Merge pull request #7363 from mheon/lets_try_this_again

Lets try this again: v2.0.5 backports, round 2

.cirrus.yml

@@ -269,36 +269,36 @@ varlink_api_task:
         failed_branch_script: '$CIRRUS_WORKING_DIR/$SCRIPT_BASE/notice_branch_failure.sh'
 
 
-build_each_commit_task:
+# build_each_commit_task:
 
-    depends_on:
-        - "gating"
-        - "vendor"
-        - "varlink_api"
+#     depends_on:
+#         - "gating"
+#         - "vendor"
+#         - "varlink_api"
 
-    only_if: >-
-        $CIRRUS_BRANCH != $DEST_BRANCH &&
-        $CIRRUS_CHANGE_MESSAGE !=~ '.*CI:IMG.*' &&
-        $CIRRUS_CHANGE_MESSAGE !=~ '.*CI:DOCS.*'
+#     only_if: >-
+#         $CIRRUS_BRANCH != $DEST_BRANCH &&
+#         $CIRRUS_CHANGE_MESSAGE !=~ '.*CI:IMG.*' &&
+#         $CIRRUS_CHANGE_MESSAGE !=~ '.*CI:DOCS.*'
 
-    gce_instance:
-        cpu: 8
-        memory: "8Gb"
+#     gce_instance:
+#         cpu: 8
+#         memory: "8Gb"
 
-    env:
-        MOD_CONTAINERS_CONF: 'false'
+#     env:
+#         MOD_CONTAINERS_CONF: 'false'
 
-    timeout_in: 30m
+#     timeout_in: 30m
 
-    setup_environment_script: '$SCRIPT_BASE/setup_environment.sh |& ${TIMESTAMP}'
-    build_each_commit_script:
-        # set -x by default, no need to spew contents of lib.sh
-        - 'source $SCRIPT_BASE/lib.sh &> /dev/null'
-        - 'git fetch --depth 50 origin $DEST_BRANCH |& ${TIMESTAMP}'
-        - 'make build-all-new-commits GIT_BASE_BRANCH=origin/$DEST_BRANCH |& ${TIMESTAMP}'
+#     setup_environment_script: '$SCRIPT_BASE/setup_environment.sh |& ${TIMESTAMP}'
+#     build_each_commit_script:
+#         # set -x by default, no need to spew contents of lib.sh
+#         - 'source $SCRIPT_BASE/lib.sh &> /dev/null'
+#         - 'git fetch --depth 50 origin $DEST_BRANCH |& ${TIMESTAMP}'
+#         - 'make build-all-new-commits GIT_BASE_BRANCH=origin/$DEST_BRANCH |& ${TIMESTAMP}'
 
-    on_failure:
-        failed_branch_script: '$CIRRUS_WORKING_DIR/$SCRIPT_BASE/notice_branch_failure.sh'
+#     on_failure:
+#         failed_branch_script: '$CIRRUS_WORKING_DIR/$SCRIPT_BASE/notice_branch_failure.sh'
 
 
 build_without_cgo_task:
@@ -368,7 +368,6 @@ testing_task:
         - "gating"
         - "vendor"
         - "varlink_api"
-        - "build_each_commit"
         - "build_without_cgo"
         - "container_image_build"
 
@@ -433,7 +432,6 @@ special_testing_rootless_task:
         - "gating"
         - "varlink_api"
         - "vendor"
-        - "build_each_commit"
         - "build_without_cgo"
 
     only_if: >-
@@ -469,7 +467,6 @@ special_testing_in_podman_task:
         - "gating"
         - "varlink_api"
         - "vendor"
-        - "build_each_commit"
         - "build_without_cgo"
 
     only_if: >-
@@ -700,7 +697,6 @@ success_task:
         - "gating"
         - "vendor"
         - "varlink_api"
-        - "build_each_commit"
         - "build_without_cgo"
         - "container_image_build"
         - "meta"

RELEASE_NOTES.md

@@ -1,5 +1,58 @@
 # Release Notes
 
+## 2.0.5
+### Features
+- Rootless Podman will now add an entry to `/etc/passwd` for the user who ran Podman if run with `--userns=keep-id`.
+- The `podman system connection` command has been reworked to support multiple connections, and reenabled for use!
+- Podman now has a new global flag, `--connection`, to specify a connection to a remote Podman API instance.
+
+### Changes
+- Podman's automatic systemd integration (activated by the `--systemd=true` flag, set by default) will now activate for containers using `/usr/local/sbin/init` as their command, instead of just `/usr/sbin/init` and `/sbin/init` (and any path ending in `systemd`).
+- Seccomp profiles specified by the `--security-opt seccomp=...` flag to `podman create` and `podman run` will now be honored even if the container was created using `--privileged`.
+
+### Bugfixes
+- Fixed a bug where the `podman play kube` would not honor the `hostIP` field for port forwarding ([#5964](https://github.com/containers/podman/issues/5964)).
+- Fixed a bug where the `podman generate systemd` command would panic on an invalid restart policy being specified ([#7271](https://github.com/containers/podman/issues/7271)).
+- Fixed a bug where the `podman images` command could take a very long time (several minutes) to complete when a large number of images were present.
+- Fixed a bug where the `podman logs` command with the `--tail` flag would not work properly when a large amount of output would be printed ((#7230)[https://github.com/containers/podman/issues/7230]).
+- Fixed a bug where the `podman exec` command with remote Podman would not return a non-zero exit code when the exec session failed to start (e.g. invoking a non-existent command) ([#6893](https://github.com/containers/podman/issues/6893)).
+- Fixed a bug where the `podman load` command with remote Podman would did not honor user-specified tags ([#7124](https://github.com/containers/podman/issues/7124)).
+- Fixed a bug where the `podman system service` command, when run as a non-root user by Systemd, did not properly handle the Podman pause process and would not restart properly as a result ([#7180](https://github.com/containers/podman/issues/7180)).
+- Fixed a bug where the `--publish` flag to `podman create`, `podman run`, and `podman pod create` did not properly handle a host IP of 0.0.0.0 (attempting to bind to literal 0.0.0.0, instead of all IPs on the system) ([#7104](https://github.com/containers/podman/issues/7014)).
+- Fixed a bug where the `podman start --attach` command would not print the container's exit code when the command exited due to the container exiting.
+- Fixed a bug where the `podman rm` command with remote Podman would not remove volumes, even if the `--volumes` flag was specified ([#7128](https://github.com/containers/podman/issues/7128)).
+- Fixed a bug where the `podman run` command with remote Podman and the `--rm` flag could exit before the container was fully removed.
+- Fixed a bug where the `--pod new:...` flag to `podman run` and `podman create` would create a pod that did not share any namespaces.
+- Fixed a bug where the `--preserve-fds` flag to `podman run` and `podman exec` could close the wrong file descriptors while trying to close user-provided descriptors after passing them into the container.
+- Fixed a bug where default environment variables (`$PATH` and `$TERM`) were not set in containers when not provided by the image.
+- Fixed a bug where pod infra containers were not properly unmounted after exiting.
+- Fixed a bug where networks created with `podman network create` with an IPv6 subnet did not properly set an IPv6 default route.
+- Fixed a bug where the `podman save` command would not work properly when its output was piped to another command ([#7017](https://github.com/containers/podman/issues/7017)).
+- Fixed a bug where containers using a systemd init on a cgroups v1 system could leak mounts under `/sys/fs/cgroup/systemd` to the host.
+- Fixed a bug where `podman build` would not generate an event on completion ([#7022](https://github.com/containers/podman/issues/7022)).
+- Fixed a bug where the `podman history` command with remote Podman printed incorrect creation times for layers ([#7122](https://github.com/containers/podman/issues/7122)).
+- Fixed a bug where Podman would not create working directories specified by the container image if they did not exist.
+- Fixed a bug where Podman did not clear `CMD` from the container image if the user overrode `ENTRYPOINT` ([#7115](https://github.com/containers/podman/issues/7115)).
+- Fixed a bug where error parsing image names were not fully reported (part of the error message containing the exact issue was dropped).
+- Fixed a bug where the `podman images` command with remote Podman did not support printing image tags in Go templates supplied to the `--format` flag ([#7123](https://github.com/containers/podman/issues/7123)).
+- Fixed a bug where the `podman rmi --force` command would not attempt to unmount containers it was removing, which could cause a failure to remove the image.
+- Fixed a bug where the `podman generate systemd --new` command could incorrectly quote arguments to Podman that contained whitespace, leading to nonfunctional unit files ([#7285](https://github.com/containers/podman/issues/7285)).
+- Fixed a bug where the `podman version` command did not properly include build time and Git commit.
+- Fixed a bug where running systemd in a Podman container on a system that did not use the `systemd` cgroup manager would fail ([#6734](https://github.com/containers/podman/issues/6734)).
+
+### API
+- Fixed a bug where the libpod and compat Build endpoints did not accept the `application/tar` content type (instead only accepting `application/x-tar`) ([#7185](https://github.com/containers/podman/issues/7185)).
+- Fixed a bug where the libpod Exists endpoint would attempt to write a second header in some error conditions ([#7197](https://github.com/containers/podman/issues/7197)).
+- Fixed a bug where compat and libpod Network Inspect and Network Remove endpoints would return a 500 instead of 404 when the requested network was not found.
+- Added a versioned `_ping` endpoint (e.g. `http://localhost/v1.40/_ping`).
+- Fixed a bug where containers started through a systemd-managed instance of the REST API would be shut down when `podman system service` shut down due to its idle timeout ([#7294](https://github.com/containers/podman/issues/7294)).
+- Added stronger parameter verification for the libpod Network Create endpoint to ensure subnet mask is a valid value.
+- The `Pod` URL parameter to the Libpod Container List endpoint has been deprecated; the information previously gated by the `Pod` boolean will now be included in the response unconditionally.
+
+### Misc
+- Updated Buildah to v1.15.1
+- Updated containers/image library to v5.5.2
+
 ## 2.0.4
 ### Bugfixes
 - Fixed a bug where the output of `podman image search` did not populate the Description field as it was mistakenly assigned to the ID field.

cmd/podman/common/specgen.go

@@ -308,9 +308,8 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 	//
 	// Precedence order (higher index wins):
 	//  1) env-host, 2) image data, 3) env-file, 4) env
-	env := map[string]string{
-		"container": "podman",
-	}
+	env := make(map[string]string)
+	env["container"] = "podman"
 
 	// First transform the os env into a map. We need it for the labels later in
 	// any case.
@@ -387,8 +386,6 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 	s.Annotations = annotations
 
 	s.WorkDir = c.Workdir
-	userCommand := []string{}
-	var command []string
 	if c.Entrypoint != nil {
 		entrypoint := []string{}
 		if ep := *c.Entrypoint; len(ep) > 0 {
@@ -398,27 +395,13 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 			}
 		}
 		s.Entrypoint = entrypoint
-		// Build the command
-		// If we have an entry point, it goes first
-		command = entrypoint
 	}
 
 	// Include the command used to create the container.
 	s.ContainerCreateCommand = os.Args
 
 	if len(inputCommand) > 0 {
-		// User command overrides data CMD
-		command = append(command, inputCommand...)
-		userCommand = append(userCommand, inputCommand...)
-	}
-
-	switch {
-	case len(inputCommand) > 0:
-		s.Command = userCommand
-	case c.Entrypoint != nil:
-		s.Command = []string{}
-	default:
-		s.Command = command
+		s.Command = inputCommand
 	}
 
 	// SHM Size

cmd/podman/containers/create.go

@@ -292,7 +292,12 @@ func createPodIfNecessary(s *specgen.SpecGenerator, netOpts *entities.NetOptions
 		Infra:         true,
 		Net:           netOpts,
 		CreateCommand: os.Args,
+		Hostname:      s.ContainerBasicConfig.Hostname,
 	}
+	// Unset config values we passed to the pod to prevent them being used twice for the container and pod.
+	s.ContainerBasicConfig.Hostname = ""
+	s.ContainerNetworkConfig = specgen.ContainerNetworkConfig{}
+
 	s.Pod = podName
 	return registry.ContainerEngine().PodCreate(context.Background(), createOptions)
 }

cmd/podman/early_init_linux.go

@@ -32,7 +32,7 @@ func setUMask() {
 
 func earlyInitHook() {
 	if err := setRLimits(); err != nil {
-		fmt.Fprint(os.Stderr, "Failed to set rlimits: "+err.Error())
+		fmt.Fprintf(os.Stderr, "Failed to set rlimits: %s\n", err.Error())
 	}
 
 	setUMask()

cmd/podman/images/list.go

@@ -195,6 +195,7 @@ func sortImages(imageS []*entities.ImageSummary) ([]imageReporter, error) {
 		} else {
 			h.ImageSummary = *e
 			h.Repository = "<none>"
+			h.Tag = "<none>"
 			imgs = append(imgs, h)
 		}
 		listFlag.readOnly = e.IsReadOnly()
@@ -205,27 +206,34 @@ func sortImages(imageS []*entities.ImageSummary) ([]imageReporter, error) {
 }
 
 func tokenRepoTag(ref string) (string, string, error) {
-
 	if ref == "<none>:<none>" {
 		return "<none>", "<none>", nil
 	}
 
 	repo, err := reference.Parse(ref)
 	if err != nil {
-		return "", "", err
+		return "<none>", "<none>", err
 	}
 
 	named, ok := repo.(reference.Named)
 	if !ok {
-		return ref, "", nil
+		return ref, "<none>", nil
+	}
+	name := named.Name()
+	if name == "" {
+		name = "<none>"
 	}
 
 	tagged, ok := repo.(reference.Tagged)
 	if !ok {
-		return named.Name(), "", nil
+		return name, "<none>", nil
+	}
+	tag := tagged.Tag()
+	if tag == "" {
+		tag = "<none>"
 	}
 
-	return named.Name(), tagged.Tag(), nil
+	return name, tag, nil
 
 }
 

cmd/podman/images/save.go

@@ -5,10 +5,9 @@ import (
 	"os"
 	"strings"
 
-	"github.com/containers/libpod/v2/libpod/define"
-
 	"github.com/containers/libpod/v2/cmd/podman/parse"
 	"github.com/containers/libpod/v2/cmd/podman/registry"
+	"github.com/containers/libpod/v2/libpod/define"
 	"github.com/containers/libpod/v2/pkg/domain/entities"
 	"github.com/containers/libpod/v2/pkg/util"
 	"github.com/pkg/errors"
@@ -83,9 +82,10 @@ func saveFlags(flags *pflag.FlagSet) {
 
 }
 
-func save(cmd *cobra.Command, args []string) error {
+func save(cmd *cobra.Command, args []string) (finalErr error) {
 	var (
-		tags []string
+		tags      []string
+		succeeded = false
 	)
 	if cmd.Flag("compress").Changed && (saveOpts.Format != define.OCIManifestDir && saveOpts.Format != define.V2s2ManifestDir && saveOpts.Format == "") {
 		return errors.Errorf("--compress can only be set when --format is either 'oci-dir' or 'docker-dir'")
@@ -95,13 +95,32 @@ func save(cmd *cobra.Command, args []string) error {
 		if terminal.IsTerminal(int(fi.Fd())) {
 			return errors.Errorf("refusing to save to terminal. Use -o flag or redirect")
 		}
-		saveOpts.Output = "/dev/stdout"
+		pipePath, cleanup, err := setupPipe()
+		if err != nil {
+			return err
+		}
+		if cleanup != nil {
+			defer func() {
+				errc := cleanup()
+				if succeeded {
+					writeErr := <-errc
+					if writeErr != nil && finalErr == nil {
+						finalErr = writeErr
+					}
+				}
+			}()
+		}
+		saveOpts.Output = pipePath
 	}
 	if err := parse.ValidateFileName(saveOpts.Output); err != nil {
 		return err
 	}
 	if len(args) > 1 {
 		tags = args[1:]
 	}
-	return registry.ImageEngine().Save(context.Background(), args[0], tags, saveOpts)
+	err := registry.ImageEngine().Save(context.Background(), args[0], tags, saveOpts)
+	if err == nil {
+		succeeded = true
+	}
+	return err
 }

cmd/podman/images/utils_linux.go

@@ -0,0 +1,47 @@
+package images
+
+import (
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+// setupPipe for fixing https://github.com/containers/podman/issues/7017
+// uses named pipe since containers/image EvalSymlinks fails with /dev/stdout
+// the caller should use the returned function to clean up the pipeDir
+func setupPipe() (string, func() <-chan error, error) {
+	errc := make(chan error)
+	pipeDir, err := ioutil.TempDir(os.TempDir(), "pipeDir")
+	if err != nil {
+		return "", nil, err
+	}
+	pipePath := filepath.Join(pipeDir, "saveio")
+	err = unix.Mkfifo(pipePath, 0600)
+	if err != nil {
+		if e := os.RemoveAll(pipeDir); e != nil {
+			logrus.Errorf("error removing named pipe: %q", e)
+		}
+		return "", nil, errors.Wrapf(err, "error creating named pipe")
+	}
+	go func() {
+		fpipe, err := os.Open(pipePath)
+		if err != nil {
+			errc <- err
+			return
+		}
+		_, err = io.Copy(os.Stdout, fpipe)
+		fpipe.Close()
+		errc <- err
+	}()
+	return pipePath, func() <-chan error {
+		if e := os.RemoveAll(pipeDir); e != nil {
+			logrus.Errorf("error removing named pipe: %q", e)
+		}
+		return errc
+	}, nil
+}

cmd/podman/images/utils_unsupported.go

@@ -0,0 +1,7 @@
+// +build !linux
+
+package images
+
+func setupPipe() (string, func() <-chan error, error) {
+	return "/dev/stdout", nil, nil
+}

cmd/podman/main.go

@@ -14,6 +14,7 @@ import (
 	_ "github.com/containers/libpod/v2/cmd/podman/pods"
 	"github.com/containers/libpod/v2/cmd/podman/registry"
 	_ "github.com/containers/libpod/v2/cmd/podman/system"
+	_ "github.com/containers/libpod/v2/cmd/podman/system/connection"
 	_ "github.com/containers/libpod/v2/cmd/podman/volumes"
 	"github.com/containers/libpod/v2/pkg/rootless"
 	"github.com/containers/libpod/v2/pkg/terminal"