Commit Graph

168 Commits

Author SHA1 Message Date
Nalin Dahyabhai bb149ea686 Use errors.Is() instead of os.Is{Not,}Exist
If errors for which os.IsExist() or os.IsNotExist() would have returned
true have been wrapped using fmt.Errorf()'s "%w" verb, os.IsExist() and
os.IsNotExist(), not having been retrofitted to use errors.Is(), will
return false.

Use errors.Is() to check if an error is an os.ErrExist or os.ErrNotExist
error instead of calling os.IsExist() or os.IsNotExist().

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2022-07-26 15:36:58 -04:00
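Added example (written for this page, not code from the buildah commit) showing the behaviour the commit message describes: a `*PathError` wrapped with `%w` is invisible to `os.IsNotExist()`/`os.IsExist()` but is still matched by `errors.Is()`. The sample paths are constructed; the "missing" one is assumed not to exist and `os.TempDir()` is assumed to exist.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// openMissing wraps a failed os.Open with %w, the pattern the commit describes.
// The caller passes a path that is assumed not to exist.
func openMissing(path string) error {
	f, err := os.Open(path)
	if err != nil {
		return fmt.Errorf("opening %q: %w", path, err)
	}
	f.Close()
	return nil
}

// mkdirExisting wraps a failed os.Mkdir on a directory that already exists.
func mkdirExisting(path string) error {
	if err := os.Mkdir(path, 0o700); err != nil {
		return fmt.Errorf("creating %q: %w", path, err)
	}
	return nil
}

// legacyChecks mirrors the old code: os.IsNotExist/os.IsExist only look inside
// *PathError, *LinkError and *SyscallError, never through fmt.Errorf wrapping.
func legacyChecks(err error) (notExist, exist bool) {
	return os.IsNotExist(err), os.IsExist(err)
}

// wrappedChecks mirrors the new code: errors.Is walks the Unwrap chain down to
// the syscall.Errno, whose Is method maps ENOENT/EEXIST to the sentinel errors.
func wrappedChecks(err error) (notExist, exist bool) {
	return errors.Is(err, os.ErrNotExist), errors.Is(err, os.ErrExist)
}

func main() {
	// Constructed sample paths: one assumed absent, one assumed present.
	missing := filepath.Join(os.TempDir(), "buildah-example-does-not-exist", "config.json")
	e1, e2 := openMissing(missing), mkdirExisting(os.TempDir())
	ln, le := legacyChecks(e1)
	wn, we := wrappedChecks(e1)
	fmt.Printf("missing file  legacy(notExist=%v exist=%v) errors.Is(notExist=%v exist=%v)\n", ln, le, wn, we)
	ln, le = legacyChecks(e2)
	wn, we = wrappedChecks(e2)
	fmt.Printf("existing dir  legacy(notExist=%v exist=%v) errors.Is(notExist=%v exist=%v)\n", ln, le, wn, we)
}
```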
Doug Rabson cdac8e1ba9 Move cleanupTempVolumes and cleanupRunMounts to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:22 +01:00
Doug Rabson 57a73847e4 Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:22 +01:00
Doug Rabson 0832ea2f35 Move runSetupRunMounts to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:22 +01:00
Doug Rabson 9c808c76ac Move cleanableDestinationListFromMounts to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:22 +01:00
Doug Rabson cf079d017a Move setupMounts and runSetupBuiltinVolumes to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:22 +01:00
Doug Rabson 95a18737a6 Move runAcceptTerminal to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:21 +01:00
Doug Rabson 1ab567151a Move stdio copying utilities to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:21 +01:00
Doug Rabson ba5ff64d1c Move runUsingRuntime and runCollectOutput to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:21 +01:00
Doug Rabson b290c86172 Move fileCloser, waitForSync and contains to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:21 +01:00
Doug Rabson bff1c193a3 Move checkAndOverrideIsolationOptions to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:21 +01:00
Doug Rabson 75ae804029 Move DefaultNamespaceOptions to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:21 +01:00
Doug Rabson acdf4777aa Move getNetworkInterface to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:21 +01:00
Doug Rabson 8e36f5fc9c Move configureEnvironment to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:21 +01:00
Doug Rabson 7ea97716d7 Move configureUIDGID to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:21 +01:00
Doug Rabson a405d62cb4 Move runLookupPath to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:21 +01:00
Doug Rabson 4d9a035e78 Move setupTerminal to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:21 +01:00
Doug Rabson 420107991b Move etc file generation utilities to run_common.go
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-07-12 09:14:21 +01:00
Sascha Grunert ce384684c0
Switch to golang native error wrapping
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2022-07-07 11:41:47 +02:00
Aditya R 5686018e79
build: support OCI hooks for ephemeral build containers
Following PR adds support for OCI hooks attached to each of the ephemeral
build containers which are created by the `RUN` step invoked during the
`buildah build` command.

Following PR also adds `--hooks-dir` flag to `buildah build` option
which allows end-users to specify one or more configuration directories
for OCI-hooks.

Note: Following PR migrates `pkg/hooks` from `podman` to `buildah` so
buildah could implement this feature and once merged `podman` can start
using `buildah/pkg/hooks`.

For usage see man-page and example test-case.

See: https://github.com/opencontainers/runtime-spec/blob/main/config.md#posix-platform-hooks

Closes: https://github.com/containers/buildah/issues/4068

Signed-off-by: Aditya R <arajan@redhat.com>
2022-06-28 11:21:28 +05:30
Paul Holzinger ed4412b968
use resolvconf package from c/common/libnetwork
Podman and Buildah should use the same code to generate the resolv.conf
file. This mostly moved the podman code into c/common and created a
better API for it so buildah can use it as well.

[NO NEW TESTS NEEDED] All existing tests should continue to pass.

Fixes #3806

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-06-08 13:30:42 +02:00
Ashley Cui 236c0bab10 Fix TODO: de-spaghettify run mounts
Code Cleanup: Buildkit run mount setup functions no longer have 13
arguments and are slightly more readable. Use structs instead.

[NO NEW TESTS NEEDED]

Signed-off-by: Ashley Cui <acui@redhat.com>
2022-06-06 17:22:39 -04:00
OpenShift Merge Robot 67c2219bf1
Merge pull request #4015 from rhatdan/codespell
Fix codespell errors
2022-05-25 10:32:48 -04:00
Daniel J Walsh 0986de4036
Fix codespell errors
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-05-25 05:51:47 -04:00
Aditya R b3fbb59827
buildah: add support for renaming a device in rootless setups
Buildah now supports renaming devices while performing a build using
`--device <some-name>:<new-name>`. Implementation is similar to `podman`
where we prefer using `bind-mount` for devices instead of `mknod` in
`rootless` setups.

Usage
```console
buildah build -t test --device /dev/null:/test/dev/null .
```

Closes: https://github.com/containers/buildah/issues/4002

Signed-off-by: Aditya R <arajan@redhat.com>
2022-05-25 13:53:37 +05:30
Aditya R 45bd47b4e3
run: allow reusing secret twice in different RUN steps
If a secret is used in a RUN step it is created on the host, but we had a
check which expects a secret to not exist on the host. However, the same
secret can be remounted in another step, so it can already exist on the
host. Remove the check, since a secret can be mounted again from the host
in another RUN step.

Closes: https://github.com/containers/buildah/issues/3993

Signed-off-by: Aditya R <arajan@redhat.com>
2022-05-17 14:53:07 +05:30
OpenShift Merge Robot d93a4eb313
Merge pull request #3917 from Luap99/hosts
use etchosts package from c/common
2022-04-21 15:01:12 -04:00
Paul Holzinger 5de32ade7c
use etchosts package from c/common
Use the new etchosts package to generate the hosts file.
This will ensure that we use the same logic in podman and buildah.

New features are:
- no duplicated entries
- adds entries for the network/slirp4netns ips
- configure the host.containers.internal entry in containers.conf
- configure the base hosts file in containers.conf

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-04-21 18:05:30 +02:00
Aditya R c147bb2b9a
run: set actual hostname in /etc/hostname to match docker parity
Following commit ensures that buildah run populates /etc/hostname with the
actual hostname instead of `localhost`. This matches parity with docker.

See discussion here: https://github.com/containers/buildah/issues/3914
Closes: https://github.com/containers/buildah/issues/3914

Signed-off-by: Aditya R <arajan@redhat.com>
2022-04-21 19:13:52 +05:30
Paul Holzinger 8e299da770
oci spec: change special mount points for namespaces
The current logic in setupRootlessSpecChanges has quite a few problems.
First of all, this logic is a no-op for rootful and when we have a netns.
However, pid and ipc could still need special mounts.

In Podman we have already working code for this so this reuses the same
logic and adapts it to buildah.
4ba71f955a/pkg/specgen/generate/oci.go (L178)

Since there is already logic to handle these mounts in buildah we will
add it there and also handle the special rootless case there.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-04-08 10:50:01 +02:00
Paul Holzinger 216117c2d8
buildah: actually use containers.conf settings
Buildah ignores the containers.conf settings. Commit 05d5d22dc6 tried
to fix this but I cannot see how this would have worked; there were also
no tests added related to containers.conf.

The code below, where we read the default, just overwrites everything we
already set, so the config settings are ignored.

Also there are many weird places where settings are just overwritten for
no particular reason. The namespaces code path looks like a mess to me.
Namespaces are added/changed/removed in many different places and there
is no explanation why. Maybe I am just not familiar enough with this code
base but I cannot really understand this. Hopefully a maintainer can
take a closer look to see if my changes are indeed correct.

Fixes containers/podman#13294

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-04-08 10:50:00 +02:00
Nalin Dahyabhai 7b0718950f Remove a stray `\` from .containerenv
Start .containerenv with a blank line rather than a stray backslash.

[NO NEW TESTS NEEDED]

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2022-04-04 17:29:49 -04:00
Paul Holzinger f4ebdc160f
fix hang when oci runtime fails
When the run child process exits early the parent still tries to read
from the ready pipe. Reading from the pipe should end when all writers
are closed. The problem is that the parent kept the writer open as well.
To fix the hang we just need to close the writer before we try to read
and after we gave it to the child.

To prevent closing the fd twice with defer I added a new fileCloser type
to store if the file was already closed.

This problem was noticed in the podman CI:
https://storage.googleapis.com/cirrus-ci-6707778565701632-fcae48/artifacts/containers/podman/6624611893772288/html/sys-podman-fedora-35-root-host-netavark.log.html

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-03-31 13:51:21 +02:00
Nalin Dahyabhai 8b0f5be4b8 run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM
Restore setting of the parent-death signal when we're running
subprocesses in Run(), so that if we get killed, the child processes
will also get killed.

While a child process is running, if we receive SIGHUP, SIGINT, or
SIGTERM, forward the signal to our child process unless it's the command
we're executing, which we SIGKILL without mercy, and finish the current
routine, which will then notice that the child process has exited and
return an error to its caller.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2022-03-30 13:54:38 -04:00
Giuseppe Scrivano 08613ccd6b
buildah: create WORKDIR with USER permissions
Closes: https://github.com/containers/buildah/issues/3620

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-03-30 16:23:56 +02:00
Giuseppe Scrivano 6ad9ec3912
Merge pull request from GHSA-c3g4-w6cv-6v7h
do not set the inheritable capabilities
2022-03-24 17:00:48 +01:00
Paul Holzinger 33f61f667d
network setup: increase timeout to 4 minutes
Podman waits for 4 minutes to wait for conmon/oci runtime to create the
container[1]. Since this value seems to work we should use the same one
here.

[1] b4b8b8b537/libpod/define/runtime.go (L27)

[NO NEW TESTS NEEDED]

Fixes containers/podman#13327

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-03-23 11:31:15 +01:00
Giuseppe Scrivano e7e55c988c
do not set the inheritable capabilities
The kernel never sets the inheritable capabilities for a process, they
are only set by userspace.  Emulate the same behavior.

Closes: CVE-2022-27651

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-03-23 09:09:39 +01:00
Aditya R a4c57068fa
buildkit: mount=type=cache support locking external cache store
A shared cache on the host must support locking so other parallel/concurrent
builds will wait for the currently executing RUN statement to finish.

* Locks the cache store as soon as RUN is triggered.
* Locked target is added to cleanup list so it can be unlocked as soon
  as RUN step is completed.

Signed-off-by: Aditya R <arajan@redhat.com>
2022-03-21 10:02:00 +05:30
Daniel J Walsh deb9c69efe
Add --no-hosts flag to eliminate use of /etc/hosts within containers
Users want to turn off the addition of the /etc/hosts file while building
container images; this would allow them to customize the /etc/hosts
file within the image.

Fixes: https://github.com/containers/buildah/issues/3808

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-03-10 08:52:28 -05:00
Giuseppe Scrivano 3fb7522dc3
run_linux: use --systemd-cgroup
When the configured cgroup manager is set to "systemd", use the
--systemd-cgroup option to the OCI runtime. It is understood both by
crun and runc.

Closes: https://github.com/containers/buildah/issues/3700

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-02-14 16:00:17 +01:00
Nalin Dahyabhai 38f60a3114 imagebuildah.BuildDockerfiles(): create the jobs semaphore
Make sure that, if we're given neither a concurrent jobs count nor a
semaphore to use, we create a semaphore.  Otherwise, each platform in a
multi-platform build will run with maximum concurrency, which isn't the
desired default.  Our CLI always passes in a Jobs count, so it hasn't
been affected by this problem.

[NO NEW TESTS NEEDED]

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2022-01-28 09:42:35 -05:00
Paul Holzinger 08d636a28b
buildah bud --network add support for custom networks
The backend logic already supports specifying custom network names. This
only adds the support for the frontend parsing.

Fixes containers/podman#12282

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-01-25 21:02:43 +01:00
OpenShift Merge Robot 2189882aeb
Merge pull request #3732 from rhatdan/codespell
Run codespell on code
2022-01-21 13:23:27 -05:00
OpenShift Merge Robot b6f6306231
Merge pull request #3715 from flouthoc/overlay-extend-api
overlay, mount: add support for non-volatile `upperdir`, `workdir` for overlay volumes
2022-01-21 07:37:26 -05:00
Daniel J Walsh 1267508918
Run codespell on code
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-01-21 06:59:49 -05:00
Aditya R 316e34d268
mount: add support for custom upper and workdir with overlay mounts
Allow users to specify non-volatile `upper` and `workdir` with overlay
mounts.

Usage

```console
buildah from alpine
buildah run -v /something/lower:/test:z,O,upperdir=/somewhere/upperdir,workdir=/somewhere/workdir alpine-working-container cat /test/hello
```

Signed-off-by: Aditya R <arajan@redhat.com>
2022-01-20 21:35:34 +05:30
Giuseppe Scrivano e02e273820
linux: fix lookup for runtime
Look up the full runtime path instead of using its name.

Closes: https://github.com/containers/buildah/issues/3721

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-01-20 10:53:36 +01:00
Daniel J Walsh e94e07e383
Fix permissions on secrets directory
The permissions on this directory will prevent user namespaces from using
secrets. It should be world searchable.

[NO TESTS NEEDED]

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-01-11 14:18:57 -05:00
Paul Holzinger d7ccff3edb
Fix default CNI paths
We need to use the default from containers.conf and not hardcode them in
buildah. This fixes an issue with the cni network backend since it would
try to access /etc/cni/net.d/ even as rootless user. This regression was
introduced in commit f9cff07b81.

Also hide the cni flags as we do not expect users to change this. The
recommended way is to change them in containers.conf.

[NO NEW TESTS NEEDED]

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-01-10 15:49:43 +01:00