opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-12-04 20:28:40 +08:00
Code Issues Packages Projects Releases Wiki Activity

Bump to Buildah v1.13.1

Browse Source 
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
This commit is contained in:
TomSweeneyRedHat
2020-01-14 14:46:46 -05:00
parent 564bd693ca
commit f5bda9994d
123 changed files with 6487 additions and 3192 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
vendor/github.com/containers/buildah/pkg/chrootuser/user.go generated vendored
View File

@@ -25,9 +25,11 @@ func GetUser(rootdir, userspec string) (uint32, uint32, string, error) {
spec := strings.SplitN(userspec, ":", 2)
userspec = spec[0]
groupspec := ""
if userspec == "" {
return 0, 0, "/", nil
userspec = "0"
}
if len(spec) > 1 {
groupspec = spec[1]
}

2
vendor/github.com/containers/buildah/pkg/cli/common.go generated vendored
View File

@@ -209,7 +209,7 @@ func GetFromAndBudFlags(flags *FromAndBudResults, usernsResults *UserNSResults,
fs.StringArrayVar(&flags.SecurityOpt, "security-opt", []string{}, "security options (default [])")
fs.StringVar(&flags.ShmSize, "shm-size", "65536k", "size of '/dev/shm'. The format is `<number><unit>`.")
fs.StringSliceVar(&flags.Ulimit, "ulimit", []string{}, "ulimit options (default [])")
fs.StringSliceVarP(&flags.Volumes, "volume", "v", []string{}, "bind mount a volume into the container (default [])")
fs.StringArrayVarP(&flags.Volumes, "volume", "v", []string{}, "bind mount a volume into the container (default [])")
// Add in the usernamespace and namespaceflags
usernsFlags := GetUserNSFlags(usernsResults)

112
vendor/github.com/containers/buildah/pkg/overlay/overlay.go generated vendored
View File

@@ -9,46 +9,48 @@ import (
"strings"
"github.com/containers/common/pkg/unshare"
"github.com/containers/storage"
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/system"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"golang.org/x/sys/unix"
)
// MountTemp creates a subdir of the contentDir based on the source directory
// from the source system. It then mounts up the source directory on to the
// generated mount point and returns the mount point to the caller.
func MountTemp(store storage.Store, containerID, source, dest string, rootUID, rootGID int) (mount specs.Mount, contentDir string, Err error) {
// TempDir generates an overlay Temp directory in the container content
func TempDir(containerDir string, rootUID, rootGID int) (string, error) {
containerDir, err := store.ContainerDirectory(containerID)
if err != nil {
return mount, "", err
}
contentDir = filepath.Join(containerDir, "overlay")
contentDir := filepath.Join(containerDir, "overlay")
if err := idtools.MkdirAllAs(contentDir, 0700, rootUID, rootGID); err != nil {
return mount, "", errors.Wrapf(err, "failed to create the overlay %s directory", contentDir)
return "", errors.Wrapf(err, "failed to create the overlay %s directory", contentDir)
}
contentDir, err = ioutil.TempDir(contentDir, "")
contentDir, err := ioutil.TempDir(contentDir, "")
if err != nil {
return mount, "", errors.Wrapf(err, "failed to create TempDir in the overlay %s directory", contentDir)
return "", errors.Wrapf(err, "failed to create the overlay tmpdir in %s directory", contentDir)
}
defer func() {
if Err != nil {
os.RemoveAll(contentDir)
}
}()
upperDir := filepath.Join(contentDir, "upper")
workDir := filepath.Join(contentDir, "work")
if err := idtools.MkdirAllAs(upperDir, 0700, rootUID, rootGID); err != nil {
return mount, "", errors.Wrapf(err, "failed to create the overlay %s directory", upperDir)
return "", errors.Wrapf(err, "failed to create the overlay %s directory", upperDir)
}
if err := idtools.MkdirAllAs(workDir, 0700, rootUID, rootGID); err != nil {
return mount, "", errors.Wrapf(err, "failed to create the overlay %s directory", workDir)
return "", errors.Wrapf(err, "failed to create the overlay %s directory", workDir)
}
mergeDir := filepath.Join(contentDir, "merge")
if err := idtools.MkdirAllAs(mergeDir, 0700, rootUID, rootGID); err != nil {
return "", errors.Wrapf(err, "failed to create the overlay %s directory", mergeDir)
}
return contentDir, nil
}
// Mount creates a subdir of the contentDir based on the source directory
// from the source system. It then mounts up the source directory on to the
// generated mount point and returns the mount point to the caller.
func Mount(contentDir, source, dest string, rootUID, rootGID int, graphOptions []string) (mount specs.Mount, Err error) {
upperDir := filepath.Join(contentDir, "upper")
workDir := filepath.Join(contentDir, "work")
mergeDir := filepath.Join(contentDir, "merge")
overlayOptions := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s,private", source, upperDir, workDir)
if unshare.IsRootless() {
@@ -60,36 +62,30 @@ func MountTemp(store storage.Store, containerID, source, dest string, rootUID, r
"overlay2.mount_program": true,
}
for _, i := range store.GraphOptions() {
for _, i := range graphOptions {
s := strings.SplitN(i, "=", 2)
if len(s) != 2 {
continue
}
k := s[0]
v := s[1]
if mountMap[k] {
mountProgram = v
key := s[0]
val := s[1]
if mountMap[key] {
mountProgram = val
break
}
}
if mountProgram != "" {
mergeDir := filepath.Join(contentDir, "merge")
if err := idtools.MkdirAllAs(mergeDir, 0700, rootUID, rootGID); err != nil {
return mount, "", errors.Wrapf(err, "failed to create the overlay %s directory", mergeDir)
}
cmd := exec.Command(mountProgram, "-o", overlayOptions, mergeDir)
if err := cmd.Run(); err != nil {
return mount, "", errors.Wrapf(err, "exec %s", mountProgram)
return mount, errors.Wrapf(err, "exec %s", mountProgram)
}
mount.Source = mergeDir
mount.Destination = dest
mount.Type = "bind"
mount.Options = []string{"bind", "slave"}
return mount, contentDir, nil
return mount, nil
}
/* If a mount_program is not specified, fallback to try mount native overlay. */
}
@@ -99,23 +95,59 @@ func MountTemp(store storage.Store, containerID, source, dest string, rootUID, r
mount.Type = "overlay"
mount.Options = strings.Split(overlayOptions, ",")
return mount, contentDir, nil
return mount, nil
}
// RemoveTemp removes temporary mountpoint and all content from its parent
// directory
func RemoveTemp(contentDir string) error {
if unshare.IsRootless() {
mergeDir := filepath.Join(contentDir, "merge")
if err := unix.Unmount(mergeDir, 0); err != nil {
if !os.IsNotExist(err) {
return errors.Wrapf(err, "unmount overlay %s", mergeDir)
}
if err := Unmount(contentDir); err != nil {
return err
}
}
return os.RemoveAll(contentDir)
}
// Unmount the overlay mountpoint
func Unmount(contentDir string) (Err error) {
mergeDir := filepath.Join(contentDir, "merge")
if err := unix.Unmount(mergeDir, 0); err != nil && !os.IsNotExist(err) {
return errors.Wrapf(err, "unmount overlay %s", mergeDir)
}
return nil
}
func recreate(contentDir string) error {
st, err := system.Stat(contentDir)
if err != nil {
if os.IsNotExist(err) {
return nil
}
return errors.Wrapf(err, "failed to stat overlay upper %s directory", contentDir)
}
if err := os.RemoveAll(contentDir); err != nil {
return errors.Wrapf(err, "failed to cleanup overlay %s directory", contentDir)
}
if err := idtools.MkdirAllAs(contentDir, os.FileMode(st.Mode()), int(st.UID()), int(st.GID())); err != nil {
return errors.Wrapf(err, "failed to create the overlay %s directory", contentDir)
}
return nil
}
// CleanupMount removes all temporary mountpoint content
func CleanupMount(contentDir string) (Err error) {
if err := recreate(filepath.Join(contentDir, "upper")); err != nil {
return err
}
if err := recreate(filepath.Join(contentDir, "work")); err != nil {
return err
}
return nil
}
// CleanupContent removes all temporary mountpoint and all content from
// directory
func CleanupContent(containerDir string) (Err error) {

10
vendor/github.com/containers/buildah/pkg/parse/parse.go generated vendored
View File

@@ -102,7 +102,7 @@ func CommonBuildOptions(c *cobra.Command) (*buildah.CommonBuildOptions, error) {
if _, err := units.FromHumanSize(c.Flag("shm-size").Value.String()); err != nil {
return nil, errors.Wrapf(err, "invalid --shm-size")
}
volumes, _ := c.Flags().GetStringSlice("volume")
volumes, _ := c.Flags().GetStringArray("volume")
if err := Volumes(volumes); err != nil {
return nil, err
}
@@ -589,6 +589,7 @@ func SystemContextFromOptions(c *cobra.Command) (*types.SystemContext, error) {
if arch, err := c.Flags().GetString("override-arch"); err == nil {
ctx.ArchitectureChoice = arch
}
ctx.BigFilesTemporaryDir = GetTempDir()
return ctx, nil
}
@@ -956,3 +957,10 @@ func isValidDeviceMode(mode string) bool {
}
return true
}
func GetTempDir() string {
if tmpdir, ok := os.LookupEnv("TMPDIR"); ok {
return tmpdir
}
return "/var/tmp"
}

48
vendor/github.com/containers/buildah/pkg/secrets/secrets.go generated vendored
View File

@@ -148,12 +148,21 @@ func getMountsMap(path string) (string, string, error) {
}
// SecretMounts copies, adds, and mounts the secrets to the container root filesystem
// Deprecated, Please use SecretMountWithUIDGID
func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
}
// SecretMountsWithUIDGID specifies the uid/gid of the owner
func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem
// mountLabel: MAC/SELinux label for container content
// containerWorkingDir: Private data for storing secrets on the host mounted in container.
// mountFile: Additional mount points required for the container.
// mountPoint: Container image mountpoint
// uid: to assign to content created for secrets
// gid: to assign to content created for secrets
// rootless: indicates whether container is running in rootless mode
// disableFips: indicates whether system should ignore fips mode
func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
var (
secretMounts []rspec.Mount
mountFiles []string
@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
}
for _, file := range mountFiles {
if _, err := os.Stat(file); err == nil {
mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
if err != nil {
logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err)
}
@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
// Add FIPS mode secret if /etc/system-fips exists on the host
_, err := os.Stat("/etc/system-fips")
if err == nil {
if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
logrus.Errorf("error adding FIPS mode secret to container: %v", err)
}
} else if os.IsNotExist(err) {
@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid int) error {
// addSecretsFromMountsFile copies the contents of host directory to container directory
// and returns a list of mounts
func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
var mounts []rspec.Mount
defaultMountsPaths := getMounts(filePath)
for _, path := range defaultMountsPaths {
@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
}
m := rspec.Mount{
Source: filepath.Join(mountPrefix, ctrDirOrFile),
Source: ctrDirOrFileOnHost,
Destination: ctrDirOrFile,
Type: "bind",
Options: []string{"bind", "rprivate"},
@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
// root filesystem if /etc/system-fips exists on hosts.
// This enables the container to be FIPS compliant and run openssl in
// FIPS mode as the host is also in FIPS mode.
func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
secretsDir := "/run/secrets"
ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
return errors.Wrapf(err, "making container directory on host failed")
return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost)
}
if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
return errors.Wrap(err, "error applying correct labels")
return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost)
}
}
fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
if !mountExists(*mounts, secretsDir) {
m := rspec.Mount{
Source: filepath.Join(mountPrefix, secretsDir),
Source: ctrDirOnHost,
Destination: secretsDir,
Type: "bind",
Options: []string{"bind", "rprivate"},
@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
*mounts = append(*mounts, m)
}
srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
destDir := "/etc/crypto-policies/back-ends"
srcOnHost := filepath.Join(mountPoint, srcBackendDir)
if _, err := os.Stat(srcOnHost); err != nil {
if os.IsNotExist(err) {
return nil
}
return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost)
}
if !mountExists(*mounts, destDir) {
m := rspec.Mount{
Source: srcOnHost,
Destination: destDir,
Type: "bind",
Options: []string{"bind", "rprivate"},
}
*mounts = append(*mounts, m)
}
return nil
}