Vendor in containers/(storage,image, common, buildah)

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-12-06 05:37:49 +08:00 · 2022-07-11 10:03:44 -04:00
parent 5f848d89ed
commit f67ab1eb20
576 changed files with 40399 additions and 10219 deletions
--- a/vendor/github.com/containers/common/libnetwork/cni/cni_conversion.go
+++ b/vendor/github.com/containers/common/libnetwork/cni/cni_conversion.go
@@ -5,6 +5,8 @@ package cni

 import (
 	"encoding/json"
+	"errors"
+	"fmt"
 	"io/ioutil"
 	"net"
 	"os"
@@ -18,7 +20,6 @@ import (
 	"github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/libnetwork/util"
 	pkgutil "github.com/containers/common/pkg/util"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
@@ -35,7 +36,7 @@ func createNetworkFromCNIConfigList(conf *libcni.NetworkConfigList, confPath str
 	cniJSON := make(map[string]interface{})
 	err := json.Unmarshal(conf.Bytes, &cniJSON)
 	if err != nil {
-		return nil, errors.Wrapf(err, "failed to unmarshal network config %s", conf.Name)
+		return nil, fmt.Errorf("failed to unmarshal network config %s: %w", conf.Name, err)
 	}
 	if args, ok := cniJSON["args"]; ok {
 		if key, ok := args.(map[string]interface{}); ok {
@@ -59,7 +60,7 @@ func createNetworkFromCNIConfigList(conf *libcni.NetworkConfigList, confPath str
 		var bridge hostLocalBridge
 		err := json.Unmarshal(firstPlugin.Bytes, &bridge)
 		if err != nil {
-			return nil, errors.Wrapf(err, "failed to unmarshal the bridge plugin config in %s", confPath)
+			return nil, fmt.Errorf("failed to unmarshal the bridge plugin config in %s: %w", confPath, err)
 		}
 		network.NetworkInterface = bridge.BrName

@@ -70,10 +71,10 @@ func createNetworkFromCNIConfigList(conf *libcni.NetworkConfigList, confPath str

 		// set network options
 		if bridge.MTU != 0 {
-			network.Options["mtu"] = strconv.Itoa(bridge.MTU)
+			network.Options[types.MTUOption] = strconv.Itoa(bridge.MTU)
 		}
 		if bridge.Vlan != 0 {
-			network.Options["vlan"] = strconv.Itoa(bridge.Vlan)
+			network.Options[types.VLANOption] = strconv.Itoa(bridge.Vlan)
 		}

 		err = convertIPAMConfToNetwork(&network, &bridge.IPAM, confPath)
@@ -85,17 +86,17 @@ func createNetworkFromCNIConfigList(conf *libcni.NetworkConfigList, confPath str
 		var vlan VLANConfig
 		err := json.Unmarshal(firstPlugin.Bytes, &vlan)
 		if err != nil {
-			return nil, errors.Wrapf(err, "failed to unmarshal the macvlan plugin config in %s", confPath)
+			return nil, fmt.Errorf("failed to unmarshal the macvlan plugin config in %s: %w", confPath, err)
 		}
 		network.NetworkInterface = vlan.Master

 		// set network options
 		if vlan.MTU != 0 {
-			network.Options["mtu"] = strconv.Itoa(vlan.MTU)
+			network.Options[types.MTUOption] = strconv.Itoa(vlan.MTU)
 		}

 		if vlan.Mode != "" {
-			network.Options["mode"] = vlan.Mode
+			network.Options[types.ModeOption] = vlan.Mode
 		}

 		err = convertIPAMConfToNetwork(&network, &vlan.IPAM, confPath)
@@ -110,18 +111,31 @@ func createNetworkFromCNIConfigList(conf *libcni.NetworkConfigList, confPath str
 	}

 	// check if the dnsname plugin is configured
-	network.DNSEnabled = findPluginByName(conf.Plugins, "dnsname")
+	network.DNSEnabled = findPluginByName(conf.Plugins, "dnsname") != nil
+
+	// now get isolation mode from firewall plugin
+	firewall := findPluginByName(conf.Plugins, "firewall")
+	if firewall != nil {
+		var firewallConf firewallConfig
+		err := json.Unmarshal(firewall.Bytes, &firewallConf)
+		if err != nil {
+			return nil, fmt.Errorf("failed to unmarshal the firewall plugin config in %s: %w", confPath, err)
+		}
+		if firewallConf.IngressPolicy == ingressPolicySameBridge {
+			network.Options[types.IsolateOption] = "true"
+		}
+	}

 	return &network, nil
 }

-func findPluginByName(plugins []*libcni.NetworkConfig, name string) bool {
-	for _, plugin := range plugins {
-		if plugin.Network.Type == name {
-			return true
+func findPluginByName(plugins []*libcni.NetworkConfig, name string) *libcni.NetworkConfig {
+	for i := range plugins {
+		if plugins[i].Network.Type == name {
+			return plugins[i]
 		}
 	}
-	return false
+	return nil
 }

 // convertIPAMConfToNetwork converts A cni IPAMConfig to libpod network subnets.
@@ -151,7 +165,7 @@ func convertIPAMConfToNetwork(network *types.Network, ipam *ipamConfig, confPath
 				if ipam.Gateway != "" {
 					gateway = net.ParseIP(ipam.Gateway)
 					if gateway == nil {
-						return errors.Errorf("failed to parse gateway ip %s", ipam.Gateway)
+						return fmt.Errorf("failed to parse gateway ip %s", ipam.Gateway)
 					}
 					// convert to 4 byte if ipv4
 					util.NormalizeIP(&gateway)
@@ -159,7 +173,7 @@ func convertIPAMConfToNetwork(network *types.Network, ipam *ipamConfig, confPath
 					// only add a gateway address if the network is not internal
 					gateway, err = util.FirstIPInSubnet(sub)
 					if err != nil {
-						return errors.Errorf("failed to get first ip in subnet %s", sub.String())
+						return fmt.Errorf("failed to get first ip in subnet %s", sub.String())
 					}
 				}
 				s.Gateway = gateway
@@ -169,13 +183,13 @@ func convertIPAMConfToNetwork(network *types.Network, ipam *ipamConfig, confPath
 				if ipam.RangeStart != "" {
 					rangeStart = net.ParseIP(ipam.RangeStart)
 					if rangeStart == nil {
-						return errors.Errorf("failed to parse range start ip %s", ipam.RangeStart)
+						return fmt.Errorf("failed to parse range start ip %s", ipam.RangeStart)
 					}
 				}
 				if ipam.RangeEnd != "" {
 					rangeEnd = net.ParseIP(ipam.RangeEnd)
 					if rangeEnd == nil {
-						return errors.Errorf("failed to parse range end ip %s", ipam.RangeEnd)
+						return fmt.Errorf("failed to parse range end ip %s", ipam.RangeEnd)
 					}
 				}
 				if rangeStart != nil || rangeEnd != nil {
@@ -267,7 +281,7 @@ func (n *cniNetwork) createCNIConfigListFromNetwork(network *types.Network, writ
 	case types.NoneIPAMDriver:
 		// do nothing
 	default:
-		return nil, "", errors.Errorf("unsupported ipam driver %q", ipamDriver)
+		return nil, "", fmt.Errorf("unsupported ipam driver %q", ipamDriver)
 	}

 	opts, err := parseOptions(network.Options, network.Driver)
@@ -291,7 +305,7 @@ func (n *cniNetwork) createCNIConfigListFromNetwork(network *types.Network, writ
 	switch network.Driver {
 	case types.BridgeNetworkDriver:
 		bridge := newHostLocalBridge(network.NetworkInterface, isGateway, ipMasq, opts.mtu, opts.vlan, ipamConf)
-		plugins = append(plugins, bridge, newPortMapPlugin(), newFirewallPlugin(), newTuningPlugin())
+		plugins = append(plugins, bridge, newPortMapPlugin(), newFirewallPlugin(opts.isolate), newTuningPlugin())
 		// if we find the dnsname plugin we add configuration for it
 		if hasDNSNamePlugin(n.cniPluginDirs) && network.DNSEnabled {
 			// Note: in the future we might like to allow for dynamic domain names
@@ -305,7 +319,7 @@ func (n *cniNetwork) createCNIConfigListFromNetwork(network *types.Network, writ
 		plugins = append(plugins, newVLANPlugin(types.IPVLANNetworkDriver, network.NetworkInterface, opts.vlanPluginMode, opts.mtu, ipamConf))

 	default:
-		return nil, "", errors.Errorf("driver %q is not supported by cni", network.Driver)
+		return nil, "", fmt.Errorf("driver %q is not supported by cni", network.Driver)
 	}
 	ncList["plugins"] = plugins
 	b, err := json.MarshalIndent(ncList, "", "   ")
@@ -344,7 +358,7 @@ func convertSpecgenPortsToCNIPorts(ports []types.PortMapping) ([]cniPortMapEntry

 		for _, protocol := range protocols {
 			if !pkgutil.StringInSlice(protocol, []string{"tcp", "udp", "sctp"}) {
-				return nil, errors.Errorf("unknown port protocol %s", protocol)
+				return nil, fmt.Errorf("unknown port protocol %s", protocol)
 			}
 			cniPort := cniPortMapEntry{
 				HostPort:      int(port.HostPort),
@@ -382,6 +396,7 @@ type options struct {
 	vlan           int
 	mtu            int
 	vlanPluginMode string
+	isolate        bool
 }

 func parseOptions(networkOptions map[string]string, networkDriver string) (*options, error) {
@@ -389,35 +404,44 @@ func parseOptions(networkOptions map[string]string, networkDriver string) (*opti
 	var err error
 	for k, v := range networkOptions {
 		switch k {
-		case "mtu":
+		case types.MTUOption:
 			opt.mtu, err = internalutil.ParseMTU(v)
 			if err != nil {
 				return nil, err
 			}

-		case "vlan":
+		case types.VLANOption:
 			opt.vlan, err = internalutil.ParseVlan(v)
 			if err != nil {
 				return nil, err
 			}

-		case "mode":
+		case types.ModeOption:
 			switch networkDriver {
 			case types.MacVLANNetworkDriver:
 				if !pkgutil.StringInSlice(v, types.ValidMacVLANModes) {
-					return nil, errors.Errorf("unknown macvlan mode %q", v)
+					return nil, fmt.Errorf("unknown macvlan mode %q", v)
 				}
 			case types.IPVLANNetworkDriver:
 				if !pkgutil.StringInSlice(v, types.ValidIPVLANModes) {
-					return nil, errors.Errorf("unknown ipvlan mode %q", v)
+					return nil, fmt.Errorf("unknown ipvlan mode %q", v)
 				}
 			default:
-				return nil, errors.Errorf("cannot set option \"mode\" with driver %q", networkDriver)
+				return nil, fmt.Errorf("cannot set option \"mode\" with driver %q", networkDriver)
 			}
 			opt.vlanPluginMode = v

+		case types.IsolateOption:
+			if networkDriver != types.BridgeNetworkDriver {
+				return nil, errors.New("isolate option is only supported with the bridge driver")
+			}
+			opt.isolate, err = strconv.ParseBool(v)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse isolate option: %w", err)
+			}
+
 		default:
-			return nil, errors.Errorf("unsupported network option %s", k)
+			return nil, fmt.Errorf("unsupported network option %s", k)
 		}
 	}
 	return opt, nil
--- a/vendor/github.com/containers/common/libnetwork/cni/cni_types.go
+++ b/vendor/github.com/containers/common/libnetwork/cni/cni_types.go
@@ -26,6 +26,9 @@ const (

 	// podmanOptionsKey key used to store the podman network options in a cni config
 	podmanOptionsKey = "podman_options"
+
+	// ingressPolicySameBridge is used to only allow connection on the same bridge network
+	ingressPolicySameBridge = "same-bridge"
 )

 // cniPortMapEntry struct is used by the portmap plugin
@@ -95,8 +98,9 @@ type VLANConfig struct {

 // firewallConfig describes the firewall plugin
 type firewallConfig struct {
-	PluginType string `json:"type"`
-	Backend    string `json:"backend"`
+	PluginType    string `json:"type"`
+	Backend       string `json:"backend"`
+	IngressPolicy string `json:"ingressPolicy,omitempty"`
 }

 // tuningConfig describes the tuning plugin
@@ -222,10 +226,14 @@ func newPortMapPlugin() portMapConfig {
 }

 // newFirewallPlugin creates a generic firewall plugin
-func newFirewallPlugin() firewallConfig {
-	return firewallConfig{
+func newFirewallPlugin(isolate bool) firewallConfig {
+	fw := firewallConfig{
 		PluginType: "firewall",
 	}
+	if isolate {
+		fw.IngressPolicy = ingressPolicySameBridge
+	}
+	return fw
 }

 // newTuningPlugin creates a generic tuning section
--- a/vendor/github.com/containers/common/libnetwork/cni/config.go
+++ b/vendor/github.com/containers/common/libnetwork/cni/config.go
@@ -4,13 +4,14 @@
 package cni

 import (
+	"errors"
+	"fmt"
 	"net"
 	"os"

 	internalutil "github.com/containers/common/libnetwork/internal/util"
 	"github.com/containers/common/libnetwork/types"
 	pkgutil "github.com/containers/common/pkg/util"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )

@@ -43,7 +44,7 @@ func (n *cniNetwork) networkCreate(newNetwork *types.Network, defaultNet bool) (
 	// FIXME: Should we use a different type for network create without the ID field?
 	// the caller is not allowed to set a specific ID
 	if newNetwork.ID != "" {
-		return nil, errors.Wrap(types.ErrInvalidArg, "ID can not be set for network create")
+		return nil, fmt.Errorf("ID can not be set for network create: %w", types.ErrInvalidArg)
 	}

 	err := internalutil.CommonNetworkCreate(n, newNetwork)
@@ -83,7 +84,7 @@ func (n *cniNetwork) networkCreate(newNetwork *types.Network, defaultNet bool) (
 			return nil, err
 		}
 	default:
-		return nil, errors.Wrapf(types.ErrInvalidArg, "unsupported driver %s", newNetwork.Driver)
+		return nil, fmt.Errorf("unsupported driver %s: %w", newNetwork.Driver, types.ErrInvalidArg)
 	}

 	err = internalutil.ValidateSubnets(newNetwork, !newNetwork.Internal, usedNetworks)
@@ -127,7 +128,7 @@ func (n *cniNetwork) NetworkRemove(nameOrID string) error {

 	// Removing the default network is not allowed.
 	if network.libpodNet.Name == n.defaultNetwork {
-		return errors.Errorf("default network %s cannot be removed", n.defaultNetwork)
+		return fmt.Errorf("default network %s cannot be removed", n.defaultNetwork)
 	}

 	// Remove the bridge network interface on the host.
@@ -193,7 +194,7 @@ func createIPMACVLAN(network *types.Network) error {
 			return err
 		}
 		if !pkgutil.StringInSlice(network.NetworkInterface, interfaceNames) {
-			return errors.Errorf("parent interface %s does not exist", network.NetworkInterface)
+			return fmt.Errorf("parent interface %s does not exist", network.NetworkInterface)
 		}
 	}

@@ -224,10 +225,10 @@ func validateIPAMDriver(n *types.Network) error {
 	case "", types.HostLocalIPAMDriver:
 	case types.DHCPIPAMDriver, types.NoneIPAMDriver:
 		if len(n.Subnets) > 0 {
-			return errors.Errorf("%s ipam driver is set but subnets are given", ipamDriver)
+			return fmt.Errorf("%s ipam driver is set but subnets are given", ipamDriver)
 		}
 	default:
-		return errors.Errorf("unsupported ipam driver %q", ipamDriver)
+		return fmt.Errorf("unsupported ipam driver %q", ipamDriver)
 	}
 	return nil
 }
--- a/vendor/github.com/containers/common/libnetwork/cni/network.go
+++ b/vendor/github.com/containers/common/libnetwork/cni/network.go
@@ -7,6 +7,8 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
+	"errors"
+	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
@@ -16,7 +18,6 @@ import (
 	"github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/storage/pkg/lockfile"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )

@@ -94,7 +95,7 @@ func NewCNINetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 	}
 	defaultNet, err := types.ParseCIDR(defaultSubnet)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to parse default subnet")
+		return nil, fmt.Errorf("failed to parse default subnet: %w", err)
 	}

 	defaultSubnetPools := conf.DefaultsubnetPools
@@ -201,7 +202,7 @@ func (n *cniNetwork) loadNetworks() error {
 	if networks[n.defaultNetwork] == nil {
 		networkInfo, err := n.createDefaultNetwork()
 		if err != nil {
-			return errors.Wrapf(err, "failed to create default network %s", n.defaultNetwork)
+			return fmt.Errorf("failed to create default network %s: %w", n.defaultNetwork, err)
 		}
 		networks[n.defaultNetwork] = networkInfo
 	}
@@ -243,7 +244,7 @@ func (n *cniNetwork) getNetwork(nameOrID string) (*network, error) {

 		if strings.HasPrefix(val.libpodNet.ID, nameOrID) {
 			if net != nil {
-				return nil, errors.Errorf("more than one result for network ID %s", nameOrID)
+				return nil, fmt.Errorf("more than one result for network ID %s", nameOrID)
 			}
 			net = val
 		}
@@ -251,7 +252,7 @@ func (n *cniNetwork) getNetwork(nameOrID string) (*network, error) {
 	if net != nil {
 		return net, nil
 	}
-	return nil, errors.Wrapf(types.ErrNoSuchNetwork, "unable to find network with name or ID %s", nameOrID)
+	return nil, fmt.Errorf("unable to find network with name or ID %s: %w", nameOrID, types.ErrNoSuchNetwork)
 }

 // getNetworkIDFromName creates a network ID from the name. It is just the
--- a/vendor/github.com/containers/common/libnetwork/cni/run.go
+++ b/vendor/github.com/containers/common/libnetwork/cni/run.go
@@ -5,6 +5,7 @@ package cni

 import (
 	"context"
+	"fmt"
 	"net"
 	"os"
 	"strings"
@@ -15,7 +16,6 @@ import (
 	"github.com/containers/common/libnetwork/internal/util"
 	"github.com/containers/common/libnetwork/types"
 	"github.com/hashicorp/go-multierror"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )

@@ -36,7 +36,7 @@ func (n *cniNetwork) Setup(namespacePath string, options types.SetupOptions) (ma

 	err = setupLoopback(namespacePath)
 	if err != nil {
-		return nil, errors.Wrapf(err, "failed to set the loopback adapter up")
+		return nil, fmt.Errorf("failed to set the loopback adapter up: %w", err)
 	}

 	var retErr error
@@ -108,7 +108,7 @@ func CNIResultToStatus(res cnitypes.Result) (types.StatusBlock, error) {
 	for _, nameserver := range cniResult.DNS.Nameservers {
 		ip := net.ParseIP(nameserver)
 		if ip == nil {
-			return result, errors.Errorf("failed to parse cni nameserver ip %s", nameserver)
+			return result, fmt.Errorf("failed to parse cni nameserver ip %s", nameserver)
 		}
 		nameservers = append(nameservers, ip)
 	}
@@ -133,7 +133,7 @@ func CNIResultToStatus(res cnitypes.Result) (types.StatusBlock, error) {
 				continue
 			}
 			if len(cniResult.Interfaces) <= *ip.Interface {
-				return result, errors.Errorf("invalid cni result, interface index %d out of range", *ip.Interface)
+				return result, fmt.Errorf("invalid cni result, interface index %d out of range", *ip.Interface)
 			}

 			// when we have a ip for this interface add it to the subnets
@@ -236,7 +236,7 @@ func (n *cniNetwork) teardown(namespacePath string, options types.TeardownOption
 			logrus.Warnf("Failed to load cached network config: %v, falling back to loading network %s from disk", err, name)
 			network := n.networks[name]
 			if network == nil {
-				multiErr = multierror.Append(multiErr, errors.Wrapf(types.ErrNoSuchNetwork, "network %s", name))
+				multiErr = multierror.Append(multiErr, fmt.Errorf("network %s: %w", name, types.ErrNoSuchNetwork))
 				continue
 			}
 			cniConfList = network.cniNet
@@ -258,7 +258,7 @@ func getCachedNetworkConfig(cniConf *libcni.CNIConfig, name string, rt *libcni.R
 	if err != nil {
 		return nil, nil, err
 	} else if confBytes == nil {
-		return nil, nil, errors.Errorf("network %s not found in CNI cache", name)
+		return nil, nil, fmt.Errorf("network %s not found in CNI cache", name)
 	}

 	cniConfList, err = libcni.ConfListFromBytes(confBytes)