From 9d3bcb58755e820fb3d7829260a5dd1292628f38 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Tue, 1 Feb 2022 13:23:49 +0100
Subject: libpod: report slirp4netns network stats

by default slirp4netns uses the tap0 device.  When slirp4netns is
used, use that device by default instead of eth0.

Closes: https://github.com/containers/podman/issues/11695

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 libpod/networking_linux.go | 37 +++++++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 14 deletions(-)

(limited to 'libpod')

diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index f3707a77d..f490ac626 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -834,21 +834,25 @@ func (r *Runtime) teardownNetNS(ctr *Container) error {
 	return nil
 }
 
-func getContainerNetNS(ctr *Container) (string, error) {
+func getContainerNetNS(ctr *Container) (string, *Container, error) {
 	if ctr.state.NetNS != nil {
-		return ctr.state.NetNS.Path(), nil
+		return ctr.state.NetNS.Path(), nil, nil
 	}
 	if ctr.config.NetNsCtr != "" {
 		c, err := ctr.runtime.GetContainer(ctr.config.NetNsCtr)
 		if err != nil {
-			return "", err
+			return "", nil, err
 		}
 		if err = c.syncContainer(); err != nil {
-			return "", err
+			return "", c, err
 		}
-		return getContainerNetNS(c)
+		netNs, c2, err := getContainerNetNS(c)
+		if c2 != nil {
+			c = c2
+		}
+		return netNs, c, err
 	}
-	return "", nil
+	return "", nil, nil
 }
 
 // isBridgeNetMode checks if the given network mode is bridge.
@@ -919,12 +923,8 @@ func (r *Runtime) reloadContainerNetwork(ctr *Container) (map[string]types.Statu
 
 func getContainerNetIO(ctr *Container) (*netlink.LinkStatistics, error) {
 	var netStats *netlink.LinkStatistics
-	// With slirp4netns, we can't collect statistics at present.
-	// For now, we allow stats to at least run by returning nil
-	if rootless.IsRootless() || ctr.config.NetMode.IsSlirp4netns() {
-		return netStats, nil
-	}
-	netNSPath, netPathErr := getContainerNetNS(ctr)
+
+	netNSPath, otherCtr, netPathErr := getContainerNetNS(ctr)
 	if netPathErr != nil {
 		return nil, netPathErr
 	}
@@ -933,9 +933,18 @@ func getContainerNetIO(ctr *Container) (*netlink.LinkStatistics, error) {
 		// this is a valid state and thus return no error, nor any statistics
 		return nil, nil
 	}
+
+	// FIXME get the interface from the container netstatus
+	dev := "eth0"
+	netMode := ctr.config.NetMode
+	if otherCtr != nil {
+		netMode = otherCtr.config.NetMode
+	}
+	if netMode.IsSlirp4netns() {
+		dev = "tap0"
+	}
 	err := ns.WithNetNSPath(netNSPath, func(_ ns.NetNS) error {
-		// FIXME get the interface from the container netstatus
-		link, err := netlink.LinkByName("eth0")
+		link, err := netlink.LinkByName(dev)
 		if err != nil {
 			return err
 		}
-- 
cgit v1.2.3-54-g00ecf


From 06821627fb6fde0e55d70263469394a0a5299899 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Wed, 2 Feb 2022 10:03:13 +0100
Subject: libpod: enforce noexec,nosuid,nodev for /dev/shm

these mount flags are already used for the /dev/shm mount on the host,
but they are not set for the bind mount itself.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 libpod/container_internal_linux.go |  6 ++++++
 test/e2e/run_test.go               | 10 ++++++++++
 2 files changed, 16 insertions(+)

(limited to 'libpod')

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 5cc2a78fc..86d8586d0 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -510,6 +510,9 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 		if c.IsReadOnly() && dstPath != "/dev/shm" {
 			newMount.Options = append(newMount.Options, "ro", "nosuid", "noexec", "nodev")
 		}
+		if dstPath == "/dev/shm" && c.state.BindMounts["/dev/shm"] == c.config.ShmDir {
+			newMount.Options = append(newMount.Options, "nosuid", "noexec", "nodev")
+		}
 		if !MountExists(g.Mounts(), dstPath) {
 			g.AddMount(newMount)
 		} else {
@@ -1570,6 +1573,9 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti
 			if c.IsReadOnly() && dstPath != "/dev/shm" {
 				newMount.Options = append(newMount.Options, "ro", "nosuid", "noexec", "nodev")
 			}
+			if dstPath == "/dev/shm" && c.state.BindMounts["/dev/shm"] == c.config.ShmDir {
+				newMount.Options = append(newMount.Options, "nosuid", "noexec", "nodev")
+			}
 			if !MountExists(g.Mounts(), dstPath) {
 				g.AddMount(newMount)
 			}
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 62a454e29..91a2eddad 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -1926,4 +1926,14 @@ WORKDIR /madethis`, BB)
 		Expect(session).Should(Exit(0))
 		Expect(session.OutputToString()).To(ContainSubstring("i686"))
 	})
+
+	It("podman run /dev/shm has nosuid,noexec,nodev", func() {
+		session := podmanTest.Podman([]string{"run", ALPINE, "grep", "/dev/shm", "/proc/self/mountinfo"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		output := session.OutputToString()
+		Expect(output).To(ContainSubstring("nosuid"))
+		Expect(output).To(ContainSubstring("noexec"))
+		Expect(output).To(ContainSubstring("nodev"))
+	})
 })
-- 
cgit v1.2.3-54-g00ecf


From e0cbcdc335618ba0d53ecae9cc81230c7cb464e3 Mon Sep 17 00:00:00 2001
From: Paul Holzinger <pholzing@redhat.com>
Date: Wed, 2 Feb 2022 18:17:23 +0100
Subject: system prune: remove all networks

podman system prune should also remove all networks. When we want to
users to migrate to the new network stack we recommend to run podman
system reset. However this did not remove networks and if there were
still networks around we would continue to use cni since this was
considered an old system.

There is one exception for the default network. It should not be removed
since this could cause other issues when it no longer exists. The
network backend detection logic ignores the default network so this is
fine.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
---
 cmd/podman/system/reset.go                    |  6 +++---
 docs/source/markdown/podman-system-reset.1.md | 13 ++++++++++++-
 libpod/reset.go                               | 17 +++++++++++++++++
 test/e2e/system_reset_test.go                 | 18 ++++++++++++++----
 4 files changed, 46 insertions(+), 8 deletions(-)

(limited to 'libpod')

diff --git a/cmd/podman/system/reset.go b/cmd/podman/system/reset.go
index 85ee8557a..07904faaa 100644
--- a/cmd/podman/system/reset.go
+++ b/cmd/podman/system/reset.go
@@ -21,7 +21,7 @@ import (
 var (
 	systemResetDescription = `Reset podman storage back to default state"
 
-  All containers will be stopped and removed, and all images, volumes and container content will be removed.
+  All containers will be stopped and removed, and all images, volumes, networks and container content will be removed.
 `
 	systemResetCommand = &cobra.Command{
 		Annotations:       map[string]string{registry.EngineMode: registry.ABIMode},
@@ -55,11 +55,11 @@ func reset(cmd *cobra.Command, args []string) {
 	// Prompt for confirmation if --force is not set
 	if !forceFlag {
 		reader := bufio.NewReader(os.Stdin)
-		fmt.Println(`
-WARNING! This will remove:
+		fmt.Println(`WARNING! This will remove:
         - all containers
         - all pods
         - all images
+        - all networks
         - all build cache`)
 		if len(listCtn) > 0 {
 			fmt.Println(`WARNING! The following external containers will be purged:`)
diff --git a/docs/source/markdown/podman-system-reset.1.md b/docs/source/markdown/podman-system-reset.1.md
index 90bcb5f53..c463481e6 100644
--- a/docs/source/markdown/podman-system-reset.1.md
+++ b/docs/source/markdown/podman-system-reset.1.md
@@ -7,7 +7,7 @@ podman\-system\-reset - Reset storage back to initial state
 **podman system reset** [*options*]
 
 ## DESCRIPTION
-**podman system reset** removes all pods, containers, images and volumes.
+**podman system reset** removes all pods, containers, images, networks and volumes.
 
 This command must be run **before** changing any of the following fields in the
 `containers.conf` or `storage.conf` files: `driver`, `static_dir`, `tmp_dir`
@@ -28,6 +28,17 @@ Print usage statement
 
 ## EXAMPLES
 
+```
+$ podman system reset
+WARNING! This will remove:
+        - all containers
+        - all pods
+        - all images
+        - all networks
+        - all build cache
+Are you sure you want to continue? [y/N] y
+```
+
 ### Switching rootless user from VFS driver to overlay with fuse-overlayfs
 
 If the user ran rootless containers without having the `fuse-overlayfs` program
diff --git a/libpod/reset.go b/libpod/reset.go
index 2b2b586bc..28d0ee3f6 100644
--- a/libpod/reset.go
+++ b/libpod/reset.go
@@ -7,6 +7,7 @@ import (
 	"path/filepath"
 
 	"github.com/containers/common/libimage"
+	"github.com/containers/common/libnetwork/types"
 	"github.com/containers/podman/v4/libpod/define"
 	"github.com/containers/podman/v4/pkg/errorhandling"
 	"github.com/containers/podman/v4/pkg/rootless"
@@ -70,6 +71,22 @@ func (r *Runtime) Reset(ctx context.Context) error {
 		}
 	}
 
+	// remove all networks
+	nets, err := r.network.NetworkList()
+	if err != nil {
+		return err
+	}
+	for _, net := range nets {
+		// do not delete the default network
+		if net.Name == r.network.DefaultNetworkName() {
+			continue
+		}
+		// ignore not exists errors because of the TOCTOU problem
+		if err := r.network.NetworkRemove(net.Name); err != nil && !errors.Is(err, types.ErrNoSuchNetwork) {
+			logrus.Errorf("Removing network %s: %v", net.Name, err)
+		}
+	}
+
 	xdgRuntimeDir := filepath.Clean(os.Getenv("XDG_RUNTIME_DIR"))
 	_, prevError := r.store.Shutdown(true)
 	graphRoot := filepath.Clean(r.store.GraphRoot())
diff --git a/test/e2e/system_reset_test.go b/test/e2e/system_reset_test.go
index 641f98c38..f413ce147 100644
--- a/test/e2e/system_reset_test.go
+++ b/test/e2e/system_reset_test.go
@@ -38,6 +38,10 @@ var _ = Describe("podman system reset", func() {
 		SkipIfRemote("system reset not supported on podman --remote")
 		// system reset will not remove additional store images, so need to grab length
 
+		// change the network dir so that we do not conflict with other tests
+		// that would use the same network dir and cause unnecessary flakes
+		podmanTest.NetworkConfigDir = tempdir
+
 		session := podmanTest.Podman([]string{"rmi", "--force", "--all"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
@@ -56,16 +60,16 @@ var _ = Describe("podman system reset", func() {
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 
+		session = podmanTest.Podman([]string{"network", "create"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+
 		session = podmanTest.Podman([]string{"system", "reset", "-f"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 
 		Expect(session.ErrorToString()).To(Not(ContainSubstring("Failed to add pause process")))
 
-		// If remote then the API service should have exited
-		// On local tests this is a noop
-		podmanTest.StartRemoteService()
-
 		session = podmanTest.Podman([]string{"images", "-n"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
@@ -80,5 +84,11 @@ var _ = Describe("podman system reset", func() {
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 		Expect(session.OutputToStringArray()).To(BeEmpty())
+
+		session = podmanTest.Podman([]string{"network", "ls", "-q"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		// default network should exists
+		Expect(session.OutputToStringArray()).To(HaveLen(1))
 	})
 })
-- 
cgit v1.2.3-54-g00ecf