Add a --cw option to `buildah build` and `buildah commit`, which takes a
comma-separated list of arguments and produces an image laid out for use
as a confidential workload:
type: sev or snp
attestation_url: location of a key broker server
cpus: expected number of virtual CPUs to run with
memory: expected megabytes of memory to run with
workload_id: a distinguishing identifier for the key broker server
ignore_attestation_errors: ignore errors registering the workload
passphrase: for encrypting the disk image
slop: extra space to allocate for the disk image
At least one of attestation_url and passphrase must be specified in
order for the encrypted disk image to be decryptable at run-time. Other
arguments can be omitted. ignore_attestation_errors is intentionally
undocumented, as it's mainly used to permit some amount of testing on
systems which don't have the required hardware.
Add an `mkcw` top-level command, for converting directly from an image
to a confidential workload.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
`--layer-label` allows users to set labels on intermediate labels agnostic
of the labels set on actual image. Since there are use-cases where users
want to perform operation on intermediate images only on the basis of
certain labels.
Closes: https://github.com/containers/buildah/issues/4933
Signed-off-by: Aditya R <arajan@redhat.com>
We want to share these functions with Podman, Podman currently
has a slightly different version which is correct, so use correct
version in Buildah and vendor it into Podman.
Fixing: https://github.com/containers/podman/issues/18196
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Allows codifying build arguments into a structured file, perhaps one
named arguments.Containerargs
The build arg file also accepts comments starting #, so automated
tooling or CI/CD workflows can monitor arguments like versions to
ensure they are up-to-date.
Signed-off-by: Jack Wearden <jack@jackwearden.co.uk>
Allow containers running under buildah to use
--group-add keep-groups, so that they can inherit
access to the users groups.
Also allow users to add supplimental groups to the container.
Fixes: https://github.com/containers/buildah/issues/4476
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
In golang 1.19, `io/ioutil` is fully deprecated preventing Buildah from
compiling. Replace all calls with equivalent calls from the `os`
package.
Signed-off-by: Chris Evich <cevich@redhat.com>
Buildah must support multiple sources for remote cache when using
`--cache-to` and `--cache-from` so users can distribute and collect
cache from various sources.
We also need for compat with buildkit api which in past broke `podman`
compat build API see: https://github.com/containers/podman/pull/16380
More discussion here: https://github.com/containers/podman/pull/16380
Signed-off-by: Aditya R <arajan@redhat.com>
Conflict --isolation=chroot and --network, since internally --chroot
will always configure network ns equivalent to host.
Closes: https://github.com/containers/buildah/issues/4255
Signed-off-by: Aditya R <arajan@redhat.com>
Podman adds an Error: to every error message. So starting an error
message with "error" ends up being reported to the user as
Error: error ...
This patch removes the stutter.
Also ioutil.ReadFile errors report the Path, so wrapping the err message
with the path causes a stutter.
Signed-off-by: Daniel J Walsh dwalsh@redhat.com
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
In multi-stage builds buildah will skip stages which are unused (i.e
stages which don't contribute anything to target stage directly or
indirectly) however in certain cases users need to process these unused
stages hence add support for `--skip-unused-stages` which allows users
to control this behaviour.
Ref: https://github.com/GoogleContainerTools/kaniko#flag---skip-unused-stages
Closes: https://github.com/containers/buildah/issues/4243
Signed-off-by: Aditya R <arajan@redhat.com>
If user explicitly specified `--cache-ttl=0s
it would effectively mean that user is asking
to use no cache at all. In such use cases
buildah can skip looking for cache entierly
by setting `--no-cache=true` internally.
Closes: https://github.com/containers/buildah/issues/4244
Signed-off-by: Aditya R <arajan@redhat.com>
As per buildkit backend documentation when using the BuildKit backend, docker build searches for
a `.dockerignore` file relative to the Dockerfile name. For example, running `docker build -f myapp.Dockerfile .`
will first look for an ignore file named `myapp.Dockerfile.dockerignore`. If such a file is not found, the
`.dockerignore` file is used if present. Using a Dockerfile based `.dockerignore` is useful if a project contains
multiple Dockerfiles that expect to ignore different sets of files.
Following PR introduces this buildkit feature parity.
Closes: https://github.com/containers/buildah/issues/4236
Signed-off-by: Aditya R <arajan@redhat.com>
Allows users to configure `--retry` attempts and `--retry-delay`
duration using two additional flags for commands
* buildah build
* buildah pull
* buildah push
* buildah from
* buildah add
* buildah copy
Closes: https://github.com/containers/buildah/issues/4018
Not sure how we can test retry attempts in CI, but added a test in
tests/bud.bats which verfies we parse and added flag in other options
for sanity parsing checking.
Signed-off-by: Aditya R <arajan@redhat.com>
`build` or `bud` now supports a new flag `--cache-ttl` which accepts
duration and allows end users to ignore cache images which are not under
the specified duration.
Following flag is useful for setups/platforms which heavily relies on
`--layer` and buildah caching but want recompute certain `RUN` steps
after specified duration to make sure specific `RUN` steps are always
updated. Example `RUN dnf update` or `RUN dnf install`
Closes: https://github.com/containers/buildah/issues/4160
Somewhat similar to kaniko's: https://github.com/GoogleContainerTools/kaniko#--cache-ttl-duration
Signed-off-by: Aditya R <arajan@redhat.com>
Following commit
* Initiates `cacheKey` or `layerKey` for intermediate images generated
for layers.
* Allows end users to upload cached layers with `cacheKey` to remote
sources using `--cache-to`. `--cache-to` is a optional flag to be used
with `buildah build` which publishes cached layers to remote sources.
* Allows end users to use cached layers from `remote` sources with
`--cache-from`. `--cache-from` is a optional flag to be used with
`buildah build` and it pulls cached layers from remote sources in a step
by step manner only if is a valid cache hit.
Example
* Populate cache source or use cached layers if already present
```bash
buildah build -t test --layers --cache-to registry/myrepo/cache --cache-from registry/myrepo/cache .
```
Future:
* `cacheKey` or `layerKey` model is only being used when working with
remote sources however local cache lookup can be also optimized if its
is altered to use `cacheKey` model instead of iterating through all the
images in local storage. As discussed here
References:
* Feature is quite similar to `kaniko`'s `--cache-repo`: https://github.com/GoogleContainerTools/kaniko#--cache-repo
Closes: issues#620
Signed-off-by: Aditya R <arajan@redhat.com>
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Nalin Dahyabhai
Aditya R
Daniel J Walsh
Chris Bandy
Jack Wearden
Chris Evich
Ed Santiago
Sascha Grunert