Vendor Buildah v1.8.3

Vendor in Buildah v1.8.3 Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2025-12-04 04:09:40 +08:00 · 2019-06-04 12:58:16 -04:00
parent 7b0d6fcf0e
commit 14ec550ec3
14 changed files with 238 additions and 177 deletions
--- a/vendor/github.com/containers/buildah/pkg/chrootuser/user.go
+++ b/vendor/github.com/containers/buildah/pkg/chrootuser/user.go
@@ -18,7 +18,7 @@ var (
 // it will use the /etc/passwd and /etc/group files inside of the rootdir
 // to return this information.
 // userspec format [user | user:group | uid | uid:gid | user:gid | uid:group ]
-func GetUser(rootdir, userspec string) (uint32, uint32, error) {
+func GetUser(rootdir, userspec string) (uint32, uint32, string, error) {
 	var gid64 uint64
 	var gerr error = user.UnknownGroupError("error looking up group")

@@ -26,7 +26,7 @@ func GetUser(rootdir, userspec string) (uint32, uint32, error) {
 	userspec = spec[0]
 	groupspec := ""
 	if userspec == "" {
-		return 0, 0, nil
+		return 0, 0, "/", nil
 	}
 	if len(spec) > 1 {
 		groupspec = spec[1]
@@ -65,15 +65,21 @@ func GetUser(rootdir, userspec string) (uint32, uint32, error) {
 		}
 	}

-	if uerr == nil && gerr == nil {
-		return uint32(uid64), uint32(gid64), nil
+	homedir, err := lookupHomedirInContainer(rootdir, uid64)
+	if err != nil {
+		homedir = "/"
 	}

-	err := errors.Wrapf(uerr, "error determining run uid")
+	if uerr == nil && gerr == nil {
+		return uint32(uid64), uint32(gid64), homedir, nil
+	}
+
+	err = errors.Wrapf(uerr, "error determining run uid")
 	if uerr == nil {
 		err = errors.Wrapf(gerr, "error determining run gid")
 	}
-	return 0, 0, err
+
+	return 0, 0, homedir, err
 }

 // GetGroup returns the gid by looking it up in the /etc/group file
--- a/vendor/github.com/containers/buildah/pkg/chrootuser/user_basic.go
+++ b/vendor/github.com/containers/buildah/pkg/chrootuser/user_basic.go
@@ -25,3 +25,7 @@ func lookupAdditionalGroupsForUIDInContainer(rootdir string, userid uint64) (gid
 func lookupUIDInContainer(rootdir string, uid uint64) (string, uint64, error) {
 	return "", 0, errors.New("UID lookup not supported")
 }
+
+func lookupHomedirInContainer(rootdir string, uid uint64) (string, error) {
+	return "", errors.New("Home directory lookup not supported")
+}
--- a/vendor/github.com/containers/buildah/pkg/chrootuser/user_linux.go
+++ b/vendor/github.com/containers/buildah/pkg/chrootuser/user_linux.go
@@ -84,6 +84,7 @@ type lookupPasswdEntry struct {
 	name string
 	uid  uint64
 	gid  uint64
+	home string
 }
 type lookupGroupEntry struct {
 	name string
@@ -135,6 +136,7 @@ func parseNextPasswd(rc *bufio.Reader) *lookupPasswdEntry {
 		name: fields[0],
 		uid:  uid,
 		gid:  gid,
+		home: fields[5],
 	}
 }

@@ -291,3 +293,29 @@ func lookupUIDInContainer(rootdir string, uid uint64) (string, uint64, error) {

 	return "", 0, user.UnknownUserError(fmt.Sprintf("error looking up uid %q", uid))
 }
+
+func lookupHomedirInContainer(rootdir string, uid uint64) (string, error) {
+	cmd, f, err := openChrootedFile(rootdir, "/etc/passwd")
+	if err != nil {
+		return "", err
+	}
+	defer func() {
+		_ = cmd.Wait()
+	}()
+	rc := bufio.NewReader(f)
+	defer f.Close()
+
+	lookupUser.Lock()
+	defer lookupUser.Unlock()
+
+	pwd := parseNextPasswd(rc)
+	for pwd != nil {
+		if pwd.uid != uid {
+			pwd = parseNextPasswd(rc)
+			continue
+		}
+		return pwd.home, nil
+	}
+
+	return "", user.UnknownUserError(fmt.Sprintf("error looking up uid %q for homedir", uid))
+}
--- a/vendor/github.com/containers/buildah/pkg/secrets/secrets.go
+++ b/vendor/github.com/containers/buildah/pkg/secrets/secrets.go
@@ -117,7 +117,12 @@ func getMounts(filePath string) []string {
 	}
 	var mounts []string
 	for scanner.Scan() {
-		mounts = append(mounts, scanner.Text())
+		if strings.HasPrefix(strings.TrimSpace(scanner.Text()), "/") {
+			mounts = append(mounts, scanner.Text())
+		} else {
+			logrus.Debugf("skipping unrecognized mount in %v: %q",
+				filePath, scanner.Text())
+		}
 	}
 	return mounts
 }
@@ -190,58 +195,79 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
 	var mounts []rspec.Mount
 	defaultMountsPaths := getMounts(filePath)
 	for _, path := range defaultMountsPaths {
-		hostDir, ctrDir, err := getMountsMap(path)
+		hostDirOrFile, ctrDirOrFile, err := getMountsMap(path)
 		if err != nil {
 			return nil, err
 		}
-		// skip if the hostDir path doesn't exist
-		if _, err = os.Stat(hostDir); err != nil {
+		// skip if the hostDirOrFile path doesn't exist
+		fileInfo, err := os.Stat(hostDirOrFile)
+		if err != nil {
 			if os.IsNotExist(err) {
-				logrus.Warnf("Path %q from %q doesn't exist, skipping", hostDir, filePath)
+				logrus.Warnf("Path %q from %q doesn't exist, skipping", hostDirOrFile, filePath)
 				continue
 			}
-			return nil, errors.Wrapf(err, "failed to stat %q", hostDir)
+			return nil, errors.Wrapf(err, "failed to stat %q", hostDirOrFile)
 		}

-		ctrDirOnHost := filepath.Join(containerWorkingDir, ctrDir)
+		ctrDirOrFileOnHost := filepath.Join(containerWorkingDir, ctrDirOrFile)

-		// In the event of a restart, don't want to copy secrets over again as they already would exist in ctrDirOnHost
-		_, err = os.Stat(ctrDirOnHost)
+		// In the event of a restart, don't want to copy secrets over again as they already would exist in ctrDirOrFileOnHost
+		_, err = os.Stat(ctrDirOrFileOnHost)
 		if os.IsNotExist(err) {
-			if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
-				return nil, errors.Wrapf(err, "making container directory %q failed", ctrDirOnHost)
-			}
-			hostDir, err = resolveSymbolicLink(hostDir)
+
+			hostDirOrFile, err = resolveSymbolicLink(hostDirOrFile)
 			if err != nil {
 				return nil, err
 			}

-			data, err := getHostSecretData(hostDir)
-			if err != nil {
-				return nil, errors.Wrapf(err, "getting host secret data failed")
-			}
-			for _, s := range data {
-				if err := s.saveTo(ctrDirOnHost); err != nil {
-					return nil, errors.Wrapf(err, "error saving data to container filesystem on host %q", ctrDirOnHost)
+			switch mode := fileInfo.Mode(); {
+			case mode.IsDir():
+				if err = os.MkdirAll(ctrDirOrFileOnHost, 0755); err != nil {
+					return nil, errors.Wrapf(err, "making container directory %q failed", ctrDirOrFileOnHost)
 				}
+				data, err := getHostSecretData(hostDirOrFile)
+				if err != nil {
+					return nil, errors.Wrapf(err, "getting host secret data failed")
+				}
+				for _, s := range data {
+					if err := s.saveTo(ctrDirOrFileOnHost); err != nil {
+						return nil, errors.Wrapf(err, "error saving data to container filesystem on host %q", ctrDirOrFileOnHost)
+					}
+				}
+			case mode.IsRegular():
+				data, err := readFile("", hostDirOrFile)
+				if err != nil {
+					return nil, errors.Wrapf(err, "error reading file %q", hostDirOrFile)
+
+				}
+				for _, s := range data {
+					if err := os.MkdirAll(filepath.Dir(ctrDirOrFileOnHost), 0700); err != nil {
+						return nil, err
+					}
+					if err := ioutil.WriteFile(ctrDirOrFileOnHost, s.data, 0700); err != nil {
+						return nil, errors.Wrapf(err, "error saving data to container filesystem on host %q", ctrDirOrFileOnHost)
+					}
+				}
+			default:
+				return nil, errors.Errorf("unsupported file type for: %q", hostDirOrFile)
 			}

-			err = label.Relabel(ctrDirOnHost, mountLabel, false)
+			err = label.Relabel(ctrDirOrFileOnHost, mountLabel, false)
 			if err != nil {
 				return nil, errors.Wrap(err, "error applying correct labels")
 			}
 			if uid != 0 || gid != 0 {
-				if err := rchown(ctrDirOnHost, uid, gid); err != nil {
+				if err := rchown(ctrDirOrFileOnHost, uid, gid); err != nil {
 					return nil, err
 				}
 			}
 		} else if err != nil {
-			return nil, errors.Wrapf(err, "error getting status of %q", ctrDirOnHost)
+			return nil, errors.Wrapf(err, "error getting status of %q", ctrDirOrFileOnHost)
 		}

 		m := rspec.Mount{
-			Source:      filepath.Join(mountPrefix, ctrDir),
-			Destination: ctrDir,
+			Source:      filepath.Join(mountPrefix, ctrDirOrFile),
+			Destination: ctrDirOrFile,
 			Type:        "bind",
 			Options:     []string{"bind", "rprivate"},
 		}
--- a/vendor/github.com/containers/buildah/pkg/unshare/unshare.go
+++ b/vendor/github.com/containers/buildah/pkg/unshare/unshare.go
@@ -64,6 +64,7 @@ func (c *Cmd) Start() error {
 	if os.Geteuid() != 0 {
 		c.Env = append(c.Env, "_CONTAINERS_USERNS_CONFIGURED=done")
 		c.Env = append(c.Env, fmt.Sprintf("_CONTAINERS_ROOTLESS_UID=%d", os.Geteuid()))
+		c.Env = append(c.Env, fmt.Sprintf("_CONTAINERS_ROOTLESS_GID=%d", os.Getegid()))
 	}

 	// Create the pipe for reading the child's PID.
@@ -183,6 +184,7 @@ func (c *Cmd) Start() error {
 			for _, m := range c.GidMappings {
 				fmt.Fprintf(g, "%d %d %d\n", m.ContainerID, m.HostID, m.Size)
 			}
+			gidmapSet := false
 			// Set the GID map.
 			if c.UseNewgidmap {
 				cmd := exec.Command("newgidmap", append([]string{pidString}, strings.Fields(strings.Replace(g.String(), "\n", " ", -1))...)...)
@@ -190,11 +192,16 @@ func (c *Cmd) Start() error {
 				cmd.Stdout = g
 				cmd.Stderr = g
 				err := cmd.Run()
-				if err != nil {
+				if err == nil {
+					gidmapSet = true
+				} else {
 					fmt.Fprintf(continueWrite, "error running newgidmap: %v: %s", err, g.String())
-					return errors.Wrapf(err, "error running newgidmap: %s", g.String())
+					fmt.Fprintf(continueWrite, "falling back to single mapping\n")
+					g.Reset()
+					g.Write([]byte(fmt.Sprintf("0 %d 1\n", os.Getegid())))
 				}
-			} else {
+			}
+			if !gidmapSet {
 				gidmap, err := os.OpenFile(fmt.Sprintf("/proc/%s/gid_map", pidString), os.O_TRUNC|os.O_WRONLY, 0)
 				if err != nil {
 					fmt.Fprintf(continueWrite, "error opening /proc/%s/gid_map: %v", pidString, err)
@@ -214,6 +221,7 @@ func (c *Cmd) Start() error {
 			for _, m := range c.UidMappings {
 				fmt.Fprintf(u, "%d %d %d\n", m.ContainerID, m.HostID, m.Size)
 			}
+			uidmapSet := false
 			// Set the GID map.
 			if c.UseNewuidmap {
 				cmd := exec.Command("newuidmap", append([]string{pidString}, strings.Fields(strings.Replace(u.String(), "\n", " ", -1))...)...)
@@ -221,11 +229,16 @@ func (c *Cmd) Start() error {
 				cmd.Stdout = u
 				cmd.Stderr = u
 				err := cmd.Run()
-				if err != nil {
+				if err == nil {
+					uidmapSet = true
+				} else {
 					fmt.Fprintf(continueWrite, "error running newuidmap: %v: %s", err, u.String())
-					return errors.Wrapf(err, "error running newuidmap: %s", u.String())
+					fmt.Fprintf(continueWrite, "falling back to single mapping\n")
+					u.Reset()
+					u.Write([]byte(fmt.Sprintf("0 %d 1\n", os.Geteuid())))
 				}
-			} else {
+			}
+			if !uidmapSet {
 				uidmap, err := os.OpenFile(fmt.Sprintf("/proc/%s/uid_map", pidString), os.O_TRUNC|os.O_WRONLY, 0)
 				if err != nil {
 					fmt.Fprintf(continueWrite, "error opening /proc/%s/uid_map: %v", pidString, err)
@@ -354,7 +367,9 @@ func MaybeReexecUsingUserNamespace(evenForRoot bool) {
 		// range in /etc/subuid and /etc/subgid file is a starting host
 		// ID and a range size.
 		uidmap, gidmap, err = GetSubIDMappings(me.Username, me.Username)
-		bailOnError(err, "error reading allowed ID mappings")
+		if err != nil {
+			logrus.Warnf("error reading allowed ID mappings: %v", err)
+		}
 		if len(uidmap) == 0 {
 			logrus.Warnf("Found no UID ranges set aside for user %q in /etc/subuid.", me.Username)
 		}