From 89818f72b740195215520c7765a686ca843e46a7 Mon Sep 17 00:00:00 2001 From: Jhon Honce Date: Mon, 9 Aug 2021 09:19:21 -0700 Subject: For compatibility, ignore Content-Type Endpoint /build logs an info entry when a client uses the wrong Content-Type for build payload. Given Content-Type is ignored and assumed to be "application/x-tar". Endpoint /libpod/build will fail unless "application/x-tar" or "application/tar" is given for Content-Type. "application/tar" will be logged as an info entry. Fixes #11012 Signed-off-by: Jhon Honce --- pkg/api/handlers/compat/images_build.go | 11 +++++++---- test/apiv2/10-images.at | 34 ++++++++++++++++++++++++++++++++- 2 files changed, 40 insertions(+), 5 deletions(-) diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go index 08d1df4b8..0fcca1821 100644 --- a/pkg/api/handlers/compat/images_build.go +++ b/pkg/api/handlers/compat/images_build.go @@ -34,13 +34,16 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { contentType := hdr[0] switch contentType { case "application/tar": - logrus.Warnf("tar file content type is %s, should use \"application/x-tar\" content type", contentType) + logrus.Infof("tar file content type is %s, should use \"application/x-tar\" content type", contentType) case "application/x-tar": break default: - utils.BadRequest(w, "Content-Type", hdr[0], - fmt.Errorf("Content-Type: %s is not supported. Should be \"application/x-tar\"", hdr[0])) - return + if utils.IsLibpodRequest(r) { + utils.BadRequest(w, "Content-Type", hdr[0], + fmt.Errorf("Content-Type: %s is not supported. Should be \"application/x-tar\"", hdr[0])) + return + } + logrus.Infof("tar file content type is %s, should use \"application/x-tar\" content type", contentType) } } diff --git a/test/apiv2/10-images.at b/test/apiv2/10-images.at index 195b11ff0..abc8d44b7 100644 --- a/test/apiv2/10-images.at +++ b/test/apiv2/10-images.at 
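Review bot: Both `logrus.Infof` calls in the `switch contentType` block write the client-supplied Content-Type value into the log with `%s`, and in the new non-libpod `default` branch that value is no longer limited to a known string. Quoting it keeps odd or empty values unambiguous in the log: `logrus.Infof("tar file content type is %q, should use \"application/x-tar\" content type", contentType)`. Because the compat endpoint now accepts any Content-Type, a short comment on the `default` branch stating that the body is still treated as a tar archive would document that the header is no longer a gate on that path. BuildImage starts and continues outside this hunk.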
@@ -173,7 +173,7 @@ curl -XPOST --data-binary @<(cat $CONTAINERFILE_TAR) \ BUILD_TEST_ERROR="" if ! grep -q '200 OK' "${TMPD}/headers.txt"; then - echo -e "${red}NOK: Image build from tar failed response was not 200 OK" + echo -e "${red}NOK: Image build from tar failed response was not 200 OK (application/x-tar)" BUILD_TEST_ERROR="1" fi @@ -182,6 +182,38 @@ if ! grep -q 'quay.io/libpod/alpine_labels' "${TMPD}/response.txt"; then BUILD_TEST_ERROR="1" fi +curl -XPOST --data-binary @<(cat $CONTAINERFILE_TAR) \ + -H "content-type: application/tar" \ + --dump-header "${TMPD}/headers.txt" \ + -o /dev/null \ + "http://$HOST:$PORT/v1.40/libpod/build?dockerfile=containerfile" &> /dev/null +if ! grep -q '200 OK' "${TMPD}/headers.txt"; then + echo -e "${red}NOK: Image build from tar failed response was not 200 OK (application/tar)" + BUILD_TEST_ERROR="1" +fi + +# Yes, this is very un-RESTful re: Content-Type header ignored when compatibility endpoint used +# See https://github.com/containers/podman/issues/11012 +curl -XPOST --data-binary @<(cat $CONTAINERFILE_TAR) \ + -H "content-type: application/json" \ + --dump-header "${TMPD}/headers.txt" \ + -o /dev/null \ + "http://$HOST:$PORT/v1.40/build?dockerfile=containerfile" &> /dev/null +if ! grep -q '200 OK' "${TMPD}/headers.txt"; then + echo -e "${red}NOK: Image build from tar failed response was not 200 OK (application/tar)" + BUILD_TEST_ERROR="1" +fi + +curl -XPOST --data-binary @<(cat $CONTAINERFILE_TAR) \ + -H "content-type: application/json" \ + --dump-header "${TMPD}/headers.txt" \ + -o /dev/null \ + "http://$HOST:$PORT/v1.40/libpod/build?dockerfile=containerfile" &> /dev/null +if ! grep -q '400 Bad Request' "${TMPD}/headers.txt"; then + echo -e "${red}NOK: Image build should have failed with 400 (wrong Content-Type)" + BUILD_TEST_ERROR="1" +fi + cleanBuildTest if [[ "${BUILD_TEST_ERROR}" ]]; then exit 1 -- cgit v1.2.3-54-g00ecf From f0d0c48d2e38a6a34e687ef8c75caef30790bcdd Mon Sep 17 00:00:00 2001 
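Review bot: The third added request sends `content-type: application/json` to the compat `/v1.40/build` endpoint, but its failure message still says `(application/tar)`, so a regression there would be reported under the wrong case. Something like `echo -e "${red}NOK: Image build from tar failed response was not 200 OK (compat endpoint, application/json)"` would identify it. All four checks grep the same `${TMPD}/headers.txt`, and curl's own output goes to `/dev/null`; if a request failed before writing headers, the grep might read the previous request's file, so removing the file before each curl call would rule that out.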
From: Matthew Heon Date: Wed, 18 Aug 2021 14:19:11 -0400 Subject: Volumes: Only remove from DB if plugin removal succeeds Originally, Podman would unconditionally remove volumes from the DB, even if they failed to be removed from the volume plugin; this was a safety measure to ensure that `volume rm` can always remove a volume from the database, even if the plugin is misbehaving. However, this is a significant deivation from Docker, which refuses to remove if the plugin errors. These errors can be legitimate configuration issues which the user should address before the volume is removed, so Podman should also use this behaviour. Fixes #11214 Signed-off-by: Matthew Heon --- libpod/runtime_volume_linux.go | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/libpod/runtime_volume_linux.go b/libpod/runtime_volume_linux.go index 3d5bc8bb2..f489fbbb5 100644 --- a/libpod/runtime_volume_linux.go +++ b/libpod/runtime_volume_linux.go @@ -234,11 +234,6 @@ func (r *Runtime) removeVolume(ctx context.Context, v *Volume, force bool) error // Set volume as invalid so it can no longer be used v.valid = false - // Remove the volume from the state - if err := r.state.RemoveVolume(v); err != nil { - return errors.Wrapf(err, "error removing volume %s", v.Name()) - } - var removalErr error // If we use a volume plugin, we need to remove from the plugin. 
@@ -266,11 +261,19 @@ func (r *Runtime) removeVolume(ctx context.Context, v *Volume, force bool) error req := new(pluginapi.RemoveRequest) req.Name = v.Name() if err := v.plugin.RemoveVolume(req); err != nil { - removalErr = errors.Wrapf(err, "volume %s could not be removed from plugin %s, but it has been removed from Podman", v.Name(), v.Driver()) + return errors.Wrapf(err, "volume %s could not be removed from plugin %s", v.Name(), v.Driver()) } } } + // Remove the volume from the state + if err := r.state.RemoveVolume(v); err != nil { + if removalErr != nil { + logrus.Errorf("Error removing volume %s from plugin %s: %v", v.Name(), v.Driver(), removalErr) + } + return errors.Wrapf(err, "error removing volume %s", v.Name()) + } + // Free the volume's lock if err := v.lock.Free(); err != nil { if removalErr == nil { -- cgit v1.2.3-54-g00ecf From b71ef443a4f5539ccdda7a1f635e41f9a5818eb2 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Wed, 18 Aug 2021 09:52:56 -0400 Subject: pkg/bindings/images.nTar(): slashify hdr.Name values When setting path names in the build context archive, convert path names to use forward slashes, as is normal for those archives, so that directory hierarchies archived on Windows hosts extract correctly everywhere. Not really sure how to run the remote client in CI on a system that uses `\` as a path separator, which is where this error crops up, so [NO TESTS NEEDED] Signed-off-by: Nalin Dahyabhai --- pkg/bindings/images/build.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/bindings/images/build.go b/pkg/bindings/images/build.go index e1aeae244..39e0fc5df 100644 --- a/pkg/bindings/images/build.go +++ b/pkg/bindings/images/build.go 
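Review bot: The new early `return` when `v.plugin.RemoveVolume(req)` fails happens after `v.valid = false` has already been set (visible as context in the earlier hunk of this file), so the in-memory volume is marked invalid while it still exists in the state and in the plugin. If callers can keep using this `*Volume`, it is left unusable even though removal was refused; moving the invalidation below the plugin call, or restoring `v.valid = true` before this return, would keep the two consistent. In the relocated state-removal block, `removalErr` can no longer come from `RemoveVolume`, so the `Error removing volume %s from plugin %s` message depends on assignments outside the hunk, and a comment naming which failures still populate `removalErr` would help. removeVolume begins and ends outside both hunks.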
@@ -481,9 +481,9 @@ func nTar(excludes []string, sources ...string) (io.ReadCloser, error) { return nil // skip root dir } - name := strings.TrimPrefix(path, s+string(filepath.Separator)) + name := filepath.ToSlash(strings.TrimPrefix(path, s+string(filepath.Separator))) - excluded, err := pm.Matches(filepath.ToSlash(name)) // nolint:staticcheck + excluded, err := pm.Matches(name) // nolint:staticcheck if err != nil { return errors.Wrapf(err, "error checking if %q is excluded", name) } -- cgit v1.2.3-54-g00ecf From a52b6bf23864073c39fda753b8c88a391bfe3555 Mon Sep 17 00:00:00 2001 From: Guillaume Rose Date: Thu, 19 Aug 2021 16:14:06 +0200 Subject: machine: check for file exists instead of listing directory [NO TESTS NEEDED] Signed-off-by: Guillaume Rose --- pkg/machine/fcos.go | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/pkg/machine/fcos.go b/pkg/machine/fcos.go index 11936aee7..943b9fd3c 100644 --- a/pkg/machine/fcos.go +++ b/pkg/machine/fcos.go @@ -6,6 +6,7 @@ import ( "crypto/sha256" "io/ioutil" url2 "net/url" + "os" "path/filepath" "runtime" "strings" 
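Review bot: Nothing in the hunk records why `name` is converted with `filepath.ToSlash` at assignment, even though the same value now feeds the exclusion match and, per the commit subject, the archive entry name. A comment above the assignment such as `// tar entry names and ignore patterns use forward slashes; normalize once and use the same name for both` would keep a later edit from splitting the two again, which matters because the exclusion patterns decide which files leave the client in the build context. The `// nolint:staticcheck` on the `pm.Matches` line also gives no reason; naming the check it silences would help. The enclosing walk callback in nTar starts and ends outside the hunk.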
@@ -91,24 +92,16 @@ func UpdateAvailable(d *Download) (bool, error) { // check the sha of the local image if it exists // get the sha of the remote image // == dont bother to pull - files, err := ioutil.ReadDir(filepath.Dir(d.LocalPath)) + if _, err := os.Stat(d.LocalPath); os.IsNotExist(err) { + return false, nil + } + b, err := ioutil.ReadFile(d.LocalPath) if err != nil { return false, err } - for _, file := range files { - if filepath.Base(d.LocalPath) == file.Name() { - b, err := ioutil.ReadFile(d.LocalPath) - if err != nil { - return false, err - } - s := sha256.Sum256(b) - sum := digest.NewDigestFromBytes(digest.SHA256, s[:]) - if sum.Encoded() == d.Sha256sum { - return true, nil - } - } - } - return false, nil + s := sha256.Sum256(b) + sum := digest.NewDigestFromBytes(digest.SHA256, s[:]) + return sum.Encoded() == d.Sha256sum, nil } func getFcosArch() string { -- cgit v1.2.3-54-g00ecf From b5e04ae115e0ed6a337d33a98ef70c8f45504040 Mon Sep 17 00:00:00 2001 From: Guillaume Rose Date: Thu, 19 Aug 2021 16:17:23 +0200 Subject: machine: compute sha256 as we read the image file It avoids to have the full file in memory. [NO TESTS NEEDED] Signed-off-by: Guillaume Rose --- pkg/machine/fcos.go | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/pkg/machine/fcos.go b/pkg/machine/fcos.go index 943b9fd3c..49ec01e67 100644 --- a/pkg/machine/fcos.go +++ b/pkg/machine/fcos.go @@ -3,8 +3,6 @@ package machine import ( - "crypto/sha256" - "io/ioutil" url2 "net/url" "os" "path/filepath" @@ -12,6 +10,7 @@ import ( "strings" digest "github.com/opencontainers/go-digest" + "github.com/sirupsen/logrus" ) // These should eventually be moved into machine/qemu as 
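Review bot: The `os.Stat` pre-check in UpdateAvailable is a separate lookup from the `ioutil.ReadFile(d.LocalPath)` that follows, so the file can vanish or be replaced between the two calls and the check adds nothing the read error does not already report. Reading directly and testing that error covers the missing-file case in one step: keep `b, err := ioutil.ReadFile(d.LocalPath)` and put `if os.IsNotExist(err) { return false, nil }` ahead of the existing `if err != nil`. The later hunk in this file that switches to `os.Open` keeps the same Stat pre-check and could apply the same test to the `os.Open` error. A sentence in the comment above stating that `true` means the local digest equals `d.Sha256sum` would also help, since the name UpdateAvailable reads as though it meant the opposite.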
@@ -95,12 +94,19 @@ func UpdateAvailable(d *Download) (bool, error) { if _, err := os.Stat(d.LocalPath); os.IsNotExist(err) { return false, nil } - b, err := ioutil.ReadFile(d.LocalPath) + fd, err := os.Open(d.LocalPath) + if err != nil { + return false, err + } + defer func() { + if err := fd.Close(); err != nil { + logrus.Error(err) + } + }() + sum, err := digest.SHA256.FromReader(fd) if err != nil { return false, err } - s := sha256.Sum256(b) - sum := digest.NewDigestFromBytes(digest.SHA256, s[:]) return sum.Encoded() == d.Sha256sum, nil } -- cgit v1.2.3-54-g00ecf From dd3a4970387b267b6086891cbf69f681806ffb58 Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Fri, 20 Aug 2021 10:49:33 +0200 Subject: Fix network aliases with network id When a network id is used to create a container we translate it to use the name internally for the db. The network aliases are also stored with the network name as key so we have to also translate them for the db. Also removed some outdated skips from the e2e tests. Fixes #11285 Signed-off-by: Paul Holzinger --- libpod/runtime_ctr.go | 14 ++++++++++++++ test/e2e/network_connect_disconnect_test.go | 8 ++------ test/e2e/run_networking_test.go | 1 - 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go index 059f56798..02bbb6981 100644 --- a/libpod/runtime_ctr.go +++ b/libpod/runtime_ctr.go 
@@ -246,6 +246,20 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai ctr.config.Networks = netNames } + // https://github.com/containers/podman/issues/11285 + // normalize the networks aliases to use network names and never ids + if len(ctr.config.NetworkAliases) > 0 { + netAliases := make(map[string][]string, len(ctr.config.NetworkAliases)) + for nameOrID, aliases := range ctr.config.NetworkAliases { + netName, err := network.NormalizeName(r.config, nameOrID) + if err != nil { + return nil, err + } + netAliases[netName] = aliases + } + ctr.config.NetworkAliases = netAliases + } + // Inhibit shutdown until creation succeeds shutdown.Inhibit() defer shutdown.Uninhibit() diff --git a/test/e2e/network_connect_disconnect_test.go b/test/e2e/network_connect_disconnect_test.go index b1f3607ab..217efdeec 100644 --- a/test/e2e/network_connect_disconnect_test.go +++ b/test/e2e/network_connect_disconnect_test.go @@ -236,8 +236,6 @@ var _ = Describe("Podman network connect and disconnect", func() { }) It("podman network connect and run with network ID", func() { - SkipIfRemote("remote flakes to much I will fix this in another PR") - SkipIfRootless("network connect and disconnect are only rootful") netName := "ID" + stringid.GenerateNonCryptoID() session := podmanTest.Podman([]string{"network", "create", netName}) session.WaitWithDefaultTimeout() @@ -249,7 +247,7 @@ var _ = Describe("Podman network connect and disconnect", func() { Expect(session).Should(Exit(0)) netID := session.OutputToString() - ctr := podmanTest.Podman([]string{"run", "-dt", "--name", "test", "--network", netID, ALPINE, "top"}) + ctr := podmanTest.Podman([]string{"run", "-dt", "--name", "test", "--network", netID, "--network-alias", "somealias", ALPINE, "top"}) ctr.WaitWithDefaultTimeout() Expect(ctr).Should(Exit(0)) 
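Review bot: In the new loop, `netAliases[netName] = aliases` overwrites any entry already stored under the same normalized name, so if `NetworkAliases` holds both a network's name and its ID as keys, one set of aliases is dropped and which one survives depends on map iteration order. Merging keeps both: `netAliases[netName] = append(netAliases[netName], aliases...)`. The error from `network.NormalizeName` is returned without context; wrapping it with the offending `nameOrID` would make the failure easier to trace. setupContainer starts and ends outside this hunk.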
@@ -269,7 +267,7 @@ var _ = Describe("Podman network connect and disconnect", func() { Expect(session).Should(Exit(0)) newNetID := session.OutputToString() - connect := podmanTest.Podman([]string{"network", "connect", newNetID, "test"}) + connect := podmanTest.Podman([]string{"network", "connect", "--alias", "secondalias", newNetID, "test"}) connect.WaitWithDefaultTimeout() Expect(connect).Should(Exit(0)) @@ -324,8 +322,6 @@ var _ = Describe("Podman network connect and disconnect", func() { }) It("podman network disconnect and run with network ID", func() { - SkipIfRemote("remote flakes to much I will fix this in another PR") - SkipIfRootless("network connect and disconnect are only rootful") netName := "aliasTest" + stringid.GenerateNonCryptoID() session := podmanTest.Podman([]string{"network", "create", netName}) session.WaitWithDefaultTimeout() diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go index 92388b099..8eabeba97 100644 --- a/test/e2e/run_networking_test.go +++ b/test/e2e/run_networking_test.go @@ -764,7 +764,6 @@ var _ = Describe("Podman run networking", func() { }) It("podman run check dnsname adds dns search domain", func() { - Skip("needs dnsname#57") net := "dnsname" + stringid.GenerateNonCryptoID() session := podmanTest.Podman([]string{"network", "create", net}) session.WaitWithDefaultTimeout() -- cgit v1.2.3-54-g00ecf From 2408247f432e637558e664a5d6fffcf8794e2acf Mon Sep 17 00:00:00 2001 From: Matthew Heon Date: Fri, 20 Aug 2021 11:41:09 -0400 Subject: Final release notes for v3.3.0 Signed-off-by: Matthew Heon --- RELEASE_NOTES.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index 18bf4a530..9649e7abb 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md 
@@ -41,6 +41,7 @@ - The output of `podman system connection list` is now deterministic, with connections being sorted alpabetically by their name. - The auto-update service (`podman-auto-update.service`) has had its default timer adjusted so it now starts at a random time up to 15 minutes after midnight, to help prevent system congestion from numerous daily services run at once. - Systemd unit files generated by `podman generate systemd` now depend on `network-online.target` by default ([#10655](https://github.com/containers/podman/issues/10655)). +- Systemd unit files generated by `podman generate systemd` now use `Type=notify` by default, instead of using PID files. - The `podman info` command's logic for detecting package versions on Gentoo has been improved, and should be significantly faster. ### Bugfixes 
@@ -61,8 +62,10 @@ - Fixed a bug where the remote Podman client's `podman build` command would only respect `.containerignore` and not `.dockerignore` files (when both are present, `.containerignore` will be preferred) ([#10907](https://github.com/containers/podman/issues/10907)). - Fixed a bug where the remote Podman client's `podman build` command would fail to send the Dockerfile being built to the server when it was excluded by the `.dockerignore` file, resulting in an error ([#9867](https://github.com/containers/podman/issues/9867)). - Fixed a bug where the remote Podman client's `podman build` command could unexpectedly stop streaming the output of the build ([#10154](https://github.com/containers/podman/issues/10154)). +- Fixed a bug where the remote Podman client's `podman build` command would fail to build when run on Windows ([#11259](https://github.com/containers/podman/issues/11259)). - Fixed a bug where the `podman manifest create` command accepted at most two arguments (an arbitrary number of images are allowed as arguments, which will be added to the manifest). - Fixed a bug where named volumes would not be properly chowned to the UID and GID of the directory they were mounted over when first mounted into a container ([#10776](https://github.com/containers/podman/issues/10776)). +- Fixed a bug where named volumes created using a volume plugin would be removed from Podman, even if the plugin reported a failure to remove the volume ([#11214](https://github.com/containers/podman/issues/11214)). - Fixed a bug where the remote Podman client's `podman exec -i` command would hang when input was provided via shell redirection (e.g. `podman --remote exec -i foo cat <<<"hello"`) ([#7360](https://github.com/containers/podman/issues/7360)). - Fixed a bug where containers created with `--rm` were not immediately removed after being started by `podman start` if they failed to start ([#10935](https://github.com/containers/podman/issues/10935)). 
- Fixed a bug where the `--storage-opt` flag to `podman create` and `podman run` was nonfunctional ([#10264](https://github.com/containers/podman/issues/10264)). @@ -78,6 +81,9 @@ - Fixed a bug where the `podman unpause --all` command would throw an error for every container that was not paused ([#11098](https://github.com/containers/podman/issues/11098)). - Fixed a bug where timestamps for the `since` and `until` filters using Unix timestamps with a nanoseconds portion could not be parsed ([#11131](https://github.com/containers/podman/issues/11131)). - Fixed a bug where the `podman info` command would sometimes print the wrong path for the `slirp4netns` binary. +- Fixed a bug where rootless Podman containers joined to a CNI network would not have functional DNS when the host used systemd-resolved without the resolved stub resolver being enabled ([#11222](https://github.com/containers/podman/issues/11222)). +- Fixed a bug where `podman network connect` and `podman network disconnect` of rootless containers could sometimes break port forwarding to the container ([#11248](https://github.com/containers/podman/issues/11248)). +- Fixed a bug where joining a container to a CNI network by ID and adding network aliases to this network would cause the container to fail to start ([#11285](https://github.com/containers/podman/issues/11285)). ### API - Fixed a bug where the Compat List endpoint for Containers included healthcheck information for all containers, even those that did not have a configured healthcheck. 
@@ -86,6 +92,7 @@ - Fixed a bug where the Compat Wait endpoint for Containers would always send an empty string error message when no error occurred. - Fixed a bug where the Libpod Stats endpoint for Containers would not error when run on rootless containers on cgroups v1 systems (nonsensical results would be returned, as this configuration cannot be supportable). - Fixed a bug where the Compat List endpoint for Images omitted the `ContainerConfig` field ([#10795](https://github.com/containers/podman/issues/10795)). +- Fixed a bug where the Compat Build endpoint for Images was too strict when validating the `Content-Type` header, rejecting content that Docker would have accepted ([#11022](https://github.com/containers/podman/issues/11012)). - Fixed a bug where the Compat Pull endpoint for Images could fail, but return a 200 status code, if an image name that could not be parsed was provided. - Fixed a bug where the Compat Pull endpoint for Images would continue to pull images after the client disconnected. - Fixed a bug where the Compat List endpoint for Networks would fail for non-bridge (e.g. macvlan) networks ([#10266](https://github.com/containers/podman/issues/10266)). @@ -95,9 +102,9 @@ - The Compat Pull endpoint for Images now supports the `platform` query parameter. ### Misc -- Updated Buildah to v1.22.0 +- Updated Buildah to v1.22.3 - Updated the containers/storage library to v1.34.1 -- Updated the containers/image library to v5.15.1 +- Updated the containers/image library to v5.15.2 - Updated the containers/common library to v0.42.1 ## 3.2.3 -- cgit v1.2.3-54-g00ecf