Update containers/common to latest main

Update the containers/common dependency to the latest main with the needed changes in Podmansh. Signed-off-by: phoenix <felix.niederwanger@suse.com>
2025-10-19 12:12:36 +08:00 · 2024-05-23 10:53:20 +02:00
parent fa05adba67
commit 4fd425429b
74 changed files with 731 additions and 399 deletions
--- a/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux_template.go
+++ b/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux_template.go
@ -21,6 +21,10 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  # Allow signals from privileged profiles and from within the same profile
  signal (receive) peer=unconfined,
  signal (send,receive) peer={{.Name}},
+  # Allow certain signals from OCI runtimes (podman, runc and crun)
+  signal (receive) peer={/usr/bin/,/usr/sbin/,}runc,
+  signal (receive) peer={/usr/bin/,/usr/sbin/,}crun*,
+  signal (receive) set=(int, quit, kill, term) peer={/usr/bin/,/usr/sbin/,}podman,
 {{end}}

  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
--- a/vendor/github.com/containers/common/pkg/config/config.go
+++ b/vendor/github.com/containers/common/pkg/config/config.go
@ -57,6 +57,8 @@ type Config struct {
 	ConfigMaps ConfigMapConfig `toml:"configmaps"`
 	// Farms defines configurations for the buildfarm farms
 	Farms FarmConfig `toml:"farms"`
+	// Podmansh defined configurations for the podman shell
+	Podmansh PodmanshConfig `toml:"podmansh"`

 	loadedModules []string // only used at runtime to store which modules were loaded
 }
@ -543,6 +545,7 @@ type EngineConfig struct {
 	// PodmanshTimeout is the number of seconds to wait for podmansh logins.
 	// In other words, the timeout for the `podmansh` container to be in running
 	// state.
+	// Deprecated: Use podmansh.Timeout instead. podmansh.Timeout has precedence.
 	PodmanshTimeout uint `toml:"podmansh_timeout,omitempty,omitzero"`
 }

@ -695,6 +698,19 @@ type Destination struct {
 	IsMachine bool `json:",omitempty" toml:"is_machine,omitempty"`
 }

+// PodmanshConfig represents configuration for the podman shell
+type PodmanshConfig struct {
+	// Shell to start in container, default: "/bin/sh"
+	Shell string `toml:"shell,omitempty"`
+	// Name of the container the podmansh user should join
+	Container string `toml:"container,omitempty"`
+
+	// Timeout is the number of seconds to wait for podmansh logins.
+	// In other words, the timeout for the `podmansh` container to be in running
+	// state.
+	Timeout uint `toml:"timeout,omitempty,omitzero"`
+}
+
 // Consumes container image's os and arch and returns if any dedicated runtime was
 // configured otherwise returns default runtime.
 func (c *EngineConfig) ImagePlatformToRuntime(os string, arch string) string {
@ -713,9 +729,19 @@ func (c *Config) CheckCgroupsAndAdjustConfig() {
 		return
 	}

-	session := os.Getenv("DBUS_SESSION_BUS_ADDRESS")
-	hasSession := session != ""
-	if hasSession {
+	hasSession := false
+
+	session, found := os.LookupEnv("DBUS_SESSION_BUS_ADDRESS")
+	if !found {
+		sessionAddr := filepath.Join(os.Getenv("XDG_RUNTIME_DIR"), "bus")
+		if err := fileutils.Exists(sessionAddr); err == nil {
+			sessionAddr, err = filepath.EvalSymlinks(sessionAddr)
+			if err == nil {
+				os.Setenv("DBUS_SESSION_BUS_ADDRESS", "unix:path="+sessionAddr)
+				hasSession = true
+			}
+		}
+	} else {
 		for _, part := range strings.Split(session, ",") {
 			if strings.HasPrefix(part, "unix:path=") {
 				err := fileutils.Exists(strings.TrimPrefix(part, "unix:path="))
@ -1197,3 +1223,13 @@ func (c *Config) FindInitBinary() (string, error) {
 	}
 	return c.FindHelperBinary(defaultInitName, true)
 }
+
+// PodmanshTimeout returns the timeout in seconds for podmansh to connect to the container.
+// Returns podmansh.Timeout if set, otherwise engine.PodmanshTimeout for backwards compatibility.
+func (c *Config) PodmanshTimeout() uint {
+	// podmansh.Timeout has precedence, if set
+	if c.Podmansh.Timeout > 0 {
+		return c.Podmansh.Timeout
+	}
+	return c.Engine.PodmanshTimeout
+}
--- a/vendor/github.com/containers/common/pkg/config/containers.conf
+++ b/vendor/github.com/containers/common/pkg/config/containers.conf
@ -759,9 +759,6 @@ default_sysctls = [
 # A value of 0 is treated as no timeout.
 #volume_plugin_timeout = 5

-# Default timeout in seconds for podmansh logins.
-#podmansh_timeout = 30
-
 # Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)
 [engine.runtimes]
 #crun = [
@ -889,3 +886,14 @@ default_sysctls = [
 #
 # map of existing farms
 #[farms.list]
+
+[podmansh]
+# Shell to spawn in container. Default: /bin/sh.
+#shell = "/bin/sh"
+# 
+# Name of the container the podmansh user should join.
+#container = "podmansh"
+# 
+# Default timeout in seconds for podmansh logins.
+# Favored over the deprecated "podmansh_timeout" field.
+#timeout = 30
--- a/vendor/github.com/containers/common/pkg/config/default.go
+++ b/vendor/github.com/containers/common/pkg/config/default.go
@ -265,10 +265,11 @@ func defaultConfig() (*Config, error) {
 			CNIPluginDirs:             attributedstring.NewSlice(DefaultCNIPluginDirs),
 			NetavarkPluginDirs:        attributedstring.NewSlice(DefaultNetavarkPluginDirs),
 		},
-		Engine:  *defaultEngineConfig,
-		Secrets: defaultSecretConfig(),
-		Machine: defaultMachineConfig(),
-		Farms:   defaultFarmConfig(),
+		Engine:   *defaultEngineConfig,
+		Secrets:  defaultSecretConfig(),
+		Machine:  defaultMachineConfig(),
+		Farms:    defaultFarmConfig(),
+		Podmansh: defaultPodmanshConfig(),
 	}, nil
 }

@ -307,6 +308,18 @@ func defaultFarmConfig() FarmConfig {
 	}
 }

+// defaultPodmanshConfig returns the default podmansh configuration.
+func defaultPodmanshConfig() PodmanshConfig {
+	return PodmanshConfig{
+		Shell:     "/bin/sh",
+		Container: "podmansh",
+
+		// A value of 0 means "not set", needed to distinguish if engine.podmansh_timeout or podmansh.timeout should be used
+		// This is needed to keep backwards compatibility to engine.PodmanshTimeout.
+		Timeout: uint(0),
+	}
+}
+
 // defaultEngineConfig returns a default engine configuration. Note that the
 // config is different for root and rootless. It also parses the storage.conf.
 func defaultEngineConfig() (*EngineConfig, error) {
@ -360,7 +373,7 @@ func defaultEngineConfig() (*EngineConfig, error) {
 	c.CgroupManager = defaultCgroupManager()
 	c.ServiceTimeout = uint(5)
 	c.StopTimeout = uint(10)
-	c.PodmanshTimeout = uint(30)
+	c.PodmanshTimeout = uint(30) // deprecated: use podmansh.timeout instead, kept for backwards-compatibility
 	c.ExitCommandDelay = uint(5 * 60)
 	c.Remote = isRemote()
 	c.Retry = 3
--- a/vendor/github.com/containers/common/pkg/hooks/monitor.go
+++ b/vendor/github.com/containers/common/pkg/hooks/monitor.go
@ -48,6 +48,7 @@ func (m *Manager) Monitor(ctx context.Context, sync chan<- error) {
 	for {
 		select {
 		case event := <-watcher.Events:
+			m.lock.Lock()
 			m.hooks = make(map[string]*current.Hook)
 			for _, dir := range m.directories {
 				err = ReadDir(dir, m.extensionStages, m.hooks)
@ -55,6 +56,7 @@ func (m *Manager) Monitor(ctx context.Context, sync chan<- error) {
 					logrus.Errorf("Failed loading hooks for %s: %v", event.Name, err)
 				}
 			}
+			m.lock.Unlock()
 		case <-ctx.Done():
 			err = ctx.Err()
 			logrus.Debugf("hook monitoring canceled: %v", err)
--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
@ -1,4 +1,4 @@
 package version

 // Version is the version of the build.
-const Version = "0.59.0-dev"
+const Version = "0.60.0-dev"