From 0a897f03f81ac0d07621abba60561c575e5ec36b Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Wed, 22 Mar 2023 15:17:42 +0100 Subject: [PATCH] vendor github.com/containers/common@v0.51.1 Pulls in fixes to add back the SYS_CHROOT to the default set of capabilities and to pull in fixes for the Docker-compat /auth endpoint which will be cherry-picked in a subsequent commit. Signed-off-by: Valentin Rothberg --- go.mod | 2 +- go.sum | 4 +- test/e2e/run_test.go | 12 +++--- .../containers/common/pkg/auth/auth.go | 40 ++++++++++++++----- .../containers/common/pkg/auth/cli.go | 1 + .../common/pkg/config/containers.conf | 1 + .../containers/common/pkg/config/default.go | 1 + .../containers/common/version/version.go | 2 +- vendor/modules.txt | 2 +- 9 files changed, 44 insertions(+), 21 deletions(-) diff --git a/go.mod b/go.mod index 70ad276d17..cc8f273952 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/containernetworking/cni v1.1.2 github.com/containernetworking/plugins v1.2.0 github.com/containers/buildah v1.29.0 - github.com/containers/common v0.51.0 + github.com/containers/common v0.51.1 github.com/containers/conmon v2.0.20+incompatible github.com/containers/image/v5 v5.24.1 github.com/containers/ocicrypt v1.1.7 diff --git a/go.sum b/go.sum index 8369b6efc2..aac8f9b230 100644 --- a/go.sum +++ b/go.sum 
@@ -268,8 +268,8 @@ github.com/containernetworking/plugins v1.2.0 h1:SWgg3dQG1yzUo4d9iD8cwSVh1VqI+bP github.com/containernetworking/plugins v1.2.0/go.mod h1:/VjX4uHecW5vVimFa1wkG4s+r/s9qIfPdqlLF4TW8c4= github.com/containers/buildah v1.29.0 h1:rA3S2SXJffrJjvY2kyxOsAaIseDY6Ib77FsD7n88Mj4= github.com/containers/buildah v1.29.0/go.mod h1:mah+CGmpOjkBJJ5rhOP0M2ETnODhiuhtnXusfh0hc6Q= -github.com/containers/common v0.51.0 h1:Ax4YHNTG8cEPHZJcMYRoP7sfBgOISceeyOvmZzmSucg= -github.com/containers/common v0.51.0/go.mod h1:3W2WIdalgQfrsX/T5tjX+6CxgT3ThJVN2G9sNuFjuCM= +github.com/containers/common v0.51.1 h1:xMQpFSuUovZgPRWJu1+uBixKsPcRrD4aHADkouz2K9Q= +github.com/containers/common v0.51.1/go.mod h1:3W2WIdalgQfrsX/T5tjX+6CxgT3ThJVN2G9sNuFjuCM= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/image/v5 v5.24.1 h1:XaRw3FJmvZtI297uBVTJluUVH4AQJ//YpHviaOw0C4M= diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 6715589dff..6dd0bf5da5 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -494,7 +494,7 @@ var _ = Describe("Podman run", func() { session := podmanTest.Podman([]string{"run", "--rm", "--user", "bin", ALPINE, "grep", "CapBnd", "/proc/self/status"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb")) + Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb")) session = podmanTest.Podman([]string{"run", "--rm", "--user", "bin", ALPINE, "grep", "CapEff", "/proc/self/status"}) session.WaitWithDefaultTimeout() 
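Review bot: The expected mask `00000000800405fb` in the run_test.go hunk at -494 (and again in the hunks at -509, -524 and -597) is a bare magic string, so nothing in the test says which capability the changed digit stands for. The delta from `00000000800005fb` is 0x40000, i.e. bit 18, which is CAP_SYS_CHROOT, the capability the commit message says is being added back to the default set. Because this value pins the default privilege granted to every container, I would hoist it into one shared constant with a comment, e.g. `const defaultCapMask = "00000000800405fb" // default capability set; bit 18 (0x40000) = CAP_SYS_CHROOT`, and use it in all six changed assertions. The enclosing `It` blocks start and end outside these hunks, so where the constant is declared has to be decided against the full file.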
@@ -509,12 +509,12 @@ var _ = Describe("Podman run", func() { session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapBnd", "/proc/self/status"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb")) + Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb")) session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapEff", "/proc/self/status"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb")) + Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb")) session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"}) session.WaitWithDefaultTimeout() @@ -524,12 +524,12 @@ var _ = Describe("Podman run", func() { session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb")) + Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb")) session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapEff", "/proc/self/status"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb")) + Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb")) session = podmanTest.Podman([]string{"run", "--user=1000:1000", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapAmb", "/proc/self/status"}) session.WaitWithDefaultTimeout() 
@@ -597,7 +597,7 @@ USER bin`, BB) session := podmanTest.Podman([]string{"run", "--rm", "--user", "bin", "test", "grep", "CapBnd", "/proc/self/status"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb")) + Expect(session.OutputToString()).To(ContainSubstring("00000000800405fb")) session = podmanTest.Podman([]string{"run", "--rm", "--user", "bin", "test", "grep", "CapEff", "/proc/self/status"}) session.WaitWithDefaultTimeout() diff --git a/vendor/github.com/containers/common/pkg/auth/auth.go b/vendor/github.com/containers/common/pkg/auth/auth.go index 85af829623..5cec049164 100644 --- a/vendor/github.com/containers/common/pkg/auth/auth.go +++ b/vendor/github.com/containers/common/pkg/auth/auth.go @@ -19,6 +19,23 @@ import ( terminal "golang.org/x/term" ) +// ErrNewCredentialsInvalid means that the new user-provided credentials are +// not accepted by the registry. +type ErrNewCredentialsInvalid struct { + underlyingError error + message string +} + +// Error returns the error message as a string. +func (e ErrNewCredentialsInvalid) Error() string { + return e.message +} + +// Unwrap returns the underlying error. +func (e ErrNewCredentialsInvalid) Unwrap() error { + return e.underlyingError +} + // GetDefaultAuthFile returns env value REGISTRY_AUTH_FILE as default // --authfile path used in multiple --authfile flag definitions // Will fail over to DOCKER_CONFIG if REGISTRY_AUTH_FILE environment is not set 
@@ -143,22 +160,25 @@ func Login(ctx context.Context, systemContext *types.SystemContext, opts *LoginO } if err = docker.CheckAuth(ctx, systemContext, username, password, registry); err == nil { - // Write the new credentials to the authfile - desc, err := config.SetCredentials(systemContext, key, username, password) - if err != nil { - return err - } - if opts.Verbose { - fmt.Fprintln(opts.Stdout, "Used: ", desc) + if !opts.NoWriteBack { + // Write the new credentials to the authfile + desc, err := config.SetCredentials(systemContext, key, username, password) + if err != nil { + return err + } + if opts.Verbose { + fmt.Fprintln(opts.Stdout, "Used: ", desc) + } } - } - if err == nil { fmt.Fprintln(opts.Stdout, "Login Succeeded!") return nil } if unauthorized, ok := err.(docker.ErrUnauthorizedForCredentials); ok { logrus.Debugf("error logging into %q: %v", key, unauthorized) - return fmt.Errorf("logging into %q: invalid username/password", key) + return ErrNewCredentialsInvalid{ + underlyingError: err, + message: fmt.Sprintf("logging into %q: invalid username/password", key), + } } return fmt.Errorf("authenticating creds for %q: %w", key, err) } diff --git a/vendor/github.com/containers/common/pkg/auth/cli.go b/vendor/github.com/containers/common/pkg/auth/cli.go index 7266bf48bd..26727f35cc 100644 --- a/vendor/github.com/containers/common/pkg/auth/cli.go +++ b/vendor/github.com/containers/common/pkg/auth/cli.go @@ -26,6 +26,7 @@ type LoginOptions struct { Stdin io.Reader // set to os.Stdin Stdout io.Writer // set to os.Stdout AcceptUnspecifiedRegistry bool // set to true if allows login with unspecified registry + NoWriteBack bool // set to true to not write the credentials to the authfile/cred helpers } // LogoutOptions represents the results for flags in logout diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf index 8339617358..f2f226907a 100644 
--- a/vendor/github.com/containers/common/pkg/config/containers.conf +++ b/vendor/github.com/containers/common/pkg/config/containers.conf @@ -63,6 +63,7 @@ # "SETGID", # "SETPCAP", # "SETUID", +# "SYS_CHROOT", #] # A list of sysctls to be set in containers by default, diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go index e27f630647..edc695f784 100644 --- a/vendor/github.com/containers/common/pkg/config/default.go +++ b/vendor/github.com/containers/common/pkg/config/default.go @@ -60,6 +60,7 @@ var ( "CAP_SETGID", "CAP_SETPCAP", "CAP_SETUID", + "CAP_SYS_CHROOT", } // Search these locations in which CNIPlugins can be installed. diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go index 44362e6af0..0654ec78db 100644 --- a/vendor/github.com/containers/common/version/version.go +++ b/vendor/github.com/containers/common/version/version.go @@ -1,4 +1,4 @@ package version // Version is the version of the build. -const Version = "0.51.0" +const Version = "0.51.1" diff --git a/vendor/modules.txt b/vendor/modules.txt index 26f1ad8672..a7b2b85cd8 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -121,7 +121,7 @@ github.com/containers/buildah/pkg/rusage github.com/containers/buildah/pkg/sshagent github.com/containers/buildah/pkg/util github.com/containers/buildah/util -# github.com/containers/common v0.51.0 +# github.com/containers/common v0.51.1 ## explicit; go 1.17 github.com/containers/common/libimage github.com/containers/common/libimage/define