diff options
68 files changed, 833 insertions, 200 deletions
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index 3cfd8ed86..5c9c06687 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md @@ -1,5 +1,57 @@ # Release Notes +## 1.6.0 +### Features +- The `podman network create`, `podman network rm`, `podman network inspect`, and `podman network ls` commands have been added to manage CNI networks used by Podman +- The `podman volume create` command can now create and mount volumes with options, allowing volumes backed by NFS, tmpfs, and many other filesystems +- Podman can now run containers without CGroups for better integration with systemd by using the `--cgroups=disabled` flag with `podman create` and `podman run`. This is presently only supported with the `crun` OCI runtime +- The `podman volume rm` and `podman volume inspect` commands can now refer to volumes by an unambiguous partial name, in addition to full name (e.g. `podman volume rm myvol` to remove a volume named `myvolume`) ([#3891](https://github.com/containers/libpod/issues/3891)) +- The `podman run` and `podman create` commands now support the `--pull` flag to allow forced re-pulling of images ([#3734](https://github.com/containers/libpod/issues/3734)) +- Mounting volumes into a container using `--volume`, `--mount`, and `--tmpfs` now allows the `suid`, `dev`, and `exec` mount options (the inverse of `nosuid`, `nodev`, `noexec`) ([#3819](https://github.com/containers/libpod/issues/3819)) +- The `podman push` command now supports the `--digestfile` option to save a file containing the pushed digest +- Pods can now have their hostname set via `podman pod create --hostname` or providing Pod YAML with a hostname set to `podman play kube` ([#3732](https://github.com/containers/libpod/issues/3732)) +- The `podman image sign` command now supports the `--cert-dir` flag +- The `podman run` and `podman create` commands now support the `--security-opt label=filetype:$LABEL` flag to set the SELinux label for container files +- The remote Podman client now supports healthchecks + +### Bugfixes +- Fixed a bug where remote `podman pull` would panic if a Varlink connection was not available ([#4013](https://github.com/containers/libpod/issues/4013)) +- Fixed a bug where `podman exec` would not properly set terminal size when creating a new exec session ([#3903](https://github.com/containers/libpod/issues/3903)) +- Fixed a bug where `podman exec` would not clean up socket symlinks on the host ([#3962](https://github.com/containers/libpod/issues/3962)) +- Fixed a bug where Podman could not run systemd in containers that created a CGroup namespace +- Fixed a bug where `podman prune -a` would attempt to prune images used by Buildah and CRI-O, causing errors ([#3983](https://github.com/containers/libpod/issues/3983)) +- Fixed a bug where improper permissions on the `~/.config` directory could cause rootless Podman to use an incorrect directory for storing some files +- Fixed a bug where the bash completions for `podman import` threw errors +- Fixed a bug where Podman volumes created with `podman volume create` would not copy the contents of their mountpoint the first time they were mounted into a container ([#3945](https://github.com/containers/libpod/issues/3945)) +- Fixed a bug where rootless Podman could not run `podman exec` when the container was not run inside a CGroup owned by the user ([#3937](https://github.com/containers/libpod/issues/3937)) +- Fixed a bug where `podman play kube` would panic when given Pod YAML without a `securityContext` ([#3956](https://github.com/containers/libpod/issues/3956)) +- Fixed a bug where Podman would place files incorrectly when `storage.conf` configuration items were set to the empty string ([#3952](https://github.com/containers/libpod/issues/3952)) +- Fixed a bug where `podman build` did not correctly inherit Podman's CGroup configuration, causing crashed on CGroups V2 systems ([#3938](https://github.com/containers/libpod/issues/3938)) +- Fixed a bug where `podman cp` would improperly copy files on the host when copying a symlink in the container that included a glob operator ([#3829](https://github.com/containers/libpod/issues/3829)) +- Fixed a bug where remote `podman run --rm` would exit before the container was completely removed, allowing race conditions when removing container resources ([#3870](https://github.com/containers/libpod/issues/3870)) +- Fixed a bug where rootless Podman would not properly handle changes to `/etc/subuid` and `/etc/subgid` after a container was launched +- Fixed a bug where rootless Podman could not include some devices in a container using the `--device` flag ([#3905](https://github.com/containers/libpod/issues/3905)) +- Fixed a bug where the `commit` Varlink API would segfault if provided incorrect arguments ([#3897](https://github.com/containers/libpod/issues/3897)) +- Fixed a bug where temporary files were not properly cleaned up after a build using remote Podman ([#3869](https://github.com/containers/libpod/issues/3869)) +- Fixed a bug where `podman remote cp` crashed instead of reporting it was not yet supported ([#3861](https://github.com/containers/libpod/issues/3861)) +- Fixed a bug where `podman exec` would run as the wrong user when execing into a container was started from an image with Dockerfile `USER` (or a user specified via `podman run --user`) ([#3838](https://github.com/containers/libpod/issues/3838)) +- Fixed a bug where images pulled using the `oci:` transport would be improperly named +- Fixed a bug where `podman varlink` would hang when managed by systemd due to SD_NOTIFY support conflicting with Varlink ([#3572](https://github.com/containers/libpod/issues/3572)) + +### Misc +- Significant changes were made to Podman volumes in this release. If you have pre-existing volumes, it is strongly recommended to run `podman system renumber` after upgrading. +- Version 0.8.1 or greater of the CNI Plugins is now required for Podman +- Version 2.0.1 or greater of Conmon is strongly recommended +- Updated vendored Buildah to v1.11.2 +- Improved error messages when trying to run `podman pause` or `podman stats` on a rootless container on a system without CGroups V2 enabled +- `TMPDIR` has been set to `/var/tmp` by default to better handle large temporary files +- `podman wait` has been optimized to detect stopped containers more rapidly +- Podman containers now include a `ContainerManager` annotation indicating they were created by `libpod` +- The `podman info` command now includes information about `slirp4netns` and `fuse-overlayfs` if they are available +- Podman no longer sets a default size of 65kb for tmpfs filesystems +- The default Podman CNI network has been renamed in an attempt to prevent conflicts with CRI-O when both are run on the same system. This should only take effect on system restart +- The output of `podman volume inspect` has been more closely matched to `docker volume inspect` + ## 1.5.1 ### Features - The hostname of pods is now set to the pod's name diff --git a/cmd/podman/cliconfig/config.go b/cmd/podman/cliconfig/config.go index bf88e853b..e0ce202cc 100644 --- a/cmd/podman/cliconfig/config.go +++ b/cmd/podman/cliconfig/config.go @@ -280,6 +280,7 @@ type NetworkListValues struct { type NetworkRmValues struct { PodmanCommand + Force bool } type NetworkInspectValues struct { diff --git a/cmd/podman/containers_prune.go b/cmd/podman/containers_prune.go index b8a84a0e3..3d0fef37d 100644 --- a/cmd/podman/containers_prune.go +++ b/cmd/podman/containers_prune.go @@ -53,7 +53,7 @@ func pruneContainersCmd(c *cliconfig.PruneContainersValues) error { if err != nil { if errors.Cause(err) == define.ErrNoSuchCtr { if len(c.InputArgs) > 1 { - exitCode = 125 + exitCode = define.ExecErrorCodeGeneric } else { exitCode = 1 } @@ -61,7 +61,7 @@ func pruneContainersCmd(c *cliconfig.PruneContainersValues) error { return err } if len(failures) > 0 { - exitCode = 125 + exitCode = define.ExecErrorCodeGeneric } return printCmdResults(ok, failures) } diff --git a/cmd/podman/cp.go b/cmd/podman/cp.go index 5e1ca8312..7205f9357 100644 --- a/cmd/podman/cp.go +++ b/cmd/podman/cp.go @@ -14,6 +14,7 @@ import ( "github.com/containers/libpod/cmd/podman/libpodruntime" "github.com/containers/libpod/libpod" "github.com/containers/libpod/libpod/define" + "github.com/containers/libpod/pkg/cgroups" "github.com/containers/libpod/pkg/rootless" "github.com/containers/storage" "github.com/containers/storage/pkg/archive" @@ -52,7 +53,7 @@ func init() { cpCommand.Command = _cpCommand flags := cpCommand.Flags() flags.BoolVar(&cpCommand.Extract, "extract", false, "Extract the tar file into the destination directory.") - flags.BoolVar(&cpCommand.Pause, "pause", false, "Pause the container while copying") + flags.BoolVar(&cpCommand.Pause, "pause", copyPause(), "Pause the container while copying") cpCommand.SetHelpTemplate(HelpTemplate()) cpCommand.SetUsageTemplate(UsageTemplate()) } @@ -147,7 +148,6 @@ func copyBetweenHostAndContainer(runtime *libpod.Runtime, src string, dest strin hostOwner := idtools.IDPair{UID: int(hostUID), GID: int(hostGID)} - var glob []string if isFromHostToCtr { if isVol, volDestName, volName := isVolumeDestName(destPath, ctr); isVol { path, err := pathWithVolumeMount(ctr, runtime, volDestName, volName, destPath) @@ -209,13 +209,7 @@ func copyBetweenHostAndContainer(runtime *libpod.Runtime, src string, dest strin srcPath = cleanedPath } } - glob, err = filepath.Glob(srcPath) - if err != nil { - return errors.Wrapf(err, "invalid glob %q", srcPath) - } - if len(glob) == 0 { - glob = append(glob, srcPath) - } + if !filepath.IsAbs(destPath) { dir, err := os.Getwd() if err != nil { @@ -224,19 +218,11 @@ func copyBetweenHostAndContainer(runtime *libpod.Runtime, src string, dest strin destPath = filepath.Join(dir, destPath) } - var lastError error - for _, src := range glob { - if src == "-" { - src = os.Stdin.Name() - extract = true - } - err := copy(src, destPath, dest, idMappingOpts, &destOwner, extract, isFromHostToCtr) - if lastError != nil { - logrus.Error(lastError) - } - lastError = err + if src == "-" { + srcPath = os.Stdin.Name() + extract = true } - return lastError + return copy(srcPath, destPath, dest, idMappingOpts, &destOwner, extract, isFromHostToCtr) } func getUser(mountPoint string, userspec string) (specs.User, error) { @@ -495,3 +481,14 @@ func pathWithBindMountSource(m specs.Mount, path string) (string, error) { } return securejoin.SecureJoin(m.Source, strings.TrimPrefix(path, m.Destination)) } + +func copyPause() bool { + if !remoteclient && rootless.IsRootless() { + cgroupv2, _ := cgroups.IsCgroup2UnifiedMode() + if !cgroupv2 { + logrus.Debugf("defaulting to pause==false on rootless cp in cgroupv1 systems") + return false + } + } + return true +} diff --git a/cmd/podman/main.go b/cmd/podman/main.go index 2b808b2bc..b83ccd9a5 100644 --- a/cmd/podman/main.go +++ b/cmd/podman/main.go @@ -8,6 +8,7 @@ import ( "github.com/containers/libpod/cmd/podman/cliconfig" "github.com/containers/libpod/libpod" + "github.com/containers/libpod/libpod/define" _ "github.com/containers/libpod/pkg/hooks/0.1.0" "github.com/containers/libpod/pkg/rootless" "github.com/containers/libpod/version" @@ -20,7 +21,7 @@ import ( // This is populated by the Makefile from the VERSION file // in the repository var ( - exitCode = 125 + exitCode = define.ExecErrorCodeGeneric Ctx context.Context span opentracing.Span closer io.Closer @@ -152,11 +153,12 @@ func main() { if err := rootCmd.Execute(); err != nil { outputError(err) } else { - // The exitCode modified from 125, indicates an application + // The exitCode modified from define.ExecErrorCodeGeneric, + // indicates an application // running inside of a container failed, as opposed to the // podman command failed. Must exit with that exit code // otherwise command exited correctly. - if exitCode == 125 { + if exitCode == define.ExecErrorCodeGeneric { exitCode = 0 } diff --git a/cmd/podman/main_local.go b/cmd/podman/main_local.go index cad256615..08d7ccaf4 100644 --- a/cmd/podman/main_local.go +++ b/cmd/podman/main_local.go @@ -178,9 +178,9 @@ func setupRootless(cmd *cobra.Command, args []string) error { if !ownsCgroup { unitName := fmt.Sprintf("podman-%d.scope", os.Getpid()) if err := utils.RunUnderSystemdScope(os.Getpid(), "user.slice", unitName); err != nil { - conf, err := runtime.GetConfig() - if err != nil { - return err + conf, err2 := runtime.GetConfig() + if err2 != nil { + return err2 } if conf.CgroupManager == libpod.SystemdCgroupsManager { logrus.Warnf("Failed to add podman to systemd sandbox cgroup: %v", err) diff --git a/cmd/podman/network_rm.go b/cmd/podman/network_rm.go index 50bd48cea..41e5dbdab 100644 --- a/cmd/podman/network_rm.go +++ b/cmd/podman/network_rm.go @@ -3,10 +3,13 @@ package main import ( + "fmt" + "github.com/containers/libpod/cmd/podman/cliconfig" "github.com/containers/libpod/pkg/adapter" "github.com/containers/libpod/pkg/rootless" "github.com/pkg/errors" + "github.com/sirupsen/logrus" "github.com/spf13/cobra" ) @@ -31,6 +34,8 @@ func init() { networkrmCommand.Command = _networkrmCommand networkrmCommand.SetHelpTemplate(HelpTemplate()) networkrmCommand.SetUsageTemplate(UsageTemplate()) + flags := networkrmCommand.Flags() + flags.BoolVarP(&networkrmCommand.Force, "force", "f", false, "remove any containers using network") } func networkrmCmd(c *cliconfig.NetworkRmValues) error { @@ -40,9 +45,18 @@ func networkrmCmd(c *cliconfig.NetworkRmValues) error { if len(c.InputArgs) < 1 { return errors.Errorf("at least one network name is required") } - runtime, err := adapter.GetRuntimeNoStore(getContext(), &c.PodmanCommand) + runtime, err := adapter.GetRuntime(getContext(), &c.PodmanCommand) if err != nil { return err } - return runtime.NetworkRemove(c) + deletes, rmErrors, lastErr := runtime.NetworkRemove(getContext(), c) + for _, d := range deletes { + fmt.Println(d) + } + // we only want to print errors if there is more + // than one + for network, removalErr := range rmErrors { + logrus.Errorf("unable to remove %q: %q", network, removalErr) + } + return lastErr } diff --git a/cmd/podman/pause.go b/cmd/podman/pause.go index 3a8f4edb5..247a480e3 100644 --- a/cmd/podman/pause.go +++ b/cmd/podman/pause.go @@ -56,7 +56,7 @@ func pauseCmd(c *cliconfig.PauseValues) error { if err != nil { if errors.Cause(err) == define.ErrNoSuchCtr { if len(c.InputArgs) > 1 { - exitCode = 125 + exitCode = define.ExecErrorCodeGeneric } else { exitCode = 1 } @@ -64,7 +64,7 @@ func pauseCmd(c *cliconfig.PauseValues) error { return err } if len(failures) > 0 { - exitCode = 125 + exitCode = define.ExecErrorCodeGeneric } return printCmdResults(ok, failures) } diff --git a/cmd/podman/push.go b/cmd/podman/push.go index 13ebe8a1f..52fbc652e 100644 --- a/cmd/podman/push.go +++ b/cmd/podman/push.go @@ -86,6 +86,12 @@ func pushCmd(c *cliconfig.PushValues) error { destName = args[1] } + runtime, err := adapter.GetRuntime(getContext(), &c.PodmanCommand) + if err != nil { + return errors.Wrapf(err, "could not create runtime") + } + defer runtime.DeferredShutdown(false) + // --compress and --format can only be used for the "dir" transport splitArg := strings.SplitN(destName, ":", 2) if c.Flag("compress").Changed || c.Flag("format").Changed { @@ -106,12 +112,6 @@ func pushCmd(c *cliconfig.PushValues) error { registryCreds = creds } - runtime, err := adapter.GetRuntime(getContext(), &c.PodmanCommand) - if err != nil { - return errors.Wrapf(err, "could not create runtime") - } - defer runtime.DeferredShutdown(false) - var writer io.Writer if !c.Quiet { writer = os.Stderr diff --git a/cmd/podman/restart.go b/cmd/podman/restart.go index 494a9ec06..c97fb0dc1 100644 --- a/cmd/podman/restart.go +++ b/cmd/podman/restart.go @@ -61,7 +61,7 @@ func restartCmd(c *cliconfig.RestartValues) error { if err != nil { if errors.Cause(err) == define.ErrNoSuchCtr { if len(c.InputArgs) > 1 { - exitCode = 125 + exitCode = define.ExecErrorCodeGeneric } else { exitCode = 1 } @@ -69,7 +69,7 @@ func restartCmd(c *cliconfig.RestartValues) error { return err } if len(failures) > 0 { - exitCode = 125 + exitCode = define.ExecErrorCodeGeneric } return printCmdResults(ok, failures) } diff --git a/cmd/podman/unpause.go b/cmd/podman/unpause.go index 382b64e97..ae24b0e66 100644 --- a/cmd/podman/unpause.go +++ b/cmd/podman/unpause.go @@ -55,7 +55,7 @@ func unpauseCmd(c *cliconfig.UnpauseValues) error { if err != nil { if errors.Cause(err) == define.ErrNoSuchCtr { if len(c.InputArgs) > 1 { - exitCode = 125 + exitCode = define.ExecErrorCodeGeneric } else { exitCode = 1 } @@ -63,7 +63,7 @@ func unpauseCmd(c *cliconfig.UnpauseValues) error { return err } if len(failures) > 0 { - exitCode = 125 + exitCode = define.ExecErrorCodeGeneric } return printCmdResults(ok, failures) } diff --git a/completions/bash/podman b/completions/bash/podman index 041703810..4bc387871 100644 --- a/completions/bash/podman +++ b/completions/bash/podman @@ -1032,6 +1032,8 @@ _podman_network_rm() { local options_with_args=" " local boolean_options=" + --force + -f --help -h " diff --git a/docs/podman-cp.1.md b/docs/podman-cp.1.md index e3d992b55..736bdb12a 100644 --- a/docs/podman-cp.1.md +++ b/docs/podman-cp.1.md @@ -65,7 +65,7 @@ Extract the tar file into the destination directory. If the destination director **--pause** -Pause the container while copying into it to avoid potential security issues around symlinks. Defaults to *false*. +Pause the container while copying into it to avoid potential security issues around symlinks. Defaults to *true*. On rootless containers with cgroups V1, defaults to false. ## ALTERNATIVES diff --git a/docs/podman-network-rm.1.md b/docs/podman-network-rm.1.md index c95c93cd8..c71f0d8fd 100644 --- a/docs/podman-network-rm.1.md +++ b/docs/podman-network-rm.1.md @@ -9,13 +9,26 @@ podman\-network\-rm - Remove one or more CNI networks ## DESCRIPTION Delete one or more Podman networks. +## OPTIONS +**--force**, **-f** + +The `force` option will remove all containers that use the named network. If the container is +running, the container will be stopped and removed. + ## EXAMPLE -Delete the `podman9` network +Delete the `cni-podman9` network + +``` +# podman network rm cni-podman9 +Deleted: cni-podman9 +``` + +Delete the `fred` network and all containers associated with the network. ``` -# podman network rm podman -Deleted: podman9 +# podman network rm -f fred +Deleted: fred ``` ## SEE ALSO @@ -13,7 +13,7 @@ require ( github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc // indirect github.com/containernetworking/cni v0.7.1 github.com/containernetworking/plugins v0.8.1 - github.com/containers/buildah v1.11.0 + github.com/containers/buildah v1.11.2 github.com/containers/conmon v0.3.0 // indirect github.com/containers/image v3.0.2+incompatible github.com/containers/psgo v1.3.1 @@ -22,7 +22,7 @@ require ( github.com/coreos/etcd v3.3.13+incompatible // indirect github.com/coreos/go-iptables v0.4.2 // indirect github.com/coreos/go-semver v0.3.0 // indirect - github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a + github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f github.com/cri-o/ocicni v0.1.1-0.20190702175919-7762645d18ca github.com/cyphar/filepath-securejoin v0.2.2 github.com/davecgh/go-spew v1.1.1 @@ -65,7 +65,7 @@ require ( github.com/onsi/gomega v1.5.0 github.com/opencontainers/go-digest v1.0.0-rc1 github.com/opencontainers/image-spec v1.0.1 - github.com/opencontainers/runc v1.0.0-rc8 + github.com/opencontainers/runc v1.0.0-rc8.0.20190827142921-dd075602f158 github.com/opencontainers/runtime-spec v0.1.2-0.20190618234442-a950415649c7 github.com/opencontainers/runtime-tools v0.9.0 github.com/opencontainers/selinux v1.3.0 @@ -54,6 +54,7 @@ github.com/containerd/cgroups v0.0.0-20190328223300-4994991857f9 h1:LmZz7ns2YaWW github.com/containerd/cgroups v0.0.0-20190328223300-4994991857f9/go.mod h1:X9rLEHIqSf/wfK8NsPqxJmeZgW4pcfzdXITDrUSJ6uI= github.com/containerd/cgroups v0.0.0-20190620142518-db272301ab84 h1:6ABxcB2knKIZIlkivRzz4BadxXGCGV/fxjG1y+S5lRc= github.com/containerd/cgroups v0.0.0-20190620142518-db272301ab84/go.mod h1:X9rLEHIqSf/wfK8NsPqxJmeZgW4pcfzdXITDrUSJ6uI= +github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= github.com/containerd/continuity v0.0.0-20180814194400-c7c5070e6f6e/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20181203112020-004b46473808 h1:4BX8f882bXEDKfWIf0wa8HRvpnBoPszJJXL+TVbBw4M= github.com/containerd/continuity v0.0.0-20181203112020-004b46473808/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= @@ -77,6 +78,8 @@ github.com/containers/buildah v1.10.1 h1:YBFHZkpbWCxUR/gjRAZrRzs2E0DfdUe3+/8OA9f github.com/containers/buildah v1.10.1/go.mod h1:ZTyMFo3IQlu9tYndtnAf0Tjf2NdeUL6bY2/TpP9uIuU= github.com/containers/buildah v1.11.0 h1:w0jZybDBTb5lvBKmFuuncxbb3D+D68EHnngIcAXFKjg= github.com/containers/buildah v1.11.0/go.mod h1:vIO922hCyTe9LEUlcH/oyaMdXy6xX/YdxR6huEOAM0o= +github.com/containers/buildah v1.11.2 h1:U6Abrp1J7H19vHvhqIran4Xvw+Z3WIqMM86fIt9L7Qk= +github.com/containers/buildah v1.11.2/go.mod h1:CtnP3vsLiU3xgKvkhdb4b0IzYwXNzHRv3ezl4z+RPC0= github.com/containers/conmon v0.3.0 h1:NDkYcQAu1BDZSVLh6xrY9jh/WmiDaUloKzRM16237XM= github.com/containers/conmon v0.3.0/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/image v2.0.0+incompatible h1:FTr6Br7jlIKNCKMjSOMbAxKp2keQ0//jzJaYNTVhauk= @@ -123,6 +126,8 @@ github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a h1:W8b4lQ4tFF21aspRGoBuCNV6V2fFJBF+pm1J6OY8Lys= github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f h1:JOrtw2xFKzlg+cbHpyrpLDmnN1HqhBfnX7WDiW7eG2c= +github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea h1:n2Ltr3SrfQlf/9nOna1DoGKxLx3qTSI8Ttl6Xrqp6mw= github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f h1:lBNOc5arjvs8E5mO2tbpBpLoyyu8B6e44T7hJy6potg= @@ -394,6 +399,8 @@ github.com/opencontainers/runc v1.0.0-rc6 h1:7AoN22rYxxkmsJS48wFaziH/n0OvrZVqL/T github.com/opencontainers/runc v1.0.0-rc6/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v1.0.0-rc8 h1:dDCFes8Hj1r/i5qnypONo5jdOme/8HWZC/aNDyhECt0= github.com/opencontainers/runc v1.0.0-rc8/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= +github.com/opencontainers/runc v1.0.0-rc8.0.20190827142921-dd075602f158 h1:/A6bAdnSZoTQmKml3MdHAnSEPnBAQeigNBl4sxnfaaQ= +github.com/opencontainers/runc v1.0.0-rc8.0.20190827142921-dd075602f158/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runtime-spec v0.0.0-20181111125026-1722abf79c2f h1:yBRNGmKl04BYFrAx8cUYDknbFNVk9yIF/3gH1/4lu0I= github.com/opencontainers/runtime-spec v0.0.0-20181111125026-1722abf79c2f/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v0.1.2-0.20190618234442-a950415649c7 h1:Dliu5QO+4JYWu/yMshaMU7G3JN2POGpwjJN7gjy10Go= @@ -527,6 +534,7 @@ github.com/ulikunitz/xz v0.5.5 h1:pFrO0lVpTBXLpYw+pnLj6TbvHuyjXMfjGeCwSqCVwok= github.com/ulikunitz/xz v0.5.5/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8= github.com/ulikunitz/xz v0.5.6 h1:jGHAfXawEGZQ3blwU5wnWKQJvAraT7Ftq9EXjnXYgt8= github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8= +github.com/urfave/cli v1.21.0/go.mod h1:lxDj6qX9Q6lWQxIrbrT0nwecwUtRnhVZAJjJZrVUZZQ= github.com/varlink/go v0.0.0-20190502142041-0f1d566d194b h1:hdDRrn9OP/roL8a/e/5Zu85ldrcdndu9IeBj2OEvQm0= github.com/varlink/go v0.0.0-20190502142041-0f1d566d194b/go.mod h1:YHaw8N660ESgMgLOZfLQqT1htFItynAUxMesFBho52s= github.com/vbatts/tar-split v0.10.2/go.mod h1:LEuURwDEiWjRjwu46yU3KVGuUdVv/dcnpcEPSzR8z6g= diff --git a/libpod/container_api.go b/libpod/container_api.go index 9bf97c5d4..4f0d5301c 100644 --- a/libpod/container_api.go +++ b/libpod/container_api.go @@ -216,8 +216,8 @@ func (c *Container) Kill(signal uint) error { } // Exec starts a new process inside the container -// Returns an exit code and an error. If Exec was not able to exec in the container before a failure, an exit code of 126 is returned. -// If another generic error happens, an exit code of 125 is returned. +// Returns an exit code and an error. If Exec was not able to exec in the container before a failure, an exit code of define.ExecErrorCodeCannotInvoke is returned. +// If another generic error happens, an exit code of define.ExecErrorCodeGeneric is returned. // Sometimes, the $RUNTIME exec call errors, and if that is the case, the exit code is the exit code of the call. // Otherwise, the exit code will be the exit code of the executed call inside of the container. // TODO investigate allowing exec without attaching @@ -821,3 +821,12 @@ func (c *Container) Restore(ctx context.Context, options ContainerCheckpointOpti defer c.newContainerEvent(events.Restore) return c.restore(ctx, options) } + +// AutoRemove indicates whether the container will be removed after it is executed +func (c *Container) AutoRemove() bool { + spec := c.config.Spec + if spec.Annotations == nil { + return false + } + return c.Spec().Annotations[InspectAnnotationAutoremove] == InspectResponseTrue +} diff --git a/libpod/container_internal.go b/libpod/container_internal.go index ac565fdad..6bf8439da 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -14,6 +14,7 @@ import ( "github.com/containers/libpod/libpod/define" "github.com/containers/libpod/libpod/events" + "github.com/containers/libpod/pkg/cgroups" "github.com/containers/libpod/pkg/ctime" "github.com/containers/libpod/pkg/hooks" "github.com/containers/libpod/pkg/hooks/exec" @@ -163,7 +164,15 @@ func (c *Container) createExecBundle(sessionID string) (err error) { // cleanup an exec session after its done func (c *Container) cleanupExecBundle(sessionID string) error { - return os.RemoveAll(c.execBundlePath(sessionID)) + if err := os.RemoveAll(c.execBundlePath(sessionID)); err != nil && !os.IsNotExist(err) { + return err + } + // Clean up the sockets dir. Issue #3962 + // Also ignore if it doesn't exist for some reason; hence the conditional return below + if err := os.RemoveAll(filepath.Join(c.ociRuntime.socketsDir, sessionID)); err != nil && !os.IsNotExist(err) { + return err + } + return nil } // the path to a containers exec session bundle @@ -1124,6 +1133,16 @@ func (c *Container) pause() error { return errors.Wrapf(define.ErrNoCgroups, "cannot pause without using CGroups") } + if rootless.IsRootless() { + cgroupv2, err := cgroups.IsCgroup2UnifiedMode() + if err != nil { + return errors.Wrap(err, "failed to determine cgroupversion") + } + if !cgroupv2 { + return errors.Wrap(define.ErrNoCgroups, "can not pause containers on rootless containers with cgroup V1") + } + } + if err := c.ociRuntime.pauseContainer(c); err != nil { return err } diff --git a/libpod/define/exec_codes.go b/libpod/define/exec_codes.go index 7184f1e59..33d631326 100644 --- a/libpod/define/exec_codes.go +++ b/libpod/define/exec_codes.go @@ -1,6 +1,8 @@ package define import ( + "strings" + "github.com/pkg/errors" ) @@ -28,3 +30,19 @@ func TranslateExecErrorToExitCode(originalEC int, err error) int { } return originalEC } + +// ExitCode reads the error message when failing to executing container process +// and then returns 0 if no error, ExecErrorCodeNotFound if command does not exist, or ExecErrorCodeCannotInvoke for +// all other errors +func ExitCode(err error) int { + if err == nil { + return 0 + } + e := strings.ToLower(err.Error()) + if strings.Contains(e, "file not found") || + strings.Contains(e, "no such file or directory") { + return ExecErrorCodeNotFound + } + + return ExecErrorCodeCannotInvoke +} diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go index fd14b2f73..67dd0150b 100644 --- a/libpod/networking_linux.go +++ b/libpod/networking_linux.go @@ -127,13 +127,13 @@ type slirp4netnsCmd struct { Args slirp4netnsCmdArg `json:"arguments"` } -func checkSlirpFlags(path string) (bool, bool, error) { +func checkSlirpFlags(path string) (bool, bool, bool, error) { cmd := exec.Command(path, "--help") out, err := cmd.CombinedOutput() if err != nil { - return false, false, err + return false, false, false, err } - return strings.Contains(string(out), "--disable-host-loopback"), strings.Contains(string(out), "--mtu"), nil + return strings.Contains(string(out), "--disable-host-loopback"), strings.Contains(string(out), "--mtu"), strings.Contains(string(out), "--enable-sandbox"), nil } // Configure the network namespace for a rootless container @@ -166,7 +166,7 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) { if havePortMapping { cmdArgs = append(cmdArgs, "--api-socket", apiSocket, fmt.Sprintf("%d", ctr.state.PID)) } - dhp, mtu, err := checkSlirpFlags(path) + dhp, mtu, sandbox, err := checkSlirpFlags(path) if err != nil { return errors.Wrapf(err, "error checking slirp4netns binary %s", path) } @@ -176,6 +176,9 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) { if mtu { cmdArgs = append(cmdArgs, "--mtu", "65520") } + if sandbox { + cmdArgs = append(cmdArgs, "--enable-sandbox") + } cmdArgs = append(cmdArgs, "-c", "-e", "3", "-r", "4", fmt.Sprintf("%d", ctr.state.PID), "tap0") cmd := exec.Command(path, cmdArgs...) diff --git a/libpod/oci_attach_linux.go b/libpod/oci_attach_linux.go index 22afa7416..6cada0801 100644 --- a/libpod/oci_attach_linux.go +++ b/libpod/oci_attach_linux.go @@ -107,8 +107,6 @@ func (c *Container) attachToExec(streams *AttachStreams, keys string, resize <-c logrus.Debugf("Attaching to container %s exec session %s", c.ID(), sessionID) - registerResizeFunc(resize, c.execBundlePath(sessionID)) - // set up the socket path, such that it is the correct length and location for exec socketPath := buildSocketPath(c.execAttachSocketPath(sessionID)) @@ -116,6 +114,7 @@ func (c *Container) attachToExec(streams *AttachStreams, keys string, resize <-c if _, err := readConmonPipeData(attachFd, ""); err != nil { return err } + // 2: then attach conn, err := net.DialUnix("unixpacket", nil, &net.UnixAddr{Name: socketPath, Net: "unixpacket"}) if err != nil { @@ -127,6 +126,10 @@ func (c *Container) attachToExec(streams *AttachStreams, keys string, resize <-c } }() + // Register the resize func after we've read the attach socket, as we know at this point the + // 'ctl' file has been created in conmon + registerResizeFunc(resize, c.execBundlePath(sessionID)) + // start listening on stdio of the process receiveStdoutError, stdinDone := setupStdioChannels(streams, conn, detachKeys) diff --git a/libpod/pod_api.go b/libpod/pod_api.go index e2448e92a..7c786b835 100644 --- a/libpod/pod_api.go +++ b/libpod/pod_api.go @@ -5,6 +5,8 @@ import ( "github.com/containers/libpod/libpod/define" "github.com/containers/libpod/libpod/events" + "github.com/containers/libpod/pkg/cgroups" + "github.com/containers/libpod/pkg/rootless" "github.com/pkg/errors" "github.com/sirupsen/logrus" ) @@ -163,6 +165,16 @@ func (p *Pod) Pause() (map[string]error, error) { return nil, define.ErrPodRemoved } + if rootless.IsRootless() { + cgroupv2, err := cgroups.IsCgroup2UnifiedMode() + if err != nil { + return nil, errors.Wrap(err, "failed to determine cgroupversion") + } + if !cgroupv2 { + return nil, errors.Wrap(define.ErrNoCgroups, "can not pause pods containing rootless containers with cgroup V1") + } + } + allCtrs, err := p.runtime.state.PodContainers(p) if err != nil { return nil, err diff --git a/pkg/adapter/containers.go b/pkg/adapter/containers.go index 41607145d..47db5c0dc 100644 --- a/pkg/adapter/containers.go +++ b/pkg/adapter/containers.go @@ -341,12 +341,7 @@ func (r *LocalRuntime) Run(ctx context.Context, c *cliconfig.RunValues, exitCode // if the container was created as part of a pod, also start its dependencies, if any. if err := ctr.Start(ctx, c.IsSet("pod")); err != nil { // This means the command did not exist - exitCode = 127 - e := strings.ToLower(err.Error()) - if strings.Contains(e, "permission denied") || strings.Contains(e, "operation not permitted") || strings.Contains(e, "file not found") || strings.Contains(e, "no such file or directory") { - exitCode = 126 - } - return exitCode, err + return define.ExitCode(err), err } fmt.Printf("%s\n", ctr.ID()) @@ -401,21 +396,14 @@ func (r *LocalRuntime) Run(ctx context.Context, c *cliconfig.RunValues, exitCode // Do not perform cleanup, or wait for container exit code // Just exit immediately if errors.Cause(err) == define.ErrDetach { - exitCode = 0 - return exitCode, nil - } - // This means the command did not exist - exitCode = 127 - e := strings.ToLower(err.Error()) - if strings.Contains(e, "permission denied") || strings.Contains(e, "operation not permitted") { - exitCode = 126 + return 0, nil } if c.IsSet("rm") { if deleteError := r.Runtime.RemoveContainer(ctx, ctr, true, false); deleteError != nil { logrus.Debugf("unable to remove container %s after failing to start and attach to it", ctr.ID()) } } - return exitCode, err + return define.ExitCode(err), err } if ecode, err := ctr.Wait(); err != nil { @@ -424,7 +412,7 @@ func (r *LocalRuntime) Run(ctx context.Context, c *cliconfig.RunValues, exitCode event, err := r.Runtime.GetLastContainerEvent(ctr.ID(), events.Exited) if err != nil { logrus.Errorf("Cannot get exit code: %v", err) - exitCode = 127 + exitCode = define.ExecErrorCodeNotFound } else { exitCode = event.ContainerExitCode } @@ -576,7 +564,7 @@ func (r *LocalRuntime) Restore(ctx context.Context, c *cliconfig.RestoreValues) // Start will start a container func (r *LocalRuntime) Start(ctx context.Context, c *cliconfig.StartValues, sigProxy bool) (int, error) { var ( - exitCode = 125 + exitCode = define.ExecErrorCodeGeneric lastError error ) @@ -636,7 +624,7 @@ func (r *LocalRuntime) Start(ctx context.Context, c *cliconfig.StartValues, sigP event, err := r.Runtime.GetLastContainerEvent(ctr.ID(), events.Exited) if err != nil { logrus.Errorf("Cannot get exit code: %v", err) - exitCode = 127 + exitCode = define.ExecErrorCodeNotFound } else { exitCode = event.ContainerExitCode } @@ -914,7 +902,7 @@ func (r *LocalRuntime) ExecContainer(ctx context.Context, cli *cliconfig.ExecVal cmd []string ) // default invalid command exit code - ec := 125 + ec := define.ExecErrorCodeGeneric if cli.Latest { if ctr, err = r.GetLatestContainer(); err != nil { diff --git a/pkg/adapter/containers_remote.go b/pkg/adapter/containers_remote.go index 590fef43f..01e008e87 100644 --- a/pkg/adapter/containers_remote.go +++ b/pkg/adapter/containers_remote.go @@ -464,19 +464,22 @@ func (r *LocalRuntime) Run(ctx context.Context, c *cliconfig.RunValues, exitCode results := shared.NewIntermediateLayer(&c.PodmanCommand, true) cid, err := iopodman.CreateContainer().Call(r.Conn, results.MakeVarlink()) if err != nil { - return 0, err + return exitCode, err } if c.Bool("detach") { - _, err := iopodman.StartContainer().Call(r.Conn, cid) + if _, err := iopodman.StartContainer().Call(r.Conn, cid); err != nil { + return exitCode, err + } fmt.Println(cid) - return 0, err + return 0, nil } - errChan, err := r.attach(ctx, os.Stdin, os.Stdout, cid, true, c.String("detach-keys")) + exitChan, errChan, err := r.attach(ctx, os.Stdin, os.Stdout, cid, true, c.String("detach-keys")) if err != nil { - return 0, err + return exitCode, err } + exitCode = <-exitChan finalError := <-errChan - return 0, finalError + return exitCode, finalError } func ReadExitFile(runtimeTmp, ctrID string) (int, error) { @@ -572,7 +575,7 @@ func (r *LocalRuntime) Attach(ctx context.Context, c *cliconfig.AttachValues) er return err } } - errChan, err := r.attach(ctx, inputStream, os.Stdout, c.InputArgs[0], false, c.DetachKeys) + _, errChan, err := r.attach(ctx, inputStream, os.Stdout, c.InputArgs[0], false, c.DetachKeys) if err != nil { return err } @@ -669,7 +672,7 @@ func (r *LocalRuntime) Restore(ctx context.Context, c *cliconfig.RestoreValues) func (r *LocalRuntime) Start(ctx context.Context, c *cliconfig.StartValues, sigProxy bool) (int, error) { var ( finalErr error - exitCode = 125 + exitCode = define.ExecErrorCodeGeneric ) // TODO Figure out how to deal with exit codes inputStream := os.Stdin @@ -686,12 +689,13 @@ func (r *LocalRuntime) Start(ctx context.Context, c *cliconfig.StartValues, sigP } // start.go makes sure that if attach, there can be only one ctr if c.Attach { - errChan, err := r.attach(ctx, inputStream, os.Stdout, containerIDs[0], true, c.DetachKeys) + exitChan, errChan, err := r.attach(ctx, inputStream, os.Stdout, containerIDs[0], true, c.DetachKeys) if err != nil { return exitCode, nil } + exitCode := <-exitChan err = <-errChan - return 0, err + return exitCode, err } // TODO the notion of starting a pod container and its deps still needs to be worked through @@ -710,13 +714,13 @@ func (r *LocalRuntime) Start(ctx context.Context, c *cliconfig.StartValues, sigP return exitCode, finalErr } -func (r *LocalRuntime) attach(ctx context.Context, stdin, stdout *os.File, cid string, start bool, detachKeys string) (chan error, error) { +func (r *LocalRuntime) attach(ctx context.Context, stdin, stdout *os.File, cid string, start bool, detachKeys string) (chan int, chan error, error) { var ( oldTermState *term.State ) spec, err := r.Spec(cid) if err != nil { - return nil, err + return nil, nil, err } resize := make(chan remotecommand.TerminalSize, 5) haveTerminal := terminal.IsTerminal(int(os.Stdin.Fd())) @@ -726,7 +730,7 @@ func (r *LocalRuntime) attach(ctx context.Context, stdin, stdout *os.File, cid s if haveTerminal && spec.Process.Terminal { cancel, oldTermState, err := handleTerminalAttach(ctx, resize) if err != nil { - return nil, err + return nil, nil, err } defer cancel() defer restoreTerminal(oldTermState) @@ -738,7 +742,7 @@ func (r *LocalRuntime) attach(ctx context.Context, stdin, stdout *os.File, cid s reply, err := iopodman.Attach().Send(r.Conn, varlink.Upgrade, cid, detachKeys, start) if err != nil { restoreTerminal(oldTermState) - return nil, err + return nil, nil, err } // See if the server accepts the upgraded connection or returns an error @@ -746,11 +750,12 @@ func (r *LocalRuntime) attach(ctx context.Context, stdin, stdout *os.File, cid s if err != nil { restoreTerminal(oldTermState) - return nil, err + return nil, nil, err } - errChan := configureVarlinkAttachStdio(r.Conn.Reader, r.Conn.Writer, stdin, stdout, oldTermState, resize, nil) - return errChan, nil + ecChan := make(chan int, 1) + errChan := configureVarlinkAttachStdio(r.Conn.Reader, r.Conn.Writer, stdin, stdout, oldTermState, resize, ecChan) + return ecChan, errChan, nil } // PauseContainers pauses container(s) based on CLI inputs. diff --git a/pkg/adapter/network.go b/pkg/adapter/network.go index e4a160767..d407984ce 100644 --- a/pkg/adapter/network.go +++ b/pkg/adapter/network.go @@ -3,9 +3,9 @@ package adapter import ( + "context" "encoding/json" "fmt" - "github.com/containers/libpod/pkg/util" "io/ioutil" "os" "path/filepath" @@ -14,6 +14,7 @@ import ( cniversion "github.com/containernetworking/cni/pkg/version" "github.com/containers/libpod/cmd/podman/cliconfig" "github.com/containers/libpod/pkg/network" + "github.com/containers/libpod/pkg/util" "github.com/pkg/errors" ) @@ -85,16 +86,69 @@ func (r *LocalRuntime) NetworkInspect(cli *cliconfig.NetworkInspectValues) error } // NetworkRemove deletes one or more CNI networks -func (r *LocalRuntime) NetworkRemove(cli *cliconfig.NetworkRmValues) error { +func (r *LocalRuntime) NetworkRemove(ctx context.Context, cli *cliconfig.NetworkRmValues) ([]string, map[string]error, error) { + var ( + networkRmSuccesses []string + lastError error + ) + networkRmErrors := make(map[string]error) + for _, name := range cli.InputArgs { - cniPath, err := network.GetCNIConfigPathByName(name) + containers, err := r.GetAllContainers() if err != nil { - return err + return networkRmSuccesses, networkRmErrors, err } - if err := os.Remove(cniPath); err != nil { - return err + if err := r.removeNetwork(ctx, name, containers, cli.Force); err != nil { + if lastError != nil { + networkRmErrors[name] = lastError + } + lastError = err + } else { + networkRmSuccesses = append(networkRmSuccesses, fmt.Sprintf("Deleted: %s\n", name)) + } + } + return networkRmSuccesses, networkRmErrors, lastError +} + +// removeNetwork removes a single network and its containers given a force bool +func (r *LocalRuntime) removeNetwork(ctx context.Context, name string, containers []*Container, force bool) error { + cniPath, err := network.GetCNIConfigPathByName(name) + if err != nil { + return err + } + // We need to iterate containers looking to see if they belong to the given network + for _, c := range containers { + if util.StringInSlice(name, c.Config().Networks) { + // if user passes force, we nuke containers + if force { + if err := r.RemoveContainer(ctx, c.Container, true, true); err != nil { + return err + } + } else { + // Without the the force option, we return an error + return errors.Errorf("%q has associated containers with it. use -f to forcibly delete containers", name) + } + } - fmt.Printf("Deleted: %s\n", name) + } + // Before we delete the configuration file, we need to make sure we can read and parse + // it to get the network interface name so we can remove that too + interfaceName, err := network.GetInterfaceNameFromConfig(cniPath) + if err != nil { + return errors.Wrapf(err, "failed to find network interface name in %q", cniPath) + } + liveNetworkNames, err := network.GetLiveNetworkNames() + if err != nil { + return errors.Wrapf(err, "failed to get live network names") + } + if util.StringInSlice(interfaceName, liveNetworkNames) { + if err := network.RemoveInterface(interfaceName); err != nil { + return errors.Wrapf(err, "failed to delete the network interface %q", interfaceName) + } + } + // Remove the configuration file + if err := os.Remove(cniPath); err != nil { + return errors.Wrapf(err, "failed to remove network configuration file %q", cniPath) } return nil } diff --git a/pkg/network/devices.go b/pkg/network/devices.go index 26101b6f7..85068a7d1 100644 --- a/pkg/network/devices.go +++ b/pkg/network/devices.go @@ -2,8 +2,10 @@ package network import ( "fmt" - "github.com/containers/libpod/pkg/util" + "os/exec" + "github.com/containers/libpod/pkg/util" + "github.com/containers/libpod/utils" "github.com/sirupsen/logrus" ) @@ -39,3 +41,15 @@ func GetFreeDeviceName() (string, error) { } return deviceName, nil } + +// RemoveInterface removes an interface by the given name +func RemoveInterface(interfaceName string) error { + // Make sure we have the ip command on the system + ipPath, err := exec.LookPath("ip") + if err != nil { + return err + } + // Delete the network interface + _, err = utils.ExecCmd(ipPath, []string{"link", "del", interfaceName}...) + return err +} diff --git a/pkg/network/files.go b/pkg/network/files.go index 80fde5e17..d55ec2dfd 100644 --- a/pkg/network/files.go +++ b/pkg/network/files.go @@ -86,6 +86,7 @@ func GetNetworksFromFilesystem() ([]*allocator.Net, error) { return nil, err } cniNetworks = append(cniNetworks, &ipamConf) + break } } } @@ -105,3 +106,26 @@ func GetNetworkNamesFromFileSystem() ([]string, error) { } return networkNames, nil } + +// GetInterfaceNameFromConfig returns the interface name for the bridge plugin +func GetInterfaceNameFromConfig(path string) (string, error) { + var name string + conf, err := libcni.ConfListFromFile(path) + if err != nil { + return "", err + } + for _, cniplugin := range conf.Plugins { + if cniplugin.Network.Type == "bridge" { + plugin := make(map[string]interface{}) + if err := json.Unmarshal(cniplugin.Bytes, &plugin); err != nil { + return "", err + } + name = plugin["bridge"].(string) + break + } + } + if len(name) == 0 { + return "", errors.New("unable to find interface name for network") + } + return name, nil +} diff --git a/pkg/spec/spec_test.go b/pkg/spec/spec_test.go index 0abff491b..2f91e1b21 100644 --- a/pkg/spec/spec_test.go +++ b/pkg/spec/spec_test.go @@ -4,6 +4,8 @@ import ( "runtime" "testing" + "github.com/containers/libpod/pkg/cgroups" + "github.com/containers/libpod/pkg/rootless" "github.com/containers/libpod/pkg/sysinfo" "github.com/containers/storage" "github.com/containers/storage/pkg/idtools" @@ -26,14 +28,30 @@ func makeTestCreateConfig() *CreateConfig { return cc } -// TestPIDsLimit verifies the given pid-limit is correctly defined in the spec -func TestPIDsLimit(t *testing.T) { +func doCommonSkipChecks(t *testing.T) { // The default configuration of podman enables seccomp, which is not available on non-Linux systems. // Thus, any tests that use the default seccomp setting would fail. // Skip the tests on non-Linux platforms rather than explicitly disable seccomp in the test and possibly affect the test result. if runtime.GOOS != "linux" { t.Skip("seccomp, which is enabled by default, is only supported on Linux") } + + if rootless.IsRootless() { + isCgroupV2, err := cgroups.IsCgroup2UnifiedMode() + if err != nil { + t.Errorf("unexpected error: %v", err) + } + + if !isCgroupV2 { + t.Skip("cgroups v1 cannot be used when rootless") + } + } +} + +// TestPIDsLimit verifies the given pid-limit is correctly defined in the spec +func TestPIDsLimit(t *testing.T) { + doCommonSkipChecks(t) + if !sysInfo.PidsLimit { t.Skip("running test not supported by the host system") } @@ -50,12 +68,8 @@ func TestPIDsLimit(t *testing.T) { // TestBLKIOWeightDevice verifies the given blkio weight is correctly set in the // spec. func TestBLKIOWeightDevice(t *testing.T) { - // The default configuration of podman enables seccomp, which is not available on non-Linux systems. - // Thus, any tests that use the default seccomp setting would fail. - // Skip the tests on non-Linux platforms rather than explicitly disable seccomp in the test and possibly affect the test result. - if runtime.GOOS != "linux" { - t.Skip("seccomp, which is enabled by default, is only supported on Linux") - } + doCommonSkipChecks(t) + if !sysInfo.BlkioWeightDevice { t.Skip("running test not supported by the host system") } @@ -75,12 +89,8 @@ func TestBLKIOWeightDevice(t *testing.T) { // TestMemorySwap verifies that the given swap memory limit is correctly set in // the spec. func TestMemorySwap(t *testing.T) { - // The default configuration of podman enables seccomp, which is not available on non-Linux systems. - // Thus, any tests that use the default seccomp setting would fail. - // Skip the tests on non-Linux platforms rather than explicitly disable seccomp in the test and possibly affect the test result. - if runtime.GOOS != "linux" { - t.Skip("seccomp, which is enabled by default, is only supported on Linux") - } + doCommonSkipChecks(t) + if !sysInfo.SwapLimit { t.Skip("running test not supported by the host system") } diff --git a/pkg/util/utils.go b/pkg/util/utils.go index 2261934f0..583bf5d18 100644 --- a/pkg/util/utils.go +++ b/pkg/util/utils.go @@ -377,3 +377,19 @@ func ValidatePullType(pullType string) (PullType, error) { return PullImageMissing, errors.Errorf("invalid pull type %q", pullType) } } + +// ExitCode reads the error message when failing to executing container process +// and then returns 0 if no error, 126 if command does not exist, or 127 for +// all other errors +func ExitCode(err error) int { + if err == nil { + return 0 + } + e := strings.ToLower(err.Error()) + if strings.Contains(e, "file not found") || + strings.Contains(e, "no such file or directory") { + return 127 + } + + return 126 +} diff --git a/pkg/varlinkapi/attach.go b/pkg/varlinkapi/attach.go index 1f8d48eb9..3bd487849 100644 --- a/pkg/varlinkapi/attach.go +++ b/pkg/varlinkapi/attach.go @@ -9,7 +9,9 @@ import ( "github.com/containers/libpod/cmd/podman/varlink" "github.com/containers/libpod/libpod" "github.com/containers/libpod/libpod/define" + "github.com/containers/libpod/libpod/events" "github.com/containers/libpod/pkg/varlinkapi/virtwriter" + "github.com/pkg/errors" "github.com/sirupsen/logrus" "k8s.io/client-go/tools/remotecommand" ) @@ -79,11 +81,36 @@ func (i *LibpodAPI) Attach(call iopodman.VarlinkCall, name string, detachKeys st finalErr = startAndAttach(ctr, streams, detachKeys, resize, errChan) } + exitCode := define.ExitCode(finalErr) if finalErr != define.ErrDetach && finalErr != nil { logrus.Error(finalErr) + } else { + if ecode, err := ctr.Wait(); err != nil { + if errors.Cause(err) == define.ErrNoSuchCtr { + // Check events + event, err := i.Runtime.GetLastContainerEvent(ctr.ID(), events.Exited) + if err != nil { + logrus.Errorf("Cannot get exit code: %v", err) + exitCode = define.ExecErrorCodeNotFound + } else { + exitCode = event.ContainerExitCode + } + } else { + exitCode = define.ExitCode(err) + } + } else { + exitCode = int(ecode) + } + } + + if ctr.AutoRemove() { + err := i.Runtime.RemoveContainer(getContext(), ctr, false, false) + if err != nil { + logrus.Errorf("Failed to remove container %s: %s", ctr.ID(), err.Error()) + } } - if err = virtwriter.HangUp(writer, 0); err != nil { + if err = virtwriter.HangUp(writer, uint32(exitCode)); err != nil { logrus.Errorf("Failed to HANG-UP attach to %s: %s", ctr.ID(), err.Error()) } return call.Writer.Flush() diff --git a/pkg/varlinkapi/containers.go b/pkg/varlinkapi/containers.go index 2dcdbc089..93f9d4fe3 100644 --- a/pkg/varlinkapi/containers.go +++ b/pkg/varlinkapi/containers.go @@ -319,12 +319,14 @@ func (i *LibpodAPI) ExportContainer(call iopodman.VarlinkCall, name, outPath str // GetContainerStats ... func (i *LibpodAPI) GetContainerStats(call iopodman.VarlinkCall, name string) error { - cgroupv2, err := cgroups.IsCgroup2UnifiedMode() - if err != nil { - return call.ReplyErrorOccurred(err.Error()) - } - if rootless.IsRootless() && !cgroupv2 { - return call.ReplyErrRequiresCgroupsV2ForRootless("rootless containers cannot report container stats") + if rootless.IsRootless() { + cgroupv2, err := cgroups.IsCgroup2UnifiedMode() + if err != nil { + return call.ReplyErrorOccurred(err.Error()) + } + if !cgroupv2 { + return call.ReplyErrRequiresCgroupsV2ForRootless("rootless containers cannot report container stats") + } } ctr, err := i.Runtime.LookupContainer(name) if err != nil { diff --git a/pkg/varlinkapi/pods.go b/pkg/varlinkapi/pods.go index c0fd8b1f7..9b659f66b 100644 --- a/pkg/varlinkapi/pods.go +++ b/pkg/varlinkapi/pods.go @@ -5,12 +5,12 @@ package varlinkapi import ( "encoding/json" "fmt" - "github.com/containers/libpod/pkg/adapter/shortcuts" "syscall" "github.com/containers/libpod/cmd/podman/shared" "github.com/containers/libpod/cmd/podman/varlink" "github.com/containers/libpod/libpod" + "github.com/containers/libpod/pkg/adapter/shortcuts" ) // CreatePod ... diff --git a/test/e2e/cp_test.go b/test/e2e/cp_test.go index edd9c70c6..9b0cb757d 100644 --- a/test/e2e/cp_test.go +++ b/test/e2e/cp_test.go @@ -223,7 +223,7 @@ var _ = Describe("Podman cp", func() { session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) - session = podmanTest.Podman([]string{"cp", "testctr:testfile", "testfile1"}) + session = podmanTest.Podman([]string{"cp", "--pause=false", "testctr:testfile", "testfile1"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) @@ -233,7 +233,7 @@ var _ = Describe("Podman cp", func() { Expect(err).To(BeNil()) Expect(strings.Contains(string(cmdRet), "testuser")).To(BeFalse()) - session = podmanTest.Podman([]string{"cp", "testfile1", "testctr:testfile2"}) + session = podmanTest.Podman([]string{"cp", "--pause=false", "testfile1", "testctr:testfile2"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) diff --git a/test/e2e/exec_test.go b/test/e2e/exec_test.go index f3190978c..670269eab 100644 --- a/test/e2e/exec_test.go +++ b/test/e2e/exec_test.go @@ -120,6 +120,18 @@ var _ = Describe("Podman exec", func() { Expect(session.ExitCode()).To(Equal(100)) }) + It("podman exec pseudo-terminal sanity check", func() { + setup := podmanTest.Podman([]string{"run", "--detach", "--name", "test1", fedoraMinimal, "sleep", "+Inf"}) + setup.WaitWithDefaultTimeout() + Expect(setup.ExitCode()).To(Equal(0)) + + session := podmanTest.Podman([]string{"exec", "--interactive", "--tty", "test1", "/usr/bin/stty", "--all"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + match, _ := session.GrepString(" onlcr") + Expect(match).Should(BeTrue()) + }) + It("podman exec simple command with user", func() { setup := podmanTest.RunTopContainer("test1") setup.WaitWithDefaultTimeout() diff --git a/test/e2e/run_exit_test.go b/test/e2e/run_exit_test.go index 861d6b3b7..374705879 100644 --- a/test/e2e/run_exit_test.go +++ b/test/e2e/run_exit_test.go @@ -1,10 +1,9 @@ -// +build !remoteclient - package integration import ( "os" + "github.com/containers/libpod/libpod/define" . "github.com/containers/libpod/test/utils" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" @@ -34,22 +33,22 @@ var _ = Describe("Podman run exit", func() { }) - It("podman run exit 125", func() { + It("podman run exit define.ExecErrorCodeGeneric", func() { result := podmanTest.Podman([]string{"run", "--foobar", ALPINE, "ls", "$tmp"}) result.WaitWithDefaultTimeout() - Expect(result.ExitCode()).To(Equal(125)) + Expect(result.ExitCode()).To(Equal(define.ExecErrorCodeGeneric)) }) - It("podman run exit 126", func() { + It("podman run exit ExecErrorCodeCannotInvoke", func() { result := podmanTest.Podman([]string{"run", ALPINE, "/etc"}) result.WaitWithDefaultTimeout() - Expect(result.ExitCode()).To(Equal(126)) + Expect(result.ExitCode()).To(Equal(define.ExecErrorCodeCannotInvoke)) }) - It("podman run exit 127", func() { + It("podman run exit ExecErrorCodeNotFound", func() { result := podmanTest.Podman([]string{"run", ALPINE, "foobar"}) result.WaitWithDefaultTimeout() - Expect(result.ExitCode()).To(Equal(127)) + Expect(result.ExitCode()).To(Equal(define.ExecErrorCodeNotFound)) }) It("podman run exit 0", func() { diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go index dfe71531a..0c78ab15b 100644 --- a/test/e2e/run_selinux_test.go +++ b/test/e2e/run_selinux_test.go @@ -162,7 +162,7 @@ var _ = Describe("Podman run", func() { session = podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", "--security-opt", "label=filetype:foobar", fedoraMinimal, "ls", "-Z", "/dev"}) session.WaitWithDefaultTimeout() - Expect(session.ExitCode()).To(Equal(127)) + Expect(session.ExitCode()).To(Equal(126)) }) }) diff --git a/test/system/030-run.bats b/test/system/030-run.bats index f279a0c75..760ed6a18 100644 --- a/test/system/030-run.bats +++ b/test/system/030-run.bats @@ -60,7 +60,6 @@ echo $rand | 0 | $rand # 'run --rm' goes through different code paths and may lose exit status. # See https://github.com/containers/libpod/issues/3795 @test "podman run --rm" { - skip_if_remote "podman-remote does not handle exit codes" run_podman 0 run --rm $IMAGE /bin/true run_podman 1 run --rm $IMAGE /bin/false diff --git a/test/system/065-cp.bats b/test/system/065-cp.bats index 204065bdb..0ca730a50 100644 --- a/test/system/065-cp.bats +++ b/test/system/065-cp.bats @@ -27,13 +27,8 @@ load helpers "echo $rand_content1 >/tmp/$rand_filename1; echo $rand_content2 >/tmp/$rand_filename2" - run_podman cp 'cpcontainer:/tmp/*' $dstdir - - test -e $dstdir/$rand_filename1 || die "file 1 not copied from container" - test -e $dstdir/$rand_filename2 || die "file 2 not copied from container" - - is "$(<$dstdir/$rand_filename1)" "$rand_content1" "content of file 1" - is "$(<$dstdir/$rand_filename2)" "$rand_content2" "content of file 2" + # cp no longer supports wildcarding + run_podman 125 cp 'cpcontainer:/tmp/*' $dstdir run_podman rm cpcontainer } @@ -150,13 +145,13 @@ load helpers # Copy file from host into container, into a file named 'x' # Note that the second has a trailing slash; this will trigger mkdir - run_podman cp $srcdir/$rand_filename1 cpcontainer:/tmp/d1/x + run_podman cp --pause=false $srcdir/$rand_filename1 cpcontainer:/tmp/d1/x is "$output" "" "output from podman cp 1" - run_podman cp $srcdir/$rand_filename2 cpcontainer:/tmp/d2/x/ + run_podman cp --pause=false $srcdir/$rand_filename2 cpcontainer:/tmp/d2/x/ is "$output" "" "output from podman cp 3" - run_podman cp $srcdir/$rand_filename3 cpcontainer:/tmp/d3/x + run_podman cp --pause=false $srcdir/$rand_filename3 cpcontainer:/tmp/d3/x is "$output" "" "output from podman cp 3" # Read back. @@ -205,7 +200,7 @@ load helpers "mkdir -p $graphroot; trap 'exit 0' 15;while :;do sleep 0.5;done" # Copy from host into container. - run_podman cp $srcdir/$rand_filename cpcontainer:$graphroot/$rand_filename + run_podman cp --pause=false $srcdir/$rand_filename cpcontainer:$graphroot/$rand_filename # ls, and confirm it's there. run_podman exec cpcontainer ls -l $graphroot/$rand_filename diff --git a/vendor/github.com/containers/buildah/.gitignore b/vendor/github.com/containers/buildah/.gitignore index f419aed12..c70cab336 100644 --- a/vendor/github.com/containers/buildah/.gitignore +++ b/vendor/github.com/containers/buildah/.gitignore @@ -3,3 +3,4 @@ docs/buildah*.1 /imgtype /build/ tests/tools/build +Dockerfile* diff --git a/vendor/github.com/containers/buildah/.golangci.yml b/vendor/github.com/containers/buildah/.golangci.yml index 52e9990ed..044bc1f1b 100644 --- a/vendor/github.com/containers/buildah/.golangci.yml +++ b/vendor/github.com/containers/buildah/.golangci.yml @@ -21,6 +21,7 @@ linters: - gosimple - govet - ineffassign + - interfacer - misspell - nakedret - staticcheck @@ -37,7 +38,6 @@ linters: # - gocritic # - gocyclo # - gosec - # - interfacer # - lll # - maligned # - prealloc diff --git a/vendor/github.com/containers/buildah/.papr.yml b/vendor/github.com/containers/buildah/.papr.yml index aece0004f..6eaba332c 100644 --- a/vendor/github.com/containers/buildah/.papr.yml +++ b/vendor/github.com/containers/buildah/.papr.yml @@ -4,7 +4,8 @@ branches: - try host: - distro: fedora/28/atomic + # 29 is the highest level of atomic + distro: fedora/29/atomic required: true @@ -49,12 +50,12 @@ tests: - podman run --net=host --security-opt label=disable --cap-add all --security-opt seccomp=unconfined -v /etc/yum.repos.d:/etc/yum.repos.d.host:ro -v $PWD:/go/src/github.com/containers/buildah --workdir /go/src/github.com/containers/buildah - registry.fedoraproject.org/fedora:28 bash -c sh ./.papr.sh + registry.fedoraproject.org/fedora:30 bash -c sh ./.papr.sh --- container: - image: registry.fedoraproject.org/fedora:28 + image: registry.fedoraproject.org/fedora:30 packages: - btrfs-progs-devel diff --git a/vendor/github.com/containers/buildah/CHANGELOG.md b/vendor/github.com/containers/buildah/CHANGELOG.md index 82248b901..61c29b200 100644 --- a/vendor/github.com/containers/buildah/CHANGELOG.md +++ b/vendor/github.com/containers/buildah/CHANGELOG.md @@ -2,6 +2,58 @@ # Changelog +## v1.11.1 (2019-09-11) + Add --devices flag to bud and from + Downgrade .papr to highest atomic verion + Add support for /run/.containerenv + Truncate output of too long image names + Preserve file and directory mount permissions + Bump fedora version from 28 to 30 + makeImageRef: ignore EmptyLayer if Squash is set + Set TMPDIR to /var/tmp by default + replace --debug=false with --log-level=error + Allow mounts.conf entries for equal source and destination paths + fix label and annotation for 1-line Dockerfiles + Enable interfacer linter and fix lints + install.md: mention goproxy + Makefile: use go proxy + Bump to v1.12.0-dev + +## v1.11.0 (2019-08-29) + tests/bud.bats: add --signature-policy to some tests + Vendor github.com/openshift/api + pull/commit/push: pay attention to $BUILD_REGISTRY_SOURCES + Add `--log-level` command line option and deprecate `--debug` + add support for cgroupsV2 + Correctly detect ExitError values from Run() + Disable empty logrus timestamps to reduce logger noise + Remove outdated deps Makefile target + Remove gofmt.sh in favor of golangci-lint + Remove govet.sh in favor of golangci-lint + Allow to override build date with SOURCE_DATE_EPOCH + Update shebangs to take env into consideration + Fix directory pull image names + Add --digestfile and Re-add push statement as debug + README: mention that Podman uses Buildah's API + Use content digests in ADD/COPY history entries + add: add a DryRun flag to AddAndCopyOptions + Fix possible runtime panic on bud + Add security-related volume options to validator + use correct path for ginkgo + Add bud 'without arguments' integration tests + Update documentation about bud + add: handle hard links when copying with .dockerignore + add: teach copyFileWithTar() about symlinks and directories + Allow buildah bud to be called without arguments + imagebuilder: fix detection of referenced stage roots + Touch up go mod instructions in install + run_linux: fix mounting /sys in a userns + Vendor Storage v1.13.2 + Cirrus: Update VM images + Fix handling of /dev/null masked devices + Update `bud`/`from` help to contain indicator for `--dns=none` + Bump back to v1.11.0-dev + ## v1.10.1 (2019-08-08) Bump containers/image to v3.0.2 to fix keyring issue Bug fix for volume minus syntax diff --git a/vendor/github.com/containers/buildah/Makefile b/vendor/github.com/containers/buildah/Makefile index b490d8041..cb0dfeb51 100644 --- a/vendor/github.com/containers/buildah/Makefile +++ b/vendor/github.com/containers/buildah/Makefile @@ -1,3 +1,5 @@ +export GOPROXY=https://proxy.golang.org + SELINUXTAG := $(shell ./selinux_tag.sh) APPARMORTAG := $(shell hack/apparmor_tag.sh) STORAGETAGS := $(shell ./btrfs_tag.sh) $(shell ./btrfs_installed_tag.sh) $(shell ./libdm_tag.sh) $(shell ./ostree_tag.sh) @@ -25,7 +27,8 @@ SOURCE_DATE_EPOCH ?= $(if $(shell date +%s),$(shell date +%s),$(error "date fail STATIC_STORAGETAGS = "containers_image_ostree_stub containers_image_openpgp exclude_graphdriver_devicemapper $(STORAGE_TAGS)" CNI_COMMIT := $(shell sed -n 's;\tgithub.com/containernetworking/cni \([^ \n]*\).*$\;\1;p' go.mod) -RUNC_COMMIT := $(shell sed -n 's;\tgithub.com/opencontainers/runc \([^ \n]*\).*$\;\1;p' go.mod) +#RUNC_COMMIT := $(shell sed -n 's;\tgithub.com/opencontainers/runc \([^ \n]*\).*$\;\1;p' go.mod) +RUNC_COMMIT := v1.0.0-rc8 LIBSECCOMP_COMMIT := release-2.3 EXTRALDFLAGS := @@ -52,7 +55,7 @@ imgtype: *.go docker/*.go util/*.go tests/imgtype/imgtype.go .PHONY: clean clean: - $(RM) -r buildah imgtype build buildah.static + $(RM) -r buildah imgtype build buildah.static buildah.darwin tests/testreport/testreport $(MAKE) -C docs clean .PHONY: docs diff --git a/vendor/github.com/containers/buildah/buildah.go b/vendor/github.com/containers/buildah/buildah.go index 29e7bf44f..b482fe1be 100644 --- a/vendor/github.com/containers/buildah/buildah.go +++ b/vendor/github.com/containers/buildah/buildah.go @@ -16,6 +16,7 @@ import ( "github.com/containers/storage" "github.com/containers/storage/pkg/ioutils" v1 "github.com/opencontainers/image-spec/specs-go/v1" + "github.com/opencontainers/runc/libcontainer/configs" "github.com/pkg/errors" "github.com/sirupsen/logrus" ) @@ -26,7 +27,7 @@ const ( Package = "buildah" // Version for the Package. Bump version in contrib/rpm/buildah.spec // too. - Version = "1.11.0" + Version = "1.11.2" // The value we use to identify what type of information, currently a // serialized Builder structure, we are using as per-container state. // This should only be changed when we make incompatible changes to @@ -188,8 +189,7 @@ type Builder struct { // committed image after the history item for the layer that we're // committing. AppendedEmptyLayers []v1.History - - CommonBuildOpts *CommonBuildOptions + CommonBuildOpts *CommonBuildOptions // TopLayer is the top layer of the image TopLayer string // Format for the build Image @@ -198,6 +198,8 @@ type Builder struct { TempVolumes map[string]bool // ContentDigester counts the digest of all Add()ed content ContentDigester CompositeDigester + // Devices are the additional devices to add to the containers + Devices []configs.Device } // BuilderInfo are used as objects to display container information @@ -228,6 +230,7 @@ type BuilderInfo struct { AddCapabilities []string DropCapabilities []string History []v1.History + Devices []configs.Device } // GetBuildInfo gets a pointer to a Builder object and returns a BuilderInfo object from it. @@ -272,6 +275,7 @@ func GetBuildInfo(b *Builder) BuilderInfo { AddCapabilities: append([]string{}, b.AddCapabilities...), DropCapabilities: append([]string{}, b.DropCapabilities...), History: history, + Devices: b.Devices, } } @@ -406,6 +410,8 @@ type BuilderOptions struct { CommonBuildOpts *CommonBuildOptions // Format for the container image Format string + // Devices are the additional devices to add to the containers + Devices []configs.Device } // ImportOptions are used to initialize a Builder from an existing container diff --git a/vendor/github.com/containers/buildah/changelog.txt b/vendor/github.com/containers/buildah/changelog.txt index 94f61763e..2ae070e8c 100644 --- a/vendor/github.com/containers/buildah/changelog.txt +++ b/vendor/github.com/containers/buildah/changelog.txt @@ -1,3 +1,25 @@ +- Changelog for v1.11.2 (2019-09-13) + * Add some cleanup code + * Move devices code to unit specific directory. + * Bump back to v1.12.0-dev + +- Changelog for v1.11.1 (2019-09-11) + * Add --devices flag to bud and from + * Downgrade .papr to highest atomic verion + * Add support for /run/.containerenv + * Truncate output of too long image names + * Preserve file and directory mount permissions + * Bump fedora version from 28 to 30 + * makeImageRef: ignore EmptyLayer if Squash is set + * Set TMPDIR to /var/tmp by default + * replace --debug=false with --log-level=error + * Allow mounts.conf entries for equal source and destination paths + * fix label and annotation for 1-line Dockerfiles + * Enable interfacer linter and fix lints + * install.md: mention goproxy + * Makefile: use go proxy + * Bump to v1.12.0-dev + - Changelog for v1.11.0 (2019-08-29) * tests/bud.bats: add --signature-policy to some tests * Vendor github.com/openshift/api diff --git a/vendor/github.com/containers/buildah/go.mod b/vendor/github.com/containers/buildah/go.mod index 33b9bfb0d..bf30e9925 100644 --- a/vendor/github.com/containers/buildah/go.mod +++ b/vendor/github.com/containers/buildah/go.mod @@ -5,10 +5,13 @@ go 1.12 require ( github.com/VividCortex/ewma v1.1.1 // indirect github.com/blang/semver v3.5.0+incompatible // indirect + github.com/checkpoint-restore/go-criu v0.0.0-20190109184317-bdb7599cd87b // indirect + github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50 // indirect github.com/containerd/continuity v0.0.0-20181203112020-004b46473808 // indirect github.com/containernetworking/cni v0.7.1 github.com/containers/image v3.0.2+incompatible github.com/containers/storage v1.13.2 + github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f // indirect github.com/cyphar/filepath-securejoin v0.2.1 github.com/docker/distribution v0.0.0-20170817175659-5f6282db7d65 github.com/docker/docker-credential-helpers v0.6.1 // indirect @@ -25,12 +28,13 @@ require ( github.com/mattn/go-isatty v0.0.4 // indirect github.com/mattn/go-shellwords v1.0.5 github.com/moby/moby v0.0.0-20171005181806-f8806b18b4b9 // indirect + github.com/mrunalp/fileutils v0.0.0-20171103030105-7d4729fb3618 // indirect github.com/mtrmac/gpgme v0.0.0-20170102180018-b2432428689c // indirect github.com/onsi/ginkgo v1.8.0 github.com/onsi/gomega v1.5.0 github.com/opencontainers/go-digest v1.0.0-rc1 github.com/opencontainers/image-spec v1.0.1 - github.com/opencontainers/runc v1.0.0-rc8 + github.com/opencontainers/runc v1.0.0-rc8.0.20190827142921-dd075602f158 github.com/opencontainers/runtime-spec v0.1.2-0.20190618234442-a950415649c7 github.com/opencontainers/runtime-tools v0.9.0 github.com/opencontainers/selinux v1.2.2 @@ -42,8 +46,10 @@ require ( github.com/sirupsen/logrus v1.4.2 github.com/spf13/cobra v0.0.3 github.com/spf13/pflag v1.0.3 + github.com/stretchr/testify v1.3.0 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 github.com/ulikunitz/xz v0.5.5 // indirect + github.com/urfave/cli v1.21.0 // indirect github.com/vbauerster/mpb v3.4.0+incompatible // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect diff --git a/vendor/github.com/containers/buildah/go.sum b/vendor/github.com/containers/buildah/go.sum index d489375de..6b69f2f36 100644 --- a/vendor/github.com/containers/buildah/go.sum +++ b/vendor/github.com/containers/buildah/go.sum @@ -23,6 +23,8 @@ github.com/VividCortex/ewma v1.1.1 h1:MnEK4VOv6n0RSY4vtRe3h11qjxL3+t0B8yOL8iMXdc github.com/VividCortex/ewma v1.1.1/go.mod h1:2Tkkvm3sRDVXaiyucHiACn4cqf7DpdyLvmxzcbUokwA= github.com/blang/semver v3.5.0+incompatible h1:CGxCgetQ64DKk7rdZ++Vfnb1+ogGNnB17OJKJXD2Cfs= github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/checkpoint-restore/go-criu v0.0.0-20190109184317-bdb7599cd87b/go.mod h1:TrMrLQfeENAPYPRsJuq3jsqdlRh3lvi6trTZJG8+tho= +github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= github.com/containerd/continuity v0.0.0-20180814194400-c7c5070e6f6e/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20181203112020-004b46473808 h1:4BX8f882bXEDKfWIf0wa8HRvpnBoPszJJXL+TVbBw4M= github.com/containerd/continuity v0.0.0-20181203112020-004b46473808/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= @@ -54,10 +56,12 @@ github.com/containers/storage v1.13.1 h1:rjVirLS9fCGkUFlLDZEoGDDUugtIf46DufWvJu0 github.com/containers/storage v1.13.1/go.mod h1:6D8nK2sU9V7nEmAraINRs88ZEscM5C5DK+8Npp27GeA= github.com/containers/storage v1.13.2 h1:UXZ0Ckmk6+6+4vj2M2ywruVtH97pnRoAhTG8ctd+yQI= github.com/containers/storage v1.13.2/go.mod h1:6D8nK2sU9V7nEmAraINRs88ZEscM5C5DK+8Npp27GeA= +github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/cyphar/filepath-securejoin v0.2.1 h1:5DPkzz/0MwUpvR4fxASKzgApeq2OMFY5FfYtrX28Coo= github.com/cyphar/filepath-securejoin v0.2.1/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/docker/distribution v0.0.0-20170817175659-5f6282db7d65 h1:4zlOyrJUbYnrvlzChJ+jP2J3i77Jbhm336NEuCv7kZo= github.com/docker/distribution v0.0.0-20170817175659-5f6282db7d65/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= @@ -160,6 +164,7 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/mrunalp/fileutils v0.0.0-20171103030105-7d4729fb3618/go.mod h1:x8F1gnqOkIEiO4rqoeEEEqQbo7HjGMTvyoq3gej4iT0= github.com/mtrmac/gpgme v0.0.0-20170102180018-b2432428689c h1:xa+eQWKuJ9MbB9FBL/eoNvDFvveAkz2LQoz8PzX7Q/4= github.com/mtrmac/gpgme v0.0.0-20170102180018-b2432428689c/go.mod h1:GhAqVMEWnTcW2dxoD/SO3n2enrgWl3y6Dnx4m59GvcA= github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= @@ -182,6 +187,8 @@ github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zM github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v1.0.0-rc8 h1:dDCFes8Hj1r/i5qnypONo5jdOme/8HWZC/aNDyhECt0= github.com/opencontainers/runc v1.0.0-rc8/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= +github.com/opencontainers/runc v1.0.0-rc8.0.20190827142921-dd075602f158 h1:/A6bAdnSZoTQmKml3MdHAnSEPnBAQeigNBl4sxnfaaQ= +github.com/opencontainers/runc v1.0.0-rc8.0.20190827142921-dd075602f158/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runtime-spec v0.1.2-0.20190618234442-a950415649c7 h1:Dliu5QO+4JYWu/yMshaMU7G3JN2POGpwjJN7gjy10Go= github.com/opencontainers/runtime-spec v0.1.2-0.20190618234442-a950415649c7/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-tools v0.9.0 h1:FYgwVsKRI/H9hU32MJ/4MLOzXWodKK5zsQavY8NPMkU= @@ -201,6 +208,7 @@ github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pquerna/ffjson v0.0.0-20171002144729-d49c2bc1aa13 h1:AUK/hm/tPsiNNASdb3J8fySVRZoI7fnK5mlOvdFD43o= github.com/pquerna/ffjson v0.0.0-20171002144729-d49c2bc1aa13/go.mod h1:YARuvh7BUWHNhzDq2OM5tzR2RiCcN2D7sapiKyCel/M= @@ -222,6 +230,7 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 h1:b6uOv7YOFK0TYG7HtkIgExQo+2RdLuwRft63jn2HWj8= github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= @@ -231,6 +240,7 @@ github.com/tchap/go-patricia v2.3.0+incompatible h1:GkY4dP3cEfEASBPPkWd+AmjYxhmD github.com/tchap/go-patricia v2.3.0+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I= github.com/ulikunitz/xz v0.5.5 h1:pFrO0lVpTBXLpYw+pnLj6TbvHuyjXMfjGeCwSqCVwok= github.com/ulikunitz/xz v0.5.5/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8= +github.com/urfave/cli v1.21.0/go.mod h1:lxDj6qX9Q6lWQxIrbrT0nwecwUtRnhVZAJjJZrVUZZQ= github.com/vbatts/tar-split v0.10.2 h1:CXd7HEKGkTLjBMinpObcJZU5Hm8EKlor2a1JtX6msXQ= github.com/vbatts/tar-split v0.10.2/go.mod h1:LEuURwDEiWjRjwu46yU3KVGuUdVv/dcnpcEPSzR8z6g= github.com/vbatts/tar-split v0.11.1 h1:0Odu65rhcZ3JZaPHxl7tCI3V/C/Q9Zf82UFravl02dE= diff --git a/vendor/github.com/containers/buildah/image.go b/vendor/github.com/containers/buildah/image.go index 042aa2d00..cca7dd836 100644 --- a/vendor/github.com/containers/buildah/image.go +++ b/vendor/github.com/containers/buildah/image.go @@ -710,7 +710,7 @@ func (b *Builder) makeImageRef(options CommitOptions, exporting bool) (types.Ima preferredManifestType: manifestType, exporting: exporting, squash: options.Squash, - emptyLayer: options.EmptyLayer, + emptyLayer: options.EmptyLayer && !options.Squash, tarPath: b.tarPath(&b.IDMappingOptions), parent: parent, blobDirectory: options.BlobDirectory, diff --git a/vendor/github.com/containers/buildah/imagebuildah/build.go b/vendor/github.com/containers/buildah/imagebuildah/build.go index 85ceceb3a..f53018cd4 100644 --- a/vendor/github.com/containers/buildah/imagebuildah/build.go +++ b/vendor/github.com/containers/buildah/imagebuildah/build.go @@ -17,6 +17,7 @@ import ( "github.com/containers/image/types" "github.com/containers/storage" "github.com/containers/storage/pkg/archive" + "github.com/opencontainers/runc/libcontainer/configs" "github.com/opencontainers/runtime-spec/specs-go" "github.com/openshift/imagebuilder" "github.com/pkg/errors" @@ -156,6 +157,8 @@ type BuildOptions struct { BlobDirectory string // Target the targeted FROM in the Dockerfile to build Target string + // Devices are the additional devices to add to the containers + Devices []configs.Device } // BuildDockerfiles parses a set of one or more Dockerfiles (which may be @@ -264,7 +267,7 @@ func BuildDockerfiles(ctx context.Context, store storage.Store, options BuildOpt // dockerfile content and will use ctxDir as the base include path. // // Note: we cannot use cmd.StdoutPipe() as cmd.Wait() closes it. -func preprocessDockerfileContents(r io.ReadCloser, ctxDir string) (rdrCloser *io.ReadCloser, err error) { +func preprocessDockerfileContents(r io.Reader, ctxDir string) (rdrCloser *io.ReadCloser, err error) { cppPath := "/usr/bin/cpp" if _, err = os.Stat(cppPath); err != nil { if os.IsNotExist(err) { diff --git a/vendor/github.com/containers/buildah/imagebuildah/executor.go b/vendor/github.com/containers/buildah/imagebuildah/executor.go index 34ccb6efb..c65c3bab4 100644 --- a/vendor/github.com/containers/buildah/imagebuildah/executor.go +++ b/vendor/github.com/containers/buildah/imagebuildah/executor.go @@ -20,6 +20,7 @@ import ( "github.com/containers/storage" "github.com/containers/storage/pkg/archive" v1 "github.com/opencontainers/image-spec/specs-go/v1" + "github.com/opencontainers/runc/libcontainer/configs" "github.com/openshift/imagebuilder" "github.com/openshift/imagebuilder/dockerfile/parser" "github.com/pkg/errors" @@ -90,6 +91,9 @@ type Executor struct { excludes []string unusedArgs map[string]struct{} buildArgs map[string]string + addCapabilities []string + dropCapabilities []string + devices []configs.Device } // NewExecutor creates a new instance of the imagebuilder.Executor interface. @@ -144,6 +148,9 @@ func NewExecutor(store storage.Store, options BuildOptions, mainNode *parser.Nod blobDirectory: options.BlobDirectory, unusedArgs: make(map[string]struct{}), buildArgs: options.Args, + addCapabilities: options.AddCapabilities, + dropCapabilities: options.DropCapabilities, + devices: options.Devices, } if exec.err == nil { exec.err = os.Stderr diff --git a/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go b/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go index 144bf8c24..e942b3b34 100644 --- a/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go +++ b/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go @@ -585,6 +585,9 @@ func (s *StageExecutor) prepare(ctx context.Context, stage imagebuilder.Stage, f CommonBuildOpts: s.executor.commonBuildOptions, DefaultMountsFilePath: s.executor.defaultMountsFilePath, Format: s.executor.outputFormat, + AddCapabilities: s.executor.addCapabilities, + DropCapabilities: s.executor.dropCapabilities, + Devices: s.executor.devices, } // Check and see if the image is a pseudonym for the end result of a @@ -757,9 +760,17 @@ func (s *StageExecutor) Execute(ctx context.Context, stage imagebuilder.Stage, b if imgID, ref, err = s.commit(ctx, ib, s.executor.getCreatedBy(nil, ""), false, s.output); err != nil { return "", nil, errors.Wrapf(err, "error committing base container") } + } else if len(s.executor.labels) > 0 || len(s.executor.annotations) > 0 { + // The image would be modified by the labels passed + // via the command line, so we need to commit. + logCommit(s.output, -1) + if imgID, ref, err = s.commit(ctx, ib, s.executor.getCreatedBy(stage.Node, ""), true, s.output); err != nil { + return "", nil, err + } } else { - // We don't need to squash the base image, so just - // reuse the base image. + // We don't need to squash the base image, and the + // image wouldn't be modified by the command line + // options, so just reuse the base image. logCommit(s.output, -1) if imgID, ref, err = s.tagExistingImage(ctx, s.builder.FromImageID, s.output); err != nil { return "", nil, err diff --git a/vendor/github.com/containers/buildah/install.md b/vendor/github.com/containers/buildah/install.md index 6cfa3f24b..858364b45 100644 --- a/vendor/github.com/containers/buildah/install.md +++ b/vendor/github.com/containers/buildah/install.md @@ -324,11 +324,11 @@ registries = [] `/usr/share/containers/mounts.conf` and optionally `/etc/containers/mounts.conf` -The mounts.conf files specify volume mount directories that are automatically mounted inside containers when executing the `buildah run` or `buildah build-using-dockerfile` commands. Container process can then use this content. The volume mount content does not get committed to the final image. This file is usually provided by the containers-common package. +The mounts.conf files specify volume mount files or directories that are automatically mounted inside containers when executing the `buildah run` or `buildah build-using-dockerfile` commands. Container processes can then use this content. The volume mount content does not get committed to the final image. This file is usually provided by the containers-common package. Usually these directories are used for passing secrets or credentials required by the package software to access remote package repositories. -For example, a mounts.conf with the line "`/usr/share/rhel/secrets:/run/secrets`", the content of `/usr/share/rhel/secrets` directory is mounted on `/run/secrets` inside the container. This mountpoint allows Red Hat Enterprise Linux subscriptions from the host to be used within the container. +For example, a mounts.conf with the line "`/usr/share/rhel/secrets:/run/secrets`", the content of `/usr/share/rhel/secrets` directory is mounted on `/run/secrets` inside the container. This mountpoint allows Red Hat Enterprise Linux subscriptions from the host to be used within the container. It is also possible to omit the destination if it's equal to the source path. For example, specifying `/var/lib/secrets` will mount the directory into the same container destination path `/var/lib/secrets`. Note this is not a volume mount. The content of the volumes is copied into container storage, not bind mounted directly from the host. @@ -396,3 +396,5 @@ If you wish to vendor in your personal fork to try changes out (assuming contain To revert * `go mod edit -dropreplace github.com/containers/storage` * `make vendor` + +To speed up fetching dependencies, you can use a [Go Module Proxy](https://proxy.golang.org) by setting `GOPROXY=https://proxy.golang.org`. diff --git a/vendor/github.com/containers/buildah/new.go b/vendor/github.com/containers/buildah/new.go index 5642ef916..31ae01be7 100644 --- a/vendor/github.com/containers/buildah/new.go +++ b/vendor/github.com/containers/buildah/new.go @@ -360,6 +360,7 @@ func newBuilder(ctx context.Context, store storage.Store, options BuilderOptions Args: options.Args, Format: options.Format, TempVolumes: map[string]bool{}, + Devices: options.Devices, } if options.Mount { diff --git a/vendor/github.com/containers/buildah/pkg/cli/common.go b/vendor/github.com/containers/buildah/pkg/cli/common.go index 1a73efb54..06aec96ea 100644 --- a/vendor/github.com/containers/buildah/pkg/cli/common.go +++ b/vendor/github.com/containers/buildah/pkg/cli/common.go @@ -87,6 +87,7 @@ type FromAndBudResults struct { CPUSetCPUs string CPUSetMems string CPUShares uint64 + Devices []string DNSSearch []string DNSServers []string DNSOptions []string @@ -185,6 +186,7 @@ func GetFromAndBudFlags(flags *FromAndBudResults, usernsResults *UserNSResults, fs.Uint64VarP(&flags.CPUShares, "cpu-shares", "c", 0, "CPU shares (relative weight)") fs.StringVar(&flags.CPUSetCPUs, "cpuset-cpus", "", "CPUs in which to allow execution (0-3, 0,1)") fs.StringVar(&flags.CPUSetMems, "cpuset-mems", "", "memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.") + fs.StringArrayVar(&flags.Devices, "device", []string{}, "Additional devices to be used within containers (default [])") fs.StringSliceVar(&flags.DNSSearch, "dns-search", []string{}, "Set custom DNS search domains") fs.StringSliceVar(&flags.DNSServers, "dns", []string{}, "Set custom DNS servers or disable it completely by setting it to 'none', which prevents the automatic creation of `/etc/resolv.conf`.") fs.StringSliceVar(&flags.DNSOptions, "dns-option", []string{}, "Set custom DNS options") diff --git a/vendor/github.com/containers/buildah/pkg/parse/parse.go b/vendor/github.com/containers/buildah/pkg/parse/parse.go index 09ca542a1..36ae07190 100644 --- a/vendor/github.com/containers/buildah/pkg/parse/parse.go +++ b/vendor/github.com/containers/buildah/pkg/parse/parse.go @@ -886,3 +886,67 @@ func RegistryFromFullName(input string) string { } return split[0] } + +// Device parses device mapping string to a src, dest & permissions string +// Valid values for device looklike: +// '/dev/sdc" +// '/dev/sdc:/dev/xvdc" +// '/dev/sdc:/dev/xvdc:rwm" +// '/dev/sdc:rm" +func Device(device string) (string, string, string, error) { + src := "" + dst := "" + permissions := "rwm" + arr := strings.Split(device, ":") + switch len(arr) { + case 3: + if !isValidDeviceMode(arr[2]) { + return "", "", "", fmt.Errorf("invalid device mode: %s", arr[2]) + } + permissions = arr[2] + fallthrough + case 2: + if isValidDeviceMode(arr[1]) { + permissions = arr[1] + } else { + if len(arr[1]) == 0 || arr[1][0] != '/' { + return "", "", "", fmt.Errorf("invalid device mode: %s", arr[1]) + } + dst = arr[1] + } + fallthrough + case 1: + if len(arr[0]) > 0 { + src = arr[0] + break + } + fallthrough + default: + return "", "", "", fmt.Errorf("invalid device specification: %s", device) + } + + if dst == "" { + dst = src + } + return src, dst, permissions, nil +} + +// isValidDeviceMode checks if the mode for device is valid or not. +// isValid mode is a composition of r (read), w (write), and m (mknod). +func isValidDeviceMode(mode string) bool { + var legalDeviceMode = map[rune]bool{ + 'r': true, + 'w': true, + 'm': true, + } + if mode == "" { + return false + } + for _, c := range mode { + if !legalDeviceMode[c] { + return false + } + legalDeviceMode[c] = false + } + return true +} diff --git a/vendor/github.com/containers/buildah/pkg/parse/parse_unix.go b/vendor/github.com/containers/buildah/pkg/parse/parse_unix.go index 0574fc24e..238293894 100644 --- a/vendor/github.com/containers/buildah/pkg/parse/parse_unix.go +++ b/vendor/github.com/containers/buildah/pkg/parse/parse_unix.go @@ -5,6 +5,10 @@ package parse import ( "fmt" + "github.com/containers/buildah/pkg/unshare" + "github.com/opencontainers/runc/libcontainer/configs" + "github.com/opencontainers/runc/libcontainer/devices" + "github.com/pkg/errors" "golang.org/x/sys/unix" ) @@ -19,3 +23,19 @@ func getDefaultProcessLimits() []string { } return defaultLimits } + +func DeviceFromPath(device string) (configs.Device, error) { + src, dst, permissions, err := Device(device) + if err != nil { + return configs.Device{}, err + } + if unshare.IsRootless() { + return configs.Device{}, errors.Errorf("Renaming device %s to %s is not a supported in rootless containers", src, dst) + } + dev, err := devices.DeviceFromPath(src, permissions) + if err != nil { + return configs.Device{}, errors.Wrapf(err, "%s is not a valid device", src) + } + dev.Path = dst + return *dev, nil +} diff --git a/vendor/github.com/containers/buildah/pkg/parse/parse_unsupported.go b/vendor/github.com/containers/buildah/pkg/parse/parse_unsupported.go index 7e970624f..51138f860 100644 --- a/vendor/github.com/containers/buildah/pkg/parse/parse_unsupported.go +++ b/vendor/github.com/containers/buildah/pkg/parse/parse_unsupported.go @@ -2,6 +2,16 @@ package parse +import ( + "fmt" + + "github.com/opencontainers/runc/libcontainer/configs" +) + func getDefaultProcessLimits() []string { return []string{} } + +func DeviceFromPath(device string) (configs.Device, error) { + return configs.Device{}, fmt.Errorf("devices not supported") +} diff --git a/vendor/github.com/containers/buildah/pkg/secrets/secrets.go b/vendor/github.com/containers/buildah/pkg/secrets/secrets.go index 70bd6a4b7..9be9bb3b6 100644 --- a/vendor/github.com/containers/buildah/pkg/secrets/secrets.go +++ b/vendor/github.com/containers/buildah/pkg/secrets/secrets.go @@ -7,6 +7,7 @@ import ( "path/filepath" "strings" + "github.com/containers/buildah/pkg/umask" "github.com/containers/storage/pkg/idtools" rspec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux/label" @@ -28,20 +29,22 @@ var ( // secretData stores the name of the file and the content read from it type secretData struct { - name string - data []byte + name string + data []byte + mode os.FileMode + dirMode os.FileMode } // saveTo saves secret data to given directory func (s secretData) saveTo(dir string) error { path := filepath.Join(dir, s.name) - if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil && !os.IsExist(err) { + if err := os.MkdirAll(filepath.Dir(path), s.dirMode); err != nil && !os.IsExist(err) { return err } - return ioutil.WriteFile(path, s.data, 0700) + return ioutil.WriteFile(path, s.data, s.mode) } -func readAll(root, prefix string) ([]secretData, error) { +func readAll(root, prefix string, parentMode os.FileMode) ([]secretData, error) { path := filepath.Join(root, prefix) data := []secretData{} @@ -56,7 +59,7 @@ func readAll(root, prefix string) ([]secretData, error) { } for _, f := range files { - fileData, err := readFile(root, filepath.Join(prefix, f.Name())) + fileData, err := readFileOrDir(root, filepath.Join(prefix, f.Name()), parentMode) if err != nil { // If the file did not exist, might be a dangling symlink // Ignore the error @@ -71,7 +74,7 @@ func readAll(root, prefix string) ([]secretData, error) { return data, nil } -func readFile(root, name string) ([]secretData, error) { +func readFileOrDir(root, name string, parentMode os.FileMode) ([]secretData, error) { path := filepath.Join(root, name) s, err := os.Stat(path) @@ -80,7 +83,7 @@ func readFile(root, name string) ([]secretData, error) { } if s.IsDir() { - dirData, err := readAll(root, name) + dirData, err := readAll(root, name, s.Mode()) if err != nil { return nil, err } @@ -90,12 +93,17 @@ func readFile(root, name string) ([]secretData, error) { if err != nil { return nil, err } - return []secretData{{name: name, data: bytes}}, nil + return []secretData{{ + name: name, + data: bytes, + mode: s.Mode(), + dirMode: parentMode, + }}, nil } -func getHostSecretData(hostDir string) ([]secretData, error) { +func getHostSecretData(hostDir string, mode os.FileMode) ([]secretData, error) { var allSecrets []secretData - hostSecrets, err := readAll(hostDir, "") + hostSecrets, err := readAll(hostDir, "", mode) if err != nil { return nil, errors.Wrapf(err, "failed to read secrets from %q", hostDir) } @@ -130,10 +138,13 @@ func getMounts(filePath string) []string { // getHostAndCtrDir separates the host:container paths func getMountsMap(path string) (string, string, error) { arr := strings.SplitN(path, ":", 2) - if len(arr) == 2 { + switch len(arr) { + case 1: + return arr[0], arr[0], nil + case 2: return arr[0], arr[1], nil } - return "", "", errors.Errorf("unable to get host and container dir") + return "", "", errors.Errorf("unable to get host and container dir from path: %s", path) } // SecretMounts copies, adds, and mounts the secrets to the container root filesystem @@ -162,7 +173,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre if _, err := os.Stat(file); err == nil { mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid) if err != nil { - logrus.Warnf("error mounting secrets, skipping: %v", err) + logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err) } secretMounts = mounts break @@ -220,12 +231,16 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr return nil, err } + // Don't let the umask have any influence on the file and directory creation + oldUmask := umask.SetUmask(0) + defer umask.SetUmask(oldUmask) + switch mode := fileInfo.Mode(); { case mode.IsDir(): - if err = os.MkdirAll(ctrDirOrFileOnHost, 0755); err != nil { + if err = os.MkdirAll(ctrDirOrFileOnHost, mode.Perm()); err != nil { return nil, errors.Wrapf(err, "making container directory %q failed", ctrDirOrFileOnHost) } - data, err := getHostSecretData(hostDirOrFile) + data, err := getHostSecretData(hostDirOrFile, mode.Perm()) if err != nil { return nil, errors.Wrapf(err, "getting host secret data failed") } @@ -235,16 +250,16 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr } } case mode.IsRegular(): - data, err := readFile("", hostDirOrFile) + data, err := readFileOrDir("", hostDirOrFile, mode.Perm()) if err != nil { return nil, errors.Wrapf(err, "error reading file %q", hostDirOrFile) } for _, s := range data { - if err := os.MkdirAll(filepath.Dir(ctrDirOrFileOnHost), 0700); err != nil { + if err := os.MkdirAll(filepath.Dir(ctrDirOrFileOnHost), s.dirMode); err != nil { return nil, err } - if err := ioutil.WriteFile(ctrDirOrFileOnHost, s.data, 0700); err != nil { + if err := ioutil.WriteFile(ctrDirOrFileOnHost, s.data, s.mode); err != nil { return nil, errors.Wrapf(err, "error saving data to container filesystem on host %q", ctrDirOrFileOnHost) } } diff --git a/vendor/github.com/containers/buildah/pkg/umask/umask_unix.go b/vendor/github.com/containers/buildah/pkg/umask/umask_unix.go new file mode 100644 index 000000000..02e10945b --- /dev/null +++ b/vendor/github.com/containers/buildah/pkg/umask/umask_unix.go @@ -0,0 +1,20 @@ +// +build linux darwin + +package umask + +import ( + "syscall" + + "github.com/sirupsen/logrus" +) + +func CheckUmask() { + oldUmask := syscall.Umask(0022) + if (oldUmask & ^0022) != 0 { + logrus.Debugf("umask value too restrictive. Forcing it to 022") + } +} + +func SetUmask(value int) int { + return syscall.Umask(value) +} diff --git a/vendor/github.com/containers/buildah/pkg/umask/umask_unsupported.go b/vendor/github.com/containers/buildah/pkg/umask/umask_unsupported.go new file mode 100644 index 000000000..20913a718 --- /dev/null +++ b/vendor/github.com/containers/buildah/pkg/umask/umask_unsupported.go @@ -0,0 +1,7 @@ +// +build !linux,!darwin + +package umask + +func CheckUmask() {} + +func SetUmask(int) int { return 0 } diff --git a/vendor/github.com/containers/buildah/run.go b/vendor/github.com/containers/buildah/run.go index 88900b6b7..bec1738e6 100644 --- a/vendor/github.com/containers/buildah/run.go +++ b/vendor/github.com/containers/buildah/run.go @@ -4,6 +4,7 @@ import ( "fmt" "io" + "github.com/opencontainers/runc/libcontainer/configs" "github.com/opencontainers/runtime-spec/specs-go" ) @@ -167,6 +168,8 @@ type RunOptions struct { // after processing the AddCapabilities set. If a capability appears in both // lists, it will be dropped. DropCapabilities []string + // Devices are the additional devices to add to the containers + Devices []configs.Device } // Find the configuration for the namespace of the given type. If there are diff --git a/vendor/github.com/containers/buildah/run_linux.go b/vendor/github.com/containers/buildah/run_linux.go index aeb9f5bbb..624da9dae 100644 --- a/vendor/github.com/containers/buildah/run_linux.go +++ b/vendor/github.com/containers/buildah/run_linux.go @@ -36,6 +36,7 @@ import ( "github.com/docker/libnetwork/types" "github.com/opencontainers/go-digest" "github.com/opencontainers/runtime-spec/specs-go" + spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" @@ -121,6 +122,20 @@ func (b *Builder) Run(command []string, options RunOptions) error { g.SetProcessArgs(nil) } + for _, d := range b.Devices { + sDev := spec.LinuxDevice{ + Type: string(d.Type), + Path: d.Path, + Major: d.Major, + Minor: d.Minor, + FileMode: &d.FileMode, + UID: &d.Uid, + GID: &d.Gid, + } + g.AddDevice(sDev) + g.AddLinuxResourcesDevice(true, string(d.Type), &d.Major, &d.Minor, d.Permissions) + } + setupMaskedPaths(g) setupReadOnlyPaths(g) @@ -181,6 +196,24 @@ func (b *Builder) Run(command []string, options RunOptions) error { } bindFiles["/etc/resolv.conf"] = resolvFile } + // Empty file, so no need to recreate if it exists + if _, ok := bindFiles["/run/.containerenv"]; !ok { + // Empty string for now, but we may consider populating this later + containerenvPath := filepath.Join(path, "/run/.containerenv") + if err = os.MkdirAll(filepath.Dir(containerenvPath), 0755); err != nil && !os.IsExist(err) { + return err + } + emptyFile, err := os.Create(containerenvPath) + if err != nil { + return err + } + emptyFile.Close() + if err := label.Relabel(containerenvPath, b.MountLabel, false); err != nil { + return errors.Wrapf(err, "error relabeling %q in container %q", containerenvPath, b.ContainerID) + } + + bindFiles["/run/.containerenv"] = containerenvPath + } err = b.setupMounts(mountPoint, spec, path, options.Mounts, bindFiles, volumes, b.CommonBuildOpts.Volumes, b.CommonBuildOpts.ShmSize, namespaceOptions) if err != nil { diff --git a/vendor/github.com/containers/buildah/util/util.go b/vendor/github.com/containers/buildah/util/util.go index 4be0b2de8..8ec767601 100644 --- a/vendor/github.com/containers/buildah/util/util.go +++ b/vendor/github.com/containers/buildah/util/util.go @@ -381,3 +381,17 @@ func LogIfNotRetryable(err error, what string) (retry bool) { func LogIfUnexpectedWhileDraining(err error, what string) { logIfNotErrno(err, what, syscall.EINTR, syscall.EAGAIN, syscall.EIO) } + +// TruncateString trims the given string to the provided maximum amount of +// characters and shortens it with `...`. +func TruncateString(str string, to int) string { + newStr := str + if len(str) > to { + const tr = "..." + if to > len(tr) { + to -= len(tr) + } + newStr = str[0:to] + tr + } + return newStr +} diff --git a/vendor/github.com/coreos/go-systemd/activation/listeners.go b/vendor/github.com/coreos/go-systemd/activation/listeners.go index bb5cc2311..3dbe2b087 100644 --- a/vendor/github.com/coreos/go-systemd/activation/listeners.go +++ b/vendor/github.com/coreos/go-systemd/activation/listeners.go @@ -67,7 +67,7 @@ func TLSListeners(tlsConfig *tls.Config) ([]net.Listener, error) { return nil, err } - if tlsConfig != nil && err == nil { + if tlsConfig != nil { for i, l := range listeners { // Activate TLS only for TCP sockets if l.Addr().Network() == "tcp" { @@ -88,7 +88,7 @@ func TLSListenersWithNames(tlsConfig *tls.Config) (map[string][]net.Listener, er return nil, err } - if tlsConfig != nil && err == nil { + if tlsConfig != nil { for _, ll := range listeners { // Activate TLS only for TCP sockets for i, l := range ll { diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go index 9717acc72..ec79ae767 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go @@ -22,6 +22,13 @@ const ( CgroupProcesses = "cgroup.procs" ) +// HugePageSizeUnitList is a list of the units used by the linux kernel when +// naming the HugePage control files. +// https://www.kernel.org/doc/Documentation/cgroup-v1/hugetlb.txt +// TODO Since the kernel only use KB, MB and GB; TB and PB should be removed, +// depends on https://github.com/docker/go-units/commit/a09cd47f892041a4fac473133d181f5aea6fa393 +var HugePageSizeUnitList = []string{"B", "KB", "MB", "GB", "TB", "PB"} + // https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt func FindCgroupMountpoint(cgroupPath, subsystem string) (string, error) { mnt, _, err := FindCgroupMountpointAndRoot(cgroupPath, subsystem) @@ -409,19 +416,26 @@ func RemovePaths(paths map[string]string) (err error) { } func GetHugePageSize() ([]string, error) { - var pageSizes []string - sizeList := []string{"B", "kB", "MB", "GB", "TB", "PB"} files, err := ioutil.ReadDir("/sys/kernel/mm/hugepages") if err != nil { - return pageSizes, err + return []string{}, err } + var fileNames []string for _, st := range files { - nameArray := strings.Split(st.Name(), "-") + fileNames = append(fileNames, st.Name()) + } + return getHugePageSizeFromFilenames(fileNames) +} + +func getHugePageSizeFromFilenames(fileNames []string) ([]string, error) { + var pageSizes []string + for _, fileName := range fileNames { + nameArray := strings.Split(fileName, "-") pageSize, err := units.RAMInBytes(nameArray[1]) if err != nil { return []string{}, err } - sizeString := units.CustomSize("%g%s", float64(pageSize), 1024.0, sizeList) + sizeString := units.CustomSize("%g%s", float64(pageSize), 1024.0, HugePageSizeUnitList) pageSizes = append(pageSizes, sizeString) } diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_windows.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unsupported.go index d74847b0d..c0c23d700 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_windows.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unsupported.go @@ -1,3 +1,5 @@ +// +build !linux + package configs // TODO Windows: This can ultimately be entirely factored out on Windows as diff --git a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go b/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go index 5e2ab0581..5dabe06ce 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go @@ -7,11 +7,11 @@ import ( "path/filepath" "github.com/opencontainers/runc/libcontainer/configs" - "golang.org/x/sys/unix" ) var ( + // ErrNotADevice denotes that a file is not a valid linux device. ErrNotADevice = errors.New("not a device node") ) @@ -21,7 +21,8 @@ var ( ioutilReadDir = ioutil.ReadDir ) -// Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the information about a linux device and return that information as a Device struct. +// Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the +// information about a linux device and return that information as a Device struct. func DeviceFromPath(path, permissions string) (*configs.Device, error) { var stat unix.Stat_t err := unixLstat(path, &stat) @@ -60,25 +61,29 @@ func DeviceFromPath(path, permissions string) (*configs.Device, error) { }, nil } +// HostDevices returns all devices that can be found under /dev directory. func HostDevices() ([]*configs.Device, error) { - return getDevices("/dev") + return GetDevices("/dev") } -func getDevices(path string) ([]*configs.Device, error) { +// GetDevices recursively traverses a directory specified by path +// and returns all devices found there. +func GetDevices(path string) ([]*configs.Device, error) { files, err := ioutilReadDir(path) if err != nil { return nil, err } - out := []*configs.Device{} + var out []*configs.Device for _, f := range files { switch { case f.IsDir(): switch f.Name() { // ".lxc" & ".lxd-mounts" added to address https://github.com/lxc/lxd/issues/2825 - case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts": + // ".udev" added to address https://github.com/opencontainers/runc/issues/2093 + case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts", ".udev": continue default: - sub, err := getDevices(filepath.Join(path, f.Name())) + sub, err := GetDevices(filepath.Join(path, f.Name())) if err != nil { return nil, err } diff --git a/vendor/modules.txt b/vendor/modules.txt index d0fcf879a..1de9fede0 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -49,7 +49,7 @@ github.com/containernetworking/plugins/pkg/ip github.com/containernetworking/plugins/plugins/ipam/host-local/backend/allocator github.com/containernetworking/plugins/pkg/utils/hwaddr github.com/containernetworking/plugins/plugins/ipam/host-local/backend -# github.com/containers/buildah v1.11.0 +# github.com/containers/buildah v1.11.2 github.com/containers/buildah github.com/containers/buildah/imagebuildah github.com/containers/buildah/pkg/chrootuser @@ -65,6 +65,7 @@ github.com/containers/buildah/pkg/blobcache github.com/containers/buildah/pkg/overlay github.com/containers/buildah/pkg/unshare github.com/containers/buildah/pkg/cgroups +github.com/containers/buildah/pkg/umask # github.com/containers/image v3.0.2+incompatible github.com/containers/image/directory github.com/containers/image/docker @@ -151,7 +152,7 @@ github.com/containers/storage/pkg/ostree github.com/containers/storage/drivers/copy # github.com/coreos/go-iptables v0.4.2 github.com/coreos/go-iptables/iptables -# github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a +# github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f github.com/coreos/go-systemd/activation github.com/coreos/go-systemd/dbus github.com/coreos/go-systemd/sdjournal @@ -354,7 +355,7 @@ github.com/opencontainers/go-digest # github.com/opencontainers/image-spec v1.0.1 github.com/opencontainers/image-spec/specs-go/v1 github.com/opencontainers/image-spec/specs-go -# github.com/opencontainers/runc v1.0.0-rc8 +# github.com/opencontainers/runc v1.0.0-rc8.0.20190827142921-dd075602f158 github.com/opencontainers/runc/libcontainer/user github.com/opencontainers/runc/libcontainer/apparmor github.com/opencontainers/runc/libcontainer/configs |