diff --git a/go.mod b/go.mod
index 38b9266d12..fe2d462e7e 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 github.com/checkpoint-restore/checkpointctl v1.3.0
 github.com/checkpoint-restore/go-criu/v7 v7.2.0
 github.com/containernetworking/plugins v1.6.2
- github.com/containers/buildah v1.40.0
+ github.com/containers/buildah v1.40.1
 github.com/containers/common v0.63.1
 github.com/containers/conmon v2.0.20+incompatible
 github.com/containers/gvisor-tap-vsock v0.8.6
diff --git a/go.sum b/go.sum
index d24c5ff7cc..0ae25f23b4 100644
--- a/go.sum
+++ b/go.sum
@@ -66,8 +66,8 @@ github.com/containernetworking/cni v1.3.0 h1:v6EpN8RznAZj9765HhXQrtXgX+ECGebEYEm
 github.com/containernetworking/cni v1.3.0/go.mod h1:Bs8glZjjFfGPHMw6hQu82RUgEPNGEaBb9KS5KtNMnJ4=
 github.com/containernetworking/plugins v1.6.2 h1:pqP8Mq923TLyef5g97XfJ/xpDeVek4yF8A4mzy9Tc4U=
 github.com/containernetworking/plugins v1.6.2/go.mod h1:SP5UG3jDO9LtmfbBJdP+nl3A1atOtbj2MBOYsnaxy64=
-github.com/containers/buildah v1.40.0 h1:qCHTKnL/UEutxT6ZS8Zvhy7QUpe719jEIeGMSlcN3j4=
-github.com/containers/buildah v1.40.0/go.mod h1:U6qj0nseq6t97T2kkNpjgo0WBVRYIXASIOlS5eWvlhM=
+github.com/containers/buildah v1.40.1 h1:RW+Fbelwblzg1mJfKfyGZPS4Nbc5QtT866fJ9pYFtYo=
+github.com/containers/buildah v1.40.1/go.mod h1:1UCQBc3LZrT4u5R/u7igGgUQxeDlJmn/OyYDQ9mumFk=
 github.com/containers/common v0.63.1 h1:6g02gbW34PaRVH4Heb2Pk11x0SdbQ+8AfeKKeQGqYBE=
 github.com/containers/common v0.63.1/go.mod h1:+3GCotSqNdIqM3sPs152VvW7m5+Mg8Kk+PExT3G9hZw=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
diff --git a/vendor/github.com/containers/buildah/.cirrus.yml b/vendor/github.com/containers/buildah/.cirrus.yml
index 4a7bc5c17a..6195c8a567 100644
--- a/vendor/github.com/containers/buildah/.cirrus.yml
+++ b/vendor/github.com/containers/buildah/.cirrus.yml
@@ -6,7 +6,7 @@ env: #### Global variables used for all tasks #### # Name of the ultimate destination branch for this CI run, PR or post-merge. - DEST_BRANCH: "main" + DEST_BRANCH: "release-1.40" GOPATH: "/var/tmp/go" GOSRC: "${GOPATH}/src/github.com/containers/buildah" GOCACHE: "/tmp/go-build" @@ -22,18 +22,20 @@ env: IN_PODMAN: 'false' # root or rootless PRIV_NAME: root + # default "mention the $BUILDAH_RUNTIME in the task alias, with initial whitespace" value + RUNTIME_N: "" #### #### Cache-image names to test with #### # GCE project where images live IMAGE_PROJECT: "libpod-218412" - FEDORA_NAME: "fedora-41" - PRIOR_FEDORA_NAME: "fedora-40" + FEDORA_NAME: "fedora-42" + PRIOR_FEDORA_NAME: "fedora-41" DEBIAN_NAME: "debian-13" # Image identifiers - IMAGE_SUFFIX: "c20250324t111922z-f41f40d13" + IMAGE_SUFFIX: "c20250422t130822z-f42f41d13" FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}" PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}" DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}" @@ -122,7 +124,7 @@ vendor_task: # Runs within Cirrus's "community cluster" container: - image: docker.io/library/golang:1.23 + image: docker.io/library/golang:1.23.3 cpu: 1 memory: 1 @@ -196,7 +198,7 @@ conformance_task: integration_task: - name: "Integration $DISTRO_NV w/ $STORAGE_DRIVER" + name: "Integration $DISTRO_NV$RUNTIME_N w/ $STORAGE_DRIVER" alias: integration skip: *not_build_docs depends_on: *smoke_vendor 
@@ -207,11 +209,26 @@ integration_task: DISTRO_NV: "${FEDORA_NAME}" IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}" STORAGE_DRIVER: 'vfs' - # Disabled until we update to f41/42 as f40 does not have go 1.22 - # - env: - # DISTRO_NV: "${PRIOR_FEDORA_NAME}" - # IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" - # STORAGE_DRIVER: 'vfs' + BUILDAH_RUNTIME: crun + RUNTIME_N: " using crun" + - env: + DISTRO_NV: "${FEDORA_NAME}" + IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'vfs' + BUILDAH_RUNTIME: runc + RUNTIME_N: " using runc" + - env: + DISTRO_NV: "${PRIOR_FEDORA_NAME}" + IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'vfs' + BUILDAH_RUNTIME: crun + RUNTIME_N: " using crun" + - env: + DISTRO_NV: "${PRIOR_FEDORA_NAME}" + IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'vfs' + BUILDAH_RUNTIME: runc + RUNTIME_N: " using runc" - env: DISTRO_NV: "${DEBIAN_NAME}" IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}" @@ -221,11 +238,26 @@ integration_task: DISTRO_NV: "${FEDORA_NAME}" IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}" STORAGE_DRIVER: 'overlay' - # Disabled until we update to f41/42 as f40 does not have go 1.22 - # - env: - # DISTRO_NV: "${PRIOR_FEDORA_NAME}" - # IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" - # STORAGE_DRIVER: 'overlay' + BUILDAH_RUNTIME: crun + RUNTIME_N: " using crun" + - env: + DISTRO_NV: "${FEDORA_NAME}" + IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'overlay' + BUILDAH_RUNTIME: runc + RUNTIME_N: " using runc" + - env: + DISTRO_NV: "${PRIOR_FEDORA_NAME}" + IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'overlay' + BUILDAH_RUNTIME: crun + RUNTIME_N: " using crun" + - env: + DISTRO_NV: "${PRIOR_FEDORA_NAME}" + IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'overlay' + BUILDAH_RUNTIME: runc + RUNTIME_N: " using runc" - env: DISTRO_NV: "${DEBIAN_NAME}" IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}" 
@@ -255,7 +287,7 @@ integration_task: golang_version_script: '$GOSRC/$SCRIPT_BASE/logcollector.sh golang' integration_rootless_task: - name: "Integration rootless $DISTRO_NV w/ $STORAGE_DRIVER" + name: "Integration rootless $DISTRO_NV$RUNTIME_N w/ $STORAGE_DRIVER" alias: integration_rootless skip: *not_build_docs depends_on: *smoke_vendor @@ -268,12 +300,29 @@ integration_rootless_task: IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}" STORAGE_DRIVER: 'overlay' PRIV_NAME: rootless - # Disabled until we update to f40/41 as f39 does not have go 1.22 - # - env: - # DISTRO_NV: "${PRIOR_FEDORA_NAME}" - # IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" - # STORAGE_DRIVER: 'overlay' - # PRIV_NAME: rootless + BUILDAH_RUNTIME: runc + RUNTIME_N: " using runc" + - env: + DISTRO_NV: "${FEDORA_NAME}" + IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'overlay' + PRIV_NAME: rootless + BUILDAH_RUNTIME: crun + RUNTIME_N: " using crun" + - env: + DISTRO_NV: "${PRIOR_FEDORA_NAME}" + IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'overlay' + PRIV_NAME: rootless + BUILDAH_RUNTIME: runc + RUNTIME_N: " using runc" + - env: + DISTRO_NV: "${PRIOR_FEDORA_NAME}" + IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'overlay' + PRIV_NAME: rootless + BUILDAH_RUNTIME: crun + RUNTIME_N: " using crun" - env: DISTRO_NV: "${DEBIAN_NAME}" IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}" diff --git a/vendor/github.com/containers/buildah/CHANGELOG.md b/vendor/github.com/containers/buildah/CHANGELOG.md index 09021936e5..6dc3b86bb8 100644 --- a/vendor/github.com/containers/buildah/CHANGELOG.md +++ b/vendor/github.com/containers/buildah/CHANGELOG.md 
@@ -2,6 +2,16 @@ # Changelog +## v1.40.1 (2025-06-04) + + vendor: update c/common to v0.63.1 + CI: run integration tests on Fedora with both crun and runc + buildah-build(1): clarify that --cgroup-parent affects RUN instructions + runUsingRuntime: use named constants for runtime states + Add a dummy "runtime" that just dumps its config file + run: handle relabeling bind mounts ourselves + Tweak our handling of variant values, again + ## v1.40.0 (2025-04-17) Bump c/storage to v1.58.0, c/image v5.35.0, c/common v0.63.0 diff --git a/vendor/github.com/containers/buildah/Makefile b/vendor/github.com/containers/buildah/Makefile index 53982bf23c..b8006aac07 100644 --- a/vendor/github.com/containers/buildah/Makefile +++ b/vendor/github.com/containers/buildah/Makefile @@ -59,7 +59,7 @@ export GOLANGCI_LINT_VERSION := 2.1.0 # Note: Uses the -N -l go compiler options to disable compiler optimizations # and inlining. Using these build options allows you to subsequently # use source debugging tools like delve. -all: bin/buildah bin/imgtype bin/copy bin/inet bin/tutorial docs +all: bin/buildah bin/imgtype bin/copy bin/inet bin/tutorial bin/dumpspec docs # Update nix/nixpkgs.json its latest stable commit .PHONY: nixpkgs @@ -107,6 +107,9 @@ bin/buildah.%: $(SOURCES) mkdir -p ./bin GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ -tags "containers_image_openpgp" ./cmd/buildah +bin/dumpspec: $(SOURCES) + $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/dumpspec + bin/imgtype: $(SOURCES) $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/imgtype/imgtype.go diff --git a/vendor/github.com/containers/buildah/changelog.txt b/vendor/github.com/containers/buildah/changelog.txt index 182a6afea5..77702e1c86 100644 --- a/vendor/github.com/containers/buildah/changelog.txt +++ b/vendor/github.com/containers/buildah/changelog.txt 
@@ -1,3 +1,12 @@ +- Changelog for v1.40.1 (2025-06-04) + * vendor: update c/common to v0.63.1 + * CI: run integration tests on Fedora with both crun and runc + * buildah-build(1): clarify that --cgroup-parent affects RUN instructions + * runUsingRuntime: use named constants for runtime states + * Add a dummy "runtime" that just dumps its config file + * run: handle relabeling bind mounts ourselves + * Tweak our handling of variant values, again + - Changelog for v1.40.0 (2025-04-17) * Bump c/storage to v1.58.0, c/image v5.35.0, c/common v0.63.0 * fix(deps): update module github.com/docker/docker to v28.1.0+incompatible diff --git a/vendor/github.com/containers/buildah/chroot/pty_unsupported.go b/vendor/github.com/containers/buildah/chroot/pty_unsupported.go deleted file mode 100644 index 5b6a67d582..0000000000 --- a/vendor/github.com/containers/buildah/chroot/pty_unsupported.go +++ /dev/null @@ -1,11 +0,0 @@ -//go:build !linux && !(freebsd && cgo) - -package chroot - -import ( - "errors" -) - -func getPtyDescriptors() (int, int, error) { - return -1, -1, errors.New("getPtyDescriptors not supported on this platform") -} diff --git a/vendor/github.com/containers/buildah/chroot/run_common.go b/vendor/github.com/containers/buildah/chroot/run_common.go index 895b4065ba..8e94ff73d7 100644 --- a/vendor/github.com/containers/buildah/chroot/run_common.go +++ b/vendor/github.com/containers/buildah/chroot/run_common.go @@ -18,6 +18,7 @@ import ( "syscall" "github.com/containers/buildah/bind" + "github.com/containers/buildah/internal/pty" "github.com/containers/buildah/util" "github.com/containers/storage/pkg/ioutils" "github.com/containers/storage/pkg/reexec" @@ -217,7 +218,7 @@ func runUsingChrootMain() { var stderr io.Writer fdDesc := make(map[int]string) if options.Spec.Process.Terminal { - ptyMasterFd, ptyFd, err := getPtyDescriptors() + ptyMasterFd, ptyFd, err := pty.GetPtyDescriptors() if err != nil { logrus.Errorf("error opening PTY descriptors: %v", err) os.Exit(1) 
diff --git a/vendor/github.com/containers/buildah/config.go b/vendor/github.com/containers/buildah/config.go index dacee92c3e..6e75dfe093 100644 --- a/vendor/github.com/containers/buildah/config.go +++ b/vendor/github.com/containers/buildah/config.go @@ -146,18 +146,9 @@ func (b *Builder) fixupConfig(sys *types.SystemContext) { if b.Architecture() == "" { if sys != nil && sys.ArchitectureChoice != "" { b.SetArchitecture(sys.ArchitectureChoice) - } else { - b.SetArchitecture(currentPlatformSpecification.Architecture) - } - // in case the arch string we started with was shorthand for a known arch+variant pair, normalize it - ps := internalUtil.NormalizePlatform(ociv1.Platform{OS: b.OS(), Architecture: b.Architecture(), Variant: b.Variant()}) - b.SetArchitecture(ps.Architecture) - b.SetVariant(ps.Variant) - } - if b.Variant() == "" { - if sys != nil && sys.VariantChoice != "" { b.SetVariant(sys.VariantChoice) } else { + b.SetArchitecture(currentPlatformSpecification.Architecture) b.SetVariant(currentPlatformSpecification.Variant) } // in case the arch string we started with was shorthand for a known arch+variant pair, normalize it diff --git a/vendor/github.com/containers/buildah/define/types.go b/vendor/github.com/containers/buildah/define/types.go index c78e4ce21c..9fa643ca48 100644 --- a/vendor/github.com/containers/buildah/define/types.go +++ b/vendor/github.com/containers/buildah/define/types.go @@ -29,7 +29,7 @@ const ( // identify working containers. Package = "buildah" // Version for the Package. Also used by .packit.sh for Packit builds. - Version = "1.40.0" + Version = "1.40.1" // DefaultRuntime if containers.conf fails. DefaultRuntime = "runc" 
diff --git a/vendor/github.com/containers/buildah/chroot/pty_posix.go b/vendor/github.com/containers/buildah/internal/pty/pty_posix.go similarity index 87% rename from vendor/github.com/containers/buildah/chroot/pty_posix.go rename to vendor/github.com/containers/buildah/internal/pty/pty_posix.go index 827ed97471..56383da478 100644 --- a/vendor/github.com/containers/buildah/chroot/pty_posix.go +++ b/vendor/github.com/containers/buildah/internal/pty/pty_posix.go @@ -1,6 +1,6 @@ //go:build freebsd && cgo -package chroot +package pty // #include // #include @@ -37,7 +37,9 @@ func unlockpt(fd int) error { return nil } -func getPtyDescriptors() (int, int, error) { +// GetPtyDescriptors allocates a new pseudoterminal and returns the control and +// pseudoterminal file descriptors. +func GetPtyDescriptors() (int, int, error) { // Create a pseudo-terminal and open the control side controlFd, err := openpt() if err != nil { diff --git a/vendor/github.com/containers/buildah/chroot/pty_ptmx.go b/vendor/github.com/containers/buildah/internal/pty/pty_ptmx.go similarity index 82% rename from vendor/github.com/containers/buildah/chroot/pty_ptmx.go rename to vendor/github.com/containers/buildah/internal/pty/pty_ptmx.go index 53b35760b3..d60d2d814f 100644 --- a/vendor/github.com/containers/buildah/chroot/pty_ptmx.go +++ b/vendor/github.com/containers/buildah/internal/pty/pty_ptmx.go @@ -1,6 +1,6 @@ //go:build linux -package chroot +package pty import ( "fmt" 
@@ -11,9 +11,11 @@ import ( "golang.org/x/sys/unix" ) -// Open a PTY using the /dev/ptmx device. The main advantage of using -// this instead of posix_openpt is that it avoids cgo. -func getPtyDescriptors() (int, int, error) { +// GetPtyDescriptors allocates a new pseudoterminal and returns the control and +// pseudoterminal file descriptors. This implementation uses the /dev/ptmx +// device. The main advantage of using this instead of posix_openpt is that it +// avoids cgo. +func GetPtyDescriptors() (int, int, error) { // Create a pseudo-terminal -- open a copy of the master side. controlFd, err := unix.Open("/dev/ptmx", os.O_RDWR, 0o600) if err != nil { diff --git a/vendor/github.com/containers/buildah/internal/pty/pty_unsupported.go b/vendor/github.com/containers/buildah/internal/pty/pty_unsupported.go new file mode 100644 index 0000000000..1041639439 --- /dev/null +++ b/vendor/github.com/containers/buildah/internal/pty/pty_unsupported.go @@ -0,0 +1,13 @@ +//go:build !linux && !(freebsd && cgo) + +package pty + +import ( + "errors" +) + +// GetPtyDescriptors would allocate a new pseudoterminal and return the control and +// pseudoterminal file descriptors, if only it could. +func GetPtyDescriptors() (int, int, error) { + return -1, -1, errors.New("GetPtyDescriptors not supported on this platform") +} diff --git a/vendor/github.com/containers/buildah/run_common.go b/vendor/github.com/containers/buildah/run_common.go index a3d382f28c..3448c47250 100644 --- a/vendor/github.com/containers/buildah/run_common.go +++ b/vendor/github.com/containers/buildah/run_common.go 
@@ -696,8 +696,9 @@ func runUsingRuntime(options RunOptions, configureNetwork bool, moreCreateArgs [ return 1, fmt.Errorf("parsing container state %q from %s: %w", string(stateOutput), runtime, err) } switch state.Status { - case "running": - case "stopped": + case specs.StateCreating, specs.StateCreated, specs.StateRunning: + // all fine + case specs.StateStopped: atomic.StoreUint32(&stopped, 1) default: return 1, fmt.Errorf("container status unexpectedly changed to %q", state.Status) diff --git a/vendor/github.com/containers/buildah/run_linux.go b/vendor/github.com/containers/buildah/run_linux.go index 9a55cba3b7..584507ae4e 100644 --- a/vendor/github.com/containers/buildah/run_linux.go +++ b/vendor/github.com/containers/buildah/run_linux.go @@ -543,6 +543,33 @@ rootless=%d defer b.cleanupTempVolumes() + // Handle mount flags that request that the source locations for "bind" mountpoints be + // relabeled, and filter those flags out of the list of mount options we pass to the + // runtime. + for i := range spec.Mounts { + switch spec.Mounts[i].Type { + default: + continue + case "bind", "rbind": + // all good, keep going + } + zflag := "" + for _, opt := range spec.Mounts[i].Options { + if opt == "z" || opt == "Z" { + zflag = opt + } + } + if zflag == "" { + continue + } + spec.Mounts[i].Options = slices.DeleteFunc(spec.Mounts[i].Options, func(opt string) bool { + return opt == "z" || opt == "Z" + }) + if err := relabel(spec.Mounts[i].Source, b.MountLabel, zflag == "z"); err != nil { + return fmt.Errorf("setting file label %q on %q: %w", b.MountLabel, spec.Mounts[i].Source, err) + } + } + switch isolation { case define.IsolationOCI: var moreCreateArgs []string 
@@ -1139,16 +1166,19 @@ func (b *Builder) runSetupVolumeMounts(mountLabel string, volumeMounts []string, if err := relabel(host, mountLabel, true); err != nil { return specs.Mount{}, err } + options = slices.DeleteFunc(options, func(o string) bool { return o == "z" }) } if foundZ { if err := relabel(host, mountLabel, false); err != nil { return specs.Mount{}, err } + options = slices.DeleteFunc(options, func(o string) bool { return o == "Z" }) } if foundU { if err := chown.ChangeHostPathOwnership(host, true, idMaps.processUID, idMaps.processGID); err != nil { return specs.Mount{}, err } + options = slices.DeleteFunc(options, func(o string) bool { return o == "U" }) } if foundO { if (upperDir != "" && workDir == "") || (workDir != "" && upperDir == "") { diff --git a/vendor/modules.txt b/vendor/modules.txt index 46541e9373..a4e861384e 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -110,7 +110,7 @@ github.com/containernetworking/cni/pkg/version # github.com/containernetworking/plugins v1.6.2 ## explicit; go 1.23 github.com/containernetworking/plugins/pkg/ns -# github.com/containers/buildah v1.40.0 +# github.com/containers/buildah v1.40.1 ## explicit; go 1.23.3 github.com/containers/buildah github.com/containers/buildah/bind @@ -125,6 +125,7 @@ github.com/containers/buildah/internal/mkcw github.com/containers/buildah/internal/mkcw/types github.com/containers/buildah/internal/open github.com/containers/buildah/internal/parse +github.com/containers/buildah/internal/pty github.com/containers/buildah/internal/sbom github.com/containers/buildah/internal/tmpdir github.com/containers/buildah/internal/util