Merge pull request #19218 from ashley-cui/rc2

[v4.6] Backports and updated release notes

.pre-commit-config.yaml

@@ -12,7 +12,7 @@ repos:
       - id: end-of-file-fixer
         exclude: test/buildah-bud/buildah-tests.diff
       - id: trailing-whitespace
-        exclude: test/buildah-bud/buildah-tests.diff
+        exclude: test/buildah-bud/buildah-tests.diff|test/e2e/quadlet/remap-keep-id2.container
       - id: mixed-line-ending
       - id: check-byte-order-marker
       - id: check-executables-have-shebangs

Makefile

@@ -253,7 +253,7 @@ help: ## (Default) Print listing of key targets with their descriptions
 .PHONY: .gitvalidation
 .gitvalidation:
 	@echo "Validating vs commit '$(call err_if_empty,EPOCH_TEST_COMMIT)'"
-	GIT_CHECK_EXCLUDE="./vendor:./test/tools/vendor:docs/make.bat:test/buildah-bud/buildah-tests.diff" ./test/tools/build/git-validation -run DCO,short-subject,dangling-whitespace -range $(EPOCH_TEST_COMMIT)..$(HEAD)
+	GIT_CHECK_EXCLUDE="./vendor:./test/tools/vendor:docs/make.bat:test/buildah-bud/buildah-tests.diff:test/e2e/quadlet/remap-keep-id2.container" ./test/tools/build/git-validation -run DCO,short-subject,dangling-whitespace -range $(EPOCH_TEST_COMMIT)..$(HEAD)
 
 .PHONY: lint
 lint: golangci-lint

RELEASE_NOTES.md

@@ -2,6 +2,7 @@
 
 ## 4.6.0
 ### Features
+- The `podman manifest inspect` command now supports the `--authfile` option, for authentication purposes.
 - The `podman wait` command now supports `--condition={healthy,unhealthy}`, allowing waits on successful health checks.
 - The `podman push` command now supports a new option, ` --compression-level`, which specifies the compression level to use ([#18939](https://github.com/containers/podman/issues/18939)).
 - The `podman machine start` command, when run with `--log-level=debug`, now creates a console window to display the virtual machine while booting.
@@ -51,7 +52,18 @@
 - Quadlet now supports the `HostName` field, which sets the container's host name, in `.container` files ([#18486](https://github.com/containers/podman/issues/18486)).
 
 ### Bugfixes
-- The `podman machine start` command now waits for systemd-user sessions to be up, addressing flaky machine starts ([##17403](https://github.com/containers/podman/issues/#17403)).
+- Fixed a bug where the `podman machine start` command would fail with a 255 exit code. It now waits for systemd-user sessions to be up, and for SSH to be ready, addressing the flaky machine starts ([#17403](https://github.com/containers/podman/issues/#17403)).
+- Fixed a bug where the `podman auto update` command did not correctly use authentication files when contacting container registries.
+- Fixed a bug where the `--dns` option to the `podman run` command was ignored for macvlan networks ([#19169](https://github.com/containers/podman/issues/19169)).
+- Fixed a bug in the `podman system service` command where setting LISTEN_FDS when listening on TCP would misbehave.
+- Fixed a bug where hostnames were not recognized as a network alias. Containers can now resolve other hostnames, in addition to their names ([#17370](https://github.com/containers/podman/issues/17370)).
+- Fixed a bug where the `podman pod run` command would error after a reboot on a non-systemd system ([#19175](https://github.com/containers/podman/issues/19175)).
+- Fixed a bug where the `--syslog` option returned a fatal error when no syslog server was found ([#19075](https://github.com/containers/podman/issues/19075)).
+- Fixed a bug where the `--mount` option would parse the `readonly` option incorrectly ([#18995](https://github.com/containers/podman/issues/18995)).
+- Fixed a bug where hook executables invoked by the `podman run` command set an incorrect working directory. It now sets the correct working directory pointing to the container bundle directory ([#18907](https://github.com/containers/podman/issues/18907)).
+- Fixed a bug where the `-device-cgroup-rule` option was silently ignored in rootless mode ([#18698](https://github.com/containers/podman/issues/18698)).
+- Listing images is now more resilient towards concurrently running image removals.
+- Fixed a bug where the `--force` option to the `podman kube down` command would not remove volumes ([#18797](https://github.com/containers/podman/issues/18797)).
 - Fixed a bug where setting the `--list-tags` option in the `podman search` command would cause the command to ignore the `--format` option ([#18939](https://github.com/containers/podman/issues/18939)).
 - Fixed a bug where the `podman machine start` command did not properly translate the proxy IP.
 - Fixed a bug where the `podman auto-update` command would not restart dependent units (specified via `Requires=`) on auto update ([#18926](https://github.com/containers/podman/issues/18926)).
@@ -101,7 +113,7 @@
 - Updated Buildah to v1.31.0
 - Updated the containers/storage library to v1.48.0
 - Updated the containers/image library to v5.26.1
-- Updated the containers/common library to v0.55.1
+- Updated the containers/common library to v0.55.2
 
 ## 4.5.1
 ### Security

cmd/podman/auto-update.go

@@ -8,6 +8,7 @@ import (
 	"github.com/containers/common/pkg/auth"
 	"github.com/containers/common/pkg/completion"
 	"github.com/containers/common/pkg/report"
+	"github.com/containers/image/v5/types"
 	"github.com/containers/podman/v4/cmd/podman/common"
 	"github.com/containers/podman/v4/cmd/podman/registry"
 	"github.com/containers/podman/v4/pkg/domain/entities"
@@ -17,7 +18,8 @@ import (
 
 type cliAutoUpdateOptions struct {
 	entities.AutoUpdateOptions
-	format string
+	format    string
+	tlsVerify bool
 }
 
 var (
@@ -56,6 +58,8 @@ func init() {
 
 	flags.StringVar(&autoUpdateOptions.format, "format", "", "Change the output format to JSON or a Go template")
 	_ = autoUpdateCommand.RegisterFlagCompletionFunc("format", common.AutocompleteFormat(&autoUpdateOutput{}))
+
+	flags.BoolVarP(&autoUpdateOptions.tlsVerify, "tls-verify", "", true, "Require HTTPS and verify certificates when contacting registries")
 }
 
 func autoUpdate(cmd *cobra.Command, args []string) error {
@@ -64,6 +68,10 @@ func autoUpdate(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("`%s` takes no arguments", cmd.CommandPath())
 	}
 
+	if cmd.Flags().Changed("tls-verify") {
+		autoUpdateOptions.InsecureSkipTLSVerify = types.NewOptionalBool(!autoUpdateOptions.tlsVerify)
+	}
+
 	allReports, failures := registry.ContainerEngine().AutoUpdate(registry.GetContext(), autoUpdateOptions.AutoUpdateOptions)
 	if allReports == nil {
 		return errorhandling.JoinErrors(failures)

cmd/podman/inspect/inspect.go

@@ -185,16 +185,16 @@ func (i *inspector) inspect(namesOrIDs []string) error {
 		err = rpt.Execute(data)
 	}
 	if err != nil {
-		errs = append(errs, fmt.Errorf("printing inspect output: %w", err))
+		errs = append(errs, err)
 	}
 
 	if len(errs) > 0 {
 		if len(errs) > 1 {
 			for _, err := range errs[1:] {
-				fmt.Fprintf(os.Stderr, "error inspecting object: %v\n", err)
+				fmt.Fprintf(os.Stderr, "%v\n", err)
 			}
 		}
-		return fmt.Errorf("inspecting object: %w", errs[0])
+		return errs[0]
 	}
 	return nil
 }

cmd/podman/machine/init.go

@@ -61,7 +61,7 @@ func init() {
 	flags.Uint64Var(
 		&initOpts.DiskSize,
 		diskSizeFlagName, cfg.ContainersConfDefaultsRO.Machine.DiskSize,
-		"Disk size in GB",
+		"Disk size in GiB",
 	)
 
 	_ = initCmd.RegisterFlagCompletionFunc(diskSizeFlagName, completion.AutocompleteNone)
@@ -70,7 +70,7 @@ func init() {
 	flags.Uint64VarP(
 		&initOpts.Memory,
 		memoryFlagName, "m", cfg.ContainersConfDefaultsRO.Machine.Memory,
-		"Memory in MB",
+		"Memory in MiB",
 	)
 	_ = initCmd.RegisterFlagCompletionFunc(memoryFlagName, completion.AutocompleteNone)
 

cmd/podman/machine/list.go

@@ -216,8 +216,8 @@ func toHumanFormat(vms []*machine.ListResponse) ([]*entities.ListReporter, error
 		response.Created = units.HumanDuration(time.Since(vm.CreatedAt)) + " ago"
 		response.VMType = vm.VMType
 		response.CPUs = vm.CPUs
-		response.Memory = units.HumanSize(float64(vm.Memory))
-		response.DiskSize = units.HumanSize(float64(vm.DiskSize))
+		response.Memory = units.BytesSize(float64(vm.Memory))
+		response.DiskSize = units.BytesSize(float64(vm.DiskSize))
 
 		humanResponses = append(humanResponses, response)
 	}

cmd/podman/machine/set.go

@@ -61,7 +61,7 @@ func init() {
 	flags.Uint64Var(
 		&setFlags.DiskSize,
 		diskSizeFlagName, 0,
-		"Disk size in GB",
+		"Disk size in GiB",
 	)
 
 	_ = setCmd.RegisterFlagCompletionFunc(diskSizeFlagName, completion.AutocompleteNone)
@@ -70,7 +70,7 @@ func init() {
 	flags.Uint64VarP(
 		&setFlags.Memory,
 		memoryFlagName, "m", 0,
-		"Memory in MB",
+		"Memory in MiB",
 	)
 	_ = setCmd.RegisterFlagCompletionFunc(memoryFlagName, completion.AutocompleteNone)
 

cmd/podman/manifest/inspect.go

@@ -3,6 +3,8 @@ package manifest
 import (
 	"fmt"
 
+	"github.com/containers/common/pkg/auth"
+	"github.com/containers/common/pkg/completion"
 	"github.com/containers/image/v5/types"
 	"github.com/containers/podman/v4/cmd/podman/common"
 	"github.com/containers/podman/v4/cmd/podman/registry"
@@ -11,8 +13,9 @@ import (
 )
 
 var (
-	tlsVerifyCLI bool
-	inspectCmd   = &cobra.Command{
+	inspectOptions entities.ManifestInspectOptions
+	tlsVerifyCLI   bool
+	inspectCmd     = &cobra.Command{
 		Use:               "inspect [options] IMAGE",
 		Short:             "Display the contents of a manifest list or image index",
 		Long:              "Display the contents of a manifest list or image index.",
@@ -30,6 +33,9 @@ func init() {
 	})
 	flags := inspectCmd.Flags()
 
+	authfileFlagName := "authfile"
+	flags.StringVar(&inspectOptions.Authfile, authfileFlagName, auth.GetDefaultAuthFile(), "path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override")
+	_ = inspectCmd.RegisterFlagCompletionFunc(authfileFlagName, completion.AutocompleteDefault)
 	flags.BoolP("verbose", "v", false, "Added for Docker compatibility")
 	_ = flags.MarkHidden("verbose")
 	flags.BoolVar(&tlsVerifyCLI, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry")
@@ -38,14 +44,13 @@ func init() {
 }
 
 func inspect(cmd *cobra.Command, args []string) error {
-	opts := entities.ManifestInspectOptions{}
 	if cmd.Flags().Changed("tls-verify") {
-		opts.SkipTLSVerify = types.NewOptionalBool(!tlsVerifyCLI)
+		inspectOptions.SkipTLSVerify = types.NewOptionalBool(!tlsVerifyCLI)
 	} else if cmd.Flags().Changed("insecure") {
 		insecure, _ := cmd.Flags().GetBool("insecure")
-		opts.SkipTLSVerify = types.NewOptionalBool(insecure)
+		inspectOptions.SkipTLSVerify = types.NewOptionalBool(insecure)
 	}
-	buf, err := registry.ImageEngine().ManifestInspect(registry.Context(), args[0], opts)
+	buf, err := registry.ImageEngine().ManifestInspect(registry.Context(), args[0], inspectOptions)
 	if err != nil {
 		return err
 	}

cmd/podman/syslog_common.go

@@ -4,9 +4,7 @@
 package main
 
 import (
-	"fmt"
 	"log/syslog"
-	"os"
 
 	"github.com/sirupsen/logrus"
 	logrusSyslog "github.com/sirupsen/logrus/hooks/syslog"
@@ -19,10 +17,8 @@ func syslogHook() {
 
 	hook, err := logrusSyslog.NewSyslogHook("", "", syslog.LOG_INFO, "")
 	if err != nil {
-		fmt.Fprint(os.Stderr, "Failed to initialize syslog hook: "+err.Error())
-		os.Exit(1)
-	}
-	if err == nil {
+		logrus.Debug("Failed to initialize syslog hook: " + err.Error())
+	} else {
 		logrus.AddHook(hook)
 	}
 }

docs/kubernetes_support.md

@@ -52,18 +52,18 @@ Note: **N/A** means that the option cannot be supported in a single-node Podman
 | shareProcessNamespace                               | ✅      |
 | serviceAccountName                                  | no      |
 | automountServiceAccountToken                        | no      |
-| securityContext\.runAsUser                          | no      |
+| securityContext\.runAsUser                          | ✅      |
 | securityContext\.runAsNonRoot                       | no      |
-| securityContext\.runAsGroup                         | no      |
-| securityContext\.supplementalGroups                 | no      |
+| securityContext\.runAsGroup                         | ✅      |
+| securityContext\.supplementalGroups                 | ✅      |
 | securityContext\.fsGroup                            | no      |
 | securityContext\.fsGroupChangePolicy                | no      |
 | securityContext\.seccompProfile\.type               | no      |
 | securityContext\.seccompProfile\.localhostProfile   | no      |
-| securityContext\.seLinuxOptions\.level              | no      |
-| securityContext\.seLinuxOptions\.role               | no      |
-| securityContext\.seLinuxOptions\.type               | no      |
-| securityContext\.seLinuxOptions\.user               | no      |
+| securityContext\.seLinuxOptions\.level              | ✅      |
+| securityContext\.seLinuxOptions\.role               | ✅      |
+| securityContext\.seLinuxOptions\.type               | ✅      |
+| securityContext\.seLinuxOptions\.user               | ✅      |
 | securityContext\.sysctls\.name                      | no      |
 | securityContext\.sysctls\.value                     | no      |
 | securityContext\.windowsOptions\.gmsaCredentialSpec | no      |

docs/source/markdown/options/authfile.md

@@ -1,5 +1,5 @@
 ####> This option file is used in:
-####>   podman auto update, build, container runlabel, create, image sign, kube play, login, logout, manifest add, manifest push, pull, push, run, search
+####>   podman auto update, build, container runlabel, create, image sign, kube play, login, logout, manifest add, manifest inspect, manifest push, pull, push, run, search
 ####> If file is edited, make sure the changes
 ####> are applicable to all of those.
 #### **--authfile**=*path*

docs/source/markdown/options/tls-verify.md

@@ -1,5 +1,5 @@
 ####> This option file is used in:
-####>   podman build, container runlabel, create, kube play, login, manifest add, manifest create, manifest inspect, manifest push, pull, push, run, search
+####>   podman auto update, build, container runlabel, create, kube play, login, manifest add, manifest create, manifest inspect, manifest push, pull, push, run, search
 ####> If file is edited, make sure the changes
 ####> are applicable to all of those.
 #### **--tls-verify**

docs/source/markdown/options/uidmap.container.md

@@ -9,7 +9,7 @@ option conflicts with the **--userns** and **--subuidname** options. This
 option provides a way to map host UIDs to container UIDs. It can be passed
 several times to map different ranges.
 
-The _from_uid_ value is based upon the user running the command, either rootful or rootless users.
+The *from_uid* value is based upon the user running the command, either rootful or rootless users.
 * rootful user:  *container_uid*:*host_uid*:*amount*
 * rootless user: *container_uid*:*intermediate_uid*:*amount*
 
@@ -23,13 +23,13 @@ If for example _amount_ is **4** the mapping looks like:
 
 |   host UID     |    container UID    |
 | ----------     | ----------------    |
-| _from_uid_     | _container_uid_     |
-| _from_uid_ + 1 | _container_uid_ + 1 |
-| _from_uid_ + 2 | _container_uid_ + 2 |
-| _from_uid_ + 3 | _container_uid_ + 3 |
+| *from_uid*     | *container_uid*     |
+| *from_uid* + 1 | *container_uid* + 1 |
+| *from_uid* + 2 | *container_uid* + 2 |
+| *from_uid* + 3 | *container_uid* + 3 |
 
 When **podman <<subcommand>>** is called by an unprivileged user (i.e. running rootless),
-the value _from_uid_ is interpreted as an "intermediate UID". In the rootless
+the value *from_uid* is interpreted as an "intermediate UID". In the rootless
 case, host UIDs are not mapped directly to container UIDs. Instead the mapping
 happens over two mapping steps:
 
@@ -59,11 +59,11 @@ If for example _amount_ is **5** the second mapping step looks like:
 
 |   intermediate UID   |    container UID    |
 | ------------------   | ----------------    |
-| _from_uid_           | _container_uid_     |
-| _from_uid_ + 1       | _container_uid_ + 1 |
-| _from_uid_ + 2       | _container_uid_ + 2 |
-| _from_uid_ + 3       | _container_uid_ + 3 |
-| _from_uid_ + 4       | _container_uid_ + 4 |
+| *from_uid*           | *container_uid*     |
+| *from_uid* + 1       | *container_uid* + 1 |
+| *from_uid* + 2       | *container_uid* + 2 |
+| *from_uid* + 3       | *container_uid* + 3 |
+| *from_uid* + 4       | *container_uid* + 4 |
 
 When running as rootless, Podman uses all the ranges configured in the _/etc/subuid_ file.
 

docs/source/markdown/podman-auto-update.1.md.in

@@ -79,6 +79,7 @@ Please note that detecting if a systemd unit has failed is best done by the cont
 
 For a container to send the READY message via SDNOTIFY it must be created with the `--sdnotify=container` option (see podman-run(1)).  The application running inside the container can then execute `systemd-notify --ready` when ready or use the sdnotify bindings of the specific programming language (e.g., sd_notify(3)).
 
+@@option tls-verify
 
 ## EXAMPLES
 Autoupdate with registry policy

docs/source/markdown/podman-machine-init.1.md.in

@@ -36,7 +36,7 @@ Number of CPUs.
 
 #### **--disk-size**=*number*
 
-Size of the disk for the guest VM in GB.
+Size of the disk for the guest VM in GiB.
 
 #### **--help**
 
@@ -57,7 +57,7 @@ Defaults to `testing`.
 
 #### **--memory**, **-m**=*number*
 
-Memory (in MB).
+Memory (in MiB). Note: 1024MiB = 1GiB.
 
 #### **--now**
 

docs/source/markdown/podman-manifest-inspect.1.md.in

@@ -15,6 +15,8 @@ A formatted JSON representation of the manifest list or image index.
 
 ## OPTIONS
 
+@@option authfile
+
 @@option tls-verify
 
 ## EXAMPLES