Commit Graph

7059 Commits

Author SHA1 Message Date
0xdvc
35c602bfbb fix: improve userns validation when joining pods
- remove old CLI validation that only checked --pod flag
- add validation in namespaces.go to catch all paths (cli, quadlet, api)
- block userns mixing for all pods with infra, not just ipc/net
- update error message to be clearer
- fix test cleanup to use PodmanExitCleanly()
- use dynamic pod names in system tests to avoid conflicts

fixes #26848

Signed-off-by: 0xdvc <neilohene@gmail.com>

<MH: Fixed cherry-pick conflicts>

Signed-off-by: Matt Heon <matthew.heon@pm.me>
2026-02-06 15:36:47 -05:00
Vyacheslav Bespalov
d6c79580f8 [Fixes: #27571] Fix 'shouldResolveWinPaths' returning 'false' on Windows
Signed-off-by: Vyacheslav Bespalov <vbespalov@ptsecurity.com>
2026-02-06 15:36:47 -05:00
axel7083
243b623629 fix(api/compat): typo in the remove secret handle
Fixes https://github.com/containers/podman/issues/27548

Signed-off-by: axel7083 <42176370+axel7083@users.noreply.github.com>
2026-02-06 15:36:47 -05:00
Aaron Ang
8423b3bbd0 Clamp rootless rlimits to host on format
Signed-off-by: Aaron Ang <aaron.angyd@gmail.com>

<MH: Fixed cherry-pick conflicts>

Signed-off-by: Matt Heon <matthew.heon@pm.me>
2026-02-06 15:36:47 -05:00
Aaron Ang
58a15f1500 Add ulimits to podman update API
Signed-off-by: Aaron Ang <aaron.angyd@gmail.com>

<MH: Fixed cherry-pick conflicts>

Signed-off-by: Matt Heon <matthew.heon@pm.me>
2026-02-06 15:36:47 -05:00
ryanmccann1024
484858710c feat(exec): Add --no-session flag for improved performance
Fixes: #26588

For use cases like HPC, where `podman exec` is called in rapid succession, the standard exec process can become a bottleneck due to container locking and database I/O for session tracking.

This commit introduces a new `--no-session` flag to `podman exec`. When used, this flag invokes a new, lightweight backend implementation that:

- Skips container locking, reducing lock contention
- Bypasses the creation, tracking, and removal of exec sessions in the database
- Executes the command directly and retrieves the exit code without persisting session state
- Maintains consistency with regular exec for container lookup, TTY handling, and environment setup
- Shares implementation with health check execution to avoid code duplication

The implementation addresses all performance bottlenecks while preserving compatibility with existing exec functionality including --latest flag support and proper exit code handling.

Changes include:
- Add --no-session flag to cmd/podman/containers/exec.go
- Implement lightweight execution path in libpod/container_exec.go
- Ensure consistent container validation and environment setup
- Add comprehensive exit code testing including signal handling (exit 137)
- Optimize configuration to skip unnecessary exit command setup

Signed-off-by: Ryan McCann <ryan_mccann@student.uml.edu>
Signed-off-by: ryanmccann1024 <ryan_mccann@student.uml.edu>
2026-02-06 15:36:47 -05:00
flouthoc
790f21d355 quadlet install: multiple quadlets from single file should share app
Quadlets installed from a `.quadlet` file now belong to a single
application; removing any one file from this application removes all the
other files as well.

Assisted by: claude-4-sonnet

Signed-off-by: flouthoc <flouthoc.git@gmail.com>
2026-02-06 15:36:47 -05:00
flouthoc
ed79cdfd6a quadlet: add support for multiple quadlets in a single file
Enable installing multiple quadlets from one file using '---' delimiters.
Each section requires '# FileName=<name>' comment for custom naming.
Single quadlet files remain unchanged for backward compatibility.

Assisted by: claude-4-sonnet

Signed-off-by: flouthoc <flouthoc.git@gmail.com>
2026-02-06 15:36:47 -05:00
xiaolinny
e8c334f3cb chore: fix the inconsistent method names in the comments
Signed-off-by: xiaolinny <xiaolincode@outlook.com>
2026-02-06 15:36:47 -05:00
Alessandro Verzicco
d45377c6c8 Ignore auth header with empty JSON object
Signed-off-by: Alessandro Verzicco <152161683+alessandro-verzicco@users.noreply.github.com>
2026-02-06 15:36:47 -05:00
Byounguk Lee
f1dcf63a91 Fixes #27421 artifact push and pull with authfile
Signed-off-by: Byounguk Lee <nimdrak@gmail.com>
2026-02-06 15:36:47 -05:00
shiavm006
87bb060531 Fix remote client rejecting empty --detach-keys string
The remote client (podman --remote) was incorrectly throwing an error
when --detach-keys="" was specified for attach, run, or start commands.
According to documentation and the v1.7.0 release notes, specifying an
empty string should disable detaching, not cause an error.

Fixes: #27414

Signed-off-by: shiavm006 <shivammittal42006@gmail.com>
2026-02-06 15:36:47 -05:00
Dmitry Konishchev
8b8390522b Escape RequiresMountsFor value
Signed-off-by: Dmitry Konishchev <konishchev@gmail.com>
2026-02-06 15:36:47 -05:00
Lewis Denny
f76be2a94d [play_kube] Add validation to container image field
Fixes: #27784

Signed-off-by: Lewis Denny <lewisdenny@me.com>
2026-02-06 15:36:47 -05:00
shiavm006
6c1378be44 extract shared TTY handling code into helper function
Signed-off-by: shiavm006 <shivammittal42006@gmail.com>
2026-02-06 15:36:47 -05:00
MayorFaj
8eacbd8464 fix: correct env/envFrom precedence in kube play
Fixes: #27287

Signed-off-by: MayorFaj <mayorfaj@gmail.com>
2026-02-06 13:46:37 -05:00
Gregor Dschung
9e965498aa Fix interfering escaping of commas and spaces in no_proxy variable
Signed-off-by: Gregor Dschung <gregor@chkpnt.de>
2026-02-06 13:46:37 -05:00
Gregor Dschung
4ea22f1b29 Write DefaultEnvironment proxy values to /etc/systemd/user.conf.d/default-env.conf
Otherwise, the proxy values aren't passed to rootless podman.

Signed-off-by: Gregor Dschung <gregor@chkpnt.de>
2026-02-06 13:46:37 -05:00
Gregor Dschung
0e4dc26c05 Fix test proxyenv/env_test.go for systems that use proxy variables
Signed-off-by: Gregor Dschung <gregor@chkpnt.de>
2026-02-06 13:46:37 -05:00
Mayowa Fajobi
eb118bafb4 Fix healthcheck argument with spaces split in Docker API (#27818)
Fixes: #26519

Signed-off-by: MayorFaj <mayorfaj@gmail.com>
2026-02-06 13:46:37 -05:00
givensuman
0747179589 Add AppArmor key to quadlet .container files
Fixes: #27095
Signed-off-by: givensuman <givensuman@duck.com>
2026-02-06 13:46:36 -05:00
MayorFaj
dac1e82710 fix(logs): add tests for nanosecond precision in log timestamps
Signed-off-by: MayorFaj <mayorfaj@gmail.com>
2026-02-06 13:46:36 -05:00
MayorFaj
d3bda38309 fix(logs): improve timestamp precision in container logs
Signed-off-by: MayorFaj <mayorfaj@gmail.com>
2026-02-06 13:46:36 -05:00
Colin Walters
06fe9b21c1 Fix missing newlines in stderr error messages
I happened to run `podman run --config=/path/to/file` and got
an error without a trailing newline, which was a bit jarring.

Fix the instances I noticed.

Assisted-by: OpenCode (Claude Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
2026-02-06 13:46:36 -05:00
Jan Rodák
7ae6813dfc [v5.8] artifact: Skip AddLocal optimization on WSL
The local API path optimization is ineffective on WSL because of NTFS mounting overhead.

Signed-off-by: Jan Rodák <hony.com@seznam.cz>
(cherry picked from commit d889aeb6af)
2026-02-05 19:33:51 +01:00
Jan Rodák
3918d4ca75 [v5.8] Require absolute path for local API
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
(cherry picked from commit 2f7094c0de)
2026-02-05 19:33:51 +01:00
Jan Rodák
6465c07d21 [v5.8] Add local artifact add API endpoint
Fixes: https://issues.redhat.com/browse/RUN-3385
Fixes: https://github.com/containers/podman/issues/26321

Signed-off-by: Jan Rodák <hony.com@seznam.cz>
(cherry picked from commit 91af437471)
2026-02-05 19:33:46 +01:00
Nicola Sella
bae88e1e5e Add GET /quadlets/{name}/exists
Fixes: https://issues.redhat.com/browse/RUN-4068

Signed-off-by: Nicola Sella <nsella@redhat.com>
2026-02-05 14:56:03 +01:00
Nicola Sella
d6023e431f Add DELETE /libpod/quadlets
Fixes: https://issues.redhat.com/browse/RUN-3742

Signed-off-by: Nicola Sella <nsella@redhat.com>
2026-02-05 14:55:46 +01:00
Nicola Sella
f2fcc7f09c Add POST /libpod/quadlets
Fixes: https://issues.redhat.com/browse/RUN-3743

Signed-off-by: Nicola Sella <nsella@redhat.com>
2026-02-05 14:53:34 +01:00
Nicola Sella
01e0db2931 Add GET /quadlets/{name}/file
Fixes: https://issues.redhat.com/browse/RUN-3716

Signed-off-by: Nicola Sella <nsella@redhat.com>
2026-02-05 14:52:30 +01:00
Christophe Fergeau
d0558385ec kube play: Fix fd leak when handling symlinks
The `*os.File` returned by `pathrs.OpenatInRoot` needs to
be closed before returning from `openSymlinkPath`.

Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
2025-12-09 18:29:38 +00:00
Mikhail Dmitrichenko
ba6e527289 fix: check err returned by newGenericDecompressor
There are a couple of newGenericDecompressor function usages where the
returned, possibly non-nil `err` is not checked before dereferencing the
returned decompressor. It may lead to a nil pointer dereference.

This commit adds a check for `err` to prevent dereferencing a potentially
nil decompressor.

Found by Linux Verification Center (linuxtesting.org) with SVACE

Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
2025-12-09 09:50:13 -05:00
Doug Rabson
68022802fc pkg/specgen/generate: Fix adding host devices on FreeBSD
This was not working when emulating Linux container images on FreeBSD.
The code to handle host devices on FreeBSD relies on the container
having a devfs mount. Unfortunately, the Linux emulation code which adds
this was happening after the host device handling. This changes the
logic so that host device management happens after Linux emulation.

Signed-off-by: Doug Rabson <dfr@rabson.org>
2025-12-09 09:47:22 -05:00
Mario Loriedo
a27cc24f80 Replace FindExecutablePeer with FindHelperBinary
The WSL machine start was using the function FindExecutablePeer that
ignores user configuration (helper_binaries_dir). FindHelperBinary
instead is used when starting the machine for the rest of the providers
and honors user configuration.

This commit requires 4877783c37

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2025-12-08 14:42:36 +01:00
openshift-merge-bot[bot]
140893c2cb Merge pull request #27611 from openshift-cherrypick-robot/cherry-pick-27604-to-v5.7
[v5.7] podman system migrate fixes when pause process and conmon got killed
2025-11-26 19:42:31 +00:00
Paul Holzinger
9538a7d976 rootless_linux.c: use shortcut for system commands
There doesn't seem to be any reason why the system commands should not join
the userns. In particular, the main commands use ParentNSRequired and
UnshareNSRequired when they don't want to be joined to the main userns.
Since the system commands don't set these, the Go code does the join and
re-exec anyway, so we might as well use the shortcut to speed that up.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-11-26 10:18:30 +00:00
Paul Holzinger
0647387bfe SetupRootless handle case where conmon pid are not valid
When trying to join the conmon pid to recreate the pause process based
on the namespace it can be that the pid is no longer valid, i.e. when
conmon crashed or was killed.

Currently we have a big issue that can be reproduced using:
$ podman run -d quay.io/libpod/testimage:20241011 sleep 100
$ killall -9 conmon
$ killall catatonit

All commands would fail as we keep trying to rejoin the namespace of the
non-existing conmon process.

So to address that fall back to creating a new namespace if we fail to
join the conmon pids.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-11-26 10:18:30 +00:00
Paul Holzinger
118ec04065 preallocate paths in SetupRootless
Just a minor improvement: as we know the size needed for the slice, we can
allocate it only once instead of having append resize it.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-11-26 10:18:30 +00:00
Paul Holzinger
6a9ce66e5c fix noMoveProcess in SetupRootless
Based on the description in commit 63ef557 this was added so that the
migrate command does not move the pause process into a separate cgroup.

It should however not disable the rejoining of the userns when the pause
process join failed. Because of this we end up calling migrate without a
userns, and that can then fail if there are actual containers it tries to
clean up.

Fixes: 63ef5576ed ("command: migrate doesn't move process to cgroup")

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-11-26 10:18:30 +00:00
Paul Holzinger
973ab34078 use return error handling in SetupRootless
There is no good reason to use logrus and os.Exit() here; other parts of
this function already return the error, so do the same. The main podman
process will then exit with the normally formatted error message.

And also log an error about the last return which should never happen as
we should have exited above if the re-exec worked or errored out.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-11-26 10:18:30 +00:00
Paul Holzinger
363665a456 pkg/machine: make mount units hook into local-fs
The virtiofs mount points are not actually network mounts, so we can
mount them earlier; using multi-user.target to enable them was wrong.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-11-25 20:27:47 +00:00
Paul Holzinger
97ad660c0c [v5.7] fix lint issues with github.com/cyphar/filepath-securejoin
The old location is deprecated and has been removed in v0.6.0 even. I
did this as extra commit to make cherry-picking easier.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
2025-11-07 10:58:16 -05:00
Mario Loriedo
fb8644d551 Fix cache misses when pulling WSL machine image
Fixes a regression introduced by b2e6d53 that made matching the WSL image
from the registry against the image in the local cache always fail. The
result was that the WSL machine image was always pulled from quay.io even
if an identical image was in the local cache.

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2025-11-05 11:53:57 +00:00
openshift-merge-bot[bot]
bc3b910276 Merge pull request #27340 from axel7083/feature/quadlet/kube-support-multiple-yaml
feat(quadlet: kube): support multiple Yaml entries
2025-10-22 20:32:58 +00:00
openshift-merge-bot[bot]
08c670b232 Merge pull request #27263 from Honny1/fix-docs
docs: add missing manifest parameter to build API endpoints
2025-10-22 15:14:14 +00:00
axel7083
8e013c0012 feat(quadlet: kube): support multiple Yaml entries
fixes https://github.com/containers/podman/issues/26274

Signed-off-by: axel7083 <42176370+axel7083@users.noreply.github.com>
2025-10-22 16:09:47 +02:00
Celso Henrique Souza Silva
0ea4eaee70 cmd/podman: add replace flag to quadlet install
Signed-off-by: Celso Henrique Souza Silva <celsohenrique367@gmail.com>
Fixes: #26930
2025-10-21 14:03:23 -03:00
openshift-merge-bot[bot]
b342596e1c Merge pull request #27269 from Honny1/fix-unmarshal-prunereport
fix: system prune JSON unmarshalling error in remote client
2025-10-21 15:15:57 +00:00
openshift-merge-bot[bot]
9146ef6ac0 Merge pull request #27302 from arsenalzp/podman_26396
Add option to remove Pod name prefix in resulting container name
2025-10-20 23:47:40 +00:00