This change is required to allow podman for windows to build.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1855
Approved by: TomSweeneyRedHat
Some Dockerfiles (fuse-overlay) require additional devices to be in the
build environment.
This patch allows the user to specify additional devices.
Also I noticed that CapAdd and CapDrop were not working in buildah bud situations,
so this patch also fixes this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1820
Approved by: @TomSweeneyRedHat
Also, ensure ordering is correct on other entries. The current
code will increment *after* checking for validity in some cases,
which allows such options as '-v /tmp:/test1:ro,rw' to pass
validation when they obviously don't make much sense.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Closes: #1794
Approved by: rhatdan
when running in rootless mode, use fuse-overlayfs for mounting the
overlay file system on the host. Then create a bind mount inside the
container.
Closes: https://github.com/containers/buildah/issues/1741
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1743
Approved by: rhatdan
This commit enables the golint linter in golangci-lint and applies all
necessary fixes.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Closes: #1740
Approved by: rhatdan
move ValidateVolumeOpts from libpod to buildah so libpod can vendor it in.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Closes: #1698
Approved by: rhatdan
close #1464
fix the parsing typo cpu-shared of --cpu-shares.
fix expect value in from.bats
Signed-off-by: Qi Wang <qiwan@redhat.com>
Closes: #1662
Approved by: TomSweeneyRedHat
Overlay mounts allow buildah bud and buildah from to
specify a directory on the disk that will be mounted
as an overlay into the container, where the overlay can be written to
but when the RUN or buildah run exits, the modified files will disappear.
The basic idea is to be able to mount cache from the disk for things like yum/dnf/apt
to be able to be used and modified in the container on a run command, but to be
kept fresh for each RUN.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1560
Approved by: giuseppe
Fix the bug that buildah reads /var/run/containers.. as authentication file (in readme files it should be /run/containers/uid).
Add `buildah login`, `buildah logout` to close #1329, making it possible to use buildah login before running buildah bud for multi-stage bud and to avoid using the --creds flag.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Closes: #1501
Approved by: rhatdan
buildah bud is ignoring --volumes flag.
This patch parses the volumes and then passes them into the builder to be used.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1559
Approved by: vrothberg
The podman remote-client for windows pulls in some buildah code for
things like commit and build. We need to perform some slight
refactoring of buildah code to accommodate that build.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1551
Approved by: rhatdan
- pass all proxy env vars
- --http-proxy option for bud and from
- bash_completion and docs
Signed-off-by: James Cassell <code@james.cassell.me>
Closes: #1525
Approved by: giuseppe
use --dns* flags to change /etc/resolv.conf in the container during the build.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Closes: #1491
Approved by: rhatdan
Cobra does not allow a "," in a StringSlice, so we should
be using StringArrays. This fixes issues with setting
security-opts level flags.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1467
Approved by: TomSweeneyRedHat
if --net is not specified, default to use the host network namespace.
It is still possible to use slirp4netns with --network container.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1690209
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1421
Approved by: rhatdan
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Fix the polarity of tls-verify, during the Cobra conversion
it was inadvertently flipped.
At least partially addresses: #1332
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #1351
Approved by: rhatdan
Mostly this is a straightforward elimination of manual GetRegistries calls.
In getCopyOptions, we just remove setting the DockerInsecureSkipTLSVerify
values because the docker:// transport now does that automatically. (This
actually changes behavior, because docker:// supports namespace prefixes
in addition to matching only by hostnames, but that's a superset of the
previous behavior.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #1214
Approved by: rhatdan
To verify the value of the isolation, verify that all strings are the same, not just the beginning of the string.
Avoid users mistakenly thinking that the wrong value entered is also a correct value.
```
➜ buildah git:(isolation-fix) ✗ buildah from --isolation chrootcc cc510acfcd70
fedora-working-container-7
```
After Change:
```
➜ buildah git:(isolation-fix) ✗ ./buildah from --isolation chrootcc cc510acfcd70
unrecognized isolation type "chrootcc"
ERRO[0000] exit status 1
```
Signed-off-by: Zhou Hao <zhouhao@cn.fujitsu.com>
Closes: #1067
Approved by: rhatdan
The image library's copy routine doesn't itself consult the registries
configuration in order to decide whether or not to disable TLS
verification when communicating with a registry, so it's on us to use
the name of a source or destination image to decide whether to set the
flag for that behavior.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1056
Approved by: rhatdan
Add a new Isolation value: IsolationOCIRootless, for which we add a
global --rootless=true flag and a local --no-new-keyring flag when
creating a runtime container, and make some changes to the mounts list,
default namespacing configurations, and supplemental groups list.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #873
Approved by: rhatdan
When using chroot isolation, if we're configured to raise any process
limits above their current values, do so in the grandparent process,
before it transfers execution to a child that it starts in a user
namespace, which won't have the privileges to do so.
The child can still lower resource limits and set limits to the values
that it inherited, so let it continue to do so.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #891
Approved by: rhatdan
We want to set the maximum number of processes and number of open files
to match the Docker defaults.
nofile=1048576:1048576, nproc=1048576:1048576
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #891
Approved by: rhatdan
Add an IsolationChroot that trades flexibility and isolation for being
able to do what it does in a host environment that's already isolated to
the point where we're not allowed to set up some of that isolation,
producing a result that leans more toward chroot(1) than runc(1) does.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #836
Approved by: rhatdan
Add the basics of handling the "--isolation" option, though at the
moment, the only recognized option is "oci", which is our default.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #822
Approved by: rhatdan
Append address+"\t"+hostname to the hosts file instead of the
"hostname:address" format that we picked up from the command line.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #798
Approved by: rhatdan
Allow --userns-uid-map and --userns-gid-map to be specified as global
options, which can be overridden by options specified to commands which
know them as non-global options.
This will mainly benefit tools that want to set ID mappings for buildah
to use, but which don't want to have to figure out whether or not
they're invoking it with a subcommand that recognizes these options.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #803
Approved by: rhatdan
Print proper error message if the host or container paths
are relative paths. Only absolute paths are allowed.
Fix the buildah run documentation for the --volume flag
and add an example.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #643
Approved by: rhatdan
Projects like libpod would benefit greatly if we could vendor in buildah
rather than execing it. This refactor moves some of the key parsing
functions that bud uses to pkg/parse so that the project vendoring
buildah can also benefit from them.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #608
Approved by: rhatdan