Commit Graph

106 Commits

Author SHA1 Message Date
OpenShift Merge Robot d6b04349fe
Merge pull request #3593 from rhatdan/group
Rootless containers users should use additional groups
2021-10-21 17:45:42 +00:00
Daniel J Walsh 08b55f91cc
Rootless containers users should use additional groups
Fixes https://github.com/containers/buildah/issues/3592

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-10-20 14:22:42 -04:00
chenk008 03186a3307 Support overlayfs path contains colon
In Linux, a directory name can contain a colon.
Add support for mount paths that contain a colon.

buildah run --volume /root/a\\:b:/root/test:O

Signed-off-by: chenk008 <kongchen28@gmail.com>
2021-10-20 14:40:38 +08:00
OpenShift Merge Robot e4a4f2c0d4
Merge pull request #3586 from rhatdan/docs
Add support for host.containers.internal in the /etc/hosts
2021-10-15 01:08:56 +02:00
Daniel J Walsh f8c152694c
Add support for host.containers.internal in the /etc/hosts
Also switch default hostname from truncated ContainerID to Container
name.

It makes more sense that a user would know the name of the container
versus the generated id, so we should use this as a default.

Fixes: https://github.com/containers/buildah/issues/3509

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-10-14 13:21:25 -04:00
Aditya Rajan fc69aa68c2
buildkit: add support for mount=type=cache
Following PR introduces a new mount type=cache in parity to buildkit
which allows users to share persistent cache between different builds.

This allows users to cache content generated by business logic or to enhance
build performance by caching components across builds.

Signed-off-by: Aditya Rajan <arajan@redhat.com>
2021-10-14 16:07:11 +05:30
Ashley Cui b9b3184632 Default secret mode to 400
Fixed a bug where buildah bud mounted secrets permissions were incorrect due to a decimal/octal conversion error. buildah bud mounted secrets now have a default permission of 400. Fixes #3557

Signed-off-by: Ashley Cui <acui@redhat.com>
2021-10-12 16:00:23 -04:00
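The decimal/octal mix-up this commit describes is easy to reproduce: a mode written by the user as "400" means octal 0o400 (owner read only), but parsed in base 10 it becomes 400 = 0o620, which grants group write. The following is an added example, not buildah's own code; ParseSecretMode, parseModeBuggy, ApplyAndStat and DefaultSecretMode are illustrative names, and the file written is a constructed stand-in for a mounted secret.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// DefaultSecretMode is the default the commit settles on: owner read only.
const DefaultSecretMode os.FileMode = 0o400

// parseModeBuggy reproduces the class of mistake the commit fixed: the
// user's "400" is read as decimal 400, i.e. 0o620 (rw--w----), so the
// secret becomes group-writable. Illustrative reconstruction only.
func parseModeBuggy(s string) (os.FileMode, error) {
	n, err := strconv.ParseUint(s, 10, 32)
	if err != nil {
		return 0, err
	}
	return os.FileMode(n), nil
}

// ParseSecretMode parses a mode string the way users write it: octal
// digits, permission bits only. Anything else is rejected rather than
// silently masked, so a typo cannot widen access.
func ParseSecretMode(s string) (os.FileMode, error) {
	n, err := strconv.ParseUint(s, 8, 32)
	if err != nil {
		return 0, fmt.Errorf("invalid mode %q: must be octal digits: %w", s, err)
	}
	if n > 0o777 {
		return 0, fmt.Errorf("invalid mode %q: only permission bits are allowed", s)
	}
	return os.FileMode(n), nil
}

// ApplyAndStat writes a constructed secret file, chmods it to mode and
// returns the permission bits the filesystem actually reports, so the
// effect of each parse can be observed rather than inferred.
func ApplyAndStat(mode os.FileMode) (os.FileMode, error) {
	f, err := os.CreateTemp("", "secret-demo-")
	if err != nil {
		return 0, err
	}
	defer os.Remove(f.Name())
	if _, err := f.Write([]byte("constructed secret value\n")); err != nil {
		f.Close()
		return 0, err
	}
	if err := f.Close(); err != nil {
		return 0, err
	}
	if err := os.Chmod(f.Name(), mode); err != nil {
		return 0, err
	}
	fi, err := os.Stat(f.Name())
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

func main() {
	for _, s := range []string{"400", "644", "4000", "8"} {
		good, gerr := ParseSecretMode(s)
		bad, berr := parseModeBuggy(s)
		fmt.Printf("%-5s octal=%v (err=%v)  decimal=%v (err=%v)\n", s, good, gerr, bad, berr)
	}
	for _, m := range []os.FileMode{DefaultSecretMode, 0o620} {
		got, err := ApplyAndStat(m)
		fmt.Printf("chmod %#o -> on disk %v (err=%v)\n", uint32(m), got, err)
	}
}
```

Note that os.Chmod is not subject to the umask, so the bits reported by Stat are exactly the parsed value; a secret parsed as decimal 400 really ends up as rw--w---- on disk.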
Aditya Rajan e96df7060c
buildkit: Add support for --mount=type=tmpfs
Following PR adds support for buildkit like `--mount=type=tmpfs` which
allows end users to mount a chunk of volatile memory instead of a persistent storage device.

Signed-off-by: Aditya Rajan <arajan@redhat.com>
2021-10-08 13:29:57 +05:30
Aditya Rajan f0d3140e5a
build: Add support for buildkit like --mount=type=bind
Following commit adds support for using buildkit like
`--mount=type=bind` with `RUN` statements. Mounts created by `--mount`
are transient in nature and only scoped to current RUN statements.

Signed-off-by: Aditya Rajan <arajan@redhat.com>
2021-10-06 13:45:53 +05:30
OpenShift Merge Robot bc718ca758
Merge pull request #3540 from rhatdan/log-level
Plumb the remote logger throughout Buildah
2021-09-30 03:52:31 -04:00
OpenShift Merge Robot 455f2f11d9
Merge pull request #3525 from flouthoc/cleanup-run-directory-after-step
build: Cleanup transient mount destinations with every RUN step
2021-09-28 17:18:26 -04:00
Daniel J Walsh 00ba17b37a
Plumb the remote logger throughout Buildah
Users are not seeing Warnings when doing podman --remote build.
We need to wire the logrus messages all the way through the system.

Fixes: https://github.com/containers/buildah/issues/3537

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-09-28 14:48:16 -04:00
Nalin Dahyabhai c6e2a5e87d Replace fmt.Sprintf("%d", x) with strconv.Itoa(x)
Replace calls to fmt.Sprintf("%d", x) with strconv.Itoa(x), which is
slightly faster.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2021-09-27 18:27:22 -04:00
Aditya Rajan 4cb43961b8
Run: Cleanup run directory after every RUN step
Following commit ensures that we clean up dangling `/run` after every RUN
command and make sure that it does not persist on the physical image. Ensures
parity with how docker behaves with `.dockerenv`.

Signed-off-by: Aditya Rajan <arajan@redhat.com>
2021-09-27 19:59:20 +05:30
Nalin Dahyabhai a314d2a6ca Makefile: turn on race detection whenever it's available
Check if `go test` supports the -race flag on the build platform, and if
so, use it for unit tests instead of just assuming that it's always
available.

Use sync/atomic to safely use a uint32 instead of a bool to keep track
of whether or not the process we started for RUN has stopped.

[NO NEW TESTS NEEDED]

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2021-09-16 14:19:19 -04:00
Nalin Dahyabhai 1ec4983d50 Replace golang.org/x/crypto/ssh/terminal with golang.org/x/term
The golang.org/x/crypto/ssh/terminal package has been deprecated and
replaced upstream by golang.org/x/term, so switch to that.  It's a
simple 1:1 replacement.

[NO NEW TESTS NEEDED]

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2021-08-24 15:35:12 -04:00
Nalin Dahyabhai 32c68951a4 imagebuildah: handle --manifest directly
When we're told to add built images to a manifest list, manipulate the
list ourselves, so that if we're creating a list, we won't have a
partially-populated list if some of the builds fail.

This also lets us include all of the platform information (including
variant info, which we can't sniff out after the fact) that we were
given when we started building the images.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2021-08-17 11:05:28 -04:00
openshift-ci[bot] c6908de514
Merge pull request #3424 from Luap99/resolv
Fix resolv.conf content with run --net=private
2021-08-10 17:29:29 +00:00
openshift-ci[bot] 88f55c8f15
Merge pull request #3409 from ashley-cui/sshagent
Implement SSH RUN mount
2021-08-06 22:35:40 +00:00
Ashley Cui 3a5635f90b Implement SSH RUN mount
Allow ssh socket from host or certain ssh keys to be exposed to a
certain RUN instruction, but not any other instructions, as well as not
showing up in the final image.
This is done by spawning a new agent from buildah and mounting
the listening socket inside the run. SSH_AUTH_SOCK inside the container
will be set to the socket mountpoint. The default mountpoint is
/run/buildkit/ssh_agent.{i}

Signed-off-by: Ashley Cui <acui@redhat.com>
2021-08-06 09:00:06 -04:00
Paul Holzinger f90481d03a
Fix resolv.conf content with run --net=private
Make sure to use the correct resolv.conf in case of systemd-resolved.
Also filter out 127... nameserver when run in private netns.

Fixes #2780

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2021-08-06 12:32:43 +02:00
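The filtering step this commit describes (dropping 127.x nameservers before handing resolv.conf to a container in its own network namespace) can be shown on a constructed file. The example below is added here and is not buildah's code; FilterLoopbackNameservers is an illustrative name, the resolv.conf content is constructed, and the function goes slightly beyond the commit by also dropping ::1, since any loopback address is equally unreachable from a private netns.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// sampleResolvConf is a constructed stand-in for the stub file that
// systemd-resolved installs on a host; the loopback stub listener is
// the entry that breaks name resolution inside a private netns.
const sampleResolvConf = `# constructed sample, modelled on a systemd-resolved stub file
nameserver 127.0.0.53
options edns0 trust-ad
search example.internal
nameserver 10.0.0.2
nameserver fd00::1
nameserver ::1
`

// FilterLoopbackNameservers returns the lines to keep and the lines that
// were dropped. A "nameserver" entry is dropped when its address is a
// loopback address: a container with --net=private has its own loopback
// interface, so nothing listens there and lookups would simply time out.
// Comments, options, search domains and malformed lines are passed through
// unchanged so the rest of the file keeps its meaning.
func FilterLoopbackNameservers(content string) (kept []string, dropped []string) {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == "nameserver" {
			if ip := net.ParseIP(fields[1]); ip != nil && ip.IsLoopback() {
				dropped = append(dropped, line)
				continue
			}
		}
		kept = append(kept, line)
	}
	return kept, dropped
}

// RemainingNameservers lists the nameserver addresses that survive the
// filter, which is what a caller would check before writing the file into
// the container: an empty result means a fallback server is needed.
func RemainingNameservers(kept []string) []string {
	var out []string
	for _, line := range kept {
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == "nameserver" {
			out = append(out, fields[1])
		}
	}
	return out
}

func main() {
	kept, dropped := FilterLoopbackNameservers(sampleResolvConf)
	fmt.Println("dropped:")
	for _, l := range dropped {
		fmt.Println("  ", l)
	}
	fmt.Println("resolv.conf for the container:")
	fmt.Println(strings.Join(kept, "\n"))
	fmt.Println("usable nameservers:", RemainingNameservers(kept))
}
```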
Valentin Rothberg 078efc2197 run: fix nil deref using the option's logger
[NO TESTS NEEDED] since I've no idea how to force it.

Reported-in: containers/podman/issues/11148
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-08-06 11:13:01 +02:00
Daniel J Walsh bb738d4406
Allow dst and destination for target in secret mounts
Fixes: https://github.com/containers/buildah/issues/3396

Patch from @mixedCase

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-07-22 14:47:22 -04:00
Daniel J Walsh 902d579a1f
Turn stdio back to blocking when command finishes
Fixes: https://github.com/containers/buildah/issues/3152

Sometimes after running buildah run in a terminal, commands executed afterwards which try to read from stdin fail with EAGAIN. This is because it sets O_NONBLOCK on the FD:

[NO TESTS NEEDED] Since I don't know how to test this.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-06-25 03:14:26 -04:00
Matthew Heon fdf344c651 Add support for default network creation
As part of the podman-machine work, we need to stop distributing
the default CNI configuration that has traditionally been
supplied by Podman, 87-podman.conflist. Buildah (as root) also
uses this file, and will be unable to set up container networking
without it.

The replacement we've introduced is the ability to automatically
create said configuration file using a package in
containers/common. This has already been added to Podman, and
this PR adds it to Buildah.

[NO TESTS NEEDED] as there's no real easy way to verify that
Buildah made the network - no explicit command for listing
networks.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2021-06-23 14:32:52 -04:00
Daniel J Walsh d7d078561c
Send logrus messages back to caller when building
We want Info, Warning and Debug logrus messages to be written to the
buildah stderr. This way when podman-remote is using build, it will
get the messages back on the client side.

[NO TESTS NEEDED] Since this will be tested in Podman.

Fixes: https://github.com/containers/buildah/issues/3214

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-05-15 03:55:05 -04:00
Daniel J Walsh 79bdccafb9
Fix race condition
Ed has found situations where the container exits, before we can check
the state causing a failure, where I think we can complete successfully.

Fixes: https://github.com/containers/buildah/issues/3113

[NO TESTS NEEDED] since I have no way to generate this race condition.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-05-10 07:18:09 -04:00
OpenShift Merge Robot baae671fb5
Merge pull request #3187 from nalind/relay-errors
runUsingRuntime: when relaying error from the runtime, mention that it's from the runtime
2021-04-28 18:41:06 -04:00
Nalin Dahyabhai f6cd687a80 runUsingRuntime: when relaying error from the runtime, mention that
Mention that errors we relay from the runtime are from the runtime, to
hopefully reduce confusion when troubleshooting.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2021-04-28 15:48:29 -04:00
Nalin Dahyabhai 3f78f33dc5 Run(): avoid Mkdir() into the rootfs
Replace a call to idtools.MkdirAllAndChownNew() with a call to
copier.Mkdir().

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2021-04-27 16:54:32 -04:00
Ashley Cui c8002d9739 Add support for secret mounts
Add support for secrets. Secrets is a two-part flag that allows secret files to
be accessed for a certain RUN instruction, but not any other
instructions, as well as not showing up in the final image.

Signed-off-by: Ashley Cui <acui@redhat.com>
2021-04-23 09:19:43 -04:00
Ashley Cui 1c0e033a35 Rename rhel secrets to subscriptions
Rename secrets to subscriptions and remove unused subscription package

Signed-off-by: Ashley Cui <acui@redhat.com>
2021-04-22 13:45:30 -04:00
OpenShift Merge Robot 18c5ab79a1
Merge pull request #3117 from rhatdan/mounts
Sort all mounts by destination directory
2021-04-02 14:14:09 +02:00
Urvashi Mohnani 3598ffb167 Check for symlink in builtin volume
Check if a builtin volume is a symlink. If it is,
follow the symlink and ensure that the destination
exists.
Add tests for symlink and no symlink case.

Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
2021-04-01 13:38:46 -04:00
Daniel J Walsh d29b04dba7
Sort all mounts by destination directory
Currently depending on the sort order of mount points, we can overmount
a volume specified from the user. Podman has a function sortMount that
sorts all mounts based on destination directory to ensure all mounts
show up. This PR moves the function from Podman to Buildah. Once merged
I will change Podman to use the buildah function.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-03-31 16:26:09 -04:00
Nalin Dahyabhai 0b4d973238 COPY --chown: expand the conformance test
Expand conformance test coverage for COPY --chown, and correct our
behavior when the argument is a single number: instead of assuming the
number is the UID and GID = 0, the GID should be the same as the UID.

This means that we can't quite use the same function for parsing the
arguments for COPY --chown and USER, as they evidently have different
defaults for the case where the argument is a single number.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2021-03-22 16:37:12 -04:00
Daniel J Walsh 514a3f1a91
Shrink the vendoring size of pkg/cli
This PR removes the pkg/auth which brings in docker/docker
since it really is not needed, and was only there to help users
discover the settings of where the authfile was, when the environment
variables were set.  Would almost never be of any value.

Move imagebuildah.BuildOptions to define.BuildOptions

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-03-03 14:18:35 -05:00
Daniel J Walsh 4704e6cb3f
Eliminate the use of containers/building import in pkg subdirs
We want to shrink the size of the import when importing pkg from
buildah. This should help us shrink the size of the golang bindings
in podman.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-02-12 12:43:08 -05:00
Daniel J Walsh 3446328c77
build(deps): bump github.com/containers/common from 0.34.0 to 0.34.2
Bumps [github.com/containers/common](https://github.com/containers/common) from 0.33.1 to 0.34.2.
- [Release notes](https://github.com/containers/common/releases)
- [Commits](https://github.com/containers/common/compare/v0.33.1...v0.34.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-02-08 18:06:36 -05:00
Eduardo Vega b1ae9c1f3a Use chown function for U volume flag from containers/common repository
Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
2021-02-08 08:04:29 -06:00
Giuseppe Scrivano 4026fa9696
run: fix check for host pid namespace
check the pidns is shared with the host only when the pidns mode is
specified.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-02-05 19:51:10 +01:00
Josh Soref c7963db369 Spelling
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-21 16:47:18 -05:00
Eduardo Vega 1f4e751770 Add U volume flag to chown source volumes
Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
2020-12-16 14:07:26 -06:00
Daniel J Walsh d9a7f13665
Add container information to .containerenv
We have been asked to leak some container information
and image information into the container to be used
by certain tools. (Toolbox and others)

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-11-24 15:56:38 -05:00
Daniel J Walsh 2099ad769f
Switch to using containers/common pkg's
pkg/secrets has been moved and slightly been rewritten
in containers/common, along with pkg/umask.

Convert Buildah to use these packages rather than internal
packages.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-11-20 15:46:30 -05:00
Nalin Dahyabhai 002c88e256 Run: don't forcibly disable UTS namespaces in rootless mode
I can't remember why we disabled UTS namespaces for rootless isolation,
but it doesn't look necessary.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2020-11-12 14:46:06 -05:00
Nalin Dahyabhai 21397a1be2 Run: correctly call copier.Mkdir
Make sure the directory we're creating is explicitly below the chroot we
want to create it under.

Fix a similar incorrect call in imagebuildah.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2020-11-06 16:53:36 -05:00
Daniel J Walsh e8f92e09a1
(*Builder).Run: MkdirAll: handle EEXIST error
It is not entirely correct to always ignore EEXIST here. It should only
be ignored in one special case: when a working directory already exists,
and is an absolute symlink to another directory under container root.

MkdirAll reports an error because the symlink is broken in the host
context (without chroot).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-11-03 20:29:48 -05:00
Daniel J Walsh dc03c3e2f6
fix MkdirAll usage
This subtle bug keeps lurking in because error checking for `Mkdir()`
and `MkdirAll()` is slightly different wrt `EEXIST`/`IsExist`:

 - for `Mkdir()`, `IsExist` error should (usually) be ignored
   (unless you want to make sure directory was not there before)
   as it means "the destination directory was already there";

 - for `MkdirAll()`, `IsExist` error should NEVER be ignored.

This commit removes ignoring the IsExist error, as it should not
be ignored.

[v2: skip patching (*Builder).Run]

For more details, a quote from opencontainers/runc PR #162:

-quote-

TL;DR: check for IsExist(err) after a failed MkdirAll() is both
redundant and wrong -- so two reasons to remove it.

Quoting MkdirAll documentation:

> MkdirAll creates a directory named path, along with any necessary
> parents, and returns nil, or else returns an error. If path
> is already a directory, MkdirAll does nothing and returns nil.

This means two things:

1. If a directory to be created already exists, no error is
returned.

2. If the error returned is IsExist (EEXIST), it means there exists
a non-directory with the same name as MkdirAll needs to use for
directory. Example: we want to MkdirAll("a/b"), but file "a"
(or "a/b") already exists, so MkdirAll fails.

The above is a theory, based on quoted documentation and my UNIX
knowledge.

3. In practice, though, current MkdirAll implementation [1] returns
ENOTDIR in most of the cases described in #2, with the exception when
there is a race between MkdirAll and someone else creating the
last component of MkdirAll argument as a file. In this very case
MkdirAll() will indeed return EEXIST.

Because of #1, IsExist check after MkdirAll is not needed.

Because of #2 and #3, ignoring IsExist error is just plain wrong,
as directory we require is not created. It's cleaner to report
the error now.

Note this error is all over the tree, I guess due to copy-paste,
or trying to follow the same usage pattern as for Mkdir(),
or some not quite correct examples on the Internet.

> [1] https://github.com/golang/go/blob/f9ed2f75/src/os/path.go

-end-quote-

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-11-03 15:39:21 -05:00
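The three points quoted above (an existing directory yields nil, a file in the path yields ENOTDIR, and only the race yields EEXIST) can be exercised directly. The following is an added example, not buildah's or runc's code; ensureDirLenient, ensureDirStrict, RunScenarios and Outcome are illustrative names. It goes beyond the quoted text in one respect: since the EEXIST race cannot be triggered reliably, the third scenario injects that error through a mkdir callback so the consequence of swallowing it is visible.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// mkdirFn lets the scenarios swap os.MkdirAll for a fake that simulates the race.
type mkdirFn func(path string, perm os.FileMode) error

// ensureDirLenient is the pattern the commit removes: an error matching
// os.IsExist is swallowed and success is reported. Illustrative only.
func ensureDirLenient(mkdirAll mkdirFn, path string) error {
	if err := mkdirAll(path, 0o755); err != nil && !os.IsExist(err) {
		return err
	}
	return nil
}

// ensureDirStrict is the corrected pattern: every error is reported,
// because MkdirAll already returns nil when the directory exists.
func ensureDirStrict(mkdirAll mkdirFn, path string) error {
	return mkdirAll(path, 0o755)
}

func isDir(path string) bool {
	fi, err := os.Stat(path)
	return err == nil && fi.IsDir()
}

// Outcome records, for one scenario, what each variant reported, whether a
// directory really exists afterwards, and how the strict error classifies.
type Outcome struct {
	Name       string
	LenientErr bool // lenient variant returned an error
	StrictErr  bool // strict variant returned an error
	DirExists  bool // a directory is actually present at the path
	IsExist    bool // os.IsExist matches the strict error
	IsNotDir   bool // the strict error is ENOTDIR
}

// RunScenarios builds the cases from the quoted text under a fresh temp dir.
func RunScenarios() ([]Outcome, error) {
	root, err := os.MkdirTemp("", "mkdirall-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(root)

	var out []Outcome
	record := func(name string, fn mkdirFn, rel string) {
		p := filepath.Join(root, rel)
		le := ensureDirLenient(fn, p)
		se := ensureDirStrict(fn, p)
		out = append(out, Outcome{
			Name: name, LenientErr: le != nil, StrictErr: se != nil,
			DirExists: isDir(p), IsExist: se != nil && os.IsExist(se),
			IsNotDir: errors.Is(se, syscall.ENOTDIR),
		})
	}

	// 1. Directory already exists: MkdirAll returns nil, so there is nothing to ignore.
	if err := os.Mkdir(filepath.Join(root, "existing"), 0o755); err != nil {
		return nil, err
	}
	record("existing directory", os.MkdirAll, "existing")

	// 2. A parent component is a regular file: MkdirAll fails with ENOTDIR,
	//    which os.IsExist does not match, so both variants report it.
	if err := os.WriteFile(filepath.Join(root, "afile"), []byte("x"), 0o644); err != nil {
		return nil, err
	}
	record("parent is a file", os.MkdirAll, filepath.Join("afile", "b"))

	// 3. The race, simulated: someone creates the last component as a file
	//    between MkdirAll's stat and its mkdir, so the kernel answers EEXIST.
	//    The lenient variant reports success although no directory exists.
	racy := func(path string, perm os.FileMode) error {
		return &os.PathError{Op: "mkdir", Path: path, Err: syscall.EEXIST}
	}
	record("EEXIST race (simulated)", racy, "racy")

	return out, nil
}

func main() {
	outcomes, err := RunScenarios()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	for _, o := range outcomes {
		fmt.Printf("%-24s lenientErr=%-5v strictErr=%-5v dirExists=%-5v isExist=%-5v isNotDir=%v\n",
			o.Name, o.LenientErr, o.StrictErr, o.DirExists, o.IsExist, o.IsNotDir)
	}
}
```

The third row is the one that matters for a code base that later writes into the "created" directory: the lenient wrapper returns nil with nothing there, and the failure surfaces far from its cause.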
Daniel J Walsh 39f4cfb79d
Stop excessive wrapping
Golang built in functions like os.Create and others print the name of
the file system object when they fail.  Wrapping them a second time
with the file system object, makes the error message look like crap
when reported to the user.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-10-15 14:03:13 -04:00