Merge pull request containers#12040 from mheon/341_release

Bump to v3.4.1
Luap99 · Oct 20, 2021 · 09aade7 · 09aade7
2 parents c15c154 + 46f7d2a
commit 09aade7
Show file tree

Hide file tree

Showing 41 changed files with 458 additions and 180 deletions.
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -1,5 +1,25 @@
 # Release Notes
 
+## 3.4.1
+### Bugfixes
+- Fixed a bug where `podman machine init` could, under some circumstances, create invalid machine configurations which could not be started ([#11824](https://github.com/containers/podman/issues/11824)).
+- Fixed a bug where the `podman machine list` command would not properly populate some output fields.
+- Fixed a bug where `podman machine rm` could leave dangling sockets from the removed machine ([#11393](https://github.com/containers/podman/issues/11393)).
+- Fixed a bug where `podman run --pids-limit=-1` was not supported (it now sets the PID limit in the container to unlimited) ([#11782](https://github.com/containers/podman/issues/11782)).
+- Fixed a bug where `podman run` and `podman attach` could throw errors about a closed network connection when STDIN was closed by the client ([#11856](https://github.com/containers/podman/issues/11856)).
+- Fixed a bug where the `podman stop` command could fail when run on a container that had another `podman stop` command run on it previously.
+- Fixed a bug where the `--sync` flag to `podman ps` was nonfunctional.
+- Fixed a bug where the Windows and OS X remote clients' `podman stats` command would fail ([#11909](https://github.com/containers/podman/issues/11909)).
+- Fixed a bug where the `podman play kube` command did not properly handle environment variables whose values contained an `=` ([#11891](https://github.com/containers/podman/issues/11891)).
+- Fixed a bug where the `podman generate kube` command could generate invalid annotations when run on containers with volumes that use SELinux relabelling (`:z` or `:Z`) ([#11929](https://github.com/containers/podman/issues/11929)).
+- Fixed a bug where the `podman generate kube` command would generate YAML including some unnecessary (set to default) fields (e.g. user and group, entrypoint, default protocol for forwarded ports) ([#11914](https://github.com/containers/podman/issues/11914), [#11915](https://github.com/containers/podman/issues/11915), and [#11965](https://github.com/containers/podman/issues/11965)).
+- Fixed a bug where the `podman generate kube` command could, under some circumstances, generate YAML including an invalid `targetPort` field for forwarded ports ([#11930](https://github.com/containers/podman/issues/11930)).
+- Fixed a bug where rootless Podman's `podman info` command could, under some circumstances, not read available CGroup controllers ([#11931](https://github.com/containers/podman/issues/11931)).
+- Fixed a bug where `podman container checkpoint --export` would fail to checkpoint any container created with `--log-driver=none` ([#11974](https://github.com/containers/podman/issues/11974)).
+
+### API
+- Fixed a bug where the Compat Create endpoint for Containers could panic when no options were passed to a bind mount of tmpfs ([#11961](https://github.com/containers/podman/issues/11961)).
+
 ## 3.4.0
 ### Features
 - Pods now support init containers! Init containers are containers which run before the rest of the pod starts. There are two types of init containers: "always", which always run before the pod is started, and "once", which only run the first time the pod starts and are subsequently removed. They can be added using the `podman create` command's `--init-ctr` option.

diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
@@ -433,7 +433,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		pidsLimitFlagName := "pids-limit"
 		createFlags.Int64(
 			pidsLimitFlagName, pidsLimit(),
-			"Tune container pids limit (set 0 for unlimited, -1 for server defaults)",
+			"Tune container pids limit (set -1 for unlimited)",
 		)
 		_ = cmd.RegisterFlagCompletionFunc(pidsLimitFlagName, completion.AutocompleteNone)
 

diff --git a/cmd/podman/common/create_opts.go b/cmd/podman/common/create_opts.go
@@ -104,15 +104,18 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, rtc *c
 		addField(&builder, "target", m.Target)
 		addField(&builder, "ro", strconv.FormatBool(m.ReadOnly))
 		addField(&builder, "consistency", string(m.Consistency))
-
 		// Map any specialized mount options that intersect between *Options and cli options
 		switch m.Type {
 		case mount.TypeBind:
-			addField(&builder, "bind-propagation", string(m.BindOptions.Propagation))
-			addField(&builder, "bind-nonrecursive", strconv.FormatBool(m.BindOptions.NonRecursive))
+			if m.BindOptions != nil {
+				addField(&builder, "bind-propagation", string(m.BindOptions.Propagation))
+				addField(&builder, "bind-nonrecursive", strconv.FormatBool(m.BindOptions.NonRecursive))
+			}
 		case mount.TypeTmpfs:
-			addField(&builder, "tmpfs-size", strconv.FormatInt(m.TmpfsOptions.SizeBytes, 10))
-			addField(&builder, "tmpfs-mode", strconv.FormatUint(uint64(m.TmpfsOptions.Mode), 10))
+			if m.TmpfsOptions != nil {
+				addField(&builder, "tmpfs-size", strconv.FormatInt(m.TmpfsOptions.SizeBytes, 10))
+				addField(&builder, "tmpfs-mode", strconv.FormatUint(uint64(m.TmpfsOptions.Mode), 10))
+			}
 		case mount.TypeVolume:
 			// All current VolumeOpts are handled above
 			// See vendor/github.com/containers/common/pkg/parse/parse.go:ValidateVolumeOpts()

diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go
@@ -224,6 +224,10 @@ func CreateInit(c *cobra.Command, vals entities.ContainerCreateOptions, isInfra
 
 		if c.Flags().Changed("pids-limit") {
 			val := c.Flag("pids-limit").Value.String()
+			// Convert -1 to 0, so that -1 maps to unlimited pids limit
+			if val == "-1" {
+				val = "0"
+			}
 			pidsLimit, err := strconv.ParseInt(val, 10, 32)
 			if err != nil {
 				return vals, err

diff --git a/cmd/podman/containers/stats.go b/cmd/podman/containers/stats.go
@@ -11,9 +11,7 @@ import (
 	"github.com/containers/podman/v3/cmd/podman/registry"
 	"github.com/containers/podman/v3/cmd/podman/validate"
 	"github.com/containers/podman/v3/libpod/define"
-	"github.com/containers/podman/v3/pkg/cgroups"
 	"github.com/containers/podman/v3/pkg/domain/entities"
-	"github.com/containers/podman/v3/pkg/rootless"
 	"github.com/containers/podman/v3/utils"
 	"github.com/docker/go-units"
 	"github.com/pkg/errors"
@@ -113,16 +111,6 @@ func checkStatOptions(cmd *cobra.Command, args []string) error {
 }
 
 func stats(cmd *cobra.Command, args []string) error {
-	if rootless.IsRootless() {
-		unified, err := cgroups.IsCgroup2UnifiedMode()
-		if err != nil {
-			return err
-		}
-		if !unified {
-			return errors.New("stats is not supported in rootless mode without cgroups v2")
-		}
-	}
-
 	// Convert to the entities options.  We should not leak CLI-only
 	// options into the backend and separate concerns.
 	opts := entities.ContainerStatsOptions{

diff --git a/cmd/podman/diff/diff.go b/cmd/podman/diff/diff.go
@@ -8,7 +8,7 @@ import (
 	"github.com/containers/common/pkg/report"
 	"github.com/containers/podman/v3/cmd/podman/registry"
 	"github.com/containers/podman/v3/pkg/domain/entities"
-	"github.com/docker/docker/pkg/archive"
+	"github.com/containers/storage/pkg/archive"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )

diff --git a/contrib/cirrus/pr-should-include-tests b/contrib/cirrus/pr-should-include-tests
@@ -8,7 +8,10 @@ if [[ "${CIRRUS_CHANGE_TITLE}" =~ CI:DOCS ]]; then
     exit 0
 fi
 
-# So are PRs where 'NO TESTS NEEDED' appears in the Github message
+# So are PRs where 'NO NEW TESTS NEEDED' appears in the Github message
+if [[ "${CIRRUS_CHANGE_MESSAGE}" =~ NO.NEW.TESTS.NEEDED ]]; then
+    exit 0
+fi
 if [[ "${CIRRUS_CHANGE_MESSAGE}" =~ NO.TESTS.NEEDED ]]; then
     exit 0
 fi
@@ -49,8 +52,11 @@ if [[ -z "$filtered_changes" ]]; then
     exit 0
 fi
 
-# One last chance: perhaps the developer included the magic '[NO TESTS NEEDED]'
+# One last chance: perhaps the developer included the magic '[NO (NEW) TESTS NEEDED]'
 # string in an amended commit.
+if git log --format=%B ${base}..${head} | fgrep '[NO NEW TESTS NEEDED]'; then
+   exit 0
+fi
 if git log --format=%B ${base}..${head} | fgrep '[NO TESTS NEEDED]'; then
    exit 0
 fi
@@ -67,7 +73,7 @@ tests, possibly just adding a small step to a similar existing test.
 Every second counts in CI.
 
 If your commit really, truly does not need tests, you can proceed
-by adding '[NO TESTS NEEDED]' to the body of your commit message.
+by adding '[NO NEW TESTS NEEDED]' to the body of your commit message.
 Please think carefully before doing so.
 EOF
 

diff --git a/contrib/cirrus/pr-should-include-tests.t b/contrib/cirrus/pr-should-include-tests.t
@@ -36,9 +36,9 @@ tests="
 0  a47515008  ecedda63a   PR 8816, unit tests only
 0  caa84cd35  e55320efd   PR 8565, hack/podman-socat only
 0  c342583da  12f835d12   PR 8523, version.go + podman.spec.in
-0  c342583da  db1d2ff11   version bump to v2.2.0
 0  8f75ed958  7b3ad6d89   PR 8835, only a README.md change
 0  b6db60e58  f06dd45e0   PR 9420, a test rename
+0  c6a896b0c  4ea5d6971   PR 11833, includes magic string
 "
 
 # The script we're testing

diff --git a/contrib/podmanimage/upstream/Dockerfile b/contrib/podmanimage/upstream/Dockerfile
@@ -40,7 +40,8 @@ RUN yum -y update; rpm --restore shadow-utils 2>/dev/null;  yum -y install --exc
      crun \
      fuse-overlayfs \
      fuse3 \
-     containers-common; \
+     containers-common \
+     podman-plugins; \
      mkdir /root/podman; \
      git clone https://github.com/containers/podman /root/podman/src/github.com/containers/podman; \
      cd /root/podman/src/github.com/containers/podman; \

diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in
@@ -36,7 +36,7 @@ Epoch: 99
 %else
 Epoch: 0
 %endif
-Version: 3.4.1
+Version: 3.4.2
 Release: #COMMITDATE#.git%{shortcommit0}%{?dist}
 Summary: Manage Pods, Containers and Container Images
 License: ASL 2.0

diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
@@ -721,7 +721,7 @@ Default is to create a private PID namespace for the container
 
 #### **--pids-limit**=*limit*
 
-Tune the container's pids limit. Set `0` to have unlimited pids for the container. (default "4096" on systems that support PIDS cgroups).
+Tune the container's pids limit. Set `-1` to have unlimited pids for the container. (default "4096" on systems that support PIDS cgroups).
 
 #### **--platform**=*OS/ARCH*
 

diff --git a/docs/source/markdown/podman-manifest.1.md b/docs/source/markdown/podman-manifest.1.md
@@ -24,5 +24,49 @@ The `podman manifest` command provides subcommands which can be used to:
 | remove   | [podman-manifest-remove(1)](podman-manifest-remove.1.md)     | Remove an image from a manifest list or image index.                        |
 | rm       | [podman-manifest-rme(1)](podman-manifest-rm.1.md)            | Remove manifest list or image index from local storage.                |
 
+## EXAMPLES
+
+### Building a multi-arch manifest list from a Containerfile
+
+Assuming the `Containerfile` uses `RUN` instructions, the host needs
+a way to execute non-native binaries.  Configuring this is beyond
+the scope of this example.  Building a multi-arch manifest list
+`shazam` in parallel across 4-threads can be done like this:
+
+        $ platarch=linux/amd64,linux/ppc64le,linux/arm64,linux/s390x
+        $ podman build --jobs=4 --platform=$platarch --manifest shazam .
+
+**Note:** The `--jobs` argument is optional, and the `-t` or `--tag`
+option should *not* be used.
+
+### Assembling a multi-arch manifest from separately built images
+
+Assuming `example.com/example/shazam:$arch` images are built separately
+on other hosts and pushed to the `example.com` registry.  They may
+be combined into a manifest list, and pushed using a simple loop:
+
+        $ REPO=example.com/example/shazam
+        $ podman manifest create $REPO:latest
+        $ for IMGTAG in amd64 s390x ppc64le arm64; do \
+                  podman manifest add $REPO:latest docker://$REPO:IMGTAG; \
+              done
+        $ podman manifest push --all $REPO:latest
+
+**Note:** The `add` instruction argument order is `<manifest>` then `<image>`.
+Also, the `--all` push option is required to ensure all contents are
+pushed, not just the native platform/arch.
+
+### Removing and tagging a manifest list before pushing
+
+Special care is needed when removing and pushing manifest lists, as opposed
+to the contents.  You almost always want to use the `manifest rm` and
+`manifest push --all` subcommands.  For example, a rename and push could
+be performed like this:
+
+        $ podman tag localhost/shazam example.com/example/shazam
+        $ podman manifest rm localhost/shazam
+        $ podman manifest push --all example.com/example/shazam
+
+
 ## SEE ALSO
 podman(1), podman-manifest-add(1), podman-manifest-annotate(1), podman-manifest-create(1), podman-manifest-inspect(1), podman-manifest-push(1), podman-manifest-remove(1)
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
@@ -743,7 +743,7 @@ The default is to create a private PID namespace for the container.
 
 #### **--pids-limit**=*limit*
 
-Tune the container's pids limit. Set to **0** to have unlimited pids for the container. The default is **4096** on systems that support "pids" cgroup controller.
+Tune the container's pids limit. Set to **-1** to have unlimited pids for the container. The default is **4096** on systems that support "pids" cgroup controller.
 
 #### **--platform**=*OS/ARCH*
 

diff --git a/docs/source/markdown/podman.1.md b/docs/source/markdown/podman.1.md
@@ -82,7 +82,7 @@ Remote connections use local containers.conf for default.
 
 #### **--log-level**=*level*
 
-Log messages above specified level: debug, info, warn, error (default), fatal or panic (default: "error")
+Log messages at and above specified level: debug, info, warn, error, fatal or panic (default: "warn")
 
 #### **--namespace**=*namespace*
 

diff --git a/libpod/container_api.go b/libpod/container_api.go
@@ -184,7 +184,7 @@ func (c *Container) StopWithTimeout(timeout uint) error {
 		return define.ErrCtrStopped
 	}
 
-	if !c.ensureState(define.ContainerStateCreated, define.ContainerStateRunning) {
+	if !c.ensureState(define.ContainerStateCreated, define.ContainerStateRunning, define.ContainerStateStopping) {
 		return errors.Wrapf(define.ErrCtrStateInvalid, "can only stop created or running containers. %s is in state %s", c.ID(), c.state.State.String())
 	}
 
@@ -686,7 +686,7 @@ func (c *Container) Sync() error {
 
 	// If runtime knows about the container, update its status in runtime
 	// And then save back to disk
-	if c.ensureState(define.ContainerStateCreated, define.ContainerStateRunning, define.ContainerStatePaused, define.ContainerStateStopped) {
+	if c.ensureState(define.ContainerStateCreated, define.ContainerStateRunning, define.ContainerStatePaused, define.ContainerStateStopped, define.ContainerStateStopping) {
 		oldState := c.state.State
 		if err := c.ociRuntime.UpdateContainerStatus(c); err != nil {
 			return err

diff --git a/libpod/container_copy_linux.go b/libpod/container_copy_linux.go
@@ -15,8 +15,8 @@ import (
 	"github.com/containers/buildah/util"
 	"github.com/containers/podman/v3/libpod/define"
 	"github.com/containers/podman/v3/pkg/rootless"
+	"github.com/containers/storage/pkg/archive"
 	"github.com/containers/storage/pkg/idtools"
-	"github.com/docker/docker/pkg/archive"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
@@ -974,12 +974,15 @@ func (c *Container) exportCheckpoint(options ContainerCheckpointOptions) error {
 
 	includeFiles := []string{
 		"artifacts",
-		"ctr.log",
 		metadata.ConfigDumpFile,
 		metadata.SpecDumpFile,
 		metadata.NetworkStatusFile,
 	}
 
+	if c.LogDriver() == define.KubernetesLogging ||
+		c.LogDriver() == define.JSONLogging {
+		includeFiles = append(includeFiles, "ctr.log")
+	}
 	if options.PreCheckPoint {
 		includeFiles = append(includeFiles, preCheckpointDir)
 	} else {

diff --git a/libpod/kube.go b/libpod/kube.go
@@ -25,6 +25,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
 // GenerateForKube takes a slice of libpod containers and generates
@@ -196,10 +197,11 @@ func containerPortsToServicePorts(containerPorts []v1.ContainerPort) []v1.Servic
 	for _, cp := range containerPorts {
 		nodePort := 30000 + rand.Intn(32767-30000+1)
 		servicePort := v1.ServicePort{
-			Protocol: cp.Protocol,
-			Port:     cp.ContainerPort,
-			NodePort: int32(nodePort),
-			Name:     strconv.Itoa(int(cp.ContainerPort)),
+			Protocol:   cp.Protocol,
+			Port:       cp.ContainerPort,
+			NodePort:   int32(nodePort),
+			Name:       strconv.Itoa(int(cp.ContainerPort)),
+			TargetPort: intstr.Parse(strconv.Itoa(int(cp.ContainerPort))),
 		}
 		sps = append(sps, servicePort)
 	}
@@ -246,7 +248,7 @@ func (p *Pod) podWithContainers(ctx context.Context, containers []*Container, po
 				return nil, err
 			}
 			for k, v := range annotations {
-				podAnnotations[define.BindMountPrefix+k] = v
+				podAnnotations[define.BindMountPrefix+k] = strings.TrimSpace(v)
 			}
 			// Since port bindings for the pod are handled by the
 			// infra container, wipe them here.
@@ -366,7 +368,7 @@ func simplePodWithV1Containers(ctx context.Context, ctrs []*Container) (*v1.Pod,
 			return nil, err
 		}
 		for k, v := range annotations {
-			kubeAnnotations[define.BindMountPrefix+k] = v
+			kubeAnnotations[define.BindMountPrefix+k] = strings.TrimSpace(v)
 		}
 		if isInit {
 			kubeInitCtrs = append(kubeInitCtrs, kubeCtr)
@@ -481,10 +483,16 @@ func containerToV1Container(ctx context.Context, c *Container) (v1.Container, []
 	if err != nil {
 		return kubeContainer, kubeVolumes, nil, annotations, err
 	}
-	if reflect.DeepEqual(imgData.Config.Cmd, kubeContainer.Command) {
+	// If the user doesn't set a command/entrypoint when creating the container with podman and
+	// is using the image command or entrypoint from the image, don't add it to the generated kube yaml
+	if reflect.DeepEqual(imgData.Config.Cmd, kubeContainer.Command) || reflect.DeepEqual(imgData.Config.Entrypoint, kubeContainer.Command) {
 		kubeContainer.Command = nil
 	}
 
+	if imgData.User == c.User() {
+		kubeSec.RunAsGroup, kubeSec.RunAsUser = nil, nil
+	}
+
 	kubeContainer.WorkingDir = c.WorkingDir()
 	kubeContainer.Ports = ports
 	// This should not be applicable
@@ -572,7 +580,8 @@ func ocicniPortMappingToContainerPort(portMappings []ocicni.PortMapping) ([]v1.C
 		var protocol v1.Protocol
 		switch strings.ToUpper(p.Protocol) {
 		case "TCP":
-			protocol = v1.ProtocolTCP
+			// do nothing as it is the default protocol in k8s, there is no need to explicitly
+			// add it to the generated yaml
 		case "UDP":
 			protocol = v1.ProtocolUDP
 		default: