This fixes the issue of not propagating defaultErrnoRet from
system's seccomp.json to container's config.json, which can
result in redundant seccomp rules and inability to start a container
when using some runtimes (notably runc up to and including 1.0.1).
The fix is to vendor in containers/common with the fixed pkg/seccomp
which no longer ignores defaultErrnoRet.
Brought to you by:
go get github.com/containers/common@v0.38.18
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
There was an race condition when calling `GetRootlessCNINetNs()`. It
created the rootless cni directory before it got locked. Therefore
another process could have called cleanup and removed this directory
before it was used resulting in errors. The lockfile got moved into the
XDG_RUNTIME_DIR directory to prevent a panic when the parent dir was
removed by cleanup.
Fixes#10930Fixes#10922
To make this even more robust `GetRootlessCNINetNs()` will now return
locked. This guarantees that we can run `Do()` after `GetRootlessCNINetNs()`
before another process could have called `Cleanup()` in between.
[NO TESTS NEEDED] CI is flaking, hopefully this will fix it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Fix issue 10929 : `[Regression in 3.2.0] CNI-in-slirp4netns DNS gets broken when running a rootful container after running a rootless container`
When /etc/resolv.conf on the host is a symlink to /run/systemd/resolve/stub-resolv.conf,
we have to mount an empty filesystem on /run/systemd/resolve in the child namespace,
so as to isolate the directory from the host mount namespace.
Otherwise our bind-mount for /run/systemd/resolve/stub-resolv.conf is unmounted
when systemd-resolved unlinks and recreates /run/systemd/resolve/stub-resolv.conf on the host.
[NO TESTS NEEDED]
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
The rootless cni namespace needs a valid /etc/resolv.conf file. On some
distros is a symlink to somewhere under /run. Because the kernel will
follow the symlink before mounting, it is not possible to mount a file
at exactly /etc/resolv.conf. We have to ensure that the link target will
be available in the rootless cni mount ns.
Fixes#10855
Also fixed a bug in the /var/lib/cni directory lookup logic. It used
`filepath.Base` instead of `filepath.Dir` and thus looping infinitely.
Fixes#10857
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Support UID, GID, Mode options for mount type secrets. Also, change
default secret permissions to 444 so all users can read secret.
Signed-off-by: Ashley Cui <acui@redhat.com>
Clarify in the man page that podman-search is not generally realiable
way of determining the presence/existence of an image. The results of
the v1 and the v2 endpoints depend on the implementation of each
registry; the semantics are not really specified. Some registries may
not support search at all as it's not part of the OCI dist spec.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1978556
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Users are complaining about read/only /var/tmp failing
even if TMPDIR=/tmp is set.
This PR Fixes: https://github.com/containers/podman/issues/10698
[NO TESTS NEEDED] No way to test this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
<MH: Fixed cherry-pick conflicts>
Signed-off-by: Matthew Heon <mheon@redhat.com>
Refactor podman commands that have drifted from using
c/common report pkg. Report pkg is needed to implement
go template functions.
Removed obsolete code from podman which exists in c/common.
Latest template library added default newlines and method to
remove them. Incorporated needed changes in c/common PR below.
Depends on https://github.com/containers/common/pull/624
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1855983
Signed-off-by: Jhon Honce <jhonce@redhat.com>
<MH: Fixed cherry-pick conflicts>
Signed-off-by: Matthew Heon <mheon@redhat.com>
Podman uses the volume option map to check if it has to mount the volume
or not when the container is started. Commit 28138dafcc39 added to uid
and gid options to this map, however when only uid/gid is set we cannot
mount this volume because there is no filesystem or device specified.
Make sure we do not try to mount the volume when only the uid/gid option
is set since this is a simple chown operation.
Also when a uid/gid is explicity set, do not chown the volume based on
the container user when the volume is used for the first time.
Fixes#10620
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Checkpointed containers started with --privileged fail during restore
with:
Error: error creating container storage: ProcessLabel and Mountlabel must either not be specified or both specified
This commit fixes it by not setting the labels when restoring a
privileged container.
[NO TESTS NEEDED]
Signed-off-by: Adrian Reber <areber@redhat.com>
As near as I can tell, sometime between `v1.6.4` and `v1.9` the definition
of `LDFLAGS_PODMAN_STATIC` was both created and lost. Additionally, after
a refactoring of the `Makefile` it was possible to enable CGO (which
will cause a dynamic binary to be built). Fix both issues by adding the
missing definition and forcing CGO to be disabled.
Signed-off-by: Chris Evich <cevich@redhat.com>
The container name should have the slirp interface ip set in /etc/hosts
and not the gateway ip. Commit c8dfcce6db0a introduced this regression.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1972073
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
As discussed in #10710, the additional checks for podman-exec added by
commit 666f555aa52b are extremely flaky and appear in nearly every PR
I have see this week.
Let's temporarily disable the checks and reenable them on #10710 is
fixed.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When starting a process with `podman exec -it` the terminal is resized
after the process is started. To fix this allow exec start to accept the
terminal height and width as parameter and let it resize right before
the process is started.
Fixes#10560
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Previously podman failed when run in an environment where 127.0.0.53 is
the only nameserver but systemd-resolved is not used directly.
In practice this happened when podman was run within an alpine container
that used the host's network and the host was running systemd-resolved.
This fix makes podman ignore a file not found error when reading /run/systemd/resolve/resolv.conf.
Closes#10733
[NO TESTS NEEDED]
Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
