Hello community,

here is the log from the commit of package podman for openSUSE:Factory checked 
in at 2020-05-01 11:07:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/podman (Old)
 and      /work/SRC/openSUSE:Factory/.podman.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "podman"

Fri May  1 11:07:25 2020 rev:62 rq:798807 version:1.9.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/podman/podman.changes    2020-04-18 
00:29:08.237891652 +0200
+++ /work/SRC/openSUSE:Factory/.podman.new.2738/podman.changes  2020-05-01 
11:07:40.031105511 +0200
@@ -1,0 +2,16 @@
+Wed Apr 29 06:34:51 UTC 2020 - Sascha Grunert <[email protected]>
+
+- Update podman to v1.9.1:
+  * Bugfixes
+    - Fixed a bug where healthchecks could become nonfunctional if
+      container log paths were manually set with --log-path and
+      multiple container logs were placed in the same directory
+    - Fixed a bug where rootless Podman could, when using an older
+      libpod.conf, print numerous warning messages about an invalid
+      CGroup manager config
+    - Fixed a bug where rootless Podman would sometimes fail to
+      close the rootless user namespace when joining it
+  * Misc
+    - Updated containers/common to v0.8.2
+
+-------------------------------------------------------------------
@@ -5 +21 @@
-- Update podman to v1.8.2:
+- Update podman to v1.9.0:

Old:
----
  podman-1.9.0.tar.xz

New:
----
  podman-1.9.1.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ podman.spec ++++++
--- /var/tmp/diff_new_pack.OXIPZ6/_old  2020-05-01 11:07:43.075112131 +0200
+++ /var/tmp/diff_new_pack.OXIPZ6/_new  2020-05-01 11:07:43.075112131 +0200
@@ -22,7 +22,7 @@
 %define with_libostree 1
 %endif
 Name:           podman
-Version:        1.9.0
+Version:        1.9.1
 Release:        0
 Summary:        Daemon-less container engine for managing containers, pods and 
images
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.OXIPZ6/_old  2020-05-01 11:07:43.115112218 +0200
+++ /var/tmp/diff_new_pack.OXIPZ6/_new  2020-05-01 11:07:43.119112227 +0200
@@ -4,8 +4,8 @@
 <param name="url">https://github.com/containers/libpod.git</param>
 <param name="scm">git</param>
 <param name="filename">podman</param>
-<param name="versionformat">1.9.0</param>
-<param name="revision">v1.9.0</param>
+<param name="versionformat">1.9.1</param>
+<param name="revision">v1.9.1</param>
 </service>
 
 <service name="set_version" mode="disabled">

++++++ podman-1.9.0.tar.xz -> podman-1.9.1.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/.cirrus.yml new/podman-1.9.1/.cirrus.yml
--- old/podman-1.9.0/.cirrus.yml        2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/.cirrus.yml        2020-04-28 22:29:37.000000000 +0200
@@ -14,7 +14,7 @@
     #### Global variables used for all tasks
     ####
     # Name of the ultimate destination branch for this CI run, PR or 
post-merge.
-    DEST_BRANCH: "master"
+    DEST_BRANCH: "v1.9"
     # Overrides default location (/tmp/cirrus) for repo clone
     GOPATH: "/var/tmp/go"
     GOBIN: "${GOPATH}/bin"
@@ -106,7 +106,7 @@
         # Note: Image has dual purpose, see contrib/gate/README.md
         # The entrypoint.sh script ensures a prestine copy of $SRCPATH is
         # available at $GOSRC before executing make instructions.
-        image: "quay.io/libpod/gate:master"
+        image: "quay.io/libpod/gate:v1.9"
         cpu: 8
         memory: 12
 
@@ -234,7 +234,7 @@
     # Runs within Cirrus's "community cluster"
     container:
         # Note: Image has dual purpose, see contrib/gate/README.md
-        image: "quay.io/libpod/gate:master"
+        image: "quay.io/libpod/gate:v1.9"
         cpu: 4
         memory: 12
 
@@ -321,7 +321,7 @@
         - "build_without_cgo"
 
     container:
-        image: "quay.io/libpod/imgts:master"  # see contrib/imgts
+        image: "quay.io/libpod/imgts:v1.9"  # see contrib/imgts
         cpu: 1
         memory: 1
 
@@ -346,32 +346,6 @@
     script: '$CIRRUS_WORKING_DIR/$SCRIPT_BASE/update_meta.sh |& ${TIMESTAMP}'
 
 
-# Remove old and disused images based on labels set by meta_task
-image_prune_task:
-
-    # This should ONLY ever run from the master branch, and never
-    # anywhere else so it's behavior is always consistent, even
-    # as new branches are created.
-    only_if: $CIRRUS_BRANCH == "master"
-
-    depends_on:
-        - "meta"
-
-    container:
-        image: "quay.io/libpod/imgprune:master"  # see contrib/imgprune
-        cpu: 1
-        memory: 1
-
-    env:
-        <<: *meta_env_vars
-        GCPJSON: 
ENCRYPTED[4c11d8e09c904c30fc70eecb95c73dec0ddf19976f9b981a0f80f3f6599e8f990bcef93c253ac0277f200850d98528e7]
-        GCPNAME: 
ENCRYPTED[7f54557ba6e5a437f11283a53e71baec9ca546f48a9835538cc54d297f79968eb1337d4596a1025b14f9d1c5723fbd29]
-
-    timeout_in: 10m
-
-    script: '/usr/local/bin/entrypoint.sh |& ${TIMESTAMP}'
-
-
 # This task does the unit and integration testing for every platform
 testing_task:
     alias: "testing"
@@ -766,7 +740,6 @@
         - "build_each_commit"
         - "build_without_cgo"
         - "meta"
-        - "image_prune"
         - "testing"
         - "rpmbuild"
         - "special_testing_rootless"
@@ -785,7 +758,7 @@
 
     container:
         # Note: Image has dual purpose, see contrib/gate/README.md
-        image: "quay.io/libpod/gate:master"
+        image: "quay.io/libpod/gate:v1.9"
         cpu: 1
         memory: 1
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/RELEASE_NOTES.md 
new/podman-1.9.1/RELEASE_NOTES.md
--- old/podman-1.9.0/RELEASE_NOTES.md   2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/RELEASE_NOTES.md   2020-04-28 22:29:37.000000000 +0200
@@ -1,5 +1,14 @@
 # Release Notes
 
+## 1.9.1
+### Bugfixes
+- Fixed a bug where healthchecks could become nonfunctional if container log 
paths were manually set with `--log-path` and multiple container logs were 
placed in the same directory 
([#5915](https://github.com/containers/libpod/issues/5915))
+- Fixed a bug where rootless Podman could, when using an older `libpod.conf`, 
print numerous warning messages about an invalid CGroup manager config
+- Fixed a bug where rootless Podman would sometimes fail to close the rootless 
user namespace when joining it 
([#5873](https://github.com/containers/libpod/issues/5873))
+
+### Misc
+- Updated containers/common to v0.8.2
+
 ## 1.9.0
 ### Features
 - Experimental support has been added for `podman run --userns=auto`, which 
automatically allocates a unique UID and GID range for the new container's user 
namespace
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/changelog.txt 
new/podman-1.9.1/changelog.txt
--- old/podman-1.9.0/changelog.txt      2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/changelog.txt      2020-04-28 22:29:37.000000000 +0200
@@ -1,3 +1,15 @@
+- Changelog for v1.9.1 (2020-04-28):
+  * Update release notes for v1.9.1
+  * separate healthcheck and container log paths
+  * Update vendor to containers/common v0.8.2
+  * rootless: move join namespace inside child process
+  * rootless: skip looking up parent user ns
+  * Don't check configuration until user input is applied
+  * Move selinux labeling support from pkg/util to pkg/selinux
+  * Cirrus: Necessary changes for v1.9 branch automation
+  * Cirrus: Fix gate container build failure
+  * logformat: handle apiv2 results, add anchor links
+
 - Changelog for v1.9.0 (2020-04-15)
   * podmanV2: fix nil deref
   * v2specgen prune libpod
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/cmd/podman/cliconfig/config.go 
new/podman-1.9.1/cmd/podman/cliconfig/config.go
--- old/podman-1.9.0/cmd/podman/cliconfig/config.go     2020-04-15 
16:51:28.000000000 +0200
+++ new/podman-1.9.1/cmd/podman/cliconfig/config.go     2020-04-28 
22:29:37.000000000 +0200
@@ -708,7 +708,6 @@
 func GetDefaultConfig() *config.Config {
        var err error
        conf, err := config.NewConfig("")
-       conf.CheckCgroupsAndAdjustConfig()
        if err != nil {
                logrus.Errorf("Error loading container config %v\n", err)
                os.Exit(1)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/cmd/podman/main.go 
new/podman-1.9.1/cmd/podman/main.go
--- old/podman-1.9.0/cmd/podman/main.go 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/cmd/podman/main.go 2020-04-28 22:29:37.000000000 +0200
@@ -126,6 +126,9 @@
                return err
        }
 
+       defaultContainerConfig.Engine.CgroupManager = 
MainGlobalOpts.CGroupManager
+       defaultContainerConfig.CheckCgroupsAndAdjustConfig()
+
        if err := setupRootless(cmd, args); err != nil {
                return err
        }
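Review bot: The two lines added before `setupRootless` copy `MainGlobalOpts.CGroupManager` into the config unconditionally, and nothing in the hunk shows that the flag value is non-empty or defaults to the configured value. If the flag can be empty when the user did not pass it, this would overwrite a manager chosen in the config file before `CheckCgroupsAndAdjustConfig()` runs. Guarding the assignment with `if MainGlobalOpts.CGroupManager != "" {`, or adding a comment that the flag default is seeded from the config, would settle it. The enclosing function starts and ends outside the hunk.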
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/cmd/podman/shared/create.go 
new/podman-1.9.1/cmd/podman/shared/create.go
--- old/podman-1.9.0/cmd/podman/shared/create.go        2020-04-15 
16:51:28.000000000 +0200
+++ new/podman-1.9.1/cmd/podman/shared/create.go        2020-04-28 
22:29:37.000000000 +0200
@@ -376,6 +376,10 @@
                }
        }
 
+       usernsType := c.String("userns")
+       if !c.IsSet("userns") && !idmappings.HostUIDMapping {
+               usernsType = "private"
+       }
        // Kernel Namespaces
        // TODO Fix handling of namespace from pod
        // Instead of integrating here, should be done in libpod
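Review bot: The new `usernsType` fallback silently selects a private user namespace whenever `--userns` is unset and `idmappings.HostUIDMapping` is false, and no comment says why. Since this decides whether the container shares the host user namespace, I would add `// No explicit --userns: custom ID mappings imply a private user namespace.` above the `if`. `idmappings` is defined outside the hunk, so whether it can be nil at this point is not visible here and is worth confirming.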
@@ -386,7 +390,7 @@
                "pid":    c.String("pid"),
                "net":    c.String("network"),
                "ipc":    c.String("ipc"),
-               "user":   c.String("userns"),
+               "user":   usernsType,
                "uts":    c.String("uts"),
        }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/contrib/cirrus/lib.sh 
new/podman-1.9.1/contrib/cirrus/lib.sh
--- old/podman-1.9.0/contrib/cirrus/lib.sh      2020-04-15 16:51:28.000000000 
+0200
+++ new/podman-1.9.1/contrib/cirrus/lib.sh      2020-04-28 22:29:37.000000000 
+0200
@@ -50,7 +50,7 @@
 # Defaults when not running under CI
 export CI="${CI:-false}"
 CIRRUS_CI="${CIRRUS_CI:-false}"
-DEST_BRANCH="${DEST_BRANCH:-master}"
+DEST_BRANCH="${DEST_BRANCH:-v1.9}"
 CONTINUOUS_INTEGRATION="${CONTINUOUS_INTEGRATION:-false}"
 CIRRUS_REPO_NAME=${CIRRUS_REPO_NAME:-libpod}
 CIRRUS_BASE_SHA=${CIRRUS_BASE_SHA:-unknown$(date +%s)}  # difficult to 
reliably discover
@@ -71,7 +71,7 @@
 # IN_PODMAN container image
 IN_PODMAN_IMAGE="quay.io/libpod/in_podman:$DEST_BRANCH"
 # Image for uploading releases
-UPLDREL_IMAGE="quay.io/libpod/upldrel:master"
+UPLDREL_IMAGE="quay.io/libpod/upldrel:v1.9"
 
 # Avoid getting stuck waiting for user input
 export DEBIAN_FRONTEND="noninteractive"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/contrib/cirrus/logformatter 
new/podman-1.9.1/contrib/cirrus/logformatter
--- old/podman-1.9.0/contrib/cirrus/logformatter        2020-04-15 
16:51:28.000000000 +0200
+++ new/podman-1.9.1/contrib/cirrus/logformatter        2020-04-28 
22:29:37.000000000 +0200
@@ -220,8 +220,8 @@
             $cirrus_task = $1;
         }
 
-        # BATS handling
-        if ($line =~ /^1\.\.\d+$/) {
+        # BATS handling (used also for apiv2 tests, which emit TAP output)
+        if ($line =~ /^1\.\.\d+$/ || $line =~ m!/test-apiv2!) {
             $looks_like_bats = 1;
         }
         if ($looks_like_bats) {
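Review bot: The added `$line =~ m!/test-apiv2!` alternative is unanchored, so any log line that merely mentions that path, such as an error message or a quoted command, sets `$looks_like_bats`. Nothing in the hunk resets the flag, so the rest of the log would presumably be formatted as TAP output from that point on. Anchoring the pattern to the line that actually starts the apiv2 run would narrow it; failing that, a comment such as `# NOTE: matches the path anywhere in the line; the flag stays set for the rest of the log` would record the behaviour. The enclosing loop starts and ends outside the hunk.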
@@ -234,6 +234,10 @@
             elsif ($line =~ /^#\s/)            { $css = 'log'     }
 
             if ($css) {
+                # Make it linkable, e.g. foo.html#t--00001
+                if ($line =~ /^(not\s+)?ok\s+(\d+)/) {
+                    $line = sprintf("<a name='t--%05d'>%s</a>", $2, $line);
+                }
                 $line = "<span class='bats-$css'>$line</span>";
             }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/contrib/gate/Dockerfile 
new/podman-1.9.1/contrib/gate/Dockerfile
--- old/podman-1.9.0/contrib/gate/Dockerfile    2020-04-15 16:51:28.000000000 
+0200
+++ new/podman-1.9.1/contrib/gate/Dockerfile    2020-04-28 22:29:37.000000000 
+0200
@@ -21,6 +21,7 @@
       procps-ng \
       python \
       python3-dateutil \
+      python3-pip \
       python3-psutil \
       python3-pytoml \
       python3-pyyaml \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/go.mod new/podman-1.9.1/go.mod
--- old/podman-1.9.0/go.mod     2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/go.mod     2020-04-28 22:29:37.000000000 +0200
@@ -10,7 +10,7 @@
        github.com/containernetworking/cni v0.7.2-0.20200304161608-4fae32b84921
        github.com/containernetworking/plugins v0.8.5
        github.com/containers/buildah v1.14.8
-       github.com/containers/common v0.8.1
+       github.com/containers/common v0.8.2
        github.com/containers/conmon v2.0.14+incompatible
        github.com/containers/image/v5 v5.4.3
        github.com/containers/psgo v1.4.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/go.sum new/podman-1.9.1/go.sum
--- old/podman-1.9.0/go.sum     2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/go.sum     2020-04-28 22:29:37.000000000 +0200
@@ -67,6 +67,8 @@
 github.com/containers/buildah v1.14.8/go.mod 
h1:ytEjHJQnRXC1ygXMyc0FqYkjcoCydqBQkOdxbH563QU=
 github.com/containers/common v0.8.1 
h1:1IUwAtZ4mC7GYRr4AC23cHf2oXCuoLzTUoSzIkSgnYw=
 github.com/containers/common v0.8.1/go.mod 
h1:VxDJbaA1k6N1TNv9Rt6bQEF4hyKVHNfOfGA5L91ADEs=
+github.com/containers/common v0.8.2 
h1:TzbHcY1C6xAcZyPk0UJLAKVpW77AUkw5DWoApWB8Ge8=
+github.com/containers/common v0.8.2/go.mod 
h1:VxDJbaA1k6N1TNv9Rt6bQEF4hyKVHNfOfGA5L91ADEs=
 github.com/containers/conmon v2.0.14+incompatible 
h1:knU1O1QxXy5YxtjMQVKEyCajROaehizK9FHaICl+P5Y=
 github.com/containers/conmon v2.0.14+incompatible/go.mod 
h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/image/v5 v5.4.3 
h1:zn2HR7uu4hpvT5QQHgjqonOzKDuM1I1UHUEmzZT5sbs=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/libpod/healthcheck.go 
new/podman-1.9.1/libpod/healthcheck.go
--- old/podman-1.9.0/libpod/healthcheck.go      2020-04-15 16:51:28.000000000 
+0200
+++ new/podman-1.9.1/libpod/healthcheck.go      2020-04-28 22:29:37.000000000 
+0200
@@ -238,7 +238,7 @@
 
 // HealthCheckLogPath returns the path for where the health check log is
 func (c *Container) healthCheckLogPath() string {
-       return filepath.Join(filepath.Dir(c.LogPath()), "healthcheck.log")
+       return filepath.Join(filepath.Dir(c.state.RunDir), "healthcheck.log")
 }
 
 // GetHealthCheckLog returns HealthCheck results by reading the container's
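Review bot: `filepath.Dir(c.state.RunDir)` in `healthCheckLogPath` places the log in the parent of the run directory, and the hunk does not show that this parent is unique per container. If it is shared, two containers would again write the same `healthcheck.log`, which is the collision this change is meant to remove. If it is per-container, a comment such as `// RunDir's parent is the container's own directory, so the log cannot collide with another container's.` would record that. The existing doc comment also names `HealthCheckLogPath` while the method is `healthCheckLogPath`.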
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/libpod/runtime.go 
new/podman-1.9.1/libpod/runtime.go
--- old/podman-1.9.0/libpod/runtime.go  2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/libpod/runtime.go  2020-04-28 22:29:37.000000000 +0200
@@ -131,8 +131,9 @@
        if err != nil {
                return nil, err
        }
+       runtime, err = newRuntimeFromConfig(ctx, conf, options...)
        conf.CheckCgroupsAndAdjustConfig()
-       return newRuntimeFromConfig(ctx, conf, options...)
+       return runtime, err
 }
 
 // NewRuntimeFromConfig creates a new container runtime using the given
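Review bot: `conf.CheckCgroupsAndAdjustConfig()` now runs after `newRuntimeFromConfig` whether or not that call failed, and a possibly partial `runtime` is returned together with `err`. Checking the error first keeps the failure path clean: `if err != nil { return nil, err }` before the adjust call. It is also not visible here whether the runtime keeps the same `conf` pointer, so adjustments made after construction may not reach it; a comment saying the ordering is intentional would help. The function starts outside the hunk.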
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/pkg/rootless/rootless_linux.c 
new/podman-1.9.1/pkg/rootless/rootless_linux.c
--- old/podman-1.9.0/pkg/rootless/rootless_linux.c      2020-04-15 
16:51:28.000000000 +0200
+++ new/podman-1.9.1/pkg/rootless/rootless_linux.c      2020-04-28 
22:29:37.000000000 +0200
@@ -535,8 +535,36 @@
     }
 }
 
+static void
+join_namespace_or_die (int pid_to_join, const char *ns_file)
+{
+  char ns_path[PATH_MAX];
+  int ret;
+  int fd;
+
+  ret = snprintf (ns_path, PATH_MAX, "/proc/%d/ns/%s", pid_to_join, ns_file);
+  if (ret == PATH_MAX)
+    {
+      fprintf (stderr, "internal error: namespace path too long\n");
+      _exit (EXIT_FAILURE);
+    }
+
+  fd = open (ns_path, O_CLOEXEC | O_RDONLY);
+  if (fd < 0)
+    {
+      fprintf (stderr, "cannot open: %s\n", ns_path);
+      _exit (EXIT_FAILURE);
+    }
+  if (setns (fd, 0) < 0)
+    {
+      fprintf (stderr, "cannot set namespace to %s: %s\n", ns_path, strerror 
(errno));
+      _exit (EXIT_FAILURE);
+    }
+  close (fd);
+}
+
 int
-reexec_userns_join (int userns, int mountns, char *pause_pid_file_path)
+reexec_userns_join (int pid_to_join, char *pause_pid_file_path)
 {
   char uid[16];
   char gid[16];
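Review bot: The truncation check in `join_namespace_or_die` is `ret == PATH_MAX`, but `snprintf` returns the length the full string would have had, so truncation shows up as any value at or above the buffer size and an error as a negative value. The guard should be `if (ret < 0 || ret >= PATH_MAX)`. The `open` failure message also omits `strerror (errno)`, unlike the `setns` one, which makes a permission failure indistinguishable from a missing process. `reexec_userns_join` continues outside the hunk.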
@@ -606,19 +634,8 @@
       _exit (EXIT_FAILURE);
     }
 
-  if (setns (userns, 0) < 0)
-    {
-      fprintf (stderr, "cannot setns: %s\n", strerror (errno));
-      _exit (EXIT_FAILURE);
-    }
-  close (userns);
-
-  if (mountns >= 0 && setns (mountns, 0) < 0)
-    {
-      fprintf (stderr, "cannot setns: %s\n", strerror (errno));
-      _exit (EXIT_FAILURE);
-    }
-  close (mountns);
+  join_namespace_or_die (pid_to_join, "user");
+  join_namespace_or_die (pid_to_join, "mnt");
 
   if (syscall_setresgid (0, 0, 0) < 0)
     {
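Review bot: Each `join_namespace_or_die` call resolves `/proc/<pid>/ns/...` from the numeric pid on its own, so the user and mount namespaces are looked up at two different moments. If the target process exits and its pid is reused in between, the second lookup could refer to an unrelated process; the removed code received both descriptors already opened. Opening both namespace files before the first `setns`, or at least a comment such as `/* pid_to_join must stay alive until both namespaces are joined */`, would make the assumption explicit. The enclosing function starts and ends outside the hunk.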
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/pkg/rootless/rootless_linux.go 
new/podman-1.9.1/pkg/rootless/rootless_linux.go
--- old/podman-1.9.0/pkg/rootless/rootless_linux.go     2020-04-15 
16:51:28.000000000 +0200
+++ new/podman-1.9.1/pkg/rootless/rootless_linux.go     2020-04-28 
22:29:37.000000000 +0200
@@ -31,7 +31,7 @@
 extern uid_t rootless_gid();
 extern int reexec_in_user_namespace(int ready, char *pause_pid_file_path, char 
*file_to_read, int fd);
 extern int reexec_in_user_namespace_wait(int pid, int options);
-extern int reexec_userns_join(int userns, int mountns, char 
*pause_pid_file_path);
+extern int reexec_userns_join(int pid, char *pause_pid_file_path);
 */
 import "C"
 
@@ -124,91 +124,6 @@
        return nil
 }
 
-func readUserNs(path string) (string, error) {
-       b := make([]byte, 256)
-       _, err := unix.Readlink(path, b)
-       if err != nil {
-               return "", err
-       }
-       return string(b), nil
-}
-
-func readUserNsFd(fd uintptr) (string, error) {
-       return readUserNs(fmt.Sprintf("/proc/self/fd/%d", fd))
-}
-
-func getParentUserNs(fd uintptr) (uintptr, error) {
-       const nsGetParent = 0xb702
-       ret, _, errno := unix.Syscall(unix.SYS_IOCTL, fd, uintptr(nsGetParent), 
0)
-       if errno != 0 {
-               return 0, errno
-       }
-       return (uintptr)(unsafe.Pointer(ret)), nil
-}
-
-// getUserNSFirstChild returns an open FD for the first direct child user 
namespace that created the process
-// Each container creates a new user namespace where the runtime runs.  The 
current process in the container
-// might have created new user namespaces that are child of the initial 
namespace we created.
-// This function finds the initial namespace created for the container that is 
a child of the current namespace.
-//
-//                                     current ns
-//                                       /     \
-//                           TARGET ->  a   [other containers]
-//                                     /
-//                                    b
-//                                   /
-//        NS READ USING THE PID ->  c
-func getUserNSFirstChild(fd uintptr) (*os.File, error) {
-       currentNS, err := readUserNs("/proc/self/ns/user")
-       if err != nil {
-               return nil, err
-       }
-
-       ns, err := readUserNsFd(fd)
-       if err != nil {
-               return nil, errors.Wrapf(err, "cannot read user namespace")
-       }
-       if ns == currentNS {
-               return nil, errors.New("process running in the same user 
namespace")
-       }
-
-       for {
-               nextFd, err := getParentUserNs(fd)
-               if err != nil {
-                       if err == unix.ENOTTY {
-                               return os.NewFile(fd, "userns child"), nil
-                       }
-                       return nil, errors.Wrapf(err, "cannot get parent user 
namespace")
-               }
-
-               ns, err = readUserNsFd(nextFd)
-               if err != nil {
-                       return nil, errors.Wrapf(err, "cannot read user 
namespace")
-               }
-
-               if ns == currentNS {
-                       if err := unix.Close(int(nextFd)); err != nil {
-                               return nil, err
-                       }
-
-                       // Drop O_CLOEXEC for the fd.
-                       _, _, errno := unix.Syscall(unix.SYS_FCNTL, fd, 
unix.F_SETFD, 0)
-                       if errno != 0 {
-                               if err := unix.Close(int(fd)); err != nil {
-                                       logrus.Errorf("failed to close file 
descriptor %d", fd)
-                               }
-                               return nil, errno
-                       }
-
-                       return os.NewFile(fd, "userns child"), nil
-               }
-               if err := unix.Close(int(fd)); err != nil {
-                       return nil, err
-               }
-               fd = nextFd
-       }
-}
-
 // joinUserAndMountNS re-exec podman in a new userNS and join the user and 
mount
 // namespace of the specified PID without looking up its parent.  Useful to 
join directly
 // the conmon process.
@@ -220,31 +135,7 @@
        cPausePid := C.CString(pausePid)
        defer C.free(unsafe.Pointer(cPausePid))
 
-       userNS, err := os.Open(fmt.Sprintf("/proc/%d/ns/user", pid))
-       if err != nil {
-               return false, -1, err
-       }
-       defer func() {
-               if err := userNS.Close(); err != nil {
-                       logrus.Errorf("unable to close namespace: %q", err)
-               }
-       }()
-
-       mountNS, err := os.Open(fmt.Sprintf("/proc/%d/ns/mnt", pid))
-       if err != nil {
-               return false, -1, err
-       }
-       defer func() {
-               if err := mountNS.Close(); err != nil {
-                       logrus.Errorf("unable to close namespace: %q", err)
-               }
-       }()
-
-       fd, err := getUserNSFirstChild(userNS.Fd())
-       if err != nil {
-               return false, -1, err
-       }
-       pidC := C.reexec_userns_join(C.int(fd.Fd()), C.int(mountNS.Fd()), 
cPausePid)
+       pidC := C.reexec_userns_join(C.int(pid), cPausePid)
        if int(pidC) < 0 {
                return false, -1, errors.Errorf("cannot re-exec process")
        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/pkg/selinux/selinux.go 
new/podman-1.9.1/pkg/selinux/selinux.go
--- old/podman-1.9.0/pkg/selinux/selinux.go     1970-01-01 01:00:00.000000000 
+0100
+++ new/podman-1.9.1/pkg/selinux/selinux.go     2020-04-28 22:29:37.000000000 
+0200
@@ -0,0 +1,40 @@
+package util
+
+import (
+       "github.com/opencontainers/selinux/go-selinux"
+)
+
+// SELinuxKVMLabel returns labels for running kvm isolated containers
+func SELinuxKVMLabel(cLabel string) (string, error) {
+       if cLabel == "" {
+               // selinux is disabled
+               return "", nil
+       }
+       processLabel, _ := selinux.KVMContainerLabels()
+       selinux.ReleaseLabel(processLabel)
+       return swapSELinuxLabel(cLabel, processLabel)
+}
+
+// SELinuxInitLabel returns labels for running systemd based containers
+func SELinuxInitLabel(cLabel string) (string, error) {
+       if cLabel == "" {
+               // selinux is disabled
+               return "", nil
+       }
+       processLabel, _ := selinux.InitContainerLabels()
+       selinux.ReleaseLabel(processLabel)
+       return swapSELinuxLabel(cLabel, processLabel)
+}
+
+func swapSELinuxLabel(cLabel, processLabel string) (string, error) {
+       dcon, err := selinux.NewContext(cLabel)
+       if err != nil {
+               return "", err
+       }
+       scon, err := selinux.NewContext(processLabel)
+       if err != nil {
+               return "", err
+       }
+       dcon["type"] = scon["type"]
+       return dcon.Get(), nil
+}
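Review bot: The new file lives in `pkg/selinux` but declares `package util`, so importers get a package name that does not match the import path; `package selinux` would match the directory. Both exported helpers also discard the second return value of the label lookup and pass `processLabel` on without checking it. If that label can be empty while `cLabel` is set, `swapSELinuxLabel` would overwrite the type field with an empty string, and nothing in the file rules that out. `swapSELinuxLabel` has no doc comment; something like `// swapSELinuxLabel returns cLabel with its type field replaced by processLabel's type.` would do.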
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/test/apiv2/test-apiv2 
new/podman-1.9.1/test/apiv2/test-apiv2
--- old/podman-1.9.0/test/apiv2/test-apiv2      2020-04-15 16:51:28.000000000 
+0200
+++ new/podman-1.9.1/test/apiv2/test-apiv2      2020-04-28 22:29:37.000000000 
+0200
@@ -355,7 +355,7 @@
 
 if [ -n "$service_pid" ]; then
     kill $service_pid
-    wait -f $service_pid
+    wait $service_pid
 fi
 
 test_count=$(<$testcounter_file)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/podman-1.9.0/vendor/github.com/containers/common/pkg/config/containers.conf 
new/podman-1.9.1/vendor/github.com/containers/common/pkg/config/containers.conf
--- 
old/podman-1.9.0/vendor/github.com/containers/common/pkg/config/containers.conf 
    2020-04-15 16:51:28.000000000 +0200
+++ 
new/podman-1.9.1/vendor/github.com/containers/common/pkg/config/containers.conf 
    2020-04-28 22:29:37.000000000 +0200
@@ -376,6 +376,8 @@
 #            "/usr/local/sbin/kata-runtime",
 #            "/sbin/kata-runtime",
 #            "/bin/kata-runtime",
+#            "/usr/bin/kata-qemu",
+#            "/usr/bin/kata-fc",
 # ]
 
 # Number of seconds to wait for container to exit before sending kill signal.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/podman-1.9.0/vendor/github.com/containers/common/pkg/config/default.go 
new/podman-1.9.1/vendor/github.com/containers/common/pkg/config/default.go
--- old/podman-1.9.0/vendor/github.com/containers/common/pkg/config/default.go  
2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/vendor/github.com/containers/common/pkg/config/default.go  
2020-04-28 22:29:37.000000000 +0200
@@ -141,13 +141,18 @@
                netns = "slirp4netns"
        }
 
+       cgroupNS := "host"
+       if cgroup2, _ := cgroupv2.Enabled(); cgroup2 {
+               cgroupNS = "private"
+       }
+
        return &Config{
                Containers: ContainersConfig{
                        Devices:             []string{},
                        Volumes:             []string{},
                        Annotations:         []string{},
                        ApparmorProfile:     DefaultApparmorProfile,
-                       CgroupNS:            "private",
+                       CgroupNS:            cgroupNS,
                        DefaultCapabilities: DefaultCapabilities,
                        DefaultSysctls:      []string{},
                        DefaultUlimits:      getDefaultProcessLimits(),
@@ -172,7 +177,7 @@
                        SeccompProfile: SeccompDefaultPath,
                        ShmSize:        DefaultShmSize,
                        UTSNS:          "private",
-                       UserNS:         "private",
+                       UserNS:         "host",
                        UserNSSize:     DefaultUserNSSize,
                },
                Network: NetworkConfig{
@@ -246,6 +251,8 @@
                        "/usr/local/sbin/kata-runtime",
                        "/sbin/kata-runtime",
                        "/bin/kata-runtime",
+                       "/usr/bin/kata-qemu",
+                       "/usr/bin/kata-fc",
                },
        }
        c.ConmonEnvVars = []string{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/podman-1.9.0/vendor/github.com/containers/common/pkg/config/libpodConfig.go 
new/podman-1.9.1/vendor/github.com/containers/common/pkg/config/libpodConfig.go
--- 
old/podman-1.9.0/vendor/github.com/containers/common/pkg/config/libpodConfig.go 
    2020-04-15 16:51:28.000000000 +0200
+++ 
new/podman-1.9.1/vendor/github.com/containers/common/pkg/config/libpodConfig.go 
    2020-04-28 22:29:37.000000000 +0200
@@ -224,6 +224,12 @@
                }
        }
 
+       // hard code EventsLogger to "file" to match older podman versions.
+       if config.EventsLogger != "file" {
+               logrus.Debugf("Ignoring lipod.conf EventsLogger setting %q. Use 
containers.conf if you want to change this setting and remove libpod.conf 
files.", config.EventsLogger)
+               config.EventsLogger = "file"
+       }
+
        c.libpodToContainersConfig(config)
 
        return nil
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/vendor/modules.txt 
new/podman-1.9.1/vendor/modules.txt
--- old/podman-1.9.0/vendor/modules.txt 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/vendor/modules.txt 2020-04-28 22:29:37.000000000 +0200
@@ -82,7 +82,7 @@
 github.com/containers/buildah/pkg/supplemented
 github.com/containers/buildah/pkg/umask
 github.com/containers/buildah/util
-# github.com/containers/common v0.8.1
+# github.com/containers/common v0.8.2
 github.com/containers/common/pkg/apparmor
 github.com/containers/common/pkg/capabilities
 github.com/containers/common/pkg/cgroupv2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/podman-1.9.0/version/version.go 
new/podman-1.9.1/version/version.go
--- old/podman-1.9.0/version/version.go 2020-04-15 16:51:28.000000000 +0200
+++ new/podman-1.9.1/version/version.go 2020-04-28 22:29:37.000000000 +0200
@@ -4,7 +4,7 @@
 // NOTE: remember to bump the version at the top
 // of the top-level README.md file when this is
 // bumped.
-const Version = "1.9.0"
+const Version = "1.9.1"
 
 // RemoteAPIVersion is the version for the remote
 // client API.  It is used to determine compatibility

