diff options
43 files changed, 233 insertions, 118 deletions
@@ -149,7 +149,7 @@ err_if_empty = $(if $(strip $($(1))),$(strip $($(1))),$(error Required variable # Podman does not work w/o CGO_ENABLED, except in some very specific cases CGO_ENABLED ?= 1 -# Default to the native OS type and archetecture unless otherwise specified +# Default to the native OS type and architecture unless otherwise specified GOOS ?= $(shell $(GO) env GOOS) ifeq ($(call err_if_empty,GOOS),windows) BINSFX := .exe @@ -255,7 +255,7 @@ test/goecho/goecho: .gopathok $(wildcard test/goecho/*.go) .PHONY: codespell codespell: - codespell -S bin,vendor,.git,go.sum,changelog.txt,.cirrus.yml,"RELEASE_NOTES.md,*.xz,*.gz,*.tar,*.tgz,bin2img,*ico,*.png,*.1,*.5,copyimg,*.orig,apidoc.go" -L uint,iff,od,seeked,splitted,marge,ERRO,hist -w + codespell -S bin,vendor,.git,go.sum,changelog.txt,.cirrus.yml,"RELEASE_NOTES.md,*.xz,*.gz,*.tar,*.tgz,bin2img,*ico,*.png,*.1,*.5,copyimg,*.orig,apidoc.go" -L uint,iff,od,seeked,splitted,marge,ERRO,hist,ether -w .PHONY: validate validate: gofmt lint .gitvalidation validate.completions man-page-check swagger-check tests-included diff --git a/RELEASE_PROCESS.md b/RELEASE_PROCESS.md index 52c08c3f2..e063fa617 100644 --- a/RELEASE_PROCESS.md +++ b/RELEASE_PROCESS.md @@ -196,7 +196,7 @@ spelled with complete minutiae. 1. Merge the PR (or ask someone else to review and merge, to be safer). 1. **Note:** This is the last point where any test-failures can be addressed by code changes. After pushing the new version-tag upstream, no further - changes can be made to the code without lots of unpleasent efforts. Please + changes can be made to the code without lots of unpleasant efforts. Please seek assistance if needed, before proceeding. 1. Assuming the "Bump to ..." PR merged successfully, and you're **really** diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go index da391d30d..d496ae308 100644 --- a/cmd/podman/common/create.go +++ b/cmd/podman/common/create.go @@ -277,7 +277,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *ContainerCLIOpts) { createFlags.StringSliceVar( &cf.GroupAdd, groupAddFlagName, []string{}, - "Add additional groups to join", + "Add additional groups to the primary container process. 'keep-groups' allows container processes to use suplementary groups.", ) _ = cmd.RegisterFlagCompletionFunc(groupAddFlagName, completion.AutocompleteNone) diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go index 507e9c221..3f495e19b 100644 --- a/cmd/podman/containers/create.go +++ b/cmd/podman/containers/create.go @@ -193,6 +193,25 @@ func createInit(c *cobra.Command) error { val := c.Flag("entrypoint").Value.String() cliVals.Entrypoint = &val } + + if c.Flags().Changed("group-add") { + groups := []string{} + for _, g := range cliVals.GroupAdd { + if g == "keep-groups" { + if len(cliVals.GroupAdd) > 1 { + return errors.New("the '--group-add keep-groups' option is not allowed with any other --group-add options") + } + if registry.IsRemote() { + return errors.New("the '--group-add keep-groups' option is not supported in remote mode") + } + cliVals.Annotation = append(cliVals.Annotation, "run.oci.keep_original_groups=1") + } else { + groups = append(groups, g) + } + } + cliVals.GroupAdd = groups + } + if c.Flags().Changed("pids-limit") { val := c.Flag("pids-limit").Value.String() pidsLimit, err := strconv.ParseInt(val, 10, 32) diff --git a/cmd/podman/machine/stop.go b/cmd/podman/machine/stop.go index 4235b64f1..4307d3eeb 100644 --- a/cmd/podman/machine/stop.go +++ b/cmd/podman/machine/stop.go @@ -30,7 +30,7 @@ func init() { }) } -// TODO Name shouldnt be required, need to create a default vm +// TODO Name shouldn't be required, need to create a default vm func stop(cmd *cobra.Command, args []string) error { var ( err error diff --git a/completions/powershell/podman-remote.ps1 b/completions/powershell/podman-remote.ps1 index 9cdbabc52..875684b34 100644 --- a/completions/powershell/podman-remote.ps1 +++ b/completions/powershell/podman-remote.ps1 @@ -161,7 +161,7 @@ Register-ArgumentCompleter -CommandName 'podman-remote' -ScriptBlock { $Values | ForEach-Object { - # store temporay because switch will overwrite $_ + # store temporary because switch will overwrite $_ $comp = $_ # PowerShell supports three different completion modes @@ -216,7 +216,7 @@ Register-ArgumentCompleter -CommandName 'podman-remote' -ScriptBlock { Default { # Like MenuComplete but we don't want to add a space here because # the user need to press space anyway to get the completion. - # Description will not be shown because thats not possible with TabCompleteNext + # Description will not be shown because that's not possible with TabCompleteNext [System.Management.Automation.CompletionResult]::new($($comp.Name | __podman-remote_escapeStringWithSpecialChars), "$($comp.Name)", 'ParameterValue', "$($comp.Description)") } } diff --git a/completions/powershell/podman.ps1 b/completions/powershell/podman.ps1 index 6b6f832d2..619c5beea 100644 --- a/completions/powershell/podman.ps1 +++ b/completions/powershell/podman.ps1 @@ -161,7 +161,7 @@ Register-ArgumentCompleter -CommandName 'podman' -ScriptBlock { $Values | ForEach-Object { - # store temporay because switch will overwrite $_ + # store temporary because switch will overwrite $_ $comp = $_ # PowerShell supports three different completion modes @@ -216,7 +216,7 @@ Register-ArgumentCompleter -CommandName 'podman' -ScriptBlock { Default { # Like MenuComplete but we don't want to add a space here because # the user need to press space anyway to get the completion. - # Description will not be shown because thats not possible with TabCompleteNext + # Description will not be shown because that's not possible with TabCompleteNext [System.Management.Automation.CompletionResult]::new($($comp.Name | __podman_escapeStringWithSpecialChars), "$($comp.Name)", 'ParameterValue', "$($comp.Description)") } } diff --git a/contrib/cirrus/runner.sh b/contrib/cirrus/runner.sh index b463745d1..47f3c9405 100755 --- a/contrib/cirrus/runner.sh +++ b/contrib/cirrus/runner.sh @@ -277,7 +277,7 @@ logformatter() { |& awk --file "${CIRRUS_WORKING_DIR}/${SCRIPT_BASE}/timestamp.awk" \ |& "${CIRRUS_WORKING_DIR}/${SCRIPT_BASE}/logformatter" "$output_name" else - # Assume script is run by a human, they want output immediatly + # Assume script is run by a human, they want output immediately cat - fi } diff --git a/docs/remote-docs.sh b/docs/remote-docs.sh index 2b7d73cd3..939c7264c 100755 --- a/docs/remote-docs.sh +++ b/docs/remote-docs.sh @@ -6,7 +6,7 @@ PLATFORM=$1 ## linux, windows or darwin TARGET=${2} ## where to output files SOURCES=${@:3} ## directories to find markdown files -# Overriden for testing. Native podman-remote binary expected filepaths +# Overridden for testing. Native podman-remote binary expected filepaths if [[ -z "$PODMAN" ]]; then case $(env -i HOME=$HOME PATH=$PATH go env GOOS) in windows) diff --git a/docs/source/markdown/podman-build.1.md b/docs/source/markdown/podman-build.1.md index 876bfe412..791e2d907 100644 --- a/docs/source/markdown/podman-build.1.md +++ b/docs/source/markdown/podman-build.1.md @@ -688,7 +688,7 @@ Set the architecture variant of the image to be pulled. bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Podman container. (This option is not available with the remote Podman client) - The `OPTIONS` are a comma delimited list and can be: <sup>[[1]](#Footnote1)</sup> + The `OPTIONS` are a comma-separated list and can be: <sup>[[1]](#Footnote1)</sup> * [rw|ro] * [z|Z|O] diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 059a09ae1..1ea9d1ea6 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -261,8 +261,8 @@ Note: if _host_device_ is a symbolic link then it will be resolved first. The container will only store the major and minor numbers of the host device. Note: if the user only has access rights via a group, accessing the device -from inside a rootless container will fail. The **crun**(1) runtime offers a -workaround for this by adding the option **\-\-annotation run.oci.keep_original_groups=1**. +from inside a rootless container will fail. Use the `--group-add keep-groups` +flag to pass the user's supplementary group access into the container. Podman may load kernel modules required for using the specified device. The devices that podman will load modules when necessary are: @@ -361,9 +361,17 @@ GID map for the user namespace. Using this flag will run the container with user The following example maps uids 0-2000 in the container to the uids 30000-31999 on the host and gids 0-2000 in the container to the gids 30000-31999 on the host. `--gidmap=0:30000:2000` -#### **\-\-group-add**=*group* +#### **\-\-group-add**=*group|keep-groups* -Add additional groups to run as +Add additional groups to assign to primary user running within the container process. + +- `keep-groups` is a special flag that tells Podman to keep the supplementary group access. + +Allows container to use the user's supplementary group access. If file systems or +devices are only accessible by the rootless user's group, this flag tells the OCI +runtime to pass the group access into the container. Currently only available +with the `crun` OCI runtime. Note: `keep-groups` is exclusive, you cannot add any other groups +with this flag. (Not available for remote commands) #### **\-\-health-cmd**=*"command"* | *'["command", "arg1", ...]'* @@ -634,7 +642,7 @@ Valid _mode_ values are: - **none**: no networking; - **container:**_id_: reuse another container's network stack; - **host**: use the Podman host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure; -- _network-id_: connect to a user-defined network, multiple networks should be comma separated; +- _network-id_: connect to a user-defined network, multiple networks should be comma-separated; - **ns:**_path_: path to a network namespace to join; - **private**: create a new namespace for the container (default) - **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options: @@ -861,6 +869,8 @@ Security Options - `label=filetype:TYPE` : Set the label file type for the container files - `label=disable` : Turn off label separation for the container +Note: Labeling can be disabled for all containers by setting label=false in the **containers.conf** (`/etc/containers/containers.conf` or `$HOME/.config/containers/containers.conf`) file. + - `mask=/path/1:/path/2` : The paths to mask separated by a colon. A masked path cannot be accessed inside the container. @@ -869,13 +879,13 @@ Security Options - `seccomp=unconfined` : Turn off seccomp confinement for the container - `seccomp=profile.json` : White listed syscalls seccomp Json file to be used as a seccomp filter +- `proc-opts=OPTIONS` : Comma-separated list of options to use for the /proc mount. More details for the + possible mount options are specified in the **proc(5)** man page. + - `unmask=ALL or /path/1:/path/2` : Paths to unmask separated by a colon. If set to **ALL**, it will unmask all the paths that are masked or made read only by default. The default masked paths are **/proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.** The default paths that are read only are **/proc/asound, /proc/bus, /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup**. -- `proc-opts=OPTIONS` : Comma separated list of options to use for the /proc mount. More details for the - possible mount options are specified at **proc(5)** man page. - Note: Labeling can be disabled for all containers by setting label=false in the **containers.conf** (`/etc/containers/containers.conf` or `$HOME/.config/containers/containers.conf`) file. #### **\-\-shm-size**=*size* @@ -1093,9 +1103,9 @@ Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, Podman bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Podman container. Similarly, `-v SOURCE-VOLUME:/CONTAINER-DIR` will mount the volume in the host to the container. If no such named volume exists, Podman will -create one. The `OPTIONS` are a comma delimited list and can be: <sup>[[1]](#Footnote1)</sup> (Note when using the remote client, the volumes will be mounted from the remote server, not necessarly the client machine.) +create one. The `OPTIONS` are a comma-separated list and can be: <sup>[[1]](#Footnote1)</sup> (Note when using the remote client, the volumes will be mounted from the remote server, not necessarly the client machine.) -The _options_ is a comma delimited list and can be: +The _options_ is a comma-separated list and can be: * **rw**|**ro** * **z**|**Z** @@ -1185,7 +1195,7 @@ host into the container to allow speeding up builds. Content mounted into the container is labeled with the private label. On SELinux systems, labels in the source directory must be readable by the container label. Usually containers can read/execute `container_share_t` -and can read/write `container_file_t`. If you can not change the labels on a +and can read/write `container_file_t`. If you cannot change the labels on a source volume, SELinux container separation must be disabled for the container to work. - The source directory mounted into the container with an overlay mount @@ -1245,10 +1255,14 @@ will convert /foo into a `shared` mount point. Alternatively one can directly change propagation properties of source mount. Say `/` is source mount for `/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount. +Note: if the user only has access rights via a group, accessing the volume +from inside a rootless container will fail. Use the `--group-add keep-groups` +flag to pass the user's supplementary group access into the container. + #### **\-\-volumes-from**[=*CONTAINER*[:*OPTIONS*]] Mount volumes from the specified container(s). Used to share volumes between -containers. The *options* is a comma delimited list with the following available elements: +containers. The *options* is a comma-separated list with the following available elements: * **rw**|**ro** * **z** @@ -1351,6 +1365,11 @@ $ podman create --name container1 -t -i fedora bash $ podman create --name container2 -t -i fedora bash $ podman create --name container3 --requires container1,container2 -t -i fedora bash $ podman start --attach container3 + +### Configure keep supplemental groups for access to volume + +``` +$ podman create -v /var/lib/design:/var/lib/design --group-add keep-groups ubi8 ``` ### Rootless Containers diff --git a/docs/source/markdown/podman-pod-create.1.md b/docs/source/markdown/podman-pod-create.1.md index 9ecde1ca3..6f3d7f1ca 100644 --- a/docs/source/markdown/podman-pod-create.1.md +++ b/docs/source/markdown/podman-pod-create.1.md @@ -125,7 +125,7 @@ If another pod with the same name already exists, replace and remove it. The de #### **\-\-share**=*namespace* -A comma delimited list of kernel namespaces to share. If none or "" is specified, no namespaces will be shared. The namespaces to choose from are ipc, net, pid, uts. +A comma-separated list of kernel namespaces to share. If none or "" is specified, no namespaces will be shared. The namespaces to choose from are ipc, net, pid, uts. The operator can identify a pod in three ways: UUID long identifier (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”) diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index b607a65ff..3a2651f98 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -299,8 +299,8 @@ Note: if _host_device_ is a symbolic link then it will be resolved first. The container will only store the major and minor numbers of the host device. Note: if the user only has access rights via a group, accessing the device -from inside a rootless container will fail. The **crun**(1) runtime offers a -workaround for this by adding the option **\-\-annotation run.oci.keep_original_groups=1**. +from inside a rootless container will fail. Use the `--group-add keep-groups` +flag to pass the user's supplementary group access into the container. Podman may load kernel modules required for using the specified device. The devices that Podman will load modules when necessary are: @@ -405,9 +405,17 @@ Meaning **groupname** is initially mapped to gid **100000** which is referenced above: The group **groupname** is mapped to group **100000** of the initial namespace then the **30000**st id of this namespace (which is gid 130000 in this namespace) is mapped to container namespace group id **0**. (groupname -> 100000 / 30000 -> 0) -#### **\-\-group-add**=*group* +#### **\-\-group-add**=*group|keep-groups* -Add additional groups to run as +Add additional groups to assign to primary user running within the container process. + +- `keep-groups` is a special flag that tells Podman to keep the supplementary group access. + +Allows container to use the user's supplementary group access. If file systems or +devices are only accessible by the rootless user's group, this flag tells the OCI +runtime to pass the group access into the container. Currently only available +with the `crun` OCI runtime. Note: `keep-groups` is exclusive, you cannot add any other groups +with this flag. (Not available for remote commands) #### **\-\-health-cmd**=*"command"* | *'["command", "arg1", ...]'* @@ -670,7 +678,7 @@ Valid _mode_ values are: - **none**: no networking; - **container:**_id_: reuse another container's network stack; - **host**: use the Podman host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure; -- _network-id_: connect to a user-defined network, multiple networks should be comma separated; +- _network-id_: connect to a user-defined network, multiple networks should be comma-separated; - **ns:**_path_: path to a network namespace to join; - **private**: create a new namespace for the container (default) - **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options: @@ -905,19 +913,27 @@ Security Options - **apparmor=unconfined** : Turn off apparmor confinement for the container - **apparmor**=_your-profile_ : Set the apparmor confinement profile for the container + - **label=user:**_USER_: Set the label user for the container processes - **label=role:**_ROLE_: Set the label role for the container processes - **label=type:**_TYPE_: Set the label process type for the container processes - **label=level:**_LEVEL_: Set the label level for the container processes - **label=filetype:**TYPE_: Set the label file type for the container files - **label=disable**: Turn off label separation for the container + +Note: Labeling can be disabled for all containers by setting label=false in the **containers.conf** (`/etc/containers/containers.conf` or `$HOME/.config/containers/containers.conf`) file. + - **mask**=_/path/1:/path/2_: The paths to mask separated by a colon. A masked path cannot be accessed inside the container. + - **no-new-privileges**: Disable container processes from gaining additional privileges + - **seccomp=unconfined**: Turn off seccomp confinement for the container - **seccomp**=_profile.json_: Allowed syscall list seccomp JSON file to be used as a seccomp filter -- **proc-opts**=_OPTIONS_ : Comma separated list of options to use for the /proc mount. More details - for the possible mount options are specified at **proc(5)** man page. + +- **proc-opts**=_OPTIONS_ : Comma-separated list of options to use for the /proc mount. More details + for the possible mount options are specified in the **proc(5)** man page. + - **unmask**=_ALL_ or _/path/1:/path/2_: Paths to unmask separated by a colon. If set to **ALL**, it will unmask all the paths that are masked or made read only by default. The default masked paths are **/proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.**. The default paths that are read only are **/proc/asound**, **/proc/bus**, **/proc/fs**, **/proc/irq**, **/proc/sys**, **/proc/sysrq-trigger**, **/sys/fs/cgroup**. @@ -1164,7 +1180,7 @@ container. Similarly, _SOURCE-VOLUME_:_/CONTAINER-DIR_ will mount the volume in the host to the container. If no such named volume exists, Podman will create one. (Note when using the remote client, the volumes will be mounted from the remote server, not necessarly the client machine.) -The _options_ is a comma delimited list and can be: <sup>[[1]](#Footnote1)</sup> +The _options_ is a comma-separated list and can be: <sup>[[1]](#Footnote1)</sup> * **rw**|**ro** * **z**|**Z** @@ -1252,7 +1268,7 @@ host into the container to allow speeding up builds. Content mounted into the container is labeled with the private label. On SELinux systems, labels in the source directory must be readable by the container label. Usually containers can read/execute `container_share_t` -and can read/write `container_file_t`. If you can not change the labels on a +and can read/write `container_file_t`. If you cannot change the labels on a source volume, SELinux container separation must be disabled for the container to work. - The source directory mounted into the container with an overlay mount @@ -1314,10 +1330,14 @@ will convert /foo into a shared mount point. Alternatively, one can directly change propagation properties of source mount. Say, if _/_ is source mount for _/foo_, then use **mount --make-shared /** to convert _/_ into a shared mount. +Note: if the user only has access rights via a group, accessing the volume +from inside a rootless container will fail. Use the `--group-add keep-groups` +flag to pass the user's supplementary group access into the container. + #### **\-\-volumes-from**[=*CONTAINER*[:*OPTIONS*]] Mount volumes from the specified container(s). Used to share volumes between -containers. The *options* is a comma delimited list with the following available elements: +containers. The *options* is a comma-separated list with the following available elements: * **rw**|**ro** * **z** @@ -1699,6 +1719,11 @@ Multiple containers can be required. $ podman create --name container1 -t -i fedora bash $ podman create --name container2 -t -i fedora bash $ podman run --name container3 --requires container1,container2 -t -i fedora bash + +### Configure keep supplemental groups for access to volume + +``` +$ podman run -v /var/lib/design:/var/lib/design --group-add keep-groups ubi8 ``` ### Rootless Containers diff --git a/docs/source/markdown/podman-secret-create.1.md b/docs/source/markdown/podman-secret-create.1.md index ca92dd38e..f5a97a0f3 100644 --- a/docs/source/markdown/podman-secret-create.1.md +++ b/docs/source/markdown/podman-secret-create.1.md @@ -16,7 +16,7 @@ A secret is a blob of sensitive data which a container needs at runtime but should not be stored in the image or in source control, such as usernames and passwords, TLS certificates and keys, SSH keys or other important generic strings or binary content (up to 500 kb in size). -Secrets will not be commited to an image with `podman commit`, and will not be in the archive created by a `podman export` +Secrets will not be committed to an image with `podman commit`, and will not be in the archive created by a `podman export` ## OPTIONS @@ -11,7 +11,7 @@ require ( github.com/containernetworking/cni v0.8.1 github.com/containernetworking/plugins v0.9.1 github.com/containers/buildah v1.20.1-0.20210402144408-36a37402d0c8 - github.com/containers/common v0.36.0 + github.com/containers/common v0.37.0 github.com/containers/conmon v2.0.20+incompatible github.com/containers/image/v5 v5.11.1 github.com/containers/ocicrypt v1.1.1 @@ -193,8 +193,8 @@ github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRD github.com/containers/buildah v1.20.1-0.20210402144408-36a37402d0c8 h1:RlqbDlfE3+qrq4bNTZG7NVPqCDzfZrgE/yicu0VAykQ= github.com/containers/buildah v1.20.1-0.20210402144408-36a37402d0c8/go.mod h1:iowyscoAC5jwNDhs3c5CLGdBZ9FJk5UOoN2I5TdmXFs= github.com/containers/common v0.35.4/go.mod h1:rMzxgD7nMGw++cEbsp+NZv0UJO4rgXbm7F7IbJPTwIE= -github.com/containers/common v0.36.0 h1:7/0GM3oi2ROmKAg/8pDWJ8BU2BXdbmy7Gk2/SFCTV38= -github.com/containers/common v0.36.0/go.mod h1:rMzxgD7nMGw++cEbsp+NZv0UJO4rgXbm7F7IbJPTwIE= +github.com/containers/common v0.37.0 h1:RRyR8FITTJXfrF7J9KXKSplywY4zsXoA2kuQXMaUaNo= +github.com/containers/common v0.37.0/go.mod h1:dgbJcccCPTmncqxhma56+XW+6d5VzqGF6jtkMHyu3v0= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/image/v5 v5.10.5/go.mod h1:SgIbWEedCNBbn2FI5cH0/jed1Ecy2s8XK5zTxvJTzII= diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 041fa13e7..80c00a622 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -1313,7 +1313,7 @@ func (c *Container) stop(timeout uint) error { } // We have to check stopErr *after* we lock again - otherwise, we have a - // change of panicing on a double-unlock. Ref: GH Issue 9615 + // change of panicking on a double-unlock. Ref: GH Issue 9615 if stopErr != nil { return stopErr } @@ -1676,7 +1676,7 @@ func (c *Container) chownVolume(volumeName string) error { // TODO: For now, I've disabled chowning volumes owned by non-Podman // drivers. This may be safe, but it's really going to be a case-by-case - // thing, I think - safest to leave disabled now and reenable later if + // thing, I think - safest to leave disabled now and re-enable later if // there is a demand. if vol.state.NeedsChown && !vol.UsesVolumeDriver() { vol.state.NeedsChown = false diff --git a/libpod/define/fileinfo.go b/libpod/define/fileinfo.go index 2c7b6fe99..eec99e300 100644 --- a/libpod/define/fileinfo.go +++ b/libpod/define/fileinfo.go @@ -5,7 +5,7 @@ import ( "time" ) -// FileInfo describes the attributes of a file or diretory. +// FileInfo describes the attributes of a file or directory. type FileInfo struct { Name string `json:"name"` Size int64 `json:"size"` diff --git a/libpod/image/utils.go b/libpod/image/utils.go index 0b4264112..dfe35c017 100644 --- a/libpod/image/utils.go +++ b/libpod/image/utils.go @@ -50,7 +50,7 @@ func findImageInRepotags(search imageParts, images []*Image) (*storage.Image, er // If more then one candidate and the candidates all have same name // and only one is read/write return it. - // Othewise return error with the list of candidates + // Otherwise return error with the list of candidates if len(candidates) > 1 { var ( rwImage *Image diff --git a/libpod/shutdown/handler.go b/libpod/shutdown/handler.go index ac1d33910..848b6729a 100644 --- a/libpod/shutdown/handler.go +++ b/libpod/shutdown/handler.go @@ -18,7 +18,7 @@ var ( stopped bool sigChan chan os.Signal cancelChan chan bool - // Syncronize accesses to the map + // Synchronize accesses to the map handlerLock sync.Mutex // Definitions of all on-shutdown handlers handlers map[string]func(os.Signal) error diff --git a/pkg/api/handlers/utils/containers.go b/pkg/api/handlers/utils/containers.go index 91e02abf1..c4c9cc2ea 100644 --- a/pkg/api/handlers/utils/containers.go +++ b/pkg/api/handlers/utils/containers.go @@ -76,7 +76,7 @@ func WaitContainerDocker(w http.ResponseWriter, r *http.Request) { exitCode, err := waitDockerCondition(ctx, name, interval, condition) msg := "" if err != nil { - logrus.Errorf("error while waiting on condtion: %q", err) + logrus.Errorf("error while waiting on condition: %q", err) msg = err.Error() } responseData := handlers.ContainerWaitOKBody{ diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go index 4a13a8029..6ddd4a042 100644 --- a/pkg/domain/infra/abi/play.go +++ b/pkg/domain/infra/abi/play.go @@ -428,7 +428,7 @@ func readConfigMapFromFile(r io.Reader) (v1.ConfigMap, error) { return cm, nil } -// splitMultiDocYAML reads mutiple documents in a YAML file and +// splitMultiDocYAML reads multiple documents in a YAML file and // returns them as a list. func splitMultiDocYAML(yamlContent []byte) ([][]byte, error) { var documentList [][]byte @@ -471,7 +471,7 @@ func getKubeKind(obj []byte) (string, error) { } // sortKubeKinds adds the correct creation order for the kube kinds. -// Any pod dependecy will be created first like volumes, secrets, etc. +// Any pod dependency will be created first like volumes, secrets, etc. func sortKubeKinds(documentList [][]byte) ([][]byte, error) { var sortedDocumentList [][]byte diff --git a/pkg/machine/pull.go b/pkg/machine/pull.go index 41abe6993..d9f34057f 100644 --- a/pkg/machine/pull.go +++ b/pkg/machine/pull.go @@ -170,7 +170,7 @@ func Decompress(localPath, uncompressedPath string) error { // Will error out if file without .xz already exists // Maybe extracting then renameing is a good idea here.. -// depends on xz: not pre-installed on mac, so it becomes a brew dependecy +// depends on xz: not pre-installed on mac, so it becomes a brew dependency func decompressXZ(src string, output io.Writer) error { fmt.Println("Extracting compressed file") cmd := exec.Command("xzcat", "-k", src) diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go index 7aeec9d41..1347ed1e0 100644 --- a/pkg/specgen/generate/kube/kube.go +++ b/pkg/specgen/generate/kube/kube.go @@ -56,7 +56,7 @@ func ToPodGen(ctx context.Context, podName string, podYAML *v1.PodTemplateSpec) } p.DNSServer = servers } - // search domans + // search domains if domains := dnsConfig.Searches; len(domains) > 0 { p.DNSSearch = domains } diff --git a/pkg/systemd/generate/common_test.go b/pkg/systemd/generate/common_test.go index 30e758127..fdcc9d21b 100644 --- a/pkg/systemd/generate/common_test.go +++ b/pkg/systemd/generate/common_test.go @@ -199,8 +199,8 @@ func TestEscapeSystemdArguments(t *testing.T) { []string{"foo", `"command with backslash \\"`}, }, { - []string{"foo", `command with two backslashs \\`}, - []string{"foo", `"command with two backslashs \\\\"`}, + []string{"foo", `command with two backslashes \\`}, + []string{"foo", `"command with two backslashes \\\\"`}, }, } diff --git a/pkg/util/filters.go b/pkg/util/filters.go index 43bf646f1..e252c1ddf 100644 --- a/pkg/util/filters.go +++ b/pkg/util/filters.go @@ -94,7 +94,7 @@ func PrepareFilters(r *http.Request) (*map[string][]string, error) { return &filterMap, nil } -// MatchLabelFilters matches labels and returs true if they are valid +// MatchLabelFilters matches labels and returns true if they are valid func MatchLabelFilters(filterValues []string, labels map[string]string) bool { outer: for _, filterValue := range filterValues { diff --git a/test/apiv2/rest_api/test_rest_v2_0_0.py b/test/apiv2/rest_api/test_rest_v2_0_0.py index bf0ee0603..3b089e2f2 100644 --- a/test/apiv2/rest_api/test_rest_v2_0_0.py +++ b/test/apiv2/rest_api/test_rest_v2_0_0.py @@ -378,7 +378,7 @@ class TestApi(unittest.TestCase): self.assertEqual(r.status_code, 200, r.text) objs = json.loads(r.text) self.assertIn(type(objs), (list,)) - # There should be only one offical image + # There should be only one official image self.assertEqual(len(objs), 1) def do_search4(): diff --git a/test/system/050-stop.bats b/test/system/050-stop.bats index a9495e350..2ed791429 100644 --- a/test/system/050-stop.bats +++ b/test/system/050-stop.bats @@ -114,7 +114,7 @@ load helpers @test "podman stop - unlock while waiting for timeout" { # Test that the container state transitions to "stopping" and that other # commands can get the container's lock. To do that, run a container that - # ingores SIGTERM such that the Podman would wait 20 seconds for the stop + # ignores SIGTERM such that the Podman would wait 20 seconds for the stop # to finish. This gives us enough time to try some commands and inspect # the container's status. diff --git a/test/system/070-build.bats b/test/system/070-build.bats index d4017ae01..6ae78de2e 100644 --- a/test/system/070-build.bats +++ b/test/system/070-build.bats @@ -354,7 +354,7 @@ Cmd[1] | $s_echo WorkingDir | $workdir Labels.$label_name | $label_value " - # FIXME: 2021-02-24: Fixed in buildah #3036; reenable this once podman + # FIXME: 2021-02-24: Fixed in buildah #3036; re-enable this once podman # vendors in a newer buildah! # Labels.\"io.buildah.version\" | $buildah_version diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats new file mode 100644 index 000000000..2dc5b078f --- /dev/null +++ b/test/system/170-run-userns.bats @@ -0,0 +1,45 @@ +#!/usr/bin/env bats -*- bats -*- +# shellcheck disable=SC2096 +# +# Tests for podman build +# + +load helpers + +@test "podman --group-add keep-groups while in a userns" { + skip_if_rootless "choot is not allowed in rootless mode" + skip_if_remote "--group-add keep-groups not supported in remote mode" + run chroot --groups 1234 / ${PODMAN} run --uidmap 0:200000:5000 --group-add keep-groups $IMAGE id + is "$output" ".*65534(nobody)" "Check group leaked into user namespace" +} + +@test "podman --group-add keep-groups while not in a userns" { + skip_if_rootless "choot is not allowed in rootless mode" + skip_if_remote "--group-add keep-groups not supported in remote mode" + run chroot --groups 1234,5678 / ${PODMAN} run --group-add keep-groups $IMAGE id + is "$output" ".*1234" "Check group leaked into container" +} + +@test "podman --group-add without keep-groups while in a userns" { + skip_if_rootless "choot is not allowed in rootless mode" + skip_if_remote "--group-add keep-groups not supported in remote mode" + run chroot --groups 1234,5678 / ${PODMAN} run --uidmap 0:200000:5000 --group-add 457 $IMAGE id + is "$output" ".*457" "Check group leaked into container" +} + +@test "podman --remote --group-add keep-groups " { + if is_remote; then + run_podman 125 run --group-add keep-groups $IMAGE id + is "$output" ".*not supported in remote mode" "Remote check --group-add keep-groups" + fi +} + +@test "podman --group-add without keep-groups " { + run_podman run --group-add 457 $IMAGE id + is "$output" ".*457" "Check group leaked into container" +} + +@test "podman --group-add keep-groups plus added groups " { + run_podman 125 run --group-add keep-groups --group-add 457 $IMAGE id + is "$output" ".*the '--group-add keep-groups' option is not allowed with any other --group-add options" "Check group leaked into container" +} diff --git a/vendor/github.com/containers/common/pkg/auth/auth.go b/vendor/github.com/containers/common/pkg/auth/auth.go index 88028d9f8..a9ad60f43 100644 --- a/vendor/github.com/containers/common/pkg/auth/auth.go +++ b/vendor/github.com/containers/common/pkg/auth/auth.go @@ -5,6 +5,7 @@ import ( "context" "fmt" "os" + "path/filepath" "strings" "github.com/containers/image/v5/docker" @@ -13,18 +14,20 @@ import ( "github.com/containers/image/v5/types" "github.com/pkg/errors" "github.com/sirupsen/logrus" - "golang.org/x/crypto/ssh/terminal" + terminal "golang.org/x/term" ) // GetDefaultAuthFile returns env value REGISTRY_AUTH_FILE as default // --authfile path used in multiple --authfile flag definitions // Will fail over to DOCKER_CONFIG if REGISTRY_AUTH_FILE environment is not set func GetDefaultAuthFile() string { - authfile := os.Getenv("REGISTRY_AUTH_FILE") - if authfile == "" { - authfile = os.Getenv("DOCKER_CONFIG") + if authfile := os.Getenv("REGISTRY_AUTH_FILE"); authfile != "" { + return authfile + } + if auth_env := os.Getenv("DOCKER_CONFIG"); auth_env != "" { + return filepath.Join(auth_env, "config.json") } - return authfile + return "" } // CheckAuthFile validates filepath given by --authfile @@ -34,7 +37,7 @@ func CheckAuthFile(authfile string) error { return nil } if _, err := os.Stat(authfile); err != nil { - return errors.Wrapf(err, "error checking authfile path %s", authfile) + return errors.Wrap(err, "checking authfile") } return nil } @@ -70,11 +73,11 @@ func Login(ctx context.Context, systemContext *types.SystemContext, opts *LoginO err error ) if len(args) > 1 { - return errors.Errorf("login accepts only one registry to login to") + return errors.New("login accepts only one registry to login to") } if len(args) == 0 { if !opts.AcceptUnspecifiedRegistry { - return errors.Errorf("please provide a registry to login to") + return errors.New("please provide a registry to login to") } if server, err = defaultRegistryWhenUnspecified(systemContext); err != nil { return err @@ -85,7 +88,7 @@ func Login(ctx context.Context, systemContext *types.SystemContext, opts *LoginO } authConfig, err := config.GetCredentials(systemContext, server) if err != nil { - return errors.Wrapf(err, "error reading auth file") + return errors.Wrap(err, "reading auth file") } if opts.GetLoginSet { if authConfig.Username == "" { @@ -95,17 +98,17 @@ func Login(ctx context.Context, systemContext *types.SystemContext, opts *LoginO return nil } if authConfig.IdentityToken != "" { - return errors.Errorf("currently logged in, auth file contains an Identity token") + return errors.New("currently logged in, auth file contains an Identity token") } password := opts.Password if opts.StdinPassword { var stdinPasswordStrBuilder strings.Builder if opts.Password != "" { - return errors.Errorf("Can't specify both --password-stdin and --password") + return errors.New("Can't specify both --password-stdin and --password") } if opts.Username == "" { - return errors.Errorf("Must provide --username with --password-stdin") + return errors.New("Must provide --username with --password-stdin") } scanner := bufio.NewScanner(opts.Stdin) for scanner.Scan() { @@ -126,7 +129,7 @@ func Login(ctx context.Context, systemContext *types.SystemContext, opts *LoginO username, password, err := getUserAndPass(opts, password, authConfig.Username) if err != nil { - return errors.Wrapf(err, "error getting username and password") + return errors.Wrap(err, "getting username and password") } if err = docker.CheckAuth(ctx, systemContext, username, password, server); err == nil { @@ -143,7 +146,7 @@ func Login(ctx context.Context, systemContext *types.SystemContext, opts *LoginO logrus.Debugf("error logging into %q: %v", server, unauthorized) return errors.Errorf("error logging into %q: invalid username/password", server) } - return errors.Wrapf(err, "error authenticating creds for %q", server) + return errors.Wrapf(err, "authenticating creds for %q", server) } // getRegistryName scrubs and parses the input to get the server name @@ -172,7 +175,7 @@ func getUserAndPass(opts *LoginOptions, password, userFromAuthFile string) (user } username, err = reader.ReadString('\n') if err != nil { - return "", "", errors.Wrapf(err, "error reading username") + return "", "", errors.Wrap(err, "reading username") } // If the user just hit enter, use the displayed user from the // the authentication file. This allows to do a lazy @@ -186,7 +189,7 @@ func getUserAndPass(opts *LoginOptions, password, userFromAuthFile string) (user fmt.Fprint(opts.Stdout, "Password: ") pass, err := terminal.ReadPassword(0) if err != nil { - return "", "", errors.Wrapf(err, "error reading password") + return "", "", errors.Wrap(err, "reading password") } password = string(pass) fmt.Fprintln(opts.Stdout) @@ -206,11 +209,11 @@ func Logout(systemContext *types.SystemContext, opts *LogoutOptions, args []stri err error ) if len(args) > 1 { - return errors.Errorf("logout accepts only one registry to logout from") + return errors.New("logout accepts only one registry to logout from") } if len(args) == 0 && !opts.All { if !opts.AcceptUnspecifiedRegistry { - return errors.Errorf("please provide a registry to logout from") + return errors.New("please provide a registry to logout from") } if server, err = defaultRegistryWhenUnspecified(systemContext); err != nil { return err @@ -219,7 +222,7 @@ func Logout(systemContext *types.SystemContext, opts *LogoutOptions, args []stri } if len(args) != 0 { if opts.All { - return errors.Errorf("--all takes no arguments") + return errors.New("--all takes no arguments") } server = getRegistryName(args[0]) } @@ -240,7 +243,7 @@ func Logout(systemContext *types.SystemContext, opts *LogoutOptions, args []stri case config.ErrNotLoggedIn: authConfig, err := config.GetCredentials(systemContext, server) if err != nil { - return errors.Wrapf(err, "error reading auth file") + return errors.Wrap(err, "reading auth file") } authInvalid := docker.CheckAuth(context.Background(), systemContext, authConfig.Username, authConfig.Password, server) if authConfig.Username != "" && authConfig.Password != "" && authInvalid == nil { @@ -249,7 +252,7 @@ func Logout(systemContext *types.SystemContext, opts *LogoutOptions, args []stri } return errors.Errorf("Not logged into %s\n", server) default: - return errors.Wrapf(err, "error logging out of %q", server) + return errors.Wrapf(err, "logging out of %q", server) } } @@ -258,10 +261,10 @@ func Logout(systemContext *types.SystemContext, opts *LogoutOptions, args []stri func defaultRegistryWhenUnspecified(systemContext *types.SystemContext) (string, error) { registriesFromFile, err := sysregistriesv2.UnqualifiedSearchRegistries(systemContext) if err != nil { - return "", errors.Wrapf(err, "error getting registry from registry.conf, please specify a registry") + return "", errors.Wrap(err, "getting registry from registry.conf, please specify a registry") } if len(registriesFromFile) == 0 { - return "", errors.Errorf("no registries found in registries.conf, a registry must be provided") + return "", errors.New("no registries found in registries.conf, a registry must be provided") } return registriesFromFile[0], nil } diff --git a/vendor/github.com/containers/common/pkg/chown/chown_unix.go b/vendor/github.com/containers/common/pkg/chown/chown_unix.go index 82342f6af..921927de4 100644 --- a/vendor/github.com/containers/common/pkg/chown/chown_unix.go +++ b/vendor/github.com/containers/common/pkg/chown/chown_unix.go @@ -16,7 +16,7 @@ func ChangeHostPathOwnership(path string, recursive bool, uid, gid int) error { // Validate if host path can be chowned isDangerous, err := DangerousHostPath(path) if err != nil { - return errors.Wrapf(err, "failed to validate if host path is dangerous") + return errors.Wrap(err, "failed to validate if host path is dangerous") } if isDangerous { @@ -42,13 +42,13 @@ func ChangeHostPathOwnership(path string, recursive bool, uid, gid int) error { }) if err != nil { - return errors.Wrapf(err, "failed to chown recursively host path") + return errors.Wrap(err, "failed to chown recursively host path") } } else { // Get host path info f, err := os.Lstat(path) if err != nil { - return errors.Wrapf(err, "failed to get host path information") + return errors.Wrap(err, "failed to get host path information") } // Get current ownership @@ -57,7 +57,7 @@ func ChangeHostPathOwnership(path string, recursive bool, uid, gid int) error { if uid != currentUID || gid != currentGID { if err := os.Lchown(path, uid, gid); err != nil { - return errors.Wrapf(err, "failed to chown host path") + return errors.Wrap(err, "failed to chown host path") } } } diff --git a/vendor/github.com/containers/common/pkg/chown/chown_windows.go b/vendor/github.com/containers/common/pkg/chown/chown_windows.go index ad6039a90..0c4b8e1b5 100644 --- a/vendor/github.com/containers/common/pkg/chown/chown_windows.go +++ b/vendor/github.com/containers/common/pkg/chown/chown_windows.go @@ -7,5 +7,5 @@ import ( // ChangeHostPathOwnership changes the uid and gid ownership of a directory or file within the host. // This is used by the volume U flag to change source volumes ownership func ChangeHostPathOwnership(path string, recursive bool, uid, gid int) error { - return errors.Errorf("windows not supported") + return errors.New("windows not supported") } diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go index 4a98c7e92..1629bea29 100644 --- a/vendor/github.com/containers/common/pkg/config/config.go +++ b/vendor/github.com/containers/common/pkg/config/config.go @@ -465,16 +465,17 @@ func NewConfig(userConfigPath string) (*Config, error) { // Now, gather the system configs and merge them as needed. configs, err := systemConfigs() if err != nil { - return nil, errors.Wrapf(err, "error finding config on system") + return nil, errors.Wrap(err, "finding config on system") } for _, path := range configs { // Merge changes in later configs with the previous configs. // Each config file that specified fields, will override the // previous fields. if err = readConfigFromFile(path, config); err != nil { - return nil, errors.Wrapf(err, "error reading system config %q", path) + return nil, errors.Wrapf(err, "reading system config %q", path) } - logrus.Debugf("Merged system config %q: %+v", path, config) + logrus.Debugf("Merged system config %q", path) + logrus.Tracef("%+v", config) } // If the caller specified a config path to use, then we read it to @@ -484,9 +485,10 @@ func NewConfig(userConfigPath string) (*Config, error) { // readConfigFromFile reads in container config in the specified // file and then merge changes with the current default. if err = readConfigFromFile(userConfigPath, config); err != nil { - return nil, errors.Wrapf(err, "error reading user config %q", userConfigPath) + return nil, errors.Wrapf(err, "reading user config %q", userConfigPath) } - logrus.Debugf("Merged user config %q: %+v", userConfigPath, config) + logrus.Debugf("Merged user config %q", userConfigPath) + logrus.Tracef("%+v", config) } config.addCAPPrefix() @@ -502,9 +504,9 @@ func NewConfig(userConfigPath string) (*Config, error) { // default config. If the path, only specifies a few fields in the Toml file // the defaults from the config parameter will be used for all other fields. func readConfigFromFile(path string, config *Config) error { - logrus.Debugf("Reading configuration file %q", path) + logrus.Tracef("Reading configuration file %q", path) if _, err := toml.DecodeFile(path, config); err != nil { - return errors.Wrapf(err, "unable to decode configuration %v", path) + return errors.Wrapf(err, "decode configuration %v", path) } return nil } @@ -517,7 +519,7 @@ func systemConfigs() ([]string, error) { path := os.Getenv("CONTAINERS_CONF") if path != "" { if _, err := os.Stat(path); err != nil { - return nil, errors.Wrapf(err, "failed to stat of %s from CONTAINERS_CONF environment variable", path) + return nil, errors.Wrap(err, "CONTAINERS_CONF file") } return append(configs, path), nil } @@ -554,7 +556,7 @@ func (c *Config) CheckCgroupsAndAdjustConfig() { hasSession = err == nil } - if !hasSession { + if !hasSession && unshare.GetRootlessUID() != 0 { logrus.Warningf("The cgroupv2 manager is set to systemd but there is no systemd user session available") logrus.Warningf("For using systemd, you may need to login using an user session") logrus.Warningf("Alternatively, you can enable lingering with: `loginctl enable-linger %d` (possibly as root)", unshare.GetRootlessUID()) @@ -579,7 +581,7 @@ func (c *Config) addCAPPrefix() { func (c *Config) Validate() error { if err := c.Containers.Validate(); err != nil { - return errors.Wrapf(err, " error validating containers config") + return errors.Wrap(err, "validating containers config") } if !c.Containers.EnableLabeling { @@ -587,11 +589,11 @@ func (c *Config) Validate() error { } if err := c.Engine.Validate(); err != nil { - return errors.Wrapf(err, "error validating engine configs") + return errors.Wrap(err, "validating engine configs") } if err := c.Network.Validate(); err != nil { - return errors.Wrapf(err, "error validating network configs") + return errors.Wrap(err, "validating network configs") } return nil @@ -606,7 +608,7 @@ func (c *EngineConfig) findRuntime() string { } } if path, err := exec.LookPath(name); err == nil { - logrus.Warningf("Found default OCIruntime %s path which is missing from [engine.runtimes] in containers.conf", path) + logrus.Debugf("Found default OCI runtime %s path via PATH environment variable", path) return name } } @@ -1001,7 +1003,7 @@ func (c *Config) Write() error { } configFile, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0600) if err != nil { - return errors.Wrapf(err, "cannot open %s", path) + return err } defer configFile.Close() enc := toml.NewEncoder(configFile) diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go index 4c55af5c1..72744bb12 100644 --- a/vendor/github.com/containers/common/pkg/config/default.go +++ b/vendor/github.com/containers/common/pkg/config/default.go @@ -331,10 +331,10 @@ func defaultTmpDir() (string, error) { if err := os.Mkdir(libpodRuntimeDir, 0700|os.ModeSticky); err != nil { if !os.IsExist(err) { - return "", errors.Wrapf(err, "cannot mkdir %s", libpodRuntimeDir) + return "", err } else if err := os.Chmod(libpodRuntimeDir, 0700|os.ModeSticky); err != nil { // The directory already exist, just set the sticky bit - return "", errors.Wrapf(err, "could not set sticky bit on %s", libpodRuntimeDir) + return "", errors.Wrap(err, "set sticky bit on") } } return filepath.Join(libpodRuntimeDir, "tmp"), nil diff --git a/vendor/github.com/containers/common/pkg/config/util_supported.go b/vendor/github.com/containers/common/pkg/config/util_supported.go index 326e7973a..417e3a375 100644 --- a/vendor/github.com/containers/common/pkg/config/util_supported.go +++ b/vendor/github.com/containers/common/pkg/config/util_supported.go @@ -40,7 +40,7 @@ func getRuntimeDir() (string, error) { if runtimeDir == "" { tmpDir := filepath.Join("/run", "user", uid) if err := os.MkdirAll(tmpDir, 0700); err != nil { - logrus.Debugf("unable to make temp dir %s", tmpDir) + logrus.Debugf("unable to make temp dir: %v", err) } st, err := os.Stat(tmpDir) if err == nil && int(st.Sys().(*syscall.Stat_t).Uid) == os.Geteuid() && st.Mode().Perm() == 0700 { @@ -50,7 +50,7 @@ func getRuntimeDir() (string, error) { if runtimeDir == "" { tmpDir := filepath.Join(os.TempDir(), fmt.Sprintf("run-%s", uid)) if err := os.MkdirAll(tmpDir, 0700); err != nil { - logrus.Debugf("unable to make temp dir %s", tmpDir) + logrus.Debugf("unable to make temp dir %v", err) } st, err := os.Stat(tmpDir) if err == nil && int(st.Sys().(*syscall.Stat_t).Uid) == os.Geteuid() && st.Mode().Perm() == 0700 { @@ -65,7 +65,7 @@ func getRuntimeDir() (string, error) { } resolvedHome, err := filepath.EvalSymlinks(home) if err != nil { - rootlessRuntimeDirError = errors.Wrapf(err, "cannot resolve %s", home) + rootlessRuntimeDirError = errors.Wrap(err, "cannot resolve home") return } runtimeDir = filepath.Join(resolvedHome, "rundir") diff --git a/vendor/github.com/containers/common/pkg/parse/parse.go b/vendor/github.com/containers/common/pkg/parse/parse.go index 882953309..1a25957d6 100644 --- a/vendor/github.com/containers/common/pkg/parse/parse.go +++ b/vendor/github.com/containers/common/pkg/parse/parse.go @@ -138,11 +138,11 @@ func isValidDeviceMode(mode string) bool { // ValidateVolumeHostDir validates a volume mount's source directory func ValidateVolumeHostDir(hostDir string) error { if hostDir == "" { - return errors.Errorf("host directory cannot be empty") + return errors.New("host directory cannot be empty") } if filepath.IsAbs(hostDir) { if _, err := os.Stat(hostDir); err != nil { - return errors.Wrapf(err, "error checking path %q", hostDir) + return err } } // If hostDir is not an absolute path, that means the user wants to create a @@ -153,7 +153,7 @@ func ValidateVolumeHostDir(hostDir string) error { // ValidateVolumeCtrDir validates a volume mount's destination directory. func ValidateVolumeCtrDir(ctrDir string) error { if ctrDir == "" { - return errors.Errorf("container directory cannot be empty") + return errors.New("container directory cannot be empty") } if !filepath.IsAbs(ctrDir) { return errors.Errorf("invalid container path %q, must be an absolute path", ctrDir) diff --git a/vendor/github.com/containers/common/pkg/parse/parse_unix.go b/vendor/github.com/containers/common/pkg/parse/parse_unix.go index c07471c93..ce4446a1b 100644 --- a/vendor/github.com/containers/common/pkg/parse/parse_unix.go +++ b/vendor/github.com/containers/common/pkg/parse/parse_unix.go @@ -22,7 +22,7 @@ func DeviceFromPath(device string) ([]devices.Device, error) { } srcInfo, err := os.Stat(src) if err != nil { - return nil, errors.Wrapf(err, "error getting info of source device %s", src) + return nil, err } if !srcInfo.IsDir() { diff --git a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go index 24077778e..f86f3e2ba 100644 --- a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go +++ b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go @@ -299,6 +299,7 @@ func DefaultProfile() *Seccomp { "sendmmsg", "sendmsg", "sendto", + "setns", "set_robust_list", "set_thread_area", "set_tid_address", diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json index 48420905c..8d799fd02 100644 --- a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json +++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json @@ -303,6 +303,7 @@ "sendmmsg", "sendmsg", "sendto", + "setns", "set_robust_list", "set_thread_area", "set_tid_address", diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go index 6aa66b0c8..4b7253b31 100644 --- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go +++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go @@ -225,7 +225,7 @@ func addSubscriptionsFromMountsFile(filePath, mountLabel, containerWorkingDir st logrus.Warnf("Path %q from %q doesn't exist, skipping", hostDirOrFile, filePath) continue } - return nil, errors.Wrapf(err, "failed to stat %q", hostDirOrFile) + return nil, err } ctrDirOrFileOnHost := filepath.Join(containerWorkingDir, ctrDirOrFile) @@ -246,11 +246,11 @@ func addSubscriptionsFromMountsFile(filePath, mountLabel, containerWorkingDir st switch mode := fileInfo.Mode(); { case mode.IsDir(): if err = os.MkdirAll(ctrDirOrFileOnHost, mode.Perm()); err != nil { - return nil, errors.Wrapf(err, "making container directory %q failed", ctrDirOrFileOnHost) + return nil, errors.Wrap(err, "making container directory") } data, err := getHostSubscriptionData(hostDirOrFile, mode.Perm()) if err != nil { - return nil, errors.Wrapf(err, "getting host subscription data failed") + return nil, errors.Wrap(err, "getting host subscription data") } for _, s := range data { if err := s.saveTo(ctrDirOrFileOnHost); err != nil { @@ -260,7 +260,7 @@ func addSubscriptionsFromMountsFile(filePath, mountLabel, containerWorkingDir st case mode.IsRegular(): data, err := readFileOrDir("", hostDirOrFile, mode.Perm()) if err != nil { - return nil, errors.Wrapf(err, "error reading file %q", hostDirOrFile) + return nil, err } for _, s := range data { @@ -268,7 +268,7 @@ func addSubscriptionsFromMountsFile(filePath, mountLabel, containerWorkingDir st return nil, err } if err := ioutil.WriteFile(ctrDirOrFileOnHost, s.data, s.mode); err != nil { - return nil, errors.Wrapf(err, "error saving data to container filesystem on host %q", ctrDirOrFileOnHost) + return nil, errors.Wrap(err, "saving data to container filesystem") } } default: @@ -285,7 +285,7 @@ func addSubscriptionsFromMountsFile(filePath, mountLabel, containerWorkingDir st } } } else if err != nil { - return nil, errors.Wrapf(err, "error getting status of %q", ctrDirOrFileOnHost) + return nil, err } m := rspec.Mount{ @@ -309,10 +309,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerWorkingDir, mountPo ctrDirOnHost := filepath.Join(containerWorkingDir, subscriptionsDir) if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) { if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil { //nolint - return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost) + return err } if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil { - return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost) + return errors.Wrapf(err, "applying correct labels on %q", ctrDirOnHost) } } fipsFile := filepath.Join(ctrDirOnHost, "system-fips") @@ -320,7 +320,7 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerWorkingDir, mountPo if _, err := os.Stat(fipsFile); os.IsNotExist(err) { file, err := os.Create(fipsFile) if err != nil { - return errors.Wrapf(err, "error creating system-fips file in container for FIPS mode") + return errors.Wrap(err, "creating system-fips file in container for FIPS mode") } defer file.Close() } @@ -342,7 +342,7 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerWorkingDir, mountPo if os.IsNotExist(err) { return nil } - return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost) + return errors.Wrap(err, "FIPS Backend directory") } if !mountExists(*mounts, destDir) { diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go index 67f454c9a..d9e7ffec7 100644 --- a/vendor/github.com/containers/common/version/version.go +++ b/vendor/github.com/containers/common/version/version.go @@ -1,4 +1,4 @@ package version // Version is the version of the build. -const Version = "0.36.0" +const Version = "0.37.0" diff --git a/vendor/modules.txt b/vendor/modules.txt index f647ea8f2..77dcb9744 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -93,7 +93,7 @@ github.com/containers/buildah/pkg/parse github.com/containers/buildah/pkg/rusage github.com/containers/buildah/pkg/supplemented github.com/containers/buildah/util -# github.com/containers/common v0.36.0 +# github.com/containers/common v0.37.0 github.com/containers/common/pkg/apparmor github.com/containers/common/pkg/apparmor/internal/supported github.com/containers/common/pkg/auth |