-rw-r--r-- | .github/workflows/stale.yml | 1 | ||||
-rw-r--r-- | Makefile | 5 | ||||
-rw-r--r-- | RELEASE_NOTES.md | 11 | ||||
-rw-r--r-- | changelog.txt | 29 | ||||
-rw-r--r-- | contrib/spec/podman.spec.in | 2 | ||||
-rw-r--r-- | pkg/domain/infra/abi/images.go | 9 | ||||
-rw-r--r-- | pkg/domain/infra/tunnel/containers.go | 9 | ||||
-rw-r--r-- | pkg/hooks/1.0.0/hook.go | 9 | ||||
-rw-r--r-- | pkg/hooks/hooks.go | 6 | ||||
-rw-r--r-- | test/e2e/attach_test.go | 10 | ||||
-rw-r--r-- | test/e2e/libpod_suite_remote_test.go | 4 | ||||
-rw-r--r-- | test/e2e/libpod_suite_test.go | 4 | ||||
-rw-r--r-- | test/e2e/libpod_suite_varlink_test.go | 4 | ||||
-rw-r--r-- | test/e2e/mount_test.go | 23 | ||||
-rw-r--r-- | version/version.go | 2 |
15 files changed, 121 insertions, 7 deletions
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 5e5a75713..8fd51b5e9 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -22,3 +22,4 @@ jobs: stale-pr-label: 'stale-pr' days-before-stale: 30 days-before-close: 365 + remove-stale-when-updated: true @@ -135,8 +135,13 @@ export PRINT_HELP_PYSCRIPT err_if_empty = $(if $(strip $($(1))),$(strip $($(1))),$(error Required variable $(1) value is undefined, whitespace, or empty)) .PHONY: help +ifneq (, ${PYTHON}) help: @$(PYTHON) -c "$$PRINT_HELP_PYSCRIPT" < $(MAKEFILE_LIST) +else +help: + $(error python required for 'make help', executable not found) +endif .gopathok: ifeq ("$(wildcard $(GOPKGDIR))","") diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index f3ac50a59..cabfafabb 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md @@ -15,6 +15,7 @@ - The `podman play kube` command now supports the Socket HostPath type ([#7112](https://github.com/containers/podman/issues/7112)). - The `podman play kube` command now supports read-only mounts. - The `podman play kube` command now supports setting labels on pods from Kubernetes metadata labels. +- The `podman play kube` command now supports setting container restart policy ([#7656](https://github.com/containers/podman/issues/7656)). - The `podman play kube` command now properly handles `HostAlias` entries. - The `podman generate kube` command now adds entries to `/etc/hosts` from `--host-add` generated YAML as `HostAlias` entries. - The `podman play kube` and `podman generate kube` commands now properly support `shareProcessNamespace` to share the PID namespace in pods. 
@@ -29,6 +30,9 @@ - A new global option has been added to Podman, `--runtime-flags`, which allows for setting flags to use when the OCI runtime is called. - The `podman manifest add` command now supports the `--cert-dir`, `--auth-file`, `--creds`, and `--tls-verify` options. +### Security +- This release resolves CVE-2020-14370, in which environment variables could be leaked between containers created using the Varlink API. + ### Changes - Podman will now retry pulling an image 3 times if a pull fails due to network errors. - The `podman exec` command would previously print error messages (e.g. `exec session exited with non-zero exit code -1`) when the command run exited with a non-0 exit code. It no longer does this. The `podman exec` command will still exit with the same exit code as the command run in the container did. 
@@ -72,8 +76,12 @@ - Fixed a bug where the `--infra-command` parameter to `podman pod create` was nonfunctional. - Fixed a bug where `podman auto-update` would fail for any container started with `--pull=always` ([#7407](https://github.com/containers/podman/issues/7407)). - Fixed a bug where the `podman wait` command would only accept a single argument. +- Fixed a bug where the parsing of the `--volumes-from` option to `podman run` and `podman create` was broken, making it impossible to use multiple mount options at the same time ([#7701](https://github.com/containers/podman/issues/7701)). +- Fixed a bug where the `podman exec` command would not join executed processes to the container's supplemental groups if the container was started with both the `--user` and `--group-add` options. +- Fixed a bug where the `--iidfile` option to `podman-remote build` was nonfunctional. ### API +- The Libpod API version has been bumped to v2.0.0 due to a breaking change in the Image List API. - Docker-compatible Volume Endpoints (Create, Inspect, List, Remove, Prune) are now available! - Added an endpoint for generating systemd unit files for containers. - The `last` parameter to the Libpod container list endpoint now has an alias, `limit` ([#6413](https://github.com/containers/podman/issues/6413)). 
@@ -96,6 +104,9 @@ - All non-hijacking responses to API requests should not include headers with the version of the server. - Fixed a bug where Libpod and Compat Events endpoints did not send response headers until the first event occurred ([#7263](https://github.com/containers/podman/issues/7263)). - Fixed a bug where the Build endpoints (Compat and Libpod) did not stream progress to the client. +- Fixed a bug where the Stats endpoints (Compat and Libpod) did not properly handle clients disconnecting. +- Fixed a bug where the Ignore parameter to the Libpod Stop endpoint was not performing properly. +- Fixed a bug where the Compat Logs endpoint for containers did not stream its output in the correct format ([#7196](https://github.com/containers/podman/issues/7196)). ### Misc - Updated Buildah to v1.16.1 diff --git a/changelog.txt b/changelog.txt index b98e91d63..0ec721996 100644 --- a/changelog.txt +++ b/changelog.txt 
@@ -1,3 +1,32 @@ +- Changelog for v2.1.0 (2020-09-22): + * Update release notes for v2.1.0 Final Release + * Fix up attach tests for podman remote + * update stale bot + * [CI:DOCS] Add 'In Progress' note to CONTRIBUTING.md + * Restore 'id' stanza in pull results + * Fix podman image unmount to only report images unmounted + * libpod: bumps up rootless-cni-infra to 2 + * stats: log errors instead of sending 500 + * Fix incorrect parsing of create/run --volumes-from + * rootless-cni-infra: fix flakiness during bringing up lo interface + * Fix handling of podman-remote stop --ignore + * Refactor version handling in cmd tree + * Preserve groups in exec sessions in ctrs with --user + * Install bats as root + * Makefile: Fix broken libpodimage targets + * stats: detect closed client connection + * stats endpoint: write OK header once + * handle the play kube and generate kube for with restartPolicy + * fix the .Path and .Args when use the infra-command + * Update nix pin with `make nixpkgs` + * fix a typo of login.1.md + * Bump github.com/rootless-containers/rootlesskit from 0.10.0 to 0.10.1 + * enable --iidfile for podman-remote build + * update github.com/docker/docker and relevant deps + * Make Go builds more consistent + * dependabot-dance: new tool for managing revendor PRs + * WIP: Fix remote logs + - Changelog for v2.1.0-rc2 (2020-09-17) * Update release notes for Podman v2.1.0-RC2 * Fix play_kube_test deployment template diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in index 363aa60d7..2e266b59f 100644 --- a/contrib/spec/podman.spec.in +++ b/contrib/spec/podman.spec.in @@ -42,7 +42,7 @@ Epoch: 99 %else Epoch: 0 %endif -Version: 2.1.0 +Version: 2.2.0 Release: #COMMITDATE#.git%{shortcommit0}%{?dist} Summary: Manage Pods, Containers and Container Images License: ASL 2.0 diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go index cc62c3f27..25c0c184f 100644 --- a/pkg/domain/infra/abi/images.go 
+++ b/pkg/domain/infra/abi/images.go @@ -191,6 +191,15 @@ func (ir *ImageEngine) Unmount(ctx context.Context, nameOrIDs []string, options reports := []*entities.ImageUnmountReport{} for _, img := range images { report := entities.ImageUnmountReport{Id: img.ID()} + mounted, _, err := img.Mounted() + if err != nil { + // Errors will be caught in Unmount call below + // Default assumption to mounted + mounted = true + } + if !mounted { + continue + } if err := img.Unmount(options.Force); err != nil { if options.All && errors.Cause(err) == storage.ErrLayerNotMounted { logrus.Debugf("Error umounting image %s, storage.ErrLayerNotMounted", img.ID()) diff --git a/pkg/domain/infra/tunnel/containers.go b/pkg/domain/infra/tunnel/containers.go index 3e99b73b6..d0f90d900 100644 --- a/pkg/domain/infra/tunnel/containers.go +++ b/pkg/domain/infra/tunnel/containers.go @@ -389,6 +389,15 @@ func (ic *ContainerEngine) ContainerLogs(_ context.Context, nameOrIDs []string, } func (ic *ContainerEngine) ContainerAttach(ctx context.Context, nameOrID string, options entities.AttachOptions) error { + ctrs, err := getContainersByContext(ic.ClientCxt, false, false, []string{nameOrID}) + if err != nil { + return err + } + ctr := ctrs[0] + if ctr.State != define.ContainerStateRunning.String() { + return errors.Errorf("you can only attach to running containers") + } + return containers.Attach(ic.ClientCxt, nameOrID, &options.DetachKeys, nil, bindings.PTrue, options.Stdin, options.Stdout, options.Stderr, nil) } diff --git a/pkg/hooks/1.0.0/hook.go b/pkg/hooks/1.0.0/hook.go index 77fbab5aa..244e8800f 100644 --- a/pkg/hooks/1.0.0/hook.go +++ b/pkg/hooks/1.0.0/hook.go 
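Review bot: The error from `img.Mounted()` in the Unmount loop is dropped without a trace, so a storage failure there is only visible if the later `img.Unmount` call happens to fail as well. A debug line in the `err != nil` branch, e.g. `logrus.Debugf("Error checking whether image %s is mounted: %v", img.ID(), err)`, would keep that diagnosable. The `continue` for unmounted images is also not limited to `options.All`, so an explicitly named image that is not mounted now yields no report and no error; if that is intended it deserves a comment, otherwise `if !mounted && options.All {` would confine the skip. `report` is built before the check and could move below it; the loop body continues outside the hunk.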
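Review bot: `ctr := ctrs[0]` in ContainerAttach indexes the result without checking its length, so an empty slice returned together with a nil error would panic the client. Whether getContainersByContext can return that is not visible here, so a guard such as `if len(ctrs) == 0 { return errors.Errorf("no such container %q", nameOrID) }` is cheap insurance. The state test is evaluated on the client before the attach request is sent, so the container can leave the running state in between and the server-side attach handler has to remain the authoritative check. `errors.Errorf` with no format arguments can be `errors.New`.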
@@ -67,7 +67,14 @@ func (hook *Hook) Validate(extensionStages []string) (err error) { return errors.New("missing required property: stages") } - validStages := map[string]bool{"prestart": true, "poststart": true, "poststop": true} + validStages := map[string]bool{ + "createContainer": true, + "createRuntime": true, + "prestart": true, + "poststart": true, + "poststop": true, + "startContainer": true, + } for _, stage := range extensionStages { validStages[stage] = true } diff --git a/pkg/hooks/hooks.go b/pkg/hooks/hooks.go index 2a12eceac..6257529ab 100644 --- a/pkg/hooks/hooks.go +++ b/pkg/hooks/hooks.go @@ -120,12 +120,18 @@ func (m *Manager) Hooks(config *rspec.Spec, annotations map[string]string, hasBi extensionStageHooks[stage] = append(extensionStageHooks[stage], namedHook.hook.Hook) } else { switch stage { + case "createContainer": + config.Hooks.CreateContainer = append(config.Hooks.CreateContainer, namedHook.hook.Hook) + case "createRuntime": + config.Hooks.CreateRuntime = append(config.Hooks.CreateRuntime, namedHook.hook.Hook) case "prestart": config.Hooks.Prestart = append(config.Hooks.Prestart, namedHook.hook.Hook) case "poststart": config.Hooks.Poststart = append(config.Hooks.Poststart, namedHook.hook.Hook) case "poststop": config.Hooks.Poststop = append(config.Hooks.Poststop, namedHook.hook.Hook) + case "startContainer": + config.Hooks.StartContainer = append(config.Hooks.StartContainer, namedHook.hook.Hook) default: return extensionStageHooks, fmt.Errorf("hook %q: unknown stage %q", namedHook.name, stage) } diff --git a/test/e2e/attach_test.go b/test/e2e/attach_test.go index 7b18f71ac..8065f6298 100644 --- a/test/e2e/attach_test.go +++ b/test/e2e/attach_test.go 
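Review bot: The stage names in `validStages` are spelled out a second time as string literals in the `switch stage` of Manager.Hooks in pkg/hooks/hooks.go, and nothing ties the two lists together. A stage accepted by Validate but missing from the switch only surfaces at runtime as `unknown stage`. Either derive both from one set of named constants or add a comment above the map, e.g. `// Keep in sync with the stage switch in hooks.Manager.Hooks.` Validate's body continues outside the hunk.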
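Review bot: The three new cases are wired exactly like `prestart`, but per the OCI runtime spec they do not run in the same context, and nothing in the switch says so. createRuntime hooks execute in the runtime namespace, while createContainer and startContainer hooks execute in the container namespace, and for startContainer the hook path is resolved inside the container as well. A hook definition moved from `prestart` to one of these stages therefore runs with a different namespace and filesystem view, so a comment on the switch would help, e.g. `// createContainer and startContainer hooks execute in the container namespace; see the OCI runtime spec.` The switch sits inside a loop that starts outside the hunk.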
@@ -40,7 +40,6 @@ var _ = Describe("Podman attach", func() { }) It("podman attach to non-running container", func() { - SkipIfRemote() session := podmanTest.Podman([]string{"create", "--name", "test1", "-d", "-i", ALPINE, "ls"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) @@ -51,8 +50,8 @@ var _ = Describe("Podman attach", func() { }) It("podman container attach to non-running container", func() { - SkipIfRemote() session := podmanTest.Podman([]string{"container", "create", "--name", "test1", "-d", "-i", ALPINE, "ls"}) + session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) @@ -87,7 +86,6 @@ var _ = Describe("Podman attach", func() { Expect(podmanTest.NumberOfContainersRunning()).To(Equal(1)) }) It("podman attach to the latest container", func() { - SkipIfRemote() session := podmanTest.Podman([]string{"run", "-d", "--name", "test1", ALPINE, "/bin/sh", "-c", "while true; do echo test1; sleep 1; done"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) @@ -96,7 +94,11 @@ var _ = Describe("Podman attach", func() { session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) - results := podmanTest.Podman([]string{"attach", "-l"}) + cid := "-l" + if IsRemote() { + cid = "test2" + } + results := podmanTest.Podman([]string{"attach", cid}) time.Sleep(2 * time.Second) results.Signal(syscall.SIGTSTP) Expect(results.OutputToString()).To(ContainSubstring("test2")) diff --git a/test/e2e/libpod_suite_remote_test.go b/test/e2e/libpod_suite_remote_test.go index 874789b5e..e74d9bf7c 100644 --- a/test/e2e/libpod_suite_remote_test.go +++ b/test/e2e/libpod_suite_remote_test.go @@ -19,6 +19,10 @@ import ( "github.com/onsi/ginkgo" ) +func IsRemote() bool { + return true +} + func SkipIfRemote() { ginkgo.Skip("This function is not enabled for remote podman") } diff --git a/test/e2e/libpod_suite_test.go b/test/e2e/libpod_suite_test.go index bfd898108..0f33798b7 100644 --- a/test/e2e/libpod_suite_test.go 
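Review bot: `IsRemote` is added without a doc comment in test/e2e/libpod_suite_remote_test.go and in the matching hunks for test/e2e/libpod_suite_test.go and test/e2e/libpod_suite_varlink_test.go, and the three bodies differ only in the constant they return. A line such as `// IsRemote reports whether the suite drives podman through the remote client.` on each copy would tell a reader why the same function exists three times. The build constraints that presumably select one copy are outside the hunks.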
+++ b/test/e2e/libpod_suite_test.go @@ -12,6 +12,10 @@ import ( . "github.com/onsi/ginkgo" ) +func IsRemote() bool { + return false +} + func SkipIfRemote() { } diff --git a/test/e2e/libpod_suite_varlink_test.go b/test/e2e/libpod_suite_varlink_test.go index 750c8cd09..0d7032429 100644 --- a/test/e2e/libpod_suite_varlink_test.go +++ b/test/e2e/libpod_suite_varlink_test.go @@ -19,6 +19,10 @@ import ( "github.com/onsi/ginkgo" ) +func IsRemote() bool { + return true +} + func SkipIfRemote() { ginkgo.Skip("This function is not enabled for remote podman") } diff --git a/test/e2e/mount_test.go b/test/e2e/mount_test.go index a2b448337..1fbb92b09 100644 --- a/test/e2e/mount_test.go +++ b/test/e2e/mount_test.go @@ -348,6 +348,25 @@ var _ = Describe("Podman mount", func() { Expect(umount.ExitCode()).To(Equal(0)) }) + It("podman umount --all", func() { + setup := podmanTest.PodmanNoCache([]string{"pull", fedoraMinimal}) + setup.WaitWithDefaultTimeout() + Expect(setup.ExitCode()).To(Equal(0)) + + setup = podmanTest.PodmanNoCache([]string{"pull", ALPINE}) + setup.WaitWithDefaultTimeout() + Expect(setup.ExitCode()).To(Equal(0)) + + mount := podmanTest.Podman([]string{"image", "mount", fedoraMinimal}) + mount.WaitWithDefaultTimeout() + Expect(mount.ExitCode()).To(Equal(0)) + + umount := podmanTest.Podman([]string{"image", "umount", "--all"}) + umount.WaitWithDefaultTimeout() + Expect(umount.ExitCode()).To(Equal(0)) + Expect(len(umount.OutputToStringArray())).To(Equal(1)) + }) + It("podman mount many", func() { setup := podmanTest.PodmanNoCache([]string{"pull", fedoraMinimal}) setup.WaitWithDefaultTimeout() 
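Review bot: The new `podman umount --all` test checks only `len(umount.OutputToStringArray())`, so it passes for any single line of output, including one that names the wrong image. Capturing the identifier of the mounted image earlier in the test and asserting on it, for instance `Expect(umount.OutputToString()).To(ContainSubstring(fedoraID))` where `fedoraID` is a value the test would have to obtain itself, would pin the behaviour the change in pkg/domain/infra/abi/images.go is meant to provide. The output is presumably the image ID from the unmount report, which this hunk does not show.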
@@ -402,6 +421,10 @@ var _ = Describe("Podman mount", func() { Expect(mount.ExitCode()).To(Equal(0)) Expect(mount.OutputToString()).To(Equal("")) + umount = podmanTest.PodmanNoCache([]string{"image", "umount", fedoraMinimal, ALPINE}) + umount.WaitWithDefaultTimeout() + Expect(umount.ExitCode()).To(Equal(0)) + mount1 = podmanTest.PodmanNoCache([]string{"image", "mount", "--all"}) mount1.WaitWithDefaultTimeout() Expect(mount1.ExitCode()).To(Equal(0)) diff --git a/version/version.go b/version/version.go index df2e4f2ba..e6b1425ef 100644 --- a/version/version.go +++ b/version/version.go @@ -8,7 +8,7 @@ import ( // NOTE: remember to bump the version at the top // of the top-level README.md file when this is // bumped. -var Version = semver.MustParse("2.1.0-dev") +var Version = semver.MustParse("2.2.0-dev") // APIVersion is the version for the remote // client API. It is used to determine compatibility |