fix: skip execution of probes when initialDelaySeconds is not elapsed
According to the [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes)
the probes should be executed after the `initialDelaySeconds`. So to be
consistent with the Kubernetes specs, skip the execution of the probes until
the `initialDelaySeconds` is elapsed.
Paul Holzinger [Thu, 11 Dec 2025 11:21:36 +0000 (12:21 +0100)]
renovate: remove old c/{common, image, storage} config
We no longer use these repos so we can drop this config.
In the meantime I added this for the new location in the global config.
https://github.com/containers/automation/pull/259/commits/b49c089e5fa16be06f36b3abfa050f27dfee783b
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Matt Heon [Thu, 4 Dec 2025 20:25:11 +0000 (15:25 -0500)]
Deterministically order pod inspect fields
There are two fields I'm worried about: shared namespaces and pod
containers. Both are generated via loops over maps and are thus
non-deterministic in ordering. Throw a sort on each to fix the
order so we can actually diff `podman pod inspect` output.
Paul Holzinger [Wed, 3 Dec 2025 18:15:24 +0000 (19:15 +0100)]
libpod: simplify resolveWorkDir()
The code checks for isPathOnVolume and isPathOnMount so we can just use
the SecureJoin here directly to check for path existence.
Then instead of walking symlinks and trying to guess if they are on a
mount just assume if it is a link (path is different from the normal
joined one) then don't error out early and let the OCI runtime deal with
it. The runtime does produce a less readable error but it still fails
and we have much less fragile code.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Paul Holzinger [Wed, 3 Dec 2025 15:57:15 +0000 (16:57 +0100)]
libpod: fix workdir MkdirAll() all check
MkdirAll can fail with EEXIST when the path is a symlink and the target
doesn't exist. As such we should ignore the error.
Note there is something fundamentally wrong here with the path access as
it is following the symlink to the host, however it is only for a
stat() so it is not a security issue here.
Fixes: 637c264e2e ("fix issues found by nilness")
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
givensuman [Tue, 2 Dec 2025 18:08:44 +0000 (13:08 -0500)]
Add Repository and Tag fields to image list --format JSON output
Adds two fields to the output of `podman image list --format json`,
"Repository" and "Tag." Consequently makes the existing embedded field
"RepoTag" redundant, and in current implementation is always `nil`. Adds
`json:",omitempty"` to improve program output.
Daniel Hast [Tue, 2 Dec 2025 23:11:53 +0000 (18:11 -0500)]
ci: add Zizmor workflow
Zizmor (https://docs.zizmor.sh/) is a static analysis tool for GitHub
Actions. Most of the issues identified by Zizmor were fixed in #27642.
This Zizmor action integrates with GitHub Advanced Security and scans
workflows for potential security issues, which should help ensure that
such issues aren't reintroduced in the future.
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
ZuhairM7 [Sun, 30 Nov 2025 02:43:20 +0000 (20:43 -0600)]
bindings: fix handling of env secrets in remote builds
Previously, using --secret=id=foo,env=BAR in remote mode would fail because the client sent the env var name to the server, which tried to resolve it locally. This patch modifies the client to resolve the environment variable locally, write it to a temp file, and send it as a file-based secret.
lstocchi [Mon, 1 Dec 2025 15:49:51 +0000 (16:49 +0100)]
prevent non hyper-v admin users to execute machine commands
Update GetAll() and GetByVMType() to add a check to prevent non hyper-v admin users from
interacting with hyperv machines.
Users can work with hyperv machines only with elevated rights or if
members of the hyperv administrators group.
Jan Rodák [Wed, 26 Nov 2025 13:16:51 +0000 (14:16 +0100)]
Fix `unless-stopped` restart policy to match Docker behavior
- Update documentation: Differentiate `unless-stopped` from `always` - containers stopped by the user before a reboot will not restart.
- Add `should-start-on-boot` filter: Identify containers that require a restart after a system reboot.
- Update command documentation: Add `restart-policy` and `label!` filters to the documentation for container commands (rm, ps, start, stop, pause, unpause, restart).
- Add `restart-policy` and `should-start-on-boot` to completions.
- Update service: Update `podman-restart.service` to use the `needs-restart=true` filter.
- Preserve state: Preserve the `StoppedByUser` state across reboots.
- Update API: Add a `ShouldStartOnBoot()` method to the Container API.
- Update documentation: Add descriptions for the `should-start-on-boot` filter.
Fixes: https://issues.redhat.com/browse/RHEL-129405
Fixes: https://github.com/containers/podman/issues/20418
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
Daniel Hast [Mon, 1 Dec 2025 13:29:24 +0000 (08:29 -0500)]
ci: use env vars to avoid template expansion in code contexts
Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection
To avoid this, instead use environment variables to safely store the
values of the template expansions.
Also (in the process of doing the above) added double-quotes around
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
Daniel Hast [Mon, 1 Dec 2025 13:05:02 +0000 (08:05 -0500)]
ci: use --sandbox for dynamically generated sed scripts
sed scripts are capable of doing file I/O and executing arbitrary
commands. The `--sandbox` option prevents this by rejecting sed commands
with such capabilities; it's good practice to use this whenever the sed
script is dynamically generated (e.g. if it involves a variable
expansion).
Also fixed an error in one sed script where `.*` had been placed outside
of the quoted string (and would therefore be subject to shell globbing),
presumably due to single-quotes having been changed to double-quotes at
some point in the past.
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
Daniel Hast [Mon, 1 Dec 2025 12:50:53 +0000 (07:50 -0500)]
ci: pass secrets explicitly to reusable workflow
Using `secrets: inherit` forwards all secrets to the workflow and makes
it harder to determine which secrets the workflow was actually executed
with. See: https://docs.zizmor.sh/audits/#secrets-inherit
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
Daniel Hast [Mon, 1 Dec 2025 12:38:24 +0000 (07:38 -0500)]
ci: specify persist-credentials for actions/checkout
Explicitly set `persist-credentials: true` for uses of
`actions/checkout` where it's needed (when the job does git operations
using the stored credentials) and `persist-credentials: false` where the
stored credentials are not later used.
This reduces the risk of cached credentials accidentally being leaked
via artifacts.
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
Daniel Hast [Mon, 1 Dec 2025 12:30:41 +0000 (07:30 -0500)]
ci: specify workflow permissions per job
Also remove some unnecessary permissions:
* The notification job in release-artifacts.yml only needs to read repo
  contents, not write contents and actions.
* All jobs in release.yml except "Create release" and "Update podman.io"
  only need to read repo contents. "Update podman.io" only needs to
  write repo contents and pull requests.
* Likewise, permissions for update-podmanio.yml can be restricted to
  only writing repo contents and pull requests.
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
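The workflow hardening described in the four commits above (env vars instead of template expansion in `run:` scripts, explicit secrets for reusable workflows, explicit `persist-credentials`, per-job permissions), combined in one workflow as an added example. It is not taken from the Podman repository; the workflow name, job names, `example-reusable.yml` and `EXAMPLE_TOKEN` are hypothetical.

```yaml
# Hypothetical workflow, constructed for illustration only.
name: example-hardened
on:
  pull_request:

# Grant nothing at workflow level; each job declares what it needs.
permissions: {}

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # this job only reads the repository
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step uses git with the stored token, so do not
          # leave it in .git/config where an artifact upload could
          # pick it up.
          persist-credentials: false

      # Weak form, kept as a comment for contrast: the expression is
      # pasted into the script text before the shell parses it, so
      # quotes or $(...) in the title become shell syntax.
      #   run: echo "Title: ${{ github.event.pull_request.title }}"

      # Corrected form: the value reaches the script only as data in an
      # environment variable, and the expansion is double-quoted to
      # avoid word splitting and globbing.
      - name: Print PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Title: $PR_TITLE"

  publish:
    permissions:
      contents: write
      pull-requests: write
    uses: ./.github/workflows/example-reusable.yml
    # Weak form: `secrets: inherit` forwards every secret.
    # Corrected form: pass only the secret the called workflow uses.
    secrets:
      EXAMPLE_TOKEN: ${{ secrets.EXAMPLE_TOKEN }}
```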
Winter M [Mon, 20 Oct 2025 18:23:38 +0000 (14:23 -0400)]
libpod: fix healthchecks not executing every interval on linux
By default, systemd sets a limit of how many times a service can start,
which means that if you have a healthcheck that runs more often than the
limits, systemd will refuse to start it with a message like "Start request
repeated too quickly." emitted to the journal.
Signed-off-by: Winter M <winter@antithesis.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Mario Loriedo [Wed, 26 Nov 2025 12:19:18 +0000 (13:19 +0100)]
Replace FindExecutablePeer with FindHelperBinary
The WSL machine start was using the function FindExecutablePeer that
ignores user configuration (helper_binaries_dir). FindHelperBinary
instead is used when starting the machine for the rest of the providers
and honors user configuration.