Use the copier package to rework how we handle ADD and COPY.
When evaluating cache for content that's being copied/added in, switch
from (digest the data, check for a cache entry, then maybe copy the data
and create the new layer) to (copy the data and create the new layer,
digesting as we go, check for a cache entry, either commit or discard
the new layer).
Use the copier package for ADD, COPY, and for ensuring that a specified
directory exists in the working container's rootfs.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
If there's no network present in the container, don't bind
the /etc/hosts file as any changes to it from the caller will
be lost when run exits. Ditto the /etc/resolv.conf file.
Addresses: #2478
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Move the conformance tests from ginkgo to using the default testing
package and github.com/stretchr/testify/require, preserving the existing
tests and adding more.
Add conformance tests to our Cirrus configuration, currently marked as
an allowed failure.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2465: Deduplicate environment variables r=rhatdan a=nalind
#### What type of PR is this?
> /kind cleanup
#### What this PR does / why we need it:
When combining lists of environment variables read from base images with defaults supplied from our own configuration, ensure that the resulting environment we produce only contains one value for any given variable. While adding variables to a runtime spec using `github.com/opencontainers/runtime-tools/generate.Generator.AddProcessEnv()` ensures that later values in the list override values that occur earlier, we shouldn't be depending on that.
#### How to verify it
#### Which issue(s) this PR fixes:
None
#### Special notes for your reviewer:
Related to https://github.com/openshift/imagebuilder/pull/169.
#### Does this PR introduce a user-facing change?
```
None
```
Co-authored-by: Nalin Dahyabhai <nalin@redhat.com>
When combining lists of environment variables, or environment variables
combined with build arguments, always deduplicate sets of values.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
fix a race condition where the container process could exit before the
runtime sends the signal, causing the command to fail.
Part of: https://github.com/containers/crun/issues/422
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The correct args are already contained in the RunOptions.
They were resolved by the imagebuilder library's Step function
(edcddd8483/builder.go (L311-L317)).
This was previously adding args that should not have been accessible
in the current stage as they were not first referenced by an ARG
command.
Signed-off-by: Nick Carboni <ncarboni@redhat.com>
do not attempt again to poll the file if it is not pollable and
the errno is not syscall.EINTR or syscall.EAGAIN.
Closes: https://github.com/containers/buildah/issues/2194
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
After determining the type of runtime to use,
either "runc" or "crun" dependent upon the system, search
the list of that type of runtime in the containers.conf
file. It includes the location of those runtimes in a
number of different architectures. Once found, set the
runtime to use to that value.
Fixes: #2113
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
When building the slice of environment variables to add to the
configuration for a container that we're about to run, in case of
conflicts, we want the values from the base image or working container
to override the global defaults, and we want values that were passed to
us through the API to override them both.
In cases of conflicts, values which occur later in the slice override
values which occurred earlier, so we want to add them in this order:
* values from containers.conf
* values from the base image or working container
* values passed to us through the API
We previously applied the containers.conf defaults after the base image
or working container's value, and that meant that containers.conf's
values always took precedence over the values in the image.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
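As an added illustration, not buildah's own code, of the ordering and deduplication described in this commit and in the "Deduplicate environment variables" PR above: the three lists are merged as containers.conf defaults, then image or working-container values, then API values, later lists override earlier ones, and each variable appears exactly once so the process's view of e.g. PATH does not depend on how the runtime resolves duplicates. The `mergeEnv` helper and the sample inputs are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// mergeEnv combines NAME=VALUE lists in precedence order: a variable set in a
// later list overrides the same-named variable from an earlier list, and the
// result holds every variable once, at the position it first appeared.
func mergeEnv(lists ...[]string) []string {
	index := map[string]int{} // variable name -> position in merged
	var merged []string
	for _, list := range lists {
		for _, kv := range list {
			name := kv
			if i := strings.IndexByte(kv, '='); i >= 0 {
				name = kv[:i]
			}
			if pos, seen := index[name]; seen {
				merged[pos] = kv // later list wins; keep first position
				continue
			}
			index[name] = len(merged)
			merged = append(merged, kv)
		}
	}
	return merged
}

func main() {
	// Constructed sample inputs, in the order the commit message prescribes.
	defaults := []string{"PATH=/usr/bin:/bin", "TERM=xterm"}
	image := []string{"PATH=/usr/local/bin:/usr/bin", "LANG=C.UTF-8"}
	api := []string{"TERM=linux", "HTTP_PROXY=http://proxy.example:3128"}
	for _, kv := range mergeEnv(defaults, image, api) {
		fmt.Println(kv)
	}
}
```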
In porting containers.conf to libpod, we found that buildah needed
to handle the containers.conf on the server side rather than from
the CLI.
Since the `podman-remote build` would probably not have the same content
as containers.conf on the server, the processing of the defaults needs
to be handled in imagebuildah. The CapAdd and CapDrop values need to be
passed in.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This is a rework of Qi Wang's patches.
Import package pkg/config from containers/common to read containers.conf
This patch allows users to specify default values stored in containers.conf
that will modify the behaviour of buildah tool.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #2011
Approved by: TomSweeneyRedHat
Podman uses the overlay mounts differently than in buildah. Specifically the
overlay mount points can be used over and over again when starting and stopping
the container. Since the paths are baked into the container config, we have
to be able to clean out just the Upper and Merged directory rather than destroying
and recreating the overlay directories on each container start.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1822
Approved by: vrothberg
If host is running in fips mode, then RHEL8.2 and beyond container images
will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
order to make all tools in the container follow the FIPS Mode rules.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We have moved shared code from buildah, podman and others into containers/common.
Specifically for this PR we are moving to use containers/common/pkg/unshare and
containers/common/pkg/cgroups.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #2010
Approved by: QiWang19
If disableFips is set, then we don't mount the FIPS
secret even if the machine is in FIPS mode. This is
to help users run workloads that are not FIPS compliant
in openshift even if their machine is in FIPS mode.
This is needed in CRI-O.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Some Dockerfiles (fuse-overlay) require additional devices to be in the
build environment.
This patch allows the user to specify additional devices.
Also I noticed that CapAdd and CapDrop were not working in buildah bud situations,
so this patch also fixes this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1820
Approved by: @TomSweeneyRedHat
Container processes want to check for the existence of this file
to determine if they are running inside of a container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add a DryRun flag to AddAndCopyOptions, so that we can "copy" content to
digest it.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1792
Approved by: TomSweeneyRedHat
fix the detection code for running in a user namespace. When buildah
is running in rootless mode, a user namespace is automatically created
even if there are no mappings configured.
Closes: https://github.com/containers/libpod/issues/2972
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1775
Approved by: rhatdan
This commit enables the `unparam` linter and applies all reported issues.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Closes: #1719
Approved by: rhatdan
Fix an out-of-range panic in buildah-run by moving the call to
setNonbloc() to the appropriate place (i.e., only when the copyPipes
parameter is set).
Replaces #1672. Needed to make two smaller functions to make gofmt
happy.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #1674
Approved by: rhatdan
make the stdin pipe not blocking, so that it won't hang if the other
end is not reading from it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1668
Approved by: rhatdan
make the stdin pipe not blocking, so that it won't hang if the other
end is not reading from it.
Closes: https://github.com/containers/buildah/issues/1664
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1668
Approved by: rhatdan
Fix handling of ID mapping for COPY: when copying from other containers,
use their mappings, and when copying from the host, use host mappings.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1630
Approved by: TomSweeneyRedHat
There is a chance that buildah crashed and left overlay
content. This patch will remove any left over content
before creating the overlay mounts.
Also the previous patch would not be able to handle multiple
overlay volume mounts. This patch fixes this issue as well.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1625
Approved by: TomSweeneyRedHat
check that the sysctl we'd like to use is supported by the kernel
before using it.
Closes: https://github.com/containers/buildah/issues/1618
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1619
Approved by: rhatdan
Checks to see if the $HOME envvar has been set
and if not, tries to set it as best as possible.
Fixes: #1592
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #1594
Approved by: rhatdan
Overlay mounts allow buildah bud and buildah from to
specify a directory on the disk that will be mounted
as an overlay into the container, where the overlay can be written to
but when the RUN or buildah run exits, the modified files will disappear.
The basic idea is to be able to mount cache from the disk for things like yum/dnf/apt
to be able to be used and modified in the container on a run command, but to be
kept fresh for each RUN.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1560
Approved by: giuseppe
Rootless mode was ignoring the --shm-size option.
For some reason the test that would have caught this was disabled.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1595
Approved by: vrothberg
In a prior PR, we were creating the directory from the
translated symlink onto the host container. Instead
try to create that in the container and if it exists
already, just continue.
Fixes: #1562
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #1565
Approved by: rhatdan
the podman remote-client for windows pulls in some buildah code for
things like commit and build. we need to perform some slight
refactoring of buildah code to accommodate that build.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1551
Approved by: rhatdan