From 7c8b51068e7e74fc7e5f45b408215f862840ca00 Mon Sep 17 00:00:00 2001 From: Urvashi Mohnani Date: Wed, 11 Oct 2023 11:30:49 -0400 Subject: [PATCH] Vendor containers/common Pick up changes to move the platform code to its own directory. [NO NEW TESTS NEEDED] Signed-off-by: Urvashi Mohnani --- go.mod | 2 +- go.sum | 6 +- internal/util/util.go | 3 +- .../containers/common/libimage/copier.go | 3 +- .../common/libimage/define/platform.go | 11 +++ .../containers/common/libimage/image.go | 34 +++++++ .../containers/common/libimage/platform.go | 96 +++---------------- .../common/libimage/platform/platform.go | 57 +++++++++++ .../containers/common/libimage/runtime.go | 10 +- .../common/pkg/apparmor/apparmor_linux.go | 5 + .../containers/common/pkg/config/config.go | 37 +++---- .../common/pkg/config/containers.conf | 22 ++++- .../common/pkg/config/containers.conf-freebsd | 22 ++++- .../common/pkg/config/db_backend.go | 17 ++-- .../containers/common/pkg/config/default.go | 4 - vendor/modules.txt | 3 +- 16 files changed, 195 insertions(+), 137 deletions(-) create mode 100644 vendor/github.com/containers/common/libimage/define/platform.go create mode 100644 vendor/github.com/containers/common/libimage/platform/platform.go diff --git a/go.mod b/go.mod index 57fd30ce42f..7d7e2671353 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( github.com/containerd/containerd v1.7.7 github.com/containernetworking/cni v1.1.2 github.com/containernetworking/plugins v1.3.0 - github.com/containers/common v0.56.1-0.20231003103624-88925362c276 + github.com/containers/common v0.56.1-0.20231013064012-9f2f68b89872 github.com/containers/image/v5 v5.28.0 github.com/containers/luksy v0.0.0-20230912175440-6df88cb7f0dd github.com/containers/ocicrypt v1.1.8 diff --git a/go.sum b/go.sum index 7776a8a0b3e..e5b7937512d 100644 --- a/go.sum +++ b/go.sum @@ -54,8 +54,8 @@ github.com/containernetworking/cni v1.1.2 h1:wtRGZVv7olUHMOqouPpn3cXJWpJgM6+EUl3 github.com/containernetworking/cni v1.1.2/go.mod h1:sDpYKmGVENF3s6uvMvGgldDWeG8dMxakj/u+i9ht9vw= github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q6mVDp5H1HnjM= github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0= -github.com/containers/common v0.56.1-0.20231003103624-88925362c276 h1:pdg8Sws/kWeZ2Ideb5i/fIxqZifMTE7wSLM80Bydvwg= -github.com/containers/common v0.56.1-0.20231003103624-88925362c276/go.mod h1:8gifkvVxN1oOHJ9Yp/SHWcN6MlxdC0gZCF2+MaWjErc= +github.com/containers/common v0.56.1-0.20231013064012-9f2f68b89872 h1:8dydB0ivba6JVt04WuJmTlznJTGZNyQePU8aHqxLTFI= +github.com/containers/common v0.56.1-0.20231013064012-9f2f68b89872/go.mod h1:LM6Uyz5lq80P/DRnhs8NxvPIvBk2zmS2L/oednAGI/s= github.com/containers/image/v5 v5.28.0 h1:H4cWbdI88UA/mDb6SxMo3IxpmS1BSs/Kifvhwt9g048= github.com/containers/image/v5 v5.28.0/go.mod h1:9aPnNkwHNHgGl9VlQxXEshvmOJRbdRAc1rNDD6sP2eU= github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA= @@ -311,7 +311,7 @@ github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vv github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= -github.com/onsi/ginkgo/v2 v2.12.1 h1:uHNEO1RP2SpuZApSkel9nEh1/Mu+hmQe7Q+Pepg5OYA= +github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= diff --git a/internal/util/util.go b/internal/util/util.go index 819501a06a4..01f4b1051c7 100644 --- a/internal/util/util.go +++ b/internal/util/util.go @@ -8,6 +8,7 @@ import ( "github.com/containers/buildah/define" "github.com/containers/common/libimage" + lplatform "github.com/containers/common/libimage/platform" "github.com/containers/image/v5/types" "github.com/containers/storage" "github.com/containers/storage/pkg/archive" @@ -41,7 +42,7 @@ func LookupImage(ctx *types.SystemContext, store storage.Store, image string) (* // Wrapper around libimage.NormalizePlatform to return and consume // v1.Platform instead of independent os, arch and variant. func NormalizePlatform(platform v1.Platform) v1.Platform { - os, arch, variant := libimage.NormalizePlatform(platform.OS, platform.Architecture, platform.Variant) + os, arch, variant := lplatform.Normalize(platform.OS, platform.Architecture, platform.Variant) return v1.Platform{ OS: os, Architecture: arch, diff --git a/vendor/github.com/containers/common/libimage/copier.go b/vendor/github.com/containers/common/libimage/copier.go index fd10dd72df6..27b4e59df5b 100644 --- a/vendor/github.com/containers/common/libimage/copier.go +++ b/vendor/github.com/containers/common/libimage/copier.go @@ -11,6 +11,7 @@ import ( "time" "github.com/containers/common/libimage/manifests" + "github.com/containers/common/libimage/platform" "github.com/containers/common/pkg/config" "github.com/containers/common/pkg/retry" "github.com/containers/image/v5/copy" @@ -239,7 +240,7 @@ func (r *Runtime) newCopier(options *CopyOptions) (*copier, error) { c.systemContext.DockerArchiveAdditionalTags = options.dockerArchiveAdditionalTags - c.systemContext.OSChoice, c.systemContext.ArchitectureChoice, c.systemContext.VariantChoice = NormalizePlatform(options.OS, options.Architecture, options.Variant) + c.systemContext.OSChoice, c.systemContext.ArchitectureChoice, c.systemContext.VariantChoice = platform.Normalize(options.OS, options.Architecture, options.Variant) if options.SignaturePolicyPath != "" { c.systemContext.SignaturePolicyPath = options.SignaturePolicyPath diff --git a/vendor/github.com/containers/common/libimage/define/platform.go b/vendor/github.com/containers/common/libimage/define/platform.go new file mode 100644 index 00000000000..7e13abffd7c --- /dev/null +++ b/vendor/github.com/containers/common/libimage/define/platform.go @@ -0,0 +1,11 @@ +package define + +// PlatformPolicy controls the behavior of image-platform matching. +type PlatformPolicy int + +const ( + // Only debug log if an image does not match the expected platform. + PlatformPolicyDefault PlatformPolicy = iota + // Warn if an image does not match the expected platform. + PlatformPolicyWarn +) diff --git a/vendor/github.com/containers/common/libimage/image.go b/vendor/github.com/containers/common/libimage/image.go index e4198a792c2..6ff04453030 100644 --- a/vendor/github.com/containers/common/libimage/image.go +++ b/vendor/github.com/containers/common/libimage/image.go @@ -9,6 +9,8 @@ import ( "strings" "time" + "github.com/containerd/containerd/platforms" + "github.com/containers/common/libimage/platform" "github.com/containers/image/v5/docker/reference" "github.com/containers/image/v5/manifest" storageTransport "github.com/containers/image/v5/storage" @@ -1021,3 +1023,35 @@ func getImageID(ctx context.Context, src types.ImageReference, sys *types.System } return "@" + imageDigest.Encoded(), nil } + +// Checks whether the image matches the specified platform. +// Returns +// - 1) a matching error that can be used for logging (or returning) what does not match +// - 2) a bool indicating whether architecture, os or variant were set (some callers need that to decide whether they need to throw an error) +// - 3) a fatal error that occurred prior to check for matches (e.g., storage errors etc.) +func (i *Image) matchesPlatform(ctx context.Context, os, arch, variant string) (error, bool, error) { + if err := i.isCorrupted(""); err != nil { + return err, false, nil + } + inspectInfo, err := i.inspectInfo(ctx) + if err != nil { + return nil, false, fmt.Errorf("inspecting image: %w", err) + } + + customPlatform := len(os)+len(arch)+len(variant) != 0 + + expected, err := platforms.Parse(platform.ToString(os, arch, variant)) + if err != nil { + return nil, false, fmt.Errorf("parsing host platform: %v", err) + } + fromImage, err := platforms.Parse(platform.ToString(inspectInfo.Os, inspectInfo.Architecture, inspectInfo.Variant)) + if err != nil { + return nil, false, fmt.Errorf("parsing image platform: %v", err) + } + + if platforms.NewMatcher(expected).Match(fromImage) { + return nil, customPlatform, nil + } + + return fmt.Errorf("image platform (%s) does not match the expected platform (%s)", platforms.Format(fromImage), platforms.Format(expected)), customPlatform, nil +} diff --git a/vendor/github.com/containers/common/libimage/platform.go b/vendor/github.com/containers/common/libimage/platform.go index 06c15ee648f..fc0e002fabf 100644 --- a/vendor/github.com/containers/common/libimage/platform.go +++ b/vendor/github.com/containers/common/libimage/platform.go @@ -1,100 +1,26 @@ package libimage import ( - "context" - "fmt" - "runtime" - - "github.com/containerd/containerd/platforms" - v1 "github.com/opencontainers/image-spec/specs-go/v1" - "github.com/sirupsen/logrus" + "github.com/containers/common/libimage/define" + "github.com/containers/common/libimage/platform" ) // PlatformPolicy controls the behavior of image-platform matching. -type PlatformPolicy int +// Deprecated: new code should use define.PlatformPolicy directly. +type PlatformPolicy = define.PlatformPolicy const ( // Only debug log if an image does not match the expected platform. - PlatformPolicyDefault PlatformPolicy = iota + // Deprecated: new code should reference define.PlatformPolicyDefault directly. + PlatformPolicyDefault = define.PlatformPolicyDefault // Warn if an image does not match the expected platform. - PlatformPolicyWarn + // Deprecated: new code should reference define.PlatformPolicyWarn directly. + PlatformPolicyWarn = define.PlatformPolicyWarn ) // NormalizePlatform normalizes (according to the OCI spec) the specified os, -// arch and variant. If left empty, the individual item will be normalized. +// arch and variant. If left empty, the individual item will be normalized. +// Deprecated: new code should call libimage/platform.Normalize() instead. func NormalizePlatform(rawOS, rawArch, rawVariant string) (os, arch, variant string) { - platformSpec := v1.Platform{ - OS: rawOS, - Architecture: rawArch, - Variant: rawVariant, - } - normalizedSpec := platforms.Normalize(platformSpec) - if normalizedSpec.Variant == "" && rawVariant != "" { - normalizedSpec.Variant = rawVariant - } - rawPlatform := toPlatformString(normalizedSpec.OS, normalizedSpec.Architecture, normalizedSpec.Variant) - normalizedPlatform, err := platforms.Parse(rawPlatform) - if err != nil { - logrus.Debugf("Error normalizing platform: %v", err) - return rawOS, rawArch, rawVariant - } - logrus.Debugf("Normalized platform %s to %s", rawPlatform, normalizedPlatform) - os = rawOS - if rawOS != "" { - os = normalizedPlatform.OS - } - arch = rawArch - if rawArch != "" { - arch = normalizedPlatform.Architecture - } - variant = rawVariant - if rawVariant != "" || (rawVariant == "" && normalizedPlatform.Variant != "") { - variant = normalizedPlatform.Variant - } - return os, arch, variant -} - -func toPlatformString(os, arch, variant string) string { - if os == "" { - os = runtime.GOOS - } - if arch == "" { - arch = runtime.GOARCH - } - if variant == "" { - return fmt.Sprintf("%s/%s", os, arch) - } - return fmt.Sprintf("%s/%s/%s", os, arch, variant) -} - -// Checks whether the image matches the specified platform. -// Returns -// - 1) a matching error that can be used for logging (or returning) what does not match -// - 2) a bool indicating whether architecture, os or variant were set (some callers need that to decide whether they need to throw an error) -// - 3) a fatal error that occurred prior to check for matches (e.g., storage errors etc.) -func (i *Image) matchesPlatform(ctx context.Context, os, arch, variant string) (error, bool, error) { - if err := i.isCorrupted(""); err != nil { - return err, false, nil - } - inspectInfo, err := i.inspectInfo(ctx) - if err != nil { - return nil, false, fmt.Errorf("inspecting image: %w", err) - } - - customPlatform := len(os)+len(arch)+len(variant) != 0 - - expected, err := platforms.Parse(toPlatformString(os, arch, variant)) - if err != nil { - return nil, false, fmt.Errorf("parsing host platform: %v", err) - } - fromImage, err := platforms.Parse(toPlatformString(inspectInfo.Os, inspectInfo.Architecture, inspectInfo.Variant)) - if err != nil { - return nil, false, fmt.Errorf("parsing image platform: %v", err) - } - - if platforms.NewMatcher(expected).Match(fromImage) { - return nil, customPlatform, nil - } - - return fmt.Errorf("image platform (%s) does not match the expected platform (%s)", platforms.Format(fromImage), platforms.Format(expected)), customPlatform, nil + return platform.Normalize(rawOS, rawArch, rawVariant) } diff --git a/vendor/github.com/containers/common/libimage/platform/platform.go b/vendor/github.com/containers/common/libimage/platform/platform.go new file mode 100644 index 00000000000..2272cee757c --- /dev/null +++ b/vendor/github.com/containers/common/libimage/platform/platform.go @@ -0,0 +1,57 @@ +package platform + +import ( + "fmt" + "runtime" + + "github.com/containerd/containerd/platforms" + v1 "github.com/opencontainers/image-spec/specs-go/v1" + "github.com/sirupsen/logrus" +) + +// Normalize normalizes (according to the OCI spec) the specified os, +// arch and variant. If left empty, the individual item will be normalized. +func Normalize(rawOS, rawArch, rawVariant string) (os, arch, variant string) { + platformSpec := v1.Platform{ + OS: rawOS, + Architecture: rawArch, + Variant: rawVariant, + } + normalizedSpec := platforms.Normalize(platformSpec) + if normalizedSpec.Variant == "" && rawVariant != "" { + normalizedSpec.Variant = rawVariant + } + rawPlatform := ToString(normalizedSpec.OS, normalizedSpec.Architecture, normalizedSpec.Variant) + normalizedPlatform, err := platforms.Parse(rawPlatform) + if err != nil { + logrus.Debugf("Error normalizing platform: %v", err) + return rawOS, rawArch, rawVariant + } + logrus.Debugf("Normalized platform %s to %s", rawPlatform, normalizedPlatform) + os = rawOS + if rawOS != "" { + os = normalizedPlatform.OS + } + arch = rawArch + if rawArch != "" { + arch = normalizedPlatform.Architecture + } + variant = rawVariant + if rawVariant != "" || (rawVariant == "" && normalizedPlatform.Variant != "") { + variant = normalizedPlatform.Variant + } + return os, arch, variant +} + +func ToString(os, arch, variant string) string { + if os == "" { + os = runtime.GOOS + } + if arch == "" { + arch = runtime.GOARCH + } + if variant == "" { + return fmt.Sprintf("%s/%s", os, arch) + } + return fmt.Sprintf("%s/%s/%s", os, arch, variant) +} diff --git a/vendor/github.com/containers/common/libimage/runtime.go b/vendor/github.com/containers/common/libimage/runtime.go index 6d90272c387..33f515e99dc 100644 --- a/vendor/github.com/containers/common/libimage/runtime.go +++ b/vendor/github.com/containers/common/libimage/runtime.go @@ -7,6 +7,8 @@ import ( "os" "strings" + "github.com/containers/common/libimage/define" + "github.com/containers/common/libimage/platform" "github.com/containers/common/pkg/config" "github.com/containers/image/v5/docker/reference" "github.com/containers/image/v5/pkg/shortnames" @@ -184,7 +186,7 @@ type LookupImageOptions struct { Variant string // Controls the behavior when checking the platform of an image. - PlatformPolicy PlatformPolicy + PlatformPolicy define.PlatformPolicy // If set, do not look for items/instances in the manifest list that // match the current platform but return the manifest list as is. @@ -283,7 +285,7 @@ func (r *Runtime) LookupImage(name string, options *LookupImageOptions) (*Image, options.Variant = r.systemContext.VariantChoice } // Normalize platform to be OCI compatible (e.g., "aarch64" -> "arm64"). - options.OS, options.Architecture, options.Variant = NormalizePlatform(options.OS, options.Architecture, options.Variant) + options.OS, options.Architecture, options.Variant = platform.Normalize(options.OS, options.Architecture, options.Variant) // Second, try out the candidates as resolved by shortnames. This takes // "localhost/" prefixed images into account as well. @@ -435,9 +437,9 @@ func (r *Runtime) lookupImageInLocalStorage(name, candidate string, namedCandida return nil, nil } switch options.PlatformPolicy { - case PlatformPolicyDefault: + case define.PlatformPolicyDefault: logrus.Debugf("%v", matchError) - case PlatformPolicyWarn: + case define.PlatformPolicyWarn: logrus.Warnf("%v", matchError) } } diff --git a/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go b/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go index 7ba63ba7447..435422c27de 100644 --- a/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go +++ b/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go @@ -212,6 +212,11 @@ func parseAAParserVersion(output string) (int, error) { words := strings.Split(lines[0], " ") version := words[len(words)-1] + // trim "-beta1" suffix from version="3.0.0-beta1" if exists + version = strings.SplitN(version, "-", 2)[0] + // also trim "~..." suffix used historically (https://gitlab.com/apparmor/apparmor/-/commit/bca67d3d27d219d11ce8c9cc70612bd637f88c10) + version = strings.SplitN(version, "~", 2)[0] + // split by major minor version v := strings.Split(version, ".") if len(v) == 0 || len(v) > 3 { diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go index b0c85abdacc..2be4e6326f2 100644 --- a/vendor/github.com/containers/common/pkg/config/config.go +++ b/vendor/github.com/containers/common/pkg/config/config.go @@ -30,24 +30,6 @@ const ( bindirPrefix = "$BINDIR" ) -// RuntimeStateStore is a constant indicating which state store implementation -// should be used by engine -type RuntimeStateStore int - -const ( - // InvalidStateStore is an invalid state store - InvalidStateStore RuntimeStateStore = iota - // InMemoryStateStore is an in-memory state that will not persist data - // on containers and pods between engine instances or after system - // reboot - InMemoryStateStore RuntimeStateStore = iota - // SQLiteStateStore is a state backed by a SQLite database - // It is presently disabled - SQLiteStateStore RuntimeStateStore = iota - // BoltDBStateStore is a state backed by a BoltDB database - BoltDBStateStore RuntimeStateStore = iota -) - var validImageVolumeModes = []string{_typeBind, "tmpfs", "ignore"} // ProxyEnv is a list of Proxy Environment variables @@ -213,6 +195,18 @@ type ContainersConfig struct { // performance implications. PrepareVolumeOnCreate bool `toml:"prepare_volume_on_create,omitempty"` + // Give extended privileges to all containers. A privileged container + // turns off the security features that isolate the container from the + // host. Dropped Capabilities, limited devices, read-only mount points, + // Apparmor/SELinux separation, and Seccomp filters are all disabled. + // Due to the disabled security features the privileged field should + // almost never be set as containers can easily break out of + // confinment. + // + // Containers running in a user namespace (e.g., rootless containers) + // cannot have more privileges than the user that launched them. + Privileged bool `toml:"privileged,omitempty"` + // ReadOnly causes engine to run all containers with root file system mounted read-only ReadOnly bool `toml:"read_only,omitempty"` @@ -471,13 +465,6 @@ type EngineConfig struct { // readiness using the SD_NOTIFY mechanism. SDNotify bool `toml:"-"` - // StateType is the type of the backing state store. Avoid using multiple - // values for this with the same containers/storage configuration on the - // same system. Different state types do not interact, and each will see a - // separate set of containers, which may cause conflicts in - // containers/storage. As such this is not exposed via the config file. - StateType RuntimeStateStore `toml:"-"` - // ServiceTimeout is the number of seconds to wait without a connection // before the `podman system service` times out and exits ServiceTimeout uint `toml:"service_timeout,omitempty,omitzero"` diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf index 1840ab10e13..37b17071dd8 100644 --- a/vendor/github.com/containers/common/pkg/config/containers.conf +++ b/vendor/github.com/containers/common/pkg/config/containers.conf @@ -237,6 +237,18 @@ default_sysctls = [ # #prepare_volume_on_create = false +# Give extended privileges to all containers. A privileged container turns off +# the security features that isolate the container from the host. Dropped +# Capabilities, limited devices, read-only mount points, Apparmor/SELinux +# separation, and Seccomp filters are all disabled. Due to the disabled +# security features the privileged field should almost never be set as +# containers can easily break out of confinment. +# +# Containers running in a user namespace (e.g., rootless containers) cannot +# have more privileges than the user that launched them. +# +#privileged = false + # Run all containers with root file system mounted read-only # # read_only = false @@ -442,10 +454,14 @@ default_sysctls = [ # short-name aliases defined in containers-registries.conf(5). #compat_api_enforce_docker_hub = true -# The database backend of Podman. Supported values are "boltdb" (default) and -# "sqlite". Please run `podman-system-reset` prior to changing the database +# The database backend of Podman. Supported values are "" (default), "boltdb" +# and "sqlite". An empty value means it will check whenever a boltdb already +# exists and use it when it does, otherwise it will use sqlite as default +# (e.g. new installs). This allows for backwards compatibility with older versions. +# Please run `podman-system-reset` prior to changing the database # backend of an existing deployment, to make sure Podman can operate correctly. -#database_backend="boltdb" +# +#database_backend = "" # Specify the keys sequence used to detach a container. # Format is a single character [a-Z] or a comma separated sequence of diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf-freebsd b/vendor/github.com/containers/common/pkg/config/containers.conf-freebsd index f247b61261d..de2bf682e55 100644 --- a/vendor/github.com/containers/common/pkg/config/containers.conf-freebsd +++ b/vendor/github.com/containers/common/pkg/config/containers.conf-freebsd @@ -29,10 +29,14 @@ # #base_hosts_file = "" -# The database backend of Podman. Supported values are "boltdb" (default) and -# "sqlite". Please run `podman-system-reset` prior to changing the database +# The database backend of Podman. Supported values are "" (default), "boltdb" +# and "sqlite". An empty value means it will check whenever a boltdb already +# exists and use it when it does, otherwise it will use sqlite as default +# (e.g. new installs). This allows for backwards compatibility with older versions. +# Please run `podman-system-reset` prior to changing the database # backend of an existing deployment, to make sure Podman can operate correctly. -#database_backend="boltdb" +# +#database_backend = "" # List of default capabilities for containers. If it is empty or commented out, # the default capabilities defined in the container engine will be added. @@ -200,6 +204,18 @@ default_sysctls = [ # #prepare_volume_on_create = false +# Give extended privileges to all containers. A privileged container turns off +# the security features that isolate the container from the host. Dropped +# Capabilities, limited devices, read-only mount points, Apparmor/SELinux +# separation, and Seccomp filters are all disabled. Due to the disabled +# security features the privileged field should almost never be set as +# containers can easily break out of confinment. +# +# Containers running in a user namespace (e.g., rootless containers) cannot +# have more privileges than the user that launched them. +# +#privileged = false + # Set timezone in container. Takes IANA timezones as well as "local", # which sets the timezone in the container to match the host machine. # diff --git a/vendor/github.com/containers/common/pkg/config/db_backend.go b/vendor/github.com/containers/common/pkg/config/db_backend.go index 8fd78165bbe..a2fda8e02d2 100644 --- a/vendor/github.com/containers/common/pkg/config/db_backend.go +++ b/vendor/github.com/containers/common/pkg/config/db_backend.go @@ -13,6 +13,12 @@ const ( // SQLite backend. DBBackendSQLite + // DBBackendDefault describes that no explicit backend has been set. + // It should default to sqlite unless there is already an existing boltdb, + // this allows for backwards compatibility on upgrades. The actual detection + // logic must live in podman as we only know there were to look for the file. + DBBackendDefault + stringBoltDB = "boltdb" stringSQLite = "sqlite" ) @@ -24,6 +30,8 @@ func (d DBBackend) String() string { return stringBoltDB case DBBackendSQLite: return stringSQLite + case DBBackendDefault: + return "" default: return fmt.Sprintf("unsupported database backend: %d", d) } @@ -32,7 +40,7 @@ func (d DBBackend) String() string { // Validate returns whether the DBBackend is supported. func (d DBBackend) Validate() error { switch d { - case DBBackendBoltDB, DBBackendSQLite: + case DBBackendBoltDB, DBBackendSQLite, DBBackendDefault: return nil default: return fmt.Errorf("unsupported database backend: %d", d) @@ -49,12 +57,9 @@ func ParseDBBackend(raw string) (DBBackend, error) { return DBBackendBoltDB, nil case stringSQLite: return DBBackendSQLite, nil + case "": + return DBBackendDefault, nil default: return DBBackendUnsupported, fmt.Errorf("unsupported database backend: %q", raw) } } - -// DBBackend returns the configured database backend. -func (c *Config) DBBackend() (DBBackend, error) { - return ParseDBBackend(c.Engine.DBBackend) -} diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go index 3599c27222b..b7167ed1b56 100644 --- a/vendor/github.com/containers/common/pkg/config/default.go +++ b/vendor/github.com/containers/common/pkg/config/default.go @@ -120,8 +120,6 @@ const ( CgroupfsCgroupsManager = "cgroupfs" // DefaultApparmorProfile specifies the default apparmor profile for the container. DefaultApparmorProfile = apparmor.Profile - // DefaultDBBackend specifies the default database backend to be used by Podman. - DefaultDBBackend = DBBackendBoltDB // DefaultHostsFile is the default path to the hosts file. DefaultHostsFile = "/etc/hosts" // SystemdCgroupsManager represents systemd native cgroup manager. @@ -317,7 +315,6 @@ func defaultEngineConfig() (*EngineConfig, error) { c.HooksDir = DefaultHooksDirs c.ImageDefaultTransport = _defaultTransport c.ImageVolumeMode = _defaultImageVolumeMode - c.StateType = BoltDBStateStore c.ImageBuildFormat = "oci" @@ -424,7 +421,6 @@ func defaultEngineConfig() (*EngineConfig, error) { "/run/current-system/sw/bin/conmonrs", } c.PullPolicy = DefaultPullPolicy - c.DBBackend = stringBoltDB c.RuntimeSupportsJSON = []string{ "crun", "runc", diff --git a/vendor/modules.txt b/vendor/modules.txt index 7a1af811716..4aa677c22dc 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -94,12 +94,13 @@ github.com/containernetworking/cni/pkg/version # github.com/containernetworking/plugins v1.3.0 ## explicit; go 1.20 github.com/containernetworking/plugins/pkg/ns -# github.com/containers/common v0.56.1-0.20231003103624-88925362c276 +# github.com/containers/common v0.56.1-0.20231013064012-9f2f68b89872 ## explicit; go 1.18 github.com/containers/common/libimage github.com/containers/common/libimage/define github.com/containers/common/libimage/filter github.com/containers/common/libimage/manifests +github.com/containers/common/libimage/platform github.com/containers/common/libnetwork/cni github.com/containers/common/libnetwork/etchosts github.com/containers/common/libnetwork/internal/util