Move the thread that launches the runtime helper into its own OS thread,
have it create its own mount namespace, and bind mount anything that we
want to eventually bind mount into the container, into a subdirectory of
the bundle directory, before running the helper.
When deciding what to bind mount in, make the volumes specified by the
user our highest priority, in case they've been specified in order to
override our default settings for a given location. This required
breaking up setupMounts() to keep the complexity tests from complaining.
When we use a user namespace with the host IPC namespace, bind mount
/dev/shm and /dev/mqueue instead of mounting fresh copies.
If we're told to use a user namespace with the host PID namespace,
return an error, because that doesn't work.
When we use a user namespace with the host network namespace, bind mount
/sys instead of mounting a fresh one.
When we use the host UTS namespace, don't try to set a hostname.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #700
Approved by: rhatdan

Use CNI to configure networks for containers for which we create new
network namespaces.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #700
Approved by: rhatdan

Use ID mapping information when setting permissions on content that we
add to the container, and on secrets that we copy in, on pipes that we
use for stdio, and when extracting the whole filesystem as a "layer".
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #700
Approved by: rhatdan

Add options to the CLI that specify which cgroups we execute "run"
commands under, and controlling how we set up namespaces for them.
Pass them down to Builders that we create, and allow them to be
overridden by options passed to Builder.Run().
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #700
Approved by: rhatdan

If we're creating a user namespace, we always need to supply at least
one mapping for the UID and GID maps. If we're not given any mappings,
map the ranges that are available to us, instead of assuming we can map
all possible values, in case we're already in a user namespace.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #700
Approved by: rhatdan

Read UID/GID mapping information when creating or importing containers,
and if there is mapping information, use it when building runtime
configurations.
Mounting sysfs in a user namespace requires that we also have our own
network namespace, so default to creating one for that case.
Switch permissions on files that we bind in so that they're writable
from inside of the container.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #700
Approved by: rhatdan

Instead of using the runtime's "run" command to have it handle the
entire life cycle of a process when we need to launch one, do it
ourselves, and handle passing the data between our stdio and the
container's.
This will make it possible for us to set up networking using CNI between
the "create" and "start" phases, and head off permissions problems when
the process in the container can't read or write to the invoking user's
terminal or stdio.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #708
Approved by: rhatdan

Break Builder.Run()'s "running runc" parts into their own method, in
preparation for making that part larger.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #708
Approved by: rhatdan

We are currently volume mounting /etc/hosts and /etc/resolv.conf into the
container; SELinux is preventing these files from being written while in the
container. This patch will create a temporary hosts and resolv.conf that
will be labeled correctly and volume mounted into the container.
This will also fix an issue where if you used buildah bud --host it was
modifying the real /etc/hosts file.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Make the PullPolicy field in BuilderOptions structures and the
Terminal field in RunOptions their own types.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #705
Approved by: rhatdan

If the host is in FIPS mode and /etc/system-fips exists
/run/secrets/system-fips is created in the container so that
the container can run in FIPS mode as well.
Vendor in libpod/pkg/secrets and remove the duplicate secrets code
in buildah.
Also remove the hidden --default-mounts-file flag that was being used for testing,
as it is not needed anymore and makes the code simpler.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #603
Approved by: rhatdan

Also vendor in the latest imagebuilder code and all the packages
that come with it.
Note: imagebuilder.NewBuilderForReader has been removed from imagebuilder
so I had to split the function up into two different calls.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #517
Approved by: rhatdan

* Changed addHostsToFile to make it easy to test
* Changed .travis.yml and Makefile to run all unit tests except ./tests/
* Added unit-tests to addHosts, addHostsToFile and addRlimits
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
Closes: #529
Approved by: rhatdan

Just have to refuse to use previously created containers when doing a run.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #500
Approved by: rhatdan

Add the remaining --volume and --shm-size flags to buildah bud and from
--volume supports the following options: rw, ro, z, Z, private, slave, shared
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #491
Approved by: rhatdan

Avoid opening the file in write mode if we are not going to write
anything.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #487
Approved by: rhatdan

When populating a container from a container image with a
volume directory, we need to copy the content of the source
directory into the target. The code was mistakenly looking
for a file not a directory.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #471
Approved by: nalind

When we warn about not processing a secrets configuration file, actually
skip anything we might have salvaged from it to make our behavior match
the warning.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #380
Approved by: rhatdan

I have made a subpackage of libpod to handle chrootuser,
using the user code from buildah.
This patch removes user handling from buildah and uses
projectatomic/libpod/pkg/chrootuser
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #377
Approved by: nalind

Don't worry about not being able to populate temporary volumes using the
contents of the location in the image where they're expected to be
mounted if we fail to do so because that location doesn't exist.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #248
Approved by: rhatdan

When ensuring that the working directory exists before running a
command, make sure we create the location that we set in the
configuration file that we pass to runc.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #241
Approved by: rhatdan

run: The latest version of runtime-spec dropped the Platform field, so
stop trying to set it when generating a configuration for a runtime.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #201
Approved by: rhatdan

When "run" isn't explicitly given a command, mix the command and
entrypoint options and configured values together correctly.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #160
Approved by: rhatdan

Ensure that volume points are created, if they don't exist, when they're
defined in a Dockerfile (#151), and that if we create them, we create
them with 0755 permissions (#152).
When processing RUN instructions or the run command, if we're not
mounting something in a volume's location, create a copy of the volume's
initial contents under the container directory and bind mount that.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #154
Approved by: rhatdan

Add a --volume/-v flag to "buildah run" to allow volume bind mounts to
be specified on the command line.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #144
Approved by: rhatdan

Improve error reporting by wrapping all returned err functions with
error.Wrapf
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes: #124
Approved by: nalind

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes: #125
Approved by: nalind

Make sure that we don't mount a tmpfs in volume locations where Run()
has been told to mount something else.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #121
Approved by: rhatdan

If Run() isn't passed a hostname to set, but we have one that was set
directly or inherited from the source image, use that value.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #121
Approved by: rhatdan

Maintain the container configuration in multiple formats in the Buildah
object, initializing one based on the other, depending on which format
the source image used for its configuration.
Replace directly manipulated fields in the Buildah object (Annotations,
CreatedBy, OS, Architecture, Maintainer, User, Workdir, Env, Cmd,
Entrypoint, Expose, Labels, and Volumes) with accessor functions which
update both configurations and which read from whichever one we consider
to be authoritative. Drop Args because we weren't using them.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #102
Approved by: rhatdan

When we have cgo, use fgetpwent() to try to look up user IDs and primary
GIDs in containers. If that fails for any reason (or if we don't have
cgo), fall back to doing what we were doing before (i.e., trying to look
up the information on the host).
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #63
Approved by: rhatdan

Make Run() default to running the command with a PTY if we're being run
with stdout connected to terminal, and provide options to force the
decision one way or the other.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #64
Approved by: rhatdan

Add options to Run() for passing in additional environment variables,
overriding the default command, user, and working directory, and a flag
for controlling whether or not we attach to the host's network.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #46
Approved by: rhatdan

When we run a command in Run(), since it's sharing the host's network
namespace, also have it share the host's DNS settings.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #34
Approved by: rhatdan