Diffstat (limited to 'contrib')
-rwxr-xr-x | contrib/dependabot-dance | 114 | ||||
-rw-r--r-- | contrib/imgprune/Dockerfile | 7 | ||||
-rw-r--r-- | contrib/imgprune/README.md | 11 | ||||
-rwxr-xr-x | contrib/imgprune/entrypoint.sh | 106 | ||||
-rw-r--r-- | contrib/imgts/Dockerfile | 20 | ||||
-rw-r--r-- | contrib/imgts/README.md | 11 | ||||
-rwxr-xr-x | contrib/imgts/entrypoint.sh | 23 | ||||
-rw-r--r-- | contrib/imgts/google-cloud-sdk.repo | 8 | ||||
-rw-r--r-- | contrib/imgts/lib_entrypoint.sh | 49 | ||||
-rw-r--r-- | contrib/rootless-cni-infra/Containerfile | 5 | ||||
-rw-r--r-- | contrib/rootless-cni-infra/README.md | 3 | ||||
-rwxr-xr-x | contrib/rootless-cni-infra/rootless-cni-infra | 30 | ||||
-rw-r--r-- | contrib/spec/podman.spec.in | 2 | ||||
-rw-r--r-- | contrib/upldrel/Dockerfile | 9 | ||||
-rw-r--r-- | contrib/upldrel/README.md | 9 | ||||
-rwxr-xr-x | contrib/upldrel/entrypoint.sh | 27 |
16 files changed, 147 insertions, 287 deletions
diff --git a/contrib/dependabot-dance b/contrib/dependabot-dance
new file mode 100755
index 000000000..3cf740753
--- /dev/null
+++ b/contrib/dependabot-dance
@@ -0,0 +1,114 @@ +#! /usr/bin/env bash +# +# dependabot-dance - invoked to perform manual steps on podman dependabot PRs +# +# As best I can tell (please correct me if mistaken), dependabot's job is +# to submit PRs with a change only in 'go.mod' but without actually +# running 'make vendor' to update the source files under vendor. This +# requires a human to run those steps. +# +# This script automates that, with a few safety checks. +# +ME=$(basename $0) +missing=" argument is missing; see $ME --help for details" +usage="Usage: $ME [--help] [-v|--verbose] + +$ME performs a series of magical steps to get dependabot PRs +ready for merge. The important one is 'make vendor-in-container', +everything else is scaffolding to check out the PR and push it back. + +Flags: + --help display usage message + -v, --verbose verbose output +" + +verbose= +for i +do + value=$(expr "$i" : '[^=]*=\(.*\)') + case "$i" in + -h*|--help) echo "$usage"; exit 0;; + -v|--verbose) verbose=$i; shift;; + -*) echo "$ME: unrecognized option $i" >&2 + echo "$usage" >&2 + exit 1;; + *) break;; + esac +done + +die () { + echo "$ME: $*" >&2 + exit 1 +} + +function branch_dance() { + local branch="$1" + + # User will appreciate seeing 'git' and 'make' commands, but nothing else + set -x + git checkout -t $branch + set +x + + # Commit must be from dependabot + author=$(git show --no-patch --format='format:%an' HEAD) + if ! [[ $author =~ dependabot ]]; then + echo + echo "Commit author is '$author' (expected 'dependabot')" + echo -n "Continue? [y/N] " + read ans + case "$ans" in + [yY]*) ;; + *) exit 1;; + esac + fi + + # This is what does all the work + set -x + make vendor-in-container + set +x + + # Now make sure at least *something* changed under vendor + modified=$(git ls-files -m vendor) + if [[ -z "$modified" ]]; then + echo "No files changed under 'vendor' -- nothing to do!" 
+ return + fi + + # Okay, here we go + set -x + git add vendor + git commit -a --amend -s --no-edit + git push --force + set +x + + # Try to leave things in relatively clean state; remove local branch copy + local tracking_branch=$(git branch --show-current) + git checkout master + git branch -d $tracking_branch +} + + + + +# Make sure we're cd'ed to the top level of a podman repo +test -d .git || die "No .git subdirectory (please cd to top level)" + +# Clear all dependabot remote branches +git branch -r | grep /dependabot/go_modules/ \ + | xargs --no-run-if-empty git branch -r -d + +# ...and pull new ones +git pull --all + +# Abort on any error from here on +set -e + +# We cannot have any git-modified files +modified=$(git ls-files -m) +test -z "$modified" || die "Modified files exist: $modified" + +for branch in $(git branch -r | grep /dependabot/go_modules/); do + echo + echo ">>>>> $branch" + branch_dance $branch +done diff --git a/contrib/imgprune/Dockerfile b/contrib/imgprune/Dockerfile deleted file mode 100644 index b0dc77da5..000000000 --- a/contrib/imgprune/Dockerfile +++ /dev/null @@ -1,7 +0,0 @@ -FROM quay.io/libpod/imgts:latest - -RUN yum -y update && \ - yum clean all - -COPY /contrib/imgprune/entrypoint.sh /usr/local/bin/entrypoint.sh -RUN chmod 755 /usr/local/bin/entrypoint.sh diff --git a/contrib/imgprune/README.md b/contrib/imgprune/README.md deleted file mode 100644 index 48abc2028..000000000 --- a/contrib/imgprune/README.md +++ /dev/null @@ -1,11 +0,0 @@ -![PODMAN logo](../../logo/podman-logo-source.svg) - -A container image for maintaining the collection of -VM images used by CI/CD on this project and several others. -Acts upon metadata maintained by the imgts container. - -Example build (from repository root): - -```bash -sudo podman build -t $IMAGE_NAME -f contrib/imgprune/Dockerfile . -``` diff --git a/contrib/imgprune/entrypoint.sh b/contrib/imgprune/entrypoint.sh deleted file mode 100755 index fd80d9b26..000000000 
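Review bot: The early `return` in `branch_dance` on the "No files changed under 'vendor'" path skips the cleanup at the end of the function, so the local tracking branch created by `git checkout -t $branch` is left behind and, on a later run, `git checkout -t` for the same remote branch is likely to fail because a local branch of that name already exists (with `set -e` enabled by then, that aborts the whole loop). Capturing the branch name up front and running the same `git checkout master` / `git branch -d` pair before returning closes the gap; splitting `local tracking_branch=$(...)` into declaration and assignment also stops `local` from masking a failed `git branch --show-current`. Separately, `value=$(expr ...)` in the option loop and `verbose` are assigned but never read, `read ans` should be `read -r ans`, and `$branch`/`$tracking_branch` are passed to git unquoted.
```bash
function branch_dance() {
    local branch="$1"
    local tracking_branch

    # … unchanged: git checkout -t, author check, make vendor-in-container …

    tracking_branch=$(git branch --show-current)
    modified=$(git ls-files -m vendor)
    if [[ -z "$modified" ]]; then
        echo "No files changed under 'vendor' -- nothing to do!"
        git checkout master
        git branch -d "$tracking_branch"
        return
    fi

    # … unchanged: git add / commit --amend / push --force …

    git checkout master
    git branch -d "$tracking_branch"
}
```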
--- a/contrib/imgprune/entrypoint.sh
+++ /dev/null
@@ -1,106 +0,0 @@ -#!/usr/bin/env bash - -set -e - -source /usr/local/bin/lib_entrypoint.sh - -req_env_var GCPJSON GCPNAME GCPPROJECT IMGNAMES - -unset BASE_IMAGES -# When executing under Cirrus-CI, script have access to current source -LIB="$CIRRUS_WORKING_DIR/$SCRIPT_BASE/lib.sh" -if [[ "$CI" == "true" ]] && [[ -r "$LIB" ]] -then - # Avoid importing anything that might conflict - for env in $(sed -ne 's/^[^#]\+_BASE_IMAGE=/img=/p' "$LIB") - do - eval $env - BASE_IMAGES="$BASE_IMAGES $img" - done -else - # metadata labeling may have broken for some reason in the future - echo "Warning: Running outside of Cirrus-CI, very minor-risk of base-image deletion." -fi - -gcloud_init - -# For safety's sake + limit nr background processes -PRUNE_LIMIT=5 -THEFUTURE=$(date --date='+1 hour' +%s) -TOO_OLD='30 days ago' -THRESHOLD=$(date --date="$TOO_OLD" +%s) -# Format Ref: https://cloud.google.com/sdk/gcloud/reference/topic/formats -FORMAT='value[quote](name,selfLink,creationTimestamp,labels)' -PROJRE="/v1/projects/$GCPPROJECT/global/" -RECENTLY=$(date --date='3 days ago' --iso-8601=date) -# Filter Ref: https://cloud.google.com/sdk/gcloud/reference/topic/filters -FILTER="selfLink~$PROJRE AND creationTimestamp<$RECENTLY AND NOT name=($IMGNAMES $BASE_IMAGES)" -TODELETE=$(mktemp -p '' todelete.XXXXXX) -IMGCOUNT=$(mktemp -p '' imgcount.XXXXXX) - -# Search-loop runs in a sub-process, must store count in file -echo "0" > "$IMGCOUNT" -count_image() { - local count - count=$(<"$IMGCOUNT") - let 'count+=1' - echo "$count" > "$IMGCOUNT" -} - -echo "Using filter: $FILTER" -echo "Searching images for pruning candidates older than $TOO_OLD ($(date --date="$TOO_OLD" --iso-8601=date)):" -$GCLOUD compute images list --format="$FORMAT" --filter="$FILTER" | \ - while read name selfLink creationTimestamp labels - do - count_image - created_ymd=$(date --date=$creationTimestamp --iso-8601=date) - last_used=$(egrep --only-matching --max-count=1 'last-used=[[:digit:]]+' <<< $labels || true) - 
markmsgpfx="Marking $name (created $created_ymd) for deletion" - if [[ -z "$last_used" ]] - then # image pre-dates addition of tracking labels - echo "$markmsgpfx: Missing 'last-used' metadata, labels: '$labels'" - echo "$name" >> $TODELETE - continue - fi - - last_used_timestamp=$(date --date=@$(cut -d= -f2 <<< $last_used || true) +%s || true) - last_used_ymd=$(date --date=@$last_used_timestamp --iso-8601=date) - if [[ -z "$last_used_timestamp" ]] || [[ "$last_used_timestamp" -ge "$THEFUTURE" ]] - then - echo "$markmsgpfx: Missing or invalid last-used timestamp: '$last_used_timestamp'" - echo "$name" >> $TODELETE - continue - fi - - if [[ "$last_used_timestamp" -le "$THRESHOLD" ]] - then - echo "$markmsgpfx: Used over $TOO_OLD on $last_used_ymd" - echo "$name" >> $TODELETE - continue - fi - done - -COUNT=$(<"$IMGCOUNT") -echo "########################################################################" -echo "Deleting up to $PRUNE_LIMIT images marked ($(wc -l < $TODELETE)) of all searched ($COUNT):" - -# Require a minimum number of images to exist -NEED="$[$PRUNE_LIMIT*2]" -if [[ "$COUNT" -lt "$NEED" ]] -then - die 0 Safety-net Insufficient images \($COUNT\) to process deletions \($NEED\) - exit 0 -fi - -for image_name in $(sort --random-sort $TODELETE | tail -$PRUNE_LIMIT) -do - if echo "$IMGNAMES $BASE_IMAGES" | grep -q "$image_name" - then - # double-verify in-use images were filtered out in search loop above - die 8 FATAL ATTEMPT TO DELETE IN-USE IMAGE \'$image_name\' - THIS SHOULD NEVER HAPPEN - fi - echo "Deleting $image_name in parallel..." - $GCLOUD compute images delete $image_name & -done - -wait || true # Nothing to delete: No background jobs diff --git a/contrib/imgts/Dockerfile b/contrib/imgts/Dockerfile deleted file mode 100644 index deaadb899..000000000 --- a/contrib/imgts/Dockerfile +++ /dev/null 
@@ -1,20 +0,0 @@ -FROM centos:7 - -# Only needed for installing build-time dependencies -COPY /contrib/imgts/google-cloud-sdk.repo /etc/yum.repos.d/google-cloud-sdk.repo -RUN yum -y update && \ - yum -y install epel-release && \ - yum -y install google-cloud-sdk && \ - yum clean all - -ENV GCPJSON="__unknown__" \ - GCPNAME="__unknown__" \ - GCPPROJECT="__unknown__" \ - IMGNAMES="__unknown__" \ - BUILDID="__unknown__" \ - REPOREF="__unknown__" - -COPY ["/contrib/imgts/entrypoint.sh", "/contrib/imgts/lib_entrypoint.sh", "/usr/local/bin/"] -RUN chmod 755 /usr/local/bin/entrypoint.sh - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] diff --git a/contrib/imgts/README.md b/contrib/imgts/README.md deleted file mode 100644 index ad5ed4172..000000000 --- a/contrib/imgts/README.md +++ /dev/null @@ -1,11 +0,0 @@ -![PODMAN logo](../../logo/podman-logo-source.svg) - -A container image for tracking automation metadata. -Currently this is used to update last-used timestamps on -VM images. - -Example build (from repository root): - -```bash -sudo podman build -t $IMAGE_NAME -f contrib/imgts/Dockerfile . -``` diff --git a/contrib/imgts/entrypoint.sh b/contrib/imgts/entrypoint.sh deleted file mode 100755 index b089e1e9b..000000000 --- a/contrib/imgts/entrypoint.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/usr/bin/env bash - -set -e - -source /usr/local/bin/lib_entrypoint.sh - -req_env_var GCPJSON GCPNAME GCPPROJECT IMGNAMES BUILDID REPOREF - -gcloud_init - -ARGS=" - --update-labels=last-used=$(date +%s) - --update-labels=build-id=$BUILDID - --update-labels=repo-ref=$REPOREF - --update-labels=project=$GCPPROJECT -" - -for image in $IMGNAMES -do - $GCLOUD compute images update "$image" $ARGS & -done - -wait || echo "Warning: No \$IMGNAMES were specified." diff --git a/contrib/imgts/google-cloud-sdk.repo b/contrib/imgts/google-cloud-sdk.repo deleted file mode 100644 index 45b1e43bb..000000000 --- a/contrib/imgts/google-cloud-sdk.repo +++ /dev/null 
@@ -1,8 +0,0 @@ -[google-cloud-sdk] -name=Google Cloud SDK -baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el7-x86_64 -enabled=1 -gpgcheck=1 -repo_gpgcheck=1 -gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg - https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg diff --git a/contrib/imgts/lib_entrypoint.sh b/contrib/imgts/lib_entrypoint.sh deleted file mode 100644 index 6eb5cdc2f..000000000 --- a/contrib/imgts/lib_entrypoint.sh +++ /dev/null @@ -1,49 +0,0 @@ -#!/usr/bin/env bash - -set -e - -RED="\e[1;36;41m" -YEL="\e[1;33;44m" -NOR="\e[0m" -SENTINEL="__unknown__" # default set in dockerfile -# Disable all input prompts -# https://cloud.google.com/sdk/docs/scripting-gcloud -GCLOUD="gcloud --quiet" - -die() { - EXIT=$1 - PFX=$2 - shift 2 - MSG="$@" - echo -e "${RED}${PFX}:${NOR} ${YEL}$MSG${NOR}" - [[ "$EXIT" -eq "0" ]] || exit "$EXIT" -} - -# Pass in a list of one or more envariable names; exit non-zero with -# helpful error message if any value is empty -req_env_var() { - for i; do - if [[ -z "${!i}" ]] - then - die 1 FATAL entrypoint.sh requires \$$i to be non-empty. - elif [[ "${!i}" == "$SENTINEL" ]] - then - die 2 FATAL entrypoint.sh requires \$$i to be explicitly set. - fi - done -} - -gcloud_init() { - set +xe - if [[ -n "$1" ]] && [[ -r "$1" ]] - then - TMPF="$1" - else - TMPF=$(mktemp -p '' .$(uuidgen)_XXXX.json) - trap "rm -f $TMPF &> /dev/null" EXIT - echo "$GCPJSON" > $TMPF - fi - $GCLOUD auth activate-service-account --project="$GCPPROJECT" --key-file="$TMPF" || \ - die 5 FATAL auth - rm -f $TMPF &> /dev/null || true # ignore any read-only error -} diff --git a/contrib/rootless-cni-infra/Containerfile b/contrib/rootless-cni-infra/Containerfile index c5d812a6e..dd80fda28 100644 --- a/contrib/rootless-cni-infra/Containerfile +++ b/contrib/rootless-cni-infra/Containerfile 
@@ -2,8 +2,7 @@ ARG GOLANG_VERSION=1.15 ARG ALPINE_VERSION=3.12 ARG CNI_VERSION=v0.8.0 ARG CNI_PLUGINS_VERSION=v0.8.7 -# Aug 20, 2020 -ARG DNSNAME_VESION=78b4da7bbfc51c27366da630e1df1c4f2e8b1b5b +ARG DNSNAME_VESION=v1.0.0 FROM golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION} AS golang-base RUN apk add --no-cache git @@ -33,3 +32,5 @@ COPY --from=dnsname /dnsname /opt/cni/bin COPY rootless-cni-infra /usr/local/bin ENV CNI_PATH=/opt/cni/bin CMD ["sleep", "infinity"] + +ENV ROOTLESS_CNI_INFRA_VERSION=3 diff --git a/contrib/rootless-cni-infra/README.md b/contrib/rootless-cni-infra/README.md index 937e057fb..c43b4cf49 100644 --- a/contrib/rootless-cni-infra/README.md +++ b/contrib/rootless-cni-infra/README.md @@ -16,7 +16,10 @@ Podman then allocates a CNI netns in the infra container, by executing an equiva The allocated netns is deallocated when the container is being removed, by executing an equivalent of: `podman exec rootless-cni-infra rootless-cni-infra dealloc $CONTAINER_ID $NETWORK_NAME`. +The container images live on `quay.io/libpod/rootless-cni-infra`. The tags have the format `$version-$architecture`. Please make sure to increase the version number in the Containerfile (i.e., `ROOTLESS_CNI_INFRA_VERSION`) when applying changes to this directory. After committing the changes, upload the image(s) with the corresponding tag. + ## Directory layout * `/run/rootless-cni-infra/${CONTAINER_ID}/pid`: PID of the `sleep infinity` process that corresponds to the allocated netns * `/run/rootless-cni-infra/${CONTAINER_ID}/attached/${NETWORK_NAME}`: CNI result +* `/run/rootless-cni-infra/${CONTAINER_ID}/attached-args/${NETWORK_NAME}`: CNI args diff --git a/contrib/rootless-cni-infra/rootless-cni-infra b/contrib/rootless-cni-infra/rootless-cni-infra index 5a574d2eb..463254c7f 100755 --- a/contrib/rootless-cni-infra/rootless-cni-infra +++ b/contrib/rootless-cni-infra/rootless-cni-infra 
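Review bot: `ARG DNSNAME_VESION=v1.0.0` replaces a pinned commit hash with a tag, and tags on a git remote are mutable, so a rebuild of this image can fetch different dnsname sources than the ones reviewed without any change to the Containerfile; the hunk also drops the date comment that documented the previous pin. If the tag is wanted for readability, record it in the comment and keep the ARG at the commit the tag resolves to, e.g. `# dnsname v1.0.0` above `ARG DNSNAME_VESION=<commit-sha-of-v1.0.0>`. How the ARG is consumed (clone/checkout) is outside the hunk, so whether a tag is accepted there cannot be confirmed from this diff. The `ENV ROOTLESS_CNI_INFRA_VERSION=3` added in the second hunk is what the script's `version` subcommand prints and what the README ties to the image tag, so a comment on that line would help, e.g. `# Bump on every change to this directory; printed by 'rootless-cni-infra version' and used as the image tag's version part`.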
@@ -2,9 +2,25 @@ set -eu ARG0="$0" -VERSION="0.1.0" BASE="/run/rootless-cni-infra" +wait_unshare_net() { + pid="$1" + # NOTE: busybox shell doesn't support the `for ((i=0; i < $MAX; i++)); do foo; done` statement + i=0 + while :; do + if [ "$(readlink /proc/self/ns/net)" != "$(readlink /proc/${pid}/ns/net)" ]; then + break + fi + sleep 0.1 + if [ $i -ge 10 ]; then + echo >&2 "/proc/${pid}/ns/net cannot be unshared" + exit 1 + fi + i=$((i + 1)) + done +} + # CLI subcommand: "alloc $CONTAINER_ID $NETWORK_NAME $POD_NAME" cmd_entrypoint_alloc() { if [ "$#" -ne 3 ]; then @@ -17,7 +33,7 @@ cmd_entrypoint_alloc() { K8S_POD_NAME="$3" dir="${BASE}/${ID}" - mkdir -p "${dir}/attached" + mkdir -p "${dir}/attached" "${dir}/attached-args" pid="" if [ -f "${dir}/pid" ]; then @@ -25,6 +41,7 @@ cmd_entrypoint_alloc() { else unshare -n sleep infinity & pid="$!" + wait_unshare_net "${pid}" echo "${pid}" >"${dir}/pid" nsenter -t "${pid}" -n ip link set lo up fi @@ -33,6 +50,7 @@ cmd_entrypoint_alloc() { CNI_IFNAME="eth${nwcount}" export CNI_ARGS CNI_IFNAME cnitool add "${NET}" "/proc/${pid}/ns/net" >"${dir}/attached/${NET}" + echo "${CNI_ARGS}" >"${dir}/attached-args/${NET}" # return the result ns="/proc/${pid}/ns/net" @@ -54,8 +72,12 @@ cmd_entrypoint_dealloc() { exit 0 fi pid=$(cat "${dir}/pid") + if [ -f "${dir}/attached-args/${NET}" ]; then + CNI_ARGS=$(cat "${dir}/attached-args/${NET}") + export CNI_ARGS + fi cnitool del "${NET}" "/proc/${pid}/ns/net" - rm -f "${dir}/attached/${NET}" + rm -f "${dir}/attached/${NET}" "${dir}/attached-args/${NET}" nwcount=$(find "${dir}/attached" -type f | wc -l) if [ "${nwcount}" = 0 ]; then @@ -126,7 +148,7 @@ cmd_entrypoint_help() { # CLI subcommand: "version" cmd_entrypoint_version() { - echo "{\"version\": \"${VERSION}\"}" + echo "{\"version\": \"${ROOTLESS_CNI_INFRA_VERSION}\"}" } # parse args diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in index 363aa60d7..2e266b59f 100644 --- a/contrib/spec/podman.spec.in 
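Review bot: `wait_unshare_net` treats a failed `readlink /proc/${pid}/ns/net` as success: if the background `unshare -n sleep infinity` exits before the loop observes it, the substitution expands to an empty string, the `!=` test is true, the loop breaks, and the caller goes on to write the dead pid into `${dir}/pid` and run `nsenter` against it, which fails with a far less specific error. Reading the link into a variable and failing when the read fails keeps the timeout logic and makes the failure explicit, e.g. `target=$(readlink "/proc/${pid}/ns/net") || { echo >&2 "process ${pid} exited before unsharing its network namespace"; exit 1; }` followed by `if [ "$(readlink /proc/self/ns/net)" != "$target" ]; then`. The loop also gives up only after eleven 0.1s sleeps, which is worth stating for readers, e.g. `# give up after roughly one second (11 x 0.1s)`.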
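Review bot: `cmd_entrypoint_version` now expands `${ROOTLESS_CNI_INFRA_VERSION}` under the file's `set -eu`, so when the variable is absent (the script run outside the image whose Containerfile sets that ENV) the `version` subcommand dies with the shell's unbound-variable message instead of a clear diagnostic. A guard such as `: "${ROOTLESS_CNI_INFRA_VERSION:?must be set; it is exported by the image's Containerfile}"` at the top of the function keeps the fail-closed behaviour with a readable message. cmd_entrypoint_version's body is fully inside the hunk, but the dispatch that calls it is not.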
+++ b/contrib/spec/podman.spec.in @@ -42,7 +42,7 @@ Epoch: 99 %else Epoch: 0 %endif -Version: 2.1.0 +Version: 2.2.0 Release: #COMMITDATE#.git%{shortcommit0}%{?dist} Summary: Manage Pods, Containers and Container Images License: ASL 2.0 diff --git a/contrib/upldrel/Dockerfile b/contrib/upldrel/Dockerfile deleted file mode 100644 index 54a58c521..000000000 --- a/contrib/upldrel/Dockerfile +++ /dev/null @@ -1,9 +0,0 @@ -FROM quay.io/libpod/imgts:latest - -RUN yum -y update && \ - yum -y install unzip && \ - rpm -V unzip && \ - yum clean all - -COPY /contrib/upldrel/entrypoint.sh /usr/local/bin/entrypoint.sh -RUN chmod 755 /usr/local/bin/entrypoint.sh diff --git a/contrib/upldrel/README.md b/contrib/upldrel/README.md deleted file mode 100644 index 41f5ffef0..000000000 --- a/contrib/upldrel/README.md +++ /dev/null @@ -1,9 +0,0 @@ -![PODMAN logo](../../logo/podman-logo-source.svg) - -A container image for canonical-naming and uploading of -libpod and remote-client archives. Only intended to ever -be used by CI/CD, and depends heavily on an embedded -`release.txt` file produced by `make`. - -Build script: [../cirrus/build_release.sh](../cirrus/build_release.sh) -Upload script: [../cirrus/upload_release_archive.sh](../cirrus/upload_release_archive.sh) diff --git a/contrib/upldrel/entrypoint.sh b/contrib/upldrel/entrypoint.sh deleted file mode 100755 index 6eb1b8f94..000000000 --- a/contrib/upldrel/entrypoint.sh +++ /dev/null 
@@ -1,27 +0,0 @@ -#!/usr/bin/env bash - -set -e - -source /usr/local/bin/lib_entrypoint.sh - -req_env_var GCPJSON_FILEPATH GCPNAME GCPPROJECT BUCKET FROM_FILEPATH TO_FILENAME - -[[ -r "$FROM_FILEPATH" ]] || \ - die 2 ERROR Cannot read release archive file: "$FROM_FILEPATH" - -[[ -r "$GCPJSON_FILEPATH" ]] || \ - die 3 ERROR Cannot read GCP credentials file: "$GCPJSON_FILEPATH" - -echo "Authenticating to google cloud for upload" -gcloud_init "$GCPJSON_FILEPATH" - -echo "Uploading archive as $TO_FILENAME" -gsutil cp "$FROM_FILEPATH" "gs://$BUCKET/$TO_FILENAME" -[[ -z "$ALSO_FILENAME" ]] || \ - gsutil cp "$FROM_FILEPATH" "gs://$BUCKET/$ALSO_FILENAME" - -echo "." -echo "Release now available for download at:" -echo " https://storage.googleapis.com/$BUCKET/$TO_FILENAME" -[[ -z "$ALSO_FILENAME" ]] || \ - echo " https://storage.googleapis.com/$BUCKET/$ALSO_FILENAME" |