Buildah currently applies labels to each intermediate image which is not
the right thing to do since other builds use these intermediate images
and they can inherit the label even though they never had this
intention.
Only apply labels to the final build i.e. last instruction of last stage
which will make sure that labels are only applied to final image and not
to the intermediate images.
Closes: https://github.com/containers/buildah/issues/4632
Signed-off-by: Aditya R <arajan@redhat.com>
Allows codifying build arguments into a structured file, perhaps one
named arguments.Containerargs
The build arg file also accepts comments starting with #, so automated
tooling or CI/CD workflows can monitor arguments like versions to
ensure they are up-to-date.
Signed-off-by: Jack Wearden <jack@jackwearden.co.uk>
change the heuristic to mount a fresh sysfs every time a new network
namespace is created. This modification ensures the creation of the
sysfs when the network namespace is created, which is better than
sharing the one from the host.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2164524
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Buildah should allow clients to support inline --network in RUN stmts so users
can isolate or expose a particular build container.
```Dockerfile
FROM alpine
RUN --network=host wget google.com
RUN --network=none wget google.com
```
Closes: https://github.com/containers/buildah/issues/4230
Signed-off-by: Aditya R <arajan@redhat.com>
Buildah's layer caching does not generate a cache key or use a layer
from store if `RUN --mount` is used to make sure that always freshly
mounted content is used in the `RUN` instruction, in such case there is
no use of even pushing the cache since it will never be used by buildah.
Make sure that stage executor attempts to push cache only if cacheKey is
generated.
Closes: https://github.com/containers/buildah/issues/4647
Signed-off-by: Aditya R <arajan@redhat.com>
COPY must honor processing any argument if any configured while
evaluating `--from=` statement.
Makes below Containerfile functional without any external `--build-arg`
value from CLI
```Dockerfile
ARG my_env=a
FROM alpine as stage_a
RUN /bin/true
FROM alpine
COPY --from=stage_${my_env} /bin/true true
```
Closes: https://github.com/containers/buildah/issues/4573
Signed-off-by: Aditya R <arajan@redhat.com>
Expecting warning for the builtin defaults is not in sync with what
buildkit is doing or docker is doing so buildah should do the same.
Signed-off-by: Aditya R <arajan@redhat.com>
Buildah warns about TARGETARCH, TARGETOS, TARGETPLATFORM in a multi-arch
build however it's not very useful for end-users and there are cases
where this can be left untouched so do not warn about test default build
args
Closes: https://github.com/containers/buildah/issues/4485
Signed-off-by: Aditya R <arajan@redhat.com>
When initializing a stage in a multi-stage build that's based on the
end-result of an earlier stage, don't reset the base image name/digest
annotations.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
In the tutorial, switch to calling `DefaultStoreOptionsAutoDetectUID()`
instead of `DefaultStoreOptions()`, which should figure things out
better.
In the tutorial, add an example of using Run(), where for API backward
compatibility reasons, we can't tell the difference between "grant no
capabilities by default" and "grant the default set of capabilities by
default".
The default isolation can be set automatically, so start doing that at
run-time, but have the tutorial look it up anyway because the tutorial
on the web will be newer than our current release for at least a while.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When we changed the cache-from and cache-to options to take slices of
name values instead of single values, we didn't update logic that
checked if a value was set to handle cases where we had a non-nil slice
with no elements in it.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
While preparing list of cleanup stages, executor must add stage with no
children also to cleanupStages since a stage can also exist in the form
only `FROM base_image` i.e without any child nodes.
Ensures we leave no dangling build container for cases such as
```dockerfile
FROM quay.io/quay/busybox:latest AS busybox
FROM scratch
COPY --from=busybox /bin/busybox /bin/busybox
```
Closes: https://github.com/containers/buildah/issues/4572
Signed-off-by: Aditya R <arajan@redhat.com>
Buildah must support accepting password from stdin agnostic of order
like `podman`
Example with buildah which should work
```console
$ cat password.txt | buildah login docker.io -u user --password-stdin
Error: too many arguments, login takes only 1 argument
```
Example with podman which already works
```console
$ cat password.txt | buildah login -u user --password-stdin docker.io
Login Succeeded
```
Closes: https://github.com/containers/buildah/issues/4557
Signed-off-by: Aditya R <arajan@redhat.com>
Following test is just copying files it should not depend upon
`ubuntu:18.04` let's change that so CI never gets blocked.
Signed-off-by: Aditya R <arajan@redhat.com>
This test could fail when we enable firewall.
To reduce the impact of firewall, we use "curl".
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
(No, I don't expect the issue to be fixed, but sometimes we need
incentives in order to pay attention to flakes)
Signed-off-by: Ed Santiago <santiago@redhat.com>
When using `--mount=` in RUN instruction and source is a stage make sure
that freshly built stage is used if the stage selected in source was
just rebuilt.
Closes: https://github.com/containers/buildah/issues/4522
Signed-off-by: Aditya R <arajan@redhat.com>
crun might not print any debugging message, so change the runtime-flag
test to use --log=log-file and test it was created.
Closes: https://github.com/containers/buildah/issues/4503
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
We handle --label command line arguments by appending LABEL instructions
to the Dockerfile contents before we parse it. Previously, we were
appending a separate line for each label-value pair. Consolidate them
for the sake of tools that arbitrarily limit the length of histories
that they're willing to accept in images (boo!).
Add a similar implementation for --env command line arguments.
Previously, we'd set them in the initial configuration for each stage
and also set them at commit-time, and that potentially overrode any
values that were explicitly in the stage itself, and which would have
affected RUN instructions. Remove the set-at-commit-time logic so that
the history reflects what ends up in the image.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Regular primitive bats uses assertions like '[ $foo = something ]'.
These are worthless for debugging: when they fail, all you know
is that foo is not "something" but you don't know what foo _is_.
Find and replace those assertions with 'assert', which is
more informative. Instances found via:
```console
$ ack '^ *\[' tests/*.bats
```
There are many matches for 'test' (instead of '[') but those
mostly look like file-existence ones, which are less evil
than string-check tests. I'm leaving those be for now.
Signed-off-by: Ed Santiago <santiago@redhat.com>
* Just like buildkit buildah must allow cleaning the buildcache and cache
generated on host by `--mount=type=cache` just like buildkit's `prune`
command.
* Also expose `CleanCacheMount` API so other tools like `podman` can use
it.
See: https://github.com/moby/buildkit#cache
Closes: https://github.com/containers/buildah/issues/4486
Signed-off-by: Aditya R <arajan@redhat.com>
Allow containers running under buildah to use
--group-add keep-groups, so that they can inherit
access to the user's groups.
Also allow users to add supplemental groups to the container.
Fixes: https://github.com/containers/buildah/issues/4476
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Drop support for remote use-cases when .containerignore or .dockerignore is a symlink pointing to arbitrary location on host.
[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]
Signed-off-by: Aditya R <arajan@redhat.com>
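
Added example, not part of the commit above and not buildah's code: one way a build tool can refuse a `.containerignore` or `.dockerignore` symlink that resolves outside the build context. `readIgnoreFile` and `ErrEscapes` are hypothetical names, and `name` is assumed to be a fixed file name rather than a user-supplied path.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapes is a hypothetical sentinel error, not a buildah identifier.
var ErrEscapes = errors.New("ignore file symlink resolves outside the build context")

// readIgnoreFile (hypothetical helper) reads name from contextDir. A symlink
// that stays inside the context is followed; one that leaves it is refused.
func readIgnoreFile(contextDir, name string) ([]byte, error) {
	root, err := filepath.EvalSymlinks(contextDir) // canonical context root
	if err != nil {
		return nil, err
	}
	path := filepath.Join(root, name)
	info, err := os.Lstat(path) // Lstat does not follow the final symlink
	if err != nil {
		return nil, err
	}
	if info.Mode()&os.ModeSymlink != 0 {
		target, err := filepath.EvalSymlinks(path) // resolve the whole chain
		if err != nil {
			return nil, err
		}
		rel, err := filepath.Rel(root, target)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrEscapes, name, target)
		}
		path = target
	}
	return os.ReadFile(path)
}

func main() {
	// Constructed sample: .containerignore points at a file outside the context.
	ctx, _ := os.MkdirTemp("", "ctx")
	host, _ := os.MkdirTemp("", "host")
	defer os.RemoveAll(ctx)
	defer os.RemoveAll(host)
	_ = os.WriteFile(filepath.Join(host, "secret"), []byte("host data\n"), 0o600)
	_ = os.Symlink(filepath.Join(host, "secret"), filepath.Join(ctx, ".containerignore"))
	_, err := readIgnoreFile(ctx, ".containerignore")
	fmt.Println("result:", err)
}
```

The check and the read are separate steps, so this assumes nothing else modifies the context directory while the build runs.
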
When working with `--mount=type=bind` and `--mount=type=cache` allow
`target` to accept relative paths w.r.t. the configured work dir.
Closes: https://github.com/containers/buildah/issues/4309
Signed-off-by: Aditya R <arajan@redhat.com>
In golang 1.19, `io/ioutil` is fully deprecated preventing Buildah from
compiling. Replace all calls with equivalent calls from the `os`
package.
Signed-off-by: Chris Evich <cevich@redhat.com>
Buildah must support multiple sources for remote cache when using
`--cache-to` and `--cache-from` so users can distribute and collect
cache from various sources.
We also need for compat with buildkit api which in past broke `podman`
compat build API see: https://github.com/containers/podman/pull/16380
More discussion here: https://github.com/containers/podman/pull/16380
Signed-off-by: Aditya R <arajan@redhat.com>
`mount=type=cache` creates a common cache directory on host in temporary
directory, split this cache directory for each user invocation in order
to prevent overlapping of cache content when `buildah` is invoked by
different users on same host.
Signed-off-by: Aditya R <arajan@redhat.com>
When noting that a non-symlink has setuid/setgid/sticky bits, switch
from using "syscall" package bits and syscall.Chmod() to using "os"
package bits and os.Chmod(), and if the item's a directory, record the
updated mode information in the "directoryModes" map that we'll use to
reset its permissions later.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Commit 217b2d524c was pushed to `main` accidentally while it incorrectly
assumes that `ENV`
must be used while processing base image, however `ENV` should be only
evaluated inside `RUN` instruction and not for any containerfile
instruction such as `FROM <>`. This fixes change made in above commit.
Following commit ensures that imagebuildah considers `HeadingArgs`
and `UserArgs` when it's evaluating base image to pull all images from
manifest list early when build is invoked with `--all-platforms`
Closes: https://github.com/containers/buildah/issues/4399
Signed-off-by: Aditya R <arajan@redhat.com>
First: because we have a bunch of tests that rely on the image
manifest list, and ubi8 is not under our control: we've already
seen where ubi8 gets changed without our knowledge, requiring
almost a week of scrambling to get things fixed again.
Second, the registry it lives on is unreliable.
Signed-off-by: Ed Santiago <santiago@redhat.com>
A recently-added test included an unnecessary "rmi --prune".
Unnecessary code causes brain fatigue in maintainers trying
to understand its purpose. Kill it.
I've confirmed that tests pass under buildah root & rootless
and podman local & remote.
Signed-off-by: Ed Santiago <santiago@redhat.com>
While PR https://github.com/containers/buildah/pull/3947 added support
for evaluating `--build-args` in base image names for builds but it
missed processing default value if any. So for scenarios where `ARG`
already has a default value in Containerfile via `ARG key=value` but
was not specified with `--build-arg key=value` the processing ignored
the default value. Following commit just adds support for that.
Makes below Containerfile functional without any external `--build-arg`
value from CLI
```Dockerfile
ARG my_env=a
FROM alpine as stage_a
RUN /bin/true
FROM stage_${my_env} as stage_b
RUN /bin/true
```
Closes: https://github.com/containers/buildah/issues/4312
Signed-off-by: Aditya R <arajan@redhat.com>