When a container is created with a specific uid and gid, also add the container
gid to the supplementary/additional groups.
Signed-off-by: Aditya R <arajan@redhat.com>
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Check that the inheritable capabilities are set to 0, even when we
explicitly try to add capabilities.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
The run-user test creates a test user with random UID and GID.
If the randomly-picked UID matches that of an existing account,
the test will flake because the account's default group will
almost certainly not match the one we generated.
Solution: only pick UIDs and GIDs that are not already present
in the container image.
Signed-off-by: Ed Santiago <santiago@redhat.com>
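The two commits above both depend on the account databases inside the image: the first adds the container gid to the supplementary groups, the second picks test UIDs/GIDs that are not already present. Below is an added example (not buildah's own code) that parses constructed /etc/passwd and /etc/group contents and implements both decisions; the file contents, function names and the ID range are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
	"strconv"
	"strings"
)

// Constructed /etc/passwd and /etc/group contents standing in for the files
// inside a container image (sample data, not taken from any real image).
const samplePasswd = `root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
app:x:1000:1000:app:/home/app:/bin/sh
`

const sampleGroup = `root:x:0:
daemon:x:1:
app:x:1000:
staff:x:50:app,daemon
`

// parseIDs returns the numeric ID (third field) of every entry in a
// passwd- or group-format file; malformed lines are skipped.
func parseIDs(content string) map[int]bool {
	ids := map[int]bool{}
	for _, line := range strings.Split(content, "\n") {
		fields := strings.Split(line, ":")
		if len(fields) < 3 {
			continue
		}
		if id, err := strconv.Atoi(fields[2]); err == nil {
			ids[id] = true
		}
	}
	return ids
}

// supplementaryGroups returns the GIDs a container process running as user
// with primary group gid should hold: the primary gid itself (the container
// gid the commit adds) followed by every group that lists the user as a
// member, with no duplicates.
func supplementaryGroups(groupContent, user string, gid int) []int {
	seen := map[int]bool{gid: true}
	gids := []int{gid}
	for _, line := range strings.Split(groupContent, "\n") {
		fields := strings.Split(line, ":")
		if len(fields) < 4 {
			continue
		}
		id, err := strconv.Atoi(fields[2])
		if err != nil {
			continue
		}
		for _, member := range strings.Split(fields[3], ",") {
			if member == user && !seen[id] {
				seen[id] = true
				gids = append(gids, id)
			}
		}
	}
	return gids
}

// pickUnusedID returns a random ID in [lo, hi] that is absent from the given
// passwd or group content, so a test account cannot collide with an existing
// one and inherit its default group. The seed is a parameter so the choice
// is reproducible in tests.
func pickUnusedID(seed int64, content string, lo, hi int) (int, error) {
	used := parseIDs(content)
	free := 0
	for id := lo; id <= hi; id++ {
		if !used[id] {
			free++
		}
	}
	if free == 0 {
		// every candidate is taken; fail instead of looping forever
		return 0, errors.New("no unused id in range")
	}
	r := rand.New(rand.NewSource(seed))
	for {
		id := lo + r.Intn(hi-lo+1)
		if !used[id] {
			return id, nil
		}
	}
}

func main() {
	fmt.Println("groups for app/1000:", supplementaryGroups(sampleGroup, "app", 1000))
	uid, err := pickUnusedID(42, samplePasswd, 1000, 60000)
	fmt.Println("unused uid:", uid, "err:", err)
}
```

A real implementation would read the files from the container's root filesystem and apply the same check to both /etc/passwd (for the UID) and /etc/group (for the GID); the parser above handles either format since only the third field matters.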
Add support for secrets. Secrets is a two-part flag that allows secret files to
be accessed for a certain RUN instruction, but not any other
instructions, as well as now showing up in the final image.
Signed-off-by: Ashley Cui <acui@redhat.com>
In addition to seeing if OCI runtimes exist with `skip_if_no_runtime`,
we double-check just in case.
Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
Tests for the following options are added:
- buildah run --runtime --runtime-flag
- buildah run --terminal
- buildah run with namespace flags (Fix a bug in the existing test)
Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
Golang's os.* functions return the name of the file/directory they
fail to use. We should not wrap these errors with the file/directory
names; doing so causes stuttering when the user sees the errors, and
huge error messages look bad.
Since this is just code cleanup, existing tests should handle the
changes.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
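An added example (my own, not code from buildah) of the stuttering this commit removes: os.Open already returns a *fs.PathError whose text carries the path, so a wrapper that repeats the path prints it twice. The path and function names below are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"strings"
)

// openConfigStuttering is the pattern the commit removes: it repeats the
// path that os.Open already recorded in the *fs.PathError it returns, so the
// user sees the name twice ("opening X: open X: no such file or directory").
func openConfigStuttering(path string) error {
	f, err := os.Open(path)
	if err != nil {
		return fmt.Errorf("opening %s: %w", path, err)
	}
	return f.Close()
}

// openConfig adds context about what was being attempted and lets the
// PathError carry the file name on its own.
func openConfig(path string) error {
	f, err := os.Open(path)
	if err != nil {
		return fmt.Errorf("reading build configuration: %w", err)
	}
	return f.Close()
}

// pathOccurrences counts how often the path appears in an error's text;
// anything above 1 is stuttering.
func pathOccurrences(err error, path string) int {
	if err == nil {
		return 0
	}
	return strings.Count(err.Error(), path)
}

// pathFromError shows that the wrapped error still carries the file name
// programmatically (via errors.As), so nothing is lost by not repeating it.
func pathFromError(err error) string {
	var pe *fs.PathError
	if errors.As(err, &pe) {
		return pe.Path
	}
	return ""
}

// isNotExist shows that errors.Is still sees through the wrapper.
func isNotExist(err error) bool {
	return errors.Is(err, fs.ErrNotExist)
}

func main() {
	// constructed path that is not expected to exist
	const p = "/nonexistent-constructed-dir/buildah.conf"
	fmt.Println("stuttering:", openConfigStuttering(p))
	fmt.Println("clean:     ", openConfig(p))
}
```

Wrapping with %w keeps the original error reachable for errors.Is/errors.As, so callers that need the path or the underlying errno still get them without the message repeating itself.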
Currently depending on the sort order of mount points, we can overmount
a volume specified by the user. Podman has a function sortMount that
sorts all mounts based on destination directory to ensure all mounts
show up. This PR moves the function from Podman to Buildah. Once merged
I will change Podman to use the buildah function.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
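To make the overmounting problem concrete, here is an added example of the ordering rule (my own illustration, not the sortMount function moved in this PR, whose exact implementation may differ): mounts are ordered parents-first so a later mount can never hide an earlier, deeper one. The Mount type is an assumed minimal stand-in for the OCI spec's mount entry, and the destinations are constructed.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// Mount is a minimal stand-in for the OCI runtime spec's Mount entry
// (assumed shape; only the fields the ordering needs).
type Mount struct {
	Destination string
	Source      string
	Type        string
}

// depth is the number of path components in a cleaned destination.
func depth(p string) int {
	return len(strings.Split(strings.Trim(path.Clean(p), "/"), "/"))
}

// sortMounts returns a copy ordered so that a directory is mounted before
// anything nested beneath it; otherwise the later parent mount would hide
// ("overmount") the child. Shallower destinations come first, and equal
// depths are ordered lexically so the result is deterministic.
func sortMounts(mounts []Mount) []Mount {
	out := make([]Mount, len(mounts))
	copy(out, mounts)
	sort.SliceStable(out, func(i, j int) bool {
		di, dj := depth(out[i].Destination), depth(out[j].Destination)
		if di != dj {
			return di < dj
		}
		return out[i].Destination < out[j].Destination
	})
	return out
}

// overmounted reports every destination that would be hidden by a later
// mount of one of its ancestors, i.e. the bug the sort prevents.
func overmounted(mounts []Mount) []string {
	var hidden []string
	for i := range mounts {
		child := path.Clean(mounts[i].Destination)
		for j := i + 1; j < len(mounts); j++ {
			parent := path.Clean(mounts[j].Destination)
			if parent != child && (parent == "/" || strings.HasPrefix(child, parent+"/")) {
				hidden = append(hidden, child)
				break
			}
		}
	}
	return hidden
}

// sampleMounts is a constructed set in the unlucky order a user could supply.
var sampleMounts = []Mount{
	{Destination: "/var/lib/app/data", Source: "/srv/data", Type: "bind"},
	{Destination: "/var", Source: "/srv/var", Type: "bind"},
	{Destination: "/tmp", Source: "tmpfs", Type: "tmpfs"},
	{Destination: "/var/lib", Source: "/srv/lib", Type: "bind"},
}

func main() {
	fmt.Println("hidden before sorting:", overmounted(sampleMounts))
	for _, m := range sortMounts(sampleMounts) {
		fmt.Println(m.Destination)
	}
	fmt.Println("hidden after sorting:", overmounted(sortMounts(sampleMounts)))
}
```

overmounted doubles as a cheap invariant check: running it over the final mount list before handing the spec to the runtime catches any ordering regression.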
November 2020, docker.io started restricting unauthenticated
image pulls. Try to work around this by using a custom
registries.conf file.
For the most part this means copying images from docker.io
to quay.io, via:
$ skopeo copy --all docker://docker.io/library/img:tag \
docker://quay.io/libpod/img:tag
...for the following values of 'img:tag':
busybox:musl
centos:7 centos:8 centos:latest
composer:latest
debian:latest ubuntu:latest
docker:latest
php:7.2
For each of those, it was necessary to go into the quay.io
GUI, click the image name, click the settings (gear) icon
at bottom left, click 'Make public', and confirm.
This process did not work in four instances, which required
special-casing:
commit.bats : openshift/hello-openshift did not match the
mirroring rules; I switched to alpine instead.
Nalin confirmed on IRC that there was no magic
reason for requiring hello-openshift.
pull.bats : change a SHA. AFAICT there was nothing magic
about the SHA being used, it was just a
convenient one for purposes of testing
pull-by-sha. I simply switched to the SHA
of an image present on quay.
registries.bats : was assuming that fedora-minimal shortname
would be pulled from fedora registry.
Unfortunately, we have a copy on quay
(for podman tests), so that's what we
pull by shortname, and it does not match
the SHA of the fedoraproject.org one.
Solution: pull by tag (fedora-minimal:32)
and hope that nobody ever mirrors that one
on quay.
run.bats : another pull-by-SHA, but this time I changed
the SHA to a named tag, and skopeo copy'd
that image from docker.io to the given name
on quay. This time there _is_ something
magic about that particular SHA (it's an
image with a specific volume quirk) but
there's no actual reason to reference it
by SHA - we simply did so because we have
no control over tag names on docker.io.
Since we control tag names on quay.io,
it's easy and more maintainable to give
this image a descriptive tag.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Currently if you give a bogus --network flag,
buildah just ignores it and continues on.
This change will throw proper errors.
Add tests to make sure it works correctly.
Also remove some stuttering to clean up error messages.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We have been asked to leak some container information
and image information into the container to be used
by certain tools. (Toolbox and others)
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
I can't remember why we disabled UTS namespaces for rootless isolation,
but it doesn't look necessary.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
If there's no network present in the container, don't bind
the /etc/hosts file as any changes to from the caller will
be lost when run exits. Ditto the /etc/resolv.conf file.
Addresses: #2478
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Buildah run was exiting with the correct exit code, when a container
failed. Buildah bud was not, so this should fix this.
Also switched to the proper exit codes when containers fail. When
Buildah fails to execute it will exit with a 125 exit code like
Podman does. If a command fails to execute inside of a container
we will exit with a 126. Currently we do not support the 127 for
exiting when the command does not exist.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
In porting containers.conf to libpod, we found that buildah needed
to handle the containers.conf on the server side rather than from
the CLI.
Since the `podman-remote build` would probably not have the same content
as containers.conf on the server, the processing of the defaults needs
to be handled in imagebuildah. The CapAdd and CapDrop values need to be
passed in.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Show of hands: who here loves submitting a PR, then coming back
hours later to find one job failed, then spending time poring
over logs and finding a network error? Anyone? Anyone?
This is a lame attempt to minimize such flakes by caching
commonly-used images and restoring them on demand. We
introduce a new helper, _prefetch(), which podman-pulls
an image the first time, podman-saves it, then on
subsequent calls (for the same image) podman-loads it:
@test foo {
_prefetch alpine busybox
...tests that run buildah-from either
}
This is an imperfect solution: it is incomplete and will
grow more so over time as new tests are added. It is
difficult to verify its coverage. I'm really unhappy
with it but if it works, the Total Sum Of Unhappiness
might decrease overall thanks to fewer flakes. If it
doesn't work, it's trivial to remove _prefetch calls
using a sed script. Shall we give it a chance?
Signed-off-by: Ed Santiago <santiago@redhat.com>
This is the manual part of the cleanup.
- remove most 'buildah rm's from cleanup steps
- remove unused variables
- use expect_output when possible, not 'test [ x = y ]'
- includes fixing some not-what-you-think-it-is uses
of run_buildah | grep
- be careful not to leave droppings in current directory
Special attention to:
- authenticate.bats: create Dockerfile in temp dir, not pwd!
- push.bats: remove broken output check
- registries.bats: refactor, remove duplicate tests & code
- rmi.bats: better checking of messages
- secrets.bats: use TESTDIR (tmp), not TESTSDIR (/usr/share) !
We don't want to leave droppings behind if we fail; this has
bitten us before. And, since there's only one test, there's
no need to override setup() / teardown(). Do setup inline,
and take advantage of existing defaults.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #2029
Approved by: rhatdan
Replace plain 'buildah' invocations with run_buildah
For ease of review, this commit was entirely machine-generated via:
$ perl -pi -e 's/^(\s+)buildah(\s)/${1}run_buildah${2}/' *.bats
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #2029
Approved by: rhatdan
Replace this pattern:
cid=$(buildah ...)
with:
run_buildah ...
cid=$output
As a special case, if the buildah command is 'from' and the
string 'scratch' does not appear in the arguments, add '--quiet'.
Otherwise we'll get Pulling messages as part of $output. This
is an overkill solution.
For ease of review, this commit was entirely machine-generated via:
$ perl -pi -e 's{^(\s+)(\S+)=\$\(buildah (.*)\)$}{$indent=$1;$var=$2;$cmd=$3; $cmd =~ s/(\bfrom)\s(?!.*scratch)/$1 --quiet $2/; "${indent}run_buildah $cmd\n$indent$var=\$output"}e' *.bats
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #2029
Approved by: rhatdan
PR #1935 removed the default --debug logging; so all run_buildah
calls now use the default (error). It is safe to remove unnecessary
instances of --log-level=error .
For ease of review, this commit was entirely machine-generated via:
$ perl -pi -e 's/ --log-level=error / /' *.bats
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #2029
Approved by: rhatdan
Thanks to Dmitry Smirnov @onlyjob for suggesting this tool.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1985
Approved by: TomSweeneyRedHat
(Replaces #1873 as it had lint issues that were timing out tests that I couldn't
track down easily)
Prior to this fix, if someone did `buildah bud --pull=false .` and the image in
the Containerfile's FROM statement was not local, the build would fail. The same
build on Docker will succeed. In Docker, when `--pull` is set to false, it only
pulls the image from the registry if there was not one locally. Buildah would never
pull the image and if the image was not locally available, it would throw an error.
In certain Kubernetes environments, this was especially troublesome.
To retain the old `--pull=false` functionality, I've created a new `--pull-never`
option that fails if an image is not locally available just like the old
`--pull=false` option used to do.
In addition, if there was a newer version of the image on the repository than
the one locally, the `--pull=true` option would not pull the image as it should
have, this corrects that.
Changes both the from and bud commands.
Addresses: #1675
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #1959
Approved by: rhatdan
Refactor many cumbersome BUILDAH_ISOLATION and 'which runc'
checks into common 'skip_if_{ chroot, rootless, no_runtime}'
calls.
This is in preparation for the next PR, which introduces
additional cgroups-v2 skips.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #1965
Approved by: rhatdan
Some Dockerfiles (fuse-overlay) require additional devices to be in the
build environment.
This patch allows the user to specify additional devices.
Also I noticed that CapAdd and CapDrop were not working in buildah bud situations,
so this patch also fixes this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1820
Approved by: @TomSweeneyRedHat
Container processes want to check for the existence of this file
to determine if they are running inside of a container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The previous log-level implementation does not seem to work, which is
now fixed and aligns to other projects like podman and CRI-O. Therefore
the `--debug` flag has been deprecated and is now hidden.
Added documentation as well as integration tests.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Closes: #1811
Approved by: rhatdan
When testing the --mount flag, don't add the "z" flag as a mount option
when mounting a tmpfs, since relabeling the "source" for that case
isn't supported.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
make the stdin pipe not blocking, so that it won't hang if the other
end is not reading from it.
Closes: https://github.com/containers/buildah/issues/1664
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1668
Approved by: rhatdan
...and make the "$output" argument implicit, as well as the
description text. This greatly simplifies its invocation.
Also: make it test for exact matches unless --substring
option is passed; this eases my mind about a few potentially
ambiguous situations such as the one in #1464.
Also: add comments to two truth-table check functions
Also: reorder some config checks alphabetically, for ease
of reading.
Thanks to Tom Sweeney for the suggestions and encouragement.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #1492
Approved by: rhatdan
This started off as bug fixes necessary to get BATS tests
actually working on RHEL8 (they weren't). It grew. I will
defend my actions in the first comment post.
Primary change: import some helpers from podman BATS tests,
most importantly 'run_buildah' and 'is'. The vast majority
of the changes you'll see here are of the form:
- run buildah ...
- [ $status = 0 ]
- [ check $output ]
+ run_buildah ... ! automatically checks status
+ is "$output" "..."
Also: chmod'ed some files -x. Necessary because rpmbuild tries
to be oh-so-clever about requirements, and when it sees an
executable file with a shebang line like '#!env bats' it
helpfully adds 'Requires: /usr/bin/bats' to the rpm, which
then fails to install because RHEL8 does not have bats.
Also: refactored duplicate code in a few places, by writing
and invoking module-specific helper functions.
Also: changed a handful of 'buildah's to run_buildah, in
order to get error checking and debug logging.
Also: added descriptive reasons to many "skip"s.
Also: selinux test: some tweakery to make it run on production
system (context is different if /usr/bin/buildah is chcon'ed
appropriately). I can't get this test to pass on Fedora from
a build dir, and I'm actually not convinced that this test
has ever passed, but let's see what CI shows.
Also: selinux test: skip broken test (#1465).
Also: version test: skip parts of it if running w/o sources.
Tests are now passing as root on RHEL8; rootless has numerous
failures which I don't believe are related to this PR.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #1472
Approved by: TomSweeneyRedHat
Break setup for built-in volumes into independent steps where we create
the volume's mount point, the directory that will hold its contents, and
if there is content under the mount point, populate the volume with the
mount point's contents.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1126
Approved by: rhatdan
Test that when a volume mount is in a location whose parent directory
doesn't already exist in the container, we create any missing
components in the path for it.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #997
Approved by: rhatdan
When we're testing with rootless isolation, skip tests that check that
we were able to influence namespace and control group settings, since we
hardwire namespace settings and don't try to configure control groups.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #873
Approved by: rhatdan
When using chroot isolation, if we're configured to raise any process
limits above their current values, do so in the grandparent process,
before it transfers execution to a child that it starts in a user
namespace, which won't have the privileges to do so.
The child can still lower resource limits and set limits to the values
that it inherited, so let it continue to do so.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #891
Approved by: rhatdan
We want to set the maximum number of processes and number of open files
to match the Docker defaults.
nofile=1048576:1048576, nproc=1048576:1048576
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #891
Approved by: rhatdan
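The two commits above fit together: the first says which resource limits can only be raised in the grandparent before it enters the user namespace, the second sets nofile/nproc to the Docker defaults. The following is an added example (my own, not buildah's chroot isolation code) of that decision, using the numbers quoted in the message; the Limit type, string resource names and splitLimits are assumptions for illustration, and the Getrlimit call only reads the live value.

```go
package main

import (
	"fmt"
	"syscall"
)

// Limit is a soft/hard pair in the shape of syscall.Rlimit.
type Limit struct{ Soft, Hard uint64 }

// dockerDefaultLimits is the nofile/nproc setting quoted in the commit
// message, keyed by resource name.
var dockerDefaultLimits = map[string]Limit{
	"RLIMIT_NOFILE": {Soft: 1048576, Hard: 1048576},
	"RLIMIT_NPROC":  {Soft: 1048576, Hard: 1048576},
}

// splitLimits decides, for chroot isolation, where each requested limit must
// be applied. Raising a hard limit above its current value needs privileges
// the user-namespaced child will not have, so it goes to the grandparent
// (before the namespace is entered); everything else (lowering a limit, or
// raising only the soft limit within the inherited hard limit) the child can
// do itself. A resource with no known current value is conservatively sent
// to the grandparent.
func splitLimits(current, requested map[string]Limit) (raiseInParent, setInChild map[string]Limit) {
	raiseInParent = map[string]Limit{}
	setInChild = map[string]Limit{}
	for name, want := range requested {
		have, known := current[name]
		if !known || want.Hard > have.Hard {
			raiseInParent[name] = want
		} else {
			setInChild[name] = want
		}
	}
	return raiseInParent, setInChild
}

// currentNofile reads the real RLIMIT_NOFILE of this process so main can
// show the decision against live values (Linux/macOS); it never raises
// anything.
func currentNofile() (Limit, error) {
	var rl syscall.Rlimit
	if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &rl); err != nil {
		return Limit{}, err
	}
	return Limit{Soft: uint64(rl.Cur), Hard: uint64(rl.Max)}, nil
}

func main() {
	nofile, err := currentNofile()
	if err != nil {
		fmt.Println("getrlimit:", err)
		return
	}
	parent, child := splitLimits(map[string]Limit{"RLIMIT_NOFILE": nofile}, dockerDefaultLimits)
	fmt.Println("current nofile:", nofile)
	fmt.Println("raise in grandparent:", parent)
	fmt.Println("set in child:", child)
}
```

The asymmetry is the whole point: an unprivileged process inside the user namespace may lower either limit or move the soft limit anywhere up to the hard limit, but may not raise the hard limit, so only that last case has to be done early.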
When testing volumes as part of checking that "run" is working
correctly, use the ":z" flag if we detect SELinux support to avoid false
negatives.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #876
Approved by: nalind
Add RunOptions and BuildOptions flags for modifying the list of granted
capabilities from the default.
Default to granting the current (as of this writing) defaults from
runtime-tools, with CAP_NET_RAW removed:
* CAP_AUDIT_WRITE
* CAP_CHOWN
* CAP_DAC_OVERRIDE
* CAP_FOWNER
* CAP_FSETID
* CAP_KILL
* CAP_MKNOD
* CAP_NET_BIND_SERVICE
* CAP_SETFCAP
* CAP_SETGID
* CAP_SETPCAP
* CAP_SETUID
* CAP_SYS_CHROOT
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #799
Approved by: rhatdan
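An added example (my own, not buildah's implementation) that turns the default list above into the resulting capability sets after --cap-drop and --cap-add are applied, and that keeps the inheritable set empty even when capabilities are added, which is what the "inheritable capabilities are set to 0" test near the top of this log checks. The CapabilitySets type and the resolveCapabilities/normalizeCap names are assumptions; "ALL" is modelled for --cap-drop only, since the full kernel capability list is not embedded here.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// defaultCapabilities is the default set listed in the commit message
// (runtime-tools defaults at the time, minus CAP_NET_RAW).
var defaultCapabilities = []string{
	"CAP_AUDIT_WRITE", "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_MKNOD", "CAP_NET_BIND_SERVICE",
	"CAP_SETFCAP", "CAP_SETGID", "CAP_SETPCAP", "CAP_SETUID", "CAP_SYS_CHROOT",
}

// CapabilitySets mirrors the per-set layout of an OCI process spec
// (assumed minimal shape). Inheritable is deliberately never populated.
type CapabilitySets struct {
	Bounding, Effective, Permitted, Inheritable, Ambient []string
}

// normalizeCap accepts "chown", "CHOWN" or "CAP_CHOWN" and returns the
// canonical CAP_ form.
func normalizeCap(name string) string {
	name = strings.ToUpper(strings.TrimSpace(name))
	if !strings.HasPrefix(name, "CAP_") {
		name = "CAP_" + name
	}
	return name
}

// resolveCapabilities applies --cap-drop and then --cap-add on top of the
// default set and returns the resulting sets. Drops are applied first so
// that "--cap-drop=ALL --cap-add=CHOWN" yields exactly CAP_CHOWN.
func resolveCapabilities(capAdd, capDrop []string) CapabilitySets {
	set := map[string]bool{}
	for _, c := range defaultCapabilities {
		set[c] = true
	}
	for _, c := range capDrop {
		c = normalizeCap(c)
		if c == "CAP_ALL" {
			set = map[string]bool{}
			continue
		}
		delete(set, c)
	}
	for _, c := range capAdd {
		set[normalizeCap(c)] = true
	}
	caps := make([]string, 0, len(set))
	for c := range set {
		caps = append(caps, c)
	}
	sort.Strings(caps)
	return CapabilitySets{
		Bounding:  caps,
		Effective: caps,
		Permitted: caps,
		// Inheritable stays empty even when capabilities are added; the
		// ambient set follows, since ambient requires inheritable.
		Inheritable: nil,
		Ambient:     nil,
	}
}

// hasCap reports whether name is present in a capability list.
func hasCap(caps []string, name string) bool {
	for _, c := range caps {
		if c == normalizeCap(name) {
			return true
		}
	}
	return false
}

func main() {
	sets := resolveCapabilities([]string{"net_raw"}, []string{"CAP_SYS_CHROOT"})
	fmt.Println("effective:", sets.Effective)
	fmt.Println("inheritable:", sets.Inheritable)
}
```

Leaving the inheritable set empty is what stops a capability from surviving an execve of a binary that has file capabilities set on it: the process keeps its bounding/permitted/effective grant, but nothing is passed along implicitly.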
Make sure that we don't trigger error messages in runc when $TMPDIR,
which affects os.TempDir(), is itself a symbolic link.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #746
Approved by: rhatdan
RunOptions.Mounts has been mistakenly ignored since #700; handle them.
Process the options on the bind mounts in RunOptions.Mounts the same way
we handle the ones in Builder.CommonBuildOpts.Volumes, so that flags
that control read-only/read-write usage, SELinux labeling, and mount
propagation will work.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #739
Approved by: rhatdan