Hello community,
here is the log from the commit of package podman for openSUSE:Factory checked in at 2020-05-01 11:07:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/podman (Old)
and /work/SRC/openSUSE:Factory/.podman.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "podman"
Fri May 1 11:07:25 2020 rev:62 rq:798807 version:1.9.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/podman/podman.changes 2020-04-18 00:29:08.237891652 +0200
+++ /work/SRC/openSUSE:Factory/.podman.new.2738/podman.changes 2020-05-01 11:07:40.031105511 +0200
@@ -1,0 +2,16 @@
+Wed Apr 29 06:34:51 UTC 2020 - Sascha Grunert
+
+- Update podman to v1.9.1:
+ * Bugfixes
+ - Fixed a bug where healthchecks could become nonfunctional if
+ container log paths were manually set with --log-path and
+ multiple container logs were placed in the same directory
+ - Fixed a bug where rootless Podman could, when using an older
+ libpod.conf, print numerous warning messages about an invalid
+ CGroup manager config
+ - Fixed a bug where rootless Podman would sometimes fail to
+ close the rootless user namespace when joining it
+ * Misc
+ - Updated containers/common to v0.8.2
+
+-------------------------------------------------------------------
@@ -5 +21 @@
-- Update podman to v1.8.2:
+- Update podman to v1.9.0:
Old:
----
podman-1.9.0.tar.xz
New:
----
podman-1.9.1.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ podman.spec ++++++
--- /var/tmp/diff_new_pack.OXIPZ6/_old 2020-05-01 11:07:43.075112131 +0200
+++ /var/tmp/diff_new_pack.OXIPZ6/_new 2020-05-01 11:07:43.075112131 +0200
@@ -22,7 +22,7 @@
%define with_libostree 1
%endif
Name: podman
-Version: 1.9.0
+Version: 1.9.1
Release: 0
Summary: Daemon-less container engine for managing containers, pods and images
License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.OXIPZ6/_old 2020-05-01 11:07:43.115112218 +0200
+++ /var/tmp/diff_new_pack.OXIPZ6/_new 2020-05-01 11:07:43.119112227 +0200
@@ -4,8 +4,8 @@
<param name="url">https://github.com/containers/libpod.git</param>
<param name="scm">git</param>
<param name="filename">podman</param>
-<param name="versionformat">1.9.0</param>
-<param name="revision">v1.9.0</param>
+<param name="versionformat">1.9.1</param>
+<param name="revision">v1.9.1</param>
</service>
<service name="set_version" mode="disabled">
++++++ podman-1.9.0.tar.xz -> podman-1.9.1.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/.cirrus.yml new/podman-1.9.1/.cirrus.yml
--- old/podman-1.9.0/.cirrus.yml 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/.cirrus.yml 2020-04-28 22:29:37.000000000 +0200
@@ -14,7 +14,7 @@
#### Global variables used for all tasks
####
# Name of the ultimate destination branch for this CI run, PR or post-merge.
- DEST_BRANCH: "master"
+ DEST_BRANCH: "v1.9"
# Overrides default location (/tmp/cirrus) for repo clone
GOPATH: "/var/tmp/go"
GOBIN: "${GOPATH}/bin"
@@ -106,7 +106,7 @@
# Note: Image has dual purpose, see contrib/gate/README.md
# The entrypoint.sh script ensures a prestine copy of $SRCPATH is
# available at $GOSRC before executing make instructions.
- image: "quay.io/libpod/gate:master"
+ image: "quay.io/libpod/gate:v1.9"
cpu: 8
memory: 12
@@ -234,7 +234,7 @@
# Runs within Cirrus's "community cluster"
container:
# Note: Image has dual purpose, see contrib/gate/README.md
- image: "quay.io/libpod/gate:master"
+ image: "quay.io/libpod/gate:v1.9"
cpu: 4
memory: 12
@@ -321,7 +321,7 @@
- "build_without_cgo"
container:
- image: "quay.io/libpod/imgts:master" # see contrib/imgts
+ image: "quay.io/libpod/imgts:v1.9" # see contrib/imgts
cpu: 1
memory: 1
@@ -346,32 +346,6 @@
script: '$CIRRUS_WORKING_DIR/$SCRIPT_BASE/update_meta.sh |& ${TIMESTAMP}'
-# Remove old and disused images based on labels set by meta_task
-image_prune_task:
-
- # This should ONLY ever run from the master branch, and never
- # anywhere else so it's behavior is always consistent, even
- # as new branches are created.
- only_if: $CIRRUS_BRANCH == "master"
-
- depends_on:
- - "meta"
-
- container:
- image: "quay.io/libpod/imgprune:master" # see contrib/imgprune
- cpu: 1
- memory: 1
-
- env:
- <<: *meta_env_vars
- GCPJSON: ENCRYPTED[4c11d8e09c904c30fc70eecb95c73dec0ddf19976f9b981a0f80f3f6599e8f990bcef93c253ac0277f200850d98528e7]
- GCPNAME: ENCRYPTED[7f54557ba6e5a437f11283a53e71baec9ca546f48a9835538cc54d297f79968eb1337d4596a1025b14f9d1c5723fbd29]
-
- timeout_in: 10m
-
- script: '/usr/local/bin/entrypoint.sh |& ${TIMESTAMP}'
-
-
# This task does the unit and integration testing for every platform
testing_task:
alias: "testing"
@@ -766,7 +740,6 @@
- "build_each_commit"
- "build_without_cgo"
- "meta"
- - "image_prune"
- "testing"
- "rpmbuild"
- "special_testing_rootless"
@@ -785,7 +758,7 @@
container:
# Note: Image has dual purpose, see contrib/gate/README.md
- image: "quay.io/libpod/gate:master"
+ image: "quay.io/libpod/gate:v1.9"
cpu: 1
memory: 1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/RELEASE_NOTES.md new/podman-1.9.1/RELEASE_NOTES.md
--- old/podman-1.9.0/RELEASE_NOTES.md 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/RELEASE_NOTES.md 2020-04-28 22:29:37.000000000 +0200
@@ -1,5 +1,14 @@
# Release Notes
+## 1.9.1
+### Bugfixes
+- Fixed a bug where healthchecks could become nonfunctional if container log paths were manually set with `--log-path` and multiple container logs were placed in the same directory ([#5915](https://github.com/containers/libpod/issues/5915))
+- Fixed a bug where rootless Podman could, when using an older `libpod.conf`, print numerous warning messages about an invalid CGroup manager config
+- Fixed a bug where rootless Podman would sometimes fail to close the rootless user namespace when joining it ([#5873](https://github.com/containers/libpod/issues/5873))
+
+### Misc
+- Updated containers/common to v0.8.2
+
## 1.9.0
### Features
- Experimental support has been added for `podman run --userns=auto`, which automatically allocates a unique UID and GID range for the new container's user namespace
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/changelog.txt new/podman-1.9.1/changelog.txt
--- old/podman-1.9.0/changelog.txt 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/changelog.txt 2020-04-28 22:29:37.000000000 +0200
@@ -1,3 +1,15 @@
+- Changelog for v1.9.1 (2020-04-28):
+ * Update release notes for v1.9.1
+ * separate healthcheck and container log paths
+ * Update vendor to containers/common v0.8.2
+ * rootless: move join namespace inside child process
+ * rootless: skip looking up parent user ns
+ * Don't check configuration until user input is applied
+ * Move selinux labeling support from pkg/util to pkg/selinux
+ * Cirrus: Necessary changes for v1.9 branch automation
+ * Cirrus: Fix gate container build failure
+ * logformat: handle apiv2 results, add anchor links
+
- Changelog for v1.9.0 (2020-04-15)
* podmanV2: fix nil deref
* v2specgen prune libpod
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/cmd/podman/cliconfig/config.go new/podman-1.9.1/cmd/podman/cliconfig/config.go
--- old/podman-1.9.0/cmd/podman/cliconfig/config.go 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/cmd/podman/cliconfig/config.go 2020-04-28 22:29:37.000000000 +0200
@@ -708,7 +708,6 @@
func GetDefaultConfig() *config.Config {
var err error
conf, err := config.NewConfig("")
- conf.CheckCgroupsAndAdjustConfig()
if err != nil {
logrus.Errorf("Error loading container config %v\n", err)
os.Exit(1)
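Review bot: `var err error` at L190 is now a leftover: the next line `conf, err := config.NewConfig("")` uses `:=` and would declare `err` on its own, so the separate `var` only invites a reader to look for another assignment that no longer exists. Drop L190 so the hunk reads `conf, err := config.NewConfig("")` immediately followed by the `err != nil` check. GetDefaultConfig continues past the hunk; since `:=` declares `err` in the same function scope, later uses of `err` are unaffected.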
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/cmd/podman/main.go new/podman-1.9.1/cmd/podman/main.go
--- old/podman-1.9.0/cmd/podman/main.go 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/cmd/podman/main.go 2020-04-28 22:29:37.000000000 +0200
@@ -126,6 +126,9 @@
return err
}
+ defaultContainerConfig.Engine.CgroupManager = MainGlobalOpts.CGroupManager
+ defaultContainerConfig.CheckCgroupsAndAdjustConfig()
+
if err := setupRootless(cmd, args); err != nil {
return err
}
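Review bot: `defaultContainerConfig.Engine.CgroupManager` is overwritten unconditionally with `MainGlobalOpts.CGroupManager` at L202 before `CheckCgroupsAndAdjustConfig()` runs at L203; if the `--cgroup-manager` flag's default is not seeded from the loaded config (the flag definition is outside this hunk), an unset flag replaces the configured manager with the empty string and the check then validates that. Guarding the assignment, `if MainGlobalOpts.CGroupManager != "" { defaultContainerConfig.Engine.CgroupManager = MainGlobalOpts.CGroupManager }`, keeps the configured value when the user passed nothing. If the flag default already comes from the config, a one-line comment saying so above L202 would settle the question for the next reader. The enclosing function starts and ends outside the hunk.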
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/cmd/podman/shared/create.go new/podman-1.9.1/cmd/podman/shared/create.go
--- old/podman-1.9.0/cmd/podman/shared/create.go 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/cmd/podman/shared/create.go 2020-04-28 22:29:37.000000000 +0200
@@ -376,6 +376,10 @@
}
}
+ usernsType := c.String("userns")
+ if !c.IsSet("userns") && !idmappings.HostUIDMapping {
+ usernsType = "private"
+ }
// Kernel Namespaces
// TODO Fix handling of namespace from pod
// Instead of integrating here, should be done in libpod
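Review bot: The derived `usernsType` at L214-L217 consults only `idmappings.HostUIDMapping` to decide that a private user namespace is required; if the ID-mapping parser can clear `HostGIDMapping` while leaving `HostUIDMapping` set (a GID-only mapping), the mapping would likely be ignored because `user` keeps the flag's default. If the parser always clears both together, a comment stating that keeps the next reader from chasing it: `// --userns not given but an explicit ID mapping was: a private user namespace is needed for the mapping to apply.`; otherwise extend the condition to `!idmappings.HostUIDMapping || !idmappings.HostGIDMapping`. The value is consumed in the next hunk at L226; the enclosing function starts and ends outside both hunks.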
@@ -386,7 +390,7 @@
"pid": c.String("pid"),
"net": c.String("network"),
"ipc": c.String("ipc"),
- "user": c.String("userns"),
+ "user": usernsType,
"uts": c.String("uts"),
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/contrib/cirrus/lib.sh new/podman-1.9.1/contrib/cirrus/lib.sh
--- old/podman-1.9.0/contrib/cirrus/lib.sh 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/contrib/cirrus/lib.sh 2020-04-28 22:29:37.000000000 +0200
@@ -50,7 +50,7 @@
# Defaults when not running under CI
export CI="${CI:-false}"
CIRRUS_CI="${CIRRUS_CI:-false}"
-DEST_BRANCH="${DEST_BRANCH:-master}"
+DEST_BRANCH="${DEST_BRANCH:-v1.9}"
CONTINUOUS_INTEGRATION="${CONTINUOUS_INTEGRATION:-false}"
CIRRUS_REPO_NAME=${CIRRUS_REPO_NAME:-libpod}
CIRRUS_BASE_SHA=${CIRRUS_BASE_SHA:-unknown$(date +%s)} # difficult to reliably discover
@@ -71,7 +71,7 @@
# IN_PODMAN container image
IN_PODMAN_IMAGE="quay.io/libpod/in_podman:$DEST_BRANCH"
# Image for uploading releases
-UPLDREL_IMAGE="quay.io/libpod/upldrel:master"
+UPLDREL_IMAGE="quay.io/libpod/upldrel:v1.9"
# Avoid getting stuck waiting for user input
export DEBIAN_FRONTEND="noninteractive"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/contrib/cirrus/logformatter new/podman-1.9.1/contrib/cirrus/logformatter
--- old/podman-1.9.0/contrib/cirrus/logformatter 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/contrib/cirrus/logformatter 2020-04-28 22:29:37.000000000 +0200
@@ -220,8 +220,8 @@
$cirrus_task = $1;
}
- # BATS handling
- if ($line =~ /^1\.\.\d+$/) {
+ # BATS handling (used also for apiv2 tests, which emit TAP output)
+ if ($line =~ /^1\.\.\d+$/ || $line =~ m!/test-apiv2!) {
$looks_like_bats = 1;
}
if ($looks_like_bats) {
@@ -234,6 +234,10 @@
elsif ($line =~ /^#\s/) { $css = 'log' }
if ($css) {
+ # Make it linkable, e.g. foo.html#t--00001
+ if ($line =~ /^(not\s+)?ok\s+(\d+)/) {
+ $line = sprintf("<a name='t--%05d'>%s</a>", $2, $line);
+ }
$line = "<span class='bats-$css'>$line</span>";
}
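Review bot: The anchor added at L267 interpolates `$line` into HTML via `sprintf` without escaping, the same way the existing `<span>` wrapper at L269 does; if `$line` is HTML-escaped earlier in this loop (the loop starts outside the hunk) this is fine, otherwise a test name containing `<` or `&` breaks the generated markup, so a short comment naming where escaping happens would help. Separately, `name=` on `<a>` is obsolete in HTML5 and `id=` is the fragment target current browsers use: `$line = sprintf("<a id='t--%05d'>%s</a>", $2, $line);`.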
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/contrib/gate/Dockerfile new/podman-1.9.1/contrib/gate/Dockerfile
--- old/podman-1.9.0/contrib/gate/Dockerfile 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/contrib/gate/Dockerfile 2020-04-28 22:29:37.000000000 +0200
@@ -21,6 +21,7 @@
procps-ng \
python \
python3-dateutil \
+ python3-pip \
python3-psutil \
python3-pytoml \
python3-pyyaml \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/go.mod new/podman-1.9.1/go.mod
--- old/podman-1.9.0/go.mod 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/go.mod 2020-04-28 22:29:37.000000000 +0200
@@ -10,7 +10,7 @@
github.com/containernetworking/cni v0.7.2-0.20200304161608-4fae32b84921
github.com/containernetworking/plugins v0.8.5
github.com/containers/buildah v1.14.8
- github.com/containers/common v0.8.1
+ github.com/containers/common v0.8.2
github.com/containers/conmon v2.0.14+incompatible
github.com/containers/image/v5 v5.4.3
github.com/containers/psgo v1.4.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/go.sum new/podman-1.9.1/go.sum
--- old/podman-1.9.0/go.sum 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/go.sum 2020-04-28 22:29:37.000000000 +0200
@@ -67,6 +67,8 @@
github.com/containers/buildah v1.14.8/go.mod h1:ytEjHJQnRXC1ygXMyc0FqYkjcoCydqBQkOdxbH563QU=
github.com/containers/common v0.8.1 h1:1IUwAtZ4mC7GYRr4AC23cHf2oXCuoLzTUoSzIkSgnYw=
github.com/containers/common v0.8.1/go.mod h1:VxDJbaA1k6N1TNv9Rt6bQEF4hyKVHNfOfGA5L91ADEs=
+github.com/containers/common v0.8.2 h1:TzbHcY1C6xAcZyPk0UJLAKVpW77AUkw5DWoApWB8Ge8=
+github.com/containers/common v0.8.2/go.mod h1:VxDJbaA1k6N1TNv9Rt6bQEF4hyKVHNfOfGA5L91ADEs=
github.com/containers/conmon v2.0.14+incompatible h1:knU1O1QxXy5YxtjMQVKEyCajROaehizK9FHaICl+P5Y=
github.com/containers/conmon v2.0.14+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
github.com/containers/image/v5 v5.4.3 h1:zn2HR7uu4hpvT5QQHgjqonOzKDuM1I1UHUEmzZT5sbs=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/libpod/healthcheck.go new/podman-1.9.1/libpod/healthcheck.go
--- old/podman-1.9.0/libpod/healthcheck.go 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/libpod/healthcheck.go 2020-04-28 22:29:37.000000000 +0200
@@ -238,7 +238,7 @@
// HealthCheckLogPath returns the path for where the health check log is
func (c *Container) healthCheckLogPath() string {
- return filepath.Join(filepath.Dir(c.LogPath()), "healthcheck.log")
+ return filepath.Join(filepath.Dir(c.state.RunDir), "healthcheck.log")
}
// GetHealthCheckLog returns HealthCheck results by reading the container's
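Review bot: The new path at L313 is built from `filepath.Dir(c.state.RunDir)`, the parent of the container's run directory, so the fix relies on that parent being per-container; if RunDir is ever itself the per-container directory with a shared parent, the collision this commit fixes returns. If nothing requires the file to live one level up, `filepath.Join(c.state.RunDir, "healthcheck.log")` removes the assumption; otherwise state it at the call site, e.g. `// RunDir's parent is per-container; the log must not live beside the container log, whose directory callers may share via --log-path.` The doc comment at L310 also names `HealthCheckLogPath` while the function is `healthCheckLogPath`; doc comments should start with the identifier they describe.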
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/libpod/runtime.go new/podman-1.9.1/libpod/runtime.go
--- old/podman-1.9.0/libpod/runtime.go 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/libpod/runtime.go 2020-04-28 22:29:37.000000000 +0200
@@ -131,8 +131,9 @@
if err != nil {
return nil, err
}
+ runtime, err = newRuntimeFromConfig(ctx, conf, options...)
conf.CheckCgroupsAndAdjustConfig()
- return newRuntimeFromConfig(ctx, conf, options...)
+ return runtime, err
}
// NewRuntimeFromConfig creates a new container runtime using the given
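Review bot: `conf.CheckCgroupsAndAdjustConfig()` at L324 now runs after `newRuntimeFromConfig` has already consumed `conf` on L323, and it runs even when that call returned an error. Whether the runtime observes the adjusted values depends on whether it kept the `*Config` pointer rather than copying fields, which is outside the hunk, so a comment at the call site saying which it is would justify the ordering. Independently, bail out before the check so a nil runtime is never paired with a late config adjustment: insert `if err != nil { return nil, err }` between L323 and L324 and make L326 `return runtime, nil`.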
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/pkg/rootless/rootless_linux.c new/podman-1.9.1/pkg/rootless/rootless_linux.c
--- old/podman-1.9.0/pkg/rootless/rootless_linux.c 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/pkg/rootless/rootless_linux.c 2020-04-28 22:29:37.000000000 +0200
@@ -535,8 +535,36 @@
}
}
+static void
+join_namespace_or_die (int pid_to_join, const char *ns_file)
+{
+ char ns_path[PATH_MAX];
+ int ret;
+ int fd;
+
+ ret = snprintf (ns_path, PATH_MAX, "/proc/%d/ns/%s", pid_to_join, ns_file);
+ if (ret == PATH_MAX)
+ {
+ fprintf (stderr, "internal error: namespace path too long\n");
+ _exit (EXIT_FAILURE);
+ }
+
+ fd = open (ns_path, O_CLOEXEC | O_RDONLY);
+ if (fd < 0)
+ {
+ fprintf (stderr, "cannot open: %s\n", ns_path);
+ _exit (EXIT_FAILURE);
+ }
+ if (setns (fd, 0) < 0)
+ {
+ fprintf (stderr, "cannot set namespace to %s: %s\n", ns_path, strerror (errno));
+ _exit (EXIT_FAILURE);
+ }
+ close (fd);
+}
+
int
-reexec_userns_join (int userns, int mountns, char *pause_pid_file_path)
+reexec_userns_join (int pid_to_join, char *pause_pid_file_path)
{
char uid[16];
char gid[16];
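Review bot: The truncation check at L343 is wrong for `snprintf`: it returns the length the untruncated string would have had, so an over-long path yields `ret >= PATH_MAX` (not only exactly `PATH_MAX`) and an encoding error yields a negative value; `ret == PATH_MAX` misses both. Use `if (ret < 0 || ret >= PATH_MAX)`. The `open` failure message at L352 also omits `strerror (errno)` while the `setns` message at L357 includes it; `fprintf (stderr, "cannot open %s: %s\n", ns_path, strerror (errno));` makes the two failure paths diagnosable the same way. reexec_userns_join, whose new signature begins at L365, continues past the hunk.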
@@ -606,19 +634,8 @@
_exit (EXIT_FAILURE);
}
- if (setns (userns, 0) < 0)
- {
- fprintf (stderr, "cannot setns: %s\n", strerror (errno));
- _exit (EXIT_FAILURE);
- }
- close (userns);
-
- if (mountns >= 0 && setns (mountns, 0) < 0)
- {
- fprintf (stderr, "cannot setns: %s\n", strerror (errno));
- _exit (EXIT_FAILURE);
- }
- close (mountns);
+ join_namespace_or_die (pid_to_join, "user");
+ join_namespace_or_die (pid_to_join, "mnt");
if (syscall_setresgid (0, 0, 0) < 0)
{
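Review bot: The two `join_namespace_or_die` calls at L385-L386 resolve `/proc/<pid_to_join>/ns/{user,mnt}` by PID at join time, whereas the removed code received descriptors the caller had already opened, which pinned the namespace identity before the re-exec. If `pid_to_join` is recycled between the caller's lookup and the `open` inside the helper, the child would enter an unrelated process's namespaces; whether the caller keeps the target alive across that window is outside the hunk. If it does, say so at the call site, e.g. `/* pid_to_join is resolved here rather than pinned by the caller: the target process must outlive this join. */`; if it does not, passing an already-opened namespace fd (or a pidfd) would close the window. reexec_userns_join starts in the previous hunk and ends outside this one.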
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/pkg/rootless/rootless_linux.go new/podman-1.9.1/pkg/rootless/rootless_linux.go
--- old/podman-1.9.0/pkg/rootless/rootless_linux.go 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/pkg/rootless/rootless_linux.go 2020-04-28 22:29:37.000000000 +0200
@@ -31,7 +31,7 @@
extern uid_t rootless_gid();
extern int reexec_in_user_namespace(int ready, char *pause_pid_file_path, char *file_to_read, int fd);
extern int reexec_in_user_namespace_wait(int pid, int options);
-extern int reexec_userns_join(int userns, int mountns, char *pause_pid_file_path);
+extern int reexec_userns_join(int pid, char *pause_pid_file_path);
*/
import "C"
@@ -124,91 +124,6 @@
return nil
}
-func readUserNs(path string) (string, error) {
- b := make([]byte, 256)
- _, err := unix.Readlink(path, b)
- if err != nil {
- return "", err
- }
- return string(b), nil
-}
-
-func readUserNsFd(fd uintptr) (string, error) {
- return readUserNs(fmt.Sprintf("/proc/self/fd/%d", fd))
-}
-
-func getParentUserNs(fd uintptr) (uintptr, error) {
- const nsGetParent = 0xb702
- ret, _, errno := unix.Syscall(unix.SYS_IOCTL, fd, uintptr(nsGetParent), 0)
- if errno != 0 {
- return 0, errno
- }
- return (uintptr)(unsafe.Pointer(ret)), nil
-}
-
-// getUserNSFirstChild returns an open FD for the first direct child user namespace that created the process
-// Each container creates a new user namespace where the runtime runs. The current process in the container
-// might have created new user namespaces that are child of the initial namespace we created.
-// This function finds the initial namespace created for the container that is a child of the current namespace.
-//
-// current ns
-// / \
-// TARGET -> a [other containers]
-// /
-// b
-// /
-// NS READ USING THE PID -> c
-func getUserNSFirstChild(fd uintptr) (*os.File, error) {
- currentNS, err := readUserNs("/proc/self/ns/user")
- if err != nil {
- return nil, err
- }
-
- ns, err := readUserNsFd(fd)
- if err != nil {
- return nil, errors.Wrapf(err, "cannot read user namespace")
- }
- if ns == currentNS {
- return nil, errors.New("process running in the same user namespace")
- }
-
- for {
- nextFd, err := getParentUserNs(fd)
- if err != nil {
- if err == unix.ENOTTY {
- return os.NewFile(fd, "userns child"), nil
- }
- return nil, errors.Wrapf(err, "cannot get parent user namespace")
- }
-
- ns, err = readUserNsFd(nextFd)
- if err != nil {
- return nil, errors.Wrapf(err, "cannot read user namespace")
- }
-
- if ns == currentNS {
- if err := unix.Close(int(nextFd)); err != nil {
- return nil, err
- }
-
- // Drop O_CLOEXEC for the fd.
- _, _, errno := unix.Syscall(unix.SYS_FCNTL, fd, unix.F_SETFD, 0)
- if errno != 0 {
- if err := unix.Close(int(fd)); err != nil {
- logrus.Errorf("failed to close file descriptor %d", fd)
- }
- return nil, errno
- }
-
- return os.NewFile(fd, "userns child"), nil
- }
- if err := unix.Close(int(fd)); err != nil {
- return nil, err
- }
- fd = nextFd
- }
-}
-
// joinUserAndMountNS re-exec podman in a new userNS and join the user and mount
// namespace of the specified PID without looking up its parent. Useful to join directly
// the conmon process.
@@ -220,31 +135,7 @@
cPausePid := C.CString(pausePid)
defer C.free(unsafe.Pointer(cPausePid))
- userNS, err := os.Open(fmt.Sprintf("/proc/%d/ns/user", pid))
- if err != nil {
- return false, -1, err
- }
- defer func() {
- if err := userNS.Close(); err != nil {
- logrus.Errorf("unable to close namespace: %q", err)
- }
- }()
-
- mountNS, err := os.Open(fmt.Sprintf("/proc/%d/ns/mnt", pid))
- if err != nil {
- return false, -1, err
- }
- defer func() {
- if err := mountNS.Close(); err != nil {
- logrus.Errorf("unable to close namespace: %q", err)
- }
- }()
-
- fd, err := getUserNSFirstChild(userNS.Fd())
- if err != nil {
- return false, -1, err
- }
- pidC := C.reexec_userns_join(C.int(fd.Fd()), C.int(mountNS.Fd()), cPausePid)
+ pidC := C.reexec_userns_join(C.int(pid), cPausePid)
if int(pidC) < 0 {
return false, -1, errors.Errorf("cannot re-exec process")
}
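Review bot: With the Go-side checks removed, every failure of the join (unreadable `/proc/<pid>/ns/*`, a pid that has exited, `setns` rejected) now ends in the C child's `_exit`, and the caller only gets the fixed message at L521, which no longer mentions which pid was targeted. Include it so the Go error can be correlated with the stderr the child wrote: `return false, -1, errors.Errorf("cannot re-exec process to join the user and mount namespaces of pid %d", pid)`. joinUserAndMountNS starts outside the hunk.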
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/pkg/selinux/selinux.go new/podman-1.9.1/pkg/selinux/selinux.go
--- old/podman-1.9.0/pkg/selinux/selinux.go 1970-01-01 01:00:00.000000000 +0100
+++ new/podman-1.9.1/pkg/selinux/selinux.go 2020-04-28 22:29:37.000000000 +0200
@@ -0,0 +1,40 @@
+package util
+
+import (
+ "github.com/opencontainers/selinux/go-selinux"
+)
+
+// SELinuxKVMLabel returns labels for running kvm isolated containers
+func SELinuxKVMLabel(cLabel string) (string, error) {
+ if cLabel == "" {
+ // selinux is disabled
+ return "", nil
+ }
+ processLabel, _ := selinux.KVMContainerLabels()
+ selinux.ReleaseLabel(processLabel)
+ return swapSELinuxLabel(cLabel, processLabel)
+}
+
+// SELinuxInitLabel returns labels for running systemd based containers
+func SELinuxInitLabel(cLabel string) (string, error) {
+ if cLabel == "" {
+ // selinux is disabled
+ return "", nil
+ }
+ processLabel, _ := selinux.InitContainerLabels()
+ selinux.ReleaseLabel(processLabel)
+ return swapSELinuxLabel(cLabel, processLabel)
+}
+
+func swapSELinuxLabel(cLabel, processLabel string) (string, error) {
+ dcon, err := selinux.NewContext(cLabel)
+ if err != nil {
+ return "", err
+ }
+ scon, err := selinux.NewContext(processLabel)
+ if err != nil {
+ return "", err
+ }
+ dcon["type"] = scon["type"]
+ return dcon.Get(), nil
+}
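Review bot: The new file lives in `pkg/selinux` but declares `package util` at L527, so importers of this path get an identifier that does not match the directory and the old location's name leaks into the new one. Go convention is package name equals directory name; since the natural name `selinux` collides with the imported `go-selinux` package, alias the import (`goselinux "github.com/opencontainers/selinux/go-selinux"`) and declare `package selinux`, updating the call sites accordingly. The doc comments at L533 and L544 also say "returns labels" while each function returns a single label string; `// SELinuxKVMLabel returns the label for running a kvm-isolated container, derived from cLabel.` reads more accurately.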
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/test/apiv2/test-apiv2 new/podman-1.9.1/test/apiv2/test-apiv2
--- old/podman-1.9.0/test/apiv2/test-apiv2 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/test/apiv2/test-apiv2 2020-04-28 22:29:37.000000000 +0200
@@ -355,7 +355,7 @@
if [ -n "$service_pid" ]; then
kill $service_pid
- wait -f $service_pid
+ wait $service_pid
fi
test_count=$(<$testcounter_file)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/vendor/github.com/containers/common/pkg/config/containers.conf new/podman-1.9.1/vendor/github.com/containers/common/pkg/config/containers.conf
--- old/podman-1.9.0/vendor/github.com/containers/common/pkg/config/containers.conf 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/vendor/github.com/containers/common/pkg/config/containers.conf 2020-04-28 22:29:37.000000000 +0200
@@ -376,6 +376,8 @@
# "/usr/local/sbin/kata-runtime",
# "/sbin/kata-runtime",
# "/bin/kata-runtime",
+# "/usr/bin/kata-qemu",
+# "/usr/bin/kata-fc",
# ]
# Number of seconds to wait for container to exit before sending kill signal.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/vendor/github.com/containers/common/pkg/config/default.go new/podman-1.9.1/vendor/github.com/containers/common/pkg/config/default.go
--- old/podman-1.9.0/vendor/github.com/containers/common/pkg/config/default.go 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/vendor/github.com/containers/common/pkg/config/default.go 2020-04-28 22:29:37.000000000 +0200
@@ -141,13 +141,18 @@
netns = "slirp4netns"
}
+ cgroupNS := "host"
+ if cgroup2, _ := cgroupv2.Enabled(); cgroup2 {
+ cgroupNS = "private"
+ }
+
return &Config{
Containers: ContainersConfig{
Devices: []string{},
Volumes: []string{},
Annotations: []string{},
ApparmorProfile: DefaultApparmorProfile,
- CgroupNS: "private",
+ CgroupNS: cgroupNS,
DefaultCapabilities: DefaultCapabilities,
DefaultSysctls: []string{},
DefaultUlimits: getDefaultProcessLimits(),
@@ -172,7 +177,7 @@
SeccompProfile: SeccompDefaultPath,
ShmSize: DefaultShmSize,
UTSNS: "private",
- UserNS: "private",
+ UserNS: "host",
UserNSSize: DefaultUserNSSize,
},
Network: NetworkConfig{
@@ -246,6 +251,8 @@
"/usr/local/sbin/kata-runtime",
"/sbin/kata-runtime",
"/bin/kata-runtime",
+ "/usr/bin/kata-qemu",
+ "/usr/bin/kata-fc",
},
}
c.ConmonEnvVars = []string{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/vendor/github.com/containers/common/pkg/config/libpodConfig.go new/podman-1.9.1/vendor/github.com/containers/common/pkg/config/libpodConfig.go
--- old/podman-1.9.0/vendor/github.com/containers/common/pkg/config/libpodConfig.go 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/vendor/github.com/containers/common/pkg/config/libpodConfig.go 2020-04-28 22:29:37.000000000 +0200
@@ -224,6 +224,12 @@
}
}
+ // hard code EventsLogger to "file" to match older podman versions.
+ if config.EventsLogger != "file" {
+ logrus.Debugf("Ignoring lipod.conf EventsLogger setting %q. Use containers.conf if you want to change this setting and remove libpod.conf files.", config.EventsLogger)
+ config.EventsLogger = "file"
+ }
+
c.libpodToContainersConfig(config)
return nil
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/vendor/modules.txt new/podman-1.9.1/vendor/modules.txt
--- old/podman-1.9.0/vendor/modules.txt 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/vendor/modules.txt 2020-04-28 22:29:37.000000000 +0200
@@ -82,7 +82,7 @@
github.com/containers/buildah/pkg/supplemented
github.com/containers/buildah/pkg/umask
github.com/containers/buildah/util
-# github.com/containers/common v0.8.1
+# github.com/containers/common v0.8.2
github.com/containers/common/pkg/apparmor
github.com/containers/common/pkg/capabilities
github.com/containers/common/pkg/cgroupv2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/podman-1.9.0/version/version.go new/podman-1.9.1/version/version.go
--- old/podman-1.9.0/version/version.go 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/version/version.go 2020-04-28 22:29:37.000000000 +0200
@@ -4,7 +4,7 @@
// NOTE: remember to bump the version at the top
// of the top-level README.md file when this is
// bumped.
-const Version = "1.9.0"
+const Version = "1.9.1"
// RemoteAPIVersion is the version for the remote
// client API. It is used to determine compatibility