From 4315ec16fdc81d101e5bc3fbb96cdc077be88027 Mon Sep 17 00:00:00 2001 From: Max Goltzsche Date: Mon, 20 May 2024 02:51:40 +0200 Subject: [PATCH] fix: upgrade podman 5.0.3, drop CNI support * podman 5.0.3 * drop CNI networking in favour of netavark * build statically linked netavark * conmon 2.1.11 * crun 1.15 * build using golang 1.21, use alpine 3.19 base container --- Dockerfile | 69 +++++++++++++++++++--------------------- Dockerfile-remote | 4 +-- Makefile | 4 +-- README.md | 10 +++++-- test/rootless.bats | 2 +- 5 files changed, 41 insertions(+), 48 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 5eaf1d1..48285e9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,10 @@
 # Download gpg
-FROM alpine:3.18 AS gpg
+FROM alpine:3.19 AS gpg
 RUN apk add --no-cache gnupg
 # runc
-FROM golang:1.20-alpine3.18 AS runc
+FROM golang:1.21-alpine3.19 AS runc
 ARG RUNC_VERSION=v1.1.12
 # Download runc binary release since static build doesn't work with musl libc anymore since 1.1.8, see https://github.com/opencontainers/runc/issues/3950
 RUN set -eux; \
@@ -16,7 +16,7 @@ RUN set -eux; \
 # podman build base
-FROM golang:1.20-alpine3.18 AS podmanbuildbase
+FROM golang:1.21-alpine3.19 AS podmanbuildbase
 RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
 btrfs-progs btrfs-progs-dev libassuan-dev lvm2-dev device-mapper \
 glib-static libc-dev gpgme-dev protobuf-dev protobuf-c-dev \
@@ -27,7 +27,7 @@ RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
 # podman (without systemd support)
 FROM podmanbuildbase AS podman
 RUN apk add --update --no-cache tzdata curl
-ARG PODMAN_VERSION=v5.0.0
+ARG PODMAN_VERSION=v5.0.3
 ARG PODMAN_BUILDTAGS='seccomp selinux apparmor exclude_graphdriver_devicemapper containers_image_openpgp'
 ARG PODMAN_CGO=1
 RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch ${PODMAN_VERSION} https://github.com/containers/podman src/github.com/containers/podman
@@ -47,7 +47,7 @@ RUN set -ex; \
 # conmon (without systemd support)
 FROM podmanbuildbase AS conmon
-ARG CONMON_VERSION=v2.1.10
+ARG CONMON_VERSION=v2.1.11
 RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch ${CONMON_VERSION} https://github.com/containers/conmon.git /conmon
 WORKDIR /conmon
 RUN set -ex; \
@@ -55,26 +55,13 @@ RUN set -ex; \
 bin/conmon --help >/dev/null
-# CNI plugins
-FROM podmanbuildbase AS cniplugins
-ARG CNI_PLUGIN_VERSION=v1.4.1
-ARG CNI_PLUGINS="ipam/host-local main/loopback main/bridge meta/portmap meta/tuning meta/firewall"
-RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${CNI_PLUGIN_VERSION} https://github.com/containernetworking/plugins /go/src/github.com/containernetworking/plugins
-WORKDIR /go/src/github.com/containernetworking/plugins
-RUN set -ex; \
- for PLUGINDIR in $CNI_PLUGINS; do \
- PLUGINBIN=/usr/local/lib/cni/$(basename $PLUGINDIR); \
- CGO_ENABLED=0 go build -o $PLUGINBIN -ldflags "-s -w -extldflags '-static'" ./plugins/$PLUGINDIR; \
- ! ldd $PLUGINBIN; \
- done
-
-
 # slirp4netns
+# TODO: remove in favour of netavark + pasta?!
 FROM podmanbuildbase AS slirp4netns
 WORKDIR /
 RUN apk add --update --no-cache autoconf automake meson ninja linux-headers libcap-static libcap-dev clang llvm
 # Build libslirp
-ARG LIBSLIRP_VERSION=v4.7.0
+ARG LIBSLIRP_VERSION=v4.8.0
 RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${LIBSLIRP_VERSION} https://gitlab.freedesktop.org/slirp/libslirp.git
 WORKDIR /libslirp
 RUN set -ex; \
@@ -84,7 +71,7 @@ RUN set -ex; \
 ninja -C build install
 # Build slirp4netns
 WORKDIR /
-ARG SLIRP4NETNS_VERSION=v1.2.3
+ARG SLIRP4NETNS_VERSION=v1.3.1
 RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch $SLIRP4NETNS_VERSION https://github.com/rootless-containers/slirp4netns.git
 WORKDIR /slirp4netns
 RUN set -ex; \
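Review bot: The `# TODO: remove in favour of netavark + pasta?!` comment added above the slirp4netns stage reads as an open question rather than a recorded decision, and the stage's binary is still copied into podmanall later in this patch. Stating the removal condition would make the intent clear to the next maintainer, e.g. `# TODO: drop slirp4netns once pasta is the default rootless network backend (still copied into podmanall)`. The CNI stage deletion itself is consistent with the rest of the Dockerfile changes in this patch.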
@@ -92,26 +79,30 @@ RUN set -ex; \
 LDFLAGS=-static ./configure --prefix=/usr; \
 make
+
 # netavark
-FROM podmanbuildbase AS netavark
-WORKDIR /
-RUN apk add --update --no-cache cargo
-# Build passt
+FROM rust:1.78-alpine3.19 AS netavark
+RUN apk add --update --no-cache git make musl-dev protoc
 ARG NETAVARK_VERSION=v1.10.3
-RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${NETAVARK_VERSION} https://github.com/containers/netavark
+RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=$NETAVARK_VERSION https://github.com/containers/netavark
 WORKDIR /netavark
-RUN LDFLAGS=-static make
+ENV RUSTFLAGS='-C link-arg=-s'
+RUN cargo build --release
 # passt
 FROM podmanbuildbase AS passt
 WORKDIR /
 RUN apk add --update --no-cache autoconf automake meson ninja linux-headers libcap-static libcap-dev clang llvm coreutils
-# Build passt
-ARG PASST_VERSION=2024_04_05.954589b
-RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${PASST_VERSION} git://passt.top/passt
+ARG PASST_VERSION=2024_05_10.7288448
+RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=$PASST_VERSION git://passt.top/passt
 WORKDIR /passt
-RUN make static
+RUN set -ex; \
+ make static; \
+ mkdir bin; \
+ cp pasta bin/; \
+ [ ! -f pasta.avx2 ] || cp pasta.avx2 bin/; \
+ ! ldd /passt/bin/pasta
 # fuse-overlayfs (derived from https://github.com/containers/fuse-overlayfs/blob/master/Dockerfile.static)
@@ -129,7 +120,7 @@ RUN set -ex; \
 ninja install; \
 fusermount3 -V
 ARG FUSEOVERLAYFS_VERSION=v1.13
-RUN git clone -c advice.detachedHead=false --depth=1 --branch=$FUSEOVERLAYFS_VERSION https://github.com/containers/fuse-overlayfs /fuse-overlayfs
+RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=$FUSEOVERLAYFS_VERSION https://github.com/containers/fuse-overlayfs /fuse-overlayfs
 WORKDIR /fuse-overlayfs
 RUN set -ex; \
 sh autogen.sh; \
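Review bot: The new netavark stage never verifies that the binary is statically linked, although the commit message claims a static netavark build and the passt stage in the same hunk asserts it with `! ldd /passt/bin/pasta` (the removed CNI stage did the same for each plugin). Whether `cargo build --release` on the rust alpine image yields a fully static binary depends on the image's default target and the crate's link settings, so the stage should assert it the same way, e.g. `RUN set -ex; cargo build --release; ! ldd target/release/netavark`. Note that `ENV RUSTFLAGS='-C link-arg=-s'` only strips symbols and does not request static linking, so a short comment on that line such as `# -s: strip the binary; static linking comes from the musl target` would prevent the two being conflated. The passt clone still uses the unauthenticated `git://passt.top/passt` transport; if the server offers HTTPS, switching to it keeps the same tag pinning while adding transport integrity.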
@@ -143,7 +134,7 @@ RUN set -ex; \
 FROM podmanbuildbase AS catatonit
 RUN apk add --update --no-cache autoconf automake libtool
 ARG CATATONIT_VERSION=v0.2.0
-RUN git clone --branch=$CATATONIT_VERSION https://github.com/openSUSE/catatonit.git /catatonit
+RUN git clone -c 'advice.detachedHead=false' --branch=$CATATONIT_VERSION https://github.com/openSUSE/catatonit.git /catatonit
 WORKDIR /catatonit
 RUN set -ex; \
 ./autogen.sh; \
@@ -153,7 +144,7 @@ RUN set -ex; \
 # Build podman base image
-FROM alpine:3.18 AS podmanbase
+FROM alpine:3.19 AS podmanbase
 LABEL maintainer="Max Goltzsche "
 RUN apk add --no-cache tzdata ca-certificates
 COPY --from=conmon /conmon/bin/conmon /usr/local/lib/podman/conmon
@@ -187,7 +178,7 @@ COPY --from=runc /usr/local/bin/runc /usr/local/bin/runc
 # Download crun
 # (switched keyserver from sks to ubuntu since sks is offline now and gpg refuses to import keys from keys.openpgp.org because it does not provide a user ID with the key.)
 FROM gpg AS crun
-ARG CRUN_VERSION=1.14.4
+ARG CRUN_VERSION=1.15
 RUN set -ex; \
 ARCH="`uname -m | sed 's!x86_64!amd64!; s!aarch64!arm64!'`"; \
 wget -O /usr/local/bin/crun https://github.com/containers/crun/releases/download/$CRUN_VERSION/crun-${CRUN_VERSION}-linux-${ARCH}-disable-systemd; \
@@ -202,12 +193,10 @@ FROM rootlesspodmanbase AS rootlesspodmanminimal
 COPY --from=crun /usr/local/bin/crun /usr/local/bin/crun
 COPY conf/crun-containers.conf /etc/containers/containers.conf
-# Build podman image with rootless binaries and CNI plugins
+# Build podman image with rootless binaries
 FROM rootlesspodmanrunc AS podmanall
 RUN apk add --no-cache iptables ip6tables
 COPY --from=slirp4netns /slirp4netns/slirp4netns /usr/local/bin/slirp4netns
-COPY --from=passt /passt/pasta /usr/local/bin/pasta
-COPY --from=netavark /netavark/bin/netavark /usr/local/lib/podman/netavark
-COPY --from=cniplugins /usr/local/lib/cni /usr/local/lib/cni
+COPY --from=passt /passt/bin/ /usr/local/bin/
+COPY --from=netavark /netavark/target/release/netavark /usr/local/lib/podman/netavark
 COPY --from=catatonit /catatonit/catatonit /usr/local/lib/podman/catatonit
-COPY conf/cni /etc/cni
diff --git a/Dockerfile-remote b/Dockerfile-remote
index 248035b..11e4662 100644
--- a/Dockerfile-remote
+++ b/Dockerfile-remote
@@ -1,5 +1,5 @@
 # podman build base
-FROM golang:1.20-alpine3.18 AS podmanbuildbase
+FROM golang:1.21-alpine3.19 AS podmanbuildbase
 RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
 btrfs-progs btrfs-progs-dev libassuan-dev lvm2-dev device-mapper \
 glib-static libc-dev gpgme-dev protobuf-dev protobuf-c-dev \
@@ -9,7 +9,7 @@ RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
 # podman remote
 FROM podmanbuildbase AS podman-remote
 RUN apk add --update --no-cache curl
-ARG PODMAN_VERSION=v5.0.0
+ARG PODMAN_VERSION=v5.0.3
 RUN git clone -c advice.detachedHead=false --depth=1 --branch=${PODMAN_VERSION} https://github.com/containers/podman src/github.com/containers/podman
 WORKDIR $GOPATH/src/github.com/containers/podman
 RUN set -eux; \
diff --git a/Makefile b/Makefile
index 770dc8d..51edfe9 100644
--- a/Makefile
+++ b/Makefile
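Review bot: `RUN apk add --no-cache iptables ip6tables` now sits under the rewritten `# Build podman image with rootless binaries` comment without saying why the packages are still needed once the CNI plugins are gone; the README hunk in this patch notes that netavark's nftables backend is still upstream WIP, so a why-comment such as `# iptables/ip6tables: firewall backend used by netavark (nftables support not yet available)` would stop a later cleanup from dropping them. The `COPY conf/cni /etc/cni` line is removed, but the diffstat lists no files under conf/, so the CNI configuration presumably stays in the repository as dead config and should be deleted in a follow-up. Netavark's container DNS is normally provided by a separate aardvark-dns binary, which does not appear anywhere in this patch; if it is not shipped elsewhere in the image, DNS-enabled networks may fail at runtime, which is worth confirming before release.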
@@ -12,7 +12,7 @@ GPG_IMAGE = gpg-signer
 BUILD_DIR = ./build
-BATS_VERSION = v1.8.2
+BATS_VERSION = v1.11.0
 BATS_DIR := $(BUILD_DIR)/bats-$(BATS_VERSION)
 BATS = $(BATS_DIR)/bin/bats
 BATS_TEST ?= test
@@ -145,7 +145,7 @@ run: $(PODMAN_IMAGE)
 /bin/sh
 clean:
- $(DOCKER) run --rm -v "`pwd`:/work" alpine:3.18 rm -rf /work/build
+ $(DOCKER) run --rm -v "`pwd`:/work" alpine:3.19 rm -rf /work/build
 run-server: podman-ssh
 # TODO: make sshd log to stdout (while still ensuring that we know when it is available)
diff --git a/README.md b/README.md
index 9b6691a..4d7ed28 100644
--- a/README.md
+++ b/README.md
@@ -6,16 +6,18 @@ This project provides alpine-based podman container images and statically linked
 * [conmon](https://github.com/containers/conmon)
 * [fuse-overlayfs](https://github.com/containers/fuse-overlayfs) and [libfuse](https://github.com/libfuse/libfuse)
 * [slirp4netns](https://github.com/rootless-containers/slirp4netns) (with [libslirp](https://gitlab.freedesktop.org/slirp/libslirp))
-* [CNI plugins](https://github.com/containernetworking/plugins): loopback, bridge, host-local, portmap, firewall, tuning
+* [Netavark](https://github.com/containers/netavark): container network stack and default in podman 5 or later
 * [catatonit](https://github.com/openSUSE/catatonit)
+CNI networking has been replaced with Netavark since Podman version 5.
+
 ## Container image
 The following image tags are supported:
 | Tag | Description |
 | --- | ----------- |
-| `latest`, `` | podman with both rootless and rootful dependencies: runc, conmon, fuse-overlayfs, slirp4netns, CNI plugins, catatonit. |
+| `latest`, `` | podman with both rootless and rootful dependencies: runc, conmon, fuse-overlayfs, slirp4netns, netavark, catatonit. |
 | `minimal`, `-minimal` | podman, crun, fuse-overlayfs and conmon binaries, configured to use the host's existing namespaces (low isolation level). |
 | `remote`, `-remote` | the podman remote binary. |
@@ -73,6 +75,8 @@ The following binaries should be installed on your host:
 * `nsenter`
 * `uidmap` (for rootless mode)
+[nftables](https://netfilter.org/projects/nftables/) (with or without optional iptables-nft wrapper) to be included in the future [WIP](https://github.com/containers/netavark/pull/883).
+
 In order to run rootless containers that use multiple uids/gids you may want to set up a uid/gid mapping for your user on your host:
 ```
 sudo sh -c "echo $(id -un):100000:200000 >> /etc/subuid"
@@ -80,7 +84,7 @@ sudo sh -c "echo $(id -gn):100000:200000 >> /etc/subgid"
 ```
 _Please make sure you don't add the mapping multiple times._
-To support applications that use the `docker` command you may want to link it to `podman` as follows:
+To support applications that rely on the `docker` command, a quick option is to link `podman` as follows:
 ```sh
 sudo ln -s /usr/local/bin/podman /usr/local/bin/docker
 ```
diff --git a/test/rootless.bats b/test/rootless.bats
index f70eaab..c43f527 100644
--- a/test/rootless.bats
+++ b/test/rootless.bats
@@ -31,7 +31,7 @@ teardown_file() {
 }
 @test "$TEST_PREFIX podman - unmapped uid" {
- $DOCKER run --rm --privileged --user 9000:9000 \
+ $DOCKER run --rm --privileged --user 9000:9000 -e HOME=/tmp \
 --pull=never "${PODMAN_IMAGE}" \
 docker run --rm alpine:3.17 wget -O /dev/null http://example.org
 }
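Review bot: The added `-e HOME=/tmp` in the "unmapped uid" test carries no explanation of why the upgraded podman now needs it; the reason is presumably that uid 9000 has no passwd entry and podman requires a writable HOME for its rootless configuration and storage, but that is inferred rather than visible here. A one-line comment above the command, e.g. `# uid 9000 has no passwd entry; podman needs a writable HOME for rootless config/storage`, would record why the test changed alongside the podman bump. The inner `alpine:3.17` image is pulled at runtime and was left alone while the build images moved to 3.19, which is harmless but worth noting if this test is meant to track the base version.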