fix: upgrade podman 5.1.1, drop CNI support

* podman 5.1.1 * drop CNI networking in favour of netavark + pasta * build statically linked netavark, pasta and aardvark * conmon 2.1.11 * crun 1.15 * build using golang 1.21, use alpine 3.19 base container
mgoltzsche · Jun 4, 2024 · ae522af · ae522af
1 parent b59b3c5
commit ae522af
Show file tree

Hide file tree

Showing 7 changed files with 57 additions and 50 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,10 +1,10 @@
 # Download gpg
-FROM alpine:3.18 AS gpg
+FROM alpine:3.19 AS gpg
 RUN apk add --no-cache gnupg
 
 
 # runc
-FROM golang:1.20-alpine3.18 AS runc
+FROM golang:1.21-alpine3.19 AS runc
 ARG RUNC_VERSION=v1.1.12
 # Download runc binary release since static build doesn't work with musl libc anymore since 1.1.8, see https://github.com/opencontainers/runc/issues/3950
 RUN set -eux; \
@@ -16,7 +16,7 @@ RUN set -eux; \
 
 
 # podman build base
-FROM golang:1.20-alpine3.18 AS podmanbuildbase
+FROM golang:1.21-alpine3.19 AS podmanbuildbase
 RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
 	btrfs-progs btrfs-progs-dev libassuan-dev lvm2-dev device-mapper \
 	glib-static libc-dev gpgme-dev protobuf-dev protobuf-c-dev \
@@ -27,7 +27,7 @@ RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
 # podman (without systemd support)
 FROM podmanbuildbase AS podman
 RUN apk add --update --no-cache tzdata curl
-ARG PODMAN_VERSION=v5.0.0
+ARG PODMAN_VERSION=v5.1.1
 ARG PODMAN_BUILDTAGS='seccomp selinux apparmor exclude_graphdriver_devicemapper containers_image_openpgp'
 ARG PODMAN_CGO=1
 RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch ${PODMAN_VERSION} https://github.com/containers/podman src/github.com/containers/podman
@@ -47,34 +47,21 @@ RUN set -ex; \
 
 # conmon (without systemd support)
 FROM podmanbuildbase AS conmon
-ARG CONMON_VERSION=v2.1.10
+ARG CONMON_VERSION=v2.1.11
 RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch ${CONMON_VERSION} https://github.com/containers/conmon.git /conmon
 WORKDIR /conmon
 RUN set -ex; \
 	make git-vars bin/conmon PKG_CONFIG='pkg-config --static' CFLAGS='-std=c99 -Os -Wall -Wextra -Werror -static' LDFLAGS='-s -w -static'; \
 	bin/conmon --help >/dev/null
 
 
-# CNI plugins
-FROM podmanbuildbase AS cniplugins
-ARG CNI_PLUGIN_VERSION=v1.4.1
-ARG CNI_PLUGINS="ipam/host-local main/loopback main/bridge meta/portmap meta/tuning meta/firewall"
-RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${CNI_PLUGIN_VERSION} https://github.com/containernetworking/plugins /go/src/github.com/containernetworking/plugins
-WORKDIR /go/src/github.com/containernetworking/plugins
-RUN set -ex; \
-	for PLUGINDIR in $CNI_PLUGINS; do \
-		PLUGINBIN=/usr/local/lib/cni/$(basename $PLUGINDIR); \
-		CGO_ENABLED=0 go build -o $PLUGINBIN -ldflags "-s -w -extldflags '-static'" ./plugins/$PLUGINDIR; \
-		! ldd $PLUGINBIN; \
-	done
-
-
 # slirp4netns
+# TODO: remove in favour of netavark + pasta?!
 FROM podmanbuildbase AS slirp4netns
 WORKDIR /
 RUN apk add --update --no-cache autoconf automake meson ninja linux-headers libcap-static libcap-dev clang llvm
 # Build libslirp
-ARG LIBSLIRP_VERSION=v4.7.0
+ARG LIBSLIRP_VERSION=v4.8.0
 RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${LIBSLIRP_VERSION} https://gitlab.freedesktop.org/slirp/libslirp.git
 WORKDIR /libslirp
 RUN set -ex; \
@@ -84,34 +71,50 @@ RUN set -ex; \
 	ninja -C build install
 # Build slirp4netns
 WORKDIR /
-ARG SLIRP4NETNS_VERSION=v1.2.3
+ARG SLIRP4NETNS_VERSION=v1.3.1
 RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch $SLIRP4NETNS_VERSION https://github.com/rootless-containers/slirp4netns.git
 WORKDIR /slirp4netns
 RUN set -ex; \
 	./autogen.sh; \
 	LDFLAGS=-static ./configure --prefix=/usr; \
 	make
 
+
+FROM rust:1.78-alpine3.19 AS rustbase
+RUN apk add --update --no-cache git make musl-dev
+
 # netavark
-FROM podmanbuildbase AS netavark
-WORKDIR /
-RUN apk add --update --no-cache cargo
-# Build passt
+FROM rustbase AS netavark
+RUN apk add --update --no-cache protoc
 ARG NETAVARK_VERSION=v1.10.3
-RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${NETAVARK_VERSION} https://github.com/containers/netavark
+RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=$NETAVARK_VERSION https://github.com/containers/netavark
 WORKDIR /netavark
-RUN LDFLAGS=-static make
+ENV RUSTFLAGS='-C link-arg=-s'
+RUN cargo build --release
+
+
+# aardvark-dns
+FROM rustbase AS aardvark-dns
+ARG AARDVARKDNS_VERSION=v1.10.0
+RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=$AARDVARKDNS_VERSION https://github.com/containers/aardvark-dns
+WORKDIR /aardvark-dns
+ENV RUSTFLAGS='-C link-arg=-s'
+RUN cargo build --release
 
 
 # passt
 FROM podmanbuildbase AS passt
 WORKDIR /
 RUN apk add --update --no-cache autoconf automake meson ninja linux-headers libcap-static libcap-dev clang llvm coreutils
-# Build passt
-ARG PASST_VERSION=2024_04_05.954589b
-RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=${PASST_VERSION} git://passt.top/passt
+ARG PASST_VERSION=2024_05_23.765eb0b
+RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=$PASST_VERSION git://passt.top/passt
 WORKDIR /passt
-RUN make static
+RUN set -ex; \
+	make static; \
+	mkdir bin; \
+	cp pasta bin/; \
+	[ ! -f pasta.avx2 ] || cp pasta.avx2 bin/; \
+	! ldd /passt/bin/pasta
 
 
 # fuse-overlayfs (derived from https://github.com/containers/fuse-overlayfs/blob/master/Dockerfile.static)
@@ -129,7 +132,7 @@ RUN set -ex; \
 	ninja install; \
 	fusermount3 -V
 ARG FUSEOVERLAYFS_VERSION=v1.13
-RUN git clone -c advice.detachedHead=false --depth=1 --branch=$FUSEOVERLAYFS_VERSION https://github.com/containers/fuse-overlayfs /fuse-overlayfs
+RUN git clone -c 'advice.detachedHead=false' --depth=1 --branch=$FUSEOVERLAYFS_VERSION https://github.com/containers/fuse-overlayfs /fuse-overlayfs
 WORKDIR /fuse-overlayfs
 RUN set -ex; \
 	sh autogen.sh; \
@@ -143,7 +146,7 @@ RUN set -ex; \
 FROM podmanbuildbase AS catatonit
 RUN apk add --update --no-cache autoconf automake libtool
 ARG CATATONIT_VERSION=v0.2.0
-RUN git clone --branch=$CATATONIT_VERSION https://github.com/openSUSE/catatonit.git /catatonit
+RUN git clone -c 'advice.detachedHead=false' --branch=$CATATONIT_VERSION https://github.com/openSUSE/catatonit.git /catatonit
 WORKDIR /catatonit
 RUN set -ex; \
 	./autogen.sh; \
@@ -153,12 +156,14 @@ RUN set -ex; \
 
 
 # Build podman base image
-FROM alpine:3.18 AS podmanbase
+FROM alpine:3.19 AS podmanbase
 LABEL maintainer="Max Goltzsche <[email protected]>"
 RUN apk add --no-cache tzdata ca-certificates
 COPY --from=conmon /conmon/bin/conmon /usr/local/lib/podman/conmon
 COPY --from=podman /usr/local/lib/podman/rootlessport /usr/local/lib/podman/rootlessport
 COPY --from=podman /usr/local/bin/podman /usr/local/bin/podman
+COPY --from=passt /passt/bin/ /usr/local/bin/
+COPY --from=netavark /netavark/target/release/netavark /usr/local/lib/podman/netavark
 COPY conf/containers /etc/containers
 RUN set -ex; \
 	adduser -D podman -h /podman -u 1000; \
@@ -187,7 +192,7 @@ COPY --from=runc   /usr/local/bin/runc   /usr/local/bin/runc
 # Download crun
 # (switched keyserver from sks to ubuntu since sks is offline now and gpg refuses to import keys from keys.openpgp.org because it does not provide a user ID with the key.)
 FROM gpg AS crun
-ARG CRUN_VERSION=1.14.4
+ARG CRUN_VERSION=1.15
 RUN set -ex; \
 	ARCH="`uname -m | sed 's!x86_64!amd64!; s!aarch64!arm64!'`"; \
 	wget -O /usr/local/bin/crun https://github.com/containers/crun/releases/download/$CRUN_VERSION/crun-${CRUN_VERSION}-linux-${ARCH}-disable-systemd; \
@@ -202,12 +207,9 @@ FROM rootlesspodmanbase AS rootlesspodmanminimal
 COPY --from=crun /usr/local/bin/crun /usr/local/bin/crun
 COPY conf/crun-containers.conf /etc/containers/containers.conf
 
-# Build podman image with rootless binaries and CNI plugins
+# Build podman image with rootless binaries
 FROM rootlesspodmanrunc AS podmanall
 RUN apk add --no-cache iptables ip6tables
 COPY --from=slirp4netns /slirp4netns/slirp4netns /usr/local/bin/slirp4netns
-COPY --from=passt /passt/pasta /usr/local/bin/pasta
-COPY --from=netavark /netavark/bin/netavark /usr/local/lib/podman/netavark
-COPY --from=cniplugins /usr/local/lib/cni /usr/local/lib/cni
+COPY --from=aardvark-dns /aardvark-dns/target/release/aardvark-dns /usr/local/lib/podman/aardvark-dns
 COPY --from=catatonit /catatonit/catatonit /usr/local/lib/podman/catatonit
-COPY conf/cni /etc/cni
diff --git a/Dockerfile-remote b/Dockerfile-remote
@@ -1,5 +1,5 @@
 # podman build base
-FROM golang:1.20-alpine3.18 AS podmanbuildbase
+FROM golang:1.21-alpine3.19 AS podmanbuildbase
 RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
 	btrfs-progs btrfs-progs-dev libassuan-dev lvm2-dev device-mapper \
 	glib-static libc-dev gpgme-dev protobuf-dev protobuf-c-dev \
@@ -9,7 +9,7 @@ RUN apk add --update --no-cache git make gcc pkgconf musl-dev \
 # podman remote
 FROM podmanbuildbase AS podman-remote
 RUN apk add --update --no-cache curl
-ARG PODMAN_VERSION=v5.0.0
+ARG PODMAN_VERSION=v5.1.1
 RUN git clone -c advice.detachedHead=false --depth=1 --branch=${PODMAN_VERSION} https://github.com/containers/podman src/github.com/containers/podman
 WORKDIR $GOPATH/src/github.com/containers/podman
 RUN set -eux; \
@@ -20,6 +20,6 @@ RUN set -eux; \
 	podman --help >/dev/null; \
 	[ "$(ldd /usr/local/bin/podman-remote | wc -l)" -eq 0 ] || (ldd /usr/local/bin/podman-remote; false)
 
-FROM alpine:3.18
+FROM alpine:3.19
 COPY --from=podman-remote /usr/local/bin /usr/local/bin
 RUN adduser -D podman-remote -h /podman -u 1000
diff --git a/Makefile b/Makefile
@@ -12,7 +12,7 @@ GPG_IMAGE = gpg-signer
 
 BUILD_DIR = ./build
 
-BATS_VERSION = v1.8.2
+BATS_VERSION = v1.11.0
 BATS_DIR := $(BUILD_DIR)/bats-$(BATS_VERSION)
 BATS = $(BATS_DIR)/bin/bats
 BATS_TEST ?= test
@@ -145,7 +145,7 @@ run:
 		$(PODMAN_IMAGE) /bin/sh
 
 clean:
-	$(DOCKER) run --rm -v "`pwd`:/work" alpine:3.18 rm -rf /work/build
+	$(DOCKER) run --rm -v "`pwd`:/work" alpine:3.19 rm -rf /work/build
 
 run-server: podman-ssh
 	# TODO: make sshd log to stdout (while still ensuring that we know when it is available)

diff --git a/README.md b/README.md
@@ -6,16 +6,18 @@ This project provides alpine-based podman container images and statically linked
 * [conmon](https://github.com/containers/conmon)
 * [fuse-overlayfs](https://github.com/containers/fuse-overlayfs) and [libfuse](https://github.com/libfuse/libfuse)
 * [slirp4netns](https://github.com/rootless-containers/slirp4netns) (with [libslirp](https://gitlab.freedesktop.org/slirp/libslirp))
-* [CNI plugins](https://github.com/containernetworking/plugins): loopback, bridge, host-local, portmap, firewall, tuning
+* [Netavark](https://github.com/containers/netavark): container network stack and default in podman 5 or later
 * [catatonit](https://github.com/openSUSE/catatonit)
 
+CNI networking has been replaced with Netavark since Podman version 5.
+
 ## Container image
 
 The following image tags are supported:
 
 | Tag | Description |
 | --- | ----------- |
-| `latest`, `<VERSION>` | podman with both rootless and rootful dependencies: runc, conmon, fuse-overlayfs, slirp4netns, CNI plugins, catatonit. |
+| `latest`, `<VERSION>` | podman with both rootless and rootful dependencies: runc, conmon, fuse-overlayfs, slirp4netns, netavark, catatonit. |
 | `minimal`, `<VERSION>-minimal` | podman, crun, fuse-overlayfs and conmon binaries, configured to use the host's existing namespaces (low isolation level). |
 | `remote`, `<VERSION>-remote` | the podman remote binary. |
 
@@ -73,14 +75,16 @@ The following binaries should be installed on your host:
 * `nsenter`
 * `uidmap` (for rootless mode)
 
+[nftables](https://netfilter.org/projects/nftables/) (with or without optional iptables-nft wrapper) to be included in the future [WIP](https://github.com/containers/netavark/pull/883).  
+
 In order to run rootless containers that use multiple uids/gids you may want to set up a uid/gid mapping for your user on your host:
 ```
 sudo sh -c "echo $(id -un):100000:200000 >> /etc/subuid"
 sudo sh -c "echo $(id -gn):100000:200000 >> /etc/subgid"
 ```
 _Please make sure you don't add the mapping multiple times._  
 
-To support applications that use the `docker` command you may want to link it to `podman` as follows:
+To support applications that rely on the `docker` command, a quick option is to link `podman` as follows:
 ```sh
 sudo ln -s /usr/local/bin/podman /usr/local/bin/docker
 ```

diff --git a/conf/crun-containers.conf b/conf/crun-containers.conf
@@ -7,6 +7,7 @@ ipcns="host"
 utsns="host"
 cgroupns="host"
 cgroups="disabled"
+log_driver = "k8s-file"
 [engine]
 cgroup_manager = "cgroupfs"
 events_logger="file"

diff --git a/test/rootful.bats b/test/rootful.bats
@@ -13,7 +13,7 @@ skipIfDockerUnavailableAndNotRunAsRoot() {
 	fi
 }
 
-@test "rootful podman - internet connectivity (CNI networking)" {
+@test "rootful podman - internet connectivity" {
 	skipIfDockerUnavailableAndNotRunAsRoot
 	$DOCKER run --rm --privileged --entrypoint /bin/sh -u root:root \
 		-v "$PODMAN_ROOT_DATA_DIR:/var/lib/containers/storage" \

diff --git a/test/rootless.bats b/test/rootless.bats
@@ -31,7 +31,7 @@ teardown_file() {
 }
 
 @test "$TEST_PREFIX podman - unmapped uid" {
-	$DOCKER run --rm --privileged --user 9000:9000 \
+	$DOCKER run --rm --privileged --user 9000:9000 -e HOME=/tmp \
 		--pull=never "${PODMAN_IMAGE}" \
 		docker run --rm alpine:3.17 wget -O /dev/null http://example.org
 }