mirror of
https://github.com/containers/podman.git
synced 2025-08-24 18:12:25 +08:00
vendor: update buildah to latest
Includes a fix for CVE-2024-9407 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit is contained in:
Paul Holzinger
47
vendor/github.com/containers/buildah/commit.go
generated
vendored
47
vendor/github.com/containers/buildah/commit.go
generated
vendored
@ -24,6 +24,7 @@ import (
|
||||
"github.com/containers/storage/pkg/archive"
|
||||
"github.com/containers/storage/pkg/stringid"
|
||||
digest "github.com/opencontainers/go-digest"
|
||||
v1 "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
"github.com/sirupsen/logrus"
|
||||
"golang.org/x/exp/maps"
|
||||
)
|
||||
@ -120,10 +121,11 @@ type CommitOptions struct {
|
||||
// OverrideConfig is applied.
|
||||
OverrideChanges []string
|
||||
// ExtraImageContent is a map which describes additional content to add
|
||||
// to the committed image. The map's keys are filesystem paths in the
|
||||
// image and the corresponding values are the paths of files whose
|
||||
// contents will be used in their place. The contents will be owned by
|
||||
// 0:0 and have mode 0644. Currently only accepts regular files.
|
||||
// to the new layer in the committed image. The map's keys are
|
||||
// filesystem paths in the image and the corresponding values are the
|
||||
// paths of files whose contents will be used in their place. The
|
||||
// contents will be owned by 0:0 and have mode 0o644. Currently only
|
||||
// accepts regular files.
|
||||
ExtraImageContent map[string]string
|
||||
// SBOMScanOptions encapsulates options which control whether or not we
|
||||
// run scanners on the rootfs that we're about to commit, and how.
|
||||
@ -132,17 +134,32 @@ type CommitOptions struct {
|
||||
// the image in Docker format. Newer BuildKit-based builds don't set
|
||||
// this field.
|
||||
CompatSetParent types.OptionalBool
|
||||
// PrependedLinkedLayers and AppendedLinkedLayers are combinations of
|
||||
// history entries and locations of either directory trees (if
|
||||
// directories, per os.Stat()) or uncompressed layer blobs which should
|
||||
// be added to the image at commit-time. The order of these relative
|
||||
// to PrependedEmptyLayers and AppendedEmptyLayers, and relative to the
|
||||
// corresponding members in the Builder object, in the committed image
|
||||
// is not guaranteed.
|
||||
PrependedLinkedLayers, AppendedLinkedLayers []LinkedLayer
|
||||
}
|
||||
|
||||
var (
|
||||
// storageAllowedPolicyScopes overrides the policy for local storage
|
||||
// to ensure that we can read images from it.
|
||||
storageAllowedPolicyScopes = signature.PolicyTransportScopes{
|
||||
"": []signature.PolicyRequirement{
|
||||
signature.NewPRInsecureAcceptAnything(),
|
||||
},
|
||||
}
|
||||
)
|
||||
// LinkedLayer combines a history entry with the location of either a directory
|
||||
// tree (if it's a directory, per os.Stat()) or an uncompressed layer blob
|
||||
// which should be added to the image at commit-time. The BlobPath and
|
||||
// History.EmptyLayer fields should be considered mutually-exclusive.
|
||||
type LinkedLayer struct {
|
||||
History v1.History // history entry to add
|
||||
BlobPath string // corresponding uncompressed blob file (layer as a tar archive), or directory tree to archive
|
||||
}
|
||||
|
||||
// storageAllowedPolicyScopes overrides the policy for local storage
|
||||
// to ensure that we can read images from it.
|
||||
var storageAllowedPolicyScopes = signature.PolicyTransportScopes{
|
||||
"": []signature.PolicyRequirement{
|
||||
signature.NewPRInsecureAcceptAnything(),
|
||||
},
|
||||
}
|
||||
|
||||
// checkRegistrySourcesAllows checks the $BUILD_REGISTRY_SOURCES environment
|
||||
// variable, if it's set. The contents are expected to be a JSON-encoded
|
||||
@ -348,6 +365,7 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
|
||||
if options.ExtraImageContent == nil {
|
||||
options.ExtraImageContent = make(map[string]string, len(extraImageContent))
|
||||
}
|
||||
// merge in the scanner-generated content
|
||||
for k, v := range extraImageContent {
|
||||
if _, set := options.ExtraImageContent[k]; !set {
|
||||
options.ExtraImageContent[k] = v
|
||||
@ -438,7 +456,7 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
|
||||
logrus.Debugf("removing %v from assigned names to image %q", nameToRemove, img.ID)
|
||||
}
|
||||
if options.IIDFile != "" {
|
||||
if err = os.WriteFile(options.IIDFile, []byte("sha256:"+img.ID), 0644); err != nil {
|
||||
if err = os.WriteFile(options.IIDFile, []byte("sha256:"+img.ID), 0o644); err != nil {
|
||||
return imgID, nil, "", err
|
||||
}
|
||||
}
|
||||
@ -487,7 +505,6 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
|
||||
return imgID, nil, "", err
|
||||
}
|
||||
logrus.Debugf("added imgID %s to manifestID %s", imgID, manifestID)
|
||||
|
||||
}
|
||||
return imgID, ref, manifestDigest, nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user