Conversation

@TomSweeneyRedHat (Member) commented Dec 12, 2025

Addresses CVE-2025-52881, and also CVE-2025-31133 and CVE-2025-52565

Fixes: https://issues.redhat.com/browse/RHEL-126910, https://issues.redhat.com/browse/RHEL-126908, https://issues.redhat.com/browse/OCPBUGS-64908, https://issues.redhat.com/browse/OCPBUGS-64909, https://issues.redhat.com/browse/OCPBUGS-64907

Checklist

Ensure you have completed the following checklist for your pull request to be reviewed:

  • Certify you wrote the patch or otherwise have the right to pass it on as an open-source patch by signing all
    commits. (git commit -s). (If needed, use git commit -s --amend). The author email must match
    the sign-off email address. See CONTRIBUTING.md
    for more information.
  • Referenced issues using Fixes: #00000 in commit message (if applicable)
  • Tests have been added/updated (or no tests are needed)
  • Documentation has been updated (or no documentation changes are needed)
  • All commits pass make validatepr (format/lint checks)
  • Release note entered in the section below (or None if no user-facing changes)

Does this PR introduce a user-facing change?

None

@TomSweeneyRedHat TomSweeneyRedHat added the No New Tests Allow PR to proceed without adding regression tests label Dec 12, 2025
@github-actions github-actions bot added the kind/api-change Change to remote API; merits scrutiny label Dec 12, 2025
@TomSweeneyRedHat TomSweeneyRedHat force-pushed the dev/tsweeney/cve-2025-52881-v4.4.1-rhel branch from 157deb1 to 6ae98a6 Compare December 13, 2025 00:55
@TomSweeneyRedHat (Member, Author)

@timcoding1988 I'm assuming I need to bump AWS credentials here too? If not, please holler.

Activated AWS CLI for service acount.

An error occurred (AuthFailure) when calling the DescribeImages operation: AWS was not able to validate the provided access credentials
ERROR: Failed to update one or more image timestamps:  fedora-podman-aws-arm64-c6447802205601792

@TomSweeneyRedHat TomSweeneyRedHat force-pushed the dev/tsweeney/cve-2025-52881-v4.4.1-rhel branch 3 times, most recently from 2a36702 to 7140248 Compare December 17, 2025 19:53
@timcoding1988 (Collaborator)

> @timcoding1988 I'm assuming I need to bump AWS credentials here too? If not, please holler.
>
> Activated AWS CLI for service acount.
>
> An error occurred (AuthFailure) when calling the DescribeImages operation: AWS was not able to validate the provided access credentials
> ERROR: Failed to update one or more image timestamps:  fedora-podman-aws-arm64-c6447802205601792

@TomSweeneyRedHat correct

TomSweeneyRedHat and others added 7 commits December 17, 2025 15:39
These functions were removed in github.com/opencontainers/selinux
v1.12.0.

Signed-off-by: Paul Holzinger <[email protected]>
Signed-off-by: tomsweeneyredhat <[email protected]>
... Podman
cli flags couldn't override the active-destination when env variables were set. As a remedy, the precedence of cli flags has been changed.

Note: This commit is from containers#19997 and it brought in some pretty massive changes
to how the remote connections are created.

Signed-off-by: Chetan Giradkar <[email protected]>
Signed-off-by: tomsweeneyredhat <[email protected]>
The vendoring of Buildah dragged in a bump of common from v0.51.4 to
v0.57.7 which contained many changes to variable and function names.

Signed-off-by: tomsweeneyredhat <[email protected]>
Signed-off-by: Tim Zhou <[email protected]>
Signed-off-by: tomsweeneyredhat <[email protected]>
Signed-off-by: Tim Zhou <[email protected]>
Signed-off-by: tomsweeneyredhat <[email protected]>
We require GO 1.22, and it looks like Fedora 37
tops out at 1.19.  Bump the Fedora to F41.

Signed-off-by: tomsweeneyredhat <[email protected]>
@TomSweeneyRedHat TomSweeneyRedHat force-pushed the dev/tsweeney/cve-2025-52881-v4.4.1-rhel branch from 7140248 to b80a469 Compare December 17, 2025 20:40
The common v0.57.7 vendor bump added !remote build tags to libimage,
causing podman-remote builds to fail. This change splits files that
use libimage into separate _local and _remote variants:

- pkg/specgen/specgen_{local,remote}.go: Image field storage and methods
- pkg/api/handlers/types_local.go: ImageDataToImageInspect function
- cmd/podman/utils/error_local.go: ExitCodeFromBuildError function

This allows type definitions to be shared between remote and local
builds while keeping libimage-dependent implementations local-only.

Signed-off-by: Lokesh Mandvekar <[email protected]>
@lsm5 lsm5 force-pushed the dev/tsweeney/cve-2025-52881-v4.4.1-rhel branch from 4be25e2 to 4231526 Compare December 18, 2025 15:28
This commit fixes two issues in runtime initialization that occur when
vendor code doesn't properly set StaticDir and VolumePath defaults:

1. Add defensive initialization for StaticDir and VolumePath
   - Check if StaticDir is empty and set it to GraphRoot/libpod
   - Check if VolumePath is empty and set it to GraphRoot/volumes
   - This works around missing initialization in older vendor code
     without requiring changes to the vendor directory

2. Fix database initialization to allow creating new bolt_state.db
   - Previously, getDBState() would fail if bolt_state.db didn't exist
   - Now, only return error if it's not os.ErrNotExist
   - This allows NewBoltState() to create the database on first run

These changes resolve the "creating runtime static files directory:
mkdir : no such file or directory" error that occurred when running
podman commands.

Tested with:
- podman ps, info, version commands work correctly
- Volume operations create volumes at correct path
- Database is properly initialized on first run

Signed-off-by: Lokesh Mandvekar <[email protected]>
@TomSweeneyRedHat (Member, Author) commented Jan 5, 2026

@lsm5 @dashea is this ready to go forward?

@Honny1 (Member) left a comment

LGTM. I did a quick check.

@dashea commented Jan 13, 2026

@lsm5 do you know the status of this PR versus the branch you've been working on?

@lsm5 (Member) commented Jan 14, 2026

> @lsm5 do you know the status of this PR versus the branch you've been working on?

I'll update this PR with my updates.

lsm5 added 6 commits January 14, 2026 19:28
The events file backend writes events as they're generated, which may
not match chronological order due to race conditions during concurrent
operations in rmi -f. The remove and untag events from rmi can appear
in any order in the events file.

This matches the approach used in main branch (see commit 111a4bb)
which recognizes that event ordering is not guaranteed for concurrent
operations, especially in podman-remote.

This fix:
- Simplifies initial validation to check for event presence (not order)
- Checks deterministic events (0-6) in exact order
- Validates rmi events (7-9) are present without requiring specific order
- Checks final event (10) is the second loadfromarchive
- Does NOT modify runtime code to enforce ordering (events remain as-generated)

Signed-off-by: Lokesh Mandvekar <[email protected]>
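The validation strategy the commit above describes (deterministic events checked in exact order, the concurrent rmi events checked only for presence, a fixed final event) can be expressed as a single checker. This is an added illustration, not code from the PR or from podman's test suite; the event names in `main` are constructed placeholders rather than podman's real event types.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// checkEvents validates an event stream in three segments: a prefix that must
// match position by position, a window whose members may appear in any order
// (events emitted by concurrent operations, as with rmi -f), and one fixed
// final event. It returns nil when the stream satisfies all three.
func checkEvents(actual, prefix, unordered []string, final string) error {
	if want := len(prefix) + len(unordered) + 1; len(actual) != want {
		return fmt.Errorf("expected %d events, got %d", want, len(actual))
	}
	for i, want := range prefix {
		if actual[i] != want {
			return fmt.Errorf("event %d: want %q, got %q", i, want, actual[i])
		}
	}
	// Compare the concurrent window as a sorted multiset so duplicates or
	// missing events are still caught while ordering is ignored.
	got := append([]string(nil), actual[len(prefix):len(prefix)+len(unordered)]...)
	want := append([]string(nil), unordered...)
	sort.Strings(got)
	sort.Strings(want)
	if strings.Join(got, "\n") != strings.Join(want, "\n") {
		return fmt.Errorf("unordered window: want %v, got %v", want, got)
	}
	if last := actual[len(actual)-1]; last != final {
		return fmt.Errorf("final event: want %q, got %q", final, last)
	}
	return nil
}

func main() {
	// Constructed sample stream; "untag" and "remove" arrive in either order.
	stream := []string{"pull", "create", "start", "untag", "remove", "loadfromarchive"}
	err := checkEvents(stream,
		[]string{"pull", "create", "start"},
		[]string{"remove", "untag"},
		"loadfromarchive")
	fmt.Println("stream valid:", err == nil)
}
```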
This commit fixes three related issues that prevented userns=auto from
working correctly in rootless containers:

1. Fix setgroups() error with userns=auto
   When using userns=auto, supplementary GIDs from the container image
   were being passed to setgroups() before user namespace mappings were
   allocated by storage, causing EINVAL errors. Added a check in
   container_internal_common.go to skip supplementary groups when
   AutoUserNs is enabled but GIDMap isn't populated yet.

2. Fix ID mapping allocation bug in storage.go
   CreateContainerStorage was returning empty UID/GID mappings from the
   input options parameter instead of the allocated mappings from the
   storage container object, causing containers to fail with "readlink:
   No such file or directory" errors. Changed the return statement to
   use container.UIDMap and container.GIDMap.

3. Add workaround for containers/storage v1.51.0 bug
   The vendored storage library has a bug in parseMountedFiles where
   groupFile path is incorrectly used as a directory path. Set an
   explicit Size=65536 in AutoUserNsOpts to bypass the buggy code path.

With these fixes, all userns=auto tests in 170-run-userns.bats now pass
in rootless mode.

Signed-off-by: Lokesh Mandvekar <[email protected]>
The original cp.go uses buildah/copier which depends on libimage,
making it unavailable in remote builds. This change splits cp
implementation into separate local and remote variants:

- cmd/podman/containers/cp.go: Shared command definitions, flags, and
  init function (no build tag)
- cmd/podman/containers/cp_local.go: Local implementation using
  buildah/copier (//go:build !remote)
- cmd/podman/containers/cp_remote.go: Remote implementation using
  stdlib archive/tar (//go:build remote)

The remote implementation:
- Uses ContainerEngine interface methods that work over REST API:
  ContainerStat, ContainerCopyToArchive, ContainerCopyFromArchive
- Properly handles file and directory copying in both directions
- Uses CopyOptions.Rename for file renaming when copying to specific
  filenames
- Returns error for container-to-container copying (not supported with
  podman-remote)

This follows the same pattern used for other libimage-dependent code
in commit 4231526.

Fixes system tests that require cp functionality with podman-remote.

Signed-off-by: Lokesh Mandvekar <[email protected]>
The test framework was not parsing the '+w' suffix in expected exit
codes (e.g., '0+w' meaning "expect exit code 0 and warnings allowed").
This caused the literal string to be passed as a command argument to
podman, resulting in "unrecognized command" errors.

Added pattern matching for:
- [0-9]+w (single digit with warnings)
- [1-9][0-9]+w (double digit with warnings)
- [12][0-9][0-9]+w (triple digit with warnings)

The '+w' suffix is stripped off and only the numeric exit code is used
for validation. Note: The actual warning validation is not implemented
yet, but this allows tests using the '+w' notation to run correctly.

This fixes the "podman-remote: non-default connection" test failure.
This fixes several cp-related issues in podman-remote:
- Enable container-to-container copy support
- Fix symlink expansion for broken symlinks
- Fix cp from /dev/stdin
- Fix directory extraction to non-existent destination
- Add validation for copying directory to file
- Fix trailing slash handling for broken symlinks
- Fix stdin validation and --overwrite flag support
- Require existing directory destination when copying from stdin

Signed-off-by: Lokesh Mandvekar <[email protected]>
This fixes several cp-related issues in podman-remote:
- Enable container-to-container copy support
- Fix symlink expansion for broken symlinks
- Fix cp from /dev/stdin
- Fix directory extraction to non-existent destination
- Add validation for copying directory to file
- Fix trailing slash handling for broken symlinks
- Fix stdin validation and --overwrite flag support
- Require existing directory destination when copying from stdin

Signed-off-by: Lokesh Mandvekar <[email protected]>
lsm5 and others added 8 commits January 14, 2026 19:28
The test was using old expectations that required all containers to
have system_r role. The updated version from main branch correctly
expects that privileged/pid=host/ipc=host/label=disable containers
run with the current user and role, not system_r. This is intentional
behavior to support confined users (see commit 5b7dce8).

This brings the test expectations in line with the actual behavior.
The podman-remote build command was not displaying build output, causing
remotesystem tests to fail when expecting output like "COMMIT", "cache",
"Successfully built", etc.

Root causes:
1. BuildOptions.Out was set to nil when no --logfile was specified,
   causing all build output to be discarded
2. BuildOptions.Err was not set, preventing auxiliary build output
   from being displayed

Changes:
- Set Out and Err to default to os.Stdout and os.Stderr respectively
- Both redirect to logfile when --logfile is specified
- Remove incorrect client-side quiet flag handling (already handled
  by build engine via Quiet option)

This matches the behavior of the non-remote build implementation in
build.go and ensures build output is properly streamed from the server
through the bindings to the client's stdout/stderr.

Fixes test failures in make remotesystem for build-related tests.
Many system tests use hardcoded names for containers, images,
and everything. This has worked because system tests run
serially. It will not work if we ever run in parallel.

Create a new safename() helper, and use it as follows:

   myctr=c_$(safename)
   myvol1=v1_$(safename)
   ...

Find current instances of hardcoded names, and replace
with safe ones.

Whether or not we ever end up parallelizing system tests,
this is simply good practice.

There are far too many instances to fix in one (reviewable) PR.
This is commit 1 of N.

Signed-off-by: Ed Santiago <[email protected]>

safename: consistent within same test, and, dashes

Make safename() invocations consistent within the same
test. This puts the onus on the caller to add a unique
element when calling multiple times, e.g. "ctr1-$(safename)".
This is not too much of a burden. Major benefit is making
it easy for a reader to associate containers, pods, volumes,
images within a given test.

And, use dashes, not underscores. "podman generate kube"
removes underscores, making it very difficult to do
things like "podman inspect $podname" (because we need
to generate "$podname_with_underscores_removed")

Signed-off-by: Ed Santiago <[email protected]>
The buildah build kill trick is bad as we have to sleep and wait to avoid
flakes which takes time. Instead it is possible to redo this build part
manually with buildah commands. It is not trivial and harder to
understand but it saves 2-3s so I think it is worth it.

Signed-off-by: Paul Holzinger <[email protected]>
After[1] c/image no longer prints "Storing signatures" so we should
not check for it.

[1] containers/image#2001

Signed-off-by: Paul Holzinger <[email protected]>
The journald_unavailable() helper was testing 'journalctl -n 1' which
checks the general system journal, but quadlet and auto-update tests
actually need to read user systemd unit logs.

On some RHEL systems, the general journal works but reading user unit
logs fails with 'No journal files were found'.

Update the function to test the actual use case: reading logs from
user systemd units with 'journalctl --user --unit=...'. This properly
detects when user unit logging is unavailable so tests skip correctly.
We were ignoring relabel requests on certain unsupported
file systems and not on others; this changes to consistently
logrus.Debug ENOTSUP file systems.

Fixes: containers#20745

Still needs some work on the Buildah side.

Signed-off-by: Daniel J Walsh <[email protected]>
The previous commit introduced usage of unix.ENOTSUP but forgot to
import golang.org/x/sys/unix, causing a build failure on RHEL 9.2.0.

Fixes the build error:
libpod/container_internal_common.go:2800:20: undefined: unix

Signed-off-by: Lokesh Mandvekar <[email protected]>
@lsm5 lsm5 force-pushed the dev/tsweeney/cve-2025-52881-v4.4.1-rhel branch from aa74d6a to e581a29 Compare January 14, 2026 16:44