Merge pull request containers#12274 from mheon/bump_342

Bump to v3.4.2

Makefile

@@ -59,10 +59,11 @@ PKG_MANAGER ?= $(shell command -v dnf yum|head -n1)
 PRE_COMMIT = $(shell command -v bin/venv/bin/pre-commit ~/.local/bin/pre-commit pre-commit | head -n1)
 
 # This isn't what we actually build; it's a superset, used for target
-# dependencies. Basically: all *.go files, except *_test.go, and except
-# anything in a dot subdirectory. If any of these files is newer than
-# our target (bin/podman{,-remote}), a rebuild is triggered.
-SOURCES = $(shell find . -path './.*' -prune -o \( -name '*.go' -a ! -name '*_test.go' \) -print)
+# dependencies. Basically: all *.go and *.c files, except *_test.go,
+# and except anything in a dot subdirectory. If any of these files is
+# newer than our target (bin/podman{,-remote}), a rebuild is
+# triggered.
+SOURCES = $(shell find . -path './.*' -prune -o \( \( -name '*.go' -o -name '*.c' \) -a ! -name '*_test.go' \) -print)
 
 BUILDFLAGS := -mod=vendor $(BUILDFLAGS)
 

RELEASE_NOTES.md

@@ -1,5 +1,24 @@
 # Release Notes
 
+## 3.4.2
+### Bugfixes
+- Fixed a bug where `podman tag` could not tag manifest lists ([#12046](https://github.com/containers/podman/issues/12046)).
+- Fixed a bug where built-in volumes specified by images would not be created correctly under some circumstances.
+- Fixed a bug where, when using Podman Machine on OS X, containers in pods did not have working port forwarding from the host ([#12207](https://github.com/containers/podman/issues/12207)).
+- Fixed a bug where the `podman network reload` command command on containers using the `slirp4netns` network mode and the `rootlessport` port forwarding driver would make an unnecessary attempt to restart `rootlessport` on containers that did not forward ports.
+- Fixed a bug where the `podman generate kube` command would generate YAML including some unnecessary (set to default) fields (e.g. empty SELinux and DNS configuration blocks, and the `privileged` flag when set to false) ([#11995](https://github.com/containers/podman/issues/11995)).
+- Fixed a bug where the `podman pod rm` command could, if interrupted at the right moment, leave a reference to an already-removed infra container behind ([#12034](https://github.com/containers/podman/issues/12034)).
+- Fixed a bug where the `podman pod rm` command would not remove pods with more than one container if all containers save for the infra container were stopped unless `--force` was specified ([#11713](https://github.com/containers/podman/issues/11713)).
+- Fixed a bug where the `--memory` flag to `podman run` and `podman create` did not accept a limit of 0 (which should specify unlimited memory) ([#12002](https://github.com/containers/podman/issues/12002)).
+- Fixed a bug where the remote Podman client's `podman build` command could attempt to build a Dockerfile in the working directory of the `podman system service` instance instead of the Dockerfile specified by the user ([#12054](https://github.com/containers/podman/issues/12054)).
+- Fixed a bug where the `podman logs --tail` command could function improperly (printing more output than requested) when the `journald` log driver was used.
+- Fixed a bug where containers run using the `slirp4netns` network mode with IPv6 enabled would not have IPv6 connectivity until several seconds after they started ([#11062](https://github.com/containers/podman/issues/11062)).
+- Fixed a bug where some Podman commands could cause an extra `dbus-daemon` process to be created ([#9727](https://github.com/containers/podman/issues/9727)).
+- Fixed a bug where rootless Podman would sometimes print warnings about a failure to move the pause process into a given CGroup ([#12065](https://github.com/containers/podman/issues/12065)).
+- Fixed a bug where the `checkpointed` field in `podman inspect` on a container was not set to false after a container was restored.
+- Fixed a bug where the `podman system service` command would print overly-verbose logs about request IDs ([#12181](https://github.com/containers/podman/issues/12181)).
+- Fixed a bug where Podman could, when creating a new container without a name explicitly specified by the user, sometimes use an auto-generated name already in use by another container if multiple containers were being created in parallel ([#11735](https://github.com/containers/podman/issues/11735)).
+
 ## 3.4.1
 ### Bugfixes
 - Fixed a bug where `podman machine init` could, under some circumstances, create invalid machine configurations which could not be started ([#11824](https://github.com/containers/podman/issues/11824)).
@@ -133,7 +152,7 @@
 ### Features
 - Containers inside VMs created by `podman machine` will now automatically handle port forwarding - containers in `podman machine` VMs that publish ports via `--publish` or `--publish-all` will have these ports not just forwarded on the VM, but also on the host system.
 - The `podman play kube` command's `--network` option now accepts advanced network options (e.g. `--network slirp4netns:port_handler=slirp4netns`) ([#10807](https://github.com/containers/podman/issues/10807)).
-- The `podman play kube` commmand now supports Kubernetes liveness probes, which will be created as Podman healthchecks.
+- The `podman play kube` command now supports Kubernetes liveness probes, which will be created as Podman healthchecks.
 - Podman now provides a systemd unit, `podman-restart.service`, which, when enabled, will restart all containers that were started with `--restart=always` after the system reboots.
 - Rootless Podman can now be configured to use CNI networking by default by using the `rootless_networking` option in `containers.conf`.
 - Images can now be pulled using `image:tag@digest` syntax (e.g. `podman pull fedora:34@sha256:1b0d4ddd99b1a8c8a80e885aafe6034c95f266da44ead992aab388e6aa91611a`) ([#6721](https://github.com/containers/podman/issues/6721)).
@@ -389,7 +408,7 @@
 - Fixed a bug where images with empty layers were stored incorrectly, causing them to be unable to be pushed or saved.
 - Fixed a bug where the `podman rmi` command could fail to remove corrupt images from storage.
 - Fixed a bug where the remote Podman client's `podman save` command did not support the `oci-dir` and `docker-dir` formats ([#9742](https://github.com/containers/podman/issues/9742)).
-- Fixed a bug where volume mounts from `podman play kube` created with a trailing `/` in the container path were were not properly superceding named volumes from the image ([#9618](https://github.com/containers/podman/issues/9618)).
+- Fixed a bug where volume mounts from `podman play kube` created with a trailing `/` in the container path were were not properly superseding named volumes from the image ([#9618](https://github.com/containers/podman/issues/9618)).
 - Fixed a bug where Podman could fail to build on 32-bit architectures.
 
 ### Misc
@@ -1034,7 +1053,7 @@
 ## 2.0.5
 ### Features
 - Rootless Podman will now add an entry to `/etc/passwd` for the user who ran Podman if run with `--userns=keep-id`.
-- The `podman system connection` command has been reworked to support multiple connections, and reenabled for use!
+- The `podman system connection` command has been reworked to support multiple connections, and re-enabled for use!
 - Podman now has a new global flag, `--connection`, to specify a connection to a remote Podman API instance.
 
 ### Changes

cmd/podman/common/create.go

@@ -426,7 +426,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		createFlags.StringVar(
 			&cf.Variant,
 			variantFlagName, "",
-			"Use _VARIANT_ instead of the running architecture variant for choosing images",
+			"Use `VARIANT` instead of the running architecture variant for choosing images",
 		)
 		_ = cmd.RegisterFlagCompletionFunc(variantFlagName, completion.AutocompleteNone)
 

cmd/podman/containers/start.go

@@ -87,6 +87,9 @@ func validateStart(cmd *cobra.Command, args []string) error {
 	if len(args) == 0 && !startOptions.Latest && !startOptions.All {
 		return errors.New("start requires at least one argument")
 	}
+	if startOptions.All && startOptions.Latest {
+		return errors.Errorf("--all and --latest cannot be used together")
+	}
 	if len(args) > 0 && startOptions.Latest {
 		return errors.Errorf("--latest and containers cannot be used together")
 	}

cmd/podman/images/pull.go

@@ -92,7 +92,7 @@ func pullFlags(cmd *cobra.Command) {
 	_ = cmd.RegisterFlagCompletionFunc(osFlagName, completion.AutocompleteOS)
 
 	variantFlagName := "variant"
-	flags.StringVar(&pullOptions.Variant, variantFlagName, "", " use VARIANT instead of the running architecture variant for choosing images")
+	flags.StringVar(&pullOptions.Variant, variantFlagName, "", "Use VARIANT instead of the running architecture variant for choosing images")
 	_ = cmd.RegisterFlagCompletionFunc(variantFlagName, completion.AutocompleteNone)
 
 	platformFlagName := "platform"

cmd/podman/images/scp.go

@@ -185,7 +185,7 @@ func saveToRemote(image, localFile string, tag string, uri *urlP.URL, iden strin
 		return errors.Wrapf(define.ErrInvalidArg, "Renaming of an image is currently not supported")
 	}
 	podman := os.Args[0]
-	run := podman + " image save " + image + " --format=oci-archive --output=" + remoteFile // run ssh image load of the file copied via scp. Files are reverse in thie case...
+	run := podman + " image save " + image + " --format=oci-archive --output=" + remoteFile // run ssh image load of the file copied via scp. Files are reverse in this case...
 	_, err = connection.ExecRemoteCommand(dial, run)
 	if err != nil {
 		return nil

cmd/podman/system/version.go

@@ -20,7 +20,7 @@ var (
 	versionCommand = &cobra.Command{
 		Use:               "version [options]",
 		Args:              validate.NoArgs,
-		Short:             "Display the Podman Version Information",
+		Short:             "Display the Podman version information",
 		RunE:              version,
 		ValidArgsFunction: completion.AutocompleteNone,
 	}

contrib/cirrus/lib.sh

@@ -143,6 +143,8 @@ setup_rootless() {
     local rootless_uid
     local rootless_gid
     local env_var_val
+    local akfilepath
+    local sshcmd
 
     # Only do this once; established by setup_environment.sh
     # shellcheck disable=SC2154
@@ -169,24 +171,25 @@ setup_rootless() {
         ssh-keygen -P "" -f "$HOME/.ssh/id_rsa"
 
     msg "Allowing ssh key for $ROOTLESS_USER"
+    akfilepath="/home/$ROOTLESS_USER/.ssh/authorized_keys"
     (umask 077 && mkdir "/home/$ROOTLESS_USER/.ssh")
     chown -R $ROOTLESS_USER:$ROOTLESS_USER "/home/$ROOTLESS_USER/.ssh"
     install -o $ROOTLESS_USER -g $ROOTLESS_USER -m 0600 \
-        "$HOME/.ssh/id_rsa.pub" "/home/$ROOTLESS_USER/.ssh/authorized_keys"
+        "$HOME/.ssh/id_rsa.pub" "$akfilepath"
     # Makes debugging easier
-    cat /root/.ssh/authorized_keys >> "/home/$ROOTLESS_USER/.ssh/authorized_keys"
-
-    msg "Configuring subuid and subgid"
-    grep -q "${ROOTLESS_USER}" /etc/subuid || \
-        echo "${ROOTLESS_USER}:$[rootless_uid * 100]:65536" | \
-            tee -a /etc/subuid >> /etc/subgid
+    cat /root/.ssh/authorized_keys >> "$akfilepath"
 
     msg "Ensure the ssh daemon is up and running within 5 minutes"
     systemctl start sshd
-    lilto ssh $ROOTLESS_USER@localhost \
-           -o UserKnownHostsFile=/dev/null \
-           -o StrictHostKeyChecking=no \
-           -o CheckHostIP=no true
+    sshcmd="ssh $ROOTLESS_USER@localhost
+           -o UserKnownHostsFile=/dev/null
+           -o StrictHostKeyChecking=no
+           -o CheckHostIP=no"
+    lilto $sshcmd true  # retry until sshd is up
+
+    msg "Configuring rootless user self-access to ssh to localhost"
+    $sshcmd ssh-keygen -P '""' -f "/home/$ROOTLESS_USER/.ssh/id_rsa"
+    cat "/home/$ROOTLESS_USER/.ssh/id_rsa" >> "$akfilepath"
 }
 
 install_test_configs() {

contrib/cirrus/pr-should-include-tests

@@ -12,9 +12,6 @@ fi
 if [[ "${CIRRUS_CHANGE_MESSAGE}" =~ NO.NEW.TESTS.NEEDED ]]; then
     exit 0
 fi
-if [[ "${CIRRUS_CHANGE_MESSAGE}" =~ NO.TESTS.NEEDED ]]; then
-    exit 0
-fi
 
 # HEAD should be good enough, but the CIRRUS envariable allows us to test
 head=${CIRRUS_CHANGE_IN_REPO:-HEAD}
@@ -52,14 +49,11 @@ if [[ -z "$filtered_changes" ]]; then
     exit 0
 fi
 
-# One last chance: perhaps the developer included the magic '[NO (NEW) TESTS NEEDED]'
+# One last chance: perhaps the developer included the magic '[NO NEW TESTS NEEDED]'
 # string in an amended commit.
 if git log --format=%B ${base}..${head} | fgrep '[NO NEW TESTS NEEDED]'; then
    exit 0
 fi
-if git log --format=%B ${base}..${head} | fgrep '[NO TESTS NEEDED]'; then
-   exit 0
-fi
 
 cat <<EOF
 $(basename $0): PR does not include changes in the 'tests' directory

contrib/podmanimage/stable/Dockerfile

@@ -19,14 +19,15 @@ RUN useradd podman; \
 echo podman:10000:5000 > /etc/subuid; \
 echo podman:10000:5000 > /etc/subgid;
 
-VOLUME /var/lib/containers
-VOLUME /home/podman/.local/share/containers
-RUN mkdir -p /home/podman/.local/share/containers
+RUN mkdir -p /home/podman/.local/share/containers; chown podman:podman -R /home/podman
 
 ADD https://raw.githubusercontent.com/containers/libpod/master/contrib/podmanimage/stable/containers.conf /etc/containers/containers.conf
 ADD https://raw.githubusercontent.com/containers/libpod/master/contrib/podmanimage/stable/podman-containers.conf /home/podman/.config/containers/containers.conf
 
-RUN chown podman:podman -R /home/podman
+# Note VOLUME options must always happen after the chown call above
+# RUN commands can not modify existing volumes
+VOLUME /var/lib/containers
+VOLUME /home/podman/.local/share/containers
 
 # chmod containers.conf and adjust storage.conf to enable Fuse storage.
 RUN chmod 644 /etc/containers/containers.conf; sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf

contrib/podmanimage/testing/Dockerfile

@@ -19,14 +19,15 @@ RUN useradd podman; \
 echo podman:10000:5000 > /etc/subuid; \
 echo podman:10000:5000 > /etc/subgid;
 
-VOLUME /var/lib/containers
-VOLUME /home/podman/.local/share/containers
-RUN mkdir -p /home/podman/.local/share/containers
+RUN mkdir -p /home/podman/.local/share/containers; chown podman:podman -R /home/podman
 
 ADD https://raw.githubusercontent.com/containers/libpod/master/contrib/podmanimage/stable/containers.conf /etc/containers/containers.conf
 ADD https://raw.githubusercontent.com/containers/libpod/master/contrib/podmanimage/stable/podman-containers.conf /home/podman/.config/containers/containers.conf
 
-RUN chown podman:podman -R /home/podman
+# Note VOLUME options must always happen after the chown call above
+# RUN commands can not modify existing volumes
+VOLUME /var/lib/containers
+VOLUME /home/podman/.local/share/containers
 
 # chmod containers.conf and adjust storage.conf to enable Fuse storage.
 RUN chmod 644 /etc/containers/containers.conf; sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf

contrib/podmanimage/upstream/Dockerfile

@@ -68,14 +68,15 @@ RUN useradd podman; \
 echo podman:10000:5000 > /etc/subuid; \
 echo podman:10000:5000 > /etc/subgid;
 
-VOLUME /var/lib/containers
-VOLUME /home/podman/.local/share/containers
-RUN mkdir -p /home/podman/.local/share/containers
+RUN mkdir -p /home/podman/.local/share/containers; chown podman:podman -R /home/podman
 
 ADD https://raw.githubusercontent.com/containers/libpod/master/contrib/podmanimage/stable/containers.conf /etc/containers/containers.conf
 ADD https://raw.githubusercontent.com/containers/libpod/master/contrib/podmanimage/stable/podman-containers.conf /home/podman/.config/containers/containers.conf
 
-RUN chown podman:podman -R /home/podman
+# Note VOLUME options must always happen after the chown call above
+# RUN commands can not modify existing volumes
+VOLUME /var/lib/containers
+VOLUME /home/podman/.local/share/containers
 
 # chmod containers.conf and adjust storage.conf to enable Fuse storage.
 RUN chmod 644 /etc/containers/containers.conf; sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf

contrib/spec/podman.spec.in

@@ -36,7 +36,7 @@ Epoch: 99
 %else
 Epoch: 0
 %endif
-Version: 3.4.2
+Version: 3.4.3
 Release: #COMMITDATE#.git%{shortcommit0}%{?dist}
 Summary: Manage Pods, Containers and Container Images
 License: ASL 2.0

contrib/systemd/system/podman-restart.service

@@ -5,8 +5,9 @@ StartLimitIntervalSec=0
 
 [Service]
 Type=oneshot
+RemainAfterExit=true
 Environment=LOGGING="--log-level=info"
 ExecStart=/usr/bin/podman $LOGGING start --all --filter restart-policy=always
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target default.target

docs/source/markdown/podman-build.1.md

@@ -631,7 +631,7 @@ Sets the configuration for user namespaces when handling `RUN` instructions.
 The configured value can be "" (the empty string) or "container" to indicate
 that a new user namespace should be created, it can be "host" to indicate that
 the user namespace in which `podman` itself is being run should be reused, or
-it can be the path to an user namespace which is already in use by another
+it can be the path to a user namespace which is already in use by another
 process.
 
 #### **--userns-uid-map**=*mapping*
@@ -774,6 +774,14 @@ content label. Shared volume labels allow all containers to read/write content.
 The `Z` option tells Podman to label the content with a private unshared label.
 Only the current container can use a private volume.
 
+Note: Do not relabel system files and directories. Relabeling system content
+might cause other confined services on your machine to fail.  For these types
+of containers, disabling SELinux separation is recommended.  The option
+`--security-opt label=disable` disables SELinux separation for the container.
+For example, if a user wanted to volume mount their entire home directory into the build containers, they need to disable SELinux separation.
+
+	   $ podman build --security-opt label=disable -v $HOME:/home/user .
+
   `Overlay Volume Mounts`
 
    The `:O` flag tells Podman to mount the directory from the host as a

docs/source/markdown/podman-completion.1.md

@@ -40,7 +40,7 @@ Shell completion needs to be already enabled in the environment. The following c
 **echo "autoload -U compinit; compinit" >> ~/.zshrc**
 
 To make it available for all zsh sessions run:\
-**podman completion -f "${fpath[1]}/_podman zsh"**
+**podman completion -f "${fpath[1]}/_podman" zsh**
 
 Once the shell is reloaded the auto-completion should be working.
 

docs/source/markdown/podman-create.1.md

@@ -1231,6 +1231,15 @@ content label. Shared volume labels allow all containers to read/write content.
 The `Z` option tells Podman to label the content with a private unshared label.
 Only the current container can use a private volume.
 
+Note: Do not relabel system files and directories. Relabeling system content
+might cause other confined services on your machine to fail.  For these types
+of containers we recommend that disable SELinux separation.  The option
+`--security-opt label=disable` disables SELinux separation for containers used in the build.
+For example if a user wanted to volume mount their entire home directory into a
+container, they need to disable SELinux separation.
+
+	   $ podman create --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
+
   `Overlay Volume Mounts`
 
    The `:O` flag tells Podman to mount the directory from the host as a
@@ -1453,7 +1462,7 @@ Note: RHEL7 and Centos 7 will not have this feature until RHEL7.7 is released.
 In order for users to run rootless, there must be an entry for their username in /etc/subuid and /etc/subgid which lists the UIDs for their user namespace.
 
 Rootless Podman works better if the fuse-overlayfs and slirp4netns packages are installed.
-The fuse-overlay package provides a userspace overlay storage driver, otherwise users need to use
+The fuse-overlayfs package provides a userspace overlay storage driver, otherwise users need to use
 the vfs storage driver, which is diskspace expensive and does not perform well. slirp4netns is
 required for VPN, without it containers need to be run with the --network=host flag.