From a4a70b4506ec4abb8b3bbc3873ee5ca015a8ed08 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Thu, 24 Oct 2019 10:37:22 -0400 Subject: bump containers/image to v5.0.0, buildah to v1.11.4 Move to containers/image v5 and containers/buildah to v1.11.4. Replace an equality check with a type assertion when checking for a docker.ErrUnauthorizedForCredentials in `podman login`. Signed-off-by: Nalin Dahyabhai
---
 cmd/podman/shared/container.go | 2 +-
 cmd/podman/shared/create.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'cmd/podman/shared')
diff --git a/cmd/podman/shared/container.go b/cmd/podman/shared/container.go
index 15bbb46d2..bc64d63a9 100644
--- a/cmd/podman/shared/container.go
+++ b/cmd/podman/shared/container.go
@@ -13,7 +13,7 @@ import (
 "sync"
 "time"
- "github.com/containers/image/v4/types"
+ "github.com/containers/image/v5/types"
 "github.com/containers/libpod/libpod"
 "github.com/containers/libpod/libpod/define"
 "github.com/containers/libpod/libpod/image"
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
index bf9410b72..f37f5fa62 100644
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@@ -12,7 +12,7 @@ import (
 "syscall"
 "time"
- "github.com/containers/image/v4/manifest"
+ "github.com/containers/image/v5/manifest"
 "github.com/containers/libpod/cmd/podman/shared/parse"
 "github.com/containers/libpod/libpod"
 "github.com/containers/libpod/libpod/image"
-- cgit v1.2.3-54-g00ecf
From b9313d355e8cd6307d8772ad9c21958ffe981e5b Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Wed, 16 Oct 2019 11:57:45 -0400 Subject: pull/create: add --override-arch/--override-os flags Add --override-arch and --override-os as hidden flags, in line with the global flag names that skopeo uses, so that we can test behavior around manifest lists without having to conditionalize more of it by arch.
Signed-off-by: Nalin Dahyabhai
---
 API.md | 4 ++++
 cmd/podman/build.go | 7 ++++++-
 cmd/podman/cliconfig/config.go | 2 ++
 cmd/podman/common.go | 10 ++++++++++
 cmd/podman/pull.go | 6 ++++++
 cmd/podman/shared/create.go | 7 ++++++-
 cmd/podman/shared/intermediate.go | 2 ++
 cmd/podman/shared/intermediate_varlink.go | 4 ++++
 cmd/podman/varlink/io.podman.varlink | 2 ++
 libpod/image/docker_registry_options.go | 8 ++++++++
 libpod/image/pull.go | 8 ++++++++
 11 files changed, 58 insertions(+), 2 deletions(-) (limited to 'cmd/podman/shared')
diff --git a/API.md b/API.md
index 1cbdacb12..e79f6ee5e 100755
--- a/API.md
+++ b/API.md
@@ -1557,6 +1557,10 @@ oomKillDisable [?bool](#?bool)
 oomScoreAdj [?int](#?int)
+overrideArch [?string](#?string)
+
+overrideOS [?string](#?string)
+
 pid [?string](#?string)
 pidsLimit [?int](#?int)
diff --git a/cmd/podman/build.go b/cmd/podman/build.go
index f4efea544..e9ebc50aa 100644
--- a/cmd/podman/build.go
+++ b/cmd/podman/build.go
@@ -9,6 +9,7 @@ import (
 "github.com/containers/buildah"
 "github.com/containers/buildah/imagebuildah"
 buildahcli "github.com/containers/buildah/pkg/cli"
+ "github.com/containers/image/v5/types"
 "github.com/containers/libpod/cmd/podman/cliconfig"
 "github.com/containers/libpod/libpod"
 "github.com/containers/libpod/pkg/adapter"
@@ -360,7 +361,11 @@ func buildCmd(c *cliconfig.BuildValues) error {
 RuntimeArgs: runtimeFlags,
 SignaturePolicyPath: c.SignaturePolicy,
 Squash: c.Squash,
- Target: c.Target,
+ SystemContext: &types.SystemContext{
+ OSChoice: c.OverrideOS,
+ ArchitectureChoice: c.OverrideArch,
+ },
+ Target: c.Target,
 }
 return runtime.Build(getContext(), c, options, containerfiles)
 }
diff --git a/cmd/podman/cliconfig/config.go b/cmd/podman/cliconfig/config.go
index 86258a543..1bb5fa30c 100644
--- a/cmd/podman/cliconfig/config.go
+++ b/cmd/podman/cliconfig/config.go
@@ -431,6 +431,8 @@ type PullValues struct {
 Authfile string
 CertDir string
 Creds string
+ OverrideArch string
+ OverrideOS string
 Quiet bool
 SignaturePolicy string
 TlsVerify bool
diff --git a/cmd/podman/common.go b/cmd/podman/common.go
index e93586b62..33a848553 100644
--- a/cmd/podman/common.go
+++ b/cmd/podman/common.go
@@ -370,6 +370,16 @@ func getCreateFlags(c *cliconfig.PodmanCommand) {
 "oom-score-adj", 0,
 "Tune the host's OOM preferences (-1000 to 1000)",
 )
+ createFlags.String(
+ "override-arch", "",
+ "use `ARCH` instead of the architecture of the machine for choosing images",
+ )
+ markFlagHidden(createFlags, "override-arch")
+ createFlags.String(
+ "override-os", "",
+ "use `OS` instead of the running OS for choosing images",
+ )
+ markFlagHidden(createFlags, "override-os")
 createFlags.String(
 "pid", "",
 "PID namespace to use",
diff --git a/cmd/podman/pull.go b/cmd/podman/pull.go
index 905b1987d..d64793147 100644
--- a/cmd/podman/pull.go
+++ b/cmd/podman/pull.go
@@ -54,6 +54,10 @@ func init() {
 flags.BoolVar(&pullCommand.AllTags, "all-tags", false, "All tagged images in the repository will be pulled")
 flags.StringVar(&pullCommand.Creds, "creds", "", "`Credentials` (USERNAME:PASSWORD) to use for authenticating to a registry")
 flags.BoolVarP(&pullCommand.Quiet, "quiet", "q", false, "Suppress output information when pulling images")
+ flags.StringVar(&pullCommand.OverrideArch, "override-arch", "", "use `ARCH` instead of the architecture of the machine for choosing images")
+ markFlagHidden(flags, "override-arch")
+ flags.StringVar(&pullCommand.OverrideOS, "override-os", "", "use `OS` instead of the running OS for choosing images")
+ markFlagHidden(flags, "override-os")
 // Disabled flags for the remote client
 if !remote {
 flags.StringVar(&pullCommand.Authfile, "authfile", shared.GetAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override")
@@ -122,6 +126,8 @@ func pullCmd(c *cliconfig.PullValues) (retError error) {
 dockerRegistryOptions := image.DockerRegistryOptions{
 DockerRegistryCreds: registryCreds,
 DockerCertPath: c.CertDir,
+ OSChoice: c.OverrideOS,
+ ArchitectureChoice: c.OverrideArch,
 }
 if c.IsSet("tls-verify") {
 dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.TlsVerify)
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
index f37f5fa62..759903c19 100644
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@@ -89,7 +89,12 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 return nil, nil, err
 }
- newImage, err := runtime.ImageRuntime().New(ctx, name, rtc.SignaturePolicyPath, GetAuthFile(c.String("authfile")), writer, nil, image.SigningOptions{}, nil, pullType)
+ dockerRegistryOptions := image.DockerRegistryOptions{
+ OSChoice: c.String("override-os"),
+ ArchitectureChoice: c.String("override-arch"),
+ }
+
+ newImage, err := runtime.ImageRuntime().New(ctx, name, rtc.SignaturePolicyPath, GetAuthFile(c.String("authfile")), writer, &dockerRegistryOptions, image.SigningOptions{}, nil, pullType)
 if err != nil {
 return nil, nil, err
 }
diff --git a/cmd/podman/shared/intermediate.go b/cmd/podman/shared/intermediate.go
index 0f71dc087..bc12bd2a5 100644
--- a/cmd/podman/shared/intermediate.go
+++ b/cmd/podman/shared/intermediate.go
@@ -428,6 +428,8 @@ func NewIntermediateLayer(c *cliconfig.PodmanCommand, remote bool) GenericCLIRes
 m["no-hosts"] = newCRBool(c, "no-hosts")
 m["oom-kill-disable"] = newCRBool(c, "oom-kill-disable")
 m["oom-score-adj"] = newCRInt(c, "oom-score-adj")
+ m["override-arch"] = newCRString(c, "override-arch")
+ m["override-os"] = newCRString(c, "override-os")
 m["pid"] = newCRString(c, "pid")
 m["pids-limit"] = newCRInt64(c, "pids-limit")
 m["pod"] = newCRString(c, "pod")
diff --git a/cmd/podman/shared/intermediate_varlink.go b/cmd/podman/shared/intermediate_varlink.go
index c95470a72..89bd52324 100644
--- a/cmd/podman/shared/intermediate_varlink.go
+++ b/cmd/podman/shared/intermediate_varlink.go
@@ -131,6 +131,8 @@ func (g GenericCLIResults) MakeVarlink() iopodman.Create {
 Network: StringToPtr(g.Find("network")),
 OomKillDisable: BoolToPtr(g.Find("oom-kill-disable")),
 OomScoreAdj: AnyIntToInt64Ptr(g.Find("oom-score-adj")),
+ OverrideOS: StringToPtr(g.Find("override-os")),
+ OverrideArch: StringToPtr(g.Find("override-arch")),
 Pid: StringToPtr(g.Find("pid")),
 PidsLimit: AnyIntToInt64Ptr(g.Find("pids-limit")),
 Pod: StringToPtr(g.Find("pod")),
@@ -389,6 +391,8 @@ func VarlinkCreateToGeneric(opts iopodman.Create) GenericCLIResults {
 m["no-hosts"] = boolFromVarlink(opts.NoHosts, "no-hosts", false)
 m["oom-kill-disable"] = boolFromVarlink(opts.OomKillDisable, "oon-kill-disable", false)
 m["oom-score-adj"] = intFromVarlink(opts.OomScoreAdj, "oom-score-adj", nil)
+ m["override-os"] = stringFromVarlink(opts.OverrideOS, "override-os", nil)
+ m["override-arch"] = stringFromVarlink(opts.OverrideArch, "override-arch", nil)
 m["pid"] = stringFromVarlink(opts.Pid, "pid", nil)
 m["pids-limit"] = int64FromVarlink(opts.PidsLimit, "pids-limit", nil)
 m["pod"] = stringFromVarlink(opts.Pod, "pod", nil)
diff --git a/cmd/podman/varlink/io.podman.varlink b/cmd/podman/varlink/io.podman.varlink
index dca366bc5..9ec7d1172 100644
--- a/cmd/podman/varlink/io.podman.varlink
+++ b/cmd/podman/varlink/io.podman.varlink
@@ -342,6 +342,8 @@ type Create (
 noHosts: ?bool,
 oomKillDisable: ?bool,
 oomScoreAdj: ?int,
+ overrideArch: ?string,
+ overrideOS: ?string,
 pid: ?string,
 pidsLimit: ?int,
 pod: ?string,
diff --git a/libpod/image/docker_registry_options.go b/libpod/image/docker_registry_options.go
index 75417fe8b..62a4af465 100644
--- a/libpod/image/docker_registry_options.go
+++ b/libpod/image/docker_registry_options.go
@@ -26,6 +26,10 @@ type DockerRegistryOptions struct {
 // certificates and allows connecting to registries without encryption
 // - or forces it on even if registries.conf has the registry configured as insecure.
 DockerInsecureSkipTLSVerify types.OptionalBool
+ // If not "", overrides the use of platform.GOOS when choosing an image or verifying OS match.
+ OSChoice string
+ // If not "", overrides the use of platform.GOARCH when choosing an image or verifying architecture match.
+ ArchitectureChoice string
 }
 // GetSystemContext constructs a new system context from a parent context. the values in the DockerRegistryOptions, and other parameters.
@@ -35,12 +39,16 @@ func (o DockerRegistryOptions) GetSystemContext(parent *types.SystemContext, add
 DockerCertPath: o.DockerCertPath,
 DockerInsecureSkipTLSVerify: o.DockerInsecureSkipTLSVerify,
 DockerArchiveAdditionalTags: additionalDockerArchiveTags,
+ OSChoice: o.OSChoice,
+ ArchitectureChoice: o.ArchitectureChoice,
 }
 if parent != nil {
 sc.SignaturePolicyPath = parent.SignaturePolicyPath
 sc.AuthFilePath = parent.AuthFilePath
 sc.DirForceCompress = parent.DirForceCompress
 sc.DockerRegistryUserAgent = parent.DockerRegistryUserAgent
+ sc.OSChoice = parent.OSChoice
+ sc.ArchitectureChoice = parent.ArchitectureChoice
 }
 return sc
 }
diff --git a/libpod/image/pull.go b/libpod/image/pull.go
index 7584ed9d8..7f5dc33b9 100644
--- a/libpod/image/pull.go
+++ b/libpod/image/pull.go
@@ -223,6 +223,10 @@ func (ir *Runtime) pullImageFromHeuristicSource(ctx context.Context, inputName s
 var goal *pullGoal
 sc := GetSystemContext(signaturePolicyPath, authfile, false)
+ if dockerOptions != nil {
+ sc.OSChoice = dockerOptions.OSChoice
+ sc.ArchitectureChoice = dockerOptions.ArchitectureChoice
+ }
 sc.BlobInfoCacheDir = filepath.Join(ir.store.GraphRoot(), "cache")
 srcRef, err := alltransports.ParseImageName(inputName)
 if err != nil {
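Review bot: In the second docker_registry_options.go hunk, the `if parent != nil` branch of GetSystemContext copies `parent.OSChoice` and `parent.ArchitectureChoice` unconditionally, so a parent that leaves them empty erases the `o.OSChoice` / `o.ArchitectureChoice` values placed in the struct literal a few lines earlier. That is presumably why the libpod/image/pull.go hunks copy the override into `sc` beforehand, but any other caller passing a parent without these fields would silently fall back to the host platform when an image is chosen from a manifest list. Guarding each copy keeps the option's value: `if parent.OSChoice != "" { sc.OSChoice = parent.OSChoice }`, and likewise for `ArchitectureChoice`. The function signature is truncated in the hunk header, so the remaining parameters are not visible here.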
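Review bot: The four-line `if dockerOptions != nil { ... }` block added to pullImageFromHeuristicSource in libpod/image/pull.go is repeated verbatim in pullImageFromReference in the following hunk, so the two pull paths can drift apart if a third override field is added later. A small unexported helper that takes `sc` and `dockerOptions` and applies both fields would keep them in step; failing that, a comment on each copy such as `// Apply the caller's OS/architecture override before the pull goal is computed.` would record why the block is there. Both function bodies continue outside their hunks, so how `sc` is consumed afterwards is not visible.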
@@ -246,6 +250,10 @@ func (ir *Runtime) pullImageFromReference(ctx context.Context, srcRef types.Imag
 defer span.Finish()
 sc := GetSystemContext(signaturePolicyPath, authfile, false)
+ if dockerOptions != nil {
+ sc.OSChoice = dockerOptions.OSChoice
+ sc.ArchitectureChoice = dockerOptions.ArchitectureChoice
+ }
 goal, err := ir.pullGoalFromImageReference(ctx, srcRef, transports.ImageName(srcRef), sc)
 if err != nil {
 return nil, errors.Wrapf(err, "error determining pull goal for image %q", transports.ImageName(srcRef))
-- cgit v1.2.3-54-g00ecf
From 66c126d6dee178f96f8a120f13372802d46ea9b5 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 29 Oct 2019 13:33:44 -0400 Subject: Set default seccomp.json file for podman play kube Currently podman play kube is not using the system default seccomp.json file. This PR will use the default or override location for podman play. Signed-off-by: Daniel J Walsh
---
 cmd/podman/shared/create.go | 17 ++++-------------
 libpod/util.go | 17 +++++++++++++++++
 pkg/adapter/pods.go | 5 +++++
 3 files changed, 26 insertions(+), 13 deletions(-) (limited to 'cmd/podman/shared')
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
index 759903c19..dc343e694 100644
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@@ -251,19 +251,10 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *l
 }
 if config.SeccompProfilePath == "" {
- if _, err := os.Stat(libpod.SeccompOverridePath); err == nil {
- config.SeccompProfilePath = libpod.SeccompOverridePath
- } else {
- if !os.IsNotExist(err) {
- return errors.Wrapf(err, "can't check if %q exists", libpod.SeccompOverridePath)
- }
- if _, err := os.Stat(libpod.SeccompDefaultPath); err != nil {
- if !os.IsNotExist(err) {
- return errors.Wrapf(err, "can't check if %q exists", libpod.SeccompDefaultPath)
- }
- } else {
- config.SeccompProfilePath = libpod.SeccompDefaultPath
- }
+ var err error
+ config.SeccompProfilePath, err = libpod.DefaultSeccompPath()
+ if err != nil {
+ return err
 }
 }
 config.LabelOpts = labelOpts
diff --git a/libpod/util.go b/libpod/util.go
index 84fd490bf..5ae5ab491 100644
--- a/libpod/util.go
+++ b/libpod/util.go
@@ -189,3 +189,20 @@ func programVersion(mountProgram string) (string, error) {
 }
 return strings.TrimSuffix(output, "\n"), nil
 }
+
+func DefaultSeccompPath() (string, error) {
+ _, err := os.Stat(SeccompOverridePath)
+ if err == nil {
+ return SeccompOverridePath, nil
+ }
+ if !os.IsNotExist(err) {
+ return "", errors.Wrapf(err, "can't check if %q exists", SeccompOverridePath)
+ }
+ if _, err := os.Stat(SeccompDefaultPath); err != nil {
+ if !os.IsNotExist(err) {
+ return "", errors.Wrapf(err, "can't check if %q exists", SeccompDefaultPath)
+ }
+ return "", nil
+ }
+ return SeccompDefaultPath, nil
+}
diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go
index 9be294929..d8d5b884f 100644
--- a/pkg/adapter/pods.go
+++ b/pkg/adapter/pods.go
@@ -713,6 +713,11 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
 }
 }
 }
+ var err error
+ containerConfig.SeccompProfilePath, err = libpod.DefaultSeccompPath()
+ if err != nil {
+ return nil, err
+ }
 containerConfig.Command = []string{}
 if imageData != nil && imageData.Config != nil {
-- cgit v1.2.3-54-g00ecf
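Review bot: The new exported function DefaultSeccompPath in libpod/util.go has no doc comment, and its contract includes a case callers can easily miss: when neither file exists it returns `""` with a nil error. A comment such as `// DefaultSeccompPath returns SeccompOverridePath if that file exists, otherwise SeccompDefaultPath if it exists, otherwise "" with a nil error.` would state the precedence and the empty result explicitly. What an empty SeccompProfilePath means to the code that later builds the container spec is not visible in this diff, so it is worth saying in the comment what callers are expected to do with `""`.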
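Review bot: In the pkg/adapter/pods.go hunk, `containerConfig.SeccompProfilePath` is assigned unconditionally, whereas parseSecurityOpt in cmd/podman/shared/create.go only falls back to the default when the path is still empty. If anything earlier in kubeContainerToCreateConfig sets a profile path (the start of the function is outside the hunk), this assignment would silently replace it with the system default. Wrapping the added lines in the same guard, `if containerConfig.SeccompProfilePath == "" {` ... `}`, keeps the two entry points consistent and leaves room for a per-container profile from the pod YAML.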