[v4.6] Backports and updated release notes #19218

Merged
merged 34 commits into from
Jul 13, 2023

Commits on Jul 13, 2023

  1. Vendor c/common v0.55.2

    Signed-off-by: Ashley Cui <acui@redhat.com>
    ashley-cui committed Jul 13, 2023
    04897ee
  2. play.go: remove volumes on down -f

    * add e2e test
    
    Signed-off-by: danishprakash <danish.prakash@suse.com>
    danishprakash authored and ashley-cui committed Jul 13, 2023
    ed56187
  3. Trim whitespace from unit files while parsing

    Fixes: containers#18979
    
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    rhatdan authored and ashley-cui committed Jul 13, 2023
    62fc35c
  4. make image listing more resilient

    Handle more TOCTOUs operating on listed images.  Also pull in
    containers/common/pull/1520 and containers/common/pull/1522 which do the
    same on the internal layer tree.
    
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2216700
    Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
    vrothberg authored and ashley-cui committed Jul 13, 2023
    f701899
  5. specgen, rootless: raise error with --device-cgroup-rule

    we were silently ignoring --device-cgroup-rule in rootless mode.  Make
    sure an error is returned if the user tries to use it.
    
    Closes: containers#18698
    
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
    giuseppe authored and ashley-cui committed Jul 13, 2023
    fcf673d
  6. specgen: honor --device-cgroup-rule with a new user namespace

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
    giuseppe authored and ashley-cui committed Jul 13, 2023
    f654f7c
  7. Pass in correct cwd value for hooks exe

    Signed-off-by: Fang-Pen Lin <hello@fangpenlin.com>
    fangpenlin authored and ashley-cui committed Jul 13, 2023
    47e6ce1
  8. Fix up podmansh man page

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    rhatdan authored and ashley-cui committed Jul 13, 2023
    e30197e
  9. pkg/specgen: Add support for Linux emulation on FreeBSD

    This is limited to images that don't depend on complex cgroup or capability
    setups but does cover enough functionality to be useful.
    
    [NO NEW TESTS NEEDED]
    
    Signed-off-by: Doug Rabson <dfr@rabson.org>
    dfr authored and ashley-cui committed Jul 13, 2023
    a3598ff
  10. Fix readonly=false failure

    There was a huge cut and paste of mount options which were not consistent
    in parsing tmpfs, bind and volume mounts.  Consolidated into a single
    function to guarantee all parse the same.
    
    Fixes: containers#18995
    
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    rhatdan authored and ashley-cui committed Jul 13, 2023
    ee63293
  11. Remove 'inspecting object' from inspect errors

    This is just useless noise and gets us closer to what
    Docker returns.
    
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    rhatdan authored and ashley-cui committed Jul 13, 2023
    fc8f229
  12. pkg/specgen: add support for 'podman run --init' on FreeBSD

    This adds define.BindOptions to declare the mount options for bind-like
    mounts (nullfs on FreeBSD). Note: this mirrors identical declarations in
    buildah and it may be preferable to use buildah's copies throughout
    podman.
    
    [NO NEW TESTS NEEDED]
    
    Signed-off-by: Doug Rabson <dfr@rabson.org>
    dfr authored and ashley-cui committed Jul 13, 2023
    c8cfcc2
  13. [CI:DOCS] Document support of pod security context IDs

    With PR containers#14167, the pod-level security context IDs are supported, while the markdown says they aren't.
    This patch fixes it.
    
    ```
    None
    ```
    
    Signed-off-by: Fabian Wiesel <fwiesel@users.noreply.github.com>
    fwiesel authored and ashley-cui committed Jul 13, 2023
    cf5c4c9
  14. pkg/specgen: properly identify image OS on FreeBSD

    When working on Linux emulation on FreeBSD, I assumed that
    SpecGenerator.ImageOS was always populated from the image's OS value but
    in fact, this value comes from the CLI --os flag if set, otherwise "".
    This broke running FreeBSD native containers unless --os=freebsd was
    also set. Fix the problem by getting the value from the image itself.
    
    This is a strong incentive for me to complete a stalled project to enable
    podman system tests on FreeBSD.
    
    [NO NEW TESTS NEEDED]
    
    Signed-off-by: Doug Rabson <dfr@rabson.org>
    dfr authored and ashley-cui committed Jul 13, 2023
    662cca7
  15. bugfix: do not try to parse empty ranges

    An empty range caused a panic as parseOptionIDs tried to check further
    down for an @ at index 0 without taking into account that the split-out
    string could be empty.
    
    Signed-off-by: Simon Brakhane <simon@brakhane.net>
    Luminger authored and ashley-cui committed Jul 13, 2023
    2ef2a67
  16. Use bytes size consistently instead of human size

    Previously podman was using "MB" and "GB" (binary) for input but
    "MB" and "GB" (decimal) for output, which was causing confusion.
    
    Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
    afbjorklund authored and ashley-cui committed Jul 13, 2023
    a312553
  17. [CI:DOCS] podman-system-service.1.md: document systemd usage

    Regarding "The command does not support more than one listening socket for the API service."
    See this Podman source code: (a permalink into the main branch as of 2 July 2023)
    https://github.com/containers/podman/blob/539be58163a1730af0d84b39fcde585983cd9925/cmd/podman/system/service_abi.go#L48-L50
    
    Move up the paragraph "The REST API provided ...".
    
    Move up the sentence "Note: The default systemd ...".
    
    Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
    eriksjolund authored and ashley-cui committed Jul 13, 2023
    dd7dbb8
  18. [CI:DOCS] uidmap man pages: fix corrupt italics

    The markdown-to-manpage sequence interprets
    _from_uid_ and *from_uid* differently.
    Use the latter syntax to get the expected result.
    
    Fixes: containers#19171
    
    Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
    eriksjolund authored and ashley-cui committed Jul 13, 2023
    a673bb2
  19. Fixes typo in the path where quadlet looks for files

    This change matches the list above in the same document, in the section
    `Podman user unit search path`. I also confirmed that this matches [the
    code](https://github.com/containers/podman/blob/60a5a59/cmd/quadlet/main.go#L119).
    
    Signed-off-by: Michael Hrivnak <mhrivnak@hrivnak.org>
    mhrivnak authored and ashley-cui committed Jul 13, 2023
    edc51d9
  20. make --syslog errors non fatal

    Podman will always pass down --syslog to conmon since 13c2aca.
    However, there are systems without syslog running, likely in container
    setups. As reported in this was already a problem before when debug
    level is used. Then conmon will pass down --syslog back to the podman
    container cleanup command causing it to fail without doing anything.
    Given that I think it is better to just ignore the error and log it on
    debug level, we need to make sure cleanup works consistently.
    
    [NO NEW TESTS NEEDED]
    
    Fixes containers#19075
    
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
    Luap99 authored and ashley-cui committed Jul 13, 2023
    c81a001
  21. libpod: don't make a broken symlink for /etc/mtab on FreeBSD

    This file has not been present in BSD systems since 2.9.1 BSD and as far
    as I remember /proc/mounts has never existed on BSD systems.
    
    [NO NEW TESTS NEEDED]
    
    Signed-off-by: Doug Rabson <dfr@rabson.org>
    dfr authored and ashley-cui committed Jul 13, 2023
    e354514
  22. manifest inspect: support authentication

    Previous tests have worked by pure chance since the client and server
    ran on the same host; the server picked up the credentials created by
    the client login.
    
    Extend the gating tests and add a new integration test which is further
    capable of exercising the remote code.
    
    Note that fixing authentication support requires adding a new
    `--authfile` CLI flag to `manifest inspect`.  This will at least allow
    for passing an authfile to the bindings.  Username and password are not
    yet supported.
    
    Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
    vrothberg authored and ashley-cui committed Jul 13, 2023
    28e92b9
  23. api: fix slow version endpoint

    This endpoint queried the same package versions twice causing it to be
    slower than info. Because it already called info we can just reuse the
    package versions from there.
    
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
    Luap99 authored and ashley-cui committed Jul 13, 2023
    a3a6285
  24. test/e2e: wait for socket

    Do not use podman info/version as they are expensive and clutter the log
    for no reason. Just checking if we can connect to the socket should be
    good enough and much faster.
    
    Fix the non-existing error checking, so that we actually see a useful
    error when this does not work.
    
    Also change the interval: why wait 2s for a retry? Let's take 100ms steps
    instead.
    
    Fixes containers#19010
    
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
    Luap99 authored and ashley-cui committed Jul 13, 2023
    2581352
  25. Fix: cgroup is not set: internal libpod error after os reboot

    [NO NEW TESTS NEEDED]
    Closes containers#19175
    
    Signed-off-by: Peter Jannesen <peter@jannesen.com>
    pjannesen authored and ashley-cui committed Jul 13, 2023
    d0b0c62
  26. libpod: set cid network alias in setupContainer()

    Since we have sqlite there is no point in duplicating this across two db
    backends. Just set earlier when we validate the networks anyway.
    
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
    Luap99 authored and ashley-cui committed Jul 13, 2023
    2aea98c
  27. add hostname to network alias

    We use the name as alias but using the hostname also makes sense and
    this is what docker does. We have to keep the short id as well for
    docker compat.
    
    While adding some tests I removed some duplicated tests that were
    executed twice for nv for no reason.
    
    Fixes containers#17370
    
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
    Luap99 authored and ashley-cui committed Jul 13, 2023
    5583358
  28. netavark: macvlan networks keep custom nameservers

    The change to use the custom dns server in aardvark-dns caused a
    regression here because macvlan networks never returned the nameservers
    in netavark and it also does not make sense to do so.
    
    Instead check here if we got any network nameservers, if not we then use
    the ones from the config if set otherwise fallback to host servers.
    
    Fixes containers#19169
    
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
    Luap99 authored and ashley-cui committed Jul 13, 2023
    9d0470f
  29. Fix container errors not being sent via pod removal API

    When I reworked pod removal to provide more detailed errors
    (including per-container errors, not just a single multierror
    with all errors squashed), I made it part of the struct returned
    by the REST API and assumed that would be enough to get errors
    through to clients. Unfortunately, in case of an overarching
    error removing the pod (as any error with any container would
    cause), we don't send the response struct that would include the
    container errors - we just send a standardized REST error. We
    could work around this with custom, potentially backwards
    incompatible error handling for the REST pod delete endpoint, or
    we could just do what was done before, and package up all the
    errors in a multierror to send to the other side. Of those
    options, the multierror seems far simpler.
    
    Fixes containers#19159
    
    Signed-off-by: Matt Heon <mheon@redhat.com>
    mheon authored and ashley-cui committed Jul 13, 2023
    7b3d47c
  30. auto update: fix usage of --authfile

    The --authfile flag has been ignored.  Fix that and add a test to make
    sure we won't regress another time.  Requires a new --tls-verify flag
    to actually test the code.
    
    Also bump c/common since common/pull/1538 is required to correctly check
    for updates.  Note that I had to use the go-mod-edit-replace trick on
    c/common as c/buildah would otherwise be moved back to 1.30.
    
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2218315
    Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
    vrothberg authored and ashley-cui committed Jul 13, 2023
    afe48ba
  31. machine start: qemu: adjust backoffs

    Make sure that starting a qemu machine uses proper exponential backoffs
    and that a single variable isn't shared across multiple backoffs.
    
    DO NOT BACKPORT: I want to avoid backporting this PR to the upcoming 4.6
    release as it increases the flakiness of machine start (see containers#17403). On
    my M2 machine, the flake rate seems to have increased with this change
    and I strongly suspect that additional/redundant sleep after waiting for
    the machine to be running and listening reduced the flakiness.  My hope
    is to have more predictable behavior and find the sources of the flakes
    soon.
    
    [NO NEW TESTS NEEDED] - still too flaky to add a test to CI.
    
    Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
    vrothberg authored and ashley-cui committed Jul 13, 2023
    732a02c
  32. machine start: qemu: wait for SSH readiness

    During the exponential backoff waiting for the machine to be fully up
    and running, also make sure that SSH is ready.  The systemd dependencies
    of the ready.service include the sshd.service among others but that is
    not enough.
    
    Other CoreOS users reported the same issue on IRC, so I feel fairly
    confident to use the pragmatic approach of making sure SSH works on the
    client side.  containers#17403 is quite old and there are other pressing machine
    issues that need attention.
    
    [NO NEW TESTS NEEDED]
    
    Fixes: containers#17403
    Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
    vrothberg authored and ashley-cui committed Jul 13, 2023
    624bb83
  33. system tests: refactor registry code

    The podman-login tests have accumulated much cruft over the
    years, because that's the only place where we run a local
    registry, and the process was crufty: we actually start/stopped
    the registry as the first & last tests of the file. Meaning,
    you couldn't do 'hack/bats 150:just-one-test' because that
    would skip the registry start. And just now, a completely
    unrelated test has had to be shoved into the login file.
    
    This PR revamps the whole thing, by adding a new registry helper
    module that can be used anywhere. And, once the registry is
    started, it just stays running until the end of tests. (This
    requires BATS 1.7 or greater).
    
    Signed-off-by: Ed Santiago <santiago@redhat.com>
    edsantiago authored and ashley-cui committed Jul 13, 2023
    8fffcf4
  34. Update release notes

    Signed-off-by: Ashley Cui <acui@redhat.com>
    ashley-cui committed Jul 13, 2023
    be21bc0