Commit Graph

48 Commits

Author SHA1 Message Date
tomsweeneyredhat c939b9307c [release-1.29] Bump to Buildah v1.29.5
Bump to Buildah v1.29.5.  This will contain a fix for CVE-2024-11218 and
will be vendored into the Podman 4.4-rhel release branch to address the
issue there for RHEL 8.6, RHEL 9.0, and a variety of OCP versions.

[NO NEW TESTS NEEDED]

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
2025-02-06 15:29:02 -05:00
Nalin Dahyabhai 30ac3fabe8
define.TempDirForURL(): always use an intermediate subdirectory
Ensure that the temporary directory that we create is never itself the
top-level directory of the content that we're downloading, in case it's
an archive which includes a "." with weird permissions.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: David Shea <dshea@redhat.com>
2025-02-06 09:52:25 -05:00
David Shea 0175881927 [release-1.29] Bump to v1.29.4
Signed-off-by: David Shea <dshea@redhat.com>
2024-10-17 14:53:22 -04:00
tomsweeneyredhat 79aede6205 [release-1.29] Bump to v1.29.3
As the title says.

[NO NEW TESTS NEEDED]

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
2024-03-26 16:37:56 -04:00
Nalin Dahyabhai b98e39b006 Bump version to v1.29.2
[NO NEW TESTS NEEDED]

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2023-10-31 09:30:28 -04:00
tomsweeneyredhat faf0d4fcba [release-1.29] Bump to Buildah v1.29.1
As the title says.  In preparation for RHEL 8.8/9.2

[NO NEW TESTS NEEDED]

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
2023-02-15 16:11:40 -05:00
tomsweeneyredhat 94b723cb5b Bump to v1.29.0
As the title says.

[NO NEW TESTS NEEDED]

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
2023-01-25 18:22:54 -05:00
Chris Evich 46eea31588
Replace io/ioutil calls with os calls
In golang 1.19, `io/ioutil` is fully deprecated preventing Buildah from
compiling.  Replace all calls with equivalent calls from the `os`
package.

Signed-off-by: Chris Evich <cevich@redhat.com>
2022-12-06 14:29:32 -05:00
Doug Rabson 5e792e97b0 version: Bump to 1.29.0-dev
[NO TESTS NEEDED]

Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-11-30 11:25:31 +00:00
Daniel J Walsh eae3415b1e
Bump to v1.28.1-dev
[NO TESTS NEEDED]

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-09-30 21:38:43 -04:00
Daniel J Walsh 79f41e3235
Bump to v1.28.0
[NO TESTS NEEDED]

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-09-30 21:38:43 -04:00
Daniel J Walsh 8d5d763213
Fix stutters
Podman adds an Error: to every error message. So starting an error
message with "error" ends up being reported to the user as

Error: error ...

This patch removes the stutter.

Also ioutil.ReadFile errors report the Path, so wrapping the err message
with the path causes a stutter.

Signed-off-by: Daniel J Walsh dwalsh@redhat.com

[NO NEW TESTS NEEDED]

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-09-19 07:11:44 -04:00
Aditya R 3a6919b5c0 version: bump to 1.28.0-dev
[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]

Signed-off-by: Aditya R <arajan@redhat.com>
2022-08-08 17:09:19 +05:30
Aditya R db8d5921a7 release: tag v1.27.0
* build: support filtering cache by duration using `--cache-ttl`.
* build: support building from commit when using git repo as build context.
* build: clean up git repos correctly when using subdirs.
* build: add support for distributing cache to remote sources using `--cache-to` and `--cache-from`.
* imagebuildah: optimize cache hits for `COPY` and `ADD` instructions.
* build: support OCI hooks for ephemeral build containers.
* build: add support for `--userns=auto`.
* copier: add NoOverwriteNonDirDir option.
* add initial support for building images using Buildah on FreeBSD.
* multistage: this now skips the computing of unwanted stages to improve performance.
* multiarch: support splitting build logs for `--platform` using `--logsplit`.
* build: add support for building images where the base image has no history.
* commit: allow disabling image history with `--omit-history`.
* build: add support for renaming a device in rootless setups.
* build: now supports additionalBuildContext in builds via the `--build-context` option.
* build: `--output` produces artifacts even if the build container is not committed.
* build: now accepts `-cpp-flag`, allowing users to pass in CPP flags when processing a Containerfile with C Preprocessor-like syntax.
* build: now accepts a branch and a subdirectory when the build context is a git repository.
* build: output now shows a progress bar while pushing and pulling images
* build: now errors out if the path to Containerfile is a directory.
* build: support building container images on environments that are rootless and without any valid login sessions.
* fix: `--output` now generates artifacts even if the entire build is cached.
* fix: `--output` generates artifacts only for the target stage in multi-stage builds.
* fix,add: now fails on a bad HTTP response instead of writing to container
* fix,squash: never use build cache when computing the last step of the last stage
* fix,build,run: allow reusing secret more than once in different RUN steps
* fix: compatibility with Docker build by making its --label and --annotate options set empty labels and annotations when given a name but no `=` or label value.

[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]

Signed-off-by: Aditya R <arajan@redhat.com>
2022-08-08 17:09:19 +05:30
Aditya R b218fdf322
build: support building from commit when using git repo as build context
When using URL to a git repo as build context allow specifying `commit`
to make sure specific `commit` is used as the build context.

Examples

```console
buildah build -t test myrepo.git#abcef123
buildah build -t test myrepo.git#abcef123
buildah build -t test myrepo.git#abcef123:somesubdir
```
Closes: https://github.com/containers/buildah/issues/4148

Signed-off-by: Aditya R <arajan@redhat.com>
2022-08-03 18:50:44 +05:30
Nalin Dahyabhai 99488b06f6 build: clean up git repos correctly when using subdirs
When the build context is specified as a subdirectory in a Git
repository, we were cloning the repository to start, but only removing
the subdirectory when we were finished with it.  We should be removing
the whole clone.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2022-08-02 17:33:29 -04:00
Sascha Grunert ce384684c0
Switch to golang native error wrapping
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2022-07-07 11:41:47 +02:00
Aditya R 066b544853
define.downloadToDirectory: fail early if bad HTTP response
Fail early if downloadToDirectory receives bad HTTP response from the
source URL.

Signed-off-by: Aditya R <arajan@redhat.com>
2022-07-01 20:53:03 +05:30
Aditya R 20c5c5c6d8
build, userns: add support for --userns=auto
Buildah now supports `--userns=auto` which can automatically pick an empty range and create a user namespace for the container.

The `--userns=auto` flag requires that the user name containers and a range of subordinate user ids that the build container is allowed to use be specified in the /etc/subuid and /etc/subgid files.

Example: `containers:2147483647:2147483648`.

Buildah allocates unique ranges of UIDs and GIDs from the containers subordinate user ids. The size of the ranges is based on the number of UIDs required in the image. The number of UIDs and GIDs can be overridden with the size option.

Valid auto options:

    * gidmapping=CONTAINER_GID:HOST_GID:SIZE: to force a GID mapping to be present in the user namespace.

    * size=SIZE: to specify an explicit size for the automatic user namespace. e.g. --userns=auto:size=8192. If size is not specified, auto will estimate a size for the user namespace.

    * uidmapping=CONTAINER_UID:HOST_UID:SIZE: to force a UID mapping to be present in the user namespace.

Signed-off-by: Aditya R <arajan@redhat.com>
2022-06-20 13:08:02 +05:30
Aditya R 784a8c4ce2
build: accept branch and subdirectory when context is git repo
When using `build -t <tag> <some-url-to-git-repo>` buildah does not
accept the syntax `url#branch:subdir`. The following commit allows end users to
switch context to any subdirectory in the git repo.

Usage
```console
buildah build -t test 'https://github.com/containers/podman.git#main:contrib/hello'
```

Signed-off-by: Aditya R <arajan@redhat.com>
2022-05-13 21:55:30 +05:30
tomsweeneyredhat 6750810f74 Bump to v1.27.0-dev
As the title says
[NO NEW TESTS NEEDED]

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
2022-05-04 12:28:08 -04:00
tomsweeneyredhat 0a9d6e6eae Bump to v1.26.0
As the title says.

[NO TESTS NEEDED]

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
2022-05-04 12:28:07 -04:00
Aditya R d0336f2147
buildkit: add support for custom build output with --output
Allows end-users to export final build content or rootfs to external formats.

By default, a local container image is created from the build result. The --output (or -o) flag allows you to override this behavior, and specify a custom exporter. For example, custom exporters allow you to export the build artifacts as files on the local filesystem instead of a Container image, which can be useful for generating local binaries, code generation etc.

The value for --output is a CSV-formatted string defining the exporter type and options. Currently, local and tar exporters are supported. The local exporter writes the resulting build files to a directory on the client side. The tar exporter is similar but writes the files as a single tarball (.tar).

```console
buildah build --output type=local,dest=dir .
buildah build --output type=tar,dest=rootfs.tar .
buildah build -o dir .
```
Reference: https://docs.docker.com/engine/reference/commandline/build/#custom-build-outputs

Signed-off-by: Aditya R <arajan@redhat.com>
2022-04-29 21:44:38 +05:30
tomsweeneyredhat 822a288ba9 Bump to v1.26.0-dev
[NO NEW TESTS NEEDED]

As the title says.

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
2022-03-25 10:25:56 -04:00
tomsweeneyredhat cdcaaf51b3 Bump to v1.25.0
[NO NEW TESTS NEEDED]

As the title says.

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
2022-03-25 10:07:31 -04:00
tomsweeneyredhat 97ba8c1bb2 Bump to v1.25.0-dev
[NO TESTS NEEDED]

As the title says.

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
2022-01-26 16:52:23 -05:00
tomsweeneyredhat 29f6b4f706 Bump to v1.24.0
[NO TESTS NEEDED]

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
2022-01-26 16:48:03 -05:00
Paul Holzinger d7ccff3edb
Fix default CNI paths
We need to use the default from containers.conf and not hardcode them in
buildah. This fixes an issue with the cni network backend since it would
try to access /etc/cni/net.d/ even as rootless user. This regression was
introduced in commit f9cff07b81.

Also hide the cni flags as we do not expect users to change this. The
recommended way is to change them in containers.conf.

[NO NEW TESTS NEEDED]

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-01-10 15:49:43 +01:00
Nalin Dahyabhai 85ed96bb92 define.TempDirForURL(): show CombinedOutput when a command fails
When define.TempDirForURL() runs an external command, if it fails,
include the command's output in the error that's handed back to its
caller so that the end-user has some idea of what happened.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2021-11-08 10:31:53 -05:00
Ashley Cui 326edb312e Add support for env var secret sources
Run secrets can now be created from an environment variable. The
environment variable is read and is briefly stored as a file on /dev/shm
when it's being used, and the file is removed after the RUN command is
finished.

Fixes: #3524

Signed-off-by: Ashley Cui <acui@redhat.com>
2021-10-26 13:18:00 -04:00
Daniel J Walsh 5fbfcf9794
Bump to v1.24.0-dev
[NO TESTS NEEDED]

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-09-13 16:38:37 -04:00
Daniel J Walsh 37fe4e86c2
Bump to v1.23.0
[NO TESTS NEEDED]

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-09-13 16:38:37 -04:00
Leigh McCulloch 7b15d26248 Fix build with .git url with branch
The build with git URL recognizes git URLs by either a git:// scheme prefix, or
any other URL with other schemes such as https:// and a .git suffix.

The build with git URL and branch recognizes the branch name as the fragment
part of the URL, the part after the #.

The .git suffix check is performed by checking that the suffix of the full URL
is .git, however this causes URLs that begin with scheme https://, and have a
.git path suffix, to not be recognized as git URLs when a branch name is
appended.

The logic for checking if the URL path is suffixed with .git should parse the
URL first and consider only the path when looking for the suffix. This change
is implemented in this commit.

This commit also removes the guard within the cloneToDirectory function because
it is unnecessary since every location the function is called the check has
already been carried out.

Signed-off-by: Leigh McCulloch <351529+leighmcculloch@users.noreply.github.com>
2021-09-06 00:17:38 -07:00
TomSweeneyRedHat c4346ef47f Bump to v1.23.0-dev [NO TESTS NEEDED]
[NO TESTS NEEDED]
As the title says.

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2021-08-02 14:18:04 -04:00
TomSweeneyRedHat e6ea308d6d Bump to v1.22.0 [NO TESTS NEEDED]
[NO TESTS NEEDED]

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2021-08-02 14:17:56 -04:00
Daniel J Walsh 1fff9bdbc4
Move to v1.22.0-dev
Since we have a release v1.21.0 going into long term branch, we need to
bump to the next version.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-06-02 15:27:05 -04:00
TomSweeneyRedHat 23924afa06 Bump to v1.21.1-dev [NO TESTS NEEDED]
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2021-05-19 17:58:27 -04:00
TomSweeneyRedHat 5e3515c5b0 Bump to v1.21.0 - [NO TESTS NEEDED]
[NO TESTS NEEDED] As the title says

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2021-05-19 17:47:55 -04:00
TomSweeneyRedHat e5c5760e87 Bump to v1.20.2-dev
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2021-04-13 18:08:07 -04:00
TomSweeneyRedHat 99f733350d Bump to v1.20.1
As the title says.

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2021-04-13 18:05:44 -04:00
Daniel J Walsh f66a6d660d
[NO TESTS NEEDED] Use --recurse-modules when building git context
If a git repository contains submodules, we need to check them all
out because the Containerfile/Dockerfile at the repo might use them.

Fixes: https://github.com/containers/buildah/issues/3104

It is too complicated to set up a recursive submodules git repo, so
setting no tests needed.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-03-26 07:55:58 -04:00
Daniel J Walsh c13f7e3c79
Bump to v1.20.1-dev
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-03-25 13:34:38 -04:00
Daniel J Walsh 293e02ac06
Bump to v1.20.0
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-03-25 13:28:06 -04:00
Daniel J Walsh 898eea8fbe
Make PolicyMap and PullPolicy names align
Currently it is impossible to switch from a PullPolicy type
and PolicyMap via strings.  This PR makes the types align.

This is required to make passing of PullPolicy in podman-remote
work.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-03-05 06:21:59 -05:00
Daniel J Walsh 514a3f1a91
Shrink the vendoring size of pkg/cli
This PR removes the pkg/auth which brings in docker/docker
since it really is not needed, and was only there to help users
discover the settings of where the authfile was, when the environment
variables were set.  Would almost never be of any value.

Move imagebuildah.BuildOptions to define.BuildOptions

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-03-03 14:18:35 -05:00
Daniel J Walsh 4704e6cb3f
Eliminate the use of containers/building import in pkg subdirs
We want to shrink the size of the import when importing pkg from
buildah. This should help us shrink the size of the golang bindings
in podman.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-02-12 12:43:08 -05:00
Daniel J Walsh f280cd0285
Add --policy flag to buildah pull
This allows the user to specify the pull policy for pulling images.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-11-13 03:38:27 -05:00
baude 681e3eff98 refactor pullpolicy to avoid deps
refactor the pullpolicy to its own package so that it can be imported on its own without deps like containers/storage, etc. this will help consuming podman's go bindings.

Signed-off-by: baude <bbaude@redhat.com>
2020-10-12 13:17:31 -05:00