When building or committing an image in OCI format, default to setting
the org.opencontainers.image.created annotation to the value used in the
image's config blob for the image's creation date. The behavior can be
controlled using the new --created-annotation flag.
Add --annotation and --unsetannotation flags to `buildah commit` which
mimic the same flags for `buildah build`.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When RUN requires us to create the target for a mountpoint, make note of
it and any parent directories that needed to be created, and filter them
out when generating a layer diff or --output data.
The exceptions will be directories that the conformance tests confirm
that BuildKit also leaves behind, though for compatibility with the
classic builder, we have to make that conditional.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use $SOURCE_DATE_EPOCH as the default for the --source-date-epoch flag
to the "build" CLI.
When a source-date-epoch is set, we'll use it when writing new history
entries, force timestamps in data written for --output to the specified
timestamp, and populate a "SOURCE_DATE_EPOCH" ARG that we treat as
always being set, and which we don't complain about being left unused.
By default, this will not affect timestamps in newly-added layers.
Add a --rewrite-timestamp flag, which "clamps" timestamps in newly-added
layers to not be later than the --source-date-epoch value if the
--source-date-epoch flag is set, but has no effect otherwise.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
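
The "clamping" described in the commit message above, as an added example that is not Buildah's own code: it rewrites a layer tar stream so that no entry's modification time is later than the epoch, and leaves older timestamps alone. The function names and the two-file sample layer are constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"time"
)

// clampLayer copies a tar stream, lowering any mtime later than epoch to epoch.
func clampLayer(dst io.Writer, src io.Reader, epoch time.Time) error {
	tr, tw := tar.NewReader(src), tar.NewWriter(dst)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return tw.Close()
		} else if err != nil {
			return err
		}
		if hdr.ModTime.After(epoch) {
			hdr.ModTime = epoch
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return err
		} else if _, err := io.Copy(tw, tr); err != nil {
			return err
		}
	}
}

// clampedModTimes clamps a constructed two-file layer and returns name -> mtime.
func clampedModTimes(epoch int64) (map[string]int64, error) {
	var in, out bytes.Buffer
	tw := tar.NewWriter(&in)
	for name, mtime := range map[string]int64{"etc/old.conf": 1000, "usr/bin/new": 9000} {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: 2, ModTime: time.Unix(mtime, 0)})
		tw.Write([]byte("hi"))
	}
	tw.Close()
	err := clampLayer(&out, &in, time.Unix(epoch, 0))
	got := map[string]int64{}
	tr := tar.NewReader(&out)
	for hdr, e := tr.Next(); e == nil; hdr, e = tr.Next() {
		got[hdr.Name] = hdr.ModTime.Unix()
	}
	return got, err
}

func main() { fmt.Println(clampedModTimes(5000)) }
```

Because timestamps are only lowered, never raised, files inherited unchanged from an older base keep their original times and two builds with the same epoch produce the same layer bytes.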
Allow --output to be specified multiple times for `buildah build`.
That's of limited usefulness right now, but as exporters get added, it
won't be, and it's better to provide the new multiple-values API field
sooner rather than later.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Only propagate error message from git and let buildah reflect error code
`125`.
Reason: Buildah should return predictable error code from the set of
defined error codes in exec_codes.go at https://github.com/containers/buildah/blob/main/pkg/cli/exec_codes.go#L6
Anything other than predefined error codes introduces inconsistency, thus making testing difficult in CI and podman.
Users should expect buildah to reflect ExecErrorCodeGeneric with error message kept intact from the underlying `git`
commands.
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
Correctly report back error when attempting to create `Tmpdir` for a
given url source.
Also remove superfluous `isGitTag` from define/types.go since `git
fetch` correctly resolves by provided reference.
Closes: https://github.com/containers/podman/issues/25679
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
Ensure that the temporary directory that we create is never itself the
top-level directory of the content that we're downloading, in case it's
an archive which includes a "." with weird permissions.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
The default configuration that `docker build` applies to images built
using "scratch" has changed from classic builds to BuildKit. Add a
toggle for selecting which behavior to mimic.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Update some godocs, and update an octal value in a godoc to start with
0o instead of just 0, to match the literal on the next line.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This change is generated by `go1.23rc2 fix ./...`.
Had to use go1.23rc2, since all released go versions have a bug
preventing it from working with `go 1.22.0` in go.mod (opened
https://github.com/golang/go/issues/68825,
https://github.com/golang/go/issues/68824 for awareness).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Change fields of the
github.com/containers/common/libimage.LookupReferenceFunc type to be of
the github.com/containers/common/libimage/manifests.LookupReferenceFunc
type. The two types are aliases for each other, but the libimage package
refuses to build when podman is using us as a dependency of its remote
client.
Note that the CachePullSourceLookupReferenceFunc,
CachePullDestinationLookupReferenceFunc,
CachePushSourceLookupReferenceFunc, and
CachePushDestinationLookupReferenceFunc callbacks in define.BuildOptions
aren't currently proxied for podman remote clients.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Make the traditional handling of volumes (where they're "frozen" and can
only be modified by ADD or COPY, which requires that we cache their
contents and save/restore them before/after RUN instructions) an option
that is not enabled by default.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Rework parsing of --pull flags to add "newer" as an alias for "ifnewer",
and to reject unrecognized values instead of treating them as synonymous
with "ifmissing".
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Make setting the Parent field in the config blob of a docker format
image optional (yes, we're bringing it back!), since it no longer
appears to be set by newer versions of docker build.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This allows callers to provide custom SourceLookupReferenceFunc and
DestinationLookupReferenceFunc for cache pull/push. These can be used to
implement custom blob caches, and to wrap the reference being
pushed/pulled to influence the copy behavior.
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
As the title says. Setting to v1.37.0-dev after
creating Buildah v1.36.0 for release with Podman v5.1
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Add support for using CDI to resolve `--device` devices for RUN
instructions during `buildah build`, `buildah from`, and `buildah run`,
as `podman run` does.
This generally requires that we stop resolving device specifications
(arguments passed to --device) earlier and defer that until it's
time to run a process, because CDI wants to pick over those values,
modify a runtime spec to set up the ones that it knows about, and then
hand back the list of values that it doesn't know about.
We don't want to do a dry run of this during CLI processing because that
would create a window where the underlying hardware state could change,
and that could produce some hard-to-diagnose errors.
Being able to test this is going to require that we add the `--device`
flag to `buildah run` (`--security-opt` affects how we build the
container's layer, so it has to be done at `buildah from`).
The default configured devices list is pulled in by CLI flag processing
during `buildah from` and `buildah build`, so it doesn't also need to be
explicitly passed to `buildah run` or the internal Run() method.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Avoid generically referring to "the container" where it can be ambiguous
that we're actually talking about the environment we set up for running
a command for a RUN instruction or Run() call.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
There have been a number of breaking changes added
since v1.34 to the main branch. We'll create a new
release branch for v1.34 and will set the version in
main to 1.35.0-dev.
The intended target for Buildah v1.35 is Fedora 40.
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Podman currently sets the ulimits of nofile and nproc
to max in rootless mode, if the user does not override.
Buildah on the other hand just passes in the current defaults.
Podman build should match podman run, and this will fix that problem.
Fixes: https://github.com/containers/buildah/issues/5273
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add a --sbom flag to `buildah build` and `buildah commit` which will
scan the rootfs and specified context directories to build SPDX or
CycloneDX SBOMs and lists of package URLs.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>