Commit Graph

7079 Commits

Author SHA1 Message Date
Paul Holzinger
e71ded2997 pkg/machine/e2e: set XDG_CONFIG_HOME
This is basically a partial backport of commit b14e833ef6
("machine: add test to check config mount").

It seems on the ubuntu github actions runners we have XDG_CONFIG_HOME
set so the tests do not actually use its own private dir but a shared
one for the configs which breaks the test assumptions.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-05 13:28:12 +02:00
Paul Holzinger
ab71275a6d pkg/bindings/generator: fall back to golangci-lint from $PATH
Commit cf021c4ba9 switched the logic to also allow golangci-lint in
$PATH but forgot to update the call here.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 13c6b5d786)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:24 +02:00
Kir Kolyshkin
405451792d Remove unused nolint annotations
The interfacer linter was removed a few years ago.

Remove the annotations as well.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit a7886d1fe8)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 19:38:16 +02:00
Kir Kolyshkin
a94d273a8f Replace os.Is* error checks with errors.Is
Using os.Is{Exist,NotExist,Permission} checks is not recommended in the
new code (see official documentation). While using it in the existing
code is OK, it may still result in a subtle errors later (for a specific
example of that, see [1]).

Replace those with errors.Is.

Generated by:

	gofmt -r 'os.IsExist(a) -> errors.Is(a, os.ErrExist)' -w .
	gofmt -r 'os.IsNotExist(a) -> errors.Is(a, os.ErrNotExist)' -w .
	gofmt -r 'os.IsPermission(a) -> errors.Is(a, os.ErrPermission)' -w .
	goimports -w .
	git diff vendor test/tools/vendor | patch -p1 -R

[1]: https://github.com/opencontainers/runc/pull/5061
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 7f7b35356f)

[Added extra replacements manually that were only in the 5.8 tree]

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 19:38:16 +02:00
Paul Holzinger
6cffe93d88 hyperV: fix powershell path escape
To avoid special chars from being interpreted.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 571c842bd3)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-04-13 19:06:26 +02:00
Paul Holzinger
add385e31c bindings: artifact extract reject invalid names
The server already does validate this so this is not strictly needed and
the client must trust the server no matter what.

But adding an extra check here does not hurt and may help prevent future
bugs.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 12bec19426)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-04-09 14:23:52 +02:00
Paul Holzinger
a49ad4be81 use chrootarchive over plain archive package
Just as additional hardening.

Note chrootarchive does not work on macos/windows, in that case it still
falls back to the regular pkg/archive.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 25aee24cbd)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-04-09 14:23:52 +02:00
Paul Holzinger
92cd24903f fix symlink handling in checkpoint restore
Under normal circumstances this is not a problem as the archive file
created podman container checkpoint will no create symlinks.
However if a user passes a custom archive they could contain symlinks
that point outside our root. To resolve them within the root use
securejoin.

Note this is not a security problem because the full archive must be
trusted by a user to begin with as it contain the full container config.

Fixes: #27977

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit abb5120624)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-04-09 14:23:52 +02:00
Paul Holzinger
0fa3043415 add missing O_CLOEXEC to open calls
The go std os package to will always make sure to use O_CLOEXEC, however
in cases where we directly call unix.Open() we need to pass that flag
explicitly.

I looked at this as there was a report of a leaked fd on the pasta list,
though I am not sure this will address it.

But anyway doing this should be rather safe and avoid leaks into other
processes.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit d20933df02)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-04-09 14:23:52 +02:00
Jan Rodák
9c262736e4 Fix Quadlet Lookup() stripping unmatched quotes
Fixes: https://github.com/containers/podman/issues/28409

Signed-off-by: Jan Rodák <hony.com@seznam.cz>
(cherry picked from commit cf6404f387)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-04-09 14:23:52 +02:00
Joe Doss
e9fe245626 Fix shell driver DriverOpts cross-contamination in secret creation
When creating a secret with driver=shell via the API, the file driver's
default DriverOpts (including path) were applied because DriverOpts was
empty. The shell driver rejects path as an unknown option, making it
impossible to create shell-driver secrets via the REST API or
podman-remote.

Only apply default DriverOpts from config when the requested driver
matches the configured default driver.

Signed-off-by: Joe Doss <joe@solidadmin.com>
(cherry picked from commit 667f55c2ce)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-04-09 14:23:51 +02:00
Jan Rodák
15a2a7d605 Remote build: nTar secrets with relative paths and ignore bypass
When `podman-remote` tars the context, extra `podman-build-secret*` paths were
either dropped by `.dockerignore` (#25314) or archived as absolute paths so
`COPY . .` pulled host-shaped trees into the image (#28334).

Use relative names under the primary context for extra sources and do not apply
`.dockerignore` to those forced entries.

Fixes: https://github.com/containers/podman/issues/25314
Fixes: https://github.com/containers/podman/issues/28334

Signed-off-by: Jan Rodák <hony.com@seznam.cz>
(cherry picked from commit e18bb9ea8b)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-04-09 14:23:51 +02:00
crawfordxx
e5fe3fdf69 api: fix missing return after error in SystemCheck handler
In the SystemCheck HTTP handler, when parsing the
unreferenced_layer_max_age query parameter fails, the error response is
sent but execution continues to `unreferencedLayerMaximumAge = &duration`
where `duration` is the zero value. This causes the system check to run
with a zero duration instead of returning the 400 error to the client.

Add the missing `return` after the error response.

Fixes #28350

Signed-off-by: crawfordxx <crawfordxx@users.noreply.github.com>
(cherry picked from commit 29d80a26af)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-04-09 14:23:51 +02:00
umut-polat
7f37fbd6af quadlet: allow empty Entrypoint to clear image default
Setting Entrypoint= (empty value) in a quadlet .container file should
produce --entrypoint "" in the generated podman command, which clears
the image's default entrypoint. Previously this was silently ignored
because lookupAndAddString skips empty values.

Move the Entrypoint key out of the generic stringKeys map and handle
it separately so that an empty value is passed through.

Closes #28213

Signed-off-by: umut-polat <52835619+umut-polat@users.noreply.github.com>
(cherry picked from commit 926f562bd5)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-04-09 13:41:52 +02:00
Jan Rodák
fcc6ae217c [v5.8] Fix unless-stopped containers not restarting after ...
`podman-restart.service` stop them

When `podman-restart.service` stops containers, it marks them as "stopped by
user" which breaks the `unless-stopped` restart policy. Add hidden
`--not-stopped-by-user` flag to prevent this, allowing `unless-stopped`
containers to restart on next boot.

Fixes: https://github.com/containers/podman/issues/28152
Fixes: https://issues.redhat.com/browse/RUN-4357

Cherry pick fixes: https://redhat.atlassian.net/browse/RHEL-157746, https://redhat.atlassian.net/browse/RHEL-157747

Signed-off-by: Jan Rodák <hony.com@seznam.cz>
(cherry picked from commit 7326b862e3)
Signed-off-by: Tom Sweeney <tsweeney@redhat.com>
2026-03-19 19:40:30 -04:00
Ashley Cui
649c074bf5 Merge pull request #28042 from mheon/backports_580_rc1
Backports and release notes for v5.8.0-RC1
2026-02-09 20:10:48 -05:00
Paul Holzinger
6bec23fd04 Merge pull request #27660 from mheon/58_migrate_db
[v5.8] Add migration code for BoltDB to SQLite
2026-02-09 16:06:57 +01:00
ZuhairM7
4e3dd47967 bindings: fix handling of env secrets in remote builds
Previously, using --secret=id=foo,env=BAR in remote mode would fail because the client sent the env var name to the server, which tried to resolve it locally. This patch modifies the client to resolve the environment variable locally, write it to a temp file, and send it as a file-based secret.

Fixes #27494

Signed-off-by: ZuhairM7 <ZuhairM7>
Signed-off-by: ZuhairM7 <zuhairmerali@gmail.com>
2026-02-06 15:36:47 -05:00
Jan Rodák
86b6c75cef Fix unless-stopped restart policy to match Docker behavior
- Update documentation: Differentiate `unless-stopped` from `always` - containers stopped by the user before a reboot will not restart.
- Add `should-start-on-boot` filter: Identify containers that require a restart after a system reboot.
- Update command documentation: Add `restart-policy` and `label!` filters to the documentation for container commands (rm, ps, start, stop, pause, unpause, restart).
- Add `restart-policy` and `shoud-start-on-boot` to completions.
- Update service: Update `podman-restart.service` to use the `needs-restart=true` filter.
- Preserve state: Preserve the `StoppedByUser` state across reboots.
- Update API: Add a `ShouldStartOnBoot()` method to the Container API.
- Update documentation: Add descriptions for the `should-start-on-boot` filter.

Fixes: https://issues.redhat.com/browse/RHEL-129405
Fixes: https://github.com/containers/podman/issues/20418

Signed-off-by: Jan Rodák <hony.com@seznam.cz>

<MH: Fixed cherry-pick conflicts>

Signed-off-by: Matt Heon <matthew.heon@pm.me>
2026-02-06 15:36:47 -05:00
0xdvc
35c602bfbb fix: improve userns validation when joining pods
- remove old CLI validation that only checked --pod flag
- add validation in namespaces.go to catch all paths (cli, quadlet, api)
- block userns mixing for all pods with infra, not just ipc/net
- update error message to be clearer
- fix test cleanup to use PodmanExitCleanly()
- use dynamic pod names in system tests to avoid conflicts

fixes #26848

Signed-off-by: 0xdvc <neilohene@gmail.com>

<MH: Fixed cherry-pick conflicts>

Signed-off-by: Matt Heon <matthew.heon@pm.me>
2026-02-06 15:36:47 -05:00
Vyacheslav Bespalov
d6c79580f8 [Fixes: #27571] Fix 'shouldResolveWinPaths' returning 'false' on Windows
Signed-off-by: Vyacheslav Bespalov <vbespalov@ptsecurity.com>
2026-02-06 15:36:47 -05:00
axel7083
243b623629 fix(api/compat): typo in the remove secret handle
Fixes https://github.com/containers/podman/issues/27548

Signed-off-by: axel7083 <42176370+axel7083@users.noreply.github.com>
2026-02-06 15:36:47 -05:00
Aaron Ang
8423b3bbd0 Clamp rootless rlimits to host on format
Signed-off-by: Aaron Ang <aaron.angyd@gmail.com>

<MH: Fixed cherry-pick conflicts>

Signed-off-by: Matt Heon <matthew.heon@pm.me>
2026-02-06 15:36:47 -05:00
Aaron Ang
58a15f1500 Add ulimits to podman update API
Signed-off-by: Aaron Ang <aaron.angyd@gmail.com>

<MH: Fixed cherry-pick conflicts>

Signed-off-by: Matt Heon <matthew.heon@pm.me>
2026-02-06 15:36:47 -05:00
ryanmccann1024
484858710c feat(exec): Add --no-session flag for improved performance
Fixes: #26588

For use cases like HPC, where `podman exec` is called in rapid succession, the standard exec process can become a bottleneck due to container locking and database I/O for session tracking.

This commit introduces a new `--no-session` flag to `podman exec`. When used, this flag invokes a new, lightweight backend implementation that:

- Skips container locking, reducing lock contention
- Bypasses the creation, tracking, and removal of exec sessions in the database
- Executes the command directly and retrieves the exit code without persisting session state
- Maintains consistency with regular exec for container lookup, TTY handling, and environment setup
- Shares implementation with health check execution to avoid code duplication

The implementation addresses all performance bottlenecks while preserving compatibility with existing exec functionality including --latest flag support and proper exit code handling.

Changes include:
- Add --no-session flag to cmd/podman/containers/exec.go
- Implement lightweight execution path in libpod/container_exec.go
- Ensure consistent container validation and environment setup
- Add comprehensive exit code testing including signal handling (exit 137)
- Optimize configuration to skip unnecessary exit command setup

Signed-off-by: Ryan McCann <ryan_mccann@student.uml.edu>
Signed-off-by: ryanmccann1024 <ryan_mccann@student.uml.edu>
2026-02-06 15:36:47 -05:00
flouthoc
790f21d355 quadlet install: multiple quadlets from single file should share app
Quadlets installed from `.quadlet` file now belongs to a single
application, anyone file removed from this application removes all the
other files as well.

Assited by: claude-4-sonnet

Signed-off-by: flouthoc <flouthoc.git@gmail.com>
2026-02-06 15:36:47 -05:00
flouthoc
ed79cdfd6a quadlet: add support for multiple quadlets in a single file
Enable installing multiple quadlets from one file using '---' delimiters.
Each section requires '# FileName=<name>' comment for custom naming.
Single quadlet files remain unchanged for backward compatibility.

Assited by: claude-4-sonnet

Signed-off-by: flouthoc <flouthoc.git@gmail.com>
2026-02-06 15:36:47 -05:00
xiaolinny
e8c334f3cb chore: fix the inconsistent method names in the comments
Signed-off-by: xiaolinny <xiaolincode@outlook.com>
2026-02-06 15:36:47 -05:00
Alessandro Verzicco
d45377c6c8 Ignore auth header with empty JSON object
Signed-off-by: Alessandro Verzicco <152161683+alessandro-verzicco@users.noreply.github.com>
2026-02-06 15:36:47 -05:00
Byounguk Lee
f1dcf63a91 Fixes #27421 aritfact push and pull with authfile
Signed-off-by: Byounguk Lee <nimdrak@gmail.com>
2026-02-06 15:36:47 -05:00
shiavm006
87bb060531 Fix remote client rejecting empty --detach-keys string
The remote client (podman --remote) was incorrectly throwing an error
when --detach-keys="" was specified for attach, run, or start commands.
According to documentation and the v1.7.0 release notes, specifying an
empty string should disable detaching, not cause an error.

Fixes: #27414

Signed-off-by: shiavm006 <shivammittal42006@gmail.com>
2026-02-06 15:36:47 -05:00
Dmitry Konishchev
8b8390522b Escape RequiresMountsFor value
Signed-off-by: Dmitry Konishchev <konishchev@gmail.com>
2026-02-06 15:36:47 -05:00
Lewis Denny
f76be2a94d [play_kube] Add validation to container image field
Fixes: #27784

Signed-off-by: Lewis Denny <lewisdenny@me.com>
2026-02-06 15:36:47 -05:00
shiavm006
6c1378be44 extract shared TTY handling code into helper function
Signed-off-by: shiavm006 <shivammittal42006@gmail.com>
2026-02-06 15:36:47 -05:00
MayorFaj
8eacbd8464 fix: correct env/envFrom precedence in kube play
Fixes: #27287

Signed-off-by: MayorFaj <mayorfaj@gmail.com>
2026-02-06 13:46:37 -05:00
Gregor Dschung
9e965498aa Fix interfering escaping of commas and spaces in no_proxy variable
Signed-off-by: Gregor Dschung <gregor@chkpnt.de>
2026-02-06 13:46:37 -05:00
Gregor Dschung
4ea22f1b29 Write DefaultEnvironment proxy values to /etc/systemd/user.conf.d/default-env.conf
Otherwise, the proxy values aren't passed to rootless podman.

Signed-off-by: Gregor Dschung <gregor@chkpnt.de>
2026-02-06 13:46:37 -05:00
Gregor Dschung
0e4dc26c05 Fix test proxyenv/env_test.go for systems that use proxy variables
Signed-off-by: Gregor Dschung <gregor@chkpnt.de>
2026-02-06 13:46:37 -05:00
Mayowa Fajobi
eb118bafb4 Fix healthcheck argument with spaces split in Docker API (#27818)
Fixes: #26519

Signed-off-by: MayorFaj <mayorfaj@gmail.com>
2026-02-06 13:46:37 -05:00
givensuman
0747179589 Add AppArmor key to quadlet .container files
Fixes: #27095
Signed-off-by: givensuman <givensuman@duck.com>
2026-02-06 13:46:36 -05:00
MayorFaj
dac1e82710 fix(logs): add tests for nanosecond precision in log timestamps
Signed-off-by: MayorFaj <mayorfaj@gmail.com>
2026-02-06 13:46:36 -05:00
MayorFaj
d3bda38309 fix(logs): improve timestamp precision in container logs
Signed-off-by: MayorFaj <mayorfaj@gmail.com>
2026-02-06 13:46:36 -05:00
Colin Walters
06fe9b21c1 Fix missing newlines in stderr error messages
I happened to run `podman run --config=/path/to/file` and got
an error without a trailing newline, which was a bit jarring.

Fix the instances I noticed.

Assisted-by: OpenCode (Claude Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
2026-02-06 13:46:36 -05:00
Matt Heon
b320fbcaff Add migration code for BoltDB to SQLite
This is gated behind a new option in `podman system migrate`,
`--migrate-db`.

The basic logic is simple:
* Podman is already configured to use BoltDB
* Open a new, fresh SQLite database to write into
* Migrate all database contents as they exist in BoltDB, to
  SQLite.
** Do this as simply as possible: grab the object from the old DB
   and write it into the new DB using the standard Add and Save
   functions.
* Set the new database in the Runtime, close the old one.
* Move the old database file so it won't be reused
* Show a warning if the user explicitly configured BoltDB in
  containers.conf

Our ability to test complex migration scenarios is limited, but
this should handle simple migrations easily.

Fixes #27628

Signed-off-by: Matt Heon <matthew.heon@pm.me>
2026-02-05 20:09:37 -05:00
Jan Rodák
7ae6813dfc [v5.8] artifact: Skip AddLocal optimization on WSL
The local API path optimization is ineffective on WSL because of NTFS mounting overhead.

Signed-off-by: Jan Rodák <hony.com@seznam.cz>
(cherry picked from commit d889aeb6af)
2026-02-05 19:33:51 +01:00
Jan Rodák
3918d4ca75 [v5.8] Require absolute path for local API
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
(cherry picked from commit 2f7094c0de)
2026-02-05 19:33:51 +01:00
Jan Rodák
6465c07d21 [v5.8] Add local artifact add API endpoint
Fixes: https://issues.redhat.com/browse/RUN-3385
Fixes: https://github.com/containers/podman/issues/26321

Signed-off-by: Jan Rodák <hony.com@seznam.cz>
(cherry picked from commit 91af437471)
2026-02-05 19:33:46 +01:00
Nicola Sella
bae88e1e5e Add GET /quadlets/{name}/exists
Fixes: https://issues.redhat.com/browse/RUN-4068

Signed-off-by: Nicola Sella <nsella@redhat.com>
2026-02-05 14:56:03 +01:00
Nicola Sella
d6023e431f Add DELETE /libpod/quadlets
Fixes: https://issues.redhat.com/browse/RUN-3742

Signed-off-by: Nicola Sella <nsella@redhat.com>
2026-02-05 14:55:46 +01:00
Nicola Sella
f2fcc7f09c Add POST /libpod/quadlets
Fixes: https://issues.redhat.com/browse/RUN-3743

Signed-off-by: Nicola Sella <nsella@redhat.com>
2026-02-05 14:53:34 +01:00