diff options
56 files changed, 747 insertions, 339 deletions
diff --git a/cmd/podman/common.go b/cmd/podman/common.go index 7610edbc0..6fa2b3c71 100644 --- a/cmd/podman/common.go +++ b/cmd/podman/common.go @@ -257,6 +257,10 @@ func getCreateFlags(c *cliconfig.PodmanCommand) { "Add a host device to the container (default [])", ) createFlags.StringSlice( + "device-cgroup-rule", []string{}, + "Add a rule to the cgroup allowed devices list", + ) + createFlags.StringSlice( "device-read-bps", []string{}, "Limit read rate (bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb)", ) diff --git a/cmd/podman/images.go b/cmd/podman/images.go index 115f30d9b..de61690ae 100644 --- a/cmd/podman/images.go +++ b/cmd/podman/images.go @@ -21,16 +21,16 @@ import ( ) type imagesTemplateParams struct { - Repository string - Tag string - ID string - Digest digest.Digest - Digests []digest.Digest - Created string - CreatedTime time.Time - Size string - ReadOnly bool - History string + Repository string + Tag string + ID string + Digest digest.Digest + Digests []digest.Digest + CreatedAt time.Time + CreatedSince string + Size string + ReadOnly bool + History string } type imagesJSONParams struct { @@ -65,7 +65,7 @@ func (a imagesSorted) Swap(i, j int) { a[i], a[j] = a[j], a[i] } type imagesSortedCreated struct{ imagesSorted } func (a imagesSortedCreated) Less(i, j int) bool { - return a.imagesSorted[i].CreatedTime.After(a.imagesSorted[j].CreatedTime) + return a.imagesSorted[i].CreatedAt.After(a.imagesSorted[j].CreatedAt) } type imagesSortedID struct{ imagesSorted } @@ -185,7 +185,17 @@ func imagesCmd(c *cliconfig.ImagesValues) error { history: c.History, } - opts.outputformat = opts.setOutputFormat() + outputformat := opts.setOutputFormat() + // These fields were renamed, so we need to provide backward compat for + // the old names. + if strings.Contains(outputformat, "{{.Created}}") { + outputformat = strings.Replace(outputformat, "{{.Created}}", "{{.CreatedSince}}", -1) + } + if strings.Contains(outputformat, "{{.CreatedTime}}") { + outputformat = strings.Replace(outputformat, "{{.CreatedTime}}", "{{.CreatedAt}}", -1) + } + opts.outputformat = outputformat + filteredImages, err := runtime.GetFilteredImages(filters, false) if err != nil { return errors.Wrapf(err, "unable to get images") @@ -216,7 +226,7 @@ func (i imagesOptions) setOutputFormat() string { if i.digests { format += "{{.Digest}}\t" } - format += "{{.ID}}\t{{.Created}}\t{{.Size}}\t" + format += "{{.ID}}\t{{.CreatedSince}}\t{{.Size}}\t" if i.history { format += "{{if .History}}{{.History}}{{else}}<none>{{end}}\t" } @@ -301,16 +311,16 @@ func getImagesTemplateOutput(ctx context.Context, images []*adapter.ContainerIma imageDigest = img.Digest() } params := imagesTemplateParams{ - Repository: repo, - Tag: tag, - ID: imageID, - Digest: imageDigest, - Digests: img.Digests(), - CreatedTime: createdTime, - Created: units.HumanDuration(time.Since(createdTime)) + " ago", - Size: sizeStr, - ReadOnly: img.IsReadOnly(), - History: strings.Join(img.NamesHistory(), ", "), + Repository: repo, + Tag: tag, + ID: imageID, + Digest: imageDigest, + Digests: img.Digests(), + CreatedAt: createdTime, + CreatedSince: units.HumanDuration(time.Since(createdTime)) + " ago", + Size: sizeStr, + ReadOnly: img.IsReadOnly(), + History: strings.Join(img.NamesHistory(), ", "), } imagesOutput = append(imagesOutput, params) if opts.quiet { // Show only one image ID when quiet @@ -384,6 +394,9 @@ func GenImageOutputMap() map[string]string { values[key] = "R/O" continue } + if value == "CreatedSince" { + value = "created" + } values[key] = strings.ToUpper(splitCamelCase(value)) } return values diff --git a/cmd/podman/pull.go b/cmd/podman/pull.go index b5957d7fe..f800d68fe 100644 --- a/cmd/podman/pull.go +++ b/cmd/podman/pull.go @@ -4,7 +4,6 @@ import ( "fmt" "io" "os" - "strings" buildahcli "github.com/containers/buildah/pkg/cli" "github.com/containers/image/v5/docker" @@ -15,6 +14,7 @@ import ( "github.com/containers/libpod/libpod/image" "github.com/containers/libpod/pkg/adapter" "github.com/containers/libpod/pkg/util" + "github.com/docker/distribution/reference" "github.com/opentracing/opentracing-go" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -101,19 +101,32 @@ func pullCmd(c *cliconfig.PullValues) (retError error) { } } - // FIXME: that's a bug. What if we pass "localhost:5000/no-tag" ? - arr := strings.SplitN(args[0], ":", 2) - if len(arr) == 2 { - if c.Bool("all-tags") { - return errors.Errorf("tag can't be used with --all-tags") + ctx := getContext() + imageName := args[0] + + imageRef, err := alltransports.ParseImageName(imageName) + if err != nil { + imageRef, err = alltransports.ParseImageName(fmt.Sprintf("%s://%s", docker.Transport.Name(), imageName)) + if err != nil { + return errors.Errorf("invalid image reference %q", imageName) } } - ctx := getContext() - imgArg := args[0] + var writer io.Writer + if !c.Quiet { + writer = os.Stderr + } + // Special-case for docker-archive which allows multiple tags. + if imageRef.Transport().Name() == dockerarchive.Transport.Name() { + newImage, err := runtime.LoadFromArchiveReference(getContext(), imageRef, c.SignaturePolicy, writer) + if err != nil { + return errors.Wrapf(err, "error pulling image %q", imageName) + } + fmt.Println(newImage[0].ID()) + return nil + } var registryCreds *types.DockerAuthConfig - if c.Flag("creds").Changed { creds, err := util.ParseRegistryCreds(c.Creds) if err != nil { @@ -121,14 +134,6 @@ func pullCmd(c *cliconfig.PullValues) (retError error) { } registryCreds = creds } - - var ( - writer io.Writer - ) - if !c.Quiet { - writer = os.Stderr - } - dockerRegistryOptions := image.DockerRegistryOptions{ DockerRegistryCreds: registryCreds, DockerCertPath: c.CertDir, @@ -139,79 +144,52 @@ func pullCmd(c *cliconfig.PullValues) (retError error) { dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.TlsVerify) } - // Special-case for docker-archive which allows multiple tags. - if strings.HasPrefix(imgArg, dockerarchive.Transport.Name()+":") { - srcRef, err := alltransports.ParseImageName(imgArg) - if err != nil { - return errors.Wrapf(err, "error parsing %q", imgArg) - } - newImage, err := runtime.LoadFromArchiveReference(getContext(), srcRef, c.SignaturePolicy, writer) - if err != nil { - return errors.Wrapf(err, "error pulling image from %q", imgArg) - } - fmt.Println(newImage[0].ID()) - - return nil - } - - // FIXME: the default pull consults the registries.conf's search registries - // while the all-tags pull does not. This behavior must be fixed in the - // future and span across c/buildah, c/image and c/libpod to avoid redundant - // and error prone code. - // - // See https://bugzilla.redhat.com/show_bug.cgi?id=1701922 for background - // information. if !c.Bool("all-tags") { - newImage, err := runtime.New(getContext(), imgArg, c.SignaturePolicy, c.Authfile, writer, &dockerRegistryOptions, image.SigningOptions{}, nil, util.PullImageAlways) + newImage, err := runtime.New(getContext(), imageName, c.SignaturePolicy, c.Authfile, writer, &dockerRegistryOptions, image.SigningOptions{}, nil, util.PullImageAlways) if err != nil { - return errors.Wrapf(err, "error pulling image %q", imgArg) + return errors.Wrapf(err, "error pulling image %q", imageName) } fmt.Println(newImage.ID()) return nil } - // FIXME: all-tags should use the libpod backend instead of baking its own bread. - spec := imgArg - systemContext := image.GetSystemContext("", c.Authfile, false) - srcRef, err := alltransports.ParseImageName(spec) + // --all-tags requires the docker transport + if imageRef.Transport().Name() != docker.Transport.Name() { + return errors.New("--all-tags requires docker transport") + } + + // all-tags doesn't work with a tagged reference, so let's check early + namedRef, err := reference.Parse(imageName) if err != nil { - dockerTransport := "docker://" - logrus.Debugf("error parsing image name %q, trying with transport %q: %v", spec, dockerTransport, err) - spec = dockerTransport + spec - srcRef2, err2 := alltransports.ParseImageName(spec) - if err2 != nil { - return errors.Wrapf(err2, "error parsing image name %q", imgArg) - } - srcRef = srcRef2 + return errors.Wrapf(err, "error parsing %q", imageName) } - var names []string - if srcRef.DockerReference() == nil { - return errors.New("Non-docker transport is currently not supported") + if _, isTagged := namedRef.(reference.Tagged); isTagged { + return errors.New("--all-tags requires a reference without a tag") + } - tags, err := docker.GetRepositoryTags(ctx, systemContext, srcRef) + + systemContext := image.GetSystemContext("", c.Authfile, false) + tags, err := docker.GetRepositoryTags(ctx, systemContext, imageRef) if err != nil { return errors.Wrapf(err, "error getting repository tags") } - for _, tag := range tags { - name := spec + ":" + tag - names = append(names, name) - } var foundIDs []string - foundImage := true - for _, name := range names { + for _, tag := range tags { + name := imageName + ":" + tag newImage, err := runtime.New(getContext(), name, c.SignaturePolicy, c.Authfile, writer, &dockerRegistryOptions, image.SigningOptions{}, nil, util.PullImageAlways) if err != nil { logrus.Errorf("error pulling image %q", name) - foundImage = false continue } foundIDs = append(foundIDs, newImage.ID()) } - if len(names) == 1 && !foundImage { - return errors.Wrapf(err, "error pulling image %q", imgArg) + + if len(tags) != len(foundIDs) { + return errors.Errorf("error pulling image %q", imageName) } - if len(names) > 1 { + + if len(foundIDs) > 1 { fmt.Println("Pulled Images:") } for _, id := range foundIDs { diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go index 3062b0ca3..be5adcccb 100644 --- a/cmd/podman/shared/create.go +++ b/cmd/podman/shared/create.go @@ -22,6 +22,7 @@ import ( "github.com/containers/libpod/pkg/inspect" ns "github.com/containers/libpod/pkg/namespaces" "github.com/containers/libpod/pkg/rootless" + "github.com/containers/libpod/pkg/seccomp" cc "github.com/containers/libpod/pkg/spec" "github.com/containers/libpod/pkg/util" "github.com/docker/go-connections/nat" @@ -31,10 +32,6 @@ import ( "github.com/sirupsen/logrus" ) -// seccompLabelKey is the key of the image annotation embedding a seccomp -// profile. -const seccompLabelKey = "io.containers.seccomp.profile" - func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.Runtime) (*libpod.Container, *cc.CreateConfig, error) { var ( healthCheck *manifest.Schema2HealthConfig @@ -713,11 +710,11 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod. // SECCOMP if data != nil { - if value, exists := labels[seccompLabelKey]; exists { + if value, exists := labels[seccomp.ContainerImageLabel]; exists { secConfig.SeccompProfileFromImage = value } } - if policy, err := cc.LookupSeccompPolicy(c.String("seccomp-policy")); err != nil { + if policy, err := seccomp.LookupPolicy(c.String("seccomp-policy")); err != nil { return nil, err } else { secConfig.SeccompPolicy = policy @@ -761,6 +758,7 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod. CPURtPeriod: c.Uint64("cpu-rt-period"), CPURtRuntime: c.Int64("cpu-rt-runtime"), CPUs: c.Float64("cpus"), + DeviceCgroupRules: c.StringSlice("device-cgroup-rule"), DeviceReadBps: c.StringSlice("device-read-bps"), DeviceReadIOps: c.StringSlice("device-read-iops"), DeviceWriteBps: c.StringSlice("device-write-bps"), diff --git a/cmd/podman/shared/intermediate.go b/cmd/podman/shared/intermediate.go index cfb3f612c..ee212234f 100644 --- a/cmd/podman/shared/intermediate.go +++ b/cmd/podman/shared/intermediate.go @@ -386,6 +386,7 @@ func NewIntermediateLayer(c *cliconfig.PodmanCommand, remote bool) GenericCLIRes m["detach"] = newCRBool(c, "detach") m["detach-keys"] = newCRString(c, "detach-keys") m["device"] = newCRStringSlice(c, "device") + m["device-cgroup-rule"] = newCRStringSlice(c, "device-cgroup-rule") m["device-read-bps"] = newCRStringSlice(c, "device-read-bps") m["device-read-iops"] = newCRStringSlice(c, "device-read-iops") m["device-write-bps"] = newCRStringSlice(c, "device-write-bps") diff --git a/completions/bash/podman b/completions/bash/podman index 7c14cf67c..d1dcef0a4 100644 --- a/completions/bash/podman +++ b/completions/bash/podman @@ -1221,8 +1221,11 @@ _podman_system() { subcommands=" df info + migrate prune + renumber reset + service " __podman_subcommands "$subcommands" && return @@ -1870,6 +1873,7 @@ _podman_container_run() { --cpuset-mems --cpu-shares -c --device + --device-cgroup-rule --device-read-bps --device-read-iops --device-write-bps diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 977382e61..ca38be6a1 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -209,6 +209,13 @@ Note: if the user only has access rights via a group then accessing the device from inside a rootless container will fail. The `crun` runtime offers a workaround for this by adding the option `--annotation run.oci.keep_original_groups=1`. +**--device-cgroup-rule**="type major:minor mode" + +Add a rule to the cgroup allowed devices list. The rule is expected to be in the format specified in the Linux kernel documentation (Documentation/cgroup-v1/devices.txt): + - type: a (all), c (char), or b (block); + - major and minor: either a number, or * for all; + - mode: a composition of r (read), w (write), and m (mknod(2)). + **--device-read-bps**=*path* Limit read rate (bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb) diff --git a/docs/source/markdown/podman-images.1.md b/docs/source/markdown/podman-images.1.md index 21fca1dbd..d22fb940f 100644 --- a/docs/source/markdown/podman-images.1.md +++ b/docs/source/markdown/podman-images.1.md @@ -51,6 +51,18 @@ Filter output based on conditions provided Change the default output format. This can be of a supported type like 'json' or a Go template. +Valid placeholders for the Go template are listed below: + +| **Placeholder** | **Description** | +| --------------- | ----------------------------------------------------------------------------- | +| .ID | Image ID | +| .Repository | Image repository | +| .Tag | Image tag | +| .Digest | Image digest | +| .CreatedSince | Elapsed time since the image was created | +| .CreatedAt | Time when the image was created | +| .Size | Size of layer on disk | +| .History | History of the image layer | **--history** diff --git a/docs/source/markdown/podman-system-service.1.md b/docs/source/markdown/podman-system-service.1.md index a71ce9dc0..a2fefe4dd 100644 --- a/docs/source/markdown/podman-system-service.1.md +++ b/docs/source/markdown/podman-system-service.1.md @@ -32,12 +32,12 @@ Print usage statement. Run an API listening for 5 seconds using the default socket. ``` -podman service --timeout 5000 +podman system service --timeout 5000 ``` Run the podman varlink service with an alternate URI and accept the default timeout. ``` -$ podman service --varlink unix:/tmp/io.podman +$ podman system service --varlink unix:/tmp/io.podman ``` ## SEE ALSO @@ -38,7 +38,7 @@ require ( github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf github.com/google/uuid v1.1.1 github.com/gorilla/handlers v1.4.2 // indirect - github.com/gorilla/mux v1.7.3 + github.com/gorilla/mux v1.7.4 github.com/gorilla/schema v1.1.0 github.com/hashicorp/go-multierror v1.0.0 github.com/hpcloud/tail v1.0.0 @@ -77,8 +77,8 @@ require ( google.golang.org/appengine v1.6.1 // indirect google.golang.org/genproto v0.0.0-20190620144150-6af8c5fc6601 // indirect gopkg.in/yaml.v2 v2.2.8 - k8s.io/api v0.17.2 - k8s.io/apimachinery v0.17.2 + k8s.io/api v0.17.3 + k8s.io/apimachinery v0.17.3 k8s.io/client-go v0.0.0-20190620085101-78d2af792bab k8s.io/utils v0.0.0-20190607212802-c55fbcfc754a // indirect ) @@ -213,6 +213,8 @@ github.com/gorilla/handlers v1.4.2/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/ github.com/gorilla/mux v0.0.0-20170217192616-94e7d24fd285/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw= github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/mux v1.7.4 h1:VuZ8uybHlWmqV03+zRzdwKL4tUnIp1MAQtp1mIFE1bc= +github.com/gorilla/mux v1.7.4/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/schema v1.1.0 h1:CamqUDOFUBqzrvxuz2vEwo8+SUdwsluFh7IlzJh30LY= github.com/gorilla/schema v1.1.0/go.mod h1:kgLaKoK1FELgZqMAVxx/5cbj0kT+57qxUrAlIO2eleU= github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY= @@ -621,10 +623,14 @@ k8s.io/api v0.0.0-20190620084959-7cf5895f2711/go.mod h1:TBhBqb1AWbBQbW3XRusr7n7E k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= k8s.io/api v0.17.2 h1:NF1UFXcKN7/OOv1uxdRz3qfra8AHsPav5M93hlV9+Dc= k8s.io/api v0.17.2/go.mod h1:BS9fjjLc4CMuqfSO8vgbHPKMt5+SF0ET6u/RVDihTo4= +k8s.io/api v0.17.3 h1:XAm3PZp3wnEdzekNkcmj/9Y1zdmQYJ1I4GKSBBZ8aG0= +k8s.io/api v0.17.3/go.mod h1:YZ0OTkuw7ipbe305fMpIdf3GLXZKRigjtZaV5gzC2J0= k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA= k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= k8s.io/apimachinery v0.17.2 h1:hwDQQFbdRlpnnsR64Asdi55GyCaIP/3WQpMmbNBeWr4= k8s.io/apimachinery v0.17.2/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= +k8s.io/apimachinery v0.17.3 h1:f+uZV6rm4/tHE7xXgLyToprg6xWairaClGVkm2t8omg= +k8s.io/apimachinery v0.17.3/go.mod h1:gxLnyZcGNdZTCLnq3fgzyg2A5BVCHTNDFrw8AmuJ+0g= k8s.io/client-go v0.0.0-20170217214107-bcde30fb7eae/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s= k8s.io/client-go v0.0.0-20181219152756-3dd551c0f083/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s= k8s.io/client-go v0.0.0-20190620085101-78d2af792bab h1:E8Fecph0qbNsAbijJJQryKu4Oi9QTp5cVpjTE+nqg6g= diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 78ec09f29..216bbe669 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -1383,18 +1383,34 @@ func (c *Container) mountNamedVolume(v *ContainerNamedVolume, mountpoint string) } if vol.state.NeedsCopyUp { logrus.Debugf("Copying up contents from container %s to volume %s", c.ID(), vol.Name()) + + // Set NeedsCopyUp to false immediately, so we don't try this + // again when there are already files copied. + vol.state.NeedsCopyUp = false + if err := vol.save(); err != nil { + return nil, err + } + + // If the volume is not empty, we should not copy up. + volMount := vol.MountPoint() + contents, err := ioutil.ReadDir(volMount) + if err != nil { + return nil, errors.Wrapf(err, "error listing contents of volume %s mountpoint when copying up from container %s", vol.Name(), c.ID()) + } + if len(contents) > 0 { + // The volume is not empty. It was likely modified + // outside of Podman. For safety, let's not copy up into + // it. Fixes CVE-2020-1726. + return vol, nil + } + srcDir, err := securejoin.SecureJoin(mountpoint, v.Dest) if err != nil { return nil, errors.Wrapf(err, "error calculating destination path to copy up container %s volume %s", c.ID(), vol.Name()) } - if err := c.copyWithTarFromImage(srcDir, vol.MountPoint()); err != nil && !os.IsNotExist(err) { + if err := c.copyWithTarFromImage(srcDir, volMount); err != nil && !os.IsNotExist(err) { return nil, errors.Wrapf(err, "error copying content from container %s into volume %s", c.ID(), vol.Name()) } - - vol.state.NeedsCopyUp = false - if err := vol.save(); err != nil { - return nil, err - } } return vol, nil } diff --git a/libpod/image/image_test.go b/libpod/image/image_test.go index 3ff6210d9..19f7eee1e 100644 --- a/libpod/image/image_test.go +++ b/libpod/image/image_test.go @@ -18,7 +18,6 @@ import ( var ( bbNames = []string{"docker.io/library/busybox:latest", "docker.io/library/busybox", "docker.io/busybox:latest", "docker.io/busybox", "busybox:latest", "busybox"} bbGlibcNames = []string{"docker.io/library/busybox:glibc", "docker.io/busybox:glibc", "busybox:glibc"} - fedoraNames = []string{"registry.fedoraproject.org/fedora-minimal:latest", "registry.fedoraproject.org/fedora-minimal", "fedora-minimal:latest", "fedora-minimal"} ) type localImageTest struct { @@ -139,7 +138,6 @@ func TestImage_New(t *testing.T) { ir.Eventer = events.NewNullEventer() // Build the list of pull names names = append(names, bbNames...) - names = append(names, fedoraNames...) writer := os.Stdout // Iterate over the names and delete the image diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go index b0e63f770..a30ec6649 100644 --- a/pkg/adapter/pods.go +++ b/pkg/adapter/pods.go @@ -764,7 +764,6 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container containerConfig.ImageID = newImage.ID() containerConfig.Name = containerYAML.Name containerConfig.Tty = containerYAML.TTY - containerConfig.WorkDir = containerYAML.WorkingDir containerConfig.Pod = podID @@ -796,6 +795,27 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container containerConfig.StopSignal = 15 + containerConfig.WorkDir = "/" + if imageData != nil { + // FIXME, + // we are currently ignoring imageData.Config.ExposedPorts + containerConfig.BuiltinImgVolumes = imageData.Config.Volumes + if imageData.Config.WorkingDir != "" { + containerConfig.WorkDir = imageData.Config.WorkingDir + } + containerConfig.Labels = imageData.Config.Labels + if imageData.Config.StopSignal != "" { + stopSignal, err := util.ParseSignal(imageData.Config.StopSignal) + if err != nil { + return nil, err + } + containerConfig.StopSignal = stopSignal + } + } + + if containerYAML.WorkingDir != "" { + containerConfig.WorkDir = containerYAML.WorkingDir + } // If the user does not pass in ID mappings, just set to basics if userConfig.IDMappings == nil { userConfig.IDMappings = &storage.IDMappingOptions{} diff --git a/pkg/api/handlers/containers.go b/pkg/api/handlers/containers.go index f180fbc2b..d7d040ce2 100644 --- a/pkg/api/handlers/containers.go +++ b/pkg/api/handlers/containers.go @@ -41,10 +41,9 @@ func StopContainer(w http.ResponseWriter, r *http.Request) { utils.InternalServerError(w, errors.Wrapf(err, "unable to get state for Container %s", name)) return } - // If the Container is stopped already, send a 302 + // If the Container is stopped already, send a 304 if state == define.ContainerStateStopped || state == define.ContainerStateExited { - utils.Error(w, http.StatusText(http.StatusNotModified), http.StatusNotModified, - errors.Errorf("Container %s is already stopped ", name)) + utils.WriteResponse(w, http.StatusNotModified, "") return } @@ -134,8 +133,7 @@ func StartContainer(w http.ResponseWriter, r *http.Request) { return } if state == define.ContainerStateRunning { - msg := fmt.Sprintf("Container %s is already running", name) - utils.Error(w, msg, http.StatusNotModified, errors.New(msg)) + utils.WriteResponse(w, http.StatusNotModified, "") return } if err := con.Start(r.Context(), false); err != nil { diff --git a/pkg/api/handlers/events.go b/pkg/api/handlers/events.go index 44bf35254..22dad9923 100644 --- a/pkg/api/handlers/events.go +++ b/pkg/api/handlers/events.go @@ -1,19 +1,24 @@ package handlers import ( + "encoding/json" "fmt" "net/http" - "strings" - "time" + "github.com/containers/libpod/libpod/events" "github.com/containers/libpod/pkg/api/handlers/utils" "github.com/pkg/errors" + "github.com/sirupsen/logrus" ) func GetEvents(w http.ResponseWriter, r *http.Request) { + var ( + fromStart bool + eventsError error + ) query := struct { - Since time.Time `schema:"since"` - Until time.Time `schema:"until"` + Since string `schema:"since"` + Until string `schema:"until"` Filters map[string][]string `schema:"filters"` }{} if err := decodeQuery(r, &query); err != nil { @@ -27,15 +32,30 @@ func GetEvents(w http.ResponseWriter, r *http.Request) { } } - libpodEvents, err := getRuntime(r).GetEvents(libpodFilters) - if err != nil { - utils.BadRequest(w, "filters", strings.Join(r.URL.Query()["filters"], ", "), err) + if len(query.Since) > 0 || len(query.Until) > 0 { + fromStart = true + } + eventChannel := make(chan *events.Event) + go func() { + readOpts := events.ReadOptions{FromStart: fromStart, Stream: true, Filters: libpodFilters, EventChannel: eventChannel, Since: query.Since, Until: query.Until} + eventsError = getRuntime(r).Events(readOpts) + }() + if eventsError != nil { + utils.InternalServerError(w, eventsError) return } - - var apiEvents = make([]*Event, len(libpodEvents)) - for _, v := range libpodEvents { - apiEvents = append(apiEvents, EventToApiEvent(v)) + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + for event := range eventChannel { + e := EventToApiEvent(event) + //utils.WriteJSON(w, http.StatusOK, e) + coder := json.NewEncoder(w) + coder.SetEscapeHTML(true) + if err := coder.Encode(e); err != nil { + logrus.Errorf("unable to write json: %q", err) + } + if flusher, ok := w.(http.Flusher); ok { + flusher.Flush() + } } - utils.WriteJSON(w, http.StatusOK, apiEvents) } diff --git a/pkg/api/handlers/generic/containers_stats.go b/pkg/api/handlers/generic/containers_stats.go index 85757c33e..19e2cc882 100644 --- a/pkg/api/handlers/generic/containers_stats.go +++ b/pkg/api/handlers/generic/containers_stats.go @@ -19,9 +19,6 @@ import ( const DefaultStatsPeriod = 5 * time.Second func StatsContainer(w http.ResponseWriter, r *http.Request) { - // 200 no error - // 404 no such - // 500 internal runtime := r.Context().Value("runtime").(*libpod.Runtime) decoder := r.Context().Value("decoder").(*schema.Decoder) diff --git a/pkg/api/handlers/libpod/containers.go b/pkg/api/handlers/libpod/containers.go index a64ed446c..e11e26510 100644 --- a/pkg/api/handlers/libpod/containers.go +++ b/pkg/api/handlers/libpod/containers.go @@ -56,7 +56,7 @@ func ListContainers(w http.ResponseWriter, r *http.Request) { decoder := r.Context().Value("decoder").(*schema.Decoder) query := struct { All bool `schema:"all"` - Filter map[string][]string `schema:"filter"` + Filters map[string][]string `schema:"filters"` Last int `schema:"last"` Namespace bool `schema:"namespace"` Pod bool `schema:"pod"` @@ -71,6 +71,7 @@ func ListContainers(w http.ResponseWriter, r *http.Request) { errors.Wrapf(err, "Failed to parse parameters for %s", r.URL.String())) return } + runtime := r.Context().Value("runtime").(*libpod.Runtime) opts := shared.PsOptions{ All: query.All, @@ -82,8 +83,8 @@ func ListContainers(w http.ResponseWriter, r *http.Request) { Pod: query.Pod, Sync: query.Sync, } - if len(query.Filter) > 0 { - for k, v := range query.Filter { + if len(query.Filters) > 0 { + for k, v := range query.Filters { for _, val := range v { generatedFunc, err := shared.GenerateContainerFilterFuncs(k, val, runtime) if err != nil { diff --git a/pkg/api/handlers/libpod/images.go b/pkg/api/handlers/libpod/images.go index f6459f1eb..bcbe4977e 100644 --- a/pkg/api/handlers/libpod/images.go +++ b/pkg/api/handlers/libpod/images.go @@ -304,7 +304,7 @@ func ImagesPull(w http.ResponseWriter, r *http.Request) { return } else if err != nil { origErr := err - imageRef, err = alltransports.ParseImageName(fmt.Sprintf("%s:%s", docker.Transport.Name(), query.Reference)) + imageRef, err = alltransports.ParseImageName(fmt.Sprintf("%s://%s", docker.Transport.Name(), query.Reference)) if err != nil { utils.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest, errors.Wrapf(origErr, "reference %q must be a docker reference", query.Reference)) diff --git a/pkg/api/handlers/libpod/pods.go b/pkg/api/handlers/libpod/pods.go index 8fb305290..e9297d91b 100644 --- a/pkg/api/handlers/libpod/pods.go +++ b/pkg/api/handlers/libpod/pods.go @@ -202,8 +202,7 @@ func PodStop(w http.ResponseWriter, r *http.Request) { } } if allContainersStopped { - alreadyStopped := errors.Errorf("pod %s is already stopped", pod.ID()) - utils.Error(w, "Something went wrong", http.StatusNotModified, alreadyStopped) + utils.WriteResponse(w, http.StatusNotModified, "") return } @@ -249,8 +248,7 @@ func PodStart(w http.ResponseWriter, r *http.Request) { } } if allContainersRunning { - alreadyRunning := errors.Errorf("pod %s is already running", pod.ID()) - utils.Error(w, "Something went wrong", http.StatusNotModified, alreadyRunning) + utils.WriteResponse(w, http.StatusNotModified, "") return } if _, err := pod.Start(r.Context()); err != nil { diff --git a/pkg/api/server/register_events.go b/pkg/api/server/register_events.go index a32244f4d..090f66323 100644 --- a/pkg/api/server/register_events.go +++ b/pkg/api/server/register_events.go @@ -29,7 +29,7 @@ func (s *APIServer) RegisterEventsHandlers(r *mux.Router) error { // description: JSON encoded map[string][]string of constraints // responses: // 200: - // $ref: "#/responses/ok" + // description: returns a string of json data describing an event // 500: // "$ref": "#/responses/InternalError" r.Handle(VersionedPath("/events"), APIHandler(s.Context, handlers.GetEvents)) diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go index 7bb0f5481..87b11b716 100644 --- a/pkg/api/server/server.go +++ b/pkg/api/server/server.go @@ -106,6 +106,7 @@ func newServer(runtime *libpod.Runtime, duration time.Duration, listener *net.Li server.RegisterContainersHandlers, server.RegisterDistributionHandlers, server.registerExecHandlers, + server.RegisterEventsHandlers, server.registerHealthCheckHandlers, server.registerImagesHandlers, server.registerInfoHandlers, diff --git a/pkg/bindings/connection.go b/pkg/bindings/connection.go index 116af9709..f270060a6 100644 --- a/pkg/bindings/connection.go +++ b/pkg/bindings/connection.go @@ -130,7 +130,7 @@ func (c *Connection) DoRequest(httpBody io.Reader, httpMethod, endpoint string, // if more desirable we could use url to form the encoded endpoint with params r := req.URL.Query() for k, v := range queryParams { - r.Add(k, url.QueryEscape(v)) + r.Add(k, v) } req.URL.RawQuery = r.Encode() } @@ -155,18 +155,14 @@ func GetConnectionFromContext(ctx context.Context) (*Connection, error) { return conn, nil } -// FiltersToHTML converts our typical filter format of a +// FiltersToString converts our typical filter format of a // map[string][]string to a query/html safe string. -func FiltersToHTML(filters map[string][]string) (string, error) { +func FiltersToString(filters map[string][]string) (string, error) { lowerCaseKeys := make(map[string][]string) for k, v := range filters { lowerCaseKeys[strings.ToLower(k)] = v } - unsafeString, err := jsoniter.MarshalToString(lowerCaseKeys) - if err != nil { - return "", err - } - return url.QueryEscape(unsafeString), nil + return jsoniter.MarshalToString(lowerCaseKeys) } // IsInformation returns true if the response code is 1xx diff --git a/pkg/bindings/containers/containers.go b/pkg/bindings/containers/containers.go index 334a656d4..04f7f8802 100644 --- a/pkg/bindings/containers/containers.go +++ b/pkg/bindings/containers/containers.go @@ -5,8 +5,8 @@ import ( "net/http" "strconv" - "github.com/containers/libpod/cmd/podman/shared" "github.com/containers/libpod/libpod" + lpapiv2 "github.com/containers/libpod/pkg/api/handlers/libpod" "github.com/containers/libpod/pkg/bindings" ) @@ -15,13 +15,16 @@ import ( // the most recent number of containers. The pod and size booleans indicate that pod information and rootfs // size information should also be included. Finally, the sync bool synchronizes the OCI runtime and // container state. -func List(ctx context.Context, filters map[string][]string, last *int, pod, size, sync *bool) ([]*shared.PsContainerOutput, error) { // nolint:typecheck +func List(ctx context.Context, filters map[string][]string, all *bool, last *int, pod, size, sync *bool) ([]lpapiv2.ListContainer, error) { // nolint:typecheck conn, err := bindings.GetConnectionFromContext(ctx) if err != nil { return nil, err } - var images []*shared.PsContainerOutput + var containers []lpapiv2.ListContainer params := make(map[string]string) + if all != nil { + params["all"] = strconv.FormatBool(*all) + } if last != nil { params["last"] = strconv.Itoa(*last) } @@ -35,7 +38,7 @@ func List(ctx context.Context, filters map[string][]string, last *int, pod, size params["sync"] = strconv.FormatBool(*sync) } if filters != nil { - filterString, err := bindings.FiltersToHTML(filters) + filterString, err := bindings.FiltersToString(filters) if err != nil { return nil, err } @@ -43,9 +46,9 @@ func List(ctx context.Context, filters map[string][]string, last *int, pod, size } response, err := conn.DoRequest(nil, http.MethodGet, "/containers/json", params) if err != nil { - return images, err + return containers, err } - return images, response.Process(nil) + return containers, response.Process(&containers) } // Prune removes stopped and exited containers from local storage. The optional filters can be @@ -62,7 +65,7 @@ func Prune(ctx context.Context, filters map[string][]string) ([]string, error) { } params := make(map[string]string) if filters != nil { - filterString, err := bindings.FiltersToHTML(filters) + filterString, err := bindings.FiltersToString(filters) if err != nil { return nil, err } diff --git a/pkg/bindings/images/images.go b/pkg/bindings/images/images.go index deaf93f0e..b19482943 100644 --- a/pkg/bindings/images/images.go +++ b/pkg/bindings/images/images.go @@ -38,7 +38,7 @@ func List(ctx context.Context, all *bool, filters map[string][]string) ([]*handl params["all"] = strconv.FormatBool(*all) } if filters != nil { - strFilters, err := bindings.FiltersToHTML(filters) + strFilters, err := bindings.FiltersToString(filters) if err != nil { return nil, err } @@ -155,7 +155,7 @@ func Prune(ctx context.Context, filters map[string][]string) ([]string, error) { } params := make(map[string]string) if filters != nil { - stringFilter, err := bindings.FiltersToHTML(filters) + stringFilter, err := bindings.FiltersToString(filters) if err != nil { return nil, err } diff --git a/pkg/bindings/images/search.go b/pkg/bindings/images/search.go index d98ddf18d..58b25425b 100644 --- a/pkg/bindings/images/search.go +++ b/pkg/bindings/images/search.go @@ -26,7 +26,7 @@ func Search(ctx context.Context, term string, limit *int, filters map[string][]s params["limit"] = strconv.Itoa(*limit) } if filters != nil { - stringFilter, err := bindings.FiltersToHTML(filters) + stringFilter, err := bindings.FiltersToString(filters) if err != nil { return nil, err } diff --git a/pkg/bindings/pods/pods.go b/pkg/bindings/pods/pods.go index a6b74c21d..d079f01c2 100644 --- a/pkg/bindings/pods/pods.go +++ b/pkg/bindings/pods/pods.go @@ -97,7 +97,7 @@ func List(ctx context.Context, filters map[string][]string) (*[]libpod.PodInspec } params := make(map[string]string) if filters != nil { - stringFilter, err := bindings.FiltersToHTML(filters) + stringFilter, err := bindings.FiltersToString(filters) if err != nil { return nil, err } diff --git a/pkg/rootlessport/rootlessport_linux.go b/pkg/rootlessport/rootlessport_linux.go index 3e678d33a..2b51f4e09 100644 --- a/pkg/rootlessport/rootlessport_linux.go +++ b/pkg/rootlessport/rootlessport_linux.go @@ -122,6 +122,7 @@ func parent() error { logrus.WithError(driverErr).Warn("parent driver exited") } errCh <- driverErr + close(errCh) }() opaque := driver.OpaqueForChild() logrus.Infof("opaque=%+v", opaque) @@ -142,15 +143,12 @@ func parent() error { }() // reexec the child process in the child netns - cmd := exec.Command(fmt.Sprintf("/proc/%d/exe", os.Getpid())) + cmd := exec.Command("/proc/self/exe") cmd.Args = []string{reexecChildKey} cmd.Stdin = childQuitR cmd.Stdout = &logrusWriter{prefix: "child"} cmd.Stderr = cmd.Stdout cmd.Env = append(os.Environ(), reexecChildEnvOpaque+"="+string(opaqueJSON)) - cmd.SysProcAttr = &syscall.SysProcAttr{ - Pdeathsig: syscall.SIGTERM, - } childNS, err := ns.GetNS(cfg.NetNSPath) if err != nil { return err @@ -162,14 +160,27 @@ func parent() error { return err } + defer func() { + if err := syscall.Kill(cmd.Process.Pid, syscall.SIGTERM); err != nil { + logrus.WithError(err).Warn("kill child process") + } + }() + logrus.Info("waiting for initComplete") // wait for the child to connect to the parent - select { - case <-initComplete: - logrus.Infof("initComplete is closed; parent and child established the communication channel") - case err := <-errCh: - return err +outer: + for { + select { + case <-initComplete: + logrus.Infof("initComplete is closed; parent and child established the communication channel") + break outer + case err := <-errCh: + if err != nil { + return err + } + } } + defer func() { logrus.Info("stopping parent driver") quit <- struct{}{} diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go new file mode 100644 index 000000000..dcf255378 --- /dev/null +++ b/pkg/seccomp/seccomp.go @@ -0,0 +1,54 @@ +package seccomp + +import ( + "sort" + + "github.com/pkg/errors" +) + +// ContianerImageLabel is the key of the image annotation embedding a seccomp +// profile. +const ContainerImageLabel = "io.containers.seccomp.profile" + +// Policy denotes a seccomp policy. +type Policy int + +const ( + // PolicyDefault - if set use SecurityConfig.SeccompProfilePath, + // otherwise use the default profile. The SeccompProfilePath might be + // explicitly set by the user. + PolicyDefault Policy = iota + // PolicyImage - if set use SecurityConfig.SeccompProfileFromImage, + // otherwise follow SeccompPolicyDefault. + PolicyImage +) + +// Map for easy lookups of supported policies. +var supportedPolicies = map[string]Policy{ + "": PolicyDefault, + "default": PolicyDefault, + "image": PolicyImage, +} + +// LookupPolicy looksup the corresponding Policy for the specified +// string. If none is found, an errors is returned including the list of +// supported policies. +// +// Note that an empty string resolved to SeccompPolicyDefault. +func LookupPolicy(s string) (Policy, error) { + policy, exists := supportedPolicies[s] + if exists { + return policy, nil + } + + // Sort the keys first as maps are non-deterministic. + keys := []string{} + for k := range supportedPolicies { + if k != "" { + keys = append(keys, k) + } + } + sort.Strings(keys) + + return -1, errors.Errorf("invalid seccomp policy %q: valid policies are %+q", s, keys) +} diff --git a/pkg/spec/config_linux.go b/pkg/spec/config_linux.go index 32d8cb4de..5f39b6d0d 100644 --- a/pkg/spec/config_linux.go +++ b/pkg/spec/config_linux.go @@ -7,6 +7,7 @@ import ( "io/ioutil" "os" "path/filepath" + "strconv" "strings" "github.com/containers/libpod/pkg/rootless" @@ -90,6 +91,42 @@ func devicesFromPath(g *generate.Generator, devicePath string) error { return addDevice(g, strings.Join(append([]string{resolvedDevicePath}, devs[1:]...), ":")) } +func deviceCgroupRules(g *generate.Generator, deviceCgroupRules []string) error { + for _, deviceCgroupRule := range deviceCgroupRules { + if err := validateDeviceCgroupRule(deviceCgroupRule); err != nil { + return err + } + ss := parseDeviceCgroupRule(deviceCgroupRule) + if len(ss[0]) != 5 { + return errors.Errorf("invalid device cgroup rule format: '%s'", deviceCgroupRule) + } + matches := ss[0] + var major, minor *int64 + if matches[2] == "*" { + majorDev := int64(-1) + major = &majorDev + } else { + majorDev, err := strconv.ParseInt(matches[2], 10, 64) + if err != nil { + return errors.Errorf("invalid major value in device cgroup rule format: '%s'", deviceCgroupRule) + } + major = &majorDev + } + if matches[3] == "*" { + minorDev := int64(-1) + minor = &minorDev + } else { + minorDev, err := strconv.ParseInt(matches[2], 10, 64) + if err != nil { + return errors.Errorf("invalid major value in device cgroup rule format: '%s'", deviceCgroupRule) + } + minor = &minorDev + } + g.AddLinuxResourcesDevice(true, matches[1], major, minor, matches[4]) + } + return nil +} + func addDevice(g *generate.Generator, device string) error { src, dst, permissions, err := ParseDevice(device) if err != nil { diff --git a/pkg/spec/config_linux_cgo.go b/pkg/spec/config_linux_cgo.go index ae83c9d52..05f42c4da 100644 --- a/pkg/spec/config_linux_cgo.go +++ b/pkg/spec/config_linux_cgo.go @@ -5,9 +5,10 @@ package createconfig import ( "io/ioutil" + "github.com/containers/libpod/pkg/seccomp" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/pkg/errors" - seccomp "github.com/seccomp/containers-golang" + goSeccomp "github.com/seccomp/containers-golang" "github.com/sirupsen/logrus" ) @@ -15,9 +16,9 @@ func getSeccompConfig(config *SecurityConfig, configSpec *spec.Spec) (*spec.Linu var seccompConfig *spec.LinuxSeccomp var err error - if config.SeccompPolicy == SeccompPolicyImage && config.SeccompProfileFromImage != "" { + if config.SeccompPolicy == seccomp.PolicyImage && config.SeccompProfileFromImage != "" { logrus.Debug("Loading seccomp profile from the security config") - seccompConfig, err = seccomp.LoadProfile(config.SeccompProfileFromImage, configSpec) + seccompConfig, err = goSeccomp.LoadProfile(config.SeccompProfileFromImage, configSpec) if err != nil { return nil, errors.Wrap(err, "loading seccomp profile failed") } @@ -30,13 +31,13 @@ func getSeccompConfig(config *SecurityConfig, configSpec *spec.Spec) (*spec.Linu if err != nil { return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", config.SeccompProfilePath) } - seccompConfig, err = seccomp.LoadProfile(string(seccompProfile), configSpec) + seccompConfig, err = goSeccomp.LoadProfile(string(seccompProfile), configSpec) if err != nil { return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath) } } else { logrus.Debug("Loading default seccomp profile") - seccompConfig, err = seccomp.GetDefaultProfile(configSpec) + seccompConfig, err = goSeccomp.GetDefaultProfile(configSpec) if err != nil { return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath) } diff --git a/pkg/spec/config_unsupported.go b/pkg/spec/config_unsupported.go index a2c7f4416..be3e7046d 100644 --- a/pkg/spec/config_unsupported.go +++ b/pkg/spec/config_unsupported.go @@ -30,3 +30,7 @@ func makeThrottleArray(throttleInput []string, rateType int) ([]spec.LinuxThrott func devicesFromPath(g *generate.Generator, devicePath string) error { return errors.New("function not implemented") } + +func deviceCgroupRules(g *generate.Generator, deviceCgroupRules []string) error { + return errors.New("function not implemented") +} diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go index fb222083b..8010be0d4 100644 --- a/pkg/spec/createconfig.go +++ b/pkg/spec/createconfig.go @@ -2,7 +2,6 @@ package createconfig import ( "os" - "sort" "strconv" "strings" "syscall" @@ -11,6 +10,7 @@ import ( "github.com/containers/libpod/libpod" "github.com/containers/libpod/libpod/define" "github.com/containers/libpod/pkg/namespaces" + "github.com/containers/libpod/pkg/seccomp" "github.com/containers/storage" "github.com/docker/go-connections/nat" spec "github.com/opencontainers/runtime-spec/specs-go" @@ -38,6 +38,7 @@ type CreateResourceConfig struct { CPUs float64 // cpus CPUsetCPUs string CPUsetMems string // cpuset-mems + DeviceCgroupRules []string //device-cgroup-rule DeviceReadBps []string // device-read-bps DeviceReadIOps []string // device-read-iops DeviceWriteBps []string // device-write-bps @@ -107,48 +108,6 @@ type NetworkConfig struct { PublishAll bool //publish-all } -// SeccompPolicy determines which seccomp profile gets applied to the container. -type SeccompPolicy int - -const ( - // SeccompPolicyDefault - if set use SecurityConfig.SeccompProfilePath, - // otherwise use the default profile. The SeccompProfilePath might be - // explicitly set by the user. - SeccompPolicyDefault SeccompPolicy = iota - // SeccompPolicyImage - if set use SecurityConfig.SeccompProfileFromImage, - // otherwise follow SeccompPolicyDefault. - SeccompPolicyImage -) - -// Map for easy lookups of supported policies. -var supportedSeccompPolicies = map[string]SeccompPolicy{ - "": SeccompPolicyDefault, - "default": SeccompPolicyDefault, - "image": SeccompPolicyImage, -} - -// LookupSeccompPolicy looksup the corresponding SeccompPolicy for the specified -// string. If none is found, an errors is returned including the list of -// supported policies. -// Note that an empty string resolved to SeccompPolicyDefault. -func LookupSeccompPolicy(s string) (SeccompPolicy, error) { - policy, exists := supportedSeccompPolicies[s] - if exists { - return policy, nil - } - - // Sort the keys first as maps are non-deterministic. - keys := []string{} - for k := range supportedSeccompPolicies { - if k != "" { - keys = append(keys, k) - } - } - sort.Strings(keys) - - return -1, errors.Errorf("invalid seccomp policy %q: valid policies are %+q", s, keys) -} - // SecurityConfig configures the security features for the container type SecurityConfig struct { CapAdd []string // cap-add @@ -158,7 +117,7 @@ type SecurityConfig struct { ApparmorProfile string //SecurityOpts SeccompProfilePath string //SecurityOpts SeccompProfileFromImage string // seccomp profile from the container image - SeccompPolicy SeccompPolicy + SeccompPolicy seccomp.Policy SecurityOpts []string Privileged bool //privileged ReadOnlyRootfs bool //read-only diff --git a/pkg/spec/parse.go b/pkg/spec/parse.go index 6fa0b0636..a5dfccdb9 100644 --- a/pkg/spec/parse.go +++ b/pkg/spec/parse.go @@ -2,12 +2,17 @@ package createconfig import ( "fmt" + "regexp" "strconv" "strings" "github.com/docker/go-units" + "github.com/pkg/errors" ) +// deviceCgroupRulegex defines the valid format of device-cgroup-rule +var deviceCgroupRuleRegex = regexp.MustCompile(`^([acb]) ([0-9]+|\*):([0-9]+|\*) ([rwm]{1,3})$`) + // Pod signifies a kernel namespace is being shared // by a container with the pod it is associated with const Pod = "pod" @@ -205,3 +210,16 @@ func IsValidDeviceMode(mode string) bool { } return true } + +// validateDeviceCgroupRule validates the format of deviceCgroupRule +func validateDeviceCgroupRule(deviceCgroupRule string) error { + if !deviceCgroupRuleRegex.MatchString(deviceCgroupRule) { + return errors.Errorf("invalid device cgroup rule format: '%s'", deviceCgroupRule) + } + return nil +} + +// parseDeviceCgroupRule matches and parses the deviceCgroupRule into slice +func parseDeviceCgroupRule(deviceCgroupRule string) [][]string { + return deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1) +} diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index cae055bb0..b2a152a2d 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -232,6 +232,12 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM return nil, err } } + if len(config.Resources.DeviceCgroupRules) != 0 { + if err := deviceCgroupRules(&g, config.Resources.DeviceCgroupRules); err != nil { + return nil, err + } + addedResources = true + } } // SECURITY OPTS diff --git a/test/apiv2/01-basic.at b/test/apiv2/01-basic.at index e87ec534c..a54063260 100644 --- a/test/apiv2/01-basic.at +++ b/test/apiv2/01-basic.at @@ -27,7 +27,8 @@ t GET /nonesuch 404 t POST /nonesuch '' 404 t GET container/nonesuch/json 404 t GET libpod/containers/nonesuch/json 404 -t GET 'libpod/containers/json?a=b' 400 + +#### FIXME: maybe someday: t GET 'libpod/containers/json?a=b' 400 # Method not allowed t POST /_ping '' 405 diff --git a/test/apiv2/10-images.at b/test/apiv2/10-images.at index 243b35e9f..42ec028d0 100644 --- a/test/apiv2/10-images.at +++ b/test/apiv2/10-images.at @@ -6,9 +6,9 @@ # FIXME: API doesn't support pull yet, so use podman podman pull -q $IMAGE -# We want the SHA without the "sha256:" prefix -full_iid=$(podman images --no-trunc --format '{{.ID}}' $IMAGE) -iid=${full_iid##sha256:} +t GET libpod/images/json 200 \ + .[0].Id~[0-9a-f]\\{64\\} +iid=$(jq -r '.[0].Id' <<<"$output") t GET libpod/images/$iid/exists 204 t GET libpod/images/$PODMAN_TEST_IMAGE_NAME/exists 204 diff --git a/test/apiv2/20-containers.at b/test/apiv2/20-containers.at index 5f0a145f0..a69e8cc99 100644 --- a/test/apiv2/20-containers.at +++ b/test/apiv2/20-containers.at @@ -11,18 +11,22 @@ podman pull $IMAGE &>/dev/null # Ensure clean slate podman rm -a -f &>/dev/null -t GET libpod/containers/json 200 [] +t GET libpod/containers/json 200 length=0 podman run $IMAGE true -t GET libpod/containers/json 200 \ - .[0].ID~[0-9a-f]\\{12\\} \ +t GET libpod/containers/json 200 length=0 + +t GET libpod/containers/json?all=true 200 \ + length=1 \ + .[0].Id~[0-9a-f]\\{12\\} \ .[0].Image=$IMAGE \ - .[0].Command=true \ - .[0].State=4 \ + .[0].Command[0]="true" \ + .[0].State=exited \ + .[0].ExitCode=0 \ .[0].IsInfra=false -cid=$(jq -r '.[0].ID' <<<"$output") +cid=$(jq -r '.[0].Id' <<<"$output") t DELETE libpod/containers/$cid 204 diff --git a/test/apiv2/40-pods.at b/test/apiv2/40-pods.at index 1c25a3822..705de94d2 100644 --- a/test/apiv2/40-pods.at +++ b/test/apiv2/40-pods.at @@ -3,19 +3,31 @@ # test pod-related endpoints # +# FIXME! Shouldn't /create give an actual pod ID? +expected_id='machine.slice' +if rootless; then + expected_id=/libpod_parent +fi + t GET libpod/pods/json 200 null -t POST libpod/pods/create name=foo 201 '{"id":"machine.slice"}' # FIXME! +t POST libpod/pods/create name=foo 201 .id=$expected_id t GET libpod/pods/foo/exists 204 t GET libpod/pods/notfoo/exists 404 t GET libpod/pods/foo/json 200 .Config.name=foo .Containers=null t GET libpod/pods/json 200 .[0].Config.name=foo .[0].Containers=null -# Cannot create a dup pod with the same name (FIXME: should that be 409?) -t POST libpod/pods/create name=foo 500 .cause="pod already exists" +# Cannot create a dup pod with the same name +t POST libpod/pods/create name=foo 409 .cause="pod already exists" #t POST libpod/pods/create a=b 400 .cause='bad parameter' # FIXME: unimplemented -t POST libpod/pods/foo/pause '' 204 +if root; then + t POST libpod/pods/foo/pause '' 204 +else + t POST libpod/pods/foo/pause '' 500 \ + .cause="this container does not have a cgroup" \ + .message~".*pause pods containing rootless containers with cgroup V1" +fi t POST libpod/pods/foo/unpause '' 200 t POST libpod/pods/foo/unpause '' 200 # (2nd time) t POST libpod/pods/foo/stop '' 304 diff --git a/test/apiv2/test-apiv2 b/test/apiv2/test-apiv2 index 786c976d6..fffd7b085 100755 --- a/test/apiv2/test-apiv2 +++ b/test/apiv2/test-apiv2 @@ -41,6 +41,9 @@ echo 0 >$failures_file # Where the tests live TESTS_DIR=$(realpath $(dirname $0)) +# Path to podman binary +PODMAN_BIN=${PODMAN:-${TESTS_DIR}/../../bin/podman} + # END setup ############################################################################### # BEGIN infrastructure code - the helper functions used in tests themselves @@ -97,7 +100,7 @@ function _show_ok() { local green= local reset= local bold= - if [ -t 3 ]; then + if [ -t 1 ]; then red='\e[31m' green='\e[32m' reset='\e[0m' @@ -107,16 +110,16 @@ function _show_ok() { _bump $testcounter_file count=$(<$testcounter_file) if [ $ok -eq 1 ]; then - echo -e "${green}ok $count $testname${reset}" >&3 + echo -e "${green}ok $count $testname${reset}" return fi # Failed local expect=$3 local actual=$4 - echo -e "${red}not ok $count $testname${reset}" >&3 - echo -e "${red}# expected: $expect${reset}" >&3 - echo -e "${red}# actual: ${bold}$actual${reset}" >&3 + echo -e "${red}not ok $count $testname${reset}" + echo -e "${red}# expected: $expect${reset}" + echo -e "${red}# actual: ${bold}$actual${reset}" _bump $failures_file } @@ -201,17 +204,28 @@ function t() { output=$(< $WORKDIR/curl.result.out) + # Special case: 204/304, by definition, MUST NOT return content (rfc2616) + if [[ $expected_code = 204 || $expected_code = 304 ]]; then + if [ -n "$*" ]; then + die "Internal error: ${expected_code} status returns no output; fix your test." + fi + if [ -n "$output" ]; then + _show_ok 0 "$testname: ${expected_code} status returns no output" "''" "$output" + fi + return + fi + for i; do case "$i" in # Exact match on json field - .*=*) + *=*) json_field=$(expr "$i" : "\([^=]*\)=") expect=$(expr "$i" : '[^=]*=\(.*\)') actual=$(jq -r "$json_field" <<<"$output") is "$actual" "$expect" "$testname : $json_field" ;; # regex match on json field - .*~*) + *~*) json_field=$(expr "$i" : "\([^~]*\)~") expect=$(expr "$i" : '[^~]*~\(.*\)') actual=$(jq -r "$json_field" <<<"$output") @@ -231,35 +245,51 @@ function t() { service_pid= function start_service() { # If there's a listener on the port, nothing for us to do - echo -n >/dev/tcp/$HOST/$PORT &>/dev/null && return + { exec 3<> /dev/tcp/$HOST/$PORT; } &>/dev/null && return + + test -x $PODMAN_BIN || die "Not found: $PODMAN_BIN" if [ "$HOST" != "localhost" ]; then die "Cannot start service on non-localhost ($HOST)" fi - if [ $(id -u) -ne 0 ]; then - echo "$ME: WARNING: running service rootless is unlikely to work!" >&2 - fi - - # Find the binary - SERVICE_BIN=${SERVICE_BIN:-${TESTS_DIR}/../../bin/service} - test -x $SERVICE_BIN || die "Not found: $SERVICE_BIN" - - systemd-socket-activate -l 127.0.0.1:$PORT \ - $SERVICE_BIN --root $WORKDIR/root \ + $PODMAN_BIN --root $WORKDIR system service --timeout 15000 tcp:127.0.0.1:$PORT \ &> $WORKDIR/server.log & service_pid=$! # Wait local _timeout=5 while [ $_timeout -gt 0 ]; do - echo -n >/dev/tcp/$HOST/$PORT &>/dev/null && return + { exec 3<> /dev/tcp/$HOST/$PORT; } &>/dev/null && return sleep 1 _timeout=$(( $_timeout - 1 )) done die "Timed out waiting for service" } +############ +# podman # Needed by some test scripts to invoke the actual podman binary +############ +function podman() { + echo "\$ $PODMAN_BIN $*" >>$WORKDIR/output.log + $PODMAN_BIN --root $WORKDIR "$@" >>$WORKDIR/output.log 2>&1 +} + +#################### +# root, rootless # Is server rootless? +#################### +ROOTLESS= +function root() { + ! rootless +} + +function rootless() { + if [[ -z $ROOTLESS ]]; then + ROOTLESS=$(curl -s http://$HOST:$PORT/v1.40/info | jq .Rootless) + fi + test "$ROOTLESS" = "true" +} + # END infrastructure code ############################################################################### # BEGIN sanity checks @@ -288,10 +318,6 @@ else tests_to_run=($TESTS_DIR/*.at) fi -# Because subtests may run podman or other commands that emit stderr; -# redirect all those and use fd 3 for all output -exec 3>&1 &>$WORKDIR/output.log - start_service for i in ${tests_to_run[@]}; do @@ -304,22 +330,17 @@ done # Clean up if [ -n "$service_pid" ]; then - # Yep, has to be -9. It ignores everything else. - kill -9 $service_pid + kill $service_pid + wait -f $service_pid fi test_count=$(<$testcounter_file) failure_count=$(<$failures_file) -if [ $failure_count -gt 0 -a -s "$WORKDIR/output.log" ]; then - echo "# Collected stdout/stderr:" >&3 - sed -e 's/^/# /' < $WORKDIR/output.log >&3 -fi - if [ -z "$PODMAN_TESTS_KEEP_WORKDIR" ]; then rm -rf $WORKDIR fi -echo "1..${test_count}" >&3 +echo "1..${test_count}" exit $failure_count diff --git a/test/e2e/config.go b/test/e2e/config.go index 96cc157be..95b0481b3 100644 --- a/test/e2e/config.go +++ b/test/e2e/config.go @@ -2,7 +2,7 @@ package integration var ( redis = "docker.io/library/redis:alpine" - fedoraMinimal = "registry.fedoraproject.org/fedora-minimal:latest" + fedoraMinimal = "quay.io/libpod/fedora-minimal:latest" ALPINE = "docker.io/library/alpine:latest" ALPINELISTTAG = "docker.io/library/alpine:3.10.2" ALPINELISTDIGEST = "docker.io/library/alpine@sha256:72c42ed48c3a2db31b7dafe17d275b634664a708d901ec9fd57b1529280f01fb" diff --git a/test/e2e/images_test.go b/test/e2e/images_test.go index 9a67cc83a..8b6b679a5 100644 --- a/test/e2e/images_test.go +++ b/test/e2e/images_test.go @@ -116,7 +116,8 @@ var _ = Describe("Podman images", func() { }) It("podman images in GO template format", func() { - session := podmanTest.Podman([]string{"images", "--format={{.ID}}"}) + formatStr := "{{.ID}}\t{{.Created}}\t{{.CreatedAt}}\t{{.CreatedSince}}\t{{.CreatedTime}}" + session := podmanTest.Podman([]string{"images", fmt.Sprintf("--format=%s", formatStr)}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) }) @@ -280,7 +281,7 @@ RUN apk update && apk add man return session.OutputToStringArray() } - sortedArr := sortValueTest("created", 0, "CreatedTime") + sortedArr := sortValueTest("created", 0, "CreatedAt") Expect(sort.SliceIsSorted(sortedArr, func(i, j int) bool { return sortedArr[i] > sortedArr[j] })).To(BeTrue()) sortedArr = sortValueTest("id", 0, "ID") diff --git a/test/e2e/load_test.go b/test/e2e/load_test.go index 9ff358d26..9a2cee9e1 100644 --- a/test/e2e/load_test.go +++ b/test/e2e/load_test.go @@ -205,7 +205,7 @@ var _ = Describe("Podman load", func() { podmanTest.RestoreArtifact(fedoraMinimal) outfile := filepath.Join(podmanTest.TempDir, "load_test.tar.gz") - setup := podmanTest.PodmanNoCache([]string{"tag", "fedora-minimal", "hello"}) + setup := podmanTest.PodmanNoCache([]string{"tag", fedoraMinimal, "hello"}) setup.WaitWithDefaultTimeout() Expect(setup.ExitCode()).To(Equal(0)) diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go index 8411e632a..9daf266b8 100644 --- a/test/e2e/play_kube_test.go +++ b/test/e2e/play_kube_test.go @@ -4,6 +4,7 @@ package integration import ( "fmt" + "io/ioutil" "os" "path/filepath" "text/template" @@ -486,4 +487,46 @@ var _ = Describe("Podman generate kube", func() { newBBinspect := inspect.InspectImageJSON() Expect(oldBBinspect[0].Digest).To(Not(Equal(newBBinspect[0].Digest))) }) + + It("podman play kube with image data", func() { + testyaml := ` +apiVersion: v1 +kind: Pod +metadata: + name: demo_pod +spec: + containers: + - image: demo + name: demo_kube +` + pull := podmanTest.Podman([]string{"create", "--workdir", "/etc", "--name", "newBB", "--label", "key1=value1", "alpine"}) + + pull.WaitWithDefaultTimeout() + Expect(pull.ExitCode()).To(BeZero()) + + c := podmanTest.Podman([]string{"commit", "-c", "STOPSIGNAL=51", "newBB", "demo"}) + c.WaitWithDefaultTimeout() + Expect(c.ExitCode()).To(Equal(0)) + + conffile := filepath.Join(podmanTest.TempDir, "kube.yaml") + tempdir, err = CreateTempDirInTempDir() + Expect(err).To(BeNil()) + + err := ioutil.WriteFile(conffile, []byte(testyaml), 0755) + Expect(err).To(BeNil()) + + kube := podmanTest.Podman([]string{"play", "kube", conffile}) + kube.WaitWithDefaultTimeout() + Expect(kube.ExitCode()).To(Equal(0)) + + inspect := podmanTest.Podman([]string{"inspect", "demo_kube"}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.ExitCode()).To(Equal(0)) + + ctr := inspect.InspectContainerToJSON() + Expect(ctr[0].Config.WorkingDir).To(ContainSubstring("/etc")) + Expect(ctr[0].Config.Labels["key1"]).To(ContainSubstring("value1")) + Expect(ctr[0].Config.Labels["key1"]).To(ContainSubstring("value1")) + Expect(ctr[0].Config.StopSignal).To(Equal(uint(51))) + }) }) diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 72547ea00..3eb93b84a 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -999,4 +999,16 @@ USER mail` session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Not(Equal(0))) }) + + It("podman run --device-cgroup-rule", func() { + SkipIfRemote() + SkipIfRootless() + deviceCgroupRule := "c 42:* rwm" + session := podmanTest.Podman([]string{"run", "--name", "test", "-d", "--device-cgroup-rule", deviceCgroupRule, ALPINE, "top"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + session = podmanTest.Podman([]string{"exec", "test", "mknod", "newDev", "c", "42", "1"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + }) }) diff --git a/test/e2e/run_volume_test.go b/test/e2e/run_volume_test.go index 0c2389e40..46c27dc2e 100644 --- a/test/e2e/run_volume_test.go +++ b/test/e2e/run_volume_test.go @@ -397,4 +397,28 @@ var _ = Describe("Podman run with volumes", func() { volMount.WaitWithDefaultTimeout() Expect(volMount.ExitCode()).To(Not(Equal(0))) }) + + It("Podman fix for CVE-2020-1726", func() { + volName := "testVol" + volCreate := podmanTest.Podman([]string{"volume", "create", volName}) + volCreate.WaitWithDefaultTimeout() + Expect(volCreate.ExitCode()).To(Equal(0)) + + volPath := podmanTest.Podman([]string{"volume", "inspect", "--format", "{{.Mountpoint}}", volName}) + volPath.WaitWithDefaultTimeout() + Expect(volPath.ExitCode()).To(Equal(0)) + path := volPath.OutputToString() + + fileName := "thisIsATestFile" + file, err := os.Create(filepath.Join(path, fileName)) + Expect(err).To(BeNil()) + defer file.Close() + + runLs := podmanTest.Podman([]string{"run", "-t", "-i", "--rm", "-v", fmt.Sprintf("%v:/etc/ssl", volName), ALPINE, "ls", "-1", "/etc/ssl"}) + runLs.WaitWithDefaultTimeout() + Expect(runLs.ExitCode()).To(Equal(0)) + outputArr := runLs.OutputToStringArray() + Expect(len(outputArr)).To(Equal(1)) + Expect(strings.Contains(outputArr[0], fileName)).To(BeTrue()) + }) }) diff --git a/test/endpoint/endpoint.go b/test/endpoint/endpoint.go index 78aa957ab..f1634b6f0 100644 --- a/test/endpoint/endpoint.go +++ b/test/endpoint/endpoint.go @@ -29,7 +29,7 @@ var ( infra = "k8s.gcr.io/pause:3.1" BB = "docker.io/library/busybox:latest" redis = "docker.io/library/redis:alpine" - fedoraMinimal = "registry.fedoraproject.org/fedora-minimal:latest" + fedoraMinimal = "quay.io/libpod/fedora-minimal:latest" ) type EndpointTestIntegration struct { diff --git a/vendor/github.com/gorilla/mux/README.md b/vendor/github.com/gorilla/mux/README.md index 92e422eed..35eea9f10 100644 --- a/vendor/github.com/gorilla/mux/README.md +++ b/vendor/github.com/gorilla/mux/README.md @@ -1,11 +1,10 @@ # gorilla/mux [](https://godoc.org/github.com/gorilla/mux) -[](https://travis-ci.org/gorilla/mux) [](https://circleci.com/gh/gorilla/mux) [](https://sourcegraph.com/github.com/gorilla/mux?badge) - + https://www.gorillatoolkit.org/pkg/mux @@ -26,6 +25,7 @@ The name mux stands for "HTTP request multiplexer". Like the standard `http.Serv * [Examples](#examples) * [Matching Routes](#matching-routes) * [Static Files](#static-files) +* [Serving Single Page Applications](#serving-single-page-applications) (e.g. React, Vue, Ember.js, etc.) * [Registered URLs](#registered-urls) * [Walking Routes](#walking-routes) * [Graceful Shutdown](#graceful-shutdown) @@ -212,6 +212,93 @@ func main() { } ``` +### Serving Single Page Applications + +Most of the time it makes sense to serve your SPA on a separate web server from your API, +but sometimes it's desirable to serve them both from one place. It's possible to write a simple +handler for serving your SPA (for use with React Router's [BrowserRouter](https://reacttraining.com/react-router/web/api/BrowserRouter) for example), and leverage +mux's powerful routing for your API endpoints. + +```go +package main + +import ( + "encoding/json" + "log" + "net/http" + "os" + "path/filepath" + "time" + + "github.com/gorilla/mux" +) + +// spaHandler implements the http.Handler interface, so we can use it +// to respond to HTTP requests. The path to the static directory and +// path to the index file within that static directory are used to +// serve the SPA in the given static directory. +type spaHandler struct { + staticPath string + indexPath string +} + +// ServeHTTP inspects the URL path to locate a file within the static dir +// on the SPA handler. If a file is found, it will be served. If not, the +// file located at the index path on the SPA handler will be served. This +// is suitable behavior for serving an SPA (single page application). +func (h spaHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { + // get the absolute path to prevent directory traversal + path, err := filepath.Abs(r.URL.Path) + if err != nil { + // if we failed to get the absolute path respond with a 400 bad request + // and stop + http.Error(w, err.Error(), http.StatusBadRequest) + return + } + + // prepend the path with the path to the static directory + path = filepath.Join(h.staticPath, path) + + // check whether a file exists at the given path + _, err = os.Stat(path) + if os.IsNotExist(err) { + // file does not exist, serve index.html + http.ServeFile(w, r, filepath.Join(h.staticPath, h.indexPath)) + return + } else if err != nil { + // if we got an error (that wasn't that the file doesn't exist) stating the + // file, return a 500 internal server error and stop + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + + // otherwise, use http.FileServer to serve the static dir + http.FileServer(http.Dir(h.staticPath)).ServeHTTP(w, r) +} + +func main() { + router := mux.NewRouter() + + router.HandleFunc("/api/health", func(w http.ResponseWriter, r *http.Request) { + // an example API handler + json.NewEncoder(w).Encode(map[string]bool{"ok": true}) + }) + + spa := spaHandler{staticPath: "build", indexPath: "index.html"} + router.PathPrefix("/").Handler(spa) + + srv := &http.Server{ + Handler: router, + Addr: "127.0.0.1:8000", + // Good practice: enforce timeouts for servers you create! + WriteTimeout: 15 * time.Second, + ReadTimeout: 15 * time.Second, + } + + log.Fatal(srv.ListenAndServe()) +} +``` + ### Registered URLs Now let's see how to build registered URLs. diff --git a/vendor/github.com/gorilla/mux/context.go b/vendor/github.com/gorilla/mux/context.go deleted file mode 100644 index 665940a26..000000000 --- a/vendor/github.com/gorilla/mux/context.go +++ /dev/null @@ -1,18 +0,0 @@ -package mux - -import ( - "context" - "net/http" -) - -func contextGet(r *http.Request, key interface{}) interface{} { - return r.Context().Value(key) -} - -func contextSet(r *http.Request, key, val interface{}) *http.Request { - if val == nil { - return r - } - - return r.WithContext(context.WithValue(r.Context(), key, val)) -} diff --git a/vendor/github.com/gorilla/mux/go.mod b/vendor/github.com/gorilla/mux/go.mod index cfc8ede58..df170a399 100644 --- a/vendor/github.com/gorilla/mux/go.mod +++ b/vendor/github.com/gorilla/mux/go.mod @@ -1 +1,3 @@ module github.com/gorilla/mux + +go 1.12 diff --git a/vendor/github.com/gorilla/mux/middleware.go b/vendor/github.com/gorilla/mux/middleware.go index cf2b26dc0..cb51c565e 100644 --- a/vendor/github.com/gorilla/mux/middleware.go +++ b/vendor/github.com/gorilla/mux/middleware.go @@ -58,22 +58,17 @@ func CORSMethodMiddleware(r *Router) MiddlewareFunc { func getAllMethodsForRoute(r *Router, req *http.Request) ([]string, error) { var allMethods []string - err := r.Walk(func(route *Route, _ *Router, _ []*Route) error { - for _, m := range route.matchers { - if _, ok := m.(*routeRegexp); ok { - if m.Match(req, &RouteMatch{}) { - methods, err := route.GetMethods() - if err != nil { - return err - } - - allMethods = append(allMethods, methods...) - } - break + for _, route := range r.routes { + var match RouteMatch + if route.Match(req, &match) || match.MatchErr == ErrMethodMismatch { + methods, err := route.GetMethods() + if err != nil { + return nil, err } + + allMethods = append(allMethods, methods...) } - return nil - }) + } - return allMethods, err + return allMethods, nil } diff --git a/vendor/github.com/gorilla/mux/mux.go b/vendor/github.com/gorilla/mux/mux.go index a2cd193e4..c9ba64707 100644 --- a/vendor/github.com/gorilla/mux/mux.go +++ b/vendor/github.com/gorilla/mux/mux.go @@ -5,6 +5,7 @@ package mux import ( + "context" "errors" "fmt" "net/http" @@ -58,8 +59,7 @@ type Router struct { // If true, do not clear the request context after handling the request. // - // Deprecated: No effect when go1.7+ is used, since the context is stored - // on the request itself. + // Deprecated: No effect, since the context is stored on the request itself. KeepContext bool // Slice of middlewares to be called after a match is found @@ -111,10 +111,8 @@ func copyRouteConf(r routeConf) routeConf { c.regexp.queries = append(c.regexp.queries, copyRouteRegexp(q)) } - c.matchers = make([]matcher, 0, len(r.matchers)) - for _, m := range r.matchers { - c.matchers = append(c.matchers, m) - } + c.matchers = make([]matcher, len(r.matchers)) + copy(c.matchers, r.matchers) return c } @@ -197,8 +195,8 @@ func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) { var handler http.Handler if r.Match(req, &match) { handler = match.Handler - req = setVars(req, match.Vars) - req = setCurrentRoute(req, match.Route) + req = requestWithVars(req, match.Vars) + req = requestWithRoute(req, match.Route) } if handler == nil && match.MatchErr == ErrMethodMismatch { @@ -428,7 +426,7 @@ const ( // Vars returns the route variables for the current request, if any. func Vars(r *http.Request) map[string]string { - if rv := contextGet(r, varsKey); rv != nil { + if rv := r.Context().Value(varsKey); rv != nil { return rv.(map[string]string) } return nil @@ -440,18 +438,20 @@ func Vars(r *http.Request) map[string]string { // after the handler returns, unless the KeepContext option is set on the // Router. func CurrentRoute(r *http.Request) *Route { - if rv := contextGet(r, routeKey); rv != nil { + if rv := r.Context().Value(routeKey); rv != nil { return rv.(*Route) } return nil } -func setVars(r *http.Request, val interface{}) *http.Request { - return contextSet(r, varsKey, val) +func requestWithVars(r *http.Request, vars map[string]string) *http.Request { + ctx := context.WithValue(r.Context(), varsKey, vars) + return r.WithContext(ctx) } -func setCurrentRoute(r *http.Request, val interface{}) *http.Request { - return contextSet(r, routeKey, val) +func requestWithRoute(r *http.Request, route *Route) *http.Request { + ctx := context.WithValue(r.Context(), routeKey, route) + return r.WithContext(ctx) } // ---------------------------------------------------------------------------- diff --git a/vendor/github.com/gorilla/mux/regexp.go b/vendor/github.com/gorilla/mux/regexp.go index ac1abcd47..96dd94ad1 100644 --- a/vendor/github.com/gorilla/mux/regexp.go +++ b/vendor/github.com/gorilla/mux/regexp.go @@ -181,21 +181,21 @@ func (r *routeRegexp) Match(req *http.Request, match *RouteMatch) bool { } } return r.regexp.MatchString(host) - } else { - if r.regexpType == regexpTypeQuery { - return r.matchQueryString(req) - } - path := req.URL.Path - if r.options.useEncodedPath { - path = req.URL.EscapedPath() - } - return r.regexp.MatchString(path) } + + if r.regexpType == regexpTypeQuery { + return r.matchQueryString(req) + } + path := req.URL.Path + if r.options.useEncodedPath { + path = req.URL.EscapedPath() + } + return r.regexp.MatchString(path) } // url builds a URL part using the given values. func (r *routeRegexp) url(values map[string]string) (string, error) { - urlValues := make([]interface{}, len(r.varsN)) + urlValues := make([]interface{}, len(r.varsN), len(r.varsN)) for k, v := range r.varsN { value, ok := values[v] if !ok { @@ -230,14 +230,51 @@ func (r *routeRegexp) getURLQuery(req *http.Request) string { return "" } templateKey := strings.SplitN(r.template, "=", 2)[0] - for key, vals := range req.URL.Query() { - if key == templateKey && len(vals) > 0 { - return key + "=" + vals[0] - } + val, ok := findFirstQueryKey(req.URL.RawQuery, templateKey) + if ok { + return templateKey + "=" + val } return "" } +// findFirstQueryKey returns the same result as (*url.URL).Query()[key][0]. +// If key was not found, empty string and false is returned. +func findFirstQueryKey(rawQuery, key string) (value string, ok bool) { + query := []byte(rawQuery) + for len(query) > 0 { + foundKey := query + if i := bytes.IndexAny(foundKey, "&;"); i >= 0 { + foundKey, query = foundKey[:i], foundKey[i+1:] + } else { + query = query[:0] + } + if len(foundKey) == 0 { + continue + } + var value []byte + if i := bytes.IndexByte(foundKey, '='); i >= 0 { + foundKey, value = foundKey[:i], foundKey[i+1:] + } + if len(foundKey) < len(key) { + // Cannot possibly be key. + continue + } + keyString, err := url.QueryUnescape(string(foundKey)) + if err != nil { + continue + } + if keyString != key { + continue + } + valueString, err := url.QueryUnescape(string(value)) + if err != nil { + continue + } + return valueString, true + } + return "", false +} + func (r *routeRegexp) matchQueryString(req *http.Request) bool { return r.regexp.MatchString(r.getURLQuery(req)) } diff --git a/vendor/github.com/gorilla/mux/route.go b/vendor/github.com/gorilla/mux/route.go index 8479c68c1..750afe570 100644 --- a/vendor/github.com/gorilla/mux/route.go +++ b/vendor/github.com/gorilla/mux/route.go @@ -74,7 +74,7 @@ func (r *Route) Match(req *http.Request, match *RouteMatch) bool { return false } - if match.MatchErr == ErrMethodMismatch { + if match.MatchErr == ErrMethodMismatch && r.handler != nil { // We found a route which matches request method, clear MatchErr match.MatchErr = nil // Then override the mis-matched handler @@ -412,11 +412,30 @@ func (r *Route) Queries(pairs ...string) *Route { type schemeMatcher []string func (m schemeMatcher) Match(r *http.Request, match *RouteMatch) bool { - return matchInArray(m, r.URL.Scheme) + scheme := r.URL.Scheme + // https://golang.org/pkg/net/http/#Request + // "For [most] server requests, fields other than Path and RawQuery will be + // empty." + // Since we're an http muxer, the scheme is either going to be http or https + // though, so we can just set it based on the tls termination state. + if scheme == "" { + if r.TLS == nil { + scheme = "http" + } else { + scheme = "https" + } + } + return matchInArray(m, scheme) } // Schemes adds a matcher for URL schemes. // It accepts a sequence of schemes to be matched, e.g.: "http", "https". +// If the request's URL has a scheme set, it will be matched against. +// Generally, the URL scheme will only be set if a previous handler set it, +// such as the ProxyHeaders handler from gorilla/handlers. +// If unset, the scheme will be determined based on the request's TLS +// termination state. +// The first argument to Schemes will be used when constructing a route URL. func (r *Route) Schemes(schemes ...string) *Route { for k, v := range schemes { schemes[k] = strings.ToLower(v) @@ -493,8 +512,8 @@ func (r *Route) Subrouter() *Router { // This also works for host variables: // // r := mux.NewRouter() -// r.Host("{subdomain}.domain.com"). -// HandleFunc("/articles/{category}/{id:[0-9]+}", ArticleHandler). +// r.HandleFunc("/articles/{category}/{id:[0-9]+}", ArticleHandler). +// Host("{subdomain}.domain.com"). // Name("article") // // // url.String() will be "http://news.domain.com/articles/technology/42" @@ -502,6 +521,13 @@ func (r *Route) Subrouter() *Router { // "category", "technology", // "id", "42") // +// The scheme of the resulting url will be the first argument that was passed to Schemes: +// +// // url.String() will be "https://example.com" +// r := mux.NewRouter() +// url, err := r.Host("example.com") +// .Schemes("https", "http").URL() +// // All variables defined in the route are required, and their values must // conform to the corresponding patterns. func (r *Route) URL(pairs ...string) (*url.URL, error) { @@ -635,7 +661,7 @@ func (r *Route) GetQueriesRegexp() ([]string, error) { if r.regexp.queries == nil { return nil, errors.New("mux: route doesn't have queries") } - var queries []string + queries := make([]string, 0, len(r.regexp.queries)) for _, query := range r.regexp.queries { queries = append(queries, query.regexp.String()) } @@ -654,7 +680,7 @@ func (r *Route) GetQueriesTemplates() ([]string, error) { if r.regexp.queries == nil { return nil, errors.New("mux: route doesn't have queries") } - var queries []string + queries := make([]string, 0, len(r.regexp.queries)) for _, query := range r.regexp.queries { queries = append(queries, query.template) } diff --git a/vendor/github.com/gorilla/mux/test_helpers.go b/vendor/github.com/gorilla/mux/test_helpers.go index 32ecffde4..5f5c496de 100644 --- a/vendor/github.com/gorilla/mux/test_helpers.go +++ b/vendor/github.com/gorilla/mux/test_helpers.go @@ -15,5 +15,5 @@ import "net/http" // can be set by making a route that captures the required variables, // starting a server and sending the request to that server. func SetURLVars(r *http.Request, val map[string]string) *http.Request { - return setVars(r, val) + return requestWithVars(r, val) } diff --git a/vendor/modules.txt b/vendor/modules.txt index 5c2485f38..73bca1ef8 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -291,7 +291,7 @@ github.com/google/gofuzz github.com/google/shlex # github.com/google/uuid v1.1.1 github.com/google/uuid -# github.com/gorilla/mux v1.7.3 +# github.com/gorilla/mux v1.7.4 github.com/gorilla/mux # github.com/gorilla/schema v1.1.0 github.com/gorilla/schema @@ -630,9 +630,9 @@ gopkg.in/square/go-jose.v2/json gopkg.in/tomb.v1 # gopkg.in/yaml.v2 v2.2.8 gopkg.in/yaml.v2 -# k8s.io/api v0.17.2 +# k8s.io/api v0.17.3 k8s.io/api/core/v1 -# k8s.io/apimachinery v0.17.2 +# k8s.io/apimachinery v0.17.3 k8s.io/apimachinery/pkg/api/errors k8s.io/apimachinery/pkg/api/resource k8s.io/apimachinery/pkg/apis/meta/v1 |