This updates the Windows installer and macOS installer to ship the newer
binaries, as well as the vendored gvisor-tap-vsock code.
[NO NEW TESTS NEEDED]
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Bump containers/(storage, common, buildah and image)
Changes since 2023-01-01:
- skip mount-cache-selinux-long-name test under remote, with
a FIXME requesting that someone see if it can be made to work.
- skip six tests that fail under rootless-remote
- add new --build-arg-file option:
- update man page
Squash of:
* cf56eb1865
* 561f082772
Signed-off-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Aditya R <arajan@redhat.com>
implement new ssh interface into podman
this completely redesigns the entire functionality of podman image scp,
podman system connection add, and podman --remote. All references to golang.org/x/crypto/ssh
have been moved to common as have native ssh/scp execs and the new usage of the sftp package.
this PR adds a global flag, --ssh to podman which has two valid inputs `golang` and `native` where golang is the default.
Users should not notice any difference in their everyday workflows if they continue using the golang option. UNLESS they have been using an improperly verified ssh key, this will now fail. This is because podman was incorrectly using the
ssh callback method to IGNORE the ssh known hosts file which is very insecure and golang tells you not yo use this in production.
The native paths allows for immense flexibility, with a new containers.conf field `SSH_CONFIG` that specifies a specific ssh config file to be used in all operations. Else the users ~/.ssh/config file will be used.
podman --remote currently only uses the golang path, given its deep interconnection with dialing multiple clients and urls.
My goal after this PR is to go back and abstract the idea of podman --remote from golang's dialed clients, as it should not be so intrinsically connected. Overall, this is a v1 of a long process of offering native ssh, and one that covers some good ground with podman system connection add and podman image scp.
Signed-off-by: Charlie Doern <cdoern@redhat.com>
golang.org/x/crypto/ssh/terminal is deprecated. The package was moved to
golang.org/x/term. golang.org/x/crypto/ssh/terminal was already just
calling golang.org/x/term itslef so there are no functional changes.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Resolves: GHSA-8c26-wmh5-6g9v - CVE-2022-27191
Podman doesn't seem to be directly affected as the logic in question
is not called.
golang.org/x/crypto@1baeb1ce contains the actual CVE fix. Using the
latest upstream commit to also include support for SHA-2.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
added functionality for image secure copying from local to remote.
Also moved system connection add code around a bit so functions within that file
can be used by scp.
Signed-off-by: cdoern <cdoern@redhat.com>
Some systems have "HashKnownHosts yes" in their ssh_config
This causes entries in the ssh known_hosts to be hashed (|)
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* podman --remote ssh://<user>:<password>@<host>:<port><path>
* podman --remote ssh://<user>:<password>@<host>:<port><path> \
--identity <path> --passphrase <phrase>
* ssh-add <key>
podman --remote ssh://<user>@<host><path>
* Fix `podman help` to run even if podman missing components
* Prompt for passphrase on stdin IFF key is protected and passphrase
not given via any other configuration
* cobra flags do not support optional value flags therefore refactored
--remote to be a boolean and --url will now contain the URI to Podman
service
Signed-off-by: Jhon Honce <jhonce@redhat.com>
* If possible, update each dependency to the latest available version.
* Use releases over commit IDs and avoid vendoring branches.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Some more features.
docker-archive generates docker legacy compatible images
Do not create $DiffID subdirectories for layers with no configs
Ensure the layer IDs in legacy docker/tarfile metadata are unique
docker-archive: repeated layers are symlinked in the tar file
sysregistries: remove all trailing slashes
Improve docker/* error messages
Fix failure to make auth directory
Create a new slice in Schema1.UpdateLayerInfos
Drop unused storageImageDestination.{image,systemContext}
Load a *storage.Image only once in storageImageSource
Support gzip for docker-archive files
Remove .tar extension from blob and config file names
ostree, src: support copy of compressed layers
ostree: re-pull layer if it misses uncompressed_digest|uncompressed_size
image: fix docker schema v1 -> OCI conversion
Add /etc/containers/certs.d as default certs directory
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #569
Approved by: mheon
