There are endless links pointing to this document; we should not get
rid of that.
Also, I find having two podman-quadlet pages with different numbers rather
confusing; while I understand the motivation, I think for most users this
is not intuitive. Most people will not type the man section numbers.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If the `Mount` option inside a quadlet is missing the source=... part,
the code today panics with the following message.
```
panic: runtime error: index out of range [0] with length 0
goroutine 1 [running]:
github.com/containers/podman/v5/pkg/systemd/quadlet.handleStorageSource(0xc000140de0?, 0x1d?, {0x0?, 0x1?}, 0x5634e39e233e?, 0x10?)
...
```
This commit checks for the missing source and returns an error to avoid the panic.
Signed-off-by: Jakob Meier <mail@jakobmeier.ch>
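The commit above replaces a panic on a `Mount=` line without `source=` with an error. The following is an added illustration of that fail-closed approach, not podman's own code: a hypothetical `parseMount` that validates every `key=value` field and reports a missing or empty source instead of indexing an empty split result (the "index out of range [0] with length 0" failure mode). It assumes, for the example only, that `type=bind` requires `source=`.

```go
package main

import (
	"fmt"
	"strings"
)

// MountSpec is a hypothetical parsed form of a quadlet Mount= value; it is
// not podman's own type.
type MountSpec struct {
	Type, Source, Destination string
}

// parseMount parses "type=bind,source=/host,destination=/ctr,ro" style
// values. Every field is checked before use, so a malformed unit makes
// generation fail with a message instead of panicking on an empty slice.
func parseMount(value string) (MountSpec, error) {
	var spec MountSpec
	if strings.TrimSpace(value) == "" {
		return spec, fmt.Errorf("Mount= value is empty")
	}
	for _, field := range strings.Split(value, ",") {
		kv := strings.SplitN(field, "=", 2)
		if len(kv) == 1 {
			continue // bare flag such as "ro"; nothing to index
		}
		if kv[1] == "" {
			return spec, fmt.Errorf("Mount= field %q has an empty value", field)
		}
		switch kv[0] {
		case "type":
			spec.Type = kv[1]
		case "source", "src":
			spec.Source = kv[1]
		case "destination", "dst", "target":
			spec.Destination = kv[1]
		}
	}
	// Assumption for this example: a bind mount is meaningless without source=.
	if spec.Type == "bind" && spec.Source == "" {
		return spec, fmt.Errorf("Mount= of type %q is missing source=", spec.Type)
	}
	return spec, nil
}
```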
For ConfigMap and Secret kube play volumes, podman populates the data
from the yaml. However, the volume content is not controlled by us and we
can be tricked into following a symlink to a file on the host instead.
Fixes: CVE-2025-9566
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
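The mitigation the commit above describes is to refuse symlinks when writing ConfigMap/Secret entries into a volume. The following is an added example of that defensive write, not podman's code: a hypothetical `writeVolumeFile` that rejects path traversal in the entry name, `Lstat`s every component below the volume root, and opens the final file with `O_NOFOLLOW` (assumes a Linux or BSD host where `syscall.O_NOFOLLOW` exists).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrSymlink is returned when a path component below the volume root is a
// symbolic link; the write is refused rather than followed out to the host.
var ErrSymlink = errors.New("refusing to follow symlink inside volume")

// writeVolumeFile is a hypothetical helper, not podman's code. It writes one
// ConfigMap/Secret entry named key below root: every component is Lstat'ed so
// a planted symlink is rejected, and O_NOFOLLOW on the final open fails (ELOOP)
// if a link is swapped in after the check.
func writeVolumeFile(root, key string, data []byte) error {
	parts := strings.Split(filepath.ToSlash(key), "/")
	for _, p := range parts {
		if p == "" || p == "." || p == ".." {
			return fmt.Errorf("invalid volume key %q", key)
		}
	}
	cur := root
	for i, p := range parts {
		cur = filepath.Join(cur, p)
		fi, err := os.Lstat(cur)
		switch {
		case os.IsNotExist(err) && i == len(parts)-1:
			// final file does not exist yet; it is created below
		case os.IsNotExist(err):
			if err := os.Mkdir(cur, 0o700); err != nil {
				return err
			}
		case err != nil:
			return err
		case fi.Mode()&os.ModeSymlink != 0:
			return fmt.Errorf("%w: %s", ErrSymlink, cur)
		}
	}
	f, err := os.OpenFile(cur, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}
```

Intermediate directories are still checked-then-used, so a hostile writer racing the check could in principle swap one; the final-component `O_NOFOLLOW` closes the window that matters most for this write.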
We already used `x` in tmpfiles, to ensure systemd did not remove
our directories or clean their contents (we really need them to
be left unmodified). However, systemd-tmpfiles lets us use more
than one directive per line, which means we can safely add an R!
(recursive remove on reboot) to these lines to ensure that, if
/tmp is not a tmpfs, systemd-tmpfiles will still remove our
temporary files, ensuring reboots are still accurately detected.
Signed-off-by: Matt Heon <mheon@redhat.com>
For podman build, --squash is different from the buildah bud --squash
option; in podman it must use --squash-all.
Fixes: #26906
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The `cleanupExecBundle` function was only meant to be called on a
locked container, as it does some state mutation operations. It
also has a timed wait (if the directory is busy and can't be
removed yet, give it a few milliseconds) in which it deliberately
yields the lock to not block the container for that time.
The `healthCheckExec()` function calls `cleanupExecBundle` out of
a `defer` block. This is after the `defer c.lock.Unlock()` so it
fires afterwards when the function returns, so we're normally
fine - the container is still locked when our defer runs. The
problem is that `healthCheckExec()` also unlocks the container
during the expensive exec operation, and can actually fail and
return while not holding the lock - meaning our `defer` can fire
on an unlocked container, leading to a potential double unlock
in `cleanupExecBundle`.
We could, potentially, re-lock the container after the exec
occurs, but we're actually waiting for a `select` to trigger to
end the function, so that's not a good solution. Instead, just
re-lock (if necessary) in the defer, before invoking
`cleanupExecBundle()`. The `defer c.lock.Unlock()` will fire
right after and unlock after us.
Fixes #26968
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Without this the cross binaries will never get rebuilt until the user
manually deletes them, which is not very useful.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This reverts commit c45b27ffb0.
This commit was just wrong: local-cross depends on this target as it
calls a target like "bin/podman.cross.linux.amd64". Without this it is
just broken as there is no matching target.
```
$ make bin/podman.cross.linux.amd64
make: *** No rule to make target 'bin/podman.cross.linux.amd64'. Stop.
```
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
At one point, we created multiple jails per container in order to enable
network configuration from outside the container jail. On FreeBSD 14.x
and later this is not necessary and there is only one jail per
container. In this case, return the correct jail name.
Signed-off-by: Mark Johnston <mark.johnston@klarasystems.com>
FreeBSD's ps ignores -J if -a is specified, so "podman top" would
effectively just run ps -a, not terribly useful. But there's no need to
specify -a when specifying a selector such as -J (or -G or -U, etc.).
Signed-off-by: Mark Johnston <mark.johnston@klarasystems.com>
The container/stats endpoint was unimplemented. Copy over the structure
from the Linux endpoint handler, albeit with most of the stats
unpopulated. This is similar to how "podman stats" returns very little
info on FreeBSD. On the other hand, some orchestration tools will query
the stats endpoint to check liveness of a container, so it's useful to
implement it even though some fields are unimplemented for now.
Signed-off-by: Mark Johnston <mark.johnston@klarasystems.com>
This commit does the following:
- Splits the podman-systemd.unit.5.md into multiple files - one for each
quadlet file type, podman-quadlet.7.md for general quadlet information
and podman-quadlet-basic-usage.7.md for quadlet examples.
- Removes the original podman-systemd.unit.5.md file.
- Adds support for jinja2 templating language in the markdown_preprocess.
- Uses jinja2 in options/*.md to use the single .md file for both podman
subcommands man-pages and quadlet man-pages. This deduplicates
the Quadlet man-pages a lot.
- Adds new `@@option quadlet:source.md` preprocess command to import
such .md files from options directory.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>