This was report on of of my PRs, I do not know why this fails there all
of the sudden, it seems golangci-lint has gotten flaky recently.
Locally the linter passes without this change just fine but in CI this
seems to fail:
Error: cmd/podman-testing/call.go:58:22: SA4023(related information): the lhs of the comparison is the 1st return value of this function call (staticcheck)
reflectionClient := reflectionv1.NewServerReflectionClient(grpcClient)
^
Error: cmd/podman-testing/call.go:59:5: SA4023: this comparison is never true (staticcheck)
if reflectionClient == nil {
^
The lint seems right, NewServerReflectionClient never returns nil so
lets just fix it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Pause the container by default during commit. It is safer as it
avoids conflicts, and potentially security issues, when another
process is accessing the container rootfs.
Originally this was not done because it was a breaking change and
rootless containers weren't able to use the freezer cgroup controller.
Now that we support only cgroup v2, there is no gap anymore with
root (exotic configurations can still use --pause=false).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
`podman run -ti` warns when stdin is not a tty, but if the container is
run in detached state that warning does not make much sense: we just
need the environment where podman attach will be run to be a tty.
Running with `-ti` even in detached state can make sense to avoid
applications buffering their output (for realtime logs) or allowing
later interaction and should not warn users.
Also remove the comment saying that warning will become fatal, as there
seems to be agreement that such a breaking change will not be made
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
Add support for blackhole, unreachable, and prohibit route types in podman
networks. These route types allow silently discarding packets (blackhole),
rejecting with destination unreachable (unreachable), or rejecting with
administratively prohibited (prohibit).
Note: Blackhole routes require netavark >= 2.0.0. Regular unicast routes
remain backward compatible with all netavark versions.
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
<MH: Rebased atop latest main & fixed cherry-pick conflicts>
Signed-off-by: Matt Heon <matthew.heon@pm.me>
inspect was using the default system provider (machineProvider) to resolve machine directories instead of the provider returned by shim.VMExists for the specific machine. This caused incorrect results (e.g. listing WSL dirs when inspecting a Hyper-V machine).
Signed-off-by: lstocchi <lstocchi@redhat.com>
Using os.Is{Exist,NotExist,Permission} checks is not recommended in the
new code (see official documentation). While using it in the existing
code is OK, it may still result in a subtle errors later (for a specific
example of that, see [1]).
Replace those with errors.Is.
Generated by:
gofmt -r 'os.IsExist(a) -> errors.Is(a, os.ErrExist)' -w .
gofmt -r 'os.IsNotExist(a) -> errors.Is(a, os.ErrNotExist)' -w .
gofmt -r 'os.IsPermission(a) -> errors.Is(a, os.ErrPermission)' -w .
goimports -w .
git diff vendor test/tools/vendor | patch -p1 -R
[1]: https://github.com/opencontainers/runc/pull/5061
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
- libpod/events.go & libpod/runtime.go: Added the `Artifact` event type.
Refactored and deduplicated event forwarding logic by introducing
`spawnEventForwarder[T any]`, replacing separate goroutine loops for
images and artifacts. Implemented graceful shutdown and resolved eventer
initialization race conditions.
- libpod/events: Implemented event filtering by name/ID, updated journald
and logfile readers/writers for artifact events, and added `Artifact` to
`ToHumanReadable` formatting.
- cmd/podman: Added shell auto-completion for `artifact=` and `type=artifact` filters.
- docs/test: Documented the `artifact` event type, statuses, and filters in
`podman-events.1.md`. Added an end-to-end test in `events_test.go` to verify
event emissions.
Signed-off-by: Byounguk Lee <nimdrak@gmail.com>
Add a --dry-run option to show which volumes would be pruned without removing them.
Related: #27838
Signed-off-by: KyounghoonJang <matkimchi_@naver.com>
Autocompletion for `podman inspect` now includes artifact names,
matching the behavior of other object types like containers, images,
pods, networks, and volumes.
Signed-off-by: Byounguk Lee <nimdrak@gmail.com>
This is gated behind a new option in `podman system migrate`,
`--migrate-db`, or by a system restart being performed.
BoltDB support was removed in Podman 6, so we are certain that,
when we start Podman, a SQLite state is in use. However, if we
also detect a valid BoltDB state, we will attempt a migration.
Migration is performed by retrieving all volumes, pods, and
containers (in that order, to ensure there are no dependency
conflicts) from the Bolt database, when adding them to the SQLite
database. If there is a conflict - IE, a container exists in both
SQLite and Bolt - we skip migration for that object. The old DB
is then renamed so we do not try to migrate it again.
Our ability to test complex migration scenarios is limited, but
this should handle simple migrations easily.
This is a heavily adapted version of #27660 rebuilt to work with
Podman 6.0. Substantial changes were required to throw errors
when a BoltDB database is detected and no migration is being
performed. Firstly, for automatic on-reboot migrations, we need
to have a deferred error returned by getDBState (very early in
runtime initialization) that is only acted on much later (once we
know for certain a state refresh is/is not being performed).
The `system migrate --migrate-db` command was much more
problematic. Conceptually, it's not terrible - add a flag to the
runtime to suppress errors, set that flag only when calling the
`system migrate` command with `--migrate-db` - but it unveiled a
serious problem with how we do runtime init (special flags to the
runtime were being ignored because the image runtime set the
Libpod runtime first and had none of the proper handling) which
took a genuinely annoying amount of time to identify and fix.
This cannot be tested automatically, as the ability to create Bolt
databases has been entirely removed with Podman 6.
This also includes 9b810aed3a from
the v5.8 branch by Luap99, which I have had to squash into this
commit to satisfy the build-each-commit check. It was just a
simplification of the SQLite path check.
Signed-off-by: Matt Heon <matthew.heon@pm.me>
Podman defaults to the directory of the Containerfile when no context dir is explicitly provided.
When running podman build with process subsituiton, `podman build -f <(echo "FROM scratch")`,
the Containerfile path expands to `/dev/fd/<NUM>`, which makes `/dev/fd` the context dir.
When building, Buildah attempts to create an overlay mount on top of the `/dev/fd` context dir, which fails.
In these cases, use a temp context dir instead: `$TMPDIR/podman-build-context-$randnum`
Fixes: https://github.com/containers/podman/issues/28113
Signed-off-by: Ashley Cui <acui@redhat.com>
Introducing a new `podmand system` subcommand to prepare a Windows host
to run Hyper-V based Podman machines: `hyperv-prep`.
When executed it:
- creates of the registry keys for VSocks
- adds the current user to the Hyper-V administrators group
This command requires an administrator terminal.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
The recent registries.conf rework made so the backend already reads the
env var. As such clients should no longer set it directly to simplify
the code here.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The podman module paths are moving from github.com/containers/podman to
go.podman.io/podman. This will help with future mobility.
Signed-off-by: Brent Baude <bbaude@redhat.com>
This PR reflects the upstream change of moving the buildah module from
github.com/containers/buildah to go.podman.io/buildah.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Use shared configfile instead of custom policy.json path handling.
This updates ocipull to rely on signature.DefaultPolicy(), removes
explicit SignaturePolicyPath, and replaces trust's custom default-policy
path logic with common configfile code.
Replace hidden `--policypath` with --signature-policy` and require
it for `trust set` command instead of path resolution based on
configfile.
For `trust get`, the `--signature-policy` is optional.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
These are two new Buildah flags that we need to wire into Podman
(both local and remote) and document, with the interesting note
that one requires the other and a check needed to be added for
that.
Also: secret parsing was tightened up in Buildah, and was
breaking the remote build tests. Rewire it to use the new parser
Buildah made, which ends up simplifying the code considerably.
Tests are back to passing afterwards.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
This was implemented by containers/netavark #1369; this commit
completes the process by wiring it into Podman. We now respect
the CLI order for configured networks - if a user passes
`--net net1,net2` we guarantee that net1 will be configured
before net2.
For containers created before this patch, we don't retain enough
information to configure networks in CLI order, so we use
alphabetical order instead to still guarantee consistency.
No breaking API changes have been made, but we do add a new
field to supplement the existing map to (optionally) provide
ordering information. The Podman CLI will always pass this.
Existing applications that do not will, again, receive]
deterministic ordering based on an alphabetical sort of network
names.
This requires the latest version of Netavark to work properly.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The old ErrRelaunchAttempt name was ambiguous — it reads as though the
relaunch attempt failed, when it actually signals success. Rename to
ErrRelaunchSucceeded and update comments at every call site to clarify
that this is not a real error but a sentinel indicating the elevated
child process completed the operation successfully.
Also fix a bug in WSL's launchElevate where a failed elevated process
was incorrectly wrapped with the sentinel, causing callers to treat the
failure as success and print "Machine init complete."
Signed-off-by: lstocchi <lstocchi@redhat.com>