Vendor in latest containers/common with default capabilities

Also update vendor of containers/storage and image

Cleanup display of added/dropped capabilties as well

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

vendor/github.com/containers/common/libnetwork/cni/config.go

@@ -15,6 +15,10 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+func (n *cniNetwork) NetworkUpdate(name string, options types.NetworkUpdateOptions) error {
+	return fmt.Errorf("NetworkUpdate is not supported for backend CNI: %w", types.ErrInvalidArg)
+}
+
 // NetworkCreate will take a partial filled Network and fill the
 // missing fields. It creates the Network and returns the full Network.
 func (n *cniNetwork) NetworkCreate(net types.Network, options *types.NetworkCreateOptions) (types.Network, error) {

vendor/github.com/containers/common/libnetwork/netavark/config.go

@@ -10,6 +10,7 @@ import (
 	"net"
 	"os"
 	"path/filepath"
+	"reflect"
 	"strconv"
 	"time"
 
@@ -19,6 +20,65 @@ import (
 	"github.com/containers/storage/pkg/stringid"
 )
 
+func sliceRemoveDuplicates(strList []string) []string {
+	list := make([]string, 0, len(strList))
+	for _, item := range strList {
+		if !util.StringInSlice(item, list) {
+			list = append(list, item)
+		}
+	}
+	return list
+}
+
+func (n *netavarkNetwork) commitNetwork(network *types.Network) error {
+	confPath := filepath.Join(n.networkConfigDir, network.Name+".json")
+	f, err := os.Create(confPath)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	enc := json.NewEncoder(f)
+	enc.SetIndent("", "     ")
+	err = enc.Encode(network)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (n *netavarkNetwork) NetworkUpdate(name string, options types.NetworkUpdateOptions) error {
+	n.lock.Lock()
+	defer n.lock.Unlock()
+	err := n.loadNetworks()
+	if err != nil {
+		return err
+	}
+	network, err := n.getNetwork(name)
+	if err != nil {
+		return err
+	}
+	networkDNSServersBefore := network.NetworkDNSServers
+	networkDNSServersAfter := []string{}
+	for _, server := range networkDNSServersBefore {
+		if util.StringInSlice(server, options.RemoveDNSServers) {
+			continue
+		}
+		networkDNSServersAfter = append(networkDNSServersAfter, server)
+	}
+	networkDNSServersAfter = append(networkDNSServersAfter, options.AddDNSServers...)
+	networkDNSServersAfter = sliceRemoveDuplicates(networkDNSServersAfter)
+	network.NetworkDNSServers = networkDNSServersAfter
+	if reflect.DeepEqual(networkDNSServersBefore, networkDNSServersAfter) {
+		return nil
+	}
+	err = n.commitNetwork(network)
+	if err != nil {
+		return err
+	}
+
+	return n.execUpdate(network.Name, network.NetworkDNSServers)
+}
+
 // NetworkCreate will take a partial filled Network and fill the
 // missing fields. It creates the Network and returns the full Network.
 func (n *netavarkNetwork) NetworkCreate(net types.Network, options *types.NetworkCreateOptions) (types.Network, error) {
@@ -163,15 +223,7 @@ func (n *netavarkNetwork) networkCreate(newNetwork *types.Network, defaultNet bo
 	newNetwork.Created = time.Now()
 
 	if !defaultNet {
-		confPath := filepath.Join(n.networkConfigDir, newNetwork.Name+".json")
-		f, err := os.Create(confPath)
-		if err != nil {
-			return nil, err
-		}
-		defer f.Close()
-		enc := json.NewEncoder(f)
-		enc.SetIndent("", "     ")
-		err = enc.Encode(newNetwork)
+		err = n.commitNetwork(newNetwork)
 		if err != nil {
 			return nil, err
 		}

vendor/github.com/containers/common/libnetwork/netavark/run.go

@@ -7,6 +7,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"strconv"
+	"strings"
 
 	"github.com/containers/common/libnetwork/internal/util"
 	"github.com/containers/common/libnetwork/types"
@@ -18,6 +19,11 @@ type netavarkOptions struct {
 	Networks map[string]*types.Network `json:"network_info"`
 }
 
+func (n *netavarkNetwork) execUpdate(networkName string, networkDNSServers []string) error {
+	retErr := n.execNetavark([]string{"update", networkName, "--network-dns-servers", strings.Join(networkDNSServers, ",")}, nil, nil)
+	return retErr
+}
+
 // Setup will setup the container network namespace. It returns
 // a map of StatusBlocks, the key is the network name.
 func (n *netavarkNetwork) Setup(namespacePath string, options types.SetupOptions) (map[string]types.StatusBlock, error) {

vendor/github.com/containers/common/libnetwork/types/network.go

@@ -10,6 +10,8 @@ type ContainerNetwork interface {
 	// NetworkCreate will take a partial filled Network and fill the
 	// missing fields. It creates the Network and returns the full Network.
 	NetworkCreate(Network, *NetworkCreateOptions) (Network, error)
+	// NetworkUpdate will take network name and ID and updates network DNS Servers.
+	NetworkUpdate(nameOrID string, options NetworkUpdateOptions) error
 	// NetworkRemove will remove the Network with the given name or ID.
 	NetworkRemove(nameOrID string) error
 	// NetworkList will return all known Networks. Optionally you can
@@ -70,6 +72,14 @@ type Network struct {
 	IPAMOptions map[string]string `json:"ipam_options,omitempty"`
 }
 
+// NetworkOptions for a given container.
+type NetworkUpdateOptions struct {
+	// List of custom DNS server for podman's DNS resolver.
+	// Priority order will be kept as defined by user in the configuration.
+	AddDNSServers    []string `json:"add_dns_servers,omitempty"`
+	RemoveDNSServers []string `json:"remove_dns_servers,omitempty"`
+}
+
 // IPNet is used as custom net.IPNet type to add Marshal/Unmarshal methods.
 type IPNet struct {
 	net.IPNet

vendor/github.com/containers/common/pkg/config/containers.conf

@@ -52,19 +52,18 @@
 # List of default capabilities for containers. If it is empty or commented out,
 # the default capabilities defined in the container engine will be added.
 #
-default_capabilities = [
-  "CHOWN",
-  "DAC_OVERRIDE",
-  "FOWNER",
-  "FSETID",
-  "KILL",
-  "NET_BIND_SERVICE",
-  "SETFCAP",
-  "SETGID",
-  "SETPCAP",
-  "SETUID",
-  "SYS_CHROOT"
-]
+#default_capabilities = [
+#  "CHOWN",
+#  "DAC_OVERRIDE",
+#  "FOWNER",
+#  "FSETID",
+#  "KILL",
+#  "NET_BIND_SERVICE",
+#  "SETFCAP",
+#  "SETGID",
+#  "SETPCAP",
+#  "SETUID",
+#]
 
 # A list of sysctls to be set in containers by default,
 # specified as "name=value",

vendor/github.com/containers/common/pkg/config/default.go

@@ -50,20 +50,16 @@ var (
 	DefaultHooksDirs = []string{"/usr/share/containers/oci/hooks.d"}
 	// DefaultCapabilities is the default for the default_capabilities option in the containers.conf file.
 	DefaultCapabilities = []string{
-		"CAP_AUDIT_WRITE",
 		"CAP_CHOWN",
 		"CAP_DAC_OVERRIDE",
 		"CAP_FOWNER",
 		"CAP_FSETID",
 		"CAP_KILL",
-		"CAP_MKNOD",
 		"CAP_NET_BIND_SERVICE",
-		"CAP_NET_RAW",
 		"CAP_SETFCAP",
 		"CAP_SETGID",
 		"CAP_SETPCAP",
 		"CAP_SETUID",
-		"CAP_SYS_CHROOT",
 	}
 
 	// Search these locations in which CNIPlugins can be installed.

vendor/github.com/containers/common/pkg/config/default_darwin.go

@@ -14,5 +14,9 @@ func getLibpodTmpDir() string {
 
 // getDefaultMachineVolumes returns default mounted volumes (possibly with env vars, which will be expanded)
 func getDefaultMachineVolumes() []string {
-	return []string{"$HOME:$HOME"}
+	return []string{
+		"/Users:/Users",
+		"/private:/private",
+		"/var/folders:/var/folders",
+	}
 }

vendor/github.com/containers/common/pkg/netns/netns_linux.go

@@ -179,14 +179,13 @@ func NewNSWithName(name string) (ns.NetNS, error) {
 	return ns.GetNS(nsPath)
 }
 
-// UnmountNS unmounts the NS held by the netns object
-func UnmountNS(netns ns.NetNS) error {
+// UnmountNS unmounts the given netns path
+func UnmountNS(nsPath string) error {
 	nsRunDir, err := GetNSRunDir()
 	if err != nil {
 		return err
 	}
 
-	nsPath := netns.Path()
 	// Only unmount if it's been bind-mounted (don't touch namespaces in /proc...)
 	if strings.HasPrefix(nsPath, nsRunDir) {
 		if err := unix.Unmount(nsPath, unix.MNT_DETACH); err != nil {

vendor/github.com/containers/common/pkg/report/doc.go

@@ -1,6 +1,8 @@
 /*
 Package report provides helper structs/methods/funcs for formatting output
 
+# Examples
+
 To format output for an array of structs:
 
 ExamplePodman:
@@ -54,7 +56,7 @@ Helpers:
 		... "table" keyword prefix in format text
 	}
 
-Template Functions:
+# Template Functions
 
 The following template functions are added to the template when parsed:
   - join  strings.Join, {{join .Field separator}}