Add an IsolationOCIRootless that runs the OCI runtime with its
--rootless flag, with network and UTS namespaces disabled, with IPC,
PID, and user namespaces forcibly enabled. In this mode, we don't
attempt to set the container's hostname (because we don't have our own
UTS namespace), and we don't try to set any supplemental groups. The
/sys directory is replaced with a bind mount of the host's /sys rather
than a fresh sysfs instance.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #873
Approved by: rhatdan
Add a new Isolation value: IsolationOCIRootless, for which we add a
global --rootless=true flag and a local --no-new-keyring flag when
creating a runtime container, and make some changes to the mounts list,
default namespacing configurations, and supplemental groups list.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #873
Approved by: rhatdan
Add an IsolationChroot that trades flexibility and isolation for being
able to do what it does in a host environment that's already isolated to
the point where we're not allowed to set up some of that isolation,
producing a result that leans more toward chroot(1) than runc(1) does.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #836
Approved by: rhatdan
Before calling runCollectOutput() to read error information from pipes,
make sure we've closed our handles to the writing ends of the pipes.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #872
Approved by: rhatdan
/proc/acpi allows containers to modify certain settings on the host, without
SELinux enabled.
/proc/keys allows information about keys on the host to leak into the containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #853
Approved by: rhatdan
Don't pass a nil error value to errors.Wrapf() when we want to report an
error, since it's documented as returning nil for that case.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #856
Approved by: rhatdan
the goal here is to allow ourselves to cross compile buildah for a darwin
target. we are doing this to eventually protect from regressions that could
creep into buildah so we don't dig ourselves a deeper hole.
the simplified and non-variable approach to the make darwin was done with
intent to keep this simple until we can exploit things a little more.
once this PR merges, i will create a CI test that will test for regressions
on a make darwin. we should also be doing a gofmt with a darwin target so the
!linux|darwin tagged files are also checked for completeness. initially the
test can be optional for passing with the long-term idea that it be made
a firm requirement at the buildah maintainers behest.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #840
Approved by: rhatdan
Remove the configureNetwork parameter from runConfigureNetwork(), which
was only called if the value was true, and which runConfigureNetwork()
itself never used.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #834
Approved by: rhatdan
Explicitly force the owner of /etc/hosts and /etc/resolv.conf to 0:0 in
the container, instead of attempting to let ID maping implicitly handle
it, since when we're being run unprivileged, the owners of the source
files are already unmapped IDs.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #823
Approved by: rhatdan
Add the basics of handling the "--isolation" option, though at the
moment, the only recognized option is "oci", which is our default.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #822
Approved by: rhatdan
Try to resolve commands which aren't given as absolute paths using the
$PATH environment variable and the mounted rootfs. If we don't have a
configured $PATH, add one.
We can't resolve symbolic links with absolute values reliably without
using chroot(), so we just take it on faith that a link, or a non-link
with the execute bit set, will work.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #820
Approved by: rhatdan
When copying environment variables from the image's configuration to the
spec that we'll pass to the runtime, clear out any defaults that the
generate package might be supplying. Currently, that's "$TERM".
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #820
Approved by: rhatdan
The latest runtime-tools is aware of other OS's than Linux. Libpod needs the newer
version to compile on darwin. Unfortunately, the API for generator.New() changed
and requires a string representation of the OS; furthermore, it also returns a
a generator and an error so code had to be adjusted for this too.
Signed-off-by: baude <bbaude@redhat.com>
Currently we are not adding the ARGS passed in via Dockerfile
or --build-args into the running container as environment variables.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #816
Approved by: umohnani8
Append address+"\t"+hostname to the hosts file instead of the
"hostname:address" format that we picked up from the command line.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #798
Approved by: rhatdan
Handle POLLNVAL status from poll() (invalid request, descriptor is not
open) by removing the descriptor from the list that we poll on.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #795
Approved by: rhatdan
Default to using a controlling terminal if all three stdio descriptors
are terminals, not just stdout.
Don't try to set stdin to raw mode while running a container if it's not
a terminal, in which case it doesn't support terminal modes.
Don't try to read the window size of stdin if it's not a terminal, in
which case it doesn't have a window size. Provide a way to explicitly
set it for those cases.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #795
Approved by: rhatdan
Don't try to set the Pdeathsig attribute on the runtime process when we
call the runtime. Whether we should try to do that is debatable, and it
seems to cause us to interact badly with strace(1).
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #802
Approved by: rhatdan
Add RunOptions and BuildOptions flags for modifying the list of granted
capabilities from the default.
Default to granting the current (as of this writing) defaults from
runtime-tools, with CAP_NET_RAW removed:
* CAP_AUDIT_WRITE
* CAP_CHOWN
* CAP_DAC_OVERRIDE
* CAP_FOWNER
* CAP_FSETID
* CAP_KILL
* CAP_MKNOD
* CAP_NET_BIND_SERVICE
* CAP_SETFCAP
* CAP_SETGID
* CAP_SETPCAP
* CAP_SETUID
* CAP_SYS_CHROOT
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #799
Approved by: rhatdan
moreCreateArgs() doesn't need to be a function; it can just be a slice.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #797
Approved by: rhatdan
Rework setupSeccomp() to use switch{} instead of multiple if{} tests
when deciding how to set the Seccomp configuration for a container.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #793
Approved by: rhatdan
Change RunOptions.Stdin from a ReadCloser to a Reader, since we weren't
closing it. Likewise, change RunOptions.Stdout and .Stderr from
WriteClosers to Writers, since we weren't closing them, either.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #792
Approved by: rhatdan
Break getProcIDMappings() out of run.go and turn it into
util.GetHostIDMappings(), and add util.GetSubIDMappings() and
util.ParseIDMappings().
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #796
Approved by: rhatdan
Break runSetupIntermediateMountNamespace() into its own package.
Move stringInSlice(), getHostIDs(), and getHostRootIDs() into the util
subdirectory and export them.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #796
Approved by: rhatdan
When relaying stdio data to and from a container, separate the "reading
and buffering from a read descriptor" step from the "relaying to a write
descriptor" step, so that we can try to flush buffers that have data in
them even when there's no new data to be read.
Treat EAGAIN as a recoverable error when writing, since we're now able
to come back and try again later.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #787
Approved by: rhatdan
Add a field to AddOrCopyOptions that can take an io.Writer, more often a
hash.Hash returned by digest.Digester's Hash() method, to calculate a
sum over what we add or copy.
Make the help output summarizing the arguments that "buildah add" and
"buildah copy" accept more closely match their man pages.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #766
Approved by: rhatdan
When polling for input on stdin (in Terminal == false cases), don't
close the write end of the pipe that we're using to relay data from
stdin to the container unless poll() tells us that we got a POLLHUP.
Assuming that was the case when POLLIN wasn't set meant that we'd close
it as soon as poll() returned and there was no activity on the
descriptor, and if poll() only returned because we had output from the
container to relay back, we were doing so prematurely.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #756
Approved by: rhatdan
runCollectOutput() tries to read error messages that may have been
written to pipes by the container runtime. Instead of setting them to
non-blocking and producing an error when we fail to read data, leave
them blocking so that we wait until the write end of a pipe is closed
before we give up on reading from it.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #754
Approved by: rhatdan
Provide RunOption fields for callers to give us stdio as an
io.ReadCloser and a pair of io.WriteClosers, or nil to use
os.Stdin/os.Stdout/os.Stderr.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #754
Approved by: rhatdan
Make sure that we don't trigger error messages in runc when $TMPDIR,
which affects os.TempDir(), is itself a symbolic link.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #746
Approved by: rhatdan
When running buildah code on Atomic Hosts, we need to make sure
the absolute path for the bundlePath is used or operations
will fail.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #745
Approved by: nalind
RunOptions.Mounts has been mistakenly ignored since #700; handle them.
Process the options on the bind mounts in RunOptions.Mounts the same way
we handle the ones in Builder.CommonBuildOpts.Volumes, so that flags
that control read-only/read-write usage, SELinux labeling, and mount
propagation will work.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #739
Approved by: rhatdan
If the runtime's "create" command fails, we try to collect error
messages from the pipes that we hooked up to its stdio in anticipation
of running a container without a TTY. We should only bother with that
when the container isn't attached to a TTY, which is the only time those
pipe descriptor slices are populated, so that we don't panic when we try
to read an item from an empty slice.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #740
Approved by: rhatdan
In Run(), when the userspec doesn't specify a group, if the specified
user has supplemental group memberships, pass them along to the runtime.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #700
Approved by: rhatdan
Move the thread that launches the runtime helper into its own OS thread,
have it create its own mount namespace, and bind mount anything that we
want to eventually bind mount into the container, into a subdirectory of
the bundle directory, before running the helper.
When deciding what to bind mount in, make the volumes specified by the
user our highest priority, in case they've been specified in order to
override our default settings for a given location. This required
breaking up setupMounts() to keep the complexity tests from complaining.
When we use a user namespace with the host IPC namespace, bind mount
/dev/shm and /dev/mqueue instead of mounting fresh copies.
If we're told to use a user namespace with the host PID namespace,
return an error, because that doesn't work.
When we use a user namespace with the host network namespace, bind mount
/sys instead of mounting a fresh one.
When we use the host UTS namespace, don't try to set a hostname.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #700
Approved by: rhatdan
Use CNI to configure networks for containers for which we create new
network namespaces.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #700
Approved by: rhatdan
Use ID mapping information when setting permissions on content that we
add to the container, and on secrets that we copy in, on pipes that we
use for stdio, and when extracting the whole filesystem as a "layer".
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #700
Approved by: rhatdan
Add options to the CLI that specify which cgroups we execute "run"
commands under, and controlling how we set up namespaces for them.
Pass them down to Builders that we create, and allow them to be
overridden by options passed to Builder.Run().
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #700
Approved by: rhatdan
If we're creating a user namespace, we always need to supply at least
one mapping for the UID and GID maps. If we're not given any mappings,
map the ranges that are available to us, instead of assuming we can map
all possible values, in case we're already in a user namespace.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #700
Approved by: rhatdan
Read UID/GID mapping information when creating or importing containers,
and if there is mapping information, use it when building runtime
configurations.
Mounting sysfs in a user namespace requires that we also have our own
network namespace, so default to creating one for that case.
Switch permissions on files that we bind in so that they're writable
from inside of the container.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #700
Approved by: rhatdan
Instead of using the runtime's "run" command to have it handle the
entire life cycle of a process when we need to launch one, do it
ourselves, and handle passing the data between our stdio and the
container's.
This will make it possible for us to set up networking using CNI between
the "create" and "start" phases, and head off permissions problems when
the process in the container can't read or write to the invoking user's
terminal or stdio.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #708
Approved by: rhatdan
Break Builder.Run()'s "running runc" parts into their own method, in
preparation for making that part larger.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #708
Approved by: rhatdan
We are currently volume mounting /etc/hosts and /etc/resolv.conf into the
container, SELinux is preventing these files from being written while in the
container. THis patch will create a temporary hosts and resolv.conf, that
will be labeled correctly and volume mounted into the container.
This will also fix an issue where if you used buildah bud --host it was
modifying the real /etc/hosts file.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Make the PullPolicy field in BuilderOptions structures and the the
Terminal field in RunOptions their own types.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #705
Approved by: rhatdan
If the host is in FIPS mode and /etc/system-fips exists
/run/secrets/system-fips is created in the container so that
the container can run in FIPS mode as well.
Vendor in libpod/pkg/secrets and remove the duplicate secrets code
in buildah.
Also remove the hidden --default-mounts-file flag that was being used for test,
as it is not needed anymore and makes the code simpler.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #603
Approved by: rhatdan
Also vendor in the latest imagebuilder code and all the packages
that come with it.
Note: imagebuilder.NewBuilderForReader has been removed from imagebuilder
so I had to split the function up into two different calls.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #517
Approved by: rhatdan
* Changed addHostsToFile to make it easy to test
* Changed .travis.yml and Makefile to run all unit tests except ./tests/
* Added unit-tests to addHosts, addHostsToFile and addRlimits
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
Closes: #529
Approved by: rhatdan
Just have to refuse to use previous created containers when doing a run.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #500
Approved by: rhatdan
Add the remaining --volume and --shm-size flags to buildah bud and from
--volume supports the following options: rw, ro, z, Z, private, slave, shared
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #491
Approved by: rhatdan
Avoid opening the file in write mode if we are not going to write
anything.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #487
Approved by: rhatdan
When populating a container from a container image with a
volume directory, we need to copy the content of the source
directory into the target. The code was mistakenly looking
for a file not a directory.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #471
Approved by: nalind
When we warn about not processing a secrets configuration file, actually
skip anything we might have salvaged from it to make our behavior match
the warning.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #380
Approved by: rhatdan
I have made a subpackage of libpod to handle chrootuser,
using the user code from buildah.
This patch removes user handling from buildah and uses
projectatomic/libpod/pkg/chrootuser
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #377
Approved by: nalind
Don't worry about not being able to populate temporary volumes using the
contents of the location in the image where they're expected to be
mounted if we fail to do so because that location doesn't exist.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #248
Approved by: rhatdan
When ensuring that the working directory exists before running a
command, make sure we create the location that we set in the
configuration file that we pass to runc.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #241
Approved by: rhatdan
run: The latest version of runtime-spec dropped the Platform field, so
stop trying to set it when generating a configuration for a runtime.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #201
Approved by: rhatdan
When "run" isn't explicitly given a command, mix the command and
entrypoint options and configured values together correctly.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #160
Approved by: rhatdan
Ensure that volume points are created, if they don't exist, when they're
defined in a Dockerfile (#151), and that if we create them, we create
them with 0755 permissions (#152).
When processing RUN instructions or the run command, if we're not
mounting something in a volume's location, create a copy of the volume's
initial contents under the container directory and bind mount that.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #154
Approved by: rhatdan
Add a --volume/-v flag to "buildah run" to allow volume bind mounts to
be specified on the command line.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #144
Approved by: rhatdan
Impove error reporting by wrapping all returned err functions with
error.Wrapf
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes: #124
Approved by: nalind
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes: #125
Approved by: nalind
Make sure that we don't mount a tmpfs in volume locations where Run()
has been told to mount something else.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #121
Approved by: rhatdan
If Run() isn't passed a hostname to set, but we have one that was set
directly or inherited from the source image, use that value.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #121
Approved by: rhatdan
Maintain the container configuration in multiple formats in the Buildah
object, initializing one based on the other, depending on which format
the source image used for its configuration.
Replace directly manipulated fields in the Buildah object (Annotations,
CreatedBy, OS, Architecture, Maintainer, User, Workdir, Env, Cmd,
Entrypoint, Expose, Labels, and Volumes) with accessor functions which
update both configurations and which read from whichever one we consider
to be authoritative. Drop Args because we weren't using them.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #102
Approved by: rhatdan
When we have cgo, use fgetpwent() to try to look up user IDs and primary
GIDs in containers. If that fails for any reason (or if we don't have
cgo), fall back to doing what we were doing before (i.e., trying to look
up the information on the host).
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #63
Approved by: rhatdan
Make Run() default to running the command with a PTY if we're being run
with stdout connected to terminal, and provide options to force the
decision one way or the other.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #64
Approved by: rhatdan
Add options to Run() for passing in additional environment variables,
overriding the default command, user, and working directory, and a flag
for controlling whether or not we attach to the host's network.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #46
Approved by: rhatdan
When we run a command in Run(), since it's sharing the host's network
namespace, also have it share the host's DNS settings.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #34
Approved by: rhatdan
Always make sure the working directory exists before attempting to run
anything inside of it, and before attempting to copy contents into it or
one of its subdirectories.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Default to mounting tmpfs over a container's volume mount points. Add a
RunOption for adding mounts to a run container, and use it as the
default set, adding any volume mounts and others that don't conflict
with them to it before running the container.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Provide RunOptions which can be used to change the runtime to something
other than "runc", and add an option that allows passing in additional
global arguments for the runtime.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Nalin Dahyabhai
Daniel J Walsh
baude
pixdrift
umohnani8
Boaz Shuster
Giuseppe Scrivano
TomSweeneyRedHat