keyctl is in ALLOW by default and `socket` should not always be ALLOW,
per @giuseppe.
This change removes seccomp.json customizations and we'll use the
distro's default seccomp profile.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>

This API is not used anywhere, as such remove it and make the loop in
NewNS() better as the netns dir parts should not be part of the loop.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

The new API should replace the logic from Podman's setupNetNS() which
did several things incorrectly. First and foremost it never bind mounted
the netns dir causing problems when the netns dir was later bind mounted
duplicating the netns mounts on different parents which then caused all
unmount attempts to fail[1].
Also the Podman code did never check for conflicts so we may end up
overwriting an existing netns (super unlikely as we use 16 random bytes
but still). At the very least it duplicates the name logic for no reason
there so having this all here makes much more sense.
Of course we still have to port podman over to this new API.
[1] https://issues.redhat.com/browse/RHEL-59620
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

There are some rather bad problems when we bind mount over multiple
times, this is a rather small race but can happen. In order to avoid
this take an exclusive lock like ip netns add does because they create
the same bind mount setup. As such we will not race against other podman
processes or ip netns add which is a good thing.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

For artifact support, the copier needs to get all tags; as such, we need
to pass in the correct value for ImageListSelection.
Signed-off-by: Brent Baude <bbaude@redhat.com>

To support artifact handling, we need to export some of the methods for
copier. The Copy and Close methods have been exported. In addition, a
new constructor that is exported was created so we could introduce a
different SystemContext for artifacts.
Signed-off-by: Brent Baude <bbaude@redhat.com>

if the system is running on cgroup v2, ignore the ownership of cgroup
v1 controllers when the current process is at the root cgroup.
Closes: https://github.com/containers/podman/issues/23990
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

ELN is kind of a midway between Fedora and RHEL, so it's best to mention
ELN jobs separately. This will also allow reusing fedora targets using
YAML anchors for TMT tests.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>

Packit now has sidetag support for adding multiple builds into a single
bodhi update.
Since we release c/common, skopeo, buildah and podman often
almost simultaneously, we should release them to Fedora in a single
bodhi update using sidetags so all builds can be tested together.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>

writing to cgroup.subtree_control can fail with ENOENT either if the
file itself doesn't exist, or a specified controller is not available.
Try to detect the reason and improve the error message.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

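The ENOENT disambiguation described in the commit above, as an added example in Go that is not c/common's own code: WriteSubtreeControl and ExplainENOENT are hypothetical names, and the only assumption about the layout is the standard cgroup v2 one, where cgroup.controllers sits beside cgroup.subtree_control in the same directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// WriteSubtreeControl enables the requested controllers in dir/cgroup.subtree_control.
// The kernel answers ENOENT both when the file is absent and when a named controller
// is not available, so an ENOENT is refined into a message saying which it was.
// (Added example, not c/common code.)
func WriteSubtreeControl(dir string, controllers []string) error {
	// No O_CREATE: a missing file must surface as ENOENT rather than be created.
	f, err := os.OpenFile(filepath.Join(dir, "cgroup.subtree_control"), os.O_WRONLY, 0)
	if err == nil {
		_, err = f.WriteString("+" + strings.Join(controllers, " +"))
		f.Close()
	}
	if err == nil || !errors.Is(err, os.ErrNotExist) {
		return err
	}
	return ExplainENOENT(dir, controllers, err)
}

// ExplainENOENT tells a missing cgroup.subtree_control apart from a requested
// controller that is not listed in dir/cgroup.controllers.
func ExplainENOENT(dir string, requested []string, cause error) error {
	if _, err := os.Stat(filepath.Join(dir, "cgroup.subtree_control")); err != nil {
		return fmt.Errorf("%s has no cgroup.subtree_control (not a cgroup v2 directory?): %w", dir, cause)
	}
	data, err := os.ReadFile(filepath.Join(dir, "cgroup.controllers"))
	if err != nil {
		return cause // cannot say more than the original error
	}
	available := map[string]bool{}
	for _, c := range strings.Fields(string(data)) {
		available[c] = true
	}
	var missing []string
	for _, c := range requested {
		if !available[c] {
			missing = append(missing, c)
		}
	}
	if len(missing) == 0 {
		return cause
	}
	return fmt.Errorf("controller(s) %s not available in %s/cgroup.controllers: %w", strings.Join(missing, ", "), dir, cause)
}
```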
The deadline option was renamed to timeout and I see 1m timeouts in CI
so I think the option isn't working there.
Also remove the core limit, by default it uses all cores and there is no
reason to limit that really.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

storage.conf has been updated upstream so the config files update script
needs to account for that.
Ref: https://github.com/containers/storage/pull/2066
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>

Contains fixes for new linters, removed deprecated and removed linters
from the config.
Most notably because we use go 1.22 now we can get rid of the copy for
loop vars[1]. Also, as of go 1.22 we can use the new int range syntax
in for loops; the new intrange linter checks that.
[1] https://go.dev/blog/loopvar-preview
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

For the pasta network mode we now use --map-guest-addr which means we
have a specific ip that we want to use as host.containers.internal
address. I first thought we could handle it in podman but that doesn't
work as the containers.conf option must have a higher priority.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

GetHostContainersInternalIP() is no longer called in podman or buildah
as they use GetHostContainersInternalIPExcluding(). I need to add a new
option so change the function to accept the parameters as struct so we
do not have to break the API every time we add a new parameter.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>