diff options
106 files changed, 1164 insertions, 2376 deletions
diff --git a/.cirrus.yml b/.cirrus.yml index 4156e3082..5f99b0490 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -362,7 +362,8 @@ static_alt_build_task: # this cache ensures only the static podman binary is built. nix_cache: folder: '/var/cache/nix' - fingerprint_script: cat nix/* + # Cirrus will calculate/use sha of this output as the cache key + fingerprint_script: echo "${IMAGE_SUFFIX}" && cat nix/* setup_script: *setup main_script: *main always: *binary_artifacts diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 1d2c26750..30fddf82b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -286,16 +286,7 @@ commit automatically with `git commit -s`. ### Go Format and lint -All code changes must pass ``make validate`` and ``make lint``, as -executed in a standard container. The container image for this -purpose is provided at: ``quay.io/libpod/gate:master``. With -other tags available for different branches as needed. These -images are built automatically after merges to the branch. - -#### Building the gate container locally - -For local use, debugging, or experimentation, the gate image may -be built locally from the repository root, with the command: +All code changes must pass ``make validate`` and ``make lint``. ``` podman build -t gate -f contrib/gate/Dockerfile . diff --git a/cmd/podman/common/completion.go b/cmd/podman/common/completion.go index 4d66b4e2b..00123f9e6 100644 --- a/cmd/podman/common/completion.go +++ b/cmd/podman/common/completion.go @@ -2,6 +2,7 @@ package common import ( "bufio" + "fmt" "os" "strings" @@ -22,62 +23,97 @@ var ( LogLevels = []string{"debug", "info", "warn", "error", "fatal", "panic"} ) -func getContainers(status string, toComplete string) ([]string, cobra.ShellCompDirective) { +func getContainers(toComplete string, statuses ...string) ([]string, cobra.ShellCompDirective) { suggestions := []string{} listOpts := entities.ContainerListOptions{ Filters: make(map[string][]string), } listOpts.All = true + listOpts.Pod = true - if status != "all" { - listOpts.Filters = map[string][]string{"status": {status}} - } + // TODO: The api doesn't handle several different statuses correct see: + // https://github.com/containers/podman/issues/8344 + // Instead of looping over the statuses we should be able to set + // listOpts.Filters["status"] = statuses - containers, err := registry.ContainerEngine().ContainerList(registry.GetContext(), listOpts) - if err != nil { - cobra.CompErrorln(err.Error()) - return nil, cobra.ShellCompDirectiveError + var containers []entities.ListContainer + var err error + if len(statuses) == 0 { + containers, err = registry.ContainerEngine().ContainerList(registry.GetContext(), listOpts) + if err != nil { + cobra.CompErrorln(err.Error()) + return nil, cobra.ShellCompDirectiveError + } + } else { + for _, s := range statuses { + listOpts.Filters["status"] = []string{s} + res, err := registry.ContainerEngine().ContainerList(registry.GetContext(), listOpts) + if err != nil { + cobra.CompErrorln(err.Error()) + return nil, cobra.ShellCompDirectiveError + } + containers = append(containers, res...) + } } - for _, container := range containers { + for _, c := range containers { // include ids in suggestions if more then 2 chars are typed - if len(toComplete) > 1 { - suggestions = append(suggestions, container.ID[0:12]) + if len(toComplete) > 1 && strings.HasPrefix(c.ID, toComplete) { + suggestions = append(suggestions, c.ID[0:12]+"\t"+c.PodName) } // include name in suggestions - suggestions = append(suggestions, container.Names...) + if strings.HasPrefix(c.Names[0], toComplete) { + suggestions = append(suggestions, c.Names[0]+"\t"+c.PodName) + } } return suggestions, cobra.ShellCompDirectiveNoFileComp } -func getPods(status string, toComplete string) ([]string, cobra.ShellCompDirective) { +func getPods(toComplete string, statuses ...string) ([]string, cobra.ShellCompDirective) { suggestions := []string{} listOpts := entities.PodPSOptions{ Filters: make(map[string][]string), } - if status != "all" { - listOpts.Filters = map[string][]string{"status": {status}} - } + // TODO: The api doesn't handle several different statuses correct see: + // https://github.com/containers/podman/issues/8344 + // Instead of looping over the statuses we should be able to set + // listOpts.Filters["status"] = statuses - pods, err := registry.ContainerEngine().PodPs(registry.GetContext(), listOpts) - if err != nil { - cobra.CompErrorln(err.Error()) - return nil, cobra.ShellCompDirectiveError + var pods []*entities.ListPodsReport + var err error + if len(statuses) == 0 { + pods, err = registry.ContainerEngine().PodPs(registry.GetContext(), listOpts) + if err != nil { + cobra.CompErrorln(err.Error()) + return nil, cobra.ShellCompDirectiveError + } + } else { + for _, s := range statuses { + listOpts.Filters["status"] = []string{s} + res, err := registry.ContainerEngine().PodPs(registry.GetContext(), listOpts) + if err != nil { + cobra.CompErrorln(err.Error()) + return nil, cobra.ShellCompDirectiveError + } + pods = append(pods, res...) + } } for _, pod := range pods { // include ids in suggestions if more then 2 chars are typed - if len(toComplete) > 1 { + if len(toComplete) > 1 && strings.HasPrefix(pod.Id, toComplete) { suggestions = append(suggestions, pod.Id[0:12]) } // include name in suggestions - suggestions = append(suggestions, pod.Name) + if strings.HasPrefix(pod.Name, toComplete) { + suggestions = append(suggestions, pod.Name) + } } return suggestions, cobra.ShellCompDirectiveNoFileComp } -func getVolumes() ([]string, cobra.ShellCompDirective) { +func getVolumes(toComplete string) ([]string, cobra.ShellCompDirective) { suggestions := []string{} lsOpts := entities.VolumeListOptions{} @@ -87,8 +123,10 @@ func getVolumes() ([]string, cobra.ShellCompDirective) { return nil, cobra.ShellCompDirectiveError } - for _, volume := range volumes { - suggestions = append(suggestions, volume.Name) + for _, v := range volumes { + if strings.HasPrefix(v.Name, toComplete) { + suggestions = append(suggestions, v.Name) + } } return suggestions, cobra.ShellCompDirectiveNoFileComp } @@ -104,16 +142,16 @@ func getImages(toComplete string) ([]string, cobra.ShellCompDirective) { } for _, image := range images { - // FIXME: need ux testing - // discuss when image ids should be completed // include ids in suggestions if more then 2 chars are typed - if len(toComplete) > 1 { + if len(toComplete) > 1 && strings.HasPrefix(image.ID, toComplete) { suggestions = append(suggestions, image.ID[0:12]) } for _, repo := range image.RepoTags { if toComplete == "" { // suggest only full repo path if no input is given - suggestions = append(suggestions, repo) + if strings.HasPrefix(repo, toComplete) { + suggestions = append(suggestions, repo) + } } else { // suggested "registry.fedoraproject.org/f29/httpd:latest" as // - "registry.fedoraproject.org/f29/httpd:latest" @@ -125,8 +163,13 @@ func getImages(toComplete string) ([]string, cobra.ShellCompDirective) { paths := strings.Split(repo, "/") for i := range paths { suggestionWithTag := strings.Join(paths[i:], "/") + if strings.HasPrefix(suggestionWithTag, toComplete) { + suggestions = append(suggestions, suggestionWithTag) + } suggestionWithoutTag := strings.SplitN(strings.SplitN(suggestionWithTag, ":", 2)[0], "@", 2)[0] - suggestions = append(suggestions, suggestionWithTag, suggestionWithoutTag) + if strings.HasPrefix(suggestionWithoutTag, toComplete) { + suggestions = append(suggestions, suggestionWithoutTag) + } } } } @@ -143,9 +186,11 @@ func getRegistries() ([]string, cobra.ShellCompDirective) { return regs, cobra.ShellCompDirectiveNoFileComp } -func getNetworks() ([]string, cobra.ShellCompDirective) { +func getNetworks(toComplete string) ([]string, cobra.ShellCompDirective) { suggestions := []string{} - networkListOptions := entities.NetworkListOptions{} + networkListOptions := entities.NetworkListOptions{ + Filter: "name=" + toComplete, + } networks, err := registry.ContainerEngine().NetworkList(registry.Context(), networkListOptions) if err != nil { @@ -159,76 +204,154 @@ func getNetworks() ([]string, cobra.ShellCompDirective) { return suggestions, cobra.ShellCompDirectiveNoFileComp } +// validCurrentCmdLine validates the current cmd line +// It utilizes the Args function from the cmd struct +// In most cases the Args function validates the args length but it +// is also used to verify that --latest is not given with an argument. +// This function helps to makes sure we only complete valid arguments. +func validCurrentCmdLine(cmd *cobra.Command, args []string, toComplete string) bool { + if cmd.Args == nil { + // Without an Args function we cannot check so assume it's correct + return true + } + // We have to append toComplete to the args otherwise the + // argument count would not match the expected behavior + if err := cmd.Args(cmd, append(args, toComplete)); err != nil { + // Special case if we use ExactArgs(2) or MinimumNArgs(2), + // They will error if we try to complete the first arg. + // Lets try to parse the common error and compare if we have less args than + // required. In this case we are fine and should provide completion. + + // Clean the err msg so we can parse it with fmt.Sscanf + // Trim MinimumNArgs prefix + cleanErr := strings.TrimPrefix(err.Error(), "requires at least ") + // Trim MinimumNArgs "only" part + cleanErr = strings.ReplaceAll(cleanErr, "only received", "received") + // Trim ExactArgs prefix + cleanErr = strings.TrimPrefix(cleanErr, "accepts ") + var need, got int + cobra.CompDebugln(cleanErr, true) + _, err = fmt.Sscanf(cleanErr, "%d arg(s), received %d", &need, &got) + if err == nil { + if need >= got { + // We still need more arguments so provide more completions + return true + } + } + cobra.CompDebugln(err.Error(), true) + return false + } + return true +} + /* Autocomplete Functions for cobra ValidArgsFunction */ // AutocompleteContainers - Autocomplete all container names. func AutocompleteContainers(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { - return getContainers("all", toComplete) + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } + return getContainers(toComplete) } // AutocompleteContainersCreated - Autocomplete only created container names. func AutocompleteContainersCreated(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { - return getContainers("created", toComplete) + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } + return getContainers(toComplete, "created") } // AutocompleteContainersExited - Autocomplete only exited container names. func AutocompleteContainersExited(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { - return getContainers("exited", toComplete) + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } + return getContainers(toComplete, "exited") } // AutocompleteContainersPaused - Autocomplete only paused container names. func AutocompleteContainersPaused(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { - return getContainers("paused", toComplete) + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } + return getContainers(toComplete, "paused") } // AutocompleteContainersRunning - Autocomplete only running container names. func AutocompleteContainersRunning(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { - return getContainers("running", toComplete) + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } + return getContainers(toComplete, "running") } // AutocompleteContainersStartable - Autocomplete only created and exited container names. func AutocompleteContainersStartable(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { - containersCreated, _ := getContainers("created", toComplete) - containersExited, _ := getContainers("exited", toComplete) - return append(containersCreated, containersExited...), cobra.ShellCompDirectiveNoFileComp + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } + return getContainers(toComplete, "created", "exited") } // AutocompletePods - Autocomplete all pod names. func AutocompletePods(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { - return getPods("all", toComplete) + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } + return getPods(toComplete) } // AutocompletePodsRunning - Autocomplete only running pod names. +// It considers degraded as running. func AutocompletePodsRunning(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { - return getPods("running", toComplete) + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } + return getPods(toComplete, "running", "degraded") } // AutocompleteContainersAndPods - Autocomplete container names and pod names. func AutocompleteContainersAndPods(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { - containers, _ := getContainers("all", toComplete) - pods, _ := getPods("all", toComplete) + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } + containers, _ := getContainers(toComplete) + pods, _ := getPods(toComplete) return append(containers, pods...), cobra.ShellCompDirectiveNoFileComp } // AutocompleteContainersAndImages - Autocomplete container names and pod names. func AutocompleteContainersAndImages(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { - containers, _ := getContainers("all", toComplete) + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } + containers, _ := getContainers(toComplete) images, _ := getImages(toComplete) return append(containers, images...), cobra.ShellCompDirectiveNoFileComp } // AutocompleteVolumes - Autocomplete volumes. func AutocompleteVolumes(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { - return getVolumes() + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } + return getVolumes(toComplete) } // AutocompleteImages - Autocomplete images. func AutocompleteImages(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } return getImages(toComplete) } // AutocompleteCreateRun - Autocomplete only the fist argument as image and then do file completion. func AutocompleteCreateRun(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } if len(args) < 1 { return getImages(toComplete) } @@ -238,18 +361,27 @@ func AutocompleteCreateRun(cmd *cobra.Command, args []string, toComplete string) // AutocompleteRegistries - Autocomplete registries. func AutocompleteRegistries(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } return getRegistries() } // AutocompleteNetworks - Autocomplete networks. func AutocompleteNetworks(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { - return getNetworks() + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } + return getNetworks(toComplete) } // AutocompleteCpCommand - Autocomplete podman cp command args. func AutocompleteCpCommand(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } if len(args) < 2 { - containers, _ := getContainers("all", toComplete) + containers, _ := getContainers(toComplete) for _, container := range containers { // TODO: Add path completion for inside the container if possible if strings.HasPrefix(container, toComplete) { @@ -265,6 +397,9 @@ func AutocompleteCpCommand(cmd *cobra.Command, args []string, toComplete string) // AutocompleteSystemConnections - Autocomplete system connections. func AutocompleteSystemConnections(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { + if !validCurrentCmdLine(cmd, args, toComplete) { + return nil, cobra.ShellCompDirectiveNoFileComp + } suggestions := []string{} cfg, err := config.ReadCustomConfig() if err != nil { @@ -318,7 +453,7 @@ func AutocompleteNamespace(cmd *cobra.Command, args []string, toComplete string) switch { case strings.HasPrefix(toComplete, "container:"): // Complete containers after colon - containers, _ := getContainers("all", toComplete[10:]) //trim "container:" + containers, _ := getContainers(toComplete[10:]) //trim "container:" // add "container:" in front of the suggestions var suggestions []string @@ -504,21 +639,13 @@ func AutocompleteMountFlag(cmd *cobra.Command, args []string, toComplete string) // AutocompleteVolumeFlag - Autocomplete volume flag options. // -> volumes and paths func AutocompleteVolumeFlag(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { - result := []string{} - volumes, _ := getVolumes() - for _, volume := range volumes { - // If we don't filter on "toComplete", zsh and fish will not do file completion - // even if the prefix typed by the user does not match the returned completions - if strings.HasPrefix(volume, toComplete) { - result = append(result, volume) - } - } + volumes, _ := getVolumes(toComplete) directive := cobra.ShellCompDirectiveNoSpace | cobra.ShellCompDirectiveDefault if strings.Contains(toComplete, ":") { // add space after second path directive = cobra.ShellCompDirectiveDefault } - return result, directive + return volumes, directive } // AutocompleteJSONFormat - Autocomplete format flag option. diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go index 39ff02857..0bb6e79e5 100644 --- a/cmd/podman/common/specgen.go +++ b/cmd/podman/common/specgen.go @@ -592,7 +592,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string case "max-size": logSize, err := units.FromHumanSize(split[1]) if err != nil { - return errors.Wrapf(err, "%s is not a valid option", o) + return err } s.LogConfiguration.Size = logSize default: @@ -662,7 +662,7 @@ func makeHealthCheckFromCli(inCmd, interval string, retries uint, timeout, start } intervalDuration, err := time.ParseDuration(interval) if err != nil { - return nil, errors.Wrapf(err, "invalid healthcheck-interval %s ", interval) + return nil, errors.Wrapf(err, "invalid healthcheck-interval") } hc.Interval = intervalDuration @@ -673,7 +673,7 @@ func makeHealthCheckFromCli(inCmd, interval string, retries uint, timeout, start hc.Retries = int(retries) timeoutDuration, err := time.ParseDuration(timeout) if err != nil { - return nil, errors.Wrapf(err, "invalid healthcheck-timeout %s", timeout) + return nil, errors.Wrapf(err, "invalid healthcheck-timeout") } if timeoutDuration < time.Duration(1) { return nil, errors.New("healthcheck-timeout must be at least 1 second") @@ -682,7 +682,7 @@ func makeHealthCheckFromCli(inCmd, interval string, retries uint, timeout, start startPeriodDuration, err := time.ParseDuration(startPeriod) if err != nil { - return nil, errors.Wrapf(err, "invalid healthcheck-start-period %s", startPeriod) + return nil, errors.Wrapf(err, "invalid healthcheck-start-period") } if startPeriodDuration < time.Duration(0) { return nil, errors.New("healthcheck-start-period must be 0 seconds or greater") diff --git a/cmd/podman/common/util.go b/cmd/podman/common/util.go index a971aa957..ef30e08d3 100644 --- a/cmd/podman/common/util.go +++ b/cmd/podman/common/util.go @@ -250,7 +250,7 @@ func parseAndValidateRange(portRange string) (uint16, uint16, error) { func parseAndValidatePort(port string) (uint16, error) { num, err := strconv.Atoi(port) if err != nil { - return 0, errors.Wrapf(err, "cannot parse %q as a port number", port) + return 0, errors.Wrapf(err, "invalid port number") } if num < 1 || num > 65535 { return 0, errors.Errorf("port numbers must be between 1 and 65535 (inclusive), got %d", num) diff --git a/cmd/podman/containers/prune.go b/cmd/podman/containers/prune.go index e8debd3ad..9ac529b1c 100644 --- a/cmd/podman/containers/prune.go +++ b/cmd/podman/containers/prune.go @@ -57,7 +57,7 @@ func prune(cmd *cobra.Command, args []string) error { fmt.Print("Are you sure you want to continue? [y/N] ") answer, err := reader.ReadString('\n') if err != nil { - return errors.Wrapf(err, "error reading input") + return err } if strings.ToLower(answer)[0] != 'y' { return nil diff --git a/cmd/podman/containers/run.go b/cmd/podman/containers/run.go index b17c13f46..6ff1b929d 100644 --- a/cmd/podman/containers/run.go +++ b/cmd/podman/containers/run.go @@ -205,7 +205,7 @@ func run(cmd *cobra.Command, args []string) error { if runRmi { _, rmErrors := registry.ImageEngine().Remove(registry.GetContext(), []string{imageName}, entities.ImageRemoveOptions{}) if len(rmErrors) > 0 { - logrus.Errorf("%s", errors.Wrapf(errorhandling.JoinErrors(rmErrors), "failed removing image")) + logrus.Errorf("%s", errorhandling.JoinErrors(rmErrors)) } } return nil diff --git a/cmd/podman/containers/start.go b/cmd/podman/containers/start.go index dba2c3c3e..7e57bb576 100644 --- a/cmd/podman/containers/start.go +++ b/cmd/podman/containers/start.go @@ -21,6 +21,7 @@ var ( Short: "Start one or more containers", Long: startDescription, RunE: start, + Args: validateStart, ValidArgsFunction: common.AutocompleteContainersStartable, Example: `podman start --latest podman start 860a4b231279 5421ab43b45 @@ -32,6 +33,7 @@ var ( Short: startCommand.Short, Long: startCommand.Long, RunE: startCommand.RunE, + Args: startCommand.Args, ValidArgsFunction: startCommand.ValidArgsFunction, Example: `podman container start --latest podman container start 860a4b231279 5421ab43b45 @@ -76,8 +78,7 @@ func init() { validate.AddLatestFlag(containerStartCommand, &startOptions.Latest) } -func start(cmd *cobra.Command, args []string) error { - var errs utils.OutputErrors +func validateStart(cmd *cobra.Command, args []string) error { if len(args) == 0 && !startOptions.Latest { return errors.New("start requires at least one argument") } @@ -87,7 +88,11 @@ func start(cmd *cobra.Command, args []string) error { if len(args) > 1 && startOptions.Attach { return errors.Errorf("you cannot start and attach multiple containers at once") } + return nil +} +func start(cmd *cobra.Command, args []string) error { + var errs utils.OutputErrors sigProxy := startOptions.SigProxy || startOptions.Attach if cmd.Flag("sig-proxy").Changed { sigProxy = startOptions.SigProxy diff --git a/cmd/podman/images/build.go b/cmd/podman/images/build.go index c76e4ac80..739e1c265 100644 --- a/cmd/podman/images/build.go +++ b/cmd/podman/images/build.go @@ -353,18 +353,18 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *buil isolation, err := parse.IsolationOption(flags.Isolation) if err != nil { - return nil, errors.Wrapf(err, "error parsing ID mapping options") + return nil, err } usernsOption, idmappingOptions, err := parse.IDMappingOptions(c, isolation) if err != nil { - return nil, errors.Wrapf(err, "error parsing ID mapping options") + return nil, err } nsValues = append(nsValues, usernsOption...) systemContext, err := parse.SystemContextFromOptions(c) if err != nil { - return nil, errors.Wrapf(err, "error building system context") + return nil, err } format := "" diff --git a/cmd/podman/images/prune.go b/cmd/podman/images/prune.go index 3af56b015..e68fe5f40 100644 --- a/cmd/podman/images/prune.go +++ b/cmd/podman/images/prune.go @@ -11,7 +11,6 @@ import ( "github.com/containers/podman/v2/cmd/podman/utils" "github.com/containers/podman/v2/cmd/podman/validate" "github.com/containers/podman/v2/pkg/domain/entities" - "github.com/pkg/errors" "github.com/spf13/cobra" ) @@ -60,7 +59,7 @@ WARNING! This will remove all dangling images. Are you sure you want to continue? [y/N] `) answer, err := reader.ReadString('\n') if err != nil { - return errors.Wrapf(err, "error reading input") + return err } if strings.ToLower(answer)[0] != 'y' { return nil diff --git a/cmd/podman/images/sign.go b/cmd/podman/images/sign.go index 529fb3d92..342536f7c 100644 --- a/cmd/podman/images/sign.go +++ b/cmd/podman/images/sign.go @@ -58,7 +58,7 @@ func sign(cmd *cobra.Command, args []string) error { if len(signOptions.Directory) > 0 { sigStoreDir = signOptions.Directory if _, err := os.Stat(sigStoreDir); err != nil { - return errors.Wrapf(err, "invalid directory %s", sigStoreDir) + return err } } _, err := registry.ImageEngine().Sign(registry.Context(), args, signOptions) diff --git a/cmd/podman/images/trust_set.go b/cmd/podman/images/trust_set.go index f0399b110..1a7392f3e 100644 --- a/cmd/podman/images/trust_set.go +++ b/cmd/podman/images/trust_set.go @@ -55,7 +55,7 @@ func setTrust(cmd *cobra.Command, args []string) error { valid, err := image.IsValidImageURI(args[0]) if err != nil || !valid { - return errors.Wrapf(err, "invalid image uri %s", args[0]) + return err } if !util.StringInSlice(setOptions.Type, validTrustTypes) { diff --git a/cmd/podman/inspect/inspect.go b/cmd/podman/inspect/inspect.go index f9bd75c93..13f36ebbd 100644 --- a/cmd/podman/inspect/inspect.go +++ b/cmd/podman/inspect/inspect.go @@ -2,6 +2,7 @@ package inspect import ( "context" + "encoding/json" // due to a bug in json-iterator it cannot be used here "fmt" "os" "regexp" @@ -28,17 +29,14 @@ const ( ContainerType = "container" // ImageType is the image type. ImageType = "image" - //NetworkType is the network type + // NetworkType is the network type NetworkType = "network" - //PodType is the pod type. + // PodType is the pod type. PodType = "pod" - //VolumeType is the volume type + // VolumeType is the volume type VolumeType = "volume" ) -// Pull in configured json library -var json = registry.JSONLibrary() - // AddInspectFlagSet takes a command and adds the inspect flags and returns an // InspectOptions object. func AddInspectFlagSet(cmd *cobra.Command) *entities.InspectOptions { @@ -173,7 +171,7 @@ func (i *inspector) inspect(namesOrIDs []string) error { data = append(data, podData) } } - if i.podOptions.Latest { //latest means there are no names in the namesOrID array + if i.podOptions.Latest { // latest means there are no names in the namesOrID array podData, err := i.containerEngine.PodInspect(ctx, i.podOptions) if err != nil { cause := errors.Cause(err) @@ -238,9 +236,12 @@ func (i *inspector) inspect(namesOrIDs []string) error { } func printJSON(data []interface{}) error { - enc := json.NewEncoder(os.Stdout) - enc.SetIndent("", " ") - return enc.Encode(data) + buf, err := json.MarshalIndent(data, "", " ") + if err != nil { + return err + } + _, err = fmt.Println(string(buf)) + return err } func printTmpl(typ, row string, data []interface{}) error { diff --git a/cmd/podman/manifest/add.go b/cmd/podman/manifest/add.go index 91bd423b8..cb0838eeb 100644 --- a/cmd/podman/manifest/add.go +++ b/cmd/podman/manifest/add.go @@ -11,7 +11,6 @@ import ( "github.com/containers/podman/v2/cmd/podman/registry" "github.com/containers/podman/v2/pkg/domain/entities" "github.com/containers/podman/v2/pkg/util" - "github.com/pkg/errors" "github.com/spf13/cobra" ) @@ -116,7 +115,7 @@ func add(cmd *cobra.Command, args []string) error { listID, err := registry.ImageEngine().ManifestAdd(context.Background(), manifestAddOpts.ManifestAddOptions) if err != nil { - return errors.Wrapf(err, "error adding to manifest list %s", args[0]) + return err } fmt.Printf("%s\n", listID) return nil diff --git a/cmd/podman/manifest/annotate.go b/cmd/podman/manifest/annotate.go index dab8c4da6..71017e0ec 100644 --- a/cmd/podman/manifest/annotate.go +++ b/cmd/podman/manifest/annotate.go @@ -73,7 +73,7 @@ func annotate(cmd *cobra.Command, args []string) error { } updatedListID, err := registry.ImageEngine().ManifestAnnotate(context.Background(), args, manifestAnnotateOpts) if err != nil { - return errors.Wrapf(err, "error removing from manifest list %s", listImageSpec) + return err } fmt.Printf("%s\n", updatedListID) return nil diff --git a/cmd/podman/manifest/create.go b/cmd/podman/manifest/create.go index c903c6fa8..399f9440c 100644 --- a/cmd/podman/manifest/create.go +++ b/cmd/podman/manifest/create.go @@ -7,7 +7,6 @@ import ( "github.com/containers/podman/v2/cmd/podman/common" "github.com/containers/podman/v2/cmd/podman/registry" "github.com/containers/podman/v2/pkg/domain/entities" - "github.com/pkg/errors" "github.com/spf13/cobra" ) @@ -39,7 +38,7 @@ func init() { func create(cmd *cobra.Command, args []string) error { imageID, err := registry.ImageEngine().ManifestCreate(context.Background(), args[:1], args[1:], manifestCreateOpts) if err != nil { - return errors.Wrapf(err, "error creating manifest %s", args[0]) + return err } fmt.Printf("%s\n", imageID) return nil diff --git a/cmd/podman/manifest/inspect.go b/cmd/podman/manifest/inspect.go index 17c94aaba..39fd54445 100644 --- a/cmd/podman/manifest/inspect.go +++ b/cmd/podman/manifest/inspect.go @@ -7,7 +7,6 @@ import ( "github.com/containers/podman/v2/cmd/podman/common" "github.com/containers/podman/v2/cmd/podman/registry" "github.com/containers/podman/v2/pkg/domain/entities" - "github.com/pkg/errors" "github.com/spf13/cobra" ) @@ -35,7 +34,7 @@ func init() { func inspect(cmd *cobra.Command, args []string) error { buf, err := registry.ImageEngine().ManifestInspect(context.Background(), args[0]) if err != nil { - return errors.Wrapf(err, "error inspect manifest %s", args[0]) + return err } fmt.Printf("%s\n", buf) return nil diff --git a/cmd/podman/manifest/manifest.go b/cmd/podman/manifest/manifest.go index c3bcdc8c7..990ad0e95 100644 --- a/cmd/podman/manifest/manifest.go +++ b/cmd/podman/manifest/manifest.go @@ -18,7 +18,7 @@ var ( podman manifest create localhost/list podman manifest inspect localhost/list podman manifest annotate --annotation left=right mylist:v1.11 image:v1.11-amd64 - podman manifest push mylist:v1.11 quay.io/myimagelist + podman manifest push mylist:v1.11 docker://quay.io/myuser/image:v1.11 podman manifest remove mylist:v1.11 sha256:15352d97781ffdf357bf3459c037be3efac4133dc9070c2dce7eca7c05c3e736`, } ) diff --git a/cmd/podman/manifest/push.go b/cmd/podman/manifest/push.go index 9d0977834..a3b469491 100644 --- a/cmd/podman/manifest/push.go +++ b/cmd/podman/manifest/push.go @@ -28,7 +28,7 @@ var ( Short: "Push a manifest list or image index to a registry", Long: "Pushes manifest lists and image indexes to registries.", RunE: push, - Example: `podman manifest push mylist:v1.11 quay.io/myimagelist`, + Example: `podman manifest push mylist:v1.11 docker://quay.io/myuser/image:v1.11`, Args: cobra.ExactArgs(2), ValidArgsFunction: common.AutocompleteImages, } @@ -108,7 +108,7 @@ func push(cmd *cobra.Command, args []string) error { manifestPushOpts.SkipTLSVerify = types.NewOptionalBool(!manifestPushOpts.TLSVerifyCLI) } if err := registry.ImageEngine().ManifestPush(registry.Context(), args, manifestPushOpts.ManifestPushOptions); err != nil { - return errors.Wrapf(err, "error pushing manifest %s to %s", listImageSpec, destSpec) + return err } return nil } diff --git a/cmd/podman/networks/list.go b/cmd/podman/networks/list.go index bab6b45ea..f2a5a431a 100644 --- a/cmd/podman/networks/list.go +++ b/cmd/podman/networks/list.go @@ -87,8 +87,11 @@ func networkList(cmd *cobra.Command, args []string) error { nlprs = append(nlprs, ListPrintReports{r}) } + // Headers() gets lost resolving the embedded field names so add them headers := report.Headers(ListPrintReports{}, map[string]string{ + "Name": "name", "CNIVersion": "version", + "Version": "version", "Plugins": "plugins", }) renderHeaders := true @@ -110,7 +113,6 @@ func networkList(cmd *cobra.Command, args []string) error { if err := tmpl.Execute(w, headers); err != nil { return err } - } return tmpl.Execute(w, nlprs) } diff --git a/cmd/podman/play/kube.go b/cmd/podman/play/kube.go index a9e91bd68..db70ad7d4 100644 --- a/cmd/podman/play/kube.go +++ b/cmd/podman/play/kube.go @@ -22,6 +22,7 @@ type playKubeOptionsWrapper struct { TLSVerifyCLI bool CredentialsCLI string + StartCLI bool } var ( @@ -68,6 +69,7 @@ func init() { flags.BoolVarP(&kubeOptions.Quiet, "quiet", "q", false, "Suppress output information when pulling images") flags.BoolVar(&kubeOptions.TLSVerifyCLI, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") + flags.BoolVar(&kubeOptions.StartCLI, "start", true, "Start the pod after creating it") authfileFlagName := "authfile" flags.StringVar(&kubeOptions.Authfile, authfileFlagName, auth.GetDefaultAuthFile(), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") @@ -100,6 +102,9 @@ func kube(cmd *cobra.Command, args []string) error { if cmd.Flags().Changed("tls-verify") { kubeOptions.SkipTLSVerify = types.NewOptionalBool(!kubeOptions.TLSVerifyCLI) } + if cmd.Flags().Changed("start") { + kubeOptions.Start = types.NewOptionalBool(kubeOptions.StartCLI) + } if kubeOptions.Authfile != "" { if _, err := os.Stat(kubeOptions.Authfile); err != nil { return err diff --git a/cmd/podman/pods/create.go b/cmd/podman/pods/create.go index d33455e81..449d60bb9 100644 --- a/cmd/podman/pods/create.go +++ b/cmd/podman/pods/create.go @@ -218,7 +218,7 @@ func create(cmd *cobra.Command, args []string) error { } if len(podIDFile) > 0 { if err = ioutil.WriteFile(podIDFile, []byte(response.Id), 0644); err != nil { - return errors.Wrapf(err, "failed to write pod ID to file %q", podIDFile) + return errors.Wrapf(err, "failed to write pod ID to file") } } fmt.Println(response.Id) diff --git a/cmd/podman/pods/prune.go b/cmd/podman/pods/prune.go index 626ef2895..444b0f5e0 100644 --- a/cmd/podman/pods/prune.go +++ b/cmd/podman/pods/prune.go @@ -12,7 +12,6 @@ import ( "github.com/containers/podman/v2/cmd/podman/utils" "github.com/containers/podman/v2/cmd/podman/validate" "github.com/containers/podman/v2/pkg/domain/entities" - "github.com/pkg/errors" "github.com/spf13/cobra" ) @@ -51,7 +50,7 @@ func prune(cmd *cobra.Command, args []string) error { fmt.Print("Are you sure you want to continue? [y/N] ") answer, err := reader.ReadString('\n') if err != nil { - return errors.Wrapf(err, "error reading input") + return err } if strings.ToLower(answer)[0] != 'y' { return nil diff --git a/cmd/podman/root.go b/cmd/podman/root.go index 0a44f5eac..34d92cd0f 100644 --- a/cmd/podman/root.go +++ b/cmd/podman/root.go @@ -189,8 +189,7 @@ func persistentPreRunE(cmd *cobra.Command, args []string) error { if cmd.Flag("cpu-profile").Changed { f, err := os.Create(cfg.CPUProfile) if err != nil { - return errors.Wrapf(err, "unable to create cpu profiling file %s", - cfg.CPUProfile) + return err } if err := pprof.StartCPUProfile(f); err != nil { return err diff --git a/cmd/podman/system/connection/add.go b/cmd/podman/system/connection/add.go index b3a23bffd..57e747451 100644 --- a/cmd/podman/system/connection/add.go +++ b/cmd/podman/system/connection/add.go @@ -79,14 +79,14 @@ func add(cmd *cobra.Command, args []string) error { // Default to ssh: schema if none given dest := args[1] if match, err := regexp.Match(schemaPattern, []byte(dest)); err != nil { - return errors.Wrapf(err, "internal regex error %q", schemaPattern) + return errors.Wrapf(err, "invalid destination") } else if !match { dest = "ssh://" + dest } uri, err := url.Parse(dest) if err != nil { - return errors.Wrapf(err, "failed to parse %q", dest) + return err } if uri.User.Username() == "" { @@ -109,7 +109,7 @@ func add(cmd *cobra.Command, args []string) error { if uri.Path == "" || uri.Path == "/" { if uri.Path, err = getUDS(cmd, uri); err != nil { - return errors.Wrapf(err, "failed to connect to %q", uri.String()) + return err } } @@ -151,7 +151,7 @@ func getUserInfo(uri *url.URL) (*url.Userinfo, error) { if u, found := os.LookupEnv("_CONTAINERS_ROOTLESS_UID"); found { usr, err = user.LookupId(u) if err != nil { - return nil, errors.Wrapf(err, "failed to find user %q", u) + return nil, errors.Wrapf(err, "failed to lookup rootless user") } } else { usr, err = user.Current() @@ -209,7 +209,7 @@ func getUDS(cmd *cobra.Command, uri *url.URL) (string, error) { } dial, err := ssh.Dial("tcp", uri.Host, cfg) if err != nil { - return "", errors.Wrapf(err, "failed to connect to %q", uri.Host) + return "", errors.Wrapf(err, "failed to connect") } defer dial.Close() @@ -229,7 +229,7 @@ func getUDS(cmd *cobra.Command, uri *url.URL) (string, error) { var buffer bytes.Buffer session.Stdout = &buffer if err := session.Run(run); err != nil { - return "", errors.Wrapf(err, "failed to run %q", run) + return "", err } var info define.Info @@ -238,7 +238,7 @@ func getUDS(cmd *cobra.Command, uri *url.URL) (string, error) { } if info.Host.RemoteSocket == nil || len(info.Host.RemoteSocket.Path) == 0 { - return "", fmt.Errorf("remote podman %q failed to report its UDS socket", uri.Host) + return "", errors.Errorf("remote podman %q failed to report its UDS socket", uri.Host) } return info.Host.RemoteSocket.Path, nil } diff --git a/cmd/podman/system/events.go b/cmd/podman/system/events.go index 224ef89f3..d2aefab67 100644 --- a/cmd/podman/system/events.go +++ b/cmd/podman/system/events.go @@ -13,7 +13,6 @@ import ( "github.com/containers/podman/v2/cmd/podman/validate" "github.com/containers/podman/v2/libpod/events" "github.com/containers/podman/v2/pkg/domain/entities" - "github.com/pkg/errors" "github.com/spf13/cobra" ) @@ -104,7 +103,7 @@ func eventsCmd(cmd *cobra.Command, _ []string) error { case doJSON: jsonStr, err := event.ToJSONString() if err != nil { - return errors.Wrapf(err, "unable to format json") + return err } fmt.Println(jsonStr) case cmd.Flags().Changed("format"): diff --git a/cmd/podman/system/prune.go b/cmd/podman/system/prune.go index be0d60604..f2b9a3db5 100644 --- a/cmd/podman/system/prune.go +++ b/cmd/podman/system/prune.go @@ -12,7 +12,6 @@ import ( "github.com/containers/podman/v2/cmd/podman/utils" "github.com/containers/podman/v2/cmd/podman/validate" "github.com/containers/podman/v2/pkg/domain/entities" - "github.com/pkg/errors" "github.com/spf13/cobra" ) @@ -68,7 +67,7 @@ WARNING! This will remove: Are you sure you want to continue? [y/N] `, volumeString) answer, err := reader.ReadString('\n') if err != nil { - return errors.Wrapf(err, "error reading input") + return err } if strings.ToLower(answer)[0] != 'y' { return nil diff --git a/cmd/podman/system/reset.go b/cmd/podman/system/reset.go index d38a1a427..97f4fba28 100644 --- a/cmd/podman/system/reset.go +++ b/cmd/podman/system/reset.go @@ -13,7 +13,7 @@ import ( "github.com/containers/podman/v2/cmd/podman/validate" "github.com/containers/podman/v2/pkg/domain/entities" "github.com/containers/podman/v2/pkg/domain/infra" - "github.com/pkg/errors" + "github.com/sirupsen/logrus" "github.com/spf13/cobra" ) @@ -57,7 +57,7 @@ WARNING! This will remove: Are you sure you want to continue? [y/N] `) answer, err := reader.ReadString('\n') if err != nil { - fmt.Println(errors.Wrapf(err, "error reading input")) + logrus.Error(err) os.Exit(1) } if strings.ToLower(answer)[0] != 'y' { @@ -71,13 +71,13 @@ Are you sure you want to continue? [y/N] `) engine, err := infra.NewSystemEngine(entities.ResetMode, registry.PodmanConfig()) if err != nil { - fmt.Println(err) + logrus.Error(err) os.Exit(125) } defer engine.Shutdown(registry.Context()) if err := engine.Reset(registry.Context()); err != nil { - fmt.Println(err) + logrus.Error(err) os.Exit(125) } os.Exit(0) diff --git a/cmd/podman/system/service_abi.go b/cmd/podman/system/service_abi.go index 95cbd19d9..8c52616be 100644 --- a/cmd/podman/system/service_abi.go +++ b/cmd/podman/system/service_abi.go @@ -5,12 +5,8 @@ package system import ( "context" "net" - "os" - "os/signal" "strings" - "github.com/containers/podman/v2/cmd/podman/utils" - "github.com/containers/podman/v2/libpod" api "github.com/containers/podman/v2/pkg/api/server" "github.com/containers/podman/v2/pkg/domain/entities" "github.com/containers/podman/v2/pkg/domain/infra" @@ -33,7 +29,7 @@ func restService(opts entities.ServiceOptions, flags *pflag.FlagSet, cfg *entiti address := strings.Join(fields[1:], ":") l, err := net.Listen(fields[0], address) if err != nil { - return errors.Wrapf(err, "unable to create socket %s", opts.URI) + return errors.Wrapf(err, "unable to create socket") } listener = &l } @@ -43,7 +39,7 @@ func restService(opts entities.ServiceOptions, flags *pflag.FlagSet, cfg *entiti return err } - startWatcher(rt) + infra.StartWatcher(rt) server, err := api.NewServerWithSettings(rt, opts.Timeout, listener) if err != nil { return err @@ -60,24 +56,3 @@ func restService(opts entities.ServiceOptions, flags *pflag.FlagSet, cfg *entiti } return err } - -// startWatcher starts a new SIGHUP go routine for the current config. -func startWatcher(rt *libpod.Runtime) { - // Setup the signal notifier - ch := make(chan os.Signal, 1) - signal.Notify(ch, utils.SIGHUP) - - go func() { - for { - // Block until the signal is received - logrus.Debugf("waiting for SIGHUP to reload configuration") - <-ch - if err := rt.Reload(); err != nil { - logrus.Errorf("unable to reload configuration: %v", err) - continue - } - } - }() - - logrus.Debugf("registered SIGHUP watcher for config") -} diff --git a/cmd/podman/volumes/prune.go b/cmd/podman/volumes/prune.go index 2f58b668f..4c2136dcf 100644 --- a/cmd/podman/volumes/prune.go +++ b/cmd/podman/volumes/prune.go @@ -12,7 +12,6 @@ import ( "github.com/containers/podman/v2/cmd/podman/utils" "github.com/containers/podman/v2/cmd/podman/validate" "github.com/containers/podman/v2/pkg/domain/entities" - "github.com/pkg/errors" "github.com/spf13/cobra" ) @@ -53,7 +52,7 @@ func prune(cmd *cobra.Command, args []string) error { fmt.Print("Are you sure you want to continue? [y/N] ") answer, err := reader.ReadString('\n') if err != nil { - return errors.Wrapf(err, "error reading input") + return err } if strings.ToLower(answer)[0] != 'y' { return nil diff --git a/contrib/gate/Dockerfile b/contrib/gate/Dockerfile deleted file mode 100644 index 0a4d57416..000000000 --- a/contrib/gate/Dockerfile +++ /dev/null @@ -1,41 +0,0 @@ -FROM fedora:32 - -ENV GOPATH="/var/tmp/go" \ - GOBIN="/var/tmp/go/bin" \ - PATH="/var/tmp/go/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" \ - SRCPATH="/usr/src/libpod" \ - GOSRC="/var/tmp/go/src/github.com/containers/podman" - -# Only needed for installing build-time dependencies, then will be removed -COPY . $GOSRC - -# Install packages from dependencies.txt, ignoring commented lines -# Note: adding conmon and crun so podman command checks will work -RUN dnf -y install \ - $(grep "^[^#]" $GOSRC/contrib/dependencies.txt) diffutils containers-common fuse-overlayfs conmon crun runc --exclude container-selinux; \ - sed -i -e 's|^#mount_program|mount_program|g' -e 's/# size.*/skip_mount_home = "true"/g' /etc/containers/storage.conf \ - && dnf clean all - -# Install dependencies -RUN set -x && \ - mkdir -p "$GOBIN" && \ - mkdir -p /etc/cni/net.d && \ - mkdir -p /etc/containers && \ - install -D -m 755 $GOSRC/contrib/gate/entrypoint.sh /usr/local/bin/ && \ - python3 -m pip install pre-commit - -# Install cni config -COPY cni/87-podman-bridge.conflist /etc/cni/net.d/87-podman-bridge.conflist -# Make sure we have some policy for pulling images -COPY test/redhat_sigstore.yaml /etc/containers/registries.d/registry.access.redhat.com.yaml - -WORKDIR "$GOSRC" -RUN make install.tools && \ - cd / && \ - rm -rf "$GOSRC" && \ - mkdir -p "$GOSRC" -VOLUME ["/usr/src/libpod"] -# This entrypoint will synchronize the above volume ($SRCPATH) to $GOSRC before -# executing make. This ensures the original source remains prestine and is never -# modified by any lint/validation checks. -ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] diff --git a/contrib/gate/README.md b/contrib/gate/README.md deleted file mode 100644 index 6c33e1d74..000000000 --- a/contrib/gate/README.md +++ /dev/null @@ -1,6 +0,0 @@ - - -The "gate" image is a standard container image for lint-checking and validating -changes to the libpod repository. It must be built from the repository root as -[described in the contibutors guide](https://github.com/containers/podman/blob/master/CONTRIBUTING.md#go-format-and-lint). -The image is also used in [CI/CD automation](../../.cirrus.yml). diff --git a/contrib/gate/entrypoint.sh b/contrib/gate/entrypoint.sh deleted file mode 100755 index 102d012e5..000000000 --- a/contrib/gate/entrypoint.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/usr/bin/env bash - -set -e - -die() { - echo "${2:-FATAL ERROR (but no message given!)} (gate container entrypoint)" - exit ${1:-1} -} - -[[ -n "$SRCPATH" ]] || die 1 "ERROR: \$SRCPATH must be non-empty" -[[ -n "$GOPATH" ]] || die 2 "ERROR: \$GOPATH must be non-empty" -[[ -n "$GOSRC" ]] || die 3 "ERROR: \$GOSRC must be non-empty" -[[ -r "${SRCPATH}/contrib/gate/Dockerfile" ]] || \ - die 4 "ERROR: Expecting libpod repository root at $SRCPATH" - -# Working from a copy avoids needing to perturb the actual source files -# if/when developers use gate container for local testing -echo "Copying $SRCPATH to $GOSRC" -mkdir -vp "$GOSRC" -/usr/bin/rsync --recursive --links --quiet --safe-links \ - --perms --times --delete "${SRCPATH}/" "${GOSRC}/" -cd "$GOSRC" -exec make "$@" diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index a6083201d..749af8a66 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -346,7 +346,7 @@ value can be expressed in a time format such as `1m22s`. The default value is ` Container host name -Sets the container host name that is available inside the container. Can only be used with a private UTS namespace `--uts=private` (default). If `--pod` is specified and the pod shares the UTS namespace (default) the pods hostname will be used. +Sets the container host name that is available inside the container. Can only be used with a private UTS namespace `--uts=private` (default). If `--pod` is specified and the pod shares the UTS namespace (default) the pod's hostname will be used. #### **--help** @@ -574,9 +574,9 @@ to the container with **--name** then it will generate a random string name. The name is useful any place you need to identify a container. This works for both background and foreground containers. -#### **--network**=*bridge*, **--net** +#### **--network**=*mode*, **--net** -Set the network mode for the container. Invalid if using **--dns**, **--dns-opt**, or **--dns-search** with **--network** that is set to **none** or **container:**_id_. +Set the network mode for the container. Invalid if using **--dns**, **--dns-opt**, or **--dns-search** with **--network** that is set to **none** or **container:**_id_. If used together with **--pod**, the container will not join the pod's network namespace. Valid _mode_ values are: diff --git a/docs/source/markdown/podman-play-kube.1.md b/docs/source/markdown/podman-play-kube.1.md index e14d1ed79..67584ffcc 100644 --- a/docs/source/markdown/podman-play-kube.1.md +++ b/docs/source/markdown/podman-play-kube.1.md @@ -58,6 +58,10 @@ Suppress output information when pulling images Directory path for seccomp profiles (default: "/var/lib/kubelet/seccomp"). (Not available for remote commands) +#### **--start**=*true|false* + +Start the pod after creating it, set to false to only create it. + #### **--tls-verify**=*true|false* Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index db9c98073..5b2cdd6a5 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -384,7 +384,7 @@ Print usage statement Container host name -Sets the container host name that is available inside the container. Can only be used with a private UTS namespace `--uts=private` (default). If `--pod` is specified and the pod shares the UTS namespace (default) the pods hostname will be used. +Sets the container host name that is available inside the container. Can only be used with a private UTS namespace `--uts=private` (default). If `--pod` is specified and the pod shares the UTS namespace (default) the pod's hostname will be used. #### **--http-proxy**=**true**|**false** @@ -602,7 +602,7 @@ This works for both background and foreground containers. #### **--network**=*mode*, **--net** -Set the network mode for the container. Invalid if using **--dns**, **--dns-opt**, or **--dns-search** with **--network** that is set to **none** or **container:**_id_. +Set the network mode for the container. Invalid if using **--dns**, **--dns-opt**, or **--dns-search** with **--network** that is set to **none** or **container:**_id_. If used together with **--pod**, the container will not join the pods network namespace. Valid _mode_ values are: diff --git a/docs/tutorials/image_signing.md b/docs/tutorials/image_signing.md index f0adca9af..0d1d63de2 100644 --- a/docs/tutorials/image_signing.md +++ b/docs/tutorials/image_signing.md @@ -34,7 +34,7 @@ Now let’s assume that we run a container registry. For example we could simply start one on our local machine: ```bash -> sudo podman run -d -p 5000:5000 docker.io/registry +sudo podman run -d -p 5000:5000 docker.io/registry ``` The registry does not know anything about image signing, it just provides the remote @@ -44,11 +44,11 @@ have to take care of how to distribute the signatures. Let’s choose a standard `alpine` image for our signing experiment: ```bash -> sudo podman pull docker://docker.io/alpine:latest +sudo podman pull docker://docker.io/alpine:latest ``` ```bash -> sudo podman images alpine +sudo podman images alpine REPOSITORY TAG IMAGE ID CREATED SIZE docker.io/library/alpine latest e7d92cdc71fe 6 weeks ago 5.86 MB ``` @@ -56,11 +56,11 @@ docker.io/library/alpine latest e7d92cdc71fe 6 weeks ago 5.86 MB Now we can re-tag the image to point it to our local registry: ```bash -> sudo podman tag alpine localhost:5000/alpine +sudo podman tag alpine localhost:5000/alpine ``` ```bash -> sudo podman images alpine +sudo podman images alpine REPOSITORY TAG IMAGE ID CREATED SIZE localhost:5000/alpine latest e7d92cdc71fe 6 weeks ago 5.86 MB docker.io/library/alpine latest e7d92cdc71fe 6 weeks ago 5.86 MB @@ -84,7 +84,7 @@ We can see that we have two signature stores configured: Now, let’s push and sign the image: ```bash -> sudo -E GNUPGHOME=$HOME/.gnupg \ +sudo -E GNUPGHOME=$HOME/.gnupg \ podman push \ --tls-verify=false \ --sign-by sgrunert@suse.com \ @@ -97,7 +97,7 @@ If we now take a look at the systems signature storage, then we see that there is a new signature available, which was caused by the image push: ```bash -> sudo ls /var/lib/containers/sigstore +sudo ls /var/lib/containers/sigstore 'alpine@sha256=e9b65ef660a3ff91d28cc50eba84f21798a6c5c39b4dd165047db49e84ae1fb9' ``` @@ -107,14 +107,14 @@ The default signature store in our edited version of the local staging signature store: ```bash -> sudo bash -c 'cd /var/lib/containers/sigstore && python3 -m http.server' +sudo bash -c 'cd /var/lib/containers/sigstore && python3 -m http.server' Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... ``` Let’s remove the local images for our verification test: ``` -> sudo podman rmi docker.io/alpine localhost:5000/alpine +sudo podman rmi docker.io/alpine localhost:5000/alpine ``` We have to write a policy to enforce that the signature has to be valid. This @@ -142,13 +142,13 @@ below example, copy the `"docker"` entry into the `"transports"` section of your The `keyPath` does not exist yet, so we have to put the GPG key there: ```bash -> gpg --output /tmp/key.gpg --armor --export sgrunert@suse.com +gpg --output /tmp/key.gpg --armor --export sgrunert@suse.com ``` If we now pull the image: ```bash -> sudo podman pull --tls-verify=false localhost:5000/alpine +sudo podman pull --tls-verify=false localhost:5000/alpine … Storing signatures e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a @@ -164,14 +164,14 @@ accessed: As an counterpart example, if we specify the wrong key at `/tmp/key.gpg`: ```bash -> gpg --output /tmp/key.gpg --armor --export mail@saschagrunert.de +gpg --output /tmp/key.gpg --armor --export mail@saschagrunert.de File '/tmp/key.gpg' exists. Overwrite? (y/N) y ``` Then a pull is not possible any more: ```bash -> sudo podman pull --tls-verify=false localhost:5000/alpine +sudo podman pull --tls-verify=false localhost:5000/alpine Trying to pull localhost:5000/alpine... Error: error pulling image "localhost:5000/alpine": unable to pull localhost:5000/alpine: unable to pull image: Source image rejected: Invalid GPG signature: … ``` diff --git a/docs/tutorials/mac_win_client.md b/docs/tutorials/mac_win_client.md index 9e0798bbf..af2668e10 100644 --- a/docs/tutorials/mac_win_client.md +++ b/docs/tutorials/mac_win_client.md @@ -36,7 +36,7 @@ $ systemctl --user enable --now podman.socket You will need to enable linger for this user in order for the socket to work when the user is not logged in. ``` -$ sudo loginctl enable-linger $USER +sudo loginctl enable-linger $USER ``` You can verify that the socket is listening with a simple Podman command. @@ -55,7 +55,7 @@ host: In order for the client to communicate with the server you need to enable and start the SSH daemon on your Linux machine, if it is not currently enabled. ``` -$ sudo systemctl enable -s sshd +sudo systemctl enable --now -s sshd ``` #### Setting up SSH diff --git a/docs/tutorials/podman_tutorial.md b/docs/tutorials/podman_tutorial.md index 85b95af04..c15de67a6 100644 --- a/docs/tutorials/podman_tutorial.md +++ b/docs/tutorials/podman_tutorial.md @@ -41,7 +41,7 @@ Note: If you add *-a* to the *ps* command, Podman will show all containers. You can "inspect" a running container for metadata and details about itself. We can even use the inspect subcommand to see what IP address was assigned to the container. As the container is running in rootless mode, an IP address is not assigned and the value will be listed as "none" in the output from inspect. ```console -$ podman inspect -l | grep IPAddress\": +podman inspect -l | grep IPAddress\": "SecondaryIPAddresses": null, "IPAddress": "", ``` @@ -60,7 +60,7 @@ curl http://<IP_address>:8080 ### Viewing the container's logs You can view the container's logs with Podman as well: ```console -$ sudo podman logs --latest +podman logs --latest 10.88.0.1 - - [07/Feb/2018:15:22:11 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-" 10.88.0.1 - - [07/Feb/2018:15:22:30 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-" 10.88.0.1 - - [07/Feb/2018:15:22:30 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-" @@ -71,7 +71,7 @@ $ sudo podman logs --latest ### Viewing the container's pids And you can observe the httpd pid in the container with *top*. ```console -$ sudo podman top <container_id> +podman top <container_id> UID PID PPID C STIME TTY TIME CMD 0 31873 31863 0 09:21 ? 00:00:00 nginx: master process nginx -g daemon off; 101 31889 31873 0 09:21 ? 00:00:00 nginx: worker process @@ -81,6 +81,8 @@ $ sudo podman top <container_id> Checkpointing a container stops the container while writing the state of all processes in the container to disk. With this a container can later be restored and continue running at exactly the same point in time as the checkpoint. This capability requires CRIU 3.11 or later installed on the system. +This feature is not supported as rootless; as such, if you wish to try it, you'll need to re-create your container as root, using the same command but with sudo. + To checkpoint the container use: ```console sudo podman container checkpoint <container_id> @@ -124,18 +126,18 @@ curl http://<IP_address>:8080 ### Stopping the container To stop the httpd container: ```console -sudo podman stop --latest +podman stop --latest ``` You can also check the status of one or more containers using the *ps* subcommand. In this case, we should use the *-a* argument to list all containers. ```console -sudo podman ps -a +podman ps -a ``` ### Removing the container To remove the httpd container: ```console -sudo podman rm --latest +podman rm --latest ``` You can verify the deletion of the container by running *podman ps -a*. diff --git a/docs/tutorials/remote_client.md b/docs/tutorials/remote_client.md index ad506d19a..e39d804a6 100644 --- a/docs/tutorials/remote_client.md +++ b/docs/tutorials/remote_client.md @@ -29,19 +29,19 @@ You will need to [install Podman](https://podman.io/getting-started/installation Before performing any Podman client commands, you must enable the podman.sock SystemD service on the Linux server. In these examples, we are running Podman as a normal, unprivileged user, also known as a rootless user. By default, the rootless socket listens at `/run/user/${UID}/podman/podman.sock`. You can enable this socket permanently using the following command: ``` -$ systemctl --user enable podman.socket +systemctl --user enable --now podman.socket ``` You will need to enable linger for this user in order for the socket to work when the user is not logged in: ``` -$ sudo loginctl enable-linger $USER +sudo loginctl enable-linger $USER ``` This is only required if you are not running Podman as root. You can verify that the socket is listening with a simple Podman command. ``` -$ podman --remote info +podman --remote info host: arch: amd64 buildahVersion: 1.16.0-dev @@ -54,13 +54,13 @@ host: In order for the Podman client to communicate with the server you need to enable and start the SSH daemon on your Linux machine, if it is not currently enabled. ``` -$ sudo systemctl enable -s sshd +sudo systemctl enable --now -s sshd ``` #### Setting up SSH Remote Podman uses SSH to communicate between the client and server. The remote client works considerably smoother using SSH keys. To set up your ssh connection, you need to generate an ssh key pair from your client machine. ``` -$ ssh-keygen +ssh-keygen ``` Your public key by default should be in your home directory under ~/.ssh/id_rsa.pub. You then need to copy the contents of id_rsa.pub and append it into ~/.ssh/authorized_keys on the Linux server. You can automate this using ssh-copy-id. @@ -75,13 +75,13 @@ The first step in using the Podman remote client is to configure a connection. You can add a connection by using the `podman-remote system connection add` command. ``` -$ podman-remote system connection add myuser --identity ~/.ssh/id_rsa ssh://192.168.122.1/run/user/1000/podman/podman.sock +podman-remote system connection add myuser --identity ~/.ssh/id_rsa ssh://192.168.122.1/run/user/1000/podman/podman.sock ``` This will add a remote connection to Podman and if it is the first connection added, it will mark the connection as the default. You can observe your connections with `podman-remote system connection list`: ``` -$ podman-remote system connection list +podman-remote system connection list Name Identity URI myuser* id_rsa ssh://myuser@192.168.122.1/run/user/1000/podman/podman.sock ``` @@ -89,7 +89,7 @@ myuser* id_rsa ssh://myuser@192.168.122.1/run/user/1000/podman/podman.s Now we can test the connection with `podman info`: ``` -$ podman-remote info +podman-remote info host: arch: amd64 buildahVersion: 1.16.0-dev @@ -101,7 +101,7 @@ host: Podman-remote has also introduced a “--connection” flag where you can use other connections you have defined. If no connection is provided, the default connection will be used. ``` -$ podman-remote system connection --help +podman-remote system connection --help ``` ## Wrap up diff --git a/docs/tutorials/rootless_tutorial.md b/docs/tutorials/rootless_tutorial.md index 3b9cbd2d0..9d8851bc8 100644 --- a/docs/tutorials/rootless_tutorial.md +++ b/docs/tutorials/rootless_tutorial.md @@ -6,14 +6,14 @@ Prior to allowing users without root privileges to run Podman, the administrator ## cgroup V2 support -The cgroup V2 Linux kernel feature allows the user to limit the amount of resources a rootless container can use. If the Linux distribution that you are running Podman on is enabled with cgroup V2 then you might need to change the default OCI Runtime. The default runtime `runc` does not currently work with cgroup V2 enabled systems, so you have to switch to the alternative OCI runtime `crun`. +The cgroup V2 Linux kernel feature allows the user to limit the amount of resources a rootless container can use. If the Linux distribution that you are running Podman on is enabled with cgroup V2 then you might need to change the default OCI Runtime. Some older versions of `runc` do not work with cgroup V2, you might have to switch to the alternative OCI runtime `crun`. -The alternative OCI runtime support for cgroup V2 can be turned on at the command line by using the `--runtime` option: +The alternative OCI runtime support for cgroup V2 can also be turned on at the command line by using the `--runtime` option: ``` -sudo podman --runtime /usr/bin/crun +podman --runtime crun ``` -or by changing the value for the "Default OCI runtime" in the containers.conf file either at the system level or at the [user level](#user-configuration-files) from `runtime = "runc"` to `runtime = "crun"`. +or for all commands by changing the value for the "Default OCI runtime" in the containers.conf file either at the system level or at the [user level](#user-configuration-files) from `runtime = "runc"` to `runtime = "crun"`. ## Administrator Actions @@ -10,12 +10,12 @@ require ( github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd // indirect github.com/containernetworking/cni v0.8.0 github.com/containernetworking/plugins v0.8.7 - github.com/containers/buildah v1.17.1-0.20201113135631-d0c958d65eb2 + github.com/containers/buildah v1.18.0 github.com/containers/common v0.27.0 github.com/containers/conmon v2.0.20+incompatible github.com/containers/image/v5 v5.8.0 github.com/containers/psgo v1.5.1 - github.com/containers/storage v1.23.9 + github.com/containers/storage v1.24.0 github.com/coreos/go-systemd/v22 v22.1.0 github.com/cri-o/ocicni v0.2.1-0.20201102180012-75c612fda1a2 github.com/cyphar/filepath-securejoin v0.2.2 @@ -26,6 +26,8 @@ github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcy github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= github.com/Microsoft/go-winio v0.4.15-0.20200113171025-3fe6c5262873 h1:93nQ7k53GjoMQ07HVP8g6Zj1fQZDDj7Xy2VkNNtvX8o= github.com/Microsoft/go-winio v0.4.15-0.20200113171025-3fe6c5262873/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= +github.com/Microsoft/go-winio v0.4.15 h1:qkLXKzb1QoVatRyd/YlXZ/Kg0m5K3SPuoD82jjSOaBc= +github.com/Microsoft/go-winio v0.4.15/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg= github.com/Microsoft/hcsshim v0.8.9 h1:VrfodqvztU8YSOvygU+DN1BGaSGxmrNfqOv5oOuX2Bk= github.com/Microsoft/hcsshim v0.8.9/go.mod h1:5692vkUqntj1idxauYlpoINNKeqCiG6Sg38RRsjT5y8= @@ -91,8 +93,8 @@ github.com/containernetworking/cni v0.8.0 h1:BT9lpgGoH4jw3lFC7Odz2prU5ruiYKcgAjM github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= github.com/containernetworking/plugins v0.8.7 h1:bU7QieuAp+sACI2vCzESJ3FoT860urYP+lThyZkb/2M= github.com/containernetworking/plugins v0.8.7/go.mod h1:R7lXeZaBzpfqapcAbHRW8/CYwm0dHzbz0XEjofx0uB0= -github.com/containers/buildah v1.17.1-0.20201113135631-d0c958d65eb2 h1:sYOJ4xbCJTQEhjQax649sE+iy8ZohxmLGP8pCTrnypY= -github.com/containers/buildah v1.17.1-0.20201113135631-d0c958d65eb2/go.mod h1:+GBrGojiBt2/IXxKYMCVD02kLIxfe5KYMvCwBjhJkFk= +github.com/containers/buildah v1.18.0 h1:mWEm013LVNGecF++sYo0T7fe/4pqMas/PQxQ/qviC68= +github.com/containers/buildah v1.18.0/go.mod h1:qHLk7RUL7cHfA7ve1MKkZ6cyKUxHD0YxiLJcKY+mJe8= github.com/containers/common v0.26.3/go.mod h1:hJWZIlrl5MsE2ELNRa+MPp6I1kPbXHauuj0Ym4BsLG4= github.com/containers/common v0.27.0 h1:+QlYEOitVYtU9/x8xebRgxdGqt4sLaIqV6MBOns+zLk= github.com/containers/common v0.27.0/go.mod h1:ZTswJJfu4aGF6Anyi2yON8Getda9NDYcdIzurOEHHXI= @@ -111,6 +113,8 @@ github.com/containers/storage v1.23.6/go.mod h1:haFs0HRowKwyzvWEx9EgI3WsL8XCSnBD github.com/containers/storage v1.23.7/go.mod h1:cUT2zHjtx+WlVri30obWmM2gpqpi8jfPsmIzP1TVpEI= github.com/containers/storage v1.23.9 h1:qbgnTp76pLSyW3vYwY5GH4vk5cHYVXFJ+CsUEBp9TMw= github.com/containers/storage v1.23.9/go.mod h1:3b2ktpB6pw53SEeIoFfO0sQfP9+IoJJKPq5iJk74gxE= +github.com/containers/storage v1.24.0 h1:Fo2LkF7tkMLmo38sTZ/G8wHjcn8JfUFPfyTxM4WwMfk= +github.com/containers/storage v1.24.0/go.mod h1:A4d3BzuZK9b3oLVEsiSRhZLPIx3z7utgiPyXLK/YMhY= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-iptables v0.4.5 h1:DpHb9vJrZQEFMcVLFKAAGMUVX0XoRC0ptCthinRYm38= diff --git a/libpod/boltdb_state.go b/libpod/boltdb_state.go index be0adfe6a..dcb2ff751 100644 --- a/libpod/boltdb_state.go +++ b/libpod/boltdb_state.go @@ -1296,10 +1296,6 @@ func (s *BoltState) NetworkDisconnect(ctr *Container, network string) error { } ctrAliasesBkt := dbCtr.Bucket(aliasesBkt) - if ctrAliasesBkt == nil { - return errors.Wrapf(define.ErrNoAliases, "container %s has no network aliases", ctr.ID()) - } - ctrNetworksBkt := dbCtr.Bucket(networksBkt) if ctrNetworksBkt == nil { return errors.Wrapf(define.ErrNoSuchNetwork, "container %s is not connected to any CNI networks, so cannot disconnect", ctr.ID()) @@ -1313,13 +1309,15 @@ func (s *BoltState) NetworkDisconnect(ctr *Container, network string) error { return errors.Wrapf(err, "error removing container %s from network %s", ctr.ID(), network) } - bktExists := ctrAliasesBkt.Bucket([]byte(network)) - if bktExists == nil { - return nil - } + if ctrAliasesBkt != nil { + bktExists := ctrAliasesBkt.Bucket([]byte(network)) + if bktExists == nil { + return nil + } - if err := ctrAliasesBkt.DeleteBucket([]byte(network)); err != nil { - return errors.Wrapf(err, "error removing container %s network aliases for network %s", ctr.ID(), network) + if err := ctrAliasesBkt.DeleteBucket([]byte(network)); err != nil { + return errors.Wrapf(err, "error removing container %s network aliases for network %s", ctr.ID(), network) + } } return nil diff --git a/libpod/container.go b/libpod/container.go index 580fa7b3d..9009a4ec8 100644 --- a/libpod/container.go +++ b/libpod/container.go @@ -1,22 +1,18 @@ package libpod import ( + "bytes" "fmt" "io/ioutil" "net" "os" - "path/filepath" - "strings" "time" "github.com/containernetworking/cni/pkg/types" cnitypes "github.com/containernetworking/cni/pkg/types/current" - "github.com/containers/common/pkg/config" "github.com/containers/image/v5/manifest" "github.com/containers/podman/v2/libpod/define" "github.com/containers/podman/v2/libpod/lock" - "github.com/containers/podman/v2/pkg/rootless" - "github.com/containers/podman/v2/utils" "github.com/containers/storage" "github.com/cri-o/ocicni/pkg/ocicni" spec "github.com/opencontainers/runtime-spec/specs-go" @@ -912,44 +908,23 @@ func (c *Container) CgroupManager() string { // CGroupPath returns a cgroups "path" for a given container. func (c *Container) CGroupPath() (string, error) { - cgroupManager := c.CgroupManager() - - switch { - case c.config.NoCgroups || c.config.CgroupsMode == "disabled": + if c.config.NoCgroups || c.config.CgroupsMode == "disabled" { return "", errors.Wrapf(define.ErrNoCgroups, "this container is not creating cgroups") - case c.config.CgroupsMode == cgroupSplit: - if c.config.CgroupParent != "" { - return "", errors.Errorf("cannot specify cgroup-parent with cgroup-mode %q", cgroupSplit) - } - cg, err := utils.GetCgroupProcess(c.state.ConmonPID) - if err != nil { - return "", err - } - // Use the conmon cgroup for two reasons: we validate the container - // delegation was correct, and the conmon cgroup doesn't change at runtime - // while we are not sure about the container that can create sub cgroups. - if !strings.HasSuffix(cg, "supervisor") { - return "", errors.Errorf("invalid cgroup for conmon %q", cg) - } - return strings.TrimSuffix(cg, "/supervisor") + "/container", nil - case cgroupManager == config.CgroupfsCgroupsManager: - return filepath.Join(c.config.CgroupParent, fmt.Sprintf("libpod-%s", c.ID())), nil - case cgroupManager == config.SystemdCgroupsManager: - if rootless.IsRootless() { - uid := rootless.GetRootlessUID() - parts := strings.SplitN(c.config.CgroupParent, "/", 2) - - dir := "" - if len(parts) > 1 { - dir = parts[1] - } + } - return filepath.Join(parts[0], fmt.Sprintf("user-%d.slice/user@%d.service/user.slice/%s", uid, uid, dir), createUnitName("libpod", c.ID())), nil - } - return filepath.Join(c.config.CgroupParent, createUnitName("libpod", c.ID())), nil - default: - return "", errors.Wrapf(define.ErrInvalidArg, "unsupported CGroup manager %s in use", cgroupManager) + // Read /proc/[PID]/cgroup and look at the first line. cgroups(7) + // nails it down to three fields with the 3rd pointing to the cgroup's + // path which works both on v1 and v2. + procPath := fmt.Sprintf("/proc/%d/cgroup", c.state.PID) + lines, err := ioutil.ReadFile(procPath) + if err != nil { + return "", err } + fields := bytes.Split(bytes.Split(lines, []byte("\n"))[0], []byte(":")) + if len(fields) != 3 { + return "", errors.Errorf("expected 3 fields but got %d: %s", len(fields), procPath) + } + return string(fields[2]), nil } // RootFsSize returns the root FS size of the container @@ -1113,3 +1088,17 @@ func (c *Container) networks() ([]string, error) { return networks, err } + +// networksByNameIndex provides us with a map of container networks where key +// is network name and value is the index position +func (c *Container) networksByNameIndex() (map[string]int, error) { + networks, err := c.networks() + if err != nil { + return nil, err + } + networkNamesByIndex := make(map[string]int, len(networks)) + for index, name := range networks { + networkNamesByIndex[name] = index + } + return networkNamesByIndex, nil +} diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index 83d5c20cb..b81f3f716 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -1354,6 +1354,14 @@ func (c *Container) makeBindMounts() error { return err } } + } else { + if !c.config.UseImageHosts && c.state.BindMounts["/etc/hosts"] == "" { + newHosts, err := c.generateHosts("/etc/hosts") + if err != nil { + return errors.Wrapf(err, "error creating hosts file for container %s", c.ID()) + } + c.state.BindMounts["/etc/hosts"] = newHosts + } } // SHM is always added when we mount the container @@ -1614,14 +1622,11 @@ func (c *Container) getHosts() string { } if !hasNetNS { // 127.0.1.1 and host's hostname to match Docker - osHostname, err := os.Hostname() - if err != nil { - osHostname = c.Hostname() - } - hosts += fmt.Sprintf("127.0.1.1 %s\n", osHostname) + osHostname, _ := os.Hostname() + hosts += fmt.Sprintf("127.0.1.1 %s %s %s\n", osHostname, c.Hostname(), c.config.Name) } if netNone { - hosts += fmt.Sprintf("127.0.1.1 %s\n", c.Hostname()) + hosts += fmt.Sprintf("127.0.1.1 %s %s\n", c.Hostname(), c.config.Name) } } } @@ -2091,10 +2096,7 @@ func (c *Container) getOCICgroupPath() (string, error) { logrus.Debugf("Setting CGroups for container %s to %s", c.ID(), systemdCgroups) return systemdCgroups, nil case cgroupManager == config.CgroupfsCgroupsManager: - cgroupPath, err := c.CGroupPath() - if err != nil { - return "", err - } + cgroupPath := filepath.Join(c.config.CgroupParent, fmt.Sprintf("libpod-%s", c.ID())) logrus.Debugf("Setting CGroup path for container %s to %s", c.ID(), cgroupPath) return cgroupPath, nil default: diff --git a/libpod/define/pod_inspect.go b/libpod/define/pod_inspect.go index a4115eb92..2fa91166f 100644 --- a/libpod/define/pod_inspect.go +++ b/libpod/define/pod_inspect.go @@ -67,7 +67,7 @@ type InspectPodInfraConfig struct { StaticIP net.IP // StaticMAC is a static MAC address that will be assigned to the infra // container and then used by the pod. - StaticMAC net.HardwareAddr + StaticMAC string // NoManageResolvConf indicates that the pod will not manage resolv.conf // and instead each container will handle their own. NoManageResolvConf bool diff --git a/libpod/filters/pods.go b/libpod/filters/pods.go index 7d12eefa6..3cd97728f 100644 --- a/libpod/filters/pods.go +++ b/libpod/filters/pods.go @@ -88,7 +88,7 @@ func GeneratePodFilterFunc(filter, filterValue string) ( return match }, nil case "status": - if !util.StringInSlice(filterValue, []string{"stopped", "running", "paused", "exited", "dead", "created"}) { + if !util.StringInSlice(filterValue, []string{"stopped", "running", "paused", "exited", "dead", "created", "degraded"}) { return nil, errors.Errorf("%s is not a valid pod status", filterValue) } return func(p *libpod.Pod) bool { diff --git a/libpod/network/create.go b/libpod/network/create.go index c11904ecf..387f4fcd3 100644 --- a/libpod/network/create.go +++ b/libpod/network/create.go @@ -8,7 +8,7 @@ import ( "path/filepath" "github.com/containernetworking/cni/pkg/version" - "github.com/containers/podman/v2/libpod" + "github.com/containers/common/pkg/config" "github.com/containers/podman/v2/pkg/domain/entities" "github.com/containers/podman/v2/pkg/rootless" "github.com/containers/podman/v2/pkg/util" @@ -16,25 +16,21 @@ import ( ) // Create the CNI network -func Create(name string, options entities.NetworkCreateOptions, r *libpod.Runtime) (*entities.NetworkCreateReport, error) { +func Create(name string, options entities.NetworkCreateOptions, runtimeConfig *config.Config) (*entities.NetworkCreateReport, error) { var fileName string if err := isSupportedDriver(options.Driver); err != nil { return nil, err } - config, err := r.GetConfig() - if err != nil { - return nil, err - } // Acquire a lock for CNI - l, err := acquireCNILock(filepath.Join(config.Engine.TmpDir, LockFileName)) + l, err := acquireCNILock(filepath.Join(runtimeConfig.Engine.TmpDir, LockFileName)) if err != nil { return nil, err } defer l.releaseCNILock() if len(options.MacVLAN) > 0 { - fileName, err = createMacVLAN(r, name, options) + fileName, err = createMacVLAN(name, options, runtimeConfig) } else { - fileName, err = createBridge(r, name, options) + fileName, err = createBridge(name, options, runtimeConfig) } if err != nil { return nil, err @@ -81,17 +77,17 @@ func validateBridgeOptions(options entities.NetworkCreateOptions) error { } // createBridge creates a CNI network -func createBridge(r *libpod.Runtime, name string, options entities.NetworkCreateOptions) (string, error) { +func createBridge(name string, options entities.NetworkCreateOptions, runtimeConfig *config.Config) (string, error) { + var ( + ipamRanges [][]IPAMLocalHostRangeConf + err error + routes []IPAMRoute + ) isGateway := true ipMasq := true - runtimeConfig, err := r.GetConfig() - if err != nil { - return "", err - } // validate options - err = validateBridgeOptions(options) - if err != nil { + if err := validateBridgeOptions(options); err != nil { return "", err } @@ -102,8 +98,6 @@ func createBridge(r *libpod.Runtime, name string, options entities.NetworkCreate subnet := &options.Subnet ipRange := &options.Range gateway := options.Gateway - var ipamRanges [][]IPAMLocalHostRangeConf - var routes []IPAMRoute if subnet.IP != nil { // if network is provided, does it conflict with existing CNI or live networks err = ValidateUserNetworkIsAvailable(runtimeConfig, subnet) @@ -201,7 +195,7 @@ func createBridge(r *libpod.Runtime, name string, options entities.NetworkCreate return cniPathName, err } -func createMacVLAN(r *libpod.Runtime, name string, options entities.NetworkCreateOptions) (string, error) { +func createMacVLAN(name string, options entities.NetworkCreateOptions, runtimeConfig *config.Config) (string, error) { var ( plugins []CNIPlugins ) @@ -210,17 +204,12 @@ func createMacVLAN(r *libpod.Runtime, name string, options entities.NetworkCreat return "", err } - config, err := r.GetConfig() - if err != nil { - return "", err - } - // Make sure the host-device exists if !util.StringInSlice(options.MacVLAN, liveNetNames) { return "", errors.Errorf("failed to find network interface %q", options.MacVLAN) } if len(name) > 0 { - netNames, err := GetNetworkNamesFromFileSystem(config) + netNames, err := GetNetworkNamesFromFileSystem(runtimeConfig) if err != nil { return "", err } @@ -228,7 +217,7 @@ func createMacVLAN(r *libpod.Runtime, name string, options entities.NetworkCreat return "", errors.Errorf("the network name %s is already used", name) } } else { - name, err = GetFreeDeviceName(config) + name, err = GetFreeDeviceName(runtimeConfig) if err != nil { return "", err } @@ -241,7 +230,7 @@ func createMacVLAN(r *libpod.Runtime, name string, options entities.NetworkCreat if err != nil { return "", err } - cniPathName := filepath.Join(GetCNIConfDir(config), fmt.Sprintf("%s.conflist", name)) + cniPathName := filepath.Join(GetCNIConfDir(runtimeConfig), fmt.Sprintf("%s.conflist", name)) err = ioutil.WriteFile(cniPathName, b, 0644) return cniPathName, err } diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go index fed90cfc3..3882e095a 100644 --- a/libpod/networking_linux.go +++ b/libpod/networking_linux.go @@ -13,6 +13,7 @@ import ( "os" "os/exec" "path/filepath" + "sort" "strings" "syscall" "time" @@ -20,6 +21,7 @@ import ( cnitypes "github.com/containernetworking/cni/pkg/types/current" "github.com/containernetworking/plugins/pkg/ns" "github.com/containers/podman/v2/libpod/define" + "github.com/containers/podman/v2/libpod/network" "github.com/containers/podman/v2/pkg/errorhandling" "github.com/containers/podman/v2/pkg/netns" "github.com/containers/podman/v2/pkg/rootless" @@ -981,3 +983,139 @@ func (w *logrusDebugWriter) Write(p []byte) (int, error) { logrus.Debugf("%s%s", w.prefix, string(p)) return len(p), nil } + +// DisconnectContainerFromNetwork removes a container from its CNI network +func (r *Runtime) DisconnectContainerFromNetwork(nameOrID, netName string, force bool) error { + ctr, err := r.LookupContainer(nameOrID) + if err != nil { + return err + } + + networks, err := ctr.networksByNameIndex() + if err != nil { + return err + } + + exists, err := network.Exists(r.config, netName) + if err != nil { + return err + } + if !exists { + return errors.Wrap(define.ErrNoSuchNetwork, netName) + } + + index, nameExists := networks[netName] + if !nameExists && len(networks) > 0 { + return errors.Errorf("container %s is not connected to network %s", nameOrID, netName) + } + + ctr.lock.Lock() + defer ctr.lock.Unlock() + if err := ctr.syncContainer(); err != nil { + return err + } + + podConfig := r.getPodNetwork(ctr.ID(), ctr.Name(), ctr.state.NetNS.Path(), []string{netName}, ctr.config.PortMappings, nil, nil) + if err := r.netPlugin.TearDownPod(podConfig); err != nil { + return err + } + if err := r.state.NetworkDisconnect(ctr, netName); err != nil { + return err + } + + // update network status + networkStatus := ctr.state.NetworkStatus + // if len is one and we confirmed earlier that the container is in + // fact connected to the network, then just return an empty slice + if len(networkStatus) == 1 { + ctr.state.NetworkStatus = make([]*cnitypes.Result, 0) + } else { + // clip out the index of the network + networkStatus[len(networkStatus)-1], networkStatus[index] = networkStatus[index], networkStatus[len(networkStatus)-1] + // shorten the slice by one + ctr.state.NetworkStatus = networkStatus[:len(networkStatus)-1] + } + return nil +} + +// ConnectContainerToNetwork connects a container to a CNI network +func (r *Runtime) ConnectContainerToNetwork(nameOrID, netName string, aliases []string) error { + ctr, err := r.LookupContainer(nameOrID) + if err != nil { + return err + } + + networks, err := ctr.networksByNameIndex() + if err != nil { + return err + } + + exists, err := network.Exists(r.config, netName) + if err != nil { + return err + } + if !exists { + return errors.Wrap(define.ErrNoSuchNetwork, netName) + } + + _, nameExists := networks[netName] + if !nameExists && len(networks) > 0 { + return errors.Errorf("container %s is not connected to network %s", nameOrID, netName) + } + + ctr.lock.Lock() + defer ctr.lock.Unlock() + if err := ctr.syncContainer(); err != nil { + return err + } + + if err := r.state.NetworkConnect(ctr, netName, aliases); err != nil { + return err + } + + podConfig := r.getPodNetwork(ctr.ID(), ctr.Name(), ctr.state.NetNS.Path(), []string{netName}, ctr.config.PortMappings, nil, nil) + podConfig.Aliases = make(map[string][]string, 1) + podConfig.Aliases[netName] = aliases + results, err := r.netPlugin.SetUpPod(podConfig) + if err != nil { + return err + } + if len(results) != 1 { + return errors.New("when adding aliases, results must be of length 1") + } + + networkResults := make([]*cnitypes.Result, 0) + for _, r := range results { + resultCurrent, err := cnitypes.GetResult(r.Result) + if err != nil { + return errors.Wrapf(err, "error parsing CNI plugin result %q: %v", r.Result, err) + } + networkResults = append(networkResults, resultCurrent) + } + + // update network status + networkStatus := ctr.state.NetworkStatus + // if len is one and we confirmed earlier that the container is in + // fact connected to the network, then just return an empty slice + if len(networkStatus) == 0 { + ctr.state.NetworkStatus = append(ctr.state.NetworkStatus, networkResults...) + } else { + // build a list of network names so we can sort and + // get the new name's index + var networkNames []string + for netName := range networks { + networkNames = append(networkNames, netName) + } + networkNames = append(networkNames, netName) + // sort + sort.Strings(networkNames) + // get index of new network name + index := sort.SearchStrings(networkNames, netName) + // Append a zero value to to the slice + networkStatus = append(networkStatus, &cnitypes.Result{}) + // populate network status + copy(networkStatus[index+1:], networkStatus[index:]) + networkStatus[index] = networkResults[0] + } + return nil +} diff --git a/libpod/pod_api.go b/libpod/pod_api.go index 87ac5c07a..845948dd3 100644 --- a/libpod/pod_api.go +++ b/libpod/pod_api.go @@ -535,7 +535,7 @@ func (p *Pod) Inspect() (*define.InspectPodData, error) { infraConfig = new(define.InspectPodInfraConfig) infraConfig.HostNetwork = p.config.InfraContainer.HostNetwork infraConfig.StaticIP = p.config.InfraContainer.StaticIP - infraConfig.StaticMAC = p.config.InfraContainer.StaticMAC + infraConfig.StaticMAC = p.config.InfraContainer.StaticMAC.String() infraConfig.NoManageResolvConf = p.config.InfraContainer.UseImageResolvConf infraConfig.NoManageHosts = p.config.InfraContainer.UseImageHosts diff --git a/pkg/api/handlers/compat/networks.go b/pkg/api/handlers/compat/networks.go index abbb6d2c0..64ddebf9c 100644 --- a/pkg/api/handlers/compat/networks.go +++ b/pkg/api/handlers/compat/networks.go @@ -312,48 +312,40 @@ func RemoveNetwork(w http.ResponseWriter, r *http.Request) { } // Connect adds a container to a network -// TODO: For now this func is a no-op that checks the container name, network name, and -// responds with a 200. This allows the call to remain intact. We need to decide how -// we make this work with CNI networking and setup/teardown. func Connect(w http.ResponseWriter, r *http.Request) { runtime := r.Context().Value("runtime").(*libpod.Runtime) - var netConnect types.NetworkConnect + var ( + aliases []string + netConnect types.NetworkConnect + ) if err := json.NewDecoder(r.Body).Decode(&netConnect); err != nil { utils.Error(w, "Something went wrong.", http.StatusInternalServerError, errors.Wrap(err, "Decode()")) return } - config, err := runtime.GetConfig() - if err != nil { - utils.InternalServerError(w, err) - return - } name := utils.GetName(r) - exists, err := network.Exists(config, name) - if err != nil { - utils.InternalServerError(w, err) - return - } - if !exists { - utils.Error(w, "network not found", http.StatusNotFound, define.ErrNoSuchNetwork) - return + if netConnect.EndpointConfig != nil { + if netConnect.EndpointConfig.Aliases != nil { + aliases = netConnect.EndpointConfig.Aliases + } } - if _, err = runtime.LookupContainer(netConnect.Container); err != nil { + err := runtime.ConnectContainerToNetwork(netConnect.Container, name, aliases) + if err != nil { if errors.Cause(err) == define.ErrNoSuchCtr { utils.ContainerNotFound(w, netConnect.Container, err) return } - utils.Error(w, "unable to lookup container", http.StatusInternalServerError, err) + if errors.Cause(err) == define.ErrNoSuchNetwork { + utils.Error(w, "network not found", http.StatusNotFound, err) + return + } + utils.Error(w, "Something went wrong.", http.StatusInternalServerError, err) return } - logrus.Warnf("network connect endpoint is not fully implemented - tried to connect container %s to network %s", netConnect.Container, name) utils.WriteResponse(w, http.StatusOK, "OK") } // Disconnect removes a container from a network -// TODO: For now this func is a no-op that checks the container name, network name, and -// responds with a 200. This allows the call to remain intact. We need to decide how -// we make this work with CNI networking and setup/teardown. func Disconnect(w http.ResponseWriter, r *http.Request) { runtime := r.Context().Value("runtime").(*libpod.Runtime) @@ -362,29 +354,20 @@ func Disconnect(w http.ResponseWriter, r *http.Request) { utils.Error(w, "Something went wrong.", http.StatusInternalServerError, errors.Wrap(err, "Decode()")) return } - config, err := runtime.GetConfig() - if err != nil { - utils.InternalServerError(w, err) - return - } + name := utils.GetName(r) - exists, err := network.Exists(config, name) + err := runtime.DisconnectContainerFromNetwork(netDisconnect.Container, name, netDisconnect.Force) if err != nil { - utils.InternalServerError(w, err) - return - } - if !exists { - utils.Error(w, "network not found", http.StatusNotFound, define.ErrNoSuchNetwork) - return - } - if _, err = runtime.LookupContainer(netDisconnect.Container); err != nil { if errors.Cause(err) == define.ErrNoSuchCtr { - utils.ContainerNotFound(w, netDisconnect.Container, err) + utils.Error(w, "container not found", http.StatusNotFound, err) + return + } + if errors.Cause(err) == define.ErrNoSuchNetwork { + utils.Error(w, "network not found", http.StatusNotFound, err) return } - utils.Error(w, "unable to lookup container", http.StatusInternalServerError, err) + utils.Error(w, "Something went wrong.", http.StatusInternalServerError, err) return } - logrus.Warnf("network disconnect endpoint is not fully implemented - tried to connect container %s to network %s", netDisconnect.Container, name) utils.WriteResponse(w, http.StatusOK, "OK") } diff --git a/pkg/api/handlers/libpod/play.go b/pkg/api/handlers/libpod/play.go index 0c7a6e19d..42ff26a57 100644 --- a/pkg/api/handlers/libpod/play.go +++ b/pkg/api/handlers/libpod/play.go @@ -23,8 +23,10 @@ func PlayKube(w http.ResponseWriter, r *http.Request) { Network string `schema:"reference"` TLSVerify bool `schema:"tlsVerify"` LogDriver string `schema:"logDriver"` + Start bool `schema:"start"` }{ TLSVerify: true, + Start: true, } if err := decoder.Decode(&query, r.URL.Query()); err != nil { @@ -73,6 +75,9 @@ func PlayKube(w http.ResponseWriter, r *http.Request) { if _, found := r.URL.Query()["tlsVerify"]; found { options.SkipTLSVerify = types.NewOptionalBool(!query.TLSVerify) } + if _, found := r.URL.Query()["start"]; found { + options.Start = types.NewOptionalBool(query.Start) + } report, err := containerEngine.PlayKube(r.Context(), tmpfile.Name(), options) if err != nil { diff --git a/pkg/api/server/register_play.go b/pkg/api/server/register_play.go index e41f8311d..6aa349a3b 100644 --- a/pkg/api/server/register_play.go +++ b/pkg/api/server/register_play.go @@ -29,6 +29,11 @@ func (s *APIServer) registerPlayHandlers(r *mux.Router) error { // name: logDriver // type: string // description: Logging driver for the containers in the pod. + // - in: query + // name: start + // type: boolean + // default: true + // description: Start the pod after creating it. // - in: body // name: request // description: Kubernetes YAML file. diff --git a/pkg/bindings/play/play.go b/pkg/bindings/play/play.go index 8af3b8fb1..cfb40d74b 100644 --- a/pkg/bindings/play/play.go +++ b/pkg/bindings/play/play.go @@ -30,7 +30,10 @@ func Kube(ctx context.Context, path string, options entities.PlayKubeOptions) (* params.Set("network", options.Network) params.Set("logDriver", options.LogDriver) if options.SkipTLSVerify != types.OptionalBoolUndefined { - params.Set("tlsVerify", strconv.FormatBool(options.SkipTLSVerify == types.OptionalBoolTrue)) + params.Set("tlsVerify", strconv.FormatBool(options.SkipTLSVerify != types.OptionalBoolTrue)) + } + if options.Start != types.OptionalBoolUndefined { + params.Set("start", strconv.FormatBool(options.Start == types.OptionalBoolTrue)) } // TODO: have a global system context we can pass around (1st argument) diff --git a/pkg/domain/entities/play.go b/pkg/domain/entities/play.go index 7e4afcc28..0b42e1a3f 100644 --- a/pkg/domain/entities/play.go +++ b/pkg/domain/entities/play.go @@ -28,6 +28,8 @@ type PlayKubeOptions struct { ConfigMaps []string // LogDriver for the container. For example: journald LogDriver string + // Start - don't start the pod if false + Start types.OptionalBool } // PlayKubePod represents a single pod and associated containers created by play kube diff --git a/pkg/domain/infra/abi/network.go b/pkg/domain/infra/abi/network.go index 4f572fb88..06941f8d0 100644 --- a/pkg/domain/infra/abi/network.go +++ b/pkg/domain/infra/abi/network.go @@ -110,7 +110,11 @@ func (ic *ContainerEngine) NetworkRm(ctx context.Context, namesOrIds []string, o } func (ic *ContainerEngine) NetworkCreate(ctx context.Context, name string, options entities.NetworkCreateOptions) (*entities.NetworkCreateReport, error) { - return network.Create(name, options, ic.Libpod) + runtimeConfig, err := ic.Libpod.GetConfig() + if err != nil { + return nil, err + } + return network.Create(name, options, runtimeConfig) } func ifPassesFilterTest(netconf *libcni.NetworkConfigList, filter []string) bool { diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go index c0948e099..4bcc6469c 100644 --- a/pkg/domain/infra/abi/play.go +++ b/pkg/domain/infra/abi/play.go @@ -297,20 +297,22 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY containers = append(containers, ctr) } - //start the containers - podStartErrors, err := pod.Start(ctx) - if err != nil { - return nil, err - } + if options.Start != types.OptionalBoolFalse { + //start the containers + podStartErrors, err := pod.Start(ctx) + if err != nil { + return nil, err + } - // Previous versions of playkube started containers individually and then - // looked for errors. Because we now use the uber-Pod start call, we should - // iterate the map of possible errors and return one if there is a problem. This - // keeps the behavior the same + // Previous versions of playkube started containers individually and then + // looked for errors. Because we now use the uber-Pod start call, we should + // iterate the map of possible errors and return one if there is a problem. This + // keeps the behavior the same - for _, e := range podStartErrors { - if e != nil { - return nil, e + for _, e := range podStartErrors { + if e != nil { + return nil, e + } } } diff --git a/pkg/domain/infra/runtime_libpod.go b/pkg/domain/infra/runtime_libpod.go index 26c9c7e2e..b786a5fbf 100644 --- a/pkg/domain/infra/runtime_libpod.go +++ b/pkg/domain/infra/runtime_libpod.go @@ -6,8 +6,10 @@ import ( "context" "fmt" "os" + "os/signal" "sync" + "github.com/containers/podman/v2/cmd/podman/utils" "github.com/containers/podman/v2/libpod" "github.com/containers/podman/v2/pkg/cgroups" "github.com/containers/podman/v2/pkg/domain/entities" @@ -16,6 +18,7 @@ import ( "github.com/containers/storage" "github.com/containers/storage/pkg/idtools" "github.com/pkg/errors" + "github.com/sirupsen/logrus" flag "github.com/spf13/pflag" ) @@ -348,3 +351,24 @@ func ParseIDMapping(mode namespaces.UsernsMode, uidMapSlice, gidMapSlice []strin } return &options, nil } + +// StartWatcher starts a new SIGHUP go routine for the current config. +func StartWatcher(rt *libpod.Runtime) { + // Setup the signal notifier + ch := make(chan os.Signal, 1) + signal.Notify(ch, utils.SIGHUP) + + go func() { + for { + // Block until the signal is received + logrus.Debugf("waiting for SIGHUP to reload configuration") + <-ch + if err := rt.Reload(); err != nil { + logrus.Errorf("unable to reload configuration: %v", err) + continue + } + } + }() + + logrus.Debugf("registered SIGHUP watcher for config") +} diff --git a/test/apiv2/rest_api/test_rest_v2_0_0.py b/test/apiv2/rest_api/test_rest_v2_0_0.py index 7192347c7..49e18f063 100644 --- a/test/apiv2/rest_api/test_rest_v2_0_0.py +++ b/test/apiv2/rest_api/test_rest_v2_0_0.py @@ -187,12 +187,14 @@ class TestApi(unittest.TestCase): payload = json.loads(create.text) self.assertIsNotNone(payload["Id"]) - connect = requests.post( - PODMAN_URL + "/v1.40/networks/TestNetwork/connect", - json={"Container": payload["Id"]}, - ) - self.assertEqual(connect.status_code, 200, create.text) - self.assertEqual(connect.text, "OK\n") + # This cannot be done until full completion of the network connect + # stack and network disconnect stack are complete + # connect = requests.post( + # PODMAN_URL + "/v1.40/networks/TestNetwork/connect", + # json={"Container": payload["Id"]}, + # ) + # self.assertEqual(connect.status_code, 200, connect.text) + # self.assertEqual(connect.text, "OK\n") def test_commit(self): r = requests.post(_url(ctnr("/commit?container={}"))) diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go index 7ae474c76..92e4544f9 100644 --- a/test/e2e/play_kube_test.go +++ b/test/e2e/play_kube_test.go @@ -1482,4 +1482,19 @@ MemoryReservation: {{ .HostConfig.MemoryReservation }}`}) Expect(inspect.ExitCode()).To(Equal(0)) Expect(inspect.OutputToString()).To(ContainSubstring("journald")) }) + + It("podman play kube test only creating the containers", func() { + pod := getPod() + err := generateKubeYaml("pod", pod, kubeYaml) + Expect(err).To(BeNil()) + + kube := podmanTest.Podman([]string{"play", "kube", "--start=false", kubeYaml}) + kube.WaitWithDefaultTimeout() + Expect(kube.ExitCode()).To(Equal(0)) + + inspect := podmanTest.Podman([]string{"inspect", getCtrNameInPod(pod), "--format", "{{ .State.Running }}"}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.ExitCode()).To(Equal(0)) + Expect(inspect.OutputToString()).To(Equal("false")) + }) }) diff --git a/test/e2e/pod_inspect_test.go b/test/e2e/pod_inspect_test.go index ccdf0a423..25212991d 100644 --- a/test/e2e/pod_inspect_test.go +++ b/test/e2e/pod_inspect_test.go @@ -99,4 +99,23 @@ var _ = Describe("Podman pod inspect", func() { Expect(len(inspectJSON.InfraConfig.PortBindings["80/tcp"])).To(Equal(1)) Expect(inspectJSON.InfraConfig.PortBindings["80/tcp"][0].HostPort).To(Equal("8080")) }) + + It("podman pod inspect outputs show correct MAC", func() { + SkipIfRootless("--mac-address is not supported in rootless mode") + podName := "testPod" + macAddr := "42:43:44:00:00:01" + create := podmanTest.Podman([]string{"pod", "create", "--name", podName, "--mac-address", macAddr}) + create.WaitWithDefaultTimeout() + Expect(create.ExitCode()).To(Equal(0)) + + create = podmanTest.Podman([]string{"run", "-d", "--pod", podName, ALPINE, "top"}) + create.WaitWithDefaultTimeout() + Expect(create.ExitCode()).To(Equal(0)) + + inspectOut := podmanTest.Podman([]string{"pod", "inspect", podName}) + inspectOut.WaitWithDefaultTimeout() + Expect(inspectOut.ExitCode()).To(Equal(0)) + + Expect(inspectOut.OutputToString()).To(ContainSubstring(macAddr)) + }) }) diff --git a/test/e2e/pod_pod_namespaces.go b/test/e2e/pod_pod_namespaces_test.go index 20b8bdb39..20b8bdb39 100644 --- a/test/e2e/pod_pod_namespaces.go +++ b/test/e2e/pod_pod_namespaces_test.go diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go index e9c1bab21..3e80e953e 100644 --- a/test/e2e/run_networking_test.go +++ b/test/e2e/run_networking_test.go @@ -551,6 +551,10 @@ var _ = Describe("Podman run networking", func() { run.WaitWithDefaultTimeout() Expect(run.ExitCode()).To(BeZero()) Expect(run.OutputToString()).To(ContainSubstring(ipAddr)) + + create = podmanTest.Podman([]string{"network", "rm", netName}) + create.WaitWithDefaultTimeout() + Expect(create.ExitCode()).To(BeZero()) }) It("podman run with new:pod and static-ip", func() { @@ -588,7 +592,7 @@ var _ = Describe("Podman run networking", func() { Expect(strings.Contains(run.OutputToString(), hostname)).To(BeTrue()) }) - It("podman run with --net=none adds hostname to /etc/hosts", func() { + It("podman run with --net=none sets hostname", func() { hostname := "testctr" run := podmanTest.Podman([]string{"run", "--net=none", "--hostname", hostname, ALPINE, "hostname"}) run.WaitWithDefaultTimeout() @@ -596,6 +600,37 @@ var _ = Describe("Podman run networking", func() { Expect(strings.Contains(run.OutputToString(), hostname)).To(BeTrue()) }) + It("podman run with --net=none adds hostname to /etc/hosts", func() { + hostname := "testctr" + run := podmanTest.Podman([]string{"run", "--net=none", "--hostname", hostname, ALPINE, "cat", "/etc/hosts"}) + run.WaitWithDefaultTimeout() + Expect(run.ExitCode()).To(BeZero()) + Expect(strings.Contains(run.OutputToString(), hostname)).To(BeTrue()) + }) + + ping_test := func(netns string) { + hostname := "testctr" + run := podmanTest.Podman([]string{"run", netns, "--hostname", hostname, ALPINE, "ping", "-c", "1", hostname}) + run.WaitWithDefaultTimeout() + Expect(run.ExitCode()).To(BeZero()) + + run = podmanTest.Podman([]string{"run", netns, "--hostname", hostname, "--name", "test", ALPINE, "ping", "-c", "1", "test"}) + run.WaitWithDefaultTimeout() + Expect(run.ExitCode()).To(BeZero()) + } + + It("podman attempt to ping container name and hostname --net=none", func() { + ping_test("--net=none") + }) + + It("podman attempt to ping container name and hostname --net=host", func() { + ping_test("--net=host") + }) + + It("podman attempt to ping container name and hostname --net=private", func() { + ping_test("--net=private") + }) + It("podman run check dnsname plugin", func() { pod := "testpod" session := podmanTest.Podman([]string{"pod", "create", "--name", pod}) @@ -621,10 +656,10 @@ var _ = Describe("Podman run networking", func() { session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(BeZero()) - session = podmanTest.Podman([]string{"run", "--name", "con3", "--pod", pod2, ALPINE, "nslookup", "con3"}) + session = podmanTest.Podman([]string{"run", "--name", "con3", "--pod", pod2, ALPINE, "nslookup", "con1"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(1)) - Expect(session.ErrorToString()).To(ContainSubstring("can't resolve 'con3'")) + Expect(session.ErrorToString()).To(ContainSubstring("can't resolve 'con1'")) session = podmanTest.Podman([]string{"run", "--name", "con4", "--network", net, ALPINE, "nslookup", pod2}) session.WaitWithDefaultTimeout() diff --git a/test/e2e/run_seccomp.go b/test/e2e/run_seccomp_test.go index 7d04cc60a..7d04cc60a 100644 --- a/test/e2e/run_seccomp.go +++ b/test/e2e/run_seccomp_test.go diff --git a/test/e2e/run_security_labels.go b/test/e2e/run_security_labels_test.go index 0c5621e3f..0c5621e3f 100644 --- a/test/e2e/run_security_labels.go +++ b/test/e2e/run_security_labels_test.go diff --git a/test/e2e/run_working_dir.go b/test/e2e/run_working_dir_test.go index 7d8db361c..7d8db361c 100644 --- a/test/e2e/run_working_dir.go +++ b/test/e2e/run_working_dir_test.go diff --git a/test/e2e/search_test.go b/test/e2e/search_test.go index 7747cdd0e..5c3c69fd4 100644 --- a/test/e2e/search_test.go +++ b/test/e2e/search_test.go @@ -93,10 +93,10 @@ registries = ['{{.Host}}:{{.Port}}']` }) It("podman search single registry flag", func() { - search := podmanTest.Podman([]string{"search", "quay.io/libpod/gate:latest"}) + search := podmanTest.Podman([]string{"search", "quay.io/skopeo/stable:latest"}) search.WaitWithDefaultTimeout() Expect(search.ExitCode()).To(Equal(0)) - Expect(search.LineInOutputContains("quay.io/libpod/gate")).To(BeTrue()) + Expect(search.LineInOutputContains("quay.io/skopeo/stable")).To(BeTrue()) }) It("podman search image with description", func() { diff --git a/test/e2e/stats_test.go b/test/e2e/stats_test.go index c8f5efa9d..5e8a7a3d0 100644 --- a/test/e2e/stats_test.go +++ b/test/e2e/stats_test.go @@ -5,6 +5,7 @@ package integration import ( "fmt" "os" + "strconv" "time" . "github.com/containers/podman/v2/test/utils" @@ -126,4 +127,44 @@ var _ = Describe("Podman stats", func() { session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) }) + + // Regression test for #8265 + It("podman stats with custom memory limits", func() { + // Run thre containers. One with a memory limit. Make sure + // that the limits are different and the limited one has a + // lower limit. + ctrNoLimit0 := "no-limit-0" + ctrNoLimit1 := "no-limit-1" + ctrWithLimit := "with-limit" + + session := podmanTest.Podman([]string{"run", "-d", "--name", ctrNoLimit0, ALPINE, "top"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"run", "-d", "--name", ctrNoLimit1, ALPINE, "top"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"run", "-d", "--name", ctrWithLimit, "--memory", "50m", ALPINE, "top"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"stats", "--no-stream", "--format", "{{.MemLimit}}", ctrNoLimit0, ctrNoLimit1, ctrWithLimit}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + // We have three containers. The unlimited ones need to have + // the same limit, the limited one a lower one. + limits := session.OutputToStringArray() + Expect(len(limits)).To(BeNumerically("==", 3)) + Expect(limits[0]).To(Equal(limits[1])) + Expect(limits[0]).ToNot(Equal(limits[2])) + + defaultLimit, err := strconv.Atoi(limits[0]) + Expect(err).To(BeNil()) + customLimit, err := strconv.Atoi(limits[2]) + Expect(err).To(BeNil()) + + Expect(customLimit).To(BeNumerically("<", defaultLimit)) + }) }) diff --git a/test/python/docker/test_containers.py b/test/python/docker/test_containers.py index 5fb340fd4..0fd419d9d 100644 --- a/test/python/docker/test_containers.py +++ b/test/python/docker/test_containers.py @@ -60,10 +60,14 @@ class TestContainers(unittest.TestCase): def test_create_network(self): net = self.client.networks.create("testNetwork", driver="bridge") ctnr = self.client.containers.create(image="alpine", detach=True) - net.connect(ctnr) - nets = self.client.networks.list(greedy=True) - self.assertGreaterEqual(len(nets), 1) + # TODO fix when ready + # This test will not work until all connect|disconnect + # code is fixed. + # net.connect(ctnr) + + # nets = self.client.networks.list(greedy=True) + # self.assertGreaterEqual(len(nets), 1) # TODO fix endpoint to include containers # for n in nets: diff --git a/troubleshooting.md b/troubleshooting.md index 604ca9b1d..3ff578142 100644 --- a/troubleshooting.md +++ b/troubleshooting.md @@ -457,7 +457,7 @@ Attempts to run podman result in One workaround is to disable Secure Boot in your BIOS. -### 20) error creating libpod runtime: there might not be enough IDs available in the namespace +### 19) error creating libpod runtime: there might not be enough IDs available in the namespace Unable to pull images diff --git a/vendor/github.com/Microsoft/go-winio/archive/tar/LICENSE b/vendor/github.com/Microsoft/go-winio/archive/tar/LICENSE deleted file mode 100644 index 744875676..000000000 --- a/vendor/github.com/Microsoft/go-winio/archive/tar/LICENSE +++ /dev/null @@ -1,27 +0,0 @@ -Copyright (c) 2012 The Go Authors. All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - - * Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above -copyright notice, this list of conditions and the following disclaimer -in the documentation and/or other materials provided with the -distribution. - * Neither the name of Google Inc. nor the names of its -contributors may be used to endorse or promote products derived from -this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/vendor/github.com/Microsoft/go-winio/archive/tar/common.go b/vendor/github.com/Microsoft/go-winio/archive/tar/common.go deleted file mode 100644 index 0378401c0..000000000 --- a/vendor/github.com/Microsoft/go-winio/archive/tar/common.go +++ /dev/null @@ -1,344 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package tar implements access to tar archives. -// It aims to cover most of the variations, including those produced -// by GNU and BSD tars. -// -// References: -// http://www.freebsd.org/cgi/man.cgi?query=tar&sektion=5 -// http://www.gnu.org/software/tar/manual/html_node/Standard.html -// http://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html -package tar - -import ( - "bytes" - "errors" - "fmt" - "os" - "path" - "time" -) - -const ( - blockSize = 512 - - // Types - TypeReg = '0' // regular file - TypeRegA = '\x00' // regular file - TypeLink = '1' // hard link - TypeSymlink = '2' // symbolic link - TypeChar = '3' // character device node - TypeBlock = '4' // block device node - TypeDir = '5' // directory - TypeFifo = '6' // fifo node - TypeCont = '7' // reserved - TypeXHeader = 'x' // extended header - TypeXGlobalHeader = 'g' // global extended header - TypeGNULongName = 'L' // Next file has a long name - TypeGNULongLink = 'K' // Next file symlinks to a file w/ a long name - TypeGNUSparse = 'S' // sparse file -) - -// A Header represents a single header in a tar archive. -// Some fields may not be populated. -type Header struct { - Name string // name of header file entry - Mode int64 // permission and mode bits - Uid int // user id of owner - Gid int // group id of owner - Size int64 // length in bytes - ModTime time.Time // modified time - Typeflag byte // type of header entry - Linkname string // target name of link - Uname string // user name of owner - Gname string // group name of owner - Devmajor int64 // major number of character or block device - Devminor int64 // minor number of character or block device - AccessTime time.Time // access time - ChangeTime time.Time // status change time - CreationTime time.Time // creation time - Xattrs map[string]string - Winheaders map[string]string -} - -// File name constants from the tar spec. -const ( - fileNameSize = 100 // Maximum number of bytes in a standard tar name. - fileNamePrefixSize = 155 // Maximum number of ustar extension bytes. -) - -// FileInfo returns an os.FileInfo for the Header. -func (h *Header) FileInfo() os.FileInfo { - return headerFileInfo{h} -} - -// headerFileInfo implements os.FileInfo. -type headerFileInfo struct { - h *Header -} - -func (fi headerFileInfo) Size() int64 { return fi.h.Size } -func (fi headerFileInfo) IsDir() bool { return fi.Mode().IsDir() } -func (fi headerFileInfo) ModTime() time.Time { return fi.h.ModTime } -func (fi headerFileInfo) Sys() interface{} { return fi.h } - -// Name returns the base name of the file. -func (fi headerFileInfo) Name() string { - if fi.IsDir() { - return path.Base(path.Clean(fi.h.Name)) - } - return path.Base(fi.h.Name) -} - -// Mode returns the permission and mode bits for the headerFileInfo. -func (fi headerFileInfo) Mode() (mode os.FileMode) { - // Set file permission bits. - mode = os.FileMode(fi.h.Mode).Perm() - - // Set setuid, setgid and sticky bits. - if fi.h.Mode&c_ISUID != 0 { - // setuid - mode |= os.ModeSetuid - } - if fi.h.Mode&c_ISGID != 0 { - // setgid - mode |= os.ModeSetgid - } - if fi.h.Mode&c_ISVTX != 0 { - // sticky - mode |= os.ModeSticky - } - - // Set file mode bits. - // clear perm, setuid, setgid and sticky bits. - m := os.FileMode(fi.h.Mode) &^ 07777 - if m == c_ISDIR { - // directory - mode |= os.ModeDir - } - if m == c_ISFIFO { - // named pipe (FIFO) - mode |= os.ModeNamedPipe - } - if m == c_ISLNK { - // symbolic link - mode |= os.ModeSymlink - } - if m == c_ISBLK { - // device file - mode |= os.ModeDevice - } - if m == c_ISCHR { - // Unix character device - mode |= os.ModeDevice - mode |= os.ModeCharDevice - } - if m == c_ISSOCK { - // Unix domain socket - mode |= os.ModeSocket - } - - switch fi.h.Typeflag { - case TypeSymlink: - // symbolic link - mode |= os.ModeSymlink - case TypeChar: - // character device node - mode |= os.ModeDevice - mode |= os.ModeCharDevice - case TypeBlock: - // block device node - mode |= os.ModeDevice - case TypeDir: - // directory - mode |= os.ModeDir - case TypeFifo: - // fifo node - mode |= os.ModeNamedPipe - } - - return mode -} - -// sysStat, if non-nil, populates h from system-dependent fields of fi. -var sysStat func(fi os.FileInfo, h *Header) error - -// Mode constants from the tar spec. -const ( - c_ISUID = 04000 // Set uid - c_ISGID = 02000 // Set gid - c_ISVTX = 01000 // Save text (sticky bit) - c_ISDIR = 040000 // Directory - c_ISFIFO = 010000 // FIFO - c_ISREG = 0100000 // Regular file - c_ISLNK = 0120000 // Symbolic link - c_ISBLK = 060000 // Block special file - c_ISCHR = 020000 // Character special file - c_ISSOCK = 0140000 // Socket -) - -// Keywords for the PAX Extended Header -const ( - paxAtime = "atime" - paxCharset = "charset" - paxComment = "comment" - paxCtime = "ctime" // please note that ctime is not a valid pax header. - paxCreationTime = "LIBARCHIVE.creationtime" - paxGid = "gid" - paxGname = "gname" - paxLinkpath = "linkpath" - paxMtime = "mtime" - paxPath = "path" - paxSize = "size" - paxUid = "uid" - paxUname = "uname" - paxXattr = "SCHILY.xattr." - paxWindows = "MSWINDOWS." - paxNone = "" -) - -// FileInfoHeader creates a partially-populated Header from fi. -// If fi describes a symlink, FileInfoHeader records link as the link target. -// If fi describes a directory, a slash is appended to the name. -// Because os.FileInfo's Name method returns only the base name of -// the file it describes, it may be necessary to modify the Name field -// of the returned header to provide the full path name of the file. -func FileInfoHeader(fi os.FileInfo, link string) (*Header, error) { - if fi == nil { - return nil, errors.New("tar: FileInfo is nil") - } - fm := fi.Mode() - h := &Header{ - Name: fi.Name(), - ModTime: fi.ModTime(), - Mode: int64(fm.Perm()), // or'd with c_IS* constants later - } - switch { - case fm.IsRegular(): - h.Mode |= c_ISREG - h.Typeflag = TypeReg - h.Size = fi.Size() - case fi.IsDir(): - h.Typeflag = TypeDir - h.Mode |= c_ISDIR - h.Name += "/" - case fm&os.ModeSymlink != 0: - h.Typeflag = TypeSymlink - h.Mode |= c_ISLNK - h.Linkname = link - case fm&os.ModeDevice != 0: - if fm&os.ModeCharDevice != 0 { - h.Mode |= c_ISCHR - h.Typeflag = TypeChar - } else { - h.Mode |= c_ISBLK - h.Typeflag = TypeBlock - } - case fm&os.ModeNamedPipe != 0: - h.Typeflag = TypeFifo - h.Mode |= c_ISFIFO - case fm&os.ModeSocket != 0: - h.Mode |= c_ISSOCK - default: - return nil, fmt.Errorf("archive/tar: unknown file mode %v", fm) - } - if fm&os.ModeSetuid != 0 { - h.Mode |= c_ISUID - } - if fm&os.ModeSetgid != 0 { - h.Mode |= c_ISGID - } - if fm&os.ModeSticky != 0 { - h.Mode |= c_ISVTX - } - // If possible, populate additional fields from OS-specific - // FileInfo fields. - if sys, ok := fi.Sys().(*Header); ok { - // This FileInfo came from a Header (not the OS). Use the - // original Header to populate all remaining fields. - h.Uid = sys.Uid - h.Gid = sys.Gid - h.Uname = sys.Uname - h.Gname = sys.Gname - h.AccessTime = sys.AccessTime - h.ChangeTime = sys.ChangeTime - if sys.Xattrs != nil { - h.Xattrs = make(map[string]string) - for k, v := range sys.Xattrs { - h.Xattrs[k] = v - } - } - if sys.Typeflag == TypeLink { - // hard link - h.Typeflag = TypeLink - h.Size = 0 - h.Linkname = sys.Linkname - } - } - if sysStat != nil { - return h, sysStat(fi, h) - } - return h, nil -} - -var zeroBlock = make([]byte, blockSize) - -// POSIX specifies a sum of the unsigned byte values, but the Sun tar uses signed byte values. -// We compute and return both. -func checksum(header []byte) (unsigned int64, signed int64) { - for i := 0; i < len(header); i++ { - if i == 148 { - // The chksum field (header[148:156]) is special: it should be treated as space bytes. - unsigned += ' ' * 8 - signed += ' ' * 8 - i += 7 - continue - } - unsigned += int64(header[i]) - signed += int64(int8(header[i])) - } - return -} - -type slicer []byte - -func (sp *slicer) next(n int) (b []byte) { - s := *sp - b, *sp = s[0:n], s[n:] - return -} - -func isASCII(s string) bool { - for _, c := range s { - if c >= 0x80 { - return false - } - } - return true -} - -func toASCII(s string) string { - if isASCII(s) { - return s - } - var buf bytes.Buffer - for _, c := range s { - if c < 0x80 { - buf.WriteByte(byte(c)) - } - } - return buf.String() -} - -// isHeaderOnlyType checks if the given type flag is of the type that has no -// data section even if a size is specified. -func isHeaderOnlyType(flag byte) bool { - switch flag { - case TypeLink, TypeSymlink, TypeChar, TypeBlock, TypeDir, TypeFifo: - return true - default: - return false - } -} diff --git a/vendor/github.com/Microsoft/go-winio/archive/tar/reader.go b/vendor/github.com/Microsoft/go-winio/archive/tar/reader.go deleted file mode 100644 index e210c618a..000000000 --- a/vendor/github.com/Microsoft/go-winio/archive/tar/reader.go +++ /dev/null @@ -1,1002 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package tar - -// TODO(dsymonds): -// - pax extensions - -import ( - "bytes" - "errors" - "io" - "io/ioutil" - "math" - "os" - "strconv" - "strings" - "time" -) - -var ( - ErrHeader = errors.New("archive/tar: invalid tar header") -) - -const maxNanoSecondIntSize = 9 - -// A Reader provides sequential access to the contents of a tar archive. -// A tar archive consists of a sequence of files. -// The Next method advances to the next file in the archive (including the first), -// and then it can be treated as an io.Reader to access the file's data. -type Reader struct { - r io.Reader - err error - pad int64 // amount of padding (ignored) after current file entry - curr numBytesReader // reader for current file entry - hdrBuff [blockSize]byte // buffer to use in readHeader -} - -type parser struct { - err error // Last error seen -} - -// A numBytesReader is an io.Reader with a numBytes method, returning the number -// of bytes remaining in the underlying encoded data. -type numBytesReader interface { - io.Reader - numBytes() int64 -} - -// A regFileReader is a numBytesReader for reading file data from a tar archive. -type regFileReader struct { - r io.Reader // underlying reader - nb int64 // number of unread bytes for current file entry -} - -// A sparseFileReader is a numBytesReader for reading sparse file data from a -// tar archive. -type sparseFileReader struct { - rfr numBytesReader // Reads the sparse-encoded file data - sp []sparseEntry // The sparse map for the file - pos int64 // Keeps track of file position - total int64 // Total size of the file -} - -// A sparseEntry holds a single entry in a sparse file's sparse map. -// -// Sparse files are represented using a series of sparseEntrys. -// Despite the name, a sparseEntry represents an actual data fragment that -// references data found in the underlying archive stream. All regions not -// covered by a sparseEntry are logically filled with zeros. -// -// For example, if the underlying raw file contains the 10-byte data: -// var compactData = "abcdefgh" -// -// And the sparse map has the following entries: -// var sp = []sparseEntry{ -// {offset: 2, numBytes: 5} // Data fragment for [2..7] -// {offset: 18, numBytes: 3} // Data fragment for [18..21] -// } -// -// Then the content of the resulting sparse file with a "real" size of 25 is: -// var sparseData = "\x00"*2 + "abcde" + "\x00"*11 + "fgh" + "\x00"*4 -type sparseEntry struct { - offset int64 // Starting position of the fragment - numBytes int64 // Length of the fragment -} - -// Keywords for GNU sparse files in a PAX extended header -const ( - paxGNUSparseNumBlocks = "GNU.sparse.numblocks" - paxGNUSparseOffset = "GNU.sparse.offset" - paxGNUSparseNumBytes = "GNU.sparse.numbytes" - paxGNUSparseMap = "GNU.sparse.map" - paxGNUSparseName = "GNU.sparse.name" - paxGNUSparseMajor = "GNU.sparse.major" - paxGNUSparseMinor = "GNU.sparse.minor" - paxGNUSparseSize = "GNU.sparse.size" - paxGNUSparseRealSize = "GNU.sparse.realsize" -) - -// Keywords for old GNU sparse headers -const ( - oldGNUSparseMainHeaderOffset = 386 - oldGNUSparseMainHeaderIsExtendedOffset = 482 - oldGNUSparseMainHeaderNumEntries = 4 - oldGNUSparseExtendedHeaderIsExtendedOffset = 504 - oldGNUSparseExtendedHeaderNumEntries = 21 - oldGNUSparseOffsetSize = 12 - oldGNUSparseNumBytesSize = 12 -) - -// NewReader creates a new Reader reading from r. -func NewReader(r io.Reader) *Reader { return &Reader{r: r} } - -// Next advances to the next entry in the tar archive. -// -// io.EOF is returned at the end of the input. -func (tr *Reader) Next() (*Header, error) { - if tr.err != nil { - return nil, tr.err - } - - var hdr *Header - var extHdrs map[string]string - - // Externally, Next iterates through the tar archive as if it is a series of - // files. Internally, the tar format often uses fake "files" to add meta - // data that describes the next file. These meta data "files" should not - // normally be visible to the outside. As such, this loop iterates through - // one or more "header files" until it finds a "normal file". -loop: - for { - tr.err = tr.skipUnread() - if tr.err != nil { - return nil, tr.err - } - - hdr = tr.readHeader() - if tr.err != nil { - return nil, tr.err - } - - // Check for PAX/GNU special headers and files. - switch hdr.Typeflag { - case TypeXHeader: - extHdrs, tr.err = parsePAX(tr) - if tr.err != nil { - return nil, tr.err - } - continue loop // This is a meta header affecting the next header - case TypeGNULongName, TypeGNULongLink: - var realname []byte - realname, tr.err = ioutil.ReadAll(tr) - if tr.err != nil { - return nil, tr.err - } - - // Convert GNU extensions to use PAX headers. - if extHdrs == nil { - extHdrs = make(map[string]string) - } - var p parser - switch hdr.Typeflag { - case TypeGNULongName: - extHdrs[paxPath] = p.parseString(realname) - case TypeGNULongLink: - extHdrs[paxLinkpath] = p.parseString(realname) - } - if p.err != nil { - tr.err = p.err - return nil, tr.err - } - continue loop // This is a meta header affecting the next header - default: - mergePAX(hdr, extHdrs) - - // Check for a PAX format sparse file - sp, err := tr.checkForGNUSparsePAXHeaders(hdr, extHdrs) - if err != nil { - tr.err = err - return nil, err - } - if sp != nil { - // Current file is a PAX format GNU sparse file. - // Set the current file reader to a sparse file reader. - tr.curr, tr.err = newSparseFileReader(tr.curr, sp, hdr.Size) - if tr.err != nil { - return nil, tr.err - } - } - break loop // This is a file, so stop - } - } - return hdr, nil -} - -// checkForGNUSparsePAXHeaders checks the PAX headers for GNU sparse headers. If they are found, then -// this function reads the sparse map and returns it. Unknown sparse formats are ignored, causing the file to -// be treated as a regular file. -func (tr *Reader) checkForGNUSparsePAXHeaders(hdr *Header, headers map[string]string) ([]sparseEntry, error) { - var sparseFormat string - - // Check for sparse format indicators - major, majorOk := headers[paxGNUSparseMajor] - minor, minorOk := headers[paxGNUSparseMinor] - sparseName, sparseNameOk := headers[paxGNUSparseName] - _, sparseMapOk := headers[paxGNUSparseMap] - sparseSize, sparseSizeOk := headers[paxGNUSparseSize] - sparseRealSize, sparseRealSizeOk := headers[paxGNUSparseRealSize] - - // Identify which, if any, sparse format applies from which PAX headers are set - if majorOk && minorOk { - sparseFormat = major + "." + minor - } else if sparseNameOk && sparseMapOk { - sparseFormat = "0.1" - } else if sparseSizeOk { - sparseFormat = "0.0" - } else { - // Not a PAX format GNU sparse file. - return nil, nil - } - - // Check for unknown sparse format - if sparseFormat != "0.0" && sparseFormat != "0.1" && sparseFormat != "1.0" { - return nil, nil - } - - // Update hdr from GNU sparse PAX headers - if sparseNameOk { - hdr.Name = sparseName - } - if sparseSizeOk { - realSize, err := strconv.ParseInt(sparseSize, 10, 0) - if err != nil { - return nil, ErrHeader - } - hdr.Size = realSize - } else if sparseRealSizeOk { - realSize, err := strconv.ParseInt(sparseRealSize, 10, 0) - if err != nil { - return nil, ErrHeader - } - hdr.Size = realSize - } - - // Set up the sparse map, according to the particular sparse format in use - var sp []sparseEntry - var err error - switch sparseFormat { - case "0.0", "0.1": - sp, err = readGNUSparseMap0x1(headers) - case "1.0": - sp, err = readGNUSparseMap1x0(tr.curr) - } - return sp, err -} - -// mergePAX merges well known headers according to PAX standard. -// In general headers with the same name as those found -// in the header struct overwrite those found in the header -// struct with higher precision or longer values. Esp. useful -// for name and linkname fields. -func mergePAX(hdr *Header, headers map[string]string) error { - for k, v := range headers { - switch k { - case paxPath: - hdr.Name = v - case paxLinkpath: - hdr.Linkname = v - case paxGname: - hdr.Gname = v - case paxUname: - hdr.Uname = v - case paxUid: - uid, err := strconv.ParseInt(v, 10, 0) - if err != nil { - return err - } - hdr.Uid = int(uid) - case paxGid: - gid, err := strconv.ParseInt(v, 10, 0) - if err != nil { - return err - } - hdr.Gid = int(gid) - case paxAtime: - t, err := parsePAXTime(v) - if err != nil { - return err - } - hdr.AccessTime = t - case paxMtime: - t, err := parsePAXTime(v) - if err != nil { - return err - } - hdr.ModTime = t - case paxCtime: - t, err := parsePAXTime(v) - if err != nil { - return err - } - hdr.ChangeTime = t - case paxCreationTime: - t, err := parsePAXTime(v) - if err != nil { - return err - } - hdr.CreationTime = t - case paxSize: - size, err := strconv.ParseInt(v, 10, 0) - if err != nil { - return err - } - hdr.Size = int64(size) - default: - if strings.HasPrefix(k, paxXattr) { - if hdr.Xattrs == nil { - hdr.Xattrs = make(map[string]string) - } - hdr.Xattrs[k[len(paxXattr):]] = v - } else if strings.HasPrefix(k, paxWindows) { - if hdr.Winheaders == nil { - hdr.Winheaders = make(map[string]string) - } - hdr.Winheaders[k[len(paxWindows):]] = v - } - } - } - return nil -} - -// parsePAXTime takes a string of the form %d.%d as described in -// the PAX specification. -func parsePAXTime(t string) (time.Time, error) { - buf := []byte(t) - pos := bytes.IndexByte(buf, '.') - var seconds, nanoseconds int64 - var err error - if pos == -1 { - seconds, err = strconv.ParseInt(t, 10, 0) - if err != nil { - return time.Time{}, err - } - } else { - seconds, err = strconv.ParseInt(string(buf[:pos]), 10, 0) - if err != nil { - return time.Time{}, err - } - nano_buf := string(buf[pos+1:]) - // Pad as needed before converting to a decimal. - // For example .030 -> .030000000 -> 30000000 nanoseconds - if len(nano_buf) < maxNanoSecondIntSize { - // Right pad - nano_buf += strings.Repeat("0", maxNanoSecondIntSize-len(nano_buf)) - } else if len(nano_buf) > maxNanoSecondIntSize { - // Right truncate - nano_buf = nano_buf[:maxNanoSecondIntSize] - } - nanoseconds, err = strconv.ParseInt(string(nano_buf), 10, 0) - if err != nil { - return time.Time{}, err - } - } - ts := time.Unix(seconds, nanoseconds) - return ts, nil -} - -// parsePAX parses PAX headers. -// If an extended header (type 'x') is invalid, ErrHeader is returned -func parsePAX(r io.Reader) (map[string]string, error) { - buf, err := ioutil.ReadAll(r) - if err != nil { - return nil, err - } - sbuf := string(buf) - - // For GNU PAX sparse format 0.0 support. - // This function transforms the sparse format 0.0 headers into sparse format 0.1 headers. - var sparseMap bytes.Buffer - - headers := make(map[string]string) - // Each record is constructed as - // "%d %s=%s\n", length, keyword, value - for len(sbuf) > 0 { - key, value, residual, err := parsePAXRecord(sbuf) - if err != nil { - return nil, ErrHeader - } - sbuf = residual - - keyStr := string(key) - if keyStr == paxGNUSparseOffset || keyStr == paxGNUSparseNumBytes { - // GNU sparse format 0.0 special key. Write to sparseMap instead of using the headers map. - sparseMap.WriteString(value) - sparseMap.Write([]byte{','}) - } else { - // Normal key. Set the value in the headers map. - headers[keyStr] = string(value) - } - } - if sparseMap.Len() != 0 { - // Add sparse info to headers, chopping off the extra comma - sparseMap.Truncate(sparseMap.Len() - 1) - headers[paxGNUSparseMap] = sparseMap.String() - } - return headers, nil -} - -// parsePAXRecord parses the input PAX record string into a key-value pair. -// If parsing is successful, it will slice off the currently read record and -// return the remainder as r. -// -// A PAX record is of the following form: -// "%d %s=%s\n" % (size, key, value) -func parsePAXRecord(s string) (k, v, r string, err error) { - // The size field ends at the first space. - sp := strings.IndexByte(s, ' ') - if sp == -1 { - return "", "", s, ErrHeader - } - - // Parse the first token as a decimal integer. - n, perr := strconv.ParseInt(s[:sp], 10, 0) // Intentionally parse as native int - if perr != nil || n < 5 || int64(len(s)) < n { - return "", "", s, ErrHeader - } - - // Extract everything between the space and the final newline. - rec, nl, rem := s[sp+1:n-1], s[n-1:n], s[n:] - if nl != "\n" { - return "", "", s, ErrHeader - } - - // The first equals separates the key from the value. - eq := strings.IndexByte(rec, '=') - if eq == -1 { - return "", "", s, ErrHeader - } - return rec[:eq], rec[eq+1:], rem, nil -} - -// parseString parses bytes as a NUL-terminated C-style string. -// If a NUL byte is not found then the whole slice is returned as a string. -func (*parser) parseString(b []byte) string { - n := 0 - for n < len(b) && b[n] != 0 { - n++ - } - return string(b[0:n]) -} - -// parseNumeric parses the input as being encoded in either base-256 or octal. -// This function may return negative numbers. -// If parsing fails or an integer overflow occurs, err will be set. -func (p *parser) parseNumeric(b []byte) int64 { - // Check for base-256 (binary) format first. - // If the first bit is set, then all following bits constitute a two's - // complement encoded number in big-endian byte order. - if len(b) > 0 && b[0]&0x80 != 0 { - // Handling negative numbers relies on the following identity: - // -a-1 == ^a - // - // If the number is negative, we use an inversion mask to invert the - // data bytes and treat the value as an unsigned number. - var inv byte // 0x00 if positive or zero, 0xff if negative - if b[0]&0x40 != 0 { - inv = 0xff - } - - var x uint64 - for i, c := range b { - c ^= inv // Inverts c only if inv is 0xff, otherwise does nothing - if i == 0 { - c &= 0x7f // Ignore signal bit in first byte - } - if (x >> 56) > 0 { - p.err = ErrHeader // Integer overflow - return 0 - } - x = x<<8 | uint64(c) - } - if (x >> 63) > 0 { - p.err = ErrHeader // Integer overflow - return 0 - } - if inv == 0xff { - return ^int64(x) - } - return int64(x) - } - - // Normal case is base-8 (octal) format. - return p.parseOctal(b) -} - -func (p *parser) parseOctal(b []byte) int64 { - // Because unused fields are filled with NULs, we need - // to skip leading NULs. Fields may also be padded with - // spaces or NULs. - // So we remove leading and trailing NULs and spaces to - // be sure. - b = bytes.Trim(b, " \x00") - - if len(b) == 0 { - return 0 - } - x, perr := strconv.ParseUint(p.parseString(b), 8, 64) - if perr != nil { - p.err = ErrHeader - } - return int64(x) -} - -// skipUnread skips any unread bytes in the existing file entry, as well as any -// alignment padding. It returns io.ErrUnexpectedEOF if any io.EOF is -// encountered in the data portion; it is okay to hit io.EOF in the padding. -// -// Note that this function still works properly even when sparse files are being -// used since numBytes returns the bytes remaining in the underlying io.Reader. -func (tr *Reader) skipUnread() error { - dataSkip := tr.numBytes() // Number of data bytes to skip - totalSkip := dataSkip + tr.pad // Total number of bytes to skip - tr.curr, tr.pad = nil, 0 - - // If possible, Seek to the last byte before the end of the data section. - // Do this because Seek is often lazy about reporting errors; this will mask - // the fact that the tar stream may be truncated. We can rely on the - // io.CopyN done shortly afterwards to trigger any IO errors. - var seekSkipped int64 // Number of bytes skipped via Seek - if sr, ok := tr.r.(io.Seeker); ok && dataSkip > 1 { - // Not all io.Seeker can actually Seek. For example, os.Stdin implements - // io.Seeker, but calling Seek always returns an error and performs - // no action. Thus, we try an innocent seek to the current position - // to see if Seek is really supported. - pos1, err := sr.Seek(0, os.SEEK_CUR) - if err == nil { - // Seek seems supported, so perform the real Seek. - pos2, err := sr.Seek(dataSkip-1, os.SEEK_CUR) - if err != nil { - tr.err = err - return tr.err - } - seekSkipped = pos2 - pos1 - } - } - - var copySkipped int64 // Number of bytes skipped via CopyN - copySkipped, tr.err = io.CopyN(ioutil.Discard, tr.r, totalSkip-seekSkipped) - if tr.err == io.EOF && seekSkipped+copySkipped < dataSkip { - tr.err = io.ErrUnexpectedEOF - } - return tr.err -} - -func (tr *Reader) verifyChecksum(header []byte) bool { - if tr.err != nil { - return false - } - - var p parser - given := p.parseOctal(header[148:156]) - unsigned, signed := checksum(header) - return p.err == nil && (given == unsigned || given == signed) -} - -// readHeader reads the next block header and assumes that the underlying reader -// is already aligned to a block boundary. -// -// The err will be set to io.EOF only when one of the following occurs: -// * Exactly 0 bytes are read and EOF is hit. -// * Exactly 1 block of zeros is read and EOF is hit. -// * At least 2 blocks of zeros are read. -func (tr *Reader) readHeader() *Header { - header := tr.hdrBuff[:] - copy(header, zeroBlock) - - if _, tr.err = io.ReadFull(tr.r, header); tr.err != nil { - return nil // io.EOF is okay here - } - - // Two blocks of zero bytes marks the end of the archive. - if bytes.Equal(header, zeroBlock[0:blockSize]) { - if _, tr.err = io.ReadFull(tr.r, header); tr.err != nil { - return nil // io.EOF is okay here - } - if bytes.Equal(header, zeroBlock[0:blockSize]) { - tr.err = io.EOF - } else { - tr.err = ErrHeader // zero block and then non-zero block - } - return nil - } - - if !tr.verifyChecksum(header) { - tr.err = ErrHeader - return nil - } - - // Unpack - var p parser - hdr := new(Header) - s := slicer(header) - - hdr.Name = p.parseString(s.next(100)) - hdr.Mode = p.parseNumeric(s.next(8)) - hdr.Uid = int(p.parseNumeric(s.next(8))) - hdr.Gid = int(p.parseNumeric(s.next(8))) - hdr.Size = p.parseNumeric(s.next(12)) - hdr.ModTime = time.Unix(p.parseNumeric(s.next(12)), 0) - s.next(8) // chksum - hdr.Typeflag = s.next(1)[0] - hdr.Linkname = p.parseString(s.next(100)) - - // The remainder of the header depends on the value of magic. - // The original (v7) version of tar had no explicit magic field, - // so its magic bytes, like the rest of the block, are NULs. - magic := string(s.next(8)) // contains version field as well. - var format string - switch { - case magic[:6] == "ustar\x00": // POSIX tar (1003.1-1988) - if string(header[508:512]) == "tar\x00" { - format = "star" - } else { - format = "posix" - } - case magic == "ustar \x00": // old GNU tar - format = "gnu" - } - - switch format { - case "posix", "gnu", "star": - hdr.Uname = p.parseString(s.next(32)) - hdr.Gname = p.parseString(s.next(32)) - devmajor := s.next(8) - devminor := s.next(8) - if hdr.Typeflag == TypeChar || hdr.Typeflag == TypeBlock { - hdr.Devmajor = p.parseNumeric(devmajor) - hdr.Devminor = p.parseNumeric(devminor) - } - var prefix string - switch format { - case "posix", "gnu": - prefix = p.parseString(s.next(155)) - case "star": - prefix = p.parseString(s.next(131)) - hdr.AccessTime = time.Unix(p.parseNumeric(s.next(12)), 0) - hdr.ChangeTime = time.Unix(p.parseNumeric(s.next(12)), 0) - } - if len(prefix) > 0 { - hdr.Name = prefix + "/" + hdr.Name - } - } - - if p.err != nil { - tr.err = p.err - return nil - } - - nb := hdr.Size - if isHeaderOnlyType(hdr.Typeflag) { - nb = 0 - } - if nb < 0 { - tr.err = ErrHeader - return nil - } - - // Set the current file reader. - tr.pad = -nb & (blockSize - 1) // blockSize is a power of two - tr.curr = ®FileReader{r: tr.r, nb: nb} - - // Check for old GNU sparse format entry. - if hdr.Typeflag == TypeGNUSparse { - // Get the real size of the file. - hdr.Size = p.parseNumeric(header[483:495]) - if p.err != nil { - tr.err = p.err - return nil - } - - // Read the sparse map. - sp := tr.readOldGNUSparseMap(header) - if tr.err != nil { - return nil - } - - // Current file is a GNU sparse file. Update the current file reader. - tr.curr, tr.err = newSparseFileReader(tr.curr, sp, hdr.Size) - if tr.err != nil { - return nil - } - } - - return hdr -} - -// readOldGNUSparseMap reads the sparse map as stored in the old GNU sparse format. -// The sparse map is stored in the tar header if it's small enough. If it's larger than four entries, -// then one or more extension headers are used to store the rest of the sparse map. -func (tr *Reader) readOldGNUSparseMap(header []byte) []sparseEntry { - var p parser - isExtended := header[oldGNUSparseMainHeaderIsExtendedOffset] != 0 - spCap := oldGNUSparseMainHeaderNumEntries - if isExtended { - spCap += oldGNUSparseExtendedHeaderNumEntries - } - sp := make([]sparseEntry, 0, spCap) - s := slicer(header[oldGNUSparseMainHeaderOffset:]) - - // Read the four entries from the main tar header - for i := 0; i < oldGNUSparseMainHeaderNumEntries; i++ { - offset := p.parseNumeric(s.next(oldGNUSparseOffsetSize)) - numBytes := p.parseNumeric(s.next(oldGNUSparseNumBytesSize)) - if p.err != nil { - tr.err = p.err - return nil - } - if offset == 0 && numBytes == 0 { - break - } - sp = append(sp, sparseEntry{offset: offset, numBytes: numBytes}) - } - - for isExtended { - // There are more entries. Read an extension header and parse its entries. - sparseHeader := make([]byte, blockSize) - if _, tr.err = io.ReadFull(tr.r, sparseHeader); tr.err != nil { - return nil - } - isExtended = sparseHeader[oldGNUSparseExtendedHeaderIsExtendedOffset] != 0 - s = slicer(sparseHeader) - for i := 0; i < oldGNUSparseExtendedHeaderNumEntries; i++ { - offset := p.parseNumeric(s.next(oldGNUSparseOffsetSize)) - numBytes := p.parseNumeric(s.next(oldGNUSparseNumBytesSize)) - if p.err != nil { - tr.err = p.err - return nil - } - if offset == 0 && numBytes == 0 { - break - } - sp = append(sp, sparseEntry{offset: offset, numBytes: numBytes}) - } - } - return sp -} - -// readGNUSparseMap1x0 reads the sparse map as stored in GNU's PAX sparse format -// version 1.0. The format of the sparse map consists of a series of -// newline-terminated numeric fields. The first field is the number of entries -// and is always present. Following this are the entries, consisting of two -// fields (offset, numBytes). This function must stop reading at the end -// boundary of the block containing the last newline. -// -// Note that the GNU manual says that numeric values should be encoded in octal -// format. However, the GNU tar utility itself outputs these values in decimal. -// As such, this library treats values as being encoded in decimal. -func readGNUSparseMap1x0(r io.Reader) ([]sparseEntry, error) { - var cntNewline int64 - var buf bytes.Buffer - var blk = make([]byte, blockSize) - - // feedTokens copies data in numBlock chunks from r into buf until there are - // at least cnt newlines in buf. It will not read more blocks than needed. - var feedTokens = func(cnt int64) error { - for cntNewline < cnt { - if _, err := io.ReadFull(r, blk); err != nil { - if err == io.EOF { - err = io.ErrUnexpectedEOF - } - return err - } - buf.Write(blk) - for _, c := range blk { - if c == '\n' { - cntNewline++ - } - } - } - return nil - } - - // nextToken gets the next token delimited by a newline. This assumes that - // at least one newline exists in the buffer. - var nextToken = func() string { - cntNewline-- - tok, _ := buf.ReadString('\n') - return tok[:len(tok)-1] // Cut off newline - } - - // Parse for the number of entries. - // Use integer overflow resistant math to check this. - if err := feedTokens(1); err != nil { - return nil, err - } - numEntries, err := strconv.ParseInt(nextToken(), 10, 0) // Intentionally parse as native int - if err != nil || numEntries < 0 || int(2*numEntries) < int(numEntries) { - return nil, ErrHeader - } - - // Parse for all member entries. - // numEntries is trusted after this since a potential attacker must have - // committed resources proportional to what this library used. - if err := feedTokens(2 * numEntries); err != nil { - return nil, err - } - sp := make([]sparseEntry, 0, numEntries) - for i := int64(0); i < numEntries; i++ { - offset, err := strconv.ParseInt(nextToken(), 10, 64) - if err != nil { - return nil, ErrHeader - } - numBytes, err := strconv.ParseInt(nextToken(), 10, 64) - if err != nil { - return nil, ErrHeader - } - sp = append(sp, sparseEntry{offset: offset, numBytes: numBytes}) - } - return sp, nil -} - -// readGNUSparseMap0x1 reads the sparse map as stored in GNU's PAX sparse format -// version 0.1. The sparse map is stored in the PAX headers. -func readGNUSparseMap0x1(extHdrs map[string]string) ([]sparseEntry, error) { - // Get number of entries. - // Use integer overflow resistant math to check this. - numEntriesStr := extHdrs[paxGNUSparseNumBlocks] - numEntries, err := strconv.ParseInt(numEntriesStr, 10, 0) // Intentionally parse as native int - if err != nil || numEntries < 0 || int(2*numEntries) < int(numEntries) { - return nil, ErrHeader - } - - // There should be two numbers in sparseMap for each entry. - sparseMap := strings.Split(extHdrs[paxGNUSparseMap], ",") - if int64(len(sparseMap)) != 2*numEntries { - return nil, ErrHeader - } - - // Loop through the entries in the sparse map. - // numEntries is trusted now. - sp := make([]sparseEntry, 0, numEntries) - for i := int64(0); i < numEntries; i++ { - offset, err := strconv.ParseInt(sparseMap[2*i], 10, 64) - if err != nil { - return nil, ErrHeader - } - numBytes, err := strconv.ParseInt(sparseMap[2*i+1], 10, 64) - if err != nil { - return nil, ErrHeader - } - sp = append(sp, sparseEntry{offset: offset, numBytes: numBytes}) - } - return sp, nil -} - -// numBytes returns the number of bytes left to read in the current file's entry -// in the tar archive, or 0 if there is no current file. -func (tr *Reader) numBytes() int64 { - if tr.curr == nil { - // No current file, so no bytes - return 0 - } - return tr.curr.numBytes() -} - -// Read reads from the current entry in the tar archive. -// It returns 0, io.EOF when it reaches the end of that entry, -// until Next is called to advance to the next entry. -// -// Calling Read on special types like TypeLink, TypeSymLink, TypeChar, -// TypeBlock, TypeDir, and TypeFifo returns 0, io.EOF regardless of what -// the Header.Size claims. -func (tr *Reader) Read(b []byte) (n int, err error) { - if tr.err != nil { - return 0, tr.err - } - if tr.curr == nil { - return 0, io.EOF - } - - n, err = tr.curr.Read(b) - if err != nil && err != io.EOF { - tr.err = err - } - return -} - -func (rfr *regFileReader) Read(b []byte) (n int, err error) { - if rfr.nb == 0 { - // file consumed - return 0, io.EOF - } - if int64(len(b)) > rfr.nb { - b = b[0:rfr.nb] - } - n, err = rfr.r.Read(b) - rfr.nb -= int64(n) - - if err == io.EOF && rfr.nb > 0 { - err = io.ErrUnexpectedEOF - } - return -} - -// numBytes returns the number of bytes left to read in the file's data in the tar archive. -func (rfr *regFileReader) numBytes() int64 { - return rfr.nb -} - -// newSparseFileReader creates a new sparseFileReader, but validates all of the -// sparse entries before doing so. -func newSparseFileReader(rfr numBytesReader, sp []sparseEntry, total int64) (*sparseFileReader, error) { - if total < 0 { - return nil, ErrHeader // Total size cannot be negative - } - - // Validate all sparse entries. These are the same checks as performed by - // the BSD tar utility. - for i, s := range sp { - switch { - case s.offset < 0 || s.numBytes < 0: - return nil, ErrHeader // Negative values are never okay - case s.offset > math.MaxInt64-s.numBytes: - return nil, ErrHeader // Integer overflow with large length - case s.offset+s.numBytes > total: - return nil, ErrHeader // Region extends beyond the "real" size - case i > 0 && sp[i-1].offset+sp[i-1].numBytes > s.offset: - return nil, ErrHeader // Regions can't overlap and must be in order - } - } - return &sparseFileReader{rfr: rfr, sp: sp, total: total}, nil -} - -// readHole reads a sparse hole ending at endOffset. -func (sfr *sparseFileReader) readHole(b []byte, endOffset int64) int { - n64 := endOffset - sfr.pos - if n64 > int64(len(b)) { - n64 = int64(len(b)) - } - n := int(n64) - for i := 0; i < n; i++ { - b[i] = 0 - } - sfr.pos += n64 - return n -} - -// Read reads the sparse file data in expanded form. -func (sfr *sparseFileReader) Read(b []byte) (n int, err error) { - // Skip past all empty fragments. - for len(sfr.sp) > 0 && sfr.sp[0].numBytes == 0 { - sfr.sp = sfr.sp[1:] - } - - // If there are no more fragments, then it is possible that there - // is one last sparse hole. - if len(sfr.sp) == 0 { - // This behavior matches the BSD tar utility. - // However, GNU tar stops returning data even if sfr.total is unmet. - if sfr.pos < sfr.total { - return sfr.readHole(b, sfr.total), nil - } - return 0, io.EOF - } - - // In front of a data fragment, so read a hole. - if sfr.pos < sfr.sp[0].offset { - return sfr.readHole(b, sfr.sp[0].offset), nil - } - - // In a data fragment, so read from it. - // This math is overflow free since we verify that offset and numBytes can - // be safely added when creating the sparseFileReader. - endPos := sfr.sp[0].offset + sfr.sp[0].numBytes // End offset of fragment - bytesLeft := endPos - sfr.pos // Bytes left in fragment - if int64(len(b)) > bytesLeft { - b = b[:bytesLeft] - } - - n, err = sfr.rfr.Read(b) - sfr.pos += int64(n) - if err == io.EOF { - if sfr.pos < endPos { - err = io.ErrUnexpectedEOF // There was supposed to be more data - } else if sfr.pos < sfr.total { - err = nil // There is still an implicit sparse hole at the end - } - } - - if sfr.pos == endPos { - sfr.sp = sfr.sp[1:] // We are done with this fragment, so pop it - } - return n, err -} - -// numBytes returns the number of bytes left to read in the sparse file's -// sparse-encoded data in the tar archive. -func (sfr *sparseFileReader) numBytes() int64 { - return sfr.rfr.numBytes() -} diff --git a/vendor/github.com/Microsoft/go-winio/archive/tar/stat_atim.go b/vendor/github.com/Microsoft/go-winio/archive/tar/stat_atim.go deleted file mode 100644 index cf9cc79c5..000000000 --- a/vendor/github.com/Microsoft/go-winio/archive/tar/stat_atim.go +++ /dev/null @@ -1,20 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// +build linux dragonfly openbsd solaris - -package tar - -import ( - "syscall" - "time" -) - -func statAtime(st *syscall.Stat_t) time.Time { - return time.Unix(st.Atim.Unix()) -} - -func statCtime(st *syscall.Stat_t) time.Time { - return time.Unix(st.Ctim.Unix()) -} diff --git a/vendor/github.com/Microsoft/go-winio/archive/tar/stat_atimespec.go b/vendor/github.com/Microsoft/go-winio/archive/tar/stat_atimespec.go deleted file mode 100644 index 6f17dbe30..000000000 --- a/vendor/github.com/Microsoft/go-winio/archive/tar/stat_atimespec.go +++ /dev/null @@ -1,20 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// +build darwin freebsd netbsd - -package tar - -import ( - "syscall" - "time" -) - -func statAtime(st *syscall.Stat_t) time.Time { - return time.Unix(st.Atimespec.Unix()) -} - -func statCtime(st *syscall.Stat_t) time.Time { - return time.Unix(st.Ctimespec.Unix()) -} diff --git a/vendor/github.com/Microsoft/go-winio/archive/tar/stat_unix.go b/vendor/github.com/Microsoft/go-winio/archive/tar/stat_unix.go deleted file mode 100644 index cb843db4c..000000000 --- a/vendor/github.com/Microsoft/go-winio/archive/tar/stat_unix.go +++ /dev/null @@ -1,32 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// +build linux darwin dragonfly freebsd openbsd netbsd solaris - -package tar - -import ( - "os" - "syscall" -) - -func init() { - sysStat = statUnix -} - -func statUnix(fi os.FileInfo, h *Header) error { - sys, ok := fi.Sys().(*syscall.Stat_t) - if !ok { - return nil - } - h.Uid = int(sys.Uid) - h.Gid = int(sys.Gid) - // TODO(bradfitz): populate username & group. os/user - // doesn't cache LookupId lookups, and lacks group - // lookup functions. - h.AccessTime = statAtime(sys) - h.ChangeTime = statCtime(sys) - // TODO(bradfitz): major/minor device numbers? - return nil -} diff --git a/vendor/github.com/Microsoft/go-winio/archive/tar/writer.go b/vendor/github.com/Microsoft/go-winio/archive/tar/writer.go deleted file mode 100644 index 30d7e606d..000000000 --- a/vendor/github.com/Microsoft/go-winio/archive/tar/writer.go +++ /dev/null @@ -1,444 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package tar - -// TODO(dsymonds): -// - catch more errors (no first header, etc.) - -import ( - "bytes" - "errors" - "fmt" - "io" - "path" - "sort" - "strconv" - "strings" - "time" -) - -var ( - ErrWriteTooLong = errors.New("archive/tar: write too long") - ErrFieldTooLong = errors.New("archive/tar: header field too long") - ErrWriteAfterClose = errors.New("archive/tar: write after close") - errInvalidHeader = errors.New("archive/tar: header field too long or contains invalid values") -) - -// A Writer provides sequential writing of a tar archive in POSIX.1 format. -// A tar archive consists of a sequence of files. -// Call WriteHeader to begin a new file, and then call Write to supply that file's data, -// writing at most hdr.Size bytes in total. -type Writer struct { - w io.Writer - err error - nb int64 // number of unwritten bytes for current file entry - pad int64 // amount of padding to write after current file entry - closed bool - usedBinary bool // whether the binary numeric field extension was used - preferPax bool // use pax header instead of binary numeric header - hdrBuff [blockSize]byte // buffer to use in writeHeader when writing a regular header - paxHdrBuff [blockSize]byte // buffer to use in writeHeader when writing a pax header -} - -type formatter struct { - err error // Last error seen -} - -// NewWriter creates a new Writer writing to w. -func NewWriter(w io.Writer) *Writer { return &Writer{w: w, preferPax: true} } - -// Flush finishes writing the current file (optional). -func (tw *Writer) Flush() error { - if tw.nb > 0 { - tw.err = fmt.Errorf("archive/tar: missed writing %d bytes", tw.nb) - return tw.err - } - - n := tw.nb + tw.pad - for n > 0 && tw.err == nil { - nr := n - if nr > blockSize { - nr = blockSize - } - var nw int - nw, tw.err = tw.w.Write(zeroBlock[0:nr]) - n -= int64(nw) - } - tw.nb = 0 - tw.pad = 0 - return tw.err -} - -// Write s into b, terminating it with a NUL if there is room. -func (f *formatter) formatString(b []byte, s string) { - if len(s) > len(b) { - f.err = ErrFieldTooLong - return - } - ascii := toASCII(s) - copy(b, ascii) - if len(ascii) < len(b) { - b[len(ascii)] = 0 - } -} - -// Encode x as an octal ASCII string and write it into b with leading zeros. -func (f *formatter) formatOctal(b []byte, x int64) { - s := strconv.FormatInt(x, 8) - // leading zeros, but leave room for a NUL. - for len(s)+1 < len(b) { - s = "0" + s - } - f.formatString(b, s) -} - -// fitsInBase256 reports whether x can be encoded into n bytes using base-256 -// encoding. Unlike octal encoding, base-256 encoding does not require that the -// string ends with a NUL character. Thus, all n bytes are available for output. -// -// If operating in binary mode, this assumes strict GNU binary mode; which means -// that the first byte can only be either 0x80 or 0xff. Thus, the first byte is -// equivalent to the sign bit in two's complement form. -func fitsInBase256(n int, x int64) bool { - var binBits = uint(n-1) * 8 - return n >= 9 || (x >= -1<<binBits && x < 1<<binBits) -} - -// Write x into b, as binary (GNUtar/star extension). -func (f *formatter) formatNumeric(b []byte, x int64) { - if fitsInBase256(len(b), x) { - for i := len(b) - 1; i >= 0; i-- { - b[i] = byte(x) - x >>= 8 - } - b[0] |= 0x80 // Highest bit indicates binary format - return - } - - f.formatOctal(b, 0) // Last resort, just write zero - f.err = ErrFieldTooLong -} - -var ( - minTime = time.Unix(0, 0) - // There is room for 11 octal digits (33 bits) of mtime. - maxTime = minTime.Add((1<<33 - 1) * time.Second) -) - -// WriteHeader writes hdr and prepares to accept the file's contents. -// WriteHeader calls Flush if it is not the first header. -// Calling after a Close will return ErrWriteAfterClose. -func (tw *Writer) WriteHeader(hdr *Header) error { - return tw.writeHeader(hdr, true) -} - -// WriteHeader writes hdr and prepares to accept the file's contents. -// WriteHeader calls Flush if it is not the first header. -// Calling after a Close will return ErrWriteAfterClose. -// As this method is called internally by writePax header to allow it to -// suppress writing the pax header. -func (tw *Writer) writeHeader(hdr *Header, allowPax bool) error { - if tw.closed { - return ErrWriteAfterClose - } - if tw.err == nil { - tw.Flush() - } - if tw.err != nil { - return tw.err - } - - // a map to hold pax header records, if any are needed - paxHeaders := make(map[string]string) - - // TODO(shanemhansen): we might want to use PAX headers for - // subsecond time resolution, but for now let's just capture - // too long fields or non ascii characters - - var f formatter - var header []byte - - // We need to select which scratch buffer to use carefully, - // since this method is called recursively to write PAX headers. - // If allowPax is true, this is the non-recursive call, and we will use hdrBuff. - // If allowPax is false, we are being called by writePAXHeader, and hdrBuff is - // already being used by the non-recursive call, so we must use paxHdrBuff. - header = tw.hdrBuff[:] - if !allowPax { - header = tw.paxHdrBuff[:] - } - copy(header, zeroBlock) - s := slicer(header) - - // Wrappers around formatter that automatically sets paxHeaders if the - // argument extends beyond the capacity of the input byte slice. - var formatString = func(b []byte, s string, paxKeyword string) { - needsPaxHeader := paxKeyword != paxNone && len(s) > len(b) || !isASCII(s) - if needsPaxHeader { - paxHeaders[paxKeyword] = s - return - } - f.formatString(b, s) - } - var formatNumeric = func(b []byte, x int64, paxKeyword string) { - // Try octal first. - s := strconv.FormatInt(x, 8) - if len(s) < len(b) { - f.formatOctal(b, x) - return - } - - // If it is too long for octal, and PAX is preferred, use a PAX header. - if paxKeyword != paxNone && tw.preferPax { - f.formatOctal(b, 0) - s := strconv.FormatInt(x, 10) - paxHeaders[paxKeyword] = s - return - } - - tw.usedBinary = true - f.formatNumeric(b, x) - } - var formatTime = func(b []byte, t time.Time, paxKeyword string) { - var unixTime int64 - if !t.Before(minTime) && !t.After(maxTime) { - unixTime = t.Unix() - } - formatNumeric(b, unixTime, paxNone) - - // Write a PAX header if the time didn't fit precisely. - if paxKeyword != "" && tw.preferPax && allowPax && (t.Nanosecond() != 0 || !t.Before(minTime) || !t.After(maxTime)) { - paxHeaders[paxKeyword] = formatPAXTime(t) - } - } - - // keep a reference to the filename to allow to overwrite it later if we detect that we can use ustar longnames instead of pax - pathHeaderBytes := s.next(fileNameSize) - - formatString(pathHeaderBytes, hdr.Name, paxPath) - - f.formatOctal(s.next(8), hdr.Mode) // 100:108 - formatNumeric(s.next(8), int64(hdr.Uid), paxUid) // 108:116 - formatNumeric(s.next(8), int64(hdr.Gid), paxGid) // 116:124 - formatNumeric(s.next(12), hdr.Size, paxSize) // 124:136 - formatTime(s.next(12), hdr.ModTime, paxMtime) // 136:148 - s.next(8) // chksum (148:156) - s.next(1)[0] = hdr.Typeflag // 156:157 - - formatString(s.next(100), hdr.Linkname, paxLinkpath) - - copy(s.next(8), []byte("ustar\x0000")) // 257:265 - formatString(s.next(32), hdr.Uname, paxUname) // 265:297 - formatString(s.next(32), hdr.Gname, paxGname) // 297:329 - formatNumeric(s.next(8), hdr.Devmajor, paxNone) // 329:337 - formatNumeric(s.next(8), hdr.Devminor, paxNone) // 337:345 - - // keep a reference to the prefix to allow to overwrite it later if we detect that we can use ustar longnames instead of pax - prefixHeaderBytes := s.next(155) - formatString(prefixHeaderBytes, "", paxNone) // 345:500 prefix - - // Use the GNU magic instead of POSIX magic if we used any GNU extensions. - if tw.usedBinary { - copy(header[257:265], []byte("ustar \x00")) - } - - _, paxPathUsed := paxHeaders[paxPath] - // try to use a ustar header when only the name is too long - if !tw.preferPax && len(paxHeaders) == 1 && paxPathUsed { - prefix, suffix, ok := splitUSTARPath(hdr.Name) - if ok { - // Since we can encode in USTAR format, disable PAX header. - delete(paxHeaders, paxPath) - - // Update the path fields - formatString(pathHeaderBytes, suffix, paxNone) - formatString(prefixHeaderBytes, prefix, paxNone) - } - } - - // The chksum field is terminated by a NUL and a space. - // This is different from the other octal fields. - chksum, _ := checksum(header) - f.formatOctal(header[148:155], chksum) // Never fails - header[155] = ' ' - - // Check if there were any formatting errors. - if f.err != nil { - tw.err = f.err - return tw.err - } - - if allowPax { - if !hdr.AccessTime.IsZero() { - paxHeaders[paxAtime] = formatPAXTime(hdr.AccessTime) - } - if !hdr.ChangeTime.IsZero() { - paxHeaders[paxCtime] = formatPAXTime(hdr.ChangeTime) - } - if !hdr.CreationTime.IsZero() { - paxHeaders[paxCreationTime] = formatPAXTime(hdr.CreationTime) - } - for k, v := range hdr.Xattrs { - paxHeaders[paxXattr+k] = v - } - for k, v := range hdr.Winheaders { - paxHeaders[paxWindows+k] = v - } - } - - if len(paxHeaders) > 0 { - if !allowPax { - return errInvalidHeader - } - if err := tw.writePAXHeader(hdr, paxHeaders); err != nil { - return err - } - } - tw.nb = int64(hdr.Size) - tw.pad = (blockSize - (tw.nb % blockSize)) % blockSize - - _, tw.err = tw.w.Write(header) - return tw.err -} - -func formatPAXTime(t time.Time) string { - sec := t.Unix() - usec := t.Nanosecond() - s := strconv.FormatInt(sec, 10) - if usec != 0 { - s = fmt.Sprintf("%s.%09d", s, usec) - } - return s -} - -// splitUSTARPath splits a path according to USTAR prefix and suffix rules. -// If the path is not splittable, then it will return ("", "", false). -func splitUSTARPath(name string) (prefix, suffix string, ok bool) { - length := len(name) - if length <= fileNameSize || !isASCII(name) { - return "", "", false - } else if length > fileNamePrefixSize+1 { - length = fileNamePrefixSize + 1 - } else if name[length-1] == '/' { - length-- - } - - i := strings.LastIndex(name[:length], "/") - nlen := len(name) - i - 1 // nlen is length of suffix - plen := i // plen is length of prefix - if i <= 0 || nlen > fileNameSize || nlen == 0 || plen > fileNamePrefixSize { - return "", "", false - } - return name[:i], name[i+1:], true -} - -// writePaxHeader writes an extended pax header to the -// archive. -func (tw *Writer) writePAXHeader(hdr *Header, paxHeaders map[string]string) error { - // Prepare extended header - ext := new(Header) - ext.Typeflag = TypeXHeader - // Setting ModTime is required for reader parsing to - // succeed, and seems harmless enough. - ext.ModTime = hdr.ModTime - // The spec asks that we namespace our pseudo files - // with the current pid. However, this results in differing outputs - // for identical inputs. As such, the constant 0 is now used instead. - // golang.org/issue/12358 - dir, file := path.Split(hdr.Name) - fullName := path.Join(dir, "PaxHeaders.0", file) - - ascii := toASCII(fullName) - if len(ascii) > 100 { - ascii = ascii[:100] - } - ext.Name = ascii - // Construct the body - var buf bytes.Buffer - - // Keys are sorted before writing to body to allow deterministic output. - var keys []string - for k := range paxHeaders { - keys = append(keys, k) - } - sort.Strings(keys) - - for _, k := range keys { - fmt.Fprint(&buf, formatPAXRecord(k, paxHeaders[k])) - } - - ext.Size = int64(len(buf.Bytes())) - if err := tw.writeHeader(ext, false); err != nil { - return err - } - if _, err := tw.Write(buf.Bytes()); err != nil { - return err - } - if err := tw.Flush(); err != nil { - return err - } - return nil -} - -// formatPAXRecord formats a single PAX record, prefixing it with the -// appropriate length. -func formatPAXRecord(k, v string) string { - const padding = 3 // Extra padding for ' ', '=', and '\n' - size := len(k) + len(v) + padding - size += len(strconv.Itoa(size)) - record := fmt.Sprintf("%d %s=%s\n", size, k, v) - - // Final adjustment if adding size field increased the record size. - if len(record) != size { - size = len(record) - record = fmt.Sprintf("%d %s=%s\n", size, k, v) - } - return record -} - -// Write writes to the current entry in the tar archive. -// Write returns the error ErrWriteTooLong if more than -// hdr.Size bytes are written after WriteHeader. -func (tw *Writer) Write(b []byte) (n int, err error) { - if tw.closed { - err = ErrWriteAfterClose - return - } - overwrite := false - if int64(len(b)) > tw.nb { - b = b[0:tw.nb] - overwrite = true - } - n, err = tw.w.Write(b) - tw.nb -= int64(n) - if err == nil && overwrite { - err = ErrWriteTooLong - return - } - tw.err = err - return -} - -// Close closes the tar archive, flushing any unwritten -// data to the underlying writer. -func (tw *Writer) Close() error { - if tw.err != nil || tw.closed { - return tw.err - } - tw.Flush() - tw.closed = true - if tw.err != nil { - return tw.err - } - - // trailer: two zero blocks - for i := 0; i < 2; i++ { - _, tw.err = tw.w.Write(zeroBlock) - if tw.err != nil { - break - } - } - return tw.err -} diff --git a/vendor/github.com/Microsoft/go-winio/backuptar/strconv.go b/vendor/github.com/Microsoft/go-winio/backuptar/strconv.go new file mode 100644 index 000000000..341609663 --- /dev/null +++ b/vendor/github.com/Microsoft/go-winio/backuptar/strconv.go @@ -0,0 +1,68 @@ +package backuptar + +import ( + "archive/tar" + "fmt" + "strconv" + "strings" + "time" +) + +// Functions copied from https://github.com/golang/go/blob/master/src/archive/tar/strconv.go +// as we need to manage the LIBARCHIVE.creationtime PAXRecord manually. +// Idea taken from containerd which did the same thing. + +// parsePAXTime takes a string of the form %d.%d as described in the PAX +// specification. Note that this implementation allows for negative timestamps, +// which is allowed for by the PAX specification, but not always portable. +func parsePAXTime(s string) (time.Time, error) { + const maxNanoSecondDigits = 9 + + // Split string into seconds and sub-seconds parts. + ss, sn := s, "" + if pos := strings.IndexByte(s, '.'); pos >= 0 { + ss, sn = s[:pos], s[pos+1:] + } + + // Parse the seconds. + secs, err := strconv.ParseInt(ss, 10, 64) + if err != nil { + return time.Time{}, tar.ErrHeader + } + if len(sn) == 0 { + return time.Unix(secs, 0), nil // No sub-second values + } + + // Parse the nanoseconds. + if strings.Trim(sn, "0123456789") != "" { + return time.Time{}, tar.ErrHeader + } + if len(sn) < maxNanoSecondDigits { + sn += strings.Repeat("0", maxNanoSecondDigits-len(sn)) // Right pad + } else { + sn = sn[:maxNanoSecondDigits] // Right truncate + } + nsecs, _ := strconv.ParseInt(sn, 10, 64) // Must succeed + if len(ss) > 0 && ss[0] == '-' { + return time.Unix(secs, -1*nsecs), nil // Negative correction + } + return time.Unix(secs, nsecs), nil +} + +// formatPAXTime converts ts into a time of the form %d.%d as described in the +// PAX specification. This function is capable of negative timestamps. +func formatPAXTime(ts time.Time) (s string) { + secs, nsecs := ts.Unix(), ts.Nanosecond() + if nsecs == 0 { + return strconv.FormatInt(secs, 10) + } + + // If seconds is negative, then perform correction. + sign := "" + if secs < 0 { + sign = "-" // Remember sign + secs = -(secs + 1) // Add a second to secs + nsecs = -(nsecs - 1e9) // Take that second away from nsecs + } + return strings.TrimRight(fmt.Sprintf("%s%d.%09d", sign, secs, nsecs), "0") +} diff --git a/vendor/github.com/Microsoft/go-winio/backuptar/tar.go b/vendor/github.com/Microsoft/go-winio/backuptar/tar.go index d6566dbf0..088a43c68 100644 --- a/vendor/github.com/Microsoft/go-winio/backuptar/tar.go +++ b/vendor/github.com/Microsoft/go-winio/backuptar/tar.go @@ -3,6 +3,7 @@ package backuptar import ( + "archive/tar" "encoding/base64" "errors" "fmt" @@ -15,7 +16,6 @@ import ( "time" "github.com/Microsoft/go-winio" - "github.com/Microsoft/go-winio/archive/tar" // until archive/tar supports pax extensions in its interface ) const ( @@ -32,11 +32,13 @@ const ( ) const ( - hdrFileAttributes = "fileattr" - hdrSecurityDescriptor = "sd" - hdrRawSecurityDescriptor = "rawsd" - hdrMountPoint = "mountpoint" - hdrEaPrefix = "xattr." + hdrFileAttributes = "MSWINDOWS.fileattr" + hdrSecurityDescriptor = "MSWINDOWS.sd" + hdrRawSecurityDescriptor = "MSWINDOWS.rawsd" + hdrMountPoint = "MSWINDOWS.mountpoint" + hdrEaPrefix = "MSWINDOWS.xattr." + + hdrCreationTime = "LIBARCHIVE.creationtime" ) func writeZeroes(w io.Writer, count int64) error { @@ -86,16 +88,17 @@ func copySparse(t *tar.Writer, br *winio.BackupStreamReader) error { // BasicInfoHeader creates a tar header from basic file information. func BasicInfoHeader(name string, size int64, fileInfo *winio.FileBasicInfo) *tar.Header { hdr := &tar.Header{ - Name: filepath.ToSlash(name), - Size: size, - Typeflag: tar.TypeReg, - ModTime: time.Unix(0, fileInfo.LastWriteTime.Nanoseconds()), - ChangeTime: time.Unix(0, fileInfo.ChangeTime.Nanoseconds()), - AccessTime: time.Unix(0, fileInfo.LastAccessTime.Nanoseconds()), - CreationTime: time.Unix(0, fileInfo.CreationTime.Nanoseconds()), - Winheaders: make(map[string]string), + Format: tar.FormatPAX, + Name: filepath.ToSlash(name), + Size: size, + Typeflag: tar.TypeReg, + ModTime: time.Unix(0, fileInfo.LastWriteTime.Nanoseconds()), + ChangeTime: time.Unix(0, fileInfo.ChangeTime.Nanoseconds()), + AccessTime: time.Unix(0, fileInfo.LastAccessTime.Nanoseconds()), + PAXRecords: make(map[string]string), } - hdr.Winheaders[hdrFileAttributes] = fmt.Sprintf("%d", fileInfo.FileAttributes) + hdr.PAXRecords[hdrFileAttributes] = fmt.Sprintf("%d", fileInfo.FileAttributes) + hdr.PAXRecords[hdrCreationTime] = formatPAXTime(time.Unix(0, fileInfo.CreationTime.Nanoseconds())) if (fileInfo.FileAttributes & syscall.FILE_ATTRIBUTE_DIRECTORY) != 0 { hdr.Mode |= c_ISDIR @@ -155,7 +158,7 @@ func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size if err != nil { return err } - hdr.Winheaders[hdrRawSecurityDescriptor] = base64.StdEncoding.EncodeToString(sd) + hdr.PAXRecords[hdrRawSecurityDescriptor] = base64.StdEncoding.EncodeToString(sd) case winio.BackupReparseData: hdr.Mode |= c_ISLNK @@ -166,7 +169,7 @@ func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size return err } if rp.IsMountPoint { - hdr.Winheaders[hdrMountPoint] = "1" + hdr.PAXRecords[hdrMountPoint] = "1" } hdr.Linkname = rp.Target @@ -183,7 +186,7 @@ func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size // Use base64 encoding for the binary value. Note that there // is no way to encode the EA's flags, since their use doesn't // make any sense for persisted EAs. - hdr.Winheaders[hdrEaPrefix+ea.Name] = base64.StdEncoding.EncodeToString(ea.Value) + hdr.PAXRecords[hdrEaPrefix+ea.Name] = base64.StdEncoding.EncodeToString(ea.Value) } case winio.BackupAlternateData, winio.BackupLink, winio.BackupPropertyData, winio.BackupObjectId, winio.BackupTxfsData: @@ -254,6 +257,7 @@ func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size } if (bhdr.Attributes & winio.StreamSparseAttributes) == 0 { hdr = &tar.Header{ + Format: hdr.Format, Name: name + altName, Mode: hdr.Mode, Typeflag: tar.TypeReg, @@ -296,9 +300,10 @@ func FileInfoFromHeader(hdr *tar.Header) (name string, size int64, fileInfo *win LastAccessTime: syscall.NsecToFiletime(hdr.AccessTime.UnixNano()), LastWriteTime: syscall.NsecToFiletime(hdr.ModTime.UnixNano()), ChangeTime: syscall.NsecToFiletime(hdr.ChangeTime.UnixNano()), - CreationTime: syscall.NsecToFiletime(hdr.CreationTime.UnixNano()), + // Default to ModTime, we'll pull hdrCreationTime below if present + CreationTime: syscall.NsecToFiletime(hdr.ModTime.UnixNano()), } - if attrStr, ok := hdr.Winheaders[hdrFileAttributes]; ok { + if attrStr, ok := hdr.PAXRecords[hdrFileAttributes]; ok { attr, err := strconv.ParseUint(attrStr, 10, 32) if err != nil { return "", 0, nil, err @@ -309,6 +314,13 @@ func FileInfoFromHeader(hdr *tar.Header) (name string, size int64, fileInfo *win fileInfo.FileAttributes |= syscall.FILE_ATTRIBUTE_DIRECTORY } } + if creationTimeStr, ok := hdr.PAXRecords[hdrCreationTime]; ok { + creationTime, err := parsePAXTime(creationTimeStr) + if err != nil { + return "", 0, nil, err + } + fileInfo.CreationTime = syscall.NsecToFiletime(creationTime.UnixNano()) + } return } @@ -321,13 +333,13 @@ func WriteBackupStreamFromTarFile(w io.Writer, t *tar.Reader, hdr *tar.Header) ( var err error // Maintaining old SDDL-based behavior for backward compatibility. All new tar headers written // by this library will have raw binary for the security descriptor. - if sddl, ok := hdr.Winheaders[hdrSecurityDescriptor]; ok { + if sddl, ok := hdr.PAXRecords[hdrSecurityDescriptor]; ok { sd, err = winio.SddlToSecurityDescriptor(sddl) if err != nil { return nil, err } } - if sdraw, ok := hdr.Winheaders[hdrRawSecurityDescriptor]; ok { + if sdraw, ok := hdr.PAXRecords[hdrRawSecurityDescriptor]; ok { sd, err = base64.StdEncoding.DecodeString(sdraw) if err != nil { return nil, err @@ -348,7 +360,7 @@ func WriteBackupStreamFromTarFile(w io.Writer, t *tar.Reader, hdr *tar.Header) ( } } var eas []winio.ExtendedAttribute - for k, v := range hdr.Winheaders { + for k, v := range hdr.PAXRecords { if !strings.HasPrefix(k, hdrEaPrefix) { continue } @@ -380,7 +392,7 @@ func WriteBackupStreamFromTarFile(w io.Writer, t *tar.Reader, hdr *tar.Header) ( } } if hdr.Typeflag == tar.TypeSymlink { - _, isMountPoint := hdr.Winheaders[hdrMountPoint] + _, isMountPoint := hdr.PAXRecords[hdrMountPoint] rp := winio.ReparsePoint{ Target: filepath.FromSlash(hdr.Linkname), IsMountPoint: isMountPoint, diff --git a/vendor/github.com/containers/buildah/CHANGELOG.md b/vendor/github.com/containers/buildah/CHANGELOG.md index e0a2671f7..f37f387e7 100644 --- a/vendor/github.com/containers/buildah/CHANGELOG.md +++ b/vendor/github.com/containers/buildah/CHANGELOG.md @@ -2,6 +2,38 @@ # Changelog +## v1.18.0 (2020-11-16) + Fix testing error caused by simultanious merge + Vendor in containers/storage v1.24.0 + short-names aliasing + Add --policy flag to buildah pull + Stop overwrapping and stuttering + copier.Get(): ignore ENOTSUP/ENOSYS when listing xattrs + Run: don't forcibly disable UTS namespaces in rootless mode + test: ensure non-directory in a Dockerfile path is handled correctly + Add a few tests for `pull` command + Fix buildah config --cmd to handle array + build(deps): bump github.com/containers/storage from 1.23.8 to 1.23.9 + Fix NPE when Dockerfile path contains non-directory entries + Update buildah bud man page from podman build man page + Move declaration of decryption-keys to common cli + Run: correctly call copier.Mkdir + util: digging UID/GID out of os.FileInfo should work on Unix + imagebuildah.getImageTypeAndHistoryAndDiffIDs: cache results + Verify userns-uid-map and userns-gid-map input + Use CPP, CC and flags in dep check scripts + Avoid overriding LDFLAGS in Makefile + ADD: handle --chown on URLs + Update nix pin with `make nixpkgs` + (*Builder).Run: MkdirAll: handle EEXIST error + copier: try to force loading of nsswitch modules before chroot() + fix MkdirAll usage + build(deps): bump github.com/containers/common from 0.26.2 to 0.26.3 + build(deps): bump github.com/containers/storage from 1.23.7 to 1.23.8 + Use osusergo build tag for static build + imagebuildah: cache should take image format into account + Bump to v1.18.0-dev + ## v1.17.0 (2020-10-29) Handle cases where other tools mount/unmount containers overlay.MountReadOnly: support RO overlay mounts diff --git a/vendor/github.com/containers/buildah/buildah.go b/vendor/github.com/containers/buildah/buildah.go index 96e8619a8..9ab47e60c 100644 --- a/vendor/github.com/containers/buildah/buildah.go +++ b/vendor/github.com/containers/buildah/buildah.go @@ -28,7 +28,7 @@ const ( Package = "buildah" // Version for the Package. Bump version in contrib/rpm/buildah.spec // too. - Version = "1.18.0-dev" + Version = "1.18.0" // The value we use to identify what type of information, currently a // serialized Builder structure, we are using as per-container state. // This should only be changed when we make incompatible changes to diff --git a/vendor/github.com/containers/buildah/changelog.txt b/vendor/github.com/containers/buildah/changelog.txt index df19d0746..f59d426ae 100644 --- a/vendor/github.com/containers/buildah/changelog.txt +++ b/vendor/github.com/containers/buildah/changelog.txt @@ -1,3 +1,35 @@ +- Changelog for v1.18.0 (2020-11-16) + * Fix testing error caused by simultanious merge + * Vendor in containers/storage v1.24.0 + * short-names aliasing + * Add --policy flag to buildah pull + * Stop overwrapping and stuttering + * copier.Get(): ignore ENOTSUP/ENOSYS when listing xattrs + * Run: don't forcibly disable UTS namespaces in rootless mode + * test: ensure non-directory in a Dockerfile path is handled correctly + * Add a few tests for `pull` command + * Fix buildah config --cmd to handle array + * build(deps): bump github.com/containers/storage from 1.23.8 to 1.23.9 + * Fix NPE when Dockerfile path contains non-directory entries + * Update buildah bud man page from podman build man page + * Move declaration of decryption-keys to common cli + * Run: correctly call copier.Mkdir + * util: digging UID/GID out of os.FileInfo should work on Unix + * imagebuildah.getImageTypeAndHistoryAndDiffIDs: cache results + * Verify userns-uid-map and userns-gid-map input + * Use CPP, CC and flags in dep check scripts + * Avoid overriding LDFLAGS in Makefile + * ADD: handle --chown on URLs + * Update nix pin with `make nixpkgs` + * (*Builder).Run: MkdirAll: handle EEXIST error + * copier: try to force loading of nsswitch modules before chroot() + * fix MkdirAll usage + * build(deps): bump github.com/containers/common from 0.26.2 to 0.26.3 + * build(deps): bump github.com/containers/storage from 1.23.7 to 1.23.8 + * Use osusergo build tag for static build + * imagebuildah: cache should take image format into account + * Bump to v1.18.0-dev + - Changelog for v1.17.0 (2020-10-29) * Handle cases where other tools mount/unmount containers * overlay.MountReadOnly: support RO overlay mounts diff --git a/vendor/github.com/containers/buildah/define/types.go b/vendor/github.com/containers/buildah/define/types.go index 187e785d3..62c47d6bc 100644 --- a/vendor/github.com/containers/buildah/define/types.go +++ b/vendor/github.com/containers/buildah/define/types.go @@ -1,6 +1,8 @@ package define -import "fmt" +import ( + "fmt" +) // PullPolicy takes the value PullIfMissing, PullAlways, PullIfNewer, or PullNever. type PullPolicy int @@ -39,3 +41,10 @@ func (p PullPolicy) String() string { } return fmt.Sprintf("unrecognized policy %d", p) } + +var PolicyMap = map[string]PullPolicy{ + "missing": PullIfMissing, + "always": PullAlways, + "never": PullNever, + "ifnewer": PullIfNewer, +} diff --git a/vendor/github.com/containers/buildah/go.mod b/vendor/github.com/containers/buildah/go.mod index 2bc71f948..b1f3ad67a 100644 --- a/vendor/github.com/containers/buildah/go.mod +++ b/vendor/github.com/containers/buildah/go.mod @@ -8,7 +8,7 @@ require ( github.com/containers/common v0.26.3 github.com/containers/image/v5 v5.8.0 github.com/containers/ocicrypt v1.0.3 - github.com/containers/storage v1.23.9 + github.com/containers/storage v1.24.0 github.com/docker/distribution v2.7.1+incompatible github.com/docker/docker v17.12.0-ce-rc1.0.20201020191947-73dc6a680cdd+incompatible // indirect github.com/docker/go-units v0.4.0 diff --git a/vendor/github.com/containers/buildah/go.sum b/vendor/github.com/containers/buildah/go.sum index 1952ace1a..069328c38 100644 --- a/vendor/github.com/containers/buildah/go.sum +++ b/vendor/github.com/containers/buildah/go.sum @@ -22,6 +22,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= github.com/Microsoft/go-winio v0.4.15-0.20200113171025-3fe6c5262873 h1:93nQ7k53GjoMQ07HVP8g6Zj1fQZDDj7Xy2VkNNtvX8o= github.com/Microsoft/go-winio v0.4.15-0.20200113171025-3fe6c5262873/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= +github.com/Microsoft/go-winio v0.4.15 h1:qkLXKzb1QoVatRyd/YlXZ/Kg0m5K3SPuoD82jjSOaBc= +github.com/Microsoft/go-winio v0.4.15/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= github.com/Microsoft/hcsshim v0.8.9 h1:VrfodqvztU8YSOvygU+DN1BGaSGxmrNfqOv5oOuX2Bk= github.com/Microsoft/hcsshim v0.8.9/go.mod h1:5692vkUqntj1idxauYlpoINNKeqCiG6Sg38RRsjT5y8= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= @@ -83,8 +85,8 @@ github.com/containers/ocicrypt v1.0.3 h1:vYgl+RZ9Q3DPMuTfxmN+qp0X2Bj52uuY2vnt6Gz github.com/containers/ocicrypt v1.0.3/go.mod h1:CUBa+8MRNL/VkpxYIpaMtgn1WgXGyvPQj8jcy0EVG6g= github.com/containers/storage v1.23.6/go.mod h1:haFs0HRowKwyzvWEx9EgI3WsL8XCSnBDb5f8P5CAxJY= github.com/containers/storage v1.23.7/go.mod h1:cUT2zHjtx+WlVri30obWmM2gpqpi8jfPsmIzP1TVpEI= -github.com/containers/storage v1.23.9 h1:qbgnTp76pLSyW3vYwY5GH4vk5cHYVXFJ+CsUEBp9TMw= -github.com/containers/storage v1.23.9/go.mod h1:3b2ktpB6pw53SEeIoFfO0sQfP9+IoJJKPq5iJk74gxE= +github.com/containers/storage v1.24.0 h1:Fo2LkF7tkMLmo38sTZ/G8wHjcn8JfUFPfyTxM4WwMfk= +github.com/containers/storage v1.24.0/go.mod h1:A4d3BzuZK9b3oLVEsiSRhZLPIx3z7utgiPyXLK/YMhY= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= diff --git a/vendor/github.com/containers/buildah/import.go b/vendor/github.com/containers/buildah/import.go index 329633b44..0aa1d236d 100644 --- a/vendor/github.com/containers/buildah/import.go +++ b/vendor/github.com/containers/buildah/import.go @@ -154,7 +154,7 @@ func importBuilderFromImage(ctx context.Context, store storage.Store, options Im _, img, err := util.FindImage(store, "", systemContext, options.Image) if err != nil { - return nil, errors.Wrapf(err, "error locating image %q for importing settings", options.Image) + return nil, errors.Wrapf(err, "importing settings") } builder, err := importBuilderDataFromImage(ctx, store, systemContext, img.ID, "", "") diff --git a/vendor/github.com/containers/buildah/pull.go b/vendor/github.com/containers/buildah/pull.go index d7e7b8890..d1fec145e 100644 --- a/vendor/github.com/containers/buildah/pull.go +++ b/vendor/github.com/containers/buildah/pull.go @@ -60,6 +60,8 @@ type PullOptions struct { // OciDecryptConfig contains the config that can be used to decrypt an image if it is // encrypted if non-nil. If nil, it does not attempt to decrypt an image. OciDecryptConfig *encconfig.DecryptConfig + // PullPolicy takes the value PullIfMissing, PullAlways, PullIfNewer, or PullNever. + PullPolicy PullPolicy } func localImageNameForReference(ctx context.Context, store storage.Store, srcRef types.ImageReference) (string, error) { @@ -169,6 +171,7 @@ func Pull(ctx context.Context, imageName string, options PullOptions) (imageID s MaxPullRetries: options.MaxRetries, PullRetryDelay: options.RetryDelay, OciDecryptConfig: options.OciDecryptConfig, + PullPolicy: options.PullPolicy, } if !options.AllTags { diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION index 63f23d2af..53cc1a6f9 100644 --- a/vendor/github.com/containers/storage/VERSION +++ b/vendor/github.com/containers/storage/VERSION @@ -1 +1 @@ -1.23.9 +1.24.0 diff --git a/vendor/github.com/containers/storage/drivers/driver.go b/vendor/github.com/containers/storage/drivers/driver.go index a5393c10f..2d6485e80 100644 --- a/vendor/github.com/containers/storage/drivers/driver.go +++ b/vendor/github.com/containers/storage/drivers/driver.go @@ -60,6 +60,7 @@ type ApplyDiffOpts struct { Mappings *idtools.IDMappings MountLabel string IgnoreChownErrors bool + ForceMask *os.FileMode } // InitFunc initializes the storage driver. diff --git a/vendor/github.com/containers/storage/drivers/overlay/overlay.go b/vendor/github.com/containers/storage/drivers/overlay/overlay.go index a7cfeadc7..c1895c364 100644 --- a/vendor/github.com/containers/storage/drivers/overlay/overlay.go +++ b/vendor/github.com/containers/storage/drivers/overlay/overlay.go @@ -93,6 +93,7 @@ type overlayOptions struct { skipMountHome bool mountOptions string ignoreChownErrors bool + forceMask *os.FileMode } // Driver contains information about the home directory and the list of active mounts that are created using this driver. @@ -143,6 +144,9 @@ func Init(home string, options graphdriver.Options) (graphdriver.Driver, error) // check if they are running over btrfs, aufs, zfs, overlay, or ecryptfs if opts.mountProgram == "" { + if opts.forceMask != nil { + return nil, errors.New("'force_mask' is supported only with 'mount_program'") + } switch fsMagic { case graphdriver.FsMagicAufs, graphdriver.FsMagicZfs, graphdriver.FsMagicOverlay, graphdriver.FsMagicEcryptfs: return nil, errors.Wrapf(graphdriver.ErrIncompatibleFS, "'overlay' is not supported over %s, a mount_program is required", backingFs) @@ -328,6 +332,22 @@ func parseOptions(options []string) (*overlayOptions, error) { if err != nil { return nil, err } + case "force_mask": + logrus.Debugf("overlay: force_mask=%s", val) + var mask int64 + switch val { + case "shared": + mask = 0755 + case "private": + mask = 0700 + default: + mask, err = strconv.ParseInt(val, 8, 32) + if err != nil { + return nil, err + } + } + m := os.FileMode(mask) + o.forceMask = &m default: return nil, fmt.Errorf("overlay: Unknown option %s", key) } @@ -573,17 +593,15 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr if err := idtools.MkdirAllAs(path.Dir(dir), 0700, rootUID, rootGID); err != nil { return err } - perms := defaultPerms if parent != "" { st, err := system.Stat(d.dir(parent)) if err != nil { return err } - perms = os.FileMode(st.Mode()) rootUID = int(st.UID()) rootGID = int(st.GID()) } - if err := idtools.MkdirAs(dir, perms, rootUID, rootGID); err != nil { + if err := idtools.MkdirAs(dir, 0700, rootUID, rootGID); err != nil { return err } @@ -608,6 +626,18 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr } } + perms := defaultPerms + if d.options.forceMask != nil { + perms = *d.options.forceMask + } + if parent != "" { + st, err := system.Stat(filepath.Join(d.dir(parent), "diff")) + if err != nil { + return err + } + perms = os.FileMode(st.Mode()) + } + if err := idtools.MkdirAs(path.Join(dir, "diff"), perms, rootUID, rootGID); err != nil { return err } @@ -852,15 +882,24 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO } diffN := 1 perms := defaultPerms + if d.options.forceMask != nil { + perms = *d.options.forceMask + } + permsKnown := false st, err := os.Stat(filepath.Join(dir, nameWithSuffix("diff", diffN))) if err == nil { perms = os.FileMode(st.Mode()) + permsKnown = true } for err == nil { absLowers = append(absLowers, filepath.Join(dir, nameWithSuffix("diff", diffN))) relLowers = append(relLowers, dumbJoin(string(link), "..", nameWithSuffix("diff", diffN))) diffN++ - _, err = os.Stat(filepath.Join(dir, nameWithSuffix("diff", diffN))) + st, err = os.Stat(filepath.Join(dir, nameWithSuffix("diff", diffN))) + if err == nil && !permsKnown { + perms = os.FileMode(st.Mode()) + permsKnown = true + } } // For each lower, resolve its path, and append it and any additional diffN @@ -871,10 +910,14 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO } lower := "" newpath := path.Join(d.home, l) - if _, err := os.Stat(newpath); err != nil { + if st, err := os.Stat(newpath); err != nil { for _, p := range d.AdditionalImageStores() { lower = path.Join(p, d.name, l) - if _, err2 := os.Stat(lower); err2 == nil { + if st2, err2 := os.Stat(lower); err2 == nil { + if !permsKnown { + perms = os.FileMode(st2.Mode()) + permsKnown = true + } break } lower = "" @@ -892,6 +935,10 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO return "", fmt.Errorf("Can't stat lower layer %q: %v", newpath, err) } } else { + if !permsKnown { + perms = os.FileMode(st.Mode()) + permsKnown = true + } lower = newpath } absLowers = append(absLowers, lower) @@ -1122,6 +1169,9 @@ func (d *Driver) ApplyDiff(id, parent string, options graphdriver.ApplyDiffOpts) if d.options.ignoreChownErrors { options.IgnoreChownErrors = d.options.ignoreChownErrors } + if d.options.forceMask != nil { + options.ForceMask = d.options.forceMask + } return d.naiveDiff.ApplyDiff(id, parent, options) } @@ -1138,6 +1188,7 @@ func (d *Driver) ApplyDiff(id, parent string, options graphdriver.ApplyDiffOpts) UIDMaps: idMappings.UIDs(), GIDMaps: idMappings.GIDs(), IgnoreChownErrors: d.options.ignoreChownErrors, + ForceMask: d.options.forceMask, WhiteoutFormat: d.getWhiteoutFormat(), InUserNS: rsystem.RunningInUserNS(), }); err != nil { @@ -1251,8 +1302,12 @@ func (d *Driver) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMapp i := 0 perms := defaultPerms st, err := os.Stat(nameWithSuffix(diffDir, i)) - if err == nil { - perms = os.FileMode(st.Mode()) + if d.options.forceMask != nil { + perms = *d.options.forceMask + } else { + if err == nil { + perms = os.FileMode(st.Mode()) + } } for err == nil { i++ diff --git a/vendor/github.com/containers/storage/drivers/windows/windows.go b/vendor/github.com/containers/storage/drivers/windows/windows.go index c1ab93e1d..1fd84e3b4 100644 --- a/vendor/github.com/containers/storage/drivers/windows/windows.go +++ b/vendor/github.com/containers/storage/drivers/windows/windows.go @@ -3,6 +3,7 @@ package windows import ( + "archive/tar" "bufio" "bytes" "encoding/json" @@ -21,7 +22,6 @@ import ( "unsafe" "github.com/Microsoft/go-winio" - "github.com/Microsoft/go-winio/archive/tar" "github.com/Microsoft/go-winio/backuptar" "github.com/Microsoft/hcsshim" "github.com/containers/storage/drivers" diff --git a/vendor/github.com/containers/storage/go.mod b/vendor/github.com/containers/storage/go.mod index 9d5a2b425..34c1ea7ad 100644 --- a/vendor/github.com/containers/storage/go.mod +++ b/vendor/github.com/containers/storage/go.mod @@ -4,7 +4,7 @@ module github.com/containers/storage require ( github.com/BurntSushi/toml v0.3.1 - github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5 + github.com/Microsoft/go-winio v0.4.15 github.com/Microsoft/hcsshim v0.8.9 github.com/docker/go-units v0.4.0 github.com/hashicorp/go-multierror v1.1.0 diff --git a/vendor/github.com/containers/storage/go.sum b/vendor/github.com/containers/storage/go.sum index 681f77cbc..bec6aa59a 100644 --- a/vendor/github.com/containers/storage/go.sum +++ b/vendor/github.com/containers/storage/go.sum @@ -3,6 +3,8 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5 h1:ygIc8M6trr62pF5DucadTWGdEB4mEyvzi0e2nbcmcyA= github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= +github.com/Microsoft/go-winio v0.4.15 h1:qkLXKzb1QoVatRyd/YlXZ/Kg0m5K3SPuoD82jjSOaBc= +github.com/Microsoft/go-winio v0.4.15/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= github.com/Microsoft/hcsshim v0.8.9 h1:VrfodqvztU8YSOvygU+DN1BGaSGxmrNfqOv5oOuX2Bk= github.com/Microsoft/hcsshim v0.8.9/go.mod h1:5692vkUqntj1idxauYlpoINNKeqCiG6Sg38RRsjT5y8= github.com/checkpoint-restore/go-criu/v4 v4.0.2 h1:jt+rnBIhFtPw0fhtpYGcUOilh4aO9Hj7r+YLEtf30uA= diff --git a/vendor/github.com/containers/storage/pkg/archive/archive.go b/vendor/github.com/containers/storage/pkg/archive/archive.go index 345da2903..2f917344a 100644 --- a/vendor/github.com/containers/storage/pkg/archive/archive.go +++ b/vendor/github.com/containers/storage/pkg/archive/archive.go @@ -65,13 +65,16 @@ type ( // from the traditional behavior/format to get features like subsecond // precision in timestamps. CopyPass bool + // ForceMask, if set, indicates the permission mask used for created files. + ForceMask *os.FileMode } ) const ( - tarExt = "tar" - solaris = "solaris" - windows = "windows" + tarExt = "tar" + solaris = "solaris" + windows = "windows" + containersOverrideXattr = "user.containers.override_stat" ) // Archiver allows the reuse of most utility functions of this package with a @@ -603,18 +606,23 @@ func (ta *tarAppender) addTarFile(path, name string) error { return nil } -func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, Lchown bool, chownOpts *idtools.IDPair, inUserns, ignoreChownErrors bool, buffer []byte) error { +func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, Lchown bool, chownOpts *idtools.IDPair, inUserns, ignoreChownErrors bool, forceMask *os.FileMode, buffer []byte) error { // hdr.Mode is in linux format, which we can use for sycalls, // but for os.Foo() calls we need the mode converted to os.FileMode, // so use hdrInfo.Mode() (they differ for e.g. setuid bits) hdrInfo := hdr.FileInfo() + mask := hdrInfo.Mode() + if forceMask != nil { + mask = *forceMask + } + switch hdr.Typeflag { case tar.TypeDir: // Create directory unless it exists as a directory already. // In that case we just want to merge the two if fi, err := os.Lstat(path); !(err == nil && fi.IsDir()) { - if err := os.Mkdir(path, hdrInfo.Mode()); err != nil { + if err := os.Mkdir(path, mask); err != nil { return err } } @@ -623,7 +631,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, L // Source is regular file. We use system.OpenFileSequential to use sequential // file access to avoid depleting the standby list on Windows. // On Linux, this equates to a regular os.OpenFile - file, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, hdrInfo.Mode()) + file, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, mask) if err != nil { return err } @@ -680,6 +688,13 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, L return fmt.Errorf("unhandled tar header type %d", hdr.Typeflag) } + if forceMask != nil && hdr.Typeflag != tar.TypeSymlink { + value := fmt.Sprintf("%d:%d:0%o", hdr.Uid, hdr.Gid, hdrInfo.Mode()&07777) + if err := system.Lsetxattr(path, containersOverrideXattr, []byte(value), 0); err != nil { + return err + } + } + // Lchown is not supported on Windows. if Lchown && runtime.GOOS != windows { if chownOpts == nil { @@ -697,7 +712,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, L // There is no LChmod, so ignore mode for symlink. Also, this // must happen after chown, as that can modify the file mode - if err := handleLChmod(hdr, path, hdrInfo); err != nil { + if err := handleLChmod(hdr, path, hdrInfo, forceMask); err != nil { return err } @@ -946,6 +961,16 @@ func Unpack(decompressedArchive io.Reader, dest string, options *TarOptions) err whiteoutConverter := getWhiteoutConverter(options.WhiteoutFormat, options.WhiteoutData) buffer := make([]byte, 1<<20) + if options.ForceMask != nil { + uid, gid, mode, err := getFileOwner(dest) + if err == nil { + value := fmt.Sprintf("%d:%d:0%o", uid, gid, mode) + if err := system.Lsetxattr(dest, containersOverrideXattr, []byte(value), 0); err != nil { + return err + } + } + } + // Iterate through the files in the archive. loop: for { @@ -1041,7 +1066,7 @@ loop: chownOpts = &idtools.IDPair{UID: hdr.Uid, GID: hdr.Gid} } - if err := createTarFile(path, dest, hdr, trBuf, !options.NoLchown, chownOpts, options.InUserNS, options.IgnoreChownErrors, buffer); err != nil { + if err := createTarFile(path, dest, hdr, trBuf, !options.NoLchown, chownOpts, options.InUserNS, options.IgnoreChownErrors, options.ForceMask, buffer); err != nil { return err } diff --git a/vendor/github.com/containers/storage/pkg/archive/archive_ffjson.go b/vendor/github.com/containers/storage/pkg/archive/archive_ffjson.go index 05aae4c13..6a5a867c7 100644 --- a/vendor/github.com/containers/storage/pkg/archive/archive_ffjson.go +++ b/vendor/github.com/containers/storage/pkg/archive/archive_ffjson.go @@ -10,6 +10,7 @@ import ( "fmt" "github.com/containers/storage/pkg/idtools" fflib "github.com/pquerna/ffjson/fflib/v1" + "os" ) // MarshalJSON marshal bytes to json - template @@ -501,6 +502,12 @@ func (j *TarOptions) MarshalJSONBuf(buf fflib.EncodingBuffer) error { } else { buf.WriteString(`,"CopyPass":false`) } + if j.ForceMask != nil { + buf.WriteString(`,"ForceMask":`) + fflib.FormatBits2(buf, uint64(*j.ForceMask), 10, false) + } else { + buf.WriteString(`,"ForceMask":null`) + } buf.WriteByte('}') return nil } @@ -538,6 +545,8 @@ const ( ffjtTarOptionsInUserNS ffjtTarOptionsCopyPass + + ffjtTarOptionsForceMask ) var ffjKeyTarOptionsIncludeFiles = []byte("IncludeFiles") @@ -570,6 +579,8 @@ var ffjKeyTarOptionsInUserNS = []byte("InUserNS") var ffjKeyTarOptionsCopyPass = []byte("CopyPass") +var ffjKeyTarOptionsForceMask = []byte("ForceMask") + // UnmarshalJSON umarshall json - template of ffjson func (j *TarOptions) UnmarshalJSON(input []byte) error { fs := fflib.NewFFLexer(input) @@ -657,6 +668,14 @@ mainparse: goto mainparse } + case 'F': + + if bytes.Equal(ffjKeyTarOptionsForceMask, kn) { + currentKey = ffjtTarOptionsForceMask + state = fflib.FFParse_want_colon + goto mainparse + } + case 'G': if bytes.Equal(ffjKeyTarOptionsGIDMaps, kn) { @@ -732,6 +751,12 @@ mainparse: } + if fflib.EqualFoldRight(ffjKeyTarOptionsForceMask, kn) { + currentKey = ffjtTarOptionsForceMask + state = fflib.FFParse_want_colon + goto mainparse + } + if fflib.EqualFoldRight(ffjKeyTarOptionsCopyPass, kn) { currentKey = ffjtTarOptionsCopyPass state = fflib.FFParse_want_colon @@ -884,6 +909,9 @@ mainparse: case ffjtTarOptionsCopyPass: goto handle_CopyPass + case ffjtTarOptionsForceMask: + goto handle_ForceMask + case ffjtTarOptionsnosuchkey: err = fs.SkipField(tok) if err != nil { @@ -1597,6 +1625,39 @@ handle_CopyPass: state = fflib.FFParse_after_value goto mainparse +handle_ForceMask: + + /* handler: j.ForceMask type=os.FileMode kind=uint32 quoted=false*/ + + { + if tok != fflib.FFTok_integer && tok != fflib.FFTok_null { + return fs.WrapErr(fmt.Errorf("cannot unmarshal %s into Go value for FileMode", tok)) + } + } + + { + + if tok == fflib.FFTok_null { + + j.ForceMask = nil + + } else { + + tval, err := fflib.ParseUint(fs.Output.Bytes(), 10, 32) + + if err != nil { + return fs.WrapErr(err) + } + + ttypval := os.FileMode(tval) + j.ForceMask = &ttypval + + } + } + + state = fflib.FFParse_after_value + goto mainparse + wantedvalue: return fs.WrapErr(fmt.Errorf("wanted value token, but got token: %v", tok)) wrongtokenerror: diff --git a/vendor/github.com/containers/storage/pkg/archive/archive_linux.go b/vendor/github.com/containers/storage/pkg/archive/archive_linux.go index 3a47eceae..3faa23889 100644 --- a/vendor/github.com/containers/storage/pkg/archive/archive_linux.go +++ b/vendor/github.com/containers/storage/pkg/archive/archive_linux.go @@ -142,3 +142,15 @@ func isWhiteOut(stat os.FileInfo) bool { s := stat.Sys().(*syscall.Stat_t) return major(uint64(s.Rdev)) == 0 && minor(uint64(s.Rdev)) == 0 } + +func getFileOwner(path string) (uint32, uint32, uint32, error) { + f, err := os.Stat(path) + if err != nil { + return 0, 0, 0, err + } + s, ok := f.Sys().(*syscall.Stat_t) + if ok { + return s.Uid, s.Gid, s.Mode & 07777, nil + } + return 0, 0, uint32(f.Mode()), nil +} diff --git a/vendor/github.com/containers/storage/pkg/archive/archive_other.go b/vendor/github.com/containers/storage/pkg/archive/archive_other.go index 585faa824..08e3bc889 100644 --- a/vendor/github.com/containers/storage/pkg/archive/archive_other.go +++ b/vendor/github.com/containers/storage/pkg/archive/archive_other.go @@ -5,3 +5,7 @@ package archive func getWhiteoutConverter(format WhiteoutFormat, data interface{}) tarWhiteoutConverter { return nil } + +func getFileOwner(path string) (uint32, uint32, uint32, error) { + return 0, 0, 0, nil +} diff --git a/vendor/github.com/containers/storage/pkg/archive/archive_unix.go b/vendor/github.com/containers/storage/pkg/archive/archive_unix.go index bdc1a3d79..ecb704b64 100644 --- a/vendor/github.com/containers/storage/pkg/archive/archive_unix.go +++ b/vendor/github.com/containers/storage/pkg/archive/archive_unix.go @@ -106,15 +106,19 @@ func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error { return system.Mknod(path, mode, int(system.Mkdev(hdr.Devmajor, hdr.Devminor))) } -func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error { +func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo, forceMask *os.FileMode) error { + permissionsMask := hdrInfo.Mode() + if forceMask != nil { + permissionsMask = *forceMask + } if hdr.Typeflag == tar.TypeLink { if fi, err := os.Lstat(hdr.Linkname); err == nil && (fi.Mode()&os.ModeSymlink == 0) { - if err := os.Chmod(path, hdrInfo.Mode()); err != nil { + if err := os.Chmod(path, permissionsMask); err != nil { return err } } } else if hdr.Typeflag != tar.TypeSymlink { - if err := os.Chmod(path, hdrInfo.Mode()); err != nil { + if err := os.Chmod(path, permissionsMask); err != nil { return err } } diff --git a/vendor/github.com/containers/storage/pkg/archive/archive_windows.go b/vendor/github.com/containers/storage/pkg/archive/archive_windows.go index 0bcbb925d..a0872444f 100644 --- a/vendor/github.com/containers/storage/pkg/archive/archive_windows.go +++ b/vendor/github.com/containers/storage/pkg/archive/archive_windows.go @@ -69,7 +69,7 @@ func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error { return nil } -func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error { +func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo, forceMask *os.FileMode) error { return nil } diff --git a/vendor/github.com/containers/storage/pkg/archive/diff.go b/vendor/github.com/containers/storage/pkg/archive/diff.go index a12dd4202..14ffad5c0 100644 --- a/vendor/github.com/containers/storage/pkg/archive/diff.go +++ b/vendor/github.com/containers/storage/pkg/archive/diff.go @@ -106,7 +106,7 @@ func UnpackLayer(dest string, layer io.Reader, options *TarOptions) (size int64, } defer os.RemoveAll(aufsTempdir) } - if err := createTarFile(filepath.Join(aufsTempdir, basename), dest, hdr, tr, true, nil, options.InUserNS, options.IgnoreChownErrors, buffer); err != nil { + if err := createTarFile(filepath.Join(aufsTempdir, basename), dest, hdr, tr, true, nil, options.InUserNS, options.IgnoreChownErrors, options.ForceMask, buffer); err != nil { return 0, err } } @@ -197,7 +197,7 @@ func UnpackLayer(dest string, layer io.Reader, options *TarOptions) (size int64, return 0, err } - if err := createTarFile(path, dest, srcHdr, srcData, true, nil, options.InUserNS, options.IgnoreChownErrors, buffer); err != nil { + if err := createTarFile(path, dest, srcHdr, srcData, true, nil, options.InUserNS, options.IgnoreChownErrors, options.ForceMask, buffer); err != nil { return 0, err } diff --git a/vendor/github.com/containers/storage/pkg/chrootarchive/archive.go b/vendor/github.com/containers/storage/pkg/chrootarchive/archive.go index 33ba6a128..aacfee76f 100644 --- a/vendor/github.com/containers/storage/pkg/chrootarchive/archive.go +++ b/vendor/github.com/containers/storage/pkg/chrootarchive/archive.go @@ -5,7 +5,9 @@ import ( "fmt" "io" "io/ioutil" + "net" "os" + "os/user" "path/filepath" "sync" @@ -15,6 +17,13 @@ import ( "github.com/pkg/errors" ) +func init() { + // initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host + // environment not in the chroot from untrusted files. + _, _ = user.Lookup("storage") + _, _ = net.LookupHost("localhost") +} + // NewArchiver returns a new Archiver which uses chrootarchive.Untar func NewArchiver(idMappings *idtools.IDMappings) *archive.Archiver { archiver := archive.NewArchiver(idMappings) diff --git a/vendor/github.com/containers/storage/pkg/config/config.go b/vendor/github.com/containers/storage/pkg/config/config.go index c2fa2109e..7c9ac6ad6 100644 --- a/vendor/github.com/containers/storage/pkg/config/config.go +++ b/vendor/github.com/containers/storage/pkg/config/config.go @@ -2,6 +2,7 @@ package config import ( "fmt" + "os" ) // ThinpoolOptionsConfig represents the "storage.options.thinpool" @@ -94,6 +95,9 @@ type OverlayOptionsConfig struct { Size string `toml:"size"` // Do not create a bind mount on the storage home SkipMountHome string `toml:"skip_mount_home"` + // ForceMask indicates the permissions mask (e.g. "0755") to use for new + // files and directories + ForceMask string `toml:"force_mask"` } type VfsOptionsConfig struct { @@ -129,6 +133,10 @@ type OptionsConfig struct { // ignored when building an image. IgnoreChownErrors string `toml:"ignore_chown_errors"` + // ForceMask indicates the permissions mask (e.g. "0755") to use for new + // files and directories. + ForceMask os.FileMode `toml:"force_mask"` + // RemapUser is the name of one or more entries in /etc/subuid which // should be used to set up default UID mappings. RemapUser string `toml:"remap-user"` @@ -279,6 +287,11 @@ func GetGraphDriverOptions(driverName string, options OptionsConfig) []string { } else if options.SkipMountHome != "" { doptions = append(doptions, fmt.Sprintf("%s.skip_mount_home=%s", driverName, options.SkipMountHome)) } + if options.Overlay.ForceMask != "" { + doptions = append(doptions, fmt.Sprintf("%s.force_mask=%s", driverName, options.Overlay.ForceMask)) + } else if options.ForceMask != 0 { + doptions = append(doptions, fmt.Sprintf("%s.force_mask=%s", driverName, options.ForceMask)) + } case "vfs": if options.Vfs.IgnoreChownErrors != "" { doptions = append(doptions, fmt.Sprintf("%s.ignore_chown_errors=%s", driverName, options.Vfs.IgnoreChownErrors)) diff --git a/vendor/github.com/containers/storage/storage.conf b/vendor/github.com/containers/storage/storage.conf index 64e02f327..0577e84ca 100644 --- a/vendor/github.com/containers/storage/storage.conf +++ b/vendor/github.com/containers/storage/storage.conf @@ -82,6 +82,39 @@ mountopt = "nodev" # Size is used to set a maximum size of the container image. # size = "" +# ForceMask specifies the permissions mask that is used for new files and +# directories. +# +# The values "shared" and "private" are accepted. +# Octal permission masks are also accepted. +# +# "": No value specified. +# All files/directories, get set with the permissions identified within the +# image. +# "private": it is equivalent to 0700. +# All files/directories get set with 0700 permissions. The owner has rwx +# access to the files. No other users on the system can access the files. +# This setting could be used with networked based homedirs. +# "shared": it is equivalent to 0755. +# The owner has rwx access to the files and everyone else can read, access +# and execute them. This setting is useful for sharing containers storage +# with other users. For instance have a storage owned by root but shared +# to rootless users as an additional store. +# NOTE: All files within the image are made readable and executable by any +# user on the system. Even /etc/shadow within your image is now readable by +# any user. +# +# OCTAL: Users can experiment with other OCTAL Permissions. +# +# Note: The force_mask Flag is an experimental feature, it could change in the +# future. When "force_mask" is set the original permission mask is stored in +# the "user.containers.override_stat" xattr and the "mount_program" option must +# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the +# extended attribute permissions to processes within containers rather then the +# "force_mask" permissions. +# +# force_mask = "" + [storage.options.thinpool] # Storage Options for thinpool diff --git a/vendor/github.com/containers/storage/store.go b/vendor/github.com/containers/storage/store.go index 6b51b405d..b9115f195 100644 --- a/vendor/github.com/containers/storage/store.go +++ b/vendor/github.com/containers/storage/store.go @@ -3551,6 +3551,9 @@ func ReloadConfigurationFile(configFile string, storeOptions *StoreOptions) { if config.Storage.Options.IgnoreChownErrors != "" { storeOptions.GraphDriverOptions = append(storeOptions.GraphDriverOptions, fmt.Sprintf("%s.ignore_chown_errors=%s", config.Storage.Driver, config.Storage.Options.IgnoreChownErrors)) } + if config.Storage.Options.ForceMask != 0 { + storeOptions.GraphDriverOptions = append(storeOptions.GraphDriverOptions, fmt.Sprintf("%s.force_mask=%o", config.Storage.Driver, config.Storage.Options.ForceMask)) + } if config.Storage.Options.MountOpt != "" { storeOptions.GraphDriverOptions = append(storeOptions.GraphDriverOptions, fmt.Sprintf("%s.mountopt=%s", config.Storage.Driver, config.Storage.Options.MountOpt)) } diff --git a/vendor/modules.txt b/vendor/modules.txt index 673687b2e..320d9851f 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -3,9 +3,8 @@ github.com/Azure/go-ansiterm github.com/Azure/go-ansiterm/winterm # github.com/BurntSushi/toml v0.3.1 github.com/BurntSushi/toml -# github.com/Microsoft/go-winio v0.4.15-0.20200113171025-3fe6c5262873 +# github.com/Microsoft/go-winio v0.4.15 github.com/Microsoft/go-winio -github.com/Microsoft/go-winio/archive/tar github.com/Microsoft/go-winio/backuptar github.com/Microsoft/go-winio/pkg/guid github.com/Microsoft/go-winio/vhd @@ -68,7 +67,7 @@ github.com/containernetworking/plugins/pkg/utils/hwaddr github.com/containernetworking/plugins/pkg/utils/sysctl github.com/containernetworking/plugins/plugins/ipam/host-local/backend github.com/containernetworking/plugins/plugins/ipam/host-local/backend/allocator -# github.com/containers/buildah v1.17.1-0.20201113135631-d0c958d65eb2 +# github.com/containers/buildah v1.18.0 github.com/containers/buildah github.com/containers/buildah/bind github.com/containers/buildah/chroot @@ -169,7 +168,7 @@ github.com/containers/psgo/internal/dev github.com/containers/psgo/internal/host github.com/containers/psgo/internal/proc github.com/containers/psgo/internal/process -# github.com/containers/storage v1.23.9 +# github.com/containers/storage v1.24.0 github.com/containers/storage github.com/containers/storage/drivers github.com/containers/storage/drivers/aufs |