Handle a race condition in the REST API when listing networks.
In between listing all containers and inspecting them, they may have
already been removed, so handle this case gracefully.
[NO NEW TESTS NEEDED] as it's a race condition.
Fixes: #17341
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add missing return after utils.Error(),
utils.InternalServerError(), utils.BadRequest().
[NO NEW TESTS NEEDED]
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
Add support for disabeling SELinux process separation in the container.
Add support for setting the process type of the container.
Add support for setting the process MCS level of the container.
Add support for setting the file type of the container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
when using --userns=auto or --userns=pod, we should bind mount /sys
from the host instead of creating a new /sys in the container,
otherwise we rely on the fallback provided by crun, which might not be
available in other runtimes.
Also, in the last version of crun the fallback is stricter than it
used to be before and it uses a recursive bind mount through the new
mount API. That can be missing on old kernel.
Closes: https://github.com/containers/crun/issues/1131
[NO NEW TESTS NEEDED] to trigger the failure, we need a specific
combination of kernel, libc and OCI runtime.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
copy the current mapping into a new user namespace, and run into a
separate user namespace.
Closes: https://github.com/containers/podman/issues/17337
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Also update to c/image after https://github.com/containers/image/pull/1821 ,
so that we don't ship two versions of the package simultaneously.
[NO NEW TESTS NEEDED]
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The function which generates and assigns a random
port number for the --publish-all functionality
was not properly marking some ports as "used".
In very rare occasions this can cause a randomly
"generated" port to be used twice creating an
impossible container configuration.
Signed-off-by: telday <ellis.wright@cyberark.com>
This should never happen with a consistent client/server,
and we are seeing this show up with some hard-to-diagnose flakes.
So, log details about failures. After we find the cause, we might remove
this extra logging again.
[NO NEW TESTS NEEDED]
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Only assume that http(s) scheme URLs (only ones supported by http.Client anyway) are URLs.
Treat everything else as a file path. (Windows paths can look like a URL scheme)
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
As @mheon pointed out in PR #17055[^1], isVirtualConsoleDevice() does
not only matches VT device paths but also devices named like
/dev/tty0abcd.
This causes that non VT device paths named /dev/tty[0-9]+[A-Za-z]+ are
not mounted into privileged container and systemd containers accidentally.
This is an unlikely issue because the Linux kernel does not use device
paths like that.
To make it failproof and prevent issues in unlikely scenarios, change
isVirtualConsoleDevice() to exactly match ^/dev/tty[0-9]+$ paths.
Because it is not possible to match this path exactly with Glob syntax,
the path is now checked with strings.TrimPrefix() and
strconv.ParseUint().
ParseUint uses a bitsize of 16, this is sufficient because the max
number of TTY devices is 512 in Linux 6.1.5.
(Checked via 'git grep -e '#define' --and -e 'TTY_MINORS').
The commit also adds a unit-test for isVirtualConsoleDevice().
Fixes: f4c81b0aa5 ("Only prevent VTs to be mounted inside...")
[^1]: https://github.com/containers/podman/pull/17055#issuecomment-1378904068
Signed-off-by: Fabian Holler <mail@fholler.de>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
(podman push) and (podman manifest push) now support --sign-by-sigstore=param-file,
using the containers-sigstore-signing-params.yaml(5) file format.
That notably adds support for Fulcio and Rekor signing.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
If podman is the default wsl distribution, the (default) string is appended and result is assigned false.
[NO NEW TESTS NEEDED]
Fixes#17227
Signed-off-by: shblue21 <jihunkimkw@gmail.com>
The Device, Type, Copy and Options keys are now supported in
quadlet .volume files. This allows users to create filesystem
based volumes with quadlets .volume files.
Signed-off-by: Ingo Becker <ingo@orgizm.net>
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Loading container states speed things up when listing all containers but
it comes with a price tag for many other call paths. Hence, make
loading the state conditional to allow for keeping `podman ps` fast
without other commands regressing in performance.
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Also do not return (and immediately suppress) an error if no health
check is defined for a given container.
Makes listing 100 containers around 10 percent faster.
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The network functions popped up in the CPU profiles when listing 2042
containers. Not a very realistic or common use case but a nice way to
get something on the CPU profiles.
Listing 2042 containers now runs 1.54 times faster.
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Small amount of refactoring to make WSL specific stuff into the WSL
package where possible. This is in preparation for the possibility of
adding more virtualization backends.
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
The user is only reading the config, so creating a copy turns out to be
extremely expensive. With this change, listing containers is 1.39 times
faster than before.
[NO NEW TESTS NEEDED] as it is not a functional change.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
OpenShift Merge Robot