Try to limit which image transports we accept in stages, and scope the
ones that use path names to the context directory. At some point
anything that isn't an image ID or pullable spec should start being
rejected.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Mount a read-write overlay directory over the build context directory to
restore the ability to use it as a covert cache of sorts during the
lifetime of each platform's build, but in a way that still ensures that
we don't modify the real build context directory.
N.B.: builds where FROM in one stage referenced a relative path which
had been written to a bind-mounted default build context directory by an
earlier stage broke when we started making those bind mounts into
overlays to prevent/discard modifications to that directory, and while
this extends the lifetime of that overlay so that it's consistent
throughout the build, those relative path names are still going to point
to the wrong location.
Since we need to determine SELinux labeling before mounting the overlay,
go ahead and calculate the labels to use before creating the first
builder, and remove the logic that had whichever stage thought it was
the first one set them in its parent object for use by other stages, in
what was probably a racy way.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Add a MetadataFile field to BuildOptions, to which we write a dictionary
of information about a just-committed image.
Pay more attention to sourceDateEpoch than to timestamp when we're
tagging an existing image with the intended destination name.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Add a CommitResults() method which returns a structure on success,
changing Commit() into a wrapper for it which returns a subset of the
data to keep its signature stable.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Previously, outputting to a tar would fail with a simple `FROM xxx`
image.
This now will complete the copy (including passing through any specified
timestamp) and stop before trying to tag a non-registry stored result.
Signed-off-by: Adam Eijdenberg <adam@continusec.com>

When committing, if we didn't get an image ID off the bat because the
image wasn't being committed to local storage, try to return the image's
configuration blob digest, which is what is traditionally used as the
image's ID.
This allows the --iidfile flag to write a value to a file in situations
where the image isn't being written to local storage. The image ID is
of limited value in these cases, since we can't use it to look up the
image anywhere else, but at least we don't write a file that just has
the digest name prefix or log an empty string.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

In case there's some opportunistic hard linking going on, which might be
causing problems when the tests are packaged and run in an environment
which is wildly different from CI.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

When checking that certain directories are masked, treat the
readable-but-empty case as acceptable, as before, and now also accept
the actually-unreadable case, which can happen with crun 1.24.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

When checking that certain directories are masked, treat the
readable-but-empty case as acceptable, as before, and now also accept
the actually-unreadable case, which can happen with crun 1.24.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Drop the "omitempty" tag from the "json" tag on struct members that are
themselves structs, since the JSON encoder doesn't actually do that, per
golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Use the CutPrefix(), SplitSeq(), and FieldsSeq() functions from the
strings package when chopping up or iterating over parts of strings, per
golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Use the $PATH from the runtime config, if it includes one, so that when
the command to run isn't an absolute path and the command isn't being
processed by the shell, exec.Command()'s internal call to
exec.LookPath() will find it.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

When checking the platforms of the base images, if we encounter a
reference which includes both a tag and a digest, work around it like
the pull logic does: try it without the tag.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Fall back to creating a new builder with it if MountImage() fails on the
base image, because when the store is configured with its "imagestore"
option, that can happen.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

After narrowing down the list of parent directories which we might need
to exclude to those which are present in the base image, filter them out
of the layer diff as it is generated.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Add a note that we need a test binary built for the sake of a few
conformance tests, for people who run the conformance tests directly
instead of using the top-level makefile target.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Assume that if the destination location for an ADD or COPY has a
basename of ".", we're meant to treat it as a directory.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

When generating a checksum for files mounted into a container via
`--mount=type=bind`, ignore their `ModTime`, `AccessTime` and
`ChangeTime` so we can maintain cache-bust consistency with the `COPY`
command.
Closes: https://github.com/containers/buildah/issues/6291
Signed-off-by: flouthoc <flouthoc.git@gmail.com>

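The timestamp-insensitive checksum described in the commit above, as an added example rather than buildah's own code: it assumes a hypothetical `contentDigest` function over any `io/fs` tree and a constructed in-memory sample tree, and shows that changing only the mtime leaves the cache key unchanged while changing file content does not.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io/fs"
	"testing/fstest"
	"time"
)

// contentDigest hashes path, mode, size and bytes of every entry under fsys,
// deliberately ignoring ModTime/AccessTime/ChangeTime (WalkDir order is lexical).
func contentDigest(fsys fs.FS) (string, error) {
	h := sha256.New()
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		// Length-prefix every field so that field boundaries are unambiguous.
		fmt.Fprintf(h, "%d:%s|%o|", len(p), p, info.Mode())
		if info.Mode().IsRegular() {
			data, err := fs.ReadFile(fsys, p)
			if err != nil {
				return err
			}
			fmt.Fprintf(h, "%d:%s", len(data), data)
		}
		return nil
	})
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", h.Sum(nil)), nil
}

// sampleTree is a constructed stand-in for a bind-mounted build context.
func sampleTree(mtime time.Time, body string) fs.FS {
	return fstest.MapFS{
		"app/main.go": {Data: []byte(body), Mode: 0o644, ModTime: mtime},
		"app/etc":     {Mode: fs.ModeDir | 0o755, ModTime: mtime},
	}
}

func main() {
	fmt.Println(contentDigest(sampleTree(time.Unix(1, 0), "package main\n")))
}
```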
Make the history created-by field note when a label was unset, or if
one of the CLI flags that modify the timestamps in the layer was used,
so that the cache evaluation logic can take that into account.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

When there are no instructions to process, we try to reuse the base
image. When we've been told, out of band, to remove labels or
environment variables, or affect annotations, we still need to, though,
so check for values of more of those flags.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

When suppressing what we think are pulled-up directories at commit-time,
only do that when we're _not_ squashing the image, in which case we
really do need to output it into the one layer that our output image
will have.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

run: after we've picked up the exit status of the "main" process that
we're running, reap anything that was reparented to us before returning.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Now the bud --help output correctly reads that the default behavior when
--pull is not provided at all is "missing", and that the default value
for --pull if explicitly provided but without value is "always".
Fixes #6266.
Signed-off-by: Romain Geissler <romain.geissler@amadeus.com>

Add a test that causes parent directories of mount targets to be "pulled
up" if we're running on top of overlay in a situation where its native
diff method is available, and ensure that we can still avoid adding
those directories to the committed layer when we're the only reason they
were pulled up.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

When building images for a `manifest` list using `--platform`, the same
image is used for multiple platforms if the base is `scratch`; the
following PR adds a check to always verify the `platform` of the `cache`
with the `target`.
Closes: https://github.com/containers/podman/issues/18723
Signed-off-by: flouthoc <flouthoc.git@gmail.com>

Use the proxy environment variables http_proxy/HTTPS_PROXY/NO_PROXY to
handle the HTTP request.
Signed-off-by: Alexander Merkle <alexander.merkle@lauterbach.com>

What type of PR is this?
/kind feature
What this PR does / why we need it:
It implements --link for COPY and ADD instructions and enables the creation of
cacheable layers that can be reused independently across builds.
Follows buildkit `--link` specifications.
How to verify it
bats tests/bud.bats
Which issue(s) this PR fixes:
Fixes #4325
Does this PR introduce a user-facing change?
Yes, gives extra functionality to Containerfiles.
Signed-off-by: Joshua Arrevillaga <2004jarrevillaga@gmail.com>

Update the "bud with --cpu-shares" test to expect a cgroupsv2 value
computed using either the older formula or the newer one introduced in
github.com/opencontainers/cgroups v0.0.3, and give it a unique name so
that it can be selected more easily with bats's "--filter" flag.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

When SOURCE_DATE_EPOCH is passed in as a build-arg, treat it as we would
if it was passed in via the environment or its own CLI flag.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Unfortunately on a number of occasions, Buildah has been released
officially with a `-dev` suffix in the version number. Assist in
catching this mistake at release time by the addition of a simple
conditional test. Note that it must be positively enabled by a
magic env. var. before executing the system tests.
Also (thanks to @lsm5) update the TMT test to trigger the new
condition for future Fedora releases.
Signed-off-by: Chris Evich <cevich@redhat.com>