opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-05-25 19:16:59 +08:00
Code Issues Packages Projects Releases Wiki Activity

create: support images with invalid platform

Browse Source 
Much to my regret, there is a number of images in the wild with invalid
platforms breaking the platform checks in libimage that want to make
sure that a local image is matching the expected platform.

Imagine a `podman run --arch=arm64 fedora` with a local amd64 fedora
image.  We really shouldn't use the local one in this case and pull down
the arm64 one.

The strict platform checks in libimage in combination with invalid
platforms in images surfaced in Podman being able to pull an image but
failing to look it up in subsequent presence checks.  A `podman run`
would hence pull such an image but fail to create the container.

Support images with invalid platforms by vendoring the latest HEAD from
containers/common.  Also remove the partially implemented pull-policy
logic from Podman and let libimage handle that entirely.  However,
whenever --arch, --os or --platform are specified, the pull policy will
be forced to "newer".  This way, we pessimistically assume that the
local image has an invalid platform and we reach out to the registry.
If there's a newer image (i.e., one with a different digest), we'll pull
it down.

Please note that most of the logic has either already been implemented
in libimage or been moved down which allows for removing some clutter
from Podman.

[NO TESTS NEEDED] since c/common has new tests.  Podman can rely on the
existing tests.

Fixes: #10648
Fixes: #10682
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This commit is contained in:
Valentin Rothberg
2021-06-21 10:51:51 +02:00
parent d3afc6b3b6
commit 5fc622f945
21 changed files with 197 additions and 166 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
cmd/podman/containers/create.go
View File

@ -8,7 +8,6 @@ import (
"strings"
"github.com/containers/common/pkg/config"
storageTransport "github.com/containers/image/v5/storage"
"github.com/containers/image/v5/transports/alltransports"
"github.com/containers/podman/v3/cmd/podman/common"
"github.com/containers/podman/v3/cmd/podman/registry"
@ -16,9 +15,7 @@ import (
"github.com/containers/podman/v3/pkg/domain/entities"
"github.com/containers/podman/v3/pkg/specgen"
"github.com/containers/podman/v3/pkg/util"
"github.com/containers/storage"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
)
@ -236,30 +233,12 @@ func createInit(c *cobra.Command) error {
return nil
}
// TODO: we should let the backend take care of the pull policy (which it
// does!). The code below is at risk of causing regression and code divergence.
func pullImage(imageName string) (string, error) {
pullPolicy, err := config.ValidatePullPolicy(cliVals.Pull)
if err != nil {
return "", err
}
// Check if the image is missing and hence if we need to pull it.
imageMissing := true
imageRef, err := alltransports.ParseImageName(imageName)
switch {
case err != nil:
// Assume we specified a local image without the explicit storage transport.
fallthrough
case imageRef.Transport().Name() == storageTransport.Transport.Name():
br, err := registry.ImageEngine().Exists(registry.GetContext(), imageName)
if err != nil {
return "", err
}
imageMissing = !br.Value
}
if cliVals.Platform != "" || cliVals.Arch != "" || cliVals.OS != "" {
if cliVals.Platform != "" {
if cliVals.Arch != "" || cliVals.OS != "" {
@ -271,17 +250,8 @@ func pullImage(imageName string) (string, error) {
cliVals.Arch = split[1]
}
}
if pullPolicy != config.PullPolicyAlways {
logrus.Info("--platform --arch and --os causes the pull policy to be \"always\"")
pullPolicy = config.PullPolicyAlways
}
}
if imageMissing || pullPolicy == config.PullPolicyAlways {
if pullPolicy == config.PullPolicyNever {
return "", errors.Wrap(storage.ErrImageUnknown, imageName)
}
pullReport, pullErr := registry.ImageEngine().Pull(registry.GetContext(), imageName, entities.ImagePullOptions{
Authfile: cliVals.Authfile,
Quiet: cliVals.Quiet,
@ -294,8 +264,14 @@ func pullImage(imageName string) (string, error) {
if pullErr != nil {
return "", pullErr
}
// Return the input name such that the image resolves to correct
// repo/tag in the backend (see #8082). Unless we're referring to
// the image via a transport.
if _, err := alltransports.ParseImageName(imageName); err == nil {
imageName = pullReport.Images[0]
}
return imageName, nil
}

2
go.mod
View File

@ -12,7 +12,7 @@ require (
github.com/containernetworking/cni v0.8.1
github.com/containernetworking/plugins v0.9.1
github.com/containers/buildah v1.21.1
github.com/containers/common v0.40.1-0.20210617134614-c6578d76fb0d
github.com/containers/common v0.40.2-0.20210623133759-d13a31743aec
github.com/containers/conmon v2.0.20+incompatible
github.com/containers/image/v5 v5.13.2
github.com/containers/ocicrypt v1.1.1

5
go.sum
View File

@ -221,12 +221,11 @@ github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRD
github.com/containers/buildah v1.21.1 h1:e9LmTCUKUBLg72v5DnIOT/wc8ffkfB7LbpQBywLZo20=
github.com/containers/buildah v1.21.1/go.mod h1:yPdlpVd93T+i91yGxrJbW1YOWrqN64j5ZhHOZmHUejs=
github.com/containers/common v0.38.4/go.mod h1:egfpX/Y3+19Dz4Wa1eRZDdgzoEOeneieF9CQppKzLBg=
github.com/containers/common v0.40.1-0.20210617134614-c6578d76fb0d h1:PaS/t2XcyxEDOr685T+3HPMyMqN99UPcj6I92nqIDH8=
github.com/containers/common v0.40.1-0.20210617134614-c6578d76fb0d/go.mod h1:+zxauZzkurY5tbQGDxrCV6rF694RX1olXyYRVJHrzWo=
github.com/containers/common v0.40.2-0.20210623133759-d13a31743aec h1:ZcteA2klZSZAZgVonwJAqezF6hdO9SMKUy49ZHXZd38=
github.com/containers/common v0.40.2-0.20210623133759-d13a31743aec/go.mod h1:J23CfuhN1fAg85q5HxS6SKYhKbGqmqieKQqoHaQbEI8=
github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
github.com/containers/image/v5 v5.12.0/go.mod h1:VasTuHmOw+uD0oHCfApQcMO2+36SfyncoSahU7513Xs=
github.com/containers/image/v5 v5.13.2-0.20210617132750-db0df5e0cf5e/go.mod h1:GkWursKDlDcUIT7L7vZf70tADvZCk/Ga0wgS0MuF0ag=
github.com/containers/image/v5 v5.13.2 h1:AgYunV/9d2fRkrmo23wH2MkqeHolFd6oQCkK+1PpuFA=
github.com/containers/image/v5 v5.13.2/go.mod h1:GkWursKDlDcUIT7L7vZf70tADvZCk/Ga0wgS0MuF0ag=
github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=

10
pkg/api/handlers/libpod/images_pull.go
View File

@ -32,8 +32,10 @@ func ImagesPull(w http.ResponseWriter, r *http.Request) {
Variant string `schema:"Variant"`
TLSVerify bool `schema:"tlsVerify"`
AllTags bool `schema:"allTags"`
PullPolicy string `schema:"policy"`
}{
TLSVerify: true,
PullPolicy: "always",
}
if err := decoder.Decode(&query, r.URL.Query()); err != nil {
@ -83,12 +85,18 @@ func ImagesPull(w http.ResponseWriter, r *http.Request) {
pullOptions.Writer = writer
pullPolicy, err := config.ParsePullPolicy(query.PullPolicy)
if err != nil {
utils.Error(w, "failed to parse pull policy", http.StatusBadRequest, err)
return
}
var pulledImages []*libimage.Image
var pullError error
runCtx, cancel := context.WithCancel(r.Context())
go func() {
defer cancel()
pulledImages, pullError = runtime.LibimageRuntime().Pull(runCtx, query.Reference, config.PullPolicyAlways, pullOptions)
pulledImages, pullError = runtime.LibimageRuntime().Pull(runCtx, query.Reference, pullPolicy, pullOptions)
}()
flush := func() {

4
pkg/api/server/register_images.go
View File

@ -974,6 +974,10 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error {
// description: Pull image for the specified variant.
// type: string
// - in: query
// name: policy
// description: Pull policy, "always" (default), "missing", "newer", "never".
// type: string
// - in: query
// name: tlsVerify
// description: Require TLS verification.
// type: boolean

10
pkg/bindings/images/pull.go
View File

@ -13,7 +13,7 @@ import (
"github.com/containers/podman/v3/pkg/auth"
"github.com/containers/podman/v3/pkg/bindings"
"github.com/containers/podman/v3/pkg/domain/entities"
"github.com/hashicorp/go-multierror"
"github.com/containers/podman/v3/pkg/errorhandling"
"github.com/pkg/errors"
)
@ -65,7 +65,7 @@ func Pull(ctx context.Context, rawImage string, options *PullOptions) ([]string,
dec := json.NewDecoder(response.Body)
var images []string
var mErr error
var pullErrors []error
for {
var report entities.ImagePullReport
if err := dec.Decode(&report); err != nil {
@ -77,7 +77,7 @@ func Pull(ctx context.Context, rawImage string, options *PullOptions) ([]string,
select {
case <-response.Request.Context().Done():
return images, mErr
break
default:
// non-blocking select
}
@ -86,7 +86,7 @@ func Pull(ctx context.Context, rawImage string, options *PullOptions) ([]string,
case report.Stream != "":
fmt.Fprint(stderr, report.Stream)
case report.Error != "":
mErr = multierror.Append(mErr, errors.New(report.Error))
pullErrors = append(pullErrors, errors.New(report.Error))
case len(report.Images) > 0:
images = report.Images
case report.ID != "":
@ -94,5 +94,5 @@ func Pull(ctx context.Context, rawImage string, options *PullOptions) ([]string,
return images, errors.Errorf("failed to parse pull results stream, unexpected input: %v", report)
}
}
return images, mErr
return images, errorhandling.JoinErrors(pullErrors)
}

3
pkg/bindings/images/types.go
View File

@ -147,6 +147,9 @@ type PullOptions struct {
// OS will overwrite the local operating system (OS) for image
// pulls.
OS *string
// Policy is the pull policy. Supported values are "missing", "never",
// "newer", "always". An empty string defaults to "always".
Policy *string
// Password for authenticating against the registry.
Password *string
// Quiet can be specified to suppress pull progress when pulling. Ignored

16
pkg/bindings/images/types_pull_options.go
View File

@ -84,6 +84,22 @@ func (o *PullOptions) GetOS() string {
return *o.OS
}
// WithPolicy
func (o *PullOptions) WithPolicy(value string) *PullOptions {
v := &value
o.Policy = v
return o
}
// GetPolicy
func (o *PullOptions) GetPolicy() string {
var policy string
if o.Policy == nil {
return policy
}
return *o.Policy
}
// WithPassword
func (o *PullOptions) WithPassword(value string) *PullOptions {
v := &value

2
pkg/domain/infra/tunnel/images.go
View File

@ -107,7 +107,7 @@ func (ir *ImageEngine) Pull(ctx context.Context, rawImage string, opts entities.
options := new(images.PullOptions)
options.WithAllTags(opts.AllTags).WithAuthfile(opts.Authfile).WithArch(opts.Arch).WithOS(opts.OS)
options.WithVariant(opts.Variant).WithPassword(opts.Password)
options.WithQuiet(opts.Quiet).WithUsername(opts.Username)
options.WithQuiet(opts.Quiet).WithUsername(opts.Username).WithPolicy(opts.PullPolicy.String())
if s := opts.SkipTLSVerify; s != types.OptionalBoolUndefined {
if s == types.OptionalBoolTrue {
options.WithSkipTLSVerify(true)

9
pkg/errorhandling/errorhandling.go
View File

@ -15,6 +15,12 @@ func JoinErrors(errs []error) error {
return nil
}
// If there's just one error, return it. This prevents the "%d errors
// occurred:" header plus list from the multierror package.
if len(errs) == 1 {
return errs[0]
}
// `multierror` appends new lines which we need to remove to prevent
// blank lines when printing the error.
var multiE *multierror.Error
@ -24,9 +30,6 @@ func JoinErrors(errs []error) error {
if finalErr == nil {
return finalErr
}
if len(multiE.WrappedErrors()) == 1 && logrus.IsLevelEnabled(logrus.TraceLevel) {
return multiE.WrappedErrors()[0]
}
return errors.New(strings.TrimSpace(finalErr.Error()))
}

3
pkg/specgen/generate/container.go
View File

@ -24,7 +24,8 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
var inspectData *libimage.ImageData
var err error
if s.Image != "" {
newImage, _, err = r.LibimageRuntime().LookupImage(s.Image, nil)
lookupOptions := &libimage.LookupImageOptions{IgnorePlatform: true}
newImage, _, err = r.LibimageRuntime().LookupImage(s.Image, lookupOptions)
if err != nil {
return nil, err
}

3
pkg/specgen/generate/container_create.go
View File

@ -92,7 +92,8 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
options = append(options, libpod.WithRootFS(s.Rootfs))
} else {
var resolvedImageName string
newImage, resolvedImageName, err = rt.LibimageRuntime().LookupImage(s.Image, nil)
lookupOptions := &libimage.LookupImageOptions{IgnorePlatform: true}
newImage, resolvedImageName, err = rt.LibimageRuntime().LookupImage(s.Image, lookupOptions)
if err != nil {
return nil, err
}

2
test/system/255-auto-update.bats
View File

@ -194,7 +194,7 @@ function _confirm_update() {
run_podman 125 auto-update
update_log=$output
is "$update_log" ".*invalid auto-update policy.*" "invalid policy setup"
is "$update_log" ".*1 error occurred.*" "invalid policy setup"
is "$update_log" ".*Error: invalid auto-update policy.*" "invalid policy setup"
local n_updated=$(grep -c 'Trying to pull' <<<"$update_log")
is "$n_updated" "2" "Number of images updated from registry."

18
vendor/github.com/containers/common/libimage/image.go generated vendored
View File

@ -61,6 +61,24 @@ func (i *Image) reload() error {
return nil
}
// isCorrupted returns an error if the image may be corrupted.
func (i *Image) isCorrupted(name string) error {
// If it's a manifest list, we're good for now.
if _, err := i.getManifestList(); err == nil {
return nil
}
ref, err := i.StorageReference()
if err != nil {
return err
}
if _, err := ref.NewImage(context.Background(), nil); err != nil {
return errors.Errorf("Image %s exists in local storage but may be corrupted: %v", name, err)
}
return nil
}
// Names returns associated names with the image which may be a mix of tags and
// digests.
func (i *Image) Names() []string {

48
vendor/github.com/containers/common/libimage/pull.go generated vendored
View File

@ -105,6 +105,20 @@ func (r *Runtime) Pull(ctx context.Context, name string, pullPolicy config.PullP
r.writeEvent(&Event{ID: "", Name: name, Time: time.Now(), Type: EventTypeImagePull})
}
// Some callers may set the platform via the system context at creation
// time of the runtime. We need this information to decide whether we
// need to enforce pulling from a registry (see
// containers/podman/issues/10682).
if options.Architecture == "" {
options.Architecture = r.systemContext.ArchitectureChoice
}
if options.OS == "" {
options.OS = r.systemContext.OSChoice
}
if options.Variant == "" {
options.Variant = r.systemContext.VariantChoice
}
var (
pulledImages []string
pullError error
@ -333,7 +347,7 @@ func (r *Runtime) copyFromRegistry(ctx context.Context, ref types.ImageReference
// from a registry. On successful pull it returns the used fully-qualified
// name that can later be used to look up the image in the local containers
// storage.
func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName string, pullPolicy config.PullPolicy, options *PullOptions) ([]string, error) {
func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName string, pullPolicy config.PullPolicy, options *PullOptions) ([]string, error) { //nolint:gocyclo
// Sanity check.
if err := pullPolicy.Validate(); err != nil {
return nil, err
@ -349,11 +363,41 @@ func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName str
// resolved name for pulling. Assume we're doing a `pull foo`.
// If there's already a local image "localhost/foo", then we should
// attempt pulling that instead of doing the full short-name dance.
localImage, resolvedImageName, err = r.LookupImage(imageName, nil)
lookupOptions := &LookupImageOptions{
// NOTE: we must ignore the platform of a local image when
// doing lookups. Some images set an incorrect or even invalid
// platform (see containers/podman/issues/10682). Doing the
// lookup while ignoring the platform checks prevents
// redundantly downloading the same image.
IgnorePlatform: true,
}
localImage, resolvedImageName, err = r.LookupImage(imageName, lookupOptions)
if err != nil && errors.Cause(err) != storage.ErrImageUnknown {
logrus.Errorf("Looking up %s in local storage: %v", imageName, err)
}
// If the local image is corrupted, we need to repull it.
if localImage != nil {
if err := localImage.isCorrupted(imageName); err != nil {
logrus.Error(err)
localImage = nil
}
}
// Unless the pull policy is "always", we must pessimistically assume
// that the local image has an invalid architecture (see
// containers/podman/issues/10682). Hence, whenever the user requests
// a custom platform, set the pull policy to "always" to make sure
// we're pulling down the image.
//
// NOTE that this is will even override --pull={false,never}. This is
// very likely a bug but a consistent one in Podman/Buildah and should
// be addressed at a later point.
if pullPolicy != config.PullPolicyAlways && len(options.Architecture)+len(options.OS)+len(options.Variant) > 0 {
logrus.Debugf("Enforcing pull policy to %q to support custom platform (arch: %q, os: %q, variant: %q)", "always", options.Architecture, options.OS, options.Variant)
pullPolicy = config.PullPolicyAlways
}
if pullPolicy == config.PullPolicyNever {
if localImage != nil {
logrus.Debugf("Pull policy %q but no local image has been found for %s", pullPolicy, imageName)

56
vendor/github.com/containers/common/libimage/runtime.go generated vendored
View File

@ -144,9 +144,8 @@ func (r *Runtime) Exists(name string) (bool, error) {
if image == nil {
return false, nil
}
// Inspect the image to make sure if it's corrupted or not.
if _, err := image.Inspect(context.Background(), false); err != nil {
logrus.Errorf("Image %s exists in local storage but may be corrupted: %v", name, err)
if err := image.isCorrupted(name); err != nil {
logrus.Error(err)
return false, nil
}
return true, nil
@ -159,6 +158,13 @@ type LookupImageOptions struct {
// the platform does not matter, for instance, for image removal.
IgnorePlatform bool
// Lookup an image matching the specified architecture.
Architecture string
// Lookup an image matching the specified OS.
OS string
// Lookup an image matching the specified variant.
Variant string
// If set, do not look for items/instances in the manifest list that
// match the current platform but return the manifest list as is.
lookupManifest bool
@ -210,6 +216,25 @@ func (r *Runtime) LookupImage(name string, options *LookupImageOptions) (*Image,
name = strings.TrimPrefix(name, "sha256:")
}
// Set the platform for matching local images.
if !options.IgnorePlatform {
if options.Architecture == "" {
options.Architecture = r.systemContext.ArchitectureChoice
}
if options.Architecture == "" {
options.Architecture = runtime.GOARCH
}
if options.OS == "" {
options.OS = r.systemContext.OSChoice
}
if options.OS == "" {
options.OS = runtime.GOOS
}
if options.Variant == "" {
options.Variant = r.systemContext.VariantChoice
}
}
// First, check if we have an exact match in the storage. Maybe an ID
// or a fully-qualified image name.
img, err := r.lookupImageInLocalStorage(name, name, options)
@ -295,7 +320,7 @@ func (r *Runtime) lookupImageInLocalStorage(name, candidate string, options *Loo
if err != nil {
return nil, err
}
instance, err := manifestList.LookupInstance(context.Background(), "", "", "")
instance, err := manifestList.LookupInstance(context.Background(), options.Architecture, options.OS, options.Variant)
if err != nil {
// NOTE: If we are not looking for a specific platform
// and already found the manifest list, then return it
@ -316,7 +341,7 @@ func (r *Runtime) lookupImageInLocalStorage(name, candidate string, options *Loo
return image, nil
}
matches, err := imageReferenceMatchesContext(context.Background(), ref, &r.systemContext)
matches, err := r.imageReferenceMatchesContext(ref, options)
if err != nil {
return nil, err
}
@ -428,12 +453,13 @@ func (r *Runtime) ResolveName(name string) (string, error) {
}
// imageReferenceMatchesContext return true if the specified reference matches
// the platform (os, arch, variant) as specified by the system context.
func imageReferenceMatchesContext(ctx context.Context, ref types.ImageReference, sys *types.SystemContext) (bool, error) {
if sys == nil {
// the platform (os, arch, variant) as specified by the lookup options.
func (r *Runtime) imageReferenceMatchesContext(ref types.ImageReference, options *LookupImageOptions) (bool, error) {
if options.IgnorePlatform {
return true, nil
}
img, err := ref.NewImage(ctx, sys)
ctx := context.Background()
img, err := ref.NewImage(ctx, &r.systemContext)
if err != nil {
return false, err
}
@ -442,16 +468,8 @@ func imageReferenceMatchesContext(ctx context.Context, ref types.ImageReference,
if err != nil {
return false, err
}
osChoice := sys.OSChoice
if osChoice == "" {
osChoice = runtime.GOOS
}
arch := sys.ArchitectureChoice
if arch == "" {
arch = runtime.GOARCH
}
if osChoice == data.Os && arch == data.Architecture {
if sys.VariantChoice == "" || sys.VariantChoice == data.Variant {
if options.OS == data.Os && options.Architecture == data.Architecture {
if options.Variant == "" || options.Variant == data.Variant {
return true, nil
}
}

2
vendor/github.com/containers/common/pkg/config/config.go generated vendored
View File

@ -1053,7 +1053,7 @@ func (c *Config) Write() error {
if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
return err
}
configFile, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0600)
configFile, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0644)
if err != nil {
return err
}

42
vendor/github.com/containers/common/pkg/seccomp/default_linux.go generated vendored
View File

@ -51,14 +51,9 @@ func DefaultProfile() *Seccomp {
{
Names: []string{
"bdflush",
"clone3",
"io_pgetevents",
"io_uring_enter",
"io_uring_register",
"io_uring_setup",
"kexec_file_load",
"kexec_load",
"membarrier",
"migrate_pages",
"move_pages",
"nfsservctl",
@ -71,10 +66,6 @@ func DefaultProfile() *Seccomp {
"pciconfig_iobase",
"pciconfig_read",
"pciconfig_write",
"pkey_alloc",
"pkey_free",
"pkey_mprotect",
"rseq",
"sgetmask",
"ssetmask",
"swapcontext",
@ -118,6 +109,7 @@ func DefaultProfile() *Seccomp {
"clock_nanosleep",
"clock_nanosleep_time64",
"clone",
"clone3",
"close",
"close_range",
"connect",
@ -191,6 +183,7 @@ func DefaultProfile() *Seccomp {
"getgroups",
"getgroups32",
"getitimer",
"get_mempolicy",
"getpeername",
"getpgid",
"getpgrp",
@ -241,6 +234,7 @@ func DefaultProfile() *Seccomp {
"lstat",
"lstat64",
"madvise",
"mbind",
"memfd_create",
"mincore",
"mkdir",
@ -286,6 +280,9 @@ func DefaultProfile() *Seccomp {
"pipe",
"pipe2",
"pivot_root",
"pkey_alloc",
"pkey_free",
"pkey_mprotect",
"poll",
"ppoll",
"ppoll_time64",
@ -318,6 +315,7 @@ func DefaultProfile() *Seccomp {
"renameat2",
"restart_syscall",
"rmdir",
"rseq",
"rt_sigaction",
"rt_sigpending",
"rt_sigprocmask",
@ -354,6 +352,7 @@ func DefaultProfile() *Seccomp {
"sendmsg",
"sendto",
"setns",
"set_mempolicy",
"set_robust_list",
"set_thread_area",
"set_tid_address",
@ -663,31 +662,6 @@ func DefaultProfile() *Seccomp {
Caps: []string{"CAP_SYS_MODULE"},
},
},
{
Names: []string{
"get_mempolicy",
"mbind",
"set_mempolicy",
},
Action: ActAllow,
Args: []*Arg{},
Includes: Filter{
Caps: []string{"CAP_SYS_NICE"},
},
},
{
Names: []string{
"get_mempolicy",
"mbind",
"set_mempolicy",
},
Action: ActErrno,
ErrnoRet: &eperm,
Args: []*Arg{},
Excludes: Filter{
Caps: []string{"CAP_SYS_NICE"},
},
},
{
Names: []string{
"acct",

50
vendor/github.com/containers/common/pkg/seccomp/seccomp.json generated vendored
View File

@ -54,14 +54,9 @@
{
"names": [
"bdflush",
"clone3",
"io_pgetevents",
"io_uring_enter",
"io_uring_register",
"io_uring_setup",
"kexec_file_load",
"kexec_load",
"membarrier",
"migrate_pages",
"move_pages",
"nfsservctl",
@ -74,10 +69,6 @@
"pciconfig_iobase",
"pciconfig_read",
"pciconfig_write",
"pkey_alloc",
"pkey_free",
"pkey_mprotect",
"rseq",
"sgetmask",
"ssetmask",
"swapcontext",
@ -124,6 +115,7 @@
"clock_nanosleep",
"clock_nanosleep_time64",
"clone",
"clone3",
"close",
"close_range",
"connect",
@ -197,6 +189,7 @@
"getgroups",
"getgroups32",
"getitimer",
"get_mempolicy",
"getpeername",
"getpgid",
"getpgrp",
@ -247,6 +240,7 @@
"lstat",
"lstat64",
"madvise",
"mbind",
"memfd_create",
"mincore",
"mkdir",
@ -292,6 +286,9 @@
"pipe",
"pipe2",
"pivot_root",
"pkey_alloc",
"pkey_free",
"pkey_mprotect",
"poll",
"ppoll",
"ppoll_time64",
@ -324,6 +321,7 @@
"renameat2",
"restart_syscall",
"rmdir",
"rseq",
"rt_sigaction",
"rt_sigpending",
"rt_sigprocmask",
@ -360,6 +358,7 @@
"sendmsg",
"sendto",
"setns",
"set_mempolicy",
"set_robust_list",
"set_thread_area",
"set_tid_address",
@ -759,39 +758,6 @@
},
"errnoRet": 1
},
{
"names": [
"get_mempolicy",
"mbind",
"set_mempolicy"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_SYS_NICE"
]
},
"excludes": {}
},
{
"names": [
"get_mempolicy",
"mbind",
"set_mempolicy"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_NICE"
]
},
"errnoRet": 1
},
{
"names": [
"acct"

2
vendor/github.com/containers/common/version/version.go generated vendored
View File

@ -1,4 +1,4 @@
package version
// Version is the version of the build.
const Version = "0.40.1-dev"
const Version = "0.40.2-dev"

2
vendor/modules.txt vendored
View File

@ -93,7 +93,7 @@ github.com/containers/buildah/pkg/overlay
github.com/containers/buildah/pkg/parse
github.com/containers/buildah/pkg/rusage
github.com/containers/buildah/util
# github.com/containers/common v0.40.1-0.20210617134614-c6578d76fb0d
# github.com/containers/common v0.40.2-0.20210623133759-d13a31743aec
github.com/containers/common/libimage
github.com/containers/common/libimage/manifests
github.com/containers/common/pkg/apparmor