From 4fa94d7e14bcfb41b4a73093f0b08a51469b2c45 Mon Sep 17 00:00:00 2001
From: Matthew Heon <mheon@redhat.com>
Date: Wed, 2 Dec 2020 15:01:46 -0500
Subject: Do not mount sysfs as rootless in more cases

We can't mount sysfs as rootless unless we manage the network
namespace. Problem: slirp4netns is now creating and managing a
network namespace separate from the OCI runtime, so we can't
mount sysfs in many circumstances. The `crun` OCI runtime will
automatically handle this by falling back to a bind mount, but
`runc` will not, so we didn't notice until RHEL gating tests ran
on the new branch.

Signed-off-by: Matthew Heon <mheon@redhat.com>
---
 pkg/specgen/generate/oci.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'pkg/specgen/generate')

diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 8454458a8..9649873fd 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -165,7 +165,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 			inUserNS = true
 		}
 	}
-	if inUserNS && s.NetNS.IsHost() {
+	if inUserNS && s.NetNS.NSMode != specgen.NoNetwork {
 		canMountSys = false
 	}
 
-- 
cgit v1.2.3-54-g00ecf


From 2ddb16d4c8ace2da51f4abd94efd463c637e8808 Mon Sep 17 00:00:00 2001
From: Valentin Rothberg <rothberg@redhat.com>
Date: Mon, 7 Dec 2020 11:58:10 +0100
Subject: container create: do not clear image name

When creating a container, do not clear the input-image name before
looking up image names.  Also add a regression test.

Fixes: #8558
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
<MH: Fixed cherry-pick conflicts>
Signed-off-by: Matthew Heon <mheon@redhat.com>
---
 pkg/specgen/generate/container_create.go |  1 -
 test/system/030-run.bats                 | 11 +++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

(limited to 'pkg/specgen/generate')

diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 45a374216..6a77d0807 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -98,7 +98,6 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
 		// present.
 		imgName := newImage.InputName
 		if s.Image == newImage.InputName && strings.HasPrefix(newImage.ID(), s.Image) {
-			imgName = ""
 			names := newImage.Names()
 			if len(names) > 0 {
 				imgName = names[0]
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 71831da10..bf7f67f7f 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -532,6 +532,17 @@ json-file | f
     run_podman untag $IMAGE $newtag $newtag2
 }
 
+# Regression test for issue #8558
+@test "podman run on untagged image: make sure that image metadata is set" {
+    run_podman inspect $IMAGE --format "{{.ID}}"
+    imageID="$output"
+
+    run_podman untag $IMAGE
+    run_podman run --rm $imageID ls
+
+    run_podman tag $imageID $IMAGE
+}
+
 @test "podman run with --net=host and --port prints warning" {
     run_podman run -d --rm -p 8080 --net=host $IMAGE ls > /dev/null
     is "$output" ".*Port mappings have been discarded as one of the Host, Container, Pod, and None network modes are in use"
-- 
cgit v1.2.3-54-g00ecf


From 0bbb997838c4828b63c7f45003866fff1fe517e7 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Wed, 2 Dec 2020 08:28:30 -0500
Subject: Support --network=default as if it was private

Docker defines an option of "default" which means to
use the default network.  We should support this with
the same code path as --network="".

This is important for compatibility with the Docker API.

Fixes: https://github.com/containers/podman/issues/8544

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 pkg/specgen/generate/namespaces.go |  2 ++
 pkg/specgen/namespaces.go          | 16 +++++++---------
 test/e2e/run_networking_test.go    | 23 +++++++++++++++++++++--
 3 files changed, 30 insertions(+), 11 deletions(-)

(limited to 'pkg/specgen/generate')

diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index ddc73ca61..036c7b7a1 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -233,6 +233,8 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 			val = fmt.Sprintf("slirp4netns:%s", s.NetNS.Value)
 		}
 		toReturn = append(toReturn, libpod.WithNetNS(portMappings, postConfigureNetNS, val, nil))
+	case specgen.Private:
+		fallthrough
 	case specgen.Bridge:
 		portMappings, err := createPortMappings(ctx, s, img)
 		if err != nil {
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
index d15745fa0..9d78a0210 100644
--- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go
@@ -258,24 +258,22 @@ func ParseNetworkNamespace(ns string) (Namespace, []string, error) {
 	var cniNetworks []string
 	// Net defaults to Slirp on rootless
 	switch {
-	case ns == "slirp4netns", strings.HasPrefix(ns, "slirp4netns:"):
+	case ns == string(Slirp), strings.HasPrefix(ns, string(Slirp)+":"):
 		toReturn.NSMode = Slirp
-	case ns == "pod":
+	case ns == string(FromPod):
 		toReturn.NSMode = FromPod
-	case ns == "":
+	case ns == "" || ns == string(Default) || ns == string(Private):
 		if rootless.IsRootless() {
 			toReturn.NSMode = Slirp
 		} else {
 			toReturn.NSMode = Bridge
 		}
-	case ns == "bridge":
+	case ns == string(Bridge):
 		toReturn.NSMode = Bridge
-	case ns == "none":
+	case ns == string(NoNetwork):
 		toReturn.NSMode = NoNetwork
-	case ns == "host":
+	case ns == string(Host):
 		toReturn.NSMode = Host
-	case ns == "private":
-		toReturn.NSMode = Private
 	case strings.HasPrefix(ns, "ns:"):
 		split := strings.SplitN(ns, ":", 2)
 		if len(split) != 2 {
@@ -283,7 +281,7 @@ func ParseNetworkNamespace(ns string) (Namespace, []string, error) {
 		}
 		toReturn.NSMode = Path
 		toReturn.Value = split[1]
-	case strings.HasPrefix(ns, "container:"):
+	case strings.HasPrefix(ns, string(FromContainer)+":"):
 		split := strings.SplitN(ns, ":", 2)
 		if len(split) != 2 {
 			return toReturn, nil, errors.Errorf("must provide name or ID or a container when specifying container:")
diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go
index 3e80e953e..3fb00a28b 100644
--- a/test/e2e/run_networking_test.go
+++ b/test/e2e/run_networking_test.go
@@ -49,9 +49,28 @@ var _ = Describe("Podman run networking", func() {
 		Expect(session.ExitCode()).To(Equal(0))
 	})
 
+	It("podman run network connection with default", func() {
+		session := podmanTest.Podman([]string{"run", "--network", "default", ALPINE, "wget", "www.podman.io"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+	})
+
+	It("podman run network connection with none", func() {
+		session := podmanTest.Podman([]string{"run", "--network", "none", ALPINE, "wget", "www.podman.io"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(1))
+		Expect(session.ErrorToString()).To(ContainSubstring("wget: bad address 'www.podman.io'"))
+	})
+
+	It("podman run network connection with private", func() {
+		session := podmanTest.Podman([]string{"run", "--network", "private", ALPINE, "wget", "www.podman.io"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+	})
+
 	It("podman run network connection with loopback", func() {
-		session := podmanTest.Podman([]string{"run", "-dt", "--network", "host", ALPINE, "wget", "www.podman.io"})
-		session.Wait(90)
+		session := podmanTest.Podman([]string{"run", "--network", "host", ALPINE, "wget", "www.podman.io"})
+		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
 	})
 
-- 
cgit v1.2.3-54-g00ecf


From 688a6f1dd57e847c4d4ad8dc900b7e0adfa70c04 Mon Sep 17 00:00:00 2001
From: Matthew Heon <mheon@redhat.com>
Date: Tue, 1 Dec 2020 14:51:11 -0500
Subject: Do not use "true" after "syslog" in exit commands

Instead of being interpreted as an argument to the boolean flag,
the 'true' is being intepreted as the Podman command to be run -
so we're trying to run `podman true`, which does not exist. This
causes the cleanup command to fail when `--log-level=debug` is
set, so containers are not cleaned up or removed.

This problem is easily reproduced with any command combining the
`--rm`, `-d`, and `--log-level=debug` flags - the command will
execute and exit, but the container will not be removed.

Separate, but worth looking into later: the errors we get on
trying `podman true` with any flags are terrible - if you just
type `podman true` you get a quite sane "Unrecognized command"
error, but if you try `podman true --rm` you get an "unknown flag
--rm" error - which makes very little sense given the command
itself doesn't exist.

Signed-off-by: Matthew Heon <mheon@redhat.com>
---
 pkg/specgen/generate/container_create.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'pkg/specgen/generate')

diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 6a77d0807..4f36744ca 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -387,7 +387,7 @@ func CreateExitCommandArgs(storageConfig storage.StoreOptions, config *config.Co
 	}
 
 	if syslog {
-		command = append(command, "--syslog", "true")
+		command = append(command, "--syslog")
 	}
 	command = append(command, []string{"container", "cleanup"}...)
 
-- 
cgit v1.2.3-54-g00ecf