This is much scarier than I had intended. The intention is to
start migrating from 'expect_output' and to use 'assert'
instead; the reason is that 'assert' allows much more
flexibility, particularly negative tests.
We've long wanted something like "assert that output does
not contain 'foo'". I've been too lazy to implement it,
but last week I noticed code in bud.bats that does:
! expect_output "sdfsdfsdf"
This is a really super bad idea: although it works fine when
things are good and tests pass, it's a disaster when tests
fail because the poor person debugging test output now sees
a test failure log, and starts tracking it down, and then
much later realizes that it was an intentional failure but
the '!' was negating it, and all that track-down work was
wasted.
To keep this PR reasonable, I'm keeping all positive uses
of expect_output untouched. We can migrate those (if desired)
over time. All negative uses are now assertions.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Between runc-1.0.0-70.rc92 and 1.0.1-3, debug messages changed
entirely. Old runc is a short and sweet list:
time="..." level=debug msg="nsexec:601 nsexec started"
time="..." level=debug msg="child process in init()"
time="..." level=debug msg="logging has already been configured"
New runc is pages and pages of gobbledygook which I'm not going to
paste here but which, basically, is completely different. Better,
because most messages now include "runc", but different.
These buildah tests need to pass in environments with old and
new runc. As best I can determine, the "child process in init"
message is the only string common to both old and new runc.
Use it as our gauge. (Note: I considered using a regex pattern
containing both "nsexec" and "runc". That's less maintainable.
If/when runc changes debug messages again, we may need to go
that route, but for now let's keep things clean).
Signed-off-by: Ed Santiago <santiago@redhat.com>
Fixes#3365
Given a near daily release of Fedora updates, some addressing security
issues, it's safest for users to always have an updated version-tagged
image. The cost of this is more image churn, but for a relatively small
image this should hopefully be a minor burden vs improved security.
Note: This is not a perfect solution, as there may be no
hard-dependencies between buildah and other packages with security
updates. However it is an improvement over the previous regime where we
simply pushed the latest version-tagged image once, then never touched
it again.
Minor: Rename `gen_fqin` identifier to `reponame_reg` to be more
consistent with it's sister block `containers_reg`.
Signed-off-by: Chris Evich <cevich@redhat.com>
In prepare(), don't check if the image name that it's passed is a
pseudonym for the result of a stage in the Dockerfile. Its callers
already did that.
When execute() knows that the image it's told to use as a base is a
pseudonym for the result of another stage in the Dockerfile, force the
pull policy to "never" to prevent an error when --pull-always=true.
Make imagebuildah.Mount a type alias instead of its own type, since we
never needed it to be a distinct type.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
By proxy by vendoring containers/common. Previously, a "dangling" image
was an untagged image; just a described in the Docker docs. The
definition of dangling has now been refined to an untagged image without
children to be compatible with Docker.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Base images don't have shadow-utils permissions set correctly, this
change should speed up the building of images a little bit.
[NO TESTS NEEDED] This does not change buildah in any way, so no need to
tests.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Existing specific version number requirement is misleading; discussion
in https://github.com/containers/podman/issues/10100. Consensus there
and in #3295 is to avoid specific version numbers.
Signed-off-by: Steve Traugott <stevegt@t7a.org>
Since this workflow is duplicated across three repositories, maintaining
changes becomes onerous if the item contents vary between
implementations in any way. Improve this situation by encoding the
repository-specific details into env. vars. then referencing those vars
throughout. This way, a meaningful diff can be worked with to compare
the contents across repositories.
Also included are abstractions for the specific command used to obtain
the project version, and needed details for filtering the output. Both
of these vary across the Buildah, Skopeo, and Podman repos.
***NOTE:*** This change requires the names of two github action secrets
to be updated: `BUILDAH_QUAY_USERNAME` -> `REPONAME_QUAY_USERNAME`
(and `*PASSWORD`).
Signed-off-by: Chris Evich <cevich@redhat.com>
Blake Burkhart reports that when running processes using "chroot"
isolation, the process being run can examine the environment of its
immediate parent and grandparent processes (CVE-2021-3602).
When run in a container in a CI/CD environment, the environment may
include sensitive information which was shared with the container in
order to be used only by buildah itself. The command being executed is
able to read such information.
This patch reduces the set of environment variables passed to these
intermediate processes, from all variables to the one which is used to
control the level of debug logging. It also corrects a misleading debug
message and expands the description of chroot isolation in man pages.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add new `buildah source {create,add,push,pull}` commands. All commands
are marked as experimental. None of it is meant to be officially
supported at the time of writing. All code resides in `internal/source`
and is hence not visible to external consumers of Buildah; just to be
on the safe side.
A source container or source image is an OCI artifact, that is an OCI
image with custom config (media type). There is a longer history behind
source images which are intended to ship the source artifacts of an
ordinary "executable" container image. Until now, source images at
Red Hat are built with github.com/containers/BuildSourceImage. We had a
growing desire (and always the long-term plan) to eventually replace
BuildSurceImage with something else, in this case Buildah.
This commit adds the initial base functionality along with tests to make
sure we're not regressing. The new commands do the following:
* `create` - creates an empty and initialized source image
* `add` - tar up a local path and add it as a layer to the souce image
* `push/pull` - intentionally separate commands from `buildah push/pull`
to allow for an easier usage and prevent the
implementations from undesired (future) interference
Further note: also vendor in c/image@master which ships a required fix.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Simple update due to master->main rename. The only functional change is
to only run the workflow on weekdays. Nobody's around on the weekend to
respond anyway.
Signed-off-by: Chris Evich <cevich@redhat.com>
At some point code from buildah/pkg/parse we copied into
containers/common/pkg/parse. Buildah should use the new code
now, so that we only have to make changes in one place.
[NO TESTS NEEDED] Since there is no new code added.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Ed Santiago
OpenShift Merge Robot
Daniel J Walsh
dependabot[bot]
Chris Evich
Hironori Shiina
Nalin Dahyabhai
Valentin Rothberg
stevegt
Wong Hoi Sing Edison
Jan Luebbe