diff options
57 files changed, 781 insertions, 502 deletions
diff --git a/.cirrus.yml b/.cirrus.yml index d2a8cb660..6f8cd0a30 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -34,16 +34,16 @@ env: #### #### Cache-image names to test with (double-quotes around names are critical) ### - FEDORA_NAME: "fedora" - PRIOR_FEDORA_NAME: "prior-fedora" - UBUNTU_NAME: "ubuntu" - PRIOR_UBUNTU_NAME: "prior-ubuntu" + FEDORA_NAME: "fedora-32" + PRIOR_FEDORA_NAME: "fedora-31" + UBUNTU_NAME: "ubuntu-20" + PRIOR_UBUNTU_NAME: "ubuntu-19" - _BUILT_IMAGE_SUFFIX: "c6110627968057344" - FEDORA_CACHE_IMAGE_NAME: "${FEDORA_NAME}-${_BUILT_IMAGE_SUFFIX}" - PRIOR_FEDORA_CACHE_IMAGE_NAME: "${PRIOR_FEDORA_NAME}-${_BUILT_IMAGE_SUFFIX}" - UBUNTU_CACHE_IMAGE_NAME: "${UBUNTU_NAME}-${_BUILT_IMAGE_SUFFIX}" - PRIOR_UBUNTU_CACHE_IMAGE_NAME: "${PRIOR_UBUNTU_NAME}-${_BUILT_IMAGE_SUFFIX}" + _BUILT_IMAGE_SUFFIX: "c4948709391728640" + FEDORA_CACHE_IMAGE_NAME: "fedora-${_BUILT_IMAGE_SUFFIX}" + PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${_BUILT_IMAGE_SUFFIX}" + UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${_BUILT_IMAGE_SUFFIX}" + PRIOR_UBUNTU_CACHE_IMAGE_NAME: "prior-ubuntu-${_BUILT_IMAGE_SUFFIX}" #### #### Default to NOT operating in any special-case testing mode @@ -290,7 +290,7 @@ build_without_cgo_task: meta_task: container: - image: "quay.io/libpod/imgts:master" # see contrib/imgts + image: "quay.io/libpod/imgts:${_BUILT_IMAGE_SUFFIX}" cpu: 1 memory: 1 @@ -301,7 +301,6 @@ meta_task: ${PRIOR_FEDORA_CACHE_IMAGE_NAME} ${UBUNTU_CACHE_IMAGE_NAME} ${PRIOR_UBUNTU_CACHE_IMAGE_NAME} - ${IMAGE_BUILDER_CACHE_IMAGE_NAME} BUILDID: "${CIRRUS_BUILD_ID}" REPOREF: "${CIRRUS_CHANGE_IN_REPO}" GCPJSON: ENCRYPTED[3a198350077849c8df14b723c0f4c9fece9ebe6408d35982e7adf2105a33f8e0e166ed3ed614875a0887e1af2b8775f4] @@ -5,7 +5,7 @@ Podman (the POD MANager) is a tool for managing containers and images, volumes mounted into those containers, and pods made from groups of containers. Podman is based on libpod, a library for container lifecycle management that is also contained in this repository. The libpod library provides APIs for managing containers, pods, container images, and volumes. -* [Latest Version: 2.1.0](https://github.com/containers/podman/releases/latest) +* [Latest Version: 2.1.1](https://github.com/containers/podman/releases/latest) * Latest Remote client for Windows * Latest Remote client for MacOs * Latest Static Remote client for Linux diff --git a/cmd/podman/common/createparse.go b/cmd/podman/common/createparse.go index 059f9050f..09ee5aa0c 100644 --- a/cmd/podman/common/createparse.go +++ b/cmd/podman/common/createparse.go @@ -10,7 +10,7 @@ import ( func (c *ContainerCLIOpts) validate() error { var () if c.Rm && c.Restart != "" && c.Restart != "no" { - return errors.Errorf("the --rm option conflicts with --restart") + return errors.Errorf(`the --rm option conflicts with --restart, when the restartPolicy is not "" and "no"`) } if _, err := util.ValidatePullType(c.Pull); err != nil { diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go index e7b88eb3f..84ae70b6a 100644 --- a/cmd/podman/common/specgen.go +++ b/cmd/podman/common/specgen.go @@ -233,7 +233,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string // validate flags as needed if err := c.validate(); err != nil { - return nil + return err } s.User = c.User diff --git a/cmd/podman/containers/diff.go b/cmd/podman/containers/diff.go index 227c13f4c..a3ca6edf9 100644 --- a/cmd/podman/containers/diff.go +++ b/cmd/podman/containers/diff.go @@ -1,6 +1,7 @@ package containers import ( + "github.com/containers/podman/v2/cmd/podman/parse" "github.com/containers/podman/v2/cmd/podman/registry" "github.com/containers/podman/v2/cmd/podman/report" "github.com/containers/podman/v2/cmd/podman/validate" @@ -52,11 +53,11 @@ func diff(cmd *cobra.Command, args []string) error { return err } - switch diffOpts.Format { - case "": - return report.ChangesToTable(results) - case "json": + switch { + case parse.MatchesJSONFormat(diffOpts.Format): return report.ChangesToJSON(results) + case diffOpts.Format == "": + return report.ChangesToTable(results) default: return errors.New("only supported value for '--format' is 'json'") } diff --git a/cmd/podman/images/list.go b/cmd/podman/images/list.go index ffb341fc4..239da9d28 100644 --- a/cmd/podman/images/list.go +++ b/cmd/podman/images/list.go @@ -11,7 +11,9 @@ import ( "unicode" "github.com/containers/image/v5/docker/reference" + "github.com/containers/podman/v2/cmd/podman/parse" "github.com/containers/podman/v2/cmd/podman/registry" + "github.com/containers/podman/v2/cmd/podman/report" "github.com/containers/podman/v2/pkg/domain/entities" "github.com/docker/go-units" "github.com/pkg/errors" @@ -106,9 +108,12 @@ func images(cmd *cobra.Command, args []string) error { switch { case listFlag.quiet: return writeID(imgs) - case cmd.Flag("format").Changed && listFlag.format == "json": + case parse.MatchesJSONFormat(listFlag.format): return writeJSON(imgs) default: + if cmd.Flag("format").Changed { + listFlag.noHeading = true // V1 compatibility + } return writeTemplate(imgs) } } @@ -156,25 +161,29 @@ func writeJSON(images []imageReporter) error { } func writeTemplate(imgs []imageReporter) error { - var ( - hdr, row string - ) - if len(listFlag.format) < 1 { - hdr, row = imageListFormat(listFlag) + hdrs := report.Headers(imageReporter{}, map[string]string{ + "ID": "IMAGE ID", + "ReadOnly": "R/O", + }) + + var row string + if listFlag.format == "" { + row = lsFormatFromFlags(listFlag) } else { - row = listFlag.format - if !strings.HasSuffix(row, "\n") { - row += "\n" - } + row = report.NormalizeFormat(listFlag.format) } - format := hdr + "{{range . }}" + row + "{{end}}" - tmpl, err := template.New("list").Parse(format) - if err != nil { - return err - } - tmpl = template.Must(tmpl, nil) + + format := "{{range . }}" + row + "{{end}}" + tmpl := template.Must(template.New("list").Parse(format)) w := tabwriter.NewWriter(os.Stdout, 8, 2, 2, ' ', 0) defer w.Flush() + + if !listFlag.noHeading { + if err := tmpl.Execute(w, hdrs); err != nil { + return err + } + } + return tmpl.Execute(w, imgs) } @@ -276,40 +285,27 @@ func sortFunc(key string, data []imageReporter) func(i, j int) bool { } } -func imageListFormat(flags listFlagType) (string, string) { - // Defaults - hdr := "REPOSITORY\tTAG" - row := "{{.Repository}}\t{{if .Tag}}{{.Tag}}{{else}}<none>{{end}}" +func lsFormatFromFlags(flags listFlagType) string { + row := []string{ + "{{if .Repository}}{{.Repository}}{{else}}<none>{{end}}", + "{{if .Tag}}{{.Tag}}{{else}}<none>{{end}}", + } if flags.digests { - hdr += "\tDIGEST" - row += "\t{{.Digest}}" + row = append(row, "{{.Digest}}") } - hdr += "\tIMAGE ID" - row += "\t{{.ID}}" - - hdr += "\tCREATED\tSIZE" - row += "\t{{.Created}}\t{{.Size}}" + row = append(row, "{{.ID}}", "{{.Created}}", "{{.Size}}") if flags.history { - hdr += "\tHISTORY" - row += "\t{{if .History}}{{.History}}{{else}}<none>{{end}}" + row = append(row, "{{if .History}}{{.History}}{{else}}<none>{{end}}") } if flags.readOnly { - hdr += "\tReadOnly" - row += "\t{{.ReadOnly}}" - } - - if flags.noHeading { - hdr = "" - } else { - hdr += "\n" + row = append(row, "{{.ReadOnly}}") } - row += "\n" - return hdr, row + return strings.Join(row, "\t") + "\n" } type imageReporter struct { diff --git a/cmd/podman/parse/json.go b/cmd/podman/parse/json.go index 95a6633b8..40ac415db 100644 --- a/cmd/podman/parse/json.go +++ b/cmd/podman/parse/json.go @@ -2,8 +2,9 @@ package parse import "regexp" -var jsonFormatRegex = regexp.MustCompile(`^(\s*json\s*|\s*{{\s*json\s*\.\s*}}\s*)$`) +var jsonFormatRegex = regexp.MustCompile(`^\s*(json|{{\s*json\s*( \.)?\s*}})\s*$`) +// MatchesJSONFormat test CLI --format string to be a JSON request func MatchesJSONFormat(s string) bool { return jsonFormatRegex.Match([]byte(s)) } diff --git a/cmd/podman/parse/json_test.go b/cmd/podman/parse/json_test.go index 5cad185fd..ec3b5664b 100644 --- a/cmd/podman/parse/json_test.go +++ b/cmd/podman/parse/json_test.go @@ -1,6 +1,8 @@ package parse import ( + "fmt" + "strings" "testing" "github.com/stretchr/testify/assert" @@ -13,18 +15,31 @@ func TestMatchesJSONFormat(t *testing.T) { }{ {"json", true}, {" json", true}, - {"json ", true}, + {" json ", true}, {" json ", true}, + {"{{json}}", true}, + {"{{json }}", true}, {"{{json .}}", true}, {"{{ json .}}", true}, - {"{{json . }}", true}, - {" {{ json . }} ", true}, - {"{{json }}", false}, - {"{{json .", false}, + {"{{ json . }}", true}, + {" {{ json . }} ", true}, + {"{{ json .", false}, {"json . }}", false}, + {"{{.ID }} json .", false}, + {"json .", false}, + {"{{json.}}", false}, } for _, tt := range tests { assert.Equal(t, tt.expected, MatchesJSONFormat(tt.input)) } + + for _, tc := range tests { + tc := tc + label := "MatchesJSONFormat/" + strings.ReplaceAll(tc.input, " ", "_") + t.Run(label, func(t *testing.T) { + t.Parallel() + assert.Equal(t, tc.expected, MatchesJSONFormat(tc.input), fmt.Sprintf("Scanning %q failed", tc.input)) + }) + } } diff --git a/cmd/podman/report/format.go b/cmd/podman/report/format.go new file mode 100644 index 000000000..32d92bec5 --- /dev/null +++ b/cmd/podman/report/format.go @@ -0,0 +1,68 @@ +package report + +import ( + "reflect" + "strings" +) + +// tableReplacer will remove 'table ' prefix and clean up tabs +var tableReplacer = strings.NewReplacer( + "table ", "", + `\t`, "\t", + `\n`, "\n", + " ", "\t", +) + +// escapedReplacer will clean up escaped characters from CLI +var escapedReplacer = strings.NewReplacer( + `\t`, "\t", + `\n`, "\n", +) + +// NormalizeFormat reads given go template format provided by CLI and munges it into what we need +func NormalizeFormat(format string) string { + f := format + // two replacers used so we only remove the prefix keyword `table` + if strings.HasPrefix(f, "table ") { + f = tableReplacer.Replace(f) + } else { + f = escapedReplacer.Replace(format) + } + + if !strings.HasSuffix(f, "\n") { + f += "\n" + } + + return f +} + +// Headers queries the interface for field names +func Headers(object interface{}, overrides map[string]string) []map[string]string { + value := reflect.ValueOf(object) + if value.Kind() == reflect.Ptr { + value = value.Elem() + } + + // Column header will be field name upper-cased. + headers := make(map[string]string, value.NumField()) + for i := 0; i < value.Type().NumField(); i++ { + field := value.Type().Field(i) + // Recurse to find field names from promoted structs + if field.Type.Kind() == reflect.Struct && field.Anonymous { + h := Headers(reflect.New(field.Type).Interface(), nil) + for k, v := range h[0] { + headers[k] = v + } + continue + } + headers[field.Name] = strings.ToUpper(field.Name) + } + + if len(overrides) > 0 { + // Override column header as provided + for k, v := range overrides { + headers[k] = strings.ToUpper(v) + } + } + return []map[string]string{headers} +} diff --git a/cmd/podman/report/format_test.go b/cmd/podman/report/format_test.go new file mode 100644 index 000000000..7dd62e899 --- /dev/null +++ b/cmd/podman/report/format_test.go @@ -0,0 +1,35 @@ +package report + +import ( + "strings" + "testing" +) + +func TestNormalizeFormat(t *testing.T) { + cases := []struct { + format string + expected string + }{ + {"table {{.ID}}", "{{.ID}}\n"}, + {"table {{.ID}} {{.C}}", "{{.ID}}\t{{.C}}\n"}, + {"{{.ID}}", "{{.ID}}\n"}, + {"{{.ID}}\n", "{{.ID}}\n"}, + {"{{.ID}} {{.C}}", "{{.ID}} {{.C}}\n"}, + {"\t{{.ID}}", "\t{{.ID}}\n"}, + {`\t` + "{{.ID}}", "\t{{.ID}}\n"}, + {"table {{.ID}}\t{{.C}}", "{{.ID}}\t{{.C}}\n"}, + {"{{.ID}} table {{.C}}", "{{.ID}} table {{.C}}\n"}, + } + for _, tc := range cases { + tc := tc + + label := strings.ReplaceAll(tc.format, " ", "<sp>") + t.Run("NormalizeFormat/"+label, func(t *testing.T) { + t.Parallel() + actual := NormalizeFormat(tc.format) + if actual != tc.expected { + t.Errorf("Expected %q, actual %q", tc.expected, actual) + } + }) + } +} diff --git a/completions/bash/podman b/completions/bash/podman index a83cfc790..e12862126 100644 --- a/completions/bash/podman +++ b/completions/bash/podman @@ -407,7 +407,7 @@ __podman_local_interfaces() { __podman_complete_restart() { case "$prev" in --restart) - COMPREPLY=( $( compgen -W "always no on-failure" -- "$cur") ) + COMPREPLY=( $( compgen -W "always no on-failure unless-stopped" -- "$cur") ) return ;; esac diff --git a/contrib/cirrus/logformatter b/contrib/cirrus/logformatter index f97638b6f..2ab8aa117 100755 --- a/contrib/cirrus/logformatter +++ b/contrib/cirrus/logformatter @@ -31,6 +31,12 @@ our $CSS = <<'END_CSS'; /* wrap long lines - don't require user to scroll right */ pre { line-break: normal; overflow-wrap: normal; white-space: pre-wrap; } +/* synopsis table at top */ +table.synopsis { border: none; border-collapse: collapse; margin-left: 2em; margin-top: 2ex; } +.synopsis th { font-weight: normal; font-size: 110%; text-align: right; } +.synopsis td { font-weight: bold; font-size: 120%; font-family: monospace; } + +/* test results */ .boring { color: #999; } .timestamp { color: #999; } .log-debug { color: #999; } @@ -171,9 +177,20 @@ window.addEventListener("load", scrollToBottom, false); </script> </head> <body> -<pre> <!-- begin processed output --> END_HTML + # Synopsis of this job: show job environment, links to PR and Cirrus + print { $out_fh } "<h2>Synopsis</h2>\n<hr/>\n", + job_synopsis($test_name), "<hr/>\n"; + + # FOR DEBUGGING: dump environment, but in HTML comments to not clutter + print { $out_fh } "<!-- Environment: -->\n"; + for my $e (sort keys %ENV) { + my $val = escapeHTML($ENV{$e}); + $val =~ s/--/--/g; # double dash not valid in comments + printf { $out_fh } "<!-- %-20s %s -->\n", $e, $val; + } + # State variables my $previous_timestamp = ''; # timestamp of previous line my $cirrus_task; # Cirrus task number, used for linking @@ -185,6 +202,8 @@ END_HTML my $looks_like_bats; # binary flag: for detecting BATS results my %bats_count; # For summary line: count of pass/fail/skip + print { $out_fh } "<pre> <!-- begin processed output -->\n"; + # Main loop: read input, one line at a time, and write out reformatted LINE: while (my $line = <STDIN>) { @@ -232,8 +251,9 @@ END_HTML my $css; # Readability: /long/path/to/podman -> podman (hover for full path) - $line =~ s{^(#\s+(#|\$)\s+)(\S+/)(podman\S*)\s} - {$1<span title="$3$4">$4</span> }; + # Also make it boldface, to make commands stand out + $line =~ s{^(#\s+(#|\$)\s+)(\S+/)(podman\S*)(\s.*)} + {$1<b><span title="$3$4">$4</span>$5</b>}; if ($line =~ /^ok\s.*\s# skip/) { $css = 'skipped' } elsif ($line =~ /^ok\s/) { $css = 'passed' } @@ -470,6 +490,83 @@ sub make_id { } +############################################################################### +# BEGIN job_synopsis and related helpers + +################## +# job_synopsis # Job details, links to github/cirrus +################## +sub job_synopsis { + my $subtest_name = shift; # e.g. integration_test + + my $s = <<"END_SYNOPSIS"; +<table class="synopsis"> +END_SYNOPSIS + + # PR 1234 - title of the pr + my $pr_title = escapeHTML(_env_replace("{CIRRUS_CHANGE_TITLE}")); + $s .= _tr("Github PR", sprintf("%s - %s", + _a("{CIRRUS_PR}", "https://{CIRRUS_REPO_CLONE_HOST}/{CIRRUS_REPO_FULL_NAME}/pull/{CIRRUS_PR}"), + $pr_title)); + + # PR author, if signed-off-by + if (my $msg = _env_replace("{CIRRUS_COMMIT_MESSAGE}")) { + while ($msg =~ /^Signed-off-by:\s+(\S.*\S)$/gmi) { + $s .= _tr("Author", escapeHTML($1)); + } + } + + # eg "test fedora", "special_testing_rootless" + my $test_name = _env_replace("{CIRRUS_TASK_NAME}"); + if (my $rcli = $ENV{RCLI}) { + $test_name .= " [remote]" if $rcli eq 'true'; + } + else { + $test_name .= " [no RCLI; cannot determine remote/local]"; + } + $s .= _tr("Test name", $test_name); + + # Subtest, e.g. system_test + $s .= _tr("Subtest", $subtest_name); + + # Link to further Cirrus results, e.g. other runs. + # Build is mostly boring, it's usually TASK that we want to see. + $s .= _tr("Cirrus Build ID", "<small>" . _a("{CIRRUS_BUILD_ID}", "https://cirrus-ci.com/build/{CIRRUS_BUILD_ID}") . "</small>"); + $s .= _tr("Cirrus <b>Task</b> ID", _a("{CIRRUS_TASK_ID}", "https://cirrus-ci.com/task/{CIRRUS_TASK_ID}")); + + # "none", "rootless" + $s .= _tr("Special mode", _env_replace("{SPECIALMODE}")); + + $s .= "</table>\n"; + return $s; +} + + +sub _tr { + my ($th, $td) = @_; + return "<tr><th>$th:</th><td>$td</td></tr>\n"; +} + +sub _a { + my ($name, $href) = map { _env_replace($_) } @_; + + if ($href =~ /UNDEFINED/) { + return "$name ($href)"; + } + return "<a href='$href'>$name</a>"; +} + +sub _env_replace { + my $s_in = shift; + + $s_in =~ s[\{(.*?)\}][$ENV{$1} || "[$1 UNDEFINED]"]ge; + + return $s_in; +} + +# END job_synopsis and related helpers +############################################################################### +# BEGIN html-formatting helpers sub escapeHTML { my $s = shift; @@ -492,5 +589,7 @@ sub unescapeHTML { return $s; } +# END html-formatting helpers +############################################################################### 1; diff --git a/contrib/cirrus/logformatter.t b/contrib/cirrus/logformatter.t index 2075bff96..bd4179b5e 100755 --- a/contrib/cirrus/logformatter.t +++ b/contrib/cirrus/logformatter.t @@ -96,7 +96,7 @@ ok 4 blah <span class='bats-passed'><a name='t--00001'>ok 1 hi</a></span> <span class='bats-skipped'><a name='t--00002'>ok 2 bye # skip no reason</a></span> <span class='bats-failed'><a name='t--00003'>not ok 3 fail</a></span> -<span class='bats-log'># $ <span title="/path/to/podman">podman</span> foo -bar</span> +<span class='bats-log'># $ <b><span title="/path/to/podman">podman</span> foo -bar</b></span> <span class='bats-log-esm'># #| FAIL: exit code is 123; expected 321</span> <span class='bats-passed'><a name='t--00004'>ok 4 blah</a></span> <hr/><span class='bats-summary'>Summary: <span class='bats-passed'>2 Passed</span>, <span class='bats-failed'>1 Failed</span>, <span class='bats-skipped'>1 Skipped</span>. Total tests: 4</span> @@ -147,11 +147,11 @@ $SCRIPT_BASE/integration_test.sh |& ${TIMESTAMP} <pre> <span class="timestamp">[+0103s] </span>Podman pod restart <span class="timestamp"> </span><a name='t--podman-pod-restart-single-empty-pod--1'><h2> podman pod restart single empty pod</h2></a> -<span class="timestamp"> </span> /var/tmp/go/src/github.com<a class="codelink" href='https://github.com/containers/podman/blob/40f5d8b1becd381c4e8283ed3940d09193e4fe06/test/e2e/pod_restart_test.go#L41'>/containers/libpod/test/e2e/pod_restart_test.go:41</a> +<span class="timestamp"> </span> /var/tmp/go/src/github.com<a class="codelink" href='https://github.com/containers/podman/blob/40f5d8b1becd381c4e8283ed3940d09193e4fe06/test/e2e/pod_restart_test.go#L41'>/containers/podman/test/e2e/pod_restart_test.go:41</a> <span class="timestamp"> </span>[BeforeEach] Podman pod restart -<span class="timestamp"> </span> /var/tmp/go/src/github.com<a class="codelink" href='https://github.com/containers/podman/blob/40f5d8b1becd381c4e8283ed3940d09193e4fe06/test/e2e/pod_restart_test.go#L18'>/containers/libpod/test/e2e/pod_restart_test.go:18</a> +<span class="timestamp"> </span> /var/tmp/go/src/github.com<a class="codelink" href='https://github.com/containers/podman/blob/40f5d8b1becd381c4e8283ed3940d09193e4fe06/test/e2e/pod_restart_test.go#L18'>/containers/podman/test/e2e/pod_restart_test.go:18</a> <span class="timestamp"> </span>[It] podman pod restart single empty pod -<span class="timestamp"> </span> /var/tmp/go/src/github.com<a class="codelink" href='https://github.com/containers/podman/blob/40f5d8b1becd381c4e8283ed3940d09193e4fe06/test/e2e/pod_restart_test.go#L41'>/containers/libpod/test/e2e/pod_restart_test.go:41</a> +<span class="timestamp"> </span> /var/tmp/go/src/github.com<a class="codelink" href='https://github.com/containers/podman/blob/40f5d8b1becd381c4e8283ed3940d09193e4fe06/test/e2e/pod_restart_test.go#L41'>/containers/podman/test/e2e/pod_restart_test.go:41</a> <span class="timestamp"> </span>Running: <span title="/var/tmp/go/src/github.com/containers/podman/bin/podman"><b>podman</b></span> <span class="boring" title="--storage-opt vfs.imagestore=/tmp/podman/imagecachedir --root /tmp/podman_test553496330/crio --runroot /tmp/podman_test553496330/crio-run @@ -176,7 +176,7 @@ $SCRIPT_BASE/integration_test.sh |& ${TIMESTAMP} <span class="timestamp"> </span><span class='log-warn'>Error: no containers in pod 4810be0cfbd42241e349dbe7d50fbc54405cd320a6637c65fd5323f34d64af89 have no dependencies, cannot start pod: no such container</span> <span class="timestamp"> </span>output: <span class="timestamp"> </span>[AfterEach] Podman pod restart -<span class="timestamp"> </span> /var/tmp/go/src/github.com<a class="codelink" href='https://github.com/containers/podman/blob/40f5d8b1becd381c4e8283ed3940d09193e4fe06/test/e2e/pod_restart_test.go#L28'>/containers/libpod/test/e2e/pod_restart_test.go:28</a> +<span class="timestamp"> </span> /var/tmp/go/src/github.com<a class="codelink" href='https://github.com/containers/podman/blob/40f5d8b1becd381c4e8283ed3940d09193e4fe06/test/e2e/pod_restart_test.go#L28'>/containers/podman/test/e2e/pod_restart_test.go:28</a> <span class="timestamp"> </span>Running: <span title="/var/tmp/go/src/github.com/containers/podman/bin/podman"><b>podman</b></span> <span class="boring" title="--storage-opt vfs.imagestore=/tmp/podman/imagecachedir --root /tmp/podman_test553496330/crio --runroot /tmp/podman_test553496330/crio-run diff --git a/contrib/imgprune/Dockerfile b/contrib/imgprune/Dockerfile deleted file mode 100644 index b0dc77da5..000000000 --- a/contrib/imgprune/Dockerfile +++ /dev/null @@ -1,7 +0,0 @@ -FROM quay.io/libpod/imgts:latest - -RUN yum -y update && \ - yum clean all - -COPY /contrib/imgprune/entrypoint.sh /usr/local/bin/entrypoint.sh -RUN chmod 755 /usr/local/bin/entrypoint.sh diff --git a/contrib/imgprune/README.md b/contrib/imgprune/README.md deleted file mode 100644 index 48abc2028..000000000 --- a/contrib/imgprune/README.md +++ /dev/null @@ -1,11 +0,0 @@ - - -A container image for maintaining the collection of -VM images used by CI/CD on this project and several others. -Acts upon metadata maintained by the imgts container. - -Example build (from repository root): - -```bash -sudo podman build -t $IMAGE_NAME -f contrib/imgprune/Dockerfile . -``` diff --git a/contrib/imgprune/entrypoint.sh b/contrib/imgprune/entrypoint.sh deleted file mode 100755 index fd80d9b26..000000000 --- a/contrib/imgprune/entrypoint.sh +++ /dev/null @@ -1,106 +0,0 @@ -#!/usr/bin/env bash - -set -e - -source /usr/local/bin/lib_entrypoint.sh - -req_env_var GCPJSON GCPNAME GCPPROJECT IMGNAMES - -unset BASE_IMAGES -# When executing under Cirrus-CI, script have access to current source -LIB="$CIRRUS_WORKING_DIR/$SCRIPT_BASE/lib.sh" -if [[ "$CI" == "true" ]] && [[ -r "$LIB" ]] -then - # Avoid importing anything that might conflict - for env in $(sed -ne 's/^[^#]\+_BASE_IMAGE=/img=/p' "$LIB") - do - eval $env - BASE_IMAGES="$BASE_IMAGES $img" - done -else - # metadata labeling may have broken for some reason in the future - echo "Warning: Running outside of Cirrus-CI, very minor-risk of base-image deletion." -fi - -gcloud_init - -# For safety's sake + limit nr background processes -PRUNE_LIMIT=5 -THEFUTURE=$(date --date='+1 hour' +%s) -TOO_OLD='30 days ago' -THRESHOLD=$(date --date="$TOO_OLD" +%s) -# Format Ref: https://cloud.google.com/sdk/gcloud/reference/topic/formats -FORMAT='value[quote](name,selfLink,creationTimestamp,labels)' -PROJRE="/v1/projects/$GCPPROJECT/global/" -RECENTLY=$(date --date='3 days ago' --iso-8601=date) -# Filter Ref: https://cloud.google.com/sdk/gcloud/reference/topic/filters -FILTER="selfLink~$PROJRE AND creationTimestamp<$RECENTLY AND NOT name=($IMGNAMES $BASE_IMAGES)" -TODELETE=$(mktemp -p '' todelete.XXXXXX) -IMGCOUNT=$(mktemp -p '' imgcount.XXXXXX) - -# Search-loop runs in a sub-process, must store count in file -echo "0" > "$IMGCOUNT" -count_image() { - local count - count=$(<"$IMGCOUNT") - let 'count+=1' - echo "$count" > "$IMGCOUNT" -} - -echo "Using filter: $FILTER" -echo "Searching images for pruning candidates older than $TOO_OLD ($(date --date="$TOO_OLD" --iso-8601=date)):" -$GCLOUD compute images list --format="$FORMAT" --filter="$FILTER" | \ - while read name selfLink creationTimestamp labels - do - count_image - created_ymd=$(date --date=$creationTimestamp --iso-8601=date) - last_used=$(egrep --only-matching --max-count=1 'last-used=[[:digit:]]+' <<< $labels || true) - markmsgpfx="Marking $name (created $created_ymd) for deletion" - if [[ -z "$last_used" ]] - then # image pre-dates addition of tracking labels - echo "$markmsgpfx: Missing 'last-used' metadata, labels: '$labels'" - echo "$name" >> $TODELETE - continue - fi - - last_used_timestamp=$(date --date=@$(cut -d= -f2 <<< $last_used || true) +%s || true) - last_used_ymd=$(date --date=@$last_used_timestamp --iso-8601=date) - if [[ -z "$last_used_timestamp" ]] || [[ "$last_used_timestamp" -ge "$THEFUTURE" ]] - then - echo "$markmsgpfx: Missing or invalid last-used timestamp: '$last_used_timestamp'" - echo "$name" >> $TODELETE - continue - fi - - if [[ "$last_used_timestamp" -le "$THRESHOLD" ]] - then - echo "$markmsgpfx: Used over $TOO_OLD on $last_used_ymd" - echo "$name" >> $TODELETE - continue - fi - done - -COUNT=$(<"$IMGCOUNT") -echo "########################################################################" -echo "Deleting up to $PRUNE_LIMIT images marked ($(wc -l < $TODELETE)) of all searched ($COUNT):" - -# Require a minimum number of images to exist -NEED="$[$PRUNE_LIMIT*2]" -if [[ "$COUNT" -lt "$NEED" ]] -then - die 0 Safety-net Insufficient images \($COUNT\) to process deletions \($NEED\) - exit 0 -fi - -for image_name in $(sort --random-sort $TODELETE | tail -$PRUNE_LIMIT) -do - if echo "$IMGNAMES $BASE_IMAGES" | grep -q "$image_name" - then - # double-verify in-use images were filtered out in search loop above - die 8 FATAL ATTEMPT TO DELETE IN-USE IMAGE \'$image_name\' - THIS SHOULD NEVER HAPPEN - fi - echo "Deleting $image_name in parallel..." - $GCLOUD compute images delete $image_name & -done - -wait || true # Nothing to delete: No background jobs diff --git a/contrib/imgts/Dockerfile b/contrib/imgts/Dockerfile deleted file mode 100644 index deaadb899..000000000 --- a/contrib/imgts/Dockerfile +++ /dev/null @@ -1,20 +0,0 @@ -FROM centos:7 - -# Only needed for installing build-time dependencies -COPY /contrib/imgts/google-cloud-sdk.repo /etc/yum.repos.d/google-cloud-sdk.repo -RUN yum -y update && \ - yum -y install epel-release && \ - yum -y install google-cloud-sdk && \ - yum clean all - -ENV GCPJSON="__unknown__" \ - GCPNAME="__unknown__" \ - GCPPROJECT="__unknown__" \ - IMGNAMES="__unknown__" \ - BUILDID="__unknown__" \ - REPOREF="__unknown__" - -COPY ["/contrib/imgts/entrypoint.sh", "/contrib/imgts/lib_entrypoint.sh", "/usr/local/bin/"] -RUN chmod 755 /usr/local/bin/entrypoint.sh - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] diff --git a/contrib/imgts/README.md b/contrib/imgts/README.md deleted file mode 100644 index ad5ed4172..000000000 --- a/contrib/imgts/README.md +++ /dev/null @@ -1,11 +0,0 @@ - - -A container image for tracking automation metadata. -Currently this is used to update last-used timestamps on -VM images. - -Example build (from repository root): - -```bash -sudo podman build -t $IMAGE_NAME -f contrib/imgts/Dockerfile . -``` diff --git a/contrib/imgts/entrypoint.sh b/contrib/imgts/entrypoint.sh deleted file mode 100755 index b089e1e9b..000000000 --- a/contrib/imgts/entrypoint.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/usr/bin/env bash - -set -e - -source /usr/local/bin/lib_entrypoint.sh - -req_env_var GCPJSON GCPNAME GCPPROJECT IMGNAMES BUILDID REPOREF - -gcloud_init - -ARGS=" - --update-labels=last-used=$(date +%s) - --update-labels=build-id=$BUILDID - --update-labels=repo-ref=$REPOREF - --update-labels=project=$GCPPROJECT -" - -for image in $IMGNAMES -do - $GCLOUD compute images update "$image" $ARGS & -done - -wait || echo "Warning: No \$IMGNAMES were specified." diff --git a/contrib/imgts/google-cloud-sdk.repo b/contrib/imgts/google-cloud-sdk.repo deleted file mode 100644 index 45b1e43bb..000000000 --- a/contrib/imgts/google-cloud-sdk.repo +++ /dev/null @@ -1,8 +0,0 @@ -[google-cloud-sdk] -name=Google Cloud SDK -baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el7-x86_64 -enabled=1 -gpgcheck=1 -repo_gpgcheck=1 -gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg - https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg diff --git a/contrib/imgts/lib_entrypoint.sh b/contrib/imgts/lib_entrypoint.sh deleted file mode 100644 index 6eb5cdc2f..000000000 --- a/contrib/imgts/lib_entrypoint.sh +++ /dev/null @@ -1,49 +0,0 @@ -#!/usr/bin/env bash - -set -e - -RED="\e[1;36;41m" -YEL="\e[1;33;44m" -NOR="\e[0m" -SENTINEL="__unknown__" # default set in dockerfile -# Disable all input prompts -# https://cloud.google.com/sdk/docs/scripting-gcloud -GCLOUD="gcloud --quiet" - -die() { - EXIT=$1 - PFX=$2 - shift 2 - MSG="$@" - echo -e "${RED}${PFX}:${NOR} ${YEL}$MSG${NOR}" - [[ "$EXIT" -eq "0" ]] || exit "$EXIT" -} - -# Pass in a list of one or more envariable names; exit non-zero with -# helpful error message if any value is empty -req_env_var() { - for i; do - if [[ -z "${!i}" ]] - then - die 1 FATAL entrypoint.sh requires \$$i to be non-empty. - elif [[ "${!i}" == "$SENTINEL" ]] - then - die 2 FATAL entrypoint.sh requires \$$i to be explicitly set. - fi - done -} - -gcloud_init() { - set +xe - if [[ -n "$1" ]] && [[ -r "$1" ]] - then - TMPF="$1" - else - TMPF=$(mktemp -p '' .$(uuidgen)_XXXX.json) - trap "rm -f $TMPF &> /dev/null" EXIT - echo "$GCPJSON" > $TMPF - fi - $GCLOUD auth activate-service-account --project="$GCPPROJECT" --key-file="$TMPF" || \ - die 5 FATAL auth - rm -f $TMPF &> /dev/null || true # ignore any read-only error -} diff --git a/contrib/upldrel/Dockerfile b/contrib/upldrel/Dockerfile deleted file mode 100644 index 54a58c521..000000000 --- a/contrib/upldrel/Dockerfile +++ /dev/null @@ -1,9 +0,0 @@ -FROM quay.io/libpod/imgts:latest - -RUN yum -y update && \ - yum -y install unzip && \ - rpm -V unzip && \ - yum clean all - -COPY /contrib/upldrel/entrypoint.sh /usr/local/bin/entrypoint.sh -RUN chmod 755 /usr/local/bin/entrypoint.sh diff --git a/contrib/upldrel/README.md b/contrib/upldrel/README.md deleted file mode 100644 index 41f5ffef0..000000000 --- a/contrib/upldrel/README.md +++ /dev/null @@ -1,9 +0,0 @@ - - -A container image for canonical-naming and uploading of -libpod and remote-client archives. Only intended to ever -be used by CI/CD, and depends heavily on an embedded -`release.txt` file produced by `make`. - -Build script: [../cirrus/build_release.sh](../cirrus/build_release.sh) -Upload script: [../cirrus/upload_release_archive.sh](../cirrus/upload_release_archive.sh) diff --git a/contrib/upldrel/entrypoint.sh b/contrib/upldrel/entrypoint.sh deleted file mode 100755 index 6eb1b8f94..000000000 --- a/contrib/upldrel/entrypoint.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/env bash - -set -e - -source /usr/local/bin/lib_entrypoint.sh - -req_env_var GCPJSON_FILEPATH GCPNAME GCPPROJECT BUCKET FROM_FILEPATH TO_FILENAME - -[[ -r "$FROM_FILEPATH" ]] || \ - die 2 ERROR Cannot read release archive file: "$FROM_FILEPATH" - -[[ -r "$GCPJSON_FILEPATH" ]] || \ - die 3 ERROR Cannot read GCP credentials file: "$GCPJSON_FILEPATH" - -echo "Authenticating to google cloud for upload" -gcloud_init "$GCPJSON_FILEPATH" - -echo "Uploading archive as $TO_FILENAME" -gsutil cp "$FROM_FILEPATH" "gs://$BUCKET/$TO_FILENAME" -[[ -z "$ALSO_FILENAME" ]] || \ - gsutil cp "$FROM_FILEPATH" "gs://$BUCKET/$ALSO_FILENAME" - -echo "." -echo "Release now available for download at:" -echo " https://storage.googleapis.com/$BUCKET/$TO_FILENAME" -[[ -z "$ALSO_FILENAME" ]] || \ - echo " https://storage.googleapis.com/$BUCKET/$ALSO_FILENAME" diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 4a8b311f0..28c340d2f 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -215,6 +215,10 @@ Note: if the user only has access rights via a group, accessing the device from inside a rootless container will fail. The **crun**(1) runtime offers a workaround for this by adding the option **--annotation run.oci.keep_original_groups=1**. +Podman may load kernel modules required for using the specified +device. The devices that podman will load modules when necessary are: +/dev/fuse. + **--device-cgroup-rule**="type major:minor mode" Add a rule to the cgroup allowed devices list. The rule is expected to be in the format specified in the Linux kernel documentation (Documentation/cgroup-v1/devices.txt): diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 47aa8827f..a27b1b175 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -231,6 +231,10 @@ Note: if the user only has access rights via a group, accessing the device from inside a rootless container will fail. The **crun**(1) runtime offers a workaround for this by adding the option **--annotation run.oci.keep_original_groups=1**. +Podman may load kernel modules required for using the specified +device. The devices that podman will load modules when necessary are: +/dev/fuse. + **--device-cgroup-rule**=rule Add a rule to the cgroup allowed devices list @@ -11,8 +11,8 @@ require ( github.com/containerd/containerd v1.4.1 // indirect github.com/containernetworking/cni v0.8.0 github.com/containernetworking/plugins v0.8.7 - github.com/containers/buildah v1.16.2 - github.com/containers/common v0.23.0 + github.com/containers/buildah v1.16.4 + github.com/containers/common v0.24.0 github.com/containers/conmon v2.0.20+incompatible github.com/containers/image/v5 v5.6.0 github.com/containers/psgo v1.5.1 @@ -70,11 +70,11 @@ github.com/containernetworking/cni v0.8.0 h1:BT9lpgGoH4jw3lFC7Odz2prU5ruiYKcgAjM github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= github.com/containernetworking/plugins v0.8.7 h1:bU7QieuAp+sACI2vCzESJ3FoT860urYP+lThyZkb/2M= github.com/containernetworking/plugins v0.8.7/go.mod h1:R7lXeZaBzpfqapcAbHRW8/CYwm0dHzbz0XEjofx0uB0= -github.com/containers/buildah v1.16.2 h1:u8RA0r9sp3d5df/QRm0glG7L6ZN40UVJcYedwcZGt8w= -github.com/containers/buildah v1.16.2/go.mod h1:i1XqXgpCROnfcq4oNtfrFEk7UzNDxLJ/PZ+CnPyoIq8= +github.com/containers/buildah v1.16.4 h1:bxthp2FoGcpc2O/RyvbGUAZoefmc5hRBqWQi3BjRu7w= +github.com/containers/buildah v1.16.4/go.mod h1:i1XqXgpCROnfcq4oNtfrFEk7UzNDxLJ/PZ+CnPyoIq8= github.com/containers/common v0.21.0/go.mod h1:8w8SVwc+P2p1MOnRMbSKNWXt1Iwd2bKFu2LLZx55DTM= -github.com/containers/common v0.23.0 h1:+g4mI3wUYSzOtoWU9TNVoV4K52/aN6JEz0qs1YdPEe8= -github.com/containers/common v0.23.0/go.mod h1:E56/N0beWGf+lrrJX32atuo2hkjzHwSC8n1vCG+TAR0= +github.com/containers/common v0.24.0 h1:5C03ROzmRvZCyooNJVkZ4Q8T2d04g+VVyPMQ428XC4Y= +github.com/containers/common v0.24.0/go.mod h1:BFRo6uRh1TbkZgR2oYTILxc2BNZTBtBffa9xtu881QI= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/image/v5 v5.5.2/go.mod h1:4PyNYR0nwlGq/ybVJD9hWlhmIsNra4Q8uOQX2s6E2uM= diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index eba732d2a..514cdaee1 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -7,6 +7,7 @@ import ( "fmt" "io" "io/ioutil" + "math" "net" "os" "os/user" @@ -35,6 +36,7 @@ import ( "github.com/containers/podman/v2/pkg/util" "github.com/containers/podman/v2/utils" "github.com/containers/storage/pkg/archive" + "github.com/containers/storage/pkg/idtools" securejoin "github.com/cyphar/filepath-securejoin" runcuser "github.com/opencontainers/runc/libcontainer/user" spec "github.com/opencontainers/runtime-spec/specs-go" @@ -416,9 +418,43 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { // Look up and add groups the user belongs to, if a group wasn't directly specified if !strings.Contains(c.config.User, ":") { + // the gidMappings that are present inside the container user namespace + var gidMappings []idtools.IDMap + + switch { + case len(c.config.IDMappings.GIDMap) > 0: + gidMappings = c.config.IDMappings.GIDMap + case rootless.IsRootless(): + // Check whether the current user namespace has enough gids available. + availableGids, err := rootless.GetAvailableGids() + if err != nil { + return nil, errors.Wrapf(err, "cannot read number of available GIDs") + } + gidMappings = []idtools.IDMap{{ + ContainerID: 0, + HostID: 0, + Size: int(availableGids), + }} + default: + gidMappings = []idtools.IDMap{{ + ContainerID: 0, + HostID: 0, + Size: math.MaxInt32, + }} + } for _, gid := range execUser.Sgids { - // FIXME: We need to add a flag to containers.conf to not add these for HPC Users. - g.AddProcessAdditionalGid(uint32(gid)) + isGidAvailable := false + for _, m := range gidMappings { + if gid >= m.ContainerID && gid < m.ContainerID+m.Size { + isGidAvailable = true + break + } + } + if isGidAvailable { + g.AddProcessAdditionalGid(uint32(gid)) + } else { + logrus.Warnf("additional gid=%d is not present in the user namespace, skip setting it", gid) + } } } diff --git a/libpod/container_log_linux.go b/libpod/container_log_linux.go index 73c2df76e..d895171cf 100644 --- a/libpod/container_log_linux.go +++ b/libpod/container_log_linux.go @@ -33,7 +33,7 @@ const ( func (c *Container) readFromJournal(ctx context.Context, options *logs.LogOptions, logChannel chan *logs.LogLine) error { var config journal.JournalReaderConfig if options.Tail < 0 { - config.NumFromTail = math.MaxUint64 + config.NumFromTail = 0 } else { config.NumFromTail = uint64(options.Tail) } diff --git a/libpod/image/prune.go b/libpod/image/prune.go index fcc65fb03..b38265a7e 100644 --- a/libpod/image/prune.go +++ b/libpod/image/prune.go @@ -125,29 +125,39 @@ func (ir *Runtime) PruneImages(ctx context.Context, all bool, filter []string) ( filterFuncs = append(filterFuncs, generatedFunc) } - pruneImages, err := ir.GetPruneImages(ctx, all, filterFuncs) - if err != nil { - return nil, errors.Wrap(err, "unable to get images to prune") - } - prunedCids := make([]string, 0, len(pruneImages)) - for _, p := range pruneImages { - repotags, err := p.RepoTags() + pruned := []string{} + prev := 0 + for { + toPrune, err := ir.GetPruneImages(ctx, all, filterFuncs) if err != nil { - return nil, err + return nil, errors.Wrap(err, "unable to get images to prune") } - if err := p.Remove(ctx, true); err != nil { - if errors.Cause(err) == storage.ErrImageUsedByContainer { - logrus.Warnf("Failed to prune image %s as it is in use: %v.\nA container associated with containers/storage i.e. Buildah, CRI-O, etc., maybe associated with this image.\nUsing the rmi command with the --force option will remove the container and image, but may cause failures for other dependent systems.", p.ID(), err) - continue - } - return nil, errors.Wrap(err, "failed to prune image") + numImages := len(toPrune) + if numImages == 0 || numImages == prev { + // If there's nothing left to do, return. + break } - defer p.newImageEvent(events.Prune) - nameOrID := p.ID() - if len(repotags) > 0 { - nameOrID = repotags[0] + prev = numImages + for _, img := range toPrune { + repotags, err := img.RepoTags() + if err != nil { + return nil, err + } + if err := img.Remove(ctx, false); err != nil { + if errors.Cause(err) == storage.ErrImageUsedByContainer { + logrus.Warnf("Failed to prune image %s as it is in use: %v.\nA container associated with containers/storage (e.g., Buildah, CRI-O, etc.) maybe associated with this image.\nUsing the rmi command with the --force option will remove the container and image, but may cause failures for other dependent systems.", img.ID(), err) + continue + } + return nil, errors.Wrap(err, "failed to prune image") + } + defer img.newImageEvent(events.Prune) + nameOrID := img.ID() + if len(repotags) > 0 { + nameOrID = repotags[0] + } + pruned = append(pruned, nameOrID) } - prunedCids = append(prunedCids, nameOrID) + } - return prunedCids, nil + return pruned, nil } diff --git a/libpod/util_linux.go b/libpod/util_linux.go index 03c3ab061..5184ed393 100644 --- a/libpod/util_linux.go +++ b/libpod/util_linux.go @@ -90,19 +90,23 @@ func assembleSystemdCgroupName(baseSlice, newSlice string) (string, error) { return final, nil } +var lvpRelabel = label.Relabel +var lvpInitLabels = label.InitLabels +var lvpReleaseLabel = label.ReleaseLabel + // LabelVolumePath takes a mount path for a volume and gives it an // selinux label of either shared or not func LabelVolumePath(path string) error { - _, mountLabel, err := label.InitLabels([]string{}) + _, mountLabel, err := lvpInitLabels([]string{}) if err != nil { return errors.Wrapf(err, "error getting default mountlabels") } - if err := label.ReleaseLabel(mountLabel); err != nil { + if err := lvpReleaseLabel(mountLabel); err != nil { return errors.Wrapf(err, "error releasing label %q", mountLabel) } - if err := label.Relabel(path, mountLabel, true); err != nil { - if err != syscall.ENOTSUP { + if err := lvpRelabel(path, mountLabel, true); err != nil { + if err == syscall.ENOTSUP { logrus.Debugf("Labeling not supported on %q", path) } else { return errors.Wrapf(err, "error setting selinux label for %s to %q as shared", path, mountLabel) diff --git a/libpod/util_linux_test.go b/libpod/util_linux_test.go new file mode 100644 index 000000000..5fcb04beb --- /dev/null +++ b/libpod/util_linux_test.go @@ -0,0 +1,39 @@ +package libpod + +import ( + "syscall" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestLabelVolumePath(t *testing.T) { + // Set up mocked SELinux functions for testing. + oldRelabel := lvpRelabel + oldInitLabels := lvpInitLabels + oldReleaseLabel := lvpReleaseLabel + defer func() { + lvpRelabel = oldRelabel + lvpInitLabels = oldInitLabels + lvpReleaseLabel = oldReleaseLabel + }() + + // Relabel returns ENOTSUP unconditionally. + lvpRelabel = func(path string, fileLabel string, shared bool) error { + return syscall.ENOTSUP + } + + // InitLabels and ReleaseLabel both return dummy values and nil errors. + lvpInitLabels = func(options []string) (string, string, error) { + pLabel := "system_u:system_r:container_t:s0:c1,c2" + mLabel := "system_u:object_r:container_file_t:s0:c1,c2" + return pLabel, mLabel, nil + } + lvpReleaseLabel = func(label string) error { + return nil + } + + // LabelVolumePath should not return an error if the operation is unsupported. + err := LabelVolumePath("/foo/bar") + assert.NoError(t, err) +} diff --git a/pkg/api/handlers/compat/images.go b/pkg/api/handlers/compat/images.go index 940b57343..cc67ebcd1 100644 --- a/pkg/api/handlers/compat/images.go +++ b/pkg/api/handlers/compat/images.go @@ -20,9 +20,25 @@ import ( "github.com/containers/podman/v2/pkg/domain/entities" "github.com/docker/docker/api/types" "github.com/gorilla/schema" + "github.com/opencontainers/go-digest" "github.com/pkg/errors" ) +// mergeNameAndTagOrDigest creates an image reference as string from the +// provided image name and tagOrDigest which can be a tag, a digest or empty. +func mergeNameAndTagOrDigest(name, tagOrDigest string) string { + if len(tagOrDigest) == 0 { + return name + } + + separator := ":" // default to tag + if _, err := digest.Parse(tagOrDigest); err == nil { + // We have a digest, so let's change the separator. + separator = "@" + } + return fmt.Sprintf("%s%s%s", name, separator, tagOrDigest) +} + func ExportImage(w http.ResponseWriter, r *http.Request) { // 200 ok // 500 server @@ -252,10 +268,7 @@ func CreateImageFromImage(w http.ResponseWriter, r *http.Request) { return } - fromImage := query.FromImage - if len(query.Tag) >= 1 { - fromImage = fmt.Sprintf("%s:%s", fromImage, query.Tag) - } + fromImage := mergeNameAndTagOrDigest(query.FromImage, query.Tag) authConf, authfile, key, err := auth.GetCredentials(r) if err != nil { diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go index d56dc7d94..965c63bec 100644 --- a/pkg/domain/infra/abi/images.go +++ b/pkg/domain/infra/abi/images.go @@ -46,11 +46,7 @@ func (ir *ImageEngine) Exists(_ context.Context, nameOrID string) (*entities.Boo } func (ir *ImageEngine) Prune(ctx context.Context, opts entities.ImagePruneOptions) (*entities.ImagePruneReport, error) { - return ir.pruneImagesHelper(ctx, opts.All, opts.Filter) -} - -func (ir *ImageEngine) pruneImagesHelper(ctx context.Context, all bool, filters []string) (*entities.ImagePruneReport, error) { - results, err := ir.Libpod.ImageRuntime().PruneImages(ctx, all, filters) + results, err := ir.Libpod.ImageRuntime().PruneImages(ctx, opts.All, opts.Filter) if err != nil { return nil, err } diff --git a/pkg/domain/infra/tunnel/helpers.go b/pkg/domain/infra/tunnel/helpers.go index 5944f855a..7d28f1bd3 100644 --- a/pkg/domain/infra/tunnel/helpers.go +++ b/pkg/domain/infra/tunnel/helpers.go @@ -2,74 +2,118 @@ package tunnel import ( "context" - "strings" "github.com/containers/podman/v2/libpod/define" "github.com/containers/podman/v2/pkg/bindings" "github.com/containers/podman/v2/pkg/bindings/containers" "github.com/containers/podman/v2/pkg/bindings/pods" "github.com/containers/podman/v2/pkg/domain/entities" - "github.com/containers/podman/v2/pkg/util" + "github.com/containers/podman/v2/pkg/errorhandling" "github.com/pkg/errors" ) +// FIXME: the `ignore` parameter is very likely wrong here as it should rather +// be used on *errors* from operations such as remove. func getContainersByContext(contextWithConnection context.Context, all, ignore bool, namesOrIDs []string) ([]entities.ListContainer, error) { - var ( - cons []entities.ListContainer - ) if all && len(namesOrIDs) > 0 { return nil, errors.New("cannot lookup containers and all") } - c, err := containers.List(contextWithConnection, nil, bindings.PTrue, nil, nil, bindings.PTrue) + + allContainers, err := containers.List(contextWithConnection, nil, bindings.PTrue, nil, nil, bindings.PTrue) if err != nil { return nil, err } if all { - return c, err + return allContainers, err } - for _, id := range namesOrIDs { - var found bool - for _, con := range c { - if id == con.ID || strings.HasPrefix(con.ID, id) || util.StringInSlice(id, con.Names) { - cons = append(cons, con) + + // Note: it would be nicer if the lists endpoint would support that as + // we could use the libpod backend for looking up containers rather + // than risking diverging the local and remote lookups. + // + // A `--filter nameOrId=abc` that can be specified multiple times would + // be awesome to have. + filtered := []entities.ListContainer{} + for _, nameOrID := range namesOrIDs { + // First determine if the container exists by doing an inspect. + // Inspect takes supports names and IDs and let's us determine + // a containers full ID. + inspectData, err := containers.Inspect(contextWithConnection, nameOrID, bindings.PFalse) + if err != nil { + if ignore && errorhandling.Contains(err, define.ErrNoSuchCtr) { + continue + } + return nil, err + } + + // Now we can do a full match of the ID to find the right + // container. Note that we *really* need a full ID match to + // prevent any ambiguities between IDs and names (see #7837). + found := false + for _, ctr := range allContainers { + if ctr.ID == inspectData.ID { + filtered = append(filtered, ctr) found = true break } + } + if !found && !ignore { - return nil, errors.Wrapf(define.ErrNoSuchCtr, "unable to find container %q", id) + return nil, errors.Wrapf(define.ErrNoSuchCtr, "unable to find container %q", nameOrID) } } - return cons, nil + return filtered, nil } func getPodsByContext(contextWithConnection context.Context, all bool, namesOrIDs []string) ([]*entities.ListPodsReport, error) { - var ( - sPods []*entities.ListPodsReport - ) if all && len(namesOrIDs) > 0 { return nil, errors.New("cannot lookup specific pods and all") } - fPods, err := pods.List(contextWithConnection, nil) + allPods, err := pods.List(contextWithConnection, nil) if err != nil { return nil, err } if all { - return fPods, nil + return allPods, nil } + + filtered := []*entities.ListPodsReport{} + // Note: it would be nicer if the lists endpoint would support that as + // we could use the libpod backend for looking up pods rather than + // risking diverging the local and remote lookups. + // + // A `--filter nameOrId=abc` that can be specified multiple times would + // be awesome to have. for _, nameOrID := range namesOrIDs { - var found bool - for _, f := range fPods { - if f.Name == nameOrID || strings.HasPrefix(f.Id, nameOrID) { - sPods = append(sPods, f) + // First determine if the pod exists by doing an inspect. + // Inspect takes supports names and IDs and let's us determine + // a containers full ID. + inspectData, err := pods.Inspect(contextWithConnection, nameOrID) + if err != nil { + if errorhandling.Contains(err, define.ErrNoSuchPod) { + return nil, errors.Wrapf(define.ErrNoSuchPod, "unable to find pod %q", nameOrID) + } + return nil, err + } + + // Now we can do a full match of the ID to find the right pod. + // Note that we *really* need a full ID match to prevent any + // ambiguities between IDs and names (see #7837). + found := false + for _, pod := range allPods { + if pod.Id == inspectData.ID { + filtered = append(filtered, pod) found = true break } + } + if !found { return nil, errors.Wrapf(define.ErrNoSuchPod, "unable to find pod %q", nameOrID) } } - return sPods, nil + return filtered, nil } diff --git a/pkg/rootless/rootless.go b/pkg/rootless/rootless.go index d02721ea9..799c793d8 100644 --- a/pkg/rootless/rootless.go +++ b/pkg/rootless/rootless.go @@ -2,8 +2,10 @@ package rootless import ( "os" + "sync" "github.com/containers/storage" + "github.com/opencontainers/runc/libcontainer/user" "github.com/pkg/errors" ) @@ -46,3 +48,26 @@ func TryJoinPauseProcess(pausePidPath string) (bool, int, error) { } return became, ret, err } + +var ( + availableGids int64 + availableGidsErr error + availableGidsOnce sync.Once +) + +// GetAvailableGids returns how many GIDs are available in the +// current user namespace. +func GetAvailableGids() (int64, error) { + availableGidsOnce.Do(func() { + idMap, err := user.ParseIDMapFile("/proc/self/gid_map") + if err != nil { + availableGidsErr = err + return + } + availableGids = int64(0) + for _, r := range idMap { + availableGids += r.Count + } + }) + return availableGids, availableGidsErr +} diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go index 1d5dcd8e7..fac02ad01 100644 --- a/pkg/specgen/generate/config_linux.go +++ b/pkg/specgen/generate/config_linux.go @@ -248,6 +248,13 @@ func addDevice(g *generate.Generator, device string) error { } g.Config.Mounts = append(g.Config.Mounts, devMnt) return nil + } else if src == "/dev/fuse" { + // if the user is asking for fuse inside the container + // make sure the module is loaded. + f, err := unix.Open(src, unix.O_RDONLY|unix.O_NONBLOCK, 0) + if err == nil { + unix.Close(f) + } } dev.Path = dst g.AddDevice(*dev) diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go index b57ddf1aa..f02432f5b 100644 --- a/pkg/specgen/generate/oci.go +++ b/pkg/specgen/generate/oci.go @@ -10,7 +10,6 @@ import ( "github.com/containers/podman/v2/libpod/image" "github.com/containers/podman/v2/pkg/rootless" "github.com/containers/podman/v2/pkg/specgen" - "github.com/opencontainers/runc/libcontainer/user" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" "github.com/pkg/errors" @@ -200,7 +199,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt } gid5Available := true if isRootless { - nGids, err := GetAvailableGids() + nGids, err := rootless.GetAvailableGids() if err != nil { return nil, err } @@ -360,15 +359,3 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt return configSpec, nil } - -func GetAvailableGids() (int64, error) { - idMap, err := user.ParseIDMapFile("/proc/self/gid_map") - if err != nil { - return 0, err - } - count := int64(0) - for _, r := range idMap { - count += r.Count - } - return count, nil -} diff --git a/test/apiv2/10-images.at b/test/apiv2/10-images.at index a204df65c..bdc298ae3 100644 --- a/test/apiv2/10-images.at +++ b/test/apiv2/10-images.at @@ -39,7 +39,11 @@ t GET images/$iid/json 200 \ .Id=sha256:$iid \ .RepoTags[0]=$IMAGE -#t POST images/create fromImage=alpine 201 foo +t POST "images/create?fromImage=alpine" '' 200 + +t POST "images/create?fromImage=alpine&tag=latest" '' 200 + +t POST "images/create?fromImage=docker.io/library/alpine&tag=sha256:acd3ca9941a85e8ed16515bfc5328e4e2f8c128caa72959a58a127b7801ee01f" '' 200 # Display the image history t GET libpod/images/nonesuch/history 404 diff --git a/test/e2e/info_test.go b/test/e2e/info_test.go index bcbfdd80a..49f5f0ce6 100644 --- a/test/e2e/info_test.go +++ b/test/e2e/info_test.go @@ -50,15 +50,17 @@ var _ = Describe("Podman Info", func() { {"{{ json .}}", true, 0}, {"{{json . }}", true, 0}, {" {{ json . }} ", true, 0}, - {"{{json }}", false, 125}, + {"{{json }}", true, 0}, {"{{json .", false, 125}, - {"json . }}", false, 0}, // Note: this does NOT fail but produces garbage + {"json . }}", false, 0}, // without opening {{ template seen as string literal } for _, tt := range tests { session := podmanTest.Podman([]string{"info", "--format", tt.input}) session.WaitWithDefaultTimeout() - Expect(session).Should(Exit(tt.exitCode)) - Expect(session.IsJSONOutputValid()).To(Equal(tt.success)) + + desc := fmt.Sprintf("JSON test(%q)", tt.input) + Expect(session).Should(Exit(tt.exitCode), desc) + Expect(session.IsJSONOutputValid()).To(Equal(tt.success), desc) } }) diff --git a/test/e2e/logs_test.go b/test/e2e/logs_test.go index 3aa3cf409..67ab71d20 100644 --- a/test/e2e/logs_test.go +++ b/test/e2e/logs_test.go @@ -203,6 +203,7 @@ var _ = Describe("Podman logs", func() { results.WaitWithDefaultTimeout() Expect(results).To(Exit(0)) Expect(len(results.OutputToStringArray())).To(Equal(3)) + Expect(results.OutputToString()).To(Equal("podman podman podman")) }) It("using journald tail two lines", func() { diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 292df529c..05aede122 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -67,6 +67,30 @@ var _ = Describe("Podman run", func() { Expect(session.ExitCode()).To(Equal(0)) }) + It("podman run --rm with --restart", func() { + session := podmanTest.Podman([]string{"run", "--rm", "--restart", "", ALPINE}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"run", "--rm", "--restart", "no", ALPINE}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + // the --rm option conflicts with --restart, when the restartPolicy is not "" and "no" + // so the exitCode should not equal 0 + session = podmanTest.Podman([]string{"run", "--rm", "--restart", "on-failure", ALPINE}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Not(Equal(0))) + + session = podmanTest.Podman([]string{"run", "--rm", "--restart", "always", ALPINE}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Not(Equal(0))) + + session = podmanTest.Podman([]string{"run", "--rm", "--restart", "unless-stopped", ALPINE}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Not(Equal(0))) + }) + It("podman run a container based on on a short name with localhost", func() { tag := podmanTest.Podman([]string{"tag", nginx, "localhost/libpod/alpine_nginx:latest"}) tag.WaitWithDefaultTimeout() diff --git a/test/e2e/version_test.go b/test/e2e/version_test.go index 695cccc11..903748b58 100644 --- a/test/e2e/version_test.go +++ b/test/e2e/version_test.go @@ -1,6 +1,7 @@ package integration import ( + "fmt" "os" . "github.com/containers/podman/v2/test/utils" @@ -68,15 +69,17 @@ var _ = Describe("Podman version", func() { {"{{ json .}}", true, 0}, {"{{json . }}", true, 0}, {" {{ json . }} ", true, 0}, - {"{{json }}", false, 125}, + {"{{json }}", true, 0}, {"{{json .", false, 125}, - {"json . }}", false, 0}, // Note: this does NOT fail but produces garbage + {"json . }}", false, 0}, // without opening {{ template seen as string literal } for _, tt := range tests { session := podmanTest.Podman([]string{"version", "--format", tt.input}) session.WaitWithDefaultTimeout() - Expect(session).Should(Exit(tt.exitCode)) - Expect(session.IsJSONOutputValid()).To(Equal(tt.success)) + + desc := fmt.Sprintf("JSON test(%q)", tt.input) + Expect(session).Should(Exit(tt.exitCode), desc) + Expect(session.IsJSONOutputValid()).To(Equal(tt.success), desc) } }) diff --git a/test/system/035-logs.bats b/test/system/035-logs.bats index cbb2091e5..130bc5243 100644 --- a/test/system/035-logs.bats +++ b/test/system/035-logs.bats @@ -50,4 +50,15 @@ ${cid[1]} c ${cid[0]} d" "Sequential output from logs" } +@test "podman logs over journald" { + msg=$(random_string 20) + + run_podman run --name myctr --log-driver journald $IMAGE echo $msg + + run_podman logs myctr + is "$output" "$msg" "check that log output equals the container output" + + run_podman rm myctr +} + # vim: filetype=sh diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats index 150626ded..a923402ac 100644 --- a/test/system/500-networking.bats +++ b/test/system/500-networking.bats @@ -82,6 +82,8 @@ load helpers # "network create" now works rootless, with the help of a special container @test "podman network create" { + skip_if_remote "FIXME: pending #7808" + local mynetname=testnet-$(random_string 10) local mysubnet=$(random_rfc1918_subnet) diff --git a/vendor/github.com/containers/buildah/.golangci.yml b/vendor/github.com/containers/buildah/.golangci.yml index 888d89afa..f8247f049 100644 --- a/vendor/github.com/containers/buildah/.golangci.yml +++ b/vendor/github.com/containers/buildah/.golangci.yml @@ -7,38 +7,26 @@ run: # Don't exceed number of threads available when running under CI concurrency: 4 linters: - disable-all: true - enable: - - bodyclose + enable-all: true + disable: + # All these break for one reason or another - deadcode - depguard - dupl - errcheck - - gofmt - - goimports + - gochecknoglobals + - gochecknoinits + - goconst + - gocritic + - gocyclo - golint - # Broken? Unpredictably dies w/o any error well before deadline/timeout expires - # - gosimple - - govet - - ineffassign - - interfacer - - misspell - - nakedret - - staticcheck + - gosec + - gosimple + - lll + - maligned + - prealloc + - scopelint - structcheck - - stylecheck - typecheck - unconvert - - unparam - - unused - varcheck - # - gochecknoglobals - # - gochecknoinits - # - goconst - # - gocritic - # - gocyclo - # - gosec - # - lll - # - maligned - # - prealloc - # - scopelint diff --git a/vendor/github.com/containers/buildah/CHANGELOG.md b/vendor/github.com/containers/buildah/CHANGELOG.md index 6168dc317..ca6a98889 100644 --- a/vendor/github.com/containers/buildah/CHANGELOG.md +++ b/vendor/github.com/containers/buildah/CHANGELOG.md @@ -2,10 +2,21 @@ # Changelog +## v1.16.4 (2020-10-01) + ADD: only expand archives at the right time + +## v1.16.3 (2020-09-30) + Lint: Use same linters as podman + add: preserve ownerships and permissions on ADDed archives + chroot: fix handling of errno seccomp rules + git-validation.sh: set the base for comparison to v1.16.0 + chroot: create bind mount targets 0755 instead of 0700 + ## v1.16.2 (2020-09-21) Add(): fix handling of relative paths with no ContextDir ## v1.16.1 (2020-09-10) + CI: use release-1.16 as the basis for validation tests copier.Get(): hard link targets shouldn't be relative paths ## v1.16.0 (2020-09-03) diff --git a/vendor/github.com/containers/buildah/add.go b/vendor/github.com/containers/buildah/add.go index bbfdda9c1..a3f3c7a37 100644 --- a/vendor/github.com/containers/buildah/add.go +++ b/vendor/github.com/containers/buildah/add.go @@ -33,7 +33,8 @@ type AddAndCopyOptions struct { Chown string // PreserveOwnership, if Chown is not set, tells us to avoid setting // ownership of copied items to 0:0, instead using whatever ownership - // information is already set. Not meaningful for remote sources. + // information is already set. Not meaningful for remote sources or + // local archives that we extract. PreserveOwnership bool // All of the data being copied will pass through Hasher, if set. // If the sources are URLs or files, their contents will be passed to @@ -210,7 +211,6 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption // Find out which user (and group) the destination should belong to. var chownDirs, chownFiles *idtools.IDPair - var chmodDirs, chmodFiles *os.FileMode var user specs.User if options.Chown != "" { user, _, err = b.user(mountPoint, options.Chown) @@ -319,9 +319,9 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption UIDMap: destUIDMap, GIDMap: destGIDMap, ChownDirs: chownDirs, - ChmodDirs: chmodDirs, + ChmodDirs: nil, ChownFiles: chownFiles, - ChmodFiles: chmodFiles, + ChmodFiles: nil, } putErr = copier.Put(mountPoint, extractDirectory, putOptions, io.TeeReader(pipeReader, hasher)) } @@ -396,6 +396,10 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption GIDMap: srcGIDMap, Excludes: options.Excludes, ExpandArchives: extract, + ChownDirs: chownDirs, + ChmodDirs: nil, + ChownFiles: chownFiles, + ChmodFiles: nil, StripSetuidBit: options.StripSetuidBit, StripSetgidBit: options.StripSetgidBit, StripStickyBit: options.StripStickyBit, @@ -423,12 +427,14 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption _, putErr = io.Copy(hasher, pipeReader) } else { putOptions := copier.PutOptions{ - UIDMap: destUIDMap, - GIDMap: destGIDMap, - ChownDirs: chownDirs, - ChmodDirs: chmodDirs, - ChownFiles: chownFiles, - ChmodFiles: chmodFiles, + UIDMap: destUIDMap, + GIDMap: destGIDMap, + DefaultDirOwner: chownDirs, + DefaultDirMode: nil, + ChownDirs: nil, + ChmodDirs: nil, + ChownFiles: nil, + ChmodFiles: nil, } putErr = copier.Put(mountPoint, extractDirectory, putOptions, io.TeeReader(pipeReader, hasher)) } diff --git a/vendor/github.com/containers/buildah/buildah.go b/vendor/github.com/containers/buildah/buildah.go index e63cfff3a..2ac0210bd 100644 --- a/vendor/github.com/containers/buildah/buildah.go +++ b/vendor/github.com/containers/buildah/buildah.go @@ -28,7 +28,7 @@ const ( Package = "buildah" // Version for the Package. Bump version in contrib/rpm/buildah.spec // too. - Version = "1.16.2" + Version = "1.16.4" // The value we use to identify what type of information, currently a // serialized Builder structure, we are using as per-container state. // This should only be changed when we make incompatible changes to diff --git a/vendor/github.com/containers/buildah/changelog.txt b/vendor/github.com/containers/buildah/changelog.txt index d34ede417..048dc61c1 100644 --- a/vendor/github.com/containers/buildah/changelog.txt +++ b/vendor/github.com/containers/buildah/changelog.txt @@ -1,7 +1,18 @@ +- Changelog for v1.16.4 (2020-10-01) + * ADD: only expand archives at the right time + +- Changelog for v1.16.3 (2020-09-30) + * Lint: Use same linters as podman + * add: preserve ownerships and permissions on ADDed archives + * chroot: fix handling of errno seccomp rules + * git-validation.sh: set the base for comparison to v1.16.0 + * chroot: create bind mount targets 0755 instead of 0700 + - Changelog for v1.16.2 (2020-09-21) * Add(): fix handling of relative paths with no ContextDir - Changelog for v1.16.1 (2020-09-10) + * CI: use release-1.16 as the basis for validation tests * copier.Get(): hard link targets shouldn't be relative paths - Changelog for v1.16.0 (2020-09-03) diff --git a/vendor/github.com/containers/buildah/chroot/run.go b/vendor/github.com/containers/buildah/chroot/run.go index 7a83a73a3..e8842f7a9 100644 --- a/vendor/github.com/containers/buildah/chroot/run.go +++ b/vendor/github.com/containers/buildah/chroot/run.go @@ -1047,7 +1047,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func( subDev := filepath.Join(spec.Root.Path, "/dev") if err := unix.Mount("/dev", subDev, "bind", devFlags, ""); err != nil { if os.IsNotExist(err) { - err = os.Mkdir(subDev, 0700) + err = os.Mkdir(subDev, 0755) if err == nil { err = unix.Mount("/dev", subDev, "bind", devFlags, "") } @@ -1071,7 +1071,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func( subProc := filepath.Join(spec.Root.Path, "/proc") if err := unix.Mount("/proc", subProc, "bind", procFlags, ""); err != nil { if os.IsNotExist(err) { - err = os.Mkdir(subProc, 0700) + err = os.Mkdir(subProc, 0755) if err == nil { err = unix.Mount("/proc", subProc, "bind", procFlags, "") } @@ -1086,7 +1086,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func( subSys := filepath.Join(spec.Root.Path, "/sys") if err := unix.Mount("/sys", subSys, "bind", sysFlags, ""); err != nil { if os.IsNotExist(err) { - err = os.Mkdir(subSys, 0700) + err = os.Mkdir(subSys, 0755) if err == nil { err = unix.Mount("/sys", subSys, "bind", sysFlags, "") } @@ -1163,15 +1163,15 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func( } // The target isn't there yet, so create it. if srcinfo.IsDir() { - if err = os.MkdirAll(target, 0111); err != nil { + if err = os.MkdirAll(target, 0755); err != nil { return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target) } } else { - if err = os.MkdirAll(filepath.Dir(target), 0111); err != nil { + if err = os.MkdirAll(filepath.Dir(target), 0755); err != nil { return undoBinds, errors.Wrapf(err, "error ensuring parent of mountpoint %q (%q) is present in mount namespace", target, filepath.Dir(target)) } var file *os.File - if file, err = os.OpenFile(target, os.O_WRONLY|os.O_CREATE, 0); err != nil { + if file, err = os.OpenFile(target, os.O_WRONLY|os.O_CREATE, 0755); err != nil { return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target) } file.Close() diff --git a/vendor/github.com/containers/buildah/chroot/seccomp.go b/vendor/github.com/containers/buildah/chroot/seccomp.go index 12a9b0032..1ca0a159e 100644 --- a/vendor/github.com/containers/buildah/chroot/seccomp.go +++ b/vendor/github.com/containers/buildah/chroot/seccomp.go @@ -15,18 +15,28 @@ func setSeccomp(spec *specs.Spec) error { if spec.Linux.Seccomp == nil { return nil } - mapAction := func(specAction specs.LinuxSeccompAction) libseccomp.ScmpAction { + mapAction := func(specAction specs.LinuxSeccompAction, errnoRet *uint) libseccomp.ScmpAction { switch specAction { case specs.ActKill: return libseccomp.ActKill case specs.ActTrap: return libseccomp.ActTrap case specs.ActErrno: - return libseccomp.ActErrno + action := libseccomp.ActErrno + if errnoRet != nil { + action = action.SetReturnCode(int16(*errnoRet)) + } + return action case specs.ActTrace: return libseccomp.ActTrace case specs.ActAllow: return libseccomp.ActAllow + case specs.ActLog: + return libseccomp.ActLog + case specs.ActKillProcess: + return libseccomp.ActKillProcess + default: + logrus.Errorf("unmappable action %v", specAction) } return libseccomp.ActInvalid } @@ -68,6 +78,8 @@ func setSeccomp(spec *specs.Spec) error { /* fallthrough */ /* for now */ case specs.ArchPARISC64: /* fallthrough */ /* for now */ + default: + logrus.Errorf("unmappable arch %v", specArch) } return libseccomp.ArchInvalid } @@ -87,11 +99,13 @@ func setSeccomp(spec *specs.Spec) error { return libseccomp.CompareGreater case specs.OpMaskedEqual: return libseccomp.CompareMaskedEqual + default: + logrus.Errorf("unmappable op %v", op) } return libseccomp.CompareInvalid } - filter, err := libseccomp.NewFilter(mapAction(spec.Linux.Seccomp.DefaultAction)) + filter, err := libseccomp.NewFilter(mapAction(spec.Linux.Seccomp.DefaultAction, nil)) if err != nil { return errors.Wrapf(err, "error creating seccomp filter with default action %q", spec.Linux.Seccomp.DefaultAction) } @@ -112,7 +126,7 @@ func setSeccomp(spec *specs.Spec) error { } for scnum := range scnames { if len(rule.Args) == 0 { - if err = filter.AddRule(scnum, mapAction(rule.Action)); err != nil { + if err = filter.AddRule(scnum, mapAction(rule.Action, rule.ErrnoRet)); err != nil { return errors.Wrapf(err, "error adding a rule (%q:%q) to seccomp filter", scnames[scnum], rule.Action) } continue @@ -129,7 +143,7 @@ func setSeccomp(spec *specs.Spec) error { } conditions = append(conditions, condition) } - if err = filter.AddRuleConditional(scnum, mapAction(rule.Action), conditions); err != nil { + if err = filter.AddRuleConditional(scnum, mapAction(rule.Action, rule.ErrnoRet), conditions); err != nil { // Okay, if the rules specify multiple equality // checks, assume someone thought that they // were OR'd, when in fact they're ordinarily @@ -137,7 +151,7 @@ func setSeccomp(spec *specs.Spec) error { // different rules to get that OR effect. if len(rule.Args) > 1 && opsAreAllEquality && err.Error() == "two checks on same syscall argument" { for i := range conditions { - if err = filter.AddRuleConditional(scnum, mapAction(rule.Action), conditions[i:i+1]); err != nil { + if err = filter.AddRuleConditional(scnum, mapAction(rule.Action, rule.ErrnoRet), conditions[i:i+1]); err != nil { return errors.Wrapf(err, "error adding a conditional rule (%q:%q[%d]) to seccomp filter", scnames[scnum], rule.Action, i) } } diff --git a/vendor/github.com/containers/buildah/copier/copier.go b/vendor/github.com/containers/buildah/copier/copier.go index a980fe292..1021aeb6f 100644 --- a/vendor/github.com/containers/buildah/copier/copier.go +++ b/vendor/github.com/containers/buildah/copier/copier.go @@ -222,6 +222,10 @@ type GetOptions struct { UIDMap, GIDMap []idtools.IDMap // map from hostIDs to containerIDs in the output archive Excludes []string // contents to pretend don't exist, using the OS-specific path separator ExpandArchives bool // extract the contents of named items that are archives + ChownDirs *idtools.IDPair // set ownership on directories. no effect on archives being extracted + ChmodDirs *os.FileMode // set permissions on directories. no effect on archives being extracted + ChownFiles *idtools.IDPair // set ownership of files. no effect on archives being extracted + ChmodFiles *os.FileMode // set permissions on files. no effect on archives being extracted StripSetuidBit bool // strip the setuid bit off of items being copied. no effect on archives being extracted StripSetgidBit bool // strip the setgid bit off of items being copied. no effect on archives being extracted StripStickyBit bool // strip the sticky bit off of items being copied. no effect on archives being extracted @@ -265,6 +269,8 @@ func Get(root string, directory string, options GetOptions, globs []string, bulk // PutOptions controls parts of Put()'s behavior. type PutOptions struct { UIDMap, GIDMap []idtools.IDMap // map from containerIDs to hostIDs when writing contents to disk + DefaultDirOwner *idtools.IDPair // set ownership of implicitly-created directories, default is ChownDirs, or 0:0 if ChownDirs not set + DefaultDirMode *os.FileMode // set permissions on implicitly-created directories, default is ChmodDirs, or 0755 if ChmodDirs not set ChownDirs *idtools.IDPair // set ownership of newly-created directories ChmodDirs *os.FileMode // set permissions on newly-created directories ChownFiles *idtools.IDPair // set ownership of newly-created files @@ -1032,6 +1038,9 @@ func copierHandlerGet(bulkWriter io.Writer, req request, pm *fileutils.PatternMa } // evaluate excludes relative to the root directory if info.Mode().IsDir() { + // we don't expand any of the contents that are archives + options := req.GetOptions + options.ExpandArchives = false walkfn := func(path string, info os.FileInfo, err error) error { // compute the path of this item // relative to the top-level directory, @@ -1073,7 +1082,7 @@ func copierHandlerGet(bulkWriter io.Writer, req request, pm *fileutils.PatternMa symlinkTarget = target } // add the item to the outgoing tar stream - return copierHandlerGetOne(info, symlinkTarget, rel, path, req.GetOptions, tw, hardlinkChecker, idMappings) + return copierHandlerGetOne(info, symlinkTarget, rel, path, options, tw, hardlinkChecker, idMappings) } // walk the directory tree, checking/adding items individually if err := filepath.Walk(item, walkfn); err != nil { @@ -1193,6 +1202,22 @@ func copierHandlerGetOne(srcfi os.FileInfo, symlinkTarget, name, contentPath str return errors.Wrapf(err, "error mapping host filesystem owners %#v to container filesystem owners", hostPair) } } + // force ownership and/or permissions, if requested + if hdr.Typeflag == tar.TypeDir { + if options.ChownDirs != nil { + hdr.Uid, hdr.Gid = options.ChownDirs.UID, options.ChownDirs.GID + } + if options.ChmodDirs != nil { + hdr.Mode = int64(*options.ChmodDirs) + } + } else { + if options.ChownFiles != nil { + hdr.Uid, hdr.Gid = options.ChownFiles.UID, options.ChownFiles.GID + } + if options.ChmodFiles != nil { + hdr.Mode = int64(*options.ChmodFiles) + } + } // output the header if err = tw.WriteHeader(hdr); err != nil { return errors.Wrapf(err, "error writing header for %s (%s)", contentPath, hdr.Name) @@ -1220,13 +1245,20 @@ func copierHandlerPut(bulkReader io.Reader, req request, idMappings *idtools.IDM errorResponse := func(fmtspec string, args ...interface{}) (*response, func() error, error) { return &response{Error: fmt.Sprintf(fmtspec, args...), Put: putResponse{}}, nil, nil } - dirUID, dirGID := 0, 0 + dirUID, dirGID, defaultDirUID, defaultDirGID := 0, 0, 0, 0 if req.PutOptions.ChownDirs != nil { dirUID, dirGID = req.PutOptions.ChownDirs.UID, req.PutOptions.ChownDirs.GID + defaultDirUID, defaultDirGID = dirUID, dirGID } - dirMode := os.FileMode(0755) + defaultDirMode := os.FileMode(0755) if req.PutOptions.ChmodDirs != nil { - dirMode = *req.PutOptions.ChmodDirs + defaultDirMode = *req.PutOptions.ChmodDirs + } + if req.PutOptions.DefaultDirOwner != nil { + defaultDirUID, defaultDirGID = req.PutOptions.DefaultDirOwner.UID, req.PutOptions.DefaultDirOwner.GID + } + if req.PutOptions.DefaultDirMode != nil { + defaultDirMode = *req.PutOptions.DefaultDirMode } var fileUID, fileGID *int if req.PutOptions.ChownFiles != nil { @@ -1258,11 +1290,11 @@ func copierHandlerPut(bulkReader io.Reader, req request, idMappings *idtools.IDM subdir = filepath.Join(subdir, component) path := filepath.Join(req.Root, subdir) if err := os.Mkdir(path, 0700); err == nil { - if err = lchown(path, dirUID, dirGID); err != nil { - return errors.Wrapf(err, "copier: put: error setting owner of %q to %d:%d", path, dirUID, dirGID) + if err = lchown(path, defaultDirUID, defaultDirGID); err != nil { + return errors.Wrapf(err, "copier: put: error setting owner of %q to %d:%d", path, defaultDirUID, defaultDirGID) } - if err = os.Chmod(path, dirMode); err != nil { - return errors.Wrapf(err, "copier: put: error setting permissions on %q to 0%o", path, dirMode) + if err = os.Chmod(path, defaultDirMode); err != nil { + return errors.Wrapf(err, "copier: put: error setting permissions on %q to 0%o", path, defaultDirMode) } } else { if !os.IsExist(err) { diff --git a/vendor/github.com/containers/common/pkg/completion/completion.go b/vendor/github.com/containers/common/pkg/completion/completion.go index 6e7ddff30..07451e992 100644 --- a/vendor/github.com/containers/common/pkg/completion/completion.go +++ b/vendor/github.com/containers/common/pkg/completion/completion.go @@ -1,6 +1,14 @@ package completion -import "github.com/spf13/cobra" +import ( + "bufio" + "os" + "strings" + "unicode" + + "github.com/containers/common/pkg/capabilities" + "github.com/spf13/cobra" +) // FlagCompletions - hold flag completion functions to be applied later with CompleteCommandFlags() type FlagCompletions map[string]func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) @@ -24,3 +32,62 @@ func AutocompleteNone(cmd *cobra.Command, args []string, toComplete string) ([]s func AutocompleteDefault(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { return nil, cobra.ShellCompDirectiveDefault } + +// AutocompleteCapabilities - Autocomplete linux capabilities options. +// Used by --cap-add and --cap-drop. +func AutocompleteCapabilities(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { + caps := capabilities.AllCapabilities() + + // convertCase will convert a string to lowercase only if the user input is lowercase + convertCase := func(s string) string { return s } + if len(toComplete) > 0 && unicode.IsLower(rune(toComplete[0])) { + convertCase = strings.ToLower + } + + // offset is used to trim "CAP_" if the user doesn't type CA... or ca... + offset := 0 + if !strings.HasPrefix(toComplete, convertCase("CA")) { + // setting the offset to 4 is safe since each cap starts with CAP_ + offset = 4 + } + + var completions []string + for _, cap := range caps { + completions = append(completions, convertCase(cap)[offset:]) + } + + // add ALL here which is also a valid argument + completions = append(completions, convertCase(capabilities.All)) + return completions, cobra.ShellCompDirectiveNoFileComp +} + +// autocompleteSubIDName - autocomplete the names in /etc/subuid or /etc/subgid +func autocompleteSubIDName(filename string) ([]string, cobra.ShellCompDirective) { + file, err := os.Open(filename) + if err != nil { + return nil, cobra.ShellCompDirectiveError + } + defer file.Close() + + var names []string + scanner := bufio.NewScanner(file) + for scanner.Scan() { + name := strings.SplitN(scanner.Text(), ":", 2)[0] + names = append(names, name) + } + if err = scanner.Err(); err != nil { + return nil, cobra.ShellCompDirectiveError + } + + return names, cobra.ShellCompDirectiveNoFileComp +} + +// AutocompleteSubgidName - Autocomplete subgidname based on the names in the /etc/subgid file. +func AutocompleteSubgidName(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { + return autocompleteSubIDName("/etc/subgid") +} + +// AutocompleteSubuidName - Autocomplete subuidname based on the names in the /etc/subuid file. +func AutocompleteSubuidName(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { + return autocompleteSubIDName("/etc/subuid") +} diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go index eaa728791..8e69c7daf 100644 --- a/vendor/github.com/containers/common/version/version.go +++ b/vendor/github.com/containers/common/version/version.go @@ -1,4 +1,4 @@ package version // Version is the version of the build. -const Version = "0.23.0" +const Version = "0.24.0" diff --git a/vendor/modules.txt b/vendor/modules.txt index 3c7749b57..e1c2b6300 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -67,7 +67,7 @@ github.com/containernetworking/plugins/pkg/utils/hwaddr github.com/containernetworking/plugins/pkg/utils/sysctl github.com/containernetworking/plugins/plugins/ipam/host-local/backend github.com/containernetworking/plugins/plugins/ipam/host-local/backend/allocator -# github.com/containers/buildah v1.16.2 +# github.com/containers/buildah v1.16.4 github.com/containers/buildah github.com/containers/buildah/bind github.com/containers/buildah/chroot @@ -87,7 +87,7 @@ github.com/containers/buildah/pkg/secrets github.com/containers/buildah/pkg/supplemented github.com/containers/buildah/pkg/umask github.com/containers/buildah/util -# github.com/containers/common v0.23.0 +# github.com/containers/common v0.24.0 github.com/containers/common/pkg/apparmor github.com/containers/common/pkg/apparmor/internal/supported github.com/containers/common/pkg/auth |