Allow the ssh socket from the host, or certain ssh keys, to be exposed to a
certain RUN instruction, but not any other instructions, as well as not
showing up in the final image.
This is done by spawning a new agent from buildah and mounting
the listening socket inside the run. SSH_AUTH_SOCK inside the container
will be set to the socket mountpoint. The default mountpoint is
/run/buildkit/ssh_agent.{i}
Signed-off-by: Ashley Cui <acui@redhat.com>
We want Info, Warning and Debug logrus messages to be written to the
buildah stderr. This way, when podman-remote is using build, it will
get the messages back on the client side.
[NO TESTS NEEDED] Since this will be tested in Podman.
Fixes: https://github.com/containers/buildah/issues/3214
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add support for secrets. Secrets is a two-part flag that allows secret files to
be accessed for a certain RUN instruction, but not any other
instructions, as well as not showing up in the final image.
Signed-off-by: Ashley Cui <acui@redhat.com>
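The --ssh and --secret commits above both address the same failure mode: credentials that are COPY'd into the build context or set with ENV end up in a layer or in the image config, whereas a RUN --mount=type=secret or --mount=type=ssh exposes them to that one instruction only. The Go program below is an added example, not buildah code: a small Containerfile linter that flags the first pattern and lists the RUN instructions that use the mount form. The credential name patterns, the sample Containerfile and the build invocation in the comment are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// instruction is one logical Containerfile instruction after joining
// backslash continuations; Line is the first physical line number (1-based).
type instruction struct {
	Line int
	Text string
}

// Finding describes one instruction that would bake credentials into the image.
type Finding struct {
	Line int
	Why  string
}

// secretLike matches names that commonly carry credentials. The list is an
// assumption made for this example, not buildah's own logic.
var secretLike = regexp.MustCompile(`(?i)(id_rsa|id_ed25519|id_ecdsa|\.pem\b|\.key\b|passw|token|secret|\.netrc|\.npmrc|\.pypirc)`)

// mountFlag matches the mount types buildah accepts on RUN for build secrets.
var mountFlag = regexp.MustCompile(`--mount=type=(secret|ssh)\b`)

// parse splits a Containerfile into logical instructions, dropping comments
// and blank lines and joining lines that end in a backslash.
func parse(src string) []instruction {
	var out []instruction
	var cur *instruction
	for i, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if cur == nil {
			if line == "" || strings.HasPrefix(line, "#") {
				continue
			}
			cur = &instruction{Line: i + 1}
		}
		if strings.HasSuffix(line, "\\") {
			cur.Text += strings.TrimSuffix(line, "\\") + " "
			continue
		}
		cur.Text += line
		out = append(out, *cur)
		cur = nil
	}
	if cur != nil {
		out = append(out, *cur)
	}
	return out
}

// LintContainerfile returns the instructions that persist credentials in a
// layer or in the image config, and the line numbers of RUN instructions that
// consume secrets the safe way (--mount=type=secret or --mount=type=ssh).
func LintContainerfile(src string) (findings []Finding, mounted []int) {
	for _, ins := range parse(src) {
		fields := strings.Fields(ins.Text)
		if len(fields) < 2 {
			continue
		}
		switch strings.ToUpper(fields[0]) {
		case "COPY", "ADD":
			// every argument except the last (the destination) is a source path
			for _, arg := range fields[1 : len(fields)-1] {
				if strings.HasPrefix(arg, "--") {
					continue // --chown=..., --from=... and similar flags
				}
				if secretLike.MatchString(arg) {
					findings = append(findings, Finding{Line: ins.Line,
						Why: fmt.Sprintf("%s copies %q into a layer; it stays in the image even if a later RUN deletes it", fields[0], arg)})
					break
				}
			}
		case "ENV", "ARG":
			name := strings.SplitN(fields[1], "=", 2)[0]
			if secretLike.MatchString(name) {
				findings = append(findings, Finding{Line: ins.Line,
					Why: fmt.Sprintf("%s %s persists in the image config or history", fields[0], name)})
			}
		case "RUN":
			if mountFlag.MatchString(ins.Text) {
				mounted = append(mounted, ins.Line)
			}
		}
	}
	return findings, mounted
}

// SampleContainerfile is constructed for this example. The matching build
// invocation is assumed to be:
//   buildah bud --secret id=npmrc,src=$HOME/.npmrc --ssh default .
const SampleContainerfile = `FROM registry.fedoraproject.org/fedora:latest
# wrong: key material becomes part of a layer
COPY id_rsa /root/.ssh/id_rsa
# wrong: the token lands in the image config
ENV GITHUB_TOKEN=ghp_exampleonly
# right: the agent socket is visible only to this RUN
RUN --mount=type=ssh git clone git@github.com:example/private.git /src
# right: the file is visible only to this RUN and is not in the final image
RUN --mount=type=secret,id=npmrc,dst=/root/.npmrc \
    npm --prefix /src install
`

func main() {
	findings, mounted := LintContainerfile(SampleContainerfile)
	for _, f := range findings {
		fmt.Printf("line %d: %s\n", f.Line, f.Why)
	}
	fmt.Printf("RUN instructions using --mount=type=secret/ssh: %v\n", mounted)
}
```

The linter deliberately does not treat a later `RUN rm /root/.ssh/id_rsa` as a fix: the COPY layer is still part of the image, which is exactly why the mount form exists.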
We want to shrink the size of the import when importing pkg from
buildah. This should help us shrink the size of the golang bindings
in podman.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
What `go tool dist list` says the toolchain supports changes, so this
change removes these attempted cross-compile build targets.
* GOOS=darwin, GOARCH unspecified
* GOOS=darwin, GOARCH=386
Replace our use of slices of
github.com/opencontainers/runc/libcontainer/configs.Device structures
with a locally-defined type alias so that we can avoid importing the
package on non-Unixy systems. The result is not going to be a very
useful binary on non-Linux systems, but it helps ensure that our
subpackages won't break compilation for other projects who consume us as
a library.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Some Dockerfiles (fuse-overlay) require additional devices to be in the
build environment.
This patch allows the user to specify additional devices.
Also I noticed that CapAdd and CapDrop were not working in buildah bud situations,
so this patch also fixes this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1820
Approved by: @TomSweeneyRedHat
the podman remote-client for windows pulls in some buildah code for
things like commit and build. we need to perform some slight
refactoring of buildah code to accommodate that build.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1551
Approved by: rhatdan
This will make vendoring in pkg/unshare easier into other
packages like skopeo.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1532
Approved by: TomSweeneyRedHat
- pass all proxy env vars
- --http-proxy option for bud and from
- bash_completion and docs
Signed-off-by: James Cassell <code@james.cassell.me>
Closes: #1525
Approved by: giuseppe
Use --dns* flags to change /etc/resolv.conf in the container during the build.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Closes: #1491
Approved by: rhatdan
We don't want to vendor anything from libpod into Buildah.
We want to switch this around. Moving pkg content from libpod
to Buildah allows us to fix this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1400
Approved by: giuseppe
The {Add,Del}NetworkList APIs were extended with a context parameter,
which require adjustments in the code.
Fixes: #1433
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Closes: #1434
Approved by: rhatdan
If --net is not specified, default to using the host network namespace.
It is still possible to use slirp4netns with --network container.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1690209
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1421
Approved by: rhatdan
It significantly improves the performance of the slirp4netns network:
777bdcccef (iperf3-netns---host)
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1404
Approved by: vrothberg
setup.rpm attempts to modify /etc/hosts, if it thinks
it has never been modified. By adding a #comment to the
front of the file, it should prevent this from blowing up
the build.
Also add the hostname to the /etc/hosts file, linked to localhost.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1313
Approved by: vrothberg
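The /etc/hosts workaround above has two parts, a leading comment so that package scripts treat the file as already modified, and a loopback entry for the container hostname. The Go function below is an added example of that transformation, not the buildah code the commit landed; the exact comment text, the loopback address used and the sample host file are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// HostsComment is the marker line this example prepends. The commit does not
// give the text buildah writes, so this wording is an assumption.
const HostsComment = "# Generated by Buildah"

// hasHostname reports whether hostname already appears as a name on some
// non-comment line of an /etc/hosts document.
func hasHostname(content, hostname string) bool {
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		for _, name := range fields[1:] { // fields[0] is the address
			if name == hostname {
				return true
			}
		}
	}
	return false
}

// BuildHosts derives the /etc/hosts content bind-mounted into the build
// container from a copy of the host's file: it prepends a comment line when
// the file does not already start with one (so a script that treats an
// uncommented file as "never modified" leaves it alone) and maps the
// container hostname to the loopback address when it is not listed yet.
// Calling it again on its own output changes nothing.
func BuildHosts(hostHosts, hostname string) string {
	content := strings.TrimRight(hostHosts, "\n")
	if !strings.HasPrefix(strings.TrimLeft(content, " \t"), "#") {
		if content == "" {
			content = HostsComment
		} else {
			content = HostsComment + "\n" + content
		}
	}
	if hostname != "" && !hasHostname(content, hostname) {
		content += "\n127.0.0.1 " + hostname
	}
	return content + "\n"
}

// SampleHostHosts is a constructed copy of a host's /etc/hosts with no comment.
const SampleHostHosts = "127.0.0.1 localhost localhost.localdomain\n::1 localhost6\n"

func main() {
	fmt.Print(BuildHosts(SampleHostHosts, "builder"))
}
```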
Starting to remove dependency on libpod from buildah.
secrets is used so that builds can access RHEL subscriptions
so this makes more sense to be in buildah than libpod.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1366
Approved by: vrothberg
For some reason, the CI does not report any of these; on macOS
I see many more reports (including complaints about the standard
library). This only cleans up the trivial cases.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #1365
Approved by: rhatdan
When reading the last of the output from a child process, ignore an EIO,
since we already got the HUP indication.
Avoid double-logging errors in our I/O loop when using isolation other
than chroot (spotted by @afbjorklund).
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1273
Approved by: rhatdan
This will get buildah bud to follow docker build handling of
hostname environment variable and hostname command properly
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1242
Approved by: giuseppe
runc has a good "auto detect" mode to find out when it is running in
rootless mode. It also makes it easier to plug in another OCI runtime,
since --rootless is not part of the OCI specs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: TomSweeneyRedHat
Change the logic for bind mounting /etc/hosts and /etc/resolv.conf in
the container. Now they are not bind mounted when they are specified
as volumes, so it is still possible to have them writeable in the
container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1156
Approved by: rhatdan
If slirp4netns is available, use it to configure the network for the
rootless isolation mode.
Closes: https://github.com/containers/buildah/issues/1139
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1156
Approved by: rhatdan
When changing settings for rootless containers, only discard the part of
the networking configuration that specifies which networks we want to
configure, and preserve whether or not we want to use the host's network
namespace.
If we were told to create an empty network namespace or to just attach
to another namespace, go ahead and try to do that.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1146
Approved by: rhatdan
Only set up bind mounts of copies of the host's /etc/hosts and
/etc/resolv.conf files if we're not just going to create a new,
unconfigured network namespace.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1146
Approved by: rhatdan
Break setup for built-in volumes into independent steps where we create
the volume's mount point, the directory that will hold its contents, and
if there is content under the mount point, populate the volume with the
mount point's contents.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1126
Approved by: rhatdan
ReserveSELinuxLabels() checks if an error returned by OpenBuilder() is a
does-not-exist error, but OpenBuilder() returns wrapped errors now, and
it wasn't checking the root cause error.
When newBuilder() fails, check the right error value when deciding
whether or not deleting the partially-constructed container failed.
OpenBuildersByPath() shouldn't choke on non-buildah containers, so have
it handle does-not-exist errors the same way OpenAllBuilders() does.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1109
Approved by: rhatdan
--no-pivot: "do not use pivot root to jail process inside rootfs.
This should be used whenever the rootfs is on top of a ramdisk"
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
Closes: #1071
Approved by: rhatdan
Make sure that when attempting to diagnose an error, if we encounter an
error during the diagnostic attempt, we return the original error rather
than the error encountered in trying to diagnose it. Log that one.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1072
Approved by: rhatdan
When creating a building VOLUME for a container we need to create it
with the ownership/permissions of the directory that we will be mounting on.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We need to be able to run sudo commands inside of Dockerfiles
even when containers are set up with non root.
This patch retains the bounding set for containers run with non root user.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1001
Approved by: vrothberg
When seccomp is not enabled, make sure to clear any default setting
which runtime-tools supplied for us. Likewise, if SELinux is not
enabled, don't set a process label or a mount label.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #988
Approved by: rhatdan
When we're polling to handle stdio for a container, when we detect a HUP
on our stdin, read all that we can from stdin before closing it, instead
of reading only, at most, a single chunk of bytes.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #980
Approved by: rhatdan
Make the chroot() call before applying a seccomp filter, which might not
allow us to do it. Add more debugging messages.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #979
Approved by: rhatdan
When running outside of a container, --no-pivot isn't necessary, and
when running inside of a container, it's not enough to solve any of the
difficulties we're seeing there. It may trigger an EPERM for unshare()
calls inside of the container that we launch, and we don't want that, so
drop it, for now at least.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #921
Approved by: rhatdan
Add an IsolationOCIRootless that runs the OCI runtime with its
--rootless flag, with network and UTS namespaces disabled, with IPC,
PID, and user namespaces forcibly enabled. In this mode, we don't
attempt to set the container's hostname (because we don't have our own
UTS namespace), and we don't try to set any supplemental groups. The
/sys directory is replaced with a bind mount of the host's /sys rather
than a fresh sysfs instance.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #873
Approved by: rhatdan
Add a new Isolation value: IsolationOCIRootless, for which we add a
global --rootless=true flag and a local --no-new-keyring flag when
creating a runtime container, and make some changes to the mounts list,
default namespacing configurations, and supplemental groups list.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #873
Approved by: rhatdan
Add an IsolationChroot that trades flexibility and isolation for being
able to do what it does in a host environment that's already isolated to
the point where we're not allowed to set up some of that isolation,
producing a result that leans more toward chroot(1) than runc(1) does.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #836
Approved by: rhatdan
Before calling runCollectOutput() to read error information from pipes,
make sure we've closed our handles to the writing ends of the pipes.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #872
Approved by: rhatdan
/proc/acpi allows containers to modify certain settings on the host, without
SELinux enabled.
/proc/keys allows information about keys on the host to leak into the containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #853
Approved by: rhatdan
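The commit above adds /proc/acpi and /proc/keys to the paths masked in the build container's OCI runtime spec. The Go program below is an added example, not buildah code: it reads an OCI config.json, reports which of the expected masked paths are absent, and returns a copy of the config with them added, which is the check a practitioner can run against the config.json a runtime was handed. The list of default masked paths beyond the two from the commit, and the sample config, are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// RequiredMasked lists the /proc and /sys entries that should be masked in a
// build container's OCI runtime config. /proc/acpi and /proc/keys are the two
// the commit above adds; the rest are the usual runtime-tools defaults and are
// an assumption made for this example.
var RequiredMasked = []string{
	"/proc/acpi",
	"/proc/keys",
	"/proc/kcore",
	"/proc/latency_stats",
	"/proc/timer_list",
	"/proc/timer_stats",
	"/proc/sched_debug",
	"/sys/firmware",
}

// MissingMaskedPaths parses an OCI runtime config.json and returns the
// RequiredMasked entries absent from linux.maskedPaths, in list order.
// Entries under linux.readonlyPaths do not count: a read-only /proc/keys
// still leaks the host's key descriptions.
func MissingMaskedPaths(config []byte) ([]string, error) {
	var cfg struct {
		Linux struct {
			MaskedPaths []string `json:"maskedPaths"`
		} `json:"linux"`
	}
	if err := json.Unmarshal(config, &cfg); err != nil {
		return nil, fmt.Errorf("parsing config.json: %w", err)
	}
	masked := make(map[string]bool, len(cfg.Linux.MaskedPaths))
	for _, p := range cfg.Linux.MaskedPaths {
		masked[p] = true
	}
	var missing []string
	for _, p := range RequiredMasked {
		if !masked[p] {
			missing = append(missing, p)
		}
	}
	return missing, nil
}

// WithMaskedPaths returns config with every missing RequiredMasked entry
// appended to linux.maskedPaths. Other fields are carried through as raw
// JSON so the result can be written back as the container's config.json.
func WithMaskedPaths(config []byte) ([]byte, error) {
	missing, err := MissingMaskedPaths(config)
	if err != nil {
		return nil, err
	}
	if len(missing) == 0 {
		return config, nil
	}
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(config, &doc); err != nil {
		return nil, err
	}
	linux := map[string]json.RawMessage{}
	if raw, ok := doc["linux"]; ok {
		if err := json.Unmarshal(raw, &linux); err != nil {
			return nil, fmt.Errorf("parsing linux section: %w", err)
		}
	}
	var masked []string
	if raw, ok := linux["maskedPaths"]; ok {
		if err := json.Unmarshal(raw, &masked); err != nil {
			return nil, fmt.Errorf("parsing maskedPaths: %w", err)
		}
	}
	masked = append(masked, missing...)
	mb, err := json.Marshal(masked)
	if err != nil {
		return nil, err
	}
	linux["maskedPaths"] = mb
	lb, err := json.Marshal(linux)
	if err != nil {
		return nil, err
	}
	doc["linux"] = lb
	return json.MarshalIndent(doc, "", "  ")
}

// SampleConfig is a constructed, trimmed-down config.json in which only the
// runtime-tools defaults are masked.
const SampleConfig = `{
  "ociVersion": "1.0.2",
  "process": {"args": ["/bin/sh"], "cwd": "/"},
  "root": {"path": "rootfs"},
  "linux": {
    "maskedPaths": ["/proc/kcore", "/proc/latency_stats", "/proc/timer_list",
                    "/proc/timer_stats", "/proc/sched_debug", "/sys/firmware"],
    "readonlyPaths": ["/proc/asound", "/proc/bus", "/proc/fs", "/proc/irq",
                      "/proc/sys", "/proc/sysrq-trigger"]
  }
}`

func main() {
	missing, err := MissingMaskedPaths([]byte(SampleConfig))
	if err != nil {
		panic(err)
	}
	fmt.Println("not masked:", missing)
	fixed, err := WithMaskedPaths([]byte(SampleConfig))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(fixed))
}
```

Masking (a bind mount of /dev/null or an empty tmpfs over the path) is the right control here rather than a read-only mount, because the concern with /proc/keys is disclosure, not modification.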