From a3fcf52a1cb154139b29369e221ced031eddc6ec Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Fri, 7 Nov 2025 15:12:48 -0500 Subject: [PATCH 1/6] Fix deprecation notice to make gocritic happy. Signed-off-by: Lokesh Mandvekar --- libpod/container_config.go | 3 +++ pkg/bindings/containers/types.go | 1 + pkg/k8s.io/api/core/v1/annotation_key_constants.go | 4 ++++ pkg/k8s.io/api/core/v1/types.go | 4 ++++ pkg/specgen/podspecgen.go | 1 + pkg/specgen/specgen.go | 1 + pkg/util/utils.go | 1 + 7 files changed, 15 insertions(+) diff --git a/libpod/container_config.go b/libpod/container_config.go index df97164c436..2eb0eb3dec1 100644 --- a/libpod/container_config.go +++ b/libpod/container_config.go @@ -253,11 +253,13 @@ type ContainerNetworkConfig struct { // StaticIP is a static IP to request for the container. // This cannot be set unless CreateNetNS is set. // If not set, the container will be dynamically assigned an IP by CNI. + // // Deprecated: Do no use this anymore, this is only for DB backwards compat. StaticIP net.IP `json:"staticIP,omitempty"` // StaticMAC is a static MAC to request for the container. // This cannot be set unless CreateNetNS is set. // If not set, the container will be dynamically assigned a MAC by CNI. + // // Deprecated: Do no use this anymore, this is only for DB backwards compat. StaticMAC types.HardwareAddr `json:"staticMAC,omitempty"` // PortMappings are the ports forwarded to the container's network @@ -314,6 +316,7 @@ type ContainerNetworkConfig struct { // Please note that these can be altered at runtime. The actual list is // stored in the DB and should be retrieved from there; this is only the // set of networks the container was *created* with. + // // Deprecated: Do no use this anymore, this is only for DB backwards compat. // Also note that we need to keep the old json tag to decode from DB correctly NetworksDeprecated []string `json:"networks,omitempty"` diff --git a/pkg/bindings/containers/types.go b/pkg/bindings/containers/types.go index ceb7bacce5f..10a6fe860fa 100644 --- a/pkg/bindings/containers/types.go +++ b/pkg/bindings/containers/types.go @@ -238,6 +238,7 @@ type WaitOptions struct { // Time interval to wait before polling for completion. Interval *string // Container status to wait on. + // // Deprecated: use Conditions instead. Condition []define.ContainerStatus } diff --git a/pkg/k8s.io/api/core/v1/annotation_key_constants.go b/pkg/k8s.io/api/core/v1/annotation_key_constants.go index eb9517e1dd9..b42d4c41e65 100644 --- a/pkg/k8s.io/api/core/v1/annotation_key_constants.go +++ b/pkg/k8s.io/api/core/v1/annotation_key_constants.go @@ -36,15 +36,18 @@ const ( // SeccompPodAnnotationKey represents the key of a seccomp profile applied // to all containers of a pod. + // // Deprecated: set a pod security context `seccompProfile` field. SeccompPodAnnotationKey string = "seccomp.security.alpha.kubernetes.io/pod" // SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied // to one container of a pod. + // // Deprecated: set a container security context `seccompProfile` field. SeccompContainerAnnotationKeyPrefix string = "container.seccomp.security.alpha.kubernetes.io/" // SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime. + // // Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead. SeccompProfileRuntimeDefault string = "runtime/default" @@ -71,6 +74,7 @@ const ( AppArmorBetaProfileNameUnconfined = "unconfined" // DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker. + // // Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead. DeprecatedSeccompProfileDockerDefault string = "docker/default" diff --git a/pkg/k8s.io/api/core/v1/types.go b/pkg/k8s.io/api/core/v1/types.go index 9197de4b174..12a685607e0 100644 --- a/pkg/k8s.io/api/core/v1/types.go +++ b/pkg/k8s.io/api/core/v1/types.go @@ -1463,6 +1463,7 @@ const ( PodFailed PodPhase = "Failed" // PodUnknown means that for some reason the state of the pod could not be obtained, typically due // to an error in communicating with the host of the pod. + // // Deprecated: It isn't being set since 2015 (74da3b14b0c0f658b3bb8d2def5094686d0e9095) PodUnknown PodPhase = "Unknown" ) @@ -1882,6 +1883,7 @@ type PodSpec struct { // +optional ServiceAccountName string `json:"serviceAccountName,omitempty"` // DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. + // // Deprecated: Use serviceAccountName instead. // +k8s:conversion-gen=false // +optional @@ -4272,6 +4274,7 @@ type ComponentCondition struct { // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // ComponentStatus (and ComponentStatusList) holds the cluster validation info. +// // Deprecated: This API is deprecated in v1.19+ type ComponentStatus struct { metav1.TypeMeta `json:",inline"` @@ -4290,6 +4293,7 @@ type ComponentStatus struct { // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // Status of all the conditions for the component as a list of ComponentStatus objects. +// // Deprecated: This API is deprecated in v1.19+ type ComponentStatusList struct { metav1.TypeMeta `json:",inline"` diff --git a/pkg/specgen/podspecgen.go b/pkg/specgen/podspecgen.go index ad1f6267baa..5330e2a2d8e 100644 --- a/pkg/specgen/podspecgen.go +++ b/pkg/specgen/podspecgen.go @@ -128,6 +128,7 @@ type PodNetworkConfig struct { // default network (unless it is part of this list). // Only available if NetNS is set to bridge. // Optional. + // // Deprecated: as of podman 4.0 use "Networks" instead. CNINetworks []string `json:"cni_networks,omitempty"` // NoManageResolvConf indicates that /etc/resolv.conf should not be diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go index 4db1f861e9f..461ed308453 100644 --- a/pkg/specgen/specgen.go +++ b/pkg/specgen/specgen.go @@ -511,6 +511,7 @@ type ContainerNetworkConfig struct { // default network (unless it is part of this list). // Only available if NetNS is set to bridge. // Optional. + // // Deprecated: as of podman 4.0 use "Networks" instead. CNINetworks []string `json:"cni_networks,omitempty"` // UseImageResolvConf indicates that resolv.conf should not be managed diff --git a/pkg/util/utils.go b/pkg/util/utils.go index 058894d2498..9d027d38d4e 100644 --- a/pkg/util/utils.go +++ b/pkg/util/utils.go @@ -1202,6 +1202,7 @@ func LookupUser(name string) (*user.User, error) { // SizeOfPath determines the file usage of a given path. it was called volumeSize in v1 // and now is made to be generic and take a path instead of a libpod volume +// // Deprecated: use github.com/containers/storage/pkg/directory.Size() instead. func SizeOfPath(path string) (uint64, error) { size, err := directory.Size(path) From 5d46171b7d1a46735d467939337a3cfd9780b92e Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Fri, 7 Nov 2025 15:14:00 -0500 Subject: [PATCH 2/6] bump golangcilint to 2.6.0 Obsoletes: #27407 Signed-off-by: Lokesh Mandvekar --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 6430c7bce5b..f2387d3df2c 100644 --- a/Makefile +++ b/Makefile @@ -71,7 +71,7 @@ BUILDTAGS += ${EXTRA_BUILDTAGS} # N/B: This value is managed by Renovate, manual changes are # possible, as long as they don't disturb the formatting # (i.e. DO NOT ADD A 'v' prefix!) -GOLANGCI_LINT_VERSION := 2.5.0 +GOLANGCI_LINT_VERSION := 2.6.0 PYTHON ?= $(shell command -v python3 python|head -n1) PKG_MANAGER ?= $(shell command -v dnf yum|head -n1) # ~/.local/bin is not in PATH on all systems From 3842f4d4e52a4f604a2ca71b3ffa1513a1750cdb Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Fri, 7 Nov 2025 15:40:30 -0500 Subject: [PATCH 3/6] pkg/specgen: Remove deprecated CNINetworks Signed-off-by: Lokesh Mandvekar --- pkg/specgen/generate/namespaces.go | 16 +++------------- pkg/specgen/generate/pod_create.go | 4 ---- pkg/specgen/podspecgen.go | 9 --------- pkg/specgen/specgen.go | 9 --------- 4 files changed, 3 insertions(+), 35 deletions(-) diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go index 4e551530718..a7295334cd8 100644 --- a/pkg/specgen/generate/namespaces.go +++ b/pkg/specgen/generate/namespaces.go @@ -338,19 +338,9 @@ func namespaceOptions(s *specgen.SpecGenerator, rt *libpod.Runtime, pod *libpod. } // if no network was specified use add the default if len(s.Networks) == 0 { - // backwards config still allow the old cni networks list and convert to new format - if len(s.CNINetworks) > 0 { - logrus.Warn(`specgen "cni_networks" option is deprecated use the "networks" map instead`) - networks := make(map[string]types.PerNetworkOptions, len(s.CNINetworks)) - for _, net := range s.CNINetworks { - networks[net] = types.PerNetworkOptions{} - } - s.Networks = networks - } else { - // no networks given but bridge is set so use default network - s.Networks = map[string]types.PerNetworkOptions{ - rtConfig.Network.DefaultNetwork: {}, - } + // no networks given but bridge is set so use default network + s.Networks = map[string]types.PerNetworkOptions{ + rtConfig.Network.DefaultNetwork: {}, } } // rename the "default" network to the correct default name diff --git a/pkg/specgen/generate/pod_create.go b/pkg/specgen/generate/pod_create.go index 903ebe46371..9b68daf60c3 100644 --- a/pkg/specgen/generate/pod_create.go +++ b/pkg/specgen/generate/pod_create.go @@ -260,10 +260,6 @@ func MapSpec(p *specgen.PodSpecGenerator) (*specgen.SpecGenerator, error) { if len(p.Networks) > 0 { spec.Networks = p.Networks } - // deprecated cni networks for api users - if len(p.CNINetworks) > 0 { - spec.CNINetworks = p.CNINetworks - } if p.NoManageHosts { spec.UseImageHosts = &p.NoManageHosts } diff --git a/pkg/specgen/podspecgen.go b/pkg/specgen/podspecgen.go index 5330e2a2d8e..ca2bc4aed93 100644 --- a/pkg/specgen/podspecgen.go +++ b/pkg/specgen/podspecgen.go @@ -122,15 +122,6 @@ type PodNetworkConfig struct { // If the map is empty and the bridge network mode is set the container // will be joined to the default network. Networks map[string]types.PerNetworkOptions - // CNINetworks is a list of CNI networks to join the container to. - // If this list is empty, the default CNI network will be joined - // instead. If at least one entry is present, we will not join the - // default network (unless it is part of this list). - // Only available if NetNS is set to bridge. - // Optional. - // - // Deprecated: as of podman 4.0 use "Networks" instead. - CNINetworks []string `json:"cni_networks,omitempty"` // NoManageResolvConf indicates that /etc/resolv.conf should not be // managed by the pod. Instead, each container will create and manage a // separate resolv.conf as if they had not joined a pod. diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go index 461ed308453..767710e898d 100644 --- a/pkg/specgen/specgen.go +++ b/pkg/specgen/specgen.go @@ -505,15 +505,6 @@ type ContainerNetworkConfig struct { // will be joined to the default network. // Optional. Networks map[string]nettypes.PerNetworkOptions - // CNINetworks is a list of CNI networks to join the container to. - // If this list is empty, the default CNI network will be joined - // instead. If at least one entry is present, we will not join the - // default network (unless it is part of this list). - // Only available if NetNS is set to bridge. - // Optional. - // - // Deprecated: as of podman 4.0 use "Networks" instead. - CNINetworks []string `json:"cni_networks,omitempty"` // UseImageResolvConf indicates that resolv.conf should not be managed // by Podman, but instead sourced from the image. // Conflicts with DNSServer, DNSSearch, DNSOption. From f11392c719e1fb622914fc5f31ee56401eaf52f2 Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Fri, 7 Nov 2025 16:09:34 -0500 Subject: [PATCH 4/6] Remove deprecated fields ctrConfig.[StaticIP,StaticMAC] Signed-off-by: Lokesh Mandvekar --- libpod/container_config.go | 12 ------------ libpod/container_validate.go | 10 ---------- libpod/pod_api.go | 1 - libpod/runtime_ctr.go | 5 ----- pkg/checkpoint/checkpoint_restore.go | 2 -- 5 files changed, 30 deletions(-) diff --git a/libpod/container_config.go b/libpod/container_config.go index 2eb0eb3dec1..acccb21af02 100644 --- a/libpod/container_config.go +++ b/libpod/container_config.go @@ -250,18 +250,6 @@ type ContainerNetworkConfig struct { // network namespace for the container. // This cannot be set if NetNsCtr is also set. CreateNetNS bool `json:"createNetNS"` - // StaticIP is a static IP to request for the container. - // This cannot be set unless CreateNetNS is set. - // If not set, the container will be dynamically assigned an IP by CNI. - // - // Deprecated: Do no use this anymore, this is only for DB backwards compat. - StaticIP net.IP `json:"staticIP,omitempty"` - // StaticMAC is a static MAC to request for the container. - // This cannot be set unless CreateNetNS is set. - // If not set, the container will be dynamically assigned a MAC by CNI. - // - // Deprecated: Do no use this anymore, this is only for DB backwards compat. - StaticMAC types.HardwareAddr `json:"staticMAC,omitempty"` // PortMappings are the ports forwarded to the container's network // namespace // These are not used unless CreateNetNS is true diff --git a/libpod/container_validate.go b/libpod/container_validate.go index 6d812b53214..01ec586b8b9 100644 --- a/libpod/container_validate.go +++ b/libpod/container_validate.go @@ -80,16 +80,6 @@ func (c *Container) validate() error { } } - // Can only set static IP or MAC is creating a network namespace. - if !c.config.CreateNetNS && (c.config.StaticIP != nil || c.config.StaticMAC != nil) { - return fmt.Errorf("cannot set static IP or MAC address if not creating a network namespace: %w", define.ErrInvalidArg) - } - - // Cannot set static IP or MAC if joining >1 network. - if len(c.config.Networks) > 1 && (c.config.StaticIP != nil || c.config.StaticMAC != nil) { - return fmt.Errorf("cannot set static IP or MAC address if joining more than one network: %w", define.ErrInvalidArg) - } - // Using image resolv.conf conflicts with various DNS settings. if c.config.UseImageResolvConf && (len(c.config.DNSSearch) > 0 || len(c.config.DNSServer) > 0 || diff --git a/libpod/pod_api.go b/libpod/pod_api.go index 5fa533526fc..c4b609d7aba 100644 --- a/libpod/pod_api.go +++ b/libpod/pod_api.go @@ -667,7 +667,6 @@ func (p *Pod) Inspect() (*define.InspectPodData, error) { } infraConfig = new(define.InspectPodInfraConfig) infraConfig.HostNetwork = p.NetworkMode() == "host" - infraConfig.StaticIP = infra.config.ContainerNetworkConfig.StaticIP infraConfig.NoManageResolvConf = infra.config.UseImageResolvConf infraConfig.NoManageHostname = infra.config.UseImageHostname infraConfig.NoManageHosts = infra.config.UseImageHosts diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go index 3f0c0958a7a..b8f588a802e 100644 --- a/libpod/runtime_ctr.go +++ b/libpod/runtime_ctr.go @@ -205,11 +205,6 @@ func (r *Runtime) initContainerVariables(rSpec *spec.Spec, config *ContainerConf } // Reset the log path to point to the default ctr.config.LogPath = "" - // Later in validate() the check is for nil. JSONDeepCopy sets it to an empty - // object. Resetting it to nil if it was nil before. - if config.StaticMAC == nil { - ctr.config.StaticMAC = nil - } } ctr.config.Spec = rSpec diff --git a/pkg/checkpoint/checkpoint_restore.go b/pkg/checkpoint/checkpoint_restore.go index 98493c465de..9680cdb8b66 100644 --- a/pkg/checkpoint/checkpoint_restore.go +++ b/pkg/checkpoint/checkpoint_restore.go @@ -139,8 +139,6 @@ func CRImportCheckpoint(ctx context.Context, runtime *libpod.Runtime, restoreOpt opts.StaticMAC = nil ctrConfig.Networks[net] = opts } - ctrConfig.StaticIP = nil - ctrConfig.StaticMAC = nil } if ctrConfig.PIDNsCtr != "" { From 96aba07d9576a06798ef3538a52462bad17fe621 Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Mon, 10 Nov 2025 09:33:59 -0500 Subject: [PATCH 5/6] libpod/container_internal.go: util.SizeOfPath -> directory.Size - Remove deprecated util.SizeOfPath Signed-off-by: Lokesh Mandvekar --- libpod/container_internal.go | 5 +++-- pkg/util/utils.go | 10 ---------- 2 files changed, 3 insertions(+), 12 deletions(-) diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 5ffe18c46e9..38295271e85 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -50,6 +50,7 @@ import ( cutil "go.podman.io/common/pkg/util" "go.podman.io/storage" "go.podman.io/storage/pkg/chrootarchive" + "go.podman.io/storage/pkg/directory" "go.podman.io/storage/pkg/fileutils" "go.podman.io/storage/pkg/idmap" "go.podman.io/storage/pkg/idtools" @@ -100,8 +101,8 @@ func (c *Container) rootFsSize() (int64, error) { // for a given container. func (c *Container) rwSize() (int64, error) { if c.config.Rootfs != "" { - size, err := util.SizeOfPath(c.config.Rootfs) - return int64(size), err + size, err := directory.Size(c.config.Rootfs) + return size, err } layerSize, err := c.runtime.store.ContainerSize(c.ID()) diff --git a/pkg/util/utils.go b/pkg/util/utils.go index 9d027d38d4e..4e034d95ce8 100644 --- a/pkg/util/utils.go +++ b/pkg/util/utils.go @@ -25,7 +25,6 @@ import ( "github.com/opencontainers/runtime-spec/specs-go" "github.com/sirupsen/logrus" "go.podman.io/image/v5/types" - "go.podman.io/storage/pkg/directory" "go.podman.io/storage/pkg/fileutils" "go.podman.io/storage/pkg/idtools" "go.podman.io/storage/pkg/unshare" @@ -1200,15 +1199,6 @@ func LookupUser(name string) (*user.User, error) { return user.Lookup(name) } -// SizeOfPath determines the file usage of a given path. it was called volumeSize in v1 -// and now is made to be generic and take a path instead of a libpod volume -// -// Deprecated: use github.com/containers/storage/pkg/directory.Size() instead. -func SizeOfPath(path string) (uint64, error) { - size, err := directory.Size(path) - return uint64(size), err -} - // ParseRestartPolicy parses the value given to the --restart flag and returns the policy // and restart retries value func ParseRestartPolicy(policy string) (string, uint, error) { From f47f74cad63e4a1fcb3c71a59def30d86d20ff77 Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Tue, 11 Nov 2025 10:14:08 -0500 Subject: [PATCH 6/6] pkg/specgen/generate/kube: nolint and FIXMEs for seccomp deprecations Ref: https://github.com/containers/podman/issues/27501 Signed-off-by: Lokesh Mandvekar --- pkg/specgen/generate/kube/seccomp.go | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/pkg/specgen/generate/kube/seccomp.go b/pkg/specgen/generate/kube/seccomp.go index 4f7cf164836..bc043e5790d 100644 --- a/pkg/specgen/generate/kube/seccomp.go +++ b/pkg/specgen/generate/kube/seccomp.go @@ -37,7 +37,8 @@ func InitializeSeccompPaths(annotations map[string]string, profileRoot string) ( for annKeyValue, seccomp := range annotations { // check if it is prefaced with container.seccomp.security.alpha.kubernetes.io/ prefixAndCtr := strings.Split(annKeyValue, "/") - if prefixAndCtr[0]+"/" != v1.SeccompContainerAnnotationKeyPrefix { + // FIXME: Rework for deprecation removal https://github.com/containers/podman/issues/27501 + if prefixAndCtr[0]+"/" != v1.SeccompContainerAnnotationKeyPrefix { //nolint:staticcheck continue } else if len(prefixAndCtr) != 2 { // this could be caused by a user inputting either of @@ -52,8 +53,8 @@ func InitializeSeccompPaths(annotations map[string]string, profileRoot string) ( } seccompPaths.containerPaths[prefixAndCtr[1]] = path } - - podSeccomp, ok := annotations[v1.SeccompPodAnnotationKey] + // FIXME: Rework for deprecation removal https://github.com/containers/podman/issues/27501 + podSeccomp, ok := annotations[v1.SeccompPodAnnotationKey] //nolint:staticcheck if ok { seccompPaths.podPath, err = verifySeccompPath(podSeccomp, profileRoot) } else { @@ -70,9 +71,11 @@ func InitializeSeccompPaths(annotations map[string]string, profileRoot string) ( // the available options are parsed as defined in https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp func verifySeccompPath(path string, profileRoot string) (string, error) { switch path { - case v1.DeprecatedSeccompProfileDockerDefault: + // FIXME: Rework for deprecation removal https://github.com/containers/podman/issues/27501 + case v1.DeprecatedSeccompProfileDockerDefault: //nolint:staticcheck fallthrough - case v1.SeccompProfileRuntimeDefault: + // FIXME: Rework for deprecation removal https://github.com/containers/podman/issues/27501 + case v1.SeccompProfileRuntimeDefault: //nolint:staticcheck return libpod.DefaultSeccompPath() case "unconfined": return path, nil