Commits f34c272 and d25cb5f upgraded these modules along with
`golang.org/x/crypto`. PR #25624 subsequently downgraded the
crypto module but missed rolling back these other changes to
Unfortunately the newer versions of these other modules fall
between the differences from Fedora to RHEL, so CI missed
their RHEL incompatibility. Under RHEL podman fails to
compile with the error:
```
_build/src/github.com/containers/podman/vendor/golang.org/x/net/http2/transport.go:1109:13:
tc.NetConn undefined (type *tls.Conn has no field or method NetConn)
```
Rollback `x/text` -> `v0.15.0`, which then through
`make vendor` pulls in adjustments to `x/tools` and `x/net`. Though
the versions are still newer than what they were prior to
f34c272/d25cb5f, so as far as podman releases go, they're actually
newer than what was available previously.
Manually tested on both RHEL 9.0 & 8.6
Signed-off-by: Chris Evich <cevich@redhat.com>
This commit re-vendors the module from a temporary source, and moves to
an earlier, patched version to address CVE-2025-22869. Prior to this
commit, building podman fails due to platform dependence on golang 1.17
- the version currently used to build for RHEL.
In the future, it is intended that the RHEL platform will migrate to a
newer golang toolchain. This will enable re-vendoring the crypto module
again back to the authoritative upstream source. Thus removing the need
for the temporary fork.
Resolves: RHEL-81301 RHEL-81320
Signed-off-by: Chris Evich <cevich@redhat.com>
As the title says. Bumping to address:
CVE-2024-1753
https://issues.redhat.com/browse/RHEL-26761
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Commit 3e7ca842a manually patched runc/libcontainer in vendor, which is
OK but creates a maintenance problem down the line.
Instead, let's
- create a branch[1] based on runc commit used here;
- backport the CVE-2024-21626 fixes;
- vendor the above branch here.
As a side note, all this mess could have been avoided if
https://github.com/opencontainers/runc/pull/3508 was backported
to a stable runc branch. Alas, this was never requested.
[1] https://github.com/projectatomic/runc/tree/podman-v4.2.0-rhel
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
There was a bug on s390x related to clone syscall argument order.
C/storage PR #1423 fixes it; this vendors into Podman to close
the loop and complete the fix.
Fixes RHBZ 2140084
Signed-off-by: Matthew Heon <mheon@redhat.com>
Also, do a general cleanup of all the timeout code. Changes
include:
- Convert from int to *uint where possible. Timeouts cannot be
negative, hence the uint change; and a timeout of 0 is valid,
so we need a new way to detect that the user set a timeout
(hence, pointer).
- Change name in the database to avoid conflicts between new data
type and old one. This will cause timeouts set with 4.2.0 to be
lost, but considering nobody is using the feature at present
(and the lack of validation means we could have invalid,
negative timeouts in the DB) this feels safe.
- Ensure volume plugin timeouts can only be used with volumes
created using a plugin. Timeouts on the local driver are
nonsensical.
- Remove the existing test, as it did not use a volume plugin.
Write a new test that does.
The actual plumbing of the containers.conf timeout in is one line
in volume_api.go; the remainder are the above-described cleanups.
Backported to v4.2.0-rhel per RHBZ 2125241
Signed-off-by: Matthew Heon <mheon@redhat.com>
By vendoring the fixes from containers/image. Also add a test (thanks
@edsantiago) to make sure we won't regress in the future again.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.
[NO NEW TESTS NEEDED]
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Since conmon-rs also uses this code we moved it to c/common. Now podman
should have this also to prevent duplication.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Using the new resource backend, implement podman pod create --memory which enables
users to modify memory.max inside of the parent cgroup (the pod), implicitly impacting all
children unless overridden.
Signed-off-by: Charlie Doern <cdoern@redhat.com>
Pull in fixes for platform checks to silence annoying warnings when
pulling images by platforms using uname values.
Fixes: #14669
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Currently, setting any sort of resource limit in a pod does nothing. With the newly
refactored creation process in c/common, podman can now set resources at a pod level,
meaning that resource related flags can now be exposed to podman pod create.
cgroupfs and systemd are both supported with varying completion. cgroupfs is a much
simpler process and one that is virtually complete for all resource types; the flags
now just need to be added. systemd on the other hand has to be handled via the dbus
api, meaning that the limits need to be passed as recognized properties to systemd.
The properties added so far are the ones that podman pod create supports as well as
`cpuset-mems`, as this will be the next flag I work on.
Signed-off-by: Charlie Doern <cdoern@redhat.com>
Update cobra to latest version. Remove workaround for podman -h.
Also regenerate the completion scripts.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Changes since 2022-05-31:
- add --omit-history option (buildah PR 4028)
Signed-off-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Note that the bud-logfile-with-split-logfile-by-platform test is skipped
on the remote client (see #14544).
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>