Verify images in manifest list are not dangling and pruned

Vendor in latest containers/common

Currently if you create an un tagged image and add it to a manifest
list, podman image prune will remove the image, and leave you with
a broken manifest list. This PR removes the image from dangling in
this situation and prevents the pruning.

We have seen this trigger issues with RamaLama which is creating
manifest lists in this manner, and then users pruning the images.

Verifing: containers/common#2360

Signed-off-by: Daniel J Walsh <[email protected]>

Author: rhatdan

Makefile

@@ -363,7 +363,7 @@ $(IN_CONTAINER): %-in-container:
 	$(PODMANCMD) run --rm --env HOME=/root \
 		-v $(CURDIR):/src -w /src \
 		--security-opt label=disable \
-		docker.io/library/golang:1.22 \
+		docker.io/library/golang:1.23 \
 		make $(*)
 
 

go.mod

@@ -6,18 +6,18 @@ module github.com/containers/podman/v5
 go 1.23.0
 
 require (
-	github.com/BurntSushi/toml v1.4.0
+	github.com/BurntSushi/toml v1.5.0
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/blang/semver/v4 v4.0.0
 	github.com/buger/goterm v1.0.4
 	github.com/checkpoint-restore/checkpointctl v1.3.0
 	github.com/checkpoint-restore/go-criu/v7 v7.2.0
-	github.com/containernetworking/plugins v1.5.1
+	github.com/containernetworking/plugins v1.6.2
 	github.com/containers/buildah v1.39.2
 	github.com/containers/common v0.62.2-0.20250311121556-b27979403716
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.8.4
-	github.com/containers/image/v5 v5.34.2-0.20250306154130-12497efe55ac
+	github.com/containers/image/v5 v5.34.3-0.20250311194052-d84dbab374e7
 	github.com/containers/libhvee v0.10.0
 	github.com/containers/ocicrypt v1.2.1
 	github.com/containers/psgo v1.9.0
@@ -53,8 +53,9 @@ require (
 	github.com/moby/sys/user v0.3.0
 	github.com/moby/term v0.5.2
 	github.com/nxadm/tail v1.4.11
-	github.com/onsi/ginkgo/v2 v2.22.2
+	github.com/onsi/ginkgo/v2 v2.23.0
 	github.com/onsi/gomega v1.36.2
+	github.com/opencontainers/cgroups v0.0.1
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
 	github.com/opencontainers/runc v1.2.6
@@ -70,7 +71,7 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/vbauerster/mpb/v8 v8.9.3
 	github.com/vishvananda/netlink v1.3.1-0.20250221194427-0af32151e72b
-	go.etcd.io/bbolt v1.3.11
+	go.etcd.io/bbolt v1.4.0
 	golang.org/x/crypto v0.36.0
 	golang.org/x/net v0.37.0
 	golang.org/x/sync v0.12.0
@@ -81,7 +82,7 @@ require (
 	gopkg.in/inf.v0 v0.9.1
 	gopkg.in/yaml.v3 v3.0.1
 	sigs.k8s.io/yaml v1.4.0
-	tags.cncf.io/container-device-interface v0.8.1
+	tags.cncf.io/container-device-interface v1.0.0
 )
 
 require (
@@ -95,6 +96,7 @@ require (
 	github.com/bytedance/sonic v1.11.6 // indirect
 	github.com/bytedance/sonic/loader v0.1.1 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
+	github.com/cilium/ebpf v0.17.3 // indirect
 	github.com/cloudwego/base64x v0.1.4 // indirect
 	github.com/cloudwego/iasm v0.2.0 // indirect
 	github.com/containerd/cgroups/v3 v3.0.5 // indirect
@@ -166,7 +168,7 @@ require (
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
-	github.com/mdlayher/socket v0.5.0 // indirect
+	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mistifyio/go-zfs/v3 v3.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
@@ -184,7 +186,7 @@ require (
 	github.com/ostreedev/ostree-go v0.0.0-20210805093236-719684c64e4f // indirect
 	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pkg/sftp v1.13.7 // indirect
+	github.com/pkg/sftp v1.13.8 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
@@ -222,14 +224,17 @@ require (
 	go.opentelemetry.io/otel/trace v1.32.0 // indirect
 	golang.org/x/arch v0.8.0 // indirect
 	golang.org/x/exp v0.0.0-20250128182459-e0ece0dbea4c // indirect
-	golang.org/x/mod v0.22.0 // indirect
+	golang.org/x/mod v0.23.0 // indirect
 	golang.org/x/oauth2 v0.26.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	golang.org/x/tools v0.29.0 // indirect
+	golang.org/x/tools v0.30.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
 	google.golang.org/grpc v1.70.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
-	tags.cncf.io/container-device-interface/specs-go v0.8.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	tags.cncf.io/container-device-interface/specs-go v1.0.0 // indirect
 )
+
+replace github.com/containers/common => github.com/rhatdan/common v0.47.1-0.20250318135319-2242b2e1f465

go.sum

@@ -13,15 +13,14 @@ import (
 	"strings"
 	"sync"
 
-	runcconfig "github.com/opencontainers/runc/libcontainer/configs"
-	"github.com/opencontainers/runc/libcontainer/devices"
-
 	"github.com/containers/common/pkg/cgroups"
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/common/pkg/systemd"
 	"github.com/containers/podman/v5/pkg/errorhandling"
 	"github.com/containers/podman/v5/pkg/rootless"
 	pmount "github.com/containers/storage/pkg/mount"
+	cgroupsConfig "github.com/opencontainers/cgroups"
+	devices "github.com/opencontainers/cgroups/devices/config"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
@@ -231,11 +230,11 @@ func (r *ConmonOCIRuntime) moveConmonToCgroupAndSignal(ctr *Container, cmd *exec
 }
 
 // GetLimits converts spec resource limits to cgroup consumable limits
-func GetLimits(resource *spec.LinuxResources) (runcconfig.Resources, error) {
+func GetLimits(resource *spec.LinuxResources) (cgroupsConfig.Resources, error) {
 	if resource == nil {
 		resource = &spec.LinuxResources{}
 	}
-	final := &runcconfig.Resources{}
+	final := &cgroupsConfig.Resources{}
 	devs := []*devices.Rule{}
 
 	// Devices
@@ -262,29 +261,29 @@ func GetLimits(resource *spec.LinuxResources) (runcconfig.Resources, error) {
 	final.Devices = devs
 
 	// HugepageLimits
-	pageLimits := []*runcconfig.HugepageLimit{}
+	pageLimits := []*cgroupsConfig.HugepageLimit{}
 	for _, entry := range resource.HugepageLimits {
-		pageLimits = append(pageLimits, &runcconfig.HugepageLimit{
+		pageLimits = append(pageLimits, &cgroupsConfig.HugepageLimit{
 			Pagesize: entry.Pagesize,
 			Limit:    entry.Limit,
 		})
 	}
 	final.HugetlbLimit = pageLimits
 
 	// Networking
-	netPriorities := []*runcconfig.IfPrioMap{}
+	netPriorities := []*cgroupsConfig.IfPrioMap{}
 	if resource.Network != nil {
 		for _, entry := range resource.Network.Priorities {
-			netPriorities = append(netPriorities, &runcconfig.IfPrioMap{
+			netPriorities = append(netPriorities, &cgroupsConfig.IfPrioMap{
 				Interface: entry.Name,
 				Priority:  int64(entry.Priority),
 			})
 		}
 	}
 	final.NetPrioIfpriomap = netPriorities
-	rdma := make(map[string]runcconfig.LinuxRdma)
+	rdma := make(map[string]cgroupsConfig.LinuxRdma)
 	for name, entry := range resource.Rdma {
-		rdma[name] = runcconfig.LinuxRdma{HcaHandles: entry.HcaHandles, HcaObjects: entry.HcaObjects}
+		rdma[name] = cgroupsConfig.LinuxRdma{HcaHandles: entry.HcaHandles, HcaObjects: entry.HcaObjects}
 	}
 	final.Rdma = rdma
 
@@ -329,25 +328,25 @@ func GetLimits(resource *spec.LinuxResources) (runcconfig.Resources, error) {
 	if resource.BlockIO != nil {
 		if len(resource.BlockIO.ThrottleReadBpsDevice) > 0 {
 			for _, entry := range resource.BlockIO.ThrottleReadBpsDevice {
-				throttle := runcconfig.NewThrottleDevice(entry.Major, entry.Minor, entry.Rate)
+				throttle := cgroupsConfig.NewThrottleDevice(entry.Major, entry.Minor, entry.Rate)
 				final.BlkioThrottleReadBpsDevice = append(final.BlkioThrottleReadBpsDevice, throttle)
 			}
 		}
 		if len(resource.BlockIO.ThrottleWriteBpsDevice) > 0 {
 			for _, entry := range resource.BlockIO.ThrottleWriteBpsDevice {
-				throttle := runcconfig.NewThrottleDevice(entry.Major, entry.Minor, entry.Rate)
+				throttle := cgroupsConfig.NewThrottleDevice(entry.Major, entry.Minor, entry.Rate)
 				final.BlkioThrottleWriteBpsDevice = append(final.BlkioThrottleWriteBpsDevice, throttle)
 			}
 		}
 		if len(resource.BlockIO.ThrottleReadIOPSDevice) > 0 {
 			for _, entry := range resource.BlockIO.ThrottleReadIOPSDevice {
-				throttle := runcconfig.NewThrottleDevice(entry.Major, entry.Minor, entry.Rate)
+				throttle := cgroupsConfig.NewThrottleDevice(entry.Major, entry.Minor, entry.Rate)
 				final.BlkioThrottleReadIOPSDevice = append(final.BlkioThrottleReadIOPSDevice, throttle)
 			}
 		}
 		if len(resource.BlockIO.ThrottleWriteIOPSDevice) > 0 {
 			for _, entry := range resource.BlockIO.ThrottleWriteIOPSDevice {
-				throttle := runcconfig.NewThrottleDevice(entry.Major, entry.Minor, entry.Rate)
+				throttle := cgroupsConfig.NewThrottleDevice(entry.Major, entry.Minor, entry.Rate)
 				final.BlkioThrottleWriteIOPSDevice = append(final.BlkioThrottleWriteIOPSDevice, throttle)
 			}
 		}
@@ -366,7 +365,7 @@ func GetLimits(resource *spec.LinuxResources) (runcconfig.Resources, error) {
 				if entry.LeafWeight != nil {
 					lw = *entry.LeafWeight
 				}
-				weight := runcconfig.NewWeightDevice(entry.Major, entry.Minor, w, lw)
+				weight := cgroupsConfig.NewWeightDevice(entry.Major, entry.Minor, w, lw)
 				final.BlkioWeightDevice = append(final.BlkioWeightDevice, weight)
 			}
 		}

libpod/oci_conmon_linux.go

@@ -9,7 +9,7 @@ import (
 	"syscall"
 	"time"
 
-	runccgroup "github.com/opencontainers/runc/libcontainer/cgroups"
+	runccgroup "github.com/opencontainers/cgroups"
 
 	"github.com/containers/common/pkg/cgroups"
 	"github.com/containers/podman/v5/libpod/define"

libpod/stats_linux.go

@@ -15,7 +15,7 @@ import (
 	api "github.com/containers/podman/v5/pkg/api/types"
 	"github.com/containers/storage/pkg/system"
 	"github.com/docker/docker/api/types/container"
-	runccgroups "github.com/opencontainers/runc/libcontainer/cgroups"
+	cgroupsConfig "github.com/opencontainers/cgroups"
 	"github.com/sirupsen/logrus"
 )
 
@@ -238,7 +238,7 @@ streamLabel: // A label to flatten the scope
 	}
 }
 
-func toBlkioStatEntry(entries []runccgroups.BlkioStatEntry) []container.BlkioStatEntry {
+func toBlkioStatEntry(entries []cgroupsConfig.BlkioStatEntry) []container.BlkioStatEntry {
 	results := make([]container.BlkioStatEntry, len(entries))
 	for i, e := range entries {
 		bits, err := json.Marshal(e)

pkg/api/handlers/compat/containers_stats_linux.go

@@ -597,7 +597,7 @@ func (ir *ImageEngine) Tree(ctx context.Context, nameOrID string, opts entities.
 	if err != nil {
 		return nil, err
 	}
-	tree, err := image.Tree(opts.WhatRequires)
+	tree, err := image.Tree(ctx, opts.WhatRequires)
 	if err != nil {
 		return nil, err
 	}

pkg/domain/infra/abi/images.go

@@ -324,4 +324,30 @@ function manifestListAddArtifactOnce() {
         manifestListAddArtifactOnce
     done
 }
+
+@test "manifest list images should not be marked as dangling" {
+      # build image and attach it to a manifest list
+      mlist=m-$(safename)
+      run_podman build -q -f -  <<< "from scratch"
+      iid=${output}
+      run_podman manifest create ${mlist} ${iid}
+
+      # verify image is not dangling, and is not remove via prune
+      run_podman images --filter dangling=true
+      assert "$output" != "sha256:${iid}" "Verify the filter dangling does not list the image"
+      run_podman image prune --force
+      assert "$output" != "${iid}" "Verify the prune does not remove the non dangling image"
+      run_podman image exists ${iid}
+
+      # Remove manifes
+      run_podman manifest rm ${mlist}
+
+      # verify the image is now dangling, and is removed via prune
+      run_podman images -q --filter dangling=true --no-trunc
+      assert "$output" == "sha256:${iid}" "Verify the filter dangling does list the image"
+      run_podman image prune --force
+      assert "$output" == "${iid}" "Verify that prune does not remove the dangling image"
+      run_podman 1 image exists ${iid}
+}
+
 # vim: filetype=sh