24655 Commits

Author SHA1 Message Date
fe82fa85d2 pkg/specgenutil: rework volume/mount parsing
Use a helper struct to hold the mounts instead of returning 5+ return
values from the functions. This allows use to easily add more volume
types without having to update all return lines every time in the
future. And 5+ return values are really not readable anymore so this
should make it easier to follow the code.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-12 19:42:14 +01:00
590bf8b79d pkg/specgenutil: unexport Mounts()
The function is never used elsewhere so do not export it.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-12 19:42:14 +01:00
51cfcc65d5 correctly preallocate artifactDigests in ArtifactRm()
Will safe a few memory copies, we must do that only after namesOrDigests
was populated so the len() does not report zero.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-12 19:42:14 +01:00
b232ea3d18 create artifact store in the libpod runtime
Instead of duplicating the NewArtifactStore() call in many places and
having to make sure we always pass the same path to it define it as
function on the runtime. This allows any caller with access to the
libpod runtime to create the store easily.

This is suing a sync.OnceValues() function so the store is initialized
only once and only when actually needed.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-12 19:42:13 +01:00
7c200a5f4c libartifact: add BlobMountPaths()
The goal of this new interface is to expose the blob source path and the
target file name for a bind mount into a container.

libpod will call this and then take care of setting up the actual mounts
based on the returned paths.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-12 19:42:13 +01:00
86a6539b76 libartifact: extract common code into helper
Create a getArtifactAndImageSource() function so this one can be shared
with the new mount blob API that is added next to avoid code
duplication.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-12 19:42:13 +01:00
4cd19b7f7a libartifact: fix comment on Extract()
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-12 19:42:13 +01:00
618e37794e libartifact: create FilterBlobOptions
The main point of this is so that I can share the same lookup logic
between Extract() and then the new blob path API I add next.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-12 19:42:13 +01:00
07c1f0b996 Merge pull request #25553 from l0rd/fix-latest-win-installer-download
Windows installer test: hardcode the ID of the latest GH release
2025-03-12 18:38:44 +00:00
9573519cca Merge pull request #25452 from ygalblum/quadlet-warning-messages
Quadlet warning messages
2025-03-12 17:35:29 +00:00
91072dc940 Win installer test: hardcode latest GH release ID
To avoid problems when automatically downloading
`latest` podman windows installer (e.g. the windows
installer hasn't been included in the GH release
because of a problems with the keys to sign it), we
are now hardcoding the version of Podman that is
used to test the upgrade from latest to current
version.

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2025-03-12 17:44:26 +01:00
3e16ddc5e3 Merge pull request #25549 from lsm5/packit-git-commit-fix
[skip-ci] Packit: Fix action script for updating upstream commit id in rpm spec
2025-03-12 15:27:39 +00:00
d9d8aa49bd Merge pull request #25533 from Luap99/main-crypto
Update CI to go1.23 and golang.org/x/crypto v0.36.0
2025-03-12 13:32:07 +00:00
6ea7b192fa [skip-ci] Packit: Fix action script for fetching upstream commit
This fixes multiple trailing quotes after the commit and also ensures
the older commit id will be correctly replaced by the newer id.

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2025-03-12 17:37:12 +05:30
5eeaa43728 Merge pull request #25518 from Luap99/docker-v28
update docker to v28 and c/{common,image,storage} to main
2025-03-11 17:44:26 +00:00
c6ab079e06 Merge pull request #25504 from Honny1/sys-reset-podman-socket
Fix `podman system reset` deletes the `podman.sock`
2025-03-11 17:39:17 +00:00
9eb4d27c5c packit: only build F41+
F40 stil has go 1.22 but we need to support go 1.23 now.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-11 17:21:28 +01:00
56e62948f7 go1.23: use std maps package
With go 1.23 the maps package was added in the std library. The linter
now wants us to use that. However the API chnaged as it returns an
iterator, thus we also have to use slices.Collect().

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-11 17:21:24 +01:00
b23249635d vendor: bump to golang.org/x/crypto@v0.36.0
Fixes: CVE-2025-22869
Fixes: https://issues.redhat.com/browse/RHEL-81326
Fixes: https://issues.redhat.com/browse/RHEL-82777

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-11 16:57:35 +01:00
05fc9d2d6b cirrus: test only on f41/rawhide
Like commit d03e8ffc56, we need to bump to go 1.23 to get some
dependency updates for CVE fixes.

Thus it will no longer build/test on F40, however F40 might get
rebased to go 1.23 soon then we can revert this.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-11 16:55:33 +01:00
f2606c4230 fix deprecated docker v28 types
A lot of types are moved and now deprecated which causes lint issues.

IDResponse is copied into podman because that has no new 1 to 1
replacement. For some fields that we set as part of the docker API I
added the nolint directive as these fields might be used by API
consumers.

For the other types it is mostly a 1 to 1 move.

ParseUintList is deprecated but we can use the same function from
github.com/containers/storage/pkg/parsers instead.

Note that it containers breaking changes to pkg/bindings which we should
not do generally but given the prevoius commit already has a unavoidable
breaking change we might as well fix the IDResponse issue once now.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-11 16:24:34 +01:00
91a08235d1 vendor: update docker v28 and c/{common,image}
Update to the latest c/{common,image} which inclused an update to
docker v28, that update is NOT backwards compatible so I had to fix a
few types.

NOTE: handler.ExecCreateConfig is used directly by the bindings. Thus
this is an API break for pkg/bindings. Including docker types as part of
any stable pkg/bindings API was a very bad idea.

I see no way to avoid that unless we never want to docker v28, which is
not easy as the update comes in from c/image and maybe other packages.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-11 16:24:14 +01:00
264c8da0b9 Merge pull request #25501 from evidolob/update-gvisor
update gvproxy version to 0.8.4
2025-03-11 13:53:55 +00:00
47003f76db Merge pull request #25528 from giuseppe/fix-mount-leak
update c/storage
2025-03-11 13:05:35 +00:00
2ffb3a19b3 vendor: update c/storage
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-03-11 11:03:41 +01:00
c9c44d400c libpod: do not cover idmapped mountpoint
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-03-11 11:03:41 +01:00
48662fa32b update gvproxy version to 0.8.4
The 0.8.4 has one important fix[1], which could improve #25121.
Also it set all places to use same version of gvisor-tap-vsock
[1]https://github.com/containers/gvisor-tap-vsock/issues/474

Signed-off-by: Yevhen Vydolob <yvydolob@redhat.com>
2025-03-11 09:51:52 +02:00
41924f870f Prevents removal of podman.sock file using podman system reset command
The `podman system reset` removes the `RunDirectory` directory as part of the machine reset, where `podman.sock` is usually stored.

Fixes: https://issues.redhat.com/browse/RHEL-71320

Signed-off-by: Jan Rodák <hony.com@seznam.cz>
2025-03-10 18:44:15 +01:00
02658bc4cc Quadlet - Propagate warnings and print errors and warnings as they occur
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
2025-03-10 11:51:32 -04:00
d39806258a Merge pull request #25508 from Luap99/docs-machine-update
docs: update how the machine os is upgraded
2025-03-10 13:35:51 +00:00
73799672cf docs: update how the machine os is upgraded
Fixes: #22678

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-10 11:47:07 +01:00
ac3074e90e Merge pull request #25485 from danegsta/danegsta/cpwindows
Don't try to resolve host path if copying from stdin
2025-03-09 18:14:52 +00:00
2077faaf8f Merge pull request #25466 from baude/issue18230
Do not allow mounting to machine dir /tmp
2025-03-09 05:00:08 +00:00
b0077e0981 Merge pull request #25507 from Luap99/cirrus-rerun
.github: remove cirrus rerun action
2025-03-07 19:07:51 +00:00
c6fe768176 Don't try to resolve host path if copying to container from stdin.
Fixes: #25472

Signed-off-by: David Negstad <David.Negstad@microsoft.com>
2025-03-07 10:47:13 -08:00
130bb21612 .github: remove cirrus rerun action
As pointed out in buildah[1] the action is broken in bad ways where it can
trigger 1000+ rerun wasting our cloud resources.

Get rid of it for now until we find something better or can properly
identify and fix the root cause.

[1] https://github.com/containers/buildah/issues/6035

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-07 17:42:27 +01:00
5283f956a5 Disallow mounting to certain destination /dir paths
When certain directories, like /tmp, get mounted over, FCOS/Linux can
act in unexpected ways.  Added a sanity check for a list of directories
think might be impacted by this.  Also, moved the volume parsing earlier
in the init process so we can catch problems before the expensive
decompression of machine images.

The following destinations are forbidden for volumes:

`/bin`, `/boot`, `/dev`, `/etc`, `/home`, `/proc`, `/root`, `/run`, `/sbin`, `/sys`, `/tmp`, `/usr`, and `/var`. Subdirectories

Fixes: #18230

Signed-off-by: Brent Baude <bbaude@redhat.com>
2025-03-07 09:54:01 -06:00
3229a02d35 Merge pull request #25498 from ashley-cui/installer
Use svg for pkginstaller banner
2025-03-07 13:44:03 +00:00
5cd58742a2 Use svg for pkginstaller banner
On external monitors with different resolutions, our pkginstaller logo renders poorly. Using vector graphics solves this problem.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-03-06 15:11:13 -05:00
0ca749f536 Merge pull request #25492 from Juneezee/minmax
pkg/util: remove redundant min/max helper functions
2025-03-06 19:56:47 +00:00
57c4c8662a Merge pull request #25375 from ashley-cui/release
Automate release
2025-03-06 19:01:50 +00:00
da47f401eb Merge pull request #25491 from ytimenkov/wait-race-with-rm
Wait race with rm
2025-03-06 16:28:30 +00:00
1d304334dd pkg/util: remove redundant min/max helper functions
We can use the built-in `min` and `max` functions since Go 1.21.

Reference: https://go.dev/ref/spec#Min_and_max
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2025-03-06 21:39:36 +08:00
eed5f9ee4a libpod: race in WaitForConditionWithInterval()
There are multiple concurrent goroutinces which produce result and they
race agains each other, while producing different results.

This commit addresses at least a part of the problem - producing
different results for competing "sources".

Fixes: #25479

Signed-off-by: Yuri Timenkov <yuri@timenkov.pro>
2025-03-06 12:40:43 +00:00
d0efd0e278 libpod: race in WaitForExit() with autoremove
When waiting for container to be not-running, sometimes wait retuns code
-1 with an empty error instead of actual exit code.

It turned out that syncContainer returns ErrCtrRemoved for a removed
container instead of ErrNoSuchCtr, while data can still be pulled from
the database.

This fixes the issue by taking into account both codes.

Fixes: #25479

Signed-off-by: Yuri Timenkov <yuri@timenkov.pro>
2025-03-06 12:37:47 +00:00
faf8574bb4 Merge pull request #25450 from baude/issue25449
Replace old nginx image with podman hello
2025-03-05 23:31:38 +00:00
41dd3f2474 Automate release
Automatically generate our GitHub release.

This GitHub action is traggered on a tag push, or manually. After a the trigger, all artifacts are built, including linux, mac, and windows installers. After everything is built, the release is automatically generated on our GitHub, and an email notification is sent out.

Our old actions are marked deprecated, and now can only be triggered manually. Leave them as-is otherwise, as a backup, so we have a tried-and-tested way of generating images, just in case this new action goes wrong.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-03-05 14:30:57 -05:00
919247a77c Merge pull request #25481 from Luap99/kube-sdnotify-error
quadlet kube: correctly mark unit as failed
2025-03-05 16:07:56 +00:00
945aade38b quadlet kube: correctly mark unit as failed
When no containers could be started we need to make sure the unit status
reflects this. This means we should not send the READ=1 message and not
keep the service container running when we were unable to start any
container.

There is the question what should happen when only a subset was started.
For systemd we can only be either running or failed. And as podman kube
play also just keeps the partial started pods running I opted to let
systemd keep considering this as success.

Fixes #20667
Fixes https://issues.redhat.com/browse/RHEL-80471

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-05 15:53:55 +01:00
f10f32668e Merge pull request #25478 from lsm5/packit-failure-info-doc
[CI:DOCS] Packit: clarify secondary status in CI
2025-03-05 14:01:06 +00:00