-03-09 11:09:23 +01:00
Povilas Kanapickas
636eb1a401 libpod: Implement --log-opt label=LABEL=Value
This allows things like compose project names to be associated with log
messages and later used in log processing and analysis.

Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
2026-03-06 10:59:31 +02:00
Povilas Kanapickas
9872cbd756 libpod: Validate that log tag requires journald driver
Currently validation that log tag requires journald driver is done in several
places and emits only a warning. Making it an error and moving to
`(c *Container) validate()` is a more correct approach.

Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
2026-03-04 14:48:46 +02:00
Paul Holzinger
8aad8d72e0 Merge pull request #28140 from ozgur-as/fix-clone-secret-env
Fix container clone with secret type=env
2026-03-04 13:04:11 +01:00
Matt Heon
09ebdfa0b0 Merge pull request #28166 from mtrmac/platform-restriction
RFC: Add `(linux || freebsd)` build requirements
2026-03-03 10:27:57 -05:00
Miloslav Trmač
4c3027c149 Make most of libpod, and everything that relies on it, non-darwin
Require (linux || freebsd), because the code already does that, in practice.
This just means macOS users of IDEs aren't hit with thousands of compilation
errors (and then the IDE can open a Linux-specific file and then process it
under the Linux assumption, which works much better).

This commit ONLY replaces
	//go:build !remote
with
	//go:build !remote && (linux || freebsd)

and is split from the rest to allow mechanically verifying that fact,
and focusing a review on the other kinds of changes.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2026-02-27 22:18:36 +01:00
Ygal Blum
64ec31ac00 Add nocreate option for named volumes
Add a per-volume 'nocreate' option that prevents automatic creation of
named volumes when they don't exist. When specified, Podman will fail
if the volume is not found instead of creating it automatically.

Usage: -v myvolume:/data:nocreate
       --mount type=volume,src=myvolume,dst=/data,nocreate

See: #27862
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
2026-02-26 11:14:32 -05:00
Ozgur As
03d9de1528 Fix container clone with secret type=env
ConfigToSpec() serializes the container config to JSON and deserializes
it into a SpecGenerator. Both structs use the JSON tag "secret_env" but
with incompatible types: the container config uses map[string]*secrets.Secret
(complex objects) while the specgen uses map[string]string (env var name
to secret name). This causes an unmarshal error when cloning containers
that use --secret with type=env.

Fix this by saving and clearing EnvSecrets before JSON marshal (same
pattern as existing tmpSystemd/tmpMounts), then converting the secret
objects to name strings and assigning them to the specgen afterward.

Also fix FillOutSpecGen to not overwrite env secrets populated by
ConfigToSpec when no new secrets are provided on the command line.

Fixes: #28130
Signed-off-by: Ozgur As <ozgur@live.com>
2026-02-25 19:53:36 +03:00
Paul Holzinger
88bd85367d Merge pull request #28008 from shiv-tyagi/vendor-detection
Discover GPU vendor from CDI spec before injecting GPU for --gpus option
2026-02-12 18:54:34 +01:00
Shiv Tyagi
d7a80dda1e Discover vendor from cdi spec before injecting CDI device for --gpu option
Signed-off-by: Shiv Tyagi <Shiv.Tyagi@amd.com>
2026-02-12 12:11:47 +00:00
Kir Kolyshkin
b046387979 Inline the initial slice into append
Instead of creating a slice and then appending to it, let's inline the
initial slice into append. This may or may not result in fewer slice
reallocations, but it is silencing the prealloc linter warnings.

This commit is part of series fixing issues reported by prealloc linter
from golangci-lint v2.8.0.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-11 11:41:10 -08:00
Kir Kolyshkin
d316cbb362 Don't use append if not necessary
Calling append can lead to resizing the slice. In case we have all
elements beforehand, it is not necessary to call append in the first
place and this avoids resizing.

This is the first part of fixing issues reported by prealloc linter from
golangci-lint v2.8.0.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-11 11:41:10 -08:00
Mario Loriedo
6e053689d5 Merge pull request #27795 from MayorFaj/fix-env-envfrom-precedence-27287
fix: ensure environment variable precedence between env and envFrom
2026-02-03 11:31:59 +01:00
Lokesh Mandvekar
454167efa9 Remove CNI-specific code paths from libpod
Remove CNI-specific conditional logic and update comments throughout
the libpod networking code:

- Simplified DNS configuration logic in container_internal_common.go
  to always use netavark behavior (removed backend checks)
- Removed CNI-specific iptables chain error regex pattern
- Updated all comments referencing 'CNI' to use 'netavark' or
  'network backend'
- Renamed variable 'cniNet' to 'netInfo' for clarity
- Updated field and type documentation to remove CNI references

All networking code now assumes netavark as the sole backend.

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
2026-01-27 16:32:38 +05:30
MayorFaj
d8f5368428 fix: correct env/envFrom precedence in kube play
Fixes: #27287

Signed-off-by: MayorFaj <mayorfaj@gmail.com>
2026-01-22 19:55:57 +00:00
Matt Heon
cb67dafd36 Merge pull request #26445 from aaron-ang/update-ulimit
Add ulimits to `podman update`
2026-01-16 08:38:00 -05:00
Matt Heon
2fbecb48e1 Merge pull request #27791 from ninja-quokka/kube_play_image_validation
[play_kube] Add validation to container image field
2025-12-22 14:43:56 -05:00
Lewis Denny
74c0795a7c [play_kube] Add validation to container image field
Fixes: #27784

Signed-off-by: Lewis Denny <lewisdenny@me.com>
2025-12-21 20:15:35 +10:00
0xdvc
417430c451 fix: improve userns validation when joining pods
- remove old CLI validation that only checked --pod flag
- add validation in namespaces.go to catch all paths (cli, quadlet, api)
- block userns mixing for all pods with infra, not just ipc/net
- update error message to be clearer
- fix test cleanup to use PodmanExitCleanly()
- use dynamic pod names in system tests to avoid conflicts

fixes #26848

Signed-off-by: 0xdvc <neilohene@gmail.com>
2025-11-25 08:45:19 +00:00
openshift-merge-bot[bot]
25c358e374 Merge pull request #27579 from Luap99/vendor
vendor: update common, image, storage to main
2025-11-21 16:50:48 +00:00
Paul Holzinger
d163c38a26 vendor: update common, image, storage to main
This also then bumps github.com/opencontainers/runtime-spec to v1.3.0,
which contains breaking changes of the pid type, so we had to update
all the podman callers.

And tags.cncf.io/container-device-interface also used some changed
types from it and they have been updated in main so bump to the latest
commit there as well in order to get podman to compile properly.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-11-21 14:24:29 +01:00
Vyacheslav Bespalov
a331c51c05 [Fixes: #27571] Fix 'shouldResolveWinPaths' returning 'false' on Windows
Signed-off-by: Vyacheslav Bespalov <vbespalov@ptsecurity.com>
2025-11-21 15:32:39 +03:00
Aaron Ang
a9dd858c49 Clamp rootless rlimits to host on format
Signed-off-by: Aaron Ang <aaron.angyd@gmail.com>
2025-11-20 22:59:50 -08:00
Doug Rabson
91183a40b4 pkg/specgen/generate: Fix adding host devices on FreeBSD
This was not working when emulating Linux container images on FreeBSD.
The code to handle host devices on FreeBSD relies on the container
having a devfs mount. Unfortunately, the Linux emulation code which adds
this was happening after the host device handling. This changes the
logic so that host device management happens after Linux emulation.

Signed-off-by: Doug Rabson <dfr@rabson.org>
2025-11-17 11:08:31 +00:00
openshift-merge-bot[bot]
af91cae1c5 Merge pull request #27271 from lsm5/podman6-no-cgv1
Podman6: Remove cgroupsv1
2025-11-14 17:03:59 +00:00
Lokesh Mandvekar
f47f74cad6 pkg/specgen/generate/kube: nolint and FIXMEs for seccomp deprecations
Ref: https://github.com/containers/podman/issues/27501

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
2025-11-12 15:35:30 -05:00
Lokesh Mandvekar
3842f4d4e5 pkg/specgen: Remove deprecated CNINetworks
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
2025-11-12 15:35:29 -05:00
Lokesh Mandvekar
a3fcf52a1c Fix deprecation notice to make gocritic happy.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
2025-11-12 15:35:29 -05:00
Lokesh Mandvekar
a994aef330 pkg/domain/infra/abi/pods_stats.go: Remove Cgroups v1
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
2025-11-12 15:15:33 -05:00
Lokesh Mandvekar
850bae519e pkg/specgen/namespaces.go: Remove Cgroups v1
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
2025-11-12 15:15:33 -05:00
Lokesh Mandvekar
72f8a01d9d pkg/specgen/generate/validate_linux.go: Remove Cgroups v1
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
2025-11-12 15:15:33 -05:00
Paul Holzinger
5c1ed12d8d enable gofumpt formatter
Based on our discussion gofumpt won the vote so use that one via
golangci-lint.

https://github.com/containers/podman/discussions/27291

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-11-11 12:32:46 +01:00
Matt Heon
34166fc004 Bump Go version to v6
Tremendous amount of changes in here, but all should amount to
the same thing: changing Go import paths from v5 to v6.

Also bumped go.mod to github.com/containers/podman/v6 and updated
version to v6.0.0-dev.

Signed-off-by: Matt Heon <mheon@redhat.com>
2025-10-23 11:00:15 -04:00
Oleksandr Krutko
098d8efecc add option to remove Pod name prefix in resulting container name
Signed-off-by: Oleksandr Krutko <alexander.krutko@gmail.com>
2025-10-15 23:37:03 +03:00
Jan Rodák
79ecc1d56b Fix --userns=ns:<path> conflicting with runc 1.1.11+
Remove dummy UID/GID mappings added when joining existing user
namespaces, which runc 1.1.11+ rejects as conflicting.

RUNC fix: https://github.com/opencontainers/runc/pull/4124

Fixes #27148

Signed-off-by: Jan Rodák <hony.com@seznam.cz>
2025-10-07 15:45:45 +02:00
Matt Souza
090304a054 lint: reenable revive unused-parameter check
Signed-off-by: Matt Souza <medsouz99@gmail.com>
2025-10-01 10:42:08 -04:00
Paul Holzinger
8631032556 run modernize -fix ./...
Using golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize

+ some manual cleanup in libpod/lock/shm/shm_lock_test.go as it
  generated an unused variable
+ restored one removed comment

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-09-10 16:17:04 +02:00
Paul Holzinger
b97525a78d use strings.SplitSeq where possible
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-09-10 16:17:04 +02:00
Jan Kaluza
a98154a978 Switch common, storage and image to monorepo.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
2025-09-01 12:33:04 +02:00
Joshua Arrevillaga
930cd25739 Feat: Add log_path support in containers.conf
Added log_path variable in containers/common. The user sets the default log path in containers.conf under the `[containers]` section.
The directory has to exist beforehand. Container logs go under this directory, sub-directories named with the container id
and inside the sub-directory a ctr.log file will be created where the container logs for the corresponding container will go.
This path can be overridden by using the `--log-opt` flag.

Signed-off-by: Joshua Arrevillaga <2004jarrevillaga@gmail.com>
2025-08-07 17:04:13 -04:00
openshift-merge-bot[bot]
0c4c9e4fbc Merge pull request #26682 from Devashish08/fix-empty-device-mode-error
Fix: Improve error message for empty device modes
2025-08-01 12:33:32 +00:00
Devashish08
0530a564a7 Fix: Improve error message for empty device modes in API requests
- Add specific check for empty device modes in ParseDevice function
- Change error message from 'invalid device mode: ' to 'empty device mode in device specification: <device>'
- Include full device specification in error message for better context
- Add test cases for empty device mode scenarios
- Resolves issue where '/dev/fuse::' provided unhelpful error message

Fixes #26629

Signed-off-by: Devashish08 <devashish.cs025@gmail.com>
2025-07-31 16:24:29 +00:00
Lewis Roy
81d6d90195 Improve handling of --publish and incompatible NetNS modes
Handling is improved by:
- Inverting detection logic so all incompatible NetNS modes that can't be used with
the `--publish` option will now print a warning to the user.
- Updating the --publish documentation
- Extract detection logic out to its own function with a note to keep
  docs in sync.

Note: path mode was added after this warning logic was added:
- https://github.com/containers/podman/pull/8230
- https://github.com/containers/podman/pull/16386

Relates-to: https://github.com/containers/podman/issues/26663

Signed-off-by: Lewis Roy <lewis@redhat.com>
2025-07-28 20:20:05 +10:00
Craig Spencer
5e44c17309 Clarifies error message when using an improperly formatted secret with kube
Fixes: #26586

Signed-off-by: Craig Spencer <craig.spencer812@gmail.com>
2025-07-10 12:19:28 -04:00
Arthur Wu
17601aa913 Pod YAML: Add support for lifecycle.stopSignal
The field allows users to specify a custom stop signal (e.g., SIGUSR1) per container.
If defined, it overrides the default stop signal (SIGTERM) or that defined in the image metadata.

Fixes: #25389

Signed-off-by: Arthur Wu <lion811004@gmail.com>
2025-06-23 08:23:31 -04:00
openshift-merge-bot[bot]
f235d47e1d Merge pull request #26308 from kolyshkin/blkdev
podman-update: fix block device handling
2025-06-16 14:46:05 +00:00
Paul Holzinger
0ab8a3c576 artifact mount: add new name option to specify filename
An artifact without the title annotation just gets the digest as name
which is less than ideal. While it is a decent default to avoid
conflicts users would like to configure the name.

With the name=abc option we will call the file abc in case of a single
artifact and otherwise we use abc-x where x is the layer index starting
at 0 to avoid conflicts.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-14 12:25:21 +02:00
Kir Kolyshkin
3f0cdb9414 pkg/specgen: error out when a block device isn't
In case something other than a block device is supplied, podman proceeds
to apply settings for a block device with the same minor:major.

For example, "--blkio-weight-device /dev/zero:123" (alas, this is taken
literally from podman-update(1) EXAMPLES section) sets blkio weight
for /dev/ram5. Instead, it should error out since /dev/zero is not a
block device.

Add an appropriate check.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-06-10 13:50:02 -07:00
Kir Kolyshkin
9b6e548387 pkg/specgen: refactor FinishThrottleDevices, WeightDevices
Refactor these functions to
 - avoid repetition of common code (mostly stat of block device path);
 - perform early return if nothing is to be done;
 - remove some excessive nesting.

It also improves some error messages.

This is a preparation for the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-06-10 13:50:02 -07:00