Merge pull request #22896 from Luap99/reexec-env

pkg/rootless: set _CONTAINERS_USERNS_CONFIGURED correctly

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/checkpoint-restore/go-criu/v7 v7.1.0
 	github.com/containernetworking/plugins v1.5.0
 	github.com/containers/buildah v1.36.0
-	github.com/containers/common v0.59.0
+	github.com/containers/common v0.59.1-0.20240603155017-49ad520556e7
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.7.4-0.20240515153903-01a1a0cd3f70
 	github.com/containers/image/v5 v5.31.1-0.20240530141348-2343e812b95b

go.sum

@@ -79,8 +79,8 @@ github.com/containernetworking/plugins v1.5.0 h1:P09DMlfvvsLSskDoftnuwXY7lwa7IAh
 github.com/containernetworking/plugins v1.5.0/go.mod h1:bcXMvG9gWGc6jVXeodmMzuXmXqpqMguZm6Zu/oIr7AA=
 github.com/containers/buildah v1.36.0 h1:e369nE9bx0yJtPVRDMsbr0OzkW59XCYAl+5poGhFjcs=
 github.com/containers/buildah v1.36.0/go.mod h1:qlEF4RuCnzEUTQhAnCyGr5WoYNZaU0k2mPcZscUR//c=
-github.com/containers/common v0.59.0 h1:fy9Jz0B7Qs1C030bm73YJtVddaiFSZD3558EV1tgN2g=
-github.com/containers/common v0.59.0/go.mod h1:53VicJCZ2AD0O+Br7VVoyrS7viXF4YmwlTIocWUT8XE=
+github.com/containers/common v0.59.1-0.20240603155017-49ad520556e7 h1:Vp0npRNqZJrtMrOeVPyLNDYojSPbkNm3pQVnuBULubs=
+github.com/containers/common v0.59.1-0.20240603155017-49ad520556e7/go.mod h1:G4vF3V1iWu+NxT/pquuJYBcWGsrVKibDhPu9h52nXyI=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.7.4-0.20240515153903-01a1a0cd3f70 h1:aACcXSIgcuPq5QdNZZ8B53BCdhqYvw33/8QmZWJATvg=

pkg/rootless/rootless_linux.c

@@ -880,7 +880,7 @@ reexec_userns_join (int pid_to_join, char *pause_pid_file_path)
         setenv ("LISTEN_FDNAMES", saved_systemd_listen_fdnames, true);
     }
 
-  setenv ("_CONTAINERS_USERNS_CONFIGURED", "init", 1);
+  setenv ("_CONTAINERS_USERNS_CONFIGURED", "done", 1);
   setenv ("_CONTAINERS_ROOTLESS_UID", uid, 1);
   setenv ("_CONTAINERS_ROOTLESS_GID", gid, 1);
 
@@ -1081,7 +1081,7 @@ reexec_in_user_namespace (int ready, char *pause_pid_file_path, char *file_to_re
         setenv ("LISTEN_FDNAMES", saved_systemd_listen_fdnames, true);
     }
 
-  setenv ("_CONTAINERS_USERNS_CONFIGURED", "init", 1);
+  setenv ("_CONTAINERS_USERNS_CONFIGURED", "done", 1);
   setenv ("_CONTAINERS_ROOTLESS_UID", uid, 1);
   setenv ("_CONTAINERS_ROOTLESS_GID", gid, 1);
 

vendor/github.com/containers/common/libimage/manifests/manifests.go

@@ -663,6 +663,9 @@ func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.Imag
 		if err != nil {
 			return "", fmt.Errorf("adding instance with digest %q: %w", *instanceInfo.instanceDigest, err)
 		}
+		if err := l.List.SetArtifactType(instanceInfo.instanceDigest, instanceInfo.ArtifactType); err != nil {
+			return "", fmt.Errorf("setting artifact manifest type for instance with digest %q: %w", *instanceInfo.instanceDigest, err)
+		}
 		if err = l.List.SetURLs(*instanceInfo.instanceDigest, instanceInfo.URLs); err != nil {
 			return "", fmt.Errorf("setting URLs for instance with digest %q: %w", *instanceInfo.instanceDigest, err)
 		}

vendor/github.com/containers/common/libnetwork/cni/network.go

@@ -82,9 +82,23 @@ type InitConfig struct {
 // NewCNINetworkInterface creates the ContainerNetwork interface for the CNI backend.
 // Note: The networks are not loaded from disk until a method is called.
 func NewCNINetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
+	var netns *rootlessnetns.Netns
+	var err error
+	// Do not use unshare.IsRootless() here. We only care if we are running re-exec in the userns,
+	// IsRootless() also returns true if we are root in a userns which is not what we care about and
+	// causes issues as this slower more complicated rootless-netns logic should not be used as root.
+	val, ok := os.LookupEnv(unshare.UsernsEnvName)
+	useRootlessNetns := ok && val == "done"
+	if useRootlessNetns {
+		netns, err = rootlessnetns.New(conf.RunDir, rootlessnetns.CNI, conf.Config)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	// root needs to use a globally unique lock because there is only one host netns
 	lockPath := defaultRootLockPath
-	if unshare.IsRootless() {
+	if useRootlessNetns {
 		lockPath = filepath.Join(conf.CNIConfigDir, "cni.lock")
 	}
 
@@ -112,14 +126,6 @@ func NewCNINetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 		defaultSubnetPools = config.DefaultSubnetPools
 	}
 
-	var netns *rootlessnetns.Netns
-	if unshare.IsRootless() {
-		netns, err = rootlessnetns.New(conf.RunDir, rootlessnetns.CNI, conf.Config)
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	cni := libcni.NewCNIConfig(conf.Config.Network.CNIPluginDirs.Values, &cniExec{})
 	n := &cniNetwork{
 		cniConfigDir:       conf.CNIConfigDir,

vendor/github.com/containers/common/libnetwork/netavark/network.go

@@ -96,9 +96,23 @@ type InitConfig struct {
 // NewNetworkInterface creates the ContainerNetwork interface for the netavark backend.
 // Note: The networks are not loaded from disk until a method is called.
 func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
+	var netns *rootlessnetns.Netns
+	var err error
+	// Do not use unshare.IsRootless() here. We only care if we are running re-exec in the userns,
+	// IsRootless() also returns true if we are root in a userns which is not what we care about and
+	// causes issues as this slower more complicated rootless-netns logic should not be used as root.
+	val, ok := os.LookupEnv(unshare.UsernsEnvName)
+	useRootlessNetns := ok && val == "done"
+	if useRootlessNetns {
+		netns, err = rootlessnetns.New(conf.NetworkRunDir, rootlessnetns.Netavark, conf.Config)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	// root needs to use a globally unique lock because there is only one host netns
 	lockPath := defaultRootLockPath
-	if unshare.IsRootless() {
+	if useRootlessNetns {
 		lockPath = filepath.Join(conf.NetworkConfigDir, "netavark.lock")
 	}
 
@@ -134,18 +148,6 @@ func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 		defaultSubnetPools = config.DefaultSubnetPools
 	}
 
-	var netns *rootlessnetns.Netns
-	// Do not use unshare.IsRootless() here. We only care if we are running re-exec in the userns,
-	// IsRootless() also returns true if we are root in a userns which is not what we care about and
-	// causes issues as this slower more complicated rootless-netns logic should not be used as root.
-	_, useRootlessNetns := os.LookupEnv(unshare.UsernsEnvName)
-	if useRootlessNetns {
-		netns, err = rootlessnetns.New(conf.NetworkRunDir, rootlessnetns.Netavark, conf.Config)
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	n := &netavarkNetwork{
 		networkConfigDir:   conf.NetworkConfigDir,
 		networkRunDir:      conf.NetworkRunDir,

vendor/github.com/containers/common/pkg/config/config_bsd.go

@@ -1,3 +1,5 @@
+//go:build (freebsd || netbsd || openbsd)
+
 package config
 
 const (

vendor/github.com/containers/common/pkg/config/config_windows.go

@@ -5,7 +5,7 @@ import "os"
 const (
 	// _configPath is the path to the containers/containers.conf
 	// inside a given config directory.
-	_configPath = "containers\\containers.conf"
+	_configPath = "\\containers\\containers.conf"
 
 	// DefaultContainersConfig holds the default containers config path
 	DefaultContainersConfig = ""

vendor/github.com/containers/common/pkg/config/containers.conf

@@ -350,9 +350,9 @@ default_sysctls = [
 
 # The firewall driver to be used by netavark.
 # The default is empty which means netavark will pick one accordingly. Current supported
-# drivers are "iptables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
-# experimental at the moment and not recommend outside of testing). In the future we are
-# planning to add support for a "nftables" driver.
+# drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
+# experimental at the moment and not recommend outside of testing).
+#
 #firewall_driver = ""
 
 
@@ -890,10 +890,10 @@ default_sysctls = [
 [podmansh]
 # Shell to spawn in container. Default: /bin/sh.
 #shell = "/bin/sh"
-# 
+#
 # Name of the container the podmansh user should join.
 #container = "podmansh"
-# 
+#
 # Default timeout in seconds for podmansh logins.
 # Favored over the deprecated "podmansh_timeout" field.
 #timeout = 30

vendor/github.com/containers/common/pkg/config/default_bsd.go

@@ -1,3 +1,5 @@
+//go:build (freebsd || netbsd || openbsd)
+
 package config
 
 // DefaultInitPath is the default path to the container-init binary.

vendor/github.com/containers/common/pkg/config/default_common.go

@@ -1,4 +1,4 @@
-//go:build !freebsd
+//go:build !freebsd && !netbsd
 
 package config
 

vendor/github.com/containers/common/pkg/password/password_supported.go

@@ -1,4 +1,4 @@
-//go:build linux || darwin || freebsd
+//go:build linux || darwin || freebsd || netbsd
 
 package password
 

vendor/github.com/containers/common/pkg/version/version.go

@@ -25,7 +25,8 @@ func queryPackageVersion(cmdArg ...string) string {
 		cmd := exec.Command(cmdArg[0], cmdArg[1:]...)
 		if outp, err := cmd.Output(); err == nil {
 			output = string(outp)
-			if cmdArg[0] == "/usr/bin/dlocate" {
+			switch cmdArg[0] {
+			case "/usr/bin/dlocate":
 				// can return multiple matches
 				l := strings.Split(output, "\n")
 				output = l[0]
@@ -44,19 +45,24 @@ func queryPackageVersion(cmdArg ...string) string {
 						}
 					}
 				}
-			} else if cmdArg[0] == "/usr/bin/dpkg" {
+			case "/usr/bin/dpkg":
 				r := strings.Split(output, ": ")
 				queryFormat := `${Package}_${Version}_${Architecture}`
 				cmd = exec.Command("/usr/bin/dpkg-query", "-f", queryFormat, "-W", r[0])
 				if outp, err := cmd.Output(); err == nil {
 					output = string(outp)
 				}
+			case "/usr/bin/pacman":
+				pkg := strings.Trim(output, "\n")
+				cmd = exec.Command(cmdArg[0], "-Q", "--", pkg)
+				if outp, err := cmd.Output(); err == nil {
+					output = strings.ReplaceAll(string(outp), " ", "-")
+				}
+			case "/sbin/apk":
+				prefix := cmdArg[len(cmdArg)-1] + " is owned by "
+				output = strings.Replace(output, prefix, "", 1)
 			}
 		}
-		if cmdArg[0] == "/sbin/apk" {
-			prefix := cmdArg[len(cmdArg)-1] + " is owned by "
-			output = strings.Replace(output, prefix, "", 1)
-		}
 	}
 	return strings.Trim(output, "\n")
 }
@@ -77,7 +83,7 @@ func Package(program string) string { // program is full path
 		{"rpm", []string{"/usr/bin/rpm", "-q", "-f"}},
 		{"deb", []string{"/usr/bin/dlocate", "-F"}},             // Debian, Ubuntu (quick)
 		{"deb", []string{"/usr/bin/dpkg", "-S"}},                // Debian, Ubuntu (slow)
-		{"pacman", []string{"/usr/bin/pacman", "-Qo"}},          // Arch
+		{"pacman", []string{"/usr/bin/pacman", "-Qoq"}},         // Arch
 		{"gentoo", []string{"/usr/bin/qfile", "-qv"}},           // Gentoo (quick)
 		{"gentoo", []string{"/usr/bin/equery", "b"}},            // Gentoo (slow)
 		{"apk", []string{"/sbin/apk", "info", "-W"}},            // Alpine

vendor/github.com/containers/common/version/version.go

@@ -1,4 +1,4 @@
 package version
 
 // Version is the version of the build.
-const Version = "0.59.0"
+const Version = "0.60.0-dev"

vendor/modules.txt

@@ -171,7 +171,7 @@ github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/pkg/volumes
 github.com/containers/buildah/util
-# github.com/containers/common v0.59.0
+# github.com/containers/common v0.59.1-0.20240603155017-49ad520556e7
 ## explicit; go 1.21
 github.com/containers/common/internal
 github.com/containers/common/internal/attributedstring