diff --git a/go.mod b/go.mod
index d2cb0f67902..a7d3c87858c 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ go 1.21 // ***** ATTENTION WARNING CAUTION DANGER ******
 require (
 github.com/containerd/containerd v1.7.18
 github.com/containernetworking/cni v1.1.2
- github.com/containers/common v0.59.0
+ github.com/containers/common v0.59.1
 github.com/containers/image/v5 v5.31.0
 github.com/containers/luksy v0.0.0-20240506205542-84b50f50f3ee
 github.com/containers/ocicrypt v1.1.10
diff --git a/go.sum b/go.sum
index 7f891154f83..d779b8d7537 100644
--- a/go.sum
+++ b/go.sum
@@ -61,8 +61,8 @@ github.com/containernetworking/cni v1.1.2 h1:wtRGZVv7olUHMOqouPpn3cXJWpJgM6+EUl3
 github.com/containernetworking/cni v1.1.2/go.mod h1:sDpYKmGVENF3s6uvMvGgldDWeG8dMxakj/u+i9ht9vw=
 github.com/containernetworking/plugins v1.5.0 h1:P09DMlfvvsLSskDoftnuwXY7lwa7IAhTGznZxA5E8fk=
 github.com/containernetworking/plugins v1.5.0/go.mod h1:bcXMvG9gWGc6jVXeodmMzuXmXqpqMguZm6Zu/oIr7AA=
-github.com/containers/common v0.59.0 h1:fy9Jz0B7Qs1C030bm73YJtVddaiFSZD3558EV1tgN2g=
-github.com/containers/common v0.59.0/go.mod h1:53VicJCZ2AD0O+Br7VVoyrS7viXF4YmwlTIocWUT8XE=
+github.com/containers/common v0.59.1 h1:7VkmJN3YvD0jLFwaUjLHSRJ98JLffydiyOJjYr0dUTo=
+github.com/containers/common v0.59.1/go.mod h1:53VicJCZ2AD0O+Br7VVoyrS7viXF4YmwlTIocWUT8XE=
 github.com/containers/image/v5 v5.31.0 h1:eDFVlz5XaYICxe9dXpf23htEKvyosgkl62mJlIATXE4=
 github.com/containers/image/v5 v5.31.0/go.mod h1:5QfOqSackPkSbF7Qxc1DnVNnPJKQ+KWLkfEfDpK590Q=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
diff --git a/vendor/github.com/containers/common/libimage/manifests/manifests.go b/vendor/github.com/containers/common/libimage/manifests/manifests.go
index 64f06350f0f..2213e735758 100644
--- a/vendor/github.com/containers/common/libimage/manifests/manifests.go
+++ b/vendor/github.com/containers/common/libimage/manifests/manifests.go
@@ -663,6 +663,9 @@ func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.Imag
 if err != nil {
 return "", fmt.Errorf("adding instance with digest %q: %w", *instanceInfo.instanceDigest, err)
 }
+ if err := l.List.SetArtifactType(instanceInfo.instanceDigest, instanceInfo.ArtifactType); err != nil {
+ return "", fmt.Errorf("setting artifact manifest type for instance with digest %q: %w", *instanceInfo.instanceDigest, err)
+ }
 if err = l.List.SetURLs(*instanceInfo.instanceDigest, instanceInfo.URLs); err != nil {
 return "", fmt.Errorf("setting URLs for instance with digest %q: %w", *instanceInfo.instanceDigest, err)
 }
diff --git a/vendor/github.com/containers/common/libnetwork/cni/network.go b/vendor/github.com/containers/common/libnetwork/cni/network.go
index 94d13f7a0ff..7e001fab0ed 100644
--- a/vendor/github.com/containers/common/libnetwork/cni/network.go
+++ b/vendor/github.com/containers/common/libnetwork/cni/network.go
@@ -82,9 +82,23 @@ type InitConfig struct {
 // NewCNINetworkInterface creates the ContainerNetwork interface for the CNI backend.
 // Note: The networks are not loaded from disk until a method is called.
 func NewCNINetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
+ var netns *rootlessnetns.Netns
+ var err error
+ // Do not use unshare.IsRootless() here. We only care if we are running re-exec in the userns,
+ // IsRootless() also returns true if we are root in a userns which is not what we care about and
+ // causes issues as this slower more complicated rootless-netns logic should not be used as root.
+ val, ok := os.LookupEnv(unshare.UsernsEnvName)
+ useRootlessNetns := ok && val == "done"
+ if useRootlessNetns {
+ netns, err = rootlessnetns.New(conf.RunDir, rootlessnetns.CNI, conf.Config)
+ if err != nil {
+ return nil, err
+ }
+ }
+
 // root needs to use a globally unique lock because there is only one host netns
 lockPath := defaultRootLockPath
- if unshare.IsRootless() {
+ if useRootlessNetns {
 lockPath = filepath.Join(conf.CNIConfigDir, "cni.lock")
 }

@@ -112,14 +126,6 @@ func NewCNINetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 defaultSubnetPools = config.DefaultSubnetPools
 }

- var netns *rootlessnetns.Netns
- if unshare.IsRootless() {
- netns, err = rootlessnetns.New(conf.RunDir, rootlessnetns.CNI, conf.Config)
- if err != nil {
- return nil, err
- }
- }
-
 cni := libcni.NewCNIConfig(conf.Config.Network.CNIPluginDirs.Values, &cniExec{})
 n := &cniNetwork{
 cniConfigDir: conf.CNIConfigDir,
diff --git a/vendor/github.com/containers/common/libnetwork/netavark/network.go b/vendor/github.com/containers/common/libnetwork/netavark/network.go
index d79fdff43af..6ec4a9d15ba 100644
--- a/vendor/github.com/containers/common/libnetwork/netavark/network.go
+++ b/vendor/github.com/containers/common/libnetwork/netavark/network.go
@@ -96,9 +96,23 @@ type InitConfig struct {
 // NewNetworkInterface creates the ContainerNetwork interface for the netavark backend.
 // Note: The networks are not loaded from disk until a method is called.
 func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
+ var netns *rootlessnetns.Netns
+ var err error
+ // Do not use unshare.IsRootless() here. We only care if we are running re-exec in the userns,
+ // IsRootless() also returns true if we are root in a userns which is not what we care about and
+ // causes issues as this slower more complicated rootless-netns logic should not be used as root.
+ val, ok := os.LookupEnv(unshare.UsernsEnvName)
+ useRootlessNetns := ok && val == "done"
+ if useRootlessNetns {
+ netns, err = rootlessnetns.New(conf.NetworkRunDir, rootlessnetns.Netavark, conf.Config)
+ if err != nil {
+ return nil, err
+ }
+ }
+
 // root needs to use a globally unique lock because there is only one host netns
 lockPath := defaultRootLockPath
- if unshare.IsRootless() {
+ if useRootlessNetns {
 lockPath = filepath.Join(conf.NetworkConfigDir, "netavark.lock")
 }

@@ -134,18 +148,6 @@ func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 defaultSubnetPools = config.DefaultSubnetPools
 }

- var netns *rootlessnetns.Netns
- // Do not use unshare.IsRootless() here. We only care if we are running re-exec in the userns,
- // IsRootless() also returns true if we are root in a userns which is not what we care about and
- // causes issues as this slower more complicated rootless-netns logic should not be used as root.
- _, useRootlessNetns := os.LookupEnv(unshare.UsernsEnvName)
- if useRootlessNetns {
- netns, err = rootlessnetns.New(conf.NetworkRunDir, rootlessnetns.Netavark, conf.Config)
- if err != nil {
- return nil, err
- }
- }
-
 n := &netavarkNetwork{
 networkConfigDir: conf.NetworkConfigDir,
 networkRunDir: conf.NetworkRunDir,
diff --git a/vendor/github.com/containers/common/pkg/config/config_windows.go b/vendor/github.com/containers/common/pkg/config/config_windows.go
index fbe1bb3f12f..b2cd751a159 100644
--- a/vendor/github.com/containers/common/pkg/config/config_windows.go
+++ b/vendor/github.com/containers/common/pkg/config/config_windows.go
@@ -5,7 +5,7 @@ import "os"
 const (
 // _configPath is the path to the containers/containers.conf
 // inside a given config directory.
- _configPath = "containers\\containers.conf"
+ _configPath = "\\containers\\containers.conf"

 // DefaultContainersConfig holds the default containers config path
 DefaultContainersConfig = ""
diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf
index 7d79df07a1a..c00efecbb36 100644
--- a/vendor/github.com/containers/common/pkg/config/containers.conf
+++ b/vendor/github.com/containers/common/pkg/config/containers.conf
@@ -350,9 +350,9 @@ default_sysctls = [

 # The firewall driver to be used by netavark.
 # The default is empty which means netavark will pick one accordingly. Current supported
-# drivers are "iptables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
-# experimental at the moment and not recommend outside of testing). In the future we are
-# planning to add support for a "nftables" driver.
+# drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
+# experimental at the moment and not recommend outside of testing).
+#
 #firewall_driver = ""


@@ -890,10 +890,10 @@ default_sysctls = [
 [podmansh]
 # Shell to spawn in container. Default: /bin/sh.
 #shell = "/bin/sh"
-#
+#
 # Name of the container the podmansh user should join.
 #container = "podmansh"
-#
+#
 # Default timeout in seconds for podmansh logins.
 # Favored over the deprecated "podmansh_timeout" field.
 #timeout = 30
diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
index b8311bf196a..5484a31839f 100644
--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
@@ -1,4 +1,4 @@
 package version

 // Version is the version of the build.
-const Version = "0.59.0"
+const Version = "0.59.1"
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 7bfccf5f161..ef1a9d60f5a 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -106,7 +106,7 @@ github.com/containernetworking/cni/pkg/version
 # github.com/containernetworking/plugins v1.5.0
 ## explicit; go 1.20
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/common v0.59.0
+# github.com/containers/common v0.59.1
 ## explicit; go 1.21
 github.com/containers/common/internal
 github.com/containers/common/internal/attributedstring