Commit Graph

7012 Commits

Author SHA1 Message Date
Paul Holzinger
f07a95da0e test/compose: use 4 spaces indentation
For consistency.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-31 15:00:12 +02:00
Paul Holzinger
9f422e1a77 test/compose: use cdi option over mount
So that we don't have to overwrite a system dir and also can test
rootless.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-31 14:58:56 +02:00
Paul Holzinger
926ad1172e test/compose: remove cni reference
CNI has not been tested here for a long time, use a more appropriate
directory name.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-31 14:58:56 +02:00
openshift-merge-bot[bot]
490eb476a8 Merge pull request #25717 from jankaluza/cdi-spec-dir
Add cdi-spec-dir option to top level options
2025-03-28 13:52:20 +00:00
openshift-merge-bot[bot]
4f7b95de54 Merge pull request #25718 from ricardobranco777/runc
test: Fix runc error message
2025-03-28 13:19:13 +00:00
openshift-merge-bot[bot]
d842b145f7 Merge pull request #25699 from johnschug/main
quadlet: add support for the UpheldBy option in the Install section
2025-03-28 12:43:42 +00:00
Ricardo Branco
392a8f4ac5 test: Fix runc error message
Signed-off-by: Ricardo Branco <rbranco@suse.de>
2025-03-28 12:53:42 +01:00
Micah Chambers (eos)
dce36131ae Add cdi-spec-dir option to top level options.
This commit adds new --cdi-spec-dir global option. This
option is used to add additional CDI spec paths.

Signed-off-by: Micah Chambers (eos) <mchambers@anduril.com>
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
2025-03-28 11:24:57 +01:00
John Schug
a0cae65c13 quadlet: add support for the UpheldBy option in the Install section
This adds support for the UpheldBy option in quadlet files. The UpheldBy option
is the counterpart to the Upholds option added in systemd v249 and is
similar to the existing WantedBy and RequiredBy options.

See https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Upholds=.

Signed-off-by: John Schug <john.ips.schug@gmail.com>
2025-03-27 15:48:46 -07:00
axel7083
ea5ed2a875 fix: mounting issue with single character volume on windows
fixes https://github.com/containers/podman/issues/25218

Signed-off-by: axel7083 <42176370+axel7083@users.noreply.github.com>
2025-03-26 17:57:52 +01:00
openshift-merge-bot[bot]
cb2466004f Merge pull request #25645 from jankaluza/24418
Add support for --pids-limit in podman kube play.
2025-03-26 16:15:45 +00:00
openshift-merge-bot[bot]
f5ab9d1530 Merge pull request #25687 from giuseppe/reenable-vfs-test
fix idmapped mounts test failure on vfs
2025-03-26 13:44:17 +00:00
openshift-merge-bot[bot]
a918c91678 Merge pull request #25512 from findesgh/feature/#21256-extend-cidfile-support
Feature/#21256 extend cidfile support
2025-03-26 13:03:35 +00:00
openshift-merge-bot[bot]
d4cfceeda5 Merge pull request #25681 from Honny1/fix-container-clone-with-hc
Fix container clone with configured Healthcheck
2025-03-26 11:38:14 +00:00
openshift-merge-bot[bot]
8d693d60dc Merge pull request #25675 from jankaluza/25109
Add support for Retry= and RetryDelay= to Podman Quadlet.
2025-03-26 11:19:00 +00:00
Giuseppe Scrivano
1f3347ff3c test: re-enable idmapped mounts test on vfs
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-03-26 12:11:11 +01:00
Jan Rodák
f94d613556 Fix container clone with configured Healthcheck
Fixes: https://github.com/containers/podman/issues/21630
Fixes: https://issues.redhat.com/browse/RUN-2632

Signed-off-by: Jan Rodák <hony.com@seznam.cz>
2025-03-26 11:01:18 +01:00
Jan Kaluza
f15b0887c7 Add support for pids-limit annotation for podman kube play.
This commit adds new annotation called:

io.podman.annotations.pids-limit/$ctrname

This annotation is used to define the PIDsLimit for
a particular pod. It is also automatically defined
when newly added --pids-limit option is used.

Fixes: #24418

Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
2025-03-26 10:06:56 +01:00
Jan Kaluza
08a1c6d91e Add support for Retry= and RetryDelay= to Podman Quadlet.
This commit adds new Retry= and RetryDelay= options
to quadlet.go which result in --retry and --retry-delay
usage in podman run, image and build commands.

This allows configuring the retry logic in the systemd
files.

Fixes: #25109

Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
2025-03-26 09:01:28 +01:00
openshift-merge-bot[bot]
b58250b35d Merge pull request #25664 from victortoso/add-kube-subpath
Add volume SubPath in generate kube
2025-03-25 14:33:10 +00:00
Victor Toso
321634d599 Add volume SubPath in generate kube
Trying to generate a Pod yaml file when we are using --mount with
SubPath does not generate a VolumeMount with SubPath. This patch fixes
that.

Note that kube play does support SubPath since 95cc7e052, see:
    https://github.com/containers/podman/pull/16803

Signed-off-by: Victor Toso <victortoso@redhat.com>
2025-03-25 11:59:21 +01:00
flouthoc
7ca96702ee buildah-bud: skip bud-with-mount-cache-like-buildkit
Following test needs unique cache in TMPDIR so cache of this test does
not conflict with other tests however for this specific test there is
no convenient way to pass custom TMPDIR.

Skipping this test similar to this already exists in tests/bud.bats but
covers `--mount=type=cache,sharing=locked`

Read more discussion here: https://github.com/containers/podman/issues/25414
Closes: https://github.com/containers/podman/issues/25414

Signed-off-by: flouthoc <flouthoc.git@gmail.com>
2025-03-24 19:28:06 -07:00
Martin Glatzle
f1527283d6 Make exec support --cidfile.
Fixes: #21256

Signed-off-by: Martin Glatzle <findessp@yandex.ru>
2025-03-21 17:46:47 +01:00
openshift-merge-bot[bot]
7d3ee5a5cd Merge pull request #25635 from giuseppe/mask-thermal-paths
Mask thermal paths
2025-03-21 14:44:32 +00:00
openshift-merge-bot[bot]
b2285f6d46 Merge pull request #25626 from jankaluza/24875
Add --env and --unsetenv to podman update.
2025-03-21 13:52:17 +00:00
Giuseppe Scrivano
260035d069 vendor: update common and buildah
vendor the following dependencies:

- https://github.com/containers/common/pull/2375
- https://github.com/containers/buildah/pull/6074

Closes: https://github.com/containers/podman/issues/25634

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-03-21 14:36:00 +01:00
Jan Kaluza
701aade262 Add --env and --unsetenv to podman update.
The --env is used to add new environment variable to container or
override the existing one. The --unsetenv is used to remove
the environment variable.

It is done by sharing "env" and "unsetenv" flags between both
"update" and "create" commands and later handling these flags
in the "update" command handler.

The list of environment variables to add/remove is stored
in newly added variables in the ContainerUpdateOptions.

The Container.Update API call is refactored to take
the ContainerUpdateOptions as an input to limit the number of its
arguments.

The Env and UnsetEnv lists are later handled using the envLib
package and the Container is updated.

The remote API is also extended to handle Env and EnvUnset.

Fixes: #24875

Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
2025-03-21 13:15:44 +01:00
renovate[bot]
0ca539c3ab chore(deps): update dependency setuptools to v77
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-03-20 17:05:33 +00:00
openshift-merge-bot[bot]
5c9fd29808 Merge pull request #25617 from giuseppe/use-securejoin-openinroot
container: replace code with securejoin.OpenInRoot()
2025-03-19 13:37:37 +00:00
openshift-merge-bot[bot]
0031c9500a Merge pull request #25625 from giuseppe/set-additional-gids-exec
libpod: fix handling of additional gids in exec
2025-03-19 13:26:39 +00:00
Giuseppe Scrivano
51ca839c14 libpod: fix handling of additional gids in exec
change the behavior to match what Docker does.

Docker always adds the specified additional gids, no matter the user
specified to exec.

Instead the additional gids read from the /etc/group file are added
only when there is not an explicit group specified in the exec
userspec.

➜ docker run -d --name container-with-groups --group-add mail --group-add news --group-add cron --group-add ftp --rm alpine top
c4190928097f64cabb83af7cac6ec10041a9e74de359433dfd3e5b9d8a7dce1a
➜ docker exec container-with-groups id -G
0 1 2 3 4 6 10 11 12 13 16 20 21 26 27
➜ docker exec --user root container-with-groups id -G
0 1 2 3 4 6 10 11 12 13 16 20 21 26 27
➜ docker exec --user nobody container-with-groups id -G
65534 12 13 16 21
➜ docker exec --user nobody:nobody container-with-groups id -G
65534 12 13 16 21
➜ docker exec --user root:root container-with-groups id -G
0 12 13 16 21
➜ docker exec --user root:root container-with-groups id -G
0 12 13 16 21

Closes: https://github.com/containers/podman/issues/25610

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-03-19 12:56:27 +01:00
Giuseppe Scrivano
c0627de21d container: replace code with securejoin.OpenInRoot()
when the code was first added, there was no securejoin.OpenInRoot().
Since there is a function already provided by a dependency and already
used in libpod, replace the custom code with securejoin.OpenInRoot().

The new version does not report a symlink that points outside the
root, but it is still resolved relative to the specified mountpoint,
since that is the openat2 semantic.  It does not affect the security
of the function.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-03-19 09:32:47 +01:00
Paul Holzinger
a23511e341 vendor: update github.com/burntsushi/toml to v1.5.0
Includes one minor test fix as the line number reported as error was
changed, it seems to be actually correct now.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-18 15:34:42 +01:00
renovate[bot]
829cc591df chore(deps): update dependency setuptools to ~=76.1.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-03-18 11:22:57 +00:00
Paul Holzinger
b3fe3906bb test/e2e: skip idmapped mounts test with vfs
Giuseppe is working on some proper fixes, for now in order to get this
moved along skip it so we can merge the disk usage fix.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-17 13:48:12 +01:00
Paul Holzinger
97cab8c9c0 test/system: add systemd df regression test
Add a test for https://github.com/containers/podman/issues/24452

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-17 13:38:06 +01:00
renovate[bot]
dd4f67fd72 chore(deps): update dependency setuptools to v76
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-03-15 12:58:42 +00:00
openshift-merge-bot[bot]
ca10fce595 Merge pull request #25586 from mheon/fix_25585
Fix a potential deadlock during `podman cp`
2025-03-14 15:13:24 +00:00
Matt Heon
687fe08f42 Fix a potential deadlock during podman cp
Have one function without a `defer lock.unlock()` as one of the
commands in it calls a function that also takes the same lock,
so the unlock has to happen prior to function completion.
Unfortunately, this is prone to errors, like the one here: I
missed a case, and we could return without unlocking, causing a
deadlock later in the cleanup code as we tried to take the same
lock again.

Refactor the command to use `defer unlock()` to simplify and
avoid any further errors of this type.

Introduced by e66b788a51 - this
should be included in any backports of that commit.

Fixes #25585

Signed-off-by: Matt Heon <mheon@redhat.com>
2025-03-14 10:37:59 -04:00
openshift-merge-bot[bot]
f981584f91 Merge pull request #25561 from Luap99/new-images
New images 2025-03-12
2025-03-14 13:44:55 +00:00
openshift-merge-bot[bot]
d1d8f3334f Merge pull request #25520 from Honny1/fix-hc-inf-log
Fix HealthCheck log destination, count, and size defaults
2025-03-13 18:59:34 +00:00
Paul Holzinger
bcc2063e9e test/e2e: use go net.Dial() over nc
This is simpler as we don't have to rely on an external command. The
retry loop is needed as we check for a container process connection, and
while we know podman binds the port before returning there is no way to
know when the container application bound the port so we must retry a
bit.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-13 19:44:14 +01:00
Paul Holzinger
f8787bb219 test: use ncat over nc
nc can be provided by either ncat (nmap) or netcat (OpenBSD), we only
work with the nmap version so make sure we always use that one and not
the short alias which can be resolved to either one.

It is not clear to me what changed on rawhide but it seems netcat is
preferred even though we have nmap-ncat installed.

Note this only changes the host side nc calls, the Alpine based images
only have nc as command so we must continue to use it inside.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-13 19:44:14 +01:00
openshift-merge-bot[bot]
6e34514553 Merge pull request #25397 from Luap99/artifact-mount
add artifact mount support
2025-03-13 12:53:34 +00:00
Jan Rodák
fff42ac232 Fix HealthCheck log destination, count, and size defaults
GoLang sets unset values to the default value of the type. This means that the destination of the log is an empty string and the count and size are set to 0. However, this means that size and count are unbounded, and this is not the default behavior.

Fixes: https://github.com/containers/podman/issues/25473
Fixes: https://issues.redhat.com/browse/RHEL-83262

Signed-off-by: Jan Rodák <hony.com@seznam.cz>
2025-03-12 21:27:00 +01:00
renovate[bot]
18abb18c9a chore(deps): update dependency setuptools to ~=75.9.1
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-03-12 19:03:18 +00:00
Paul Holzinger
9e94dc53b2 add new artifact mount type
Add a new option to allow for mounting artifacts in the container, the
syntax is added to the existing --mount option:
type=artifact,src=$artifactName,dest=/path[,digest=x][,title=x]

This works very similarly to image mounts. The name is passed down into
the container config and then on each start we look up the artifact and
then figure out which blobs to mount. There is no protection against a
user removing the artifact while still being used in a container. When
the container is running the bind mounted files will stay there (as the
kernel keeps the mounts active even if the bind source was deleted).
On the next start it will fail to start as if it does not find the
artifact. The good thing is that this technically allows someone to
update the artifact with the new file by creating a new artifact with
the same name.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-12 19:42:14 +01:00
Paul Holzinger
f6e2d94409 test/e2e: improve createArtifactFile()
There is no need whatsoever to run container to populate a random file,
this is just much slower than just writing some random bytes directly
without having to run a container and run dd in it.

Also the function accepted the number of bytes, however because dd uses
a minimum block size of 512 bytes it was actually numBytes * 1024 which
were written. That makes no sense so fix the two tests that depended on
the wrong number.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-12 19:42:14 +01:00
openshift-merge-bot[bot]
9573519cca Merge pull request #25452 from ygalblum/quadlet-warning-messages
Quadlet warning messages
2025-03-12 17:35:29 +00:00
Giuseppe Scrivano
c9c44d400c libpod: do not cover idmapped mountpoint
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-03-11 11:03:41 +01:00