opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-05-21 00:56:36 +08:00
Code Issues Packages Projects Releases Wiki Activity

Use buildah default isolation when working with podman play kube

Browse Source 
Users can specify BUILDAH_ISOLATION environment variable to change the
default.

Fixes: https://github.com/containers/podman/issues/20024

Currently podman play kube is defaulting to chroot, which is the least
safe version of build, we should always default to secure whenever
possible. Chroot should only be used when building within a container.

No great way to tests this.
[NO NEW TESTS NEEDED]

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2023-10-23 13:29:30 -04:00
parent e9e18acd5f
commit 06b7264977
2 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/source/markdown/podman-kube-play.1.md.in
View File

@ -163,6 +163,8 @@ and as a result environment variable `FOO` is set to `bar` for container `contai
Build images even if they are found in the local storage. Use `--build=false` to completely disable builds. (This option is not available with the remote Podman client)
Note: You can also override the default isolation type by setting the BUILDAH_ISOLATION environment variable. export BUILDAH_ISOLATION=oci. See podman-build.1.md for more information.
@@option cert-dir
#### **--configmap**=*path*
@ -320,4 +322,4 @@ has been changed or altered.
@@include ../../kubernetes_support.md
## SEE ALSO
**[podman(1)](podman.1.md)**, **[podman-kube(1)](podman-kube.1.md)**, **[podman-kube-down(1)](podman-kube-down.1.md)**, **[podman-network-create(1)](podman-network-create.1.md)**, **[podman-kube-generate(1)](podman-kube-generate.1.md)**, **[containers-certs.d(5)](https://github.com/containers/image/blob/main/docs/containers-certs.d.5.md)**
**[podman(1)](podman.1.md)**, **[podman-kube(1)](podman-kube.1.md)**, **[podman-kube-down(1)](podman-kube-down.1.md)**, **[podman-network-create(1)](podman-network-create.1.md)**, **[podman-kube-generate(1)](podman-kube-generate.1.md)**, **[podman-build(1)](podman-build.1.md)**, **[containers-certs.d(5)](https://github.com/containers/image/blob/main/docs/containers-certs.d.5.md)**

7
pkg/domain/infra/abi/play.go
View File

@ -13,6 +13,7 @@ import (
"sync"
buildahDefine "github.com/containers/buildah/define"
bparse "github.com/containers/buildah/pkg/parse"
"github.com/containers/common/libimage"
nettypes "github.com/containers/common/libnetwork/types"
"github.com/containers/common/pkg/config"
@ -991,7 +992,11 @@ func (ic *ContainerEngine) getImageAndLabelInfo(ctx context.Context, cwd string,
buildOpts := new(buildahDefine.BuildOptions)
commonOpts := new(buildahDefine.CommonBuildOptions)
buildOpts.ConfigureNetwork = buildahDefine.NetworkDefault
buildOpts.Isolation = buildahDefine.IsolationChroot
isolation, err := bparse.IsolationOption("")
if err != nil {
return nil, nil, err
}
buildOpts.Isolation = isolation
buildOpts.CommonBuildOpts = commonOpts
buildOpts.Output = container.Image
buildOpts.ContextDirectory = filepath.Dir(buildFile)