podman4.2 #2

Open
wants to merge 4 commits into
base: main
6 changes: 6 additions & 0 deletions .gitignore
@@ -0,0 +1,6 @@
*.swp
*.tar.gz
*.tgz
*.raw
/podman-versions.txt

14 changes: 5 additions & 9 deletions Dockerfile
Expand Up @@ -16,22 +16,18 @@ RUN emerge -j4 --getbinpkg --buildpkgonly podman squashfs-tools
FROM base AS staging
COPY --from=builder /var/lib/portage/pkgs /var/lib/portage/pkgs
RUN emerge --getbinpkg --usepkg squashfs-tools
RUN pkgs=$(emerge 2>/dev/null --usepkgonly --pretend podman | awk -F'] ' '/binary/{ print $ 2 }' | awk '{ print "="$1 }'); emerge --usepkgonly --root=/work --nodeps $pkgs
RUN mkdir -p /work /output
RUN emerge 2>/dev/null --usepkgonly --pretend podman | awk -F'] ' '/binary/{ print $ 2 }' | awk '{ print "="$1 }' > /output/podman-versions.txt
RUN emerge --usepkgonly --root=/work --nodeps $(cat /output/podman-versions.txt)
RUN mkdir -p /work/usr/lib/extension-release.d && echo -e 'ID=flatcar\nSYSEXT_LEVEL=1.0' >/work/usr/lib/extension-release.d/extension-release.podman
RUN mkdir -p /work/usr/src
RUN mv /work/etc /work/usr/etc
COPY usr /work/usr
RUN mv /work/opt/cni/bin /work/usr/lib/cni
RUN rm -rf /work/var /work/usr/include /work/usr/lib*/cmake /work/opt/cni
RUN rmdir /work/opt
RUN mkdir -p /output && mksquashfs /work /output/podman.raw -noappend

FROM busybox AS torcx
RUN mkdir /work /output
COPY torcx /work
RUN tar -zcvf /output/docker:podman.torcx.tgz -C /work .
RUN mksquashfs /work /output/podman.raw -noappend

FROM busybox
COPY --from=staging /output /output
COPY --from=torcx /output /output
CMD ["cp", "/output/podman.raw", "/output/docker:podman.torcx.tgz", "/out"]
CMD ["cp", "/output/podman.raw", "/output/podman-versions.txt", "/out"]
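Review bot: The RUN that writes /output/podman-versions.txt discards emerge's stderr and pipes its output through two awk stages, so a failing `emerge --pretend` leaves an empty file and the build carries on; the next RUN then expands `$(cat /output/podman-versions.txt)` to nothing and invokes `emerge --usepkgonly --root=/work --nodeps` with no atoms, producing a sysext with no podman in it rather than a build error. A guard between the two steps makes the stage fail loudly: `RUN test -s /output/podman-versions.txt`. If the base image's /bin/sh is bash, `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` placed before these RUN lines would additionally make the pipeline itself report the emerge failure instead of awk's success.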
18 changes: 6 additions & 12 deletions README.md
Expand Up @@ -6,21 +6,15 @@ make podman.raw

# Use

Copy podman.raw to /etc/extensions.

Disable selinux in /etc/selinux/config - must be disabled not permissive. Default file is a symlink so make a copy (`cp /etc/selinux/config{,-}; mv /etc/selinux/config{-,}`)

Symlink the CNI plugins `ln -sf /usr/lib/cni/ /opt/cni/`
Copy podman.raw to /var/lib/extensions.

Copy configs from /usr/etc/ into the appropriate directories in /etc. Remove the .example extensions.

Run `systemctl enable --now podman.socket`
If you want an example containers.conf, you can retrieve it from [here](https://raw.githubusercontent.com/containers/common/main/pkg/config/containers.conf)
Or simply `curl -O /etc/containers/containers.conf https://raw.githubusercontent.com/containers/common/main/pkg/config/containers.conf`
Suggested change
Or simply `curl -O /etc/containers/containers.conf https://raw.githubusercontent.com/containers/common/main/pkg/config/containers.conf`
Or simply `curl -o /etc/containers/containers.conf https://raw.githubusercontent.com/containers/common/main/pkg/config/containers.conf`


# Test
Optional: If you want rootless containers to work, disable selinux in /etc/selinux/config - must be disabled not permissive. Default file is a symlink so make a copy (`cp /etc/selinux/config{,-}; mv /etc/selinux/config{-,}`)

```
snap install hello-world
snap run hello-world
```
Optional: If you want remote podman services, run `systemctl enable --now podman.socket`

To make snaps accessible, add /var/lib/podman/snap/bin to $PATH.
If you want to remove docker entirely, visit [here](https://github.com/goochjj/flatcar-podman-docker-torcx)
1 change: 1 addition & 0 deletions overlay/app-containers/crun/Manifest
@@ -1,3 +1,4 @@
DIST crun-1.3.tar.xz 831108 BLAKE2B 37e8d0ba764ae77c870c68ea9cd93f1ea1c751eb2b6aa84481f81b22ec2eb5d9e518d4808bd1bca545c57d18c5c491372694009d6498652cce45fda8864e5835 SHA512 3b58ee65a41bc85ec31147053f00e9c2a2e5ee9a72381a65c19480cc24d80cad7c9f6e1a47b3e020facf0603c54e4d2640db187c5e66a7deb8b1ead7bc111ee6
DIST crun-1.4.2.tar.xz 873636 BLAKE2B f8b3546b7c4aeb7077af8cf9e7ec0059259143da80a6a0d020dc9d702e03008b2b1c2a6a5cdd555b625abc1f2ed5a55786525919eda15dc241d1b8f2334e8689 SHA512 f97eedf84a61cc3753f528b75b24f95131e871f734c8e770b9bdc4e1d33668162e6bdc0c4676c0164900bc987490d3dbd0060c27046091f012ad178ef42fbdbf
DIST crun-1.4.4.tar.xz 877892 BLAKE2B 57e48c0a229db3f54212177cef3fdb3f59b4bb1d1cc865da956f026a35837d839489bd126f880d7a9ceb18f5cffbf0e32ac9ae59a4cd39c34e3aff5b32c0559a SHA512 1756dccf6509457a5dc114d43c4f4e99258a20c3437dfe06016d080989c5d3035f5735d62d18ab537b660ec36de04df369a2582745baf4ab680af367a19830fd
DIST crun-1.4.5.tar.xz 879044 BLAKE2B c80cae28c23140086682493a7dddb40640491e3ea827f0a7376d9be12570111d056022f50b8d7c574ca07790753d20de2314db5b89463994c4fffbc7576c372d SHA512 9f288279615fdf587018c465047fc8793daae280ab864bf9046994983239129d50f2eb89cac9b092e5cdc49a10f3523ab403a3f0e7451f7536b79f651a355153
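--- a/overlay/app-containers/crun/crun-1.4.5.ebuild
+++ b/overlay/app-containers/crun/crun-1.4.5.ebuild
@@ -0,0 +1,74 @@
+# Copyright 2019-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{8..10} )
+
+# Can drop autotools/eautoreconf after next release & glibc patch gone
+inherit autotools python-any-r1
+
+DESCRIPTION="A fast and low-memory footprint OCI Container Runtime fully written in C"
+HOMEPAGE="https://github.com/containers/crun"
+SRC_URI="https://github.com/containers/${PN}/releases/download/${PV}/${P}.tar.xz"
+
+LICENSE="GPL-2+ LGPL-2.1+"
+SLOT="0"
+KEYWORDS="amd64 ~arm arm64 ~ppc64 ~riscv"
+IUSE="+bpf +caps criu +seccomp selinux systemd static-libs"
+
+DEPEND="
+dev-libs/yajl:=
+sys-kernel/linux-headers
+caps? ( sys-libs/libcap )
+criu? ( >=sys-process/criu-3.15 )
+seccomp? ( sys-libs/libseccomp )
+systemd? ( sys-apps/systemd:= )
+"
+RDEPEND="${DEPEND}
+selinux? ( sec-policy/selinux-container )"
+BDEPEND="
+${PYTHON_DEPS}
+virtual/pkgconfig
+"
+
+# the crun test suite is comprehensive to the extent that tests will fail
+# within a sandbox environment, due to the nature of the privileges
+# required to create linux "containers".
+RESTRICT="test"
+
+PATCHES=(
+"${FILESDIR}"/${PN}-1.4.5-glibc-2.36.patch
+)
+
+src_prepare() {
+default
+
+eautoreconf
+}
+
+src_configure() {
+local myeconfargs=(
+$(use_enable bpf)
+$(use_enable caps)
+$(use_enable criu)
+$(use_enable seccomp)
+$(use_enable systemd)
+$(usex static-libs '--enable-shared --enable-static' '--enable-shared --disable-static' '' '')
+)
+
+# Need https://github.com/containers/libocispec/pull/107 to be merged & land in
+# a crun release that syncs up w/ latest version, then can drop CONFIG_SHELL
+CONFIG_SHELL="${BROOT}/bin/bash" econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+emake -C libocispec
+emake crun
+}
+
+src_install() {
+emake "DESTDIR=${D}" install-exec
+doman crun.1
+einstalldocs
+}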
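Review bot: PATCHES spells the version out by hand in `"${FILESDIR}"/${PN}-1.4.5-glibc-2.36.patch`, so a copy-and-bump of this ebuild keeps applying the 1.4.5 patch silently instead of forcing whoever bumps it to re-check whether the glibc fix is still needed. Writing it as `"${FILESDIR}/${P}-glibc-2.36.patch"` ties the patch file to the ebuild's own version and fails loudly on a bump; the header comment already notes the patch is temporary, so the rename costs nothing now.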
79 changes: 79 additions & 0 deletions overlay/app-containers/crun/files/crun-1.4.5-glibc-2.36.patch
@@ -0,0 +1,79 @@
https://bugs.gentoo.org/863437
https://github.com/containers/crun/commit/3df14584b84414df77b2079c1b8b48d44d0ceb61

From 3df14584b84414df77b2079c1b8b48d44d0ceb61 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <[email protected]>
Date: Tue, 26 Jul 2022 15:17:16 +0200
Subject: [PATCH] linux: fix build with glibc 2.36

glibc 2.36 has the new mount API in the <sys/mount.h> file. These
definitions conflict with the definitions in the <linux/mount.h>
file.

Add a check and include <linux/mount.h> only if it doesn't conflict
with <sys/mount.h>.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2110738

Signed-off-by: Giuseppe Scrivano <[email protected]>
--- a/configure.ac
+++ b/configure.ac
@@ -174,11 +174,21 @@ LIBS=""
AC_MSG_CHECKING([for new mount API (fsconfig)])
AC_COMPILE_IFELSE(
[AC_LANG_SOURCE([[
+ #include <sys/mount.h>
+ int cmd = FSCONFIG_CMD_CREATE;
+ ]])],
+ [AC_MSG_RESULT(yes)
+ AC_DEFINE([HAVE_FSCONFIG_CMD_CREATE_SYS_MOUNT_H], 1, [Define if FSCONFIG_CMD_CREATE is available in sys/mount.h])],
+ [AC_MSG_RESULT(no)])
+AC_COMPILE_IFELSE(
+ [AC_LANG_SOURCE([[
+ /* also make sure it doesn't conflict with <sys/mount.h> since it is always used. */
+ #include <sys/mount.h>
#include <linux/mount.h>
int cmd = FSCONFIG_CMD_CREATE;
]])],
[AC_MSG_RESULT(yes)
- AC_DEFINE([HAVE_FSCONFIG_CMD_CREATE], 1, [Define if FSCONFIG_CMD_CREATE is available])],
+ AC_DEFINE([HAVE_FSCONFIG_CMD_CREATE_LINUX_MOUNT_H], 1, [Define if FSCONFIG_CMD_CREATE is available in linux/mount.h])],
[AC_MSG_RESULT(no)])

AC_MSG_CHECKING([for seccomp notify API])
--- a/src/libcrun/linux.c
+++ b/src/libcrun/linux.c
@@ -26,9 +26,13 @@
#include <fcntl.h>
#include <unistd.h>
#include <sys/mount.h>
-#ifdef HAVE_FSCONFIG_CMD_CREATE
+#ifdef HAVE_FSCONFIG_CMD_CREATE_LINUX_MOUNT_H
# include <linux/mount.h>
#endif
+#if defined HAVE_FSCONFIG_CMD_CREATE_LINUX_MOUNT_H || defined HAVE_FSCONFIG_CMD_CREATE_SYS_MOUNT_H
+# define HAVE_NEW_MOUNT_API
+#endif
+
#include <sys/syscall.h>
#include <sys/prctl.h>
#ifdef HAVE_CAP
@@ -990,7 +994,7 @@ open_mount_target (libcrun_container_t *container, const char *target_rel, libcr
static int
fsopen_mount (runtime_spec_schema_defs_mount *mount)
{
-#ifdef HAVE_FSCONFIG_CMD_CREATE
+#ifdef HAVE_NEW_MOUNT_API
cleanup_close int fsfd = -1;
int ret;

@@ -1016,7 +1020,7 @@ fsopen_mount (runtime_spec_schema_defs_mount *mount)
static int
fs_move_mount_to (int fd, int dirfd, const char *name)
{
-#ifdef HAVE_FSCONFIG_CMD_CREATE
+#ifdef HAVE_NEW_MOUNT_API
if (name)
return syscall_move_mount (fd, "", dirfd, name, MOVE_MOUNT_F_EMPTY_PATH);


3 changes: 3 additions & 0 deletions overlay/app-containers/podman/Manifest
@@ -1 +1,4 @@
DIST podman-4.0.3.tar.gz 11392523 BLAKE2B 2d69fa8f52b061a931cf3dbe767edcb9eb5baf4f45fa77bcd9dd6e5541c126830c059a2bb97906f4fe9a4fd3257f77c801add06e1da910542ebafeaa2d032768 SHA512 a7c6f9a0f33641520c4143e6a3568129021783557f8ea7c846e4bc3f7da9bf70cb30b19cc7c6527809df2c46e6ded1d162a929dc4f44a5daafcf9d211b43b44a
DIST podman-4.1.0.tar.gz 10904727 BLAKE2B 6d01a65b13494dc948c0667147eca6f250a81056f1bcf6eda6285566b8aa7aa526794ea96a571aecad642a8b1d3d1877cd31683ccf46662f8681a2afac083b5a SHA512 4d5f240423f21b1224ce44853a2265359dacee0d921f0ea53a7fca34f9076ebfaa49f4327a59ac51f5bf5b9dafb47dda3a9bb8e609237cc69f833b42b95bcd0a
DIST podman-4.1.1.tar.gz 10905391 BLAKE2B a094785ccb7a84a42147fb0f0360480ad4f73a1cdaa29b666fabb08528584f5d37b1cf8fb807351d4a60d81779de4dec3ab5fc83275061eded21f97fd3fa5e7f SHA512 19dd2800b59dacf7edd5d8204bdaffa0959910c7751b582f5a12b8d644b52f9d6581b9c3b4cba3ddb0707f6a90c0dbc93de6d8e2eaa6a4234ebb9dfa28e693b3
DIST podman-4.2.0.tar.gz 13019518 BLAKE2B a3b8d8b140b9d34e24f87f998fff3558649487b503bdd437f537f09adc51819d81786b6b4e858ef4e8a43c0d872cd20cd1ceee06988a36f830b9ffbb5109d14d SHA512 bc9e28d9938127f91be10ea8bc6c6f638a01d74d120efad5ad1e72c5f7b893685871e83872434745bc72ecaca430355b0f59d302660e8b4a53cc88a88cc37f9c
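--- a/overlay/app-containers/podman/podman-4.1.0-r1.ebuild
+++ b/overlay/app-containers/podman/podman-4.1.0-r1.ebuild
@@ -0,0 +1,165 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+EGIT_COMMIT="e4b03902052294d4f342a185bb54702ed5bed8b1"
+
+inherit bash-completion-r1 flag-o-matic go-module tmpfiles
+
+DESCRIPTION="Library and podman tool for running OCI-based containers in Pods"
+HOMEPAGE="https://github.com/containers/podman/"
+MY_PN=podman
+MY_P=${MY_PN}-${PV}
+SRC_URI="https://github.com/containers/podman/archive/v${PV}.tar.gz -> ${MY_P}.tar.gz"
+LICENSE="Apache-2.0 BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+SLOT="0"
+
+KEYWORDS="amd64 arm64 ~ppc64 ~riscv"
+IUSE="apparmor btrfs cgroup-hybrid +fuse +init +rootless selinux"
+RESTRICT+=" test"
+
+COMMON_DEPEND="
+app-crypt/gpgme:=
+>=app-containers/conmon-2.0.0
+cgroup-hybrid? ( >=app-containers/runc-1.0.0_rc6 )
+!cgroup-hybrid? ( app-containers/crun )
+dev-libs/libassuan:=
+dev-libs/libgpg-error:=
+>=app-containers/cni-plugins-0.8.6
+sys-apps/shadow:=
+sys-fs/lvm2
+sys-libs/libseccomp:=
+
+apparmor? ( sys-libs/libapparmor )
+btrfs? ( sys-fs/btrfs-progs )
+init? ( app-containers/catatonit )
+rootless? ( app-containers/slirp4netns )
+selinux? ( sys-libs/libselinux:= )
+"
+DEPEND="
+${COMMON_DEPEND}
+dev-go/go-md2man"
+RDEPEND="${COMMON_DEPEND}
+fuse? ( sys-fs/fuse-overlayfs )
+selinux? ( sec-policy/selinux-podman )"
+
+S=${WORKDIR}/${MY_P}
+
+src_prepare() {
+default
+
+# Disable installation of python modules here, since those are
+# installed by separate ebuilds.
+local makefile_sed_args=(
+-e '/^GIT_.*/d'
+-e 's/$(GO) build/$(GO) build -v -work -x/'
+-e 's/^\(install:.*\) install\.python$/\1/'
+-e 's|^pkg/varlink/iopodman.go: .gopathok pkg/varlink/io.podman.varlink$|pkg/varlink/iopodman.go: pkg/varlink/io.podman.varlink|'
+)
+
+has_version -b '>=dev-lang/go-1.13.9' || makefile_sed_args+=(-e 's:GO111MODULE=off:GO111MODULE=on:')
+
+sed "${makefile_sed_args[@]}" -i Makefile || die
+}
+
+src_compile() {
+local git_commit=${EGIT_COMMIT}
+
+# Filter unsupported linker flags
+filter-flags '-Wl,*'
+
+[[ -f hack/apparmor_tag.sh ]] || die
+if use apparmor; then
+echo -e "#!/bin/sh\necho apparmor" > hack/apparmor_tag.sh || die
+else
+echo -e "#!/bin/sh\ntrue" > hack/apparmor_tag.sh || die
+fi
+
+[[ -f hack/btrfs_installed_tag.sh ]] || die
+if use btrfs; then
+echo -e "#!/bin/sh\ntrue" > hack/btrfs_installed_tag.sh || die
+else
+echo -e "#!/bin/sh\necho exclude_graphdriver_btrfs" > \
+hack/btrfs_installed_tag.sh || die
+fi
+
+[[ -f hack/selinux_tag.sh ]] || die
+if use selinux; then
+echo -e "#!/bin/sh\necho selinux" > hack/selinux_tag.sh || die
+else
+echo -e "#!/bin/sh\ntrue" > hack/selinux_tag.sh || die
+fi
+
+# Avoid this error when generating pkg/varlink/iopodman.go:
+# cannot find package "github.com/varlink/go/varlink/idl"
+mkdir -p _output || die
+ln -snf ../vendor _output/src || die
+GO111MODULE=off GOPATH=${PWD}/_output go generate ./pkg/varlink/... || die
+rm _output/src || die
+
+export -n GOCACHE GOPATH XDG_CACHE_HOME
+GOBIN="${S}/bin" \
+emake all \
+GIT_BRANCH=master \
+GIT_BRANCH_CLEAN=master \
+COMMIT_NO="${git_commit}" \
+GIT_COMMIT="${git_commit}"
+}
+
+src_install() {
+emake DESTDIR="${D}" PREFIX="${EPREFIX}/usr" install
+
+insinto /etc/containers
+newins test/registries.conf registries.conf.example
+newins test/policy.json policy.json.example
+
+insinto /usr/share/containers
+doins vendor/github.com/containers/common/pkg/seccomp/seccomp.json
+
+newconfd "${FILESDIR}"/podman.confd podman
+newinitd "${FILESDIR}"/podman.initd podman
+
+insinto /etc/logrotate.d
+newins "${FILESDIR}/podman.logrotated" podman
+
+dobashcomp completions/bash/*
+
+insinto /usr/share/zsh/site-functions
+doins completions/zsh/*
+
+insinto /usr/share/fish/vendor_completions.d
+doins completions/fish/*
+
+keepdir /var/lib/containers
+}
+
+pkg_preinst() {
+PODMAN_ROOTLESS_UPGRADE=false
+if use rootless; then
+has_version 'app-containers/podman[rootless]' || PODMAN_ROOTLESS_UPGRADE=true
+fi
+}
+
+pkg_postinst() {
+tmpfiles_process podman.conf
+
+local want_newline=false
+if [[ ! ( -e ${EROOT%/*}/etc/containers/policy.json && -e ${EROOT%/*}/etc/containers/registries.conf ) ]]; then
+elog "You need to create the following config files:"
+elog "/etc/containers/registries.conf"
+elog "/etc/containers/policy.json"
+elog "To copy over default examples, use:"
+elog "cp /etc/containers/registries.conf{.example,}"
+elog "cp /etc/containers/policy.json{.example,}"
+want_newline=true
+fi
+if [[ ${PODMAN_ROOTLESS_UPGRADE} == true ]] ; then
+${want_newline} && elog ""
+elog "For rootless operation, you need to configure subuid/subgid"
+elog "for user running podman. In case subuid/subgid has only been"
+elog "configured for root, run:"
+elog "usermod --add-subuids 1065536-1131071 <user>"
+elog "usermod --add-subgids 1065536-1131071 <user>"
+want_newline=true
+fi
+}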
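Review bot: `pkg_postinst` checks `${EROOT%/*}/etc/containers/policy.json`, but under `EAPI=7` EROOT has no trailing slash, so `%/*` removes the last path component and the existence test inspects the wrong tree whenever EROOT is anything other than `/`, which makes the registries.conf/policy.json hint fire or stay silent incorrectly on a ROOT install; the condition should be `if [[ ! ( -e "${EROOT}/etc/containers/policy.json" && -e "${EROOT}/etc/containers/registries.conf" ) ]]; then`. As a point of style, `${want_newline} && elog ""` runs the variable's value as a command; `[[ ${want_newline} == true ]] && elog ""` states the intent directly. The three stub scripts in `src_compile` are written with `echo -e`; `printf '#!/bin/sh\necho apparmor\n' > hack/apparmor_tag.sh || die` and the same form for the btrfs and selinux stubs avoids depending on echo's non-portable escape handling.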