mirror of
https://github.com/containers/podman.git
synced 2025-06-20 17:13:43 +08:00
Vendor in latest github.com/containers/storage,image, buildah
Grab latest fixes from subpackages Including fixes for usernamespace chowning retaining file attributes Better logging of error messages. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
@ -10,8 +10,8 @@ github.com/containerd/cgroups 58556f5ad8448d99a6f7bea69ea4bdb7747cfeb0
|
||||
github.com/containerd/continuity master
|
||||
github.com/containernetworking/cni v0.7.0-alpha1
|
||||
github.com/containernetworking/plugins 1562a1e60ed101aacc5e08ed9dbeba8e9f3d4ec1
|
||||
github.com/containers/image 8f11f3ad8912d8bc43a7d25992b8f313ffefd430
|
||||
github.com/containers/storage 68332c059156eae970a03245cfcd4d717fb66ecd
|
||||
github.com/containers/image 7a1eac5d1df2dbd73d8b71853ebce32d989fcae3
|
||||
github.com/containers/storage 41294c85d97bef688e18f710402895dbecde3308
|
||||
github.com/containers/psgo 5dde6da0bc8831b35243a847625bcf18183bd1ee
|
||||
github.com/coreos/go-systemd v14
|
||||
github.com/cri-o/ocicni master
|
||||
@ -90,7 +90,7 @@ k8s.io/kube-openapi 275e2ce91dec4c05a4094a7b1daee5560b555ac9 https://github.com/
|
||||
k8s.io/utils 258e2a2fa64568210fbd6267cf1d8fd87c3cb86e https://github.com/kubernetes/utils
|
||||
github.com/mrunalp/fileutils master
|
||||
github.com/varlink/go master
|
||||
github.com/containers/buildah cf87f0947ef719872816cc5d6a5ba4db1c261365
|
||||
github.com/containers/buildah af8cb28f84d81ee1bca04c893142cd790b908c75
|
||||
github.com/Nvveen/Gotty master
|
||||
github.com/fsouza/go-dockerclient master
|
||||
github.com/openshift/imagebuilder master
|
||||
|
2
vendor/github.com/containers/buildah/README.md
generated
vendored
2
vendor/github.com/containers/buildah/README.md
generated
vendored
@ -17,6 +17,8 @@ The Buildah package provides a command line tool that can be used to
|
||||
|
||||
## Buildah Information for Developers
|
||||
|
||||
For blogs, release announcements and more, please checkout the [buildah.io](https://buildah.io) website!
|
||||
|
||||
**[Buildah Demos](demos)**
|
||||
|
||||
**[Changelog](CHANGELOG.md)**
|
||||
|
2
vendor/github.com/containers/buildah/buildah.go
generated
vendored
2
vendor/github.com/containers/buildah/buildah.go
generated
vendored
@ -24,7 +24,7 @@ const (
|
||||
Package = "buildah"
|
||||
// Version for the Package. Bump version in contrib/rpm/buildah.spec
|
||||
// too.
|
||||
Version = "1.4-dev"
|
||||
Version = "1.5-dev"
|
||||
// The value we use to identify what type of information, currently a
|
||||
// serialized Builder structure, we are using as per-container state.
|
||||
// This should only be changed when we make incompatible changes to
|
||||
|
89
vendor/github.com/containers/buildah/chroot/run.go
generated
vendored
89
vendor/github.com/containers/buildah/chroot/run.go
generated
vendored
@ -100,18 +100,6 @@ func RunUsingChroot(spec *specs.Spec, bundlePath string, stdin io.Reader, stdout
|
||||
}
|
||||
logrus.Debugf("config = %v", string(specbytes))
|
||||
|
||||
// Run the grandparent subprocess in a user namespace that reuses the mappings that we have.
|
||||
uidmap, gidmap, err := util.GetHostIDMappings("")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
for i := range uidmap {
|
||||
uidmap[i].HostID = uidmap[i].ContainerID
|
||||
}
|
||||
for i := range gidmap {
|
||||
gidmap[i].HostID = gidmap[i].ContainerID
|
||||
}
|
||||
|
||||
// Default to using stdin/stdout/stderr if we weren't passed objects to use.
|
||||
if stdin == nil {
|
||||
stdin = os.Stdin
|
||||
@ -162,10 +150,6 @@ func RunUsingChroot(spec *specs.Spec, bundlePath string, stdin io.Reader, stdout
|
||||
cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
|
||||
cmd.Dir = "/"
|
||||
cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...)
|
||||
cmd.UnshareFlags = syscall.CLONE_NEWUSER
|
||||
cmd.UidMappings = uidmap
|
||||
cmd.GidMappings = gidmap
|
||||
cmd.GidMappingsEnableSetgroups = true
|
||||
|
||||
logrus.Debugf("Running %#v in %#v", cmd.Cmd, cmd)
|
||||
confwg.Add(1)
|
||||
@ -568,10 +552,19 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
|
||||
cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
|
||||
cmd.Dir = "/"
|
||||
cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...)
|
||||
cmd.UnshareFlags = syscall.CLONE_NEWUSER | syscall.CLONE_NEWUTS | syscall.CLONE_NEWNS
|
||||
cmd.UidMappings = uidmap
|
||||
cmd.GidMappings = gidmap
|
||||
cmd.GidMappingsEnableSetgroups = true
|
||||
cmd.UnshareFlags = syscall.CLONE_NEWUTS | syscall.CLONE_NEWNS
|
||||
requestedUserNS := false
|
||||
for _, ns := range spec.Linux.Namespaces {
|
||||
if ns.Type == specs.LinuxNamespaceType(specs.UserNamespace) {
|
||||
requestedUserNS = true
|
||||
}
|
||||
}
|
||||
if len(spec.Linux.UIDMappings) > 0 || len(spec.Linux.GIDMappings) > 0 || requestedUserNS {
|
||||
cmd.UnshareFlags = cmd.UnshareFlags | syscall.CLONE_NEWUSER
|
||||
cmd.UidMappings = uidmap
|
||||
cmd.GidMappings = gidmap
|
||||
cmd.GidMappingsEnableSetgroups = true
|
||||
}
|
||||
if ctty != nil {
|
||||
cmd.Setsid = true
|
||||
cmd.Ctty = ctty
|
||||
@ -697,15 +690,7 @@ func runUsingChrootExecMain() {
|
||||
fmt.Fprintf(os.Stderr, "error setting SELinux label for process: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
logrus.Debugf("setting capabilities")
|
||||
if err := setCapabilities(options.Spec); err != nil {
|
||||
fmt.Fprintf(os.Stderr, "error setting capabilities for process %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
if err = setSeccomp(options.Spec); err != nil {
|
||||
fmt.Fprintf(os.Stderr, "error setting seccomp filter for process: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
logrus.Debugf("setting resource limits")
|
||||
if err = setRlimits(options.Spec, false, false); err != nil {
|
||||
fmt.Fprintf(os.Stderr, "error setting process resource limits for process: %v\n", err)
|
||||
@ -747,11 +732,28 @@ func runUsingChrootExecMain() {
|
||||
os.Exit(1)
|
||||
}
|
||||
}
|
||||
|
||||
logrus.Debugf("setting gid")
|
||||
if err = syscall.Setresgid(int(user.GID), int(user.GID), int(user.GID)); err != nil {
|
||||
fmt.Fprintf(os.Stderr, "error setting GID: %v", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
if err = setSeccomp(options.Spec); err != nil {
|
||||
fmt.Fprintf(os.Stderr, "error setting seccomp filter for process: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
logrus.Debugf("setting capabilities")
|
||||
var keepCaps []string
|
||||
if user.UID != 0 {
|
||||
keepCaps = []string{"CAP_SETUID"}
|
||||
}
|
||||
if err := setCapabilities(options.Spec, keepCaps...); err != nil {
|
||||
fmt.Fprintf(os.Stderr, "error setting capabilities for process: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
logrus.Debugf("setting uid")
|
||||
if err = syscall.Setresuid(int(user.UID), int(user.UID), int(user.UID)); err != nil {
|
||||
fmt.Fprintf(os.Stderr, "error setting UID: %v", err)
|
||||
@ -855,7 +857,11 @@ func setApparmorProfile(spec *specs.Spec) error {
|
||||
}
|
||||
|
||||
// setCapabilities sets capabilities for ourselves, to be more or less inherited by any processes that we'll start.
|
||||
func setCapabilities(spec *specs.Spec) error {
|
||||
func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
|
||||
currentCaps, err := capability.NewPid(0)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "error reading capabilities of current process")
|
||||
}
|
||||
caps, err := capability.NewPid(0)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "error reading capabilities of current process")
|
||||
@ -868,8 +874,8 @@ func setCapabilities(spec *specs.Spec) error {
|
||||
capability.AMBIENT: spec.Process.Capabilities.Ambient,
|
||||
}
|
||||
knownCaps := capability.List()
|
||||
caps.Clear(capability.CAPS | capability.BOUNDS | capability.AMBS)
|
||||
for capType, capList := range capMap {
|
||||
caps.Clear(capType)
|
||||
for _, capToSet := range capList {
|
||||
cap := capability.CAP_LAST_CAP
|
||||
for _, c := range knownCaps {
|
||||
@ -883,12 +889,25 @@ func setCapabilities(spec *specs.Spec) error {
|
||||
}
|
||||
caps.Set(capType, cap)
|
||||
}
|
||||
}
|
||||
for capType := range capMap {
|
||||
if err = caps.Apply(capType); err != nil {
|
||||
return errors.Wrapf(err, "error setting %s capabilities to %#v", capType.String(), capMap[capType])
|
||||
for _, capToSet := range keepCaps {
|
||||
cap := capability.CAP_LAST_CAP
|
||||
for _, c := range knownCaps {
|
||||
if strings.EqualFold("CAP_"+c.String(), capToSet) {
|
||||
cap = c
|
||||
break
|
||||
}
|
||||
}
|
||||
if cap == capability.CAP_LAST_CAP {
|
||||
return errors.Errorf("error mapping capability %q to a number", capToSet)
|
||||
}
|
||||
if currentCaps.Get(capType, cap) {
|
||||
caps.Set(capType, cap)
|
||||
}
|
||||
}
|
||||
}
|
||||
if err = caps.Apply(capability.CAPS | capability.BOUNDS | capability.AMBS); err != nil {
|
||||
return errors.Wrapf(err, "error setting capabilities")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
|
22
vendor/github.com/containers/buildah/commit.go
generated
vendored
22
vendor/github.com/containers/buildah/commit.go
generated
vendored
@ -92,6 +92,15 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
|
||||
var imgID string
|
||||
|
||||
systemContext := getSystemContext(options.SystemContext, options.SignaturePolicyPath)
|
||||
|
||||
blocked, err := isReferenceBlocked(dest, systemContext)
|
||||
if err != nil {
|
||||
return "", errors.Wrapf(err, "error checking if committing to registry for %q is blocked", transports.ImageName(dest))
|
||||
}
|
||||
if blocked {
|
||||
return "", errors.Errorf("commit access to registry for %q is blocked by configuration", transports.ImageName(dest))
|
||||
}
|
||||
|
||||
policy, err := signature.DefaultPolicy(systemContext)
|
||||
if err != nil {
|
||||
return imgID, errors.Wrapf(err, "error obtaining default signature policy")
|
||||
@ -120,7 +129,7 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
|
||||
return imgID, errors.Wrapf(err, "error computing layer digests and building metadata")
|
||||
}
|
||||
// "Copy" our image to where it needs to be.
|
||||
err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, nil, systemContext, ""))
|
||||
err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, src, nil, dest, systemContext, ""))
|
||||
if err != nil {
|
||||
return imgID, errors.Wrapf(err, "error copying layers and metadata")
|
||||
}
|
||||
@ -162,6 +171,15 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
|
||||
// Push copies the contents of the image to a new location.
|
||||
func Push(ctx context.Context, image string, dest types.ImageReference, options PushOptions) error {
|
||||
systemContext := getSystemContext(options.SystemContext, options.SignaturePolicyPath)
|
||||
|
||||
blocked, err := isReferenceBlocked(dest, systemContext)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "error checking if pushing to registry for %q is blocked", transports.ImageName(dest))
|
||||
}
|
||||
if blocked {
|
||||
return errors.Errorf("push access to registry for %q is blocked by configuration", transports.ImageName(dest))
|
||||
}
|
||||
|
||||
policy, err := signature.DefaultPolicy(systemContext)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "error obtaining default signature policy")
|
||||
@ -176,7 +194,7 @@ func Push(ctx context.Context, image string, dest types.ImageReference, options
|
||||
return err
|
||||
}
|
||||
// Copy everything.
|
||||
err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, nil, systemContext, options.ManifestType))
|
||||
err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, src, nil, dest, systemContext, options.ManifestType))
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "error copying layers and metadata")
|
||||
}
|
||||
|
33
vendor/github.com/containers/buildah/common.go
generated
vendored
33
vendor/github.com/containers/buildah/common.go
generated
vendored
@ -3,7 +3,10 @@ package buildah
|
||||
import (
|
||||
"io"
|
||||
|
||||
"github.com/sirupsen/logrus"
|
||||
|
||||
cp "github.com/containers/image/copy"
|
||||
"github.com/containers/image/transports"
|
||||
"github.com/containers/image/types"
|
||||
)
|
||||
|
||||
@ -14,11 +17,35 @@ const (
|
||||
DOCKER = "docker"
|
||||
)
|
||||
|
||||
func getCopyOptions(reportWriter io.Writer, sourceSystemContext *types.SystemContext, destinationSystemContext *types.SystemContext, manifestType string) *cp.Options {
|
||||
func getCopyOptions(reportWriter io.Writer, sourceReference types.ImageReference, sourceSystemContext *types.SystemContext, destinationReference types.ImageReference, destinationSystemContext *types.SystemContext, manifestType string) *cp.Options {
|
||||
sourceCtx := &types.SystemContext{}
|
||||
if sourceSystemContext != nil {
|
||||
*sourceCtx = *sourceSystemContext
|
||||
}
|
||||
sourceInsecure, err := isReferenceInsecure(sourceReference, sourceCtx)
|
||||
if err != nil {
|
||||
logrus.Debugf("error determining if registry for %q is insecure: %v", transports.ImageName(sourceReference), err)
|
||||
} else if sourceInsecure {
|
||||
sourceCtx.DockerInsecureSkipTLSVerify = true
|
||||
sourceCtx.OCIInsecureSkipTLSVerify = true
|
||||
}
|
||||
|
||||
destinationCtx := &types.SystemContext{}
|
||||
if destinationSystemContext != nil {
|
||||
*destinationCtx = *destinationSystemContext
|
||||
}
|
||||
destinationInsecure, err := isReferenceInsecure(destinationReference, destinationCtx)
|
||||
if err != nil {
|
||||
logrus.Debugf("error determining if registry for %q is insecure: %v", transports.ImageName(destinationReference), err)
|
||||
} else if destinationInsecure {
|
||||
destinationCtx.DockerInsecureSkipTLSVerify = true
|
||||
destinationCtx.OCIInsecureSkipTLSVerify = true
|
||||
}
|
||||
|
||||
return &cp.Options{
|
||||
ReportWriter: reportWriter,
|
||||
SourceCtx: sourceSystemContext,
|
||||
DestinationCtx: destinationSystemContext,
|
||||
SourceCtx: sourceCtx,
|
||||
DestinationCtx: destinationCtx,
|
||||
ForceManifestMIMEType: manifestType,
|
||||
}
|
||||
}
|
||||
|
7
vendor/github.com/containers/buildah/imagebuildah/build.go
generated
vendored
7
vendor/github.com/containers/buildah/imagebuildah/build.go
generated
vendored
@ -325,6 +325,9 @@ func (b *Executor) Preserve(path string) error {
|
||||
archivedPath := filepath.Join(b.mountPoint, cachedPath)
|
||||
logrus.Debugf("no longer need cache of %q in %q", archivedPath, b.volumeCache[cachedPath])
|
||||
if err := os.Remove(b.volumeCache[cachedPath]); err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
continue
|
||||
}
|
||||
return errors.Wrapf(err, "error removing %q", b.volumeCache[cachedPath])
|
||||
}
|
||||
delete(b.volumeCache, cachedPath)
|
||||
@ -343,6 +346,9 @@ func (b *Executor) volumeCacheInvalidate(path string) error {
|
||||
}
|
||||
for _, cachedPath := range invalidated {
|
||||
if err := os.Remove(b.volumeCache[cachedPath]); err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
continue
|
||||
}
|
||||
return errors.Wrapf(err, "error removing volume cache %q", b.volumeCache[cachedPath])
|
||||
}
|
||||
archivedPath := filepath.Join(b.mountPoint, cachedPath)
|
||||
@ -1125,6 +1131,7 @@ func (b *Executor) Commit(ctx context.Context, ib *imagebuilder.Builder, created
|
||||
AdditionalTags: b.additionalTags,
|
||||
ReportWriter: writer,
|
||||
PreferredManifestType: b.outputFormat,
|
||||
SystemContext: b.systemContext,
|
||||
IIDFile: b.iidfile,
|
||||
Squash: b.squash,
|
||||
Parent: b.builder.FromImageID,
|
||||
|
34
vendor/github.com/containers/buildah/new.go
generated
vendored
34
vendor/github.com/containers/buildah/new.go
generated
vendored
@ -3,7 +3,6 @@ package buildah
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"github.com/containers/buildah/util"
|
||||
@ -14,7 +13,6 @@ import (
|
||||
"github.com/containers/image/types"
|
||||
"github.com/containers/storage"
|
||||
multierror "github.com/hashicorp/go-multierror"
|
||||
"github.com/opencontainers/selinux/go-selinux"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/openshift/imagebuilder"
|
||||
"github.com/pkg/errors"
|
||||
@ -36,36 +34,6 @@ const (
|
||||
minimumTruncatedIDLength = 3
|
||||
)
|
||||
|
||||
func reserveSELinuxLabels(store storage.Store, id string) error {
|
||||
if selinux.GetEnabled() {
|
||||
containers, err := store.Containers()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
for _, c := range containers {
|
||||
if id == c.ID {
|
||||
continue
|
||||
} else {
|
||||
b, err := OpenBuilder(store, c.ID)
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
// Ignore not exist errors since containers probably created by other tool
|
||||
// TODO, we need to read other containers json data to reserve their SELinux labels
|
||||
continue
|
||||
}
|
||||
return err
|
||||
}
|
||||
// Prevent different containers from using same MCS label
|
||||
if err := label.ReserveLabel(b.ProcessLabel); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func pullAndFindImage(ctx context.Context, store storage.Store, imageName string, options BuilderOptions, sc *types.SystemContext) (*storage.Image, types.ImageReference, error) {
|
||||
pullOptions := PullOptions{
|
||||
ReportWriter: options.ReportWriter,
|
||||
@ -303,7 +271,7 @@ func newBuilder(ctx context.Context, store storage.Store, options BuilderOptions
|
||||
}
|
||||
}()
|
||||
|
||||
if err = reserveSELinuxLabels(store, container.ID); err != nil {
|
||||
if err = ReserveSELinuxLabels(store, container.ID); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
processLabel, mountLabel, err := label.InitLabels(options.CommonBuildOpts.LabelOpts)
|
||||
|
10
vendor/github.com/containers/buildah/pkg/cli/common.go
generated
vendored
10
vendor/github.com/containers/buildah/pkg/cli/common.go
generated
vendored
@ -128,11 +128,6 @@ var (
|
||||
Name: "iidfile",
|
||||
Usage: "`file` to write the image ID to",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "isolation",
|
||||
Usage: "`type` of process isolation to use. Use BUILDAH_ISOLATION environment variable to override.",
|
||||
Value: DefaultIsolation(),
|
||||
},
|
||||
cli.StringSliceFlag{
|
||||
Name: "label",
|
||||
Usage: "Set metadata for an image (default [])",
|
||||
@ -229,6 +224,11 @@ var (
|
||||
Name: "cpuset-mems",
|
||||
Usage: "memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "isolation",
|
||||
Usage: "`type` of process isolation to use. Use BUILDAH_ISOLATION environment variable to override.",
|
||||
Value: DefaultIsolation(),
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "memory, m",
|
||||
Usage: "memory limit (format: <number>[<unit>], where unit = b, k, m or g)",
|
||||
|
2
vendor/github.com/containers/buildah/pkg/parse/parse.go
generated
vendored
2
vendor/github.com/containers/buildah/pkg/parse/parse.go
generated
vendored
@ -283,6 +283,8 @@ func SystemContextFromOptions(c *cli.Context) (*types.SystemContext, error) {
|
||||
}
|
||||
if c.IsSet("tls-verify") {
|
||||
ctx.DockerInsecureSkipTLSVerify = !c.BoolT("tls-verify")
|
||||
ctx.OCIInsecureSkipTLSVerify = !c.BoolT("tls-verify")
|
||||
ctx.DockerDaemonInsecureSkipTLSVerify = !c.BoolT("tls-verify")
|
||||
}
|
||||
if c.IsSet("creds") {
|
||||
var err error
|
||||
|
10
vendor/github.com/containers/buildah/pull.go
generated
vendored
10
vendor/github.com/containers/buildah/pull.go
generated
vendored
@ -160,6 +160,14 @@ func pullImage(ctx context.Context, store storage.Store, imageName string, optio
|
||||
srcRef = srcRef2
|
||||
}
|
||||
|
||||
blocked, err := isReferenceBlocked(srcRef, sc)
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "error checking if pulling from registry for %q is blocked", transports.ImageName(srcRef))
|
||||
}
|
||||
if blocked {
|
||||
return nil, errors.Errorf("pull access to registry for %q is blocked by configuration", transports.ImageName(srcRef))
|
||||
}
|
||||
|
||||
destName, err := localImageNameForReference(ctx, store, srcRef, spec)
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "error computing local image name for %q", transports.ImageName(srcRef))
|
||||
@ -190,7 +198,7 @@ func pullImage(ctx context.Context, store storage.Store, imageName string, optio
|
||||
}()
|
||||
|
||||
logrus.Debugf("copying %q to %q", spec, destName)
|
||||
pullError := cp.Image(ctx, policyContext, destRef, srcRef, getCopyOptions(options.ReportWriter, sc, nil, ""))
|
||||
pullError := cp.Image(ctx, policyContext, destRef, srcRef, getCopyOptions(options.ReportWriter, srcRef, sc, destRef, nil, ""))
|
||||
if pullError == nil {
|
||||
return destRef, nil
|
||||
}
|
||||
|
21
vendor/github.com/containers/buildah/unshare/unshare.c
generated
vendored
21
vendor/github.com/containers/buildah/unshare/unshare.c
generated
vendored
@ -11,6 +11,8 @@
|
||||
#include <termios.h>
|
||||
#include <unistd.h>
|
||||
|
||||
const char *_max_user_namespaces = "/proc/sys/user/max_user_namespaces";
|
||||
|
||||
static int _buildah_unshare_parse_envint(const char *envname) {
|
||||
char *p, *q;
|
||||
long l;
|
||||
@ -31,7 +33,10 @@ static int _buildah_unshare_parse_envint(const char *envname) {
|
||||
|
||||
void _buildah_unshare(void)
|
||||
{
|
||||
FILE *fp;
|
||||
int flags, pidfd, continuefd, n, pgrp, sid, ctty;
|
||||
long max_userns;
|
||||
size_t n_read;
|
||||
char buf[2048];
|
||||
|
||||
flags = _buildah_unshare_parse_envint("_Buildah-unshare");
|
||||
@ -41,6 +46,22 @@ void _buildah_unshare(void)
|
||||
if ((flags & CLONE_NEWUSER) != 0) {
|
||||
if (unshare(CLONE_NEWUSER) == -1) {
|
||||
fprintf(stderr, "Error during unshare(CLONE_NEWUSER): %m\n");
|
||||
fp = fopen(_max_user_namespaces, "r");
|
||||
if (fp != NULL) {
|
||||
memset(buf, 0, sizeof(buf));
|
||||
n_read = fread(buf, 1, sizeof(buf) - 1, fp);
|
||||
if (n_read > 0) {
|
||||
max_userns = atoi(buf);
|
||||
if (max_userns == 0) {
|
||||
fprintf(stderr, "User namespaces are not enabled in %s.\n", _max_user_namespaces);
|
||||
}
|
||||
} else {
|
||||
fprintf(stderr, "Error reading %s: no contents, should contain a number greater than 0.\n", _max_user_namespaces);
|
||||
}
|
||||
fclose(fp);
|
||||
} else {
|
||||
fprintf(stderr, "Error reading %s: %m\n", _max_user_namespaces);
|
||||
}
|
||||
_exit(1);
|
||||
}
|
||||
}
|
||||
|
8
vendor/github.com/containers/buildah/unshare/unshare.go
generated
vendored
8
vendor/github.com/containers/buildah/unshare/unshare.go
generated
vendored
@ -191,8 +191,8 @@ func (c *Cmd) Start() error {
|
||||
}
|
||||
defer gidmap.Close()
|
||||
if _, err := fmt.Fprintf(gidmap, "%s", g.String()); err != nil {
|
||||
fmt.Fprintf(continueWrite, "error writing /proc/%s/gid_map: %v", pidString, err)
|
||||
return errors.Wrapf(err, "error writing /proc/%s/gid_map", pidString)
|
||||
fmt.Fprintf(continueWrite, "error writing %q to /proc/%s/gid_map: %v", g.String(), pidString, err)
|
||||
return errors.Wrapf(err, "error writing %q to /proc/%s/gid_map", g.String(), pidString)
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -222,8 +222,8 @@ func (c *Cmd) Start() error {
|
||||
}
|
||||
defer uidmap.Close()
|
||||
if _, err := fmt.Fprintf(uidmap, "%s", u.String()); err != nil {
|
||||
fmt.Fprintf(continueWrite, "error writing /proc/%s/uid_map: %v", pidString, err)
|
||||
return errors.Wrapf(err, "error writing /proc/%s/uid_map", pidString)
|
||||
fmt.Fprintf(continueWrite, "error writing %q to /proc/%s/uid_map: %v", u.String(), pidString, err)
|
||||
return errors.Wrapf(err, "error writing %q to /proc/%s/uid_map", u.String(), pidString)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
101
vendor/github.com/containers/buildah/util.go
generated
vendored
101
vendor/github.com/containers/buildah/util.go
generated
vendored
@ -7,14 +7,19 @@ import (
|
||||
"sync"
|
||||
|
||||
"github.com/containers/image/docker/reference"
|
||||
"github.com/containers/image/pkg/sysregistries"
|
||||
"github.com/containers/image/pkg/sysregistriesv2"
|
||||
"github.com/containers/image/types"
|
||||
"github.com/containers/storage"
|
||||
"github.com/containers/storage/pkg/archive"
|
||||
"github.com/containers/storage/pkg/chrootarchive"
|
||||
"github.com/containers/storage/pkg/idtools"
|
||||
"github.com/containers/storage/pkg/reexec"
|
||||
rspec "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/opencontainers/selinux/go-selinux"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
// InitReexec is a wrapper for reexec.Init(). It should be called at
|
||||
@ -181,6 +186,70 @@ func getRegistries(sc *types.SystemContext) ([]string, error) {
|
||||
return searchRegistries, nil
|
||||
}
|
||||
|
||||
// isRegistryInsecure checks if the named registry is marked as not secure
|
||||
func isRegistryInsecure(registry string, sc *types.SystemContext) (bool, error) {
|
||||
registries, err := sysregistriesv2.GetRegistries(sc)
|
||||
if err != nil {
|
||||
return false, errors.Wrapf(err, "unable to parse the registries configuration (%s)", sysregistries.RegistriesConfPath(sc))
|
||||
}
|
||||
if reginfo := sysregistriesv2.FindRegistry(registry, registries); reginfo != nil {
|
||||
if reginfo.Insecure {
|
||||
logrus.Debugf("registry %q is marked insecure in registries configuration %q", registry, sysregistries.RegistriesConfPath(sc))
|
||||
} else {
|
||||
logrus.Debugf("registry %q is not marked insecure in registries configuration %q", registry, sysregistries.RegistriesConfPath(sc))
|
||||
}
|
||||
return reginfo.Insecure, nil
|
||||
}
|
||||
logrus.Debugf("registry %q is not listed in registries configuration %q, assuming it's secure", registry, sysregistries.RegistriesConfPath(sc))
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// isRegistryBlocked checks if the named registry is marked as blocked
|
||||
func isRegistryBlocked(registry string, sc *types.SystemContext) (bool, error) {
|
||||
registries, err := sysregistriesv2.GetRegistries(sc)
|
||||
if err != nil {
|
||||
return false, errors.Wrapf(err, "unable to parse the registries configuration (%s)", sysregistries.RegistriesConfPath(sc))
|
||||
}
|
||||
if reginfo := sysregistriesv2.FindRegistry(registry, registries); reginfo != nil {
|
||||
if reginfo.Blocked {
|
||||
logrus.Debugf("registry %q is marked as blocked in registries configuration %q", registry, sysregistries.RegistriesConfPath(sc))
|
||||
} else {
|
||||
logrus.Debugf("registry %q is not marked as blocked in registries configuration %q", registry, sysregistries.RegistriesConfPath(sc))
|
||||
}
|
||||
return reginfo.Blocked, nil
|
||||
}
|
||||
logrus.Debugf("registry %q is not listed in registries configuration %q, assuming it's not blocked", registry, sysregistries.RegistriesConfPath(sc))
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// isReferenceSomething checks if the registry part of a reference is insecure or blocked
|
||||
func isReferenceSomething(ref types.ImageReference, sc *types.SystemContext, what func(string, *types.SystemContext) (bool, error)) (bool, error) {
|
||||
if ref != nil && ref.DockerReference() != nil {
|
||||
if named, ok := ref.DockerReference().(reference.Named); ok {
|
||||
if domain := reference.Domain(named); domain != "" {
|
||||
return what(domain, sc)
|
||||
}
|
||||
}
|
||||
}
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// isReferenceInsecure checks if the registry part of a reference is insecure
|
||||
func isReferenceInsecure(ref types.ImageReference, sc *types.SystemContext) (bool, error) {
|
||||
return isReferenceSomething(ref, sc, isRegistryInsecure)
|
||||
}
|
||||
|
||||
// isReferenceBlocked checks if the registry part of a reference is blocked
|
||||
func isReferenceBlocked(ref types.ImageReference, sc *types.SystemContext) (bool, error) {
|
||||
if ref != nil && ref.Transport() != nil {
|
||||
switch ref.Transport().Name() {
|
||||
case "docker":
|
||||
return isReferenceSomething(ref, sc, isRegistryBlocked)
|
||||
}
|
||||
}
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// hasRegistry returns a bool/err response if the image has a registry in its
|
||||
// name
|
||||
func hasRegistry(imageName string) (bool, error) {
|
||||
@ -194,3 +263,35 @@ func hasRegistry(imageName string) (bool, error) {
|
||||
}
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// ReserveSELinuxLabels reads containers storage and reserves SELinux containers
|
||||
// fall all existing buildah containers
|
||||
func ReserveSELinuxLabels(store storage.Store, id string) error {
|
||||
if selinux.GetEnabled() {
|
||||
containers, err := store.Containers()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
for _, c := range containers {
|
||||
if id == c.ID {
|
||||
continue
|
||||
} else {
|
||||
b, err := OpenBuilder(store, c.ID)
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
// Ignore not exist errors since containers probably created by other tool
|
||||
// TODO, we need to read other containers json data to reserve their SELinux labels
|
||||
continue
|
||||
}
|
||||
return err
|
||||
}
|
||||
// Prevent different containers from using same MCS label
|
||||
if err := label.ReserveLabel(b.ProcessLabel); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
4
vendor/github.com/containers/buildah/vendor.conf
generated
vendored
4
vendor/github.com/containers/buildah/vendor.conf
generated
vendored
@ -3,9 +3,9 @@ github.com/blang/semver master
|
||||
github.com/BurntSushi/toml master
|
||||
github.com/containerd/continuity master
|
||||
github.com/containernetworking/cni v0.7.0-alpha1
|
||||
github.com/containers/image 8f11f3ad8912d8bc43a7d25992b8f313ffefd430
|
||||
github.com/containers/image 5cc7850824afe2b4fb016f8906666b358c50dc31
|
||||
github.com/containers/libpod 2afadeec6696fefac468a49c8ba24b0bc275aa75
|
||||
github.com/containers/storage 68332c059156eae970a03245cfcd4d717fb66ecd
|
||||
github.com/containers/storage 41294c85d97bef688e18f710402895dbecde3308
|
||||
github.com/docker/distribution 5f6282db7d65e6d72ad7c2cc66310724a57be716
|
||||
github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00
|
||||
github.com/docker/docker-credential-helpers d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
|
||||
|
4
vendor/github.com/containers/image/docker/docker_client.go
generated
vendored
4
vendor/github.com/containers/image/docker/docker_client.go
generated
vendored
@ -516,7 +516,7 @@ func (c *dockerClient) detectProperties(ctx context.Context) error {
|
||||
url := fmt.Sprintf(resolvedPingV2URL, scheme, c.registry)
|
||||
resp, err := c.makeRequestToResolvedURL(ctx, "GET", url, nil, nil, -1, noAuth)
|
||||
if err != nil {
|
||||
logrus.Debugf("Ping %s err %#v", url, err)
|
||||
logrus.Debugf("Ping %s err %s (%#v)", url, err.Error(), err)
|
||||
return err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
@ -542,7 +542,7 @@ func (c *dockerClient) detectProperties(ctx context.Context) error {
|
||||
pingV1 := func(scheme string) bool {
|
||||
url := fmt.Sprintf(resolvedPingV1URL, scheme, c.registry)
|
||||
resp, err := c.makeRequestToResolvedURL(ctx, "GET", url, nil, nil, -1, noAuth)
|
||||
logrus.Debugf("Ping %s err %#v", url, err)
|
||||
logrus.Debugf("Ping %s err %s (%#v)", url, err.Error(), err)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
18
vendor/github.com/containers/image/pkg/tlsclientconfig/tlsclientconfig.go
generated
vendored
18
vendor/github.com/containers/image/pkg/tlsclientconfig/tlsclientconfig.go
generated
vendored
@ -34,6 +34,19 @@ func SetupCertificates(dir string, tlsc *tls.Config) error {
|
||||
for _, f := range fs {
|
||||
fullPath := filepath.Join(dir, f.Name())
|
||||
if strings.HasSuffix(f.Name(), ".crt") {
|
||||
logrus.Debugf(" crt: %s", fullPath)
|
||||
data, err := ioutil.ReadFile(fullPath)
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
// Dangling symbolic link?
|
||||
// Race with someone who deleted the
|
||||
// file after we read the directory's
|
||||
// list of contents?
|
||||
logrus.Warnf("error reading certificate %q: %v", fullPath, err)
|
||||
continue
|
||||
}
|
||||
return err
|
||||
}
|
||||
if tlsc.RootCAs == nil {
|
||||
systemPool, err := tlsconfig.SystemCertPool()
|
||||
if err != nil {
|
||||
@ -41,11 +54,6 @@ func SetupCertificates(dir string, tlsc *tls.Config) error {
|
||||
}
|
||||
tlsc.RootCAs = systemPool
|
||||
}
|
||||
logrus.Debugf(" crt: %s", fullPath)
|
||||
data, err := ioutil.ReadFile(fullPath)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
tlsc.RootCAs.AppendCertsFromPEM(data)
|
||||
}
|
||||
if strings.HasSuffix(f.Name(), ".cert") {
|
||||
|
12
vendor/github.com/containers/storage/drivers/chown_unix.go
generated
vendored
12
vendor/github.com/containers/storage/drivers/chown_unix.go
generated
vendored
@ -8,6 +8,7 @@ import (
|
||||
"syscall"
|
||||
|
||||
"github.com/containers/storage/pkg/idtools"
|
||||
"github.com/containers/storage/pkg/system"
|
||||
)
|
||||
|
||||
func platformLChown(path string, info os.FileInfo, toHost, toContainer *idtools.IDMappings) error {
|
||||
@ -49,6 +50,11 @@ func platformLChown(path string, info os.FileInfo, toHost, toContainer *idtools.
|
||||
if err != nil {
|
||||
return fmt.Errorf("%s: lstat(%q): %v", os.Args[0], path, err)
|
||||
}
|
||||
cap, err := system.Lgetxattr(path, "security.capability")
|
||||
if err != nil && err != system.ErrNotSupportedPlatform {
|
||||
return fmt.Errorf("%s: Lgetxattr(%q): %v", os.Args[0], path, err)
|
||||
}
|
||||
|
||||
// Make the change.
|
||||
if err := syscall.Lchown(path, uid, gid); err != nil {
|
||||
return fmt.Errorf("%s: chown(%q): %v", os.Args[0], path, err)
|
||||
@ -59,6 +65,12 @@ func platformLChown(path string, info os.FileInfo, toHost, toContainer *idtools.
|
||||
return fmt.Errorf("%s: chmod(%q): %v", os.Args[0], path, err)
|
||||
}
|
||||
}
|
||||
if cap != nil {
|
||||
if err := system.Lsetxattr(path, "security.capability", cap, 0); err != nil {
|
||||
return fmt.Errorf("%s: Lsetxattr(%q): %v", os.Args[0], path, err)
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
return nil
|
||||
|
Reference in New Issue
Block a user