-rw-r--r-- | .github/workflows/multi-arch-build.yaml | 4 | ||||
-rw-r--r-- | go.mod | 2 | ||||
-rw-r--r-- | go.sum | 4 | ||||
-rw-r--r-- | libpod/container_internal_linux.go | 13 | ||||
-rw-r--r-- | libpod/runtime_ctr.go | 2 | ||||
-rw-r--r-- | pkg/api/handlers/compat/containers.go | 5 | ||||
-rw-r--r-- | test/apiv2/20-containers.at | 5 | ||||
-rw-r--r-- | test/e2e/run_cgroup_parent_test.go | 35 | ||||
-rwxr-xr-x | test/system/build-testimage | 6 | ||||
-rw-r--r-- | test/system/helpers.bash | 4 | ||||
-rw-r--r-- | troubleshooting.md | 12 | ||||
-rw-r--r-- | vendor/modules.txt | 2 |
12 files changed, 76 insertions, 18 deletions
diff --git a/.github/workflows/multi-arch-build.yaml b/.github/workflows/multi-arch-build.yaml
index 2a86bab7e..0f8a3df7e 100644
--- a/.github/workflows/multi-arch-build.yaml
+++ b/.github/workflows/multi-arch-build.yaml
@@ -24,6 +24,8 @@ jobs:
 # build several images (upstream, testing, stable) in parallel
 strategy:
+ # By default, failure of one matrix item cancels all others
+ fail-fast: false
 matrix:
 # Builds are located under contrib/podmanimage/<source> directory
 source:
@@ -178,7 +180,7 @@ jobs:
 file: ./contrib/podmanimage/${{ matrix.source }}/Dockerfile
 platforms: ${{ env.PLATFORMS }}
 push: true
- tags: ${{ steps.podman_push.outputs.fqin }}
+ tags: ${{ steps.podman_reg.outputs.fqin }}
 labels: |
 ${{ env.LABELS }}
@@ -58,7 +58,7 @@ require (
 github.com/spf13/pflag v1.0.5
 github.com/stretchr/testify v1.7.0
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
- github.com/uber/jaeger-client-go v2.27.0+incompatible
+ github.com/uber/jaeger-client-go v2.28.0+incompatible
 github.com/vbauerster/mpb/v6 v6.0.3
 github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852
 go.etcd.io/bbolt v1.3.5
@@ -790,8 +790,8 @@ github.com/tchap/go-patricia v2.3.0+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/u-root/u-root v7.0.0+incompatible/go.mod h1:RYkpo8pTHrNjW08opNd/U6p/RJE7K0D8fXO0d47+3YY=
-github.com/uber/jaeger-client-go v2.27.0+incompatible h1:6WVONolFJiB8Vx9bq4z9ddyV/SXSpfvvtb7Yl/TGHiE=
-github.com/uber/jaeger-client-go v2.27.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
+github.com/uber/jaeger-client-go v2.28.0+incompatible h1:G4QSBfvPKvg5ZM2j9MrJFdfI5iSljY/WnJqOGFao6HI=
+github.com/uber/jaeger-client-go v2.28.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
 github.com/ulikunitz/xz v0.5.9/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8=
 github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index f4762b5ff..f6045f881 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -2224,8 +2224,19 @@ func (c *Container) getOCICgroupPath() (string, error) {
 }
 cgroupManager := c.CgroupManager()
 switch {
- case (rootless.IsRootless() && (cgroupManager == config.CgroupfsCgroupsManager || !unified)) || c.config.NoCgroups:
+ case c.config.NoCgroups:
 return "", nil
+ case (rootless.IsRootless() && (cgroupManager == config.CgroupfsCgroupsManager || !unified)):
+ if c.config.CgroupParent == CgroupfsDefaultCgroupParent {
+ // old versions of podman were setting the CgroupParent to CgroupfsDefaultCgroupParent
+ // by default. Avoid breaking these versions and check whether the cgroup parent is
+ // set to the default and in this case enable the old behavior. It should not be a real
+ // problem because the default CgroupParent is usually owned by root so rootless users
+ // cannot access it.
+ // This check might be lifted in a future version of Podman.
+ return "", nil
+ }
+ return c.config.CgroupParent, nil
 case c.config.CgroupsMode == cgroupSplit:
 if c.config.CgroupParent != "" {
 return c.config.CgroupParent, nil
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index 0acf88cbc..328f47c12 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -296,7 +296,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
 return nil, errors.Wrapf(define.ErrInternal, "pod %s cgroup is not set", pod.ID())
 }
 ctr.config.CgroupParent = podCgroup
- } else {
+ } else if !rootless.IsRootless() {
 ctr.config.CgroupParent = CgroupfsDefaultCgroupParent
 }
 } else if strings.HasSuffix(path.Base(ctr.config.CgroupParent), ".slice") {
diff --git a/pkg/api/handlers/compat/containers.go b/pkg/api/handlers/compat/containers.go
index d97a4d3bd..263d64a7b 100644
--- a/pkg/api/handlers/compat/containers.go
+++ b/pkg/api/handlers/compat/containers.go
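Review bot: The new `} else if !rootless.IsRootless() {` in `setupContainer` leaves `ctr.config.CgroupParent` empty for rootless runs without saying why, and the reason lives in another file: the rootless case added to `getOCICgroupPath()` (the container_internal_linux.go hunk above) returns `c.config.CgroupParent` verbatim, so an empty value is presumably what makes rootless cgroupfs skip cgroup placement while an explicit `--cgroup-parent` is now honored. A comment on the changed line would keep the two sides from drifting: `} else if !rootless.IsRootless() { // rootless: leave CgroupParent empty so getOCICgroupPath() creates no cgroup unless the user asked for a parent`. Note also that the compatibility check in `getOCICgroupPath()` silently drops a rootless request whose parent equals `CgroupfsDefaultCgroupParent`; the added comment acknowledges this, but nothing surfaces it at run time, so a debug-level log there would help when a user's explicit parent appears to be ignored. Both enclosing functions start and end outside their hunks.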
@@ -22,6 +22,7 @@ import (
 "github.com/containers/podman/v3/pkg/util"
 "github.com/docker/docker/api/types"
 "github.com/docker/docker/api/types/container"
+ "github.com/docker/docker/api/types/network"
 "github.com/docker/go-connections/nat"
 "github.com/docker/go-units"
 "github.com/gorilla/schema"
@@ -526,6 +527,10 @@ func LibpodToContainerJSON(l *libpod.Container, sz bool) (*types.ContainerJSON,
 if err := json.Unmarshal(n, &networkSettings); err != nil {
 return nil, err
 }
+ // do not report null instead use an empty map
+ if networkSettings.Networks == nil {
+ networkSettings.Networks = map[string]*network.EndpointSettings{}
+ }
 c := types.ContainerJSON{
 ContainerJSONBase: &cb,
diff --git a/test/apiv2/20-containers.at b/test/apiv2/20-containers.at
index 58b2dff0a..66ba099e3 100644
--- a/test/apiv2/20-containers.at
+++ b/test/apiv2/20-containers.at
@@ -205,10 +205,15 @@ t GET containers/$cid/json 200 \
 t POST containers/create Image=$IMAGE Entrypoint='["top"]' 201 \
 .Id~[0-9a-f]\\{64\\}
 cid_top=$(jq -r '.Id' <<<"$output")
+network_expect="{}"
+if root; then
+ network_expect='.podman.NetworkID=podman'
+fi
 t GET containers/${cid_top}/json 200 \
 .Config.Entrypoint[0]="top" \
 .Config.Cmd='[]' \
 .Path="top"
+ .NetworkSettings.Networks="$network_expect"
 t POST containers/${cid_top}/start 204
 # make sure the container is running
 t GET containers/${cid_top}/json 200 \
diff --git a/test/e2e/run_cgroup_parent_test.go b/test/e2e/run_cgroup_parent_test.go
index d68b1bb5f..1df4c4033 100644
--- a/test/e2e/run_cgroup_parent_test.go
+++ b/test/e2e/run_cgroup_parent_test.go
@@ -1,7 +1,10 @@
 package integration
 import (
+ "fmt"
 "os"
+ "path/filepath"
+ "strings"
 . "github.com/containers/podman/v3/test/utils"
 . "github.com/onsi/ginkgo"
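Review bot: The added `.NetworkSettings.Networks="$network_expect"` in 20-containers.at is not attached to the `t GET containers/${cid_top}/json 200` command: the unchanged context line `.Path="top"` carries no trailing backslash, while every other continuation line in the hunk keeps its `\`. Unless the backslash was lost in rendering, the new expectation is executed as a separate shell command rather than passed to `t`, so the network assertion this commit relies on is never checked. The context line has to become part of the change: `-  .Path="top"` and `+  .Path="top" \`, followed by the new `.NetworkSettings.Networks` line.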
@@ -58,6 +61,38 @@ var _ = Describe("Podman run with --cgroup-parent", func() {
 Expect(ok).To(BeTrue())
 })
+ Specify("always honor --cgroup-parent", func() {
+ SkipIfCgroupV1("test not supported in cgroups v1")
+ if Containerized() || podmanTest.CgroupManager == "cgroupfs" {
+ Skip("Requires Systemd cgroup manager support")
+ }
+ if IsRemote() {
+ Skip("Not supported for remote")
+ }
+
+ run := podmanTest.Podman([]string{"run", "-d", "--cgroupns=host", fedoraMinimal, "sleep", "100"})
+ run.WaitWithDefaultTimeout()
+ Expect(run.ExitCode()).To(Equal(0))
+ cid := run.OutputToString()
+
+ exec := podmanTest.Podman([]string{"exec", cid, "cat", "/proc/self/cgroup"})
+ exec.WaitWithDefaultTimeout()
+ Expect(exec.ExitCode()).To(Equal(0))
+
+ cgroup := filepath.Dir(strings.TrimRight(strings.Replace(exec.OutputToString(), "0::", "", -1), "\n"))
+
+ run = podmanTest.Podman([]string{"--cgroup-manager=cgroupfs", "run", "-d", fmt.Sprintf("--cgroup-parent=%s", cgroup), fedoraMinimal, "sleep", "100"})
+ run.WaitWithDefaultTimeout()
+ Expect(run.ExitCode()).To(Equal(0))
+
+ exec = podmanTest.Podman([]string{"exec", cid, "cat", "/proc/self/cgroup"})
+ exec.WaitWithDefaultTimeout()
+ Expect(exec.ExitCode()).To(Equal(0))
+ cgroupEffective := filepath.Dir(strings.TrimRight(strings.Replace(exec.OutputToString(), "0::", "", -1), "\n"))
+
+ Expect(cgroupEffective).To(Equal(cgroup))
+ })
+
 Specify("valid --cgroup-parent using slice", func() {
 if Containerized() || podmanTest.CgroupManager == "cgroupfs" {
 Skip("Requires Systemd cgroup manager support")
diff --git a/test/system/build-testimage b/test/system/build-testimage
index aac08e307..3e5b982ce 100755
--- a/test/system/build-testimage
+++ b/test/system/build-testimage
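Review bot: The second `podman exec` in the new `always honor --cgroup-parent` spec still targets `cid`, which holds the ID of the first container; `cid` is never reassigned after the second `run`, so `cgroupEffective` is read from the original container and `Expect(cgroupEffective).To(Equal(cgroup))` passes whether or not `--cgroup-parent` was honored. Capture the new container's ID before the exec: `cid = run.OutputToString()` right after the second `Expect(run.ExitCode()).To(Equal(0))`. The `strings.Replace(…, "0::", "", -1)` calls would also read more directly as `strings.ReplaceAll(…, "0::", "")`. The enclosing Describe block starts and ends outside the hunk.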
@@ -78,7 +78,7 @@ podman rmi -f testimage &> /dev/null || true
 # and because Dan says arch emulation is not currently working on podman
 # (no further details).
 # Arch emulation on Fedora requires the qemu-user-static package.
-for arch in amd64 ppc64le s390x;do
+for arch in amd64 arm64v8 ppc64le s390x;do
 ${BUILDAH} bud \
 --arch=$arch \
 --build-arg ARCH=$arch \
@@ -106,9 +106,9 @@ ${BUILDAH} manifest push --all ${remote_tag} docker://${remote_tag}
 # As of 2021-02-24 it is simply busybox, because it is super small,
 # but it's complicated because of multiarch:
 #
-# img=quay.io/libpod/testimage:00000001
+# img=quay.io/libpod/testimage:0000000<current+1>
 # buildah manifest create $img
-# for arch in amd64 ppc64le s390x;do
+# for arch in amd64 arm64v8 ppc64le s390x;do
 # buildah pull --arch $arch docker.io/$arch/busybox:1.32.0
 # buildah manifest add $img docker.io/$arch/busybox:1.32.0
 # done
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index b9eacfd0b..1de7ddfd9 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -7,14 +7,14 @@ PODMAN=${PODMAN:-podman}
 PODMAN_TEST_IMAGE_REGISTRY=${PODMAN_TEST_IMAGE_REGISTRY:-"quay.io"}
 PODMAN_TEST_IMAGE_USER=${PODMAN_TEST_IMAGE_USER:-"libpod"}
 PODMAN_TEST_IMAGE_NAME=${PODMAN_TEST_IMAGE_NAME:-"testimage"}
-PODMAN_TEST_IMAGE_TAG=${PODMAN_TEST_IMAGE_TAG:-"20210223"}
+PODMAN_TEST_IMAGE_TAG=${PODMAN_TEST_IMAGE_TAG:-"20210427"}
 PODMAN_TEST_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:$PODMAN_TEST_IMAGE_TAG"
 PODMAN_TEST_IMAGE_ID=
 # Remote image that we *DO NOT* fetch or keep by default; used for testing pull
 # This changed from 0 to 1 on 2021-02-24 due to multiarch considerations; it
 # should change only very rarely.
-PODMAN_NONLOCAL_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:00000001"
+PODMAN_NONLOCAL_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:00000002"
 # Because who wants to spell that out each time?
 IMAGE=$PODMAN_TEST_IMAGE_FQN
diff --git a/troubleshooting.md b/troubleshooting.md
index 1e21edab4..e320f20e7 100644
--- a/troubleshooting.md
+++ b/troubleshooting.md
@@ -495,10 +495,10 @@ $ podman unshare cat /proc/self/uid_map
 Reference [subuid](http://man7.org/linux/man-pages/man5/subuid.5.html) and [subgid](http://man7.org/linux/man-pages/man5/subgid.5.html) man pages for more detail.
-### 20) Passed-in device can't be accessed in rootless container
+### 20) Passed-in devices or files can't be accessed in rootless container
-As a non-root user you have group access rights to a device that you want to
-pass into a rootless container with `--device=...`.
+As a non-root user you have group access rights to a device or files that you
+want to pass into a rootless container with `--device=...` or `--volume=...`
 #### Symptom
@@ -507,9 +507,9 @@ Any access inside the container is rejected with "Permission denied".
 #### Solution
 The runtime uses `setgroups(2)` hence the process looses all additional groups
-the non-root user has. If you use the `crun` runtime, 0.10.4 or newer,
-then you can enable a workaround by adding `--annotation io.crun.keep_original_groups=1`
-to the `podman` command line.
+the non-root user has. Use the `--group-add keep-groups` flag to pass the
+user's supplementary group access into the container. Currently only available
+with the `crun` OCI runtime.
 ### 21) A rootless container running in detached mode is closed at logout
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 446081623..f7333e830 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -579,7 +579,7 @@ github.com/stretchr/testify/require
 github.com/syndtr/gocapability/capability
 # github.com/tchap/go-patricia v2.3.0+incompatible
 github.com/tchap/go-patricia/patricia
-# github.com/uber/jaeger-client-go v2.27.0+incompatible
+# github.com/uber/jaeger-client-go v2.28.0+incompatible
 github.com/uber/jaeger-client-go/log
 github.com/uber/jaeger-client-go/thrift
 github.com/uber/jaeger-client-go/thrift-gen/agent |