podman4.2

.gitignore

@@ -0,0 +1,6 @@
+*.swp
+*.tar.gz
+*.tgz
+*.raw
+/podman-versions.txt
+

Dockerfile

@@ -16,22 +16,18 @@ RUN emerge -j4 --getbinpkg --buildpkgonly podman squashfs-tools
 FROM base AS staging
 COPY --from=builder /var/lib/portage/pkgs /var/lib/portage/pkgs
 RUN emerge --getbinpkg --usepkg squashfs-tools
-RUN pkgs=$(emerge 2>/dev/null --usepkgonly --pretend podman | awk -F'] ' '/binary/{ print $ 2 }' | awk '{ print "="$1 }'); emerge --usepkgonly --root=/work --nodeps $pkgs
+RUN mkdir -p /work /output
+RUN emerge 2>/dev/null --usepkgonly --pretend podman | awk -F'] ' '/binary/{ print $ 2 }' | awk '{ print "="$1 }' > /output/podman-versions.txt
+RUN emerge --usepkgonly --root=/work --nodeps $(cat /output/podman-versions.txt)
 RUN mkdir -p /work/usr/lib/extension-release.d && echo -e 'ID=flatcar\nSYSEXT_LEVEL=1.0' >/work/usr/lib/extension-release.d/extension-release.podman
 RUN mkdir -p /work/usr/src
 RUN mv /work/etc /work/usr/etc
 COPY usr /work/usr
 RUN mv /work/opt/cni/bin /work/usr/lib/cni
 RUN rm -rf /work/var /work/usr/include /work/usr/lib*/cmake /work/opt/cni
 RUN rmdir /work/opt
-RUN mkdir -p /output && mksquashfs /work /output/podman.raw -noappend
-
-FROM busybox AS torcx
-RUN mkdir /work /output
-COPY torcx /work
-RUN tar -zcvf /output/docker:podman.torcx.tgz -C /work .
+RUN mksquashfs /work /output/podman.raw -noappend
 
 FROM busybox
 COPY --from=staging /output /output
-COPY --from=torcx /output /output
-CMD ["cp", "/output/podman.raw", "/output/docker:podman.torcx.tgz", "/out"]
+CMD ["cp", "/output/podman.raw", "/output/podman-versions.txt", "/out"]

README.md

@@ -6,21 +6,15 @@ make podman.raw
 
 # Use
 
-Copy podman.raw to /etc/extensions.
-
-Disable selinux in /etc/selinux/config - must be disabled not permissive. Default file is a symlink so make a copy (`cp /etc/selinux/config{,-}; mv /etc/selinux/config{-,}`)
-
-Symlink the CNI plugins `ln -sf /usr/lib/cni/ /opt/cni/`
+Copy podman.raw to /var/lib/extensions.
 
 Copy configs from /usr/etc/ into the appropriate directories in /etc.  Remove the .example extensions.
 
-Run `systemctl enable --now podman.socket`
+If you want an example containers.conf, you can retrieve it from [here](https://raw.githubusercontent.com/containers/common/main/pkg/config/containers.conf)
+Or simply `curl -O /etc/containers/containers.conf https://raw.githubusercontent.com/containers/common/main/pkg/config/containers.conf`
 
-# Test
+Optional: If you want rootless containers to work, disable selinux in /etc/selinux/config - must be disabled not permissive. Default file is a symlink so make a copy (`cp /etc/selinux/config{,-}; mv /etc/selinux/config{-,}`)
 
-```
-snap install hello-world
-snap run hello-world
-```
+Optional: If you want remote podman services, run `systemctl enable --now podman.socket`
 
-To make snaps accessible, add /var/lib/podman/snap/bin to $PATH.
+If you want to remove docker entirely, visit [here](https://github.com/goochjj/flatcar-podman-docker-torcx)

overlay/app-containers/crun/Manifest

@@ -1,3 +1,4 @@
 DIST crun-1.3.tar.xz 831108 BLAKE2B 37e8d0ba764ae77c870c68ea9cd93f1ea1c751eb2b6aa84481f81b22ec2eb5d9e518d4808bd1bca545c57d18c5c491372694009d6498652cce45fda8864e5835 SHA512 3b58ee65a41bc85ec31147053f00e9c2a2e5ee9a72381a65c19480cc24d80cad7c9f6e1a47b3e020facf0603c54e4d2640db187c5e66a7deb8b1ead7bc111ee6
 DIST crun-1.4.2.tar.xz 873636 BLAKE2B f8b3546b7c4aeb7077af8cf9e7ec0059259143da80a6a0d020dc9d702e03008b2b1c2a6a5cdd555b625abc1f2ed5a55786525919eda15dc241d1b8f2334e8689 SHA512 f97eedf84a61cc3753f528b75b24f95131e871f734c8e770b9bdc4e1d33668162e6bdc0c4676c0164900bc987490d3dbd0060c27046091f012ad178ef42fbdbf
 DIST crun-1.4.4.tar.xz 877892 BLAKE2B 57e48c0a229db3f54212177cef3fdb3f59b4bb1d1cc865da956f026a35837d839489bd126f880d7a9ceb18f5cffbf0e32ac9ae59a4cd39c34e3aff5b32c0559a SHA512 1756dccf6509457a5dc114d43c4f4e99258a20c3437dfe06016d080989c5d3035f5735d62d18ab537b660ec36de04df369a2582745baf4ab680af367a19830fd
+DIST crun-1.4.5.tar.xz 879044 BLAKE2B c80cae28c23140086682493a7dddb40640491e3ea827f0a7376d9be12570111d056022f50b8d7c574ca07790753d20de2314db5b89463994c4fffbc7576c372d SHA512 9f288279615fdf587018c465047fc8793daae280ab864bf9046994983239129d50f2eb89cac9b092e5cdc49a10f3523ab403a3f0e7451f7536b79f651a355153

overlay/app-containers/crun/crun-1.4.5.ebuild

@@ -0,0 +1,74 @@
+# Copyright 2019-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{8..10} )
+
+# Can drop autotools/eautoreconf after next release & glibc patch gone
+inherit autotools python-any-r1
+
+DESCRIPTION="A fast and low-memory footprint OCI Container Runtime fully written in C"
+HOMEPAGE="https://github.com/containers/crun"
+SRC_URI="https://github.com/containers/${PN}/releases/download/${PV}/${P}.tar.xz"
+
+LICENSE="GPL-2+ LGPL-2.1+"
+SLOT="0"
+KEYWORDS="amd64 ~arm arm64 ~ppc64 ~riscv"
+IUSE="+bpf +caps criu +seccomp selinux systemd static-libs"
+
+DEPEND="
+	dev-libs/yajl:=
+	sys-kernel/linux-headers
+	caps? ( sys-libs/libcap )
+	criu? ( >=sys-process/criu-3.15 )
+	seccomp? ( sys-libs/libseccomp )
+	systemd? ( sys-apps/systemd:= )
+"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-container )"
+BDEPEND="
+	${PYTHON_DEPS}
+	virtual/pkgconfig
+"
+
+# the crun test suite is comprehensive to the extent that tests will fail
+# within a sandbox environment, due to the nature of the privileges
+# required to create linux "containers".
+RESTRICT="test"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.4.5-glibc-2.36.patch
+)
+
+src_prepare() {
+	default
+
+	eautoreconf
+}
+
+src_configure() {
+	local myeconfargs=(
+		$(use_enable bpf)
+		$(use_enable caps)
+		$(use_enable criu)
+		$(use_enable seccomp)
+		$(use_enable systemd)
+		$(usex static-libs '--enable-shared --enable-static' '--enable-shared --disable-static' '' '')
+	)
+
+	# Need https://github.com/containers/libocispec/pull/107 to be merged & land in
+	# a crun release that syncs up w/ latest version, then can drop CONFIG_SHELL
+	CONFIG_SHELL="${BROOT}/bin/bash" econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+	emake -C libocispec
+	emake crun
+}
+
+src_install() {
+	emake "DESTDIR=${D}" install-exec
+	doman crun.1
+	einstalldocs
+}

overlay/app-containers/crun/files/crun-1.4.5-glibc-2.36.patch

@@ -0,0 +1,79 @@
+https://bugs.gentoo.org/863437
+https://github.com/containers/crun/commit/3df14584b84414df77b2079c1b8b48d44d0ceb61
+
+From 3df14584b84414df77b2079c1b8b48d44d0ceb61 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Tue, 26 Jul 2022 15:17:16 +0200
+Subject: [PATCH] linux: fix build with glibc 2.36
+
+glibc 2.36 has the new mount API in the <sys/mount.h> file.  These
+definitions conflict with the definitions in the <linux/mount.h>
+file.
+
+Add a check and include <linux/mount.h> only if it doesn't conflict
+with <sys/mount.h>.
+
+Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2110738
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+--- a/configure.ac
++++ b/configure.ac
+@@ -174,11 +174,21 @@ LIBS=""
+ AC_MSG_CHECKING([for new mount API (fsconfig)])
+ AC_COMPILE_IFELSE(
+ 	[AC_LANG_SOURCE([[
++			#include <sys/mount.h>
++			int cmd = FSCONFIG_CMD_CREATE;
++	]])],
++	[AC_MSG_RESULT(yes)
++		 AC_DEFINE([HAVE_FSCONFIG_CMD_CREATE_SYS_MOUNT_H], 1, [Define if FSCONFIG_CMD_CREATE is available in sys/mount.h])],
++	[AC_MSG_RESULT(no)])
++AC_COMPILE_IFELSE(
++	[AC_LANG_SOURCE([[
++			/* also make sure it doesn't conflict with <sys/mount.h> since it is always used.  */
++			#include <sys/mount.h>
+ 			#include <linux/mount.h>
+ 			int cmd = FSCONFIG_CMD_CREATE;
+ 	]])],
+ 	[AC_MSG_RESULT(yes)
+-		 AC_DEFINE([HAVE_FSCONFIG_CMD_CREATE], 1, [Define if FSCONFIG_CMD_CREATE is available])],
++		 AC_DEFINE([HAVE_FSCONFIG_CMD_CREATE_LINUX_MOUNT_H], 1, [Define if FSCONFIG_CMD_CREATE is available in linux/mount.h])],
+ 	[AC_MSG_RESULT(no)])
+
+ AC_MSG_CHECKING([for seccomp notify API])
+--- a/src/libcrun/linux.c
++++ b/src/libcrun/linux.c
+@@ -26,9 +26,13 @@
+ #include <fcntl.h>
+ #include <unistd.h>
+ #include <sys/mount.h>
+-#ifdef HAVE_FSCONFIG_CMD_CREATE
++#ifdef HAVE_FSCONFIG_CMD_CREATE_LINUX_MOUNT_H
+ #  include <linux/mount.h>
+ #endif
++#if defined HAVE_FSCONFIG_CMD_CREATE_LINUX_MOUNT_H || defined HAVE_FSCONFIG_CMD_CREATE_SYS_MOUNT_H
++#  define HAVE_NEW_MOUNT_API
++#endif
++
+ #include <sys/syscall.h>
+ #include <sys/prctl.h>
+ #ifdef HAVE_CAP
+@@ -990,7 +994,7 @@ open_mount_target (libcrun_container_t *container, const char *target_rel, libcr
+ static int
+ fsopen_mount (runtime_spec_schema_defs_mount *mount)
+ {
+-#ifdef HAVE_FSCONFIG_CMD_CREATE
++#ifdef HAVE_NEW_MOUNT_API
+   cleanup_close int fsfd = -1;
+   int ret;
+
+@@ -1016,7 +1020,7 @@ fsopen_mount (runtime_spec_schema_defs_mount *mount)
+ static int
+ fs_move_mount_to (int fd, int dirfd, const char *name)
+ {
+-#ifdef HAVE_FSCONFIG_CMD_CREATE
++#ifdef HAVE_NEW_MOUNT_API
+   if (name)
+     return syscall_move_mount (fd, "", dirfd, name, MOVE_MOUNT_F_EMPTY_PATH);
+
+

overlay/app-containers/podman/Manifest

@@ -1 +1,4 @@
 DIST podman-4.0.3.tar.gz 11392523 BLAKE2B 2d69fa8f52b061a931cf3dbe767edcb9eb5baf4f45fa77bcd9dd6e5541c126830c059a2bb97906f4fe9a4fd3257f77c801add06e1da910542ebafeaa2d032768 SHA512 a7c6f9a0f33641520c4143e6a3568129021783557f8ea7c846e4bc3f7da9bf70cb30b19cc7c6527809df2c46e6ded1d162a929dc4f44a5daafcf9d211b43b44a
+DIST podman-4.1.0.tar.gz 10904727 BLAKE2B 6d01a65b13494dc948c0667147eca6f250a81056f1bcf6eda6285566b8aa7aa526794ea96a571aecad642a8b1d3d1877cd31683ccf46662f8681a2afac083b5a SHA512 4d5f240423f21b1224ce44853a2265359dacee0d921f0ea53a7fca34f9076ebfaa49f4327a59ac51f5bf5b9dafb47dda3a9bb8e609237cc69f833b42b95bcd0a
+DIST podman-4.1.1.tar.gz 10905391 BLAKE2B a094785ccb7a84a42147fb0f0360480ad4f73a1cdaa29b666fabb08528584f5d37b1cf8fb807351d4a60d81779de4dec3ab5fc83275061eded21f97fd3fa5e7f SHA512 19dd2800b59dacf7edd5d8204bdaffa0959910c7751b582f5a12b8d644b52f9d6581b9c3b4cba3ddb0707f6a90c0dbc93de6d8e2eaa6a4234ebb9dfa28e693b3
+DIST podman-4.2.0.tar.gz 13019518 BLAKE2B a3b8d8b140b9d34e24f87f998fff3558649487b503bdd437f537f09adc51819d81786b6b4e858ef4e8a43c0d872cd20cd1ceee06988a36f830b9ffbb5109d14d SHA512 bc9e28d9938127f91be10ea8bc6c6f638a01d74d120efad5ad1e72c5f7b893685871e83872434745bc72ecaca430355b0f59d302660e8b4a53cc88a88cc37f9c

overlay/app-containers/podman/podman-4.1.0-r1.ebuild

@@ -0,0 +1,165 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+EGIT_COMMIT="e4b03902052294d4f342a185bb54702ed5bed8b1"
+
+inherit bash-completion-r1 flag-o-matic go-module tmpfiles
+
+DESCRIPTION="Library and podman tool for running OCI-based containers in Pods"
+HOMEPAGE="https://github.com/containers/podman/"
+MY_PN=podman
+MY_P=${MY_PN}-${PV}
+SRC_URI="https://github.com/containers/podman/archive/v${PV}.tar.gz -> ${MY_P}.tar.gz"
+LICENSE="Apache-2.0 BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+SLOT="0"
+
+KEYWORDS="amd64 arm64 ~ppc64 ~riscv"
+IUSE="apparmor btrfs cgroup-hybrid +fuse +init +rootless selinux"
+RESTRICT+=" test"
+
+COMMON_DEPEND="
+	app-crypt/gpgme:=
+	>=app-containers/conmon-2.0.0
+	cgroup-hybrid? ( >=app-containers/runc-1.0.0_rc6  )
+	!cgroup-hybrid? ( app-containers/crun )
+	dev-libs/libassuan:=
+	dev-libs/libgpg-error:=
+	>=app-containers/cni-plugins-0.8.6
+	sys-apps/shadow:=
+	sys-fs/lvm2
+	sys-libs/libseccomp:=
+
+	apparmor? ( sys-libs/libapparmor )
+	btrfs? ( sys-fs/btrfs-progs )
+	init? ( app-containers/catatonit )
+	rootless? ( app-containers/slirp4netns )
+	selinux? ( sys-libs/libselinux:= )
+"
+DEPEND="
+	${COMMON_DEPEND}
+	dev-go/go-md2man"
+RDEPEND="${COMMON_DEPEND}
+	fuse? ( sys-fs/fuse-overlayfs )
+	selinux? ( sec-policy/selinux-podman )"
+
+S=${WORKDIR}/${MY_P}
+
+src_prepare() {
+	default
+
+	# Disable installation of python modules here, since those are
+	# installed by separate ebuilds.
+	local makefile_sed_args=(
+		-e '/^GIT_.*/d'
+		-e 's/$(GO) build/$(GO) build -v -work -x/'
+		-e 's/^\(install:.*\) install\.python$/\1/'
+		-e 's|^pkg/varlink/iopodman.go: .gopathok pkg/varlink/io.podman.varlink$|pkg/varlink/iopodman.go: pkg/varlink/io.podman.varlink|'
+	)
+
+	has_version -b '>=dev-lang/go-1.13.9' || makefile_sed_args+=(-e 's:GO111MODULE=off:GO111MODULE=on:')
+
+	sed "${makefile_sed_args[@]}" -i Makefile || die
+}
+
+src_compile() {
+	local git_commit=${EGIT_COMMIT}
+
+	# Filter unsupported linker flags
+	filter-flags '-Wl,*'
+
+	[[ -f hack/apparmor_tag.sh ]] || die
+	if use apparmor; then
+		echo -e "#!/bin/sh\necho apparmor" > hack/apparmor_tag.sh || die
+	else
+		echo -e "#!/bin/sh\ntrue" > hack/apparmor_tag.sh || die
+	fi
+
+	[[ -f hack/btrfs_installed_tag.sh ]] || die
+	if use btrfs; then
+		echo -e "#!/bin/sh\ntrue" > hack/btrfs_installed_tag.sh || die
+	else
+		echo -e "#!/bin/sh\necho exclude_graphdriver_btrfs" > \
+			hack/btrfs_installed_tag.sh || die
+	fi
+
+	[[ -f hack/selinux_tag.sh ]] || die
+	if use selinux; then
+		echo -e "#!/bin/sh\necho selinux" > hack/selinux_tag.sh || die
+	else
+		echo -e "#!/bin/sh\ntrue" > hack/selinux_tag.sh || die
+	fi
+
+	# Avoid this error when generating pkg/varlink/iopodman.go:
+	# cannot find package "github.com/varlink/go/varlink/idl"
+	mkdir -p _output || die
+	ln -snf ../vendor _output/src || die
+	GO111MODULE=off GOPATH=${PWD}/_output go generate ./pkg/varlink/... || die
+	rm _output/src || die
+
+	export -n GOCACHE GOPATH XDG_CACHE_HOME
+	GOBIN="${S}/bin" \
+		emake all \
+			GIT_BRANCH=master \
+			GIT_BRANCH_CLEAN=master \
+			COMMIT_NO="${git_commit}" \
+			GIT_COMMIT="${git_commit}"
+}
+
+src_install() {
+	emake DESTDIR="${D}" PREFIX="${EPREFIX}/usr" install
+
+	insinto /etc/containers
+	newins test/registries.conf registries.conf.example
+	newins test/policy.json policy.json.example
+
+	insinto /usr/share/containers
+	doins vendor/github.com/containers/common/pkg/seccomp/seccomp.json
+
+	newconfd "${FILESDIR}"/podman.confd podman
+	newinitd "${FILESDIR}"/podman.initd podman
+
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}/podman.logrotated" podman
+
+	dobashcomp completions/bash/*
+
+	insinto /usr/share/zsh/site-functions
+	doins completions/zsh/*
+
+	insinto /usr/share/fish/vendor_completions.d
+	doins completions/fish/*
+
+	keepdir /var/lib/containers
+}
+
+pkg_preinst() {
+	PODMAN_ROOTLESS_UPGRADE=false
+	if use rootless; then
+		has_version 'app-containers/podman[rootless]' || PODMAN_ROOTLESS_UPGRADE=true
+	fi
+}
+
+pkg_postinst() {
+	tmpfiles_process podman.conf
+
+	local want_newline=false
+	if [[ ! ( -e ${EROOT%/*}/etc/containers/policy.json && -e ${EROOT%/*}/etc/containers/registries.conf ) ]]; then
+		elog "You need to create the following config files:"
+		elog "/etc/containers/registries.conf"
+		elog "/etc/containers/policy.json"
+		elog "To copy over default examples, use:"
+		elog "cp /etc/containers/registries.conf{.example,}"
+		elog "cp /etc/containers/policy.json{.example,}"
+		want_newline=true
+	fi
+	if [[ ${PODMAN_ROOTLESS_UPGRADE} == true ]] ; then
+		${want_newline} && elog ""
+		elog "For rootless operation, you need to configure subuid/subgid"
+		elog "for user running podman. In case subuid/subgid has only been"
+		elog "configured for root, run:"
+		elog "usermod --add-subuids 1065536-1131071 <user>"
+		elog "usermod --add-subgids 1065536-1131071 <user>"
+		want_newline=true
+	fi
+}