When building the slice of environment variables to add to the
configuration for a container that we're about to run, in case of
conflicts, we want the values from the base image or working container
to override the global defaults, and we want values that were passed to
us through the API to override them both.
In cases of conflicts, values which occur later in the slice override
values which occurred earlier, so we want to add them in this order:
* values from containers.conf
* values from the base image or working container
* values passed to us through the API
We previously applied the containers.conf defaults after the base image
or working container's value, and that meant that containers.conf's
values always took precedence over the values in the image.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
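The precedence rule above, as an added example that is not code from the buildah repository: `envSlice` assembles the slice in the fixed order (containers.conf, then image or working container, then API), `legacyEnvSlice` reproduces the ordering the commit replaces, and `effectiveEnv` resolves duplicates the way a consumer of the slice does, so that "later in the slice wins" becomes visible. The function names and the sample variables are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// envName returns the variable name of a KEY=VALUE entry (the whole string
// when there is no '=').
func envName(kv string) string {
	if i := strings.IndexByte(kv, '='); i >= 0 {
		return kv[:i]
	}
	return kv
}

// envSlice assembles the environment in the order the commit describes:
// containers.conf defaults first, then the base image or working container,
// then values passed in through the API. Nothing is deduplicated here; the
// "later in the slice wins" rule is applied by whoever consumes the slice.
func envSlice(confDefaults, imageEnv, apiEnv []string) []string {
	env := make([]string, 0, len(confDefaults)+len(imageEnv)+len(apiEnv))
	env = append(env, confDefaults...)
	env = append(env, imageEnv...)
	env = append(env, apiEnv...)
	return env
}

// legacyEnvSlice reproduces the ordering the commit replaces: the image's
// values first and containers.conf after them, so a containers.conf default
// silently beat anything the image had set.
func legacyEnvSlice(confDefaults, imageEnv, apiEnv []string) []string {
	env := make([]string, 0, len(confDefaults)+len(imageEnv)+len(apiEnv))
	env = append(env, imageEnv...)
	env = append(env, confDefaults...)
	env = append(env, apiEnv...)
	return env
}

// effectiveEnv resolves duplicates the way a runtime does: for each variable
// name, the last occurrence in the slice is the one that takes effect.
func effectiveEnv(env []string) map[string]string {
	out := make(map[string]string, len(env))
	for _, kv := range env {
		name := envName(kv)
		value := strings.TrimPrefix(strings.TrimPrefix(kv, name), "=")
		out[name] = value
	}
	return out
}

func main() {
	// Constructed sample inputs for the three sources.
	conf := []string{"PATH=/usr/bin", "TZ=UTC"}
	image := []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/bin", "HOME=/root"}
	api := []string{"TZ=Europe/Paris"}
	fmt.Println("fixed order: ", effectiveEnv(envSlice(conf, image, api)))
	fmt.Println("legacy order:", effectiveEnv(legacyEnvSlice(conf, image, api)))
}
```

With the sample inputs the fixed order keeps the image's PATH and the API's TZ, while the legacy order lets the containers.conf PATH win over the image's.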
In porting containers.conf to libpod, we found that buildah needed
to handle the containers.conf on the server side rather than from
the CLI.
Since the `podman-remote build` would probably not have the same content
as containers.conf on the server, the processing of the defaults needs
to be handled in imagebuildah. The CapAdd and CapDrop values need to be
passed in.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This is a rework of Qi Wang's patches.
Import package pkg/config from containers/common to read containers.conf
This patch allows users to specify default values stored in containers.conf
that will modify the behaviour of buildah tool.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #2011
Approved by: TomSweeneyRedHat
Podman uses the overlay mounts differently than in buildah. Specifically the
overlay mount points can be used over and over again when starting and stopping
the container. Since the paths are baked into the container config, we have
to be able to clean out just the Upper and Merged directory rather than destroying
and recreating the overlay directories on each container start.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1822
Approved by: vrothberg
If host is running in fips mode, then RHEL8.2 and beyond container images
will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
order to make all tools in the container follow the FIPS Mode rules.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We have moved shared code from buildah, podman and others into containers/common.
Specifically for this PR we are moving to use containers/common/pkg/unshare and
containers/common/pkg/cgroups.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #2010
Approved by: QiWang19
If disableFips is set, then we don't mount the FIPS
secret even if the machine is in FIPS mode. This is
to help users run workloads that are not FIPS compliant
in openshift even if their machine is in FIPS mode.
This is needed in CRI-O.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
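The two FIPS commits above (the bind mount of the image's FIPS back-end directory, and the disableFips switch) as one added example; this is not buildah's or CRI-O's code. `hostInFIPSMode` reads the kernel's `/proc/sys/crypto/fips_enabled` flag, and `fipsMount` returns a bind-mount description only when the host is in FIPS mode, the caller has not disabled it, and the image actually ships `/usr/share/crypto-policies/back-ends/FIPS`. The `Mount` type, the function names and the read-only mount options are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Mount is a minimal bind-mount description, a stand-in for the OCI
// runtime-spec Mount type (this type is local to the example).
type Mount struct {
	Source      string
	Destination string
	Type        string
	Options     []string
}

const (
	// fipsProcFile is the kernel flag that reports FIPS mode; it reads "1"
	// when the host booted with fips=1.
	fipsProcFile = "/proc/sys/crypto/fips_enabled"
	// fipsPolicyDir is where RHEL 8.2+ images ship the FIPS back-end
	// policy, relative to the image root.
	fipsPolicyDir = "usr/share/crypto-policies/back-ends/FIPS"
	// cryptoPoliciesDir is the path the crypto libraries inside the
	// container read their policy from.
	cryptoPoliciesDir = "/etc/crypto-policies/back-ends"
)

// hostInFIPSMode reports whether the flag file at procPath says the host
// is in FIPS mode. Pass fipsProcFile for the real check.
func hostInFIPSMode(procPath string) bool {
	data, err := os.ReadFile(procPath)
	if err != nil {
		return false // no flag file means no FIPS mode (or not Linux)
	}
	return strings.TrimSpace(string(data)) == "1"
}

// fipsMount decides whether a container rooted at rootfs gets the FIPS
// bind mount. It returns nil and no error when no mount is needed: the
// host is not in FIPS mode, the caller set disableFIPS, or the image does
// not ship the FIPS policy directory (pre-8.2 or non-RHEL images).
func fipsMount(hostFIPS, disableFIPS bool, rootfs string) (*Mount, error) {
	if !hostFIPS || disableFIPS {
		return nil, nil
	}
	src := filepath.Join(rootfs, fipsPolicyDir)
	info, err := os.Stat(src)
	if errors.Is(err, os.ErrNotExist) {
		return nil, nil
	}
	if err != nil {
		return nil, err
	}
	if !info.IsDir() {
		return nil, fmt.Errorf("%s exists but is not a directory", src)
	}
	// Read-only is this example's choice: the container has no business
	// editing the policy the host selected for it.
	return &Mount{
		Source:      src,
		Destination: cryptoPoliciesDir,
		Type:        "bind",
		Options:     []string{"bind", "ro", "nodev", "nosuid", "noexec"},
	}, nil
}

func main() {
	// rootfs is assumed to be an already-mounted image root; adjust as needed.
	rootfs := "/tmp/example-rootfs"
	m, err := fipsMount(hostInFIPSMode(fipsProcFile), false, rootfs)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if m == nil {
		fmt.Println("no FIPS mount needed")
		return
	}
	fmt.Printf("mount -t %s -o %s %s %s\n", m.Type, strings.Join(m.Options, ","), m.Source, m.Destination)
}
```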
Some Dockerfiles (fuse-overlay) require additional devices to be in the
build environment.
This patch allows the user to specify additional devices.
Also I noticed that CapAdd and CapDrop were not working in buildah bud situations,
so this patch also fixes this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1820
Approved by: @TomSweeneyRedHat
Container processes want to check for the existence of this file
to determine if they are running inside of a container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add a DryRun flag to AddAndCopyOptions, so that we can "copy" content to
digest it.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1792
Approved by: TomSweeneyRedHat
fix the detection code for running in a user namespace. When buildah
is running in rootless mode, a user namespace is automatically created
even if there are no mappings configured.
Closes: https://github.com/containers/libpod/issues/2972
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1775
Approved by: rhatdan
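The detection problem described in the commit above, as an added example that is not the buildah code: in the initial user namespace `/proc/self/uid_map` holds exactly one identity line (`0 0 4294967295`); anything else, including an empty file, means a user namespace exists. Treating an empty map as "not in a namespace" is the mistake the commit fixes, because rootless buildah creates the namespace before any mapping is written. The function names are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// identityMap is the single line the initial user namespace shows in
// /proc/self/uid_map: IDs 0.. mapped onto themselves across the full range.
const identityMap = "0 0 4294967295"

// inUserNamespaceFrom interprets the contents of a uid_map file. Only the
// identity mapping means "initial namespace"; an empty map, a different
// single mapping, or several mappings all mean a user namespace was created.
func inUserNamespaceFrom(uidMap string) bool {
	var lines []string
	for _, l := range strings.Split(uidMap, "\n") {
		if strings.TrimSpace(l) != "" {
			lines = append(lines, l)
		}
	}
	if len(lines) != 1 {
		return true // empty (no mappings yet), or more than one mapping
	}
	// Normalize the kernel's column padding before comparing.
	return strings.Join(strings.Fields(lines[0]), " ") != identityMap
}

// inUserNamespace reads the calling process's own map and classifies it.
func inUserNamespace() (bool, error) {
	data, err := os.ReadFile("/proc/self/uid_map")
	if err != nil {
		return false, err
	}
	return inUserNamespaceFrom(string(data)), nil
}

func main() {
	in, err := inUserNamespace()
	if err != nil {
		fmt.Println("cannot read uid_map:", err)
		return
	}
	fmt.Println("running inside a user namespace:", in)
}
```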
This commit enabled the `unparam` linter and applies all reported issues.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Closes: #1719
Approved by: rhatdan
Fix an out-of-range panic in buildah-run by moving the call to
setNonbloc() to the appropriate place (i.e., only when the copyPipes
parameter is set).
Replaces #1672. Needed to make two smaller functions to make gofmt
happy.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #1674
Approved by: rhatdan
make the stdin pipe not blocking, so that it won't hang if the other
end is not reading from it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1668
Approved by: rhatdan
make the stdin pipe not blocking, so that it won't hang if the other
end is not reading from it.
Closes: https://github.com/containers/buildah/issues/1664
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1668
Approved by: rhatdan
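The hang these commits address, shown as an added example that is not buildah's code: a pipe whose read end nobody services accepts writes only until the kernel buffer is full, after which a blocking `write(2)` never returns. `fillPipe` creates such a pipe, optionally switches the write end to non-blocking with `syscall.SetNonblock`, and reports how much it could write and whether it hit `EAGAIN`. Raw file descriptors are used deliberately, because `(*os.File).Fd()` puts the descriptor back into blocking mode. The function name and chunk sizes are this example's own.

```go
package main

import (
	"fmt"
	"syscall"
)

// fillPipe creates a pipe nobody reads from and writes chunk into it up to
// maxWrites times. With nonblock set, the write end is switched to
// O_NONBLOCK first, so once the pipe buffer is full write(2) fails with
// EAGAIN and the function returns instead of hanging. With nonblock false
// and enough writes to overfill the buffer the loop would block forever,
// which is the hang the commit avoids on the container's stdin pipe.
// It returns the bytes written and whether EAGAIN was observed.
func fillPipe(chunk []byte, maxWrites int, nonblock bool) (written int, wouldBlock bool, err error) {
	var fds [2]int
	if err := syscall.Pipe(fds[:]); err != nil {
		return 0, false, err
	}
	defer syscall.Close(fds[0])
	defer syscall.Close(fds[1])

	if nonblock {
		if err := syscall.SetNonblock(fds[1], true); err != nil {
			return 0, false, err
		}
	}
	for i := 0; i < maxWrites; i++ {
		n, err := syscall.Write(fds[1], chunk)
		if n > 0 {
			written += n
		}
		if err == syscall.EAGAIN {
			return written, true, nil // buffer full; a blocking write would hang here
		}
		if err != nil {
			return written, false, err
		}
	}
	return written, false, nil
}

func main() {
	chunk := make([]byte, 4096)
	// Non-blocking: stops as soon as the kernel buffer (64 KiB by default
	// on Linux) is full.
	n, blocked, err := fillPipe(chunk, 1<<20, true)
	fmt.Printf("non-blocking: wrote %d bytes, EAGAIN=%v, err=%v\n", n, blocked, err)
	// Blocking, but with few enough writes to stay inside the buffer.
	n, blocked, err = fillPipe(chunk, 4, false)
	fmt.Printf("blocking (small): wrote %d bytes, EAGAIN=%v, err=%v\n", n, blocked, err)
}
```

Do not run the blocking variant with a large `maxWrites`: that is the hang itself, and the only way out is to kill the process.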
Fix handling of ID mapping for COPY: when copying from other containers,
use their mappings, and when copying from the host, use host mappings.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1630
Approved by: TomSweeneyRedHat
There is a chance that buildah crashed and left overlay
content. This patch will remove any left over content
before creating the overlay mounts.
Also the previous patch would not be able to handle multiple
overlay volume mounts. This patch fixes this issue as well.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1625
Approved by: TomSweeneyRedHat
check that the sysctl we'd like to use is supported by the kernel
before using it.
Closes: https://github.com/containers/buildah/issues/1618
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1619
Approved by: rhatdan
Checks to see if the $HOME envvar has been set
and if not, tries to set it as best as possible.
Fixes: #1592
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #1594
Approved by: rhatdan
Overlay mounts allow buildah bud and buildah from to
specify a directory on the disk that will be mounted
as an overlay into the container, where the overlay can be written to
but when the RUN or buildah run exits, the modified files will disappear.
The basic idea is to be able to mount cache from the disk for things like yum/dnf/apt
to be able to be used and modified in the container on a run command, but to be
kept fresh for each RUN.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1560
Approved by: giuseppe
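The overlay lifecycle described in the commit above, together with the two earlier overlay commits (cleaning out leftovers from a crashed run before creating the mount, and clearing only Upper and Merged so the paths baked into a container config can be reused), as one added example; this is not buildah's overlay package. `newOverlay` lays out upper/work/merged under a scratch directory with the host cache as the read-only lower layer, `Options` produces the `lowerdir=,upperdir=,workdir=` string for `mount -t overlay`, and `Reset` discards what a RUN wrote while keeping the lower cache and the directory paths. The type and function names are this example's own; the actual mount(2) call needs privileges and is left to the caller.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// OverlayMount records the directories behind one overlay volume: the host
// cache directory as the read-only lower layer, plus the upper, work and
// merged directories created under a scratch base directory.
type OverlayMount struct {
	Base   string
	Lower  string
	Upper  string
	Work   string
	Merged string
}

// newOverlay lays out the directories for an overlay of lower under base.
// Anything left behind by a crashed earlier run is removed first, so stale
// upper-layer content never leaks into the build.
func newOverlay(lower, base string) (*OverlayMount, error) {
	if fi, err := os.Stat(lower); err != nil || !fi.IsDir() {
		return nil, fmt.Errorf("overlay lower %q is not a directory", lower)
	}
	m := &OverlayMount{
		Base:   base,
		Lower:  lower,
		Upper:  filepath.Join(base, "upper"),
		Work:   filepath.Join(base, "work"),
		Merged: filepath.Join(base, "merged"),
	}
	for _, d := range []string{m.Upper, m.Work, m.Merged} {
		if err := os.RemoveAll(d); err != nil {
			return nil, err
		}
		if err := os.MkdirAll(d, 0o700); err != nil {
			return nil, err
		}
	}
	return m, nil
}

// Options is the option string for an overlay mount whose target is Merged:
//   mount -t overlay overlay -o <Options()> <Merged>
func (m *OverlayMount) Options() string {
	return fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", m.Lower, m.Upper, m.Work)
}

// Reset throws away what the container wrote but keeps the paths, so a
// container config that has them baked in can mount the same overlay again
// on the next start. Only Upper and Merged are cleared; the lower cache is
// untouched, which is why every RUN sees a fresh copy of it. Call it only
// after the overlay has been unmounted.
func (m *OverlayMount) Reset() error {
	for _, d := range []string{m.Upper, m.Merged} {
		if err := os.RemoveAll(d); err != nil {
			return err
		}
		if err := os.MkdirAll(d, 0o700); err != nil {
			return err
		}
	}
	return nil
}

// Destroy removes the whole scratch tree once the container is gone.
func (m *OverlayMount) Destroy() error {
	return os.RemoveAll(m.Base)
}

func main() {
	// Constructed paths; the lower directory must exist.
	lower := "/var/cache/dnf"
	m, err := newOverlay(lower, "/tmp/example-overlay")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("mount -t overlay overlay -o %s %s\n", m.Options(), m.Merged)
}
```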
Rootless mode was ignoring the --shm-size option.
For some reason the test that would have caught this was disabled.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1595
Approved by: vrothberg
In a prior PR, we were creating the directory from the
translated symlink onto the host container. Instead
try to create that in the container and if it exists
already, just continue.
Fixes: #1562
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #1565
Approved by: rhatdan
The podman remote-client for windows pulls in some buildah code for
things like commit and build. We need to perform some slight
refactoring of buildah code to accommodate that build.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1551
Approved by: rhatdan
The goal here is to allow ourselves to cross compile buildah for a darwin
target. We are doing this to eventually protect from regressions that could
creep into buildah so we don't dig ourselves a deeper hole.
The simplified and non-variable approach to the make darwin was done with
intent to keep this simple until we can exploit things a little more.
Once this PR merges, I will create a CI test that will test for regressions
on a make darwin. We should also be doing a gofmt with a darwin target so the
!linux|darwin tagged files are also checked for completeness. Initially the
test can be optional for passing with the long-term idea that it be made
a firm requirement at the buildah maintainers' behest.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #840
Approved by: rhatdan