Commit Graph

163 Commits

Author SHA1 Message Date
Jan Kaluza a0a9ac6380 Switch common, storage and image to monorepo.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
2025-08-29 15:04:28 +02:00
Nalin Dahyabhai df36bb835a commit: exclude parents of mount targets, too
When RUN requires us to create the target for a mountpoint, make note of
it and any parent directories that needed to be created, and filter them
out when generating a layer diff or --output data.

The exceptions will be directories that the conformance tests confirm
that BuildKit also leaves behind, though for compatibility with the
classic builder, we have to make that conditional.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-06-20 11:19:27 -04:00
Nalin Dahyabhai a3bea818b8 run: clean up parents of mount targets, too
When RUN requires us to create the target for a mountpoint, make note of
it and any parent directories that needed to be created, and clear them
all out if they look basically the same after the command finishes.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-06-20 11:19:27 -04:00
Nalin Dahyabhai 9e00b6b399 Run(): always clean up options.ExternalImageMounts
Make sure that we consistently unmount the list of images that we're
told to, even in cases where we return an error before arranging to do
so in Run().

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-01-23 11:29:28 -05:00
Nalin Dahyabhai 6e62bd0835 Fix TOCTOU error when bind and cache mounts use "src" values
Fix a time-of-check/time-of-use error when mounting type=bind and
type=cache directories that use a "src" flag.  A hostile writer could
use a concurrently-running stage or build to replace that "src" location
between the point when we had resolved possible symbolic links and when
runc/crun/whatever actually went to create the bind mount
(CVE-2024-11218).

Stop ignoring the "src" option for cache mounts when there's no "from"
option.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-01-17 09:59:55 -05:00
Nalin Dahyabhai 25a3b385af internal/volume.GetBindMount(): discard writes in bind mounts
When handling RUN --mount=type=bind, where the mount is read-write,
instead of a simple bind mount, create an overlay mount with an upper
directory that will be discarded after the overlay mount is unmounted.
This brings us in line with the expected behavior, wherein writes to
bind mounts should be discarded.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-01-17 09:59:55 -05:00
Paul Holzinger 5184bf1612 Add support for the new c/common pasta options
We always map 169.254.1.2 with pasta to the host now so ensure the
host.containers.internal entry is set correctly.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-09-06 17:05:52 +02:00
Nalin Dahyabhai a7098c776a imagebuildah: make traditional volume handling not the default
Make the traditional handling of volumes (where they're "frozen" and can
only be modified by ADD or COPY, which requires that we cache their
contents and save/restore them before/after RUN instructions) an option
that is not enabled by default.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2024-07-15 09:38:28 -04:00
Nalin Dahyabhai 5198af7d7c Add support for passing CDI specs to --device
Add support for using CDI to resolve `--device` devices for RUN
instructions during `buildah build`, `buildah from`, and `buildah run`,
as `podman run` does.

This generally requires that we stop resolving device specifications
(arguments passed to --device) earlier and deferring that until it's
time to run a process, because CDI wants to pick over those values,
modify a runtime spec to set up the ones that it knows about, and then
hand back the list of values that it doesn't know about.

We don't want to do a dry run of this during CLI processing because that
would create a window where the underlying hardware state could change,
and that could produce some hard-to-diagnose errors.

Being able to test this is going to require that we add the `--device`
flag to `buildah run` (`--security-opt` affects how we build the
container's layer, so it has to be done at `buildah from`).

The default configured devices list is pulled in by CLI flag processing
during `buildah from` and `buildah build`, so it doesn't also need to be
explicitly passed to `buildah run` or the internal Run() method.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2024-03-29 16:57:10 -04:00
Nalin Dahyabhai 14bf3db27a Update comments on some API objects
Avoid generically referring to "the container" where it can be ambiguous
that we're actually talking about the environment we set up for running
a command for a RUN instruction or Run() call.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2024-03-28 17:24:38 -04:00
Paul Holzinger 516f9e9a24 correctly configure /etc/hosts and resolv.conf when using network
Previously buildah may have created an incorrect hosts/resolv.conf file;
when netavark, slirp4netns or pasta are used we have to actually
consider their special setup and use the correct nameservers.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-03-18 14:38:01 +01:00
Daniel J Walsh 48a9c43718 Add --no-hostname option to buildah containers
Fixes: https://github.com/containers/buildah/issues/5093

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-10-24 19:43:56 -04:00
guoguangwu d22a5293be chore: pkg imported more than once
Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>
2023-06-27 13:35:36 +08:00
Aditya R d9578d32cd build, mount: allow relative mountpoints w.r.t. work dir
When working with `--mount=type=bind` and `--mount=type=cache`, allow
`target` to accept relative paths w.r.t. the configured work dir.

Closes: https://github.com/containers/buildah/issues/4309

Signed-off-by: Aditya R <arajan@redhat.com>
2022-12-15 16:30:34 +05:30
Miloslav Trmač a1698cde60 Update c/storage after https://github.com/containers/storage/pull/1436
... and update to remove the now-deprecated Locker interface.

[NO NEW TESTS NEEDED]

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2022-12-01 15:39:25 +01:00
Miloslav Trmač cfa10d16c9 Maintain cache mount locks as lock objects instead of paths
They exist in memory anyway, so this is more efficient:
we avoid the need to manually touch the filesystem again,
the associated costs - and the error paths go away.

[NO NEW TESTS NEEDED]

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2022-10-19 23:23:33 +02:00
Ashley Cui 236c0bab10 Fix TODO: de-spaghettify run mounts
Code Cleanup: Buildkit run mount setup functions no longer have 13
arguments and are slightly more readable. Use structs instead.

[NO NEW TESTS NEEDED]

Signed-off-by: Ashley Cui <acui@redhat.com>
2022-06-06 17:22:39 -04:00
Aditya R a4c57068fa buildkit: mount=type=cache support locking external cache store
A shared cache on the host must support locking so that other parallel/concurrent
builds will wait for the currently executing RUN statement to finish.

* Locks the cache store as soon as RUN is triggered.
* Locked target is added to cleanup list so it can be unlocked as soon
  as RUN step is completed.

Signed-off-by: Aditya R <arajan@redhat.com>
2022-03-21 10:02:00 +05:30
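An added example of the locking discipline the commit above describes, written for this page rather than taken from buildah: an exclusive advisory lock on a file inside the shared cache directory, taken when the RUN step starts and released from the step's cleanup so that a second build mounting the same host location blocks until the first finishes. `LockCache`, `TryLockCache`, `RunWithCache` and the lock file name are hypothetical; the real implementation may well keep its locks elsewhere (a later commit on this page moves them to in-memory lock objects).

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// lockName is a hypothetical lock file kept inside the cache directory so
// every build that mounts the same host path contends for the same lock.
const lockName = ".cache-mount.lock"

// CacheLock is an exclusive flock(2) on the cache directory's lock file.
// flock locks belong to the open file description, so two opens of the
// same file conflict even inside one process.
type CacheLock struct{ f *os.File }

// LockCache blocks until the exclusive lock is held.
func LockCache(cacheDir string) (*CacheLock, error) { return lockCache(cacheDir, 0) }

// TryLockCache returns (nil, nil) when another build currently holds the lock.
func TryLockCache(cacheDir string) (*CacheLock, error) {
	l, err := lockCache(cacheDir, syscall.LOCK_NB)
	if err == syscall.EWOULDBLOCK {
		return nil, nil
	}
	return l, err
}

func lockCache(cacheDir string, extra int) (*CacheLock, error) {
	if err := os.MkdirAll(cacheDir, 0o755); err != nil {
		return nil, err
	}
	f, err := os.OpenFile(filepath.Join(cacheDir, lockName), os.O_CREATE|os.O_RDWR, 0o600)
	if err != nil {
		return nil, err
	}
	if err := syscall.Flock(int(f.Fd()), syscall.LOCK_EX|extra); err != nil {
		f.Close()
		return nil, err
	}
	return &CacheLock{f: f}, nil
}

// Unlock releases the lock. The RUN step's cleanup list must call this on
// error paths too, otherwise every other build waits forever.
func (l *CacheLock) Unlock() error {
	err := syscall.Flock(int(l.f.Fd()), syscall.LOCK_UN)
	if cerr := l.f.Close(); err == nil {
		err = cerr
	}
	return err
}

// RunWithCache brackets one build step with the lock: lock as soon as the
// RUN is triggered, unlock when the step completes (including on error).
func RunWithCache(cacheDir string, step func() error) error {
	l, err := LockCache(cacheDir)
	if err != nil {
		return err
	}
	defer l.Unlock()
	return step()
}

func main() {
	dir, err := os.MkdirTemp("", "cache-mount-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	err = RunWithCache(dir, func() error {
		other, err := TryLockCache(dir) // a concurrent build trying the same cache
		if err != nil {
			return err
		}
		fmt.Println("second build got the lock while RUN is active:", other != nil)
		return nil
	})
	if err != nil {
		panic(err)
	}
}
```

Because the lock is advisory, it only protects builds that agree on the same lock file; a process that bind-mounts the directory directly is not held back.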
Daniel J Walsh deb9c69efe Add --no-hosts flag to eliminate use of /etc/hosts within containers
Users want to turn off addition of the /etc/hosts file while building
container images; this would allow them to customize the /etc/hosts
file within the image.

Fixes: https://github.com/containers/buildah/issues/3808

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-03-10 08:52:28 -05:00
Giuseppe Scrivano 5a999cfbd5 buildah: new global option --cgroup-manager
Allow overriding the cgroup manager with a global option
--cgroup-manager=MANAGER that has the same semantics as in Podman.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-02-14 14:39:21 +01:00
Aditya Rajan 719b660462 buildkit: add from field to bind and cache mounts so images can be used as source
The following commit adds BuildKit-like support for the `from` field to `--mount=type=bind`
and `--mount=type=cache` so that images and stages can be used as the mount source.

Usage looks like
```dockerfile
RUN --mount=type=bind,source=.,from=<your-image>,target=/path ls /path
```
and
```dockerfile
RUN --mount=type=cache,from=<your-image>,target=/path ls /path
```

Signed-off-by: Aditya Rajan <arajan@redhat.com>
2022-01-08 16:58:38 +05:30
Ashley Cui 326edb312e Add support for env var secret sources
Run secrets can now be created from an environment variable. The
environment variable is read and is briefly stored as a file on /dev/shm
when it's being used, and the file is removed after the RUN command is
finished.

Fixes: #3524

Signed-off-by: Ashley Cui <acui@redhat.com>
2021-10-26 13:18:00 -04:00
Aditya Rajan f0d3140e5a build: Add support for buildkit like --mount=type=bind
The following commit adds support for using BuildKit-like
`--mount=type=bind` with `RUN` statements. Mounts created by `--mount`
are transient in nature and only scoped to the current RUN statement.

Signed-off-by: Aditya Rajan <arajan@redhat.com>
2021-10-06 13:45:53 +05:30
Ashley Cui 3a5635f90b Implement SSH RUN mount
Allow ssh socket from host or certain ssh keys to be exposed to a
certain RUN instruction, but not any other instructions, as well as not
showing up in the final image.
This is done by spawning a new agent from buildah and mounting
the listening socket inside the run. SSH_AUTH_SOCK inside the container
will be set to the socket mountpoint. The default mountpoint is
/run/buildkit/ssh_agent.{i}

Signed-off-by: Ashley Cui <acui@redhat.com>
2021-08-06 09:00:06 -04:00
Daniel J Walsh d7d078561c Send logrus messages back to caller when building
We want Info, Warning and Debug logrus messages to be written to the
buildah stderr. This way, when podman-remote is using build, it will
get the messages back on the client side.

[NO TESTS NEEDED] Since this will be tested in Podman.

Fixes: https://github.com/containers/buildah/issues/3214

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-05-15 03:55:05 -04:00
Ashley Cui c8002d9739 Add support for secret mounts
Add support for secrets. Secrets are a two-part flag that allows secret files to
be accessed for a certain RUN instruction, but not any other
instructions, as well as not showing up in the final image.

Signed-off-by: Ashley Cui <acui@redhat.com>
2021-04-23 09:19:43 -04:00
Daniel J Walsh 4704e6cb3f Eliminate the use of containers/building import in pkg subdirs
We want to shrink the size of the import when importing pkg from
buildah. This should help us shrink the size of the golang bindings
in podman.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-02-12 12:43:08 -05:00
Josh Soref c7963db369 Spelling
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-21 16:47:18 -05:00
Nalin Dahyabhai bf41a3d707 Makefile: tweak the cross-compile target
What `go tool dist list` says the toolchain supports changes, so this
change removes these attempted cross-compile build targets.
* GOOS=darwin, GOARCH unspecified
* GOOS=darwin, GOARCH=386

Replace our use of slices of
github.com/opencontainers/runc/libcontainer/configs.Device structures
with a locally-defined type alias so that we can avoid importing the
package on non-Unixy systems.  The result is not going to be a very
useful binary on non-Linux systems, but it helps ensure that our
subpackages won't break compilation for other projects who consume us as
a library.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2020-09-24 12:09:48 -04:00
Daniel J Walsh 20a33e0791 Add --devices flag to bud and from
Some Dockerfiles (fuse-overlay) require additional devices to be in the
build environment.

This patch allows the user to specify additional devices.

Also I noticed that CapAdd and CapDrop was not working in buildah bud situations,
so this patch also fixes this.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1820
Approved by: @TomSweeneyRedHat
2019-09-07 17:32:43 +00:00
baude 34e7eba408 allow podman to build a client for windows
the podman remote-client for windows pulls in some buildah code for
things like commit and build.  we need to perform some slight
refactoring of buildah code to accommodate that build.

Signed-off-by: baude <bbaude@redhat.com>

Closes: #1551
Approved by: rhatdan
2019-04-26 19:16:11 +00:00
Daniel J Walsh 135542ecf0 Move Host IDMappings code from util to unshare
This will make vendoring in pkg/unshare easier into other
packages like skopeo.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1532
Approved by: TomSweeneyRedHat
2019-04-18 19:46:22 +00:00
James Cassell cd1b62a9ad auto pass http_proxy to container
- pass all proxy env vars
- --http-proxy option for bud and from
- bash_completion and docs

Signed-off-by: James Cassell <code@james.cassell.me>

Closes: #1525
Approved by: giuseppe
2019-04-17 14:33:46 +00:00
Qi Wang d43787be28 add --dns* flags to buildah bud
use --dns* flags to change /etc/resolv.conf in the container during the build.

Signed-off-by: Qi Wang <qiwan@redhat.com>

Closes: #1491
Approved by: rhatdan
2019-04-12 21:01:30 +00:00
Giuseppe Scrivano ac66d785d4 unshare: move to pkg/
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1475
Approved by: rhatdan
2019-04-05 03:04:46 +00:00
Daniel J Walsh 3d74031301 Move pkg/chrootuser from libpod to buildah.
We don't want to vendor anything from libpod into Buildah.
We want to switch this around.  Moving pkg content from libpod
to Buildah allows us to fix this.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1400
Approved by: giuseppe
2019-03-26 15:45:33 +00:00
Valentin Rothberg d1c75eabb6 bump github.com/containernetworking/cni to v0.7.0-rc2
The {Add,Del}NetworkList APIs were extended with a context parameter,
which require adjustments in the code.

Fixes: #1433
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

Closes: #1434
Approved by: rhatdan
2019-03-22 22:24:13 +00:00
Giuseppe Scrivano c6ae5c5a0c rootless: by default use the host network namespace
if --net is not specified, default to use the host network namespace.

It is still possible to use slirp4netns with --network container.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1690209

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1421
Approved by: rhatdan
2019-03-21 18:21:22 +00:00
Giuseppe Scrivano a986f34af5 slirp4netns: set mtu to 65520
It significantly improves the performance of the slirp4netns network:

777bdcccef (iperf3-netns---host)

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1404
Approved by: vrothberg
2019-03-15 08:56:49 +00:00
Giuseppe Scrivano 042a249e73 rootless: honor --net host
When running in rootless mode, do not use slirp4netns if --net host is
specified.

Closes: https://github.com/containers/buildah/issues/1223

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-03-12 13:48:02 +01:00
Daniel J Walsh 36605c29eb Prepend a comment to files setup in container
setup.rpm attempts to modify /etc/hosts, if it thinks
it has never been modified.  By adding a #comment to the
front of the file, it should prevent this from blowing up
the build.

Also add hostname to the /etc/hosts file linked to localhost

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1313
Approved by: vrothberg
2019-03-09 14:24:50 +00:00
Daniel J Walsh e7e4122e1f Move secrets code from libpod into buildah
Starting to remove dependency on libpod from buildah.
secrets is used so that builds can access RHEL subscriptions,
so this makes more sense to be in buildah than libpod.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1366
Approved by: vrothberg
2019-02-26 13:34:18 +00:00
Miloslav Trmač c8727b4033 Fix a few issues found by tests/validate/gometalinter.sh
For some reason, the CI does not report any of these; on macOS
I see many more reports (including complaints about the standard
library), this only cleans up the trivial cases.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1365
Approved by: rhatdan
2019-02-25 10:27:46 +00:00
Nalin Dahyabhai fa8653314a run: ignore EIO when flushing at the end, avoid double log
When reading the last of the output from a child process, ignore an EIO,
since we already got the HUP indication.

Avoid double-logging errors in our I/O loop when using isolation other
than chroot (spotted by @afbjorklund).

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1273
Approved by: rhatdan
2019-01-12 12:04:54 +00:00
Anders F Björklund 5d22f3ced9 Make rootless work under no_pivot_root
Previously only done for root isolation

Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>

Closes: #1261
Approved by: rhatdan
2019-01-10 13:15:42 +00:00
Daniel J Walsh 3cb835dfef Properly handle Hostname inside of RUN command
This will get buildah bud to follow docker build handling of
hostname environment variable and hostname command properly

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1242
Approved by: giuseppe
2018-12-19 12:24:57 +00:00
Giuseppe Scrivano 48cede4ed0 rootless: do not specify --rootless to the OCI runtime
runc has a good "auto detect" mode to find out when running in
rootless mode.  It also makes it easier to plug in another OCI runtime,
since --rootless is not part of the OCI specs.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1145
Approved by: TomSweeneyRedHat
2018-11-08 15:57:52 +00:00
Giuseppe Scrivano 3cebe4f2c4 run: bind mount /etc/hosts and /etc/resolv.conf if not in a volume
change the logic for bind mounting /etc/hosts and /etc/resolv.conf in
the container.  Now they are not bind mounted when they are specified
as volumes, so it is still possible to have them writeable in the
container.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1156
Approved by: rhatdan
2018-11-08 10:16:30 +00:00
Giuseppe Scrivano 68ee943fac rootless: use slirp4netns to setup the network namespace
If slirp4netns is available, use it to configure the network for the
rootless isolation mode.

Closes: https://github.com/containers/buildah/issues/1139

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1156
Approved by: rhatdan
2018-11-08 10:16:30 +00:00
Nalin Dahyabhai ff57e92d44 rootless: only discard network configuration names
When changing settings for rootless containers, only discard the part of
the networking configuration that specifies which networks we want to
configure, and preserve whether or not we want to use the host's network
namespace.

If we were told to create an empty network namespace or to just attach
to another namespace, go ahead and try to do that.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1146
Approved by: rhatdan
2018-11-06 22:10:28 +00:00