Bump containers/buildah to v1.19.4

Fix handling of --iidfile to happen on the client side. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-06-17 15:08:08 +08:00 · 2021-02-08 14:26:51 -05:00
parent 19507d0ffe
commit 45981ba29a
15 changed files with 54 additions and 37 deletions
--- a/cmd/podman/images/build.go
+++ b/cmd/podman/images/build.go
@ -264,7 +264,18 @@ func build(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	_, err = registry.ImageEngine().Build(registry.GetContext(), containerFiles, *apiBuildOpts)
+	report, err := registry.ImageEngine().Build(registry.GetContext(), containerFiles, *apiBuildOpts)
+
+	if cmd.Flag("iidfile").Changed {
+		f, err := os.Create(buildOpts.Iidfile)
+		if err != nil {
+			return err
+		}
+		if _, err := f.WriteString("sha256:" + report.ID); err != nil {
+			return err
+		}
+	}
+
 	return err
 }

@ -468,7 +479,6 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *buil
 		ForceRmIntermediateCtrs: flags.ForceRm,
 		From:                    flags.From,
 		IDMappingOptions:        idmappingOptions,
-		IIDFile:                 flags.Iidfile,
 		In:                      stdin,
 		Isolation:               isolation,
 		Jobs:                    &flags.Jobs,
--- a/go.mod
+++ b/go.mod
@ -10,7 +10,7 @@ require (
 	github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd // indirect
 	github.com/containernetworking/cni v0.8.1
 	github.com/containernetworking/plugins v0.9.0
-	github.com/containers/buildah v1.19.3
+	github.com/containers/buildah v1.19.4
 	github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/image/v5 v5.10.1
--- a/go.sum
+++ b/go.sum
@ -89,7 +89,6 @@ github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv
 github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
 github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
 github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
-github.com/containernetworking/cni v0.7.2-0.20190904153231-83439463f784/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
 github.com/containernetworking/cni v0.8.0 h1:BT9lpgGoH4jw3lFC7Odz2prU5ruiYKcgAjMCbgybcKI=
 github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
 github.com/containernetworking/cni v0.8.1 h1:7zpDnQ3T3s4ucOuJ/ZCLrYBxzkg0AELFfII3Epo9TmI=
@ -97,8 +96,8 @@ github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ
 github.com/containernetworking/plugins v0.8.7/go.mod h1:R7lXeZaBzpfqapcAbHRW8/CYwm0dHzbz0XEjofx0uB0=
 github.com/containernetworking/plugins v0.9.0 h1:c+1gegKhR7+d0Caum9pEHugZlyhXPOG6v3V6xJgIGCI=
 github.com/containernetworking/plugins v0.9.0/go.mod h1:dbWv4dI0QrBGuVgj+TuVQ6wJRZVOhrCQj91YyC92sxg=
-github.com/containers/buildah v1.19.3 h1:U0E1UKzqW5C11W7giHhLZI06xkZiV40ZKDK/c1jotbE=
-github.com/containers/buildah v1.19.3/go.mod h1:uZb6GuE36tmRSOcIXGfiYqdpr+GPXWmlUIJSk5sn19w=
+github.com/containers/buildah v1.19.4 h1:TygMnZAt8JCQ0i1APbSHfdn69B2vGvPoJKD+f6D6fuA=
+github.com/containers/buildah v1.19.4/go.mod h1:PfK0EiB871UFD1CT8xNsKq60s7xw2pgSOEGICf+x6O8=
 github.com/containers/common v0.33.1 h1:XpDiq8Cta8+u1s4kpYSEWdB140ZmqgyIXfWkLqKx3z0=
 github.com/containers/common v0.33.1/go.mod h1:mjDo/NKeweL/onaspLhZ38WnHXaYmrELHclIdvSnYpY=
 github.com/containers/common v0.34.3-0.20210208115708-8668c76dd577 h1:tUJcLouJ1bC3w9gdqgKqZBsj2uCuM8D8jSR592lxbhE=
--- a/pkg/domain/infra/tunnel/images.go
+++ b/pkg/domain/infra/tunnel/images.go
@ -350,17 +350,6 @@ func (ir *ImageEngine) Build(_ context.Context, containerFiles []string, opts en
 	if err != nil {
 		return nil, err
 	}
-	// For remote clients, if the option for writing to a file was
-	// selected, we need to write to the *client's* filesystem.
-	if len(opts.IIDFile) > 0 {
-		f, err := os.Create(opts.IIDFile)
-		if err != nil {
-			return nil, err
-		}
-		if _, err := f.WriteString(report.ID); err != nil {
-			return nil, err
-		}
-	}
 	return report, nil
 }

--- a/test/e2e/build_test.go
+++ b/test/e2e/build_test.go
@ -194,7 +194,7 @@ var _ = Describe("Podman build", func() {
 		inspect := podmanTest.Podman([]string{"inspect", string(id)})
 		inspect.WaitWithDefaultTimeout()
 		data := inspect.InspectImageJSON()
-		Expect(data[0].ID).To(Equal(string(id)))
+		Expect("sha256:" + data[0].ID).To(Equal(string(id)))
 	})

 	It("podman Test PATH in built image", func() {
--- a/vendor/github.com/containers/buildah/CHANGELOG.md
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md
@ -2,6 +2,14 @@

 # Changelog

+## v1.19.4 (2021-02-06)
+    run: fix check for host pid namespace
+    bump containernetworking/cni library to v0.8.1 - fix for CVE-2021-20206
+    Finish plumbing for buildah bud --manifest
+    buildah manifest add localimage should work
+    Fix build arg check
+    --iidfile: print hash prefix
+
 ## v1.19.3 (2021-01-28)
    [ci:docs] Fix man page for buildah push
    Vendor in containers/image v5.10.1
--- a/vendor/github.com/containers/buildah/buildah.go
+++ b/vendor/github.com/containers/buildah/buildah.go
@ -28,7 +28,7 @@ const (
 	Package = "buildah"
 	// Version for the Package.  Bump version in contrib/rpm/buildah.spec
 	// too.
-	Version = "1.19.3"
+	Version = "1.19.4"
 	// The value we use to identify what type of information, currently a
 	// serialized Builder structure, we are using as per-container state.
 	// This should only be changed when we make incompatible changes to
--- a/vendor/github.com/containers/buildah/changelog.txt
+++ b/vendor/github.com/containers/buildah/changelog.txt
@ -1,3 +1,11 @@
+- Changelog for v1.19.4 (2021-02-06)
+  * run: fix check for host pid namespace
+  * bump containernetworking/cni library to v0.8.1 - fix for CVE-2021-20206
+  * Finish plumbing for buildah bud --manifest
+  * buildah manifest add localimage should work
+  * Fix build arg check
+  * --iidfile: print hash prefix
+
 - Changelog for v1.19.3 (2021-01-28)
  * [ci:docs] Fix man page for buildah push
  * Vendor in containers/image v5.10.1
--- a/vendor/github.com/containers/buildah/commit.go
+++ b/vendor/github.com/containers/buildah/commit.go
@ -224,7 +224,7 @@ func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) (inse
 	return false, nil
 }

-func (b *Builder) addManifest(ctx context.Context, manifestName string, imageSpec string) error {
+func (b *Builder) addManifest(ctx context.Context, manifestName string, imageSpec string) (string, error) {
 	var create bool
 	systemContext := &types.SystemContext{}
 	var list manifests.List
@ -235,13 +235,13 @@ func (b *Builder) addManifest(ctx context.Context, manifestName string, imageSpe
 	} else {
 		_, list, err = manifests.LoadFromImage(b.store, listImage.ID)
 		if err != nil {
-			return err
+			return "", err
 		}
 	}

 	names, err := util.ExpandNames([]string{manifestName}, "", systemContext, b.store)
 	if err != nil {
-		return errors.Wrapf(err, "error encountered while expanding image name %q", manifestName)
+		return "", errors.Wrapf(err, "error encountered while expanding image name %q", manifestName)
 	}

 	ref, err := alltransports.ParseImageName(imageSpec)
@ -249,13 +249,13 @@ func (b *Builder) addManifest(ctx context.Context, manifestName string, imageSpe
 		if ref, err = alltransports.ParseImageName(util.DefaultTransport + imageSpec); err != nil {
 			// check if the local image exists
 			if ref, _, err = util.FindImage(b.store, "", systemContext, imageSpec); err != nil {
-				return err
+				return "", err
 			}
 		}
 	}

 	if _, err = list.Add(ctx, systemContext, ref, true); err != nil {
-		return err
+		return "", err
 	}
 	var imageID string
 	if create {
@ -263,10 +263,7 @@ func (b *Builder) addManifest(ctx context.Context, manifestName string, imageSpe
 	} else {
 		imageID, err = list.SaveToImage(b.store, listImage.ID, nil, "")
 	}
-	if err == nil {
-		fmt.Printf("%s\n", imageID)
-	}
-	return err
+	return imageID, err
 }

 // Commit writes the contents of the container, along with its updated
@ -469,7 +466,7 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
 			dest = dest2
 		}
 		if options.IIDFile != "" {
-			if err = ioutil.WriteFile(options.IIDFile, []byte(img.ID), 0644); err != nil {
+			if err = ioutil.WriteFile(options.IIDFile, []byte("sha256:"+img.ID), 0644); err != nil {
 				return imgID, nil, "", err
 			}
 		}
@ -489,9 +486,12 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
 	}

 	if options.Manifest != "" {
-		if err := b.addManifest(ctx, options.Manifest, imgID); err != nil {
+		manifestID, err := b.addManifest(ctx, options.Manifest, imgID)
+		if err != nil {
 			return imgID, nil, "", err
 		}
+		logrus.Debugf("added imgID %s to manifestID %s", imgID, manifestID)
+
 	}
 	return imgID, ref, manifestDigest, nil
 }
--- a/vendor/github.com/containers/buildah/go.mod
+++ b/vendor/github.com/containers/buildah/go.mod
@ -4,7 +4,7 @@ go 1.12

 require (
 	github.com/containerd/containerd v1.4.1 // indirect
-	github.com/containernetworking/cni v0.7.2-0.20190904153231-83439463f784
+	github.com/containernetworking/cni v0.8.1
 	github.com/containers/common v0.33.1
 	github.com/containers/image/v5 v5.10.1
 	github.com/containers/ocicrypt v1.0.3
--- a/vendor/github.com/containers/buildah/go.sum
+++ b/vendor/github.com/containers/buildah/go.sum
@ -76,8 +76,8 @@ github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv
 github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
 github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
 github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
-github.com/containernetworking/cni v0.7.2-0.20190904153231-83439463f784 h1:rqUVLD8I859xRgUx/WMC3v7QAFqbLKZbs+0kqYboRJc=
-github.com/containernetworking/cni v0.7.2-0.20190904153231-83439463f784/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
+github.com/containernetworking/cni v0.8.1 h1:7zpDnQ3T3s4ucOuJ/ZCLrYBxzkg0AELFfII3Epo9TmI=
+github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
 github.com/containers/common v0.33.1 h1:XpDiq8Cta8+u1s4kpYSEWdB140ZmqgyIXfWkLqKx3z0=
 github.com/containers/common v0.33.1/go.mod h1:mjDo/NKeweL/onaspLhZ38WnHXaYmrELHclIdvSnYpY=
 github.com/containers/image/v5 v5.9.0 h1:dRmUtcluQcmasNo3DpnRoZjfU0rOu1qZeL6wlDJr10Q=
--- a/vendor/github.com/containers/buildah/imagebuildah/executor.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/executor.go
@ -115,6 +115,7 @@ type Executor struct {
 	imageInfoLock                  sync.Mutex
 	imageInfoCache                 map[string]imageTypeAndHistoryAndDiffIDs
 	fromOverride                   string
+	manifest                       string
 }

 type imageTypeAndHistoryAndDiffIDs struct {
@ -231,6 +232,7 @@ func NewExecutor(store storage.Store, options BuildOptions, mainNode *parser.Nod
 		logRusage:                      options.LogRusage,
 		imageInfoCache:                 make(map[string]imageTypeAndHistoryAndDiffIDs),
 		fromOverride:                   options.From,
+		manifest:                       options.Manifest,
 	}
 	if exec.err == nil {
 		exec.err = os.Stderr
@ -679,7 +681,7 @@ func (b *Executor) Build(ctx context.Context, stages imagebuilder.Stages) (image
 	}
 	logrus.Debugf("printing final image id %q", imageID)
 	if b.iidfile != "" {
-		if err = ioutil.WriteFile(b.iidfile, []byte(imageID), 0644); err != nil {
+		if err = ioutil.WriteFile(b.iidfile, []byte("sha256:"+imageID), 0644); err != nil {
 			return imageID, ref, errors.Wrapf(err, "failed to write image ID to file %q", b.iidfile)
 		}
 	} else {
--- a/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
@ -838,7 +838,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string,
 		// we need to call ib.Run() to correctly put the args together before
 		// determining if a cached layer with the same build args already exists
 		// and that is done in the if block below.
-		if checkForLayers && s.builder.Args == nil {
+		if checkForLayers && len(s.builder.Args) == 0 {
 			cacheID, err = s.intermediateImageExists(ctx, node, addedContentSummary, s.stepRequiresLayer(step))
 			if err != nil {
 				return "", nil, errors.Wrap(err, "error checking if cached image exists from a previous build")
@ -1276,6 +1276,7 @@ func (s *StageExecutor) commit(ctx context.Context, createdBy string, emptyLayer
 		MaxRetries:            s.executor.maxPullPushRetries,
 		RetryDelay:            s.executor.retryPullPushDelay,
 		HistoryTimestamp:      s.executor.timestamp,
+		Manifest:              s.executor.manifest,
 	}
 	imgID, _, manifestDigest, err := s.builder.Commit(ctx, imageRef, options)
 	if err != nil {
--- a/vendor/github.com/containers/buildah/run_linux.go
+++ b/vendor/github.com/containers/buildah/run_linux.go
@ -2210,7 +2210,7 @@ func checkAndOverrideIsolationOptions(isolation Isolation, options *RunOptions)
 	case IsolationOCI:
 		pidns := options.NamespaceOptions.Find(string(specs.PIDNamespace))
 		userns := options.NamespaceOptions.Find(string(specs.UserNamespace))
-		if (pidns == nil || pidns.Host) && (userns != nil && !userns.Host) {
+		if (pidns != nil && pidns.Host) && (userns != nil && !userns.Host) {
 			return errors.Errorf("not allowed to mix host PID namespace with container user namespace")
 		}
 	}
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -70,7 +70,7 @@ github.com/containernetworking/plugins/pkg/utils/hwaddr
 github.com/containernetworking/plugins/pkg/utils/sysctl
 github.com/containernetworking/plugins/plugins/ipam/host-local/backend
 github.com/containernetworking/plugins/plugins/ipam/host-local/backend/allocator
-# github.com/containers/buildah v1.19.3
+# github.com/containers/buildah v1.19.4
 github.com/containers/buildah
 github.com/containers/buildah/bind
 github.com/containers/buildah/chroot