diff --git a/go.mod b/go.mod index 33d9458c02e..b9daae6dfc8 100644 --- a/go.mod +++ b/go.mod @@ -41,3 +41,5 @@ require ( ) replace github.com/sirupsen/logrus => github.com/sirupsen/logrus v1.4.2 + +replace github.com/containers/common => github.com/vrothberg/common v0.0.3-0.20210621153102-f38374fa4c60 diff --git a/go.sum b/go.sum index 69d50b774a6..dcbcd2a03aa 100644 --- a/go.sum +++ b/go.sum @@ -204,8 +204,7 @@ github.com/containernetworking/cni v0.8.1 h1:7zpDnQ3T3s4ucOuJ/ZCLrYBxzkg0AELFfII github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHVlzhJpcY6TQxn/fUyDDM= github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8= -github.com/containers/common v0.40.1 h1:ehhWdMyglWC1+UWMNSZMeIemJ5wCEGP/0oGlCDg4q7M= -github.com/containers/common v0.40.1/go.mod h1:X4F+6vmeAWKMMTNHlOBwOnkf5TQAkQACcuNsKjfcodw= +github.com/containers/image/v5 v5.13.2-0.20210617132750-db0df5e0cf5e/go.mod h1:GkWursKDlDcUIT7L7vZf70tADvZCk/Ga0wgS0MuF0ag= github.com/containers/image/v5 v5.13.2 h1:AgYunV/9d2fRkrmo23wH2MkqeHolFd6oQCkK+1PpuFA= github.com/containers/image/v5 v5.13.2/go.mod h1:GkWursKDlDcUIT7L7vZf70tADvZCk/Ga0wgS0MuF0ag= github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE= @@ -743,6 +742,8 @@ github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmF github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae h1:4hwBBUfQCFe3Cym0ZtKyq7L16eZUtYKs+BaHDN6mAns= github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0= +github.com/vrothberg/common v0.0.3-0.20210621153102-f38374fa4c60 h1:NAxwa+59oCwNPyzrZuSmsFr6DBozw6XdqUpysWBcD/I= +github.com/vrothberg/common v0.0.3-0.20210621153102-f38374fa4c60/go.mod h1:+zxauZzkurY5tbQGDxrCV6rF694RX1olXyYRVJHrzWo= github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= diff --git a/vendor/github.com/containers/common/libimage/image.go b/vendor/github.com/containers/common/libimage/image.go index 3bcdbabec73..f1272f507df 100644 --- a/vendor/github.com/containers/common/libimage/image.go +++ b/vendor/github.com/containers/common/libimage/image.go @@ -61,6 +61,24 @@ func (i *Image) reload() error { return nil } +// isCorrupted returns an error if the image may be corrupted. +func (i *Image) isCorrupted(name string) error { + // If it's a manifest list, we're good for now. + if _, err := i.getManifestList(); err == nil { + return nil + } + + ref, err := i.StorageReference() + if err != nil { + return err + } + + if _, err := ref.NewImage(context.Background(), nil); err != nil { + return errors.Errorf("Image %s exists in local storage but may be corrupted: %v", name, err) + } + return nil +} + // Names returns associated names with the image which may be a mix of tags and // digests. func (i *Image) Names() []string { diff --git a/vendor/github.com/containers/common/libimage/pull.go b/vendor/github.com/containers/common/libimage/pull.go index 22cb1a567c2..0a5e49fd2c5 100644 --- a/vendor/github.com/containers/common/libimage/pull.go +++ b/vendor/github.com/containers/common/libimage/pull.go @@ -105,6 +105,20 @@ func (r *Runtime) Pull(ctx context.Context, name string, pullPolicy config.PullP r.writeEvent(&Event{ID: "", Name: name, Time: time.Now(), Type: EventTypeImagePull}) } + // Some callers may set the platform via the system context at creation + // time of the runtime. We need this information to decide whether we + // need to enforce pulling from a registry (see + // containers/podman/issues/10682). + if options.Architecture == "" { + options.Architecture = r.systemContext.ArchitectureChoice + } + if options.OS == "" { + options.OS = r.systemContext.OSChoice + } + if options.Variant == "" { + options.Variant = r.systemContext.VariantChoice + } + var ( pulledImages []string pullError error @@ -333,7 +347,7 @@ func (r *Runtime) copyFromRegistry(ctx context.Context, ref types.ImageReference // from a registry. On successful pull it returns the used fully-qualified // name that can later be used to look up the image in the local containers // storage. -func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName string, pullPolicy config.PullPolicy, options *PullOptions) ([]string, error) { +func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName string, pullPolicy config.PullPolicy, options *PullOptions) ([]string, error) { //nolint:gocyclo // Sanity check. if err := pullPolicy.Validate(); err != nil { return nil, err @@ -350,15 +364,40 @@ func (r *Runtime) copySingleImageFromRegistry(ctx context.Context, imageName str // If there's already a local image "localhost/foo", then we should // attempt pulling that instead of doing the full short-name dance. lookupOptions := &LookupImageOptions{ - Architecture: options.Architecture, - OS: options.OS, - Variant: options.Variant, + // NOTE: we must ignore the platform of a local image when + // doing lookups. Some images set an incorrect or even invalid + // platform (see containers/podman/issues/10682). Doing the + // lookup while ignoring the platform checks prevents + // redundantly downloading the same image. + IgnorePlatform: true, } localImage, resolvedImageName, err = r.LookupImage(imageName, lookupOptions) if err != nil && errors.Cause(err) != storage.ErrImageUnknown { logrus.Errorf("Looking up %s in local storage: %v", imageName, err) } + // If the local image is corrupted, we need to repull it. + if localImage != nil { + if err := localImage.isCorrupted(imageName); err != nil { + logrus.Error(err) + localImage = nil + } + } + + // Unless the pull policy is "always", we must pessimistically assume + // that the local image has an invalid architecture (see + // containers/podman/issues/10682). Hence, whenever the user requests + // a custom platform, set the pull policy to "always" to make sure + // we're pulling down the image. + // + // NOTE that this is will even override --pull={false,never}. This is + // very likely a bug but a consistent one in Podman/Buildah and should + // be addressed at a later point. + if pullPolicy != config.PullPolicyAlways && len(options.Architecture)+len(options.OS)+len(options.Variant) > 0 { + logrus.Debugf("Enforcing pull policy to %q to support custom platform (arch: %q, os: %q, variant: %q)", "always", options.Architecture, options.OS, options.Variant) + pullPolicy = config.PullPolicyAlways + } + if pullPolicy == config.PullPolicyNever { if localImage != nil { logrus.Debugf("Pull policy %q but no local image has been found for %s", pullPolicy, imageName) diff --git a/vendor/github.com/containers/common/libimage/runtime.go b/vendor/github.com/containers/common/libimage/runtime.go index 58ac5864a61..3cbd3dcf448 100644 --- a/vendor/github.com/containers/common/libimage/runtime.go +++ b/vendor/github.com/containers/common/libimage/runtime.go @@ -144,9 +144,8 @@ func (r *Runtime) Exists(name string) (bool, error) { if image == nil { return false, nil } - // Inspect the image to make sure if it's corrupted or not. - if _, err := image.Inspect(context.Background(), false); err != nil { - logrus.Errorf("Image %s exists in local storage but may be corrupted: %v", name, err) + if err := image.isCorrupted(name); err != nil { + logrus.Error(err) return false, nil } return true, nil diff --git a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go index 725e0bfc760..edb1294d618 100644 --- a/vendor/github.com/containers/common/pkg/seccomp/default_linux.go +++ b/vendor/github.com/containers/common/pkg/seccomp/default_linux.go @@ -51,9 +51,14 @@ func DefaultProfile() *Seccomp { { Names: []string{ "bdflush", + "clone3", "io_pgetevents", + "io_uring_enter", + "io_uring_register", + "io_uring_setup", "kexec_file_load", "kexec_load", + "membarrier", "migrate_pages", "move_pages", "nfsservctl", @@ -66,6 +71,10 @@ func DefaultProfile() *Seccomp { "pciconfig_iobase", "pciconfig_read", "pciconfig_write", + "pkey_alloc", + "pkey_free", + "pkey_mprotect", + "rseq", "sgetmask", "ssetmask", "swapcontext", @@ -109,7 +118,6 @@ func DefaultProfile() *Seccomp { "clock_nanosleep", "clock_nanosleep_time64", "clone", - "clone3", "close", "close_range", "connect", @@ -183,7 +191,6 @@ func DefaultProfile() *Seccomp { "getgroups", "getgroups32", "getitimer", - "get_mempolicy", "getpeername", "getpgid", "getpgrp", @@ -234,7 +241,6 @@ func DefaultProfile() *Seccomp { "lstat", "lstat64", "madvise", - "mbind", "memfd_create", "mincore", "mkdir", @@ -280,9 +286,6 @@ func DefaultProfile() *Seccomp { "pipe", "pipe2", "pivot_root", - "pkey_alloc", - "pkey_free", - "pkey_mprotect", "poll", "ppoll", "ppoll_time64", @@ -315,7 +318,6 @@ func DefaultProfile() *Seccomp { "renameat2", "restart_syscall", "rmdir", - "rseq", "rt_sigaction", "rt_sigpending", "rt_sigprocmask", @@ -352,7 +354,6 @@ func DefaultProfile() *Seccomp { "sendmsg", "sendto", "setns", - "set_mempolicy", "set_robust_list", "set_thread_area", "set_tid_address", @@ -662,6 +663,31 @@ func DefaultProfile() *Seccomp { Caps: []string{"CAP_SYS_MODULE"}, }, }, + { + Names: []string{ + "get_mempolicy", + "mbind", + "set_mempolicy", + }, + Action: ActAllow, + Args: []*Arg{}, + Includes: Filter{ + Caps: []string{"CAP_SYS_NICE"}, + }, + }, + { + Names: []string{ + "get_mempolicy", + "mbind", + "set_mempolicy", + }, + Action: ActErrno, + ErrnoRet: &eperm, + Args: []*Arg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_NICE"}, + }, + }, { Names: []string{ "acct", diff --git a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json index eeb41d5d826..885240e50c0 100644 --- a/vendor/github.com/containers/common/pkg/seccomp/seccomp.json +++ b/vendor/github.com/containers/common/pkg/seccomp/seccomp.json @@ -54,9 +54,14 @@ { "names": [ "bdflush", + "clone3", "io_pgetevents", + "io_uring_enter", + "io_uring_register", + "io_uring_setup", "kexec_file_load", "kexec_load", + "membarrier", "migrate_pages", "move_pages", "nfsservctl", @@ -69,6 +74,10 @@ "pciconfig_iobase", "pciconfig_read", "pciconfig_write", + "pkey_alloc", + "pkey_free", + "pkey_mprotect", + "rseq", "sgetmask", "ssetmask", "swapcontext", @@ -115,7 +124,6 @@ "clock_nanosleep", "clock_nanosleep_time64", "clone", - "clone3", "close", "close_range", "connect", @@ -189,7 +197,6 @@ "getgroups", "getgroups32", "getitimer", - "get_mempolicy", "getpeername", "getpgid", "getpgrp", @@ -240,7 +247,6 @@ "lstat", "lstat64", "madvise", - "mbind", "memfd_create", "mincore", "mkdir", @@ -286,9 +292,6 @@ "pipe", "pipe2", "pivot_root", - "pkey_alloc", - "pkey_free", - "pkey_mprotect", "poll", "ppoll", "ppoll_time64", @@ -321,7 +324,6 @@ "renameat2", "restart_syscall", "rmdir", - "rseq", "rt_sigaction", "rt_sigpending", "rt_sigprocmask", @@ -358,7 +360,6 @@ "sendmsg", "sendto", "setns", - "set_mempolicy", "set_robust_list", "set_thread_area", "set_tid_address", @@ -758,6 +759,39 @@ }, "errnoRet": 1 }, + { + "names": [ + "get_mempolicy", + "mbind", + "set_mempolicy" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_NICE" + ] + }, + "excludes": {} + }, + { + "names": [ + "get_mempolicy", + "mbind", + "set_mempolicy" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_NICE" + ] + }, + "errnoRet": 1 + }, { "names": [ "acct" diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go index 11276970715..6c899987af7 100644 --- a/vendor/github.com/containers/common/version/version.go +++ b/vendor/github.com/containers/common/version/version.go @@ -1,4 +1,4 @@ package version // Version is the version of the build. -const Version = "0.40.1" +const Version = "0.40.1-dev" diff --git a/vendor/modules.txt b/vendor/modules.txt index 33b58048fef..71dcc94f885 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -60,7 +60,7 @@ github.com/containernetworking/cni/pkg/types/020 github.com/containernetworking/cni/pkg/types/current github.com/containernetworking/cni/pkg/utils github.com/containernetworking/cni/pkg/version -# github.com/containers/common v0.40.1 +# github.com/containers/common v0.40.1 => github.com/vrothberg/common v0.0.3-0.20210621153102-f38374fa4c60 github.com/containers/common/libimage github.com/containers/common/libimage/manifests github.com/containers/common/pkg/apparmor