diff options
| -rw-r--r-- | Makefile | 4 | ||||
| -rw-r--r-- | contrib/gate/Dockerfile | 2 | ||||
| -rw-r--r-- | docs/tutorials/rootless_tutorial.md | 6 | ||||
| -rwxr-xr-x | hack/podman-registry | 17 | ||||
| -rw-r--r-- | pkg/bindings/connection.go | 14 | ||||
| -rw-r--r-- | pkg/bindings/containers/containers.go | 61 | ||||
| -rw-r--r-- | pkg/bindings/containers/logs.go | 1 | ||||
| -rw-r--r-- | test/e2e/attach_test.go | 1 |
8 files changed, 65 insertions, 41 deletions
@@ -318,7 +318,7 @@ localunit: test/goecho/goecho varlink_generate ginkgo \ -r \ $(TESTFLAGS) \ - --skipPackage test/e2e,pkg/apparmor,test/endpoint,pkg/bindings \ + --skipPackage test/e2e,pkg/apparmor,test/endpoint,pkg/bindings,hack \ --cover \ --covermode atomic \ --tags "$(BUILDTAGS)" \ @@ -326,7 +326,7 @@ localunit: test/goecho/goecho varlink_generate .PHONY: ginkgo ginkgo: - ginkgo -v $(TESTFLAGS) -tags "$(BUILDTAGS)" $(GINKGOTIMEOUT) -cover -flakeAttempts 3 -progress -trace -noColor -nodes 3 -debug test/e2e/. + ginkgo -v $(TESTFLAGS) -tags "$(BUILDTAGS)" $(GINKGOTIMEOUT) -cover -flakeAttempts 3 -progress -trace -noColor -nodes 3 -debug test/e2e/. hack/. .PHONY: ginkgo-remote ginkgo-remote: diff --git a/contrib/gate/Dockerfile b/contrib/gate/Dockerfile index aa827c385..f86709b00 100644 --- a/contrib/gate/Dockerfile +++ b/contrib/gate/Dockerfile @@ -12,7 +12,7 @@ COPY . $GOSRC # Install packages from dependencies.txt, ignoring commented lines # Note: adding conmon and crun so podman command checks will work RUN dnf -y install \ - $(grep "^[^#]" $GOSRC/contrib/dependencies.txt) diffutils containers-common fuse-overlayfs conmon crun runc --exclude container-selinux \ + $(grep "^[^#]" $GOSRC/contrib/dependencies.txt) diffutils containers-common fuse-overlayfs conmon crun runc --exclude container-selinux; \ sed -i -e 's|^#mount_program|mount_program|g' /etc/containers/storage.conf \ && dnf clean all diff --git a/docs/tutorials/rootless_tutorial.md b/docs/tutorials/rootless_tutorial.md index 93726b3b1..440e12062 100644 --- a/docs/tutorials/rootless_tutorial.md +++ b/docs/tutorials/rootless_tutorial.md @@ -58,7 +58,7 @@ The number of user namespaces that are allowed on the system is specified in the ### /etc/subuid and /etc/subgid configuration -Rootless podman requires the user running it to have a range of UIDs listed in /etc/subuid and /etc/subgid files. The `shadows-utils` or `newuid` package provides these files on different distributions and they must be installed on the system. These files will need someone with root privileges on the system to add or update the entries within them. The following is a summarization from the [How does rootless Podman work?](https://opensource.com/article/19/2/how-does-rootless-podman-work) article by Dan Walsh on [opensource.com](https://opensource.com) +Rootless Podman requires the user running it to have a range of UIDs listed in /etc/subuid and /etc/subgid files. The `shadows-utils` or `newuid` package provides these files on different distributions and they must be installed on the system. These files will need someone with root privileges on the system to add or update the entries within them. The following is a summarization from the [How does rootless Podman work?](https://opensource.com/article/19/2/how-does-rootless-podman-work) article by Dan Walsh on [opensource.com](https://opensource.com) Update the /etc/subuid and /etc/subgid with fields for each user that will be allowed to create containers that look like the following. Note that the values for each user must be unique and without any overlap. If there is an overlap, there is a potential for a user to use another’s namespace and they could corrupt it. @@ -112,7 +112,7 @@ The default authorization file used by the `podman login` and `podman logout` co ### Using volumes -Rootless Podman is not, and will never be, root; it's not a setuid binary, and gains no privileges when it runs. Instead, Podman makes use of a user namespace to shift the UIDs and GIDs of a block of users it is given access to on the host (via the newuidmap and newgidmap executables) and your own user within the containers that podman creates. +Rootless Podman is not, and will never be, root; it's not a setuid binary, and gains no privileges when it runs. Instead, Podman makes use of a user namespace to shift the UIDs and GIDs of a block of users it is given access to on the host (via the newuidmap and newgidmap executables) and your own user within the containers that Podman creates. If your container runs with the root user, then `root` in the container is actually your user on the host. UID/GID 1 is the first UID/GID specified in your user's mapping in `/etc/subuid` and `/etc/subgid`, etc. If you mount a directory from the host into a container as a rootless user, and create a file in that directory as root in the container, you'll see it's actually owned by your user on the host. @@ -143,7 +143,7 @@ total 0 We do recognize that this doesn't really match how many people intend to use rootless Podman - they want their UID inside and outside the container to match. Thus, we provide the `--userns=keep-id` flag, which ensures that your user is mapped to its own UID and GID inside the container. -It is also helpful to distinguish between running podman as a rootless user, and a container which is built to run rootless. If the container you're trying you run has a `USER` which is not root, then when mounting volumes you **must** use `--userns=keep-id`. This is because the container user would not be able to become `root` and access the mounted volumes. +It is also helpful to distinguish between running Podman as a rootless user, and a container which is built to run rootless. If the container you're trying you run has a `USER` which is not root, then when mounting volumes you **must** use `--userns=keep-id`. This is because the container user would not be able to become `root` and access the mounted volumes. Other considerations in regards to volumes: diff --git a/hack/podman-registry b/hack/podman-registry index 79dff8b70..fe79b7d9d 100755 --- a/hack/podman-registry +++ b/hack/podman-registry @@ -14,7 +14,7 @@ PODMAN_REGISTRY_PASS= PODMAN_REGISTRY_PORT= # Podman binary to run -PODMAN=${PODMAN:-$(type -p podman)} +PODMAN=${PODMAN:-$(dirname $0)/../bin/podman} # END defaults ############################################################################### @@ -176,11 +176,16 @@ function do_start() { -out ${AUTHDIR}/domain.crt \ -subj "/C=US/ST=Foo/L=Bar/O=Red Hat, Inc./CN=localhost" - # Store credentials where container will see them - must_pass podman run --rm \ - --entrypoint htpasswd ${PODMAN_REGISTRY_IMAGE} \ - -Bbn ${PODMAN_REGISTRY_USER} ${PODMAN_REGISTRY_PASS} \ - > $AUTHDIR/htpasswd + # Store credentials where container will see them. We can't run + # this one via must_pass because we need its stdout. + podman run --rm \ + --entrypoint htpasswd ${PODMAN_REGISTRY_IMAGE} \ + -Bbn ${PODMAN_REGISTRY_USER} ${PODMAN_REGISTRY_PASS} \ + > $AUTHDIR/htpasswd + if [ $? -ne 0 ]; then + rm -rf ${PODMAN_REGISTRY_WORKDIR} + die "Command failed: podman run [htpasswd]" + fi # In case someone needs to debug echo "${PODMAN_REGISTRY_USER}:${PODMAN_REGISTRY_PASS}" \ diff --git a/pkg/bindings/connection.go b/pkg/bindings/connection.go index d21d55beb..d30698c1d 100644 --- a/pkg/bindings/connection.go +++ b/pkg/bindings/connection.go @@ -16,7 +16,6 @@ import ( "time" "github.com/blang/semver" - "github.com/containers/libpod/pkg/api/types" jsoniter "github.com/json-iterator/go" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -28,7 +27,7 @@ var ( basePath = &url.URL{ Scheme: "http", Host: "d", - Path: "/v" + types.MinimalAPIVersion + "/libpod", + Path: "/v" + APIVersion.String() + "/libpod", } ) @@ -157,17 +156,22 @@ func pingNewConnection(ctx context.Context) error { } if response.StatusCode == http.StatusOK { - v, err := semver.ParseTolerant(response.Header.Get("Libpod-API-Version")) + versionHdr := response.Header.Get("Libpod-API-Version") + if versionHdr == "" { + logrus.Info("Service did not provide Libpod-API-Version Header") + return nil + } + versionSrv, err := semver.ParseTolerant(versionHdr) if err != nil { return err } - switch APIVersion.Compare(v) { + switch APIVersion.Compare(versionSrv) { case 1, 0: // Server's job when client version is equal or older return nil case -1: - return errors.Errorf("server API version is too old. client %q server %q", APIVersion.String(), v.String()) + return errors.Errorf("server API version is too old. client %q server %q", APIVersion.String(), versionSrv.String()) } } return errors.Errorf("ping response was %q", response.StatusCode) diff --git a/pkg/bindings/containers/containers.go b/pkg/bindings/containers/containers.go index 39a077f36..81e213d2b 100644 --- a/pkg/bindings/containers/containers.go +++ b/pkg/bindings/containers/containers.go @@ -9,6 +9,7 @@ import ( "net/url" "os" "os/signal" + "reflect" "strconv" "strings" @@ -347,6 +348,26 @@ func ContainerInit(ctx context.Context, nameOrID string) error { // Attach attaches to a running container func Attach(ctx context.Context, nameOrId string, detachKeys *string, logs, stream *bool, stdin io.Reader, stdout io.Writer, stderr io.Writer, attachReady chan bool) error { + isSet := struct { + stdin bool + stdout bool + stderr bool + }{ + stdin: !(stdin == nil || reflect.ValueOf(stdin).IsNil()), + stdout: !(stdout == nil || reflect.ValueOf(stdout).IsNil()), + stderr: !(stderr == nil || reflect.ValueOf(stderr).IsNil()), + } + // Ensure golang can determine that interfaces are "really" nil + if !isSet.stdin { + stdin = (io.Reader)(nil) + } + if !isSet.stdout { + stdout = (io.Writer)(nil) + } + if !isSet.stderr { + stderr = (io.Writer)(nil) + } + conn, err := bindings.GetClient(ctx) if err != nil { return err @@ -368,13 +389,13 @@ func Attach(ctx context.Context, nameOrId string, detachKeys *string, logs, stre if stream != nil { params.Add("stream", fmt.Sprintf("%t", *stream)) } - if stdin != nil { + if isSet.stdin { params.Add("stdin", "true") } - if stdout != nil { + if isSet.stdout { params.Add("stdout", "true") } - if stderr != nil { + if isSet.stderr { params.Add("stderr", "true") } @@ -422,32 +443,26 @@ func Attach(ctx context.Context, nameOrId string, detachKeys *string, logs, stre }() } - response, err := conn.DoRequest(nil, http.MethodPost, "/containers/%s/attach", params, nameOrId) + response, err := conn.DoRequest(stdin, http.MethodPost, "/containers/%s/attach", params, nameOrId) if err != nil { return err } - defer response.Body.Close() + if !(response.IsSuccess() || response.IsInformational()) { + return response.Process(nil) + } + // If we are attaching around a start, we need to "signal" // back that we are in fact attached so that started does // not execute before we can attach. if attachReady != nil { attachReady <- true } - if !(response.IsSuccess() || response.IsInformational()) { - return response.Process(nil) - } - - if stdin != nil { - go func() { - _, err := io.Copy(conn, stdin) - if err != nil { - logrus.Error("failed to write input to service: " + err.Error()) - } - }() - } buffer := make([]byte, 1024) if ctnr.Config.Tty { + if !isSet.stdout { + return fmt.Errorf("container %q requires stdout to be set", ctnr.ID) + } // If not multiplex'ed, read from server and write to stdout _, err := io.Copy(stdout, response.Body) if err != nil { @@ -469,25 +484,25 @@ func Attach(ctx context.Context, nameOrId string, detachKeys *string, logs, stre } switch { - case fd == 0 && stdin != nil: + case fd == 0 && isSet.stdout: _, err := stdout.Write(frame[0:l]) if err != nil { return err } - case fd == 1 && stdout != nil: + case fd == 1 && isSet.stdout: _, err := stdout.Write(frame[0:l]) if err != nil { return err } - case fd == 2 && stderr != nil: + case fd == 2 && isSet.stderr: _, err := stderr.Write(frame[0:l]) if err != nil { return err } case fd == 3: - return errors.New("error from service in stream: " + string(frame)) + return fmt.Errorf("error from service from stream: %s", frame) default: - return fmt.Errorf("unrecognized input header: %d", fd) + return fmt.Errorf("unrecognized channel in header: %d, 0-3 supported", fd) } } } @@ -520,6 +535,7 @@ func DemuxFrame(r io.Reader, buffer []byte, length int) (frame []byte, err error if len(buffer) < length { buffer = append(buffer, make([]byte, length-len(buffer)+1)...) } + n, err := io.ReadFull(r, buffer[0:length]) if err != nil { return nil, nil @@ -528,6 +544,7 @@ func DemuxFrame(r io.Reader, buffer []byte, length int) (frame []byte, err error err = io.ErrUnexpectedEOF return } + return buffer[0:length], nil } diff --git a/pkg/bindings/containers/logs.go b/pkg/bindings/containers/logs.go index 20c8b4292..7fea30003 100644 --- a/pkg/bindings/containers/logs.go +++ b/pkg/bindings/containers/logs.go @@ -50,7 +50,6 @@ func Logs(ctx context.Context, nameOrID string, opts LogOptions, stdoutChan, std if err != nil { return err } - defer response.Body.Close() buffer := make([]byte, 1024) for { diff --git a/test/e2e/attach_test.go b/test/e2e/attach_test.go index 7233d169c..e9050b53b 100644 --- a/test/e2e/attach_test.go +++ b/test/e2e/attach_test.go @@ -33,7 +33,6 @@ var _ = Describe("Podman attach", func() { podmanTest.Cleanup() f := CurrentGinkgoTestDescription() processTestResult(f) - }) It("podman attach to bogus container", func() { |