Pass --mount settings and the contents of the --source-policy-file
argument to remote builds.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Since these examples are multiline, we need to manually add padding to
the start of the line, otherwise the lines are not aligned.
Signed-off-by: mhorky <mhorky@redhat.com>
As I outlined in the design docs this is broken, there are several
data races here because we write to the config files that can be read by
other goroutines in parallel which violates the go memory model and
thus can lead to runtime panics and undefined behavior.
One could fix with a mutex but that would make the whole code base much
more ugly and there is still the risk that something would access this
field without the mutex held.
I am not sure we have any users using this, it never worked for the
storage side and since the service is a not a daemon any user could just
stop and start it again to re-read the files without having to stop
running containers.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Rather than append LocalhostSSHArgs to args, prepend it, assuming the
order doesn't matter here.
This fixes the following prealloc warning (without decreasing
readability):
> cmd/podman/machine/cp.go:130:2: Consider preallocating args (prealloc)
> args := []string{"-r", "-i", sshConfig.IdentityPath, "-P", strconv.Itoa(sshConfig.Port)}
> ^
This commit is part of series fixing issues reported by prealloc linter
from golangci-lint v2.8.0.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
When we already know the resulting slice size but still need/want to use
append, it makes sense to preallocate the slice by using make with the
capacity argument.
This commit is part of series fixing issues reported by prealloc linter
from golangci-lint v2.8.0.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Calling append can lead to resizing the slice. In case we have all
elements beforehand, it is not necessary to call append in the first
place and this avoid resizing.
This is the first part of fixing issues reported by prealloc linter from
golangci-lint v2.8.0.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This is useful for triggering the execution of a healthcheck
without caring about it's result as long as no fatal error occured.
Signed-off-by: Patrick Wicki <patrick.wicki@siemens.com>
now that we use `bootc switch` for changing out-of-band updates, we can
consider also using some of their supported transports.
* containers-storage
* oci
* oci-archive
* registry
RUN-3963
Signed-off-by: Brent Baude <bbaude@redhat.com>
Remove user-facing CLI options for CNI network backend:
CLI flags:
- Keep --network-backend global flag as hidden and deprecated for
backward compatibility with cleanup commands from 5.x containers
- Map flag to a throwaway variable (value is ignored)
- Remove shell completion for network backend values
Shell completions:
- Remove AutocompleteNetworkBackend() function
- Remove references to CNI and Netavark type constants
Backward compatibility:
- Remove --rootless-cni flag alias for podman unshare
- Remove SetNormalizeFunc that mapped rootless-cni to rootless-netns
- Update --rootless-netns flag description to mention only netavark
The --network-backend flag remains as a hidden deprecated flag to
prevent failures when upgrading from 5.x where containers may have
cleanup commands that include this flag. The flag is accepted but
ignored. Users can no longer specify CNI as a network backend option.
The --rootless-cni alias is removed; users must use --rootless-netns.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Implements automatic OS upgrade functionality for Podman machines that requires no user input beyond running the command. The upgrade logic automatically determines the appropriate upgrade path using a three-way comparison between client version, machine version, and OCI registry:
* When the client version is older than the machine version, no action is taken and an error is returned.
* When the client version matches the machine version, the OCI registry is queried to check for in-band updates by comparing image digests. This handles minor, patch level, and updates oci image use cases.
* When the client version is newer than the machine version, the machine is upgraded to match the client's major.minor version.
* No manual image selection or version specification required.
The command supports dry-run mode and JSON (only) output format for automation.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Previously, `secret create` required stdin to be a pipe when using `-`,
blocking interactive stdin forcing users to use insecure patterns like
`echo "secret" | podman secret create <name>`.
Remove the pipe check to allow interactive stdin.
Closes#18591, #27879
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
I happened to run `podman run --config=/path/to/file` and got
an error without a trailing newline, which was a bit jarring.
Fix the instances I noticed.
Assisted-by: OpenCode (Claude Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
This PR removes support for Intel Apple Macs. The removal includes
impacts to code, tests, Makefile, builds, release builds, and so forth.
Fixes Jira: RUN-3621
Signed-off-by: Brent Baude <bbaude@redhat.com>
Adds two fields to the output of `podman image list --format json`,
"Repository" and "Tag." Consequently makes the existing embedded field
"RepoTag" redundant, and in current implementation is always `nil`. Adds
`json:",omitempty"` to improve program output.
Fixes: #27632
Signed-off-by: givensuman <givensuman@duck.com>
- Update documentation: Differentiate `unless-stopped` from `always` - containers stopped by the user before a reboot will not restart.
- Add `should-start-on-boot` filter: Identify containers that require a restart after a system reboot.
- Update command documentation: Add `restart-policy` and `label!` filters to the documentation for container commands (rm, ps, start, stop, pause, unpause, restart).
- Add `restart-policy` and `shoud-start-on-boot` to completions.
- Update service: Update `podman-restart.service` to use the `needs-restart=true` filter.
- Preserve state: Preserve the `StoppedByUser` state across reboots.
- Update API: Add a `ShouldStartOnBoot()` method to the Container API.
- Update documentation: Add descriptions for the `should-start-on-boot` filter.
Fixes: https://issues.redhat.com/browse/RHEL-129405
Fixes: https://github.com/containers/podman/issues/20418
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
The --macvlan flag was deprecated in Podman 3.x and was scheduled
for removal in version 4.0. Since we're now at version 6.0.0-dev,
this commit removes the deprecated flag and its associated code.
Users should now use the standard syntax:
podman network create --driver macvlan --opt parent=<device> <name>
Signed-off-by: shiavm006 <shivammittal42006@gmail.com>
- remove old CLI validation that only checked --pod flag
- add validation in namespaces.go to catch all paths (cli, quadlet, api)
- block userns mixing for all pods with infra, not just ipc/net
- update error message to be clearer
- fix test cleanup to use PodmanExitCleanly()
- use dynamic pod names in system tests to avoid conflicts
fixes#26848
Signed-off-by: 0xdvc <neilohene@gmail.com>
In function rm variable `report` might be initialized as nil as a result
of call
`registry.ImageEngine().Remove(registry.Context(), args, imageOpts)`.
Then, there is a call `registry.SetExitCode(report.ExitCode)` without
explicit nil check before. Check `len(rmErrors) > 0` doesn't guarantee
that report is a non-nil value.
So such call may lead to nil deref.
This commit adds check `report` for nil before its dereference.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Fixes: #26588
For use cases like HPC, where `podman exec` is called in rapid succession, the standard exec process can become a bottleneck due to container locking and database I/O for session tracking.
This commit introduces a new `--no-session` flag to `podman exec`. When used, this flag invokes a new, lightweight backend implementation that:
- Skips container locking, reducing lock contention
- Bypasses the creation, tracking, and removal of exec sessions in the database
- Executes the command directly and retrieves the exit code without persisting session state
- Maintains consistency with regular exec for container lookup, TTY handling, and environment setup
- Shares implementation with health check execution to avoid code duplication
The implementation addresses all performance bottlenecks while preserving compatibility with existing exec functionality including --latest flag support and proper exit code handling.
Changes include:
- Add --no-session flag to cmd/podman/containers/exec.go
- Implement lightweight execution path in libpod/container_exec.go
- Ensure consistent container validation and environment setup
- Add comprehensive exit code testing including signal handling (exit 137)
- Optimize configuration to skip unnecessary exit command setup
Signed-off-by: Ryan McCann <ryan_mccann@student.uml.edu>
Signed-off-by: ryanmccann1024 <ryan_mccann@student.uml.edu>
This didn't error check for mounted cgroups, only errored for rootless
cgroupsv1 containers. Safe to remove.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
While doing the provider obfuscation, I injected a regression where
podman ssh machine failed. The regression was added in
0f22c1c772. I have fixed the regression
and added a test to prevent future occurance.
Fixes: #27491
Signed-off-by: Brent Baude <bbaude@redhat.com>
