author | dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> | 2019-12-16 09:18:55 +0000 |
---|---|---|
committer | Valentin Rothberg <rothberg@redhat.com> | 2019-12-19 18:17:23 +0100 |
commit | 63bda55c1f8ab3d94a4ffc119efa58ed3d0ac57c (patch) | |
tree | 71df4bcdaba77fb8dff35bbfbdf8934c21e01405 /vendor/github.com/containers/buildah | |
parent | 6c7b6d994acddee0d50cec9bbe45fb4cb720a08d (diff) | |
update c/buildah to v1.12.0
Also bump docker/docker.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Diffstat (limited to 'vendor/github.com/containers/buildah')
23 files changed, 147 insertions, 1039 deletions
diff --git a/vendor/github.com/containers/buildah/CHANGELOG.md b/vendor/github.com/containers/buildah/CHANGELOG.md
index a0baf30e9..3cae61fa6 100644
--- a/vendor/github.com/containers/buildah/CHANGELOG.md
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md
@@ -2,6 +2,33 @@
 
 # Changelog
 
+
+## v1.12.0 (2019-12-13)
+ Allow ADD to use http src
+ Bump to c/storage v.1.15.3
+ install.md: update golang dependency
+ imgtype: reset storage opts if driver overridden
+ Start using containers/common
+ overlay.bats typo: fuse-overlays should be fuse-overlayfs
+ chroot: Unmount with MNT_DETACH instead of UnmountMountpoints()
+ bind: don't complain about missing mountpoints
+ imgtype: check earlier for expected manifest type
+ Vendor containers/storage fix
+ Vendor containers/storage v1.15.1
+ Add history names support
+ PR takeover of #1966
+ Tests: Add inspect test check steps
+ Tests: Add container name and id check in containers test steps
+ Test: Get permission in add test
+ Tests: Add a test for tag by id
+ Tests: Add test cases for push test
+ Tests: Add image digest test
+ Tests: Add some buildah from tests
+ Tests: Add two commit test
+ Tests: Add buildah bud with --quiet test
+ Tests: Add two test for buildah add
+ Bump back to v1.12.0-dev
+
 ## v1.11.6 (2019-12-03)
 Handle missing equal sign in --from and --chown flags for COPY/ADD
 bud COPY does not download URL
diff --git a/vendor/github.com/containers/buildah/Makefile b/vendor/github.com/containers/buildah/Makefile
index 9d04177d0..19aa4dc3c 100644
--- a/vendor/github.com/containers/buildah/Makefile
+++ b/vendor/github.com/containers/buildah/Makefile
@@ -33,7 +33,7 @@ LIBSECCOMP_COMMIT := release-2.3
 
 EXTRALDFLAGS :=
 LDFLAGS := -ldflags '-X main.GitCommit=$(GIT_COMMIT) -X main.buildInfo=$(SOURCE_DATE_EPOCH) -X main.cniVersion=$(CNI_COMMIT)' $(EXTRALDFLAGS)
-SOURCES=*.go imagebuildah/*.go bind/*.go chroot/*.go cmd/buildah/*.go docker/*.go pkg/blobcache/*.go pkg/cli/*.go pkg/parse/*.go pkg/unshare/*.c pkg/unshare/*.go util/*.go
+SOURCES=*.go imagebuildah/*.go bind/*.go chroot/*.go cmd/buildah/*.go docker/*.go pkg/blobcache/*.go pkg/cli/*.go pkg/parse/*.go util/*.go
 
 all: buildah imgtype docs
 
diff --git a/vendor/github.com/containers/buildah/bind/mount.go b/vendor/github.com/containers/buildah/bind/mount.go
index e1ae323b9..adde901fd 100644
--- a/vendor/github.com/containers/buildah/bind/mount.go
+++ b/vendor/github.com/containers/buildah/bind/mount.go
@@ -264,6 +264,10 @@ func UnmountMountpoints(mountpoint string, mountpointsToRemove []string) error {
 mount := getMountByID(id)
 // check if this mountpoint is mounted
 if err := unix.Lstat(mount.Mountpoint, &st); err != nil {
+if os.IsNotExist(err) {
+logrus.Debugf("mountpoint %q is not present(?), skipping", mount.Mountpoint)
+continue
+}
 return errors.Wrapf(err, "error checking if %q is mounted", mount.Mountpoint)
 }
 if mount.Major != int(unix.Major(st.Dev)) || mount.Minor != int(unix.Minor(st.Dev)) {
diff --git a/vendor/github.com/containers/buildah/buildah.go b/vendor/github.com/containers/buildah/buildah.go
index bceafc241..249b5cc90 100644
--- a/vendor/github.com/containers/buildah/buildah.go
+++ b/vendor/github.com/containers/buildah/buildah.go
@@ -27,7 +27,7 @@ const (
 Package = "buildah"
 // Version for the Package. Bump version in contrib/rpm/buildah.spec
 // too.
-Version = "1.11.6"
+Version = "1.12.0"
 // The value we use to identify what type of information, currently a
 // serialized Builder structure, we are using as per-container state.
 // This should only be changed when we make incompatible changes to
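Review bot: The added `continue` handles only ENOENT, so an `unix.Lstat` that fails with ENOTDIR — a path component of `mount.Mountpoint` that is no longer a directory — still reaches the `return errors.Wrapf(...)` below it and aborts the whole pass, leaving any later entries in `mountpointsToRemove` mounted. `unix.Lstat` returns a raw errno, so `if os.IsNotExist(err) || err == unix.ENOTDIR {` would treat both "path is gone" cases the same way; whether `mountpointsToRemove` is pruned for skipped entries later in the loop cannot be seen from here. The debug text `is not present(?)` also reads as a guess rather than an observation; `"mountpoint %q no longer exists, skipping"` states what Lstat actually reported. The loop this hunk sits in starts and ends outside the hunk.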
diff --git a/vendor/github.com/containers/buildah/changelog.txt b/vendor/github.com/containers/buildah/changelog.txt
index 58d784e35..72c970140 100644
--- a/vendor/github.com/containers/buildah/changelog.txt
+++ b/vendor/github.com/containers/buildah/changelog.txt
@@ -1,3 +1,29 @@
+- Changelog for v1.12.0 (2019-12-13)
+ * Allow ADD to use http src
+ * Bump to c/storage v.1.15.3
+ * install.md: update golang dependency
+ * imgtype: reset storage opts if driver overridden
+ * Start using containers/common
+ * overlay.bats typo: fuse-overlays should be fuse-overlayfs
+ * chroot: Unmount with MNT_DETACH instead of UnmountMountpoints()
+ * bind: don't complain about missing mountpoints
+ * imgtype: check earlier for expected manifest type
+ * Vendor containers/storage fix
+ * Vendor containers/storage v1.15.1
+ * Add history names support
+ * PR takeover of #1966
+ * Tests: Add inspect test check steps
+ * Tests: Add container name and id check in containers test steps
+ * Test: Get permission in add test
+ * Tests: Add a test for tag by id
+ * Tests: Add test cases for push test
+ * Tests: Add image digest test
+ * Tests: Add some buildah from tests
+ * Tests: Add two commit test
+ * Tests: Add buildah bud with --quiet test
+ * Tests: Add two test for buildah add
+ * Bump back to v1.12.0-dev
+
 - Changelog for v1.11.6 (2019-12-03)
 * Handle missing equal sign in --from and --chown flags for COPY/ADD
 * bud COPY does not download URL
diff --git a/vendor/github.com/containers/buildah/chroot/run.go b/vendor/github.com/containers/buildah/chroot/run.go
index fbccbcdb0..482fef693 100644
--- a/vendor/github.com/containers/buildah/chroot/run.go
+++ b/vendor/github.com/containers/buildah/chroot/run.go
@@ -15,11 +15,12 @@ import (
 "strings"
 "sync"
 "syscall"
+"time"
 "unsafe"
 
 "github.com/containers/buildah/bind"
-"github.com/containers/buildah/pkg/unshare"
 "github.com/containers/buildah/util"
+"github.com/containers/common/pkg/unshare"
 "github.com/containers/storage/pkg/ioutils"
 "github.com/containers/storage/pkg/mount"
 "github.com/containers/storage/pkg/reexec"
@@ -1002,12 +1003,19 @@ func isDevNull(dev os.FileInfo) bool {
 // callback that will clean up its work.
 func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func() error, err error) {
 var fs unix.Statfs_t
-removes := []string{}
 undoBinds = func() error {
-if err2 := bind.UnmountMountpoints(spec.Root.Path, removes); err2 != nil {
-logrus.Warnf("pkg/chroot: error unmounting %q: %v", spec.Root.Path, err2)
-if err == nil {
-err = err2
+if err2 := unix.Unmount(spec.Root.Path, unix.MNT_DETACH); err2 != nil {
+retries := 0
+for (err2 == unix.EBUSY || err2 == unix.EAGAIN) && retries < 50 {
+time.Sleep(50 * time.Millisecond)
+err2 = unix.Unmount(spec.Root.Path, unix.MNT_DETACH)
+retries++
+}
+if err2 != nil {
+logrus.Warnf("pkg/chroot: error unmounting %q (retried %d times): %v", spec.Root.Path, retries, err2)
+if err == nil {
+err = err2
+}
 }
 }
 return err
@@ -1096,6 +1104,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 // Add /sys/fs/selinux to the set of masked paths, to ensure that we don't have processes
 // attempting to interact with labeling, when they aren't allowed to do so.
 spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
+
 // Bind mount in everything we've been asked to mount.
 for _, m := range spec.Mounts {
 // Skip anything that we just mounted.
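Review bot: `undoBinds` now only lazily detaches `spec.Root.Path` and no longer removes the mountpoint directories and files this function creates further down (the `removes` bookkeeping is deleted in the following hunks), so a `MkdirAll(target, 0111)` for a mount target that is missing from the image stays behind in the rootfs after the run; that is presumably intended, but the function comment should say so, e.g. `// undoBinds lazily detaches the root; mountpoints created below are left in place.`, or the cleanup should be re-done once the detach has succeeded. The retry loop only repeats on EBUSY/EAGAIN, which `MNT_DETACH` seldom reports, while EINVAL (nothing mounted at the path, e.g. `undoBinds` called twice) falls straight through to the warning; `if err2 == unix.EINVAL { err2 = nil }` ahead of the `if err2 != nil` would make the callback idempotent. The closure still returns the enclosing function's named `err`, so when setup already failed an unmount failure is logged but never surfaced to the caller — pre-existing, but this rewrite was the place to return `err2`. setupChrootBindMounts continues past the end of this hunk.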
@@ -1141,13 +1150,11 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 if !os.IsNotExist(err) {
 return undoBinds, errors.Wrapf(err, "error examining %q for mounting in mount namespace", target)
 }
-// The target isn't there yet, so create it, and make a
-// note to remove it later.
+// The target isn't there yet, so create it.
 if srcinfo.IsDir() {
 if err = os.MkdirAll(target, 0111); err != nil {
 return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
 }
-removes = append(removes, target)
 } else {
 if err = os.MkdirAll(filepath.Dir(target), 0111); err != nil {
 return undoBinds, errors.Wrapf(err, "error ensuring parent of mountpoint %q (%q) is present in mount namespace", target, filepath.Dir(target))
@@ -1157,7 +1164,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
 }
 file.Close()
-removes = append(removes, target)
 }
 }
 requestFlags := bindFlags
@@ -1266,7 +1272,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 if err := os.Mkdir(roEmptyDir, 0700); err != nil {
 return undoBinds, errors.Wrapf(err, "error creating empty directory %q", roEmptyDir)
 }
-removes = append(removes, roEmptyDir)
 }
 
 // Set up any masked paths that we need to. If we're running inside of
diff --git a/vendor/github.com/containers/buildah/common.go b/vendor/github.com/containers/buildah/common.go
index d2e9dc732..35a7c6538 100644
--- a/vendor/github.com/containers/buildah/common.go
+++ b/vendor/github.com/containers/buildah/common.go
@@ -5,7 +5,7 @@ import (
 "os"
 "path/filepath"
 
-"github.com/containers/buildah/pkg/unshare"
+"github.com/containers/common/pkg/unshare"
 cp "github.com/containers/image/v5/copy"
 "github.com/containers/image/v5/types"
 "github.com/containers/storage"
diff --git a/vendor/github.com/containers/buildah/go.mod b/vendor/github.com/containers/buildah/go.mod
index 684b00ff5..1d4967c4a 100644
--- a/vendor/github.com/containers/buildah/go.mod
+++ b/vendor/github.com/containers/buildah/go.mod
@@ -5,8 +5,9 @@ go 1.12
 require (
 github.com/blang/semver v3.5.0+incompatible // indirect
 github.com/containernetworking/cni v0.7.1
+github.com/containers/common v0.0.3
 github.com/containers/image/v5 v5.0.0
-github.com/containers/storage v1.14.0
+github.com/containers/storage v1.15.3
 github.com/cyphar/filepath-securejoin v0.2.2
 github.com/docker/distribution v2.7.1+incompatible
 github.com/docker/docker-credential-helpers v0.6.1 // indirect
@@ -43,7 +44,7 @@ require (
 github.com/vishvananda/netns v0.0.0-20190625233234-7109fa855b0f // indirect
 github.com/xeipuuv/gojsonschema v1.1.0 // indirect
 golang.org/x/crypto v0.0.0-20190927123631-a832865fa7ad
-golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3
+golang.org/x/sys v0.0.0-20191127021746-63cb32ae39b2
 golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0 // indirect
 google.golang.org/grpc v1.24.0 // indirect
 k8s.io/api v0.0.0-20190813020757-36bff7324fb7 // indirect
diff --git a/vendor/github.com/containers/buildah/go.sum b/vendor/github.com/containers/buildah/go.sum
index 1cce3ff7e..9285963af 100644
--- a/vendor/github.com/containers/buildah/go.sum
+++ b/vendor/github.com/containers/buildah/go.sum
@@ -17,6 +17,8 @@ github.com/Microsoft/hcsshim v0.8.6 h1:ZfF0+zZeYdzMIVMZHKtDKJvLHj76XCuVae/jNkjj0
 github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
 github.com/Microsoft/hcsshim v0.8.7-0.20191101173118-65519b62243c h1:YMP6olTU903X3gxQJckdmiP8/zkSMq4kN3uipsU9XjU=
 github.com/Microsoft/hcsshim v0.8.7-0.20191101173118-65519b62243c/go.mod h1:7xhjOwRV2+0HXGmM0jxaEu+ZiXJFoVZOTfL/dmqbrD8=
+github.com/Microsoft/hcsshim v0.8.7 h1:ptnOoufxGSzauVTsdE+wMYnCWA301PdoN4xg5oRdZpg=
+github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
@@ -50,12 +52,15 @@ github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDG
 github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
 github.com/containernetworking/cni v0.7.1 h1:fE3r16wpSEyaqY4Z4oFrLMmIGfBYIKpPrHK31EJ9FzE=
 github.com/containernetworking/cni v0.7.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
+github.com/containers/common v0.0.3 h1:C2Zshb0w720FqPa42MCRuiGfbW0kwbURRwvK1EWIC5I=
+github.com/containers/common v0.0.3/go.mod h1:CaOgMRiwi2JJHISMZ6VPPZhQYFUDRv3YYVss2RqUCMg=
 github.com/containers/image/v4 v4.0.1 h1:idNGHChj0Pyv3vLrxul2oSVMZLeFqpoq3CjLeVgapSQ=
 github.com/containers/image/v4 v4.0.1/go.mod h1:0ASJH1YgJiX/eqFZObqepgsvIA4XjCgpyfwn9pDGafA=
 github.com/containers/image/v5 v5.0.0 h1:arnXgbt1ucsC/ndtSpiQY87rA0UjhF+/xQnPzqdBDn4=
 github.com/containers/image/v5 v5.0.0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
 github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
 github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
+github.com/containers/storage v1.13.2/go.mod h1:6D8nK2sU9V7nEmAraINRs88ZEscM5C5DK+8Npp27GeA=
 github.com/containers/storage v1.13.4 h1:j0bBaJDKbUHtAW1MXPFnwXJtqcH+foWeuXK1YaBV5GA=
 github.com/containers/storage v1.13.4/go.mod h1:6D8nK2sU9V7nEmAraINRs88ZEscM5C5DK+8Npp27GeA=
 github.com/containers/storage v1.13.5 h1:/SUzGeOP2HDijpF7Yur21Ch6WTZC1BNeZF917CWcp5c=
@@ -66,10 +71,18 @@ github.com/containers/storage v1.13.6-0.20191017175359-7daeec89a243 h1:k97CWHLLr
 github.com/containers/storage v1.13.6-0.20191017175359-7daeec89a243/go.mod h1:imKnA8Ozb99yPWt64WPrtNOR0v0HKQZFH4oLV45N22k=
 github.com/containers/storage v1.14.0 h1:LbX6WZaDmkXt4DT4xWIg3YXAWd6oA4K9Fi6/KG1xt84=
 github.com/containers/storage v1.14.0/go.mod h1:qGPsti/qC1xxX+xcpHfiTMT+8ThVE2Jf83wFHHqkDAY=
+github.com/containers/storage v1.15.1 h1:yE0lkMG/sIj+dvc/FDGT9KmPi/wXTKGqoLJnNy1tL/c=
+github.com/containers/storage v1.15.1/go.mod h1:6BYP6xBTstj0E9dY6mYFgn3BRBRPRSVqfhAqKIWkGpE=
+github.com/containers/storage v1.15.2 h1:hLgafU4tuyQk/smMkXZfHTS8FtAQsqQvfWCp4bsgjuw=
+github.com/containers/storage v1.15.2/go.mod h1:v0lq/3f+cXH3Y/HiDaFYRR0zilwDve7I4W7U5xQxvF8=
+github.com/containers/storage v1.15.3 h1:+lFSQZnnKUFyUEtguIgdoQLJfWSuYz+j/wg5GxLtsN4=
+github.com/containers/storage v1.15.3/go.mod h1:v0lq/3f+cXH3Y/HiDaFYRR0zilwDve7I4W7U5xQxvF8=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f h1:JOrtw2xFKzlg+cbHpyrpLDmnN1HqhBfnX7WDiW7eG2c=
+github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
 github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
 github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
@@ -128,6 +141,7 @@ github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1
 github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e h1:BWhy2j3IXJhjCbC68FptL43tDKIq8FladmaTs3Xs7Z8=
 github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
 github.com/gogo/protobuf v0.0.0-20170815085658-fcdc5011193f/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
@@ -197,6 +211,10 @@ github.com/klauspost/compress v1.9.1 h1:TWy0o9J9c6LK9C8t7Msh6IAJNXbsU/nvKLTQUU5H
 github.com/klauspost/compress v1.9.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
 github.com/klauspost/compress v1.9.2 h1:LfVyl+ZlLlLDeQ/d2AqfGIIH4qEDu0Ed2S5GyhCWIWY=
 github.com/klauspost/compress v1.9.2/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/compress v1.9.3 h1:hkFELABwacUEgBfiguNeQydKv3M9pawBq8o24Ypw9+M=
+github.com/klauspost/compress v1.9.3/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/compress v1.9.4 h1:xhvAeUPQ2drNUhKtrGdTGNvV9nNafHMUkRyLkzxJoB4=
+github.com/klauspost/compress v1.9.4/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
 github.com/klauspost/cpuid v1.2.1 h1:vJi+O/nMdFt0vqm8NZBI6wzALWdA2X+egi0ogNyrC/w=
 github.com/klauspost/cpuid v1.2.1/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/pgzip v1.2.1 h1:oIPZROsWuPHpOdMVWLuJZXwgjhrW8r1yEX8UqMyeNHM=
@@ -337,6 +355,12 @@ github.com/saschagrunert/storage v1.12.3-0.20191114093559-52adfaa6f31e h1:iX1xFl
 github.com/saschagrunert/storage v1.12.3-0.20191114093559-52adfaa6f31e/go.mod h1:apitPTJaaw4MMr0U+Z3WwpX86dwUMOlV/lp0NgZhXTU=
 github.com/saschagrunert/storage v1.12.3-0.20191116170926-5e07044cf0e2 h1:azd4fIVaZqFbBcgbMSuP9YyskvNwRdiV+SO2Z1qJfA8=
 github.com/saschagrunert/storage v1.12.3-0.20191116170926-5e07044cf0e2/go.mod h1:apitPTJaaw4MMr0U+Z3WwpX86dwUMOlV/lp0NgZhXTU=
+github.com/saschagrunert/storage v1.12.3-0.20191204100010-fb36c82c86cf h1:zEhK8b4BuleUudosaE3JGawKtHHchx7eKodv1NqMbG4=
+github.com/saschagrunert/storage v1.12.3-0.20191204100010-fb36c82c86cf/go.mod h1:/Lild6FqQu2HwAVjVC9d5EAls3Mqwoxx67XpnR4UgEY=
+github.com/saschagrunert/storage v1.12.3-0.20191204100312-941968b40828 h1:bHO3vvwwptY0SQpmrB5gLd/+UvgzcZvmrf4sP+JCm50=
+github.com/saschagrunert/storage v1.12.3-0.20191204100312-941968b40828/go.mod h1:/Lild6FqQu2HwAVjVC9d5EAls3Mqwoxx67XpnR4UgEY=
+github.com/saschagrunert/storage v1.12.3-0.20191204101521-aca03d333c53 h1:CBWb8W8lkcjV3cPtMYqXWkFslNCR76MXD8H9WlMVWJw=
+github.com/saschagrunert/storage v1.12.3-0.20191204101521-aca03d333c53/go.mod h1:/Lild6FqQu2HwAVjVC9d5EAls3Mqwoxx67XpnR4UgEY=
 github.com/seccomp/containers-golang v0.0.0-20180629143253-cdfdaa7543f4 h1:rOG9oHVIndNR14f3HRyBy9UPQYmIPniWqTU1TDdHhq4=
 github.com/seccomp/containers-golang v0.0.0-20180629143253-cdfdaa7543f4/go.mod h1:f/98/SnvAzhAEFQJ3u836FePXvcbE8BS0YGMQNn4mhA=
 github.com/seccomp/libseccomp-golang v0.9.1 h1:NJjM5DNFOs0s3kYE1WUOr6G8V97sdt46rlXTMfXGWBo=
@@ -453,6 +477,8 @@ golang.org/x/sys v0.0.0-20190902133755-9109b7679e13 h1:tdsQdquKbTNMsSZLqnLELJGzC
 golang.org/x/sys v0.0.0-20190902133755-9109b7679e13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3 h1:7TYNF4UdlohbFwpNH04CoPMp1cHUZgO1Ebq5r2hIjfo=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191127021746-63cb32ae39b2 h1:/J2nHFg1MTqaRLFO7M+J78ASNsJoz3r0cvHBPQ77fsE=
+golang.org/x/sys v0.0.0-20191127021746-63cb32ae39b2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go b/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
index 311031a95..b54caf3ef 100644
--- a/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
@@ -423,38 +423,43 @@ func (s *StageExecutor) Copy(excludes []string, copies ...imagebuilder.Copy) err
 }
 for _, src := range copy.Src {
 if strings.HasPrefix(src, "http://") || strings.HasPrefix(src, "https://") {
-// Source is a URL.
-// returns an error to be compatible with docker
-return errors.Errorf("source can't be a URL for COPY")
-}
-// Treat the source, which is not a URL, as a
-// location relative to the
-// all-content-comes-from-below-this-directory
-// directory.
-srcSecure, err := securejoin.SecureJoin(contextDir, src)
-if err != nil {
-return errors.Wrapf(err, "forbidden path for %q, it is outside of the build context %q", src, contextDir)
-}
-if hadFinalPathSeparator {
-// If destination is a folder, we need to take extra care to
-// ensure that files are copied with correct names (since
-// resolving a symlink may result in a different name).
-_, srcName := filepath.Split(src)
-_, srcNameSecure := filepath.Split(srcSecure)
-if srcName != srcNameSecure {
-options := buildah.AddAndCopyOptions{
-Chown: copy.Chown,
-ContextDir: contextDir,
-Excludes: copyExcludes,
-IDMappingOptions: idMappingOptions,
-}
-if err := s.builder.Add(filepath.Join(copy.Dest, srcName), copy.Download, options, srcSecure); err != nil {
-return err
+// Source is a URL, allowed for ADD but not COPY.
+if copy.Download {
+sources = append(sources, src)
+} else {
+// returns an error to be compatible with docker
+return errors.Errorf("source can't be a URL for COPY")
+}
+} else {
+// Treat the source, which is not a URL, as a
+// location relative to the
+// all-content-comes-from-below-this-directory
+// directory.
+srcSecure, err := securejoin.SecureJoin(contextDir, src)
+if err != nil {
+return errors.Wrapf(err, "forbidden path for %q, it is outside of the build context %q", src, contextDir)
+}
+if hadFinalPathSeparator {
+// If destination is a folder, we need to take extra care to
+// ensure that files are copied with correct names (since
+// resolving a symlink may result in a different name).
+_, srcName := filepath.Split(src)
+_, srcNameSecure := filepath.Split(srcSecure)
+if srcName != srcNameSecure {
+options := buildah.AddAndCopyOptions{
+Chown: copy.Chown,
+ContextDir: contextDir,
+Excludes: copyExcludes,
+IDMappingOptions: idMappingOptions,
+}
+if err := s.builder.Add(filepath.Join(copy.Dest, srcName), copy.Download, options, srcSecure); err != nil {
+return err
+}
+continue
 }
-continue
 }
+sources = append(sources, srcSecure)
 }
-sources = append(sources, srcSecure)
 }
 options := buildah.AddAndCopyOptions{
 Chown: copy.Chown,
diff --git a/vendor/github.com/containers/buildah/info.go b/vendor/github.com/containers/buildah/info.go
index 68d217b8f..1e6d6b746 100644
--- a/vendor/github.com/containers/buildah/info.go
+++ b/vendor/github.com/containers/buildah/info.go
@@ -11,9 +11,9 @@ import (
 "strings"
 "time"
 
-"github.com/containers/buildah/pkg/cgroups"
-"github.com/containers/buildah/pkg/unshare"
 "github.com/containers/buildah/util"
+"github.com/containers/common/pkg/cgroups"
+"github.com/containers/common/pkg/unshare"
 "github.com/containers/storage"
 "github.com/containers/storage/pkg/system"
 "github.com/sirupsen/logrus"
diff --git a/vendor/github.com/containers/buildah/install.md b/vendor/github.com/containers/buildah/install.md
index af340eb86..91522f64f 100644
--- a/vendor/github.com/containers/buildah/install.md
+++ b/vendor/github.com/containers/buildah/install.md
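Review bot: URL sources for ADD are appended to `sources` verbatim, with no scheme normalization and no policy hook, so a Dockerfile can now make the builder fetch anything the build host can reach — internal services, cloud metadata endpoints, plain `http://` with no integrity check; that mirrors the Docker behaviour the existing comment refers to, but it should be stated where the decision is made: `// Source is a URL, allowed for ADD but not COPY. The fetch runs with the builder's own network access and is not validated here.` The `strings.HasPrefix` checks are case-sensitive, so `HTTP://…` is treated as a context-relative path and fails later as a missing file instead of being downloaded — harmless, but worth a comment if it is intended. The `hadFinalPathSeparator` name-preservation logic only runs for context-relative sources; whether `s.builder.Add` derives the file name from the URL when the destination ends in `/` cannot be seen from here. Copy starts and ends outside the hunk.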
@@ -128,7 +128,7 @@ as yum, dnf or apt-get on a number of Linux distributions.
 
 Prior to installing Buildah, install the following packages on your Linux distro:
 * make
-* golang (Requires version 1.10 or higher.)
+* golang (Requires version 1.12 or higher.)
 * bats
 * btrfs-progs-devel
 * bzip2
@@ -239,7 +239,7 @@ In Ubuntu zesty and xenial, you can use these commands:
 apt-add-repository -y ppa:projectatomic/ppa
 apt-get -y -qq update
 apt-get -y install bats btrfs-tools git libapparmor-dev libdevmapper-dev libglib2.0-dev libgpgme11-dev libseccomp-dev libselinux1-dev skopeo-containers go-md2man
-apt-get -y install golang-1.10
+apt-get -y install golang-1.12
 ```
 
 Then to install Buildah on Ubuntu follow the steps in this example:
diff --git a/vendor/github.com/containers/buildah/pkg/cgroups/cgroups_supported.go b/vendor/github.com/containers/buildah/pkg/cgroups/cgroups_supported.go
deleted file mode 100644
index 142eced08..000000000
--- a/vendor/github.com/containers/buildah/pkg/cgroups/cgroups_supported.go
+++ /dev/null
@@ -1,31 +0,0 @@
-// +build linux
-
-package cgroups
-
-import (
-"sync"
-"syscall"
-)
-
-const (
-_cgroup2SuperMagic = 0x63677270
-)
-
-var (
-isUnifiedOnce sync.Once
-isUnified bool
-isUnifiedErr error
-)
-
-// IsCgroup2UnifiedMode returns whether we are running in cgroup 2 cgroup2 mode.
-func IsCgroup2UnifiedMode() (bool, error) {
-isUnifiedOnce.Do(func() {
-var st syscall.Statfs_t
-if err := syscall.Statfs("/sys/fs/cgroup", &st); err != nil {
-isUnified, isUnifiedErr = false, err
-} else {
-isUnified, isUnifiedErr = st.Type == _cgroup2SuperMagic, nil
-}
-})
-return isUnified, isUnifiedErr
-}
diff --git a/vendor/github.com/containers/buildah/pkg/cgroups/cgroups_unsupported.go b/vendor/github.com/containers/buildah/pkg/cgroups/cgroups_unsupported.go
deleted file mode 100644
index 9dc196e42..000000000
--- a/vendor/github.com/containers/buildah/pkg/cgroups/cgroups_unsupported.go
+++ /dev/null
@@ -1,8 +0,0 @@
-// +build !linux
-
-package cgroups
-
-// IsCgroup2UnifiedMode returns whether we are running in cgroup 2 cgroup2 mode.
-func IsCgroup2UnifiedMode() (bool, error) {
-return false, nil
-}
diff --git a/vendor/github.com/containers/buildah/pkg/overlay/overlay.go b/vendor/github.com/containers/buildah/pkg/overlay/overlay.go
index ae1c63148..b3caa17e4 100644
--- a/vendor/github.com/containers/buildah/pkg/overlay/overlay.go
+++ b/vendor/github.com/containers/buildah/pkg/overlay/overlay.go
@@ -8,7 +8,7 @@ import (
 "path/filepath"
 "strings"
 
-"github.com/containers/buildah/pkg/unshare"
+"github.com/containers/common/pkg/unshare"
 "github.com/containers/storage"
 "github.com/containers/storage/pkg/idtools"
 "github.com/opencontainers/runtime-spec/specs-go"
diff --git a/vendor/github.com/containers/buildah/pkg/parse/parse_unix.go b/vendor/github.com/containers/buildah/pkg/parse/parse_unix.go
index 1aaeca278..906236cc3 100644
--- a/vendor/github.com/containers/buildah/pkg/parse/parse_unix.go
+++ b/vendor/github.com/containers/buildah/pkg/parse/parse_unix.go
@@ -7,7 +7,7 @@ import (
 "os"
 "path/filepath"
 
-"github.com/containers/buildah/pkg/unshare"
+"github.com/containers/common/pkg/unshare"
 "github.com/opencontainers/runc/libcontainer/configs"
 "github.com/opencontainers/runc/libcontainer/devices"
 "github.com/pkg/errors"
diff --git a/vendor/github.com/containers/buildah/pkg/unshare/unshare.c b/vendor/github.com/containers/buildah/pkg/unshare/unshare.c
deleted file mode 100644
index fd0d48d43..000000000
--- a/vendor/github.com/containers/buildah/pkg/unshare/unshare.c
+++ /dev/null
@@ -1,287 +0,0 @@ -#define _GNU_SOURCE -#include <sys/types.h> -#include <sys/ioctl.h> -#include <sys/stat.h> -#include <sys/syscall.h> -#include <sys/mman.h> -#include <fcntl.h> -#include <grp.h> -#include <sched.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <termios.h> -#include <errno.h> -#include <unistd.h> - -/* Open Source projects like conda-forge, want to package podman and are based - off of centos:6, Conda-force has minimal libc requirements and is lacking - the memfd.h file, so we use mmam.h -*/ -#ifndef MFD_ALLOW_SEALING -#define MFD_ALLOW_SEALING 2U -#endif -#ifndef MFD_CLOEXEC -#define MFD_CLOEXEC 1U -#endif - -#ifndef F_LINUX_SPECIFIC_BASE -#define F_LINUX_SPECIFIC_BASE 1024 -#endif -#ifndef F_ADD_SEALS -#define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9) -#define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10) -#endif -#ifndef F_SEAL_SEAL -#define F_SEAL_SEAL 0x0001LU -#endif -#ifndef F_SEAL_SHRINK -#define F_SEAL_SHRINK 0x0002LU -#endif -#ifndef F_SEAL_GROW -#define F_SEAL_GROW 0x0004LU -#endif -#ifndef F_SEAL_WRITE -#define F_SEAL_WRITE 0x0008LU -#endif - -#define BUFSTEP 1024 - -static const char *_max_user_namespaces = "/proc/sys/user/max_user_namespaces"; -static const char *_unprivileged_user_namespaces = "/proc/sys/kernel/unprivileged_userns_clone"; - -static int _containers_unshare_parse_envint(const char *envname) { - char *p, *q; - long l; - - p = getenv(envname); - if (p == NULL) { - return -1; - } - q = NULL; - l = strtol(p, &q, 10); - if ((q == NULL) || (*q != '\0')) { - fprintf(stderr, "Error parsing \"%s\"=\"%s\"!\n", envname, p); - _exit(1); - } - unsetenv(envname); - return l; -} - -static void _check_proc_sys_file(const char *path) -{ - FILE *fp; - char buf[32]; - size_t n_read; - long r; - - fp = fopen(path, "r"); - if (fp == NULL) { - if (errno != ENOENT) - fprintf(stderr, "Error reading %s: %m\n", _max_user_namespaces); - } else { - memset(buf, 0, sizeof(buf)); - n_read = fread(buf, 1, sizeof(buf) - 1, fp); - 
if (n_read > 0) { - r = atoi(buf); - if (r == 0) { - fprintf(stderr, "User namespaces are not enabled in %s.\n", path); - } - } else { - fprintf(stderr, "Error reading %s: no contents, should contain a number greater than 0.\n", path); - } - fclose(fp); - } -} - -static char **parse_proc_stringlist(const char *list) { - int fd, n, i, n_strings; - char *buf, *new_buf, **ret; - size_t size, new_size, used; - - fd = open(list, O_RDONLY); - if (fd == -1) { - return NULL; - } - buf = NULL; - size = 0; - used = 0; - for (;;) { - new_size = used + BUFSTEP; - new_buf = realloc(buf, new_size); - if (new_buf == NULL) { - free(buf); - fprintf(stderr, "realloc(%ld): out of memory\n", (long)(size + BUFSTEP)); - return NULL; - } - buf = new_buf; - size = new_size; - memset(buf + used, '\0', size - used); - n = read(fd, buf + used, size - used - 1); - if (n < 0) { - fprintf(stderr, "read(): %m\n"); - return NULL; - } - if (n == 0) { - break; - } - used += n; - } - close(fd); - n_strings = 0; - for (n = 0; n < used; n++) { - if ((n == 0) || (buf[n-1] == '\0')) { - n_strings++; - } - } - ret = calloc(n_strings + 1, sizeof(char *)); - if (ret == NULL) { - fprintf(stderr, "calloc(): out of memory\n"); - return NULL; - } - i = 0; - for (n = 0; n < used; n++) { - if ((n == 0) || (buf[n-1] == '\0')) { - ret[i++] = &buf[n]; - } - } - ret[i] = NULL; - return ret; -} - -static int containers_reexec(void) { - char **argv, *exename; - int fd, mmfd, n_read, n_written; - struct stat st; - char buf[2048]; - - argv = parse_proc_stringlist("/proc/self/cmdline"); - if (argv == NULL) { - return -1; - } - fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); - if (fd == -1) { - fprintf(stderr, "open(\"/proc/self/exe\"): %m\n"); - return -1; - } - if (fstat(fd, &st) == -1) { - fprintf(stderr, "fstat(\"/proc/self/exe\"): %m\n"); - return -1; - } - exename = basename(argv[0]); - mmfd = syscall(SYS_memfd_create, exename, (long) MFD_ALLOW_SEALING | MFD_CLOEXEC); - if (mmfd == -1) { - fprintf(stderr, 
"memfd_create(): %m\n"); - return -1; - } - for (;;) { - n_read = read(fd, buf, sizeof(buf)); - if (n_read < 0) { - fprintf(stderr, "read(\"/proc/self/exe\"): %m\n"); - return -1; - } - if (n_read == 0) { - break; - } - n_written = write(mmfd, buf, n_read); - if (n_written < 0) { - fprintf(stderr, "write(anonfd): %m\n"); - return -1; - } - if (n_written != n_read) { - fprintf(stderr, "write(anonfd): short write (%d != %d)\n", n_written, n_read); - return -1; - } - } - close(fd); - if (fcntl(mmfd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) == -1) { - close(mmfd); - fprintf(stderr, "Error sealing memfd copy: %m\n"); - return -1; - } - if (fexecve(mmfd, argv, environ) == -1) { - close(mmfd); - fprintf(stderr, "Error during reexec(...): %m\n"); - return -1; - } - return 0; -} - -void _containers_unshare(void) -{ - int flags, pidfd, continuefd, n, pgrp, sid, ctty; - char buf[2048]; - - flags = _containers_unshare_parse_envint("_Containers-unshare"); - if (flags == -1) { - return; - } - if ((flags & CLONE_NEWUSER) != 0) { - if (unshare(CLONE_NEWUSER) == -1) { - fprintf(stderr, "Error during unshare(CLONE_NEWUSER): %m\n"); - _check_proc_sys_file (_max_user_namespaces); - _check_proc_sys_file (_unprivileged_user_namespaces); - _exit(1); - } - } - pidfd = _containers_unshare_parse_envint("_Containers-pid-pipe"); - if (pidfd != -1) { - snprintf(buf, sizeof(buf), "%llu", (unsigned long long) getpid()); - size_t size = write(pidfd, buf, strlen(buf)); - if (size != strlen(buf)) { - fprintf(stderr, "Error writing PID to pipe on fd %d: %m\n", pidfd); - _exit(1); - } - close(pidfd); - } - continuefd = _containers_unshare_parse_envint("_Containers-continue-pipe"); - if (continuefd != -1) { - n = read(continuefd, buf, sizeof(buf)); - if (n > 0) { - fprintf(stderr, "Error: %.*s\n", n, buf); - _exit(1); - } - close(continuefd); - } - sid = _containers_unshare_parse_envint("_Containers-setsid"); - if (sid == 1) { - if (setsid() == -1) { - fprintf(stderr, 
"Error during setsid: %m\n"); - _exit(1); - } - } - pgrp = _containers_unshare_parse_envint("_Containers-setpgrp"); - if (pgrp == 1) { - if (setpgrp() == -1) { - fprintf(stderr, "Error during setpgrp: %m\n"); - _exit(1); - } - } - ctty = _containers_unshare_parse_envint("_Containers-ctty"); - if (ctty != -1) { - if (ioctl(ctty, TIOCSCTTY, 0) == -1) { - fprintf(stderr, "Error while setting controlling terminal to %d: %m\n", ctty); - _exit(1); - } - } - if ((flags & CLONE_NEWUSER) != 0) { - if (setresgid(0, 0, 0) != 0) { - fprintf(stderr, "Error during setresgid(0): %m\n"); - _exit(1); - } - if (setresuid(0, 0, 0) != 0) { - fprintf(stderr, "Error during setresuid(0): %m\n"); - _exit(1); - } - } - if ((flags & ~CLONE_NEWUSER) != 0) { - if (unshare(flags & ~CLONE_NEWUSER) == -1) { - fprintf(stderr, "Error during unshare(...): %m\n"); - _exit(1); - } - } - if (containers_reexec() != 0) { - _exit(1); - } - return; -} diff --git a/vendor/github.com/containers/buildah/pkg/unshare/unshare.go b/vendor/github.com/containers/buildah/pkg/unshare/unshare.go deleted file mode 100644 index ed83908c2..000000000 --- a/vendor/github.com/containers/buildah/pkg/unshare/unshare.go +++ /dev/null 
@@ -1,580 +0,0 @@
-// +build linux
-
-package unshare
-
-import (
- "bufio"
- "bytes"
- "fmt"
- "io"
- "os"
- "os/exec"
- "os/user"
- "runtime"
- "strconv"
- "strings"
- "sync"
- "syscall"
-
- "github.com/containers/storage/pkg/idtools"
- "github.com/containers/storage/pkg/reexec"
- "github.com/opencontainers/runtime-spec/specs-go"
- "github.com/pkg/errors"
- "github.com/sirupsen/logrus"
- "github.com/syndtr/gocapability/capability"
-)
-
-// Cmd wraps an exec.Cmd created by the reexec package in unshare(), and
-// handles setting ID maps and other related settings by triggering
-// initialization code in the child.
-type Cmd struct {
- *exec.Cmd
- UnshareFlags int
- UseNewuidmap bool
- UidMappings []specs.LinuxIDMapping
- UseNewgidmap bool
- GidMappings []specs.LinuxIDMapping
- GidMappingsEnableSetgroups bool
- Setsid bool
- Setpgrp bool
- Ctty *os.File
- OOMScoreAdj *int
- Hook func(pid int) error
-}
-
-// Command creates a new Cmd which can be customized.
-func Command(args ...string) *Cmd {
- cmd := reexec.Command(args...)
- return &Cmd{
- Cmd: cmd,
- }
-}
-
-func (c *Cmd) Start() error {
- runtime.LockOSThread()
- defer runtime.UnlockOSThread()
-
- // Set an environment variable to tell the child to synchronize its startup.
- if c.Env == nil {
- c.Env = os.Environ()
- }
- c.Env = append(c.Env, fmt.Sprintf("_Containers-unshare=%d", c.UnshareFlags))
-
- // Please the libpod "rootless" package to find the expected env variables.
- if os.Geteuid() != 0 {
- c.Env = append(c.Env, "_CONTAINERS_USERNS_CONFIGURED=done")
- c.Env = append(c.Env, fmt.Sprintf("_CONTAINERS_ROOTLESS_UID=%d", os.Geteuid()))
- c.Env = append(c.Env, fmt.Sprintf("_CONTAINERS_ROOTLESS_GID=%d", os.Getegid()))
- }
-
- // Create the pipe for reading the child's PID.
- pidRead, pidWrite, err := os.Pipe()
- if err != nil {
- return errors.Wrapf(err, "error creating pid pipe")
- }
- c.Env = append(c.Env, fmt.Sprintf("_Containers-pid-pipe=%d", len(c.ExtraFiles)+3))
- c.ExtraFiles = append(c.ExtraFiles, pidWrite)
-
- // Create the pipe for letting the child know to proceed.
- continueRead, continueWrite, err := os.Pipe()
- if err != nil {
- pidRead.Close()
- pidWrite.Close()
- return errors.Wrapf(err, "error creating pid pipe")
- }
- c.Env = append(c.Env, fmt.Sprintf("_Containers-continue-pipe=%d", len(c.ExtraFiles)+3))
- c.ExtraFiles = append(c.ExtraFiles, continueRead)
-
- // Pass along other instructions.
- if c.Setsid {
- c.Env = append(c.Env, "_Containers-setsid=1")
- }
- if c.Setpgrp {
- c.Env = append(c.Env, "_Containers-setpgrp=1")
- }
- if c.Ctty != nil {
- c.Env = append(c.Env, fmt.Sprintf("_Containers-ctty=%d", len(c.ExtraFiles)+3))
- c.ExtraFiles = append(c.ExtraFiles, c.Ctty)
- }
-
- // Make sure we clean up our pipes.
- defer func() {
- if pidRead != nil {
- pidRead.Close()
- }
- if pidWrite != nil {
- pidWrite.Close()
- }
- if continueRead != nil {
- continueRead.Close()
- }
- if continueWrite != nil {
- continueWrite.Close()
- }
- }()
-
- // Start the new process.
- err = c.Cmd.Start()
- if err != nil {
- return err
- }
-
- // Close the ends of the pipes that the parent doesn't need.
- continueRead.Close()
- continueRead = nil
- pidWrite.Close()
- pidWrite = nil
-
- // Read the child's PID from the pipe.
- pidString := ""
- b := new(bytes.Buffer)
- if _, err := io.Copy(b, pidRead); err != nil {
- return errors.Wrapf(err, "error reading child PID")
- }
- pidString = b.String()
- pid, err := strconv.Atoi(pidString)
- if err != nil {
- fmt.Fprintf(continueWrite, "error parsing PID %q: %v", pidString, err)
- return errors.Wrapf(err, "error parsing PID %q", pidString)
- }
- pidString = fmt.Sprintf("%d", pid)
-
- // If we created a new user namespace, set any specified mappings.
- if c.UnshareFlags&syscall.CLONE_NEWUSER != 0 {
- // Always set "setgroups".
- setgroups, err := os.OpenFile(fmt.Sprintf("/proc/%s/setgroups", pidString), os.O_TRUNC|os.O_WRONLY, 0)
- if err != nil {
- fmt.Fprintf(continueWrite, "error opening setgroups: %v", err)
- return errors.Wrapf(err, "error opening /proc/%s/setgroups", pidString)
- }
- defer setgroups.Close()
- if c.GidMappingsEnableSetgroups {
- if _, err := fmt.Fprintf(setgroups, "allow"); err != nil {
- fmt.Fprintf(continueWrite, "error writing \"allow\" to setgroups: %v", err)
- return errors.Wrapf(err, "error opening \"allow\" to /proc/%s/setgroups", pidString)
- }
- } else {
- if _, err := fmt.Fprintf(setgroups, "deny"); err != nil {
- fmt.Fprintf(continueWrite, "error writing \"deny\" to setgroups: %v", err)
- return errors.Wrapf(err, "error writing \"deny\" to /proc/%s/setgroups", pidString)
- }
- }
-
- if len(c.UidMappings) == 0 || len(c.GidMappings) == 0 {
- uidmap, gidmap, err := GetHostIDMappings("")
- if err != nil {
- fmt.Fprintf(continueWrite, "error reading ID mappings in parent: %v", err)
- return errors.Wrapf(err, "error reading ID mappings in parent")
- }
- if len(c.UidMappings) == 0 {
- c.UidMappings = uidmap
- for i := range c.UidMappings {
- c.UidMappings[i].HostID = c.UidMappings[i].ContainerID
- }
- }
- if len(c.GidMappings) == 0 {
- c.GidMappings = gidmap
- for i := range c.GidMappings {
- c.GidMappings[i].HostID = c.GidMappings[i].ContainerID
- }
- }
- }
-
- if len(c.GidMappings) > 0 {
- // Build the GID map, since writing to the proc file has to be done all at once.
- g := new(bytes.Buffer)
- for _, m := range c.GidMappings {
- fmt.Fprintf(g, "%d %d %d\n", m.ContainerID, m.HostID, m.Size)
- }
- gidmapSet := false
- // Set the GID map.
- if c.UseNewgidmap {
- cmd := exec.Command("newgidmap", append([]string{pidString}, strings.Fields(strings.Replace(g.String(), "\n", " ", -1))...)...)
- g.Reset()
- cmd.Stdout = g
- cmd.Stderr = g
- err := cmd.Run()
- if err == nil {
- gidmapSet = true
- } else {
- logrus.Warnf("error running newgidmap: %v: %s", err, g.String())
- logrus.Warnf("falling back to single mapping")
- g.Reset()
- g.Write([]byte(fmt.Sprintf("0 %d 1\n", os.Getegid())))
- }
- }
- if !gidmapSet {
- if c.UseNewgidmap {
- setgroups, err := os.OpenFile(fmt.Sprintf("/proc/%s/setgroups", pidString), os.O_TRUNC|os.O_WRONLY, 0)
- if err != nil {
- fmt.Fprintf(continueWrite, "error opening /proc/%s/setgroups: %v", pidString, err)
- return errors.Wrapf(err, "error opening /proc/%s/setgroups", pidString)
- }
- defer setgroups.Close()
- if _, err := fmt.Fprintf(setgroups, "deny"); err != nil {
- fmt.Fprintf(continueWrite, "error writing 'deny' to /proc/%s/setgroups: %v", pidString, err)
- return errors.Wrapf(err, "error writing 'deny' to /proc/%s/setgroups", pidString)
- }
- }
- gidmap, err := os.OpenFile(fmt.Sprintf("/proc/%s/gid_map", pidString), os.O_TRUNC|os.O_WRONLY, 0)
- if err != nil {
- fmt.Fprintf(continueWrite, "error opening /proc/%s/gid_map: %v", pidString, err)
- return errors.Wrapf(err, "error opening /proc/%s/gid_map", pidString)
- }
- defer gidmap.Close()
- if _, err := fmt.Fprintf(gidmap, "%s", g.String()); err != nil {
- fmt.Fprintf(continueWrite, "error writing %q to /proc/%s/gid_map: %v", g.String(), pidString, err)
- return errors.Wrapf(err, "error writing %q to /proc/%s/gid_map", g.String(), pidString)
- }
- }
- }
-
- if len(c.UidMappings) > 0 {
- // Build the UID map, since writing to the proc file has to be done all at once.
- u := new(bytes.Buffer)
- for _, m := range c.UidMappings {
- fmt.Fprintf(u, "%d %d %d\n", m.ContainerID, m.HostID, m.Size)
- }
- uidmapSet := false
- // Set the GID map.
- if c.UseNewuidmap {
- cmd := exec.Command("newuidmap", append([]string{pidString}, strings.Fields(strings.Replace(u.String(), "\n", " ", -1))...)...)
- u.Reset()
- cmd.Stdout = u
- cmd.Stderr = u
- err := cmd.Run()
- if err == nil {
- uidmapSet = true
- } else {
- logrus.Warnf("error running newuidmap: %v: %s", err, u.String())
- logrus.Warnf("falling back to single mapping")
- u.Reset()
- u.Write([]byte(fmt.Sprintf("0 %d 1\n", os.Geteuid())))
- }
- }
- if !uidmapSet {
- uidmap, err := os.OpenFile(fmt.Sprintf("/proc/%s/uid_map", pidString), os.O_TRUNC|os.O_WRONLY, 0)
- if err != nil {
- fmt.Fprintf(continueWrite, "error opening /proc/%s/uid_map: %v", pidString, err)
- return errors.Wrapf(err, "error opening /proc/%s/uid_map", pidString)
- }
- defer uidmap.Close()
- if _, err := fmt.Fprintf(uidmap, "%s", u.String()); err != nil {
- fmt.Fprintf(continueWrite, "error writing %q to /proc/%s/uid_map: %v", u.String(), pidString, err)
- return errors.Wrapf(err, "error writing %q to /proc/%s/uid_map", u.String(), pidString)
- }
- }
- }
- }
-
- if c.OOMScoreAdj != nil {
- oomScoreAdj, err := os.OpenFile(fmt.Sprintf("/proc/%s/oom_score_adj", pidString), os.O_TRUNC|os.O_WRONLY, 0)
- if err != nil {
- fmt.Fprintf(continueWrite, "error opening oom_score_adj: %v", err)
- return errors.Wrapf(err, "error opening /proc/%s/oom_score_adj", pidString)
- }
- defer oomScoreAdj.Close()
- if _, err := fmt.Fprintf(oomScoreAdj, "%d\n", *c.OOMScoreAdj); err != nil {
- fmt.Fprintf(continueWrite, "error writing \"%d\" to oom_score_adj: %v", c.OOMScoreAdj, err)
- return errors.Wrapf(err, "error writing \"%d\" to /proc/%s/oom_score_adj", c.OOMScoreAdj, pidString)
- }
- }
- // Run any additional setup that we want to do before the child starts running proper.
- if c.Hook != nil {
- if err = c.Hook(pid); err != nil {
- fmt.Fprintf(continueWrite, "hook error: %v", err)
- return err
- }
- }
-
- return nil
-}
-
-func (c *Cmd) Run() error {
- if err := c.Start(); err != nil {
- return err
- }
- return c.Wait()
-}
-
-func (c *Cmd) CombinedOutput() ([]byte, error) {
- return nil, errors.New("unshare: CombinedOutput() not implemented")
-}
-
-func (c *Cmd) Output() ([]byte, error) {
- return nil, errors.New("unshare: Output() not implemented")
-}
-
-var (
- isRootlessOnce sync.Once
- isRootless bool
-)
-
-const (
- // UsernsEnvName is the environment variable, if set indicates in rootless mode
- UsernsEnvName = "_CONTAINERS_USERNS_CONFIGURED"
-)
-
-// IsRootless tells us if we are running in rootless mode
-func IsRootless() bool {
- isRootlessOnce.Do(func() {
- isRootless = os.Geteuid() != 0 || os.Getenv(UsernsEnvName) != ""
- })
- return isRootless
-}
-
-// GetRootlessUID returns the UID of the user in the parent userNS
-func GetRootlessUID() int {
- uidEnv := os.Getenv("_CONTAINERS_ROOTLESS_UID")
- if uidEnv != "" {
- u, _ := strconv.Atoi(uidEnv)
- return u
- }
- return os.Getuid()
-}
-
-// RootlessEnv returns the environment settings for the rootless containers
-func RootlessEnv() []string {
- return append(os.Environ(), UsernsEnvName+"=done")
-}
-
-type Runnable interface {
- Run() error
-}
-
-func bailOnError(err error, format string, a ...interface{}) {
- if err != nil {
- if format != "" {
- logrus.Errorf("%s: %v", fmt.Sprintf(format, a...), err)
- } else {
- logrus.Errorf("%v", err)
- }
- os.Exit(1)
- }
-}
-
-// MaybeReexecUsingUserNamespace re-exec the process in a new namespace
-func MaybeReexecUsingUserNamespace(evenForRoot bool) {
- // If we've already been through this once, no need to try again.
- if os.Geteuid() == 0 && IsRootless() {
- return
- }
-
- var uidNum, gidNum uint64
- // Figure out who we are.
- me, err := user.Current()
- if !os.IsNotExist(err) {
- bailOnError(err, "error determining current user")
- uidNum, err = strconv.ParseUint(me.Uid, 10, 32)
- bailOnError(err, "error parsing current UID %s", me.Uid)
- gidNum, err = strconv.ParseUint(me.Gid, 10, 32)
- bailOnError(err, "error parsing current GID %s", me.Gid)
- }
-
- runtime.LockOSThread()
- defer runtime.UnlockOSThread()
-
- // ID mappings to use to reexec ourselves.
- var uidmap, gidmap []specs.LinuxIDMapping
- if uidNum != 0 || evenForRoot {
- // Read the set of ID mappings that we're allowed to use. Each
- // range in /etc/subuid and /etc/subgid file is a starting host
- // ID and a range size.
- uidmap, gidmap, err = GetSubIDMappings(me.Username, me.Username)
- if err != nil {
- logrus.Warnf("error reading allowed ID mappings: %v", err)
- }
- if len(uidmap) == 0 {
- logrus.Warnf("Found no UID ranges set aside for user %q in /etc/subuid.", me.Username)
- }
- if len(gidmap) == 0 {
- logrus.Warnf("Found no GID ranges set aside for user %q in /etc/subgid.", me.Username)
- }
- // Map our UID and GID, then the subuid and subgid ranges,
- // consecutively, starting at 0, to get the mappings to use for
- // a copy of ourselves.
- uidmap = append([]specs.LinuxIDMapping{{HostID: uint32(uidNum), ContainerID: 0, Size: 1}}, uidmap...)
- gidmap = append([]specs.LinuxIDMapping{{HostID: uint32(gidNum), ContainerID: 0, Size: 1}}, gidmap...)
- var rangeStart uint32
- for i := range uidmap {
- uidmap[i].ContainerID = rangeStart
- rangeStart += uidmap[i].Size
- }
- rangeStart = 0
- for i := range gidmap {
- gidmap[i].ContainerID = rangeStart
- rangeStart += gidmap[i].Size
- }
- } else {
- // If we have CAP_SYS_ADMIN, then we don't need to create a new namespace in order to be able
- // to use unshare(), so don't bother creating a new user namespace at this point.
- capabilities, err := capability.NewPid(0)
- bailOnError(err, "error reading the current capabilities sets")
- if capabilities.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN) {
- return
- }
- // Read the set of ID mappings that we're currently using.
- uidmap, gidmap, err = GetHostIDMappings("")
- bailOnError(err, "error reading current ID mappings")
- // Just reuse them.
- for i := range uidmap {
- uidmap[i].HostID = uidmap[i].ContainerID
- }
- for i := range gidmap {
- gidmap[i].HostID = gidmap[i].ContainerID
- }
- }
-
- // Unlike most uses of reexec or unshare, we're using a name that
- // _won't_ be recognized as a registered reexec handler, since we
- // _want_ to fall through reexec.Init() to the normal main().
- cmd := Command(append([]string{fmt.Sprintf("%s-in-a-user-namespace", os.Args[0])}, os.Args[1:]...)...)
-
- // If, somehow, we don't become UID 0 in our child, indicate that the child shouldn't try again.
- err = os.Setenv(UsernsEnvName, "1")
- bailOnError(err, "error setting %s=1 in environment", UsernsEnvName)
-
- // Set the default isolation type to use the "rootless" method.
- if _, present := os.LookupEnv("BUILDAH_ISOLATION"); !present {
- if err = os.Setenv("BUILDAH_ISOLATION", "rootless"); err != nil {
- if err := os.Setenv("BUILDAH_ISOLATION", "rootless"); err != nil {
- logrus.Errorf("error setting BUILDAH_ISOLATION=rootless in environment: %v", err)
- os.Exit(1)
- }
- }
- }
-
- // Reuse our stdio.
- cmd.Stdin = os.Stdin
- cmd.Stdout = os.Stdout
- cmd.Stderr = os.Stderr
-
- // Set up a new user namespace with the ID mapping.
- cmd.UnshareFlags = syscall.CLONE_NEWUSER | syscall.CLONE_NEWNS
- cmd.UseNewuidmap = uidNum != 0
- cmd.UidMappings = uidmap
- cmd.UseNewgidmap = uidNum != 0
- cmd.GidMappings = gidmap
- cmd.GidMappingsEnableSetgroups = true
-
- // Finish up.
- logrus.Debugf("running %+v with environment %+v, UID map %+v, and GID map %+v", cmd.Cmd.Args, os.Environ(), cmd.UidMappings, cmd.GidMappings)
- ExecRunnable(cmd, nil)
-}
-
-// ExecRunnable runs the specified unshare command, captures its exit status,
-// and exits with the same status.
-func ExecRunnable(cmd Runnable, cleanup func()) {
- exit := func(status int) {
- if cleanup != nil {
- cleanup()
- }
- os.Exit(status)
- }
- if err := cmd.Run(); err != nil {
- if exitError, ok := errors.Cause(err).(*exec.ExitError); ok {
- if exitError.ProcessState.Exited() {
- if waitStatus, ok := exitError.ProcessState.Sys().(syscall.WaitStatus); ok {
- if waitStatus.Exited() {
- logrus.Errorf("%v", exitError)
- exit(waitStatus.ExitStatus())
- }
- if waitStatus.Signaled() {
- logrus.Errorf("%v", exitError)
- exit(int(waitStatus.Signal()) + 128)
- }
- }
- }
- }
- logrus.Errorf("%v", err)
- logrus.Errorf("(unable to determine exit status)")
- exit(1)
- }
- exit(0)
-}
-
-// getHostIDMappings reads mappings from the named node under /proc.
-func getHostIDMappings(path string) ([]specs.LinuxIDMapping, error) {
- var mappings []specs.LinuxIDMapping
- f, err := os.Open(path)
- if err != nil {
- return nil, errors.Wrapf(err, "error reading ID mappings from %q", path)
- }
- defer f.Close()
- scanner := bufio.NewScanner(f)
- for scanner.Scan() {
- line := scanner.Text()
- fields := strings.Fields(line)
- if len(fields) != 3 {
- return nil, errors.Errorf("line %q from %q has %d fields, not 3", line, path, len(fields))
- }
- cid, err := strconv.ParseUint(fields[0], 10, 32)
- if err != nil {
- return nil, errors.Wrapf(err, "error parsing container ID value %q from line %q in %q", fields[0], line, path)
- }
- hid, err := strconv.ParseUint(fields[1], 10, 32)
- if err != nil {
- return nil, errors.Wrapf(err, "error parsing host ID value %q from line %q in %q", fields[1], line, path)
- }
- size, err := strconv.ParseUint(fields[2], 10, 32)
- if err != nil {
- return nil, errors.Wrapf(err, "error parsing size value %q from line %q in %q", fields[2], line, path)
- }
- mappings = append(mappings, specs.LinuxIDMapping{ContainerID: uint32(cid), HostID: uint32(hid), Size: uint32(size)})
- }
- return mappings, nil
-}
-
-// GetHostIDMappings reads mappings for the specified process (or the current
-// process if pid is "self" or an empty string) from the kernel.
-func GetHostIDMappings(pid string) ([]specs.LinuxIDMapping, []specs.LinuxIDMapping, error) {
- if pid == "" {
- pid = "self"
- }
- uidmap, err := getHostIDMappings(fmt.Sprintf("/proc/%s/uid_map", pid))
- if err != nil {
- return nil, nil, err
- }
- gidmap, err := getHostIDMappings(fmt.Sprintf("/proc/%s/gid_map", pid))
- if err != nil {
- return nil, nil, err
- }
- return uidmap, gidmap, nil
-}
-
-// GetSubIDMappings reads mappings from /etc/subuid and /etc/subgid.
-func GetSubIDMappings(user, group string) ([]specs.LinuxIDMapping, []specs.LinuxIDMapping, error) {
- mappings, err := idtools.NewIDMappings(user, group)
- if err != nil {
- return nil, nil, errors.Wrapf(err, "error reading subuid mappings for user %q and subgid mappings for group %q", user, group)
- }
- var uidmap, gidmap []specs.LinuxIDMapping
- for _, m := range mappings.UIDs() {
- uidmap = append(uidmap, specs.LinuxIDMapping{
- ContainerID: uint32(m.ContainerID),
- HostID: uint32(m.HostID),
- Size: uint32(m.Size),
- })
- }
- for _, m := range mappings.GIDs() {
- gidmap = append(gidmap, specs.LinuxIDMapping{
- ContainerID: uint32(m.ContainerID),
- HostID: uint32(m.HostID),
- Size: uint32(m.Size),
- })
- }
- return uidmap, gidmap, nil
-}
-
-// ParseIDMappings parses mapping triples.
-func ParseIDMappings(uidmap, gidmap []string) ([]idtools.IDMap, []idtools.IDMap, error) {
- uid, err := idtools.ParseIDMap(uidmap, "userns-uid-map")
- if err != nil {
- return nil, nil, err
- }
- gid, err := idtools.ParseIDMap(gidmap, "userns-gid-map")
- if err != nil {
- return nil, nil, err
- }
- return uid, gid, nil
-}
diff --git a/vendor/github.com/containers/buildah/pkg/unshare/unshare_cgo.go b/vendor/github.com/containers/buildah/pkg/unshare/unshare_cgo.go
deleted file mode 100644
index b3f8099f6..000000000
--- a/vendor/github.com/containers/buildah/pkg/unshare/unshare_cgo.go
+++ /dev/null
@@ -1,10 +0,0 @@
-// +build linux,cgo,!gccgo
-
-package unshare
-
-// #cgo CFLAGS: -Wall
-// extern void _containers_unshare(void);
-// void __attribute__((constructor)) init(void) {
-// _containers_unshare();
-// }
-import "C"
diff --git a/vendor/github.com/containers/buildah/pkg/unshare/unshare_gccgo.go b/vendor/github.com/containers/buildah/pkg/unshare/unshare_gccgo.go
deleted file mode 100644
index 2f95da7d8..000000000
--- a/vendor/github.com/containers/buildah/pkg/unshare/unshare_gccgo.go
+++ /dev/null
@@ -1,25 +0,0 @@
-// +build linux,cgo,gccgo
-
-package unshare
-
-// #cgo CFLAGS: -Wall -Wextra
-// extern void _containers_unshare(void);
-// void __attribute__((constructor)) init(void) {
-// _containers_unshare();
-// }
-import "C"
-
-// This next bit is straight out of libcontainer.
-
-// AlwaysFalse is here to stay false
-// (and be exported so the compiler doesn't optimize out its reference)
-var AlwaysFalse bool
-
-func init() {
- if AlwaysFalse {
- // by referencing this C init() in a noop test, it will ensure the compiler
- // links in the C function.
- // https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65134
- C.init()
- }
-}
diff --git a/vendor/github.com/containers/buildah/pkg/unshare/unshare_unsupported.go b/vendor/github.com/containers/buildah/pkg/unshare/unshare_unsupported.go
deleted file mode 100644
index bf4d567b8..000000000
--- a/vendor/github.com/containers/buildah/pkg/unshare/unshare_unsupported.go
+++ /dev/null
@@ -1,45 +0,0 @@
-// +build !linux
-
-package unshare
-
-import (
- "os"
-
- "github.com/containers/storage/pkg/idtools"
- "github.com/opencontainers/runtime-spec/specs-go"
-)
-
-const (
- // UsernsEnvName is the environment variable, if set indicates in rootless mode
- UsernsEnvName = "_CONTAINERS_USERNS_CONFIGURED"
-)
-
-// IsRootless tells us if we are running in rootless mode
-func IsRootless() bool {
- return false
-}
-
-// GetRootlessUID returns the UID of the user in the parent userNS
-func GetRootlessUID() int {
- return os.Getuid()
-}
-
-// RootlessEnv returns the environment settings for the rootless containers
-func RootlessEnv() []string {
- return append(os.Environ(), UsernsEnvName+"=")
-}
-
-// MaybeReexecUsingUserNamespace re-exec the process in a new namespace
-func MaybeReexecUsingUserNamespace(evenForRoot bool) {
-}
-
-// GetHostIDMappings reads mappings for the specified process (or the current
-// process if pid is "self" or an empty string) from the kernel.
-func GetHostIDMappings(pid string) ([]specs.LinuxIDMapping, []specs.LinuxIDMapping, error) {
- return nil, nil, nil
-}
-
-// ParseIDMappings parses mapping triples.
-func ParseIDMappings(uidmap, gidmap []string) ([]idtools.IDMap, []idtools.IDMap, error) {
- return nil, nil, nil
-}
diff --git a/vendor/github.com/containers/buildah/run_linux.go b/vendor/github.com/containers/buildah/run_linux.go
index 4f507d1bc..4c2d73edd 100644
--- a/vendor/github.com/containers/buildah/run_linux.go
+++ b/vendor/github.com/containers/buildah/run_linux.go
@@ -25,8 +25,8 @@ import (
 "github.com/containers/buildah/chroot"
 "github.com/containers/buildah/pkg/overlay"
 "github.com/containers/buildah/pkg/secrets"
- "github.com/containers/buildah/pkg/unshare"
 "github.com/containers/buildah/util"
+ "github.com/containers/common/pkg/unshare"
 "github.com/containers/storage/pkg/idtools"
 "github.com/containers/storage/pkg/ioutils"
 "github.com/containers/storage/pkg/reexec"
diff --git a/vendor/github.com/containers/buildah/util/util.go b/vendor/github.com/containers/buildah/util/util.go
index d5e842315..617af7b32 100644
--- a/vendor/github.com/containers/buildah/util/util.go
+++ b/vendor/github.com/containers/buildah/util/util.go
@@ -9,7 +9,7 @@ import (
 "strings"
 "syscall"

- "github.com/containers/buildah/pkg/cgroups"
+ "github.com/containers/common/pkg/cgroups"
 "github.com/containers/image/v5/docker/reference"
 "github.com/containers/image/v5/pkg/sysregistriesv2"
 "github.com/containers/image/v5/signature" |