when the code was first added, there was no securejoin.OpenInRoot().
Since there is a function already provided by a dependency and already
used in libpod, replace the custom code with securejoin.OpenInRoot().
The new version does not report a symlink that points outside the
root, but it is still resolved relative to the specified mountpoint,
since that is the openat2 semantic. It does not affect the security
of the function.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Includes one minor test fix as the line number reported as error was
changed, it seems to be actually correct now.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Even though this is tardy, here is an update reflecting milestones and
features for 1Q25.
Fixes https://issues.redhat.com/browse/RUN-2447
Signed-off-by: Brent Baude <bbaude@redhat.com>
Giuseppe is working on some proper fixes, for now in order to get this
moved along skip it so we can merge the disk usage fix.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Our calculation is just wrong and the way the entire API is designed it
cannot work. This is the same interface as docker is using and they have
the same bug there. So simply document this as known problem, in case
users complain we at least have something to point to.
An actual fix might be possible but not without reworking the full API
and because this is exposed in the docker compat and libpod REST API we
cannot really change it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Fix a bug where SSH-ing into a named Podman Machine (not podman-machine-default)
results in the user being put in the rootless shell if the default system
connection is rootless.
Resolves: https://github.com/containers/podman/issues/25332
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Have one function without a `defer lock.unlock()` as one of the
commands in it calls a function that also takes the same lock,
so the unlock has to happen prior to function completion.
Unfortunately, this is prone to errors, like the one here: I
missed a case, and we could return without unlocking, causing a
deadlock later in the cleanup code as we tried to take the same
lock again.
Refactor the command to use `defer unlock()` to simplify and
avoid any further errors of this type.
Introduced by e66b788a51 - this
should be included in any backports of that commit.
Fixes#25585
Signed-off-by: Matt Heon <mheon@redhat.com>
This is simpler as we don't have to rely on an external command. The
retry loop is need as we check for a container porcess connection, and
while we know podman binds the port before returning there is no way to
know whenthe contianer application bound the port so we must retry a
bit.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
nc can be provided by either ncat (nmap) or netcat (OpenBSD), we only
work with the nmap version so make sure we always use that one and not
the short alias which can be resolved to either one.
It is not clear to me what changed on rawhide but it seemsv netcat is
preferred even though we have nmap-ncat installed.
Note this only changes the host side nc calls, the Alpine based images
only have nc as command so we must continue to use it inside.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
do not run the expensive pmount.GetMounts() function if it is not
needed.
As a follow-up for commit c9c44d400c, do
not restore the propagation flag for the parent mount to shared unless
it was changed to slave first.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
AS pointed out by Valentin on #25491, it is not an actual bug but this
is makes it more clear how it works and should not confuse readers why
this case has no return.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Giuseppe Scrivano
openshift-merge-bot[bot]
renovate[bot]
Raniere Silva
Paul Holzinger
Mario Loriedo
Brent Baude
Yanko Kaneti
Jake Correnti
Matt Heon