package parse // this package should contain functions that parse and validate // user input and is shared either amongst buildah subcommands or // would be useful to projects vendoring buildah import ( "fmt" "net" "os" "path/filepath" "runtime" "strconv" "strings" "unicode" "github.com/containers/buildah/define" "github.com/containers/buildah/pkg/sshagent" "github.com/containers/common/pkg/parse" "github.com/containers/image/v5/types" "github.com/containers/storage/pkg/idtools" "github.com/containers/storage/pkg/unshare" units "github.com/docker/go-units" specs "github.com/opencontainers/runtime-spec/specs-go" "github.com/pkg/errors" "github.com/sirupsen/logrus" "github.com/spf13/cobra" "golang.org/x/term" ) const ( // SeccompDefaultPath defines the default seccomp path SeccompDefaultPath = "/usr/share/containers/seccomp.json" // SeccompOverridePath if this exists it overrides the default seccomp path SeccompOverridePath = "/etc/crio/seccomp.json" // TypeBind is the type for mounting host dir TypeBind = "bind" // TypeTmpfs is the type for mounting tmpfs TypeTmpfs = "tmpfs" ) var ( errBadMntOption = errors.Errorf("invalid mount option") errDuplicateDest = errors.Errorf("duplicate mount destination") optionArgError = errors.Errorf("must provide an argument for option") noDestError = errors.Errorf("must set volume destination") ) // CommonBuildOptions parses the build options from the bud cli func CommonBuildOptions(c *cobra.Command) (*define.CommonBuildOptions, error) { var ( memoryLimit int64 memorySwap int64 noDNS bool err error ) memVal, _ := c.Flags().GetString("memory") if memVal != "" { memoryLimit, err = units.RAMInBytes(memVal) if err != nil { return nil, errors.Wrapf(err, "invalid value for memory") } } memSwapValue, _ := c.Flags().GetString("memory-swap") if memSwapValue != "" { memorySwap, err = units.RAMInBytes(memSwapValue) if err != nil { return nil, errors.Wrapf(err, "invalid value for memory-swap") } } addHost, _ := c.Flags().GetStringSlice("add-host") if len(addHost) > 0 { for _, host := range addHost { if err := validateExtraHost(host); err != nil { return nil, errors.Wrapf(err, "invalid value for add-host") } } } noDNS = false dnsServers := []string{} if c.Flag("dns").Changed { dnsServers, _ = c.Flags().GetStringSlice("dns") for _, server := range dnsServers { if strings.ToLower(server) == "none" { noDNS = true } } if noDNS && len(dnsServers) > 1 { return nil, errors.Errorf("invalid --dns, --dns=none may not be used with any other --dns options") } } dnsSearch := []string{} if c.Flag("dns-search").Changed { dnsSearch, _ = c.Flags().GetStringSlice("dns-search") if noDNS && len(dnsSearch) > 0 { return nil, errors.Errorf("invalid --dns-search, --dns-search may not be used with --dns=none") } } dnsOptions := []string{} if c.Flag("dns-option").Changed { dnsOptions, _ = c.Flags().GetStringSlice("dns-option") if noDNS && len(dnsOptions) > 0 { return nil, errors.Errorf("invalid --dns-option, --dns-option may not be used with --dns=none") } } if _, err := units.FromHumanSize(c.Flag("shm-size").Value.String()); err != nil { return nil, errors.Wrapf(err, "invalid --shm-size") } volumes, _ := c.Flags().GetStringArray("volume") if err := Volumes(volumes); err != nil { return nil, err } cpuPeriod, _ := c.Flags().GetUint64("cpu-period") cpuQuota, _ := c.Flags().GetInt64("cpu-quota") cpuShares, _ := c.Flags().GetUint64("cpu-shares") httpProxy, _ := c.Flags().GetBool("http-proxy") ulimit := []string{} if c.Flag("ulimit").Changed { ulimit, _ = c.Flags().GetStringSlice("ulimit") } secrets, _ := c.Flags().GetStringArray("secret") sshsources, _ := c.Flags().GetStringArray("ssh") commonOpts := &define.CommonBuildOptions{ AddHost: addHost, CPUPeriod: cpuPeriod, CPUQuota: cpuQuota, CPUSetCPUs: c.Flag("cpuset-cpus").Value.String(), CPUSetMems: c.Flag("cpuset-mems").Value.String(), CPUShares: cpuShares, CgroupParent: c.Flag("cgroup-parent").Value.String(), DNSOptions: dnsOptions, DNSSearch: dnsSearch, DNSServers: dnsServers, HTTPProxy: httpProxy, Memory: memoryLimit, MemorySwap: memorySwap, ShmSize: c.Flag("shm-size").Value.String(), Ulimit: ulimit, Volumes: volumes, Secrets: secrets, SSHSources: sshsources, } securityOpts, _ := c.Flags().GetStringArray("security-opt") if err := parseSecurityOpts(securityOpts, commonOpts); err != nil { return nil, err } return commonOpts, nil } func parseSecurityOpts(securityOpts []string, commonOpts *define.CommonBuildOptions) error { for _, opt := range securityOpts { if opt == "no-new-privileges" { return errors.Errorf("no-new-privileges is not supported") } con := strings.SplitN(opt, "=", 2) if len(con) != 2 { return errors.Errorf("Invalid --security-opt name=value pair: %q", opt) } switch con[0] { case "label": commonOpts.LabelOpts = append(commonOpts.LabelOpts, con[1]) case "apparmor": commonOpts.ApparmorProfile = con[1] case "seccomp": commonOpts.SeccompProfilePath = con[1] default: return errors.Errorf("Invalid --security-opt 2: %q", opt) } } if commonOpts.SeccompProfilePath == "" { if _, err := os.Stat(SeccompOverridePath); err == nil { commonOpts.SeccompProfilePath = SeccompOverridePath } else { if !os.IsNotExist(err) { return errors.WithStack(err) } if _, err := os.Stat(SeccompDefaultPath); err != nil { if !os.IsNotExist(err) { return errors.WithStack(err) } } else { commonOpts.SeccompProfilePath = SeccompDefaultPath } } } return nil } // Volume parses the input of --volume func Volume(volume string) (specs.Mount, error) { mount := specs.Mount{} arr := strings.SplitN(volume, ":", 3) if len(arr) < 2 { return mount, errors.Errorf("incorrect volume format %q, should be host-dir:ctr-dir[:option]", volume) } if err := validateVolumeMountHostDir(arr[0]); err != nil { return mount, err } if err := parse.ValidateVolumeCtrDir(arr[1]); err != nil { return mount, err } mountOptions := "" if len(arr) > 2 { mountOptions = arr[2] if _, err := parse.ValidateVolumeOpts(strings.Split(arr[2], ",")); err != nil { return mount, err } } mountOpts := strings.Split(mountOptions, ",") mount.Source = arr[0] mount.Destination = arr[1] mount.Type = "rbind" mount.Options = mountOpts return mount, nil } // Volumes validates the host and container paths passed in to the --volume flag func Volumes(volumes []string) error { if len(volumes) == 0 { return nil } for _, volume := range volumes { if _, err := Volume(volume); err != nil { return err } } return nil } func getVolumeMounts(volumes []string) (map[string]specs.Mount, error) { finalVolumeMounts := make(map[string]specs.Mount) for _, volume := range volumes { volumeMount, err := Volume(volume) if err != nil { return nil, err } if _, ok := finalVolumeMounts[volumeMount.Destination]; ok { return nil, errors.Wrapf(errDuplicateDest, volumeMount.Destination) } finalVolumeMounts[volumeMount.Destination] = volumeMount } return finalVolumeMounts, nil } // GetVolumes gets the volumes from --volume and --mount func GetVolumes(volumes []string, mounts []string) ([]specs.Mount, error) { unifiedMounts, err := getMounts(mounts) if err != nil { return nil, err } volumeMounts, err := getVolumeMounts(volumes) if err != nil { return nil, err } for dest, mount := range volumeMounts { if _, ok := unifiedMounts[dest]; ok { return nil, errors.Wrapf(errDuplicateDest, dest) } unifiedMounts[dest] = mount } finalMounts := make([]specs.Mount, 0, len(unifiedMounts)) for _, mount := range unifiedMounts { finalMounts = append(finalMounts, mount) } return finalMounts, nil } // getMounts takes user-provided input from the --mount flag and creates OCI // spec mounts. // buildah run --mount type=bind,src=/etc/resolv.conf,target=/etc/resolv.conf ... // buildah run --mount type=tmpfs,target=/dev/shm ... func getMounts(mounts []string) (map[string]specs.Mount, error) { finalMounts := make(map[string]specs.Mount) errInvalidSyntax := errors.Errorf("incorrect mount format: should be --mount type=,[src=,]target=[,options]") // TODO(vrothberg): the manual parsing can be replaced with a regular expression // to allow a more robust parsing of the mount format and to give // precise errors regarding supported format versus supported options. for _, mount := range mounts { arr := strings.SplitN(mount, ",", 2) if len(arr) < 2 { return nil, errors.Wrapf(errInvalidSyntax, "%q", mount) } kv := strings.Split(arr[0], "=") // TODO: type is not explicitly required in Docker. // If not specified, it defaults to "volume". if len(kv) != 2 || kv[0] != "type" { return nil, errors.Wrapf(errInvalidSyntax, "%q", mount) } tokens := strings.Split(arr[1], ",") switch kv[1] { case TypeBind: mount, err := GetBindMount(tokens) if err != nil { return nil, err } if _, ok := finalMounts[mount.Destination]; ok { return nil, errors.Wrapf(errDuplicateDest, mount.Destination) } finalMounts[mount.Destination] = mount case TypeTmpfs: mount, err := GetTmpfsMount(tokens) if err != nil { return nil, err } if _, ok := finalMounts[mount.Destination]; ok { return nil, errors.Wrapf(errDuplicateDest, mount.Destination) } finalMounts[mount.Destination] = mount default: return nil, errors.Errorf("invalid filesystem type %q", kv[1]) } } return finalMounts, nil } // GetBindMount parses a single bind mount entry from the --mount flag. func GetBindMount(args []string) (specs.Mount, error) { newMount := specs.Mount{ Type: TypeBind, } setSource := false setDest := false for _, val := range args { kv := strings.SplitN(val, "=", 2) switch kv[0] { case "bind-nonrecursive": newMount.Options = append(newMount.Options, "bind") case "ro", "nosuid", "nodev", "noexec": // TODO: detect duplication of these options. // (Is this necessary?) newMount.Options = append(newMount.Options, kv[0]) case "readonly": // Alias for "ro" newMount.Options = append(newMount.Options, "ro") case "shared", "rshared", "private", "rprivate", "slave", "rslave", "Z", "z": newMount.Options = append(newMount.Options, kv[0]) case "bind-propagation": if len(kv) == 1 { return newMount, errors.Wrapf(optionArgError, kv[0]) } newMount.Options = append(newMount.Options, kv[1]) case "src", "source": if len(kv) == 1 { return newMount, errors.Wrapf(optionArgError, kv[0]) } if err := parse.ValidateVolumeHostDir(kv[1]); err != nil { return newMount, err } newMount.Source = kv[1] setSource = true case "target", "dst", "destination": if len(kv) == 1 { return newMount, errors.Wrapf(optionArgError, kv[0]) } if err := parse.ValidateVolumeCtrDir(kv[1]); err != nil { return newMount, err } newMount.Destination = kv[1] setDest = true case "consistency": // Option for OS X only, has no meaning on other platforms // and can thus be safely ignored. // See also the handling of the equivalent "delegated" and "cached" in ValidateVolumeOpts default: return newMount, errors.Wrapf(errBadMntOption, kv[0]) } } if !setDest { return newMount, noDestError } if !setSource { newMount.Source = newMount.Destination } opts, err := parse.ValidateVolumeOpts(newMount.Options) if err != nil { return newMount, err } newMount.Options = opts return newMount, nil } // GetTmpfsMount parses a single tmpfs mount entry from the --mount flag func GetTmpfsMount(args []string) (specs.Mount, error) { newMount := specs.Mount{ Type: TypeTmpfs, Source: TypeTmpfs, } setDest := false for _, val := range args { kv := strings.SplitN(val, "=", 2) switch kv[0] { case "ro", "nosuid", "nodev", "noexec": newMount.Options = append(newMount.Options, kv[0]) case "readonly": // Alias for "ro" newMount.Options = append(newMount.Options, "ro") case "tmpfs-mode": if len(kv) == 1 { return newMount, errors.Wrapf(optionArgError, kv[0]) } newMount.Options = append(newMount.Options, fmt.Sprintf("mode=%s", kv[1])) case "tmpfs-size": if len(kv) == 1 { return newMount, errors.Wrapf(optionArgError, kv[0]) } newMount.Options = append(newMount.Options, fmt.Sprintf("size=%s", kv[1])) case "src", "source": return newMount, errors.Errorf("source is not supported with tmpfs mounts") case "target", "dst", "destination": if len(kv) == 1 { return newMount, errors.Wrapf(optionArgError, kv[0]) } if err := parse.ValidateVolumeCtrDir(kv[1]); err != nil { return newMount, err } newMount.Destination = kv[1] setDest = true default: return newMount, errors.Wrapf(errBadMntOption, kv[0]) } } if !setDest { return newMount, noDestError } return newMount, nil } // ValidateVolumeHostDir validates a volume mount's source directory func ValidateVolumeHostDir(hostDir string) error { return parse.ValidateVolumeHostDir(hostDir) } // validates the host path of buildah --volume func validateVolumeMountHostDir(hostDir string) error { if !filepath.IsAbs(hostDir) { return errors.Errorf("invalid host path, must be an absolute path %q", hostDir) } if _, err := os.Stat(hostDir); err != nil { return errors.WithStack(err) } return nil } // ValidateVolumeCtrDir validates a volume mount's destination directory. func ValidateVolumeCtrDir(ctrDir string) error { return parse.ValidateVolumeCtrDir(ctrDir) } // ValidateVolumeOpts validates a volume's options func ValidateVolumeOpts(options []string) ([]string, error) { return parse.ValidateVolumeOpts(options) } // validateExtraHost validates that the specified string is a valid extrahost and returns it. // ExtraHost is in the form of name:ip where the ip has to be a valid ip (ipv4 or ipv6). // for add-host flag func validateExtraHost(val string) error { // allow for IPv6 addresses in extra hosts by only splitting on first ":" arr := strings.SplitN(val, ":", 2) if len(arr) != 2 || len(arr[0]) == 0 { return errors.Errorf("bad format for add-host: %q", val) } if _, err := validateIPAddress(arr[1]); err != nil { return errors.Errorf("invalid IP address in add-host: %q", arr[1]) } return nil } // validateIPAddress validates an Ip address. // for dns, ip, and ip6 flags also func validateIPAddress(val string) (string, error) { var ip = net.ParseIP(strings.TrimSpace(val)) if ip != nil { return ip.String(), nil } return "", errors.Errorf("%s is not an ip address", val) } // SystemContextFromOptions returns a SystemContext populated with values // per the input parameters provided by the caller for the use in authentication. func SystemContextFromOptions(c *cobra.Command) (*types.SystemContext, error) { certDir, err := c.Flags().GetString("cert-dir") if err != nil { certDir = "" } ctx := &types.SystemContext{ DockerCertPath: certDir, } tlsVerify, err := c.Flags().GetBool("tls-verify") if err == nil && c.Flag("tls-verify").Changed { ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!tlsVerify) ctx.OCIInsecureSkipTLSVerify = !tlsVerify ctx.DockerDaemonInsecureSkipTLSVerify = !tlsVerify } disableCompression, err := c.Flags().GetBool("disable-compression") if err == nil { if disableCompression { ctx.OCIAcceptUncompressedLayers = true } else { ctx.DirForceCompress = true } } creds, err := c.Flags().GetString("creds") if err == nil && c.Flag("creds").Changed { var err error ctx.DockerAuthConfig, err = AuthConfig(creds) if err != nil { return nil, err } } sigPolicy, err := c.Flags().GetString("signature-policy") if err == nil && c.Flag("signature-policy").Changed { ctx.SignaturePolicyPath = sigPolicy } authfile, err := c.Flags().GetString("authfile") if err == nil { ctx.AuthFilePath = getAuthFile(authfile) } regConf, err := c.Flags().GetString("registries-conf") if err == nil && c.Flag("registries-conf").Changed { ctx.SystemRegistriesConfPath = regConf } regConfDir, err := c.Flags().GetString("registries-conf-dir") if err == nil && c.Flag("registries-conf-dir").Changed { ctx.RegistriesDirPath = regConfDir } shortNameAliasConf, err := c.Flags().GetString("short-name-alias-conf") if err == nil && c.Flag("short-name-alias-conf").Changed { ctx.UserShortNameAliasConfPath = shortNameAliasConf } ctx.DockerRegistryUserAgent = fmt.Sprintf("Buildah/%s", define.Version) if c.Flag("os") != nil && c.Flag("os").Changed { var os string if os, err = c.Flags().GetString("os"); err != nil { return nil, err } ctx.OSChoice = os } if c.Flag("arch") != nil && c.Flag("arch").Changed { var arch string if arch, err = c.Flags().GetString("arch"); err != nil { return nil, err } ctx.ArchitectureChoice = arch } if c.Flag("variant") != nil && c.Flag("variant").Changed { var variant string if variant, err = c.Flags().GetString("variant"); err != nil { return nil, err } ctx.VariantChoice = variant } if c.Flag("platform") != nil && c.Flag("platform").Changed { var specs []string if specs, err = c.Flags().GetStringSlice("platform"); err != nil { return nil, err } if len(specs) == 0 || specs[0] == "" { return nil, errors.Errorf("unable to parse --platform value %v", specs) } platform := specs[0] os, arch, variant, err := Platform(platform) if err != nil { return nil, err } if ctx.OSChoice != "" || ctx.ArchitectureChoice != "" || ctx.VariantChoice != "" { return nil, errors.Errorf("invalid --platform may not be used with --os, --arch, or --variant") } ctx.OSChoice = os ctx.ArchitectureChoice = arch ctx.VariantChoice = variant } ctx.BigFilesTemporaryDir = GetTempDir() return ctx, nil } func getAuthFile(authfile string) string { if authfile != "" { return authfile } return os.Getenv("REGISTRY_AUTH_FILE") } // PlatformFromOptions parses the operating system (os) and architecture (arch) // from the provided command line options. Deprecated in favor of // PlatformsFromOptions(), but kept here because it's part of our API. func PlatformFromOptions(c *cobra.Command) (os, arch string, err error) { platforms, err := PlatformsFromOptions(c) if err != nil { return "", "", err } if len(platforms) < 1 { return "", "", errors.Errorf("invalid platform syntax for --platform (use OS/ARCH[/VARIANT])") } return platforms[0].OS, platforms[0].Arch, nil } // PlatformsFromOptions parses the operating system (os) and architecture // (arch) from the provided command line options. If --platform used, it // also returns the list of platforms that were passed in as its argument. func PlatformsFromOptions(c *cobra.Command) (platforms []struct{ OS, Arch, Variant string }, err error) { var os, arch, variant string if c.Flag("os").Changed { if os, err = c.Flags().GetString("os"); err != nil { return nil, err } } if c.Flag("arch").Changed { if arch, err = c.Flags().GetString("arch"); err != nil { return nil, err } } if c.Flag("variant").Changed { if variant, err = c.Flags().GetString("variant"); err != nil { return nil, err } } platforms = []struct{ OS, Arch, Variant string }{{os, arch, variant}} if c.Flag("platform").Changed { platforms = nil platformSpecs, err := c.Flags().GetStringSlice("platform") if err != nil { return nil, errors.Wrap(err, "unable to parse platform") } if os != "" || arch != "" || variant != "" { return nil, errors.Errorf("invalid --platform may not be used with --os, --arch, or --variant") } for _, pf := range platformSpecs { if os, arch, variant, err = Platform(pf); err != nil { return nil, errors.Wrapf(err, "unable to parse platform %q", pf) } platforms = append(platforms, struct{ OS, Arch, Variant string }{os, arch, variant}) } } return platforms, nil } const platformSep = "/" // DefaultPlatform returns the standard platform for the current system func DefaultPlatform() string { return runtime.GOOS + platformSep + runtime.GOARCH } // Platform separates the platform string into os, arch and variant, // accepting any of $arch, $os/$arch, or $os/$arch/$variant. func Platform(platform string) (os, arch, variant string, err error) { split := strings.Split(platform, platformSep) switch len(split) { case 3: variant = split[2] fallthrough case 2: arch = split[1] os = split[0] return case 1: if platform == "local" { return Platform(DefaultPlatform()) } } return "", "", "", errors.Errorf("invalid platform syntax for %q (use OS/ARCH[/VARIANT][,...])", platform) } func parseCreds(creds string) (string, string) { if creds == "" { return "", "" } up := strings.SplitN(creds, ":", 2) if len(up) == 1 { return up[0], "" } if up[0] == "" { return "", up[1] } return up[0], up[1] } // AuthConfig parses the creds in format [username[:password] into an auth // config. func AuthConfig(creds string) (*types.DockerAuthConfig, error) { username, password := parseCreds(creds) if username == "" { fmt.Print("Username: ") fmt.Scanln(&username) } if password == "" { fmt.Print("Password: ") termPassword, err := term.ReadPassword(0) if err != nil { return nil, errors.Wrapf(err, "could not read password from terminal") } password = string(termPassword) } return &types.DockerAuthConfig{ Username: username, Password: password, }, nil } // IDMappingOptions parses the build options related to user namespaces and ID mapping. func IDMappingOptions(c *cobra.Command, isolation define.Isolation) (usernsOptions define.NamespaceOptions, idmapOptions *define.IDMappingOptions, err error) { user := c.Flag("userns-uid-map-user").Value.String() group := c.Flag("userns-gid-map-group").Value.String() // If only the user or group was specified, use the same value for the // other, since we need both in order to initialize the maps using the // names. if user == "" && group != "" { user = group } if group == "" && user != "" { group = user } // Either start with empty maps or the name-based maps. mappings := idtools.NewIDMappingsFromMaps(nil, nil) if user != "" && group != "" { submappings, err := idtools.NewIDMappings(user, group) if err != nil { return nil, nil, err } mappings = submappings } globalOptions := c.PersistentFlags() // We'll parse the UID and GID mapping options the same way. buildIDMap := func(basemap []idtools.IDMap, option string) ([]specs.LinuxIDMapping, error) { outmap := make([]specs.LinuxIDMapping, 0, len(basemap)) // Start with the name-based map entries. for _, m := range basemap { outmap = append(outmap, specs.LinuxIDMapping{ ContainerID: uint32(m.ContainerID), HostID: uint32(m.HostID), Size: uint32(m.Size), }) } // Parse the flag's value as one or more triples (if it's even // been set), and append them. var spec []string if globalOptions.Lookup(option) != nil && globalOptions.Lookup(option).Changed { spec, _ = globalOptions.GetStringSlice(option) } if c.Flag(option).Changed { spec, _ = c.Flags().GetStringSlice(option) } idmap, err := parseIDMap(spec) if err != nil { return nil, err } for _, m := range idmap { outmap = append(outmap, specs.LinuxIDMapping{ ContainerID: m[0], HostID: m[1], Size: m[2], }) } return outmap, nil } uidmap, err := buildIDMap(mappings.UIDs(), "userns-uid-map") if err != nil { return nil, nil, err } gidmap, err := buildIDMap(mappings.GIDs(), "userns-gid-map") if err != nil { return nil, nil, err } // If we only have one map or the other populated at this point, then // use the same mapping for both, since we know that no user or group // name was specified, but a specific mapping was for one or the other. if len(uidmap) == 0 && len(gidmap) != 0 { uidmap = gidmap } if len(gidmap) == 0 && len(uidmap) != 0 { gidmap = uidmap } // By default, having mappings configured means we use a user // namespace. Otherwise, we don't. usernsOption := define.NamespaceOption{ Name: string(specs.UserNamespace), Host: len(uidmap) == 0 && len(gidmap) == 0, } // If the user specifically requested that we either use or don't use // user namespaces, override that default. if c.Flag("userns").Changed { how := c.Flag("userns").Value.String() switch how { case "", "container", "private": usernsOption.Host = false case "host": usernsOption.Host = true default: how = strings.TrimPrefix(how, "ns:") if _, err := os.Stat(how); err != nil { return nil, nil, errors.Wrapf(err, "checking %s namespace", string(specs.UserNamespace)) } logrus.Debugf("setting %q namespace to %q", string(specs.UserNamespace), how) usernsOption.Path = how } } usernsOptions = define.NamespaceOptions{usernsOption} usernetwork := c.Flags().Lookup("network") if usernetwork != nil && !usernetwork.Changed { usernsOptions = append(usernsOptions, define.NamespaceOption{ Name: string(specs.NetworkNamespace), Host: usernsOption.Host, }) } // If the user requested that we use the host namespace, but also that // we use mappings, that's not going to work. if (len(uidmap) != 0 || len(gidmap) != 0) && usernsOption.Host { return nil, nil, errors.Errorf("can not specify ID mappings while using host's user namespace") } return usernsOptions, &define.IDMappingOptions{ HostUIDMapping: usernsOption.Host, HostGIDMapping: usernsOption.Host, UIDMap: uidmap, GIDMap: gidmap, }, nil } func parseIDMap(spec []string) (m [][3]uint32, err error) { for _, s := range spec { args := strings.FieldsFunc(s, func(r rune) bool { return !unicode.IsDigit(r) }) if len(args)%3 != 0 { return nil, errors.Errorf("mapping %q is not in the form containerid:hostid:size[,...]", s) } for len(args) >= 3 { cid, err := strconv.ParseUint(args[0], 10, 32) if err != nil { return nil, errors.Wrapf(err, "error parsing container ID %q from mapping %q as a number", args[0], s) } hostid, err := strconv.ParseUint(args[1], 10, 32) if err != nil { return nil, errors.Wrapf(err, "error parsing host ID %q from mapping %q as a number", args[1], s) } size, err := strconv.ParseUint(args[2], 10, 32) if err != nil { return nil, errors.Wrapf(err, "error parsing %q from mapping %q as a number", args[2], s) } m = append(m, [3]uint32{uint32(cid), uint32(hostid), uint32(size)}) args = args[3:] } } return m, nil } // NamespaceOptions parses the build options for all namespaces except for user namespace. func NamespaceOptions(c *cobra.Command) (namespaceOptions define.NamespaceOptions, networkPolicy define.NetworkConfigurationPolicy, err error) { options := make(define.NamespaceOptions, 0, 7) policy := define.NetworkDefault for _, what := range []string{string(specs.IPCNamespace), "network", string(specs.PIDNamespace), string(specs.UTSNamespace)} { if c.Flags().Lookup(what) != nil && c.Flag(what).Changed { how := c.Flag(what).Value.String() switch what { case "network": what = string(specs.NetworkNamespace) } switch how { case "", "container", "private": logrus.Debugf("setting %q namespace to %q", what, "") options.AddOrReplace(define.NamespaceOption{ Name: what, }) case "host": logrus.Debugf("setting %q namespace to host", what) options.AddOrReplace(define.NamespaceOption{ Name: what, Host: true, }) default: if what == string(specs.NetworkNamespace) { if how == "none" { options.AddOrReplace(define.NamespaceOption{ Name: what, }) policy = define.NetworkDisabled logrus.Debugf("setting network to disabled") break } } how = strings.TrimPrefix(how, "ns:") if _, err := os.Stat(how); err != nil { return nil, define.NetworkDefault, errors.Wrapf(err, "checking %s namespace", what) } policy = define.NetworkEnabled logrus.Debugf("setting %q namespace to %q", what, how) options.AddOrReplace(define.NamespaceOption{ Name: what, Path: how, }) } } } return options, policy, nil } func defaultIsolation() (define.Isolation, error) { isolation, isSet := os.LookupEnv("BUILDAH_ISOLATION") if isSet { switch strings.ToLower(isolation) { case "oci": return define.IsolationOCI, nil case "rootless": return define.IsolationOCIRootless, nil case "chroot": return define.IsolationChroot, nil default: return 0, errors.Errorf("unrecognized $BUILDAH_ISOLATION value %q", isolation) } } if unshare.IsRootless() { return define.IsolationOCIRootless, nil } return define.IsolationDefault, nil } // IsolationOption parses the --isolation flag. func IsolationOption(isolation string) (define.Isolation, error) { if isolation != "" { switch strings.ToLower(isolation) { case "oci", "default": return define.IsolationOCI, nil case "rootless": return define.IsolationOCIRootless, nil case "chroot": return define.IsolationChroot, nil default: return 0, errors.Errorf("unrecognized isolation type %q", isolation) } } return defaultIsolation() } // Device parses device mapping string to a src, dest & permissions string // Valid values for device look like: // '/dev/sdc" // '/dev/sdc:/dev/xvdc" // '/dev/sdc:/dev/xvdc:rwm" // '/dev/sdc:rm" func Device(device string) (string, string, string, error) { src := "" dst := "" permissions := "rwm" arr := strings.Split(device, ":") switch len(arr) { case 3: if !isValidDeviceMode(arr[2]) { return "", "", "", errors.Errorf("invalid device mode: %s", arr[2]) } permissions = arr[2] fallthrough case 2: if isValidDeviceMode(arr[1]) { permissions = arr[1] } else { if len(arr[1]) == 0 || arr[1][0] != '/' { return "", "", "", errors.Errorf("invalid device mode: %s", arr[1]) } dst = arr[1] } fallthrough case 1: if len(arr[0]) > 0 { src = arr[0] break } fallthrough default: return "", "", "", errors.Errorf("invalid device specification: %s", device) } if dst == "" { dst = src } return src, dst, permissions, nil } // isValidDeviceMode checks if the mode for device is valid or not. // isValid mode is a composition of r (read), w (write), and m (mknod). func isValidDeviceMode(mode string) bool { var legalDeviceMode = map[rune]bool{ 'r': true, 'w': true, 'm': true, } if mode == "" { return false } for _, c := range mode { if !legalDeviceMode[c] { return false } legalDeviceMode[c] = false } return true } func GetTempDir() string { if tmpdir, ok := os.LookupEnv("TMPDIR"); ok { return tmpdir } return "/var/tmp" } // Secrets parses the --secret flag func Secrets(secrets []string) (map[string]string, error) { parsed := make(map[string]string) invalidSyntax := errors.Errorf("incorrect secret flag format: should be --secret id=foo,src=bar") for _, secret := range secrets { split := strings.Split(secret, ",") if len(split) > 2 { return nil, invalidSyntax } if len(split) == 2 { id := strings.Split(split[0], "=") src := strings.Split(split[1], "=") if len(split) == 2 && strings.ToLower(id[0]) == "id" && strings.ToLower(src[0]) == "src" { fullPath, err := filepath.Abs(src[1]) if err != nil { return nil, err } _, err = os.Stat(fullPath) if err == nil { parsed[id[1]] = fullPath } if err != nil { return nil, errors.Wrap(err, "could not parse secrets") } } else { return nil, invalidSyntax } } else { return nil, invalidSyntax } } return parsed, nil } // SSH parses the --ssh flag func SSH(sshSources []string) (map[string]*sshagent.Source, error) { parsed := make(map[string]*sshagent.Source) var paths []string for _, v := range sshSources { parts := strings.SplitN(v, "=", 2) if len(parts) > 1 { paths = strings.Split(parts[1], ",") } source, err := sshagent.NewSource(paths) if err != nil { return nil, err } parsed[parts[0]] = source } return parsed, nil }