Podman waits 4 minutes for conmon/the OCI runtime to create the
container[1]. Since this value seems to work we should use the same one
here.
[1] b4b8b8b537/libpod/define/runtime.go (L27)
[NO NEW TESTS NEEDED]
Fixes containers/podman#13327
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The kernel never sets the inheritable capabilities for a process, they
are only set by userspace. Emulate the same behavior.
Closes: CVE-2022-27651
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
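The capability point in the commit above is easiest to see with the execve(2) rules from capabilities(7) written out. The following is an added example, not buildah's code: it models a process's five capability sets, applies the execve transformation to a constructed image binary carrying `cap_net_raw+ie` file capabilities, and compares a runtime that mirrors its default caps into the inheritable set with one that leaves inheritable empty as the kernel itself always does. The `CAP_*` numbers are the kernel's; `AfterSetuid` and the simplified "privileged file" test are this example's own assumptions.

```go
package main

import "fmt"

// Capability bit numbers from linux/capability.h (only the ones used here).
const (
	CAP_CHOWN     = 0
	CAP_NET_RAW   = 13
	CAP_SYS_ADMIN = 21
)

// CapSet is a bitmask of capabilities, one bit per CAP_* number.
type CapSet uint64

// Caps builds a CapSet from capability numbers.
func Caps(bits ...uint) CapSet {
	var s CapSet
	for _, b := range bits {
		s |= 1 << b
	}
	return s
}

// ProcCaps models a thread's five capability sets.
type ProcCaps struct {
	Effective, Permitted, Inheritable, Bounding, Ambient CapSet
}

// FileCaps models the sets stored in a binary's security.capability xattr
// (what setcap(8) writes); Effective is a single flag there, not a set.
type FileCaps struct {
	Permitted, Inheritable CapSet
	Effective              bool
}

// Execve applies the execve(2) transformation rules from capabilities(7):
//
//	P'(ambient)     = (file is privileged) ? 0 : P(ambient)
//	P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
//	P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)
//	P'(inheritable) = P(inheritable)
//	P'(bounding)    = P(bounding)
//
// "privileged" is simplified here to "carries file capabilities" (the real rule
// also covers set-UID/set-GID binaries); securebits and the root-user special
// cases are left out on purpose.
func Execve(p ProcCaps, f FileCaps) ProcCaps {
	n := ProcCaps{Inheritable: p.Inheritable, Bounding: p.Bounding, Ambient: p.Ambient}
	if f.Permitted != 0 || f.Inheritable != 0 {
		n.Ambient = 0
	}
	n.Permitted = (p.Inheritable & f.Inheritable) | (f.Permitted & p.Bounding) | n.Ambient
	if f.Effective {
		n.Effective = n.Permitted
	} else {
		n.Effective = n.Ambient
	}
	return n
}

// AfterSetuid models a container process that has switched from root to an
// unprivileged user: the kernel clears permitted, effective and ambient, but
// inheritable and bounding survive the UID change exactly as the runtime set them.
func AfterSetuid(inheritable, bounding CapSet) ProcCaps {
	return ProcCaps{Inheritable: inheritable, Bounding: bounding}
}

func main() {
	bounding := Caps(CAP_CHOWN, CAP_NET_RAW, CAP_SYS_ADMIN)
	// Constructed scenario: the image ships a binary with "cap_net_raw+ie" file
	// capabilities, i.e. file-inheritable NET_RAW plus the effective flag.
	bin := FileCaps{Inheritable: Caps(CAP_NET_RAW), Effective: true}

	// Runtime mirrored its default caps into Inheritable (the pre-fix behaviour).
	buggy := Execve(AfterSetuid(bounding, bounding), bin)
	// Runtime leaves Inheritable empty, as the kernel itself always does.
	fixed := Execve(AfterSetuid(0, bounding), bin)

	fmt.Printf("inheritable populated: effective=%#x (NET_RAW gained by a non-root user)\n", buggy.Effective)
	fmt.Printf("inheritable empty:     effective=%#x\n", fixed.Effective)
}
```

The only term that differs between the two runs is `P(inheritable) & F(inheritable)`: with a populated inheritable set, a binary that merely has file-inheritable caps hands them to an unprivileged user, while file-permitted caps (`+ep`) keep working either way because they go through the bounding-set term instead.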
A shared cache on the host must support locking so other parallel/concurrent builds
will wait for the currently executing RUN statement to finish.
* Locks the cache store as soon as RUN is triggered.
* Locked target is added to the cleanup list so it can be unlocked as soon
as the RUN step is completed.
Signed-off-by: Aditya R <arajan@redhat.com>
Users want to turn off the addition of the /etc/hosts file while building
container images; this would allow them to customize the /etc/hosts
file within the image.
Fixes: https://github.com/containers/buildah/issues/3808
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When the configured cgroup manager is set to "systemd", use the
--systemd-cgroup option of the OCI runtime. It is understood by both
crun and runc.
Closes: https://github.com/containers/buildah/issues/3700
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Make sure that, if we're given neither a concurrent jobs count nor a
semaphore to use, we create a semaphore. Otherwise, each platform in a
multi-platform build will run with maximum concurrency, which isn't the
desired default. Our CLI always passes in a Jobs count, so it hasn't
been affected by this problem.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
The backend logic already supports specifying custom network names. This
only adds the support for the frontend parsing.
Fixes containers/podman#12282
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Allow users to specify non-volatile `upper` and `workdir` with overlay
mounts.
Usage
```console
buildah from alpine
buildah run -v /something/lower:/test:z,O,upperdir=/somewhere/upperdir,workdir=/somewhere/workdir alpine-working-container cat /test/hello
```
Signed-off-by: Aditya R <arajan@redhat.com>
The permissions on this directory will prevent user namespaces from using
secrets. It should be world searchable.
[NO TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We need to use the defaults from containers.conf and not hardcode them in
buildah. This fixes an issue with the CNI network backend since it would
try to access /etc/cni/net.d/ even as a rootless user. This regression was
introduced in commit f9cff07b81.
Also hide the CNI flags as we do not expect users to change them. The
recommended way is to change them in containers.conf.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The following commit adds buildkit-like support for the `from` field in `--mount=type=bind`
and `--mount=type=cache`, so images and stages can be used as the mount source.
Usage looks like
```dockerfile
RUN --mount=type=bind,source=.,from=<your-image>,target=/path ls /path
```
and
```dockerfile
RUN --mount=type=cache,from=<your-image>,target=/path ls /path
```
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Podman uses the new netavark network stack. Buildah should be able to do
the same. Both projects should use the same networking code, which was
moved to c/common/libnetwork. The new network interface can use either
CNI or netavark. Using the same code for podman and buildah is
important to ensure that both use the same backend. Mixing CNI and
netavark is not supported.
This also fixes some outstanding CNI issues, e.g. buildah trying to
connect all CNI networks.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Do not configure the netns in the runtime child process; this removes
the need to send the network options to the child. This will be needed
for the new libnetwork network interface which cannot be transferred as
JSON.
To synchronize this between the child and parent we use two pipe pairs.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
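The two-pipe handshake described above, as an added example that is not buildah's code and does not reproduce its wire format: the child signals that its network namespace exists, the parent configures the network on its own side and then releases the child (or aborts it). The single-byte `R`/`G`/`A` messages, the function names and the goroutine stand-in for the child process are this example's own assumptions; the real thing hands the pipe file descriptors to a forked child.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
)

// Assumed one-byte protocol on the two pipes (not buildah's actual format).
const (
	msgReady = 'R' // child -> parent: netns created, configure it
	msgGo    = 'G' // parent -> child: configured, continue to exec
	msgAbort = 'A' // parent -> child: configuration failed, bail out
)

// Child runs on the runtime child side: create the netns, tell the parent it
// is ready, then block until the parent has finished configuring it.
func Child(ready io.Writer, goPipe io.Reader, createNetNS func() error) error {
	if err := createNetNS(); err != nil {
		return err
	}
	if _, err := ready.Write([]byte{msgReady}); err != nil {
		return err
	}
	var b [1]byte
	if _, err := io.ReadFull(goPipe, b[:]); err != nil {
		return fmt.Errorf("waiting for parent: %w", err)
	}
	if b[0] != msgGo {
		return errors.New("parent aborted network setup")
	}
	return nil
}

// Parent waits for the child's ready byte, configures the network from the
// parent process (where the network objects live, so nothing has to be
// serialized to the child), then releases or aborts the child.
func Parent(ready io.Reader, goPipe io.Writer, configure func() error) error {
	var b [1]byte
	if _, err := io.ReadFull(ready, b[:]); err != nil {
		return fmt.Errorf("waiting for child: %w", err)
	}
	if b[0] != msgReady {
		return errors.New("unexpected message from child")
	}
	if err := configure(); err != nil {
		_, _ = goPipe.Write([]byte{msgAbort})
		return err
	}
	_, err := goPipe.Write([]byte{msgGo})
	return err
}

// Run wires two pipe pairs between Parent and Child (the child in a goroutine
// here) and returns both sides' results. Closing the child's write end on
// failure is what turns a dead child into an EOF error on the parent side.
func Run(createNetNS, configure func() error) (childErr, parentErr error) {
	readyR, readyW, err := os.Pipe()
	if err != nil {
		return err, err
	}
	goR, goW, err := os.Pipe()
	if err != nil {
		return err, err
	}
	done := make(chan error, 1)
	go func() {
		defer readyW.Close()
		defer goR.Close()
		done <- Child(readyW, goR, createNetNS)
	}()
	parentErr = Parent(readyR, goW, configure)
	goW.Close()
	childErr = <-done
	readyR.Close()
	return childErr, parentErr
}

func main() {
	childErr, parentErr := Run(
		func() error { fmt.Println("child: netns created"); return nil },
		func() error { fmt.Println("parent: network configured"); return nil },
	)
	fmt.Println("child:", childErr, "parent:", parentErr)
}
```

Each side reads exactly one byte and treats anything other than the expected message, including EOF from a closed pipe, as failure, so a crash on either side cannot leave the other blocked forever once its pipe ends are closed.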
First move podman/pkg/cgroups into Buildah.
Only set resources to nil on non-cgroupsv2 systems in rootless mode.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Buildah has mainly been building with host namespaces; this changes most
namespaces to be private, matching Podman and using containers.conf.
Fixes: https://github.com/containers/buildah/issues/3634
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Label stdio pipes to ensure that processes we run can read through
/dev/stdin and write through the /dev/stdout and /dev/stderr links.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This commit makes sure we honor NetworkDisabled in `runs` if
`--network=none` was specified while building the container and no
configuration was specified while running the container.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Run secrets can now be created from an environment variable. The
environment variable is read and is briefly stored as a file in /dev/shm
while it is being used, and the file is removed after the RUN command is
finished.
Fixes: #3524
Signed-off-by: Ashley Cui <acui@redhat.com>
In Linux, a directory name can contain a colon.
Add support for mount paths that contain a colon.
```console
buildah run --volume /root/a\\:b:/root/test:O
```
Signed-off-by: chenk008 <kongchen28@gmail.com>
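The two `--volume` forms above (the escaped-colon path in this commit and the `O,upperdir=...,workdir=...` overlay options from the earlier one) both come down to splitting the spec on unescaped colons and then reading the comma-separated option list. The following parser is an added example, not buildah's own option parsing: `ParseVolume`, `VolumeSpec` and the `\:` escape convention are this example's assumptions, and the rule that `upperdir` and `workdir` must be given together reflects what a writable overlayfs mount needs.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// VolumeSpec is the parsed form of one --volume argument (assumed layout).
type VolumeSpec struct {
	Source, Dest string
	Options      []string // plain flags such as "z", "O", "ro"
	Overlay      bool     // "O" seen: mount Source as the overlay lower dir
	UpperDir     string   // upperdir=... (only meaningful with O)
	WorkDir      string   // workdir=...  (only meaningful with O)
}

// splitUnescaped splits s on sep, treating a backslash-escaped separator as a
// literal character and dropping the backslash.
func splitUnescaped(s string, sep byte) []string {
	var fields []string
	var cur strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '\\' && i+1 < len(s) && s[i+1] == sep:
			cur.WriteByte(sep)
			i++
		case c == sep:
			fields = append(fields, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	return append(fields, cur.String())
}

// ParseVolume parses "source:dest[:opt,opt,key=value...]".
func ParseVolume(arg string) (VolumeSpec, error) {
	parts := splitUnescaped(arg, ':')
	if len(parts) < 2 || len(parts) > 3 {
		return VolumeSpec{}, fmt.Errorf("volume %q: want source:dest[:options]", arg)
	}
	spec := VolumeSpec{Source: parts[0], Dest: parts[1]}
	if !strings.HasPrefix(spec.Source, "/") || !strings.HasPrefix(spec.Dest, "/") {
		return VolumeSpec{}, fmt.Errorf("volume %q: source and destination must be absolute", arg)
	}
	if len(parts) == 3 {
		for _, opt := range strings.Split(parts[2], ",") {
			key, val, hasVal := strings.Cut(opt, "=")
			switch {
			case opt == "":
				// tolerate a stray comma
			case key == "O" && !hasVal:
				spec.Overlay = true
				spec.Options = append(spec.Options, opt)
			case key == "upperdir" && hasVal:
				spec.UpperDir = val
			case key == "workdir" && hasVal:
				spec.WorkDir = val
			case !hasVal:
				spec.Options = append(spec.Options, opt)
			default:
				return VolumeSpec{}, fmt.Errorf("volume %q: unknown option %q", arg, opt)
			}
		}
	}
	// A writable overlayfs needs both upperdir and workdir, and they mean
	// nothing unless an overlay (O) mount was requested.
	if (spec.UpperDir != "") != (spec.WorkDir != "") {
		return VolumeSpec{}, errors.New("upperdir and workdir must be given together")
	}
	if spec.UpperDir != "" && !spec.Overlay {
		return VolumeSpec{}, errors.New("upperdir/workdir require the O (overlay) option")
	}
	return spec, nil
}

func main() {
	for _, arg := range []string{
		`/root/a\:b:/root/test:O`,
		"/something/lower:/test:z,O,upperdir=/somewhere/upperdir,workdir=/somewhere/workdir",
	} {
		spec, err := ParseVolume(arg)
		fmt.Printf("%s\n  -> %+v err=%v\n", arg, spec, err)
	}
}
```

Note that the shell form in the commit message doubles the backslash (`\\:`) so that a single `\:` reaches the program; the parser sees the single backslash.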
Also switch the default hostname from the truncated ContainerID to the container
name.
It makes more sense that a user would know the name of the container
versus the generated ID, so we should use this as the default.
Fixes: https://github.com/containers/buildah/issues/3509
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The following PR introduces a new mount type=cache, in parity with buildkit,
which allows users to share a persistent cache between different builds,
allowing users to cache content generated by business logic or enhance
build performance by caching components across builds.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Fixed a bug where buildah bud mounted secrets' permissions were incorrect due to a decimal/octal conversion error. buildah bud mounted secrets now have a default permission of 400. Fixes #3557
Signed-off-by: Ashley Cui <acui@redhat.com>
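Two of the secret-handling commits above are worth seeing in code: the decimal/octal mix-up in the mode, and the env-sourced secret that lives as a tightly-permissioned file only for the duration of a RUN. The following is an added example and not buildah's implementation: `ParseMode`, `NaiveMode` and `StageEnvSecret` are this example's own names, a temporary directory stands in for /dev/shm, and the secret value is constructed.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// ParseMode reads a user-supplied mode such as "400" as octal, the way
// chmod(1) does: "400" -> 0o400 -> r--------.
func ParseMode(s string) (os.FileMode, error) {
	m, err := strconv.ParseUint(s, 8, 32)
	if err != nil {
		return 0, fmt.Errorf("mode %q is not octal: %w", s, err)
	}
	if m > 0o777 {
		return 0, fmt.Errorf("mode %q out of range", s)
	}
	return os.FileMode(m), nil
}

// NaiveMode is the bug class the commit describes: parsing "400" in base 10
// yields decimal 400, which is 0o620, i.e. rw--w---- instead of r--------.
// The file ends up group-writable rather than owner-read-only.
func NaiveMode(s string) (os.FileMode, error) {
	m, err := strconv.Atoi(s)
	if err != nil {
		return 0, err
	}
	return os.FileMode(m), nil
}

// StageEnvSecret copies the value of environment variable name into a fresh
// file under dir (standing in for /dev/shm) with the given mode and returns
// the path plus a cleanup func that removes the file once the RUN is done.
func StageEnvSecret(dir, name string, mode os.FileMode) (string, func() error, error) {
	val, ok := os.LookupEnv(name)
	if !ok {
		return "", nil, fmt.Errorf("secret environment variable %s is not set", name)
	}
	f, err := os.CreateTemp(dir, "secret-*")
	if err != nil {
		return "", nil, err
	}
	path := f.Name()
	fail := func(err error) (string, func() error, error) {
		f.Close()
		os.Remove(path)
		return "", nil, err
	}
	// CreateTemp opens the file 0600; tighten it before the secret is written.
	// The already-open descriptor stays writable regardless of the new mode.
	if err := f.Chmod(mode); err != nil {
		return fail(err)
	}
	if _, err := f.WriteString(val); err != nil {
		return fail(err)
	}
	if err := f.Close(); err != nil {
		return fail(err)
	}
	return path, func() error { return os.Remove(path) }, nil
}

func main() {
	good, _ := ParseMode("400")
	bad, _ := NaiveMode("400")
	fmt.Printf("mode \"400\": octal parse -> %v, decimal parse -> %v\n", good, bad)

	dir, err := os.MkdirTemp("", "shm-demo-") // stands in for /dev/shm
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	os.Setenv("DEMO_SECRET", "constructed-secret-value")
	path, cleanup, err := StageEnvSecret(dir, "DEMO_SECRET", good)
	if err != nil {
		panic(err)
	}
	st, _ := os.Stat(path)
	fmt.Println("staged:", path, st.Mode())
	if err := cleanup(); err != nil {
		panic(err)
	}
	_, err = os.Stat(path)
	fmt.Println("removed after RUN:", os.IsNotExist(err))
}
```

The mode is applied before any secret bytes are written, so there is no window in which the file carries the permissive default and the secret at the same time.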
The following PR adds support for buildkit-like `--mount=type=tmpfs`, which
allows end users to mount a chunk of volatile memory instead of a persistent storage device.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
The following commit adds support for using buildkit-like
`--mount=type=bind` with `RUN` statements. Mounts created by `--mount`
are transient in nature and only scoped to the current RUN statement.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Users are not seeing warnings when doing podman --remote build.
We need to wire the logrus messages all the way through the system.
Fixes: https://github.com/containers/buildah/issues/3537
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The following commit ensures that we clean up the dangling `/run` after every RUN
command and make sure that it does not persist in the physical image, ensuring
parity with how docker behaves with `.dockerenv`.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Check if `go test` supports the -race flag on the build platform, and if
so, use it for unit tests instead of just assuming that it's always
available.
Use sync/atomic to safely use a uint32 instead of a bool to keep track
of whether or not the process we started for RUN has stopped.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
The golang.org/x/crypto/ssh/terminal package has been deprecated and
replaced upstream by golang.org/x/term, so switch to that. It's a
simple 1:1 replacement.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When we're told to add built images to a manifest list, manipulate the
list ourselves, so that if we're creating a list, we won't have a
partially-populated list if some of the builds fail.
This also lets us include all of the platform information (including
variant info, which we can't sniff out after the fact) that we were
given when we started building the images.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Allow the ssh socket from the host or certain ssh keys to be exposed to a
certain RUN instruction, but not any other instructions, as well as not
showing up in the final image.
This is done by spawning a new agent from buildah and mounting
the listening socket inside the run. SSH_AUTH_SOCK inside the container
will be set to the socket mountpoint. The default mountpoint is
/run/buildkit/ssh_agent.{i}
Signed-off-by: Ashley Cui <acui@redhat.com>
Make sure to use the correct resolv.conf in case of systemd-resolved.
Also filter out 127... nameservers when run in a private netns.
Fixes #2780
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
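The resolv.conf handling above has two parts: loopback nameservers are useless inside a private network namespace (the container's 127.0.0.0/8 is not the host's, so the systemd-resolved stub at 127.0.0.53 would never answer), and when filtering leaves nothing usable the uplink file that systemd-resolved maintains under /run/systemd/resolve/ is the right fallback. The following is an added example, not buildah's code: `ContainerResolvConf` and its helpers are this example's own names, it takes file contents rather than paths so it runs offline, and the stub and uplink files in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// FilterLoopback returns content with "nameserver" lines that point at a
// loopback address (127.0.0.0/8 or ::1) removed, plus the addresses dropped.
// search, options and comments are passed through untouched.
func FilterLoopback(content string) (string, []string) {
	var kept, dropped []string
	for _, line := range strings.Split(strings.TrimRight(content, "\n"), "\n") {
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == "nameserver" {
			if addr, err := netip.ParseAddr(f[1]); err == nil && addr.IsLoopback() {
				dropped = append(dropped, f[1])
				continue
			}
		}
		kept = append(kept, line)
	}
	return strings.Join(kept, "\n") + "\n", dropped
}

// HasNameserver reports whether content still names at least one resolver.
func HasNameserver(content string) bool {
	for _, line := range strings.Split(content, "\n") {
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == "nameserver" {
			return true
		}
	}
	return false
}

// ContainerResolvConf decides what goes into the container's /etc/resolv.conf.
// etcContent is the host's /etc/resolv.conf; uplinkContent is the content of
// systemd-resolved's /run/systemd/resolve/resolv.conf, or "" when that file
// does not exist. With the host's netns the file is copied as-is. In a
// private netns loopback resolvers are dropped, and if nothing usable remains
// the uplink file is used instead.
func ContainerResolvConf(etcContent, uplinkContent string, privateNetNS bool) (string, error) {
	if !privateNetNS {
		return etcContent, nil
	}
	out, _ := FilterLoopback(etcContent)
	if HasNameserver(out) {
		return out, nil
	}
	if uplinkContent != "" {
		out, _ = FilterLoopback(uplinkContent)
		if HasNameserver(out) {
			return out, nil
		}
	}
	return "", errors.New("no non-loopback nameserver available for a private network namespace")
}

func main() {
	// Constructed sample files: the resolved stub that /etc/resolv.conf usually
	// points at, and the uplink file with the real upstream resolvers.
	stub := "# constructed: systemd-resolved stub\nnameserver 127.0.0.53\noptions edns0 trust-ad\nsearch example.test\n"
	uplink := "nameserver 192.0.2.1\nnameserver 2001:db8::1\nsearch example.test\n"

	for _, private := range []bool{false, true} {
		out, err := ContainerResolvConf(stub, uplink, private)
		fmt.Printf("private netns=%v err=%v\n%s\n", private, err, out)
	}
}
```

Filtering by parsing the address with `netip` rather than matching the string prefix `127.` also catches `::1` and non-canonical spellings, and the error path makes the "stub only, no uplink file" case loud instead of silently leaving the container without DNS.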
[NO TESTS NEEDED] since I've no idea how to force it.
Reported-in: containers/podman/issues/11148
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>