summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--cmd/podman/networks/prune.go82
-rw-r--r--docs/source/markdown/podman-network-prune.1.md31
-rw-r--r--docs/source/markdown/podman-network.1.md1
-rw-r--r--docs/source/network.rst2
-rw-r--r--go.mod2
-rw-r--r--go.sum2
-rw-r--r--libpod/network/network.go50
-rw-r--r--pkg/api/handlers/compat/networks.go22
-rw-r--r--pkg/api/handlers/compat/swagger.go7
-rw-r--r--pkg/api/handlers/libpod/networks.go14
-rw-r--r--pkg/api/server/register_networks.go66
-rw-r--r--pkg/bindings/network/network.go18
-rw-r--r--pkg/bindings/network/types.go6
-rw-r--r--pkg/bindings/network/types_prune_options.go75
-rw-r--r--pkg/domain/entities/engine_container.go1
-rw-r--r--pkg/domain/entities/network.go12
-rw-r--r--pkg/domain/infra/abi/network.go25
-rw-r--r--pkg/domain/infra/tunnel/network.go5
-rw-r--r--test/apiv2/rest_api/test_rest_v2_0_0.py2
-rw-r--r--test/e2e/network_test.go50
-rw-r--r--vendor/github.com/containers/common/pkg/cgroupv2/cgroups_linux.go2
-rw-r--r--vendor/github.com/containers/common/pkg/cgroupv2/cgroups_unsupported.go2
-rw-r--r--vendor/github.com/containers/common/pkg/config/config.go19
-rw-r--r--vendor/github.com/containers/common/pkg/config/containers.conf11
-rw-r--r--vendor/github.com/containers/common/pkg/config/default.go6
-rw-r--r--vendor/github.com/containers/common/pkg/config/util_supported.go11
-rw-r--r--vendor/github.com/containers/common/pkg/parse/parse.go7
-rw-r--r--vendor/github.com/containers/common/pkg/report/doc.go12
-rw-r--r--vendor/github.com/containers/common/pkg/report/template.go54
-rw-r--r--vendor/github.com/containers/common/pkg/seccomp/default_linux.go79
-rw-r--r--vendor/github.com/containers/common/pkg/seccomp/seccomp.json85
-rw-r--r--vendor/github.com/containers/common/version/version.go2
-rw-r--r--vendor/modules.txt2
33 files changed, 584 insertions, 181 deletions
diff --git a/cmd/podman/networks/prune.go b/cmd/podman/networks/prune.go
new file mode 100644
index 000000000..d6c7d3a7f
--- /dev/null
+++ b/cmd/podman/networks/prune.go
@@ -0,0 +1,82 @@
+package network
+
+import (
+ "bufio"
+ "fmt"
+ "os"
+ "strings"
+
+ "github.com/containers/podman/v2/cmd/podman/common"
+ "github.com/containers/podman/v2/cmd/podman/registry"
+ "github.com/containers/podman/v2/cmd/podman/utils"
+ "github.com/containers/podman/v2/cmd/podman/validate"
+ "github.com/containers/podman/v2/pkg/domain/entities"
+ "github.com/spf13/cobra"
+ "github.com/spf13/pflag"
+)
+
+var (
+ networkPruneDescription = `Prune unused networks`
+ networkPruneCommand = &cobra.Command{
+ Use: "prune [options]",
+ Short: "network prune",
+ Long: networkPruneDescription,
+ RunE: networkPrune,
+ Example: `podman network prune`,
+ Args: validate.NoArgs,
+ ValidArgsFunction: common.AutocompleteNetworks,
+ }
+)
+
+var (
+ networkPruneOptions entities.NetworkPruneOptions
+ force bool
+)
+
+func networkPruneFlags(flags *pflag.FlagSet) {
+ //TODO: Not implemented but for future reference
+ //flags.StringSliceVar(&networkPruneOptions.Filters,"filters", []string{}, "provide filter values (e.g. 'until=<timestamp>')")
+ flags.BoolVarP(&force, "force", "f", false, "do not prompt for confirmation")
+}
+
+func init() {
+ registry.Commands = append(registry.Commands, registry.CliCommand{
+ Mode: []entities.EngineMode{entities.ABIMode, entities.TunnelMode},
+ Command: networkPruneCommand,
+ Parent: networkCmd,
+ })
+ flags := networkPruneCommand.Flags()
+ networkPruneFlags(flags)
+}
+
+func networkPrune(cmd *cobra.Command, _ []string) error {
+ var (
+ errs utils.OutputErrors
+ )
+ if !force {
+ reader := bufio.NewReader(os.Stdin)
+ fmt.Println("WARNING! This will remove all networks not used by at least one container.")
+ fmt.Print("Are you sure you want to continue? [y/N] ")
+ answer, err := reader.ReadString('\n')
+ if err != nil {
+ return err
+ }
+ if strings.ToLower(answer)[0] != 'y' {
+ return nil
+ }
+ }
+ responses, err := registry.ContainerEngine().NetworkPrune(registry.Context(), networkPruneOptions)
+ if err != nil {
+ setExitCode(err)
+ return err
+ }
+ for _, r := range responses {
+ if r.Error == nil {
+ fmt.Println(r.Name)
+ } else {
+ setExitCode(r.Error)
+ errs = append(errs, r.Error)
+ }
+ }
+ return errs.PrintErrors()
+}
diff --git a/docs/source/markdown/podman-network-prune.1.md b/docs/source/markdown/podman-network-prune.1.md
new file mode 100644
index 000000000..af0a7295d
--- /dev/null
+++ b/docs/source/markdown/podman-network-prune.1.md
@@ -0,0 +1,31 @@
+% podman-network-prune(1)
+
+## NAME
+podman\-network\-prune - Remove all unused networks
+
+## SYNOPSIS
+**podman network prune** [*options*]
+
+## DESCRIPTION
+Remove all unused networks. An unused network is defined by a network which
+has no containers connected or configured to connect to it. It will not remove
+the so-called default network which goes by the name of *podman*.
+
+## OPTIONS
+#### **--force**, **-f**
+
+Do not prompt for confirmation
+
+## EXAMPLE
+Prune networks
+
+```
+podman network prune
+```
+
+
+## SEE ALSO
+podman(1), podman-network(1), podman-network-remove(1)
+
+## HISTORY
+February 2021, Originally compiled by Brent Baude <bbaude@redhat.com>
diff --git a/docs/source/markdown/podman-network.1.md b/docs/source/markdown/podman-network.1.md
index 3ad37b8bf..885c957b6 100644
--- a/docs/source/markdown/podman-network.1.md
+++ b/docs/source/markdown/podman-network.1.md
@@ -19,6 +19,7 @@ The network command manages CNI networks for Podman.
| exists | [podman-network-exists(1)](podman-network-exists.1.md) | Check if the given network exists |
| inspect | [podman-network-inspect(1)](podman-network-inspect.1.md) | Displays the raw CNI network configuration for one or more networks |
| ls | [podman-network-ls(1)](podman-network-ls.1.md) | Display a summary of CNI networks |
+| prune | [podman-network-prune(1)](podman-network-prune.1.md) | Remove all unused networks |
| reload | [podman-network-reload(1)](podman-network-reload.1.md) | Reload network configuration for containers |
| rm | [podman-network-rm(1)](podman-network-rm.1.md) | Remove one or more CNI networks |
diff --git a/docs/source/network.rst b/docs/source/network.rst
index b5829876e..eb0c2c7f9 100644
--- a/docs/source/network.rst
+++ b/docs/source/network.rst
@@ -13,6 +13,8 @@ Network
:doc:`ls <markdown/podman-network-ls.1>` network list
+:doc:`prune <markdown/podman-network-prune.1>` network prune
+
:doc:`reload <markdown/podman-network-reload.1>` network reload
:doc:`rm <markdown/podman-network-rm.1>` network rm
diff --git a/go.mod b/go.mod
index 6847a49c7..e3ac45844 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
github.com/containernetworking/cni v0.8.1
github.com/containernetworking/plugins v0.9.0
github.com/containers/buildah v1.19.3
- github.com/containers/common v0.33.1
+ github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577
github.com/containers/conmon v2.0.20+incompatible
github.com/containers/image/v5 v5.10.1
github.com/containers/psgo v1.5.2
diff --git a/go.sum b/go.sum
index 9eb760693..93c5cc6fa 100644
--- a/go.sum
+++ b/go.sum
@@ -101,6 +101,8 @@ github.com/containers/buildah v1.19.3 h1:U0E1UKzqW5C11W7giHhLZI06xkZiV40ZKDK/c1j
github.com/containers/buildah v1.19.3/go.mod h1:uZb6GuE36tmRSOcIXGfiYqdpr+GPXWmlUIJSk5sn19w=
github.com/containers/common v0.33.1 h1:XpDiq8Cta8+u1s4kpYSEWdB140ZmqgyIXfWkLqKx3z0=
github.com/containers/common v0.33.1/go.mod h1:mjDo/NKeweL/onaspLhZ38WnHXaYmrELHclIdvSnYpY=
+github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577 h1:tUJcLouJ1bC3w9gdqgKqZBsj2uCuM8D8jSR592lxbhE=
+github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577/go.mod h1:mwZ9H8sK4+dtWxsnVLyWcjxK/gEQClrLsXsqLvbEKbI=
github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
github.com/containers/image/v5 v5.9.0 h1:dRmUtcluQcmasNo3DpnRoZjfU0rOu1qZeL6wlDJr10Q=
diff --git a/libpod/network/network.go b/libpod/network/network.go
index 0ff14c1f7..cdaef6c13 100644
--- a/libpod/network/network.go
+++ b/libpod/network/network.go
@@ -11,6 +11,7 @@ import (
"github.com/containernetworking/plugins/plugins/ipam/host-local/backend/allocator"
"github.com/containers/common/pkg/config"
"github.com/containers/podman/v2/libpod/define"
+ "github.com/containers/podman/v2/pkg/domain/entities"
"github.com/containers/podman/v2/pkg/rootless"
"github.com/containers/podman/v2/pkg/util"
"github.com/pkg/errors"
@@ -174,14 +175,9 @@ func ValidateUserNetworkIsAvailable(config *config.Config, userNet *net.IPNet) e
return nil
}
-// RemoveNetwork removes a given network by name. If the network has container associated with it, that
-// must be handled outside the context of this.
-func RemoveNetwork(config *config.Config, name string) error {
- l, err := acquireCNILock(config)
- if err != nil {
- return err
- }
- defer l.releaseCNILock()
+// removeNetwork is removes a cni network without a lock and should only be called
+// when a lock was otherwise acquired.
+func removeNetwork(config *config.Config, name string) error {
cniPath, err := GetCNIConfigPathByNameOrID(config, name)
if err != nil {
return err
@@ -213,6 +209,17 @@ func RemoveNetwork(config *config.Config, name string) error {
return nil
}
+// RemoveNetwork removes a given network by name. If the network has container associated with it, that
+// must be handled outside the context of this.
+func RemoveNetwork(config *config.Config, name string) error {
+ l, err := acquireCNILock(config)
+ if err != nil {
+ return err
+ }
+ defer l.releaseCNILock()
+ return removeNetwork(config, name)
+}
+
// InspectNetwork reads a CNI config and returns its configuration
func InspectNetwork(config *config.Config, name string) (map[string]interface{}, error) {
b, err := ReadRawCNIConfByName(config, name)
@@ -243,3 +250,30 @@ func GetNetworkID(name string) string {
hash := sha256.Sum256([]byte(name))
return hex.EncodeToString(hash[:])
}
+
+// PruneNetworks removes networks that are not being used and that is not the default
+// network. To keep proper fencing for imports, you must provide the used networks
+// to this function as a map. the key is meaningful in the map, the book is a no-op
+func PruneNetworks(rtc *config.Config, usedNetworks map[string]bool) ([]*entities.NetworkPruneReport, error) {
+ var reports []*entities.NetworkPruneReport
+ lock, err := acquireCNILock(rtc)
+ if err != nil {
+ return nil, err
+ }
+ defer lock.releaseCNILock()
+ nets, err := GetNetworkNamesFromFileSystem(rtc)
+ if err != nil {
+ return nil, err
+ }
+ for _, n := range nets {
+ _, found := usedNetworks[n]
+ // Remove is not default network and not found in the used list
+ if n != rtc.Network.DefaultNetwork && !found {
+ reports = append(reports, &entities.NetworkPruneReport{
+ Name: n,
+ Error: removeNetwork(rtc, n),
+ })
+ }
+ }
+ return reports, nil
+}
diff --git a/pkg/api/handlers/compat/networks.go b/pkg/api/handlers/compat/networks.go
index f0b922885..f7a70816f 100644
--- a/pkg/api/handlers/compat/networks.go
+++ b/pkg/api/handlers/compat/networks.go
@@ -388,3 +388,25 @@ func Disconnect(w http.ResponseWriter, r *http.Request) {
}
utils.WriteResponse(w, http.StatusOK, "OK")
}
+
+// Prune removes unused networks
+func Prune(w http.ResponseWriter, r *http.Request) {
+ // TODO Filters are not implemented
+ runtime := r.Context().Value("runtime").(*libpod.Runtime)
+ ic := abi.ContainerEngine{Libpod: runtime}
+ pruneOptions := entities.NetworkPruneOptions{}
+ pruneReports, err := ic.NetworkPrune(r.Context(), pruneOptions)
+ if err != nil {
+ utils.Error(w, "Something went wrong.", http.StatusInternalServerError, err)
+ return
+ }
+ var prunedNetworks []string //nolint
+ for _, pr := range pruneReports {
+ if pr.Error != nil {
+ logrus.Error(pr.Error)
+ continue
+ }
+ prunedNetworks = append(prunedNetworks, pr.Name)
+ }
+ utils.WriteResponse(w, http.StatusOK, prunedNetworks)
+}
diff --git a/pkg/api/handlers/compat/swagger.go b/pkg/api/handlers/compat/swagger.go
index 0a514822b..1d1f1ecf2 100644
--- a/pkg/api/handlers/compat/swagger.go
+++ b/pkg/api/handlers/compat/swagger.go
@@ -77,3 +77,10 @@ type swagCompatNetworkDisconnectRequest struct {
// in:body
Body struct{ types.NetworkDisconnect }
}
+
+// Network prune
+// swagger:response NetworkPruneResponse
+type swagCompatNetworkPruneResponse struct {
+ // in:body
+ Body []string
+}
diff --git a/pkg/api/handlers/libpod/networks.go b/pkg/api/handlers/libpod/networks.go
index d3bf06988..998f89d96 100644
--- a/pkg/api/handlers/libpod/networks.go
+++ b/pkg/api/handlers/libpod/networks.go
@@ -175,3 +175,17 @@ func ExistsNetwork(w http.ResponseWriter, r *http.Request) {
}
utils.WriteResponse(w, http.StatusNoContent, "")
}
+
+// Prune removes unused networks
+func Prune(w http.ResponseWriter, r *http.Request) {
+ // TODO Filters are not implemented
+ runtime := r.Context().Value("runtime").(*libpod.Runtime)
+ ic := abi.ContainerEngine{Libpod: runtime}
+ pruneOptions := entities.NetworkPruneOptions{}
+ pruneReports, err := ic.NetworkPrune(r.Context(), pruneOptions)
+ if err != nil {
+ utils.Error(w, "Something went wrong.", http.StatusInternalServerError, err)
+ return
+ }
+ utils.WriteResponse(w, http.StatusOK, pruneReports)
+}
diff --git a/pkg/api/server/register_networks.go b/pkg/api/server/register_networks.go
index 3d9e7fb89..d3345d8da 100644
--- a/pkg/api/server/register_networks.go
+++ b/pkg/api/server/register_networks.go
@@ -9,19 +9,6 @@ import (
)
func (s *APIServer) registerNetworkHandlers(r *mux.Router) error {
- // swagger:operation POST /networks/prune compat compatPruneNetwork
- // ---
- // tags:
- // - networks (compat)
- // Summary: Delete unused networks
- // description: Not supported
- // produces:
- // - application/json
- // responses:
- // 404:
- // $ref: "#/responses/NoSuchNetwork"
- r.HandleFunc(VersionedPath("/networks/prune"), compat.UnsupportedHandler).Methods(http.MethodPost)
- r.HandleFunc("/networks/prune", compat.UnsupportedHandler).Methods(http.MethodPost)
// swagger:operation DELETE /networks/{name} compat compatRemoveNetwork
// ---
// tags:
@@ -172,6 +159,35 @@ func (s *APIServer) registerNetworkHandlers(r *mux.Router) error {
// $ref: "#/responses/InternalError"
r.HandleFunc(VersionedPath("/networks/{name}/disconnect"), s.APIHandler(compat.Disconnect)).Methods(http.MethodPost)
r.HandleFunc("/networks/{name}/disconnect", s.APIHandler(compat.Disconnect)).Methods(http.MethodPost)
+ // swagger:operation POST /networks/prune compat compatPruneNetwork
+ // ---
+ // tags:
+ // - networks (compat)
+ // summary: Delete unused networks
+ // description: Remove CNI networks that do not have containers
+ // produces:
+ // - application/json
+ // parameters:
+ // - in: query
+ // name: filters
+ // type: string
+ // description: |
+ // NOT IMPLEMENTED
+ // Filters to process on the prune list, encoded as JSON (a map[string][]string).
+ // Available filters:
+ // - until=<timestamp> Prune networks created before this timestamp. The <timestamp> can be Unix timestamps, date formatted timestamps, or Go duration strings (e.g. 10m, 1h30m) computed relative to the daemon machine’s time.
+ // - label (label=<key>, label=<key>=<value>, label!=<key>, or label!=<key>=<value>) Prune networks with (or without, in case label!=... is used) the specified labels.
+ // responses:
+ // 200:
+ // description: OK
+ // schema:
+ // type: array
+ // items:
+ // type: string
+ // 500:
+ // $ref: "#/responses/InternalError"
+ r.HandleFunc(VersionedPath("/networks/prune"), s.APIHandler(compat.Prune)).Methods(http.MethodPost)
+ r.HandleFunc("/networks/prune", s.APIHandler(compat.Prune)).Methods(http.MethodPost)
// swagger:operation DELETE /libpod/networks/{name} libpod libpodRemoveNetwork
// ---
@@ -353,5 +369,29 @@ func (s *APIServer) registerNetworkHandlers(r *mux.Router) error {
// 500:
// $ref: "#/responses/InternalError"
r.HandleFunc(VersionedPath("/libpod/networks/{name}/disconnect"), s.APIHandler(compat.Disconnect)).Methods(http.MethodPost)
+ // swagger:operation POST /libpod/networks/prune libpod libpodPruneNetwork
+ // ---
+ // tags:
+ // - networks
+ // summary: Delete unused networks
+ // description: Remove CNI networks that do not have containers
+ // produces:
+ // - application/json
+ // parameters:
+ // - in: query
+ // name: filters
+ // type: string
+ // description: |
+ // NOT IMPLEMENTED
+ // Filters to process on the prune list, encoded as JSON (a map[string][]string).
+ // Available filters:
+ // - until=<timestamp> Prune networks created before this timestamp. The <timestamp> can be Unix timestamps, date formatted timestamps, or Go duration strings (e.g. 10m, 1h30m) computed relative to the daemon machine’s time.
+ // - label (label=<key>, label=<key>=<value>, label!=<key>, or label!=<key>=<value>) Prune networks with (or without, in case label!=... is used) the specified labels.
+ // responses:
+ // 200:
+ // $ref: "#/responses/NetworkPruneResponse"
+ // 500:
+ // $ref: "#/responses/InternalError"
+ r.HandleFunc(VersionedPath("/libpod/networks/prune"), s.APIHandler(libpod.Prune)).Methods(http.MethodPost)
return nil
}
diff --git a/pkg/bindings/network/network.go b/pkg/bindings/network/network.go
index 8debeee84..428e60cf2 100644
--- a/pkg/bindings/network/network.go
+++ b/pkg/bindings/network/network.go
@@ -180,3 +180,21 @@ func Exists(ctx context.Context, nameOrID string, options *ExistsOptions) (bool,
}
return response.IsSuccess(), nil
}
+
+// Prune removes unused CNI networks
+func Prune(ctx context.Context, options *PruneOptions) ([]*entities.NetworkPruneReport, error) {
+ // TODO Filters is not implemented
+ var (
+ prunedNetworks []*entities.NetworkPruneReport
+ )
+ conn, err := bindings.GetClient(ctx)
+ if err != nil {
+ return nil, err
+ }
+
+ response, err := conn.DoRequest(nil, http.MethodPost, "/networks/prune", nil, nil)
+ if err != nil {
+ return nil, err
+ }
+ return prunedNetworks, response.Process(&prunedNetworks)
+}
diff --git a/pkg/bindings/network/types.go b/pkg/bindings/network/types.go
index 91cbcf044..47dce67c7 100644
--- a/pkg/bindings/network/types.go
+++ b/pkg/bindings/network/types.go
@@ -74,3 +74,9 @@ type ConnectOptions struct {
// if a network exists
type ExistsOptions struct {
}
+
+//go:generate go run ../generator/generator.go PruneOptions
+// PruneOptions are optional options for removing unused
+// CNI networks
+type PruneOptions struct {
+}
diff --git a/pkg/bindings/network/types_prune_options.go b/pkg/bindings/network/types_prune_options.go
new file mode 100644
index 000000000..c56dcd0d3
--- /dev/null
+++ b/pkg/bindings/network/types_prune_options.go
@@ -0,0 +1,75 @@
+package network
+
+import (
+ "net/url"
+ "reflect"
+ "strings"
+
+ "github.com/containers/podman/v2/pkg/bindings/util"
+ jsoniter "github.com/json-iterator/go"
+ "github.com/pkg/errors"
+)
+
+/*
+This file is generated automatically by go generate. Do not edit.
+*/
+
+// Changed
+func (o *PruneOptions) Changed(fieldName string) bool {
+ r := reflect.ValueOf(o)
+ value := reflect.Indirect(r).FieldByName(fieldName)
+ return !value.IsNil()
+}
+
+// ToParams
+func (o *PruneOptions) ToParams() (url.Values, error) {
+ params := url.Values{}
+ if o == nil {
+ return params, nil
+ }
+ json := jsoniter.ConfigCompatibleWithStandardLibrary
+ s := reflect.ValueOf(o)
+ if reflect.Ptr == s.Kind() {
+ s = s.Elem()
+ }
+ sType := s.Type()
+ for i := 0; i < s.NumField(); i++ {
+ fieldName := sType.Field(i).Name
+ if !o.Changed(fieldName) {
+ continue
+ }
+ fieldName = strings.ToLower(fieldName)
+ f := s.Field(i)
+ if reflect.Ptr == f.Kind() {
+ f = f.Elem()
+ }
+ switch {
+ case util.IsSimpleType(f):
+ params.Set(fieldName, util.SimpleTypeToParam(f))
+ case f.Kind() == reflect.Slice:
+ for i := 0; i < f.Len(); i++ {
+ elem := f.Index(i)
+ if util.IsSimpleType(elem) {
+ params.Add(fieldName, util.SimpleTypeToParam(elem))
+ } else {
+ return nil, errors.New("slices must contain only simple types")
+ }
+ }
+ case f.Kind() == reflect.Map:
+ lowerCaseKeys := make(map[string][]string)
+ iter := f.MapRange()
+ for iter.Next() {
+ lowerCaseKeys[iter.Key().Interface().(string)] = iter.Value().Interface().([]string)
+
+ }
+ s, err := json.MarshalToString(lowerCaseKeys)
+ if err != nil {
+ return nil, err
+ }
+
+ params.Set(fieldName, s)
+ }
+
+ }
+ return params, nil
+}
diff --git a/pkg/domain/entities/engine_container.go b/pkg/domain/entities/engine_container.go
index 39bda1d72..2c97d7baf 100644
--- a/pkg/domain/entities/engine_container.go
+++ b/pkg/domain/entities/engine_container.go
@@ -63,6 +63,7 @@ type ContainerEngine interface {
NetworkExists(ctx context.Context, networkname string) (*BoolReport, error)
NetworkInspect(ctx context.Context, namesOrIds []string, options InspectOptions) ([]NetworkInspectReport, []error, error)
NetworkList(ctx context.Context, options NetworkListOptions) ([]*NetworkListReport, error)
+ NetworkPrune(ctx context.Context, options NetworkPruneOptions) ([]*NetworkPruneReport, error)
NetworkReload(ctx context.Context, names []string, options NetworkReloadOptions) ([]*NetworkReloadReport, error)
NetworkRm(ctx context.Context, namesOrIds []string, options NetworkRmOptions) ([]*NetworkRmReport, error)
PlayKube(ctx context.Context, path string, opts PlayKubeOptions) (*PlayKubeReport, error)
diff --git a/pkg/domain/entities/network.go b/pkg/domain/entities/network.go
index b76bfcac7..1859f920e 100644
--- a/pkg/domain/entities/network.go
+++ b/pkg/domain/entities/network.go
@@ -80,3 +80,15 @@ type NetworkConnectOptions struct {
Aliases []string
Container string
}
+
+// NetworkPruneReport containers the name of network and an error
+// associated in its pruning (removal)
+// swagger:model NetworkPruneReport
+type NetworkPruneReport struct {
+ Name string
+ Error error
+}
+
+// NetworkPruneOptions describes options for pruning
+// unused cni networks
+type NetworkPruneOptions struct{}
diff --git a/pkg/domain/infra/abi/network.go b/pkg/domain/infra/abi/network.go
index bc4328fcd..13fabe89d 100644
--- a/pkg/domain/infra/abi/network.go
+++ b/pkg/domain/infra/abi/network.go
@@ -155,3 +155,28 @@ func (ic *ContainerEngine) NetworkExists(ctx context.Context, networkname string
Value: exists,
}, nil
}
+
+// Network prune removes unused cni networks
+func (ic *ContainerEngine) NetworkPrune(ctx context.Context, options entities.NetworkPruneOptions) ([]*entities.NetworkPruneReport, error) {
+ runtimeConfig, err := ic.Libpod.GetConfig()
+ if err != nil {
+ return nil, err
+ }
+ cons, err := ic.Libpod.GetAllContainers()
+ if err != nil {
+ return nil, err
+ }
+ // Gather up all the non-default networks that the
+ // containers want
+ usedNetworks := make(map[string]bool)
+ for _, c := range cons {
+ nets, _, err := c.Networks()
+ if err != nil {
+ return nil, err
+ }
+ for _, n := range nets {
+ usedNetworks[n] = true
+ }
+ }
+ return network.PruneNetworks(runtimeConfig, usedNetworks)
+}
diff --git a/pkg/domain/infra/tunnel/network.go b/pkg/domain/infra/tunnel/network.go
index bdb1beb03..990bfa880 100644
--- a/pkg/domain/infra/tunnel/network.go
+++ b/pkg/domain/infra/tunnel/network.go
@@ -89,3 +89,8 @@ func (ic *ContainerEngine) NetworkExists(ctx context.Context, networkname string
Value: exists,
}, nil
}
+
+// Network prune removes unused cni networks
+func (ic *ContainerEngine) NetworkPrune(ctx context.Context, options entities.NetworkPruneOptions) ([]*entities.NetworkPruneReport, error) {
+ return network.Prune(ic.ClientCtx, nil)
+}
diff --git a/test/apiv2/rest_api/test_rest_v2_0_0.py b/test/apiv2/rest_api/test_rest_v2_0_0.py
index 9ce0803fb..73db35cc1 100644
--- a/test/apiv2/rest_api/test_rest_v2_0_0.py
+++ b/test/apiv2/rest_api/test_rest_v2_0_0.py
@@ -484,7 +484,7 @@ class TestApi(unittest.TestCase):
self.assertEqual(inspect.status_code, 404, inspect.content)
prune = requests.post(PODMAN_URL + "/v1.40/networks/prune")
- self.assertEqual(prune.status_code, 404, prune.content)
+ self.assertEqual(prune.status_code, 200, prune.content)
def test_volumes_compat(self):
name = "Volume_" + "".join(random.choice(string.ascii_letters) for i in range(10))
diff --git a/test/e2e/network_test.go b/test/e2e/network_test.go
index c6010ba43..d4e1a3698 100644
--- a/test/e2e/network_test.go
+++ b/test/e2e/network_test.go
@@ -540,4 +540,54 @@ var _ = Describe("Podman network", func() {
nc.WaitWithDefaultTimeout()
Expect(nc.ExitCode()).To(Equal(0))
})
+
+ It("podman network prune", func() {
+ // Create two networks
+ // Check they are there
+ // Run a container on one of them
+ // Network Prune
+ // Check that one has been pruned, other remains
+ net := "macvlan" + stringid.GenerateNonCryptoID()
+ net1 := net + "1"
+ net2 := net + "2"
+ nc := podmanTest.Podman([]string{"network", "create", net1})
+ nc.WaitWithDefaultTimeout()
+ defer podmanTest.removeCNINetwork(net1)
+ Expect(nc.ExitCode()).To(Equal(0))
+
+ nc2 := podmanTest.Podman([]string{"network", "create", net2})
+ nc2.WaitWithDefaultTimeout()
+ defer podmanTest.removeCNINetwork(net2)
+ Expect(nc2.ExitCode()).To(Equal(0))
+
+ list := podmanTest.Podman([]string{"network", "ls", "--format", "{{.Name}}"})
+ list.WaitWithDefaultTimeout()
+ Expect(list.ExitCode()).To(BeZero())
+
+ Expect(StringInSlice(net1, list.OutputToStringArray())).To(BeTrue())
+ Expect(StringInSlice(net2, list.OutputToStringArray())).To(BeTrue())
+ if !isRootless() {
+ Expect(StringInSlice("podman", list.OutputToStringArray())).To(BeTrue())
+ }
+
+ session := podmanTest.Podman([]string{"run", "-dt", "--net", net2, ALPINE, "top"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(BeZero())
+
+ prune := podmanTest.Podman([]string{"network", "prune", "-f"})
+ prune.WaitWithDefaultTimeout()
+ Expect(prune.ExitCode()).To(BeZero())
+
+ listAgain := podmanTest.Podman([]string{"network", "ls", "--format", "{{.Name}}"})
+ listAgain.WaitWithDefaultTimeout()
+ Expect(listAgain.ExitCode()).To(BeZero())
+
+ Expect(StringInSlice(net1, listAgain.OutputToStringArray())).To(BeFalse())
+ Expect(StringInSlice(net2, listAgain.OutputToStringArray())).To(BeTrue())
+ // Make sure default network 'podman' still exists
+ if !isRootless() {
+ Expect(StringInSlice("podman", list.OutputToStringArray())).To(BeTrue())
+ }
+
+ })
})
diff --git a/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_linux.go b/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_linux.go
index b11eafebb..749c89932 100644
--- a/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_linux.go
+++ b/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_linux.go
@@ -13,7 +13,7 @@ var (
isCgroupV2Err error
)
-// Enabled returns whether we are running in cgroup 2 cgroup2 mode.
+// Enabled returns whether we are running on cgroup v2
func Enabled() (bool, error) {
isCgroupV2Once.Do(func() {
var st syscall.Statfs_t
diff --git a/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_unsupported.go b/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_unsupported.go
index cda68b405..61b3653e5 100644
--- a/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_unsupported.go
+++ b/vendor/github.com/containers/common/pkg/cgroupv2/cgroups_unsupported.go
@@ -2,7 +2,7 @@
package cgroupv2
-// Enabled returns whether we are running in cgroup 2 cgroup2 mode.
+// Enabled returns whether we are running on cgroup v2
func Enabled() (bool, error) {
return false, nil
}
diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go
index 3b8baf87a..4a98c7e92 100644
--- a/vendor/github.com/containers/common/pkg/config/config.go
+++ b/vendor/github.com/containers/common/pkg/config/config.go
@@ -187,10 +187,6 @@ type ContainersConfig struct {
// EngineConfig contains configuration options used to set up a engine runtime
type EngineConfig struct {
- // ImageBuildFormat indicates the default image format to building
- // container images. Valid values are "oci" (default) or "docker".
- ImageBuildFormat string `toml:"image_build_format,omitempty"`
-
// CgroupCheck indicates the configuration has been rewritten after an
// upgrade to Fedora 31 to change the default OCI runtime for cgroupv2v2.
CgroupCheck bool `toml:"cgroup_check,omitempty"`
@@ -235,10 +231,25 @@ type EngineConfig struct {
// this slice takes precedence.
HooksDir []string `toml:"hooks_dir,omitempty"`
+ // ImageBuildFormat (DEPRECATED) indicates the default image format to
+ // building container images. Should use ImageDefaultFormat
+ ImageBuildFormat string `toml:"image_build_format,omitempty"`
+
// ImageDefaultTransport is the default transport method used to fetch
// images.
ImageDefaultTransport string `toml:"image_default_transport,omitempty"`
+ // ImageParallelCopies indicates the maximum number of image layers
+ // to be copied simultaneously. If this is zero, container engines
+ // will fall back to containers/image defaults.
+ ImageParallelCopies uint `toml:"image_parallel_copies,omitempty"`
+
+ // ImageDefaultFormat sepecified the manifest Type (oci, v2s2, or v2s1)
+ // to use when pulling, pushing, building container images. By default
+ // image pulled and pushed match the format of the source image.
+ // Building/committing defaults to OCI.
+ ImageDefaultFormat string `toml:"image_default_format,omitempty"`
+
// InfraCommand is the command run to start up a pod infra container.
InfraCommand string `toml:"infra_command,omitempty"`
diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf
index 0587469b2..18243f296 100644
--- a/vendor/github.com/containers/common/pkg/config/containers.conf
+++ b/vendor/github.com/containers/common/pkg/config/containers.conf
@@ -246,9 +246,14 @@ default_sysctls = [
# network_config_dir = "/etc/cni/net.d/"
[engine]
-# ImageBuildFormat indicates the default image format to building
-# container images. Valid values are "oci" (default) or "docker".
-# image_build_format = "oci"
+# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
+# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
+# image_parallel_copies=0
+
+# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
+# container images. By default image pulled and pushed match the format of the
+# source image. Building/commiting defaults to OCI.
+# image_default_format = ""
# Cgroup management implementation used for the runtime.
# Valid options "systemd" or "cgroupfs"
diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go
index 2e26fb7b8..918ce93e5 100644
--- a/vendor/github.com/containers/common/pkg/config/default.go
+++ b/vendor/github.com/containers/common/pkg/config/default.go
@@ -518,3 +518,9 @@ func (c *Config) TZ() string {
func (c *Config) Umask() string {
return c.Containers.Umask
}
+
+// LogDriver returns the logging driver to be used
+// currently k8s-file or journald
+func (c *Config) LogDriver() string {
+ return c.Containers.LogDriver
+}
diff --git a/vendor/github.com/containers/common/pkg/config/util_supported.go b/vendor/github.com/containers/common/pkg/config/util_supported.go
index 4595716d1..326e7973a 100644
--- a/vendor/github.com/containers/common/pkg/config/util_supported.go
+++ b/vendor/github.com/containers/common/pkg/config/util_supported.go
@@ -25,6 +25,17 @@ func getRuntimeDir() (string, error) {
rootlessRuntimeDirOnce.Do(func() {
runtimeDir := os.Getenv("XDG_RUNTIME_DIR")
+ if runtimeDir != "" {
+ st, err := os.Stat(runtimeDir)
+ if err != nil {
+ rootlessRuntimeDirError = err
+ return
+ }
+ if int(st.Sys().(*syscall.Stat_t).Uid) != os.Geteuid() {
+ rootlessRuntimeDirError = fmt.Errorf("XDG_RUNTIME_DIR directory %q is not owned by the current user", runtimeDir)
+ return
+ }
+ }
uid := fmt.Sprintf("%d", unshare.GetRootlessUID())
if runtimeDir == "" {
tmpDir := filepath.Join("/run", "user", uid)
diff --git a/vendor/github.com/containers/common/pkg/parse/parse.go b/vendor/github.com/containers/common/pkg/parse/parse.go
index 611b2e84b..882953309 100644
--- a/vendor/github.com/containers/common/pkg/parse/parse.go
+++ b/vendor/github.com/containers/common/pkg/parse/parse.go
@@ -13,7 +13,7 @@ import (
// ValidateVolumeOpts validates a volume's options
func ValidateVolumeOpts(options []string) ([]string, error) {
- var foundRootPropagation, foundRWRO, foundLabelChange, bindType, foundExec, foundDev, foundSuid int
+ var foundRootPropagation, foundRWRO, foundLabelChange, bindType, foundExec, foundDev, foundSuid, foundChown int
finalOpts := make([]string, 0, len(options))
for _, opt := range options {
switch opt {
@@ -42,6 +42,11 @@ func ValidateVolumeOpts(options []string) ([]string, error) {
if foundLabelChange > 1 {
return nil, errors.Errorf("invalid options %q, can only specify 1 'z', 'Z', or 'O' option", strings.Join(options, ", "))
}
+ case "U":
+ foundChown++
+ if foundChown > 1 {
+ return nil, errors.Errorf("invalid options %q, can only specify 1 'U' option", strings.Join(options, ", "))
+ }
case "private", "rprivate", "shared", "rshared", "slave", "rslave", "unbindable", "runbindable":
foundRootPropagation++
if foundRootPropagation > 1 {
diff --git a/vendor/github.com/containers/common/pkg/report/doc.go b/vendor/github.com/containers/common/pkg/report/doc.go
index 60d954d7e..326b315f2 100644
--- a/vendor/github.com/containers/common/pkg/report/doc.go
+++ b/vendor/github.com/containers/common/pkg/report/doc.go
@@ -38,7 +38,17 @@ Helpers:
... process JSON and output
}
-and
+Template Functions:
+
+The following template functions are added to the template when parsed:
+ - join strings.Join, {{join .Field separator}}
+ - lower strings.ToLower {{ .Field | lower }}
+ - split strings.Split {{ .Field | split }}
+ - title strings.Title {{ .Field | title }}
+ - upper strings.ToUpper {{ .Field | upper }}
+
+report.Funcs() may be used to add additional template functions.
+Adding an existing function will replace that function for the life of that template.
Note: Your code should not ignore errors
diff --git a/vendor/github.com/containers/common/pkg/report/template.go b/vendor/github.com/containers/common/pkg/report/template.go
index 551fbb3cf..559c1625b 100644
--- a/vendor/github.com/containers/common/pkg/report/template.go
+++ b/vendor/github.com/containers/common/pkg/report/template.go
@@ -1,6 +1,8 @@
package report
import (
+ "bytes"
+ "encoding/json"
"reflect"
"strings"
"text/template"
@@ -21,16 +23,32 @@ type FuncMap template.FuncMap
var tableReplacer = strings.NewReplacer(
"table ", "",
`\t`, "\t",
- `\n`, "\n",
" ", "\t",
)
// escapedReplacer will clean up escaped characters from CLI
var escapedReplacer = strings.NewReplacer(
`\t`, "\t",
- `\n`, "\n",
)
+var DefaultFuncs = FuncMap{
+ "join": strings.Join,
+ "json": func(v interface{}) string {
+ buf := &bytes.Buffer{}
+ enc := json.NewEncoder(buf)
+ enc.SetEscapeHTML(false)
+ enc.Encode(v)
+ // Remove the trailing new line added by the encoder
+ return strings.TrimSpace(buf.String())
+ },
+ "lower": strings.ToLower,
+ "pad": padWithSpace,
+ "split": strings.Split,
+ "title": strings.Title,
+ "truncate": truncateWithLength,
+ "upper": strings.ToUpper,
+}
+
// NormalizeFormat reads given go template format provided by CLI and munges it into what we need
func NormalizeFormat(format string) string {
var f string
@@ -47,6 +65,22 @@ func NormalizeFormat(format string) string {
return f
}
+// padWithSpace adds spaces*prefix and spaces*suffix to the input when it is non-empty
+func padWithSpace(source string, prefix, suffix int) string {
+ if source == "" {
+ return source
+ }
+ return strings.Repeat(" ", prefix) + source + strings.Repeat(" ", suffix)
+}
+
+// truncateWithLength truncates the source string up to the length provided by the input
+func truncateWithLength(source string, length int) string {
+ if len(source) < length {
+ return source
+ }
+ return source[:length]
+}
+
// Headers queries the interface for field names.
// Array of map is returned to support range templates
// Note: unexported fields can be supported by adding field to overrides
@@ -88,7 +122,7 @@ func Headers(object interface{}, overrides map[string]string) []map[string]strin
// NewTemplate creates a new template object
func NewTemplate(name string) *Template {
- return &Template{template.New(name), false}
+ return &Template{Template: template.New(name).Funcs(template.FuncMap(DefaultFuncs))}
}
// Parse parses text as a template body for t
@@ -100,13 +134,21 @@ func (t *Template) Parse(text string) (*Template, error) {
text = NormalizeFormat(text)
}
- tt, err := t.Template.Parse(text)
+ tt, err := t.Template.Funcs(template.FuncMap(DefaultFuncs)).Parse(text)
return &Template{tt, t.isTable}, err
}
-// Funcs adds the elements of the argument map to the template's function map
+// Funcs adds the elements of the argument map to the template's function map.
+// A default template function will be replace if there is a key collision.
func (t *Template) Funcs(funcMap FuncMap) *Template {
- return &Template{t.Template.Funcs(template.FuncMap(funcMap)), t.isTable}
+ m := make(FuncMap)
+ for k, v := range DefaultFuncs {
+ m[k] = v
+ }
+ for k, v := range funcMap {
+ m[k] = v
+ }
+ return &Template{Template: t.Template.Funcs(template.FuncMap(m)), isTable: t.isTable}
}
// IsTable returns true if format string defines a "table"
diff --git a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go
index 5c4427318..24077778e 100644
--- a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go
+++ b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go
@@ -5,8 +5,6 @@
package seccomp
import (
- "syscall"
-
"golang.org/x/sys/unix"
)
@@ -45,7 +43,7 @@ func arches() []Architecture {
// DefaultProfile defines the allowlist for the default seccomp profile.
func DefaultProfile() *Seccomp {
- einval := uint(syscall.EINVAL)
+ einval := uint(unix.EINVAL)
syscalls := []*Syscall{
{
@@ -87,6 +85,7 @@ func DefaultProfile() *Seccomp {
"epoll_ctl",
"epoll_ctl_old",
"epoll_pwait",
+ "epoll_pwait2",
"epoll_wait",
"epoll_wait_old",
"eventfd",
@@ -115,7 +114,11 @@ func DefaultProfile() *Seccomp {
"flock",
"fork",
"fremovexattr",
+ "fsconfig",
"fsetxattr",
+ "fsmount",
+ "fsopen",
+ "fspick",
"fstat",
"fstat64",
"fstatat64",
@@ -203,6 +206,7 @@ func DefaultProfile() *Seccomp {
"mmap",
"mmap2",
"mount",
+ "move_mount",
"mprotect",
"mq_getsetattr",
"mq_notify",
@@ -225,6 +229,7 @@ func DefaultProfile() *Seccomp {
"open",
"openat",
"openat2",
+ "open_tree",
"pause",
"pidfd_getfd",
"pidfd_open",
@@ -331,7 +336,6 @@ func DefaultProfile() *Seccomp {
"signalfd",
"signalfd4",
"sigreturn",
- "socket",
"socketcall",
"socketpair",
"splice",
@@ -512,19 +516,13 @@ func DefaultProfile() *Seccomp {
{
Names: []string{
"bpf",
- "clone",
"fanotify_init",
"lookup_dcookie",
- "mount",
- "name_to_handle_at",
"perf_event_open",
"quotactl",
"setdomainname",
"sethostname",
"setns",
- "umount",
- "umount2",
- "unshare",
},
Action: ActAllow,
Args: []*Arg{},
@@ -534,55 +532,6 @@ func DefaultProfile() *Seccomp {
},
{
Names: []string{
- "clone",
- },
- Action: ActAllow,
- Args: []*Arg{
- {
- Index: 0,
- Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
- ValueTwo: 0,
- Op: OpMaskedEqual,
- },
- },
- Excludes: Filter{
- Caps: []string{"CAP_SYS_ADMIN"},
- Arches: []string{"s390", "s390x"},
- },
- },
- {
- Names: []string{
- "clone",
- },
- Action: ActAllow,
- Args: []*Arg{
- {
- Index: 1,
- Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
- ValueTwo: 0,
- Op: OpMaskedEqual,
- },
- },
- Comment: "s390 parameter ordering for clone is different",
- Includes: Filter{
- Arches: []string{"s390", "s390x"},
- },
- Excludes: Filter{
- Caps: []string{"CAP_SYS_ADMIN"},
- },
- },
- {
- Names: []string{
- "reboot",
- },
- Action: ActAllow,
- Args: []*Arg{},
- Includes: Filter{
- Caps: []string{"CAP_SYS_BOOT"},
- },
- },
- {
- Names: []string{
"chroot",
},
Action: ActAllow,
@@ -608,7 +557,6 @@ func DefaultProfile() *Seccomp {
Names: []string{
"get_mempolicy",
"mbind",
- "name_to_handle_at",
"set_mempolicy",
},
Action: ActAllow,
@@ -630,6 +578,7 @@ func DefaultProfile() *Seccomp {
{
Names: []string{
"kcmp",
+ "process_madvise",
"process_vm_readv",
"process_vm_writev",
"ptrace",
@@ -683,12 +632,12 @@ func DefaultProfile() *Seccomp {
Args: []*Arg{
{
Index: 0,
- Value: syscall.AF_NETLINK,
+ Value: unix.AF_NETLINK,
Op: OpEqualTo,
},
{
Index: 2,
- Value: syscall.NETLINK_AUDIT,
+ Value: unix.NETLINK_AUDIT,
Op: OpEqualTo,
},
},
@@ -704,7 +653,7 @@ func DefaultProfile() *Seccomp {
Args: []*Arg{
{
Index: 2,
- Value: syscall.NETLINK_AUDIT,
+ Value: unix.NETLINK_AUDIT,
Op: OpNotEqual,
},
},
@@ -720,7 +669,7 @@ func DefaultProfile() *Seccomp {
Args: []*Arg{
{
Index: 0,
- Value: syscall.AF_NETLINK,
+ Value: unix.AF_NETLINK,
Op: OpNotEqual,
},
},
@@ -736,7 +685,7 @@ func DefaultProfile() *Seccomp {
Args: []*Arg{
{
Index: 2,
- Value: syscall.NETLINK_AUDIT,
+ Value: unix.NETLINK_AUDIT,
Op: OpNotEqual,
},
},
diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json
index d6f3f4938..48420905c 100644
--- a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json
+++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json
@@ -89,6 +89,7 @@
"epoll_ctl",
"epoll_ctl_old",
"epoll_pwait",
+ "epoll_pwait2",
"epoll_wait",
"epoll_wait_old",
"eventfd",
@@ -117,7 +118,11 @@
"flock",
"fork",
"fremovexattr",
+ "fsconfig",
"fsetxattr",
+ "fsmount",
+ "fsopen",
+ "fspick",
"fstat",
"fstat64",
"fstatat64",
@@ -177,6 +182,7 @@
"ioprio_get",
"ioprio_set",
"ipc",
+ "keyctl",
"kill",
"lchown",
"lchown32",
@@ -204,6 +210,7 @@
"mmap",
"mmap2",
"mount",
+ "move_mount",
"mprotect",
"mq_getsetattr",
"mq_notify",
@@ -226,6 +233,7 @@
"open",
"openat",
"openat2",
+ "open_tree",
"pause",
"pidfd_getfd",
"pidfd_open",
@@ -574,19 +582,13 @@
{
"names": [
"bpf",
- "clone",
"fanotify_init",
"lookup_dcookie",
- "mount",
- "name_to_handle_at",
"perf_event_open",
"quotactl",
"setdomainname",
"sethostname",
- "setns",
- "umount",
- "umount2",
- "unshare"
+ "setns"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
@@ -600,71 +602,6 @@
},
{
"names": [
- "clone"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [
- {
- "index": 0,
- "value": 2080505856,
- "valueTwo": 0,
- "op": "SCMP_CMP_MASKED_EQ"
- }
- ],
- "comment": "",
- "includes": {},
- "excludes": {
- "caps": [
- "CAP_SYS_ADMIN"
- ],
- "arches": [
- "s390",
- "s390x"
- ]
- }
- },
- {
- "names": [
- "clone"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [
- {
- "index": 1,
- "value": 2080505856,
- "valueTwo": 0,
- "op": "SCMP_CMP_MASKED_EQ"
- }
- ],
- "comment": "s390 parameter ordering for clone is different",
- "includes": {
- "arches": [
- "s390",
- "s390x"
- ]
- },
- "excludes": {
- "caps": [
- "CAP_SYS_ADMIN"
- ]
- }
- },
- {
- "names": [
- "reboot"
- ],
- "action": "SCMP_ACT_ALLOW",
- "args": [],
- "comment": "",
- "includes": {
- "caps": [
- "CAP_SYS_BOOT"
- ]
- },
- "excludes": {}
- },
- {
- "names": [
"chroot"
],
"action": "SCMP_ACT_ALLOW",
@@ -698,7 +635,6 @@
"names": [
"get_mempolicy",
"mbind",
- "name_to_handle_at",
"set_mempolicy"
],
"action": "SCMP_ACT_ALLOW",
@@ -728,6 +664,7 @@
{
"names": [
"kcmp",
+ "process_madvise",
"process_vm_readv",
"process_vm_writev",
"ptrace"
@@ -894,4 +831,4 @@
"excludes": {}
}
]
-}
+} \ No newline at end of file
diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
index 7d7cf59f1..8efc8b8a2 100644
--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
@@ -1,4 +1,4 @@
package version
// Version is the version of the build.
-const Version = "0.33.1"
+const Version = "0.34.3-dev"
diff --git a/vendor/modules.txt b/vendor/modules.txt
index ef33a0dcc..e8b5edf8c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -89,7 +89,7 @@ github.com/containers/buildah/pkg/parse
github.com/containers/buildah/pkg/rusage
github.com/containers/buildah/pkg/supplemented
github.com/containers/buildah/util
-# github.com/containers/common v0.33.1
+# github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577
github.com/containers/common/pkg/apparmor
github.com/containers/common/pkg/apparmor/internal/supported
github.com/containers/common/pkg/auth