Use the CutPrefix(), SplitSeq(), and FieldsSeq() functions from the
strings package when chopping up or iterating over parts of strings, per
golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When checking the platforms of the base images, if we encounter a
reference which includes both a tag and a digest, work around it like
the pull logic does: try it without the tag.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When we look up a stage that's referred to in a COPY --from argument,
treat the string as a stage number not only if it parses as one, as we
checked before, but now also require that the number correspond to one
of the stages that would be completed before the one into which the
content will be copied.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When generating a checksum for files mounted into a container via
`--mount=type=bind`, ignore their `ModTime`, `AccessTime` and
`ChangeTime` so we can maintain cache burst consistency with the `COPY`
command.
Closes: https://github.com/containers/buildah/issues/6291
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
Make the history created-by field note when a label was unset, or if
one of the CLI flags that modifies the timestamps in the layer was
used, so that the cache evaluation logic can factor that into account.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When there are no instructions to process, we try to reuse the base
image. When we've been told, out of band, to remove labels or
environment variables, or affect annotations, we still need to, though,
so check for values of more of those flags.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When building images for a `manifest` list using `--platform`, the same
image is used for multiple platforms if the base is `scratch`. The
following PR adds a check to always verify the `platform` of the `cache`
with the `target`.
Closes: https://github.com/containers/podman/issues/18723
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
What type of PR is this?
/kind feature
What this PR does / why we need it:
It implements --link for COPY and ADD instructions and enables the creation of
cacheable layers that can be reused independently across builds.
Follows buildkit `--link` specifications.
How to verify it
bats tests/bud.bats
Which issue(s) this PR fixes:
Fixes #4325
Does this PR introduce a user-facing change?
Yes, gives extra functionality to Containerfiles
Signed-off-by: Joshua Arrevillaga <2004jarrevillaga@gmail.com>
When SOURCE_DATE_EPOCH is passed in as a build-arg, treat it as we would
if it was passed in via the environment or its own CLI flag.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When building or committing an image in OCI format, default to setting
the org.opencontainers.image.created annotation to the value used in the
image's config blob for the image's creation date. The behavior can be
controlled using the new --created-annotation flag.
Add --annotation and --unsetannotation flags to `buildah commit` which
mimic the same flags for `buildah build`.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When RUN requires us to create the target for a mountpoint, make note of
it and any parent directories that needed to be created, and filter them
out when generating a layer diff or --output data.
The exceptions will be directories that the conformance tests confirm
that BuildKit also leaves behind, though for compatibility with the
classic builder, we have to make that conditional.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When using either --source-date-epoch or --timestamp, default to not
adding a label with our version number in it, since it can change
between builds.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When using either --source-date-epoch or --timestamp, make sure that
handling of RUN instructions uses a defined hostname if possible, and
commits using a reference to a static container name.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use $SOURCE_DATE_EPOCH as the default for the --source-date-epoch flag
to the "build" CLI.
When a source-date-epoch is set, we'll use it when writing new history
entries, force timestamps in data written for --output to the specified
timestamp, and populate a "SOURCE_DATE_EPOCH" ARG that we treat as
always being set, and which we don't complain about being left unused.
By default, this will not affect timestamps in newly-added layers.
Add a --rewrite-timestamp flag, which "clamps" timestamps in newly-added
layers to not be later than the --source-date-epoch value if the
--source-date-epoch flag is set, but has no effect otherwise.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a --source-date-epoch flag, defaulting to $SOURCE_DATE_EPOCH if set,
which sets the created-on date and the timestamp for the new history
entries, but does not default to modifying the timestamps on contents in
new layers.
Add a --rewrite-timestamp flag, which "clamps" timestamps in the new
layers to not be later than the --source-date-epoch value if both
the --rewrite-timestamp and --source-date-epoch flags were set.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Allow --output to be specified multiple times for `buildah build`.
That's of limited usefulness right now, but as exporters get added, it
won't be, and it's better to provide the new multiple-values API field
sooner rather than later.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
If multiple layers are found as cache candidates then select the layer
which was created recently.
Closes: https://github.com/containers/buildah/issues/6152
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
The patch in PR https://github.com/containers/buildah/pull/5691 added a
function to calculate and write the checksum of `source` in `--mount`
instructions to history, but it did not add the part that expands build
args if they are present in the `source` path.
The following PR just corrects the above issue and also adds a new test
to make sure we don't break this again in the future.
Closes: https://github.com/containers/podman/issues/25425
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
> imagebuildah/stage_executor.go:714:13: superfluous-else: if block ends with a break statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary) (revive)
> } else {
>     // Treat the source's name as the name of an image.
>     mountPoint, err := s.getImageRootfs(s.ctx, from)
>     if err != nil {
>         return nil, fmt.Errorf("%s from=%s: no stage or image found with that name", flag, from)
>     }
>     stageMountPoints[from] = internal.StageMountDetails{
>         IsImage:    true,
>         DidExecute: true,
>         MountPoint: mountPoint,
>     }
>     break
> }
>
(The alternative is to keep "else" and remove "break", but there are
other break statements above it, so for style consistency it's better to
keep using break.)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Every stage now has its own copy of systemcontext.
On processing of every stage, the platform spec in systemcontext must be
correctly reset.
Closes: https://github.com/containers/buildah/issues/5968
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
Previous code called defer with argument "dockerfiles..." which is
always empty at time of evaluation.
Even when dockerfiles is appended to later in this method, it has no
entries at time of evaluation as an argument to the defer function, thus
no files were ever closed as a result.
Minor refactor so that all referenced files and HTTP requests are now
closed at end of function.
Signed-off-by: Adam Eijdenberg <adam@continusec.com>
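The defer pitfall described in the commit message above, as an added Go example (not buildah's code): the arguments of a deferred call are evaluated when the `defer` statement executes, not when the function returns. `tracked`, `closeAll`, `openBuggy`, `openFixed` and `countClosed` are hypothetical names, and the "files" are constructed stand-ins.

```go
package main

import "fmt"

// tracked is a constructed stand-in for an opened Dockerfile or HTTP body.
type tracked struct{ closed bool }

func (t *tracked) Close() error { t.closed = true; return nil }

// closeAll is a hypothetical helper that closes everything it is handed.
func closeAll(files ...*tracked) {
	for _, f := range files {
		f.Close()
	}
}

// openBuggy: files... is expanded at the defer statement, while files is empty.
func openBuggy(n int) []*tracked {
	var files []*tracked
	defer closeAll(files...) // evaluated now: zero arguments, closes nothing
	for i := 0; i < n; i++ {
		files = append(files, &tracked{})
	}
	return files
}

// openFixed: the closure reads files when it runs, at function exit.
func openFixed(n int) []*tracked {
	var files []*tracked
	defer func() { closeAll(files...) }()
	for i := 0; i < n; i++ {
		files = append(files, &tracked{})
	}
	return files
}

// countClosed reports how many of the files ended up closed.
func countClosed(files []*tracked) int {
	closed := 0
	for _, f := range files {
		if f.closed {
			closed++
		}
	}
	return closed
}

func main() {
	fmt.Println(countClosed(openBuggy(3)), countClosed(openFixed(3)))
}
```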
getCreatedBy ignores the heredoc summary when build args are specified;
the following PR makes sure the behaviour is correct.
Also, the test is modified to make sure buildah correctly bursts the
cache if heredoc content is changed.
Closes: https://github.com/containers/podman/issues/25469
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
... to validate that the manifests match expected digests, if any.
In some cases, using an UnparsedInstance can also avoid redundant I/O.
Do this everywhere, even where we read local storage which is
mostly trusted, because it is cheap enough and being consistent
makes it less likely for the code to be copied into other
contexts where the sources are not trusted.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
New imagebuilder contains a fix that sets empty TARGETVARIANT and BUILDVARIANT. Docker does not set these values for ARM64.
This fixes the TestConformance/multistage-builtin-args and TestConformance/builtins tests on ARM64.
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
When using `--mount=type=bind` or `--mount=type=cache`, the hash or
digest of the source in these flags should be added to the image history
so buildah can burst the cache if files on the host or the image which is
being used as the source are changed.
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
These experimental packages are now available in the Go standard
library since Go 1.21:
1. golang.org/x/exp/slices -> slices [1]
2. golang.org/x/exp/maps -> maps [2]
[1]: https://go.dev/doc/go1.21#slices
[2]: https://go.dev/doc/go1.21#maps
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Allow cache mounts (RUN --mount=type=cache) to refer to other stages or
additional build contexts.
Update the build-check-cve-2024-9675 integration test to use different
directories for its main build context and the additional build context
that it uses for its final run.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>