diff options
30 files changed, 472 insertions, 65 deletions
diff --git a/cmd/podman/networks/list.go b/cmd/podman/networks/list.go index 6d8d35589..2181f850b 100644 --- a/cmd/podman/networks/list.go +++ b/cmd/podman/networks/list.go @@ -1,7 +1,6 @@ package network import ( - "encoding/json" "fmt" "os" "strings" @@ -11,7 +10,6 @@ import ( "github.com/containers/common/pkg/completion" "github.com/containers/common/pkg/report" "github.com/containers/podman/v3/cmd/podman/common" - "github.com/containers/podman/v3/cmd/podman/parse" "github.com/containers/podman/v3/cmd/podman/registry" "github.com/containers/podman/v3/cmd/podman/validate" "github.com/containers/podman/v3/libpod/network" @@ -78,13 +76,38 @@ func networkList(cmd *cobra.Command, args []string) error { } switch { - case report.IsJSON(networkListOptions.Format): - return jsonOut(responses) + // quiet means we only print the network names case networkListOptions.Quiet: - // quiet means we only print the network names - return quietOut(responses) + quietOut(responses) + + // JSON output formatting + case report.IsJSON(networkListOptions.Format): + err = jsonOut(responses) + + // table or other format output + default: + err = templateOut(responses, cmd) + } + + return err +} + +func quietOut(responses []*entities.NetworkListReport) { + for _, r := range responses { + fmt.Println(r.Name) + } +} + +func jsonOut(responses []*entities.NetworkListReport) error { + prettyJSON, err := json.MarshalIndent(responses, "", " ") + if err != nil { + return err } + fmt.Println(string(prettyJSON)) + return nil +} +func templateOut(responses []*entities.NetworkListReport, cmd *cobra.Command) error { nlprs := make([]ListPrintReports, 0, len(responses)) for _, r := range responses { nlprs = append(nlprs, ListPrintReports{r}) @@ -99,13 +122,16 @@ func networkList(cmd *cobra.Command, args []string) error { "Labels": "labels", "ID": "network id", }) - renderHeaders := true - row := "{{.Name}}\t{{.Version}}\t{{.Plugins}}\n" + + renderHeaders := report.HasTable(networkListOptions.Format) + var row, format string if cmd.Flags().Changed("format") { - renderHeaders = parse.HasTable(networkListOptions.Format) row = report.NormalizeFormat(networkListOptions.Format) + } else { // 'podman network ls' equivalent to 'podman network ls --format="table {{.ID}} {{.Name}} {{.Version}} {{.Plugins}}" ' + renderHeaders = true + row = "{{.ID}}\t{{.Name}}\t{{.Version}}\t{{.Plugins}}\n" } - format := parse.EnforceRange(row) + format = report.EnforceRange(row) tmpl, err := template.New("listNetworks").Parse(format) if err != nil { @@ -122,34 +148,22 @@ func networkList(cmd *cobra.Command, args []string) error { return tmpl.Execute(w, nlprs) } -func quietOut(responses []*entities.NetworkListReport) error { - for _, r := range responses { - fmt.Println(r.Name) - } - return nil -} - -func jsonOut(responses []*entities.NetworkListReport) error { - b, err := json.MarshalIndent(responses, "", " ") - if err != nil { - return err - } - fmt.Println(string(b)) - return nil -} - +// ListPrintReports returns the network list report type ListPrintReports struct { *entities.NetworkListReport } +// Version returns the CNI version func (n ListPrintReports) Version() string { return n.CNIVersion } +// Plugins returns the CNI Plugins func (n ListPrintReports) Plugins() string { return network.GetCNIPlugins(n.NetworkConfigList) } +// Labels returns any labels added to a Network func (n ListPrintReports) Labels() string { list := make([]string, 0, len(n.NetworkListReport.Labels)) for k, v := range n.NetworkListReport.Labels { @@ -158,6 +172,7 @@ func (n ListPrintReports) Labels() string { return strings.Join(list, ",") } +// ID returns the Podman Network ID func (n ListPrintReports) ID() string { length := 12 if noTrunc { diff --git a/cmd/podman/networks/network.go b/cmd/podman/networks/network.go index e729f35f3..4d6cd8abd 100644 --- a/cmd/podman/networks/network.go +++ b/cmd/podman/networks/network.go @@ -8,6 +8,9 @@ import ( ) var ( + // Pull in configured json library + json = registry.JSONLibrary() + // Command: podman _network_ networkCmd = &cobra.Command{ Use: "network", diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 7782949a9..30cadf703 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -1036,6 +1036,7 @@ The _options_ is a comma delimited list and can be: * [**no**]**dev** * [**no**]**suid** * [**O**] +* [**U**] The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The volume will be mounted into the container at this directory. @@ -1065,6 +1066,14 @@ You can add `:ro` or `:rw` suffix to a volume to mount it read-only or read-write mode, respectively. By default, the volumes are mounted read-write. See examples. + `Chowning Volume Mounts` + +By default, Podman does not change the owner and group of source volume directories mounted into containers. If a container is created in a new user namespace, the UID and GID in the container may correspond to another UID and GID on the host. + +The `:U` suffix tells Podman to use the correct host UID and GID based on the UID and GID within the container, to change recursively the owner and group of the source volume. + +**Warning** use with caution since this will modify the host filesystem. + `Labeling Volume Mounts` Labeling systems like SELinux require that proper labels are placed on volume diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 8c0b12e90..a633df94e 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -1111,6 +1111,7 @@ The _options_ is a comma delimited list and can be: <sup>[[1]](#Footnote1)</sup> * [**no**]**dev** * [**no**]**suid** * [**O**] +* [**U**] The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The volume will be mounted into the container at this directory. @@ -1139,6 +1140,14 @@ container. You can add **:ro** or **:rw** option to mount a volume in read-only or read-write mode, respectively. By default, the volumes are mounted read-write. + `Chowning Volume Mounts` + +By default, Podman does not change the owner and group of source volume directories mounted into containers. If a container is created in a new user namespace, the UID and GID in the container may correspond to another UID and GID on the host. + +The `:U` suffix tells Podman to use the correct host UID and GID based on the UID and GID within the container, to change recursively the owner and group of the source volume. + +**Warning** use with caution since this will modify the host filesystem. + `Labeling Volume Mounts` Labeling systems like SELinux require that proper labels are placed on volume @@ -1450,6 +1459,8 @@ $ podman run -v /var/db:/data1 -i -t fedora bash $ podman run -v data:/data2 -i -t fedora bash $ podman run -v /var/cache/dnf:/var/cache/dnf:O -ti fedora dnf -y update + +$ podman run -d -e MYSQL_ROOT_PASSWORD=root --user mysql --userns=keep-id -v ~/data:/var/lib/mysql:z,U mariadb ``` Using **--mount** flags to mount a host directory as a container folder, specify diff --git a/docs/source/markdown/podman-system-connection.1.md b/docs/source/markdown/podman-system-connection.1.md index 0673aaee1..6cd4a5fa8 100644 --- a/docs/source/markdown/podman-system-connection.1.md +++ b/docs/source/markdown/podman-system-connection.1.md @@ -3,7 +3,7 @@ ## NAME podman\-system\-connection - Manage the destination(s) for Podman service(s) -## SYNOPSISManage the destination(s) for Podman service(s) +## SYNOPSIS **podman system connection** *subcommand* ## DESCRIPTION @@ -11,7 +11,7 @@ require ( github.com/containernetworking/cni v0.8.1 github.com/containernetworking/plugins v0.9.0 github.com/containers/buildah v1.19.6 - github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577 + github.com/containers/common v0.35.0 github.com/containers/conmon v2.0.20+incompatible github.com/containers/image/v5 v5.10.2 github.com/containers/ocicrypt v1.1.0 @@ -50,7 +50,7 @@ require ( github.com/opentracing/opentracing-go v1.2.0 github.com/pkg/errors v0.9.1 github.com/pmezard/go-difflib v1.0.0 - github.com/rootless-containers/rootlesskit v0.13.1 + github.com/rootless-containers/rootlesskit v0.13.2 github.com/sirupsen/logrus v1.8.0 github.com/spf13/cobra v1.1.3 github.com/spf13/pflag v1.0.5 @@ -68,6 +68,6 @@ require ( google.golang.org/appengine v1.6.6 // indirect gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect k8s.io/api v0.0.0-20190620084959-7cf5895f2711 - k8s.io/apimachinery v0.20.3 + k8s.io/apimachinery v0.20.4 k8s.io/client-go v0.0.0-20190620085101-78d2af792bab ) @@ -99,8 +99,8 @@ github.com/containernetworking/plugins v0.9.0/go.mod h1:dbWv4dI0QrBGuVgj+TuVQ6wJ github.com/containers/buildah v1.19.6 h1:8mPysB7QzHxX9okR+Bwq/lsKAZA/FjDcqB+vebgwI1g= github.com/containers/buildah v1.19.6/go.mod h1:VnyHWgNmfR1d89/zJ/F4cbwOzaQS+6sBky46W7dCo3E= github.com/containers/common v0.33.4/go.mod h1:PhgL71XuC4jJ/1BIqeP7doke3aMFkCP90YBXwDeUr9g= -github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577 h1:tUJcLouJ1bC3w9gdqgKqZBsj2uCuM8D8jSR592lxbhE= -github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577/go.mod h1:mwZ9H8sK4+dtWxsnVLyWcjxK/gEQClrLsXsqLvbEKbI= +github.com/containers/common v0.35.0 h1:1OLZ2v+Tj/CN9BTQkKZ5VOriOiArJedinMMqfJRUI38= +github.com/containers/common v0.35.0/go.mod h1:gs1th7XFTOvVUl4LDPdQjOfOeNiVRDbQ7CNrZ0wS6F8= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/image/v5 v5.10.1 h1:tHhGQ8RCMxJfJLD/PEW1qrOKX8nndledW9qz6UiAxns= @@ -524,8 +524,8 @@ github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDa github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rootless-containers/rootlesskit v0.13.1 h1:QIMHxf00SaUinpJ2r9vwD4z6E3Yq8kk/aZ6ItNXIPHA= -github.com/rootless-containers/rootlesskit v0.13.1/go.mod h1:DwE/9ASct8sj7bueOXqKiwcdzyZ+yV6qhTAtJUO7988= +github.com/rootless-containers/rootlesskit v0.13.2 h1:NoSyGw0+0Js0L6nI/rfm8laV0QBI+sUxjFSGWfQgtr0= +github.com/rootless-containers/rootlesskit v0.13.2/go.mod h1:P+T/zWEzrIidEJIsYkuVWFLPebBvdehdIem7s36glh8= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= @@ -907,8 +907,8 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt k8s.io/api v0.0.0-20190620084959-7cf5895f2711 h1:BblVYz/wE5WtBsD/Gvu54KyBUTJMflolzc5I2DTvh50= k8s.io/api v0.0.0-20190620084959-7cf5895f2711/go.mod h1:TBhBqb1AWbBQbW3XRusr7n7E4v2+5ZY8r8sAMnyFC5A= k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA= -k8s.io/apimachinery v0.20.3 h1:P0heYNTI2km9gTUAb0PX5qRd8oHAaesICvkg13k97y4= -k8s.io/apimachinery v0.20.3/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= +k8s.io/apimachinery v0.20.4 h1:vhxQ0PPUUU2Ns1b9r4/UFp13UPs8cw2iOoTjnY9faa0= +k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/client-go v0.0.0-20190620085101-78d2af792bab h1:E8Fecph0qbNsAbijJJQryKu4Oi9QTp5cVpjTE+nqg6g= k8s.io/client-go v0.0.0-20190620085101-78d2af792bab/go.mod h1:E95RaSlHr79aHaX0aGSwcPNfygDiPKOVXdmivCIZT0k= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= diff --git a/libpod/container.go b/libpod/container.go index 9841bddf7..ee6e243ac 100644 --- a/libpod/container.go +++ b/libpod/container.go @@ -236,6 +236,8 @@ type ContainerOverlayVolume struct { Dest string `json:"dest"` // Source specifies the source path of the mount. Source string `json:"source,omitempty"` + // Options holds overlay volume options. + Options []string `json:"options,omitempty"` } // ContainerImageVolume is a volume based on a container image. The container diff --git a/libpod/container_exec.go b/libpod/container_exec.go index 7b1d797bb..8d63ef90f 100644 --- a/libpod/container_exec.go +++ b/libpod/container_exec.go @@ -954,18 +954,22 @@ func (c *Container) removeAllExecSessions() error { } // Delete all exec sessions if err := c.runtime.state.RemoveContainerExecSessions(c); err != nil { - if lastErr != nil { - logrus.Errorf("Error stopping container %s exec sessions: %v", c.ID(), lastErr) + if errors.Cause(err) != define.ErrCtrRemoved { + if lastErr != nil { + logrus.Errorf("Error stopping container %s exec sessions: %v", c.ID(), lastErr) + } + lastErr = err } - lastErr = err } c.state.ExecSessions = nil c.state.LegacyExecSessions = nil if err := c.save(); err != nil { - if lastErr != nil { - logrus.Errorf("Error stopping container %s exec sessions: %v", c.ID(), lastErr) + if errors.Cause(err) != define.ErrCtrRemoved { + if lastErr != nil { + logrus.Errorf("Error stopping container %s exec sessions: %v", c.ID(), lastErr) + } + lastErr = err } - lastErr = err } return lastErr diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go index 399eff845..e0569e2d4 100644 --- a/libpod/container_inspect.go +++ b/libpod/container_inspect.go @@ -2,6 +2,7 @@ package libpod import ( "fmt" + "sort" "strings" "github.com/containers/common/pkg/config" @@ -698,6 +699,8 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named for cap := range boundingCaps { capDrop = append(capDrop, cap) } + // Sort CapDrop so it displays in consistent order (GH #9490) + sort.Strings(capDrop) } hostConfig.CapAdd = capAdd hostConfig.CapDrop = capDrop diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index 43a345ea9..dc0418148 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -23,7 +23,9 @@ import ( "github.com/containernetworking/plugins/pkg/ns" "github.com/containers/buildah/pkg/chrootuser" "github.com/containers/buildah/pkg/overlay" + butil "github.com/containers/buildah/util" "github.com/containers/common/pkg/apparmor" + "github.com/containers/common/pkg/chown" "github.com/containers/common/pkg/config" "github.com/containers/common/pkg/subscriptions" "github.com/containers/common/pkg/umask" @@ -356,13 +358,28 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { return nil, err } - // Check if the spec file mounts contain the label Relabel flags z or Z. - // If they do, relabel the source directory and then remove the option. + // Get host UID and GID based on the container process UID and GID. + hostUID, hostGID, err := butil.GetHostIDs(util.IDtoolsToRuntimeSpec(c.config.IDMappings.UIDMap), util.IDtoolsToRuntimeSpec(c.config.IDMappings.GIDMap), uint32(execUser.Uid), uint32(execUser.Gid)) + if err != nil { + return nil, err + } + + // Check if the spec file mounts contain the options z, Z or U. + // If they have z or Z, relabel the source directory and then remove the option. + // If they have U, chown the source directory and them remove the option. for i := range g.Config.Mounts { m := &g.Config.Mounts[i] var options []string for _, o := range m.Options { switch o { + case "U": + if m.Type == "tmpfs" { + options = append(options, []string{fmt.Sprintf("uid=%d", execUser.Uid), fmt.Sprintf("gid=%d", execUser.Gid)}...) + } else { + if err := chown.ChangeHostPathOwnership(m.Source, true, int(hostUID), int(hostGID)); err != nil { + return nil, err + } + } case "z": fallthrough case "Z": @@ -427,6 +444,21 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { if err != nil { return nil, errors.Wrapf(err, "mounting overlay failed %q", overlayVol.Source) } + + // Check overlay volume options + for _, o := range overlayVol.Options { + switch o { + case "U": + if err := chown.ChangeHostPathOwnership(overlayVol.Source, true, int(hostUID), int(hostGID)); err != nil { + return nil, err + } + + if err := chown.ChangeHostPathOwnership(contentDir, true, int(hostUID), int(hostGID)); err != nil { + return nil, err + } + } + } + g.AddMount(overlayMount) } @@ -1681,8 +1713,9 @@ rootless=%d // generateResolvConf generates a containers resolv.conf func (c *Container) generateResolvConf() (string, error) { var ( - nameservers []string - cniNameServers []string + nameservers []string + cniNameServers []string + cniSearchDomains []string ) resolvConf := "/etc/resolv.conf" @@ -1734,6 +1767,10 @@ func (c *Container) generateResolvConf() (string, error) { cniNameServers = append(cniNameServers, i.DNS.Nameservers...) logrus.Debugf("adding nameserver(s) from cni response of '%q'", i.DNS.Nameservers) } + if i.DNS.Search != nil { + cniSearchDomains = append(cniSearchDomains, i.DNS.Search...) + logrus.Debugf("adding search domain(s) from cni response of '%q'", i.DNS.Search) + } } dns := make([]net.IP, 0, len(c.runtime.config.Containers.DNSServers)) @@ -1765,10 +1802,11 @@ func (c *Container) generateResolvConf() (string, error) { } var search []string - if len(c.config.DNSSearch) > 0 || len(c.runtime.config.Containers.DNSSearches) > 0 { + if len(c.config.DNSSearch) > 0 || len(c.runtime.config.Containers.DNSSearches) > 0 || len(cniSearchDomains) > 0 { if !util.StringInSlice(".", c.config.DNSSearch) { search = c.runtime.config.Containers.DNSSearches search = append(search, c.config.DNSSearch...) + search = append(search, cniSearchDomains...) } } else { search = resolvconf.GetSearchDomains(resolv.Content) diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go index c1b2c694d..0526e646e 100644 --- a/libpod/networking_linux.go +++ b/libpod/networking_linux.go @@ -1134,6 +1134,11 @@ func (w *logrusDebugWriter) Write(p []byte) (int, error) { // NetworkDisconnect removes a container from the network func (c *Container) NetworkDisconnect(nameOrID, netName string, force bool) error { + // only the bridge mode supports cni networks + if !c.config.NetMode.IsBridge() { + return errors.Errorf("network mode %q is not supported", c.config.NetMode) + } + networks, err := c.networksByNameIndex() if err != nil { return err @@ -1190,6 +1195,11 @@ func (c *Container) NetworkDisconnect(nameOrID, netName string, force bool) erro // ConnectNetwork connects a container to a given network func (c *Container) NetworkConnect(nameOrID, netName string, aliases []string) error { + // only the bridge mode supports cni networks + if !c.config.NetMode.IsBridge() { + return errors.Errorf("network mode %q is not supported", c.config.NetMode) + } + networks, err := c.networksByNameIndex() if err != nil { return err diff --git a/libpod/options.go b/libpod/options.go index 627ea8c57..6344e1acc 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -1429,8 +1429,9 @@ func WithOverlayVolumes(volumes []*ContainerOverlayVolume) CtrCreateOption { for _, vol := range volumes { ctr.config.OverlayVolumes = append(ctr.config.OverlayVolumes, &ContainerOverlayVolume{ - Dest: vol.Dest, - Source: vol.Source, + Dest: vol.Dest, + Source: vol.Source, + Options: vol.Options, }) } diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go index 938a5a92b..4790bd58c 100644 --- a/pkg/domain/infra/abi/containers.go +++ b/pkg/domain/infra/abi/containers.go @@ -319,12 +319,18 @@ func (ic *ContainerEngine) ContainerRm(ctx context.Context, namesOrIds []string, errMap, err := parallelctr.ContainerOp(ctx, ctrs, func(c *libpod.Container) error { err := ic.Libpod.RemoveContainer(ctx, c, options.Force, options.Volumes) - if err != nil { - if options.Ignore && errors.Cause(err) == define.ErrNoSuchCtr { + if err == nil { + return nil + } + logrus.Debugf("Failed to remove container %s: %s", c.ID(), err.Error()) + switch errors.Cause(err) { + case define.ErrNoSuchCtr: + if options.Ignore { logrus.Debugf("Ignoring error (--allow-missing): %v", err) return nil } - logrus.Debugf("Failed to remove container %s: %s", c.ID(), err.Error()) + case define.ErrCtrRemoved: + return nil } return err }) diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go index 3b7112959..03697b353 100644 --- a/pkg/specgen/generate/container_create.go +++ b/pkg/specgen/generate/container_create.go @@ -247,8 +247,9 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen. var vols []*libpod.ContainerOverlayVolume for _, v := range overlays { vols = append(vols, &libpod.ContainerOverlayVolume{ - Dest: v.Destination, - Source: v.Source, + Dest: v.Destination, + Source: v.Source, + Options: v.Options, }) } options = append(options, libpod.WithOverlayVolumes(vols)) diff --git a/pkg/specgen/volumes.go b/pkg/specgen/volumes.go index 83634b4ef..d85d2bdd1 100644 --- a/pkg/specgen/volumes.go +++ b/pkg/specgen/volumes.go @@ -31,6 +31,8 @@ type OverlayVolume struct { Destination string `json:"destination"` // Source specifies the source path of the mount. Source string `json:"source,omitempty"` + // Options holds overlay volume options. + Options []string `json:"options,omitempty"` } // ImageVolume is a volume based on a container image. The container image is @@ -100,10 +102,17 @@ func GenVolumeMounts(volumeFlag []string) (map[string]spec.Mount, map[string]*Na if strings.HasPrefix(src, "/") || strings.HasPrefix(src, ".") { // This is not a named volume overlayFlag := false + chownFlag := false for _, o := range options { if o == "O" { overlayFlag = true - if len(options) > 1 { + + joinedOpts := strings.Join(options, "") + if strings.Contains(joinedOpts, "U") { + chownFlag = true + } + + if len(options) > 2 || (len(options) == 2 && !chownFlag) { return nil, nil, nil, errors.New("can't use 'O' with other options") } } @@ -113,6 +122,8 @@ func GenVolumeMounts(volumeFlag []string) (map[string]spec.Mount, map[string]*Na newOverlayVol := new(OverlayVolume) newOverlayVol.Destination = cleanDest newOverlayVol.Source = src + newOverlayVol.Options = options + if _, ok := overlayVolumes[newOverlayVol.Destination]; ok { return nil, nil, nil, errors.Wrapf(errDuplicateDest, newOverlayVol.Destination) } diff --git a/pkg/util/mountOpts.go b/pkg/util/mountOpts.go index b3a38f286..f13dc94ec 100644 --- a/pkg/util/mountOpts.go +++ b/pkg/util/mountOpts.go @@ -25,7 +25,7 @@ type defaultMountOptions struct { // The sourcePath variable, if not empty, contains a bind mount source. func ProcessOptions(options []string, isTmpfs bool, sourcePath string) ([]string, error) { var ( - foundWrite, foundSize, foundProp, foundMode, foundExec, foundSuid, foundDev, foundCopyUp, foundBind, foundZ bool + foundWrite, foundSize, foundProp, foundMode, foundExec, foundSuid, foundDev, foundCopyUp, foundBind, foundZ, foundU bool ) newOptions := make([]string, 0, len(options)) @@ -116,6 +116,11 @@ func ProcessOptions(options []string, isTmpfs bool, sourcePath string) ([]string return nil, errors.Wrapf(ErrDupeMntOption, "only one of 'z' and 'Z' can be used") } foundZ = true + case "U": + if foundU { + return nil, errors.Wrapf(ErrDupeMntOption, "the 'U' option can only be set once") + } + foundU = true default: return nil, errors.Wrapf(ErrBadMntOption, "unknown mount option %q", opt) } diff --git a/pkg/util/utils.go b/pkg/util/utils.go index c6ecd91f6..a4c8f3a64 100644 --- a/pkg/util/utils.go +++ b/pkg/util/utils.go @@ -23,6 +23,7 @@ import ( "github.com/containers/storage" "github.com/containers/storage/pkg/idtools" v1 "github.com/opencontainers/image-spec/specs-go/v1" + "github.com/opencontainers/runtime-spec/specs-go" "github.com/pkg/errors" "github.com/sirupsen/logrus" "golang.org/x/crypto/ssh/terminal" @@ -692,3 +693,16 @@ func CoresToPeriodAndQuota(cores float64) (uint64, int64) { func PeriodAndQuotaToCores(period uint64, quota int64) float64 { return float64(quota) / float64(period) } + +// IDtoolsToRuntimeSpec converts idtools ID mapping to the one of the runtime spec. +func IDtoolsToRuntimeSpec(idMaps []idtools.IDMap) (convertedIDMap []specs.LinuxIDMapping) { + for _, idmap := range idMaps { + tempIDMap := specs.LinuxIDMapping{ + ContainerID: uint32(idmap.ContainerID), + HostID: uint32(idmap.HostID), + Size: uint32(idmap.Size), + } + convertedIDMap = append(convertedIDMap, tempIDMap) + } + return convertedIDMap +} diff --git a/test/e2e/inspect_test.go b/test/e2e/inspect_test.go index d417fc49d..772ebed05 100644 --- a/test/e2e/inspect_test.go +++ b/test/e2e/inspect_test.go @@ -490,4 +490,22 @@ var _ = Describe("Podman inspect", func() { } Expect(found).To(BeTrue()) }) + + It("Dropped capabilities are sorted", func() { + ctrName := "testCtr" + session := podmanTest.Podman([]string{"run", "-d", "--cap-drop", "CAP_AUDIT_WRITE", "--cap-drop", "CAP_MKNOD", "--cap-drop", "CAP_NET_RAW", "--name", ctrName, ALPINE, "top"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(BeZero()) + + inspect := podmanTest.Podman([]string{"inspect", ctrName}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.ExitCode()).To(BeZero()) + + data := inspect.InspectContainerToJSON() + Expect(len(data)).To(Equal(1)) + Expect(len(data[0].HostConfig.CapDrop)).To(Equal(3)) + Expect(data[0].HostConfig.CapDrop[0]).To(Equal("CAP_AUDIT_WRITE")) + Expect(data[0].HostConfig.CapDrop[1]).To(Equal("CAP_MKNOD")) + Expect(data[0].HostConfig.CapDrop[2]).To(Equal("CAP_NET_RAW")) + }) }) diff --git a/test/e2e/network_connect_disconnect_test.go b/test/e2e/network_connect_disconnect_test.go index 3be95e254..eb8ad7181 100644 --- a/test/e2e/network_connect_disconnect_test.go +++ b/test/e2e/network_connect_disconnect_test.go @@ -37,7 +37,6 @@ var _ = Describe("Podman network connect and disconnect", func() { dis := podmanTest.Podman([]string{"network", "disconnect", "foobar", "test"}) dis.WaitWithDefaultTimeout() Expect(dis.ExitCode()).ToNot(BeZero()) - }) It("bad container name in network disconnect should result in error", func() { @@ -51,7 +50,25 @@ var _ = Describe("Podman network connect and disconnect", func() { dis := podmanTest.Podman([]string{"network", "disconnect", netName, "foobar"}) dis.WaitWithDefaultTimeout() Expect(dis.ExitCode()).ToNot(BeZero()) + }) + + It("network disconnect with net mode slirp4netns should result in error", func() { + SkipIfRootless("network connect and disconnect are only rootful") + netName := "slirp" + stringid.GenerateNonCryptoID() + session := podmanTest.Podman([]string{"network", "create", netName}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(BeZero()) + defer podmanTest.removeCNINetwork(netName) + session = podmanTest.Podman([]string{"create", "--name", "test", "--network", "slirp4netns", ALPINE}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(BeZero()) + defer podmanTest.removeCNINetwork(netName) + + con := podmanTest.Podman([]string{"network", "disconnect", netName, "test"}) + con.WaitWithDefaultTimeout() + Expect(con.ExitCode()).ToNot(BeZero()) + Expect(con.ErrorToString()).To(ContainSubstring(`network mode "slirp4netns" is not supported`)) }) It("podman network disconnect", func() { @@ -89,7 +106,6 @@ var _ = Describe("Podman network connect and disconnect", func() { dis := podmanTest.Podman([]string{"network", "connect", "foobar", "test"}) dis.WaitWithDefaultTimeout() Expect(dis.ExitCode()).ToNot(BeZero()) - }) It("bad container name in network connect should result in error", func() { @@ -103,7 +119,25 @@ var _ = Describe("Podman network connect and disconnect", func() { dis := podmanTest.Podman([]string{"network", "connect", netName, "foobar"}) dis.WaitWithDefaultTimeout() Expect(dis.ExitCode()).ToNot(BeZero()) + }) + + It("network connect with net mode slirp4netns should result in error", func() { + SkipIfRootless("network connect and disconnect are only rootful") + netName := "slirp" + stringid.GenerateNonCryptoID() + session := podmanTest.Podman([]string{"network", "create", netName}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(BeZero()) + defer podmanTest.removeCNINetwork(netName) + session = podmanTest.Podman([]string{"create", "--name", "test", "--network", "slirp4netns", ALPINE}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(BeZero()) + defer podmanTest.removeCNINetwork(netName) + + con := podmanTest.Podman([]string{"network", "connect", netName, "test"}) + con.WaitWithDefaultTimeout() + Expect(con.ExitCode()).ToNot(BeZero()) + Expect(con.ErrorToString()).To(ContainSubstring(`network mode "slirp4netns" is not supported`)) }) It("podman connect on a container that already is connected to the network should error", func() { diff --git a/test/e2e/network_test.go b/test/e2e/network_test.go index a7eb6e629..53521cdc4 100644 --- a/test/e2e/network_test.go +++ b/test/e2e/network_test.go @@ -150,6 +150,13 @@ var _ = Describe("Podman network", func() { defer podmanTest.removeCNINetwork(net) Expect(session.ExitCode()).To(BeZero()) + // Tests Default Table Output + session = podmanTest.Podman([]string{"network", "ls", "--filter", "id=" + netID}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(BeZero()) + expectedTable := "NETWORK ID NAME VERSION PLUGINS" + Expect(session.OutputToString()).To(ContainSubstring(expectedTable)) + session = podmanTest.Podman([]string{"network", "ls", "--format", "{{.Name}} {{.ID}}", "--filter", "id=" + netID}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(BeZero()) diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go index a6237a49a..0e6e636bc 100644 --- a/test/e2e/run_networking_test.go +++ b/test/e2e/run_networking_test.go @@ -766,4 +766,18 @@ var _ = Describe("Podman run networking", func() { session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(BeZero()) }) + + It("podman run check dnsname adds dns search domain", func() { + Skip("needs dnsname#57") + net := "dnsname" + stringid.GenerateNonCryptoID() + session := podmanTest.Podman([]string{"network", "create", net}) + session.WaitWithDefaultTimeout() + defer podmanTest.removeCNINetwork(net) + Expect(session.ExitCode()).To(BeZero()) + + session = podmanTest.Podman([]string{"run", "--network", net, ALPINE, "cat", "/etc/resolv.conf"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(BeZero()) + Expect(session.OutputToString()).To(ContainSubstring("search dns.podman")) + }) }) diff --git a/test/e2e/run_volume_test.go b/test/e2e/run_volume_test.go index 20c43bf4a..454dfdc83 100644 --- a/test/e2e/run_volume_test.go +++ b/test/e2e/run_volume_test.go @@ -2,8 +2,10 @@ package integration import ( "fmt" + "io/ioutil" "os" "os/exec" + "os/user" "path/filepath" "strings" @@ -590,4 +592,55 @@ VOLUME /test/` Expect(session.ExitCode()).To(Equal(0)) Expect(len(session.OutputToStringArray())).To(Equal(2)) }) + + It("podman run with U volume flag", func() { + SkipIfRemote("Overlay volumes only work locally") + + u, err := user.Current() + Expect(err).To(BeNil()) + name := u.Username + if name == "root" { + name = "containers" + } + + content, err := ioutil.ReadFile("/etc/subuid") + if err != nil { + Skip("cannot read /etc/subuid") + } + if !strings.Contains(string(content), name) { + Skip("cannot find mappings for the current user") + } + + if os.Getenv("container") != "" { + Skip("Overlay mounts not supported when running in a container") + } + if rootless.IsRootless() { + if _, err := exec.LookPath("fuse_overlay"); err != nil { + Skip("Fuse-Overlayfs required for rootless overlay mount test") + } + } + + mountPath := filepath.Join(podmanTest.TempDir, "secrets") + os.Mkdir(mountPath, 0755) + vol := mountPath + ":" + dest + ":U" + + session := podmanTest.Podman([]string{"run", "--rm", "--user", "888:888", "-v", vol, ALPINE, "stat", "-c", "%u:%g", dest}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + found, _ := session.GrepString("888:888") + Expect(found).Should(BeTrue()) + + session = podmanTest.Podman([]string{"run", "--rm", "--user", "888:888", "--userns", "auto", "-v", vol, ALPINE, "stat", "-c", "%u:%g", dest}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + found, _ = session.GrepString("888:888") + Expect(found).Should(BeTrue()) + + vol = vol + ",O" + session = podmanTest.Podman([]string{"run", "--rm", "--user", "888:888", "--userns", "keep-id", "-v", vol, ALPINE, "stat", "-c", "%u:%g", dest}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + found, _ = session.GrepString("888:888") + Expect(found).Should(BeTrue()) + }) }) diff --git a/test/system/055-rm.bats b/test/system/055-rm.bats index 0107114b5..a5770f20f 100644 --- a/test/system/055-rm.bats +++ b/test/system/055-rm.bats @@ -51,6 +51,13 @@ load helpers run_podman rm $rand $external_cid } +@test "podman rm <-> run --rm race" { + # A container's lock is released before attempting to stop it. This opens + # the window for race conditions that led to #9479. + run_podman run --rm -d $IMAGE sleep infinity + run_podman rm -af +} + # I'm sorry! This test takes 13 seconds. There's not much I can do about it, # please know that I think it's justified: podman 1.5.0 had a strange bug # in with exit status was not preserved on some code paths with 'rm -f' diff --git a/vendor/github.com/containers/common/pkg/chown/chown.go b/vendor/github.com/containers/common/pkg/chown/chown.go new file mode 100644 index 000000000..fe794304e --- /dev/null +++ b/vendor/github.com/containers/common/pkg/chown/chown.go @@ -0,0 +1,122 @@ +package chown + +import ( + "os" + "os/user" + "path/filepath" + "syscall" + + "github.com/containers/storage/pkg/homedir" + "github.com/pkg/errors" +) + +// DangerousHostPath validates if a host path is dangerous and should not be modified +func DangerousHostPath(path string) (bool, error) { + excludePaths := map[string]bool{ + "/": true, + "/bin": true, + "/boot": true, + "/dev": true, + "/etc": true, + "/etc/passwd": true, + "/etc/pki": true, + "/etc/shadow": true, + "/home": true, + "/lib": true, + "/lib64": true, + "/media": true, + "/opt": true, + "/proc": true, + "/root": true, + "/run": true, + "/sbin": true, + "/srv": true, + "/sys": true, + "/tmp": true, + "/usr": true, + "/var": true, + "/var/lib": true, + "/var/log": true, + } + + if home := homedir.Get(); home != "" { + excludePaths[home] = true + } + + if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" { + if usr, err := user.Lookup(sudoUser); err == nil { + excludePaths[usr.HomeDir] = true + } + } + + absPath, err := filepath.Abs(path) + if err != nil { + return true, err + } + + realPath, err := filepath.EvalSymlinks(absPath) + if err != nil { + return true, err + } + + if excludePaths[realPath] { + return true, nil + } + + return false, nil +} + +// ChangeHostPathOwnership changes the uid and gid ownership of a directory or file within the host. +// This is used by the volume U flag to change source volumes ownership +func ChangeHostPathOwnership(path string, recursive bool, uid, gid int) error { + // Validate if host path can be chowned + isDangerous, err := DangerousHostPath(path) + if err != nil { + return errors.Wrapf(err, "failed to validate if host path is dangerous") + } + + if isDangerous { + return errors.Errorf("chowning host path %q is not allowed. You can manually `chown -R %d:%d %s`", path, uid, gid, path) + } + + // Chown host path + if recursive { + err := filepath.Walk(path, func(filePath string, f os.FileInfo, err error) error { + if err != nil { + return err + } + + // Get current ownership + currentUID := int(f.Sys().(*syscall.Stat_t).Uid) + currentGID := int(f.Sys().(*syscall.Stat_t).Gid) + + if uid != currentUID || gid != currentGID { + return os.Lchown(filePath, uid, gid) + } + + return nil + }) + + if err != nil { + return errors.Wrapf(err, "failed to chown recursively host path") + } + } else { + // Get host path info + f, err := os.Lstat(path) + if err != nil { + return errors.Wrapf(err, "failed to get host path information") + } + + // Get current ownership + currentUID := int(f.Sys().(*syscall.Stat_t).Uid) + currentGID := int(f.Sys().(*syscall.Stat_t).Gid) + + if uid != currentUID || gid != currentGID { + if err := os.Lchown(path, uid, gid); err != nil { + return errors.Wrapf(err, "failed to chown host path") + } + } + } + + return nil +} diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf index 18243f296..0114f2975 100644 --- a/vendor/github.com/containers/common/pkg/config/containers.conf +++ b/vendor/github.com/containers/common/pkg/config/containers.conf @@ -73,7 +73,6 @@ default_capabilities = [ "SYS_CHROOT" ] - # A list of sysctls to be set in containers by default, # specified as "name=value", # for example:"net.ipv4.ping_group_range = 0 0". @@ -241,6 +240,9 @@ default_sysctls = [ # # cni_plugin_dirs = ["/usr/libexec/cni"] +# The network name of the default CNI network to attach pods to. +# default_network = "podman" + # Path to the directory where CNI configuration files are located. # # network_config_dir = "/etc/cni/net.d/" @@ -324,7 +326,7 @@ default_sysctls = [ # associated with the pod. This container does nothing other then sleep, # reserving the pods resources for the lifetime of the pod. # -# infra_image = "k8s.gcr.io/pause:3.2" +# infra_image = "k8s.gcr.io/pause:3.4.1" # Specify the locking mechanism to use; valid values are "shm" and "file". # Change the default only if you are sure of what you are doing, in general diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go index 918ce93e5..57f64c395 100644 --- a/vendor/github.com/containers/common/pkg/config/default.go +++ b/vendor/github.com/containers/common/pkg/config/default.go @@ -45,7 +45,7 @@ var ( // DefaultInitPath is the default path to the container-init binary DefaultInitPath = "/usr/libexec/podman/catatonit" // DefaultInfraImage to use for infra container - DefaultInfraImage = "k8s.gcr.io/pause:3.2" + DefaultInfraImage = "k8s.gcr.io/pause:3.4.1" // DefaultRootlessSHMLockPath is the default path for rootless SHM locks DefaultRootlessSHMLockPath = "/libpod_rootless_lock" // DefaultDetachKeys is the default keys sequence for detaching a diff --git a/vendor/github.com/containers/common/pkg/report/template.go b/vendor/github.com/containers/common/pkg/report/template.go index 559c1625b..f7b4506bb 100644 --- a/vendor/github.com/containers/common/pkg/report/template.go +++ b/vendor/github.com/containers/common/pkg/report/template.go @@ -4,6 +4,7 @@ import ( "bytes" "encoding/json" "reflect" + "regexp" "strings" "text/template" @@ -155,3 +156,18 @@ func (t *Template) Funcs(funcMap FuncMap) *Template { func (t *Template) IsTable() bool { return t.isTable } + +var rangeRegex = regexp.MustCompile(`{{\s*range\s*\.\s*}}.*{{\s*end\s*}}`) + +// EnforceRange ensures that the format string contains a range +func EnforceRange(format string) string { + if !rangeRegex.MatchString(format) { + return "{{range .}}" + format + "{{end}}" + } + return format +} + +// HasTable returns whether the format is a table +func HasTable(format string) bool { + return strings.HasPrefix(format, "table ") +} diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go index 8efc8b8a2..ff95a6522 100644 --- a/vendor/github.com/containers/common/version/version.go +++ b/vendor/github.com/containers/common/version/version.go @@ -1,4 +1,4 @@ package version // Version is the version of the build. -const Version = "0.34.3-dev" +const Version = "0.35.0" diff --git a/vendor/modules.txt b/vendor/modules.txt index 8fb3197de..632ef3f87 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -89,12 +89,13 @@ github.com/containers/buildah/pkg/parse github.com/containers/buildah/pkg/rusage github.com/containers/buildah/pkg/supplemented github.com/containers/buildah/util -# github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577 +# github.com/containers/common v0.35.0 github.com/containers/common/pkg/apparmor github.com/containers/common/pkg/apparmor/internal/supported github.com/containers/common/pkg/auth github.com/containers/common/pkg/capabilities github.com/containers/common/pkg/cgroupv2 +github.com/containers/common/pkg/chown github.com/containers/common/pkg/completion github.com/containers/common/pkg/config github.com/containers/common/pkg/parse @@ -518,7 +519,7 @@ github.com/prometheus/common/model # github.com/prometheus/procfs v0.0.3 github.com/prometheus/procfs github.com/prometheus/procfs/internal/fs -# github.com/rootless-containers/rootlesskit v0.13.1 +# github.com/rootless-containers/rootlesskit v0.13.2 github.com/rootless-containers/rootlesskit/pkg/msgutil github.com/rootless-containers/rootlesskit/pkg/port github.com/rootless-containers/rootlesskit/pkg/port/builtin @@ -782,7 +783,7 @@ gopkg.in/yaml.v3 # k8s.io/api v0.0.0-20190620084959-7cf5895f2711 k8s.io/api/apps/v1 k8s.io/api/core/v1 -# k8s.io/apimachinery v0.20.3 +# k8s.io/apimachinery v0.20.4 k8s.io/apimachinery/pkg/api/errors k8s.io/apimachinery/pkg/api/resource k8s.io/apimachinery/pkg/apis/meta/v1 |