This commit re-vendors the module from a temporary source, using a
patched version to address CVE-2025-22869. This version is specific
to the podman build requirement of golang 1.13. Should that requirement
change to a later version, re-vendoring the crypto module back to the
authoritative upstream source is recommended. However, the likelihood
of this happening prior to EOL is believed to be very low.
Resolves: RHEL-81303
Signed-off-by: Chris Evich <cevich@redhat.com>
While this RHEL release branch has a very short lifespan remaining,
there's still a good chance additional backports may be needed. To help
reduce the likelihood of flakes, reduce CI to the absolute bare minimum
needed.
Signed-off-by: Chris Evich <cevich@redhat.com>
install.tools target broke a few weeks ago because it was fetching
something @latest.
We can't use 'go install' nor 'go get ...@version' on this branch,
so just delete the .gitvalidation steps entirely.
Signed-off-by: Ed Santiago <santiago@redhat.com>
On this branch, /usr/local/bin/swagger is fetched on each run
(vs, on current 2022-08 main, installed at VM-setup time).
Something changed, and the new binary is very strict about
bugs in our swagger comments, of which there seem to be many.
Possible solution: fix our code. Doesn't seem worth the bother
for an old branch like this one.
Possible solution: re-fetch an old version of swagger tool.
Ditto.
This solution: just skip the swagger test. It seems unlikely
that anyone will make significant API changes on this branch.
Signed-off-by: Ed Santiago <santiago@redhat.com>
As release branches age, it becomes less valuable to execute
comprehensive CI testing. Further given occasional flakes, it becomes
more burdensome to maintain. Trim back some non-essential testing tasks
for improved long-term reliability and reduced maintenance.
Signed-off-by: Chris Evich <cevich@redhat.com>
This check is breaking on PRs and branches, for example:
```
Rebasing (5/24)
error: could not apply e6ed1d4bf... cirrus: update image
Resolve all conflicts manually, mark them as resolved with
"git add/rm <conflicted_files>", then run "git rebase --continue".
You can instead skip this commit: run "git rebase --skip".
To abort and get back to the state before "git rebase", run "git rebase
--abort".
Could not apply e6ed1d4bf... cirrus: update image
Auto-merging .cirrus.yml
CONFLICT (content): Merge conflict in .cirrus.yml
make: *** [Makefile:269: build-all-new-commits] Error 1
```
Stop running this check rather than debugging/fixing it because this is
a release branch that will not likely ever see a PR containing more than
one commit.
Signed-off-by: Chris Evich <cevich@redhat.com>
This test frequently fails and is of little use on a release-branch and
for any backports that may occur in the future. Simply remove it.
Signed-off-by: Chris Evich <cevich@redhat.com>
avoid this warning:
```
golangci/golangci-lint info installed ./bin/golangci-lint
golangci/golangci-lint err this script is deprecated, please do not use it anymore. check https://github.com/goreleaser/godownloader/issues/207
```
Signed-off-by: Pascal Bourdier <pascal.bourdier@gmail.com>
Signed-off-by: Chris Evich <cevich@redhat.com>
rootless containers do not use cgroups on cgroupv1 or if using
cgroupfs, so improve the check to account for such configuration.
Closes: https://github.com/containers/podman/issues/10800
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2028243
[NO NEW TESTS NEEDED] it requires rebooting and the rundir on a
non-tmpfs file system.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
This fixes the issue of not propagating defaultErrnoRet from
system's seccomp.json to container's config.json, which can
result in redundant seccomp rules and inability to start a container
when using some runtimes (notably runc up to and including 1.0.1).
The fix is to vendor in containers/common with the fixed pkg/seccomp
which no longer ignores defaultErrnoRet.
Brought to you by:
go get github.com/containers/common@v0.38.18
make vendor
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
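The propagation bug described in this commit, shown as an added example rather than code from containers/common or podman. The profile and config structs below are hypothetical, reduced to the three fields under discussion (defaultAction, defaultErrnoRet, syscalls); the profile text is constructed, and BuggyConvert/FixedConvert/VerifyPropagation are names chosen here, not the project's API.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Syscall is one rule in a seccomp profile (simplified; assumption).
type Syscall struct {
	Names    []string `json:"names"`
	Action   string   `json:"action"`
	ErrnoRet *uint    `json:"errnoRet,omitempty"`
}

// Profile models only the seccomp.json fields that matter here
// (assumption: real profiles also carry architectures, args and more).
type Profile struct {
	DefaultAction   string    `json:"defaultAction"`
	DefaultErrnoRet *uint     `json:"defaultErrnoRet,omitempty"`
	Syscalls        []Syscall `json:"syscalls"`
}

// LinuxSeccomp mirrors the shape of "linux.seccomp" in an OCI config.json,
// again reduced to the fields under discussion (assumption).
type LinuxSeccomp struct {
	DefaultAction   string    `json:"defaultAction"`
	DefaultErrnoRet *uint     `json:"defaultErrnoRet,omitempty"`
	Syscalls        []Syscall `json:"syscalls"`
}

// sampleProfile is a constructed profile, not a distribution file:
// everything not listed is refused with errno 38 (ENOSYS).
const sampleProfile = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 38,
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}
  ]
}`

// ParseProfile decodes a seccomp.json document.
func ParseProfile(data string) (Profile, error) {
	var p Profile
	err := json.Unmarshal([]byte(data), &p)
	return p, err
}

// BuggyConvert reproduces the defect: defaultErrnoRet is never copied, so
// the runtime falls back to its own errno for the default action.
func BuggyConvert(p Profile) LinuxSeccomp {
	return LinuxSeccomp{DefaultAction: p.DefaultAction, Syscalls: p.Syscalls}
}

// FixedConvert carries defaultErrnoRet across unchanged.
func FixedConvert(p Profile) LinuxSeccomp {
	return LinuxSeccomp{
		DefaultAction:   p.DefaultAction,
		DefaultErrnoRet: p.DefaultErrnoRet,
		Syscalls:        p.Syscalls,
	}
}

// VerifyPropagation is the check to run over a generated config: if the
// profile pinned an errno for its default action, the container spec must
// carry the same value, otherwise the effective policy differs from what
// the profile author wrote.
func VerifyPropagation(p Profile, s LinuxSeccomp) error {
	if p.DefaultErrnoRet == nil {
		if s.DefaultErrnoRet != nil {
			return fmt.Errorf("config sets defaultErrnoRet=%d but profile did not", *s.DefaultErrnoRet)
		}
		return nil
	}
	if s.DefaultErrnoRet == nil {
		return fmt.Errorf("defaultErrnoRet=%d dropped from container config", *p.DefaultErrnoRet)
	}
	if *p.DefaultErrnoRet != *s.DefaultErrnoRet {
		return fmt.Errorf("defaultErrnoRet mismatch: profile=%d config=%d", *p.DefaultErrnoRet, *s.DefaultErrnoRet)
	}
	return nil
}

func main() {
	p, err := ParseProfile(sampleProfile)
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		name string
		conv func(Profile) LinuxSeccomp
	}{{"buggy", BuggyConvert}, {"fixed", FixedConvert}} {
		out, _ := json.Marshal(c.conv(p))
		fmt.Printf("%s: %s (check: %v)\n", c.name, out, VerifyPropagation(p, c.conv(p)))
	}
}
```

Running the block prints the buggy conversion without any defaultErrnoRet key and the fixed one with `"defaultErrnoRet":38`; VerifyPropagation is the kind of assertion worth keeping in a test once a vendored dependency is bumped for a fix like this.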
We don't support the journald events backend on RHEL8, for
example. So we can't unconditionally run these tests.
Partial fix for RHBZ1955166
Signed-off-by: Matthew Heon <mheon@redhat.com>
There was a race condition when calling `GetRootlessCNINetNs()`. It
created the rootless cni directory before it got locked. Therefore
another process could have called cleanup and removed this directory
before it was used resulting in errors. The lockfile got moved into the
XDG_RUNTIME_DIR directory to prevent a panic when the parent dir was
removed by cleanup.
Fixes #10930
Fixes #10922
To make this even more robust `GetRootlessCNINetNs()` will now return
locked. This guarantees that we can run `Do()` after `GetRootlessCNINetNs()`
before another process could have called `Cleanup()` in between.
[NO TESTS NEEDED] CI is flaking, hopefully this will fix it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
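The lock ordering this commit describes, as an added example that is not podman's code: the lockfile is opened and flock'ed before the per-user directory is created, the lockfile lives in the runtime directory rather than inside the directory that Cleanup() removes, and the handle is returned still locked so Do() cannot interleave with another process's Cleanup(). Names (NetNS, GetLocked, Busy) and the directory layout under runtimeDir are assumptions standing in for $XDG_RUNTIME_DIR; the flock semantics are the kernel's (per open file description, so a second open of the same lockfile contends even within one process).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// NetNS is a hypothetical stand-in for the handle GetRootlessCNINetNs()
// hands back. It is only ever obtained with the lock held.
type NetNS struct {
	dir  string   // per-user directory that Cleanup() removes
	lock *os.File // open lockfile; the flock is tied to this descriptor
}

// GetLocked is the post-fix ordering: take the lock first, then create the
// directory under it. With block=false a contended lock fails fast.
func GetLocked(runtimeDir string, block bool) (*NetNS, error) {
	// The lockfile sits in runtimeDir itself, not inside dir, so removing
	// dir in Cleanup() can never pull the lockfile out from under a holder.
	lockPath := filepath.Join(runtimeDir, "rootless-cni.lock")
	f, err := os.OpenFile(lockPath, os.O_RDWR|os.O_CREATE, 0o600)
	if err != nil {
		return nil, err
	}
	how := syscall.LOCK_EX
	if !block {
		how |= syscall.LOCK_NB
	}
	if err := syscall.Flock(int(f.Fd()), how); err != nil {
		f.Close()
		return nil, err
	}
	// Only now, under the lock, is the directory created: nobody else can
	// be inside Cleanup() at this point.
	dir := filepath.Join(runtimeDir, "rootless-cni")
	if err := os.MkdirAll(dir, 0o700); err != nil {
		syscall.Flock(int(f.Fd()), syscall.LOCK_UN)
		f.Close()
		return nil, err
	}
	return &NetNS{dir: dir, lock: f}, nil
}

// Do runs fn against the directory while the lock is still held.
func (n *NetNS) Do(fn func(dir string) error) error {
	if _, err := os.Stat(n.dir); err != nil {
		return fmt.Errorf("netns dir vanished: %w", err)
	}
	return fn(n.dir)
}

// Cleanup removes the directory. Because there is no unlocked NetNS, it is
// always called with the lock held; the lockfile itself is left in place.
func (n *NetNS) Cleanup() error { return os.RemoveAll(n.dir) }

// Release drops the lock and closes the lockfile.
func (n *NetNS) Release() error {
	if err := syscall.Flock(int(n.lock.Fd()), syscall.LOCK_UN); err != nil {
		return err
	}
	return n.lock.Close()
}

// Busy reports whether err is the EWOULDBLOCK a non-blocking attempt gets
// while another holder has the lock.
func Busy(err error) bool { return errors.Is(err, syscall.EWOULDBLOCK) }

func main() {
	runtimeDir, err := os.MkdirTemp("", "xdg-runtime-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(runtimeDir)

	ns, err := GetLocked(runtimeDir, true)
	if err != nil {
		panic(err)
	}
	_, err = GetLocked(runtimeDir, false)
	fmt.Println("second acquire while held is busy:", Busy(err))
	ns.Do(func(d string) error { fmt.Println("working in", d); return nil })
	ns.Cleanup()
	ns.Release()
	_, err = GetLocked(runtimeDir, false)
	fmt.Println("acquire after release succeeds:", err == nil)
}
```

The pre-fix ordering would have been MkdirAll first and Flock second; in the window between the two a competing process holding the lock could run Cleanup() and remove the freshly created directory, which is the error the commit reports.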
Fix issue 10929: `[Regression in 3.2.0] CNI-in-slirp4netns DNS gets broken when running a rootful container after running a rootless container`
When /etc/resolv.conf on the host is a symlink to /run/systemd/resolve/stub-resolv.conf,
we have to mount an empty filesystem on /run/systemd/resolve in the child namespace,
so as to isolate the directory from the host mount namespace.
Otherwise our bind-mount for /run/systemd/resolve/stub-resolv.conf is unmounted
when systemd-resolved unlinks and recreates /run/systemd/resolve/stub-resolv.conf on the host.
[NO TESTS NEEDED]
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
The rootless cni namespace needs a valid /etc/resolv.conf file. On some
distros it is a symlink to somewhere under /run. Because the kernel will
follow the symlink before mounting, it is not possible to mount a file
at exactly /etc/resolv.conf. We have to ensure that the link target will
be available in the rootless cni mount ns.
Fixes #10855
Also fixed a bug in the /var/lib/cni directory lookup logic. It used
`filepath.Base` instead of `filepath.Dir` and thus looped infinitely.
Fixes #10857
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
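Both of the resolv.conf commits above turn on the same point: the kernel resolves symlinks before performing a mount, so the mount has to be planned for the link's final target (and that target's parent directory must exist, and be isolated, in the rootless CNI mount namespace). The block below is an added example, not podman's code, that computes that plan with path operations only (no mounts, no privileges), and also shows the ancestor walk from the second commit written with `filepath.Dir`, with a comment on why `filepath.Base` never terminates. PlanResolvConf, FindUpwards and the ResolvConfPlan type are names chosen here.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ResolvConfPlan says where a mount aimed at path will actually land.
// (Hypothetical type; not podman's.)
type ResolvConfPlan struct {
	Path      string // path the caller asked about, e.g. /etc/resolv.conf
	Target    string // path the kernel will mount onto after following links
	ParentDir string // directory that must exist (and be isolated) in the ns
	IsSymlink bool
}

// PlanResolvConf follows path the way a mount does: all symlink components
// are resolved first. A dangling link (systemd-resolved not started yet) is
// resolved one hop by hand so the caller still learns which directory to
// prepare inside the namespace.
func PlanResolvConf(path string) (ResolvConfPlan, error) {
	fi, err := os.Lstat(path)
	if err != nil {
		return ResolvConfPlan{}, err
	}
	plan := ResolvConfPlan{Path: path, IsSymlink: fi.Mode()&os.ModeSymlink != 0}
	target, err := filepath.EvalSymlinks(path)
	switch {
	case err == nil:
		plan.Target = target
	case plan.IsSymlink && errors.Is(err, os.ErrNotExist):
		link, rerr := os.Readlink(path)
		if rerr != nil {
			return ResolvConfPlan{}, rerr
		}
		if !filepath.IsAbs(link) {
			link = filepath.Join(filepath.Dir(path), link)
		}
		plan.Target = filepath.Clean(link)
	default:
		return ResolvConfPlan{}, err
	}
	plan.ParentDir = filepath.Dir(plan.Target)
	return plan, nil
}

// FindUpwards walks from start toward the filesystem root looking for a
// directory named entry, the shape of the /var/lib/cni lookup. Each step
// must use filepath.Dir: filepath.Base would yield the last element of
// the path on every iteration and the loop would never reach the root.
func FindUpwards(start, entry string) (string, bool) {
	dir := filepath.Clean(start)
	for {
		cand := filepath.Join(dir, entry)
		if fi, err := os.Stat(cand); err == nil && fi.IsDir() {
			return cand, true
		}
		parent := filepath.Dir(dir)
		if parent == dir { // Dir("/") == "/": reached the root, stop
			return "", false
		}
		dir = parent
	}
}

func main() {
	for _, p := range []string{"/etc/resolv.conf"} {
		plan, err := PlanResolvConf(p)
		if err != nil {
			fmt.Println(p, "->", err)
			continue
		}
		fmt.Printf("%s: symlink=%v target=%s prepare=%s\n", plan.Path, plan.IsSymlink, plan.Target, plan.ParentDir)
	}
	if d, ok := FindUpwards("/var/lib/cni/networks", "cni"); ok {
		fmt.Println("found:", d)
	}
}
```

On a host where /etc/resolv.conf links to /run/systemd/resolve/stub-resolv.conf the plan reports /run/systemd/resolve as the directory to prepare, which is exactly the directory the first commit covers with an empty filesystem so that systemd-resolved's unlink-and-recreate on the host cannot dislodge the bind mount in the child namespace.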
Support UID, GID, Mode options for mount type secrets. Also, change
default secret permissions to 444 so all users can read the secret.
Signed-off-by: Ashley Cui <acui@redhat.com>