In podman 1.* regression on --cap-add

In podman 1.0 if  you executed a command like:

podman run --user dwalsh --cap-add net_bind_service alpine nc -l 80

It would work, and the user dwalsh would get the capability,  in
podman 2.0, only root and the binding set gets the capability.

This change restores us back to the way podman 1.0 worked.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

vendor/github.com/containers/common/pkg/apparmor/apparmor.go

@@ -15,7 +15,6 @@ const (
 )
 
 var (
-
 	// ErrApparmorUnsupported indicates that AppArmor support is not supported.
 	ErrApparmorUnsupported = errors.New("AppArmor is not supported")
 	// ErrApparmorRootless indicates that AppArmor support is not supported in rootless mode.

vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go

@@ -5,7 +5,6 @@ package apparmor
 import (
 	"bufio"
 	"bytes"
-	"fmt"
 	"io"
 	"os"
 	"os/exec"
@@ -47,7 +46,7 @@ type profileData struct {
 func (p *profileData) generateDefault(out io.Writer) error {
 	compiled, err := template.New("apparmor_profile").Parse(defaultProfileTemplate)
 	if err != nil {
-		return err
+		return errors.Wrap(err, "create AppArmor profile from template")
 	}
 
 	if macroExists("tunables/global") {
@@ -62,11 +61,11 @@ func (p *profileData) generateDefault(out io.Writer) error {
 
 	ver, err := getAAParserVersion()
 	if err != nil {
-		return err
+		return errors.Wrap(err, "get AppArmor version")
 	}
 	p.Version = ver
 
-	return compiled.Execute(out, p)
+	return errors.Wrap(compiled.Execute(out, p), "execute compiled profile")
 }
 
 // macrosExists checks if the passed macro exists.
@@ -89,28 +88,29 @@ func InstallDefault(name string) error {
 	cmd := exec.Command("apparmor_parser", "-Kr")
 	pipe, err := cmd.StdinPipe()
 	if err != nil {
-		return err
+		return errors.Wrap(err, "execute apparmor_parser")
 	}
 	if err := cmd.Start(); err != nil {
 		if pipeErr := pipe.Close(); pipeErr != nil {
-			logrus.Errorf("unable to close apparmor pipe: %q", pipeErr)
+			logrus.Errorf("unable to close AppArmor pipe: %q", pipeErr)
 		}
-		return err
+		return errors.Wrap(err, "start apparmor_parser command")
 	}
 	if err := p.generateDefault(pipe); err != nil {
 		if pipeErr := pipe.Close(); pipeErr != nil {
-			logrus.Errorf("unable to close apparmor pipe: %q", pipeErr)
+			logrus.Errorf("unable to close AppArmor pipe: %q", pipeErr)
 		}
 		if cmdErr := cmd.Wait(); cmdErr != nil {
-			logrus.Errorf("unable to wait for apparmor command: %q", cmdErr)
+			logrus.Errorf("unable to wait for AppArmor command: %q", cmdErr)
 		}
-		return err
+		return errors.Wrap(err, "generate default profile into pipe")
 	}
 
 	if pipeErr := pipe.Close(); pipeErr != nil {
-		logrus.Errorf("unable to close apparmor pipe: %q", pipeErr)
+		logrus.Errorf("unable to close AppArmor pipe: %q", pipeErr)
 	}
-	return cmd.Wait()
+
+	return errors.Wrap(cmd.Wait(), "wait for AppArmor command")
 }
 
 // DefaultContent returns the default profile content as byte slice. The
@@ -120,7 +120,7 @@ func DefaultContent(name string) ([]byte, error) {
 	p := profileData{Name: name}
 	var bytes bytes.Buffer
 	if err := p.generateDefault(&bytes); err != nil {
-		return nil, err
+		return nil, errors.Wrap(err, "generate default AppAmor profile")
 	}
 	return bytes.Bytes(), nil
 }
@@ -137,7 +137,7 @@ func IsLoaded(name string) (bool, error) {
 		if os.IsNotExist(err) {
 			return false, nil
 		}
-		return false, err
+		return false, errors.Wrap(err, "open AppArmor profile path")
 	}
 	defer file.Close()
 
@@ -148,7 +148,7 @@ func IsLoaded(name string) (bool, error) {
 			break
 		}
 		if err != nil {
-			return false, err
+			return false, errors.Wrap(err, "reading AppArmor profile")
 		}
 		if strings.HasPrefix(p, name+" ") {
 			return true, nil
@@ -163,9 +163,9 @@ func execAAParser(dir string, args ...string) (string, error) {
 	c := exec.Command("apparmor_parser", args...)
 	c.Dir = dir
 
-	output, err := c.CombinedOutput()
+	output, err := c.Output()
 	if err != nil {
-		return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err)
+		return "", errors.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err)
 	}
 
 	return string(output), nil
@@ -175,7 +175,7 @@ func execAAParser(dir string, args ...string) (string, error) {
 func getAAParserVersion() (int, error) {
 	output, err := execAAParser("", "--version")
 	if err != nil {
-		return -1, err
+		return -1, errors.Wrap(err, "execute apparmor_parser")
 	}
 	return parseAAParserVersion(output)
 }
@@ -194,7 +194,7 @@ func parseAAParserVersion(output string) (int, error) {
 	// split by major minor version
 	v := strings.Split(version, ".")
 	if len(v) == 0 || len(v) > 3 {
-		return -1, fmt.Errorf("parsing version failed for output: `%s`", output)
+		return -1, errors.Errorf("parsing version failed for output: `%s`", output)
 	}
 
 	// Default the versions to 0.
@@ -202,19 +202,19 @@ func parseAAParserVersion(output string) (int, error) {
 
 	majorVersion, err := strconv.Atoi(v[0])
 	if err != nil {
-		return -1, err
+		return -1, errors.Wrap(err, "convert AppArmor major version")
 	}
 
 	if len(v) > 1 {
 		minorVersion, err = strconv.Atoi(v[1])
 		if err != nil {
-			return -1, err
+			return -1, errors.Wrap(err, "convert AppArmor minor version")
 		}
 	}
 	if len(v) > 2 {
 		patchLevel, err = strconv.Atoi(v[2])
 		if err != nil {
-			return -1, err
+			return -1, errors.Wrap(err, "convert AppArmor patch version")
 		}
 	}
 
@@ -251,7 +251,7 @@ func CheckProfileAndLoadDefault(name string) (string, error) {
 		if name == "" {
 			return "", nil
 		} else {
-			return "", fmt.Errorf("profile %q specified but AppArmor is disabled on the host", name)
+			return "", errors.Errorf("profile %q specified but AppArmor is disabled on the host", name)
 		}
 	}
 
@@ -262,10 +262,10 @@ func CheckProfileAndLoadDefault(name string) (string, error) {
 		// name.
 		isLoaded, err := IsLoaded(name)
 		if err != nil {
-			return "", err
+			return "", errors.Wrapf(err, "verify if profile %s is loaded", name)
 		}
 		if !isLoaded {
-			return "", fmt.Errorf("AppArmor profile %q specified but not loaded", name)
+			return "", errors.Errorf("AppArmor profile %q specified but not loaded", name)
 		}
 		return name, nil
 	}
@@ -274,12 +274,12 @@ func CheckProfileAndLoadDefault(name string) (string, error) {
 	// if it's loaded before installing it.
 	isLoaded, err := IsLoaded(name)
 	if err != nil {
-		return "", err
+		return "", errors.Wrapf(err, "verify if profile %s is loaded", name)
 	}
 	if !isLoaded {
 		err = InstallDefault(name)
 		if err != nil {
-			return "", err
+			return "", errors.Wrapf(err, "install profile %s", name)
 		}
 		logrus.Infof("successfully loaded AppAmor profile %q", name)
 	} else {

vendor/github.com/containers/common/pkg/auth/auth.go

@@ -150,9 +150,6 @@ func getRegistryName(server string) string {
 	// gets the registry from the input. If the input is of the form
 	// quay.io/myuser/myimage, it will parse it and just return quay.io
 	split := strings.Split(server, "/")
-	if len(split) > 1 {
-		return split[0]
-	}
 	return split[0]
 }
 

vendor/github.com/containers/common/pkg/capabilities/capabilities.go

@@ -57,9 +57,9 @@ func AllCapabilities() []string {
 	return capabilityList
 }
 
-// normalizeCapabilities normalizes caps by adding a "CAP_" prefix (if not yet
+// NormalizeCapabilities normalizes caps by adding a "CAP_" prefix (if not yet
 // present).
-func normalizeCapabilities(caps []string) ([]string, error) {
+func NormalizeCapabilities(caps []string) ([]string, error) {
 	normalized := make([]string, len(caps))
 	for i, c := range caps {
 		c = strings.ToUpper(c)
@@ -98,7 +98,7 @@ func MergeCapabilities(base, adds, drops []string) ([]string, error) {
 	var caps []string
 
 	// Normalize the base capabilities
-	base, err := normalizeCapabilities(base)
+	base, err := NormalizeCapabilities(base)
 	if err != nil {
 		return nil, err
 	}
@@ -106,11 +106,11 @@ func MergeCapabilities(base, adds, drops []string) ([]string, error) {
 		// Nothing to tweak; we're done
 		return base, nil
 	}
-	capDrop, err := normalizeCapabilities(drops)
+	capDrop, err := NormalizeCapabilities(drops)
 	if err != nil {
 		return nil, err
 	}
-	capAdd, err := normalizeCapabilities(adds)
+	capAdd, err := NormalizeCapabilities(adds)
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/containers/common/pkg/config/config.go

@@ -244,6 +244,11 @@ type EngineConfig struct {
 	// LockType is the type of locking to use.
 	LockType string `toml:"lock_type,omitempty"`
 
+	// MultiImageArchive - if true, the container engine allows for storing
+	// archives (e.g., of the docker-archive transport) with multiple
+	// images.  By default, Podman creates single-image archives.
+	MultiImageArchive bool `toml:"multi_image_archive,omitempty"`
+
 	// Namespace is the engine namespace to use. Namespaces are used to create
 	// scopes to separate containers and pods in the state. When namespace is
 	// set, engine will only view containers and pods in the same namespace. All

vendor/github.com/containers/common/pkg/config/config_local.go

@@ -7,6 +7,7 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"strings"
 	"syscall"
 
 	units "github.com/docker/go-units"
@@ -81,12 +82,24 @@ func (c *ContainersConfig) validateTZ() error {
 	if c.TZ == "local" {
 		return nil
 	}
-	zonePath := filepath.Join("/usr/share/zoneinfo", c.TZ)
-	_, err := os.Stat(zonePath)
-	if err != nil {
-		return fmt.Errorf("Unrecognized timezone %s", zonePath)
+
+	lookupPaths := []string{
+		"/usr/share/zoneinfo",
+		"/etc/zoneinfo",
 	}
-	return nil
+
+	for _, paths := range lookupPaths {
+		zonePath := filepath.Join(paths, c.TZ)
+		if _, err := os.Stat(zonePath); err == nil {
+			// found zone information
+			return nil
+		}
+	}
+
+	return fmt.Errorf(
+		"unable to find timezone %s in paths: %s",
+		c.TZ, strings.Join(lookupPaths, ", "),
+	)
 }
 
 func (c *ContainersConfig) validateUmask() error {

vendor/github.com/containers/common/pkg/config/containers.conf

@@ -116,18 +116,13 @@
 #
 # env = [
 #    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+#    "TERM=xterm",
 # ]
 
 # Pass all host environment variables into the container.
 #
 # env_host = false
 
-# Path to OCI hooks directories for automatically executed hooks.
-#
-# hooks_dir = [
-#     "/usr/share/containers/oci/hooks.d",
-# ]
-
 # Default proxy environment variables passed into the container.
 # The environment variables passed in include:
 # http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of
@@ -299,6 +294,12 @@
 #
 # events_logger = "journald"
 
+# Path to OCI hooks directories for automatically executed hooks.
+#
+# hooks_dir = [
+#     "/usr/share/containers/oci/hooks.d",
+# ]
+
 # Default transport method for pulling and pushing for images
 #
 # image_default_transport = "docker://"
@@ -322,6 +323,12 @@
 #
 # lock_type** = "shm"
 
+# MultiImageArchive - if true, the container engine allows for storing archives
+# (e.g., of the docker-archive transport) with multiple images.  By default,
+# Podman creates single-image archives.
+#
+# multi_image_archive = "false"
+
 # Default engine namespace
 # If engine is joined to a namespace, it will see only containers and pods
 # that were created in the same namespace, and will create new containers and
@@ -331,6 +338,10 @@
 #
 # namespace = ""
 
+# Path to the slirp4netns binary
+#
+# network_cmd_path=""
+
 # Whether to use chroot instead of pivot_root in the runtime
 #
 # no_pivot_root = false

vendor/github.com/containers/common/pkg/config/default.go

@@ -12,6 +12,7 @@ import (
 	"github.com/containers/common/pkg/apparmor"
 	"github.com/containers/common/pkg/cgroupv2"
 	"github.com/containers/storage"
+	"github.com/containers/storage/pkg/homedir"
 	"github.com/containers/storage/pkg/unshare"
 	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/pkg/errors"
@@ -94,8 +95,8 @@ const (
 	_installPrefix = "/usr"
 	// _cniConfigDir is the directory where cni configuration is found
 	_cniConfigDir = "/etc/cni/net.d/"
-	// _cniConfigDirRootless is the directory where cni plugins are found
-	_cniConfigDirRootless = ".config/cni/net.d/"
+	// _cniConfigDirRootless is the directory in XDG_CONFIG_HOME for cni plugins
+	_cniConfigDirRootless = "cni/net.d/"
 	// CgroupfsCgroupsManager represents cgroupfs native cgroup manager
 	CgroupfsCgroupsManager = "cgroupfs"
 	// DefaultApparmorProfile  specifies the default apparmor profile for the container.
@@ -115,9 +116,9 @@ const (
 	// DefaultSignaturePolicyPath is the default value for the
 	// policy.json file.
 	DefaultSignaturePolicyPath = "/etc/containers/policy.json"
-	// DefaultRootlessSignaturePolicyPath is the default value for the
-	// rootless policy.json file.
-	DefaultRootlessSignaturePolicyPath = ".config/containers/policy.json"
+	// DefaultRootlessSignaturePolicyPath is the location within
+	// XDG_CONFIG_HOME of the rootless policy.json file.
+	DefaultRootlessSignaturePolicyPath = "containers/policy.json"
 	// DefaultShmSize default value
 	DefaultShmSize = "65536k"
 	// DefaultUserNSSize default value
@@ -144,11 +145,11 @@ func DefaultConfig() (*Config, error) {
 
 	defaultEngineConfig.SignaturePolicyPath = DefaultSignaturePolicyPath
 	if unshare.IsRootless() {
-		home, err := unshare.HomeDir()
+		configHome, err := homedir.GetConfigHome()
 		if err != nil {
 			return nil, err
 		}
-		sigPath := filepath.Join(home, DefaultRootlessSignaturePolicyPath)
+		sigPath := filepath.Join(configHome, DefaultRootlessSignaturePolicyPath)
 		defaultEngineConfig.SignaturePolicyPath = sigPath
 		if _, err := os.Stat(sigPath); err != nil {
 			if _, err := os.Stat(DefaultSignaturePolicyPath); err == nil {
@@ -156,7 +157,7 @@ func DefaultConfig() (*Config, error) {
 			}
 		}
 		netns = "slirp4netns"
-		cniConfig = filepath.Join(home, _cniConfigDirRootless)
+		cniConfig = filepath.Join(configHome, _cniConfigDirRootless)
 	}
 
 	cgroupNS := "host"
@@ -181,6 +182,7 @@ func DefaultConfig() (*Config, error) {
 			EnableLabeling:      selinuxEnabled(),
 			Env: []string{
 				"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+				"TERM=xterm",
 			},
 			EnvHost:        false,
 			HTTPProxy:      false,
@@ -222,10 +224,16 @@ func defaultConfigFromMemory() (*EngineConfig, error) {
 
 	c.EventsLogFilePath = filepath.Join(c.TmpDir, "events", "events.log")
 
-	storeOpts, err := storage.DefaultStoreOptions(unshare.IsRootless(), unshare.GetRootlessUID())
-	if err != nil {
-		return nil, err
+	var storeOpts storage.StoreOptions
+	if path, ok := os.LookupEnv("CONTAINERS_STORAGE_CONF"); ok {
+		storage.ReloadConfigurationFile(path, &storeOpts)
+	} else {
+		storeOpts, err = storage.DefaultStoreOptions(unshare.IsRootless(), unshare.GetRootlessUID())
+		if err != nil {
+			return nil, err
+		}
 	}
+
 	if storeOpts.GraphRoot == "" {
 		logrus.Warnf("Storage configuration is unset - using hardcoded default graph root %q", _defaultGraphRoot)
 		storeOpts.GraphRoot = _defaultGraphRoot

vendor/github.com/containers/common/pkg/config/libpodConfig.go

@@ -197,6 +197,10 @@ func newLibpodConfig(c *Config) error {
 		return errors.Wrapf(err, "error finding config on system")
 	}
 
+	if len(configs) == 0 {
+		return nil
+	}
+
 	for _, path := range configs {
 		config, err = readLibpodConfigFromFile(path, config)
 		if err != nil {
@@ -226,7 +230,7 @@ func newLibpodConfig(c *Config) error {
 
 	// hard code EventsLogger to "file" to match older podman versions.
 	if config.EventsLogger != "file" {
-		logrus.Debugf("Ignoring libpod.conf EventsLogger setting %q. Use %q if you want to change this setting and remove libpod.conf files.", Path(), config.EventsLogger)
+		logrus.Warnf("Ignoring libpod.conf EventsLogger setting %q. Use %q if you want to change this setting and remove libpod.conf files.", config.EventsLogger, Path())
 		config.EventsLogger = "file"
 	}
 
@@ -260,9 +264,7 @@ func systemLibpodConfigs() ([]string, error) {
 			if err != nil {
 				containersConfPath = filepath.Join("$HOME", UserOverrideContainersConfig)
 			}
-			// TODO: Raise to Warnf, when Podman is updated to
-			// remove libpod.conf by default
-			logrus.Debugf("Found deprecated file %s, please remove. Use %s to override defaults.\n", Path(), containersConfPath)
+			logrus.Warnf("Found deprecated file %s, please remove. Use %s to override defaults.\n", path, containersConfPath)
 			return []string{path}, nil
 		}
 		return nil, err
@@ -270,15 +272,11 @@ func systemLibpodConfigs() ([]string, error) {
 
 	configs := []string{}
 	if _, err := os.Stat(_rootConfigPath); err == nil {
-		// TODO: Raise to Warnf, when Podman is updated to
-		// remove libpod.conf by default
-		logrus.Debugf("Found deprecated file %s, please remove. Use %s to override defaults.\n", _rootConfigPath, OverrideContainersConfig)
+		logrus.Warnf("Found deprecated file %s, please remove. Use %s to override defaults.\n", _rootConfigPath, OverrideContainersConfig)
 		configs = append(configs, _rootConfigPath)
 	}
 	if _, err := os.Stat(_rootOverrideConfigPath); err == nil {
-		// TODO: Raise to Warnf, when Podman is updated to
-		// remove libpod.conf by default
-		logrus.Debugf("Found deprecated file %s, please remove. Use %s to override defaults.\n", _rootOverrideConfigPath, OverrideContainersConfig)
+		logrus.Warnf("Found deprecated file %s, please remove. Use %s to override defaults.\n", _rootOverrideConfigPath, OverrideContainersConfig)
 		configs = append(configs, _rootOverrideConfigPath)
 	}
 	return configs, nil

vendor/github.com/containers/common/version/version.go

@@ -1,4 +1,4 @@
 package version
 
 // Version is the version of the build.
-const Version = "0.18.0"
+const Version = "0.20.3"