- Mar 15, 2025
-
-
openshift-merge-bot[bot] authored
Honor rootfulness when SSH-ing into named Machine
-
- Mar 14, 2025
-
-
Jake Correnti authored
Fix a bug where SSH-ing into a named Podman Machine (not podman-machine-default) results in the user being put in the rootless shell if the default system connection is rootless. Resolves: https://github.com/containers/podman/issues/25332 Signed-off-by:
Jake Correnti <jakecorrenti+github@proton.me>
-
openshift-merge-bot[bot] authored
Fix a potential deadlock during `podman cp`
-
Matt Heon authored
Have one function without a `defer lock.unlock()` as one of the commands in it calls a function that also takes the same lock, so the unlock has to happen prior to function completion. Unfortunately, this is prone to errors, like the one here: I missed a case, and we could return without unlocking, causing a deadlock later in the cleanup code as we tried to take the same lock again. Refactor the command to use `defer unlock()` to simplify and avoid any further errors of this type. Introduced by e66b788a - this should be included in any backports of that commit. Fixes #25585 Signed-off-by:
Matt Heon <mheon@redhat.com>
-
openshift-merge-bot[bot] authored
New images 2025-03-12
-
openshift-merge-bot[bot] authored
fix(deps): update module golang.org/x/net to v0.36.0 [security]
-
openshift-merge-bot[bot] authored
[skip-ci] packit: fix missing fedora arches
-
- Mar 13, 2025
-
-
openshift-merge-bot[bot] authored
Fix HealthCheck log destination, count, and size defaults
-
Paul Holzinger authored
This is simpler as we don't have to rely on an external command. The retry loop is needed as we check for a container process connection, and while we know podman binds the port before returning there is no way to know when the container application bound the port so we must retry a bit. Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
Paul Holzinger authored
nc can be provided by either ncat (nmap) or netcat (OpenBSD), we only work with the nmap version so make sure we always use that one and not the short alias which can be resolved to either one. It is not clear to me what changed on rawhide but it seems netcat is preferred even though we have nmap-ncat installed. Note this only changes the host side nc calls, the Alpine based images only have nc as command so we must continue to use it inside. Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
Paul Holzinger authored
from https://github.com/containers/automation_images/pull/401 Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
openshift-merge-bot[bot] authored
libpod: improve createRootlessContainer
-
openshift-merge-bot[bot] authored
Some minor follow up fixes from PR comments
-
Giuseppe Scrivano authored
do not run the expensive pmount.GetMounts() function if it is not needed. As a follow-up for commit c9c44d40, do not restore the propagation flag for the parent mount to shared unless it was changed to slave first. Signed-off-by:
Giuseppe Scrivano <gscrivan@redhat.com>
-
Paul Holzinger authored
As pointed out by Valentin on #25491, it is not an actual bug but this makes it more clear how it works and should not confuse readers why this case has no return. Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
Paul Holzinger authored
It did start there, as pointed out by Ygal on #25481. Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
Paul Holzinger authored
As pointed out by Tom on the PR #25397. Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
openshift-merge-bot[bot] authored
add artifact mount support
-
renovate[bot] authored
Signed-off-by:
renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
-
openshift-merge-bot[bot] authored
chore(deps): update dependency setuptools to ~=75.9.1
-
- Mar 12, 2025
-
-
Jan Rodák authored
GoLang sets unset values to the default value of the type. This means that the destination of the log is an empty string and the count and size are set to 0. However, this means that size and count are unbounded, and this is not the default behavior. Fixes: https://github.com/containers/podman/issues/25473 Fixes: https://issues.redhat.com/browse/RHEL-83262 Signed-off-by:
Jan Rodák <hony.com@seznam.cz>
-
renovate[bot] authored
Signed-off-by:
renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
-
Paul Holzinger authored
The oci layout code can handle a relative path fine but all paths returned by the code then will also be relative, this can be bad and result in bugs if something ever changes the cwd. The graphroot path we pass should already be always absolute, so just add a sanity check here given libartifact is planned to be moved as separate lib and we cannot assume anything about the path we will be given there. Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
Paul Holzinger authored
Add a new option to allow for mounting artifacts in the container, the syntax is added to the existing --mount option: type=artifact,src=$artifactName,dest=/path[,digest=x][,title=x] This works very similar to image mounts. The name is passed down into the container config and then on each start we lookup the artifact and then figure out which blobs to mount. There is no protection against a user removing the artifact while still being used in a container. When the container is running the bind mounted files will stay there (as the kernel keeps the mounts active even if the bind source was deleted). On the next start it will fail to start as if it does not find the artifact. The good thing is that this technically allows someone to update the artifact with the new file by creating a new artifact with the same name. Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
Paul Holzinger authored
There is no need whatsoever to run a container to populate a random file, this is just much slower than just writing some random bytes directly without having to run a container and run dd in it. Also the function accepted the number of bytes, however because dd uses a minimum block size of 512 bytes it was actually numBytes * 1024 which were written. That makes no sense so fix the two tests that depended on the wrong number. Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
Paul Holzinger authored
Use a helper struct to hold the mounts instead of returning 5+ return values from the functions. This allows us to easily add more volume types without having to update all return lines every time in the future. And 5+ return values are really not readable anymore so this should make it easier to follow the code. Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
Paul Holzinger authored
The function is never used elsewhere so do not export it. Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
Paul Holzinger authored
Will save a few memory copies, we must do that only after namesOrDigests was populated so the len() does not report zero. Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
Paul Holzinger authored
Instead of duplicating the NewArtifactStore() call in many places and having to make sure we always pass the same path to it define it as a function on the runtime. This allows any caller with access to the libpod runtime to create the store easily. This is using a sync.OnceValues() function so the store is initialized only once and only when actually needed. Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
Paul Holzinger authored
The goal of this new interface is to expose the blob source path and the target file name for a bind mount into a container. libpod will call this and then take care of setting up the actual mounts based on the returned paths. Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
Paul Holzinger authored
Create a getArtifactAndImageSource() function so this one can be shared with the new mount blob API that is added next to avoid code duplication. Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
Paul Holzinger authored
Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
Paul Holzinger authored
The main point of this is so that I can share the same lookup logic between Extract() and then the new blob path API I add next. Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
openshift-merge-bot[bot] authored
Windows installer test: hardcode the ID of the latest GH release
-
openshift-merge-bot[bot] authored
Quadlet warning messages
-
Mario Loriedo authored
To avoid problems when automatically downloading `latest` podman windows installer (e.g. the windows installer hasn't been included in the GH release because of a problem with the keys to sign it), we are now hardcoding the version of Podman that is used to test the upgrade from latest to current version. Signed-off-by:
Mario Loriedo <mario.loriedo@gmail.com>
-
openshift-merge-bot[bot] authored
[skip-ci] Packit: Fix action script for updating upstream commit id in rpm spec
-
Paul Holzinger authored
Silly mistake on my end, of course we want to build on both arches. Fixes: 9eb4d27c ("packit: only build F41+") Signed-off-by:
Paul Holzinger <pholzing@redhat.com>
-
openshift-merge-bot[bot] authored
Update CI to go1.23 and golang.org/x/crypto v0.36.0
-
Lokesh Mandvekar authored
This fixes multiple trailing quotes after the commit and also ensures the older commit id will be correctly replaced by the newer id. Signed-off-by:
Lokesh Mandvekar <lsm5@fedoraproject.org>
-