Use the CutPrefix(), SplitSeq(), and FieldsSeq() functions from the
strings package when chopping up or iterating over parts of strings, per
golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Treat the five optional bool flags as optional bool values, allowing for
them to not be set if they weren't explicitly given on the command line.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When building or committing an image in OCI format, default to setting
the org.opencontainers.image.created annotation to the value used in the
image's config blob for the image's creation date. The behavior can be
controlled using the new --created-annotation flag.
Add --annotation and --unsetannotation flags to `buildah commit` which
mimic the same flags for `buildah build`.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use $SOURCE_DATE_EPOCH as the default for the --source-date-epoch flag
to the "build" CLI.
When a source-date-epoch is set, we'll use it when writing new history
entries, force timestamps in data written for --output to the specified
timestamp, and populate a "SOURCE_DATE_EPOCH" ARG that we treat as
always being set, and which we don't complain about being left unused.
By default, this will not affect timestamps in newly-added layers.
Add a --rewrite-timestamp flag, which "clamps" timestamps in newly-added
layers to not be later than the --source-date-epoch value if the
--source-date-epoch flag is set, but has no effect otherwise.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Allow --output to be specified multiple times for `buildah build`.
That's of limited usefulness right now, but as exporters get added, it
won't be, and it's better to provide the new multiple-values API field
sooner rather than later.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
These experimental packages are now available in the Go standard
library since Go 1.21:
1. golang.org/x/exp/slices -> slices [1]
2. golang.org/x/exp/maps -> maps [2]
[1]: https://go.dev/doc/go1.21#slices
[2]: https://go.dev/doc/go1.21#maps
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Make the traditional handling of volumes (where they're "frozen" and can
only be modified by ADD or COPY, which requires that we cache their
contents and save/restore them before/after RUN instructions) an option
that is not enabled by default.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add support for using CDI to resolve `--device` devices for RUN
instructions during `buildah build`, `buildah from`, and `buildah run`,
as `podman run` does.
This generally requires that we stop resolving device specifications
(arguments passed to --device) earlier and deferring that until it's
time to run a process, because CDI wants to pick over those values,
modify a runtime spec to set up the ones that it knows about, and then
hand back the list of values that it doesn't know about.
We don't want to do a dry run of this during CLI processing because that
would create a window where the underlying hardware state could change,
and that could produce some hard-to-diagnose errors.
Being able to test this is going to require that we add the `--device`
flag to `buildah run` (`--security-opt` affects how we build the
container's layer, so it has to be done at `buildah from`).
The default configured devices list is pulled in by CLI flag processing
during `buildah from` and `buildah build`, so it doesn't also need to be
explicitly passed to `buildah run` or the internal Run() method.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a --sbom flag to `buildah build` and `buildah commit` which will
scan the rootfs and specified context directories to build SPDX or
CycloneDX SBOMs and lists of package URLs.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a --cw option to `buildah build` and `buildah commit`, which takes a
comma-separated list of arguments and produces an image laid out for use
as a confidential workload:
type: sev or snp
attestation_url: location of a key broker server
cpus: expected number of virtual CPUs to run with
memory: expected megabytes of memory to run with
workload_id: a distinguishing identifier for the key broker server
ignore_attestation_errors: ignore errors registering the workload
passphrase: for encrypting the disk image
slop: extra space to allocate for the disk image
At least one of attestation_url and passphrase must be specified in
order for the encrypted disk image to be decryptable at run-time. Other
arguments can be omitted. ignore_attestation_errors is intentionally
undocumented, as it's mainly used to permit some amount of testing on
systems which don't have the required hardware.
Add an `mkcw` top-level command, for converting directly from an image
to a confidential workload.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
`--layer-label` allows users to set labels on intermediate labels agnostic
of the labels set on actual image. Since there are use-cases where users
want to perform operation on intermediate images only on the basis of
certain labels.
Closes: https://github.com/containers/buildah/issues/4933
Signed-off-by: Aditya R <arajan@redhat.com>
We want to share these functions with Podman, Podman currently
has a slightly different version which is correct, so use correct
version in Buildah and vendor it into Podman.
Fixing: https://github.com/containers/podman/issues/18196
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Allows codifying build arguments into a structured file, perhaps one
named arguments.Containerargs
The build arg file also accepts comments starting #, so automated
tooling or CI/CD workflows can monitor arguments like versions to
ensure they are up-to-date.
Signed-off-by: Jack Wearden <jack@jackwearden.co.uk>
Allow containers running under buildah to use
--group-add keep-groups, so that they can inherit
access to the users groups.
Also allow users to add supplimental groups to the container.
Fixes: https://github.com/containers/buildah/issues/4476
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
In golang 1.19, `io/ioutil` is fully deprecated preventing Buildah from
compiling. Replace all calls with equivalent calls from the `os`
package.
Signed-off-by: Chris Evich <cevich@redhat.com>
Buildah must support multiple sources for remote cache when using
`--cache-to` and `--cache-from` so users can distribute and collect
cache from various sources.
We also need for compat with buildkit api which in past broke `podman`
compat build API see: https://github.com/containers/podman/pull/16380
More discussion here: https://github.com/containers/podman/pull/16380
Signed-off-by: Aditya R <arajan@redhat.com>
Conflict --isolation=chroot and --network, since internally --chroot
will always configure network ns equivalent to host.
Closes: https://github.com/containers/buildah/issues/4255
Signed-off-by: Aditya R <arajan@redhat.com>
Podman adds an Error: to every error message. So starting an error
message with "error" ends up being reported to the user as
Error: error ...
This patch removes the stutter.
Also ioutil.ReadFile errors report the Path, so wrapping the err message
with the path causes a stutter.
Signed-off-by: Daniel J Walsh dwalsh@redhat.com
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
In multi-stage builds buildah will skip stages which are unused (i.e
stages which don't contribute anything to target stage directly or
indirectly) however in certain cases users need to process these unused
stages hence add support for `--skip-unused-stages` which allows users
to control this behaviour.
Ref: https://github.com/GoogleContainerTools/kaniko#flag---skip-unused-stages
Closes: https://github.com/containers/buildah/issues/4243
Signed-off-by: Aditya R <arajan@redhat.com>
If user explicitly specified `--cache-ttl=0s
it would effectively mean that user is asking
to use no cache at all. In such use cases
buildah can skip looking for cache entierly
by setting `--no-cache=true` internally.
Closes: https://github.com/containers/buildah/issues/4244
Signed-off-by: Aditya R <arajan@redhat.com>
As per buildkit backend documentation when using the BuildKit backend, docker build searches for
a `.dockerignore` file relative to the Dockerfile name. For example, running `docker build -f myapp.Dockerfile .`
will first look for an ignore file named `myapp.Dockerfile.dockerignore`. If such a file is not found, the
`.dockerignore` file is used if present. Using a Dockerfile based `.dockerignore` is useful if a project contains
multiple Dockerfiles that expect to ignore different sets of files.
Following PR introduces this buildkit feature parity.
Closes: https://github.com/containers/buildah/issues/4236
Signed-off-by: Aditya R <arajan@redhat.com>
Allows users to configure `--retry` attempts and `--retry-delay`
duration using two additional flags for commands
* buildah build
* buildah pull
* buildah push
* buildah from
* buildah add
* buildah copy
Closes: https://github.com/containers/buildah/issues/4018
Not sure how we can test retry attempts in CI, but added a test in
tests/bud.bats which verfies we parse and added flag in other options
for sanity parsing checking.
Signed-off-by: Aditya R <arajan@redhat.com>
`build` or `bud` now supports a new flag `--cache-ttl` which accepts
duration and allows end users to ignore cache images which are not under
the specified duration.
Following flag is useful for setups/platforms which heavily relies on
`--layer` and buildah caching but want recompute certain `RUN` steps
after specified duration to make sure specific `RUN` steps are always
updated. Example `RUN dnf update` or `RUN dnf install`
Closes: https://github.com/containers/buildah/issues/4160
Somewhat similar to kaniko's: https://github.com/GoogleContainerTools/kaniko#--cache-ttl-duration
Signed-off-by: Aditya R <arajan@redhat.com>
Following commit
* Initiates `cacheKey` or `layerKey` for intermediate images generated
for layers.
* Allows end users to upload cached layers with `cacheKey` to remote
sources using `--cache-to`. `--cache-to` is a optional flag to be used
with `buildah build` which publishes cached layers to remote sources.
* Allows end users to use cached layers from `remote` sources with
`--cache-from`. `--cache-from` is a optional flag to be used with
`buildah build` and it pulls cached layers from remote sources in a step
by step manner only if is a valid cache hit.
Example
* Populate cache source or use cached layers if already present
```bash
buildah build -t test --layers --cache-to registry/myrepo/cache --cache-from registry/myrepo/cache .
```
Future:
* `cacheKey` or `layerKey` model is only being used when working with
remote sources however local cache lookup can be also optimized if its
is altered to use `cacheKey` model instead of iterating through all the
images in local storage. As discussed here
References:
* Feature is quite similar to `kaniko`'s `--cache-repo`: https://github.com/GoogleContainerTools/kaniko#--cache-repo
Closes: issues#620
Signed-off-by: Aditya R <arajan@redhat.com>
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Nalin Dahyabhai
Jan Kaluza
flouthoc
openshift-merge-bot[bot]
Aditya R
Kir Kolyshkin
Eng Zer Jun
Daniel J Walsh
Chris Bandy
Jack Wearden
Chris Evich
Ed Santiago
Sascha Grunert