Commit Graph

289 Commits

Author SHA1 Message Date
Nalin Dahyabhai 96e8e9710c pkg/overlay: add a MountLabel flag to Options
Add a way to pass a "set the SELinux contexts" labels to
MountWithOptions.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: David Shea <dshea@redhat.com>
2025-01-21 10:28:44 -05:00
Nalin Dahyabhai 0d125ad3cd pkg/overlay: add a ForceMount flag to Options
Add a ForceMount flag to pkg/overlay.Options that forces mounting the
overlay filesystem and returning a bind mount to it instead of trying to
leave that for later in cases where we're able to have the kernel do it.

This is mainly for the sake of callers that want to do more things with
the mounted overlay filesystem before passing them to the (presumably)
OCI runtime.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: David Shea <dshea@redhat.com>
2025-01-21 10:22:32 -05:00
Aditya R 821c100105 build, multiarch: support splitting build logs for --platform
Support splitting build logs for multi-arch builds ( `--platform` ) by
using `--logfile` and `--logsplit` which splits generated log file in the
convention `${file}_${platform_os}_${platform_arch}`.

Closes: https://github.com/containers/buildah/issues/3960

Signed-off-by: Aditya R <arajan@redhat.com>
2022-08-03 12:23:34 -04:00
Aditya R 7bc3d99f8a build, commit: allow disabling image history with --omit-history
As per `OCI` `image-spec` setting history is optional so buildah must
support these use-cases via `--omit-history=true` some of the use-cases
are discussed below.

* There are use-cases when image-spec contributes to the image size by
  adding build history to image-spec in certain use-cases this image
  history is not required by the end-users but there is no way to remove
  it. See: https://github.com/containers/buildah/issues/3513

* Certain build tools don't honor setting build history in image spec
  however buildah does not allow processing images without build history
  since setting build history is still optional as per `OCI` image-spec
  (https://github.com/opencontainers/image-spec/blob/main/config.md#properties)
  so buildah must support such use-cases.

Closes: https://github.com/containers/buildah/issues/4025
Closes: https://github.com/containers/buildah/issues/3513

Signed-off-by: Aditya R <arajan@redhat.com>
2022-08-03 11:51:58 -04:00
Aditya R d64f253500 buildkit: supports additionalBuildContext in builds via --build-context
As builds got more complicated, the ability to only access files from one location became quite limiting. With `multi-stage` builds where you can `copy` files from other parts of the Containerfile by adding the `--from` flag and pointing it to the name of another Containerfile stage or a remote image.

The new named build context feature is an extension of this pattern. You can now define additional build contexts when running the build command, give them a name, and then access them inside a Dockerfile the same way you previously did with build stages.

Additional build contexts can be defined with a new `--build-context [name]=[value]` flag. The key component defines the name for your build context and the value can be:

* Local directory – e.g. `--build-context project2=../path/to/project2/src`
* HTTP URL to a tarball – e.g. `--build-context src=https://example.org/releases/src.tar`
* Container image – Define with a `docker-image://` prefix, e.g. `--build-context alpine=docker-image://alpine:3.15` (also supports `docker://`, `container-image://`)

On the Containerfile side, you can reference the build context on all commands that accept the “from” parameter. Here’s how that might look:
```Dockerfile
FROM [name]
COPY --from=[name] ...
RUN --mount=from=[name] …
```

The value of [name] is matched with the following priority order:

* Named build context defined with `--build-context [name]=..`
* Stage defined with `AS [name]` inside Dockerfile
* Remote image `[name]` in a container registry

Added Features

* Pinning images for `FROM` and `COPY`
* Specifying multiple buildcontexts from different projects
  and using them with `--from` in `ADD` and `COPY` directive
* Override a Remote Dependency with a Local One.
* Using additional context from external `Tar`

Signed-off-by: Aditya R <arajan@redhat.com>
2022-08-03 11:50:45 -04:00
Daniel J Walsh a25837194a Add --cpp-flag flag to buildah build
Allow users to pass in CPP flags to the C Preprocessor.

Fixes: https://github.com/containers/buildah/issues/3816

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-08-03 11:35:53 -04:00
Aditya R 5d7dde01af
buildah: add support for renaming a device in rootless setups
Buildah now supports renaming devices while performing a build using
`--device <some-name>:<new-name>`. Implementation is similar to `podman`
where we prefer using `bind-mount` for devices instead of `mknod` in
`rootless` setups.

Usage
```console
buildah build -t test --device /dev/null:/test/dev/null .
```

Closes: https://github.com/containers/buildah/issues/4002

Signed-off-by: Aditya R <arajan@redhat.com>
2022-06-29 12:19:21 +05:30
Nalin Dahyabhai 08bd38f5f8 help output: get more consistent about option usage text
Make more of our usage information in --help output consistent with
itself, i.e., initial lower case.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2022-05-03 16:11:26 -04:00
Nalin Dahyabhai 1680e26eb4 Handle OS version and features flags
Teach `buildah build` and `buildah config` about the OS version and
features fields.  We don't tend to use them on Linux, but they're in the
OCI and Docker config structures, so we need to be able to preserve and
manipulate their values, much as we do for variant information.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2022-05-03 16:11:25 -04:00
Nalin Dahyabhai 4be3b7dec9 buildah build: add a --env
Add a `--env` option to `buildah build` that functions similarly to the
`buildah config --env` option, to complement `buildah build`'s
`--unsetenv` option.

Document that `buildah config`'s `--env` function fetches the current
value for a variable when the name is supplied, but no `=` or value
follows it.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2022-05-03 16:08:18 -04:00
Aditya R d0336f2147
buildkit: add support for custom build output with --output
Allows end-users to export final build content or rootfs to external formats.

By default, a local container image is created from the build result. The --output (or -o) flag allows you to override this behavior, and specify a custom exporter. For example, custom exporters allow you to export the build artifacts as files on the local filesystem instead of a Container image, which can be useful for generating local binaries, code generation etc.

The value for --output is a CSV-formatted string defining the exporter type and options. Currently, local and tar exporters are supported. The local exporter writes the resulting build files to a directory on the client side. The tar exporter is similar but writes the files as a single tarball (.tar).

```console
buildah build --output type=local,dest=dir .
buildah build --output type=tar,dest=rootfs.tar .
buildah build -o dir .
```
Reference: https://docs.docker.com/engine/reference/commandline/build/#custom-build-outputs

Signed-off-by: Aditya R <arajan@redhat.com>
2022-04-29 21:44:38 +05:30
Chris Evich 68395f9beb
fix staticcheck linter warning for deprecated function
Port of fix from podman-land:
62f4ae98fb

Thanks to pholzing@redhat.com for figuring this out.

[NO NEW TESTS NEEDED]

Signed-off-by: Chris Evich <cevich@redhat.com>
2022-04-28 10:37:33 -04:00
Navid Yaghoobi 9879c18473 using consistent lowercase 'invalid' word in returned err msg
Signed-off-by: Navid Yaghoobi <n.yaghoobi.s@gmail.com>
2022-04-23 18:30:08 +10:00
Aditya R e81dd7983c
build, commit: allow removing default identity labels
Allow end users to remove default identity labels if they want to.
Since there are instances where images can be reproduced across version
hence users must have option to suppress default labels.

Closes: https://github.com/containers/buildah/issues/3826

Signed-off-by: Aditya R <arajan@redhat.com>
2022-04-04 11:07:01 +05:30
Aditya R 843cbe7813
parse: convert exposed GetVolumes to internal only
Implementation of `GetVolumes` seems to be changing with addition of new
features hence moving it from exposed parse package to internal parse
package and move needed helpers with it.

Signed-off-by: Aditya R <arajan@redhat.com>
2022-03-21 10:02:07 +05:30
Aditya R a4c57068fa
buildkit: mount=type=cache support locking external cache store
A shared cache on host must support locking so other parallel/concurrent builds
will wait for current executing RUN statement to finish.

* Locks the cache store as soon as RUN is triggered.
* Locked target is added to cleanup list so it can be unlocked as soon
  as RUN step is completed.

Signed-off-by: Aditya R <arajan@redhat.com>
2022-03-21 10:02:00 +05:30
Daniel J Walsh deb9c69efe
Add --no-hosts flag to eliminate use of /etc/hosts within containers
Users want to turn off addition of /etc/hosts file while building
container images, this would allow them to customize the /etc/hosts
file within the image.

Fixes: https://github.com/containers/buildah/issues/3808

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-03-10 08:52:28 -05:00
Valentin Rothberg d9b3a185ca use c/image/pkg/blobcache
Buildah's pkg/blobcache has been moved into containers/image [1] to
consolidate implementations of interfaces such as image destinations
and image sources.

Since there are no functional changes: [NO NEW TESTS NEEDED]

[1] https://github.com/containers/image/pull/1459

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2022-03-02 09:55:16 +01:00
Giuseppe Scrivano 4d0eb18796
overlay: always honor mountProgram
if a mountProgram is specified, use it also in rootfull mode.

Closes: https://github.com/containers/buildah/issues/3281

[NO NEW TESTS NEEDED]

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-01-27 12:14:42 +01:00
Giuseppe Scrivano 5a25fc6f83
overlay: move mount program invocation to separate function
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-01-27 11:01:55 +01:00
Giuseppe Scrivano a0d3ce33eb
overlay: move mount program lookup to separate function
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-01-27 11:00:55 +01:00
OpenShift Merge Robot 7fc46fca02
Merge pull request #3713 from abergmeier/systemflag
Allow processing of SystemContext from FlagSet
2022-01-26 18:36:15 +01:00
OpenShift Merge Robot bed25d00cc
Merge pull request #3720 from Luap99/networks
buildah build --network add support for custom networks
2022-01-25 19:47:44 -05:00
Paul Holzinger 08d636a28b
buildah bud --network add support for custom networks
The backend logic already supports specifying custom network names. This
only adds the support for the frontend parsing.

Fixes containers/podman#12282

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-01-25 21:02:43 +01:00
tomsweeneyredhat 8c250d495d Make pull commands be consistent
Per @edsantiago 's suggestion, make the pull commands consistent, always
accepting a value.  Currently we have:

--pull
--pull=true
--pull=false
--pull-never
--pull-always

With this change, we will only have pull with a variety of options,
ala:

--pull
--pull=true
--pull=false
--pull=never
--pull=always

For backward compatibility, the --pull-never and --pull-always
options will remain operational, however they are not documented
and are considered deprecated.

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
2022-01-25 12:13:44 -05:00
Daniel J Walsh 3b16a70308
Merge branch 'main' into systemflag 2022-01-21 13:25:31 -05:00
Aditya R 316e34d268
mount: add support for custom upper and workdir with overlay mounts
Allow users to specify non-volatile `upper` and `workdir` with overlay
mounts.

Usage

```console
buildah from alpine
buildah run -v /something/lower:/test:z,O,upperdir=/somewhere/upperdir,workdir=/somwhere/workdir alpine-working-container cat /test/hello
```

Signed-off-by: Aditya R <arajan@redhat.com>
2022-01-20 21:35:34 +05:30
Aditya Rajan db6943a170
overlay: add MountWithOptions to API which extends support for advanced overlay
Expose `MountWithOptions` for overlay which allows users to pass more
verbose configuration for overlay mounts.

For instance `upperdir, workerdir` and in future `volatile`.

Signed-off-by: Aditya R <arajan@redhat.com>
2022-01-20 14:54:02 +05:30
Andreas Bergmeier ea0506a494 Allow processing of SystemContext from FlagSet
In situations where you don't want/need Cobra climbing behavior nor
Cobra at all using FlagSet is the easier sell.

Signed-off-by: Andreas Bergmeier <abergmeier@gmx.net>
2022-01-18 22:48:37 +01:00
Kir Kolyshkin b03327d2a4 all: fix gosimple warning S1039
AKA "unnecessary use of fmt.Sprintf (gosimple)"

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-18 12:56:34 -08:00
Andreas Bergmeier a9351b260a Allow processing of id options from FlagSet
In situations where you don't want/need Cobra climbing behavior nor
Cobra at all using FlagSet is the easier sell.

Signed-off-by: Andreas Bergmeier <abergmeier@gmx.net>
2022-01-12 20:14:46 +01:00
Andreas Bergmeier ba3bd6ccec Allow processing of network options from FlagSet
In situations where you don't want/need Cobra climbing behavior nor
Cobra at all using FlagSet is the easier sell.

Signed-off-by: Andreas Bergmeier <abergmeier@gmx.net>
2022-01-11 21:29:28 +01:00
OpenShift Merge Robot 50498dfaa0
Merge pull request #3692 from abergmeier/patch-1
Allow processing of common options via FlagSet
2022-01-11 15:14:09 +01:00
Andreas Bergmeier 2a32f0bacd Allow processing of common options from FlagSet
In situations where you don't want/need Cobra climbing behavior nor
Cobra at all using FlagSet is the easier sell.

Signed-off-by: Andreas Bergmeier <abergmeier@gmx.net>
2022-01-10 21:47:07 +01:00
Paul Holzinger d7ccff3edb
Fix default CNI paths
We need to use the default from containers.conf and not hardcode them in
buildah. This fixes an issue with the cni network backend since it would
try to access /etc/cni/net.d/ even as rootless user. This regression was
introduced in commit f9cff07b81.

Also hide the cni flags as we do not expect users to change this. The
recommended way is to change them in containers.conf.

[NO NEW TESTS NEEDED]

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-01-10 15:49:43 +01:00
Aditya Rajan 719b660462
buildkit: add from field to bind and cache mounts so images can be used as source
Following commit adds buildkit like support for `from` field to `--mount=type=bind`
and `--mount=type=cache` so images and stage can be used as mount source.

Usage looks like
```dockerfile
RUN --mount=type=bind,source=.,from=<your-image>,target=/path ls /path
```
and
```dockerfile
RUN --mount=type=cache,from=<your-image>,target=/path ls /path
```

Signed-off-by: Aditya Rajan <arajan@redhat.com>
2022-01-08 16:58:38 +05:30
Aditya Rajan 93474047a2
parse: allow parsing anomaly non-human value for memory control group
Memory control group accepts an anomaly value of `-1` for setting `swap` to unlimited.
Buildah must accept this value if specified.

Reference: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#memory

Signed-off-by: Aditya Rajan <arajan@redhat.com>
2021-12-16 17:29:08 +05:30
Daniel J Walsh b480ce832f
Turn on rootless cgroupv2 tests
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-11-30 10:24:01 -05:00
Daniel J Walsh 05d5d22dc6
Grab all of the containers.conf settings for namespaces.
Buildah is mainly building with Host Namespaces, this changes most
namespaces to be private matching Podman and using containers.conf

Fixes: https://github.com/containers/buildah/issues/3634

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-11-30 10:24:00 -05:00
Nalin Dahyabhai 785b3bf30a image: set MediaType in OCI manifests
In image-spec 1.0.2, the MediaType field is now available in OCI
manifests, so set it.

Update the imgtype helper to output the MediaType field as-is from OCI
image manifests instead of just always supplying the expected value.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2021-11-29 20:04:09 -05:00
Aditya Rajan b74d71d574
ssh-agent: Increase timeout before we explicitly close connection
There are cases where remote will close connection by itself with a message
make sure we give connection enough time instead of closing explicitly
early.

Future improvement: Relay output and perform close instead of relying on  `ServeAgent` to flush
buffer by closing connection.

[NO NEW TESTS NEEDED]

Signed-off-by: Aditya Rajan <arajan@redhat.com>
2021-11-17 15:05:37 +05:30
Daniel J Walsh a5d9f1cb28
Add --unsetenv option to buildah commit and build
This option will allow users to remove environment variables from the
final image.

Fixes: https://github.com/containers/buildah/issues/3512

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-11-09 16:17:21 -05:00
OpenShift Merge Robot ecd74746cc
Merge pull request #3598 from ashley-cui/envs
Add support for env var secret sources
2021-10-31 09:58:44 +00:00
Aditya Rajan 8ba02cde81
networkpolicy: Should be enabled instead of default when explicitly set
NetworkPolicy should be set as NetworkEnabled when explicitly specified using
`--network` instead of silently marking it as NetworkDefault.

NetworkDefault is equivalent to NetworkEnabled but we can use
NetworkEnabled to verify if user explicitly used `--network` and prevent
override from builder configs.

Signed-off-by: Aditya Rajan <arajan@redhat.com>
2021-10-27 14:49:56 +05:30
Ashley Cui 326edb312e Add support for env var secret sources
Run secrets can now be created from an environment variable. The
environment variable is read and is briefly stored as a file on /dev/shm
when it's being used, and the file is removed after the RUN command is
finished.

Fixes: #3524

Signed-off-by: Ashley Cui <acui@redhat.com>
2021-10-26 13:18:00 -04:00
chenk008 03186a3307 Support overlayfs path contains colon
In Linux, a directory can contain a colon.
Add support for mount paths that contain a colon.

buildah run --volume /root/a\\:b:/root/test:O

Signed-off-by: chenk008 <kongchen28@gmail.com>
2021-10-20 14:40:38 +08:00
Daniel J Walsh a8b15f8d45
Report ignorefile location when no content added
Users have accidentally had a .containerignore or .dockerignore
file in their context directly which blocked all content.
Currently we report that no globs matched, but do not
identify where the globs came from.

This change is an attempt to add this data to the error.
Example: https://github.com/containers/buildah/issues/3318

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-10-15 05:14:07 -04:00
Aditya Rajan fc69aa68c2
buildkit: add support for mount=type=cache
Following PR introduces a new mount type=cache in parity to buildkit
which allows users to share persistent cache between different builds.

Allowing users to cache content generated by business logic or enhance
build performance by caching components across builds.

Signed-off-by: Aditya Rajan <arajan@redhat.com>
2021-10-14 16:07:11 +05:30
Aditya Rajan 70cfc09f7b
mount: add tmpcopyup to tmpfs mount option
Signed-off-by: Aditya Rajan <arajan@redhat.com>
2021-10-08 17:25:40 +05:30
Aditya Rajan f0d3140e5a
build: Add support for buildkit like --mount=type=bind
Following commit adds support for using buildkit like
`--mount=type=bind` with `RUN` statements. Mounts created by `--mount`
are transient in nature and only scoped to current RUN statements.

Signed-off-by: Aditya Rajan <arajan@redhat.com>
2021-10-06 13:45:53 +05:30