For ConfigMap and Secret kube play volumes podman populates the data
from the yaml. However the volume content is not controlled by us and we
can be tricked following a symlink to a file on the host instead.
Fixes: CVE-2025-9566
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We already used `x` in tmpfiles, to ensure systemd did not remove
our directories or clean their contents (we really need them to
be left unmodified). However, systemd-tmpfiles lets us use more
than one directive per line, which means we can safely add an R!
(recursive remove on reboot) to these lines to ensure that, if
/tmp is not a tmpfs, systemd-tmpfiles will still remove our
temporary files, ensuring reboots are still accurately detected.
Signed-off-by: Matt Heon <mheon@redhat.com>
For podman build --squash is different from the buildah bud --squash
option, in podman it must use --squash-all.
Fixes: #26906
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The `cleanupExecBundle` function was only meant to be called on a
locked container, as it does some state mutation operations. It
also has a timed wait (if the directory is busy and can't be
removed yet, give it a few milliseconds) in which it deliberately
yields the lock to not block the container for that time.
The `healthCheckExec()` function calls `cleanupExecBundle` out of
a `defer` block. This is after the `defer c.lock.Unlock()` so it
fires afterwards when the function returns, so we're normally
fine - the container is still locked when our defer runs. The
problem is that `healthCheckExec()` also unlocks the container
during the expensive exec operation, and can actually fail and
return while not holding the lock - meaning our `defer` can fire
on an unlocked container, leading to a potential double unlock
in `cleanupExecBundle`.
We could, potentially, re-lock the container after the exec
occurs, but we're actually waiting for a `select` to trigger to
end the function, so that's not a good solution. Instead, just
re-lock (if necessary) in the defer, before invoking
`cleanupExecBundle()`. The `defer c.lock.Unlock()` will fire
right after and unlock after us.
Fixes#26968
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Without this the corss binaries will never get rebuild until the user
manually deletes them which is not very useful.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This reverts commit c45b27ffb0.
This commit was just wrong, local-cross depends on this target as it
calls a target like "bin/podman.cross.linux.amd64". Without this it is
just broken as there is no matching target.
$ make bin/podman.cross.linux.amd64
make: *** No rule to make target 'bin/podman.cross.linux.amd64'. Stop.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The distro-integration tag was added for fedora openQA to only run a
subset of tests. However since it was added only a few new tests have
been labelled like that and in general a normal contributor or even
maintianer has no idea when to add this tag.
We also have been seeing several regressions getting into fedora that
these tests would have caught. As such I worked with Adam to enable all
tests for fedora openQA so we actually have proper coverage. This has
been working for a few weeks so I think we can dop these tags so
upstream does not need to bother with them at all.
https://pagure.io/fedora-qa/os-autoinst-distri-fedora/issue/373
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The test pulled a new $IMAGE already because it runs the http server
container. So this doesn't striclty ensure the load works correctly.
Make sure to actually test the load of a different image, so we use
$PODMAN_NONLOCAL_IMAGE_FQN for that like another load test already
does.
I noticed this as the image pull on the webserver start flaked in
a openQA run. Using _prefetch should help to reduce the network pulls
here as it caches the image locally once it is pulled for the first
time.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This is an unnecessary network connection that flakes from time to time.
Spawn our own local server instead and use that. That also allows to
check that the actual file content has been copied.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add support for HttpProxy key in quadlet Container sections to control
proxy environment variable inheritance during image pulls and builds.
- HttpProxy=true enables proxy inheritance (default podman behavior)
- HttpProxy=false disables proxy inheritance
- When omitted, uses podman's default behavior
This addresses the need for declarative proxy configuration in IPv6-only
networks and other scenarios where proxy settings need to be controlled
at the container level without manual workarounds.
Fixes#26925
Signed-off-by: Ondřej Gajdušek <ogajduse@redhat.com>
Starting with runc 1.3.0 it errors when we pass unknown mount options to
the runtime, the copy/nocopy options are specific to podman when we
mount the volume and are not valid mount options for the runtime.
Fixes: #26938
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Starting with runc 1.3.0 it errors when we pass unknown mount options to
the runtime, the volume-opt options are specifc to the volume we create
and should not be passed to the mount in the oci spec.
Fixes: #26938
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The `podman-import` man page already mentions support for zstd
compressed tarball support but the cli output didn't.
Signed-off-by: Jelle van der Waa <jvanderwaa@redhat.com>
