Bump github.com/containers/common from 0.6.1 to 0.8.0

Bumps [github.com/containers/common](https://github.com/containers/common) from 0.6.1 to 0.8.0.
- [Release notes](https://github.com/containers/common/releases)
- [Commits](https://github.com/containers/common/compare/v0.6.1...v0.8.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

vendor/github.com/containers/common/pkg/config/config.go

@@ -11,7 +11,7 @@ import (
 
 	"github.com/BurntSushi/toml"
 	"github.com/containers/common/pkg/capabilities"
-	"github.com/containers/common/pkg/unshare"
+	"github.com/containers/storage/pkg/unshare"
 	units "github.com/docker/go-units"
 	selinux "github.com/opencontainers/selinux/go-selinux"
 	"github.com/pkg/errors"
@@ -173,7 +173,7 @@ type ContainersConfig struct {
 // EngineConfig contains configuration options used to set up a engine runtime
 type EngineConfig struct {
 	// CgroupCheck indicates the configuration has been rewritten after an
-	// upgrade to Fedora 31 to change the default OCI runtime for cgroupsv2.
+	// upgrade to Fedora 31 to change the default OCI runtime for cgroupv2v2.
 	CgroupCheck bool `toml:"cgroup_check,omitempty"`
 
 	// CGroupManager is the CGroup Manager to use Valid values are "cgroupfs"
@@ -269,7 +269,7 @@ type EngineConfig struct {
 
 	// RuntimeSupportsNoCgroups is a list of OCI runtimes that support
 	// running containers without CGroups.
-	RuntimeSupportsNoCgroups []string `toml:"runtime_supports_nocgroups"`
+	RuntimeSupportsNoCgroups []string `toml:"runtime_supports_nocgroupv2"`
 
 	// SetOptions contains a subset of config options. It's used to indicate if
 	// a given option has either been set by the user or by the parsed
@@ -373,7 +373,7 @@ type NetworkConfig struct {
 // running as root or rootless, we then merge the system configuration followed
 // by merging the default config (hard-coded default in memory).
 // Note that the OCI runtime is hard-set to `crun` if we're running on a system
-// with cgroupsv2. Other OCI runtimes are not yet supporting cgroupsv2. This
+// with cgroupv2v2. Other OCI runtimes are not yet supporting cgroupv2v2. This
 // might change in the future.
 func NewConfig(userConfigPath string) (*Config, error) {
 
@@ -494,7 +494,7 @@ func (c *Config) CheckCgroupsAndAdjustConfig() {
 	}
 
 	if !hasSession {
-		logrus.Warningf("The cgroups manager is set to systemd but there is no systemd user session available")
+		logrus.Warningf("The cgroupv2 manager is set to systemd but there is no systemd user session available")
 		logrus.Warningf("For using systemd, you may need to login using an user session")
 		logrus.Warningf("Alternatively, you can enable lingering with: `loginctl enable-linger %d` (possibly as root)", unshare.GetRootlessUID())
 		logrus.Warningf("Falling back to --cgroup-manager=cgroupfs")
@@ -806,9 +806,35 @@ func IsValidDeviceMode(mode string) bool {
 	return true
 }
 
+// resolveHomeDir converts a path referencing the home directory via "~"
+// to an absolute path
+func resolveHomeDir(path string) (string, error) {
+	// check if the path references the home dir to avoid work
+	// don't use strings.HasPrefix(path, "~") as this doesn't match "~" alone
+	// use strings.HasPrefix(...) to not match "something/~/something"
+	if !(path == "~" || strings.HasPrefix(path, "~/")) {
+		// path does not reference home dir -> Nothing to do
+		return path, nil
+	}
+
+	// only get HomeDir when necessary
+	home, err := unshare.HomeDir()
+	if err != nil {
+		return "", err
+	}
+
+	// replace the first "~" (start of path) with the HomeDir to resolve "~"
+	return strings.Replace(path, "~", home, 1), nil
+}
+
 // isDirectory tests whether the given path exists and is a directory. It
 // follows symlinks.
 func isDirectory(path string) error {
+	path, err := resolveHomeDir(path)
+	if err != nil {
+		return err
+	}
+
 	info, err := os.Stat(path)
 	if err != nil {
 		return err

vendor/github.com/containers/common/pkg/config/containers.conf

@@ -288,7 +288,7 @@
 # associated with the  pod.  This container does nothing other then sleep,
 # reserving the pods resources for the lifetime of the pod.
 #
-# infra_image = "k8s.gcr.io/pause:3.1"
+# infra_image = "k8s.gcr.io/pause:3.2"
 
 # Specify the locking mechanism to use; valid values are "shm" and "file".
 # Change the default only if you are sure of what you are doing, in general
@@ -345,9 +345,9 @@
 # List of the OCI runtimes that support --format=json.  When json is supported
 # engine will use it for reporting nicer errors.
 #
-# runtime_supports_json = ["crun", "runc"]
+# runtime_supports_json = ["crun", "runc", "kata"]
 
-# Paths to look for a valid OCI runtime (runc, runv, etc)
+# Paths to look for a valid OCI runtime (runc, runv, kata, etc)
 [engine.runtimes]
 # runc = [
 #        "/usr/bin/runc",
@@ -369,6 +369,15 @@
 #            "/run/current-system/sw/bin/crun",
 # ]
 
+# kata = [
+#            "/usr/bin/kata-runtime",
+#            "/usr/sbin/kata-runtime",
+#            "/usr/local/bin/kata-runtime",
+#            "/usr/local/sbin/kata-runtime",
+#            "/sbin/kata-runtime",
+#            "/bin/kata-runtime",
+# ]
+
 # Number of seconds to wait for container to exit before sending kill signal.
 #stop_timeout = 10
 

vendor/github.com/containers/common/pkg/config/default.go

@@ -2,14 +2,19 @@ package config
 
 import (
 	"bytes"
+	"fmt"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"regexp"
 	"strconv"
 
-	"github.com/containers/common/pkg/unshare"
+	"github.com/containers/common/pkg/apparmor"
+	"github.com/containers/common/pkg/cgroupv2"
+	"github.com/containers/common/pkg/sysinfo"
 	"github.com/containers/storage"
+	"github.com/containers/storage/pkg/unshare"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -40,7 +45,7 @@ var (
 	// DefaultInitPath is the default path to the container-init binary
 	DefaultInitPath = "/usr/libexec/podman/catatonit"
 	// DefaultInfraImage to use for infra container
-	DefaultInfraImage = "k8s.gcr.io/pause:3.1"
+	DefaultInfraImage = "k8s.gcr.io/pause:3.2"
 	// DefaultInfraCommand to be run in an infra container
 	DefaultInfraCommand = "/pause"
 	// DefaultRootlessSHMLockPath is the default path for rootless SHM locks
@@ -87,7 +92,7 @@ const (
 	// CgroupfsCgroupsManager represents cgroupfs native cgroup manager
 	CgroupfsCgroupsManager = "cgroupfs"
 	// DefaultApparmorProfile  specifies the default apparmor profile for the container.
-	DefaultApparmorProfile = "container-default"
+	DefaultApparmorProfile = apparmor.Profile
 	// SystemdCgroupsManager represents systemd native cgroup manager
 	SystemdCgroupsManager = "systemd"
 	// DefaultLogDriver is the default type of log files
@@ -207,11 +212,11 @@ func defaultConfigFromMemory() (*EngineConfig, error) {
 	c.StateType = BoltDBStateStore
 
 	c.OCIRuntime = "runc"
-	// If we're running on cgroups v2, default to using crun.
-	if onCgroupsv2, _ := isCgroup2UnifiedMode(); onCgroupsv2 {
+	// If we're running on cgroupv2 v2, default to using crun.
+	if cgroup2, _ := cgroupv2.Enabled(); cgroup2 {
 		c.OCIRuntime = "crun"
 	}
-	c.CgroupManager = SystemdCgroupsManager
+	c.CgroupManager = defaultCgroupManager()
 	c.StopTimeout = uint(10)
 
 	c.OCIRuntimes = map[string][]string{
@@ -234,6 +239,14 @@ func defaultConfigFromMemory() (*EngineConfig, error) {
 			"/bin/crun",
 			"/run/current-system/sw/bin/crun",
 		},
+		"kata": {
+			"/usr/bin/kata-runtime",
+			"/usr/sbin/kata-runtime",
+			"/usr/local/bin/kata-runtime",
+			"/usr/local/sbin/kata-runtime",
+			"/sbin/kata-runtime",
+			"/bin/kata-runtime",
+		},
 	}
 	c.ConmonEnvVars = []string{
 		"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
@@ -261,7 +274,7 @@ func defaultConfigFromMemory() (*EngineConfig, error) {
 	c.InfraImage = DefaultInfraImage
 	c.EnablePortReservation = true
 	c.NumLocks = 2048
-	c.EventsLogger = "journald"
+	c.EventsLogger = defaultEventsLogger()
 	c.DetachKeys = DefaultDetachKeys
 	c.SDNotify = false
 	// TODO - ideally we should expose a `type LockType string` along with
@@ -344,3 +357,112 @@ func probeConmon(conmonBinary string) error {
 
 	return nil
 }
+
+// NetNS returns the default network namespace
+func (c *Config) NetNS() string {
+	if c.Containers.NetNS == "private" && unshare.IsRootless() {
+		return "slirp4netns"
+	}
+	return c.Containers.NetNS
+}
+
+// SecurityOptions returns the default security options
+func (c *Config) SecurityOptions() []string {
+	securityOpts := []string{}
+	if c.Containers.SeccompProfile != "" && c.Containers.SeccompProfile != SeccompDefaultPath {
+		securityOpts = append(securityOpts, fmt.Sprintf("seccomp=%s", c.Containers.SeccompProfile))
+	}
+	if apparmor.IsEnabled() && c.Containers.ApparmorProfile != "" {
+		securityOpts = append(securityOpts, fmt.Sprintf("apparmor=%s", c.Containers.ApparmorProfile))
+	}
+	if selinux.GetEnabled() && !c.Containers.EnableLabeling {
+		securityOpts = append(securityOpts, fmt.Sprintf("label=%s", selinux.DisableSecOpt()[0]))
+	}
+	return securityOpts
+}
+
+// Sysctls returns the default sysctls
+func (c *Config) Sysctls() []string {
+	return c.Containers.DefaultSysctls
+}
+
+// Volumes returns the default additional volumes for containersvolumes
+func (c *Config) Volumes() []string {
+	return c.Containers.Volumes
+}
+
+// Devices returns the default additional devices for containers
+func (c *Config) Devices() []string {
+	return c.Containers.Devices
+}
+
+// DNSServers returns the default DNS servers to add to resolv.conf in containers
+func (c *Config) DNSServers() []string {
+	return c.Containers.DNSServers
+}
+
+// DNSSerches returns the default DNS searches to add to resolv.conf in containers
+func (c *Config) DNSSearches() []string {
+	return c.Containers.DNSSearches
+}
+
+// DNSOptions returns the default DNS options to add to resolv.conf in containers
+func (c *Config) DNSOptions() []string {
+	return c.Containers.DNSOptions
+}
+
+// Env returns the default additional environment variables to add to containers
+func (c *Config) Env() []string {
+	return c.Containers.Env
+}
+
+// InitPath returns the default init path to add to containers
+func (c *Config) InitPath() string {
+	return c.Containers.InitPath
+}
+
+// IPCNS returns the default IPC Namespace configuration to run containers with
+func (c *Config) IPCNS() string {
+	return c.Containers.IPCNS
+}
+
+// PIDNS returns the default PID Namespace configuration to run containers with
+func (c *Config) PidNS() string {
+	return c.Containers.PidNS
+}
+
+// CgroupNS returns the default Cgroup Namespace configuration to run containers with
+func (c *Config) CgroupNS() string {
+	return c.Containers.CgroupNS
+}
+
+// UTSNS returns the default UTS Namespace configuration to run containers with
+func (c *Config) UTSNS() string {
+	return c.Containers.UTSNS
+}
+
+// ShmSize returns the default size for temporary file systems to use in containers
+func (c *Config) ShmSize() string {
+	return c.Containers.ShmSize
+}
+
+// Ulimits returns the default ulimits to use in containers
+func (c *Config) Ulimits() []string {
+	return c.Containers.DefaultUlimits
+}
+
+// PidsLimit returns the default maximum number of pids to use in containers
+func (c *Config) PidsLimit() int64 {
+	if unshare.IsRootless() {
+		cgroup2, _ := cgroupv2.Enabled()
+		if cgroup2 {
+			return c.Containers.PidsLimit
+		}
+	}
+	return sysinfo.GetDefaultPidsLimit()
+}
+
+// DetachKeys returns the default detach keys to detach from a container
+func (c *Config) DetachKeys() string {
+	return c.Engine.DetachKeys
+}

vendor/github.com/containers/common/pkg/config/default_linux.go

@@ -5,24 +5,10 @@ import (
 	"io/ioutil"
 	"strconv"
 	"strings"
-	"syscall"
 
 	"golang.org/x/sys/unix"
 )
 
-// isCgroup2UnifiedMode returns whether we are running in cgroup2 mode.
-func isCgroup2UnifiedMode() (isUnified bool, isUnifiedErr error) {
-	cgroupRoot := "/sys/fs/cgroup"
-
-	var st syscall.Statfs_t
-	if err := syscall.Statfs(cgroupRoot, &st); err != nil {
-		isUnified, isUnifiedErr = false, err
-	} else {
-		isUnified, isUnifiedErr = int64(st.Type) == int64(unix.CGROUP2_SUPER_MAGIC), nil
-	}
-	return
-}
-
 const (
 	oldMaxSize = uint64(1048576)
 )

vendor/github.com/containers/common/pkg/config/libpodConfig.go

@@ -9,7 +9,8 @@ import (
 	"path/filepath"
 
 	"github.com/BurntSushi/toml"
-	"github.com/containers/common/pkg/unshare"
+	"github.com/containers/common/pkg/cgroupv2"
+	"github.com/containers/storage/pkg/unshare"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -69,7 +70,7 @@ type ConfigFromLibpod struct {
 
 	// RuntimeSupportsNoCgroups is a list of OCI runtimes that support
 	// running containers without CGroups.
-	RuntimeSupportsNoCgroups []string `toml:"runtime_supports_nocgroups,omitempty"`
+	RuntimeSupportsNoCgroups []string `toml:"runtime_supports_nocgroupv2,omitempty"`
 
 	// RuntimePath is the path to OCI runtime binary for launching containers.
 	// The first path pointing to a valid file will be used This is used only
@@ -175,7 +176,7 @@ type ConfigFromLibpod struct {
 	SDNotify bool `toml:",omitempty"`
 
 	// CgroupCheck indicates the configuration has been rewritten after an
-	// upgrade to Fedora 31 to change the default OCI runtime for cgroupsv2.
+	// upgrade to Fedora 31 to change the default OCI runtime for cgroupv2v2.
 	CgroupCheck bool `toml:"cgroup_check,omitempty"`
 }
 
@@ -183,7 +184,7 @@ type ConfigFromLibpod struct {
 // Depending if we're running as root or rootless, we then merge the system configuration followed
 // by merging the default config (hard-coded default in memory).
 // Note that the OCI runtime is hard-set to `crun` if we're running on a system
-// with cgroupsv2. Other OCI runtimes are not yet supporting cgroupsv2. This
+// with cgroupv2v2. Other OCI runtimes are not yet supporting cgroupv2v2. This
 // might change in the future.
 func newLibpodConfig(c *Config) error {
 	// Start with the default config and interatively merge
@@ -205,13 +206,13 @@ func newLibpodConfig(c *Config) error {
 
 	// Since runc does not currently support cgroupV2
 	// Change to default crun on first running of libpod.conf
-	// TODO Once runc has support for cgroups, this function should be removed.
+	// TODO Once runc has support for cgroupv2, this function should be removed.
 	if !config.CgroupCheck && unshare.IsRootless() {
-		cgroupsV2, err := isCgroup2UnifiedMode()
+		cgroup2, err := cgroupv2.Enabled()
 		if err != nil {
 			return err
 		}
-		if cgroupsV2 {
+		if cgroup2 {
 			path, err := exec.LookPath("crun")
 			if err != nil {
 				// Can't find crun path so do nothing

vendor/github.com/containers/common/pkg/config/nosystemd.go

@@ -0,0 +1,11 @@
+// +build !systemd
+
+package config
+
+func defaultCgroupManager() string {
+	return "cgroupfs"
+}
+
+func defaultEventsLogger() string {
+	return "file"
+}

vendor/github.com/containers/common/pkg/config/systemd.go

@@ -0,0 +1,10 @@
+// +build systemd
+
+package config
+
+func defaultCgroupManager() string {
+	return SystemdCgroupsManager
+}
+func defaultEventsLogger() string {
+	return "journald"
+}

vendor/github.com/containers/common/pkg/config/util_supported.go

@@ -9,7 +9,7 @@ import (
 	"sync"
 	"syscall"
 
-	"github.com/containers/common/pkg/unshare"
+	"github.com/containers/storage/pkg/unshare"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )