chore(deps): bump github.com/containers/podman/v5 from 5.6.1 to 5.8.2

[dependabot]

Bumps github.com/containers/podman/v5 from 5.6.1 to 5.8.2.

Release notes

Sourced from github.com/containers/podman/v5's releases.

v5.8.2

Security

• This release addresses CVE-2026-33414, where the podman machine init --image command when run on Windows using the Hyper-V backend can run Powershell-escaped commands from the user-specified image path on in a Powershell session on the host (GHSA-hc8w-h2mf-hp59).

Bugfixes

• Fixed a bug where containers with the unless-stopped restart policy would not restart after a reboot when podman-restart.service was enabled (#28152).
• Fixed a bug where setting Entrypoint="" in a Quadlet .container file did not clear the container's entrypoint (#28213).
• Fixed a bug where setting a HealthCmd in a Quadlet .container file to a command that included double-quotes (") would result in a nonfunctional healthcheck due to a parsing issue (#28409).
• Fixed a bug where FreeBSD systems could panic when inspecting containers created with the host network mode (#28289).

API

• Fixed a bug where the Libpod System Check endpoint could perform operations with bad data after returning a 400 error (#28350).
• Fixed a bug where the remote attach API for containers (Libpod & Compat) could panic due to a rare race condition (#28277).
• Fixed a bug where the Secret Create API could not create functional secrets using the shell driver due to options from the default driver being improperly added.

Misc

• Updated Buildah to v1.43.1
• Updated the containers/common library to v0.67.1
• Updated the containers/image library to v5.39.2

v5.8.1

Bugfixes

• Fixed a critical bug where automatic migration from BoltDB to SQLite after a reboot could perform a partial migration, with some containers in SQLite and some remaining in BoltDB, when Quadlets were in use (#28215). For those who encountered this bug with 5.8.0 there is no way to automatically recover. If you do not have persistent containers/pods/volumes (i.e. all containers are run using Quadlets) then the easiest option is to move the db.sql file in Podman's storage directory to db.sql.bak (or similar) and reboot again with v5.8.1 to attempt another migration. Please contact the maintainers with any issues during migration and we will assist as able.

v5.8.0

Features

• The podman quadlet install command can now install files which contain multiple separate Quadlet files. The files must be separated with a --- delimeter on a new line, and each section must begin with a # FileName=<name> line to name the new Quadlet (#27384).
• Quadlet .container files now support a new key, AppArmor, for configuring the container's AppArmor profile (#27095).
• When running the podman artifact add command against a podman machine VM, if the path being loaded or built is shared into the VM, Podman will load it from the VM's filesystem instead of streaming the data through the REST API, improving performance (#26321).
• The podman update command now features a new option, --ulimit, to update container ulimits (#26381).
• The podman exec command now features a new option, --no-session, which disables tracking of the exec session to improve performance and startup time (#26588).

Changes

• Podman will now automatically attempt to migrate legacy BoltDB databases to SQLite when the system reboots. This is necessary as support for BoltDB will be removed in Podman 6.0 in May. If automatic migration is not possible, a new option, podman system migrate --migrate-db, will manually force a migration.
• The podman secret create - command no longer requires that the secret be provided through a pipe, and instead allows typing the secret through the terminal (#27879).

Bugfixes

• Fixed a bug where containers created by podman play kube with a healthcheck using the initialDelaySeconds option would run healthchecks before the initial delay had expired (#27678).
• Fixed a bug where healthchecks would sometimes fail to execute due to systemd rate limits.
• Fixed a bug where the podman export command would emit a Mount event instead of an Export event.
• Fixed a bug where the podman kube play command incorrectly handled precedence between environment variables set by both the envFrom and env fields (#27287).
• Fixed a bug where the podman kube play command would panic when parsing Pod YAML missing the image field (#27784).
• Fixed a bug where the podman volume mount command returned empty paths when volumes were handled by a plugin driver (#27858).
• Fixed a bug where containers created with --rootfs instead of from an image would show that they had a healthcheck in the starting state even if no healthcheck was defined (#27651).
• Fixed a bug where the podman build command's --pull=newer option did not function correctly (#22845).
• Fixed a bug where the RequiresMountsFor field in Quadlet .container files incorrectly handled bind-mount paths which contained spaces.
• Fixed a bug where the remote Podman client's podman run --detach-keys option did not accept an empty string (IE, no detach keys) (#27414).
• Fixed a bug where the remove Podman client's podman build --secret ... env=VAR option would incorrectly try to read the environment variable on the server side, instead of from the client (#27494).
• Fixed a bug where the podman artifact push and podman artifact pull commands ignored authentication credentials given by the --authfile option (#27421).
• Fixed a bug where Windows paths were incorrectly handled under some circumstances when using the HyperV machine provider (#27571).

... (truncated)

Changelog

Sourced from github.com/containers/podman/v5's changelog.

5.8.2

Security

• This release addresses CVE-2026-33414, where the podman machine init --image command when run on Windows using the Hyper-V backend can run Powershell-escaped commands from the user-specified image path on in a Powershell session on the host (GHSA-hc8w-h2mf-hp59).

Bugfixes

• Fixed a bug where containers with the unless-stopped restart policy would not restart after a reboot when podman-restart.service was enabled (#28152).
• Fixed a bug where setting Entrypoint="" in a Quadlet .container file did not clear the container's entrypoint (#28213).
• Fixed a bug where setting a HealthCmd in a Quadlet .container file to a command that included double-quotes (") would result in a nonfunctional healthcheck due to a parsing issue (#28409).
• Fixed a bug where FreeBSD systems could panic when inspecting containers created with the host network mode (#28289).

API

• Fixed a bug where the Libpod System Check endpoint could perform operations with bad data after returning a 400 error (#28350).
• Fixed a bug where the remote attach API for containers (Libpod & Compat) could panic due to a rare race condition (#28277).
• Fixed a bug where the Secret Create API could not create functional secrets using the shell driver due to options from the default driver being improperly added.

Misc

• Updated Buildah to v1.43.1
• Updated the containers/common library to v0.67.1
• Updated the containers/image library to v5.39.2

5.8.1

Bugfixes

• Fixed a critical bug where automatic migration from BoltDB to SQLite after a reboot could perform a partial migration, with some containers in SQLite and some remaining in BoltDB, when Quadlets were in use (#28215). For those who encountered this bug with 5.8.0 there is no way to automatically recover. If you do not have persistent containers/pods/volumes (i.e. all containers are run using Quadlets) then the easiest option is to move the db.sql file in Podman's storage directory to db.sql.bak (or similar) and reboot again with v5.8.1 to attempt another migration. Please contact the maintainers with any issues during migration and we will assist as able.

5.8.0

Features

• The podman quadlet install command can now install files which contain multiple separate Quadlet files. The files must be separated with a --- delimeter on a new line, and each section must begin with a # FileName=<name> line to name the new Quadlet (#27384).
• Quadlet .container files now support a new key, AppArmor, for configuring the container's AppArmor profile (#27095).
• When running the podman artifact add command against a podman machine VM, if the path being loaded or built is shared into the VM, Podman will load it from the VM's filesystem instead of streaming the data through the REST API, improving performance (#26321).
• The podman update command now features a new option, --ulimit, to update container ulimits (#26381).
• The podman exec command now features a new option, --no-session, which disables tracking of the exec session to improve performance and startup time (#26588).

Changes

• Podman will now automatically attempt to migrate legacy BoltDB databases to SQLite when the system reboots. This is necessary as support for BoltDB will be removed in Podman 6.0 in May. If automatic migration is not possible, a new option, podman system migrate --migrate-db, will manually force a migration.
• The podman secret create - command no longer requires that the secret be provided through a pipe, and instead allows typing the secret through the terminal (#27879).

Bugfixes

• Fixed a bug where containers created by podman play kube with a healthcheck using the initialDelaySeconds option would run healthchecks before the initial delay had expired (#27678).
• Fixed a bug where healthchecks would sometimes fail to execute due to systemd rate limits.
• Fixed a bug where the podman export command would emit a Mount event instead of an Export event.
• Fixed a bug where the podman kube play command incorrectly handled precedence between environment variables set by both the envFrom and env fields (#27287).
• Fixed a bug where the podman kube play command would panic when parsing Pod YAML missing the image field (#27784).
• Fixed a bug where the podman volume mount command returned empty paths when volumes were handled by a plugin driver (#27858).
• Fixed a bug where containers created with --rootfs instead of from an image would show that they had a healthcheck in the starting state even if no healthcheck was defined (#27651).
• Fixed a bug where the podman build command's --pull=newer option did not function correctly (#22845).
• Fixed a bug where the RequiresMountsFor field in Quadlet .container files incorrectly handled bind-mount paths which contained spaces.
• Fixed a bug where the remote Podman client's podman run --detach-keys option did not accept an empty string (IE, no detach keys) (#27414).
• Fixed a bug where the remove Podman client's podman build --secret ... env=VAR option would incorrectly try to read the environment variable on the server side, instead of from the client (#27494).
• Fixed a bug where the podman artifact push and podman artifact pull commands ignored authentication credentials given by the --authfile option (#27421).
• Fixed a bug where Windows paths were incorrectly handled under some circumstances when using the HyperV machine provider (#27571).

... (truncated)

Commits

• 5b263b5 Bump to v5.8.2
• 884cd28 Release notes for v5.8.2
• eeb4c6b Merge commit from fork
• 6cffe93 hyperV: fix powershell path escape
• 825eed6 Merge pull request #28475 from Luap99/v5.8-backports
• f13de01 cirrus: bump linux machine aarch64 test timeout
• d1cf366 Remove iptables references in upgrade tests
• add385e bindings: artifact extract reject invalid names
• a49ad4b use chrootarchive over plain archive package
• 92cd249 fix symlink handling in checkpoint restore
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a Azure member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mociarain]

/ok-to-test

[mociarain]

/azp run ci

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mrWinston]

CI and Local image builds fail with this error message:

/usr/bin/ld: /tmp/go-link-1909522424/000077.o: in function `_containers_unshare':
unshare.c:(.text+0x91c): multiple definition of `_containers_unshare'; /tmp/go-link-1909522424/000053.o:unshare.c:(.text+0x91c): first defined here
collect2: error: ld returned 1 exit status

p.s: i accidentally closed the PR

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

[openshift-ci]

@dependabot[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images	653161e	link	true	/test images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.