-rw-r--r-- | go.mod | 2 | ||||
-rw-r--r-- | go.sum | 2 | ||||
-rw-r--r-- | libpod/kube.go | 20 | ||||
-rw-r--r-- | pkg/api/handlers/compat/images_push.go | 11 | ||||
-rw-r--r-- | test/apiv2/12-imagesMore.at | 7 | ||||
-rw-r--r-- | test/apiv2/23-containersArchive.at | 9 | ||||
-rwxr-xr-x | test/apiv2/test-apiv2 | 33 | ||||
-rw-r--r-- | test/e2e/generate_kube_test.go | 35 | ||||
-rw-r--r-- | vendor/github.com/containers/image/v5/pkg/sysregistriesv2/shortnames.go | 21 | ||||
-rw-r--r-- | vendor/github.com/containers/image/v5/version/version.go | 2 | ||||
-rw-r--r-- | vendor/modules.txt | 2 |
11 files changed, 111 insertions, 33 deletions
@@ -13,7 +13,7 @@ require (
 github.com/containers/buildah v1.19.4
 github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577
 github.com/containers/conmon v2.0.20+incompatible
- github.com/containers/image/v5 v5.10.1
+ github.com/containers/image/v5 v5.10.2
 github.com/containers/ocicrypt v1.1.0
 github.com/containers/psgo v1.5.2
 github.com/containers/storage v1.25.0
@@ -108,6 +108,8 @@ github.com/containers/image/v5 v5.9.0 h1:dRmUtcluQcmasNo3DpnRoZjfU0rOu1qZeL6wlDJ
 github.com/containers/image/v5 v5.9.0/go.mod h1:blOEFd/iFdeyh891ByhCVUc+xAcaI3gBegXECwz9UbQ=
 github.com/containers/image/v5 v5.10.1 h1:tHhGQ8RCMxJfJLD/PEW1qrOKX8nndledW9qz6UiAxns=
 github.com/containers/image/v5 v5.10.1/go.mod h1:JlRLJZv7elVbtHaaaR6Kz8i6G3k2ttj4t7fubwxD9Hs=
+github.com/containers/image/v5 v5.10.2 h1:STD9GYR9p/X0qTLmBYsyx8dEM7zQW+qZ8KHoL/64fkg=
+github.com/containers/image/v5 v5.10.2/go.mod h1:JlRLJZv7elVbtHaaaR6Kz8i6G3k2ttj4t7fubwxD9Hs=
 github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
 github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
 github.com/containers/ocicrypt v1.0.3 h1:vYgl+RZ9Q3DPMuTfxmN+qp0X2Bj52uuY2vnt6GzVe1c=
diff --git a/libpod/kube.go b/libpod/kube.go
index f9ead027d..6cb7723c9 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -322,7 +322,8 @@ func containerToV1Container(c *Container) (v1.Container, []v1.Volume, *v1.PodDNS
 return kubeContainer, kubeVolumes, nil, err
 }
 
- if len(c.config.Spec.Linux.Devices) > 0 {
+ // NOTE: a privileged container mounts all of /dev/*.
+ if !c.Privileged() && len(c.config.Spec.Linux.Devices) > 0 {
 // TODO Enable when we can support devices and their names
 kubeContainer.VolumeDevices = generateKubeVolumeDeviceFromLinuxDevice(c.Spec().Linux.Devices)
 return kubeContainer, kubeVolumes, nil, errors.Wrapf(define.ErrNotImplemented, "linux devices")
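Review bot: The new condition reads the device list as `c.config.Spec.Linux.Devices` while the call on the following line reads `c.Spec().Linux.Devices`; the guard and the use should go through the same accessor so they cannot diverge, e.g. `kubeContainer.VolumeDevices = generateKubeVolumeDeviceFromLinuxDevice(c.config.Spec.Linux.Devices)`. The added NOTE would be more useful if it also stated the effect of the guard: a privileged container with explicit devices now generates successfully with no device entries, whereas before it returned the ErrNotImplemented error visible at the end of the branch, and that is acceptable only because the emitted `privileged: true` already exposes all of /dev. containerToV1Container starts before and continues after this hunk.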
@@ -625,13 +626,18 @@ func capAddDrop(caps *specs.LinuxCapabilities) (*v1.Capabilities, error) {
 
 // generateKubeSecurityContext generates a securityContext based on the existing container
 func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
- priv := c.Privileged()
+ privileged := c.Privileged()
 ro := c.IsReadOnly()
 allowPrivEscalation := !c.config.Spec.Process.NoNewPrivileges
 
- newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities)
- if err != nil {
- return nil, err
+ var capabilities *v1.Capabilities
+ if !privileged {
+ // Running privileged adds all caps.
+ newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities)
+ if err != nil {
+ return nil, err
+ }
+ capabilities = newCaps
 }
 
 var selinuxOpts v1.SELinuxOptions
@@ -651,8 +657,8 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
 }
 
 sc := v1.SecurityContext{
- Capabilities: newCaps,
- Privileged: &priv,
+ Capabilities: capabilities,
+ Privileged: &privileged,
 SELinuxOptions: &selinuxOpts,
 // RunAsNonRoot is an optional parameter; our first implementations should be root only; however
 // I'm leaving this as a bread-crumb for later
diff --git a/pkg/api/handlers/compat/images_push.go b/pkg/api/handlers/compat/images_push.go
index c352ac6cd..34b53f34e 100644
--- a/pkg/api/handlers/compat/images_push.go
+++ b/pkg/api/handlers/compat/images_push.go
@@ -1,7 +1,6 @@
 package compat
 
 import (
- "context"
 "net/http"
 "strings"
 
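Review bot: The comment `// Running privileged adds all caps.` sits inside the `if !privileged` block, where it describes the branch that was not taken; moving it above the `if` and saying why the list is omitted reads better, e.g. `// A privileged container already holds every capability, so the add/drop list is only emitted for unprivileged ones.` That comment should also make explicit that any capability drops configured on a privileged container are therefore absent from the generated manifest, since the second hunk now emits `Capabilities: capabilities` with a nil value in that case and relies on `Privileged: &privileged` alone. Renaming `priv` to `privileged` while leaving `ro` on the next line is a small naming inconsistency worth fixing at the same time. generateKubeSecurityContext continues past both hunks.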
@@ -76,7 +75,15 @@ func PushImage(w http.ResponseWriter, r *http.Request) {
 if _, found := r.URL.Query()["tlsVerify"]; found {
 options.SkipTLSVerify = types.NewOptionalBool(!query.TLSVerify)
 }
- if err := imageEngine.Push(context.Background(), imageName, query.Destination, options); err != nil {
+
+ var destination string
+ if _, found := r.URL.Query()["destination"]; found {
+ destination = query.Destination
+ } else {
+ destination = imageName
+ }
+
+ if err := imageEngine.Push(r.Context(), imageName, destination, options); err != nil {
 if errors.Cause(err) != storage.ErrImageUnknown {
 utils.ImageNotFound(w, imageName, errors.Wrapf(err, "failed to find image %s", imageName))
 return
diff --git a/test/apiv2/12-imagesMore.at b/test/apiv2/12-imagesMore.at
index 896e685cd..fe6a271ce 100644
--- a/test/apiv2/12-imagesMore.at
+++ b/test/apiv2/12-imagesMore.at
@@ -24,13 +24,10 @@ t GET libpod/images/$IMAGE/json 200 \
 
 # Run registry container
 podman run -d --name registry -p 5000:5000 quay.io/libpod/registry:2.6 /entrypoint.sh /etc/docker/registry/config.yml
+wait_for_port localhost 5000
 
 # Push to local registry
-# FIXME: this is failing:
-# "cause": "received unexpected HTTP status: 500 Internal Server Error",
-# "message": "error pushing image \"localhost:5000/myrepo:mytag\": error copying image to the remote destination: Error writing blob: Error initiating layer upload to /v2/myrepo/blobs/uploads/ in localhost:5000: received unexpected HTTP status: 500 Internal Server Error",
-# "response": 400
-#t POST libpod/images/localhost:5000/myrepo:mytag/push\?tlsVerify\=false '' 200
+t POST "images/localhost:5000/myrepo/push?tlsVerify=false&tag=mytag" '' 200
 
 # Untag the image
 t POST "libpod/images/$iid/untag?repo=localhost:5000/myrepo&tag=mytag" '' 201
diff --git a/test/apiv2/23-containersArchive.at b/test/apiv2/23-containersArchive.at
index 459800196..688ca9f06 100644
--- a/test/apiv2/23-containersArchive.at
+++ b/test/apiv2/23-containersArchive.at
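Review bot: `r.URL.Query()` is parsed a second time in the new `destination` block, a few lines after the `tlsVerify` lookup already parsed it; reading it once into a local such as `params := r.URL.Query()` and using `params["tlsVerify"]` / `params["destination"]` avoids the repeated parse and keeps the two lookups in step. The var/if/else can then collapse to a default-then-override: `destination := imageName` followed by `if _, found := params["destination"]; found { destination = query.Destination }`. `query.Destination` comes straight from the request and is handed to Push unchanged; if `imageEngine.Push` does not itself reject a malformed reference, validating it here would give the caller a clear 400 instead of a push-time error — Push is not visible from this hunk, so I cannot tell. Replacing `context.Background()` with `r.Context()` also means a client disconnect now cancels an in-flight push, which deserves a one-line comment on that call. PushImage begins and ends outside the hunk.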
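Review bot: The libpod push test that was commented out under the FIXME is replaced by a compat-API push (`images/localhost:5000/myrepo/push?tlsVerify=false&tag=mytag`) rather than restored, so `libpod/images/.../push` is left without coverage in this file unless it is exercised elsewhere; keeping the libpod form alongside the compat one would test both handlers. The new `wait_for_port localhost 5000` call relies on the helper's default timeout (`${3:-5}` in the test-apiv2 hunk); if the registry is slow to come up, passing an explicit third argument is safer than inheriting the default.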
@@ -13,13 +13,10 @@ podman rm -a -f &>/dev/null
 
 CTR="ArchiveTestingCtr"
 
-TMPD=$(mktemp -d)
-pushd "${TMPD}"
-echo "Hello" > "hello.txt"
-tar --format=posix -cvf "hello.tar" "hello.txt" &> /dev/null
-popd
-
+TMPD=$(mktemp -d podman-apiv2-test.archive.XXXXXXXX)
 HELLO_TAR="${TMPD}/hello.tar"
+echo "Hello" > $TMPD/hello.txt
+tar --format=posix -C $TMPD -cvf ${HELLO_TAR} hello.txt &> /dev/null
 
 podman run -d --name "${CTR}" "${IMAGE}" top
 
diff --git a/test/apiv2/test-apiv2 b/test/apiv2/test-apiv2
index c8ca9df3f..5b1e2ef80 100755
--- a/test/apiv2/test-apiv2
+++ b/test/apiv2/test-apiv2
@@ -84,7 +84,9 @@ function like() {
 
 if expr "$actual" : "$expect" &>/dev/null; then
 # On success, include expected value; this helps readers understand
- _show_ok 1 "$testname ('$actual') ~ $expect"
+ # (but don't show enormous multi-line output like 'generate kube')
+ blurb=$(head -n1 <<<"$actual")
+ _show_ok 1 "$testname ('$blurb') ~ $expect"
 return
 fi
 _show_ok 0 "$testname" "~ $expect" "$actual"
@@ -231,14 +233,17 @@ function t() {
 if [[ $content_type =~ /octet ]]; then
 output="[$(file --brief $WORKDIR/curl.result.out)]"
 echo "$output" >>$LOG
- else
+ elif [[ -e $WORKDIR/curl.result.out ]]; then
 output=$(< $WORKDIR/curl.result.out)
- if [[ $content_type =~ application/json ]]; then
+ if [[ $content_type =~ application/json ]] && [[ $method != "HEAD" ]]; then
 jq . <<<"$output" >>$LOG
 else
 echo "$output" >>$LOG
 fi
+ else
+ output=
+ echo "[no output]" >>$LOG
 fi
 
 # Test return code
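Review bot: `mktemp -d podman-apiv2-test.archive.XXXXXXXX` is given a bare template, so the directory is created relative to the current working directory instead of under the system temp directory as the removed `mktemp -d` was; `TMPD=$(mktemp -d --tmpdir podman-apiv2-test.archive.XXXXXXXX)` keeps the descriptive name while putting it back where temp files belong. The new `echo` and `tar` lines leave `$TMPD` and `${HELLO_TAR}` unquoted while `"${TMPD}"` is quoted on the line between them; quoting them consistently avoids word-splitting surprises if the temp path ever contains spaces. Nothing in this hunk removes `$TMPD` afterwards — if a cleanup exists outside the hunk it should be checked against the new location.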
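Review bot: The new `-e $WORKDIR/curl.result.out` guard only protects the `elif` branch; the `/octet` branch above it still runs `file --brief $WORKDIR/curl.result.out` unconditionally, so a response that advertises an octet-stream content type but leaves no result file would hit the same missing-file case the guard was added for. Checking existence once before branching on content type, or adding `&& [[ -e $WORKDIR/curl.result.out ]]` to the first condition, covers both branches. The body of `t()` continues outside the hunk.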
@@ -305,10 +310,20 @@ function start_service() {
 &> $WORKDIR/server.log &
 service_pid=$!
 
+ wait_for_port $HOST $PORT
+}
+
+###################
+#  wait_for_port  # Returns once port is available on host
+###################
+function wait_for_port() {
+ local host=$1 # Probably "localhost"
+ local port=$2 # Numeric port
+ local timeout=${3:-5} # Optional; default to 5 seconds
+
 # Wait
- local _timeout=5
- while [ $_timeout -gt 0 ]; do
- { exec 3<> /dev/tcp/$HOST/$PORT; } &>/dev/null && return
+ while [ $timeout -gt 0 ]; do
+ { exec 3<> /dev/tcp/$host/$port; } &>/dev/null && return
 sleep 1
 _timeout=$(( $_timeout - 1 ))
 done
@@ -385,6 +400,12 @@ done
 
 # Clean up
 if [ -n "$service_pid" ]; then
+ # Remove any containers and images; this prevents the following warning:
+ # 'rm: cannot remove '/.../overlay': Device or resource busy
+ podman rm -a
+ podman rmi -af
+
+ # Stop the server
 kill $service_pid
 wait $service_pid
 fi
diff --git a/test/e2e/generate_kube_test.go b/test/e2e/generate_kube_test.go
index bcfab0f68..cd949c666 100644
--- a/test/e2e/generate_kube_test.go
+++ b/test/e2e/generate_kube_test.go
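Review bot: The loop test was renamed to `while [ $timeout -gt 0 ]; do`, but the decrement on the unchanged context line below is still `_timeout=$(( $_timeout - 1 ))`, so `timeout` never changes and wait_for_port spins forever when the port never opens — in `start_service` that turns a failed server start into a hang instead of a timeout, and the same applies to the new `wait_for_port localhost 5000` call in 12-imagesMore.at. The decrement should read `timeout=$(( timeout - 1 ))`. Whatever follows `done` outside the hunk (the failure path and the function's closing brace) is only reached once the counter actually hits zero, which it currently never does. A one-line comment above the loop noting that fd 3 stays open on success, as it did before the refactor, would also help the next reader of `{ exec 3<> /dev/tcp/$host/$port; }`.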
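Review bot: `podman rm -a` in the new cleanup block has no `-f`, so any container still running when the script exits (for example the `registry` container started in 12-imagesMore.at, or the `top` container in 23-containersArchive.at, if they were not stopped by their own tests) is not removed, and the following `podman rmi -af` may then fail for the images those containers use — the opposite of what the comment says the block prevents. Using `podman rm -af` to match `rmi -af` makes the cleanup reliable. These two commands also wipe every container and image in whatever storage this podman invocation points at; I assume the script runs against an isolated root, but a comment stating that assumption would reassure anyone running it by hand against their own environment.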
@@ -699,4 +699,39 @@ ENTRYPOINT /bin/sleep`
 Expect(containers[0].Command).To(Equal([]string{"/bin/sh", "-c", "/bin/sleep"}))
 Expect(containers[0].Args).To(Equal([]string{"10s"}))
 })
+
+ It("podman generate kube - --privileged container", func() {
+ session := podmanTest.Podman([]string{"create", "--pod", "new:testpod", "--privileged", ALPINE, "ls"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ kube := podmanTest.Podman([]string{"generate", "kube", "testpod"})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ // Now make sure that the capabilities aren't set.
+ pod := new(v1.Pod)
+ err := yaml.Unmarshal(kube.Out.Contents(), pod)
+ Expect(err).To(BeNil())
+
+ containers := pod.Spec.Containers
+ Expect(len(containers)).To(Equal(1))
+ Expect(containers[0].SecurityContext.Capabilities).To(BeNil())
+
+ // Now make sure we can also `play` it.
+ kubeFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
+
+ kube = podmanTest.Podman([]string{"generate", "kube", "testpod", "-f", kubeFile})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ // Remove the pod so play can recreate it.
+ kube = podmanTest.Podman([]string{"pod", "rm", "-f", "testpod"})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ kube = podmanTest.Podman([]string{"play", "kube", kubeFile})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+ })
 })
diff --git a/vendor/github.com/containers/image/v5/pkg/sysregistriesv2/shortnames.go b/vendor/github.com/containers/image/v5/pkg/sysregistriesv2/shortnames.go
index 4001b65b6..a9c498d7a 100644
--- a/vendor/github.com/containers/image/v5/pkg/sysregistriesv2/shortnames.go
+++ b/vendor/github.com/containers/image/v5/pkg/sysregistriesv2/shortnames.go
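Review bot: `Expect(containers[0].SecurityContext.Capabilities).To(BeNil())` dereferences `SecurityContext` without checking it first, so if the generated container ever omits the securityContext block the test dies with a nil-pointer panic instead of a readable assertion failure; adding `Expect(containers[0].SecurityContext).ToNot(BeNil())` on the line before gives a clear failure. The test would also be stronger if it pinned the property the omission depends on, `Expect(*containers[0].SecurityContext.Privileged).To(BeTrue())`, because a nil Capabilities field is only correct when privileged is emitted as true. The pod is generated twice, once to stdout and once to `kubeFile`; generating once to the file and unmarshalling its contents would halve the work without weakening the test.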
@@ -7,6 +7,7 @@ import (
 
 "github.com/BurntSushi/toml"
 "github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/internal/rootless"
 "github.com/containers/image/v5/types"
 "github.com/containers/storage/pkg/homedir"
 "github.com/containers/storage/pkg/lockfile"
@@ -27,12 +28,24 @@ func shortNameAliasesConfPath(ctx *types.SystemContext) (string, error) {
 return ctx.UserShortNameAliasConfPath, nil
 }
 
- configHome, err := homedir.GetConfigHome()
- if err != nil {
- return "", err
+ if rootless.GetRootlessEUID() == 0 {
+ // Root user or in a non-conforming user NS
+ return filepath.Join("/var/cache", userShortNamesFile), nil
+ }
+
+ // Rootless user
+ var cacheRoot string
+ if xdgCache := os.Getenv("XDG_CACHE_HOME"); xdgCache != "" {
+ cacheRoot = xdgCache
+ } else {
+ configHome, err := homedir.GetConfigHome()
+ if err != nil {
+ return "", err
+ }
+ cacheRoot = filepath.Join(configHome, ".cache")
 }
 
- return filepath.Join(configHome, userShortNamesFile), nil
+ return filepath.Join(cacheRoot, userShortNamesFile), nil
 }
 
 // shortNameAliasConf is a subset of the `V2RegistriesConf` format. It's used in the
diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go
index 1fc775410..4c722505c 100644
--- a/vendor/github.com/containers/image/v5/version/version.go
+++ b/vendor/github.com/containers/image/v5/version/version.go
@@ -8,7 +8,7 @@ const (
 // VersionMinor is for functionality in a backwards-compatible manner
 VersionMinor = 10
 // VersionPatch is for backwards-compatible bug fixes
- VersionPatch = 1
+ VersionPatch = 2
 
 // VersionDev indicates development branch. Releases will be empty string.
 VersionDev = ""
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 9d950f0dd..7c1eaf8df 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -110,7 +110,7 @@ github.com/containers/common/pkg/umask github.com/containers/common/version # github.com/containers/conmon v2.0.20+incompatible github.com/containers/conmon/runner/config -# github.com/containers/image/v5 v5.10.1 +# github.com/containers/image/v5 v5.10.2 github.com/containers/image/v5/copy github.com/containers/image/v5/directory github.com/containers/image/v5/directory/explicitfilepath |