25129 Commits

Author SHA1 Message Date
cfdd5645a2 Merge commit from fork
[v5.5] machine init: fix tls check
2025-06-24 15:49:06 +02:00
05408b8149 Merge pull request #26493 from openshift-cherrypick-robot/cherry-pick-26298-to-v5.5
[v5.5] Make podman.io update action reusable
2025-06-23 17:41:44 +00:00
90db13c50b Merge pull request #26492 from openshift-cherrypick-robot/cherry-pick-26471-to-v5.5
[v5.5] fix panic on state refresh
2025-06-23 17:33:37 +00:00
1a04ca36d2 Make podman.io update action reusable
Signed-off-by: Ashley Cui <acui@redhat.com>
2025-06-23 17:20:33 +00:00
1569c20982 machine init: fix tls check
Ensure we verify the TLS connection when pulling the OCI image.

Fixes: CVE-2025-6032

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 726b506acc8a00d99f1a3a1357ecf619a1f798c3)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-23 17:58:18 +02:00
881d48eae2 fix panic on state refresh
In order to use parallel.Enqueue() it is required to call
parallel.SetMaxThreads() first. However in our main call we have been
doing this after we set up the initial runtime so just move this up.
And while at it move up the cpu and memory profile setup as well so we
can capture the earlier parts as well.

This was most likely introduced by commit 46d874aa52 ("Refactor graph
traversal & use for pod stop") which started using parallel.Enqueue() in
removePod() which then can get called from refresh() when a container
has autoremoval configured.

I tried many hard resets in VMs to reproduce but was unable to do so.
I always got "retrieving temporary directory for container xxx: no such
container" errors instead and it failed to autoremove but no panics.
Besides that many times c/storage was corrupted which made the image I
used unusable and it had to be deleted which is concerning in itself.

Fixes #26469

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-23 15:05:57 +00:00
be2b298bee Merge pull request #26305 from openshift-cherrypick-robot/cherry-pick-26303-to-v5.5
[v5.5] RPM: Limit Epoch 102 to podman-next copr
2025-06-06 15:32:19 +00:00
31639e85c6 RPM: Limit Epoch 102 to podman-next copr
Users of WSL images currently get podman from the copr rpm on the
release PR with Epoch: 102. This is a problem if the user is looking to
update the image with packages from official Fedora repos.

This commit limits Epoch: 102 to only the podman rpms on
rhcontainerbot/podman-next copr. All other rpms, including other copr
rpms, will use the default Epoch.

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2025-06-06 14:43:43 +00:00
f292c64ffb Merge pull request #26297 from podmanbot/bump-5.5.2-dev
Bump Podman to v5.5.2-dev
2025-06-06 12:40:13 +00:00
149bec7392 Bump Podman to v5.5.2-dev
Signed-off-by: mheon <7735048+mheon@users.noreply.github.com>
2025-06-05 20:55:06 +00:00
e13b76c4af Merge pull request #26294 from mheon/bump_551
Bump to v5.5.1
2025-06-05 20:53:42 +00:00
850db76dd7 Bump to v5.5.1
Signed-off-by: Matt Heon <mheon@redhat.com>
v5.5.1
2025-06-05 14:25:35 -04:00
af86699bff Merge pull request #26291 from mheon/release_notes_551
Release notes for v5.5.1
2025-06-05 17:05:05 +00:00
41dae619e8 Update release notes for v5.5.1
Signed-off-by: Matt Heon <mheon@redhat.com>
2025-06-05 11:51:00 -04:00
310505bff0 Merge pull request #26279 from nalind/buildah-1.40.1-5.5
[v5.5] Bump buildah from v1.40.0 to v1.40.1
2025-06-05 09:32:26 +00:00
279c592378 Build the dumpspec test helper for the buildah bud tests
Newer versions expect to use a new test helper.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-06-04 14:35:51 -04:00
4ef6a8715c [v5.5] Bump buildah from v1.40.0 to v1.40.1
Bump the version of buildah that we use from v1.40.0 to v1.40.1.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-06-04 13:58:46 -04:00
b1938316c3 Merge pull request #26275 from Luap99/v5.5
[v5.5] Backports and c/common v0.63.1 bump
2025-06-04 12:33:23 +00:00
efa20372b4 Fix overlay volumes on Windows
The Windows source folder path was not converted in the corresponding
machine folder path when the volume was of type overlay as it does for
other bind mount volumes.

Fix #25988

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
(cherry picked from commit f25cefcb1bd2faa8bc251b47b3dc1133b0b78c46)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-04 11:43:11 +02:00
61403afeaf Fix SQLite volume lookup queries matching too liberally
Specifically, this does two things:

1. Turn on case-sensitive LIKE queries. Technically, this is not
specific to volumes, as it will also affect container and pod
lookups - but there, it only affects IDs. So `podman rm abc123`
will not be the same as `podman rm ABC123` but I don't think
anyone was manually entering uppercase SHA256 hash IDs so it
shouldn't matter.

2. Escape the _ and % characters in volume lookup queries. These
are SQLite wildcards, and meant that `podman volume rm test_1`
would also match `podman volume rm testa2` (or any character in
place of the underscore). This isn't done with pod and container
lookups, but again those just use LIKE for IDs - so technically
`podman volume rm abc_123` probably works and removes containers
with an ID matching that pattern... I don't think that matters
though.

Fixes #26168

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
(cherry picked from commit b276e7ef21c62cdd491d3a7e0cbda156c1e05a47)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-04 11:40:00 +02:00
ee2370bc26 Handle "Entrypoint":[] in compat containers/create API.
When using `docker compose run --entrypoint ''`, docker sends
`"Entrypoint": []` in the JSON. Podman currently treats that
as `nil` and falls back to the default image entrypoint.

This is not what is expected by the user. Instead, it should
not use any entrypoint.

This commit fixes it by properly propagating the `[]` downstream
to libpod.

Fixes: #26078

Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
(cherry picked from commit 3a981915f006b166df7d4207eb154c893af99dce)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-04 11:39:49 +02:00
d71fbe7ba8 Fix handling of "r_limits" in Podman REST API /libpod/containers/create
The JSON decoder correctly cannot decode (overflow) negative values (e.g., `-1`) for fields of type `uint64`, as `-1` is used to represent `max` in `POSIXRlimit`. To handle this, we use `tmpSpecGenerator` to decode the request body. The `tmpSpecGenerator` replaces the `POSIXRlimit` type with a `tmpRlimit` type that uses the `json.Number` type for decoding values. The `tmpRlimit` is then converted into the `POSIXRlimit` type and assigned to the `SpecGenerator`.

This approach ensures compatibility with the Podman CLI and remote API, which already handle `-1` by casting it to `uint64` (`uint64(-1)` equals `MaxUint64`) to signify `max`.

Fixes: https://issues.redhat.com/browse/RUN-2859
Fixes: https://github.com/containers/podman/issues/24886

Signed-off-by: Jan Rodák <hony.com@seznam.cz>
(cherry picked from commit e66ff395b7c2618f58eb36e33e7324897ae54995)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-04 11:39:44 +02:00
8e120c93bd specgen/generate: Fix log tag priority
Currently setting log_tag from containers.conf will override any value
set via --log-opt tag=value option. This commit fixes this.

Fixes: https://github.com/containers/podman/issues/26236

Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
(cherry picked from commit a17f8afbbc634d81588e9f392a4b47542b6c2c29)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-04 11:37:08 +02:00
c5ac361844 system df --verbose don't crash
When a container has no image, i.e. using rootfs like our new infra
containers then the Image function crashed trying to show the first 12
image ID chars. If there is no image simply show nothing there.

Fixes: #26224

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 415668c802cb9988e856e56de5de1862fd746cb3)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-04 11:37:02 +02:00
d995e3eeaa docs: quadlet can translate names now
Remove no longer correct statement that quadlet does not translate
our own custom unit types

Fixes: e498c652 ("Quadlet - translate dependencies on other quadlet units")
Fixes: #26243

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit f2d941b241ba6ecc50f4e1f7c2469ecb58a7378d)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-04 11:36:56 +02:00
88890d3eb8 play kube: never add empty alias
Netavark v1.15 added new warnings on some invalid names and that
triggered a new test failure in podman e2e test.

The "Podman kube play with disabled cgroup" case now complains about an
empty name:
podman [options] kube play /tmp/CI_aM20/podman-e2e-3156601197/subtest-3441376193/p/kube.yaml
[WARN  netavark::network::bridge] invalid network alias "": name is empty, ignoring this name

This is because this test does not set a container name thus the code
was adding an empty string so to fix it check if the name is not empty
first.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit da95bbdd5deb547791a527d1143fc3c298b351d3)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-04 11:36:47 +02:00
45f62c0dcb podman system check: Fix error check logic
Previously there was a minor logic error, which caused podman system
check to do the check twice although there is no repair flag.

Signed-off-by: Sonny Sasaka <sonnysasaka@gmail.com>
(cherry picked from commit c87a761e055762339d6b7b59bf13c2f77dac22b4)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-04 11:36:41 +02:00
8542247538 libpod: don't force only network search domains
We like to append the host servers in that case so that we do not only
force dns.podman.

Fixes: #24713
Fixes: https://issues.redhat.com/browse/RHEL-83787

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 75dc508e98bdc2f1f23ea9bece3910e8bb25871e)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-04 11:36:26 +02:00
04447cc322 test/system: check --dns-option behavior
We should fully replace the options, now that we vendored the
libnetwork/resolvconf changes into podman this just works.

Fixes: #22399

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 89b8e233854b747c19215e82534e995e5ba001a0)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-04 11:36:26 +02:00
90c9c2271e vendor: update c/common to v0.63.1
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-04 11:35:03 +02:00
701a7a9c05 Merge pull request #26266 from ashley-cui/backport
[v5.5] Backport release fixes
2025-06-02 21:01:08 +00:00
10349a46c4 Trigger podman.io version bump from release action
Our release is created by a GitHub action, and GitHub prevents workflows from running on events that were caused by other workflows to prevent unlimited recursion.
To get around this, use a reusable workflow to trigger the podman.io version bump from the release action.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-06-02 14:31:12 -04:00
bbed5a8e2e Update RELEASE_PROCESS.md
We've added a bunch of new automation to make releases easier. Update RELEASE_PROCESS.md to reflect the changes.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-06-02 14:31:00 -04:00
238101d57c Merge pull request #26226 from openshift-cherrypick-robot/cherry-pick-26209-to-v5.5
[v5.5] Recreate the Rootfs in mountStorage for infra-container.
2025-05-28 17:35:17 +00:00
25e59c7dd2 Recreate the Rootfs in mountStorage for infra-container.
After the system reboot, the Rootfs for infra-container can
be removed. This can happen when it is stored on tmpfs.

This commit recreates the infra-container directory which is
used for Rootfs for infra-container before mounting it.

Fixes: #26190

Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
2025-05-28 14:38:56 +00:00
0eaa16a58d Merge pull request #26164 from openshift-cherrypick-robot/cherry-pick-26162-to-v5.5
[v5.5] libpod: fix mount order for "/" volume
2025-05-20 17:50:26 +00:00
bcada3ec09 libpod: fix mount order for "/" volume
The count function for / and /proc results in the same value so the
order is not guaranteed. We must ensure that a / mount is always first
in the spec so that other mounts are not overshadowed by it.

Fixes: #26161

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-05-20 16:59:30 +00:00
a71ce364cd Merge pull request #26144 from ashley-cui/5.5fix
[v5.5] GHA Release: Fix windows installer uploads
2025-05-15 15:10:04 +00:00
c2a8447e1f GHA Release: Fix windows installer uploads
The new arm and amd installers were left behind, upload them automatically to the GH release

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-15 10:05:39 -04:00
48d3bcb2ec Merge pull request #26138 from openshift-cherrypick-robot/cherry-pick-26137-to-v5.5
[v5.5] fix macos compile issue with go 1.24.3
2025-05-14 21:15:18 +00:00
d7d1b4f194 Merge pull request #26132 from podmanbot/bump-5.5.1-dev
Bump Podman to v5.5.1-dev
2025-05-14 18:26:39 +00:00
5a647f154e fix macos compile issue with go 1.24.3
Some changes in go broke purego and that causes a compile error on
macos. This update fixes it.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-05-14 17:59:41 +00:00
5141374193 Bump Podman to v5.5.1-dev
Signed-off-by: mheon <7735048+mheon@users.noreply.github.com>
2025-05-14 14:58:36 +00:00
f6c781ba8f Merge pull request #26126 from mheon/bump_550
Bump to v5.5.0
2025-05-14 13:58:35 +00:00
0dbcb51477 Bump to v5.5.0
Signed-off-by: Matt Heon <mheon@redhat.com>
v5.5.0
2025-05-13 14:59:13 -04:00
d0d4a79d9e Merge pull request #26122 from mheon/release_notes_550
Add release notes for v5.5.0
2025-05-13 15:56:56 +00:00
712291aee8 Update release notes for v5.5.0 final
Signed-off-by: Matt Heon <mheon@redhat.com>
2025-05-13 11:24:28 -04:00
37f621579b Bump bundled krunkit to 0.2.1
Bump the bundled krunkit version from 0.2.0 to 0.2.1.

Signed-off-by: Sergio Lopez <slp@redhat.com>
2025-05-13 11:18:04 -04:00
ab71cebe95 Merge commit from fork
[skip-ci] [v5.5] Tighten version match
2025-05-12 15:54:30 +02:00
5ad243a7da [skip-ci] Tighten version match
Tighten the regex needed to match a valid version.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-12 09:43:17 -04:00