

fix: upgrade podman 5.1.1, drop CNI support
* podman 5.1.1
* drop CNI networking and slirp4netns in favour of netavark + pasta
* build statically linked netavark, pasta and aardvark
* conmon 2.1.11
* crun 1.15
* crun is also shipped with the normal (non-minimal) image now.
* build using golang 1.22, use alpine 3.19 base container

Co-authored-by: Trent Apple <[email protected]>
mgoltzsche and trentapple committed Jun 11, 2024
1 parent a7fe098 commit 9b452b9
Showing 11 changed files with 96 additions and 99 deletions.
5 changes: 5 additions & 0 deletions .github/workflows/release.yml
Expand Up @@ -29,6 +29,11 @@ jobs:
with:
platforms: all

- name: Print environment
run: |
uname -a
docker --version
- name: Build & test
run: make images test

5 changes: 5 additions & 0 deletions .github/workflows/verify.yml
Expand Up @@ -20,6 +20,11 @@ jobs:
with:
platforms: all

- name: Print environment
run: |
uname -a
docker --version
- name: Build & test linux/amd64 image
run: make images test

132 changes: 54 additions & 78 deletions Dockerfile
@@ -1,10 +1,10 @@
# Download gpg
FROM alpine:3.18 AS gpg
FROM alpine:3.19 AS gpg
RUN apk add --no-cache gnupg


# runc
FROM golang:1.20-alpine3.18 AS runc
FROM golang:1.22-alpine3.19 AS runc
ARG RUNC_VERSION=v1.1.12
# Download runc binary release since static build doesn't work with musl libc anymore since 1.1.8, see https://github.com/opencontainers/runc/issues/3950
RUN set -eux; \
Expand All @@ -16,7 +16,7 @@ RUN set -eux; \


# podman build base
FROM golang:1.20-alpine3.18 AS podmanbuildbase
FROM golang:1.22-alpine3.19 AS podmanbuildbase
RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
btrfs-progs btrfs-progs-dev libassuan-dev lvm2-dev device-mapper \
glib-static libc-dev gpgme-dev protobuf-dev protobuf-c-dev \
Expand All @@ -27,11 +27,12 @@ RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
# podman (without systemd support)
FROM podmanbuildbase AS podman
RUN apk add --update --no-cache tzdata curl
ARG PODMAN_VERSION=v5.0.0
ARG PODMAN_VERSION=v5.1.1
ARG PODMAN_BUILDTAGS='seccomp selinux apparmor exclude_graphdriver_devicemapper containers_image_openpgp'
ARG PODMAN_CGO=1
RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch ${PODMAN_VERSION} https://github.com/containers/podman src/github.com/containers/podman
WORKDIR $GOPATH/src/github.com/containers/podman
# TODO: remove common patch once the PR is merged: https://github.com/containers/common/pull/2042
RUN set -ex; \
export CGO_ENABLED=$PODMAN_CGO; \
make bin/podman LDFLAGS_PODMAN="-s -w -extldflags '-static'" BUILDTAGS='${PODMAN_BUILDTAGS}'; \
Expand All @@ -47,71 +48,50 @@ RUN set -ex; \

# conmon (without systemd support)
FROM podmanbuildbase AS conmon
ARG CONMON_VERSION=v2.1.10
ARG CONMON_VERSION=v2.1.11
RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch ${CONMON_VERSION} https://github.com/containers/conmon.git /conmon
WORKDIR /conmon
RUN set -ex; \
make git-vars bin/conmon PKG_CONFIG='pkg-config --static' CFLAGS='-std=c99 -Os -Wall -Wextra -Werror -static' LDFLAGS='-s -w -static'; \
bin/conmon --help >/dev/null


# CNI plugins
FROM podmanbuildbase AS cniplugins
ARG CNI_PLUGIN_VERSION=v1.4.1
ARG CNI_PLUGINS="ipam/host-local main/loopback main/bridge meta/portmap meta/tuning meta/firewall"
RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${CNI_PLUGIN_VERSION} https://github.com/containernetworking/plugins /go/src/github.com/containernetworking/plugins
WORKDIR /go/src/github.com/containernetworking/plugins
RUN set -ex; \
for PLUGINDIR in $CNI_PLUGINS; do \
PLUGINBIN=/usr/local/lib/cni/$(basename $PLUGINDIR); \
CGO_ENABLED=0 go build -o $PLUGINBIN -ldflags "-s -w -extldflags '-static'" ./plugins/$PLUGINDIR; \
! ldd $PLUGINBIN; \
done
FROM rust:1.78-alpine3.19 AS rustbase
RUN apk add --update --no-cache git make musl-dev


# slirp4netns
FROM podmanbuildbase AS slirp4netns
WORKDIR /
RUN apk add --update --no-cache autoconf automake meson ninja linux-headers libcap-static libcap-dev clang llvm
# Build libslirp
ARG LIBSLIRP_VERSION=v4.7.0
RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${LIBSLIRP_VERSION} https://gitlab.freedesktop.org/slirp/libslirp.git
WORKDIR /libslirp
RUN set -ex; \
rm -rf /usr/lib/libglib-2.0.so /usr/lib/libintl.so; \
ln -s /usr/bin/clang /go/bin/clang; \
LDFLAGS="-s -w -static" meson --prefix /usr -D default_library=static build; \
ninja -C build install
# Build slirp4netns
WORKDIR /
ARG SLIRP4NETNS_VERSION=v1.2.3
RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch $SLIRP4NETNS_VERSION https://github.com/rootless-containers/slirp4netns.git
WORKDIR /slirp4netns
RUN set -ex; \
./autogen.sh; \
LDFLAGS=-static ./configure --prefix=/usr; \
make

# netavark
FROM podmanbuildbase AS netavark
WORKDIR /
RUN apk add --update --no-cache cargo
# Build passt
FROM rustbase AS netavark
RUN apk add --update --no-cache protoc
ARG NETAVARK_VERSION=v1.10.3
RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${NETAVARK_VERSION} https://github.com/containers/netavark
RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=$NETAVARK_VERSION https://github.com/containers/netavark
WORKDIR /netavark
RUN LDFLAGS=-static make
ENV RUSTFLAGS='-C link-arg=-s'
RUN cargo build --release


# aardvark-dns
FROM rustbase AS aardvark-dns
ARG AARDVARKDNS_VERSION=v1.10.0
RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=$AARDVARKDNS_VERSION https://github.com/containers/aardvark-dns
WORKDIR /aardvark-dns
ENV RUSTFLAGS='-C link-arg=-s'
RUN cargo build --release


# passt
FROM podmanbuildbase AS passt
WORKDIR /
RUN apk add --update --no-cache autoconf automake meson ninja linux-headers libcap-static libcap-dev clang llvm coreutils
# Build passt
ARG PASST_VERSION=2024_04_05.954589b
RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${PASST_VERSION} git://passt.top/passt
ARG PASST_VERSION=2024_05_23.765eb0b
RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=$PASST_VERSION git://passt.top/passt
WORKDIR /passt
RUN make static
RUN set -ex; \
make static; \
mkdir bin; \
cp pasta bin/; \
[ ! -f pasta.avx2 ] || cp pasta.avx2 bin/; \
! ldd /passt/bin/pasta


# fuse-overlayfs (derived from https://github.com/containers/fuse-overlayfs/blob/master/Dockerfile.static)
Expand All @@ -129,7 +109,7 @@ RUN set -ex; \
ninja install; \
fusermount3 -V
ARG FUSEOVERLAYFS_VERSION=v1.13
RUN git clone -c advice.detachedHead=false --depth=1 --branch=$FUSEOVERLAYFS_VERSION https://github.com/containers/fuse-overlayfs /fuse-overlayfs
RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=$FUSEOVERLAYFS_VERSION https://github.com/containers/fuse-overlayfs /fuse-overlayfs
WORKDIR /fuse-overlayfs
RUN set -ex; \
sh autogen.sh; \
Expand All @@ -143,7 +123,7 @@ RUN set -ex; \
FROM podmanbuildbase AS catatonit
RUN apk add --update --no-cache autoconf automake libtool
ARG CATATONIT_VERSION=v0.2.0
RUN git clone --branch=$CATATONIT_VERSION https://github.com/openSUSE/catatonit.git /catatonit
RUN git clone -c 'advice.detachedHead=false' --branch=$CATATONIT_VERSION https://github.com/openSUSE/catatonit.git /catatonit
WORKDIR /catatonit
RUN set -ex; \
./autogen.sh; \
Expand All @@ -152,13 +132,29 @@ RUN set -ex; \
./catatonit --version


# Download crun
# (switched keyserver from sks to ubuntu since sks is offline now and gpg refuses to import keys from keys.openpgp.org because it does not provide a user ID with the key.)
FROM gpg AS crun
ARG CRUN_VERSION=1.15
RUN set -ex; \
ARCH="`uname -m | sed 's!x86_64!amd64!; s!aarch64!arm64!'`"; \
wget -O /usr/local/bin/crun https://github.com/containers/crun/releases/download/$CRUN_VERSION/crun-${CRUN_VERSION}-linux-${ARCH}-disable-systemd; \
wget -O /tmp/crun.asc https://github.com/containers/crun/releases/download/$CRUN_VERSION/crun-${CRUN_VERSION}-linux-${ARCH}-disable-systemd.asc; \
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 027F3BD58594CA181BB5EC50E4730F97F60286ED; \
gpg --batch --verify /tmp/crun.asc /usr/local/bin/crun; \
chmod +x /usr/local/bin/crun; \
! ldd /usr/local/bin/crun


# Build podman base image
FROM alpine:3.18 AS podmanbase
FROM alpine:3.19 AS podmanbase
LABEL maintainer="Max Goltzsche <[email protected]>"
RUN apk add --no-cache tzdata ca-certificates
COPY --from=conmon /conmon/bin/conmon /usr/local/lib/podman/conmon
COPY --from=podman /usr/local/lib/podman/rootlessport /usr/local/lib/podman/rootlessport
COPY --from=podman /usr/local/bin/podman /usr/local/bin/podman
COPY --from=passt /passt/bin/ /usr/local/bin/
COPY --from=netavark /netavark/target/release/netavark /usr/local/lib/podman/netavark
COPY conf/containers /etc/containers
RUN set -ex; \
adduser -D podman -h /podman -u 1000; \
Expand All @@ -179,35 +175,15 @@ ENV BUILDAH_ISOLATION=chroot container=oci
RUN apk add --no-cache shadow-uidmap
COPY --from=fuse-overlayfs /usr/bin/fuse-overlayfs /usr/local/bin/fuse-overlayfs
COPY --from=fuse-overlayfs /usr/bin/fusermount3 /usr/local/bin/fusermount3

# Build rootless podman base image with runc
FROM rootlesspodmanbase AS rootlesspodmanrunc
COPY --from=runc /usr/local/bin/runc /usr/local/bin/runc

# Download crun
# (switched keyserver from sks to ubuntu since sks is offline now and gpg refuses to import keys from keys.openpgp.org because it does not provide a user ID with the key.)
FROM gpg AS crun
ARG CRUN_VERSION=1.14.4
RUN set -ex; \
ARCH="`uname -m | sed 's!x86_64!amd64!; s!aarch64!arm64!'`"; \
wget -O /usr/local/bin/crun https://github.com/containers/crun/releases/download/$CRUN_VERSION/crun-${CRUN_VERSION}-linux-${ARCH}-disable-systemd; \
wget -O /tmp/crun.asc https://github.com/containers/crun/releases/download/$CRUN_VERSION/crun-${CRUN_VERSION}-linux-${ARCH}-disable-systemd.asc; \
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 027F3BD58594CA181BB5EC50E4730F97F60286ED; \
gpg --batch --verify /tmp/crun.asc /usr/local/bin/crun; \
chmod +x /usr/local/bin/crun; \
! ldd /usr/local/bin/crun
COPY --from=crun /usr/local/bin/crun /usr/local/bin/crun

# Build minimal rootless podman
FROM rootlesspodmanbase AS rootlesspodmanminimal
COPY --from=crun /usr/local/bin/crun /usr/local/bin/crun
COPY conf/crun-containers.conf /etc/containers/containers.conf

# Build podman image with rootless binaries and CNI plugins
FROM rootlesspodmanrunc AS podmanall
# Build podman image with all binaries
FROM rootlesspodmanbase AS podmanall
RUN apk add --no-cache iptables ip6tables
COPY --from=slirp4netns /slirp4netns/slirp4netns /usr/local/bin/slirp4netns
COPY --from=passt /passt/pasta /usr/local/bin/pasta
COPY --from=netavark /netavark/bin/netavark /usr/local/lib/podman/netavark
COPY --from=cniplugins /usr/local/lib/cni /usr/local/lib/cni
COPY --from=catatonit /catatonit/catatonit /usr/local/lib/podman/catatonit
COPY conf/cni /etc/cni
COPY --from=runc /usr/local/bin/runc /usr/local/bin/runc
COPY --from=aardvark-dns /aardvark-dns/target/release/aardvark-dns /usr/local/lib/podman/aardvark-dns
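Review bot: The netavark and aardvark-dns stages end at `cargo build --release` with no check that the result is actually statically linked, although the commit message says they are and the pasta stage in the same file verifies its binary with `! ldd /passt/bin/pasta`. Appending `; ! ldd target/release/netavark` (and the equivalent for aardvark-dns) to those build steps would fail the build if the rust-alpine toolchain ever emits a dynamically linked binary, which the podmanbase stage's `COPY --from=netavark` would otherwise carry into the runtime image silently. Passing `--locked` to both cargo invocations would also make the build fail instead of silently resolving newer dependency versions when Cargo.lock is out of date with the manifest, which keeps a given NETAVARK_VERSION/AARDVARKDNS_VERSION build reproducible. Separately, the passt clone still goes over `git://passt.top/passt`, an unauthenticated transport pinned only to a tag, so the fetched source has no integrity guarantee; switching to the https URL, if the host serves it, or pinning a commit hash would close that gap.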
6 changes: 3 additions & 3 deletions Dockerfile-remote
@@ -1,5 +1,5 @@
# podman build base
FROM golang:1.20-alpine3.18 AS podmanbuildbase
FROM golang:1.22-alpine3.19 AS podmanbuildbase
RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
btrfs-progs btrfs-progs-dev libassuan-dev lvm2-dev device-mapper \
glib-static libc-dev gpgme-dev protobuf-dev protobuf-c-dev \
Expand All @@ -9,7 +9,7 @@ RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
# podman remote
FROM podmanbuildbase AS podman-remote
RUN apk add --update --no-cache curl
ARG PODMAN_VERSION=v5.0.0
ARG PODMAN_VERSION=v5.1.1
RUN git clone -c advice.detachedHead=false --depth=1 --branch=${PODMAN_VERSION} https://github.com/containers/podman src/github.com/containers/podman
WORKDIR $GOPATH/src/github.com/containers/podman
RUN set -eux; \
Expand All @@ -20,6 +20,6 @@ RUN set -eux; \
podman --help >/dev/null; \
[ "$(ldd /usr/local/bin/podman-remote | wc -l)" -eq 0 ] || (ldd /usr/local/bin/podman-remote; false)

FROM alpine:3.18
FROM alpine:3.19
COPY --from=podman-remote /usr/local/bin /usr/local/bin
RUN adduser -D podman-remote -h /podman -u 1000
5 changes: 2 additions & 3 deletions Makefile
Expand Up @@ -12,7 +12,7 @@ GPG_IMAGE = gpg-signer

BUILD_DIR = ./build

BATS_VERSION = v1.8.2
BATS_VERSION = v1.11.0
BATS_DIR := $(BUILD_DIR)/bats-$(BATS_VERSION)
BATS = $(BATS_DIR)/bin/bats
BATS_TEST ?= test
Expand Down Expand Up @@ -102,7 +102,6 @@ tar: .podman-from-container
rm -rf $(ASSET_DIR)
mkdir -p $(ASSET_DIR)/etc $(ASSET_DIR)/usr/local
cp -r conf/containers $(ASSET_DIR)/etc/containers
cp -r conf/cni $(ASSET_DIR)/etc/cni
cp README.md $(ASSET_DIR)/
$(DOCKER) run --rm $(PODMAN_IMAGE) tar c /usr/local/{bin,lib} | tar -xC $(ASSET_DIR)

Expand Down Expand Up @@ -145,7 +144,7 @@ run:
$(PODMAN_IMAGE) /bin/sh

clean:
$(DOCKER) run --rm -v "`pwd`:/work" alpine:3.18 rm -rf /work/build
$(DOCKER) run --rm -v "`pwd`:/work" alpine:3.19 rm -rf /work/build

run-server: podman-ssh
# TODO: make sshd log to stdout (while still ensuring that we know when it is available)
18 changes: 12 additions & 6 deletions README.md
Expand Up @@ -2,21 +2,25 @@

This project provides alpine-based podman container images and statically linked (rootless) podman binaries for linux/amd64 and linux/arm64/v8 machines along with its dependencies _(without systemd support)_:
* [podman](https://github.com/containers/podman)
* [runc](https://github.com/opencontainers/runc/) or [crun](https://github.com/containers/crun)
* [crun](https://github.com/containers/crun)
* [runc](https://github.com/opencontainers/runc/)
* [conmon](https://github.com/containers/conmon)
* [fuse-overlayfs](https://github.com/containers/fuse-overlayfs) and [libfuse](https://github.com/libfuse/libfuse)
* [slirp4netns](https://github.com/rootless-containers/slirp4netns) (with [libslirp](https://gitlab.freedesktop.org/slirp/libslirp))
* [CNI plugins](https://github.com/containernetworking/plugins): loopback, bridge, host-local, portmap, firewall, tuning
* [Netavark](https://github.com/containers/netavark): container network stack and default in podman 5 or later
* [passt/pasta](https://passt.top/passt/)
* [aardvark-dns](https://github.com/containers/aardvark-dns)
* [catatonit](https://github.com/openSUSE/catatonit)

CNI networking has been replaced with Netavark since Podman version 5.

## Container image

The following image tags are supported:

| Tag | Description |
| --- | ----------- |
| `latest`, `<VERSION>` | podman with both rootless and rootful dependencies: runc, conmon, fuse-overlayfs, slirp4netns, CNI plugins, catatonit. |
| `minimal`, `<VERSION>-minimal` | podman, crun, fuse-overlayfs and conmon binaries, configured to use the host's existing namespaces (low isolation level). |
| `latest`, `<VERSION>` | podman with all dependencies: runc, crun, conmon, fuse-overlayfs, netavark, pasta, aardvark-dns, catatonit. |
| `minimal`, `<VERSION>-minimal` | podman, crun, conmon, fuse-overlayfs and netavark binaries, configured to use the host's existing namespaces (low isolation level). |
| `remote`, `<VERSION>-remote` | the podman remote binary. |

By default containers are run as user `root`.
Expand Down Expand Up @@ -73,14 +77,16 @@ The following binaries should be installed on your host:
* `nsenter`
* `uidmap` (for rootless mode)

[nftables](https://netfilter.org/projects/nftables/) (with or without optional iptables-nft wrapper) to be included in the future [WIP](https://github.com/containers/netavark/pull/883).

In order to run rootless containers that use multiple uids/gids you may want to set up a uid/gid mapping for your user on your host:
```
sudo sh -c "echo $(id -un):100000:200000 >> /etc/subuid"
sudo sh -c "echo $(id -gn):100000:200000 >> /etc/subgid"
```
_Please make sure you don't add the mapping multiple times._

To support applications that use the `docker` command you may want to link it to `podman` as follows:
To support applications that rely on the `docker` command, a quick option is to link `podman` as follows:
```sh
sudo ln -s /usr/local/bin/podman /usr/local/bin/docker
```
3 changes: 0 additions & 3 deletions conf/containers/containers.conf
@@ -1,7 +1,4 @@
# See https://github.com/containers/common/blob/master/pkg/config/containers.conf
[containers]
init_path = "/usr/local/lib/podman/catatonit"

[engine]
cgroup_manager = "cgroupfs"
events_logger="file"
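Review bot: Dropping `init_path` from the `[containers]` section leaves `podman run --init` dependent on podman's built-in catatonit lookup, while the Dockerfile's podmanall stage still installs the binary at /usr/local/lib/podman/catatonit. If the default search paths of the podman version being shipped do not include that directory, `--init` would fail at container start rather than at build time, so this is worth confirming against the shipped version before relying on it. If the lookup does cover it, recording that with a comment such as `# init_path intentionally unset: podman's default catatonit lookup covers /usr/local/lib/podman` would stop the next reader from re-adding the setting.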
1 change: 1 addition & 0 deletions conf/crun-containers.conf
Expand Up @@ -7,6 +7,7 @@ ipcns="host"
utsns="host"
cgroupns="host"
cgroups="disabled"
log_driver = "k8s-file"
[engine]
cgroup_manager = "cgroupfs"
events_logger="file"
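Review bot: The added `log_driver = "k8s-file"` uses a spaced `key = value` form while every neighbouring key in this file is written as `key="value"` (`cgroups="disabled"`, `events_logger="file"`); `log_driver="k8s-file"` would match the file's existing style. The line also gives no reason for forcing the driver; since this image is built without systemd support, a one-line comment such as `# no journald in this image, so write container logs to files` would make the intent clear, assuming that is indeed the motivation.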
2 changes: 1 addition & 1 deletion test/remote.bats
Expand Up @@ -27,7 +27,7 @@ teardown_file() {
podman --url=tcp://$PODMAN_ADDRESS run alpine:3.17 echo hello from remote container
}

@test "remote podman - build image from dockerfile" {
@test "remote podman - build dockerfile" {
# ATTENTION: podman remote fails if it cannot map the uids/gids from the server locally as well (which is why podman-remote user has been added)
$DOCKER run --rm --network=host --user=podman-remote:podman-remote --pull=never \
"${PODMAN_REMOTE_IMAGE}" \
4 changes: 2 additions & 2 deletions test/rootful.bats
Expand Up @@ -13,15 +13,15 @@ skipIfDockerUnavailableAndNotRunAsRoot() {
fi
}

@test "rootful podman - internet connectivity (CNI networking)" {
@test "rootful podman - internet connectivity (using netavark + pasta)" {
skipIfDockerUnavailableAndNotRunAsRoot
$DOCKER run --rm --privileged --entrypoint /bin/sh -u root:root \
-v "$PODMAN_ROOT_DATA_DIR:/var/lib/containers/storage" \
--pull=never "${PODMAN_IMAGE}" \
-c 'podman run --rm alpine:3.17 wget -O /dev/null http://example.org'
}

@test "rootful podman - build image from dockerfile" {
@test "rootful podman - build dockerfile" {
skipIfDockerUnavailableAndNotRunAsRoot
$DOCKER run --rm --privileged --entrypoint /bin/sh -u root:root \
-v "$PODMAN_ROOT_DATA_DIR:/var/lib/containers/storage" \
