This is useful for triggering the execution of a healthcheck
without caring about its result as long as no fatal error occurred.
Signed-off-by: Patrick Wicki <patrick.wicki@siemens.com>
Remove user-facing CLI options for CNI network backend:
CLI flags:
- Keep --network-backend global flag as hidden and deprecated for
backward compatibility with cleanup commands from 5.x containers
- Map flag to a throwaway variable (value is ignored)
- Remove shell completion for network backend values
Shell completions:
- Remove AutocompleteNetworkBackend() function
- Remove references to CNI and Netavark type constants
Backward compatibility:
- Remove --rootless-cni flag alias for podman unshare
- Remove SetNormalizeFunc that mapped rootless-cni to rootless-netns
- Update --rootless-netns flag description to mention only netavark
The --network-backend flag remains as a hidden deprecated flag to
prevent failures when upgrading from 5.x where containers may have
cleanup commands that include this flag. The flag is accepted but
ignored. Users can no longer specify CNI as a network backend option.
The --rootless-cni alias is removed; users must use --rootless-netns.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Remove test framework code that supported dual network backends:
Test utilities:
- Remove NetworkBackend enum type and constants (CNI, Netavark)
- Remove NetworkBackend.ToString() method
- Remove NetworkBackend field from PodmanTest struct
Test infrastructure:
- Remove SkipIfCNI() helper function
- Remove SkipIfNetavark() helper function
- Remove network backend selection logic based on NETWORK_BACKEND env var
- Remove CNI-specific network config directory setup
- Hardcode "netavark" in podman command line construction (flag will be removed in later commit)
Simplify test helpers:
- Simplify generateNetworkConfig() to only generate Netavark configs
- Remove conditional CNI vs Netavark network ID logic
- Update IP allocation comment to remove CNI-specific behavior description
Remove SkipIfCNI() calls from tests:
- Remove skip guards from Netavark-only feature tests
- These tests now run universally since Netavark is the only backend
Documentation:
- Remove NETWORK_BACKEND environment variable from test/README.md
All tests that were previously skipped with SkipIfCNI (Netavark-only
features) will now run for all users since Netavark is the only
supported network backend.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Remove test cases that only tested CNI-specific functionality:
- Remove "podman --cni-config-dir backwards compat" test
- Remove "podman CNI network create with internal should not have dnsname" test
Update CNI-specific test names to be network-backend agnostic:
- Rename "podman inspect container single CNI network" to "podman inspect container single network"
- Rename "podman inspect container two CNI networks (container not running)" to "podman inspect container two networks (container not running)"
- Rename "podman inspect container two CNI networks" to "podman inspect container two networks"
- Rename "podman run in custom CNI network with --static-ip" to "podman run in custom network with --static-ip"
- Rename "podman rootless cni adds /usr/sbin to PATH" to "podman rootless adds /usr/sbin to PATH"
Update test content to be backend-agnostic:
- Update skip reasons from "Requires root CNI networking" to "Requires root networking"
- Change --rootless-cni flag usage to --rootless-netns
- Update comments from "CNI network" to "network"
- Update comments from "iptables" to "nftables" for netavark
- Update test assertions to remove CNI-specific messaging
Remove CNI-related test documentation and comments:
- Remove commented-out CNI error messages from Python API tests
- Remove CNI network namespace error documentation from upgrade tests
- Remove CNI-related comments from BATS tests
Remove unused import of github.com/containernetworking/plugins/pkg/ns
from test/e2e/run_networking_test.go (test-only usage).
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Previously, `secret create` required stdin to be a pipe when using `-`,
blocking interactive stdin, forcing users to use insecure patterns like
`echo "secret" | podman secret create <name>`.
Remove the pipe check to allow interactive stdin.
Closes #18591, #27879
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
I happened to run `podman run --config=/path/to/file` and got
an error without a trailing newline, which was a bit jarring.
Fix the instances I noticed.
Assisted-by: OpenCode (Claude Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
The code checks for isPathOnVolume and isPathOnMount so we can just use
the SecureJoin here directly to check for path existence.
Then instead of walking symlinks and trying to guess if they are on a
mount just assume if it is a link (path is different from the normal
joined one) then don't error out early and let the OCI runtime deal with
it. The runtime does produce a less readable error but it still fails
and we have much less fragile code.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
MkdirAll can fail with EEXIST when the path is a symlink and the target
doesn't exist. As such we should ignore the error.
Note there is something fundamentally wrong here with the path access as
it is following the symlink to the host, however it is only for a
stat() so it is not a security issue here.
Fixes: 637c264e2e ("fix issues found by nilness")
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
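
The failure mode described in the commit message above, reproduced with the Go standard library on a Unix-like system. This is an added example, not code from the podman repository; the helper name `mkdirAllTolerant` and the temporary directory layout are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// mkdirAllTolerant (hypothetical helper) treats EEXIST from MkdirAll as
// success, the handling the commit message describes.
func mkdirAllTolerant(dir string) error {
	err := os.MkdirAll(dir, 0o755)
	if err != nil && !errors.Is(err, fs.ErrExist) {
		return err
	}
	return nil
}

// danglingSymlinkDemo builds a constructed layout, <tmp>/link -> <tmp>/missing,
// and reports: whether plain MkdirAll fails with EEXIST, whether the tolerant
// helper succeeds, and whether the path is still a symlink afterwards.
func danglingSymlinkDemo() (rawIsExist, tolerantOK, stillLink bool, err error) {
	tmp, err := os.MkdirTemp("", "mkdirall-demo-")
	if err != nil {
		return false, false, false, err
	}
	defer os.RemoveAll(tmp)

	link := filepath.Join(tmp, "link")
	if err := os.Symlink(filepath.Join(tmp, "missing"), link); err != nil {
		return false, false, false, err
	}
	// Stat follows the link (ENOENT), so MkdirAll falls through to mkdir(2),
	// which sees the symlink itself and returns EEXIST.
	rawIsExist = errors.Is(os.MkdirAll(link, 0o755), fs.ErrExist)
	tolerantOK = mkdirAllTolerant(link) == nil

	fi, err := os.Lstat(link)
	if err != nil {
		return false, false, false, err
	}
	return rawIsExist, tolerantOK, fi.Mode()&fs.ModeSymlink != 0, nil
}

func main() {
	fmt.Println(danglingSymlinkDemo())
}
```

Ignoring EEXIST leaves the dangling symlink in place, so any later access to that path still has to decide whether following the link is acceptable.
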
Adds two fields to the output of `podman image list --format json`,
"Repository" and "Tag." Consequently makes the existing embedded field
"RepoTag" redundant, and in current implementation is always `nil`. Adds
`json:",omitempty"` to improve program output.
Fixes: #27632
Signed-off-by: givensuman <givensuman@duck.com>
Previously, using --secret=id=foo,env=BAR in remote mode would fail because the client sent the env var name to the server, which tried to resolve it locally. This patch modifies the client to resolve the environment variable locally, write it to a temp file, and send it as a file-based secret.
Fixes #27494
Signed-off-by: ZuhairM7 <ZuhairM7>
Signed-off-by: ZuhairM7 <zuhairmerali@gmail.com>
- Update documentation: Differentiate `unless-stopped` from `always` - containers stopped by the user before a reboot will not restart.
- Add `should-start-on-boot` filter: Identify containers that require a restart after a system reboot.
- Update command documentation: Add `restart-policy` and `label!` filters to the documentation for container commands (rm, ps, start, stop, pause, unpause, restart).
- Add `restart-policy` and `should-start-on-boot` to completions.
- Update service: Update `podman-restart.service` to use the `needs-restart=true` filter.
- Preserve state: Preserve the `StoppedByUser` state across reboots.
- Update API: Add a `ShouldStartOnBoot()` method to the Container API.
- Update documentation: Add descriptions for the `should-start-on-boot` filter.
Fixes: https://issues.redhat.com/browse/RHEL-129405
Fixes: https://github.com/containers/podman/issues/20418
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
The --macvlan flag was deprecated in Podman 3.x and was scheduled
for removal in version 4.0. Since we're now at version 6.0.0-dev,
this commit removes the deprecated flag and its associated code.
Users should now use the standard syntax:
    podman network create --driver macvlan --opt parent=<device> <name>
Signed-off-by: shiavm006 <shivammittal42006@gmail.com>
- remove old CLI validation that only checked --pod flag
- add validation in namespaces.go to catch all paths (cli, quadlet, api)
- block userns mixing for all pods with infra, not just ipc/net
- update error message to be clearer
- fix test cleanup to use PodmanExitCleanly()
- use dynamic pod names in system tests to avoid conflicts
fixes #26848
Signed-off-by: 0xdvc <neilohene@gmail.com>
Fixes: #26588
For use cases like HPC, where `podman exec` is called in rapid succession, the standard exec process can become a bottleneck due to container locking and database I/O for session tracking.
This commit introduces a new `--no-session` flag to `podman exec`. When used, this flag invokes a new, lightweight backend implementation that:
- Skips container locking, reducing lock contention
- Bypasses the creation, tracking, and removal of exec sessions in the database
- Executes the command directly and retrieves the exit code without persisting session state
- Maintains consistency with regular exec for container lookup, TTY handling, and environment setup
- Shares implementation with health check execution to avoid code duplication
The implementation addresses all performance bottlenecks while preserving compatibility with existing exec functionality including --latest flag support and proper exit code handling.
Changes include:
- Add --no-session flag to cmd/podman/containers/exec.go
- Implement lightweight execution path in libpod/container_exec.go
- Ensure consistent container validation and environment setup
- Add comprehensive exit code testing including signal handling (exit 137)
- Optimize configuration to skip unnecessary exit command setup
Signed-off-by: Ryan McCann <ryan_mccann@student.uml.edu>
Signed-off-by: ryanmccann1024 <ryan_mccann@student.uml.edu>
It is failing with:
replacing mount point ".../root/overlay/xxx/merged": directory not empty
First, the build does not need network so ensure we don't leak network
allocations by killing it. Second, kill is always async so ensure to
wait for the actual build process exit.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>