From 5f86fae71fb5793de78a5dc09ffa357fb536771c Mon Sep 17 00:00:00 2001
From: Valentin Rothberg
Date: Thu, 23 Mar 2023 15:09:32 +0100
Subject: [PATCH] vendor containers/common@main
Also adjust the e2e tests to account for SYS_CHROOT having made it back to the default caps.
Signed-off-by: Valentin Rothberg
---
 go.mod | 2 +-
 go.sum | 4 ++--
 test/e2e/run_test.go | 12 +++++-----
 .../containers/common/pkg/config/config.go | 24 ++++++++++++++-----
 .../common/pkg/config/containers.conf | 1 +
 .../containers/common/pkg/config/default.go | 1 +
 .../containers/common/version/version.go | 2 +-
 vendor/modules.txt | 2 +-
 8 files changed, 31 insertions(+), 17 deletions(-)
diff --git a/go.mod b/go.mod
index 0e2e76f0cb..45f1559bfe 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 github.com/containernetworking/cni v1.1.2
 github.com/containernetworking/plugins v1.2.0
 github.com/containers/buildah v1.29.1-0.20230201192322-e56eb25575c7
- github.com/containers/common v0.51.1-0.20230316131336-0be880eaeb02
+ github.com/containers/common v0.51.1-0.20230323135459-03a2cc01973c
 github.com/containers/conmon v2.0.20+incompatible
 github.com/containers/image/v5 v5.24.3-0.20230314083015-0c6d07e02a9a
 github.com/containers/libhvee v0.0.1
diff --git a/go.sum b/go.sum
index 335b7e8756..b0c185e446 100644
--- a/go.sum
+++ b/go.sum
@@ -247,8 +247,8 @@ github.com/containernetworking/plugins v1.2.0 h1:SWgg3dQG1yzUo4d9iD8cwSVh1VqI+bP github.com/containernetworking/plugins v1.2.0/go.mod h1:/VjX4uHecW5vVimFa1wkG4s+r/s9qIfPdqlLF4TW8c4= github.com/containers/buildah v1.29.1-0.20230201192322-e56eb25575c7 h1:GmQhTfsGuYgGfuYWEF4Ed+rEvlSWRmxisLBL2J8rCb4= github.com/containers/buildah v1.29.1-0.20230201192322-e56eb25575c7/go.mod h1:sFvOi+WMtMtrkxx1Dn8EhF5/ddXNyC1f5LAj4ZGzjAs= -github.com/containers/common v0.51.1-0.20230316131336-0be880eaeb02 h1:u8ahsfyLhCnTCbxzBuFbcQdGFx2dvz9RWMCe5yNISZ0= -github.com/containers/common v0.51.1-0.20230316131336-0be880eaeb02/go.mod h1:RyY5B1E+PsFnZOW28xgFkjce0oCAMN7c/zskaCYmAkQ= +github.com/containers/common v0.51.1-0.20230323135459-03a2cc01973c h1:j/52772OnuMHg3B2sgMM038S6C/uAJ8cXj9l4jNOjvo= +github.com/containers/common v0.51.1-0.20230323135459-03a2cc01973c/go.mod h1:RyY5B1E+PsFnZOW28xgFkjce0oCAMN7c/zskaCYmAkQ= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/image/v5 v5.24.3-0.20230314083015-0c6d07e02a9a h1:2xIif78r5x2nmdb5uhjXBZuexiDAt1c/XIXFxFhfKSk=
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index a4939fdb5d..506dc37042 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -494,7 +494,7 @@ var _ = Describe("Podman run", func() {
 session := podmanTest.Podman([]string{"run", "--rm", "--user", "bin", ALPINE, "grep", "CapBnd", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
 Expect(session).Should(Exit(0))
- Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb"))
+ Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb"))
 session = podmanTest.Podman([]string{"run", "--rm", "--user", "bin", ALPINE, "grep", "CapEff", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
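Review bot: The expected capability mask `00000000800405fb` in the `CapBnd` assertion is an undocumented hex literal, and the same literal is updated in five more assertions in the following hunks (`@@ -509,12`, `@@ -524,12` and `@@ -597,7`). The new value differs from the old one only in bit 18 (0x40000), which is CAP_SYS_CHROOT, so a shared constant with a decoding comment would make the next change to the default capability set a one-line, reviewable edit, e.g. `const defaultCapMask = "00000000800405fb" // default caps incl. CAP_SYS_CHROOT (bit 18)`. The enclosing test body starts and ends outside the hunk.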
@@ -509,12 +509,12 @@ var _ = Describe("Podman run", func() {
 session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapBnd", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
 Expect(session).Should(Exit(0))
- Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb"))
+ Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb"))
 session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapEff", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
 Expect(session).Should(Exit(0))
- Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb"))
+ Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb"))
 session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
@@ -524,12 +524,12 @@ var _ = Describe("Podman run", func() {
 session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
 Expect(session).Should(Exit(0))
- Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb"))
+ Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb"))
 session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapEff", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
 Expect(session).Should(Exit(0))
- Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb"))
+ Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb"))
 session = podmanTest.Podman([]string{"run", "--user=1000:1000", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapAmb", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
@@ -597,7 +597,7 @@ USER bin`, BB)
 session := podmanTest.Podman([]string{"run", "--rm", "--user", "bin", "test", "grep", "CapBnd", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
 Expect(session).Should(Exit(0))
- Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb"))
+ Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb"))
 session = podmanTest.Podman([]string{"run", "--rm", "--user", "bin", "test", "grep", "CapEff", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go
index de5de3429a..bc06e7411d 100644
--- a/vendor/github.com/containers/common/pkg/config/config.go
+++ b/vendor/github.com/containers/common/pkg/config/config.go
@@ -765,11 +765,21 @@ func addConfigs(dirPath string, configs []string) ([]string, error) {
 // Returns the list of configuration files, if they exist in order of hierarchy.
 // The files are read in order and each new file can/will override previous
 // file settings.
-func systemConfigs() ([]string, error) {
- var err error
- configs := []string{}
- path := os.Getenv("CONTAINERS_CONF")
- if path != "" {
+func systemConfigs() (configs []string, finalErr error) {
+ if path := os.Getenv("CONTAINERS_CONF_OVERRIDE"); path != "" {
+ if _, err := os.Stat(path); err != nil {
+ return nil, fmt.Errorf("CONTAINERS_CONF_OVERRIDE file: %w", err)
+ }
+ // Add the override config last to make sure it can override any
+ // previous settings.
+ defer func() {
+ if finalErr == nil {
+ configs = append(configs, path)
+ }
+ }()
+ }
+
+ if path := os.Getenv("CONTAINERS_CONF"); path != "" {
 if _, err := os.Stat(path); err != nil {
 return nil, fmt.Errorf("CONTAINERS_CONF file: %w", err)
 }
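Review bot: The doc comment above `systemConfigs` is left unchanged and does not mention `CONTAINERS_CONF_OVERRIDE`, even though the new deferred append makes that file the last one in the list, so it wins over every other source. Because such a file can change security-relevant defaults (the capability list touched elsewhere in this commit is one), the precedence should be stated where maintainers will look for it, for example `// If CONTAINERS_CONF_OVERRIDE is set, that file is appended last and overrides all other configuration files.` A short comment next to the `defer` should also say that it relies on the named results `configs` and `finalErr` and runs on every successful return path, which presumably includes the `CONTAINERS_CONF` branch whose body continues outside the hunk. A debug-level log line naming the applied override file would make unexpected settings easier to trace during an audit.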
@@ -781,12 +791,14 @@ func systemConfigs() ([]string, error) {
 if _, err := os.Stat(OverrideContainersConfig); err == nil {
 configs = append(configs, OverrideContainersConfig)
 }
+
+ var err error
 configs, err = addConfigs(OverrideContainersConfig+".d", configs)
 if err != nil {
 return nil, err
 }
- path, err = ifRootlessConfigPath()
+ path, err := ifRootlessConfigPath()
 if err != nil {
 return nil, err
 }
diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf
index 9a2d243979..b38c798cb4 100644
--- a/vendor/github.com/containers/common/pkg/config/containers.conf
+++ b/vendor/github.com/containers/common/pkg/config/containers.conf
@@ -68,6 +68,7 @@
 # "SETGID",
 # "SETPCAP",
 # "SETUID",
+# "SYS_CHROOT",
 #]
 # A list of sysctls to be set in containers by default,
diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go
index a811d01835..6d5500aaee 100644
--- a/vendor/github.com/containers/common/pkg/config/default.go
+++ b/vendor/github.com/containers/common/pkg/config/default.go
@@ -60,6 +60,7 @@ var (
 "CAP_SETGID",
 "CAP_SETPCAP",
 "CAP_SETUID",
+ "CAP_SYS_CHROOT",
 }
 // Search these locations in which CNIPlugins can be installed.
diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
index 9fbd43e537..ef6a4d2c3b 100644
--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
@@ -1,4 +1,4 @@
 package version
 // Version is the version of the build.
-const Version = "0.51.1-dev"
+const Version = "0.52.0-dev"
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 01a08063c9..dad6cd59f9 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
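Review bot: Adding `"CAP_SYS_CHROOT"` to the default capability list in `default.go` widens what every container receives unless the user overrides it, and neither this hunk nor the matching sample line in `containers.conf` carries a comment saying why the capability is needed. A short why-comment on the new entry with a pointer to the opt-out would help operators who relied on the narrower default, e.g. `// CAP_SYS_CHROOT is part of the defaults again; drop it with --cap-drop=SYS_CHROOT or a custom default_capabilities list.` The list's declaration starts outside the hunk, so whether the other entries are documented elsewhere cannot be seen from here.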
@@ -123,7 +123,7 @@ github.com/containers/buildah/pkg/rusage github.com/containers/buildah/pkg/sshagent github.com/containers/buildah/pkg/util github.com/containers/buildah/util -# github.com/containers/common v0.51.1-0.20230316131336-0be880eaeb02 +# github.com/containers/common v0.51.1-0.20230323135459-03a2cc01973c ## explicit; go 1.18 github.com/containers/common/libimage github.com/containers/common/libimage/define