summaryrefslogtreecommitdiff
path: root/vendor
diff options
context:
space:
mode:
Diffstat (limited to 'vendor')
-rw-r--r--vendor/github.com/containers/common/pkg/config/config.go2
-rw-r--r--vendor/github.com/containers/common/pkg/config/containers.conf9
-rw-r--r--vendor/github.com/containers/common/version/version.go2
-rw-r--r--vendor/github.com/cri-o/ocicni/pkg/ocicni/ocicni.go93
-rw-r--r--vendor/github.com/cri-o/ocicni/pkg/ocicni/types.go18
-rw-r--r--vendor/github.com/cri-o/ocicni/pkg/ocicni/util_linux.go79
-rw-r--r--vendor/github.com/cri-o/ocicni/pkg/ocicni/util_unsupported.go19
-rw-r--r--vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go2
-rw-r--r--vendor/modules.txt6
9 files changed, 167 insertions, 63 deletions
diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go
index 18fab5485..c6a9a660e 100644
--- a/vendor/github.com/containers/common/pkg/config/config.go
+++ b/vendor/github.com/containers/common/pkg/config/config.go
@@ -282,7 +282,7 @@ type EngineConfig struct {
PullPolicy string `toml:"pull_policy,omitempty"`
// Indicates whether the application should be running in Remote mode
- Remote bool `toml:"-"`
+ Remote bool `toml:"remote,omitempty"`
// RemoteURI is deprecated, see ActiveService
// RemoteURI containers connection information used to connect to remote system.
diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf
index 261cfd1cb..e8519b251 100644
--- a/vendor/github.com/containers/common/pkg/config/containers.conf
+++ b/vendor/github.com/containers/common/pkg/config/containers.conf
@@ -76,10 +76,10 @@ default_capabilities = [
# A list of sysctls to be set in containers by default,
# specified as "name=value",
-# for example:"net.ipv4.ping_group_range = 0 1".
+# for example:"net.ipv4.ping_group_range = 0 0".
#
default_sysctls = [
- "net.ipv4.ping_group_range=0 1",
+ "net.ipv4.ping_group_range=0 0",
]
# A list of ulimits to be set in containers by default, specified as
@@ -357,6 +357,11 @@ default_sysctls = [
# Whether to pull new image before running a container
# pull_policy = "missing"
+# Indicates whether the application should be running in remote mode. This flag modifies the
+# --remote option on container engines. Setting the flag to true will default
+# `podman --remote=true` for access to the remote Podman service.
+# remote = false
+
# Directory for persistent engine files (database, etc)
# By default, this will be configured relative to where the containers/storage
# stores containers
diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
index 8e497e7fa..ef7c612e2 100644
--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
@@ -1,4 +1,4 @@
package version
// Version is the version of the build.
-const Version = "0.26.3"
+const Version = "0.27.0"
diff --git a/vendor/github.com/cri-o/ocicni/pkg/ocicni/ocicni.go b/vendor/github.com/cri-o/ocicni/pkg/ocicni/ocicni.go
index a8e2fbfa8..ee09adc8d 100644
--- a/vendor/github.com/cri-o/ocicni/pkg/ocicni/ocicni.go
+++ b/vendor/github.com/cri-o/ocicni/pkg/ocicni/ocicni.go
@@ -24,7 +24,6 @@ import (
type cniNetworkPlugin struct {
cniConfig *libcni.CNIConfig
- loNetwork *cniNetwork
sync.RWMutex
defaultNetName netName
@@ -217,7 +216,6 @@ func initCNI(exec cniinvoke.Exec, cacheDir, defaultNetName string, confDir strin
changeable: defaultNetName == "",
},
networks: make(map[string]*cniNetwork),
- loNetwork: getLoNetwork(),
confDir: confDir,
binDirs: binDirs,
shutdownChan: make(chan struct{}),
@@ -335,31 +333,9 @@ func loadNetworks(confDir string, cni *libcni.CNIConfig) (map[string]*cniNetwork
}
const (
- loIfname string = "lo"
- loNetname string = "cni-loopback"
+ loIfname string = "lo"
)
-func getLoNetwork() *cniNetwork {
- loConfig, err := libcni.ConfListFromBytes([]byte(fmt.Sprintf(`{
- "cniVersion": "0.3.1",
- "name": "%s",
- "plugins": [{
- "type": "loopback"
- }]
-}`, loNetname)))
- if err != nil {
- // The hardcoded config above should always be valid and unit tests will
- // catch this
- panic(err)
- }
- loNetwork := &cniNetwork{
- name: loIfname,
- config: loConfig,
- }
-
- return loNetwork
-}
-
func (plugin *cniNetworkPlugin) syncNetworkConfig() error {
networks, defaultNetName, err := loadNetworks(plugin.confDir, plugin.cniConfig)
if err != nil {
@@ -525,16 +501,11 @@ func (plugin *cniNetworkPlugin) forEachNetwork(podNetwork *PodNetwork, fromCache
return nil
}
-func buildLoopbackRuntimeConf(cacheDir string, podNetwork *PodNetwork) *libcni.RuntimeConf {
- return &libcni.RuntimeConf{
- ContainerID: podNetwork.ID,
- NetNS: podNetwork.NetNS,
- CacheDir: cacheDir,
- IfName: loIfname,
- }
+func (plugin *cniNetworkPlugin) SetUpPod(podNetwork PodNetwork) ([]NetResult, error) {
+ return plugin.SetUpPodWithContext(context.Background(), podNetwork)
}
-func (plugin *cniNetworkPlugin) SetUpPod(podNetwork PodNetwork) ([]NetResult, error) {
+func (plugin *cniNetworkPlugin) SetUpPodWithContext(ctx context.Context, podNetwork PodNetwork) ([]NetResult, error) {
if err := plugin.networksAvailable(&podNetwork); err != nil {
return nil, err
}
@@ -542,15 +513,15 @@ func (plugin *cniNetworkPlugin) SetUpPod(podNetwork PodNetwork) ([]NetResult, er
plugin.podLock(podNetwork).Lock()
defer plugin.podUnlock(podNetwork)
- loRt := buildLoopbackRuntimeConf(plugin.cacheDir, &podNetwork)
- if _, err := plugin.loNetwork.addToNetwork(loRt, plugin.cniConfig); err != nil {
- logrus.Errorf("Error while adding to cni lo network: %s", err)
+ // Set up loopback interface
+ if err := bringUpLoopback(podNetwork.NetNS); err != nil {
+ logrus.Errorf(err.Error())
return nil, err
}
results := make([]NetResult, 0)
if err := plugin.forEachNetwork(&podNetwork, false, func(network *cniNetwork, podNetwork *PodNetwork, rt *libcni.RuntimeConf) error {
- result, err := network.addToNetwork(rt, plugin.cniConfig)
+ result, err := network.addToNetwork(ctx, rt, plugin.cniConfig)
if err != nil {
logrus.Errorf("Error while adding pod to CNI network %q: %s", network.name, err)
return err
@@ -622,7 +593,7 @@ func (plugin *cniNetworkPlugin) getCachedNetworkInfo(containerID string) ([]NetA
continue
}
// Ignore the loopback interface; it's handled separately
- if cachedInfo.IfName == loIfname && cachedInfo.NetName == loNetname {
+ if cachedInfo.IfName == loIfname && cachedInfo.NetName == "cni-loopback" {
continue
}
if cachedInfo.IfName == "" || cachedInfo.NetName == "" {
@@ -641,6 +612,10 @@ func (plugin *cniNetworkPlugin) getCachedNetworkInfo(containerID string) ([]NetA
// TearDownPod tears down pod networks. Prefers cached pod attachment information
// but falls back to given network attachment information.
func (plugin *cniNetworkPlugin) TearDownPod(podNetwork PodNetwork) error {
+ return plugin.TearDownPodWithContext(context.Background(), podNetwork)
+}
+
+func (plugin *cniNetworkPlugin) TearDownPodWithContext(ctx context.Context, podNetwork PodNetwork) error {
if len(podNetwork.Networks) == 0 {
attachments, err := plugin.getCachedNetworkInfo(podNetwork.ID)
if err == nil && len(attachments) > 0 {
@@ -652,17 +627,16 @@ func (plugin *cniNetworkPlugin) TearDownPod(podNetwork PodNetwork) error {
return err
}
- loRt := buildLoopbackRuntimeConf(plugin.cacheDir, &podNetwork)
- if err := plugin.loNetwork.deleteFromNetwork(loRt, plugin.cniConfig); err != nil {
- logrus.Errorf("Error while removing pod from CNI lo network: %v", err)
- // Loopback teardown errors are not fatal
- }
-
plugin.podLock(podNetwork).Lock()
defer plugin.podUnlock(podNetwork)
+ if err := tearDownLoopback(podNetwork.NetNS); err != nil {
+ // ignore error
+ logrus.Errorf("Ignoring error tearing down loopback interface: %v", err)
+ }
+
return plugin.forEachNetwork(&podNetwork, true, func(network *cniNetwork, podNetwork *PodNetwork, rt *libcni.RuntimeConf) error {
- if err := network.deleteFromNetwork(rt, plugin.cniConfig); err != nil {
+ if err := network.deleteFromNetwork(ctx, rt, plugin.cniConfig); err != nil {
logrus.Errorf("Error while removing pod from CNI network %q: %s", network.name, err)
return err
}
@@ -673,12 +647,23 @@ func (plugin *cniNetworkPlugin) TearDownPod(podNetwork PodNetwork) error {
// GetPodNetworkStatus returns IP addressing and interface details for all
// networks attached to the pod.
func (plugin *cniNetworkPlugin) GetPodNetworkStatus(podNetwork PodNetwork) ([]NetResult, error) {
+ return plugin.GetPodNetworkStatusWithContext(context.Background(), podNetwork)
+}
+
+// GetPodNetworkStatusWithContext returns IP addressing and interface details for all
+// networks attached to the pod.
+func (plugin *cniNetworkPlugin) GetPodNetworkStatusWithContext(ctx context.Context, podNetwork PodNetwork) ([]NetResult, error) {
plugin.podLock(podNetwork).Lock()
defer plugin.podUnlock(podNetwork)
+ if err := checkLoopback(podNetwork.NetNS); err != nil {
+ logrus.Errorf(err.Error())
+ return nil, err
+ }
+
results := make([]NetResult, 0)
if err := plugin.forEachNetwork(&podNetwork, true, func(network *cniNetwork, podNetwork *PodNetwork, rt *libcni.RuntimeConf) error {
- result, err := network.checkNetwork(rt, plugin.cniConfig, plugin.nsManager, podNetwork.NetNS)
+ result, err := network.checkNetwork(ctx, rt, plugin.cniConfig, plugin.nsManager, podNetwork.NetNS)
if err != nil {
logrus.Errorf("Error while checking pod to CNI network %q: %s", network.name, err)
return err
@@ -700,9 +685,9 @@ func (plugin *cniNetworkPlugin) GetPodNetworkStatus(podNetwork PodNetwork) ([]Ne
return results, nil
}
-func (network *cniNetwork) addToNetwork(rt *libcni.RuntimeConf, cni *libcni.CNIConfig) (cnitypes.Result, error) {
+func (network *cniNetwork) addToNetwork(ctx context.Context, rt *libcni.RuntimeConf, cni *libcni.CNIConfig) (cnitypes.Result, error) {
logrus.Infof("About to add CNI network %s (type=%v)", network.name, network.config.Plugins[0].Network.Type)
- res, err := cni.AddNetworkList(context.Background(), network.config, rt)
+ res, err := cni.AddNetworkList(ctx, network.config, rt)
if err != nil {
logrus.Errorf("Error adding network: %v", err)
return nil, err
@@ -711,7 +696,7 @@ func (network *cniNetwork) addToNetwork(rt *libcni.RuntimeConf, cni *libcni.CNIC
return res, nil
}
-func (network *cniNetwork) checkNetwork(rt *libcni.RuntimeConf, cni *libcni.CNIConfig, nsManager *nsManager, netns string) (cnitypes.Result, error) {
+func (network *cniNetwork) checkNetwork(ctx context.Context, rt *libcni.RuntimeConf, cni *libcni.CNIConfig, nsManager *nsManager, netns string) (cnitypes.Result, error) {
logrus.Infof("About to check CNI network %s (type=%v)", network.name, network.config.Plugins[0].Network.Type)
gtet, err := cniversion.GreaterThanOrEqualTo(network.config.CNIVersion, "0.4.0")
@@ -723,7 +708,7 @@ func (network *cniNetwork) checkNetwork(rt *libcni.RuntimeConf, cni *libcni.CNIC
// When CNIVersion supports Check, use it. Otherwise fall back on what was done initially.
if gtet {
- err = cni.CheckNetworkList(context.Background(), network.config, rt)
+ err = cni.CheckNetworkList(ctx, network.config, rt)
logrus.Infof("Checking CNI network %s (config version=%v)", network.name, network.config.CNIVersion)
if err != nil {
logrus.Errorf("Error checking network: %v", err)
@@ -783,9 +768,9 @@ func (network *cniNetwork) checkNetwork(rt *libcni.RuntimeConf, cni *libcni.CNIC
return converted, nil
}
-func (network *cniNetwork) deleteFromNetwork(rt *libcni.RuntimeConf, cni *libcni.CNIConfig) error {
+func (network *cniNetwork) deleteFromNetwork(ctx context.Context, rt *libcni.RuntimeConf, cni *libcni.CNIConfig) error {
logrus.Infof("About to del CNI network %s (type=%v)", network.name, network.config.Plugins[0].Network.Type)
- if err := cni.DelNetworkList(context.Background(), network.config, rt); err != nil {
+ if err := cni.DelNetworkList(ctx, network.config, rt); err != nil {
logrus.Errorf("Error deleting network: %v", err)
return err
}
@@ -848,6 +833,10 @@ func buildCNIRuntimeConf(cacheDir string, podNetwork *PodNetwork, ifName string,
rt.CapabilityArgs["ipRanges"] = runtimeConfig.IpRanges
}
+ // Set Aliases in Capabilities
+ if len(podNetwork.Aliases) > 0 {
+ rt.CapabilityArgs["aliases"] = podNetwork.Aliases
+ }
return rt, nil
}
diff --git a/vendor/github.com/cri-o/ocicni/pkg/ocicni/types.go b/vendor/github.com/cri-o/ocicni/pkg/ocicni/types.go
index 717ecda33..7326b4b40 100644
--- a/vendor/github.com/cri-o/ocicni/pkg/ocicni/types.go
+++ b/vendor/github.com/cri-o/ocicni/pkg/ocicni/types.go
@@ -1,6 +1,8 @@
package ocicni
import (
+ "context"
+
"github.com/containernetworking/cni/pkg/types"
)
@@ -87,6 +89,11 @@ type PodNetwork struct {
// It is optional, and can be omitted for some or all specified networks
// without issue.
RuntimeConfig map[string]RuntimeConfig
+
+ // Aliases are network-scoped names for resolving a container
+ // by name. The key value is the network name and the value is
+ // is a string slice of aliases
+ Aliases map[string][]string
}
// NetAttachment describes a container network attachment
@@ -122,12 +129,21 @@ type CNIPlugin interface {
// pod are launched.
SetUpPod(network PodNetwork) ([]NetResult, error)
+ // SetUpPodWithContext is the same as SetUpPod but takes a context
+ SetUpPodWithContext(ctx context.Context, network PodNetwork) ([]NetResult, error)
+
// TearDownPod is the method called before a pod's sandbox container will be deleted
TearDownPod(network PodNetwork) error
- // Status is the method called to obtain the ipv4 or ipv6 addresses of the pod sandbox
+ // TearDownPodWithContext is the same as TearDownPod but takes a context
+ TearDownPodWithContext(ctx context.Context, network PodNetwork) error
+
+ // GetPodNetworkStatus is the method called to obtain the ipv4 or ipv6 addresses of the pod sandbox
GetPodNetworkStatus(network PodNetwork) ([]NetResult, error)
+ // GetPodNetworkStatusWithContext is the same as GetPodNetworkStatus but takes a context
+ GetPodNetworkStatusWithContext(ctx context.Context, network PodNetwork) ([]NetResult, error)
+
// NetworkStatus returns error if the network plugin is in error state
Status() error
diff --git a/vendor/github.com/cri-o/ocicni/pkg/ocicni/util_linux.go b/vendor/github.com/cri-o/ocicni/pkg/ocicni/util_linux.go
index d263ae4df..53c22f83f 100644
--- a/vendor/github.com/cri-o/ocicni/pkg/ocicni/util_linux.go
+++ b/vendor/github.com/cri-o/ocicni/pkg/ocicni/util_linux.go
@@ -7,6 +7,9 @@ import (
"net"
"os/exec"
"strings"
+
+ "github.com/containernetworking/plugins/pkg/ns"
+ "github.com/vishvananda/netlink"
)
var defaultNamespaceEnterCommandName = "nsenter"
@@ -69,3 +72,79 @@ func getContainerDetails(nsm *nsManager, netnsPath, interfaceName, addrType stri
return ipNet, &mac, nil
}
+
+func tearDownLoopback(netns string) error {
+ return ns.WithNetNSPath(netns, func(_ ns.NetNS) error {
+ link, err := netlink.LinkByName(loIfname)
+ if err != nil {
+ return err // not tested
+ }
+ err = netlink.LinkSetDown(link)
+ if err != nil {
+ return err // not tested
+ }
+ return nil
+ })
+}
+
+func bringUpLoopback(netns string) error {
+ if err := ns.WithNetNSPath(netns, func(_ ns.NetNS) error {
+ link, err := netlink.LinkByName(loIfname)
+ if err == nil {
+ err = netlink.LinkSetUp(link)
+ }
+ if err != nil {
+ return err
+ }
+
+ v4Addrs, err := netlink.AddrList(link, netlink.FAMILY_V4)
+ if err != nil {
+ return err
+ }
+ if len(v4Addrs) != 0 {
+ // sanity check that this is a loopback address
+ for _, addr := range v4Addrs {
+ if !addr.IP.IsLoopback() {
+ return fmt.Errorf("loopback interface found with non-loopback address %q", addr.IP)
+ }
+ }
+ }
+
+ v6Addrs, err := netlink.AddrList(link, netlink.FAMILY_V6)
+ if err != nil {
+ return err
+ }
+ if len(v6Addrs) != 0 {
+ // sanity check that this is a loopback address
+ for _, addr := range v6Addrs {
+ if !addr.IP.IsLoopback() {
+ return fmt.Errorf("loopback interface found with non-loopback address %q", addr.IP)
+ }
+ }
+ }
+
+ return nil
+ }); err != nil {
+ return fmt.Errorf("error adding loopback interface: %s", err)
+ }
+ return nil
+}
+
+func checkLoopback(netns string) error {
+ // Make sure loopback interface is up
+ if err := ns.WithNetNSPath(netns, func(_ ns.NetNS) error {
+ link, err := netlink.LinkByName(loIfname)
+ if err != nil {
+ return err
+ }
+
+ if link.Attrs().Flags&net.FlagUp != net.FlagUp {
+ return fmt.Errorf("loopback interface is down")
+ }
+
+ return nil
+ }); err != nil {
+ return fmt.Errorf("error checking loopback interface: %v", err)
+ }
+ return nil
+}
diff --git a/vendor/github.com/cri-o/ocicni/pkg/ocicni/util_unsupported.go b/vendor/github.com/cri-o/ocicni/pkg/ocicni/util_unsupported.go
index 0b1c72208..b87f0d373 100644
--- a/vendor/github.com/cri-o/ocicni/pkg/ocicni/util_unsupported.go
+++ b/vendor/github.com/cri-o/ocicni/pkg/ocicni/util_unsupported.go
@@ -3,17 +3,32 @@
package ocicni
import (
- "fmt"
+ "errors"
"net"
)
type nsManager struct {
}
+var errUnsupportedPlatform = errors.New("unsupported platform")
+
func (nsm *nsManager) init() error {
return nil
}
func getContainerDetails(nsm *nsManager, netnsPath, interfaceName, addrType string) (*net.IPNet, *net.HardwareAddr, error) {
- return nil, nil, fmt.Errorf("not supported yet")
+ return nil, nil, errUnsupportedPlatform
+}
+
+func tearDownLoopback(netns string) error {
+ return errUnsupportedPlatform
+}
+
+func bringUpLoopback(netns string) error {
+ return errUnsupportedPlatform
+}
+
+func checkLoopback(netns string) error {
+ return errUnsupportedPlatform
+
}
diff --git a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go
index 49252a06d..f6e5e56ed 100644
--- a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go
+++ b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go
@@ -111,7 +111,7 @@ func annotateEPERM(origErr error, spec port.Spec) error {
// origErr is unrelated to ip_unprivileged_port_start
return origErr
}
- text := fmt.Sprintf("cannot expose privileged port %d, you might need to add \"net.ipv4.ip_unprivileged_port_start=0\" (currently %d) to /etc/sysctl.conf", spec.ParentPort, start)
+ text := fmt.Sprintf("cannot expose privileged port %d, you can add 'net.ipv4.ip_unprivileged_port_start=%d' to /etc/sysctl.conf (currently %d)", spec.ParentPort, spec.ParentPort, start)
if filepath.Base(os.Args[0]) == "rootlesskit" {
// NOTE: The following sentence is appended only if Args[0] == "rootlesskit", because it does not apply to Podman (as of Podman v1.9).
// Podman launches the parent driver in the child user namespace (but in the parent network namespace), which disables the file capability.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 79db4807e..6264a8d51 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -87,7 +87,7 @@ github.com/containers/buildah/pkg/secrets
github.com/containers/buildah/pkg/supplemented
github.com/containers/buildah/pkg/umask
github.com/containers/buildah/util
-# github.com/containers/common v0.26.3
+# github.com/containers/common v0.27.0
github.com/containers/common/pkg/apparmor
github.com/containers/common/pkg/apparmor/internal/supported
github.com/containers/common/pkg/auth
@@ -216,7 +216,7 @@ github.com/coreos/go-systemd/v22/dbus
github.com/coreos/go-systemd/v22/internal/dlopen
github.com/coreos/go-systemd/v22/journal
github.com/coreos/go-systemd/v22/sdjournal
-# github.com/cri-o/ocicni v0.2.0
+# github.com/cri-o/ocicni v0.2.1-0.20201102180012-75c612fda1a2 => github.com/cri-o/ocicni v0.2.1-0.20201109200316-afdc16ba66df
github.com/cri-o/ocicni/pkg/ocicni
# github.com/cyphar/filepath-securejoin v0.2.2
github.com/cyphar/filepath-securejoin
@@ -478,7 +478,7 @@ github.com/prometheus/common/model
# github.com/prometheus/procfs v0.0.3
github.com/prometheus/procfs
github.com/prometheus/procfs/internal/fs
-# github.com/rootless-containers/rootlesskit v0.11.0
+# github.com/rootless-containers/rootlesskit v0.11.1
github.com/rootless-containers/rootlesskit/pkg/msgutil
github.com/rootless-containers/rootlesskit/pkg/port
github.com/rootless-containers/rootlesskit/pkg/port/builtin