... and add a deprecated alias so backward compatibility is still
preserved (and users can gradually switch to the new name).
Done because this is now also reported by the staticcheck linter
(in addition to revive).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
When a vlan is used there should be no bridge name conflict check. It is
totally valid to have the same bridge with different vlans in two
configs and that is the intended use case.
Fixes #2095
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Contains fixes for new linters, removed deprecated and removed linters
from the config.
Most notably, because we use go 1.22 now we can get rid of the copy for
loop vars [1]. Also as of go 1.22 we can use the new int range syntax
in for loops; the new intrange linter checks that.
[1] https://go.dev/blog/loopvar-preview
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
For some unknown reason the podman container image sets the
_CONTAINERS_USERNS_CONFIGURED env to an empty value. I don't know what
the purpose of this is but it will trigger the check here, which is wrong
when the container is privileged.
To fix this check that the value is set to done like it is by the reexec
logic. Also make sure the lock dir uses the same condition to stay
consistent.
Fixes containers/podman#22791
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When using the bridge network mode as rootless we use the rootless netns
logic; for podman this looks just like using bridge as root. The
issue is however that due to the extra namespace we block certain addresses there.
This can be seen best with pasta but actually affects other cases too.
The podman logic tries to use any host ip address for
host.containers.internal but we must make sure to exclude all these
addresses in the rootless netns as they are not actually the hostns and
thus cause great confusion.
For the --network pasta case I already fixed this by returning the ips on
the pasta.Setup2() call in 83573fa60c.
For the bridge mode this is more complicated due to several layers of function
calls. I decided to implement this as an extra function call on the interface
to return the ips as this makes the usage in podman the easiest. And I
also didn't want to break the API as we only have to fix this in podman
not buildah.
It is needed to address #22653 but it needs podman changes as well to
use this new function.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Skip or remove tests that need dnsname in order to function.
As of fedora 40 dnsname is no longer packaged so our CI VM cannot use
it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This linter creates better assertions in ginkgo tests.
Fixes were made with `ginkgolinter -fix ./...`.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
- add cni build tag to libnetwork/cni
- split libnetwork/network into multiple files so that cni support can be made
optionally available
- add -cni build targets to Makefile and build for amd64 with and without cni
- add a simple upgrade mechanism if the user never set the network backend explicitly
- add cni build tag to .golangci.yml to prevent false positives
See also https://issues.redhat.com/browse/RUN-1943
Signed-off-by: Dan Čermák <dcermak@suse.com>
Just pass down the full containers.conf as this is needed by
rootlessnetns code, also remove the now duplicated fields and read the
options directly from the config struct.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The old rootlessnetns logic overwrote PATH for the current process to
make sure /usr/sbin (where iptables is normally installed) is in $PATH.
Now instead of adding it for the current process we can just always set
it for the cni/iptables exec only.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
At this point we already read the config file but here we have to get
the timestamp, so we can hit another ENOENT if it was removed in the
meantime. Just ignore this and do not log an error as this is normal
behavior when another process is deleting a network in parallel.
Fixes containers/podman#20173
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
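The read-then-stat window described in this commit, as an added Go example that is not containers/common code: the config file is read, then stat'ed for its timestamp, and an ENOENT from either step (another process removing the network in parallel) is reported as "not found" instead of being logged as an error. The `statFile` variable and the `NetworkFile` type are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"time"
)

// statFile is os.Stat behind a variable so the deletion race can be simulated (hypothetical seam).
var statFile = os.Stat

// NetworkFile is one loaded config plus the mtime used to detect changes.
type NetworkFile struct {
	Content []byte
	ModTime time.Time
}

// loadNetworkFile reads a network config and then stats it for the
// timestamp. Either step may hit ENOENT when another process removes the
// network in between; that is normal, so it is reported as found=false
// rather than as an error worth logging.
func loadNetworkFile(path string) (nf *NetworkFile, found bool, err error) {
	content, err := os.ReadFile(path)
	if errors.Is(err, fs.ErrNotExist) {
		return nil, false, nil // gone before we read it
	}
	if err != nil {
		return nil, false, fmt.Errorf("reading network config %s: %w", path, err)
	}
	info, err := statFile(path)
	if errors.Is(err, fs.ErrNotExist) {
		return nil, false, nil // deleted between ReadFile and Stat
	}
	if err != nil {
		return nil, false, fmt.Errorf("stat network config %s: %w", path, err)
	}
	return &NetworkFile{Content: content, ModTime: info.ModTime()}, true, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "netcfg")
	defer os.RemoveAll(dir)
	path := dir + "/mynet.json" // constructed sample config
	_ = os.WriteFile(path, []byte(`{"name":"mynet"}`), 0o600)
	_ = os.Remove(path) // simulate a parallel network removal
	_, found, err := loadNetworkFile(path)
	fmt.Println(found, err) // false <nil>
}
```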
This allows us to use a single jail for containers with networking since
CNI can initialise the network without needing a separate jail to own
the network namespace.
Signed-off-by: Doug Rabson <dfr@rabson.org>
NetworkInfo() returns the network binary path, package version,
program version and DNS information.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
Commit 2fae6d9fd6 caused a regression: previously the lockfile
package created the config directory. Now this is no longer the case
so we have to create it explicitly.
Note that netavark already did this so no change is needed there.
This was reported by the RHEL QE team.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The default /etc/containers/networks location might not be writeable;
while this breaks podman network create, it does not need to break all
podman commands since the lock is created on libpod initialization.
ref https://github.com/containers/common/pull/1270
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
I want to switch podman over to only using strings for the netns path.
So we no longer pass this interface around. Buildah doesn't use this so
we only need to fix it in Podman. I have a WIP PR[1] for that.
[1] https://github.com/containers/podman/pull/16756
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
New features in netavark/aardvark allow users to update network dns
servers, and all the containers attached to those networks use the updated
resolvers.
The following PR adds support in `libnetwork` to:
* Add support for higher level `NetworkUpdate` API
* Add support for `Update` exec call which can invoke netavark with a
new update option added here: https://github.com/containers/netavark/pull/503
Signed-off-by: Aditya R <arajan@redhat.com>
When creating macvlan or ipvlan network configs with the none ipam
driver we would always cause a segfault because of a nil pointer
dereference.
Add a test for both to prevent a regression.
Fixes containers/podman#16620
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
For now, only add IgnoreIfExists flag.
Having this flag is very useful when using scripts or systemd unit files.
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
libnetwork must allow passing network_dns_servers so aardvark and
netavark can consume it and enable network scoped dns.
Feature implemented at the netavark and aardvark end:
* Netavark: https://github.com/containers/netavark/pull/497
Signed-off-by: Aditya R <arajan@redhat.com>
Used `go fmt` rules to migrate away from deprecated functions, for
instance `gofmt -w -s -r 'ioutil.TempDir(a, b) -> os.MkdirTemp(a, b)'`
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When the configuration directory is on a read-only filesystem,
there's no risk of concurrency issues as there's no possibility
of changing anything. As such, while it prevents the use of our
default lock location, it also removes any need for a lock at
all.
Making the lock entirely optional is a lot of code, so instead of
doing that let's just put it in our temporary files directory,
where it can't hurt anything.
Signed-off-by: Matthew Heon <mheon@redhat.com>
`github.com/pkg/errors` has been deprecated for quite some time so we now
use the native error wrapping for more idiomatic golang.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
unparam and exportloopref already work without changes.
For revive I had to silence many naming issues. I decided to silence them
instead of changing the name because I didn't want to break any code.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Those were added by commit 4fcb18dca, but are apparently no longer
needed.
Reported-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This removes the questionable Sys().(*syscall.Stat_t) typecast.
OTOH we have to handle EINTR, so it's a tad more complicated than it
should be.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
gofumpt is a stricter version of gofmt, basically making the code more
readable, and fixing gocritic's octalLiteral warnings like this one:
pkg/util/util_supported.go:26:17: octalLiteral: use new octal literal style, 0o722 (gocritic)
return (perm & 0722) == 0700
^
Generated by gofumpt -w .
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>