Buildah now supports renaming devices while performing a build using
`--device <some-name>:<new-name>`. Implementation is similar to `podman`
where we prefer using `bind-mount` for devices instead of `mknod` in
`rootless` setups.
Usage
```console
buildah build -t test --device /dev/null:/test/dev/null .
```
Closes: https://github.com/containers/buildah/issues/4002
Signed-off-by: Aditya R <arajan@redhat.com>
If a secret is used in a RUN step it is created on the host, but we had a
check which expects a secret to not exist on the host. However, the same
secret can be remounted in another step, so it can already exist on the host.
Remove the check, since a secret can be mounted again from the host in
another RUN step.
Closes: https://github.com/containers/buildah/issues/3993
Signed-off-by: Aditya R <arajan@redhat.com>
Use the new etchosts package to generate the hosts file.
This will ensure that we use the same logic in podman and buildah.
New features are:
- no duplicated entries
- adds entries for the network/slirp4netns ips
- configure the host.containers.internal entry in containers.conf
- configure the base hosts file in containers.conf
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The current logic in setupRootlessSpecChanges has quite a few problems.
First of all, this logic is a noop for rootful and when we have a netns.
However, pid and ipc could still need special mounts.
In Podman we have already working code for this so this reuses the same
logic and adapts it to buildah.
4ba71f955a/pkg/specgen/generate/oci.go (L178)
Since there is already logic to handle these mounts in buildah we will
add it there and also handle the special rootless case there.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Buildah ignores the containers.conf settings. Commit 05d5d22dc6 tried
to fix this, but I cannot see how this would have worked; there were also
no tests added related to containers.conf.
The code below, where we read the default, just overwrites everything we
already set, so the config settings are ignored.
Also there are many weird places where settings are just overwritten for
no particular reason. The namespaces code path looks like a mess to me.
Namespaces are added/changed/removed in many different places and there
is no explanation why. Maybe I am just not familiar enough with this code
base, but I cannot really understand this. Hopefully a maintainer can
take a closer look to see if my changes are indeed correct.
Fixes containers/podman#13294
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When the run child process exits early, the parent still tries to read
from the ready pipe. Reading from the pipe should end when all writers
are closed. The problem is that the parent kept the writer open as well.
To fix the hang we just need to close the writer before we try to read
and after we gave it to the child.
To prevent closing the fd twice with defer, I added a new fileCloser type
to store whether the file was already closed.
This problem was noticed in the podman CI:
https://storage.googleapis.com/cirrus-ci-6707778565701632-fcae48/artifacts/containers/podman/6624611893772288/html/sys-podman-fedora-35-root-host-netavark.log.html
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
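Added example (not buildah's own code) of the hang and the fix described in the commit above: a parent that keeps its copy of the pipe's write end never sees EOF when the child exits early, while closing that copy right after Start lets the read finish. The `fileCloser` and `readyWait` names are assumptions for this illustration.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"os/exec"
	"sync"
	"time"
)
// fileCloser makes Close idempotent so an explicit Close plus a deferred one
// cannot close the fd twice (hypothetical helper, not buildah's own type).
type fileCloser struct {
	*os.File
	once sync.Once
	err  error
}
func (f *fileCloser) Close() error {
	f.once.Do(func() { f.err = f.File.Close() })
	return f.err
}
// readyWait runs childScript with the pipe's write end as fd 3 and returns what
// the child wrote. If closeParentWriter is false the parent keeps its own copy
// of the write end, so an early-exiting child never yields EOF and the read hangs.
func readyWait(childScript string, closeParentWriter bool, timeout time.Duration) (string, error) {
	r, w, err := os.Pipe()
	if err != nil {
		return "", err
	}
	writer := &fileCloser{File: w}
	defer writer.Close() // safe even after the explicit Close below
	defer r.Close()
	cmd := exec.Command("sh", "-c", childScript)
	cmd.ExtraFiles = []*os.File{w} // the child sees the write end as fd 3
	if err := cmd.Start(); err != nil {
		return "", err
	}
	if closeParentWriter {
		writer.Close() // now only the child holds a writer: EOF once it exits
	}
	_ = r.SetReadDeadline(time.Now().Add(timeout)) // pipes support deadlines
	data, err := io.ReadAll(r)                     // returns at EOF or deadline
	_ = cmd.Wait()
	return string(data), err
}
func main() {
	fmt.Println(readyWait("printf ready >&3", true, 2*time.Second))
	_, err := readyWait("exit 1", false, 500*time.Millisecond) // the old hang
	fmt.Println("writer kept open, read timed out:", err != nil)
}
```

The deadline only exists to make the hang observable in a demo; the real fix is the single `writer.Close()` after `Start`.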
Restore setting of the parent-death signal when we're running
subprocesses in Run(), so that if we get killed, the child processes
will also get killed.
While a child process is running, if we receive SIGHUP, SIGINT, or
SIGTERM, forward the signal to our child process unless it's the command
we're executing, which we SIGKILL without mercy, and finish the current
routine, which will then notice that the child process has exited and
return an error to its caller.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
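Added example (not buildah's own code) of the two behaviours the commit above describes: the parent-death signal on the child, and forwarding SIGHUP/SIGINT/SIGTERM to the child, or SIGKILL when the child is the command being executed. `newChild`, `runForwarding` and the `isRunCommand` flag are assumed names; the signal channel is a parameter so the logic can be exercised without real signals.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"os/signal"
	"syscall"
)

// newChild builds a command whose process is sent SIGKILL by the kernel when
// the thread that started it dies (PR_SET_PDEATHSIG), so a killed build cannot
// leave its subprocesses running.
func newChild(name string, args ...string) *exec.Cmd {
	cmd := exec.Command(name, args...)
	cmd.SysProcAttr = &syscall.SysProcAttr{Pdeathsig: syscall.SIGKILL}
	return cmd
}

// runForwarding starts cmd and, until it exits, relays SIGHUP/SIGINT/SIGTERM
// arriving on sigs to the child; if the child is the RUN command itself
// (isRunCommand) it is sent SIGKILL instead. sigs is a parameter rather than a
// signal.Notify call inside so the logic can be exercised without real signals.
func runForwarding(cmd *exec.Cmd, sigs <-chan os.Signal, isRunCommand bool) error {
	if err := cmd.Start(); err != nil {
		return err
	}
	done := make(chan error, 1)
	go func() { done <- cmd.Wait() }()
	for {
		select {
		case err := <-done:
			return err // child is gone: non-zero exit or signal death is an *exec.ExitError
		case sig := <-sigs:
			if isRunCommand {
				sig = syscall.SIGKILL
			}
			_ = cmd.Process.Signal(sig)
		}
	}
}

func main() {
	sigs := make(chan os.Signal, 1)
	signal.Notify(sigs, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
	defer signal.Stop(sigs)
	// Ctrl-C in the terminal now reaches "sleep 60" instead of only this process.
	fmt.Println("child result:", runForwarding(newChild("sleep", "60"), sigs, false))
}
```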
Podman waits 4 minutes for conmon/the OCI runtime to create the
container[1]. Since this value seems to work, we should use the same one
here.
[1] b4b8b8b537/libpod/define/runtime.go (L27)
[NO NEW TESTS NEEDED]
Fixes containers/podman#13327
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The kernel never sets the inheritable capabilities for a process, they
are only set by userspace. Emulate the same behavior.
Closes: CVE-2022-27651
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
A shared cache on the host must support locking so that other parallel/concurrent builds
will wait for the currently executing RUN statement to finish.
* Locks the cache store as soon as RUN is triggered.
* The locked target is added to the cleanup list so it can be unlocked as soon
as the RUN step is completed.
Signed-off-by: Aditya R <arajan@redhat.com>
Users want to turn off the addition of the /etc/hosts file while building
container images; this would allow them to customize the /etc/hosts
file within the image.
Fixes: https://github.com/containers/buildah/issues/3808
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When the configured cgroup manager is set to "systemd", use the
--systemd-cgroup option of the OCI runtime. It is understood by both
crun and runc.
Closes: https://github.com/containers/buildah/issues/3700
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Make sure that, if we're given neither a concurrent jobs count nor a
semaphore to use, we create a semaphore. Otherwise, each platform in a
multi-platform build will run with maximum concurrency, which isn't the
desired default. Our CLI always passes in a Jobs count, so it hasn't
been affected by this problem.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
The backend logic already supports specifying custom network names. This
only adds the support for the frontend parsing.
Fixes containers/podman#12282
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Allow users to specify non-volatile `upper` and `workdir` with overlay
mounts.
Usage
```console
buildah from alpine
buildah run -v /something/lower:/test:z,O,upperdir=/somewhere/upperdir,workdir=/somewhere/workdir alpine-working-container cat /test/hello
```
Signed-off-by: Aditya R <arajan@redhat.com>
The permissions on this directory will prevent user namespaces from using
secrets. It should be world searchable.
[NO TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We need to use the defaults from containers.conf and not hardcode them in
buildah. This fixes an issue with the cni network backend, since it would
try to access /etc/cni/net.d/ even as a rootless user. This regression was
introduced in commit f9cff07b81.
Also hide the cni flags, as we do not expect users to change them. The
recommended way is to change them in containers.conf.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The following commit adds buildkit-like support for the `from` field in `--mount=type=bind`
and `--mount=type=cache`, so images and stages can be used as mount sources.
Usage looks like
```dockerfile
RUN --mount=type=bind,source=.,from=<your-image>,target=/path ls /path
```
and
```dockerfile
RUN --mount=type=cache,from=<your-image>,target=/path ls /path
```
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Podman uses the new netavark network stack. Buildah should be able to do
the same. Both projects should use the same networking code, which was
moved to c/common/libnetwork. The new network interface can use either
CNI or netavark. Using the same code for podman and buildah is
important to ensure that both use the same backend. Mixing CNI and
netavark is not supported.
This also fixes some outstanding CNI issues, e.g. buildah trying to
connect to all cni networks.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Do not configure the netns in the runtime child process; this removes
the need to send the network options to the child. This will be needed
for the new libnetwork network interface, which cannot be transferred as
json.
To synchronize this between the child and parent we use two pipe pairs.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
First move podman/pkg/cgroups into Buildah.
Only set resources to nil on non cgroupsv2 systems in rootless mode.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Buildah is mainly building with host namespaces; this changes most
namespaces to be private, matching Podman and using containers.conf.
Fixes: https://github.com/containers/buildah/issues/3634
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Label stdio pipes to ensure that processes we run can read through
/dev/stdin and write through the /dev/stdout and /dev/stderr links.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This commit makes sure we honor NetworkDisabled in `runs` if
`--network=none` was specified while building the container and no
configuration was specified while running the container.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Run secrets can now be created from an environment variable. The
environment variable is read and is briefly stored as a file on /dev/shm
when it's being used, and the file is removed after the RUN command is
finished.
Fixes: #3524
Signed-off-by: Ashley Cui <acui@redhat.com>
In Linux, a directory name can contain a colon.
Add support for mount paths that contain a colon.
```console
buildah run --volume /root/a\\:b:/root/test:O
```
Signed-off-by: chenk008 <kongchen28@gmail.com>
Also switch default hostname from truncated ContainerID to Container
name.
It makes more sense that a user would know the name of the container
versus the generated id, so we should use this as a default.
Fixes: https://github.com/containers/buildah/issues/3509
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The following PR introduces a new mount type=cache, in parity with buildkit,
which allows users to share a persistent cache between different builds,
allowing users to cache content generated by business logic or to enhance
build performance by caching components across builds.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Fixed a bug where the permissions of buildah bud mounted secrets were incorrect due to a decimal/octal conversion error. buildah bud mounted secrets now have a default permission of 400. Fixes #3557
Signed-off-by: Ashley Cui <acui@redhat.com>
The following PR adds support for buildkit-like `--mount=type=tmpfs`, which
allows end users to mount a chunk of volatile memory instead of a persistent storage device.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
The following commit adds support for using buildkit-like
`--mount=type=bind` with `RUN` statements. Mounts created by `--mount`
are transient in nature and only scoped to the current RUN statement.
Signed-off-by: Aditya Rajan <arajan@redhat.com>