Some Dockerfiles (fuse-overlay) require additional devices to be in the
build environment.
This patch allows the user to specify additional devices.
Also I noticed that CapAdd and CapDrop were not working in buildah bud situations,
so this patch also fixes this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1820
Approved by: @TomSweeneyRedHat
the podman remote-client for windows pulls in some buildah code for
things like commit and build. we need to perform some slight
refactoring of buildah code to accommodate that build.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1551
Approved by: rhatdan
This will make vendoring in pkg/unshare easier into other
packages like skopeo.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1532
Approved by: TomSweeneyRedHat
- pass all proxy env vars
- --http-proxy option for bud and from
- bash_completion and docs
Signed-off-by: James Cassell <code@james.cassell.me>
Closes: #1525
Approved by: giuseppe
use --dns* flags to change /etc/resolv.conf in the container during the build.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Closes: #1491
Approved by: rhatdan
We don't want to vendor anything from libpod into Buildah.
We want to switch this around. Moving pkg content from libpod
to Buildah allows us to fix this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1400
Approved by: giuseppe
The {Add,Del}NetworkList APIs were extended with a context parameter,
which requires adjustments in the code.
Fixes: #1433
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Closes: #1434
Approved by: rhatdan
if --net is not specified, default to use the host network namespace.
It is still possible to use slirp4netns with --network container.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1690209
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1421
Approved by: rhatdan
it improves significantly the performance of the slirp4netns network:
777bdcccef (iperf3-netns---host)
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1404
Approved by: vrothberg
setup.rpm attempts to modify /etc/hosts, if it thinks
it has never been modified. By adding a #comment to the
front of the file, it should prevent this from blowing up
the build.
Also add hostname to the /etc/hosts file linked to localhosts
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1313
Approved by: vrothberg
Starting to remove dependency on libpod from buildah.
secrets is used so that builds can access RHEL subscriptions
so this makes more sense to be in buildah than libpod.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1366
Approved by: vrothberg
For some reason, the CI does not report any of these; on macOS
I see many more reports (including complaints about the standard
library), this only cleans up the trivial cases.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #1365
Approved by: rhatdan
When reading the last of the output from a child process, ignore an EIO,
since we already got the HUP indication.
Avoid double-logging errors in our I/O loop when using isolation other
than chroot (spotted by @afbjorklund).
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1273
Approved by: rhatdan
This will get buildah bud to follow docker build handling of
hostname environment variable and hostname command properly
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1242
Approved by: giuseppe
runc has a good "auto detect" mode to find out when running in
rootless mode. It also makes it easier to plug in another OCI runtime,
since --rootless is not part of the OCI specs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: TomSweeneyRedHat
change the logic for bind mounting /etc/hosts and /etc/resolv.conf in
the container. Now they are not bind mounted when they are specified
as volumes, so it is still possible to have them writeable in the
container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1156
Approved by: rhatdan
If slirp4netns is available, use it to configure the network for the
rootless isolation mode.
Closes: https://github.com/containers/buildah/issues/1139
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1156
Approved by: rhatdan
When changing settings for rootless containers, only discard the part of
the networking configuration that specifies which networks we want to
configure, and preserve whether or not we want to use the host's network
namespace.
If we were told to create an empty network namespace or to just attach
to another namespace, go ahead and try to do that.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1146
Approved by: rhatdan
Only set up bind mounts of copies of the host's /etc/hosts and
/etc/resolv.conf files if we're not just going to create a new,
unconfigured network namespace.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1146
Approved by: rhatdan
Break setup for built-in volumes into independent steps where we create
the volume's mount point, the directory that will hold its contents, and
if there is content under the mount point, populate the volume with the
mount point's contents.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1126
Approved by: rhatdan
ReserveSELinuxLabels() checks if an error returned by OpenBuilder() is a
does-not-exist error, but OpenBuilder() returns wrapped errors now, and
it wasn't checking the root cause error.
When newBuilder() fails, check the right error value when deciding
whether or not deleting the partially-constructed container failed.
OpenBuildersByPath() shouldn't choke on non-buildah containers, so have
it handle does-not-exist errors the same way OpenAllBuilders() does.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1109
Approved by: rhatdan
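The root-cause check this commit describes, as an added Go example that is not buildah's code: openBuilder stands in for OpenBuilder() and returns a wrapped does-not-exist error, and the standard library's errors.Is is used in place of pkg/errors' Cause() to reach the underlying error.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// openBuilder is a stand-in (assumption) for OpenBuilder(): like the post-change
// OpenBuilder(), it returns the does-not-exist error wrapped with context.
func openBuilder(name string) error {
	if name != "working-container" {
		return fmt.Errorf("error reading build container %q: %w", name, os.ErrNotExist)
	}
	return nil
}

// isNotExistBuggy mirrors the pre-fix check in ReserveSELinuxLabels(): it looks
// only at the outer error, so a wrapped does-not-exist error is not recognised
// and a routine "no such container" is treated as a hard failure.
func isNotExistBuggy(err error) bool {
	return os.IsNotExist(err)
}

// isNotExistFixed checks the root cause, as the fix does with errors.Cause():
// errors.Is walks the wrap chain down to os.ErrNotExist.
func isNotExistFixed(err error) bool {
	return errors.Is(err, os.ErrNotExist)
}

// reserveLabel models the decision ReserveSELinuxLabels() makes: a missing
// container is skipped, any other error is propagated to the caller.
func reserveLabel(name string, isNotExist func(error) bool) (skipped bool, err error) {
	if oerr := openBuilder(name); oerr != nil {
		if isNotExist(oerr) {
			return true, nil
		}
		return false, oerr
	}
	return false, nil
}

func main() {
	for _, check := range []struct {
		label string
		fn    func(error) bool
	}{{"buggy", isNotExistBuggy}, {"fixed", isNotExistFixed}} {
		skipped, err := reserveLabel("gone", check.fn)
		fmt.Printf("%s: skipped=%v err=%v\n", check.label, skipped, err)
	}
}
```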
--no-pivot: "do not use pivot root to jail process inside rootfs.
This should be used whenever the rootfs is on top of a ramdisk"
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
Closes: #1071
Approved by: rhatdan
Make sure that when attempting to diagnose an error, if we encounter an
error during the diagnostic attempt, we return the original error rather
than the error encountered in trying to diagnose it. Log that one.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #1072
Approved by: rhatdan
When creating a building VOLUME for a container we need to create it
with the ownership/permissions of the directory that we will be mounting on.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We need to be able to run sudo commands inside of Dockerfiles
even when containers are set up with non root.
This patch retains the bounding set for containers run with non root user.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1001
Approved by: vrothberg
When seccomp is not enabled, make sure to clear any default setting
which runtime-tools supplied for us. Likewise, if SELinux is not
enabled, don't set a process label or a mount label.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #988
Approved by: rhatdan
When we're polling to handle stdio for a container, when we detect a HUP
on our stdin, read all that we can from stdin before closing it, instead
of reading only, at most, a single chunk of bytes.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #980
Approved by: rhatdan
Make the chroot() call before applying a seccomp filter, which might not
allow us to do it. Add more debugging messages.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #979
Approved by: rhatdan
When running outside of a container, --no-pivot isn't necessary, and
when running inside of a container, it's not enough to solve any of the
difficulties we're seeing there. It may trigger an EPERM for unshare()
calls inside of the container that we launch, and we don't want that, so
drop it, for now at least.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #921
Approved by: rhatdan
Add an IsolationOCIRootless that runs the OCI runtime with its
--rootless flag, with network and UTS namespaces disabled, with IPC,
PID, and user namespaces forcibly enabled. In this mode, we don't
attempt to set the container's hostname (because we don't have our own
UTS namespace), and we don't try to set any supplemental groups. The
/sys directory is replaced with a bind mount of the host's /sys rather
than a fresh sysfs instance.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #873
Approved by: rhatdan
Add a new Isolation value: IsolationOCIRootless, for which we add a
global --rootless=true flag and a local --no-new-keyring flag when
creating a runtime container, and make some changes to the mounts list,
default namespacing configurations, and supplemental groups list.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #873
Approved by: rhatdan
Add an IsolationChroot that trades flexibility and isolation for being
able to do what it does in a host environment that's already isolated to
the point where we're not allowed to set up some of that isolation,
producing a result that leans more toward chroot(1) than runc(1) does.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #836
Approved by: rhatdan
Before calling runCollectOutput() to read error information from pipes,
make sure we've closed our handles to the writing ends of the pipes.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #872
Approved by: rhatdan
/proc/acpi allows containers to modify certain settings on the host, without
SELinux enabled.
/proc/keys allows information about keys on the host to leak into the containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #853
Approved by: rhatdan
Don't pass a nil error value to errors.Wrapf() when we want to report an
error, since it's documented as returning nil for that case.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #856
Approved by: rhatdan
the goal here is to allow ourselves to cross compile buildah for a darwin
target. we are doing this to eventually protect from regressions that could
creep into buildah so we don't dig ourselves a deeper hole.
the simplified and non-variable approach to the make darwin was done with
intent to keep this simple until we can exploit things a little more.
once this PR merges, i will create a CI test that will test for regressions
on a make darwin. we should also be doing a gofmt with a darwin target so the
!linux|darwin tagged files are also checked for completeness. initially the
test can be optional for passing with the long-term idea that it be made
a firm requirement at the buildah maintainers' behest.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #840
Approved by: rhatdan
Remove the configureNetwork parameter from runConfigureNetwork(), which
was only called if the value was true, and which runConfigureNetwork()
itself never used.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #834
Approved by: rhatdan
Explicitly force the owner of /etc/hosts and /etc/resolv.conf to 0:0 in
the container, instead of attempting to let ID mapping implicitly handle
it, since when we're being run unprivileged, the owners of the source
files are already unmapped IDs.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #823
Approved by: rhatdan