diff options
55 files changed, 1079 insertions, 574 deletions
@@ -548,11 +548,14 @@ install.docker: install ${SELINUXOPT} -m 755 -d ${DESTDIR}${SYSTEMDDIR} ${DESTDIR}${USERSYSTEMDDIR} ${DESTDIR}${TMPFILESDIR} install ${SELINUXOPT} -m 644 contrib/systemd/system/podman-docker.conf -t ${DESTDIR}${TMPFILESDIR} -.PHONY: install.docker-docs -install.docker-docs: docker-docs +.PHONY: install.docker-docs-nobuild +install.docker-docs-nobuild: install ${SELINUXOPT} -d -m 755 $(DESTDIR)$(BINDIR) $(DESTDIR)$(MANDIR)/man1 install ${SELINUXOPT} -m 644 docs/build/man/docker*.1 -t $(DESTDIR)$(MANDIR)/man1 +.PHONY: install.docker-docs +install.docker-docs: docker-docs install.docker-docs-nobuild + .PHONY: install.systemd ifneq (,$(findstring systemd,$(BUILDTAGS))) install.systemd: diff --git a/cmd/podman/common/create_opts.go b/cmd/podman/common/create_opts.go index f945c9c54..6c91bedfe 100644 --- a/cmd/podman/common/create_opts.go +++ b/cmd/podman/common/create_opts.go @@ -3,6 +3,7 @@ package common import ( "fmt" "net" + "os" "path/filepath" "strconv" "strings" @@ -13,6 +14,7 @@ import ( "github.com/containers/podman/v3/pkg/domain/entities" "github.com/containers/podman/v3/pkg/rootless" "github.com/containers/podman/v3/pkg/specgen" + "github.com/pkg/errors" ) type ContainerCLIOpts struct { @@ -395,8 +397,16 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, cgroup cliOpts.Ulimit = ulimits } } + if cc.HostConfig.Resources.NanoCPUs > 0 { + if cliOpts.CPUPeriod != 0 || cliOpts.CPUQuota != 0 { + return nil, nil, errors.Errorf("NanoCpus conflicts with CpuPeriod and CpuQuota") + } + cliOpts.CPUPeriod = 100000 + cliOpts.CPUQuota = cc.HostConfig.Resources.NanoCPUs / 10000 + } // volumes + volSources := make(map[string]bool) volDestinations := make(map[string]bool) for _, vol := range cc.HostConfig.Binds { cliOpts.Volume = append(cliOpts.Volume, vol) @@ -407,6 +417,7 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, cgroup case 1: volDestinations[vol] = true default: + volSources[splitVol[0]] = true volDestinations[splitVol[1]] = true } } @@ -421,6 +432,19 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, cgroup } cliOpts.Volume = append(cliOpts.Volume, vol) } + // Make mount points for compat volumes + for vol := range volSources { + // This might be a named volume. + // Assume it is if it's not an absolute path. + if !filepath.IsAbs(vol) { + continue + } + if err := os.MkdirAll(vol, 0755); err != nil { + if !os.IsExist(err) { + return nil, nil, errors.Wrapf(err, "error making volume mountpoint for volume %s", vol) + } + } + } if len(cc.HostConfig.BlkioWeightDevice) > 0 { devices := make([]string, 0, len(cc.HostConfig.BlkioWeightDevice)) for _, d := range cc.HostConfig.BlkioWeightDevice { diff --git a/cmd/podman/containers/cp.go b/cmd/podman/containers/cp.go index 7887e9539..7a62d982c 100644 --- a/cmd/podman/containers/cp.go +++ b/cmd/podman/containers/cp.go @@ -189,8 +189,9 @@ func copyFromContainer(container string, containerPath string, hostPath string) } putOptions := buildahCopiah.PutOptions{ - ChownDirs: &idPair, - ChownFiles: &idPair, + ChownDirs: &idPair, + ChownFiles: &idPair, + IgnoreDevices: true, } if !containerInfo.IsDir && (!hostInfo.IsDir || hostInfoErr != nil) { // If we're having a file-to-file copy, make sure to diff --git a/docs/source/markdown/podman-system-service.1.md b/docs/source/markdown/podman-system-service.1.md index 70764823c..54ce3f040 100644 --- a/docs/source/markdown/podman-system-service.1.md +++ b/docs/source/markdown/podman-system-service.1.md @@ -34,7 +34,7 @@ Print usage statement. Run an API listening for 5 seconds using the default socket. ``` -podman system service --timeout 5000 +podman system service --time 5 ``` ## SEE ALSO @@ -11,7 +11,7 @@ require ( github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd // indirect github.com/containernetworking/cni v0.8.1 github.com/containernetworking/plugins v0.9.0 - github.com/containers/buildah v1.19.6 + github.com/containers/buildah v1.19.7 github.com/containers/common v0.35.0 github.com/containers/conmon v2.0.20+incompatible github.com/containers/image/v5 v5.10.2 @@ -97,8 +97,8 @@ github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ github.com/containernetworking/plugins v0.8.7/go.mod h1:R7lXeZaBzpfqapcAbHRW8/CYwm0dHzbz0XEjofx0uB0= github.com/containernetworking/plugins v0.9.0 h1:c+1gegKhR7+d0Caum9pEHugZlyhXPOG6v3V6xJgIGCI= github.com/containernetworking/plugins v0.9.0/go.mod h1:dbWv4dI0QrBGuVgj+TuVQ6wJRZVOhrCQj91YyC92sxg= -github.com/containers/buildah v1.19.6 h1:8mPysB7QzHxX9okR+Bwq/lsKAZA/FjDcqB+vebgwI1g= -github.com/containers/buildah v1.19.6/go.mod h1:VnyHWgNmfR1d89/zJ/F4cbwOzaQS+6sBky46W7dCo3E= +github.com/containers/buildah v1.19.7 h1:/g11GlhTo177xFex+5GHlF22hq01SyWaJuSA26UGFNU= +github.com/containers/buildah v1.19.7/go.mod h1:VnyHWgNmfR1d89/zJ/F4cbwOzaQS+6sBky46W7dCo3E= github.com/containers/common v0.33.4/go.mod h1:PhgL71XuC4jJ/1BIqeP7doke3aMFkCP90YBXwDeUr9g= github.com/containers/common v0.35.0 h1:1OLZ2v+Tj/CN9BTQkKZ5VOriOiArJedinMMqfJRUI38= github.com/containers/common v0.35.0/go.mod h1:gs1th7XFTOvVUl4LDPdQjOfOeNiVRDbQ7CNrZ0wS6F8= diff --git a/libpod/container.go b/libpod/container.go index ee6e243ac..65abbfd5e 100644 --- a/libpod/container.go +++ b/libpod/container.go @@ -904,6 +904,12 @@ func (c *Container) NamespacePath(linuxNS LinuxNS) (string, error) { //nolint:in } } + return c.namespacePath(linuxNS) +} + +// namespacePath returns the path of one of the container's namespaces +// If the container is not running, an error will be returned +func (c *Container) namespacePath(linuxNS LinuxNS) (string, error) { //nolint:interfacer if c.state.State != define.ContainerStateRunning && c.state.State != define.ContainerStatePaused { return "", errors.Wrapf(define.ErrCtrStopped, "cannot get namespace path unless container %s is running", c.ID()) } diff --git a/libpod/container_api.go b/libpod/container_api.go index 2818ac841..6fa8b27cd 100644 --- a/libpod/container_api.go +++ b/libpod/container_api.go @@ -2,6 +2,7 @@ package libpod import ( "context" + "io" "io/ioutil" "net/http" "os" @@ -349,10 +350,6 @@ func (c *Container) Mount() (string, error) { } } - if c.state.State == define.ContainerStateRemoving { - return "", errors.Wrapf(define.ErrCtrStateInvalid, "cannot mount container %s as it is being removed", c.ID()) - } - defer c.newContainerEvent(events.Mount) return c.mount() } @@ -367,7 +364,6 @@ func (c *Container) Unmount(force bool) error { return err } } - if c.state.Mounted { mounted, err := c.runtime.storageService.MountedContainerImage(c.ID()) if err != nil { @@ -847,31 +843,59 @@ func (c *Container) ShouldRestart(ctx context.Context) bool { return c.shouldRestart() } -// ResolvePath resolves the specified path on the root for the container. The -// root must either be the mounted image of the container or the already -// mounted container storage. -// -// It returns the resolved root and the resolved path. Note that the path may -// resolve to the container's mount point or to a volume or bind mount. -func (c *Container) ResolvePath(ctx context.Context, root string, path string) (string, string, error) { - logrus.Debugf("Resolving path %q (root %q) on container %s", path, root, c.ID()) +// CopyFromArchive copies the contents from the specified tarStream to path +// *inside* the container. +func (c *Container) CopyFromArchive(ctx context.Context, containerPath string, tarStream io.Reader) (func() error, error) { + if !c.batched { + c.lock.Lock() + defer c.lock.Unlock() - // Minimal sanity checks. - if len(root)*len(path) == 0 { - return "", "", errors.Wrapf(define.ErrInternal, "ResolvePath: root (%q) and path (%q) must be non empty", root, path) + if err := c.syncContainer(); err != nil { + return nil, err + } } - if _, err := os.Stat(root); err != nil { - return "", "", errors.Wrapf(err, "cannot locate root to resolve path on container %s", c.ID()) + + return c.copyFromArchive(ctx, containerPath, tarStream) +} + +// CopyToArchive copies the contents from the specified path *inside* the +// container to the tarStream. +func (c *Container) CopyToArchive(ctx context.Context, containerPath string, tarStream io.Writer) (func() error, error) { + if !c.batched { + c.lock.Lock() + defer c.lock.Unlock() + + if err := c.syncContainer(); err != nil { + return nil, err + } } + return c.copyToArchive(ctx, containerPath, tarStream) +} + +// Stat the specified path *inside* the container and return a file info. +func (c *Container) Stat(ctx context.Context, containerPath string) (*define.FileInfo, error) { if !c.batched { c.lock.Lock() defer c.lock.Unlock() if err := c.syncContainer(); err != nil { - return "", "", err + return nil, err + } + } + + var mountPoint string + var err error + if c.state.Mounted { + mountPoint = c.state.Mountpoint + } else { + mountPoint, err = c.mount() + if err != nil { + return nil, err } + defer c.unmount(false) } - return c.resolvePath(root, path) + info, _, _, err := c.stat(ctx, mountPoint, containerPath) + return info, err } diff --git a/libpod/container_copy_linux.go b/libpod/container_copy_linux.go new file mode 100644 index 000000000..66ccd2f1f --- /dev/null +++ b/libpod/container_copy_linux.go @@ -0,0 +1,266 @@ +// +build linux + +package libpod + +import ( + "context" + "io" + "os" + "path/filepath" + "runtime" + "strings" + + buildahCopiah "github.com/containers/buildah/copier" + "github.com/containers/buildah/pkg/chrootuser" + "github.com/containers/buildah/util" + "github.com/containers/podman/v3/libpod/define" + "github.com/containers/storage" + "github.com/containers/storage/pkg/idtools" + "github.com/docker/docker/pkg/archive" + "github.com/opencontainers/runtime-spec/specs-go" + "github.com/pkg/errors" + "github.com/sirupsen/logrus" + "golang.org/x/sys/unix" +) + +func (c *Container) copyFromArchive(ctx context.Context, path string, reader io.Reader) (func() error, error) { + var ( + mountPoint string + resolvedRoot string + resolvedPath string + unmount func() + err error + ) + + // Make sure that "/" copies the *contents* of the mount point and not + // the directory. + if path == "/" { + path = "/." + } + + // Optimization: only mount if the container is not already. + if c.state.Mounted { + mountPoint = c.state.Mountpoint + unmount = func() {} + } else { + // NOTE: make sure to unmount in error paths. + mountPoint, err = c.mount() + if err != nil { + return nil, err + } + unmount = func() { c.unmount(false) } + } + + if c.state.State == define.ContainerStateRunning { + resolvedRoot = "/" + resolvedPath = c.pathAbs(path) + } else { + resolvedRoot, resolvedPath, err = c.resolvePath(mountPoint, path) + if err != nil { + unmount() + return nil, err + } + } + + decompressed, err := archive.DecompressStream(reader) + if err != nil { + unmount() + return nil, err + } + + idMappings, idPair, err := getIDMappingsAndPair(c, mountPoint) + if err != nil { + decompressed.Close() + unmount() + return nil, err + } + + logrus.Debugf("Container copy *to* %q (resolved: %q) on container %q (ID: %s)", path, resolvedPath, c.Name(), c.ID()) + + return func() error { + defer unmount() + defer decompressed.Close() + putOptions := buildahCopiah.PutOptions{ + UIDMap: idMappings.UIDMap, + GIDMap: idMappings.GIDMap, + ChownDirs: idPair, + ChownFiles: idPair, + } + + return c.joinMountAndExec(ctx, + func() error { + return buildahCopiah.Put(resolvedRoot, resolvedPath, putOptions, decompressed) + }, + ) + }, nil +} + +func (c *Container) copyToArchive(ctx context.Context, path string, writer io.Writer) (func() error, error) { + var ( + mountPoint string + unmount func() + err error + ) + + // Optimization: only mount if the container is not already. + if c.state.Mounted { + mountPoint = c.state.Mountpoint + unmount = func() {} + } else { + // NOTE: make sure to unmount in error paths. + mountPoint, err = c.mount() + if err != nil { + return nil, err + } + unmount = func() { c.unmount(false) } + } + + statInfo, resolvedRoot, resolvedPath, err := c.stat(ctx, mountPoint, path) + if err != nil { + unmount() + return nil, err + } + + idMappings, idPair, err := getIDMappingsAndPair(c, mountPoint) + if err != nil { + unmount() + return nil, err + } + + logrus.Debugf("Container copy *from* %q (resolved: %q) on container %q (ID: %s)", path, resolvedPath, c.Name(), c.ID()) + + return func() error { + defer unmount() + getOptions := buildahCopiah.GetOptions{ + // Unless the specified points to ".", we want to copy the base directory. + KeepDirectoryNames: statInfo.IsDir && filepath.Base(path) != ".", + UIDMap: idMappings.UIDMap, + GIDMap: idMappings.GIDMap, + ChownDirs: idPair, + ChownFiles: idPair, + Excludes: []string{"dev", "proc", "sys"}, + } + return c.joinMountAndExec(ctx, + func() error { + return buildahCopiah.Get(resolvedRoot, "", getOptions, []string{resolvedPath}, writer) + }, + ) + }, nil +} + +// getIDMappingsAndPair returns the ID mappings for the container and the host +// ID pair. +func getIDMappingsAndPair(container *Container, containerMount string) (*storage.IDMappingOptions, *idtools.IDPair, error) { + user, err := getContainerUser(container, containerMount) + if err != nil { + return nil, nil, err + } + + idMappingOpts, err := container.IDMappings() + if err != nil { + return nil, nil, err + } + + hostUID, hostGID, err := util.GetHostIDs(idtoolsToRuntimeSpec(idMappingOpts.UIDMap), idtoolsToRuntimeSpec(idMappingOpts.GIDMap), user.UID, user.GID) + if err != nil { + return nil, nil, err + } + + idPair := idtools.IDPair{UID: int(hostUID), GID: int(hostGID)} + return &idMappingOpts, &idPair, nil +} + +// getContainerUser returns the specs.User of the container. +func getContainerUser(container *Container, mountPoint string) (specs.User, error) { + userspec := container.Config().User + + uid, gid, _, err := chrootuser.GetUser(mountPoint, userspec) + u := specs.User{ + UID: uid, + GID: gid, + Username: userspec, + } + + if !strings.Contains(userspec, ":") { + groups, err2 := chrootuser.GetAdditionalGroupsForUser(mountPoint, uint64(u.UID)) + if err2 != nil { + if errors.Cause(err2) != chrootuser.ErrNoSuchUser && err == nil { + err = err2 + } + } else { + u.AdditionalGids = groups + } + } + + return u, err +} + +// idtoolsToRuntimeSpec converts idtools ID mapping to the one of the runtime spec. +func idtoolsToRuntimeSpec(idMaps []idtools.IDMap) (convertedIDMap []specs.LinuxIDMapping) { + for _, idmap := range idMaps { + tempIDMap := specs.LinuxIDMapping{ + ContainerID: uint32(idmap.ContainerID), + HostID: uint32(idmap.HostID), + Size: uint32(idmap.Size), + } + convertedIDMap = append(convertedIDMap, tempIDMap) + } + return convertedIDMap +} + +// joinMountAndExec executes the specified function `f` inside the container's +// mount and PID namespace. That allows for having the exact view on the +// container's file system. +// +// Note, if the container is not running `f()` will be executed as is. +func (c *Container) joinMountAndExec(ctx context.Context, f func() error) error { + if c.state.State != define.ContainerStateRunning { + return f() + } + + // Container's running, so we need to execute `f()` inside its mount NS. + errChan := make(chan error) + go func() { + runtime.LockOSThread() + + // Join the mount and PID NS of the container. + getFD := func(ns LinuxNS) (*os.File, error) { + nsPath, err := c.namespacePath(ns) + if err != nil { + return nil, err + } + return os.Open(nsPath) + } + + mountFD, err := getFD(MountNS) + if err != nil { + errChan <- err + return + } + defer mountFD.Close() + + pidFD, err := getFD(PIDNS) + if err != nil { + errChan <- err + return + } + defer pidFD.Close() + if err := unix.Unshare(unix.CLONE_NEWNS); err != nil { + errChan <- err + return + } + if err := unix.Setns(int(pidFD.Fd()), unix.CLONE_NEWPID); err != nil { + errChan <- err + return + } + + if err := unix.Setns(int(mountFD.Fd()), unix.CLONE_NEWNS); err != nil { + errChan <- err + return + } + + // Last but not least, execute the workload. + errChan <- f() + }() + return <-errChan +} diff --git a/libpod/container_copy_unsupported.go b/libpod/container_copy_unsupported.go new file mode 100644 index 000000000..b2bdd3e3d --- /dev/null +++ b/libpod/container_copy_unsupported.go @@ -0,0 +1,16 @@ +// +build !linux + +package libpod + +import ( + "context" + "io" +) + +func (c *Container) copyFromArchive(ctx context.Context, path string, reader io.Reader) (func() error, error) { + return nil, nil +} + +func (c *Container) copyToArchive(ctx context.Context, path string, writer io.Writer) (func() error, error) { + return nil, nil +} diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 7e8226de4..a7da7f395 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -2086,6 +2086,10 @@ func (c *Container) setupOCIHooks(ctx context.Context, config *spec.Spec) (map[s // mount mounts the container's root filesystem func (c *Container) mount() (string, error) { + if c.state.State == define.ContainerStateRemoving { + return "", errors.Wrapf(define.ErrCtrStateInvalid, "cannot mount container %s as it is being removed", c.ID()) + } + mountPoint, err := c.runtime.storageService.MountContainerImage(c.ID()) if err != nil { return "", errors.Wrapf(err, "error mounting storage for container %s", c.ID()) diff --git a/libpod/container_path_resolution.go b/libpod/container_path_resolution.go index 5245314ae..d798963b1 100644 --- a/libpod/container_path_resolution.go +++ b/libpod/container_path_resolution.go @@ -1,3 +1,4 @@ +// +linux package libpod import ( @@ -10,6 +11,19 @@ import ( "github.com/sirupsen/logrus" ) +// pathAbs returns an absolute path. If the specified path is +// relative, it will be resolved relative to the container's working dir. +func (c *Container) pathAbs(path string) string { + if !filepath.IsAbs(path) { + // If the containerPath is not absolute, it's relative to the + // container's working dir. To be extra careful, let's first + // join the working dir with "/", and the add the containerPath + // to it. + path = filepath.Join(filepath.Join("/", c.WorkingDir()), path) + } + return path +} + // resolveContainerPaths resolves the container's mount point and the container // path as specified by the user. Both may resolve to paths outside of the // container's mount point when the container path hits a volume or bind mount. @@ -20,14 +34,7 @@ import ( // the host). func (c *Container) resolvePath(mountPoint string, containerPath string) (string, string, error) { // Let's first make sure we have a path relative to the mount point. - pathRelativeToContainerMountPoint := containerPath - if !filepath.IsAbs(containerPath) { - // If the containerPath is not absolute, it's relative to the - // container's working dir. To be extra careful, let's first - // join the working dir with "/", and the add the containerPath - // to it. - pathRelativeToContainerMountPoint = filepath.Join(filepath.Join("/", c.WorkingDir()), containerPath) - } + pathRelativeToContainerMountPoint := c.pathAbs(containerPath) resolvedPathOnTheContainerMountPoint := filepath.Join(mountPoint, pathRelativeToContainerMountPoint) pathRelativeToContainerMountPoint = strings.TrimPrefix(pathRelativeToContainerMountPoint, mountPoint) pathRelativeToContainerMountPoint = filepath.Join("/", pathRelativeToContainerMountPoint) diff --git a/libpod/container_stat_linux.go b/libpod/container_stat_linux.go new file mode 100644 index 000000000..307b75c14 --- /dev/null +++ b/libpod/container_stat_linux.go @@ -0,0 +1,157 @@ +// +build linux + +package libpod + +import ( + "context" + "os" + "path/filepath" + "strings" + + "github.com/containers/buildah/copier" + "github.com/containers/podman/v3/libpod/define" + "github.com/containers/podman/v3/pkg/copy" + "github.com/pkg/errors" +) + +// statInsideMount stats the specified path *inside* the container's mount and PID +// namespace. It returns the file info along with the resolved root ("/") and +// the resolved path (relative to the root). +func (c *Container) statInsideMount(ctx context.Context, containerPath string) (*copier.StatForItem, string, string, error) { + resolvedRoot := "/" + resolvedPath := c.pathAbs(containerPath) + var statInfo *copier.StatForItem + + err := c.joinMountAndExec(ctx, + func() error { + var statErr error + statInfo, statErr = secureStat(resolvedRoot, resolvedPath) + return statErr + }, + ) + + return statInfo, resolvedRoot, resolvedPath, err +} + +// statOnHost stats the specified path *on the host*. It returns the file info +// along with the resolved root and the resolved path. Both paths are absolute +// to the host's root. Note that the paths may resolved outside the +// container's mount point (e.g., to a volume or bind mount). +func (c *Container) statOnHost(ctx context.Context, mountPoint string, containerPath string) (*copier.StatForItem, string, string, error) { + // Now resolve the container's path. It may hit a volume, it may hit a + // bind mount, it may be relative. + resolvedRoot, resolvedPath, err := c.resolvePath(mountPoint, containerPath) + if err != nil { + return nil, "", "", err + } + + statInfo, err := secureStat(resolvedRoot, resolvedPath) + return statInfo, resolvedRoot, resolvedPath, err +} + +func (c *Container) stat(ctx context.Context, containerMountPoint string, containerPath string) (*define.FileInfo, string, string, error) { + var ( + resolvedRoot string + resolvedPath string + absContainerPath string + statInfo *copier.StatForItem + statErr error + ) + + // Make sure that "/" copies the *contents* of the mount point and not + // the directory. + if containerPath == "/" { + containerPath = "/." + } + + if c.state.State == define.ContainerStateRunning { + // If the container is running, we need to join it's mount namespace + // and stat there. + statInfo, resolvedRoot, resolvedPath, statErr = c.statInsideMount(ctx, containerPath) + } else { + // If the container is NOT running, we need to resolve the path + // on the host. + statInfo, resolvedRoot, resolvedPath, statErr = c.statOnHost(ctx, containerMountPoint, containerPath) + } + + if statErr != nil { + if statInfo == nil { + return nil, "", "", statErr + } + // Not all errors from secureStat map to ErrNotExist, so we + // have to look into the error string. Turning it into an + // ENOENT let's the API handlers return the correct status code + // which is crucial for the remote client. + if os.IsNotExist(statErr) || strings.Contains(statErr.Error(), "o such file or directory") { + statErr = copy.ErrENOENT + } + } + + if statInfo.IsSymlink { + // Evaluated symlinks are always relative to the container's mount point. + absContainerPath = statInfo.ImmediateTarget + } else if strings.HasPrefix(resolvedPath, containerMountPoint) { + // If the path is on the container's mount point, strip it off. + absContainerPath = strings.TrimPrefix(resolvedPath, containerMountPoint) + absContainerPath = filepath.Join("/", absContainerPath) + } else { + // No symlink and not on the container's mount point, so let's + // move it back to the original input. It must have evaluated + // to a volume or bind mount but we cannot return host paths. + absContainerPath = containerPath + } + + // Preserve the base path as specified by the user. The `filepath` + // packages likes to remove trailing slashes and dots that are crucial + // to the copy logic. + absContainerPath = copy.PreserveBasePath(containerPath, absContainerPath) + resolvedPath = copy.PreserveBasePath(containerPath, resolvedPath) + + info := &define.FileInfo{ + IsDir: statInfo.IsDir, + Name: filepath.Base(absContainerPath), + Size: statInfo.Size, + Mode: statInfo.Mode, + ModTime: statInfo.ModTime, + LinkTarget: absContainerPath, + } + + return info, resolvedRoot, resolvedPath, statErr +} + +// secureStat extracts file info for path in a chroot'ed environment in root. +func secureStat(root string, path string) (*copier.StatForItem, error) { + var glob string + var err error + + // If root and path are equal, then dir must be empty and the glob must + // be ".". + if filepath.Clean(root) == filepath.Clean(path) { + glob = "." + } else { + glob, err = filepath.Rel(root, path) + if err != nil { + return nil, err + } + } + + globStats, err := copier.Stat(root, "", copier.StatOptions{}, []string{glob}) + if err != nil { + return nil, err + } + + if len(globStats) != 1 { + return nil, errors.Errorf("internal error: secureStat: expected 1 item but got %d", len(globStats)) + } + + stat, exists := globStats[0].Results[glob] // only one glob passed, so that's okay + if !exists { + return nil, copy.ErrENOENT + } + + var statErr error + if stat.Error != "" { + statErr = errors.New(stat.Error) + } + return stat, statErr +} diff --git a/libpod/container_stat_unsupported.go b/libpod/container_stat_unsupported.go new file mode 100644 index 000000000..c002e4d32 --- /dev/null +++ b/libpod/container_stat_unsupported.go @@ -0,0 +1,13 @@ +// +build !linux + +package libpod + +import ( + "context" + + "github.com/containers/podman/v3/libpod/define" +) + +func (c *Container) stat(ctx context.Context, containerMountPoint string, containerPath string) (*define.FileInfo, string, string, error) { + return nil, "", "", nil +} diff --git a/libpod/define/fileinfo.go b/libpod/define/fileinfo.go new file mode 100644 index 000000000..2c7b6fe99 --- /dev/null +++ b/libpod/define/fileinfo.go @@ -0,0 +1,16 @@ +package define + +import ( + "os" + "time" +) + +// FileInfo describes the attributes of a file or diretory. +type FileInfo struct { + Name string `json:"name"` + Size int64 `json:"size"` + Mode os.FileMode `json:"mode"` + ModTime time.Time `json:"mtime"` + IsDir bool `json:"isDir"` + LinkTarget string `json:"linkTarget"` +} diff --git a/libpod/define/version.go b/libpod/define/version.go index 67dc730ac..5249b5d84 100644 --- a/libpod/define/version.go +++ b/libpod/define/version.go @@ -5,7 +5,7 @@ import ( "strconv" "time" - podmanVersion "github.com/containers/podman/v3/version" + "github.com/containers/podman/v3/version" ) // Overwritten at build time @@ -42,8 +42,8 @@ func GetVersion() (Version, error) { } } return Version{ - APIVersion: podmanVersion.APIVersion.String(), - Version: podmanVersion.Version.String(), + APIVersion: version.APIVersion[version.Libpod][version.CurrentAPI].String(), + Version: version.Version.String(), GoVersion: runtime.Version(), GitCommit: gitCommit, BuiltTime: time.Unix(buildTime, 0).Format(time.ANSIC), diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go index 0526e646e..d6968a6b5 100644 --- a/libpod/networking_linux.go +++ b/libpod/networking_linux.go @@ -809,7 +809,7 @@ func (r *Runtime) teardownCNI(ctr *Container) error { requestedMAC = ctr.config.StaticMAC } - podNetwork := r.getPodNetwork(ctr.ID(), ctr.Name(), ctr.state.NetNS.Path(), networks, ctr.config.PortMappings, requestedIP, requestedMAC, ContainerNetworkDescriptions{}) + podNetwork := r.getPodNetwork(ctr.ID(), ctr.Name(), ctr.state.NetNS.Path(), networks, ctr.config.PortMappings, requestedIP, requestedMAC, ctr.state.NetInterfaceDescriptions) if err := r.netPlugin.TearDownPod(podNetwork); err != nil { return errors.Wrapf(err, "error tearing down CNI namespace configuration for container %s", ctr.ID()) diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index 492bc807a..ef5f6fb0c 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -113,9 +113,11 @@ func newConmonOCIRuntime(name string, paths []string, conmonPath string, runtime // TODO: probe OCI runtime for feature and enable automatically if // available. - runtime.supportsJSON = supportsJSON[name] - runtime.supportsNoCgroups = supportsNoCgroups[name] - runtime.supportsKVM = supportsKVM[name] + + base := filepath.Base(name) + runtime.supportsJSON = supportsJSON[base] + runtime.supportsNoCgroups = supportsNoCgroups[base] + runtime.supportsKVM = supportsKVM[base] foundPath := false for _, path := range paths { diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go index 009fcf7e8..e06f93b89 100644 --- a/pkg/api/handlers/compat/images_build.go +++ b/pkg/api/handlers/compat/images_build.go @@ -222,9 +222,17 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { // convert label formats var labels = []string{} if _, found := r.URL.Query()["labels"]; found { - if err := json.Unmarshal([]byte(query.Labels), &labels); err != nil { - utils.BadRequest(w, "labels", query.Labels, err) - return + makeLabels := make(map[string]string) + err := json.Unmarshal([]byte(query.Labels), &makeLabels) + if err == nil { + for k, v := range makeLabels { + labels = append(labels, k+"="+v) + } + } else { + if err := json.Unmarshal([]byte(query.Labels), &labels); err != nil { + utils.BadRequest(w, "labels", query.Labels, err) + return + } } } jobs := 1 diff --git a/pkg/api/handlers/compat/version.go b/pkg/api/handlers/compat/version.go index d90a892c1..fae147440 100644 --- a/pkg/api/handlers/compat/version.go +++ b/pkg/api/handlers/compat/version.go @@ -10,6 +10,7 @@ import ( "github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/pkg/api/handlers/utils" "github.com/containers/podman/v3/pkg/domain/entities" + "github.com/containers/podman/v3/version" docker "github.com/docker/docker/api/types" "github.com/pkg/errors" ) @@ -35,20 +36,20 @@ func VersionHandler(w http.ResponseWriter, r *http.Request) { Name: "Podman Engine", Version: versionInfo.Version, Details: map[string]string{ - "APIVersion": utils.APIVersion[utils.LibpodTree][utils.CurrentAPIVersion].String(), + "APIVersion": version.APIVersion[version.Libpod][version.CurrentAPI].String(), "Arch": goRuntime.GOARCH, "BuildTime": time.Unix(versionInfo.Built, 0).Format(time.RFC3339), "Experimental": "true", "GitCommit": versionInfo.GitCommit, "GoVersion": versionInfo.GoVersion, "KernelVersion": infoData.Host.Kernel, - "MinAPIVersion": utils.APIVersion[utils.LibpodTree][utils.MinimalAPIVersion].String(), + "MinAPIVersion": version.APIVersion[version.Libpod][version.MinimalAPI].String(), "Os": goRuntime.GOOS, }, }} - apiVersion := utils.APIVersion[utils.CompatTree][utils.CurrentAPIVersion] - minVersion := utils.APIVersion[utils.CompatTree][utils.MinimalAPIVersion] + apiVersion := version.APIVersion[version.Compat][version.CurrentAPI] + minVersion := version.APIVersion[version.Compat][version.MinimalAPI] utils.WriteResponse(w, http.StatusOK, entities.ComponentVersion{ Version: docker.Version{ diff --git a/pkg/api/handlers/utils/handler.go b/pkg/api/handlers/utils/handler.go index b3c674788..7625f9546 100644 --- a/pkg/api/handlers/utils/handler.go +++ b/pkg/api/handlers/utils/handler.go @@ -10,49 +10,14 @@ import ( "unsafe" "github.com/blang/semver" + "github.com/containers/podman/v3/version" "github.com/gorilla/mux" jsoniter "github.com/json-iterator/go" "github.com/pkg/errors" "github.com/sirupsen/logrus" ) -type ( - // VersionTree determines which API endpoint tree for version - VersionTree int - // VersionLevel determines which API level, current or something from the past - VersionLevel int -) - -const ( - // LibpodTree supports Libpod endpoints - LibpodTree = VersionTree(iota) - // CompatTree supports Libpod endpoints - CompatTree - - // CurrentAPIVersion announces what is the current API level - CurrentAPIVersion = VersionLevel(iota) - // MinimalAPIVersion announces what is the oldest API level supported - MinimalAPIVersion -) - var ( - // See https://docs.docker.com/engine/api/v1.40/ - // libpod compat handlers are expected to honor docker API versions - - // APIVersion provides the current and minimal API versions for compat and libpod endpoint trees - // Note: GET|HEAD /_ping is never versioned and provides the API-Version and Libpod-API-Version headers to allow - // clients to shop for the Version they wish to support - APIVersion = map[VersionTree]map[VersionLevel]semver.Version{ - LibpodTree: { - CurrentAPIVersion: semver.MustParse("3.0.0"), - MinimalAPIVersion: semver.MustParse("3.0.0"), - }, - CompatTree: { - CurrentAPIVersion: semver.MustParse("1.40.0"), - MinimalAPIVersion: semver.MustParse("1.24.0"), - }, - } - // ErrVersionNotGiven returned when version not given by client ErrVersionNotGiven = errors.New("version not given in URL path") // ErrVersionNotSupported returned when given version is too old @@ -98,14 +63,14 @@ func SupportedVersion(r *http.Request, condition string) (semver.Version, error) // SupportedVersionWithDefaults validates that the version provided by client valid is supported by server // minimal API version <= client path version <= maximum API version focused on the endpoint tree from URL func SupportedVersionWithDefaults(r *http.Request) (semver.Version, error) { - tree := CompatTree + tree := version.Compat if IsLibpodRequest(r) { - tree = LibpodTree + tree = version.Libpod } return SupportedVersion(r, - fmt.Sprintf(">=%s <=%s", APIVersion[tree][MinimalAPIVersion].String(), - APIVersion[tree][CurrentAPIVersion].String())) + fmt.Sprintf(">=%s <=%s", version.APIVersion[tree][version.MinimalAPI].String(), + version.APIVersion[tree][version.CurrentAPI].String())) } // WriteResponse encodes the given value as JSON or string and renders it for http client diff --git a/pkg/api/handlers/utils/handler_test.go b/pkg/api/handlers/utils/handler_test.go index d9fd22b80..18a1d2678 100644 --- a/pkg/api/handlers/utils/handler_test.go +++ b/pkg/api/handlers/utils/handler_test.go @@ -7,17 +7,18 @@ import ( "net/http/httptest" "testing" + "github.com/containers/podman/v3/version" "github.com/gorilla/mux" ) func TestSupportedVersion(t *testing.T) { req, err := http.NewRequest("GET", - fmt.Sprintf("/v%s/libpod/testing/versions", APIVersion[LibpodTree][CurrentAPIVersion]), + fmt.Sprintf("/v%s/libpod/testing/versions", version.APIVersion[version.Libpod][version.CurrentAPI]), nil) if err != nil { t.Fatal(err) } - req = mux.SetURLVars(req, map[string]string{"version": APIVersion[LibpodTree][CurrentAPIVersion].String()}) + req = mux.SetURLVars(req, map[string]string{"version": version.APIVersion[version.Libpod][version.CurrentAPI].String()}) rr := httptest.NewRecorder() handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { diff --git a/pkg/api/server/handler_api.go b/pkg/api/server/handler_api.go index e7bf94fc6..28b8706a8 100644 --- a/pkg/api/server/handler_api.go +++ b/pkg/api/server/handler_api.go @@ -8,6 +8,7 @@ import ( "github.com/containers/podman/v3/pkg/api/handlers/utils" "github.com/containers/podman/v3/pkg/auth" + "github.com/containers/podman/v3/version" "github.com/google/uuid" "github.com/sirupsen/logrus" ) @@ -55,10 +56,10 @@ func (s *APIServer) APIHandler(h http.HandlerFunc) http.HandlerFunc { c = context.WithValue(c, "idletracker", s.idleTracker) // nolint r = r.WithContext(c) - cv := utils.APIVersion[utils.CompatTree][utils.CurrentAPIVersion] + cv := version.APIVersion[version.Compat][version.CurrentAPI] w.Header().Set("API-Version", fmt.Sprintf("%d.%d", cv.Major, cv.Minor)) - lv := utils.APIVersion[utils.LibpodTree][utils.CurrentAPIVersion].String() + lv := version.APIVersion[version.Libpod][version.CurrentAPI].String() w.Header().Set("Libpod-API-Version", lv) w.Header().Set("Server", "Libpod/"+lv+" ("+runtime.GOOS+")") @@ -72,5 +73,5 @@ func (s *APIServer) APIHandler(h http.HandlerFunc) http.HandlerFunc { // VersionedPath prepends the version parsing code // any handler may override this default when registering URL(s) func VersionedPath(p string) string { - return "/v{version:[0-9][0-9.]*}" + p + return "/v{version:[0-9][0-9A-Za-z.-]*}" + p } diff --git a/pkg/bindings/bindings.go b/pkg/bindings/bindings.go deleted file mode 100644 index 14f306910..000000000 --- a/pkg/bindings/bindings.go +++ /dev/null @@ -1,26 +0,0 @@ -// Package bindings provides golang-based access -// to the Podman REST API. Users can then interact with API endpoints -// to manage containers, images, pods, etc. -// -// This package exposes a series of methods that allow users to firstly -// create their connection with the API endpoints. Once the connection -// is established, users can then manage the Podman container runtime. -package bindings - -import ( - "github.com/blang/semver" -) - -var ( - // PTrue is a convenience variable that can be used in bindings where - // a pointer to a bool (optional parameter) is required. - pTrue = true - PTrue = &pTrue - // PFalse is a convenience variable that can be used in bindings where - // a pointer to a bool (optional parameter) is required. - pFalse = false - PFalse = &pFalse - - // APIVersion - podman will fail to run if this value is wrong - APIVersion = semver.MustParse("2.0.0") -) diff --git a/pkg/bindings/connection.go b/pkg/bindings/connection.go index ad16498d5..21a8e7a8b 100644 --- a/pkg/bindings/connection.go +++ b/pkg/bindings/connection.go @@ -14,6 +14,7 @@ import ( "github.com/blang/semver" "github.com/containers/podman/v3/pkg/terminal" + "github.com/containers/podman/v3/version" jsoniter "github.com/json-iterator/go" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -25,7 +26,7 @@ var ( BasePath = &url.URL{ Scheme: "http", Host: "d", - Path: "/v" + APIVersion.String() + "/libpod", + Path: "/v" + version.APIVersion[version.Libpod][version.CurrentAPI].String() + "/libpod", } ) @@ -168,15 +169,16 @@ func pingNewConnection(ctx context.Context) error { return err } - switch APIVersion.Compare(versionSrv) { + switch version.APIVersion[version.Libpod][version.MinimalAPI].Compare(versionSrv) { case -1, 0: // Server's job when Client version is equal or older return nil case 1: - return errors.Errorf("server API version is too old. Client %q server %q", APIVersion.String(), versionSrv.String()) + return errors.Errorf("server API version is too old. Client %q server %q", + version.APIVersion[version.Libpod][version.MinimalAPI].String(), versionSrv.String()) } } - return errors.Errorf("ping response was %q", response.StatusCode) + return errors.Errorf("ping response was %d", response.StatusCode) } func sshClient(_url *url.URL, secure bool, passPhrase string, identity string) (Connection, error) { diff --git a/pkg/bindings/test/attach_test.go b/pkg/bindings/test/attach_test.go index 16090e104..fbdf18d44 100644 --- a/pkg/bindings/test/attach_test.go +++ b/pkg/bindings/test/attach_test.go @@ -35,7 +35,7 @@ var _ = Describe("Podman containers attach", func() { It("can run top in container", func() { name := "TopAttachTest" - id, err := bt.RunTopContainer(&name, nil, nil) + id, err := bt.RunTopContainer(&name, nil) Expect(err).ShouldNot(HaveOccurred()) tickTock := time.NewTimer(2 * time.Second) diff --git a/pkg/bindings/test/common_test.go b/pkg/bindings/test/common_test.go index 588f38930..9bac4b620 100644 --- a/pkg/bindings/test/common_test.go +++ b/pkg/bindings/test/common_test.go @@ -188,14 +188,14 @@ func (b *bindingTest) restoreImageFromCache(i testImage) { // Run a container within or without a pod // and add or append the alpine image to it -func (b *bindingTest) RunTopContainer(containerName *string, insidePod *bool, podName *string) (string, error) { +func (b *bindingTest) RunTopContainer(containerName *string, podName *string) (string, error) { s := specgen.NewSpecGenerator(alpine.name, false) s.Terminal = false s.Command = []string{"/usr/bin/top"} if containerName != nil { s.Name = *containerName } - if insidePod != nil && podName != nil { + if podName != nil { s.Pod = *podName } ctr, err := containers.CreateWithSpec(b.conn, s, nil) diff --git a/pkg/bindings/test/containers_test.go b/pkg/bindings/test/containers_test.go index f2ab197ce..b0ddc7862 100644 --- a/pkg/bindings/test/containers_test.go +++ b/pkg/bindings/test/containers_test.go @@ -55,7 +55,7 @@ var _ = Describe("Podman containers ", func() { It("podman pause a running container by name", func() { // Pausing by name should work var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Pause(bt.conn, name, nil) Expect(err).To(BeNil()) @@ -69,7 +69,7 @@ var _ = Describe("Podman containers ", func() { It("podman pause a running container by id", func() { // Pausing by id should work var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Pause(bt.conn, cid, nil) Expect(err).To(BeNil()) @@ -83,7 +83,7 @@ var _ = Describe("Podman containers ", func() { It("podman unpause a running container by name", func() { // Unpausing by name should work var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Pause(bt.conn, name, nil) Expect(err).To(BeNil()) @@ -99,7 +99,7 @@ var _ = Describe("Podman containers ", func() { It("podman unpause a running container by ID", func() { // Unpausing by ID should work var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) // Pause by name err = containers.Pause(bt.conn, name, nil) @@ -118,7 +118,7 @@ var _ = Describe("Podman containers ", func() { It("podman pause a paused container by name", func() { // Pausing a paused container by name should fail var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Pause(bt.conn, name, nil) Expect(err).To(BeNil()) @@ -131,7 +131,7 @@ var _ = Describe("Podman containers ", func() { It("podman pause a paused container by id", func() { // Pausing a paused container by id should fail var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Pause(bt.conn, cid, nil) Expect(err).To(BeNil()) @@ -144,7 +144,7 @@ var _ = Describe("Podman containers ", func() { It("podman pause a stopped container by name", func() { // Pausing a stopped container by name should fail var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Stop(bt.conn, name, nil) Expect(err).To(BeNil()) @@ -157,7 +157,7 @@ var _ = Describe("Podman containers ", func() { It("podman pause a stopped container by id", func() { // Pausing a stopped container by id should fail var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Stop(bt.conn, cid, nil) Expect(err).To(BeNil()) @@ -170,7 +170,7 @@ var _ = Describe("Podman containers ", func() { It("podman remove a paused container by id without force", func() { // Removing a paused container without force should fail var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Pause(bt.conn, cid, nil) Expect(err).To(BeNil()) @@ -183,7 +183,7 @@ var _ = Describe("Podman containers ", func() { It("podman remove a paused container by id with force", func() { // Removing a paused container with force should work var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Pause(bt.conn, cid, nil) Expect(err).To(BeNil()) @@ -194,7 +194,7 @@ var _ = Describe("Podman containers ", func() { It("podman stop a paused container by name", func() { // Stopping a paused container by name should fail var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Pause(bt.conn, name, nil) Expect(err).To(BeNil()) @@ -207,7 +207,7 @@ var _ = Describe("Podman containers ", func() { It("podman stop a paused container by id", func() { // Stopping a paused container by id should fail var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Pause(bt.conn, cid, nil) Expect(err).To(BeNil()) @@ -220,7 +220,7 @@ var _ = Describe("Podman containers ", func() { It("podman stop a running container by name", func() { // Stopping a running container by name should work var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Stop(bt.conn, name, nil) Expect(err).To(BeNil()) @@ -234,7 +234,7 @@ var _ = Describe("Podman containers ", func() { It("podman stop a running container by ID", func() { // Stopping a running container by ID should work var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Stop(bt.conn, cid, nil) Expect(err).To(BeNil()) @@ -256,7 +256,7 @@ var _ = Describe("Podman containers ", func() { Expect(code).To(BeNumerically("==", http.StatusNotFound)) errChan := make(chan error) - _, err = bt.RunTopContainer(&name, nil, nil) + _, err = bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) go func() { exitCode, err = containers.Wait(bt.conn, name, nil) @@ -278,7 +278,7 @@ var _ = Describe("Podman containers ", func() { running = define.ContainerStateRunning ) errChan := make(chan error) - _, err := bt.RunTopContainer(&name, nil, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) go func() { exitCode, err = containers.Wait(bt.conn, name, new(containers.WaitOptions).WithCondition([]define.ContainerStatus{pause})) @@ -317,7 +317,7 @@ var _ = Describe("Podman containers ", func() { // a container that has no healthcheck should be a 409 var name = "top" - bt.RunTopContainer(&name, bindings.PFalse, nil) + bt.RunTopContainer(&name, nil) _, err = containers.RunHealthCheck(bt.conn, name, nil) Expect(err).ToNot(BeNil()) code, _ = bindings.CheckResponseCode(err) @@ -376,7 +376,7 @@ var _ = Describe("Podman containers ", func() { It("podman top", func() { var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) // By name @@ -414,7 +414,7 @@ var _ = Describe("Podman containers ", func() { It("podman container exists in local storage by name", func() { // Container existence check by name should work var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) containerExists, err := containers.Exists(bt.conn, name, nil) Expect(err).To(BeNil()) @@ -424,7 +424,7 @@ var _ = Describe("Podman containers ", func() { It("podman container exists in local storage by ID", func() { // Container existence check by ID should work var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) containerExists, err := containers.Exists(bt.conn, cid, nil) Expect(err).To(BeNil()) @@ -434,7 +434,7 @@ var _ = Describe("Podman containers ", func() { It("podman container exists in local storage by short ID", func() { // Container existence check by short ID should work var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) containerExists, err := containers.Exists(bt.conn, cid[0:12], nil) Expect(err).To(BeNil()) @@ -452,7 +452,7 @@ var _ = Describe("Podman containers ", func() { It("podman kill a running container by name with SIGINT", func() { // Killing a running container should work var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Kill(bt.conn, name, new(containers.KillOptions).WithSignal("SIGINT")) Expect(err).To(BeNil()) @@ -463,7 +463,7 @@ var _ = Describe("Podman containers ", func() { It("podman kill a running container by ID with SIGTERM", func() { // Killing a running container by ID should work var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Kill(bt.conn, cid, new(containers.KillOptions).WithSignal("SIGTERM")) Expect(err).To(BeNil()) @@ -474,7 +474,7 @@ var _ = Describe("Podman containers ", func() { It("podman kill a running container by ID with SIGKILL", func() { // Killing a running container by ID with TERM should work var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Kill(bt.conn, cid, new(containers.KillOptions).WithSignal("SIGKILL")) Expect(err).To(BeNil()) @@ -483,7 +483,7 @@ var _ = Describe("Podman containers ", func() { It("podman kill a running container by bogus signal", func() { //Killing a running container by bogus signal should fail var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Kill(bt.conn, cid, new(containers.KillOptions).WithSignal("foobar")) Expect(err).ToNot(BeNil()) @@ -495,9 +495,9 @@ var _ = Describe("Podman containers ", func() { // Killing latest container should work var name1 = "first" var name2 = "second" - _, err := bt.RunTopContainer(&name1, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name1, nil) Expect(err).To(BeNil()) - _, err = bt.RunTopContainer(&name2, bindings.PFalse, nil) + _, err = bt.RunTopContainer(&name2, nil) Expect(err).To(BeNil()) containerLatestList, err := containers.List(bt.conn, new(containers.ListOptions).WithLast(1)) Expect(err).To(BeNil()) @@ -526,7 +526,7 @@ var _ = Describe("Podman containers ", func() { It("podman prune stopped containers", func() { // Start and stop a container to enter in exited state. var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Stop(bt.conn, name, nil) Expect(err).To(BeNil()) @@ -541,7 +541,7 @@ var _ = Describe("Podman containers ", func() { It("podman prune stopped containers with filters", func() { // Start and stop a container to enter in exited state. var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Stop(bt.conn, name, nil) Expect(err).To(BeNil()) @@ -575,7 +575,7 @@ var _ = Describe("Podman containers ", func() { It("podman prune running containers", func() { // Start the container. var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) // Check if the container is running. @@ -598,7 +598,7 @@ var _ = Describe("Podman containers ", func() { It("podman inspect running container", func() { var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) // Inspecting running container should succeed _, err = containers.Inspect(bt.conn, name, nil) @@ -607,7 +607,7 @@ var _ = Describe("Podman containers ", func() { It("podman inspect stopped container", func() { var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Stop(bt.conn, name, nil) Expect(err).To(BeNil()) @@ -618,7 +618,7 @@ var _ = Describe("Podman containers ", func() { It("podman inspect running container with size", func() { var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) _, err = containers.Inspect(bt.conn, name, new(containers.InspectOptions).WithSize(true)) Expect(err).To(BeNil()) @@ -626,7 +626,7 @@ var _ = Describe("Podman containers ", func() { It("podman inspect stopped container with size", func() { var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Stop(bt.conn, name, nil) Expect(err).To(BeNil()) @@ -643,7 +643,7 @@ var _ = Describe("Podman containers ", func() { It("podman remove running container by name", func() { var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) // Removing running container should fail err = containers.Remove(bt.conn, name, nil) @@ -654,7 +654,7 @@ var _ = Describe("Podman containers ", func() { It("podman remove running container by ID", func() { var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) // Removing running container should fail err = containers.Remove(bt.conn, cid, nil) @@ -665,7 +665,7 @@ var _ = Describe("Podman containers ", func() { It("podman forcibly remove running container by name", func() { var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) // Removing running container should fail err = containers.Remove(bt.conn, name, new(containers.RemoveOptions).WithForce(true)) @@ -676,7 +676,7 @@ var _ = Describe("Podman containers ", func() { It("podman forcibly remove running container by ID", func() { var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) // Removing running container should fail err = containers.Remove(bt.conn, cid, new(containers.RemoveOptions).WithForce(true)) @@ -687,7 +687,7 @@ var _ = Describe("Podman containers ", func() { It("podman remove running container and volume by name", func() { var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) // Removing running container should fail err = containers.Remove(bt.conn, name, new(containers.RemoveOptions).WithVolumes(true)) @@ -698,7 +698,7 @@ var _ = Describe("Podman containers ", func() { It("podman remove running container and volume by ID", func() { var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) // Removing running container should fail err = containers.Remove(bt.conn, cid, new(containers.RemoveOptions).WithVolumes(true)) @@ -709,7 +709,7 @@ var _ = Describe("Podman containers ", func() { It("podman forcibly remove running container and volume by name", func() { var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) // Removing running container should fail err = containers.Remove(bt.conn, name, new(containers.RemoveOptions).WithVolumes(true).WithForce(true)) @@ -720,7 +720,7 @@ var _ = Describe("Podman containers ", func() { It("podman forcibly remove running container and volume by ID", func() { var name = "top" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) // Removing running container should fail err = containers.Remove(bt.conn, cid, new(containers.RemoveOptions).WithForce(true).WithVolumes(true)) @@ -732,9 +732,9 @@ var _ = Describe("Podman containers ", func() { It("List containers with filters", func() { var name = "top" var name2 = "top2" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) - _, err = bt.RunTopContainer(&name2, bindings.PFalse, nil) + _, err = bt.RunTopContainer(&name2, nil) Expect(err).To(BeNil()) s := specgen.NewSpecGenerator(alpine.name, false) s.Terminal = true @@ -753,7 +753,7 @@ var _ = Describe("Podman containers ", func() { podName := "testpod" ctrName := "testctr" bt.Podcreate(&podName) - _, err := bt.RunTopContainer(&ctrName, bindings.PTrue, &podName) + _, err := bt.RunTopContainer(&ctrName, &podName) Expect(err).To(BeNil()) lastNum := 1 diff --git a/pkg/bindings/test/exec_test.go b/pkg/bindings/test/exec_test.go index 7a21be77f..c10452eaf 100644 --- a/pkg/bindings/test/exec_test.go +++ b/pkg/bindings/test/exec_test.go @@ -4,7 +4,6 @@ import ( "time" "github.com/containers/podman/v3/pkg/api/handlers" - "github.com/containers/podman/v3/pkg/bindings" "github.com/containers/podman/v3/pkg/bindings/containers" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" @@ -33,7 +32,7 @@ var _ = Describe("Podman containers exec", func() { It("Podman exec create makes an exec session", func() { name := "testCtr" - cid, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + cid, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) execConfig := new(handlers.ExecCreateConfig) @@ -53,7 +52,7 @@ var _ = Describe("Podman containers exec", func() { It("Podman exec create with bad command fails", func() { name := "testCtr" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) execConfig := new(handlers.ExecCreateConfig) diff --git a/pkg/bindings/test/images_test.go b/pkg/bindings/test/images_test.go index db51d1e68..688bf049f 100644 --- a/pkg/bindings/test/images_test.go +++ b/pkg/bindings/test/images_test.go @@ -101,7 +101,7 @@ var _ = Describe("Podman images", func() { // Start a container with alpine image var top string = "top" - _, err = bt.RunTopContainer(&top, bindings.PFalse, nil) + _, err = bt.RunTopContainer(&top, nil) Expect(err).To(BeNil()) // we should now have a container called "top" running containerResponse, err := containers.Inspect(bt.conn, "top", nil) diff --git a/pkg/bindings/test/info_test.go b/pkg/bindings/test/info_test.go index 3ca4b99b3..f61e8c370 100644 --- a/pkg/bindings/test/info_test.go +++ b/pkg/bindings/test/info_test.go @@ -49,17 +49,17 @@ var _ = Describe("Podman info", func() { _, err := containers.CreateWithSpec(bt.conn, s, nil) Expect(err).To(BeNil()) - idPause, err := bt.RunTopContainer(nil, nil, nil) + idPause, err := bt.RunTopContainer(nil, nil) Expect(err).To(BeNil()) err = containers.Pause(bt.conn, idPause, nil) Expect(err).To(BeNil()) - idStop, err := bt.RunTopContainer(nil, nil, nil) + idStop, err := bt.RunTopContainer(nil, nil) Expect(err).To(BeNil()) err = containers.Stop(bt.conn, idStop, nil) Expect(err).To(BeNil()) - _, err = bt.RunTopContainer(nil, nil, nil) + _, err = bt.RunTopContainer(nil, nil) Expect(err).To(BeNil()) info, err := system.Info(bt.conn, nil) diff --git a/pkg/bindings/test/pods_test.go b/pkg/bindings/test/pods_test.go index 2b4eb05d3..b06ff31a2 100644 --- a/pkg/bindings/test/pods_test.go +++ b/pkg/bindings/test/pods_test.go @@ -63,7 +63,7 @@ var _ = Describe("Podman pods", func() { Expect(err).To(BeNil()) // Adding an alpine container to the existing pod - _, err = bt.RunTopContainer(nil, bindings.PTrue, &newpod) + _, err = bt.RunTopContainer(nil, &newpod) Expect(err).To(BeNil()) podSummary, err = pods.List(bt.conn, nil) // Verify no errors. @@ -93,7 +93,7 @@ var _ = Describe("Podman pods", func() { _, err = pods.Start(bt.conn, newpod, nil) Expect(err).To(BeNil()) - _, err = bt.RunTopContainer(nil, bindings.PTrue, &newpod) + _, err = bt.RunTopContainer(nil, &newpod) Expect(err).To(BeNil()) // Expected err with invalid filter params @@ -179,7 +179,7 @@ var _ = Describe("Podman pods", func() { Expect(code).To(BeNumerically("==", http.StatusNotFound)) // Adding an alpine container to the existing pod - _, err = bt.RunTopContainer(nil, bindings.PTrue, &newpod) + _, err = bt.RunTopContainer(nil, &newpod) Expect(err).To(BeNil()) // Binding needs to be modified to inspect the pod state. diff --git a/pkg/bindings/test/system_test.go b/pkg/bindings/test/system_test.go index a68a8099c..68e9d9301 100644 --- a/pkg/bindings/test/system_test.go +++ b/pkg/bindings/test/system_test.go @@ -4,7 +4,6 @@ import ( "sync" "time" - "github.com/containers/podman/v3/pkg/bindings" "github.com/containers/podman/v3/pkg/bindings/containers" "github.com/containers/podman/v3/pkg/bindings/pods" "github.com/containers/podman/v3/pkg/bindings/system" @@ -41,7 +40,7 @@ var _ = Describe("Podman system", func() { It("podman events", func() { var name = "top" - _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err := bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) filters := make(map[string][]string) @@ -72,7 +71,7 @@ var _ = Describe("Podman system", func() { Expect(err).To(BeNil()) // Start and stop a container to enter in exited state. var name = "top" - _, err = bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err = bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Stop(bt.conn, name, nil) Expect(err).To(BeNil()) @@ -98,14 +97,14 @@ var _ = Describe("Podman system", func() { // Start and stop a container to enter in exited state. var name = "top" - _, err = bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err = bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Stop(bt.conn, name, nil) Expect(err).To(BeNil()) // Start container and leave in running var name2 = "top2" - _, err = bt.RunTopContainer(&name2, bindings.PFalse, nil) + _, err = bt.RunTopContainer(&name2, nil) Expect(err).To(BeNil()) // Adding an unused volume @@ -132,14 +131,14 @@ var _ = Describe("Podman system", func() { // Start and stop a container to enter in exited state. var name = "top" - _, err = bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err = bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Stop(bt.conn, name, nil) Expect(err).To(BeNil()) // Start second container and leave in running var name2 = "top2" - _, err = bt.RunTopContainer(&name2, bindings.PFalse, nil) + _, err = bt.RunTopContainer(&name2, nil) Expect(err).To(BeNil()) // Adding an unused volume should work @@ -167,14 +166,14 @@ var _ = Describe("Podman system", func() { // Start and stop a container to enter in exited state. var name = "top" - _, err = bt.RunTopContainer(&name, bindings.PFalse, nil) + _, err = bt.RunTopContainer(&name, nil) Expect(err).To(BeNil()) err = containers.Stop(bt.conn, name, nil) Expect(err).To(BeNil()) // Start second container and leave in running var name2 = "top2" - _, err = bt.RunTopContainer(&name2, bindings.PFalse, nil) + _, err = bt.RunTopContainer(&name2, nil) Expect(err).To(BeNil()) // Adding an unused volume should work diff --git a/pkg/copy/fileinfo.go b/pkg/copy/fileinfo.go index b95bcd90c..fb711311c 100644 --- a/pkg/copy/fileinfo.go +++ b/pkg/copy/fileinfo.go @@ -7,8 +7,8 @@ import ( "os" "path/filepath" "strings" - "time" + "github.com/containers/podman/v3/libpod/define" "github.com/pkg/errors" ) @@ -22,14 +22,7 @@ var ErrENOENT = errors.New("No such file or directory") // FileInfo describes a file or directory and is returned by // (*CopyItem).Stat(). -type FileInfo struct { - Name string `json:"name"` - Size int64 `json:"size"` - Mode os.FileMode `json:"mode"` - ModTime time.Time `json:"mtime"` - IsDir bool `json:"isDir"` - LinkTarget string `json:"linkTarget"` -} +type FileInfo = define.FileInfo // EncodeFileInfo serializes the specified FileInfo as a base64 encoded JSON // payload. Intended for Docker compat. diff --git a/pkg/domain/entities/containers.go b/pkg/domain/entities/containers.go index ac965834a..7d074f89d 100644 --- a/pkg/domain/entities/containers.go +++ b/pkg/domain/entities/containers.go @@ -8,7 +8,6 @@ import ( "github.com/containers/image/v5/types" "github.com/containers/podman/v3/libpod/define" - "github.com/containers/podman/v3/pkg/copy" "github.com/containers/podman/v3/pkg/specgen" "github.com/cri-o/ocicni/pkg/ocicni" ) @@ -145,7 +144,7 @@ type ContainerInspectReport struct { } type ContainerStatReport struct { - copy.FileInfo + define.FileInfo } type CommitOptions struct { diff --git a/pkg/domain/infra/abi/archive.go b/pkg/domain/infra/abi/archive.go index 528771ee7..2ea63aa5e 100644 --- a/pkg/domain/infra/abi/archive.go +++ b/pkg/domain/infra/abi/archive.go @@ -3,72 +3,16 @@ package abi import ( "context" "io" - "path/filepath" - "strings" - buildahCopiah "github.com/containers/buildah/copier" - "github.com/containers/buildah/pkg/chrootuser" - "github.com/containers/buildah/util" - "github.com/containers/podman/v3/libpod" "github.com/containers/podman/v3/pkg/domain/entities" - "github.com/containers/storage" - "github.com/containers/storage/pkg/archive" - "github.com/containers/storage/pkg/idtools" - "github.com/opencontainers/runtime-spec/specs-go" - "github.com/pkg/errors" - "github.com/sirupsen/logrus" ) -// NOTE: Only the parent directory of the container path must exist. The path -// itself may be created while copying. func (ic *ContainerEngine) ContainerCopyFromArchive(ctx context.Context, nameOrID string, containerPath string, reader io.Reader) (entities.ContainerCopyFunc, error) { container, err := ic.Libpod.LookupContainer(nameOrID) if err != nil { return nil, err } - - containerMountPoint, err := container.Mount() - if err != nil { - return nil, err - } - - unmount := func() { - if err := container.Unmount(false); err != nil { - logrus.Errorf("Error unmounting container: %v", err) - } - } - - _, resolvedRoot, resolvedContainerPath, err := ic.containerStat(container, containerMountPoint, containerPath) - if err != nil { - unmount() - return nil, err - } - - decompressed, err := archive.DecompressStream(reader) - if err != nil { - unmount() - return nil, err - } - - idMappings, idPair, err := getIDMappingsAndPair(container, resolvedRoot) - if err != nil { - unmount() - return nil, err - } - - logrus.Debugf("Container copy *to* %q (resolved: %q) on container %q (ID: %s)", containerPath, resolvedContainerPath, container.Name(), container.ID()) - - return func() error { - defer unmount() - defer decompressed.Close() - putOptions := buildahCopiah.PutOptions{ - UIDMap: idMappings.UIDMap, - GIDMap: idMappings.GIDMap, - ChownDirs: idPair, - ChownFiles: idPair, - } - return buildahCopiah.Put(resolvedRoot, resolvedContainerPath, putOptions, decompressed) - }, nil + return container.CopyFromArchive(ctx, containerPath, reader) } func (ic *ContainerEngine) ContainerCopyToArchive(ctx context.Context, nameOrID string, containerPath string, writer io.Writer) (entities.ContainerCopyFunc, error) { @@ -76,108 +20,5 @@ func (ic *ContainerEngine) ContainerCopyToArchive(ctx context.Context, nameOrID if err != nil { return nil, err } - - containerMountPoint, err := container.Mount() - if err != nil { - return nil, err - } - - unmount := func() { - if err := container.Unmount(false); err != nil { - logrus.Errorf("Error unmounting container: %v", err) - } - } - - // Make sure that "/" copies the *contents* of the mount point and not - // the directory. - if containerPath == "/" { - containerPath = "/." - } - - statInfo, resolvedRoot, resolvedContainerPath, err := ic.containerStat(container, containerMountPoint, containerPath) - if err != nil { - unmount() - return nil, err - } - - idMappings, idPair, err := getIDMappingsAndPair(container, resolvedRoot) - if err != nil { - unmount() - return nil, err - } - - logrus.Debugf("Container copy *from* %q (resolved: %q) on container %q (ID: %s)", containerPath, resolvedContainerPath, container.Name(), container.ID()) - - return func() error { - defer container.Unmount(false) - getOptions := buildahCopiah.GetOptions{ - // Unless the specified points to ".", we want to copy the base directory. - KeepDirectoryNames: statInfo.IsDir && filepath.Base(containerPath) != ".", - UIDMap: idMappings.UIDMap, - GIDMap: idMappings.GIDMap, - ChownDirs: idPair, - ChownFiles: idPair, - } - return buildahCopiah.Get(resolvedRoot, "", getOptions, []string{resolvedContainerPath}, writer) - }, nil -} - -// getIDMappingsAndPair returns the ID mappings for the container and the host -// ID pair. -func getIDMappingsAndPair(container *libpod.Container, containerMount string) (*storage.IDMappingOptions, *idtools.IDPair, error) { - user, err := getContainerUser(container, containerMount) - if err != nil { - return nil, nil, err - } - - idMappingOpts, err := container.IDMappings() - if err != nil { - return nil, nil, err - } - - hostUID, hostGID, err := util.GetHostIDs(idtoolsToRuntimeSpec(idMappingOpts.UIDMap), idtoolsToRuntimeSpec(idMappingOpts.GIDMap), user.UID, user.GID) - if err != nil { - return nil, nil, err - } - - idPair := idtools.IDPair{UID: int(hostUID), GID: int(hostGID)} - return &idMappingOpts, &idPair, nil -} - -// getContainerUser returns the specs.User of the container. -func getContainerUser(container *libpod.Container, mountPoint string) (specs.User, error) { - userspec := container.Config().User - - uid, gid, _, err := chrootuser.GetUser(mountPoint, userspec) - u := specs.User{ - UID: uid, - GID: gid, - Username: userspec, - } - - if !strings.Contains(userspec, ":") { - groups, err2 := chrootuser.GetAdditionalGroupsForUser(mountPoint, uint64(u.UID)) - if err2 != nil { - if errors.Cause(err2) != chrootuser.ErrNoSuchUser && err == nil { - err = err2 - } - } else { - u.AdditionalGids = groups - } - } - - return u, err -} - -// idtoolsToRuntimeSpec converts idtools ID mapping to the one of the runtime spec. -func idtoolsToRuntimeSpec(idMaps []idtools.IDMap) (convertedIDMap []specs.LinuxIDMapping) { - for _, idmap := range idMaps { - tempIDMap := specs.LinuxIDMapping{ - ContainerID: uint32(idmap.ContainerID), - HostID: uint32(idmap.HostID), - Size: uint32(idmap.Size), - } - convertedIDMap = append(convertedIDMap, tempIDMap) - } - return convertedIDMap + return container.CopyToArchive(ctx, containerPath, writer) } diff --git a/pkg/domain/infra/abi/containers_stat.go b/pkg/domain/infra/abi/containers_stat.go index 1baeb9178..98a23c70b 100644 --- a/pkg/domain/infra/abi/containers_stat.go +++ b/pkg/domain/infra/abi/containers_stat.go @@ -2,139 +2,20 @@ package abi import ( "context" - "os" - "path/filepath" - "strings" - buildahCopiah "github.com/containers/buildah/copier" - "github.com/containers/podman/v3/libpod" - "github.com/containers/podman/v3/pkg/copy" "github.com/containers/podman/v3/pkg/domain/entities" - "github.com/pkg/errors" - "github.com/sirupsen/logrus" ) -func (ic *ContainerEngine) containerStat(container *libpod.Container, containerMountPoint string, containerPath string) (*entities.ContainerStatReport, string, string, error) { - // Make sure that "/" copies the *contents* of the mount point and not - // the directory. - if containerPath == "/" { - containerPath += "/." - } - - // Now resolve the container's path. It may hit a volume, it may hit a - // bind mount, it may be relative. - resolvedRoot, resolvedContainerPath, err := container.ResolvePath(context.Background(), containerMountPoint, containerPath) - if err != nil { - return nil, "", "", err - } - - statInfo, statInfoErr := secureStat(resolvedRoot, resolvedContainerPath) - if statInfoErr != nil { - // Not all errors from secureStat map to ErrNotExist, so we - // have to look into the error string. Turning it into an - // ENOENT let's the API handlers return the correct status code - // which is crucial for the remote client. - if os.IsNotExist(err) || strings.Contains(statInfoErr.Error(), "o such file or directory") { - statInfoErr = copy.ErrENOENT - } - // If statInfo is nil, there's nothing we can do anymore. A - // non-nil statInfo may indicate a symlink where we must have - // a closer look. - if statInfo == nil { - return nil, "", "", statInfoErr - } - } - - // Now make sure that the info's LinkTarget is relative to the - // container's mount. - var absContainerPath string - - if statInfo.IsSymlink { - // Evaluated symlinks are always relative to the container's mount point. - absContainerPath = statInfo.ImmediateTarget - } else if strings.HasPrefix(resolvedContainerPath, containerMountPoint) { - // If the path is on the container's mount point, strip it off. - absContainerPath = strings.TrimPrefix(resolvedContainerPath, containerMountPoint) - absContainerPath = filepath.Join("/", absContainerPath) - } else { - // No symlink and not on the container's mount point, so let's - // move it back to the original input. It must have evaluated - // to a volume or bind mount but we cannot return host paths. - absContainerPath = containerPath - } - - // Now we need to make sure to preserve the base path as specified by - // the user. The `filepath` packages likes to remove trailing slashes - // and dots that are crucial to the copy logic. - absContainerPath = copy.PreserveBasePath(containerPath, absContainerPath) - resolvedContainerPath = copy.PreserveBasePath(containerPath, resolvedContainerPath) - - info := copy.FileInfo{ - IsDir: statInfo.IsDir, - Name: filepath.Base(absContainerPath), - Size: statInfo.Size, - Mode: statInfo.Mode, - ModTime: statInfo.ModTime, - LinkTarget: absContainerPath, - } - - return &entities.ContainerStatReport{FileInfo: info}, resolvedRoot, resolvedContainerPath, statInfoErr -} - func (ic *ContainerEngine) ContainerStat(ctx context.Context, nameOrID string, containerPath string) (*entities.ContainerStatReport, error) { container, err := ic.Libpod.LookupContainer(nameOrID) if err != nil { return nil, err } - containerMountPoint, err := container.Mount() - if err != nil { - return nil, err - } - - defer func() { - if err := container.Unmount(false); err != nil { - logrus.Errorf("Error unmounting container: %v", err) - } - }() - - statReport, _, _, err := ic.containerStat(container, containerMountPoint, containerPath) - return statReport, err -} - -// secureStat extracts file info for path in a chroot'ed environment in root. -func secureStat(root string, path string) (*buildahCopiah.StatForItem, error) { - var glob string - var err error - - // If root and path are equal, then dir must be empty and the glob must - // be ".". - if filepath.Clean(root) == filepath.Clean(path) { - glob = "." - } else { - glob, err = filepath.Rel(root, path) - if err != nil { - return nil, err - } - } - - globStats, err := buildahCopiah.Stat(root, "", buildahCopiah.StatOptions{}, []string{glob}) - if err != nil { - return nil, err - } - - if len(globStats) != 1 { - return nil, errors.Errorf("internal error: secureStat: expected 1 item but got %d", len(globStats)) - } - - stat, exists := globStats[0].Results[glob] // only one glob passed, so that's okay - if !exists { - return nil, copy.ErrENOENT - } + info, err := container.Stat(ctx, containerPath) - var statErr error - if stat.Error != "" { - statErr = errors.New(stat.Error) + if info != nil { + return &entities.ContainerStatReport{FileInfo: *info}, err } - return stat, statErr + return nil, err } diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go index 562653403..ffd4856fe 100644 --- a/pkg/domain/infra/abi/images.go +++ b/pkg/domain/infra/abi/images.go @@ -583,8 +583,9 @@ func (ir *ImageEngine) Remove(ctx context.Context, images []string, opts entitie report.Deleted = append(report.Deleted, results.Deleted) report.Untagged = append(report.Untagged, results.Untagged...) return nil - case storage.ErrImageUnknown: - // The image must have been removed already (see #6510). + case storage.ErrImageUnknown, storage.ErrLayerUnknown: + // The image must have been removed already (see #6510) + // or the storage is corrupted (see #9617). report.Deleted = append(report.Deleted, img.ID()) report.Untagged = append(report.Untagged, img.ID()) return nil diff --git a/test/apiv2/01-basic.at b/test/apiv2/01-basic.at index 1ddf49c6f..1357e0ca6 100644 --- a/test/apiv2/01-basic.at +++ b/test/apiv2/01-basic.at @@ -18,7 +18,7 @@ t HEAD libpod/_ping 200 for i in /version version; do t GET $i 200 \ .Components[0].Name="Podman Engine" \ - .Components[0].Details.APIVersion=3.0.0 \ + .Components[0].Details.APIVersion=3.1.0-dev \ .Components[0].Details.MinAPIVersion=3.0.0 \ .Components[0].Details.Os=linux \ .ApiVersion=1.40 \ diff --git a/test/apiv2/20-containers.at b/test/apiv2/20-containers.at index 18364a47d..f73d03123 100644 --- a/test/apiv2/20-containers.at +++ b/test/apiv2/20-containers.at @@ -263,3 +263,12 @@ t GET containers/json 200 \ .[0].Ports[0].Type="tcp" podman stop bar + +# Test CPU limit (NanoCPUs) +t POST containers/create '"Image":"'$IMAGE'","HostConfig":{"NanoCpus":500000}' 201 \ + .Id~[0-9a-f]\\{64\\} +cid=$(jq -r '.Id' <<<"$output") +t GET containers/$cid/json 200 \ + .HostConfig.NanoCpus=500000 + +t DELETE containers/$cid?v=true 204 diff --git a/test/apiv2/44-mounts.at b/test/apiv2/44-mounts.at index fe202576d..5dc560852 100644 --- a/test/apiv2/44-mounts.at +++ b/test/apiv2/44-mounts.at @@ -4,7 +4,7 @@ podman pull $IMAGE &>/dev/null # Test various HostConfig options tmpfs_name="/mytmpfs" -t POST containers/create?name=hostconfig_test '"Image":"'$IMAGE'","Cmd":["df"],"HostConfig":{"TmpFs":{"'$tmpfs_name'":"rw"}}' 201 \ +t POST containers/create?name=hostconfig_test '"Image":"'$IMAGE'","Cmd":["df"],"HostConfig":{"Binds":["/tmp/doesnotexist:/test1"],"TmpFs":{"'$tmpfs_name'":"rw"}}' 201 \ .Id~[0-9a-f]\\{64\\} cid=$(jq -r '.Id' <<<"$output") diff --git a/test/e2e/cp_test.go b/test/e2e/cp_test.go index c0fb3f887..c0fb61544 100644 --- a/test/e2e/cp_test.go +++ b/test/e2e/cp_test.go @@ -212,6 +212,7 @@ var _ = Describe("Podman cp", func() { // Copy the root dir "/" of a container to the host. It("podman cp the root directory from the ctr to an existing directory on the host ", func() { + SkipIfRootless("cannot copy tty devices in rootless mode") container := "copyroottohost" session := podmanTest.RunTopContainer(container) session.WaitWithDefaultTimeout() diff --git a/test/e2e/network_connect_disconnect_test.go b/test/e2e/network_connect_disconnect_test.go index eb8ad7181..e9a7b421f 100644 --- a/test/e2e/network_connect_disconnect_test.go +++ b/test/e2e/network_connect_disconnect_test.go @@ -193,6 +193,13 @@ var _ = Describe("Podman network connect and disconnect", func() { exec = podmanTest.Podman([]string{"exec", "-it", "test", "ip", "addr", "show", "eth1"}) exec.WaitWithDefaultTimeout() Expect(exec.ExitCode()).To(BeZero()) + + // make sure no logrus errors are shown https://github.com/containers/podman/issues/9602 + rm := podmanTest.Podman([]string{"rm", "-f", "test"}) + rm.WaitWithDefaultTimeout() + Expect(rm.ExitCode()).To(BeZero()) + Expect(rm.ErrorToString()).To(Equal("")) + }) It("podman network connect when not running", func() { diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go index 8c712b1be..6abe152a9 100644 --- a/test/e2e/run_selinux_test.go +++ b/test/e2e/run_selinux_test.go @@ -2,6 +2,7 @@ package integration import ( "os" + "path/filepath" . "github.com/containers/podman/v3/test/utils" . "github.com/onsi/ginkgo" @@ -294,4 +295,52 @@ var _ = Describe("Podman run", func() { Expect(session.ExitCode()).To(Equal(0)) Expect(session.OutputToString()).To(ContainSubstring("container_t")) }) + + It("podman test --ipc=net", func() { + session := podmanTest.Podman([]string{"run", "--net=host", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("container_t")) + }) + + It("podman test --ipc=net", func() { + session := podmanTest.Podman([]string{"run", "--net=host", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("container_t")) + }) + + It("podman test --runtime=/PATHTO/kata-runtime", func() { + runtime := podmanTest.OCIRuntime + podmanTest.OCIRuntime = filepath.Join(podmanTest.TempDir, "kata-runtime") + err := os.Symlink("/bin/true", podmanTest.OCIRuntime) + Expect(err).To(BeNil()) + if IsRemote() { + podmanTest.StopRemoteService() + podmanTest.StartRemoteService() + } + session := podmanTest.Podman([]string{"create", ALPINE}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + cid := session.OutputToString() + session = podmanTest.Podman([]string{"inspect", "--format", "{{ .ProcessLabel }}", cid}) + session.WaitWithDefaultTimeout() + Expect(session.OutputToString()).To(ContainSubstring("container_kvm_t")) + + podmanTest.OCIRuntime = runtime + if IsRemote() { + podmanTest.StopRemoteService() + podmanTest.StartRemoteService() + } + }) + + It("podman test init labels", func() { + session := podmanTest.Podman([]string{"create", ubi_init, "/sbin/init"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + cid := session.OutputToString() + session = podmanTest.Podman([]string{"inspect", "--format", "{{ .ProcessLabel }}", cid}) + session.WaitWithDefaultTimeout() + Expect(session.OutputToString()).To(ContainSubstring("container_init_t")) + }) }) diff --git a/test/python/docker/build_labels/Dockerfile b/test/python/docker/build_labels/Dockerfile new file mode 100644 index 000000000..f6e07066c --- /dev/null +++ b/test/python/docker/build_labels/Dockerfile @@ -0,0 +1 @@ +FROM quay.io/libpod/alpine:latest diff --git a/test/python/docker/compat/test_images.py b/test/python/docker/compat/test_images.py index 842e38f31..4a90069a9 100644 --- a/test/python/docker/compat/test_images.py +++ b/test/python/docker/compat/test_images.py @@ -149,6 +149,14 @@ class TestImages(unittest.TestCase): self.assertEqual(len(self.client.images.list()), 2) + def test_build_image(self): + labels = {"apple": "red", "grape": "green"} + _ = self.client.images.build(path="test/python/docker/build_labels", labels=labels, tag="labels") + image = self.client.images.get("labels") + self.assertEqual(image.labels["apple"], labels["apple"]) + self.assertEqual(image.labels["grape"], labels["grape"]) + + if __name__ == "__main__": # Setup temporary space diff --git a/test/system/065-cp.bats b/test/system/065-cp.bats index 312106b36..88ed983d8 100644 --- a/test/system/065-cp.bats +++ b/test/system/065-cp.bats @@ -15,6 +15,7 @@ load helpers random-1-$(random_string 15) random-2-$(random_string 20) ) + echo "${randomcontent[0]}" > $srcdir/hostfile0 echo "${randomcontent[1]}" > $srcdir/hostfile1 echo "${randomcontent[2]}" > $srcdir/hostfile2 @@ -24,6 +25,10 @@ load helpers run_podman run -d --name cpcontainer --workdir=/srv $IMAGE sleep infinity run_podman exec cpcontainer mkdir /srv/subdir + # Commit the image for testing non-running containers + run_podman commit -q cpcontainer + cpimage="$output" + # format is: <id> | <destination arg to cp> | <full dest path> | <test name> # where: # id is 0-2, one of the random strings/files @@ -44,8 +49,7 @@ load helpers 0 | subdir | /srv/subdir/hostfile0 | copy to workdir/subdir " - # Copy one of the files into container, exec+cat, confirm the file - # is there and matches what we expect + # RUNNING container while read id dest dest_fullname description; do run_podman cp $srcdir/hostfile$id cpcontainer:$dest run_podman exec cpcontainer cat $dest_fullname @@ -67,6 +71,44 @@ load helpers is "$output" 'Error: "/IdoNotExist/" could not be found on container cpcontainer: No such file or directory' \ "copy into nonexistent path in container" + run_podman kill cpcontainer + run_podman rm -f cpcontainer + + # CREATED container + while read id dest dest_fullname description; do + run_podman create --name cpcontainer --workdir=/srv $cpimage sleep infinity + run_podman cp $srcdir/hostfile$id cpcontainer:$dest + run_podman start cpcontainer + run_podman exec cpcontainer cat $dest_fullname + is "$output" "${randomcontent[$id]}" "$description (cp -> ctr:$dest)" + run_podman kill cpcontainer + run_podman rm -f cpcontainer + done < <(parse_table "$tests") + + run_podman rmi -f $cpimage +} + +@test "podman cp file from host to container tmpfs mount" { + srcdir=$PODMAN_TMPDIR/cp-test-file-host-to-ctr + mkdir -p $srcdir + content=tmpfile-content$(random_string 20) + echo $content > $srcdir/file + + # RUNNING container + run_podman run -d --mount type=tmpfs,dst=/tmp --name cpcontainer $IMAGE sleep infinity + run_podman cp $srcdir/file cpcontainer:/tmp + run_podman exec cpcontainer cat /tmp/file + is "$output" "${content}" "cp to running container's tmpfs" + run_podman kill cpcontainer + run_podman rm -f cpcontainer + + # CREATED container (with copy up) + run_podman create --mount type=tmpfs,dst=/tmp --name cpcontainer $IMAGE sleep infinity + run_podman cp $srcdir/file cpcontainer:/tmp + run_podman start cpcontainer + run_podman exec cpcontainer cat /tmp/file + is "$output" "${content}" "cp to created container's tmpfs" + run_podman kill cpcontainer run_podman rm -f cpcontainer } @@ -87,6 +129,10 @@ load helpers run_podman exec cpcontainer sh -c "echo ${randomcontent[1]} > /srv/containerfile1" run_podman exec cpcontainer sh -c "mkdir /srv/subdir; echo ${randomcontent[2]} > /srv/subdir/containerfile2" + # Commit the image for testing non-running containers + run_podman commit -q cpcontainer + cpimage="$output" + # format is: <id> | <source arg to cp> | <destination arg (appended to $srcdir) to cp> | <full dest path (appended to $srcdir)> | <test name> tests=" 0 | /tmp/containerfile | | /containerfile | copy to srcdir/ @@ -98,20 +144,33 @@ load helpers 2 | subdir/containerfile2 | / | /containerfile2 | copy from workdir/subdir (rel path) to srcdir " - # Copy one of the files to the host, cat, confirm the file - # is there and matches what we expect + # RUNNING container while read id src dest dest_fullname description; do # dest may be "''" for empty table cells if [[ $dest == "''" ]];then unset dest fi run_podman cp cpcontainer:$src "$srcdir$dest" - run cat $srcdir$dest_fullname - is "$output" "${randomcontent[$id]}" "$description (cp ctr:$src to \$srcdir$dest)" - rm $srcdir/$dest_fullname + is "$(< $srcdir$dest_fullname)" "${randomcontent[$id]}" "$description (cp ctr:$src to \$srcdir$dest)" + rm $srcdir$dest_fullname done < <(parse_table "$tests") + run_podman kill cpcontainer + run_podman rm -f cpcontainer + # Created container + run_podman create --name cpcontainer --workdir=/srv $cpimage + while read id src dest dest_fullname description; do + # dest may be "''" for empty table cells + if [[ $dest == "''" ]];then + unset dest + fi + run_podman cp cpcontainer:$src "$srcdir$dest" + is "$(< $srcdir$dest_fullname)" "${randomcontent[$id]}" "$description (cp ctr:$src to \$srcdir$dest)" + rm $srcdir$dest_fullname + done < <(parse_table "$tests") run_podman rm -f cpcontainer + + run_podman rmi -f $cpimage } @@ -134,6 +193,10 @@ load helpers run_podman run -d --name cpcontainer --workdir=/srv $IMAGE sleep infinity run_podman exec cpcontainer mkdir /srv/subdir + # Commit the image for testing non-running containers + run_podman commit -q cpcontainer + cpimage="$output" + # format is: <source arg to cp (appended to srcdir)> | <destination arg to cp> | <full dest path> | <test name> tests=" | / | /dir-test | copy to root @@ -141,9 +204,10 @@ load helpers / | /tmp | /tmp/dir-test | copy to tmp /. | /usr/ | /usr/ | copy contents of dir to usr/ | . | /srv/dir-test | copy to workdir (rel path) - | subdir/. | /srv/subdir/dir-test | copy to workdir subdir (rel path) + | subdir/. | /srv/subdir/dir-test | copy to workdir subdir (rel path) " + # RUNNING container while read src dest dest_fullname description; do # src may be "''" for empty table cells if [[ $src == "''" ]];then @@ -156,52 +220,97 @@ load helpers run_podman exec cpcontainer cat $dest_fullname/hostfile1 is "$output" "${randomcontent[1]}" "$description (cp -> ctr:$dest)" done < <(parse_table "$tests") - + run_podman kill cpcontainer run_podman rm -f cpcontainer + + # CREATED container + while read src dest dest_fullname description; do + # src may be "''" for empty table cells + if [[ $src == "''" ]];then + unset src + fi + run_podman create --name cpcontainer --workdir=/srv $cpimage sleep infinity + run_podman cp $srcdir$src cpcontainer:$dest + run_podman start cpcontainer + run_podman exec cpcontainer cat $dest_fullname/hostfile0 $dest_fullname/hostfile1 + is "${lines[0]}" "${randomcontent[0]}" "$description (cp -> ctr:$dest)" + is "${lines[1]}" "${randomcontent[1]}" "$description (cp -> ctr:$dest)" + run_podman kill cpcontainer + run_podman rm -f cpcontainer + done < <(parse_table "$tests") + + run_podman rmi -f $cpimage } @test "podman cp dir from container to host" { - srcdir=$PODMAN_TMPDIR/dir-test - mkdir -p $srcdir + destdir=$PODMAN_TMPDIR/cp-test-dir-ctr-to-host + mkdir -p $destdir + # Create 2 files with random content in the container. + local -a randomcontent=( + random-0-$(random_string 10) + random-1-$(random_string 15) + ) run_podman run -d --name cpcontainer --workdir=/srv $IMAGE sleep infinity - run_podman exec cpcontainer sh -c 'mkdir /srv/subdir; echo "This first file is on the container" > /srv/subdir/containerfile1' - run_podman exec cpcontainer sh -c 'echo "This second file is on the container as well" > /srv/subdir/containerfile2' + run_podman exec cpcontainer sh -c "mkdir /srv/subdir; echo ${randomcontent[0]} > /srv/subdir/containerfile0" + run_podman exec cpcontainer sh -c "echo ${randomcontent[1]} > /srv/subdir/containerfile1" # "." and "dir/." will copy the contents, so make sure that a dir ending # with dot is treated correctly. run_podman exec cpcontainer sh -c 'mkdir /tmp/subdir.; cp /srv/subdir/* /tmp/subdir./' - run_podman cp cpcontainer:/srv $srcdir - run cat $srcdir/srv/subdir/containerfile1 - is "$output" "This first file is on the container" - run cat $srcdir/srv/subdir/containerfile2 - is "$output" "This second file is on the container as well" - rm -rf $srcdir/srv/subdir - - run_podman cp cpcontainer:/srv/. $srcdir - run ls $srcdir/subdir - run cat $srcdir/subdir/containerfile1 - is "$output" "This first file is on the container" - run cat $srcdir/subdir/containerfile2 - is "$output" "This second file is on the container as well" - rm -rf $srcdir/subdir - - run_podman cp cpcontainer:/srv/subdir/. $srcdir - run cat $srcdir/containerfile1 - is "$output" "This first file is on the container" - run cat $srcdir/containerfile2 - is "$output" "This second file is on the container as well" - rm -rf $srcdir/subdir - - run_podman cp cpcontainer:/tmp/subdir. $srcdir - run cat $srcdir/subdir./containerfile1 - is "$output" "This first file is on the container" - run cat $srcdir/subdir./containerfile2 - is "$output" "This second file is on the container as well" - rm -rf $srcdir/subdir. + # Commit the image for testing non-running containers + run_podman commit -q cpcontainer + cpimage="$output" + + # format is: <source arg to cp (appended to /srv)> | <full dest path> | <test name> + tests=" + /srv | /srv/subdir | copy /srv + /srv/ | /srv/subdir | copy /srv/ + /srv/. | /subdir | copy /srv/. + /srv/subdir/. | | copy /srv/subdir/. + /tmp/subdir. | /subdir. | copy /tmp/subdir. +" + + # RUNNING container + while read src dest_fullname description; do + if [[ $src == "''" ]];then + unset src + fi + if [[ $dest == "''" ]];then + unset dest + fi + if [[ $dest_fullname == "''" ]];then + unset dest_fullname + fi + run_podman cp cpcontainer:$src $destdir + is "$(< $destdir$dest_fullname/containerfile0)" "${randomcontent[0]}" "$description" + is "$(< $destdir$dest_fullname/containerfile1)" "${randomcontent[1]}" "$description" + rm -rf $destdir/* + done < <(parse_table "$tests") + run_podman kill cpcontainer + run_podman rm -f cpcontainer + # CREATED container + run_podman create --name cpcontainer --workdir=/srv $cpimage + while read src dest_fullname description; do + if [[ $src == "''" ]];then + unset src + fi + if [[ $dest == "''" ]];then + unset dest + fi + if [[ $dest_fullname == "''" ]];then + unset dest_fullname + fi + run_podman cp cpcontainer:$src $destdir + is "$(< $destdir$dest_fullname/containerfile0)" "${randomcontent[0]}" "$description" + is "$(< $destdir$dest_fullname/containerfile1)" "${randomcontent[1]}" "$description" + rm -rf $destdir/* + done < <(parse_table "$tests") run_podman rm -f cpcontainer + + run_podman rmi -f $cpimage } @@ -228,9 +337,7 @@ load helpers run_podman create --name cpcontainer -v $volume1:/tmp/volume -v $volume2:/tmp/volume/sub-volume $IMAGE run_podman cp $srcdir/hostfile cpcontainer:/tmp/volume/sub-volume - - run cat $volume2_mount/hostfile - is "$output" "This file should be in volume2" + is "$(< $volume2_mount/hostfile)" "This file should be in volume2" # Volume 1 must be empty. run ls $volume1_mount @@ -254,9 +361,7 @@ load helpers run_podman create --name cpcontainer -v $volume:/tmp/volume -v $mountdir:/tmp/volume/mount $IMAGE run_podman cp $srcdir/hostfile cpcontainer:/tmp/volume/mount - - run cat $mountdir/hostfile - is "$output" "This file should be in the mount" + is "$(< $mountdir/hostfile)" "This file should be in the mount" run_podman rm -f cpcontainer run_podman volume rm $volume @@ -284,7 +389,7 @@ load helpers # cp no longer supports wildcarding run_podman 125 cp 'cpcontainer:/tmp/*' $dstdir - run_podman rm cpcontainer + run_podman rm -f cpcontainer } @@ -308,7 +413,7 @@ load helpers # make sure there are no files in dstdir is "$(/bin/ls -1 $dstdir)" "" "incorrectly copied symlink from host" - run_podman rm cpcontainer + run_podman rm -f cpcontainer } @@ -332,7 +437,7 @@ load helpers # make sure there are no files in dstdir is "$(/bin/ls -1 $dstdir)" "" "incorrectly copied symlink from host" - run_podman rm cpcontainer + run_podman rm -f cpcontainer } @@ -352,7 +457,7 @@ load helpers # dstdir must be empty is "$(/bin/ls -1 $dstdir)" "" "incorrectly copied symlink from host" - run_podman rm cpcontainer + run_podman rm -f cpcontainer } @@ -409,6 +514,7 @@ load helpers run_podman exec cpcontainer cat /tmp/d3/x is "$output" "$rand_content3" "cp creates file named x" + run_podman kill cpcontainer run_podman rm -f cpcontainer } @@ -446,6 +552,7 @@ load helpers run_podman exec cpcontainer cat $graphroot/$rand_filename is "$output" "$rand_content" "Contents of file copied into container" + run_podman kill cpcontainer run_podman rm -f cpcontainer } @@ -494,6 +601,7 @@ load helpers run_podman 125 cp - cpcontainer:/tmp/IdoNotExist < $tar_file is "$output" 'Error: destination must be a directory when copying from stdin' + run_podman kill cpcontainer run_podman rm -f cpcontainer } @@ -527,8 +635,7 @@ load helpers fi tar xvf $srcdir/stdout.tar -C $srcdir - run cat $srcdir/file.txt - is "$output" "$rand_content" + is "$(< $srcdir/file.txt)" "$rand_content" run 1 ls $srcdir/empty.txt rm -f $srcdir/* @@ -539,11 +646,10 @@ load helpers fi tar xvf $srcdir/stdout.tar -C $srcdir - run cat $srcdir/tmp/file.txt - is "$output" "$rand_content" - run cat $srcdir/tmp/empty.txt - is "$output" "" + is "$(< $srcdir/tmp/file.txt)" "$rand_content" + is "$(< $srcdir/tmp/empty.txt)" "" + run_podman kill cpcontainer run_podman rm -f cpcontainer } diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats index 7482d3e55..215b2832e 100644 --- a/test/system/410-selinux.bats +++ b/test/system/410-selinux.bats @@ -39,17 +39,17 @@ function check_label() { } @test "podman selinux: container with label=disable" { - skip_if_rootless - check_label "--security-opt label=disable" "spc_t" } @test "podman selinux: privileged container" { - skip_if_rootless - check_label "--privileged --userns=host" "spc_t" } +@test "podman selinux: init container" { + check_label "--systemd=always" "container_init_t" +} + @test "podman selinux: pid=host" { # FIXME FIXME FIXME: Remove these lines once all VMs have >= 2.146.0 # (this is ugly, but better than an unconditional skip) @@ -74,6 +74,18 @@ function check_label() { check_label "--security-opt label=level:s0:c1,c2" "container_t" "s0:c1,c2" } +@test "podman selinux: inspect kvm labels" { + skip_if_no_selinux + skip_if_remote "runtime flag is not passed over remote" + if [ ! -e /usr/bin/kata-runtime ]; then + skip "kata-runtime not available" + fi + + run_podman create --runtime=kata --name myc $IMAGE + run_podman inspect --format='{{ .ProcessLabel }}' myc + is "$output" ".*container_kvm_t.*" +} + # pr #6752 @test "podman selinux: inspect multiple labels" { skip_if_no_selinux diff --git a/vendor/github.com/containers/buildah/add.go b/vendor/github.com/containers/buildah/add.go index 0903fc7db..cd466ccb3 100644 --- a/vendor/github.com/containers/buildah/add.go +++ b/vendor/github.com/containers/buildah/add.go @@ -324,13 +324,33 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption return errors.Wrapf(err, "error processing excludes list %v", options.Excludes) } - // Copy each source in turn. + // Make sure that, if it's a symlink, we'll chroot to the target of the link; + // knowing that target requires that we resolve it within the chroot. + evalOptions := copier.EvalOptions{} + evaluated, err := copier.Eval(mountPoint, extractDirectory, evalOptions) + if err != nil { + return errors.Wrapf(err, "error checking on destination %v", extractDirectory) + } + extractDirectory = evaluated + + // Set up ID maps. var srcUIDMap, srcGIDMap []idtools.IDMap if options.IDMappingOptions != nil { srcUIDMap, srcGIDMap = convertRuntimeIDMaps(options.IDMappingOptions.UIDMap, options.IDMappingOptions.GIDMap) } destUIDMap, destGIDMap := convertRuntimeIDMaps(b.IDMappingOptions.UIDMap, b.IDMappingOptions.GIDMap) + // Create the target directory if it doesn't exist yet. + mkdirOptions := copier.MkdirOptions{ + UIDMap: destUIDMap, + GIDMap: destGIDMap, + ChownNew: chownDirs, + } + if err := copier.Mkdir(mountPoint, extractDirectory, mkdirOptions); err != nil { + return errors.Wrapf(err, "error ensuring target directory exists") + } + + // Copy each source in turn. for _, src := range sources { var multiErr *multierror.Error var getErr, closeErr, renameErr, putErr error @@ -363,7 +383,7 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption ChmodFiles: nil, IgnoreDevices: rsystem.RunningInUserNS(), } - putErr = copier.Put(mountPoint, extractDirectory, putOptions, io.TeeReader(pipeReader, hasher)) + putErr = copier.Put(extractDirectory, extractDirectory, putOptions, io.TeeReader(pipeReader, hasher)) } hashCloser.Close() pipeReader.Close() @@ -498,7 +518,7 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption ChmodFiles: nil, IgnoreDevices: rsystem.RunningInUserNS(), } - putErr = copier.Put(mountPoint, extractDirectory, putOptions, io.TeeReader(pipeReader, hasher)) + putErr = copier.Put(extractDirectory, extractDirectory, putOptions, io.TeeReader(pipeReader, hasher)) } hashCloser.Close() pipeReader.Close() diff --git a/vendor/github.com/containers/buildah/buildah.go b/vendor/github.com/containers/buildah/buildah.go index dd43ea99a..77d313c58 100644 --- a/vendor/github.com/containers/buildah/buildah.go +++ b/vendor/github.com/containers/buildah/buildah.go @@ -28,7 +28,7 @@ const ( Package = "buildah" // Version for the Package. Bump version in contrib/rpm/buildah.spec // too. - Version = "1.19.6" + Version = "1.19.7" // The value we use to identify what type of information, currently a // serialized Builder structure, we are using as per-container state. // This should only be changed when we make incompatible changes to diff --git a/vendor/github.com/containers/buildah/copier/copier.go b/vendor/github.com/containers/buildah/copier/copier.go index 63cdb1974..b5e107d4b 100644 --- a/vendor/github.com/containers/buildah/copier/copier.go +++ b/vendor/github.com/containers/buildah/copier/copier.go @@ -70,6 +70,7 @@ func isArchivePath(path string) bool { type requestType string const ( + requestEval requestType = "EVAL" requestStat requestType = "STAT" requestGet requestType = "GET" requestPut requestType = "PUT" @@ -95,6 +96,8 @@ type request struct { func (req *request) Excludes() []string { switch req.Request { + case requestEval: + return nil case requestStat: return req.StatOptions.Excludes case requestGet: @@ -112,6 +115,8 @@ func (req *request) Excludes() []string { func (req *request) UIDMap() []idtools.IDMap { switch req.Request { + case requestEval: + return nil case requestStat: return nil case requestGet: @@ -129,6 +134,8 @@ func (req *request) UIDMap() []idtools.IDMap { func (req *request) GIDMap() []idtools.IDMap { switch req.Request { + case requestEval: + return nil case requestStat: return nil case requestGet: @@ -148,6 +155,7 @@ func (req *request) GIDMap() []idtools.IDMap { type response struct { Error string `json:",omitempty"` Stat statResponse + Eval evalResponse Get getResponse Put putResponse Mkdir mkdirResponse @@ -158,6 +166,11 @@ type statResponse struct { Globs []*StatsForGlob } +// evalResponse encodes a response for a single Eval request. +type evalResponse struct { + Evaluated string +} + // StatsForGlob encode results for a single glob pattern passed to Stat(). type StatsForGlob struct { Error string `json:",omitempty"` // error if the Glob pattern was malformed @@ -192,6 +205,33 @@ type putResponse struct { type mkdirResponse struct { } +// EvalOptions controls parts of Eval()'s behavior. +type EvalOptions struct { +} + +// Eval evaluates the directory's path, including any intermediate symbolic +// links. +// If root is specified and the current OS supports it, and the calling process +// has the necessary privileges, evaluation is performed in a chrooted context. +// If the directory is specified as an absolute path, it should either be the +// root directory or a subdirectory of the root directory. Otherwise, the +// directory is treated as a path relative to the root directory. +func Eval(root string, directory string, options EvalOptions) (string, error) { + req := request{ + Request: requestEval, + Root: root, + Directory: directory, + } + resp, err := copier(nil, nil, req) + if err != nil { + return "", err + } + if resp.Error != "" { + return "", errors.New(resp.Error) + } + return resp.Eval.Evaluated, nil +} + // StatOptions controls parts of Stat()'s behavior. type StatOptions struct { CheckForArchives bool // check for and populate the IsArchive bit in returned values @@ -243,6 +283,7 @@ type GetOptions struct { StripXattrs bool // don't record extended attributes of items being copied. no effect on archives being extracted KeepDirectoryNames bool // don't strip the top directory's basename from the paths of items in subdirectories Rename map[string]string // rename items with the specified names, or under the specified names + NoDerefSymlinks bool // don't follow symlinks when globs match them } // Get produces an archive containing items that match the specified glob @@ -557,6 +598,9 @@ func copierWithSubprocess(bulkReader io.Reader, bulkWriter io.Writer, req reques return killAndReturn(err, "error encoding request for copier subprocess") } if err = decoder.Decode(&resp); err != nil { + if errors.Is(err, io.EOF) && errorBuffer.Len() > 0 { + return killAndReturn(errors.New(errorBuffer.String()), "error in copier subprocess") + } return killAndReturn(err, "error decoding response from copier subprocess") } if err = encoder.Encode(&request{Request: requestQuit}); err != nil { @@ -667,7 +711,7 @@ func copierMain() { var err error chrooted, err = chroot(req.Root) if err != nil { - fmt.Fprintf(os.Stderr, "error changing to intended-new-root directory %q: %v", req.Root, err) + fmt.Fprintf(os.Stderr, "%v", err) os.Exit(1) } } @@ -762,6 +806,9 @@ func copierHandler(bulkReader io.Reader, bulkWriter io.Writer, req request) (*re switch req.Request { default: return nil, nil, errors.Errorf("not an implemented request type: %q", req.Request) + case requestEval: + resp := copierHandlerEval(req) + return resp, nil, nil case requestStat: resp := copierHandlerStat(req, pm) return resp, nil, nil @@ -870,6 +917,17 @@ func resolvePath(root, path string, pm *fileutils.PatternMatcher) (string, error return workingPath, nil } +func copierHandlerEval(req request) *response { + errorResponse := func(fmtspec string, args ...interface{}) *response { + return &response{Error: fmt.Sprintf(fmtspec, args...), Eval: evalResponse{}} + } + resolvedTarget, err := resolvePath(req.Root, req.Directory, nil) + if err != nil { + return errorResponse("copier: eval: error resolving %q: %v", req.Directory, err) + } + return &response{Eval: evalResponse{Evaluated: filepath.Join(req.rootPrefix, resolvedTarget)}} +} + func copierHandlerStat(req request, pm *fileutils.PatternMatcher) *response { errorResponse := func(fmtspec string, args ...interface{}) *response { return &response{Error: fmt.Sprintf(fmtspec, args...), Stat: statResponse{}} @@ -1024,7 +1082,7 @@ func copierHandlerGet(bulkWriter io.Writer, req request, pm *fileutils.PatternMa // chase links. if we hit a dead end, we should just fail followedLinks := 0 const maxFollowedLinks = 16 - for info.Mode()&os.ModeType == os.ModeSymlink && followedLinks < maxFollowedLinks { + for !req.GetOptions.NoDerefSymlinks && info.Mode()&os.ModeType == os.ModeSymlink && followedLinks < maxFollowedLinks { path, err := os.Readlink(item) if err != nil { continue @@ -1139,7 +1197,8 @@ func handleRename(rename map[string]string, name string) string { return path.Join(mappedPrefix, remainder) } if prefix[len(prefix)-1] == '/' { - if mappedPrefix, ok := rename[prefix[:len(prefix)-1]]; ok { + prefix = prefix[:len(prefix)-1] + if mappedPrefix, ok := rename[prefix]; ok { return path.Join(mappedPrefix, remainder) } } diff --git a/vendor/github.com/containers/buildah/copier/syscall_unix.go b/vendor/github.com/containers/buildah/copier/syscall_unix.go index 2c2806d0a..aa40f327c 100644 --- a/vendor/github.com/containers/buildah/copier/syscall_unix.go +++ b/vendor/github.com/containers/buildah/copier/syscall_unix.go @@ -3,10 +3,10 @@ package copier import ( - "fmt" "os" "time" + "github.com/pkg/errors" "golang.org/x/sys/unix" ) @@ -15,13 +15,13 @@ var canChroot = os.Getuid() == 0 func chroot(root string) (bool, error) { if canChroot { if err := os.Chdir(root); err != nil { - return false, fmt.Errorf("error changing to intended-new-root directory %q: %v", root, err) + return false, errors.Wrapf(err, "error changing to intended-new-root directory %q", root) } if err := unix.Chroot(root); err != nil { - return false, fmt.Errorf("error chrooting to directory %q: %v", root, err) + return false, errors.Wrapf(err, "error chrooting to directory %q", root) } if err := os.Chdir(string(os.PathSeparator)); err != nil { - return false, fmt.Errorf("error changing to just-became-root directory %q: %v", root, err) + return false, errors.Wrapf(err, "error changing to just-became-root directory %q", root) } return true, nil } diff --git a/vendor/github.com/containers/buildah/pkg/overlay/overlay.go b/vendor/github.com/containers/buildah/pkg/overlay/overlay.go index a3e5866ee..462561983 100644 --- a/vendor/github.com/containers/buildah/pkg/overlay/overlay.go +++ b/vendor/github.com/containers/buildah/pkg/overlay/overlay.go @@ -77,13 +77,11 @@ func mountHelper(contentDir, source, dest string, _, _ int, graphOptions []strin // Read-write overlay mounts want a lower, upper and a work layer. workDir := filepath.Join(contentDir, "work") upperDir := filepath.Join(contentDir, "upper") - st, err := os.Stat(dest) - if err == nil { - if err := os.Chmod(upperDir, st.Mode()); err != nil { - return mount, err - } + st, err := os.Stat(source) + if err != nil { + return mount, err } - if !os.IsNotExist(err) { + if err := os.Chmod(upperDir, st.Mode()); err != nil { return mount, err } overlayOptions = fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s,private", source, upperDir, workDir) diff --git a/vendor/modules.txt b/vendor/modules.txt index 1d192693d..b5e8d974e 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -72,7 +72,7 @@ github.com/containernetworking/plugins/pkg/utils/hwaddr github.com/containernetworking/plugins/pkg/utils/sysctl github.com/containernetworking/plugins/plugins/ipam/host-local/backend github.com/containernetworking/plugins/plugins/ipam/host-local/backend/allocator -# github.com/containers/buildah v1.19.6 +# github.com/containers/buildah v1.19.7 github.com/containers/buildah github.com/containers/buildah/bind github.com/containers/buildah/chroot diff --git a/version/version.go b/version/version.go index 520014bb7..6b93ed8ea 100644 --- a/version/version.go +++ b/version/version.go @@ -4,13 +4,44 @@ import ( "github.com/blang/semver" ) +type ( + // Tree determines which API endpoint tree for version + Tree int + // Level determines which API level, current or something from the past + Level int +) + +const ( + // Libpod supports Libpod endpoints + Libpod = Tree(iota) + // Compat supports Libpod endpoints + Compat + + // CurrentAPI announces what is the current API level + CurrentAPI = Level(iota) + // MinimalAPI announces what is the oldest API level supported + MinimalAPI +) + // Version is the version of the build. // NOTE: remember to bump the version at the top // of the top-level README.md file when this is // bumped. var Version = semver.MustParse("3.1.0-dev") -// APIVersion is the version for the remote -// client API. It is used to determine compatibility -// between a remote podman client and its backend -var APIVersion = semver.MustParse("3.0.0") +// See https://docs.docker.com/engine/api/v1.40/ +// libpod compat handlers are expected to honor docker API versions + +// APIVersion provides the current and minimal API versions for compat and libpod endpoint trees +// Note: GET|HEAD /_ping is never versioned and provides the API-Version and Libpod-API-Version headers to allow +// clients to shop for the Version they wish to support +var APIVersion = map[Tree]map[Level]semver.Version{ + Libpod: { + CurrentAPI: Version, + MinimalAPI: semver.MustParse("3.0.0"), + }, + Compat: { + CurrentAPI: semver.MustParse("1.40.0"), + MinimalAPI: semver.MustParse("1.24.0"), + }, +} |