diff --git a/go.mod b/go.mod index 2548d9b2bc..7eb7e157bc 100644 --- a/go.mod +++ b/go.mod @@ -11,14 +11,14 @@ require ( github.com/checkpoint-restore/go-criu/v7 v7.0.0 github.com/containernetworking/plugins v1.4.0 github.com/containers/buildah v1.34.1-0.20240201124221-b850c711ff5c - github.com/containers/common v0.57.1-0.20240207210145-1eeaf97594e9 + github.com/containers/common v0.57.1-0.20240229151045-1c65e0de241a github.com/containers/conmon v2.0.20+incompatible github.com/containers/gvisor-tap-vsock v0.7.3 github.com/containers/image/v5 v5.29.3-0.20240227090231-5bef5e1e1506 github.com/containers/libhvee v0.6.1-0.20240225143609-c1bda9d3838c github.com/containers/ocicrypt v1.1.9 github.com/containers/psgo v1.9.0 - github.com/containers/storage v1.52.1-0.20240227082351-387d7c8480b0 + github.com/containers/storage v1.52.1-0.20240229151339-eadc620e74e7 github.com/containers/winquit v1.1.0 github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 github.com/coreos/stream-metadata-go v0.4.4 diff --git a/go.sum b/go.sum index 308caa2f99..78d5090cbd 100644 --- a/go.sum +++ b/go.sum @@ -76,8 +76,8 @@ github.com/containernetworking/plugins v1.4.0 h1:+w22VPYgk7nQHw7KT92lsRmuToHvb7w github.com/containernetworking/plugins v1.4.0/go.mod h1:UYhcOyjefnrQvKvmmyEKsUA+M9Nfn7tqULPpH0Pkcj0= github.com/containers/buildah v1.34.1-0.20240201124221-b850c711ff5c h1:r+1vFyTAoXptJrsPsnOMI3G0jm4+BCfXAcIyuA33lzo= github.com/containers/buildah v1.34.1-0.20240201124221-b850c711ff5c/go.mod h1:Hw4qo2URFpWvZ2tjLstoQMpNC6+gR4PtxQefvV/UKaA= -github.com/containers/common v0.57.1-0.20240207210145-1eeaf97594e9 h1:JFkj+j5hSOJdCpLhpx+xp1pEbMfXj2xtorRx223PqYo= -github.com/containers/common v0.57.1-0.20240207210145-1eeaf97594e9/go.mod h1:0NtD59teSfqhgJqcgg73on5AuaGo8XbbVLv+i2bl0oY= +github.com/containers/common v0.57.1-0.20240229151045-1c65e0de241a h1:N/AOv7bQBTD/+inld7Qpc2WzxtpbsPgPDB/gg7JGQKA= +github.com/containers/common v0.57.1-0.20240229151045-1c65e0de241a/go.mod h1:8irlyBcVooYx0F+YmoY7PQPAIgdJvCj17bvL7PqeaxI= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/gvisor-tap-vsock v0.7.3 h1:yORnf15sP+sLFhxLNLgmB5/lOhldn9dRMHx/tmYtSOQ= @@ -94,8 +94,8 @@ github.com/containers/ocicrypt v1.1.9 h1:2Csfba4jse85Raxk5HIyEk8OwZNjRvfkhEGijOj github.com/containers/ocicrypt v1.1.9/go.mod h1:dTKx1918d8TDkxXvarscpNVY+lyPakPNFN4jwA9GBys= github.com/containers/psgo v1.9.0 h1:eJ74jzSaCHnWt26OlKZROSyUyRcGDf+gYBdXnxrMW4g= github.com/containers/psgo v1.9.0/go.mod h1:0YoluUm43Mz2UnBIh1P+6V6NWcbpTL5uRtXyOcH0B5A= -github.com/containers/storage v1.52.1-0.20240227082351-387d7c8480b0 h1:n5UoWBdTeOGN5rlV49ZqS8E4vgo8Z6LxFFgbCDNaU+c= -github.com/containers/storage v1.52.1-0.20240227082351-387d7c8480b0/go.mod h1:mFA6QpUoT9qTa3q2DD1CvSo3Az3syNkw1P9X+4nUYdY= +github.com/containers/storage v1.52.1-0.20240229151339-eadc620e74e7 h1:rL6WUiGo7uyDY8WRfpLidnzSZuPPepcQLuc9p29Y9k8= +github.com/containers/storage v1.52.1-0.20240229151339-eadc620e74e7/go.mod h1:mFA6QpUoT9qTa3q2DD1CvSo3Az3syNkw1P9X+4nUYdY= github.com/containers/winquit v1.1.0 h1:jArun04BNDQvt2W0Y78kh9TazN2EIEMG5Im6/JY7+pE= github.com/containers/winquit v1.1.0/go.mod h1:PsPeZlnbkmGGIToMPHF1zhWjBUkd8aHjMOr/vFcPxw8= github.com/coreos/go-oidc/v3 v3.9.0 h1:0J/ogVOd4y8P0f0xUh8l9t07xRP/d8tccvjHl2dcsSo= diff --git a/vendor/github.com/containers/common/libimage/manifest_list.go b/vendor/github.com/containers/common/libimage/manifest_list.go index 7a4eacc47c..d7ee5e6b67 100644 --- a/vendor/github.com/containers/common/libimage/manifest_list.go +++ b/vendor/github.com/containers/common/libimage/manifest_list.go @@ -19,6 +19,7 @@ import ( structcopier "github.com/jinzhu/copier" "github.com/opencontainers/go-digest" imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1" + "golang.org/x/exp/maps" "golang.org/x/exp/slices" ) @@ -294,7 +295,7 @@ func (m *ManifestList) Inspect() (*define.ManifestListData, error) { return &inspectList, nil } -// Options for adding a manifest list. +// Options for adding an image or artifact to a manifest list. type ManifestListAddOptions struct { // Add all images to the list if the to-be-added image itself is a // manifest list. @@ -371,6 +372,104 @@ func (m *ManifestList) Add(ctx context.Context, name string, options *ManifestLi return newDigest, nil } +// Options for creating an artifact manifest for one or more files and adding +// the artifact manifest to a manifest list. +type ManifestListAddArtifactOptions struct { + // The artifactType to set in the artifact manifest. + Type *string `json:"artifact_type"` + // The mediaType to set in the config.MediaType field in the artifact manifest. + ConfigType string `json:"artifact_config_type"` + // Content to point to from the config field in the artifact manifest. + Config string `json:"artifact_config"` + // The mediaType to set in the layer descriptors in the artifact manifest. + LayerType string `json:"artifact_layer_type"` + // Whether or not to suppress the org.opencontainers.image.title annotation in layer descriptors. + ExcludeTitles bool `json:"exclude_layer_titles"` + // Annotations to set in the artifact manifest. + Annotations map[string]string `json:"annotations"` + // Subject to set in the artifact manifest. + Subject string `json:"subject"` +} + +// Add adds one or more manifests to the manifest list and returns the digest +// of the added instance. +func (m *ManifestList) AddArtifact(ctx context.Context, options *ManifestListAddArtifactOptions, files ...string) (digest.Digest, error) { + if options == nil { + options = &ManifestListAddArtifactOptions{} + } + opts := manifests.AddArtifactOptions{ + ManifestArtifactType: options.Type, + Annotations: maps.Clone(options.Annotations), + ExcludeTitles: options.ExcludeTitles, + } + if options.ConfigType != "" { + opts.ConfigDescriptor = &imgspecv1.Descriptor{ + MediaType: options.ConfigType, + Digest: imgspecv1.DescriptorEmptyJSON.Digest, + Size: imgspecv1.DescriptorEmptyJSON.Size, + Data: slices.Clone(imgspecv1.DescriptorEmptyJSON.Data), + } + } + if options.Config != "" { + if opts.ConfigDescriptor == nil { + opts.ConfigDescriptor = &imgspecv1.Descriptor{ + MediaType: imgspecv1.MediaTypeImageConfig, + } + } + opts.ConfigDescriptor.Digest = digest.FromString(options.Config) + opts.ConfigDescriptor.Size = int64(len(options.Config)) + opts.ConfigDescriptor.Data = slices.Clone([]byte(options.Config)) + } + if opts.ConfigDescriptor == nil { + empty := imgspecv1.DescriptorEmptyJSON + opts.ConfigDescriptor = &empty + } + if options.LayerType != "" { + opts.LayerMediaType = &options.LayerType + } + if options.Subject != "" { + ref, err := alltransports.ParseImageName(options.Subject) + if err != nil { + withDocker := fmt.Sprintf("%s://%s", docker.Transport.Name(), options.Subject) + ref, err = alltransports.ParseImageName(withDocker) + if err != nil { + image, _, err := m.image.runtime.LookupImage(options.Subject, &LookupImageOptions{ManifestList: true}) + if err != nil { + return "", fmt.Errorf("locating subject for artifact manifest: %w", err) + } + ref = image.storageReference + } + } + opts.SubjectReference = ref + } + + // Lock the image record where this list lives. + locker, err := manifests.LockerForImage(m.image.runtime.store, m.ID()) + if err != nil { + return "", err + } + locker.Lock() + defer locker.Unlock() + + systemContext := m.image.runtime.systemContextCopy() + + // Make sure to reload the image from the containers storage to fetch + // the latest data (e.g., new or delete digests). + if err := m.reload(); err != nil { + return "", err + } + newDigest, err := m.list.AddArtifact(ctx, systemContext, opts, files...) + if err != nil { + return "", err + } + + // Write the changes to disk. + if err := m.saveAndReload(); err != nil { + return "", err + } + return newDigest, nil +} + // Options for annotating a manifest list. type ManifestListAnnotateOptions struct { // Add the specified annotations to the added image. @@ -387,10 +486,16 @@ type ManifestListAnnotateOptions struct { OSVersion string // Add the specified variant to the added image. Variant string + // Add the specified annotations to the index itself. + IndexAnnotations map[string]string + // Set the subject to which the index refers. + Subject string } // Annotate an image instance specified by `d` in the manifest list. func (m *ManifestList) AnnotateInstance(d digest.Digest, options *ManifestListAnnotateOptions) error { + ctx := context.Background() + if options == nil { return nil } @@ -430,6 +535,54 @@ func (m *ManifestList) AnnotateInstance(d digest.Digest, options *ManifestListAn return err } } + if len(options.IndexAnnotations) > 0 { + if err := m.list.SetAnnotations(nil, options.IndexAnnotations); err != nil { + return err + } + } + if options.Subject != "" { + ref, err := alltransports.ParseImageName(options.Subject) + if err != nil { + withDocker := fmt.Sprintf("%s://%s", docker.Transport.Name(), options.Subject) + ref, err = alltransports.ParseImageName(withDocker) + if err != nil { + image, _, err := m.image.runtime.LookupImage(options.Subject, &LookupImageOptions{ManifestList: true}) + if err != nil { + return fmt.Errorf("locating subject for image index: %w", err) + } + ref = image.storageReference + } + } + src, err := ref.NewImageSource(ctx, &m.image.runtime.systemContext) + if err != nil { + return err + } + defer src.Close() + subjectManifestBytes, subjectManifestType, err := src.GetManifest(ctx, nil) + if err != nil { + return err + } + subjectManifestDigest, err := manifest.Digest(subjectManifestBytes) + if err != nil { + return err + } + var subjectArtifactType string + if !manifest.MIMETypeIsMultiImage(subjectManifestType) { + var subjectManifest imgspecv1.Manifest + if json.Unmarshal(subjectManifestBytes, &subjectManifest) == nil { + subjectArtifactType = subjectManifest.ArtifactType + } + } + descriptor := &imgspecv1.Descriptor{ + MediaType: subjectManifestType, + ArtifactType: subjectArtifactType, + Digest: subjectManifestDigest, + Size: int64(len(subjectManifestBytes)), + } + if err := m.list.SetSubject(descriptor); err != nil { + return err + } + } // Write the changes to disk. return m.saveAndReload() diff --git a/vendor/github.com/containers/common/libimage/manifests/manifests.go b/vendor/github.com/containers/common/libimage/manifests/manifests.go index aab8045385..594ce437bd 100644 --- a/vendor/github.com/containers/common/libimage/manifests/manifests.go +++ b/vendor/github.com/containers/common/libimage/manifests/manifests.go @@ -711,10 +711,18 @@ func (l *list) AddArtifact(ctx context.Context, sys *types.SystemContext, option if err != nil { return "", fmt.Errorf("digesting manifest of subject %q: %w", transports.ImageName(options.SubjectReference), err) } + var subjectArtifactType string + if !manifest.MIMETypeIsMultiImage(subjectManifestType) { + var subjectManifest v1.Manifest + if json.Unmarshal(subjectManifestBytes, &subjectManifest) == nil { + subjectArtifactType = subjectManifest.ArtifactType + } + } subject = &v1.Descriptor{ - MediaType: subjectManifestType, - Digest: subjectManifestDigest, - Size: int64(len(subjectManifestBytes)), + MediaType: subjectManifestType, + ArtifactType: subjectArtifactType, + Digest: subjectManifestDigest, + Size: int64(len(subjectManifestBytes)), } } diff --git a/vendor/github.com/containers/common/libimage/pull.go b/vendor/github.com/containers/common/libimage/pull.go index ea51cd294b..19d9f3a879 100644 --- a/vendor/github.com/containers/common/libimage/pull.go +++ b/vendor/github.com/containers/common/libimage/pull.go @@ -60,6 +60,23 @@ func (r *Runtime) Pull(ctx context.Context, name string, pullPolicy config.PullP options = &PullOptions{} } + defaultConfig, err := config.Default() + if err != nil { + return nil, err + } + if options.MaxRetries == nil { + options.MaxRetries = &defaultConfig.Engine.Retry + } + if options.RetryDelay == nil { + if defaultConfig.Engine.RetryDelay != "" { + duration, err := time.ParseDuration(defaultConfig.Engine.RetryDelay) + if err != nil { + return nil, fmt.Errorf("failed to parse containers.conf retry_delay: %w", err) + } + options.RetryDelay = &duration + } + } + var possiblyUnqualifiedName string // used for short-name resolution ref, err := alltransports.ParseImageName(name) if err != nil { diff --git a/vendor/github.com/containers/common/libimage/push.go b/vendor/github.com/containers/common/libimage/push.go index c71f036c87..f89b8fc070 100644 --- a/vendor/github.com/containers/common/libimage/push.go +++ b/vendor/github.com/containers/common/libimage/push.go @@ -4,10 +4,14 @@ package libimage import ( "context" + "fmt" "time" + "github.com/containers/common/pkg/config" dockerArchiveTransport "github.com/containers/image/v5/docker/archive" + dockerDaemonTransport "github.com/containers/image/v5/docker/daemon" "github.com/containers/image/v5/docker/reference" + "github.com/containers/image/v5/manifest" "github.com/containers/image/v5/transports/alltransports" "github.com/sirupsen/logrus" ) @@ -31,6 +35,23 @@ func (r *Runtime) Push(ctx context.Context, source, destination string, options options = &PushOptions{} } + defaultConfig, err := config.Default() + if err != nil { + return nil, err + } + if options.MaxRetries == nil { + options.MaxRetries = &defaultConfig.Engine.Retry + } + if options.RetryDelay == nil { + if defaultConfig.Engine.RetryDelay != "" { + duration, err := time.ParseDuration(defaultConfig.Engine.RetryDelay) + if err != nil { + return nil, fmt.Errorf("failed to parse containers.conf retry_delay: %w", err) + } + options.RetryDelay = &duration + } + } + // Look up the local image. Note that we need to ignore the platform // and push what the user specified (containers/podman/issues/10344). image, resolvedSource, err := r.LookupImage(source, nil) @@ -65,6 +86,14 @@ func (r *Runtime) Push(ctx context.Context, source, destination string, options destRef = dockerRef } + // docker-archive and only DockerV2Schema2MediaType support Gzip compression + if options.CompressionFormat != nil && + (destRef.Transport().Name() == dockerArchiveTransport.Transport.Name() || + destRef.Transport().Name() == dockerDaemonTransport.Transport.Name() || + options.ManifestMIMEType == manifest.DockerV2Schema2MediaType) { + options.CompressionFormat = nil + } + if r.eventChannel != nil { defer r.writeEvent(&Event{ID: image.ID(), Name: destination, Time: time.Now(), Type: EventTypeImagePush}) } diff --git a/vendor/github.com/containers/common/libnetwork/pasta/pasta.go b/vendor/github.com/containers/common/libnetwork/pasta/pasta.go index b787a7814c..702444231c 100644 --- a/vendor/github.com/containers/common/libnetwork/pasta/pasta.go +++ b/vendor/github.com/containers/common/libnetwork/pasta/pasta.go @@ -47,6 +47,7 @@ func Setup(opts *SetupOptions) error { NoTCPNamespacePorts := true NoUDPNamespacePorts := true NoMapGW := true + NoDNS := true path, err := opts.Config.FindHelperBinary(BinaryName, true) if err != nil { @@ -102,6 +103,8 @@ func Setup(opts *SetupOptions) error { NoMapGW = false // not an actual pasta(1) option cmdArgs = append(cmdArgs[:i], cmdArgs[i+1:]...) + case "-D", "--dns", "--dns-forward": + NoDNS = false } } @@ -120,21 +123,36 @@ func Setup(opts *SetupOptions) error { if NoMapGW { cmdArgs = append(cmdArgs, "--no-map-gw") } + if NoDNS { + // disable pasta reading from /etc/resolv.conf which hides the + // "Couldn't get any nameserver address" warning when only + // localhost resolvers are configured. + cmdArgs = append(cmdArgs, "--dns", "none") + } - cmdArgs = append(cmdArgs, "--netns", opts.Netns) + // always pass --quiet to silence the info output from pasta + cmdArgs = append(cmdArgs, "--quiet", "--netns", opts.Netns) logrus.Debugf("pasta arguments: %s", strings.Join(cmdArgs, " ")) // pasta forks once ready, and quits once we delete the target namespace - _, err = exec.Command(path, cmdArgs...).Output() + out, err := exec.Command(path, cmdArgs...).CombinedOutput() if err != nil { exitErr := &exec.ExitError{} if errors.As(err, &exitErr) { return fmt.Errorf("pasta failed with exit code %d:\n%s", - exitErr.ExitCode(), exitErr.Stderr) + exitErr.ExitCode(), string(out)) } return fmt.Errorf("failed to start pasta: %w", err) } + if len(out) > 0 { + // TODO: This should be warning but right now pasta still prints + // things with --quiet that we do not care about. + // For now info is fine and we can bump it up later, it is only a + // nice to have. + logrus.Infof("pasta logged warnings: %q", string(out)) + } + return nil } diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go index d52187a00c..15c91860c1 100644 --- a/vendor/github.com/containers/common/pkg/config/config.go +++ b/vendor/github.com/containers/common/pkg/config/config.go @@ -370,11 +370,6 @@ type EngineConfig struct { // LockType is the type of locking to use. LockType string `toml:"lock_type,omitempty"` - // MachineEnabled indicates if Podman is running in a podman-machine VM - // - // This method is soft deprecated, use machine.IsPodmanMachine instead - MachineEnabled bool `toml:"machine_enabled,omitempty"` - // MultiImageArchive - if true, the container engine allows for storing // archives (e.g., of the docker-archive transport) with multiple // images. By default, Podman creates single-image archives. @@ -421,6 +416,14 @@ type EngineConfig struct { // Indicates whether the application should be running in Remote mode Remote bool `toml:"remote,omitempty"` + // Number of times to retry pulling/pushing images in case of failure + Retry uint `toml:"retry,omitempty"` + + // Delay between retries in case pulling/pushing image fails + // If set, container engines will retry at the set interval, + // otherwise they delay 2 seconds and then exponentially back off. + RetryDelay string `toml:"retry_delay,omitempty"` + // RemoteURI is deprecated, see ActiveService // RemoteURI containers connection information used to connect to remote system. RemoteURI string `toml:"remote_uri,omitempty"` @@ -660,6 +663,8 @@ type MachineConfig struct { Volumes attributedstring.Slice `toml:"volumes,omitempty"` // Provider is the virtualization provider used to run podman-machine VM Provider string `toml:"provider,omitempty"` + // Rosetta is the flag to enable Rosetta in the podman-machine VM on Apple Silicon + Rosetta bool `toml:"rosetta,omitempty"` } // FarmConfig represents the "farm" TOML config tables diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf index e1e624c1f7..22dd4713de 100644 --- a/vendor/github.com/containers/common/pkg/config/containers.conf +++ b/vendor/github.com/containers/common/pkg/config/containers.conf @@ -435,6 +435,9 @@ default_sysctls = [ # The compression format to use when pushing an image. # Valid options are: `gzip`, `zstd` and `zstd:chunked`. +# This field is ignored when pushing images to the docker-daemon and +# docker-archive formats. It is also ignored when the manifest format is set +# to v2s2. # #compression_format = "gzip" @@ -636,7 +639,8 @@ default_sysctls = [ # #no_pivot_root = false -# Number of locks available for containers and pods. +# Number of locks available for containers, pods, and volumes. Each container, +# pod, and volume consumes 1 lock for as long as it exists. # If this is changed, a lock renumber must be performed (e.g. with the # 'podman system renumber' command). # @@ -655,6 +659,16 @@ default_sysctls = [ # #remote = false +# Number of times to retry pulling/pushing images in case of failure +# +#retry = 3 + +# Delay between retries in case pulling/pushing image fails. +# If set, container engines will retry at the set interval, +# otherwise they delay 2 seconds and then exponentially back off. +# +#retry_delay = "2s" + # Default OCI runtime # #runtime = "crun" @@ -809,16 +823,15 @@ default_sysctls = [ # #disk_size=10 -# Default image URI when creating a new VM using `podman machine init`. -# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major -# version of the OS (e.g `36`) for Fedora 36. For all platforms you can -# alternatively specify a custom download URL to an image. Container engines -# translate URIs $OS and $ARCH to the native OS and ARCH. URI -# "https://example.com/$OS/$ARCH/foobar.ami" becomes +# Default Image used when creating a new VM using `podman machine init`. +# Can be specified as registry with a bootable OCI artifact, download URL, or a local path. +# Registry target must be in the form of `docker://registry/repo/image:version`. +# Container engines translate URIs $OS and $ARCH to the native OS and ARCH. +# URI "https://example.com/$OS/$ARCH/foobar.ami" would become # "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine. -# The default value is `testing`. +# If unspecified, the default Podman machine image will be used. # -#image = "testing" +#image = "" # Memory in MB a machine is created with. # @@ -843,6 +856,11 @@ default_sysctls = [ # #provider = "" +# Rosetta supports running x86_64 Linux binaries on a Podman machine on Apple silicon. +# The default value is `true`. Supported on AppleHV(arm64) machines only. +# +#rosetta=true + # The [machine] table MUST be the last entry in this file. # (Unless another table is added) # TOML does not provide a way to end a table other than a further table being diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go index caccace8a9..c8f34b1257 100644 --- a/vendor/github.com/containers/common/pkg/config/default.go +++ b/vendor/github.com/containers/common/pkg/config/default.go @@ -286,10 +286,14 @@ func defaultMachineConfig() MachineConfig { return MachineConfig{ CPUs: uint64(cpus), DiskSize: 100, - Image: getDefaultMachineImage(), - Memory: 2048, - User: getDefaultMachineUser(), - Volumes: attributedstring.NewSlice(getDefaultMachineVolumes()), + // TODO: Set machine image default here + // Currently the default is set in Podman as we need time to stabilize + // VM images and locations between different providers. + Image: "", + Memory: 2048, + User: getDefaultMachineUser(), + Volumes: attributedstring.NewSlice(getDefaultMachineVolumes()), + Rosetta: true, } } @@ -354,6 +358,7 @@ func defaultEngineConfig() (*EngineConfig, error) { c.PodmanshTimeout = uint(30) c.ExitCommandDelay = uint(5 * 60) c.Remote = isRemote() + c.Retry = 3 c.OCIRuntimes = map[string][]string{ "crun": { "/usr/bin/crun", @@ -479,7 +484,6 @@ func defaultEngineConfig() (*EngineConfig, error) { // TODO - ideally we should expose a `type LockType string` along with // constants. c.LockType = getDefaultLockType() - c.MachineEnabled = false c.ChownCopiedFiles = true c.PodExitPolicy = defaultPodExitPolicy @@ -648,11 +652,6 @@ func (c *Config) LogDriver() string { return c.Containers.LogDriver } -// MachineEnabled returns if podman is running inside a VM or not. -func (c *Config) MachineEnabled() bool { - return c.Engine.MachineEnabled -} - // MachineVolumes returns volumes to mount into the VM. func (c *Config) MachineVolumes() ([]string, error) { return machineVolumes(c.Machine.Volumes.Get()) @@ -682,12 +681,6 @@ func getDefaultSSHConfig() string { return filepath.Join(dirname, ".ssh", "config") } -// getDefaultImage returns the default machine image stream -// On Windows this refers to the Fedora major release number -func getDefaultMachineImage() string { - return "testing" -} - // getDefaultMachineUser returns the user to use for rootless podman // This is only for the apple, hyperv, and qemu implementations. // WSL's user will be hardcoded in podman to "user" diff --git a/vendor/github.com/containers/common/pkg/config/default_windows.go b/vendor/github.com/containers/common/pkg/config/default_windows.go index 4f1362bd28..70627cbda8 100644 --- a/vendor/github.com/containers/common/pkg/config/default_windows.go +++ b/vendor/github.com/containers/common/pkg/config/default_windows.go @@ -1,6 +1,13 @@ package config -import "os" +import ( + "fmt" + "os" + "path/filepath" + "strings" + + "github.com/containers/storage/pkg/homedir" +) // isCgroup2UnifiedMode returns whether we are running in cgroup2 mode. func isCgroup2UnifiedMode() (isUnified bool, isUnifiedErr error) { @@ -36,7 +43,10 @@ func getLibpodTmpDir() string { // getDefaultMachineVolumes returns default mounted volumes (possibly with env vars, which will be expanded) func getDefaultMachineVolumes() []string { - return []string{} + hd := homedir.Get() + vol := filepath.VolumeName(hd) + hostMnt := filepath.ToSlash(strings.TrimPrefix(hd, vol)) + return []string{fmt.Sprintf("%s:%s", hd, hostMnt)} } func getDefaultComposeProviders() []string { diff --git a/vendor/github.com/containers/common/pkg/hooks/hooks.go b/vendor/github.com/containers/common/pkg/hooks/hooks.go index 2758d122d1..0b4ad052ba 100644 --- a/vendor/github.com/containers/common/pkg/hooks/hooks.go +++ b/vendor/github.com/containers/common/pkg/hooks/hooks.go @@ -122,10 +122,8 @@ func (m *Manager) Hooks(config *rspec.Spec, annotations map[string]string, hasBi switch stage { case "createContainer": config.Hooks.CreateContainer = append(config.Hooks.CreateContainer, namedHook.hook.Hook) - case "createRuntime": + case "createRuntime", "prestart": config.Hooks.CreateRuntime = append(config.Hooks.CreateRuntime, namedHook.hook.Hook) - case "prestart": - config.Hooks.Prestart = append(config.Hooks.Prestart, namedHook.hook.Hook) case "poststart": config.Hooks.Poststart = append(config.Hooks.Poststart, namedHook.hook.Hook) case "poststop": diff --git a/vendor/github.com/containers/common/pkg/machine/machine.go b/vendor/github.com/containers/common/pkg/machine/machine.go index a75a61f380..57797a445f 100644 --- a/vendor/github.com/containers/common/pkg/machine/machine.go +++ b/vendor/github.com/containers/common/pkg/machine/machine.go @@ -4,9 +4,6 @@ import ( "os" "strings" "sync" - - "github.com/containers/common/pkg/config" - "github.com/sirupsen/logrus" ) type Marker struct { @@ -29,9 +26,7 @@ var ( func loadMachineMarker(file string) { var kind string - - // Support deprecated config value for compatibility - enabled := isLegacyConfigSet() + enabled := false if content, err := os.ReadFile(file); err == nil { enabled = true @@ -41,17 +36,6 @@ func loadMachineMarker(file string) { marker = &Marker{enabled, kind} } -func isLegacyConfigSet() bool { - config, err := config.Default() - if err != nil { - logrus.Warnf("could not obtain container configuration") - return false - } - - //nolint:staticcheck //lint:ignore SA1019 deprecated call - return config.Engine.MachineEnabled -} - func IsPodmanMachine() bool { return GetMachineMarker().Enabled } diff --git a/vendor/github.com/containers/common/pkg/netns/netns_linux.go b/vendor/github.com/containers/common/pkg/netns/netns_linux.go index 5b5e0daebb..5936653291 100644 --- a/vendor/github.com/containers/common/pkg/netns/netns_linux.go +++ b/vendor/github.com/containers/common/pkg/netns/netns_linux.go @@ -177,16 +177,26 @@ func newNSPath(nsPath string) (ns.NetNS, error) { // UnmountNS unmounts the given netns path func UnmountNS(nsPath string) error { + var rErr error // Only unmount if it's been bind-mounted (don't touch namespaces in /proc...) if !strings.HasPrefix(nsPath, "/proc/") { if err := unix.Unmount(nsPath, unix.MNT_DETACH); err != nil { - return fmt.Errorf("failed to unmount NS: at %s: %v", nsPath, err) + // Do not return here, always try to remove below. + // This is important in case podman now is in a new userns compared to + // when the netns was created. The umount will fail EINVAL but removing + // the file will work and the kernel will destroy the bind mount in the + // other ns because of this. We also need it so pasta doesn't leak. + rErr = fmt.Errorf("failed to unmount NS: at %s: %w", nsPath, err) } if err := os.Remove(nsPath); err != nil { - return fmt.Errorf("failed to remove ns path %s: %v", nsPath, err) + err := fmt.Errorf("failed to remove ns path: %w", err) + if rErr != nil { + err = fmt.Errorf("%v, %w", err, rErr) + } + rErr = err } } - return nil + return rErr } diff --git a/vendor/github.com/containers/storage/drivers/overlay/overlay.go b/vendor/github.com/containers/storage/drivers/overlay/overlay.go index 938313d349..7f79d4baaa 100644 --- a/vendor/github.com/containers/storage/drivers/overlay/overlay.go +++ b/vendor/github.com/containers/storage/drivers/overlay/overlay.go @@ -1696,7 +1696,13 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO } if err := idtools.MkdirAllAs(diffDir, perms, rootUID, rootGID); err != nil { - return "", err + if !inAdditionalStore { + return "", err + } + // if it is in an additional store, do not fail if the directory already exists + if _, err2 := os.Stat(diffDir); err2 != nil { + return "", err + } } mergedDir := path.Join(workDirBase, "merged") @@ -1867,7 +1873,7 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO // Put unmounts the mount path created for the give id. func (d *Driver) Put(id string) error { - dir := d.dir(id) + dir, _, inAdditionalStore := d.dir2(id) if _, err := os.Stat(dir); err != nil { return err } @@ -1928,11 +1934,27 @@ func (d *Driver) Put(id string) error { } } - if err := unix.Rmdir(mountpoint); err != nil && !os.IsNotExist(err) { - logrus.Debugf("Failed to remove mountpoint %s overlay: %s - %v", id, mountpoint, err) - return fmt.Errorf("removing mount point %q: %w", mountpoint, err) - } + if !inAdditionalStore { + uid, gid := int(0), int(0) + fi, err := os.Stat(mountpoint) + if err != nil { + return err + } + if stat, ok := fi.Sys().(*syscall.Stat_t); ok { + uid, gid = int(stat.Uid), int(stat.Gid) + } + tmpMountpoint := path.Join(dir, "merged.1") + if err := idtools.MkdirAs(tmpMountpoint, 0o700, uid, gid); err != nil && !errors.Is(err, os.ErrExist) { + return err + } + // rename(2) can be used on an empty directory, as it is the mountpoint after umount, and it retains + // its atomic semantic. In this way the "merged" directory is never removed. + if err := unix.Rename(tmpMountpoint, mountpoint); err != nil { + logrus.Debugf("Failed to replace mountpoint %s overlay: %s - %v", id, mountpoint, err) + return fmt.Errorf("replacing mount point %q: %w", mountpoint, err) + } + } return nil } diff --git a/vendor/github.com/containers/storage/pkg/archive/archive.go b/vendor/github.com/containers/storage/pkg/archive/archive.go index e47e3491d7..70f76d66d4 100644 --- a/vendor/github.com/containers/storage/pkg/archive/archive.go +++ b/vendor/github.com/containers/storage/pkg/archive/archive.go @@ -416,7 +416,7 @@ func ReadUserXattrToTarHeader(path string, hdr *tar.Header) error { return err } for _, key := range xattrs { - if strings.HasPrefix(key, "user.") { + if strings.HasPrefix(key, "user.") && !strings.HasPrefix(key, "user.overlay.") { value, err := system.Lgetxattr(path, key) if err != nil { if errors.Is(err, system.E2BIG) { diff --git a/vendor/github.com/containers/storage/pkg/chunked/cache_linux.go b/vendor/github.com/containers/storage/pkg/chunked/cache_linux.go index aa4f57e6fb..1e3ad86d1a 100644 --- a/vendor/github.com/containers/storage/pkg/chunked/cache_linux.go +++ b/vendor/github.com/containers/storage/pkg/chunked/cache_linux.go @@ -25,7 +25,7 @@ import ( const ( cacheKey = "chunked-manifest-cache" - cacheVersion = 1 + cacheVersion = 2 digestSha256Empty = "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ) @@ -207,9 +207,9 @@ func calculateHardLinkFingerprint(f *internal.FileMetadata) (string, error) { return string(digester.Digest()), nil } -// generateFileLocation generates a file location in the form $OFFSET@$PATH -func generateFileLocation(path string, offset uint64) []byte { - return []byte(fmt.Sprintf("%d@%s", offset, path)) +// generateFileLocation generates a file location in the form $OFFSET:$LEN:$PATH +func generateFileLocation(path string, offset, len uint64) []byte { + return []byte(fmt.Sprintf("%d:%d:%s", offset, len, path)) } // generateTag generates a tag in the form $DIGEST$OFFSET@LEN. @@ -245,7 +245,7 @@ func writeCache(manifest []byte, format graphdriver.DifferOutputFormat, id strin var tags []string for _, k := range toc { if k.Digest != "" { - location := generateFileLocation(k.Name, 0) + location := generateFileLocation(k.Name, 0, uint64(k.Size)) off := uint64(vdata.Len()) l := uint64(len(location)) @@ -276,7 +276,7 @@ func writeCache(manifest []byte, format graphdriver.DifferOutputFormat, id strin digestLen = len(k.Digest) } if k.ChunkDigest != "" { - location := generateFileLocation(k.Name, uint64(k.ChunkOffset)) + location := generateFileLocation(k.Name, uint64(k.ChunkOffset), uint64(k.ChunkSize)) off := uint64(vdata.Len()) l := uint64(len(location)) d := generateTag(k.ChunkDigest, off, l) @@ -490,7 +490,9 @@ func findTag(digest string, metadata *metadata) (string, uint64, uint64) { if digest == d { startOff := i*metadata.tagLen + metadata.digestLen parts := strings.Split(string(metadata.tags[startOff:(i+1)*metadata.tagLen]), "@") + off, _ := strconv.ParseInt(parts[0], 10, 64) + len, _ := strconv.ParseInt(parts[1], 10, 64) return digest, uint64(off), uint64(len) } @@ -507,12 +509,16 @@ func (c *layersCache) findDigestInternal(digest string) (string, string, int64, defer c.mutex.RUnlock() for _, layer := range c.layers { - digest, off, len := findTag(digest, layer.metadata) + digest, off, tagLen := findTag(digest, layer.metadata) if digest != "" { - position := string(layer.metadata.vdata[off : off+len]) - parts := strings.SplitN(position, "@", 2) + position := string(layer.metadata.vdata[off : off+tagLen]) + parts := strings.SplitN(position, ":", 3) + if len(parts) != 3 { + continue + } offFile, _ := strconv.ParseInt(parts[0], 10, 64) - return layer.target, parts[1], offFile, nil + // parts[1] is the chunk length, currently unused. + return layer.target, parts[2], offFile, nil } } diff --git a/vendor/github.com/containers/storage/pkg/chunked/storage_linux.go b/vendor/github.com/containers/storage/pkg/chunked/storage_linux.go index 7b81d790d7..048889c3cc 100644 --- a/vendor/github.com/containers/storage/pkg/chunked/storage_linux.go +++ b/vendor/github.com/containers/storage/pkg/chunked/storage_linux.go @@ -1819,13 +1819,17 @@ func (c *chunkedDiffer) ApplyDiff(dest string, options *archive.TarOptions, diff mode := os.FileMode(r.Mode) - r.Name = filepath.Clean(r.Name) - r.Linkname = filepath.Clean(r.Linkname) - t, err := typeToTarType(r.Type) if err != nil { return output, err } + + r.Name = filepath.Clean(r.Name) + // do not modify the value of symlinks + if r.Linkname != "" && t != tar.TypeSymlink { + r.Linkname = filepath.Clean(r.Linkname) + } + if whiteoutConverter != nil { hdr := archivetar.Header{ Typeflag: t, diff --git a/vendor/modules.txt b/vendor/modules.txt index 2c3af1056e..7f33f64eb9 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -171,7 +171,7 @@ github.com/containers/buildah/pkg/sshagent github.com/containers/buildah/pkg/util github.com/containers/buildah/pkg/volumes github.com/containers/buildah/util -# github.com/containers/common v0.57.1-0.20240207210145-1eeaf97594e9 +# github.com/containers/common v0.57.1-0.20240229151045-1c65e0de241a ## explicit; go 1.20 github.com/containers/common/internal github.com/containers/common/internal/attributedstring @@ -353,7 +353,7 @@ github.com/containers/psgo/internal/dev github.com/containers/psgo/internal/host github.com/containers/psgo/internal/proc github.com/containers/psgo/internal/process -# github.com/containers/storage v1.52.1-0.20240227082351-387d7c8480b0 +# github.com/containers/storage v1.52.1-0.20240229151339-eadc620e74e7 ## explicit; go 1.20 github.com/containers/storage github.com/containers/storage/drivers