While this is normally a non-issue, because we run in an unprivileged
userns we cannot modify the host mounts in any way. However in cases
where the rootless netns logic might be executed from a non-userns
context we might change the mount tree if the mounts are shared, which is
the systemd default. While this should never happen, let's make sure we
never mess up the system by accident in case there are more bugs and
explicitly make our mount tree private.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
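The two halves of the safeguard in that commit, as an added Go example that is not c/common's own code: a check that reads mountinfo text and reports which mount points still have shared propagation, and the recursive private remount itself. The mountinfo lines are constructed, not captured from a real host.

```go
package main

import (
	"bufio"
	"strings"
	"syscall"
)

// SampleMountinfo is constructed /proc/self/mountinfo text, not captured from a
// real host: "/" and "/tmp" carry shared:N tags (the systemd default), the
// rootless netns bind mount and /mnt/private do not.
const SampleMountinfo = `22 1 0:21 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 0:35 / /tmp rw,nosuid shared:17 - tmpfs tmpfs rw
55 22 0:40 net:[4026532211] /run/user/1000/netns/rootless-netns rw - nsfs nsfs rw
60 22 0:41 / /mnt/private rw - ext4 /dev/sdb1 rw`

// SharedMounts returns the mount points whose optional fields carry a
// "shared:<peer group>" tag: mounting or unmounting under such a point
// propagates to every peer, i.e. back into the host mount namespace.
func SharedMounts(mountinfo string) []string {
	var shared []string
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		// layout: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
		if len(f) < 7 {
			continue
		}
		for _, opt := range f[6:] {
			if opt == "-" {
				break // separator: no more optional fields on this line
			}
			if strings.HasPrefix(opt, "shared:") {
				shared = append(shared, f[4])
				break
			}
		}
	}
	return shared
}

// MakeTreePrivate recursively marks the whole tree private so nothing this
// process mounts or unmounts propagates to peers. Run it only inside a mount
// namespace the process owns (after unshare(CLONE_NEWNS)); it needs CAP_SYS_ADMIN there.
func MakeTreePrivate() error {
	return syscall.Mount("", "/", "", syscall.MS_PRIVATE|syscall.MS_REC, "")
}
```

Running SharedMounts over the real /proc/self/mountinfo before any netns setup is a cheap assertion that the private remount actually took effect.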
The IsRootless() check is dangerous in the sense that it may not do what
you think it does. It also returns true even when podman is run as root
and not in the podman userns but as part of a different userns. It could
be another container manager that configured the userns.
This results in us doing the rootless-netns logic even when we should
not need to. To fix this we now check for the
_CONTAINERS_USERNS_CONFIGURED env var to make sure we are not
re-exec'ed. This is what we actually care about.
This is a regression compared to podman 4.X: when the code was moved
into c/common, the IsRootless() check was changed to the c/storage
version, which has the userns special case.
Fixes containers/podman#22218
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We have little to no control over what happens to the slirp4netns/pasta
process after we started it. It could crash or get killed; then we end up
in a state where we think networking works when it doesn't.
To fix this, each time we access the rootless-netns we should also make
sure the program is still running; if it is not, try to recover by starting it
again. This ensures that we are much more fault tolerant.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When the netns program fails to configure the netns or we fail for any
other reason during the setup we must make sure to remove the netns
mount again. Without it the next command sees the existing mount and
thinks the netns was set up correctly but then later fails during the
custom resolv.conf mount because the resolv.conf source file was never
created.
For the future we should consider adding checks to ensure pasta/slirp4netns
is still running when we access the netns to make it more fault
tolerant.
The reason this is a common problem is that on boot pasta can likely
fail if it was started before the networking was fully configured (i.e.
no default route).
Fixes containers/podman#22168
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When adding a reference to a manifest list or image index, if we are
guessing that it's a reference to an image in a registry, check if we
can read something from that location instead of assuming it's correct,
and if we can't, check for a local image. This will let us use local
image IDs to refer to items that we want to add to a list or index.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Adds config to pass CDI spec directory, so that it can be overridden.
This enables rootless containers, since otherwise users have to write to
one of the shared, usually root-writable-only paths in /etc or /var.
Signed-off-by: Micah Chambers <micahc.vt@gmail.com>
Signed-off-by: Micah Chambers (minerva) <mchambers@anduril.com>
When adding items from one index into another, preserve the annotations
and URLs which are set in the descriptors in the source index.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a LoadReference() method, for when we already know what format the
local image should be treated as, and we don't have the patience for
Load()'s guessing at it.
Teach libimage.Runtime.copyFromDefault() about the docker transport.
It's already required at build-time because it's directly referenced
elsewhere in the same file.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Previously dlocate was only used for half of the process, not both.
Use the dlocatedb for both lookups, both package list and file list.
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
If there is a "slow" and a "quick" program (not missing),
do not look for the package again (if it is not there).
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
This linter creates better assertions in ginkgo tests.
Fixes were made with `ginkgolinter -fix ./...`.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
My plan is to directly use the result in podman on the Container struct;
this is shared with freebsd even though slirp4netns will never be used
there. Thus we can simply move the type definition to the file that is
shared to not cause build problems.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
For callers like podman we might have to exclude certain ips for the use
of host.containers.internal as they might conflict with the inside
container ip otherwise.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
For some cases it may be required to get a local ip while excluding a
certain ip. This will be used to set a better host.containers.internal
name for pasta networks, as it is likely that host eth0 ip == container
ip, so in this case we must use a different host ip.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This tells us if ipv6 is supported. And we should use the forward ips as
dns servers to make sure we can read localhost resolvers on the host.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
By default set 169.254.0.1 as nameserver in the container, right now we
do not do special dns handling which means if a user has only localhost
resolver or the same nameserver ip as the host ip used by pasta then dns
will most likely fail.
pasta allows us to remap one ipv4 for dns which will then automatically
get remapped to the host dns server from resolv.conf. For that we must
use --dns-forward. Now, the choice of which ip is arbitrary, but the
link-local address 169.254.0.1 is unlikely to be used, so it should avoid
conflicts.
Also return the ip in the result together with an ipv6 bool so that
podman can create a correct resolv.conf with that ip for the container.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Currently both callers in podman and buildah join and inspect the netns
to get the local ip configured by pasta in order to add it to
/etc/hosts. So instead of doing this in two places let's just do it here
once and return the result to the caller.
In order to not cause vendoring issues I decided against breaking the
API and added a new Setup2 function instead. I will then update
podman and buildah to make use of it.
Also I plan on adding more fields in the result, i.e. dns address.
Because this now depends on linux-only functionality, make sure to only
build it on linux; pasta only works on linux anyway, so this is not a
problem.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
So apparently go 1.21 introduced a new toolchain directive that
specifies the minimum version that go uses to build. Also the go
directive is now a hard requirement. We are not ready for this at all,
podman CI still uses f38 with go 1.20.
We need to figure out a proper way to deal with this; for now do not
merge any PRs that set toolchain or bump the go version to 1.21.
see https://go.dev/doc/toolchain
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This and the referenced openshift/release PR will make `prow` (via the
`tide` bot) block merges unless the success aggregation task is green.
This must be configured independently from branch-protection rules, which
tide does not / cannot manage due to write-only access.
Signed-off-by: Chris Evich <cevich@redhat.com>
These functions are currently used in Podman and CRI-O. Instead of CRI-O
including Podman files, let's move them to common.
Signed-off-by: Adrian Reber <areber@redhat.com>
As the title says. The third step in the vendor dance.
Bumps c/storage v1.53.0 and c/image to v5.30.0 all in
preparation of Podman v5.0
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Go 1.19 is EOL and likely no longer compiles new code, thus failing
all lint jobs that use go 1.20 or newer features.
To fix that, let's update to the latest stable version, go 1.22.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Adds a couple of new linters with many new warnings:
- perfsprint (fixed in code, excluded for tests)
- revive (fix the problems, disabled the dot import check as we use it
for ginkgo)
- inamedparam (disabled because it is opinionated)
- testifylint (great linter but we have like 1000+ issues that I have no
time fixing now)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>