diff --git a/go.mod b/go.mod
index a13189f0..ee249170 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ toolchain go1.21.0
 require (
 github.com/containers/common v0.59.1
 github.com/containers/image/v5 v5.31.1
- github.com/containers/podman/v5 v5.1.1
+ github.com/containers/podman/v5 v5.1.2
 github.com/go-kit/log v0.2.1
 github.com/onsi/ginkgo/v2 v2.19.0
 github.com/onsi/gomega v1.33.1
diff --git a/go.sum b/go.sum
index bbf44859..3ec1feb9 100644
--- a/go.sum
+++ b/go.sum
@@ -76,8 +76,8 @@ github.com/containers/luksy v0.0.0-20240506205542-84b50f50f3ee h1:QU6XNrPcxyGejc
 github.com/containers/luksy v0.0.0-20240506205542-84b50f50f3ee/go.mod h1:cEhy3LVQzQqf/BHx0WS6CXmZp+RZZaUKmhQaFZ4NiiU=
 github.com/containers/ocicrypt v1.1.10 h1:r7UR6o8+lyhkEywetubUUgcKFjOWOaWz8cEBrCPX0ic=
 github.com/containers/ocicrypt v1.1.10/go.mod h1:YfzSSr06PTHQwSTUKqDSjish9BeW1E4HUmreluQcMd8=
-github.com/containers/podman/v5 v5.1.1 h1:Rm0BdJ2gyvf0atynwHsBdHX7NVmnHSAZnyQM6bMLDww=
-github.com/containers/podman/v5 v5.1.1/go.mod h1:AAzQ0cVMH8XymapWXCPbxBXah/oEn47dlT6hY4zFwtk=
+github.com/containers/podman/v5 v5.1.2 h1:m/X0AfY64ud5EC8Hhy4jP1HfQ2G9LOcBnprOR13uyPk=
+github.com/containers/podman/v5 v5.1.2/go.mod h1:HVlVjQbmFAFHRS9r8adDDuLmPS2uXCAeh2tibhV3lK0=
 github.com/containers/psgo v1.9.0 h1:eJ74jzSaCHnWt26OlKZROSyUyRcGDf+gYBdXnxrMW4g=
 github.com/containers/psgo v1.9.0/go.mod h1:0YoluUm43Mz2UnBIh1P+6V6NWcbpTL5uRtXyOcH0B5A=
 github.com/containers/storage v1.54.0 h1:xwYAlf6n9OnIlURQLLg3FYHbO74fQ/2W2N6EtQEUM4I=
diff --git a/vendor/github.com/containers/podman/v5/libpod/container_internal_common.go b/vendor/github.com/containers/podman/v5/libpod/container_internal_common.go
index 70f6f741..7364770d 100644
--- a/vendor/github.com/containers/podman/v5/libpod/container_internal_common.go
+++ b/vendor/github.com/containers/podman/v5/libpod/container_internal_common.go
@@ -1712,6 +1712,15 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti } } + // setup hosts/resolv.conf files + // Note this should normally be called after the container is created in the runtime but before it is started. + // However restore starts the container right away. This means that if we do the call afterwards there is a + // short interval where the file is still empty. Thus I decided to call it before which makes it not working + // with PostConfigureNetNS (userns) but as this does not work anyway today so I don't see it as problem. + if err := c.completeNetworkSetup(); err != nil { + return nil, 0, fmt.Errorf("complete network setup: %w", err) + } + runtimeRestoreDuration, err = c.ociRuntime.CreateContainer(c, &options) if err != nil { return nil, 0, err diff --git a/vendor/github.com/containers/podman/v5/libpod/container_top_linux.c b/vendor/github.com/containers/podman/v5/libpod/container_top_linux.c index a7192c54..0988a7a1 100644 --- a/vendor/github.com/containers/podman/v5/libpod/container_top_linux.c +++ b/vendor/github.com/containers/podman/v5/libpod/container_top_linux.c @@ -3,6 +3,8 @@ #define _GNU_SOURCE #include +#include +#include #include #include #include @@ -11,6 +13,7 @@ /* keep special_exit_code in sync with container_top_linux.go */ int special_exit_code = 255; +int join_userns = 0; char **argv = NULL; void @@ -33,6 +36,12 @@ set_argv (int pos, char *arg) argv[pos] = arg; } +void +set_userns () +{ + join_userns = 1; +} + /* We use cgo code here so we can fork then exec separately, this is done so we can mount proc after the fork because the pid namespace is 
@@ -64,6 +73,23 @@ fork_exec_ps () fprintf (stderr, "mount proc: %m"); exit (special_exit_code); } + if (join_userns) + { + // join the userns to make sure uid mapping match + // we are already part of the pidns so so pid 1 is the main container process + r = open ("/proc/1/ns/user", O_CLOEXEC | O_RDONLY); + if (r < 0) + { + fprintf (stderr, "open /proc/1/ns/user: %m"); + exit (special_exit_code); + } + if ((status = setns (r, CLONE_NEWUSER)) < 0) + { + fprintf (stderr, "setns NEWUSER: %m"); + exit (special_exit_code); + } + } + /* use execve to unset all env vars, we do not want to leak anything into the container */ execve (argv[0], argv, NULL); fprintf (stderr, "execve: %m"); diff --git a/vendor/github.com/containers/podman/v5/libpod/container_top_linux.go b/vendor/github.com/containers/podman/v5/libpod/container_top_linux.go index 7dff9731..0b85a5a7 100644 --- a/vendor/github.com/containers/podman/v5/libpod/container_top_linux.go +++ b/vendor/github.com/containers/podman/v5/libpod/container_top_linux.go @@ -31,6 +31,7 @@ import ( void fork_exec_ps(); void create_argv(int len); void set_argv(int pos, char *arg); +void set_userns(); */ import "C" @@ -56,13 +57,13 @@ func podmanTopMain() { os.Exit(0) } -// podmanTopInner os.Args = {command name} {pid} {psPath} [args...] +// podmanTopInner os.Args = {command name} {pid} {userns(1/0)} {psPath} [args...] // We are rexxec'd in a new mountns, then we need to set some security settings in order // to safely execute ps in the container pid namespace. Most notably make sure podman and // ps are read only to prevent a process from overwriting it. func podmanTopInner() error { - if len(os.Args) < 3 { - return fmt.Errorf("internal error, need at least two arguments") + if len(os.Args) < 4 { + return fmt.Errorf("internal error, need at least three arguments") } // We have to lock the thread as we a) switch namespace below and b) use PR_SET_PDEATHSIG 
@@ -84,7 +85,7 @@ func podmanTopInner() error { return fmt.Errorf("make / mount private: %w", err) } - psPath := os.Args[2] + psPath := os.Args[3] // try to mount everything read only if err := unix.MountSetattr(0, "/", unix.AT_RECURSIVE, &unix.MountAttr{ @@ -122,8 +123,13 @@ func podmanTopInner() error { } pidFD.Close() + userns := os.Args[2] + if userns == "1" { + C.set_userns() + } + args := []string{psPath} - args = append(args, os.Args[3:]...) + args = append(args, os.Args[4:]...) C.create_argv(C.int(len(args))) for i, arg := range args { @@ -317,7 +323,14 @@ func (c *Container) execPS(psArgs []string) ([]string, bool, error) { wPipe.Close() return nil, true, err } - args := append([]string{podmanTopCommand, strconv.Itoa(c.state.PID), psPath}, psArgs...) + + // see podmanTopInner() + userns := "0" + if len(c.config.IDMappings.UIDMap) > 0 { + userns = "1" + } + + args := append([]string{podmanTopCommand, strconv.Itoa(c.state.PID), userns, psPath}, psArgs...) cmd := reexec.Command(args...) cmd.SysProcAttr = &syscall.SysProcAttr{ diff --git a/vendor/github.com/containers/podman/v5/pkg/domain/entities/engine.go b/vendor/github.com/containers/podman/v5/pkg/domain/entities/engine.go index 1a2fcefd..5c169901 100644 --- a/vendor/github.com/containers/podman/v5/pkg/domain/entities/engine.go +++ b/vendor/github.com/containers/podman/v5/pkg/domain/entities/engine.go @@ -48,6 +48,7 @@ type PodmanConfig struct { Trace bool // Hidden: Trace execution URI string // URI to RESTful API Service FarmNodeName string // Name of farm node + ConnectionError error // Error when looking up the connection in setupRemoteConnection() Runroot string ImageStore string diff --git a/vendor/github.com/containers/podman/v5/pkg/specgenutil/specgen.go b/vendor/github.com/containers/podman/v5/pkg/specgenutil/specgen.go index 912193b4..c9dc0775 100644 --- a/vendor/github.com/containers/podman/v5/pkg/specgenutil/specgen.go +++ b/vendor/github.com/containers/podman/v5/pkg/specgenutil/specgen.go 
@@ -222,7 +222,8 @@ func setNamespaces(rtc *config.Config, s *specgen.SpecGenerator, c *entities.Con } } userns := c.UserNS - if userns == "" && c.Pod == "" { + // caller must make sure s.Pod is set before calling this function. + if userns == "" && s.Pod == "" { if ns, ok := os.LookupEnv("PODMAN_USERNS"); ok { userns = ns } else { @@ -388,6 +389,22 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions s.StartupHealthConfig.Successes = int(c.StartupHCSuccesses) } + if len(s.Pod) == 0 || len(c.Pod) > 0 { + s.Pod = c.Pod + } + + if len(c.PodIDFile) > 0 { + if len(s.Pod) > 0 { + return errors.New("cannot specify both --pod and --pod-id-file") + } + podID, err := ReadPodIDFile(c.PodIDFile) + if err != nil { + return err + } + s.Pod = podID + } + + // Important s.Pod must be set above here. if err := setNamespaces(rtc, s, c); err != nil { return err } @@ -408,21 +425,6 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions s.PublishExposedPorts = &c.PublishAll } - if len(s.Pod) == 0 || len(c.Pod) > 0 { - s.Pod = c.Pod - } - - if len(c.PodIDFile) > 0 { - if len(s.Pod) > 0 { - return errors.New("cannot specify both --pod and --pod-id-file") - } - podID, err := ReadPodIDFile(c.PodIDFile) - if err != nil { - return err - } - s.Pod = podID - } - expose, err := CreateExpose(c.Expose) if err != nil { return err diff --git a/vendor/github.com/containers/podman/v5/version/rawversion/version.go b/vendor/github.com/containers/podman/v5/version/rawversion/version.go index 9152f480..860e5bec 100644 --- a/vendor/github.com/containers/podman/v5/version/rawversion/version.go +++ b/vendor/github.com/containers/podman/v5/version/rawversion/version.go @@ -7,4 +7,4 @@ package rawversion // // NOTE: remember to bump the version at the top of the top-level README.md // file when this is bumped. -const RawVersion = "5.1.1" +const RawVersion = "5.1.2" diff --git a/vendor/modules.txt b/vendor/modules.txt index 93e2c49d..e8aa8599 100644 
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -298,7 +298,7 @@ github.com/containers/ocicrypt/keywrap/pkcs7
 github.com/containers/ocicrypt/spec
 github.com/containers/ocicrypt/utils
 github.com/containers/ocicrypt/utils/keyprovider
-# github.com/containers/podman/v5 v5.1.1
+# github.com/containers/podman/v5 v5.1.2
 ## explicit; go 1.21
 github.com/containers/podman/v5/cmd/podman/parse
 github.com/containers/podman/v5/cmd/podman/registry