Merge pull request #26789 from mheon/560_rc2_backports

Backports for Podman v5.6.0-RC2

Author: openshift-merge-bot[bot]

RELEASE_NOTES.md

@@ -11,6 +11,7 @@
 - The `--mount` option to `podman create` and `podman run` now supports `dest=` as a valid alias for `destination=`.
 - The `podman kube play` command can now restrict container execution to specific CPU cores and specific memory nodes using the `io.podman.annotations.cpuset/$ctrname` and `io.podman.annotations.memory-nodes/$ctrname` annotations ([#26172](https://github.com/containers/podman/issues/26172)).
 - The `podman kube play` command now supports the `lifecycle.stopSignal` field in Pod YAML, allowing the signal used to stop containers to be specified ([#25389](https://github.com/containers/podman/issues/25389)).
+- The `podman artifact` suite of commands for interacting with OCI artifacts is now available in the remote Podman client and the bindings for the REST API.
 - The `podman volume import` and `podman volume export` commands are now available in the remote Podman client ([#26049](https://github.com/containers/podman/issues/26409)).
 - The `--build-context` option to `podman build` is now supported by the remote Podman client ([#23433](https://github.com/containers/podman/issues/23433)).
 - The `podman volume create` command now accepts two new options, `--uid` and `--gid`, to set the UID and GID the volume will be created with.
@@ -22,6 +23,7 @@
 - A new command, `podman buildx inspect`, has been added to improve Docker compatibility ([#13014](https://github.com/containers/podman/issues/13014)).
 
 ### Changes
+- The `podman artifact` suite of commands for interacting with OCI artifacts is now considered stable.
 - For users running `podman machine` VMs using the `libkrun` provider on an M3 or newer host running macOS 15+, nested virtualization is enabled by default.
 - When creating `podman machine` VMs on Windows using the WSL v2 provider, images are now pulled as artifacts from `quay.io/podman/machine-os`, matching the behavior of other VM providers.
 - Signal forwarding done by the `--sig-proxy` option to `podman run` and `podman attach` is now more robust to races and no longer forwards the `SIGSTOP` signal.
@@ -58,7 +60,11 @@
 - A full set of API endpoints for interacting with artifacts has been added, including inspecting artifacts (`GET /libpod/artifacts/{name}/json`), listing all artifacts (`GET /libpod/artifacts/json`), pulling an artifact (`POST /libpod/artifacts/pull`), removing an artifact (`DELETE /libpod/artifacts/{name}`), adding an artifact (or appending to an existing artifact) from a tar file in the request body (`POST /libpod/artifacts/add`), pushing an artifact to a registry (`/libpod/artifacts/{name}/push`), and retrieving the contents of an artifact (`GET /libpod/artifacts/{name}/extract`).
 - The Compat Create endpoint for Containers now accepts a new parameter, `HostConfig.CgroupnsMode`, to specify the cgroup namespace mode of the created container.
 - The Compat Create endpoint for Containers now respects the `base_hosts_file` option in `containers.conf`.
-- The Compat Info endpoint now returns a new field, `DefaultAddressPools`.
+- The Compat System Info endpoint now returns a new field, `DefaultAddressPools`.
+- The Compat System DF endpoint has removed the deprecated `BuilderSize` field.
+- The Compat Ping endpoint now sets `Builder-Version` to `1` to match Docker installs that do not include BuildKit.
+- The Compat List endpoint for Images now returns the `shared-size` field unconditionally, even if the `shared-size` query parameter was not set to true. If not requested through query parameter, it is set to `-1`. This improves Docker API compatibility.
+- The Compat Inspect endpoint for Images now no longer returns the deprecated `VirtualSize` field when Docker API version 1.44 and up is requested.
 - Fixed a bug where the Compat Delete API for Containers would remove running containers when the `FORCE` parameter was set to true; Docker only removes stopped containers ([#25871](https://github.com/containers/podman/issues/25871)).
 - Fixed a bug where the Compat List and Compat Inspect endpoints for Containers returned container status using Podman statuses instead of converting to Docker-compatible statuses ([#17728](https://github.com/containers/podman/issues/17728)).
 - Fixed a bug where healthchecks that exceeded their timeout were not properly terminated; they now receive SIGTERM, then SIGKILL after a delay, if their timeout is exceeded ([#26086](https://github.com/containers/podman/pull/26086)).
@@ -67,10 +73,10 @@
 ### Misc
 - Quadlet now no longer uses container/pod ID files when stopping containers, but instead passes the name of the container/pod directly to `podman stop`/`podman pod stop`.
 - When building Podman via Makefile, it will now attempt to dynamically link sqlite3 if the library and header are installed locally. This and other optimizations should result in a significant reduction in binary size relative to Podman 5.5.x. Packagers can use the `libsqlite3` build tag to force this behavior when not using the Makefile to build.
-- Updated Buildah to v1.41.0
-- Updated the containers/common library to v0.64.0
-- Updated the containers/storage library to v1.59.0
-- Updated the containers/image library to v5.36.0
+- Updated Buildah to v1.41.1
+- Updated the containers/common library to v0.64.1
+- Updated the containers/storage library to v1.59.1
+- Updated the containers/image library to v5.36.1
 
 ## 5.5.2
 ### Security

cmd/podman/artifact/add.go

@@ -23,20 +23,17 @@ var (
 		Example: `podman artifact add quay.io/myimage/myartifact:latest /tmp/foobar.txt
 podman artifact add --file-type text/yaml quay.io/myimage/myartifact:latest /tmp/foobar.yaml
 podman artifact add --append quay.io/myimage/myartifact:latest /tmp/foobar.tar.gz`,
-		Annotations: map[string]string{registry.EngineMode: registry.ABIMode},
 	}
 )
 
-type artifactAddOptions struct {
-	ArtifactType string
-	Annotations  []string
-	Append       bool
-	FileType     string
+// AddOptionsWrapper wraps entities.ArtifactsAddOptions and prevents leaking
+// CLI-only fields into the API types.
+type AddOptionsWrapper struct {
+	entities.ArtifactAddOptions
+	AnnotationsCLI []string // CLI only
 }
 
-var (
-	addOpts artifactAddOptions
-)
+var addOpts AddOptionsWrapper
 
 func init() {
 	registry.Commands = append(registry.Commands, registry.CliCommand{
@@ -46,34 +43,36 @@ func init() {
 	flags := addCmd.Flags()
 
 	annotationFlagName := "annotation"
-	flags.StringArrayVar(&addOpts.Annotations, annotationFlagName, nil, "set an `annotation` for the specified files of artifact")
+	flags.StringArrayVar(&addOpts.AnnotationsCLI, annotationFlagName, nil, "set an `annotation` for the specified files of artifact")
 	_ = addCmd.RegisterFlagCompletionFunc(annotationFlagName, completion.AutocompleteNone)
 
-	addTypeFlagName := "type"
-	flags.StringVar(&addOpts.ArtifactType, addTypeFlagName, "", "Use type to describe an artifact")
-	_ = addCmd.RegisterFlagCompletionFunc(addTypeFlagName, completion.AutocompleteNone)
+	addMIMETypeFlagName := "type"
+	flags.StringVar(&addOpts.ArtifactMIMEType, addMIMETypeFlagName, "", "Use type to describe an artifact")
+	_ = addCmd.RegisterFlagCompletionFunc(addMIMETypeFlagName, completion.AutocompleteNone)
 
 	appendFlagName := "append"
 	flags.BoolVarP(&addOpts.Append, appendFlagName, "a", false, "Append files to an existing artifact")
 
-	fileTypeFlagName := "file-type"
-	flags.StringVarP(&addOpts.FileType, fileTypeFlagName, "", "", "Set file type to use for the artifact (layer)")
-	_ = addCmd.RegisterFlagCompletionFunc(fileTypeFlagName, completion.AutocompleteNone)
+	fileMIMETypeFlagName := "file-type"
+	flags.StringVarP(&addOpts.FileMIMEType, fileMIMETypeFlagName, "", "", "Set file type to use for the artifact (layer)")
+	_ = addCmd.RegisterFlagCompletionFunc(fileMIMETypeFlagName, completion.AutocompleteNone)
 }
 
 func add(cmd *cobra.Command, args []string) error {
 	artifactName := args[0]
 	blobs := args[1:]
-	opts := new(entities.ArtifactAddOptions)
 
-	annots, err := utils.ParseAnnotations(addOpts.Annotations)
+	annots, err := utils.ParseAnnotations(addOpts.AnnotationsCLI)
 	if err != nil {
 		return err
 	}
-	opts.Annotations = annots
-	opts.ArtifactType = addOpts.ArtifactType
-	opts.Append = addOpts.Append
-	opts.FileType = addOpts.FileType
+
+	opts := entities.ArtifactAddOptions{
+		Annotations:      annots,
+		ArtifactMIMEType: addOpts.ArtifactMIMEType,
+		Append:           addOpts.Append,
+		FileMIMEType:     addOpts.FileMIMEType,
+	}
 
 	artifactBlobs := make([]entities.ArtifactBlob, 0, len(blobs))
 

cmd/podman/artifact/artifact.go

@@ -6,16 +6,13 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var (
-	// Command: podman _artifact_
-	artifactCmd = &cobra.Command{
-		Use:         "artifact",
-		Short:       "Manage OCI artifacts",
-		Long:        "Manage OCI artifacts",
-		RunE:        validate.SubCommandExists,
-		Annotations: map[string]string{registry.EngineMode: registry.ABIMode},
-	}
-)
+// Command: podman _artifact_
+var artifactCmd = &cobra.Command{
+	Use:   "artifact",
+	Short: "Manage OCI artifacts",
+	Long:  "Manage OCI artifacts",
+	RunE:  validate.SubCommandExists,
+}
 
 func init() {
 	registry.Commands = append(registry.Commands, registry.CliCommand{

cmd/podman/artifact/extract.go

@@ -18,7 +18,6 @@ var (
 		ValidArgsFunction: common.AutocompleteArtifactAdd,
 		Example: `podman artifact Extract quay.io/myimage/myartifact:latest /tmp/foobar.txt
 podman artifact Extract quay.io/myimage/myartifact:latest /home/paul/mydir`,
-		Annotations: map[string]string{registry.EngineMode: registry.ABIMode},
 	}
 )
 
@@ -43,7 +42,7 @@ func init() {
 }
 
 func extract(cmd *cobra.Command, args []string) error {
-	err := registry.ImageEngine().ArtifactExtract(registry.Context(), args[0], args[1], &extractOpts)
+	err := registry.ImageEngine().ArtifactExtract(registry.Context(), args[0], args[1], extractOpts)
 	if err != nil {
 		return err
 	}

cmd/podman/artifact/inspect.go

@@ -17,7 +17,6 @@ var (
 		Args:              cobra.MinimumNArgs(1),
 		ValidArgsFunction: common.AutocompleteArtifacts,
 		Example:           `podman artifact inspect quay.io/myimage/myartifact:latest`,
-		Annotations:       map[string]string{registry.EngineMode: registry.ABIMode},
 	}
 )
 

cmd/podman/artifact/list.go

@@ -25,7 +25,6 @@ var (
 		Args:              validate.NoArgs,
 		ValidArgsFunction: completion.AutocompleteNone,
 		Example:           `podman artifact ls`,
-		Annotations:       map[string]string{registry.EngineMode: registry.ABIMode},
 	}
 	listFlag = listFlagType{}
 )

cmd/podman/artifact/pull.go

@@ -36,7 +36,6 @@ var (
 		Args:              cobra.ExactArgs(1),
 		ValidArgsFunction: common.AutocompleteArtifacts,
 		Example:           `podman artifact pull quay.io/myimage/myartifact:latest`,
-		Annotations:       map[string]string{registry.EngineMode: registry.ABIMode},
 	}
 )
 

cmd/podman/artifact/push.go

@@ -40,7 +40,6 @@ var (
 		Args:              cobra.ExactArgs(1),
 		ValidArgsFunction: common.AutocompleteArtifacts,
 		Example:           `podman artifact push quay.io/myimage/myartifact:latest`,
-		Annotations:       map[string]string{registry.EngineMode: registry.ABIMode},
 	}
 )
 

cmd/podman/artifact/rm.go

@@ -23,7 +23,6 @@ var (
 		ValidArgsFunction: common.AutocompleteArtifacts,
 		Example: `podman artifact rm quay.io/myimage/myartifact:latest
 podman artifact rm -a`,
-		Annotations: map[string]string{registry.EngineMode: registry.ABIMode},
 	}
 
 	rmOptions = entities.ArtifactRemoveOptions{}

pkg/api/handlers/compat/images.go

@@ -19,6 +19,7 @@ import (
 	"github.com/containers/podman/v5/libpod"
 	"github.com/containers/podman/v5/pkg/api/handlers"
 	"github.com/containers/podman/v5/pkg/api/handlers/utils"
+	"github.com/containers/podman/v5/pkg/api/handlers/utils/apiutil"
 	api "github.com/containers/podman/v5/pkg/api/types"
 	"github.com/containers/podman/v5/pkg/auth"
 	"github.com/containers/podman/v5/pkg/domain/entities"
@@ -340,15 +341,15 @@ func GetImage(w http.ResponseWriter, r *http.Request) {
 		utils.Error(w, http.StatusNotFound, fmt.Errorf("failed to find image %s: %s", name, errMsg))
 		return
 	}
-	inspect, err := imageDataToImageInspect(r.Context(), newImage)
+	inspect, err := imageDataToImageInspect(r.Context(), newImage, r)
 	if err != nil {
 		utils.Error(w, http.StatusInternalServerError, fmt.Errorf("failed to convert ImageData to ImageInspect '%s': %w", name, err))
 		return
 	}
 	utils.WriteResponse(w, http.StatusOK, inspect)
 }
 
-func imageDataToImageInspect(ctx context.Context, l *libimage.Image) (*handlers.ImageInspect, error) {
+func imageDataToImageInspect(ctx context.Context, l *libimage.Image, r *http.Request) (*handlers.ImageInspect, error) {
 	options := &libimage.InspectOptions{WithParent: true, WithSize: true}
 	info, err := l.Inspect(ctx, options)
 	if err != nil {
@@ -407,18 +408,24 @@ func imageDataToImageInspect(ctx context.Context, l *libimage.Image) (*handlers.
 		RootFS:          rootfs,
 		Size:            info.Size,
 		Variant:         "",
-		VirtualSize:     info.VirtualSize,
 	}
+
+	if _, err := apiutil.SupportedVersion(r, "<1.44.0"); err == nil {
+		//nolint:staticcheck // Deprecated field
+		dockerImageInspect.VirtualSize = info.VirtualSize
+	}
+
 	return &handlers.ImageInspect{InspectResponse: dockerImageInspect}, nil
 }
 
 func GetImages(w http.ResponseWriter, r *http.Request) {
 	decoder := utils.GetDecoder(r)
 	runtime := r.Context().Value(api.RuntimeKey).(*libpod.Runtime)
 	query := struct {
-		All     bool
-		Digests bool
-		Filter  string // Docker 1.24 compatibility
+		All        bool
+		Digests    bool
+		Filter     string // Docker 1.24 compatibility
+		SharedSize bool   `schema:"shared-size"` // Docker 1.42 compatibility
 	}{
 		// This is where you can override the golang default value for one of fields
 	}
@@ -468,6 +475,26 @@ func GetImages(w http.ResponseWriter, r *http.Request) {
 		// docker adds sha256: in front of the ID
 		for _, s := range summaries {
 			s.ID = "sha256:" + s.ID
+			// Ensure RepoTags and RepoDigests are empty arrays instead of null for Docker compatibility
+			// as per https://docs.docker.com/reference/api/engine/version-history/#v143-api-changes
+			// Relates to https://issues.redhat.com/browse/RUN-2699
+			if s.RepoTags == nil {
+				s.RepoTags = []string{}
+			}
+			if s.RepoDigests == nil {
+				s.RepoDigests = []string{}
+			}
+			// Docker 1.42 sets SharedSize to -1 if ont passed explicitly
+			if !query.SharedSize {
+				s.SharedSize = -1
+			}
+			// VirtualSize is deprecated in version 1.43 and removed in version 1.44
+			// See https://docs.docker.com/reference/api/engine/version-history/#v143-api-changes
+			if _, err := apiutil.SupportedVersion(r, "<1.44.0"); err == nil {
+				s.VirtualSize = s.Size
+			} else {
+				s.VirtualSize = 0
+			}
 		}
 	}
 	utils.WriteResponse(w, http.StatusOK, summaries)