From c837ebc44e5b9eeca643d18b65653e52af59bcc7 Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Fri, 17 May 2024 11:32:20 +0200
Subject: [PATCH 1/2] vendor latest c/common main Includes a new libnetwork API to get the rootlessnetns ips.
Signed-off-by: Paul Holzinger
---
 go.mod | 8 ++--
 go.sum | 16 ++++----
 .../containers/common/libnetwork/cni/run.go | 7 ++++
 .../internal/rootlessnetns/netns_freebsd.go | 5 +++
 .../internal/rootlessnetns/netns_linux.go | 35 +++++++++++++++++-
 .../common/libnetwork/netavark/run.go | 7 ++++
 .../common/libnetwork/types/network.go | 10 +++++
 .../containers/common/pkg/secrets/secrets.go | 11 +++---
 .../stefanberger/go-pkcs11uri/.travis.yml | 4 +-
 .../stefanberger/go-pkcs11uri/pkcs11uri.go | 37 +++++++++++++++++--
 vendor/modules.txt | 10 ++---
 11 files changed, 122 insertions(+), 28 deletions(-)
diff --git a/go.mod b/go.mod
index 5feef5b21b2..c8d4460df8b 100644
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 github.com/checkpoint-restore/go-criu/v7 v7.1.0
 github.com/containernetworking/plugins v1.4.1
 github.com/containers/buildah v1.35.1-0.20240510150258-77f239ae12e5
- github.com/containers/common v0.58.1-0.20240509172903-2c88a3f280bb
+ github.com/containers/common v0.58.1-0.20240517090124-fa276b325847
 github.com/containers/conmon v2.0.20+incompatible
 github.com/containers/gvisor-tap-vsock v0.7.4-0.20240408151405-d744d71db363
 github.com/containers/image/v5 v5.30.2-0.20240509191815-9318d0eaaf78
@@ -30,7 +30,7 @@ require (
 github.com/cyphar/filepath-securejoin v0.2.5
 github.com/digitalocean/go-qemu v0.0.0-20230711162256-2e3d0186973e
 github.com/docker/distribution v2.8.3+incompatible
- github.com/docker/docker v26.1.2+incompatible
+ github.com/docker/docker v26.1.3+incompatible
 github.com/docker/go-connections v0.5.0
 github.com/docker/go-plugins-helpers v0.0.0-20211224144127-6eecb7beb651
 github.com/docker/go-units v0.5.0
@@ -98,7 +98,7 @@ require (
 github.com/chenzhuoyu/iasm v0.9.1 // indirect
 github.com/chzyer/readline v1.5.1 // indirect
 github.com/containerd/cgroups/v3 v3.0.3 // indirect
- github.com/containerd/containerd v1.7.16 // indirect
+ github.com/containerd/containerd v1.7.17 // indirect
 github.com/containerd/errdefs v0.1.0 // indirect
 github.com/containerd/log v0.1.0 // indirect
 github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
@@ -194,7 +194,7 @@ require (
 github.com/sigstore/rekor v1.3.6 // indirect
 github.com/sigstore/sigstore v1.8.3 // indirect
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
- github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
+ github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 // indirect
 github.com/sylabs/sif/v2 v2.16.0 // indirect
 github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
diff --git a/go.sum b/go.sum
index 72a6edd6c07..0632edde602 100644
--- a/go.sum
+++ b/go.sum
@@ -63,8 +63,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0=
 github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0=
-github.com/containerd/containerd v1.7.16 h1:7Zsfe8Fkj4Wi2My6DXGQ87hiqIrmOXolm72ZEkFU5Mg=
-github.com/containerd/containerd v1.7.16/go.mod h1:NL49g7A/Fui7ccmxV6zkBWwqMgmMxFWzujYCc+JLt7k=
+github.com/containerd/containerd v1.7.17 h1:KjNnn0+tAVQHAoaWRjmdak9WlvnFR/8rU1CHHy8Rm2A=
+github.com/containerd/containerd v1.7.17/go.mod h1:vK+hhT4TIv2uejlcDlbVIc8+h/BqtKLIyNrtCZol8lI=
 github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5ZURM=
 github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
@@ -79,8 +79,8 @@ github.com/containernetworking/plugins v1.4.1 h1:+sJRRv8PKhLkXIl6tH1D7RMi+CbbHut
 github.com/containernetworking/plugins v1.4.1/go.mod h1:n6FFGKcaY4o2o5msgu/UImtoC+fpQXM3076VHfHbj60=
 github.com/containers/buildah v1.35.1-0.20240510150258-77f239ae12e5 h1:xtKtw/g2iDkirqSw6Dvvc2ZMPxBYhyN9xPdH81a7hO4=
 github.com/containers/buildah v1.35.1-0.20240510150258-77f239ae12e5/go.mod h1:ezOOMchy0Dcu/jKNNsTJbtxvOrhdogVkbG+UxkG77EY=
-github.com/containers/common v0.58.1-0.20240509172903-2c88a3f280bb h1:mb5e8J/kErkytiM1J5hqdZENBJfSQyQ37Cgx0hinVYs=
-github.com/containers/common v0.58.1-0.20240509172903-2c88a3f280bb/go.mod h1:SCOYkp6ul27v6WoNkbgvhAhhSEM6fYKl2My9/WuESdA=
+github.com/containers/common v0.58.1-0.20240517090124-fa276b325847 h1:34cLMWNLLytr35gxiklxsKfjrbYIW/GArhTF7hakx2Q=
+github.com/containers/common v0.58.1-0.20240517090124-fa276b325847/go.mod h1:9BdyHXC2fM6q+gqTVmnaf1tdGLnne0votxdPOTN3aY4=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.7.4-0.20240408151405-d744d71db363 h1:EqWMZeFa08y2c1GniaFkfjlO5AjegoG2foWo6NlDfUY=
@@ -136,8 +136,8 @@ github.com/docker/cli v26.1.2+incompatible h1:/MWZpUMMlr1hCGyquL8QNbL1hbivQ1kLuT
 github.com/docker/cli v26.1.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v26.1.2+incompatible h1:UVX5ZOrrfTGZZYEP+ZDq3Xn9PdHNXaSYMFPDumMqG2k=
-github.com/docker/docker v26.1.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.1.3+incompatible h1:lLCzRbrVZrljpVNobJu1J2FHk8V0s4BawoZippkc+xo=
+github.com/docker/docker v26.1.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo=
 github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
@@ -485,8 +485,8 @@ github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
 github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 h1:lIOOHPEbXzO3vnmx2gok1Tfs31Q8GQqKLc8vVqyQq/I=
-github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8=
+github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 h1:pnnLyeX7o/5aX8qUQ69P/mLojDqwda8hFOCBTmP/6hw=
+github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6/go.mod h1:39R/xuhNgVhi+K0/zst4TLrJrVmbm6LVgl4A0+ZFS5M=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
diff --git a/vendor/github.com/containers/common/libnetwork/cni/run.go b/vendor/github.com/containers/common/libnetwork/cni/run.go
index d8fb4775911..337a27b8efd 100644
--- a/vendor/github.com/containers/common/libnetwork/cni/run.go
+++ b/vendor/github.com/containers/common/libnetwork/cni/run.go
@@ -295,3 +295,10 @@ func (n *cniNetwork) RunInRootlessNetns(toRun func() error) error {
 }
 return n.rootlessNetns.Run(n.lock, toRun)
 }
+
+func (n *cniNetwork) RootlessNetnsInfo() (*types.RootlessNetnsInfo, error) {
+ if n.rootlessNetns == nil {
+ return nil, types.ErrNotRootlessNetns
+ }
+ return n.rootlessNetns.Info(), nil
+}
diff --git a/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_freebsd.go b/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_freebsd.go
index a176d2d8227..27ef1f4c28b 100644
--- a/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_freebsd.go
+++ b/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_freebsd.go
@@ -3,6 +3,7 @@ package rootlessnetns
 import (
 "errors"
+ "github.com/containers/common/libnetwork/types"
 "github.com/containers/common/pkg/config"
 "github.com/containers/storage/pkg/lockfile"
 )
@@ -26,3 +27,7 @@ func (n *Netns) Teardown(nets int, toRun func() error) error {
 func (n *Netns) Run(lock *lockfile.LockFile, toRun func() error) error {
 return ErrNotSupported
 }
+
+func (n *Netns) Info() *types.RootlessNetnsInfo {
+ return &types.RootlessNetnsInfo{}
+}
diff --git a/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_linux.go b/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_linux.go
index 78fe8e32507..ffd65f1fbcf 100644
--- a/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_linux.go
+++ b/vendor/github.com/containers/common/libnetwork/internal/rootlessnetns/netns_linux.go
@@ -4,6 +4,7 @@ import (
 "errors"
 "fmt"
 "io/fs"
+ "net"
 "os"
 "path/filepath"
 "strconv"
@@ -13,6 +14,7 @@ import (
 "github.com/containers/common/libnetwork/pasta"
 "github.com/containers/common/libnetwork/resolvconf"
 "github.com/containers/common/libnetwork/slirp4netns"
+ "github.com/containers/common/libnetwork/types"
 "github.com/containers/common/pkg/config"
 "github.com/containers/common/pkg/netns"
 "github.com/containers/common/pkg/systemd"
@@ -51,6 +53,12 @@ type Netns struct {
 // config contains containers.conf options.
 config *config.Config
+
+ // ipAddresses used in the netns, this is needed to store
+ // the netns ips that are used by pasta. This is then handed
+ // back to the caller via IPAddresses() which then can make
+ // sure to not use them for host.containers.internal.
+ ipAddresses []net.IP
 }
 type rootlessNetnsError struct {
@@ -521,7 +529,24 @@ func (n *Netns) runInner(toRun func() error) (err error) {
 if err := n.setupMounts(); err != nil {
 return err
 }
- return toRun()
+ if err := toRun(); err != nil {
+ return err
+ }
+
+ // get the current active addresses in the netns, and store them
+ addrs, err := net.InterfaceAddrs()
+ if err != nil {
+ return err
+ }
+ ips := make([]net.IP, 0, len(addrs))
+ for _, addr := range addrs {
+ // make sure to skip localhost and other special addresses
+ if ipnet, ok := addr.(*net.IPNet); ok && ipnet.IP.IsGlobalUnicast() {
+ ips = append(ips, ipnet.IP)
+ }
+ }
+ n.ipAddresses = ips
+ return nil
 })
 }
@@ -597,6 +622,14 @@ func (n *Netns) Run(lock *lockfile.LockFile, toRun func() error) error {
 return inErr
 }
+// IPAddresses returns the currently used ip addresses in the netns
+// These should then not be assigned for the host.containers.internal entry.
+func (n *Netns) Info() *types.RootlessNetnsInfo {
+ return &types.RootlessNetnsInfo{
+ IPAddresses: n.ipAddresses,
+ }
+}
+
 func refCount(dir string, inc int) (int, error) {
 file := filepath.Join(dir, refCountFile)
 content, err := os.ReadFile(file)
diff --git a/vendor/github.com/containers/common/libnetwork/netavark/run.go b/vendor/github.com/containers/common/libnetwork/netavark/run.go
index 9a04120b594..3d121d64aa4 100644
--- a/vendor/github.com/containers/common/libnetwork/netavark/run.go
+++ b/vendor/github.com/containers/common/libnetwork/netavark/run.go
@@ -187,3 +187,10 @@ func (n *netavarkNetwork) RunInRootlessNetns(toRun func() error) error {
 }
 return n.rootlessNetns.Run(n.lock, toRun)
 }
+
+func (n *netavarkNetwork) RootlessNetnsInfo() (*types.RootlessNetnsInfo, error) {
+ if n.rootlessNetns == nil {
+ return nil, types.ErrNotRootlessNetns
+ }
+ return n.rootlessNetns.Info(), nil
+}
diff --git a/vendor/github.com/containers/common/libnetwork/types/network.go b/vendor/github.com/containers/common/libnetwork/types/network.go
index 9e30975cb0a..9741103f5be 100644
--- a/vendor/github.com/containers/common/libnetwork/types/network.go
+++ b/vendor/github.com/containers/common/libnetwork/types/network.go
@@ -31,6 +31,11 @@ type ContainerNetwork interface {
 // Only used as rootless and should return an error as root.
 RunInRootlessNetns(toRun func() error) error
+ // RootlessNetnsInfo return extra information about the rootless netns.
+ // Only valid when called after Setup().
+ // Only used as rootless and should return an error as root.
+ RootlessNetnsInfo() (*RootlessNetnsInfo, error)
+
 // Drivers will return the list of supported network drivers
 // for this interface.
 Drivers() []string
@@ -334,6 +339,11 @@ type TeardownOptions struct {
 NetworkOptions
 }
+type RootlessNetnsInfo struct {
+ // IPAddresses used in the netns, must not be used for host.containers.internal
+ IPAddresses []net.IP
+}
+
 // FilterFunc can be passed to NetworkList to filter the networks.
 type FilterFunc func(Network) bool
diff --git a/vendor/github.com/containers/common/pkg/secrets/secrets.go b/vendor/github.com/containers/common/pkg/secrets/secrets.go
index 8ffcc738bd8..09a49ad40b6 100644
--- a/vendor/github.com/containers/common/pkg/secrets/secrets.go
+++ b/vendor/github.com/containers/common/pkg/secrets/secrets.go
@@ -218,11 +218,12 @@ func (s *SecretsManager) Store(name string, data []byte, driverType string, opti
 }
 if options.Replace {
- if err := driver.Delete(secr.ID); err != nil && !errors.Is(err, define.ErrNoSuchSecret) {
- return "", fmt.Errorf("deleting secret %s: %w", secr.ID, err)
- }
-
- if err == nil {
+ err := driver.Delete(secr.ID)
+ if err != nil {
+ if !errors.Is(err, define.ErrNoSuchSecret) {
+ return "", fmt.Errorf("deleting driver secret %s: %w", secr.ID, err)
+ }
+ } else {
 if err := s.delete(secr.ID); err != nil && !errors.Is(err, define.ErrNoSuchSecret) {
 return "", fmt.Errorf("deleting secret %s: %w", secr.ID, err)
 }
diff --git a/vendor/github.com/stefanberger/go-pkcs11uri/.travis.yml b/vendor/github.com/stefanberger/go-pkcs11uri/.travis.yml
index f5f274f96da..45c00cb9ce2 100644
--- a/vendor/github.com/stefanberger/go-pkcs11uri/.travis.yml
+++ b/vendor/github.com/stefanberger/go-pkcs11uri/.travis.yml
@@ -5,7 +5,7 @@ os:
 - linux
 go:
- - "1.13.x"
+ - "1.19.x"
 matrix:
 include:
@@ -17,7 +17,7 @@ addons:
 - softhsm2
 install:
- - curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.30.0
+ - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.53.2
 script:
 - make
diff --git a/vendor/github.com/stefanberger/go-pkcs11uri/pkcs11uri.go b/vendor/github.com/stefanberger/go-pkcs11uri/pkcs11uri.go
index 39b06548efa..82c32e3c86b 100644
--- a/vendor/github.com/stefanberger/go-pkcs11uri/pkcs11uri.go
+++ b/vendor/github.com/stefanberger/go-pkcs11uri/pkcs11uri.go
@@ -19,7 +19,6 @@ package pkcs11uri
 import (
 "errors"
 "fmt"
- "io/ioutil"
 "net/url"
 "os"
 "path/filepath"
@@ -128,6 +127,12 @@ func (uri *Pkcs11URI) SetPathAttribute(name, value string) error {
 return uri.setAttribute(uri.pathAttributes, name, value)
 }
+// SetPathAttributeUnencoded sets the value for a path attribute given as byte[].
+// The value must not have been pct-encoded already.
+func (uri *Pkcs11URI) SetPathAttributeUnencoded(name string, value []byte) {
+ uri.pathAttributes[name] = string(value)
+}
+
 // AddPathAttribute adds a path attribute; it returns an error if an attribute with the same
 // name already existed or if the given value cannot be pct-unescaped
 func (uri *Pkcs11URI) AddPathAttribute(name, value string) error {
@@ -137,6 +142,16 @@ func (uri *Pkcs11URI) AddPathAttribute(name, value string) error {
 return uri.SetPathAttribute(name, value)
 }
+// AddPathAttributeUnencoded adds a path attribute given as byte[] which must not already be pct-encoded;
+// it returns an error if an attribute with the same name already existed
+func (uri *Pkcs11URI) AddPathAttributeUnencoded(name string, value []byte) error {
+ if _, ok := uri.pathAttributes[name]; ok {
+ return errors.New("duplicate path attribute")
+ }
+ uri.SetPathAttributeUnencoded(name, value)
+ return nil
+}
+
 // RemovePathAttribute removes a path attribute
 func (uri *Pkcs11URI) RemovePathAttribute(name string) {
 delete(uri.pathAttributes, name)
@@ -173,6 +188,12 @@ func (uri *Pkcs11URI) SetQueryAttribute(name, value string) error {
 return uri.setAttribute(uri.queryAttributes, name, value)
 }
+// SetQueryAttributeUnencoded sets the value for a quiery attribute given as byte[].
+// The value must not have been pct-encoded already.
+func (uri *Pkcs11URI) SetQueryAttributeUnencoded(name string, value []byte) {
+ uri.queryAttributes[name] = string(value)
+}
+
 // AddQueryAttribute adds a query attribute; it returns an error if an attribute with the same
 // name already existed or if the given value cannot be pct-unescaped
 func (uri *Pkcs11URI) AddQueryAttribute(name, value string) error {
@@ -182,6 +203,16 @@ func (uri *Pkcs11URI) AddQueryAttribute(name, value string) error {
 return uri.SetQueryAttribute(name, value)
 }
+// AddQueryAttributeUnencoded adds a query attribute given as byte[] which must not already be pct-encoded;
+// it returns an error if an attribute with the same name already existed
+func (uri *Pkcs11URI) AddQueryAttributeUnencoded(name string, value []byte) error {
+ if _, ok := uri.queryAttributes[name]; ok {
+ return errors.New("duplicate query attribute")
+ }
+ uri.SetQueryAttributeUnencoded(name, value)
+ return nil
+}
+
 // RemoveQueryAttribute removes a path attribute
 func (uri *Pkcs11URI) RemoveQueryAttribute(name string) {
 delete(uri.queryAttributes, name)
@@ -257,7 +288,7 @@ func (uri *Pkcs11URI) GetPIN() (string, error) {
 if !filepath.IsAbs(pinuri.Path) {
 return "", fmt.Errorf("PIN URI path '%s' is not absolute", pinuri.Path)
 }
- pin, err := ioutil.ReadFile(pinuri.Path)
+ pin, err := os.ReadFile(pinuri.Path)
 if err != nil {
 return "", fmt.Errorf("Could not open PIN file: %s", err)
 }
@@ -426,7 +457,7 @@ func (uri *Pkcs11URI) GetModule() (string, error) {
 moduleName = strings.ToLower(moduleName)
 for _, dir := range searchdirs {
- files, err := ioutil.ReadDir(dir)
+ files, err := os.ReadDir(dir)
 if err != nil {
 continue
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 869c5950326..dadd793c397 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -107,7 +107,7 @@ github.com/chzyer/readline
 # github.com/containerd/cgroups/v3 v3.0.3
 ## explicit; go 1.18
 github.com/containerd/cgroups/v3/cgroup1/stats
-# github.com/containerd/containerd v1.7.16
+# github.com/containerd/containerd v1.7.17
 ## explicit; go 1.21
 github.com/containerd/containerd/errdefs
 github.com/containerd/containerd/log
@@ -171,7 +171,7 @@ github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/pkg/volumes
 github.com/containers/buildah/util
-# github.com/containers/common v0.58.1-0.20240509172903-2c88a3f280bb
+# github.com/containers/common v0.58.1-0.20240517090124-fa276b325847
 ## explicit; go 1.21
 github.com/containers/common/internal
 github.com/containers/common/internal/attributedstring
@@ -469,7 +469,7 @@ github.com/distribution/reference
 github.com/docker/distribution/registry/api/errcode
 github.com/docker/distribution/registry/api/v2
 github.com/docker/distribution/registry/client/auth/challenge
-# github.com/docker/docker v26.1.2+incompatible
+# github.com/docker/docker v26.1.3+incompatible
 ## explicit
 github.com/docker/docker/api
 github.com/docker/docker/api/types
@@ -1022,8 +1022,8 @@ github.com/spf13/cobra
 # github.com/spf13/pflag v1.0.5
 ## explicit; go 1.12
 github.com/spf13/pflag
-# github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980
-## explicit
+# github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6
+## explicit; go 1.19
 github.com/stefanberger/go-pkcs11uri
 # github.com/stretchr/testify v1.9.0
 ## explicit; go 1.17
From d1a86a4b619363f2b6f556d09d4a5f8c5112bafb Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Fri, 17 May 2024 11:35:14 +0200
Subject: [PATCH 2/2] fix incorrect host.containers.internal entry for rootless bridge mode We have to exclude the ips in the rootless netns as they are not the host. Now that fix only works if there are more than one ip one the host available, if there is only one we do not set the entry at all which I consider better as failing to resolve this name is a much better error for users than connecting to a wrong ip. It also matches what --network pasta already does. The test is bit more compilcated as I would like, however it must deal with both cases one ip, more than one so there is no way around it I think. Fixes #22653
Signed-off-by: Paul Holzinger
---
 libpod/container_internal_common.go | 9 +++++++++
 test/system/505-networking-pasta.bats | 29 ++++++++++++++++++++++++++-
 2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 78dd31b39cd..d76dea29958 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -2299,6 +2299,15 @@ func (c *Container) addHosts() error {
 var exclude []net.IP
 if c.pastaResult != nil {
 exclude = c.pastaResult.IPAddresses
+ } else if c.config.NetMode.IsBridge() {
+ // When running rootless we have to check the rootless netns ip addresses
+ // to not assign a ip that is already used in the rootless netns as it would
+ // not be routed to the host.
+ // https://github.com/containers/podman/issues/22653
+ info, err := c.runtime.network.RootlessNetnsInfo()
+ if err == nil {
+ exclude = info.IPAddresses
+ }
 }
 return etchosts.New(&etchosts.Params{
diff --git a/test/system/505-networking-pasta.bats b/test/system/505-networking-pasta.bats
index 9a96c618368..80282e1c428 100644
--- a/test/system/505-networking-pasta.bats
+++ b/test/system/505-networking-pasta.bats
@@ -778,7 +778,7 @@ EOF
 assert "$output" =~ "$mac2" "mac address from cli is set on custom interface"
 }
-### Rootless unshare testins
+### Rootless unshare testing
 @test "Podman unshare --rootless-netns with Pasta" {
 skip_if_remote "unshare is local-only"
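Review bot: The error from `c.runtime.network.RootlessNetnsInfo()` is discarded without inspection, so any failure other than the expected not-rootless case silently leaves `exclude` empty and host.containers.internal can again be set to an address that lives in the rootless netns, which is the misrouting this commit fixes. The two vendored implementations in this series return only `types.ErrNotRootlessNetns` (when no rootless netns exists), but the `ContainerNetwork` interface contract does not restrict future implementations to that one error. I would distinguish the cases, e.g. `} else if !errors.Is(err, types.ErrNotRootlessNetns) { logrus.Warnf("getting rootless netns info for host.containers.internal: %v", err) }`, using whichever error and logging packages the file already imports (not visible in the hunk). The comment says "When running rootless" but the branch is gated only on `IsBridge()`; it would be clearer to state that the rootless-vs-root distinction is made by the error return. addHosts starts and ends outside the hunk.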
@@ -794,3 +794,30 @@ EOF
 run_podman unshare --rootless-netns ip addr
 is "$output" ".*${pasta_iface}.*"
 }
+
+# https://github.com/containers/podman/issues/22653
+@test "pasta/bridge and host.containers.internal" {
+ skip_if_no_ipv4 "IPv4 not routable on the host"
+ pasta_ip="$(default_addr 4)"
+
+ for network in "pasta" "bridge"; do
+ # special exit code logic needed here, it is possible that there is no host.containers.internal
+ # when there is only one ip one the host and that one is used by pasta.
+ # As such we have to deal with both cases.
+ run_podman '?' run --rm --network=$network $IMAGE grep host.containers.internal /etc/hosts
+ if [ "$status" -eq 0 ]; then
+ assert "$output" !~ "$pasta_ip" "pasta host ip must not be assigned ($network)"
+ assert "$(hostname -I)" =~ "$(cut -f1 <<<$output)" "ip is one of the host ips ($network)"
+ elif [ "$status" -eq 1 ]; then
+ # if only pasta ip then we cannot have a host.containers.internal entry
+ # make sure this fact is actually the case
+ assert "$pasta_ip" == "$(hostname -I | tr -d '[:space:]')" "pasta ip must the only one one the host ($network)"
+ else
+ die "unexpected exit code '$status' from grep or podman ($network)"
+ fi
+ done
+
+ host_ip=$(hostname -I | cut -f 1 -d " ")
+ run_podman run --rm --network=pasta:-a,169.254.0.2,-g,169.254.0.1,-n,24 $IMAGE grep host.containers.internal /etc/hosts
+ assert "$output" =~ "^$host_ip" "uses host first ip"
+}
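Review bot: In the `status -eq 0` branch, `assert "$(hostname -I)" =~ "$(cut -f1 <<<$output)"` uses the /etc/hosts address as an unanchored regular expression, so the unescaped dots match any character and an entry such as 10.0.0.1 also matches a host address 10.0.0.10 — the assertion can pass for an address that is not actually one of the host's. A whole-word, literal comparison closes that gap, e.g. `grep -qwF -- "$(cut -f1 <<<"$output")" <<<"$(hostname -I)" || die "ip is not one of the host ips ($network)"`. The final `=~ "^$host_ip"` check has the same dot issue, though the leading anchor makes a false match much less likely. `cut -f1` also assumes a tab separates the address from the name in the generated /etc/hosts, which the hunk does not show; since `cut -f 1 -d " "` is spelled out for `hostname -I` a few lines below, the intended delimiter should be explicit here too. If `$output` ever contains more than one matching line, `cut -f1` yields several addresses and the regex check compares a multi-line pattern, so asserting a single line first (`assert "$(wc -l <<<"$output")" == 1`) would make that failure mode clearer.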