diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
new file mode 100644
index 0000000..f0cf729
--- /dev/null
+++ b/.github/workflows/push.yml
@@ -0,0 +1,145 @@
+name: Push
+
+on:
+ workflow_dispatch:
+ inputs:
+ job-id:
+ description: 'The job ID to depend on'
+ required: true
+
+env:
+ PODMAN_IMAGE: podman
+ PODMAN_MINIMAL_IMAGE: podman-minimal
+ #PODMAN_REMOTE_IMAGE: podman-remote
+
+jobs:
+ push:
+ runs-on: ubuntu-latest
+ permissions:
+ deployments: write
+ packages: write
+ steps:
+ - name: Download a Build Artifact archive amd64
+ uses: actions/download-artifact@v2.1.1
+ with:
+ path: ./build/asset/podman-linux-amd64.tar.gz
+ name: podman-linux-amd64.tar.gz
+
+ - name: Download a Build Artifact signature amd64
+ uses: actions/upload-artifact@v2.1.1
+ with:
+ path: ./build/asset/podman-linux-amd64.tar.gz.asc
+ name: podman-linux-amd64.tar.gz.asc
+
+ - name: Download a Build Artifact archive aarch64
+ uses: actions/download-artifact@v2.1.1
+ with:
+ path: ./build/asset/podman-linux-arm64.tar.gz
+ name: podman-linux-arm64.tar.gz
+
+ - name: Download a Build Artifact signature aarch64
+ uses: actions/download-artifact@v2.1.1
+ with:
+ path: ./build/asset/podman-linux-arm64.tar.gz.asc
+ name: podman-linux-arm64.tar.gz.asc
+
+
+ - name: Log into GitHub registry
+ run: echo "$GITHUB_TOKEN" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+
+ - name: Push images
+ run: |
+ set -eu
+
+ GITHUB_IMAGE_REPO=ghcr.io/trentapple/podman-static
+ GITHUB_IMAGE_REPO=$(echo $GITHUB_IMAGE_REPO | tr '[A-Z]' '[a-z]')
+
+ # Strip git ref prefix from version
+ TAGS=$(echo "$GITHUB_REF" | sed -e 's,.*/\(.*\),\1,')
+ # Strip "v" prefix from tag name
+ [[ "$GITHUB_REF" == "refs/tags/v"* ]] && TAGS=$(echo $TAGS | sed -e 's/^v//')
+ # Expand tags: 1.2.3 -> 1 1.2 1.2.3
+ TAGS="$(echo "$TAGS" | sed -E -e 's/^((([0-9]+)\.[0-9]+)\.[0-9]+)$/\3 \2 \1/')"
+
+ #for IMAGE in $PODMAN_REMOTE_IMAGE $PODMAN_IMAGE $PODMAN_MINIMAL_IMAGE; do
+ for IMAGE in $PODMAN_IMAGE $PODMAN_MINIMAL_IMAGE; do
+ TAG_SUFFIX=$(echo $IMAGE | sed -E -e 's/^([^-]+)//')
+ LATEST_TAG="$([ "$TAG_SUFFIX" ] && echo $TAG_SUFFIX | sed -E -e 's/^-//' || echo latest)"
+ [ "$TAGS" == "main" ] && IMAGE_TAGS="$LATEST_TAG" || IMAGE_TAGS="$LATEST_TAG $TAGS"
+ TAG_OPTS=
+ printf 'Pushing image tags: '
+ for TAG in $IMAGE_TAGS; do
+ [ "$TAG" = "$LATEST_TAG" ] || TAG="${TAG}${TAG_SUFFIX}"
+ TAG_OPTS="$TAG_OPTS -t $GITHUB_IMAGE_REPO:$TAG"
+ printf ' %s' "$TAG"
+ done
+ echo
+ echo "Pushing $IMAGE image $GITHUB_IMAGE_REPO"
+ make "$IMAGE" PODMAN_BUILD_OPTS="$TAG_OPTS" PODMAN_MINIMAL_BUILD_OPTS="$TAG_OPTS" PODMAN_REMOTE_BUILD_OPTS="$TAG_OPTS"
+ done
+ env:
+ BUILDX_OUTPUT: type=registry
+ PLATFORM: linux/arm64/v8,linux/amd64
+ GITHUB_REF: ${{ github.ref }}
+
+ - name: Create release
+ if: github.ref != 'refs/heads/main'
+ id: create_release
+ uses: actions/create-release@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ tag_name: ${{ github.ref }}
+ release_name: ${{ github.ref }}
+ draft: false
+ prerelease: true
+
+ - name: Upload arm64 archive signature
+ if: github.ref != 'refs/heads/main'
+ id: upload-arm64-archive-signature
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
+ asset_path: ./build/asset/podman-linux-arm64.tar.gz.asc
+ asset_name: podman-linux-arm64.tar.gz.asc
+ asset_content_type: application/octet-stream
+
+ - name: Upload arm64 archive
+ if: github.ref != 'refs/heads/main'
+ id: upload-arm64-archive
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
+ asset_path: ./build/asset/podman-linux-arm64.tar.gz
+ asset_name: podman-linux-arm64.tar.gz
+ asset_content_type: application/octet-stream
+
+ - name: Upload amd64 archive signature
+ if: github.ref != 'refs/heads/main'
+ id: upload-amd64-archive-signature
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
+ asset_path: ./build/asset/podman-linux-amd64.tar.gz.asc
+ asset_name: podman-linux-amd64.tar.gz.asc
+ asset_content_type: application/octet-stream
+
+ - name: Upload amd64 archive
+ if: github.ref != 'refs/heads/main'
+ id: upload-amd64-archive
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
+ asset_path: ./build/asset/podman-linux-amd64.tar.gz
+ asset_name: podman-linux-amd64.tar.gz
+ asset_content_type: application/octet-stream
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2621cb6..8aaafd2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,9 +2,9 @@ name: Release
 on:
 push:
- # Publish `master` as Docker `latest` image.
+ # Publish `main` as Docker `latest` image.
 branches:
- - master
+ - main
 # Publish `v1.2.3` tags as releases.
 tags:
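Review bot: The `push` job never checks out the repository, yet the `Push images` step runs `make "$IMAGE"` with `BUILDX_OUTPUT: type=registry`, so there is no Makefile or Dockerfile for it to build from, and even if there were it would rebuild images from source rather than publish the downloaded archives, whose `.asc` signatures are fetched but never verified before anything is pushed. Two smaller defects in the same hunk: the `Download a Build Artifact signature amd64` step uses `actions/upload-artifact@v2.1.1` where the other three use `download-artifact`, and the `permissions` block lists only `deployments`/`packages`, so `actions/create-release@v1` and `upload-release-asset@v1`, which need `contents: write`, will be denied; add `contents: write` under `permissions:`. The declared `job-id` input is never referenced, and download-artifact v2 presumably only sees artifacts of the current run, so the Release workflow's artifacts may not be reachable from this manual workflow at all — confirm. For a job holding a packages-write token, pin the third-party actions to commit SHAs rather than `@v1`/`@v2.1.1` tags.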
@@ -18,8 +18,8 @@ env:
 jobs:
 push:
 runs-on: ubuntu-latest
- if: github.event_name == 'push'
-
+# if: github.event_name == 'push'
+
 steps:
 - name: Check out code
 uses: actions/checkout@v2
@@ -30,7 +30,8 @@ jobs:
 platforms: all
 - name: Build & test
- run: make images test
+ run: make images
+ #run: make images test
 - name: Build signed archives
 run: make clean multiarch-tar TAR_TARGET=signed-tar
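Review bot: `run: make images` drops the `test` target from the build step, so the images and the signed archives uploaded later in this job are no longer gated by the bats suites, and the commented-out `#run: make images test` beside it records neither why nor when it should come back. Commenting out `if: github.event_name == 'push'` changes nothing while the workflow's only trigger is `push`, but the guard silently disappears for any trigger added later; either delete the line or keep the condition. If the suites are temporarily broken by the podman 5 migration, prefer keeping `run: make images test` and marking the failing cases, or at least a separate `run: make test` step with `continue-on-error: true` so the failures stay visible in the run.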
@@ -38,108 +39,26 @@ jobs:
 GPG_SIGN_KEY: ${{ secrets.GPG_SIGN_KEY }}
 GPG_SIGN_KEY_PASSPHRASE: ${{ secrets.GPG_SIGN_KEY_PASSPHRASE }}
- - name: Log into GitHub registry
- run: echo "$GITHUB_TOKEN" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
- env:
- GITHUB_TOKEN: ${{ github.token }}
-
- - name: Log into DockerHub registry
- run: echo "$DOCKERHUB_TOKEN" | docker login docker.io -u "${{ secrets.DOCKERHUB_USERNAME }}" --password-stdin
- env:
- DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
-
- - name: Push images
- run: |
- set -eu
-
- GITHUB_IMAGE_REPO=ghcr.io/mgoltzsche/podman
- GITHUB_IMAGE_REPO=$(echo $GITHUB_IMAGE_REPO | tr '[A-Z]' '[a-z]')
- DOCKERHUB_IMAGE_REPO=docker.io/mgoltzsche/podman
-
- # Strip git ref prefix from version
- TAGS=$(echo "$GITHUB_REF" | sed -e 's,.*/\(.*\),\1,')
- # Strip "v" prefix from tag name
- [[ "$GITHUB_REF" == "refs/tags/v"* ]] && TAGS=$(echo $TAGS | sed -e 's/^v//')
- # Expand tags: 1.2.3 -> 1 1.2 1.2.3
- TAGS="$(echo "$TAGS" | sed -E -e 's/^((([0-9]+)\.[0-9]+)\.[0-9]+)$/\3 \2 \1/')"
-
- for IMAGE in $PODMAN_REMOTE_IMAGE $PODMAN_IMAGE $PODMAN_MINIMAL_IMAGE; do
- TAG_SUFFIX=$(echo $IMAGE | sed -E -e 's/^([^-]+)//')
- LATEST_TAG="$([ "$TAG_SUFFIX" ] && echo $TAG_SUFFIX | sed -E -e 's/^-//' || echo latest)"
- [ "$TAGS" == "master" ] && IMAGE_TAGS="$LATEST_TAG" || IMAGE_TAGS="$LATEST_TAG $TAGS"
- TAG_OPTS=
- printf 'Pushing image tags: '
- for TAG in $IMAGE_TAGS; do
- [ "$TAG" = "$LATEST_TAG" ] || TAG="${TAG}${TAG_SUFFIX}"
- TAG_OPTS="$TAG_OPTS -t $DOCKERHUB_IMAGE_REPO:$TAG -t $GITHUB_IMAGE_REPO:$TAG"
- printf ' %s' "$TAG"
- done
- echo
- echo "Pushing $IMAGE image to $DOCKERHUB_IMAGE_REPO and $GITHUB_IMAGE_REPO"
- make "$IMAGE" PODMAN_BUILD_OPTS="$TAG_OPTS" PODMAN_MINIMAL_BUILD_OPTS="$TAG_OPTS" PODMAN_REMOTE_BUILD_OPTS="$TAG_OPTS"
- done
- env:
- BUILDX_OUTPUT: type=registry
- PLATFORM: linux/arm64/v8,linux/amd64
- GITHUB_REF: ${{ github.ref }}
-
- - name: Create release
- if: github.ref != 'refs/heads/master'
- id: create_release
- uses: actions/create-release@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Upload a Build Artifact archive amd64
+ uses: actions/upload-artifact@v2.1.1
 with:
- tag_name: ${{ github.ref }}
- release_name: ${{ github.ref }}
- draft: false
- prerelease: true
+ path: ./build/asset/podman-linux-amd64.tar.gz
+ name: podman-linux-amd64.tar.gz
- - name: Upload arm64 archive signature
- if: github.ref != 'refs/heads/master'
- id: upload-arm64-archive-signature
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Upload a Build Artifact signature amd64
+ uses: actions/upload-artifact@v2.1.1
 with:
- upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
- asset_path: ./build/asset/podman-linux-arm64.tar.gz.asc
- asset_name: podman-linux-arm64.tar.gz.asc
- asset_content_type: application/octet-stream
+ path: ./build/asset/podman-linux-amd64.tar.gz.asc
+ name: podman-linux-amd64.tar.gz.asc
- - name: Upload arm64 archive
- if: github.ref != 'refs/heads/master'
- id: upload-arm64-archive
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Upload a Build Artifact archive aarch64
+ uses: actions/upload-artifact@v2.1.1
 with:
- upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
- asset_path: ./build/asset/podman-linux-arm64.tar.gz
- asset_name: podman-linux-arm64.tar.gz
- asset_content_type: application/octet-stream
+ path: ./build/asset/podman-linux-arm64.tar.gz
+ name: podman-linux-arm64.tar.gz
- - name: Upload amd64 archive signature
- if: github.ref != 'refs/heads/master'
- id: upload-amd64-archive-signature
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Upload a Build Artifact signature aarch64
+ uses: actions/upload-artifact@v2.1.1
 with:
- upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
- asset_path: ./build/asset/podman-linux-amd64.tar.gz.asc
- asset_name: podman-linux-amd64.tar.gz.asc
- asset_content_type: application/octet-stream
-
- - name: Upload amd64 archive
- if: github.ref != 'refs/heads/master'
- id: upload-amd64-archive
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
- asset_path: ./build/asset/podman-linux-amd64.tar.gz
- asset_name: podman-linux-amd64.tar.gz
- asset_content_type: application/octet-stream
-
+ path: ./build/asset/podman-linux-arm64.tar.gz.asc
+ name: podman-linux-arm64.tar.gz.asc
diff --git a/Dockerfile b/Dockerfile
index db42185..8a35579 100644
--- a/Dockerfile
+++ b/Dockerfile
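Review bot: The four `actions/upload-artifact@v2.1.1` steps upload each archive and its `.asc` as separate artifacts with default options, so if `make clean multiarch-tar TAR_TARGET=signed-tar` produces an archive but no signature the missing file only yields a warning, the run stays green, and the archive can later be published without its signature. The v2.1.x line appears to predate the `if-no-files-found` input (added in v2.2 — confirm), so move to a current release pinned by SHA and set `if-no-files-found: error` on every step; GitHub has also announced the retirement of v1/v2 of the artifact actions, so this pin will eventually stop working regardless. Uploading `path: ./build/asset/podman-linux-amd64.tar.gz*` as one artifact would keep archive and signature together for whatever consumes them.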
@@ -4,8 +4,8 @@ RUN apk add --no-cache gnupg
 # runc
-FROM golang:1.20-alpine3.18 AS runc
-ARG RUNC_VERSION=v1.1.10
+FROM golang:1.21-alpine3.18 AS runc
+ARG RUNC_VERSION=v1.1.12
 # Download runc binary release since static build doesn't work with musl libc anymore since 1.1.8, see https://github.com/opencontainers/runc/issues/3950
 RUN set -eux; \
 ARCH="`uname -m | sed 's!x86_64!amd64!; s!aarch64!arm64!'`"; \
@@ -16,7 +16,7 @@ RUN set -eux; \
 # podman build base
-FROM golang:1.20-alpine3.18 AS podmanbuildbase
+FROM golang:1.21-alpine3.18 AS podmanbuildbase
 RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
 btrfs-progs btrfs-progs-dev libassuan-dev lvm2-dev device-mapper \
 glib-static libc-dev gpgme-dev protobuf-dev protobuf-c-dev \
@@ -27,10 +27,12 @@ RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
 # podman (without systemd support)
 FROM podmanbuildbase AS podman
 RUN apk add --update --no-cache tzdata curl
-ARG PODMAN_VERSION=v4.8.1
+
+ARG PODMAN_VERSION=v5.0.3
 ARG PODMAN_BUILDTAGS='seccomp selinux apparmor exclude_graphdriver_devicemapper containers_image_openpgp'
 ARG PODMAN_CGO=1
-RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch ${PODMAN_VERSION} https://github.com/containers/podman src/github.com/containers/podman
+RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${PODMAN_VERSION} https://github.com/containers/podman src/github.com/containers/podman
+#RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${PODMAN_VERSION:-$(curl -s https://api.github.com/repos/containers/podman/releases/latest | grep tag_name | cut -d '"' -f 4)} https://github.com/containers/podman src/github.com/containers/podman
 WORKDIR $GOPATH/src/github.com/containers/podman
 RUN set -ex; \
 export CGO_ENABLED=$PODMAN_CGO; \
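Review bot: The commented-out `#RUN git clone ... --branch=${PODMAN_VERSION:-$(curl -s https://api.github.com/repos/containers/podman/releases/latest | grep tag_name | cut -d '"' -f 4)} ...` should not stay in the file: `ARG PODMAN_VERSION` always has a default so the fallback could never fire, and if someone enables it the build becomes non-reproducible and checks out whatever tag an unauthenticated API response names. The live line still clones a mutable tag (`--branch=${PODMAN_VERSION}`) with no commit pin or tag-signature check, which is the same trust model for runc's binary download above and for every other `git clone` stage in this file; consider an `ARG PODMAN_COMMIT=<sha>` followed by `git -C src/github.com/containers/podman rev-parse HEAD | grep -qx "$PODMAN_COMMIT"` so a retagged upstream cannot change what ships. The stray `+` blank line between `RUN apk add ... tzdata curl` and `ARG PODMAN_VERSION` is noise and does not match the other stages.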
@@ -47,26 +49,44 @@ RUN set -ex; \
 # conmon (without systemd support)
 FROM podmanbuildbase AS conmon
-ARG CONMON_VERSION=v2.1.8
-RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch ${CONMON_VERSION} https://github.com/containers/conmon.git /conmon
+#RUN apk add --update --no-cache tzdata curl
+
+ARG CONMON_VERSION=v2.1.11
+RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${CONMON_VERSION} https://github.com/containers/conmon.git /conmon
+#RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${CONMON_VERSION:-$(curl -s https://api.github.com/repos/containers/conmon/releases/latest | grep tag_name | cut -d '"' -f 4)} https://github.com/containers/conmon.git /conmon
 WORKDIR /conmon
 RUN set -ex; \
 make git-vars bin/conmon PKG_CONFIG='pkg-config --static' CFLAGS='-std=c99 -Os -Wall -Wextra -Werror -static' LDFLAGS='-s -w -static'; \
 bin/conmon --help >/dev/null
-# CNI plugins
-FROM podmanbuildbase AS cniplugins
-ARG CNI_PLUGIN_VERSION=v1.4.0
-ARG CNI_PLUGINS="ipam/host-local main/loopback main/bridge meta/portmap meta/tuning meta/firewall"
-RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${CNI_PLUGIN_VERSION} https://github.com/containernetworking/plugins /go/src/github.com/containernetworking/plugins
-WORKDIR /go/src/github.com/containernetworking/plugins
+# CNI network backend and Cgroups V1 are deprecated
+# https://github.com/containers/podman/blob/main/docs/source/markdown/podman-network.1.md
+# CNI plugins (removed in podman 5.0 and replaced by netavark)
+#FROM podmanbuildbase AS cniplugins
+#ARG CNI_PLUGIN_VERSION=v1.4.0
+#ARG CNI_PLUGINS="ipam/host-local main/loopback main/bridge meta/portmap meta/tuning meta/firewall"
+#RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${CNI_PLUGIN_VERSION} https://github.com/containernetworking/plugins /go/src/github.com/containernetworking/plugins
+#WORKDIR /go/src/github.com/containernetworking/plugins
+#RUN set -ex; \
+# for PLUGINDIR in $CNI_PLUGINS; do \
+# PLUGINBIN=/usr/local/lib/cni/$(basename $PLUGINDIR); \
+# CGO_ENABLED=0 go build -o $PLUGINBIN -ldflags "-s -w -extldflags '-static'" ./plugins/$PLUGINDIR; \
+# ! ldd $PLUGINBIN; \
+# done
+
+
+# netavark
+FROM podmanbuildbase AS netavark
+#RUN apk add --update --no-cache tzdata curl rust cargo
+RUN apk add --update --no-cache rust cargo
+ARG NETAVARK_VERSION=v1.10.3
+RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${NETAVARK_VERSION} https://github.com/containers/netavark /netavark
+#RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${NETAVARK_VERSION:-$(curl -s https://api.github.com/repos/containers/netavark/releases/latest | grep tag_name | cut -d '"' -f 4)} https://github.com/containers/netavark /netavark
+WORKDIR /netavark
 RUN set -ex; \
- for PLUGINDIR in $CNI_PLUGINS; do \
- PLUGINBIN=/usr/local/lib/cni/$(basename $PLUGINDIR); \
- CGO_ENABLED=0 go build -o $PLUGINBIN -ldflags "-s -w -extldflags '-static'" ./plugins/$PLUGINDIR; \
- ! ldd $PLUGINBIN; \
- done
+ make build_netavark
+# make
 # slirp4netns
@@ -74,7 +94,7 @@ FROM podmanbuildbase AS slirp4netns
 WORKDIR /
 RUN apk add --update --no-cache autoconf automake meson ninja linux-headers libcap-static libcap-dev clang llvm
 # Build libslirp
-ARG LIBSLIRP_VERSION=v4.7.0
+ARG LIBSLIRP_VERSION=v4.8.0
 RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${LIBSLIRP_VERSION} https://gitlab.freedesktop.org/slirp/libslirp.git
 WORKDIR /libslirp
 RUN set -ex; \
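Review bot: The removed CNI loop asserted static linking with `! ldd $PLUGINBIN` after every build; the replacement `make build_netavark` in the netavark stage has no equivalent, and whether that Makefile target produces a static binary is not visible here, so a dynamically linked `netavark` could end up in an image whose whole point is static binaries. Add `! ldd /netavark/bin/netavark` (or `ldd /netavark/bin/netavark 2>&1 | grep -q 'not a dynamic executable'`) right after the build line, matching what the conmon stage does with `bin/conmon --help >/dev/null`. `RUN apk add --update --no-cache rust cargo` pulls an unpinned toolchain from the distro repo, unlike the Go toolchain fixed by the `golang:1.21-alpine3.18` tag; note the Rust version used or pin it. The commented-out CNI stage, `#RUN apk add ... tzdata curl rust cargo` and `#RUN git clone ... releases/latest ...` lines are dead code that git history already preserves; delete them.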
@@ -84,8 +104,9 @@ RUN set -ex; \
 ninja -C build install
 # Build slirp4netns
 WORKDIR /
-ARG SLIRP4NETNS_VERSION=v1.2.2
-RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch $S​LIRP4NETNS_VERSION https://github.com/rootless-containers/slirp4netns.git
+ARG SLIRP4NETNS_VERSION=v1.3.1
+RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch ${SLIRP4NETNS_VERSION} https://github.com/rootless-containers/slirp4netns.git
+#RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${SLIRP4NETNS_VERSION:-$(curl -s https://api.github.com/repos/rootless-containers/slirp4netns/releases/latest | grep tag_name | cut -d '"' -f 4)} https://github.com/rootless-containers/slirp4netns.git
 WORKDIR /slirp4netns
 RUN set -ex; \
 ./autogen.sh; \
@@ -108,7 +129,7 @@ RUN set -ex; \
 ninja install; \
 fusermount3 -V
 ARG FUSEOVERLAYFS_VERSION=v1.13
-RUN git clone -c advice.detachedHead=false --depth=1 --branch=$FUSEOVERLAYFS_VERSION https://github.com/containers/fuse-overlayfs /fuse-overlayfs
+RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=$FUSEOVERLAYFS_VERSION https://github.com/containers/fuse-overlayfs /fuse-overlayfs
 WORKDIR /fuse-overlayfs
 RUN set -ex; \
 sh autogen.sh; \
@@ -122,7 +143,7 @@ RUN set -ex; \
 FROM podmanbuildbase AS catatonit
 RUN apk add --update --no-cache autoconf automake libtool
 ARG CATATONIT_VERSION=v0.2.0
-RUN git clone --branch=$CATATONIT_VERSION https://github.com/openSUSE/catatonit.git /catatonit
+RUN git clone -c 'advice.detachedHead=false' --branch=$CATATONIT_VERSION https://github.com/openSUSE/catatonit.git /catatonit
 WORKDIR /catatonit
 RUN set -ex; \
 ./autogen.sh; \
@@ -133,12 +154,13 @@ RUN set -ex; \
 # Build podman base image
 FROM alpine:3.18 AS podmanbase
-LABEL maintainer="Max Goltzsche "
+LABEL maintainer=""
 RUN apk add --no-cache tzdata ca-certificates
 COPY --from=conmon /conmon/bin/conmon /usr/local/lib/podman/conmon
 COPY --from=podman /usr/local/lib/podman/rootlessport /usr/local/lib/podman/rootlessport
 COPY --from=podman /usr/local/bin/podman /usr/local/bin/podman
 COPY conf/containers /etc/containers
+# Rootlesskit is not necessary for rootless podman
 RUN set -ex; \
 adduser -D podman -h /podman -u 1000; \
 echo 'podman:1:999' > /etc/subuid; \
@@ -164,9 +186,10 @@ FROM rootlesspodmanbase AS rootlesspodmanrunc
 COPY --from=runc /usr/local/bin/runc /usr/local/bin/runc
 # Download crun
-# (switched keyserver from sks to ubuntu since sks is offline now and gpg refuses to import keys from keys.openpgp.org because it does not provide a user ID with the key.)
+# (switched keyserver from sks to ubuntu since sks is offline now
+# and gpg refuses to import keys from keys.openpgp.org because it does not provide a user ID with the key.)
 FROM gpg AS crun
-ARG CRUN_VERSION=1.12
+ARG CRUN_VERSION=1.15
 RUN set -ex; \
 wget -O /usr/local/bin/crun https://github.com/containers/crun/releases/download/$CRUN_VERSION/crun-${CRUN_VERSION}-linux-amd64-disable-systemd; \
 wget -O /tmp/crun.asc https://github.com/containers/crun/releases/download/$CRUN_VERSION/crun-${CRUN_VERSION}-linux-amd64-disable-systemd.asc; \
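Review bot: `LABEL maintainer=""` leaves an empty label on every published image instead of removing it; either drop the `LABEL` line or replace it with `LABEL org.opencontainers.image.source="https://github.com/trentapple/podman-static"` so consumers can still trace where the image comes from. The added comment `# Rootlesskit is not necessary for rootless podman` sits directly above `RUN set -ex; \ adduser -D podman -h /podman -u 1000; ...`, which creates the unprivileged user and its subuid range and has nothing to do with rootlesskit, so it reads as a description of that instruction; reword it as `# Unprivileged user with a subuid/subgid range for rootless podman` or move it to wherever rootlesskit was considered. That `RUN` instruction continues past the end of the hunk. The crun stage still fetches `crun-${CRUN_VERSION}-linux-amd64-disable-systemd` unconditionally (context lines), so the bump to `1.15` keeps an amd64-only runtime in the arm64 variant of this image unless that is handled outside this hunk.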
@@ -184,6 +207,7 @@ COPY conf/crun-containers.conf /etc/containers/containers.conf
 FROM rootlesspodmanrunc AS podmanall
 RUN apk add --no-cache iptables ip6tables
 COPY --from=slirp4netns /slirp4netns/slirp4netns /usr/local/bin/slirp4netns
-COPY --from=cniplugins /usr/local/lib/cni /usr/local/lib/cni
+#COPY --from=cniplugins /usr/local/lib/cni /usr/local/lib/cni
+COPY --from=netavark /netavark/bin/netavark /usr/local/lib/podman/netavark
 COPY --from=catatonit /catatonit/catatonit /usr/local/lib/podman/catatonit
-COPY conf/cni /etc/cni
+#COPY conf/cni /etc/cni
diff --git a/Dockerfile-remote b/Dockerfile-remote
index 6157bab..7782bb4 100644
--- a/Dockerfile-remote
+++ b/Dockerfile-remote
@@ -1,5 +1,5 @@
 # podman build base
-FROM golang:1.20-alpine3.18 AS podmanbuildbase
+FROM golang:1.21-alpine3.18 AS podmanbuildbase
 RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
 btrfs-progs btrfs-progs-dev libassuan-dev lvm2-dev device-mapper \
 glib-static libc-dev gpgme-dev protobuf-dev protobuf-c-dev \
@@ -9,7 +9,7 @@ RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
 # podman remote
 FROM podmanbuildbase AS podman-remote
 RUN apk add --update --no-cache curl
-ARG PODMAN_VERSION=v4.8.1
+ARG PODMAN_VERSION=v5.0.0
 RUN git clone -c advice.detachedHead=false --depth=1 --branch=${PODMAN_VERSION} https://github.com/containers/podman src/github.com/containers/podman
 WORKDIR $GOPATH/src/github.com/containers/podman
 RUN make install.tools
diff --git a/Dockerfile-ssh b/Dockerfile-ssh
deleted file mode 100644
index d7a74fc..0000000
--- a/Dockerfile-ssh
+++ /dev/null
@@ -1,5 +0,0 @@
-ARG BASEIMAGE
-FROM ${BASEIMAGE}
-RUN apk add --update --no-cache openssh
-COPY sshd_config /podman/.ssh/
-RUN chown -R podman:podman /podman/.ssh
diff --git a/Makefile b/Makefile
index 8570b79..fe1dc43 100644
--- a/Makefile
+++ b/Makefile
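Review bot: `COPY --from=netavark /netavark/bin/netavark /usr/local/lib/podman/netavark` installs the network backend but nothing in this diff builds or copies `aardvark-dns`, the companion that netavark launches for container name resolution in podman 5, so networks will presumably come up while DNS between containers on the same network fails — confirm, and either add an aardvark-dns stage next to the netavark one or document the gap. The install path also has to match `helper_binaries_dir` (and `network_backend = "netavark"`) in `conf/containers/containers.conf`, which this commit does not touch; verify that `/usr/local/lib/podman` is in that list, or podman will report the binary as missing. The two `#COPY` lines and the `cniplugins` stage they reference are dead; remove them rather than ship commented-out build steps.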
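Review bot: `ARG PODMAN_VERSION=v5.0.0` in Dockerfile-remote disagrees with `ARG PODMAN_VERSION=v5.0.3` in the main Dockerfile, so the `-remote` image ships an older client than the server image built from the same commit; set it to `v5.0.3`. Because the version is duplicated across two Dockerfiles with no shared source, it will drift again; passing `--build-arg PODMAN_VERSION=...` from one Makefile variable (or a single `podman.version` file read by both) keeps them aligned.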
@@ -1,9 +1,9 @@
-PODMAN_IMAGE_NAME ?= mgoltzsche/podman
+PODMAN_IMAGE_NAME ?= trentapple/podman
 PODMAN_IMAGE ?= $(PODMAN_IMAGE_NAME):latest
 PODMAN_IMAGE_TARGET ?= podmanall
 PODMAN_MINIMAL_IMAGE ?= $(PODMAN_IMAGE)-minimal
 PODMAN_REMOTE_IMAGE ?= $(PODMAN_IMAGE)-remote
-PODMAN_SSH_IMAGE ?= mgoltzsche/podman-ssh
+PODMAN_SSH_IMAGE ?= trentapple/podman-ssh
 PODMAN_BUILD_OPTS ?= -t $(PODMAN_IMAGE)
 PODMAN_MINIMAL_BUILD_OPTS ?= -t $(PODMAN_MINIMAL_IMAGE)
 PODMAN_REMOTE_BUILD_OPTS ?= -t $(PODMAN_REMOTE_IMAGE)
@@ -33,6 +33,7 @@ ASSET_NAME := podman-linux-$(ARCH)
 ASSET_DIR := $(BUILD_DIR)/asset/$(ASSET_NAME)
 images: podman podman-remote podman-minimal
+#images: podman-minimal
 multiarch-tar multiarch-images: PLATFORM = linux/arm64/v8,linux/amd64
 multiarch-tar: BUILDX_OUTPUT = type=local,dest=$(IMAGE_EXPORT_DIR)
@@ -126,7 +127,7 @@ verify-signature:
 for _ in `seq 1 10`; do \
 TMPDIR=$$(mktemp -d); \
 export GNUPGHOME=$$TMPDIR; \
- gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0CCF102C4F95D89E583FF1D4F8B5AF50344BB503 && \
+ gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys C1EAB6D69BC45DCB758A46B9B874F7B61B16FBA6 && \
 gpg --list-keys && \
 gpg --batch --verify $(ASSET_DIR).tar.gz.asc $(ASSET_DIR).tar.gz && \
 rm -rf $$TMPDIR && \
@@ -146,7 +147,7 @@ run:
 $(PODMAN_IMAGE) /bin/sh
 clean:
- $(DOCKER) run --rm -v "`pwd`:/work" alpine:3.18 rm -rf /work/build
+ $(DOCKER) run --rm -v "`pwd`:/work" alpine:3.19 rm -rf /work/build
 run-server: podman-ssh
 # TODO: make sshd log to stdout (while still ensuring that we know when it is available)
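Review bot: `verify-signature` now fetches `C1EAB6D69BC45DCB758A46B9B874F7B61B16FBA6` from `keyserver.ubuntu.com` inside a ten-attempt retry loop and then runs `gpg --batch --verify` against whatever the keyserver returned; the full fingerprint makes key substitution hard, but the loop itself admits the network dependency is flaky, and nothing in the repository records the new signing key or the rotation away from `0CCF102C4F95D89E583FF1D4F8B5AF50344BB503`. Commit the public key (e.g. `keys/release-signing-key.asc`), replace the `--recv-keys` line with `gpg --import keys/release-signing-key.asc && gpg --fingerprint | grep -q 'C1EA B6D6 9BC4 5DCB' && \`, and the verification becomes offline, reproducible and reviewable in git history. The `clean` target's move to `alpine:3.19` while every build stage in the Dockerfiles stays on `alpine3.18` is harmless but inconsistent.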
@@ -156,9 +157,10 @@ run-server: podman-ssh
 -w /build \
 "${PODMAN_SSH_IMAGE}" \
 sh -c 'set -x; \
- ssh-keygen -b 2048 -t rsa -N "" -f /podman/.ssh/ssh_host_rsa_key; \
- ssh-keygen -b 521 -t ecdsa -N "" -f /podman/.ssh/ssh_host_ecdsa_key; \
- [ -f /build/storage/user/client_rsa ] || ssh-keygen -b 2048 -t rsa -N "" -f /build/storage/user/client_rsa; \
+ ssh-keygen -b 4096 -t rsa -N "" -f /podman/.ssh/ssh_host_rsa_key; \
+ ssh-keygen -b 581 -t dsa -N "" -f /podman/.ssh/ssh_host_ecdsa_key; \
+ ssh-keygen -t ed25519 -N "" -f /podman/.ssh/ssh_host_ed25519_key; \
+ [ -f /build/storage/user/client_rsa ] || ssh-keygen -b 4096 -t rsa -N "" -f /build/storage/user/client_rsa; \
 cat /build/storage/user/client_rsa.pub > /podman/.ssh/authorized_keys; \
 /usr/sbin/sshd -eD -f ~/.ssh/sshd_config & \
 mkdir /tmp/podman; \
diff --git a/README.md b/README.md
index 9b6691a..84c747c 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# podman binaries and container images ![GitHub workflow badge](https://github.com/mgoltzsche/podman-static/workflows/Release/badge.svg)
+# podman binaries and container images ![GitHub workflow badge](https://github.com/trentapple/podman-static/workflows/Release/badge.svg)
 This project provides alpine-based podman container images and statically linked (rootless) podman binaries for linux/amd64 and linux/arm64/v8 machines along with its dependencies _(without systemd support)_:
 * [podman](https://github.com/containers/podman)
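Review bot: `ssh-keygen -b 581 -t dsa -N "" -f /podman/.ssh/ssh_host_ecdsa_key` replaces a valid ECDSA P-521 host key with a DSA one: ssh-keygen only accepts 1024-bit DSA keys, so `-b 581` makes the command fail, and with only `set -x` in that `sh -c` string the script carries on and starts sshd without the key; DSA host keys have been disabled by default since OpenSSH 7.0 and are being removed from current releases, and the file keeps the `ssh_host_ecdsa_key` name that `HostKey /podman/.ssh/ssh_host_ecdsa_key` in `sshd_config` expects. Restore `ssh-keygen -t ecdsa -b 521 -N "" -f /podman/.ssh/ssh_host_ecdsa_key; \` (the `-t ed25519` line added below it is the right addition) and change the opening to `sh -c 'set -ex; \` so a keygen failure stops `run-server` instead of launching sshd with a partial key set. This target also depends on `podman-ssh`, whose `Dockerfile-ssh` is deleted in this commit — confirm that image is still buildable. The `run-server` recipe starts before the hunk.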
@@ -6,16 +6,19 @@ This project provides alpine-based podman container images and statically linked
 * [conmon](https://github.com/containers/conmon)
 * [fuse-overlayfs](https://github.com/containers/fuse-overlayfs) and [libfuse](https://github.com/libfuse/libfuse)
 * [slirp4netns](https://github.com/rootless-containers/slirp4netns) (with [libslirp](https://gitlab.freedesktop.org/slirp/libslirp))
-* [CNI plugins](https://github.com/containernetworking/plugins): loopback, bridge, host-local, portmap, firewall, tuning
+* [Netavark](https://github.com/containers/netavark): container network stack and default in podman 5 or later
+~* [CNI plugins](https://github.com/containernetworking/plugins): loopback, bridge, host-local, portmap, firewall, tuning~
 * [catatonit](https://github.com/openSUSE/catatonit)
+CNI may be replaced. See also: [Podman Networking Docs](https://docs.podman.io/en/latest/markdown/podman-network.1.html)
+
 ## Container image
 The following image tags are supported:
 | Tag | Description |
 | --- | ----------- |
-| `latest`, `` | podman with both rootless and rootful dependencies: runc, conmon, fuse-overlayfs, slirp4netns, CNI plugins, catatonit. |
+| `latest`, `` | podman with both rootless and rootful dependencies: runc, conmon, fuse-overlayfs, slirp4netns, netavark, ~CNI plugins~, catatonit. |
 | `minimal`, `-minimal` | podman, crun, fuse-overlayfs and conmon binaries, configured to use the host's existing namespaces (low isolation level). |
 | `remote`, `-remote` | the podman remote binary. |
@@ -28,7 +31,7 @@ Please note that, when running non-remote podman within a docker container, the
 Run podman in docker:
 ```sh
-docker run --privileged -u podman:podman mgoltzsche/podman:minimal docker run alpine:latest echo hello from nested container
+docker run --privileged -u podman:podman trentapple/podman:minimal docker run alpine:latest echo hello from nested container
 ```
 _Within the container `docker` is linked to `podman` to support applications that use the `docker` command._
@@ -38,13 +41,13 @@ _In case you're using an arm64 machine (e.g. a Raspberry Pi), you need to substi
 Download the statically linked binaries of podman and its dependencies:
 ```sh
-curl -fsSL -o podman-linux-amd64.tar.gz https://github.com/mgoltzsche/podman-static/releases/latest/download/podman-linux-amd64.tar.gz
+curl -fsSL -o podman-linux-amd64.tar.gz https://github.com/trentapple/podman-static/releases/latest/download/podman-linux-amd64.tar.gz
 ```
 Verify the archive's signature (optional):
 ```sh
-curl -fsSL -o podman-linux-amd64.tar.gz.asc https://github.com/mgoltzsche/podman-static/releases/latest/download/podman-linux-amd64.tar.gz.asc
-gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0CCF102C4F95D89E583FF1D4F8B5AF50344BB503
+curl -fsSL -o podman-linux-amd64.tar.gz.asc https://github.com/trentapple/podman-static/releases/latest/download/podman-linux-amd64.tar.gz.asc
+gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys C1EAB6D69BC45DCB758A46B9B874F7B61B16FBA6
 gpg --batch --verify podman-linux-amd64.tar.gz.asc podman-linux-amd64.tar.gz
 ```
 _This may fail every now and then due to desync/unavailable key servers. In that case please retry._
@@ -52,7 +55,7 @@ _This may fail every now and then due to desync/unavailable key servers. In that
 Download a specific version:
 ```sh
 VERSION=
-curl -fsSL -o podman-linux-amd64.tar.gz https://github.com/mgoltzsche/podman-static/releases/download/$VERSION/podman-linux-amd64.tar.gz
+curl -fsSL -o podman-linux-amd64.tar.gz https://github.com/trentapple/podman-static/releases/download/$VERSION/podman-linux-amd64.tar.gz
 ```
 Install the binaries and configuration on your host after you've inspected the archive:
@@ -73,6 +76,8 @@ The following binaries should be installed on your host:
 * `nsenter`
 * `uidmap` (for rootless mode)
+[nftables](https://netfilter.org/projects/nftables/) (with or without optional iptables-nft wrapper) to be included in the future [WIP](https://github.com/containers/netavark/pull/883)
+
 In order to run rootless containers that use multiple uids/gids you may want to set up a uid/gid mapping for your user on your host:
 ```
 sudo sh -c "echo $(id -un):100000:200000 >> /etc/subuid"
@@ -80,7 +85,7 @@ sudo sh -c "echo $(id -gn):100000:200000 >> /etc/subgid"
 ```
 _Please make sure you don't add the mapping multiple times._
-To support applications that use the `docker` command you may want to link it to `podman` as follows:
+For support applications that rely on the `docker` command one quick option is to link `podman` as follows:
 ```sh
 sudo ln -s /usr/local/bin/podman /usr/local/bin/docker
 ```
diff --git a/conf/cni/net.d/87-podman-bridge.conflist b/conf/cni/net.d/87-podman-bridge.conflist
deleted file mode 100644
index 8ee747e..0000000
--- a/conf/cni/net.d/87-podman-bridge.conflist
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- "cniVersion": "0.4.0",
- "name": "podman",
- "plugins": [
- {
- "type": "bridge",
- "bridge": "cni-podman0",
- "isGateway": true,
- "ipMasq": true,
- "hairpinMode": true,
- "ipam": {
- "type": "host-local",
- "routes": [{ "dst": "0.0.0.0/0" }],
- "ranges": [
- [
- {
- "subnet": "10.88.0.0/16",
- "gateway": "10.88.0.1"
- }
- ]
- ]
- }
- },
- {
- "type": "portmap",
- "capabilities": {
- "portMappings": true
- }
- }
- ]
-}
diff --git a/sshd_config b/sshd_config
index f8fc954..bedce20 100644
--- a/sshd_config
+++ b/sshd_config
@@ -4,12 +4,12 @@ Port 2222
 PidFile /tmp/sshd.pid
 HostKey /podman/.ssh/ssh_host_rsa_key
 HostKey /podman/.ssh/ssh_host_ecdsa_key
-#HostKey /podman/.ssh/ssh_host_ed25519_key
+HostKey /podman/.ssh/ssh_host_ed25519_key
 AuthorizedKeysFile .ssh/authorized_keys
 PasswordAuthentication no
 PubkeyAuthentication yes
 PermitRootLogin no
-LoginGraceTime 2m
+LoginGraceTime 1m
 MaxAuthTries 6
 MaxSessions 10
diff --git a/test/remote.bats b/test/remote.bats
index c9d8add..76ad9ed 100644
--- a/test/remote.bats
+++ b/test/remote.bats
@@ -1,8 +1,8 @@
 #!/usr/bin/env bats
 : ${DOCKER:=docker}
-: ${PODMAN_IMAGE:=mgoltzsche/podman:latest}
-: ${PODMAN_REMOTE_IMAGE:=mgoltzsche/podman:latest-remote}
+: ${PODMAN_IMAGE:=trentapple/podman:latest}
+: ${PODMAN_REMOTE_IMAGE:=trentapple/podman:latest-remote}
 PODMAN_ADDRESS=127.0.0.1:53453
 PODMAN_CONTAINER=podman-test-server
diff --git a/test/rootful.bats b/test/rootful.bats
index be47bd7..e80c3b9 100644
--- a/test/rootful.bats
+++ b/test/rootful.bats
@@ -1,7 +1,7 @@
 #!/usr/bin/env bats
 : ${DOCKER:=docker}
-: ${PODMAN_IMAGE:=mgoltzsche/podman:latest}
+: ${PODMAN_IMAGE:=trentapple/podman:latest}
 PODMAN_ROOT_DATA_DIR="$BATS_TEST_DIRNAME/../build/test-storage/root"
diff --git a/test/rootless.bats b/test/rootless.bats
index f70eaab..ac03e19 100644
--- a/test/rootless.bats
+++ b/test/rootless.bats
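Review bot: Enabling `HostKey /podman/.ssh/ssh_host_ed25519_key` is correct only because the Makefile's `run-server` target now generates that file in the same commit; the config still lists `HostKey /podman/.ssh/ssh_host_ecdsa_key`, which that target now tries to produce with `-t dsa`, so sshd will presumably log an error for that entry at startup (it keeps running as long as one host key loads — confirm with `sshd -t`). Keep the HostKey list and the key-generation commands in one place, or add `# keys are generated by `make run-server`` above the `HostKey` lines so the coupling is visible to whoever edits either file. `LoginGraceTime 1m` is a reasonable tightening for a test server.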
@@ -1,7 +1,7 @@
 #!/usr/bin/env bats
 : ${DOCKER:=docker}
-: ${PODMAN_IMAGE:=mgoltzsche/podman:latest}
+: ${PODMAN_IMAGE:=trentapple/podman:latest}
 : ${TEST_PREFIX:=rootless}
 PODMAN_ROOT_DATA_DIR="$BATS_TEST_DIRNAME/../build/test-storage/user"