golang-github-containers-common / d6f93a5
Merge tag 'v0.34.2+ds1' into debian/sid Reinhard Tartler 3 years ago
29 changed file(s) with 672 addition(s) and 237 deletion(s).
6868 .PHONY: validate
6969 validate: build/golangci-lint
7070 ./build/golangci-lint run
71 ./tools/validate_seccomp.sh ./pkg/seccomp
7172
7273 vendor-in-container:
7374 podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src golang make vendor
277277 ## ENGINE TABLE
278278 The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
279279
280 **image_build_format**="oci"
281 The default image format to building container images. Valid values are "oci" (default) or "docker".
280 **image_default_format**="oci"|"v2s2"|"v2s1"
281
282 Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
283 container images. By default images pulled and pushed match the format of the
284 source image. Building/committing defaults to OCI.
285 Note: **image_build_format** is deprecated.
282286
283287 **cgroup_check**=false
284288
360364 associated with the pod. This container does nothing other then sleep,
361365 reserving the pods resources for the lifetime of the pod.
362366
367 **image_parallel_copies**=0
368
369 Maximum number of image layers to be copied (pulled/pushed) simultaneously.
370 Not setting this field will fall back to containers/image defaults. (6)
371
363372 **lock_type**="shm"
364373
365374 Specify the locking mechanism to use; valid values are "shm" and "file".
44 require (
55 github.com/BurntSushi/toml v0.3.1
66 github.com/blang/semver v3.5.1+incompatible // indirect
7 github.com/containers/image/v5 v5.9.0
8 github.com/containers/storage v1.24.5
7 github.com/containers/image/v5 v5.10.1
8 github.com/containers/storage v1.25.0
99 github.com/docker/distribution v2.7.1+incompatible
1010 github.com/docker/docker v17.12.0-ce-rc1.0.20201020191947-73dc6a680cdd+incompatible
1111 github.com/docker/go-units v0.4.0
1212 github.com/ghodss/yaml v1.0.0
13 github.com/google/go-cmp v0.5.2 // indirect
1413 github.com/gorilla/mux v1.8.0 // indirect
1514 github.com/hashicorp/go-multierror v1.1.0
16 github.com/onsi/ginkgo v1.14.2
17 github.com/onsi/gomega v1.10.4
18 github.com/opencontainers/runc v1.0.0-rc91
19 github.com/opencontainers/runtime-spec v1.0.3-0.20200710190001-3e4195d92445
15 github.com/onsi/ginkgo v1.15.0
16 github.com/onsi/gomega v1.10.5
17 github.com/opencontainers/runc v1.0.0-rc93
18 github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d
2019 github.com/opencontainers/runtime-tools v0.9.0
2120 github.com/opencontainers/selinux v1.8.0
2221 github.com/pkg/errors v0.9.1
2524 github.com/sirupsen/logrus v1.7.0
2625 github.com/spf13/cobra v1.1.1
2726 github.com/spf13/pflag v1.0.5
28 github.com/stretchr/testify v1.6.1
29 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2
27 github.com/stretchr/testify v1.7.0
28 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
3029 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
31 golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3
30 golang.org/x/sys v0.0.0-20210112080510-489259a85091
3231 )
1515 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
1616 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
1717 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
18 github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
1918 github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331 h1:3YnB7Hpmh1lPecPE8doMOtYCrMdrpedZOvxfuNES/Vk=
2019 github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
21 github.com/Microsoft/hcsshim v0.8.9 h1:VrfodqvztU8YSOvygU+DN1BGaSGxmrNfqOv5oOuX2Bk=
22 github.com/Microsoft/hcsshim v0.8.9/go.mod h1:5692vkUqntj1idxauYlpoINNKeqCiG6Sg38RRsjT5y8=
2320 github.com/Microsoft/hcsshim v0.8.14 h1:lbPVK25c1cu5xTLITwpUcxoA9vKrKErASPYygvouJns=
2421 github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2ow3VK6a9Lg=
2522 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
4037 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
4138 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
4239 github.com/checkpoint-restore/go-criu/v4 v4.0.2/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw=
40 github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw=
4341 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
4442 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
4543 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
4644 github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg=
4745 github.com/cilium/ebpf v0.0.0-20200507155900-a9f01edf17e3/go.mod h1:XT+cAw5wfvsodedcijoh1l9cf7v1x9FlFB/3VmF/O8s=
46 github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs=
4847 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
49 github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f h1:tSNMc+rJDfmYntojat8lljbt1mgKNpTxUZJsSzJ9Y1s=
50 github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko=
5148 github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59 h1:qWj4qVYZ95vLWwqyNJCQg7rDsG5wPdze0UaPolH7DUk=
5249 github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59/go.mod h1:pA0z1pT8KYB3TCXK/ocprsh7MAkoW8bZVzPdih9snmM=
5350 github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
5451 github.com/containerd/console v1.0.0/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE=
52 github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw=
5553 github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
5654 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
5755 github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
5856 github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
5957 github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
6058 github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
61 github.com/containers/image/v5 v5.9.0 h1:dRmUtcluQcmasNo3DpnRoZjfU0rOu1qZeL6wlDJr10Q=
62 github.com/containers/image/v5 v5.9.0/go.mod h1:blOEFd/iFdeyh891ByhCVUc+xAcaI3gBegXECwz9UbQ=
59 github.com/containers/image/v5 v5.10.1 h1:tHhGQ8RCMxJfJLD/PEW1qrOKX8nndledW9qz6UiAxns=
60 github.com/containers/image/v5 v5.10.1/go.mod h1:JlRLJZv7elVbtHaaaR6Kz8i6G3k2ttj4t7fubwxD9Hs=
6361 github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
6462 github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
6563 github.com/containers/ocicrypt v1.0.3 h1:vYgl+RZ9Q3DPMuTfxmN+qp0X2Bj52uuY2vnt6GzVe1c=
6664 github.com/containers/ocicrypt v1.0.3/go.mod h1:CUBa+8MRNL/VkpxYIpaMtgn1WgXGyvPQj8jcy0EVG6g=
67 github.com/containers/storage v1.23.7/go.mod h1:cUT2zHjtx+WlVri30obWmM2gpqpi8jfPsmIzP1TVpEI=
6865 github.com/containers/storage v1.24.5 h1:BusfdU0rCS2/Daa/DPw+0iLfGRlYA7UVF7D0el3N7Vk=
6966 github.com/containers/storage v1.24.5/go.mod h1:YC+2pY8SkfEAcZkwycxYbpK8EiRbx5soPPwz9dxe4IQ=
67 github.com/containers/storage v1.25.0 h1:p0PLlQcWmtE+7XLfOCR0WuYyMTby1yozpI4DaKOtWTA=
68 github.com/containers/storage v1.25.0/go.mod h1:UxTYd5F4mPVqmDRcRL0PBS8+HP74aBn96eahnhEvPtk=
7069 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
7170 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
7271 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
7473 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
7574 github.com/coreos/go-systemd/v22 v22.0.0 h1:XJIw/+VlJ+87J+doOxznsAWIdmWuViOVhkQamW5YV28=
7675 github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
76 github.com/coreos/go-systemd/v22 v22.1.0 h1:kq/SbG2BCKLkDKkjQf5OWwKWUKj1lgs3lFI4PxnR5lg=
77 github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
7778 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
7879 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
7980 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
81 github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
8082 github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
8183 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
8284 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
110112 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
111113 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
112114 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
113 github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e h1:BWhy2j3IXJhjCbC68FptL43tDKIq8FladmaTs3Xs7Z8=
114 github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
115115 github.com/godbus/dbus/v5 v5.0.3 h1:ZqHaoEF7TBzh4jzPmqVhE/5A1z9of6orkAe5uHoAeME=
116116 github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
117117 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
134134 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
135135 github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
136136 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
137 github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
138 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
137139 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
138140 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
139141 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
197199 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
198200 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
199201 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
200 github.com/klauspost/compress v1.11.1/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
201 github.com/klauspost/compress v1.11.3 h1:dB4Bn0tN3wdCzQxnS8r06kV74qN/TAfaIS0bVE8h3jc=
202 github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
203202 github.com/klauspost/compress v1.11.5 h1:xNCE0uE6yvTPRS+0wGNMHPo3NIpwnk6aluQZ6R6kRcc=
204203 github.com/klauspost/compress v1.11.5/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
204 github.com/klauspost/compress v1.11.7 h1:0hzRabrMN4tSTvMfnL3SCv1ZGeAP23ynzodBgaHeMeg=
205 github.com/klauspost/compress v1.11.7/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
205206 github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE=
206207 github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
207208 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
222223 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
223224 github.com/mattn/go-shellwords v1.0.10 h1:Y7Xqm8piKOO3v10Thp7Z36h4FYFjt5xB//6XvOrs2Gw=
224225 github.com/mattn/go-shellwords v1.0.10/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
226 github.com/mattn/go-shellwords v1.0.11 h1:vCoR9VPpsk/TZFW2JwK5I9S0xdrtUq2bph6/YjEPnaw=
227 github.com/mattn/go-shellwords v1.0.11/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
225228 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
226229 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
227230 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
244247 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
245248 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
246249 github.com/mrunalp/fileutils v0.0.0-20171103030105-7d4729fb3618/go.mod h1:x8F1gnqOkIEiO4rqoeEEEqQbo7HjGMTvyoq3gej4iT0=
250 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
247251 github.com/mtrmac/gpgme v0.1.2/go.mod h1:GYYHnGSuS7HK3zVS2n3y73y0okK/BeKzwnn5jgiVFNI=
248252 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
249253 github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78=
251255 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
252256 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
253257 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
254 github.com/onsi/ginkgo v1.14.2 h1:8mVmC9kjFFmA8H4pKMUhcblgifdkOIXPvbhN1T36q1M=
255 github.com/onsi/ginkgo v1.14.2/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
258 github.com/onsi/ginkgo v1.15.0 h1:1V1NfVQR87RtWAgp1lv9JZJ5Jap+XFGKPi00andXGi4=
259 github.com/onsi/ginkgo v1.15.0/go.mod h1:hF8qUzuuC8DJGygJH3726JnCZX4MYbRB8yFfISqnKUg=
256260 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
257261 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
258 github.com/onsi/gomega v1.10.4 h1:NiTx7EEvBzu9sFOD1zORteLSt3o8gnlvZZwSE9TnY9U=
259 github.com/onsi/gomega v1.10.4/go.mod h1:g/HbgYopi++010VEqkFgJHKC09uJiW9UkXvMUuKHUCQ=
262 github.com/onsi/gomega v1.10.5 h1:7n6FEkpFmfCoo2t+YYqXH0evK+a9ICQz0xcAy9dYcaQ=
263 github.com/onsi/gomega v1.10.5/go.mod h1:gza4q3jKQJijlu05nKWRCW/GavJumGt8aNRxWg7mt48=
260264 github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
261265 github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
262266 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
267271 github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
268272 github.com/opencontainers/runc v1.0.0-rc91 h1:Tp8LWs5G8rFpzTsbRjAtQkPVexhCu0bnANE5IfIhJ6g=
269273 github.com/opencontainers/runc v1.0.0-rc91/go.mod h1:3Sm6Dt7OT8z88EbdQqqcRN2oCT54jbi72tT/HqgflT8=
270 github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
274 github.com/opencontainers/runc v1.0.0-rc93 h1:x2UMpOOVf3kQ8arv/EsDGwim8PTNqzL1/EYDr/+scOM=
275 github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0=
271276 github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
272277 github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2 h1:9mv9SC7GWmRWE0J/+oD8w3GsN2KYGKtg6uwLN7hfP5E=
273278 github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
274 github.com/opencontainers/runtime-spec v1.0.3-0.20200710190001-3e4195d92445 h1:y8cfsJRmn8g3VkM4IDpusKSgMUZEXhudm/BuYANLozE=
275 github.com/opencontainers/runtime-spec v1.0.3-0.20200710190001-3e4195d92445/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
279 github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d h1:pNa8metDkwZjb9g4T8s+krQ+HRgZAkqnXml+wNir/+s=
280 github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
276281 github.com/opencontainers/runtime-tools v0.9.0 h1:FYgwVsKRI/H9hU32MJ/4MLOzXWodKK5zsQavY8NPMkU=
277282 github.com/opencontainers/runtime-tools v0.9.0/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
278283 github.com/opencontainers/selinux v1.5.1/go.mod h1:yTcKuYAh6R95iDpefGLQaPaRwJFwyzAJufJyiTt7s0g=
279 github.com/opencontainers/selinux v1.6.0 h1:+bIAS/Za3q5FTwWym4fTB0vObnfCf3G/NC7K6Jx62mY=
280 github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE=
281284 github.com/opencontainers/selinux v1.8.0 h1:+77ba4ar4jsCbL1GLbFL8fFM57w6suPfSS9PDLDY7KM=
282285 github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
283286 github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913/go.mod h1:J6OG6YJVEWopen4avK3VNQSnALmmjvniMmni/YFYAwc=
350353 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
351354 github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
352355 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
356 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
357 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
353358 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
354359 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 h1:b6uOv7YOFK0TYG7HtkIgExQo+2RdLuwRft63jn2HWj8=
355360 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
361 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
362 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
356363 github.com/tchap/go-patricia v2.3.0+incompatible h1:GkY4dP3cEfEASBPPkWd+AmjYxhmDkqO9/zg7R0lSQRs=
357364 github.com/tchap/go-patricia v2.3.0+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
358365 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
359 github.com/ulikunitz/xz v0.5.8 h1:ERv8V6GKqVi23rgu5cj9pVfVzJbOqAY2Ntl88O6c2nQ=
360 github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
361 github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
366 github.com/ulikunitz/xz v0.5.9 h1:RsKRIA2MO8x56wkkcd3LbtcE/uMszhb6DpRf+3uwa3I=
367 github.com/ulikunitz/xz v0.5.9/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
362368 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
363369 github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
364370 github.com/vbatts/tar-split v0.11.1 h1:0Odu65rhcZ3JZaPHxl7tCI3V/C/Q9Zf82UFravl02dE=
365371 github.com/vbatts/tar-split v0.11.1/go.mod h1:LEuURwDEiWjRjwu46yU3KVGuUdVv/dcnpcEPSzR8z6g=
366 github.com/vbauerster/mpb/v5 v5.3.0/go.mod h1:4yTkvAb8Cm4eylAp6t0JRq6pXDkFJ4krUlDqWYkakAs=
372 github.com/vbauerster/mpb/v5 v5.4.0/go.mod h1:fi4wVo7BVQ22QcvFObm+VwliQXlV1eBT8JDaKXR4JGI=
367373 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
368374 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
369 github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243 h1:R43TdZy32XXSXjJn7M/HhALJ9imq6ztLnChfYJpVDnM=
370 github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
371375 github.com/willf/bitset v1.1.11 h1:N7Z7E9UvjW+sGsEl7k/SJrvY2reP1A07MrGuCjIOjRE=
372376 github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
373377 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
378382 github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
379383 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
380384 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
385 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
381386 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
382387 go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
383388 go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
393398 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
394399 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
395400 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
401 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
396402 golang.org/x/crypto v0.0.0-20200423211502-4bdfaf469ed5/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
397403 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
398404 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
414420 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
415421 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
416422 golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
423 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
417424 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
418425 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
419426 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
433440 golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
434441 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
435442 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
443 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
436444 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb h1:eBmm0M9fYhWpKZLjQUUKka/LtIxf46G4fxeEz5KJr9U=
437445 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
446 golang.org/x/net v0.0.0-20201224014010-6772e930b67b h1:iFwSg7t5GZmB/Q5TjiEAsdoLDrdJRC1RiF2WhuV29Qw=
447 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
438448 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
439449 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
440450 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
444454 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
445455 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
446456 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
457 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
447458 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
448459 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
449460 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
458469 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
459470 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
460471 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
461 golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
462472 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
463473 golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
464474 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
475485 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
476486 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
477487 golang.org/x/sys v0.0.0-20200327173247-9dae0f8f5775/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
478 golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
479 golang.org/x/sys v0.0.0-20200810151505-1b9f1253b3ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
480488 golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
489 golang.org/x/sys v0.0.0-20200916030750-2334cc1a136f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
481490 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f h1:+Nyd8tzPX9R7BWHguqsrbFdRx3WQ/1ib8I44HXV5yTA=
482491 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
492 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
483493 golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3 h1:kzM6+9dur93BcC2kVlYl34cHU+TYZLanmpSJHVMmL64=
484494 golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
495 golang.org/x/sys v0.0.0-20201218084310-7d0127a74742 h1:+CBz4km/0KPU3RGTwARGh/noP3bEwtHcq+0YcBQM2JQ=
496 golang.org/x/sys v0.0.0-20201218084310-7d0127a74742/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
497 golang.org/x/sys v0.0.0-20210112080510-489259a85091 h1:DMyOG0U+gKfu8JZzg2UQe9MeaC1X+xQWlAKcRnjxjCw=
498 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
499 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
485500 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
486501 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
487502 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
509524 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
510525 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
511526 golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
527 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
528 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
512529 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
530 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
513531 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
514532 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
533 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
534 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
515535 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
516536 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
517537 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
1212 isCgroupV2Err error
1313 )
1414
15 // Enabled returns whether we are running in cgroup 2 cgroup2 mode.
15 // Enabled returns whether we are running on cgroup v2
1616 func Enabled() (bool, error) {
1717 isCgroupV2Once.Do(func() {
1818 var st syscall.Statfs_t
11
22 package cgroupv2
33
4 // Enabled returns whether we are running in cgroup 2 cgroup2 mode.
4 // Enabled returns whether we are running on cgroup v2
55 func Enabled() (bool, error) {
66 return false, nil
77 }
0 // +build !windows
1
2 package chown
3
4 import (
5 "os"
6 "os/user"
7 "path/filepath"
8 "syscall"
9
10 "github.com/containers/storage/pkg/homedir"
11 "github.com/pkg/errors"
12 )
13
14 // DangerousHostPath validates if a host path is dangerous and should not be modified
15 func DangerousHostPath(path string) (bool, error) {
16 excludePaths := map[string]bool{
17 "/": true,
18 "/bin": true,
19 "/boot": true,
20 "/dev": true,
21 "/etc": true,
22 "/etc/passwd": true,
23 "/etc/pki": true,
24 "/etc/shadow": true,
25 "/home": true,
26 "/lib": true,
27 "/lib64": true,
28 "/media": true,
29 "/opt": true,
30 "/proc": true,
31 "/root": true,
32 "/run": true,
33 "/sbin": true,
34 "/srv": true,
35 "/sys": true,
36 "/tmp": true,
37 "/usr": true,
38 "/var": true,
39 "/var/lib": true,
40 "/var/log": true,
41 }
42
43 if home := homedir.Get(); home != "" {
44 excludePaths[home] = true
45 }
46
47 if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
48 if usr, err := user.Lookup(sudoUser); err == nil {
49 excludePaths[usr.HomeDir] = true
50 }
51 }
52
53 absPath, err := filepath.Abs(path)
54 if err != nil {
55 return true, err
56 }
57
58 realPath, err := filepath.EvalSymlinks(absPath)
59 if err != nil {
60 return true, err
61 }
62
63 if excludePaths[realPath] {
64 return true, nil
65 }
66
67 return false, nil
68 }
69
70 // ChangeHostPathOwnership changes the uid and gid ownership of a directory or file within the host.
71 // This is used by the volume U flag to change source volumes ownership
72 func ChangeHostPathOwnership(path string, recursive bool, uid, gid int) error {
73 // Validate if host path can be chowned
74 isDangerous, err := DangerousHostPath(path)
75 if err != nil {
76 return errors.Wrapf(err, "failed to validate if host path is dangerous")
77 }
78
79 if isDangerous {
80 return errors.Errorf("chowning host path %q is not allowed. You can manually `chown -R %d:%d %s`", path, uid, gid, path)
81 }
82
83 // Chown host path
84 if recursive {
85 err := filepath.Walk(path, func(filePath string, f os.FileInfo, err error) error {
86 if err != nil {
87 return err
88 }
89
90 // Get current ownership
91 currentUID := int(f.Sys().(*syscall.Stat_t).Uid)
92 currentGID := int(f.Sys().(*syscall.Stat_t).Gid)
93
94 if uid != currentUID || gid != currentGID {
95 return os.Lchown(filePath, uid, gid)
96 }
97
98 return nil
99 })
100
101 if err != nil {
102 return errors.Wrapf(err, "failed to chown recursively host path")
103 }
104 } else {
105 // Get host path info
106 f, err := os.Lstat(path)
107 if err != nil {
108 return errors.Wrapf(err, "failed to get host path information")
109 }
110
111 // Get current ownership
112 currentUID := int(f.Sys().(*syscall.Stat_t).Uid)
113 currentGID := int(f.Sys().(*syscall.Stat_t).Gid)
114
115 if uid != currentUID || gid != currentGID {
116 if err := os.Lchown(path, uid, gid); err != nil {
117 return errors.Wrapf(err, "failed to chown host path")
118 }
119 }
120 }
121
122 return nil
123 }
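Review bot: The lookup at the end of DangerousHostPath tests only the symlink-resolved path against a map of literal paths, so an excluded entry that is itself a symlink on the host (for example `/bin` on a merged-/usr layout, or a home directory reached through a link) resolves to a name that is not in the map and is reported as safe. Checking both forms closes that gap: `if excludePaths[absPath] || excludePaths[realPath] {`. The match is also exact, so children of the listed directories are not covered; if that is intended, a comment on the map should say so. ChangeHostPathOwnership then walks and chowns the original `path` rather than the resolved one, so what was validated and what is modified can differ if the path changes in between; resolving once and using the resolved path for both steps narrows that window.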
0 // +build !windows
1
2 package chown
3
4 import (
5 "io/ioutil"
6 "os"
7 "runtime"
8 "syscall"
9 "testing"
10
11 "github.com/stretchr/testify/assert"
12 )
13
14 func TestDangerousHostPath(t *testing.T) {
15 if runtime.GOOS != "linux" {
16 t.Skip("Current paths are supported only by Linux")
17 }
18
19 // Create a temp dir that is not dangerous
20 td, err := ioutil.TempDir("/tmp", "validDir")
21 if err != nil {
22 t.Fatal(err)
23 }
24 defer os.RemoveAll(td)
25
26 tests := []struct {
27 Path string
28 Expected bool
29 ExpectError bool
30 ExpectedErrorMsg string
31 }{
32 {
33 "/tmp",
34 true,
35 false,
36 "",
37 },
38 {
39 td,
40 false,
41 false,
42 "",
43 },
44 {
45 "/doesnotexist",
46 false,
47 true,
48 "no such file or directory",
49 },
50 }
51
52 for _, test := range tests {
53 result, err := DangerousHostPath(test.Path)
54 if test.ExpectError {
55 assert.Error(t, err)
56 assert.Contains(t, err.Error(), test.ExpectedErrorMsg)
57 } else {
58 assert.NoError(t, err)
59 assert.Equal(t, test.Expected, result)
60 }
61 }
62 }
63
64 func TestChangeHostPathOwnership(t *testing.T) {
65 if runtime.GOOS != "linux" {
66 t.Skip("Current paths are supported only by Linux")
67 }
68
69 // Create a temp dir that is not dangerous
70 td, err := ioutil.TempDir("/tmp", "validDir")
71 if err != nil {
72 t.Fatal(err)
73 }
74 defer os.RemoveAll(td)
75
76 // Get host path info
77 f, err := os.Lstat(td)
78 if err != nil {
79 t.Fatal(err)
80 }
81
82 // Get current ownership
83 currentUID := int(f.Sys().(*syscall.Stat_t).Uid)
84 currentGID := int(f.Sys().(*syscall.Stat_t).Gid)
85
86 tests := []struct {
87 Path string
88 Recursive bool
89 UID int
90 GID int
91 ExpectError bool
92 ExpectedErrorMsg string
93 }{
94 {
95 "/doesnotexist",
96 false,
97 0,
98 0,
99 true,
100 "no such file or directory",
101 },
102 {
103 "/tmp",
104 false,
105 0,
106 0,
107 true,
108 "is not allowed",
109 },
110 {
111 td,
112 false,
113 currentUID,
114 currentGID,
115 false,
116 "",
117 },
118 {
119 td,
120 true,
121 currentUID,
122 currentGID,
123 false,
124 "",
125 },
126 }
127
128 for _, test := range tests {
129 err := ChangeHostPathOwnership(test.Path, test.Recursive, test.UID, test.GID)
130 if test.ExpectError {
131 assert.Error(t, err)
132 assert.Contains(t, err.Error(), test.ExpectedErrorMsg)
133 } else {
134 assert.NoError(t, err)
135 }
136 }
137 }
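Review bot: Neither table contains a symlink case, although DangerousHostPath resolves symlinks before its lookup; a case that creates a link inside the temp dir pointing at `/tmp` and expects `true` would pin that behaviour. In both loops `assert.Error` does not stop the test, so a nil error reaches `err.Error()` on the next line and panics instead of reporting a failure; `if assert.Error(t, err) { assert.Contains(t, err.Error(), test.ExpectedErrorMsg) }` avoids that. In TestDangerousHostPath the `Expected` value is never compared in the error branch, so the `true` result returned alongside an error is not covered.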
0 package chown
1
2 // DangerousHostPath validates if a host path is dangerous and should not be modified
3 func DangerousHostPath(path string) (bool, error) {
4 return false, nil
5 }
6
7 // ChangeHostPathOwnership changes the uid and gid ownership of a directory or file within the host.
8 // This is used by the volume U flag to change source volumes ownership
9 func ChangeHostPathOwnership(path string, recursive bool, uid, gid int) error {
10 return nil
11 }
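Review bot: The stub ChangeHostPathOwnership returns nil, so on a platform where this file is built a caller that requested an ownership change is told it succeeded although nothing was changed; returning an error such as `errors.New("changing host path ownership is not supported on this platform")` (with the matching import) makes that visible. DangerousHostPath likewise answers `false` for every path, which is worth a comment stating that no check is performed here. No build constraint is visible at the top of this file while the other implementation carries `// +build !windows`; presumably the file name supplies it, which is worth confirming since otherwise both files define the same functions.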
186186
187187 // EngineConfig contains configuration options used to set up a engine runtime
188188 type EngineConfig struct {
189 // ImageBuildFormat indicates the default image format to building
190 // container images. Valid values are "oci" (default) or "docker".
191 ImageBuildFormat string `toml:"image_build_format,omitempty"`
192
193189 // CgroupCheck indicates the configuration has been rewritten after an
194190 // upgrade to Fedora 31 to change the default OCI runtime for cgroupv2v2.
195191 CgroupCheck bool `toml:"cgroup_check,omitempty"`
234230 // this slice takes precedence.
235231 HooksDir []string `toml:"hooks_dir,omitempty"`
236232
233 // ImageBuildFormat (DEPRECATED) indicates the default image format to
234 // building container images. Should use ImageDefaultFormat
235 ImageBuildFormat string `toml:"image_build_format,omitempty"`
236
237237 // ImageDefaultTransport is the default transport method used to fetch
238238 // images.
239239 ImageDefaultTransport string `toml:"image_default_transport,omitempty"`
240
241 // ImageParallelCopies indicates the maximum number of image layers
242 // to be copied simultaneously. If this is zero, container engines
243 // will fall back to containers/image defaults.
244 ImageParallelCopies uint `toml:"image_parallel_copies,omitempty"`
245
246 // ImageDefaultFormat sepecified the manifest Type (oci, v2s2, or v2s1)
247 // to use when pulling, pushing, building container images. By default
248 // image pulled and pushed match the format of the source image.
249 // Building/committing defaults to OCI.
250 ImageDefaultFormat string `toml:"image_default_format,omitempty"`
240251
241252 // InfraCommand is the command run to start up a pod infra container.
242253 InfraCommand string `toml:"infra_command,omitempty"`
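Review bot: The deprecation of ImageBuildFormat is written as `(DEPRECATED)` inside the sentence, which godoc, gopls and staticcheck do not recognise; a separate comment paragraph `// Deprecated: use ImageDefaultFormat instead.` makes tools flag remaining uses. The comment on ImageDefaultFormat has a typo (`sepecified` for `specifies`) and names three accepted values, but nothing in this hunk rejects other strings; if validation lives elsewhere in the file that is fine, otherwise a check against `oci`, `v2s2` and `v2s1` belongs with the other config validation. The EngineConfig struct continues beyond the visible hunks.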
301301 gomega.Expect(err).To(gomega.BeNil())
302302 gomega.Expect(config).ToNot(gomega.BeNil())
303303 gomega.Expect(config.Containers.ApparmorProfile).To(gomega.Equal("overridden-default"))
304 gomega.Expect(config.Engine.ImageParallelCopies).To(gomega.Equal(uint(10)))
305 gomega.Expect(config.Engine.ImageDefaultFormat).To(gomega.Equal("v2s2"))
304306 })
305307
306308 It("should fail with invalid value", func() {
245245 # network_config_dir = "/etc/cni/net.d/"
246246
247247 [engine]
248 # ImageBuildFormat indicates the default image format to building
249 # container images. Valid values are "oci" (default) or "docker".
250 # image_build_format = "oci"
248 # Maximum number of image layers to be copied (pulled/pushed) simultaneously.
249 # Not setting this field, or setting it to zero, will fall back to containers/image defaults.
250 # image_parallel_copies=0
251
252 # Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
253 # container images. By default image pulled and pushed match the format of the
254 # source image. Building/commiting defaults to OCI.
255 # image_default_format = ""
251256
252257 # Cgroup management implementation used for the runtime.
253258 # Valid options "systemd" or "cgroupfs"
517517 func (c *Config) Umask() string {
518518 return c.Containers.Umask
519519 }
520
521 // LogDriver returns the logging driver to be used
522 // currently k8s-file or journald
523 func (c *Config) LogDriver() string {
524 return c.Containers.LogDriver
525 }
00 [containers]
11
22 apparmor_profile = "overridden-default"
3
4 [engine]
5 image_parallel_copies=10
6 image_default_format="v2s2"
2424
2525 rootlessRuntimeDirOnce.Do(func() {
2626 runtimeDir := os.Getenv("XDG_RUNTIME_DIR")
27 if runtimeDir != "" {
28 st, err := os.Stat(runtimeDir)
29 if err != nil {
30 rootlessRuntimeDirError = err
31 return
32 }
33 if int(st.Sys().(*syscall.Stat_t).Uid) != os.Geteuid() {
34 rootlessRuntimeDirError = fmt.Errorf("XDG_RUNTIME_DIR directory %q is not owned by the current user", runtimeDir)
35 return
36 }
37 }
2738 uid := fmt.Sprintf("%d", unshare.GetRootlessUID())
2839 if runtimeDir == "" {
2940 tmpDir := filepath.Join("/run", "user", uid)
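Review bot: The new check on XDG_RUNTIME_DIR verifies the owner only; it does not confirm that the path is a directory or that its mode keeps other users out, which the XDG base directory specification also requires (mode 0700). A second condition next to the uid comparison, `if !st.IsDir() || st.Mode().Perm()&0077 != 0 {` with its own error message, would cover that. The type assertion `st.Sys().(*syscall.Stat_t)` is unchecked and panics if Sys() returns another type; the two-value form `stat, ok := st.Sys().(*syscall.Stat_t)` lets the code return an error instead. The enclosing function starts and ends outside this hunk.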
1212
1313 // ValidateVolumeOpts validates a volume's options
1414 func ValidateVolumeOpts(options []string) ([]string, error) {
15 var foundRootPropagation, foundRWRO, foundLabelChange, bindType, foundExec, foundDev, foundSuid int
15 var foundRootPropagation, foundRWRO, foundLabelChange, bindType, foundExec, foundDev, foundSuid, foundChown int
1616 finalOpts := make([]string, 0, len(options))
1717 for _, opt := range options {
1818 switch opt {
4040 foundLabelChange++
4141 if foundLabelChange > 1 {
4242 return nil, errors.Errorf("invalid options %q, can only specify 1 'z', 'Z', or 'O' option", strings.Join(options, ", "))
43 }
44 case "U":
45 foundChown++
46 if foundChown > 1 {
47 return nil, errors.Errorf("invalid options %q, can only specify 1 'U' option", strings.Join(options, ", "))
4348 }
4449 case "private", "rprivate", "shared", "rshared", "slave", "rslave", "unbindable", "runbindable":
4550 foundRootPropagation++
66 "path/filepath"
77
88 "github.com/containers/storage/pkg/unshare"
9 "github.com/opencontainers/runc/libcontainer/configs"
109 "github.com/opencontainers/runc/libcontainer/devices"
1110 "github.com/pkg/errors"
1211 )
1312
14 func DeviceFromPath(device string) ([]configs.Device, error) {
15 var devs []configs.Device
13 func DeviceFromPath(device string) ([]devices.Device, error) {
14 var devs []devices.Device
1615 src, dst, permissions, err := Device(device)
1716 if err != nil {
1817 return nil, err
4342 }
4443 for _, d := range srcDevices {
4544 d.Path = filepath.Join(dst, filepath.Base(d.Path))
46 d.Permissions = configs.DevicePermissions(permissions)
45 d.Permissions = devices.Permissions(permissions)
4746 devs = append(devs, *d)
4847 }
4948 return devs, nil
3737 ... process JSON and output
3838 }
3939
40 and
40 Template Functions:
41
42 The following template functions are added to the template when parsed:
43 - join strings.Join, {{join .Field separator}}
44 - lower strings.ToLower {{ .Field | lower }}
45 - split strings.Split {{ .Field | split }}
46 - title strings.Title {{ .Field | title }}
47 - upper strings.ToUpper {{ .Field | upper }}
48
49 report.Funcs() may be used to add additional template functions.
50 Adding an existing function will replace that function for the life of that template.
4151
4252
4353 Note: Your code should not ignore errors
00 package report
11
22 import (
3 "bytes"
4 "encoding/json"
35 "reflect"
46 "strings"
57 "text/template"
2022 var tableReplacer = strings.NewReplacer(
2123 "table ", "",
2224 `\t`, "\t",
23 `\n`, "\n",
2425 " ", "\t",
2526 )
2627
2728 // escapedReplacer will clean up escaped characters from CLI
2829 var escapedReplacer = strings.NewReplacer(
2930 `\t`, "\t",
30 `\n`, "\n",
3131 )
32
33 var DefaultFuncs = FuncMap{
34 "join": strings.Join,
35 "json": func(v interface{}) string {
36 buf := &bytes.Buffer{}
37 enc := json.NewEncoder(buf)
38 enc.SetEscapeHTML(false)
39 enc.Encode(v)
40 // Remove the trailing new line added by the encoder
41 return strings.TrimSpace(buf.String())
42 },
43 "lower": strings.ToLower,
44 "pad": padWithSpace,
45 "split": strings.Split,
46 "title": strings.Title,
47 "truncate": truncateWithLength,
48 "upper": strings.ToUpper,
49 }
3250
3351 // NormalizeFormat reads given go template format provided by CLI and munges it into what we need
3452 func NormalizeFormat(format string) string {
4462 f += "\n"
4563 }
4664 return f
65 }
66
67 // padWithSpace adds spaces*prefix and spaces*suffix to the input when it is non-empty
68 func padWithSpace(source string, prefix, suffix int) string {
69 if source == "" {
70 return source
71 }
72 return strings.Repeat(" ", prefix) + source + strings.Repeat(" ", suffix)
73 }
74
75 // truncateWithLength truncates the source string up to the length provided by the input
76 func truncateWithLength(source string, length int) string {
77 if len(source) < length {
78 return source
79 }
80 return source[:length]
4781 }
4882
4983 // Headers queries the interface for field names.
87121
88122 // NewTemplate creates a new template object
89123 func NewTemplate(name string) *Template {
90 return &Template{template.New(name), false}
124 return &Template{Template: template.New(name).Funcs(template.FuncMap(DefaultFuncs))}
91125 }
92126
93127 // Parse parses text as a template body for t
99133 text = NormalizeFormat(text)
100134 }
101135
102 tt, err := t.Template.Parse(text)
136 tt, err := t.Template.Funcs(template.FuncMap(DefaultFuncs)).Parse(text)
103137 return &Template{tt, t.isTable}, err
104138 }
105139
106 // Funcs adds the elements of the argument map to the template's function map
140 // Funcs adds the elements of the argument map to the template's function map.
141 // A default template function will be replace if there is a key collision.
107142 func (t *Template) Funcs(funcMap FuncMap) *Template {
108 return &Template{t.Template.Funcs(template.FuncMap(funcMap)), t.isTable}
143 m := make(FuncMap)
144 for k, v := range DefaultFuncs {
145 m[k] = v
146 }
147 for k, v := range funcMap {
148 m[k] = v
149 }
150 return &Template{Template: t.Template.Funcs(template.FuncMap(m)), isTable: t.isTable}
109151 }
110152
111153 // IsTable returns true if format string defines a "table"
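Review bot: The `json` entry in DefaultFuncs discards the error from `enc.Encode(v)`, so a value that cannot be marshalled renders as an empty string and no error reaches the caller of Execute. text/template accepts functions that return `(string, error)`, so the closure can be declared `func(v interface{}) (string, error)` and return `"", err` when Encode fails. `truncateWithLength` slices by bytes, which can cut a multi-byte character in half, and a negative `length` makes `source[:length]` panic; a guard `if length < 0 { return "" }` plus slicing on `[]rune(source)` avoids both. DefaultFuncs is an exported, mutable package-level map with no doc comment, and the package documentation hunk lists only five of its eight entries (`json`, `pad` and `truncate` are missing).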
4747 input string
4848 expected string
4949 }{
50 {"{{.ID}}\t{{.ID}}\n", "{{.ID}}\t{{.ID}}\n"},
51 {`{{.ID}}\t{{.ID}}\n`, "{{.ID}}\t{{.ID}}\n"},
52 {`{{.ID}} {{.ID}}\n`, "{{.ID}} {{.ID}}\n"},
50 {"{{.ID}}\t{{.ID}}", "{{.ID}}\t{{.ID}}\n"},
51 {`{{.ID}}\t{{.ID}}`, "{{.ID}}\t{{.ID}}\n"},
52 {`{{.ID}} {{.ID}}`, "{{.ID}} {{.ID}}\n"},
5353 {`table {{.ID}}\t{{.ID}}`, "{{.ID}}\t{{.ID}}\n"},
5454 {`table {{.ID}} {{.ID}}`, "{{.ID}}\t{{.ID}}\n"},
5555 }
6767 testCase := []string{
6868 "table {{.ID}}",
6969 "table {{ .ID}}",
70 `table {{ .ID}}\n`,
7170 "table {{ .ID}}\n",
7271 "{{range .}}{{.ID}}{{end}}",
7372 `{{range .}}{{.ID}}{{end}}`,
9796 assert.True(t, tmpl.isTable)
9897 }
9998
100 func TestTemplate_Funcs(t *testing.T) {
99 func TestTemplate_trim(t *testing.T) {
101100 tmpl := NewTemplate("TestTemplate")
102 tmpl = tmpl.Funcs(map[string]interface{}{"ToLower": strings.ToLower})
103 tmpl, e := tmpl.Parse("{{.ID |ToLower}}")
101 tmpl, e := tmpl.Funcs(FuncMap{"trim": strings.TrimSpace}).Parse("{{.ID |trim}}")
104102 assert.NoError(t, e)
105103
106104 var buf bytes.Buffer
107105 err := tmpl.Execute(&buf, map[string]string{
108 "ID": "ident",
106 "ID": "ident ",
109107 })
110108 assert.NoError(t, err)
111109 assert.Equal(t, "ident\n", buf.String())
112110 }
111
112 func TestTemplate_DefaultFuncs(t *testing.T) {
113 tmpl := NewTemplate("TestTemplate")
114 // Throw in trim function to ensure default 'join' is still available
115 tmpl, e := tmpl.Funcs(FuncMap{"trim": strings.TrimSpace}).Parse(`{{join .ID "\n"}}`)
116 assert.NoError(t, e)
117
118 var buf bytes.Buffer
119 err := tmpl.Execute(&buf, map[string][]string{
120 "ID": {"ident1", "ident2", "ident3"},
121 })
122 assert.NoError(t, err)
123 assert.Equal(t, "ident1\nident2\nident3\n", buf.String())
124 }
125
126 func TestTemplate_ReplaceFuncs(t *testing.T) {
127 tmpl := NewTemplate("TestTemplate")
128 // yes, we're overriding upper with lower :-)
129 tmpl, e := tmpl.Funcs(FuncMap{"upper": strings.ToLower}).Parse(`{{.ID | lower}}`)
130 assert.NoError(t, e)
131
132 var buf bytes.Buffer
133 err := tmpl.Execute(&buf, map[string]string{
134 "ID": "IDENT",
135 })
136 assert.NoError(t, err)
137 assert.Equal(t, "ident\n", buf.String())
138 }
139
140 func TestTemplate_json(t *testing.T) {
141 tmpl := NewTemplate("TestTemplate")
142 // yes, we're overriding upper with lower :-)
143 tmpl, e := tmpl.Parse(`{{json .ID}}`)
144 assert.NoError(t, e)
145
146 var buf bytes.Buffer
147 err := tmpl.Execute(&buf, map[string][]string{
148 "ID": {"ident1", "ident2", "ident3"},
149 })
150 assert.NoError(t, err)
151 assert.Equal(t, `["ident1","ident2","ident3"]`+"\n", buf.String())
152 }
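Review bot: TestTemplate_ReplaceFuncs registers `upper` as strings.ToLower but then parses `{{.ID | lower}}`, so the expected "ident" comes from the default `lower` and the test passes whether or not the override took effect. Parsing `{{.ID | upper}}` instead makes the assertion depend on the replacement. TestTemplate_json carries the copied comment `// yes, we're overriding upper with lower :-)` although it overrides nothing; it should be removed or replaced with a line describing the json case.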
44 package seccomp
55
66 import (
7 "syscall"
8
97 "golang.org/x/sys/unix"
108 )
119
4442
4543 // DefaultProfile defines the allowlist for the default seccomp profile.
4644 func DefaultProfile() *Seccomp {
47 einval := uint(syscall.EINVAL)
45 einval := uint(unix.EINVAL)
4846
4947 syscalls := []*Syscall{
5048 {
8684 "epoll_ctl",
8785 "epoll_ctl_old",
8886 "epoll_pwait",
87 "epoll_pwait2",
8988 "epoll_wait",
9089 "epoll_wait_old",
9190 "eventfd",
114113 "flock",
115114 "fork",
116115 "fremovexattr",
116 "fsconfig",
117117 "fsetxattr",
118 "fsmount",
119 "fsopen",
120 "fspick",
118121 "fstat",
119122 "fstat64",
120123 "fstatat64",
202205 "mmap",
203206 "mmap2",
204207 "mount",
208 "move_mount",
205209 "mprotect",
206210 "mq_getsetattr",
207211 "mq_notify",
224228 "open",
225229 "openat",
226230 "openat2",
231 "open_tree",
227232 "pause",
228233 "pidfd_getfd",
229234 "pidfd_open",
330335 "signalfd",
331336 "signalfd4",
332337 "sigreturn",
333 "socket",
334338 "socketcall",
335339 "socketpair",
336340 "splice",
511515 {
512516 Names: []string{
513517 "bpf",
514 "clone",
515518 "fanotify_init",
516519 "lookup_dcookie",
517 "mount",
518 "name_to_handle_at",
519520 "perf_event_open",
520521 "quotactl",
521522 "setdomainname",
522523 "sethostname",
523524 "setns",
524 "umount",
525 "umount2",
526 "unshare",
527525 },
528526 Action: ActAllow,
529527 Args: []*Arg{},
530528 Includes: Filter{
531529 Caps: []string{"CAP_SYS_ADMIN"},
532 },
533 },
534 {
535 Names: []string{
536 "clone",
537 },
538 Action: ActAllow,
539 Args: []*Arg{
540 {
541 Index: 0,
542 Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
543 ValueTwo: 0,
544 Op: OpMaskedEqual,
545 },
546 },
547 Excludes: Filter{
548 Caps: []string{"CAP_SYS_ADMIN"},
549 Arches: []string{"s390", "s390x"},
550 },
551 },
552 {
553 Names: []string{
554 "clone",
555 },
556 Action: ActAllow,
557 Args: []*Arg{
558 {
559 Index: 1,
560 Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
561 ValueTwo: 0,
562 Op: OpMaskedEqual,
563 },
564 },
565 Comment: "s390 parameter ordering for clone is different",
566 Includes: Filter{
567 Arches: []string{"s390", "s390x"},
568 },
569 Excludes: Filter{
570 Caps: []string{"CAP_SYS_ADMIN"},
571 },
572 },
573 {
574 Names: []string{
575 "reboot",
576 },
577 Action: ActAllow,
578 Args: []*Arg{},
579 Includes: Filter{
580 Caps: []string{"CAP_SYS_BOOT"},
581530 },
582531 },
583532 {
607556 Names: []string{
608557 "get_mempolicy",
609558 "mbind",
610 "name_to_handle_at",
611559 "set_mempolicy",
612560 },
613561 Action: ActAllow,
629577 {
630578 Names: []string{
631579 "kcmp",
580 "process_madvise",
632581 "process_vm_readv",
633582 "process_vm_writev",
634583 "ptrace",
682631 Args: []*Arg{
683632 {
684633 Index: 0,
685 Value: syscall.AF_NETLINK,
634 Value: unix.AF_NETLINK,
686635 Op: OpEqualTo,
687636 },
688637 {
689638 Index: 2,
690 Value: syscall.NETLINK_AUDIT,
639 Value: unix.NETLINK_AUDIT,
691640 Op: OpEqualTo,
692641 },
693642 },
703652 Args: []*Arg{
704653 {
705654 Index: 2,
706 Value: syscall.NETLINK_AUDIT,
655 Value: unix.NETLINK_AUDIT,
707656 Op: OpNotEqual,
708657 },
709658 },
719668 Args: []*Arg{
720669 {
721670 Index: 0,
722 Value: syscall.AF_NETLINK,
671 Value: unix.AF_NETLINK,
723672 Op: OpNotEqual,
724673 },
725674 },
735684 Args: []*Arg{
736685 {
737686 Index: 2,
738 Value: syscall.NETLINK_AUDIT,
687 Value: unix.NETLINK_AUDIT,
739688 Op: OpNotEqual,
740689 },
741690 },
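Review bot: The large name list near the top of DefaultProfile gains `fsconfig`, `fsmount`, `fsopen`, `fspick`, `move_mount` and `open_tree` with no comment explaining why the new mount API is allowed there while other privileged operations stay in the block filtered on CAP_SYS_ADMIN (that list's action and filters are outside the visible hunk). `mount` appears as a context line in the same list and is dropped from the CAP_SYS_ADMIN block, so this is presumably deliberate and relies on the kernel's own permission checks; a comment above the new names saying so, for example `// new mount API: allowed like mount(2), access is enforced by kernel capability checks`, would record the reasoning for the next reviewer of this allowlist. The removal of `clone`, `umount`, `umount2`, `unshare`, `name_to_handle_at` and the `reboot` rule from the conditional blocks keeps those calls permitted only if they are listed unconditionally elsewhere in the slice, which the visible hunks do not show and is worth confirming. `socket` is also removed from the top list, so its behaviour now depends entirely on the argument-filtered rules further down. DefaultProfile's body starts and ends outside these hunks.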
0 // +build ignore
1
2 // Copyright 2013-2021 Docker, Inc.
3
4 package main
5
6 import (
7 "encoding/json"
8 "io/ioutil"
9 "os"
10 "path/filepath"
11
12 "github.com/containers/common/pkg/seccomp"
13 )
14
15 // saves the default seccomp profile as a json file so people can use it as a
16 // base for their own custom profiles
17 func main() {
18 wd, err := os.Getwd()
19 if err != nil {
20 panic(err)
21 }
22 f := filepath.Join(wd, "seccomp.json")
23
24 // write the default profile to the file
25 b, err := json.MarshalIndent(seccomp.DefaultProfile(), "", "\t")
26 if err != nil {
27 panic(err)
28 }
29
30 if err := ioutil.WriteFile(f, b, 0644); err != nil {
31 panic(err)
32 }
33 }
8888 "epoll_ctl",
8989 "epoll_ctl_old",
9090 "epoll_pwait",
91 "epoll_pwait2",
9192 "epoll_wait",
9293 "epoll_wait_old",
9394 "eventfd",
116117 "flock",
117118 "fork",
118119 "fremovexattr",
120 "fsconfig",
119121 "fsetxattr",
122 "fsmount",
123 "fsopen",
124 "fspick",
120125 "fstat",
121126 "fstat64",
122127 "fstatat64",
176181 "ioprio_get",
177182 "ioprio_set",
178183 "ipc",
184 "keyctl",
179185 "kill",
180186 "lchown",
181187 "lchown32",
203209 "mmap",
204210 "mmap2",
205211 "mount",
212 "move_mount",
206213 "mprotect",
207214 "mq_getsetattr",
208215 "mq_notify",
225232 "open",
226233 "openat",
227234 "openat2",
235 "open_tree",
228236 "pause",
229237 "pidfd_getfd",
230238 "pidfd_open",
573581 {
574582 "names": [
575583 "bpf",
576 "clone",
577584 "fanotify_init",
578585 "lookup_dcookie",
579 "mount",
580 "name_to_handle_at",
581586 "perf_event_open",
582587 "quotactl",
583588 "setdomainname",
584589 "sethostname",
585 "setns",
586 "umount",
587 "umount2",
588 "unshare"
590 "setns"
589591 ],
590592 "action": "SCMP_ACT_ALLOW",
591593 "args": [],
593595 "includes": {
594596 "caps": [
595597 "CAP_SYS_ADMIN"
596 ]
597 },
598 "excludes": {}
599 },
600 {
601 "names": [
602 "clone"
603 ],
604 "action": "SCMP_ACT_ALLOW",
605 "args": [
606 {
607 "index": 0,
608 "value": 2080505856,
609 "valueTwo": 0,
610 "op": "SCMP_CMP_MASKED_EQ"
611 }
612 ],
613 "comment": "",
614 "includes": {},
615 "excludes": {
616 "caps": [
617 "CAP_SYS_ADMIN"
618 ],
619 "arches": [
620 "s390",
621 "s390x"
622 ]
623 }
624 },
625 {
626 "names": [
627 "clone"
628 ],
629 "action": "SCMP_ACT_ALLOW",
630 "args": [
631 {
632 "index": 1,
633 "value": 2080505856,
634 "valueTwo": 0,
635 "op": "SCMP_CMP_MASKED_EQ"
636 }
637 ],
638 "comment": "s390 parameter ordering for clone is different",
639 "includes": {
640 "arches": [
641 "s390",
642 "s390x"
643 ]
644 },
645 "excludes": {
646 "caps": [
647 "CAP_SYS_ADMIN"
648 ]
649 }
650 },
651 {
652 "names": [
653 "reboot"
654 ],
655 "action": "SCMP_ACT_ALLOW",
656 "args": [],
657 "comment": "",
658 "includes": {
659 "caps": [
660 "CAP_SYS_BOOT"
661598 ]
662599 },
663600 "excludes": {}
697634 "names": [
698635 "get_mempolicy",
699636 "mbind",
700 "name_to_handle_at",
701637 "set_mempolicy"
702638 ],
703639 "action": "SCMP_ACT_ALLOW",
727663 {
728664 "names": [
729665 "kcmp",
666 "process_madvise",
730667 "process_vm_readv",
731668 "process_vm_writev",
732669 "ptrace"
893830 "excludes": {}
894831 }
895832 ]
896 }
833 }
3232 func NewDriver(rootPath string) (*Driver, error) {
3333 fileDriver := new(Driver)
3434 fileDriver.secretsDataFilePath = filepath.Join(rootPath, secretsDataFile)
35 // the lockfile functions requre that the rootPath dir is executable
36 if err := os.MkdirAll(rootPath, 0700); err != nil {
37 return nil, err
38 }
39
3540 lock, err := lockfile.GetLockfile(filepath.Join(rootPath, "secretsdata.lock"))
3641 if err != nil {
3742 return nil, err
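Review bot: `os.MkdirAll(rootPath, 0700)` sets the mode only on directories it creates; when rootPath already exists it returns nil and leaves the existing mode in place, so the directory that holds the secrets data file may still be accessible to other users. If that matters here, stat the directory after the call and reject or tighten a mode with group/other bits, e.g. `if fi.Mode().Perm()&0077 != 0 { … }`. The same call is added to the manager constructor in the secrets package and would want the same treatment. The comment above the call has a typo (`requre`), and NewDriver continues outside the hunk.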
33 "os"
44 "path/filepath"
55 "regexp"
6 "strings"
67 "time"
78
89 "github.com/containers/common/pkg/secrets/filedriver"
4647
4748 // secretNameRegexp matches valid secret names
4849 // Allowed: 64 [a-zA-Z0-9-_.] characters, and the start and end character must be [a-zA-Z0-9]
49 var secretNameRegexp = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9_.-]*[a-zA-Z0-9]?$`)
50 var secretNameRegexp = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9_.-]*$`)
5051
5152 // SecretsManager holds information on handling secrets
5253 type SecretsManager struct {
9798 if !filepath.IsAbs(rootPath) {
9899 return nil, errors.Wrapf(errInvalidPath, "path must be absolute: %s", rootPath)
99100 }
100 if _, err := os.Stat(rootPath); os.IsNotExist(err) {
101 // the lockfile functions requre that the rootPath dir is executable
102 os.MkdirAll(rootPath, 0700)
101 // the lockfile functions requre that the rootPath dir is executable
102 if err := os.MkdirAll(rootPath, 0700); err != nil {
103 return nil, err
103104 }
104105
105106 lock, err := lockfile.GetLockfile(filepath.Join(rootPath, "secrets.lock"))
131132 s.lockfile.Lock()
132133 defer s.lockfile.Unlock()
133134
134 exist, err := s.secretExists(name)
135 exist, err := s.exactSecretExists(name)
135136 if err != nil {
136137 return "", err
137138 }
261262
262263 // validateSecretName checks if the secret name is valid.
263264 func validateSecretName(name string) error {
264 if !secretNameRegexp.MatchString(name) || len(name) > 64 {
265 if !secretNameRegexp.MatchString(name) || len(name) > 64 || strings.HasSuffix(name, "-") || strings.HasSuffix(name, ".") {
265266 return errors.Wrapf(errInvalidSecretName, "only 64 [a-zA-Z0-9-_.] characters allowed, and the start and end character must be [a-zA-Z0-9]: %s", name)
266267 }
267268 return nil
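Review bot: validateSecretName now rejects names ending in `-` or `.` through `strings.HasSuffix`, but the relaxed pattern also admits a trailing `_`, so a name such as `a_` passes although the error message and the comment on secretNameRegexp say the last character must be `[a-zA-Z0-9]`. Encoding the rule in the pattern itself removes the need for the suffix checks: `regexp.MustCompile(`^[a-zA-Z0-9]([a-zA-Z0-9_.-]*[a-zA-Z0-9])?$`)`. The tests added for this change cover `a-` and `a.` but not `a_`, which is why the gap goes unnoticed. The function's closing brace lies outside the hunk.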
6464 // invalid chars
6565 _, err = manager.Store("??", []byte("mydata"), drivertype, opts)
6666 require.Error(t, err)
67 _, err = manager.Store("-a", []byte("mydata"), drivertype, opts)
68 require.Error(t, err)
69 _, err = manager.Store("a-", []byte("mydata"), drivertype, opts)
70 require.Error(t, err)
71 _, err = manager.Store(".a", []byte("mydata"), drivertype, opts)
72 require.Error(t, err)
73 _, err = manager.Store("a.", []byte("mydata"), drivertype, opts)
74 require.Error(t, err)
6775 }
6876
6977 func TestAddMultipleSecrets(t *testing.T) {
110118
111119 _, err = manager.Store("mysecret", []byte("mydata"), drivertype, opts)
112120 require.Error(t, err)
121 }
122
123 func TestAddSecretPrefix(t *testing.T) {
124 manager, testpath, err := setup()
125 require.NoError(t, err)
126 defer cleanup(testpath)
127
128 // If the randomly generated secret id is something like "abcdeiuoergnadufigh"
129 // we should still allow someone to store a secret with the name "abcd" or "a"
130 secretID, err := manager.Store("mysecret", []byte("mydata"), drivertype, opts)
131 require.NoError(t, err)
132
133 _, err = manager.Store(secretID[0:5], []byte("mydata"), drivertype, opts)
134 require.NoError(t, err)
113135 }
114136
115137 func TestRemoveSecret(t *testing.T) {
6767
6868 // getNameAndID takes a secret's name, ID, or partial ID, and returns both its name and full ID.
6969 func (s *SecretsManager) getNameAndID(nameOrID string) (name, id string, err error) {
70 err = s.loadDB()
71 if err != nil {
70 name, id, err = s.getExactNameAndID(nameOrID)
71 if err == nil {
72 return name, id, nil
73 } else if errors.Cause(err) != errNoSuchSecret {
7274 return "", "", err
7375 }
74 if id, ok := s.db.NameToID[nameOrID]; ok {
75 name := nameOrID
76 return name, id, nil
77 }
78
79 // Name not found, we know we're working with ID or partial ID.
76
77 // ID prefix may have been given, iterate through all IDs.
8078 // ID and partial ID has a max lenth of 25, so we return if its greater than that.
8179 if len(nameOrID) > secretIDLength {
8280 return "", "", errors.Wrapf(errNoSuchSecret, "no secret with name or id %q", nameOrID)
8381 }
84
85 if name, ok := s.db.IDToName[nameOrID]; ok {
86 id := nameOrID
87 return name, id, nil
88 }
89
90 // ID prefix may have been given, iterate through all IDs.
9182 exists := false
9283 var foundID, foundName string
9384 for id, name := range s.db.IDToName {
10495 if exists {
10596 return foundName, foundID, nil
10697 }
107
10898 return "", "", errors.Wrapf(errNoSuchSecret, "no secret with name or id %q", nameOrID)
10999 }
110100
111 // secretExists checks if the secret exists, given a name, ID, or partial ID.
112 func (s *SecretsManager) secretExists(nameOrID string) (bool, error) {
113 _, _, err := s.getNameAndID(nameOrID)
101 // getExactNameAndID takes a secret's name or ID and returns both its name and full ID.
102 func (s *SecretsManager) getExactNameAndID(nameOrID string) (name, id string, err error) {
103 err = s.loadDB()
104 if err != nil {
105 return "", "", err
106 }
107 if name, ok := s.db.IDToName[nameOrID]; ok {
108 id := nameOrID
109 return name, id, nil
110 }
111
112 if id, ok := s.db.NameToID[nameOrID]; ok {
113 name := nameOrID
114 return name, id, nil
115 }
116
117 return "", "", errors.Wrapf(errNoSuchSecret, "no secret with name or id %q", nameOrID)
118 }
119
120 // exactSecretExists checks if the secret exists, given a name or ID
121 // Does not match partial name or IDs
122 func (s *SecretsManager) exactSecretExists(nameOrID string) (bool, error) {
123 _, _, err := s.getExactNameAndID(nameOrID)
114124 if err != nil {
115125 if errors.Cause(err) == errNoSuchSecret {
116126 return false, nil
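Review bot: getExactNameAndID consults IDToName before NameToID, the reverse of the order used by the code removed from getNameAndID, and neither doc comment states which wins when one string is both a secret's ID and another secret's name. A sentence such as `// An exact ID match takes precedence over an exact name match; ID prefixes are tried last.` on getNameAndID would record the resolution order callers depend on. Inside both `if` bodies the short declarations shadow the named results `name` and `id`; `return name, nameOrID, nil` and `return nameOrID, id, nil` say the same without the extra locals. exactSecretExists continues outside the hunk.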
0 #!/bin/bash
1 #
2 # validate_seccomp.sh <gopath/to/pkg/seccomp>
3 #
4 # Validates that the seccomp.json file has been generated and matches the
5 # profile defined in the pkg/seccomp package.
6
7 set -Eeuo pipefail
8
9 PACKAGE_PATH="${1:-./pkg/seccomp}"
10 TARGET_FILE="$PACKAGE_PATH/seccomp.json"
11
12 # Stash a copy.
13 tmp_copy="$(mktemp --tmpdir podman-seccomp.json.XXXXXX)"
14 cp "$TARGET_FILE" "$tmp_copy"
15
16 # Generate it again and figure out if there was a difference.
17 go generate -tags seccomp "$PACKAGE_PATH" >/dev/null
18 diffs="$(diff -u "$tmp_copy" "$TARGET_FILE" ||:)"
19
20 if [ "$diffs" ]; then
21 # Can we make a prettier diff?
22 have_diffstat=1
23 which diffstat || have_diffstat=
24 if [ "$have_diffstat" ]; then
25 diffs="$(echo "$diffs" | diffstat)"
26 fi
27
28 # Output an error message and fail the CI.
29 cat >&2 <<-EOF
30 The result of 'go generate -tags seccomp $PACKAGE_PATH' differs.
31
32 $diffs
33
34 Please re-run 'go generate -tags seccomp $PACKAGE_PATH' and then amend your
35 commits to include the updated seccomp.json file.
36 EOF
37 exit 1
38 fi
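Review bot: The temporary copy created with `mktemp` is never removed, on either the success or the failure path; `trap 'rm -f "$tmp_copy"' EXIT` right after the mktemp line cleans it up. `which diffstat` prints the tool's path to stdout and is not guaranteed to be installed; `command -v diffstat >/dev/null` is the portable test. When diffstat is present the message shows only its summary, so the differing lines themselves are lost from the CI log; printing the summary followed by the full diff makes the failure easier to act on. The script also leaves the regenerated seccomp.json in the working tree, which is worth mentioning in the header comment.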
00 package version
11
22 // Version is the version of the build.
3 const Version = "0.33.1"
3 const Version = "0.34.2"