Add an OmitLayerHistoryEntry field to CommitOptions, which more or less
causes us to reproduce our base image, except with PrependedEmptyLayers,
AppendedEmptyLayers, PrependedLinkedLayers, AppendedLinkedLayers, and
config changes still added in.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When checking /proc/self/mountinfo for a root filesystem, also match "/"
mounted with "rw" as its only mount option, as an alternative to being
mounted with "rw" and other options at the same time.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Pass BUILDAH_RUNTIME through to tests that we run inside of containers,
and discard the CI_DESIRED_RUNTIME variable, which sort of did the same
thing. We still set OCI to the name of the runtime because tests
consult it directly.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When adding an unprivileged user to run tests as, ensure that the
primary and supplemental groups are not repeated, and that at least one
supplemental group is outside of the user's subgid range. When skipping
a test because the invoking user doesn't have any supplemental groups,
log the user's IDs.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Exercise preservation of supplemental groups in the tests that use
`buildah build` and `buildah from` with `--group-add keep-groups`.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a unit test that commits OCI layouts with various types of
compression specified, and verifies that the layers end up written with
the desired compression and media type descriptors.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Without this change, specifying `Compression: imagebuildah.Zstd` in
`imagebuildah`'s `BuildOptions` fails, so it is not possible to push
cache to a registry with zstd compression.
Note this is only applicable to OCI manifests.
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
Dynamically link sqlite3 when installed. The main motivation is that we
reduce the podman binary size with that. I see about 3.2 MB savings.
But also dynamically linking it means if there are vulnerabilities only
the sqlite3 distro package needs updating and we don't have to make a
new podman release with the vendored update.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When using either --source-date-epoch or --timestamp, default to not
adding a label with our version number in it, since it can change
between builds.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Consistently use --releasever instead of --release in dnf examples
* Remove trailing whitespace
* Use --use-host-config --setopt "*.countme=false" when running dnf with
an empty --installroot
* Use Fedora 42 instead of Fedora 30 in examples
* Block quote console examples in tutorials
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Set up permissions on the scanner output directory so that scanners
whose images specify that they be run as non-root users can still write
to it. The most recent syft image exposed our bug.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When using either --source-date-epoch or --timestamp, make sure that
handling of RUN instructions uses a defined hostname if possible, and
commits using a reference to a static container name.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use $SOURCE_DATE_EPOCH as the default for the --source-date-epoch flag
to the "build" CLI.
When a source-date-epoch is set, we'll use it when writing new history
entries, force timestamps in data written for --output to the specified
timestamp, and populate a "SOURCE_DATE_EPOCH" ARG that we treat as
always being set, and which we don't complain about being left unused.
By default, this will not affect timestamps in newly-added layers.
Add a --rewrite-timestamp flag, which "clamps" timestamps in newly-added
layers to not be later than the --source-date-epoch value if the
--source-date-epoch flag is set, but has no effect otherwise.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a --source-date-epoch flag, defaulting to $SOURCE_DATE_EPOCH if set,
which sets the created-on date and the timestamp for the new history
entries, but does not default to modifying the timestamps on contents in
new layers.
Add a --rewrite-timestamp flag, which "clamps" timestamps in the new
layers to not be later than the --source-date-epoch value if both
the --rewrite-timestamp and --source-date-epoch flags were set.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
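
The "clamping" that the two --rewrite-timestamp messages above describe, as an added Go example that is not Buildah's own code: entries newer than the epoch are lowered to it and older ones are left alone, so two builds run at different times yield byte-identical layers. The names `clampLayer` and `sampleLayer`, the file names, and all timestamps are constructed for illustration, and only the modification time is handled.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"time"
)

// clampLayer copies a tar layer, lowering any mtime later than epoch to epoch.
func clampLayer(dst io.Writer, src io.Reader, epoch time.Time) error {
	tr, tw := tar.NewReader(src), tar.NewWriter(dst)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return tw.Close()
		} else if err != nil {
			return err
		}
		if hdr.ModTime.After(epoch) {
			hdr.ModTime = epoch // clamp only; older timestamps are kept as-is
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return err
		}
		if _, err := io.Copy(tw, tr); err != nil {
			return err
		}
	}
}

// sampleLayer builds a constructed layer: one old file, one stamped buildTime.
func sampleLayer(buildTime int64) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for i, sec := range []int64{1600000000, buildTime} {
		name := []string{"etc/old.conf", "usr/bin/new"}[i]
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: 4, ModTime: time.Unix(sec, 0)})
		tw.Write([]byte("data"))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	a, b, epoch := new(bytes.Buffer), new(bytes.Buffer), time.Unix(1700000000, 0) // constructed epoch
	clampLayer(a, bytes.NewReader(sampleLayer(1800000000)), epoch)
	clampLayer(b, bytes.NewReader(sampleLayer(1900000000)), epoch)
	fmt.Println("identical after clamping:", bytes.Equal(a.Bytes(), b.Bytes()))
}
```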