From 54ce5c6af179d451d1bd2e99d8dc1f3e1344ef60 Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Fri, 17 May 2024 11:32:20 +0200 Subject: [PATCH 1/2] vendor latest c/common main Includes a new libnetwork API to get the rootlessnetns ips. Signed-off-by: Paul Holzinger --- go.mod | 8 ++-- go.sum | 16 ++++---- .../containers/common/libnetwork/cni/run.go | 7 ++++ .../internal/rootlessnetns/netns_freebsd.go | 5 +++ .../internal/rootlessnetns/netns_linux.go | 35 +++++++++++++++++- .../common/libnetwork/netavark/run.go | 7 ++++ .../common/libnetwork/types/network.go | 10 +++++ .../containers/common/pkg/secrets/secrets.go | 11 +++--- .../stefanberger/go-pkcs11uri/.travis.yml | 4 +- .../stefanberger/go-pkcs11uri/pkcs11uri.go | 37 +++++++++++++++++-- vendor/modules.txt | 10 ++--- 11 files changed, 122 insertions(+), 28 deletions(-) diff --git a/go.mod b/go.mod index f2bfd1856e..f25d922d05 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( github.com/checkpoint-restore/go-criu/v7 v7.1.0 github.com/containernetworking/plugins v1.4.1 github.com/containers/buildah v1.35.1-0.20240510150258-77f239ae12e5 - github.com/containers/common v0.58.1-0.20240509172903-2c88a3f280bb + github.com/containers/common v0.58.1-0.20240517090124-fa276b325847 github.com/containers/conmon v2.0.20+incompatible github.com/containers/gvisor-tap-vsock v0.7.4-0.20240515153903-01a1a0cd3f70 github.com/containers/image/v5 v5.30.2-0.20240509191815-9318d0eaaf78 @@ -30,7 +30,7 @@ require ( github.com/cyphar/filepath-securejoin v0.2.5 github.com/digitalocean/go-qemu v0.0.0-20230711162256-2e3d0186973e github.com/docker/distribution v2.8.3+incompatible - github.com/docker/docker v26.1.2+incompatible + github.com/docker/docker v26.1.3+incompatible github.com/docker/go-connections v0.5.0 github.com/docker/go-plugins-helpers v0.0.0-20211224144127-6eecb7beb651 github.com/docker/go-units v0.5.0 
@@ -98,7 +98,7 @@ require ( github.com/chenzhuoyu/iasm v0.9.1 // indirect github.com/chzyer/readline v1.5.1 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect - github.com/containerd/containerd v1.7.16 // indirect + github.com/containerd/containerd v1.7.17 // indirect github.com/containerd/errdefs v0.1.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect @@ -194,7 +194,7 @@ require ( github.com/sigstore/rekor v1.3.6 // indirect github.com/sigstore/sigstore v1.8.3 // indirect github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect - github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect + github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 // indirect github.com/sylabs/sif/v2 v2.16.0 // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect diff --git a/go.sum b/go.sum index f5c60a412a..e4b1d34fa4 100644 --- a/go.sum +++ b/go.sum 
@@ -63,8 +63,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= -github.com/containerd/containerd v1.7.16 h1:7Zsfe8Fkj4Wi2My6DXGQ87hiqIrmOXolm72ZEkFU5Mg= -github.com/containerd/containerd v1.7.16/go.mod h1:NL49g7A/Fui7ccmxV6zkBWwqMgmMxFWzujYCc+JLt7k= +github.com/containerd/containerd v1.7.17 h1:KjNnn0+tAVQHAoaWRjmdak9WlvnFR/8rU1CHHy8Rm2A= +github.com/containerd/containerd v1.7.17/go.mod h1:vK+hhT4TIv2uejlcDlbVIc8+h/BqtKLIyNrtCZol8lI= github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5ZURM= github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= 
@@ -79,8 +79,8 @@ github.com/containernetworking/plugins v1.4.1 h1:+sJRRv8PKhLkXIl6tH1D7RMi+CbbHut github.com/containernetworking/plugins v1.4.1/go.mod h1:n6FFGKcaY4o2o5msgu/UImtoC+fpQXM3076VHfHbj60= github.com/containers/buildah v1.35.1-0.20240510150258-77f239ae12e5 h1:xtKtw/g2iDkirqSw6Dvvc2ZMPxBYhyN9xPdH81a7hO4= github.com/containers/buildah v1.35.1-0.20240510150258-77f239ae12e5/go.mod h1:ezOOMchy0Dcu/jKNNsTJbtxvOrhdogVkbG+UxkG77EY= -github.com/containers/common v0.58.1-0.20240509172903-2c88a3f280bb h1:mb5e8J/kErkytiM1J5hqdZENBJfSQyQ37Cgx0hinVYs= -github.com/containers/common v0.58.1-0.20240509172903-2c88a3f280bb/go.mod h1:SCOYkp6ul27v6WoNkbgvhAhhSEM6fYKl2My9/WuESdA= +github.com/containers/common v0.58.1-0.20240517090124-fa276b325847 h1:34cLMWNLLytr35gxiklxsKfjrbYIW/GArhTF7hakx2Q= +github.com/containers/common v0.58.1-0.20240517090124-fa276b325847/go.mod h1:9BdyHXC2fM6q+gqTVmnaf1tdGLnne0votxdPOTN3aY4= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/gvisor-tap-vsock v0.7.4-0.20240515153903-01a1a0cd3f70 h1:aACcXSIgcuPq5QdNZZ8B53BCdhqYvw33/8QmZWJATvg= 
@@ -136,8 +136,8 @@ github.com/docker/cli v26.1.2+incompatible h1:/MWZpUMMlr1hCGyquL8QNbL1hbivQ1kLuT github.com/docker/cli v26.1.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v26.1.2+incompatible h1:UVX5ZOrrfTGZZYEP+ZDq3Xn9PdHNXaSYMFPDumMqG2k= -github.com/docker/docker v26.1.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v26.1.3+incompatible h1:lLCzRbrVZrljpVNobJu1J2FHk8V0s4BawoZippkc+xo= +github.com/docker/docker v26.1.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo= github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= 
@@ -485,8 +485,8 @@ github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 h1:lIOOHPEbXzO3vnmx2gok1Tfs31Q8GQqKLc8vVqyQq/I= -github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8= +github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 h1:pnnLyeX7o/5aX8qUQ69P/mLojDqwda8hFOCBTmP/6hw= +github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6/go.mod h1:39R/xuhNgVhi+K0/zst4TLrJrVmbm6LVgl4A0+ZFS5M= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= diff --git a/vendor/github.com/containers/common/libnetwork/cni/run.go b/vendor/github.com/containers/common/libnetwork/cni/run.go index d8fb477591..337a27b8ef 100644 --- a/vendor/github.com/containers/common/libnetwork/cni/run.go +++ b/vendor/github.com/containers/common/libnetwork/cni/run.go @@ -295,3 +295,10 @@ func (n *cniNetwork) RunInRootlessNetns(toRun func() error) error { } return n.rootlessNetns.Run(n.lock, toRun) } + +func (n *cniNetwork) RootlessNetnsInfo() (*types.RootlessNetnsInfo, error) { + if n.rootlessNetns == nil { + return nil, types.ErrNotRootlessNetns + } + return n.rootlessNetns.Info(), nil +} diff --git a/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_freebsd.go b/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_freebsd.go index a176d2d822..27ef1f4c28 100644 
--- a/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_freebsd.go
+++ b/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_freebsd.go
@@ -3,6 +3,7 @@ package rootlessnetns
 import (
 	"errors"
+	"github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/storage/pkg/lockfile"
 )
@@ -26,3 +27,7 @@ func (n *Netns) Teardown(nets int, toRun func() error) error {
 func (n *Netns) Run(lock *lockfile.LockFile, toRun func() error) error {
 	return ErrNotSupported
 }
+
+func (n *Netns) Info() *types.RootlessNetnsInfo {
+	return &types.RootlessNetnsInfo{}
+}
diff --git a/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_linux.go b/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_linux.go
index 78fe8e3250..ffd65f1fbc 100644
--- a/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_linux.go
+++ b/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_linux.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"io/fs"
+	"net"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -13,6 +14,7 @@ import (
 	"github.com/containers/common/libnetwork/pasta"
 	"github.com/containers/common/libnetwork/resolvconf"
 	"github.com/containers/common/libnetwork/slirp4netns"
+	"github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/common/pkg/netns"
 	"github.com/containers/common/pkg/systemd"
@@ -51,6 +53,12 @@ type Netns struct {
 	// config contains containers.conf options.
 	config *config.Config
+
+	// ipAddresses used in the netns, this is needed to store
+	// the netns ips that are used by pasta. This is then handed
+	// back to the caller via IPAddresses() which then can make
+	// sure to not use them for host.containers.internal.
+	ipAddresses []net.IP
 }
 type rootlessNetnsError struct {
@@ -521,7 +529,24 @@ func (n *Netns) runInner(toRun func() error) (err error) {
 		if err := n.setupMounts(); err != nil {
 			return err
 		}
-		return toRun()
+		if err := toRun(); err != nil {
+			return err
+		}
+
+		// get the current active addresses in the netns, and store them
+		addrs, err := net.InterfaceAddrs()
+		if err != nil {
+			return err
+		}
+		ips := make([]net.IP, 0, len(addrs))
+		for _, addr := range addrs {
+			// make sure to skip localhost and other special addresses
+			if ipnet, ok := addr.(*net.IPNet); ok && ipnet.IP.IsGlobalUnicast() {
+				ips = append(ips, ipnet.IP)
+			}
+		}
+		n.ipAddresses = ips
+		return nil
 	})
 }
@@ -597,6 +622,14 @@ func (n *Netns) Run(lock *lockfile.LockFile, toRun func() error) error {
 	return inErr
 }
+// IPAddresses returns the currently used ip addresses in the netns
+// These should then not be assigned for the host.containers.internal entry.
+func (n *Netns) Info() *types.RootlessNetnsInfo {
+	return &types.RootlessNetnsInfo{
+		IPAddresses: n.ipAddresses,
+	}
+}
+
 func refCount(dir string, inc int) (int, error) {
 	file := filepath.Join(dir, refCountFile)
 	content, err := os.ReadFile(file)
diff --git a/vendor/github.com/containers/common/libnetwork/netavark/run.go b/vendor/github.com/containers/common/libnetwork/netavark/run.go
index 9a04120b59..3d121d64aa 100644
--- a/vendor/github.com/containers/common/libnetwork/netavark/run.go
+++ b/vendor/github.com/containers/common/libnetwork/netavark/run.go
@@ -187,3 +187,10 @@ func (n *netavarkNetwork) RunInRootlessNetns(toRun func() error) error {
 	}
 	return n.rootlessNetns.Run(n.lock, toRun)
 }
+
+func (n *netavarkNetwork) RootlessNetnsInfo() (*types.RootlessNetnsInfo, error) {
+	if n.rootlessNetns == nil {
+		return nil, types.ErrNotRootlessNetns
+	}
+	return n.rootlessNetns.Info(), nil
+}
diff --git a/vendor/github.com/containers/common/libnetwork/types/network.go b/vendor/github.com/containers/common/libnetwork/types/network.go
index 9e30975cb0..9741103f5b 100644
--- a/vendor/github.com/containers/common/libnetwork/types/network.go
+++ b/vendor/github.com/containers/common/libnetwork/types/network.go
@@ -31,6 +31,11 @@ type ContainerNetwork interface {
 	// Only used as rootless and should return an error as root.
 	RunInRootlessNetns(toRun func() error) error
+	// RootlessNetnsInfo return extra information about the rootless netns.
+	// Only valid when called after Setup().
+	// Only used as rootless and should return an error as root.
+	RootlessNetnsInfo() (*RootlessNetnsInfo, error)
+
 	// Drivers will return the list of supported network drivers
 	// for this interface.
 	Drivers() []string
@@ -334,6 +339,11 @@ type TeardownOptions struct {
 	NetworkOptions
 }
+type RootlessNetnsInfo struct {
+	// IPAddresses used in the netns, must not be used for host.containers.internal
+	IPAddresses []net.IP
+}
+
 // FilterFunc can be passed to NetworkList to filter the networks.
 type FilterFunc func(Network) bool
diff --git a/vendor/github.com/containers/common/pkg/secrets/secrets.go b/vendor/github.com/containers/common/pkg/secrets/secrets.go
index 8ffcc738bd..09a49ad40b 100644
--- a/vendor/github.com/containers/common/pkg/secrets/secrets.go
+++ b/vendor/github.com/containers/common/pkg/secrets/secrets.go
@@ -218,11 +218,12 @@ func (s *SecretsManager) Store(name string, data []byte, driverType string, opti
 	}
 	if options.Replace {
-		if err := driver.Delete(secr.ID); err != nil && !errors.Is(err, define.ErrNoSuchSecret) {
-			return "", fmt.Errorf("deleting secret %s: %w", secr.ID, err)
-		}
-
-		if err == nil {
+		err := driver.Delete(secr.ID)
+		if err != nil {
+			if !errors.Is(err, define.ErrNoSuchSecret) {
+				return "", fmt.Errorf("deleting driver secret %s: %w", secr.ID, err)
+			}
+		} else {
 			if err := s.delete(secr.ID); err != nil && !errors.Is(err, define.ErrNoSuchSecret) {
 				return "", fmt.Errorf("deleting secret %s: %w", secr.ID, err)
 			}
diff --git a/vendor/github.com/stefanberger/go-pkcs11uri/.travis.yml b/vendor/github.com/stefanberger/go-pkcs11uri/.travis.yml
index f5f274f96d..45c00cb9ce 100644
--- a/vendor/github.com/stefanberger/go-pkcs11uri/.travis.yml
+++ b/vendor/github.com/stefanberger/go-pkcs11uri/.travis.yml
@@ -5,7 +5,7 @@ os:
   - linux
 go:
-  - "1.13.x"
+  - "1.19.x"
 matrix:
   include:
@@ -17,7 +17,7 @@ addons:
       - softhsm2
 install:
-  - curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.30.0
+  - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.53.2
 script:
   - make
diff --git a/vendor/github.com/stefanberger/go-pkcs11uri/pkcs11uri.go b/vendor/github.com/stefanberger/go-pkcs11uri/pkcs11uri.go
index 39b06548ef..82c32e3c86 100644
--- a/vendor/github.com/stefanberger/go-pkcs11uri/pkcs11uri.go
+++ b/vendor/github.com/stefanberger/go-pkcs11uri/pkcs11uri.go
@@ -19,7 +19,6 @@ package pkcs11uri
 import (
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"net/url"
 	"os"
 	"path/filepath"
@@ -128,6 +127,12 @@ func (uri *Pkcs11URI) SetPathAttribute(name, value string) error {
 	return uri.setAttribute(uri.pathAttributes, name, value)
 }
+// SetPathAttributeUnencoded sets the value for a path attribute given as byte[].
+// The value must not have been pct-encoded already.
+func (uri *Pkcs11URI) SetPathAttributeUnencoded(name string, value []byte) {
+	uri.pathAttributes[name] = string(value)
+}
+
 // AddPathAttribute adds a path attribute; it returns an error if an attribute with the same
 // name already existed or if the given value cannot be pct-unescaped
 func (uri *Pkcs11URI) AddPathAttribute(name, value string) error {
@@ -137,6 +142,16 @@ func (uri *Pkcs11URI) AddPathAttribute(name, value string) error {
 	return uri.SetPathAttribute(name, value)
 }
+// AddPathAttributeUnencoded adds a path attribute given as byte[] which must not already be pct-encoded;
+// it returns an error if an attribute with the same name already existed
+func (uri *Pkcs11URI) AddPathAttributeUnencoded(name string, value []byte) error {
+	if _, ok := uri.pathAttributes[name]; ok {
+		return errors.New("duplicate path attribute")
+	}
+	uri.SetPathAttributeUnencoded(name, value)
+	return nil
+}
+
 // RemovePathAttribute removes a path attribute
 func (uri *Pkcs11URI) RemovePathAttribute(name string) {
 	delete(uri.pathAttributes, name)
@@ -173,6 +188,12 @@ func (uri *Pkcs11URI) SetQueryAttribute(name, value string) error {
 	return uri.setAttribute(uri.queryAttributes, name, value)
 }
+// SetQueryAttributeUnencoded sets the value for a quiery attribute given as byte[].
+// The value must not have been pct-encoded already.
+func (uri *Pkcs11URI) SetQueryAttributeUnencoded(name string, value []byte) {
+	uri.queryAttributes[name] = string(value)
+}
+
 // AddQueryAttribute adds a query attribute; it returns an error if an attribute with the same
 // name already existed or if the given value cannot be pct-unescaped
 func (uri *Pkcs11URI) AddQueryAttribute(name, value string) error {
@@ -182,6 +203,16 @@ func (uri *Pkcs11URI) AddQueryAttribute(name, value string) error {
 	return uri.SetQueryAttribute(name, value)
 }
+// AddQueryAttributeUnencoded adds a query attribute given as byte[] which must not already be pct-encoded;
+// it returns an error if an attribute with the same name already existed
+func (uri *Pkcs11URI) AddQueryAttributeUnencoded(name string, value []byte) error {
+	if _, ok := uri.queryAttributes[name]; ok {
+		return errors.New("duplicate query attribute")
+	}
+	uri.SetQueryAttributeUnencoded(name, value)
+	return nil
+}
+
 // RemoveQueryAttribute removes a path attribute
 func (uri *Pkcs11URI) RemoveQueryAttribute(name string) {
 	delete(uri.queryAttributes, name)
@@ -257,7 +288,7 @@ func (uri *Pkcs11URI) GetPIN() (string, error) {
 		if !filepath.IsAbs(pinuri.Path) {
 			return "", fmt.Errorf("PIN URI path '%s' is not absolute", pinuri.Path)
 		}
-		pin, err := ioutil.ReadFile(pinuri.Path)
+		pin, err := os.ReadFile(pinuri.Path)
 		if err != nil {
 			return "", fmt.Errorf("Could not open PIN file: %s", err)
 		}
@@ -426,7 +457,7 @@ func (uri *Pkcs11URI) GetModule() (string, error) {
 	moduleName = strings.ToLower(moduleName)
 	for _, dir := range searchdirs {
-		files, err := ioutil.ReadDir(dir)
+		files, err := os.ReadDir(dir)
 		if err != nil {
 			continue
 		}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 7014d0778d..07a9789ab7 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -107,7 +107,7 @@ github.com/chzyer/readline
 # github.com/containerd/cgroups/v3 v3.0.3
 ## explicit; go 1.18
 github.com/containerd/cgroups/v3/cgroup1/stats
-# github.com/containerd/containerd v1.7.16
+# github.com/containerd/containerd v1.7.17
 ## explicit; go 1.21
 github.com/containerd/containerd/errdefs
 github.com/containerd/containerd/log
@@ -171,7 +171,7 @@ github.com/containers/buildah/pkg/sshagent github.com/containers/buildah/pkg/util github.com/containers/buildah/pkg/volumes github.com/containers/buildah/util -# github.com/containers/common v0.58.1-0.20240509172903-2c88a3f280bb +# github.com/containers/common v0.58.1-0.20240517090124-fa276b325847 ## explicit; go 1.21 github.com/containers/common/internal github.com/containers/common/internal/attributedstring @@ -469,7 +469,7 @@ github.com/distribution/reference github.com/docker/distribution/registry/api/errcode github.com/docker/distribution/registry/api/v2 github.com/docker/distribution/registry/client/auth/challenge -# github.com/docker/docker v26.1.2+incompatible +# github.com/docker/docker v26.1.3+incompatible ## explicit github.com/docker/docker/api github.com/docker/docker/api/types @@ -1022,8 +1022,8 @@ github.com/spf13/cobra # github.com/spf13/pflag v1.0.5 ## explicit; go 1.12 github.com/spf13/pflag -# github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 -## explicit +# github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 +## explicit; go 1.19 github.com/stefanberger/go-pkcs11uri # github.com/stretchr/testify v1.9.0 ## explicit; go 1.17 From fb2ab832a7b99e48dabde99df4b212630788ce03 Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Fri, 17 May 2024 11:35:14 +0200 Subject: [PATCH 2/2] fix incorrect host.containers.internal entry for rootless bridge mode We have to exclude the ips in the rootless netns as they are not the host. Now that fix only works if there are more than one ip one the host available, if there is only one we do not set the entry at all which I consider better as failing to resolve this name is a much better error for users than connecting to a wrong ip. It also matches what --network pasta already does. The test is bit more compilcated as I would like, however it must deal with both cases one ip, more than one so there is no way around it I think. Fixes #22653 
Signed-off-by: Paul Holzinger
---
 libpod/container_internal_common.go | 9 +++++++++ test/system/505-networking-pasta.bats | 29 ++++++++++++++++++++++++++- 2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 78dd31b39c..d76dea2995 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -2299,6 +2299,15 @@ func (c *Container) addHosts() error {
 	var exclude []net.IP
 	if c.pastaResult != nil {
 		exclude = c.pastaResult.IPAddresses
+	} else if c.config.NetMode.IsBridge() {
+		// When running rootless we have to check the rootless netns ip addresses
+		// to not assign a ip that is already used in the rootless netns as it would
+		// not be routed to the host.
+		// https://github.com/containers/podman/issues/22653
+		info, err := c.runtime.network.RootlessNetnsInfo()
+		if err == nil {
+			exclude = info.IPAddresses
+		}
 	}
 	return etchosts.New(&etchosts.Params{
diff --git a/test/system/505-networking-pasta.bats b/test/system/505-networking-pasta.bats
index 9a96c61836..80282e1c42 100644
--- a/test/system/505-networking-pasta.bats
+++ b/test/system/505-networking-pasta.bats
@@ -778,7 +778,7 @@ EOF
     assert "$output" =~ "$mac2" "mac address from cli is set on custom interface"
 }
-### Rootless unshare testins
+### Rootless unshare testing
 @test "Podman unshare --rootless-netns with Pasta" {
     skip_if_remote "unshare is local-only"
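Review bot: The error from `c.runtime.network.RootlessNetnsInfo()` is dropped in the new `else if` branch, so any failure other than the expected root-mode `ErrNotRootlessNetns` (the vendored implementations return it when `rootlessNetns` is nil) silently leaves `exclude` empty and the entry can again be given an address that lives in the rootless netns, which is exactly the condition this commit fixes. I would separate the expected case from a real failure, e.g. `if err != nil { if !errors.Is(err, types.ErrNotRootlessNetns) { /* log at debug level with the file's logger */ } } else { exclude = info.IPAddresses }`, assuming the libnetwork `types` package is in scope here; at minimum a comment saying the error is ignored on purpose because the call returns `ErrNotRootlessNetns` as root. The vendored interface doc states the info is only valid after `Setup()`, and since `addHosts` starts and ends outside the hunk I cannot confirm the ordering from here, so a one-line comment recording that assumption would help the next reader.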
@@ -794,3 +794,30 @@ EOF
     run_podman unshare --rootless-netns ip addr
     is "$output" ".*${pasta_iface}.*"
 }
+
+# https://github.com/containers/podman/issues/22653
+@test "pasta/bridge and host.containers.internal" {
+    skip_if_no_ipv4 "IPv4 not routable on the host"
+    pasta_ip="$(default_addr 4)"
+
+    for network in "pasta" "bridge"; do
+        # special exit code logic needed here, it is possible that there is no host.containers.internal
+        # when there is only one ip one the host and that one is used by pasta.
+        # As such we have to deal with both cases.
+        run_podman '?' run --rm --network=$network $IMAGE grep host.containers.internal /etc/hosts
+        if [ "$status" -eq 0 ]; then
+            assert "$output" !~ "$pasta_ip" "pasta host ip must not be assigned ($network)"
+            assert "$(hostname -I)" =~ "$(cut -f1 <<<$output)" "ip is one of the host ips ($network)"
+        elif [ "$status" -eq 1 ]; then
+            # if only pasta ip then we cannot have a host.containers.internal entry
+            # make sure this fact is actually the case
+            assert "$pasta_ip" == "$(hostname -I | tr -d '[:space:]')" "pasta ip must the only one one the host ($network)"
+        else
+            die "unexpected exit code '$status' from grep or podman ($network)"
+        fi
+    done
+
+    host_ip=$(hostname -I | cut -f 1 -d " ")
+    run_podman run --rm --network=pasta:-a,169.254.0.2,-g,169.254.0.1,-n,24 $IMAGE grep host.containers.internal /etc/hosts
+    assert "$output" =~ "^$host_ip" "uses host first ip"
+}
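Review bot: The `=~` checks use raw addresses as regular expressions, so the unescaped dots and missing anchors let `assert "$(hostname -I)" =~ "$(cut -f1 <<<$output)"` pass when the entry is merely a prefix of a host address (10.0.0.1 matches inside 10.0.0.10), and the final `"^$host_ip"` has the same gap; `cut -f1` also assumes a tab separator in the /etc/hosts line, which the hunk does not show. Suggest taking the field with awk and matching the escaped address between separators: `entry_ip=$(awk '{print $1}' <<<"$output")`, `assert " $(hostname -I) " =~ " ${entry_ip//./\\.} " "ip is one of the host ips ($network)"`, and `assert "$output" =~ "^${host_ip//./\\.}[[:space:]]" "uses host first ip"`. The comments `one ip one the host` and `must the only one one the host` read as typos for `on the host` and `must be the only one on the host`.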