Tag a new release to incorporate the recent security advisory, and make
a minor update to the CI configuration.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Ensure that the temporary directory that we create is never itself the
top-level directory of the content that we're downloading, in case it's
an archive which includes a "." with weird permissions.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
There have been a number of breaking changes added
since v1.34 to the main branch. We'll create a new
release branch for v1.34 and will set the version in
main to 1.35.0-dev.
The intended target for Buildah v1.35 is Fedora 40.
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Podman currently sets the ulimits of nofile and nproc
to max in rootless mode, if the user does not override.
Buildah on the other hand just passes in the current defaults.
Podman build should match podman run, and this will fix that problem.
Fixes: https://github.com/containers/buildah/issues/5273
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add a --sbom flag to `buildah build` and `buildah commit` which will
scan the rootfs and specified context directories to build SPDX or
CycloneDX SBOMs and lists of package URLs.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When using the working container's rootfs to populate a plaintext disk
image with mkfs, instead of writing .krun_config.json to the rootfs and
then removing it afterward (since we don't want it to show up if the
same working container is later committed to non confidential-workload
image), mount an overlay filesystem using a temporary directory as the
upper and the rootfs as the lower, create the .krun_config.json file in
the overlay filesystem, and use the overlay filesystem as the source
directory for mkfs.
Add the necessary stubs to allow pkg/overlay to at least compile on
non-Linux systems. Change the naming scheme for a test so that the path
names it uses for temporary directories don't include "," or "=", which
can confuse the kernel.
Creating confidential workload images will now only be possible on Linux
systems, but we exec'd out to sevctl to read platform certificates, and
that requires kernel support with vendor firmware, so I don't know that
anyone will actually be impacted by the change.
Teach pkg/overlay.MountWithOptions() to accept `nil` as a pointer to a
struct parameter that is otherwise optional.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a --cw option to `buildah build` and `buildah commit`, which takes a
comma-separated list of arguments and produces an image laid out for use
as a confidential workload:
type: sev or snp
attestation_url: location of a key broker server
cpus: expected number of virtual CPUs to run with
memory: expected megabytes of memory to run with
workload_id: a distinguishing identifier for the key broker server
ignore_attestation_errors: ignore errors registering the workload
passphrase: for encrypting the disk image
slop: extra space to allocate for the disk image
At least one of attestation_url and passphrase must be specified in
order for the encrypted disk image to be decryptable at run-time. Other
arguments can be omitted. ignore_attestation_errors is intentionally
undocumented, as it's mainly used to permit some amount of testing on
systems which don't have the required hardware.
Add an `mkcw` top-level command, for converting directly from an image
to a confidential workload.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This commit adds Packit configuration files which will trigger rpm
builds on copr:`rhcontainerbot/packit-builds` on every PR as well as on
copr:`rhcontainerbot/podman-next` on every commit to main branch.
This commit will ensure main branch is always buildable on all supported
Fedora and CentOS Stream versions for aarch64 and x86_64.
TODO: enable build checks for s390x and ppc64le while ensuring they
don't take too long to build.
The packit builds reuse `buildah.spec.rpkg` present upstream and are
thus independent of Fedora / CentOS dist-git.
This change will remove the need for the current webhook based triggering
of rpm builds on rhcontainerbot/podman-next after commit to main.
That will be instead handled by the `trigger: commit` action added in this
PR. New builds will continue to get posted to the same link so users
don't need to change any existing copr repo configuration.
[NO NEW TESTS NEEDED]
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
In golang 1.19, `io/ioutil` is fully deprecated preventing Buildah from
compiling. Replace all calls with equivalent calls from the `os`
package.
Signed-off-by: Chris Evich <cevich@redhat.com>
Podman adds an Error: to every error message. So starting an error
message with "error" ends up being reported to the user as
Error: error ...
This patch removes the stutter.
Also ioutil.ReadFile errors report the Path, so wrapping the err message
with the path causes a stutter.
Signed-off-by: Daniel J Walsh dwalsh@redhat.com
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* build: support filtering cache by duration using `--cache-ttl`.
* build: support building from commit when using git repo as build context.
* build: clean up git repos correctly when using subdirs.
* build: add support for distributing cache to remote sources using `--cache-to` and `--cache-from`.
* imagebuildah: optimize cache hits for `COPY` and `ADD` instructions.
* build: support OCI hooks for ephemeral build containers.
* build: add support for `--userns=auto`.
* copier: add NoOverwriteNonDirDir option .
* add initial support for building images using Buildah on FreeBSD.
* multistage: this now skips the computing of unwanted stages to improve performance.
* multiarch: support splitting build logs for `--platform` using `--logsplit`.
* build: add support for building images where the base image has no history.
* commit: allow disabling image history with `--omit-history`.
* build: add support for renaming a device in rootless setups.
* build: now supports additionalBuildContext in builds via the `--build-context` option.
* build: `--output` produces artifacts even if the build container is not committed.
* build: now accepts `-cpp-flag`, allowing users to pass in CPP flags when processing a Containerfile with C Preprocessor-like syntax.
* build: now accepts a branch and a subdirectory when the build context is a git repository.
* build: output now shows a progress bar while pushing and pulling images
* build: now errors out if the path to Containerfile is a directory.
* build: support building container images on environments that are rootless and without any valid login sessions.
* fix: `--output` now generates artifacts even if the entire build is cached.
* fix: `--output` generates artifacts only for the target stage in multi-stage builds.
* fix,add: now fails on a bad HTTP response instead of writing to container
* fix,squash: never use build cache when computing the last step of the last stage
* fix,build,run: allow reusing secret more than once in different RUN steps
* fix: compatibility with Docker build by making its --label and --annotate options set empty labels and annotations when given a name but no `=` or label value.
[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]
Signed-off-by: Aditya R <arajan@redhat.com>
When using URL to a git repo as build context allow specifying `commit`
to make sure specific `commit` is used as the build context.
Examples
```console
buildah build -t test myrepo.git#abcef123
buildah build -t test myrepo.git#abcef123
buildah build -t test myrepo.git#abcef123:somesubdir
```
Closes: https://github.com/containers/buildah/issues/4148
Signed-off-by: Aditya R <arajan@redhat.com>
When the build context is specified as a subdirectory in a Git
repository, we were cloning the repository to start, but only removing
the subdirectory when we were finished with it. We should be removing
the whole clone.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Buildah now supports `--userns=auto` which can automatically pick an empty range and create an user namespace for the container.
The `--userns=auto` flag, requires that the user name containers and a range of subordinate user ids that the build container is allowed to use be specified in the /etc/subuid and /etc/subgid files.
Example: `containers:2147483647:2147483648`.
Buildah allocates unique ranges of UIDs and GIDs from the containers subordinate user ids. The size of the ranges is based on the number of UIDs required in the image. The number of UIDs and GIDs can be overridden with the size option.
Valid auto options:
* gidmapping=CONTAINER_GID:HOST_GID:SIZE: to force a GID mapping to be present in the user namespace.
* size=SIZE: to specify an explicit size for the automatic user namespace. e.g. --userns=auto:size=8192. If size is not specified, auto will estimate a size for the user namespace.
* uidmapping=CONTAINER_UID:HOST_UID:SIZE: to force a UID mapping to be present in the user namespace.
Signed-off-by: Aditya R <arajan@redhat.com>
When using `build -t <tag> <some-url-to-git-repo>` buildah does not
accepts syntax `url#branch:subdir` following commit allows end users to
switch context to any subdirectory in the git repo.
Usage
```console
buildah build -t test 'https://github.com/containers/podman.git#main:contrib/hello'
```
Signed-off-by: Aditya R <arajan@redhat.com>
Allows end-users to export final build content or rootfs to external formats.
By default, a local container image is created from the build result. The --output (or -o) flag allows you to override this behavior, and a specify a custom exporter. For example, custom exporters allow you to export the build artifacts as files on the local filesystem instead of a Container image, which can be useful for generating local binaries, code generation etc.
The value for --output is a CSV-formatted string defining the exporter type and options. Currently, local and tar exporters are supported. The local exporter writes the resulting build files to a directory on the client side. The tar exporter is similar but writes the files as a single tarball (.tar).
```console
buildah build --output type=local,dest=dir .
buildah build --output type=tar,dest=rootfs.tar .
buildah build -o dir .
```
Reference: https://docs.docker.com/engine/reference/commandline/build/#custom-build-outputs
Signed-off-by: Aditya R <arajan@redhat.com>
Nalin Dahyabhai
tomsweeneyredhat
Daniel J Walsh
Lokesh Mandvekar
Chris Evich
Doug Rabson
Aditya R
Sascha Grunert