-rw-r--r--.cirrus.yml117
-rwxr-xr-xcontrib/cirrus/build_vm_images.sh59
-rwxr-xr-xcontrib/cirrus/integration_test.sh28
-rw-r--r--contrib/cirrus/lib.sh258
-rwxr-xr-xcontrib/cirrus/ooe.sh39
-rw-r--r--contrib/cirrus/packer/README.md2
-rw-r--r--contrib/cirrus/packer/centos_setup.sh69
-rw-r--r--contrib/cirrus/packer/fedora_setup.sh72
-rw-r--r--contrib/cirrus/packer/libpod_images.json124
-rw-r--r--contrib/cirrus/packer/rhel_setup.sh111
-rw-r--r--contrib/cirrus/packer/ubuntu_setup.sh93
-rwxr-xr-xcontrib/cirrus/setup_environment.sh77
-rwxr-xr-xcontrib/cirrus/unit_test.sh30
-rw-r--r--libpod/container_easyjson.go2
-rw-r--r--libpod/container_internal.go104
-rw-r--r--pkg/resolvconf/dns/resolvconf.go28
-rw-r--r--pkg/resolvconf/resolvconf.go242
17 files changed, 1385 insertions, 70 deletions
diff --git a/.cirrus.yml b/.cirrus.yml
index e69de29bb..a06d17493 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -0,0 +1,117 @@
+---
+
+# Only github users with write-access can define or use encrypted variables
+# This credential represents a service account with access to manage both VMs
+# and storage.
+gcp_credentials: ENCRYPTED[885c6e4297dd8d6f67593c42b810353af0c505a7a670e2c6fd830c56e86bbb2debcc3c18f942d0d46ab36b63521061d4]
+
+# Default VM to use for testing, unless values overriden by specific tasks (below)
+gce_instance:
+ image_project: "libpod-218412"
+ zone: "us-central1-a" # Required by Cirrus for the time being
+ cpu: 4
+ memory: "8Gb"
+ disk: 40
+
+# Main collection of env. varss to set for all scripts. All others
+# are cooked in by $SCRIPT_BASE/setup_environment.sh
+env:
+ CNI_COMMIT: "7480240de9749f9a0a5c8614b17f1f03e0c06ab9"
+ CRIO_COMMIT: "662dbb31b5d4f5ed54511a47cde7190c61c28677"
+ RUNC_COMMIT: "ad0f5255060d36872be04de22f8731f38ef2d7b1"
+ # File to update in home-dir with task-specific env. var values
+ ENVLIB: ".bash_profile"
+ # Overrides default location (/tmp/cirrus) for repo clone
+ CIRRUS_WORKING_DIR: "/go/src/github.com/containers/libpod"
+ # Required so $ENVLIB gets loaded
+ CIRRUS_SHELL: "/bin/bash"
+ # Save a little typing (path relative to $CIRRUS_WORKING_DIR)
+ SCRIPT_BASE: "./contrib/cirrus"
+ PACKER_BASE: "./contrib/cirrus/packer"
+
+# Every *_task runs in parallel in separate VMs. The name prefix only for reference
+# in WebUI, and will be followed by matrix details. This task does all the
+# per-pr unit/integration testing.
+full_vm_testing_task:
+
+ gce_instance:
+ # Generate multiple 'test' tasks, covering all possible
+ # 'matrix' combinations. All run in parallel.
+ matrix:
+ # Images are generated separetly, from build_images_task (below)
+ image_name: "ubuntu-1804-bionic-v20180911-libpod-5763563410948096"
+ # TODO: Make these work (also build_images_task below)
+ #image_name: "rhel-server-ec2-7-5-165-1-libpod-5358668723781632"
+ #image_name: "centos-7-v20180911-libpod-5358668723781632"
+ #image_name: "fedora-cloud-base-28-1-1-7-libpod-5358668723781632"
+
+ timeout_in: 120m
+
+ # Every *_script runs in sequence, for each task. The name prefix is for
+ # WebUI reference. The values may be strings...
+ setup_environment_script: $SCRIPT_BASE/setup_environment.sh
+
+ # ...or lists of strings
+ unit_test_script:
+ - whoami # root!
+ - $SCRIPT_BASE/unit_test.sh
+
+ integration_test_script: $SCRIPT_BASE/integration_test.sh
+
+
+# This task build new images for future PR testing, but only after a PR merge.
+# These images save needing to install/setup the same environment to test every
+# PR. The 'active' image for testing is selected by the 'image_name' items in
+# task above. Currently this requires manually updating them, but this could
+# be automated (see comment at end).
+
+build_vm_images_task:
+ # Only produce new images after a PR merge
+ only_if: $CIRRUS_BRANCH == 'master'
+
+ # Require tests to pass first.
+ depends_on:
+ - test # i.e. 'test_task'
+
+ env:
+ # CSV of packer builder names to enable (see $PACKER_BASE/libpod_images.json)
+ PACKER_BUILDS: "ubuntu-18"
+ # TODO: Make these work (also full_vm_testing_task above)
+ # PACKER_BUILDS: "rhel-7,centos-7,fedora-28,ubuntu-18"
+ # Command to register a RHEL VM
+ RHSM_COMMAND: ENCRYPTED[fec01433222af1ed0b8e40e89e7d18f6ee2fa9f49a1e721dc72f7eed3c740661215d1bd05cb54ac66a1a62116b92bdce]
+ # Additional environment variables needed to build GCE images, within a GCE VM
+ SERVICE_ACCOUNT: ENCRYPTED[02e03838b1156eb9516c7cc1e888e287910759842275f3c7bc2b4d56075cc6740e29ffa0ab71ebdbbd079673361dd8c9]
+ GCE_SSH_USERNAME: ENCRYPTED[a19a4ec62423e3e0fe4e7d1a5c9f11eda8fde321b9047ab5ed5590c2b1d7a2d12091c2be1531f949eae927059c2ae531]
+ GCP_PROJECT_ID: ENCRYPTED[77cb2d392bbc8d17412547d7d91f8d190089bf6e6b96eab9927994bbff6ab2c691ba0329ac7a650ba6182fbbab9fb68d]
+ # Existing base values to use, output images get epoc stamped names
+ PACKER_VER: "1.3.1"
+ # low-level base VM image name inputs to packer
+ CENTOS_BASE_IMAGE: "centos-7-v20180911"
+ RHEL_BASE_IMAGE: "rhel-server-ec2-7-5-165-1"
+ FEDORA_BASE_IMAGE: "fedora-cloud-base-28-1-1-7"
+ UBUNTU_BASE_IMAGE: "ubuntu-1804-bionic-v20180911"
+
+ gce_instance:
+ image_name: "image-builder-image" # Simply CentOS 7 + packer dependencies
+ # Additional permissions for building GCE images, within a GCE VM
+ scopes:
+ - compute
+ - devstorage.full_control
+ # Doesn't need many local resources to run
+ cpu: 2
+ memory: "2Gb"
+ disk: 20
+ environment_script: $SCRIPT_BASE/setup_environment.sh
+ build_vm_images_script: $SCRIPT_BASE/build_vm_images.sh
+
+ # TODO,Continuous Delivery: Automaticly open a libpod PR after using 'sed' to replace
+ # the image_names with the new (just build) images. That will
+ # cause a new round of testing to happen (via the PR) using
+ # the new images. When all is good, the PR may be manually
+ # merged so all PR testing uses the new images. The script
+ # names (below) describe their purpose in this workflow.
+ # deploy_images_script:
+ # - clone_podman_release_branch.sh
+ # - modify_cirrus_yaml_image_names.sh
+ # - commit_and_create_upstream_pr.sh
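Review bot: `depends_on: - test` in build_vm_images_task does not match any task in this file; the only test task is `full_vm_testing_task`, and Cirrus matches dependencies by the task name with the `_task` suffix dropped, so the image build will never be gated on (or find) the tests. The entry should read `- full_vm_testing` and the trailing comment `# i.e. 'full_vm_testing_task'`. The two tasks also name the same script differently (`setup_environment_script` vs `environment_script`); using one name keeps the WebUI steps recognisable across tasks.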
diff --git a/contrib/cirrus/build_vm_images.sh b/contrib/cirrus/build_vm_images.sh
new file mode 100755
index 000000000..8538ee910
--- /dev/null
+++ b/contrib/cirrus/build_vm_images.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+set -e
+source $(dirname $0)/lib.sh
+
+req_env_var "
+CNI_COMMIT $CNI_COMMIT
+CRIO_COMMIT $CRIO_COMMIT
+RUNC_COMMIT $RUNC_COMMIT
+PACKER_BUILDS $PACKER_BUILDS
+CENTOS_BASE_IMAGE $CENTOS_BASE_IMAGE
+UBUNTU_BASE_IMAGE $UBUNTU_BASE_IMAGE
+FEDORA_BASE_IMAGE $FEDORA_BASE_IMAGE
+RHEL_BASE_IMAGE $RHEL_BASE_IMAGE
+RHSM_COMMAND $RHSM_COMMAND
+CIRRUS_BUILD_ID $CIRRUS_BUILD_ID
+SERVICE_ACCOUNT $SERVICE_ACCOUNT
+GCE_SSH_USERNAME $GCE_SSH_USERNAME
+GCP_PROJECT_ID $GCP_PROJECT_ID
+PACKER_VER $PACKER_VER
+SCRIPT_BASE $SCRIPT_BASE
+PACKER_BASE $PACKER_BASE
+"
+
+# TODO: Skip building images if $CIRRUS_BRANCH =~ "master" and
+# commit message of $CIRRUS_CHANGE_IN_REPO contains a magic word
+# produced by 'commit_and_create_upstream_pr.sh' script (see .cirrus.yml)
+
+show_env_vars
+
+# Everything here is running on the 'image-builder-image' GCE image
+# Assume basic dependencies are all met, but there could be a newer version
+# of the packer binary
+PACKER_FILENAME="packer_${PACKER_VER}_linux_amd64.zip"
+mkdir -p "$HOME/packer"
+cd "$HOME/packer"
+# image_builder_image has packer pre-installed, check if same version requested
+if ! [[ -r "$PACKER_FILENAME" ]]
+then
+ curl -L -O https://releases.hashicorp.com/packer/$PACKER_VER/$PACKER_FILENAME
+ curl -L https://releases.hashicorp.com/packer/${PACKER_VER}/packer_${PACKER_VER}_SHA256SUMS | \
+ grep 'linux_amd64' > ./sha256sums
+ sha256sum --check ./sha256sums
+ unzip -o $PACKER_FILENAME
+ ./packer --help &> /dev/null # verify exit(0)
+fi
+
+set -x
+
+cd "$GOSRC"
+# N/B: /usr/sbin/packer is a DIFFERENT tool, and will exit 0 given the args below :(
+TEMPLATE="./$PACKER_BASE/libpod_images.json"
+
+$HOME/packer/packer inspect "$TEMPLATE"
+
+#$HOME/packer/packer build -machine-readable "-only=$PACKER_BUILDS" "$TEMPLATE" | tee /tmp/packer_log.csv
+$HOME/packer/packer build "-only=$PACKER_BUILDS" "$TEMPLATE"
+
+# TODO: Report back to PR names of built images
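Review bot: The packer download block runs `curl` without `--fail` and the checksum fetch is a pipeline under `set -e` only, so an HTTP error page or a broken pipe is written to disk and the failure only surfaces later as a confusing `sha256sum` error; use `set -eo pipefail` at the top and `curl -fL -O https://releases.hashicorp.com/packer/$PACKER_VER/$PACKER_FILENAME` (and `-fL` on the SHA256SUMS fetch). Note the verification is skipped entirely whenever `$PACKER_FILENAME` is already readable, so a partial zip left by an earlier failed run is trusted; moving the `sha256sum --check` outside the `if` would close that. The integrity of the binary currently rests on TLS alone; HashiCorp also publishes a detached signature for the SHA256SUMS file, which would let the script verify the checksum list rather than just download it.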
diff --git a/contrib/cirrus/integration_test.sh b/contrib/cirrus/integration_test.sh
new file mode 100755
index 000000000..226053724
--- /dev/null
+++ b/contrib/cirrus/integration_test.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+source $(dirname $0)/lib.sh
+
+req_env_var "
+GOSRC $GOSRC
+OS_RELEASE_ID $OS_RELEASE_ID
+OS_RELEASE_VER $OS_RELEASE_VER
+"
+
+show_env_vars
+
+set -x
+cd "$GOSRC"
+case "${OS_RELEASE_ID}-${OS_RELEASE_VER}" in
+ ubuntu-18)
+ make install PREFIX=/usr ETCDIR=/etc "BUILDTAGS=$BUILDTAGS"
+ make test-binaries "BUILDTAGS=$BUILDTAGS"
+ SKIP_USERNS=1 make localintegration "BUILDTAGS=$BUILDTAGS"
+ ;;
+ fedora-28) ;& # Continue to the next item
+ centos-7) ;&
+ rhel-7)
+ stub 'integration testing not working on $OS_RELEASE_ID'
+ ;;
+ *) bad_os_id_ver ;;
+esac
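Review bot: The `stub` message is single-quoted, so `$OS_RELEASE_ID` is printed literally instead of the distro name: `stub "integration testing not working on $OS_RELEASE_ID"`. The same quoting appears in contrib/cirrus/unit_test.sh for the centos-7/rhel-7 arm.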
diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh
new file mode 100644
index 000000000..e69f1e040
--- /dev/null
+++ b/contrib/cirrus/lib.sh
@@ -0,0 +1,258 @@
+
+
+# Library of common, shared utility functions. This file is intended
+# to be sourced by other scripts, not called directly.
+
+# Under some contexts these values are not set, make sure they are.
+USER="$(whoami)"
+HOME="$(getent passwd $USER | cut -d : -f 6)"
+if ! [[ "$PATH" =~ "/usr/local/bin" ]]
+then
+ export PATH="$PATH:/usr/local/bin"
+fi
+
+# In ci/testing environment, ensure variables are always loaded
+if [[ -r "$HOME/$ENVLIB" ]] && [[ -n "$CI" ]]
+then
+ # Make sure this is always loaded
+ source "$HOME/$ENVLIB"
+fi
+
+# Pass in a line delimited list of, space delimited name/value pairs
+# exit non-zero with helpful error message if any value is empty
+req_env_var() {
+ echo "$1" | while read NAME VALUE
+ do
+ if [[ -n "$NAME" ]] && [[ -z "$VALUE" ]]
+ then
+ echo "Required env. var. \$$NAME is not set"
+ exit 9
+ fi
+ done
+}
+
+# Some env. vars may contain secrets. Display values for known "safe"
+# and useful variables.
+# ref: https://cirrus-ci.org/guide/writing-tasks/#environment-variables
+show_env_vars() {
+ echo "
+BUILDTAGS $BUILDTAGS
+CI $CI
+CIRRUS_CI $CIRRUS_CI
+CI_NODE_INDEX $CI_NODE_INDEX
+CI_NODE_TOTAL $CI_NODE_TOTAL
+CONTINUOUS_INTEGRATION $CONTINUOUS_INTEGRATION
+CIRRUS_BASE_BRANCH $CIRRUS_BASE_BRANCH
+CIRRUS_BASE_SHA $CIRRUS_BASE_SHA
+CIRRUS_BRANCH $CIRRUS_BRANCH
+CIRRUS_BUILD_ID $CIRRUS_BUILD_ID
+CIRRUS_CHANGE_IN_REPO $CIRRUS_CHANGE_IN_REPO
+CIRRUS_CHANGE_MESSAGE $CIRRUS_CHANGE_MESSAGE
+CIRRUS_CLONE_DEPTH $CIRRUS_CLONE_DEPTH
+CIRRUS_DEFAULT_BRANCH $CIRRUS_DEFAULT_BRANCH
+CIRRUS_PR $CIRRUS_PR
+CIRRUS_TAG $CIRRUS_TAG
+CIRRUS_OS $CIRRUS_OS
+OS $OS
+CIRRUS_TASK_NAME $CIRRUS_TASK_NAME
+CIRRUS_TASK_ID $CIRRUS_TASK_ID
+CIRRUS_REPO_NAME $CIRRUS_REPO_NAME
+CIRRUS_REPO_OWNER $CIRRUS_REPO_OWNER
+CIRRUS_REPO_FULL_NAME $CIRRUS_REPO_FULL_NAME
+CIRRUS_REPO_CLONE_URL $CIRRUS_REPO_CLONE_URL
+CIRRUS_SHELL $CIRRUS_SHELL
+CIRRUS_USER_COLLABORATOR $CIRRUS_USER_COLLABORATOR
+CIRRUS_USER_PERMISSION $CIRRUS_USER_PERMISSION
+CIRRUS_WORKING_DIR $CIRRUS_WORKING_DIR
+CIRRUS_HTTP_CACHE_HOST $CIRRUS_HTTP_CACHE_HOST
+$(go env)
+ " | while read NAME VALUE
+ do
+ [[ -z "$NAME" ]] || echo "export $NAME=\"$VALUE\""
+ done
+}
+
+# Return a GCE image-name compatible string representation of distribution name
+os_release_id() {
+ eval "$(egrep -m 1 '^ID=' /etc/os-release | tr -d \' | tr -d \")"
+ echo "$ID"
+}
+
+# Return a GCE image-name compatible string representation of distribution major version
+os_release_ver() {
+ eval "$(egrep -m 1 '^VERSION_ID=' /etc/os-release | tr -d \' | tr -d \")"
+ echo "$VERSION_ID" | cut -d '.' -f 1
+}
+
+bad_os_id_ver() {
+ echo "Unknown/Unsupported distro. $OS_RELEASE_ID and/or version $OS_RELEASE_VER for $ARGS"
+ exit 42
+}
+
+stub() {
+ echo "STUB: Pretending to do $1"
+}
+
+# Run sudo in directory with GOPATH set
+cdsudo() {
+ DIR="$1"
+ shift
+ CMD="cd $DIR && $@"
+ sudo --preserve-env=GOPATH --non-interactive bash -c "$CMD"
+}
+
+
+# Helper/wrapper script to only show stderr/stdout on non-zero exit
+install_ooe() {
+ req_env_var "SCRIPT_BASE $SCRIPT_BASE"
+ echo "Installing script to mask stdout/stderr unless non-zero exit."
+ sudo install -D -m 755 "/tmp/libpod/$SCRIPT_BASE/ooe.sh" /usr/local/bin/ooe.sh
+}
+
+# Grab a newer version of git from software collections
+# https://www.softwarecollections.org/en/
+# and use it with a wrapper
+install_scl_git() {
+ echo "Installing SoftwareCollections updated 'git' version."
+ ooe.sh sudo yum -y install rh-git29
+ cat << "EOF" | sudo tee /usr/bin/git
+#!/bin/bash
+
+scl enable rh-git29 -- git $@
+EOF
+ sudo chmod 755 /usr/bin/git
+}
+
+install_cni_plugins() {
+ echo "Installing CNI Plugins from commit $CNI_COMMIT"
+ req_env_var "
+ GOPATH $GOPATH
+ CNI_COMMIT $CNI_COMMIT
+ "
+ DEST="$GOPATH/src/github.com/containernetworking/plugins"
+ rm -rf "$DEST"
+ ooe.sh git clone "https://github.com/containernetworking/plugins.git" "$DEST"
+ cd "$DEST"
+ ooe.sh git checkout -q "$CNI_COMMIT"
+ ooe.sh ./build.sh
+ sudo mkdir -p /usr/libexec/cni
+ sudo cp bin/* /usr/libexec/cni
+}
+
+install_runc(){
+ OS_RELEASE_ID=$(os_release_id)
+ echo "Installing RunC from commit $RUNC_COMMIT"
+ echo "Platform is $OS_RELEASE_ID"
+ req_env_var "
+ GOPATH $GOPATH
+ RUNC_COMMIT $RUNC_COMMIT
+ OS_RELEASE_ID $OS_RELEASE_ID
+ "
+ if [[ "$OS_RELEASE_ID" =~ "ubuntu" ]]; then
+ echo "Running make install.libseccomp.sudo for ubuntu"
+ if ! [[ -d "/tmp/libpod" ]]
+ then
+ echo "Expecting a copy of libpod repository in /tmp/libpod"
+ exit 5
+ fi
+ mkdir -p "$GOPATH/src/github.com/containers/"
+ # Symlinks don't work with Go
+ cp -a /tmp/libpod "$GOPATH/src/github.com/containers/"
+ cd "$GOPATH/src/github.com/containers/libpod"
+ ooe.sh sudo make install.libseccomp.sudo
+ fi
+ DEST="$GOPATH/src/github.com/opencontainers/runc"
+ rm -rf "$DEST"
+ ooe.sh git clone https://github.com/opencontainers/runc.git "$DEST"
+ cd "$DEST"
+ ooe.sh git fetch origin --tags
+ ooe.sh git checkout -q "$RUNC_COMMIT"
+ ooe.sh make static BUILDTAGS="seccomp selinux"
+ sudo install -m 755 runc /usr/bin/runc
+}
+
+install_buildah() {
+ echo "Installing buildah from latest upstream master"
+ req_env_var "GOPATH $GOPATH"
+ DEST="$GOPATH/src/github.com/containers/buildah"
+ rm -rf "$DEST"
+ ooe.sh git clone https://github.com/containers/buildah "$DEST"
+ cd "$DEST"
+ ooe.sh make
+ ooe.sh sudo make install
+}
+
+# Requires $GOPATH and $CRIO_COMMIT to be set
+install_conmon(){
+ echo "Installing conmon from commit $CRIO_COMMIT"
+ req_env_var "
+ GOPATH $GOPATH
+ CRIO_COMMIT $CRIO_COMMIT
+ "
+ DEST="$GOPATH/src/github.com/kubernetes-sigs/cri-o.git"
+ rm -rf "$DEST"
+ ooe.sh git clone https://github.com/kubernetes-sigs/cri-o.git "$DEST"
+ cd "$DEST"
+ ooe.sh git fetch origin --tags
+ ooe.sh git checkout -q "$CRIO_COMMIT"
+ ooe.sh make
+ sudo install -D -m 755 bin/conmon /usr/libexec/podman/conmon
+}
+
+# Runs in testing VM, not image building
+install_testing_dependencies() {
+ echo "Installing ginkgo, gomega, and easyjson into \$GOPATH=$GOPATH"
+ req_env_var "
+ GOPATH $GOPATH
+ GOSRC $GOSRC
+ "
+ cd "$GOSRC"
+ ooe.sh go get -u github.com/onsi/ginkgo/ginkgo
+ ooe.sh install -D -m 755 "$GOPATH"/bin/ginkgo /usr/bin/
+ ooe.sh go get github.com/onsi/gomega/...
+ ooe.sh go get -u github.com/mailru/easyjson/...
+ sudo install -D -m 755 "$GOPATH"/bin/easyjson /usr/bin/
+}
+
+install_packer_copied_files(){
+ # Install cni config, policy and registry config
+ sudo install -D -m 755 /tmp/libpod/cni/87-podman-bridge.conflist \
+ /etc/cni/net.d/87-podman-bridge.conflist
+ sudo install -D -m 755 /tmp/libpod/test/policy.json \
+ /etc/containers/policy.json
+ sudo install -D -m 755 /tmp/libpod/test/redhat_sigstore.yaml \
+ /etc/containers/registries.d/registry.access.redhat.com.yaml
+}
+
+install_varlink(){
+ echo "Installing varlink from the cheese-factory"
+ ooe.sh sudo -H pip3 install varlink
+}
+
+_finalize(){
+ echo "Removing leftover giblets from cloud-init"
+ cd /
+ sudo rm -rf /var/lib/cloud
+ sudo rm -rf /root/.ssh/*
+ sudo rm -rf /home/*
+}
+
+rh_finalize(){
+ # Allow root ssh-logins
+ if [[ -r /etc/cloud/cloud.cfg ]]
+ then
+ sudo sed -re 's/^disable_root:.*/disable_root: 0/g' -i /etc/cloud/cloud.cfg
+ fi
+ echo "Resetting to fresh-state for usage as cloud-image."
+ sudo $(type -P dnf || type -P yum) clean all
+ sudo rm -rf /var/cache/{yum,dnf}
+ sudo rm -f /etc/udev/rules.d/*-persistent-*.rules
+ sudo touch /.unconfigured # force firstboot to run
+ _finalize
+}
+
+ubuntu_finalize(){
+ echo "Resetting to fresh-state for usage as cloud-image."
+ sudo rm -rf /var/cache/apt
+ _finalize
+}
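Review bot: `req_env_var` runs its loop on the right side of a pipe, so `exit 9` only terminates the pipeline's subshell; the caller keeps running unless it happens to have `set -e`, which is not guaranteed for everything that sources this library (e.g. interactive use of `install_*`). Feeding the list through a here-string keeps the loop in the current shell so the exit is real: `while read NAME VALUE` … `done <<< "$1"`. In `install_scl_git` the wrapper written to /usr/bin/git uses unquoted `$@`, so any git argument containing whitespace (commit messages, paths) is split; it should be `scl enable rh-git29 -- git "$@"`. `cdsudo` similarly interpolates `$DIR` and `$@` into a single string passed to `bash -c`, which is fine for the fixed paths used here but deserves a comment that arguments are re-parsed by the inner shell.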
diff --git a/contrib/cirrus/ooe.sh b/contrib/cirrus/ooe.sh
new file mode 100755
index 000000000..d79e574b2
--- /dev/null
+++ b/contrib/cirrus/ooe.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# This script executes a command while logging all output to a temporary
+# file. If the command exits non-zero, then all output is sent to the console,
+# before returning the exit code. If the script itself fails, the exit code 121
+# is returned.
+
+set -eo pipefail
+
+SCRIPT_PATH="$0"
+
+badusage() {
+ echo "Incorrect usage: $(basename $SCRIPT_PATH) <command> [options]" > /dev/stderr
+ echo "ERROR: $1"
+ exit 121
+}
+
+COMMAND="$@"
+[[ -n "$COMMAND" ]] || badusage "No command specified"
+
+OUTPUT_TMPFILE="$(mktemp -p '' $(basename $0)_output_XXXX)"
+output_on_error() {
+ RET=$?
+ set +e
+ if [[ "$RET" -ne "0" ]]
+ then
+ echo "---------------------------"
+ cat "$OUTPUT_TMPFILE"
+ echo "[$(date --iso-8601=second)] <exit $RET> $COMMAND"
+ fi
+ rm -f "$OUTPUT_TMPFILE"
+}
+trap "output_on_error" EXIT
+
+"$@" 2>&1 | while IFS='' read LINE # Preserve leading/trailing whitespace
+do
+ # Every stdout and (copied) stderr line
+ echo "[$(date --iso-8601=second)] $LINE"
+done >> "$OUTPUT_TMPFILE"
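Review bot: `badusage` sends the usage line to stderr but `ERROR: $1` to stdout, which splits one diagnostic across two streams; `echo "ERROR: $1" >&2` keeps them together. Worth a comment on `cat "$OUTPUT_TMPFILE"` that on a non-zero exit everything the wrapped command printed is replayed into the CI log verbatim, so callers must not wrap commands whose output may contain credentials (rhel_setup.sh already works around this by writing RHSM_COMMAND to a temp file and wrapping only `sudo bash`). `$OUTPUT_TMPFILE` is created by `mktemp`, so it is private to the invoking user, which is the property that makes the buffering safe; a one-line comment saying so would stop someone swapping it for a fixed path.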
diff --git a/contrib/cirrus/packer/README.md b/contrib/cirrus/packer/README.md
new file mode 100644
index 000000000..8ff6947e9
--- /dev/null
+++ b/contrib/cirrus/packer/README.md
@@ -0,0 +1,2 @@
+These are definitions and scripts consumed by packer to produce the
+various distribution images used for CI testing.
diff --git a/contrib/cirrus/packer/centos_setup.sh b/contrib/cirrus/packer/centos_setup.sh
new file mode 100644
index 000000000..2253d7b35
--- /dev/null
+++ b/contrib/cirrus/packer/centos_setup.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# This script is called by packer on the subject CentOS VM, to setup the podman
+# build/test environment. It's not intended to be used outside of this context.
+
+set -e
+
+# Load in library (copied by packer, before this script was run)
+source /tmp/libpod/$SCRIPT_BASE/lib.sh
+
+req_env_var "
+SCRIPT_BASE $SCRIPT_BASE
+CNI_COMMIT $CNI_COMMIT
+CRIO_COMMIT $CRIO_COMMIT
+"
+
+install_ooe
+
+export GOPATH="$(mktemp -d)"
+trap "sudo rm -rf $GOPATH" EXIT
+
+ooe.sh sudo yum -y update
+
+ooe.sh sudo yum -y install centos-release-scl epel-release
+
+ooe.sh sudo yum -y install \
+ atomic-registries \
+ btrfs-progs-devel \
+ bzip2 \
+ device-mapper-devel \
+ findutils \
+ glib2-devel \
+ glibc-static \
+ gnupg \
+ golang \
+ golang-github-cpuguy83-go-md2man \
+ golang-github-cpuguy83-go-md2man \
+ gpgme-devel \
+ iptables \
+ libassuan-devel \
+ libseccomp-devel \
+ libselinux-devel \
+ lsof \
+ make \
+ nmap-ncat \
+ ostree-devel \
+ python \
+ python3-dateutil \
+ python3-psutil \
+ python3-pytoml \
+ runc \
+ skopeo-containers \
+ unzip \
+ which \
+ xz
+
+install_scl_git
+
+install_cni_plugins
+
+install_buildah
+
+install_conmon
+
+install_packer_copied_files
+
+rh_finalize
+
+echo "SUCCESS!"
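Review bot: `golang-github-cpuguy83-go-md2man` is listed twice in the `yum -y install` block; the same duplicate is in fedora_setup.sh and rhel_setup.sh, and ubuntu_setup.sh lists `libtool` twice. Harmless, but it reads like a lost edit and yum/apt will keep warning about it. The `trap "sudo rm -rf $GOPATH" EXIT` expands `$GOPATH` when the trap is installed, which is correct here because it is exported on the previous line; a short comment `# expanded now, on purpose` would prevent a future "fix" to single quotes that changes nothing but invites confusion.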
diff --git a/contrib/cirrus/packer/fedora_setup.sh b/contrib/cirrus/packer/fedora_setup.sh
new file mode 100644
index 000000000..53709fbdd
--- /dev/null
+++ b/contrib/cirrus/packer/fedora_setup.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# This script is called by packer on the subject fedora VM, to setup the podman
+# build/test environment. It's not intended to be used outside of this context.
+
+set -e
+
+# Load in library (copied by packer, before this script was run)
+source /tmp/libpod/$SCRIPT_BASE/lib.sh
+
+req_env_var "
+SCRIPT_BASE $SCRIPT_BASE
+CNI_COMMIT $CNI_COMMIT
+CRIO_COMMIT $CRIO_COMMIT
+RUNC_COMMIT $RUNC_COMMIT
+"
+
+install_ooe
+
+export GOPATH="$(mktemp -d)"
+trap "sudo rm -rf $GOPATH" EXIT
+
+# breaks networking on f28/29 in GCE
+# ooe.sh sudo dnf update -y
+
+ooe.sh sudo dnf install -y \
+ atomic-registries \
+ btrfs-progs-devel \
+ bzip2 \
+ conmon \
+ device-mapper-devel \
+ findutils \
+ git \
+ glib2-devel \
+ glibc-static \
+ gnupg \
+ golang \
+ golang-github-cpuguy83-go-md2man \
+ golang-github-cpuguy83-go-md2man \
+ gpgme-devel \
+ iptables \
+ libassuan-devel \
+ libseccomp-devel \
+ libselinux-devel \
+ lsof \
+ make \
+ nmap-ncat \
+ ostree-devel \
+ procps-ng \
+ python \
+ python3-dateutil \
+ python3-psutil \
+ python3-pytoml \
+ runc \
+ skopeo-containers \
+ slirp4netns \
+ which\
+ xz
+
+install_varlink
+
+install_cni_plugins
+
+install_buildah
+
+install_conmon
+
+install_packer_copied_files
+
+rh_finalize # N/B: Halts system!
+
+echo "SUCCESS!"
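Review bot: The trailing comment `rh_finalize # N/B: Halts system!` does not match `rh_finalize` as defined in lib.sh in this same commit, which cleans caches and cloud-init state but never halts, and `echo "SUCCESS!"` runs right after it; either drop the comment or say what is actually meant. The disabled `dnf update -y` means the image is published with whatever pending updates the base image has; that is a conscious trade-off for the GCE networking problem, but it should be a tracked TODO, e.g. `# TODO: re-enable once the f28/f29 GCE networking regression is fixed; images currently ship un-updated`.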
diff --git a/contrib/cirrus/packer/libpod_images.json b/contrib/cirrus/packer/libpod_images.json
new file mode 100644
index 000000000..82a41ca25
--- /dev/null
+++ b/contrib/cirrus/packer/libpod_images.json
@@ -0,0 +1,124 @@
+{
+ "variables": {
+ "CNI_COMMIT": "{{env `CNI_COMMIT`}}",
+ "CRIO_COMMIT": "{{env `CRIO_COMMIT`}}",
+ "RUNC_COMMIT": "{{env `RUNC_COMMIT`}}",
+
+ "CENTOS_BASE_IMAGE": "{{env `CENTOS_BASE_IMAGE`}}" ,
+ "UBUNTU_BASE_IMAGE": "{{env `UBUNTU_BASE_IMAGE`}}",
+ "FEDORA_BASE_IMAGE": "{{env `FEDORA_BASE_IMAGE`}}",
+ "RHEL_BASE_IMAGE": "{{env `RHEL_BASE_IMAGE`}}",
+
+ "GOSRC": "{{env `GOSRC`}}",
+ "PACKER_BASE": "{{env `PACKER_BASE`}}",
+ "SCRIPT_BASE": "{{env `SCRIPT_BASE`}}",
+
+ "SERVICE_ACCOUNT": "{{env `SERVICE_ACCOUNT`}}",
+ "GCP_PROJECT_ID": "{{env `GCP_PROJECT_ID`}}",
+ "CIRRUS_BUILD_ID": "{{env `CIRRUS_BUILD_ID`}}",
+ "GCE_SSH_USERNAME": "{{env `GCE_SSH_USERNAME`}}",
+ "RHSM_COMMAND": "{{env `RHSM_COMMAND`}}"
+ },
+ "sensitive-variables": [
+ "GCP_PROJECT_ID", "SERVICE_ACCOUNT", "GCE_SSH_USERNAME", "RHSM_COMMAND"
+ ],
+ "builders": [
+ {
+ "name": "rhel-7",
+ "type": "googlecompute",
+ "project_id": "{{user `GCP_PROJECT_ID`}}",
+ "zone": "us-central1-a",
+ "source_image": "{{user `RHEL_BASE_IMAGE`}}",
+ "image_name": "{{user `RHEL_BASE_IMAGE`}}-libpod-{{user `CIRRUS_BUILD_ID`}}",
+ "image_family": "{{user `RHEL_BASE_IMAGE`}}-libpod",
+ "service_account_email": "{{user `SERVICE_ACCOUNT`}}",
+ "communicator": "ssh",
+ "ssh_username": "ec2-user",
+ "ssh_pty": "true"
+ },{
+ "name": "centos-7",
+ "type": "googlecompute",
+ "project_id": "{{user `GCP_PROJECT_ID`}}",
+ "zone": "us-central1-a",
+ "source_image": "{{user `CENTOS_BASE_IMAGE`}}",
+ "image_name": "{{user `CENTOS_BASE_IMAGE`}}-libpod-{{user `CIRRUS_BUILD_ID`}}",
+ "image_family": "{{user `CENTOS_BASE_IMAGE`}}-libpod",
+ "service_account_email": "{{user `SERVICE_ACCOUNT`}}",
+ "communicator": "ssh",
+ "ssh_username": "{{user `GCE_SSH_USERNAME`}}",
+ "ssh_pty": "true"
+ },{
+ "name": "fedora-28",
+ "type": "googlecompute",
+ "project_id": "{{user `GCP_PROJECT_ID`}}",
+ "zone": "us-central1-a",
+ "source_image": "{{user `FEDORA_BASE_IMAGE`}}",
+ "image_name": "{{user `FEDORA_BASE_IMAGE`}}-libpod-{{user `CIRRUS_BUILD_ID`}}",
+ "image_family": "{{user `FEDORA_BASE_IMAGE`}}-libpod",
+ "service_account_email": "{{user `SERVICE_ACCOUNT`}}",
+ "communicator": "ssh",
+ "ssh_username": "fedora",
+ "ssh_pty": "true"
+ },{
+ "name": "ubuntu-18",
+ "type": "googlecompute",
+ "project_id": "{{user `GCP_PROJECT_ID`}}",
+ "zone": "us-central1-a",
+ "source_image": "{{user `UBUNTU_BASE_IMAGE`}}",
+ "image_name": "{{user `UBUNTU_BASE_IMAGE`}}-libpod-{{user `CIRRUS_BUILD_ID`}}",
+ "image_family": "{{user `UBUNTU_BASE_IMAGE`}}-libpod",
+ "service_account_email": "{{user `SERVICE_ACCOUNT`}}",
+ "communicator": "ssh",
+ "ssh_username": "{{user `GCE_SSH_USERNAME`}}",
+ "ssh_pty": "true"
+ }
+ ],
+ "provisioners": [
+ {
+ "type": "file",
+ "source": "{{user `GOSRC`}}",
+ "destination": "/tmp/libpod"
+ },{
+ "type": "shell",
+ "only": ["rhel-7"],
+ "script": "{{user `GOSRC`}}/{{user `PACKER_BASE`}}/rhel_setup.sh",
+ "environment_vars": [
+ "SCRIPT_BASE={{user `SCRIPT_BASE`}}",
+ "CNI_COMMIT={{user `CNI_COMMIT`}}",
+ "CRIO_COMMIT={{user `CRIO_COMMIT`}}",
+ "RUNC_COMMIT={{user `RUNC_COMMIT`}}",
+ "RHSM_COMMAND={{user `RHSM_COMMAND`}}"
+ ]
+ },{
+ "type": "shell",
+ "only": ["centos-7"],
+ "script": "{{user `GOSRC`}}/{{user `PACKER_BASE`}}/centos_setup.sh",
+ "environment_vars": [
+ "SCRIPT_BASE={{user `SCRIPT_BASE`}}",
+ "CNI_COMMIT={{user `CNI_COMMIT`}}",
+ "CRIO_COMMIT={{user `CRIO_COMMIT`}}",
+ "RUNC_COMMIT={{user `RUNC_COMMIT`}}"
+ ]
+ },{
+ "type": "shell",
+ "only": ["fedora-28"],
+ "script": "{{user `GOSRC`}}/{{user `PACKER_BASE`}}/fedora_setup.sh",
+ "environment_vars": [
+ "SCRIPT_BASE={{user `SCRIPT_BASE`}}",
+ "CNI_COMMIT={{user `CNI_COMMIT`}}",
+ "CRIO_COMMIT={{user `CRIO_COMMIT`}}",
+ "RUNC_COMMIT={{user `RUNC_COMMIT`}}"
+ ]
+ },{
+ "type": "shell",
+ "only": ["ubuntu-18"],
+ "script": "{{user `GOSRC`}}/{{user `PACKER_BASE`}}/ubuntu_setup.sh",
+ "environment_vars": [
+ "SCRIPT_BASE={{user `SCRIPT_BASE`}}",
+ "CNI_COMMIT={{user `CNI_COMMIT`}}",
+ "CRIO_COMMIT={{user `CRIO_COMMIT`}}",
+ "RUNC_COMMIT={{user `RUNC_COMMIT`}}"
+ ]
+ }
+ ]
+}
diff --git a/contrib/cirrus/packer/rhel_setup.sh b/contrib/cirrus/packer/rhel_setup.sh
new file mode 100644
index 000000000..b776a0d97
--- /dev/null
+++ b/contrib/cirrus/packer/rhel_setup.sh
@@ -0,0 +1,111 @@
+#!/bin/bash
+
+# This script is called by packer on the subject CentOS VM, to setup the podman
+# build/test environment. It's not intended to be used outside of this context.
+
+set -e
+
+# Load in library (copied by packer, before this script was run)
+source /tmp/libpod/$SCRIPT_BASE/lib.sh
+
+req_env_var "
+SCRIPT_BASE $SCRIPT_BASE
+CNI_COMMIT $CNI_COMMIT
+CRIO_COMMIT $CRIO_COMMIT
+RHSM_COMMAND $RHSM_COMMAND
+"
+
+install_ooe
+
+export GOPATH="$(mktemp -d)"
+export RHSMCMD="$(mktemp)"
+
+exit_handler() {
+ set +ex
+ cd /
+ sudo rm -rf "$RHSMCMD"
+ sudo rm -rf "$GOPATH"
+ sudo subscription-manager remove --all
+ sudo subscription-manager unregister
+ sudo subscription-manager clean
+}
+trap "exit_handler" EXIT
+
+# Avoid logging sensitive details
+echo "$RHSM_COMMAND" > "$RHSMCMD"
+ooe.sh sudo bash "$RHSMCMD"
+sudo rm -rf "$RHSMCMD"
+
+ooe.sh sudo yum -y erase "rh-amazon-rhui-client*"
+ooe.sh sudo subscription-manager repos "--disable=*"
+ooe.sh sudo subscription-manager repos \
+ --enable=rhel-7-server-rpms \
+ --enable=rhel-7-server-optional-rpms \
+ --enable=rhel-7-server-extras-rpms \
+ --enable=rhel-server-rhscl-7-rpms
+
+ooe.sh sudo yum -y update
+
+# Frequently needed
+ooe.sh sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
+
+# Required for google to manage ssh keys
+sudo tee -a /etc/yum.repos.d/google-cloud-sdk.repo << EOM
+[google-cloud-compute]
+name=google-cloud-compute
+baseurl=https://packages.cloud.google.com/yum/repos/google-cloud-compute-el7-x86_64
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
+ https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
+EOM
+
+ooe.sh sudo yum -y install \
+ atomic-registries \
+ btrfs-progs-devel \
+ bzip2 \
+ device-mapper-devel \
+ findutils \
+ glib2-devel \
+ glibc-static \
+ gnupg \
+ golang \
+ golang-github-cpuguy83-go-md2man \
+ golang-github-cpuguy83-go-md2man \
+ google-compute-engine \
+ google-compute-engine-oslogin \
+ gpgme-devel \
+ iptables \
+ libassuan-devel \
+ libseccomp-devel \
+ libselinux-devel \
+ lsof \
+ make \
+ nmap-ncat \
+ ostree-devel \
+ python \
+ python34-dateutil \
+ python34-psutil \
+ python34-pytoml \
+ runc \
+ skopeo-containers \
+ unzip \
+ which \
+ xz
+
+install_scl_git
+
+install_cni_plugins
+
+install_buildah
+
+install_conmon
+
+install_packer_copied_files
+
+exit_handler # release subscription!
+
+rh_finalize
+
+echo "SUCCESS!"
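Review bot: The EPEL release package is installed directly from a URL; as far as I recall yum's `localpkg_gpgcheck` defaults to off, so unlike the repo-installed packages this RPM's signature is not checked and only TLS stands between the builder and the file, while the `.repo` file added just below does set `gpgcheck=1`/`repo_gpgcheck=1`. Importing the EPEL signing key first and setting `localpkg_gpgcheck=1` in yum.conf (or installing `epel-release` from the extras repo) would make the two paths consistent; hedge: verify the default on the RHEL 7 base in use. The header comment still says "subject CentOS VM" and should read `# This script is called by packer on the subject RHEL VM, to setup the podman`. `exit_handler` is called explicitly at the end and again by the EXIT trap, so `subscription-manager unregister` runs twice; harmless under `set +ex`, but a comment noting it is intentional would help.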
diff --git a/contrib/cirrus/packer/ubuntu_setup.sh b/contrib/cirrus/packer/ubuntu_setup.sh
new file mode 100644
index 000000000..96b3a573f
--- /dev/null
+++ b/contrib/cirrus/packer/ubuntu_setup.sh
@@ -0,0 +1,93 @@
+#!/bin/bash
+
+# This script is called by packer on the subject Ubuntu VM, to setup the podman
+# build/test environment. It's not intended to be used outside of this context.
+
+set -e
+
+# Load in library (copied by packer, before this script was run)
+source /tmp/libpod/$SCRIPT_BASE/lib.sh
+
+req_env_var "
+SCRIPT_BASE $SCRIPT_BASE
+CNI_COMMIT $CNI_COMMIT
+CRIO_COMMIT $CRIO_COMMIT
+RUNC_COMMIT $RUNC_COMMIT
+"
+
+install_ooe
+
+export GOPATH="$(mktemp -d)"
+trap "sudo rm -rf $GOPATH" EXIT
+
+ooe.sh sudo apt-get -qq update
+ooe.sh sudo apt-get -qq update # sometimes it needs to get it twice :S
+ooe.sh sudo apt-get -qq upgrade
+ooe.sh sudo apt-get -qq install --no-install-recommends \
+ apparmor \
+ autoconf \
+ automake \
+ bison \
+ btrfs-tools \
+ build-essential \
+ curl \
+ e2fslibs-dev \
+ gawk \
+ gettext \
+ golang \
+ go-md2man \
+ iptables \
+ libaio-dev \
+ libapparmor-dev \
+ libcap-dev \
+ libdevmapper-dev \
+ libdevmapper1.02.1 \
+ libfuse-dev \
+ libglib2.0-dev \
+ libgpgme11-dev \
+ liblzma-dev \
+ libostree-dev \
+ libprotobuf-c0-dev \
+ libprotobuf-dev \
+ libtool \
+ libtool \
+ libudev-dev \
+ lsof \
+ netcat \
+ pkg-config \
+ protobuf-c-compiler \
+ protobuf-compiler \
+ python-minimal \
+ python3-dateutil \
+ python3-pip \
+ python3-psutil \
+ python3-pytoml \
+ python3-setuptools \
+ socat \
+ unzip \
+ xz-utils
+
+echo "Fixing Ubuntu kernel not enabling swap accounting by default"
+SEDCMD='s/^GRUB_CMDLINE_LINUX="(.*)"/GRUB_CMDLINE_LINUX="\1 cgroup_enable=memory swapaccount=1"/g'
+ooe.sh sudo sed -re "$SEDCMD" -i /etc/default/grub.d/*
+ooe.sh sudo sed -re "$SEDCMD" -i /etc/default/grub
+ooe.sh sudo update-grub
+
+install_runc
+
+install_conmon
+
+install_cni_plugins
+
+install_buildah
+
+install_packer_copied_files
+
+install_varlink
+
+sudo curl https://raw.githubusercontent.com/projectatomic/registries/master/registries.fedora\
+ -o /etc/containers/registries.conf
+
+ubuntu_finalize
+
+echo "SUCCESS!"
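Review bot: The `registries.conf` fetch uses `sudo curl` with no `-f`, so an HTTP error body would be written into /etc/containers/registries.conf and the script would still report success; it also pulls from the `master` branch at build time, so the list of registries the image trusts changes between builds with no record of which revision was used, and it bypasses the `ooe.sh` logging the rest of the script uses. Pin the revision and fail on HTTP errors: `ooe.sh sudo curl -fsSL "https://raw.githubusercontent.com/projectatomic/registries/<PINNED_COMMIT>/registries.fedora" -o /etc/containers/registries.conf` (placeholder for the commit to pin). `sed -re "$SEDCMD" -i /etc/default/grub.d/*` errors out under `set -e` if that directory is empty on the base image; guarding with `shopt -s nullglob` or checking the glob first avoids a spurious build failure.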
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
new file mode 100755
index 000000000..2302f0e15
--- /dev/null
+++ b/contrib/cirrus/setup_environment.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+set -e
+source $(dirname $0)/lib.sh
+
+req_env_var "
+CI $CI
+USER $USER
+HOME $HOME
+ENVLIB $ENVLIB
+SCRIPT_BASE $SCRIPT_BASE
+CIRRUS_BUILD_ID $CIRRUS_BUILD_ID"
+
+[[ "$SHELL" =~ "bash" ]] || chsh -s /bin/bash
+
+cd "$CIRRUS_WORKING_DIR" # for clarity of initial conditions
+
+# Verify basic dependencies
+for depbin in go rsync unzip sha256sum curl make
+do
+ if ! type -P "$depbin" &> /dev/null
+ then
+ echo "ERROR: $depbin binary not found in $PATH"
+ exit 2
+ fi
+done
+
+# Setup env. vars common to all tasks/scripts/platforms and
+# ensure they return for every following script execution.
+MARK="# Added by $0, manual changes will be lost."
+touch "$HOME/$ENVLIB"
+if ! grep -q "$MARK" "$HOME/$ENVLIB"
+then
+ cp "$HOME/$ENVLIB" "$HOME/${ENVLIB}_original"
+ # N/B: Single-quote items evaluated every time, double-quotes only once (right now).
+ for envstr in \
+ "$MARK" \
+ "export HEAD=\"$CIRRUS_CHANGE_IN_REPO\"" \
+ "export TRAVIS=\"1\"" \
+ "export GOSRC=\"$CIRRUS_WORKING_DIR\"" \
+ "export OS_RELEASE_ID=\"$(os_release_id)\"" \
+ "export OS_RELEASE_VER=\"$(os_release_ver)\"" \
+ "export OS_REL_VER=\"${OS_RELEASE_ID}-${OS_RELEASE_VER}\"" \
+ "export GOPATH=\"/go\"" \
+ 'export PATH="$HOME/bin:$GOPATH/bin:/usr/local/bin:$PATH"' \
+ 'export LD_LIBRARY_PATH="/usr/local/lib${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}"'
+ do
+ # Make permanent in later shells, and set in current shell
+ X=$(echo "$envstr" | tee -a "$HOME/$ENVLIB") && eval "$X" && echo "$X"
+ done
+
+ # Some setup needs to vary between distros
+ case "${OS_RELEASE_ID}-${OS_RELEASE_VER}" in
+ ubuntu-18)
+ envstr='export BUILDTAGS="seccomp $($GOSRC/hack/btrfs_tag.sh) $($GOSRC/hack/btrfs_installed_tag.sh) $($GOSRC/hack/ostree_tag.sh) varlink exclude_graphdriver_devicemapper"'
+ ;;
+ fedora-28) ;& # Continue to the next item
+ centos-7) ;&
+ rhel-7)
+ envstr='unset BUILDTAGS' # Use default from Makefile
+ ;;
+ *) bad_os_id_ver ;;
+ esac
+ X=$(echo "$envstr" | tee -a "$HOME/$ENVLIB") && eval "$X" && echo "$X"
+
+ # Do the same for golang env. vars
+ go env | while read envline
+ do
+ X=$(echo "export $envline" | tee -a "$HOME/$ENVLIB") && eval "$X" && echo "$X"
+ done
+
+ cd "${GOSRC}/"
+ source "$SCRIPT_BASE/lib.sh"
+
+ # Only testing-VMs need deps installed
+ [[ -n "$PACKER_BUILDS" ]] || install_testing_dependencies # must exist in $GOPATH
+fi
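Review bot: `grep -q "$MARK"` treats the marker as a basic regex, and `$MARK` embeds `$0` plus punctuation, so the idempotency check depends on the script being invoked by exactly the same path each time and on regex metacharacters in that path; `grep -qF -- "$MARK"` makes the match literal, and a fixed marker string (not derived from `$0`) makes it path-independent. `export TRAVIS="1"` is set without explanation; presumably some test helpers key off it, so a one-line comment saying which would stop it being removed as a leftover. Each `X=$(echo ... | tee -a ...) && eval "$X"` both persists and evaluates the line, which is fine for these fixed strings but worth a comment that `$envstr` must never carry untrusted content since it is eval'd.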
diff --git a/contrib/cirrus/unit_test.sh b/contrib/cirrus/unit_test.sh
new file mode 100755
index 000000000..cacc23045
--- /dev/null
+++ b/contrib/cirrus/unit_test.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -e
+source $(dirname $0)/lib.sh
+
+req_env_var "
+GOSRC $GOSRC
+OS_RELEASE_ID $OS_RELEASE_ID
+OS_RELEASE_VER $OS_RELEASE_VER
+"
+
+show_env_vars
+
+set -x
+cd "$GOSRC"
+case "${OS_RELEASE_ID}-${OS_RELEASE_VER}" in
+ ubuntu-18)
+ make localunit "BUILDTAGS=$BUILDTAGS"
+ make "BUILDTAGS=$BUILDTAGS"
+ ;;
+ fedora-28)
+ make localunit
+ make
+ ;;
+ centos-7) ;& # Continue to the next item
+ rhel-7)
+ stub 'unit testing not working on $OS_RELEASE_ID'
+ ;;
+ *) bad_os_id_ver ;;
+esac
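Review bot: `source $(dirname $0)/lib.sh` on the fourth line is unquoted, so a checkout path containing whitespace or glob characters is word-split before `source` sees it and, with `set -e`, the script dies with a misleading error; write it as `source "$(dirname "$0")/lib.sh"`. The `stub` message in the centos-7/rhel-7 branch is single-quoted, so `$OS_RELEASE_ID` is passed literally; unless `stub` in lib.sh (not visible here) expands its argument, the log will show the variable name rather than the distro, and `stub "unit testing not working on $OS_RELEASE_ID"` is probably what was intended.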
diff --git a/libpod/container_easyjson.go b/libpod/container_easyjson.go
index 2d0481f3b..916118aec 100644
--- a/libpod/container_easyjson.go
+++ b/libpod/container_easyjson.go
@@ -1,3 +1,5 @@
+// +build seccomp ostree selinux varlink exclude_graphdriver_devicemapper
+
// Code generated by easyjson for marshaling/unmarshaling. DO NOT EDIT.
package libpod
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index c925f070b..77bba9e85 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -15,9 +15,9 @@ import (
"github.com/containers/libpod/pkg/chrootuser"
"github.com/containers/libpod/pkg/hooks"
"github.com/containers/libpod/pkg/hooks/exec"
+ "github.com/containers/libpod/pkg/resolvconf"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/pkg/secrets"
- "github.com/containers/libpod/pkg/util"
"github.com/containers/storage"
"github.com/containers/storage/pkg/archive"
"github.com/containers/storage/pkg/chrootarchive"
@@ -1017,12 +1017,6 @@ func (c *Container) writeStringToRundir(destFile, output string) (string, error)
return filepath.Join(c.state.DestinationRunDir, destFile), nil
}
-type resolvConf struct {
- nameServers []string
- searchDomains []string
- options []string
-}
-
// generateResolvConf generates a containers resolv.conf
func (c *Container) generateResolvConf() (string, error) {
// Determine the endpoint for resolv.conf in case it is a symlink
@@ -1030,86 +1024,56 @@ func (c *Container) generateResolvConf() (string, error) {
if err != nil {
return "", err
}
- orig, err := ioutil.ReadFile(resolvPath)
+
+ contents, err := ioutil.ReadFile(resolvPath)
if err != nil {
return "", errors.Wrapf(err, "unable to read %s", resolvPath)
}
- if len(c.config.DNSServer) == 0 && len(c.config.DNSSearch) == 0 && len(c.config.DNSOption) == 0 {
- return c.writeStringToRundir("resolv.conf", fmt.Sprintf("%s", orig))
- }
-
- // Read and organize the hosts /etc/resolv.conf
- resolv := createResolv(string(orig[:]))
- // Populate the resolv struct with user's dns search domains
- if len(c.config.DNSSearch) > 0 {
- resolv.searchDomains = nil
- // The . character means the user doesnt want any search domains in the container
- if !util.StringInSlice(".", c.config.DNSSearch) {
- resolv.searchDomains = append(resolv.searchDomains, c.Config().DNSSearch...)
- }
+ // Process the file to remove localhost nameservers
+ // TODO: set ipv6 enable bool more sanely
+ resolv, err := resolvconf.FilterResolvDNS(contents, true)
+ if err != nil {
+ return "", errors.Wrapf(err, "error parsing host resolv.conf")
}
- // Populate the resolv struct with user's dns servers
+ // Make a new resolv.conf
+ nameservers := resolvconf.GetNameservers(resolv.Content)
if len(c.config.DNSServer) > 0 {
- resolv.nameServers = nil
- for _, i := range c.config.DNSServer {
- resolv.nameServers = append(resolv.nameServers, i.String())
+ // We store DNS servers as net.IP, so need to convert to string
+ nameservers = []string{}
+ for _, server := range c.config.DNSServer {
+ nameservers = append(nameservers, server.String())
}
}
- // Populate the resolve struct with the users dns options
+ search := resolvconf.GetSearchDomains(resolv.Content)
+ if len(c.config.DNSSearch) > 0 {
+ search = c.config.DNSSearch
+ }
+
+ options := resolvconf.GetOptions(resolv.Content)
if len(c.config.DNSOption) > 0 {
- resolv.options = nil
- resolv.options = append(resolv.options, c.Config().DNSOption...)
+ options = c.config.DNSOption
}
- return c.writeStringToRundir("resolv.conf", resolv.ToString())
-}
-// createResolv creates a resolv struct from an input string
-func createResolv(input string) resolvConf {
- var resolv resolvConf
- for _, line := range strings.Split(input, "\n") {
- if strings.HasPrefix(line, "search") {
- fields := strings.Fields(line)
- if len(fields) < 2 {
- logrus.Debugf("invalid resolv.conf line %s", line)
- continue
- }
- resolv.searchDomains = append(resolv.searchDomains, fields[1:]...)
- } else if strings.HasPrefix(line, "nameserver") {
- fields := strings.Fields(line)
- if len(fields) < 2 {
- logrus.Debugf("invalid resolv.conf line %s", line)
- continue
- }
- resolv.nameServers = append(resolv.nameServers, fields[1])
- } else if strings.HasPrefix(line, "options") {
- fields := strings.Fields(line)
- if len(fields) < 2 {
- logrus.Debugf("invalid resolv.conf line %s", line)
- continue
- }
- resolv.options = append(resolv.options, fields[1:]...)
- }
+ destPath := filepath.Join(c.state.RunDir, "resolv.conf")
+
+ if err := os.Remove(destPath); err != nil && !os.IsNotExist(err) {
+ return "", errors.Wrapf(err, "error removing resolv.conf for container %s", c.ID())
}
- return resolv
-}
-//ToString returns a resolv struct in the form of a resolv.conf
-func (r resolvConf) ToString() string {
- var result string
- // Populate the output string with search domains
- result += fmt.Sprintf("search %s\n", strings.Join(r.searchDomains, " "))
- // Populate the output string with name servers
- for _, i := range r.nameServers {
- result += fmt.Sprintf("nameserver %s\n", i)
+ // Build resolv.conf
+ if _, err = resolvconf.Build(destPath, nameservers, search, options); err != nil {
+ return "", errors.Wrapf(err, "error building resolv.conf for container %s")
}
- // Populate the output string with dns options
- for _, i := range r.options {
- result += fmt.Sprintf("options %s\n", i)
+
+ // Relabel resolv.conf for the container
+ if err := label.Relabel(destPath, c.config.MountLabel, false); err != nil {
+ return "", err
}
- return result
+
+ return filepath.Join(c.state.DestinationRunDir, "resolv.conf"), nil
}
// generateHosts creates a containers hosts file
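Review bot: The error wrap after `resolvconf.Build` has a `%s` verb with no argument — `errors.Wrapf(err, "error building resolv.conf for container %s")` — so the message will render `%!s(MISSING)` and `go vet` flags it; it should read `return "", errors.Wrapf(err, "error building resolv.conf for container %s", c.ID())`, matching the `os.Remove` wrap a few lines above. Separately, the rewrite drops the old short-circuit that copied the host file verbatim when no DNS options were configured, so every container now passes through `FilterResolvDNS`: a host whose resolv.conf lists only loopback nameservers (a local stub resolver) will have them stripped and replaced by the package's hard-coded external defaults rather than inheriting the host view. That looks deliberate but is a visible behaviour change and deserves a comment at the `FilterResolvDNS` call, e.g. `// Loopback nameservers are unreachable from the container netns; they are stripped and, if none remain, resolvconf substitutes its built-in defaults.` generateResolvConf's signature is in the preceding hunk, outside this one.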
diff --git a/pkg/resolvconf/dns/resolvconf.go b/pkg/resolvconf/dns/resolvconf.go
new file mode 100644
index 000000000..cb4bd1033
--- /dev/null
+++ b/pkg/resolvconf/dns/resolvconf.go
@@ -0,0 +1,28 @@
+// Originally from github.com/docker/libnetwork/resolvconf/dns
+
+package dns
+
+import (
+ "regexp"
+)
+
+// IPLocalhost is a regex pattern for IPv4 or IPv6 loopback range.
+const IPLocalhost = `((127\.([0-9]{1,3}\.){2}[0-9]{1,3})|(::1)$)`
+
+// IPv4Localhost is a regex pattern for IPv4 localhost address range.
+const IPv4Localhost = `(127\.([0-9]{1,3}\.){2}[0-9]{1,3})`
+
+var localhostIPRegexp = regexp.MustCompile(IPLocalhost)
+var localhostIPv4Regexp = regexp.MustCompile(IPv4Localhost)
+
+// IsLocalhost returns true if ip matches the localhost IP regular expression.
+// Used for determining if nameserver settings are being passed which are
+// localhost addresses
+func IsLocalhost(ip string) bool {
+ return localhostIPRegexp.MatchString(ip)
+}
+
+// IsIPv4Localhost returns true if ip matches the IPv4 localhost regular expression.
+func IsIPv4Localhost(ip string) bool {
+ return localhostIPv4Regexp.MatchString(ip)
+}
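Review bot: `IsLocalhost` applies `IPLocalhost` unanchored, and the `::1` alternative carries only a trailing `$`, so any IPv6 address ending in `::1` — `fd00::1`, `2001:db8::1`, typical gateway/resolver addresses — is reported as loopback, while `1127.0.0.1` or `127.0.0.1234` satisfy `IsIPv4Localhost` because the IPv4 alternative is anchored at neither end. The regex constants can stay for the `nameserver`-line patterns built from them in resolvconf.go, where the `^nameserver\s+` prefix effectively anchors the start, but the standalone predicates should parse the address instead: `parsed := net.ParseIP(ip)` / `return parsed != nil && parsed.IsLoopback()` for `IsLocalhost`, and `parsed != nil && parsed.To4() != nil && parsed.IsLoopback()` for the IPv4 variant (adds `net` to the imports). No caller of these two functions is visible in this diff, so whether the false positives are currently reachable cannot be confirmed from here.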
diff --git a/pkg/resolvconf/resolvconf.go b/pkg/resolvconf/resolvconf.go
new file mode 100644
index 000000000..fccd60093
--- /dev/null
+++ b/pkg/resolvconf/resolvconf.go
@@ -0,0 +1,242 @@
+// Package resolvconf provides utility code to query and update DNS configuration in /etc/resolv.conf.
+// Originally from github.com/docker/libnetwork/resolvconf.
+package resolvconf
+
+import (
+ "bytes"
+ "io/ioutil"
+ "regexp"
+ "strings"
+ "sync"
+
+ "github.com/containers/libpod/pkg/resolvconf/dns"
+ "github.com/docker/docker/pkg/ioutils"
+ "github.com/sirupsen/logrus"
+)
+
+const (
+ // DefaultResolvConf points to the default file used for dns configuration on a linux machine
+ DefaultResolvConf = "/etc/resolv.conf"
+)
+
+var (
+ // Note: the default IPv4 & IPv6 resolvers are set to Google's Public DNS
+ defaultIPv4Dns = []string{"nameserver 8.8.8.8", "nameserver 8.8.4.4"}
+ defaultIPv6Dns = []string{"nameserver 2001:4860:4860::8888", "nameserver 2001:4860:4860::8844"}
+ ipv4NumBlock = `(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)`
+ ipv4Address = `(` + ipv4NumBlock + `\.){3}` + ipv4NumBlock
+ // This is not an IPv6 address verifier as it will accept a super-set of IPv6, and also
+ // will *not match* IPv4-Embedded IPv6 Addresses (RFC6052), but that and other variants
+ // -- e.g. other link-local types -- either won't work in containers or are unnecessary.
+ // For readability and sufficiency for Docker purposes this seemed more reasonable than a
+ // 1000+ character regexp with exact and complete IPv6 validation
+ ipv6Address = `([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{0,4})(%\w+)?`
+
+ localhostNSRegexp = regexp.MustCompile(`(?m)^nameserver\s+` + dns.IPLocalhost + `\s*\n*`)
+ nsIPv6Regexp = regexp.MustCompile(`(?m)^nameserver\s+` + ipv6Address + `\s*\n*`)
+ nsRegexp = regexp.MustCompile(`^\s*nameserver\s*((` + ipv4Address + `)|(` + ipv6Address + `))\s*$`)
+ searchRegexp = regexp.MustCompile(`^\s*search\s*(([^\s]+\s*)*)$`)
+ optionsRegexp = regexp.MustCompile(`^\s*options\s*(([^\s]+\s*)*)$`)
+)
+
+var lastModified struct {
+ sync.Mutex
+ sha256 string
+ contents []byte
+}
+
+// File contains the resolv.conf content and its hash
+type File struct {
+ Content []byte
+ Hash string
+}
+
+// Get returns the contents of /etc/resolv.conf and its hash
+func Get() (*File, error) {
+ return GetSpecific(DefaultResolvConf)
+}
+
+// GetSpecific returns the contents of the user specified resolv.conf file and its hash
+func GetSpecific(path string) (*File, error) {
+ resolv, err := ioutil.ReadFile(path)
+ if err != nil {
+ return nil, err
+ }
+ hash, err := ioutils.HashData(bytes.NewReader(resolv))
+ if err != nil {
+ return nil, err
+ }
+ return &File{Content: resolv, Hash: hash}, nil
+}
+
+// GetIfChanged retrieves the host /etc/resolv.conf file, checks against the last hash
+// and, if modified since last check, returns the bytes and new hash.
+// This feature is used by the resolv.conf updater for containers
+func GetIfChanged() (*File, error) {
+ lastModified.Lock()
+ defer lastModified.Unlock()
+
+ resolv, err := ioutil.ReadFile("/etc/resolv.conf")
+ if err != nil {
+ return nil, err
+ }
+ newHash, err := ioutils.HashData(bytes.NewReader(resolv))
+ if err != nil {
+ return nil, err
+ }
+ if lastModified.sha256 != newHash {
+ lastModified.sha256 = newHash
+ lastModified.contents = resolv
+ return &File{Content: resolv, Hash: newHash}, nil
+ }
+ // nothing changed, so return no data
+ return nil, nil
+}
+
+// GetLastModified retrieves the last used contents and hash of the host resolv.conf.
+// Used by containers updating on restart
+func GetLastModified() *File {
+ lastModified.Lock()
+ defer lastModified.Unlock()
+
+ return &File{Content: lastModified.contents, Hash: lastModified.sha256}
+}
+
+// FilterResolvDNS cleans up the config in resolvConf. It has two main jobs:
+// 1. It looks for localhost (127.*|::1) entries in the provided
+// resolv.conf, removing local nameserver entries, and, if the resulting
+// cleaned config has no defined nameservers left, adds default DNS entries
+// 2. Given the caller provides the enable/disable state of IPv6, the filter
+// code will remove all IPv6 nameservers if it is not enabled for containers
+//
+func FilterResolvDNS(resolvConf []byte, ipv6Enabled bool) (*File, error) {
+ cleanedResolvConf := localhostNSRegexp.ReplaceAll(resolvConf, []byte{})
+ // if IPv6 is not enabled, also clean out any IPv6 address nameserver
+ if !ipv6Enabled {
+ cleanedResolvConf = nsIPv6Regexp.ReplaceAll(cleanedResolvConf, []byte{})
+ }
+ // if the resulting resolvConf has no more nameservers defined, add appropriate
+ // default DNS servers for IPv4 and (optionally) IPv6
+ if len(GetNameservers(cleanedResolvConf)) == 0 {
+ logrus.Infof("No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: %v", defaultIPv4Dns)
+ dns := defaultIPv4Dns
+ if ipv6Enabled {
+ logrus.Infof("IPv6 enabled; Adding default IPv6 external servers: %v", defaultIPv6Dns)
+ dns = append(dns, defaultIPv6Dns...)
+ }
+ cleanedResolvConf = append(cleanedResolvConf, []byte("\n"+strings.Join(dns, "\n"))...)
+ }
+ hash, err := ioutils.HashData(bytes.NewReader(cleanedResolvConf))
+ if err != nil {
+ return nil, err
+ }
+ return &File{Content: cleanedResolvConf, Hash: hash}, nil
+}
+
+// getLines parses input into lines and strips away comments.
+func getLines(input []byte, commentMarker []byte) [][]byte {
+ lines := bytes.Split(input, []byte("\n"))
+ var output [][]byte
+ for _, currentLine := range lines {
+ var commentIndex = bytes.Index(currentLine, commentMarker)
+ if commentIndex == -1 {
+ output = append(output, currentLine)
+ } else {
+ output = append(output, currentLine[:commentIndex])
+ }
+ }
+ return output
+}
+
+// GetNameservers returns nameservers (if any) listed in /etc/resolv.conf
+func GetNameservers(resolvConf []byte) []string {
+ nameservers := []string{}
+ for _, line := range getLines(resolvConf, []byte("#")) {
+ ns := nsRegexp.FindSubmatch(line)
+ if len(ns) > 0 {
+ nameservers = append(nameservers, string(ns[1]))
+ }
+ }
+ return nameservers
+}
+
+// GetNameserversAsCIDR returns nameservers (if any) listed in
+// /etc/resolv.conf as CIDR blocks (e.g., "1.2.3.4/32")
+// This function's output is intended for net.ParseCIDR
+func GetNameserversAsCIDR(resolvConf []byte) []string {
+ nameservers := []string{}
+ for _, nameserver := range GetNameservers(resolvConf) {
+ var address string
+ // If IPv6, strip zone if present
+ if strings.Contains(nameserver, ":") {
+ address = strings.Split(nameserver, "%")[0] + "/128"
+ } else {
+ address = nameserver + "/32"
+ }
+ nameservers = append(nameservers, address)
+ }
+ return nameservers
+}
+
+// GetSearchDomains returns search domains (if any) listed in /etc/resolv.conf
+// If more than one search line is encountered, only the contents of the last
+// one is returned.
+func GetSearchDomains(resolvConf []byte) []string {
+ domains := []string{}
+ for _, line := range getLines(resolvConf, []byte("#")) {
+ match := searchRegexp.FindSubmatch(line)
+ if match == nil {
+ continue
+ }
+ domains = strings.Fields(string(match[1]))
+ }
+ return domains
+}
+
+// GetOptions returns options (if any) listed in /etc/resolv.conf
+// If more than one options line is encountered, only the contents of the last
+// one is returned.
+func GetOptions(resolvConf []byte) []string {
+ options := []string{}
+ for _, line := range getLines(resolvConf, []byte("#")) {
+ match := optionsRegexp.FindSubmatch(line)
+ if match == nil {
+ continue
+ }
+ options = strings.Fields(string(match[1]))
+ }
+ return options
+}
+
+// Build writes a configuration file to path containing a "nameserver" entry
+// for every element in dns, a "search" entry for every element in
+// dnsSearch, and an "options" entry for every element in dnsOptions.
+func Build(path string, dns, dnsSearch, dnsOptions []string) (*File, error) {
+ content := bytes.NewBuffer(nil)
+ if len(dnsSearch) > 0 {
+ if searchString := strings.Join(dnsSearch, " "); strings.Trim(searchString, " ") != "." {
+ if _, err := content.WriteString("search " + searchString + "\n"); err != nil {
+ return nil, err
+ }
+ }
+ }
+ for _, dns := range dns {
+ if _, err := content.WriteString("nameserver " + dns + "\n"); err != nil {
+ return nil, err
+ }
+ }
+ if len(dnsOptions) > 0 {
+ if optsString := strings.Join(dnsOptions, " "); strings.Trim(optsString, " ") != "" {
+ if _, err := content.WriteString("options " + optsString + "\n"); err != nil {
+ return nil, err
+ }
+ }
+ }
+
+ hash, err := ioutils.HashData(bytes.NewReader(content.Bytes()))
+ if err != nil {
+ return nil, err
+ }
+
+ return &File{Content: content.Bytes(), Hash: hash}, ioutil.WriteFile(path, content.Bytes(), 0644)
+}
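Review bot: `FilterResolvDNS` falls back to Google Public DNS (`defaultIPv4Dns`/`defaultIPv6Dns`) whenever stripping loopback entries leaves no nameserver and announces it only at Info level; on a host whose `/etc/resolv.conf` points solely at a local stub resolver such as systemd-resolved's `127.0.0.53`, this silently sends every container's DNS queries to a third party and bypasses the host's resolver policy, including any split-horizon or internal-zone configuration. At minimum the `No non-localhost DNS nameservers` log should be `logrus.Warnf`, and the function's doc comment should spell out the consequence, e.g. `// NOTE: if no nameserver survives filtering the container is pointed at Google Public DNS; on hosts with a local stub resolver, callers should supply the real upstream servers (e.g. from /run/systemd/resolve/resolv.conf) or via --dns.` Minor: `GetIfChanged` reads the literal `"/etc/resolv.conf"` instead of `DefaultResolvConf`, and `Build` returns a populated `*File` alongside a possibly non-nil error from `ioutil.WriteFile`; write the file first with `if err := ioutil.WriteFile(path, content.Bytes(), 0644); err != nil { return nil, err }` and only then return the `File`.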