As the title says.
Bump c/image to v1.38.4 and c/storage to v5.19.4.
Also backport e5a86d293f
for golang ci support.
[NO NEW TESTS NEEDED]
This partially addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2072452
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
This is important for the stability of CI in case of a future backport
that happens to be incompatible with netavark/aardvark `main`. Since CI
doesn't run very often on the podman `v4.0` branch, an incompatible change
may not be noticed. Fix this by switching off of the `main` branch onto
a netavark/aardvark release branches.
Signed-off-by: Chris Evich <cevich@redhat.com>
avoid this warn:
```
golangci/golangci-lint info installed ./bin/golangci-lint
golangci/golangci-lint err this script is deprecated, please do not use it anymore. check https://github.com/goreleaser/godownloader/issues/207
```
Signed-off-by: Pascal Bourdier <pascal.bourdier@gmail.com>
Signed-off-by: Chris Evich <cevich@redhat.com>
bump c/ocicrypt to v1.1.4
bump c/image to v5.19.3
bump buildah to v1.24.4
This change uses a new ocicrypt which defaults to sha256 hashes and has
already been vendored into c/image and buildah versions listed above.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
go get is deprecated, we should use go install instead.
Also for some reason go get -u golang.org/x/tools/cmd/goimports is
broken at the moment, thus failing CI jobs where we have to install
this. Switching to go install seems to fix it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
SHA-1 is prone to collisions.
This will likely break connectivity between old containers started
before update and containers started after update. It will also fail to
cleanup old netns. A reboot will fix this, so a reboot is recommended
after update.
[NO NEW TESTS NEEDED]
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
(cherry picked from commit 44642bee8720c0a19c97c6e116d725fd5f95daad)
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Resolves: GHSA-8c26-wmh5-6g9v - CVE-2022-27191
Podman doesn't seem to be directly affected as the logic in question
is not called.
golang.org/x/crypto@1baeb1ce contains the actual CVE fix. Using the
latest upstream commit to also include support for SHA-2.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
(cherry picked from commit 5e680d54e9e8b849b90047d2d87bc7664edaaa1d)
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
aafa80918a245edcbdaceb1191d749570f1872d0 introduced the regression.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
(cherry picked from commit 640c2d53a88f46e997d4e5a594cfc85a57e74d36)
The kernel never sets the inheritable capabilities for a process, they
are only set by userspace. Emulate the same behavior.
Closes: CVE-2022-27649
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
(cherry picked from commit aafa80918a245edcbdaceb1191d749570f1872d0)
Invoking parallel/concurrent builds from podman race against each other
following behviour was fixed in
containers/storage#1153 and containers/image#1480
Test verifies if following bug is fixed in new race-free API or not.
Read more about this issue, see bz 2055487 for more details.
Test manually backported from: 63f92d0a66
Signed-off-by: Aditya R <arajan@redhat.com>
Update the login tests to reflect the latest changes to allow http{s}
prefixes (again) to address bugzilla.redhat.com/show_bug.cgi?id=2062072.
Backport of commit 57cdc21b0057.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When enable_ipv6=true is set for slirp4netns (default since podman v4),
we will try to set the accept sysctl. This sysctl will not exist on
systems that have ipv6 disabled. In this case we should not error and
just ignore the extra ipv6 setup.
Also the current logic to wait for the slirp4 setup was kinda broken, it
did not actually wait until the sysctl was set before starting slirp.
This should now be fixed by using two `sync.WaitGroup`s.
[NO NEW TESTS NEEDED]
Fixes#13388
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Backports: #13421 Set default rule at the head of device configuration
by @hshiina
The default rule should be set at the head of device configuration.
Otherwise, rules for user devices are overridden by the default rule so
that any access to the user devices are denied.
This has been requested to backport and to include in RHEL 8.6 and 9.0.
The exception process is underway.
Addresses these BZs for the backport:
https://bugzilla.redhat.com/show_bug.cgi?id=2059296https://bugzilla.redhat.com/show_bug.cgi?id=2062835
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
(cherry picked from commit 61f6e1300a770af58c43dd226ad6ebe68c5d1921)
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
We could remove the container running the volume plugins, before
the containers using the volume plugins; this could cause
unmounting the volumes to fail because the plugin could not be
contacted.
Signed-off-by: Matthew Heon <mheon@redhat.com>
The CONTAINERS_CONF environment variable can be used to override the
configuration file, which is useful for testing. However, at the moment
this variable is not propagated to conmon. That means in particular, that
conmon can't propagate it back to podman when invoking its --exit-command.
The mismatch in configuration between the starting and cleaning up podman
instances can cause a variety of errors.
This patch also adds two related test cases. One checks explicitly that
the correct CONTAINERS_CONF value appears in conmon's environment. The
other checks for a possible specific impact of this bug: if we use a
nonstandard name for the runtime (even if its path is just a regular crun),
then the podman container cleanup invoked at container exit will fail.
That has the effect of meaning that a container started with -d --rm won't
be correctly removed once complete.
Fixes#12917
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This comment refers to overiding $PODMAN although the code below does
nothing of the sort. Presumbly the comment has been outdated by altering
the containers.conf / $CONTAINERS_CONF instead.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We're running into problems that are impossible to diagnose
because we have no idea if the SUT is using netavark or CNI.
We've previously run into similar problems with runc/crun,
or cgroups 1/2.
This adds a one-line 'echo' with important system info. Now,
when viewing a full test log, it will be possible to view
system settings in one glance.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add a extra `See 'podman command --help'` to the error output.
With this patch you now get:
```
$ podman run -h
Error: flag needs an argument: 'h' in -h
See 'podman run --help'
```
Fixes#13082Fixes#13002
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
To prevent duplication and potential bugs we should use the same
GetRuntimeDir function that is used in c/common.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
