Allow --output to be specified multiple times for `buildah build`.
That's of limited usefulness right now, but as exporters get added, it
won't be, and it's better to provide the new multiple-values API field
sooner rather than later.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Every stage now has its own copy of systemcontext.
On processing of every stage, the platform spec in systemcontext must be
correctly reset.
Closes: https://github.com/containers/buildah/issues/5968
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
These experimental packages are now available in the Go standard
library since Go 1.21:
1. golang.org/x/exp/slices -> slices [1]
2. golang.org/x/exp/maps -> maps [2]
[1]: https://go.dev/doc/go1.21#slices
[2]: https://go.dev/doc/go1.21#maps
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Clean up the distinctions between the volumes slice and the volumeCache
and volumeCacheInfo maps so that --compat-volumes will work correctly
when we're building with multiple layers.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
The default configuration that `docker build` applies to images built
using "scratch" has changed from classic builds to BuildKit. Add a
toggle for selecting which behavior to mimic.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Make the traditional handling of volumes (where they're "frozen" and can
only be modified by ADD or COPY, which requires that we cache their
contents and save/restore them before/after RUN instructions) an option
that is not enabled by default.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Make setting the Parent field in the config blob of a docker format
image optional (yes, we're bringing it back!), since it no longer
appears to be set by newer versions of docker build.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use slices.Clone() and maps.Clone() instead of our own non-generic
functions. We have to be more careful in a couple of places where we
set items in maps which aren't unconditionally initialized.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This allows callers to provide custom SourceLookupReferenceFunc and
DestinationLookupReferenceFunc for cache pull/push. These can be used to
implement custom blob caches, and to wrap the reference being
pushed/pulled to influence the copy behavior.
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
Add support for using CDI to resolve `--device` devices for RUN
instructions during `buildah build`, `buildah from`, and `buildah run`,
as `podman run` does.
This generally requires that we stop resolving device specifications
(arguments passed to --device) earlier and defer that until it's
time to run a process, because CDI wants to pick over those values,
modify a runtime spec to set up the ones that it knows about, and then
hand back the list of values that it doesn't know about.
We don't want to do a dry run of this during CLI processing because that
would create a window where the underlying hardware state could change,
and that could produce some hard-to-diagnose errors.
Being able to test this is going to require that we add the `--device`
flag to `buildah run` (`--security-opt` affects how we build the
container's layer, so it has to be done at `buildah from`).
The default configured devices list is pulled in by CLI flag processing
during `buildah from` and `buildah build`, so it doesn't also need to be
explicitly passed to `buildah run` or the internal Run() method.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a --sbom flag to `buildah build` and `buildah commit` which will
scan the rootfs and specified context directories to build SPDX or
CycloneDX SBOMs and lists of package URLs.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use a definition of "scratch" that's exported by imagebuilder instead of
hard-coding it ourselves like it's just some magic value we came up
with, in the multiple places where we refer to it.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
All `[]string`s in containers.conf have now been migrated to attributed
string slices which require some adjustments in Buildah and Podman.
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This change is the first step of integrating appendable string arrays
into containers.conf and starts with enabling the `Env`, `Mounts`, and
`Volumes` fields in the `[Containers]` table.
Both Buildah and Podman read (and sometimes write) the fields of the
`Config` struct at various places, so I decided to migrate the fields
step-by-step. The ones in this change are the most critical ones for
customers. Once all string slices/arrays are migrated, the docs of
containers.conf will be updated. The current changes are entirely
transparent to users.
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When building a multi-stage image (without `--layers`) where a
stage contains only a base-image, buildah removes the base-image
itself as part of the cleanup process. This is a bug, and the following
commit fixes it.
Reproducer
```Dockerfile
FROM parent
FROM another-base
COPY --from=0 somefile .
```
`buildah build -t multi-stage .`
Closes: https://github.com/containers/podman/issues/20291
Signed-off-by: Aditya R <arajan@redhat.com>
Add a --cw option to `buildah build` and `buildah commit`, which takes a
comma-separated list of arguments and produces an image laid out for use
as a confidential workload:
type: sev or snp
attestation_url: location of a key broker server
cpus: expected number of virtual CPUs to run with
memory: expected megabytes of memory to run with
workload_id: a distinguishing identifier for the key broker server
ignore_attestation_errors: ignore errors registering the workload
passphrase: for encrypting the disk image
slop: extra space to allocate for the disk image
At least one of attestation_url and passphrase must be specified in
order for the encrypted disk image to be decryptable at run-time. Other
arguments can be omitted. ignore_attestation_errors is intentionally
undocumented, as it's mainly used to permit some amount of testing on
systems which don't have the required hardware.
Add an `mkcw` top-level command, for converting directly from an image
to a confidential workload.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
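As an added illustration (not buildah's own code), the Go function below parses a comma-separated `--cw` list and enforces the constraint stated above. It assumes a `key=value` form for each item and treats `cpus` and `memory` as positive integers; both are assumptions for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// cwKeys lists the arguments named in the commit message for --cw.
var cwKeys = map[string]bool{
	"type": true, "attestation_url": true, "cpus": true, "memory": true,
	"workload_id": true, "ignore_attestation_errors": true, "passphrase": true, "slop": true,
}

// parseCWOptions parses a value such as
// "type=snp,attestation_url=https://kbs.example.test,cpus=2,memory=512"
// (the key=value form is an assumption for this illustration) and
// enforces the constraints the commit message states.
func parseCWOptions(spec string) (map[string]string, error) {
	opts := map[string]string{}
	for _, item := range strings.Split(spec, ",") {
		if item = strings.TrimSpace(item); item == "" {
			continue
		}
		key, val, ok := strings.Cut(item, "=")
		if !ok || !cwKeys[key] {
			return nil, fmt.Errorf("unrecognized --cw option %q", item)
		}
		opts[key] = val
	}
	// type, when given, must be one of the two values the option supports.
	if t, ok := opts["type"]; ok && t != "sev" && t != "snp" {
		return nil, fmt.Errorf("type must be sev or snp, got %q", t)
	}
	// cpus and memory are counts; reject anything that is not a positive integer.
	for _, k := range []string{"cpus", "memory"} {
		if v, ok := opts[k]; ok {
			if n, err := strconv.Atoi(v); err != nil || n <= 0 {
				return nil, fmt.Errorf("%s must be a positive integer, got %q", k, v)
			}
		}
	}
	// Without a key broker or a passphrase nothing could decrypt the disk image at run-time.
	if opts["attestation_url"] == "" && opts["passphrase"] == "" {
		return nil, fmt.Errorf("at least one of attestation_url or passphrase is required")
	}
	return opts, nil
}
```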
Don't try to look up an image by name when we're committing an image,
because we don't want to accidentally take advantage of any fuzzy
matching that libimage might start doing. Instead, just use the
normalization call.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
build-arg warnings must honor globally defined arguments and must not
produce warnings if an argument is already defined globally.
Closes: https://github.com/containers/buildah/issues/4981
Signed-off-by: Aditya R <arajan@redhat.com>
`--layer-label` allows users to set labels on intermediate images agnostic
of the labels set on the actual image, since there are use-cases where users
want to perform operations on intermediate images only on the basis of
certain labels.
Closes: https://github.com/containers/buildah/issues/4933
Signed-off-by: Aditya R <arajan@redhat.com>
In https://github.com/containers/buildah/pull/4673 we made a change where
we were applying labels at the end of each stage, which is different than
what we were doing before, i.e. applying labels at the end of each
step.
However, buildkit does not add labels to any stage or step; it only adds
labels at the end of the final stage, so let's do that.
Closes: https://github.com/containers/buildah/issues/4804
Signed-off-by: Aditya R <arajan@redhat.com>
Buildah currently applies labels to each intermediate image, which is not
the right thing to do since other builds use these intermediate images
and they can inherit the label even though they never had this
intention.
Only apply labels to the final build, i.e. the last instruction of the last stage,
which will make sure that labels are only applied to the final image and not
to the intermediate images.
Closes: https://github.com/containers/buildah/issues/4632
Signed-off-by: Aditya R <arajan@redhat.com>
COPY must honor processing of any arguments, if configured, while
evaluating `--from=` statements.
Makes below Containerfile functional without any external `--build-arg`
value from CLI
```Dockerfile
ARG my_env=a
FROM alpine as stage_a
RUN /bin/true
FROM alpine
COPY --from=stage_${my_env} /bin/true true
```
Closes: https://github.com/containers/buildah/issues/4573
Signed-off-by: Aditya R <arajan@redhat.com>
Buildah warns about TARGETARCH, TARGETOS, TARGETPLATFORM in a multi-arch
build; however, it's not very useful for end-users and there are cases
where this can be left untouched, so do not warn about test default build
args.
Closes: https://github.com/containers/buildah/issues/4485
Signed-off-by: Aditya R <arajan@redhat.com>
While preparing the list of cleanup stages, the executor must also add stages with no
children to cleanupStages, since a stage can also exist in the form of
only `FROM base_image`, i.e. without any child nodes.
Ensures we leave no dangling build container for cases such as
```dockerfile
FROM quay.io/quay/busybox:latest AS busybox
FROM scratch
COPY --from=busybox /bin/busybox /bin/busybox
```
Closes: https://github.com/containers/buildah/issues/4572
Signed-off-by: Aditya R <arajan@redhat.com>
We handle --label command line arguments by appending LABEL instructions
to the Dockerfile contents before we parse it. Previously, we were
appending a separate line for each label-value pair. Consolidate them
for the sake of tools that arbitrarily limit the length of histories
that they're willing to accept in images (boo!).
Add a similar implementation for --env command line arguments.
Previously, we'd set them in the initial configuration for each stage
and also set them at commit-time, and that potentially overrode any
values that were explicitly in the stage itself, and which would have
affected RUN instructions. Remove the set-at-commit-time logic so that
the history reflects what ends up in the image.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Allow containers running under buildah to use
--group-add keep-groups, so that they can inherit
access to the user's groups.
Also allow users to add supplemental groups to the container.
Fixes: https://github.com/containers/buildah/issues/4476
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
In golang 1.19, `io/ioutil` is fully deprecated preventing Buildah from
compiling. Replace all calls with equivalent calls from the `os`
package.
Signed-off-by: Chris Evich <cevich@redhat.com>
Buildah must support multiple sources for remote cache when using
`--cache-to` and `--cache-from` so users can distribute and collect
cache from various sources.
We also need this for compat with the buildkit API, which in the past broke the `podman`
compat build API; see: https://github.com/containers/podman/pull/16380
More discussion here: https://github.com/containers/podman/pull/16380
Signed-off-by: Aditya R <arajan@redhat.com>
While PR https://github.com/containers/buildah/pull/3947 added support
for evaluating `--build-args` in base image names for builds, it
missed processing the default value, if any. So for scenarios where `ARG`
already has a default value in the Containerfile via `ARG key=value` but
was not specified with `--build-arg key=value`, the processing ignored
the default value. The following commit just adds support for that.
Makes below Containerfile functional without any external `--build-arg`
value from CLI
```Dockerfile
ARG my_env=a
FROM alpine as stage_a
RUN /bin/true
FROM stage_${my_env} as stage_b
RUN /bin/true
```
Closes: https://github.com/containers/buildah/issues/4312
Signed-off-by: Aditya R <arajan@redhat.com>
The lack of the preservation was probably an oversight when --mount was added for RUN.
I added a test that fails without the modification and succeeds with.
Fixes #4375
Signed-off-by: Marcus Watkins <mwatkins@mitre.org>
Before this commit buildah produces warnings for UnsetBuildArgs at the
top level while preparing the build in `imagebuildah/build`, hence it
makes it hard to honor certain logic like `do not produce warning for
stages which are not used`; therefore move `warnOnUnsetBuildArgs` to
`imagebuildah/executor` so we can warn while processing each stage.
The following commit will prevent warning unnecessarily for stages which are
completely skipped.
Closes: https://github.com/containers/buildah/issues/4303
Signed-off-by: Aditya R <arajan@redhat.com>