run: after we've picked up the exit status of the "main" process that
we're running, reap anything that was reparented to us before returning.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
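Added example (not buildah's code): one way to collect the exit status of the "main" process and then reap whatever was reparented to us. It assumes the caller has made itself a child subreaper with PR_SET_CHILD_SUBREAPER (Linux-only; the constant 36 is from prctl(2)) so that orphans land on this process instead of PID 1; the `sh -c 'sleep ... & exit 3'` command in main is a constructed stand-in for a container's process tree.

```go
package main

import (
	"fmt"
	"os/exec"
	"syscall"
)

// PR_SET_CHILD_SUBREAPER (Linux >= 3.4): orphaned descendants are reparented
// to this process instead of PID 1, so we are the one that must reap them.
const prSetChildSubreaper = 36

// becomeSubreaper marks the calling process as a child subreaper.
func becomeSubreaper() error {
	if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, prSetChildSubreaper, 1, 0); errno != 0 {
		return fmt.Errorf("prctl(PR_SET_CHILD_SUBREAPER): %w", errno)
	}
	return nil
}

// reapOrphans blocks until every remaining child of this process has exited,
// collecting each exit status, and returns how many children were reaped.
// wait4(-1, ...) reports ECHILD once there is nothing left to wait for.
func reapOrphans() (int, error) {
	reaped := 0
	for {
		var ws syscall.WaitStatus
		pid, err := syscall.Wait4(-1, &ws, 0, nil)
		switch {
		case err == syscall.EINTR:
			continue
		case err == syscall.ECHILD:
			return reaped, nil
		case err != nil:
			return reaped, fmt.Errorf("wait4: %w", err)
		}
		if pid > 0 {
			reaped++
		}
	}
}

// runAndReap runs the "main" command, records its exit status, and only then
// reaps whatever that command left behind, so no zombies survive the return.
func runAndReap(name string, args ...string) (exitCode int, orphans int, err error) {
	if err := becomeSubreaper(); err != nil {
		return -1, 0, err
	}
	cmd := exec.Command(name, args...)
	if err := cmd.Run(); err != nil {
		ee, ok := err.(*exec.ExitError)
		if !ok {
			return -1, 0, err
		}
		exitCode = ee.ExitCode()
	}
	orphans, err = reapOrphans()
	return exitCode, orphans, err
}

func main() {
	// Constructed workload: sh exits at once with status 3, orphaning "sleep",
	// which the kernel reparents to us because we are the subreaper.
	code, n, err := runAndReap("sh", "-c", "sleep 0.2 & exit 3")
	fmt.Println("exit status:", code, "orphans reaped:", n, "error:", err)
}
```

Without the subreaper step the orphaned sleep would go to PID 1 and wait4(-1) would return ECHILD immediately, which is why the two pieces belong together.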
When RUN requires us to create the target for a mountpoint, make note of
it and any parent directories that needed to be created, and filter them
out when generating a layer diff or --output data.
The exceptions will be directories that the conformance tests confirm
that BuildKit also leaves behind, though for compatibility with the
classic builder, we have to make that conditional.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Dynamically link sqlite3 when it is installed. The main motivation is that
this reduces the podman binary size; I see about 3.2 MB savings.
But dynamically linking it also means that if there are vulnerabilities, only
the sqlite3 distro package needs updating and we don't have to make a
new podman release with the vendored update.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add a dummy "runtime" that just dumps its runtime config, either the
entirety of it, or a section of it corresponding to each command line
argument. Tests can use it to ensure that we set the right thing in the
configuration without also depending on the runtime to do as it's asked,
which isn't always something we have control over.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This way is recommended by golangci-lint developers, plus we'll save
some build time.
In addition, add GOLANGCI_LINT_VERSION to the top-level Makefile,
so it can be updated by renovate.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Unless --no-pivot or the equivalent API flag is set, try to pivot_root()
to enter the rootfs during Run(). Fall back to using chroot() as before
if that fails for any reason.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
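Added example (not buildah's Run() code): the pivot_root-then-chroot fallback sequence in Go, using only the standard syscall package. The `pivotInto` and `enterRootfs` names are mine. It assumes the caller is root inside its own mount namespace (unshare(CLONE_NEWNS)); outside that, pivot_root fails and the code falls back to chroot exactly as the message describes. Unlike chroot, pivot_root detaches the old root, so a process in the rootfs has no mount left to chdir back into.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// pivotInto makes rootfs the root of the current mount namespace and detaches
// the old root. Requires CAP_SYS_ADMIN in a private mount namespace.
func pivotInto(rootfs string) error {
	// Keep a handle on the old root so we can find and unmount it afterwards.
	oldRoot, err := os.Open("/")
	if err != nil {
		return err
	}
	defer oldRoot.Close()
	// pivot_root(2) needs new_root to be a mount point: bind it onto itself.
	if err := syscall.Mount(rootfs, rootfs, "", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
		return fmt.Errorf("bind-mounting %q onto itself: %w", rootfs, err)
	}
	if err := syscall.Chdir(rootfs); err != nil {
		return err
	}
	// pivot_root(".", ".") stacks the old root on top of the new one, so no
	// put_old directory has to exist inside the rootfs.
	if err := syscall.PivotRoot(".", "."); err != nil {
		return fmt.Errorf("pivot_root: %w", err)
	}
	// Go to the old root, stop unmount propagation, and detach it lazily.
	if err := syscall.Fchdir(int(oldRoot.Fd())); err != nil {
		return err
	}
	if err := syscall.Mount("", ".", "", syscall.MS_SLAVE|syscall.MS_REC, ""); err != nil {
		return fmt.Errorf("making old root slave: %w", err)
	}
	if err := syscall.Unmount(".", syscall.MNT_DETACH); err != nil {
		return fmt.Errorf("detaching old root: %w", err)
	}
	return syscall.Chdir("/")
}

// enterRootfs tries pivot_root unless noPivot is set and falls back to
// chroot(2) on any failure, reporting which mechanism was actually used.
func enterRootfs(rootfs string, noPivot bool) (string, error) {
	st, err := os.Stat(rootfs)
	if err != nil {
		return "", err
	}
	if !st.IsDir() {
		return "", fmt.Errorf("%q is not a directory", rootfs)
	}
	if !noPivot {
		if err := pivotInto(rootfs); err == nil {
			return "pivot_root", nil
		}
		// Fall through on EPERM, EINVAL (shared mount, initramfs root), etc.
	}
	if err := syscall.Chroot(rootfs); err != nil {
		return "", fmt.Errorf("chroot %q: %w", rootfs, err)
	}
	if err := syscall.Chdir("/"); err != nil {
		return "", err
	}
	return "chroot", nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: enter-rootfs DIR")
		os.Exit(2)
	}
	how, err := enterRootfs(os.Args[1], false)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("entered rootfs via", how)
}
```

Run it as `unshare -m ./enter-rootfs /path/to/rootfs` as root to see the pivot_root path; as an unprivileged user both calls fail with EPERM and the error from the chroot fallback is what you get back.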
The current list of sources doesn't list vendor sources and some other
.go files, requiring manual modifications to the Makefile to build
binaries. This change uses `find` (from Podman's Makefile) to detect .go
files across the repo.
Removes the validation script since we're no longer specifying sources
manually. And removes explicit *.go files as binary sources.
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
For quite some time (Go 1.16? To be honest, I don't remember) placing
sources in a specific directory under $GOPATH is no longer required.
[NO NEW TESTS NEEDED]
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
It looks like those were added to aid in CI, and are no longer required.
As it is quite unexpected to have make targets operate on directories such
as ../../, let's remove those.
Fix Ubuntu build instructions accordingly (runc binary package is
available in those distros).
[NO NEW TESTS NEEDED]
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Update references to specific versions of golang in the Makefile and the
Cirrus CI configuration to match go.mod, and add a check in the 'vendor'
target that CI runs that the image it's run inside is a close-enough
match to the version listed in go.mod.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use a listener helper to bind to an available-according-to-the-kernel
listening port and run a command with its stdio more or less tied to the
connection instead of trying to launch a git daemon directly using a
port number that we can only guess is available.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
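Added example (not the helper from this commit): the listener pattern in Go. Binding to port 0 lets the kernel pick a port and, more importantly, holds it, so there is no window between guessing a port and a daemon binding it in which something else can take it. `listenEphemeral` and `serveOneCommand` are names I chose; the command run in main is `cat`, a constructed stand-in for `git daemon --inetd`-style programs that speak over stdin/stdout.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"os/exec"
)

// listenEphemeral asks the kernel for a free port (port 0) and keeps the
// socket open, so the port is held rather than merely "probably free".
func listenEphemeral() (net.Listener, int, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, 0, err
	}
	return ln, ln.Addr().(*net.TCPAddr).Port, nil
}

// serveOneCommand accepts a single connection and runs the command with its
// stdin and stdout tied to that connection. os/exec copies between the
// socket and the child's pipes; the child sees EOF when the peer half-closes.
func serveOneCommand(ln net.Listener, name string, args ...string) error {
	conn, err := ln.Accept()
	if err != nil {
		return err
	}
	defer conn.Close()
	cmd := exec.Command(name, args...)
	cmd.Stdin = conn
	cmd.Stdout = conn
	cmd.Stderr = os.Stderr
	return cmd.Run()
}

func main() {
	ln, port, err := listenEphemeral()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer ln.Close()
	// A test would read this port instead of guessing one up front.
	fmt.Println("listening on port", port)
	if err := serveOneCommand(ln, "cat"); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

The port number is only read back after Listen succeeds, which is the whole point: the socket, not a number, is the thing the test hands around.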
If we're running a command in a working container whose platform doesn't
match our own, attempt to register any emulators for which we find
configurations of the type included in Fedora's qemu-user-static
packages.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a validation script that checks that we haven't forgotten to add any
new packages to the SOURCES definition in the top-level Makefile.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
They largely duplicate other integration tests. Add an integration test
to cover the "output from inspect is valid JSON" case.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
If the $(go env GOCACHE) directory exists and is writeable, bind-mount
it into the container that we're running to do the vendoring.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
We can't set it all of the time because the renovate bot doesn't allow
us to set this in its configuration unless we're hosting the bot
ourselves, and I don't think that we are.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Set GOTOOLCHAIN=local for all make targets, and for renovate.
Have the "vendor" target (and by extension, "vendor-in-container", which
our validation in CI uses) clear any "toolchain" directive that might
have been added to go.mod through manual invocations of the compiler.
At this point, we probably don't need to be checking for Go module
support, so switch to assuming it's available.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
rpkg is now deprecated. This commit makes the rpm target consistent with
the one in Podman.
Using skip-ci as we don't need to run cirrus tests for this change.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
github.com/cilium/ebpf v0.12.3 (the latest tag as of this moment) won't
build on linux/loong64, but the tip of its main branch does. When
v0.12.4 is released, and we're using that or a later version, we can
turn it back on.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Update github.com/openshift/imagebuilder to the v1.2.6 release
Update github.com/containers/common to the current tip of the main branch
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a --sbom flag to `buildah build` and `buildah commit` which will
scan the rootfs and specified context directories to build SPDX or
CycloneDX SBOMs and lists of package URLs.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Include the arch in the name of the static entrypoint binary, in case we
find ourselves needing to support other architectures in the same area
in the future.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Compress the unencrypted entry point binary for confidential workload
images using gzip's `-n` flag, to omit the original file's timestamp
from the compressed copy. Add a -f and -9 to always overwrite the
output file and sacrifice speed to shave off a few more bytes.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
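Added example (not the Makefile change itself) showing why `-n` matters: the gzip header carries a 32-bit MTIME field at bytes 4..8, so the same input compressed at two different times yields two different files unless that field is left zero. Go's compress/gzip writes the field only when `ModTime` is set, which mirrors `gzip -n`; the sample payload is constructed and the function names are mine.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/binary"
	"fmt"
	"io"
	"time"
)

// compress gzips data at the best level. A zero modTime leaves the header's
// MTIME field as zero (what `gzip -n` does); a non-zero time is stored and
// makes the output depend on when the file was compressed.
func compress(data []byte, modTime time.Time) ([]byte, error) {
	var buf bytes.Buffer
	zw, err := gzip.NewWriterLevel(&buf, gzip.BestCompression) // like -9
	if err != nil {
		return nil, err
	}
	zw.ModTime = modTime
	zw.Name = "" // -n also omits the original file name from the header
	if _, err := zw.Write(data); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// headerMTime returns the little-endian MTIME field of a gzip member header.
func headerMTime(gz []byte) uint32 {
	return binary.LittleEndian.Uint32(gz[4:8])
}

// decompress is the round-trip check that omitting MTIME loses no payload.
func decompress(gz []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(gz))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// reproducible reports whether compressing data at two different times
// (or with no time at all, when omitTime is set) gives identical bytes.
func reproducible(data []byte, omitTime bool) (bool, error) {
	t1 := time.Unix(1700000000, 0)
	t2 := t1.Add(time.Hour)
	if omitTime {
		t1, t2 = time.Time{}, time.Time{}
	}
	a, err := compress(data, t1)
	if err != nil {
		return false, err
	}
	b, err := compress(data, t2)
	if err != nil {
		return false, err
	}
	return bytes.Equal(a, b), nil
}

func main() {
	payload := []byte("constructed stand-in for the entrypoint binary")
	withTime, _ := reproducible(payload, false)
	withoutTime, _ := reproducible(payload, true)
	fmt.Println("identical with timestamps:", withTime, "without:", withoutTime)
}
```

This is the property a reproducible image build needs: the compressed entrypoint embedded in every image should hash the same regardless of when the build ran.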
The target internal/mkcw/embed/entrypoint is only built on x86_64, but
internal/mkcw/embed/entrypoint.gz is run on all arches. This causes build
failures on anything non-x86_64, as internal/mkcw/embed/entrypoint is not built.
Signed-off-by: Dan Čermák <dcermak@suse.com>
Add an OverrideChanges and an OverrideConfig field to CommitOptions,
both of which can be used to make last-minute edits to the configuration
of an image that we're committing.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a --cw option to `buildah build` and `buildah commit`, which takes a
comma-separated list of arguments and produces an image laid out for use
as a confidential workload:
type: sev or snp
attestation_url: location of a key broker server
cpus: expected number of virtual CPUs to run with
memory: expected megabytes of memory to run with
workload_id: a distinguishing identifier for the key broker server
ignore_attestation_errors: ignore errors registering the workload
passphrase: for encrypting the disk image
slop: extra space to allocate for the disk image
At least one of attestation_url and passphrase must be specified in
order for the encrypted disk image to be decryptable at run-time. Other
arguments can be omitted. ignore_attestation_errors is intentionally
undocumented, as it's mainly used to permit some amount of testing on
systems which don't have the required hardware.
Add an `mkcw` top-level command, for converting directly from an image
to a confidential workload.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
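Added example (not buildah's option parser): a parser and validator in Go for the --cw argument list described above. It assumes the comma-separated list is made of key=value pairs and that ignore_attestation_errors may be given as a bare key; both are assumptions about syntax, as are the numeric checks and the URL check, and no default type is filled in when one is omitted. The one rule the message states, that at least one of attestation_url and passphrase must be present, is enforced at the end, since an image with neither could never be decrypted at run-time.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// CWOptions holds the settings a --cw argument can carry.
type CWOptions struct {
	Type                    string // "sev" or "snp"
	AttestationURL          string // key broker server
	CPUs                    int
	Memory                  int // megabytes
	WorkloadID              string
	IgnoreAttestationErrors bool
	Passphrase              string
	Slop                    string // extra disk image space, kept opaque here
}

// ParseCWOptions parses "key=value,key=value,..." (assumed syntax) and
// rejects unknown keys, duplicates, bad values, and the unusable combination
// of having neither attestation_url nor passphrase.
// Caveat: a passphrase containing a comma cannot be expressed this way.
func ParseCWOptions(spec string) (CWOptions, error) {
	var opts CWOptions
	seen := map[string]bool{}
	for _, field := range strings.Split(spec, ",") {
		field = strings.TrimSpace(field)
		if field == "" {
			continue
		}
		key, value, hasValue := strings.Cut(field, "=")
		if seen[key] {
			return opts, fmt.Errorf("--cw: %q given more than once", key)
		}
		seen[key] = true
		switch key {
		case "type":
			if value != "sev" && value != "snp" {
				return opts, fmt.Errorf("--cw: type must be sev or snp, got %q", value)
			}
			opts.Type = value
		case "attestation_url":
			u, err := url.Parse(value)
			if err != nil || u.Scheme == "" || u.Host == "" {
				return opts, fmt.Errorf("--cw: attestation_url %q is not an absolute URL", value)
			}
			opts.AttestationURL = value
		case "cpus", "memory":
			n, err := strconv.Atoi(value)
			if err != nil || n <= 0 {
				return opts, fmt.Errorf("--cw: %s must be a positive integer, got %q", key, value)
			}
			if key == "cpus" {
				opts.CPUs = n
			} else {
				opts.Memory = n
			}
		case "workload_id":
			opts.WorkloadID = value
		case "ignore_attestation_errors":
			// Assumed: bare key means true; an explicit value is parsed as a bool.
			if !hasValue {
				opts.IgnoreAttestationErrors = true
				continue
			}
			b, err := strconv.ParseBool(value)
			if err != nil {
				return opts, fmt.Errorf("--cw: ignore_attestation_errors: %w", err)
			}
			opts.IgnoreAttestationErrors = b
		case "passphrase":
			if value == "" {
				return opts, fmt.Errorf("--cw: passphrase must not be empty")
			}
			opts.Passphrase = value
		case "slop":
			opts.Slop = value
		default:
			return opts, fmt.Errorf("--cw: unknown option %q", key)
		}
	}
	if opts.AttestationURL == "" && opts.Passphrase == "" {
		return opts, fmt.Errorf("--cw: at least one of attestation_url and passphrase is required")
	}
	return opts, nil
}

func main() {
	opts, err := ParseCWOptions("type=snp,attestation_url=https://kbs.example/,cpus=2,memory=512,workload_id=demo")
	fmt.Printf("%+v %v\n", opts, err)
	_, err = ParseCWOptions("type=sev,cpus=2") // nothing could decrypt this image
	fmt.Println(err)
}
```

Failing closed on the missing attestation_url/passphrase case at parse time is cheaper than producing an encrypted image that no key broker and no passphrase can ever open.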
The chrooting causes testing with coverage counting enabled to output a
warning message which interferes with how they communicate with child
processes. Disable -cover for those modules by testing them separately
without it.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>