
[v5.8] some bugfix backports#28475

Merged
Luap99 merged 20 commits into containers:v5.8 from Luap99:v5.8-backports
Apr 10, 2026

Conversation

umut-polat and others added 2 commits April 9, 2026 13:41
Setting Entrypoint= (empty value) in a quadlet .container file should
produce --entrypoint "" in the generated podman command, which clears
the image's default entrypoint. Previously this was silently ignored
because lookupAndAddString skips empty values.

Move the Entrypoint key out of the generic stringKeys map and handle
it separately so that an empty value is passed through.

Closes containers#28213

Signed-off-by: umut-polat <52835619+umut-polat@users.noreply.github.com>
(cherry picked from commit 926f562)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This prevents a nil pointer crash when running network=host containers
on a FreeBSD host using podman-remote.

Fixes: containers#28289
Signed-off-by: Doug Rabson <dfr@rabson.org>
(cherry picked from commit 9a10cef)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
@github-actions github-actions bot added the kind/api-change Change to remote API; merits scrutiny label Apr 9, 2026
@Luap99
Member Author

Luap99 commented Apr 9, 2026

cc @mheon @TomSweeneyRedHat

Tim Zhou and others added 16 commits April 9, 2026 14:20
Signed-off-by: Tim Zhou <tizhou@redhat.com>
(cherry picked from commit 98c398b)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Tim Zhou <tizhou@redhat.com>
(cherry picked from commit 5d79adb)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Podman uses this env to do various things, we don't want the external
env to affect our tests here.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 7e3caae)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
From containers/automation_images#438

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit f2bc5b8)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
runc may or may not issue a warning here.

opencontainers/runc#4732

Signed-off-by: Ricardo Branco <rbranco@suse.de>
(cherry picked from commit b775318)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
In the SystemCheck HTTP handler, when parsing the
unreferenced_layer_max_age query parameter fails, the error response is
sent but execution continues to `unreferencedLayerMaximumAge = &duration`
where `duration` is the zero value. This causes the system check to run
with a zero duration instead of returning the 400 error to the client.

Add the missing `return` after the error response.

Fixes containers#28350

Signed-off-by: crawfordxx <crawfordxx@users.noreply.github.com>
(cherry picked from commit 29d80a2)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
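The fall-through described in this commit message is easy to reproduce in isolation. The block below is an added example, not podman's handler: it keeps a buggy and a fixed copy of a handler that parses `unreferenced_layer_max_age`, drives both with a constructed request, and records whether the (simulated) check still ran after the 400 was written. The `checkOptions` type, the `drive` helper and the request path are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// checkOptions records what the handler hands to the system check
// (a constructed stand-in for the real handler's state).
type checkOptions struct {
	ran    bool           // did the check run at all?
	maxAge *time.Duration // nil means no age limit was requested
}

// buggyHandler mirrors the defect: it writes the 400 response but, lacking a
// return, falls through and runs the check with the zero-valued duration.
func buggyHandler(opts *checkOptions) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var maxAge *time.Duration
		if raw := r.URL.Query().Get("unreferenced_layer_max_age"); raw != "" {
			duration, err := time.ParseDuration(raw)
			if err != nil {
				http.Error(w, fmt.Sprintf("invalid duration %q: %v", raw, err), http.StatusBadRequest)
				// BUG: no return here, so execution continues with duration == 0.
			}
			maxAge = &duration
		}
		opts.ran = true
		opts.maxAge = maxAge
	}
}

// fixedHandler is identical except for the return after the error response.
func fixedHandler(opts *checkOptions) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var maxAge *time.Duration
		if raw := r.URL.Query().Get("unreferenced_layer_max_age"); raw != "" {
			duration, err := time.ParseDuration(raw)
			if err != nil {
				http.Error(w, fmt.Sprintf("invalid duration %q: %v", raw, err), http.StatusBadRequest)
				return // reject the request; the check must not run
			}
			maxAge = &duration
		}
		opts.ran = true
		opts.maxAge = maxAge
	}
}

// drive sends one constructed request through a handler and reports the HTTP
// status plus what the simulated system check would have seen.
// The path "/system/check" is a placeholder, not necessarily the real route.
func drive(build func(*checkOptions) http.HandlerFunc, query string) (int, checkOptions) {
	var opts checkOptions
	req := httptest.NewRequest(http.MethodPost, "/system/check?"+query, nil)
	rec := httptest.NewRecorder()
	build(&opts).ServeHTTP(rec, req)
	return rec.Code, opts
}

func main() {
	for _, tc := range []struct {
		name  string
		build func(*checkOptions) http.HandlerFunc
	}{{"buggy", buggyHandler}, {"fixed", fixedHandler}} {
		code, opts := drive(tc.build, "unreferenced_layer_max_age=notaduration")
		fmt.Printf("%s: status=%d ran=%v\n", tc.name, code, opts.ran)
	}
}
```

Both variants answer the client with a 400, which is why the bug is invisible from the response alone; only the side effect (the check ran, and with a zero age limit) reveals it.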
When `podman-remote` tars the context, extra `podman-build-secret*` paths were
either dropped by `.dockerignore` (containers#25314) or archived as absolute paths so
`COPY . .` pulled host-shaped trees into the image (containers#28334).

Use relative names under the primary context for extra sources and do not apply
`.dockerignore` to those forced entries.

Fixes: containers#25314
Fixes: containers#28334

Signed-off-by: Jan Rodák <hony.com@seznam.cz>
(cherry picked from commit e18bb9e)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
(cherry picked from commit 765ffb9)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
ExecContainerHTTP returns attachChan to its caller before attachExecHTTP
finishes. The caller's deferred close(holdConnOpen) can therefore fire
while attachExecHTTP is still running (including its own deferred
cleanups), which races with the goroutine inside attachExecHTTP that
reads deferredErr after <-holdConnOpen unblocks.

Fix this by introducing an errCh channel: deferred functions write
deferredErr into it, and the goroutine reads from it after
<-holdConnOpen unblocks, ensuring the read happens-after all writes to
the named return value.

Fixes: containers#28277
Signed-off-by: crawfordxx <crawfordxx@users.noreply.github.com>
(cherry picked from commit 497185c)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
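The synchronisation pattern from this commit message, as an added example that is not the podman code: `attachFixed` is a simplified model of the fixed attach function, `attachRacy` keeps the pre-fix shape for comparison, and `startAttach` plays the role of the caller that returns before the attach has finished. The `ready` channel, the `cleanup` callback and the function names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// attachFunc is the shape of both attach models below (constructed).
type attachFunc func(holdConnOpen <-chan struct{}, ready chan<- struct{}, cleanup func() error, result chan<- error) error

// attachFixed reports deferredErr to the watcher goroutine through errCh, so
// the watcher's receive happens-after every deferred write to the named return.
func attachFixed(holdConnOpen <-chan struct{}, ready chan<- struct{}, cleanup func() error, result chan<- error) (deferredErr error) {
	errCh := make(chan error, 1)
	// Registered first, so it runs last: by the time this sends, the other
	// deferred function has finished writing deferredErr.
	defer func() { errCh <- deferredErr }()

	// Watcher: waits for the caller to release the connection, then takes
	// the final error from errCh instead of reading deferredErr directly.
	go func() {
		<-holdConnOpen
		result <- <-errCh
	}()

	// Deferred cleanup that may fail and wants to surface its error.
	defer func() {
		if err := cleanup(); err != nil && deferredErr == nil {
			deferredErr = err
		}
	}()

	close(ready) // attach is established; the caller may now proceed
	return nil
}

// attachRacy is the pre-fix shape: the watcher reads the named return value
// directly, which races with the deferred write once the caller closes
// holdConnOpen early. Not exercised by the test; run under `go run -race`
// with a slow cleanup to see the report.
func attachRacy(holdConnOpen <-chan struct{}, ready chan<- struct{}, cleanup func() error, result chan<- error) (deferredErr error) {
	go func() {
		<-holdConnOpen
		result <- deferredErr // unsynchronised read of the named return
	}()
	defer func() {
		if err := cleanup(); err != nil && deferredErr == nil {
			deferredErr = err
		}
	}()
	close(ready)
	return nil
}

// startAttach models the caller: it runs the attach in its own goroutine and
// hands back control as soon as the attach is ready, which is exactly the
// window in which the caller may close holdConnOpen.
func startAttach(attach attachFunc, holdConnOpen <-chan struct{}, cleanup func() error) (<-chan struct{}, <-chan error) {
	ready := make(chan struct{})
	result := make(chan error, 1)
	go func() { _ = attach(holdConnOpen, ready, cleanup, result) }()
	return ready, result
}

// runScenario waits for ready, releases the connection immediately, and
// returns the error the watcher delivered.
func runScenario(attach attachFunc, cleanup func() error) error {
	hold := make(chan struct{})
	ready, result := startAttach(attach, hold, cleanup)
	<-ready
	close(hold)
	return <-result
}

func main() {
	slowFail := func() error {
		time.Sleep(50 * time.Millisecond) // make the defer visibly outlive the close
		return errors.New("cleanup failed")
	}
	fmt.Println("fixed:", runScenario(attachFixed, slowFail))
}
```

With the fixed model the deferred cleanup can take as long as it likes after `holdConnOpen` is closed; the watcher still receives "cleanup failed" because the send on `errCh` is the last thing the function does.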
When creating a secret with driver=shell via the API, the file driver's
default DriverOpts (including path) were applied because DriverOpts was
empty. The shell driver rejects path as an unknown option, making it
impossible to create shell-driver secrets via the REST API or
podman-remote.

Only apply default DriverOpts from config when the requested driver
matches the configured default driver.

Signed-off-by: Joe Doss <joe@solidadmin.com>
(cherry picked from commit 667f55c)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Verify that creating a secret with driver=shell and no --driver-opts
does not inherit the file driver's default path option. Before the fix,
this produced "invalid shell driver option"; after, it correctly fails
with "missing config value" for unconfigured shell commands.

Signed-off-by: Joe Doss <joe@solidadmin.com>
(cherry picked from commit 8b90561)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Fixes: containers#28409

Signed-off-by: Jan Rodák <hony.com@seznam.cz>
(cherry picked from commit cf6404f)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The Go std os package will always make sure to use O_CLOEXEC, however
in cases where we directly call unix.Open() we need to pass that flag
explicitly.

I looked at this as there was a report of a leaked fd on the pasta list,
though I am not sure this will address it.

But anyway doing this should be rather safe and avoid leaks into other
processes.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit d20933d)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
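An added example (not podman code) that makes the difference described above observable: it opens a file with and without `O_CLOEXEC` through the raw `syscall.Open`, and via `os.Open`, then reads the descriptor flags back with `fcntl(F_GETFD)`. It uses the standard `syscall` package instead of `golang.org/x/sys/unix` so it runs without extra modules, and assumes Linux.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// hasCloexec reports whether FD_CLOEXEC is set on fd, via fcntl(F_GETFD).
// Assumes Linux for syscall.SYS_FCNTL.
func hasCloexec(fd int) (bool, error) {
	flags, _, errno := syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), syscall.F_GETFD, 0)
	if errno != 0 {
		return false, errno
	}
	return flags&syscall.FD_CLOEXEC != 0, nil
}

// openLeaky is the shape the commit message warns about: a raw open(2) with
// no O_CLOEXEC, so the descriptor survives exec into any child process.
func openLeaky(p string) (int, error) {
	return syscall.Open(p, syscall.O_RDONLY, 0)
}

// openCloexec passes the flag explicitly, as the fix does for unix.Open().
func openCloexec(p string) (int, error) {
	return syscall.Open(p, syscall.O_RDONLY|syscall.O_CLOEXEC, 0)
}

// cloexecAfter opens p with the given opener, checks the flag, and closes it.
func cloexecAfter(open func(string) (int, error), p string) (bool, error) {
	fd, err := open(p)
	if err != nil {
		return false, err
	}
	defer syscall.Close(fd)
	return hasCloexec(fd)
}

// cloexecOsOpen does the same through os.Open, which sets O_CLOEXEC for you.
func cloexecOsOpen(p string) (bool, error) {
	f, err := os.Open(p)
	if err != nil {
		return false, err
	}
	defer f.Close()
	return hasCloexec(int(f.Fd()))
}

func main() {
	const p = "/dev/null"
	leaky, _ := cloexecAfter(openLeaky, p)
	safe, _ := cloexecAfter(openCloexec, p)
	std, _ := cloexecOsOpen(p)
	fmt.Printf("syscall.Open without flag: cloexec=%v\n", leaky)
	fmt.Printf("syscall.Open with O_CLOEXEC: cloexec=%v\n", safe)
	fmt.Printf("os.Open: cloexec=%v\n", std)
}
```

The first case is the one that leaks: any process the program later forks and execs (a conmon, a network helper, a hook) inherits that descriptor and keeps it open as long as it lives.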
Under normal circumstances this is not a problem as the archive file
created by podman container checkpoint will not create symlinks.
However if a user passes a custom archive they could contain symlinks
that point outside our root. To resolve them within the root use
securejoin.

Note this is not a security problem because the full archive must be
trusted by a user to begin with as it contains the full container config.

Fixes: containers#27977

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit abb5120)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
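To show what "resolve them within the root" means in practice, here is an added example that is neither podman code nor the filepath-securejoin library: a small, self-contained reimplementation of the idea, walking the path one component at a time, re-rooting absolute symlink targets at `root`, clamping `..` at the root, and bounding the number of symlink hops. The function name `secureJoin` and the sample tree in `main` are constructed for the example; it assumes a Unix filesystem.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

const maxSymlinkHops = 255

// secureJoin resolves unsafePath inside root, treating root as the filesystem
// root for every symlink it meets. Absolute targets are re-rooted at root and
// ".." can never climb above it. Simplified reimplementation for this example.
func secureJoin(root, unsafePath string) (string, error) {
	resolved := "/" // path relative to root; always clean and rooted at "/"
	remaining := unsafePath
	hops := 0
	for remaining != "" {
		var part string
		if i := strings.IndexByte(remaining, '/'); i >= 0 {
			part, remaining = remaining[:i], remaining[i+1:]
		} else {
			part, remaining = remaining, ""
		}
		switch part {
		case "", ".":
			continue
		case "..":
			resolved = path.Dir(resolved) // path.Dir("/") == "/", so we never leave root
			continue
		}
		candidate := path.Join(resolved, part)
		fi, err := os.Lstat(filepath.Join(root, candidate))
		if errors.Is(err, os.ErrNotExist) || (err == nil && fi.Mode()&os.ModeSymlink == 0) {
			// Missing or non-link component: accept it and move on.
			resolved = candidate
			continue
		}
		if err != nil {
			return "", err
		}
		hops++
		if hops > maxSymlinkHops {
			return "", errors.New("too many symlinks")
		}
		target, err := os.Readlink(filepath.Join(root, candidate))
		if err != nil {
			return "", err
		}
		// Re-queue the link target in front of whatever is left. An absolute
		// target restarts at root, not at the host's real "/".
		if path.IsAbs(target) {
			resolved = "/"
		}
		remaining = strings.TrimPrefix(target, "/") + "/" + remaining
	}
	return filepath.Join(root, resolved), nil
}

func main() {
	// Constructed sample tree: two symlinks that would escape a naive join.
	root, err := os.MkdirTemp("", "securejoin-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	_ = os.MkdirAll(filepath.Join(root, "sub"), 0o755)
	_ = os.Symlink("/sub", filepath.Join(root, "abs"))
	_ = os.Symlink("../../etc", filepath.Join(root, "up"))
	for _, p := range []string{"abs/file", "up/passwd", "../../../x"} {
		got, err := secureJoin(root, p)
		fmt.Printf("%-12s -> %s (err=%v)\n", p, strings.TrimPrefix(got, root), err)
	}
}
```

Note that the result is still only safe against the tree as it existed during the walk; a root that another process can modify concurrently needs the chroot or openat2-based approach that the next commit in this series adopts.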
Just as additional hardening.

Note chrootarchive does not work on macos/windows, in that case it still
falls back to the regular pkg/archive.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 25aee24)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The server already does validate this so this is not strictly needed and
the client must trust the server no matter what.

But adding an extra check here does not hurt and may help prevent future
bugs.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 12bec19)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
l0rd and others added 2 commits April 9, 2026 15:01
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
(cherry picked from commit aa5361a)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Bump the timeout to 60 minutes. We already bumped to 40 minutes a while
ago in commit 623cb5f but it seems this is not enough.

The x86_64 test needs only 25 minutes so I am confused why aarch64 got
so much slower, they used to be around the same time.
Of course our tests should not take that long so we really need to
figure out what is actually causing this slow down.

Looking at logs a test that boots and stops a VM takes 30s on x86_64
while it takes 50s on aarch64.
However at the same time the aarch64 test on the macs with libkrun and
applehv are quite fast (15-17m) so it seems unlikely to me that it is
something inside the aarch64 machine image that causes it but rather
related to the host side.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 938d677)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
@mheon
Member

mheon commented Apr 9, 2026

LGTM

Member

@giuseppe giuseppe left a comment


/lgtm

@Luap99 Luap99 merged commit 825eed6 into containers:v5.8 Apr 10, 2026
88 checks passed
@Luap99
Member Author

Luap99 commented Apr 10, 2026

/lgtm

@giuseppe remember we no longer use the bot, so just press the green button now :)

@Luap99 Luap99 deleted the v5.8-backports branch April 10, 2026 14:47