Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection
To avoid this, instead use environment variables to safely store the
values of the template expansions.
Also (in the process of doing the above) added double-quotes around a
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
sed scripts are capable of doing file I/O and executing arbitrary
commands. The `--sandbox` option prevents this by rejecting sed commands
with such capabilities; it's good practice to use this whenever the sed
script is dynamically generated (e.g. if it involves a variable
expansion).
Also fixed an error in one sed script where `.*` had been placed outside
of the quoted string (and would therefore be subject to shell globbing),
presumably due to single-quotes having been changed to double-quotes at
some point in the past.
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
Explicitly set `persist-credentials: true` for uses of
`actions/checkout` where it's needed (when the job does git operations
using the stored credentials) and `persist-credentials: false` where the
stored credentials are not later used.
This reduces the risk of cached credentials accidentally being leaked
via artifacts.
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
Also remove some unnecessary permissions:
* The notification job in release-artifacts.yml only needs to read repo
contents, not write contents and actions.
* All jobs in release.yml except "Create release" and "Update podman.io"
only need to read repo contents. "Update podman.io" only needs to
write repo contents and pull requests.
* Likewise, permissions for update-podmanio.yml can be restricted to
only writing repo contents and pull requests.
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
By default, systemd sets a limit of how many times a service can start,
which means that if you have a healthcheck that runs more often than the
limits, systemd will refuse to start it with a message like "Start request
repeated too quickly." emitted to the journal.
Signed-off-by: Winter M <winter@antithesis.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The WSL machine start was using the function FindExecutablePeer that
ignores user configuration (helper_binaries_dir). FindHelperBinary
instead is used when starting the machine for the rest of the providers
and honors user configuration.
This commit requires 4877783c37
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
The --macvlan flag was deprecated in Podman 3.x and was scheduled
for removal in version 4.0. Since we're now at version 6.0.0-dev,
this commit removes the deprecated flag and its associated code.
Users should now use the standard syntax:
podman network create --driver macvlan --opt parent=<device> <name>
Signed-off-by: shiavm006 <shivammittal42006@gmail.com>
There doesn't seem any reason why the system commands should not join
the userns. In particular the main commands use ParentNSRequired and
UnshareNSRequired when they don't want to be joined to the main userns.
Since the system command don't set these the go code does the join and
re-exec anyway so might as well use the shortcut to speed that up.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When trying to join the conmon pid to recreate the pause process based
on the namespace it can be that the pid is no longer valid, i.e. when
conmon crashed or was killed.
Currently we have a big issue that can be reproduced using:
$ podman run -d quay.io/libpod/testimage:20241011 sleep 100
$ killall -9 conmon
$ killall catatonit
All commands would fail as we keep trying to rejoin the namespace of the
non existing conmon process.
So to address that fall back to creating a new namespace if we fail to
join the conmon pids.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Just a minor improvement as we know the size needed for the slice we can
allocate it only once instead of the append having to resize it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Based on the description in commit 63ef557 this was added so that the
migrate command does not move the pause process into a separate cgroup.
It should however not disable the rejoining of the userns when the pause
process join failed. BEcause of this we end up calling migrate without a
userns and that then can fail if there are actual contianer it tries to
cleanup.
Fixes: 63ef5576ed ("command: migrate doesn't move process to cgroup")
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
There is no good reason to use logrus and os.Exit() here, other parts of
this function already return the error so do the same. The main podman
process will exit then with the normal formatted error message.
And also log an error about the last return which should never happen as
we should have exited above if the re-exec worked or errored out.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The virtiofs mount points do not actually are network mounts so we can
mount them earlier and using multi-user.target to enable them was wrong.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
- remove old CLI validation that only checked --pod flag
- add validation in namespaces.go to catch all paths (cli, quadlet, api)
- block userns mixing for all pods with infra, not just ipc/net
- update error message to be clearer
- fix test cleanup to use PodmanExitCleanly()
- use dynamic pod names in system tests to avoid conflicts
fixes #26848
Signed-off-by: 0xdvc <neilohene@gmail.com>
This also then bumps github.com/opencontainers/runtime-spec to v1.3.0
which contains breaking changes of the pid type as such we had to update
all the podman callers.
And tags.cncf.io/container-device-interface also used some changed
types from it and they have been updated in main so bump to the latest
commit there as well in order to get podman to compile properly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
