[v0.59] more backports

docs/containers.conf.5.md

@@ -459,9 +459,8 @@ and "$graphroot/networks" as rootless.
 
 The firewall driver to be used by netavark.
 The default is empty which means netavark will pick one accordingly. Current supported
-drivers are "iptables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
-experimental at the moment and not recommend outside of testing). In the future we are
-planning to add support for a "nftables" driver.
+drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
+experimental at the moment and not recommend outside of testing).
 
 **dns_bind_port**=53
 

libimage/manifests/manifests.go

@@ -663,6 +663,9 @@ func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.Imag
 		if err != nil {
 			return "", fmt.Errorf("adding instance with digest %q: %w", *instanceInfo.instanceDigest, err)
 		}
+		if err := l.List.SetArtifactType(instanceInfo.instanceDigest, instanceInfo.ArtifactType); err != nil {
+			return "", fmt.Errorf("setting artifact manifest type for instance with digest %q: %w", *instanceInfo.instanceDigest, err)
+		}
 		if err = l.List.SetURLs(*instanceInfo.instanceDigest, instanceInfo.URLs); err != nil {
 			return "", fmt.Errorf("setting URLs for instance with digest %q: %w", *instanceInfo.instanceDigest, err)
 		}

libimage/manifests/manifests_test.go

@@ -816,3 +816,24 @@ func TestInstanceByImageAndFiles(t *testing.T) {
 	assert.NoError(t, err)
 	assert.ElementsMatch(t, []string{}, noFiles)
 }
+
+// TestAddIndexOfArtifacts ensures that we don't fail to preserve artifactType
+// fields in artifact manifests when added from one list to another.
+func TestAddIndexOfArtifacts(t *testing.T) {
+	ctx := context.Background()
+
+	absPath, err := filepath.Abs(filepath.Join("..", "..", "pkg", "manifests", "testdata", "artifacts", "index"))
+	require.NoError(t, err)
+	rawPath := "oci:" + absPath
+	ref, err := alltransports.ParseImageName(rawPath)
+	require.NoErrorf(t, err, "ParseImageName(%q)", rawPath)
+
+	cookedList := Create()
+	_, err = cookedList.Add(ctx, sys, ref, true)
+	assert.NoError(t, err, "list.Add()")
+
+	cooked := cookedList.OCIv1()
+	for _, instance := range cooked.Manifests {
+		assert.NotEmpty(t, instance.ArtifactType, "lost the artifactType field")
+	}
+}

libnetwork/cni/network.go

@@ -82,9 +82,23 @@ type InitConfig struct {
 // NewCNINetworkInterface creates the ContainerNetwork interface for the CNI backend.
 // Note: The networks are not loaded from disk until a method is called.
 func NewCNINetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
+	var netns *rootlessnetns.Netns
+	var err error
+	// Do not use unshare.IsRootless() here. We only care if we are running re-exec in the userns,
+	// IsRootless() also returns true if we are root in a userns which is not what we care about and
+	// causes issues as this slower more complicated rootless-netns logic should not be used as root.
+	val, ok := os.LookupEnv(unshare.UsernsEnvName)
+	useRootlessNetns := ok && val == "done"
+	if useRootlessNetns {
+		netns, err = rootlessnetns.New(conf.RunDir, rootlessnetns.CNI, conf.Config)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	// root needs to use a globally unique lock because there is only one host netns
 	lockPath := defaultRootLockPath
-	if unshare.IsRootless() {
+	if useRootlessNetns {
 		lockPath = filepath.Join(conf.CNIConfigDir, "cni.lock")
 	}
 
@@ -112,14 +126,6 @@ func NewCNINetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 		defaultSubnetPools = config.DefaultSubnetPools
 	}
 
-	var netns *rootlessnetns.Netns
-	if unshare.IsRootless() {
-		netns, err = rootlessnetns.New(conf.RunDir, rootlessnetns.CNI, conf.Config)
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	cni := libcni.NewCNIConfig(conf.Config.Network.CNIPluginDirs.Values, &cniExec{})
 	n := &cniNetwork{
 		cniConfigDir:       conf.CNIConfigDir,

libnetwork/netavark/network.go

@@ -96,9 +96,23 @@ type InitConfig struct {
 // NewNetworkInterface creates the ContainerNetwork interface for the netavark backend.
 // Note: The networks are not loaded from disk until a method is called.
 func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
+	var netns *rootlessnetns.Netns
+	var err error
+	// Do not use unshare.IsRootless() here. We only care if we are running re-exec in the userns,
+	// IsRootless() also returns true if we are root in a userns which is not what we care about and
+	// causes issues as this slower more complicated rootless-netns logic should not be used as root.
+	val, ok := os.LookupEnv(unshare.UsernsEnvName)
+	useRootlessNetns := ok && val == "done"
+	if useRootlessNetns {
+		netns, err = rootlessnetns.New(conf.NetworkRunDir, rootlessnetns.Netavark, conf.Config)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	// root needs to use a globally unique lock because there is only one host netns
 	lockPath := defaultRootLockPath
-	if unshare.IsRootless() {
+	if useRootlessNetns {
 		lockPath = filepath.Join(conf.NetworkConfigDir, "netavark.lock")
 	}
 
@@ -134,18 +148,6 @@ func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 		defaultSubnetPools = config.DefaultSubnetPools
 	}
 
-	var netns *rootlessnetns.Netns
-	// Do not use unshare.IsRootless() here. We only care if we are running re-exec in the userns,
-	// IsRootless() also returns true if we are root in a userns which is not what we care about and
-	// causes issues as this slower more complicated rootless-netns logic should not be used as root.
-	_, useRootlessNetns := os.LookupEnv(unshare.UsernsEnvName)
-	if useRootlessNetns {
-		netns, err = rootlessnetns.New(conf.NetworkRunDir, rootlessnetns.Netavark, conf.Config)
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	n := &netavarkNetwork{
 		networkConfigDir:   conf.NetworkConfigDir,
 		networkRunDir:      conf.NetworkRunDir,

pkg/config/config_windows.go

@@ -5,7 +5,7 @@ import "os"
 const (
 	// _configPath is the path to the containers/containers.conf
 	// inside a given config directory.
-	_configPath = "containers\\containers.conf"
+	_configPath = "\\containers\\containers.conf"
 
 	// DefaultContainersConfig holds the default containers config path
 	DefaultContainersConfig = ""

pkg/config/containers.conf

@@ -350,9 +350,9 @@ default_sysctls = [
 
 # The firewall driver to be used by netavark.
 # The default is empty which means netavark will pick one accordingly. Current supported
-# drivers are "iptables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
-# experimental at the moment and not recommend outside of testing). In the future we are
-# planning to add support for a "nftables" driver.
+# drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
+# experimental at the moment and not recommend outside of testing).
+#
 #firewall_driver = ""
 
 
@@ -890,10 +890,10 @@ default_sysctls = [
 [podmansh]
 # Shell to spawn in container. Default: /bin/sh.
 #shell = "/bin/sh"
-# 
+#
 # Name of the container the podmansh user should join.
 #container = "podmansh"
-# 
+#
 # Default timeout in seconds for podmansh logins.
 # Favored over the deprecated "podmansh_timeout" field.
 #timeout = 30

pkg/manifests/testdata/artifacts/index/blobs/sha256/11a1bc9fb43d6791f7f881a0375f88e83b10ea1c040a8d6d986cf799bb56e981

@@ -0,0 +1,15 @@
+{
+  "layers": [
+    {
+      "digest": "sha256:541b3e9daa09b20bf85fa273e5cbd3e80185aa4ec298e765db87742b70138a53",
+      "mediaType": "application/octet-stream",
+      "size": 1000,
+      "annotations": {
+        "org.opencontainers.image.ref.name": "one-thousand"
+      }
+    }
+  ],
+  "mediaType": "application/vnd.oci.image.manifest.v1+json",
+  "artifactType": "application/vnd.reproducer+foo",
+  "schemaVersion": 2
+}

pkg/manifests/testdata/artifacts/index/blobs/sha256/25cb16f769a2248cde5556529b88e3cdff322dbe5c71e40cfb24030221e88b06

@@ -0,0 +1,15 @@
+{
+  "layers": [
+    {
+      "digest": "sha256:e6304a473c65ecd0ccffbd2f5925a8f51c44b11f59b66cfcc055e4bb911b8fa0",
+      "mediaType": "application/octet-stream",
+      "size": 500,
+      "annotations": {
+        "org.opencontainers.image.ref.name": "five-hundred"
+      }
+    }
+  ],
+  "mediaType": "application/vnd.oci.image.manifest.v1+json",
+  "artifactType": "application/vnd.reproducer+bar",
+  "schemaVersion": 2
+}

pkg/manifests/testdata/artifacts/index/blobs/sha256/74c31168f466d846e0e0cf46fc8c14e0c516500558166654fce7555682b1cba6

@@ -0,0 +1,26 @@
+{
+  "schemaVersion": 2,
+  "mediaType": "application/vnd.oci.image.index.v1+json",
+  "manifests": [
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:25cb16f769a2248cde5556529b88e3cdff322dbe5c71e40cfb24030221e88b06",
+      "size": 417,
+      "platform": {
+        "architecture": "s390x",
+        "os": "linux"
+      },
+      "artifactType": "application/vnd.reproducer+bar"
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:11a1bc9fb43d6791f7f881a0375f88e83b10ea1c040a8d6d986cf799bb56e981",
+      "size": 418,
+      "platform": {
+        "architecture": "ppc64le",
+        "os": "linux"
+      },
+      "artifactType": "application/vnd.reproducer+foo"
+    }
+  ]
+}

pkg/manifests/testdata/artifacts/index/index.json

@@ -0,0 +1,11 @@
+{
+  "schemaVersion": 2,
+  "mediaType": "application/vnd.oci.image.index.v1+json",
+  "manifests": [
+    {
+      "mediaType": "application/vnd.oci.image.index.v1+json",
+      "digest": "sha256:74c31168f466d846e0e0cf46fc8c14e0c516500558166654fce7555682b1cba6",
+      "size": 760
+    }
+  ]
+}

pkg/manifests/testdata/artifacts/index/oci-layout

@@ -0,0 +1,3 @@
+{
+    "imageLayoutVersion": "1.0.0"
+}