This is a rework of Qi Wang's patches.
Import package pkg/config from containers/common to read containers.conf
This patch allows users to specify default values stored in containers.conf
that will modify the behaviour of buildah tool.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #2011
Approved by: TomSweeneyRedHat
Close source files after we've finished reading from them, rather than
leaving it for later.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #2072
Approved by: giuseppe
Don't start digesting the contents of any file that we end up skipping.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #2072
Approved by: giuseppe
When generating the list of exclusions to process .dockerignore
contents, don't include .dockerignore if we don't have a .dockerignore
file in the context directory. That way, if the file doesn't exist, and
the caller didn't pass in any patterns, we get no patterns instead of
just one ".dockerignore" pattern, and we can hit the faster copy path.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #2072
Approved by: giuseppe
Remove go 1.12.x from the testing matrix to consume less resources from
Travis and save some energy.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We are always adding .dockerignore to the pattern list; if this is the only pattern
then no patterns were added to the list, and we should return nil.
This is causing a major slowdown in buildah, since it is not using the optimized tar for
copying.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #2070
Approved by: saschagrunert
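
Added example, not Buildah's own code: one way to build the exclusion list that the two .dockerignore commits above describe, so that a context directory without a .dockerignore and without caller patterns yields nil and the fast copy path. The names `exclusions` and `fastCopy` are hypothetical, and the temporary directory is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// exclusions builds the pattern list for a copy out of contextDir. The name and
// signature are hypothetical; this is not Buildah's function.
func exclusions(contextDir string, callerPatterns []string) ([]string, error) {
	patterns := append([]string(nil), callerPatterns...)
	f, err := os.Open(filepath.Join(contextDir, ".dockerignore"))
	switch {
	case err == nil:
		defer f.Close()
		sc := bufio.NewScanner(f)
		for sc.Scan() {
			if line := strings.TrimSpace(sc.Text()); line != "" && !strings.HasPrefix(line, "#") {
				patterns = append(patterns, line)
			}
		}
		if err := sc.Err(); err != nil {
			return nil, err
		}
		// The file exists, so keep it out of the copied content as well.
		patterns = append(patterns, ".dockerignore")
	case !os.IsNotExist(err):
		return nil, err // unreadable file: fail rather than silently copy everything
	}
	if len(patterns) == 0 {
		return nil, nil // nothing to match: caller can take the fast copy path
	}
	return patterns, nil
}

// fastCopy reports whether the unfiltered (faster) copy path may be used.
func fastCopy(patterns []string) bool { return len(patterns) == 0 }

func main() {
	dir, _ := os.MkdirTemp("", "ctx") // constructed empty context directory
	defer os.RemoveAll(dir)
	p, err := exclusions(dir, nil)
	fmt.Println(p, err, fastCopy(p))
}
```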
Fix man page instances of 'registries.conf(5)' et al.
The correct man page is containers-registries.conf(5).
Found via:
$ for i in registries.conf storage.conf policy.json ; do grep $i.5 docs/*.md | grep -v containers-$i;done
In buildah.md, I simply removed the storage.conf line from
the 'Commands' table because it's not a command.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #2068
Approved by: TomSweeneyRedHat
Update the openshift/api dependency to the latest commit. Several users
have reported that the go.mod couldn't be parsed, which should now be
fixed.
Fixes: #2042
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Closes: #2066
Approved by: rhatdan
Fix bug where buildah does not check the .dockerignore file if the source of a COPY instruction is a filepath. This patch will skip the path if the overall result of the dockerignore matcher is true.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Closes: #2064
Approved by: rhatdan
PR #2039 broke system tests, because they're installed in /usr:
# buildah bud -v /usr/share/buildah/test/system:/testdir:rw,z /usr/share/buildah/test/system/bud/mount
...
error building at STEP "RUN mount": error resolving mountpoints for container "173c5e567e95f2604b5ea677f5e5364839d5b455a9081cdb4101f20242997e5e": relabeling "/usr/share/buildah/test/system" failed: relabeling content in /usr is not allowed
Solution: mount a volume from TESTDIR (singular), which is in TMPDIR,
not TESTSDIR (plural), which is our test source dir.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #2065
Approved by: vrothberg
@tanzislam noted [1] that Buildah should be using the -traditional flag
to prevent CPP from removing trailing backslashes in non-directive lines
and the -undef flag to prevent built-in macros from expansion (e.g.,
"linux" to "1").
[1] https://github.com/moby/moby/issues/735#issuecomment-568720297
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Closes: #2044
Approved by: TomSweeneyRedHat
Bumping c/storage to v1.15.5. Once merged I'll spin up
a Buildah v1.13.0
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #2050
Approved by: rhatdan
If the volume option was specified like: `--volume "${HOME}/.cache/zae9ujei:/myvol:rw,Z"`,
the COBRA code that processed the input from the user was considering the value to be a
SliceVar with two volumes `${HOME}/.cache/zae9ujei:/myvol:rw` and `Z` due to the comma.
Converted the COBRA code to consider the input as an ArrayVar instead and the value is
handled appropriately. Also increased the testing to catch this going forward.
Addresses: #2000
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #2039
Approved by: rhatdan
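
Added example, not Buildah or Cobra code: the difference between slice and array flag semantics described above, for the same `--volume` value. It assumes the slice flag splits its value as one CSV record, simulated here with Go's `encoding/csv`; `splitLikeSlice`, `Volume` and `parseVolumes` are hypothetical names and the sample path is constructed.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// splitLikeSlice mimics a comma-splitting slice flag: the value is read as one CSV record.
func splitLikeSlice(raw string) ([]string, error) {
	return csv.NewReader(strings.NewReader(raw)).Read()
}

// Volume is a parsed src:dst[:options] spec (hypothetical type for this example).
type Volume struct {
	Src, Dst string
	Options  []string
}

// parseVolumes rejects any value that is not src:dst[:options] instead of guessing.
func parseVolumes(values []string) ([]Volume, error) {
	var out []Volume
	for _, spec := range values {
		parts := strings.SplitN(spec, ":", 3)
		if len(parts) < 2 || parts[0] == "" || parts[1] == "" {
			return nil, fmt.Errorf("invalid volume %q: want src:dst[:options]", spec)
		}
		v := Volume{Src: parts[0], Dst: parts[1]}
		if len(parts) == 3 {
			v.Options = strings.Split(parts[2], ",")
		}
		out = append(out, v)
	}
	return out, nil
}

func main() {
	raw := "/home/user/.cache/zae9ujei:/myvol:rw,Z" // constructed sample value
	split, _ := splitLikeSlice(raw)
	_, err := parseVolumes(split) // slice semantics: "Z" arrives as a second volume
	fmt.Printf("slice: %q -> %v\n", split, err)
	vols, _ := parseVolumes([]string{raw}) // array semantics: one flag, one value
	fmt.Printf("array: %+v\n", vols)
}
```

With slice semantics the `Z` relabel option is detached from its volume, so a parser has to reject the stray value rather than mount the volume without it.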
Podman uses the overlay mounts differently than in buildah. Specifically the
overlay mount points can be used over and over again when starting and stopping
the container. Since the paths are backed into the container config, we have
to be able to clean out just the Upper and Merged directory rather than destroying
and recreating the overlay directories on each container start.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1822
Approved by: vrothberg
1. We need to update all packages in the buildah image to make sure they are
up to date.
2. Reinstall shadow-utils. For some reason the fedora base image does not
include the file capabilities assigned to /usr/bin/newuidmap and
/usr/bin/newgidmap. Reinstalling shadow-utils brings them back.
3. Add a default user `build` to the system. This will ensure the
/etc/subuid and /etc/subgid maps get created correctly.
Once we have this we should be able to build a container starting with a
non-privileged user:
podman run -ti --user build --device=/dev/fuse -v ./Dockerfile:/Dockerfile:z quay.io/buildahi/stable buildah bud /
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #2038
Approved by: baude
If host is running in fips mode, then RHEL8.2 and beyond container images
will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
order to make all tools in the container follow the FIPS Mode rules.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
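
Added example, not Buildah's own code: the decision described in the FIPS commit above, returning the bind mount only when the host is in FIPS mode and the image ships the FIPS back-ends directory. The function names are hypothetical; the kernel flag file `/proc/sys/crypto/fips_enabled` is passed in as a parameter so the check can be exercised against a constructed file.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Container-side paths taken from the commit message.
const (
	fipsBackends   = "/usr/share/crypto-policies/back-ends/FIPS"
	policyBackends = "/etc/crypto-policies/back-ends"
)

// hostInFIPSMode reads the kernel flag file. A missing file means the kernel
// exposes no FIPS switch, which is treated as "off".
func hostInFIPSMode(flagFile string) (bool, error) {
	b, err := os.ReadFile(flagFile)
	if os.IsNotExist(err) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	return strings.TrimSpace(string(b)) == "1", nil
}

// fipsBindMount returns the host-side source (inside rootfs) and the
// container-side destination, or ok=false when no mount should be added.
func fipsBindMount(flagFile, rootfs string) (string, string, bool, error) {
	on, err := hostInFIPSMode(flagFile)
	if err != nil || !on {
		return "", "", false, err
	}
	src := filepath.Join(rootfs, fipsBackends)
	if st, statErr := os.Stat(src); statErr != nil || !st.IsDir() {
		return "", "", false, nil // image has no FIPS back-ends to mount
	}
	return src, policyBackends, true, nil
}

func main() {
	src, dst, ok, err := fipsBindMount("/proc/sys/crypto/fips_enabled", "/")
	fmt.Println(src, dst, ok, err)
}
```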
Or set it to /var/tmp if the user did not specify.
Currently certain large workloads cannot be handled because users are running
out of space on pulls and pushes. Containers/image stores data temporarily in
the file system. This allows the user to override the location of the temporary
storage.
Also update containers/image to v5.0.1
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The 'pull --all-tags' test flakes often in CI, e.g.:
unexpected http code: 500 [...] URL: https://auth.docker.io/...
This is a remote registry error, not one we can resolve
on our end without complex retry-pull logic.
Here is an alternative which I believe provides better
testing anyway: instead of relying heavily on a remote
registry, do all the work using our already-set-up local
one. Pull one image (yes, sigh, from remote registry)
and push it locally with various different tags. Then
pull with --all-tags and make sure we get what we expect.
Advantages:
+ less reliance on network & remote server
+ less reliance on the _setup_ of said server, i.e.
we don't have to just blindly trust that there
will be multiple tagged versions of an image
+ better testing: since we know what we push to
the local registry, we know exactly what we
should expect to see on pull, and we now
actually test that instead of a handwavey
"oh just hope that there are more than three"
+ better testing of messages, and comparing image IDs
Disadvantages:
- I've rolled two tests into one. (I'm not sure what the
purpose was of pull-with-alltags-from-registry. Is the
behavior that different?)
- In a development environment or some imaginary CI
environment in which the local registry is persistent
across runs, if someone were to remove one or more
tags from the 'tags=(...)' list, tests would fail
because the registry would include more tagged images
(saved in a previous run) than the test expects. The
diagnostic in this case would not be very helpful.
And of course, while I'm at it, improve a few of the other
tests: don't just check for error on non-docker --all-tags
pulls, actually make sure we get the expected message.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #2032
Approved by: rhatdan
Split out into its own commit, because it's a big one
to review.
The same code was literally copy-pasted a bunch of times, with
the only difference being the use of $doomeddir vs $destdir in
a couple of spots. Refactor, and while we're at it refactor the
tests for expected matches and mismatches.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #2029
Approved by: rhatdan
This is the manual part of the cleanup.
- remove most 'buildah rm's from cleanup steps
- remove unused variables
- use expect_output when possible, not 'test [ x = y ]'
- includes fixing some not-what-you-think-it-is uses
of run_buildah | grep
- be careful not to leave droppings in current directory
Special attention to:
- authenticate.bats: create Dockerfile in temp dir, not pwd!
- push.bats: remove broken output check
- registries.bats: refactor, remove duplicate tests & code
- rmi.bats: better checking of messages
- secrets.bats: use TESTDIR (tmp), not TESTSDIR (/usr/share) !
We don't want to leave droppings behind if we fail; this has
bitten us before. And, since there's only one test, there's
no need to override setup() / teardown(). Do setup inline,
and take advantage of existing defaults.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #2029
Approved by: rhatdan
Replace plain 'buildah' invocations with run_buildah
For ease of review, this commit was entirely machine-generated via:
$ perl -pi -e 's/^(\s+)buildah(\s)/${1}run_buildah${2}/' *.bats
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #2029
Approved by: rhatdan
Replace this pattern:
cid=$(buildah ...)
with:
run_buildah ...
cid=$output
As a special case, if the buildah command is 'from' and the
string 'scratch' does not appear in the arguments, add '--quiet'.
Otherwise we'll get Pulling messages as part of $output. This
is an overkill solution.
For ease of review, this commit was entirely machine-generated via:
$ perl -pi -e 's{^(\s+)(\S+)=\$\(buildah (.*)\)$}{$indent=$1;$var=$2;$cmd=$3; $cmd =~ s/(\bfrom)\s(?!.*scratch)/$1 --quiet $2/; "${indent}run_buildah $cmd\n$indent$var=\$output"}e' *.bats
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #2029
Approved by: rhatdan
PR #1935 removed the default --debug logging; so all run_buildah
calls now use the default (error). It is safe to remove unnecessary
instances of --log-level=error .
For ease of review, this commit was entirely machine-generated via:
$ perl -pi -e 's/ --log-level=error / /' *.bats
Signed-off-by: Ed Santiago <santiago@redhat.com>
Closes: #2029
Approved by: rhatdan