diff options
37 files changed, 911 insertions, 88 deletions
diff --git a/.cirrus.yml b/.cirrus.yml index f044b98ab..e56ba9086 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -26,11 +26,11 @@ env: #### FEDORA_NAME: "fedora-34beta" PRIOR_FEDORA_NAME: "fedora-33" - UBUNTU_NAME: "ubuntu-2010" - PRIOR_UBUNTU_NAME: "ubuntu-2004" + UBUNTU_NAME: "ubuntu-2104" + PRIOR_UBUNTU_NAME: "ubuntu-2010" # Google-cloud VM Images - IMAGE_SUFFIX: "c5032481331085312" + IMAGE_SUFFIX: "c6731272010596352" FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}" PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}" UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}" diff --git a/.github/workflows/multi-arch-build.yaml b/.github/workflows/multi-arch-build.yaml index 1781604fe..e4ab88544 100644 --- a/.github/workflows/multi-arch-build.yaml +++ b/.github/workflows/multi-arch-build.yaml @@ -69,55 +69,73 @@ jobs: - name: Generate image information id: image_info run: | + VERSION='v${{ steps.sniff_test.outputs.version }}' + # workaround vim syntax-hilighting bug: ' if [[ "${{ matrix.source }}" == 'stable' ]]; then # quay.io/podman/stable:vX.X.X ALLTAGS=$(skopeo list-tags \ - docker://${{ env.PODMAN_QUAY_REGISTRY }}/stable | \ + docker://$PODMAN_QUAY_REGISTRY/stable | \ jq -r '.Tags[]') PUSH="false" - if fgrep -qx "$VERSION" <<<"$ALLTAGS"; then + if ! fgrep -qx "$VERSION" <<<"$ALLTAGS"; then PUSH="true" fi - FQIN='${{ env.PODMAN_QUAY_REGISTRY }}/stable:v${{ steps.sniff_test.outputs.version }}' # workaround vim syntax-hilighting bug: ' + FQIN="$PODMAN_QUAY_REGISTRY/stable:$VERSION" # Only push if version tag does not exist if [[ "$PUSH" == "true" ]]; then echo "Will push $FQIN" - echo "::set-output name=podman_push::${PUSH}" + echo "::set-output name=podman_push::true" echo "::set-output name=podman_fqin::${FQIN}" + else + echo "Not pushing, $FQIN already exists." fi # quay.io/containers/podman:vX.X.X unset ALLTAGS ALLTAGS=$(skopeo list-tags \ - docker://${{ env.CONTAINERS_QUAY_REGISTRY }}/podman | \ + docker://$CONTAINERS_QUAY_REGISTRY/podman | \ jq -r '.Tags[]') PUSH="false" - if fgrep -qx "$VERSION" <<<"$ALLTAGS"; then + if ! fgrep -qx "$VERSION" <<<"$ALLTAGS"; then PUSH="true" fi - FQIN='${{ env.CONTAINERS_QUAY_REGISTRY}}/podman:v${{ steps.sniff_test.outputs.version }}' # workaround vim syntax-hilighting bug: ' + FQIN="$CONTAINERS_QUAY_REGISTRY/podman:$VERSION" # Only push if version tag does not exist if [[ "$PUSH" == "true" ]]; then echo "Will push $FQIN" - echo "::set-output name=containers_push::${PUSH}" + echo "::set-output name=containers_push::true" echo "::set-output name=containers_fqin::$FQIN" + else + echo "Not pushing, $FQIN already exists." fi - else # upstream and testing podman image - P_FQIN='${{ env.PODMAN_QUAY_REGISTRY }}/${{ matrix.source }}:master' # workaround vim syntax-hilighting bug: ' - C_FQIN='${{ env.CONTAINERS_QUAY_REGISTRY}}/podman:master' # workaround vim syntax-hilighting bug: ' + elif [[ "${{ matrix.source }}" == 'testing' ]]; then + P_FQIN="$PODMAN_QUAY_REGISTRY/testing:master" + echo "Will push $P_FQIN" + echo "::set-output name=podman_fqin::${P_FQIN}" + echo '::set-output name=podman_push::true' + elif [[ "${{ matrix.source }}" == 'upstream' ]]; then + P_FQIN="$PODMAN_QUAY_REGISTRY/upstream:master" + C_FQIN="$CONTAINERS_QUAY_REGISTRY/podman:master" echo "Will push $P_FQIN and $C_FQIN" echo "::set-output name=podman_fqin::${P_FQIN}" echo "::set-output name=containers_fqin::${C_FQIN}" # Always push 'master' tag echo '::set-output name=podman_push::true' echo '::set-output name=containers_push::true' + else + echo "::error ::Unknown matrix value ${{ matrix.source }}" + exit 1 fi - # Hack to set $LABELS env. var. in _future_ steps. + - name: Define LABELS multi-line env. var. value + run: | + # This is a really hacky/strange workflow idiom, required + # for setting multi-line $LABELS value for consumption in + # a future step. # https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#multiline-strings - cat << EOF | tee $GITHUB_ENV + cat << EOF | tee -a $GITHUB_ENV LABELS<<DELIMITER org.opencontainers.image.source=https://github.com/${{ github.repository }}.git org.opencontainers.image.revision=${{ github.sha }} @@ -425,8 +425,8 @@ pkg/api/swagger.yaml: .gopathok make -C pkg/api $(MANPAGES): %: %.md .install.md2man docdir - @sed -e 's/\((podman.*\.md)\)//' -e 's/\[\(podman.*\)\]/\1/' \ - -e 's;<\(/\)\?\(a[^>]*\|sup\)>;;g' $< | \ + @sed -e 's/\((podman[^)]*\.md)\)//g' -e 's/\[\(podman[^]]*\)\]/\1/g' \ + -e 's;<\(/\)\?\(a\|a\s\+[^>]*\|sup\)>;;g' $< | \ $(GOMD2MAN) -in /dev/stdin -out $(subst source/markdown,build/man,$@) .PHONY: docdir diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh index 2cd28e34a..16eb6735a 100644 --- a/contrib/cirrus/lib.sh +++ b/contrib/cirrus/lib.sh @@ -10,27 +10,17 @@ set -a # handling of the (otherwise) default shell setup is non-uniform. Rather # than attempt to workaround differences, simply force-load/set required # items every time this library is utilized. -_waserrexit=0 -if [[ "$SHELLOPTS" =~ errexit ]]; then _waserrexit=1; fi -set +e # Assumed in F33 for setting global vars -if [[ -r "/etc/automation_environment" ]]; then - source /etc/automation_environment -else # prior to automation library v2.0, this was necessary - source /etc/profile - source /etc/environment -fi -if [[ -r "/etc/ci_environment" ]]; then source /etc/ci_environment; fi USER="$(whoami)" HOME="$(getent passwd $USER | cut -d : -f 6)" # Some platforms set and make this read-only [[ -n "$UID" ]] || \ UID=$(getent passwd $USER | cut -d : -f 3) -if ((_waserrexit)); then set -e; fi -# During VM Image build, the 'containers/automation' installation -# was performed. The final step of installation sets the library -# location $AUTOMATION_LIB_PATH in /etc/environment or in the -# default shell profile depending on distribution. +# Automation library installed at image-build time, +# defining $AUTOMATION_LIB_PATH in this file. +if [[ -r "/etc/automation_environment" ]]; then + source /etc/automation_environment +fi # shellcheck disable=SC2154 if [[ -n "$AUTOMATION_LIB_PATH" ]]; then # shellcheck source=/usr/share/automation/lib/common_lib.sh @@ -43,6 +33,9 @@ else ) > /dev/stderr fi +# Managed by setup_environment.sh; holds task-specific definitions. +if [[ -r "/etc/ci_environment" ]]; then source /etc/ci_environment; fi + OS_RELEASE_ID="$(source /etc/os-release; echo $ID)" # GCE image-name compatible string representation of distribution _major_ version OS_RELEASE_VER="$(source /etc/os-release; echo $VERSION_ID | tr -d '.')" diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index a3e40cae7..482509e01 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -1371,6 +1371,7 @@ $ podman create --name container1 -t -i fedora bash $ podman create --name container2 -t -i fedora bash $ podman create --name container3 --requires container1,container2 -t -i fedora bash $ podman start --attach container3 +``` ### Configure keep supplemental groups for access to volume diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 6e8d9c2ad..0d1771cd4 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -1725,6 +1725,7 @@ Multiple containers can be required. $ podman create --name container1 -t -i fedora bash $ podman create --name container2 -t -i fedora bash $ podman run --name container3 --requires container1,container2 -t -i fedora bash +``` ### Configure keep supplemental groups for access to volume @@ -8,6 +8,7 @@ require ( github.com/buger/goterm v0.0.0-20181115115552-c206103e1f37 github.com/checkpoint-restore/checkpointctl v0.0.0-20210301084134-a2024f5584e7 github.com/checkpoint-restore/go-criu v0.0.0-20190109184317-bdb7599cd87b + github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9 github.com/containernetworking/cni v0.8.1 github.com/containernetworking/plugins v0.9.1 github.com/containers/buildah v1.20.1-0.20210402144408-36a37402d0c8 @@ -120,6 +120,8 @@ github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9 h1:Kn0s9/APRtr5dk/83aXj97WX0+PYnJK9BO8g0Xclm0I= +github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9/go.mod h1:eQt66kIaJpUhCrjCtBFQGQxGLbAUl0OuuwjTH16ON4s= github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE= github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU= github.com/containerd/aufs v0.0.0-20210316121734-20793ff83c97/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU= diff --git a/libpod/container_config.go b/libpod/container_config.go index 379e17285..ede6b1aab 100644 --- a/libpod/container_config.go +++ b/libpod/container_config.go @@ -368,4 +368,6 @@ type ContainerMiscConfig struct { Umask string `json:"umask,omitempty"` // PidFile is the file that saves the pid of the container process PidFile string `json:"pid_file,omitempty"` + // CDIDevices contains devices that use the CDI + CDIDevices []string `json:"cdiDevices,omitempty"` } diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index 1986f7438..f4762b5ff 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -20,6 +20,7 @@ import ( "time" metadata "github.com/checkpoint-restore/checkpointctl/lib" + cdi "github.com/container-orchestrated-devices/container-device-interface/pkg" cnitypes "github.com/containernetworking/cni/pkg/types/current" "github.com/containernetworking/plugins/pkg/ns" "github.com/containers/buildah/pkg/chrootuser" @@ -704,6 +705,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { } g.SetLinuxCgroupsPath(cgroupPath) + // Warning: CDI may alter g.Config in place. + if len(c.config.CDIDevices) > 0 { + if err = cdi.UpdateOCISpecForDevices(g.Config, c.config.CDIDevices); err != nil { + return nil, errors.Wrapf(err, "error setting up CDI devices") + } + } + // Mounts need to be sorted so paths will not cover other paths mounts := sortMounts(g.Mounts()) g.ClearMounts() diff --git a/libpod/image/prune.go b/libpod/image/prune.go index 0e41fde44..e0480d3d1 100644 --- a/libpod/image/prune.go +++ b/libpod/image/prune.go @@ -30,7 +30,7 @@ func generatePruneFilterFuncs(filter, filterValue string) (ImageFilter, error) { return nil, err } return func(i *Image) bool { - if !until.IsZero() && i.Created().After((until)) { + if !until.IsZero() && i.Created().Before(until) { return true } return false diff --git a/libpod/image/pull_test.go b/libpod/image/pull_test.go index 2e1464ad3..d2930451c 100644 --- a/libpod/image/pull_test.go +++ b/libpod/image/pull_test.go @@ -308,6 +308,12 @@ func TestPullGoalFromPossiblyUnqualifiedName(t *testing.T) { sc.UserShortNameAliasConfPath = aliasesConf.Name() sc.SystemRegistriesConfPath = registriesConf.Name() + // Make sure to not sure the system's registries.conf.d + dir, err := ioutil.TempDir("", "example") + require.NoError(t, err) + sc.SystemRegistriesConfDirPath = dir + defer os.RemoveAll(dir) // clean up + for _, c := range []struct { input string expected []pullRefStrings diff --git a/libpod/kube.go b/libpod/kube.go index 11ccaeadc..adcfe92c9 100644 --- a/libpod/kube.go +++ b/libpod/kube.go @@ -1,6 +1,7 @@ package libpod import ( + "fmt" "math/rand" "os" "strconv" @@ -539,11 +540,17 @@ func libpodMountsToKubeVolumeMounts(c *Container) ([]v1.VolumeMount, []v1.Volume namedVolumes, mounts := c.sortUserVolumes(c.config.Spec) vms := make([]v1.VolumeMount, 0, len(mounts)) vos := make([]v1.Volume, 0, len(mounts)) - for _, m := range mounts { + + var suffix string + for index, m := range mounts { vm, vo, err := generateKubeVolumeMount(m) if err != nil { return vms, vos, err } + // Name will be the same, so use the index as suffix + suffix = fmt.Sprintf("-%d", index) + vm.Name += suffix + vo.Name += suffix vms = append(vms, vm) vos = append(vos, vo) } diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go index 6e2c2880f..cfed5a1f2 100644 --- a/libpod/networking_linux.go +++ b/libpod/networking_linux.go @@ -577,7 +577,7 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) error { // set up port forwarder for CNI-in-slirp4netns netnsPath := ctr.state.NetNS.Path() // TODO: support slirp4netns port forwarder as well - return r.setupRootlessPortMappingViaRLK(ctr, netnsPath) + return r.setupRootlessPortMappingViaRLK(ctr, netnsPath, "") } return nil } diff --git a/libpod/networking_slirp4netns.go b/libpod/networking_slirp4netns.go index 72ab3c919..c46dc6972 100644 --- a/libpod/networking_slirp4netns.go +++ b/libpod/networking_slirp4netns.go @@ -312,7 +312,7 @@ func (r *Runtime) setupSlirp4netns(ctr *Container) error { if netOptions.isSlirpHostForward { return r.setupRootlessPortMappingViaSlirp(ctr, cmd, apiSocket) } - return r.setupRootlessPortMappingViaRLK(ctr, netnsPath) + return r.setupRootlessPortMappingViaRLK(ctr, netnsPath, netOptions.cidr) } return nil } @@ -363,7 +363,7 @@ func waitForSync(syncR *os.File, cmd *exec.Cmd, logFile io.ReadSeeker, timeout t return nil } -func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath string) error { +func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath, slirp4CIDR string) error { syncR, syncW, err := os.Pipe() if err != nil { return errors.Wrapf(err, "failed to open pipe") @@ -391,6 +391,16 @@ func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath strin } childIP := slirp4netnsIP + // set the correct childIP when a custom cidr is set + if slirp4CIDR != "" { + _, cidr, err := net.ParseCIDR(slirp4CIDR) + if err != nil { + return errors.Wrap(err, "failed to parse slirp4netns cidr") + } + // the slirp container ip is always the hundredth ip in the subnet + cidr.IP[len(cidr.IP)-1] = cidr.IP[len(cidr.IP)-1] + 100 + childIP = cidr.IP.String() + } outer: for _, r := range ctr.state.NetworkStatus { for _, i := range r.IPs { diff --git a/libpod/options.go b/libpod/options.go index c5c23ee16..39415a817 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -293,6 +293,17 @@ func WithHooksDir(hooksDirs ...string) RuntimeOption { } } +// WithCDI sets the devices to check for for CDI configuration. +func WithCDI(devices []string) CtrCreateOption { + return func(ctr *Container) error { + if ctr.valid { + return define.ErrCtrFinalized + } + ctr.config.CDIDevices = devices + return nil + } +} + // WithDefaultMountsFile sets the file to look at for default mounts (mainly // secrets). // Note we are not saving this in the database as it is for testing purposes diff --git a/libpod/runtime.go b/libpod/runtime.go index dc53d5ef1..3518ed25a 100644 --- a/libpod/runtime.go +++ b/libpod/runtime.go @@ -29,6 +29,7 @@ import ( "github.com/containers/podman/v3/pkg/rootless" "github.com/containers/podman/v3/pkg/util" "github.com/containers/storage" + "github.com/containers/storage/pkg/unshare" "github.com/cri-o/ocicni/pkg/ocicni" "github.com/docker/docker/pkg/namesgenerator" spec "github.com/opencontainers/runtime-spec/specs-go" @@ -338,9 +339,16 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) { } logrus.Debugf("Set libpod namespace to %q", runtime.config.Engine.Namespace) + hasCapSysAdmin, err := unshare.HasCapSysAdmin() + if err != nil { + return err + } + + needsUserns := !hasCapSysAdmin + // Set up containers/storage var store storage.Store - if os.Geteuid() != 0 { + if needsUserns { logrus.Debug("Not configuring container store") } else if runtime.noStore { logrus.Debug("No store required. Not opening container store.") @@ -480,7 +488,7 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) { // If we need to refresh, then it is safe to assume there are // no containers running. Create immediately a namespace, as // we will need to access the storage. - if os.Geteuid() != 0 { + if needsUserns { aliveLock.Unlock() // Unlock to avoid deadlock as BecomeRootInUserNS will reexec. pausePid, err := util.GetRootlessPauseProcessPidPathGivenDir(runtime.config.Engine.TmpDir) if err != nil { diff --git a/pkg/api/handlers/compat/volumes.go b/pkg/api/handlers/compat/volumes.go index d86fc1e19..1ff1468e7 100644 --- a/pkg/api/handlers/compat/volumes.go +++ b/pkg/api/handlers/compat/volumes.go @@ -96,11 +96,17 @@ func CreateVolume(w http.ResponseWriter, r *http.Request) { return } - // See if the volume exists already - existingVolume, err := runtime.GetVolume(input.Name) - if err != nil && errors.Cause(err) != define.ErrNoSuchVolume { - utils.InternalServerError(w, err) - return + var ( + existingVolume *libpod.Volume + err error + ) + if len(input.Name) != 0 { + // See if the volume exists already + existingVolume, err = runtime.GetVolume(input.Name) + if err != nil && errors.Cause(err) != define.ErrNoSuchVolume { + utils.InternalServerError(w, err) + return + } } // if using the compat layer and the volume already exists, we diff --git a/pkg/domain/filters/containers.go b/pkg/domain/filters/containers.go index 45791cd84..9ac72e415 100644 --- a/pkg/domain/filters/containers.go +++ b/pkg/domain/filters/containers.go @@ -83,7 +83,19 @@ func GenerateContainerFilterFuncs(filter string, filterValues []string, r *libpo return func(c *libpod.Container) bool { for _, filterValue := range filterValues { containerConfig := c.Config() - if strings.Contains(containerConfig.RootfsImageID, filterValue) || strings.Contains(containerConfig.RootfsImageName, filterValue) { + var imageTag string + var imageNameWithoutTag string + // Compare with ImageID, ImageName + // Will match ImageName if running image has tag latest for other tags exact complete filter must be given + imageNameSlice := strings.SplitN(containerConfig.RootfsImageName, ":", 2) + if len(imageNameSlice) == 2 { + imageNameWithoutTag = imageNameSlice[0] + imageTag = imageNameSlice[1] + } + + if (containerConfig.RootfsImageID == filterValue) || + (containerConfig.RootfsImageName == filterValue) || + (imageNameWithoutTag == filterValue && imageTag == "latest") { return true } } diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go index 6319c1ab1..9bba0fa6c 100644 --- a/pkg/domain/infra/abi/system.go +++ b/pkg/domain/infra/abi/system.go @@ -21,6 +21,7 @@ import ( "github.com/containers/podman/v3/pkg/util" "github.com/containers/podman/v3/utils" "github.com/containers/storage" + "github.com/containers/storage/pkg/unshare" "github.com/pkg/errors" "github.com/sirupsen/logrus" "github.com/spf13/cobra" @@ -58,7 +59,11 @@ func (ic *ContainerEngine) Info(ctx context.Context) (*define.Info, error) { func (ic *ContainerEngine) SetupRootless(_ context.Context, cmd *cobra.Command) error { // do it only after podman has already re-execed and running with uid==0. - if os.Geteuid() == 0 { + hasCapSysAdmin, err := unshare.HasCapSysAdmin() + if err != nil { + return err + } + if hasCapSysAdmin { ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup() if err != nil { logrus.Infof("Failed to detect the owner for the current cgroup: %v", err) diff --git a/pkg/machine/ignition.go b/pkg/machine/ignition.go index cc5c01de6..00068a136 100644 --- a/pkg/machine/ignition.go +++ b/pkg/machine/ignition.go @@ -168,6 +168,22 @@ func getFiles(usrName string) []File { }, FileEmbedded1: FileEmbedded1{Mode: intToPtr(420)}, }) + + // Set machine_enabled to true to indicate we're in a VM + files = append(files, File{ + Node: Node{ + Group: getNodeGrp("root"), + Path: "/etc/containers/containers.conf", + User: getNodeUsr("root"), + }, + FileEmbedded1: FileEmbedded1{ + Append: nil, + Contents: Resource{ + Source: strToPtr("data:,%5Bengine%5D%0Amachine_enabled%3Dtrue%0A"), + }, + Mode: intToPtr(420), + }, + }) return files } diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index dda230dbc..6eff25eb9 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -4,6 +4,7 @@ package rootless import ( "bufio" + "bytes" "fmt" "io" "io/ioutil" @@ -18,6 +19,7 @@ import ( "github.com/containers/podman/v3/pkg/errorhandling" "github.com/containers/storage/pkg/idtools" + "github.com/containers/storage/pkg/unshare" "github.com/pkg/errors" "github.com/sirupsen/logrus" "golang.org/x/sys/unix" @@ -67,6 +69,15 @@ func IsRootless() bool { } } isRootless = os.Geteuid() != 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" + if !isRootless { + hasCapSysAdmin, err := unshare.HasCapSysAdmin() + if err != nil { + logrus.Warnf("failed to read CAP_SYS_ADMIN presence for the current process") + } + if err == nil && !hasCapSysAdmin { + isRootless = true + } + } }) return isRootless } @@ -105,7 +116,7 @@ func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) err } path, err := exec.LookPath(tool) if err != nil { - return errors.Wrapf(err, "cannot find %s", tool) + return errors.Wrapf(err, "command required for rootless mode with multiple IDs") } appendTriplet := func(l []string, a, b, c int) []string { @@ -142,8 +153,12 @@ func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) err // namespace of the specified PID without looking up its parent. Useful to join directly // the conmon process. func joinUserAndMountNS(pid uint, pausePid string) (bool, int, error) { - if os.Geteuid() == 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" { - return false, -1, nil + hasCapSysAdmin, err := unshare.HasCapSysAdmin() + if err != nil { + return false, 0, err + } + if hasCapSysAdmin || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" { + return false, 0, nil } cPausePid := C.CString(pausePid) @@ -180,8 +195,11 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) { } mappings, err := idtools.NewIDMappings(username, username) if err != nil { - logrus.Errorf( - "cannot find UID/GID for user %s: %v - check rootless mode in man pages.", username, err) + logLevel := logrus.ErrorLevel + if os.Geteuid() == 0 && GetRootlessUID() == 0 { + logLevel = logrus.DebugLevel + } + logrus.StandardLogger().Logf(logLevel, "cannot find UID/GID for user %s: %v - check rootless mode in man pages.", username, err) } else { uids = mappings.UIDs() gids = mappings.GIDs() @@ -189,8 +207,28 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) { return uids, gids, nil } +func copyMappings(from, to string) error { + content, err := ioutil.ReadFile(from) + if err != nil { + return err + } + // Both runc and crun check whether the current process is in a user namespace + // by looking up 4294967295 in /proc/self/uid_map. If the mappings would be + // copied as they are, the check in the OCI runtimes would fail. So just split + // it in two different ranges. + if bytes.Contains(content, []byte("4294967295")) { + content = []byte("0 0 1\n1 1 4294967294\n") + } + return ioutil.WriteFile(to, content, 0600) +} + func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ bool, _ int, retErr error) { - if os.Geteuid() == 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" { + hasCapSysAdmin, err := unshare.HasCapSysAdmin() + if err != nil { + return false, 0, err + } + + if hasCapSysAdmin || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" { if os.Getenv("_CONTAINERS_USERNS_CONFIGURED") == "init" { return false, 0, runInUser() } @@ -247,8 +285,16 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo return false, -1, err } + uidMap := fmt.Sprintf("/proc/%d/uid_map", pid) + gidMap := fmt.Sprintf("/proc/%d/gid_map", pid) + uidsMapped := false - if uids != nil { + + if err := copyMappings("/proc/self/uid_map", uidMap); err == nil { + uidsMapped = true + } + + if uids != nil && !uidsMapped { err := tryMappingTool(true, pid, os.Geteuid(), uids) // If some mappings were specified, do not ignore the error if err != nil && len(uids) > 0 { @@ -265,7 +311,6 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo } logrus.Debugf("write setgroups file exited with 0") - uidMap := fmt.Sprintf("/proc/%d/uid_map", pid) err = ioutil.WriteFile(uidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Geteuid())), 0666) if err != nil { return false, -1, errors.Wrapf(err, "cannot write uid_map") @@ -274,7 +319,10 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo } gidsMapped := false - if gids != nil { + if err := copyMappings("/proc/self/gid_map", gidMap); err == nil { + gidsMapped = true + } + if gids != nil && !gidsMapped { err := tryMappingTool(false, pid, os.Getegid(), gids) // If some mappings were specified, do not ignore the error if err != nil && len(gids) > 0 { @@ -283,7 +331,6 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo gidsMapped = err == nil } if !gidsMapped { - gidMap := fmt.Sprintf("/proc/%d/gid_map", pid) err = ioutil.WriteFile(gidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getegid())), 0666) if err != nil { return false, -1, errors.Wrapf(err, "cannot write gid_map") diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go index 700f582db..277435ef1 100644 --- a/pkg/specgen/generate/container_create.go +++ b/pkg/specgen/generate/container_create.go @@ -6,12 +6,14 @@ import ( "path/filepath" "strings" + cdi "github.com/container-orchestrated-devices/container-device-interface/pkg" "github.com/containers/common/pkg/config" "github.com/containers/podman/v3/libpod" "github.com/containers/podman/v3/libpod/image" "github.com/containers/podman/v3/pkg/specgen" "github.com/containers/podman/v3/pkg/util" "github.com/containers/storage/types" + spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -136,6 +138,11 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener options = append(options, libpod.WithNetworkAliases(s.Aliases)) } + if len(s.Devices) > 0 { + opts = extractCDIDevices(s) + options = append(options, opts...) + } + runtimeSpec, err := SpecGenToOCI(ctx, s, rt, rtc, newImage, finalMounts, pod, command) if err != nil { return nil, err @@ -143,6 +150,32 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener return rt.NewContainer(ctx, runtimeSpec, options...) } +func extractCDIDevices(s *specgen.SpecGenerator) []libpod.CtrCreateOption { + devs := make([]spec.LinuxDevice, 0, len(s.Devices)) + var cdiDevs []string + var options []libpod.CtrCreateOption + + for _, device := range s.Devices { + isCDIDevice, err := cdi.HasDevice(device.Path) + if err != nil { + logrus.Debugf("CDI HasDevice Error: %v", err) + } + if err == nil && isCDIDevice { + cdiDevs = append(cdiDevs, device.Path) + continue + } + + devs = append(devs, device) + } + + s.Devices = devs + if len(cdiDevs) > 0 { + options = append(options, libpod.WithCDI(cdiDevs)) + } + + return options +} + func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGenerator, pod *libpod.Pod, volumes []*specgen.NamedVolume, overlays []*specgen.OverlayVolume, img *image.Image, command []string) ([]libpod.CtrCreateOption, error) { var options []libpod.CtrCreateOption var err error diff --git a/test/apiv2/10-images.at b/test/apiv2/10-images.at index f854d38ab..a08393668 100644 --- a/test/apiv2/10-images.at +++ b/test/apiv2/10-images.at @@ -126,6 +126,20 @@ t DELETE libpod/images/test:test 200 t GET images/json?filters='{"label":["xyz"]}' 200 length=0 t GET libpod/images/json?filters='{"label":["xyz"]}' 200 length=0 + +# to be used in prune until filter tests +podman image build -t test1:latest -<<EOF +from alpine +RUN >file3 +EOF + +# image should not be deleted +t GET images/json?filters='{"reference":["test1"]}' 200 length=1 +t POST images/prune?filters='{"until":["500000"]}' 200 +t GET images/json?filters='{"reference":["test1"]}' 200 length=1 + +t DELETE libpod/images/test1:latest 200 + # Export more than one image # FIXME FIXME FIXME, this doesn't work: # not ok 64 [10-images] GET images/get?names=alpine,busybox : status diff --git a/test/apiv2/30-volumes.at b/test/apiv2/30-volumes.at index 623e691e3..ed606134a 100644 --- a/test/apiv2/30-volumes.at +++ b/test/apiv2/30-volumes.at @@ -13,6 +13,13 @@ t POST libpod/volumes/create name=foo1 201 \ .CreatedAt~[0-9]\\{4\\}-[0-9]\\{2\\}-[0-9]\\{2\\}.* \ .Labels={} \ .Options={} +t POST volumes/create 201 \ + .Name~[0-9a-f]\\{64\\} + .Driver=local \ + .Mountpoint=$volumepath/~[0-9a-f]\\{64\\}/_data \ + .CreatedAt~[0-9]\\{4\\}-[0-9]\\{2\\}-[0-9]\\{2\\}.* \ + .Labels={} \ + .Options={} t POST libpod/volumes/create 201 t POST libpod/volumes/create \ Name=foo2 \ diff --git a/test/e2e/cdi/device.json b/test/e2e/cdi/device.json new file mode 100644 index 000000000..f49470c88 --- /dev/null +++ b/test/e2e/cdi/device.json @@ -0,0 +1,14 @@ +{ + "cdiVersion": "0.2.0", + "kind": "vendor.com/device", + "devices": [ + { + "name": "myKmsg", + "containerEdits": { + "mounts": [ + {"hostPath": "/dev/kmsg", "containerPath": "/dev/kmsg1", "options": ["rw", "rprivate", "rbind"]} + ] + } + } + ] +} diff --git a/test/e2e/generate_kube_test.go b/test/e2e/generate_kube_test.go index c3586d9b6..611e8ddac 100644 --- a/test/e2e/generate_kube_test.go +++ b/test/e2e/generate_kube_test.go @@ -496,6 +496,29 @@ var _ = Describe("Podman generate kube", func() { Expect(inspect.OutputToString()).To(ContainSubstring(vol1)) }) + It("podman generate kube when bind-mounting '/' and '/root' at the same time ", func() { + // Fixes https://github.com/containers/podman/issues/9764 + + ctrName := "mount-root-ctr" + session1 := podmanTest.Podman([]string{"run", "-d", "--pod", "new:mount-root-conflict", "--name", ctrName, + "-v", "/:/volume1/", + "-v", "/root:/volume2/", + "alpine", "top"}) + session1.WaitWithDefaultTimeout() + Expect(session1.ExitCode()).To(Equal(0)) + + kube := podmanTest.Podman([]string{"generate", "kube", "mount-root-conflict"}) + kube.WaitWithDefaultTimeout() + Expect(kube.ExitCode()).To(Equal(0)) + + pod := new(v1.Pod) + err := yaml.Unmarshal(kube.Out.Contents(), pod) + Expect(err).To(BeNil()) + + Expect(len(pod.Spec.Volumes)).To(Equal(2)) + + }) + It("podman generate kube with persistent volume claim", func() { vol := "vol-test-persistent-volume-claim" diff --git a/test/e2e/ps_test.go b/test/e2e/ps_test.go index 37b6516c1..d5269f415 100644 --- a/test/e2e/ps_test.go +++ b/test/e2e/ps_test.go @@ -269,6 +269,12 @@ var _ = Describe("Podman ps", func() { result.WaitWithDefaultTimeout() Expect(result.ExitCode()).To(Equal(0)) Expect(result.OutputToString()).To(Equal(cid)) + + // Query by trunctated image name should not match ( should return empty output ) + result = podmanTest.Podman([]string{"ps", "-q", "--no-trunc", "-a", "--filter", "ancestor=quay.io/libpod/alpi"}) + result.WaitWithDefaultTimeout() + Expect(result.ExitCode()).To(Equal(0)) + Expect(result.OutputToString()).To(Equal("")) }) It("podman ps id filter flag", func() { diff --git a/test/e2e/run_device_test.go b/test/e2e/run_device_test.go index 5a32ed827..3137e3fe4 100644 --- a/test/e2e/run_device_test.go +++ b/test/e2e/run_device_test.go @@ -2,6 +2,7 @@ package integration import ( "os" + "os/exec" . "github.com/containers/podman/v3/test/utils" . "github.com/onsi/ginkgo" @@ -94,4 +95,22 @@ var _ = Describe("Podman run device", func() { session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) }) + + It("podman run CDI device test", func() { + SkipIfRootless("Rootless will not be able to create files/folders in /etc") + cdiDir := "/etc/cdi" + if _, err := os.Stat(cdiDir); os.IsNotExist(err) { + Expect(os.MkdirAll(cdiDir, os.ModePerm)).To(BeNil()) + } + defer os.RemoveAll(cdiDir) + + cmd := exec.Command("cp", "cdi/device.json", cdiDir) + err = cmd.Run() + Expect(err).To(BeNil()) + + session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "myKmsg", ALPINE, "ls", "--color=never", "/dev/kmsg1"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(Equal("/dev/kmsg1")) + }) }) diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 93505d742..74bdfce2c 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -582,6 +582,9 @@ USER bin`, BB) if _, err := os.Stat("/sys/fs/cgroup/io.stat"); os.IsNotExist(err) { Skip("Kernel does not have io.stat") } + if _, err := os.Stat("/sys/fs/cgroup/system.slice/io.bfq.weight"); os.IsNotExist(err) { + Skip("Kernel does not support BFQ IO scheduler") + } session := podmanTest.Podman([]string{"run", "--rm", "--blkio-weight=15", ALPINE, "sh", "-c", "cat /sys/fs/cgroup/io.bfq.weight"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats index 8da864798..21240e521 100644 --- a/test/system/500-networking.bats +++ b/test/system/500-networking.bats @@ -77,35 +77,47 @@ load helpers # FIXME: randomize port, and create second random host port myport=54321 - # Container will exit as soon as 'nc' receives input - # We use '-n -v' to give us log messages showing an incoming connection - # and its IP address; the purpose of that is guaranteeing that the - # remote IP is not 127.0.0.1 (podman PR #9052). - # We could get more parseable output by using $NCAT_REMOTE_ADDR, - # but busybox nc doesn't support that. - run_podman run -d --userns=keep-id -p 127.0.0.1:$myport:$myport \ - $IMAGE nc -l -n -v -p $myport - cid="$output" - - # emit random string, and check it - teststring=$(random_string 30) - echo "$teststring" | nc 127.0.0.1 $myport - - run_podman logs $cid - # Sigh. We can't check line-by-line, because 'nc' output order is - # unreliable. We usually get the 'connect to' line before the random - # string, but sometimes we get it after. So, just do substring checks. - is "$output" ".*listening on \[::\]:$myport .*" "nc -v shows right port" - - # This is the truly important check: make sure the remote IP is - # in the 10.X range, not 127.X. - is "$output" \ - ".*connect to \[::ffff:10\..*\]:$myport from \[::ffff:10\..*\]:.*" \ - "nc -v shows remote IP address in 10.X space (not 127.0.0.1)" - is "$output" ".*${teststring}.*" "test string received on container" - - # Clean up - run_podman rm $cid + for cidr in "" "$(random_rfc1918_subnet).0/24"; do + myport=$(( myport + 1 )) + if [[ -z $cidr ]]; then + # regex to match that we are in 10.X subnet + match="10\..*" + else + # Issue #9828 make sure a custom slir4netns cidr also works + network_arg="--network slirp4netns:cidr=$cidr" + # slirp4netns interface ip is always .100 + match="${cidr%.*}.100" + fi + + # Container will exit as soon as 'nc' receives input + # We use '-n -v' to give us log messages showing an incoming connection + # and its IP address; the purpose of that is guaranteeing that the + # remote IP is not 127.0.0.1 (podman PR #9052). + # We could get more parseable output by using $NCAT_REMOTE_ADDR, + # but busybox nc doesn't support that. + run_podman run -d --userns=keep-id $network_arg -p 127.0.0.1:$myport:$myport \ + $IMAGE nc -l -n -v -p $myport + cid="$output" + + # emit random string, and check it + teststring=$(random_string 30) + echo "$teststring" | nc 127.0.0.1 $myport + + run_podman logs $cid + # Sigh. We can't check line-by-line, because 'nc' output order is + # unreliable. We usually get the 'connect to' line before the random + # string, but sometimes we get it after. So, just do substring checks. + is "$output" ".*listening on \[::\]:$myport .*" "nc -v shows right port" + + # This is the truly important check: make sure the remote IP is not 127.X. + is "$output" \ + ".*connect to \[::ffff:$match*\]:$myport from \[::ffff:$match\]:.*" \ + "nc -v shows remote IP address is not 127.0.0.1" + is "$output" ".*${teststring}.*" "test string received on container" + + # Clean up + run_podman rm $cid + done } # "network create" now works rootless, with the help of a special container diff --git a/troubleshooting.md b/troubleshooting.md index 077e342cd..c5c592a8e 100644 --- a/troubleshooting.md +++ b/troubleshooting.md @@ -203,12 +203,12 @@ Rootless Podman requires the newuidmap and newgidmap programs to be installed. #### Symptom -If you are running Podman or buildah as a not root user, you get an error complaining about +If you are running Podman or Buildah as a rootless user, you get an error complaining about a missing newuidmap executable. ``` podman run -ti fedora sh -cannot find newuidmap: exec: "newuidmap": executable file not found in $PATH +command required for rootless mode with multiple IDs: exec: "newuidmap": executable file not found in $PATH ``` #### Solution diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/LICENSE b/vendor/github.com/container-orchestrated-devices/container-device-interface/LICENSE new file mode 100644 index 000000000..261eeb9e9 --- /dev/null +++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/devices.go b/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/devices.go new file mode 100644 index 000000000..e66fd36c0 --- /dev/null +++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/devices.go @@ -0,0 +1,180 @@ +package pkg + +import ( + "encoding/json" + "fmt" + "io/ioutil" + "os" + "path/filepath" + "strings" + + cdispec "github.com/container-orchestrated-devices/container-device-interface/specs-go" + spec "github.com/opencontainers/runtime-spec/specs-go" +) + +const ( + root = "/etc/cdi" +) + +func collectCDISpecs() (map[string]*cdispec.Spec, error) { + var files []string + vendor := make(map[string]*cdispec.Spec) + + err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error { + if info == nil || info.IsDir() { + return nil + } + + if filepath.Ext(path) != ".json" { + return nil + } + + files = append(files, path) + return nil + }) + + if err != nil { + return nil, err + } + + for _, path := range files { + spec, err := loadCDIFile(path) + if err != nil { + continue + } + + if _, ok := vendor[spec.Kind]; ok { + continue + } + + vendor[spec.Kind] = spec + } + + return vendor, nil +} + +// TODO: Validate (e.g: duplicate device names) +func loadCDIFile(path string) (*cdispec.Spec, error) { + file, err := ioutil.ReadFile(path) + if err != nil { + return nil, err + } + + var spec *cdispec.Spec + err = json.Unmarshal([]byte(file), &spec) + if err != nil { + return nil, err + } + + return spec, nil +} + +/* +* Pattern "vendor.com/device=myDevice" with the vendor being optional + */ +func extractVendor(dev string) (string, string) { + if strings.IndexByte(dev, '=') == -1 { + return "", dev + } + + split := strings.SplitN(dev, "=", 2) + return split[0], split[1] +} + +// GetCDIForDevice returns the CDI specification that matches the device name the user provided. +func GetCDIForDevice(dev string, specs map[string]*cdispec.Spec) (*cdispec.Spec, error) { + vendor, device := extractVendor(dev) + + if vendor != "" { + s, ok := specs[vendor] + if !ok { + return nil, fmt.Errorf("Could not find vendor %q for device %q", vendor, device) + } + + for _, d := range s.Devices { + if d.Name != device { + continue + } + + return s, nil + } + + return nil, fmt.Errorf("Could not find device %q for vendor %q", device, vendor) + } + + var found []*cdispec.Spec + var vendors []string + for vendor, spec := range specs { + + for _, d := range spec.Devices { + if d.Name != device { + continue + } + + found = append(found, spec) + vendors = append(vendors, vendor) + } + } + + if len(found) > 1 { + return nil, fmt.Errorf("%q is ambiguous and currently refers to multiple devices from different vendors: %q", dev, vendors) + } + + if len(found) == 1 { + return found[0], nil + } + + return nil, fmt.Errorf("Could not find device %q", dev) +} + +// HasDevice returns true if a device is a CDI device +// an error may be returned in cases where permissions may be required +func HasDevice(dev string) (bool, error) { + specs, err := collectCDISpecs() + if err != nil { + return false, err + } + + d, err := GetCDIForDevice(dev, specs) + if err != nil { + return false, err + } + + return d != nil, nil +} + +// UpdateOCISpecForDevices updates the given OCI spec based on the requested CDI devices +func UpdateOCISpecForDevices(ociconfig *spec.Spec, devs []string) error { + specs, err := collectCDISpecs() + if err != nil { + return err + } + + return UpdateOCISpecForDevicesWithSpec(ociconfig, devs, specs) +} + +// UpdateOCISpecForDevicesWithLoggerAndSpecs is mainly used for testing +func UpdateOCISpecForDevicesWithSpec(ociconfig *spec.Spec, devs []string, specs map[string]*cdispec.Spec) error { + edits := make(map[string]*cdispec.Spec) + + for _, d := range devs { + spec, err := GetCDIForDevice(d, specs) + if err != nil { + return err + } + + edits[spec.Kind] = spec + err = cdispec.ApplyOCIEditsForDevice(ociconfig, spec, d) + if err != nil { + return err + } + } + + for _, spec := range edits { + if err := cdispec.ApplyOCIEdits(ociconfig, spec); err != nil { + return err + } + } + + return nil +} diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go new file mode 100644 index 000000000..0223bb703 --- /dev/null +++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go @@ -0,0 +1,50 @@ +package specs + +// Spec is the base configuration for CDI +type Spec struct { + Version string `json:"cdiVersion"` + Kind string `json:"kind"` + KindShort []string `json:"kindShort,omitempty"` + ContainerRuntime []string `json:"containerRuntime,omitempty"` + + Devices []Devices `json:"devices"` + ContainerEdits ContainerEdits `json:"containerEdits,omitempty"` +} + +// Devices is a "Device" a container runtime can add to a container +type Devices struct { + Name string `json:"name"` + NameShort []string `json:"nameShort"` + ContainerEdits ContainerEdits `json:"containerEdits"` +} + +// ContainerEdits are edits a container runtime must make to the OCI spec to expose the device. +type ContainerEdits struct { + Env []string `json:"env,omitempty"` + DeviceNodes []*DeviceNode `json:"deviceNodes,omitempty"` + Hooks []*Hook `json:"hooks,omitempty"` + Mounts []*Mount `json:"mounts,omitempty"` +} + +// DeviceNode represents a device node that needs to be added to the OCI spec. +type DeviceNode struct { + HostPath string `json:"hostPath"` + ContainerPath string `json:"containerPath"` + Permissions []string `json:"permissions,omitempty"` +} + +// Mount represents a mount that needs to be added to the OCI spec. +type Mount struct { + HostPath string `json:"hostPath"` + ContainerPath string `json:"containerPath"` + Options []string `json:"options,omitempty"` +} + +// Hook represents a hook that needs to be added to the OCI spec. +type Hook struct { + HookName string `json:"hookName"` + Path string `json:"path"` + Args []string `json:"args,omitempty"` + Env []string `json:"env,omitempty"` + Timeout *int `json:"timeout,omitempty"` +} diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go new file mode 100644 index 000000000..c59cda55d --- /dev/null +++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go @@ -0,0 +1,104 @@ +package specs + +import ( + "errors" + "fmt" + + spec "github.com/opencontainers/runtime-spec/specs-go" +) + +// ApplyOCIEditsForDevice applies devices OCI edits, in other words +// it finds the device in the CDI spec and applies the OCI patches that device +// requires to the OCI specification. +func ApplyOCIEditsForDevice(config *spec.Spec, cdi *Spec, dev string) error { + for _, d := range cdi.Devices { + if d.Name != dev { + continue + } + + return ApplyEditsToOCISpec(config, &d.ContainerEdits) + } + + return fmt.Errorf("CDI: device %q not found for spec %q", dev, cdi.Kind) +} + +// ApplyOCIEdits applies the OCI edits the CDI spec declares globablly +func ApplyOCIEdits(config *spec.Spec, cdi *Spec) error { + return ApplyEditsToOCISpec(config, &cdi.ContainerEdits) +} + +// ApplyEditsToOCISpec applies the specified edits to the OCI spec. +func ApplyEditsToOCISpec(config *spec.Spec, edits *ContainerEdits) error { + if config == nil { + return errors.New("spec is nil") + } + if edits == nil { + return nil + } + + if len(edits.Env) > 0 { + + if config.Process == nil { + config.Process = &spec.Process{} + } + + config.Process.Env = append(config.Process.Env, edits.Env...) + } + + for _, d := range edits.DeviceNodes { + config.Mounts = append(config.Mounts, toOCIDevice(d)) + } + + for _, m := range edits.Mounts { + config.Mounts = append(config.Mounts, toOCIMount(m)) + } + + for _, h := range edits.Hooks { + if config.Hooks == nil { + config.Hooks = &spec.Hooks{} + } + switch h.HookName { + case "prestart": + config.Hooks.Prestart = append(config.Hooks.Prestart, toOCIHook(h)) + case "createRuntime": + config.Hooks.CreateRuntime = append(config.Hooks.CreateRuntime, toOCIHook(h)) + case "createContainer": + config.Hooks.CreateContainer = append(config.Hooks.CreateContainer, toOCIHook(h)) + case "startContainer": + config.Hooks.StartContainer = append(config.Hooks.StartContainer, toOCIHook(h)) + case "poststart": + config.Hooks.Poststart = append(config.Hooks.Poststart, toOCIHook(h)) + case "poststop": + config.Hooks.Poststop = append(config.Hooks.Poststop, toOCIHook(h)) + default: + fmt.Printf("CDI: Unknown hook %q\n", h.HookName) + } + } + + return nil +} + +func toOCIHook(h *Hook) spec.Hook { + return spec.Hook{ + Path: h.Path, + Args: h.Args, + Env: h.Env, + Timeout: h.Timeout, + } +} + +func toOCIMount(m *Mount) spec.Mount { + return spec.Mount{ + Source: m.HostPath, + Destination: m.ContainerPath, + Options: m.Options, + } +} + +func toOCIDevice(d *DeviceNode) spec.Mount { + return spec.Mount{ + Source: d.HostPath, + Destination: d.ContainerPath, + Options: d.Permissions, + } +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 77dcb9744..b0658df5b 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -49,6 +49,9 @@ github.com/checkpoint-restore/go-criu github.com/checkpoint-restore/go-criu/rpc # github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e github.com/chzyer/readline +# github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9 +github.com/container-orchestrated-devices/container-device-interface/pkg +github.com/container-orchestrated-devices/container-device-interface/specs-go # github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68 github.com/containerd/cgroups/stats/v1 # github.com/containerd/containerd v1.5.0-beta.4 |