The `cleanupExecBundle` function was only meant to be called on a
locked container, as it does some state mutation operations. It
also has a timed wait (if the directory is busy and can't be
removed yet, give it a few milliseconds) in which it deliberately
yields the lock to not block the container for that time.
The `healthCheckExec()` function calls `cleanupExecBundle` out of
a `defer` block. This is after the `defer c.lock.Unlock()` so it
fires afterwards when the function returns, so we're normally
fine - the container is still locked when our defer runs. The
problem is that `healthCheckExec()` also unlocks the container
during the expensive exec operation, and can actually fail and
return while not holding the lock - meaning our `defer` can fire
on an unlocked container, leading to a potential double unlock
in `cleanupExecBundle`.
We could, potentially, re-lock the container after the exec
occurs, but we're actually waiting for a `select` to trigger to
end the function, so that's not a good solution. Instead, just
re-lock (if necessary) in the defer, before invoking
`cleanupExecBundle()`. The `defer c.lock.Unlock()` will fire
right after and unlock after us.
Fixes#26968
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We already used `x` in tmpfiles, to ensure systemd did not remove
our directories or clean their contents (we really need them to
be left unmodified). However, systemd-tmpfiles lets us use more
than one directive per line, which means we can safely add an R!
(recursive remove on reboot) to these lines to ensure that, if
/tmp is not a tmpfs, systemd-tmpfiles will still remove our
temporary files, ensuring reboots are still accurately detected.
Signed-off-by: Matt Heon <mheon@redhat.com>
For ConfigMap and Secret kube play volumes podman populates the data
from the yaml. However the volume content is not controlled by us and we
can be tricked following a symlink to a file on the host instead.
Fixes: CVE-2025-9566
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 43fbde4e665fe6cee6921868f04b7ccd3de5ad89)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Starting with runc 1.3.0 it errors when we pass unknown mount options to
the runtime, the copy/nocopy options are specific to podman when we
mount the volume and are not valid mount options for the runtime.
Fixes: #26938
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Starting with runc 1.3.0 it errors when we pass unknown mount options to
the runtime, the volume-opt options are specifc to the volume we create
and should not be passed to the mount in the oci spec.
Fixes: #26938
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
unconfined is a special value and not a path as such it must not be
converted otherwise --security-opt seccomp=unconfined fails as it tries
to access a file called unconfined.
Fixes: 3e8b2d7d96 ("Fix seccomp profile path on Windows")
Fixes: #26855
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
In the journald driver there is a bug where the network event
attributes are not preserved. This causes the network driver to be
missing and that in turn causes the ToHumanReadable() function to print
an empty line. Fix it by making sure we preserve the network driver in
the event attributes.
Fixes: https://issues.redhat.com/browse/RHEL-109790
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Bump Buildah to v1.41.3 in preparation for Podman v5.6.0. This vendoring also
cures a last minute issue in the Buildah build code.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
An issue was found late in Podman v5.6 RC2 and it was reported
in #26773. The failing test was changed so that it was skipped.
This commit renables that test as the fix should be contained
in Buildah 1.41.3.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Right now, only log-level=info, so not shown by default. We can
continue to up this in subsequent releases to convince folks of
the urgency of switching.
Resolves https://issues.redhat.com/browse/RUN-3343
Signed-off-by: Matt Heon <mheon@redhat.com>
