Commit Graph

21 Commits

Author SHA1 Message Date
Miloslav Trmač 9c65e5699c Update for sysregistriesv2 API changes
Mostly this is a straightforward elimination of manual GetRegistries calls.

In getCopyOptions, we just remove setting the DockerInsecureSkipTLSVerify
values because the docker:// transport now does that automatically.  (This
actually changes behavior, because docker:// supports namespace prefixes
in addition to matching only by hostnames, but that's a superset of the
previous behavior.)

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1214
Approved by: rhatdan
2018-12-03 20:07:00 +00:00
Nalin Dahyabhai 46c577c87d ReserveSELinuxLabels(): handle wrapped errors from OpenBuilder
ReserveSELinuxLabels() checks if an error returned by OpenBuilder() is a
does-not-exist error, but OpenBuilder() returns wrapped errors now, and
it wasn't checking the root cause error.

When newBuilder() fails, check the right error value when deciding
whether or not deleting the partially-constructed container failed.

OpenBuildersByPath() shouldn't choke on non-buildah containers, so have
it handle does-not-exist errors the same way OpenAllBuilders() does.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1109
Approved by: rhatdan
2018-10-17 21:20:29 +00:00
Miloslav Trmač 6e0074eeed Move the "short name but no search registries" error handling to resolveImage
Use the value now returned by util.ResolveImage instead of trying to
recompute it.

Then drop the no longer used getRegistries.  (It might be reasonable
to split that part of util.ResolveImage to make it shorter; but it should
not ideally have any independent second-guessing callers.  So, just
keep the inlined one instead; that way we certainly don't break it.)

Also drop the no longer used hasRegistry.

CHANGES BEHAVIOR:
- Most notably, the "short name but no search registries" code
  has been broken for some time; pullImage was called with
  localhost/$shortname, which was a qualified name, so the
  specialized error handling was never attempted.
- Temporarily, the error handling in the "short name but no
  search registries" code triggers even if there were actually
  valid values to try (in practice there is always localhost/$shortname,
  and possibly also options.Registry/$shortname).  The next commit
  will improve it again.
- We now have more legitimate access to the original short name,
  so include it in the error message (it was technically available
  before, but using it was awkward).

NOTE: registriesConfPath is computed using the sysregistries
package, but actual access happens using the sysregistriesv2 package.
That should be cleaned up eventually.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #909
Approved by: rhatdan
2018-10-13 11:56:07 +00:00
Nalin Dahyabhai bc2ea08003 Make sure we log or return every error
Make sure that when attempting to diagnose an error, if we encounter an
error during the diagnostic attempt, we return the original error rather
than the error encountered in trying to diagnose it.  Log that one.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1072
Approved by: rhatdan
2018-10-07 12:07:09 +00:00
Nalin Dahyabhai 318fc8940f Enforce "blocked" for registries for the "docker" transport
Check if reading and writing from the registry named by an image is
allowed when the transport is "docker".

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1056
Approved by: rhatdan
2018-10-05 15:30:11 +00:00
Nalin Dahyabhai 62c01da3e4 Correctly set DockerInsecureSkipTLSVerify when pulling images
The image library's copy routine doesn't itself consult the registries
configuration in order to decide whether or not to disable TLS
verification when communicating with a registry, so it's on us to use
the name of a source or destination image to decide whether to set the
flag for that behavior.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1056
Approved by: rhatdan
2018-10-05 15:30:11 +00:00
Daniel J Walsh d0846b1914 Export buildah ReserveSELinuxLabels so podman can use it
We want to make sure that buildah and podman don't use the
same SELinux MCS Labels.  So we need to export this function
so libpod can use it.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1041
Approved by: rhatdan
2018-09-30 05:51:28 +00:00
Nalin Dahyabhai 36e174e779 Switch to github.com/containers/image/pkg/sysregistriesv2
Switch from using github.com/containers/image/pkg/sysregistries to using
github.com/containers/image/pkg/sysregistriesv2 to complete unqualified
image names.  Keep v1 around because it'll tell us which configuration
file to name in an error message if things don't work right.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #904
Approved by: rhatdan
2018-08-03 17:26:09 +00:00
Nalin Dahyabhai 8be2b62372 Fix handling of --registries-conf
Instead of ignoring the global --registries-conf option and using only
$REGISTRIES_CONFIG_PATH, use it for the option default.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #854
Approved by: rhatdan
2018-07-07 10:48:44 +00:00
Nalin Dahyabhai edce842f54 Break out getProcIDMappings()
Break getProcIDMappings() out of run.go and turn it into
util.GetHostIDMappings(), and add util.GetSubIDMappings() and
util.ParseIDMappings().

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #796
Approved by: rhatdan
2018-06-18 18:38:54 +00:00
Nalin Dahyabhai 002c18a3bb Break out SetupIntermediateMountNamespace()
Break runSetupIntermediateMountNamespace() into its own package.
Move stringInSlice(), getHostIDs(), and getHostRootIDs() into the util
subdirectory and export them.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #796
Approved by: rhatdan
2018-06-18 18:38:54 +00:00
Nalin Dahyabhai ae27963cb0 Add(): learn to record hashes of what we add
Add a field to AddOrCopyOptions that can take an io.Writer, more often a
hash.Hash returned by digest.Digester's Hash() method, to calculate a
sum over what we add or copy.

Make the help output summarizing the arguments that "buildah add" and
"buildah copy" accept more closely match their man pages.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #766
Approved by: rhatdan
2018-06-11 12:39:05 +00:00
TomSweeneyRedHat 043fd2e300 Add registry errors for pull
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2018-06-06 13:05:56 -04:00
Nalin Dahyabhai 00fafcf9cb Use CNI to configure container networks
Use CNI to configure networks for containers for which we create new
network namespaces.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #700
Approved by: rhatdan
2018-05-24 14:10:01 +00:00
Nalin Dahyabhai aa5cf3115e add/secrets/commit: Use mappings when setting permissions on added content
Use ID mapping information when setting permissions on content that we
add to the container, and on secrets that we copy in, on pipes that we
use for stdio, and when extracting the whole filesystem as a "layer".

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #700
Approved by: rhatdan
2018-05-24 14:10:01 +00:00
Nalin Dahyabhai 0afa60eb05 Add CLI options for specifying namespace and cgroup setup
Add options to the CLI that specify which cgroups we execute "run"
commands under, and controlling how we set up namespaces for them.
Pass them down to Builders that we create, and allow them to be
overridden by options passed to Builder.Run().

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #700
Approved by: rhatdan
2018-05-24 14:10:01 +00:00
Nalin Dahyabhai dfc4c676d0 Always set mappings when using user namespaces
If we're creating a user namespace, we always need to supply at least
one mapping for the UID and GID maps.  If we're not given any mappings,
map the ranges that are available to us, instead of assuming we can map
all possible values, in case we're already in a user namespace.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #700
Approved by: rhatdan
2018-05-24 14:10:00 +00:00
Nalin Dahyabhai 1395e1805a Read UID/GID mapping information from containers and images
Read UID/GID mapping information when creating or importing containers,
and if there is mapping information, use it when building runtime
configurations.

Mounting sysfs in a user namespace requires that we also have our own
network namespace, so default to creating one for that case.

Switch permissions on files that we bind in so that they're writable
from inside of the container.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #700
Approved by: rhatdan
2018-05-24 14:10:00 +00:00
Daniel J Walsh 8ecefa978c Vendor in changes to support sirupsen/logrus
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-10-10 17:30:11 +00:00
Nalin Dahyabhai fc880bcc86 Maintain multiple working container configs
Maintain the container configuration in multiple formats in the Buildah
object, initializing one based on the other, depending on which format
the source image used for its configuration.

Replace directly manipulated fields in the Buildah object (Annotations,
CreatedBy, OS, Architecture, Maintainer, User, Workdir, Env, Cmd,
Entrypoint, Expose, Labels, and Volumes) with accessor functions which
update both configurations and which read from whichever one we consider
to be authoritative.  Drop Args because we weren't using them.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #102
Approved by: rhatdan
2017-05-18 18:28:44 +00:00
Nalin Dahyabhai 04ce6f39c4 imagebuildah: Reexport some things
Have imagebuildah reexport some constants and its own Mount type, to
reduce the number of our dependencies that a prospective consumer of
this package would also need to import directly.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #84
Approved by: rhatdan
2017-04-24 14:33:43 +00:00