Use the CutPrefix(), SplitSeq(), and FieldsSeq() functions from the
strings package when chopping up or iterating over parts of strings, per
golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When we look up a stage that's referred to in a COPY --from argument,
treat the string as a stage number not only if it parses as one, as we
checked before, but now also require that the number correspond to one
of the stages that would be completed before the one into which the
content will be copied.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When building images for a `manifest` list using `--platform`, the same image
is used for multiple platforms if the base is `scratch`; the following PR adds a
check to always verify the `platform` of `cache` with `target`.
Closes: https://github.com/containers/podman/issues/18723
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
When building or committing an image in OCI format, default to setting
the org.opencontainers.image.created annotation to the value used in the
image's config blob for the image's creation date. The behavior can be
controlled using the new --created-annotation flag.
Add --annotation and --unsetannotation flags to `buildah commit` which
mimic the same flags for `buildah build`.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When RUN requires us to create the target for a mountpoint, make note of
it and any parent directories that needed to be created, and filter them
out when generating a layer diff or --output data.
The exceptions will be directories that the conformance tests confirm
that BuildKit also leaves behind, though for compatibility with the
classic builder, we have to make that conditional.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use $SOURCE_DATE_EPOCH as the default for the --source-date-epoch flag
to the "build" CLI.
When a source-date-epoch is set, we'll use it when writing new history
entries, force timestamps in data written for --output to the specified
timestamp, and populate a "SOURCE_DATE_EPOCH" ARG that we treat as
always being set, and which we don't complain about being left unused.
By default, this will not affect timestamps in newly-added layers.
Add a --rewrite-timestamp flag, which "clamps" timestamps in newly-added
layers to not be later than the --source-date-epoch value if the
--source-date-epoch flag is set, but has no effect otherwise.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
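The timestamp "clamping" that --rewrite-timestamp performs, as an added Go example that is not Buildah's own code: it walks a tar layer and moves any mtime later than the --source-date-epoch value back to that value, leaving earlier mtimes untouched. The function names and the two-file sample layer are constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
	"time"
)

// clampLayerTimestamps rewrites a tar layer so that no entry's mtime is later than
// sourceDateEpoch (Unix seconds); earlier mtimes stay. Returns the new layer and the clamp count.
func clampLayerTimestamps(layer []byte, sourceDateEpoch int64) ([]byte, int, error) {
	limit := time.Unix(sourceDateEpoch, 0)
	tr := tar.NewReader(bytes.NewReader(layer))
	var out bytes.Buffer
	tw := tar.NewWriter(&out)
	clamped := 0
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		} else if err != nil {
			return nil, 0, err
		}
		if hdr.ModTime.After(limit) { // only later timestamps move; earlier ones are kept
			hdr.ModTime = limit
			clamped++
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, 0, err
		}
		if _, err := io.Copy(tw, tr); err != nil {
			return nil, 0, err
		}
	}
	err := tw.Close() // writes the archive trailer before the bytes are read out
	return out.Bytes(), clamped, err
}

// sampleLayer is a constructed two-file layer (not a real image layer): one entry a day before the epoch, one a day after.
func sampleLayer(epoch int64) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, mtime := range map[string]int64{"old.txt": epoch - 86400, "new.txt": epoch + 86400} {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: 5, ModTime: time.Unix(mtime, 0), Typeflag: tar.TypeReg})
		tw.Write([]byte("hello"))
	}
	tw.Close()
	return buf.Bytes()
}
```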
Allow --output to be specified multiple times for `buildah build`.
That's of limited usefulness right now, but as exporters get added, it
won't be, and it's better to provide the new multiple-values API field
sooner rather than later.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Every stage now has its own copy of systemcontext.
When processing every stage, the platform spec in systemcontext must be
correctly reset.
Closes: https://github.com/containers/buildah/issues/5968
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
These experimental packages are now available in the Go standard
library since Go 1.21:
1. golang.org/x/exp/slices -> slices [1]
2. golang.org/x/exp/maps -> maps [2]
[1]: https://go.dev/doc/go1.21#slices
[2]: https://go.dev/doc/go1.21#maps
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Clean up the distinctions between the volumes slice and the volumeCache
and volumeCacheInfo maps so that --compat-volumes will work correctly
when we're building with multiple layers.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
The default configuration that `docker build` applies to images built
using "scratch" has changed from classic builds to BuildKit. Add a
toggle for selecting which behavior to mimic.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Make the traditional handling of volumes (where they're "frozen" and can
only be modified by ADD or COPY, which requires that we cache their
contents and save/restore them before/after RUN instructions) an option
that is not enabled by default.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Make setting the Parent field in the config blob of a docker format
image optional (yes, we're bringing it back!), since it no longer
appears to be set by newer versions of docker build.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use slices.Clone() and maps.Clone() instead of our own non-generic
functions. We have to be more careful in a couple of places where we
set items in maps which aren't unconditionally initialized.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This allows callers to provide custom SourceLookupReferenceFunc and
DestinationLookupReferenceFunc for cache pull/push. These can be used to
implement custom blob caches, and to wrap the reference being
pushed/pulled to influence the copy behavior.
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
Add support for using CDI to resolve `--device` devices for RUN
instructions during `buildah build`, `buildah from`, and `buildah run`,
as `podman run` does.
This generally requires that we stop resolving device specifications
(arguments passed to --device) earlier and defer that until it's time to
run a process, because CDI wants to pick over those values, modify a
runtime spec to set up the ones that it knows about, and then hand back
the list of values that it doesn't know about.
We don't want to do a dry run of this during CLI processing because that
would create a window where the underlying hardware state could change,
and that could produce some hard-to-diagnose errors.
Being able to test this is going to require that we add the `--device`
flag to `buildah run` (`--security-opt` affects how we build the
container's layer, so it has to be done at `buildah from`).
The default configured devices list is pulled in by CLI flag processing
during `buildah from` and `buildah build`, so it doesn't also need to be
explicitly passed to `buildah run` or the internal Run() method.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a --sbom flag to `buildah build` and `buildah commit` which will
scan the rootfs and specified context directories to build SPDX or
CycloneDX SBOMs and lists of package URLs.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use a definition of "scratch" that's exported by imagebuilder instead of
hard-coding it ourselves like it's just some magic value we came up
with, in the multiple places where we refer to it.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
All `[]string`s in containers.conf have now been migrated to attributed
string slices which require some adjustments in Buildah and Podman.
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This change is the first step of integrating appendable string arrays
into containers.conf and starts with enabling the `Env`, `Mounts`, and
`Volumes` fields in the `[Containers]` table.
Both Buildah and Podman read (and sometimes write) the fields of the
`Config` struct at various places, so I decided to migrate the fields
step-by-step. The ones in this change are the most critical ones for
customers. Once all string slices/arrays are migrated, the docs of
containers.conf will be updated. The current changes are entirely
transparent to users.
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When building a multi-stage image (without `--layers`) and a stage
contains only a base image, buildah removes the base image itself as
part of the cleanup process. This is a bug and the following commit
fixes that.
Reproducer:
```Dockerfile
FROM parent
FROM another-base
COPY --from=0 somefile .
```
`buildah build -t multi-stage .`
Closes: https://github.com/containers/podman/issues/20291
Signed-off-by: Aditya R <arajan@redhat.com>
Add a --cw option to `buildah build` and `buildah commit`, which takes a
comma-separated list of arguments and produces an image laid out for use
as a confidential workload:
type: sev or snp
attestation_url: location of a key broker server
cpus: expected number of virtual CPUs to run with
memory: expected megabytes of memory to run with
workload_id: a distinguishing identifier for the key broker server
ignore_attestation_errors: ignore errors registering the workload
passphrase: for encrypting the disk image
slop: extra space to allocate for the disk image
At least one of attestation_url and passphrase must be specified in
order for the encrypted disk image to be decryptable at run-time. Other
arguments can be omitted. ignore_attestation_errors is intentionally
undocumented, as it's mainly used to permit some amount of testing on
systems which don't have the required hardware.
Add an `mkcw` top-level command, for converting directly from an image
to a confidential workload.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Don't try to look up an image by name when we're committing an image,
because we don't want to accidentally take advantage of any fuzzy
matching that libimage might start doing. Instead, just use the
normalization call.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
build-arg warnings must honor globally defined arguments and must not
produce warnings if an argument is already defined globally.
Closes: https://github.com/containers/buildah/issues/4981
Signed-off-by: Aditya R <arajan@redhat.com>
`--layer-label` allows users to set labels on intermediate images agnostic
of the labels set on the actual image, since there are use cases where
users want to perform operations on intermediate images only on the basis
of certain labels.
Closes: https://github.com/containers/buildah/issues/4933
Signed-off-by: Aditya R <arajan@redhat.com>
In https://github.com/containers/buildah/pull/4673 we made a change where
we were applying labels at the end of each stage, which is different from
what we were doing before, i.e. applying labels at the end of each
step.
However, buildkit does not add labels to any stage or step; it only adds
labels at the end of the final stage, so let's do that.
Closes: https://github.com/containers/buildah/issues/4804
Signed-off-by: Aditya R <arajan@redhat.com>
Buildah currently applies labels to each intermediate image, which is not
the right thing to do since other builds use these intermediate images
and they can inherit the labels even though they never had this
intention.
Only apply labels to the final build, i.e. the last instruction of the last
stage, which will make sure that labels are only applied to the final image
and not to the intermediate images.
Closes: https://github.com/containers/buildah/issues/4632
Signed-off-by: Aditya R <arajan@redhat.com>
COPY must honor processing any argument, if any is configured, while
evaluating the `--from=` statement.
This makes the Containerfile below functional without any external
`--build-arg` value from the CLI:
```Dockerfile
ARG my_env=a
FROM alpine as stage_a
RUN /bin/true
FROM alpine
COPY --from=stage_${my_env} /bin/true true
```
Closes: https://github.com/containers/buildah/issues/4573
Signed-off-by: Aditya R <arajan@redhat.com>
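The two `COPY --from` rules described on this page, ARG expansion of the `--from=` value (the commit just above) and accepting a bare number as a stage reference only when it names a stage that completes before the current one (the earlier "COPY --from argument" commit), combined in one added Go example that is not Buildah's own code. The `stage` type, `resolveCopyFrom` and the stages mirroring the Containerfile above are constructed for illustration; `${var:-default}` forms and the fallback to an image reference are not covered.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// stage is what the resolver needs to know about a build stage: its position
// in the Containerfile and its optional "AS name".
type stage struct {
	index int
	name  string
}

// resolveCopyFrom resolves a COPY --from value for the stage at position
// current. The value is first expanded with the build args (so
// "stage_${my_env}" works), then treated as a stage number only if it parses
// as one AND that stage completes before current; otherwise it is matched
// against the names of earlier stages. ok == false means "not a stage", which
// a caller would then treat as an image reference (not shown here).
func resolveCopyFrom(from string, args map[string]string, stages []stage, current int) (index int, ok bool) {
	expanded := os.Expand(from, func(key string) string { return args[key] })
	if n, err := strconv.Atoi(expanded); err == nil && n >= 0 && n < current {
		return n, true // numeric and refers to an already-completed stage
	}
	for _, s := range stages {
		if s.name != "" && s.name == expanded && s.index < current {
			return s.index, true
		}
	}
	return -1, false
}

func main() {
	// Constructed stages mirroring the Containerfile above:
	// ARG my_env=a / FROM alpine as stage_a / FROM alpine
	stages := []stage{{0, "stage_a"}, {1, ""}}
	args := map[string]string{"my_env": "a"}
	for _, from := range []string{"stage_${my_env}", "0", "1", "7", "stage_b"} {
		idx, ok := resolveCopyFrom(from, args, stages, 1)
		fmt.Printf("%-16s -> index %d, stage=%t\n", from, idx, ok)
	}
}
```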