Commit Graph

65 Commits

Author SHA1 Message Date
Josh Soref c7963db369 Spelling
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-21 16:47:18 -05:00
Eduardo Vega 1f4e751770 Add U volume flag to chown source volumes
Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
2020-12-16 14:07:26 -06:00
Daniel J Walsh d9a7f13665
Add container information to .containerenv
We have been asked to leak some container information
and image information into the container to be used
by certain tools. (Toolbox and others)

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-11-24 15:56:38 -05:00
Daniel J Walsh 2099ad769f
Switch to using containers/common pkg's
pkg/secrets has been moved and slightly rewritten
in containers/common, along with pkg/umask.

Convert Buildah to use these packages rather than internal
packages.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-11-20 15:46:30 -05:00
Nalin Dahyabhai 002c88e256 Run: don't forcibly disable UTS namespaces in rootless mode
I can't remember why we disabled UTS namespaces for rootless isolation,
but it doesn't look necessary.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2020-11-12 14:46:06 -05:00
Nalin Dahyabhai 21397a1be2 Run: correctly call copier.Mkdir
Make sure the directory we're creating is explicitly below the chroot we
want to create it under.

Fix a similar incorrect call in imagebuildah.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2020-11-06 16:53:36 -05:00
Daniel J Walsh e8f92e09a1
(*Builder).Run: MkdirAll: handle EEXIST error
It is not entirely correct to always ignore EEXIST here. It should only
be ignored in one special case: when a working directory already exists,
and is an absolute symlink to another directory under container root.

MkdirAll reports an error because the symlink is broken in the host
context (without chroot).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-11-03 20:29:48 -05:00
Daniel J Walsh dc03c3e2f6
fix MkdirAll usage
This subtle bug keeps lurking in because error checking for `Mkdir()`
and `MkdirAll()` is slightly different wrt `EEXIST`/`IsExist`:

 - for `Mkdir()`, `IsExist` error should (usually) be ignored
   (unless you want to make sure directory was not there before)
   as it means "the destination directory was already there";

 - for `MkdirAll()`, `IsExist` error should NEVER be ignored.

This commit removes ignoring the IsExist error, as it should not
be ignored.

[v2: skip patching (*Builder).Run]

For more details, a quote from opencontainers/runc PR #162:

-quote-

TL;DR: check for IsExist(err) after a failed MkdirAll() is both
redundant and wrong -- so two reasons to remove it.

Quoting MkdirAll documentation:

> MkdirAll creates a directory named path, along with any necessary
> parents, and returns nil, or else returns an error. If path
> is already a directory, MkdirAll does nothing and returns nil.

This means two things:

1. If a directory to be created already exists, no error is
returned.

2. If the error returned is IsExist (EEXIST), it means there exists
a non-directory with the same name as MkdirAll needs to use for
directory. Example: we want to MkdirAll("a/b"), but file "a"
(or "a/b") already exists, so MkdirAll fails.

The above is a theory, based on quoted documentation and my UNIX
knowledge.

3. In practice, though, current MkdirAll implementation [1] returns
ENOTDIR in most of the cases described in #2, with the exception when
there is a race between MkdirAll and someone else creating the
last component of MkdirAll argument as a file. In this very case
MkdirAll() will indeed return EEXIST.

Because of #1, IsExist check after MkdirAll is not needed.

Because of #2 and #3, ignoring IsExist error is just plain wrong,
as directory we require is not created. It's cleaner to report
the error now.

Note this error is all over the tree, I guess due to copy-paste,
or trying to follow the same usage pattern as for Mkdir(),
or some not quite correct examples on the Internet.

> [1] https://github.com/golang/go/blob/f9ed2f75/src/os/path.go

-end-quote-

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-11-03 15:39:21 -05:00
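The two commits above describe the same pitfall from both sides: an `IsExist` error from `os.MkdirAll` must not be swallowed, except in one narrow case, where the path already exists as an absolute symlink that is only dangling because it is being looked at from the host rather than from inside the container's root. The following is an added example, not Buildah's own code, that puts the anti-pattern next to a function following the rule in the (*Builder).Run fix. The names `mkdirAllIgnoringExist`, `ensureDirUnderRoot` and the throwaway rootfs layout in `main` are all hypothetical; the behaviour of `os.MkdirAll` it relies on (ENOTDIR when a component is a file, EEXIST when a non-directory sits at the final path) is that of the Go standard library.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// mkdirAllIgnoringExist is the anti-pattern the commit message quotes:
// any IsExist error from MkdirAll is treated as success, even though the
// directory was not created (for example a dangling symlink or a file sits
// at the path). Shown only for contrast.
func mkdirAllIgnoringExist(path string) error {
	if err := os.MkdirAll(path, 0o755); err != nil && !os.IsExist(err) {
		return err
	}
	return nil
}

// ensureDirUnderRoot creates rootfs/rel with MkdirAll and never ignores an
// IsExist error on its own. The single tolerated case, following the
// (*Builder).Run fix: rel already exists as an absolute symlink whose
// target, resolved inside rootfs rather than on the host, is a directory.
// Errors such as ENOTDIR (a file in the way) are always reported.
// rootfs and rel are hypothetical caller-supplied paths.
func ensureDirUnderRoot(rootfs, rel string) error {
	root := filepath.Clean(rootfs)
	full := filepath.Join(root, rel)
	err := os.MkdirAll(full, 0o755)
	if err == nil {
		return nil
	}
	if !errors.Is(err, fs.ErrExist) {
		return err // ENOTDIR, EACCES, ...: something is genuinely wrong
	}
	// EEXIST: MkdirAll's Stat did not see a directory (the link dangles in
	// the host's view), but Mkdir found something at the path. Inspect it.
	fi, lerr := os.Lstat(full)
	if lerr != nil || fi.Mode()&os.ModeSymlink == 0 {
		return err
	}
	target, rerr := os.Readlink(full)
	if rerr != nil || !filepath.IsAbs(target) {
		return err
	}
	// Re-root the absolute target under rootfs and refuse ".." escapes.
	inRoot := filepath.Join(root, target)
	if inRoot != root && !strings.HasPrefix(inRoot, root+string(os.PathSeparator)) {
		return err
	}
	tfi, serr := os.Stat(inRoot)
	if serr != nil || !tfi.IsDir() {
		return err
	}
	return nil // the link points at a directory inside the rootfs: nothing to do
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// Constructed scenario: a throwaway rootfs with a symlinked workdir.
	rootfs, err := os.MkdirTemp("", "rootfs-")
	must(err)
	defer os.RemoveAll(rootfs)
	must(os.Mkdir(filepath.Join(rootfs, "target"), 0o755))
	must(os.Symlink("/target", filepath.Join(rootfs, "work")))    // valid inside the chroot
	must(os.Symlink("/nowhere", filepath.Join(rootfs, "broken"))) // dangling everywhere
	must(os.WriteFile(filepath.Join(rootfs, "file"), []byte("x"), 0o644))

	fmt.Println("work:    ", ensureDirUnderRoot(rootfs, "work"))                    // <nil>
	fmt.Println("broken:  ", ensureDirUnderRoot(rootfs, "broken"))                  // error (IsExist)
	fmt.Println("buggy:   ", mkdirAllIgnoringExist(filepath.Join(rootfs, "broken"))) // <nil>, wrongly
	fmt.Println("file/sub:", ensureDirUnderRoot(rootfs, "file/sub"))                // error (not IsExist)
}
```

The "broken" line is the one that matters: the anti-pattern reports success for a path where no directory exists, while the checked version reports the EEXIST it got. The "file/sub" line shows why checking `IsExist` after `MkdirAll` is redundant in the first place: a file in the way surfaces as ENOTDIR, not EEXIST.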
Daniel J Walsh 39f4cfb79d
Stop excessive wrapping
Golang built in functions like os.Create and others print the name of
the file system object when they fail.  Wrapping them a second time
with the file system object, makes the error message look like crap
when reported to the user.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-10-15 14:03:13 -04:00
Nalin Dahyabhai bf41a3d707 Makefile: tweak the cross-compile target
What `go tool dist list` says the toolchain supports changes, so this
change removes these attempted cross-compile build targets.
* GOOS=darwin, GOARCH unspecified
* GOOS=darwin, GOARCH=386

Replace our use of slices of
github.com/opencontainers/runc/libcontainer/configs.Device structures
with a locally-defined type alias so that we can avoid importing the
package on non-Unixy systems.  The result is not going to be a very
useful binary on non-Linux systems, but it helps ensure that our
subpackages won't break compilation for other projects who consume us as
a library.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2020-09-24 12:09:48 -04:00
Nalin Dahyabhai 72e0721b2b Run(): ignore containers.conf's environment configuration
The hardwired default for containers.conf now includes a TERM variable,
and passing it through to commands that we "RUN" during a build can
subtly cause the resulting image to be different from one that `docker
build` would create, so stop using it there.

When a runtime runs the image we eventually produce, it'll consult the
configuration file, so the variable will still be set, even when it
isn't set in the image.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2020-09-17 14:43:37 -04:00
bors[bot] f39d40e632
Merge #2560
2560: Rework ADD/COPY to use the copier package r=giuseppe a=nalind

#### What type of PR is this?

/kind failing-test 

#### What this PR does / why we need it:

Use the copier package for ADD, COPY, and for ensuring that a specified directory exists in the working container's rootfs.  This should improve our speed when a .dockerignore file is being used, and correctness all around.

When evaluating cache for content that's being copied/added in, switch from (digest the data, check for a cache entry, then maybe copy the data and create the new layer) to (copy the data and create the new layer, digesting as we go, check for a cache entry, either commit or discard the new layer).  This reduces the amount of data that we read from disk, which helps when the data being read doesn't all fit in the kernel's cache, and if we end up keeping the result, costs us nothing compared to what we were doing before.

#### How to verify it

More of our conformance tests should pass, and existing tests should continue to pass.  (We do update a couple of integration tests, but I believe they were expecting incorrect behavior before.)

#### Which issue(s) this PR fixes:

Fixes #574.
Fixes #2476.

#### Special notes for your reviewer:

This is another part of #2480.

#### Does this PR introduce a user-facing change?

```
ADD and COPY should be faster when a .dockerignore file is being used.
```

Co-authored-by: Nalin Dahyabhai <nalin@redhat.com>
2020-08-22 11:49:27 +00:00
Nalin Dahyabhai 3835460c3b Use pipes for copying
Use the copier package to rework how we handle ADD and COPY.

When evaluating cache for content that's being copied/added in, switch
from (digest the data, check for a cache entry, then maybe copy the data
and create the new layer) to (copy the data and create the new layer,
digesting as we go, check for a cache entry, either commit or discard
the new layer).

Use the copier package for ADD, COPY, and for ensuring that a specified
directory exists in the working container's rootfs.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2020-08-21 12:34:00 -04:00
Giuseppe Scrivano 62dcf0c40c
run: include stdout in error message
improve the error message by including the command stdout, if any.
Stderr is already handled.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-08-21 14:11:57 +02:00
Giuseppe Scrivano e613e90e32
run: use the correct error for errors.Wrapf
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-08-21 13:59:41 +02:00
Daniel J Walsh 07732c3eab
Fix errors found in coverity scan
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-08-13 09:04:36 -04:00
TomSweeneyRedHat e3da008aea Don't bind /etc/host and /etc/resolv.conf if network is not present
If there's no network present in the container, don't bind
the /etc/hosts file as any changes from the caller will
be lost when run exits. Ditto the /etc/resolv.conf file.

Addresses: #2478

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2020-08-01 17:34:22 -04:00
Nalin Dahyabhai 92e0c3fdcf Rework conformance testing
Move the conformance tests from ginkgo to using the default testing
package and github.com/stretchr/testify/require, preserving the existing
tests and adding more.

Add conformance tests to our Cirrus configuration, currently marked as
an allowed failure.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2020-07-23 15:30:58 -04:00
Daniel J Walsh d2e0cd8988
Merge pull request #2434 from giuseppe/no-kill-error
linux: skip errors from the runtime kill
2020-07-14 13:29:07 -04:00
bors[bot] 0bad47cf24
Merge #2465
2465: Deduplicate environment variables r=rhatdan a=nalind

#### What type of PR is this?

> /kind cleanup

#### What this PR does / why we need it:

When combining lists of environment variables read from base images with defaults supplied from our own configuration, ensure that the resulting environment we produce only contains one value for any given variable.  While adding variables to a runtime spec using `github.com/opencontainers/runtime-tools/generate.Generator.AddProcessEnv()` ensures that later values in the list override values that occur earlier, we shouldn't be depending on that.

#### How to verify it

#### Which issue(s) this PR fixes:

None

#### Special notes for your reviewer:

Related to https://github.com/openshift/imagebuilder/pull/169.

#### Does this PR introduce a user-facing change?

```
None
```

Co-authored-by: Nalin Dahyabhai <nalin@redhat.com>
2020-07-14 16:37:29 +00:00
Nalin Dahyabhai abda6f3156 Deduplicate environment variables
When combining lists of environment variables, or environment variables
combined with build arguments, always deduplicate sets of values.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2020-07-13 18:09:57 -04:00
Daniel J Walsh 68389aa4ec
Mask out /sys/dev to prevent information leak
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-07-13 16:18:37 -04:00
Giuseppe Scrivano ddf7f01876
linux: skip errors from the runtime kill
fix a race condition where the container process could exit before the
runtime sends the signal, causing the command to fail.

Part of: https://github.com/containers/crun/issues/422

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-07-09 22:44:56 +02:00
Daniel J Walsh c00b434cd2
Mask over the /sys/fs/selinux in mask branch
This is required so that the mount point shows up when buildah
is vendored into Podman.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-07-08 14:03:47 -04:00
dependabot-preview[bot] 9fb931ca7a
Bump github.com/containers/common from 0.14.0 to 0.15.2
Bumps [github.com/containers/common](https://github.com/containers/common) from 0.14.0 to 0.15.2.
- [Release notes](https://github.com/containers/common/releases)
- [Commits](https://github.com/containers/common/compare/v0.14.0...v0.15.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-07-08 05:23:48 -04:00
Brandon Lum 40df1c6e3b Fix errorf conventions
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
2020-04-04 01:12:25 +00:00
Daniel J Walsh b2e7110255
vendor in latest containers/storage 1.18.0 and containers/common v0.7.0
This vendor moves containers/common/pkg/unshare to containers/storage/pkg/unshare

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-03-31 09:56:18 -04:00
Nick Carboni 7535471ff6 Don't add args to the RUN environment from the Builder
The correct args are already contained in the RunOptions.
They were resolved by the imagebuilder library's Step
(edcddd8483/builder.go (L311-L317))
function

This was previously adding args that should not have been accessible
in the current stage as they were not first referenced by an ARG
command

Signed-off-by: Nick Carboni <ncarboni@redhat.com>
2020-03-26 13:43:49 -04:00
Daniel J Walsh 8bcc55a5ee
Fix FORWARD_NULL errors found by Coverity
Error: FORWARD_NULL (CWE-476): [#def50]

These errors could lead to crashes in the code.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-03-10 10:16:14 -04:00
Giuseppe Scrivano 5723277f23
run_linux: fix tight loop if file is not pollable
do not attempt again to poll the file if it is not pollable and
the errno is not syscall.EINTR or syscall.EAGAIN.

Closes: https://github.com/containers/buildah/issues/2194

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-03-02 13:30:26 +01:00
TomSweeneyRedHat 31cffe9040 Search for local runtime per values in containers.conf
After determining the type of runtime to use,
either "runc" or "crun" dependent upon the system, search
the list of that type of runtime in the containers.conf
file.  It includes the location of those runtimes in a
number of different architectures.  Once found, set the
runtime to use to that value.

Fixes: #2113

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2020-02-26 19:35:37 -05:00
bors[bot] c9e5ff00e5
Merge #2173
2173: Update to containers/common v0.3.0 r=vrothberg a=rhatdan

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Co-authored-by: Daniel J Walsh <dwalsh@redhat.com>
2020-02-19 10:26:43 +00:00
Daniel J Walsh fc6baddc97
Update to containers/common v0.3.0
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-02-18 17:45:01 -05:00
Nalin Dahyabhai f3a5653c92 run: adjust the order in which elements are added to $PATH
When building the slice of environment variables to add to the
configuration for a container that we're about to run, in case of
conflicts, we want the values from the base image or working container
to override the global defaults, and we want values that were passed to
us through the API to override them both.

In cases of conflicts, values which occur later in the slice override
values which occurred earlier, so we want to add them in this order:
* values from containers.conf
* values from the base image or working container
* values passed to us through the API

We previously applied the containers.conf defaults after the base image
or working container's value, and that meant that containers.conf's
values always took precedence over the values in the image.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2020-02-17 15:40:42 -05:00
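The "Deduplicate environment variables" and "adjust the order" commits above together define one rule: build the environment from containers.conf defaults, then the base image or working container, then values passed through the API, and make sure each name appears once with the highest-precedence value. The block below is an added example of that layering, not Buildah's own code; `mergeEnv`, `runEnv`, `lookupEnv` and the sample lists in `main` are hypothetical. It deduplicates explicitly rather than relying on runtime-tools' later-wins behaviour, which is exactly the dependency the second commit says should not be relied on.

```go
package main

import (
	"fmt"
	"strings"
)

// envName returns the variable name from a "NAME=value" entry. An entry
// without '=' is treated as a bare name so it still deduplicates against
// a later "NAME=value".
func envName(kv string) string {
	if i := strings.IndexByte(kv, '='); i >= 0 {
		return kv[:i]
	}
	return kv
}

// mergeEnv flattens several environment lists into one with no duplicate
// names. Lists are given in ascending precedence: a name that appears in a
// later list overrides the value from an earlier one. The winning value is
// written into the slot where the name was first seen, so the output order
// is stable and the result does not depend on how the runtime resolves
// duplicates.
func mergeEnv(layers ...[]string) []string {
	slot := map[string]int{}
	var out []string
	for _, layer := range layers {
		for _, kv := range layer {
			name := envName(kv)
			if i, ok := slot[name]; ok {
				out[i] = kv // override in place
				continue
			}
			slot[name] = len(out)
			out = append(out, kv)
		}
	}
	return out
}

// runEnv applies the precedence from the commit message:
// containers.conf defaults < base image / working container < API caller.
func runEnv(confDefaults, imageEnv, apiEnv []string) []string {
	return mergeEnv(confDefaults, imageEnv, apiEnv)
}

// lookupEnv returns the value of name in env, if present.
func lookupEnv(env []string, name string) (string, bool) {
	for _, kv := range env {
		if envName(kv) != name {
			continue
		}
		if kv == name {
			return "", true // bare name, no value
		}
		return strings.TrimPrefix(kv, name+"="), true
	}
	return "", false
}

func main() {
	// Constructed inputs standing in for the three sources.
	conf := []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TERM=xterm"}
	image := []string{"PATH=/usr/local/go/bin:/usr/bin", "GOPATH=/go"}
	api := []string{"GOPATH=/build/go", "HTTP_PROXY=http://proxy.example:3128"}
	for _, kv := range runEnv(conf, image, api) {
		fmt.Println(kv)
	}
}
```

With the inputs in `main`, PATH comes from the image rather than containers.conf, GOPATH comes from the API caller rather than the image, and TERM and HTTP_PROXY pass through untouched; the result has four entries, one per name.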
Daniel J Walsh cca09881c3
Repair buildah so it can use containers.conf on the server side
In porting containers.conf to libpod, we found that buildah needed
to handle the containers.conf on the server side rather than from
the CLI.

Since the `podman-remote build` would probably not have the same content
as containers.conf on the server, the processing of the defaults needs
to be handled in imagebuildah.  The CapAdd and CapDrop values need to be
passed in.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-02-10 09:41:31 -05:00
Daniel J Walsh 09d1c24e3d Add support for containers.conf
This is a rework of Qi Wang's patches.
Import package pkg/config from containers/common to read containers.conf
This patch allows users to specify default values stored in containers.conf
that will modify the behaviour of buildah tool.

Signed-off-by: Qi Wang <qiwan@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #2011
Approved by: TomSweeneyRedHat
2020-01-15 17:24:36 +00:00
Daniel J Walsh 41b7852611 Rework overlay pkg for use with libpod
Podman uses the overlay mounts differently than in buildah.  Specifically the
overlay mount points can be used over and over again when starting and stopping
the container.  Since the paths are baked into the container config, we have
to be able to clean out just the Upper and Merged directory rather than destroying
and recreating the overlay directories on each container start.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1822
Approved by: vrothberg
2019-12-22 12:04:13 +00:00
Daniel J Walsh fb7d2b6bd6
Add support for FIPS-Mode backends
If host is running in fips mode, then RHEL8.2 and beyond container images
will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
order to make all tools in the container follow the FIPS Mode rules.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-12-19 08:53:56 -05:00
Daniel J Walsh 8fc5b0116f Start using containers/common
We have moved shared code from buildah, podman and others into containers/common.

Specifically for this PR we are moving to use containers/common/pkg/unshare and
containers/common/pkg/cgroups.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #2010
Approved by: QiWang19
2019-12-06 14:37:27 +00:00
Urvashi Mohnani 54ef0073bc Add disableFips option to secrets pkg
If disableFips is set, then we don't mount the FIPS
secret even if the machine is in FIPS mode. This is
to help users run workloads that are not FIPS compliant
in openshift even if their machine is in FIPS mode.
This is needed in CRI-O.

Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
2019-10-31 10:04:01 -04:00
Daniel J Walsh 20a33e0791 Add --devices flag to bud and from
Some Dockerfiles (fuse-overlay) require additional devices to be in the
build environment.

This patch allows the user to specify additional devices.

Also I noticed that CapAdd and CapDrop were not working in buildah bud situations,
so this patch also fixes this.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1820
Approved by: @TomSweeneyRedHat
2019-09-07 17:32:43 +00:00
Daniel J Walsh 7f0b60c6f7
Add support for /run/.containerenv
Container processes want to check for the existence of this file
to determine if they are running inside of a container.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-09-06 11:56:27 -04:00
Nalin Dahyabhai 6b5f8badc1 Correctly detect ExitError values from Run()
Correctly detect ExitError error values returned by buildah.Run().

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1816
Approved by: TomSweeneyRedHat
2019-08-22 18:29:17 +00:00
Nalin Dahyabhai db2b3e48ac add: add a DryRun flag to AddAndCopyOptions
Add a DryRun flag to AddAndCopyOptions, so that we can "copy" content to
digest it.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1792
Approved by: TomSweeneyRedHat
2019-08-16 20:16:40 +00:00
Giuseppe Scrivano 7180312fdf run_linux: fix mounting /sys in a userns
fix the detection code for running in a user namespace.  When buildah
is running in rootless mode, a user namespace is automatically created
even if there are no mappings configured.

Closes: https://github.com/containers/libpod/issues/2972

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1775
Approved by: rhatdan
2019-08-11 12:41:51 +00:00
Nalin Dahyabhai be51b9bd24 Update to match updated runtime-tools API
Some method argument types changed in runtime-tools. Compensate.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1720
Approved by: vrothberg
2019-07-17 12:41:32 +00:00
Sascha Grunert 16e301031e Add unparam linter and apply fixes
This commit enabled the `unparam` linter and applies all reported issues.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>

Closes: #1719
Approved by: rhatdan
2019-07-16 21:21:32 +00:00
Qi Wang 130cf4516f Add --mount for buildah run
support mount type of bind and tmpfs

Signed-off-by: Qi Wang <qiwan@redhat.com>

Closes: #1673
Approved by: rhatdan
2019-07-02 08:48:55 +00:00
Giuseppe Scrivano 4d9da85473 rootless: add the built-in slirp DNS server
add the slirp built-in DNS server when using slirp4netns.

Closes: https://github.com/containers/buildah/issues/1660

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1688
Approved by: TomSweeneyRedHat
2019-06-26 13:33:12 +00:00
Valentin Rothberg d3b5960957 run_linux.go: ignore unchecked errors
Reported by golangci-lint.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

Closes: #1678
Approved by: rhatdan
2019-06-19 11:33:36 +00:00