Add a new `no-dereference` mount option supported by crun 1.11+ to
re-create/copy a symlink if it's the source of a mount. By default the
kernel will resolve the symlink on the host and mount the target.
As reported in #20098, there are use cases where the symlink structure
must be preserved by all means.
Fixes: #20098
Fixes: issues.redhat.com/browse/RUN-1935
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Bump Buildah to v1.33.1 to get a CVE fix for Buildkit.
I thought it was also going to drag in the test fix as
mentioned in #20709, but I'm not seeing that here.
[NO NEW TESTS NEEDED]
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
As the title says. This is the last dance step in preparation
for Podman v4.8.
[NO NEW TESTS NEEDED]
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
All `[]string`s in containers.conf have now been migrated to attributed
string slices which require some adjustments in Buildah and Podman.
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This change is the first step of integrating appendable string arrays
into containers.conf and starts with enabling the `Env`, `Mounts`, and
`Volumes` fields in the `[Containers]` table.
Both, Buildah and Podman, read (and sometimes write) the fields of the
`Config` struct at various places, so I decided to migrate the fields
step-by-step. The ones in this change are most critical ones for
customers. Once all string slices/arrays are migrated, the docs of
containers.conf will be updated. The current changes are entirely
transparent to users.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
libimage did not walk thte layers correctly which was probably
inherited by old Podman code. Fix that by vendoring in the
corresponding changes in c/common.
Fixes: #20375
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
As requested in containers/podman/issues/20000, add a `privileged` field
to the containers table in containers.conf. I was hesitant to add such
a field at first (for security reasons) but I understand that such a
field can come in handy when using modules - certain workloads require a
privileged container.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The id, digest, and intermediate filters were broken
for podman images. Fix to match on substrings instead of
the whole string for id and digest. Add the intermediate value
correctly when set.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
The processing and setting of the static and volume directories was
scattered across the code base (including c/common) leading to subtle
errors that surfaced in #19938.
There were multiple issues that I try to summarize below:
- c/common loaded the graphroot from c/storage to set the defaults for
static and volume dir. That ignored Podman's --root flag and
surfaced in #19938 and other bugs. c/common does not set the
defaults anymore which gives Podman the ability to detect when the
user/admin configured a custom directory (not empty value).
- When parsing the CLI, Podman (ab)uses containers.conf structures to
set the defaults but also to override them in case the user specified
a flag. The --root flag overrode the static dir which is wrong and
broke a couple of use cases. Now there is a dedicated field for in
the "PodmanConfig" which also includes a containers.conf struct.
- The defaults for static and volume dir and now being set correctly
and adhere to --root.
- The CONTAINERS_CONF_OVERRIDE env variable has not been passed to the
cleanup process. I believe that _all_ env variables should be passed
to conmon to avoid such subtle bugs.
Overall I find that the code and logic is scattered and hard to
understand and follow. I refrained from larger refactorings as I really
just want to get #19938 fixed and then go back to other priorities.
https://github.com/containers/common/pull/1659 broke three pkg/machine
tests. Those have been commented out until getting fixed.
Fixes: #19938
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This PR is a mishmash of updates needed so that the hyperv provider can
begin to passd the machine e2e tests.
Summary as follows:
* Added custom error handling for machine errors so that all providers
can generate the same formatted error messages. The ones implemented
thus far are needed for the basic and init tests. More will come as
they are identified.
* Vendored new libhvee for better memory inspection. The memory type
changed from uint32 to uint64.
* Some machine e2e tests used linux-specific utilities to check various
error conditions and messages (like pgrep). Those were made into
functions and implemented on an operating system level.
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
Small fixes for bugs in the hyperv code that were made obvious when
manually preparing to run pkg/machine/e2e with windows and hyperv.
Also includes vendoring a new libhvee and solves bug where json config
was not being removed.
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
When pulling from an OCI source, make sure to preseve the optional name.
For instance, a podman pull oci:/tmp/foo:quay.io/foo/bar:latest should
pull the image and name it quay.io/foo/bar:latest.
While at it, also fix a bug when pulling an OCI without the optional
name. Previously, we used the path to name the image which will error in
most cases due to invalid characters (e.g., capital ones). Hence, apply
the same trick as for the dir transport and generate a sha.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
... by updating for a c/common API change.
[NO NEW TESTS NEEDED]: Only moves unchanged code,
should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
this version of libhvee contains fixes related to machine stop required
for windows hyperv
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
