update some URLs
The origin repository renamed its "master" branch to "main", so we need
to update our references to items in that branch.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Executing a golang cross-compile on an expensive resource such as a Mac
has questionable overall value. Switch to running on a default Fedora
VM instead.
Signed-off-by: Chris Evich <cevich@redhat.com>
Addresses CVE-2024-1753 which allowed a user to write files to the
`/` directory of the host machine if selinux was not enabled.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
When analyzing a layer blob's contents, don't break if the blob has more
zeroes padding it out even after the tar reader thinks it's hit the end
of the archive.
Add more detail to the diagnostic error we print when there's a digest
or length mismatch, too, in case it's triggered by something other than
zero padding.
Don't ignore errors which might be encountered when we try to use skopeo
to copy an image to a directory.
(cevich cherry-picked from b2504c2636)
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Chris Evich <cevich@redhat.com>
Unfortunately maintenance CI was not enabled on this branch, resulting
in the CI VM images being pruned and irrecoverably purged. Restore
CI by substituting similar images. These images aren't a perfect match,
but they are already marked for permanent retention.
Signed-off-by: Chris Evich <cevich@redhat.com>
This mimics #5111 but without the vendor update, which is very
large on this branch.
[NO NEW TESTS NEEDED] This cannot be tested in CI as cloud
providers already don't provide these interfaces in their VMs.
Signed-off-by: Matt Heon <mheon@redhat.com>
Pay better attention to dev/nodev/exec/noexec/suid/nosuid/ro/rw flags on
bind, overlay, and tmpfs mounts when any of them are specified. Stop
quietly adding "nodev" when it isn't asked for.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
These jobs have been failing since early August due to
technical/scripting problems. Disable/remove entirely since a fix is
unlikely to be implemented anytime soon.
Ref: Abandoned recent attempt at debugging
https://github.com/containers/podman/pull/19720
Signed-off-by: Chris Evich <cevich@redhat.com>
With this pkg/parse does not depend on libimage.
[NO NEW TESTS NEEDED]
Based on Miloslav's work: https://github.com/containers/podman/pull/19718
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
internal/parse does not need to depend on libimage.
This allows for a smaller podman remote client.
Based on Miloslav's work: https://github.com/containers/podman/pull/19718
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This allows podman to import the copier package on the remote client
without needing the full libimage package.
Based on Miloslav's work: https://github.com/containers/podman/pull/19718
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add docs for the new --cw option recognized by both `commit` and
`build`, and the new `mkcw` command.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a --cw option to `buildah build` and `buildah commit`, which takes a
comma-separated list of arguments and produces an image laid out for use
as a confidential workload:
type: sev or snp
attestation_url: location of a key broker server
cpus: expected number of virtual CPUs to run with
memory: expected megabytes of memory to run with
workload_id: a distinguishing identifier for the key broker server
ignore_attestation_errors: ignore errors registering the workload
passphrase: for encrypting the disk image
slop: extra space to allocate for the disk image
At least one of attestation_url and passphrase must be specified in
order for the encrypted disk image to be decryptable at run-time. Other
arguments can be omitted. ignore_attestation_errors is intentionally
undocumented, as it's mainly used to permit some amount of testing on
systems which don't have the required hardware.
Add an `mkcw` top-level command, for converting directly from an image
to a confidential workload.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When we read TMPDIR and SSH_AUTH_SOCK from the environment, convert them
to absolute paths before using them. Call auth.GetDefaultAuthFile()
instead of reading REGISTRY_AUTH_FILE.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Don't try to look up an image by name when we're committing an image,
because we don't want to accidentally take advantage of any fuzzy
matching that libimage might start doing. Instead, just use the
normalization call.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
openshift-merge-bot[bot]
Nalin Dahyabhai
Chris Evich
tomsweeneyredhat
Lokesh Mandvekar
openshift-ci[bot]
Matt Heon
OpenShift Merge Robot
Daniel J Walsh
renovate[bot]
Paul Holzinger