diff --git a/go.mod b/go.mod index 70ad276d17..d4d92167ca 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/containernetworking/cni v1.1.2 github.com/containernetworking/plugins v1.2.0 github.com/containers/buildah v1.29.0 - github.com/containers/common v0.51.0 + github.com/containers/common v0.51.2 github.com/containers/conmon v2.0.20+incompatible github.com/containers/image/v5 v5.24.1 github.com/containers/ocicrypt v1.1.7 diff --git a/go.sum b/go.sum index 8369b6efc2..2030bf506b 100644 --- a/go.sum +++ b/go.sum @@ -268,8 +268,8 @@ github.com/containernetworking/plugins v1.2.0 h1:SWgg3dQG1yzUo4d9iD8cwSVh1VqI+bP github.com/containernetworking/plugins v1.2.0/go.mod h1:/VjX4uHecW5vVimFa1wkG4s+r/s9qIfPdqlLF4TW8c4= github.com/containers/buildah v1.29.0 h1:rA3S2SXJffrJjvY2kyxOsAaIseDY6Ib77FsD7n88Mj4= github.com/containers/buildah v1.29.0/go.mod h1:mah+CGmpOjkBJJ5rhOP0M2ETnODhiuhtnXusfh0hc6Q= -github.com/containers/common v0.51.0 h1:Ax4YHNTG8cEPHZJcMYRoP7sfBgOISceeyOvmZzmSucg= -github.com/containers/common v0.51.0/go.mod h1:3W2WIdalgQfrsX/T5tjX+6CxgT3ThJVN2G9sNuFjuCM= +github.com/containers/common v0.51.2 h1:tJ6Nt+zAC6t8nm8qvlVKNjpp/uh3ane80gyj63BwP0Y= +github.com/containers/common v0.51.2/go.mod h1:3W2WIdalgQfrsX/T5tjX+6CxgT3ThJVN2G9sNuFjuCM= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/image/v5 v5.24.1 h1:XaRw3FJmvZtI297uBVTJluUVH4AQJ//YpHviaOw0C4M= diff --git a/pkg/api/handlers/compat/auth.go b/pkg/api/handlers/compat/auth.go index ee478b9e3a..7b1d5154f1 100644 --- a/pkg/api/handlers/compat/auth.go +++ b/pkg/api/handlers/compat/auth.go @@ -4,9 +4,11 @@ import ( "encoding/json" "errors" "fmt" + "io" "net/http" "strings" + "github.com/containers/common/pkg/auth" DockerClient "github.com/containers/image/v5/docker" "github.com/containers/image/v5/types" "github.com/containers/podman/v4/libpod" @@ -16,13 +18,6 @@ import ( docker "github.com/docker/docker/api/types" ) -func stripAddressOfScheme(address string) string { - for _, s := range []string{"https", "http"} { - address = strings.TrimPrefix(address, s+"://") - } - return address -} - func Auth(w http.ResponseWriter, r *http.Request) { var authConfig docker.AuthConfig err := json.NewDecoder(r.Body).Decode(&authConfig) @@ -41,9 +36,13 @@ func Auth(w http.ResponseWriter, r *http.Request) { sysCtx := runtime.SystemContext() sysCtx.DockerInsecureSkipTLSVerify = skipTLS - fmt.Println("Authenticating with existing credentials...") - registry := stripAddressOfScheme(authConfig.ServerAddress) - if err := DockerClient.CheckAuth(r.Context(), sysCtx, authConfig.Username, authConfig.Password, registry); err == nil { + loginOpts := &auth.LoginOptions{ + Username: authConfig.Username, + Password: authConfig.Password, + Stdout: io.Discard, + NoWriteBack: true, // to prevent credentials to be written on disk + } + if err := auth.Login(r.Context(), sysCtx, loginOpts, []string{authConfig.ServerAddress}); err == nil { utils.WriteResponse(w, http.StatusOK, entities.AuthReport{ IdentityToken: "", Status: "Login Succeeded", diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 6715589dff..6dd0bf5da5 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -494,7 +494,7 @@ var _ = Describe("Podman run", func() { session := podmanTest.Podman([]string{"run", "--rm", "--user", "bin", ALPINE, "grep", "CapBnd", "/proc/self/status"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb")) + Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb")) session = podmanTest.Podman([]string{"run", "--rm", "--user", "bin", ALPINE, "grep", "CapEff", "/proc/self/status"}) session.WaitWithDefaultTimeout() @@ -509,12 +509,12 @@ var _ = Describe("Podman run", func() { session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapBnd", "/proc/self/status"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb")) + Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb")) session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapEff", "/proc/self/status"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb")) + Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb")) session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"}) session.WaitWithDefaultTimeout() @@ -524,12 +524,12 @@ var _ = Describe("Podman run", func() { session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb")) + Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb")) session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapEff", "/proc/self/status"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb")) + Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb")) session = podmanTest.Podman([]string{"run", "--user=1000:1000", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapAmb", "/proc/self/status"}) session.WaitWithDefaultTimeout() @@ -597,7 +597,7 @@ USER bin`, BB) session := podmanTest.Podman([]string{"run", "--rm", "--user", "bin", "test", "grep", "CapBnd", "/proc/self/status"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb")) + Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb")) session = podmanTest.Podman([]string{"run", "--rm", "--user", "bin", "test", "grep", "CapEff", "/proc/self/status"}) session.WaitWithDefaultTimeout() diff --git a/vendor/github.com/containers/common/libnetwork/netavark/config.go b/vendor/github.com/containers/common/libnetwork/netavark/config.go index 4b1ab7d5a1..02109362ef 100644 --- a/vendor/github.com/containers/common/libnetwork/netavark/config.go +++ b/vendor/github.com/containers/common/libnetwork/netavark/config.go @@ -57,6 +57,17 @@ func (n *netavarkNetwork) NetworkUpdate(name string, options types.NetworkUpdate if err != nil { return err } + // Nameservers must be IP Addresses. + for _, dnsServer := range options.AddDNSServers { + if net.ParseIP(dnsServer) == nil { + return fmt.Errorf("unable to parse ip %s specified in AddDNSServer: %w", dnsServer, types.ErrInvalidArg) + } + } + for _, dnsServer := range options.RemoveDNSServers { + if net.ParseIP(dnsServer) == nil { + return fmt.Errorf("unable to parse ip %s specified in RemoveDNSServer: %w", dnsServer, types.ErrInvalidArg) + } + } networkDNSServersBefore := network.NetworkDNSServers networkDNSServersAfter := []string{} for _, server := range networkDNSServersBefore { diff --git a/vendor/github.com/containers/common/pkg/auth/auth.go b/vendor/github.com/containers/common/pkg/auth/auth.go index 85af829623..5cec049164 100644 --- a/vendor/github.com/containers/common/pkg/auth/auth.go +++ b/vendor/github.com/containers/common/pkg/auth/auth.go @@ -19,6 +19,23 @@ import ( terminal "golang.org/x/term" ) +// ErrNewCredentialsInvalid means that the new user-provided credentials are +// not accepted by the registry. +type ErrNewCredentialsInvalid struct { + underlyingError error + message string +} + +// Error returns the error message as a string. +func (e ErrNewCredentialsInvalid) Error() string { + return e.message +} + +// Unwrap returns the underlying error. +func (e ErrNewCredentialsInvalid) Unwrap() error { + return e.underlyingError +} + // GetDefaultAuthFile returns env value REGISTRY_AUTH_FILE as default // --authfile path used in multiple --authfile flag definitions // Will fail over to DOCKER_CONFIG if REGISTRY_AUTH_FILE environment is not set @@ -143,22 +160,25 @@ func Login(ctx context.Context, systemContext *types.SystemContext, opts *LoginO } if err = docker.CheckAuth(ctx, systemContext, username, password, registry); err == nil { - // Write the new credentials to the authfile - desc, err := config.SetCredentials(systemContext, key, username, password) - if err != nil { - return err - } - if opts.Verbose { - fmt.Fprintln(opts.Stdout, "Used: ", desc) + if !opts.NoWriteBack { + // Write the new credentials to the authfile + desc, err := config.SetCredentials(systemContext, key, username, password) + if err != nil { + return err + } + if opts.Verbose { + fmt.Fprintln(opts.Stdout, "Used: ", desc) + } } - } - if err == nil { fmt.Fprintln(opts.Stdout, "Login Succeeded!") return nil } if unauthorized, ok := err.(docker.ErrUnauthorizedForCredentials); ok { logrus.Debugf("error logging into %q: %v", key, unauthorized) - return fmt.Errorf("logging into %q: invalid username/password", key) + return ErrNewCredentialsInvalid{ + underlyingError: err, + message: fmt.Sprintf("logging into %q: invalid username/password", key), + } } return fmt.Errorf("authenticating creds for %q: %w", key, err) } diff --git a/vendor/github.com/containers/common/pkg/auth/cli.go b/vendor/github.com/containers/common/pkg/auth/cli.go index 7266bf48bd..26727f35cc 100644 --- a/vendor/github.com/containers/common/pkg/auth/cli.go +++ b/vendor/github.com/containers/common/pkg/auth/cli.go @@ -26,6 +26,7 @@ type LoginOptions struct { Stdin io.Reader // set to os.Stdin Stdout io.Writer // set to os.Stdout AcceptUnspecifiedRegistry bool // set to true if allows login with unspecified registry + NoWriteBack bool // set to true to not write the credentials to the authfile/cred helpers } // LogoutOptions represents the results for flags in logout diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf index 8339617358..f2f226907a 100644 --- a/vendor/github.com/containers/common/pkg/config/containers.conf +++ b/vendor/github.com/containers/common/pkg/config/containers.conf @@ -63,6 +63,7 @@ # "SETGID", # "SETPCAP", # "SETUID", +# "SYS_CHROOT", #] # A list of sysctls to be set in containers by default, diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go index e27f630647..edc695f784 100644 --- a/vendor/github.com/containers/common/pkg/config/default.go +++ b/vendor/github.com/containers/common/pkg/config/default.go @@ -60,6 +60,7 @@ var ( "CAP_SETGID", "CAP_SETPCAP", "CAP_SETUID", + "CAP_SYS_CHROOT", } // Search these locations in which CNIPlugins can be installed. diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go index 44362e6af0..e59a5952e7 100644 --- a/vendor/github.com/containers/common/version/version.go +++ b/vendor/github.com/containers/common/version/version.go @@ -1,4 +1,4 @@ package version // Version is the version of the build. -const Version = "0.51.0" +const Version = "0.51.2" diff --git a/vendor/modules.txt b/vendor/modules.txt index 26f1ad8672..b34c9773f2 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -121,7 +121,7 @@ github.com/containers/buildah/pkg/rusage github.com/containers/buildah/pkg/sshagent github.com/containers/buildah/pkg/util github.com/containers/buildah/util -# github.com/containers/common v0.51.0 +# github.com/containers/common v0.51.2 ## explicit; go 1.17 github.com/containers/common/libimage github.com/containers/common/libimage/define