For ConfigMap and Secret kube play volumes podman populates the data
from the yaml. However the volume content is not controlled by us and we
can be tricked into following a symlink to a file on the host instead.
Fixes: CVE-2025-9566
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
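As an added illustration of the class of check the commit above describes (not Podman's own code), this Go function populates a ConfigMap/Secret-style volume directory from a key-to-content map while refusing to write through a symlink or a traversal key; it assumes Linux, where `syscall.O_NOFOLLOW` is available.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// ErrSymlink is returned when an existing volume entry is not a regular file.
var ErrSymlink = errors.New("refusing to write through symlink or non-regular file in volume")

// populateVolume writes each key as a file under volDir. Illustrative only,
// not Podman's code: the volume directory is treated as attacker-controlled,
// so the destination is never followed if it is (or becomes) a symlink.
func populateVolume(volDir string, data map[string][]byte) error {
	for key, content := range data {
		// Keys must be plain file names; reject path traversal outright.
		if filepath.Base(key) != key || key == "." || key == ".." {
			return fmt.Errorf("invalid key %q", key)
		}
		dest := filepath.Join(volDir, key)
		// Lstat does not follow symlinks: an existing entry must be a regular file.
		if fi, err := os.Lstat(dest); err == nil {
			if !fi.Mode().IsRegular() {
				return fmt.Errorf("%s: %w", dest, ErrSymlink)
			}
		} else if !errors.Is(err, os.ErrNotExist) {
			return err
		}
		// O_NOFOLLOW closes the TOCTOU window between Lstat and the open:
		// if dest became a symlink in between, the open fails instead of
		// truncating the link target on the host.
		f, err := os.OpenFile(dest, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o600)
		if err != nil {
			return err
		}
		_, werr := f.Write(content)
		if cerr := f.Close(); werr == nil {
			werr = cerr
		}
		if werr != nil {
			return werr
		}
	}
	return nil
}
```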
Unfortunately on a number of occasions, Podman has been released
officially with a `-dev` suffix in the version number. Assist in
catching this mistake at release time by the addition of a simple
conditional test. Note that it must be positively enabled by a
magic env. var. before executing the system tests.
Ref. original PR: https://github.com/containers/podman/pull/26540
Signed-off-by: Chris Evich <cevich@redhat.com>
Commits f34c272 and d25cb5f upgraded these modules along with
`golang.org/x/crypto`. PR #25624 subsequently downgraded the
crypto module but missed rolling back these other changes to
Unfortunately the newer versions of these other modules fall
between the differences from Fedora to RHEL, so CI missed
their RHEL incompatibility. Under RHEL podman fails to
compile with the error:
```
_build/src/github.com/containers/podman/vendor/golang.org/x/net/http2/transport.go:1109:13:
tc.NetConn undefined (type *tls.Conn has no field or method NetConn)
```
Rollback `x/text` -> `v0.15.0`, which then through
`make vendor` pulls in adjustments to `x/tools` and `x/net`. Though
the versions are still newer than what they were prior to
f34c272/d25cb5f, so as far as podman releases go, they're actually
newer than what was available previously.
Manually tested on both RHEL 9.0 & 8.6
Signed-off-by: Chris Evich <cevich@redhat.com>
This commit re-vendors the module from a temporary source, and moves to
an earlier, patched version to address CVE-2025-22869. Prior to this
commit, building podman fails due to platform dependence on golang 1.17
- the version currently used to build for RHEL.
In the future, it is intended that the RHEL platform will migrate to a
newer golang toolchain. This will enable re-vendoring the crypto module
again back to the authoritative upstream source. Thus removing the need
for the temporary fork.
Resolves: RHEL-81301 RHEL-81320
Signed-off-by: Chris Evich <cevich@redhat.com>
The Fedora-36 CI VMs used prior to 2b3867e closely matched RHEL-8.6
which is the intended destination of this v4.2.0-rhel release branch.
Importantly this change, along with one or more future commits
(f34c2726..31e11a06) led to downstream build failures on RHEL 8.6,
and reproduce using the original Fedora-36 CI VMs. In other words,
leaving the F36 CI VMs in place would have allowed these failures
to be caught during upstream rather than downstream testing.
Also strip the F41 aarch64 build as this similarly isn't relevant
in a RHEL 8.6 context, nor was this architecture present in CI
for this branch previously.
Signed-off-by: Chris Evich <cevich@redhat.com>
Update cirrus.yml to the latest image based off 5.4-rhel, then disable
validate as there is no point for it when we do backports. And only
perform a single build on the f41.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
In the remote environment, this test will fail,
because the error message is different from the local environment.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
Basically, in the timeout loop where we checked for new CID
on the restarted container, we were running 'podman inspect'
(not 'inspect --format ID'), and comparing full hundred-line
output against single-line CID string.
While I'm in here, add 'c_' prefix to container to make it
easier for my old eyes to recognize "oh, that's a container name"
vs "is that a name? a SHA? a woozle?"
Signed-off-by: Ed Santiago <santiago@redhat.com>
This release branch is tracking RHEL 8.6/9.0 and therefore has no need
to execute any CI testing on F35/Ubuntu. Worse, going forward these
releases contain golang versions incompatible with future CVE backports.
Remove them.
Signed-off-by: Chris Evich <cevich@redhat.com>
Commit 3e7ca842a manually patched runc/libcontainer in vendor, which is
OK but creates a maintenance problem down the line.
Instead, let's
- create a branch[1] based on runc commit used here;
- backport the CVE-2024-21626 fixes;
- vendor the above branch here.
As a side note, all this mess could have been avoided if
https://github.com/opencontainers/runc/pull/3508 was backported
to a stable runc branch. Alas, this was never requested.
[1] https://github.com/projectatomic/runc/tree/podman-v4.2.0-rhel
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Someone please revert this once quay search is fixed.
Signed-off-by: Ed Santiago <santiago@redhat.com>
<MH: Cherry-pick into v4.2.0-rhel to fix CI>
Signed-off-by: Matt Heon <mheon@redhat.com>
We can't bump runc in this branch, it brings in too many other
things that won't build on this old Golang (this branch is still
on v1.16).
So, instead, backport the runc patches to this older runc.
The good news: We vendor very little of runc, so this was not all
that difficult.
Signed-off-by: Matt Heon <mheon@redhat.com>
systemd expects the value of the option to be `no` instead, but this is
already the default behavior. This fixes the following warning when
running `systemctl status` on the unit:
```
Failed to parse service restart specifier, ignoring: never
```
Addresses: https://issues.redhat.com/browse/OCPBUGS-14284
[NO NEW TESTS NEEDED]
Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
Signed-off-by: Tom Sweeney <tsweeney@redhat.com>
Cherry-pick #15788 to v4.2.0-rhel branch per RHBZ 2157930
In view of https://github.com/containers/storage/pull/1337, do this:
```
for f in $(git grep -l stringid.GenerateNonCryptoID | grep -v '^vendor/'); do
    sed -i 's/stringid.GenerateNonCryptoID/stringid.GenerateRandomID/g' $f;
done
```
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>