Merge pull request #13611 from rvandernoort/vendor_filters

Vendor c/common for filters
2025-08-06 11:32:07 +08:00 · 2022-03-28 00:49:28 +02:00
parent 463c0b9f2d 446c35efdf
commit 0ebf0bc560
12 changed files with 107 additions and 60 deletions
--- a/go.mod
+++ b/go.mod
@ -12,7 +12,7 @@ require (
 	github.com/containernetworking/cni v1.0.1
 	github.com/containernetworking/plugins v1.1.1
 	github.com/containers/buildah v1.24.3-0.20220310160415-5ec70bf01ea5
-	github.com/containers/common v0.47.5-0.20220318125043-0ededd18a1f9
+	github.com/containers/common v0.47.5-0.20220323125147-7dc6e944d625
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/image/v5 v5.20.1-0.20220310094651-0d8056ee346f
 	github.com/containers/ocicrypt v1.1.3
--- a/go.sum
+++ b/go.sum
@ -355,8 +355,8 @@ github.com/containernetworking/plugins v1.1.1/go.mod h1:Sr5TH/eBsGLXK/h71HeLfX19
 github.com/containers/buildah v1.24.3-0.20220310160415-5ec70bf01ea5 h1:RMJG1wCPQqZX7o9xGzpmR0U7NppgquSQunTi8qmP9Do=
 github.com/containers/buildah v1.24.3-0.20220310160415-5ec70bf01ea5/go.mod h1:C5+kt1nmYVf1N+/pk4WepycLD+m4lEIRgJQ0eXqhADo=
 github.com/containers/common v0.47.4/go.mod h1:HgX0mFXyB0Tbe2REEIp9x9CxET6iSzmHfwR6S/t2LZc=
-github.com/containers/common v0.47.5-0.20220318125043-0ededd18a1f9 h1:+uNhZTl7nBm4GLCKb4Np8BDhw2uMmC8+D/KuH8nIjGA=
-github.com/containers/common v0.47.5-0.20220318125043-0ededd18a1f9/go.mod h1:j1nTHtSRoBgVqAoV6X13EGIrTU5jP1GYyEsE4N9DXng=
+github.com/containers/common v0.47.5-0.20220323125147-7dc6e944d625 h1:5DjLA4CnjyBKyNgmzB1TDV2Rd3uTBPrLdlSQM0/Fw9c=
+github.com/containers/common v0.47.5-0.20220323125147-7dc6e944d625/go.mod h1:2BKzvlHRLfsdBTCu5IvIxhHS+RcH3J53UDh/DpWInJg=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/image/v5 v5.19.1/go.mod h1:ewoo3u+TpJvGmsz64XgzbyTHwHtM94q7mgK/pX+v2SE=
--- a/pkg/namespaces/namespaces.go
+++ b/pkg/namespaces/namespaces.go
@ -254,7 +254,7 @@ func (n IpcMode) IsHost() bool {
 	return n == hostType
 }

-// IsShareable indicates whether the container's ipc namespace can be shared with another container.
+// IsShareable indicates whether the container uses its own shareable ipc namespace which can be shared.
 func (n IpcMode) IsShareable() bool {
 	return n == shareableType
 }
--- a/pkg/specgen/container_validate.go
+++ b/pkg/specgen/container_validate.go
@ -76,8 +76,8 @@ func (s *SpecGenerator) Validate() error {
 			s.ContainerStorageConfig.ImageVolumeMode, strings.Join(ImageVolumeModeValues, ","))
 	}
 	// shmsize conflicts with IPC namespace
-	if s.ContainerStorageConfig.ShmSize != nil && !s.ContainerStorageConfig.IpcNS.IsPrivate() {
-		return errors.New("cannot set shmsize when running in the host IPC Namespace")
+	if s.ContainerStorageConfig.ShmSize != nil && (s.ContainerStorageConfig.IpcNS.IsHost() || s.ContainerStorageConfig.IpcNS.IsNone()) {
+		return errors.Errorf("cannot set shmsize when running in the %s IPC Namespace", s.ContainerStorageConfig.IpcNS)
 	}

 	//
@ -166,7 +166,7 @@ func (s *SpecGenerator) Validate() error {
 	if err := s.UtsNS.validate(); err != nil {
 		return err
 	}
-	if err := s.IpcNS.validate(); err != nil {
+	if err := validateIPCNS(&s.IpcNS); err != nil {
 		return err
 	}
 	if err := s.PidNS.validate(); err != nil {
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@ -59,7 +59,7 @@ func GetDefaultNamespaceMode(nsType string, cfg *config.Config, pod *libpod.Pod)
 	case "pid":
 		return specgen.ParseNamespace(cfg.Containers.PidNS)
 	case "ipc":
-		return specgen.ParseNamespace(cfg.Containers.IPCNS)
+		return specgen.ParseIPCNamespace(cfg.Containers.IPCNS)
 	case "uts":
 		return specgen.ParseNamespace(cfg.Containers.UTSNS)
 	case "user":
--- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go
@ -35,6 +35,10 @@ const (
 	FromPod NamespaceMode = "pod"
 	// Private indicates the namespace is private
 	Private NamespaceMode = "private"
+	// Shareable indicates the namespace is shareable
+	Shareable NamespaceMode = "shareable"
+	// None indicates the IPC namespace is created without mounting /dev/shm
+	None NamespaceMode = "none"
 	// NoNetwork indicates no network namespace should
 	// be joined.  loopback should still exists.
 	// Only used with the network namespace, invalid otherwise.
@ -77,6 +81,11 @@ func (n *Namespace) IsHost() bool {
 	return n.NSMode == Host
 }

+// IsNone returns a bool if the namespace is set to none
+func (n *Namespace) IsNone() bool {
+	return n.NSMode == None
+}
+
 // IsBridge returns a bool if the namespace is a Bridge
 func (n *Namespace) IsBridge() bool {
 	return n.NSMode == Bridge
@ -158,6 +167,17 @@ func validateNetNS(n *Namespace) error {
 	return nil
 }

+func validateIPCNS(n *Namespace) error {
+	if n == nil {
+		return nil
+	}
+	switch n.NSMode {
+	case Shareable, None:
+		return nil
+	}
+	return n.validate()
+}
+
 // Validate perform simple validation on the namespace to make sure it is not
 // invalid from the get-go
 func (n *Namespace) validate() error {
@ -237,7 +257,7 @@ func ParseCgroupNamespace(ns string) (Namespace, error) {
 		case "private", "":
 			toReturn.NSMode = Private
 		default:
-			return toReturn, errors.Errorf("unrecognized namespace mode %s passed", ns)
+			return toReturn, errors.Errorf("unrecognized cgroup namespace mode %s passed", ns)
 		}
 	} else {
 		toReturn.NSMode = Host
@ -245,6 +265,21 @@ func ParseCgroupNamespace(ns string) (Namespace, error) {
 	return toReturn, nil
 }

+// ParseIPCNamespace parses a ipc namespace specification in string
+// form.
+func ParseIPCNamespace(ns string) (Namespace, error) {
+	toReturn := Namespace{}
+	switch {
+	case ns == "shareable", ns == "":
+		toReturn.NSMode = Shareable
+		return toReturn, nil
+	case ns == "none":
+		toReturn.NSMode = None
+		return toReturn, nil
+	}
+	return ParseNamespace(ns)
+}
+
 // ParseUserNamespace parses a user namespace specification in string
 // form.
 func ParseUserNamespace(ns string) (Namespace, error) {
--- a/vendor/github.com/containers/common/libimage/filters.go
+++ b/vendor/github.com/containers/common/libimage/filters.go
@ -95,9 +95,15 @@ func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOp
 	for _, f := range options.Filters {
 		var key, value string
 		var filter filterFunc
-		split := strings.SplitN(f, "=", 2)
-		if len(split) != 2 {
-			return nil, errors.Errorf("invalid image filter %q: must be in the format %q", f, "filter=value")
+		negate := false
+		split := strings.SplitN(f, "!=", 2)
+		if len(split) == 2 {
+			negate = true
+		} else {
+			split = strings.SplitN(f, "=", 2)
+			if len(split) != 2 {
+				return nil, errors.Errorf("invalid image filter %q: must be in the format %q", f, "filter=value or filter!=value")
+			}
 		}

 		key = split[0]
@ -182,12 +188,22 @@ func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOp
 		default:
 			return nil, errors.Errorf("unsupported image filter %q", key)
 		}
+		if negate {
+			filter = negateFilter(filter)
+		}
 		filters[key] = append(filters[key], filter)
 	}

 	return filters, nil
 }

+func negateFilter(f filterFunc) filterFunc {
+	return func(img *Image) (bool, error) {
+		b, err := f(img)
+		return !b, err
+	}
+}
+
 func (r *Runtime) containers(duplicate map[string]string, key, value string, externalFunc IsExternalContainerFunc) error {
 	if exists, ok := duplicate[key]; ok && exists != value {
 		return errors.Errorf("specifying %q filter more than once with different values is not supported", key)
--- a/vendor/github.com/containers/common/pkg/config/containers.conf
+++ b/vendor/github.com/containers/common/pkg/config/containers.conf
@ -133,10 +133,12 @@ default_sysctls = [

 # Default way to to create an IPC namespace (POSIX SysV IPC) for the container
 # Options are:
-# `private` Create private IPC Namespace for the container.
-# `host`    Share host IPC Namespace with the container.
+#  "host"     Share host IPC Namespace with the container.
+#  "none"     Create shareable IPC Namespace for the container without a private /dev/shm.
+#  "private"  Create private IPC Namespace for the container, other containers are not allowed to share it.
+#  "shareable" Create shareable IPC Namespace for the container.
 #
-#ipcns = "private"
+#ipcns = "shareable"

 # keyring tells the container engine whether to create
 # a kernel keyring for use within the container.
--- a/vendor/github.com/containers/common/pkg/config/default.go
+++ b/vendor/github.com/containers/common/pkg/config/default.go
@ -205,7 +205,7 @@ func DefaultConfig() (*Config, error) {
 			HTTPProxy:  true,
 			Init:       false,
 			InitPath:   "",
-			IPCNS:      "private",
+			IPCNS:      "shareable",
 			LogDriver:  defaultLogDriver(),
 			LogSizeMax: DefaultLogSizeMax,
 			NetNS:      "private",
--- a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go
+++ b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go
@ -169,6 +169,7 @@ func DefaultProfile() *Seccomp {
 				"futex",
 				"futex_time64",
 				"futimesat",
+				"get_mempolicy",
 				"get_robust_list",
 				"get_thread_area",
 				"getcpu",
@ -184,7 +185,6 @@ func DefaultProfile() *Seccomp {
 				"getgroups",
 				"getgroups32",
 				"getitimer",
-				"get_mempolicy",
 				"getpeername",
 				"getpgid",
 				"getpgrp",
@ -274,9 +274,9 @@ func DefaultProfile() *Seccomp {
 				"nanosleep",
 				"newfstatat",
 				"open",
+				"open_tree",
 				"openat",
 				"openat2",
-				"open_tree",
 				"pause",
 				"pidfd_getfd",
 				"pidfd_open",
@ -296,8 +296,11 @@ func DefaultProfile() *Seccomp {
 				"preadv2",
 				"prlimit64",
 				"process_mrelease",
+				"process_vm_readv",
+				"process_vm_writev",
 				"pselect6",
 				"pselect6_time64",
+				"ptrace",
 				"pwrite64",
 				"pwritev",
 				"pwritev2",
@ -356,7 +359,6 @@ func DefaultProfile() *Seccomp {
 				"sendmmsg",
 				"sendmsg",
 				"sendto",
-				"setns",
 				"set_mempolicy",
 				"set_robust_list",
 				"set_thread_area",
@ -370,6 +372,7 @@ func DefaultProfile() *Seccomp {
 				"setgroups",
 				"setgroups32",
 				"setitimer",
+				"setns",
 				"setpgid",
 				"setpriority",
 				"setregid",
@ -527,10 +530,10 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"arm_fadvise64_64",
 				"arm_sync_file_range",
-				"sync_file_range2",
 				"breakpoint",
 				"cacheflush",
 				"set_tls",
+				"sync_file_range2",
 			},
 			Action: ActAllow,
 			Args:   []*Arg{},
@ -653,8 +656,8 @@ func DefaultProfile() *Seccomp {
 		{
 			Names: []string{
 				"delete_module",
-				"init_module",
 				"finit_module",
+				"init_module",
 				"query_module",
 			},
 			Action: ActAllow,
@ -666,8 +669,8 @@ func DefaultProfile() *Seccomp {
 		{
 			Names: []string{
 				"delete_module",
-				"init_module",
 				"finit_module",
+				"init_module",
 				"query_module",
 			},
 			Action:   ActErrno,
@ -704,9 +707,6 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"kcmp",
 				"process_madvise",
-				"process_vm_readv",
-				"process_vm_writev",
-				"ptrace",
 			},
 			Action: ActAllow,
 			Args:   []*Arg{},
@ -718,9 +718,6 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"kcmp",
 				"process_madvise",
-				"process_vm_readv",
-				"process_vm_writev",
-				"ptrace",
 			},
 			Action:   ActErrno,
 			Errno:    "EPERM",
@ -732,8 +729,8 @@ func DefaultProfile() *Seccomp {
 		},
 		{
 			Names: []string{
-				"iopl",
 				"ioperm",
+				"iopl",
 			},
 			Action: ActAllow,
 			Args:   []*Arg{},
@ -743,8 +740,8 @@ func DefaultProfile() *Seccomp {
 		},
 		{
 			Names: []string{
-				"iopl",
 				"ioperm",
+				"iopl",
 			},
 			Action:   ActErrno,
 			Errno:    "EPERM",
@ -756,10 +753,10 @@ func DefaultProfile() *Seccomp {
 		},
 		{
 			Names: []string{
-				"settimeofday",
-				"stime",
 				"clock_settime",
 				"clock_settime64",
+				"settimeofday",
+				"stime",
 			},
 			Action: ActAllow,
 			Args:   []*Arg{},
@ -769,10 +766,10 @@ func DefaultProfile() *Seccomp {
 		},
 		{
 			Names: []string{
-				"settimeofday",
-				"stime",
 				"clock_settime",
 				"clock_settime64",
+				"settimeofday",
+				"stime",
 			},
 			Action:   ActErrno,
 			Errno:    "EPERM",
--- a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json
+++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json
@ -176,6 +176,7 @@
 				"futex",
 				"futex_time64",
 				"futimesat",
+				"get_mempolicy",
 				"get_robust_list",
 				"get_thread_area",
 				"getcpu",
@ -191,7 +192,6 @@
 				"getgroups",
 				"getgroups32",
 				"getitimer",
-				"get_mempolicy",
 				"getpeername",
 				"getpgid",
 				"getpgrp",
@ -281,9 +281,9 @@
 				"nanosleep",
 				"newfstatat",
 				"open",
+				"open_tree",
 				"openat",
 				"openat2",
-				"open_tree",
 				"pause",
 				"pidfd_getfd",
 				"pidfd_open",
@ -303,8 +303,11 @@
 				"preadv2",
 				"prlimit64",
 				"process_mrelease",
+				"process_vm_readv",
+				"process_vm_writev",
 				"pselect6",
 				"pselect6_time64",
+				"ptrace",
 				"pwrite64",
 				"pwritev",
 				"pwritev2",
@ -363,7 +366,6 @@
 				"sendmmsg",
 				"sendmsg",
 				"sendto",
-				"setns",
 				"set_mempolicy",
 				"set_robust_list",
 				"set_thread_area",
@ -377,6 +379,7 @@
 				"setgroups",
 				"setgroups32",
 				"setitimer",
+				"setns",
 				"setpgid",
 				"setpriority",
 				"setregid",
@ -571,10 +574,10 @@
 			"names": [
 				"arm_fadvise64_64",
 				"arm_sync_file_range",
-				"sync_file_range2",
 				"breakpoint",
 				"cacheflush",
-				"set_tls"
+				"set_tls",
+				"sync_file_range2"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"args": [],
@ -742,8 +745,8 @@
 		{
 			"names": [
 				"delete_module",
-				"init_module",
 				"finit_module",
+				"init_module",
 				"query_module"
 			],
 			"action": "SCMP_ACT_ALLOW",
@ -759,8 +762,8 @@
 		{
 			"names": [
 				"delete_module",
-				"init_module",
 				"finit_module",
+				"init_module",
 				"query_module"
 			],
 			"action": "SCMP_ACT_ERRNO",
@ -808,10 +811,7 @@
 		{
 			"names": [
 				"kcmp",
-				"process_madvise",
-				"process_vm_readv",
-				"process_vm_writev",
-				"ptrace"
+				"process_madvise"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"args": [],
@ -826,10 +826,7 @@
 		{
 			"names": [
 				"kcmp",
-				"process_madvise",
-				"process_vm_readv",
-				"process_vm_writev",
-				"ptrace"
+				"process_madvise"
 			],
 			"action": "SCMP_ACT_ERRNO",
 			"args": [],
@ -845,8 +842,8 @@
 		},
 		{
 			"names": [
-				"iopl",
-				"ioperm"
+				"ioperm",
+				"iopl"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"args": [],
@ -860,8 +857,8 @@
 		},
 		{
 			"names": [
-				"iopl",
-				"ioperm"
+				"ioperm",
+				"iopl"
 			],
 			"action": "SCMP_ACT_ERRNO",
 			"args": [],
@ -877,10 +874,10 @@
 		},
 		{
 			"names": [
-				"settimeofday",
-				"stime",
 				"clock_settime",
-				"clock_settime64"
+				"clock_settime64",
+				"settimeofday",
+				"stime"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"args": [],
@ -894,10 +891,10 @@
 		},
 		{
 			"names": [
-				"settimeofday",
-				"stime",
 				"clock_settime",
-				"clock_settime64"
+				"clock_settime64",
+				"settimeofday",
+				"stime"
 			],
 			"action": "SCMP_ACT_ERRNO",
 			"args": [],
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -109,7 +109,7 @@ github.com/containers/buildah/pkg/rusage
 github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/util
-# github.com/containers/common v0.47.5-0.20220318125043-0ededd18a1f9
+# github.com/containers/common v0.47.5-0.20220323125147-7dc6e944d625
 ## explicit
 github.com/containers/common/libimage
 github.com/containers/common/libimage/manifests