diff options
85 files changed, 269 insertions, 387 deletions
diff --git a/.golangci.yml b/.golangci.yml index 582a38206..a3c9c4a8b 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -50,7 +50,6 @@ linters: - gosec - maligned - gomoddirectives - - revive - containedctx - contextcheck - cyclop @@ -60,6 +59,10 @@ linters: - varnamelen - maintidx - nilnil + # deprecated linters + - golint # replaced by revive + - scopelint # replaced by exportloopref + - interfacer linters-settings: errcheck: check-blank: false @@ -616,18 +616,24 @@ remotesystem: fi;\ exit $$rc -.PHONY: localapiv2 -localapiv2: - # Order is important running python tests first causes the bash tests to fail, see 12-imagesMore - # FIXME order of tests should not matter +.PHONY: localapiv2-bash +localapiv2-bash: env PODMAN=./bin/podman stdbuf -o0 -e0 ./test/apiv2/test-apiv2 + +.PHONY: localapiv2-python +localapiv2-python: env CONTAINERS_CONF=$(CURDIR)/test/apiv2/containers.conf PODMAN=./bin/podman \ - pytest --disable-warnings ./test/apiv2/python + pytest --verbose --disable-warnings ./test/apiv2/python touch test/__init__.py env CONTAINERS_CONF=$(CURDIR)/test/apiv2/containers.conf PODMAN=./bin/podman \ - pytest --disable-warnings ./test/python/docker + pytest --verbose --disable-warnings ./test/python/docker rm -f test/__init__.py +# Order is important running python tests first causes the bash tests +# to fail, see 12-imagesMore. FIXME order of tests should not matter +.PHONY: localapiv2 +localapiv2: localapiv2-bash localapiv2-python + .PHONY: remoteapiv2 remoteapiv2: true diff --git a/cmd/podman/images/list.go b/cmd/podman/images/list.go index 9bddf1cff..58fb3e919 100644 --- a/cmd/podman/images/list.go +++ b/cmd/podman/images/list.go @@ -225,7 +225,7 @@ func sortImages(imageS []*entities.ImageSummary) ([]imageReporter, error) { h.ImageSummary = *e h.Repository, h.Tag, err = tokenRepoTag(tag) if err != nil { - return nil, errors.Wrapf(err, "error parsing repository tag %q:", tag) + return nil, errors.Wrapf(err, "error parsing repository tag: %q", tag) } if h.Tag == "<none>" { untagged = append(untagged, h) diff --git a/cmd/podman/images/load.go b/cmd/podman/images/load.go index 6f85fb7e7..dbb7c32fa 100644 --- a/cmd/podman/images/load.go +++ b/cmd/podman/images/load.go @@ -91,7 +91,7 @@ func load(cmd *cobra.Command, args []string) error { } } else { if term.IsTerminal(int(os.Stdin.Fd())) { - return errors.Errorf("cannot read from terminal. Use command-line redirection or the --input flag.") + return errors.Errorf("cannot read from terminal, use command-line redirection or the --input flag") } outFile, err := ioutil.TempFile(util.Tmpdir(), "podman") if err != nil { diff --git a/cmd/podman/machine/init.go b/cmd/podman/machine/init.go index 06c1f7248..2d0afbf05 100644 --- a/cmd/podman/machine/init.go +++ b/cmd/podman/machine/init.go @@ -12,7 +12,6 @@ import ( "github.com/containers/podman/v4/pkg/machine" "github.com/pkg/errors" "github.com/spf13/cobra" - "github.com/spf13/pflag" ) var ( @@ -107,18 +106,8 @@ func init() { flags.StringVar(&initOpts.IgnitionPath, IgnitionPathFlagName, "", "Path to ignition file") _ = initCmd.RegisterFlagCompletionFunc(IgnitionPathFlagName, completion.AutocompleteDefault) - rootfullFlagName := "rootfull" - flags.BoolVar(&initOpts.Rootfull, rootfullFlagName, false, "Whether this machine should prefer rootfull container execution") - flags.SetNormalizeFunc(aliasFlags) -} - -// aliasFlags is a function to handle backwards compatibility with old flags -func aliasFlags(f *pflag.FlagSet, name string) pflag.NormalizedName { - switch name { - case "rootful": - name = "rootfull" - } - return pflag.NormalizedName(name) + rootfulFlagName := "rootful" + flags.BoolVar(&initOpts.Rootful, rootfulFlagName, false, "Whether this machine should prefer rootful container execution") } // TODO should we allow for a users to append to the qemu cmdline? diff --git a/cmd/podman/machine/set.go b/cmd/podman/machine/set.go index b1dfb51da..4c15f1de1 100644 --- a/cmd/podman/machine/set.go +++ b/cmd/podman/machine/set.go @@ -17,7 +17,7 @@ var ( Long: "Sets an updatable virtual machine setting", RunE: setMachine, Args: cobra.MaximumNArgs(1), - Example: `podman machine set --rootfull=false`, + Example: `podman machine set --rootful=false`, ValidArgsFunction: completion.AutocompleteNone, } ) @@ -33,9 +33,8 @@ func init() { }) flags := setCmd.Flags() - rootfullFlagName := "rootfull" - flags.BoolVar(&setOpts.Rootfull, rootfullFlagName, false, "Whether this machine should prefer rootfull container execution") - flags.SetNormalizeFunc(aliasFlags) + rootfulFlagName := "rootful" + flags.BoolVar(&setOpts.Rootful, rootfulFlagName, false, "Whether this machine should prefer rootful container execution") } func setMachine(cmd *cobra.Command, args []string) error { diff --git a/cmd/podman/root.go b/cmd/podman/root.go index 500a475bd..9b1aa778b 100644 --- a/cmd/podman/root.go +++ b/cmd/podman/root.go @@ -429,6 +429,10 @@ func rootFlags(cmd *cobra.Command, opts *entities.PodmanConfig) { pFlags.BoolVar(&opts.Trace, "trace", false, "Enable opentracing output (default false)") + volumePathFlagName := "volumepath" + pFlags.StringVar(&opts.Engine.VolumePath, volumePathFlagName, "", "Path to the volume directory in which volume data is stored") + _ = cmd.RegisterFlagCompletionFunc(volumePathFlagName, completion.AutocompleteDefault) + // Hide these flags for both ABI and Tunneling for _, f := range []string{ "cpu-profile", diff --git a/cmd/podman/validate/args.go b/cmd/podman/validate/args.go index 743ee1837..669456bd3 100644 --- a/cmd/podman/validate/args.go +++ b/cmd/podman/validate/args.go @@ -23,9 +23,9 @@ func SubCommandExists(cmd *cobra.Command, args []string) error { if len(args) > 0 { suggestions := cmd.SuggestionsFor(args[0]) if len(suggestions) == 0 { - return errors.Errorf("unrecognized command `%[1]s %[2]s`\nTry '%[1]s --help' for more information.", cmd.CommandPath(), args[0]) + return errors.Errorf("unrecognized command `%[1]s %[2]s`\nTry '%[1]s --help' for more information", cmd.CommandPath(), args[0]) } - return errors.Errorf("unrecognized command `%[1]s %[2]s`\n\nDid you mean this?\n\t%[3]s\n\nTry '%[1]s --help' for more information.", cmd.CommandPath(), args[0], strings.Join(suggestions, "\n\t")) + return errors.Errorf("unrecognized command `%[1]s %[2]s`\n\nDid you mean this?\n\t%[3]s\n\nTry '%[1]s --help' for more information", cmd.CommandPath(), args[0], strings.Join(suggestions, "\n\t")) } cmd.Help() // nolint: errcheck return errors.Errorf("missing command '%[1]s COMMAND'", cmd.CommandPath()) diff --git a/contrib/cirrus/logformatter b/contrib/cirrus/logformatter index 3c52e612b..e45f03df9 100755 --- a/contrib/cirrus/logformatter +++ b/contrib/cirrus/logformatter @@ -20,6 +20,9 @@ use warnings; our $VERSION = '0.1'; +# Autoflush stdout +$| = 1; + # For debugging, show data structures using DumpTree($var) #use Data::TreeDumper; $Data::TreeDumper::Displayaddress = 0; @@ -204,7 +207,7 @@ END_HTML print { $out_fh } "<pre> <!-- begin processed output -->\n"; - # Assume rootfull prompt, check for rootless (here and in log itself, below) + # Assume rootful prompt, check for rootless (here and in log itself, below) my $Prompt = '#'; $Prompt = '$' if $test_name =~ /rootless/; diff --git a/contrib/cirrus/runner.sh b/contrib/cirrus/runner.sh index 8f956d7f5..1953c477e 100755 --- a/contrib/cirrus/runner.sh +++ b/contrib/cirrus/runner.sh @@ -59,8 +59,11 @@ function _run_unit() { function _run_apiv2() { _bail_if_test_can_be_skipped test/apiv2 - source .venv/requests/bin/activate - make localapiv2 |& logformatter + ( + make localapiv2-bash + source .venv/requests/bin/activate + make localapiv2-python + ) |& logformatter } function _run_compose() { @@ -118,6 +121,7 @@ function _run_bindings() { function _run_docker-py() { source .venv/docker-py/bin/activate + make binaries make run-docker-py-tests } diff --git a/contrib/podmanimage/README.md b/contrib/podmanimage/README.md index 58c14be72..4f184ca28 100644 --- a/contrib/podmanimage/README.md +++ b/contrib/podmanimage/README.md @@ -70,4 +70,4 @@ file to `/etc/modules.load.d`. See `man modules-load.d` for more details. ### Blog Post with Details -Dan Walsh wrote a blog post on the [Enable Sysadmin](https://www.redhat.com/sysadmin/) site titled [How to use Podman inside of a container](https://www.redhat.com/sysadmin/podman-inside-container). In it, he details how to use these images as a rootfull and as a rootless user. Please refer to this blog for more detailed information. +Dan Walsh wrote a blog post on the [Enable Sysadmin](https://www.redhat.com/sysadmin/) site titled [How to use Podman inside of a container](https://www.redhat.com/sysadmin/podman-inside-container). In it, he details how to use these images as a rootful and as a rootless user. Please refer to this blog for more detailed information. diff --git a/contrib/remote/containers.conf b/contrib/remote/containers.conf index 45f58171a..9b0b62c42 100644 --- a/contrib/remote/containers.conf +++ b/contrib/remote/containers.conf @@ -7,5 +7,5 @@ # Default Remote URI to access the Podman service. # Examples: # remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock -# remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock +# remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock # remote_uri= "" diff --git a/docs/source/markdown/podman-build.1.md b/docs/source/markdown/podman-build.1.md index 406dfcd89..bd1e673b8 100644 --- a/docs/source/markdown/podman-build.1.md +++ b/docs/source/markdown/podman-build.1.md @@ -429,7 +429,7 @@ container full access to local system services such as D-bus and is therefore considered insecure. - **ns:**_path_: path to a network namespace to join. - **private**: create a new namespace for the container (default) -- **\<network name|ID\>**: Join the network with the given name or ID, e.g. use `--network mynet` to join the network with the name mynet. Only supported for rootfull users. +- **\<network name|ID\>**: Join the network with the given name or ID, e.g. use `--network mynet` to join the network with the name mynet. Only supported for rootful users. #### **--no-cache** @@ -685,7 +685,7 @@ suitable group name to use as the default setting for this option. **NOTE:** When this option is specified by a rootless user, the specified mappings are relative to the rootless user namespace in the container, rather -than being relative to the host as it would be when run rootfull. +than being relative to the host as it would be when run rootful. #### **--userns-uid-map**=*mapping* @@ -721,7 +721,7 @@ suitable user name to use as the default setting for this option. **NOTE:** When this option is specified by a rootless user, the specified mappings are relative to the rootless user namespace in the container, rather -than being relative to the host as it would be when run rootfull. +than being relative to the host as it would be when run rootful. #### **--uts**=*how* diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 15ae28dc3..c63e8814b 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -704,7 +704,7 @@ Set the network mode for the container. Invalid if using **--dns**, **--dns-opt* Valid _mode_ values are: -- **bridge[:OPTIONS,...]**: Create a network stack on the default bridge. This is the default for rootfull containers. It is possible to specify these additional options: +- **bridge[:OPTIONS,...]**: Create a network stack on the default bridge. This is the default for rootful containers. It is possible to specify these additional options: - **alias=name**: Add network-scoped alias for the container. - **ip=IPv4**: Specify a static ipv4 address for this container. - **ip=IPv6**: Specify a static ipv6 address for this container. @@ -717,7 +717,7 @@ Valid _mode_ values are: - **container:**_id_: Reuse another container's network stack. - **host**: Do not create a network namespace, the container will use the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. - **ns:**_path_: Path to a network namespace to join. -- **private**: Create a new namespace for the container. This will use the **bridge** mode for rootfull containers and **slirp4netns** for rootless ones. +- **private**: Create a new namespace for the container. This will use the **bridge** mode for rootful containers and **slirp4netns** for rootless ones. - **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options, they can also be set with `network_cmd_options` in containers.conf: - **allow_host_loopback=true|false**: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`). Default is false. - **mtu=MTU**: Specify the MTU to use for this network. (Default is `65520`). @@ -1118,8 +1118,8 @@ option conflicts with the **--userns** and **--subuidname** options. This option provides a way to map host UIDs to container UIDs. It can be passed several times to map different ranges. -The _from_uid_ value is based upon the user running the command, either rootfull or rootless users. -* rootfull user: *container_uid*:*host_uid*:*amount* +The _from_uid_ value is based upon the user running the command, either rootful or rootless users. +* rootful user: *container_uid*:*host_uid*:*amount* * rootless user: *container_uid*:*intermediate_uid*:*amount* When **podman create** is called by a privileged user, the option **--uidmap** diff --git a/docs/source/markdown/podman-image-scp.1.md b/docs/source/markdown/podman-image-scp.1.md index 6d5a51298..1d902da91 100644 --- a/docs/source/markdown/podman-image-scp.1.md +++ b/docs/source/markdown/podman-image-scp.1.md @@ -8,7 +8,7 @@ podman-image-scp - Securely copy an image from one host to another ## DESCRIPTION **podman image scp** copies container images between hosts on a network. You can load to the remote host or from the remote host as well as in between two remote hosts. -Note: `::` is used to specify the image name depending on if you are saving or loading. Images can also be transferred from rootfull to rootless storage on the same machine without using sshd. This feature is not supported on the remote client, including Mac and Windows (excluding WSL2) machines. +Note: `::` is used to specify the image name depending on if you are saving or loading. Images can also be transferred from rootful to rootless storage on the same machine without using sshd. This feature is not supported on the remote client, including Mac and Windows (excluding WSL2) machines. **podman image scp [GLOBAL OPTIONS]** diff --git a/docs/source/markdown/podman-machine-init.1.md b/docs/source/markdown/podman-machine-init.1.md index e42c5025b..33947bbba 100644 --- a/docs/source/markdown/podman-machine-init.1.md +++ b/docs/source/markdown/podman-machine-init.1.md @@ -59,9 +59,9 @@ Memory (in MB). Start the virtual machine immediately after it has been initialized. -#### **--rootfull**=*true|false* +#### **--rootful**=*true|false* -Whether this machine should prefer rootfull (`true`) or rootless (`false`) +Whether this machine should prefer rootful (`true`) or rootless (`false`) container execution. This option will also determine the remote connection default if there is no existing remote connection configurations. @@ -95,7 +95,7 @@ Driver to use for mounting volumes from the host, such as `virtfs`. ``` $ podman machine init $ podman machine init myvm -$ podman machine init --rootfull +$ podman machine init --rootful $ podman machine init --disk-size 50 $ podman machine init --memory=1024 myvm $ podman machine init -v /Users:/mnt/Users diff --git a/docs/source/markdown/podman-machine-set.1.md b/docs/source/markdown/podman-machine-set.1.md index e69a7dc14..a4918eacf 100644 --- a/docs/source/markdown/podman-machine-set.1.md +++ b/docs/source/markdown/podman-machine-set.1.md @@ -19,39 +19,39 @@ subset can be changed after machine initialization. Print usage statement. -#### **--rootfull**=*true|false* +#### **--rootful**=*true|false* -Whether this machine should prefer rootfull (`true`) or rootless (`false`) +Whether this machine should prefer rootful (`true`) or rootless (`false`) container execution. This option will also update the current podman remote connection default if it is currently pointing at the specified machine name (or `podman-machine-default` if no name is specified). Unlike [**podman system connection default**](podman-system-connection-default.1.md) -this option will also make the API socket, if available, forward to the rootfull/rootless +this option will also make the API socket, if available, forward to the rootful/rootless socket in the VM. ## EXAMPLES -To switch the default VM `podman-machine-default` from rootless to rootfull: +To switch the default VM `podman-machine-default` from rootless to rootful: ``` -$ podman machine set --rootfull +$ podman machine set --rootful ``` or more explicitly: ``` -$ podman machine set --rootfull=true +$ podman machine set --rootful=true ``` -To switch the default VM `podman-machine-default` from rootfull to rootless: +To switch the default VM `podman-machine-default` from rootful to rootless: ``` -$ podman machine set --rootfull=false +$ podman machine set --rootful=false ``` -To switch the VM `myvm` from rootless to rootfull: +To switch the VM `myvm` from rootless to rootful: ``` -$ podman machine set --rootfull myvm +$ podman machine set --rootful myvm ``` ## SEE ALSO diff --git a/docs/source/markdown/podman-network-reload.1.md b/docs/source/markdown/podman-network-reload.1.md index 5cbe9b9bf..31d10829e 100644 --- a/docs/source/markdown/podman-network-reload.1.md +++ b/docs/source/markdown/podman-network-reload.1.md @@ -9,7 +9,7 @@ podman\-network\-reload - Reload network configuration for containers ## DESCRIPTION Reload one or more container network configurations. -Rootfull Podman relies on iptables rules in order to provide network connectivity. If the iptables rules are deleted, +Rootful Podman relies on iptables rules in order to provide network connectivity. If the iptables rules are deleted, this happens for example with `firewall-cmd --reload`, the container loses network connectivity. This command restores the network connectivity. diff --git a/docs/source/markdown/podman-play-kube.1.md b/docs/source/markdown/podman-play-kube.1.md index 8b56d109a..8ed71b734 100644 --- a/docs/source/markdown/podman-play-kube.1.md +++ b/docs/source/markdown/podman-play-kube.1.md @@ -188,7 +188,7 @@ Note: When joining multiple networks you should use the **--network name:mac=\<m Change the network mode of the pod. The host network mode should be configured in the YAML file. Valid _mode_ values are: -- **bridge[:OPTIONS,...]**: Create a network stack on the default bridge. This is the default for rootfull containers. It is possible to specify these additional options: +- **bridge[:OPTIONS,...]**: Create a network stack on the default bridge. This is the default for rootful containers. It is possible to specify these additional options: - **alias=name**: Add network-scoped alias for the container. - **ip=IPv4**: Specify a static ipv4 address for this container. - **ip=IPv6**: Specify a static ipv6 address for this container. @@ -200,7 +200,7 @@ Valid _mode_ values are: - **none**: Create a network namespace for the container but do not configure network interfaces for it, thus the container has no network connectivity. - **container:**_id_: Reuse another container's network stack. - **ns:**_path_: Path to a network namespace to join. -- **private**: Create a new namespace for the container. This will use the **bridge** mode for rootfull containers and **slirp4netns** for rootless ones. +- **private**: Create a new namespace for the container. This will use the **bridge** mode for rootful containers and **slirp4netns** for rootless ones. - **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options, they can also be set with `network_cmd_options` in containers.conf: - **allow_host_loopback=true|false**: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`). Default is false. - **mtu=MTU**: Specify the MTU to use for this network. (Default is `65520`). diff --git a/docs/source/markdown/podman-pod-create.1.md b/docs/source/markdown/podman-pod-create.1.md index 403a317ea..714909b98 100644 --- a/docs/source/markdown/podman-pod-create.1.md +++ b/docs/source/markdown/podman-pod-create.1.md @@ -156,7 +156,7 @@ Set the network mode for the pod. Invalid if using **--dns**, **--dns-opt**, or Valid _mode_ values are: -- **bridge[:OPTIONS,...]**: Create a network stack on the default bridge. This is the default for rootfull containers. It is possible to specify these additional options: +- **bridge[:OPTIONS,...]**: Create a network stack on the default bridge. This is the default for rootful containers. It is possible to specify these additional options: - **alias=name**: Add network-scoped alias for the container. - **ip=IPv4**: Specify a static ipv4 address for this container. - **ip=IPv6**: Specify a static ipv6 address for this container. @@ -169,7 +169,7 @@ Valid _mode_ values are: - **container:**_id_: Reuse another container's network stack. - **host**: Do not create a network namespace, the container will use the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. - **ns:**_path_: Path to a network namespace to join. -- **private**: Create a new namespace for the container. This will use the **bridge** mode for rootfull containers and **slirp4netns** for rootless ones. +- **private**: Create a new namespace for the container. This will use the **bridge** mode for rootful containers and **slirp4netns** for rootless ones. - **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options, they can also be set with `network_cmd_options` in containers.conf: - **allow_host_loopback=true|false**: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`). Default is false. - **mtu=MTU**: Specify the MTU to use for this network. (Default is `65520`). diff --git a/docs/source/markdown/podman-pull.1.md b/docs/source/markdown/podman-pull.1.md index 00a86aa71..928bbc6fe 100644 --- a/docs/source/markdown/podman-pull.1.md +++ b/docs/source/markdown/podman-pull.1.md @@ -117,7 +117,7 @@ Using short names is subject to the risk of hitting squatted registry namespaces While it is highly recommended to always use fully-qualified image references, existing deployments using short names may not be easily changed. To circumvent the aforementioned ambiguity, so called short-name aliases can be configured that point to a fully-qualified image reference. Distributions often ship a default shortnames.conf expansion file in /etc/containers/registries.conf.d/ directory. Administrators can use this directory to add their own local short-name expansion files. When pulling an image, if the user does not specify the complete registry, container engines attempt to expand the short-name into a full name. If the command is executed with a tty, the user will be prompted to select a registry from the -default list unqualified registries defined in registries.conf. The user's selection is then stored in a cache file to be used in all future short-name expansions. Rootfull short-names are stored in /var/cache/containers/short-name-aliases.conf. Rootless short-names are stored in the $HOME/.cache/containers/short-name-aliases.conf file. +default list unqualified registries defined in registries.conf. The user's selection is then stored in a cache file to be used in all future short-name expansions. Rootful short-names are stored in /var/cache/containers/short-name-aliases.conf. Rootless short-names are stored in the $HOME/.cache/containers/short-name-aliases.conf file. For more information on short-names, see `containers-registries.conf(5)` diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 578acf379..9d9394020 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -730,7 +730,7 @@ Set the network mode for the container. Invalid if using **--dns**, **--dns-opt* Valid _mode_ values are: -- **bridge[:OPTIONS,...]**: Create a network stack on the default bridge. This is the default for rootfull containers. It is possible to specify these additional options: +- **bridge[:OPTIONS,...]**: Create a network stack on the default bridge. This is the default for rootful containers. It is possible to specify these additional options: - **alias=name**: Add network-scoped alias for the container. - **ip=IPv4**: Specify a static ipv4 address for this container. - **ip=IPv6**: Specify a static ipv6 address for this container. @@ -743,7 +743,7 @@ Valid _mode_ values are: - **container:**_id_: Reuse another container's network stack. - **host**: Do not create a network namespace, the container will use the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. - **ns:**_path_: Path to a network namespace to join. -- **private**: Create a new namespace for the container. This will use the **bridge** mode for rootfull containers and **slirp4netns** for rootless ones. +- **private**: Create a new namespace for the container. This will use the **bridge** mode for rootful containers and **slirp4netns** for rootless ones. - **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options, they can also be set with `network_cmd_options` in containers.conf: - **allow_host_loopback=true|false**: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`). Default is false. - **mtu=MTU**: Specify the MTU to use for this network. (Default is `65520`). @@ -1185,8 +1185,8 @@ option conflicts with the **--userns** and **--subuidname** options. This option provides a way to map host UIDs to container UIDs. It can be passed several times to map different ranges. -The _from_uid_ value is based upon the user running the command, either rootfull or rootless users. -* rootfull user: *container_uid*:*host_uid*:*amount* +The _from_uid_ value is based upon the user running the command, either rootful or rootless users. +* rootful user: *container_uid*:*host_uid*:*amount* * rootless user: *container_uid*:*intermediate_uid*:*amount* When **podman run** is called by a privileged user, the option **--uidmap** diff --git a/docs/source/markdown/podman-system-service.1.md b/docs/source/markdown/podman-system-service.1.md index 678f08a20..176d73eda 100644 --- a/docs/source/markdown/podman-system-service.1.md +++ b/docs/source/markdown/podman-system-service.1.md @@ -9,7 +9,7 @@ podman\-system\-service - Run an API service ## DESCRIPTION The **podman system service** command creates a listening service that will answer API calls for Podman. You may optionally provide an endpoint for the API in URI form. For example, *unix:///tmp/foobar.sock* or *tcp:localhost:8080*. -If no endpoint is provided, defaults will be used. The default endpoint for a rootfull +If no endpoint is provided, defaults will be used. The default endpoint for a rootful service is *unix:///run/podman/podman.sock* and rootless is *unix://$XDG_RUNTIME_DIR/podman/podman.sock* (for example *unix:///run/user/1000/podman/podman.sock*) diff --git a/docs/source/markdown/podman.1.md b/docs/source/markdown/podman.1.md index aad12c584..3d1578ea1 100644 --- a/docs/source/markdown/podman.1.md +++ b/docs/source/markdown/podman.1.md @@ -193,6 +193,10 @@ Some example URL values in valid formats: Print the version +#### **--volumepath**=*value* + +Volume directory where builtin volume information is stored (default: "/var/lib/containers/storage/volumes" for UID 0, "$HOME/.local/share/containers/storage/volumes" for other users). Default volume path can be overridden in `containers.conf`. + ## Environment Variables Podman can set up environment variables from env of [engine] table in containers.conf. These variables can be overridden by passing environment variables before the `podman` commands. diff --git a/docs/tutorials/basic_networking.md b/docs/tutorials/basic_networking.md index e341df531..396994596 100644 --- a/docs/tutorials/basic_networking.md +++ b/docs/tutorials/basic_networking.md @@ -7,15 +7,15 @@ It seems once people master the basics of containers, networking is one of the first aspects they begin experimenting with. And regarding networking, it takes very little experimentation before ending up on the deep end of the pool. The following -guide shows the most common network setups for Podman rootfull and rootless containers. +guide shows the most common network setups for Podman rootful and rootless containers. Each setup is supported with an example. -## Differences between rootfull and rootless container networking +## Differences between rootful and rootless container networking One of the guiding factors on networking for containers with Podman is going to be whether or not the container is run by a root user or not. This is because unprivileged -users cannot create networking interfaces on the host. Therefore, with rootfull +users cannot create networking interfaces on the host. Therefore, with rootful containers, the default networking mode is to use netavark. For rootless, the default network mode is slirp4netns. Because of the limited privileges, slirp4netns lacks some of @@ -32,13 +32,13 @@ ports being opened automatically due to running a container with a port mapping example). If container traffic does not seem to work properly, check the firewall and allow traffic on ports the container is using. A common problem is that reloading the firewall deletes the cni iptables rules resulting in a loss of -network connectivity for rootfull containers. Podman v3 provides the podman +network connectivity for rootful containers. Podman v3 provides the podman network reload command to restore this without having to restart the container. ## Basic Network Setups Most containers and pods being run with Podman adhere to a couple of simple scenarios. -By default, rootfull Podman will create a bridged network. This is the most straightforward +By default, rootful Podman will create a bridged network. This is the most straightforward and preferred network setup for Podman. Bridge networking creates an interface for the container on an internal bridge network, which is then connected to the internet via Network Address Translation(NAT). We also see users wanting to use `macvlan` @@ -79,7 +79,7 @@ command. Containers can be joined to a network when they are created with the As mentioned earlier, slirp4netns is the default network configuration for rootless users. But as of Podman version 4.0, rootless users can also use netavark. -The user experience of rootless netavark is very akin to a rootfull netavark, except that +The user experience of rootless netavark is very akin to a rootful netavark, except that there is no default network configuration provided. You simply need to create a network, and the one will be created as a bridge network. If you would like to switch from CNI networking to netvaark, you must issue the `podman system reset --force` command. @@ -95,17 +95,17 @@ will be executed inside an extra network namespace. To join this namespace, use #### Example -By default, rootfull containers use the netavark for its default network if +By default, rootful containers use the netavark for its default network if you have not migrated from Podman v3. In this case, no network name must be passed to Podman. However, you can create additional bridged networks with the podman create command. The following example shows how to set up a web server and expose it to the network -outside the host as both rootfull and rootless. It will also show how an outside +outside the host as both rootful and rootless. It will also show how an outside client can connect to the container. ``` -(rootfull) $ sudo podman run -dt --name webserver -p 8080:80 quay.io/libpod/banner +(rootful) $ sudo podman run -dt --name webserver -p 8080:80 quay.io/libpod/banner 00f3440c7576aae2d5b193c40513c29c7964e96bf797cf0cc352c2b68ccbe66a ``` @@ -120,7 +120,7 @@ how the host and container ports can be mapped for external access. The port co very well have been 80 as well (except for rootless users). To connect from an outside client to the webserver, simply point an HTTP client to -the host’s IP address at port 8080 for rootfull and port 8081 for rootless. +the host’s IP address at port 8080 for rootful and port 8081 for rootless. ``` (outside_host): $ curl 192.168.99.109:8080 ___ __ @@ -8,7 +8,7 @@ require ( github.com/buger/goterm v1.0.4 github.com/checkpoint-restore/checkpointctl v0.0.0-20220321135231-33f4a66335f0 github.com/checkpoint-restore/go-criu/v5 v5.3.0 - github.com/container-orchestrated-devices/container-device-interface v0.3.2 + github.com/container-orchestrated-devices/container-device-interface v0.4.0 github.com/containernetworking/cni v1.0.1 github.com/containernetworking/plugins v1.1.1 github.com/containers/buildah v1.25.2-0.20220406205807-5b8e79118057 @@ -29,7 +29,7 @@ require ( github.com/docker/go-plugins-helpers v0.0.0-20211224144127-6eecb7beb651 github.com/docker/go-units v0.4.0 github.com/dtylman/scp v0.0.0-20181017070807-f3000a34aef4 - github.com/fsnotify/fsnotify v1.5.2 + github.com/fsnotify/fsnotify v1.5.3 github.com/ghodss/yaml v1.0.0 github.com/godbus/dbus/v5 v5.1.0 github.com/google/gofuzz v1.2.0 @@ -245,8 +245,8 @@ github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:z github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI= -github.com/container-orchestrated-devices/container-device-interface v0.3.2 h1:vZVaQwmFFddi7Y9mJgQTLPFxTWg81+OIHEMu/Th1wuw= -github.com/container-orchestrated-devices/container-device-interface v0.3.2/go.mod h1:E1zcucIkq9P3eyNmY+68dBQsTcsXJh9cgRo2IVNScKQ= +github.com/container-orchestrated-devices/container-device-interface v0.4.0 h1:b/mROkfDr1W8fJ25T66iVheHFnWixgyxTOSbO8i7jp4= +github.com/container-orchestrated-devices/container-device-interface v0.4.0/go.mod h1:E1zcucIkq9P3eyNmY+68dBQsTcsXJh9cgRo2IVNScKQ= github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE= github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU= github.com/containerd/aufs v0.0.0-20210316121734-20793ff83c97/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU= @@ -513,8 +513,8 @@ github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= -github.com/fsnotify/fsnotify v1.5.2 h1:M+aHumjFDOySyAjWICQHrDfuizRTP7nzkRHxXfyRP68= -github.com/fsnotify/fsnotify v1.5.2/go.mod h1:VKyWoa5earkjWzuYFJOy3s0DLrlWgSh5nf5hjFuJcAw= +github.com/fsnotify/fsnotify v1.5.3 h1:vNFpj2z7YIbwh2bw7x35sqYpp2wfuq+pivKbWG09B8c= +github.com/fsnotify/fsnotify v1.5.3/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= github.com/fsouza/go-dockerclient v1.7.7/go.mod h1:njNCXvoZj3sLPjf3yO0DPHf1mdLdCPDYPc14GskKA4Y= github.com/fsouza/go-dockerclient v1.7.10 h1:KIda66AP88BWQpyg+8ve9LQmn1ZZ/usCbmxeBoMth3U= github.com/fsouza/go-dockerclient v1.7.10/go.mod h1:rdD3Eq3rHwMA8p/xrn+gLb+3ov7uRJGVkV1HsUFY39A= diff --git a/libpod/container_exec.go b/libpod/container_exec.go index 140267f28..d782bebf8 100644 --- a/libpod/container_exec.go +++ b/libpod/container_exec.go @@ -79,11 +79,11 @@ type ExecConfig struct { type ExecSession struct { // Id is the ID of the exec session. // Named somewhat strangely to not conflict with ID(). - // nolint:stylecheck,golint + // nolint:stylecheck,revive Id string `json:"id"` // ContainerId is the ID of the container this exec session belongs to. // Named somewhat strangely to not conflict with ContainerID(). - // nolint:stylecheck,golint + // nolint:stylecheck,revive ContainerId string `json:"containerId"` // State is the state of the exec session. diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 6c0d51df3..5c6719bdf 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -266,7 +266,7 @@ func (c *Container) handleRestartPolicy(ctx context.Context) (_ bool, retErr err if c.ensureState(define.ContainerStateRunning, define.ContainerStatePaused) { return false, nil } else if c.state.State == define.ContainerStateUnknown { - return false, errors.Wrapf(define.ErrInternal, "invalid container state encountered in restart attempt!") + return false, errors.Wrapf(define.ErrInternal, "invalid container state encountered in restart attempt") } c.newContainerEvent(events.Restart) diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index 63ef26bfc..9f8b7c686 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -3134,7 +3134,7 @@ func (c *Container) getOCICgroupPath() (string, error) { } func (c *Container) copyTimezoneFile(zonePath string) (string, error) { - var localtimeCopy string = filepath.Join(c.state.RunDir, "localtime") + localtimeCopy := filepath.Join(c.state.RunDir, "localtime") file, err := os.Stat(zonePath) if err != nil { return "", err diff --git a/libpod/kube.go b/libpod/kube.go index 22fbb5f9f..eb62643fe 100644 --- a/libpod/kube.go +++ b/libpod/kube.go @@ -213,7 +213,7 @@ type YAMLContainer struct { func ConvertV1PodToYAMLPod(pod *v1.Pod) *YAMLPod { cs := []*YAMLContainer{} for _, cc := range pod.Spec.Containers { - var res *v1.ResourceRequirements = nil + var res *v1.ResourceRequirements if len(cc.Resources.Limits) > 0 || len(cc.Resources.Requests) > 0 { res = &cc.Resources } @@ -525,9 +525,9 @@ func simplePodWithV1Containers(ctx context.Context, ctrs []*Container) (*v1.Pod, } podName := strings.ReplaceAll(ctrs[0].Name(), "_", "") // Check if the pod name and container name will end up conflicting - // Append _pod if so + // Append -pod if so if util.StringInSlice(podName, ctrNames) { - podName = podName + "_pod" + podName = podName + "-pod" } return newPodObject( diff --git a/libpod/lock/in_memory_locks.go b/libpod/lock/in_memory_locks.go index f3c842f89..f7f47760c 100644 --- a/libpod/lock/in_memory_locks.go +++ b/libpod/lock/in_memory_locks.go @@ -49,7 +49,7 @@ type InMemoryManager struct { // of locks. func NewInMemoryManager(numLocks uint32) (Manager, error) { if numLocks == 0 { - return nil, errors.Errorf("must provide a non-zero number of locks!") + return nil, errors.Errorf("must provide a non-zero number of locks") } manager := new(InMemoryManager) diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go index 937dc4fae..3cfe19517 100644 --- a/libpod/networking_linux.go +++ b/libpod/networking_linux.go @@ -5,7 +5,7 @@ package libpod import ( "crypto/rand" - "crypto/sha1" + "crypto/sha256" "fmt" "io/ioutil" "net" @@ -402,7 +402,7 @@ func (r *Runtime) GetRootlessNetNs(new bool) (*RootlessNetNS, error) { // the cleanup will check if there are running containers // if you run a several libpod instances with different root/runroot directories this check will fail // we want one netns for each libpod static dir so we use the hash to prevent name collisions - hash := sha1.Sum([]byte(r.config.Engine.StaticDir)) + hash := sha256.Sum256([]byte(r.config.Engine.StaticDir)) netnsName := fmt.Sprintf("%s-%x", rootlessNetNsName, hash[:10]) path := filepath.Join(nsDir, netnsName) diff --git a/libpod/networking_slirp4netns.go b/libpod/networking_slirp4netns.go index 4b1203dc3..4a0ef0b3a 100644 --- a/libpod/networking_slirp4netns.go +++ b/libpod/networking_slirp4netns.go @@ -210,7 +210,7 @@ func createBasicSlirp4netnsCmdArgs(options *slirp4netnsNetworkOptions, features return cmdArgs, nil } -// setupSlirp4netns can be called in rootfull as well as in rootless +// setupSlirp4netns can be called in rootful as well as in rootless func (r *Runtime) setupSlirp4netns(ctr *Container, netns ns.NetNS) error { path := r.config.Engine.NetworkCmdPath if path == "" { diff --git a/pkg/api/handlers/compat/containers_archive.go b/pkg/api/handlers/compat/containers_archive.go index f2ff4d100..45b13818b 100644 --- a/pkg/api/handlers/compat/containers_archive.go +++ b/pkg/api/handlers/compat/containers_archive.go @@ -2,7 +2,6 @@ package compat import ( "encoding/json" - "fmt" "net/http" "os" @@ -28,7 +27,7 @@ func Archive(w http.ResponseWriter, r *http.Request) { case http.MethodHead, http.MethodGet: handleHeadAndGet(w, r, decoder, runtime) default: - utils.Error(w, http.StatusNotImplemented, errors.New(fmt.Sprintf("unsupported method: %v", r.Method))) + utils.Error(w, http.StatusNotImplemented, errors.Errorf("unsupported method: %v", r.Method)) } } diff --git a/pkg/api/handlers/libpod/containers_create.go b/pkg/api/handlers/libpod/containers_create.go index 1043dec4d..4fff9e345 100644 --- a/pkg/api/handlers/libpod/containers_create.go +++ b/pkg/api/handlers/libpod/containers_create.go @@ -45,7 +45,7 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) { // need to check for memory limit to adjust swap if sg.ResourceLimits != nil && sg.ResourceLimits.Memory != nil { s := "" - var l int64 = 0 + var l int64 if sg.ResourceLimits.Memory.Swap != nil { s = strconv.Itoa(int(*sg.ResourceLimits.Memory.Swap)) } diff --git a/pkg/bindings/README.md b/pkg/bindings/README.md index 713adb104..ebc8a13d1 100644 --- a/pkg/bindings/README.md +++ b/pkg/bindings/README.md @@ -9,7 +9,7 @@ The bindings require that the Podman system service is running for the specified by calling the service directly. ### Starting the service with system -The command to start the Podman service differs slightly depending on the user that is running the service. For a rootfull service, +The command to start the Podman service differs slightly depending on the user that is running the service. For a rootful service, start the service like this: ``` # systemctl start podman.socket @@ -26,7 +26,7 @@ It can be handy to run the system service manually. Doing so allows you to enab $ podman --log-level=debug system service -t0 ``` If you do not provide a specific path for the socket, a default is provided. The location of that socket for -rootfull connections is `/run/podman/podman.sock` and for rootless it is `/run/USERID#/podman/podman.sock`. For more +rootful connections is `/run/podman/podman.sock` and for rootless it is `/run/USERID#/podman/podman.sock`. For more information about the Podman system service, see `man podman-system-service`. ### Creating a connection @@ -35,7 +35,7 @@ as they will be required to compile a Go program making use of the bindings. The first step for using the bindings is to create a connection to the socket. As mentioned earlier, the destination -of the socket depends on the user who owns it. In this case, a rootfull connection is made. +of the socket depends on the user who owns it. In this case, a rootful connection is made. ``` import ( @@ -59,7 +59,7 @@ The `conn` variable returned from the `bindings.NewConnection` function can then to interact with containers. ### Examples -The following examples build upon the connection example from above. They are all rootfull connections as well. +The following examples build upon the connection example from above. They are all rootful connections as well. Note: Optional arguments to the bindings methods are set using With*() methods on *Option structures. Composite types are not duplicated rather the address is used. As such, you should not change an underlying diff --git a/pkg/bindings/connection.go b/pkg/bindings/connection.go index 36e47e5ed..3739ec404 100644 --- a/pkg/bindings/connection.go +++ b/pkg/bindings/connection.go @@ -289,7 +289,7 @@ func sshClient(_url *url.URL, secure bool, passPhrase string, identity string) ( }, ) if err != nil { - return Connection{}, errors.Wrapf(err, "Connection to bastion host (%s) failed.", _url.String()) + return Connection{}, errors.Wrapf(err, "connection to bastion host (%s) failed", _url.String()) } connection := Connection{URI: _url} diff --git a/pkg/bindings/test/common_test.go b/pkg/bindings/test/common_test.go index f2602967b..950fd21e6 100644 --- a/pkg/bindings/test/common_test.go +++ b/pkg/bindings/test/common_test.go @@ -51,7 +51,7 @@ var ( shortName: "busybox", tarballName: "busybox.tar", } - CACHE_IMAGES = []testImage{alpine, busybox} //nolint:golint,stylecheck + CACHE_IMAGES = []testImage{alpine, busybox} //nolint:revive,stylecheck ) type bindingTest struct { diff --git a/pkg/domain/entities/network.go b/pkg/domain/entities/network.go index a057640b3..134ad126a 100644 --- a/pkg/domain/entities/network.go +++ b/pkg/domain/entities/network.go @@ -22,7 +22,7 @@ type NetworkReloadOptions struct { // NetworkReloadReport describes the results of reloading a container network. type NetworkReloadReport struct { - // nolint:stylecheck,golint + // nolint:stylecheck,revive Id string Err error } diff --git a/pkg/domain/filters/containers.go b/pkg/domain/filters/containers.go index 4c6964a00..3e5b9cad9 100644 --- a/pkg/domain/filters/containers.go +++ b/pkg/domain/filters/containers.go @@ -52,8 +52,8 @@ func GenerateContainerFilterFuncs(filter string, filterValues []string, r *libpo }, nil case "status": for _, filterValue := range filterValues { - if !util.StringInSlice(filterValue, []string{"created", "running", "paused", "stopped", "exited", "unknown"}) { - return nil, errors.Errorf("%s is not a valid status", filterValue) + if _, err := define.StringToContainerStatus(filterValue); err != nil { + return nil, err } } return func(c *libpod.Container) bool { @@ -270,7 +270,7 @@ func GenerateContainerFilterFuncs(filter string, filterValues []string, r *libpo invalidPolicyNames = append(invalidPolicyNames, policy) } } - var filterValueError error = nil + var filterValueError error if len(invalidPolicyNames) > 0 { errPrefix := "invalid restart policy" if len(invalidPolicyNames) > 1 { diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go index 43440b594..74478b26d 100644 --- a/pkg/domain/infra/abi/images.go +++ b/pkg/domain/infra/abi/images.go @@ -367,7 +367,7 @@ func (ir *ImageEngine) Transfer(ctx context.Context, source entities.ImageScpOpt if rootless.IsRootless() && (len(dest.User) == 0 || dest.User == "root") { // if we are rootless and do not have a destination user we can just use sudo return transferRootless(source, dest, podman, parentFlags) } - return transferRootfull(source, dest, podman, parentFlags) + return transferRootful(source, dest, podman, parentFlags) } func (ir *ImageEngine) Tag(ctx context.Context, nameOrID string, tags []string, options entities.ImageTagOptions) error { @@ -785,8 +785,8 @@ func transferRootless(source entities.ImageScpOptions, dest entities.ImageScpOpt return cmdLoad.Run() } -// transferRootfull creates new podman processes using exec.Command and a new uid/gid alongside a cleared environment -func transferRootfull(source entities.ImageScpOptions, dest entities.ImageScpOptions, podman string, parentFlags []string) error { +// TransferRootful creates new podman processes using exec.Command and a new uid/gid alongside a cleared environment +func transferRootful(source entities.ImageScpOptions, dest entities.ImageScpOptions, podman string, parentFlags []string) error { basicCommand := []string{podman} basicCommand = append(basicCommand, parentFlags...) saveCommand := append(basicCommand, "save") diff --git a/pkg/domain/infra/abi/manifest.go b/pkg/domain/infra/abi/manifest.go index 0e999a019..8b52c335c 100644 --- a/pkg/domain/infra/abi/manifest.go +++ b/pkg/domain/infra/abi/manifest.go @@ -110,6 +110,10 @@ func (ir *ImageEngine) remoteManifestInspect(ctx context.Context, name string) ( if latestErr == nil { latestErr = e } else { + // FIXME should we use multierror package instead? + + // we want the new line here so ignore the linter + //nolint:revive latestErr = errors.Wrapf(latestErr, "tried %v\n", e) } } diff --git a/pkg/domain/infra/abi/trust.go b/pkg/domain/infra/abi/trust.go index df4081349..d53fe16d1 100644 --- a/pkg/domain/infra/abi/trust.go +++ b/pkg/domain/infra/abi/trust.go @@ -84,7 +84,7 @@ func (ir *ImageEngine) SetTrust(ctx context.Context, args []string, options enti policyContentStruct.Default = newReposContent } else { if len(policyContentStruct.Default) == 0 { - return errors.Errorf("Default trust policy must be set.") + return errors.Errorf("default trust policy must be set") } registryExists := false for transport, transportval := range policyContentStruct.Transports { diff --git a/pkg/domain/infra/runtime_libpod.go b/pkg/domain/infra/runtime_libpod.go index 5fdc252e2..ac557e9de 100644 --- a/pkg/domain/infra/runtime_libpod.go +++ b/pkg/domain/infra/runtime_libpod.go @@ -209,6 +209,10 @@ func getRuntime(ctx context.Context, fs *flag.FlagSet, opts *engineOpts) (*libpo options = append(options, libpod.WithEventsLogger(cfg.Engine.EventsLogger)) } + if fs.Changed("volumepath") { + options = append(options, libpod.WithVolumePath(cfg.Engine.VolumePath)) + } + if fs.Changed("cgroup-manager") { options = append(options, libpod.WithCgroupManager(cfg.Engine.CgroupManager)) } else { diff --git a/pkg/k8s.io/api/core/v1/resource.go b/pkg/k8s.io/api/core/v1/resource.go index 9270054b3..2fbb663c7 100644 --- a/pkg/k8s.io/api/core/v1/resource.go +++ b/pkg/k8s.io/api/core/v1/resource.go @@ -26,7 +26,7 @@ func (rn ResourceName) String() string { } // Cpu returns the Cpu limit if specified. -// nolint:golint,stylecheck +//nolint:revive,stylecheck func (rl *ResourceList) Cpu() *resource.Quantity { return rl.Name(ResourceCPU, resource.DecimalSI) } diff --git a/pkg/k8s.io/apimachinery/pkg/api/resource/quantity.go b/pkg/k8s.io/apimachinery/pkg/api/resource/quantity.go index 352cc028f..965d2ccaf 100644 --- a/pkg/k8s.io/apimachinery/pkg/api/resource/quantity.go +++ b/pkg/k8s.io/apimachinery/pkg/api/resource/quantity.go @@ -138,7 +138,7 @@ const ( var ( // Errors that could happen while parsing a string. - // nolint:golint + //nolint:revive ErrFormatWrong = errors.New("quantities must match the regular expression '" + splitREString + "'") ErrNumeric = errors.New("unable to parse numeric part of quantity") ErrSuffix = errors.New("unable to parse quantity's suffix") diff --git a/pkg/machine/config.go b/pkg/machine/config.go index 5dc5f6105..6c2fab0e5 100644 --- a/pkg/machine/config.go +++ b/pkg/machine/config.go @@ -28,7 +28,7 @@ type InitOptions struct { URI url.URL Username string ReExec bool - Rootfull bool + Rootful bool // The numerical userid of the user that called machine UID string } @@ -95,7 +95,7 @@ type ListResponse struct { } type SetOptions struct { - Rootfull bool + Rootful bool } type SSHOptions struct { diff --git a/pkg/machine/fcos.go b/pkg/machine/fcos.go index 88e35dd04..872ca889e 100644 --- a/pkg/machine/fcos.go +++ b/pkg/machine/fcos.go @@ -26,8 +26,8 @@ import ( // These should eventually be moved into machine/qemu as // they are specific to running qemu var ( - artifact string = "qemu" - Format string = "qcow2.xz" + artifact = "qemu" + Format = "qcow2.xz" ) const ( diff --git a/pkg/machine/qemu/config.go b/pkg/machine/qemu/config.go index 6ab25b951..7340de604 100644 --- a/pkg/machine/qemu/config.go +++ b/pkg/machine/qemu/config.go @@ -57,8 +57,8 @@ type MachineVMV1 struct { QMPMonitor Monitorv1 // RemoteUsername of the vm user RemoteUsername string - // Whether this machine should run in a rootfull or rootless manner - Rootfull bool + // Whether this machine should run in a rootful or rootless manner + Rootful bool // UID is the numerical id of the user that called machine UID int } @@ -99,8 +99,8 @@ type ImageConfig struct { // HostUser describes the host user type HostUser struct { - // Whether this machine should run in a rootfull or rootless manner - Rootfull bool + // Whether this machine should run in a rootful or rootless manner + Rootful bool // UID is the numerical id of the user that called machine UID int } @@ -162,7 +162,7 @@ type Monitor struct { var ( // defaultQMPTimeout is the timeout duration for the // qmp monitor interactions. - defaultQMPTimeout time.Duration = 2 * time.Second + defaultQMPTimeout = 2 * time.Second ) // GetPath returns the working path for a machinefile. it returns diff --git a/pkg/machine/qemu/machine.go b/pkg/machine/qemu/machine.go index 4cfd4e8b0..c57fa32fb 100644 --- a/pkg/machine/qemu/machine.go +++ b/pkg/machine/qemu/machine.go @@ -204,7 +204,7 @@ func migrateVM(configPath string, config []byte, vm *MachineVM) error { vm.QMPMonitor = qmpMonitor vm.ReadySocket = readySocket vm.RemoteUsername = old.RemoteUsername - vm.Rootfull = old.Rootfull + vm.Rootful = old.Rootful vm.UID = old.UID // Backup the original config file @@ -258,7 +258,7 @@ func (v *MachineVM) Init(opts machine.InitOptions) (bool, error) { ) sshDir := filepath.Join(homedir.Get(), ".ssh") v.IdentityPath = filepath.Join(sshDir, v.Name) - v.Rootfull = opts.Rootfull + v.Rootful = opts.Rootful switch opts.ImagePath { case Testing, Next, Stable, "": @@ -356,8 +356,8 @@ func (v *MachineVM) Init(opts machine.InitOptions) (bool, error) { names := []string{v.Name, v.Name + "-root"} // The first connection defined when connections is empty will become the default - // regardless of IsDefault, so order according to rootfull - if opts.Rootfull { + // regardless of IsDefault, so order according to rootful + if opts.Rootful { uris[0], names[0], uris[1], names[1] = uris[1], names[1], uris[0], names[0] } @@ -435,7 +435,7 @@ func (v *MachineVM) Init(opts machine.InitOptions) (bool, error) { } func (v *MachineVM) Set(_ string, opts machine.SetOptions) error { - if v.Rootfull == opts.Rootfull { + if v.Rootful == opts.Rootful { return nil } @@ -459,7 +459,7 @@ func (v *MachineVM) Set(_ string, opts machine.SetOptions) error { if changeCon { newDefault := v.Name - if opts.Rootfull { + if opts.Rootful { newDefault += "-root" } if err := machine.ChangeDefault(newDefault); err != nil { @@ -467,7 +467,7 @@ func (v *MachineVM) Set(_ string, opts machine.SetOptions) error { } } - v.Rootfull = opts.Rootfull + v.Rootful = opts.Rootful return v.writeConfig() } @@ -907,7 +907,7 @@ func (v *MachineVM) SSH(_ string, opts machine.SSHOptions) error { return err } if state != machine.Running { - return errors.Errorf("vm %q is not running.", v.Name) + return errors.Errorf("vm %q is not running", v.Name) } username := opts.Username @@ -1117,7 +1117,7 @@ func (v *MachineVM) setupAPIForwarding(cmd []string) ([]string, string, apiForwa destSock := fmt.Sprintf("/run/user/%d/podman/podman.sock", v.UID) forwardUser := "core" - if v.Rootfull { + if v.Rootful { destSock = "/run/podman/podman.sock" forwardUser = "root" } @@ -1323,11 +1323,11 @@ func (v *MachineVM) waitAPIAndPrintInfo(forwardState apiForwardingState, forward } waitAndPingAPI(forwardSock) - if !v.Rootfull { + if !v.Rootful { fmt.Printf("\nThis machine is currently configured in rootless mode. If your containers\n") fmt.Printf("require root permissions (e.g. ports < 1024), or if you run into compatibility\n") fmt.Printf("issues with non-podman clients, you can switch using the following command: \n") - fmt.Printf("\n\tpodman machine set --rootfull%s\n\n", suffix) + fmt.Printf("\n\tpodman machine set --rootful%s\n\n", suffix) } fmt.Printf("API forwarding listening on: %s\n", forwardSock) diff --git a/pkg/machine/wsl/machine.go b/pkg/machine/wsl/machine.go index dc3f33fa7..dff7bfef9 100644 --- a/pkg/machine/wsl/machine.go +++ b/pkg/machine/wsl/machine.go @@ -165,8 +165,8 @@ type MachineVM struct { Port int // RemoteUsername of the vm user RemoteUsername string - // Whether this machine should run in a rootfull or rootless manner - Rootfull bool + // Whether this machine should run in a rootful or rootless manner + Rootful bool } type ExitCodeError struct { @@ -232,7 +232,7 @@ func (v *MachineVM) Init(opts machine.InitOptions) (bool, error) { homeDir := homedir.Get() sshDir := filepath.Join(homeDir, ".ssh") v.IdentityPath = filepath.Join(sshDir, v.Name) - v.Rootfull = opts.Rootfull + v.Rootful = opts.Rootful if err := downloadDistro(v, opts); err != nil { return false, err @@ -316,8 +316,8 @@ func setupConnections(v *MachineVM, opts machine.InitOptions, sshDir string) err names := []string{v.Name, v.Name + "-root"} // The first connection defined when connections is empty will become the default - // regardless of IsDefault, so order according to rootfull - if opts.Rootfull { + // regardless of IsDefault, so order according to rootful + if opts.Rootful { uris[0], names[0], uris[1], names[1] = uris[1], names[1], uris[0], names[0] } @@ -733,7 +733,7 @@ func pipeCmdPassThrough(name string, input string, arg ...string) error { } func (v *MachineVM) Set(name string, opts machine.SetOptions) error { - if v.Rootfull == opts.Rootfull { + if v.Rootful == opts.Rootful { return nil } @@ -744,7 +744,7 @@ func (v *MachineVM) Set(name string, opts machine.SetOptions) error { if changeCon { newDefault := v.Name - if opts.Rootfull { + if opts.Rootful { newDefault += "-root" } if err := machine.ChangeDefault(newDefault); err != nil { @@ -752,7 +752,7 @@ func (v *MachineVM) Set(name string, opts machine.SetOptions) error { } } - v.Rootfull = opts.Rootfull + v.Rootful = opts.Rootful return v.writeConfig() } @@ -768,7 +768,7 @@ func (v *MachineVM) Start(name string, _ machine.StartOptions) error { return errors.Wrap(err, "WSL bootstrap script failed") } - if !v.Rootfull { + if !v.Rootful { fmt.Printf("\nThis machine is currently configured in rootless mode. If your containers\n") fmt.Printf("require root permissions (e.g. ports < 1024), or if you run into compatibility\n") fmt.Printf("issues with non-podman clients, you can switch using the following command: \n") @@ -777,7 +777,7 @@ func (v *MachineVM) Start(name string, _ machine.StartOptions) error { if name != machine.DefaultMachineName { suffix = " " + name } - fmt.Printf("\n\tpodman machine set --rootfull%s\n\n", suffix) + fmt.Printf("\n\tpodman machine set --rootful%s\n\n", suffix) } globalName, pipeName, err := launchWinProxy(v) @@ -833,7 +833,7 @@ func launchWinProxy(v *MachineVM) (bool, string, error) { destSock := "/run/user/1000/podman/podman.sock" forwardUser := v.RemoteUsername - if v.Rootfull { + if v.Rootful { destSock = "/run/podman/podman.sock" forwardUser = "root" } diff --git a/pkg/specgen/generate/kube/seccomp.go b/pkg/specgen/generate/kube/seccomp.go index 1e681e977..8f93b34ff 100644 --- a/pkg/specgen/generate/kube/seccomp.go +++ b/pkg/specgen/generate/kube/seccomp.go @@ -11,7 +11,7 @@ import ( // KubeSeccompPaths holds information about a pod YAML's seccomp configuration // it holds both container and pod seccomp paths -// nolint:golint +//nolint:revive type KubeSeccompPaths struct { containerPaths map[string]string podPath string diff --git a/pkg/specgen/generate/kube/volume.go b/pkg/specgen/generate/kube/volume.go index 987f11569..27881e77a 100644 --- a/pkg/specgen/generate/kube/volume.go +++ b/pkg/specgen/generate/kube/volume.go @@ -17,7 +17,7 @@ const ( kubeFilePermission = 0644 ) -// nolint:golint +//nolint:revive type KubeVolumeType int const ( @@ -26,7 +26,7 @@ const ( KubeVolumeTypeConfigMap KubeVolumeType = iota ) -// nolint:golint +//nolint:revive type KubeVolume struct { // Type of volume to create Type KubeVolumeType diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go index eaf2daad9..7a7ca2706 100644 --- a/pkg/specgen/namespaces.go +++ b/pkg/specgen/namespaces.go @@ -231,14 +231,14 @@ func ParseNamespace(ns string) (Namespace, error) { case strings.HasPrefix(ns, "ns:"): split := strings.SplitN(ns, ":", 2) if len(split) != 2 { - return toReturn, errors.Errorf("must provide a path to a namespace when specifying ns:") + return toReturn, errors.Errorf("must provide a path to a namespace when specifying \"ns:\"") } toReturn.NSMode = Path toReturn.Value = split[1] case strings.HasPrefix(ns, "container:"): split := strings.SplitN(ns, ":", 2) if len(split) != 2 { - return toReturn, errors.Errorf("must provide name or ID or a container when specifying container:") + return toReturn, errors.Errorf("must provide name or ID or a container when specifying \"container:\"") } toReturn.NSMode = FromContainer toReturn.Value = split[1] @@ -349,14 +349,14 @@ func ParseNetworkNamespace(ns string, rootlessDefaultCNI bool) (Namespace, map[s case strings.HasPrefix(ns, "ns:"): split := strings.SplitN(ns, ":", 2) if len(split) != 2 { - return toReturn, nil, errors.Errorf("must provide a path to a namespace when specifying ns:") + return toReturn, nil, errors.Errorf("must provide a path to a namespace when specifying \"ns:\"") } toReturn.NSMode = Path toReturn.Value = split[1] case strings.HasPrefix(ns, string(FromContainer)+":"): split := strings.SplitN(ns, ":", 2) if len(split) != 2 { - return toReturn, nil, errors.Errorf("must provide name or ID or a container when specifying container:") + return toReturn, nil, errors.Errorf("must provide name or ID or a container when specifying \"container:\"") } toReturn.NSMode = FromContainer toReturn.Value = split[1] @@ -427,14 +427,14 @@ func ParseNetworkFlag(networks []string) (Namespace, map[string]types.PerNetwork case strings.HasPrefix(ns, "ns:"): split := strings.SplitN(ns, ":", 2) if len(split) != 2 { - return toReturn, nil, nil, errors.Errorf("must provide a path to a namespace when specifying ns:") + return toReturn, nil, nil, errors.Errorf("must provide a path to a namespace when specifying \"ns:\"") } toReturn.NSMode = Path toReturn.Value = split[1] case strings.HasPrefix(ns, string(FromContainer)+":"): split := strings.SplitN(ns, ":", 2) if len(split) != 2 { - return toReturn, nil, nil, errors.Errorf("must provide name or ID or a container when specifying container:") + return toReturn, nil, nil, errors.Errorf("must provide name or ID or a container when specifying \"container:\"") } toReturn.NSMode = FromContainer toReturn.Value = split[1] diff --git a/pkg/specgenutil/util.go b/pkg/specgenutil/util.go index 80d31398b..fa2e90457 100644 --- a/pkg/specgenutil/util.go +++ b/pkg/specgenutil/util.go @@ -281,6 +281,7 @@ func CreateExitCommandArgs(storageConfig storageTypes.StoreOptions, config *conf "--tmpdir", config.Engine.TmpDir, "--network-config-dir", config.Network.NetworkConfigDir, "--network-backend", config.Network.NetworkBackend, + "--volumepath", config.Engine.VolumePath, } if config.Engine.OCIRuntime != "" { command = append(command, []string{"--runtime", config.Engine.OCIRuntime}...) diff --git a/rootless.md b/rootless.md index d485290f2..39c961d2a 100644 --- a/rootless.md +++ b/rootless.md @@ -18,7 +18,7 @@ can easily fail * Some system unit configuration options do not work in the rootless container * systemd fails to apply several options and failures are silently ignored (e.g. CPUShares, MemoryLimit). Should work on cgroup V2. * Use of certain options will cause service startup failures (e.g. PrivateNetwork). The systemd services requiring `PrivateNetwork` can be made to work by passing `--cap-add SYS_ADMIN`, but the security implications should be carefully evaluated. In most cases, it's better to create an override.conf drop-in that sets `PrivateNetwork=no`. This also applies to containers run by root. -* Can not share container images with CRI-O or other rootfull users +* Can not share container images with CRI-O or other rootful users * Difficult to use additional stores for sharing content * Does not work on NFS or parallel filesystem homedirs (e.g. [GPFS](https://www.ibm.com/support/knowledgecenter/en/SSFKCN/gpfs_welcome.html)) * NFS and parallel filesystems enforce file creation on different UIDs on the server side and does not understand User Namespace. diff --git a/test/apiv2/20-containers.at b/test/apiv2/20-containers.at index 2d5754077..7a38dfea0 100644 --- a/test/apiv2/20-containers.at +++ b/test/apiv2/20-containers.at @@ -321,7 +321,11 @@ t GET containers/json?filters='garb1age}' 500 \ t GET containers/json?filters='{"label":["testl' 500 \ .cause="unexpected end of JSON input" + #libpod api list containers sanity checks +t GET libpod/containers/json?filters='{"status":["removing"]}' 200 length=0 +t GET libpod/containers/json?filters='{"status":["bogus"]}' 500 \ + .cause="invalid argument" t GET libpod/containers/json?filters='garb1age}' 500 \ .cause="invalid character 'g' looking for beginning of value" t GET libpod/containers/json?filters='{"label":["testl' 500 \ diff --git a/test/apiv2/python/rest_api/fixtures/podman.py b/test/apiv2/python/rest_api/fixtures/podman.py index c700571b9..f2db6f498 100644 --- a/test/apiv2/python/rest_api/fixtures/podman.py +++ b/test/apiv2/python/rest_api/fixtures/podman.py @@ -20,10 +20,6 @@ class Podman: cgroupfs = os.getenv("CGROUP_MANAGER", "systemd") self.cmd.append(f"--cgroup-manager={cgroupfs}") - if os.getenv("DEBUG"): - self.cmd.append("--log-level=debug") - self.cmd.append("--syslog=true") - self.anchor_directory = tempfile.mkdtemp(prefix="podman_restapi_") self.cmd.append("--root=" + os.path.join(self.anchor_directory, "crio")) self.cmd.append("--runroot=" + os.path.join(self.anchor_directory, "crio-run")) diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go index c5cdd2c1d..766f39964 100644 --- a/test/e2e/common_test.go +++ b/test/e2e/common_test.go @@ -35,12 +35,12 @@ import ( var ( //lint:ignore ST1003 - PODMAN_BINARY string //nolint:golint,stylecheck - INTEGRATION_ROOT string //nolint:golint,stylecheck - CGROUP_MANAGER = "systemd" //nolint:golint,stylecheck - RESTORE_IMAGES = []string{ALPINE, BB, nginx} //nolint:golint,stylecheck + PODMAN_BINARY string //nolint:revive,stylecheck + INTEGRATION_ROOT string //nolint:revive,stylecheck + CGROUP_MANAGER = "systemd" //nolint:revive,stylecheck + RESTORE_IMAGES = []string{ALPINE, BB, nginx} //nolint:revive,stylecheck defaultWaitTimeout = 90 - CGROUPSV2, _ = cgroups.IsCgroup2UnifiedMode() //nolint:golint,stylecheck + CGROUPSV2, _ = cgroups.IsCgroup2UnifiedMode() //nolint:revive,stylecheck ) // PodmanTestIntegration struct for command line options diff --git a/test/e2e/config_amd64.go b/test/e2e/config_amd64.go index 9293fdd44..c4cb97b2e 100644 --- a/test/e2e/config_amd64.go +++ b/test/e2e/config_amd64.go @@ -1,16 +1,16 @@ package integration var ( - STORAGE_FS = "vfs" //nolint:golint,stylecheck - STORAGE_OPTIONS = "--storage-driver vfs" //nolint:golint,stylecheck - ROOTLESS_STORAGE_FS = "vfs" //nolint:golint,stylecheck - ROOTLESS_STORAGE_OPTIONS = "--storage-driver vfs" //nolint:golint,stylecheck - CACHE_IMAGES = []string{ALPINE, BB, fedoraMinimal, nginx, redis, registry, infra, labels, healthcheck, UBI_INIT, UBI_MINIMAL, fedoraToolbox} //nolint:golint,stylecheck + STORAGE_FS = "vfs" //nolint:revive,stylecheck + STORAGE_OPTIONS = "--storage-driver vfs" //nolint:revive,stylecheck + ROOTLESS_STORAGE_FS = "vfs" //nolint:revive,stylecheck + ROOTLESS_STORAGE_OPTIONS = "--storage-driver vfs" //nolint:revive,stylecheck + CACHE_IMAGES = []string{ALPINE, BB, fedoraMinimal, nginx, redis, registry, infra, labels, healthcheck, UBI_INIT, UBI_MINIMAL, fedoraToolbox} //nolint:revive,stylecheck nginx = "quay.io/libpod/alpine_nginx:latest" - BB_GLIBC = "docker.io/library/busybox:glibc" //nolint:golint,stylecheck + BB_GLIBC = "docker.io/library/busybox:glibc" //nolint:revive,stylecheck registry = "quay.io/libpod/registry:2.6" labels = "quay.io/libpod/alpine_labels:latest" - UBI_MINIMAL = "registry.access.redhat.com/ubi8-minimal" //nolint:golint,stylecheck - UBI_INIT = "registry.access.redhat.com/ubi8-init" //nolint:golint,stylecheck + UBI_MINIMAL = "registry.access.redhat.com/ubi8-minimal" //nolint:revive,stylecheck + UBI_INIT = "registry.access.redhat.com/ubi8-init" //nolint:revive,stylecheck cirros = "quay.io/libpod/cirros:latest" ) diff --git a/test/e2e/exec_test.go b/test/e2e/exec_test.go index 4cfaa9a2e..3987746d0 100644 --- a/test/e2e/exec_test.go +++ b/test/e2e/exec_test.go @@ -123,7 +123,7 @@ var _ = Describe("Podman exec", func() { }) It("podman exec in keep-id container drops privileges", func() { - SkipIfNotRootless("This function is not enabled for rootfull podman") + SkipIfNotRootless("This function is not enabled for rootful podman") ctrName := "testctr1" testCtr := podmanTest.Podman([]string{"run", "-d", "--name", ctrName, "--userns=keep-id", ALPINE, "top"}) testCtr.WaitWithDefaultTimeout() diff --git a/test/e2e/generate_kube_test.go b/test/e2e/generate_kube_test.go index 44c906eed..9c99c3d93 100644 --- a/test/e2e/generate_kube_test.go +++ b/test/e2e/generate_kube_test.go @@ -71,7 +71,7 @@ var _ = Describe("Podman generate kube", func() { Expect(pod.Spec.DNSConfig).To(BeNil()) Expect(pod.Spec.Containers[0].WorkingDir).To(Equal("")) Expect(pod.Spec.Containers[0].Env).To(BeNil()) - Expect(pod.Name).To(Equal("top_pod")) + Expect(pod.Name).To(Equal("top-pod")) numContainers := 0 for range pod.Spec.Containers { diff --git a/test/e2e/mount_rootless_test.go b/test/e2e/mount_rootless_test.go index 830c2dcda..30d7ce8a9 100644 --- a/test/e2e/mount_rootless_test.go +++ b/test/e2e/mount_rootless_test.go @@ -17,7 +17,7 @@ var _ = Describe("Podman mount", func() { ) BeforeEach(func() { - SkipIfNotRootless("This function is not enabled for rootfull podman") + SkipIfNotRootless("This function is not enabled for rootful podman") SkipIfRemote("Podman mount not supported for remote connections") tempdir, err = CreateTempDirInTempDir() if err != nil { diff --git a/test/e2e/network_test.go b/test/e2e/network_test.go index a7981a4d8..89a9005f5 100644 --- a/test/e2e/network_test.go +++ b/test/e2e/network_test.go @@ -254,7 +254,7 @@ var _ = Describe("Podman network", func() { expectedNetworks := []string{name} if !rootless.IsRootless() { - // rootfull image contains "podman/cni/87-podman-bridge.conflist" for "podman" network + // rootful image contains "podman/cni/87-podman-bridge.conflist" for "podman" network expectedNetworks = append(expectedNetworks, "podman") } session := podmanTest.Podman(append([]string{"network", "inspect"}, expectedNetworks...)) diff --git a/test/system/005-info.bats b/test/system/005-info.bats index 1d84ede9b..333553b07 100644 --- a/test/system/005-info.bats +++ b/test/system/005-info.bats @@ -107,4 +107,12 @@ host.slirp4netns.executable | $expr_path fi } +@test "podman --root PATH --volumepath info - basic output" { + volumePath=${PODMAN_TMPDIR}/volumesGoHere + if ! is_remote; then + run_podman --storage-driver=vfs --root ${PODMAN_TMPDIR}/nothing-here-move-along --volumepath ${volumePath} info --format '{{ .Store.VolumePath }}' + is "$output" "${volumePath}" "'podman --volumepath should reset VolumePath" + fi +} + # vim: filetype=sh diff --git a/test/system/270-socket-activation.bats b/test/system/270-socket-activation.bats index 19f68abdd..6d582be18 100644 --- a/test/system/270-socket-activation.bats +++ b/test/system/270-socket-activation.bats @@ -90,7 +90,7 @@ function teardown() { @test "podman system service - socket activation - kill rootless pause" { if ! is_rootless; then - skip "there is no pause process when running rootfull" + skip "there is no pause process when running rootful" fi run_podman run -d $IMAGE sleep 90 cid="$output" diff --git a/test/system/450-interactive.bats b/test/system/450-interactive.bats index a642a2e95..e6e67a8a7 100644 --- a/test/system/450-interactive.bats +++ b/test/system/450-interactive.bats @@ -75,7 +75,7 @@ function teardown() { @test "podman load - will not read from tty" { run_podman 125 load <$PODMAN_TEST_PTY is "$output" \ - "Error: cannot read from terminal. Use command-line redirection or the --input flag." \ + "Error: cannot read from terminal, use command-line redirection or the --input flag" \ "Diagnostic from 'podman load' without redirection or -i" } diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats index 0c3062a7e..01571d176 100644 --- a/test/system/500-networking.bats +++ b/test/system/500-networking.bats @@ -83,8 +83,7 @@ load helpers } # Issue #5466 - port-forwarding doesn't work with this option and -d -@test "podman networking: port with --userns=keep-id" { - skip_if_not_rootless "--userns=keep-id only works in rootless mode" +@test "podman networking: port with --userns=keep-id for rootless or --uidmap=* for rootful" { for cidr in "" "$(random_rfc1918_subnet).0/24"; do myport=$(random_free_port 52000-52999) if [[ -z $cidr ]]; then @@ -106,7 +105,9 @@ load helpers # remote IP is not 127.0.0.1 (podman PR #9052). # We could get more parseable output by using $NCAT_REMOTE_ADDR, # but busybox nc doesn't support that. - run_podman run -d --userns=keep-id $network_arg -p 127.0.0.1:$myport:$myport \ + userns="--userns=keep-id" + is_rootless || userns="--uidmap=0:1111111:65536 --gidmap=0:1111111:65536" + run_podman run -d ${userns} $network_arg -p 127.0.0.1:$myport:$myport \ $IMAGE nc -l -n -v -p $myport cid="$output" diff --git a/test/system/helpers.bash b/test/system/helpers.bash index 1a1dc0df9..138d668f4 100644 --- a/test/system/helpers.bash +++ b/test/system/helpers.bash @@ -423,7 +423,7 @@ function skip_if_rootless() { ###################### function skip_if_not_rootless() { if ! is_rootless; then - local msg=$(_add_label_if_missing "$1" "rootfull") + local msg=$(_add_label_if_missing "$1" "rootful") skip "${msg:-not applicable under rootlfull podman}" fi } @@ -483,7 +483,7 @@ function skip_if_root_ubuntu { if is_ubuntu; then if ! is_remote; then if ! is_rootless; then - skip "Cannot run this test on rootfull ubuntu, usually due to user errors" + skip "Cannot run this test on rootful ubuntu, usually due to user errors" fi fi fi diff --git a/test/testvol/main.go b/test/testvol/main.go index 00b462eb2..30ab365b3 100644 --- a/test/testvol/main.go +++ b/test/testvol/main.go @@ -31,7 +31,7 @@ type cliConfig struct { } // Default configuration is stored here. Will be overwritten by flags. -var config cliConfig = cliConfig{ +var config = cliConfig{ logLevel: "error", sockName: "test-volume-plugin", } diff --git a/test/utils/matchers.go b/test/utils/matchers.go index 0c0948e4b..c56bd55c3 100644 --- a/test/utils/matchers.go +++ b/test/utils/matchers.go @@ -6,7 +6,7 @@ import ( "net/url" "github.com/containers/common/pkg/config" - . "github.com/onsi/gomega" //nolint:golint,stylecheck + . "github.com/onsi/gomega" //nolint:revive,stylecheck "github.com/onsi/gomega/format" "github.com/onsi/gomega/gexec" "github.com/onsi/gomega/matchers" diff --git a/test/utils/utils.go b/test/utils/utils.go index 9695835e5..0867570c1 100644 --- a/test/utils/utils.go +++ b/test/utils/utils.go @@ -15,9 +15,9 @@ import ( "github.com/sirupsen/logrus" "github.com/containers/storage/pkg/parsers/kernel" - . "github.com/onsi/ginkgo" //nolint:golint,stylecheck - . "github.com/onsi/gomega" //nolint:golint,stylecheck - . "github.com/onsi/gomega/gexec" //nolint:golint,stylecheck + . "github.com/onsi/ginkgo" //nolint:revive,stylecheck + . "github.com/onsi/gomega" //nolint:revive,stylecheck + . "github.com/onsi/gomega/gexec" //nolint:revive,stylecheck ) type NetworkBackend int diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/cdi/spec.go b/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/cdi/spec.go index 59f01acb7..46fca2dac 100644 --- a/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/cdi/spec.go +++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/cdi/spec.go @@ -34,6 +34,7 @@ var ( "0.1.0": {}, "0.2.0": {}, "0.3.0": {}, + "0.4.0": {}, } // Externally set CDI Spec validation function. diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go index 090e30e43..e16174f9d 100644 --- a/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go +++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go @@ -3,7 +3,7 @@ package specs import "os" // CurrentVersion is the current version of the Spec. -const CurrentVersion = "0.3.0" +const CurrentVersion = "0.4.0" // Spec is the base configuration for CDI type Spec struct { @@ -45,6 +45,7 @@ type Mount struct { HostPath string `json:"hostPath"` ContainerPath string `json:"containerPath"` Options []string `json:"options,omitempty"` + Type string `json:"type,omitempty"` } // Hook represents a hook that needs to be added to the OCI spec. diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go index 10bc9fa23..14a0f6a0b 100644 --- a/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go +++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go @@ -95,6 +95,7 @@ func (m *Mount) ToOCI() spec.Mount { Source: m.HostPath, Destination: m.ContainerPath, Options: m.Options, + Type: m.Type, } } diff --git a/vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md b/vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md index 8a642563d..828a60b24 100644 --- a/vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md +++ b/vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md @@ -48,6 +48,18 @@ fsnotify uses build tags to compile different code on Linux, BSD, macOS, and Win Before doing a pull request, please do your best to test your changes on multiple platforms, and list which platforms you were able/unable to test on. +To aid in cross-platform testing there is a Vagrantfile for Linux and BSD. + +* Install [Vagrant](http://www.vagrantup.com/) and [VirtualBox](https://www.virtualbox.org/) +* Setup [Vagrant Gopher](https://github.com/nathany/vagrant-gopher) in your `src` folder. +* Run `vagrant up` from the project folder. You can also setup just one box with `vagrant up linux` or `vagrant up bsd` (note: the BSD box doesn't support Windows hosts at this time, and NFS may prompt for your host OS password) +* Once setup, you can run the test suite on a given OS with a single command `vagrant ssh linux -c 'cd fsnotify/fsnotify; go test'`. +* When you're done, you will want to halt or destroy the Vagrant boxes. + +Notice: fsnotify file system events won't trigger in shared folders. The tests get around this limitation by using the /tmp directory. + +Right now there is no equivalent solution for Windows and macOS, but there are Windows VMs [freely available from Microsoft](http://www.modern.ie/en-us/virtualization-tools#downloads). + ### Maintainers Help maintaining fsnotify is welcome. To be a maintainer: @@ -55,6 +67,11 @@ Help maintaining fsnotify is welcome. To be a maintainer: * Submit a pull request and sign the CLA as above. * You must be able to run the test suite on Mac, Windows, Linux and BSD. +To keep master clean, the fsnotify project uses the "apply mail" workflow outlined in Nathaniel Talbott's post ["Merge pull request" Considered Harmful][am]. This requires installing [hub][]. + All code changes should be internal pull requests. Releases are tagged using [Semantic Versioning](http://semver.org/). + +[hub]: https://github.com/github/hub +[am]: http://blog.spreedly.com/2014/06/24/merge-pull-request-considered-harmful/#.VGa5yZPF_Zs diff --git a/vendor/github.com/fsnotify/fsnotify/README.md b/vendor/github.com/fsnotify/fsnotify/README.md index 7797745da..34488e621 100644 --- a/vendor/github.com/fsnotify/fsnotify/README.md +++ b/vendor/github.com/fsnotify/fsnotify/README.md @@ -1,122 +1,40 @@ -# File system notifications for Go +# WARNING -[](https://pkg.go.dev/github.com/fsnotify/fsnotify) [](https://goreportcard.com/report/github.com/fsnotify/fsnotify) [](https://github.com/fsnotify/fsnotify/issues/413) +If you are reading this, you use `master` branch of this repository, +which is wrong. +This branch + - should not be used; + - is not maintained; + - is not supported; + - will be removed soon. +You should switch to using the default branch instead. -fsnotify utilizes [golang.org/x/sys](https://godoc.org/golang.org/x/sys) rather than `syscall` from the standard library. +## Using git -Cross platform: Windows, Linux, BSD and macOS. +Here's how to switch your existing local copy of this repository from `master` +to `main` (assuming the remote name is `origin`): -| Adapter | OS | Status | -| --------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | -| inotify | Linux 2.6.27 or later, Android\* | Supported | -| kqueue | BSD, macOS, iOS\* | Supported | -| ReadDirectoryChangesW | Windows | Supported | -| FSEvents | macOS | [Planned](https://github.com/fsnotify/fsnotify/issues/11) | -| FEN | Solaris 11 | [In Progress](https://github.com/fsnotify/fsnotify/pull/371) | -| fanotify | Linux 2.6.37+ | [Maybe](https://github.com/fsnotify/fsnotify/issues/114) | -| USN Journals | Windows | [Maybe](https://github.com/fsnotify/fsnotify/issues/53) | -| Polling | *All* | [Maybe](https://github.com/fsnotify/fsnotify/issues/9) | - -\* Android and iOS are untested. - -Please see [the documentation](https://pkg.go.dev/github.com/fsnotify/fsnotify) and consult the [FAQ](#faq) for usage information. - -## API stability - -fsnotify is a fork of [howeyc/fsnotify](https://github.com/howeyc/fsnotify) with a new API as of v1.0. The API is based on [this design document](http://goo.gl/MrYxyA). - -All [releases](https://github.com/fsnotify/fsnotify/releases) are tagged based on [Semantic Versioning](http://semver.org/). - -## Usage - -```go -package main - -import ( - "log" - - "github.com/fsnotify/fsnotify" -) - -func main() { - watcher, err := fsnotify.NewWatcher() - if err != nil { - log.Fatal(err) - } - defer watcher.Close() - - done := make(chan bool) - go func() { - for { - select { - case event, ok := <-watcher.Events: - if !ok { - return - } - log.Println("event:", event) - if event.Op&fsnotify.Write == fsnotify.Write { - log.Println("modified file:", event.Name) - } - case err, ok := <-watcher.Errors: - if !ok { - return - } - log.Println("error:", err) - } - } - }() - - err = watcher.Add("/tmp/foo") - if err != nil { - log.Fatal(err) - } - <-done -} +``` +git branch -m master main +git fetch origin +git branch -u origin/main main +git remote set-head origin -a ``` -## Contributing - -Please refer to [CONTRIBUTING][] before opening an issue or pull request. - -## FAQ - -**When a file is moved to another directory is it still being watched?** - -No (it shouldn't be, unless you are watching where it was moved to). - -**When I watch a directory, are all subdirectories watched as well?** - -No, you must add watches for any directory you want to watch (a recursive watcher is on the roadmap [#18][]). - -**Do I have to watch the Error and Event channels in a separate goroutine?** - -As of now, yes. Looking into making this single-thread friendly (see [howeyc #7][#7]) - -**Why am I receiving multiple events for the same file on OS X?** - -Spotlight indexing on OS X can result in multiple events (see [howeyc #62][#62]). A temporary workaround is to add your folder(s) to the *Spotlight Privacy settings* until we have a native FSEvents implementation (see [#11][]). - -**How many files can be watched at once?** - -There are OS-specific limits as to how many watches can be created: -* Linux: /proc/sys/fs/inotify/max_user_watches contains the limit, reaching this limit results in a "no space left on device" error. -* BSD / OSX: sysctl variables "kern.maxfiles" and "kern.maxfilesperproc", reaching these limits results in a "too many open files" error. - -**Why don't notifications work with NFS filesystems or filesystem in userspace (FUSE)?** - -fsnotify requires support from underlying OS to work. The current NFS protocol does not provide network level support for file notifications. - -[#62]: https://github.com/howeyc/fsnotify/issues/62 -[#18]: https://github.com/fsnotify/fsnotify/issues/18 -[#11]: https://github.com/fsnotify/fsnotify/issues/11 -[#7]: https://github.com/howeyc/fsnotify/issues/7 +In addition to the above, if you want to remove the leftover `origin/master` +remote branch (NOTE this also removes all other remote branches that no longer +exist in `origin`): -[contributing]: https://github.com/fsnotify/fsnotify/blob/master/CONTRIBUTING.md +``` +git remote prune origin +``` -## Related Projects +## Background -* [notify](https://github.com/rjeczalik/notify) -* [fsevents](https://github.com/fsnotify/fsevents) +The `master` branch was renamed to `main`, causing an issue with +Yocto/OpenEmbedded's meta-virtualization layer, which explicitly refers +to `master` branch of this repository (see #426). +This temporary branch is created to alleviate the Yocto/OE issue. diff --git a/vendor/github.com/fsnotify/fsnotify/fsnotify_unsupported.go b/vendor/github.com/fsnotify/fsnotify/fsnotify_unsupported.go deleted file mode 100644 index eb25cb407..000000000 --- a/vendor/github.com/fsnotify/fsnotify/fsnotify_unsupported.go +++ /dev/null @@ -1,36 +0,0 @@ -// Copyright 2022 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !darwin && !dragonfly && !freebsd && !linux && !netbsd && !solaris && !windows -// +build !darwin,!dragonfly,!freebsd,!linux,!netbsd,!solaris,!windows - -package fsnotify - -import ( - "fmt" - "runtime" -) - -// Watcher watches a set of files, delivering events to a channel. -type Watcher struct{} - -// NewWatcher establishes a new watcher with the underlying OS and begins waiting for events. -func NewWatcher() (*Watcher, error) { - return nil, fmt.Errorf("fsnotify not supported on %s", runtime.GOOS) -} - -// Close removes all watches and closes the events channel. -func (w *Watcher) Close() error { - return nil -} - -// Add starts watching the named file or directory (non-recursively). -func (w *Watcher) Add(name string) error { - return nil -} - -// Remove stops watching the the named file or directory (non-recursively). -func (w *Watcher) Remove(name string) error { - return nil -} diff --git a/vendor/github.com/fsnotify/fsnotify/go.mod b/vendor/github.com/fsnotify/fsnotify/go.mod index 8d1fc1295..54089e48b 100644 --- a/vendor/github.com/fsnotify/fsnotify/go.mod +++ b/vendor/github.com/fsnotify/fsnotify/go.mod @@ -1,6 +1,6 @@ module github.com/fsnotify/fsnotify -go 1.16 +go 1.13 require golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c diff --git a/vendor/github.com/fsnotify/fsnotify/inotify.go b/vendor/github.com/fsnotify/fsnotify/inotify.go index a6d0e0ec8..eb87699b5 100644 --- a/vendor/github.com/fsnotify/fsnotify/inotify.go +++ b/vendor/github.com/fsnotify/fsnotify/inotify.go @@ -163,19 +163,6 @@ func (w *Watcher) Remove(name string) error { return nil } -// WatchList returns the directories and files that are being monitered. -func (w *Watcher) WatchList() []string { - w.mu.Lock() - defer w.mu.Unlock() - - entries := make([]string, 0, len(w.watches)) - for pathname := range w.watches { - entries = append(entries, pathname) - } - - return entries -} - type watch struct { wd uint32 // Watch descriptor (as returned by the inotify_add_watch() syscall) flags uint32 // inotify flags of this watch (see inotify(7) for the list of valid flags) diff --git a/vendor/github.com/fsnotify/fsnotify/inotify_poller.go b/vendor/github.com/fsnotify/fsnotify/inotify_poller.go index b572a37c3..e9ff9439f 100644 --- a/vendor/github.com/fsnotify/fsnotify/inotify_poller.go +++ b/vendor/github.com/fsnotify/fsnotify/inotify_poller.go @@ -38,6 +38,7 @@ func newFdPoller(fd int) (*fdPoller, error) { poller.close() } }() + poller.fd = fd // Create epoll fd poller.epfd, errno = unix.EpollCreate1(unix.EPOLL_CLOEXEC) diff --git a/vendor/github.com/fsnotify/fsnotify/kqueue.go b/vendor/github.com/fsnotify/fsnotify/kqueue.go index 6fb8d8532..368f5b790 100644 --- a/vendor/github.com/fsnotify/fsnotify/kqueue.go +++ b/vendor/github.com/fsnotify/fsnotify/kqueue.go @@ -148,19 +148,6 @@ func (w *Watcher) Remove(name string) error { return nil } -// WatchList returns the directories and files that are being monitered. -func (w *Watcher) WatchList() []string { - w.mu.Lock() - defer w.mu.Unlock() - - entries := make([]string, 0, len(w.watches)) - for pathname := range w.watches { - entries = append(entries, pathname) - } - - return entries -} - // Watch all events (except NOTE_EXTEND, NOTE_LINK, NOTE_REVOKE) const noteAllEvents = unix.NOTE_DELETE | unix.NOTE_WRITE | unix.NOTE_ATTRIB | unix.NOTE_RENAME diff --git a/vendor/github.com/fsnotify/fsnotify/windows.go b/vendor/github.com/fsnotify/fsnotify/windows.go index ddc69ef87..c02b75f7c 100644 --- a/vendor/github.com/fsnotify/fsnotify/windows.go +++ b/vendor/github.com/fsnotify/fsnotify/windows.go @@ -12,7 +12,6 @@ import ( "fmt" "os" "path/filepath" - "reflect" "runtime" "sync" "syscall" @@ -97,21 +96,6 @@ func (w *Watcher) Remove(name string) error { return <-in.reply } -// WatchList returns the directories and files that are being monitered. -func (w *Watcher) WatchList() []string { - w.mu.Lock() - w.mu.Unlock() - - entries := make([]string, 0, len(w.watches)) - for _, entry := range w.watches { - for _, watchEntry := range entry { - entries = append(entries, watchEntry.path) - } - } - - return entries -} - const ( // Options for AddWatch sysFSONESHOT = 0x80000000 @@ -468,16 +452,8 @@ func (w *Watcher) readEvents() { // Point "raw" to the event in the buffer raw := (*syscall.FileNotifyInformation)(unsafe.Pointer(&watch.buf[offset])) - // TODO: Consider using unsafe.Slice that is available from go1.17 - // https://stackoverflow.com/questions/51187973/how-to-create-an-array-or-a-slice-from-an-array-unsafe-pointer-in-golang - // instead of using a fixed syscall.MAX_PATH buf, we create a buf that is the size of the path name - size := int(raw.FileNameLength / 2) - var buf []uint16 - sh := (*reflect.SliceHeader)(unsafe.Pointer(&buf)) - sh.Data = uintptr(unsafe.Pointer(&raw.FileName)) - sh.Len = size - sh.Cap = size - name := syscall.UTF16ToString(buf) + buf := (*[syscall.MAX_PATH]uint16)(unsafe.Pointer(&raw.FileName)) + name := syscall.UTF16ToString(buf[:raw.FileNameLength/2]) fullname := filepath.Join(watch.path, name) var mask uint64 diff --git a/vendor/modules.txt b/vendor/modules.txt index 137975ced..b1e0e3a23 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -57,7 +57,7 @@ github.com/checkpoint-restore/go-criu/v5/rpc github.com/checkpoint-restore/go-criu/v5/stats # github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e github.com/chzyer/readline -# github.com/container-orchestrated-devices/container-device-interface v0.3.2 +# github.com/container-orchestrated-devices/container-device-interface v0.4.0 ## explicit github.com/container-orchestrated-devices/container-device-interface/pkg/cdi github.com/container-orchestrated-devices/container-device-interface/specs-go @@ -387,7 +387,7 @@ github.com/docker/libnetwork/types github.com/dtylman/scp # github.com/felixge/httpsnoop v1.0.1 github.com/felixge/httpsnoop -# github.com/fsnotify/fsnotify v1.5.2 +# github.com/fsnotify/fsnotify v1.5.3 ## explicit github.com/fsnotify/fsnotify # github.com/fsouza/go-dockerclient v1.7.10 |