Now the bud --help output correctly reads that the default behavior when
--pull is not provided at all is "missing", and that the default value
for --pull if explicitly provided but without value is "always".
Fixes #6266.
Signed-off-by: Romain Geissler <romain.geissler@amadeus.com>
When using either --source-date-epoch or --timestamp, default to not
adding a label with our version number in it, since it can change
between builds.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Flag `--add-host` should support `host-gateway` when argument is in the
form of `buildah build --add-host=proxyhost:host-gateway .`
This is consistent with podman.
Closes: https://github.com/containers/podman/issues/26034
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
Fixes: https://github.com/containers/buildah/issues/6160
label_users tells buildah and podman to maintain the user and role
from the SELinux label; the default is to change the user and role to
system_u:system_r.
With this change we end up with an unconfined_u user running the
container as unconfined_u:unconfined_r.
I don't believe our CI/CD system can test this, because it runs with
system_u:system_r by default.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
These:
> copier/copier.go:1664:2: QF1003: could use tagged switch on hdr.Typeflag (staticcheck)
> if hdr.Typeflag == tar.TypeReg {
> ^
> pkg/parse/parse.go:708:4: QF1003: could use tagged switch on arr[1] (staticcheck)
> if arr[1] == "local" {
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Describe the "env" and "type" options in the buildah-build(1) man page.
When parsing the "--secret=" flag for the CLI, instead of ignoring an
option that we don't recognize, return an error.
Even though the set of meaningful "id" values for secrets is passed in
via the command line, don't directly use it to construct a file path.
Change the default mode for SSH agent sockets that we create from 0o620
to 0o600.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
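An added example, not buildah's own code, of the parsing rules this commit describes: unknown `--secret` options are rejected rather than ignored, and the `id` is treated as a lookup key rather than a path component. The option names `id`, `src` and `type` (values `file` or `env`) are assumed for illustration.

```go
// Added example (not buildah code): strict parsing of a
// "--secret id=...,src=...,type=..." style flag. Option names are assumed.
package main

import (
	"errors"
	"fmt"
	"strings"
)

type secretOpts struct {
	ID, Src, Type string
}

// parseSecretFlag returns an error for anything it does not recognize, so a
// typo such as "sourc=" cannot silently fall back to defaults.
func parseSecretFlag(arg string) (secretOpts, error) {
	var o secretOpts
	for _, kv := range strings.Split(arg, ",") {
		k, v, ok := strings.Cut(kv, "=")
		if !ok || v == "" {
			return o, fmt.Errorf("secret option %q: expected key=value", kv)
		}
		switch k {
		case "id":
			// The id selects a registered secret; it must never be joined
			// onto a directory, so refuse anything path-like up front.
			if strings.ContainsAny(v, `/\`) || v == "." || v == ".." {
				return o, fmt.Errorf("secret id %q: must not look like a path", v)
			}
			o.ID = v
		case "src":
			o.Src = v
		case "type":
			if v != "file" && v != "env" {
				return o, fmt.Errorf("secret type %q: must be file or env", v)
			}
			o.Type = v
		default:
			return o, fmt.Errorf("unknown secret option %q", k)
		}
	}
	if o.ID == "" {
		return o, errors.New("secret: id is required")
	}
	if o.Type == "" {
		o.Type = "file" // assumed default
	}
	return o, nil
}

// resolveSecret looks the id up in a registry built from parsed flags
// instead of constructing a file path from the id itself.
func resolveSecret(registry map[string]secretOpts, id string) (string, bool) {
	o, ok := registry[id]
	return o.Src, ok
}
```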
In 1.7.19, containerd spun out its platforms package into its own
repository. Update to use the new repository.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Rework parsing of --pull flags to add "newer" as an alias for "ifnewer",
and to reject unrecognized values instead of treating them as synonymous
with "ifmissing".
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
buildah build --pull=false is documented to never pull the image, but it
is currently ignored.
Fixes: https://github.com/containers/podman/issues/21783
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Split up the diagnostic for missing SBOM generation settings so that we
can more easily tell the difference between "you didn't tell me where to
put the output files" and "I don't know how to generate things".
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a --sbom flag to `buildah build` and `buildah commit` which will
scan the rootfs and specified context directories to build SPDX or
CycloneDX SBOMs and lists of package URLs.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Make sure that we accept both upper- and lower-cased versions of the
names of TEE types as arguments for `buildah build`'s --cw flag and for
`buildah mkcw`'s --type flag. We previously only understood lower-case
versions, but the docs always used upper case.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
With this, pkg/parse does not depend on libimage.
[NO NEW TESTS NEEDED]
Based on Miloslav's work: https://github.com/containers/podman/pull/19718
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
internal/parse does not need to depend on libimage.
This allows for a smaller podman remote client.
Based on Miloslav's work: https://github.com/containers/podman/pull/19718
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add a --cw option to `buildah build` and `buildah commit`, which takes a
comma-separated list of arguments and produces an image laid out for use
as a confidential workload:
type: sev or snp
attestation_url: location of a key broker server
cpus: expected number of virtual CPUs to run with
memory: expected megabytes of memory to run with
workload_id: a distinguishing identifier for the key broker server
ignore_attestation_errors: ignore errors registering the workload
passphrase: for encrypting the disk image
slop: extra space to allocate for the disk image
At least one of attestation_url and passphrase must be specified in
order for the encrypted disk image to be decryptable at run-time. Other
arguments can be omitted. ignore_attestation_errors is intentionally
undocumented, as it's mainly used to permit some amount of testing on
systems which don't have the required hardware.
Add an `mkcw` top-level command, for converting directly from an image
to a confidential workload.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When we read TMPDIR and SSH_AUTH_SOCK from the environment, convert them
to absolute paths before using them. Call auth.GetDefaultAuthFile()
instead of reading REGISTRY_AUTH_FILE.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Validate build volumes on backend and not on frontend
Closes: https://github.com/containers/podman/issues/17139
[NO NEW TESTS NEEDED]
Existing volumes checks must pass. (Tests might need retrofit in error
message.)
Signed-off-by: Aditya R <arajan@redhat.com>
podman-remote has a bug where it sends `/` when no platform is set; the
patch is there to make sure older clients still work if the backend is
updated.
Closes: https://github.com/containers/buildah/issues/4763
Signed-off-by: Aditya R <arajan@redhat.com>
PR https://github.com/containers/buildah/pull/4490 added a new API
`CleanCacheMount` which allows cleaning the buildcache and cache generated
on host by --mount=type=cache just like buildkit's prune command.
The following API is needed so that tools like podman can utilize this and
integrate it into commands like `podman system reset`.
[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]
Test already added here: https://github.com/containers/buildah/pull/4490
Signed-off-by: Aditya R <arajan@redhat.com>
Drop support for remote use-cases when .containerignore or .dockerignore is a symlink pointing to an arbitrary location on the host.
[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]
Signed-off-by: Aditya R <arajan@redhat.com>
Buildah must support multiple sources for remote cache when using
`--cache-to` and `--cache-from` so users can distribute and collect
cache from various sources.
We also need this for compat with the buildkit API, which in the past broke the
`podman` compat build API; see: https://github.com/containers/podman/pull/16380
More discussion here: https://github.com/containers/podman/pull/16380
Signed-off-by: Aditya R <arajan@redhat.com>
Podman adds an Error: to every error message. So starting an error
message with "error" ends up being reported to the user as
Error: error ...
This patch removes the stutter.
Also ioutil.ReadFile errors report the Path, so wrapping the err message
with the path causes a stutter.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
As per the buildkit backend documentation, when using the BuildKit backend, docker build searches for
a `.dockerignore` file relative to the Dockerfile name. For example, running `docker build -f myapp.Dockerfile .`
will first look for an ignore file named `myapp.Dockerfile.dockerignore`. If such a file is not found, the
`.dockerignore` file is used if present. Using a Dockerfile-based `.dockerignore` is useful if a project contains
multiple Dockerfiles that expect to ignore different sets of files.
The following PR introduces this buildkit feature parity.
Closes: https://github.com/containers/buildah/issues/4236
Signed-off-by: Aditya R <arajan@redhat.com>
Use values from containers/common for locating seccomp.json. At the
moment this isn't actually a change, but we don't want to fall out of
step again.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When `buildah manifest create` is given the `--amend` flag and a list
with the name that was specified for the to-be-created list already
exists, just reuse the list.
Make the `--insecure` flag, if we see it, conflict with `--tls-verify`,
but have the reverse of the effect that `--tls-verify` does, and teach
the `buildah manifest` `add`, `create`, and `push` subcommands about
it.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
If errors for which os.IsExist() or os.IsNotExist() would have returned
true have been wrapped using fmt.Errorf()'s "%w" verb, os.IsExist() and
os.IsNotExist(), not having been retrofitted to use errors.Is(), will
return false.
Use errors.Is() to check if an error is an os.ErrExist or os.ErrNotExist
error instead of calling os.IsExist() or os.IsNotExist().
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
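An added example, not buildah code, showing the failure mode this commit fixes: once an error has been wrapped with `fmt.Errorf`'s `%w` verb, `os.IsNotExist()` no longer recognizes it, while `errors.Is()` walks the wrap chain. The `openConfig` helper and the path it probes are constructed for illustration.

```go
// Added example (not buildah code): os.IsNotExist() vs errors.Is() on a
// wrapped *fs.PathError.
package main

import (
	"errors"
	"fmt"
	"os"
)

// openConfig is a hypothetical lower layer that adds context with %w, as
// callers commonly do; the underlying error is still reachable via Unwrap.
func openConfig(path string) error {
	f, err := os.Open(path)
	if err != nil {
		return fmt.Errorf("loading config %q: %w", path, err)
	}
	return f.Close()
}

// missingByLegacyCheck uses os.IsNotExist, which only looks through
// *fs.PathError, *os.LinkError and *os.SyscallError, not fmt.Errorf wrappers.
func missingByLegacyCheck(err error) bool {
	return os.IsNotExist(err)
}

// missingByErrorsIs uses errors.Is, which follows every Unwrap() in the chain
// down to the syscall.Errno that reports itself as os.ErrNotExist.
func missingByErrorsIs(err error) bool {
	return errors.Is(err, os.ErrNotExist)
}

func main() {
	// Constructed path that is assumed not to exist on the test machine.
	err := openConfig("/nonexistent/constructed/path/config.json")
	fmt.Printf("os.IsNotExist: %v, errors.Is: %v\n",
		missingByLegacyCheck(err), missingByErrorsIs(err))
}
```

The legacy check silently returns false for the wrapped error, so code relying on it would treat a missing file as some other failure.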
The following commit
* Initiates `cacheKey` or `layerKey` for intermediate images generated
for layers.
* Allows end users to upload cached layers with `cacheKey` to remote
sources using `--cache-to`. `--cache-to` is an optional flag to be used
with `buildah build` which publishes cached layers to remote sources.
* Allows end users to use cached layers from `remote` sources with
`--cache-from`. `--cache-from` is an optional flag to be used with
`buildah build` and it pulls cached layers from remote sources in a step
by step manner only if it is a valid cache hit.
Example
* Populate cache source or use cached layers if already present
```bash
buildah build -t test --layers --cache-to registry/myrepo/cache --cache-from registry/myrepo/cache .
```
Future:
* `cacheKey` or `layerKey` model is only being used when working with
remote sources; however, local cache lookup can also be optimized if it
is altered to use the `cacheKey` model instead of iterating through all the
images in local storage. As discussed here
References:
* Feature is quite similar to `kaniko`'s `--cache-repo`: https://github.com/GoogleContainerTools/kaniko#--cache-repo
Closes: issues #620
Signed-off-by: Aditya R <arajan@redhat.com>
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
The following PR adds support for OCI hooks attached to each of the ephemeral
build containers which are created by the `RUN` step invoked during the `buildah
build` command.
The following PR also adds a `--hooks-dir` flag to `buildah build`
which allows end-users to specify one or more configuration directories
for OCI hooks.
Note: The following PR migrates `pkg/hooks` from `podman` to `buildah` so
buildah could implement this feature, and once merged `podman` can start
using `buildah/pkg/hooks`.
For usage see man-page and example test-case.
See: https://github.com/opencontainers/runtime-spec/blob/main/config.md#posix-platform-hooks
Closes: https://github.com/containers/buildah/issues/4068
Signed-off-by: Aditya R <arajan@redhat.com>
Buildah now supports `--userns=auto`, which can automatically pick an empty range and create a user namespace for the container.
The `--userns=auto` flag requires that the user name `containers` and a range of subordinate user ids that the build container is allowed to use be specified in the /etc/subuid and /etc/subgid files.
Example: `containers:2147483647:2147483648`.
Buildah allocates unique ranges of UIDs and GIDs from the `containers` subordinate user ids. The size of the ranges is based on the number of UIDs required in the image. The number of UIDs and GIDs can be overridden with the size option.
Valid auto options:
* gidmapping=CONTAINER_GID:HOST_GID:SIZE: to force a GID mapping to be present in the user namespace.
* size=SIZE: to specify an explicit size for the automatic user namespace. e.g. --userns=auto:size=8192. If size is not specified, auto will estimate a size for the user namespace.
* uidmapping=CONTAINER_UID:HOST_UID:SIZE: to force a UID mapping to be present in the user namespace.
Signed-off-by: Aditya R <arajan@redhat.com>