Commit Graph

26433 Commits

Author SHA1 Message Date
renovate[bot]
20e61ba88e [skip-ci] Update dessant/lock-threads action to v6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-12-12 15:50:41 +00:00
Paul Holzinger
254403dc03 Merge pull request #27426 from Honny1/local-api-artifact-add
Artifact add optimization on macOS and Windows
2025-12-12 16:49:50 +01:00
Paul Holzinger
0056ff4101 Merge pull request #27757 from containers/renovate/google.golang.org-protobuf-1.x
fix(deps): update module google.golang.org/protobuf to v1.36.11
2025-12-12 12:07:19 +01:00
renovate[bot]
e78fb1ed27 fix(deps): update module google.golang.org/protobuf to v1.36.11
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-12-12 09:47:11 +00:00
Paul Holzinger
b29a6db228 Merge pull request #27750 from containers/renovate/golang.org-x-net-0.x
fix(deps): update module golang.org/x/net to v0.48.0
2025-12-11 21:39:31 +01:00
Paul Holzinger
f2923914b7 Merge pull request #27751 from containers/renovate/tags.cncf.io-container-device-interface-1.x
fix(deps): update module tags.cncf.io/container-device-interface to v1.1.0
2025-12-11 20:42:35 +01:00
renovate[bot]
0e45e7003c fix(deps): update module tags.cncf.io/container-device-interface to v1.1.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-12-11 18:17:10 +00:00
Paul Holzinger
b197aeebe6 Merge pull request #27748 from containers/renovate/github.com-checkpoint-restore-checkpointctl-1.x
fix(deps): update module github.com/checkpoint-restore/checkpointctl to v1.4.1
2025-12-11 19:15:17 +01:00
Brent Baude
060c5875de Merge pull request #27746 from Luap99/renovate-conf
renovate: remove old c/{common, image, storage} config
2025-12-11 10:04:47 -06:00
renovate[bot]
e49992fef6 fix(deps): update module golang.org/x/net to v0.48.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-12-11 14:37:08 +00:00
Paul Holzinger
2608feb4f7 Merge pull request #27708 from anagno/fix/probe
fix: skip execution of probes when initialDelaySeconds is not elapsed
2025-12-11 15:35:06 +01:00
renovate[bot]
0a1f564289 fix(deps): update module github.com/checkpoint-restore/checkpointctl to v1.4.1
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-12-11 13:28:03 +00:00
Jan Rodák
7ffe891bc2 Merge pull request #27741 from baude/strongreplace2
Vendor latest mono repo for libartifact changes
2025-12-11 14:26:23 +01:00
Vasileios Anagnostopoulos
88bacfc133 fix: skip execution of probes when initialDelaySeconds is not elapsed
According to the [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes)
the probes should be executed after the `initialDelaySeconds`. So to be
consistent with the kubernetes specs, skip the execution of the probes until
the `initialDelaySeconds` is elapsed.

Closes #27678

Signed-off-by: Vasileios Anagnostopoulos <anagnwstopoulos@hotmail.com>
2025-12-11 12:50:24 +01:00
Paul Holzinger
b53159d0f2 renovate: remove old c/{common, image, storage} config
We no longer use these repos so we can drop this config.

In the meantime I added this for the new location in the global config.
b49c089e5f

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-12-11 12:21:36 +01:00
Brent Baude
f348a0717d Vendor latest mono repo for libartifact changes
This PR vendors in the strong typed libartifact code and carries the
associated changes.

Signed-off-by: Brent Baude <bbaude@redhat.com>
2025-12-10 14:44:50 -06:00
Paul Holzinger
f7162828df Merge pull request #27740 from l0rd/fix-win-release-artifact-not-found
Use explicit download-artifact name and path for win-installer release
2025-12-10 17:24:16 +01:00
Mario Loriedo
22b10fa153 Use explicit download-artifact name and path for win-installer release
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2025-12-10 16:45:08 +01:00
openshift-merge-bot[bot]
f8e0b70063 Merge pull request #27727 from cfergeau/openatinroot
kube play: Fix fd leak when handling symlinks
2025-12-09 18:28:37 +00:00
Christophe Fergeau
84a2902d32 kube play: Fix fd leak when handling symlinks
The `*os.File` returned by `pathrs.OpenatInRoot` needs to
be closed before returning from `openSymlinkPath`

Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
2025-12-09 16:28:16 +01:00
openshift-merge-bot[bot]
f66f7c8a5b Merge pull request #27650 from lstocchi/i27614
Prevent non hyper-v admin users to execute machine commands
2025-12-09 12:17:38 +00:00
openshift-merge-bot[bot]
ed132b7a72 Merge pull request #27709 from baude/removedarwinamd64
Remove Intel MacOS support
2025-12-09 01:20:42 +00:00
Brent Baude
f87cefc262 Remove Intel MacOS support
This PR removes support for Intel Apple Macs. The removal includes
impacts to code, tests, Makefile, builds, release builds, and so forth.

Fixes Jira: RUN-3621

Signed-off-by: Brent Baude <bbaude@redhat.com>
2025-12-07 07:03:06 -06:00
openshift-merge-bot[bot]
8ce77d6e6b Merge pull request #27687 from mheon/deterministic_pod_inspect
Deterministically order pod inspect fields
2025-12-05 14:07:55 +00:00
Matt Heon
a8ecb80ac0 Deterministically order pod inspect fields
There are two fields I'm worried about: shared namespaces and pod
containers. Both are generated via loops over maps and are thus
non-deterministic in ordering. Throw a sort on each to fix the
order so we can actually diff `podman pod inspect` output.

Signed-off-by: Matt Heon <mheon@redhat.com>
2025-12-04 15:25:11 -05:00
openshift-merge-bot[bot]
244aa643c7 Merge pull request #27672 from Luap99/workdir
libpod: fix workdir MkdirAll() all check
2025-12-04 15:52:35 +00:00
openshift-merge-bot[bot]
f5ea6f16d2 Merge pull request #27645 from containers/renovate/github.com-shirou-gopsutil-v4-4.x
Update module github.com/shirou/gopsutil/v4 to v4.25.11
2025-12-04 15:35:39 +00:00
openshift-merge-bot[bot]
5508d873c1 Merge pull request #27619 from Honny1/fix-unless-stopped-reboot
Fix `unless-stopped` restart policy to match Docker behavior
2025-12-04 15:04:10 +00:00
Paul Holzinger
d18e44e9ab libpod: simplify resolveWorkDir()
The code checks for isPathOnVolume and isPathOnMount so we can just use
the SecureJoin here directly to check for path existance.

Then instead of walking symlinks and trying to guess if they are on a
mount just assume if it is a link (path is different from the normal
joined one) then don't error out early and let the OCI runtime deal with
it. The runtime does produce a less readable error but it still fails
and we have much less fragile code.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-12-04 15:25:49 +01:00
Paul Holzinger
7b1be7f177 libpod: fix workdir MkdirAll() all check
MkdirAll can fail with EEXIST when the path is a symlink and the target
doesn't exist. As such we should ignore the error.

Note there is something fundemantal wrong here with the path access as
it is following the symlink to the host, however it is only for a
stat() so it is not an security issue here.

Fixes: 637c264e2e ("fix issues found by nilness")

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-12-04 15:25:30 +01:00
openshift-merge-bot[bot]
0bd2b4b358 Merge pull request #27602 from ZuhairM7/fix-remote-build-secrets
bindings: fix handling of env secrets in remote builds
2025-12-04 13:15:24 +00:00
openshift-merge-bot[bot]
32be5c3f42 Merge pull request #27664 from givensuman/T-27632-list-json-bug
Add Repository and Tag fields to image list --format JSON output
2025-12-04 13:12:38 +00:00
givensuman
2461ccd621 Add Repository and Tag fields to image list --format JSON output
Adds two fields to the output of `podman image list --format json`,
"Repository" and "Tag." Consequently makes the existing embedded field
"RepoTag" redundant, and in current implementation is always `nil`. Adds
`json:",omitempty"` to improve program output.

Fixes: #27632

Signed-off-by: givensuman <givensuman@duck.com>
2025-12-03 17:53:26 -05:00
openshift-merge-bot[bot]
5134dd3bee Merge pull request #27663 from HastD/zizmor-workflow
ci: add Zizmor workflow
2025-12-03 15:29:57 +00:00
openshift-merge-bot[bot]
963aabb54b Merge pull request #27551 from lsm5/cgv1-removal-vendor
CGgroups v1 cleanup: Round 2 w/ container-libs vendoring
2025-12-03 14:00:04 +00:00
Daniel Hast
1dbb897733 ci: add Zizmor workflow
Zizmor (https://docs.zizmor.sh/) is a static analysis tool for GitHub
Actions. Most of the issues identified by Zizmor were fixed in #27642.
This Zizmor action integrates with GitHub Advanced Security and scans
workflows for potential security issues, which should help ensure that
such issues aren't reintroduced in the future.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-02 18:12:15 -05:00
ZuhairM7
fdbb696731 bindings: fix handling of env secrets in remote builds
Previously, using --secret=id=foo,env=BAR in remote mode would fail because the client sent the env var name to the server, which tried to resolve it locally. This patch modifies the client to resolve the environment variable locally, write it to a temp file, and send it as a file-based secret.

Fixes #27494

Signed-off-by: ZuhairM7 <ZuhairM7>
Signed-off-by: ZuhairM7 <zuhairmerali@gmail.com>
2025-12-02 16:21:49 -06:00
Lokesh Mandvekar
b78f1cf986 vendor: update container-libs to df55d6c661e8 for cgv1 removal
Also simplifies cgroups.AvailableControllers

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
2025-12-02 15:38:30 -05:00
openshift-merge-bot[bot]
4eaff6fe22 Merge pull request #27662 from baude/addperltomakevalidatepr
Add perl to make validatepr
2025-12-02 19:27:27 +00:00
Brent Baude
1bddd38e0a Add perl to make validatepr
Users reported that our container image for make validatepr needs perl
base installed.

Signed-off-by: Brent Baude <bbaude@redhat.com>
2025-12-02 12:47:34 -06:00
lstocchi
d150051d7a add windows platform tests
Signed-off-by: lstocchi <lstocchi@redhat.com>
2025-12-02 16:28:20 +01:00
lstocchi
85fe4de1ee fix failing windows platform tests
fixes broken windows tests and enables them to be run on
windows CI

Signed-off-by: lstocchi <lstocchi@redhat.com>
2025-12-02 16:19:50 +01:00
lstocchi
1bd51314ff prevent non hyper-v admin users to execute machine commands
Update GetAll() and GetByVMType() to add a check to prevent non hyper-v admin users to
interact with hyperv machines.
Users can work with hyperv machines only with elevated rights or if
members of the hyperv administrators group

Signed-off-by: lstocchi <lstocchi@redhat.com>
2025-12-02 16:19:31 +01:00
Jan Rodák
4d3c6311a5 Fix unless-stopped restart policy to match Docker behavior
- Update documentation: Differentiate `unless-stopped` from `always` - containers stopped by the user before a reboot will not restart.
- Add `should-start-on-boot` filter: Identify containers that require a restart after a system reboot.
- Update command documentation: Add `restart-policy` and `label!` filters to the documentation for container commands (rm, ps, start, stop, pause, unpause, restart).
- Add `restart-policy` and `shoud-start-on-boot` to completions.
- Update service: Update `podman-restart.service` to use the `needs-restart=true` filter.
- Preserve state: Preserve the `StoppedByUser` state across reboots.
- Update API: Add a `ShouldStartOnBoot()` method to the Container API.
- Update documentation: Add descriptions for the `should-start-on-boot` filter.

Fixes: https://issues.redhat.com/browse/RHEL-129405
Fixes: https://github.com/containers/podman/issues/20418

Signed-off-by: Jan Rodák <hony.com@seznam.cz>
2025-12-02 15:40:46 +01:00
openshift-merge-bot[bot]
9a811bf5ac Merge pull request #27642 from HastD/zizmor-issues
ci: fix Zizmor-identified issues in workflows
2025-12-02 14:17:46 +00:00
Daniel Hast
67c050bb8e ci: use env vars to avoid template expansion in code contexts
Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection

To avoid this, instead use environment variables to safely store the
values of the template expansions.

Also (in the process of doing the above) added double-quotes around a
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:43:09 -05:00
Daniel Hast
3f4af378f4 ci: use --sandbox for dynamically generated sed scripts
sed scripts are capable of doing file I/O and executing arbitrary
commands. The `--sandbox` option prevents this by rejecting sed commands
with such capabilities; it's good practice to use this whenever the sed
script is dynamically generated (e.g. if it involves a variable
expansion).

Also fixed an error in one sed script where `.*` had been placed outside
of the quoted string (and would therefore be subject to shell globbing),
presumably due to single-quotes having been changed to double-quotes at
some point in the past.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:43:05 -05:00
Daniel Hast
b9736e8d11 ci: pass secrets explicitly to reusable workflow
Using `secrets: inherit` forwards all secrets to the workflow and makes
it harder to determine which secrets the workflow was actually executed
with. See: https://docs.zizmor.sh/audits/#secrets-inherit

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:43:01 -05:00
Daniel Hast
64ddbfea12 ci: disable caching for actions/setup-go
This mitigates a potential cache-poisoning attack. For details, see:
https://docs.zizmor.sh/audits/#cache-poisoning

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:42:54 -05:00
Daniel Hast
0752c5327e ci: specify persist-credentials for actions/checkout
Explicitly set `persist-credentials: true` for uses of
`actions/checkout` where it's needed (when the job does git operations
using the stored credentials) and `persist-credentials: false` where the
stored credentials are not later used.

This reduces the risk of cached credentials accidentally being leaked
via artifacts.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:42:49 -05:00