diff options
31 files changed, 1001 insertions, 26 deletions
diff --git a/.github/workflows/multi-arch-build.yaml b/.github/workflows/multi-arch-build.yaml new file mode 100644 index 000000000..e4ab88544 --- /dev/null +++ b/.github/workflows/multi-arch-build.yaml @@ -0,0 +1,199 @@ +name: build multi-arch images + +on: + # Upstream podman tends to be very active, with many merges per day. + # Only run this daily via cron schedule, or manually, not by branch push. + schedule: + - cron: '0 8 * * *' + # allows to run this workflow manually from the Actions tab + workflow_dispatch: + +jobs: + multi: + name: multi-arch Podman build + env: + PODMAN_QUAY_REGISTRY: quay.io/podman + CONTAINERS_QUAY_REGISTRY: quay.io/containers + # list of architectures for build + PLATFORMS: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 + + # build several images (upstream, testing, stable) in parallel + strategy: + matrix: + # Builds are located under contrib/podmanimage/<source> directory + source: + - upstream + - testing + - stable + runs-on: ubuntu-latest + # internal registry caches build for inspection before push + services: + registry: + image: quay.io/libpod/registry:2 + ports: + - 5000:5000 + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + with: + driver-opts: network=host + install: true + + - name: Build and locally push Podman + uses: docker/build-push-action@v2 + with: + context: contrib/podmanimage/${{ matrix.source }} + file: ./contrib/podmanimage/${{ matrix.source }}/Dockerfile + platforms: ${{ env.PLATFORMS }} + push: true + tags: localhost:5000/podman/${{ matrix.source }} + + # Simple verification that container works + grab version number + - name: amd64 container sniff test + id: sniff_test + run: | + VERSION_OUTPUT="$(docker run localhost:5000/podman/${{ matrix.source }} \ + podman --storage-driver=vfs version)" + echo "$VERSION_OUTPUT" + VERSION=$(grep -Em1 '^Version: ' <<<"$VERSION_OUTPUT" | awk '{print $2}') + test -n "$VERSION" + echo "::set-output name=version::${VERSION}" + + # Generate image FQINs, labels, check whether to push + - name: Generate image information + id: image_info + run: | + VERSION='v${{ steps.sniff_test.outputs.version }}' + # workaround vim syntax-hilighting bug: ' + if [[ "${{ matrix.source }}" == 'stable' ]]; then + # quay.io/podman/stable:vX.X.X + ALLTAGS=$(skopeo list-tags \ + docker://$PODMAN_QUAY_REGISTRY/stable | \ + jq -r '.Tags[]') + PUSH="false" + if ! fgrep -qx "$VERSION" <<<"$ALLTAGS"; then + PUSH="true" + fi + + FQIN="$PODMAN_QUAY_REGISTRY/stable:$VERSION" + # Only push if version tag does not exist + if [[ "$PUSH" == "true" ]]; then + echo "Will push $FQIN" + echo "::set-output name=podman_push::true" + echo "::set-output name=podman_fqin::${FQIN}" + else + echo "Not pushing, $FQIN already exists." + fi + + # quay.io/containers/podman:vX.X.X + unset ALLTAGS + ALLTAGS=$(skopeo list-tags \ + docker://$CONTAINERS_QUAY_REGISTRY/podman | \ + jq -r '.Tags[]') + PUSH="false" + if ! fgrep -qx "$VERSION" <<<"$ALLTAGS"; then + PUSH="true" + fi + + FQIN="$CONTAINERS_QUAY_REGISTRY/podman:$VERSION" + # Only push if version tag does not exist + if [[ "$PUSH" == "true" ]]; then + echo "Will push $FQIN" + echo "::set-output name=containers_push::true" + echo "::set-output name=containers_fqin::$FQIN" + else + echo "Not pushing, $FQIN already exists." + fi + elif [[ "${{ matrix.source }}" == 'testing' ]]; then + P_FQIN="$PODMAN_QUAY_REGISTRY/testing:master" + echo "Will push $P_FQIN" + echo "::set-output name=podman_fqin::${P_FQIN}" + echo '::set-output name=podman_push::true' + elif [[ "${{ matrix.source }}" == 'upstream' ]]; then + P_FQIN="$PODMAN_QUAY_REGISTRY/upstream:master" + C_FQIN="$CONTAINERS_QUAY_REGISTRY/podman:master" + echo "Will push $P_FQIN and $C_FQIN" + echo "::set-output name=podman_fqin::${P_FQIN}" + echo "::set-output name=containers_fqin::${C_FQIN}" + # Always push 'master' tag + echo '::set-output name=podman_push::true' + echo '::set-output name=containers_push::true' + else + echo "::error ::Unknown matrix value ${{ matrix.source }}" + exit 1 + fi + + - name: Define LABELS multi-line env. var. value + run: | + # This is a really hacky/strange workflow idiom, required + # for setting multi-line $LABELS value for consumption in + # a future step. + # https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#multiline-strings + cat << EOF | tee -a $GITHUB_ENV + LABELS<<DELIMITER + org.opencontainers.image.source=https://github.com/${{ github.repository }}.git + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.created=$(date -u --iso-8601=seconds) + DELIMITER + EOF + + # Separate steps to login and push for podman and containers quay + # repositories are required, because 2 sets of credentials are used and `docker + # login` as well as `podman login` do not support having 2 different + # credential sets for 1 registry. + # At the same time reuse of non-shell steps is not supported by Github Actions + # via anchors or composite actions + + # Push to 'podman' Quay repo for stable, testing. and upstream + - name: Login to 'podman' Quay registry + uses: docker/login-action@v1 + if: ${{ steps.image_info.outputs.podman_push == 'true' }} + with: + registry: ${{ env.PODMAN_QUAY_REGISTRY }} + # N/B: Secrets are not passed to workflows that are triggered + # by a pull request from a fork + username: ${{ secrets.PODMAN_QUAY_USERNAME }} + password: ${{ secrets.PODMAN_QUAY_PASSWORD }} + + - name: Push images to 'podman' Quay + uses: docker/build-push-action@v2 + if: ${{ steps.image_info.outputs.podman_push == 'true' }} + with: + cache-from: type=registry,ref=localhost:5000/podman/${{ matrix.source }} + cache-to: type=inline + context: contrib/podmanimage/${{ matrix.source }} + file: ./contrib/podmanimage/${{ matrix.source }}/Dockerfile + platforms: ${{ env.PLATFORMS }} + push: true + tags: ${{ steps.image_info.outputs.podman_fqin }} + labels: | + ${{ env.LABELS }} + + # Push to 'containers' Quay repo only stable podman + - name: Login to 'containers' Quay registry + if: ${{ steps.image_info.outputs.containers_push == 'true' }} + uses: docker/login-action@v1 + with: + registry: ${{ env.CONTAINERS_QUAY_REGISTRY}} + username: ${{ secrets.CONTAINERS_QUAY_USERNAME }} + password: ${{ secrets.CONTAINERS_QUAY_PASSWORD }} + + - name: Push images to 'containers' Quay + if: ${{ steps.image_info.outputs.containers_push == 'true' }} + uses: docker/build-push-action@v2 + with: + cache-from: type=registry,ref=localhost:5000/podman/${{ matrix.source }} + cache-to: type=inline + context: contrib/podmanimage/${{ matrix.source }} + file: ./contrib/podmanimage/${{ matrix.source }}/Dockerfile + platforms: ${{ env.PLATFORMS }} + push: true + tags: ${{ steps.image_info.outputs.containers_fqin }} + labels: | + ${{ env.LABELS }} diff --git a/cmd/podman/common/create_opts.go b/cmd/podman/common/create_opts.go index 040dc6570..983b9e5ca 100644 --- a/cmd/podman/common/create_opts.go +++ b/cmd/podman/common/create_opts.go @@ -252,21 +252,24 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, cgroup return nil, nil, err } - netNS := specgen.Namespace{ - NSMode: nsmode.NSMode, - Value: nsmode.Value, + var netOpts map[string][]string + parts := strings.SplitN(string(cc.HostConfig.NetworkMode), ":", 2) + if len(parts) > 1 { + netOpts = make(map[string][]string) + netOpts[parts[0]] = strings.Split(parts[1], ",") } // network // Note: we cannot emulate compat exactly here. we only allow specifics of networks to be // defined when there is only one network. netInfo := entities.NetOptions{ - AddHosts: cc.HostConfig.ExtraHosts, - DNSOptions: cc.HostConfig.DNSOptions, - DNSSearch: cc.HostConfig.DNSSearch, - DNSServers: dns, - Network: netNS, - PublishPorts: specPorts, + AddHosts: cc.HostConfig.ExtraHosts, + DNSOptions: cc.HostConfig.DNSOptions, + DNSSearch: cc.HostConfig.DNSSearch, + DNSServers: dns, + Network: nsmode, + PublishPorts: specPorts, + NetworkOptions: netOpts, } // network names diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 1ea9d1ea6..229bb82f5 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -1365,6 +1365,7 @@ $ podman create --name container1 -t -i fedora bash $ podman create --name container2 -t -i fedora bash $ podman create --name container3 --requires container1,container2 -t -i fedora bash $ podman start --attach container3 +``` ### Configure keep supplemental groups for access to volume diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 3a2651f98..2e6d97a05 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -1719,6 +1719,7 @@ Multiple containers can be required. $ podman create --name container1 -t -i fedora bash $ podman create --name container2 -t -i fedora bash $ podman run --name container3 --requires container1,container2 -t -i fedora bash +``` ### Configure keep supplemental groups for access to volume @@ -8,6 +8,7 @@ require ( github.com/buger/goterm v0.0.0-20181115115552-c206103e1f37 github.com/checkpoint-restore/checkpointctl v0.0.0-20210301084134-a2024f5584e7 github.com/checkpoint-restore/go-criu v0.0.0-20190109184317-bdb7599cd87b + github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9 github.com/containernetworking/cni v0.8.1 github.com/containernetworking/plugins v0.9.1 github.com/containers/buildah v1.20.1-0.20210402144408-36a37402d0c8 @@ -120,6 +120,8 @@ github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9 h1:Kn0s9/APRtr5dk/83aXj97WX0+PYnJK9BO8g0Xclm0I= +github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9/go.mod h1:eQt66kIaJpUhCrjCtBFQGQxGLbAUl0OuuwjTH16ON4s= github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE= github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU= github.com/containerd/aufs v0.0.0-20210316121734-20793ff83c97/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU= diff --git a/libpod/container_config.go b/libpod/container_config.go index e6c3be1bd..d0572fbc2 100644 --- a/libpod/container_config.go +++ b/libpod/container_config.go @@ -366,4 +366,6 @@ type ContainerMiscConfig struct { Umask string `json:"umask,omitempty"` // PidFile is the file that saves the pid of the container process PidFile string `json:"pid_file,omitempty"` + // CDIDevices contains devices that use the CDI + CDIDevices []string `json:"cdiDevices,omitempty"` } diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index 1986f7438..f4762b5ff 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -20,6 +20,7 @@ import ( "time" metadata "github.com/checkpoint-restore/checkpointctl/lib" + cdi "github.com/container-orchestrated-devices/container-device-interface/pkg" cnitypes "github.com/containernetworking/cni/pkg/types/current" "github.com/containernetworking/plugins/pkg/ns" "github.com/containers/buildah/pkg/chrootuser" @@ -704,6 +705,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { } g.SetLinuxCgroupsPath(cgroupPath) + // Warning: CDI may alter g.Config in place. + if len(c.config.CDIDevices) > 0 { + if err = cdi.UpdateOCISpecForDevices(g.Config, c.config.CDIDevices); err != nil { + return nil, errors.Wrapf(err, "error setting up CDI devices") + } + } + // Mounts need to be sorted so paths will not cover other paths mounts := sortMounts(g.Mounts()) g.ClearMounts() diff --git a/libpod/image/prune.go b/libpod/image/prune.go index 0e41fde44..e0480d3d1 100644 --- a/libpod/image/prune.go +++ b/libpod/image/prune.go @@ -30,7 +30,7 @@ func generatePruneFilterFuncs(filter, filterValue string) (ImageFilter, error) { return nil, err } return func(i *Image) bool { - if !until.IsZero() && i.Created().After((until)) { + if !until.IsZero() && i.Created().Before(until) { return true } return false diff --git a/libpod/image/pull_test.go b/libpod/image/pull_test.go index 2e1464ad3..d2930451c 100644 --- a/libpod/image/pull_test.go +++ b/libpod/image/pull_test.go @@ -308,6 +308,12 @@ func TestPullGoalFromPossiblyUnqualifiedName(t *testing.T) { sc.UserShortNameAliasConfPath = aliasesConf.Name() sc.SystemRegistriesConfPath = registriesConf.Name() + // Make sure to not sure the system's registries.conf.d + dir, err := ioutil.TempDir("", "example") + require.NoError(t, err) + sc.SystemRegistriesConfDirPath = dir + defer os.RemoveAll(dir) // clean up + for _, c := range []struct { input string expected []pullRefStrings diff --git a/libpod/options.go b/libpod/options.go index 5cd0f7b88..103a9a80a 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -293,6 +293,17 @@ func WithHooksDir(hooksDirs ...string) RuntimeOption { } } +// WithCDI sets the devices to check for for CDI configuration. +func WithCDI(devices []string) CtrCreateOption { + return func(ctr *Container) error { + if ctr.valid { + return define.ErrCtrFinalized + } + ctr.config.CDIDevices = devices + return nil + } +} + // WithDefaultMountsFile sets the file to look at for default mounts (mainly // secrets). // Note we are not saving this in the database as it is for testing purposes diff --git a/libpod/runtime.go b/libpod/runtime.go index dc53d5ef1..3518ed25a 100644 --- a/libpod/runtime.go +++ b/libpod/runtime.go @@ -29,6 +29,7 @@ import ( "github.com/containers/podman/v3/pkg/rootless" "github.com/containers/podman/v3/pkg/util" "github.com/containers/storage" + "github.com/containers/storage/pkg/unshare" "github.com/cri-o/ocicni/pkg/ocicni" "github.com/docker/docker/pkg/namesgenerator" spec "github.com/opencontainers/runtime-spec/specs-go" @@ -338,9 +339,16 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) { } logrus.Debugf("Set libpod namespace to %q", runtime.config.Engine.Namespace) + hasCapSysAdmin, err := unshare.HasCapSysAdmin() + if err != nil { + return err + } + + needsUserns := !hasCapSysAdmin + // Set up containers/storage var store storage.Store - if os.Geteuid() != 0 { + if needsUserns { logrus.Debug("Not configuring container store") } else if runtime.noStore { logrus.Debug("No store required. Not opening container store.") @@ -480,7 +488,7 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) { // If we need to refresh, then it is safe to assume there are // no containers running. Create immediately a namespace, as // we will need to access the storage. - if os.Geteuid() != 0 { + if needsUserns { aliveLock.Unlock() // Unlock to avoid deadlock as BecomeRootInUserNS will reexec. pausePid, err := util.GetRootlessPauseProcessPidPathGivenDir(runtime.config.Engine.TmpDir) if err != nil { diff --git a/pkg/api/handlers/compat/containers.go b/pkg/api/handlers/compat/containers.go index e7146a5d8..d97a4d3bd 100644 --- a/pkg/api/handlers/compat/containers.go +++ b/pkg/api/handlers/compat/containers.go @@ -26,6 +26,7 @@ import ( "github.com/docker/go-units" "github.com/gorilla/schema" "github.com/pkg/errors" + "github.com/sirupsen/logrus" ) func RemoveContainer(w http.ResponseWriter, r *http.Request) { @@ -148,14 +149,19 @@ func ListContainers(w http.ResponseWriter, r *http.Request) { containers = containers[:query.Limit] } } - var list = make([]*handlers.Container, len(containers)) - for i, ctnr := range containers { + list := make([]*handlers.Container, 0, len(containers)) + for _, ctnr := range containers { api, err := LibpodToContainer(ctnr, query.Size) if err != nil { + if errors.Cause(err) == define.ErrNoSuchCtr { + // container was removed between the initial fetch of the list and conversion + logrus.Debugf("Container %s removed between initial fetch and conversion, ignoring in output", ctnr.ID()) + continue + } utils.InternalServerError(w, err) return } - list[i] = api + list = append(list, api) } utils.WriteResponse(w, http.StatusOK, list) } diff --git a/pkg/domain/filters/containers.go b/pkg/domain/filters/containers.go index 45791cd84..9ac72e415 100644 --- a/pkg/domain/filters/containers.go +++ b/pkg/domain/filters/containers.go @@ -83,7 +83,19 @@ func GenerateContainerFilterFuncs(filter string, filterValues []string, r *libpo return func(c *libpod.Container) bool { for _, filterValue := range filterValues { containerConfig := c.Config() - if strings.Contains(containerConfig.RootfsImageID, filterValue) || strings.Contains(containerConfig.RootfsImageName, filterValue) { + var imageTag string + var imageNameWithoutTag string + // Compare with ImageID, ImageName + // Will match ImageName if running image has tag latest for other tags exact complete filter must be given + imageNameSlice := strings.SplitN(containerConfig.RootfsImageName, ":", 2) + if len(imageNameSlice) == 2 { + imageNameWithoutTag = imageNameSlice[0] + imageTag = imageNameSlice[1] + } + + if (containerConfig.RootfsImageID == filterValue) || + (containerConfig.RootfsImageName == filterValue) || + (imageNameWithoutTag == filterValue && imageTag == "latest") { return true } } diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go index 6319c1ab1..9bba0fa6c 100644 --- a/pkg/domain/infra/abi/system.go +++ b/pkg/domain/infra/abi/system.go @@ -21,6 +21,7 @@ import ( "github.com/containers/podman/v3/pkg/util" "github.com/containers/podman/v3/utils" "github.com/containers/storage" + "github.com/containers/storage/pkg/unshare" "github.com/pkg/errors" "github.com/sirupsen/logrus" "github.com/spf13/cobra" @@ -58,7 +59,11 @@ func (ic *ContainerEngine) Info(ctx context.Context) (*define.Info, error) { func (ic *ContainerEngine) SetupRootless(_ context.Context, cmd *cobra.Command) error { // do it only after podman has already re-execed and running with uid==0. - if os.Geteuid() == 0 { + hasCapSysAdmin, err := unshare.HasCapSysAdmin() + if err != nil { + return err + } + if hasCapSysAdmin { ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup() if err != nil { logrus.Infof("Failed to detect the owner for the current cgroup: %v", err) diff --git a/pkg/machine/ignition.go b/pkg/machine/ignition.go index cc5c01de6..00068a136 100644 --- a/pkg/machine/ignition.go +++ b/pkg/machine/ignition.go @@ -168,6 +168,22 @@ func getFiles(usrName string) []File { }, FileEmbedded1: FileEmbedded1{Mode: intToPtr(420)}, }) + + // Set machine_enabled to true to indicate we're in a VM + files = append(files, File{ + Node: Node{ + Group: getNodeGrp("root"), + Path: "/etc/containers/containers.conf", + User: getNodeUsr("root"), + }, + FileEmbedded1: FileEmbedded1{ + Append: nil, + Contents: Resource{ + Source: strToPtr("data:,%5Bengine%5D%0Amachine_enabled%3Dtrue%0A"), + }, + Mode: intToPtr(420), + }, + }) return files } diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index dda230dbc..fdfeed854 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -4,6 +4,7 @@ package rootless import ( "bufio" + "bytes" "fmt" "io" "io/ioutil" @@ -18,6 +19,7 @@ import ( "github.com/containers/podman/v3/pkg/errorhandling" "github.com/containers/storage/pkg/idtools" + "github.com/containers/storage/pkg/unshare" "github.com/pkg/errors" "github.com/sirupsen/logrus" "golang.org/x/sys/unix" @@ -67,6 +69,15 @@ func IsRootless() bool { } } isRootless = os.Geteuid() != 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" + if !isRootless { + hasCapSysAdmin, err := unshare.HasCapSysAdmin() + if err != nil { + logrus.Warnf("failed to read CAP_SYS_ADMIN presence for the current process") + } + if err == nil && !hasCapSysAdmin { + isRootless = true + } + } }) return isRootless } @@ -142,8 +153,12 @@ func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) err // namespace of the specified PID without looking up its parent. Useful to join directly // the conmon process. func joinUserAndMountNS(pid uint, pausePid string) (bool, int, error) { - if os.Geteuid() == 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" { - return false, -1, nil + hasCapSysAdmin, err := unshare.HasCapSysAdmin() + if err != nil { + return false, 0, err + } + if hasCapSysAdmin || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" { + return false, 0, nil } cPausePid := C.CString(pausePid) @@ -180,8 +195,11 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) { } mappings, err := idtools.NewIDMappings(username, username) if err != nil { - logrus.Errorf( - "cannot find UID/GID for user %s: %v - check rootless mode in man pages.", username, err) + logLevel := logrus.ErrorLevel + if os.Geteuid() == 0 && GetRootlessUID() == 0 { + logLevel = logrus.DebugLevel + } + logrus.StandardLogger().Logf(logLevel, "cannot find UID/GID for user %s: %v - check rootless mode in man pages.", username, err) } else { uids = mappings.UIDs() gids = mappings.GIDs() @@ -189,8 +207,28 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) { return uids, gids, nil } +func copyMappings(from, to string) error { + content, err := ioutil.ReadFile(from) + if err != nil { + return err + } + // Both runc and crun check whether the current process is in a user namespace + // by looking up 4294967295 in /proc/self/uid_map. If the mappings would be + // copied as they are, the check in the OCI runtimes would fail. So just split + // it in two different ranges. + if bytes.Contains(content, []byte("4294967295")) { + content = []byte("0 0 1\n1 1 4294967294\n") + } + return ioutil.WriteFile(to, content, 0600) +} + func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ bool, _ int, retErr error) { - if os.Geteuid() == 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" { + hasCapSysAdmin, err := unshare.HasCapSysAdmin() + if err != nil { + return false, 0, err + } + + if hasCapSysAdmin || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" { if os.Getenv("_CONTAINERS_USERNS_CONFIGURED") == "init" { return false, 0, runInUser() } @@ -247,8 +285,16 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo return false, -1, err } + uidMap := fmt.Sprintf("/proc/%d/uid_map", pid) + gidMap := fmt.Sprintf("/proc/%d/gid_map", pid) + uidsMapped := false - if uids != nil { + + if err := copyMappings("/proc/self/uid_map", uidMap); err == nil { + uidsMapped = true + } + + if uids != nil && !uidsMapped { err := tryMappingTool(true, pid, os.Geteuid(), uids) // If some mappings were specified, do not ignore the error if err != nil && len(uids) > 0 { @@ -265,7 +311,6 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo } logrus.Debugf("write setgroups file exited with 0") - uidMap := fmt.Sprintf("/proc/%d/uid_map", pid) err = ioutil.WriteFile(uidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Geteuid())), 0666) if err != nil { return false, -1, errors.Wrapf(err, "cannot write uid_map") @@ -274,7 +319,10 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo } gidsMapped := false - if gids != nil { + if err := copyMappings("/proc/self/gid_map", gidMap); err == nil { + gidsMapped = true + } + if gids != nil && !gidsMapped { err := tryMappingTool(false, pid, os.Getegid(), gids) // If some mappings were specified, do not ignore the error if err != nil && len(gids) > 0 { @@ -283,7 +331,6 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo gidsMapped = err == nil } if !gidsMapped { - gidMap := fmt.Sprintf("/proc/%d/gid_map", pid) err = ioutil.WriteFile(gidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getegid())), 0666) if err != nil { return false, -1, errors.Wrapf(err, "cannot write gid_map") diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go index 13d4b4926..2f623bf10 100644 --- a/pkg/specgen/generate/container_create.go +++ b/pkg/specgen/generate/container_create.go @@ -6,12 +6,14 @@ import ( "path/filepath" "strings" + cdi "github.com/container-orchestrated-devices/container-device-interface/pkg" "github.com/containers/common/pkg/config" "github.com/containers/podman/v3/libpod" "github.com/containers/podman/v3/libpod/image" "github.com/containers/podman/v3/pkg/specgen" "github.com/containers/podman/v3/pkg/util" "github.com/containers/storage/types" + spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -136,6 +138,11 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener options = append(options, libpod.WithNetworkAliases(s.Aliases)) } + if len(s.Devices) > 0 { + opts = extractCDIDevices(s) + options = append(options, opts...) + } + runtimeSpec, err := SpecGenToOCI(ctx, s, rt, rtc, newImage, finalMounts, pod, command) if err != nil { return nil, err @@ -143,6 +150,32 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener return rt.NewContainer(ctx, runtimeSpec, options...) } +func extractCDIDevices(s *specgen.SpecGenerator) []libpod.CtrCreateOption { + devs := make([]spec.LinuxDevice, 0, len(s.Devices)) + var cdiDevs []string + var options []libpod.CtrCreateOption + + for _, device := range s.Devices { + isCDIDevice, err := cdi.HasDevice(device.Path) + if err != nil { + logrus.Debugf("CDI HasDevice Error: %v", err) + } + if err == nil && isCDIDevice { + cdiDevs = append(cdiDevs, device.Path) + continue + } + + devs = append(devs, device) + } + + s.Devices = devs + if len(cdiDevs) > 0 { + options = append(options, libpod.WithCDI(cdiDevs)) + } + + return options +} + func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGenerator, pod *libpod.Pod, volumes []*specgen.NamedVolume, overlays []*specgen.OverlayVolume, img *image.Image, command []string) ([]libpod.CtrCreateOption, error) { var options []libpod.CtrCreateOption var err error diff --git a/test/apiv2/10-images.at b/test/apiv2/10-images.at index f854d38ab..a08393668 100644 --- a/test/apiv2/10-images.at +++ b/test/apiv2/10-images.at @@ -126,6 +126,20 @@ t DELETE libpod/images/test:test 200 t GET images/json?filters='{"label":["xyz"]}' 200 length=0 t GET libpod/images/json?filters='{"label":["xyz"]}' 200 length=0 + +# to be used in prune until filter tests +podman image build -t test1:latest -<<EOF +from alpine +RUN >file3 +EOF + +# image should not be deleted +t GET images/json?filters='{"reference":["test1"]}' 200 length=1 +t POST images/prune?filters='{"until":["500000"]}' 200 +t GET images/json?filters='{"reference":["test1"]}' 200 length=1 + +t DELETE libpod/images/test1:latest 200 + # Export more than one image # FIXME FIXME FIXME, this doesn't work: # not ok 64 [10-images] GET images/get?names=alpine,busybox : status diff --git a/test/compose/slirp4netns_opts/docker-compose.yml b/test/compose/slirp4netns_opts/docker-compose.yml new file mode 100644 index 000000000..dcdcae04c --- /dev/null +++ b/test/compose/slirp4netns_opts/docker-compose.yml @@ -0,0 +1,5 @@ +services: + alpine: + image: alpine + network_mode: "slirp4netns:allow_host_loopback=true" + command: sh -c "echo teststring | nc 10.0.2.2 5001" diff --git a/test/compose/slirp4netns_opts/setup.sh b/test/compose/slirp4netns_opts/setup.sh new file mode 100644 index 000000000..35bbf7c70 --- /dev/null +++ b/test/compose/slirp4netns_opts/setup.sh @@ -0,0 +1,8 @@ +# -*- bash -*- + +# create tempfile to store nc output +OUTFILE=$(mktemp) +# listen on a port, the container will try to connect to it +nc -l 5001 > $OUTFILE & + +nc_pid=$! diff --git a/test/compose/slirp4netns_opts/teardown.sh b/test/compose/slirp4netns_opts/teardown.sh new file mode 100644 index 000000000..656724363 --- /dev/null +++ b/test/compose/slirp4netns_opts/teardown.sh @@ -0,0 +1,4 @@ +# -*- bash -*- + +kill $nc_pid &> /dev/null +rm -f $OUTFILE diff --git a/test/compose/slirp4netns_opts/tests.sh b/test/compose/slirp4netns_opts/tests.sh new file mode 100644 index 000000000..1efce45c4 --- /dev/null +++ b/test/compose/slirp4netns_opts/tests.sh @@ -0,0 +1,6 @@ +# -*- bash -*- + +output="$(cat $OUTFILE)" +expected="teststring" + +is "$output" "$expected" "$testname : nc received teststring" diff --git a/test/e2e/cdi/device.json b/test/e2e/cdi/device.json new file mode 100644 index 000000000..f49470c88 --- /dev/null +++ b/test/e2e/cdi/device.json @@ -0,0 +1,14 @@ +{ + "cdiVersion": "0.2.0", + "kind": "vendor.com/device", + "devices": [ + { + "name": "myKmsg", + "containerEdits": { + "mounts": [ + {"hostPath": "/dev/kmsg", "containerPath": "/dev/kmsg1", "options": ["rw", "rprivate", "rbind"]} + ] + } + } + ] +} diff --git a/test/e2e/ps_test.go b/test/e2e/ps_test.go index 37b6516c1..d5269f415 100644 --- a/test/e2e/ps_test.go +++ b/test/e2e/ps_test.go @@ -269,6 +269,12 @@ var _ = Describe("Podman ps", func() { result.WaitWithDefaultTimeout() Expect(result.ExitCode()).To(Equal(0)) Expect(result.OutputToString()).To(Equal(cid)) + + // Query by trunctated image name should not match ( should return empty output ) + result = podmanTest.Podman([]string{"ps", "-q", "--no-trunc", "-a", "--filter", "ancestor=quay.io/libpod/alpi"}) + result.WaitWithDefaultTimeout() + Expect(result.ExitCode()).To(Equal(0)) + Expect(result.OutputToString()).To(Equal("")) }) It("podman ps id filter flag", func() { diff --git a/test/e2e/run_device_test.go b/test/e2e/run_device_test.go index 5a32ed827..3137e3fe4 100644 --- a/test/e2e/run_device_test.go +++ b/test/e2e/run_device_test.go @@ -2,6 +2,7 @@ package integration import ( "os" + "os/exec" . "github.com/containers/podman/v3/test/utils" . "github.com/onsi/ginkgo" @@ -94,4 +95,22 @@ var _ = Describe("Podman run device", func() { session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) }) + + It("podman run CDI device test", func() { + SkipIfRootless("Rootless will not be able to create files/folders in /etc") + cdiDir := "/etc/cdi" + if _, err := os.Stat(cdiDir); os.IsNotExist(err) { + Expect(os.MkdirAll(cdiDir, os.ModePerm)).To(BeNil()) + } + defer os.RemoveAll(cdiDir) + + cmd := exec.Command("cp", "cdi/device.json", cdiDir) + err = cmd.Run() + Expect(err).To(BeNil()) + + session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "myKmsg", ALPINE, "ls", "--color=never", "/dev/kmsg1"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(Equal("/dev/kmsg1")) + }) }) diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/LICENSE b/vendor/github.com/container-orchestrated-devices/container-device-interface/LICENSE new file mode 100644 index 000000000..261eeb9e9 --- /dev/null +++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/devices.go b/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/devices.go new file mode 100644 index 000000000..e66fd36c0 --- /dev/null +++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/devices.go @@ -0,0 +1,180 @@ +package pkg + +import ( + "encoding/json" + "fmt" + "io/ioutil" + "os" + "path/filepath" + "strings" + + cdispec "github.com/container-orchestrated-devices/container-device-interface/specs-go" + spec "github.com/opencontainers/runtime-spec/specs-go" +) + +const ( + root = "/etc/cdi" +) + +func collectCDISpecs() (map[string]*cdispec.Spec, error) { + var files []string + vendor := make(map[string]*cdispec.Spec) + + err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error { + if info == nil || info.IsDir() { + return nil + } + + if filepath.Ext(path) != ".json" { + return nil + } + + files = append(files, path) + return nil + }) + + if err != nil { + return nil, err + } + + for _, path := range files { + spec, err := loadCDIFile(path) + if err != nil { + continue + } + + if _, ok := vendor[spec.Kind]; ok { + continue + } + + vendor[spec.Kind] = spec + } + + return vendor, nil +} + +// TODO: Validate (e.g: duplicate device names) +func loadCDIFile(path string) (*cdispec.Spec, error) { + file, err := ioutil.ReadFile(path) + if err != nil { + return nil, err + } + + var spec *cdispec.Spec + err = json.Unmarshal([]byte(file), &spec) + if err != nil { + return nil, err + } + + return spec, nil +} + +/* +* Pattern "vendor.com/device=myDevice" with the vendor being optional + */ +func extractVendor(dev string) (string, string) { + if strings.IndexByte(dev, '=') == -1 { + return "", dev + } + + split := strings.SplitN(dev, "=", 2) + return split[0], split[1] +} + +// GetCDIForDevice returns the CDI specification that matches the device name the user provided. +func GetCDIForDevice(dev string, specs map[string]*cdispec.Spec) (*cdispec.Spec, error) { + vendor, device := extractVendor(dev) + + if vendor != "" { + s, ok := specs[vendor] + if !ok { + return nil, fmt.Errorf("Could not find vendor %q for device %q", vendor, device) + } + + for _, d := range s.Devices { + if d.Name != device { + continue + } + + return s, nil + } + + return nil, fmt.Errorf("Could not find device %q for vendor %q", device, vendor) + } + + var found []*cdispec.Spec + var vendors []string + for vendor, spec := range specs { + + for _, d := range spec.Devices { + if d.Name != device { + continue + } + + found = append(found, spec) + vendors = append(vendors, vendor) + } + } + + if len(found) > 1 { + return nil, fmt.Errorf("%q is ambiguous and currently refers to multiple devices from different vendors: %q", dev, vendors) + } + + if len(found) == 1 { + return found[0], nil + } + + return nil, fmt.Errorf("Could not find device %q", dev) +} + +// HasDevice returns true if a device is a CDI device +// an error may be returned in cases where permissions may be required +func HasDevice(dev string) (bool, error) { + specs, err := collectCDISpecs() + if err != nil { + return false, err + } + + d, err := GetCDIForDevice(dev, specs) + if err != nil { + return false, err + } + + return d != nil, nil +} + +// UpdateOCISpecForDevices updates the given OCI spec based on the requested CDI devices +func UpdateOCISpecForDevices(ociconfig *spec.Spec, devs []string) error { + specs, err := collectCDISpecs() + if err != nil { + return err + } + + return UpdateOCISpecForDevicesWithSpec(ociconfig, devs, specs) +} + +// UpdateOCISpecForDevicesWithLoggerAndSpecs is mainly used for testing +func UpdateOCISpecForDevicesWithSpec(ociconfig *spec.Spec, devs []string, specs map[string]*cdispec.Spec) error { + edits := make(map[string]*cdispec.Spec) + + for _, d := range devs { + spec, err := GetCDIForDevice(d, specs) + if err != nil { + return err + } + + edits[spec.Kind] = spec + err = cdispec.ApplyOCIEditsForDevice(ociconfig, spec, d) + if err != nil { + return err + } + } + + for _, spec := range edits { + if err := cdispec.ApplyOCIEdits(ociconfig, spec); err != nil { + return err + } + } + + return nil +} diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go new file mode 100644 index 000000000..0223bb703 --- /dev/null +++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go @@ -0,0 +1,50 @@ +package specs + +// Spec is the base configuration for CDI +type Spec struct { + Version string `json:"cdiVersion"` + Kind string `json:"kind"` + KindShort []string `json:"kindShort,omitempty"` + ContainerRuntime []string `json:"containerRuntime,omitempty"` + + Devices []Devices `json:"devices"` + ContainerEdits ContainerEdits `json:"containerEdits,omitempty"` +} + +// Devices is a "Device" a container runtime can add to a container +type Devices struct { + Name string `json:"name"` + NameShort []string `json:"nameShort"` + ContainerEdits ContainerEdits `json:"containerEdits"` +} + +// ContainerEdits are edits a container runtime must make to the OCI spec to expose the device. +type ContainerEdits struct { + Env []string `json:"env,omitempty"` + DeviceNodes []*DeviceNode `json:"deviceNodes,omitempty"` + Hooks []*Hook `json:"hooks,omitempty"` + Mounts []*Mount `json:"mounts,omitempty"` +} + +// DeviceNode represents a device node that needs to be added to the OCI spec. +type DeviceNode struct { + HostPath string `json:"hostPath"` + ContainerPath string `json:"containerPath"` + Permissions []string `json:"permissions,omitempty"` +} + +// Mount represents a mount that needs to be added to the OCI spec. +type Mount struct { + HostPath string `json:"hostPath"` + ContainerPath string `json:"containerPath"` + Options []string `json:"options,omitempty"` +} + +// Hook represents a hook that needs to be added to the OCI spec. +type Hook struct { + HookName string `json:"hookName"` + Path string `json:"path"` + Args []string `json:"args,omitempty"` + Env []string `json:"env,omitempty"` + Timeout *int `json:"timeout,omitempty"` +} diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go new file mode 100644 index 000000000..c59cda55d --- /dev/null +++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go @@ -0,0 +1,104 @@ +package specs + +import ( + "errors" + "fmt" + + spec "github.com/opencontainers/runtime-spec/specs-go" +) + +// ApplyOCIEditsForDevice applies devices OCI edits, in other words +// it finds the device in the CDI spec and applies the OCI patches that device +// requires to the OCI specification. +func ApplyOCIEditsForDevice(config *spec.Spec, cdi *Spec, dev string) error { + for _, d := range cdi.Devices { + if d.Name != dev { + continue + } + + return ApplyEditsToOCISpec(config, &d.ContainerEdits) + } + + return fmt.Errorf("CDI: device %q not found for spec %q", dev, cdi.Kind) +} + +// ApplyOCIEdits applies the OCI edits the CDI spec declares globablly +func ApplyOCIEdits(config *spec.Spec, cdi *Spec) error { + return ApplyEditsToOCISpec(config, &cdi.ContainerEdits) +} + +// ApplyEditsToOCISpec applies the specified edits to the OCI spec. +func ApplyEditsToOCISpec(config *spec.Spec, edits *ContainerEdits) error { + if config == nil { + return errors.New("spec is nil") + } + if edits == nil { + return nil + } + + if len(edits.Env) > 0 { + + if config.Process == nil { + config.Process = &spec.Process{} + } + + config.Process.Env = append(config.Process.Env, edits.Env...) + } + + for _, d := range edits.DeviceNodes { + config.Mounts = append(config.Mounts, toOCIDevice(d)) + } + + for _, m := range edits.Mounts { + config.Mounts = append(config.Mounts, toOCIMount(m)) + } + + for _, h := range edits.Hooks { + if config.Hooks == nil { + config.Hooks = &spec.Hooks{} + } + switch h.HookName { + case "prestart": + config.Hooks.Prestart = append(config.Hooks.Prestart, toOCIHook(h)) + case "createRuntime": + config.Hooks.CreateRuntime = append(config.Hooks.CreateRuntime, toOCIHook(h)) + case "createContainer": + config.Hooks.CreateContainer = append(config.Hooks.CreateContainer, toOCIHook(h)) + case "startContainer": + config.Hooks.StartContainer = append(config.Hooks.StartContainer, toOCIHook(h)) + case "poststart": + config.Hooks.Poststart = append(config.Hooks.Poststart, toOCIHook(h)) + case "poststop": + config.Hooks.Poststop = append(config.Hooks.Poststop, toOCIHook(h)) + default: + fmt.Printf("CDI: Unknown hook %q\n", h.HookName) + } + } + + return nil +} + +func toOCIHook(h *Hook) spec.Hook { + return spec.Hook{ + Path: h.Path, + Args: h.Args, + Env: h.Env, + Timeout: h.Timeout, + } +} + +func toOCIMount(m *Mount) spec.Mount { + return spec.Mount{ + Source: m.HostPath, + Destination: m.ContainerPath, + Options: m.Options, + } +} + +func toOCIDevice(d *DeviceNode) spec.Mount { + return spec.Mount{ + Source: d.HostPath, + Destination: d.ContainerPath, + Options: d.Permissions, + } +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 77dcb9744..b0658df5b 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -49,6 +49,9 @@ github.com/checkpoint-restore/go-criu github.com/checkpoint-restore/go-criu/rpc # github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e github.com/chzyer/readline +# github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9 +github.com/container-orchestrated-devices/container-device-interface/pkg +github.com/container-orchestrated-devices/container-device-interface/specs-go # github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68 github.com/containerd/cgroups/stats/v1 # github.com/containerd/containerd v1.5.0-beta.4 |