diff options
Diffstat (limited to 'vendor')
9 files changed, 161 insertions, 134 deletions
diff --git a/vendor/github.com/containers/common/libimage/image.go b/vendor/github.com/containers/common/libimage/image.go index 3bcdbabec..f1272f507 100644 --- a/vendor/github.com/containers/common/libimage/image.go +++ b/vendor/github.com/containers/common/libimage/image.go @@ -61,6 +61,24 @@ func (i *Image) reload() error { return nil } +// isCorrupted returns an error if the image may be corrupted. +func (i *Image) isCorrupted(name string) error { + // If it's a manifest list, we're good for now. + if _, err := i.getManifestList(); err == nil { + return nil + } + + ref, err := i.StorageReference() + if err != nil { + return err + } + + if _, err := ref.NewImage(context.Background(), nil); err != nil { + return errors.Errorf("Image %s exists in local storage but may be corrupted: %v", name, err) + } + return nil +} + // Names returns associated names with the image which may be a mix of tags and // digests. func (i *Image) Names() []string { diff --git a/vendor/github.com/containers/common/libimage/pull.go b/vendor/github.com/containers/common/libimage/pull.go index 0271f0051..0a5e49fd2 100644 --- a/vendor/github.com/containers/common/libimage/pull.go +++ b/vendor/github.com/containers/common/libimage/pull.go @@ -105,6 +105,20 @@ func (r *Runtime) Pull(ctx context.Context, name string, pullPolicy config.PullP r.writeEvent(&Event{ID: "", Name: name, Time: time.Now(), Type: EventTypeImagePull}) } + // Some callers may set the platform via the system context at creation + // time of the runtime. We need this information to decide whether we + // need to enforce pulling from a registry (see + // containers/podman/issues/10682). + if options.Architecture == "" { + options.Architecture = r.systemContext.ArchitectureChoice + } + if options.OS == "" { + options.OS = r.systemContext.OSChoice + } + if options.Variant == "" { + options.Variant = r.systemContext.VariantChoice + } + var ( pulledImages []string pullError error @@ -333,7 +347,7 @@ func (r *Runtime) copyFromRegistry(ctx context.Context, ref types.ImageReference // from a registry. On successful pull it returns the used fully-qualified // name that can later be used to look up the image in the local containers // storage. -func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName string, pullPolicy config.PullPolicy, options *PullOptions) ([]string, error) { +func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName string, pullPolicy config.PullPolicy, options *PullOptions) ([]string, error) { //nolint:gocyclo // Sanity check. if err := pullPolicy.Validate(); err != nil { return nil, err @@ -349,11 +363,41 @@ func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName str // resolved name for pulling. Assume we're doing a `pull foo`. // If there's already a local image "localhost/foo", then we should // attempt pulling that instead of doing the full short-name dance. - localImage, resolvedImageName, err = r.LookupImage(imageName, nil) + lookupOptions := &LookupImageOptions{ + // NOTE: we must ignore the platform of a local image when + // doing lookups. Some images set an incorrect or even invalid + // platform (see containers/podman/issues/10682). Doing the + // lookup while ignoring the platform checks prevents + // redundantly downloading the same image. + IgnorePlatform: true, + } + localImage, resolvedImageName, err = r.LookupImage(imageName, lookupOptions) if err != nil && errors.Cause(err) != storage.ErrImageUnknown { logrus.Errorf("Looking up %s in local storage: %v", imageName, err) } + // If the local image is corrupted, we need to repull it. + if localImage != nil { + if err := localImage.isCorrupted(imageName); err != nil { + logrus.Error(err) + localImage = nil + } + } + + // Unless the pull policy is "always", we must pessimistically assume + // that the local image has an invalid architecture (see + // containers/podman/issues/10682). Hence, whenever the user requests + // a custom platform, set the pull policy to "always" to make sure + // we're pulling down the image. + // + // NOTE that this is will even override --pull={false,never}. This is + // very likely a bug but a consistent one in Podman/Buildah and should + // be addressed at a later point. + if pullPolicy != config.PullPolicyAlways && len(options.Architecture)+len(options.OS)+len(options.Variant) > 0 { + logrus.Debugf("Enforcing pull policy to %q to support custom platform (arch: %q, os: %q, variant: %q)", "always", options.Architecture, options.OS, options.Variant) + pullPolicy = config.PullPolicyAlways + } + if pullPolicy == config.PullPolicyNever { if localImage != nil { logrus.Debugf("Pull policy %q but no local image has been found for %s", pullPolicy, imageName) diff --git a/vendor/github.com/containers/common/libimage/runtime.go b/vendor/github.com/containers/common/libimage/runtime.go index efa182544..3cbd3dcf4 100644 --- a/vendor/github.com/containers/common/libimage/runtime.go +++ b/vendor/github.com/containers/common/libimage/runtime.go @@ -144,9 +144,8 @@ func (r *Runtime) Exists(name string) (bool, error) { if image == nil { return false, nil } - // Inspect the image to make sure if it's corrupted or not. - if _, err := image.Inspect(context.Background(), false); err != nil { - logrus.Errorf("Image %s exists in local storage but may be corrupted: %v", name, err) + if err := image.isCorrupted(name); err != nil { + logrus.Error(err) return false, nil } return true, nil @@ -159,6 +158,13 @@ type LookupImageOptions struct { // the platform does not matter, for instance, for image removal. IgnorePlatform bool + // Lookup an image matching the specified architecture. + Architecture string + // Lookup an image matching the specified OS. + OS string + // Lookup an image matching the specified variant. + Variant string + // If set, do not look for items/instances in the manifest list that // match the current platform but return the manifest list as is. lookupManifest bool @@ -210,6 +216,25 @@ func (r *Runtime) LookupImage(name string, options *LookupImageOptions) (*Image, name = strings.TrimPrefix(name, "sha256:") } + // Set the platform for matching local images. + if !options.IgnorePlatform { + if options.Architecture == "" { + options.Architecture = r.systemContext.ArchitectureChoice + } + if options.Architecture == "" { + options.Architecture = runtime.GOARCH + } + if options.OS == "" { + options.OS = r.systemContext.OSChoice + } + if options.OS == "" { + options.OS = runtime.GOOS + } + if options.Variant == "" { + options.Variant = r.systemContext.VariantChoice + } + } + // First, check if we have an exact match in the storage. Maybe an ID // or a fully-qualified image name. img, err := r.lookupImageInLocalStorage(name, name, options) @@ -295,7 +320,7 @@ func (r *Runtime) lookupImageInLocalStorage(name, candidate string, options *Loo if err != nil { return nil, err } - instance, err := manifestList.LookupInstance(context.Background(), "", "", "") + instance, err := manifestList.LookupInstance(context.Background(), options.Architecture, options.OS, options.Variant) if err != nil { // NOTE: If we are not looking for a specific platform // and already found the manifest list, then return it @@ -316,7 +341,7 @@ func (r *Runtime) lookupImageInLocalStorage(name, candidate string, options *Loo return image, nil } - matches, err := imageReferenceMatchesContext(context.Background(), ref, &r.systemContext) + matches, err := r.imageReferenceMatchesContext(ref, options) if err != nil { return nil, err } @@ -428,12 +453,13 @@ func (r *Runtime) ResolveName(name string) (string, error) { } // imageReferenceMatchesContext return true if the specified reference matches -// the platform (os, arch, variant) as specified by the system context. -func imageReferenceMatchesContext(ctx context.Context, ref types.ImageReference, sys *types.SystemContext) (bool, error) { - if sys == nil { +// the platform (os, arch, variant) as specified by the lookup options. +func (r *Runtime) imageReferenceMatchesContext(ref types.ImageReference, options *LookupImageOptions) (bool, error) { + if options.IgnorePlatform { return true, nil } - img, err := ref.NewImage(ctx, sys) + ctx := context.Background() + img, err := ref.NewImage(ctx, &r.systemContext) if err != nil { return false, err } @@ -442,16 +468,8 @@ func imageReferenceMatchesContext(ctx context.Context, ref types.ImageReference, if err != nil { return false, err } - osChoice := sys.OSChoice - if osChoice == "" { - osChoice = runtime.GOOS - } - arch := sys.ArchitectureChoice - if arch == "" { - arch = runtime.GOARCH - } - if osChoice == data.Os && arch == data.Architecture { - if sys.VariantChoice == "" || sys.VariantChoice == data.Variant { + if options.OS == data.Os && options.Architecture == data.Architecture { + if options.Variant == "" || options.Variant == data.Variant { return true, nil } } diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go index 0d23d6ac6..af6efbbf2 100644 --- a/vendor/github.com/containers/common/pkg/config/config.go +++ b/vendor/github.com/containers/common/pkg/config/config.go @@ -1053,7 +1053,7 @@ func (c *Config) Write() error { if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil { return err } - configFile, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0600) + configFile, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0644) if err != nil { return err } diff --git a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go index edb1294d6..725e0bfc7 100644 --- a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go +++ b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go @@ -51,14 +51,9 @@ func DefaultProfile() *Seccomp { { Names: []string{ "bdflush", - "clone3", "io_pgetevents", - "io_uring_enter", - "io_uring_register", - "io_uring_setup", "kexec_file_load", "kexec_load", - "membarrier", "migrate_pages", "move_pages", "nfsservctl", @@ -71,10 +66,6 @@ func DefaultProfile() *Seccomp { "pciconfig_iobase", "pciconfig_read", "pciconfig_write", - "pkey_alloc", - "pkey_free", - "pkey_mprotect", - "rseq", "sgetmask", "ssetmask", "swapcontext", @@ -118,6 +109,7 @@ func DefaultProfile() *Seccomp { "clock_nanosleep", "clock_nanosleep_time64", "clone", + "clone3", "close", "close_range", "connect", @@ -191,6 +183,7 @@ func DefaultProfile() *Seccomp { "getgroups", "getgroups32", "getitimer", + "get_mempolicy", "getpeername", "getpgid", "getpgrp", @@ -241,6 +234,7 @@ func DefaultProfile() *Seccomp { "lstat", "lstat64", "madvise", + "mbind", "memfd_create", "mincore", "mkdir", @@ -286,6 +280,9 @@ func DefaultProfile() *Seccomp { "pipe", "pipe2", "pivot_root", + "pkey_alloc", + "pkey_free", + "pkey_mprotect", "poll", "ppoll", "ppoll_time64", @@ -318,6 +315,7 @@ func DefaultProfile() *Seccomp { "renameat2", "restart_syscall", "rmdir", + "rseq", "rt_sigaction", "rt_sigpending", "rt_sigprocmask", @@ -354,6 +352,7 @@ func DefaultProfile() *Seccomp { "sendmsg", "sendto", "setns", + "set_mempolicy", "set_robust_list", "set_thread_area", "set_tid_address", @@ -665,31 +664,6 @@ func DefaultProfile() *Seccomp { }, { Names: []string{ - "get_mempolicy", - "mbind", - "set_mempolicy", - }, - Action: ActAllow, - Args: []*Arg{}, - Includes: Filter{ - Caps: []string{"CAP_SYS_NICE"}, - }, - }, - { - Names: []string{ - "get_mempolicy", - "mbind", - "set_mempolicy", - }, - Action: ActErrno, - ErrnoRet: &eperm, - Args: []*Arg{}, - Excludes: Filter{ - Caps: []string{"CAP_SYS_NICE"}, - }, - }, - { - Names: []string{ "acct", }, Action: ActAllow, diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json index 885240e50..eeb41d5d8 100644 --- a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json +++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json @@ -54,14 +54,9 @@ { "names": [ "bdflush", - "clone3", "io_pgetevents", - "io_uring_enter", - "io_uring_register", - "io_uring_setup", "kexec_file_load", "kexec_load", - "membarrier", "migrate_pages", "move_pages", "nfsservctl", @@ -74,10 +69,6 @@ "pciconfig_iobase", "pciconfig_read", "pciconfig_write", - "pkey_alloc", - "pkey_free", - "pkey_mprotect", - "rseq", "sgetmask", "ssetmask", "swapcontext", @@ -124,6 +115,7 @@ "clock_nanosleep", "clock_nanosleep_time64", "clone", + "clone3", "close", "close_range", "connect", @@ -197,6 +189,7 @@ "getgroups", "getgroups32", "getitimer", + "get_mempolicy", "getpeername", "getpgid", "getpgrp", @@ -247,6 +240,7 @@ "lstat", "lstat64", "madvise", + "mbind", "memfd_create", "mincore", "mkdir", @@ -292,6 +286,9 @@ "pipe", "pipe2", "pivot_root", + "pkey_alloc", + "pkey_free", + "pkey_mprotect", "poll", "ppoll", "ppoll_time64", @@ -324,6 +321,7 @@ "renameat2", "restart_syscall", "rmdir", + "rseq", "rt_sigaction", "rt_sigpending", "rt_sigprocmask", @@ -360,6 +358,7 @@ "sendmsg", "sendto", "setns", + "set_mempolicy", "set_robust_list", "set_thread_area", "set_tid_address", @@ -761,39 +760,6 @@ }, { "names": [ - "get_mempolicy", - "mbind", - "set_mempolicy" - ], - "action": "SCMP_ACT_ALLOW", - "args": [], - "comment": "", - "includes": { - "caps": [ - "CAP_SYS_NICE" - ] - }, - "excludes": {} - }, - { - "names": [ - "get_mempolicy", - "mbind", - "set_mempolicy" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "", - "includes": {}, - "excludes": { - "caps": [ - "CAP_SYS_NICE" - ] - }, - "errnoRet": 1 - }, - { - "names": [ "acct" ], "action": "SCMP_ACT_ALLOW", diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go index 6c899987a..8907e21ab 100644 --- a/vendor/github.com/containers/common/version/version.go +++ b/vendor/github.com/containers/common/version/version.go @@ -1,4 +1,4 @@ package version // Version is the version of the build. -const Version = "0.40.1-dev" +const Version = "0.40.2-dev" diff --git a/vendor/github.com/cri-o/ocicni/pkg/ocicni/ocicni.go b/vendor/github.com/cri-o/ocicni/pkg/ocicni/ocicni.go index b38340126..90d5b6c50 100644 --- a/vendor/github.com/cri-o/ocicni/pkg/ocicni/ocicni.go +++ b/vendor/github.com/cri-o/ocicni/pkg/ocicni/ocicni.go @@ -195,16 +195,21 @@ func (plugin *cniNetworkPlugin) monitorConfDir(start *sync.WaitGroup) { // If defaultNetName is empty, CNI config files should be reloaded real-time and // defaultNetName should be changeable and determined by file sorting. func InitCNI(defaultNetName string, confDir string, binDirs ...string) (CNIPlugin, error) { - return initCNI(nil, "", defaultNetName, confDir, binDirs...) + return initCNI(nil, "", defaultNetName, confDir, true, binDirs...) } // InitCNIWithCache works like InitCNI except that it takes the cni cache directory as third param. func InitCNIWithCache(defaultNetName, confDir, cacheDir string, binDirs ...string) (CNIPlugin, error) { - return initCNI(nil, cacheDir, defaultNetName, confDir, binDirs...) + return initCNI(nil, cacheDir, defaultNetName, confDir, true, binDirs...) +} + +// InitCNINoInotify works like InitCNI except that it does not use inotify to watch for changes in the CNI config dir. +func InitCNINoInotify(defaultNetName, confDir, cacheDir string, binDirs ...string) (CNIPlugin, error) { + return initCNI(nil, cacheDir, defaultNetName, confDir, false, binDirs...) } // Internal function to allow faking out exec functions for testing -func initCNI(exec cniinvoke.Exec, cacheDir, defaultNetName string, confDir string, binDirs ...string) (CNIPlugin, error) { +func initCNI(exec cniinvoke.Exec, cacheDir, defaultNetName string, confDir string, useInotify bool, binDirs ...string) (CNIPlugin, error) { if confDir == "" { confDir = DefaultConfDir } @@ -245,22 +250,26 @@ func initCNI(exec cniinvoke.Exec, cacheDir, defaultNetName string, confDir strin plugin.syncNetworkConfig() - plugin.watcher, err = newWatcher(plugin.confDir) - if err != nil { - return nil, err - } + if useInotify { + plugin.watcher, err = newWatcher(plugin.confDir) + if err != nil { + return nil, err + } - startWg := sync.WaitGroup{} - startWg.Add(1) - go plugin.monitorConfDir(&startWg) - startWg.Wait() + startWg := sync.WaitGroup{} + startWg.Add(1) + go plugin.monitorConfDir(&startWg) + startWg.Wait() + } return plugin, nil } func (plugin *cniNetworkPlugin) Shutdown() error { close(plugin.shutdownChan) - plugin.watcher.Close() + if plugin.watcher != nil { + plugin.watcher.Close() + } plugin.done.Wait() return nil } @@ -539,10 +548,11 @@ func (plugin *cniNetworkPlugin) SetUpPodWithContext(ctx context.Context, podNetw results := make([]NetResult, 0) if err := plugin.forEachNetwork(&podNetwork, false, func(network *cniNetwork, podNetwork *PodNetwork, rt *libcni.RuntimeConf) error { + fullPodName := buildFullPodName(*podNetwork) + logrus.Infof("Adding pod %s to CNI network %q (type=%v)", fullPodName, network.name, network.config.Plugins[0].Network.Type) result, err := network.addToNetwork(ctx, rt, plugin.cniConfig) if err != nil { - logrus.Errorf("Error while adding pod to CNI network %q: %s", network.name, err) - return err + return fmt.Errorf("error adding pod %s to CNI network %q: %v", fullPodName, network.name, err) } results = append(results, NetResult{ Result: result, @@ -654,8 +664,10 @@ func (plugin *cniNetworkPlugin) TearDownPodWithContext(ctx context.Context, podN } return plugin.forEachNetwork(&podNetwork, true, func(network *cniNetwork, podNetwork *PodNetwork, rt *libcni.RuntimeConf) error { + fullPodName := buildFullPodName(*podNetwork) + logrus.Infof("Deleting pod %s from CNI network %q (type=%v)", fullPodName, network.name, network.config.Plugins[0].Network.Type) if err := network.deleteFromNetwork(ctx, rt, plugin.cniConfig); err != nil { - return fmt.Errorf("Error while removing pod from CNI network %q: %s", network.name, err) + return fmt.Errorf("error removing pod %s from CNI network %q: %v", fullPodName, network.name, err) } return nil }) @@ -680,10 +692,11 @@ func (plugin *cniNetworkPlugin) GetPodNetworkStatusWithContext(ctx context.Conte results := make([]NetResult, 0) if err := plugin.forEachNetwork(&podNetwork, true, func(network *cniNetwork, podNetwork *PodNetwork, rt *libcni.RuntimeConf) error { + fullPodName := buildFullPodName(*podNetwork) + logrus.Infof("Checking pod %s for CNI network %s (type=%v)", fullPodName, network.name, network.config.Plugins[0].Network.Type) result, err := network.checkNetwork(ctx, rt, plugin.cniConfig, plugin.nsManager, podNetwork.NetNS) if err != nil { - logrus.Errorf("Error while checking pod to CNI network %q: %s", network.name, err) - return err + return fmt.Errorf("error checking pod %s for CNI network %q: %v", fullPodName, network.name, err) } if result != nil { results = append(results, NetResult{ @@ -703,19 +716,10 @@ func (plugin *cniNetworkPlugin) GetPodNetworkStatusWithContext(ctx context.Conte } func (network *cniNetwork) addToNetwork(ctx context.Context, rt *libcni.RuntimeConf, cni *libcni.CNIConfig) (cnitypes.Result, error) { - logrus.Infof("About to add CNI network %s (type=%v)", network.name, network.config.Plugins[0].Network.Type) - res, err := cni.AddNetworkList(ctx, network.config, rt) - if err != nil { - logrus.Errorf("Error adding network: %v", err) - return nil, err - } - - return res, nil + return cni.AddNetworkList(ctx, network.config, rt) } func (network *cniNetwork) checkNetwork(ctx context.Context, rt *libcni.RuntimeConf, cni *libcni.CNIConfig, nsManager *nsManager, netns string) (cnitypes.Result, error) { - logrus.Infof("About to check CNI network %s (type=%v)", network.name, network.config.Plugins[0].Network.Type) - gtet, err := cniversion.GreaterThanOrEqualTo(network.config.CNIVersion, "0.4.0") if err != nil { return nil, err @@ -786,11 +790,7 @@ func (network *cniNetwork) checkNetwork(ctx context.Context, rt *libcni.RuntimeC } func (network *cniNetwork) deleteFromNetwork(ctx context.Context, rt *libcni.RuntimeConf, cni *libcni.CNIConfig) error { - logrus.Infof("About to del CNI network %s (type=%v)", network.name, network.config.Plugins[0].Network.Type) - if err := cni.DelNetworkList(ctx, network.config, rt); err != nil { - return err - } - return nil + return cni.DelNetworkList(ctx, network.config, rt) } func buildCNIRuntimeConf(podNetwork *PodNetwork, ifName string, runtimeConfig RuntimeConfig) (*libcni.RuntimeConf, error) { @@ -809,6 +809,13 @@ func buildCNIRuntimeConf(podNetwork *PodNetwork, ifName string, runtimeConfig Ru CapabilityArgs: map[string]interface{}{}, } + // Propagate existing CNI_ARGS to non-k8s consumers + for _, kvpairs := range strings.Split(os.Getenv("CNI_ARGS"), ";") { + if keyval := strings.SplitN(kvpairs, "=", 2); len(keyval) == 2 { + rt.Args = append(rt.Args, [2]string{keyval[0], keyval[1]}) + } + } + // Add requested static IP to CNI_ARGS ip := runtimeConfig.IP if ip != "" { diff --git a/vendor/modules.txt b/vendor/modules.txt index 913076526..c4cfc0d83 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -93,7 +93,7 @@ github.com/containers/buildah/pkg/overlay github.com/containers/buildah/pkg/parse github.com/containers/buildah/pkg/rusage github.com/containers/buildah/util -# github.com/containers/common v0.40.1-0.20210617134614-c6578d76fb0d +# github.com/containers/common v0.40.2-0.20210623133759-d13a31743aec github.com/containers/common/libimage github.com/containers/common/libimage/manifests github.com/containers/common/pkg/apparmor @@ -254,7 +254,7 @@ github.com/coreos/stream-metadata-go/fedoracoreos github.com/coreos/stream-metadata-go/fedoracoreos/internals github.com/coreos/stream-metadata-go/stream github.com/coreos/stream-metadata-go/stream/rhcos -# github.com/cri-o/ocicni v0.2.1-0.20210301205850-541cf7c703cf +# github.com/cri-o/ocicni v0.2.1-0.20210621164014-d0acc7862283 github.com/cri-o/ocicni/pkg/ocicni # github.com/cyphar/filepath-securejoin v0.2.2 github.com/cyphar/filepath-securejoin @@ -788,7 +788,7 @@ gopkg.in/tomb.v1 gopkg.in/yaml.v2 # gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 gopkg.in/yaml.v3 -# k8s.io/api v0.21.1 +# k8s.io/api v0.21.2 k8s.io/api/apps/v1 k8s.io/api/core/v1 # k8s.io/apimachinery v0.21.2 |