summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--cmd/podman/common/specgen.go7
-rw-r--r--cmd/podman/generate/kube.go8
-rw-r--r--cmd/podman/networks/reload.go69
-rw-r--r--docs/source/markdown/podman-create.1.md7
-rw-r--r--docs/source/markdown/podman-generate-kube.1.md8
-rw-r--r--docs/source/markdown/podman-image-sign.1.md10
-rw-r--r--docs/source/markdown/podman-network-reload.1.md62
-rw-r--r--docs/source/markdown/podman-network.1.md17
-rw-r--r--docs/source/network.rst2
-rw-r--r--go.mod2
-rw-r--r--go.sum2
-rw-r--r--libpod/container.go25
-rw-r--r--libpod/container_api.go26
-rw-r--r--libpod/container_config.go8
-rw-r--r--libpod/container_internal_linux.go13
-rw-r--r--libpod/container_internal_unsupported.go4
-rw-r--r--libpod/kube.go28
-rw-r--r--libpod/networking_linux.go92
-rw-r--r--libpod/networking_unsupported.go9
-rw-r--r--libpod/stats.go2
-rw-r--r--pkg/api/handlers/libpod/generate.go5
-rw-r--r--pkg/api/server/register_generate.go12
-rw-r--r--pkg/bindings/generate/generate.go11
-rw-r--r--pkg/domain/entities/engine_container.go3
-rw-r--r--pkg/domain/entities/network.go13
-rw-r--r--pkg/domain/infra/abi/generate.go54
-rw-r--r--pkg/domain/infra/abi/images.go61
-rw-r--r--pkg/domain/infra/abi/network.go20
-rw-r--r--pkg/domain/infra/tunnel/generate.go4
-rw-r--r--pkg/domain/infra/tunnel/network.go4
-rw-r--r--pkg/trust/trust.go25
-rw-r--r--test/apiv2/25-containersMore.at4
-rw-r--r--test/e2e/generate_kube_test.go70
-rw-r--r--test/e2e/network_test.go8
-rw-r--r--test/e2e/run_test.go8
-rw-r--r--test/e2e/stats_test.go10
-rw-r--r--test/system/500-networking.bats64
-rw-r--r--vendor/github.com/containers/image/v5/copy/copy.go12
-rw-r--r--vendor/github.com/containers/image/v5/pkg/compression/compression.go3
-rw-r--r--vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go15
-rw-r--r--vendor/github.com/containers/image/v5/signature/policy_config.go76
-rw-r--r--vendor/github.com/containers/image/v5/signature/policy_reference_match.go65
-rw-r--r--vendor/github.com/containers/image/v5/signature/policy_types.go11
-rw-r--r--vendor/github.com/containers/image/v5/version/version.go4
-rw-r--r--vendor/modules.txt2
45 files changed, 823 insertions, 142 deletions
diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go
index e0da142ad..c416d0d7b 100644
--- a/cmd/podman/common/specgen.go
+++ b/cmd/podman/common/specgen.go
@@ -531,6 +531,13 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
case "seccomp":
s.SeccompProfilePath = con[1]
s.Annotations[define.InspectAnnotationSeccomp] = con[1]
+ // this option is for docker compatibility, it is the same as unmask=ALL
+ case "systempaths":
+ if con[1] == "unconfined" {
+ s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, []string{"ALL"}...)
+ } else {
+ return fmt.Errorf("invalid systempaths option %q, only `unconfined` is supported", con[1])
+ }
case "unmask":
s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, strings.Split(con[1], ":")...)
default:
diff --git a/cmd/podman/generate/kube.go b/cmd/podman/generate/kube.go
index e47bd35b5..0517db19a 100644
--- a/cmd/podman/generate/kube.go
+++ b/cmd/podman/generate/kube.go
@@ -17,16 +17,16 @@ import (
var (
kubeOptions = entities.GenerateKubeOptions{}
kubeFile = ""
- kubeDescription = `Command generates Kubernetes pod and service YAML (v1 specification) from a Podman container or pod.
+ kubeDescription = `Command generates Kubernetes pod and service YAML (v1 specification) from Podman containers or a pod.
Whether the input is for a container or pod, Podman will always generate the specification as a pod.`
kubeCmd = &cobra.Command{
- Use: "kube [options] CONTAINER | POD",
+ Use: "kube [options] CONTAINER... | POD",
Short: "Generate Kubernetes YAML from a container or pod.",
Long: kubeDescription,
RunE: kube,
- Args: cobra.ExactArgs(1),
+ Args: cobra.MinimumNArgs(1),
ValidArgsFunction: common.AutocompleteContainersAndPods,
Example: `podman generate kube ctrID
podman generate kube podID
@@ -51,7 +51,7 @@ func init() {
}
func kube(cmd *cobra.Command, args []string) error {
- report, err := registry.ContainerEngine().GenerateKube(registry.GetContext(), args[0], kubeOptions)
+ report, err := registry.ContainerEngine().GenerateKube(registry.GetContext(), args, kubeOptions)
if err != nil {
return err
}
diff --git a/cmd/podman/networks/reload.go b/cmd/podman/networks/reload.go
new file mode 100644
index 000000000..16655c18c
--- /dev/null
+++ b/cmd/podman/networks/reload.go
@@ -0,0 +1,69 @@
+package network
+
+import (
+ "fmt"
+
+ "github.com/containers/podman/v2/cmd/podman/common"
+ "github.com/containers/podman/v2/cmd/podman/registry"
+ "github.com/containers/podman/v2/cmd/podman/utils"
+ "github.com/containers/podman/v2/cmd/podman/validate"
+ "github.com/containers/podman/v2/pkg/domain/entities"
+ "github.com/spf13/cobra"
+ "github.com/spf13/pflag"
+)
+
+var (
+ networkReloadDescription = `reload container networks, recreating firewall rules`
+ networkReloadCommand = &cobra.Command{
+ Use: "reload [options] [CONTAINER...]",
+ Short: "Reload firewall rules for one or more containers",
+ Long: networkReloadDescription,
+ RunE: networkReload,
+ Args: func(cmd *cobra.Command, args []string) error {
+ return validate.CheckAllLatestAndCIDFile(cmd, args, false, false)
+ },
+ ValidArgsFunction: common.AutocompleteContainers,
+ Example: `podman network reload --latest
+ podman network reload 3c13ef6dd843
+ podman network reload test1 test2`,
+ Annotations: map[string]string{
+ registry.ParentNSRequired: "",
+ },
+ }
+)
+
+var (
+ reloadOptions entities.NetworkReloadOptions
+)
+
+func reloadFlags(flags *pflag.FlagSet) {
+ flags.BoolVarP(&reloadOptions.All, "all", "a", false, "Reload network configuration of all containers")
+}
+
+func init() {
+ registry.Commands = append(registry.Commands, registry.CliCommand{
+ Mode: []entities.EngineMode{entities.ABIMode},
+ Command: networkReloadCommand,
+ Parent: networkCmd,
+ })
+ reloadFlags(networkReloadCommand.Flags())
+ validate.AddLatestFlag(networkReloadCommand, &reloadOptions.Latest)
+}
+
+func networkReload(cmd *cobra.Command, args []string) error {
+ responses, err := registry.ContainerEngine().NetworkReload(registry.Context(), args, reloadOptions)
+ if err != nil {
+ return err
+ }
+
+ var errs utils.OutputErrors
+ for _, r := range responses {
+ if r.Err == nil {
+ fmt.Println(r.Id)
+ } else {
+ errs = append(errs, r.Err)
+ }
+ }
+
+ return errs.PrintErrors()
+}
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 843e2b22f..64bfdb377 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -845,11 +845,18 @@ Security Options
- `label=filetype:TYPE` : Set the label file type for the container files
- `label=disable` : Turn off label separation for the container
+- `mask=/path/1:/path/2` : The paths to mask separated by a colon. A masked path
+ cannot be accessed inside the container.
+
- `no-new-privileges` : Disable container processes from gaining additional privileges
- `seccomp=unconfined` : Turn off seccomp confinement for the container
- `seccomp=profile.json` : White listed syscalls seccomp Json file to be used as a seccomp filter
+- `unmask=ALL or /path/1:/path/2` : Paths to unmask separated by a colon. If set to **ALL**, it will
+ unmask all the paths that are masked by default.
+ The default masked paths are **/proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.**
+
- `proc-opts=OPTIONS` : Comma separated list of options to use for the /proc mount. More details for the
possible mount options are specified at **proc(5)** man page.
diff --git a/docs/source/markdown/podman-generate-kube.1.md b/docs/source/markdown/podman-generate-kube.1.md
index 6fad89b1f..ed2143388 100644
--- a/docs/source/markdown/podman-generate-kube.1.md
+++ b/docs/source/markdown/podman-generate-kube.1.md
@@ -3,12 +3,12 @@
podman-generate-kube - Generate Kubernetes YAML based on a pod or container
## SYNOPSIS
-**podman generate kube** [*options*] *container* | *pod*
+**podman generate kube** [*options*] *container...* | *pod*
## DESCRIPTION
-**podman generate kube** will generate Kubernetes Pod YAML (v1 specification) from a Podman container or pod. Whether
-the input is for a container or pod, Podman will always generate the specification as a Pod. The input may be in the form
-of a pod or container name or ID.
+**podman generate kube** will generate Kubernetes Pod YAML (v1 specification) from Podman one or more containers or a single pod. Whether
+the input is for containers or a pod, Podman will always generate the specification as a Pod. The input may be in the form
+of a pod or one or more container names or IDs.
Note that the generated Kubernetes YAML file can be used to re-run the deployment via podman-play-kube(1).
diff --git a/docs/source/markdown/podman-image-sign.1.md b/docs/source/markdown/podman-image-sign.1.md
index 1bd6e5b9d..7a924b80b 100644
--- a/docs/source/markdown/podman-image-sign.1.md
+++ b/docs/source/markdown/podman-image-sign.1.md
@@ -9,7 +9,9 @@ podman-image-sign - Create a signature for an image
## DESCRIPTION
**podman image sign** will create a local signature for one or more local images that have
been pulled from a registry. The signature will be written to a directory
-derived from the registry configuration files in /etc/containers/registries.d. By default, the signature will be written into /var/lib/containers/sigstore directory.
+derived from the registry configuration files in `$HOME/.config/containers/registries.d` if it exists,
+otherwise `/etc/containers/registries.d` (unless overridden at compile-time), see **containers-registries.d(5)** for more information.
+By default, the signature will be written into `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for non-root users
## OPTIONS
@@ -38,7 +40,8 @@ Sign the busybox image with the identify of foo@bar.com with a user's keyring an
## RELATED CONFIGURATION
The write (and read) location for signatures is defined in YAML-based
-configuration files in /etc/containers/registries.d/. When you sign
+configuration files in /etc/containers/registries.d/ for root,
+or $HOME/.config/containers/registries.d for non-root users. When you sign
an image, Podman will use those configuration files to determine
where to write the signature based on the the name of the originating
registry or a default storage value unless overridden with the --directory
@@ -53,5 +56,8 @@ the signature will be written into sub-directories of
/var/lib/containers/sigstore/privateregistry.example.com. The use of 'sigstore' also means
the signature will be 'read' from that same location on a pull-related function.
+## SEE ALSO
+containers-registries.d(5)
+
## HISTORY
November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com)
diff --git a/docs/source/markdown/podman-network-reload.1.md b/docs/source/markdown/podman-network-reload.1.md
new file mode 100644
index 000000000..dd8047297
--- /dev/null
+++ b/docs/source/markdown/podman-network-reload.1.md
@@ -0,0 +1,62 @@
+% podman-network-reload(1)
+
+## NAME
+podman\-network\-reload - Reload network configuration for containers
+
+## SYNOPSIS
+**podman network reload** [*options*] [*container...*]
+
+## DESCRIPTION
+Reload one or more container network configurations.
+
+Rootful Podman relies on iptables rules in order to provide network connectivity. If the iptables rules are deleted,
+this happens for example with `firewall-cmd --reload`, the container loses network connectivity. This command restores
+the network connectivity.
+
+This command is not available for rootless users since rootless containers are not affected by such connectivity problems.
+
+## OPTIONS
+#### **--all**, **-a**
+
+Reload network configuration of all containers.
+
+#### **--latest**, **-l**
+
+Instead of providing the container name or ID, use the last created container. If you use methods other than Podman
+to run containers such as CRI-O, the last started container could be from either of those methods.
+
+The latest option is not supported on the remote client.
+
+## EXAMPLE
+
+Reload the network configuration after a firewall reload.
+
+```
+# podman run -p 80:80 -d nginx
+b1b538e8bc4078fc3ee1c95b666ebc7449b9a97bacd15bcbe464a29e1be59c1c
+# curl 127.0.0.1
+works
+# sudo firewall-cmd --reload
+success
+# curl 127.0.0.1
+hangs
+# podman network reload b1b538e8bc40
+b1b538e8bc4078fc3ee1c95b666ebc7449b9a97bacd15bcbe464a29e1be59c1c
+# curl 127.0.0.1
+works
+```
+
+Reload the network configuration for all containers.
+
+```
+# podman network reload --all
+b1b538e8bc4078fc3ee1c95b666ebc7449b9a97bacd15bcbe464a29e1be59c1c
+fe7e8eca56f844ec33af10f0aa3b31b44a172776e3277b9550a623ed5d96e72b
+```
+
+
+## SEE ALSO
+podman(1), podman-network(1)
+
+## HISTORY
+December 2020, Originally compiled by Paul Holzinger <paul.holzinger@web.de>
diff --git a/docs/source/markdown/podman-network.1.md b/docs/source/markdown/podman-network.1.md
index bc161659a..41e2ae885 100644
--- a/docs/source/markdown/podman-network.1.md
+++ b/docs/source/markdown/podman-network.1.md
@@ -11,14 +11,15 @@ The network command manages CNI networks for Podman.
## COMMANDS
-| Command | Man Page | Description |
-| ------- | --------------------------------------------------- | ---------------------------------------------------------------------------- |
-| connect | [podman-network-connect(1)](podman-network-connect.1.md)| Connect a container to a network|
-| create | [podman-network-create(1)](podman-network-create.1.md)| Create a Podman CNI network|
-| disconnect | [podman-network-disconnect(1)](podman-network-disconnect.1.md)| Disconnect a container from a network|
-| inspect | [podman-network-inspect(1)](podman-network-inspect.1.md)| Displays the raw CNI network configuration for one or more networks|
-| ls | [podman-network-ls(1)](podman-network-ls.1.md)| Display a summary of CNI networks |
-| rm | [podman-network-rm(1)](podman-network-rm.1.md)| Remove one or more CNI networks |
+| Command | Man Page | Description |
+| ---------- | -------------------------------------------------------------- | ------------------------------------------------------------------- |
+| connect | [podman-network-connect(1)](podman-network-connect.1.md) | Connect a container to a network |
+| create | [podman-network-create(1)](podman-network-create.1.md) | Create a Podman CNI network |
+| disconnect | [podman-network-disconnect(1)](podman-network-disconnect.1.md) | Disconnect a container from a network |
+| inspect | [podman-network-inspect(1)](podman-network-inspect.1.md) | Displays the raw CNI network configuration for one or more networks |
+| ls | [podman-network-ls(1)](podman-network-ls.1.md) | Display a summary of CNI networks |
+| reload | [podman-network-reload(1)](podman-network-reload.1.md) | Reload network configuration for containers |
+| rm | [podman-network-rm(1)](podman-network-rm.1.md) | Remove one or more CNI networks |
## SEE ALSO
podman(1)
diff --git a/docs/source/network.rst b/docs/source/network.rst
index 0414c0880..2ecb97858 100644
--- a/docs/source/network.rst
+++ b/docs/source/network.rst
@@ -11,4 +11,6 @@ Network
:doc:`ls <markdown/podman-network-ls.1>` network list
+:doc:`reload <markdown/podman-network-reload.1>` network reload
+
:doc:`rm <markdown/podman-network-rm.1>` network rm
diff --git a/go.mod b/go.mod
index f822e7994..966cc6057 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
github.com/containers/buildah v1.18.1-0.20201125084616-dd26b137459c
github.com/containers/common v0.31.0
github.com/containers/conmon v2.0.20+incompatible
- github.com/containers/image/v5 v5.8.1
+ github.com/containers/image/v5 v5.9.0
github.com/containers/psgo v1.5.1
github.com/containers/storage v1.24.1
github.com/coreos/go-systemd/v22 v22.1.0
diff --git a/go.sum b/go.sum
index 111e9f7d2..89217e39c 100644
--- a/go.sum
+++ b/go.sum
@@ -101,6 +101,8 @@ github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6J
github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
github.com/containers/image/v5 v5.8.1 h1:aHW8a/Kd0dTJ7PTL/fc6y12sJqHxWgqilu+XyHfjD8Q=
github.com/containers/image/v5 v5.8.1/go.mod h1:blOEFd/iFdeyh891ByhCVUc+xAcaI3gBegXECwz9UbQ=
+github.com/containers/image/v5 v5.9.0 h1:dRmUtcluQcmasNo3DpnRoZjfU0rOu1qZeL6wlDJr10Q=
+github.com/containers/image/v5 v5.9.0/go.mod h1:blOEFd/iFdeyh891ByhCVUc+xAcaI3gBegXECwz9UbQ=
github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
github.com/containers/ocicrypt v1.0.3 h1:vYgl+RZ9Q3DPMuTfxmN+qp0X2Bj52uuY2vnt6GzVe1c=
diff --git a/libpod/container.go b/libpod/container.go
index 4e0687318..96a21736c 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -921,13 +921,33 @@ func (c *Container) CgroupManager() string {
return cgroupManager
}
-// CGroupPath returns a cgroups "path" for a given container.
+// CGroupPath returns a cgroups "path" for the given container.
+// Note that the container must be running. Otherwise, an error
+// is returned.
func (c *Container) CGroupPath() (string, error) {
+ if !c.batched {
+ c.lock.Lock()
+ defer c.lock.Unlock()
+ if err := c.syncContainer(); err != nil {
+ return "", errors.Wrapf(err, "error updating container %s state", c.ID())
+ }
+ }
+ return c.cGroupPath()
+}
+
+// cGroupPath returns a cgroups "path" for the given container.
+// Note that the container must be running. Otherwise, an error
+// is returned.
+// NOTE: only call this when owning the container's lock.
+func (c *Container) cGroupPath() (string, error) {
if c.config.NoCgroups || c.config.CgroupsMode == "disabled" {
return "", errors.Wrapf(define.ErrNoCgroups, "this container is not creating cgroups")
}
+ if c.state.State != define.ContainerStateRunning && c.state.State != define.ContainerStatePaused {
+ return "", errors.Wrapf(define.ErrCtrStopped, "cannot get cgroup path unless container %s is running", c.ID())
+ }
- // Read /proc/[PID]/cgroup and find the *longest* cgroup entry. That's
+ // Read /proc/{PID}/cgroup and find the *longest* cgroup entry. That's
// needed to account for hacks in cgroups v1, where each line in the
// file could potentially point to a cgroup. The longest one, however,
// is the libpod-specific one we're looking for.
@@ -952,7 +972,6 @@ func (c *Container) CGroupPath() (string, error) {
if len(path) > len(cgroupPath) {
cgroupPath = path
}
-
}
if len(cgroupPath) == 0 {
diff --git a/libpod/container_api.go b/libpod/container_api.go
index 6a7ddc421..1b33f16b4 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -639,6 +639,32 @@ func (c *Container) Sync() error {
return nil
}
+// ReloadNetwork reconfigures the container's network.
+// Technically speaking, it will tear down and then reconfigure the container's
+// network namespace, which will result in all firewall rules being recreated.
+// It is mostly intended to be used in cases where the system firewall has been
+// reloaded, and existing rules have been wiped out. It is expected that some
+// downtime will result, as the rules are destroyed as part of this process.
+// At present, this only works on root containers; it may be expanded to restart
+// slirp4netns in the future to work with rootless containers as well.
+// Requires that the container must be running or created.
+func (c *Container) ReloadNetwork() error {
+ if !c.batched {
+ c.lock.Lock()
+ defer c.lock.Unlock()
+
+ if err := c.syncContainer(); err != nil {
+ return err
+ }
+ }
+
+ if !c.ensureState(define.ContainerStateCreated, define.ContainerStateRunning) {
+ return errors.Wrapf(define.ErrCtrStateInvalid, "cannot reload network unless container network has been configured")
+ }
+
+ return c.reloadNetwork()
+}
+
// Refresh is DEPRECATED and REMOVED.
func (c *Container) Refresh(ctx context.Context) error {
// This has been deprecated for a long while, and is in the process of
diff --git a/libpod/container_config.go b/libpod/container_config.go
index cc3ad25ea..c95be9b55 100644
--- a/libpod/container_config.go
+++ b/libpod/container_config.go
@@ -135,7 +135,13 @@ type ContainerRootFSConfig struct {
// OverlayVolumes lists the overlay volumes to mount into the container.
OverlayVolumes []*ContainerOverlayVolume `json:"overlayVolumes,omitempty"`
// ImageVolumes lists the image volumes to mount into the container.
- ImageVolumes []*ContainerImageVolume `json:"imageVolumes,omitempty"`
+ // Please note that this is named ctrImageVolumes in JSON to
+ // distinguish between these and the old `imageVolumes` field in Podman
+ // pre-1.8, which was used in very old Podman versions to determine how
+ // image volumes were handled in Libpod (support for these eventually
+ // moved out of Libpod into pkg/specgen).
+ // Please DO NOT re-use the `imageVolumes` name in container JSON again.
+ ImageVolumes []*ContainerImageVolume `json:"ctrImageVolumes,omitempty"`
// CreateWorkingDir indicates that Libpod should create the container's
// working directory if it does not exist. Some OCI runtimes do this by
// default, but others do not.
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 72eaeac8e..1bf044f9d 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -231,6 +231,19 @@ func (c *Container) cleanupNetwork() error {
return nil
}
+// reloadNetwork reloads the network for the given container, recreating
+// firewall rules.
+func (c *Container) reloadNetwork() error {
+ result, err := c.runtime.reloadContainerNetwork(c)
+ if err != nil {
+ return err
+ }
+
+ c.state.NetworkStatus = result
+
+ return c.save()
+}
+
func (c *Container) getUserOverrides() *lookup.Overrides {
var hasPasswdFile, hasGroupFile bool
overrides := lookup.Overrides{}
diff --git a/libpod/container_internal_unsupported.go b/libpod/container_internal_unsupported.go
index c22e9a4a4..7f6fc9ec9 100644
--- a/libpod/container_internal_unsupported.go
+++ b/libpod/container_internal_unsupported.go
@@ -50,6 +50,10 @@ func (c *Container) cleanupOverlayMounts() error {
return nil
}
+func (c *Container) reloadNetwork() error {
+ return define.ErrNotImplemented
+}
+
func (c *Container) getUserOverrides() *lookup.Overrides {
return nil
}
diff --git a/libpod/kube.go b/libpod/kube.go
index 067e7827d..bf041112a 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -21,9 +21,9 @@ import (
// GenerateForKube takes a slice of libpod containers and generates
// one v1.Pod description that includes just a single container.
-func (c *Container) GenerateForKube() (*v1.Pod, error) {
+func GenerateForKube(ctrs []*Container) (*v1.Pod, error) {
// Generate the v1.Pod yaml description
- return simplePodWithV1Container(c)
+ return simplePodWithV1Containers(ctrs)
}
// GenerateForKube takes a slice of libpod containers and generates
@@ -236,14 +236,20 @@ func addContainersAndVolumesToPodObject(containers []v1.Container, volumes []v1.
return &p
}
-// simplePodWithV1Container is a function used by inspect when kube yaml needs to be generated
+// simplePodWithV1Containers is a function used by inspect when kube yaml needs to be generated
// for a single container. we "insert" that container description in a pod.
-func simplePodWithV1Container(ctr *Container) (*v1.Pod, error) {
- kubeCtr, kubeVols, err := containerToV1Container(ctr)
- if err != nil {
- return nil, err
+func simplePodWithV1Containers(ctrs []*Container) (*v1.Pod, error) {
+ kubeCtrs := make([]v1.Container, 0, len(ctrs))
+ kubeVolumes := make([]v1.Volume, 0)
+ for _, ctr := range ctrs {
+ kubeCtr, kubeVols, err := containerToV1Container(ctr)
+ if err != nil {
+ return nil, err
+ }
+ kubeCtrs = append(kubeCtrs, kubeCtr)
+ kubeVolumes = append(kubeVolumes, kubeVols...)
}
- return addContainersAndVolumesToPodObject([]v1.Container{kubeCtr}, kubeVols, ctr.Name()), nil
+ return addContainersAndVolumesToPodObject(kubeCtrs, kubeVolumes, strings.ReplaceAll(ctrs[0].Name(), "_", "")), nil
}
@@ -294,6 +300,12 @@ func containerToV1Container(c *Container) (v1.Container, []v1.Volume, error) {
_, image := c.Image()
kubeContainer.Image = image
kubeContainer.Stdin = c.Stdin()
+
+ // prepend the entrypoint of the container to command
+ if ep := c.Entrypoint(); len(c.Entrypoint()) > 0 {
+ ep = append(ep, containerCommands...)
+ containerCommands = ep
+ }
kubeContainer.Command = containerCommands
// TODO need to figure out how we handle command vs entry point. Kube appears to prefer entrypoint.
// right now we just take the container's command
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index 463378af7..bf27989bf 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -13,6 +13,7 @@ import (
"os"
"os/exec"
"path/filepath"
+ "regexp"
"sort"
"strings"
"syscall"
@@ -741,8 +742,9 @@ func (r *Runtime) closeNetNS(ctr *Container) error {
return nil
}
-// Tear down a network namespace, undoing all state associated with it.
-func (r *Runtime) teardownNetNS(ctr *Container) error {
+// Tear down a container's CNI network configuration, but do not tear down the
+// namespace itself.
+func (r *Runtime) teardownCNI(ctr *Container) error {
if ctr.state.NetNS == nil {
// The container has no network namespace, we're set
return nil
@@ -781,6 +783,19 @@ func (r *Runtime) teardownNetNS(ctr *Container) error {
return errors.Wrapf(err, "error tearing down CNI namespace configuration for container %s", ctr.ID())
}
}
+ return nil
+}
+
+// Tear down a network namespace, undoing all state associated with it.
+func (r *Runtime) teardownNetNS(ctr *Container) error {
+ if err := r.teardownCNI(ctr); err != nil {
+ return err
+ }
+
+ networks, _, err := ctr.networks()
+ if err != nil {
+ return err
+ }
// CNI-in-slirp4netns
if rootless.IsRootless() && len(networks) != 0 {
@@ -821,12 +836,73 @@ func getContainerNetNS(ctr *Container) (string, error) {
return "", nil
}
+// Reload only works with containers with a configured network.
+// It will tear down, and then reconfigure, the network of the container.
+// This is mainly used when a reload of firewall rules wipes out existing
+// firewall configuration.
+// Efforts will be made to preserve MAC and IP addresses, but this only works if
+// the container only joined a single CNI network, and was only assigned a
+// single MAC or IP.
+// Only works on root containers at present, though in the future we could
+// extend this to stop + restart slirp4netns
+func (r *Runtime) reloadContainerNetwork(ctr *Container) ([]*cnitypes.Result, error) {
+ if ctr.state.NetNS == nil {
+ return nil, errors.Wrapf(define.ErrCtrStateInvalid, "container %s network is not configured, refusing to reload", ctr.ID())
+ }
+ if rootless.IsRootless() || ctr.config.NetMode.IsSlirp4netns() {
+ return nil, errors.Wrapf(define.ErrRootless, "network reload only supported for root containers")
+ }
+
+ logrus.Infof("Going to reload container %s network", ctr.ID())
+
+ var requestedIP net.IP
+ var requestedMAC net.HardwareAddr
+ // Set requested IP and MAC address, if possible.
+ if len(ctr.state.NetworkStatus) == 1 {
+ result := ctr.state.NetworkStatus[0]
+ if len(result.IPs) == 1 {
+ resIP := result.IPs[0]
+
+ requestedIP = resIP.Address.IP
+ ctr.requestedIP = requestedIP
+ logrus.Debugf("Going to preserve container %s IP address %s", ctr.ID(), ctr.requestedIP.String())
+
+ if resIP.Interface != nil && *resIP.Interface < len(result.Interfaces) && *resIP.Interface >= 0 {
+ var err error
+ requestedMAC, err = net.ParseMAC(result.Interfaces[*resIP.Interface].Mac)
+ if err != nil {
+ return nil, errors.Wrapf(err, "error parsing container %s MAC address %s", ctr.ID(), result.Interfaces[*resIP.Interface].Mac)
+ }
+ ctr.requestedMAC = requestedMAC
+ logrus.Debugf("Going to preserve container %s MAC address %s", ctr.ID(), ctr.requestedMAC.String())
+ }
+ }
+ }
+
+ err := r.teardownCNI(ctr)
+ if err != nil {
+ // teardownCNI will error if the iptables rules do not exists and this is the case after
+ // a firewall reload. The purpose of network reload is to recreate the rules if they do
+ // not exists so we should not log this specific error as error. This would confuse users otherwise.
+ b, rerr := regexp.MatchString("Couldn't load target `CNI-[a-f0-9]{24}':No such file or directory", err.Error())
+ if rerr == nil && !b {
+ logrus.Error(err)
+ } else {
+ logrus.Info(err)
+ }
+ }
+
+ // teardownCNI will clean the requested IP and MAC so we need to set them again
+ ctr.requestedIP = requestedIP
+ ctr.requestedMAC = requestedMAC
+ return r.configureNetNS(ctr, ctr.state.NetNS)
+}
+
func getContainerNetIO(ctr *Container) (*netlink.LinkStatistics, error) {
var netStats *netlink.LinkStatistics
- // rootless v2 cannot seem to resolve its network connection to
- // collect statistics. For now, we allow stats to at least run
- // by returning nil
- if rootless.IsRootless() {
+ // With slirp4netns, we can't collect statistics at present.
+ // For now, we allow stats to at least run by returning nil
+ if rootless.IsRootless() || ctr.config.NetMode.IsSlirp4netns() {
return netStats, nil
}
netNSPath, netPathErr := getContainerNetNS(ctr)
@@ -984,12 +1060,12 @@ func resultToBasicNetworkConfig(result *cnitypes.Result) (define.InspectBasicNet
config.IPAddress = ctrIP.Address.IP.String()
config.IPPrefixLen = size
config.Gateway = ctrIP.Gateway.String()
- if ctrIP.Interface != nil && *ctrIP.Interface < len(result.Interfaces) && *ctrIP.Interface > 0 {
+ if ctrIP.Interface != nil && *ctrIP.Interface < len(result.Interfaces) && *ctrIP.Interface >= 0 {
config.MacAddress = result.Interfaces[*ctrIP.Interface].Mac
}
case ctrIP.Version == "4" && config.IPAddress != "":
config.SecondaryIPAddresses = append(config.SecondaryIPAddresses, ctrIP.Address.String())
- if ctrIP.Interface != nil && *ctrIP.Interface < len(result.Interfaces) && *ctrIP.Interface > 0 {
+ if ctrIP.Interface != nil && *ctrIP.Interface < len(result.Interfaces) && *ctrIP.Interface >= 0 {
config.AdditionalMacAddresses = append(config.AdditionalMacAddresses, result.Interfaces[*ctrIP.Interface].Mac)
}
case ctrIP.Version == "6" && config.IPAddress == "":
diff --git a/libpod/networking_unsupported.go b/libpod/networking_unsupported.go
index 76bb01424..9e5c4adde 100644
--- a/libpod/networking_unsupported.go
+++ b/libpod/networking_unsupported.go
@@ -2,7 +2,10 @@
package libpod
-import "github.com/containers/podman/v2/libpod/define"
+import (
+ cnitypes "github.com/containernetworking/cni/pkg/types/current"
+ "github.com/containers/podman/v2/libpod/define"
+)
func (r *Runtime) setupRootlessNetNS(ctr *Container) error {
return define.ErrNotImplemented
@@ -28,6 +31,10 @@ func (c *Container) getContainerNetworkInfo() (*define.InspectNetworkSettings, e
return nil, define.ErrNotImplemented
}
+func (r *Runtime) reloadContainerNetwork(ctr *Container) ([]*cnitypes.Result, error) {
+ return nil, define.ErrNotImplemented
+}
+
func getCNINetworksDir() (string, error) {
return "", define.ErrNotImplemented
}
diff --git a/libpod/stats.go b/libpod/stats.go
index e34739626..09d990017 100644
--- a/libpod/stats.go
+++ b/libpod/stats.go
@@ -34,7 +34,7 @@ func (c *Container) GetContainerStats(previousStats *define.ContainerStats) (*de
return stats, define.ErrCtrStateInvalid
}
- cgroupPath, err := c.CGroupPath()
+ cgroupPath, err := c.cGroupPath()
if err != nil {
return nil, err
}
diff --git a/pkg/api/handlers/libpod/generate.go b/pkg/api/handlers/libpod/generate.go
index 33bb75391..b3b8c1f16 100644
--- a/pkg/api/handlers/libpod/generate.go
+++ b/pkg/api/handlers/libpod/generate.go
@@ -60,7 +60,8 @@ func GenerateKube(w http.ResponseWriter, r *http.Request) {
runtime := r.Context().Value("runtime").(*libpod.Runtime)
decoder := r.Context().Value("decoder").(*schema.Decoder)
query := struct {
- Service bool `schema:"service"`
+ Names []string `schema:"names"`
+ Service bool `schema:"service"`
}{
// Defaults would go here.
}
@@ -73,7 +74,7 @@ func GenerateKube(w http.ResponseWriter, r *http.Request) {
containerEngine := abi.ContainerEngine{Libpod: runtime}
options := entities.GenerateKubeOptions{Service: query.Service}
- report, err := containerEngine.GenerateKube(r.Context(), utils.GetName(r), options)
+ report, err := containerEngine.GenerateKube(r.Context(), query.Names, options)
if err != nil {
utils.Error(w, "Something went wrong.", http.StatusInternalServerError, errors.Wrap(err, "error generating YAML"))
return
diff --git a/pkg/api/server/register_generate.go b/pkg/api/server/register_generate.go
index 60e5b03f7..bce5484ab 100644
--- a/pkg/api/server/register_generate.go
+++ b/pkg/api/server/register_generate.go
@@ -70,7 +70,7 @@ func (s *APIServer) registerGenerateHandlers(r *mux.Router) error {
// $ref: "#/responses/InternalError"
r.HandleFunc(VersionedPath("/libpod/generate/{name:.*}/systemd"), s.APIHandler(libpod.GenerateSystemd)).Methods(http.MethodGet)
- // swagger:operation GET /libpod/generate/{name:.*}/kube libpod libpodGenerateKube
+ // swagger:operation GET /libpod/generate/kube libpod libpodGenerateKube
// ---
// tags:
// - containers
@@ -78,9 +78,11 @@ func (s *APIServer) registerGenerateHandlers(r *mux.Router) error {
// summary: Generate a Kubernetes YAML file.
// description: Generate Kubernetes YAML based on a pod or container.
// parameters:
- // - in: path
- // name: name:.*
- // type: string
+ // - in: query
+ // name: names
+ // type: array
+ // items:
+ // type: string
// required: true
// description: Name or ID of the container or pod.
// - in: query
@@ -98,6 +100,6 @@ func (s *APIServer) registerGenerateHandlers(r *mux.Router) error {
// format: binary
// 500:
// $ref: "#/responses/InternalError"
- r.HandleFunc(VersionedPath("/libpod/generate/{name:.*}/kube"), s.APIHandler(libpod.GenerateKube)).Methods(http.MethodGet)
+ r.HandleFunc(VersionedPath("/libpod/generate/kube"), s.APIHandler(libpod.GenerateKube)).Methods(http.MethodGet)
return nil
}
diff --git a/pkg/bindings/generate/generate.go b/pkg/bindings/generate/generate.go
index dde1cc29c..8d0146ec1 100644
--- a/pkg/bindings/generate/generate.go
+++ b/pkg/bindings/generate/generate.go
@@ -2,6 +2,7 @@ package generate
import (
"context"
+ "errors"
"net/http"
"net/url"
"strconv"
@@ -37,15 +38,21 @@ func Systemd(ctx context.Context, nameOrID string, options entities.GenerateSyst
return report, response.Process(&report.Units)
}
-func Kube(ctx context.Context, nameOrID string, options entities.GenerateKubeOptions) (*entities.GenerateKubeReport, error) {
+func Kube(ctx context.Context, nameOrIDs []string, options entities.GenerateKubeOptions) (*entities.GenerateKubeReport, error) {
conn, err := bindings.GetClient(ctx)
if err != nil {
return nil, err
}
+ if len(nameOrIDs) < 1 {
+ return nil, errors.New("must provide the name or ID of one container or pod")
+ }
params := url.Values{}
+ for _, name := range nameOrIDs {
+ params.Add("names", name)
+ }
params.Set("service", strconv.FormatBool(options.Service))
- response, err := conn.DoRequest(nil, http.MethodGet, "/generate/%s/kube", params, nil, nameOrID)
+ response, err := conn.DoRequest(nil, http.MethodGet, "/generate/kube", params, nil)
if err != nil {
return nil, err
}
diff --git a/pkg/domain/entities/engine_container.go b/pkg/domain/entities/engine_container.go
index e1f40e307..5ad475133 100644
--- a/pkg/domain/entities/engine_container.go
+++ b/pkg/domain/entities/engine_container.go
@@ -46,7 +46,7 @@ type ContainerEngine interface {
ContainerWait(ctx context.Context, namesOrIds []string, options WaitOptions) ([]WaitReport, error)
Events(ctx context.Context, opts EventsOptions) error
GenerateSystemd(ctx context.Context, nameOrID string, opts GenerateSystemdOptions) (*GenerateSystemdReport, error)
- GenerateKube(ctx context.Context, nameOrID string, opts GenerateKubeOptions) (*GenerateKubeReport, error)
+ GenerateKube(ctx context.Context, nameOrIDs []string, opts GenerateKubeOptions) (*GenerateKubeReport, error)
SystemPrune(ctx context.Context, options SystemPruneOptions) (*SystemPruneReport, error)
HealthCheckRun(ctx context.Context, nameOrID string, options HealthCheckOptions) (*define.HealthCheckResults, error)
Info(ctx context.Context) (*define.Info, error)
@@ -55,6 +55,7 @@ type ContainerEngine interface {
NetworkDisconnect(ctx context.Context, networkname string, options NetworkDisconnectOptions) error
NetworkInspect(ctx context.Context, namesOrIds []string, options InspectOptions) ([]NetworkInspectReport, []error, error)
NetworkList(ctx context.Context, options NetworkListOptions) ([]*NetworkListReport, error)
+ NetworkReload(ctx context.Context, names []string, options NetworkReloadOptions) ([]*NetworkReloadReport, error)
NetworkRm(ctx context.Context, namesOrIds []string, options NetworkRmOptions) ([]*NetworkRmReport, error)
PlayKube(ctx context.Context, path string, opts PlayKubeOptions) (*PlayKubeReport, error)
PodCreate(ctx context.Context, opts PodCreateOptions) (*PodCreateReport, error)
diff --git a/pkg/domain/entities/network.go b/pkg/domain/entities/network.go
index 65a110fd9..b76bfcac7 100644
--- a/pkg/domain/entities/network.go
+++ b/pkg/domain/entities/network.go
@@ -22,6 +22,19 @@ type NetworkListReport struct {
// NetworkInspectReport describes the results from inspect networks
type NetworkInspectReport map[string]interface{}
+// NetworkReloadOptions describes options for reloading container network
+// configuration.
+type NetworkReloadOptions struct {
+ All bool
+ Latest bool
+}
+
+// NetworkReloadReport describes the results of reloading a container network.
+type NetworkReloadReport struct {
+ Id string
+ Err error
+}
+
// NetworkRmOptions describes options for removing networks
type NetworkRmOptions struct {
Force bool
diff --git a/pkg/domain/infra/abi/generate.go b/pkg/domain/infra/abi/generate.go
index 79bf2291e..79f55e2bd 100644
--- a/pkg/domain/infra/abi/generate.go
+++ b/pkg/domain/infra/abi/generate.go
@@ -41,28 +41,48 @@ func (ic *ContainerEngine) GenerateSystemd(ctx context.Context, nameOrID string,
return &entities.GenerateSystemdReport{Units: units}, nil
}
-func (ic *ContainerEngine) GenerateKube(ctx context.Context, nameOrID string, options entities.GenerateKubeOptions) (*entities.GenerateKubeReport, error) {
+func (ic *ContainerEngine) GenerateKube(ctx context.Context, nameOrIDs []string, options entities.GenerateKubeOptions) (*entities.GenerateKubeReport, error) {
var (
- pod *libpod.Pod
+ pods []*libpod.Pod
podYAML *k8sAPI.Pod
err error
- ctr *libpod.Container
+ ctrs []*libpod.Container
servicePorts []k8sAPI.ServicePort
serviceYAML k8sAPI.Service
)
- // Get the container in question.
- ctr, err = ic.Libpod.LookupContainer(nameOrID)
- if err != nil {
- pod, err = ic.Libpod.LookupPod(nameOrID)
+ for _, nameOrID := range nameOrIDs {
+ // Get the container in question
+ ctr, err := ic.Libpod.LookupContainer(nameOrID)
if err != nil {
- return nil, err
+ pod, err := ic.Libpod.LookupPod(nameOrID)
+ if err != nil {
+ return nil, err
+ }
+ pods = append(pods, pod)
+ if len(pods) > 1 {
+ return nil, errors.New("can only generate single pod at a time")
+ }
+ } else {
+ if len(ctr.Dependencies()) > 0 {
+ return nil, errors.Wrapf(define.ErrNotImplemented, "containers with dependencies")
+ }
+ // we cannot deal with ctrs already in a pod
+ if len(ctr.PodID()) > 0 {
+ return nil, errors.Errorf("container %s is associated with pod %s: use generate on the pod itself", ctr.ID(), ctr.PodID())
+ }
+ ctrs = append(ctrs, ctr)
}
- podYAML, servicePorts, err = pod.GenerateForKube()
+ }
+
+ // check our inputs
+ if len(pods) > 0 && len(ctrs) > 0 {
+ return nil, errors.New("cannot generate pods and containers at the same time")
+ }
+
+ if len(pods) == 1 {
+ podYAML, servicePorts, err = pods[0].GenerateForKube()
} else {
- if len(ctr.Dependencies()) > 0 {
- return nil, errors.Wrapf(define.ErrNotImplemented, "containers with dependencies")
- }
- podYAML, err = ctr.GenerateForKube()
+ podYAML, err = libpod.GenerateForKube(ctrs)
}
if err != nil {
return nil, err
@@ -72,7 +92,7 @@ func (ic *ContainerEngine) GenerateKube(ctx context.Context, nameOrID string, op
serviceYAML = libpod.GenerateKubeServiceFromV1Pod(podYAML, servicePorts)
}
- content, err := generateKubeOutput(podYAML, &serviceYAML)
+ content, err := generateKubeOutput(podYAML, &serviceYAML, options.Service)
if err != nil {
return nil, err
}
@@ -80,7 +100,7 @@ func (ic *ContainerEngine) GenerateKube(ctx context.Context, nameOrID string, op
return &entities.GenerateKubeReport{Reader: bytes.NewReader(content)}, nil
}
-func generateKubeOutput(podYAML *k8sAPI.Pod, serviceYAML *k8sAPI.Service) ([]byte, error) {
+func generateKubeOutput(podYAML *k8sAPI.Pod, serviceYAML *k8sAPI.Service, hasService bool) ([]byte, error) {
var (
output []byte
marshalledPod []byte
@@ -93,7 +113,7 @@ func generateKubeOutput(podYAML *k8sAPI.Pod, serviceYAML *k8sAPI.Service) ([]byt
return nil, err
}
- if serviceYAML != nil {
+ if hasService {
marshalledService, err = yaml.Marshal(serviceYAML)
if err != nil {
return nil, err
@@ -114,7 +134,7 @@ func generateKubeOutput(podYAML *k8sAPI.Pod, serviceYAML *k8sAPI.Service) ([]byt
output = append(output, []byte(fmt.Sprintf(header, podmanVersion.Version))...)
output = append(output, marshalledPod...)
- if serviceYAML != nil {
+ if hasService {
output = append(output, []byte("---\n")...)
output = append(output, marshalledService...)
}
diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
index ff2f2e7ae..57a2bc4cf 100644
--- a/pkg/domain/infra/abi/images.go
+++ b/pkg/domain/infra/abi/images.go
@@ -26,7 +26,6 @@ import (
"github.com/containers/podman/v2/pkg/domain/entities"
domainUtils "github.com/containers/podman/v2/pkg/domain/utils"
"github.com/containers/podman/v2/pkg/rootless"
- "github.com/containers/podman/v2/pkg/trust"
"github.com/containers/podman/v2/pkg/util"
"github.com/containers/storage"
imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
@@ -34,9 +33,6 @@ import (
"github.com/sirupsen/logrus"
)
-// SignatureStoreDir defines default directory to store signatures
-const SignatureStoreDir = "/var/lib/containers/sigstore"
-
func (ir *ImageEngine) Exists(_ context.Context, nameOrID string) (*entities.BoolReport, error) {
_, err := ir.Libpod.ImageRuntime().NewFromLocal(nameOrID)
if err != nil {
@@ -707,12 +703,6 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
sc := ir.Libpod.SystemContext()
sc.DockerCertPath = options.CertDir
- systemRegistriesDirPath := trust.RegistriesDirPath(sc)
- registryConfigs, err := trust.LoadAndMergeConfig(systemRegistriesDirPath)
- if err != nil {
- return nil, errors.Wrapf(err, "error reading registry configuration")
- }
-
for _, signimage := range names {
err = func() error {
srcRef, err := alltransports.ParseImageName(signimage)
@@ -738,37 +728,25 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
}
var sigStoreDir string
if options.Directory != "" {
- sigStoreDir = options.Directory
- }
- if sigStoreDir == "" {
- if rootless.IsRootless() {
- sigStoreDir = filepath.Join(filepath.Dir(ir.Libpod.StorageConfig().GraphRoot), "sigstore")
- } else {
- var sigStoreURI string
- registryInfo := trust.HaveMatchRegistry(rawSource.Reference().DockerReference().String(), registryConfigs)
- if registryInfo != nil {
- if sigStoreURI = registryInfo.SigStoreStaging; sigStoreURI == "" {
- sigStoreURI = registryInfo.SigStore
- }
- }
- if sigStoreURI == "" {
- return errors.Errorf("no signature storage configuration found for %s", rawSource.Reference().DockerReference().String())
-
- }
- sigStoreDir, err = localPathFromURI(sigStoreURI)
- if err != nil {
- return errors.Wrapf(err, "invalid signature storage %s", sigStoreURI)
- }
+ repo := reference.Path(dockerReference)
+ if path.Clean(repo) != repo { // Coverage: This should not be reachable because /./ and /../ components are not valid in docker references
+ return errors.Errorf("Unexpected path elements in Docker reference %s for signature storage", dockerReference.String())
+ }
+ sigStoreDir = filepath.Join(options.Directory, repo)
+ } else {
+ signatureURL, err := docker.SignatureStorageBaseURL(sc, rawSource.Reference(), true)
+ if err != nil {
+ return err
+ }
+ sigStoreDir, err = localPathFromURI(signatureURL)
+ if err != nil {
+ return err
}
}
manifestDigest, err := manifest.Digest(getManifest)
if err != nil {
return err
}
- repo := reference.Path(dockerReference)
- if path.Clean(repo) != repo { // Coverage: This should not be reachable because /./ and /../ components are not valid in docker references
- return errors.Errorf("Unexpected path elements in Docker reference %s for signature storage", dockerReference.String())
- }
// create signature
newSig, err := signature.SignDockerManifest(getManifest, dockerReference.String(), mech, options.SignBy)
@@ -776,7 +754,7 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
return errors.Wrapf(err, "error creating new signature")
}
// create the signstore file
- signatureDir := fmt.Sprintf("%s@%s=%s", filepath.Join(sigStoreDir, repo), manifestDigest.Algorithm(), manifestDigest.Hex())
+ signatureDir := fmt.Sprintf("%s@%s=%s", sigStoreDir, manifestDigest.Algorithm(), manifestDigest.Hex())
if err := os.MkdirAll(signatureDir, 0751); err != nil {
// The directory is allowed to exist
if !os.IsExist(err) {
@@ -822,14 +800,9 @@ func getSigFilename(sigStoreDirPath string) (string, error) {
}
}
-func localPathFromURI(sigStoreDir string) (string, error) {
- url, err := url.Parse(sigStoreDir)
- if err != nil {
- return sigStoreDir, errors.Wrapf(err, "invalid directory %s", sigStoreDir)
- }
+func localPathFromURI(url *url.URL) (string, error) {
if url.Scheme != "file" {
- return sigStoreDir, errors.Errorf("writing to %s is not supported. Use a supported scheme", sigStoreDir)
+ return "", errors.Errorf("writing to %s is not supported. Use a supported scheme", url.String())
}
- sigStoreDir = url.Path
- return sigStoreDir, nil
+ return url.Path, nil
}
diff --git a/pkg/domain/infra/abi/network.go b/pkg/domain/infra/abi/network.go
index 6a219edd5..e5ecf5c72 100644
--- a/pkg/domain/infra/abi/network.go
+++ b/pkg/domain/infra/abi/network.go
@@ -60,6 +60,26 @@ func (ic *ContainerEngine) NetworkInspect(ctx context.Context, namesOrIds []stri
return rawCNINetworks, errs, nil
}
+func (ic *ContainerEngine) NetworkReload(ctx context.Context, names []string, options entities.NetworkReloadOptions) ([]*entities.NetworkReloadReport, error) {
+ ctrs, err := getContainersByContext(options.All, options.Latest, names, ic.Libpod)
+ if err != nil {
+ return nil, err
+ }
+
+ reports := make([]*entities.NetworkReloadReport, 0, len(ctrs))
+ for _, ctr := range ctrs {
+ report := new(entities.NetworkReloadReport)
+ report.Id = ctr.ID()
+ report.Err = ctr.ReloadNetwork()
+ if options.All && errors.Cause(report.Err) == define.ErrCtrStateInvalid {
+ continue
+ }
+ reports = append(reports, report)
+ }
+
+ return reports, nil
+}
+
func (ic *ContainerEngine) NetworkRm(ctx context.Context, namesOrIds []string, options entities.NetworkRmOptions) ([]*entities.NetworkRmReport, error) {
reports := []*entities.NetworkRmReport{}
diff --git a/pkg/domain/infra/tunnel/generate.go b/pkg/domain/infra/tunnel/generate.go
index 966f707b1..ebbfa143f 100644
--- a/pkg/domain/infra/tunnel/generate.go
+++ b/pkg/domain/infra/tunnel/generate.go
@@ -11,6 +11,6 @@ func (ic *ContainerEngine) GenerateSystemd(ctx context.Context, nameOrID string,
return generate.Systemd(ic.ClientCxt, nameOrID, options)
}
-func (ic *ContainerEngine) GenerateKube(ctx context.Context, nameOrID string, options entities.GenerateKubeOptions) (*entities.GenerateKubeReport, error) {
- return generate.Kube(ic.ClientCxt, nameOrID, options)
+func (ic *ContainerEngine) GenerateKube(ctx context.Context, nameOrIDs []string, options entities.GenerateKubeOptions) (*entities.GenerateKubeReport, error) {
+ return generate.Kube(ic.ClientCxt, nameOrIDs, options)
}
diff --git a/pkg/domain/infra/tunnel/network.go b/pkg/domain/infra/tunnel/network.go
index 10ae03045..4845980f6 100644
--- a/pkg/domain/infra/tunnel/network.go
+++ b/pkg/domain/infra/tunnel/network.go
@@ -35,6 +35,10 @@ func (ic *ContainerEngine) NetworkInspect(ctx context.Context, namesOrIds []stri
return reports, errs, nil
}
+func (ic *ContainerEngine) NetworkReload(ctx context.Context, names []string, options entities.NetworkReloadOptions) ([]*entities.NetworkReloadReport, error) {
+ return nil, errors.New("not implemented")
+}
+
func (ic *ContainerEngine) NetworkRm(ctx context.Context, namesOrIds []string, options entities.NetworkRmOptions) ([]*entities.NetworkRmReport, error) {
reports := make([]*entities.NetworkRmReport, 0, len(namesOrIds))
for _, name := range namesOrIds {
diff --git a/pkg/trust/trust.go b/pkg/trust/trust.go
index a61e0ef10..a30611b74 100644
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@@ -12,6 +12,7 @@ import (
"strings"
"github.com/containers/image/v5/types"
+ "github.com/docker/docker/pkg/homedir"
"github.com/ghodss/yaml"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
@@ -60,6 +61,12 @@ type ShowOutput struct {
Sigstore string
}
+// systemRegistriesDirPath is the path to registries.d.
+const systemRegistriesDirPath = "/etc/containers/registries.d"
+
+// userRegistriesDir is the path to the per user registries.d.
+var userRegistriesDir = filepath.FromSlash(".config/containers/registries.d")
+
// DefaultPolicyPath returns a path to the default policy of the system.
func DefaultPolicyPath(sys *types.SystemContext) string {
systemDefaultPolicyPath := "/etc/containers/policy.json"
@@ -76,15 +83,17 @@ func DefaultPolicyPath(sys *types.SystemContext) string {
// RegistriesDirPath returns a path to registries.d
func RegistriesDirPath(sys *types.SystemContext) string {
- systemRegistriesDirPath := "/etc/containers/registries.d"
- if sys != nil {
- if sys.RegistriesDirPath != "" {
- return sys.RegistriesDirPath
- }
- if sys.RootForImplicitAbsolutePaths != "" {
- return filepath.Join(sys.RootForImplicitAbsolutePaths, systemRegistriesDirPath)
- }
+ if sys != nil && sys.RegistriesDirPath != "" {
+ return sys.RegistriesDirPath
+ }
+ userRegistriesDirPath := filepath.Join(homedir.Get(), userRegistriesDir)
+ if _, err := os.Stat(userRegistriesDirPath); err == nil {
+ return userRegistriesDirPath
}
+ if sys != nil && sys.RootForImplicitAbsolutePaths != "" {
+ return filepath.Join(sys.RootForImplicitAbsolutePaths, systemRegistriesDirPath)
+ }
+
return systemRegistriesDirPath
}
diff --git a/test/apiv2/25-containersMore.at b/test/apiv2/25-containersMore.at
index 9d774ef27..b88c798eb 100644
--- a/test/apiv2/25-containersMore.at
+++ b/test/apiv2/25-containersMore.at
@@ -65,13 +65,13 @@ t GET libpod/containers/json?last=1 200 \
cid=$(jq -r '.[0].Id' <<<"$output")
-t GET libpod/generate/$cid/kube 200
+t GET libpod/generate/kube?names=$cid 200
like "$output" ".*apiVersion:.*" "Check generated kube yaml - apiVersion"
like "$output" ".*kind:\\sPod.*" "Check generated kube yaml - kind: Pod"
like "$output" ".*metadata:.*" "Check generated kube yaml - metadata"
like "$output" ".*spec:.*" "Check generated kube yaml - spec"
-t GET libpod/generate/$cid/kube?service=true 200
+t GET "libpod/generate/kube?service=true&names=$cid" 200
like "$output" ".*apiVersion:.*" "Check generated kube yaml(service=true) - apiVersion"
like "$output" ".*kind:\\sPod.*" "Check generated kube yaml(service=true) - kind: Pod"
like "$output" ".*metadata:.*" "Check generated kube yaml(service=true) - metadata"
diff --git a/test/e2e/generate_kube_test.go b/test/e2e/generate_kube_test.go
index c8782c743..0950a9321 100644
--- a/test/e2e/generate_kube_test.go
+++ b/test/e2e/generate_kube_test.go
@@ -469,4 +469,74 @@ var _ = Describe("Podman generate kube", func() {
Expect(inspect.ExitCode()).To(Equal(0))
Expect(inspect.OutputToString()).To(ContainSubstring(`"pid"`))
})
+
+ It("podman generate kube multiple pods should fail", func() {
+ pod1 := podmanTest.Podman([]string{"run", "-dt", "--pod", "new:pod1", ALPINE, "top"})
+ pod1.WaitWithDefaultTimeout()
+ Expect(pod1.ExitCode()).To(Equal(0))
+
+ pod2 := podmanTest.Podman([]string{"run", "-dt", "--pod", "new:pod2", ALPINE, "top"})
+ pod2.WaitWithDefaultTimeout()
+ Expect(pod2.ExitCode()).To(Equal(0))
+
+ kube := podmanTest.Podman([]string{"generate", "kube", "pod1", "pod2"})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).ToNot(Equal(0))
+ })
+
+ It("podman generate kube with pods and containers should fail", func() {
+ pod1 := podmanTest.Podman([]string{"run", "-dt", "--pod", "new:pod1", ALPINE, "top"})
+ pod1.WaitWithDefaultTimeout()
+ Expect(pod1.ExitCode()).To(Equal(0))
+
+ pod2 := podmanTest.Podman([]string{"run", "-dt", "--name", "top", ALPINE, "top"})
+ pod2.WaitWithDefaultTimeout()
+ Expect(pod2.ExitCode()).To(Equal(0))
+
+ kube := podmanTest.Podman([]string{"generate", "kube", "pod1", "top"})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).ToNot(Equal(0))
+ })
+
+ It("podman generate kube with containers in a pod should fail", func() {
+ pod1 := podmanTest.Podman([]string{"pod", "create", "--name", "pod1"})
+ pod1.WaitWithDefaultTimeout()
+ Expect(pod1.ExitCode()).To(Equal(0))
+
+ con := podmanTest.Podman([]string{"run", "-dt", "--pod", "pod1", "--name", "top", ALPINE, "top"})
+ con.WaitWithDefaultTimeout()
+ Expect(con.ExitCode()).To(Equal(0))
+
+ kube := podmanTest.Podman([]string{"generate", "kube", "top"})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).ToNot(Equal(0))
+ })
+
+ It("podman generate kube with multiple containers", func() {
+ con1 := podmanTest.Podman([]string{"run", "-dt", "--name", "con1", ALPINE, "top"})
+ con1.WaitWithDefaultTimeout()
+ Expect(con1.ExitCode()).To(Equal(0))
+
+ con2 := podmanTest.Podman([]string{"run", "-dt", "--name", "con2", ALPINE, "top"})
+ con2.WaitWithDefaultTimeout()
+ Expect(con2.ExitCode()).To(Equal(0))
+
+ kube := podmanTest.Podman([]string{"generate", "kube", "con1", "con2"})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+ })
+
+ It("podman generate kube with containers in a pod should fail", func() {
+ pod1 := podmanTest.Podman([]string{"run", "-dt", "--pod", "new:pod1", "--name", "top1", ALPINE, "top"})
+ pod1.WaitWithDefaultTimeout()
+ Expect(pod1.ExitCode()).To(Equal(0))
+
+ pod2 := podmanTest.Podman([]string{"run", "-dt", "--pod", "new:pod2", "--name", "top2", ALPINE, "top"})
+ pod2.WaitWithDefaultTimeout()
+ Expect(pod2.ExitCode()).To(Equal(0))
+
+ kube := podmanTest.Podman([]string{"generate", "kube", "pod1", "pod2"})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).ToNot(Equal(0))
+ })
})
diff --git a/test/e2e/network_test.go b/test/e2e/network_test.go
index ffc914bc2..4e8ab5ad5 100644
--- a/test/e2e/network_test.go
+++ b/test/e2e/network_test.go
@@ -119,7 +119,13 @@ var _ = Describe("Podman network", func() {
})
It("podman network list --filter invalid value", func() {
- session := podmanTest.Podman([]string{"network", "ls", "--filter", "namr=ab"})
+ net := "net" + stringid.GenerateNonCryptoID()
+ session := podmanTest.Podman([]string{"network", "create", net})
+ session.WaitWithDefaultTimeout()
+ defer podmanTest.removeCNINetwork(net)
+ Expect(session.ExitCode()).To(BeZero())
+
+ session = podmanTest.Podman([]string{"network", "ls", "--filter", "namr=ab"})
session.WaitWithDefaultTimeout()
Expect(session).To(ExitWithError())
Expect(session.ErrorToString()).To(ContainSubstring(`invalid filter "namr"`))
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 58ef9a647..f73a15633 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -264,6 +264,14 @@ var _ = Describe("Podman run", func() {
session.WaitWithDefaultTimeout()
Expect(session.OutputToString()).To(BeEmpty())
Expect(session.ExitCode()).To(Equal(0))
+
+ session = podmanTest.Podman([]string{"run", "-d", "--name=maskCtr4", "--security-opt", "systempaths=unconfined", ALPINE, "sleep", "200"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ session = podmanTest.Podman([]string{"exec", "maskCtr4", "ls", "/sys/firmware"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.OutputToString()).To(Not(BeEmpty()))
+ Expect(session.ExitCode()).To(Equal(0))
})
It("podman run seccomp test", func() {
diff --git a/test/e2e/stats_test.go b/test/e2e/stats_test.go
index 5e8a7a3d0..ab117a2a0 100644
--- a/test/e2e/stats_test.go
+++ b/test/e2e/stats_test.go
@@ -128,6 +128,16 @@ var _ = Describe("Podman stats", func() {
Expect(session.ExitCode()).To(Equal(0))
})
+ It("podman stats on container with forced slirp4netns", func() {
+ // This will force the slirp4netns net mode to be tested as root
+ session := podmanTest.Podman([]string{"run", "-d", "--net", "slirp4netns", ALPINE, "top"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ session = podmanTest.Podman([]string{"stats", "--no-stream", "-a"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ })
+
// Regression test for #8265
It("podman stats with custom memory limits", func() {
// Run thre containers. One with a memory limit. Make sure
diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
index 44cc731cf..a824ebcd7 100644
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
@@ -116,4 +116,68 @@ load helpers
fi
}
+@test "podman network reload" {
+ skip_if_remote "podman network reload does not have remote support"
+ skip_if_rootless "podman network reload does not work rootless"
+
+ random_1=$(random_string 30)
+ HOST_PORT=12345
+ SERVER=http://127.0.0.1:$HOST_PORT
+
+ # Create a test file with random content
+ INDEX1=$PODMAN_TMPDIR/hello.txt
+ echo $random_1 > $INDEX1
+
+ # Bind-mount this file with a different name to a container running httpd
+ run_podman run -d --name myweb -p "$HOST_PORT:80" \
+ -v $INDEX1:/var/www/index.txt \
+ -w /var/www \
+ $IMAGE /bin/busybox-extras httpd -f -p 80
+ cid=$output
+
+ run_podman inspect $cid --format "{{.NetworkSettings.IPAddress}}"
+ ip="$output"
+ run_podman inspect $cid --format "{{.NetworkSettings.MacAddress}}"
+ mac="$output"
+
+ # Verify http contents: curl from localhost
+ run curl -s $SERVER/index.txt
+ is "$output" "$random_1" "curl 127.0.0.1:/index.txt"
+
+ # flush the CNI iptables here
+ run iptables -t nat -F CNI-HOSTPORT-DNAT
+
+ # check that we cannot curl (timeout after 5 sec)
+ run timeout 5 curl -s $SERVER/index.txt
+ if [ "$status" -ne 124 ]; then
+ die "curl did not timeout, status code: $status"
+ fi
+
+ # reload the network to recreate the iptables rules
+ run_podman network reload $cid
+ is "$output" "$cid" "Output does not match container ID"
+
+ # check that we still have the same mac and ip
+ run_podman inspect $cid --format "{{.NetworkSettings.IPAddress}}"
+ is "$output" "$ip" "IP address changed after podman network reload"
+ run_podman inspect $cid --format "{{.NetworkSettings.MacAddress}}"
+ is "$output" "$mac" "MAC address changed after podman network reload"
+
+ # check that we can still curl
+ run curl -s $SERVER/index.txt
+ is "$output" "$random_1" "curl 127.0.0.1:/index.txt"
+
+ # make sure --all is working and that this
+ # cmd also works if the iptables still exists
+ run_podman network reload --all
+ is "$output" "$cid" "Output does not match container ID"
+
+ # check that we can still curl
+ run curl -s $SERVER/index.txt
+ is "$output" "$random_1" "curl 127.0.0.1:/index.txt"
+
+ # cleanup the container
+ run_podman rm -f $cid
+}
+
# vim: filetype=sh
diff --git a/vendor/github.com/containers/image/v5/copy/copy.go b/vendor/github.com/containers/image/v5/copy/copy.go
index 4d5b07689..485db4d30 100644
--- a/vendor/github.com/containers/image/v5/copy/copy.go
+++ b/vendor/github.com/containers/image/v5/copy/copy.go
@@ -53,6 +53,14 @@ var (
// compressionBufferSize is the buffer size used to compress a blob
var compressionBufferSize = 1048576
+// expectedCompressionFormats is used to check if a blob with a specified media type is compressed
+// using the algorithm that the media type says it should be compressed with
+var expectedCompressionFormats = map[string]*compression.Algorithm{
+ imgspecv1.MediaTypeImageLayerGzip: &compression.Gzip,
+ imgspecv1.MediaTypeImageLayerZstd: &compression.Zstd,
+ manifest.DockerV2Schema2LayerMediaType: &compression.Gzip,
+}
+
// newDigestingReader returns an io.Reader implementation with contents of source, which will eventually return a non-EOF error
// or set validationSucceeded/validationFailed to true if the source stream does/does not match expectedDigest.
// (neither is set if EOF is never reached).
@@ -1234,6 +1242,10 @@ func (c *copier) copyBlobFromStream(ctx context.Context, srcStream io.Reader, sr
isCompressed := decompressor != nil
destStream = bar.ProxyReader(destStream)
+ if expectedCompressionFormat, known := expectedCompressionFormats[srcInfo.MediaType]; known && isCompressed && compressionFormat.Name() != expectedCompressionFormat.Name() {
+ logrus.Debugf("blob %s with type %s should be compressed with %s, but compressor appears to be %s", srcInfo.Digest.String(), srcInfo.MediaType, expectedCompressionFormat.Name(), compressionFormat.Name())
+ }
+
// === Send a copy of the original, uncompressed, stream, to a separate path if necessary.
var originalLayerReader io.Reader // DO NOT USE this other than to drain the input if no other consumer in the pipeline has done so.
if getOriginalLayerCopyWriter != nil {
diff --git a/vendor/github.com/containers/image/v5/pkg/compression/compression.go b/vendor/github.com/containers/image/v5/pkg/compression/compression.go
index 04d231c6d..d5cfd8d31 100644
--- a/vendor/github.com/containers/image/v5/pkg/compression/compression.go
+++ b/vendor/github.com/containers/image/v5/pkg/compression/compression.go
@@ -91,7 +91,8 @@ func CompressStream(dest io.Writer, algo Algorithm, level *int) (io.WriteCloser,
return internal.AlgorithmCompressor(algo)(dest, level)
}
-// DetectCompressionFormat returns a DecompressorFunc if the input is recognized as a compressed format, nil otherwise.
+// DetectCompressionFormat returns an Algorithm and DecompressorFunc if the input is recognized as a compressed format, an invalid
+// value and nil otherwise.
// Because it consumes the start of input, other consumers must use the returned io.Reader instead to also read from the beginning.
func DetectCompressionFormat(input io.Reader) (Algorithm, DecompressorFunc, io.Reader, error) {
buffer := [8]byte{}
diff --git a/vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go b/vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go
index e02703d77..198ac1cc6 100644
--- a/vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go
+++ b/vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go
@@ -225,9 +225,8 @@ func (c *PullCandidate) Record() error {
// Note that tags and digests are stripped from the specified name before
// looking up an alias. Stripped off tags and digests are later on appended to
// all candidates. If neither tag nor digest is specified, candidates are
-// normalized with the "latest" tag. PullCandidates in the returned value may
-// be empty if there is no matching alias and no unqualified-search registries
-// are configured.
+// normalized with the "latest" tag. An error is returned if there is no
+// matching alias and no unqualified-search registries are configured.
//
// Note that callers *must* call `(PullCandidate).Record` after a returned
// item has been pulled successfully; this callback will record a new
@@ -312,6 +311,10 @@ func Resolve(ctx *types.SystemContext, name string) (*Resolved, error) {
if err != nil {
return nil, err
}
+ // Error out if there's no matching alias and no search registries.
+ if len(unqualifiedSearchRegistries) == 0 {
+ return nil, errors.Errorf("short-name %q did not resolve to an alias and no unqualified-search registries are defined in %q", name, usrConfig)
+ }
resolved.originDescription = usrConfig
for _, reg := range unqualifiedSearchRegistries {
@@ -331,10 +334,8 @@ func Resolve(ctx *types.SystemContext, name string) (*Resolved, error) {
return resolved, nil
}
- // If we have only one candidate, there's no ambiguity. In case of an
- // empty candidate slices, callers can implement custom logic or raise
- // an error.
- if len(resolved.PullCandidates) <= 1 {
+ // If we have only one candidate, there's no ambiguity.
+ if len(resolved.PullCandidates) == 1 {
return resolved, nil
}
diff --git a/vendor/github.com/containers/image/v5/signature/policy_config.go b/vendor/github.com/containers/image/v5/signature/policy_config.go
index a4873e9fa..d8cc4a09b 100644
--- a/vendor/github.com/containers/image/v5/signature/policy_config.go
+++ b/vendor/github.com/containers/image/v5/signature/policy_config.go
@@ -19,6 +19,7 @@ import (
"io/ioutil"
"os"
"path/filepath"
+ "regexp"
"github.com/containers/image/v5/docker/reference"
"github.com/containers/image/v5/transports"
@@ -507,6 +508,8 @@ func newPolicyReferenceMatchFromJSON(data []byte) (PolicyReferenceMatch, error)
res = &prmExactReference{}
case prmTypeExactRepository:
res = &prmExactRepository{}
+ case prmTypeRemapIdentity:
+ res = &prmRemapIdentity{}
default:
return nil, InvalidPolicyFormatError(fmt.Sprintf("Unknown policy reference match type \"%s\"", typeField.Type))
}
@@ -693,3 +696,76 @@ func (prm *prmExactRepository) UnmarshalJSON(data []byte) error {
*prm = *res
return nil
}
+
+// Private objects for validateIdentityRemappingPrefix
+var (
+ // remapIdentityDomainRegexp matches exactly a reference domain (name[:port])
+ remapIdentityDomainRegexp = regexp.MustCompile("^" + reference.DomainRegexp.String() + "$")
+ // remapIdentityDomainPrefixRegexp matches a reference that starts with a domain;
+ // we need this because reference.NameRegexp accepts short names with docker.io implied.
+ remapIdentityDomainPrefixRegexp = regexp.MustCompile("^" + reference.DomainRegexp.String() + "/")
+ // remapIdentityNameRegexp matches exactly a reference.Named name (possibly unnormalized)
+ remapIdentityNameRegexp = regexp.MustCompile("^" + reference.NameRegexp.String() + "$")
+)
+
+// validateIdentityRemappingPrefix returns an InvalidPolicyFormatError if s is detected to be invalid
+// for the Prefix or SignedPrefix values of prmRemapIdentity.
+// Note that it may not recognize _all_ invalid values.
+func validateIdentityRemappingPrefix(s string) error {
+ if remapIdentityDomainRegexp.MatchString(s) ||
+ (remapIdentityNameRegexp.MatchString(s) && remapIdentityDomainPrefixRegexp.MatchString(s)) {
+ // FIXME? This does not reject "shortname" nor "ns/shortname", because docker/reference
+ // does not provide an API for the short vs. long name logic.
+ // It will either not match, or fail in the ParseNamed call of
+ // prmRemapIdentity.remapReferencePrefix when trying to use such a prefix.
+ return nil
+ }
+ return InvalidPolicyFormatError(fmt.Sprintf("prefix %q is not valid", s))
+}
+
+// newPRMRemapIdentity is NewPRMRemapIdentity, except it returns the private type.
+func newPRMRemapIdentity(prefix, signedPrefix string) (*prmRemapIdentity, error) {
+ if err := validateIdentityRemappingPrefix(prefix); err != nil {
+ return nil, err
+ }
+ if err := validateIdentityRemappingPrefix(signedPrefix); err != nil {
+ return nil, err
+ }
+ return &prmRemapIdentity{
+ prmCommon: prmCommon{Type: prmTypeRemapIdentity},
+ Prefix: prefix,
+ SignedPrefix: signedPrefix,
+ }, nil
+}
+
+// NewPRMRemapIdentity returns a new "remapIdentity" PolicyRepositoryMatch.
+func NewPRMRemapIdentity(prefix, signedPrefix string) (PolicyReferenceMatch, error) {
+ return newPRMRemapIdentity(prefix, signedPrefix)
+}
+
+// Compile-time check that prmRemapIdentity implements json.Unmarshaler.
+var _ json.Unmarshaler = (*prmRemapIdentity)(nil)
+
+// UnmarshalJSON implements the json.Unmarshaler interface.
+func (prm *prmRemapIdentity) UnmarshalJSON(data []byte) error {
+ *prm = prmRemapIdentity{}
+ var tmp prmRemapIdentity
+ if err := paranoidUnmarshalJSONObjectExactFields(data, map[string]interface{}{
+ "type": &tmp.Type,
+ "prefix": &tmp.Prefix,
+ "signedPrefix": &tmp.SignedPrefix,
+ }); err != nil {
+ return err
+ }
+
+ if tmp.Type != prmTypeRemapIdentity {
+ return InvalidPolicyFormatError(fmt.Sprintf("Unexpected policy requirement type \"%s\"", tmp.Type))
+ }
+
+ res, err := newPRMRemapIdentity(tmp.Prefix, tmp.SignedPrefix)
+ if err != nil {
+ return err
+ }
+ *prm = *res
+ return nil
+}
diff --git a/vendor/github.com/containers/image/v5/signature/policy_reference_match.go b/vendor/github.com/containers/image/v5/signature/policy_reference_match.go
index e2a21f01d..064866cf6 100644
--- a/vendor/github.com/containers/image/v5/signature/policy_reference_match.go
+++ b/vendor/github.com/containers/image/v5/signature/policy_reference_match.go
@@ -4,6 +4,7 @@ package signature
import (
"fmt"
+ "strings"
"github.com/containers/image/v5/docker/reference"
"github.com/containers/image/v5/transports"
@@ -36,12 +37,9 @@ func (prm *prmMatchExact) matchesDockerReference(image types.UnparsedImage, sign
return signature.String() == intended.String()
}
-func (prm *prmMatchRepoDigestOrExact) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
- intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
- if err != nil {
- return false
- }
-
+// matchRepoDigestOrExactReferenceValues implements prmMatchRepoDigestOrExact.matchesDockerReference
+// using reference.Named values.
+func matchRepoDigestOrExactReferenceValues(intended, signature reference.Named) bool {
// Do not add default tags: image.Reference().DockerReference() should contain it already, and signatureDockerReference should be exact; so, verify that now.
if reference.IsNameOnly(signature) {
return false
@@ -58,6 +56,13 @@ func (prm *prmMatchRepoDigestOrExact) matchesDockerReference(image types.Unparse
return false
}
}
+func (prm *prmMatchRepoDigestOrExact) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
+ intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
+ if err != nil {
+ return false
+ }
+ return matchRepoDigestOrExactReferenceValues(intended, signature)
+}
func (prm *prmMatchRepository) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
@@ -99,3 +104,51 @@ func (prm *prmExactRepository) matchesDockerReference(image types.UnparsedImage,
}
return signature.Name() == intended.Name()
}
+
+// refMatchesPrefix returns true if ref matches prm.Prefix.
+func (prm *prmRemapIdentity) refMatchesPrefix(ref reference.Named) bool {
+ name := ref.Name()
+ switch {
+ case len(name) < len(prm.Prefix):
+ return false
+ case len(name) == len(prm.Prefix):
+ return name == prm.Prefix
+ case len(name) > len(prm.Prefix):
+ // We are matching only ref.Name(), not ref.String(), so the only separator we are
+ // expecting is '/':
+ // - '@' is only valid to separate a digest, i.e. not a part of ref.Name()
+ // - similarly ':' to mark a tag would not be a part of ref.Name(); it can be a part of a
+ // host:port domain syntax, but we don't treat that specially and require an exact match
+ // of the domain.
+ return strings.HasPrefix(name, prm.Prefix) && name[len(prm.Prefix)] == '/'
+ default:
+ panic("Internal error: impossible comparison outcome")
+ }
+}
+
+// remapReferencePrefix returns the result of remapping ref, if it matches prm.Prefix
+// or the original ref if it does not.
+func (prm *prmRemapIdentity) remapReferencePrefix(ref reference.Named) (reference.Named, error) {
+ if !prm.refMatchesPrefix(ref) {
+ return ref, nil
+ }
+ refString := ref.String()
+ newNamedRef := strings.Replace(refString, prm.Prefix, prm.SignedPrefix, 1)
+ newParsedRef, err := reference.ParseNamed(newNamedRef)
+ if err != nil {
+ return nil, fmt.Errorf(`error rewriting reference from "%s" to "%s": %v`, refString, newNamedRef, err)
+ }
+ return newParsedRef, nil
+}
+
+func (prm *prmRemapIdentity) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
+ intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
+ if err != nil {
+ return false
+ }
+ intended, err = prm.remapReferencePrefix(intended)
+ if err != nil {
+ return false
+ }
+ return matchRepoDigestOrExactReferenceValues(intended, signature)
+}
diff --git a/vendor/github.com/containers/image/v5/signature/policy_types.go b/vendor/github.com/containers/image/v5/signature/policy_types.go
index d3b33bb7a..c6819929b 100644
--- a/vendor/github.com/containers/image/v5/signature/policy_types.go
+++ b/vendor/github.com/containers/image/v5/signature/policy_types.go
@@ -121,6 +121,7 @@ const (
prmTypeMatchRepository prmTypeIdentifier = "matchRepository"
prmTypeExactReference prmTypeIdentifier = "exactReference"
prmTypeExactRepository prmTypeIdentifier = "exactRepository"
+ prmTypeRemapIdentity prmTypeIdentifier = "remapIdentity"
)
// prmMatchExact is a PolicyReferenceMatch with type = prmMatchExact: the two references must match exactly.
@@ -150,3 +151,13 @@ type prmExactRepository struct {
prmCommon
DockerRepository string `json:"dockerRepository"`
}
+
+// prmRemapIdentity is a PolicyReferenceMatch with type = prmRemapIdentity: like prmMatchRepoDigestOrExact,
+// except that a namespace (at least a host:port, at most a single repository) is substituted before matching the two references.
+type prmRemapIdentity struct {
+ prmCommon
+ Prefix string `json:"prefix"`
+ SignedPrefix string `json:"signedPrefix"`
+ // Possibly let the users make a choice for tag/digest matching behavior
+ // similar to prmMatchExact/prmMatchRepository?
+}
diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go
index 14e553c9f..48ecf938c 100644
--- a/vendor/github.com/containers/image/v5/version/version.go
+++ b/vendor/github.com/containers/image/v5/version/version.go
@@ -6,9 +6,9 @@ const (
// VersionMajor is for an API incompatible changes
VersionMajor = 5
// VersionMinor is for functionality in a backwards-compatible manner
- VersionMinor = 8
+ VersionMinor = 9
// VersionPatch is for backwards-compatible bug fixes
- VersionPatch = 1
+ VersionPatch = 0
// VersionDev indicates development branch. Releases will be empty string.
VersionDev = ""
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 3ad53c73c..518000970 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -104,7 +104,7 @@ github.com/containers/common/pkg/umask
github.com/containers/common/version
# github.com/containers/conmon v2.0.20+incompatible
github.com/containers/conmon/runner/config
-# github.com/containers/image/v5 v5.8.1
+# github.com/containers/image/v5 v5.9.0
github.com/containers/image/v5/copy
github.com/containers/image/v5/directory
github.com/containers/image/v5/directory/explicitfilepath