This is needed on the off-chance that some tool or a human suggests
updating the minimum version to 1.21 or later, since doing so would
cause Fedora and Debian to start behaving differently WRT builds.
Signed-off-by: Chris Evich <cevich@redhat.com>
If we are copying heredoc files, we need to temporarily place
them in the context dir and then move to container via copier.
There are cases where .containerignore can have patterns like
which can match our heredoc files so let's not set any excludes
or IgnoreFile for this copy.
Closes: https://github.com/containers/buildah/issues/5391
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
A comment states that avoidLookingCache is set when a previous stage
that executed as part of the build is referenced by --mount, to avoid
reusing content from an older build of the stage:
// Only attempt to find cache if its needed, this part
// so that if a step is using RUN --mount and mounts
// previous stages then it uses the freshly built stage
// of re-using the older stage from the store.
However, stages consisting of COPY/ADD seem to be flagged with
didExecute even if they were fetched from cache instead. I believe
this is an oversight, and these stages should not prevent subsequent
caching.
Also, avoidLookingCache would prevent a cache push, but I think it
should only prevent cache lookups, since populating the cache is still
useful in these cases.
It's very possible I'm misunderstanding something, but I believe the
RUN step in the test case I've added wrongly skips cache, and I'd appreciate
some pointers in the right direction if what I've proposed here isn't
the right solution.
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
Describe --device in `buildah from` and `buildah run`, where it's new.
Update the description of --device in `buildah build` to note that the
device nodes are only there while RUN instructions are being run, and
not to imply that they end up in the finished image.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add support for using CDI to resolve `--device` devices for RUN
instructions during `buildah build`, `buildah from`, and `buildah run`,
as `podman run` does.
This generally requires that we stop resolving device specifications
(arguments passed to --device) earlier and defer that until it's
time to run a process, because CDI wants to pick over those values,
modify a runtime spec to set up the ones that it knows about, and then
hand back the list of values that it doesn't know about.
We don't want to do a dry run of this during CLI processing because that
would create a window where the underlying hardware state could change,
and that could produce some hard-to-diagnose errors.
Being able to test this is going to require that we add the `--device`
flag to `buildah run` (`--security-opt` affects how we build the
container's layer, so it has to be done at `buildah from`).
The default configured devices list is pulled in by CLI flag processing
during `buildah from` and `buildah build`, so it doesn't also need to be
explicitly passed to `buildah run` or the internal Run() method.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Avoid generically referring to "the container" where it can be ambiguous
that we're actually talking about the environment we set up for running
a command for a RUN instruction or Run() call.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When the passed-in source location is a symbolic link, dereference it,
because the documentation says that's what we do.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Just before merging #5411, a comment was made
about changing a RUN command to a comment. This
completes that.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Whenever a PR's target branch moves, Renovate was reconfigured to rebase
all of its PRs and re-run CI. This is annoying for developers, stop
it.
Signed-off-by: Chris Evich <cevich@redhat.com>
Addresses CVE-2024-1753, which allowed a user to write files to the
`/` directory of the host machine if SELinux was not enabled.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Previously buildah may have created an incorrect hosts/resolv.conf file,
when netavark, slirp4netns or pasta are used we have to actually
consider their special setup and use the correct nameservers.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We should never configure the files before we set up the network as we
are missing a lot of information. This is part 1 of the refactor where
we split the functions between create/add entries part. See the
following commit to actually see how we make use of this.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This removes the need for any `Provides: bundled()` we needed in spec
files.
The updated Provides will be visible in the build logs and can also be
verified with `rpm -q --provides $RPM_FILE`.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>