Using os.Is{Exist,NotExist,Permission} checks is not recommended in
new code (see official documentation). While using it in the existing
code is OK, it may still result in subtle errors later (for a specific
example of that, see [1]).
Replace those with errors.Is.
Generated by:
gofmt -r 'os.IsExist(a) -> errors.Is(a, os.ErrExist)' -w .
gofmt -r 'os.IsNotExist(a) -> errors.Is(a, os.ErrNotExist)' -w .
gofmt -r 'os.IsPermission(a) -> errors.Is(a, os.ErrPermission)' -w .
goimports -w .
git diff vendor test/tools/vendor | patch -p1 -R
[1]: https://github.com/opencontainers/runc/pull/5061
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
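Added example (not podman code) showing the kind of subtle error the commit message refers to: os.IsNotExist only looks through *PathError, *LinkError and *SyscallError, so once an error has been wrapped with fmt.Errorf("%w") it stops matching, while errors.Is walks the whole Unwrap chain. readConfig, classify and missingPath are hypothetical helpers written for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// readConfig wraps the underlying error with %w, the idiomatic way to add
// context. Hypothetical helper for this example, not podman code.
func readConfig(path string) ([]byte, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("loading config %q: %w", path, err)
	}
	return data, nil
}

// classify reports how the two styles of check see the same error:
// os.IsNotExist only unwraps *PathError/*LinkError/*SyscallError, while
// errors.Is follows every Unwrap in the chain, including fmt's %w wrapper.
func classify(err error) (legacy, modern bool) {
	return os.IsNotExist(err), errors.Is(err, os.ErrNotExist)
}

// missingPath returns a path that does not exist (constructed for the example).
func missingPath() string {
	return filepath.Join(os.TempDir(), "gr-example-does-not-exist-4d1e", "config.json")
}

func main() {
	// Direct *PathError from os.ReadFile: both checks agree.
	_, direct := os.ReadFile(missingPath())
	legacy, modern := classify(direct)
	fmt.Printf("unwrapped *PathError: os.IsNotExist=%v errors.Is=%v\n", legacy, modern)

	// Same error wrapped once with %w: os.IsNotExist silently returns false.
	_, wrapped := readConfig(missingPath())
	legacy, modern = classify(wrapped)
	fmt.Printf("wrapped with %%w:      os.IsNotExist=%v errors.Is=%v\n", legacy, modern)
}
```

The failure mode is silent: code that wraps errors for context and then keys a "create it if missing" branch on os.IsNotExist will take the wrong branch with no compile-time or runtime warning, which is why a mechanical gofmt -r rewrite to errors.Is is the safer default.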
- Populate the Docker-compatible container summary HostConfig from the
container inspect data
- Remove the unused ContainerCreateConfig wrapper from the compat
handler
- Add APIv2 test
Signed-off-by: Christopher Bii <christopherbii@hyub.org>
The swagger spec generated from pkg/api/server/doc.go sets the contact
URL to https://podman.io/community/. That URL now returns 404, while
https://podman.io/community (no trailing slash) returns 200 and is what
the live site links to from its own navigation. Issue #28298 reports
the link as broken at the top of the rendered API reference, which is
where ReDoc surfaces the contact field.
Drop the trailing slash so the contact link in the generated swagger
spec resolves.
Signed-off-by: Matt Van Horn <mvanhorn@gmail.com>
Add a --dry-run option to show which volumes would be pruned without removing them.
Related: #27838
Signed-off-by: KyounghoonJang <matkimchi_@naver.com>
This is a Docker compatibility change discovered while working on
cases it is practically speaking required because there are
mandatory parameters in the body, but in those cases you do not
get a JSON decode error back, you get an error about the field
that needs to be set. I see no reason for us not to match this
convention; it doesn't break our existing bindings, but makes
using the API via curl or similar somewhat easier.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The Docker daemon emits a final `{"aux":{"Tag","Digest","Size"}}` JSON
object on the push event stream so clients can recover the registry-side
manifest digest without an extra registry round-trip.
Several Docker-API clients (e.g. the Pulumi and Terraform docker
providers) parse `aux.Digest` to populate their pushed-image outputs.
Without the trailer they either silently fall back to inspecting the
local image (whose digest does not always match what was pushed - see
containers/podman#14779) or emit "Push completed without reporting a
digest" warnings.
`pushReport.ManifestDigest` is already populated with the correct
on-the-wire digest from `manifest.Digest(pushedManifestBytes)`; this
change just wraps it into the same JSON shape Docker emits and adds an
apiv2 test asserting the trailer is present with Tag, Digest, and Size.
Signed-off-by: nitz <nitz.raz@gmail.com>
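Added example (not podman or Docker client code) of the client side of this change: a reader for the newline-delimited JSON push stream that picks the Tag, Digest and Size out of the trailing aux object, refuses a malformed digest rather than building an image reference from it, and reports the "no digest" condition the commit describes when the trailer is absent. The sample streams are constructed for this example, not captured from a daemon; the field names follow the commit message.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// pushResult carries the three fields Docker places in the trailing "aux"
// object of a push stream (names taken from the commit message above).
type pushResult struct {
	Tag    string `json:"Tag"`
	Digest string `json:"Digest"`
	Size   int64  `json:"Size"`
}

// pushMessage is the subset of a JSON-stream message this example inspects.
type pushMessage struct {
	Status string          `json:"status,omitempty"`
	Error  string          `json:"error,omitempty"`
	Aux    json.RawMessage `json:"aux,omitempty"`
}

var errNoDigest = errors.New("push completed without reporting a digest")

// digestRe accepts only a well-formed sha256 digest: the value comes from the
// daemon, but a client should still refuse to build references from junk.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// digestFromPushStream reads newline-delimited JSON push messages and returns
// the registry-side digest from the trailing aux object, or errNoDigest when
// the daemon never emitted one (the Podman behaviour the commit fixes).
func digestFromPushStream(r io.Reader) (pushResult, error) {
	dec := json.NewDecoder(r)
	var result pushResult
	found := false
	for {
		var msg pushMessage
		err := dec.Decode(&msg)
		if errors.Is(err, io.EOF) {
			break
		}
		if err != nil {
			return pushResult{}, fmt.Errorf("malformed push stream: %w", err)
		}
		if msg.Error != "" {
			return pushResult{}, fmt.Errorf("push failed: %s", msg.Error)
		}
		if len(msg.Aux) == 0 {
			continue // progress/status message, keep reading
		}
		if err := json.Unmarshal(msg.Aux, &result); err != nil {
			return pushResult{}, fmt.Errorf("decoding aux trailer: %w", err)
		}
		found = true
	}
	if !found {
		return pushResult{}, errNoDigest
	}
	if !digestRe.MatchString(result.Digest) {
		return pushResult{}, fmt.Errorf("aux trailer carries malformed digest %q", result.Digest)
	}
	return result, nil
}

// Constructed sample streams for this example (not captured from a daemon).
var sampleDigest = "sha256:" + strings.Repeat("ab", 32)

var streamWithTrailer = `{"status":"The push refers to repository [localhost:5000/demo]"}
{"status":"Pushing","id":"3f4a","progressDetail":{}}
{"status":"latest: digest: ` + sampleDigest + ` size: 527"}
{"aux":{"Tag":"latest","Digest":"` + sampleDigest + `","Size":527}}
`

var streamWithoutTrailer = `{"status":"The push refers to repository [localhost:5000/demo]"}
{"status":"Pushing","id":"3f4a","progressDetail":{}}
`

func main() {
	res, err := digestFromPushStream(strings.NewReader(streamWithTrailer))
	fmt.Printf("with trailer:    %+v err=%v\n", res, err)
	_, err = digestFromPushStream(strings.NewReader(streamWithoutTrailer))
	fmt.Printf("without trailer: err=%v\n", err)
}
```

Parsing the digest out of the human-readable "latest: digest: ... size: ..." status line would also work, but that line is free text and not part of the API contract; the aux object is the documented machine-readable channel, which is why clients key on it.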
Update build.sh to run gofumpt on generated .pb.go files, and apply
formatting to existing generated files. This fixes gofumpt and inamedparam
lint errors on macOS CI and ensures future regenerations will be
automatically formatted.
Signed-off-by: Lokesh Mandvekar <lsm5@linux.com>
The podman module paths are moving from github.com/containers/podman to
go.podman.io/podman. This will help with future mobility.
Signed-off-by: Brent Baude <bbaude@redhat.com>
This PR reflects the upstream change of moving the buildah module from
github.com/containers/buildah to go.podman.io/buildah.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Use shared configfile instead of custom policy.json path handling.
This updates ocipull to rely on signature.DefaultPolicy(), removes
explicit SignaturePolicyPath, and replaces trust's custom default-policy
path logic with common configfile code.
Replace hidden `--policypath` with `--signature-policy` and require
it for `trust set` command instead of path resolution based on
configfile.
For `trust get`, the `--signature-policy` is optional.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
The Docker client (docker run) sends /wait then /start, but it only
sends /start after receiving the 200 OK response from /wait. Previously,
the event subscription for the "died" event was set up after the 200 was
sent, creating a window where a fast-exiting container (e.g. hello-world)
could emit its "died" event before the subscription was ready, causing
the client to hang forever.
Fix this by subscribing to "died" events before flushing the 200 status
code. This guarantees the event listener is ready before the client can
send /start, eliminating the race entirely.
Fixes: https://github.com/containers/podman/issues/28514
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
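Added example (a simulation, not podman's handler) of the ordering problem this commit fixes. The event bus only delivers to subscribers present at emit time, the modelled client sends /start the moment the 200 for /wait is flushed, and the modelled container exits immediately, so subscribing after the flush deterministically misses "died" while subscribing before it always catches the event. The 50 ms timeout stands in for the real handler's "hang forever"; every type and function name here is hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// eventBus delivers an event only to the subscribers present at emit time,
// which is what makes a late subscription miss a fast container's "died".
type eventBus struct {
	mu   sync.Mutex
	subs []chan string
}

func (b *eventBus) subscribe() <-chan string {
	ch := make(chan string, 8)
	b.mu.Lock()
	b.subs = append(b.subs, ch)
	b.mu.Unlock()
	return ch
}

func (b *eventBus) emit(ev string) {
	b.mu.Lock()
	defer b.mu.Unlock()
	for _, ch := range b.subs {
		select {
		case ch <- ev:
		default: // subscriber not draining; drop rather than block the emitter
		}
	}
}

// dockerClient models `docker run`: the 200 from /wait is what lets it send
// /start, and a hello-world style container exits (emits "died") at once.
type dockerClient struct{ bus *eventBus }

func (c *dockerClient) onWaitResponseFlushed() {
	c.bus.emit("died") // POST /start: the container runs and exits immediately
}

var errHang = errors.New("died event missed: /wait would block forever")

// waitHandler models the server side of POST /containers/{id}/wait.
// subscribeFirst=false is the original ordering, true is the fixed one.
func waitHandler(bus *eventBus, flush200 func(), subscribeFirst bool) error {
	var died <-chan string
	if subscribeFirst {
		died = bus.subscribe() // fix: listener exists before the client can act
	}
	flush200() // 200 OK goes out; the client may now send /start
	if !subscribeFirst {
		died = bus.subscribe() // original: too late if the container already died
	}
	select {
	case ev := <-died:
		if ev != "died" {
			return fmt.Errorf("unexpected event %q", ev)
		}
		return nil
	case <-time.After(50 * time.Millisecond):
		// Stand-in for "hang forever": the real handler has no timeout.
		return errHang
	}
}

// simulate wires a fresh bus, client and handler together for one ordering.
func simulate(subscribeFirst bool) error {
	bus := &eventBus{}
	client := &dockerClient{bus: bus}
	return waitHandler(bus, client.onWaitResponseFlushed, subscribeFirst)
}

func main() {
	fmt.Println("subscribe after flush:", simulate(false))
	fmt.Println("subscribe before flush:", simulate(true))
}
```

The general rule the fix applies: any "reply, then wait for a notification the reply can trigger" sequence must register the listener before the reply is observable to the peer, otherwise the window between the two is a lost-wakeup bug whose size depends only on how fast the other side is.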
These are two new Buildah flags that we need to wire into Podman
(both local and remote) and document, with the interesting note
that one requires the other and a check needed to be added for
that.
Also: secret parsing was tightened up in Buildah, and was
breaking the remote build tests. Rewire it to use the new parser
Buildah made, which ends up simplifying the code considerably.
Tests are back to passing afterwards.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
This was implemented by containers/netavark #1369; this commit
completes the process by wiring it into Podman. We now respect
the CLI order for configured networks - if a user passes
`--net net1,net2` we guarantee that net1 will be configured
before net2.
For containers created before this patch, we don't retain enough
information to configure networks in CLI order, so we use
alphabetical order instead to still guarantee consistency.
No breaking API changes have been made, but we do add a new
field to supplement the existing map to (optionally) provide
ordering information. The Podman CLI will always pass this.
Existing applications that do not will, again, receive
deterministic ordering based on an alphabetical sort of network
names.
This requires the latest version of Netavark to work properly.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
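Added example (not podman code) of the ordering rule the commit describes: when the optional ordering list is present it is used as-is, and when it is absent the map keys are sorted so the result is still deterministic. Because the list arrives from API clients alongside the existing map, the example also rejects a list that disagrees with the map (missing, unknown or duplicated names) instead of silently configuring a different set of networks than the caller stored. netConfig and orderedNetworks are hypothetical names.

```go
package main

import (
	"fmt"
	"sort"
)

// netConfig is a stand-in for a per-network configuration entry.
type netConfig struct {
	StaticIP string
}

// orderedNetworks returns the order in which networks get configured.
// requested is the optional ordering list supplied alongside the map; when it
// is absent (older clients, containers created before the change) the names
// are sorted so the result is still deterministic.
func orderedNetworks(networks map[string]netConfig, requested []string) ([]string, error) {
	if len(requested) == 0 {
		names := make([]string, 0, len(networks))
		for name := range networks {
			names = append(names, name)
		}
		sort.Strings(names)
		return names, nil
	}
	if len(requested) != len(networks) {
		return nil, fmt.Errorf("ordering lists %d networks but %d are configured",
			len(requested), len(networks))
	}
	seen := make(map[string]bool, len(requested))
	for _, name := range requested {
		if _, ok := networks[name]; !ok {
			return nil, fmt.Errorf("ordered network %q is not in the configured set", name)
		}
		if seen[name] {
			return nil, fmt.Errorf("network %q listed more than once", name)
		}
		seen[name] = true
	}
	return append([]string(nil), requested...), nil
}

func main() {
	nets := map[string]netConfig{"net2": {}, "net1": {StaticIP: "10.89.0.5"}, "net0": {}}
	order, err := orderedNetworks(nets, nil)
	fmt.Println("no ordering info:", order, err)
	order, err = orderedNetworks(nets, []string{"net1", "net2", "net0"})
	fmt.Println("CLI order:       ", order, err)
	_, err = orderedNetworks(nets, []string{"net1", "net1", "net0"})
	fmt.Println("inconsistent:    ", err)
}
```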
With netavark v2 we start to default to strict isolation mode in
netavark [1], which already matches the Docker behavior.
Therefore no longer hard code the isolate option in the compat API.
Podman v6 already requires netavark v2 for other changes, so we do
not need to worry about Podman 6 + older netavark here.
[1] https://github.com/containers/netavark/pull/1438
Fixes: #27349
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Just as additional hardening.
Note chrootarchive does not work on macos/windows, in that case it still
falls back to the regular pkg/archive.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The Docker compat /containers/json endpoint was leaking podman-internal
container states ("stopped", "stopping") that are not valid Docker API
states. Docker clients that strictly validate the State field against
the documented set ("created", "running", "paused", "restarting",
"exited", "removing", "dead") would fail with deserialization errors.
LibpodToContainerJSON already performs this mapping correctly:
- "stopped" → "exited"
- "stopping" → "running"
Apply the same remapping in LibpodToContainer using a switch statement
so the list endpoint behaves consistently with the inspect endpoint.
Add a test assertion to the compat /containers/json test to verify
that a stopped container is reported with State="exited".
Fixes #28359
Signed-off-by: crawfordxx <crawfordxx@users.noreply.github.com>
In the SystemCheck HTTP handler, when parsing the
unreferenced_layer_max_age query parameter fails, the error response is
sent but execution continues to `unreferencedLayerMaximumAge = &duration`
where `duration` is the zero value. This causes the system check to run
with a zero duration instead of returning the 400 error to the client.
Add the missing `return` after the error response.
Fixes #28350
Signed-off-by: crawfordxx <crawfordxx@users.noreply.github.com>
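Added example (not the podman handler) reproducing the defect class: http.Error only writes the response, it does not stop the function, so without an explicit return the handler keeps going with the zero-value duration and the check runs with a limit the client never asked for. Both handlers below are hypothetical stand-ins driven through httptest; the query parameter name is the one from the commit message.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// checkRun records whether the (simulated) system check ran and with what
// maximum age; a nil pointer means "no limit requested".
type checkRun struct {
	ran    bool
	maxAge *time.Duration
}

// runCheck stands in for the actual system check.
func runCheck(w http.ResponseWriter, maxAge *time.Duration) checkRun {
	w.WriteHeader(http.StatusOK)
	return checkRun{ran: true, maxAge: maxAge}
}

// buggyHandler reproduces the defect: the 400 is written, but control falls
// through, maxAge points at the zero-value duration, and the check still runs.
func buggyHandler(w http.ResponseWriter, r *http.Request) checkRun {
	var maxAge *time.Duration
	if raw := r.URL.Query().Get("unreferenced_layer_max_age"); raw != "" {
		duration, err := time.ParseDuration(raw)
		if err != nil {
			http.Error(w, "invalid unreferenced_layer_max_age: "+err.Error(), http.StatusBadRequest)
			// missing return: execution continues with duration == 0
		}
		maxAge = &duration
	}
	return runCheck(w, maxAge)
}

// fixedHandler returns right after the error response, so the check never
// sees a value the client did not send.
func fixedHandler(w http.ResponseWriter, r *http.Request) checkRun {
	var maxAge *time.Duration
	if raw := r.URL.Query().Get("unreferenced_layer_max_age"); raw != "" {
		duration, err := time.ParseDuration(raw)
		if err != nil {
			http.Error(w, "invalid unreferenced_layer_max_age: "+err.Error(), http.StatusBadRequest)
			return checkRun{}
		}
		maxAge = &duration
	}
	return runCheck(w, maxAge)
}

// invoke drives a handler with an in-memory request and returns the status
// code it produced together with what the check saw.
func invoke(h func(http.ResponseWriter, *http.Request) checkRun, query string) (int, checkRun) {
	req := httptest.NewRequest(http.MethodPost, "/libpod/system/check?"+query, nil)
	rec := httptest.NewRecorder()
	run := h(rec, req)
	return rec.Code, run
}

func main() {
	handlers := []struct {
		name string
		h    func(http.ResponseWriter, *http.Request) checkRun
	}{{"buggy", buggyHandler}, {"fixed", fixedHandler}}
	for _, tc := range handlers {
		code, run := invoke(tc.h, "unreferenced_layer_max_age=bogus")
		fmt.Printf("%s: status=%d checkRan=%v limitSet=%v\n", tc.name, code, run.ran, run.maxAge != nil)
	}
}
```

The status code alone does not reveal the bug (both handlers answer 400), which is why a handler test should assert on the side effect as well as the response; the vet-style check for this pattern is simply "every http.Error that ends a request is followed by return".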
Docker treats EndpointSettings.IPAddress as operational/state, not desired create input.
Static address requests should come from IPAMConfig fields. Using both can duplicate
the same IPv4 request and trigger already allocated IPAM errors in compose scenarios.
Ref: moby/moby#46183 (daemon validation), docker/cli#4493 (CLI IPAMConfig), moby/moby#19001 (static IP feature).
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
The Docker API spec defines HTTP 409 for POST /containers/create when
the requested name is already in use. The handler was returning 500 for
all errors from ContainerCreate, including ErrCtrExists.
This mismatch breaks buildx parallel builds on Podman: buildx checks
for a conflict response to safely converge multiple concurrent builders
onto the already-running BuildKit container. With 500 it treats the
conflict as a fatal error instead, causing all but the first parallel
build to fail.
The fix follows the same pattern already used in the rename handler,
which correctly returns 409 for ErrCtrExists. The swagger annotation
for this endpoint already documents the 409 response.
Signed-off-by: Jordan Rodgers <com6056@gmail.com>
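Added example (not the podman handler) of the status mapping the commit introduces: a create error is classified with errors.Is so a wrapped "already exists" sentinel becomes 409 while everything else stays 500, and the same handler is driven twice through httptest to show the conflict response a second creator such as buildx relies on. errCtrExists, fakeRuntime and the handler are hypothetical stand-ins.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// errCtrExists stands in for libpod's "container already exists" sentinel
// (hypothetical name for this example).
var errCtrExists = errors.New("container already exists")

// fakeRuntime tracks container names the way the create path would.
type fakeRuntime struct{ names map[string]bool }

// createContainer wraps the sentinel with context, as real code paths do,
// so the handler must classify with errors.Is rather than ==.
func (rt *fakeRuntime) createContainer(name string) error {
	if name == "" {
		return errors.New("container name must not be empty")
	}
	if rt.names[name] {
		return fmt.Errorf("creating container %q: %w", name, errCtrExists)
	}
	rt.names[name] = true
	return nil
}

// statusForCreate maps a create error to the status the Docker API documents
// for POST /containers/create: 201 on success, 409 on a name conflict,
// 500 for anything else.
func statusForCreate(err error) int {
	switch {
	case err == nil:
		return http.StatusCreated
	case errors.Is(err, errCtrExists):
		return http.StatusConflict
	default:
		return http.StatusInternalServerError
	}
}

// createHandler is a minimal compat-style create endpoint.
func createHandler(rt *fakeRuntime) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		err := rt.createContainer(r.URL.Query().Get("name"))
		code := statusForCreate(err)
		if err != nil {
			http.Error(w, err.Error(), code)
			return
		}
		w.WriteHeader(code)
	}
}

// postCreate issues one in-memory create request and returns the status code.
func postCreate(h http.Handler, name string) int {
	req := httptest.NewRequest(http.MethodPost, "/containers/create?name="+name, nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := createHandler(&fakeRuntime{names: map[string]bool{}})
	fmt.Println("first create: ", postCreate(h, "buildkit"))
	fmt.Println("second create:", postCreate(h, "buildkit"))
	fmt.Println("other error:  ", postCreate(h, ""))
}
```

A client that retries on 409 by adopting the existing container is only safe because 409 is reserved for the name conflict; mapping any other failure to 409 would let a caller silently attach to a container it did not create, so the default branch must stay 500.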
Add documentation for undocumented API parameters across multiple endpoints:
System:
- POST /libpod/system/prune: all, volumes, external, build, filters
Pods:
- DELETE /libpod/pods/{name}: timeout
- GET /libpod/pods/stats: stream, delay
Volumes:
- DELETE /volumes/{name}: timeout
- DELETE /libpod/volumes/{name}: timeout
Containers:
- GET /libpod/containers/stats: all
- POST /libpod/containers/{name}/restart: timeout
- POST /libpod/containers/{name}/resize: running
Images:
- POST /images/create: retry, retryDelay
- GET /images/json: shared-size
Exec:
- POST /libpod/exec/{id}/resize: running
Generate:
- GET /libpod/generate/{name}/systemd: templateUnitFile
Signed-off-by: Tim Zhou <tizhou@redhat.com>
Fix a few new issues reported by the linter update.
There is no need to copy the capAdd/capDrop slice in the compat create
endpoint as they are only read and not modified.
For the other code preallocate the slices so we save memory allocations.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>