diff --git a/contrib/cirrus/logcollector.sh b/contrib/cirrus/logcollector.sh index 419b16eb5dc..fa13acef6f3 100755 --- a/contrib/cirrus/logcollector.sh +++ b/contrib/cirrus/logcollector.sh @@ -35,7 +35,6 @@ case $1 in podman runc skopeo - slirp4netns ) case $OS_RELEASE_ID in fedora*) diff --git a/docs/buildah-build.1.md b/docs/buildah-build.1.md index be891b02ebd..c219495387c 100644 --- a/docs/buildah-build.1.md +++ b/docs/buildah-build.1.md @@ -664,15 +664,6 @@ Valid _mode_ values are: - **ns:**_path_: path to a network namespace to join; - **private**: create a new namespace for the container (default) - **\**: Join the network with the given name or ID, e.g. use `--network mynet` to join the network with the name mynet. Only supported for rootful users. -- **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options, they can also be set with `network_cmd_options` in containers.conf: - - **allow_host_loopback=true|false**: Allow slirp4netns to reach the host loopback IP (default is 10.0.2.2 or the second IP from slirp4netns cidr subnet when changed, see the cidr option below). The default is false. - - **mtu=MTU**: Specify the MTU to use for this network. (Default is `65520`). - - **cidr=CIDR**: Specify ip range to use for this network. (Default is `10.0.2.0/24`). - - **enable_ipv6=true|false**: Enable IPv6. Default is true. (Required for `outbound_addr6`). - - **outbound_addr=INTERFACE**: Specify the outbound interface slirp binds to (ipv4 traffic only). - - **outbound_addr=IPv4**: Specify the outbound ipv4 address slirp binds to. - - **outbound_addr6=INTERFACE**: Specify the outbound interface slirp binds to (ipv6 traffic only). - - **outbound_addr6=IPv6**: Specify the outbound ipv6 address slirp binds to. - **pasta[:OPTIONS,...]**: use **pasta**(1) to create a user-mode networking stack. \ This is only supported in rootless mode. \ 
@@ -698,13 +689,12 @@ Valid _mode_ values are: - **pasta:--mtu,1500**: Specify a 1500 bytes MTU for the _tap_ interface in the container. - **pasta:--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,-m,1500,--no-ndp,--no-dhcpv6,--no-dhcp**, - equivalent to default slirp4netns(1) options: disable IPv6, assign + disable IPv6, assign `10.0.2.0/24` to the `tap0` interface in the container, with gateway `10.0.2.3`, enable DNS forwarder reachable at `10.0.2.3`, set MTU to 1500 bytes, disable NDP, DHCPv6 and DHCP support. - **pasta:-I,tap0,--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,--no-ndp,--no-dhcpv6,--no-dhcp**, - equivalent to default slirp4netns(1) options with Podman overrides: same as - above, but leave the MTU to 65520 bytes + same as above, but leave the MTU to 65520 bytes - **pasta:-t,auto,-u,auto,-T,auto,-U,auto**: enable automatic port forwarding based on observed bound ports from both host and container sides - **pasta:-T,5201**: enable forwarding of TCP port 5201 from container to diff --git a/docs/buildah-from.1.md b/docs/buildah-from.1.md index 33be7d65804..04cdd31cd11 100644 --- a/docs/buildah-from.1.md +++ b/docs/buildah-from.1.md 
@@ -307,15 +307,6 @@ Valid _mode_ values are: - **ns:**_path_: path to a network namespace to join; - **private**: create a new namespace for the container (default) - **\**: Join the network with the given name or ID, e.g. use `--network mynet` to join the network with the name mynet. Only supported for rootful users. -- **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options, they can also be set with `network_cmd_options` in containers.conf: - - **allow_host_loopback=true|false**: Allow slirp4netns to reach the host loopback IP (default is 10.0.2.2 or the second IP from slirp4netns cidr subnet when changed, see the cidr option below). The default is false. - - **mtu=MTU**: Specify the MTU to use for this network. (Default is `65520`). - - **cidr=CIDR**: Specify ip range to use for this network. (Default is `10.0.2.0/24`). - - **enable_ipv6=true|false**: Enable IPv6. Default is true. (Required for `outbound_addr6`). - - **outbound_addr=INTERFACE**: Specify the outbound interface slirp binds to (ipv4 traffic only). - - **outbound_addr=IPv4**: Specify the outbound ipv4 address slirp binds to. - - **outbound_addr6=INTERFACE**: Specify the outbound interface slirp binds to (ipv6 traffic only). - - **outbound_addr6=IPv6**: Specify the outbound ipv6 address slirp binds to. - **pasta[:OPTIONS,...]**: use **pasta**(1) to create a user-mode networking stack. \ This is only supported in rootless mode. \ 
@@ -341,13 +332,12 @@ Valid _mode_ values are: - **pasta:--mtu,1500**: Specify a 1500 bytes MTU for the _tap_ interface in the container. - **pasta:--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,-m,1500,--no-ndp,--no-dhcpv6,--no-dhcp**, - equivalent to default slirp4netns(1) options: disable IPv6, assign + disable IPv6, assign `10.0.2.0/24` to the `tap0` interface in the container, with gateway `10.0.2.3`, enable DNS forwarder reachable at `10.0.2.3`, set MTU to 1500 bytes, disable NDP, DHCPv6 and DHCP support. - **pasta:-I,tap0,--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,--no-ndp,--no-dhcpv6,--no-dhcp**, - equivalent to default slirp4netns(1) options with Podman overrides: same as - above, but leave the MTU to 65520 bytes + same as above, but leave the MTU to 65520 bytes - **pasta:-t,auto,-u,auto,-T,auto,-U,auto**: enable automatic port forwarding based on observed bound ports from both host and container sides - **pasta:-T,5201**: enable forwarding of TCP port 5201 from container to diff --git a/docs/buildah-run.1.md b/docs/buildah-run.1.md index 078bb0f2b8d..146ca02c3d6 100644 --- a/docs/buildah-run.1.md +++ b/docs/buildah-run.1.md 
@@ -195,15 +195,6 @@ Valid _mode_ values are: - **ns:**_path_: path to a network namespace to join; - **private**: create a new namespace for the container (default) - **\**: Join the network with the given name or ID, e.g. use `--network mynet` to join the network with the name mynet. Only supported for rootful users. -- **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options, they can also be set with `network_cmd_options` in containers.conf: - - **allow_host_loopback=true|false**: Allow slirp4netns to reach the host loopback IP (default is 10.0.2.2 or the second IP from slirp4netns cidr subnet when changed, see the cidr option below). The default is false. - - **mtu=MTU**: Specify the MTU to use for this network. (Default is `65520`). - - **cidr=CIDR**: Specify ip range to use for this network. (Default is `10.0.2.0/24`). - - **enable_ipv6=true|false**: Enable IPv6. Default is true. (Required for `outbound_addr6`). - - **outbound_addr=INTERFACE**: Specify the outbound interface slirp binds to (ipv4 traffic only). - - **outbound_addr=IPv4**: Specify the outbound ipv4 address slirp binds to. - - **outbound_addr6=INTERFACE**: Specify the outbound interface slirp binds to (ipv6 traffic only). - - **outbound_addr6=IPv6**: Specify the outbound ipv6 address slirp binds to. - **pasta[:OPTIONS,...]**: use **pasta**(1) to create a user-mode networking stack. \ This is only supported in rootless mode. \ 
@@ -229,13 +220,12 @@ Valid _mode_ values are: - **pasta:--mtu,1500**: Specify a 1500 bytes MTU for the _tap_ interface in the container. - **pasta:--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,-m,1500,--no-ndp,--no-dhcpv6,--no-dhcp**, - equivalent to default slirp4netns(1) options: disable IPv6, assign + disable IPv6, assign `10.0.2.0/24` to the `tap0` interface in the container, with gateway `10.0.2.3`, enable DNS forwarder reachable at `10.0.2.3`, set MTU to 1500 bytes, disable NDP, DHCPv6 and DHCP support. - **pasta:-I,tap0,--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,--no-ndp,--no-dhcpv6,--no-dhcp**, - equivalent to default slirp4netns(1) options with Podman overrides: same as - above, but leave the MTU to 65520 bytes + same as above, but leave the MTU to 65520 bytes - **pasta:-t,auto,-u,auto,-T,auto,-U,auto**: enable automatic port forwarding based on observed bound ports from both host and container sides - **pasta:-T,5201**: enable forwarding of TCP port 5201 from container to diff --git a/go.mod b/go.mod index 61e615e088a..d9086b2e27f 100644 --- a/go.mod +++ b/go.mod @@ -90,7 +90,7 @@ require ( github.com/klauspost/pgzip v1.2.6 // indirect github.com/manifoldco/promptui v0.9.0 // indirect github.com/mattn/go-runewidth v0.0.20 // indirect - github.com/mattn/go-sqlite3 v1.14.37 // indirect + github.com/mattn/go-sqlite3 v1.14.38 // indirect github.com/miekg/pkcs11 v1.1.1 // indirect github.com/mistifyio/go-zfs/v4 v4.0.0 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect 
@@ -110,7 +110,7 @@ require ( github.com/secure-systems-lab/go-securesystemslib v0.10.0 // indirect github.com/sigstore/fulcio v1.8.5 // indirect github.com/sigstore/protobuf-specs v0.5.0 // indirect - github.com/sigstore/sigstore v1.10.4 // indirect + github.com/sigstore/sigstore v1.10.5 // indirect github.com/smallstep/pkcs7 v0.1.1 // indirect github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 // indirect github.com/sylabs/sif/v2 v2.24.0 // indirect @@ -134,3 +134,5 @@ require ( sigs.k8s.io/yaml v1.6.0 // indirect tags.cncf.io/container-device-interface/specs-go v1.1.0 // indirect ) + +replace go.podman.io/common => github.com/lsm5/container-libs/common v0.0.0-20260406132453-36c3c76c317f diff --git a/go.sum b/go.sum index 10cf022e678..ab301c90d3b 100644 --- a/go.sum +++ b/go.sum 
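Review bot: The new `replace go.podman.io/common => github.com/lsm5/container-libs/common v0.0.0-20260406132453-36c3c76c317f` redirects a core dependency to a personal fork pinned by pseudo-version, and nothing in go.mod records why it is there or when it comes out. A replace to a non-organization fork is a supply-chain review item in its own right: every consumer of this module resolves the fork, and the pin is only as durable as that user's repository. If this is a bridge until the slirp4netns removal lands upstream, say so on the line, e.g. `// TODO: drop once the slirp4netns removal is in go.podman.io/common`, and switch to the upstream pseudo-version as soon as one exists. The matching go.sum entries for the fork are presumably those added in the next file section.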
@@ -139,14 +139,16 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/lsm5/container-libs/common v0.0.0-20260406132453-36c3c76c317f h1:kL+ojWml9qJmq/8Zm+itpZH/kZR+vIYt5D6pHHCkgRM= +github.com/lsm5/container-libs/common v0.0.0-20260406132453-36c3c76c317f/go.mod h1:qLDYVwhMiNQtG3pFPewYO4xfxoWEKjFgWx7zTEV5Pz4= github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYthEiA= github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg= github.com/mattn/go-runewidth v0.0.20 h1:WcT52H91ZUAwy8+HUkdM3THM6gXqXuLJi9O3rjcQQaQ= github.com/mattn/go-runewidth v0.0.20/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs= github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk= github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= -github.com/mattn/go-sqlite3 v1.14.37 h1:3DOZp4cXis1cUIpCfXLtmlGolNLp2VEqhiB/PARNBIg= -github.com/mattn/go-sqlite3 v1.14.37/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= +github.com/mattn/go-sqlite3 v1.14.38 h1:tDUzL85kMvOrvpCt8P64SbGgVFtJB11GPi2AdmITgb4= +github.com/mattn/go-sqlite3 v1.14.38/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU= github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/mistifyio/go-zfs/v4 v4.0.0 h1:sU0+5dX45tdDK5xNZ3HBi95nxUc48FS92qbIZEvpAg4= 
@@ -227,8 +229,8 @@ github.com/sigstore/fulcio v1.8.5 h1:HYTD1/L5wlBp8JxsWxUf8hmfaNBBF/x3r3p5l6tZwbA github.com/sigstore/fulcio v1.8.5/go.mod h1:tSLYK3JsKvJpDW1BsIsVHZgHj+f8TjXARzqIUWSsSPQ= github.com/sigstore/protobuf-specs v0.5.0 h1:F8YTI65xOHw70NrvPwJ5PhAzsvTnuJMGLkA4FIkofAY= github.com/sigstore/protobuf-specs v0.5.0/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc= -github.com/sigstore/sigstore v1.10.4 h1:ytOmxMgLdcUed3w1SbbZOgcxqwMG61lh1TmZLN+WeZE= -github.com/sigstore/sigstore v1.10.4/go.mod h1:tDiyrdOref3q6qJxm2G+JHghqfmvifB7hw+EReAfnbI= +github.com/sigstore/sigstore v1.10.5 h1:KqrOjDhNOVY+uOzQFat2FrGLClPPCb3uz8pK3wuI+ow= +github.com/sigstore/sigstore v1.10.5/go.mod h1:k/mcVVXw3I87dYG/iCVTSW2xTrW7vPzxxGic4KqsqXs= github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w= github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g= github.com/smallstep/pkcs7 v0.1.1 h1:x+rPdt2W088V9Vkjho4KtoggyktZJlMduZAtRHm68LU= @@ -283,8 +285,6 @@ go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4A go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg= go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw= go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA= -go.podman.io/common v0.67.1-0.20260325203629-8af78737e8bb h1:M7HBBoHTUUrqoEc2/EBjLohxFNfDiKIVwwFgJbBJPzI= -go.podman.io/common v0.67.1-0.20260325203629-8af78737e8bb/go.mod h1:BeZEvRCqnBigHU1pXTwl9zOa9vnlWsN8xu8qJ3aAax0= go.podman.io/image/v5 v5.39.2-0.20260325203629-8af78737e8bb h1:D7XAk5xUsl4e4HjeuudqIWC5WRParcxrHrbMEtKg8Zs= go.podman.io/image/v5 v5.39.2-0.20260325203629-8af78737e8bb/go.mod h1:d2xLDZUX546mC7wGaRNC/FxDKTrcopsUWAIUnmRfNxY= go.podman.io/storage v1.62.1-0.20260325203629-8af78737e8bb h1:gTawPpGgB21JF6uNQESpO+s/nbG9LzL53cCMYCSnSXk= 
diff --git a/internal/mkcw/embed/entrypoint_amd64.gz b/internal/mkcw/embed/entrypoint_amd64.gz index 5c5f81c18e4..e5fed2b3ce0 100755 Binary files a/internal/mkcw/embed/entrypoint_amd64.gz and b/internal/mkcw/embed/entrypoint_amd64.gz differ diff --git a/run_common.go b/run_common.go index 640e375c417..098d766fc48 100644 --- a/run_common.go +++ b/run_common.go @@ -389,8 +389,8 @@ func checkAndOverrideIsolationOptions(isolation define.Isolation, options *RunOp case IsolationOCIRootless: // only change the netns if the caller did not set it if ns := options.NamespaceOptions.Find(string(specs.NetworkNamespace)); ns == nil { - if _, err := exec.LookPath("slirp4netns"); err != nil { - // if slirp4netns is not installed we have to use the hosts net namespace + if _, err := exec.LookPath("pasta"); err != nil { + // if pasta is not installed we have to use the hosts net namespace options.NamespaceOptions.AddOrReplace(define.NamespaceOption{Name: string(specs.NetworkNamespace), Host: true}) } } diff --git a/run_linux.go b/run_linux.go index c3dbaf7972a..676adcbe245 100644 --- a/run_linux.go +++ b/run_linux.go @@ -12,7 +12,6 @@ import ( "slices" "strings" "sync" - "syscall" "github.com/containers/buildah/bind" "github.com/containers/buildah/chroot" @@ -33,7 +32,6 @@ import ( "go.podman.io/common/libnetwork/etchosts" "go.podman.io/common/libnetwork/pasta" "go.podman.io/common/libnetwork/resolvconf" - "go.podman.io/common/libnetwork/slirp4netns" nettypes "go.podman.io/common/libnetwork/types" netUtil "go.podman.io/common/libnetwork/util" "go.podman.io/common/pkg/capabilities" 
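Review bot: The fallback in `checkAndOverrideIsolationOptions` still silently gives a rootless build the host network namespace whenever `exec.LookPath("pasta")` fails, and with slirp4netns gone pasta is now the only path that avoids that downgrade. Sharing the host netns is a real change in exposure for the build, so the new comment should name the consequence and the fallback should be logged rather than silent, e.g. `// pasta is not installed: fall back to the host network namespace (the rootless build loses network isolation)` plus a warning through whatever logger run_common.go already uses. Consider `pasta.BinaryName` instead of the literal `"pasta"`, as run_linux.go does, if the pasta package is importable here. The enclosing function starts and ends outside the hunk.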
@@ -689,46 +687,6 @@ func addCommonOptsToSpec(commonOpts *define.CommonBuildOptions, g *generate.Gene return nil } -func setupSlirp4netnsNetwork(config *config.Config, netns, cid string, options, hostnames []string) (func(), *netResult, error) { - // we need the TmpDir for the slirp4netns code - if err := os.MkdirAll(config.Engine.TmpDir, 0o751); err != nil { - return nil, nil, fmt.Errorf("failed to create tempdir: %w", err) - } - res, err := slirp4netns.Setup(&slirp4netns.SetupOptions{ - Config: config, - ContainerID: cid, - Netns: netns, - ExtraOptions: options, - Pdeathsig: syscall.SIGKILL, - }) - if err != nil { - return nil, nil, err - } - - ip, err := slirp4netns.GetIP(res.Subnet) - if err != nil { - return nil, nil, fmt.Errorf("get slirp4netns ip: %w", err) - } - - dns, err := slirp4netns.GetDNS(res.Subnet) - if err != nil { - return nil, nil, fmt.Errorf("get slirp4netns dns ip: %w", err) - } - - result := &netResult{ - entries: etchosts.HostEntries{{IP: ip.String(), Names: hostnames}}, - dnsServers: []string{dns.String()}, - ipv6: res.IPv6, - keepHostResolvers: true, - } - - return func() { - syscall.Kill(res.Pid, syscall.SIGKILL) //nolint:errcheck - var status syscall.WaitStatus - syscall.Wait4(res.Pid, &status, 0, nil) //nolint:errcheck - }, result, nil -} - func setupPasta(config *config.Config, netns string, options, hostnames []string) (func(), *netResult, error) { res, err := pasta.Setup(&pasta.SetupOptions{ Config: config, @@ -776,8 +734,6 @@ func (b *Builder) runConfigureNetwork(pid int, isolation define.Isolation, optio } if isolation == IsolationOCIRootless && name == "" { switch defConfig.Network.DefaultRootlessNetworkCmd { - case slirp4netns.BinaryName, "": - name = slirp4netns.BinaryName case pasta.BinaryName: name = pasta.BinaryName default: 
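Review bot: In `runConfigureNetwork`, deleting `case slirp4netns.BinaryName, "":` also deletes the handling of an empty `DefaultRootlessNetworkCmd`, so an unset value now reaches `default:` (whose body is outside the hunk) instead of selecting a backend. The vendored netns_linux.go in this same change folds the empty string into pasta with `case "", pasta.BinaryName:`; the switch here should do the same, `case "", pasta.BinaryName:` followed by `name = pasta.BinaryName`, unless `default:` is verified to yield pasta rather than an error. `runConfigureNetwork` begins and ends outside the hunk.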
@@ -787,8 +743,6 @@ func (b *Builder) runConfigureNetwork(pid int, isolation define.Isolation, optio } switch { - case name == slirp4netns.BinaryName: - return setupSlirp4netnsNetwork(defConfig, netns, containerName, netOpts, hostnames) case name == pasta.BinaryName: return setupPasta(defConfig, netns, netOpts, hostnames) diff --git a/tests/bud.bats b/tests/bud.bats index f9b5374319e..399380e1a8f 100644 --- a/tests/bud.bats +++ b/tests/bud.bats @@ -7713,22 +7713,6 @@ _EOF fi } -@test "bud with --network slirp4netns" { - skip_if_no_runtime - skip_if_in_container - skip_if_chroot - - _prefetch alpine - - run_buildah bud $WITH_POLICY_JSON --network slirp4netns $BUDFILES/network - # default subnet is 10.0.2.100/24 - assert "$output" =~ "10.0.2.100/24" "ip addr shows default subnet" - - run_buildah bud $WITH_POLICY_JSON --network slirp4netns:cidr=192.168.255.0/24,mtu=2000 $BUDFILES/network - assert "$output" =~ "192.168.255.100/24" "ip addr shows custom subnet" - assert "$output" =~ "mtu 2000" "ip addr shows mtu 2000" -} - @test "bud with --network pasta" { skip_if_no_runtime skip_if_chroot diff --git a/tests/run.bats b/tests/run.bats index 882e79fffc1..7517d942a80 100644 --- a/tests/run.bats +++ b/tests/run.bats @@ -704,10 +704,6 @@ function configure_and_check_user() { expect_output --substring "(10.88.*|10.0.2.100)[[:blank:]]$cid" assert "$output" !~ "(10.88.*|10.0.2.100)[[:blank:]]host1 $cid" "Container IP should not contain host1" - # check slirp4netns sets correct hostname with another cidr - run_buildah run --network slirp4netns:cidr=192.168.2.0/24 --hostname $hostname $cid cat /etc/hosts - expect_output --substring "192.168.2.100[[:blank:]]$hostname $cid" - run_buildah run --network=container $cid cat /etc/hosts m=$(buildah mount $cid) run cat $m/etc/hosts 
@@ -788,9 +784,9 @@ function configure_and_check_user() { # filter out 127... nameservers run grep -v "nameserver 127." <<< "$output" nameservers="$output" - # in case of rootless add extra slirp4netns nameserver + # in case of rootless add extra pasta nameserver if is_rootless; then - nameservers="nameserver 10.0.2.3 + nameservers="nameserver 169.254.1.1 $output" fi run_buildah from --quiet --pull=false $WITH_POLICY_JSON alpine diff --git a/tests/tmt/system.fmf b/tests/tmt/system.fmf index 835f959a35b..dc84a01a7c0 100644 --- a/tests/tmt/system.fmf +++ b/tests/tmt/system.fmf @@ -1,7 +1,6 @@ require: - buildah-tests - git-daemon - - slirp4netns environment: BUILDAH_BINARY: /usr/bin/buildah diff --git a/vendor/github.com/mattn/go-sqlite3/sqlite3.go b/vendor/github.com/mattn/go-sqlite3/sqlite3.go index dffc2bda2df..76b0f2324c1 100644 --- a/vendor/github.com/mattn/go-sqlite3/sqlite3.go +++ b/vendor/github.com/mattn/go-sqlite3/sqlite3.go @@ -875,7 +875,7 @@ func (c *SQLiteConn) exec(ctx context.Context, query string, args []driver.Named // consume the number of arguments used in the current // statement and append all named arguments not // contained therein - if len(args[start:start+na]) > 0 { + if na > 0 { stmtArgs = append(stmtArgs, args[start:start+na]...) for i := range args { if (i < start || i >= na) && args[i].Name != "" { @@ -1968,7 +1968,7 @@ func (s *SQLiteStmt) bind(args []driver.NamedValue) error { bindIndices := make([][3]int, len(args)) prefixes := []string{":", "@", "$"} for i, v := range args { - bindIndices[i][0] = args[i].Ordinal + bindIndices[i][0] = v.Ordinal if v.Name != "" { for j := range prefixes { cname := C.CString(prefixes[j] + v.Name) @@ -2179,7 +2179,7 @@ func (rc *SQLiteRows) Columns() []string { defer rc.s.mu.Unlock() if rc.s.s != nil && int(rc.nc) != len(rc.cols) { rc.cols = make([]string, rc.nc) - for i := 0; i < int(rc.nc); i++ { + for i := range rc.cols { rc.cols[i] = C.GoString(C.sqlite3_column_name(rc.s.s, C.int(i))) } } 
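Review bot: The rootless branch now hardcodes `nameserver 169.254.1.1` with only "add extra pasta nameserver" as explanation, while the preceding hunk of this file still matches `10.0.2.100`, the old slirp4netns default address, in its `expect_output` pattern even though slirp4netns can no longer be selected. State where the value comes from next to it, e.g. `# rootless: pasta's DNS forwarder address is prepended to the host nameservers`, citing whichever containers.conf or pasta default this repository actually relies on; 169.254.1.1 is presumably pasta's default `--dns-forward` address but the test should not leave the reader to guess. The `10.0.2.100` alternative in the earlier pattern looks dead now and is worth a follow-up cleanup. The enclosing test starts and ends outside the hunk.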
@@ -2189,7 +2189,7 @@ func (rc *SQLiteRows) Columns() []string { func (rc *SQLiteRows) declTypes() []string { if rc.s.s != nil && rc.decltype == nil { rc.decltype = make([]string, rc.nc) - for i := 0; i < int(rc.nc); i++ { + for i := range rc.decltype { rc.decltype[i] = strings.ToLower(C.GoString(C.sqlite3_column_decltype(rc.s.s, C.int(i)))) } } @@ -2251,11 +2251,13 @@ func (rc *SQLiteRows) nextSyncLocked(dest []driver.Value) error { rc.declTypes() + decltype := rc.decltype + _ = decltype[len(dest)-1] for i := range dest { switch C.sqlite3_column_type(rc.s.s, C.int(i)) { case C.SQLITE_INTEGER: val := int64(C.sqlite3_column_int64(rc.s.s, C.int(i))) - switch rc.decltype[i] { + switch decltype[i] { case columnTimestamp, columnDatetime, columnDate: var t time.Time // Assume a millisecond unix timestamp if it's 13 digits -- too @@ -2295,7 +2297,7 @@ func (rc *SQLiteRows) nextSyncLocked(dest []driver.Value) error { n := int(C.sqlite3_column_bytes(rc.s.s, C.int(i))) s := C.GoStringN((*C.char)(unsafe.Pointer(C.sqlite3_column_text(rc.s.s, C.int(i)))), C.int(n)) - switch rc.decltype[i] { + switch decltype[i] { case columnTimestamp, columnDatetime, columnDate: var t time.Time s = strings.TrimSuffix(s, "Z") diff --git a/vendor/github.com/mattn/go-sqlite3/sqlite3_opt_vtable.go b/vendor/github.com/mattn/go-sqlite3/sqlite3_opt_vtable.go index 9b164b3e0b3..9761bf3570e 100644 --- a/vendor/github.com/mattn/go-sqlite3/sqlite3_opt_vtable.go +++ b/vendor/github.com/mattn/go-sqlite3/sqlite3_opt_vtable.go 
@@ -301,10 +301,18 @@ const ( OpLT = 16 OpGE = 32 OpMATCH = 64 - OpLIKE = 65 /* 3.10.0 and later only */ - OpGLOB = 66 /* 3.10.0 and later only */ - OpREGEXP = 67 /* 3.10.0 and later only */ - OpScanUnique = 1 /* Scan visits at most 1 row */ + OpLIKE = 65 /* 3.10.0 and later only */ + OpGLOB = 66 /* 3.10.0 and later only */ + OpREGEXP = 67 /* 3.10.0 and later only */ + OpNE = 68 /* 3.21.0 and later only */ + OpISNOT = 69 /* 3.21.0 and later */ + OpISNOTNULL = 70 /* 3.21.0 and later */ + OpISNULL = 71 /* 3.21.0 and later */ + OpIS = 72 /* 3.21.0 and later */ + OpLIMIT = 73 /* 3.38.0 and later */ + OpOFFSET = 74 /* 3.38.0 and later */ + OpFUNCTION = 150 /* 3.25.0 and later */ + OpScanUnique = 1 /* Scan visits at most 1 row */ ) // InfoConstraint give information of constraint. diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/algorithm_registry.go b/vendor/github.com/sigstore/sigstore/pkg/signature/algorithm_registry.go index 02c032b02df..802256ac65f 100644 --- a/vendor/github.com/sigstore/sigstore/pkg/signature/algorithm_registry.go +++ b/vendor/github.com/sigstore/sigstore/pkg/signature/algorithm_registry.go @@ -62,7 +62,7 @@ type AlgorithmDetails struct { // The underlying type of these parameters is dependent on the keyType. // For example, ECDSA algorithms will store an elliptic curve here whereas, RSA keys will store the key size. // Algorithms that don't require any extra parameters leave this set to nil. - extraKeyParams interface{} + extraKeyParams any // flagValue is a string representation of the signature algorithm that follows the naming conventions of CLI // arguments that are used for Sigstore services. 
@@ -157,7 +157,7 @@ var supportedAlgorithms = []AlgorithmDetails{ {v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256, RSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, RSAKeySize(4096), "rsa-sign-pkcs1-4096-sha256"}, {v1.PublicKeyDetails_PKIX_RSA_PSS_2048_SHA256, RSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, RSAKeySize(2048), "rsa-sign-pss-2048-sha256"}, {v1.PublicKeyDetails_PKIX_RSA_PSS_3072_SHA256, RSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, RSAKeySize(3072), "rsa-sign-pss-3072-sha256"}, - {v1.PublicKeyDetails_PKIX_RSA_PSS_4096_SHA256, RSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, RSAKeySize(4096), "rsa-sign-pss-4092-sha256"}, + {v1.PublicKeyDetails_PKIX_RSA_PSS_4096_SHA256, RSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, RSAKeySize(4096), "rsa-sign-pss-4096-sha256"}, {v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256, ECDSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, elliptic.P256(), "ecdsa-sha2-256-nistp256"}, {v1.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384, ECDSA, crypto.SHA384, v1.HashAlgorithm_SHA2_384, elliptic.P384(), "ecdsa-sha2-384-nistp384"}, {v1.PublicKeyDetails_PKIX_ECDSA_P384_SHA_256, ECDSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, elliptic.P384(), "ecdsa-sha2-256-nistp384"}, //nolint:staticcheck diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/message.go b/vendor/github.com/sigstore/sigstore/pkg/signature/message.go index 44771ff3daa..bd715b0c540 100644 --- a/vendor/github.com/sigstore/sigstore/pkg/signature/message.go +++ b/vendor/github.com/sigstore/sigstore/pkg/signature/message.go 
@@ -21,18 +21,14 @@ import ( "errors" "fmt" "io" + "slices" ) func isSupportedAlg(alg crypto.Hash, supportedAlgs []crypto.Hash) bool { if supportedAlgs == nil { return true } - for _, supportedAlg := range supportedAlgs { - if alg == supportedAlg { - return true - } - } - return false + return slices.Contains(supportedAlgs, alg) } // ComputeDigestForSigning calculates the digest value for the specified message using a hash function selected by the following process: diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/payload/payload.go b/vendor/github.com/sigstore/sigstore/pkg/signature/payload/payload.go index cab6f5b98a7..58cbff79736 100644 --- a/vendor/github.com/sigstore/sigstore/pkg/signature/payload/payload.go +++ b/vendor/github.com/sigstore/sigstore/pkg/signature/payload/payload.go @@ -29,8 +29,8 @@ const CosignSignatureType = "cosign container image signature" // SimpleContainerImage describes the structure of a basic container image signature payload, as defined at: // https://github.com/containers/image/blob/main/docs/containers-signature.5.md#json-data-format type SimpleContainerImage struct { - Critical Critical `json:"critical"` // Critical data critical to correctly evaluating the validity of the signature - Optional map[string]interface{} `json:"optional"` // Optional optional metadata about the image + Critical Critical `json:"critical"` // Critical data critical to correctly evaluating the validity of the signature + Optional map[string]any `json:"optional"` // Optional optional metadata about the image } // Critical data critical to correctly evaluating the validity of a signature 
@@ -65,7 +65,7 @@ type Cosign struct { // - Older versions of cosign generate signatures where ClaimedIdentity only contains a registry/…/repo ; signature consumers should allow users // to determine whether such images should be accepted (and, long-term, the default SHOULD be to reject them) ClaimedIdentity string - Annotations map[string]interface{} + Annotations map[string]any } // SimpleContainerImage returns information about a container image in the github.com/containers/image/signature format diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/util.go b/vendor/github.com/sigstore/sigstore/pkg/signature/util.go index 3f8beff49c8..e4d7c4190db 100644 --- a/vendor/github.com/sigstore/sigstore/pkg/signature/util.go +++ b/vendor/github.com/sigstore/sigstore/pkg/signature/util.go @@ -28,7 +28,7 @@ import ( ) // SignImage signs a container manifest using the specified signer object -func SignImage(signer SignerVerifier, image name.Digest, optionalAnnotations map[string]interface{}) (payload, signature []byte, err error) { +func SignImage(signer SignerVerifier, image name.Digest, optionalAnnotations map[string]any) (payload, signature []byte, err error) { imgPayload := sigpayload.Cosign{ Image: image, Annotations: optionalAnnotations, @@ -45,7 +45,7 @@ func SignImage(signer SignerVerifier, image name.Digest, optionalAnnotations map } // VerifyImageSignature verifies a signature over a container manifest -func VerifyImageSignature(signer SignerVerifier, payload, signature []byte) (image name.Digest, annotations map[string]interface{}, err error) { +func VerifyImageSignature(signer SignerVerifier, payload, signature []byte) (image name.Digest, annotations map[string]any, err error) { if err := signer.VerifySignature(bytes.NewReader(signature), bytes.NewReader(payload)); err != nil { return name.Digest{}, nil, fmt.Errorf("signature verification failed: %w", err) } 
diff --git a/vendor/go.podman.io/common/libnetwork/internal/rootlessnetns/netns_linux.go b/vendor/go.podman.io/common/libnetwork/internal/rootlessnetns/netns_linux.go index 049df8dc357..548dad39743 100644 --- a/vendor/go.podman.io/common/libnetwork/internal/rootlessnetns/netns_linux.go +++ b/vendor/go.podman.io/common/libnetwork/internal/rootlessnetns/netns_linux.go @@ -5,7 +5,6 @@ import ( "errors" "fmt" "io/fs" - "net" "os" "path/filepath" "strconv" @@ -17,7 +16,6 @@ import ( "github.com/sirupsen/logrus" "go.podman.io/common/libnetwork/pasta" "go.podman.io/common/libnetwork/resolvconf" - "go.podman.io/common/libnetwork/slirp4netns" "go.podman.io/common/libnetwork/types" "go.podman.io/common/pkg/config" "go.podman.io/common/pkg/netns" @@ -37,7 +35,7 @@ const ( // infoCacheFile file name for the cache file used to store the rootless netns info. infoCacheFile = "info.json" - // rootlessNetNsConnPidFile is the name of the rootless netns slirp4netns/pasta pid file. + // rootlessNetNsConnPidFile is the name of the rootless netns pasta pid file. rootlessNetNsConnPidFile = "rootless-netns-conn.pid" tmpfs = "tmpfs" @@ -107,7 +105,7 @@ func (n *Netns) getOrCreateNetns() (netns.NetNS, bool, error) { pidPath := n.getPath(rootlessNetNsConnPidFile) pid, err := readPidFile(pidPath) if err == nil { - // quick check if pasta/slirp4netns are still running + // quick check if pasta is still running err := unix.Kill(pid, 0) if err == nil { if err := n.deserializeInfo(); err != nil { 
@@ -149,14 +147,12 @@ func (n *Netns) getOrCreateNetns() (netns.NetNS, bool, error) { } } switch strings.ToLower(n.config.Network.DefaultRootlessNetworkCmd) { - case "", slirp4netns.BinaryName: - err = n.setupSlirp4netns(nsPath) - case pasta.BinaryName: + case "", pasta.BinaryName: err = n.setupPasta(nsPath) default: err = fmt.Errorf("invalid rootless network command %q", n.config.Network.DefaultRootlessNetworkCmd) } - // If pasta or slirp4netns fail here we need to get rid of the netns again to not leak it, + // If pasta fails here we need to get rid of the netns again to not leak it, // otherwise the next command thinks the netns was successfully setup. if err != nil { if nerr := netns.UnmountNS(nsPath); nerr != nil { @@ -215,7 +211,7 @@ func (n *Netns) setupPasta(nsPath string) error { return fmt.Errorf("unable to decode pasta PID: %w", err) } - if err := systemd.MoveRootlessNetnsSlirpProcessToUserSlice(pid); err != nil { + if err := systemd.MoveRootlessNetnsProcessToUserSlice(pid); err != nil { // only log this, it is not fatal but can lead to issues when running podman inside systemd units logrus.Errorf("failed to move the rootless netns pasta process to the systemd user.slice: %v", err) } 
@@ -246,68 +242,6 @@ func (n *Netns) setupPasta(nsPath string) error { return nil } -func (n *Netns) setupSlirp4netns(nsPath string) error { - res, err := slirp4netns.Setup(&slirp4netns.SetupOptions{ - Config: n.config, - ContainerID: "rootless-netns", - Netns: nsPath, - }) - if err != nil { - return wrapError("start slirp4netns", err) - } - // create pid file for the slirp4netns process - // this is need to kill the process in the cleanup - pid := strconv.Itoa(res.Pid) - err = os.WriteFile(n.getPath(rootlessNetNsConnPidFile), []byte(pid), 0o600) - if err != nil { - return wrapError("write slirp4netns pid file", err) - } - - if systemd.RunsOnSystemd() { - // move to systemd scope to prevent systemd from killing it - err = systemd.MoveRootlessNetnsSlirpProcessToUserSlice(res.Pid) - if err != nil { - // only log this, it is not fatal but can lead to issues when running podman inside systemd units - logrus.Errorf("failed to move the rootless netns slirp4netns process to the systemd user.slice: %v", err) - } - } - - // build a new resolv.conf file which uses the slirp4netns dns server address - resolveIP, err := slirp4netns.GetDNS(res.Subnet) - if err != nil { - return wrapError("determine default slirp4netns DNS address", err) - } - nameservers := []string{resolveIP.String()} - - netnsIP, err := slirp4netns.GetIP(res.Subnet) - if err != nil { - return wrapError("determine default slirp4netns ip address", err) - } - - if err := resolvconf.New(&resolvconf.Params{ - Path: n.getPath(resolvConfName), - // fake the netns since we want to filter localhost - Namespaces: []specs.LinuxNamespace{ - {Type: specs.NetworkNamespace}, - }, - IPv6Enabled: res.IPv6, - KeepHostServers: true, - Nameservers: nameservers, - }); err != nil { - return wrapError("create resolv.conf", err) - } - - n.info = &types.RootlessNetnsInfo{ - IPAddresses: []net.IP{*netnsIP}, - DnsForwardIps: nameservers, - } - if err := n.serializeInfo(); err != nil { - return wrapError("serialize info", err) - } - - 
return nil
-}
-
 func (n *Netns) cleanupRootlessNetns() error {
 pidFile := n.getPath(rootlessNetNsConnPidFile)
 pid, err := readPidFile(pidFile)
@@ -317,7 +251,7 @@ func (n *Netns) cleanupRootlessNetns() error {
 return nil
 }
 if err == nil {
- // kill the slirp/pasta process so we do not leak it
+ // kill the pasta process so we do not leak it
 err = unix.Kill(pid, unix.SIGTERM)
 if err == unix.ESRCH {
 err = nil
diff --git a/vendor/go.podman.io/common/libnetwork/slirp4netns/const.go b/vendor/go.podman.io/common/libnetwork/slirp4netns/const.go
deleted file mode 100644
index 82f3bff3a0b..00000000000
--- a/vendor/go.podman.io/common/libnetwork/slirp4netns/const.go
+++ /dev/null
@@ -1,17 +0,0 @@
-package slirp4netns
-
-import "net"
-
-const (
- BinaryName = "slirp4netns"
-)
-
-// SetupResult return type from Setup().
-type SetupResult struct {
- // Pid of the created slirp4netns process
- Pid int
- // Subnet which is used by slirp4netns
- Subnet *net.IPNet
- // IPv6 whenever Ipv6 is enabled in slirp4netns
- IPv6 bool
-}
diff --git a/vendor/go.podman.io/common/libnetwork/slirp4netns/const_linux.go b/vendor/go.podman.io/common/libnetwork/slirp4netns/const_linux.go
deleted file mode 100644
index 8e2742fe3fe..00000000000
--- a/vendor/go.podman.io/common/libnetwork/slirp4netns/const_linux.go
+++ /dev/null
@@ -1,11 +0,0 @@
-package slirp4netns
-
-const (
- ipv6ConfDefaultAcceptDadSysctl = "/proc/sys/net/ipv6/conf/default/accept_dad"
-
- // defaultMTU the default MTU override.
- defaultMTU = 65520
-
- // default slirp4ns subnet.
- defaultSubnet = "10.0.2.0/24"
-)
diff --git a/vendor/go.podman.io/common/libnetwork/slirp4netns/slirp4netns.go b/vendor/go.podman.io/common/libnetwork/slirp4netns/slirp4netns.go
deleted file mode 100644
index 74126c608ca..00000000000
--- a/vendor/go.podman.io/common/libnetwork/slirp4netns/slirp4netns.go
+++ /dev/null
@@ -1,740 +0,0 @@ -//go:build linux - -package slirp4netns - -import ( - "bytes" - "encoding/json" - "errors" - "fmt" - "io" - "net" - "os" - "os/exec" - "path/filepath" - "strconv" - "strings" - "sync" - "syscall" - "time" - - "github.com/sirupsen/logrus" - "go.podman.io/common/libnetwork/types" - "go.podman.io/common/pkg/config" - "go.podman.io/common/pkg/netns" - "go.podman.io/common/pkg/rootlessport" - "go.podman.io/common/pkg/servicereaper" - "go.podman.io/common/pkg/util" -) - -type slirpFeatures struct { - HasDisableHostLoopback bool - HasMTU bool - HasEnableSandbox bool - HasEnableSeccomp bool - HasCIDR bool - HasOutboundAddr bool - HasIPv6 bool -} - -type slirp4netnsCmdArg struct { - Proto string `json:"proto,omitempty"` - HostAddr string `json:"host_addr"` - HostPort uint16 `json:"host_port"` - GuestAddr string `json:"guest_addr"` - GuestPort uint16 `json:"guest_port"` -} - -type slirp4netnsCmd struct { - Execute string `json:"execute"` - Args slirp4netnsCmdArg `json:"arguments"` -} - -type networkOptions struct { - cidr string - disableHostLoopback bool - enableIPv6 bool - isSlirpHostForward bool - noPivotRoot bool - mtu int - outboundAddr string - outboundAddr6 string -} - -type SetupOptions struct { - // Config used to get slip4netns path and other default options - Config *config.Config - // ContainerID is the ID of the container - ContainerID string - // Netns path to the netns - Netns string - // Ports the should be forwarded - Ports []types.PortMapping - // ExtraOptions for slirp4netns that were set on the cli - ExtraOptions []string - // Slirp4netnsExitPipeR pipe used to exit the slirp4netns process. - // This is must be the reading end, the writer must be kept open until you want the - // process to exit. For podman, conmon will hold the pipe open. - // It can be set to nil in which case we do not use the pipe exit and the caller - // must use the returned pid to kill the process after it is done. 
- Slirp4netnsExitPipeR *os.File - // RootlessPortSyncPipe pipe used to exit the rootlessport process. - // Same as Slirp4netnsExitPipeR, except this is only used when ports are given. - RootlessPortExitPipeR *os.File - // Pdeathsig is the signal which is send to slirp4netns process if the calling thread - // exits. The caller is responsible for locking the thread with runtime.LockOSThread(). - Pdeathsig syscall.Signal -} - -type logrusDebugWriter struct { - prefix string -} - -func (w *logrusDebugWriter) Write(p []byte) (int, error) { - logrus.Debugf("%s%s", w.prefix, string(p)) - return len(p), nil -} - -func checkSlirpFlags(path string) (*slirpFeatures, error) { - cmd := exec.Command(path, "--help") - out, err := cmd.CombinedOutput() - if err != nil { - return nil, fmt.Errorf("slirp4netns %q: %w", out, err) - } - return &slirpFeatures{ - HasDisableHostLoopback: strings.Contains(string(out), "--disable-host-loopback"), - HasMTU: strings.Contains(string(out), "--mtu"), - HasEnableSandbox: strings.Contains(string(out), "--enable-sandbox"), - HasEnableSeccomp: strings.Contains(string(out), "--enable-seccomp"), - HasCIDR: strings.Contains(string(out), "--cidr"), - HasOutboundAddr: strings.Contains(string(out), "--outbound-addr"), - HasIPv6: strings.Contains(string(out), "--enable-ipv6"), - }, nil -} - -func parseNetworkOptions(config *config.Config, extraOptions []string) (*networkOptions, error) { - options := make([]string, 0, len(config.Engine.NetworkCmdOptions.Get())+len(extraOptions)) - options = append(options, config.Engine.NetworkCmdOptions.Get()...) - options = append(options, extraOptions...) 
- opts := &networkOptions{ - // overwrite defaults - disableHostLoopback: true, - mtu: defaultMTU, - noPivotRoot: config.Engine.NoPivotRoot, - enableIPv6: true, - } - for _, o := range options { - option, value, ok := strings.Cut(o, "=") - if !ok { - return nil, fmt.Errorf("unknown option for slirp4netns: %q", o) - } - switch option { - case "cidr": - ipv4, _, err := net.ParseCIDR(value) - if err != nil || ipv4.To4() == nil { - return nil, fmt.Errorf("invalid cidr %q", value) - } - opts.cidr = value - case "port_handler": - switch value { - case "slirp4netns": - opts.isSlirpHostForward = true - case "rootlesskit": - opts.isSlirpHostForward = false - default: - return nil, fmt.Errorf("unknown port_handler for slirp4netns: %q", value) - } - case "allow_host_loopback": - switch value { - case "true": - opts.disableHostLoopback = false - case "false": - opts.disableHostLoopback = true - default: - return nil, fmt.Errorf("invalid value of allow_host_loopback for slirp4netns: %q", value) - } - case "enable_ipv6": - switch value { - case "true": - opts.enableIPv6 = true - case "false": - opts.enableIPv6 = false - default: - return nil, fmt.Errorf("invalid value of enable_ipv6 for slirp4netns: %q", value) - } - case "outbound_addr": - ipv4 := net.ParseIP(value) - if ipv4 == nil || ipv4.To4() == nil { - _, err := net.InterfaceByName(value) - if err != nil { - return nil, fmt.Errorf("invalid outbound_addr %q", value) - } - } - opts.outboundAddr = value - case "outbound_addr6": - ipv6 := net.ParseIP(value) - if ipv6 == nil || ipv6.To4() != nil { - _, err := net.InterfaceByName(value) - if err != nil { - return nil, fmt.Errorf("invalid outbound_addr6: %q", value) - } - } - opts.outboundAddr6 = value - case "mtu": - var err error - opts.mtu, err = strconv.Atoi(value) - if opts.mtu < 68 || err != nil { - return nil, fmt.Errorf("invalid mtu %q", value) - } - default: - return nil, fmt.Errorf("unknown option for slirp4netns: %q", o) - } - } - return opts, nil -} - -func 
createBasicSlirpCmdArgs(options *networkOptions, features *slirpFeatures) ([]string, error) { - cmdArgs := []string{} - if options.disableHostLoopback && features.HasDisableHostLoopback { - cmdArgs = append(cmdArgs, "--disable-host-loopback") - } - if options.mtu > -1 && features.HasMTU { - cmdArgs = append(cmdArgs, "--mtu="+strconv.Itoa(options.mtu)) - } - if !options.noPivotRoot && features.HasEnableSandbox { - cmdArgs = append(cmdArgs, "--enable-sandbox") - } - if features.HasEnableSeccomp { - cmdArgs = append(cmdArgs, "--enable-seccomp") - } - - if options.cidr != "" { - if !features.HasCIDR { - return nil, errors.New("cidr not supported") - } - cmdArgs = append(cmdArgs, "--cidr="+options.cidr) - } - - if options.enableIPv6 { - if !features.HasIPv6 { - return nil, errors.New("enable_ipv6 not supported") - } - cmdArgs = append(cmdArgs, "--enable-ipv6") - } - - if options.outboundAddr != "" { - if !features.HasOutboundAddr { - return nil, errors.New("outbound_addr not supported") - } - cmdArgs = append(cmdArgs, "--outbound-addr="+options.outboundAddr) - } - - if options.outboundAddr6 != "" { - if !features.HasOutboundAddr || !features.HasIPv6 { - return nil, errors.New("outbound_addr6 not supported") - } - if !options.enableIPv6 { - return nil, errors.New("enable_ipv6=true is required for outbound_addr6") - } - cmdArgs = append(cmdArgs, "--outbound-addr6="+options.outboundAddr6) - } - - return cmdArgs, nil -} - -// Setup can be called in rootful as well as in rootless. -// Spawns the slirp4netns process and setup port forwarding if ports are given. 
-func Setup(opts *SetupOptions) (*SetupResult, error) { - var err error - path, err := opts.Config.FindHelperBinary(BinaryName, true) - if err != nil { - return nil, fmt.Errorf("could not find slirp4netns, the network namespace can't be configured: %w", err) - } - - syncR, syncW, err := os.Pipe() - if err != nil { - return nil, fmt.Errorf("failed to open pipe: %w", err) - } - defer closeQuiet(syncR) - defer closeQuiet(syncW) - - havePortMapping := len(opts.Ports) > 0 - logPath := filepath.Join(opts.Config.Engine.TmpDir, fmt.Sprintf("slirp4netns-%s.log", opts.ContainerID)) - - netOptions, err := parseNetworkOptions(opts.Config, opts.ExtraOptions) - if err != nil { - return nil, err - } - slirpFeatures, err := checkSlirpFlags(path) - if err != nil { - return nil, fmt.Errorf("checking slirp4netns binary %s: %q: %w", path, err, err) - } - cmdArgs, err := createBasicSlirpCmdArgs(netOptions, slirpFeatures) - if err != nil { - return nil, err - } - - // the slirp4netns arguments being passed are described as follows: - // from the slirp4netns documentation: https://github.com/rootless-containers/slirp4netns - // -c, --configure Brings up the tap interface - // -e, --exit-fd=FD specify the FD for terminating slirp4netns - // -r, --ready-fd=FD specify the FD to write to when the initialization steps are finished - cmdArgs = append(cmdArgs, "-c", "-r", "3") - if opts.Slirp4netnsExitPipeR != nil { - cmdArgs = append(cmdArgs, "-e", "4") - } - - var apiSocket string - if havePortMapping && netOptions.isSlirpHostForward { - apiSocket = filepath.Join(opts.Config.Engine.TmpDir, opts.ContainerID+".net") - cmdArgs = append(cmdArgs, "--api-socket", apiSocket) - } - - cmdArgs = append(cmdArgs, "--netns-type=path", opts.Netns, "tap0") - - cmd := exec.Command(path, cmdArgs...) 
- logrus.Debugf("slirp4netns command: %s", strings.Join(cmd.Args, " ")) - cmd.SysProcAttr = &syscall.SysProcAttr{ - Setpgid: true, - Pdeathsig: opts.Pdeathsig, - } - - // workaround for https://github.com/rootless-containers/slirp4netns/pull/153 - if !netOptions.noPivotRoot && slirpFeatures.HasEnableSandbox { - cmd.SysProcAttr.Cloneflags = syscall.CLONE_NEWNS - cmd.SysProcAttr.Unshareflags = syscall.CLONE_NEWNS - } - - // Leak one end of the pipe in slirp4netns, the other will be sent to conmon - cmd.ExtraFiles = append(cmd.ExtraFiles, syncW) - if opts.Slirp4netnsExitPipeR != nil { - cmd.ExtraFiles = append(cmd.ExtraFiles, opts.Slirp4netnsExitPipeR) - } - - logFile, err := os.Create(logPath) - if err != nil { - return nil, fmt.Errorf("failed to open slirp4netns log file %s: %w", logPath, err) - } - defer logFile.Close() - // Unlink immediately the file so we won't need to worry about cleaning it up later. - // It is still accessible through the open fd logFile. - if err := os.Remove(logPath); err != nil { - return nil, fmt.Errorf("delete file %s: %w", logPath, err) - } - cmd.Stdout = logFile - cmd.Stderr = logFile - - var slirpReadyWg, netnsReadyWg *sync.WaitGroup - if netOptions.enableIPv6 { - // use two wait groups to make sure we set the sysctl before - // starting slirp and reset it only after slirp is ready - slirpReadyWg = &sync.WaitGroup{} - netnsReadyWg = &sync.WaitGroup{} - slirpReadyWg.Add(1) - netnsReadyWg.Add(1) - - go func() { - err := netns.WithNetNSPath(opts.Netns, func(_ netns.NetNS) error { - // Duplicate Address Detection slows the ipv6 setup down for 1-2 seconds. - // Since slirp4netns is run in its own namespace and not directly routed - // we can skip this to make the ipv6 address immediately available. 
- // We change the default to make sure the slirp tap interface gets the - // correct value assigned so DAD is disabled for it - // Also make sure to change this value back to the original after slirp4netns - // is ready in case users rely on this sysctl. - orgValue, err := os.ReadFile(ipv6ConfDefaultAcceptDadSysctl) - if err != nil { - netnsReadyWg.Done() - // on ipv6 disabled systems the sysctl does not exist - // so we should not error - if errors.Is(err, os.ErrNotExist) { - return nil - } - return err - } - err = os.WriteFile(ipv6ConfDefaultAcceptDadSysctl, []byte("0"), 0o644) - netnsReadyWg.Done() - if err != nil { - return err - } - - // wait until slirp4nets is ready before resetting this value - slirpReadyWg.Wait() - return os.WriteFile(ipv6ConfDefaultAcceptDadSysctl, orgValue, 0o644) - }) - if err != nil { - logrus.Warnf("failed to set net.ipv6.conf.default.accept_dad sysctl: %v", err) - } - }() - - // wait until we set the sysctl - netnsReadyWg.Wait() - } - - if err := cmd.Start(); err != nil { - if netOptions.enableIPv6 { - slirpReadyWg.Done() - } - return nil, fmt.Errorf("failed to start slirp4netns process: %w", err) - } - defer func() { - servicereaper.AddPID(cmd.Process.Pid) - if err := cmd.Process.Release(); err != nil { - logrus.Errorf("Unable to release command process: %q", err) - } - }() - - err = waitForSync(syncR, cmd, logFile, 1*time.Second) - if netOptions.enableIPv6 { - slirpReadyWg.Done() - } - if err != nil { - return nil, err - } - - // Set a default slirp subnet. 
Parsing a string with the net helper is easier than building the struct myself - _, slirpSubnet, _ := net.ParseCIDR(defaultSubnet) - - // Set slirp4netnsSubnet addresses now that we are pretty sure the command executed - if netOptions.cidr != "" { - ipv4, ipv4network, err := net.ParseCIDR(netOptions.cidr) - if err != nil || ipv4.To4() == nil { - return nil, fmt.Errorf("invalid cidr %q", netOptions.cidr) - } - slirpSubnet = ipv4network - } - - if havePortMapping { - if netOptions.isSlirpHostForward { - err = setupRootlessPortMappingViaSlirp(opts.Ports, cmd, apiSocket) - } else { - err = SetupRootlessPortMappingViaRLK(opts, slirpSubnet, nil) - } - if err != nil { - return nil, err - } - } - - return &SetupResult{ - Pid: cmd.Process.Pid, - Subnet: slirpSubnet, - IPv6: netOptions.enableIPv6, - }, nil -} - -// GetIP returns the slirp ipv4 address based on subnet. If subnet is null use default subnet. -// Reference: https://github.com/rootless-containers/slirp4netns/blob/master/slirp4netns.1.md#description -func GetIP(subnet *net.IPNet) (*net.IP, error) { - _, slirpSubnet, _ := net.ParseCIDR(defaultSubnet) - if subnet != nil { - slirpSubnet = subnet - } - expectedIP, err := addToIP(slirpSubnet, uint32(100)) - if err != nil { - return nil, fmt.Errorf("calculating expected ip for slirp4netns: %w", err) - } - return expectedIP, nil -} - -// GetGateway returns the slirp gateway ipv4 address based on subnet. -// Reference: https://github.com/rootless-containers/slirp4netns/blob/master/slirp4netns.1.md#description -func GetGateway(subnet *net.IPNet) (*net.IP, error) { - _, slirpSubnet, _ := net.ParseCIDR(defaultSubnet) - if subnet != nil { - slirpSubnet = subnet - } - expectedGatewayIP, err := addToIP(slirpSubnet, uint32(2)) - if err != nil { - return nil, fmt.Errorf("calculating expected gateway ip for slirp4netns: %w", err) - } - return expectedGatewayIP, nil -} - -// GetDNS returns slirp DNS ipv4 address based on subnet. 
-// Reference: https://github.com/rootless-containers/slirp4netns/blob/master/slirp4netns.1.md#description -func GetDNS(subnet *net.IPNet) (*net.IP, error) { - _, slirpSubnet, _ := net.ParseCIDR(defaultSubnet) - if subnet != nil { - slirpSubnet = subnet - } - expectedDNSIP, err := addToIP(slirpSubnet, uint32(3)) - if err != nil { - return nil, fmt.Errorf("calculating expected dns ip for slirp4netns: %w", err) - } - return expectedDNSIP, nil -} - -// Helper function to calculate slirp ip address offsets -// Adapted from: https://github.com/signalsciences/ipv4/blob/master/int.go#L12-L24 -func addToIP(subnet *net.IPNet, offset uint32) (*net.IP, error) { - // I have no idea why I have to do this, but if I don't ip is 0 - ipFixed := subnet.IP.To4() - - ipInteger := uint32(ipFixed[3]) | uint32(ipFixed[2])<<8 | uint32(ipFixed[1])<<16 | uint32(ipFixed[0])<<24 - ipNewRaw := ipInteger + offset - // Avoid overflows - if ipNewRaw < ipInteger { - return nil, fmt.Errorf("integer overflow while calculating ip address offset, %s + %d", ipFixed, offset) - } - ipNew := net.IPv4(byte(ipNewRaw>>24), byte(ipNewRaw>>16&0xFF), byte(ipNewRaw>>8)&0xFF, byte(ipNewRaw&0xFF)) - if !subnet.Contains(ipNew) { - return nil, fmt.Errorf("calculated ip address %s is not within given subnet %s", ipNew.String(), subnet.String()) - } - return &ipNew, nil -} - -func waitForSync(syncR *os.File, cmd *exec.Cmd, logFile io.ReadSeeker, timeout time.Duration) error { - prog := filepath.Base(cmd.Path) - if len(cmd.Args) > 0 { - prog = cmd.Args[0] - } - b := make([]byte, 16) - for { - if err := syncR.SetDeadline(time.Now().Add(timeout)); err != nil { - return fmt.Errorf("setting %s pipe timeout: %w", prog, err) - } - // FIXME: return err as soon as proc exits, without waiting for timeout - _, err := syncR.Read(b) - if err == nil { - break - } - if errors.Is(err, os.ErrDeadlineExceeded) { - // Check if the process is still running. 
- var status syscall.WaitStatus - pid, err := syscall.Wait4(cmd.Process.Pid, &status, syscall.WNOHANG, nil) - if err != nil { - return fmt.Errorf("failed to read %s process status: %w", prog, err) - } - if pid != cmd.Process.Pid { - continue - } - if status.Exited() { - // Seek at the beginning of the file and read all its content - if _, err := logFile.Seek(0, 0); err != nil { - logrus.Errorf("Could not seek log file: %q", err) - } - logContent, err := io.ReadAll(logFile) - if err != nil { - return fmt.Errorf("%s failed: %w", prog, err) - } - return fmt.Errorf("%s failed: %q", prog, logContent) - } - if status.Signaled() { - return fmt.Errorf("%s killed by signal", prog) - } - continue - } - return fmt.Errorf("failed to read from %s sync pipe: %w", prog, err) - } - return nil -} - -func SetupRootlessPortMappingViaRLK(opts *SetupOptions, slirpSubnet *net.IPNet, netStatus map[string]types.StatusBlock) error { - syncR, syncW, err := os.Pipe() - if err != nil { - return fmt.Errorf("failed to open pipe: %w", err) - } - defer closeQuiet(syncR) - defer closeQuiet(syncW) - - logPath := filepath.Join(opts.Config.Engine.TmpDir, fmt.Sprintf("rootlessport-%s.log", opts.ContainerID)) - logFile, err := os.Create(logPath) - if err != nil { - return fmt.Errorf("failed to open rootlessport log file %s: %w", logPath, err) - } - defer logFile.Close() - // Unlink immediately the file so we won't need to worry about cleaning it up later. - // It is still accessible through the open fd logFile. 
- if err := os.Remove(logPath); err != nil { - return fmt.Errorf("delete file %s: %w", logPath, err) - } - - childIP := GetRootlessPortChildIP(slirpSubnet, netStatus) - cfg := rootlessport.Config{ - Mappings: opts.Ports, - NetNSPath: opts.Netns, - ExitFD: 3, - ReadyFD: 4, - TmpDir: opts.Config.Engine.TmpDir, - ChildIP: childIP, - ContainerID: opts.ContainerID, - RootlessCNI: netStatus != nil, - } - cfgJSON, err := json.Marshal(cfg) - if err != nil { - return err - } - cfgR := bytes.NewReader(cfgJSON) - var stdout bytes.Buffer - path, err := opts.Config.FindHelperBinary(rootlessport.BinaryName, false) - if err != nil { - return err - } - cmd := exec.Command(path) - cmd.Args = []string{rootlessport.BinaryName} - - // Leak one end of the pipe in rootlessport process, the other will be sent to conmon - cmd.ExtraFiles = append(cmd.ExtraFiles, opts.RootlessPortExitPipeR, syncW) - cmd.Stdin = cfgR - // stdout is for human-readable error, stderr is for debug log - cmd.Stdout = &stdout - cmd.Stderr = io.MultiWriter(logFile, &logrusDebugWriter{"rootlessport: "}) - cmd.SysProcAttr = &syscall.SysProcAttr{ - Setpgid: true, - } - if err := cmd.Start(); err != nil { - return fmt.Errorf("failed to start rootlessport process: %w", err) - } - defer func() { - servicereaper.AddPID(cmd.Process.Pid) - if err := cmd.Process.Release(); err != nil { - logrus.Errorf("Unable to release rootlessport process: %q", err) - } - }() - if err := waitForSync(syncR, cmd, logFile, 3*time.Second); err != nil { - stdoutStr := stdout.String() - if stdoutStr != "" { - // err contains full debug log and too verbose, so return stdoutStr - logrus.Debug(err) - return errors.New("rootlessport " + strings.TrimSuffix(stdoutStr, "\n")) - } - return err - } - logrus.Debug("rootlessport is ready") - return nil -} - -func setupRootlessPortMappingViaSlirp(ports []types.PortMapping, cmd *exec.Cmd, apiSocket string) (err error) { - const pidWaitTimeout = 60 * time.Second - chWait := make(chan error) - go func() { - 
interval := 25 * time.Millisecond - for i := time.Duration(0); i < pidWaitTimeout; i += interval { - // Check if the process is still running. - var status syscall.WaitStatus - pid, err := syscall.Wait4(cmd.Process.Pid, &status, syscall.WNOHANG, nil) - if err != nil { - break - } - if pid != cmd.Process.Pid { - continue - } - if status.Exited() || status.Signaled() { - chWait <- fmt.Errorf("slirp4netns exited with status %d", status.ExitStatus()) - } - time.Sleep(interval) - } - }() - defer close(chWait) - - // wait that API socket file appears before trying to use it. - if _, err := util.WaitForFile(apiSocket, chWait, pidWaitTimeout); err != nil { - return fmt.Errorf("waiting for slirp4nets to create the api socket file %s: %w", apiSocket, err) - } - - // for each port we want to add we need to open a connection to the slirp4netns control socket - // and send the add_hostfwd command. - for _, port := range ports { - for protocol := range strings.SplitSeq(port.Protocol, ",") { - hostIP := port.HostIP - if hostIP == "" { - hostIP = "0.0.0.0" - } - for i := range port.Range { - if err := openSlirp4netnsPort(apiSocket, protocol, hostIP, port.HostPort+i, port.ContainerPort+i); err != nil { - return err - } - } - } - } - logrus.Debug("slirp4netns port-forwarding setup via add_hostfwd is ready") - return nil -} - -// openSlirp4netnsPort sends the slirp4netns pai quey to the given socket. -func openSlirp4netnsPort(apiSocket, proto, hostip string, hostport, guestport uint16) error { - conn, err := net.Dial("unix", apiSocket) - if err != nil { - return fmt.Errorf("cannot open connection to %s: %w", apiSocket, err) - } - defer func() { - if err := conn.Close(); err != nil { - logrus.Errorf("Unable to close slirp4netns connection: %q", err) - } - }() - apiCmd := slirp4netnsCmd{ - Execute: "add_hostfwd", - Args: slirp4netnsCmdArg{ - Proto: proto, - HostAddr: hostip, - HostPort: hostport, - GuestPort: guestport, - }, - } - // create the JSON payload and send it. 
Mark the end of request shutting down writes - // to the socket, as requested by slirp4netns. - data, err := json.Marshal(&apiCmd) - if err != nil { - return fmt.Errorf("cannot marshal JSON for slirp4netns: %w", err) - } - if _, err := fmt.Fprintf(conn, "%s\n", data); err != nil { - return fmt.Errorf("cannot write to control socket %s: %w", apiSocket, err) - } - //nolint:errcheck // This cast should never fail, if it does we get a interface - // conversion panic and a stack trace on how we ended up here which is more - // valuable than returning a human friendly error test as we don't know how it - // happened. - if err := conn.(*net.UnixConn).CloseWrite(); err != nil { - return fmt.Errorf("cannot shutdown the socket %s: %w", apiSocket, err) - } - buf := make([]byte, 2048) - readLength, err := conn.Read(buf) - if err != nil { - return fmt.Errorf("cannot read from control socket %s: %w", apiSocket, err) - } - // if there is no 'error' key in the received JSON data, then the operation was - // successful. - var y map[string]any - if err := json.Unmarshal(buf[0:readLength], &y); err != nil { - return fmt.Errorf("parsing error status from slirp4netns: %w", err) - } - if e, found := y["error"]; found { - return fmt.Errorf("from slirp4netns while setting up port redirection: %v", e) - } - return nil -} - -func GetRootlessPortChildIP(slirpSubnet *net.IPNet, netStatus map[string]types.StatusBlock) string { - if slirpSubnet != nil { - slirp4netnsIP, err := GetIP(slirpSubnet) - if err != nil { - return "" - } - return slirp4netnsIP.String() - } - - var ipv6 net.IP - for _, status := range netStatus { - for _, netInt := range status.Interfaces { - for _, netAddress := range netInt.Subnets { - ipv4 := netAddress.IPNet.IP.To4() - if ipv4 != nil { - return ipv4.String() - } - ipv6 = netAddress.IPNet.IP - } - } - } - if ipv6 != nil { - return ipv6.String() - } - return "" -} - -// closeQuiet closes a file and logs any error. Should only be used within -// a defer. 
-func closeQuiet(f *os.File) { - if err := f.Close(); err != nil { - logrus.Errorf("Unable to close file %s: %q", f.Name(), err) - } -} diff --git a/vendor/go.podman.io/common/pkg/config/config.go b/vendor/go.podman.io/common/pkg/config/config.go index 7864f9f3819..944bf2c1c49 100644 --- a/vendor/go.podman.io/common/pkg/config/config.go +++ b/vendor/go.podman.io/common/pkg/config/config.go @@ -402,10 +402,6 @@ type EngineConfig struct { // containers and pods will be visible. The default namespace is "". Namespace string `toml:"namespace,omitempty"` - // NetworkCmdOptions is the default options to pass to the slirp4netns binary. - // For example "allow_host_loopback=true" - NetworkCmdOptions configfile.Slice `toml:"network_cmd_options,omitempty"` - // NoPivotRoot sets whether to set no-pivot-root in the OCI runtime. NoPivotRoot bool `toml:"no_pivot_root,omitempty"` @@ -614,7 +610,7 @@ type NetworkConfig struct { DefaultSubnetPools []SubnetPool `toml:"default_subnet_pools,omitempty"` // DefaultRootlessNetworkCmd is used to set the default rootless network - // program, either "slirp4nents" (default) or "pasta". + // program, currently only "pasta". DefaultRootlessNetworkCmd string `toml:"default_rootless_network_cmd,omitempty"` // NetworkConfigDir is where network configuration files are stored. diff --git a/vendor/go.podman.io/common/pkg/config/containers.conf b/vendor/go.podman.io/common/pkg/config/containers.conf index 49fd38390b8..d092448bb16 100644 --- a/vendor/go.podman.io/common/pkg/config/containers.conf +++ b/vendor/go.podman.io/common/pkg/config/containers.conf @@ -405,8 +405,8 @@ default_sysctls = [ -# Configure which rootless network program to use by default. Valid options are -# `slirp4netns` and `pasta` (default). +# Configure which rootless network program to use by default. The only valid option is +# `pasta` (default). # #default_rootless_network_cmd = "pasta" 
@@ -663,28 +663,6 @@ default_sysctls = [ # #namespace = "" -# Default options to pass to the slirp4netns binary. -# Valid options values are: -# -# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`). -# Default is false. -# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`). -# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`). -# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`). -# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only). -# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to. -# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only). -# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to. -# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default. -# Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container -# network namespace, usually `10.0.2.100`. If your application requires the real source IP address, -# e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for -# rootless containers when connected to user-defined networks. -# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but -# preserves the correct source IP address. This port handler cannot be used for user-defined networks. -# -#network_cmd_options = [] - # Whether to use chroot instead of pivot_root in the runtime # #no_pivot_root = false diff --git a/vendor/go.podman.io/common/pkg/config/containers.conf-freebsd b/vendor/go.podman.io/common/pkg/config/containers.conf-freebsd index 620bd0ca4f1..bc14ac75214 100644 --- a/vendor/go.podman.io/common/pkg/config/containers.conf-freebsd +++ b/vendor/go.podman.io/common/pkg/config/containers.conf-freebsd 
@@ -496,28 +496,6 @@ default_sysctls = [ # #namespace = "" -# Default options to pass to the slirp4netns binary. -# Valid options values are: -# -# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`). -# Default is false. -# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`). -# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`). -# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`). -# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only). -# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to. -# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only). -# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to. -# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default. -# Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container -# network namespace, usually `10.0.2.100`. If your application requires the real source IP address, -# e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for -# rootless containers when connected to user-defined networks. -# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but -# preserves the correct source IP address. This port handler cannot be used for user-defined networks. -# -#network_cmd_options = [] - # Whether to use chroot instead of pivot_root in the runtime # #no_pivot_root = false diff --git a/vendor/go.podman.io/common/pkg/rootlessport/rootlessport_linux.go b/vendor/go.podman.io/common/pkg/rootlessport/rootlessport_linux.go deleted file mode 100644 index 78829b9fb61..00000000000 --- a/vendor/go.podman.io/common/pkg/rootlessport/rootlessport_linux.go +++ /dev/null 
@@ -1,26 +0,0 @@
-//go:build linux
-
-// Rootlessport Config type for use in podman/cmd/rootlessport.
-package rootlessport
-
-import (
- "go.podman.io/common/libnetwork/types"
-)
-
-const (
- // BinaryName is the binary name for the parent process.
- BinaryName = "rootlessport"
-)
-
-// Config needs to be provided to the process via stdin as a JSON string.
-// stdin needs to be closed after the message has been written.
-type Config struct {
- Mappings []types.PortMapping
- NetNSPath string
- ExitFD int
- ReadyFD int
- TmpDir string
- ChildIP string
- ContainerID string
- RootlessCNI bool
-}
diff --git a/vendor/go.podman.io/common/pkg/servicereaper/service.go b/vendor/go.podman.io/common/pkg/servicereaper/service.go
deleted file mode 100644
index 12a29669b29..00000000000
--- a/vendor/go.podman.io/common/pkg/servicereaper/service.go
+++ /dev/null
@@ -1,64 +0,0 @@
-//go:build linux || freebsd
-
-package servicereaper
-
-import (
- "os"
- "os/signal"
- "sync"
- "syscall"
-
- "github.com/sirupsen/logrus"
-)
-
-type service struct {
- pidMap map[int]bool
- mutex *sync.Mutex
-}
-
-var s = service{
- pidMap: map[int]bool{},
- mutex: &sync.Mutex{},
-}
-
-func AddPID(pid int) {
- s.mutex.Lock()
- s.pidMap[pid] = true
- s.mutex.Unlock()
-}
-
-func Start() {
- // create signal channel and only wait for SIGCHLD
- sigc := make(chan os.Signal, 1)
- signal.Notify(sigc, syscall.SIGCHLD)
- // wait and reap in an extra goroutine
- go reaper(sigc)
-}
-
-func reaper(sigc chan os.Signal) {
- for {
- // block until we receive SIGCHLD
- <-sigc
- s.mutex.Lock()
- for pid := range s.pidMap {
- var status syscall.WaitStatus
- waitpid, err := syscall.Wait4(pid, &status, syscall.WNOHANG, nil)
- if err != nil {
- // do not log error for ECHILD
- if err != syscall.ECHILD {
- logrus.Warnf("Wait for pid %d failed: %v ", pid, err)
- }
- delete(s.pidMap, pid)
- continue
- }
- // if pid == 0 nothing happened
- if waitpid == 0 {
- continue
- }
- if status.Exited() || status.Signaled() {
- delete(s.pidMap, pid)
- }
- }
- s.mutex.Unlock()
- }
-}
diff --git a/vendor/go.podman.io/common/pkg/systemd/systemd_linux.go b/vendor/go.podman.io/common/pkg/systemd/systemd_linux.go
index ab6606f56ba..2e862e89782 100644
--- a/vendor/go.podman.io/common/pkg/systemd/systemd_linux.go
+++ b/vendor/go.podman.io/common/pkg/systemd/systemd_linux.go
@@ -58,9 +58,9 @@ func moveProcessToScope(pid int, slice, scope string) error {
 return err
 }
-// MoveRootlessNetnsSlirpProcessToUserSlice moves the slirp4netns process for the rootless netns
+// MoveRootlessNetnsProcessToUserSlice moves the pasta process for the rootless netns
 // into a different scope so that systemd does not kill it with a container.
-func MoveRootlessNetnsSlirpProcessToUserSlice(pid int) error {
+func MoveRootlessNetnsProcessToUserSlice(pid int) error {
 randBytes := make([]byte, 4)
 _, err := rand.Read(randBytes)
 if err != nil {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index df263cccbec..ebadc23b504 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -218,7 +218,7 @@ github.com/mattn/go-runewidth
 # github.com/mattn/go-shellwords v1.0.12
 ## explicit; go 1.13
 github.com/mattn/go-shellwords
-# github.com/mattn/go-sqlite3 v1.14.37
+# github.com/mattn/go-sqlite3 v1.14.38
 ## explicit; go 1.19
 github.com/mattn/go-sqlite3
 # github.com/miekg/pkcs11 v1.1.1
@@ -364,7 +364,7 @@ github.com/sigstore/fulcio/pkg/certificate
 # github.com/sigstore/protobuf-specs v0.5.0
 ## explicit; go 1.22.0
 github.com/sigstore/protobuf-specs/gen/pb-go/common/v1
-# github.com/sigstore/sigstore v1.10.4
+# github.com/sigstore/sigstore v1.10.5
 ## explicit; go 1.25.0
 github.com/sigstore/sigstore/pkg/cryptoutils
 github.com/sigstore/sigstore/pkg/signature
@@ -454,7 +454,7 @@ go.opentelemetry.io/otel/trace
 go.opentelemetry.io/otel/trace/embedded
 go.opentelemetry.io/otel/trace/internal/telemetry
 go.opentelemetry.io/otel/trace/noop
-# go.podman.io/common v0.67.1-0.20260325203629-8af78737e8bb
+# go.podman.io/common v0.67.1-0.20260325203629-8af78737e8bb => github.com/lsm5/container-libs/common v0.0.0-20260406132453-36c3c76c317f
 ## explicit; go 1.25.6
 go.podman.io/common/internal
 go.podman.io/common/libimage
@@ -469,7 +469,6 @@ go.podman.io/common/libnetwork/netavark
 go.podman.io/common/libnetwork/network
 go.podman.io/common/libnetwork/pasta
 go.podman.io/common/libnetwork/resolvconf
-go.podman.io/common/libnetwork/slirp4netns
 go.podman.io/common/libnetwork/types
 go.podman.io/common/libnetwork/util
 go.podman.io/common/pkg/apparmor
@@ -493,9 +492,7 @@ go.podman.io/common/pkg/netns
 go.podman.io/common/pkg/parse
 go.podman.io/common/pkg/password
 go.podman.io/common/pkg/retry
-go.podman.io/common/pkg/rootlessport
 go.podman.io/common/pkg/seccomp
-go.podman.io/common/pkg/servicereaper
 go.podman.io/common/pkg/signal
 go.podman.io/common/pkg/subscriptions
 go.podman.io/common/pkg/supplemented
@@ -821,3 +818,4 @@ tags.cncf.io/container-device-interface/pkg/parser
 # tags.cncf.io/container-device-interface/specs-go v1.1.0
 ## explicit; go 1.19
 tags.cncf.io/container-device-interface/specs-go
+# go.podman.io/common => github.com/lsm5/container-libs/common v0.0.0-20260406132453-36c3c76c317f
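Review bot: The added replace line at the end of modules.txt pins `go.podman.io/common` to a personal fork, `github.com/lsm5/container-libs/common` at pseudo-version `v0.0.0-20260406132453-36c3c76c317f`, so every vendored file this commit touches (including the deleted slirp4netns, rootlessport and servicereaper code) now comes from a source outside the module's canonical origin and outside upstream review. The `replace` directive in go.mod that this line mirrors is not in view here, and nothing in the diff says when the fork is meant to be dropped; a reviewer would want that go.mod line annotated, e.g. `// TODO: temporary until the corresponding container-libs PR merges; must be reverted before any tagged release`. It is also worth confirming that commit `36c3c76c317f` is the exact head of the upstream PR branch rather than an arbitrary fork commit, since `go mod vendor` will vendor whatever the fork contains and the go.sum entry for the fork, if present, is not shown here.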