mirror of
https://github.com/containers/podman.git
synced 2025-05-21 00:56:36 +08:00
Use buildah default isolation when working with podman play kube
Users can specify BUILDAH_ISOLATION environment variable to change the default. Fixes: https://github.com/containers/podman/issues/20024 Currently podman play kube is defaulting to chroot, which is the least safe version of build, we should always default to secure whenever possible. Chroot should only be used when building within a container. No great way to tests this. [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
@ -163,6 +163,8 @@ and as a result environment variable `FOO` is set to `bar` for container `contai
|
|||||||
|
|
||||||
Build images even if they are found in the local storage. Use `--build=false` to completely disable builds. (This option is not available with the remote Podman client)
|
Build images even if they are found in the local storage. Use `--build=false` to completely disable builds. (This option is not available with the remote Podman client)
|
||||||
|
|
||||||
|
Note: You can also override the default isolation type by setting the BUILDAH_ISOLATION environment variable. export BUILDAH_ISOLATION=oci. See podman-build.1.md for more information.
|
||||||
|
|
||||||
@@option cert-dir
|
@@option cert-dir
|
||||||
|
|
||||||
#### **--configmap**=*path*
|
#### **--configmap**=*path*
|
||||||
@ -320,4 +322,4 @@ has been changed or altered.
|
|||||||
@@include ../../kubernetes_support.md
|
@@include ../../kubernetes_support.md
|
||||||
|
|
||||||
## SEE ALSO
|
## SEE ALSO
|
||||||
**[podman(1)](podman.1.md)**, **[podman-kube(1)](podman-kube.1.md)**, **[podman-kube-down(1)](podman-kube-down.1.md)**, **[podman-network-create(1)](podman-network-create.1.md)**, **[podman-kube-generate(1)](podman-kube-generate.1.md)**, **[containers-certs.d(5)](https://github.com/containers/image/blob/main/docs/containers-certs.d.5.md)**
|
**[podman(1)](podman.1.md)**, **[podman-kube(1)](podman-kube.1.md)**, **[podman-kube-down(1)](podman-kube-down.1.md)**, **[podman-network-create(1)](podman-network-create.1.md)**, **[podman-kube-generate(1)](podman-kube-generate.1.md)**, **[podman-build(1)](podman-build.1.md)**, **[containers-certs.d(5)](https://github.com/containers/image/blob/main/docs/containers-certs.d.5.md)**
|
||||||
|
|||||||
@ -13,6 +13,7 @@ import (
|
|||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
buildahDefine "github.com/containers/buildah/define"
|
buildahDefine "github.com/containers/buildah/define"
|
||||||
|
bparse "github.com/containers/buildah/pkg/parse"
|
||||||
"github.com/containers/common/libimage"
|
"github.com/containers/common/libimage"
|
||||||
nettypes "github.com/containers/common/libnetwork/types"
|
nettypes "github.com/containers/common/libnetwork/types"
|
||||||
"github.com/containers/common/pkg/config"
|
"github.com/containers/common/pkg/config"
|
||||||
@ -991,7 +992,11 @@ func (ic *ContainerEngine) getImageAndLabelInfo(ctx context.Context, cwd string,
|
|||||||
buildOpts := new(buildahDefine.BuildOptions)
|
buildOpts := new(buildahDefine.BuildOptions)
|
||||||
commonOpts := new(buildahDefine.CommonBuildOptions)
|
commonOpts := new(buildahDefine.CommonBuildOptions)
|
||||||
buildOpts.ConfigureNetwork = buildahDefine.NetworkDefault
|
buildOpts.ConfigureNetwork = buildahDefine.NetworkDefault
|
||||||
buildOpts.Isolation = buildahDefine.IsolationChroot
|
isolation, err := bparse.IsolationOption("")
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
buildOpts.Isolation = isolation
|
||||||
buildOpts.CommonBuildOpts = commonOpts
|
buildOpts.CommonBuildOpts = commonOpts
|
||||||
buildOpts.Output = container.Image
|
buildOpts.Output = container.Image
|
||||||
buildOpts.ContextDirectory = filepath.Dir(buildFile)
|
buildOpts.ContextDirectory = filepath.Dir(buildFile)
|
||||||
|
|||||||
Reference in New Issue
Block a user