aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.cirrus.yml1
-rw-r--r--go.mod2
-rw-r--r--go.sum4
-rw-r--r--libpod/container_inspect.go16
-rw-r--r--libpod/define/container_inspect.go8
-rw-r--r--pkg/specgenutil/specgen.go8
-rw-r--r--podman.spec.rpkg45
-rw-r--r--test/e2e/run_userns_test.go29
-rw-r--r--vendor/github.com/containers/common/libnetwork/network/interface.go67
-rw-r--r--vendor/github.com/containers/common/pkg/config/config.go15
-rw-r--r--vendor/github.com/containers/common/pkg/config/containers.conf26
-rw-r--r--vendor/github.com/containers/common/pkg/config/default.go14
-rw-r--r--vendor/modules.txt2
13 files changed, 191 insertions, 46 deletions
diff --git a/.cirrus.yml b/.cirrus.yml
index c33ed9c0c..9837c2814 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -327,6 +327,7 @@ alt_build_task:
osx_alt_build_task:
name: "OSX Cross"
alias: osx_alt_build
+ only_if: $CI != $CI # Temporarily disabled while infra. non-functional
depends_on:
- build
env:
diff --git a/go.mod b/go.mod
index b425969d2..8456eaab8 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
github.com/containernetworking/cni v1.0.1
github.com/containernetworking/plugins v1.0.1
github.com/containers/buildah v1.23.1-0.20220112160421-d744ebc4b1d5
- github.com/containers/common v0.46.1-0.20220112112017-31e8cc4aeeab
+ github.com/containers/common v0.46.1-0.20220117145719-da777f8b15b1
github.com/containers/conmon v2.0.20+incompatible
github.com/containers/image/v5 v5.18.0
github.com/containers/ocicrypt v1.1.2
diff --git a/go.sum b/go.sum
index 371fa1a33..6879fe79d 100644
--- a/go.sum
+++ b/go.sum
@@ -315,8 +315,8 @@ github.com/containernetworking/plugins v1.0.1/go.mod h1:QHCfGpaTwYTbbH+nZXKVTxNB
github.com/containers/buildah v1.23.1-0.20220112160421-d744ebc4b1d5 h1:J4ZMQgpzjClLNuRDCIYDY2KZE1yO9A1I3A/jEaFvtaY=
github.com/containers/buildah v1.23.1-0.20220112160421-d744ebc4b1d5/go.mod h1:pA9nL58rY+rtoyZkzPmkv02Nwb9ifvYlChg95gKkNAY=
github.com/containers/common v0.46.1-0.20220110165509-08c2c97e5e25/go.mod h1:hXUU9gtA8V9dSLHhizp/k/s0ZXBzrnUSScUfrsw8z2Y=
-github.com/containers/common v0.46.1-0.20220112112017-31e8cc4aeeab h1:Pf1kwI8sZPiPMuen619noeltwtB2cIFC1iY42fE87AY=
-github.com/containers/common v0.46.1-0.20220112112017-31e8cc4aeeab/go.mod h1:hXUU9gtA8V9dSLHhizp/k/s0ZXBzrnUSScUfrsw8z2Y=
+github.com/containers/common v0.46.1-0.20220117145719-da777f8b15b1 h1:TGXTygk3STL+G4F1zGgSITdIEE5i+BgsSDLOmGuUYTY=
+github.com/containers/common v0.46.1-0.20220117145719-da777f8b15b1/go.mod h1:lJkY5VdkdU2BEDdbO5vgi3G69KWEgWBWXi6tNgm2BlM=
github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
github.com/containers/image/v5 v5.17.1-0.20220106205022-73f80d60f0e1/go.mod h1:daAiRXgcGIf/7eD7B2EkuHHw084/8M8Kh35rzOu56y0=
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index 615a7522b..086d51f04 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -9,6 +9,7 @@ import (
"github.com/containers/podman/v3/libpod/define"
"github.com/containers/podman/v3/libpod/driver"
"github.com/containers/podman/v3/pkg/util"
+ "github.com/containers/storage/types"
units "github.com/docker/go-units"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
@@ -403,6 +404,17 @@ func (c *Container) generateInspectContainerConfig(spec *spec.Spec) *define.Insp
return ctrConfig
}
+func generateIDMappings(idMappings types.IDMappingOptions) *define.InspectIDMappings {
+ var inspectMappings define.InspectIDMappings
+ for _, uid := range idMappings.UIDMap {
+ inspectMappings.UIDMap = append(inspectMappings.UIDMap, fmt.Sprintf("%d:%d:%d", uid.ContainerID, uid.HostID, uid.Size))
+ }
+ for _, gid := range idMappings.GIDMap {
+ inspectMappings.GIDMap = append(inspectMappings.GIDMap, fmt.Sprintf("%d:%d:%d", gid.ContainerID, gid.HostID, gid.Size))
+ }
+ return &inspectMappings
+}
+
// Generate the InspectContainerHostConfig struct for the HostConfig field of
// Inspect.
func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, namedVolumes []*ContainerNamedVolume, mounts []spec.Mount) (*define.InspectContainerHostConfig, error) {
@@ -815,7 +827,9 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
}
}
hostConfig.UsernsMode = usernsMode
-
+ if c.config.IDMappings.UIDMap != nil && c.config.IDMappings.GIDMap != nil {
+ hostConfig.IDMappings = generateIDMappings(c.config.IDMappings)
+ }
// Devices
// Do not include if privileged - assumed that all devices will be
// included.
diff --git a/libpod/define/container_inspect.go b/libpod/define/container_inspect.go
index 6db1b025e..804b2b143 100644
--- a/libpod/define/container_inspect.go
+++ b/libpod/define/container_inspect.go
@@ -6,6 +6,11 @@ import (
"github.com/containers/image/v5/manifest"
)
+type InspectIDMappings struct {
+ UIDMap []string `json:"UidMap"`
+ GIDMap []string `json:"GidMap"`
+}
+
// InspectContainerConfig holds further data about how a container was initially
// configured.
type InspectContainerConfig struct {
@@ -401,7 +406,10 @@ type InspectContainerHostConfig struct {
// TODO Rootless has an additional 'keep-id' option, presently not
// reflected here.
UsernsMode string `json:"UsernsMode"`
+ // IDMappings is the UIDMapping and GIDMapping used within the container
+ IDMappings *InspectIDMappings `json:"IDMappings,omitempty"`
// ShmSize is the size of the container's SHM device.
+
ShmSize int64 `json:"ShmSize"`
// Runtime is provided purely for Docker compatibility.
// It is set unconditionally to "oci" as Podman does not presently
diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go
index 59ac19c2c..ee089695e 100644
--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@@ -206,9 +206,13 @@ func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions)
return err
}
}
- // userns must be treated differently
+ userns := os.Getenv("PODMAN_USERNS")
if c.UserNS != "" {
- s.UserNS, err = specgen.ParseUserNamespace(c.UserNS)
+ userns = c.UserNS
+ }
+ // userns must be treated differently
+ if userns != "" {
+ s.UserNS, err = specgen.ParseUserNamespace(userns)
if err != nil {
return err
}
diff --git a/podman.spec.rpkg b/podman.spec.rpkg
index cff5eb3d9..5c203b24a 100644
--- a/podman.spec.rpkg
+++ b/podman.spec.rpkg
@@ -52,9 +52,52 @@ VCS: {{{ git_dir_vcs }}}
# and returns its filename. The tarball will be used to build the rpm.
Source: {{{ git_dir_pack }}}
+%if 0%{?fedora} && ! 0%{?rhel}
+BuildRequires: btrfs-progs-devel
+%endif
+BuildRequires: gcc
+BuildRequires: golang >= 1.16.6
+BuildRequires: glib2-devel
+BuildRequires: glibc-devel
+BuildRequires: glibc-static
+BuildRequires: git-core
+BuildRequires: go-md2man
+BuildRequires: go-rpm-macros
+BuildRequires: gpgme-devel
+BuildRequires: libassuan-devel
+BuildRequires: libgpg-error-devel
+BuildRequires: libseccomp-devel
+BuildRequires: libselinux-devel
+%if 0%{?fedora} >= 35
+BuildRequires: shadow-utils-subid-devel
+%endif
+BuildRequires: pkgconfig
+BuildRequires: make
+BuildRequires: ostree-devel
+BuildRequires: systemd
+BuildRequires: systemd-devel
+Requires: conmon >= 2:2.0.30-2
+Requires: containers-common >= 4:1-30
+Requires: containernetworking-plugins >= 1.0.0-15.1
+Requires: iptables
+Requires: nftables
+Requires: netavark
+Recommends: %{name}-plugins = %{epoch}:%{version}-%{release}
+Recommends: catatonit
+Suggests: qemu-user-static
+
# More detailed description of the package
%description
-This is a hello world package.
+%{name} (Pod Manager) is a fully featured container engine that is a simple
+daemonless tool. %{name} provides a Docker-CLI comparable command line that
+eases the transition from other container engines and allows the management of
+pods, containers and images. Simply put: alias docker=%{name}.
+Most %{name} commands can be run as a regular user, without requiring
+additional privileges.
+
+%{name} uses Buildah(1) internally to create container images.
+Both tools share image (not container) storage, hence each can use or
+manipulate images (but not containers) created by the other.
%package docker
Summary: Emulate Docker CLI using %{name}
diff --git a/test/e2e/run_userns_test.go b/test/e2e/run_userns_test.go
index c1645af06..e8ba42cf0 100644
--- a/test/e2e/run_userns_test.go
+++ b/test/e2e/run_userns_test.go
@@ -301,5 +301,34 @@ var _ = Describe("Podman UserNS support", func() {
Expect(inspectGID).Should(Exit(0))
Expect(inspectGID.OutputToString()).To(Equal(tt.gid))
}
+
+ })
+ It("podman PODMAN_USERNS", func() {
+ SkipIfNotRootless("keep-id only works in rootless mode")
+
+ podmanUserns, podmanUserusSet := os.LookupEnv("PODMAN_USERNS")
+ os.Setenv("PODMAN_USERNS", "keep-id")
+ defer func() {
+ if podmanUserusSet {
+ os.Setenv("PODMAN_USERNS", podmanUserns)
+ } else {
+ os.Unsetenv("PODMAN_USERNS")
+ }
+ }()
+ if IsRemote() {
+ podmanTest.RestartRemoteService()
+ }
+
+ result := podmanTest.Podman([]string{"create", ALPINE, "true"})
+ result.WaitWithDefaultTimeout()
+ Expect(result).Should(Exit(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", "--format", "{{ .HostConfig.IDMappings }}", result.OutputToString()})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.OutputToString()).To(Not(Equal("<nil>")))
+
+ if IsRemote() {
+ podmanTest.RestartRemoteService()
+ }
})
})
diff --git a/vendor/github.com/containers/common/libnetwork/network/interface.go b/vendor/github.com/containers/common/libnetwork/network/interface.go
index 190e6945b..37a910a24 100644
--- a/vendor/github.com/containers/common/libnetwork/network/interface.go
+++ b/vendor/github.com/containers/common/libnetwork/network/interface.go
@@ -14,11 +14,24 @@ import (
"github.com/containers/common/libnetwork/types"
"github.com/containers/common/pkg/config"
"github.com/containers/storage"
+ "github.com/containers/storage/pkg/homedir"
"github.com/containers/storage/pkg/ioutils"
+ "github.com/containers/storage/pkg/unshare"
"github.com/sirupsen/logrus"
)
-const defaultNetworkBackendFileName = "defaultNetworkBackend"
+const (
+ // defaultNetworkBackendFileName is the file name for sentinel file to store the backend
+ defaultNetworkBackendFileName = "defaultNetworkBackend"
+ // cniConfigDir is the directory where cni configuration is found
+ cniConfigDir = "/etc/cni/net.d/"
+ // cniConfigDirRootless is the directory in XDG_CONFIG_HOME for cni plugins
+ cniConfigDirRootless = "cni/net.d/"
+ // netavarkConfigDir is the config directory for the rootful network files
+ netavarkConfigDir = "/etc/containers/networks"
+ // netavarkRunDir is the run directory for the rootful temporary network files such as the ipam db
+ netavarkRunDir = "/run/containers/networks"
+)
// NetworkBackend returns the network backend name and interface
// It returns either the CNI or netavark backend depending on what is set in the config.
@@ -42,9 +55,24 @@ func NetworkBackend(store storage.Store, conf *config.Config, syslog bool) (type
if err != nil {
return "", nil, err
}
+
+ confDir := conf.Network.NetworkConfigDir
+ if confDir == "" {
+ confDir = getDefaultNetavarkConfigDir(store)
+ }
+
+ // We cannot use the runroot for rootful since the network namespace is shared for all
+ // libpod instances they also have to share the same ipam db.
+ // For rootless we have our own network namespace per libpod instances,
+ // so this is not a problem there.
+ runDir := netavarkRunDir
+ if unshare.IsRootless() {
+ runDir = filepath.Join(store.RunRoot(), "networks")
+ }
+
netInt, err := netavark.NewNetworkInterface(&netavark.InitConfig{
- NetworkConfigDir: filepath.Join(store.GraphRoot(), "networks"),
- NetworkRunDir: filepath.Join(store.RunRoot(), "networks"),
+ NetworkConfigDir: confDir,
+ NetworkRunDir: runDir,
NetavarkBinary: netavarkBin,
DefaultNetwork: conf.Network.DefaultNetwork,
DefaultSubnet: conf.Network.DefaultSubnet,
@@ -122,11 +150,42 @@ func defaultNetworkBackend(store storage.Store, conf *config.Config) (backend ty
}
func getCniInterface(conf *config.Config) (types.ContainerNetwork, error) {
+ confDir := conf.Network.NetworkConfigDir
+ if confDir == "" {
+ var err error
+ confDir, err = getDefultCNIConfigDir()
+ if err != nil {
+ return nil, err
+ }
+ }
return cni.NewCNINetworkInterface(&cni.InitConfig{
- CNIConfigDir: conf.Network.NetworkConfigDir,
+ CNIConfigDir: confDir,
CNIPluginDirs: conf.Network.CNIPluginDirs,
DefaultNetwork: conf.Network.DefaultNetwork,
DefaultSubnet: conf.Network.DefaultSubnet,
IsMachine: conf.Engine.MachineEnabled,
})
}
+
+func getDefultCNIConfigDir() (string, error) {
+ if !unshare.IsRootless() {
+ return cniConfigDir, nil
+ }
+
+ configHome, err := homedir.GetConfigHome()
+ if err != nil {
+ return "", err
+ }
+ return filepath.Join(configHome, cniConfigDirRootless), nil
+}
+
+// getDefaultNetavarkConfigDir return the netavark config dir. For rootful it will
+// use "/etc/containers/networks" and for rootless "$graphroot/networks". We cannot
+// use the graphroot for rootful since the network namespace is shared for all
+// libpod instances.
+func getDefaultNetavarkConfigDir(store storage.Store) string {
+ if !unshare.IsRootless() {
+ return netavarkConfigDir
+ }
+ return filepath.Join(store.GraphRoot(), "networks")
+}
diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go
index 7f89b9252..6837a378a 100644
--- a/vendor/github.com/containers/common/pkg/config/config.go
+++ b/vendor/github.com/containers/common/pkg/config/config.go
@@ -822,21 +822,6 @@ func (c *ContainersConfig) Validate() error {
// execution checks. It returns an `error` on validation failure, otherwise
// `nil`.
func (c *NetworkConfig) Validate() error {
- expectedConfigDir := _cniConfigDir
- if unshare.IsRootless() {
- home, err := unshare.HomeDir()
- if err != nil {
- return err
- }
- expectedConfigDir = filepath.Join(home, _cniConfigDirRootless)
- }
- if c.NetworkConfigDir != expectedConfigDir {
- err := isDirectory(c.NetworkConfigDir)
- if err != nil && !os.IsNotExist(err) {
- return errors.Wrapf(err, "invalid network_config_dir: %s", c.NetworkConfigDir)
- }
- }
-
if stringsEq(c.CNIPluginDirs, DefaultCNIPluginDirs) {
return nil
}
diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf
index 4e8ad21f8..b1e6f5435 100644
--- a/vendor/github.com/containers/common/pkg/config/containers.conf
+++ b/vendor/github.com/containers/common/pkg/config/containers.conf
@@ -249,9 +249,6 @@ default_sysctls = [
#
#volumes = []
-# The network table contains settings pertaining to the management of
-# CNI plugins.
-
[secrets]
#driver = "file"
@@ -260,9 +257,15 @@ default_sysctls = [
[network]
-# Network backend to use. Default "CNI".
+# Network backend determines what network driver will be used to set up and tear down container networks.
+# Valid values are "cni" and "netavark".
+# The default value is empty which means that it will automatically choose CNI or netavark. If there are
+# already containers/images or CNI networks preset it will choose CNI.
+#
+# Before changing this value all containers must be stopped otherwise it is likely that
+# iptables rules and network interfaces might leak on the host. A reboot will fix this.
#
-#network_backend = "cni"
+#network_backend = ""
# Path to directory where CNI plugin binaries are located.
#
@@ -274,18 +277,22 @@ default_sysctls = [
# "/opt/cni/bin",
#]
-# The network name of the default CNI network to attach pods to.
+# The network name of the default network to attach pods to.
#
#default_network = "podman"
-# The default subnet for the default CNI network given in default_network.
+# The default subnet for the default network given in default_network.
# If a network with that name does not exist, a new network using that name and
# this subnet will be created.
# Must be a valid IPv4 CIDR prefix.
#
#default_subnet = "10.88.0.0/16"
-# Path to the directory where CNI configuration files are located.
+# Path to the directory where network configuration files are located.
+# For the CNI backend the default is "/etc/cni/net.d" as root
+# and "$HOME/.config/cni/net.d" as rootless.
+# For the netavark backend "/etc/containers/networks" is used as root
+# and "$graphroot/networks" as rootless.
#
#network_config_dir = "/etc/cni/net.d/"
@@ -351,6 +358,9 @@ default_sysctls = [
#
#env = []
+# Define where event logs will be stored, when events_logger is "file".
+#events_logfile_path=""
+
# Selects which logging mechanism to use for container engine events.
# Valid values are `journald`, `file` and `none`.
#
diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go
index 561158b12..55e4e4b67 100644
--- a/vendor/github.com/containers/common/pkg/config/default.go
+++ b/vendor/github.com/containers/common/pkg/config/default.go
@@ -94,10 +94,6 @@ const (
// InstallPrefix is the prefix where podman will be installed.
// It can be overridden at build time.
_installPrefix = "/usr"
- // _cniConfigDir is the directory where cni configuration is found
- _cniConfigDir = "/etc/cni/net.d/"
- // _cniConfigDirRootless is the directory in XDG_CONFIG_HOME for cni plugins
- _cniConfigDirRootless = "cni/net.d/"
// CgroupfsCgroupsManager represents cgroupfs native cgroup manager
CgroupfsCgroupsManager = "cgroupfs"
// DefaultApparmorProfile specifies the default apparmor profile for the container.
@@ -141,8 +137,6 @@ func DefaultConfig() (*Config, error) {
return nil, err
}
- cniConfig := _cniConfigDir
-
defaultEngineConfig.SignaturePolicyPath = DefaultSignaturePolicyPath
if unshare.IsRootless() {
configHome, err := homedir.GetConfigHome()
@@ -156,7 +150,6 @@ func DefaultConfig() (*Config, error) {
defaultEngineConfig.SignaturePolicyPath = DefaultSignaturePolicyPath
}
}
- cniConfig = filepath.Join(configHome, _cniConfigDirRootless)
}
cgroupNS := "host"
@@ -203,10 +196,9 @@ func DefaultConfig() (*Config, error) {
UserNSSize: DefaultUserNSSize,
},
Network: NetworkConfig{
- DefaultNetwork: "podman",
- DefaultSubnet: DefaultSubnet,
- NetworkConfigDir: cniConfig,
- CNIPluginDirs: DefaultCNIPluginDirs,
+ DefaultNetwork: "podman",
+ DefaultSubnet: DefaultSubnet,
+ CNIPluginDirs: DefaultCNIPluginDirs,
},
Engine: *defaultEngineConfig,
Secrets: defaultSecretConfig(),
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 671f37644..abf1fbbc2 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -109,7 +109,7 @@ github.com/containers/buildah/pkg/rusage
github.com/containers/buildah/pkg/sshagent
github.com/containers/buildah/pkg/util
github.com/containers/buildah/util
-# github.com/containers/common v0.46.1-0.20220112112017-31e8cc4aeeab
+# github.com/containers/common v0.46.1-0.20220117145719-da777f8b15b1
## explicit
github.com/containers/common/libimage
github.com/containers/common/libimage/manifests