Add a --all-platforms that instructs the builder to build for the
intersection of all platforms for which the build's base images are
available. Returns an error if any of them aren't references to
manifest lists. We've learned that we can't really trust architecture
and OS information stored in image config blobs, so we don't try to
salvage that case.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When we're told to add built images to a manifest list, manipulate the
list ourselves, so that if we're creating a list, we won't have a
partially-populated list if some of the builds fail.
This also lets us include all of the platform information (including
variant info, which we can't sniff out after the fact) that we were
given when we started building the images.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Allow ssh socket from host or certain ssh keys to be exposed to a
certain RUN instruction, but not any other instructions, as well as not
showing up in the final image.
This is done by spawining a new agent from buildah and mounting
the listening socket inside the run. SSH_AUTH_SOCK inside the container
will be set to the socket mountpoint. The defualt mountpoint is
/run/buildkit/ssh_agent.{i}
Signed-off-by: Ashley Cui <acui@redhat.com>
Add a pkg/parse.PlatformsFromOptions() which understands a "variant"
value as an optional third value in an OS/ARCH[/VARIANT] argument value,
which accepts a comma-separated list of them, and which returns a list
of platforms.
Teach "from" and "pull" about the --platform option and add integration
tests for them, warning if --platform was given multiple values.
Add a define.BuildOptions.JobSemaphore which an imagebuildah executor
will use in preference to one that it might allocate for itself.
In main(), allocate a JobSemaphore if the number of jobs is not 0 (which
we treat as "unlimited", and continue to allow executors to do).
In addManifest(), take a lock on the manifest list's image ID so that we
don't overwrite changes that another thread might be making while we're
attempting to make changes to it. In main(), create an empty list if
the list doesn't already exist before we start down this path, so that
we don't get two threads trying to create that manifest list at the same
time later on. Two processes could still try to create the same list
twice, but it's an incremental improvement.
Finally, if we've been given multiple platforms to build for, run their
builds concurrently and gather up their results.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Currently the rusage is reported to stdout and rather cumbersome to parse. The
new flag rusage-logfile can be used to specify a file to which the log will be
written instead.
Signed-off-by: Dan Čermák <dcermak@suse.com>
Add support for secrets. Secrets is a two-part flag that allows secret files to
be accessed for a certain RUN instruction, but not any other
instructions, as well as now showing up in the final image.
Signed-off-by: Ashley Cui <acui@redhat.com>
This PR removes the pkg/auth which brings in docker/docker
since it really is not needed, and was only there to help users
discover the settings of where the authfile was, when the environment
variables were set. Would almost never be of any value.
Move imagebuildah.BuildOptions to define.BuildOptions
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We want to shrink the size of the import when importing pkg from
buildah. This should help us shrink the size of the golang bindings
in podman.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently manifests just look like images in container storage.
It is surprising to the user when they go to push the images
that they end up failing, and have to use the buildah manifest push.
This patch causes buildah push to failover to buildah manifest push
if the image is a manifest.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Remove --override-os and --override-arch flags.
Also use --platform option if specified when generating the SystemContext.
Conflict --platform option with --os, --arch and --variant options.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Some commands within a Containerfile, might need input from users.
For example confirmation commands from Apt.
Adding a --stdin flag will allows users to interact with containers
while running inside of buildah bud.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
These changes will allow the "FROM" statement in a Containerfile
to be overridden with a new `--from` option. If I have this Dockerfile.fedora
```
FROM fedora
```
This command will instead build an alpine image:
```
STEP 1: FROM alpine
Completed short name "alpine" with unqualified-search registries (origin: /etc/containers/registries.conf)
Getting image source signatures
Copying blob 188c0c94c7c5 done
Copying config d6e46aa247 done
Writing manifest to image destination
Storing signatures
STEP 2: COMMIT tom
--> d6e46aa2470
d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0
```
Addresses: #2404
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
when running as rootless, make sure the cli default isolation is set
to "rootless" instead of "oci".
Closes: https://github.com/containers/buildah/issues/2750
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Allow users to override location of the .dockerignore file.
If user specified an --ignorefile flag, buildah will read the
file and pass in the exclude lines based on the .dockerignore
contents.
Also add a --contextdir flag to buildah copy and buildah add to
specify where the context directory is located. For these two
commands the --ignorefile flag requires the --contextdir flag.
When the --ignorefile flag is passed in, the .dockerignore files
in the context directory will be ignored.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The format of the userns-uid-map and userns-gid-map fields must be
the form of a triple `ctrUid:hostUid:length` but we were not validating
that, doing a lot of useless processing, and then not even failing.
Addresses: #2676
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The PR containers/podman#6442 enables a new way to create
shell completions scripts. The shell completion is handled
by cobra and since the build flags are defined here
the completion functions for this should be defined here
as well. For Reference see:
https://github.com/spf13/cobra/blob/master/shell_completions.md
I added a unit test to ensure that the flags have a
completion function set.
These completions could also be used by buildah if someone
wants to implements this cobra completion logic for buildah.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
We recieved feedback on the --omit-timestamp that
users would rather specify the timestamp seconds
rather then just use EPOCH.
This PR removes --omit-timestamp from buildah bud
since this has never been released.
We also hide --omit-timestamp from buildah commit
and allow users to continue to use it, but it conflicts
with --timestamp.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add a flag to imagebuildah.BuildOptions that will log timing and i/o
information at each step of the build process, and enable it if we're
given the hidden --log-rusage flag in the CLI.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Podman namespaces flags handle the options slightly differently.
Specifically namespace flag `container` is very different.
Replace the `container` option with `private` to better match podman
but continue to support `container`
Similarly Podman expects --network ns:/PATH to allow the indication of a
path to a precreated network namespace. Buildah just supported
--network /PATH, buildah will now support both formats, but document
ns:/path.
Finally use Aliases for fix some duplicated code in buildah.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently you can only do deterministic builds with commit command
this change will cause the metadata in the container image to be
epoch 0.
Next step is to save the data in the tar balls as 0.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
In porting containers.conf to libpod, we found that buildah needed
to handle the containers.conf on the server side rather then from
the CLI.
Since the `podman-remote build` would probably not have the same content
as containers.conf on the server, the processesing of the defaults needs
to be handled in imagebuildah. The CapAdd and CapDrop values need to be
passed in.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Touching up the OS, ARCH and PLATFORM options
doc just a bit from #2907.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #2101
Approved by: rhatdan
When building images we now allow the architecture and operating system
to be overwritten via the new `--os` and `--arch` flags. This allows the
use case of packing pre-built or cross-compiled binaries into container
images with specifying the correct environment. The `--platform` flag
now takes the `os/arch` format into account as well.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Closes: #2097
Approved by: rhatdan
Add the --sign-by option to `buildah build-using-dockerfile`,
`buildah commit`, `buildah push`, and `buildah manifest push`. Add the
`--remove-signatures` option to `buildah pull`, `buildah push`, and
`buildah manifest push`. We just pass them to the image library, which
does all of the heavy lifting.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #2085
Approved by: rhatdan
This is a rework of Qi Wang's patches.
Import package pkg/config from containers/common to read containers.conf
This patch allows users to specify default values stored in containers.conf
that will modify the behaviour of buildah tool.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #2011
Approved by: TomSweeneyRedHat
If the volume option was specified like: `--volume "${HOME}/.cache/zae9ujei:/myvol:rw,Z"`,
the COBRA code that processed the input from the user was considering the value to be a
SliceVar with two volumes `${HOME}/.cache/zae9ujei:/myvol:rw` and `Z` due to the comma.
Converted the COBRA code to consider the input as an ArrayVar instead and the value is
handled appropriately. Also increased the testing to catch this going forward.
Addresses: #2000
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #2039
Approved by: rhatdan
Thanks to Dmitry Smirnov @onlyjob for suggesting this tool.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1985
Approved by: TomSweeneyRedHat
(Replaces #1873 as it had lint issues that were timing out tests that I couldn't
track down easily)
Prior to this fix, if someone did `buildah bud --pull=false .` and the image in
the Containerfile's FROM statement was not local, the build would fail. The same
build on Docker will succeed. In Docker, when `--pull` is set to false, it only
pulls the image from the registry if there was not one locally. Buildah would never
pull the image and if the image was not locally available, it would throw an error.
In certain Kubernetes environments, this was especially troublesome.
To retain the old `--pull=false` functionality, I've created a new `--pull-never`
option that fails if an image is not locally available just like the old
`--pull=false` option used to do.
In addition, if there was a newer version of the image on the repository than
the one locally, the `--pull=true` option would not pull the image as it should
have, this corrects that.
Changes both the from and bud commands.
Addresses: #1675
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #1959
Approved by: rhatdan
This patch will let authfile path default to the containers/image location for authentication file. Which for now will be xdg_runtime_dir, but eventually will switch to kernel keyring.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Closes: #1947
Approved by: rhatdan
Move the runtime Cobra flag for the build command to the
command itself and out of the common definitions. Podman
uses the same definition and there was a collision with that
flag and the one here: https://github.com/containers/libpod/blob/master/cmd/podman/main_local.go#L69
This caused wonky results. The podman global flag would
think it had been set, but no value was captured, or reversely,
the flag didn't think it had been set, but if you peered inside
you'd see the appropriate value from the user input.
This was all based on whether you did
`podman --runtime=/usr/bin/runc build` or
`podman build --runtime=/usr/bin/runc`
As Podman uses their runtime flag in multiple places, it's
easier to remove it from the common definition here in Buildah
and then add the flag into the bud command.
Once merged and vendored into Podman, this will fix: https://bugzilla.redhat.com/show_bug.cgi?id=1758082
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #1904
Approved by: rhatdan
Some Dockerfiles (fuse-overlay) require additional devices to be in the
build environment.
This patch allows the user to specify additional devices.
Also I noticed that CapAdd and CapDrop was not working in buildah bud situations,
so this patch also fixes this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1820
Approved by: @TomSweeneyRedHat
The command line help should contain the indicator that `--dns=none` is
possble to disable the creation of the `/etc/resolv.conf` file.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Closes: #1774
Approved by: rhatdan
Daniel J Walsh
Nalin Dahyabhai
Kirill Shirinkin
openshift-ci[bot]
Ashley Cui
Dan Čermák
OpenShift Merge Robot
TomSweeneyRedHat
Giuseppe Scrivano
Paul Holzinger
Brandon Lum
Qi Wang
Sascha Grunert