mirror of
https://github.com/containers/podman.git
synced 2025-06-21 09:28:09 +08:00
vendor in latest buildah
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit is contained in:
6
go.mod
6
go.mod
@ -12,14 +12,14 @@ require (
|
||||
github.com/container-orchestrated-devices/container-device-interface v0.5.4
|
||||
github.com/containernetworking/cni v1.1.2
|
||||
github.com/containernetworking/plugins v1.3.0
|
||||
github.com/containers/buildah v1.30.1-0.20230504052500-e925b5852e07
|
||||
github.com/containers/common v0.53.1-0.20230626115555-370c89881624
|
||||
github.com/containers/buildah v1.30.1-0.20230627110136-33b7088fec7b
|
||||
github.com/containers/common v0.53.1-0.20230627061926-e6f314e59b81
|
||||
github.com/containers/conmon v2.0.20+incompatible
|
||||
github.com/containers/image/v5 v5.25.1-0.20230623174242-68798a22ce3e
|
||||
github.com/containers/libhvee v0.0.5
|
||||
github.com/containers/ocicrypt v1.1.7
|
||||
github.com/containers/psgo v1.8.0
|
||||
github.com/containers/storage v1.46.2-0.20230621123301-73f29956326d
|
||||
github.com/containers/storage v1.47.0
|
||||
github.com/coreos/go-systemd/v22 v22.5.0
|
||||
github.com/coreos/stream-metadata-go v0.4.2
|
||||
github.com/crc-org/vfkit v0.0.5-0.20230602131541-3d57f09010c9
|
||||
|
12
go.sum
12
go.sum
@ -239,10 +239,10 @@ github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHV
|
||||
github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8=
|
||||
github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q6mVDp5H1HnjM=
|
||||
github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0=
|
||||
github.com/containers/buildah v1.30.1-0.20230504052500-e925b5852e07 h1:Bs2sNFh/fSYr4J6JJLFqzyn3dp6HhlA6ewFwRYUpeIE=
|
||||
github.com/containers/buildah v1.30.1-0.20230504052500-e925b5852e07/go.mod h1:6A/BK0YJLXL8+AqlbceKJrhUT+NtEgsvAc51F7TAllc=
|
||||
github.com/containers/common v0.53.1-0.20230626115555-370c89881624 h1:YBgjfoo0G3tR8vm225ghJnqOZOVv3tH1L1GbyRM9320=
|
||||
github.com/containers/common v0.53.1-0.20230626115555-370c89881624/go.mod h1:qE1MzGl69IoK7ZNCCH51+aLVjyQtnH0LiZe0wG32Jy0=
|
||||
github.com/containers/buildah v1.30.1-0.20230627110136-33b7088fec7b h1:cTb0Sxu/tIQ9uPIchFmkYs+uOtylhyO+0h2+i3XzisQ=
|
||||
github.com/containers/buildah v1.30.1-0.20230627110136-33b7088fec7b/go.mod h1:O2jiDd5+569W8cwqyLnRKiqAHOPTi/Kj+oDlFNsFg24=
|
||||
github.com/containers/common v0.53.1-0.20230627061926-e6f314e59b81 h1:axB9UaqlBcpVX4yA41OfshJd5emqOuQ/GMNxopyAX20=
|
||||
github.com/containers/common v0.53.1-0.20230627061926-e6f314e59b81/go.mod h1:BkgcpfdNC54M3fGDtHUjqt7teGNsuj9yGoWUC+YVhi4=
|
||||
github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
|
||||
github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
|
||||
github.com/containers/image/v5 v5.25.1-0.20230623174242-68798a22ce3e h1:4W/7KRo29f7zRGRruc3kSf18wNZB/loR1jTygi0TvRM=
|
||||
@ -259,8 +259,8 @@ github.com/containers/ocicrypt v1.1.7/go.mod h1:7CAhjcj2H8AYp5YvEie7oVSK2AhBY8Ns
|
||||
github.com/containers/psgo v1.8.0 h1:2loGekmGAxM9ir5OsXWEfGwFxorMPYnc6gEDsGFQvhY=
|
||||
github.com/containers/psgo v1.8.0/go.mod h1:T8ZxnX3Ur4RvnhxFJ7t8xJ1F48RhiZB4rSrOaR/qGHc=
|
||||
github.com/containers/storage v1.43.0/go.mod h1:uZ147thiIFGdVTjMmIw19knttQnUCl3y9zjreHrg11s=
|
||||
github.com/containers/storage v1.46.2-0.20230621123301-73f29956326d h1:OzN0VtkQ8kcj6HB8QdrIq7qiVsZ6pEcmolV1trZgrgA=
|
||||
github.com/containers/storage v1.46.2-0.20230621123301-73f29956326d/go.mod h1:pRp3lkRo2qodb/ltpnudoXggrviRmaCmU5a5GhTBae0=
|
||||
github.com/containers/storage v1.47.0 h1:Tl/onL8yE/4QABc2kfPDaTSYijk3QrmXGrO21KXkj58=
|
||||
github.com/containers/storage v1.47.0/go.mod h1:pRp3lkRo2qodb/ltpnudoXggrviRmaCmU5a5GhTBae0=
|
||||
github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
|
||||
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
|
||||
github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
|
||||
|
28
vendor/github.com/containers/buildah/.packit.sh
generated
vendored
28
vendor/github.com/containers/buildah/.packit.sh
generated
vendored
@ -1,28 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# This script handles any custom processing of the spec file generated using the `post-upstream-clone`
|
||||
# action and gets used by the fix-spec-file action in .packit.yaml.
|
||||
|
||||
set -eo pipefail
|
||||
|
||||
# Get Version from define/types.go in HEAD
|
||||
VERSION=$(grep ^$'\tVersion' define/types.go | cut -d\" -f2 | sed -e 's/-/~/')
|
||||
|
||||
# Generate source tarball from HEAD
|
||||
git archive --prefix=buildah-$VERSION/ -o buildah-$VERSION.tar.gz HEAD
|
||||
|
||||
# RPM Spec modifications
|
||||
|
||||
# Use the Version from define/types.go in rpm spec
|
||||
sed -i "s/^Version:.*/Version: $VERSION/" buildah.spec
|
||||
|
||||
# Use Packit's supplied variable in the Release field in rpm spec.
|
||||
# buildah.spec is generated using `rpkg spec --outdir ./` as mentioned in the
|
||||
# `post-upstream-clone` action in .packit.yaml.
|
||||
sed -i "s/^Release:.*/Release: $PACKIT_RPMSPEC_RELEASE%{?dist}/" buildah.spec
|
||||
|
||||
# Use above generated tarball as Source in rpm spec
|
||||
sed -i "s/^Source:.*.tar.gz/Source: buildah-$VERSION.tar.gz/" buildah.spec
|
||||
|
||||
# Use the right build dir for autosetup stage in rpm spec
|
||||
sed -i "s/^%setup.*/%autosetup -Sgit -n %{name}-$VERSION/" buildah.spec
|
30
vendor/github.com/containers/buildah/.packit.yaml
generated
vendored
30
vendor/github.com/containers/buildah/.packit.yaml
generated
vendored
@ -4,8 +4,11 @@
|
||||
|
||||
# Build targets can be found at:
|
||||
# https://copr.fedorainfracloud.org/coprs/rhcontainerbot/packit-builds/
|
||||
# and
|
||||
# https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/
|
||||
|
||||
specfile_path: buildah.spec
|
||||
specfile_path: rpm/buildah.spec
|
||||
upstream_tag_template: v{version}
|
||||
|
||||
jobs:
|
||||
- &copr
|
||||
@ -16,15 +19,28 @@ jobs:
|
||||
enable_net: true
|
||||
srpm_build_deps:
|
||||
- make
|
||||
- rpkg
|
||||
actions:
|
||||
post-upstream-clone:
|
||||
- "rpkg spec --outdir ./"
|
||||
fix-spec-file:
|
||||
- "bash .packit.sh"
|
||||
|
||||
- <<: *copr
|
||||
# Run on commit to main branch
|
||||
trigger: commit
|
||||
branch: main
|
||||
project: podman-next
|
||||
|
||||
- job: propose_downstream
|
||||
trigger: release
|
||||
update_release: false
|
||||
dist_git_branches:
|
||||
- fedora-all
|
||||
actions:
|
||||
pre-sync:
|
||||
- "bash rpm/update-spec-provides.sh"
|
||||
|
||||
- job: koji_build
|
||||
trigger: commit
|
||||
dist_git_branches:
|
||||
- fedora-all
|
||||
|
||||
- job: bodhi_update
|
||||
trigger: commit
|
||||
dist_git_branches:
|
||||
- fedora-branched # rawhide updates are created automatically
|
||||
|
4
vendor/github.com/containers/buildah/Makefile
generated
vendored
4
vendor/github.com/containers/buildah/Makefile
generated
vendored
@ -1,7 +1,7 @@
|
||||
export GOPROXY=https://proxy.golang.org
|
||||
|
||||
APPARMORTAG := $(shell hack/apparmor_tag.sh)
|
||||
STORAGETAGS := $(shell ./btrfs_tag.sh) $(shell ./btrfs_installed_tag.sh) $(shell ./libdm_tag.sh) $(shell ./hack/libsubid_tag.sh)
|
||||
STORAGETAGS := exclude_graphdriver_devicemapper $(shell ./btrfs_tag.sh) $(shell ./btrfs_installed_tag.sh) $(shell ./hack/libsubid_tag.sh)
|
||||
SECURITYTAGS ?= seccomp $(APPARMORTAG)
|
||||
TAGS ?= $(SECURITYTAGS) $(STORAGETAGS) $(shell ./hack/systemd_tag.sh)
|
||||
BUILDTAGS += $(TAGS)
|
||||
@ -27,7 +27,7 @@ RACEFLAGS := $(shell $(GO_TEST) -race ./pkg/dummy > /dev/null 2>&1 && echo -race
|
||||
COMMIT_NO ?= $(shell git rev-parse HEAD 2> /dev/null || true)
|
||||
GIT_COMMIT ?= $(if $(shell git status --porcelain --untracked-files=no),${COMMIT_NO}-dirty,${COMMIT_NO})
|
||||
SOURCE_DATE_EPOCH ?= $(if $(shell date +%s),$(shell date +%s),$(error "date failed"))
|
||||
STATIC_STORAGETAGS = "containers_image_openpgp exclude_graphdriver_devicemapper $(STORAGE_TAGS)"
|
||||
STATIC_STORAGETAGS = "containers_image_openpgp $(STORAGE_TAGS)"
|
||||
|
||||
# we get GNU make 3.x in MacOS build envs, which wants # to be escaped in
|
||||
# strings, while the 4.x we have on Linux doesn't. this is the documented
|
||||
|
165
vendor/github.com/containers/buildah/buildah.spec.rpkg
generated
vendored
165
vendor/github.com/containers/buildah/buildah.spec.rpkg
generated
vendored
@ -1,165 +0,0 @@
|
||||
# For automatic rebuilds in COPR
|
||||
|
||||
# The following tag is to get correct syntax highlighting for this file in vim text editor
|
||||
# vim: syntax=spec
|
||||
|
||||
# Any additinoal comments should go below this line or else syntax highlighting
|
||||
# may not work.
|
||||
|
||||
# CAUTION: This is not a replacement for RPMs provided by your distro.
|
||||
# Only intended to build and test the latest unreleased changes.
|
||||
|
||||
%global with_debug 1
|
||||
|
||||
# RHEL 8's default %%gobuild macro doesn't account for the BUILDTAGS variable, so we
|
||||
# set it separately here and do not depend on RHEL 8's go-srpm-macros package.
|
||||
%if !0%{?fedora} && 0%{?rhel} <= 8
|
||||
%define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "-linkmode=external -compressdwarf=false ${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
|
||||
%endif
|
||||
|
||||
%if 0%{?with_debug}
|
||||
%global _find_debuginfo_dwz_opts %{nil}
|
||||
%global _dwz_low_mem_die_limit 0
|
||||
%else
|
||||
%global debug_package %{nil}
|
||||
%endif
|
||||
|
||||
%global provider github
|
||||
%global provider_tld com
|
||||
%global project containers
|
||||
%global repo %{name}
|
||||
# https://github.com/containers/%%{name}
|
||||
%global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
|
||||
%global git0 https://%{import_path}
|
||||
|
||||
Name: {{{ git_dir_name }}}
|
||||
Epoch: 101
|
||||
Version: {{{ git_dir_version }}}
|
||||
Release: 1%{?dist}
|
||||
Summary: Manage Pods, Containers and Container Images
|
||||
License: ASL 2.0
|
||||
URL: https://github.com/containers/buildah
|
||||
VCS: {{{ git_dir_vcs }}}
|
||||
Source: {{{ git_dir_pack }}}
|
||||
BuildRequires: device-mapper-devel
|
||||
BuildRequires: git-core
|
||||
BuildRequires: golang
|
||||
BuildRequires: glib2-devel
|
||||
BuildRequires: glibc-static
|
||||
BuildRequires: go-md2man
|
||||
%if 0%{?fedora} || 0%{?rhel} >= 9
|
||||
BuildRequires: go-rpm-macros
|
||||
%endif
|
||||
BuildRequires: gpgme-devel
|
||||
BuildRequires: libassuan-devel
|
||||
BuildRequires: make
|
||||
BuildRequires: ostree-devel
|
||||
BuildRequires: shadow-utils-subid-devel
|
||||
%if 0%{?fedora} && ! 0%{?rhel}
|
||||
BuildRequires: btrfs-progs-devel
|
||||
%endif
|
||||
Requires: containers-common-extra >= 4:1-78
|
||||
%if 0%{?rhel}
|
||||
BuildRequires: libseccomp-devel
|
||||
%else
|
||||
BuildRequires: libseccomp-static
|
||||
%endif
|
||||
Requires: libseccomp
|
||||
Suggests: cpp
|
||||
|
||||
%description
|
||||
The %{name} package provides a command line tool which can be used to
|
||||
* create a working container from scratch
|
||||
or
|
||||
* create a working container from an image as a starting point
|
||||
* mount/umount a working container's root file system for manipulation
|
||||
* save container's root file system layer to create a new image
|
||||
* delete a working container or an image.
|
||||
|
||||
%package tests
|
||||
Summary: Tests for %{name}
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Requires: bats
|
||||
Requires: bzip2
|
||||
Requires: podman
|
||||
Requires: golang
|
||||
Requires: jq
|
||||
Requires: httpd-tools
|
||||
Requires: openssl
|
||||
Requires: nmap-ncat
|
||||
Requires: git-daemon
|
||||
|
||||
%description tests
|
||||
%{summary}
|
||||
|
||||
This package contains system tests for %{name}
|
||||
|
||||
%prep
|
||||
{{{ git_dir_setup_macro }}}
|
||||
|
||||
%build
|
||||
%set_build_flags
|
||||
export GOPATH=$(pwd)/_build:$(pwd)
|
||||
export CGO_CFLAGS=$CFLAGS
|
||||
# These extra flags present in $CFLAGS have been skipped for now as they break the build
|
||||
CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-flto=auto//g')
|
||||
CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-Wp,D_GLIBCXX_ASSERTIONS//g')
|
||||
CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-specs=\/usr\/lib\/rpm\/redhat\/redhat-annobin-cc1//g')
|
||||
|
||||
%ifarch x86_64
|
||||
export CGO_CFLAGS+=" -m64 -mtune=generic -fcf-protection=full"
|
||||
%endif
|
||||
|
||||
mkdir _build
|
||||
pushd _build
|
||||
mkdir -p src/%{provider}.%{provider_tld}/%{project}
|
||||
ln -s $(dirs +1 -l) src/%{import_path}
|
||||
popd
|
||||
|
||||
mv vendor src
|
||||
|
||||
export CNI_VERSION=`grep '^# github.com/containernetworking/cni ' src/modules.txt | sed 's,.* ,,'`
|
||||
export LDFLAGS="-X main.buildInfo=`date +%s` -X main.cniVersion=${CNI_VERSION}"
|
||||
|
||||
export BUILDTAGS="$(hack/libsubid_tag.sh) seccomp selinux $(hack/systemd_tag.sh)"
|
||||
%if 0%{?rhel}
|
||||
export BUILDTAGS="$BUILDTAGS exclude_graphdriver_btrfs btrfs_noversion"
|
||||
%endif
|
||||
|
||||
%gobuild -o bin/%{name} %{import_path}/cmd/%{name}
|
||||
%gobuild -o bin/imgtype %{import_path}/tests/imgtype
|
||||
%gobuild -o bin/copy %{import_path}/tests/copy
|
||||
GOMD2MAN=go-md2man %{__make} -C docs
|
||||
|
||||
# This will copy the files generated by the `make` command above into
|
||||
# the installable rpm package.
|
||||
%install
|
||||
export GOPATH=$(pwd)/_build:$(pwd):%{gopath}
|
||||
make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
|
||||
make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
|
||||
|
||||
install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
|
||||
cp -pav tests/. %{buildroot}/%{_datadir}/%{name}/test/system
|
||||
cp bin/imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
|
||||
cp bin/copy %{buildroot}/%{_bindir}/%{name}-copy
|
||||
|
||||
rm -f %{buildroot}%{_mandir}/man5/{Containerfile.5*,containerignore.5*}
|
||||
|
||||
|
||||
%files
|
||||
%license LICENSE
|
||||
%doc README.md
|
||||
%{_bindir}/%{name}
|
||||
%{_mandir}/man1/%{name}*
|
||||
%dir %{_datadir}/bash-completion
|
||||
%dir %{_datadir}/bash-completion/completions
|
||||
%{_datadir}/bash-completion/completions/%{name}
|
||||
|
||||
%files tests
|
||||
%license LICENSE
|
||||
%{_bindir}/%{name}-imgtype
|
||||
%{_bindir}/%{name}-copy
|
||||
%{_datadir}/%{name}/test
|
||||
|
||||
%changelog
|
||||
{{{ git_dir_changelog }}}
|
4
vendor/github.com/containers/buildah/chroot/run_common.go
generated
vendored
4
vendor/github.com/containers/buildah/chroot/run_common.go
generated
vendored
@ -501,6 +501,10 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
|
||||
// Apologize for the namespace configuration that we're about to ignore.
|
||||
logNamespaceDiagnostics(spec)
|
||||
|
||||
// We need to lock the thread so that PR_SET_PDEATHSIG won't trigger if the current thread exits.
|
||||
runtime.LockOSThread()
|
||||
defer runtime.UnlockOSThread()
|
||||
|
||||
// Start the parent subprocess.
|
||||
cmd := unshare.Command(append([]string{runUsingChrootExecCommand}, spec.Process.Args...)...)
|
||||
setPdeathsig(cmd.Cmd)
|
||||
|
2
vendor/github.com/containers/buildah/copier/copier.go
generated
vendored
2
vendor/github.com/containers/buildah/copier/copier.go
generated
vendored
@ -1721,7 +1721,7 @@ func copierHandlerPut(bulkReader io.Reader, req request, idMappings *idtools.IDM
|
||||
// no type flag for sockets
|
||||
default:
|
||||
return fmt.Errorf("unrecognized Typeflag %c", hdr.Typeflag)
|
||||
case tar.TypeReg, tar.TypeRegA:
|
||||
case tar.TypeReg:
|
||||
var written int64
|
||||
written, err = createFile(path, tr)
|
||||
// only check the length if there wasn't an error, which we'll
|
||||
|
5
vendor/github.com/containers/buildah/imagebuildah/build.go
generated
vendored
5
vendor/github.com/containers/buildah/imagebuildah/build.go
generated
vendored
@ -17,6 +17,7 @@ import (
|
||||
"github.com/containerd/containerd/platforms"
|
||||
"github.com/containers/buildah/define"
|
||||
internalUtil "github.com/containers/buildah/internal/util"
|
||||
"github.com/containers/buildah/pkg/parse"
|
||||
"github.com/containers/buildah/util"
|
||||
"github.com/containers/common/libimage"
|
||||
"github.com/containers/common/pkg/config"
|
||||
@ -65,7 +66,9 @@ func BuildDockerfiles(ctx context.Context, store storage.Store, options define.B
|
||||
if options.CommonBuildOpts == nil {
|
||||
options.CommonBuildOpts = &define.CommonBuildOptions{}
|
||||
}
|
||||
|
||||
if err := parse.Volumes(options.CommonBuildOpts.Volumes); err != nil {
|
||||
return "", nil, fmt.Errorf("validating volumes: %w", err)
|
||||
}
|
||||
if len(paths) == 0 {
|
||||
return "", nil, errors.New("building: no dockerfiles specified")
|
||||
}
|
||||
|
50
vendor/github.com/containers/buildah/imagebuildah/executor.go
generated
vendored
50
vendor/github.com/containers/buildah/imagebuildah/executor.go
generated
vendored
@ -470,34 +470,34 @@ func (b *Executor) buildStage(ctx context.Context, cleanupStages map[int]*StageE
|
||||
output := ""
|
||||
if stageIndex == len(stages)-1 {
|
||||
output = b.output
|
||||
}
|
||||
// Check if any labels were passed in via the API, and add a final line
|
||||
// to the Dockerfile that would provide the same result.
|
||||
// Reason: Docker adds label modification as a last step which can be
|
||||
// processed like regular steps, and if no modification is done to
|
||||
// layers, its easier to re-use cached layers.
|
||||
if len(b.labels) > 0 {
|
||||
var labelLine string
|
||||
labels := append([]string{}, b.labels...)
|
||||
for _, labelSpec := range labels {
|
||||
label := strings.SplitN(labelSpec, "=", 2)
|
||||
key := label[0]
|
||||
value := ""
|
||||
if len(label) > 1 {
|
||||
value = label[1]
|
||||
// Check if any labels were passed in via the API, and add a final line
|
||||
// to the Dockerfile that would provide the same result.
|
||||
// Reason: Docker adds label modification as a last step which can be
|
||||
// processed like regular steps, and if no modification is done to
|
||||
// layers, its easier to re-use cached layers.
|
||||
if len(b.labels) > 0 {
|
||||
var labelLine string
|
||||
labels := append([]string{}, b.labels...)
|
||||
for _, labelSpec := range labels {
|
||||
label := strings.SplitN(labelSpec, "=", 2)
|
||||
key := label[0]
|
||||
value := ""
|
||||
if len(label) > 1 {
|
||||
value = label[1]
|
||||
}
|
||||
// check only for an empty key since docker allows empty values
|
||||
if key != "" {
|
||||
labelLine += fmt.Sprintf(" %q=%q", key, value)
|
||||
}
|
||||
}
|
||||
// check only for an empty key since docker allows empty values
|
||||
if key != "" {
|
||||
labelLine += fmt.Sprintf(" %q=%q", key, value)
|
||||
if len(labelLine) > 0 {
|
||||
additionalNode, err := imagebuilder.ParseDockerfile(strings.NewReader("LABEL" + labelLine + "\n"))
|
||||
if err != nil {
|
||||
return "", nil, fmt.Errorf("while adding additional LABEL step: %w", err)
|
||||
}
|
||||
stage.Node.Children = append(stage.Node.Children, additionalNode.Children...)
|
||||
}
|
||||
}
|
||||
if len(labelLine) > 0 {
|
||||
additionalNode, err := imagebuilder.ParseDockerfile(strings.NewReader("LABEL" + labelLine + "\n"))
|
||||
if err != nil {
|
||||
return "", nil, fmt.Errorf("while adding additional LABEL step: %w", err)
|
||||
}
|
||||
stage.Node.Children = append(stage.Node.Children, additionalNode.Children...)
|
||||
}
|
||||
}
|
||||
|
||||
// If this stage is starting out with environment variables that were
|
||||
|
10
vendor/github.com/containers/buildah/install.md
generated
vendored
10
vendor/github.com/containers/buildah/install.md
generated
vendored
@ -161,7 +161,6 @@ Prior to installing Buildah, install the following packages on your Linux distro
|
||||
* bats
|
||||
* btrfs-progs-devel
|
||||
* bzip2
|
||||
* device-mapper-devel
|
||||
* git
|
||||
* go-md2man
|
||||
* gpgme-devel
|
||||
@ -181,7 +180,6 @@ In Fedora, you can use this command:
|
||||
golang \
|
||||
bats \
|
||||
btrfs-progs-devel \
|
||||
device-mapper-devel \
|
||||
glib2-devel \
|
||||
gpgme-devel \
|
||||
libassuan-devel \
|
||||
@ -216,7 +214,6 @@ In RHEL and CentOS, run this command to install the build dependencies:
|
||||
golang \
|
||||
bats \
|
||||
btrfs-progs-devel \
|
||||
device-mapper-devel \
|
||||
glib2-devel \
|
||||
gpgme-devel \
|
||||
libassuan-devel \
|
||||
@ -242,7 +239,6 @@ On openSUSE Tumbleweed, install go via `zypper in go`, then run this command:
|
||||
bzip2 \
|
||||
libgpgme-devel \
|
||||
libseccomp-devel \
|
||||
device-mapper-devel \
|
||||
libbtrfs-devel \
|
||||
go-md2man
|
||||
```
|
||||
@ -256,7 +252,7 @@ In Ubuntu jammy you can use these commands:
|
||||
|
||||
```
|
||||
sudo apt-get -y -qq update
|
||||
sudo apt-get -y install bats btrfs-progs git libapparmor-dev libdevmapper-dev libglib2.0-dev libgpgme11-dev libseccomp-dev libselinux1-dev skopeo go-md2man make
|
||||
sudo apt-get -y install bats btrfs-progs git libapparmor-dev libglib2.0-dev libgpgme11-dev libseccomp-dev libselinux1-dev skopeo go-md2man make
|
||||
sudo apt-get -y install golang-1.18
|
||||
```
|
||||
Then to install Buildah on Ubuntu follow the steps in this example:
|
||||
@ -282,7 +278,7 @@ sudo gpg --export 0x018BA5AD9DF57A4448F0E6CF8BECF1637AD8C79D >> /usr/share/keyri
|
||||
sudo echo 'deb [signed-by=/usr/share/keyrings/projectatomic-ppa.gpg] http://ppa.launchpad.net/projectatomic/ppa/ubuntu zesty main' > /etc/apt/sources.list.d/projectatomic-ppa.list
|
||||
sudo apt update
|
||||
sudo apt -y install -t stretch-backports golang
|
||||
sudo apt -y install bats btrfs-tools git libapparmor-dev libdevmapper-dev libglib2.0-dev libgpgme11-dev libseccomp-dev libselinux1-dev skopeo-containers go-md2man
|
||||
sudo apt -y install bats btrfs-tools git libapparmor-dev libglib2.0-dev libgpgme11-dev libseccomp-dev libselinux1-dev skopeo-containers go-md2man
|
||||
```
|
||||
|
||||
The build steps on Debian are otherwise the same as Ubuntu, above.
|
||||
@ -319,7 +315,7 @@ cat /etc/containers/registries.conf
|
||||
# and 'registries.block'.
|
||||
|
||||
[registries.search]
|
||||
registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org']
|
||||
registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com']
|
||||
|
||||
# If you need to access insecure registries, add the registry's fully-qualified name.
|
||||
# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
|
||||
|
56
vendor/github.com/containers/buildah/internal/util/util.go
generated
vendored
56
vendor/github.com/containers/buildah/internal/util/util.go
generated
vendored
@ -8,9 +8,8 @@ import (
|
||||
|
||||
"github.com/containers/buildah/define"
|
||||
"github.com/containers/common/libimage"
|
||||
"github.com/containers/common/pkg/config"
|
||||
"github.com/containers/image/v5/types"
|
||||
encconfig "github.com/containers/ocicrypt/config"
|
||||
enchelpers "github.com/containers/ocicrypt/helpers"
|
||||
"github.com/containers/storage"
|
||||
"github.com/containers/storage/pkg/archive"
|
||||
"github.com/containers/storage/pkg/chrootarchive"
|
||||
@ -56,6 +55,13 @@ func GetTempDir() string {
|
||||
if tmpdir, ok := os.LookupEnv("TMPDIR"); ok {
|
||||
return tmpdir
|
||||
}
|
||||
containerConfig, err := config.Default()
|
||||
if err != nil {
|
||||
tmpdir, err := containerConfig.ImageCopyTmpDir()
|
||||
if err != nil {
|
||||
return tmpdir
|
||||
}
|
||||
}
|
||||
return "/var/tmp"
|
||||
}
|
||||
|
||||
@ -106,49 +112,3 @@ func ExportFromReader(input io.Reader, opts define.BuildOutputOption) error {
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// DecryptConfig translates decryptionKeys into a DescriptionConfig structure
|
||||
func DecryptConfig(decryptionKeys []string) (*encconfig.DecryptConfig, error) {
|
||||
decryptConfig := &encconfig.DecryptConfig{}
|
||||
if len(decryptionKeys) > 0 {
|
||||
// decryption
|
||||
dcc, err := enchelpers.CreateCryptoConfig([]string{}, decryptionKeys)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("invalid decryption keys: %w", err)
|
||||
}
|
||||
cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{dcc})
|
||||
decryptConfig = cc.DecryptConfig
|
||||
}
|
||||
|
||||
return decryptConfig, nil
|
||||
}
|
||||
|
||||
// EncryptConfig translates encryptionKeys into a EncriptionsConfig structure
|
||||
func EncryptConfig(encryptionKeys []string, encryptLayers []int) (*encconfig.EncryptConfig, *[]int, error) {
|
||||
var encLayers *[]int
|
||||
var encConfig *encconfig.EncryptConfig
|
||||
|
||||
if len(encryptionKeys) > 0 {
|
||||
// encryption
|
||||
encLayers = &encryptLayers
|
||||
ecc, err := enchelpers.CreateCryptoConfig(encryptionKeys, []string{})
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("invalid encryption keys: %w", err)
|
||||
}
|
||||
cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{ecc})
|
||||
encConfig = cc.EncryptConfig
|
||||
}
|
||||
return encConfig, encLayers, nil
|
||||
}
|
||||
|
||||
// GetFormat translates format string into either docker or OCI format constant
|
||||
func GetFormat(format string) (string, error) {
|
||||
switch format {
|
||||
case define.OCI:
|
||||
return define.OCIv1ImageManifest, nil
|
||||
case define.DOCKER:
|
||||
return define.Dockerv2ImageManifest, nil
|
||||
default:
|
||||
return "", fmt.Errorf("unrecognized image type %q", format)
|
||||
}
|
||||
}
|
||||
|
15
vendor/github.com/containers/buildah/libdm_tag.sh
generated
vendored
15
vendor/github.com/containers/buildah/libdm_tag.sh
generated
vendored
@ -1,15 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
tmpdir="$PWD/tmp.$RANDOM"
|
||||
mkdir -p "$tmpdir"
|
||||
trap 'rm -fr "$tmpdir"' EXIT
|
||||
${CC:-cc} ${CFLAGS} ${CPPFLAGS} ${LDFLAGS} -o "$tmpdir"/libdm_tag -x c - -ldevmapper > /dev/null 2> /dev/null << EOF
|
||||
#include <libdevmapper.h>
|
||||
int main() {
|
||||
struct dm_task *task;
|
||||
dm_task_deferred_remove(task);
|
||||
return 0;
|
||||
}
|
||||
EOF
|
||||
if test $? -ne 0 ; then
|
||||
echo libdm_no_deferred_remove
|
||||
fi
|
7
vendor/github.com/containers/buildah/pkg/cli/build.go
generated
vendored
7
vendor/github.com/containers/buildah/pkg/cli/build.go
generated
vendored
@ -14,7 +14,6 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/containers/buildah/define"
|
||||
iutil "github.com/containers/buildah/internal/util"
|
||||
"github.com/containers/buildah/pkg/parse"
|
||||
"github.com/containers/buildah/pkg/util"
|
||||
"github.com/containers/common/pkg/auth"
|
||||
@ -135,7 +134,7 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) (
|
||||
}
|
||||
|
||||
containerfiles := getContainerfiles(iopts.File)
|
||||
format, err := iutil.GetFormat(iopts.Format)
|
||||
format, err := GetFormat(iopts.Format)
|
||||
if err != nil {
|
||||
return options, nil, nil, err
|
||||
}
|
||||
@ -272,7 +271,7 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) (
|
||||
return options, nil, nil, err
|
||||
}
|
||||
|
||||
decryptConfig, err := iutil.DecryptConfig(iopts.DecryptionKeys)
|
||||
decryptConfig, err := DecryptConfig(iopts.DecryptionKeys)
|
||||
if err != nil {
|
||||
return options, nil, nil, fmt.Errorf("unable to obtain decrypt config: %w", err)
|
||||
}
|
||||
@ -433,7 +432,7 @@ func readBuildArgFile(buildargfile string, args map[string]string) error {
|
||||
return err
|
||||
}
|
||||
for _, arg := range strings.Split(string(argfile), "\n") {
|
||||
if len (arg) == 0 || arg[0] == '#' {
|
||||
if len(arg) == 0 || arg[0] == '#' {
|
||||
continue
|
||||
}
|
||||
readBuildArg(arg, args)
|
||||
|
48
vendor/github.com/containers/buildah/pkg/cli/common.go
generated
vendored
48
vendor/github.com/containers/buildah/pkg/cli/common.go
generated
vendored
@ -15,6 +15,8 @@ import (
|
||||
"github.com/containers/buildah/pkg/parse"
|
||||
commonComp "github.com/containers/common/pkg/completion"
|
||||
"github.com/containers/common/pkg/config"
|
||||
encconfig "github.com/containers/ocicrypt/config"
|
||||
enchelpers "github.com/containers/ocicrypt/helpers"
|
||||
"github.com/containers/storage/pkg/unshare"
|
||||
"github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/spf13/pflag"
|
||||
@ -523,3 +525,49 @@ func LookupEnvVarReferences(specs, environ []string) []string {
|
||||
|
||||
return result
|
||||
}
|
||||
|
||||
// DecryptConfig translates decryptionKeys into a DescriptionConfig structure
|
||||
func DecryptConfig(decryptionKeys []string) (*encconfig.DecryptConfig, error) {
|
||||
var decryptConfig *encconfig.DecryptConfig
|
||||
if len(decryptionKeys) > 0 {
|
||||
// decryption
|
||||
dcc, err := enchelpers.CreateCryptoConfig([]string{}, decryptionKeys)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("invalid decryption keys: %w", err)
|
||||
}
|
||||
cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{dcc})
|
||||
decryptConfig = cc.DecryptConfig
|
||||
}
|
||||
|
||||
return decryptConfig, nil
|
||||
}
|
||||
|
||||
// EncryptConfig translates encryptionKeys into a EncriptionsConfig structure
|
||||
func EncryptConfig(encryptionKeys []string, encryptLayers []int) (*encconfig.EncryptConfig, *[]int, error) {
|
||||
var encLayers *[]int
|
||||
var encConfig *encconfig.EncryptConfig
|
||||
|
||||
if len(encryptionKeys) > 0 {
|
||||
// encryption
|
||||
encLayers = &encryptLayers
|
||||
ecc, err := enchelpers.CreateCryptoConfig(encryptionKeys, []string{})
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("invalid encryption keys: %w", err)
|
||||
}
|
||||
cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{ecc})
|
||||
encConfig = cc.EncryptConfig
|
||||
}
|
||||
return encConfig, encLayers, nil
|
||||
}
|
||||
|
||||
// GetFormat translates format string into either docker or OCI format constant
|
||||
func GetFormat(format string) (string, error) {
|
||||
switch format {
|
||||
case define.OCI:
|
||||
return define.OCIv1ImageManifest, nil
|
||||
case define.DOCKER:
|
||||
return define.Dockerv2ImageManifest, nil
|
||||
default:
|
||||
return "", fmt.Errorf("unrecognized image type %q", format)
|
||||
}
|
||||
}
|
||||
|
9
vendor/github.com/containers/buildah/pkg/parse/parse.go
generated
vendored
9
vendor/github.com/containers/buildah/pkg/parse/parse.go
generated
vendored
@ -17,6 +17,7 @@ import (
|
||||
"github.com/containerd/containerd/platforms"
|
||||
"github.com/containers/buildah/define"
|
||||
internalParse "github.com/containers/buildah/internal/parse"
|
||||
internalUtil "github.com/containers/buildah/internal/util"
|
||||
"github.com/containers/buildah/pkg/sshagent"
|
||||
"github.com/containers/common/pkg/config"
|
||||
"github.com/containers/common/pkg/parse"
|
||||
@ -154,9 +155,6 @@ func CommonBuildOptionsFromFlagSet(flags *pflag.FlagSet, findFlagFunc func(name
|
||||
return nil, fmt.Errorf("invalid --shm-size: %w", err)
|
||||
}
|
||||
volumes, _ := flags.GetStringArray("volume")
|
||||
if err := Volumes(volumes); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
cpuPeriod, _ := flags.GetUint64("cpu-period")
|
||||
cpuQuota, _ := flags.GetInt64("cpu-quota")
|
||||
cpuShares, _ := flags.GetUint64("cpu-shares")
|
||||
@ -999,10 +997,7 @@ func isValidDeviceMode(mode string) bool {
|
||||
}
|
||||
|
||||
func GetTempDir() string {
|
||||
if tmpdir, ok := os.LookupEnv("TMPDIR"); ok {
|
||||
return tmpdir
|
||||
}
|
||||
return "/var/tmp"
|
||||
return internalUtil.GetTempDir()
|
||||
}
|
||||
|
||||
// Secrets parses the --secret flag
|
||||
|
135
vendor/github.com/containers/buildah/run_common.go
generated
vendored
135
vendor/github.com/containers/buildah/run_common.go
generated
vendored
@ -35,6 +35,7 @@ import (
|
||||
"github.com/containers/common/libnetwork/network"
|
||||
"github.com/containers/common/libnetwork/resolvconf"
|
||||
netTypes "github.com/containers/common/libnetwork/types"
|
||||
netUtil "github.com/containers/common/libnetwork/util"
|
||||
"github.com/containers/common/pkg/config"
|
||||
"github.com/containers/common/pkg/subscriptions"
|
||||
imageTypes "github.com/containers/image/v5/types"
|
||||
@ -117,7 +118,7 @@ func (b *Builder) addResolvConf(rdir string, chownOpts *idtools.IDPair, dnsServe
|
||||
}
|
||||
|
||||
// generateHosts creates a containers hosts file
|
||||
func (b *Builder) generateHosts(rdir string, chownOpts *idtools.IDPair, imageRoot string) (string, error) {
|
||||
func (b *Builder) generateHosts(rdir string, chownOpts *idtools.IDPair, imageRoot string, spec *spec.Spec) (string, error) {
|
||||
conf, err := config.Default()
|
||||
if err != nil {
|
||||
return "", err
|
||||
@ -128,12 +129,34 @@ func (b *Builder) generateHosts(rdir string, chownOpts *idtools.IDPair, imageRoo
|
||||
return "", err
|
||||
}
|
||||
|
||||
var entries etchosts.HostEntries
|
||||
isHost := true
|
||||
if spec.Linux != nil {
|
||||
for _, ns := range spec.Linux.Namespaces {
|
||||
if ns.Type == specs.NetworkNamespace {
|
||||
isHost = false
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
// add host entry for local ip when running in host network
|
||||
if spec.Hostname != "" && isHost {
|
||||
ip := netUtil.GetLocalIP()
|
||||
if ip != "" {
|
||||
entries = append(entries, etchosts.HostEntry{
|
||||
Names: []string{spec.Hostname},
|
||||
IP: ip,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
targetfile := filepath.Join(rdir, "hosts")
|
||||
if err := etchosts.New(&etchosts.Params{
|
||||
BaseFile: path,
|
||||
ExtraHosts: b.CommonBuildOpts.AddHost,
|
||||
HostContainersInternalIP: etchosts.GetHostContainersInternalIP(conf, nil, nil),
|
||||
TargetFile: targetfile,
|
||||
ContainerIPs: entries,
|
||||
}); err != nil {
|
||||
return "", err
|
||||
}
|
||||
@ -368,6 +391,9 @@ func checkAndOverrideIsolationOptions(isolation define.Isolation, options *RunOp
|
||||
if (pidns != nil && pidns.Host) && (userns != nil && !userns.Host) {
|
||||
return fmt.Errorf("not allowed to mix host PID namespace with container user namespace")
|
||||
}
|
||||
case IsolationChroot:
|
||||
logrus.Info("network namespace isolation not supported with chroot isolation, forcing host network")
|
||||
options.NamespaceOptions.AddOrReplace(define.NamespaceOption{Name: string(specs.NetworkNamespace), Host: true})
|
||||
}
|
||||
return nil
|
||||
}
|
||||
@ -1105,8 +1131,12 @@ func runUsingRuntimeMain() {
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
func (b *Builder) runUsingRuntimeSubproc(isolation define.Isolation, options RunOptions, configureNetwork bool, configureNetworks,
|
||||
func (b *Builder) runUsingRuntimeSubproc(isolation define.Isolation, options RunOptions, configureNetwork bool, networkString string,
|
||||
moreCreateArgs []string, spec *specs.Spec, rootPath, bundlePath, containerName, buildContainerName, hostsFile string) (err error) {
|
||||
// Lock the caller to a single OS-level thread.
|
||||
runtime.LockOSThread()
|
||||
defer runtime.UnlockOSThread()
|
||||
|
||||
var confwg sync.WaitGroup
|
||||
config, conferr := json.Marshal(runUsingRuntimeSubprocOptions{
|
||||
Options: options,
|
||||
@ -1207,7 +1237,7 @@ func (b *Builder) runUsingRuntimeSubproc(isolation define.Isolation, options Run
|
||||
return fmt.Errorf("parsing pid %s as a number: %w", string(pidValue), err)
|
||||
}
|
||||
|
||||
teardown, netstatus, err := b.runConfigureNetwork(pid, isolation, options, configureNetworks, containerName)
|
||||
teardown, netstatus, err := b.runConfigureNetwork(pid, isolation, options, networkString, containerName)
|
||||
if teardown != nil {
|
||||
defer teardown()
|
||||
}
|
||||
@ -1217,13 +1247,7 @@ func (b *Builder) runUsingRuntimeSubproc(isolation define.Isolation, options Run
|
||||
|
||||
// only add hosts if we manage the hosts file
|
||||
if hostsFile != "" {
|
||||
var entries etchosts.HostEntries
|
||||
if netstatus != nil {
|
||||
entries = etchosts.GetNetworkHostEntries(netstatus, spec.Hostname, buildContainerName)
|
||||
} else {
|
||||
// we have slirp4netns, default to slirp4netns ip since this is not configurable in buildah
|
||||
entries = etchosts.HostEntries{{IP: "10.0.2.100", Names: []string{spec.Hostname, buildContainerName}}}
|
||||
}
|
||||
entries := etchosts.GetNetworkHostEntries(netstatus, spec.Hostname, buildContainerName)
|
||||
// make sure to sync this with (b *Builder) generateHosts()
|
||||
err = etchosts.Add(hostsFile, entries)
|
||||
if err != nil {
|
||||
@ -1328,7 +1352,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
|
||||
processGID: int(processGID),
|
||||
}
|
||||
// Get the list of mounts that are just for this Run() call.
|
||||
runMounts, mountArtifacts, err := b.runSetupRunMounts(runFileMounts, runMountInfo, idMaps)
|
||||
runMounts, mountArtifacts, err := b.runSetupRunMounts(mountPoint, runFileMounts, runMountInfo, idMaps)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -1464,10 +1488,28 @@ func cleanableDestinationListFromMounts(mounts []spec.Mount) []string {
|
||||
return mountDest
|
||||
}
|
||||
|
||||
func checkIfMountDestinationPreExists(root string, dest string) (bool, error) {
|
||||
statResults, err := copier.Stat(root, "", copier.StatOptions{}, []string{dest})
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
if len(statResults) > 0 {
|
||||
// We created exact path for globbing so it will
|
||||
// return only one result.
|
||||
if statResults[0].Error != "" && len(statResults[0].Globbed) == 0 {
|
||||
// Path do not exsits.
|
||||
return false, nil
|
||||
}
|
||||
// Path exists.
|
||||
return true, nil
|
||||
}
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// runSetupRunMounts sets up mounts that exist only in this RUN, not in subsequent runs
|
||||
//
|
||||
// If this function succeeds, the caller must unlock runMountArtifacts.TargetLocks (when??)
|
||||
func (b *Builder) runSetupRunMounts(mounts []string, sources runMountInfo, idMaps IDMaps) ([]spec.Mount, *runMountArtifacts, error) {
|
||||
func (b *Builder) runSetupRunMounts(mountPoint string, mounts []string, sources runMountInfo, idMaps IDMaps) ([]spec.Mount, *runMountArtifacts, error) {
|
||||
// If `type` is not set default to TypeBind
|
||||
mountType := define.TypeBind
|
||||
mountTargets := make([]string, 0, 10)
|
||||
@ -1485,6 +1527,11 @@ func (b *Builder) runSetupRunMounts(mounts []string, sources runMountInfo, idMap
|
||||
}
|
||||
}()
|
||||
for _, mount := range mounts {
|
||||
var mountSpec *spec.Mount
|
||||
var err error
|
||||
var envFile, image string
|
||||
var agent *sshagent.AgentServer
|
||||
var tl *lockfile.LockFile
|
||||
tokens := strings.Split(mount, ",")
|
||||
for _, field := range tokens {
|
||||
if strings.HasPrefix(field, "type=") {
|
||||
@ -1497,63 +1544,71 @@ func (b *Builder) runSetupRunMounts(mounts []string, sources runMountInfo, idMap
|
||||
}
|
||||
switch mountType {
|
||||
case "secret":
|
||||
mount, envFile, err := b.getSecretMount(tokens, sources.Secrets, idMaps, sources.WorkDir)
|
||||
mountSpec, envFile, err = b.getSecretMount(tokens, sources.Secrets, idMaps, sources.WorkDir)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
if mount != nil {
|
||||
finalMounts = append(finalMounts, *mount)
|
||||
mountTargets = append(mountTargets, mount.Destination)
|
||||
if mountSpec != nil {
|
||||
finalMounts = append(finalMounts, *mountSpec)
|
||||
if envFile != "" {
|
||||
tmpFiles = append(tmpFiles, envFile)
|
||||
}
|
||||
}
|
||||
case "ssh":
|
||||
mount, agent, err := b.getSSHMount(tokens, sshCount, sources.SSHSources, idMaps)
|
||||
mountSpec, agent, err = b.getSSHMount(tokens, sshCount, sources.SSHSources, idMaps)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
if mount != nil {
|
||||
finalMounts = append(finalMounts, *mount)
|
||||
mountTargets = append(mountTargets, mount.Destination)
|
||||
if mountSpec != nil {
|
||||
finalMounts = append(finalMounts, *mountSpec)
|
||||
agents = append(agents, agent)
|
||||
if sshCount == 0 {
|
||||
defaultSSHSock = mount.Destination
|
||||
defaultSSHSock = mountSpec.Destination
|
||||
}
|
||||
// Count is needed as the default destination of the ssh sock inside the container is /run/buildkit/ssh_agent.{i}
|
||||
sshCount++
|
||||
}
|
||||
case define.TypeBind:
|
||||
mount, image, err := b.getBindMount(tokens, sources.SystemContext, sources.ContextDir, sources.StageMountPoints, idMaps, sources.WorkDir)
|
||||
mountSpec, image, err = b.getBindMount(tokens, sources.SystemContext, sources.ContextDir, sources.StageMountPoints, idMaps, sources.WorkDir)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
finalMounts = append(finalMounts, *mount)
|
||||
mountTargets = append(mountTargets, mount.Destination)
|
||||
finalMounts = append(finalMounts, *mountSpec)
|
||||
// only perform cleanup if image was mounted ignore everything else
|
||||
if image != "" {
|
||||
mountImages = append(mountImages, image)
|
||||
}
|
||||
case "tmpfs":
|
||||
mount, err := b.getTmpfsMount(tokens, idMaps)
|
||||
mountSpec, err = b.getTmpfsMount(tokens, idMaps)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
finalMounts = append(finalMounts, *mount)
|
||||
mountTargets = append(mountTargets, mount.Destination)
|
||||
finalMounts = append(finalMounts, *mountSpec)
|
||||
case "cache":
|
||||
mount, tl, err := b.getCacheMount(tokens, sources.StageMountPoints, idMaps, sources.WorkDir)
|
||||
mountSpec, tl, err = b.getCacheMount(tokens, sources.StageMountPoints, idMaps, sources.WorkDir)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
finalMounts = append(finalMounts, *mount)
|
||||
mountTargets = append(mountTargets, mount.Destination)
|
||||
finalMounts = append(finalMounts, *mountSpec)
|
||||
if tl != nil {
|
||||
targetLocks = append(targetLocks, tl)
|
||||
}
|
||||
default:
|
||||
return nil, nil, fmt.Errorf("invalid mount type %q", mountType)
|
||||
}
|
||||
|
||||
if mountSpec != nil {
|
||||
pathPreExists, err := checkIfMountDestinationPreExists(mountPoint, mountSpec.Destination)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
if !pathPreExists {
|
||||
// In such case it means that the path did not exists before
|
||||
// creating any new mounts therefore we must clean the newly
|
||||
// created directory after this step.
|
||||
mountTargets = append(mountTargets, mountSpec.Destination)
|
||||
}
|
||||
}
|
||||
}
|
||||
succeeded = true
|
||||
artifacts := &runMountArtifacts{
|
||||
@ -1622,9 +1677,12 @@ func (b *Builder) getSecretMount(tokens []string, secrets map[string]define.Secr
|
||||
target = filepath.Join(workdir, target)
|
||||
}
|
||||
case "required":
|
||||
required, err = strconv.ParseBool(kv[1])
|
||||
if err != nil {
|
||||
return nil, "", errInvalidSyntax
|
||||
required = true
|
||||
if len(kv) > 1 {
|
||||
required, err = strconv.ParseBool(kv[1])
|
||||
if err != nil {
|
||||
return nil, "", errInvalidSyntax
|
||||
}
|
||||
}
|
||||
case "mode":
|
||||
mode64, err := strconv.ParseUint(kv[1], 8, 32)
|
||||
@ -1876,7 +1934,6 @@ func (b *Builder) cleanupRunMounts(context *imageTypes.SystemContext, mountpoint
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
opts := copier.RemoveOptions{
|
||||
All: true,
|
||||
}
|
||||
@ -1900,3 +1957,13 @@ func (b *Builder) cleanupRunMounts(context *imageTypes.SystemContext, mountpoint
|
||||
internalParse.UnlockLockArray(artifacts.TargetLocks)
|
||||
return prevErr
|
||||
}
|
||||
|
||||
// setPdeathsig sets a parent-death signal for the process
|
||||
// the goroutine that starts the child process should lock itself to
|
||||
// a native thread using runtime.LockOSThread() until the child exits
|
||||
func setPdeathsig(cmd *exec.Cmd) {
|
||||
if cmd.SysProcAttr == nil {
|
||||
cmd.SysProcAttr = &syscall.SysProcAttr{}
|
||||
}
|
||||
cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
|
||||
}
|
||||
|
39
vendor/github.com/containers/buildah/run_freebsd.go
generated
vendored
39
vendor/github.com/containers/buildah/run_freebsd.go
generated
vendored
@ -7,10 +7,8 @@ import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"syscall"
|
||||
"unsafe"
|
||||
|
||||
"github.com/containers/buildah/bind"
|
||||
@ -147,7 +145,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
|
||||
|
||||
setupTerminal(g, options.Terminal, options.TerminalSize)
|
||||
|
||||
configureNetwork, configureNetworks, err := b.configureNamespaces(g, &options)
|
||||
configureNetwork, networkString, err := b.configureNamespaces(g, &options)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -198,7 +196,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
|
||||
|
||||
hostFile := ""
|
||||
if !options.NoHosts && !contains(volumes, config.DefaultHostsFile) && options.ConfigureNetwork != define.NetworkDisabled {
|
||||
hostFile, err = b.generateHosts(path, rootIDPair, mountPoint)
|
||||
hostFile, err = b.generateHosts(path, rootIDPair, mountPoint, spec)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -282,7 +280,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
|
||||
} else {
|
||||
moreCreateArgs = nil
|
||||
}
|
||||
err = b.runUsingRuntimeSubproc(isolation, options, configureNetwork, configureNetworks, moreCreateArgs, spec, mountPoint, path, containerName, b.Container, hostFile)
|
||||
err = b.runUsingRuntimeSubproc(isolation, options, configureNetwork, networkString, moreCreateArgs, spec, mountPoint, path, containerName, b.Container, hostFile)
|
||||
case IsolationChroot:
|
||||
err = chroot.RunUsingChroot(spec, path, homeDir, options.Stdin, options.Stdout, options.Stderr)
|
||||
default:
|
||||
@ -376,11 +374,16 @@ func setupCapabilities(g *generate.Generator, defaultCapabilities, adds, drops [
|
||||
return nil
|
||||
}
|
||||
|
||||
func (b *Builder) runConfigureNetwork(pid int, isolation define.Isolation, options RunOptions, configureNetworks []string, containerName string) (teardown func(), netStatus map[string]nettypes.StatusBlock, err error) {
|
||||
func (b *Builder) runConfigureNetwork(pid int, isolation define.Isolation, options RunOptions, networkString string, containerName string) (teardown func(), netStatus map[string]nettypes.StatusBlock, err error) {
|
||||
//if isolation == IsolationOCIRootless {
|
||||
//return setupRootlessNetwork(pid)
|
||||
//}
|
||||
|
||||
var configureNetworks []string
|
||||
if len(networkString) > 0 {
|
||||
configureNetworks = strings.Split(networkString, ",")
|
||||
}
|
||||
|
||||
if len(configureNetworks) == 0 {
|
||||
configureNetworks = []string{b.NetworkInterface.DefaultNetworkName()}
|
||||
}
|
||||
@ -415,7 +418,7 @@ func (b *Builder) runConfigureNetwork(pid int, isolation define.Isolation, optio
|
||||
return teardown, nil, nil
|
||||
}
|
||||
|
||||
func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOptions define.NamespaceOptions, idmapOptions define.IDMappingOptions, policy define.NetworkConfigurationPolicy) (configureNetwork bool, configureNetworks []string, configureUTS bool, err error) {
|
||||
func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOptions define.NamespaceOptions, idmapOptions define.IDMappingOptions, policy define.NetworkConfigurationPolicy) (configureNetwork bool, networkString string, configureUTS bool, err error) {
|
||||
// Set namespace options in the container configuration.
|
||||
for _, namespaceOption := range namespaceOptions {
|
||||
switch namespaceOption.Name {
|
||||
@ -423,7 +426,7 @@ func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOpti
|
||||
configureNetwork = false
|
||||
if !namespaceOption.Host && (namespaceOption.Path == "" || !filepath.IsAbs(namespaceOption.Path)) {
|
||||
if namespaceOption.Path != "" && !filepath.IsAbs(namespaceOption.Path) {
|
||||
configureNetworks = strings.Split(namespaceOption.Path, ",")
|
||||
networkString = namespaceOption.Path
|
||||
namespaceOption.Path = ""
|
||||
}
|
||||
configureNetwork = (policy != define.NetworkDisabled)
|
||||
@ -439,13 +442,13 @@ func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOpti
|
||||
// equivalents for UTS and and network namespaces.
|
||||
}
|
||||
|
||||
return configureNetwork, configureNetworks, configureUTS, nil
|
||||
return configureNetwork, networkString, configureUTS, nil
|
||||
}
|
||||
|
||||
func (b *Builder) configureNamespaces(g *generate.Generator, options *RunOptions) (bool, []string, error) {
|
||||
func (b *Builder) configureNamespaces(g *generate.Generator, options *RunOptions) (bool, string, error) {
|
||||
defaultNamespaceOptions, err := DefaultNamespaceOptions()
|
||||
if err != nil {
|
||||
return false, nil, err
|
||||
return false, "", err
|
||||
}
|
||||
|
||||
namespaceOptions := defaultNamespaceOptions
|
||||
@ -466,9 +469,9 @@ func (b *Builder) configureNamespaces(g *generate.Generator, options *RunOptions
|
||||
}
|
||||
}
|
||||
|
||||
configureNetwork, configureNetworks, configureUTS, err := setupNamespaces(options.Logger, g, namespaceOptions, b.IDMappingOptions, networkPolicy)
|
||||
configureNetwork, networkString, configureUTS, err := setupNamespaces(options.Logger, g, namespaceOptions, b.IDMappingOptions, networkPolicy)
|
||||
if err != nil {
|
||||
return false, nil, err
|
||||
return false, "", err
|
||||
}
|
||||
|
||||
if configureUTS {
|
||||
@ -495,7 +498,7 @@ func (b *Builder) configureNamespaces(g *generate.Generator, options *RunOptions
|
||||
spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("HOSTNAME=%s", spec.Hostname))
|
||||
}
|
||||
|
||||
return configureNetwork, configureNetworks, nil
|
||||
return configureNetwork, networkString, nil
|
||||
}
|
||||
|
||||
func runSetupBoundFiles(bundlePath string, bindFiles map[string]string) (mounts []specs.Mount) {
|
||||
@ -531,14 +534,6 @@ func addRlimits(ulimit []string, g *generate.Generator, defaultUlimits []string)
|
||||
return nil
|
||||
}
|
||||
|
||||
// setPdeathsig sets a parent-death signal for the process
|
||||
func setPdeathsig(cmd *exec.Cmd) {
|
||||
if cmd.SysProcAttr == nil {
|
||||
cmd.SysProcAttr = &syscall.SysProcAttr{}
|
||||
}
|
||||
cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
|
||||
}
|
||||
|
||||
// Create pipes to use for relaying stdio.
|
||||
func runMakeStdioPipe(uid, gid int) ([][]int, error) {
|
||||
stdioPipe := make([][]int, 3)
|
||||
|
236
vendor/github.com/containers/buildah/run_linux.go
generated
vendored
236
vendor/github.com/containers/buildah/run_linux.go
generated
vendored
@ -7,14 +7,13 @@ import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net"
|
||||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"strings"
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"github.com/containernetworking/plugins/pkg/ns"
|
||||
"github.com/containers/buildah/bind"
|
||||
"github.com/containers/buildah/chroot"
|
||||
"github.com/containers/buildah/copier"
|
||||
@ -24,8 +23,11 @@ import (
|
||||
"github.com/containers/buildah/pkg/overlay"
|
||||
"github.com/containers/buildah/pkg/parse"
|
||||
"github.com/containers/buildah/util"
|
||||
"github.com/containers/common/libnetwork/pasta"
|
||||
"github.com/containers/common/libnetwork/resolvconf"
|
||||
"github.com/containers/common/libnetwork/slirp4netns"
|
||||
nettypes "github.com/containers/common/libnetwork/types"
|
||||
netUtil "github.com/containers/common/libnetwork/util"
|
||||
"github.com/containers/common/pkg/capabilities"
|
||||
"github.com/containers/common/pkg/chown"
|
||||
"github.com/containers/common/pkg/config"
|
||||
@ -202,16 +204,11 @@ func (b *Builder) Run(command []string, options RunOptions) error {
|
||||
|
||||
setupTerminal(g, options.Terminal, options.TerminalSize)
|
||||
|
||||
configureNetwork, configureNetworks, err := b.configureNamespaces(g, &options)
|
||||
configureNetwork, networkString, err := b.configureNamespaces(g, &options)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// rootless and networks are not supported
|
||||
if len(configureNetworks) > 0 && isolation == IsolationOCIRootless {
|
||||
return errors.New("cannot use networks as rootless")
|
||||
}
|
||||
|
||||
homeDir, err := b.configureUIDGID(g, mountPoint, options)
|
||||
if err != nil {
|
||||
return err
|
||||
@ -264,7 +261,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
|
||||
|
||||
hostFile := ""
|
||||
if !options.NoHosts && !contains(volumes, config.DefaultHostsFile) && options.ConfigureNetwork != define.NetworkDisabled {
|
||||
hostFile, err = b.generateHosts(path, rootIDPair, mountPoint)
|
||||
hostFile, err = b.generateHosts(path, rootIDPair, mountPoint, spec)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -366,7 +363,7 @@ rootless=%d
|
||||
if options.NoPivot {
|
||||
moreCreateArgs = append(moreCreateArgs, "--no-pivot")
|
||||
}
|
||||
err = b.runUsingRuntimeSubproc(isolation, options, configureNetwork, configureNetworks, moreCreateArgs, spec,
|
||||
err = b.runUsingRuntimeSubproc(isolation, options, configureNetwork, networkString, moreCreateArgs, spec,
|
||||
mountPoint, path, define.Package+"-"+filepath.Base(path), b.Container, hostFile)
|
||||
case IsolationChroot:
|
||||
err = chroot.RunUsingChroot(spec, path, homeDir, options.Stdin, options.Stdout, options.Stderr)
|
||||
@ -375,7 +372,7 @@ rootless=%d
|
||||
if options.NoPivot {
|
||||
moreCreateArgs = append(moreCreateArgs, "--no-pivot")
|
||||
}
|
||||
err = b.runUsingRuntimeSubproc(isolation, options, configureNetwork, configureNetworks, moreCreateArgs, spec,
|
||||
err = b.runUsingRuntimeSubproc(isolation, options, configureNetwork, networkString, moreCreateArgs, spec,
|
||||
mountPoint, path, define.Package+"-"+filepath.Base(path), b.Container, hostFile)
|
||||
default:
|
||||
err = errors.New("don't know how to run this command")
|
||||
@ -420,7 +417,7 @@ func (b *Builder) setupOCIHooks(config *spec.Spec, hasVolumes bool) (map[string]
|
||||
}
|
||||
}
|
||||
|
||||
hookErr, err := hooksExec.RuntimeConfigFilter(context.Background(), allHooks["precreate"], config, hooksExec.DefaultPostKillTimeout)
|
||||
hookErr, err := hooksExec.RuntimeConfigFilter(context.Background(), allHooks["precreate"], config, hooksExec.DefaultPostKillTimeout) //nolint:staticcheck
|
||||
if err != nil {
|
||||
logrus.Warnf("Container: precreate hook: %v", err)
|
||||
if hookErr != nil && hookErr != err {
|
||||
@ -475,80 +472,122 @@ func addCommonOptsToSpec(commonOpts *define.CommonBuildOptions, g *generate.Gene
|
||||
return nil
|
||||
}
|
||||
|
||||
func setupRootlessNetwork(pid int) (teardown func(), err error) {
|
||||
slirp4netns, err := exec.LookPath("slirp4netns")
|
||||
func setupSlirp4netnsNetwork(netns, cid string, options []string) (func(), map[string]nettypes.StatusBlock, error) {
|
||||
defConfig, err := config.Default()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, nil, fmt.Errorf("failed to get container config: %w", err)
|
||||
}
|
||||
|
||||
rootlessSlirpSyncR, rootlessSlirpSyncW, err := os.Pipe()
|
||||
// we need the TmpDir for the slirp4netns code
|
||||
if err := os.MkdirAll(defConfig.Engine.TmpDir, 0o751); err != nil {
|
||||
return nil, nil, fmt.Errorf("failed to create tempdir: %w", err)
|
||||
}
|
||||
res, err := slirp4netns.Setup(&slirp4netns.SetupOptions{
|
||||
Config: defConfig,
|
||||
ContainerID: cid,
|
||||
Netns: netns,
|
||||
ExtraOptions: options,
|
||||
Pdeathsig: syscall.SIGKILL,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("cannot create slirp4netns sync pipe: %w", err)
|
||||
return nil, nil, err
|
||||
}
|
||||
defer rootlessSlirpSyncR.Close()
|
||||
|
||||
// Be sure there are no fds inherited to slirp4netns except the sync pipe
|
||||
files, err := os.ReadDir("/proc/self/fd")
|
||||
ip, err := slirp4netns.GetIP(res.Subnet)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("cannot list open fds: %w", err)
|
||||
}
|
||||
for _, f := range files {
|
||||
fd, err := strconv.Atoi(f.Name())
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("cannot parse fd: %w", err)
|
||||
}
|
||||
if fd == int(rootlessSlirpSyncW.Fd()) {
|
||||
continue
|
||||
}
|
||||
unix.CloseOnExec(fd)
|
||||
return nil, nil, fmt.Errorf("get slirp4netns ip: %w", err)
|
||||
}
|
||||
|
||||
cmd := exec.Command(slirp4netns, "--mtu", "65520", "-r", "3", "-c", strconv.Itoa(pid), "tap0")
|
||||
setPdeathsig(cmd)
|
||||
cmd.Stdin, cmd.Stdout, cmd.Stderr = nil, nil, nil
|
||||
cmd.ExtraFiles = []*os.File{rootlessSlirpSyncW}
|
||||
|
||||
err = cmd.Start()
|
||||
rootlessSlirpSyncW.Close()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("cannot start slirp4netns: %w", err)
|
||||
}
|
||||
|
||||
b := make([]byte, 1)
|
||||
for {
|
||||
if err := rootlessSlirpSyncR.SetDeadline(time.Now().Add(1 * time.Second)); err != nil {
|
||||
return nil, fmt.Errorf("setting slirp4netns pipe timeout: %w", err)
|
||||
}
|
||||
if _, err := rootlessSlirpSyncR.Read(b); err == nil {
|
||||
break
|
||||
} else {
|
||||
if os.IsTimeout(err) {
|
||||
// Check if the process is still running.
|
||||
var status syscall.WaitStatus
|
||||
_, err := syscall.Wait4(cmd.Process.Pid, &status, syscall.WNOHANG, nil)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to read slirp4netns process status: %w", err)
|
||||
}
|
||||
if status.Exited() || status.Signaled() {
|
||||
return nil, errors.New("slirp4netns failed")
|
||||
}
|
||||
|
||||
continue
|
||||
}
|
||||
return nil, fmt.Errorf("failed to read from slirp4netns sync pipe: %w", err)
|
||||
}
|
||||
// create fake status to make sure we get the correct ip in hosts
|
||||
subnet := nettypes.IPNet{IPNet: net.IPNet{
|
||||
IP: *ip,
|
||||
Mask: res.Subnet.Mask,
|
||||
}}
|
||||
netStatus := map[string]nettypes.StatusBlock{
|
||||
slirp4netns.BinaryName: nettypes.StatusBlock{
|
||||
Interfaces: map[string]nettypes.NetInterface{
|
||||
"tap0": {
|
||||
Subnets: []nettypes.NetAddress{{IPNet: subnet}},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
return func() {
|
||||
cmd.Process.Kill() // nolint:errcheck
|
||||
cmd.Wait() // nolint:errcheck
|
||||
}, nil
|
||||
syscall.Kill(res.Pid, syscall.SIGKILL) // nolint:errcheck
|
||||
var status syscall.WaitStatus
|
||||
syscall.Wait4(res.Pid, &status, 0, nil) // nolint:errcheck
|
||||
}, netStatus, nil
|
||||
}
|
||||
|
||||
func (b *Builder) runConfigureNetwork(pid int, isolation define.Isolation, options RunOptions, configureNetworks []string, containerName string) (teardown func(), netStatus map[string]nettypes.StatusBlock, err error) {
|
||||
func setupPasta(netns string, options []string) (func(), map[string]nettypes.StatusBlock, error) {
|
||||
defConfig, err := config.Default()
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("failed to get container config: %w", err)
|
||||
}
|
||||
|
||||
err = pasta.Setup(&pasta.SetupOptions{
|
||||
Config: defConfig,
|
||||
Netns: netns,
|
||||
ExtraOptions: options,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
var ip string
|
||||
err = ns.WithNetNSPath(netns, func(_ ns.NetNS) error {
|
||||
// get the first ip in the netns and use this as our ip for /etc/hosts
|
||||
ip = netUtil.GetLocalIP()
|
||||
return nil
|
||||
})
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
// create fake status to make sure we get the correct ip in hosts
|
||||
subnet := nettypes.IPNet{IPNet: net.IPNet{
|
||||
IP: net.ParseIP(ip),
|
||||
Mask: net.IPv4Mask(255, 255, 255, 0),
|
||||
}}
|
||||
netStatus := map[string]nettypes.StatusBlock{
|
||||
slirp4netns.BinaryName: nettypes.StatusBlock{
|
||||
Interfaces: map[string]nettypes.NetInterface{
|
||||
"tap0": {
|
||||
Subnets: []nettypes.NetAddress{{IPNet: subnet}},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
return nil, netStatus, nil
|
||||
}
|
||||
|
||||
func (b *Builder) runConfigureNetwork(pid int, isolation define.Isolation, options RunOptions, network, containerName string) (teardown func(), netStatus map[string]nettypes.StatusBlock, err error) {
|
||||
netns := fmt.Sprintf("/proc/%d/ns/net", pid)
|
||||
var configureNetworks []string
|
||||
|
||||
name, networkOpts, hasOpts := strings.Cut(network, ":")
|
||||
var netOpts []string
|
||||
if hasOpts {
|
||||
netOpts = strings.Split(networkOpts, ",")
|
||||
}
|
||||
switch {
|
||||
case name == slirp4netns.BinaryName,
|
||||
isolation == IsolationOCIRootless && name == "":
|
||||
return setupSlirp4netnsNetwork(netns, containerName, netOpts)
|
||||
case name == pasta.BinaryName:
|
||||
return setupPasta(netns, netOpts)
|
||||
|
||||
// Basically default case except we make sure to not split an empty
|
||||
// name as this would return a slice with one empty string which is
|
||||
// not a valid network name.
|
||||
case len(network) > 0:
|
||||
// old syntax allow comma separated network names
|
||||
configureNetworks = strings.Split(network, ",")
|
||||
}
|
||||
|
||||
if isolation == IsolationOCIRootless {
|
||||
teardown, err = setupRootlessNetwork(pid)
|
||||
return teardown, nil, err
|
||||
return nil, nil, errors.New("cannot use networks as rootless")
|
||||
}
|
||||
|
||||
if len(configureNetworks) == 0 {
|
||||
@ -560,7 +599,6 @@ func (b *Builder) runConfigureNetwork(pid int, isolation define.Isolation, optio
|
||||
// interfaces. Ensure this by opening a handle to the network
|
||||
// namespace, and using our copy to both configure and
|
||||
// deconfigure it.
|
||||
netns := fmt.Sprintf("/proc/%d/ns/net", pid)
|
||||
netFD, err := unix.Open(netns, unix.O_RDONLY, 0)
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("opening network namespace: %w", err)
|
||||
@ -615,10 +653,10 @@ func runMakeStdioPipe(uid, gid int) ([][]int, error) {
|
||||
return stdioPipe, nil
|
||||
}
|
||||
|
||||
func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOptions define.NamespaceOptions, idmapOptions define.IDMappingOptions, policy define.NetworkConfigurationPolicy) (configureNetwork bool, configureNetworks []string, configureUTS bool, err error) {
|
||||
func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOptions define.NamespaceOptions, idmapOptions define.IDMappingOptions, policy define.NetworkConfigurationPolicy) (configureNetwork bool, networkString string, configureUTS bool, err error) {
|
||||
defaultContainerConfig, err := config.Default()
|
||||
if err != nil {
|
||||
return false, nil, false, fmt.Errorf("failed to get container config: %w", err)
|
||||
return false, "", false, fmt.Errorf("failed to get container config: %w", err)
|
||||
}
|
||||
|
||||
addSysctl := func(prefixes []string) error {
|
||||
@ -644,7 +682,7 @@ func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOpti
|
||||
case string(specs.IPCNamespace):
|
||||
if !namespaceOption.Host {
|
||||
if err := addSysctl([]string{"fs.mqueue"}); err != nil {
|
||||
return false, nil, false, err
|
||||
return false, "", false, err
|
||||
}
|
||||
}
|
||||
case string(specs.UserNamespace):
|
||||
@ -657,7 +695,7 @@ func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOpti
|
||||
configureNetwork = false
|
||||
if !namespaceOption.Host && (namespaceOption.Path == "" || !filepath.IsAbs(namespaceOption.Path)) {
|
||||
if namespaceOption.Path != "" && !filepath.IsAbs(namespaceOption.Path) {
|
||||
configureNetworks = strings.Split(namespaceOption.Path, ",")
|
||||
networkString = namespaceOption.Path
|
||||
namespaceOption.Path = ""
|
||||
}
|
||||
configureNetwork = (policy != define.NetworkDisabled)
|
||||
@ -669,30 +707,30 @@ func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOpti
|
||||
configureUTS = true
|
||||
}
|
||||
if err := addSysctl([]string{"kernel.hostname", "kernel.domainame"}); err != nil {
|
||||
return false, nil, false, err
|
||||
return false, "", false, err
|
||||
}
|
||||
}
|
||||
}
|
||||
if namespaceOption.Host {
|
||||
if err := g.RemoveLinuxNamespace(namespaceOption.Name); err != nil {
|
||||
return false, nil, false, fmt.Errorf("removing %q namespace for run: %w", namespaceOption.Name, err)
|
||||
return false, "", false, fmt.Errorf("removing %q namespace for run: %w", namespaceOption.Name, err)
|
||||
}
|
||||
} else if err := g.AddOrReplaceLinuxNamespace(namespaceOption.Name, namespaceOption.Path); err != nil {
|
||||
if namespaceOption.Path == "" {
|
||||
return false, nil, false, fmt.Errorf("adding new %q namespace for run: %w", namespaceOption.Name, err)
|
||||
return false, "", false, fmt.Errorf("adding new %q namespace for run: %w", namespaceOption.Name, err)
|
||||
}
|
||||
return false, nil, false, fmt.Errorf("adding %q namespace %q for run: %w", namespaceOption.Name, namespaceOption.Path, err)
|
||||
return false, "", false, fmt.Errorf("adding %q namespace %q for run: %w", namespaceOption.Name, namespaceOption.Path, err)
|
||||
}
|
||||
}
|
||||
|
||||
// If we've got mappings, we're going to have to create a user namespace.
|
||||
if len(idmapOptions.UIDMap) > 0 || len(idmapOptions.GIDMap) > 0 || configureUserns {
|
||||
if err := g.AddOrReplaceLinuxNamespace(string(specs.UserNamespace), ""); err != nil {
|
||||
return false, nil, false, fmt.Errorf("adding new %q namespace for run: %w", string(specs.UserNamespace), err)
|
||||
return false, "", false, fmt.Errorf("adding new %q namespace for run: %w", string(specs.UserNamespace), err)
|
||||
}
|
||||
hostUidmap, hostGidmap, err := unshare.GetHostIDMappings("")
|
||||
if err != nil {
|
||||
return false, nil, false, err
|
||||
return false, "", false, err
|
||||
}
|
||||
for _, m := range idmapOptions.UIDMap {
|
||||
g.AddLinuxUIDMapping(m.HostID, m.ContainerID, m.Size)
|
||||
@ -712,23 +750,23 @@ func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOpti
|
||||
}
|
||||
if !specifiedNetwork {
|
||||
if err := g.AddOrReplaceLinuxNamespace(string(specs.NetworkNamespace), ""); err != nil {
|
||||
return false, nil, false, fmt.Errorf("adding new %q namespace for run: %w", string(specs.NetworkNamespace), err)
|
||||
return false, "", false, fmt.Errorf("adding new %q namespace for run: %w", string(specs.NetworkNamespace), err)
|
||||
}
|
||||
configureNetwork = (policy != define.NetworkDisabled)
|
||||
}
|
||||
} else {
|
||||
if err := g.RemoveLinuxNamespace(string(specs.UserNamespace)); err != nil {
|
||||
return false, nil, false, fmt.Errorf("removing %q namespace for run: %w", string(specs.UserNamespace), err)
|
||||
return false, "", false, fmt.Errorf("removing %q namespace for run: %w", string(specs.UserNamespace), err)
|
||||
}
|
||||
if !specifiedNetwork {
|
||||
if err := g.RemoveLinuxNamespace(string(specs.NetworkNamespace)); err != nil {
|
||||
return false, nil, false, fmt.Errorf("removing %q namespace for run: %w", string(specs.NetworkNamespace), err)
|
||||
return false, "", false, fmt.Errorf("removing %q namespace for run: %w", string(specs.NetworkNamespace), err)
|
||||
}
|
||||
}
|
||||
}
|
||||
if configureNetwork {
|
||||
if err := addSysctl([]string{"net"}); err != nil {
|
||||
return false, nil, false, err
|
||||
return false, "", false, err
|
||||
}
|
||||
for name, val := range define.DefaultNetworkSysctl {
|
||||
// Check that the sysctl we are adding is actually supported
|
||||
@ -736,7 +774,7 @@ func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOpti
|
||||
p := filepath.Join("/proc/sys", strings.Replace(name, ".", "/", -1))
|
||||
_, err := os.Stat(p)
|
||||
if err != nil && !errors.Is(err, os.ErrNotExist) {
|
||||
return false, nil, false, err
|
||||
return false, "", false, err
|
||||
}
|
||||
if err == nil {
|
||||
g.AddLinuxSysctl(name, val)
|
||||
@ -745,13 +783,13 @@ func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOpti
|
||||
}
|
||||
}
|
||||
}
|
||||
return configureNetwork, configureNetworks, configureUTS, nil
|
||||
return configureNetwork, networkString, configureUTS, nil
|
||||
}
|
||||
|
||||
func (b *Builder) configureNamespaces(g *generate.Generator, options *RunOptions) (bool, []string, error) {
|
||||
func (b *Builder) configureNamespaces(g *generate.Generator, options *RunOptions) (bool, string, error) {
|
||||
defaultNamespaceOptions, err := DefaultNamespaceOptions()
|
||||
if err != nil {
|
||||
return false, nil, err
|
||||
return false, "", err
|
||||
}
|
||||
|
||||
namespaceOptions := defaultNamespaceOptions
|
||||
@ -774,9 +812,9 @@ func (b *Builder) configureNamespaces(g *generate.Generator, options *RunOptions
|
||||
if networkPolicy == NetworkDisabled {
|
||||
namespaceOptions.AddOrReplace(define.NamespaceOptions{{Name: string(specs.NetworkNamespace), Host: false}}...)
|
||||
}
|
||||
configureNetwork, configureNetworks, configureUTS, err := setupNamespaces(options.Logger, g, namespaceOptions, b.IDMappingOptions, networkPolicy)
|
||||
configureNetwork, networkString, configureUTS, err := setupNamespaces(options.Logger, g, namespaceOptions, b.IDMappingOptions, networkPolicy)
|
||||
if err != nil {
|
||||
return false, nil, err
|
||||
return false, "", err
|
||||
}
|
||||
|
||||
if configureUTS {
|
||||
@ -803,7 +841,7 @@ func (b *Builder) configureNamespaces(g *generate.Generator, options *RunOptions
|
||||
spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("HOSTNAME=%s", spec.Hostname))
|
||||
}
|
||||
|
||||
return configureNetwork, configureNetworks, nil
|
||||
return configureNetwork, networkString, nil
|
||||
}
|
||||
|
||||
func runSetupBoundFiles(bundlePath string, bindFiles map[string]string) (mounts []specs.Mount) {
|
||||
@ -1228,11 +1266,3 @@ func (b *Builder) getCacheMount(tokens []string, stageMountPoints map[string]int
|
||||
succeeded = true
|
||||
return &volumes[0], targetLock, nil
|
||||
}
|
||||
|
||||
// setPdeathsig sets a parent-death signal for the process
|
||||
func setPdeathsig(cmd *exec.Cmd) {
|
||||
if cmd.SysProcAttr == nil {
|
||||
cmd.SysProcAttr = &syscall.SysProcAttr{}
|
||||
}
|
||||
cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
|
||||
}
|
||||
|
65
vendor/github.com/containers/common/pkg/secrets/secrets.go
generated
vendored
65
vendor/github.com/containers/common/pkg/secrets/secrets.go
generated
vendored
@ -79,6 +79,8 @@ type Secret struct {
|
||||
Metadata map[string]string `json:"metadata,omitempty"`
|
||||
// CreatedAt is when the secret was created
|
||||
CreatedAt time.Time `json:"createdAt"`
|
||||
// UpdatedAt is when the secret was updated
|
||||
UpdatedAt time.Time `json:"updatedAt"`
|
||||
// Driver is the driver used to store secret data
|
||||
Driver string `json:"driver"`
|
||||
// DriverOptions are extra options used to run this driver
|
||||
@ -112,6 +114,8 @@ type StoreOptions struct {
|
||||
Metadata map[string]string
|
||||
// Labels are labels on the secret
|
||||
Labels map[string]string
|
||||
// Replace existing secret
|
||||
Replace bool
|
||||
}
|
||||
|
||||
// NewManager creates a new secrets manager
|
||||
@ -140,6 +144,28 @@ func NewManager(rootPath string) (*SecretsManager, error) {
|
||||
return manager, nil
|
||||
}
|
||||
|
||||
func (s *SecretsManager) newSecret(name string) (*Secret, error) {
|
||||
secr := new(Secret)
|
||||
secr.Name = name
|
||||
secr.CreatedAt = time.Now()
|
||||
secr.UpdatedAt = secr.CreatedAt
|
||||
|
||||
for {
|
||||
newID := stringid.GenerateNonCryptoID()
|
||||
// GenerateNonCryptoID() gives 64 characters, so we truncate to correct length
|
||||
newID = newID[0:secretIDLength]
|
||||
_, err := s.lookupSecret(newID)
|
||||
if err != nil {
|
||||
if errors.Is(err, ErrNoSuchSecret) {
|
||||
secr.ID = newID
|
||||
break
|
||||
}
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
return secr, nil
|
||||
}
|
||||
|
||||
// Store takes a name, creates a secret and stores the secret metadata and the secret payload.
|
||||
// It returns a generated ID that is associated with the secret.
|
||||
// The max size for secret data is 512kB.
|
||||
@ -152,7 +178,7 @@ func (s *SecretsManager) Store(name string, data []byte, driverType string, opti
|
||||
if !(len(data) > 0 && len(data) < maxSecretSize) {
|
||||
return "", errDataSize
|
||||
}
|
||||
|
||||
var secr *Secret
|
||||
s.lockfile.Lock()
|
||||
defer s.lockfile.Unlock()
|
||||
|
||||
@ -160,23 +186,22 @@ func (s *SecretsManager) Store(name string, data []byte, driverType string, opti
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
if exist {
|
||||
return "", fmt.Errorf("%s: %w", name, errSecretNameInUse)
|
||||
}
|
||||
|
||||
secr := new(Secret)
|
||||
secr.Name = name
|
||||
|
||||
for {
|
||||
newID := stringid.GenerateNonCryptoID()
|
||||
// GenerateNonCryptoID() gives 64 characters, so we truncate to correct length
|
||||
newID = newID[0:secretIDLength]
|
||||
_, err := s.lookupSecret(newID)
|
||||
if !options.Replace {
|
||||
return "", fmt.Errorf("%s: %w", name, errSecretNameInUse)
|
||||
}
|
||||
secr, err = s.lookupSecret(name)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
secr.UpdatedAt = time.Now()
|
||||
} else {
|
||||
if options.Replace {
|
||||
return "", fmt.Errorf("%s: %w", name, ErrNoSuchSecret)
|
||||
}
|
||||
secr, err = s.newSecret(name)
|
||||
if err != nil {
|
||||
if errors.Is(err, ErrNoSuchSecret) {
|
||||
secr.ID = newID
|
||||
break
|
||||
}
|
||||
return "", err
|
||||
}
|
||||
}
|
||||
@ -193,7 +218,6 @@ func (s *SecretsManager) Store(name string, data []byte, driverType string, opti
|
||||
|
||||
secr.Driver = driverType
|
||||
secr.Metadata = options.Metadata
|
||||
secr.CreatedAt = time.Now()
|
||||
secr.DriverOptions = options.DriverOpts
|
||||
secr.Labels = options.Labels
|
||||
|
||||
@ -201,6 +225,13 @@ func (s *SecretsManager) Store(name string, data []byte, driverType string, opti
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if options.Replace {
|
||||
err = driver.Delete(secr.ID)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("replacing secret %s: %w", name, err)
|
||||
}
|
||||
}
|
||||
|
||||
err = driver.Store(secr.ID, data)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("creating secret %s: %w", name, err)
|
||||
|
2
vendor/github.com/containers/storage/VERSION
generated
vendored
2
vendor/github.com/containers/storage/VERSION
generated
vendored
@ -1 +1 @@
|
||||
1.47.0-dev
|
||||
1.47.0
|
||||
|
6
vendor/modules.txt
vendored
6
vendor/modules.txt
vendored
@ -105,7 +105,7 @@ github.com/containernetworking/cni/pkg/version
|
||||
# github.com/containernetworking/plugins v1.3.0
|
||||
## explicit; go 1.20
|
||||
github.com/containernetworking/plugins/pkg/ns
|
||||
# github.com/containers/buildah v1.30.1-0.20230504052500-e925b5852e07
|
||||
# github.com/containers/buildah v1.30.1-0.20230627110136-33b7088fec7b
|
||||
## explicit; go 1.18
|
||||
github.com/containers/buildah
|
||||
github.com/containers/buildah/bind
|
||||
@ -128,7 +128,7 @@ github.com/containers/buildah/pkg/rusage
|
||||
github.com/containers/buildah/pkg/sshagent
|
||||
github.com/containers/buildah/pkg/util
|
||||
github.com/containers/buildah/util
|
||||
# github.com/containers/common v0.53.1-0.20230626115555-370c89881624
|
||||
# github.com/containers/common v0.53.1-0.20230627061926-e6f314e59b81
|
||||
## explicit; go 1.18
|
||||
github.com/containers/common/libimage
|
||||
github.com/containers/common/libimage/define
|
||||
@ -293,7 +293,7 @@ github.com/containers/psgo/internal/dev
|
||||
github.com/containers/psgo/internal/host
|
||||
github.com/containers/psgo/internal/proc
|
||||
github.com/containers/psgo/internal/process
|
||||
# github.com/containers/storage v1.46.2-0.20230621123301-73f29956326d
|
||||
# github.com/containers/storage v1.47.0
|
||||
## explicit; go 1.19
|
||||
github.com/containers/storage
|
||||
github.com/containers/storage/drivers
|
||||
|
Reference in New Issue
Block a user