After determining the type of runtime to use,
either "runc" or "crun" dependent upon the system, search
the list of that type of runtime in the containers.conf
file. It includes the location of those runtimes in a
number of different architectures. Once found, set the
runtime to use to that value.
Fixes: #2113
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Before this patch, it was not possible to retrieve a remote manifest
just by specifying the image name, like:
```
> buildah manifest inspect alpine
Invalid image name "alpine", expected colon-separated transport:reference
```
It was possible to get the manifest via:
```
> buildah manifest inspect docker://alpine
…
```
But after pulling the image into the local storage, this no longer
works:
```
> buildah pull alpine
e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a
> buildah manifest inspect docker://alpine
manifest from image … is of type
"application/vnd.docker.distribution.manifest.v2+json", which
is not a list type
ERRO exit status 1
```
This means we now collect a list of possible local or remote manifests
and try to resolve them sequentially. This enables us to fall back to the
remote location if the locally fetched manifest is not an actual
manifest. It also enables us to see the remote manifest via:
```
> ./buildah manifest inspect alpine
{
…
}
```
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
We have moved shared code from buildah, podman and others into containers/common.
Specifically for this PR we are moving to use containers/common/pkg/unshare and
containers/common/pkg/cgroups.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #2010
Approved by: QiWang19
Typo from 765c09d6db (Update containers/image to v2.0.0, 2019-06-03, #1634).
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1861
Approved by: TomSweeneyRedHat
Image names longer than 32 characters will now be truncated via `...` in
the default table output. For example this:
```
CONTAINER ID  BUILDER  IMAGE ID      IMAGE NAME                          CONTAINER NAME
579aa959bb4d     *     9b1a5a0c02f5  docker.io/clearlinux/golang:latest  golang-working-container
```
Now looks like this:
```
CONTAINER ID  BUILDER  IMAGE ID      IMAGE NAME                        CONTAINER NAME
579aa959bb4d     *     9b1a5a0c02f5  docker.io/clearlinux/golang:l...  golang-working-container
```
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Closes: #1841
Approved by: rhatdan
We need to run with crun rather than runc on cgroupsV2 platforms.
runc does not currently support cgroups V2, so if the machine is
in cgroups V2 mode we have to use crun by default.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1823
Approved by: @TomSweeneyRedHat
Fix handling of ID mapping for COPY: when copying from other containers,
use their mappings, and when copying from the host, use host mappings.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1630
Approved by: TomSweeneyRedHat
Container image also switched out the version of boltdb
we were using.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1586
Approved by: vrothberg
In multistage builds without caching, if an intermediate stage's image
ended up being the final image (i.e., when the last instruction in the
Dockerfile is a FROM instruction that references a previous stage), we
would remove it when we finished building. Fix that by modifying the
cleanup logic to compare the ID of an image that it's about to delete to
the final image's ID, if it has one, and skipping it if they match.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1564
Approved by: vrothberg
This will make vendoring in pkg/unshare easier into other
packages like skopeo.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1532
Approved by: TomSweeneyRedHat
When ResolveName has already determined that the value is an
ID (prefix), and returned the full ID, rely on that knowledge
and don't try at all to pull the image from a 'remote transport ""';
also, don't try to match strings that are already known not to be
ID prefixes, or that are known to use a different transport, against
local storage.
Should not change behavior, except possibly in theoretical
inconsistency cases when store.Image(knownImageID) fails; the code
now does not report other unrelated errors on the transport == ""
path below.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #1361
Approved by: rhatdan
No need to hard-code the :tag / @digest syntax when there
already is an API returning the string representation.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #1361
Approved by: rhatdan
Change references to Transfer to transfer to make it internal only.
It should be determined from the image specification and only determined
in one place.
Make buildah.Pull use registries.conf
Currently buildah pull does not resolve images based on registries.conf.
This does not match the behaviour of buildah from or buildah bud.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1319
Approved by: rhatdan
When reading the last of the output from a child process, ignore an EIO,
since we already got the HUP indication.
Avoid double-logging errors in our I/O loop when using isolation other
than chroot (spotted by @afbjorklund).
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1273
Approved by: rhatdan
Mostly this is a straightforward elimination of manual GetRegistries calls.
In getCopyOptions, we just remove setting the DockerInsecureSkipTLSVerify
values because the docker:// transport now does that automatically. (This
actually changes behavior, because docker:// supports namespace prefixes
in addition to matching only by hostnames, but that's a superset of the
previous behavior.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #1214
Approved by: rhatdan
pullImage now tries (incorrectly) to redundantly compute the same
value as part of error handling. So, return the actually used
data in util.ResolveName.
The computed value is not used yet, so should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #909
Approved by: rhatdan
If XDG_RUNTIME_DIR is not set, try in the order:
- /var/run/user/$UID/run
- $HOME/rundir
Also set the XDG_RUNTIME_DIR so that the OCI runtime will
use the same settings.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1077
Approved by: rhatdan
Allow util.ResolveName() to return errors from libraries that it uses.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #948
Approved by: rhatdan
Switch from using github.com/containers/image/pkg/sysregistries to using
github.com/containers/image/pkg/sysregistriesv2 to complete unqualified
image names. Keep v1 around because it'll tell us which configuration
file to name in an error message if things don't work right.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #904
Approved by: rhatdan
When building with layers, the last step wouldn't get implemented
if a cache already existed. This fix checks if every step in the dockerfile
is the same, and if it is it just creates a copy of the existing image
with the new name passed in by the user. The images will have the same
IDs and the new one will just be another tag of the original image.
This is what docker build does as well.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #832
Approved by: rhatdan
If our CLI is invoked as an unprivileged user (uid != 0),
* create a namespace using our own UID and GID as "0" followed by the
  ranges matching our name and our primary group's name that we find in
  /etc/subuid and /etc/subgid (the latter by way of using newuidmap and
  newgidmap)
* re-exec ourselves inside of that user namespace, prepending global CLI arguments that:
  * override the driver from storage.conf with "vfs"
  * override the storage root from storage.conf with a "containers/storage" subdirectory
    of $XDG_DATA_HOME, or $HOME/.local/share.
  * override the storage runroot from storage.conf with either "$XDG_RUNTIME_DIR/run" or
    "/var/run/user/$uid/run"
  * set default ID mapping settings to map all of the ranges matching
    our name and our primary group's name that we found in /etc/subuid
    and /etc/subgid
  * can still be overridden using the command line
Add a "buildah unshare" CLI that will start an arbitrary command in the
first namespace, so that manual cleanup of locations used by the second
namespace will be possible.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #823
Approved by: rhatdan
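The mapping described in the first bullet of the commit message above, as an added Go example (not buildah's implementation): the caller's own ID becomes 0 inside the namespace and the ranges listed for it in /etc/subuid follow. The `IDMap` type, the function names, the user `alice` with UID 1000, and the file content are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// IDMap is one uid_map/gid_map entry: Size IDs from ContainerID map to HostID.
type IDMap struct{ ContainerID, HostID, Size int }

// Constructed /etc/subuid content in the "name:start:count" format.
const sampleSubuid = "alice:100000:65536\nbob:165536:65536\nalice:300000:1000\n"

// subRanges returns the subordinate ranges listed for user.
func subRanges(content, user string) ([]IDMap, error) {
	var out []IDMap
	for _, line := range strings.Split(content, "\n") {
		f := strings.Split(strings.TrimSpace(line), ":")
		if len(f) != 3 || f[0] != user {
			continue // blank line, comment, or another user's entry
		}
		start, err1 := strconv.Atoi(f[1])
		count, err2 := strconv.Atoi(f[2])
		if err1 != nil || err2 != nil || start < 0 || count <= 0 {
			return nil, fmt.Errorf("malformed entry %q", line)
		}
		out = append(out, IDMap{HostID: start, Size: count})
	}
	return out, nil
}

// rootlessMap maps our own ID to 0, then packs each range after it.
func rootlessMap(ownID int, ranges []IDMap) []IDMap {
	m := []IDMap{{ContainerID: 0, HostID: ownID, Size: 1}}
	next := 1
	for _, r := range ranges {
		m = append(m, IDMap{ContainerID: next, HostID: r.HostID, Size: r.Size})
		next += r.Size
	}
	return m
}

func main() {
	ranges, _ := subRanges(sampleSubuid, "alice")
	for _, e := range rootlessMap(1000, ranges) {
		fmt.Println(e.ContainerID, e.HostID, e.Size) // uid_map column order
	}
}
```

The three numbers printed per line follow the order of a uid_map entry (ID inside the namespace, ID on the host, length); the same logic applies to /etc/subgid with the primary group's name.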
Break getProcIDMappings() out of run.go and turn it into
util.GetHostIDMappings(), and add util.GetSubIDMappings() and
util.ParseIDMappings().
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #796
Approved by: rhatdan
Break runSetupIntermediateMountNamespace() into its own package.
Move stringInSlice(), getHostIDs(), and getHostRootIDs() into the util
subdirectory and export them.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #796
Approved by: rhatdan
The search registries and insecure registries are separate lists,
and should not be merged just because the InsecureSkipTLSVerify is
set.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #759
Approved by: mtrmac
When checking if an image name includes a registry name, when checking
for cases where parsing it inserts additional path components, handle
cases where the name includes a tag or digest component.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #710
Approved by: rhatdan
Extend util.ResolveName() to prepend "localhost" to the list of
registries, and teach util.FindImage(), util.ExpandNames(), and
util.AddImageNames() to use util.ResolveName().
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #648
Approved by: rhatdan
buildah from now supports pulling images using the following transports:
docker-archive, oci-archive, and dir.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #524
Approved by: TomSweeneyRedHat
During the creation of a new builder object there are errors
that are only logged into "logrus.Debugf".
If in the end of the process "ref" or "img" are nil and "options.FromImage"
is set then it means that there was an issue.
By default, it was assumed that the image name is wrong. Yet,
this assumption isn't always correct. For example, it might fail due to
authorization or connection errors.
In this patch, I am attempting to fix this problem by checking the
last error stored in the "err" variable and returning the cause
of the failure.
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
Closes: #406
Approved by: rhatdan
When locating an image for pulling, inspection, or pushing, if we're
given an image name that doesn't include a domain/registry, try building
a set of candidate names using the configured registries as domains, and
then pull/inspect/push using the first of those names that works.
If a name that we're given corresponds to a prefix of the ID of a local
image, skip completion and use the ID directly instead.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #360
Approved by: rhatdan
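An added Go example (not buildah's code) of the resolution order the commit message above describes: an ID prefix of a local image wins, a name that already carries a registry is used as-is, and any other name is expanded against the configured registries in order. The function names, the registry list and the image IDs are constructed for illustration, and the registry test is a simplified first-component heuristic.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample data: shortened local image IDs and a registry list.
var sampleIDs = []string{"9b1a5a0c02f5aaaa", "9b1fffff0000bbbb"}
var sampleRegs = []string{"localhost", "registry.example.com"}

// hasRegistry: the first path component is "localhost" or has a '.' or ':'.
func hasRegistry(name string) bool {
	first, _, found := strings.Cut(name, "/")
	return found && (first == "localhost" || strings.ContainsAny(first, ".:"))
}

// matchIDPrefix returns the full ID when name is a prefix of exactly one ID.
func matchIDPrefix(name string, ids []string) (string, bool) {
	var hits []string
	for _, id := range ids {
		if name != "" && strings.HasPrefix(id, name) {
			hits = append(hits, id)
		}
	}
	if len(hits) != 1 {
		return "", false // no match, or ambiguous prefix
	}
	return hits[0], true
}

// candidates lists the names to try, in order, for a user-supplied name.
func candidates(name string, registries, ids []string) []string {
	if id, ok := matchIDPrefix(name, ids); ok {
		return []string{id} // skip completion, use the ID directly
	}
	if hasRegistry(name) {
		return []string{name} // already qualified, tag or digest included
	}
	var out []string
	for _, r := range registries {
		out = append(out, r+"/"+name)
	}
	return out
}

func main() {
	fmt.Println(candidates("alpine:3.19", sampleRegs, sampleIDs))
	fmt.Println(candidates("9b1a", sampleRegs, sampleIDs))
}
```

Because the first candidate that works is used, the order of the registry list decides where an unqualified name is pulled from; a fully qualified name bypasses the search.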
Improve error reporting by wrapping all returned err functions with
error.Wrapf
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes: #124
Approved by: nalind
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes: #125
Approved by: nalind