run: after we've picked up the exit status of the "main" process that
we're running, reap anything that was reparented to us before returning.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When RUN requires us to create the target for a mountpoint, make note of
it and any parent directories that needed to be created, and clear them
all out if they look basically the same after the command finishes.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When checking /proc/self/mountinfo for a root filesystem, also match "/"
mounted with "rw" as its only mount option, as an alternative to being
mounted with "rw" and other options at the same time.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When adding an unprivileged user to run tests as, ensure that the
primary and supplemental groups are not repeated, and that at least one
supplemental group is outside of the user's subgid range. When skipping
a test because the invoking user doesn't have any supplemental groups,
log the user's IDs.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Handle requested relabeling of bind mounts (i.e., the "z" and "Z" flags)
directly, instead of letting the runtime handle the relabeling.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When setting mount propagation on the root mount before unmounting it,
use MS_REBIND, since we know it's already a bind mount, and we actually
want to affect the extant bind mount instead of creating another right
over it. Otherwise, we might as well have not bothered.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When containers.conf has the "container_name_as_hostname" option set,
use that value, with values that don't fit `[A-Za-z0-9][A-Za-z0-9.-]+`
stripped out.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
The c/common defaults were changed to no longer mask this path[1]. As
such we need to remove it from this test.
[1] https://github.com/containers/common/pull/2278
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Fix a time-of-check/time-of-use error when mounting type=bind and
type=cache directories that use a "src" flag. A hostile writer could
use a concurrently-running stage or build to replace that "src" location
between the point when we had resolved possible symbolic links and when
runc/crun/whatever actually went to create the bind mount
(CVE-2024-11218).
Stop ignoring the "src" option for cache mounts when there's no "from"
option.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When handling RUN --mount=type=bind, where the mount is read-write,
instead of a simple bind mount, create an overlay mount with an upper
directory that will be discarded after the overlay mount is unmounted.
This brings us in line with the expected behavior, wherein writes to
bind mounts should be discarded.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
They compare buildah-bud against podman-run, which breaks if
/usr/bin/podman changes its ulimits, as happened recently
in podman PR 24335.
Signed-off-by: Ed Santiago <santiago@redhat.com>
We always map 169.254.1.2 with pasta to the host now so ensure the
host.containers.internal entry is set correctly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Make tests pass when using a local cache registry (as triggered
by $CI_USE_REGISTRY_CACHE being non-empty).
Mostly just change images: consolidate to a smaller set, like,
replace the few instances of debian with ubuntu, use $SAFEIMAGE
where we can.
The most significant change was with some s1 (schema 1?) images.
Those exist on quay, but cannot be mirrored locally: the local
registry forbids schema 1 images. I chose to skip these tests
when running against a local registry.
Second most significant change is running containerized tests
with --net=host. We need this to access the registry running
on a localhost port. (One alternative would be to bind the
registry on all interfaces, cringe, then perform sed magic
on the registries-cache.conf file changing 127.0.0.1 to
host.containers.internal, more cringe).
Also, some cleanup.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Per consent in 2024-03-20 Planning, remove support for cgroups v1.
And, per discovery on 2024-05-28, systemd 256 no longer even
boots on a cgroups v1 system.
This commit switches to VMs built in:
https://github.com/containers/automation_images/pull/338
...in which Debian is now cgroups v2 with crun.
Requires disabling two conformance tests which fail when run
against docker 26.1; see #5526 for context on those.
Also requires disabling two bats tests on debian because
something changed there in ulimits. I'll look into them
later but right now this gives us breathing space.
And, latest git on f40 refuses to serve non-root files when
run as root ("dubious ownership"); so, in start_git_daemon(),
chown the extracted files.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Attempt to make more thorough use of cached copies of images during
integration tests, except in tests which need to pull a new image while
they're running, either because they test pulling directly, or because
they expect to pull a given image for a non-default platform or for
multiple platforms.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Previously buildah may have created an incorrect hosts/resolv.conf file;
when netavark, slirp4netns or pasta are used we have to actually
consider their special setup and use the correct nameservers.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This should have been done a long time ago and this would have made
clear that it did not work properly. However now that pasta is the
default and we fixed all the remaining problems we can easily enable
them.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
buildah build --pull=false is documented to never pull the image, but it
is currently ignored.
Fixes: https://github.com/containers/podman/issues/21783
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Podman currently sets the ulimits of nofile and nproc
to max in rootless mode, if the user does not override.
Buildah on the other hand just passes in the current defaults.
Podman build should match podman run, and this will fix that problem.
Fixes: https://github.com/containers/buildah/issues/5273
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When creating a container using a prefetched image, use --quiet and
--pull=false for the pair of tests which didn't, bringing them in line
with the rest of the tests in the file.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use the `default_rootless_network_cmd` containers.conf option to know
which rootless network program to use as default. This setting is
important so distros and users can actually set a different default if
they wish.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Like podman, allow buildah and therefore podman build to use the network
mode pasta. The pasta integration is very simple and we do not even
need a teardown handler for that as pasta will exit on its own when the
netns path is removed.
However right now this is broken, pasta will fail to open
/proc/$pid/ns/net. I sent a patch[1] to fix this upstream in pasta.
I assume this will land quickly so I'd like to get this in now just so we
have this included in podman v4.6. Thus the test is skipped for now.
[1] https://archives.passt.top/passt-dev/20230623082531.25947-2-pholzing@redhat.com/
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This uses the same code as podman for slirp4netns, this means
- ipv6 is enabled by default
- slirp4netns options are read from containers.conf
- slirp4netns options can now be set on the cli. This required some
small rework on where we parse the network string.
Lastly I updated the --network docs, to document the new slirp4netns
mode. That included fixing up buildah-from and buildah-run pages which
were incomplete in that regard. Now we show the same for all options.
Fixes #3968
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Some tools depend on the hostname being present in /etc/hosts. I would
argue they are broken but it's not like we can do anything about that.
This adds the hostname with the local host ip when the host network is
used. For private networking we already add the hostname.
We also now correctly force host networking in chroot mode, it was
silently ignored before thus causing extra confusion here.
Fixes #4446
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Change the heuristic to mount a fresh sysfs every time a new network
namespace is created. This modification ensures the creation of the
sysfs when the network namespace is created, which is better than
sharing the one from the host.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2164524
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
crun might not print any debugging message, so change the runtime-flag
test to use --log=log-file and test it was created.
Closes: https://github.com/containers/buildah/issues/4503
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Regular primitive bats uses assertions like '[ $foo = something ]'.
These are worthless for debugging: when they fail, all you know
is that foo is not "something" but you don't know what foo _is_.
Find and replace those assertions with 'assert', which is
more informative. Instances found via:
$ ack '^ *\[' tests/*.bats
There are many matches for 'test' (instead of '[') but those
mostly look like file-existence ones, which are less evil
than string-check tests. I'm leaving those be for now.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Allow containers running under buildah to use
--group-add keep-groups, so that they can inherit
access to the user's groups.
Also allow users to add supplemental groups to the container.
Fixes: https://github.com/containers/buildah/issues/4476
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Conflict --isolation=chroot and --network, since internally --chroot
will always configure network ns equivalent to host.
Closes: https://github.com/containers/buildah/issues/4255
Signed-off-by: Aditya R <arajan@redhat.com>
When a container is created with specific uid and gid also add container
gid to supplementary/additional group.
Signed-off-by: Aditya R <arajan@redhat.com>
When passing the value ? to a shell function as an argument, don't
forget to quote it, so that it doesn't get expanded as a filename
pattern by the shell.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use the new etchosts package to generate the hosts file.
This will ensure that we use the same logic in podman and buildah.
New features are:
- no duplicated entries
- adds entries for the network/slirp4netns ips
- configure the host.containers.internal entry in containers.conf
- configure the base hosts file in containers.conf
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Check that the inheritable capabilities are set to 0, even when we
explicitly try to add capabilities.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Users want to turn off addition of /etc/hosts file while building
container images, this would allow them to customize the /etc/hosts
file within the image.
Fixes: https://github.com/containers/buildah/issues/3808
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Instrument tests so that they can be executed in a rootless environment.
Certain tests perform mount directly and they need a separate
user namespace; these tests are marked to be skipped for `rootless
environment`.
Signed-off-by: Aditya R <arajan@redhat.com>