Merge remote-tracking branch 'upstream/podman-5.8' into merge-back#635
mtrmac merged 47 commits into containers:main from
…common-0.66.1 Bump common to v0.66.1
Add a new function to stage additions. This should be used to extract the layer content into a temp directory without holding the storage lock and then under the lock just rename the directory into the final location to reduce the lock contention. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit de050ac) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It is not clear to me when it will hit the code path there, by normal layer creation we always pass a valid parent so this branch is never reached AFAICT. Let's remove it and see if all tests still pass in podman, buildah and others... Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit 1b00a69) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Split out the layer permission gathering from the main create() function so it can be reused elsewhere, see the next commit. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit 3517eba) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add a function to apply the diff into a temporary directory so we can do that unlocked and only rename under the lock. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit d1cc083) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
I cannot see any reason why we should buffer the full tar split content in memory before writing it. That layer is still marked partial at this point and the store is locked so there is no concurrent access either, thus we do not need the atomic rename here. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit 8620f7e) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Split it into multiple functions to make it reusable without having a layer and so that it can be used unlocked, see the following commits. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit 5403dfc) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The extracting of the tar under the store lock is a bottleneck as many concurrent processes might hold the locks for a long time on big layers. To address this, move the layer extraction before we take the locks if possible. Currently this only works when using the overlay driver as the implementation requires driver specific details in order for a rename() to work. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit c443272) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It doesn't seem needed here so don't take it. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit 1cecfee) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
A minor rework to enable more changes in following commits. Note the caller still must hold the layer store locks so ensure we return the layer locked and let the caller unlock instead. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit ba7580b) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Make it reusable for other callers, see next commit. Also while at it remove the dedupeStrings() call, as pointed out by Miloslav the work it is doing is more expensive than just checking the same name several times as it does an O(1) map lookup. Also most callers won't pass duplicated names to begin with. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit f782a73) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The untar can be quite expensive so check for id, name conflicts right away. Also we must populate the idmappings so we extract with the right uids/gids. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit f524d14) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This function was added in commit c577a81 and used by older drivers we no longer support, such as aufs and windows. As such this is dead code and can be removed. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit af19fb6) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It is unused in all drivers now, so it can be removed. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit b37aa04) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We use this type all the time now so make the naming a bit more clear. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit b93f966) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Just be safe based on the review feedback from the PR. containers#378 Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit 3bfe961) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The function is just a redirection to another one so inline it directly as we do not gain anything from the extra indirection. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit e58297d) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Also add a missing sync when we stage to ensure the content was flushed to disk. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit 83dd0eb) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
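The staging pattern the backported commits above describe (extract the layer into a temporary directory while no store lock is held, fsync the result, then take the lock only to check for an id conflict and rename the directory into its final place) as an added Go example. This is not c/storage code: layerStore, stageLayer, writeSynced, syncDir and commitStaged are hypothetical names, an in-memory map stands in for the real layer index, a sync.Mutex stands in for the store lock, and constructed file content stands in for the tar stream.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sync"
)

// layerStore is a hypothetical stand-in for a layer store: a root directory
// and an index of committed layer ids, guarded by a mutex acting as the store lock.
type layerStore struct {
	mu     sync.Mutex
	root   string
	layers map[string]string // layer id -> final directory
}

func newLayerStore(root string) *layerStore { return &layerStore{root: root, layers: map[string]string{}} }

// stagedLayer is layer content extracted into a temporary directory beside
// the store root; nothing references it as a layer yet.
type stagedLayer struct{ dir string }

// stageLayer extracts the (constructed, in-memory) layer content into a temporary
// directory without holding the store lock. Each file and the directory are fsynced,
// and the temp dir lives under root so the later rename stays on one filesystem.
func stageLayer(root string, files map[string][]byte) (*stagedLayer, error) {
	tmp, err := os.MkdirTemp(root, ".staging-")
	if err != nil {
		return nil, err
	}
	for name, data := range files {
		path := filepath.Join(tmp, filepath.FromSlash(name))
		if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
			os.RemoveAll(tmp)
			return nil, err
		}
		if err := writeSynced(path, data); err != nil {
			os.RemoveAll(tmp)
			return nil, err
		}
	}
	if err := syncDir(tmp); err != nil {
		os.RemoveAll(tmp)
		return nil, err
	}
	return &stagedLayer{dir: tmp}, nil
}

// writeSynced writes data to path and flushes it to stable storage before returning.
func writeSynced(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	if _, err := f.Write(data); err != nil {
		return err
	}
	return f.Sync()
}

// syncDir fsyncs a directory so its new entries are durable (Linux semantics).
func syncDir(dir string) error {
	d, err := os.Open(dir)
	if err != nil {
		return err
	}
	defer d.Close()
	return d.Sync()
}

// commitStaged holds the store lock only for the id conflict check and the rename;
// the expensive extraction already happened unlocked. A failed commit discards the staging dir.
func (s *layerStore) commitStaged(id string, st *stagedLayer) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, exists := s.layers[id]; exists {
		os.RemoveAll(st.dir)
		return fmt.Errorf("layer %q already exists", id)
	}
	final := filepath.Join(s.root, id)
	if err := os.Rename(st.dir, final); err != nil {
		os.RemoveAll(st.dir)
		return err
	}
	s.layers[id] = final
	return nil
}

func main() {
	root, _ := os.MkdirTemp("", "layerstore-")
	defer os.RemoveAll(root)
	store := newLayerStore(root)
	st, err := stageLayer(root, map[string][]byte{"etc/hosts": []byte("127.0.0.1 localhost\n")})
	if err == nil {
		err = store.commitStaged("layer1", st)
	}
	fmt.Println("committed:", store.layers["layer1"], "err:", err)
}
```

The id check is repeated under the lock at commit time: a cheap check before extraction (as one of the commits above does for id and name conflicts) only lets a duplicate fail fast, and another writer can still create the same id while the extraction runs unlocked. The rename also only works because the staging directory and the final layer directory are on the same filesystem, which is the driver-specific detail the commit message gives for restricting the feature to the overlay driver.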
skopeo main already moved forward to much newer dependency versions which are not compatible with the current version on this container-libs branch. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
[podman-5.8] backport staged layer creation
Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com> (cherry picked from commit 905f456) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com> (cherry picked from commit 97de24c) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
TryLock should not block when file lock is held by other process and state lock is held by other coroutine which waits for file lock. Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com> (cherry picked from commit 0b25f83) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Also address most troff issues. Not all of them are easy, in particular those manpages with long urls and examples that include digests are difficult to render in traditional manpages. Add troff rendering to the Manpage to surface those troff issues more easily. Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 9c9c17f) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
On musl-based systems, stderr is declared as FILE *const. Referencing stderr directly from Go code (via C.stderr) causes cgo to generate assignment code for a const-qualified pointer, which is invalid C and fails to compile. Both gcc and clang reject the generated code with error messages below:

clang:
> cgo-gcc-prolog:85:9: error: cannot assign to variable '_cgo_r' with const-qualified type 'typeof (_cgo_a->r)' (aka 'struct _IO_FILE *const')
> cgo-gcc-prolog:83:24: note: variable '_cgo_r' declared const here
> cgo-gcc-prolog:88:12: error: cannot assign to non-static data member 'r' with const-qualified type 'FILE *const' (aka 'struct _IO_FILE *const')
> cgo-gcc-prolog:80:15: note: non-static data member 'r' declared const here

gcc:
> cgo-gcc-prolog:85:9: error: assignment of read-only variable '_cgo_r'
> cgo-gcc-prolog:88:12: error: assignment of read-only member 'r'

This patch avoids referencing C.stderr from Go code and instead returns stderr from a small C helper function. This keeps the usage entirely in C and avoids cgo's broken handling for const-qualified global objects. Signed-off-by: Z. Liu <zhixu.liu@gmail.com> (cherry picked from commit 9f3bf57) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Miloslav Trmač <mitr@redhat.com> (cherry picked from commit cdc7019) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Block the socket() syscall with AF_VSOCK to prevent container escapes via VM sockets. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> (cherry picked from commit eaec878) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add a new DockerProxy field to SystemContext that accepts a function for determining proxy URLs dynamically per request. This provides more flexibility than the static DockerProxyURL field, allowing for advanced proxy configurations such as those from httpproxy.Config.ProxyFunc(). Signed-off-by: Pablo Rodriguez Nava <git@amail.pablintino.com> (cherry picked from commit 2cf5727) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: lyp256 <lyp256@qq.com> (cherry picked from commit 1b658a4) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
[podman-5.8] some backports
This patch is directly ported from [1] to resolve the exact same issue mentioned in that pull-request. Why is this patch needed? Because in [2], `FindExecutablePeer()` was replaced with `FindHelperBinary()`, making the fix introduced in [1] no longer effective, resulting in a regression. To resolve the regression [3], `safeEvalSymlinks()` is added to `findBindir()`. The function call stack is now:

```
FindHelperBinary() -> findBindir() -> safeEvalSymlinks()
```

xref:
- ScoopInstaller/Main#6335 (comment)

[1]: containers/podman#25151
[2]: containers/podman#27612
[3]: containers/podman#27763

Signed-off-by: Chawye Hsu <su+git@chawyehsu.com>
[podman-5.8] backport of the fix for `EvalSymlinks` on Windows
Thus begins the vendor dance for Podman v5.8 Bump the version of c/storage in the podman-5.8 branch to v1.62.0 Signed-off-by: Tom Sweeney <tomsweney@redhat.com>
…dance-5.8-1 [podman-5.8] Bump storage to v1.62.0
Bump storage to v1.62.0 in preparation for Podman v5.8 and image v5.39.0 Signed-off-by: Tom Sweeney <tomsweney@redhat.com>
Bump image to v5.39.0 in preparation for Podman v5.8 Signed-off-by: Tom Sweeney <tomsweney@redhat.com>
…dance-5.8-2 [podman-5.8] Bump storage to v1.62.0 in image, bump image to v5.39.0
I stupidly neglected to update go.sum in my last PR, that corrects this. Signed-off-by: Tom Sweeney <tomsweney@redhat.com>
Touch up the last bump of image. I stupidly forgot to run `go mod vendor`. The go.sum file was not included in my last PR, this will create a new tag to include it. Signed-off-by: Tom Sweeney <tomsweney@redhat.com>
We call our release branches podman-x.y now so make sure we cover them as well. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit c028ad0) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
…dance-5.8-3 [podman-5.8] Add missing go.sum and bump image to v5.39.1
Bump c/storage to v1.62.0, c/image to v5.39.1 in preparation for Podman v5.8. Note, there was no vendor directory in the podman-5.8 branch prior, after consulting with @Luap99, I'm leaving it that way. Signed-off-by: Tom Sweeney <tomsweney@redhat.com>
Bump common to v0.67.0 to be included in Podman v5.8 Signed-off-by: Tom Sweeney <tomsweney@redhat.com>
…dance-5.8-5 [podman-5.8] Bump common to v0.67.0
[podman-5.8] github: run validation workflow also on release branches
Merge the release commits back into main so the go modules can correctly resolve that the latest commit on main is newer than the last tag. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The sparse checkout seems to be causing trouble when we merge back the release branch into main, it seems like it is getting the wrong list of commits in the range as it does not have the full history. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Mhh, the commit validation workflow doesn't work (again) for this. It technically has the right merge base but it still has a ton of weird commits in that it should not validate. DCO wise they both don't have it so why only one of them fails is far beyond me here. I guess the reason why it pulls in so many more commits is due to the sparse checkout, I suppose the proper fix is the full checkout of the tree there then so I will try that to see if that makes the test happy.
Packit jobs failed. @containers/packit-build please check.
| ref: ${{ github.event.pull_request.head.sha }} | ||
| fetch-depth: ${{ github.event.pull_request.commits }} | ||
| # Fetch all commits, a sparse checkout with only the commits count in the PR will not result in the right range. | ||
| fetch-depth: 0 |
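Review bot: the comment added above `fetch-depth: 0` calls the old configuration a "sparse checkout", but `fetch-depth` controls how much history is cloned (a shallow clone), while a sparse checkout limits which paths are checked out; rewording it to "a shallow clone with only the PR's commit count will not give the right range" would make the reason for the change accurate for the next reader. It is also worth stating in the same comment that `fetch-depth: 0` fetches the full history of the repository on every run, since that extra clone cost is the trade-off being accepted so the merge base is always present for the commit-range validation.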
I guess the reason why it pulls in so many more commits is due the sparse checkout, I suppose the proper fix is the full checkout of the tree there then so I will try that to say if that makes the test happy.
The EPOCH_TEST_COMMIT logic should restrict us to only the relevant commits… assuming the merge base is sufficiently represented in the sparse checkout. I guess the issue here is that the podman-5.8 branch is not actually branched from main, but from podman-5.7, and the merge commit from #533 is very deep in the main branch, so it was probably not visible due to fetch-depth.
It would be interesting to verify; but, meh, it’s a few extra seconds, and we can’t spare the time. Also, even if that hypothesis were true, I don’t know what we can do differently in actions/checkout.
This needs to be at least the commit of containers#635, otherwise bots try to "update" c/storage to a branch version; and it needs to be from the main branch because c/common requires c/storage/pkg/configfile. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Mainly so we get a commit after [1] which makes the renovate auto update work again. And also buildah to get a fix for a flake [2]. [1] containers/container-libs#635 [2] containers/buildah#6688 Signed-off-by: Paul Holzinger <pholzing@redhat.com>