aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.cirrus.yml4
-rw-r--r--Makefile2
-rw-r--r--README.md2
-rw-r--r--RELEASE_NOTES.md11
-rw-r--r--changelog.txt32
-rw-r--r--cmd/podman/build.go4
-rw-r--r--cmd/podman/commands.go11
-rw-r--r--cmd/podman/libpodruntime/runtime.go58
-rw-r--r--cmd/podman/ps.go4
-rw-r--r--cmd/podman/shared/create.go10
-rw-r--r--completions/bash/podman26
-rw-r--r--contrib/fedora-minimal/Dockerfile1
-rw-r--r--contrib/fedora-minimal/README.md4
-rw-r--r--contrib/spec/podman.spec.in2
-rw-r--r--contrib/systemd/README.md78
-rw-r--r--contrib/systemd/system/podman.service2
-rw-r--r--contrib/systemd/user/podman.service2
-rw-r--r--docs/source/markdown/podman-ps.1.md1
-rw-r--r--docs/source/markdown/podman-system-service.1.md (renamed from docs/source/markdown/podman-service.1.md)6
-rw-r--r--docs/source/markdown/podman-system.1.md2
-rw-r--r--docs/source/markdown/podman.1.md1
-rw-r--r--go.mod4
-rw-r--r--go.sum15
-rw-r--r--install.md529
-rw-r--r--libpod/container.go2
-rw-r--r--libpod/container_internal.go6
-rw-r--r--libpod/image/image.go5
-rw-r--r--libpod/image/pull.go1
-rw-r--r--libpod/runtime_pod_linux.go12
-rw-r--r--pkg/api/server/register_images.go72
-rw-r--r--pkg/bindings/errors.go3
-rw-r--r--pkg/bindings/test/images_test.go35
-rw-r--r--pkg/specgen/specgen.go399
-rw-r--r--pkg/varlinkapi/images.go10
-rw-r--r--test/e2e/build_test.go37
-rw-r--r--test/e2e/ps_test.go16
-rw-r--r--vendor/github.com/acarl005/stripansi/LICENSE21
-rw-r--r--vendor/github.com/acarl005/stripansi/README.md30
-rw-r--r--vendor/github.com/acarl005/stripansi/stripansi.go13
-rw-r--r--vendor/github.com/containers/image/v5/copy/copy.go33
-rw-r--r--vendor/github.com/containers/image/v5/copy/manifest.go14
-rw-r--r--vendor/github.com/containers/image/v5/directory/directory_dest.go21
-rw-r--r--vendor/github.com/containers/image/v5/docker/docker_client.go124
-rw-r--r--vendor/github.com/containers/image/v5/docker/docker_image.go2
-rw-r--r--vendor/github.com/containers/image/v5/docker/docker_image_dest.go11
-rw-r--r--vendor/github.com/containers/image/v5/docker/docker_image_src.go99
-rw-r--r--vendor/github.com/containers/image/v5/docker/errors.go11
-rw-r--r--vendor/github.com/containers/image/v5/docker/tarfile/dest.go3
-rw-r--r--vendor/github.com/containers/image/v5/docker/tarfile/src.go9
-rw-r--r--vendor/github.com/containers/image/v5/image/docker_schema2.go4
-rw-r--r--vendor/github.com/containers/image/v5/image/oci.go4
-rw-r--r--vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go60
-rw-r--r--vendor/github.com/containers/image/v5/openshift/openshift.go4
-rw-r--r--vendor/github.com/containers/image/v5/signature/mechanism_gpgme.go4
-rw-r--r--vendor/github.com/containers/image/v5/signature/mechanism_openpgp.go2
-rw-r--r--vendor/github.com/containers/image/v5/types/types.go2
-rw-r--r--vendor/github.com/containers/image/v5/version/version.go4
-rw-r--r--vendor/github.com/mtrmac/gpgme/.appveyor.yml40
-rw-r--r--vendor/github.com/mtrmac/gpgme/.travis.yml32
-rw-r--r--vendor/github.com/mtrmac/gpgme/data.go18
-rw-r--r--vendor/github.com/mtrmac/gpgme/go.mod3
-rw-r--r--vendor/github.com/mtrmac/gpgme/go_gpgme.c22
-rw-r--r--vendor/github.com/mtrmac/gpgme/go_gpgme.h12
-rw-r--r--vendor/github.com/mtrmac/gpgme/gpgme.go346
-rw-r--r--vendor/github.com/mtrmac/gpgme/unset_agent_info.go18
-rw-r--r--vendor/github.com/mtrmac/gpgme/unset_agent_info_windows.go14
-rw-r--r--vendor/github.com/onsi/ginkgo/.travis.yml18
-rw-r--r--vendor/github.com/onsi/ginkgo/CHANGELOG.md5
-rw-r--r--vendor/github.com/onsi/ginkgo/config/config.go2
-rw-r--r--vendor/github.com/onsi/ginkgo/go.mod9
-rw-r--r--vendor/github.com/onsi/ginkgo/go.sum26
-rw-r--r--vendor/github.com/vbauerster/mpb/v4/bar_option.go7
-rw-r--r--vendor/github.com/vbauerster/mpb/v4/decor/decorator.go27
-rw-r--r--vendor/github.com/vbauerster/mpb/v4/decor/merge.go45
-rw-r--r--vendor/github.com/vbauerster/mpb/v4/go.mod1
-rw-r--r--vendor/github.com/vbauerster/mpb/v4/go.sum2
-rw-r--r--vendor/github.com/vbauerster/mpb/v4/proxyreader.go8
-rw-r--r--vendor/modules.txt11
-rw-r--r--version/version.go2
79 files changed, 1574 insertions, 978 deletions
diff --git a/.cirrus.yml b/.cirrus.yml
index 8f355b3ba..655fa3830 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -683,9 +683,7 @@ docs_task:
# Only run this for PRs on mention, and after merge
only_if: >-
- $CIRRUS_BRANCH == $DEST_BRANCH &&
- $CIRRUS_CHANGE_MESSAGE !=~ '.*CI:IMG.*' &&
- $CIRRUS_CHANGE_MESSAGE =~ '.*CI:DOCS.*'
+ $CIRRUS_BRANCH != $DEST_BRANCH
depends_on:
- "gating"
diff --git a/Makefile b/Makefile
index 6713b8bae..1e5aa4d77 100644
--- a/Makefile
+++ b/Makefile
@@ -596,7 +596,7 @@ validate.completions: completions/bash/podman
if [ -x /bin/zsh ]; then /bin/zsh completions/zsh/_podman; fi
.PHONY: validate
-validate: lint gofmt .gitvalidation validate.completions man-page-check
+validate: gofmt lint .gitvalidation validate.completions man-page-check
.PHONY: build-all-new-commits
build-all-new-commits:
diff --git a/README.md b/README.md
index e7ab48fac..4fbe2ecea 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
Libpod provides a library for applications looking to use the Container Pod concept,
popularized by Kubernetes. Libpod also contains the Pod Manager tool `(Podman)`. Podman manages pods, containers, container images, and container volumes.
-* [Latest Version: 1.7.0](https://github.com/containers/libpod/releases/latest)
+* [Latest Version: 1.8.0](https://github.com/containers/libpod/releases/latest)
* [Continuous Integration:](contrib/cirrus/README.md) [![Build Status](https://api.cirrus-ci.com/github/containers/libpod.svg)](https://cirrus-ci.com/github/containers/libpod/master)
* [GoDoc: ![GoDoc](https://godoc.org/github.com/containers/libpod/libpod?status.svg)](https://godoc.org/github.com/containers/libpod/libpod)
* Automated continuous release downloads (including remote-client):
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index d961b713e..fc528d70f 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -2,7 +2,7 @@
## 1.8.0
### Features
-- The `podman service` command has been added, providing a preview of Podman's new Docker-compatible API. This API is still very new, and not yet ready for production use, but is available for early testing
+- The `podman system service` command has been added, providing a preview of Podman's new Docker-compatible API. This API is still very new, and not yet ready for production use, but is available for early testing
- Rootless Podman now uses Rootlesskit for port forwarding, which should greatly improve performance and capabilities
- The `podman untag` command has been added to remove tags from images without deleting them
- The `podman inspect` command on images now displays previous names they used
@@ -29,13 +29,20 @@
- Fixed a bug where `podman history` was not computing image sizes correctly ([#4916](https://github.com/containers/libpod/issues/4916))
- Fixed a bug where Podman would not error on invalid values to the `--sort` flag to `podman images`
- Fixed a bug where providing a name for the image made by `podman commit` was mandatory, not optional as it should be ([#5027](https://github.com/containers/libpod/issues/5027))
+- Fixed a bug where the remote Podman client would append an extra `"` to `%PATH` ([#4335](https://github.com/containers/libpod/issues/4335))
+- Fixed a bug where the `podman build` command would sometimes ignore the `-f` option and build the wrong Containerfile
+- Fixed a bug where the `podman ps --filter` command would only filter running containers, instead of all containers, if `--all` was not passed ([#5050](https://github.com/containers/libpod/issues/5050))
+- Fixed a bug where the `podman load` command on compressed images would leave an extra copy on disk
+- Fixed a bug where the `podman restart` command would not properly clean up the network, causing it to function differently from `podman stop; podman start` ([#5051](https://github.com/containers/libpod/issues/5051))
+- Fixed a bug where setting the `--memory-swap` flag to `podman create` and `podman run` to `-1` (to indicate unlimited) was not supported ([#5091](https://github.com/containers/libpod/issues/5091))
### Misc
- Initial work on version 2 of the Podman remote API has been merged, but is still in an alpha state and not ready for use. Read more [here](https://podman.io/releases/2020/01/17/podman-new-api.html)
- Many formatting corrections have been made to the manpages
- The changes to address ([#5009](https://github.com/containers/libpod/issues/5009)) may cause anonymous volumes created by Podman versions 1.6.3 to 1.7.0 to not be removed when their container is removed
- Updated vendored Buildah to v1.13.1
-- Updated vendored containers/storage to v1.15.7
+- Updated vendored containers/storage to v1.15.8
+- Updated vendored containers/image to v5.2.0
## 1.7.0
### Features
diff --git a/changelog.txt b/changelog.txt
index 996c87441..320526596 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -1,3 +1,35 @@
+- Changelog for v1.8.0 (2020-02-06)
+ * [CI:DOCS]update contrib systemd user
+ * [CI:DOCS]fix systemd files for apiv2
+ * Update release notes for final release of v1.8.0
+ * Move podman-service to podman-system-service
+ * Only modify conmon cgroup if we have running containers
+ * fix swagger docs and make sure docs validation runs
+ * Special case memory-swap=-1
+ * vendor github.com/mtrmac/gpgme@v0.1.2
+ * vendor github.com/containers/image/v5@v5.2.0
+ * Add Containerfile location e2e test
+ * [CI:DOCS]addition of specgen package
+ * {CI:DOCS] run gofmt before lint
+ * build(deps): bump github.com/onsi/ginkgo from 1.11.0 to 1.12.0
+ * Close tarSource when finished using it
+ * Force --all when --filter is passed to podman ps
+ * Initial implementation of a spec generator package
+ * Fix wrong Containerfile location on build
+ * Wrap error for failing ImageSize calls
+ * swagger: v2: libpod/images/{import,load,pull}
+ * seperate container create network options
+ * Cirrus: Fix gate task + make lint|validate
+ * Add a binding test to check image tag and list commands.
+ * Update /_ping support
+ * [CI:DOCS]add apiv2 endpoints for exec
+ * build(deps): bump github.com/containers/storage from 1.15.7 to 1.15.8
+ * build(deps): bump github.com/onsi/gomega from 1.8.1 to 1.9.0
+ * Tear down network when restarting containers
+ * Move install.md to podman.io, leave link page
+ * Update XML to not embed quote in PATH on windows
+ * Bump to v1.8.0-dev
+
- Changelog for v1.8.0-rc1 (2020-01-31)
* Fix a syntax error in hack/release.sh
* Minor update to release notes
diff --git a/cmd/podman/build.go b/cmd/podman/build.go
index 885f2ac51..1fcb98a0e 100644
--- a/cmd/podman/build.go
+++ b/cmd/podman/build.go
@@ -234,10 +234,6 @@ func buildCmd(c *cliconfig.BuildValues) error {
return errors.Wrapf(err, "error determining path to file %q", containerfiles[i])
}
contextDir = filepath.Dir(absFile)
- containerfiles[i], err = filepath.Rel(contextDir, absFile)
- if err != nil {
- return errors.Wrapf(err, "error determining path to file %q", containerfiles[i])
- }
break
}
}
diff --git a/cmd/podman/commands.go b/cmd/podman/commands.go
index ebd7aeb0c..d6018a6f4 100644
--- a/cmd/podman/commands.go
+++ b/cmd/podman/commands.go
@@ -26,9 +26,6 @@ func getMainCommands() []*cobra.Command {
if len(_varlinkCommand.Use) > 0 {
rootCommands = append(rootCommands, _varlinkCommand)
}
- if len(_serviceCommand.Use) > 0 {
- rootCommands = append(rootCommands, _serviceCommand)
- }
return rootCommands
}
@@ -71,9 +68,15 @@ func getTrustSubCommands() []*cobra.Command {
// Commands that the local client implements
func getSystemSubCommands() []*cobra.Command {
- return []*cobra.Command{
+ systemCommands := []*cobra.Command{
_renumberCommand,
_dfSystemCommand,
_migrateCommand,
}
+
+ if len(_serviceCommand.Use) > 0 {
+ systemCommands = append(systemCommands, _serviceCommand)
+ }
+
+ return systemCommands
}
diff --git a/cmd/podman/libpodruntime/runtime.go b/cmd/podman/libpodruntime/runtime.go
index 9425cfb9c..e9dc87de1 100644
--- a/cmd/podman/libpodruntime/runtime.go
+++ b/cmd/podman/libpodruntime/runtime.go
@@ -13,32 +13,66 @@ import (
"github.com/pkg/errors"
)
+type runtimeOptions struct {
+ name string
+ renumber bool
+ migrate bool
+ noStore bool
+ withFDS bool
+}
+
// GetRuntimeMigrate gets a libpod runtime that will perform a migration of existing containers
func GetRuntimeMigrate(ctx context.Context, c *cliconfig.PodmanCommand, newRuntime string) (*libpod.Runtime, error) {
- return getRuntime(ctx, c, false, true, false, true, newRuntime)
+ return getRuntime(ctx, c, &runtimeOptions{
+ name: newRuntime,
+ renumber: false,
+ migrate: true,
+ noStore: false,
+ withFDS: true,
+ })
}
// GetRuntimeDisableFDs gets a libpod runtime that will disable sd notify
func GetRuntimeDisableFDs(ctx context.Context, c *cliconfig.PodmanCommand) (*libpod.Runtime, error) {
- return getRuntime(ctx, c, false, false, false, false, "")
+ return getRuntime(ctx, c, &runtimeOptions{
+ renumber: false,
+ migrate: false,
+ noStore: false,
+ withFDS: false,
+ })
}
// GetRuntimeRenumber gets a libpod runtime that will perform a lock renumber
func GetRuntimeRenumber(ctx context.Context, c *cliconfig.PodmanCommand) (*libpod.Runtime, error) {
- return getRuntime(ctx, c, true, false, false, true, "")
+ return getRuntime(ctx, c, &runtimeOptions{
+ renumber: true,
+ migrate: false,
+ noStore: false,
+ withFDS: true,
+ })
}
// GetRuntime generates a new libpod runtime configured by command line options
func GetRuntime(ctx context.Context, c *cliconfig.PodmanCommand) (*libpod.Runtime, error) {
- return getRuntime(ctx, c, false, false, false, true, "")
+ return getRuntime(ctx, c, &runtimeOptions{
+ renumber: false,
+ migrate: false,
+ noStore: false,
+ withFDS: true,
+ })
}
// GetRuntimeNoStore generates a new libpod runtime configured by command line options
func GetRuntimeNoStore(ctx context.Context, c *cliconfig.PodmanCommand) (*libpod.Runtime, error) {
- return getRuntime(ctx, c, false, false, true, true, "")
+ return getRuntime(ctx, c, &runtimeOptions{
+ renumber: false,
+ migrate: false,
+ noStore: true,
+ withFDS: true,
+ })
}
-func getRuntime(ctx context.Context, c *cliconfig.PodmanCommand, renumber, migrate, noStore, withFDS bool, newRuntime string) (*libpod.Runtime, error) {
+func getRuntime(ctx context.Context, c *cliconfig.PodmanCommand, opts *runtimeOptions) (*libpod.Runtime, error) {
options := []libpod.RuntimeOption{}
storageOpts := storage.StoreOptions{}
storageSet := false
@@ -86,14 +120,14 @@ func getRuntime(ctx context.Context, c *cliconfig.PodmanCommand, renumber, migra
storageSet = true
storageOpts.GraphDriverOptions = c.GlobalFlags.StorageOpts
}
- if migrate {
+ if opts.migrate {
options = append(options, libpod.WithMigrate())
- if newRuntime != "" {
- options = append(options, libpod.WithMigrateRuntime(newRuntime))
+ if opts.name != "" {
+ options = append(options, libpod.WithMigrateRuntime(opts.name))
}
}
- if renumber {
+ if opts.renumber {
options = append(options, libpod.WithRenumber())
}
@@ -102,7 +136,7 @@ func getRuntime(ctx context.Context, c *cliconfig.PodmanCommand, renumber, migra
options = append(options, libpod.WithStorageConfig(storageOpts))
}
- if !storageSet && noStore {
+ if !storageSet && opts.noStore {
options = append(options, libpod.WithNoStore())
}
// TODO CLI flags for image config?
@@ -174,7 +208,7 @@ func getRuntime(ctx context.Context, c *cliconfig.PodmanCommand, renumber, migra
options = append(options, libpod.WithDefaultInfraCommand(infraCommand))
}
- if !withFDS {
+ if !opts.withFDS {
options = append(options, libpod.WithEnableSDNotify())
}
if c.Flags().Changed("config") {
diff --git a/cmd/podman/ps.go b/cmd/podman/ps.go
index d2c5e19e2..d93ccc24c 100644
--- a/cmd/podman/ps.go
+++ b/cmd/podman/ps.go
@@ -205,6 +205,10 @@ func checkFlagsPassed(c *cliconfig.PsValues) error {
if c.Last >= 0 && c.Latest {
return errors.Errorf("last and latest are mutually exclusive")
}
+ // Filter forces all
+ if len(c.Filter) > 0 {
+ c.All = true
+ }
// Quiet conflicts with size and namespace and is overridden by a Go
// template.
if c.Quiet {
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
index 2f637694b..010c80373 100644
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@@ -309,9 +309,13 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
}
}
if c.String("memory-swap") != "" {
- memorySwap, err = units.RAMInBytes(c.String("memory-swap"))
- if err != nil {
- return nil, errors.Wrapf(err, "invalid value for memory-swap")
+ if c.String("memory-swap") == "-1" {
+ memorySwap = -1
+ } else {
+ memorySwap, err = units.RAMInBytes(c.String("memory-swap"))
+ if err != nil {
+ return nil, errors.Wrapf(err, "invalid value for memory-swap")
+ }
}
}
if c.String("kernel-memory") != "" {
diff --git a/completions/bash/podman b/completions/bash/podman
index 57b9547a7..56559c142 100644
--- a/completions/bash/podman
+++ b/completions/bash/podman
@@ -1200,6 +1200,19 @@ _podman_system_prune() {
esac
}
+_podman_system_service() {
+ local options_with_args="
+ -t
+ --timeout
+ "
+ local boolean_options="
+ --help
+ -h
+ --varlink
+ "
+ _complete_ "$options_with_args" "$boolean_options"
+}
+
_podman_system() {
local boolean_options="
--help
@@ -1755,19 +1768,6 @@ _podman_search() {
_complete_ "$options_with_args" "$boolean_options"
}
-_podman_service() {
- local options_with_args="
- -t
- --timeout
- "
- local boolean_options="
- --help
- -h
- --varlink
- "
- _complete_ "$options_with_args" "$boolean_options"
-}
-
_podman_unmount() {
_podman_umount $@
}
diff --git a/contrib/fedora-minimal/Dockerfile b/contrib/fedora-minimal/Dockerfile
new file mode 100644
index 000000000..8ea4e6765
--- /dev/null
+++ b/contrib/fedora-minimal/Dockerfile
@@ -0,0 +1 @@
+FROM fedora-minimal:latest
diff --git a/contrib/fedora-minimal/README.md b/contrib/fedora-minimal/README.md
new file mode 100644
index 000000000..52bf94b53
--- /dev/null
+++ b/contrib/fedora-minimal/README.md
@@ -0,0 +1,4 @@
+This dockerfile exists so that the container image can be "mirrored"
+onto quay.io automatically, so automated testing can be more resilient.
+
+https://quay.io/repository/libpod/fedora-minimal?tab=builds
diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in
index a64f473f4..4e4dc5d21 100644
--- a/contrib/spec/podman.spec.in
+++ b/contrib/spec/podman.spec.in
@@ -43,7 +43,7 @@
%global shortcommit_conmon %(c=%{commit_conmon}; echo ${c:0:7})
Name: podman
-Version: 1.8.0
+Version: 1.8.1
Release: #COMMITDATE#.git%{shortcommit0}%{?dist}
Summary: Manage Pods, Containers and Container Images
License: ASL 2.0
diff --git a/contrib/systemd/README.md b/contrib/systemd/README.md
index ff266c6a5..9f1d37792 100644
--- a/contrib/systemd/README.md
+++ b/contrib/systemd/README.md
@@ -2,11 +2,6 @@
## system-wide (podman service run as root)
-The following unit file examples assume:
- 1. copied the `service` executable into `/usr/local/bin`
- 1. `chcon system_u:object_r:container_runtime_exec_t:s0 /usr/local/bin/service`
-
-then:
1. copy the `podman.service` and `podman.socket` files into `/etc/systemd/system`
1. `systemctl daemon-reload`
1. `systemctl enable podman.socket`
@@ -16,47 +11,12 @@ then:
Assuming the status messages show no errors, the libpod service is ready to respond to the APIv2 on the unix domain socket `/run/podman/podman.sock`
### podman.service
-```toml
-[Unit]
-Description=Podman API Service
-Requires=podman.socket
-After=podman.socket
-Documentation=man:podman-api(1)
-StartLimitIntervalSec=0
-
-[Service]
-Type=oneshot
-Environment=REGISTRIES_CONFIG_PATH=/etc/containers/registries.conf
-ExecStart=/usr/local/bin/service
-TimeoutStopSec=30
-KillMode=process
-
-[Install]
-WantedBy=multi-user.target
-Also=podman.socket
-```
+You can refer to [this example](https://github.com/containers/libpod/blob/master/contrib/systemd/system/podman.service) for a sample podman.service file.
### podman.socket
+You can refer to [this example](https://github.com/containers/libpod/blob/master/contrib/systemd/system/podman.socket) for a sample podman.socket file.
-```toml
-[Unit]
-Description=Podman API Socket
-Documentation=man:podman-api(1)
-
-[Socket]
-ListenStream=%t/podman/podman.sock
-SocketMode=0660
-
-[Install]
-WantedBy=sockets.target
-```
## user (podman service run as given user aka "rootless")
-The following unit file examples assume:
- 1. you have a created a directory `~/bin`
- 1. copied the `service` executable into `~/bin`
- 1. `chcon system_u:object_r:container_runtime_exec_t:s0 ~/bin/service`
-
-then:
1. `mkdir -p ~/.config/systemd/user`
1. copy the `podman.service` and `podman.socket` files into `~/.config/systemd/user`
1. `systemctl --user enable podman.socket`
@@ -66,37 +26,7 @@ then:
Assuming the status messages show no errors, the libpod service is ready to respond to the APIv2 on the unix domain socket `/run/user/$(id -u)/podman/podman.sock`
### podman.service
+You can refer to [this example](https://github.com/containers/libpod/blob/master/contrib/systemd/user/podman.service) for a rootless podman.service file.
-```toml
-[Unit]
-Description=Podman API Service
-Requires=podman.socket
-After=podman.socket
-Documentation=man:podman-api(1)
-StartLimitIntervalSec=0
-
-[Service]
-Type=oneshot
-Environment=REGISTRIES_CONFIG_PATH=/etc/containers/registries.conf
-ExecStart=%h/bin/service
-TimeoutStopSec=30
-KillMode=process
-
-[Install]
-WantedBy=multi-user.target
-Also=podman.socket
-```
### podman.socket
-
-```toml
-[Unit]
-Description=Podman API Socket
-Documentation=man:podman-api(1)
-
-[Socket]
-ListenStream=%t/podman/podman.sock
-SocketMode=0660
-
-[Install]
-WantedBy=sockets.target
-```
+You can refer to [this example](https://github.com/containers/libpod/blob/master/contrib/systemd/user/podman.socket) for a rootless podman.socket file.
diff --git a/contrib/systemd/system/podman.service b/contrib/systemd/system/podman.service
index 13d858627..eaa2ec437 100644
--- a/contrib/systemd/system/podman.service
+++ b/contrib/systemd/system/podman.service
@@ -8,7 +8,7 @@ StartLimitIntervalSec=0
[Service]
Type=oneshot
Environment=REGISTRIES_CONFIG_PATH=/etc/containers/registries.conf
-ExecStart=/usr/local/bin/service
+ExecStart=/usr/bin/podman system service
TimeoutStopSec=30
KillMode=process
diff --git a/contrib/systemd/user/podman.service b/contrib/systemd/user/podman.service
index 81fa55cf8..eaa2ec437 100644
--- a/contrib/systemd/user/podman.service
+++ b/contrib/systemd/user/podman.service
@@ -8,7 +8,7 @@ StartLimitIntervalSec=0
[Service]
Type=oneshot
Environment=REGISTRIES_CONFIG_PATH=/etc/containers/registries.conf
-ExecStart=%h/bin/service
+ExecStart=/usr/bin/podman system service
TimeoutStopSec=30
KillMode=process
diff --git a/docs/source/markdown/podman-ps.1.md b/docs/source/markdown/podman-ps.1.md
index 024b85ea5..23bf9f45d 100644
--- a/docs/source/markdown/podman-ps.1.md
+++ b/docs/source/markdown/podman-ps.1.md
@@ -96,6 +96,7 @@ Display namespace information
Filter what containers are shown in the output.
Multiple filters can be given with multiple uses of the --filter flag.
If multiple filters are given, only containers which match all of the given filters will be shown.
+Results will be drawn from all containers, regardless of whether --all was given.
Valid filters are listed below:
diff --git a/docs/source/markdown/podman-service.1.md b/docs/source/markdown/podman-system-service.1.md
index 5c55e20d3..a71ce9dc0 100644
--- a/docs/source/markdown/podman-service.1.md
+++ b/docs/source/markdown/podman-system-service.1.md
@@ -1,13 +1,13 @@
% podman-service(1)
## NAME
-podman\-service - Run an API service
+podman\-system\-service - Run an API service
## SYNOPSIS
-**podman service** [*options*]
+**podman system service** [*options*]
## DESCRIPTION
-The **podman service** command creates a listening service that will answer API calls for Podman. You may
+The **podman system service** command creates a listening service that will answer API calls for Podman. You may
optionally provide an endpoint for the API in URI form. For example, *unix://tmp/foobar.sock* or *tcp:localhost:8080*.
If no endpoint is provided, defaults will be used. The default endpoint for a rootfull
service is *unix:/run/podman/podman.sock* and rootless is *unix:/$XDG_RUNTIME_DIR/podman/podman.sock* (for
diff --git a/docs/source/markdown/podman-system.1.md b/docs/source/markdown/podman-system.1.md
index 1af97290d..5f163c6f0 100644
--- a/docs/source/markdown/podman-system.1.md
+++ b/docs/source/markdown/podman-system.1.md
@@ -19,6 +19,8 @@ The system command allows you to manage the podman systems
| prune | [podman-system-prune(1)](podman-system-prune.1.md) | Remove all unused container, image and volume data. |
| renumber | [podman-system-renumber(1)](podman-system-renumber.1.md)| Migrate lock numbers to handle a change in maximum number of locks. |
| reset | [podman-system-reset(1)](podman-system-reset.1.md) | Reset storage back to initial state. |
+| service | [podman-service(1)](podman-system-service.1.md) | Run an API service |
+
## SEE ALSO
podman(1)
diff --git a/docs/source/markdown/podman.1.md b/docs/source/markdown/podman.1.md
index af0e55925..853b5ecec 100644
--- a/docs/source/markdown/podman.1.md
+++ b/docs/source/markdown/podman.1.md
@@ -191,7 +191,6 @@ the exit codes follow the `chroot` standard, see below:
| [podman-rmi(1)](podman-rmi.1.md) | Removes one or more locally stored images. |
| [podman-run(1)](podman-run.1.md) | Run a command in a new container. |
| [podman-save(1)](podman-save.1.md) | Save an image to a container archive. |
-| [podman-service(1)](podman-service.1.md) | Run an API service |
| [podman-search(1)](podman-search.1.md) | Search a registry for an image. |
| [podman-start(1)](podman-start.1.md) | Start one or more containers. |
| [podman-stats(1)](podman-stats.1.md) | Display a live stream of one or more container's resource usage statistics. |
diff --git a/go.mod b/go.mod
index b6ad7bf14..994746704 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
github.com/containernetworking/plugins v0.8.5
github.com/containers/buildah v1.13.1
github.com/containers/conmon v2.0.10+incompatible
- github.com/containers/image/v5 v5.1.0
+ github.com/containers/image/v5 v5.2.1
github.com/containers/psgo v1.4.0
github.com/containers/storage v1.15.8
github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f
@@ -46,7 +46,7 @@ require (
github.com/mrtazz/checkmake v0.0.0-20191009095831-03dd76b964dd // indirect
github.com/mrunalp/fileutils v0.0.0-20171103030105-7d4729fb3618
github.com/olekukonko/tablewriter v0.0.4 // indirect
- github.com/onsi/ginkgo v1.11.0
+ github.com/onsi/ginkgo v1.12.0
github.com/onsi/gomega v1.9.0
github.com/opencontainers/go-digest v1.0.0-rc1
github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6
diff --git a/go.sum b/go.sum
index 628ef0f95..95b20aad6 100644
--- a/go.sum
+++ b/go.sum
@@ -30,6 +30,8 @@ github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdko
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
github.com/VividCortex/ewma v1.1.1 h1:MnEK4VOv6n0RSY4vtRe3h11qjxL3+t0B8yOL8iMXdcM=
github.com/VividCortex/ewma v1.1.1/go.mod h1:2Tkkvm3sRDVXaiyucHiACn4cqf7DpdyLvmxzcbUokwA=
+github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpHMqeKTCYkitsPqHNxTmd4SNR5r94FGM8=
+github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo=
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0=
@@ -91,6 +93,10 @@ github.com/containers/image/v5 v5.0.0 h1:arnXgbt1ucsC/ndtSpiQY87rA0UjhF+/xQnPzqd
github.com/containers/image/v5 v5.0.0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
github.com/containers/image/v5 v5.1.0 h1:5FjAvPJniamuNNIQHkh4PnsL+n+xzs6Aonzaz5dqTEo=
github.com/containers/image/v5 v5.1.0/go.mod h1:BKlMD34WxRo1ruGHHEOrPQP0Qci7SWoPwU6fS7arsCU=
+github.com/containers/image/v5 v5.2.0 h1:DowY5OII5x9Pb6Pt76vnHU79BgG4/jdwhZjeAj2R+t8=
+github.com/containers/image/v5 v5.2.0/go.mod h1:IAub4gDGvXoxaIAdNy4e3FbVTDPVNMv9F0UfVVFbYCU=
+github.com/containers/image/v5 v5.2.1 h1:rQR6QSUneWBoW1bTFpP9EJJTevQFv27YsKYQVJIzg+s=
+github.com/containers/image/v5 v5.2.1/go.mod h1:TfhmLwH+v1/HBVPIWH7diLs8XwcOkP3c7t7JFgqaUEc=
github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
github.com/containers/ocicrypt v0.0.0-20190930154801-b87a4a69c741 h1:8tQkOcednLJtUcZgK7sPglscXtxvMOnFOa6wd09VWLM=
@@ -370,6 +376,10 @@ github.com/mrunalp/fileutils v0.0.0-20171103030105-7d4729fb3618 h1:7InQ7/zrOh6Sl
github.com/mrunalp/fileutils v0.0.0-20171103030105-7d4729fb3618/go.mod h1:x8F1gnqOkIEiO4rqoeEEEqQbo7HjGMTvyoq3gej4iT0=
github.com/mtrmac/gpgme v0.0.0-20170102180018-b2432428689c h1:xa+eQWKuJ9MbB9FBL/eoNvDFvveAkz2LQoz8PzX7Q/4=
github.com/mtrmac/gpgme v0.0.0-20170102180018-b2432428689c/go.mod h1:GhAqVMEWnTcW2dxoD/SO3n2enrgWl3y6Dnx4m59GvcA=
+github.com/mtrmac/gpgme v0.1.1 h1:a5ISnvahzTzBH0m/klhehN68N+9+/jLwhpPFtH3oPAQ=
+github.com/mtrmac/gpgme v0.1.1/go.mod h1:GYYHnGSuS7HK3zVS2n3y73y0okK/BeKzwnn5jgiVFNI=
+github.com/mtrmac/gpgme v0.1.2 h1:dNOmvYmsrakgW7LcgiprD0yfRuQQe8/C8F6Z+zogO3s=
+github.com/mtrmac/gpgme v0.1.2/go.mod h1:GYYHnGSuS7HK3zVS2n3y73y0okK/BeKzwnn5jgiVFNI=
github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
@@ -386,6 +396,8 @@ github.com/onsi/ginkgo v1.10.3 h1:OoxbjfXVZyod1fmWYhI7SEyaD8B00ynP3T+D5GiyHOY=
github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw=
github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.12.0 h1:Iw5WCbBcaAAd0fpRb1c9r5YCylv4XDoCSigm1zLevwU=
+github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg=
github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v0.0.0-20190113212917-5533ce8a0da3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
@@ -544,6 +556,8 @@ github.com/vbauerster/mpb v3.4.0+incompatible h1:mfiiYw87ARaeRW6x5gWwYRUawxaW1tL
github.com/vbauerster/mpb v3.4.0+incompatible/go.mod h1:zAHG26FUhVKETRu+MWqYXcI70POlC6N8up9p1dID7SU=
github.com/vbauerster/mpb/v4 v4.11.1 h1:ZOYQSVHgmeanXsbyC44aDg76tBGCS/54Rk8VkL8dJGA=
github.com/vbauerster/mpb/v4 v4.11.1/go.mod h1:vMLa1J/ZKC83G2lB/52XpqT+ZZtFG4aZOdKhmpRL1uM=
+github.com/vbauerster/mpb/v4 v4.11.2 h1:ynkUoKzi65DZ1UsQPx7sgi/KN6G9f7br+Us2nKm35AM=
+github.com/vbauerster/mpb/v4 v4.11.2/go.mod h1:jIuIRCltGJUnm6DCyPVkwjlLUk4nHTH+m4eD14CdFF0=
github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
github.com/vishvananda/netlink v1.0.0 h1:bqNY2lgheFIu1meHUFSH3d7vG93AFyqg3oGbJCOJgSM=
github.com/vishvananda/netlink v1.0.0/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
@@ -652,6 +666,7 @@ golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3 h1:7TYNF4UdlohbFwpNH04CoPMp1
golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191113165036-4c7a9d0fe056/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191127021746-63cb32ae39b2 h1:/J2nHFg1MTqaRLFO7M+J78ASNsJoz3r0cvHBPQ77fsE=
golang.org/x/sys v0.0.0-20191127021746-63cb32ae39b2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/install.md b/install.md
index b143c7f7a..12dc62b32 100644
--- a/install.md
+++ b/install.md
@@ -1,530 +1,5 @@
# libpod Installation Instructions
-## Installing packaged versions of Podman
+The installation instructions for Podman and libpod now reside **[here](https://podman.io/getting-started/installation)** in the **[podman.io](https://podman.io)** site. From the hompage, the installation instructions can be found under "Get Started->Installing Podman".
-#### [Arch Linux](https://www.archlinux.org) & [Manjaro Linux](https://manjaro.org)
-
-```bash
-sudo pacman -S podman
-```
-
-If you have problems when running Podman in [rootless](README.md#rootless) mode follow the instructions [here](https://wiki.archlinux.org/index.php/Linux_Containers#Enable_support_to_run_unprivileged_containers_(optional))
-
-#### [Debian](https://debian.org)
-
-The libpod package is [being worked on](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930440)
-for inclusion in the default Debian repos. Relevant status updates can also be
-found [here](https://github.com/containers/libpod/issues/1742).
-
-Alternatively, the [Kubic project](https://build.opensuse.org/project/show/devel:kubic:libcontainers:stable)
-provides packages for Debian 10, testing and unstable.
-
-```bash
-# Debian Unstable/Sid
-echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_Unstable/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/Debian_Unstable/Release.key -O Release.key
-
-# Debian Testing
-echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_Testing/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/Debian_Testing/Release.key -O Release.key
-
-# Debian 10
-echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/Debian_10/Release.key -O Release.key
-
-sudo apt-key add - < Release.key
-sudo apt-get update -qq
-sudo apt-get -qq -y install podman
-```
-
-There are many [packages](https://packages.debian.org/search?keywords=libpod&searchon=names&suite=stable&section=all)
-with the libpod prefix available already on Debian. However, those are
-unrelated to this project.
-
-
-#### [Fedora](https://www.fedoraproject.org), [CentOS](https://www.centos.org)
-
-```bash
-sudo yum -y install podman
-```
-
-#### [Fedora-CoreOS](https://coreos.fedoraproject.org), [Fedora SilverBlue](https://silverblue.fedoraproject.org)
-
-Built-in, no need to install
-
-#### [Gentoo](https://www.gentoo.org)
-
-```bash
-sudo emerge app-emulation/libpod
-```
-
-#### [MacOS](https://www.apple.com/macos)
-
-Using [Homebrew](https://brew.sh/):
-
-```bash
-brew cask install podman
-```
-
-#### [OpenEmbedded](https://www.openembedded.org)
-
-Bitbake recipes for podman and its dependencies are available in the
-[meta-virtualization layer](https://git.yoctoproject.org/cgit/cgit.cgi/meta-virtualization/).
-Add the layer to your OpenEmbedded build environment and build podman using:
-
-```bash
-bitbake podman
-```
-
-#### [openSUSE](https://www.opensuse.org)
-
-```bash
-sudo zypper install podman
-```
-
-#### [openSUSE Kubic](https://kubic.opensuse.org)
-
-Built-in, no need to install
-
-
-#### [Raspbian](https://raspbian.org)
-
-The Kubic project provides packages for Raspbian 10.
-
-```bash
-# Raspbian 10
-echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Raspbian_10/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/Raspbian_10/Release.key -O Release.key
-sudo apt-key add - < Release.key
-sudo apt-get update -qq
-sudo apt-get -qq -y install podman
-```
-
-
-#### [RHEL7](https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux)
-
-Subscribe, then enable Extras channel and install Podman.
-
-```bash
-sudo subscription-manager repos --enable=rhel-7-server-extras-rpms
-sudo yum -y install podman
-```
-
-#### [RHEL8 Beta](https://www.redhat.com/en/blog/powering-its-future-while-preserving-present-introducing-red-hat-enterprise-linux-8-beta?intcmp=701f2000001Cz6OAAS)
-
-```bash
-sudo yum module enable -y container-tools:1.0
-sudo yum module install -y container-tools:1.0
-```
-
-
-#### [Ubuntu](https://www.ubuntu.com)
-
-The Kubic project provides packages for Ubuntu 18.04, 19.04 and 19.10.
-
-```bash
-. /etc/os-release
-sudo sh -c "echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list"
-wget -q https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/xUbuntu_${VERSION_ID}/Release.key -O- | sudo apt-key add -
-sudo apt-get update -qq
-sudo apt-get -qq -y install podman
-```
-
-There are many [packages](https://packages.ubuntu.com/search?keywords=libpod&searchon=names&suite=eoan&section=all)
-with the libpod prefix available already on Ubuntu. However, those are
-unrelated to this project.
-
-
-### Installing development versions of Podman
-
-#### Debian
-
-The Kubic project provides RC/testing packages for Debian 10, testing and
-unstable.
-
-```bash
-# Debian Unstable/Sid
-echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/Debian_Unstable/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:testing.list
-wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:testing/Debian_Unstable/Release.key -O Release.key
-
-# Debian Testing
-echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/Debian_Testing/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:testing.list
-wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:testing/Debian_Testing/Release.key -O Release.key
-
-# Debian 10
-echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/Debian_10/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:testing.list
-wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:testing/Debian_10/Release.key -O Release.key
-
-# Raspbian 10
-echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/Raspbian_10/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:testing.list
-wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:testing/Raspbian_10/Release.key -O Release.key
-
-sudo apt-key add - < Release.key
-sudo apt-get update -qq
-sudo apt-get -qq -y install podman
-```
-
-
-#### Fedora
-
-You can test the very latest Podman in Fedora's `updates-testing`
-repository before it goes out to all Fedora users.
-
-```console
-sudo yum distro-sync --enablerepo=updates-testing podman
-```
-
-If you use a newer Podman package from Fedora's `updates-testing`, we would
-appreciate your `+1` feedback in [Bodhi, Fedora's update management
-system](https://bodhi.fedoraproject.org/updates/?packages=podman).
-
-If you are running a non-rawhide Fedora distribution, you can also test the latest packages
-with our [COPR repository](https://copr.fedorainfracloud.org/coprs/baude/Upstream_CRIO_Family/).
-
-#### [Raspbian](https://raspbian.org)
-
-The Kubic project provides RC/testing packages for Raspbian 10.
-
-```bash
-# Raspbian 10
-echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/Raspbian_10/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:testing.list
-wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:testing/Raspbian_10/Release.key -O Release.key
-sudo apt-key add - < Release.key
-sudo apt-get update -qq
-sudo apt-get -qq -y install podman
-```
-
-
-#### Ubuntu
-
-The Kubic project provides RC/testing packages for Ubuntu 18.04, 19.04 and 19.10.
-
-```bash
-. /etc/os-release
-sudo sh -c "echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/x${NAME}_${VERSION_ID}/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:testing.list"
-wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:testing/x${NAME}_${VERSION_ID}/Release.key -O Release.key
-sudo apt-key add - < Release.key
-sudo apt-get update -qq
-sudo apt-get -qq -y install podman
-```
-
-
-## Building from scratch
-
-### Build and Run Dependencies
-
-**Required**
-
-Fedora, CentOS, RHEL, and related distributions you should try to run
-`make package-install` which will install dependencies, build the source,
-produce rpms for the current platform and install them in the end.
-
-```bash
-sudo yum install -y \
- atomic-registries \
- btrfs-progs-devel \
- containernetworking-cni \
- device-mapper-devel \
- git \
- glib2-devel \
- glibc-devel \
- glibc-static \
- go \
- golang-github-cpuguy83-go-md2man \
- gpgme-devel \
- iptables \
- libassuan-devel \
- libgpg-error-devel \
- libseccomp-devel \
- libselinux-devel \
- make \
- pkgconfig \
- runc \
- containers-common
-```
-
-Debian, Ubuntu, and related distributions:
-
-```bash
-sudo apt-get install \
- btrfs-tools \
- git \
- golang-go \
- go-md2man \
- iptables \
- libassuan-dev \
- libbtrfs-dev \
- libc6-dev \
- libdevmapper-dev \
- libglib2.0-dev \
- libgpgme-dev \
- libgpg-error-dev \
- libprotobuf-dev \
- libprotobuf-c0-dev \
- libseccomp-dev \
- libselinux1-dev \
- libsystemd-dev \
- pkg-config \
- runc \
- uidmap
-```
-
-On openSUSE Leap 15.x and Tumbleweed:
-
-```bash
-sudo zypper -n in libseccomp-devel libgpgme-devel
-```
-
-On Manjaro (and maybe other Linux distributions):
-
-Make sure that the Linux kernel supports user namespaces:
-
-```
-> zgrep CONFIG_USER_NS /proc/config.gz
-CONFIG_USER_NS=y
-
-```
-
-If not, please update the kernel.
-For Manjaro Linux the instructions can be found here:
-https://wiki.manjaro.org/index.php/Manjaro_Kernels
-
-After that enable user namespaces:
-
-```
-sudo sysctl kernel.unprivileged_userns_clone=1
-```
-
-To enable the user namespaces permanently:
-
-```
-echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/userns.conf
-```
-
-### Building missing dependencies
-
-If any dependencies cannot be installed or are not sufficiently current, they have to be built from source.
-This will mainly affect Debian, Ubuntu, and related distributions, or RHEL where no subscription is active (e.g. Cloud VMs).
-
-#### golang
-
-Be careful to double-check that the version of golang is new enough (i.e. `go version`), version 1.10.x or higher is required.
-If needed, golang kits are available at https://golang.org/dl/. Alternatively, go can be built from source as follows
-(it's helpful to leave the system-go installed, to avoid having to [bootstrap go](https://golang.org/doc/install/source):
-
-```bash
-export GOPATH=~/go
-git clone https://go.googlesource.com/go $GOPATH
-cd $GOPATH
-git checkout tags/go1.10.8 # optional
-cd src
-./all.bash
-export PATH=$GOPATH/bin:$PATH
-```
-
-#### conmon
-
-The latest version of `conmon` is expected to be installed on the system. Conmon is used to monitor OCI Runtimes.
-To build from source, use the following:
-
-```bash
-git clone https://github.com/containers/conmon
-cd conmon
-export GOCACHE="$(mktemp -d)"
-make
-sudo make podman
-```
-
-#### runc
-
-The latest version of `runc` is expected to be installed on the system. It is picked up as the default runtime by Podman.
-Version 1.0.0-rc4 is the minimal requirement, which is available in Ubuntu 18.04 already.
-To double-check, `runc --version` should produce at least `spec: 1.0.1`, otherwise build your own:
-
-```bash
-git clone https://github.com/opencontainers/runc.git $GOPATH/src/github.com/opencontainers/runc
-cd $GOPATH/src/github.com/opencontainers/runc
-make BUILDTAGS="selinux seccomp"
-sudo cp runc /usr/bin/runc
-```
-
-#### CNI plugins
-
-#### Setup CNI networking
-
-A proper description of setting up CNI networking is given in the [`cni` README](cni/README.md).
-
-A basic setup for CNI networking is done by default during the installation or make processes and
-no further configuration is needed to start using Podman.
-
-#### Add configuration
-
-```bash
-sudo mkdir -p /etc/containers
-sudo curl https://raw.githubusercontent.com/projectatomic/registries/master/registries.fedora -o /etc/containers/registries.conf
-sudo curl https://raw.githubusercontent.com/containers/skopeo/master/default-policy.json -o /etc/containers/policy.json
-```
-
-
-#### Optional packages
-
-Fedora, CentOS, RHEL, and related distributions:
-
-(no optional packages)
-
-Debian, Ubuntu, and related distributions:
-
-```bash
-apt-get install -y \
- libapparmor-dev
-```
-
-### Get Source Code
-
-As with other Go projects, Podman must be cloned into a directory structure like:
-
-```
-GOPATH
-└── src
- └── github.com
- └── containers
- └── libpod
-```
-
-First, ensure that the go version that is found first on the $PATH (in case you built your own; see [above](#golang)) is sufficiently recent -
-`go version` must be higher than 1.10.x). Then we can finally build Podman (assuming we already have a `$GOPATH` and the corresponding folder,
-`export GOPATH=~/go && mkdir -p $GOPATH`):
-
-```bash
-git clone https://github.com/containers/libpod/ $GOPATH/src/github.com/containers/libpod
-cd $GOPATH/src/github.com/containers/libpod
-make BUILDTAGS="selinux seccomp"
-sudo make install PREFIX=/usr
-```
-
-#### Build Tags
-
-Otherwise, if you do not want to build Podman with seccomp or selinux support you can add `BUILDTAGS=""` when running make.
-
-```bash
-make BUILDTAGS=""
-sudo make install
-```
-
-Podman supports optional build tags for compiling support of various features.
-To add build tags to the make option the `BUILDTAGS` variable must be set, for example:
-
-```bash
-make BUILDTAGS='seccomp apparmor'
-```
-
-| Build Tag | Feature | Dependency |
-|----------------------------------|------------------------------------|----------------------|
-| apparmor | apparmor support | libapparmor |
-| exclude_graphdriver_btrfs | exclude btrfs | libbtrfs |
-| exclude_graphdriver_devicemapper | exclude device-mapper | libdm |
-| libdm_no_deferred_remove | exclude deferred removal in libdm | libdm |
-| seccomp | syscall filtering | libseccomp |
-| selinux | selinux process and mount labeling | |
-| systemd | journald logging | libsystemd |
-
-Note that Podman does not officially support device-mapper. Thus, the `exclude_graphdriver_devicemapper` tag is mandatory.
-
-### Vendoring - Dependency Management
-
-This project is using [go modules](https://github.com/golang/go/wiki/Modules) for dependency management. If the CI is complaining about a pull request leaving behind an unclean state, it is very likely right about it. After changing dependencies, make sure to run `make vendor` to synchronize the code with the go module and repopulate the `./vendor` directory.
-
-## Configuration files
-
-### [registries.conf](https://src.fedoraproject.org/rpms/skopeo/blob/master/f/registries.conf)
-
-#### Man Page: [registries.conf.5](https://github.com/containers/image/blob/master/docs/registries.conf.5.md)
-
-`/etc/containers/registries.conf`
-
-registries.conf is the configuration file which specifies which container registries should be consulted when completing image names which do not include a registry or domain portion.
-
-#### Example from the Fedora `containers-common` package
-
-```
-cat /etc/containers/registries.conf
-# This is a system-wide configuration file used to
-# keep track of registries for various container backends.
-# It adheres to TOML format and does not support recursive
-# lists of registries.
-
-# The default location for this configuration file is /etc/containers/registries.conf.
-
-# The only valid categories are: 'registries.search', 'registries.insecure',
-# and 'registries.block'.
-
-[registries.search]
-registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org']
-
-# If you need to access insecure registries, add the registry's fully-qualified name.
-# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
-[registries.insecure]
-registries = []
-
-
-# If you need to block pull access from a registry, uncomment the section below
-# and add the registries fully-qualified name.
-#
-[registries.block]
-registries = []
-```
-
-### [mounts.conf](https://src.fedoraproject.org/rpms/skopeo/blob/master/f/mounts.conf)
-
-`/usr/share/containers/mounts.conf` and optionally `/etc/containers/mounts.conf`
-
-The mounts.conf files specify volume mount directories that are automatically mounted inside containers when executing the `podman run` or `podman build` commands. Container process can then use this content. The volume mount content does not get committed to the final image.
-
-Usually these directories are used for passing secrets or credentials required by the package software to access remote package repositories.
-
-For example, a mounts.conf with the line "`/usr/share/rhel/secrets:/run/secrets`", the content of `/usr/share/rhel/secrets` directory is mounted on `/run/secrets` inside the container. This mountpoint allows Red Hat Enterprise Linux subscriptions from the host to be used within the container.
-
-Note this is not a volume mount. The content of the volumes is copied into container storage, not bind mounted directly from the host.
-
-#### Example from the Fedora `containers-common` package:
-
-```
-cat /usr/share/containers/mounts.conf
-/usr/share/rhel/secrets:/run/secrets
-```
-
-### [seccomp.json](https://src.fedoraproject.org/rpms/skopeo/blob/master/f/seccomp.json)
-
-`/usr/share/containers/seccomp.json`
-
-seccomp.json contains the whitelist of seccomp rules to be allowed inside of
-containers. This file is usually provided by the containers-common package.
-
-The link above takes you to the seccomp.json
-
-### [policy.json](https://github.com/containers/skopeo/blob/master/default-policy.json)
-
-`/etc/containers/policy.json`
-
-#### Man Page: [policy.json.5](https://github.com/containers/image/blob/master/docs/policy.json.md)
-
-
-#### Example from the Fedora `containers-common` package:
-
-```
-cat /etc/containers/policy.json
-{
- "default": [
- {
- "type": "insecureAcceptAnything"
- }
- ],
- "transports":
- {
- "docker-daemon":
- {
- "": [{"type":"insecureAcceptAnything"}]
- }
- }
-}
-```
+The podman.io site resides in a GitHub under the Containers repository at [https://github.com/containers/podman.io](https://github.com/containers/podman.io). If you see a change that needs to happen to the installation instructions, please feel free to open a pull request there, we're always happy to have new contributors!
diff --git a/libpod/container.go b/libpod/container.go
index f29cebf20..5e5c8ab26 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -244,7 +244,7 @@ type ContainerConfig struct {
// UID/GID mappings used by the storage
IDMappings storage.IDMappingOptions `json:"idMappingsOptions,omitempty"`
- // Information on the image used for the root filesystem/
+ // Information on the image used for the root filesystem
RootfsImageID string `json:"rootfsImageID,omitempty"`
RootfsImageName string `json:"rootfsImageName,omitempty"`
// Rootfs to use for the container, this conflicts with RootfsImageID
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 0e883588c..78ec09f29 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -1254,6 +1254,12 @@ func (c *Container) restartWithTimeout(ctx context.Context, timeout uint) (err e
}
}
}
+ // Ensure we tear down the container network so it will be
+ // recreated - otherwise, behavior of restart differs from stop
+ // and start
+ if err := c.cleanupNetwork(); err != nil {
+ return err
+ }
}
defer func() {
if err != nil {
diff --git a/libpod/image/image.go b/libpod/image/image.go
index 355249b12..ba1080a71 100644
--- a/libpod/image/image.go
+++ b/libpod/image/image.go
@@ -709,11 +709,12 @@ func (i *Image) Size(ctx context.Context) (*uint64, error) {
}
i.image = localImage
}
- if sum, err := i.imageruntime.store.ImageSize(i.ID()); err == nil && sum >= 0 {
+ sum, err := i.imageruntime.store.ImageSize(i.ID())
+ if err == nil && sum >= 0 {
usum := uint64(sum)
return &usum, nil
}
- return nil, errors.Errorf("unable to determine size")
+ return nil, errors.Wrap(err, "unable to determine size")
}
// toImageRef returns an Image Reference type from an image
diff --git a/libpod/image/pull.go b/libpod/image/pull.go
index 76294ba06..fd359d593 100644
--- a/libpod/image/pull.go
+++ b/libpod/image/pull.go
@@ -126,6 +126,7 @@ func (ir *Runtime) pullGoalFromImageReference(ctx context.Context, srcRef types.
if err != nil {
return nil, err
}
+ defer tarSource.Close()
manifest, err := tarSource.LoadTarManifest()
if err != nil {
diff --git a/libpod/runtime_pod_linux.go b/libpod/runtime_pod_linux.go
index 5b0111b85..4afd5760a 100644
--- a/libpod/runtime_pod_linux.go
+++ b/libpod/runtime_pod_linux.go
@@ -193,8 +193,6 @@ func (r *Runtime) removePod(ctx context.Context, p *Pod, removeCtrs, force bool)
}
}
- var removalErr error
-
// We're going to be removing containers.
// If we are CGroupfs cgroup driver, to avoid races, we need to hit
// the pod and conmon CGroups with a PID limit to prevent them from
@@ -205,7 +203,7 @@ func (r *Runtime) removePod(ctx context.Context, p *Pod, removeCtrs, force bool)
conmonCgroupPath := filepath.Join(p.state.CgroupPath, "conmon")
conmonCgroup, err := cgroups.Load(conmonCgroupPath)
if err != nil && err != cgroups.ErrCgroupDeleted && err != cgroups.ErrCgroupV1Rootless {
- removalErr = errors.Wrapf(err, "error retrieving pod %s conmon cgroup %s", p.ID(), conmonCgroupPath)
+ logrus.Errorf("Error retrieving pod %s conmon cgroup %s: %v", p.ID(), conmonCgroupPath, err)
}
// New resource limits
@@ -216,15 +214,13 @@ func (r *Runtime) removePod(ctx context.Context, p *Pod, removeCtrs, force bool)
// Don't try if we failed to retrieve the cgroup
if err == nil {
if err := conmonCgroup.Update(resLimits); err != nil {
- if removalErr == nil {
- removalErr = errors.Wrapf(err, "error updating pod %s conmon group", p.ID())
- } else {
- logrus.Errorf("Error updating pod %s conmon cgroup %s: %v", p.ID(), conmonCgroupPath, err)
- }
+ logrus.Warnf("Error updating pod %s conmon cgroup %s PID limit: %v", p.ID(), conmonCgroupPath, err)
}
}
}
+ var removalErr error
+
ctrNamedVolumes := make(map[string]*ContainerNamedVolume)
// Second loop - all containers are good, so we should be clear to
diff --git a/pkg/api/server/register_images.go b/pkg/api/server/register_images.go
index 2959e604a..4a46b6ee6 100644
--- a/pkg/api/server/register_images.go
+++ b/pkg/api/server/register_images.go
@@ -638,25 +638,24 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error {
// summary: Load image
// description: Load an image (oci-archive or docker-archive) stream.
// parameters:
- // - in: query
- // name: change
- // description: "Apply the following possible instructions to the created image (default []): CMD | ENTRYPOINT | ENV | EXPOSE | LABEL | STOPSIGNAL | USER | VOLUME | WORKDIR. JSON encoded string"
- // type: string
- // - in: query
- // name: message
- // description: Set commit message for imported image
- // type: string
- // - in: body
- // name: request
- // description: tarball of container image
- // required: true
- // schema:
- // type: string
+ // - in: query
+ // name: change
+ // description: "Apply the following possible instructions to the created image (default []): CMD | ENTRYPOINT | ENV | EXPOSE | LABEL | STOPSIGNAL | USER | VOLUME | WORKDIR. JSON encoded string"
+ // type: string
+ // - in: query
+ // name: message
+ // description: Set commit message for imported image
+ // type: string
+ // - in: formData
+ // name: upload
+ // description: tarball of container image
+ // type: file
+ // required: true
// produces:
// - application/json
// responses:
// 200:
- // $ref: "#/response/LibpodImagesLoadResponse"
+ // $ref: "#/responses/DocsLibpodImagesLoadResponse"
// 500:
// $ref: '#/responses/InternalError'
r.Handle(VersionedPath("/libpod/images/load"), APIHandler(s.Context, libpod.ImagesLoad)).Methods(http.MethodPost)
@@ -665,31 +664,30 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error {
// tags:
// - images
// summary: Import image
- // description: Import a previosly exported tarball as an image.
+ // description: Import a previously exported tarball as an image.
// parameters:
- // - in: query
- // name: change
- // description: "Apply the following possible instructions to the created image (default []): CMD | ENTRYPOINT | ENV | EXPOSE | LABEL | STOPSIGNAL | USER | VOLUME | WORKDIR. JSON encoded string"
- // type: string
- // - in: query
- // name: message
- // description: Set commit message for imported image
- // type: string
- // - in: query
- // name: url
- // description: Specify a URL instead of a tarball
- // type: bool
- // - in: body
- // name: request
- // description: Tarball of (or URL to) container image
- // required: true
- // schema:
- // type: string
+ // - in: query
+ // name: change
+ // description: "Apply the following possible instructions to the created image (default []): CMD | ENTRYPOINT | ENV | EXPOSE | LABEL | STOPSIGNAL | USER | VOLUME | WORKDIR. JSON encoded string"
+ // type: string
+ // - in: query
+ // name: message
+ // description: Set commit message for imported image
+ // type: string
+ // - in: query
+ // name: url
+ // description: Specify a URL instead of a tarball
+ // type: boolean
+ // - in: formData
+ // name: upload
+ // type: file
+ // required: true
+ // description: tarball for imported image
// produces:
// - application/json
// responses:
// 200:
- // $ref: "#/response/LibpodImagesImportResponse"
+ // $ref: "#/responses/DocsLibpodImagesImportResponse"
// 500:
// $ref: '#/responses/InternalError'
r.Handle(VersionedPath("/libpod/images/import"), APIHandler(s.Context, libpod.ImagesImport)).Methods(http.MethodPost)
@@ -711,13 +709,13 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error {
// - in: query
// name: tls-verify
// description: Require TLS verification.
- // type: bool
+ // type: boolean
// default: true
// produces:
// - application/json
// responses:
// 200:
- // $ref: "#/response/LibpodImagesPullResponse"
+ // $ref: "#/responses/DocsLibpodImagesPullResponse"
// 500:
// $ref: '#/responses/InternalError'
r.Handle(VersionedPath("/libpod/images/pull"), APIHandler(s.Context, libpod.ImagesPull)).Methods(http.MethodPost)
diff --git a/pkg/bindings/errors.go b/pkg/bindings/errors.go
index 8bd40f804..1bcaac3f0 100644
--- a/pkg/bindings/errors.go
+++ b/pkg/bindings/errors.go
@@ -3,7 +3,6 @@ package bindings
import (
"encoding/json"
"io/ioutil"
- "net/http"
"github.com/containers/libpod/pkg/api/handlers/utils"
"github.com/pkg/errors"
@@ -26,7 +25,7 @@ func (a APIResponse) Process(unmarshalInto interface{}) error {
if err != nil {
return errors.Wrap(err, "unable to process API response")
}
- if a.Response.StatusCode == http.StatusOK {
+ if a.IsSuccess() {
if unmarshalInto != nil {
return json.Unmarshal(data, unmarshalInto)
}
diff --git a/pkg/bindings/test/images_test.go b/pkg/bindings/test/images_test.go
index 227f28d16..f2dc856b2 100644
--- a/pkg/bindings/test/images_test.go
+++ b/pkg/bindings/test/images_test.go
@@ -89,4 +89,39 @@ var _ = Describe("Podman images", func() {
})
+ //Tests to validate the image tag command.
+ It("tag image", func() {
+ // Validates if invalid image name is given a bad response is encountered.
+ err = images.Tag(connText, "dummy", "demo", "alpine")
+ Expect(err).ToNot(BeNil())
+ code, _ := bindings.CheckResponseCode(err)
+ Expect(code).To(BeNumerically("==", 404))
+
+ // Validates if the image is tagged sucessfully.
+ err = images.Tag(connText, "alpine", "demo", "alpine")
+ Expect(err).To(BeNil())
+
+ //Validates if name updates when the image is retagged.
+ _, err := images.GetImage(connText, "alpine:demo", nil)
+ Expect(err).To(BeNil())
+
+ })
+
+ //Test to validate the List images command.
+ It("List image", func() {
+ //Array to hold the list of images returned
+ imageSummary, err := images.List(connText, nil, nil)
+ //There Should be no errors in the response.
+ Expect(err).To(BeNil())
+ //Since in the begin context only one image is created the list context should have only one image
+ Expect(len(imageSummary)).To(Equal(1))
+
+ //To be written create a new image and check list count again
+ //imageSummary, err = images.List(connText, nil, nil)
+
+ //Since in the begin context only one image adding one more image should
+ ///Expect(len(imageSummary)).To(Equal(2)
+
+ })
+
})
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
new file mode 100644
index 000000000..e22ee598f
--- /dev/null
+++ b/pkg/specgen/specgen.go
@@ -0,0 +1,399 @@
+package specgen
+
+import (
+ "net"
+
+ "github.com/containers/image/v5/manifest"
+ "github.com/containers/libpod/libpod"
+ "github.com/containers/libpod/libpod/define"
+ "github.com/containers/storage"
+ "github.com/cri-o/ocicni/pkg/ocicni"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// TODO
+// mheon provided this an off the cuff suggestion. Adding it here to retain
+// for history as we implement it. When this struct is implemented, we need
+// to remove the nolints.
+type Namespace struct {
+ isHost bool //nolint
+ isPath string //nolint
+ isContainer string //nolint
+ isPod bool //nolint
+}
+
+// ContainerBasicConfig contains the basic parts of a container.
+type ContainerBasicConfig struct {
+ // Name is the name the container will be given.
+ // If no name is provided, one will be randomly generated.
+ // Optional.
+ Name string `json:"name,omitempty"`
+ // Pod is the ID of the pod the container will join.
+ // Optional.
+ Pod string `json:"pod,omitempty"`
+ // Entrypoint is the container's entrypoint.
+ // If not given and Image is specified, this will be populated by the
+ // image's configuration.
+ // Optional.
+ Entrypoint []string `json:"entrypoint,omitempty"`
+ // Command is the container's command.
+ // If not given and Image is specified, this will be populated by the
+ // image's configuration.
+ // Optional.
+ Command []string `json:"command,omitempty"`
+ // Env is a set of environment variables that will be set in the
+ // container.
+ // Optional.
+ Env map[string]string `json:"env,omitempty"`
+ // Terminal is whether the container will create a PTY.
+ Terminal bool `json:"terminal,omitempty"`
+ // Stdin is whether the container will keep its STDIN open.
+ Stdin bool `json:"stdin,omitempty"`
+ // Labels are key-valid labels that are used to add metadata to
+ // containers.
+ // Optional.
+ Labels map[string]string `json:"labels,omitempty"`
+ // Annotations are key-value options passed into the container runtime
+ // that can be used to trigger special behavior.
+ // Optional.
+ Annotations map[string]string `json:"annotations,omitempty"`
+ // StopSignal is the signal that will be used to stop the container.
+ // Must be a non-zero integer below SIGRTMAX.
+ // If not provided, the default, SIGTERM, will be used.
+ // Will conflict with Systemd if Systemd is set to "true" or "always".
+ // Optional.
+ StopSignal *uint `json:"stop_signal,omitempty"`
+ // StopTimeout is a timeout between the container's stop signal being
+ // sent and SIGKILL being sent.
+ // If not provided, the default will be used.
+ // If 0 is used, stop signal will not be sent, and SIGKILL will be sent
+ // instead.
+ // Optional.
+ StopTimeout *uint `json:"stop_timeout,omitempty"`
+ // LogDriver is the container's log driver.
+ // Optional.
+ LogDriver string `json:"log_driver,omitempty"`
+ // LogPath is the path the container's logs will be stored at.
+ // Only available if LogDriver is set to "json-file" or "k8s-file".
+ // Optional.
+ LogPath string `json:"log_path,omitempty"`
+ // ConmonPidFile is a path at which a PID file for Conmon will be
+ // placed.
+ // If not given, a default location will be used.
+ // Optional.
+ ConmonPidFile string `json:"conmon_pid_file,omitempty"`
+ // RestartPolicy is the container's restart policy - an action which
+ // will be taken when the container exits.
+ // If not given, the default policy, which does nothing, will be used.
+ // Optional.
+ RestartPolicy string `json:"restart_policy,omitempty"`
+ // RestartRetries is the number of attempts that will be made to restart
+ // the container.
+ // Only available when RestartPolicy is set to "on-failure".
+ // Optional.
+ RestartRetries *uint `json:"restart_tries,omitempty"`
+ // OCIRuntime is the name of the OCI runtime that will be used to create
+ // the container.
+ // If not specified, the default will be used.
+ // Optional.
+ OCIRuntime string `json:"oci_runtime,omitempty"`
+ // Systemd is whether the container will be started in systemd mode.
+ // Valid options are "true", "false", and "always".
+ // "true" enables this mode only if the binary run in the container is
+ // /sbin/init or systemd. "always" unconditionally enables systemd mode.
+ // "false" unconditionally disables systemd mode.
+ // If enabled, mounts and stop signal will be modified.
+ // If set to "always" or set to "true" and conditionally triggered,
+ // conflicts with StopSignal.
+ // If not specified, "false" will be assumed.
+ // Optional.
+ Systemd string `json:"systemd,omitempty"`
+ // Namespace is the libpod namespace the container will be placed in.
+ // Optional.
+ Namespace string `json:"namespace,omitempty"`
+
+ // PidNS is the container's PID namespace.
+ // It defaults to private.
+ // Mandatory.
+ PidNS Namespace `json:"pidns,omitempty"`
+
+ // UtsNS is the container's UTS namespace.
+ // It defaults to private.
+ // Must be set to Private to set Hostname.
+ // Mandatory.
+ UtsNS Namespace `json:"utsns,omitempty"`
+ // Hostname is the container's hostname. If not set, the hostname will
+ // not be modified (if UtsNS is not private) or will be set to the
+ // container ID (if UtsNS is private).
+ // Conflicts with UtsNS if UtsNS is not set to private.
+ // Optional.
+ Hostname string `json:"hostname,omitempty"`
+}
+
+// ContainerStorageConfig contains information on the storage configuration of a
+// container.
+type ContainerStorageConfig struct {
+ // Image is the image the container will be based on. The image will be
+ // used as the container's root filesystem, and its environment vars,
+ // volumes, and other configuration will be applied to the container.
+ // Conflicts with Rootfs.
+ // At least one of Image or Rootfs must be specified.
+ Image string `json:"image"`
+ // Rootfs is the path to a directory that will be used as the
+ // container's root filesystem. No modification will be made to the
+ // directory, it will be directly mounted into the container as root.
+ // Conflicts with Image.
+ // At least one of Image or Rootfs must be specified.
+ Rootfs string `json:"rootfs,omitempty"`
+ // ImageVolumeMode indicates how image volumes will be created.
+ // Supported modes are "ignore" (do not create), "tmpfs" (create as
+ // tmpfs), and "anonymous" (create as anonymous volumes).
+ // The default is anonymous.
+ // Optional.
+ ImageVolumeMode string `json:"image_volume_mode,omitempty"`
+ // VolumesFrom is a list of containers whose volumes will be added to
+ // this container. Supported mount options may be added after the
+ // container name with a : and include "ro" and "rw".
+ // Optional.
+ VolumesFrom []string `json:"volumes_from,omitempty"`
+ // Mounts are mounts that will be added to the container.
+ // These will supersede Image Volumes and VolumesFrom volumes where
+ // there are conflicts.
+ // Optional.
+ Mounts []spec.Mount `json:"mounts,omitempty"`
+ // Volumes are named volumes that will be added to the container.
+ // These will supersede Image Volumes and VolumesFrom volumes where
+ // there are conflicts.
+ // Optional.
+ Volumes []*libpod.ContainerNamedVolume `json:"volumes,omitempty"`
+ // Devices are devices that will be added to the container.
+ // Optional.
+ Devices []spec.LinuxDevice `json:"devices,omitempty"`
+ // IpcNS is the container's IPC namespace.
+ // Default is private.
+ // Conflicts with ShmSize if not set to private.
+ // Mandatory.
+ IpcNS Namespace `json:"ipcns,omitempty"`
+ // ShmSize is the size of the tmpfs to mount in at /dev/shm, in bytes.
+ // Conflicts with ShmSize if ShmSize is not private.
+ // Optional.
+ ShmSize *int64 `json:"shm_size,omitempty"`
+ // WorkDir is the container's working directory.
+ // If unset, the default, /, will be used.
+ // Optional.
+ WorkDir string `json:"work_dir,omitempty"`
+ // RootfsPropagation is the rootfs propagation mode for the container.
+ // If not set, the default of rslave will be used.
+ // Optional.
+ RootfsPropagation string `json:"rootfs_propagation,omitempty"`
+}
+
+// ContainerSecurityConfig is a container's security features, including
+// SELinux, Apparmor, and Seccomp.
+type ContainerSecurityConfig struct {
+ // Privileged is whether the container is privileged.
+ // Privileged does the following:
+ // - Adds all devices on the system to the container.
+ // - Adds all capabilities to the container.
+ // - Disables Seccomp, SELinux, and Apparmor confinement.
+ // TODO: this conflicts with things.
+ // TODO: this does more.
+ Privileged bool `json:"privileged,omitempty"`
+ // User is the user the container will be run as.
+ // Can be given as a UID or a username; if a username, it will be
+ // resolved within the container, using the container's /etc/passwd.
+ // If unset, the container will be run as root.
+ // Optional.
+ User string `json:"user,omitempty"`
+ // Groups are a list of supplemental groups the container's user will
+ // be granted access to.
+ // Optional.
+ Groups []string `json:"groups,omitempty"`
+ // CapAdd are capabilities which will be added to the container.
+ // Conflicts with Privileged.
+ // Optional.
+ CapAdd []string `json:"cap_add,omitempty"`
+ // CapDrop are capabilities which will be removed from the container.
+ // Conflicts with Privileged.
+ // Optional.
+ CapDrop []string `json:"cap_drop,omitempty"`
+ // SelinuxProcessLabel is the process label the container will use.
+ // If SELinux is enabled and this is not specified, a label will be
+ // automatically generated if not specified.
+ // Optional.
+ SelinuxProcessLabel string `json:"selinux_process_label,omitempty"`
+ // SelinuxMountLabel is the mount label the container will use.
+ // If SELinux is enabled and this is not specified, a label will be
+ // automatically generated if not specified.
+ // Optional.
+ SelinuxMountLabel string `json:"selinux_mount_label,omitempty"`
+ // SelinuxOpts are options for configuring SELinux.
+ // Optional.
+ SelinuxOpts []string `json:"selinux_opts,omitempty"`
+ // ApparmorProfile is the name of the Apparmor profile the container
+ // will use.
+ // Optional.
+ ApparmorProfile string `json:"apparmor_profile,omitempty"`
+ // SeccompProfilePath is the path to a JSON file containing the
+ // container's Seccomp profile.
+ // If not specified, no Seccomp profile will be used.
+ // Optional.
+ SeccompProfilePath string `json:"seccomp_profile_path,omitempty"`
+ // NoNewPrivileges is whether the container will set the no new
+ // privileges flag on create, which disables gaining additional
+ // privileges (e.g. via setuid) in the container.
+ NoNewPrivileges bool `json:"no_new_privileges,omitempty"`
+ // UserNS is the container's user namespace.
+ // It defaults to host, indicating that no user namespace will be
+ // created.
+ // If set to private, IDMappings must be set.
+ // Mandatory.
+ UserNS Namespace `json:"userns,omitempty"`
+ // IDMappings are UID and GID mappings that will be used by user
+ // namespaces.
+ // Required if UserNS is private.
+ IDMappings storage.IDMappingOptions `json:"idmappings,omitempty"`
+}
+
+// ContainerCgroupConfig contains configuration information about a container's
+// cgroups.
+type ContainerCgroupConfig struct {
+ // CgroupNS is the container's cgroup namespace.
+ // It defaults to private.
+ // Conflicts with NoCgroups if not set to host.
+ // Mandatory.
+ CgroupNS Namespace `json:"cgroupns,omitempty"`
+ // NoCgroups indicates that the container should not create CGroups.
+ // Conflicts with CgroupParent and CgroupNS if CgroupNS is not set to
+ // host.
+ NoCgroups bool `json:"no_cgroups,omitempty"`
+ // CgroupParent is the container's CGroup parent.
+ // If not set, the default for the current cgroup driver will be used.
+ // Conflicts with NoCgroups.
+ // Optional.
+ CgroupParent string `json:"cgroup_parent,omitempty"`
+}
+
+// ContainerNetworkConfig contains information on a container's network
+// configuration.
+type ContainerNetworkConfig struct {
+ // NetNS is the configuration to use for the container's network
+ // namespace.
+ // Mandatory.
+ NetNS Namespace `json:"netns,omitempty"`
+ // ConfigureNetNS is whether Libpod will configure the container's
+ // network namespace to send and receive traffic.
+ // Only available is NetNS is private - conflicts with other NetNS
+ // modes.
+ ConfigureNetNS bool `json:"configure_netns,omitempty"`
+ // StaticIP is the a IPv4 address of the container.
+ // Only available if ConfigureNetNS is true.
+ // Optional.
+ StaticIP *net.IP `json:"static_ip,omitempty"`
+ // StaticIPv6 is a static IPv6 address to set in the container.
+ // Only available if ConfigureNetNS is true.
+ // Optional.
+ StaticIPv6 *net.IP `json:"static_ipv6,omitempty"`
+ // StaticMAC is a static MAC address to set in the container.
+ // Only available if ConfigureNetNS is true.
+ // Optional.
+ StaticMAC *net.HardwareAddr `json:"static_mac,omitempty"`
+ // PortBindings is a set of ports to map into the container.
+ // Only available if ConfigureNetNS is true.
+ // Optional.
+ PortMappings []ocicni.PortMapping `json:"portmappings,omitempty"`
+ // PublishImagePorts will publish ports specified in the image to random
+ // ports outside.
+ // Requires Image to be set.
+ PublishImagePorts bool `json:"publish_image_ports,omitempty"`
+ // CNINetworks is a list of CNI networks to join the container to.
+ // If this list is empty, the default CNI network will be joined
+ // instead. If at least one entry is present, we will not join the
+ // default network (unless it is part of this list).
+ // Only available if ConfigureNetNS is true.
+ // Optional.
+ CNINetworks []string `json:"cni_networks,omitempty"`
+ // UseImageResolvConf indicates that resolv.conf should not be managed
+ // by Podman, but instead sourced from the image.
+ // Conflicts with DNSServer, DNSSearch, DNSOption.
+ UseImageResolvConf bool `json:"use_image_resolve_conf,omitempty"`
+ // DNSServer is a set of DNS servers that will be used in the
+ // container's resolv.conf, replacing the host's DNS Servers which are
+ // used by default.
+ // Conflicts with UseImageResolvConf.
+ // Optional.
+ DNSServer []net.IP `json:"dns_server,omitempty"`
+ // DNSSearch is a set of DNS search domains that will be used in the
+ // container's resolv.conf, replacing the host's DNS search domains
+ // which are used by default.
+ // Conflicts with UseImageResolvConf.
+ // Optional.
+ DNSSearch []string `json:"dns_search,omitempty"`
+ // DNSOption is a set of DNS options that will be used in the
+ // container's resolv.conf, replacing the host's DNS options which are
+ // used by default.
+ // Conflicts with UseImageResolvConf.
+ // Optional.
+ DNSOption []string `json:"dns_option,omitempty"`
+ // UseImageHosts indicates that /etc/hosts should not be managed by
+ // Podman, and instead sourced from the image.
+ // Conflicts with HostAdd.
+ UseImageHosts bool `json:"use_image_hosts,omitempty"`
+ // HostAdd is a set of hosts which will be added to the container's
+ // /etc/hosts file.
+ // Conflicts with UseImageHosts.
+ // Optional.
+ HostAdd []string `json:"hostadd,omitempty"`
+}
+
+// ContainerResourceConfig contains information on container resource limits.
+type ContainerResourceConfig struct {
+ // ResourceLimits are resource limits to apply to the container.
+ // Can only be set as root on cgroups v1 systems, but can be set as
+ // rootless as well for cgroups v2.
+ // Optional.
+ ResourceLimits *spec.LinuxResources `json:"resource_limits,omitempty"`
+ // Rlimits are POSIX rlimits to apply to the container.
+ // Optional.
+ Rlimits []spec.POSIXRlimit `json:"r_limits,omitempty"`
+ // OOMScoreAdj adjusts the score used by the OOM killer to determine
+ // processes to kill for the container's process.
+ // Optional.
+ OOMScoreAdj *int `json:"oom_score_adj,omitempty"`
+}
+
+// ContainerHealthCheckConfig describes a container healthcheck with attributes
+// like command, retries, interval, start period, and timeout.
+type ContainerHealthCheckConfig struct {
+ HealthConfig manifest.Schema2HealthConfig `json:"healthconfig,omitempty"`
+}
+
+// SpecGenerator creates an OCI spec and Libpod configuration options to create
+// a container based on the given configuration.
+type SpecGenerator struct {
+ ContainerBasicConfig
+ ContainerStorageConfig
+ ContainerSecurityConfig
+ ContainerCgroupConfig
+ ContainerNetworkConfig
+ ContainerResourceConfig
+ ContainerHealthCheckConfig
+}
+
+// NewSpecGenerator returns a SpecGenerator struct given one of two mandatory inputs
+func NewSpecGenerator(image, rootfs *string) (*SpecGenerator, error) {
+ _ = image
+ _ = rootfs
+ return &SpecGenerator{}, define.ErrNotImplemented
+}
+
+// Validate verifies that the given SpecGenerator is valid and satisfies required
+// input for creating a container.
+func (s *SpecGenerator) Validate() error {
+ return define.ErrNotImplemented
+}
+
+// MakeContainer creates a container based on the SpecGenerator
+func (s *SpecGenerator) MakeContainer() (*libpod.Container, error) {
+ return nil, define.ErrNotImplemented
+}
diff --git a/pkg/varlinkapi/images.go b/pkg/varlinkapi/images.go
index 333595a96..b144bfa5e 100644
--- a/pkg/varlinkapi/images.go
+++ b/pkg/varlinkapi/images.go
@@ -143,6 +143,7 @@ func (i *LibpodAPI) GetImage(call iopodman.VarlinkCall, id string) error {
func (i *LibpodAPI) BuildImage(call iopodman.VarlinkCall, config iopodman.BuildInfo) error {
var (
namespace []buildah.NamespaceOption
+ imageID string
err error
)
@@ -249,7 +250,8 @@ func (i *LibpodAPI) BuildImage(call iopodman.VarlinkCall, config iopodman.BuildI
c := make(chan error)
go func() {
- _, _, err := i.Runtime.Build(getContext(), options, newPathDockerFiles...)
+ iid, _, err := i.Runtime.Build(getContext(), options, newPathDockerFiles...)
+ imageID = iid
c <- err
close(c)
}()
@@ -291,13 +293,9 @@ func (i *LibpodAPI) BuildImage(call iopodman.VarlinkCall, config iopodman.BuildI
}
call.Continues = false
- newImage, err := i.Runtime.ImageRuntime().NewFromLocal(config.Output)
- if err != nil {
- return call.ReplyErrorOccurred(err.Error())
- }
br := iopodman.MoreResponse{
Logs: log,
- Id: newImage.ID(),
+ Id: imageID,
}
return call.ReplyBuildImage(br)
}
diff --git a/test/e2e/build_test.go b/test/e2e/build_test.go
index 71f5d1b02..b4e400549 100644
--- a/test/e2e/build_test.go
+++ b/test/e2e/build_test.go
@@ -3,7 +3,9 @@
package integration
import (
+ "io/ioutil"
"os"
+ "path/filepath"
"strings"
. "github.com/containers/libpod/test/utils"
@@ -105,4 +107,39 @@ var _ = Describe("Podman build", func() {
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
})
+
+ It("podman build Containerfile locations", func() {
+ // Given
+ // Switch to temp dir and restore it afterwards
+ cwd, err := os.Getwd()
+ Expect(err).To(BeNil())
+ Expect(os.Chdir(os.TempDir())).To(BeNil())
+ defer Expect(os.Chdir(cwd)).To(BeNil())
+
+ // Write target and fake files
+ targetPath := filepath.Join(os.TempDir(), "dir")
+ Expect(os.MkdirAll(targetPath, 0755)).To(BeNil())
+
+ fakeFile := filepath.Join(os.TempDir(), "Containerfile")
+ Expect(ioutil.WriteFile(fakeFile, []byte("FROM alpine"), 0755)).To(BeNil())
+
+ targetFile := filepath.Join(targetPath, "Containerfile")
+ Expect(ioutil.WriteFile(targetFile, []byte("FROM scratch"), 0755)).To(BeNil())
+
+ defer func() {
+ Expect(os.RemoveAll(fakeFile)).To(BeNil())
+ Expect(os.RemoveAll(targetFile)).To(BeNil())
+ }()
+
+ // When
+ session := podmanTest.PodmanNoCache([]string{
+ "build", "-f", targetFile, "-t", "test-locations",
+ })
+ session.WaitWithDefaultTimeout()
+
+ // Then
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(strings.Fields(session.OutputToString())).
+ To(ContainElement("scratch"))
+ })
})
diff --git a/test/e2e/ps_test.go b/test/e2e/ps_test.go
index 12bfdfe41..fccc5c93b 100644
--- a/test/e2e/ps_test.go
+++ b/test/e2e/ps_test.go
@@ -227,6 +227,22 @@ var _ = Describe("Podman ps", func() {
Expect(output[0]).To(Equal(fullCid))
})
+ It("podman ps filter by exited does not need all", func() {
+ ctr := podmanTest.Podman([]string{"run", "-t", "-i", ALPINE, "ls", "/"})
+ ctr.WaitWithDefaultTimeout()
+ Expect(ctr.ExitCode()).To(Equal(0))
+
+ psAll := podmanTest.Podman([]string{"ps", "-aq", "--no-trunc"})
+ psAll.WaitWithDefaultTimeout()
+ Expect(psAll.ExitCode()).To(Equal(0))
+
+ psFilter := podmanTest.Podman([]string{"ps", "--no-trunc", "--quiet", "--filter", "status=exited"})
+ psFilter.WaitWithDefaultTimeout()
+ Expect(psFilter.ExitCode()).To(Equal(0))
+
+ Expect(psAll.OutputToString()).To(Equal(psFilter.OutputToString()))
+ })
+
It("podman ps mutually exclusive flags", func() {
session := podmanTest.Podman([]string{"ps", "-aqs"})
session.WaitWithDefaultTimeout()
diff --git a/vendor/github.com/acarl005/stripansi/LICENSE b/vendor/github.com/acarl005/stripansi/LICENSE
new file mode 100644
index 000000000..00abe0dbf
--- /dev/null
+++ b/vendor/github.com/acarl005/stripansi/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Andrew Carlson
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/vendor/github.com/acarl005/stripansi/README.md b/vendor/github.com/acarl005/stripansi/README.md
new file mode 100644
index 000000000..8bdb1f505
--- /dev/null
+++ b/vendor/github.com/acarl005/stripansi/README.md
@@ -0,0 +1,30 @@
+Strip ANSI
+==========
+
+This Go package removes ANSI escape codes from strings.
+
+Ideally, we would prevent these from appearing in any text we want to process.
+However, sometimes this can't be helped, and we need to be able to deal with that noise.
+This will use a regexp to remove those unwanted escape codes.
+
+
+## Install
+
+```sh
+$ go get -u github.com/acarl005/stripansi
+```
+
+## Usage
+
+```go
+import (
+ "fmt"
+ "github.com/acarl005/stripansi"
+)
+
+func main() {
+ msg := "\x1b[38;5;140m foo\x1b[0m bar"
+ cleanMsg := stripansi.Strip(msg)
+ fmt.Println(cleanMsg) // " foo bar"
+}
+```
diff --git a/vendor/github.com/acarl005/stripansi/stripansi.go b/vendor/github.com/acarl005/stripansi/stripansi.go
new file mode 100644
index 000000000..235732a78
--- /dev/null
+++ b/vendor/github.com/acarl005/stripansi/stripansi.go
@@ -0,0 +1,13 @@
+package stripansi
+
+import (
+ "regexp"
+)
+
+const ansi = "[\u001B\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\u0007)|(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))"
+
+var re = regexp.MustCompile(ansi)
+
+func Strip(str string) string {
+ return re.ReplaceAllString(str, "")
+}
diff --git a/vendor/github.com/containers/image/v5/copy/copy.go b/vendor/github.com/containers/image/v5/copy/copy.go
index 29660b6b2..8432dbe32 100644
--- a/vendor/github.com/containers/image/v5/copy/copy.go
+++ b/vendor/github.com/containers/image/v5/copy/copy.go
@@ -380,6 +380,7 @@ func (c *copier) copyMultipleImages(ctx context.Context, policyContext *signatur
return nil, "", errors.Wrap(err, "Can not copy signatures")
}
}
+ canModifyManifestList := (len(sigs) == 0)
// Determine if we'll need to convert the manifest list to a different format.
forceListMIMEType := options.ForceManifestMIMEType
@@ -394,7 +395,6 @@ func (c *copier) copyMultipleImages(ctx context.Context, policyContext *signatur
return nil, "", errors.Wrapf(err, "Error determining manifest list type to write to destination")
}
if selectedListType != list.MIMEType() {
- canModifyManifestList := (len(sigs) == 0)
if !canModifyManifestList {
return nil, "", errors.Errorf("Error: manifest list must be converted to type %q to be written to destination, but that would invalidate signatures", selectedListType)
}
@@ -451,12 +451,6 @@ func (c *copier) copyMultipleImages(ctx context.Context, policyContext *signatur
return nil, "", errors.Wrapf(err, "Error updating manifest list")
}
- // Check if the updates meaningfully changed the list of images.
- listIsModified := false
- if !reflect.DeepEqual(list.Instances(), originalList.Instances()) {
- listIsModified = true
- }
-
// Perform the list conversion.
if selectedListType != list.MIMEType() {
list, err = list.ConvertToMIMEType(selectedListType)
@@ -465,12 +459,23 @@ func (c *copier) copyMultipleImages(ctx context.Context, policyContext *signatur
}
}
- // If we can't use the original value, but we have to change it, flag an error.
- if listIsModified {
- manifestList, err = list.Serialize()
- if err != nil {
- return nil, "", errors.Wrapf(err, "Error encoding updated manifest list (%q: %#v)", list.MIMEType(), list.Instances())
+ // Check if the updates or a type conversion meaningfully changed the list of images
+ // by serializing them both so that we can compare them.
+ updatedManifestList, err := list.Serialize()
+ if err != nil {
+ return nil, "", errors.Wrapf(err, "Error encoding updated manifest list (%q: %#v)", list.MIMEType(), list.Instances())
+ }
+ originalManifestList, err := originalList.Serialize()
+ if err != nil {
+ return nil, "", errors.Wrapf(err, "Error encoding original manifest list for comparison (%q: %#v)", originalList.MIMEType(), originalList.Instances())
+ }
+
+ // If we can't just use the original value, but we have to change it, flag an error.
+ if !bytes.Equal(updatedManifestList, originalManifestList) {
+ if !canModifyManifestList {
+ return nil, "", errors.Errorf("Error: manifest list must be converted to type %q to be written to destination, but that would invalidate signatures", selectedListType)
}
+ manifestList = updatedManifestList
logrus.Debugf("Manifest list has been updated")
}
@@ -709,7 +714,7 @@ func checkImageDestinationForCurrentRuntime(ctx context.Context, sys *types.Syst
wantedOS = sys.OSChoice
}
if wantedOS != c.OS {
- return fmt.Errorf("Image operating system mismatch: image uses %q, expecting %q", c.OS, wantedOS)
+ logrus.Infof("Image operating system mismatch: image uses %q, expecting %q", c.OS, wantedOS)
}
wantedArch := runtime.GOARCH
@@ -717,7 +722,7 @@ func checkImageDestinationForCurrentRuntime(ctx context.Context, sys *types.Syst
wantedArch = sys.ArchitectureChoice
}
if wantedArch != c.Architecture {
- return fmt.Errorf("Image architecture mismatch: image uses %q, expecting %q", c.Architecture, wantedArch)
+ logrus.Infof("Image architecture mismatch: image uses %q, expecting %q", c.Architecture, wantedArch)
}
}
return nil
diff --git a/vendor/github.com/containers/image/v5/copy/manifest.go b/vendor/github.com/containers/image/v5/copy/manifest.go
index bcf082df3..5a3cf06a4 100644
--- a/vendor/github.com/containers/image/v5/copy/manifest.go
+++ b/vendor/github.com/containers/image/v5/copy/manifest.go
@@ -127,14 +127,14 @@ func isMultiImage(ctx context.Context, img types.UnparsedImage) (bool, error) {
// forced value, and returns the MIME type to which we should convert the list
// of manifests, whether we are converting to it or using it unmodified.
func (c *copier) determineListConversion(currentListMIMEType string, destSupportedMIMETypes []string, forcedListMIMEType string) (string, error) {
- // If we're forcing it, we prefer the forced value over everything else.
- if forcedListMIMEType != "" {
- return forcedListMIMEType, nil
- }
// If there's no list of supported types, then anything we support is expected to be supported.
if len(destSupportedMIMETypes) == 0 {
destSupportedMIMETypes = manifest.SupportedListMIMETypes
}
+ // If we're forcing it, replace the list of supported types with the forced value.
+ if forcedListMIMEType != "" {
+ destSupportedMIMETypes = []string{forcedListMIMEType}
+ }
var selectedType string
for i := range destSupportedMIMETypes {
// The second priority is the first member of the list of acceptable types that is a list,
@@ -148,9 +148,15 @@ func (c *copier) determineListConversion(currentListMIMEType string, destSupport
selectedType = destSupportedMIMETypes[i]
}
}
+ logrus.Debugf("Manifest list has MIME type %s, ordered candidate list [%s]", currentListMIMEType, strings.Join(destSupportedMIMETypes, ", "))
if selectedType == "" {
return "", errors.Errorf("destination does not support any supported manifest list types (%v)", manifest.SupportedListMIMETypes)
}
+ if selectedType != currentListMIMEType {
+ logrus.Debugf("... will convert to %s", selectedType)
+ } else {
+ logrus.Debugf("... will use the original manifest list type")
+ }
// Done.
return selectedType, nil
}
diff --git a/vendor/github.com/containers/image/v5/directory/directory_dest.go b/vendor/github.com/containers/image/v5/directory/directory_dest.go
index caa7a207f..d70b6c07f 100644
--- a/vendor/github.com/containers/image/v5/directory/directory_dest.go
+++ b/vendor/github.com/containers/image/v5/directory/directory_dest.go
@@ -6,6 +6,7 @@ import (
"io/ioutil"
"os"
"path/filepath"
+ "runtime"
"github.com/containers/image/v5/types"
"github.com/opencontainers/go-digest"
@@ -142,8 +143,11 @@ func (d *dirImageDestination) PutBlob(ctx context.Context, stream io.Reader, inp
return types.BlobInfo{}, err
}
succeeded := false
+ explicitClosed := false
defer func() {
- blobFile.Close()
+ if !explicitClosed {
+ blobFile.Close()
+ }
if !succeeded {
os.Remove(blobFile.Name())
}
@@ -164,10 +168,21 @@ func (d *dirImageDestination) PutBlob(ctx context.Context, stream io.Reader, inp
if err := blobFile.Sync(); err != nil {
return types.BlobInfo{}, err
}
- if err := blobFile.Chmod(0644); err != nil {
- return types.BlobInfo{}, err
+
+ // On POSIX systems, blobFile was created with mode 0600, so we need to make it readable.
+ // On Windows, the “permissions of newly created files” argument to syscall.Open is
+ // ignored and the file is already readable; besides, blobFile.Chmod, i.e. syscall.Fchmod,
+ // always fails on Windows.
+ if runtime.GOOS != "windows" {
+ if err := blobFile.Chmod(0644); err != nil {
+ return types.BlobInfo{}, err
+ }
}
+
blobPath := d.ref.layerPath(computedDigest)
+ // need to explicitly close the file, since a rename won't otherwise not work on Windows
+ blobFile.Close()
+ explicitClosed = true
if err := os.Rename(blobFile.Name(), blobPath); err != nil {
return types.BlobInfo{}, err
}
diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go
index 986bcb986..aa8463d18 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_client.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_client.go
@@ -6,7 +6,6 @@ import (
"encoding/json"
"fmt"
"io"
- "io/ioutil"
"net/http"
"net/url"
"os"
@@ -17,6 +16,7 @@ import (
"time"
"github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/pkg/docker/config"
"github.com/containers/image/v5/pkg/sysregistriesv2"
"github.com/containers/image/v5/pkg/tlsclientconfig"
@@ -45,6 +45,10 @@ const (
extensionSignatureSchemaVersion = 2 // extensionSignature.Version
extensionSignatureTypeAtomic = "atomic" // extensionSignature.Type
+
+ backoffNumIterations = 5
+ backoffInitialDelay = 2 * time.Second
+ backoffMaxDelay = 60 * time.Second
)
var systemPerHostCertDirPaths = [2]string{"/etc/containers/certs.d", "/etc/docker/certs.d"}
@@ -277,7 +281,7 @@ func CheckAuth(ctx context.Context, sys *types.SystemContext, username, password
}
defer resp.Body.Close()
- return httpResponseToError(resp)
+ return httpResponseToError(resp, "")
}
// SearchResult holds the information of each matching image
@@ -351,7 +355,7 @@ func SearchRegistry(ctx context.Context, sys *types.SystemContext, registry, ima
} else {
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
- logrus.Debugf("error getting search results from v1 endpoint %q: %v", registry, httpResponseToError(resp))
+ logrus.Debugf("error getting search results from v1 endpoint %q: %v", registry, httpResponseToError(resp, ""))
} else {
if err := json.NewDecoder(resp.Body).Decode(v1Res); err != nil {
return nil, err
@@ -368,7 +372,7 @@ func SearchRegistry(ctx context.Context, sys *types.SystemContext, registry, ima
} else {
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
- logrus.Errorf("error getting search results from v2 endpoint %q: %v", registry, httpResponseToError(resp))
+ logrus.Errorf("error getting search results from v2 endpoint %q: %v", registry, httpResponseToError(resp, ""))
} else {
if err := json.NewDecoder(resp.Body).Decode(v2Res); err != nil {
return nil, err
@@ -400,74 +404,64 @@ func (c *dockerClient) makeRequest(ctx context.Context, method, path string, hea
return c.makeRequestToResolvedURL(ctx, method, url, headers, stream, -1, auth, extraScope)
}
+// parseRetryAfter determines the delay required by the "Retry-After" header in res and returns it,
+// silently falling back to fallbackDelay if the header is missing or invalid.
+func parseRetryAfter(res *http.Response, fallbackDelay time.Duration) time.Duration {
+ after := res.Header.Get("Retry-After")
+ if after == "" {
+ return fallbackDelay
+ }
+ logrus.Debugf("Detected 'Retry-After' header %q", after)
+ // First, check if we have a numerical value.
+ if num, err := strconv.ParseInt(after, 10, 64); err == nil {
+ return time.Duration(num) * time.Second
+ }
+ // Second, check if we have an HTTP date.
+ // If the delta between the date and now is positive, use it.
+ // Otherwise, fall back to using the default exponential back off.
+ if t, err := http.ParseTime(after); err == nil {
+ delta := time.Until(t)
+ if delta > 0 {
+ return delta
+ }
+ logrus.Debugf("Retry-After date in the past, ignoring it")
+ return fallbackDelay
+ }
+ // If the header contents are bogus, fall back to using the default exponential back off.
+ logrus.Debugf("Invalid Retry-After format, ignoring it")
+ return fallbackDelay
+}
+
// makeRequestToResolvedURL creates and executes a http.Request with the specified parameters, adding authentication and TLS options for the Docker client.
// streamLen, if not -1, specifies the length of the data expected on stream.
// makeRequest should generally be preferred.
-// In case of an http 429 status code in the response, it performs an exponential back off starting at 2 seconds for at most 5 iterations.
-// If the `Retry-After` header is set in the response, the specified value or date is
-// If the stream is non-nil, no back off will be performed.
+// In case of an HTTP 429 status code in the response, it may automatically retry a few times.
// TODO(runcom): too many arguments here, use a struct
func (c *dockerClient) makeRequestToResolvedURL(ctx context.Context, method, url string, headers map[string][]string, stream io.Reader, streamLen int64, auth sendAuth, extraScope *authScope) (*http.Response, error) {
- var (
- res *http.Response
- err error
- delay int64
- )
- delay = 2
- const numIterations = 5
- const maxDelay = 60
-
- // math.Min() only supports float64, so have an anonymous func to avoid
- // casting.
- min := func(a int64, b int64) int64 {
- if a < b {
- return a
+ delay := backoffInitialDelay
+ attempts := 0
+ for {
+ res, err := c.makeRequestToResolvedURLOnce(ctx, method, url, headers, stream, streamLen, auth, extraScope)
+ attempts++
+ if res == nil || res.StatusCode != http.StatusTooManyRequests || // Only retry on StatusTooManyRequests, success or other failure is returned to caller immediately
+ stream != nil || // We can't retry with a body (which is not restartable in the general case)
+ attempts == backoffNumIterations {
+ return res, err
}
- return b
- }
- nextDelay := func(r *http.Response, delay int64) int64 {
- after := res.Header.Get("Retry-After")
- if after == "" {
- return min(delay, maxDelay)
- }
- logrus.Debugf("detected 'Retry-After' header %q", after)
- // First check if we have a numerical value.
- if num, err := strconv.ParseInt(after, 10, 64); err == nil {
- return min(num, maxDelay)
+ delay = parseRetryAfter(res, delay)
+ if delay > backoffMaxDelay {
+ delay = backoffMaxDelay
}
- // Secondly check if we have an http date.
- // If the delta between the date and now is positive, use it.
- // Otherwise, fall back to using the default exponential back off.
- if t, err := http.ParseTime(after); err == nil {
- delta := int64(time.Until(t).Seconds())
- if delta > 0 {
- return min(delta, maxDelay)
- }
- logrus.Debugf("negative date: falling back to using %d seconds", delay)
- return min(delay, maxDelay)
+ logrus.Debugf("Too many requests to %s: sleeping for %f seconds before next attempt", url, delay.Seconds())
+ select {
+ case <-ctx.Done():
+ return nil, ctx.Err()
+ case <-time.After(delay):
+ // Nothing
}
- // If the header contains bogus, fall back to using the default
- // exponential back off.
- logrus.Debugf("invalid format: falling back to using %d seconds", delay)
- return min(delay, maxDelay)
- }
-
- for i := 0; i < numIterations; i++ {
- res, err = c.makeRequestToResolvedURLOnce(ctx, method, url, headers, stream, streamLen, auth, extraScope)
- if stream == nil && res != nil && res.StatusCode == http.StatusTooManyRequests {
- if i < numIterations-1 {
- logrus.Errorf("HEADER %v", res.Header)
- delay = nextDelay(res, delay) // compute next delay - does NOT exceed maxDelay
- logrus.Debugf("too many request to %s: sleeping for %d seconds before next attempt", url, delay)
- time.Sleep(time.Duration(delay) * time.Second)
- delay = delay * 2 // exponential back off
- }
- continue
- }
- break
+ delay = delay * 2 // exponential back off
}
- return res, err
}
// makeRequestToResolvedURLOnce creates and executes a http.Request with the specified parameters, adding authentication and TLS options for the Docker client.
@@ -597,7 +591,7 @@ func (c *dockerClient) getBearerToken(ctx context.Context, challenge challenge,
default:
return nil, errors.Errorf("unexpected http code: %d (%s), URL: %s", res.StatusCode, http.StatusText(res.StatusCode), authReq.URL)
}
- tokenBlob, err := ioutil.ReadAll(res.Body)
+ tokenBlob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxAuthTokenBodySize)
if err != nil {
return nil, err
}
@@ -627,7 +621,7 @@ func (c *dockerClient) detectPropertiesHelper(ctx context.Context) error {
defer resp.Body.Close()
logrus.Debugf("Ping %s status %d", url, resp.StatusCode)
if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
- return httpResponseToError(resp)
+ return httpResponseToError(resp, "")
}
c.challenges = parseAuthHeader(resp.Header)
c.scheme = scheme
@@ -690,7 +684,7 @@ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerRe
return nil, errors.Wrapf(clientLib.HandleErrorResponse(res), "Error downloading signatures for %s in %s", manifestDigest, ref.ref.Name())
}
- body, err := ioutil.ReadAll(res.Body)
+ body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureListBodySize)
if err != nil {
return nil, err
}
diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go
index dad382cd0..483581dbc 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_image.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_image.go
@@ -70,7 +70,7 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types.
return nil, err
}
defer res.Body.Close()
- if err := httpResponseToError(res); err != nil {
+ if err := httpResponseToError(res, "Error fetching tags list"); err != nil {
return nil, err
}
diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
index 47a73d868..ab74e1607 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
@@ -15,6 +15,7 @@ import (
"strings"
"github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/pkg/blobinfocache/none"
"github.com/containers/image/v5/types"
@@ -58,14 +59,16 @@ func (d *dockerImageDestination) Close() error {
}
func (d *dockerImageDestination) SupportedManifestMIMETypes() []string {
- return []string{
+ mimeTypes := []string{
imgspecv1.MediaTypeImageManifest,
manifest.DockerV2Schema2MediaType,
imgspecv1.MediaTypeImageIndex,
manifest.DockerV2ListMediaType,
- manifest.DockerV2Schema1SignedMediaType,
- manifest.DockerV2Schema1MediaType,
}
+ if d.c.sys == nil || !d.c.sys.DockerDisableDestSchema1MIMETypes {
+ mimeTypes = append(mimeTypes, manifest.DockerV2Schema1SignedMediaType, manifest.DockerV2Schema1MediaType)
+ }
+ return mimeTypes
}
// SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
@@ -620,7 +623,7 @@ sigExists:
}
defer res.Body.Close()
if res.StatusCode != http.StatusCreated {
- body, err := ioutil.ReadAll(res.Body)
+ body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxErrorBodySize)
if err == nil {
logrus.Debugf("Error body %s", string(body))
}
diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
index 35beb30e5..967845e72 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
@@ -10,8 +10,10 @@ import (
"net/url"
"os"
"strconv"
+ "strings"
"github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/pkg/sysregistriesv2"
"github.com/containers/image/v5/types"
@@ -53,43 +55,77 @@ func newImageSource(ctx context.Context, sys *types.SystemContext, ref dockerRef
// non-mirror original location last; this both transparently handles the case
// of no mirrors configured, and ensures we return the error encountered when
// acessing the upstream location if all endpoints fail.
- manifestLoadErr := errors.New("Internal error: newImageSource returned without trying any endpoint")
pullSources, err := registry.PullSourcesFromReference(ref.ref)
if err != nil {
return nil, err
}
+ type attempt struct {
+ ref reference.Named
+ err error
+ }
+ attempts := []attempt{}
for _, pullSource := range pullSources {
- logrus.Debugf("Trying to pull %q", pullSource.Reference)
- dockerRef, err := newReference(pullSource.Reference)
- if err != nil {
- return nil, err
+ logrus.Debugf("Trying to access %q", pullSource.Reference)
+ s, err := newImageSourceAttempt(ctx, sys, pullSource, primaryDomain)
+ if err == nil {
+ return s, nil
}
-
- endpointSys := sys
- // sys.DockerAuthConfig does not explicitly specify a registry; we must not blindly send the credentials intended for the primary endpoint to mirrors.
- if endpointSys != nil && endpointSys.DockerAuthConfig != nil && reference.Domain(dockerRef.ref) != primaryDomain {
- copy := *endpointSys
- copy.DockerAuthConfig = nil
- endpointSys = &copy
+ logrus.Debugf("Accessing %q failed: %v", pullSource.Reference, err)
+ attempts = append(attempts, attempt{
+ ref: pullSource.Reference,
+ err: err,
+ })
+ }
+ switch len(attempts) {
+ case 0:
+ return nil, errors.New("Internal error: newImageSource returned without trying any endpoint")
+ case 1:
+ return nil, attempts[0].err // If no mirrors are used, perfectly preserve the error type and add no noise.
+ default:
+ // Don’t just build a string, try to preserve the typed error.
+ primary := &attempts[len(attempts)-1]
+ extras := []string{}
+ for i := 0; i < len(attempts)-1; i++ {
+ // This is difficult to fit into a single-line string, when the error can contain arbitrary strings including any metacharacters we decide to use.
+ // The paired [] at least have some chance of being unambiguous.
+ extras = append(extras, fmt.Sprintf("[%s: %v]", attempts[i].ref.String(), attempts[i].err))
}
+ return nil, errors.Wrapf(primary.err, "(Mirrors also failed: %s): %s", strings.Join(extras, "\n"), primary.ref.String())
+ }
+}
- client, err := newDockerClientFromRef(endpointSys, dockerRef, false, "pull")
- if err != nil {
- return nil, err
- }
- client.tlsClientConfig.InsecureSkipVerify = pullSource.Endpoint.Insecure
+// newImageSourceAttempt is an internal helper for newImageSource. Everyone else must call newImageSource.
+// Given a pullSource and primaryDomain, return a dockerImageSource if it is reachable.
+// The caller must call .Close() on the returned ImageSource.
+func newImageSourceAttempt(ctx context.Context, sys *types.SystemContext, pullSource sysregistriesv2.PullSource, primaryDomain string) (*dockerImageSource, error) {
+ ref, err := newReference(pullSource.Reference)
+ if err != nil {
+ return nil, err
+ }
- testImageSource := &dockerImageSource{
- ref: dockerRef,
- c: client,
- }
+ endpointSys := sys
+ // sys.DockerAuthConfig does not explicitly specify a registry; we must not blindly send the credentials intended for the primary endpoint to mirrors.
+ if endpointSys != nil && endpointSys.DockerAuthConfig != nil && reference.Domain(ref.ref) != primaryDomain {
+ copy := *endpointSys
+ copy.DockerAuthConfig = nil
+ endpointSys = &copy
+ }
- manifestLoadErr = testImageSource.ensureManifestIsLoaded(ctx)
- if manifestLoadErr == nil {
- return testImageSource, nil
- }
+ client, err := newDockerClientFromRef(endpointSys, ref, false, "pull")
+ if err != nil {
+ return nil, err
}
- return nil, manifestLoadErr
+ client.tlsClientConfig.InsecureSkipVerify = pullSource.Endpoint.Insecure
+
+ s := &dockerImageSource{
+ ref: ref,
+ c: client,
+ }
+
+ if err := s.ensureManifestIsLoaded(ctx); err != nil {
+ return nil, err
+ }
+ return s, nil
}
// Reference returns the reference used to set up this source, _as specified by the user_
@@ -156,7 +192,8 @@ func (s *dockerImageSource) fetchManifest(ctx context.Context, tagOrDigest strin
if res.StatusCode != http.StatusOK {
return nil, "", errors.Wrapf(client.HandleErrorResponse(res), "Error reading manifest %s in %s", tagOrDigest, s.ref.ref.Name())
}
- manblob, err := ioutil.ReadAll(res.Body)
+
+ manblob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxManifestBodySize)
if err != nil {
return nil, "", err
}
@@ -239,7 +276,7 @@ func (s *dockerImageSource) GetBlob(ctx context.Context, info types.BlobInfo, ca
if err != nil {
return nil, 0, err
}
- if err := httpResponseToError(res); err != nil {
+ if err := httpResponseToError(res, "Error fetching blob"); err != nil {
return nil, 0, err
}
cache.RecordKnownLocation(s.ref.Transport(), bicTransportScope(s.ref), info.Digest, newBICLocationReference(s.ref))
@@ -342,7 +379,7 @@ func (s *dockerImageSource) getOneSignature(ctx context.Context, url *url.URL) (
} else if res.StatusCode != http.StatusOK {
return nil, false, errors.Errorf("Error reading signature from %s: status %d (%s)", url.String(), res.StatusCode, http.StatusText(res.StatusCode))
}
- sig, err := ioutil.ReadAll(res.Body)
+ sig, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureBodySize)
if err != nil {
return nil, false, err
}
@@ -401,7 +438,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
return err
}
defer get.Body.Close()
- manifestBody, err := ioutil.ReadAll(get.Body)
+ manifestBody, err := iolimits.ReadAtMost(get.Body, iolimits.MaxManifestBodySize)
if err != nil {
return err
}
@@ -424,7 +461,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
}
defer delete.Body.Close()
- body, err := ioutil.ReadAll(delete.Body)
+ body, err := iolimits.ReadAtMost(delete.Body, iolimits.MaxErrorBodySize)
if err != nil {
return err
}
diff --git a/vendor/github.com/containers/image/v5/docker/errors.go b/vendor/github.com/containers/image/v5/docker/errors.go
index 860868f41..f626cc7da 100644
--- a/vendor/github.com/containers/image/v5/docker/errors.go
+++ b/vendor/github.com/containers/image/v5/docker/errors.go
@@ -14,7 +14,7 @@ var (
// docker V1 registry.
ErrV1NotSupported = errors.New("can't talk to a V1 docker registry")
// ErrTooManyRequests is returned when the status code returned is 429
- ErrTooManyRequests = errors.New("too many request to registry")
+ ErrTooManyRequests = errors.New("too many requests to registry")
)
// ErrUnauthorizedForCredentials is returned when the status code returned is 401
@@ -26,9 +26,9 @@ func (e ErrUnauthorizedForCredentials) Error() string {
return fmt.Sprintf("unable to retrieve auth token: invalid username/password: %s", e.Err.Error())
}
-// httpResponseToError translates the https.Response into an error. It returns
+// httpResponseToError translates the https.Response into an error, possibly prefixing it with the supplied context. It returns
// nil if the response is not considered an error.
-func httpResponseToError(res *http.Response) error {
+func httpResponseToError(res *http.Response, context string) error {
switch res.StatusCode {
case http.StatusOK:
return nil
@@ -38,6 +38,9 @@ func httpResponseToError(res *http.Response) error {
err := client.HandleErrorResponse(res)
return ErrUnauthorizedForCredentials{Err: err}
default:
- return perrors.Errorf("invalid status code from registry %d (%s)", res.StatusCode, http.StatusText(res.StatusCode))
+ if context != "" {
+ context = context + ": "
+ }
+ return perrors.Errorf("%sinvalid status code from registry %d (%s)", context, res.StatusCode, http.StatusText(res.StatusCode))
}
}
diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
index c322156b5..c171da505 100644
--- a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
+++ b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
@@ -13,6 +13,7 @@ import (
"time"
"github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/internal/tmpdir"
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/types"
@@ -143,7 +144,7 @@ func (d *Destination) PutBlob(ctx context.Context, stream io.Reader, inputInfo t
}
if isConfig {
- buf, err := ioutil.ReadAll(stream)
+ buf, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
if err != nil {
return types.BlobInfo{}, errors.Wrap(err, "Error reading Config file stream")
}
diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/src.go b/vendor/github.com/containers/image/v5/docker/tarfile/src.go
index 80dd753e4..c1f1a0f27 100644
--- a/vendor/github.com/containers/image/v5/docker/tarfile/src.go
+++ b/vendor/github.com/containers/image/v5/docker/tarfile/src.go
@@ -11,6 +11,7 @@ import (
"path"
"sync"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/internal/tmpdir"
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/pkg/compression"
@@ -203,13 +204,13 @@ func findTarComponent(inputFile io.Reader, path string) (*tar.Reader, *tar.Heade
}
// readTarComponent returns full contents of componentPath.
-func (s *Source) readTarComponent(path string) ([]byte, error) {
+func (s *Source) readTarComponent(path string, limit int) ([]byte, error) {
file, err := s.openTarComponent(path)
if err != nil {
return nil, errors.Wrapf(err, "Error loading tar component %s", path)
}
defer file.Close()
- bytes, err := ioutil.ReadAll(file)
+ bytes, err := iolimits.ReadAtMost(file, limit)
if err != nil {
return nil, err
}
@@ -240,7 +241,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error {
}
// Read and parse config.
- configBytes, err := s.readTarComponent(tarManifest[0].Config)
+ configBytes, err := s.readTarComponent(tarManifest[0].Config, iolimits.MaxConfigBodySize)
if err != nil {
return err
}
@@ -266,7 +267,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error {
// loadTarManifest loads and decodes the manifest.json.
func (s *Source) loadTarManifest() ([]ManifestItem, error) {
// FIXME? Do we need to deal with the legacy format?
- bytes, err := s.readTarComponent(manifestFileName)
+ bytes, err := s.readTarComponent(manifestFileName, iolimits.MaxTarFileManifestSize)
if err != nil {
return nil, err
}
diff --git a/vendor/github.com/containers/image/v5/image/docker_schema2.go b/vendor/github.com/containers/image/v5/image/docker_schema2.go
index 7891562b7..1e2114d7e 100644
--- a/vendor/github.com/containers/image/v5/image/docker_schema2.go
+++ b/vendor/github.com/containers/image/v5/image/docker_schema2.go
@@ -7,10 +7,10 @@ import (
"encoding/hex"
"encoding/json"
"fmt"
- "io/ioutil"
"strings"
"github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/pkg/blobinfocache/none"
"github.com/containers/image/v5/types"
@@ -102,7 +102,7 @@ func (m *manifestSchema2) ConfigBlob(ctx context.Context) ([]byte, error) {
return nil, err
}
defer stream.Close()
- blob, err := ioutil.ReadAll(stream)
+ blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
if err != nil {
return nil, err
}
diff --git a/vendor/github.com/containers/image/v5/image/oci.go b/vendor/github.com/containers/image/v5/image/oci.go
index 059d84977..b5ddb9aaa 100644
--- a/vendor/github.com/containers/image/v5/image/oci.go
+++ b/vendor/github.com/containers/image/v5/image/oci.go
@@ -4,9 +4,9 @@ import (
"context"
"encoding/json"
"fmt"
- "io/ioutil"
"github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/pkg/blobinfocache/none"
"github.com/containers/image/v5/types"
@@ -67,7 +67,7 @@ func (m *manifestOCI1) ConfigBlob(ctx context.Context) ([]byte, error) {
return nil, err
}
defer stream.Close()
- blob, err := ioutil.ReadAll(stream)
+ blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
if err != nil {
return nil, err
}
diff --git a/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
new file mode 100644
index 000000000..3fed1995c
--- /dev/null
+++ b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
@@ -0,0 +1,60 @@
+package iolimits
+
+import (
+ "io"
+ "io/ioutil"
+
+ "github.com/pkg/errors"
+)
+
+// All constants below are intended to be used as limits for `ReadAtMost`. The
+// immediate use-case for limiting the size of in-memory copied data is to
+// protect against OOM DOS attacks as described inCVE-2020-1702. Instead of
+// copying data until running out of memory, we error out after hitting the
+// specified limit.
+const (
+ // megaByte denotes one megabyte and is intended to be used as a limit in
+ // `ReadAtMost`.
+ megaByte = 1 << 20
+ // MaxManifestBodySize is the maximum allowed size of a manifest. The limit
+ // of 4 MB aligns with the one of a Docker registry:
+ // https://github.com/docker/distribution/blob/a8371794149d1d95f1e846744b05c87f2f825e5a/registry/handlers/manifests.go#L30
+ MaxManifestBodySize = 4 * megaByte
+ // MaxAuthTokenBodySize is the maximum allowed size of an auth token.
+ // The limit of 1 MB is considered to be greatly sufficient.
+ MaxAuthTokenBodySize = megaByte
+ // MaxSignatureListBodySize is the maximum allowed size of a signature list.
+ // The limit of 4 MB is considered to be greatly sufficient.
+ MaxSignatureListBodySize = 4 * megaByte
+ // MaxSignatureBodySize is the maximum allowed size of a signature.
+ // The limit of 4 MB is considered to be greatly sufficient.
+ MaxSignatureBodySize = 4 * megaByte
+ // MaxErrorBodySize is the maximum allowed size of an error-response body.
+ // The limit of 1 MB is considered to be greatly sufficient.
+ MaxErrorBodySize = megaByte
+ // MaxConfigBodySize is the maximum allowed size of a config blob.
+ // The limit of 4 MB is considered to be greatly sufficient.
+ MaxConfigBodySize = 4 * megaByte
+ // MaxOpenShiftStatusBody is the maximum allowed size of an OpenShift status body.
+ // The limit of 4 MB is considered to be greatly sufficient.
+ MaxOpenShiftStatusBody = 4 * megaByte
+ // MaxTarFileManifestSize is the maximum allowed size of a (docker save)-like manifest (which may contain multiple images)
+ // The limit of 1 MB is considered to be greatly sufficient.
+ MaxTarFileManifestSize = megaByte
+)
+
+// ReadAtMost reads from reader and errors out if the specified limit (in bytes) is exceeded.
+func ReadAtMost(reader io.Reader, limit int) ([]byte, error) {
+ limitedReader := io.LimitReader(reader, int64(limit+1))
+
+ res, err := ioutil.ReadAll(limitedReader)
+ if err != nil {
+ return nil, err
+ }
+
+ if len(res) > limit {
+ return nil, errors.Errorf("exceeded maximum allowed size of %d bytes", limit)
+ }
+
+ return res, nil
+}
diff --git a/vendor/github.com/containers/image/v5/openshift/openshift.go b/vendor/github.com/containers/image/v5/openshift/openshift.go
index b9242da6e..28bfc456d 100644
--- a/vendor/github.com/containers/image/v5/openshift/openshift.go
+++ b/vendor/github.com/containers/image/v5/openshift/openshift.go
@@ -7,13 +7,13 @@ import (
"encoding/json"
"fmt"
"io"
- "io/ioutil"
"net/http"
"net/url"
"strings"
"github.com/containers/image/v5/docker"
"github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/types"
"github.com/containers/image/v5/version"
@@ -102,7 +102,7 @@ func (c *openshiftClient) doRequest(ctx context.Context, method, path string, re
return nil, err
}
defer res.Body.Close()
- body, err := ioutil.ReadAll(res.Body)
+ body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxOpenShiftStatusBody)
if err != nil {
return nil, err
}
diff --git a/vendor/github.com/containers/image/v5/signature/mechanism_gpgme.go b/vendor/github.com/containers/image/v5/signature/mechanism_gpgme.go
index 4825ab27c..277fba16b 100644
--- a/vendor/github.com/containers/image/v5/signature/mechanism_gpgme.go
+++ b/vendor/github.com/containers/image/v5/signature/mechanism_gpgme.go
@@ -139,7 +139,7 @@ func (m *gpgmeSigningMechanism) Sign(input []byte, keyIdentity string) ([]byte,
}
// Verify parses unverifiedSignature and returns the content and the signer's identity
-func (m gpgmeSigningMechanism) Verify(unverifiedSignature []byte) (contents []byte, keyIdentity string, err error) {
+func (m *gpgmeSigningMechanism) Verify(unverifiedSignature []byte) (contents []byte, keyIdentity string, err error) {
signedBuffer := bytes.Buffer{}
signedData, err := gpgme.NewDataWriter(&signedBuffer)
if err != nil {
@@ -170,6 +170,6 @@ func (m gpgmeSigningMechanism) Verify(unverifiedSignature []byte) (contents []by
// WARNING: The short key identifier (which correponds to "Key ID" for OpenPGP keys)
// is NOT the same as a "key identity" used in other calls ot this interface, and
// the values may have no recognizable relationship if the public key is not available.
-func (m gpgmeSigningMechanism) UntrustedSignatureContents(untrustedSignature []byte) (untrustedContents []byte, shortKeyIdentifier string, err error) {
+func (m *gpgmeSigningMechanism) UntrustedSignatureContents(untrustedSignature []byte) (untrustedContents []byte, shortKeyIdentifier string, err error) {
return gpgUntrustedSignatureContents(untrustedSignature)
}
diff --git a/vendor/github.com/containers/image/v5/signature/mechanism_openpgp.go b/vendor/github.com/containers/image/v5/signature/mechanism_openpgp.go
index eccd610c9..51f20f310 100644
--- a/vendor/github.com/containers/image/v5/signature/mechanism_openpgp.go
+++ b/vendor/github.com/containers/image/v5/signature/mechanism_openpgp.go
@@ -154,6 +154,6 @@ func (m *openpgpSigningMechanism) Verify(unverifiedSignature []byte) (contents [
// WARNING: The short key identifier (which correponds to "Key ID" for OpenPGP keys)
// is NOT the same as a "key identity" used in other calls ot this interface, and
// the values may have no recognizable relationship if the public key is not available.
-func (m openpgpSigningMechanism) UntrustedSignatureContents(untrustedSignature []byte) (untrustedContents []byte, shortKeyIdentifier string, err error) {
+func (m *openpgpSigningMechanism) UntrustedSignatureContents(untrustedSignature []byte) (untrustedContents []byte, shortKeyIdentifier string, err error) {
return gpgUntrustedSignatureContents(untrustedSignature)
}
diff --git a/vendor/github.com/containers/image/v5/types/types.go b/vendor/github.com/containers/image/v5/types/types.go
index d38a17fab..ba249ca25 100644
--- a/vendor/github.com/containers/image/v5/types/types.go
+++ b/vendor/github.com/containers/image/v5/types/types.go
@@ -547,6 +547,8 @@ type SystemContext struct {
// Note that this field is used mainly to integrate containers/image into projectatomic/docker
// in order to not break any existing docker's integration tests.
DockerDisableV1Ping bool
+ // If true, dockerImageDestination.SupportedManifestMIMETypes will omit the Schema1 media types from the supported list
+ DockerDisableDestSchema1MIMETypes bool
// Directory to use for OSTree temporary files
OSTreeTmpDirPath string
diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go
index a92774466..0fd7a4a37 100644
--- a/vendor/github.com/containers/image/v5/version/version.go
+++ b/vendor/github.com/containers/image/v5/version/version.go
@@ -6,9 +6,9 @@ const (
// VersionMajor is for an API incompatible changes
VersionMajor = 5
// VersionMinor is for functionality in a backwards-compatible manner
- VersionMinor = 1
+ VersionMinor = 2
// VersionPatch is for backwards-compatible bug fixes
- VersionPatch = 0
+ VersionPatch = 1
// VersionDev indicates development branch. Releases will be empty string.
VersionDev = ""
diff --git a/vendor/github.com/mtrmac/gpgme/.appveyor.yml b/vendor/github.com/mtrmac/gpgme/.appveyor.yml
new file mode 100644
index 000000000..2fdc09ab5
--- /dev/null
+++ b/vendor/github.com/mtrmac/gpgme/.appveyor.yml
@@ -0,0 +1,40 @@
+---
+version: 0.{build}
+platform: x86
+branches:
+ only:
+ - master
+
+clone_folder: c:\gopath\src\github.com\proglottis\gpgme
+
+environment:
+ GOPATH: c:\gopath
+ GOROOT: C:\go-x86
+ CGO_LDFLAGS: -LC:\gpg\lib
+ CGO_CFLAGS: -IC:\gpg\include
+ GPG_DIR: C:\gpg
+
+install:
+ - nuget install 7ZipCLI -ExcludeVersion
+ - set PATH=%appveyor_build_folder%\7ZipCLI\tools;%PATH%
+ - appveyor DownloadFile https://www.gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.20_20170403.exe -FileName gnupg-w32-2.1.20_20170403.exe
+ - 7z x -o%GPG_DIR% gnupg-w32-2.1.20_20170403.exe
+ - copy "%GPG_DIR%\lib\libgpg-error.imp" "%GPG_DIR%\lib\libgpg-error.a"
+ - copy "%GPG_DIR%\lib\libassuan.imp" "%GPG_DIR%\lib\libassuan.a"
+ - copy "%GPG_DIR%\lib\libgpgme.imp" "%GPG_DIR%\lib\libgpgme.a"
+ - set PATH=%GOPATH%\bin;%GOROOT%\bin;%GPG_DIR%\bin;C:\MinGW\bin;%PATH%
+ - C:\cygwin\bin\sed -i 's/"GPG_AGENT_INFO"/"GPG_AGENT_INFO="/;s/C.unsetenv(v)/C.putenv(v)/' %APPVEYOR_BUILD_FOLDER%\gpgme.go
+
+test_script:
+ - go test -v github.com/proglottis/gpgme
+
+
+build_script:
+ - go build -o example_decrypt.exe -i %APPVEYOR_BUILD_FOLDER%\examples\decrypt.go
+ - go build -o example_encrypt.exe -i %APPVEYOR_BUILD_FOLDER%\examples\encrypt.go
+
+artifacts:
+ - path: example_decrypt.exe
+ name: decrypt example binary
+ - path: example_encrypt.exe
+ name: encrypt example binary \ No newline at end of file
diff --git a/vendor/github.com/mtrmac/gpgme/.travis.yml b/vendor/github.com/mtrmac/gpgme/.travis.yml
new file mode 100644
index 000000000..619e33721
--- /dev/null
+++ b/vendor/github.com/mtrmac/gpgme/.travis.yml
@@ -0,0 +1,32 @@
+---
+language: go
+os:
+ - linux
+ - osx
+ - windows
+dist: xenial
+sudo: false
+
+go:
+ - 1.11
+ - 1.12
+ - 1.13
+
+addons:
+ apt:
+ packages:
+ - libgpgme11-dev
+ homebrew:
+ packages:
+ - gnupg
+ - gnupg@1.4
+ - gpgme
+ update: true
+
+matrix:
+ allow_failures:
+ - os: windows
+
+before_install:
+ - if [[ "$TRAVIS_OS_NAME" == "windows" ]]; then choco install msys2; fi
+ - if [[ "$TRAVIS_OS_NAME" == "windows" ]]; then choco install gpg4win; fi
diff --git a/vendor/github.com/mtrmac/gpgme/data.go b/vendor/github.com/mtrmac/gpgme/data.go
index eebc97263..eee32c032 100644
--- a/vendor/github.com/mtrmac/gpgme/data.go
+++ b/vendor/github.com/mtrmac/gpgme/data.go
@@ -50,25 +50,25 @@ func gogpgme_writefunc(handle, buffer unsafe.Pointer, size C.size_t) C.ssize_t {
}
//export gogpgme_seekfunc
-func gogpgme_seekfunc(handle unsafe.Pointer, offset C.off_t, whence C.int) C.off_t {
+func gogpgme_seekfunc(handle unsafe.Pointer, offset C.gpgme_off_t, whence C.int) C.gpgme_off_t {
d := callbackLookup(uintptr(handle)).(*Data)
n, err := d.s.Seek(int64(offset), int(whence))
if err != nil {
C.gpgme_err_set_errno(C.EIO)
return -1
}
- return C.off_t(n)
+ return C.gpgme_off_t(n)
}
// The Data buffer used to communicate with GPGME
type Data struct {
- dh C.gpgme_data_t
+ dh C.gpgme_data_t // WARNING: Call runtime.KeepAlive(d) after ANY passing of d.dh to C
buf []byte
cbs C.struct_gpgme_data_cbs
r io.Reader
w io.Writer
s io.Seeker
- cbc uintptr
+ cbc uintptr // WARNING: Call runtime.KeepAlive(d) after ANY use of d.cbc in C (typically via d.dh)
}
func newData() *Data {
@@ -154,12 +154,14 @@ func (d *Data) Close() error {
callbackDelete(d.cbc)
}
_, err := C.gpgme_data_release(d.dh)
+ runtime.KeepAlive(d)
d.dh = nil
return err
}
func (d *Data) Write(p []byte) (int, error) {
n, err := C.gpgme_data_write(d.dh, unsafe.Pointer(&p[0]), C.size_t(len(p)))
+ runtime.KeepAlive(d)
if err != nil {
return 0, err
}
@@ -171,6 +173,7 @@ func (d *Data) Write(p []byte) (int, error) {
func (d *Data) Read(p []byte) (int, error) {
n, err := C.gpgme_data_read(d.dh, unsafe.Pointer(&p[0]), C.size_t(len(p)))
+ runtime.KeepAlive(d)
if err != nil {
return 0, err
}
@@ -181,11 +184,14 @@ func (d *Data) Read(p []byte) (int, error) {
}
func (d *Data) Seek(offset int64, whence int) (int64, error) {
- n, err := C.gpgme_data_seek(d.dh, C.off_t(offset), C.int(whence))
+ n, err := C.gogpgme_data_seek(d.dh, C.gpgme_off_t(offset), C.int(whence))
+ runtime.KeepAlive(d)
return int64(n), err
}
// Name returns the associated filename if any
func (d *Data) Name() string {
- return C.GoString(C.gpgme_data_get_file_name(d.dh))
+ res := C.GoString(C.gpgme_data_get_file_name(d.dh))
+ runtime.KeepAlive(d)
+ return res
}
diff --git a/vendor/github.com/mtrmac/gpgme/go.mod b/vendor/github.com/mtrmac/gpgme/go.mod
new file mode 100644
index 000000000..3dd09c9fb
--- /dev/null
+++ b/vendor/github.com/mtrmac/gpgme/go.mod
@@ -0,0 +1,3 @@
+module github.com/mtrmac/gpgme
+
+go 1.11
diff --git a/vendor/github.com/mtrmac/gpgme/go_gpgme.c b/vendor/github.com/mtrmac/gpgme/go_gpgme.c
index b887574e0..00da3ab30 100644
--- a/vendor/github.com/mtrmac/gpgme/go_gpgme.c
+++ b/vendor/github.com/mtrmac/gpgme/go_gpgme.c
@@ -8,6 +8,28 @@ void gogpgme_set_passphrase_cb(gpgme_ctx_t ctx, gpgme_passphrase_cb_t cb, uintpt
gpgme_set_passphrase_cb(ctx, cb, (void *)handle);
}
+gpgme_off_t gogpgme_data_seek(gpgme_data_t dh, gpgme_off_t offset, int whence) {
+ return gpgme_data_seek(dh, offset, whence);
+}
+
+gpgme_error_t gogpgme_op_assuan_transact_ext(
+ gpgme_ctx_t ctx,
+ char* cmd,
+ uintptr_t data_h,
+ uintptr_t inquiry_h,
+ uintptr_t status_h,
+ gpgme_error_t *operr
+ ){
+ return gpgme_op_assuan_transact_ext(
+ ctx,
+ cmd,
+ (gpgme_assuan_data_cb_t) gogpgme_assuan_data_callback, (void *)data_h,
+ (gpgme_assuan_inquire_cb_t) gogpgme_assuan_inquiry_callback, (void *)inquiry_h,
+ (gpgme_assuan_status_cb_t) gogpgme_assuan_status_callback, (void *)status_h,
+ operr
+ );
+}
+
unsigned int key_revoked(gpgme_key_t k) {
return k->revoked;
}
diff --git a/vendor/github.com/mtrmac/gpgme/go_gpgme.h b/vendor/github.com/mtrmac/gpgme/go_gpgme.h
index a3678b127..d4826ab36 100644
--- a/vendor/github.com/mtrmac/gpgme/go_gpgme.h
+++ b/vendor/github.com/mtrmac/gpgme/go_gpgme.h
@@ -6,12 +6,24 @@
#include <gpgme.h>
+/* GPGME_VERSION_NUMBER was introduced in 1.4.0 */
+#if !defined(GPGME_VERSION_NUMBER) || GPGME_VERSION_NUMBER < 0x010402
+typedef off_t gpgme_off_t; /* Introduced in 1.4.2 */
+#endif
+
extern ssize_t gogpgme_readfunc(void *handle, void *buffer, size_t size);
extern ssize_t gogpgme_writefunc(void *handle, void *buffer, size_t size);
extern off_t gogpgme_seekfunc(void *handle, off_t offset, int whence);
extern gpgme_error_t gogpgme_passfunc(void *hook, char *uid_hint, char *passphrase_info, int prev_was_bad, int fd);
extern gpgme_error_t gogpgme_data_new_from_cbs(gpgme_data_t *dh, gpgme_data_cbs_t cbs, uintptr_t handle);
extern void gogpgme_set_passphrase_cb(gpgme_ctx_t ctx, gpgme_passphrase_cb_t cb, uintptr_t handle);
+extern gpgme_off_t gogpgme_data_seek(gpgme_data_t dh, gpgme_off_t offset, int whence);
+
+extern gpgme_error_t gogpgme_op_assuan_transact_ext(gpgme_ctx_t ctx, char *cmd, uintptr_t data_h, uintptr_t inquiry_h , uintptr_t status_h, gpgme_error_t *operr);
+
+extern gpgme_error_t gogpgme_assuan_data_callback(void *opaque, void* data, size_t datalen );
+extern gpgme_error_t gogpgme_assuan_inquiry_callback(void *opaque, char* name, char* args);
+extern gpgme_error_t gogpgme_assuan_status_callback(void *opaque, char* status, char* args);
extern unsigned int key_revoked(gpgme_key_t k);
extern unsigned int key_expired(gpgme_key_t k);
diff --git a/vendor/github.com/mtrmac/gpgme/gpgme.go b/vendor/github.com/mtrmac/gpgme/gpgme.go
index 20aad737c..c19b9aebc 100644
--- a/vendor/github.com/mtrmac/gpgme/gpgme.go
+++ b/vendor/github.com/mtrmac/gpgme/gpgme.go
@@ -7,7 +7,6 @@ package gpgme
// #include <gpgme.h>
// #include "go_gpgme.h"
import "C"
-
import (
"fmt"
"io"
@@ -48,9 +47,8 @@ const (
ProtocolAssuan Protocol = C.GPGME_PROTOCOL_ASSUAN
ProtocolG13 Protocol = C.GPGME_PROTOCOL_G13
ProtocolUIServer Protocol = C.GPGME_PROTOCOL_UISERVER
- // ProtocolSpawn Protocol = C.GPGME_PROTOCOL_SPAWN // Unavailable in 1.4.3
- ProtocolDefault Protocol = C.GPGME_PROTOCOL_DEFAULT
- ProtocolUnknown Protocol = C.GPGME_PROTOCOL_UNKNOWN
+ ProtocolDefault Protocol = C.GPGME_PROTOCOL_DEFAULT
+ ProtocolUnknown Protocol = C.GPGME_PROTOCOL_UNKNOWN
)
type PinEntryMode int
@@ -70,7 +68,6 @@ const (
EncryptNoEncryptTo EncryptFlag = C.GPGME_ENCRYPT_NO_ENCRYPT_TO
EncryptPrepare EncryptFlag = C.GPGME_ENCRYPT_PREPARE
EncryptExceptSign EncryptFlag = C.GPGME_ENCRYPT_EXPECT_SIGN
- // EncryptNoCompress EncryptFlag = C.GPGME_ENCRYPT_NO_COMPRESS // Unavailable in 1.4.3
)
type HashAlgo int
@@ -84,7 +81,6 @@ const (
KeyListModeExtern KeyListMode = C.GPGME_KEYLIST_MODE_EXTERN
KeyListModeSigs KeyListMode = C.GPGME_KEYLIST_MODE_SIGS
KeyListModeSigNotations KeyListMode = C.GPGME_KEYLIST_MODE_SIG_NOTATIONS
- // KeyListModeWithSecret KeyListMode = C.GPGME_KEYLIST_MODE_WITH_SECRET // Unavailable in 1.4.3
KeyListModeEphemeral KeyListMode = C.GPGME_KEYLIST_MODE_EPHEMERAL
KeyListModeModeValidate KeyListMode = C.GPGME_KEYLIST_MODE_VALIDATE
)
@@ -168,39 +164,60 @@ func EngineCheckVersion(p Protocol) error {
}
type EngineInfo struct {
- info C.gpgme_engine_info_t
+ next *EngineInfo
+ protocol Protocol
+ fileName string
+ homeDir string
+ version string
+ requiredVersion string
}
-func (e *EngineInfo) Next() *EngineInfo {
- if e.info.next == nil {
- return nil
+func copyEngineInfo(info C.gpgme_engine_info_t) *EngineInfo {
+ res := &EngineInfo{
+ next: nil,
+ protocol: Protocol(info.protocol),
+ fileName: C.GoString(info.file_name),
+ homeDir: C.GoString(info.home_dir),
+ version: C.GoString(info.version),
+ requiredVersion: C.GoString(info.req_version),
+ }
+ if info.next != nil {
+ res.next = copyEngineInfo(info.next)
}
- return &EngineInfo{info: e.info.next}
+ return res
+}
+
+func (e *EngineInfo) Next() *EngineInfo {
+ return e.next
}
func (e *EngineInfo) Protocol() Protocol {
- return Protocol(e.info.protocol)
+ return e.protocol
}
func (e *EngineInfo) FileName() string {
- return C.GoString(e.info.file_name)
+ return e.fileName
}
func (e *EngineInfo) Version() string {
- return C.GoString(e.info.version)
+ return e.version
}
func (e *EngineInfo) RequiredVersion() string {
- return C.GoString(e.info.req_version)
+ return e.requiredVersion
}
func (e *EngineInfo) HomeDir() string {
- return C.GoString(e.info.home_dir)
+ return e.homeDir
}
func GetEngineInfo() (*EngineInfo, error) {
- info := &EngineInfo{}
- return info, handleError(C.gpgme_get_engine_info(&info.info))
+ var cInfo C.gpgme_engine_info_t
+ err := handleError(C.gpgme_get_engine_info(&cInfo))
+ if err != nil {
+ return nil, err
+ }
+ return copyEngineInfo(cInfo), nil // It is up to the caller not to invalidate cInfo concurrently until this is done.
}
func SetEngineInfo(proto Protocol, fileName, homeDir string) error {
@@ -261,9 +278,9 @@ type Context struct {
KeyError error
callback Callback
- cbc uintptr
+ cbc uintptr // WARNING: Call runtime.KeepAlive(c) after ANY use of c.cbc in C (typically via c.ctx)
- ctx C.gpgme_ctx_t
+ ctx C.gpgme_ctx_t // WARNING: Call runtime.KeepAlive(c) after ANY passing of c.ctx to C
}
func New() (*Context, error) {
@@ -281,49 +298,68 @@ func (c *Context) Release() {
callbackDelete(c.cbc)
}
C.gpgme_release(c.ctx)
+ runtime.KeepAlive(c)
c.ctx = nil
}
func (c *Context) SetArmor(yes bool) {
C.gpgme_set_armor(c.ctx, cbool(yes))
+ runtime.KeepAlive(c)
}
func (c *Context) Armor() bool {
- return C.gpgme_get_armor(c.ctx) != 0
+ res := C.gpgme_get_armor(c.ctx) != 0
+ runtime.KeepAlive(c)
+ return res
}
func (c *Context) SetTextMode(yes bool) {
C.gpgme_set_textmode(c.ctx, cbool(yes))
+ runtime.KeepAlive(c)
}
func (c *Context) TextMode() bool {
- return C.gpgme_get_textmode(c.ctx) != 0
+ res := C.gpgme_get_textmode(c.ctx) != 0
+ runtime.KeepAlive(c)
+ return res
}
func (c *Context) SetProtocol(p Protocol) error {
- return handleError(C.gpgme_set_protocol(c.ctx, C.gpgme_protocol_t(p)))
+ err := handleError(C.gpgme_set_protocol(c.ctx, C.gpgme_protocol_t(p)))
+ runtime.KeepAlive(c)
+ return err
}
func (c *Context) Protocol() Protocol {
- return Protocol(C.gpgme_get_protocol(c.ctx))
+ res := Protocol(C.gpgme_get_protocol(c.ctx))
+ runtime.KeepAlive(c)
+ return res
}
func (c *Context) SetKeyListMode(m KeyListMode) error {
- return handleError(C.gpgme_set_keylist_mode(c.ctx, C.gpgme_keylist_mode_t(m)))
+ err := handleError(C.gpgme_set_keylist_mode(c.ctx, C.gpgme_keylist_mode_t(m)))
+ runtime.KeepAlive(c)
+ return err
}
func (c *Context) KeyListMode() KeyListMode {
- return KeyListMode(C.gpgme_get_keylist_mode(c.ctx))
+ res := KeyListMode(C.gpgme_get_keylist_mode(c.ctx))
+ runtime.KeepAlive(c)
+ return res
}
// Unavailable in 1.3.2:
// func (c *Context) SetPinEntryMode(m PinEntryMode) error {
-// return handleError(C.gpgme_set_pinentry_mode(c.ctx, C.gpgme_pinentry_mode_t(m)))
+// err := handleError(C.gpgme_set_pinentry_mode(c.ctx, C.gpgme_pinentry_mode_t(m)))
+// runtime.KeepAlive(c)
+// return err
// }
// Unavailable in 1.3.2:
// func (c *Context) PinEntryMode() PinEntryMode {
-// return PinEntryMode(C.gpgme_get_pinentry_mode(c.ctx))
+// res := PinEntryMode(C.gpgme_get_pinentry_mode(c.ctx))
+// runtime.KeepAlive(c)
+// return res
// }
func (c *Context) SetCallback(callback Callback) error {
@@ -340,11 +376,17 @@ func (c *Context) SetCallback(callback Callback) error {
c.cbc = 0
_, err = C.gogpgme_set_passphrase_cb(c.ctx, nil, 0)
}
+ runtime.KeepAlive(c)
return err
}
func (c *Context) EngineInfo() *EngineInfo {
- return &EngineInfo{info: C.gpgme_ctx_get_engine_info(c.ctx)}
+ cInfo := C.gpgme_ctx_get_engine_info(c.ctx)
+ runtime.KeepAlive(c)
+ // NOTE: c must be live as long as we are accessing cInfo.
+ res := copyEngineInfo(cInfo)
+ runtime.KeepAlive(c) // for accesses to cInfo
+ return res
}
func (c *Context) SetEngineInfo(proto Protocol, fileName, homeDir string) error {
@@ -357,19 +399,23 @@ func (c *Context) SetEngineInfo(proto Protocol, fileName, homeDir string) error
chome = C.CString(homeDir)
defer C.free(unsafe.Pointer(chome))
}
- return handleError(C.gpgme_ctx_set_engine_info(c.ctx, C.gpgme_protocol_t(proto), cfn, chome))
+ err := handleError(C.gpgme_ctx_set_engine_info(c.ctx, C.gpgme_protocol_t(proto), cfn, chome))
+ runtime.KeepAlive(c)
+ return err
}
func (c *Context) KeyListStart(pattern string, secretOnly bool) error {
cpattern := C.CString(pattern)
defer C.free(unsafe.Pointer(cpattern))
- err := C.gpgme_op_keylist_start(c.ctx, cpattern, cbool(secretOnly))
- return handleError(err)
+ err := handleError(C.gpgme_op_keylist_start(c.ctx, cpattern, cbool(secretOnly)))
+ runtime.KeepAlive(c)
+ return err
}
func (c *Context) KeyListNext() bool {
c.Key = newKey()
err := handleError(C.gpgme_op_keylist_next(c.ctx, &c.Key.k))
+ runtime.KeepAlive(c) // implies runtime.KeepAlive(c.Key)
if err != nil {
if e, ok := err.(Error); ok && e.Code() == ErrorEOF {
c.KeyError = nil
@@ -383,7 +429,9 @@ func (c *Context) KeyListNext() bool {
}
func (c *Context) KeyListEnd() error {
- return handleError(C.gpgme_op_keylist_end(c.ctx))
+ err := handleError(C.gpgme_op_keylist_end(c.ctx))
+ runtime.KeepAlive(c)
+ return err
}
func (c *Context) GetKey(fingerprint string, secret bool) (*Key, error) {
@@ -391,7 +439,11 @@ func (c *Context) GetKey(fingerprint string, secret bool) (*Key, error) {
cfpr := C.CString(fingerprint)
defer C.free(unsafe.Pointer(cfpr))
err := handleError(C.gpgme_get_key(c.ctx, cfpr, &key.k, cbool(secret)))
- if e, ok := err.(Error); key.k == nil && ok && e.Code() == ErrorEOF {
+ runtime.KeepAlive(c)
+ runtime.KeepAlive(key)
+ keyKIsNil := key.k == nil
+ runtime.KeepAlive(key)
+ if e, ok := err.(Error); keyKIsNil && ok && e.Code() == ErrorEOF {
return nil, fmt.Errorf("key %q not found", fingerprint)
}
if err != nil {
@@ -401,11 +453,19 @@ func (c *Context) GetKey(fingerprint string, secret bool) (*Key, error) {
}
func (c *Context) Decrypt(ciphertext, plaintext *Data) error {
- return handleError(C.gpgme_op_decrypt(c.ctx, ciphertext.dh, plaintext.dh))
+ err := handleError(C.gpgme_op_decrypt(c.ctx, ciphertext.dh, plaintext.dh))
+ runtime.KeepAlive(c)
+ runtime.KeepAlive(ciphertext)
+ runtime.KeepAlive(plaintext)
+ return err
}
func (c *Context) DecryptVerify(ciphertext, plaintext *Data) error {
- return handleError(C.gpgme_op_decrypt_verify(c.ctx, ciphertext.dh, plaintext.dh))
+ err := handleError(C.gpgme_op_decrypt_verify(c.ctx, ciphertext.dh, plaintext.dh))
+ runtime.KeepAlive(c)
+ runtime.KeepAlive(ciphertext)
+ runtime.KeepAlive(plaintext)
+ return err
}
type Signature struct {
@@ -432,10 +492,20 @@ func (c *Context) Verify(sig, signedText, plain *Data) (string, []Signature, err
plainPtr = plain.dh
}
err := handleError(C.gpgme_op_verify(c.ctx, sig.dh, signedTextPtr, plainPtr))
+ runtime.KeepAlive(c)
+ runtime.KeepAlive(sig)
+ if signedText != nil {
+ runtime.KeepAlive(signedText)
+ }
+ if plain != nil {
+ runtime.KeepAlive(plain)
+ }
if err != nil {
return "", nil, err
}
res := C.gpgme_op_verify_result(c.ctx)
+ runtime.KeepAlive(c)
+ // NOTE: c must be live as long as we are accessing res.
sigs := []Signature{}
for s := res.signatures; s != nil; s = s.next {
sig := Signature{
@@ -455,7 +525,9 @@ func (c *Context) Verify(sig, signedText, plain *Data) (string, []Signature, err
}
sigs = append(sigs, sig)
}
- return C.GoString(res.file_name), sigs, nil
+ fileName := C.GoString(res.file_name)
+ runtime.KeepAlive(c) // for all accesses to res above
+ return fileName, sigs, nil
}
func (c *Context) Encrypt(recipients []*Key, flags EncryptFlag, plaintext, ciphertext *Data) error {
@@ -467,18 +539,116 @@ func (c *Context) Encrypt(recipients []*Key, flags EncryptFlag, plaintext, ciphe
*ptr = recipients[i].k
}
err := C.gpgme_op_encrypt(c.ctx, (*C.gpgme_key_t)(recp), C.gpgme_encrypt_flags_t(flags), plaintext.dh, ciphertext.dh)
+ runtime.KeepAlive(c)
+ runtime.KeepAlive(recipients)
+ runtime.KeepAlive(plaintext)
+ runtime.KeepAlive(ciphertext)
return handleError(err)
}
func (c *Context) Sign(signers []*Key, plain, sig *Data, mode SigMode) error {
C.gpgme_signers_clear(c.ctx)
+ runtime.KeepAlive(c)
for _, k := range signers {
- if err := handleError(C.gpgme_signers_add(c.ctx, k.k)); err != nil {
+ err := handleError(C.gpgme_signers_add(c.ctx, k.k))
+ runtime.KeepAlive(c)
+ runtime.KeepAlive(k)
+ if err != nil {
C.gpgme_signers_clear(c.ctx)
+ runtime.KeepAlive(c)
return err
}
}
- return handleError(C.gpgme_op_sign(c.ctx, plain.dh, sig.dh, C.gpgme_sig_mode_t(mode)))
+ err := handleError(C.gpgme_op_sign(c.ctx, plain.dh, sig.dh, C.gpgme_sig_mode_t(mode)))
+ runtime.KeepAlive(c)
+ runtime.KeepAlive(plain)
+ runtime.KeepAlive(sig)
+ return err
+}
+
+type AssuanDataCallback func(data []byte) error
+type AssuanInquireCallback func(name, args string) error
+type AssuanStatusCallback func(status, args string) error
+
+// AssuanSend sends a raw Assuan command to gpg-agent
+func (c *Context) AssuanSend(
+ cmd string,
+ data AssuanDataCallback,
+ inquiry AssuanInquireCallback,
+ status AssuanStatusCallback,
+) error {
+ var operr C.gpgme_error_t
+
+ dataPtr := callbackAdd(&data)
+ inquiryPtr := callbackAdd(&inquiry)
+ statusPtr := callbackAdd(&status)
+ cmdCStr := C.CString(cmd)
+ defer C.free(unsafe.Pointer(cmdCStr))
+ err := C.gogpgme_op_assuan_transact_ext(
+ c.ctx,
+ cmdCStr,
+ C.uintptr_t(dataPtr),
+ C.uintptr_t(inquiryPtr),
+ C.uintptr_t(statusPtr),
+ &operr,
+ )
+ runtime.KeepAlive(c)
+
+ if handleError(operr) != nil {
+ return handleError(operr)
+ }
+ return handleError(err)
+}
+
+//export gogpgme_assuan_data_callback
+func gogpgme_assuan_data_callback(handle unsafe.Pointer, data unsafe.Pointer, datalen C.size_t) C.gpgme_error_t {
+ c := callbackLookup(uintptr(handle)).(*AssuanDataCallback)
+ if *c == nil {
+ return 0
+ }
+ (*c)(C.GoBytes(data, C.int(datalen)))
+ return 0
+}
+
+//export gogpgme_assuan_inquiry_callback
+func gogpgme_assuan_inquiry_callback(handle unsafe.Pointer, cName *C.char, cArgs *C.char) C.gpgme_error_t {
+ name := C.GoString(cName)
+ args := C.GoString(cArgs)
+ c := callbackLookup(uintptr(handle)).(*AssuanInquireCallback)
+ if *c == nil {
+ return 0
+ }
+ (*c)(name, args)
+ return 0
+}
+
+//export gogpgme_assuan_status_callback
+func gogpgme_assuan_status_callback(handle unsafe.Pointer, cStatus *C.char, cArgs *C.char) C.gpgme_error_t {
+ status := C.GoString(cStatus)
+ args := C.GoString(cArgs)
+ c := callbackLookup(uintptr(handle)).(*AssuanStatusCallback)
+ if *c == nil {
+ return 0
+ }
+ (*c)(status, args)
+ return 0
+}
+
+// ExportModeFlags defines how keys are exported from Export
+type ExportModeFlags uint
+
+const (
+ ExportModeExtern ExportModeFlags = C.GPGME_EXPORT_MODE_EXTERN
+ ExportModeMinimal ExportModeFlags = C.GPGME_EXPORT_MODE_MINIMAL
+)
+
+func (c *Context) Export(pattern string, mode ExportModeFlags, data *Data) error {
+ pat := C.CString(pattern)
+ defer C.free(unsafe.Pointer(pat))
+ err := handleError(C.gpgme_op_export(c.ctx, pat, C.gpgme_export_mode_t(mode), data.dh))
+ runtime.KeepAlive(c)
+ runtime.KeepAlive(data)
+ return err
}
// ImportStatusFlags describes the type of ImportStatus.Status. The C API in gpgme.h simply uses "unsigned".
@@ -517,10 +687,14 @@ type ImportResult struct {
func (c *Context) Import(keyData *Data) (*ImportResult, error) {
err := handleError(C.gpgme_op_import(c.ctx, keyData.dh))
+ runtime.KeepAlive(c)
+ runtime.KeepAlive(keyData)
if err != nil {
return nil, err
}
res := C.gpgme_op_import_result(c.ctx)
+ runtime.KeepAlive(c)
+ // NOTE: c must be live as long as we are accessing res.
imports := []ImportStatus{}
for s := res.imports; s != nil; s = s.next {
imports = append(imports, ImportStatus{
@@ -529,7 +703,7 @@ func (c *Context) Import(keyData *Data) (*ImportResult, error) {
Status: ImportStatusFlags(s.status),
})
}
- return &ImportResult{
+ importResult := &ImportResult{
Considered: int(res.considered),
NoUserID: int(res.no_user_id),
Imported: int(res.imported),
@@ -544,11 +718,13 @@ func (c *Context) Import(keyData *Data) (*ImportResult, error) {
SecretUnchanged: int(res.secret_unchanged),
NotImported: int(res.not_imported),
Imports: imports,
- }, nil
+ }
+ runtime.KeepAlive(c) // for all accesses to res above
+ return importResult, nil
}
type Key struct {
- k C.gpgme_key_t
+ k C.gpgme_key_t // WARNING: Call Runtime.KeepAlive(k) after ANY passing of k.k to C
}
func newKey() *Key {
@@ -559,85 +735,122 @@ func newKey() *Key {
func (k *Key) Release() {
C.gpgme_key_release(k.k)
+ runtime.KeepAlive(k)
k.k = nil
}
func (k *Key) Revoked() bool {
- return C.key_revoked(k.k) != 0
+ res := C.key_revoked(k.k) != 0
+ runtime.KeepAlive(k)
+ return res
}
func (k *Key) Expired() bool {
- return C.key_expired(k.k) != 0
+ res := C.key_expired(k.k) != 0
+ runtime.KeepAlive(k)
+ return res
}
func (k *Key) Disabled() bool {
- return C.key_disabled(k.k) != 0
+ res := C.key_disabled(k.k) != 0
+ runtime.KeepAlive(k)
+ return res
}
func (k *Key) Invalid() bool {
- return C.key_invalid(k.k) != 0
+ res := C.key_invalid(k.k) != 0
+ runtime.KeepAlive(k)
+ return res
}
func (k *Key) CanEncrypt() bool {
- return C.key_can_encrypt(k.k) != 0
+ res := C.key_can_encrypt(k.k) != 0
+ runtime.KeepAlive(k)
+ return res
}
func (k *Key) CanSign() bool {
- return C.key_can_sign(k.k) != 0
+ res := C.key_can_sign(k.k) != 0
+ runtime.KeepAlive(k)
+ return res
}
func (k *Key) CanCertify() bool {
- return C.key_can_certify(k.k) != 0
+ res := C.key_can_certify(k.k) != 0
+ runtime.KeepAlive(k)
+ return res
}
func (k *Key) Secret() bool {
- return C.key_secret(k.k) != 0
+ res := C.key_secret(k.k) != 0
+ runtime.KeepAlive(k)
+ return res
}
func (k *Key) CanAuthenticate() bool {
- return C.key_can_authenticate(k.k) != 0
+ res := C.key_can_authenticate(k.k) != 0
+ runtime.KeepAlive(k)
+ return res
}
func (k *Key) IsQualified() bool {
- return C.key_is_qualified(k.k) != 0
+ res := C.key_is_qualified(k.k) != 0
+ runtime.KeepAlive(k)
+ return res
}
func (k *Key) Protocol() Protocol {
- return Protocol(k.k.protocol)
+ res := Protocol(k.k.protocol)
+ runtime.KeepAlive(k)
+ return res
}
func (k *Key) IssuerSerial() string {
- return C.GoString(k.k.issuer_serial)
+ res := C.GoString(k.k.issuer_serial)
+ runtime.KeepAlive(k)
+ return res
}
func (k *Key) IssuerName() string {
- return C.GoString(k.k.issuer_name)
+ res := C.GoString(k.k.issuer_name)
+ runtime.KeepAlive(k)
+ return res
}
func (k *Key) ChainID() string {
- return C.GoString(k.k.chain_id)
+ res := C.GoString(k.k.chain_id)
+ runtime.KeepAlive(k)
+ return res
}
func (k *Key) OwnerTrust() Validity {
- return Validity(k.k.owner_trust)
+ res := Validity(k.k.owner_trust)
+ runtime.KeepAlive(k)
+ return res
}
func (k *Key) SubKeys() *SubKey {
- if k.k.subkeys == nil {
+ subKeys := k.k.subkeys
+ runtime.KeepAlive(k)
+ if subKeys == nil {
return nil
}
- return &SubKey{k: k.k.subkeys, parent: k}
+ return &SubKey{k: subKeys, parent: k} // The parent: k reference ensures subKeys remains valid
}
func (k *Key) UserIDs() *UserID {
- if k.k.uids == nil {
+ uids := k.k.uids
+ runtime.KeepAlive(k)
+ if uids == nil {
return nil
}
- return &UserID{u: k.k.uids, parent: k}
+ return &UserID{u: uids, parent: k} // The parent: k reference ensures uids remains valid
}
func (k *Key) KeyListMode() KeyListMode {
- return KeyListMode(k.k.keylist_mode)
+ res := KeyListMode(k.k.keylist_mode)
+ runtime.KeepAlive(k)
+ return res
}
type SubKey struct {
@@ -737,12 +950,3 @@ func (u *UserID) Comment() string {
func (u *UserID) Email() string {
return C.GoString(u.u.email)
}
-
-// This is somewhat of a horrible hack. We need to unset GPG_AGENT_INFO so that gpgme does not pass --use-agent to GPG.
-// os.Unsetenv should be enough, but that only calls the underlying C library (which gpgme uses) if cgo is involved
-// - and cgo can't be used in tests. So, provide this helper for test initialization.
-func unsetenvGPGAgentInfo() {
- v := C.CString("GPG_AGENT_INFO")
- defer C.free(unsafe.Pointer(v))
- C.unsetenv(v)
-}
diff --git a/vendor/github.com/mtrmac/gpgme/unset_agent_info.go b/vendor/github.com/mtrmac/gpgme/unset_agent_info.go
new file mode 100644
index 000000000..986aca59f
--- /dev/null
+++ b/vendor/github.com/mtrmac/gpgme/unset_agent_info.go
@@ -0,0 +1,18 @@
+// +build !windows
+
+package gpgme
+
+// #include <stdlib.h>
+import "C"
+import (
+ "unsafe"
+)
+
+// This is somewhat of a horrible hack. We need to unset GPG_AGENT_INFO so that gpgme does not pass --use-agent to GPG.
+// os.Unsetenv should be enough, but that only calls the underlying C library (which gpgme uses) if cgo is involved
+// - and cgo can't be used in tests. So, provide this helper for test initialization.
+func unsetenvGPGAgentInfo() {
+ v := C.CString("GPG_AGENT_INFO")
+ defer C.free(unsafe.Pointer(v))
+ C.unsetenv(v)
+}
diff --git a/vendor/github.com/mtrmac/gpgme/unset_agent_info_windows.go b/vendor/github.com/mtrmac/gpgme/unset_agent_info_windows.go
new file mode 100644
index 000000000..431ec86d3
--- /dev/null
+++ b/vendor/github.com/mtrmac/gpgme/unset_agent_info_windows.go
@@ -0,0 +1,14 @@
+package gpgme
+
+// #include <stdlib.h>
+import "C"
+import (
+ "unsafe"
+)
+
+// unsetenv is not available in mingw
+func unsetenvGPGAgentInfo() {
+ v := C.CString("GPG_AGENT_INFO=")
+ defer C.free(unsafe.Pointer(v))
+ C.putenv(v)
+}
diff --git a/vendor/github.com/onsi/ginkgo/.travis.yml b/vendor/github.com/onsi/ginkgo/.travis.yml
index b454d643c..65dc3002b 100644
--- a/vendor/github.com/onsi/ginkgo/.travis.yml
+++ b/vendor/github.com/onsi/ginkgo/.travis.yml
@@ -4,14 +4,22 @@ go:
- 1.13.x
- tip
+cache:
+ directories:
+ - $GOPATH/pkg/mod
+
# allow internal package imports, necessary for forked repositories
go_import_path: github.com/onsi/ginkgo
install:
- - go get -v -t ./...
- - go get golang.org/x/tools/cmd/cover
- - go get github.com/onsi/gomega
- - go install github.com/onsi/ginkgo/ginkgo
+ - GO111MODULE="off" go get -v -t ./...
+ - GO111MODULE="off" go get golang.org/x/tools/cmd/cover
+ - GO111MODULE="off" go get github.com/onsi/gomega
+ - GO111MODULE="off" go install github.com/onsi/ginkgo/ginkgo
- export PATH=$PATH:$HOME/gopath/bin
-script: $HOME/gopath/bin/ginkgo -r --randomizeAllSpecs --randomizeSuites --race --trace && go vet
+script:
+ - GO111MODULE="on" go mod tidy
+ - diff -u <(echo -n) <(git diff go.mod)
+ - diff -u <(echo -n) <(git diff go.sum)
+ - $HOME/gopath/bin/ginkgo -r --randomizeAllSpecs --randomizeSuites --race --trace && go vet
diff --git a/vendor/github.com/onsi/ginkgo/CHANGELOG.md b/vendor/github.com/onsi/ginkgo/CHANGELOG.md
index 96f03ad7c..84b479404 100644
--- a/vendor/github.com/onsi/ginkgo/CHANGELOG.md
+++ b/vendor/github.com/onsi/ginkgo/CHANGELOG.md
@@ -1,3 +1,8 @@
+## 1.12.0
+
+### Features
+- Add module definition (#630) [78916ab]
+
## 1.11.0
### Features
diff --git a/vendor/github.com/onsi/ginkgo/config/config.go b/vendor/github.com/onsi/ginkgo/config/config.go
index 14c82ec3a..949f8130f 100644
--- a/vendor/github.com/onsi/ginkgo/config/config.go
+++ b/vendor/github.com/onsi/ginkgo/config/config.go
@@ -20,7 +20,7 @@ import (
"fmt"
)
-const VERSION = "1.11.0"
+const VERSION = "1.12.0"
type GinkgoConfigType struct {
RandomSeed int64
diff --git a/vendor/github.com/onsi/ginkgo/go.mod b/vendor/github.com/onsi/ginkgo/go.mod
new file mode 100644
index 000000000..15a4ab571
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/go.mod
@@ -0,0 +1,9 @@
+module github.com/onsi/ginkgo
+
+require (
+ github.com/hpcloud/tail v1.0.0
+ github.com/onsi/gomega v1.7.1
+ golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e
+)
+
+go 1.12
diff --git a/vendor/github.com/onsi/ginkgo/go.sum b/vendor/github.com/onsi/ginkgo/go.sum
new file mode 100644
index 000000000..29adce41a
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/go.sum
@@ -0,0 +1,26 @@
+github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v1.7.1 h1:K0jcRCwNQM3vFGh1ppMtDh/+7ApJrjldlX8fA0jDTLQ=
+github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd h1:nTDtHvHSdCn1m6ITfMRqtOd/9+7a3s8RBNOZ3eYZzJA=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f h1:wMNYb4v58l5UBM7MYRLPG6ZhfOqbKu7X5eyFl8ZhKvA=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e h1:N7DeIrjYszNmSW409R3frPPwglRwMkXSBzwVbkOjLLA=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/vendor/github.com/vbauerster/mpb/v4/bar_option.go b/vendor/github.com/vbauerster/mpb/v4/bar_option.go
index bb79ac6a4..7fb152562 100644
--- a/vendor/github.com/vbauerster/mpb/v4/bar_option.go
+++ b/vendor/github.com/vbauerster/mpb/v4/bar_option.go
@@ -10,11 +10,10 @@ import (
// BarOption is a function option which changes the default behavior of a bar.
type BarOption func(*bState)
-type mergeWrapper interface {
- MergeUnwrap() []decor.Decorator
-}
-
func (s *bState) addDecorators(dest *[]decor.Decorator, decorators ...decor.Decorator) {
+ type mergeWrapper interface {
+ MergeUnwrap() []decor.Decorator
+ }
for _, decorator := range decorators {
if mw, ok := decorator.(mergeWrapper); ok {
*dest = append(*dest, mw.MergeUnwrap()...)
diff --git a/vendor/github.com/vbauerster/mpb/v4/decor/decorator.go b/vendor/github.com/vbauerster/mpb/v4/decor/decorator.go
index 5c0d16880..2271cbbe1 100644
--- a/vendor/github.com/vbauerster/mpb/v4/decor/decorator.go
+++ b/vendor/github.com/vbauerster/mpb/v4/decor/decorator.go
@@ -4,6 +4,8 @@ import (
"fmt"
"time"
"unicode/utf8"
+
+ "github.com/acarl005/stripansi"
)
const (
@@ -117,25 +119,29 @@ var (
// W represents width and C represents bit set of width related config.
// A decorator should embed WC, to enable width synchronization.
type WC struct {
- W int
- C int
- dynFormat string
- staticFormat string
- wsync chan int
+ W int
+ C int
+ dynFormat string
+ wsync chan int
}
// FormatMsg formats final message according to WC.W and WC.C.
// Should be called by any Decorator implementation.
func (wc *WC) FormatMsg(msg string) string {
+ var format string
+ runeCount := utf8.RuneCountInString(stripansi.Strip(msg))
+ ansiCount := utf8.RuneCountInString(msg) - runeCount
if (wc.C & DSyncWidth) != 0 {
- wc.wsync <- utf8.RuneCountInString(msg)
- max := <-wc.wsync
if (wc.C & DextraSpace) != 0 {
- max++
+ runeCount++
}
- return fmt.Sprintf(fmt.Sprintf(wc.dynFormat, max), msg)
+ wc.wsync <- runeCount
+ max := <-wc.wsync
+ format = fmt.Sprintf(wc.dynFormat, ansiCount+max)
+ } else {
+ format = fmt.Sprintf(wc.dynFormat, ansiCount+wc.W)
}
- return fmt.Sprintf(wc.staticFormat, msg)
+ return fmt.Sprintf(format, msg)
}
// Init initializes width related config.
@@ -145,7 +151,6 @@ func (wc *WC) Init() WC {
wc.dynFormat += "-"
}
wc.dynFormat += "%ds"
- wc.staticFormat = fmt.Sprintf(wc.dynFormat, wc.W)
if (wc.C & DSyncWidth) != 0 {
// it's deliberate choice to override wsync on each Init() call,
// this way globals like WCSyncSpace can be reused
diff --git a/vendor/github.com/vbauerster/mpb/v4/decor/merge.go b/vendor/github.com/vbauerster/mpb/v4/decor/merge.go
index fdf9e107b..723869209 100644
--- a/vendor/github.com/vbauerster/mpb/v4/decor/merge.go
+++ b/vendor/github.com/vbauerster/mpb/v4/decor/merge.go
@@ -2,6 +2,7 @@ package decor
import (
"fmt"
+ "strings"
"unicode/utf8"
)
@@ -28,10 +29,7 @@ func Merge(decorator Decorator, placeholders ...WC) Decorator {
if (wc.C & DSyncWidth) == 0 {
return decorator
}
- md.placeHolders[i] = &placeHolderDecorator{
- WC: wc.Init(),
- wch: make(chan int),
- }
+ md.placeHolders[i] = &placeHolderDecorator{wc.Init()}
}
return md
}
@@ -69,29 +67,40 @@ func (d *mergeDecorator) Base() Decorator {
func (d *mergeDecorator) Decor(st *Statistics) string {
msg := d.Decorator.Decor(st)
msgLen := utf8.RuneCountInString(msg)
-
- var space int
- for _, ph := range d.placeHolders {
- space += <-ph.wch
+ if (d.wc.C & DextraSpace) != 0 {
+ msgLen++
}
- d.wc.wsync <- msgLen - space
+ var total int
+ max := utf8.RuneCountInString(d.placeHolders[0].FormatMsg(""))
+ total += max
+ pw := (msgLen - max) / len(d.placeHolders)
+ rem := (msgLen - max) % len(d.placeHolders)
- max := <-d.wc.wsync
- if (d.wc.C & DextraSpace) != 0 {
- max++
+ var diff int
+ for i := 1; i < len(d.placeHolders); i++ {
+ ph := d.placeHolders[i]
+ width := pw - diff
+ if (ph.WC.C & DextraSpace) != 0 {
+ width--
+ if width < 0 {
+ width = 0
+ }
+ }
+ max = utf8.RuneCountInString(ph.FormatMsg(strings.Repeat(" ", width)))
+ total += max
+ diff = max - pw
}
- return fmt.Sprintf(fmt.Sprintf(d.wc.dynFormat, max+space), msg)
+
+ d.wc.wsync <- pw + rem
+ max = <-d.wc.wsync
+ return fmt.Sprintf(fmt.Sprintf(d.wc.dynFormat, max+total), msg)
}
type placeHolderDecorator struct {
WC
- wch chan int
}
-func (d *placeHolderDecorator) Decor(st *Statistics) string {
- go func() {
- d.wch <- utf8.RuneCountInString(d.FormatMsg(""))
- }()
+func (d *placeHolderDecorator) Decor(_ *Statistics) string {
return ""
}
diff --git a/vendor/github.com/vbauerster/mpb/v4/go.mod b/vendor/github.com/vbauerster/mpb/v4/go.mod
index 0c5ce51f1..9e7287d5d 100644
--- a/vendor/github.com/vbauerster/mpb/v4/go.mod
+++ b/vendor/github.com/vbauerster/mpb/v4/go.mod
@@ -2,6 +2,7 @@ module github.com/vbauerster/mpb/v4
require (
github.com/VividCortex/ewma v1.1.1
+ github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708
golang.org/x/sys v0.0.0-20191113165036-4c7a9d0fe056 // indirect
)
diff --git a/vendor/github.com/vbauerster/mpb/v4/go.sum b/vendor/github.com/vbauerster/mpb/v4/go.sum
index 94a9f1a28..5a1316274 100644
--- a/vendor/github.com/vbauerster/mpb/v4/go.sum
+++ b/vendor/github.com/vbauerster/mpb/v4/go.sum
@@ -1,5 +1,7 @@
github.com/VividCortex/ewma v1.1.1 h1:MnEK4VOv6n0RSY4vtRe3h11qjxL3+t0B8yOL8iMXdcM=
github.com/VividCortex/ewma v1.1.1/go.mod h1:2Tkkvm3sRDVXaiyucHiACn4cqf7DpdyLvmxzcbUokwA=
+github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpHMqeKTCYkitsPqHNxTmd4SNR5r94FGM8=
+github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708 h1:pXVtWnwHkrWD9ru3sDxY/qFK/bfc0egRovX91EjWjf4=
golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
diff --git a/vendor/github.com/vbauerster/mpb/v4/proxyreader.go b/vendor/github.com/vbauerster/mpb/v4/proxyreader.go
index 736142412..0e4b51f09 100644
--- a/vendor/github.com/vbauerster/mpb/v4/proxyreader.go
+++ b/vendor/github.com/vbauerster/mpb/v4/proxyreader.go
@@ -18,9 +18,7 @@ func (prox *proxyReader) Read(p []byte) (n int, err error) {
prox.iT = time.Now()
}
if err == io.EOF {
- go func() {
- prox.bar.SetTotal(0, true)
- }()
+ go prox.bar.SetTotal(0, true)
}
return
}
@@ -37,9 +35,7 @@ func (prox *proxyWriterTo) WriteTo(w io.Writer) (n int64, err error) {
prox.iT = time.Now()
}
if err == io.EOF {
- go func() {
- prox.bar.SetTotal(0, true)
- }()
+ go prox.bar.SetTotal(0, true)
}
return
}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 2a384e865..5c2485f38 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -29,6 +29,8 @@ github.com/Microsoft/hcsshim/internal/wclayer
github.com/Microsoft/hcsshim/osversion
# github.com/VividCortex/ewma v1.1.1
github.com/VividCortex/ewma
+# github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
+github.com/acarl005/stripansi
# github.com/beorn7/perks v1.0.1
github.com/beorn7/perks/quantile
# github.com/blang/semver v3.5.1+incompatible
@@ -80,7 +82,7 @@ github.com/containers/common/pkg/cgroups
github.com/containers/common/pkg/unshare
# github.com/containers/conmon v2.0.10+incompatible
github.com/containers/conmon/runner/config
-# github.com/containers/image/v5 v5.1.0
+# github.com/containers/image/v5 v5.2.1
github.com/containers/image/v5/copy
github.com/containers/image/v5/directory
github.com/containers/image/v5/directory/explicitfilepath
@@ -91,6 +93,7 @@ github.com/containers/image/v5/docker/policyconfiguration
github.com/containers/image/v5/docker/reference
github.com/containers/image/v5/docker/tarfile
github.com/containers/image/v5/image
+github.com/containers/image/v5/internal/iolimits
github.com/containers/image/v5/internal/pkg/keyctl
github.com/containers/image/v5/internal/tmpdir
github.com/containers/image/v5/manifest
@@ -337,9 +340,9 @@ github.com/modern-go/reflect2
github.com/morikuni/aec
# github.com/mrunalp/fileutils v0.0.0-20171103030105-7d4729fb3618
github.com/mrunalp/fileutils
-# github.com/mtrmac/gpgme v0.0.0-20170102180018-b2432428689c
+# github.com/mtrmac/gpgme v0.1.2
github.com/mtrmac/gpgme
-# github.com/onsi/ginkgo v1.11.0
+# github.com/onsi/ginkgo v1.12.0
github.com/onsi/ginkgo
github.com/onsi/ginkgo/config
github.com/onsi/ginkgo/extensions/table
@@ -510,7 +513,7 @@ github.com/varlink/go/varlink/idl
github.com/vbatts/tar-split/archive/tar
github.com/vbatts/tar-split/tar/asm
github.com/vbatts/tar-split/tar/storage
-# github.com/vbauerster/mpb/v4 v4.11.1
+# github.com/vbauerster/mpb/v4 v4.11.2
github.com/vbauerster/mpb/v4
github.com/vbauerster/mpb/v4/cwriter
github.com/vbauerster/mpb/v4/decor
diff --git a/version/version.go b/version/version.go
index 4665023a4..d5926d744 100644
--- a/version/version.go
+++ b/version/version.go
@@ -4,7 +4,7 @@ package version
// NOTE: remember to bump the version at the top
// of the top-level README.md file when this is
// bumped.
-const Version = "1.8.0-dev"
+const Version = "1.8.1-dev"
// RemoteAPIVersion is the version for the remote
// client API. It is used to determine compatibility