All `[]string`s in containers.conf have now been migrated to attributed
string slices which require some adjustments in Buildah and Podman.
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Previously, when mounting multiple mounts, if any mount had a `type`
specified, it would override the default type for subsequent mounts.
This meant, for example, that having a RUN step like:
```Dockerfile
RUN --mount=type=cache,target=/cache --mount=source=.,target=/src
```
would incorrectly mount the second source as a cache, instead of a
bind-mount.
This fix ensures the default is reset between each iteration of the
loop, ensuring we get the right mount type.
Signed-off-by: Benjamin Schubert <contact@benschubert.me>
internal/parse does not need to depend on libimage.
This allows for a smaller podman remote client.
Based on Miloslav's work: https://github.com/containers/podman/pull/19718
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This uses the same code as podman for slirp4netns, which means:
- ipv6 is enabled by default
- slirp4netns options are read from containers.conf
- slirp4netns options can now be set on the CLI. This required some
small rework on where we parse the network string.
Lastly I updated the --network docs, to document the new slirp4netns
mode. That included fixing up buildah-from and buildah-run pages which
were incomplete in that regard. Now we show the same for all options.
Fixes #3968
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Some tools depend on the hostname being present in /etc/hosts. I would
argue they are broken, but it's not like we can do anything about that.
This adds the hostname with the local host ip when the host network is
used. For private networking we already add the hostname.
We also now correctly force host networking in chroot mode, it was
silently ignored before thus causing extra confusion here.
Fixes #4446
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Restore SysProcAttr.Pdeathsig values for child processes that we start,
so that they get a SIGKILL when we exit for whatever reason. Lock the
calling goroutine to a native thread while that's happening, like we
should always have done.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
It is not safe to use prctl(PR_SET_PDEATHSIG) in a Go program since
the parent of the process is considered the *thread* that created the
child process, and the Go runtime can free a thread at any time. We
would either need to lock the thread, or simpler just not use it.
[NO NEW TESTS NEEDED]
Closes: https://github.com/containers/podman/issues/17918
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
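The two commit messages above take the two possible positions on PR_SET_PDEATHSIG: keep it but pin the goroutine to an OS thread, or drop it. The following is an added example (not Buildah's own code) of the first option: the child gets SIGKILL when the thread that created it goes away, so the goroutine is locked to that thread from Start until Wait returns. It assumes Linux, where os/exec exposes the death signal as SysProcAttr.Pdeathsig, and that an `sh` is on PATH.

```go
package main

import (
	"fmt"
	"os/exec"
	"runtime"
	"syscall"
)

// newChildCmd builds a command whose child process receives SIGKILL from the
// kernel when its parent goes away. On Linux this is PR_SET_PDEATHSIG, which
// os/exec exposes as the Linux-specific SysProcAttr.Pdeathsig field.
// Constructed example helper, not Buildah's own.
func newChildCmd(name string, args ...string) *exec.Cmd {
	cmd := exec.Command(name, args...)
	cmd.SysProcAttr = &syscall.SysProcAttr{Pdeathsig: syscall.SIGKILL}
	return cmd
}

// runChildLocked starts the child and waits for it while the calling goroutine
// is pinned to a single OS thread. The death signal is tied to the *thread*
// that called clone(), so if the Go scheduler were free to retire that thread
// the child could be killed while the program is still running.
func runChildLocked(name string, args ...string) error {
	runtime.LockOSThread()
	defer runtime.UnlockOSThread()

	cmd := newChildCmd(name, args...)
	if err := cmd.Start(); err != nil {
		return fmt.Errorf("starting %s: %w", name, err)
	}
	// Stay locked until the child is gone; a non-zero exit surfaces as an error.
	return cmd.Wait()
}

func main() {
	if err := runChildLocked("sh", "-c", "echo child running; exit 0"); err != nil {
		panic(err)
	}
	fmt.Println("child exited cleanly")
}
```

Holding the lock for the whole lifetime of the child, rather than only across Start, is the conservative choice: it removes any window in which the creating thread could disappear before the child does.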
`Buildkit` and `docker` accept the `required` flag as `true` in
`--mount=type=secret`, so let's do the same for buildah.
Example usage
```Dockerfile
FROM docker.io/nginx:1.23.3
RUN --mount=type=secret,id=nginx-crt,dst=/nginx-repo.crt,required \
--mount=type=secret,id=nginx-key,dst=/nginx-repo.key,required \
set -x \
&& . /etc/os-release \
&& stat /nginx-repo.crt \
&& stat /nginx-repo.key
```
Closes: https://github.com/containers/podman/issues/18438
Signed-off-by: Aditya R <arajan@redhat.com>
It seems buildah was cleaning the path after unmounting the content which
was added by `--mount`; however, buildah should `remove` only if the path
did not pre-exist, otherwise it should simply `unmount`.
The following behaviour aligns buildah with buildkit.
Closes: https://github.com/containers/buildah/issues/4739
Signed-off-by: Aditya R <arajan@redhat.com>
Allow containers running under buildah to use
--group-add keep-groups, so that they can inherit
access to the users groups.
Also allow users to add supplemental groups to the container.
Fixes: https://github.com/containers/buildah/issues/4476
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Users may get confusing error messages where it is not clear that they are
related to the network setup; wrap the error to make it clearer that
some network setup failed.
[NO NEW TESTS NEEDED]
Fixes containers/podman#16809
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When working with `--mount=type=bind` and `--mount=type=cache` allow
`target` to accept relative paths w.r.t. the configured work dir.
Closes: https://github.com/containers/buildah/issues/4309
Signed-off-by: Aditya R <arajan@redhat.com>
In golang 1.19, `io/ioutil` is fully deprecated preventing Buildah from
compiling. Replace all calls with equivalent calls from the `os`
package.
Signed-off-by: Chris Evich <cevich@redhat.com>
This allows declaring run mounts using e.g. '-mount=type=nullfs,...' on
FreeBSD which makes more sense for FreeBSD users. It is also consistent
with 'podman run' which requires the nullfs mount type on FreeBSD.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
... and use a more traditional error handling model,
where responsibility for the cleanup passes to the caller
_only_ if the called function succeeds.
To reinforce that, hard-code nil returns on error paths
instead of returning the locks.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
It can return at most one lock, so don't return an array.
Should not change behavior right now, but it will simplify
cleanup.
[NO NEW TESTS NEEDED]
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
By construction it's now quite clear that the locks should
always be locked.
Don't even bother with AssertLockedForWriting(), that's
partially (checking for lock ownership, not for read-write ownership)
implied by Unlock() already.
[NO NEW TESTS NEEDED]
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
They exist in memory anyway, so this is more efficient:
we avoid the need to manually touch the filesystem again,
the associated costs - and the error paths go away.
[NO NEW TESTS NEEDED]
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
A single `RUN` can contain multiple `--mount` commands, so let's append into
`lockedTargets` so we collect `lockfiles` from all the `--mount`
instructions.
Helps in: https://github.com/containers/buildah/issues/4342
Signed-off-by: Aditya R <arajan@redhat.com>
Podman adds an Error: to every error message. So starting an error
message with "error" ends up being reported to the user as
Error: error ...
This patch removes the stutter.
Also ioutil.ReadFile errors report the Path, so wrapping the err message
with the path causes a stutter.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Flags processing in `--mount` must not be hardcoded to expect the first field to
be `type`; instead it should be order agnostic.
Closes: https://github.com/containers/podman/issues/15748
Signed-off-by: Aditya R <arajan@redhat.com>
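Several of the messages above describe parsing rules for the `--mount` value of a RUN instruction: the default type must be reset for every mount instead of leaking from the previous one, `type=` may appear at any position, relative `target` paths resolve against the work dir, and a bare `required` is accepted as `required=true`. The following is an added example parser that enforces all four; it is constructed for this page and is not Buildah's own code, and its `Mount` type, field names and the `bind` default are simplifications of what Buildah actually supports.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Mount is a simplified view of one parsed --mount argument. It is a
// constructed type for this example, not Buildah's own definition.
type Mount struct {
	Type     string
	Source   string
	Target   string
	ID       string // secret id, when Type == "secret"
	Required bool
}

// defaultMountType is what a --mount without type= means.
const defaultMountType = "bind"

// parseRunMounts parses the values of the --mount flags on a single RUN
// instruction. The default type is re-established for each mount instead of
// leaking from the previous one, "type=" may appear at any position, relative
// targets are resolved against workDir, and a bare "required" counts as true.
func parseRunMounts(workDir string, args []string) ([]Mount, error) {
	mounts := make([]Mount, 0, len(args))
	for _, arg := range args {
		// A fresh per-iteration value: the previous mount's type cannot
		// carry over into this one.
		m := Mount{Type: defaultMountType}
		for _, field := range strings.Split(arg, ",") {
			key, val, hasVal := strings.Cut(field, "=")
			switch key {
			case "type":
				if !hasVal || val == "" {
					return nil, fmt.Errorf("mount %q: type needs a value", arg)
				}
				m.Type = val
			case "source", "src":
				m.Source = val
			case "target", "dst", "destination":
				m.Target = val
			case "id":
				m.ID = val
			case "required":
				// Accept "required", "required=true" and "required=false".
				m.Required = !hasVal || val == "true"
			default:
				return nil, fmt.Errorf("mount %q: unknown option %q", arg, key)
			}
		}
		if m.Target == "" {
			return nil, fmt.Errorf("mount %q: target is required", arg)
		}
		if !filepath.IsAbs(m.Target) {
			m.Target = filepath.Join(workDir, m.Target)
		}
		mounts = append(mounts, m)
	}
	return mounts, nil
}

func main() {
	mounts, err := parseRunMounts("/src", []string{
		"type=cache,target=/cache",
		"source=.,target=/src",    // no type=: must be a bind mount, not cache
		"target=build,type=cache", // type= is not the first field
	})
	if err != nil {
		panic(err)
	}
	for _, m := range mounts {
		fmt.Printf("%-6s src=%q target=%s required=%v\n", m.Type, m.Source, m.Target, m.Required)
	}
}
```

Declaring the mount inside the loop body is what makes the default-reset property hold by construction; a variable declared once before the loop is exactly the shape of the bug the first message describes.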
When a container is created with a specific uid and gid, also add the container
gid to supplementary/additional group.
Signed-off-by: Aditya R <arajan@redhat.com>
On FreeBSD, the Linux section of the spec is not populated. FreeBSD does
have a similar labelling facility in its MAC framework but that would be
better managed via a future addition of a FreeBSD section to the runtime
spec rather than trying to make it look like Linux.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
If errors for which os.IsExist() or os.IsNotExist() would have returned
true have been wrapped using fmt.Errorf()'s "%w" verb, os.IsExist() and
os.IsNotExist(), not having been retrofitted to use errors.Is(), will
return false.
Use errors.Is() to check if an error is an os.ErrExist or os.ErrNotExist
error instead of calling os.IsExist() or os.IsNotExist().
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
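An added example (not Buildah's code) showing the behaviour the message above describes: `os.IsNotExist` unwraps `*os.PathError` but not `fmt.Errorf`'s `%w` wrapper, so it reports `false` once the error has been annotated, while `errors.Is` walks the whole chain. The error is constructed directly with `syscall.ENOENT` so the demonstration does not depend on the filesystem; the path is a constructed placeholder.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// statMissing returns the kind of error os.Stat produces for a missing path,
// constructed directly so the example does not touch the filesystem.
func statMissing(path string) error {
	return &os.PathError{Op: "stat", Path: path, Err: syscall.ENOENT}
}

// statMissingWrapped adds context with fmt.Errorf's %w verb, as callers
// commonly do on the way back up the stack.
func statMissingWrapped(path string) error {
	return fmt.Errorf("checking mount target: %w", statMissing(path))
}

// legacyCheck uses os.IsNotExist, which only looks through *PathError,
// *LinkError and *SyscallError, not through fmt.Errorf's wrapper.
func legacyCheck(err error) bool { return os.IsNotExist(err) }

// modernCheck uses errors.Is, which follows the full Unwrap chain down to
// syscall.ENOENT, whose Is method matches os.ErrNotExist.
func modernCheck(err error) bool { return errors.Is(err, os.ErrNotExist) }

func main() {
	plain := statMissing("/constructed/missing")
	wrapped := statMissingWrapped("/constructed/missing")
	fmt.Printf("os.IsNotExist: plain=%v wrapped=%v\n", legacyCheck(plain), legacyCheck(wrapped))
	fmt.Printf("errors.Is:     plain=%v wrapped=%v\n", modernCheck(plain), modernCheck(wrapped))
}
```

The practical rule that follows is the one the commit applies: once any layer of the code base wraps with `%w`, every existence check above it has to use `errors.Is` or it silently takes the wrong branch.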
When we fail to create the pipe we're using to signal a start, don't
complain about failing to create the creation pipe.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Set the default for user namespaces correctly for callers that don't use
our CLI, e.g. OpenShift or our own tutorials. When we don't do that,
commands invoked through RUN instructions can see weird things, in this
case an empty /sys/fs/cgroup directory.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This involves handling the fact that FreeBSD containers don't have a
Linux section in the spec and that mounting filesystem directories is
done with nullfs rather than bind.
Signed-off-by: Doug Rabson <dfr@rabson.org>