Ha ha. This was supposed to be a trivial little followup to #17174:
https://github.com/containers/podman/pull/17174#discussion_r1085963780
(safer username check when --userns=keep-id)
It got complicated. TL;DR we need to use User.Username, not User.Name.
The latter is GECOS! Tests were working because, on Fedora, GECOS
for root is "root". Found and fixed all 'u.Name' instances, but
if there are any references with a variable other than 'u', they
still need looking into.
Signed-off-by: Ed Santiago <santiago@redhat.com>
issues.redhat.com/browse/RHELBU-1918 is mentioning the podman-events man
page which are lacking notes on the verbose create events added by
commit 71f92d263c.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
- ImageCacheDir is hard-coded as "/tmp/podman/imagecachedir".
To avoid this hard-coding, I changed it to "os.TempDir()/imagecachedir".
- Change ImageCacheDir permissions from 0777 to 0700.
This directory should be used by per-user.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
Updated build scripts and installer build scripts to include gvproxy.exe.
Includes tutorial on setting up a Podman VM with QEMU and gvproxy on Windows.
Signed-off-by: Arthur Sengileyev <arthur.sengileyev@gmail.com>
Only assume that http(s) scheme URLs (only ones supported by http.Client anyway) are URLs.
Treat everything else as a file path. (Windows paths can look like a URL scheme)
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
As @mheon pointed out in PR #17055[^1], isVirtualConsoleDevice() does
not only matches VT device paths but also devices named like
/dev/tty0abcd.
This causes that non VT device paths named /dev/tty[0-9]+[A-Za-z]+ are
not mounted into privileged container and systemd containers accidentally.
This is an unlikely issue because the Linux kernel does not use device
paths like that.
To make it failproof and prevent issues in unlikely scenarios, change
isVirtualConsoleDevice() to exactly match ^/dev/tty[0-9]+$ paths.
Because it is not possible to match this path exactly with Glob syntax,
the path is now checked with strings.TrimPrefix() and
strconv.ParseUint().
ParseUint uses a bitsize of 16, this is sufficient because the max
number of TTY devices is 512 in Linux 6.1.5.
(Checked via 'git grep -e '#define' --and -e 'TTY_MINORS').
The commit also adds a unit-test for isVirtualConsoleDevice().
Fixes: f4c81b0aa5 ("Only prevent VTs to be mounted inside...")
[^1]: https://github.com/containers/podman/pull/17055#issuecomment-1378904068
Signed-off-by: Fabian Holler <mail@fholler.de>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add test to verify that updates without a pids-limit specified no longer
overwrite the previous value.
Also fixes erroneous warning generated by remote clients:
"Resource limits are not supported and ignored on cgroups V1 rootless
systems"
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
(podman push) and (podman manifest push) now support --sign-by-sigstore=param-file,
using the containers-sigstore-signing-params.yaml(5) file format.
That notably adds support for Fulcio and Rekor signing.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
In the super rare case that there are two containers with the same ID
for two different users, podman logs with the journald driver would show
logs from both containers.
[NO NEW TESTS NEEDED] Impossible to reproduce.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
I noticed this while running some things in parallel, podman events
would show events from other users. Because all events are written to
the journal everybody can see them. So when we read the journal we must
filter events for only the current UID.
To reproduce run `podman events` as user then in another window create a
container as root for example. After this patch it will correctly ignore
these events from other users.
[NO NEW TESTS NEEDED] I don't think we can test with two users at the same
time.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If rootless, os.RemoveAll() is failed due to permission denied.
Therefore, we use "podman unshare rm" instead of os.RemoveAll().
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
We had a number of references, mostly in docs, to the word master that
can now be changed to main. This PR does that and makes the project a
bit more inclusive.
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
If podman is the default wsl distribution, the (default) string is appended and result is assigned false.
[NO NEW TESTS NEEDED]
Fixes#17227
Signed-off-by: shblue21 <jihunkimkw@gmail.com>
containers/podman/pull/17186 and containers/podman/pull/17201 have been
merged at roughly the same time. Both work fine in isolation but the
new kube test breaks in combination.
Fix the IPC kube test to make CI healthy.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
- Use filepath.Join(podmanTest.TempDir, "any") instead of "/tmp/any"
- Add generatePolicyFile() to avoid the hardcording of "keyPath": "tmp/key.gpg"
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
The Device, Type, Copy and Options keys are now supported in
quadlet .volume files. This allows users to create filesystem
based volumes with quadlets .volume files.
Signed-off-by: Ingo Becker <ingo@orgizm.net>
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Ed Santiago
OpenShift Merge Robot
Valentin Rothberg
Toshiki Sonoda
Arthur Sengileyev
Jason T. Greene
nabbisen
Fabian Holler
Miloslav Trmač
Paul Holzinger
tomsweeneyredhat
Daniel Lublin
shblue21
Lokesh Mandvekar
Ingo Becker