Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
This commit is contained in:
Doug Rabson
parent
0832ea2f35
commit
57a73847e4
265
run_common.go
265
run_common.go
|
|
@ -26,6 +26,8 @@ import (
|
||||||
"github.com/containers/buildah/bind"
|
"github.com/containers/buildah/bind"
|
||||||
"github.com/containers/buildah/copier"
|
"github.com/containers/buildah/copier"
|
||||||
"github.com/containers/buildah/define"
|
"github.com/containers/buildah/define"
|
||||||
|
"github.com/containers/buildah/internal"
|
||||||
|
internalParse "github.com/containers/buildah/internal/parse"
|
||||||
"github.com/containers/buildah/pkg/sshagent"
|
"github.com/containers/buildah/pkg/sshagent"
|
||||||
"github.com/containers/buildah/util"
|
"github.com/containers/buildah/util"
|
||||||
"github.com/containers/common/libnetwork/etchosts"
|
"github.com/containers/common/libnetwork/etchosts"
|
||||||
|
|
@ -34,6 +36,7 @@ import (
|
||||||
nettypes "github.com/containers/common/libnetwork/types"
|
nettypes "github.com/containers/common/libnetwork/types"
|
||||||
"github.com/containers/common/pkg/config"
|
"github.com/containers/common/pkg/config"
|
||||||
"github.com/containers/common/pkg/subscriptions"
|
"github.com/containers/common/pkg/subscriptions"
|
||||||
|
imagetypes "github.com/containers/image/v5/types"
|
||||||
"github.com/containers/storage"
|
"github.com/containers/storage"
|
||||||
"github.com/containers/storage/pkg/idtools"
|
"github.com/containers/storage/pkg/idtools"
|
||||||
"github.com/containers/storage/pkg/ioutils"
|
"github.com/containers/storage/pkg/ioutils"
|
||||||
|
|
@ -1523,3 +1526,265 @@ func (b *Builder) runSetupRunMounts(mounts []string, sources runMountInfo, idMap
|
||||||
}
|
}
|
||||||
return finalMounts, artifacts, nil
|
return finalMounts, artifacts, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (b *Builder) getBindMount(tokens []string, context *imagetypes.SystemContext, contextDir string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps) (*spec.Mount, string, error) {
|
||||||
|
if contextDir == "" {
|
||||||
|
return nil, "", errors.New("Context Directory for current run invocation is not configured")
|
||||||
|
}
|
||||||
|
var optionMounts []specs.Mount
|
||||||
|
mount, image, err := internalParse.GetBindMount(context, tokens, contextDir, b.store, b.MountLabel, stageMountPoints)
|
||||||
|
if err != nil {
|
||||||
|
return nil, image, err
|
||||||
|
}
|
||||||
|
optionMounts = append(optionMounts, mount)
|
||||||
|
volumes, err := b.runSetupVolumeMounts(b.MountLabel, nil, optionMounts, idMaps)
|
||||||
|
if err != nil {
|
||||||
|
return nil, image, err
|
||||||
|
}
|
||||||
|
return &volumes[0], image, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (b *Builder) getTmpfsMount(tokens []string, idMaps IDMaps) (*spec.Mount, error) {
|
||||||
|
var optionMounts []specs.Mount
|
||||||
|
mount, err := internalParse.GetTmpfsMount(tokens)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
optionMounts = append(optionMounts, mount)
|
||||||
|
volumes, err := b.runSetupVolumeMounts(b.MountLabel, nil, optionMounts, idMaps)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return &volumes[0], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (b *Builder) getSecretMount(tokens []string, secrets map[string]define.Secret, idMaps IDMaps) (*spec.Mount, string, error) {
|
||||||
|
errInvalidSyntax := errors.New("secret should have syntax id=id[,target=path,required=bool,mode=uint,uid=uint,gid=uint")
|
||||||
|
if len(tokens) == 0 {
|
||||||
|
return nil, "", errInvalidSyntax
|
||||||
|
}
|
||||||
|
var err error
|
||||||
|
var id, target string
|
||||||
|
var required bool
|
||||||
|
var uid, gid uint32
|
||||||
|
var mode uint32 = 0400
|
||||||
|
for _, val := range tokens {
|
||||||
|
kv := strings.SplitN(val, "=", 2)
|
||||||
|
switch kv[0] {
|
||||||
|
case "id":
|
||||||
|
id = kv[1]
|
||||||
|
case "target", "dst", "destination":
|
||||||
|
target = kv[1]
|
||||||
|
case "required":
|
||||||
|
required, err = strconv.ParseBool(kv[1])
|
||||||
|
if err != nil {
|
||||||
|
return nil, "", errInvalidSyntax
|
||||||
|
}
|
||||||
|
case "mode":
|
||||||
|
mode64, err := strconv.ParseUint(kv[1], 8, 32)
|
||||||
|
if err != nil {
|
||||||
|
return nil, "", errInvalidSyntax
|
||||||
|
}
|
||||||
|
mode = uint32(mode64)
|
||||||
|
case "uid":
|
||||||
|
uid64, err := strconv.ParseUint(kv[1], 10, 32)
|
||||||
|
if err != nil {
|
||||||
|
return nil, "", errInvalidSyntax
|
||||||
|
}
|
||||||
|
uid = uint32(uid64)
|
||||||
|
case "gid":
|
||||||
|
gid64, err := strconv.ParseUint(kv[1], 10, 32)
|
||||||
|
if err != nil {
|
||||||
|
return nil, "", errInvalidSyntax
|
||||||
|
}
|
||||||
|
gid = uint32(gid64)
|
||||||
|
default:
|
||||||
|
return nil, "", errInvalidSyntax
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if id == "" {
|
||||||
|
return nil, "", errInvalidSyntax
|
||||||
|
}
|
||||||
|
// Default location for secretis is /run/secrets/id
|
||||||
|
if target == "" {
|
||||||
|
target = "/run/secrets/" + id
|
||||||
|
}
|
||||||
|
|
||||||
|
secr, ok := secrets[id]
|
||||||
|
if !ok {
|
||||||
|
if required {
|
||||||
|
return nil, "", fmt.Errorf("secret required but no secret with id %s found", id)
|
||||||
|
}
|
||||||
|
return nil, "", nil
|
||||||
|
}
|
||||||
|
var data []byte
|
||||||
|
var envFile string
|
||||||
|
var ctrFileOnHost string
|
||||||
|
|
||||||
|
switch secr.SourceType {
|
||||||
|
case "env":
|
||||||
|
data = []byte(os.Getenv(secr.Source))
|
||||||
|
tmpFile, err := ioutil.TempFile("/dev/shm", "buildah*")
|
||||||
|
if err != nil {
|
||||||
|
return nil, "", err
|
||||||
|
}
|
||||||
|
envFile = tmpFile.Name()
|
||||||
|
ctrFileOnHost = tmpFile.Name()
|
||||||
|
case "file":
|
||||||
|
containerWorkingDir, err := b.store.ContainerDirectory(b.ContainerID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, "", err
|
||||||
|
}
|
||||||
|
data, err = ioutil.ReadFile(secr.Source)
|
||||||
|
if err != nil {
|
||||||
|
return nil, "", err
|
||||||
|
}
|
||||||
|
ctrFileOnHost = filepath.Join(containerWorkingDir, "secrets", id)
|
||||||
|
default:
|
||||||
|
return nil, "", errors.New("invalid source secret type")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Copy secrets to container working dir (or tmp dir if it's an env), since we need to chmod,
|
||||||
|
// chown and relabel it for the container user and we don't want to mess with the original file
|
||||||
|
if err := os.MkdirAll(filepath.Dir(ctrFileOnHost), 0755); err != nil {
|
||||||
|
return nil, "", err
|
||||||
|
}
|
||||||
|
if err := ioutil.WriteFile(ctrFileOnHost, data, 0644); err != nil {
|
||||||
|
return nil, "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := label.Relabel(ctrFileOnHost, b.MountLabel, false); err != nil {
|
||||||
|
return nil, "", err
|
||||||
|
}
|
||||||
|
hostUID, hostGID, err := util.GetHostIDs(idMaps.uidmap, idMaps.gidmap, uid, gid)
|
||||||
|
if err != nil {
|
||||||
|
return nil, "", err
|
||||||
|
}
|
||||||
|
if err := os.Lchown(ctrFileOnHost, int(hostUID), int(hostGID)); err != nil {
|
||||||
|
return nil, "", err
|
||||||
|
}
|
||||||
|
if err := os.Chmod(ctrFileOnHost, os.FileMode(mode)); err != nil {
|
||||||
|
return nil, "", err
|
||||||
|
}
|
||||||
|
newMount := specs.Mount{
|
||||||
|
Destination: target,
|
||||||
|
Type: "bind",
|
||||||
|
Source: ctrFileOnHost,
|
||||||
|
Options: []string{"bind", "rprivate", "ro"},
|
||||||
|
}
|
||||||
|
return &newMount, envFile, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// getSSHMount parses the --mount type=ssh flag in the Containerfile, checks if there's an ssh source provided, and creates and starts an ssh-agent to be forwarded into the container
|
||||||
|
func (b *Builder) getSSHMount(tokens []string, count int, sshsources map[string]*sshagent.Source, idMaps IDMaps) (*spec.Mount, *sshagent.AgentServer, error) {
|
||||||
|
errInvalidSyntax := errors.New("ssh should have syntax id=id[,target=path,required=bool,mode=uint,uid=uint,gid=uint")
|
||||||
|
|
||||||
|
var err error
|
||||||
|
var id, target string
|
||||||
|
var required bool
|
||||||
|
var uid, gid uint32
|
||||||
|
var mode uint32 = 400
|
||||||
|
for _, val := range tokens {
|
||||||
|
kv := strings.SplitN(val, "=", 2)
|
||||||
|
if len(kv) < 2 {
|
||||||
|
return nil, nil, errInvalidSyntax
|
||||||
|
}
|
||||||
|
switch kv[0] {
|
||||||
|
case "id":
|
||||||
|
id = kv[1]
|
||||||
|
case "target", "dst", "destination":
|
||||||
|
target = kv[1]
|
||||||
|
case "required":
|
||||||
|
required, err = strconv.ParseBool(kv[1])
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, errInvalidSyntax
|
||||||
|
}
|
||||||
|
case "mode":
|
||||||
|
mode64, err := strconv.ParseUint(kv[1], 8, 32)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, errInvalidSyntax
|
||||||
|
}
|
||||||
|
mode = uint32(mode64)
|
||||||
|
case "uid":
|
||||||
|
uid64, err := strconv.ParseUint(kv[1], 10, 32)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, errInvalidSyntax
|
||||||
|
}
|
||||||
|
uid = uint32(uid64)
|
||||||
|
case "gid":
|
||||||
|
gid64, err := strconv.ParseUint(kv[1], 10, 32)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, errInvalidSyntax
|
||||||
|
}
|
||||||
|
gid = uint32(gid64)
|
||||||
|
default:
|
||||||
|
return nil, nil, errInvalidSyntax
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if id == "" {
|
||||||
|
id = "default"
|
||||||
|
}
|
||||||
|
// Default location for secretis is /run/buildkit/ssh_agent.{i}
|
||||||
|
if target == "" {
|
||||||
|
target = fmt.Sprintf("/run/buildkit/ssh_agent.%d", count)
|
||||||
|
}
|
||||||
|
|
||||||
|
sshsource, ok := sshsources[id]
|
||||||
|
if !ok {
|
||||||
|
if required {
|
||||||
|
return nil, nil, fmt.Errorf("ssh required but no ssh with id %s found", id)
|
||||||
|
}
|
||||||
|
return nil, nil, nil
|
||||||
|
}
|
||||||
|
// Create new agent from keys or socket
|
||||||
|
fwdAgent, err := sshagent.NewAgentServer(sshsource)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
// Start ssh server, and get the host sock we're mounting in the container
|
||||||
|
hostSock, err := fwdAgent.Serve(b.ProcessLabel)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := label.Relabel(filepath.Dir(hostSock), b.MountLabel, false); err != nil {
|
||||||
|
if shutdownErr := fwdAgent.Shutdown(); shutdownErr != nil {
|
||||||
|
b.Logger.Errorf("error shutting down agent: %v", shutdownErr)
|
||||||
|
}
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
if err := label.Relabel(hostSock, b.MountLabel, false); err != nil {
|
||||||
|
if shutdownErr := fwdAgent.Shutdown(); shutdownErr != nil {
|
||||||
|
b.Logger.Errorf("error shutting down agent: %v", shutdownErr)
|
||||||
|
}
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
hostUID, hostGID, err := util.GetHostIDs(idMaps.uidmap, idMaps.gidmap, uid, gid)
|
||||||
|
if err != nil {
|
||||||
|
if shutdownErr := fwdAgent.Shutdown(); shutdownErr != nil {
|
||||||
|
b.Logger.Errorf("error shutting down agent: %v", shutdownErr)
|
||||||
|
}
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
if err := os.Lchown(hostSock, int(hostUID), int(hostGID)); err != nil {
|
||||||
|
if shutdownErr := fwdAgent.Shutdown(); shutdownErr != nil {
|
||||||
|
b.Logger.Errorf("error shutting down agent: %v", shutdownErr)
|
||||||
|
}
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
if err := os.Chmod(hostSock, os.FileMode(mode)); err != nil {
|
||||||
|
if shutdownErr := fwdAgent.Shutdown(); shutdownErr != nil {
|
||||||
|
b.Logger.Errorf("error shutting down agent: %v", shutdownErr)
|
||||||
|
}
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
newMount := specs.Mount{
|
||||||
|
Destination: target,
|
||||||
|
Type: "bind",
|
||||||
|
Source: hostSock,
|
||||||
|
Options: []string{"bind", "rprivate", "ro"},
|
||||||
|
}
|
||||||
|
return &newMount, fwdAgent, nil
|
||||||
|
}
|
||||||
|
|
|
||||||
267
run_freebsd.go
267
run_freebsd.go
|
|
@ -9,7 +9,6 @@ import (
|
||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"strconv"
|
|
||||||
"strings"
|
"strings"
|
||||||
"syscall"
|
"syscall"
|
||||||
"unsafe"
|
"unsafe"
|
||||||
|
|
@ -19,11 +18,9 @@ import (
|
||||||
"github.com/containers/buildah/copier"
|
"github.com/containers/buildah/copier"
|
||||||
"github.com/containers/buildah/define"
|
"github.com/containers/buildah/define"
|
||||||
"github.com/containers/buildah/internal"
|
"github.com/containers/buildah/internal"
|
||||||
internalParse "github.com/containers/buildah/internal/parse"
|
|
||||||
internalUtil "github.com/containers/buildah/internal/util"
|
internalUtil "github.com/containers/buildah/internal/util"
|
||||||
"github.com/containers/buildah/pkg/jail"
|
"github.com/containers/buildah/pkg/jail"
|
||||||
"github.com/containers/buildah/pkg/overlay"
|
"github.com/containers/buildah/pkg/overlay"
|
||||||
"github.com/containers/buildah/pkg/sshagent"
|
|
||||||
"github.com/containers/buildah/util"
|
"github.com/containers/buildah/util"
|
||||||
"github.com/containers/common/libnetwork/resolvconf"
|
"github.com/containers/common/libnetwork/resolvconf"
|
||||||
nettypes "github.com/containers/common/libnetwork/types"
|
nettypes "github.com/containers/common/libnetwork/types"
|
||||||
|
|
@ -37,7 +34,6 @@ import (
|
||||||
"github.com/opencontainers/runtime-spec/specs-go"
|
"github.com/opencontainers/runtime-spec/specs-go"
|
||||||
spec "github.com/opencontainers/runtime-spec/specs-go"
|
spec "github.com/opencontainers/runtime-spec/specs-go"
|
||||||
"github.com/opencontainers/runtime-tools/generate"
|
"github.com/opencontainers/runtime-tools/generate"
|
||||||
"github.com/opencontainers/selinux/go-selinux/label"
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/sirupsen/logrus"
|
"github.com/sirupsen/logrus"
|
||||||
"golang.org/x/sys/unix"
|
"golang.org/x/sys/unix"
|
||||||
|
|
@ -320,269 +316,6 @@ func (b *Builder) getCacheMount(tokens []string, stageMountPoints map[string]int
|
||||||
return nil, nil, errors.New("cache mounts not supported on freebsd")
|
return nil, nil, errors.New("cache mounts not supported on freebsd")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (b *Builder) getSecretMount(tokens []string, secrets map[string]define.Secret, idMaps IDMaps) (*spec.Mount, string, error) {
|
|
||||||
errInvalidSyntax := errors.New("secret should have syntax id=id[,target=path,required=bool,mode=uint,uid=uint,gid=uint")
|
|
||||||
if len(tokens) == 0 {
|
|
||||||
return nil, "", errInvalidSyntax
|
|
||||||
}
|
|
||||||
var err error
|
|
||||||
var id, target string
|
|
||||||
var required bool
|
|
||||||
var uid, gid uint32
|
|
||||||
var mode uint32 = 0400
|
|
||||||
for _, val := range tokens {
|
|
||||||
kv := strings.SplitN(val, "=", 2)
|
|
||||||
switch kv[0] {
|
|
||||||
case "id":
|
|
||||||
id = kv[1]
|
|
||||||
case "target", "dst", "destination":
|
|
||||||
target = kv[1]
|
|
||||||
case "required":
|
|
||||||
required, err = strconv.ParseBool(kv[1])
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", errInvalidSyntax
|
|
||||||
}
|
|
||||||
case "mode":
|
|
||||||
mode64, err := strconv.ParseUint(kv[1], 8, 32)
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", errInvalidSyntax
|
|
||||||
}
|
|
||||||
mode = uint32(mode64)
|
|
||||||
case "uid":
|
|
||||||
uid64, err := strconv.ParseUint(kv[1], 10, 32)
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", errInvalidSyntax
|
|
||||||
}
|
|
||||||
uid = uint32(uid64)
|
|
||||||
case "gid":
|
|
||||||
gid64, err := strconv.ParseUint(kv[1], 10, 32)
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", errInvalidSyntax
|
|
||||||
}
|
|
||||||
gid = uint32(gid64)
|
|
||||||
default:
|
|
||||||
return nil, "", errInvalidSyntax
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if id == "" {
|
|
||||||
return nil, "", errInvalidSyntax
|
|
||||||
}
|
|
||||||
// Default location for secretis is /run/secrets/id
|
|
||||||
if target == "" {
|
|
||||||
target = "/run/secrets/" + id
|
|
||||||
}
|
|
||||||
|
|
||||||
secr, ok := secrets[id]
|
|
||||||
if !ok {
|
|
||||||
if required {
|
|
||||||
return nil, "", errors.Errorf("secret required but no secret with id %s found", id)
|
|
||||||
}
|
|
||||||
return nil, "", nil
|
|
||||||
}
|
|
||||||
var data []byte
|
|
||||||
var envFile string
|
|
||||||
var ctrFileOnHost string
|
|
||||||
|
|
||||||
switch secr.SourceType {
|
|
||||||
case "env":
|
|
||||||
data = []byte(os.Getenv(secr.Source))
|
|
||||||
tmpFile, err := ioutil.TempFile("/var/tmp", "buildah*")
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
envFile = tmpFile.Name()
|
|
||||||
ctrFileOnHost = tmpFile.Name()
|
|
||||||
case "file":
|
|
||||||
containerWorkingDir, err := b.store.ContainerDirectory(b.ContainerID)
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
data, err = ioutil.ReadFile(secr.Source)
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
ctrFileOnHost = filepath.Join(containerWorkingDir, "secrets", id)
|
|
||||||
default:
|
|
||||||
return nil, "", errors.New("invalid source secret type")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Copy secrets to container working dir (or tmp dir if it's an env), since we need to chmod,
|
|
||||||
// chown and relabel it for the container user and we don't want to mess with the original file
|
|
||||||
if err := os.MkdirAll(filepath.Dir(ctrFileOnHost), 0755); err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
if err := ioutil.WriteFile(ctrFileOnHost, data, 0644); err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := label.Relabel(ctrFileOnHost, b.MountLabel, false); err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
hostUID, hostGID, err := util.GetHostIDs(nil, nil, uid, gid)
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
if err := os.Lchown(ctrFileOnHost, int(hostUID), int(hostGID)); err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
if err := os.Chmod(ctrFileOnHost, os.FileMode(mode)); err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
newMount := specs.Mount{
|
|
||||||
Destination: target,
|
|
||||||
Type: "nullfs",
|
|
||||||
Source: ctrFileOnHost,
|
|
||||||
Options: []string{"ro"},
|
|
||||||
}
|
|
||||||
return &newMount, envFile, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// getSSHMount parses the --mount type=ssh flag in the Containerfile, checks if there's an ssh source provided, and creates and starts an ssh-agent to be forwarded into the container
|
|
||||||
func (b *Builder) getSSHMount(tokens []string, count int, sshsources map[string]*sshagent.Source, idMaps IDMaps) (*spec.Mount, *sshagent.AgentServer, error) {
|
|
||||||
errInvalidSyntax := errors.New("ssh should have syntax id=id[,target=path,required=bool,mode=uint,uid=uint,gid=uint")
|
|
||||||
|
|
||||||
var err error
|
|
||||||
var id, target string
|
|
||||||
var required bool
|
|
||||||
var uid, gid uint32
|
|
||||||
var mode uint32 = 400
|
|
||||||
for _, val := range tokens {
|
|
||||||
kv := strings.SplitN(val, "=", 2)
|
|
||||||
if len(kv) < 2 {
|
|
||||||
return nil, nil, errInvalidSyntax
|
|
||||||
}
|
|
||||||
switch kv[0] {
|
|
||||||
case "id":
|
|
||||||
id = kv[1]
|
|
||||||
case "target", "dst", "destination":
|
|
||||||
target = kv[1]
|
|
||||||
case "required":
|
|
||||||
required, err = strconv.ParseBool(kv[1])
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, errInvalidSyntax
|
|
||||||
}
|
|
||||||
case "mode":
|
|
||||||
mode64, err := strconv.ParseUint(kv[1], 8, 32)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, errInvalidSyntax
|
|
||||||
}
|
|
||||||
mode = uint32(mode64)
|
|
||||||
case "uid":
|
|
||||||
uid64, err := strconv.ParseUint(kv[1], 10, 32)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, errInvalidSyntax
|
|
||||||
}
|
|
||||||
uid = uint32(uid64)
|
|
||||||
case "gid":
|
|
||||||
gid64, err := strconv.ParseUint(kv[1], 10, 32)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, errInvalidSyntax
|
|
||||||
}
|
|
||||||
gid = uint32(gid64)
|
|
||||||
default:
|
|
||||||
return nil, nil, errInvalidSyntax
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if id == "" {
|
|
||||||
id = "default"
|
|
||||||
}
|
|
||||||
// Default location for secretis is /run/buildkit/ssh_agent.{i}
|
|
||||||
if target == "" {
|
|
||||||
target = fmt.Sprintf("/run/buildkit/ssh_agent.%d", count)
|
|
||||||
}
|
|
||||||
|
|
||||||
sshsource, ok := sshsources[id]
|
|
||||||
if !ok {
|
|
||||||
if required {
|
|
||||||
return nil, nil, errors.Errorf("ssh required but no ssh with id %s found", id)
|
|
||||||
}
|
|
||||||
return nil, nil, nil
|
|
||||||
}
|
|
||||||
// Create new agent from keys or socket
|
|
||||||
fwdAgent, err := sshagent.NewAgentServer(sshsource)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
// Start ssh server, and get the host sock we're mounting in the container
|
|
||||||
hostSock, err := fwdAgent.Serve(b.ProcessLabel)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := label.Relabel(filepath.Dir(hostSock), b.MountLabel, false); err != nil {
|
|
||||||
if shutdownErr := fwdAgent.Shutdown(); shutdownErr != nil {
|
|
||||||
b.Logger.Errorf("error shutting down agent: %v", shutdownErr)
|
|
||||||
}
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
if err := label.Relabel(hostSock, b.MountLabel, false); err != nil {
|
|
||||||
if shutdownErr := fwdAgent.Shutdown(); shutdownErr != nil {
|
|
||||||
b.Logger.Errorf("error shutting down agent: %v", shutdownErr)
|
|
||||||
}
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
hostUID, hostGID, err := util.GetHostIDs(nil, nil, uid, gid)
|
|
||||||
if err != nil {
|
|
||||||
if shutdownErr := fwdAgent.Shutdown(); shutdownErr != nil {
|
|
||||||
b.Logger.Errorf("error shutting down agent: %v", shutdownErr)
|
|
||||||
}
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
if err := os.Lchown(hostSock, int(hostUID), int(hostGID)); err != nil {
|
|
||||||
if shutdownErr := fwdAgent.Shutdown(); shutdownErr != nil {
|
|
||||||
b.Logger.Errorf("error shutting down agent: %v", shutdownErr)
|
|
||||||
}
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
if err := os.Chmod(hostSock, os.FileMode(mode)); err != nil {
|
|
||||||
if shutdownErr := fwdAgent.Shutdown(); shutdownErr != nil {
|
|
||||||
b.Logger.Errorf("error shutting down agent: %v", shutdownErr)
|
|
||||||
}
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
newMount := specs.Mount{
|
|
||||||
Destination: target,
|
|
||||||
Type: "nullfs",
|
|
||||||
Source: hostSock,
|
|
||||||
Options: []string{"ro"},
|
|
||||||
}
|
|
||||||
return &newMount, fwdAgent, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (b *Builder) getBindMount(tokens []string, context *imagetypes.SystemContext, contextDir string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps) (*spec.Mount, string, error) {
|
|
||||||
if contextDir == "" {
|
|
||||||
return nil, "", errors.New("Context Directory for current run invocation is not configured")
|
|
||||||
}
|
|
||||||
var optionMounts []specs.Mount
|
|
||||||
mount, image, err := internalParse.GetBindMount(context, tokens, contextDir, b.store, b.MountLabel, stageMountPoints)
|
|
||||||
if err != nil {
|
|
||||||
return nil, image, err
|
|
||||||
}
|
|
||||||
optionMounts = append(optionMounts, mount)
|
|
||||||
volumes, err := b.runSetupVolumeMounts(b.MountLabel, nil, optionMounts, idMaps)
|
|
||||||
if err != nil {
|
|
||||||
return nil, image, err
|
|
||||||
}
|
|
||||||
return &volumes[0], image, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (b *Builder) getTmpfsMount(tokens []string, idMaps IDMaps) (*spec.Mount, error) {
|
|
||||||
var optionMounts []specs.Mount
|
|
||||||
mount, err := internalParse.GetTmpfsMount(tokens)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
optionMounts = append(optionMounts, mount)
|
|
||||||
volumes, err := b.runSetupVolumeMounts(b.MountLabel, nil, optionMounts, idMaps)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return &volumes[0], nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (b *Builder) cleanupTempVolumes() {
|
func (b *Builder) cleanupTempVolumes() {
|
||||||
for tempVolume, val := range b.TempVolumes {
|
for tempVolume, val := range b.TempVolumes {
|
||||||
if val {
|
if val {
|
||||||
|
|
|
||||||
263
run_linux.go
263
run_linux.go
|
|
@ -25,7 +25,6 @@ import (
|
||||||
internalUtil "github.com/containers/buildah/internal/util"
|
internalUtil "github.com/containers/buildah/internal/util"
|
||||||
"github.com/containers/buildah/pkg/overlay"
|
"github.com/containers/buildah/pkg/overlay"
|
||||||
"github.com/containers/buildah/pkg/parse"
|
"github.com/containers/buildah/pkg/parse"
|
||||||
"github.com/containers/buildah/pkg/sshagent"
|
|
||||||
"github.com/containers/buildah/util"
|
"github.com/containers/buildah/util"
|
||||||
"github.com/containers/common/libnetwork/resolvconf"
|
"github.com/containers/common/libnetwork/resolvconf"
|
||||||
nettypes "github.com/containers/common/libnetwork/types"
|
nettypes "github.com/containers/common/libnetwork/types"
|
||||||
|
|
@ -1176,37 +1175,6 @@ func checkIdsGreaterThan5(ids []spec.LinuxIDMapping) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
func (b *Builder) getBindMount(tokens []string, context *imagetypes.SystemContext, contextDir string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps) (*spec.Mount, string, error) {
|
|
||||||
if contextDir == "" {
|
|
||||||
return nil, "", errors.New("Context Directory for current run invocation is not configured")
|
|
||||||
}
|
|
||||||
var optionMounts []specs.Mount
|
|
||||||
mount, image, err := internalParse.GetBindMount(context, tokens, contextDir, b.store, b.MountLabel, stageMountPoints)
|
|
||||||
if err != nil {
|
|
||||||
return nil, image, err
|
|
||||||
}
|
|
||||||
optionMounts = append(optionMounts, mount)
|
|
||||||
volumes, err := b.runSetupVolumeMounts(b.MountLabel, nil, optionMounts, idMaps)
|
|
||||||
if err != nil {
|
|
||||||
return nil, image, err
|
|
||||||
}
|
|
||||||
return &volumes[0], image, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (b *Builder) getTmpfsMount(tokens []string, idMaps IDMaps) (*spec.Mount, error) {
|
|
||||||
var optionMounts []specs.Mount
|
|
||||||
mount, err := internalParse.GetTmpfsMount(tokens)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
optionMounts = append(optionMounts, mount)
|
|
||||||
volumes, err := b.runSetupVolumeMounts(b.MountLabel, nil, optionMounts, idMaps)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return &volumes[0], nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (b *Builder) getCacheMount(tokens []string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps) (*spec.Mount, []string, error) {
|
func (b *Builder) getCacheMount(tokens []string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps) (*spec.Mount, []string, error) {
|
||||||
var optionMounts []specs.Mount
|
var optionMounts []specs.Mount
|
||||||
mount, lockedTargets, err := internalParse.GetCacheMount(tokens, b.store, b.MountLabel, stageMountPoints)
|
mount, lockedTargets, err := internalParse.GetCacheMount(tokens, b.store, b.MountLabel, stageMountPoints)
|
||||||
|
|
@ -1221,237 +1189,6 @@ func (b *Builder) getCacheMount(tokens []string, stageMountPoints map[string]int
|
||||||
return &volumes[0], lockedTargets, nil
|
return &volumes[0], lockedTargets, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (b *Builder) getSecretMount(tokens []string, secrets map[string]define.Secret, idMaps IDMaps) (*spec.Mount, string, error) {
|
|
||||||
errInvalidSyntax := errors.New("secret should have syntax id=id[,target=path,required=bool,mode=uint,uid=uint,gid=uint")
|
|
||||||
if len(tokens) == 0 {
|
|
||||||
return nil, "", errInvalidSyntax
|
|
||||||
}
|
|
||||||
var err error
|
|
||||||
var id, target string
|
|
||||||
var required bool
|
|
||||||
var uid, gid uint32
|
|
||||||
var mode uint32 = 0400
|
|
||||||
for _, val := range tokens {
|
|
||||||
kv := strings.SplitN(val, "=", 2)
|
|
||||||
switch kv[0] {
|
|
||||||
case "id":
|
|
||||||
id = kv[1]
|
|
||||||
case "target", "dst", "destination":
|
|
||||||
target = kv[1]
|
|
||||||
case "required":
|
|
||||||
required, err = strconv.ParseBool(kv[1])
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", errInvalidSyntax
|
|
||||||
}
|
|
||||||
case "mode":
|
|
||||||
mode64, err := strconv.ParseUint(kv[1], 8, 32)
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", errInvalidSyntax
|
|
||||||
}
|
|
||||||
mode = uint32(mode64)
|
|
||||||
case "uid":
|
|
||||||
uid64, err := strconv.ParseUint(kv[1], 10, 32)
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", errInvalidSyntax
|
|
||||||
}
|
|
||||||
uid = uint32(uid64)
|
|
||||||
case "gid":
|
|
||||||
gid64, err := strconv.ParseUint(kv[1], 10, 32)
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", errInvalidSyntax
|
|
||||||
}
|
|
||||||
gid = uint32(gid64)
|
|
||||||
default:
|
|
||||||
return nil, "", errInvalidSyntax
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if id == "" {
|
|
||||||
return nil, "", errInvalidSyntax
|
|
||||||
}
|
|
||||||
// Default location for secretis is /run/secrets/id
|
|
||||||
if target == "" {
|
|
||||||
target = "/run/secrets/" + id
|
|
||||||
}
|
|
||||||
|
|
||||||
secr, ok := secrets[id]
|
|
||||||
if !ok {
|
|
||||||
if required {
|
|
||||||
return nil, "", fmt.Errorf("secret required but no secret with id %s found", id)
|
|
||||||
}
|
|
||||||
return nil, "", nil
|
|
||||||
}
|
|
||||||
var data []byte
|
|
||||||
var envFile string
|
|
||||||
var ctrFileOnHost string
|
|
||||||
|
|
||||||
switch secr.SourceType {
|
|
||||||
case "env":
|
|
||||||
data = []byte(os.Getenv(secr.Source))
|
|
||||||
tmpFile, err := ioutil.TempFile("/dev/shm", "buildah*")
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
envFile = tmpFile.Name()
|
|
||||||
ctrFileOnHost = tmpFile.Name()
|
|
||||||
case "file":
|
|
||||||
containerWorkingDir, err := b.store.ContainerDirectory(b.ContainerID)
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
data, err = ioutil.ReadFile(secr.Source)
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
ctrFileOnHost = filepath.Join(containerWorkingDir, "secrets", id)
|
|
||||||
default:
|
|
||||||
return nil, "", errors.New("invalid source secret type")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Copy secrets to container working dir (or tmp dir if it's an env), since we need to chmod,
|
|
||||||
// chown and relabel it for the container user and we don't want to mess with the original file
|
|
||||||
if err := os.MkdirAll(filepath.Dir(ctrFileOnHost), 0755); err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
if err := ioutil.WriteFile(ctrFileOnHost, data, 0644); err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := label.Relabel(ctrFileOnHost, b.MountLabel, false); err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
hostUID, hostGID, err := util.GetHostIDs(idMaps.uidmap, idMaps.gidmap, uid, gid)
|
|
||||||
if err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
if err := os.Lchown(ctrFileOnHost, int(hostUID), int(hostGID)); err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
if err := os.Chmod(ctrFileOnHost, os.FileMode(mode)); err != nil {
|
|
||||||
return nil, "", err
|
|
||||||
}
|
|
||||||
newMount := specs.Mount{
|
|
||||||
Destination: target,
|
|
||||||
Type: "bind",
|
|
||||||
Source: ctrFileOnHost,
|
|
||||||
Options: []string{"bind", "rprivate", "ro"},
|
|
||||||
}
|
|
||||||
return &newMount, envFile, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// getSSHMount parses the --mount type=ssh flag in the Containerfile, checks if there's an ssh source provided, and creates and starts an ssh-agent to be forwarded into the container
|
|
||||||
func (b *Builder) getSSHMount(tokens []string, count int, sshsources map[string]*sshagent.Source, idMaps IDMaps) (*spec.Mount, *sshagent.AgentServer, error) {
|
|
||||||
errInvalidSyntax := errors.New("ssh should have syntax id=id[,target=path,required=bool,mode=uint,uid=uint,gid=uint")
|
|
||||||
|
|
||||||
var err error
|
|
||||||
var id, target string
|
|
||||||
var required bool
|
|
||||||
var uid, gid uint32
|
|
||||||
var mode uint32 = 400
|
|
||||||
for _, val := range tokens {
|
|
||||||
kv := strings.SplitN(val, "=", 2)
|
|
||||||
if len(kv) < 2 {
|
|
||||||
return nil, nil, errInvalidSyntax
|
|
||||||
}
|
|
||||||
switch kv[0] {
|
|
||||||
case "id":
|
|
||||||
id = kv[1]
|
|
||||||
case "target", "dst", "destination":
|
|
||||||
target = kv[1]
|
|
||||||
case "required":
|
|
||||||
required, err = strconv.ParseBool(kv[1])
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, errInvalidSyntax
|
|
||||||
}
|
|
||||||
case "mode":
|
|
||||||
mode64, err := strconv.ParseUint(kv[1], 8, 32)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, errInvalidSyntax
|
|
||||||
}
|
|
||||||
mode = uint32(mode64)
|
|
||||||
case "uid":
|
|
||||||
uid64, err := strconv.ParseUint(kv[1], 10, 32)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, errInvalidSyntax
|
|
||||||
}
|
|
||||||
uid = uint32(uid64)
|
|
||||||
case "gid":
|
|
||||||
gid64, err := strconv.ParseUint(kv[1], 10, 32)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, errInvalidSyntax
|
|
||||||
}
|
|
||||||
gid = uint32(gid64)
|
|
||||||
default:
|
|
||||||
return nil, nil, errInvalidSyntax
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if id == "" {
|
|
||||||
id = "default"
|
|
||||||
}
|
|
||||||
// Default location for secretis is /run/buildkit/ssh_agent.{i}
|
|
||||||
if target == "" {
|
|
||||||
target = fmt.Sprintf("/run/buildkit/ssh_agent.%d", count)
|
|
||||||
}
|
|
||||||
|
|
||||||
sshsource, ok := sshsources[id]
|
|
||||||
if !ok {
|
|
||||||
if required {
|
|
||||||
return nil, nil, fmt.Errorf("ssh required but no ssh with id %s found", id)
|
|
||||||
}
|
|
||||||
return nil, nil, nil
|
|
||||||
}
|
|
||||||
// Create new agent from keys or socket
|
|
||||||
fwdAgent, err := sshagent.NewAgentServer(sshsource)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
// Start ssh server, and get the host sock we're mounting in the container
|
|
||||||
hostSock, err := fwdAgent.Serve(b.ProcessLabel)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := label.Relabel(filepath.Dir(hostSock), b.MountLabel, false); err != nil {
|
|
||||||
if shutdownErr := fwdAgent.Shutdown(); shutdownErr != nil {
|
|
||||||
b.Logger.Errorf("error shutting down agent: %v", shutdownErr)
|
|
||||||
}
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
if err := label.Relabel(hostSock, b.MountLabel, false); err != nil {
|
|
||||||
if shutdownErr := fwdAgent.Shutdown(); shutdownErr != nil {
|
|
||||||
b.Logger.Errorf("error shutting down agent: %v", shutdownErr)
|
|
||||||
}
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
hostUID, hostGID, err := util.GetHostIDs(idMaps.uidmap, idMaps.gidmap, uid, gid)
|
|
||||||
if err != nil {
|
|
||||||
if shutdownErr := fwdAgent.Shutdown(); shutdownErr != nil {
|
|
||||||
b.Logger.Errorf("error shutting down agent: %v", shutdownErr)
|
|
||||||
}
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
if err := os.Lchown(hostSock, int(hostUID), int(hostGID)); err != nil {
|
|
||||||
if shutdownErr := fwdAgent.Shutdown(); shutdownErr != nil {
|
|
||||||
b.Logger.Errorf("error shutting down agent: %v", shutdownErr)
|
|
||||||
}
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
if err := os.Chmod(hostSock, os.FileMode(mode)); err != nil {
|
|
||||||
if shutdownErr := fwdAgent.Shutdown(); shutdownErr != nil {
|
|
||||||
b.Logger.Errorf("error shutting down agent: %v", shutdownErr)
|
|
||||||
}
|
|
||||||
return nil, nil, err
|
|
||||||
}
|
|
||||||
newMount := specs.Mount{
|
|
||||||
Destination: target,
|
|
||||||
Type: "bind",
|
|
||||||
Source: hostSock,
|
|
||||||
Options: []string{"bind", "rprivate", "ro"},
|
|
||||||
}
|
|
||||||
return &newMount, fwdAgent, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// cleanupRunMounts cleans up run mounts so they only appear in this run.
|
// cleanupRunMounts cleans up run mounts so they only appear in this run.
|
||||||
func (b *Builder) cleanupRunMounts(context *imagetypes.SystemContext, mountpoint string, artifacts *runMountArtifacts) error {
|
func (b *Builder) cleanupRunMounts(context *imagetypes.SystemContext, mountpoint string, artifacts *runMountArtifacts) error {
|
||||||
for _, agent := range artifacts.Agents {
|
for _, agent := range artifacts.Agents {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue