This commit implements automatic creation timestamp functionality for artifacts
as requested in GitHub issue #27081, allowing users to see when artifacts were created.
Changes made:
- Add org.opencontainers.image.created annotation with Unix nanoseconds timestamp during artifact creation
- Preserve original creation timestamp when using --append option
- Update artifact inspect and add man pages to document the new functionality
- Add comprehensive e2e and system BATS tests to verify creation timestamp behavior
- Store timestamp as integer (Unix nanoseconds) for programmatic access
The creation timestamp helps users understand artifact freshness, particularly
useful for AI models and other time-sensitive artifacts managed by tools like RamaLama.
Usage examples:
```
podman artifact add myartifact:latest /path/to/file # Creates with timestamp
podman artifact inspect myartifact:latest # Shows created annotation as integer
podman artifact add --append myartifact:latest /file2 # Preserves original timestamp
```
Fixes: https://github.com/containers/podman/issues/27081
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
For exec and attach use an upgrade request which the server responds
with HTTP 101 status. Since Go 1.12 the Body can be cast to an
io.Writer and then use that to write to the server.
This does however not allow us to skip the ugly hack of overwriting
the default dialContext() because the ReadWriterCloser on the body
does not allow us to call CloseWrite() which is critical to correctly
close the stdin side. So we still have to extract the underlying
net.Conn for that.
Using the cast response.Body is important because the underlying http
lib reads from the socket to parse the header and response code of
course and it is possible that it read more content than needed that is
kept in its buffer but because we then only directly read from the
connection it was possible we miss the first few bytes of the message.
This should fix the issue and hopefully also some long standing
podman-remote missing output flakes in CI.
Fixes: #26951
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
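
The buffering problem described in the commit message above, as an added Go example that is not part of the commit or of podman's code. It uses http.ReadResponse over a bufio.Reader on a net.Pipe as a stand-in for the HTTP client; the payload string and the function names are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
)

// Constructed sample: the first bytes an exec/attach stream would carry.
const payload = "first bytes of exec output\n"

// serveUpgrade plays the server: it answers with HTTP 101 and sends the
// stream data in the same write, so both arrive in one read on the client.
func serveUpgrade(c net.Conn) {
	defer c.Close()
	io.WriteString(c, "HTTP/1.1 101 UPGRADED\r\n"+
		"Connection: Upgrade\r\nUpgrade: tcp\r\n\r\n"+payload)
}

// readAfterUpgrade parses the 101 response through a bufio.Reader and then
// reads the stream either from that reader or from the raw connection.
func readAfterUpgrade(fromBuffer bool) (string, error) {
	client, server := net.Pipe()
	defer client.Close()
	go serveUpgrade(server)

	br := bufio.NewReader(client)
	resp, err := http.ReadResponse(br, nil)
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusSwitchingProtocols {
		return "", fmt.Errorf("unexpected status %s", resp.Status)
	}
	var src io.Reader = client // raw socket: bytes already buffered are lost
	if fromBuffer {
		src = br // drains the parser's buffer first, then the socket
	}
	data, err := io.ReadAll(src)
	return string(data), err
}

func main() {
	raw, _ := readAfterUpgrade(false)
	buffered, _ := readAfterUpgrade(true)
	fmt.Printf("raw conn: %q\nbuffered: %q\n", raw, buffered)
}
```

Reading from the raw connection returns nothing because the header parser already pulled the payload into its buffer; reading through the buffered reader returns it intact.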
When `/proc/sys/fs/binfmt_misc` is not mounted, filepath.WalkDir may return
fs.ErrNotExist errors. These should be handled gracefully and return nil
instead of causing a panic.
Signed-off-by: Peiyuan Song <squallatf@gmail.com>
Using golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize
+ some manual cleanup in libpod/lock/shm/shm_lock_test.go as it
generated an unused variable
+ restored one removed comment
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
- Split the monolithic Build() function into focused helper functions.
- Add a TempFileManager for proper temporary file lifecycle management.
This refactoring is in preparation for implementing a local build API.
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
If the `Mount` option inside a quadlet is missing the source=... part,
the code today panics with the following message.
```
panic: runtime error: index out of range [0] with length 0
goroutine 1 [running]:
github.com/containers/podman/v5/pkg/systemd/quadlet.handleStorageSource(0xc000140de0?, 0x1d?, {0x0?, 0x1?}, 0x5634e39e233e?, 0x10?)
...
```
This commit checks for the missing source and returns an error to avoid the panic.
Signed-off-by: Jakob Meier <mail@jakobmeier.ch>
For ConfigMap and Secret kube play volumes podman populates the data
from the yaml. However the volume content is not controlled by us and we
can be tricked into following a symlink to a file on the host instead.
Fixes: CVE-2025-9566
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
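
One way to refuse a symlink when writing into a directory whose contents are not trusted, as an added Go example for Linux. It is not podman's code, and the page does not show the actual fix; the names writeNoFollow and demo, the "config" key and the sample data are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// writeNoFollow writes name inside volDir; O_NOFOLLOW rejects a symlink as the final component.
func writeNoFollow(volDir, name string, data []byte) error {
	if name != filepath.Base(name) || name == "." || name == ".." {
		return fmt.Errorf("invalid key %q", name)
	}
	f, err := os.OpenFile(filepath.Join(volDir, name), os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// demo builds a constructed volume whose "config" entry links outside it and returns the outside file's content.
func demo(hardened bool) (string, error) {
	base, err := os.MkdirTemp("", "voldemo")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(base)
	vol, host := filepath.Join(base, "volume"), filepath.Join(base, "hostfile")
	link, data := filepath.Join(vol, "config"), []byte("from yaml")
	err = errors.Join(os.Mkdir(vol, 0o755), os.WriteFile(host, []byte("host data"), 0o644), os.Symlink(host, link))
	if err != nil {
		return "", err
	}
	if hardened {
		err = writeNoFollow(vol, "config", data)
	} else { // plain write: follows the link
		err = os.WriteFile(link, data, 0o644)
	}
	after, _ := os.ReadFile(host)
	return string(after), err
}

func main() {
	fmt.Println(demo(false))
	fmt.Println(demo(true))
}
```

O_NOFOLLOW covers only the last path component, so the directory itself still has to be one the writer controls.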
The container/stats endpoint was unimplemented. Copy over the structure
from the Linux endpoint handler, albeit with most of the stats
unpopulated. This is similar to how "podman stats" returns very little
info on FreeBSD. On the other hand, some orchestration tools will query
the stats endpoint to check liveness of a container, so it's useful to
implement it even though some fields are unimplemented for now.
Signed-off-by: Mark Johnston <mark.johnston@klarasystems.com>
Add support for HttpProxy key in quadlet Container sections to control
proxy environment variable inheritance during image pulls and builds.
- HttpProxy=true enables proxy inheritance (default podman behavior)
- HttpProxy=false disables proxy inheritance
- When omitted, uses podman's default behavior
This addresses the need for declarative proxy configuration in IPv6-only
networks and other scenarios where proxy settings need to be controlled
at the container level without manual workarounds.
Fixes #26925
Signed-off-by: Ondřej Gajdušek <ogajduse@redhat.com>
unconfined is a special value and not a path; as such it must not be
converted, otherwise --security-opt seccomp=unconfined fails as it tries
to access a file called unconfined.
Fixes: 3e8b2d7d96 ("Fix seccomp profile path on Windows")
Fixes: #26855
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add support for loading images directly from machine paths to avoid
unnecessary file transfers when the image archive is already accessible
on the running machine through mounted directories.
Changes include:
- New /libpod/local/images/load API endpoint for direct machine loading
- Machine detection and path mapping functionality
- Fallback in tunnel mode to try optimized loading first
This optimization significantly speeds up image loading operations
when working with remote Podman machines by eliminating redundant
file transfers for already-accessible image archives.
Fixes: https://issues.redhat.com/browse/RUN-3249
Fixes: https://github.com/containers/podman/issues/26321
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
Check Content-Type header before unmarshaling errors to avoid
unnecessary JSON parsing overhead for plain text responses.
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
Add artifact tag to tags.yaml so API docs are ordered correctly
(alphabetically with libpod endpoints first).
Refactor artifact API documentation to be consistently formatted.
Refactor some descriptions and summaries to be more accurate and user
friendly.
Signed-off-by: Lewis Roy <lewis@redhat.com>
Prior to this commit `artifact remove --all` was not supported on remote
clients.
This patch adds a new artifact API endpoint `artifact/remove` which can
either take a list of artifacts to remove or remove all artifacts by
setting all=true.
This patch removes the temporary warning message in the tunnel interface
implementation of ArtifactRm if `--all` was passed on the command line
and uses the new `artifact/remove` endpoint.
This patch also updates the `artifact remove` command both remote and
local to accept a list of artifacts to remove rather than limiting to
just one.
Signed-off-by: Lewis Roy <lewis@redhat.com>
Added log_path variable in containers/common. The user sets the default log path in containers.conf under the `[containers]` section.
The directory has to exist beforehand. Container logs go under this directory, in sub-directories named with the container ID,
and inside each sub-directory a ctr.log file will be created where the container logs for the corresponding container will go.
This path can be overridden by using the `--log-opt` flag.
Signed-off-by: Joshua Arrevillaga <2004jarrevillaga@gmail.com>
This patch adds a new --tls-verify flag to the `podman machine init`
sub command which matches many of our other commands. This allows the
user to optionally control whether TLS verification is enabled or
disabled for download of the machine image.
The default remains to leave the TLS verification decision to the
backend library which defaults to enabling it; this patch just
allows the user to explicitly set it on the CLI.
Fixes: #26517
Signed-off-by: Lewis Roy <lewis@redhat.com>
The machine images should contain a new enough podman on the server side
to support this so the skips can be removed.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Since compat version 1.43 the VirtualSize field in the
GET /images/{name}/json, GET /images/json, and
GET /system/df responses is deprecated and will no
longer be included in API v1.44. Use the Size field
instead, which contains the same information.
Signed-off-by: Nicola Sella <nsella@redhat.com>
- Add specific check for empty device modes in ParseDevice function
- Change error message from 'invalid device mode: ' to 'empty device mode in device specification: <device>'
- Include full device specification in error message for better context
- Add test cases for empty device mode scenarios
- Resolves issue where '/dev/fuse::' provided unhelpful error message
Fixes #26629
Signed-off-by: Devashish08 <devashish.cs025@gmail.com>
Add the Go bindings implementation necessary to support Artifacts.
Implement the tunnel interface that consumes the Artifacts Go bindings.
With this patch, users of the Podman remote clients will now be able to
manage OCI artifacts via the Podman CLI and Podman machine.
Jira: https://issues.redhat.com/browse/RUN-2714#
Signed-off-by: Lewis Roy <lewis@redhat.com>