38 Commits

Author SHA1 Message Date
Nalin Dahyabhai 11d651588c overlay: only chown the upper directory if we created it
The limited documentation on how "overlay" works in podman-run suggests
that the calling user does all of the management of the upper directory
themselves, and we don't want to break whatever use case that is.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-11-03 18:07:34 -05:00
Jan Kaluza a0a9ac6380 Switch common, storage and image to monorepo.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
2025-08-29 15:04:28 +02:00
Nalin Dahyabhai 670a7bec6e pkg/overlay: cleanups
Change generateOverlayStructure() to not return its first argument
unchanged, since both of its callers already have that value, and adjust
a few error messages.

In the Linux MountWithOptions(), ensure that, if UpperDirOptionFragment
and WorkDirOptionFragment values were specified, they are absolute
paths, otherwise place them under the top-level parent of the various
directories we have for this mount.

Update a number of comments.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-01-24 15:54:08 -05:00
Nalin Dahyabhai 0f5c6fc504 pkg/overlay: add a MountLabel flag to Options
Add a way to pass a "set the SELinux contexts" labels to
MountWithOptions.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-01-17 09:59:55 -05:00
Nalin Dahyabhai c0efbe8210 pkg/overlay: add a ForceMount flag to Options
Add a ForceMount flag to pkg/overlay.Options that forces mounting the
overlay filesystem and returning a bind mount to it instead of trying to
leave that for later in cases where we're able to have the kernel do it.

This is mainly for the sake of callers that want to do more things with
the mounted overlay filesystem before passing them to the (presumably)
OCI runtime.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-01-17 09:59:55 -05:00
Nalin Dahyabhai 8ae99121c1 CI: enable the gofumpt linter
Turn on the gofumpt linter.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2024-08-15 13:17:44 -04:00
Philip Dubé a42bfd0191 Replace map[K]bool with map[K]struct{} where it makes sense
Signed-off-by: Philip Dubé <philip@peerdb.io>
2024-01-05 15:58:43 +00:00
Nalin Dahyabhai 81435aadcb mkcw: populate the rootfs using an overlay
When using the working container's rootfs to populate a plaintext disk
image with mkfs, instead of writing .krun_config.json to the rootfs and
then removing it afterward (since we don't want it to show up if the
same working container is later committed to a non confidential-workload
image), mount an overlay filesystem using a temporary directory as the
upper and the rootfs as the lower, create the .krun_config.json file in
the overlay filesystem, and use the overlay filesystem as the source
directory for mkfs.

Add the necessary stubs to allow pkg/overlay to at least compile on
non-Linux systems.  Change the naming scheme for a test so that the path
names it uses for temporary directories don't include "," or "=", which
can confuse the kernel.

Creating confidential workload images will now only be possible on Linux
systems, but we exec'd out to sevctl to read platform certificates, and
that requires kernel support with vendor firmware, so I don't know that
anyone will actually be impacted by the change.

Teach pkg/overlay.MountWithOptions() to accept `nil` as a pointer to a
struct parameter that is otherwise optional.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2023-12-13 14:06:59 -05:00
Doug Rabson 4c72c25a21 pkg/overlay: add limited support for FreeBSD
Note: in theory, we could support read/write overlays on FreeBSD using a
combination of unionfs and nullfs but this would take two mounts and the
API only lets us return a single mount from MountWithOptions. Read only
mounts can be done with just nullfs and this is enough to support read
only image mounts in podman.

[NO NEW TESTS NEEDED]

Signed-off-by: Doug Rabson <dfr@rabson.org>
2023-06-29 14:54:31 +01:00
Chris Evich 46eea31588 Replace io/ioutil calls with os calls
In golang 1.19, `io/ioutil` is fully deprecated preventing Buildah from
compiling.  Replace all calls with equivalent calls from the `os`
package.

Signed-off-by: Chris Evich <cevich@redhat.com>
2022-12-06 14:29:32 -05:00
Nalin Dahyabhai bb149ea686 Use errors.Is() instead of os.Is{Not,}Exist
If errors for which os.IsExist() or os.IsNotExist() would have returned
true have been wrapped using fmt.Errorf()'s "%w" verb, os.IsExist() and
os.IsNotExist(), not having been retrofitted to use errors.Is(), will
return false.

Use errors.Is() to check if an error is an os.ErrExist or os.ErrNotExist
error instead of calling os.IsExist() or os.IsNotExist().

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2022-07-26 15:36:58 -04:00
Sascha Grunert ce384684c0 Switch to golang native error wrapping
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2022-07-07 11:41:47 +02:00
Daniel J Walsh 0986de4036 Fix codespell errors
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-05-25 05:51:47 -04:00
Giuseppe Scrivano 4d0eb18796 overlay: always honor mountProgram
if a mountProgram is specified, use it also in rootfull mode.

Closes: https://github.com/containers/buildah/issues/3281

[NO NEW TESTS NEEDED]

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-01-27 12:14:42 +01:00
Giuseppe Scrivano 5a25fc6f83 overlay: move mount program invocation to separate function
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-01-27 11:01:55 +01:00
Giuseppe Scrivano a0d3ce33eb overlay: move mount program lookup to separate function
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-01-27 11:00:55 +01:00
Aditya R 316e34d268 mount: add support for custom upper and workdir with overlay mounts
Allow users to specify non-volatile `upper` and `workdir` with overlay
mounts.

Usage

```console
buildah from alpine
buildah run -v /something/lower:/test:z,O,upperdir=/somewhere/upperdir,workdir=/somwhere/workdir alpine-working-container cat /test/hello
```

Signed-off-by: Aditya R <arajan@redhat.com>
2022-01-20 21:35:34 +05:30
Aditya Rajan db6943a170 overlay: add MountWithOptions to API which extends support for advanced overlay
Expose `MountWithOptions` for overlay which allows users to pass more
verbose configuration for overlay mounts.

For instance `upperdir, workerdir` and in future `volatile`.

Signed-off-by: Aditya R <arajan@redhat.com>
2022-01-20 14:54:02 +05:30
chenk008 03186a3307 Support overlayfs path contains colon
On Linux, a directory can contain a colon.
Add support for mounting a path that contains a colon.

buildah run --volume /root/a\\:b:/root/test:O

Signed-off-by: chenk008 <kongchen28@gmail.com>
2021-10-20 14:40:38 +08:00
Daniel J Walsh 4dc36e85b4 Add support for rootless overlay mounts
This patch sets the userxattr field when run in rootless mode.

Fixes: https://github.com/containers/buildah/issues/3503

Patch came from @flouthoc  Aditya Rajan <arajan@redhat.com>

[NO TESTS NEEDED] Since this can not be tested in CI/CD system yet.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-09-09 13:27:46 -04:00
Nalin Dahyabhai 32c68951a4 imagebuildah: handle --manifest directly
When we're told to add built images to a manifest list, manipulate the
list ourselves, so that if we're creating a list, we won't have a
partially-populated list if some of the builds fail.

This also lets us include all of the platform information (including
variant info, which we can't sniff out after the fact) that we were
given when we started building the images.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2021-08-17 11:05:28 -04:00
flouthoc e62df2b67a Adds GenerateStructure helper function to support rootfs-overlay.
Following function generates a permanent overlayfs struct as compared to tempdir.

[NO NEW TESTS NEEDED]

Signed-off-by: flouthoc <flouthoc.git@gmail.com>
2021-08-12 00:48:36 +05:30
Daniel J Walsh 2e1b71c3ef Preserve ownership of lower directory when doing an overlay mount
Overlay mounts should work like volume bind mounts and preserve the
underlying source directory's permissions.

Fixes: https://github.com/containers/podman/issues/9947

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-05-07 07:19:18 -04:00
Daniel J Walsh 08201577e5 Remove some stuttering on returns errors
Golang's os.* functions return the name of the file/directory they
fail to use.  We should not wrap these errors with the file/directory
names; doing so causes stuttering when the user sees the errors, and looks
bad having huge error messages.

Since this is just code cleanup, existing tests should handle the
changes.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-04-03 06:03:13 -04:00
Daniel J Walsh b7197a1e10 Set upperdir permissions based on source
We are setting the permissions based on the dest dir rather
than the source dir.  Since we want this to work identically to a bind
mount, we need to have the permissions align.

There is also an issue where overlays on existing mounts are blowing up.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-03-03 16:20:30 -05:00
Daniel J Walsh 0fcc8ff8f5 If destination does not exists, do not throw error
When using volume mounts, the destination directory will get
created if it does not exist. The current code blows up when
the destination directory did not exist.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-01-14 21:42:32 -05:00
Daniel J Walsh 84a261dd10 Upper directory should match mode of destination directory
When we mount over a destination directory inside of the container
we need to preserve the mode of the destination.

Needed to fix: https://github.com/containers/podman/issues/8801

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-01-06 14:44:38 -05:00
Valentin Rothberg efb3d21596 overlay.MountReadOnly: support RO overlay mounts
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-10-28 16:49:34 +01:00
Giuseppe Scrivano 777256bd51 overlay: use fusermount for rootless umounts
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-10-28 09:06:20 +01:00
Giuseppe Scrivano 2eb5b6f5e6 overlay: fix umount
there can be multiple overlay mounts for a container.  Each mount is
performed in a ../userdata/overlay subdirectory.

Iterate the subdirectories and attempt to unmount them.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-10-28 09:06:20 +01:00
Daniel J Walsh b2e7110255 vendor in latest containers/storage 1.18.0 and containers/common v0.7.0
This vendor moves containers/common/pkg/unshare to containers/storage/pkg/unshare

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-03-31 09:56:18 -04:00
Daniel J Walsh af05f5aa3c Add codespell support
Check codespell on each PR in make validate.

Add fixes for issues found with codespell.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-01-10 12:12:30 -05:00
Daniel J Walsh 41b7852611 Rework overlay pkg for use with libpod
Podman uses the overlay mounts differently than in buildah.  Specifically the
overlay mount points can be used over and over again when starting and stopping
the container.  Since the paths are backed into the container config, we have
to be able to clean out just the Upper and Merged directory rather than destroying
and recreating the overlay directories on each container start.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1822
Approved by: vrothberg
2019-12-22 12:04:13 +00:00
Daniel J Walsh 8fc5b0116f Start using containers/common
We have moved shared code from buildah, podman and others into containers/common.

Specifically for this PR we are moving to use containers/common/pkg/unshare and
containers/common/pkg/cgroups.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #2010
Approved by: QiWang19
2019-12-06 14:37:27 +00:00
Giuseppe Scrivano 1ac63a264d rootless, overlay: use fuse-overlayfs
when running in rootless mode, use fuse-overlayfs for mounting the
overlay file system on the host.  Then create a bind mount inside the
container.

Closes: https://github.com/containers/buildah/issues/1741

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1743
Approved by: rhatdan
2019-07-29 23:46:00 +00:00
Sascha Grunert 6b214d2921 Add golint linter and apply fixes
This commit enables the golint linter in golangci-lint and applies all
necessary fixes.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>

Closes: #1740
Approved by: rhatdan
2019-07-27 09:45:49 +00:00
Daniel J Walsh fa67ecb27a Cleanup Overlay Mounts content
There is a chance that buildah crashed and left overlay
content.  This patch will remove any left over content
before creating the overlay mounts.

Also the previous patch would not be able to handle multiple
overlay volume mounts.  This patch fixes this issue as well.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1625
Approved by: TomSweeneyRedHat
2019-06-05 13:47:29 +00:00
Daniel J Walsh bcc5e51a94 Add support for Overlay volumes into the container.
Overlay mounts allow buildah bud and buildah from to
specify a directory on the disk that will be mounted
as an overlay into the container, where the overlay can be written to
but when the RUN or buildah run exits, the modified files will disappear.

The basic idea is to be able to mount cache from the disk for things like yum/dnf/apt
to be able to be used and modified in the container on a run command, but to be
kept fresh for each RUN.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1560
Approved by: giuseppe
2019-05-20 12:54:10 +00:00