summaryrefslogtreecommitdiff
path: root/vendor
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2022-03-29 07:31:23 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2022-04-08 09:02:52 -0400
commitdc17195bd9d1027b19c3e7f0975f17f4ebda408a (patch)
tree223a7caf22ee81fbd6a01d166c0821db4d413616 /vendor
parentf838333b7e6fae09f3ee9116b84c6e6482367298 (diff)
downloadpodman-dc17195bd9d1027b19c3e7f0975f17f4ebda408a.tar.gz
podman-dc17195bd9d1027b19c3e7f0975f17f4ebda408a.tar.bz2
podman-dc17195bd9d1027b19c3e7f0975f17f4ebda408a.zip
Vendor in new opencontainers/selinux
Also update vendor of containers/common,buildah,storage,image Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2069586 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'vendor')
-rw-r--r--vendor/github.com/containers/buildah/CHANGELOG.md59
-rw-r--r--vendor/github.com/containers/buildah/add.go34
-rw-r--r--vendor/github.com/containers/buildah/changelog.txt57
-rw-r--r--vendor/github.com/containers/buildah/chroot/run.go57
-rw-r--r--vendor/github.com/containers/buildah/copier/copier.go28
-rw-r--r--vendor/github.com/containers/buildah/define/build.go2
-rw-r--r--vendor/github.com/containers/buildah/define/types.go2
-rw-r--r--vendor/github.com/containers/buildah/go.mod27
-rw-r--r--vendor/github.com/containers/buildah/go.sum94
-rw-r--r--vendor/github.com/containers/buildah/imagebuildah/build.go4
-rw-r--r--vendor/github.com/containers/buildah/imagebuildah/stage_executor.go10
-rw-r--r--vendor/github.com/containers/buildah/install.md9
-rw-r--r--vendor/github.com/containers/buildah/internal/parse/parse.go248
-rw-r--r--vendor/github.com/containers/buildah/new.go10
-rw-r--r--vendor/github.com/containers/buildah/pkg/cli/common.go2
-rw-r--r--vendor/github.com/containers/buildah/pkg/parse/parse.go210
-rw-r--r--vendor/github.com/containers/buildah/run.go2
-rw-r--r--vendor/github.com/containers/buildah/run_linux.go174
-rw-r--r--vendor/github.com/containers/buildah/selinux.go5
-rw-r--r--vendor/github.com/containers/common/libimage/import.go5
-rw-r--r--vendor/github.com/containers/common/libnetwork/cni/cni_conversion.go234
-rw-r--r--vendor/github.com/containers/common/libnetwork/cni/cni_types.go14
-rw-r--r--vendor/github.com/containers/common/libnetwork/cni/config.go45
-rw-r--r--vendor/github.com/containers/common/libnetwork/cni/run.go45
-rw-r--r--vendor/github.com/containers/common/libnetwork/internal/util/bridge.go4
-rw-r--r--vendor/github.com/containers/common/libnetwork/internal/util/create.go8
-rw-r--r--vendor/github.com/containers/common/libnetwork/netavark/config.go41
-rw-r--r--vendor/github.com/containers/common/libnetwork/netavark/network.go2
-rw-r--r--vendor/github.com/containers/common/libnetwork/types/const.go4
-rw-r--r--vendor/github.com/containers/common/pkg/config/config.go12
-rw-r--r--vendor/github.com/containers/common/pkg/report/camelcase/README.md4
-rw-r--r--vendor/github.com/containers/common/pkg/secrets/passdriver/passdriver.go8
-rw-r--r--vendor/github.com/containers/image/v5/copy/copy.go11
-rw-r--r--vendor/github.com/containers/image/v5/copy/sign.go17
-rw-r--r--vendor/github.com/containers/image/v5/docker/docker_client.go40
-rw-r--r--vendor/github.com/containers/image/v5/docker/docker_image_dest.go21
-rw-r--r--vendor/github.com/containers/image/v5/docker/docker_image_src.go11
-rw-r--r--vendor/github.com/containers/image/v5/docker/lookaside.go2
-rw-r--r--vendor/github.com/containers/image/v5/openshift/openshift.go2
-rw-r--r--vendor/github.com/containers/image/v5/pkg/sysregistriesv2/shortnames.go6
-rw-r--r--vendor/github.com/containers/image/v5/pkg/sysregistriesv2/system_registries_v2.go67
-rw-r--r--vendor/github.com/containers/image/v5/signature/mechanism.go1
-rw-r--r--vendor/github.com/containers/image/v5/signature/mechanism_openpgp.go1
-rw-r--r--vendor/github.com/containers/image/v5/version/version.go6
-rw-r--r--vendor/github.com/containers/storage/.cirrus.yml10
-rw-r--r--vendor/github.com/containers/storage/VERSION2
-rw-r--r--vendor/github.com/containers/storage/go.mod4
-rw-r--r--vendor/github.com/containers/storage/go.sum7
-rw-r--r--vendor/github.com/containers/storage/pkg/idtools/idtools.go1
-rw-r--r--vendor/github.com/containers/storage/pkg/unshare/unshare_linux.go25
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go10
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go2
-rw-r--r--vendor/github.com/opencontainers/selinux/go-selinux/rchcon_go115.go2
-rw-r--r--vendor/github.com/openshift/imagebuilder/builder.go16
-rw-r--r--vendor/github.com/openshift/imagebuilder/imagebuilder.spec2
-rw-r--r--vendor/modules.txt21
56 files changed, 1174 insertions, 573 deletions
diff --git a/vendor/github.com/containers/buildah/CHANGELOG.md b/vendor/github.com/containers/buildah/CHANGELOG.md
index 5b2996e37..82cee5080 100644
--- a/vendor/github.com/containers/buildah/CHANGELOG.md
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md
@@ -2,6 +2,65 @@
# Changelog
+## v1.25.1 (2022-03-30)
+
+ buildah: create WORKDIR with USER permissions
+ vendor: update github.com/openshift/imagebuilder
+ copier: attempt to open the dir before adding it
+ Updated dependabot to get updates for GitHub actions.
+ Switch most calls to filepath.Walk to filepath.WalkDir
+ build: allow --no-cache and --layers so build cache can be overrided
+ build(deps): bump github.com/onsi/gomega from 1.18.1 to 1.19.0
+ Bump to v1.26.0-dev
+ build(deps): bump github.com/golangci/golangci-lint in /tests/tools
+
+## v1.25.0 (2022-03-25)
+
+ install: drop RHEL/CentOS 7 doc
+ build(deps): bump github.com/containers/common from 0.47.4 to 0.47.5
+ Bump c/storage to v1.39.0 in main
+ Add a test for CVE-2022-27651
+ build(deps): bump github.com/docker/docker
+ Bump github.com/prometheus/client_golang to v1.11.1
+ [CI:DOCS] man pages: sort flags, and keep them that way
+ build(deps): bump github.com/containerd/containerd from 1.6.1 to 1.6.2
+ Don't pollute
+ network setup: increase timeout to 4 minutes
+ do not set the inheritable capabilities
+ build(deps): bump github.com/golangci/golangci-lint in /tests/tools
+ build(deps): bump github.com/containers/ocicrypt from 1.1.2 to 1.1.3
+ parse: convert exposed GetVolumes to internal only
+ buildkit: mount=type=cache support locking external cache store
+ .in support: improve error message when cpp is not installed
+ buildah image: install cpp
+ build(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1
+ build(deps): bump github.com/spf13/cobra from 1.3.0 to 1.4.0
+ build(deps): bump github.com/docker/docker
+ Add --no-hosts flag to eliminate use of /etc/hosts within containers
+ test: remove skips for rootless users
+ test: unshare mount/umount if test is_rootless
+ tests/copy: read correct containers.conf
+ build(deps): bump github.com/docker/distribution
+ cirrus: add seperate task and matrix for rootless
+ tests: skip tests for rootless which need unshare
+ buildah: test rootless integration
+ vendor: bump c/storage to main/93ce26691863
+ build(deps): bump github.com/fsouza/go-dockerclient from 1.7.9 to 1.7.10
+ tests/copy: initialize the network, too
+ [CI:DOCS] remove references to Kubic for CentOS and Ubuntu
+ build(deps): bump github.com/containerd/containerd from 1.6.0 to 1.6.1
+ use c/image/pkg/blobcache
+ vendor c/image/v5@v5.20.0
+ add: ensure the context directory is an absolute path
+ executor: docker builds must inherit healthconfig from base if any
+ docs: Remove Containerfile and containeringore
+ build(deps): bump github.com/fsouza/go-dockerclient from 1.7.8 to 1.7.9
+ helpers.bash: Use correct syntax
+ speed up combination-namespaces test
+ build(deps): bump github.com/golangci/golangci-lint in /tests/tools
+ Bump back to 1.25.0-dev
+ build(deps): bump github.com/containerd/containerd from 1.5.9 to 1.6.0
+
## v1.24.2 (2022-02-16)
Increase subuid/subgid to 65535
diff --git a/vendor/github.com/containers/buildah/add.go b/vendor/github.com/containers/buildah/add.go
index 6aaa2cac7..8aa53a292 100644
--- a/vendor/github.com/containers/buildah/add.go
+++ b/vendor/github.com/containers/buildah/add.go
@@ -655,3 +655,37 @@ func (b *Builder) userForCopy(mountPoint string, userspec string) (uint32, uint3
}
return owner.UID, owner.GID, nil
}
+
+// EnsureContainerPathAs creates the specified directory owned by USER
+// with the file mode set to MODE.
+func (b *Builder) EnsureContainerPathAs(path, user string, mode *os.FileMode) error {
+ mountPoint, err := b.Mount(b.MountLabel)
+ if err != nil {
+ return err
+ }
+ defer func() {
+ if err2 := b.Unmount(); err2 != nil {
+ logrus.Errorf("error unmounting container: %v", err2)
+ }
+ }()
+
+ uid, gid := uint32(0), uint32(0)
+ if user != "" {
+ if uidForCopy, gidForCopy, err := b.userForCopy(mountPoint, user); err == nil {
+ uid = uidForCopy
+ gid = gidForCopy
+ }
+ }
+
+ destUIDMap, destGIDMap := convertRuntimeIDMaps(b.IDMappingOptions.UIDMap, b.IDMappingOptions.GIDMap)
+
+ idPair := &idtools.IDPair{UID: int(uid), GID: int(gid)}
+ opts := copier.MkdirOptions{
+ ChmodNew: mode,
+ ChownNew: idPair,
+ UIDMap: destUIDMap,
+ GIDMap: destGIDMap,
+ }
+ return copier.Mkdir(mountPoint, filepath.Join(mountPoint, path), opts)
+
+}
diff --git a/vendor/github.com/containers/buildah/changelog.txt b/vendor/github.com/containers/buildah/changelog.txt
index 7351a7906..16528b87e 100644
--- a/vendor/github.com/containers/buildah/changelog.txt
+++ b/vendor/github.com/containers/buildah/changelog.txt
@@ -1,3 +1,60 @@
+- Changelog for v1.25.1 (2022-03-30)
+ * buildah: create WORKDIR with USER permissions
+ * vendor: update github.com/openshift/imagebuilder
+ * copier: attempt to open the dir before adding it
+ * Updated dependabot to get updates for GitHub actions.
+ * Switch most calls to filepath.Walk to filepath.WalkDir
+ * build: allow --no-cache and --layers so build cache can be overrided
+ * build(deps): bump github.com/onsi/gomega from 1.18.1 to 1.19.0
+ * Bump to v1.26.0-dev
+ * build(deps): bump github.com/golangci/golangci-lint in /tests/tools
+
+- Changelog for v1.25.0 (2022-03-25)
+ * install: drop RHEL/CentOS 7 doc
+ * build(deps): bump github.com/containers/common from 0.47.4 to 0.47.5
+ * Bump c/storage to v1.39.0 in main
+ * Add a test for CVE-2022-27651
+ * build(deps): bump github.com/docker/docker
+ * Bump github.com/prometheus/client_golang to v1.11.1
+ * [CI:DOCS] man pages: sort flags, and keep them that way
+ * build(deps): bump github.com/containerd/containerd from 1.6.1 to 1.6.2
+ * Don't pollute
+ * network setup: increase timeout to 4 minutes
+ * do not set the inheritable capabilities
+ * build(deps): bump github.com/golangci/golangci-lint in /tests/tools
+ * build(deps): bump github.com/containers/ocicrypt from 1.1.2 to 1.1.3
+ * parse: convert exposed GetVolumes to internal only
+ * buildkit: mount=type=cache support locking external cache store
+ * .in support: improve error message when cpp is not installed
+ * buildah image: install cpp
+ * build(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1
+ * build(deps): bump github.com/spf13/cobra from 1.3.0 to 1.4.0
+ * build(deps): bump github.com/docker/docker
+ * Add --no-hosts flag to eliminate use of /etc/hosts within containers
+ * test: remove skips for rootless users
+ * test: unshare mount/umount if test is_rootless
+ * tests/copy: read correct containers.conf
+ * build(deps): bump github.com/docker/distribution
+ * cirrus: add seperate task and matrix for rootless
+ * tests: skip tests for rootless which need unshare
+ * buildah: test rootless integration
+ * vendor: bump c/storage to main/93ce26691863
+ * build(deps): bump github.com/fsouza/go-dockerclient from 1.7.9 to 1.7.10
+ * tests/copy: initialize the network, too
+ * [CI:DOCS] remove references to Kubic for CentOS and Ubuntu
+ * build(deps): bump github.com/containerd/containerd from 1.6.0 to 1.6.1
+ * use c/image/pkg/blobcache
+ * vendor c/image/v5@v5.20.0
+ * add: ensure the context directory is an absolute path
+ * executor: docker builds must inherit healthconfig from base if any
+ * docs: Remove Containerfile and containeringore
+ * build(deps): bump github.com/fsouza/go-dockerclient from 1.7.8 to 1.7.9
+ * helpers.bash: Use correct syntax
+ * speed up combination-namespaces test
+ * build(deps): bump github.com/golangci/golangci-lint in /tests/tools
+ * Bump back to 1.25.0-dev
+ * build(deps): bump github.com/containerd/containerd from 1.5.9 to 1.6.0
+
- Changelog for v1.24.2 (2022-02-16)
* Increase subuid/subgid to 65535
* history: only add proxy vars to history if specified
diff --git a/vendor/github.com/containers/buildah/chroot/run.go b/vendor/github.com/containers/buildah/chroot/run.go
index badb51e34..9ff7c933d 100644
--- a/vendor/github.com/containers/buildah/chroot/run.go
+++ b/vendor/github.com/containers/buildah/chroot/run.go
@@ -10,6 +10,7 @@ import (
"io/ioutil"
"os"
"os/exec"
+ "os/signal"
"path/filepath"
"runtime"
"strconv"
@@ -159,10 +160,24 @@ func RunUsingChroot(spec *specs.Spec, bundlePath, homeDir string, stdin io.Reade
// Start the grandparent subprocess.
cmd := unshare.Command(runUsingChrootCommand)
+ setPdeathsig(cmd.Cmd)
cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
cmd.Dir = "/"
cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
+ interrupted := make(chan os.Signal, 100)
+ cmd.Hook = func(int) error {
+ signal.Notify(interrupted, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
+ go func() {
+ for receivedSignal := range interrupted {
+ if err := cmd.Process.Signal(receivedSignal); err != nil {
+ logrus.Infof("%v while attempting to forward %v to child process", err, receivedSignal)
+ }
+ }
+ }()
+ return nil
+ }
+
logrus.Debugf("Running %#v in %#v", cmd.Cmd, cmd)
confwg.Add(1)
go func() {
@@ -173,6 +188,8 @@ func RunUsingChroot(spec *specs.Spec, bundlePath, homeDir string, stdin io.Reade
cmd.ExtraFiles = append([]*os.File{preader}, cmd.ExtraFiles...)
err = cmd.Run()
confwg.Wait()
+ signal.Stop(interrupted)
+ close(interrupted)
if err == nil {
return conferr
}
@@ -571,6 +588,7 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
// Start the parent subprocess.
cmd := unshare.Command(append([]string{runUsingChrootExecCommand}, spec.Process.Args...)...)
+ setPdeathsig(cmd.Cmd)
cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
cmd.Dir = "/"
cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
@@ -593,10 +611,19 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
}
cmd.OOMScoreAdj = spec.Process.OOMScoreAdj
cmd.ExtraFiles = append([]*os.File{preader}, cmd.ExtraFiles...)
+ interrupted := make(chan os.Signal, 100)
cmd.Hook = func(int) error {
for _, f := range closeOnceRunning {
f.Close()
}
+ signal.Notify(interrupted, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
+ go func() {
+ for receivedSignal := range interrupted {
+ if err := cmd.Process.Signal(receivedSignal); err != nil {
+ logrus.Infof("%v while attempting to forward %v to child process", err, receivedSignal)
+ }
+ }
+ }()
return nil
}
@@ -609,6 +636,8 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
}()
err = cmd.Run()
confwg.Wait()
+ signal.Stop(interrupted)
+ close(interrupted)
if err != nil {
if exitError, ok := err.(*exec.ExitError); ok {
if waitStatus, ok := exitError.ProcessState.Sys().(syscall.WaitStatus); ok {
@@ -792,11 +821,27 @@ func runUsingChrootExecMain() {
// Actually run the specified command.
cmd := exec.Command(args[0], args[1:]...)
+ setPdeathsig(cmd)
cmd.Env = options.Spec.Process.Env
cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
cmd.Dir = cwd
logrus.Debugf("Running %#v (PATH = %q)", cmd, os.Getenv("PATH"))
- if err = cmd.Run(); err != nil {
+ interrupted := make(chan os.Signal, 100)
+ if err = cmd.Start(); err != nil {
+ fmt.Fprintf(os.Stderr, "process failed to start with error: %v", err)
+ }
+ go func() {
+ for range interrupted {
+ if err := cmd.Process.Signal(syscall.SIGKILL); err != nil {
+ logrus.Infof("%v while attempting to send SIGKILL to child process", err)
+ }
+ }
+ }()
+ signal.Notify(interrupted, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
+ err = cmd.Wait()
+ signal.Stop(interrupted)
+ close(interrupted)
+ if err != nil {
if exitError, ok := err.(*exec.ExitError); ok {
if waitStatus, ok := exitError.ProcessState.Sys().(syscall.WaitStatus); ok {
if waitStatus.Exited() {
@@ -897,7 +942,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
capMap := map[capability.CapType][]string{
capability.BOUNDING: spec.Process.Capabilities.Bounding,
capability.EFFECTIVE: spec.Process.Capabilities.Effective,
- capability.INHERITABLE: spec.Process.Capabilities.Inheritable,
+ capability.INHERITABLE: []string{},
capability.PERMITTED: spec.Process.Capabilities.Permitted,
capability.AMBIENT: spec.Process.Capabilities.Ambient,
}
@@ -1419,3 +1464,11 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
}
return undoBinds, nil
}
+
+// setPdeathsig sets a parent-death signal for the process
+func setPdeathsig(cmd *exec.Cmd) {
+ if cmd.SysProcAttr == nil {
+ cmd.SysProcAttr = &syscall.SysProcAttr{}
+ }
+ cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
+}
diff --git a/vendor/github.com/containers/buildah/copier/copier.go b/vendor/github.com/containers/buildah/copier/copier.go
index 49f2c55eb..d9f531acc 100644
--- a/vendor/github.com/containers/buildah/copier/copier.go
+++ b/vendor/github.com/containers/buildah/copier/copier.go
@@ -6,6 +6,7 @@ import (
"encoding/json"
"fmt"
"io"
+ "io/fs"
"io/ioutil"
"net"
"os"
@@ -1179,10 +1180,10 @@ func copierHandlerGet(bulkWriter io.Writer, req request, pm *fileutils.PatternMa
// we don't expand any of the contents that are archives
options := req.GetOptions
options.ExpandArchives = false
- walkfn := func(path string, info os.FileInfo, err error) error {
+ walkfn := func(path string, d fs.DirEntry, err error) error {
if err != nil {
if options.IgnoreUnreadable && errorIsPermission(err) {
- if info != nil && info.IsDir() {
+ if info != nil && d.IsDir() {
return filepath.SkipDir
}
return nil
@@ -1192,8 +1193,8 @@ func copierHandlerGet(bulkWriter io.Writer, req request, pm *fileutils.PatternMa
}
return errors.Wrapf(err, "copier: get: error reading %q", path)
}
- if info.Mode()&os.ModeType == os.ModeSocket {
- logrus.Warningf("copier: skipping socket %q", info.Name())
+ if d.Type() == os.ModeSocket {
+ logrus.Warningf("copier: skipping socket %q", d.Name())
return nil
}
// compute the path of this item
@@ -1216,7 +1217,7 @@ func copierHandlerGet(bulkWriter io.Writer, req request, pm *fileutils.PatternMa
return err
}
if skip {
- if info.IsDir() {
+ if d.IsDir() {
// if there are no "include
// this anyway" patterns at
// all, we don't need to
@@ -1254,17 +1255,21 @@ func copierHandlerGet(bulkWriter io.Writer, req request, pm *fileutils.PatternMa
}
// if it's a symlink, read its target
symlinkTarget := ""
- if info.Mode()&os.ModeType == os.ModeSymlink {
+ if d.Type() == os.ModeSymlink {
target, err := os.Readlink(path)
if err != nil {
return errors.Wrapf(err, "copier: get: readlink(%q(%q))", rel, path)
}
symlinkTarget = target
}
+ info, err := d.Info()
+ if err != nil {
+ return err
+ }
// if it's a directory and we're staying on one device, and it's on a
// different device than the one we started from, skip its contents
var ok error
- if info.Mode().IsDir() && req.GetOptions.NoCrossDevice {
+ if d.IsDir() && req.GetOptions.NoCrossDevice {
if !sameDevice(topInfo, info) {
ok = filepath.SkipDir
}
@@ -1282,7 +1287,7 @@ func copierHandlerGet(bulkWriter io.Writer, req request, pm *fileutils.PatternMa
return ok
}
// walk the directory tree, checking/adding items individually
- if err := filepath.Walk(item, walkfn); err != nil {
+ if err := filepath.WalkDir(item, walkfn); err != nil {
return errors.Wrapf(err, "copier: get: %q(%q)", queue[i], item)
}
itemsCopied++
@@ -1461,6 +1466,13 @@ func copierHandlerGetOne(srcfi os.FileInfo, symlinkTarget, name, contentPath str
return errors.Wrapf(err, "error opening file for adding its contents to archive")
}
defer f.Close()
+ } else if hdr.Typeflag == tar.TypeDir {
+ // open the directory file first to make sure we can access it.
+ f, err = os.Open(contentPath)
+ if err != nil {
+ return errors.Wrapf(err, "error opening directory for adding its contents to archive")
+ }
+ defer f.Close()
}
// output the header
if err = tw.WriteHeader(hdr); err != nil {
diff --git a/vendor/github.com/containers/buildah/define/build.go b/vendor/github.com/containers/buildah/define/build.go
index 648491531..1d452d66d 100644
--- a/vendor/github.com/containers/buildah/define/build.go
+++ b/vendor/github.com/containers/buildah/define/build.go
@@ -29,6 +29,8 @@ type CommonBuildOptions struct {
CPUSetMems string
// HTTPProxy determines whether *_proxy env vars from the build host are passed into the container.
HTTPProxy bool
+ // IdentityLabel if set ensures that default `io.buildah.version` label is not applied to build image.
+ IdentityLabel types.OptionalBool
// Memory is the upper limit (in bytes) on how much memory running containers can use.
Memory int64
// DNSSearch is the list of DNS search domains to add to the build container's /etc/resolv.conf
diff --git a/vendor/github.com/containers/buildah/define/types.go b/vendor/github.com/containers/buildah/define/types.go
index e78172816..beedcd86e 100644
--- a/vendor/github.com/containers/buildah/define/types.go
+++ b/vendor/github.com/containers/buildah/define/types.go
@@ -29,7 +29,7 @@ const (
Package = "buildah"
// Version for the Package. Bump version in contrib/rpm/buildah.spec
// too.
- Version = "1.25.0-dev"
+ Version = "1.26.0-dev"
// DefaultRuntime if containers.conf fails.
DefaultRuntime = "runc"
diff --git a/vendor/github.com/containers/buildah/go.mod b/vendor/github.com/containers/buildah/go.mod
index ced804d67..6fb3653fd 100644
--- a/vendor/github.com/containers/buildah/go.mod
+++ b/vendor/github.com/containers/buildah/go.mod
@@ -3,14 +3,14 @@ module github.com/containers/buildah
go 1.13
require (
- github.com/containerd/containerd v1.6.1
+ github.com/containerd/containerd v1.6.2
github.com/containernetworking/cni v1.0.1
- github.com/containers/common v0.47.4
- github.com/containers/image/v5 v5.20.0
- github.com/containers/ocicrypt v1.1.2
- github.com/containers/storage v1.38.3-0.20220308085612-93ce26691863
+ github.com/containers/common v0.47.5-0.20220331143923-5f14ec785c18
+ github.com/containers/image/v5 v5.20.1-0.20220404163228-d03e80fc66b3
+ github.com/containers/ocicrypt v1.1.3
+ github.com/containers/storage v1.39.1-0.20220330193934-f3200eb5a5d9
github.com/docker/distribution v2.8.1+incompatible
- github.com/docker/docker v20.10.12+incompatible
+ github.com/docker/docker v20.10.14+incompatible
github.com/docker/go-units v0.4.0
github.com/docker/libnetwork v0.8.0-dev.2.0.20190625141545-5a177b73e316
github.com/fsouza/go-dockerclient v1.7.10
@@ -20,25 +20,26 @@ require (
github.com/konsorten/go-windows-terminal-sequences v1.0.3 // indirect
github.com/mattn/go-shellwords v1.0.12
github.com/onsi/ginkgo v1.16.5
- github.com/onsi/gomega v1.18.1
+ github.com/onsi/gomega v1.19.0
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.0.3-0.20211202193544-a5463b7f9c84
- github.com/opencontainers/runc v1.1.0
+ github.com/opencontainers/runc v1.1.1
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
github.com/opencontainers/runtime-tools v0.9.0
- github.com/opencontainers/selinux v1.10.0
- github.com/openshift/imagebuilder v1.2.2
+ github.com/opencontainers/selinux v1.10.1
+ github.com/openshift/imagebuilder v1.2.3
github.com/pkg/errors v0.9.1
+ github.com/prometheus/client_golang v1.11.1 // indirect
github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921
github.com/sirupsen/logrus v1.8.1
- github.com/spf13/cobra v1.3.0
+ github.com/spf13/cobra v1.4.0
github.com/spf13/pflag v1.0.5
- github.com/stretchr/testify v1.7.0
+ github.com/stretchr/testify v1.7.1
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
go.etcd.io/bbolt v1.3.6
golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
- golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27
+ golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
)
diff --git a/vendor/github.com/containers/buildah/go.sum b/vendor/github.com/containers/buildah/go.sum
index ea17ee260..86c79279a 100644
--- a/vendor/github.com/containers/buildah/go.sum
+++ b/vendor/github.com/containers/buildah/go.sum
@@ -108,7 +108,6 @@ github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMo
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
github.com/ProtonMail/go-crypto v0.0.0-20210920160938-87db9fbc61c7/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
-github.com/ProtonMail/go-crypto v0.0.0-20211112122917-428f8eabeeb3/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
github.com/ProtonMail/go-crypto v0.0.0-20220113124808-70ae35bab23f/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
@@ -241,8 +240,9 @@ github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTV
github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c=
github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s=
github.com/containerd/containerd v1.5.9/go.mod h1:fvQqCfadDGga5HZyn3j4+dx56qj2I9YwBrlSdalvJYQ=
-github.com/containerd/containerd v1.6.1 h1:oa2uY0/0G+JX4X7hpGCYvkp9FjUancz56kSNnb1sG3o=
github.com/containerd/containerd v1.6.1/go.mod h1:1nJz5xCZPusx6jJU8Frfct988y0NpumIq9ODB0kLtoE=
+github.com/containerd/containerd v1.6.2 h1:pcaPUGbYW8kBw6OgIZwIVIeEhdWVrBzsoCfVJ5BjrLU=
+github.com/containerd/containerd v1.6.2/go.mod h1:sidY30/InSE1j2vdD1ihtKoJz+lWdaXMdiAeIupaf+s=
github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -278,8 +278,9 @@ github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3
github.com/containerd/stargz-snapshotter/estargz v0.4.1/go.mod h1:x7Q9dg9QYb4+ELgxmo4gBUeJB0tl5dqH1Sdz0nJU1QM=
github.com/containerd/stargz-snapshotter/estargz v0.9.0/go.mod h1:aE5PCyhFMwR8sbrErO5eM2GcvkyXTTJremG883D4qF0=
github.com/containerd/stargz-snapshotter/estargz v0.11.0/go.mod h1:/KsZXsJRllMbTKFfG0miFQWViQKdI9+9aSXs+HN0+ac=
-github.com/containerd/stargz-snapshotter/estargz v0.11.2 h1:0P0vWmfrEeTtZ4BBRrpuyu/HxR9HPBLfeljGOra5f6g=
-github.com/containerd/stargz-snapshotter/estargz v0.11.2/go.mod h1:rjbdAXaytDSIrAy2WAy2kUrJ4ehzDS0eUQLlIb5UCY0=
+github.com/containerd/stargz-snapshotter/estargz v0.11.1/go.mod h1:6VoPcf4M1wvnogWxqc4TqBWWErCS+R+ucnPZId2VbpQ=
+github.com/containerd/stargz-snapshotter/estargz v0.11.3 h1:k2kN16Px6LYuv++qFqK+JTcYqc8bEVxzGpf8/gFBL5M=
+github.com/containerd/stargz-snapshotter/estargz v0.11.3/go.mod h1:7vRJIcImfY8bpifnMjt+HTJoQxASq7T28MYbP15/Nf0=
github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
github.com/containerd/ttrpc v0.0.0-20190828172938-92c8520ef9f8/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
github.com/containerd/ttrpc v0.0.0-20191028202541-4f1b8fe65a5c/go.mod h1:LPm1u0xBw8r8NOKoOdNMeVHSawSsltak+Ihv+etqsE8=
@@ -302,25 +303,28 @@ github.com/containernetworking/cni v1.0.1 h1:9OIL/sZmMYDBe+G8svzILAlulUpaDTUjeAb
github.com/containernetworking/cni v1.0.1/go.mod h1:AKuhXbN5EzmD4yTNtfSsX3tPcmtrBI6QcRV0NiNt15Y=
github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHVlzhJpcY6TQxn/fUyDDM=
github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8=
-github.com/containernetworking/plugins v1.0.1 h1:wwCfYbTCj5FC0EJgyzyjTXmqysOiJE9r712Z+2KVZAk=
github.com/containernetworking/plugins v1.0.1/go.mod h1:QHCfGpaTwYTbbH+nZXKVTxNBDZcxSOplJT5ico8/FLE=
-github.com/containers/common v0.47.4 h1:kS202Z/bTQIM/pwyuJ+lF8143Uli6AB9Q9OVR0xa9CM=
-github.com/containers/common v0.47.4/go.mod h1:HgX0mFXyB0Tbe2REEIp9x9CxET6iSzmHfwR6S/t2LZc=
-github.com/containers/image/v5 v5.19.1/go.mod h1:ewoo3u+TpJvGmsz64XgzbyTHwHtM94q7mgK/pX+v2SE=
-github.com/containers/image/v5 v5.20.0 h1:BYFMRvYqmEHnHo0sjTbnLbj0fzkGLDx6P57lszm30B4=
-github.com/containers/image/v5 v5.20.0/go.mod h1:5UL1ooih6+USVYXk19r8ScQNsbTprhlJxrHezAu4OVE=
-github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
+github.com/containernetworking/plugins v1.1.1 h1:+AGfFigZ5TiQH00vhR8qPeSatj53eNGz0C1d3wVYlHE=
+github.com/containernetworking/plugins v1.1.1/go.mod h1:Sr5TH/eBsGLXK/h71HeLfX19sZPp3ry5uHSkI4LPxV8=
+github.com/containers/common v0.47.5-0.20220331143923-5f14ec785c18 h1:Hp4ccfzcFpS2SAha0cfYcF6ofkaEFmgsuRSxBDK8W0Y=
+github.com/containers/common v0.47.5-0.20220331143923-5f14ec785c18/go.mod h1:Vr2Fn6EdzD6JNAbz8L8bTv3uWLv2p31Ih2O3EAK6Hyc=
+github.com/containers/image/v5 v5.19.2-0.20220224100137-1045fb70b094/go.mod h1:XoYK6kE0dpazFNcuS+a8lra+QfbC6s8tzv+cUuCrZpE=
+github.com/containers/image/v5 v5.20.1-0.20220404163228-d03e80fc66b3 h1:5oH8xNWulK0r7hfga9RsEZfh2JJXSn1UfSc6uPBgcP8=
+github.com/containers/image/v5 v5.20.1-0.20220404163228-d03e80fc66b3/go.mod h1:2nEPM0WuinC/0ssPsMv5Iy8YaRueUUTmTp3C7bn5uro=
github.com/containers/libtrust v0.0.0-20200511145503-9c3a6c22cd9a h1:spAGlqziZjCJL25C6F1zsQY05tfCKE9F5YwtEWWe6hU=
github.com/containers/libtrust v0.0.0-20200511145503-9c3a6c22cd9a/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc=
github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgUV4GP9qXPfu4=
github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY=
-github.com/containers/ocicrypt v1.1.2 h1:Ez+GAMP/4GLix5Ywo/fL7O0nY771gsBIigiqUm1aXz0=
github.com/containers/ocicrypt v1.1.2/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY=
+github.com/containers/ocicrypt v1.1.3 h1:uMxn2wTb4nDR7GqG3rnZSfpJXqWURfzZ7nKydzIeKpA=
+github.com/containers/ocicrypt v1.1.3/go.mod h1:xpdkbVAuaH3WzbEabUd5yDsl9SwJA5pABH85425Es2g=
github.com/containers/storage v1.37.0/go.mod h1:kqeJeS0b7DO2ZT1nVWs0XufrmPFbgV3c+Q/45RlH6r4=
github.com/containers/storage v1.38.2/go.mod h1:INP0RPLHWBxx+pTsO5uiHlDUGHDFvWZPWprAbAlQWPQ=
-github.com/containers/storage v1.38.3-0.20220308085612-93ce26691863 h1:10k6Dl+Bm9zgsxP7qv0mnrhd7+XlCmgQWKgkydwZ7vQ=
-github.com/containers/storage v1.38.3-0.20220308085612-93ce26691863/go.mod h1:uhf9mPUP+uYajC2/S0A9NaCVa2JJ6+1C254ue4Edv2g=
+github.com/containers/storage v1.38.3-0.20220301151551-d06b0f81c0aa/go.mod h1:LkkL34WRi4dI4jt9Cp+ImdZi/P5i36glSHimT5CP5zM=
+github.com/containers/storage v1.39.0/go.mod h1:UAD0cKLouN4BOQRgZut/nMjrh/EnTCjSNPgp4ZuGWMs=
+github.com/containers/storage v1.39.1-0.20220330193934-f3200eb5a5d9 h1:fA/2FemaDv+POCJgg+QGJm84gMEDBwL5H0lDeubDJoE=
+github.com/containers/storage v1.39.1-0.20220330193934-f3200eb5a5d9/go.mod h1:IMa2AfBI+Fxxk2hQqLTGhpJX6z2pZS1/I785QJeUwUY=
github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
@@ -374,8 +378,9 @@ github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6
github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker v20.10.3-0.20220208084023-a5c757555091+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v20.10.12+incompatible h1:CEeNmFM0QZIsJCZKMkZx0ZcahTiewkrgiwfYD+dfl1U=
github.com/docker/docker v20.10.12+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v20.10.14+incompatible h1:+T9/PRYWNDo5SZl5qS1r9Mo/0Q8AwxKKPtu9S1yxM0w=
+github.com/docker/docker v20.10.14+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
github.com/docker/docker-credential-helpers v0.6.4 h1:axCks+yV+2MR3/kZhAmy07yC56WZ2Pwu/fKWtKuZB0o=
github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c=
@@ -482,8 +487,9 @@ github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e h1:BWhy2j3IXJhjCbC68Fp
github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro=
github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/gogo/googleapis v1.2.0/go.mod h1:Njal3psf3qN6dwBtQfUmBZh2ybovJ0tlu3o/AC7HYjU=
github.com/gogo/googleapis v1.4.0/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c=
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
@@ -696,9 +702,10 @@ github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYs
github.com/klauspost/compress v1.11.13/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
github.com/klauspost/compress v1.14.2/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
+github.com/klauspost/compress v1.14.3/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
github.com/klauspost/compress v1.14.4/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
-github.com/klauspost/compress v1.15.0 h1:xqfchp4whNFxn5A4XFyyYtitiWI8Hy5EW59jEwcyL6U=
-github.com/klauspost/compress v1.15.0/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
+github.com/klauspost/compress v1.15.1 h1:y9FcTHGyrebwfP0ZZqFiaxTaiDnUrGkJkI+f583BL1A=
+github.com/klauspost/compress v1.15.1/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE=
github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -718,8 +725,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo=
github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w=
-github.com/magefile/mage v1.11.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
github.com/magefile/mage v1.12.1/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
+github.com/magefile/mage v1.13.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
@@ -758,8 +765,9 @@ github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88J
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
-github.com/miekg/pkcs11 v1.0.3 h1:iMwmD7I5225wv84WxIG/bmxz9AXjWvTWIbM/TYHvWtw=
github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
+github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU=
+github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible h1:aKW/4cBs+yK6gpqU3K/oIwk9Q/XICqd3zOX/UFuvqmk=
github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4=
github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
@@ -805,6 +813,7 @@ github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRW
github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM=
+github.com/networkplumbing/go-nft v0.2.0/go.mod h1:HnnM+tYvlGAsMU7yoYwXEVLLiDW9gdMmb5HoGcwpuQs=
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
@@ -825,8 +834,8 @@ github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9k
github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
-github.com/onsi/ginkgo/v2 v2.0.0 h1:CcuG/HvWNkkaqCUpJifQY8z7qEMBJya6aLPx6ftGyjQ=
-github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
+github.com/onsi/ginkgo/v2 v2.1.3 h1:e/3Cwtogj0HA+25nMP1jCMDIf8RtRYbGwGGuBIFztkc=
+github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
@@ -837,8 +846,8 @@ github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y
github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc=
github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
-github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE=
-github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs=
+github.com/onsi/gomega v1.19.0 h1:4ieX6qQjPP/BfC3mpsAtIGGlxTWPeA3Inl/7DtXw1tw=
+github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
@@ -854,8 +863,9 @@ github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rm
github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0=
github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
github.com/opencontainers/runc v1.0.3/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
-github.com/opencontainers/runc v1.1.0 h1:O9+X96OcDjkmmZyfaG996kV7yq8HsoU2h1XRRQcefG8=
github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
+github.com/opencontainers/runc v1.1.1 h1:PJ9DSs2sVwE0iVr++pAHE6QkS9tzcVWozlPifdwMgrU=
+github.com/opencontainers/runc v1.1.1/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
@@ -870,12 +880,12 @@ github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqi
github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
github.com/opencontainers/selinux v1.8.5/go.mod h1:HTvjPFoGMbpQsG886e3lQwnsRWtE4TC1OF3OUvG9FAo=
-github.com/opencontainers/selinux v1.10.0 h1:rAiKF8hTcgLI3w0DHm6i0ylVVcOrlgR1kK99DRLDhyU=
github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
-github.com/openshift/imagebuilder v1.2.2 h1:++jWWMkTVJKP2MIjTPaTk2MqwWIOYYlDaQbZyLlLBh0=
-github.com/openshift/imagebuilder v1.2.2/go.mod h1:TRYHe4CH9U6nkDjxjBNM5klrLbJBrRbpJE5SaRwUBsQ=
+github.com/opencontainers/selinux v1.10.1 h1:09LIPVRP3uuZGQvgR+SgMSNBd1Eb3vlRbGqQpoHsF8w=
+github.com/opencontainers/selinux v1.10.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
+github.com/openshift/imagebuilder v1.2.3 h1:jvA7mESJdclRKkTe3Yl6UWlliFNVW6mLY8RI+Rrfhfo=
+github.com/openshift/imagebuilder v1.2.3/go.mod h1:TRYHe4CH9U6nkDjxjBNM5klrLbJBrRbpJE5SaRwUBsQ=
github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
-github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913/go.mod h1:J6OG6YJVEWopen4avK3VNQSnALmmjvniMmni/YFYAwc=
github.com/ostreedev/ostree-go v0.0.0-20210805093236-719684c64e4f h1:/UDgs8FGMqwnHagNDPGOlts35QkhAZ8by3DR7nMih7M=
github.com/ostreedev/ostree-go v0.0.0-20210805093236-719684c64e4f/go.mod h1:J6OG6YJVEWopen4avK3VNQSnALmmjvniMmni/YFYAwc=
github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
@@ -905,8 +915,9 @@ github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5Fsn
github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=
github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
-github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ=
github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
+github.com/prometheus/client_golang v1.11.1 h1:+4eQaD7vAZ6DsfsxB15hbE0odUjGI5ARs9yskGu1v4s=
+github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -980,8 +991,9 @@ github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKv
github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
-github.com/spf13/cobra v1.3.0 h1:R7cSvGu+Vv+qX0gW5R/85dx2kmmJT5z5NM8ifdYjdn0=
github.com/spf13/cobra v1.3.0/go.mod h1:BrRVncBjOJa/eUcVVm9CE+oC6as8k+VYr4NY7WCi9V4=
+github.com/spf13/cobra v1.4.0 h1:y+wJpx64xcgO1V+RcnwW0LEHxTKRi2ZDPSBjWnrg88Q=
+github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g=
github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
@@ -1006,13 +1018,14 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
github.com/sylabs/release-tools v0.1.0/go.mod h1:pqP/z/11/rYMQ0OM/Nn7TxGijw7KfZwW9UolD/J1TUo=
-github.com/sylabs/sif/v2 v2.3.1/go.mod h1:NnvveH62GiibimL00MrI6YYcZfb7DnZMcRo/40giY+0=
-github.com/sylabs/sif/v2 v2.3.2 h1:Kj60dUcE3TSM8Px4TaIbX7PUafB1QGhUi70Fz5Gf7iU=
github.com/sylabs/sif/v2 v2.3.2/go.mod h1:IrLX2pzmQ2O4qgv5iy3HdKJcBNYds9DTMd9Je8A9tX4=
+github.com/sylabs/sif/v2 v2.4.2 h1:L4jcqeOF33JfSnH+8GJKC7/ooVpzpZ2K7wotGG4ZzqQ=
+github.com/sylabs/sif/v2 v2.4.2/go.mod h1:6gQvzNKRIqr4FS08XBfHpkpnxv9b7h58GLkSJ1zdK9A=
github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
@@ -1052,7 +1065,6 @@ github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr
github.com/xanzy/ssh-agent v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6eAcqrDh0=
github.com/xanzy/ssh-agent v0.3.1/go.mod h1:QIE4lCeL7nkC25x+yA3LBIYfwCc1TFziCtG7cBAac6w=
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
-github.com/xeipuuv/gojsonpointer v0.0.0-20190809123943-df4f5c81cb3b/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
@@ -1248,8 +1260,9 @@ golang.org/x/net v0.0.0-20210929193557-e81a3d93ecf6/go.mod h1:9nx3DQGgdP8bBQD5qx
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220114011407-0dd24b26b47d h1:1n1fc535VhN8SYtD4cDUyNlfpAF2ROMM9+11equK3hs=
golang.org/x/net v0.0.0-20220114011407-0dd24b26b47d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220225172249-27dd8689420f h1:oA4XRj0qtSt8Yo1Zms0CUlsT3KG69V2UGQWPBxujDmc=
+golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1396,8 +1409,9 @@ golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27 h1:XDXtA5hveEEV8JB2l7nhMTp3t3cHp9ZpwcdjqyEWLlo=
golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9 h1:nhht2DYV/Sn3qOayu8lM+cU1ii9sTLUeBQwQQfUHtrs=
+golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -1604,8 +1618,9 @@ google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ6
google.golang.org/genproto v0.0.0-20211129164237-f09f9a12af12/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
google.golang.org/genproto v0.0.0-20211203200212-54befc351ae9/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa h1:I0YcKz0I7OAhddo7ya8kMnvprhcWM045PmkBdMO9zN0=
google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8 h1:U9V52f6rAgINH7kT+musA1qF8kWyVOxzF8eYuOVuFwQ=
+google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
@@ -1637,8 +1652,9 @@ google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.43.0 h1:Eeu7bZtDZ2DpRCsLhUlcrLnvYaMK1Gz86a+hMVvELmM=
google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
+google.golang.org/grpc v1.44.0 h1:weqSxi/TMs1SqFRMHCtBgXRs8k3X39QIDEZ0pRcttUg=
+google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
diff --git a/vendor/github.com/containers/buildah/imagebuildah/build.go b/vendor/github.com/containers/buildah/imagebuildah/build.go
index 77d8b6d54..2384306db 100644
--- a/vendor/github.com/containers/buildah/imagebuildah/build.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/build.go
@@ -431,8 +431,8 @@ func preprocessContainerfileContents(logger *logrus.Logger, containerfile string
cppCommand := "cpp"
cppPath, err := exec.LookPath(cppCommand)
if err != nil {
- if os.IsNotExist(err) {
- err = errors.Errorf("error: %s support requires %s to be installed", containerfile, cppPath)
+ if errors.Is(err, exec.ErrNotFound) {
+ err = fmt.Errorf("error: %v: .in support requires %s to be installed", err, cppCommand)
}
return nil, err
}
diff --git a/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go b/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
index d2b635b48..4112a8187 100644
--- a/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
@@ -1519,7 +1519,9 @@ func (s *StageExecutor) commit(ctx context.Context, createdBy string, emptyLayer
s.builder.SetLabel(label[0], "")
}
}
- s.builder.SetLabel(buildah.BuilderIdentityAnnotation, define.Version)
+ if s.executor.commonBuildOptions.IdentityLabel == types.OptionalBoolUndefined || s.executor.commonBuildOptions.IdentityLabel == types.OptionalBoolTrue {
+ s.builder.SetLabel(buildah.BuilderIdentityAnnotation, define.Version)
+ }
for _, annotationSpec := range s.executor.annotations {
annotation := strings.SplitN(annotationSpec, "=", 2)
if len(annotation) > 1 {
@@ -1570,5 +1572,9 @@ func (s *StageExecutor) commit(ctx context.Context, createdBy string, emptyLayer
}
func (s *StageExecutor) EnsureContainerPath(path string) error {
- return copier.Mkdir(s.mountPoint, filepath.Join(s.mountPoint, path), copier.MkdirOptions{})
+ return s.builder.EnsureContainerPathAs(path, "", nil)
+}
+
+func (s *StageExecutor) EnsureContainerPathAs(path, user string, mode *os.FileMode) error {
+ return s.builder.EnsureContainerPathAs(path, user, mode)
}
diff --git a/vendor/github.com/containers/buildah/install.md b/vendor/github.com/containers/buildah/install.md
index 333f8dd8b..02a81be6f 100644
--- a/vendor/github.com/containers/buildah/install.md
+++ b/vendor/github.com/containers/buildah/install.md
@@ -208,9 +208,7 @@ Then to install Buildah on Fedora follow the steps in this example:
### RHEL, CentOS
-In RHEL and CentOS 7, ensure that you are subscribed to the `rhel-7-server-rpms`,
-`rhel-7-server-extras-rpms`, `rhel-7-server-optional-rpms` and `EPEL` repositories, then
-run this command:
+In RHEL and CentOS, run this command to install the build dependencies:
```
yum -y install \
@@ -232,11 +230,6 @@ run this command:
The build steps for Buildah on RHEL or CentOS are the same as for Fedora, above.
-*NOTE:* Buildah on RHEL or CentOS version 7.* is not supported running as non-root due to
-these systems not having newuidmap or newgidmap installed. It is possible to pull
-the shadow-utils source RPM from Fedora 29 and build and install from that in order to
-run Buildah as non-root on these systems.
-
### openSUSE
On openSUSE Tumbleweed, install go via `zypper in go`, then run this command:
diff --git a/vendor/github.com/containers/buildah/internal/parse/parse.go b/vendor/github.com/containers/buildah/internal/parse/parse.go
index 8085cd097..832b2b9ab 100644
--- a/vendor/github.com/containers/buildah/internal/parse/parse.go
+++ b/vendor/github.com/containers/buildah/internal/parse/parse.go
@@ -14,6 +14,7 @@ import (
"github.com/containers/image/v5/types"
"github.com/containers/storage"
"github.com/containers/storage/pkg/idtools"
+ "github.com/containers/storage/pkg/lockfile"
specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
)
@@ -28,13 +29,16 @@ const (
// mount=type=cache must create a persistent directory on host so its available for all consecutive builds.
// Lifecycle of following directory will be inherited from how host machine treats temporary directory
BuildahCacheDir = "buildah-cache"
+ // mount=type=cache allows users to lock a cache store while its being used by another build
+ BuildahCacheLockfile = "buildah-cache-lockfile"
)
var (
- errBadMntOption = errors.New("invalid mount option")
- errBadOptionArg = errors.New("must provide an argument for option")
- errBadVolDest = errors.New("must set volume destination")
- errBadVolSrc = errors.New("must set volume source")
+ errBadMntOption = errors.New("invalid mount option")
+ errBadOptionArg = errors.New("must provide an argument for option")
+ errBadVolDest = errors.New("must set volume destination")
+ errBadVolSrc = errors.New("must set volume source")
+ errDuplicateDest = errors.Errorf("duplicate mount destination")
)
// GetBindMount parses a single bind mount entry from the --mount flag.
@@ -175,9 +179,10 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
}
// GetCacheMount parses a single cache mount entry from the --mount flag.
-func GetCacheMount(args []string, store storage.Store, imageMountLabel string, additionalMountPoints map[string]internal.StageMountDetails) (specs.Mount, error) {
+func GetCacheMount(args []string, store storage.Store, imageMountLabel string, additionalMountPoints map[string]internal.StageMountDetails) (specs.Mount, []string, error) {
var err error
var mode uint64
+ lockedTargets := make([]string, 0)
var (
setDest bool
setShared bool
@@ -195,6 +200,8 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
uid := 0
//buidkit parity: cache directory defaults to gid 0 if not specified
gid := 0
+ // sharing mode
+ sharing := "shared"
for _, val := range args {
kv := strings.SplitN(val, "=", 2)
@@ -212,66 +219,68 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
case "shared", "rshared", "private", "rprivate", "slave", "rslave", "Z", "z", "U":
newMount.Options = append(newMount.Options, kv[0])
setShared = true
+ case "sharing":
+ sharing = kv[1]
case "bind-propagation":
if len(kv) == 1 {
- return newMount, errors.Wrapf(errBadOptionArg, kv[0])
+ return newMount, lockedTargets, errors.Wrapf(errBadOptionArg, kv[0])
}
newMount.Options = append(newMount.Options, kv[1])
case "id":
if len(kv) == 1 {
- return newMount, errors.Wrapf(errBadOptionArg, kv[0])
+ return newMount, lockedTargets, errors.Wrapf(errBadOptionArg, kv[0])
}
id = kv[1]
case "from":
if len(kv) == 1 {
- return newMount, errors.Wrapf(errBadOptionArg, kv[0])
+ return newMount, lockedTargets, errors.Wrapf(errBadOptionArg, kv[0])
}
fromStage = kv[1]
case "target", "dst", "destination":
if len(kv) == 1 {
- return newMount, errors.Wrapf(errBadOptionArg, kv[0])
+ return newMount, lockedTargets, errors.Wrapf(errBadOptionArg, kv[0])
}
if err := parse.ValidateVolumeCtrDir(kv[1]); err != nil {
- return newMount, err
+ return newMount, lockedTargets, err
}
newMount.Destination = kv[1]
setDest = true
case "src", "source":
if len(kv) == 1 {
- return newMount, errors.Wrapf(errBadOptionArg, kv[0])
+ return newMount, lockedTargets, errors.Wrapf(errBadOptionArg, kv[0])
}
newMount.Source = kv[1]
case "mode":
if len(kv) == 1 {
- return newMount, errors.Wrapf(errBadOptionArg, kv[0])
+ return newMount, lockedTargets, errors.Wrapf(errBadOptionArg, kv[0])
}
mode, err = strconv.ParseUint(kv[1], 8, 32)
if err != nil {
- return newMount, errors.Wrapf(err, "Unable to parse cache mode")
+ return newMount, lockedTargets, errors.Wrapf(err, "Unable to parse cache mode")
}
case "uid":
if len(kv) == 1 {
- return newMount, errors.Wrapf(errBadOptionArg, kv[0])
+ return newMount, lockedTargets, errors.Wrapf(errBadOptionArg, kv[0])
}
uid, err = strconv.Atoi(kv[1])
if err != nil {
- return newMount, errors.Wrapf(err, "Unable to parse cache uid")
+ return newMount, lockedTargets, errors.Wrapf(err, "Unable to parse cache uid")
}
case "gid":
if len(kv) == 1 {
- return newMount, errors.Wrapf(errBadOptionArg, kv[0])
+ return newMount, lockedTargets, errors.Wrapf(errBadOptionArg, kv[0])
}
gid, err = strconv.Atoi(kv[1])
if err != nil {
- return newMount, errors.Wrapf(err, "Unable to parse cache gid")
+ return newMount, lockedTargets, errors.Wrapf(err, "Unable to parse cache gid")
}
default:
- return newMount, errors.Wrapf(errBadMntOption, kv[0])
+ return newMount, lockedTargets, errors.Wrapf(errBadMntOption, kv[0])
}
}
if !setDest {
- return newMount, errBadVolDest
+ return newMount, lockedTargets, errBadVolDest
}
if fromStage != "" {
@@ -288,7 +297,7 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
// Cache does not supports using image so if not stage found
// return with error
if mountPoint == "" {
- return newMount, fmt.Errorf("no stage found with name %s", fromStage)
+ return newMount, lockedTargets, fmt.Errorf("no stage found with name %s", fromStage)
}
// path should be /contextDir/specified path
newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
@@ -304,7 +313,7 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
// create cache on host if not present
err = os.MkdirAll(cacheParent, os.FileMode(0755))
if err != nil {
- return newMount, errors.Wrapf(err, "Unable to create build cache directory")
+ return newMount, lockedTargets, errors.Wrapf(err, "Unable to create build cache directory")
}
if id != "" {
@@ -319,10 +328,28 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
//buildkit parity: change uid and gid if specified otheriwise keep `0`
err = idtools.MkdirAllAndChownNew(newMount.Source, os.FileMode(mode), idPair)
if err != nil {
- return newMount, errors.Wrapf(err, "Unable to change uid,gid of cache directory")
+ return newMount, lockedTargets, errors.Wrapf(err, "Unable to change uid,gid of cache directory")
}
}
+ switch sharing {
+ case "locked":
+ // lock parent cache
+ lockfile, err := lockfile.GetLockfile(filepath.Join(newMount.Source, BuildahCacheLockfile))
+ if err != nil {
+ return newMount, lockedTargets, errors.Wrapf(err, "Unable to acquire lock when sharing mode is locked")
+ }
+ // Will be unlocked after the RUN step is executed.
+ lockfile.Lock()
+ lockedTargets = append(lockedTargets, filepath.Join(newMount.Source, BuildahCacheLockfile))
+ case "shared":
+ // do nothing since default is `shared`
+ break
+ default:
+ // error out for unknown values
+ return newMount, lockedTargets, errors.Wrapf(err, "Unrecognized value %q for field `sharing`", sharing)
+ }
+
// buildkit parity: default sharing should be shared
// unless specified
if !setShared {
@@ -338,11 +365,184 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
opts, err := parse.ValidateVolumeOpts(newMount.Options)
if err != nil {
- return newMount, err
+ return newMount, lockedTargets, err
}
newMount.Options = opts
- return newMount, nil
+ return newMount, lockedTargets, nil
+}
+
+// ValidateVolumeMountHostDir validates the host path of buildah --volume
+func ValidateVolumeMountHostDir(hostDir string) error {
+ if !filepath.IsAbs(hostDir) {
+ return errors.Errorf("invalid host path, must be an absolute path %q", hostDir)
+ }
+ if _, err := os.Stat(hostDir); err != nil {
+ return errors.WithStack(err)
+ }
+ return nil
+}
+
+// RevertEscapedColon converts "\:" to ":"
+func RevertEscapedColon(source string) string {
+ return strings.ReplaceAll(source, "\\:", ":")
+}
+
+// SplitStringWithColonEscape splits string into slice by colon. Backslash-escaped colon (i.e. "\:") will not be regarded as separator
+func SplitStringWithColonEscape(str string) []string {
+ result := make([]string, 0, 3)
+ sb := &strings.Builder{}
+ for idx, r := range str {
+ if r == ':' {
+ // the colon is backslash-escaped
+ if idx-1 > 0 && str[idx-1] == '\\' {
+ sb.WriteRune(r)
+ } else {
+ // os.Stat will fail if path contains escaped colon
+ result = append(result, RevertEscapedColon(sb.String()))
+ sb.Reset()
+ }
+ } else {
+ sb.WriteRune(r)
+ }
+ }
+ if sb.Len() > 0 {
+ result = append(result, RevertEscapedColon(sb.String()))
+ }
+ return result
+}
+
+func getVolumeMounts(volumes []string) (map[string]specs.Mount, error) {
+ finalVolumeMounts := make(map[string]specs.Mount)
+
+ for _, volume := range volumes {
+ volumeMount, err := Volume(volume)
+ if err != nil {
+ return nil, err
+ }
+ if _, ok := finalVolumeMounts[volumeMount.Destination]; ok {
+ return nil, errors.Wrapf(errDuplicateDest, volumeMount.Destination)
+ }
+ finalVolumeMounts[volumeMount.Destination] = volumeMount
+ }
+ return finalVolumeMounts, nil
+}
+
+// Volume parses the input of --volume
+func Volume(volume string) (specs.Mount, error) {
+ mount := specs.Mount{}
+ arr := SplitStringWithColonEscape(volume)
+ if len(arr) < 2 {
+ return mount, errors.Errorf("incorrect volume format %q, should be host-dir:ctr-dir[:option]", volume)
+ }
+ if err := ValidateVolumeMountHostDir(arr[0]); err != nil {
+ return mount, err
+ }
+ if err := parse.ValidateVolumeCtrDir(arr[1]); err != nil {
+ return mount, err
+ }
+ mountOptions := ""
+ if len(arr) > 2 {
+ mountOptions = arr[2]
+ if _, err := parse.ValidateVolumeOpts(strings.Split(arr[2], ",")); err != nil {
+ return mount, err
+ }
+ }
+ mountOpts := strings.Split(mountOptions, ",")
+ mount.Source = arr[0]
+ mount.Destination = arr[1]
+ mount.Type = "rbind"
+ mount.Options = mountOpts
+ return mount, nil
+}
+
+// GetVolumes gets the volumes from --volume and --mount
+func GetVolumes(ctx *types.SystemContext, store storage.Store, volumes []string, mounts []string, contextDir string) ([]specs.Mount, []string, []string, error) {
+ unifiedMounts, mountedImages, lockedTargets, err := getMounts(ctx, store, mounts, contextDir)
+ if err != nil {
+ return nil, mountedImages, lockedTargets, err
+ }
+ volumeMounts, err := getVolumeMounts(volumes)
+ if err != nil {
+ return nil, mountedImages, lockedTargets, err
+ }
+ for dest, mount := range volumeMounts {
+ if _, ok := unifiedMounts[dest]; ok {
+ return nil, mountedImages, lockedTargets, errors.Wrapf(errDuplicateDest, dest)
+ }
+ unifiedMounts[dest] = mount
+ }
+
+ finalMounts := make([]specs.Mount, 0, len(unifiedMounts))
+ for _, mount := range unifiedMounts {
+ finalMounts = append(finalMounts, mount)
+ }
+ return finalMounts, mountedImages, lockedTargets, nil
+}
+
+// getMounts takes user-provided input from the --mount flag and creates OCI
+// spec mounts.
+// buildah run --mount type=bind,src=/etc/resolv.conf,target=/etc/resolv.conf ...
+// buildah run --mount type=tmpfs,target=/dev/shm ...
+func getMounts(ctx *types.SystemContext, store storage.Store, mounts []string, contextDir string) (map[string]specs.Mount, []string, []string, error) {
+ finalMounts := make(map[string]specs.Mount)
+ mountedImages := make([]string, 0)
+ lockedTargets := make([]string, 0)
+
+ errInvalidSyntax := errors.Errorf("incorrect mount format: should be --mount type=<bind|tmpfs>,[src=<host-dir>,]target=<ctr-dir>[,options]")
+
+ // TODO(vrothberg): the manual parsing can be replaced with a regular expression
+ // to allow a more robust parsing of the mount format and to give
+ // precise errors regarding supported format versus supported options.
+ for _, mount := range mounts {
+ arr := strings.SplitN(mount, ",", 2)
+ if len(arr) < 2 {
+ return nil, mountedImages, lockedTargets, errors.Wrapf(errInvalidSyntax, "%q", mount)
+ }
+ kv := strings.Split(arr[0], "=")
+ // TODO: type is not explicitly required in Docker.
+ // If not specified, it defaults to "volume".
+ if len(kv) != 2 || kv[0] != "type" {
+ return nil, mountedImages, lockedTargets, errors.Wrapf(errInvalidSyntax, "%q", mount)
+ }
+
+ tokens := strings.Split(arr[1], ",")
+ switch kv[1] {
+ case TypeBind:
+ mount, image, err := GetBindMount(ctx, tokens, contextDir, store, "", nil)
+ if err != nil {
+ return nil, mountedImages, lockedTargets, err
+ }
+ if _, ok := finalMounts[mount.Destination]; ok {
+ return nil, mountedImages, lockedTargets, errors.Wrapf(errDuplicateDest, mount.Destination)
+ }
+ finalMounts[mount.Destination] = mount
+ mountedImages = append(mountedImages, image)
+ case TypeCache:
+ mount, lockedPaths, err := GetCacheMount(tokens, store, "", nil)
+ lockedTargets = lockedPaths
+ if err != nil {
+ return nil, mountedImages, lockedTargets, err
+ }
+ if _, ok := finalMounts[mount.Destination]; ok {
+ return nil, mountedImages, lockedTargets, errors.Wrapf(errDuplicateDest, mount.Destination)
+ }
+ finalMounts[mount.Destination] = mount
+ case TypeTmpfs:
+ mount, err := GetTmpfsMount(tokens)
+ if err != nil {
+ return nil, mountedImages, lockedTargets, err
+ }
+ if _, ok := finalMounts[mount.Destination]; ok {
+ return nil, mountedImages, lockedTargets, errors.Wrapf(errDuplicateDest, mount.Destination)
+ }
+ finalMounts[mount.Destination] = mount
+ default:
+ return nil, mountedImages, lockedTargets, errors.Errorf("invalid filesystem type %q", kv[1])
+ }
+ }
+
+ return finalMounts, mountedImages, lockedTargets, nil
}
// GetTmpfsMount parses a single tmpfs mount entry from the --mount flag
diff --git a/vendor/github.com/containers/buildah/new.go b/vendor/github.com/containers/buildah/new.go
index c7e330c13..a74d4223a 100644
--- a/vendor/github.com/containers/buildah/new.go
+++ b/vendor/github.com/containers/buildah/new.go
@@ -15,6 +15,7 @@ import (
"github.com/containers/image/v5/transports"
"github.com/containers/image/v5/types"
"github.com/containers/storage"
+ "github.com/containers/storage/pkg/stringid"
digest "github.com/opencontainers/go-digest"
v1 "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/openshift/imagebuilder"
@@ -48,6 +49,15 @@ func getImageName(name string, img *storage.Image) string {
func imageNamePrefix(imageName string) string {
prefix := imageName
+ if d, err := digest.Parse(imageName); err == nil {
+ prefix = d.Encoded()
+ if len(prefix) > 12 {
+ prefix = prefix[:12]
+ }
+ }
+ if stringid.ValidateID(prefix) == nil {
+ prefix = stringid.TruncateID(prefix)
+ }
s := strings.Split(prefix, ":")
if len(s) > 0 {
prefix = s[0]
diff --git a/vendor/github.com/containers/buildah/pkg/cli/common.go b/vendor/github.com/containers/buildah/pkg/cli/common.go
index bce497f29..ba0d7a13e 100644
--- a/vendor/github.com/containers/buildah/pkg/cli/common.go
+++ b/vendor/github.com/containers/buildah/pkg/cli/common.go
@@ -74,6 +74,7 @@ type BudResults struct {
PullAlways bool
PullNever bool
Quiet bool
+ IdentityLabel bool
Rm bool
Runtime string
RuntimeFlags []string
@@ -227,6 +228,7 @@ func GetBudFlags(flags *BudResults) pflag.FlagSet {
panic(fmt.Sprintf("error marking the pull-never flag as hidden: %v", err))
}
fs.BoolVarP(&flags.Quiet, "quiet", "q", false, "refrain from announcing build instructions and image read/write progress")
+ fs.BoolVar(&flags.IdentityLabel, "identity-label", true, "add default identity label (default true)")
fs.BoolVar(&flags.Rm, "rm", true, "Remove intermediate containers after a successful build")
// "runtime" definition moved to avoid name collision in podman build. Defined in cmd/buildah/build.go.
fs.StringSliceVar(&flags.RuntimeFlags, "runtime-flag", []string{}, "add global flags for the container runtime")
diff --git a/vendor/github.com/containers/buildah/pkg/parse/parse.go b/vendor/github.com/containers/buildah/pkg/parse/parse.go
index 9951c8815..e32280585 100644
--- a/vendor/github.com/containers/buildah/pkg/parse/parse.go
+++ b/vendor/github.com/containers/buildah/pkg/parse/parse.go
@@ -19,7 +19,6 @@ import (
"github.com/containers/buildah/pkg/sshagent"
"github.com/containers/common/pkg/parse"
"github.com/containers/image/v5/types"
- "github.com/containers/storage"
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/unshare"
units "github.com/docker/go-units"
@@ -48,10 +47,6 @@ const (
BuildahCacheDir = "buildah-cache"
)
-var (
- errDuplicateDest = errors.Errorf("duplicate mount destination")
-)
-
// CommonBuildOptions parses the build options from the bud cli
func CommonBuildOptions(c *cobra.Command) (*define.CommonBuildOptions, error) {
return CommonBuildOptionsFromFlagSet(c.Flags(), c.Flag)
@@ -141,6 +136,7 @@ func CommonBuildOptionsFromFlagSet(flags *pflag.FlagSet, findFlagFunc func(name
cpuQuota, _ := flags.GetInt64("cpu-quota")
cpuShares, _ := flags.GetUint64("cpu-shares")
httpProxy, _ := flags.GetBool("http-proxy")
+ identityLabel, _ := flags.GetBool("identity-label")
ulimit := []string{}
if flags.Changed("ulimit") {
@@ -151,25 +147,26 @@ func CommonBuildOptionsFromFlagSet(flags *pflag.FlagSet, findFlagFunc func(name
sshsources, _ := flags.GetStringArray("ssh")
commonOpts := &define.CommonBuildOptions{
- AddHost: addHost,
- CPUPeriod: cpuPeriod,
- CPUQuota: cpuQuota,
- CPUSetCPUs: findFlagFunc("cpuset-cpus").Value.String(),
- CPUSetMems: findFlagFunc("cpuset-mems").Value.String(),
- CPUShares: cpuShares,
- CgroupParent: findFlagFunc("cgroup-parent").Value.String(),
- DNSOptions: dnsOptions,
- DNSSearch: dnsSearch,
- DNSServers: dnsServers,
- HTTPProxy: httpProxy,
- Memory: memoryLimit,
- MemorySwap: memorySwap,
- NoHosts: noHosts,
- ShmSize: findFlagFunc("shm-size").Value.String(),
- Ulimit: ulimit,
- Volumes: volumes,
- Secrets: secrets,
- SSHSources: sshsources,
+ AddHost: addHost,
+ CPUPeriod: cpuPeriod,
+ CPUQuota: cpuQuota,
+ CPUSetCPUs: findFlagFunc("cpuset-cpus").Value.String(),
+ CPUSetMems: findFlagFunc("cpuset-mems").Value.String(),
+ CPUShares: cpuShares,
+ CgroupParent: findFlagFunc("cgroup-parent").Value.String(),
+ DNSOptions: dnsOptions,
+ DNSSearch: dnsSearch,
+ DNSServers: dnsServers,
+ HTTPProxy: httpProxy,
+ IdentityLabel: types.NewOptionalBool(identityLabel),
+ Memory: memoryLimit,
+ MemorySwap: memorySwap,
+ NoHosts: noHosts,
+ ShmSize: findFlagFunc("shm-size").Value.String(),
+ Ulimit: ulimit,
+ Volumes: volumes,
+ Secrets: secrets,
+ SSHSources: sshsources,
}
securityOpts, _ := flags.GetStringArray("security-opt")
if err := parseSecurityOpts(securityOpts, commonOpts); err != nil {
@@ -222,59 +219,12 @@ func parseSecurityOpts(securityOpts []string, commonOpts *define.CommonBuildOpti
// Split string into slice by colon. Backslash-escaped colon (i.e. "\:") will not be regarded as separator
func SplitStringWithColonEscape(str string) []string {
- result := make([]string, 0, 3)
- sb := &strings.Builder{}
- for idx, r := range str {
- if r == ':' {
- // the colon is backslash-escaped
- if idx-1 > 0 && str[idx-1] == '\\' {
- sb.WriteRune(r)
- } else {
- // os.Stat will fail if path contains escaped colon
- result = append(result, revertEscapedColon(sb.String()))
- sb.Reset()
- }
- } else {
- sb.WriteRune(r)
- }
- }
- if sb.Len() > 0 {
- result = append(result, revertEscapedColon(sb.String()))
- }
- return result
-}
-
-// Convert "\:" to ":"
-func revertEscapedColon(source string) string {
- return strings.ReplaceAll(source, "\\:", ":")
+ return internalParse.SplitStringWithColonEscape(str)
}
// Volume parses the input of --volume
func Volume(volume string) (specs.Mount, error) {
- mount := specs.Mount{}
- arr := SplitStringWithColonEscape(volume)
- if len(arr) < 2 {
- return mount, errors.Errorf("incorrect volume format %q, should be host-dir:ctr-dir[:option]", volume)
- }
- if err := validateVolumeMountHostDir(arr[0]); err != nil {
- return mount, err
- }
- if err := parse.ValidateVolumeCtrDir(arr[1]); err != nil {
- return mount, err
- }
- mountOptions := ""
- if len(arr) > 2 {
- mountOptions = arr[2]
- if _, err := parse.ValidateVolumeOpts(strings.Split(arr[2], ",")); err != nil {
- return mount, err
- }
- }
- mountOpts := strings.Split(mountOptions, ",")
- mount.Source = arr[0]
- mount.Destination = arr[1]
- mount.Type = "rbind"
- mount.Options = mountOpts
- return mount, nil
+ return internalParse.Volume(volume)
}
// Volumes validates the host and container paths passed in to the --volume flag
@@ -290,125 +240,11 @@ func Volumes(volumes []string) error {
return nil
}
-func getVolumeMounts(volumes []string) (map[string]specs.Mount, error) {
- finalVolumeMounts := make(map[string]specs.Mount)
-
- for _, volume := range volumes {
- volumeMount, err := Volume(volume)
- if err != nil {
- return nil, err
- }
- if _, ok := finalVolumeMounts[volumeMount.Destination]; ok {
- return nil, errors.Wrapf(errDuplicateDest, volumeMount.Destination)
- }
- finalVolumeMounts[volumeMount.Destination] = volumeMount
- }
- return finalVolumeMounts, nil
-}
-
-// GetVolumes gets the volumes from --volume and --mount
-func GetVolumes(ctx *types.SystemContext, store storage.Store, volumes []string, mounts []string, contextDir string) ([]specs.Mount, []string, error) {
- unifiedMounts, mountedImages, err := getMounts(ctx, store, mounts, contextDir)
- if err != nil {
- return nil, mountedImages, err
- }
- volumeMounts, err := getVolumeMounts(volumes)
- if err != nil {
- return nil, mountedImages, err
- }
- for dest, mount := range volumeMounts {
- if _, ok := unifiedMounts[dest]; ok {
- return nil, mountedImages, errors.Wrapf(errDuplicateDest, dest)
- }
- unifiedMounts[dest] = mount
- }
-
- finalMounts := make([]specs.Mount, 0, len(unifiedMounts))
- for _, mount := range unifiedMounts {
- finalMounts = append(finalMounts, mount)
- }
- return finalMounts, mountedImages, nil
-}
-
-// getMounts takes user-provided input from the --mount flag and creates OCI
-// spec mounts.
-// buildah run --mount type=bind,src=/etc/resolv.conf,target=/etc/resolv.conf ...
-// buildah run --mount type=tmpfs,target=/dev/shm ...
-func getMounts(ctx *types.SystemContext, store storage.Store, mounts []string, contextDir string) (map[string]specs.Mount, []string, error) {
- finalMounts := make(map[string]specs.Mount)
- mountedImages := make([]string, 0)
-
- errInvalidSyntax := errors.Errorf("incorrect mount format: should be --mount type=<bind|tmpfs>,[src=<host-dir>,]target=<ctr-dir>[,options]")
-
- // TODO(vrothberg): the manual parsing can be replaced with a regular expression
- // to allow a more robust parsing of the mount format and to give
- // precise errors regarding supported format versus supported options.
- for _, mount := range mounts {
- arr := strings.SplitN(mount, ",", 2)
- if len(arr) < 2 {
- return nil, mountedImages, errors.Wrapf(errInvalidSyntax, "%q", mount)
- }
- kv := strings.Split(arr[0], "=")
- // TODO: type is not explicitly required in Docker.
- // If not specified, it defaults to "volume".
- if len(kv) != 2 || kv[0] != "type" {
- return nil, mountedImages, errors.Wrapf(errInvalidSyntax, "%q", mount)
- }
-
- tokens := strings.Split(arr[1], ",")
- switch kv[1] {
- case TypeBind:
- mount, image, err := internalParse.GetBindMount(ctx, tokens, contextDir, store, "", nil)
- if err != nil {
- return nil, mountedImages, err
- }
- if _, ok := finalMounts[mount.Destination]; ok {
- return nil, mountedImages, errors.Wrapf(errDuplicateDest, mount.Destination)
- }
- finalMounts[mount.Destination] = mount
- mountedImages = append(mountedImages, image)
- case TypeCache:
- mount, err := internalParse.GetCacheMount(tokens, store, "", nil)
- if err != nil {
- return nil, mountedImages, err
- }
- if _, ok := finalMounts[mount.Destination]; ok {
- return nil, mountedImages, errors.Wrapf(errDuplicateDest, mount.Destination)
- }
- finalMounts[mount.Destination] = mount
- case TypeTmpfs:
- mount, err := internalParse.GetTmpfsMount(tokens)
- if err != nil {
- return nil, mountedImages, err
- }
- if _, ok := finalMounts[mount.Destination]; ok {
- return nil, mountedImages, errors.Wrapf(errDuplicateDest, mount.Destination)
- }
- finalMounts[mount.Destination] = mount
- default:
- return nil, mountedImages, errors.Errorf("invalid filesystem type %q", kv[1])
- }
- }
-
- return finalMounts, mountedImages, nil
-}
-
// ValidateVolumeHostDir validates a volume mount's source directory
func ValidateVolumeHostDir(hostDir string) error {
return parse.ValidateVolumeHostDir(hostDir)
}
-// validates the host path of buildah --volume
-func validateVolumeMountHostDir(hostDir string) error {
- if !filepath.IsAbs(hostDir) {
- return errors.Errorf("invalid host path, must be an absolute path %q", hostDir)
- }
- if _, err := os.Stat(hostDir); err != nil {
- return errors.WithStack(err)
- }
- return nil
-}
-
// ValidateVolumeCtrDir validates a volume mount's destination directory.
func ValidateVolumeCtrDir(ctrDir string) error {
return parse.ValidateVolumeCtrDir(ctrDir)
diff --git a/vendor/github.com/containers/buildah/run.go b/vendor/github.com/containers/buildah/run.go
index 64d4e0979..e56aac8c9 100644
--- a/vendor/github.com/containers/buildah/run.go
+++ b/vendor/github.com/containers/buildah/run.go
@@ -175,4 +175,6 @@ type runMountArtifacts struct {
Agents []*sshagent.AgentServer
// SSHAuthSock is the path to the ssh auth sock inside the container
SSHAuthSock string
+ // LockedTargets to be unlocked if there are any.
+ LockedTargets []string
}
diff --git a/vendor/github.com/containers/buildah/run_linux.go b/vendor/github.com/containers/buildah/run_linux.go
index d69f5431b..411a0f8cf 100644
--- a/vendor/github.com/containers/buildah/run_linux.go
+++ b/vendor/github.com/containers/buildah/run_linux.go
@@ -12,6 +12,7 @@ import (
"net"
"os"
"os/exec"
+ "os/signal"
"path/filepath"
"runtime"
"strconv"
@@ -43,6 +44,7 @@ import (
"github.com/containers/storage"
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/ioutils"
+ "github.com/containers/storage/pkg/lockfile"
"github.com/containers/storage/pkg/reexec"
"github.com/containers/storage/pkg/stringid"
"github.com/containers/storage/pkg/unshare"
@@ -190,16 +192,19 @@ func (b *Builder) Run(command []string, options RunOptions) error {
return err
}
- // Figure out who owns files that will appear to be owned by UID/GID 0 in the container.
- rootUID, rootGID, err := util.GetHostRootIDs(spec)
- if err != nil {
- return err
+ uid, gid := spec.Process.User.UID, spec.Process.User.GID
+ if spec.Linux != nil {
+ uid, gid, err = util.GetHostIDs(spec.Linux.UIDMappings, spec.Linux.GIDMappings, uid, gid)
+ if err != nil {
+ return err
+ }
}
- rootIDPair := &idtools.IDPair{UID: int(rootUID), GID: int(rootGID)}
+
+ idPair := &idtools.IDPair{UID: int(uid), GID: int(gid)}
mode := os.FileMode(0755)
coptions := copier.MkdirOptions{
- ChownNew: rootIDPair,
+ ChownNew: idPair,
ChmodNew: &mode,
}
if err := copier.Mkdir(mountPoint, filepath.Join(mountPoint, spec.Process.Cwd), coptions); err != nil {
@@ -210,6 +215,13 @@ func (b *Builder) Run(command []string, options RunOptions) error {
namespaceOptions := append(b.NamespaceOptions, options.NamespaceOptions...)
volumes := b.Volumes()
+ // Figure out who owns files that will appear to be owned by UID/GID 0 in the container.
+ rootUID, rootGID, err := util.GetHostRootIDs(spec)
+ if err != nil {
+ return err
+ }
+ rootIDPair := &idtools.IDPair{UID: int(rootUID), GID: int(rootGID)}
+
if !options.NoHosts && !contains(volumes, "/etc/hosts") {
hostFile, err := b.generateHosts(path, spec.Hostname, b.CommonBuildOpts.AddHost, rootIDPair)
if err != nil {
@@ -243,7 +255,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
rootless = 1
}
// Populate the .containerenv with container information
- containerenv := fmt.Sprintf(`\
+ containerenv := fmt.Sprintf(`
engine="buildah-%s"
name=%q
id=%q
@@ -289,9 +301,7 @@ rootless=%d
case define.IsolationOCI:
var moreCreateArgs []string
if options.NoPivot {
- moreCreateArgs = []string{"--no-pivot"}
- } else {
- moreCreateArgs = nil
+ moreCreateArgs = append(moreCreateArgs, "--no-pivot")
}
err = b.runUsingRuntimeSubproc(isolation, options, configureNetwork, configureNetworks, moreCreateArgs, spec, mountPoint, path, define.Package+"-"+filepath.Base(path))
case IsolationChroot:
@@ -828,7 +838,7 @@ func runUsingRuntime(options RunOptions, configureNetwork bool, moreCreateArgs [
if err = unix.Pipe(finishCopy); err != nil {
return 1, errors.Wrapf(err, "error creating pipe for notifying to stop stdio")
}
- finishedCopy := make(chan struct{})
+ finishedCopy := make(chan struct{}, 1)
var pargs []string
if spec.Process != nil {
pargs = spec.Process.Args
@@ -884,22 +894,27 @@ func runUsingRuntime(options RunOptions, configureNetwork bool, moreCreateArgs [
pidFile := filepath.Join(bundlePath, "pid")
args := append(append(append(runtimeArgs, "create", "--bundle", bundlePath, "--pid-file", pidFile), moreCreateArgs...), containerName)
create := exec.Command(runtime, args...)
+ setPdeathsig(create)
create.Dir = bundlePath
stdin, stdout, stderr := getCreateStdio()
create.Stdin, create.Stdout, create.Stderr = stdin, stdout, stderr
- if create.SysProcAttr == nil {
- create.SysProcAttr = &syscall.SysProcAttr{}
- }
args = append(options.Args, "start", containerName)
start := exec.Command(runtime, args...)
+ setPdeathsig(start)
start.Dir = bundlePath
start.Stderr = os.Stderr
- args = append(options.Args, "kill", containerName)
- kill := exec.Command(runtime, args...)
- kill.Dir = bundlePath
- kill.Stderr = os.Stderr
+ kill := func(signal string) *exec.Cmd {
+ args := append(options.Args, "kill", containerName)
+ if signal != "" {
+ args = append(args, signal)
+ }
+ kill := exec.Command(runtime, args...)
+ kill.Dir = bundlePath
+ kill.Stderr = os.Stderr
+ return kill
+ }
args = append(options.Args, "delete", containerName)
del := exec.Command(runtime, args...)
@@ -980,13 +995,23 @@ func runUsingRuntime(options RunOptions, configureNetwork bool, moreCreateArgs [
}
defer func() {
if atomic.LoadUint32(&stopped) == 0 {
- if err2 := kill.Run(); err2 != nil {
- options.Logger.Infof("error from %s stopping container: %v", runtime, err2)
+ if err := kill("").Run(); err != nil {
+ options.Logger.Infof("error from %s stopping container: %v", runtime, err)
}
+ atomic.StoreUint32(&stopped, 1)
}
}()
// Wait for the container to exit.
+ interrupted := make(chan os.Signal, 100)
+ go func() {
+ for range interrupted {
+ if err := kill("SIGKILL").Run(); err != nil {
+ logrus.Errorf("%v sending SIGKILL", err)
+ }
+ }
+ }()
+ signal.Notify(interrupted, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
for {
now := time.Now()
var state specs.State
@@ -1025,6 +1050,8 @@ func runUsingRuntime(options RunOptions, configureNetwork bool, moreCreateArgs [
break
}
}
+ signal.Stop(interrupted)
+ close(interrupted)
// Close the writing end of the stop-handling-stdio notification pipe.
unix.Close(finishCopy[1])
@@ -1111,6 +1138,7 @@ func setupRootlessNetwork(pid int) (teardown func(), err error) {
}
cmd := exec.Command(slirp4netns, "--mtu", "65520", "-r", "3", "-c", strconv.Itoa(pid), "tap0")
+ setPdeathsig(cmd)
cmd.Stdin, cmd.Stdout, cmd.Stderr = nil, nil, nil
cmd.ExtraFiles = []*os.File{rootlessSlirpSyncW}
@@ -1228,6 +1256,7 @@ func runCopyStdio(logger *logrus.Logger, stdio *sync.WaitGroup, copyPipes bool,
}
stdio.Done()
finishedCopy <- struct{}{}
+ close(finishedCopy)
}()
// Map describing where data on an incoming descriptor should go.
relayMap := make(map[int]int)
@@ -1964,9 +1993,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {
if err := g.AddProcessCapabilityEffective(cap); err != nil {
return errors.Wrapf(err, "error adding %q to the effective capability set", cap)
}
- if err := g.AddProcessCapabilityInheritable(cap); err != nil {
- return errors.Wrapf(err, "error adding %q to the inheritable capability set", cap)
- }
if err := g.AddProcessCapabilityPermitted(cap); err != nil {
return errors.Wrapf(err, "error adding %q to the permitted capability set", cap)
}
@@ -1985,9 +2011,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {
if err := g.DropProcessCapabilityEffective(cap); err != nil {
return errors.Wrapf(err, "error removing %q from the effective capability set", cap)
}
- if err := g.DropProcessCapabilityInheritable(cap); err != nil {
- return errors.Wrapf(err, "error removing %q from the inheritable capability set", cap)
- }
if err := g.DropProcessCapabilityPermitted(cap); err != nil {
return errors.Wrapf(err, "error removing %q from the permitted capability set", cap)
}
@@ -2232,6 +2255,7 @@ func (b *Builder) runUsingRuntimeSubproc(isolation define.Isolation, options Run
return errors.Wrapf(conferr, "error encoding configuration for %q", runUsingRuntimeCommand)
}
cmd := reexec.Command(runUsingRuntimeCommand)
+ setPdeathsig(cmd)
cmd.Dir = bundlePath
cmd.Stdin = options.Stdin
if cmd.Stdin == nil {
@@ -2260,23 +2284,23 @@ func (b *Builder) runUsingRuntimeSubproc(isolation define.Isolation, options Run
}()
// create network configuration pipes
- var containerCreateR, containerCreateW *os.File
- var containerStartR, containerStartW *os.File
+ var containerCreateR, containerCreateW fileCloser
+ var containerStartR, containerStartW fileCloser
if configureNetwork {
- containerCreateR, containerCreateW, err = os.Pipe()
+ containerCreateR.file, containerCreateW.file, err = os.Pipe()
if err != nil {
return errors.Wrapf(err, "error creating container create pipe")
}
defer containerCreateR.Close()
defer containerCreateW.Close()
- containerStartR, containerStartW, err = os.Pipe()
+ containerStartR.file, containerStartW.file, err = os.Pipe()
if err != nil {
return errors.Wrapf(err, "error creating container create pipe")
}
defer containerStartR.Close()
defer containerStartW.Close()
- cmd.ExtraFiles = []*os.File{containerCreateW, containerStartR}
+ cmd.ExtraFiles = []*os.File{containerCreateW.file, containerStartR.file}
}
cmd.ExtraFiles = append([]*os.File{preader}, cmd.ExtraFiles...)
@@ -2286,8 +2310,20 @@ func (b *Builder) runUsingRuntimeSubproc(isolation define.Isolation, options Run
return errors.Wrapf(err, "error while starting runtime")
}
+ interrupted := make(chan os.Signal, 100)
+ go func() {
+ for receivedSignal := range interrupted {
+ if err := cmd.Process.Signal(receivedSignal); err != nil {
+ logrus.Infof("%v while attempting to forward %v to child process", err, receivedSignal)
+ }
+ }
+ }()
+ signal.Notify(interrupted, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
+
if configureNetwork {
- if err := waitForSync(containerCreateR); err != nil {
+ // we already passed the fd to the child, now close the writer so we do not hang if the child closes it
+ containerCreateW.Close()
+ if err := waitForSync(containerCreateR.file); err != nil {
// we do not want to return here since we want to capture the exit code from the child via cmd.Wait()
// close the pipes here so that the child will not hang forever
containerCreateR.Close()
@@ -2313,16 +2349,19 @@ func (b *Builder) runUsingRuntimeSubproc(isolation define.Isolation, options Run
}
logrus.Debug("network namespace successfully setup, send start message to child")
- _, err = containerStartW.Write([]byte{1})
+ _, err = containerStartW.file.Write([]byte{1})
if err != nil {
return err
}
}
}
+
if err := cmd.Wait(); err != nil {
return errors.Wrapf(err, "error while running runtime")
}
confwg.Wait()
+ signal.Stop(interrupted)
+ close(interrupted)
if err == nil {
return conferr
}
@@ -2332,9 +2371,25 @@ func (b *Builder) runUsingRuntimeSubproc(isolation define.Isolation, options Run
return err
}
-// waitForSync waits for a maximum of 5 seconds to read something from the file
+// fileCloser is a helper struct to prevent closing the file twice in the code
+// users must call (fileCloser).Close() and not fileCloser.File.Close()
+type fileCloser struct {
+ file *os.File
+ closed bool
+}
+
+func (f *fileCloser) Close() {
+ if !f.closed {
+ if err := f.file.Close(); err != nil {
+ logrus.Errorf("failed to close file: %v", err)
+ }
+ f.closed = true
+ }
+}
+
+// waitForSync waits for a maximum of 4 minutes to read something from the file
func waitForSync(pipeR *os.File) error {
- if err := pipeR.SetDeadline(time.Now().Add(5 * time.Second)); err != nil {
+ if err := pipeR.SetDeadline(time.Now().Add(4 * time.Minute)); err != nil {
return err
}
b := make([]byte, 16)
@@ -2448,6 +2503,7 @@ func (b *Builder) runSetupRunMounts(context *imagetypes.SystemContext, mounts []
sshCount := 0
defaultSSHSock := ""
tokens := []string{}
+ lockedTargets := []string{}
for _, mount := range mounts {
arr := strings.SplitN(mount, ",", 2)
@@ -2506,12 +2562,13 @@ func (b *Builder) runSetupRunMounts(context *imagetypes.SystemContext, mounts []
finalMounts = append(finalMounts, *mount)
mountTargets = append(mountTargets, mount.Destination)
case "cache":
- mount, err := b.getCacheMount(tokens, rootUID, rootGID, processUID, processGID, stageMountPoints)
+ mount, lockedPaths, err := b.getCacheMount(tokens, rootUID, rootGID, processUID, processGID, stageMountPoints)
if err != nil {
return nil, nil, err
}
finalMounts = append(finalMounts, *mount)
mountTargets = append(mountTargets, mount.Destination)
+ lockedTargets = lockedPaths
default:
return nil, nil, errors.Errorf("invalid mount type %q", kv[1])
}
@@ -2522,6 +2579,7 @@ func (b *Builder) runSetupRunMounts(context *imagetypes.SystemContext, mounts []
Agents: agents,
MountedImages: mountImages,
SSHAuthSock: defaultSSHSock,
+ LockedTargets: lockedTargets,
}
return finalMounts, artifacts, nil
}
@@ -2557,18 +2615,18 @@ func (b *Builder) getTmpfsMount(tokens []string, rootUID, rootGID, processUID, p
return &volumes[0], nil
}
-func (b *Builder) getCacheMount(tokens []string, rootUID, rootGID, processUID, processGID int, stageMountPoints map[string]internal.StageMountDetails) (*spec.Mount, error) {
+func (b *Builder) getCacheMount(tokens []string, rootUID, rootGID, processUID, processGID int, stageMountPoints map[string]internal.StageMountDetails) (*spec.Mount, []string, error) {
var optionMounts []specs.Mount
- mount, err := internalParse.GetCacheMount(tokens, b.store, b.MountLabel, stageMountPoints)
+ mount, lockedTargets, err := internalParse.GetCacheMount(tokens, b.store, b.MountLabel, stageMountPoints)
if err != nil {
- return nil, err
+ return nil, lockedTargets, err
}
optionMounts = append(optionMounts, mount)
volumes, err := b.runSetupVolumeMounts(b.MountLabel, nil, optionMounts, rootUID, rootGID, processUID, processGID)
if err != nil {
- return nil, err
+ return nil, lockedTargets, err
}
- return &volumes[0], nil
+ return &volumes[0], lockedTargets, nil
}
func getSecretMount(tokens []string, secrets map[string]define.Secret, mountlabel string, containerWorkingDir string, uidmap []spec.LinuxIDMapping, gidmap []spec.LinuxIDMapping) (*spec.Mount, string, error) {
@@ -2850,6 +2908,32 @@ func (b *Builder) cleanupRunMounts(context *imagetypes.SystemContext, mountpoint
prevErr = err
}
}
+ // unlock if any locked files from this RUN statement
+ for _, path := range artifacts.LockedTargets {
+ _, err := os.Stat(path)
+ if err != nil {
+ // Lockfile not found this might be a problem,
+ // since LockedTargets must contain list of all locked files
+ // don't break here since we need to unlock other files but
+ // log so user can take a look
+ logrus.Warnf("Lockfile %q was expected here, stat failed with %v", path, err)
+ continue
+ }
+ lockfile, err := lockfile.GetLockfile(path)
+ if err != nil {
+ // unable to get lockfile
+ // lets log error and continue
+ // unlocking other files
+ logrus.Warn(err)
+ continue
+ }
+ if lockfile.Locked() {
+ lockfile.Unlock()
+ } else {
+ logrus.Warnf("Lockfile %q was expected to be locked, this is unexpected", path)
+ continue
+ }
+ }
return prevErr
}
@@ -2875,3 +2959,11 @@ func getNetworkInterface(store storage.Store, cniConfDir, cniPluginPath string)
}
return netInt, nil
}
+
+// setPdeathsig sets a parent-death signal for the process
+func setPdeathsig(cmd *exec.Cmd) {
+ if cmd.SysProcAttr == nil {
+ cmd.SysProcAttr = &syscall.SysProcAttr{}
+ }
+ cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
+}
diff --git a/vendor/github.com/containers/buildah/selinux.go b/vendor/github.com/containers/buildah/selinux.go
index e7e9fd8c2..83fc867a2 100644
--- a/vendor/github.com/containers/buildah/selinux.go
+++ b/vendor/github.com/containers/buildah/selinux.go
@@ -1,13 +1,14 @@
+//go:build linux
// +build linux
package buildah
import (
"fmt"
+ "os"
"github.com/opencontainers/runtime-tools/generate"
selinux "github.com/opencontainers/selinux/go-selinux"
- "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
)
@@ -33,7 +34,7 @@ func runLabelStdioPipes(stdioPipe [][]int, processLabel, mountLabel string) erro
}
for i := range stdioPipe {
pipeFdName := fmt.Sprintf("/proc/self/fd/%d", stdioPipe[i][0])
- if err := label.Relabel(pipeFdName, pipeContext, false); err != nil {
+ if err := selinux.SetFileLabel(pipeFdName, pipeContext); err != nil && !os.IsNotExist(err) {
return errors.Wrapf(err, "setting file label on %q", pipeFdName)
}
}
diff --git a/vendor/github.com/containers/common/libimage/import.go b/vendor/github.com/containers/common/libimage/import.go
index 67ab654b2..3db392784 100644
--- a/vendor/github.com/containers/common/libimage/import.go
+++ b/vendor/github.com/containers/common/libimage/import.go
@@ -49,15 +49,16 @@ func (r *Runtime) Import(ctx context.Context, path string, options *ImportOption
ic = config.ImageConfig
}
- hist := []v1.History{
+ history := []v1.History{
{Comment: options.CommitMessage},
}
config := v1.Image{
Config: ic,
- History: hist,
+ History: history,
OS: options.OS,
Architecture: options.Arch,
+ Variant: options.Variant,
}
u, err := url.ParseRequestURI(path)
diff --git a/vendor/github.com/containers/common/libnetwork/cni/cni_conversion.go b/vendor/github.com/containers/common/libnetwork/cni/cni_conversion.go
index 8c4eeff9d..36ac468de 100644
--- a/vendor/github.com/containers/common/libnetwork/cni/cni_conversion.go
+++ b/vendor/github.com/containers/common/libnetwork/cni/cni_conversion.go
@@ -128,76 +128,76 @@ func findPluginByName(plugins []*libcni.NetworkConfig, name string) bool {
// convertIPAMConfToNetwork converts A cni IPAMConfig to libpod network subnets.
// It returns an array of subnets and an extra bool if dhcp is configured.
func convertIPAMConfToNetwork(network *types.Network, ipam *ipamConfig, confPath string) error {
- if ipam.PluginType == types.DHCPIPAMDriver {
+ switch ipam.PluginType {
+ case "":
+ network.IPAMOptions[types.Driver] = types.NoneIPAMDriver
+ case types.DHCPIPAMDriver:
network.IPAMOptions[types.Driver] = types.DHCPIPAMDriver
- return nil
- }
-
- if ipam.PluginType != types.HostLocalIPAMDriver {
- // This is not an error. While we only support certain ipam drivers, we
- // cannot make it fail for unsupported ones. CNI is still able to use them,
- // just our translation logic cannot convert this into a Network.
- // For the same reason this is not warning, it would just be annoying for
- // everyone using a unknown ipam driver.
- logrus.Infof("unsupported ipam plugin %q in %s", ipam.PluginType, confPath)
- return nil
- }
-
- network.IPAMOptions[types.Driver] = types.HostLocalIPAMDriver
- for _, r := range ipam.Ranges {
- for _, ipam := range r {
- s := types.Subnet{}
-
- // Do not use types.ParseCIDR() because we want the ip to be
- // the network address and not a random ip in the sub.
- _, sub, err := net.ParseCIDR(ipam.Subnet)
- if err != nil {
- return err
- }
- s.Subnet = types.IPNet{IPNet: *sub}
-
- // gateway
- var gateway net.IP
- if ipam.Gateway != "" {
- gateway = net.ParseIP(ipam.Gateway)
- if gateway == nil {
- return errors.Errorf("failed to parse gateway ip %s", ipam.Gateway)
- }
- // convert to 4 byte if ipv4
- util.NormalizeIP(&gateway)
- } else if !network.Internal {
- // only add a gateway address if the network is not internal
- gateway, err = util.FirstIPInSubnet(sub)
+ case types.HostLocalIPAMDriver:
+ network.IPAMOptions[types.Driver] = types.HostLocalIPAMDriver
+ for _, r := range ipam.Ranges {
+ for _, ipam := range r {
+ s := types.Subnet{}
+
+ // Do not use types.ParseCIDR() because we want the ip to be
+ // the network address and not a random ip in the sub.
+ _, sub, err := net.ParseCIDR(ipam.Subnet)
if err != nil {
- return errors.Errorf("failed to get first ip in subnet %s", sub.String())
+ return err
}
- }
- s.Gateway = gateway
-
- var rangeStart net.IP
- var rangeEnd net.IP
- if ipam.RangeStart != "" {
- rangeStart = net.ParseIP(ipam.RangeStart)
- if rangeStart == nil {
- return errors.Errorf("failed to parse range start ip %s", ipam.RangeStart)
+ s.Subnet = types.IPNet{IPNet: *sub}
+
+ // gateway
+ var gateway net.IP
+ if ipam.Gateway != "" {
+ gateway = net.ParseIP(ipam.Gateway)
+ if gateway == nil {
+ return errors.Errorf("failed to parse gateway ip %s", ipam.Gateway)
+ }
+ // convert to 4 byte if ipv4
+ util.NormalizeIP(&gateway)
+ } else if !network.Internal {
+ // only add a gateway address if the network is not internal
+ gateway, err = util.FirstIPInSubnet(sub)
+ if err != nil {
+ return errors.Errorf("failed to get first ip in subnet %s", sub.String())
+ }
}
- }
- if ipam.RangeEnd != "" {
- rangeEnd = net.ParseIP(ipam.RangeEnd)
- if rangeEnd == nil {
- return errors.Errorf("failed to parse range end ip %s", ipam.RangeEnd)
+ s.Gateway = gateway
+
+ var rangeStart net.IP
+ var rangeEnd net.IP
+ if ipam.RangeStart != "" {
+ rangeStart = net.ParseIP(ipam.RangeStart)
+ if rangeStart == nil {
+ return errors.Errorf("failed to parse range start ip %s", ipam.RangeStart)
+ }
}
+ if ipam.RangeEnd != "" {
+ rangeEnd = net.ParseIP(ipam.RangeEnd)
+ if rangeEnd == nil {
+ return errors.Errorf("failed to parse range end ip %s", ipam.RangeEnd)
+ }
+ }
+ if rangeStart != nil || rangeEnd != nil {
+ s.LeaseRange = &types.LeaseRange{}
+ s.LeaseRange.StartIP = rangeStart
+ s.LeaseRange.EndIP = rangeEnd
+ }
+ if util.IsIPv6(s.Subnet.IP) {
+ network.IPv6Enabled = true
+ }
+ network.Subnets = append(network.Subnets, s)
}
- if rangeStart != nil || rangeEnd != nil {
- s.LeaseRange = &types.LeaseRange{}
- s.LeaseRange.StartIP = rangeStart
- s.LeaseRange.EndIP = rangeEnd
- }
- if util.IsIPv6(s.Subnet.IP) {
- network.IPv6Enabled = true
- }
- network.Subnets = append(network.Subnets, s)
}
+ default:
+ // This is not an error. While we only support certain ipam drivers, we
+ // cannot make it fail for unsupported ones. CNI is still able to use them,
+ // just our translation logic cannot convert this into a Network.
+ // For the same reason this is not warning, it would just be annoying for
+ // everyone using a unknown ipam driver.
+ logrus.Infof("unsupported ipam plugin %q in %s", ipam.PluginType, confPath)
+ network.IPAMOptions[types.Driver] = ipam.PluginType
}
return nil
}
@@ -225,10 +225,13 @@ func (n *cniNetwork) createCNIConfigListFromNetwork(network *types.Network, writ
var (
routes []ipamRoute
ipamRanges [][]ipamLocalHostRangeConf
- ipamConf ipamConfig
+ ipamConf *ipamConfig
err error
)
- if len(network.Subnets) > 0 {
+
+ ipamDriver := network.IPAMOptions[types.Driver]
+ switch ipamDriver {
+ case types.HostLocalIPAMDriver:
defIpv4Route := false
defIpv6Route := false
for _, subnet := range network.Subnets {
@@ -257,46 +260,20 @@ func (n *cniNetwork) createCNIConfigListFromNetwork(network *types.Network, writ
routes = append(routes, route)
}
}
- ipamConf = newIPAMHostLocalConf(routes, ipamRanges)
- } else {
- ipamConf = ipamConfig{PluginType: "dhcp"}
- }
+ conf := newIPAMHostLocalConf(routes, ipamRanges)
+ ipamConf = &conf
+ case types.DHCPIPAMDriver:
+ ipamConf = &ipamConfig{PluginType: "dhcp"}
- vlan := 0
- mtu := 0
- vlanPluginMode := ""
- for k, v := range network.Options {
- switch k {
- case "mtu":
- mtu, err = internalutil.ParseMTU(v)
- if err != nil {
- return nil, "", err
- }
-
- case "vlan":
- vlan, err = internalutil.ParseVlan(v)
- if err != nil {
- return nil, "", err
- }
-
- case "mode":
- switch network.Driver {
- case types.MacVLANNetworkDriver:
- if !pkgutil.StringInSlice(v, types.ValidMacVLANModes) {
- return nil, "", errors.Errorf("unknown macvlan mode %q", v)
- }
- case types.IPVLANNetworkDriver:
- if !pkgutil.StringInSlice(v, types.ValidIPVLANModes) {
- return nil, "", errors.Errorf("unknown ipvlan mode %q", v)
- }
- default:
- return nil, "", errors.Errorf("cannot set option \"mode\" with driver %q", network.Driver)
- }
- vlanPluginMode = v
+ case types.NoneIPAMDriver:
+ // do nothing
+ default:
+ return nil, "", errors.Errorf("unsupported ipam driver %q", ipamDriver)
+ }
- default:
- return nil, "", errors.Errorf("unsupported network option %s", k)
- }
+ opts, err := parseOptions(network.Options, network.Driver)
+ if err != nil {
+ return nil, "", err
}
isGateway := true
@@ -314,7 +291,7 @@ func (n *cniNetwork) createCNIConfigListFromNetwork(network *types.Network, writ
switch network.Driver {
case types.BridgeNetworkDriver:
- bridge := newHostLocalBridge(network.NetworkInterface, isGateway, ipMasq, mtu, vlan, &ipamConf)
+ bridge := newHostLocalBridge(network.NetworkInterface, isGateway, ipMasq, opts.mtu, opts.vlan, ipamConf)
plugins = append(plugins, bridge, newPortMapPlugin(), newFirewallPlugin(), newTuningPlugin())
// if we find the dnsname plugin we add configuration for it
if hasDNSNamePlugin(n.cniPluginDirs) && network.DNSEnabled {
@@ -323,10 +300,10 @@ func (n *cniNetwork) createCNIConfigListFromNetwork(network *types.Network, writ
}
case types.MacVLANNetworkDriver:
- plugins = append(plugins, newVLANPlugin(types.MacVLANNetworkDriver, network.NetworkInterface, vlanPluginMode, mtu, &ipamConf))
+ plugins = append(plugins, newVLANPlugin(types.MacVLANNetworkDriver, network.NetworkInterface, opts.vlanPluginMode, opts.mtu, ipamConf))
case types.IPVLANNetworkDriver:
- plugins = append(plugins, newVLANPlugin(types.IPVLANNetworkDriver, network.NetworkInterface, vlanPluginMode, mtu, &ipamConf))
+ plugins = append(plugins, newVLANPlugin(types.IPVLANNetworkDriver, network.NetworkInterface, opts.vlanPluginMode, opts.mtu, ipamConf))
default:
return nil, "", errors.Errorf("driver %q is not supported by cni", network.Driver)
@@ -402,3 +379,48 @@ func removeMachinePlugin(conf *libcni.NetworkConfigList) *libcni.NetworkConfigLi
conf.Plugins = plugins
return conf
}
+
+type options struct {
+ vlan int
+ mtu int
+ vlanPluginMode string
+}
+
+func parseOptions(networkOptions map[string]string, networkDriver string) (*options, error) {
+ opt := &options{}
+ var err error
+ for k, v := range networkOptions {
+ switch k {
+ case "mtu":
+ opt.mtu, err = internalutil.ParseMTU(v)
+ if err != nil {
+ return nil, err
+ }
+
+ case "vlan":
+ opt.vlan, err = internalutil.ParseVlan(v)
+ if err != nil {
+ return nil, err
+ }
+
+ case "mode":
+ switch networkDriver {
+ case types.MacVLANNetworkDriver:
+ if !pkgutil.StringInSlice(v, types.ValidMacVLANModes) {
+ return nil, errors.Errorf("unknown macvlan mode %q", v)
+ }
+ case types.IPVLANNetworkDriver:
+ if !pkgutil.StringInSlice(v, types.ValidIPVLANModes) {
+ return nil, errors.Errorf("unknown ipvlan mode %q", v)
+ }
+ default:
+ return nil, errors.Errorf("cannot set option \"mode\" with driver %q", networkDriver)
+ }
+ opt.vlanPluginMode = v
+
+ default:
+ return nil, errors.Errorf("unsupported network option %s", k)
+ }
+ }
+ return opt, nil
+}
diff --git a/vendor/github.com/containers/common/libnetwork/cni/cni_types.go b/vendor/github.com/containers/common/libnetwork/cni/cni_types.go
index 9ee159886..25cc173a6 100644
--- a/vendor/github.com/containers/common/libnetwork/cni/cni_types.go
+++ b/vendor/github.com/containers/common/libnetwork/cni/cni_types.go
@@ -145,11 +145,13 @@ func newHostLocalBridge(name string, isGateWay, ipMasq bool, mtu, vlan int, ipam
MTU: mtu,
HairpinMode: true,
Vlan: vlan,
- IPAM: *ipamConf,
}
- // if we use host-local set the ips cap to ensure we can set static ips via runtime config
- if ipamConf.PluginType == types.HostLocalIPAMDriver {
- bridge.Capabilities = caps
+ if ipamConf != nil {
+ bridge.IPAM = *ipamConf
+ // if we use host-local set the ips cap to ensure we can set static ips via runtime config
+ if ipamConf.PluginType == types.HostLocalIPAMDriver {
+ bridge.Capabilities = caps
+ }
}
return &bridge
}
@@ -259,7 +261,9 @@ func hasDNSNamePlugin(paths []string) bool {
func newVLANPlugin(pluginType, device, mode string, mtu int, ipam *ipamConfig) VLANConfig {
m := VLANConfig{
PluginType: pluginType,
- IPAM: *ipam,
+ }
+ if ipam != nil {
+ m.IPAM = *ipam
}
if mtu > 0 {
m.MTU = mtu
diff --git a/vendor/github.com/containers/common/libnetwork/cni/config.go b/vendor/github.com/containers/common/libnetwork/cni/config.go
index 8b300a03b..e94a53db6 100644
--- a/vendor/github.com/containers/common/libnetwork/cni/config.go
+++ b/vendor/github.com/containers/common/libnetwork/cni/config.go
@@ -53,6 +53,11 @@ func (n *cniNetwork) networkCreate(newNetwork *types.Network, defaultNet bool) (
return nil, err
}
+ err = validateIPAMDriver(newNetwork)
+ if err != nil {
+ return nil, err
+ }
+
// Only get the used networks for validation if we do not create the default network.
// The default network should not be validated against used subnets, we have to ensure
// that this network can always be created even when a subnet is already used on the host.
@@ -91,6 +96,9 @@ func (n *cniNetwork) networkCreate(newNetwork *types.Network, defaultNet bool) (
// generate the network ID
newNetwork.ID = getNetworkIDFromName(newNetwork.Name)
+ // when we do not have ipam we must disable dns
+ internalutil.IpamNoneDisableDns(newNetwork)
+
// FIXME: Should this be a hard error?
if newNetwork.DNSEnabled && newNetwork.Internal && hasDNSNamePlugin(n.cniPluginDirs) {
logrus.Warnf("dnsname and internal networks are incompatible. dnsname plugin not configured for network %s", newNetwork.Name)
@@ -197,13 +205,38 @@ func createIPMACVLAN(network *types.Network) error {
return errors.Errorf("parent interface %s does not exist", network.NetworkInterface)
}
}
- if len(network.Subnets) == 0 {
- network.IPAMOptions[types.Driver] = types.DHCPIPAMDriver
- if network.Internal {
- return errors.New("internal is not supported with macvlan and dhcp ipam driver")
+
+ switch network.IPAMOptions[types.Driver] {
+ // set default
+ case "":
+ if len(network.Subnets) == 0 {
+ // if no subnets and no driver choose dhcp
+ network.IPAMOptions[types.Driver] = types.DHCPIPAMDriver
+ } else {
+ network.IPAMOptions[types.Driver] = types.HostLocalIPAMDriver
}
- } else {
- network.IPAMOptions[types.Driver] = types.HostLocalIPAMDriver
+ case types.HostLocalIPAMDriver:
+ if len(network.Subnets) == 0 {
+ return errors.New("host-local ipam driver set but no subnets are given")
+ }
+ }
+
+ if network.IPAMOptions[types.Driver] == types.DHCPIPAMDriver && network.Internal {
+ return errors.New("internal is not supported with macvlan and dhcp ipam driver")
+ }
+ return nil
+}
+
+func validateIPAMDriver(n *types.Network) error {
+ ipamDriver := n.IPAMOptions[types.Driver]
+ switch ipamDriver {
+ case "", types.HostLocalIPAMDriver:
+ case types.DHCPIPAMDriver, types.NoneIPAMDriver:
+ if len(n.Subnets) > 0 {
+ return errors.Errorf("%s ipam driver is set but subnets are given", ipamDriver)
+ }
+ default:
+ return errors.Errorf("unsupported ipam driver %q", ipamDriver)
}
return nil
}
diff --git a/vendor/github.com/containers/common/libnetwork/cni/run.go b/vendor/github.com/containers/common/libnetwork/cni/run.go
index 8bea87893..c7fa86ed0 100644
--- a/vendor/github.com/containers/common/libnetwork/cni/run.go
+++ b/vendor/github.com/containers/common/libnetwork/cni/run.go
@@ -125,35 +125,38 @@ func CNIResultToStatus(res cnitypes.Result) (types.StatusBlock, error) {
result.DNSSearchDomains = cniResult.DNS.Search
interfaces := make(map[string]types.NetInterface)
- for _, ip := range cniResult.IPs {
- if ip.Interface == nil {
- // we do no expect ips without an interface
+ for intIndex, netInterface := range cniResult.Interfaces {
+ // we are only interested about interfaces in the container namespace
+ if netInterface.Sandbox == "" {
continue
}
- if len(cniResult.Interfaces) <= *ip.Interface {
- return result, errors.Errorf("invalid cni result, interface index %d out of range", *ip.Interface)
+
+ mac, err := net.ParseMAC(netInterface.Mac)
+ if err != nil {
+ return result, err
}
- cniInt := cniResult.Interfaces[*ip.Interface]
- netInt, ok := interfaces[cniInt.Name]
- if ok {
- netInt.Subnets = append(netInt.Subnets, types.NetAddress{
- IPNet: types.IPNet{IPNet: ip.Address},
- Gateway: ip.Gateway,
- })
- interfaces[cniInt.Name] = netInt
- } else {
- mac, err := net.ParseMAC(cniInt.Mac)
- if err != nil {
- return result, err
+ subnets := make([]types.NetAddress, 0, len(cniResult.IPs))
+ for _, ip := range cniResult.IPs {
+ if ip.Interface == nil {
+ // we do no expect ips without an interface
+ continue
}
- interfaces[cniInt.Name] = types.NetInterface{
- MacAddress: types.HardwareAddr(mac),
- Subnets: []types.NetAddress{{
+ if len(cniResult.Interfaces) <= *ip.Interface {
+ return result, errors.Errorf("invalid cni result, interface index %d out of range", *ip.Interface)
+ }
+
+ // when we have a ip for this interface add it to the subnets
+ if *ip.Interface == intIndex {
+ subnets = append(subnets, types.NetAddress{
IPNet: types.IPNet{IPNet: ip.Address},
Gateway: ip.Gateway,
- }},
+ })
}
}
+ interfaces[netInterface.Name] = types.NetInterface{
+ MacAddress: types.HardwareAddr(mac),
+ Subnets: subnets,
+ }
}
result.Interfaces = interfaces
return result, nil
diff --git a/vendor/github.com/containers/common/libnetwork/internal/util/bridge.go b/vendor/github.com/containers/common/libnetwork/internal/util/bridge.go
index 5a4752e2b..bfa72808d 100644
--- a/vendor/github.com/containers/common/libnetwork/internal/util/bridge.go
+++ b/vendor/github.com/containers/common/libnetwork/internal/util/bridge.go
@@ -27,7 +27,9 @@ func CreateBridge(n NetUtil, network *types.Network, usedNetworks []*net.IPNet,
}
}
- if network.IPAMOptions[types.Driver] != types.DHCPIPAMDriver {
+ ipamDriver := network.IPAMOptions[types.Driver]
+ // also do this when the driver is unset
+ if ipamDriver == "" || ipamDriver == types.HostLocalIPAMDriver {
if len(network.Subnets) == 0 {
freeSubnet, err := GetFreeIPv4NetworkSubnet(usedNetworks, subnetPools)
if err != nil {
diff --git a/vendor/github.com/containers/common/libnetwork/internal/util/create.go b/vendor/github.com/containers/common/libnetwork/internal/util/create.go
index ccb0f001a..c1a4bee75 100644
--- a/vendor/github.com/containers/common/libnetwork/internal/util/create.go
+++ b/vendor/github.com/containers/common/libnetwork/internal/util/create.go
@@ -3,6 +3,7 @@ package util
import (
"github.com/containers/common/libnetwork/types"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
)
func CommonNetworkCreate(n NetUtil, network *types.Network) error {
@@ -39,3 +40,10 @@ func CommonNetworkCreate(n NetUtil, network *types.Network) error {
}
return nil
}
+
+func IpamNoneDisableDns(network *types.Network) {
+ if network.IPAMOptions[types.Driver] == types.NoneIPAMDriver {
+ logrus.Debugf("dns disabled for network %q because ipam driver is set to none", network.Name)
+ network.DNSEnabled = false
+ }
+}
diff --git a/vendor/github.com/containers/common/libnetwork/netavark/config.go b/vendor/github.com/containers/common/libnetwork/netavark/config.go
index 99b4e0308..6a08de55c 100644
--- a/vendor/github.com/containers/common/libnetwork/netavark/config.go
+++ b/vendor/github.com/containers/common/libnetwork/netavark/config.go
@@ -67,6 +67,11 @@ func (n *netavarkNetwork) networkCreate(newNetwork *types.Network, defaultNet bo
return nil, err
}
+ err = validateIPAMDriver(newNetwork)
+ if err != nil {
+ return nil, err
+ }
+
// Only get the used networks for validation if we do not create the default network.
// The default network should not be validated against used subnets, we have to ensure
// that this network can always be created even when a subnet is already used on the host.
@@ -116,7 +121,10 @@ func (n *netavarkNetwork) networkCreate(newNetwork *types.Network, defaultNet bo
return nil, errors.Wrapf(types.ErrInvalidArg, "unsupported driver %s", newNetwork.Driver)
}
- // add gatway when not internal or dns enabled
+ // when we do not have ipam we must disable dns
+ internalutil.IpamNoneDisableDns(newNetwork)
+
+ // add gateway when not internal or dns enabled
addGateway := !newNetwork.Internal || newNetwork.DNSEnabled
err = internalutil.ValidateSubnets(newNetwork, addGateway, usedNetworks)
if err != nil {
@@ -153,10 +161,19 @@ func createMacvlan(network *types.Network) error {
return errors.Errorf("parent interface %s does not exist", network.NetworkInterface)
}
}
- if len(network.Subnets) == 0 {
- return errors.Errorf("macvlan driver needs at least one subnet specified, DHCP is not supported with netavark")
+
+ // we already validated the drivers before so we just have to set the default here
+ switch network.IPAMOptions[types.Driver] {
+ case "":
+ if len(network.Subnets) == 0 {
+ return errors.Errorf("macvlan driver needs at least one subnet specified, DHCP is not yet supported with netavark")
+ }
+ network.IPAMOptions[types.Driver] = types.HostLocalIPAMDriver
+ case types.HostLocalIPAMDriver:
+ if len(network.Subnets) == 0 {
+ return errors.Errorf("macvlan driver needs at least one subnet specified, when the host-local ipam driver is set")
+ }
}
- network.IPAMOptions[types.Driver] = types.HostLocalIPAMDriver
// validate the given options, we do not need them but just check to make sure they are valid
for key, value := range network.Options {
@@ -246,3 +263,19 @@ func (n *netavarkNetwork) NetworkInspect(nameOrID string) (types.Network, error)
}
return *network, nil
}
+
+func validateIPAMDriver(n *types.Network) error {
+ ipamDriver := n.IPAMOptions[types.Driver]
+ switch ipamDriver {
+ case "", types.HostLocalIPAMDriver:
+ case types.NoneIPAMDriver:
+ if len(n.Subnets) > 0 {
+ return errors.New("none ipam driver is set but subnets are given")
+ }
+ case types.DHCPIPAMDriver:
+ return errors.New("dhcp ipam driver is not yet supported with netavark")
+ default:
+ return errors.Errorf("unsupported ipam driver %q", ipamDriver)
+ }
+ return nil
+}
diff --git a/vendor/github.com/containers/common/libnetwork/netavark/network.go b/vendor/github.com/containers/common/libnetwork/netavark/network.go
index 166d5e31a..15d1f03eb 100644
--- a/vendor/github.com/containers/common/libnetwork/netavark/network.go
+++ b/vendor/github.com/containers/common/libnetwork/netavark/network.go
@@ -245,7 +245,7 @@ func parseNetwork(network *types.Network) error {
return errors.Errorf("invalid network ID %q", network.ID)
}
- // add gatway when not internal or dns enabled
+ // add gateway when not internal or dns enabled
addGateway := !network.Internal || network.DNSEnabled
return util.ValidateSubnets(network, addGateway, nil)
}
diff --git a/vendor/github.com/containers/common/libnetwork/types/const.go b/vendor/github.com/containers/common/libnetwork/types/const.go
index 5690a6058..a1e4d71ed 100644
--- a/vendor/github.com/containers/common/libnetwork/types/const.go
+++ b/vendor/github.com/containers/common/libnetwork/types/const.go
@@ -12,10 +12,12 @@ const (
// IPAM drivers
Driver = "driver"
- // HostLocalIPAMDriver store the ip
+ // HostLocalIPAMDriver store the ip locally in a db
HostLocalIPAMDriver = "host-local"
// DHCPIPAMDriver get subnet and ip from dhcp server
DHCPIPAMDriver = "dhcp"
+ // NoneIPAMDriver do not provide ipam management
+ NoneIPAMDriver = "none"
// DefaultSubnet is the name that will be used for the default CNI network.
DefaultNetworkName = "podman"
diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go
index 8bf62800f..2c556c1bb 100644
--- a/vendor/github.com/containers/common/pkg/config/config.go
+++ b/vendor/github.com/containers/common/pkg/config/config.go
@@ -2,6 +2,7 @@ package config
import (
"fmt"
+ "io/fs"
"os"
"os/exec"
"path/filepath"
@@ -251,7 +252,7 @@ type EngineConfig struct {
// EventsLogFileMaxSize sets the maximum size for the events log. When the limit is exceeded,
// the logfile is rotated and the old one is deleted.
- EventsLogFileMaxSize uint64 `toml:"events_logfile_max_size,omitempty"`
+ EventsLogFileMaxSize uint64 `toml:"events_logfile_max_size,omitempty,omitzero"`
// EventsLogger determines where events should be logged.
EventsLogger string `toml:"events_logger,omitempty"`
@@ -649,17 +650,14 @@ func readConfigFromFile(path string, config *Config) error {
func addConfigs(dirPath string, configs []string) ([]string, error) {
newConfigs := []string{}
- err := filepath.Walk(dirPath,
+ err := filepath.WalkDir(dirPath,
// WalkFunc to read additional configs
- func(path string, info os.FileInfo, err error) error {
+ func(path string, d fs.DirEntry, err error) error {
switch {
case err != nil:
// return error (could be a permission problem)
return err
- case info == nil:
- // this should only happen when err != nil but let's be sure
- return nil
- case info.IsDir():
+ case d.IsDir():
if path != dirPath {
// make sure to not recurse into sub-directories
return filepath.SkipDir
diff --git a/vendor/github.com/containers/common/pkg/report/camelcase/README.md b/vendor/github.com/containers/common/pkg/report/camelcase/README.md
index 105a6ae33..0d255063d 100644
--- a/vendor/github.com/containers/common/pkg/report/camelcase/README.md
+++ b/vendor/github.com/containers/common/pkg/report/camelcase/README.md
@@ -27,9 +27,9 @@ go get github.com/fatih/camelcase
## Usage and examples
```go
-splitted := camelcase.Split("GolangPackage")
+split := camelcase.Split("GolangPackage")
-fmt.Println(splitted[0], splitted[1]) // prints: "Golang", "Package"
+fmt.Println(split[0], split[1]) // prints: "Golang", "Package"
```
Both lower camel case and upper camel case are supported. For more info please
diff --git a/vendor/github.com/containers/common/pkg/secrets/passdriver/passdriver.go b/vendor/github.com/containers/common/pkg/secrets/passdriver/passdriver.go
index 6dc00b34c..50967b7cf 100644
--- a/vendor/github.com/containers/common/pkg/secrets/passdriver/passdriver.go
+++ b/vendor/github.com/containers/common/pkg/secrets/passdriver/passdriver.go
@@ -30,6 +30,8 @@ type driverConfig struct {
Root string
// KeyID contains the key id that will be used for encryption (i.e. user@domain.tld)
KeyID string
+ // GPGHomedir is the homedir where the GPG keys are stored
+ GPGHomedir string
}
func (cfg *driverConfig) ParseOpts(opts map[string]string) {
@@ -40,6 +42,9 @@ func (cfg *driverConfig) ParseOpts(opts map[string]string) {
if val, ok := opts["key"]; ok {
cfg.KeyID = val
}
+ if val, ok := opts["gpghomedir"]; ok {
+ cfg.GPGHomedir = val
+ }
}
func defaultDriverConfig() *driverConfig {
@@ -156,6 +161,9 @@ func (d *Driver) Delete(id string) error {
}
func (d *Driver) gpg(ctx context.Context, in io.Reader, out io.Writer, args ...string) error {
+ if d.GPGHomedir != "" {
+ args = append([]string{"--homedir", d.GPGHomedir}, args...)
+ }
cmd := exec.CommandContext(ctx, "gpg", args...)
cmd.Env = os.Environ()
cmd.Stdin = in
diff --git a/vendor/github.com/containers/image/v5/copy/copy.go b/vendor/github.com/containers/image/v5/copy/copy.go
index 0501fb3c1..b616e566c 100644
--- a/vendor/github.com/containers/image/v5/copy/copy.go
+++ b/vendor/github.com/containers/image/v5/copy/copy.go
@@ -124,9 +124,10 @@ type ImageListSelection int
// Options allows supplying non-default configuration modifying the behavior of CopyImage.
type Options struct {
- RemoveSignatures bool // Remove any pre-existing signatures. SignBy will still add a new signature.
- SignBy string // If non-empty, asks for a signature to be added during the copy, and specifies a key ID, as accepted by signature.NewGPGSigningMechanism().SignDockerManifest(),
- SignPassphrase string // Passphare to use when signing with the key ID from `SignBy`.
+ RemoveSignatures bool // Remove any pre-existing signatures. SignBy will still add a new signature.
+ SignBy string // If non-empty, asks for a signature to be added during the copy, and specifies a key ID, as accepted by signature.NewGPGSigningMechanism().SignDockerManifest(),
+ SignPassphrase string // Passphare to use when signing with the key ID from `SignBy`.
+ SignIdentity reference.Named // Identify to use when signing, defaults to the docker reference of the destination
ReportWriter io.Writer
SourceCtx *types.SystemContext
DestinationCtx *types.SystemContext
@@ -574,7 +575,7 @@ func (c *copier) copyMultipleImages(ctx context.Context, policyContext *signatur
// Sign the manifest list.
if options.SignBy != "" {
- newSig, err := c.createSignature(manifestList, options.SignBy, options.SignPassphrase)
+ newSig, err := c.createSignature(manifestList, options.SignBy, options.SignPassphrase, options.SignIdentity)
if err != nil {
return nil, err
}
@@ -796,7 +797,7 @@ func (c *copier) copyOneImage(ctx context.Context, policyContext *signature.Poli
}
if options.SignBy != "" {
- newSig, err := c.createSignature(manifestBytes, options.SignBy, options.SignPassphrase)
+ newSig, err := c.createSignature(manifestBytes, options.SignBy, options.SignPassphrase, options.SignIdentity)
if err != nil {
return nil, "", "", err
}
diff --git a/vendor/github.com/containers/image/v5/copy/sign.go b/vendor/github.com/containers/image/v5/copy/sign.go
index 21a3facd7..aa42674bc 100644
--- a/vendor/github.com/containers/image/v5/copy/sign.go
+++ b/vendor/github.com/containers/image/v5/copy/sign.go
@@ -1,13 +1,14 @@
package copy
import (
+ "github.com/containers/image/v5/docker/reference"
"github.com/containers/image/v5/signature"
"github.com/containers/image/v5/transports"
"github.com/pkg/errors"
)
// createSignature creates a new signature of manifest using keyIdentity.
-func (c *copier) createSignature(manifest []byte, keyIdentity string, passphrase string) ([]byte, error) {
+func (c *copier) createSignature(manifest []byte, keyIdentity string, passphrase string, identity reference.Named) ([]byte, error) {
mech, err := signature.NewGPGSigningMechanism()
if err != nil {
return nil, errors.Wrap(err, "initializing GPG")
@@ -17,13 +18,19 @@ func (c *copier) createSignature(manifest []byte, keyIdentity string, passphrase
return nil, errors.Wrap(err, "Signing not supported")
}
- dockerReference := c.dest.Reference().DockerReference()
- if dockerReference == nil {
- return nil, errors.Errorf("Cannot determine canonical Docker reference for destination %s", transports.ImageName(c.dest.Reference()))
+ if identity != nil {
+ if reference.IsNameOnly(identity) {
+ return nil, errors.Errorf("Sign identity must be a fully specified reference %s", identity)
+ }
+ } else {
+ identity = c.dest.Reference().DockerReference()
+ if identity == nil {
+ return nil, errors.Errorf("Cannot determine canonical Docker reference for destination %s", transports.ImageName(c.dest.Reference()))
+ }
}
c.Printf("Signing manifest\n")
- newSig, err := signature.SignDockerManifestWithOptions(manifest, dockerReference.String(), mech, keyIdentity, &signature.SignOptions{Passphrase: passphrase})
+ newSig, err := signature.SignDockerManifestWithOptions(manifest, identity.String(), mech, keyIdentity, &signature.SignOptions{Passphrase: passphrase})
if err != nil {
return nil, errors.Wrap(err, "creating signature")
}
diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go
index 833323b42..9837235d8 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_client.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_client.go
@@ -463,7 +463,11 @@ func (c *dockerClient) makeRequest(ctx context.Context, method, path string, hea
return nil, err
}
- url := fmt.Sprintf("%s://%s%s", c.scheme, c.registry, path)
+ urlString := fmt.Sprintf("%s://%s%s", c.scheme, c.registry, path)
+ url, err := url.Parse(urlString)
+ if err != nil {
+ return nil, err
+ }
return c.makeRequestToResolvedURL(ctx, method, url, headers, stream, -1, auth, extraScope)
}
@@ -500,7 +504,7 @@ func parseRetryAfter(res *http.Response, fallbackDelay time.Duration) time.Durat
// makeRequest should generally be preferred.
// In case of an HTTP 429 status code in the response, it may automatically retry a few times.
// TODO(runcom): too many arguments here, use a struct
-func (c *dockerClient) makeRequestToResolvedURL(ctx context.Context, method, url string, headers map[string][]string, stream io.Reader, streamLen int64, auth sendAuth, extraScope *authScope) (*http.Response, error) {
+func (c *dockerClient) makeRequestToResolvedURL(ctx context.Context, method string, url *url.URL, headers map[string][]string, stream io.Reader, streamLen int64, auth sendAuth, extraScope *authScope) (*http.Response, error) {
delay := backoffInitialDelay
attempts := 0
for {
@@ -518,7 +522,7 @@ func (c *dockerClient) makeRequestToResolvedURL(ctx context.Context, method, url
if delay > backoffMaxDelay {
delay = backoffMaxDelay
}
- logrus.Debugf("Too many requests to %s: sleeping for %f seconds before next attempt", url, delay.Seconds())
+ logrus.Debugf("Too many requests to %s: sleeping for %f seconds before next attempt", url.Redacted(), delay.Seconds())
select {
case <-ctx.Done():
return nil, ctx.Err()
@@ -533,12 +537,12 @@ func (c *dockerClient) makeRequestToResolvedURL(ctx context.Context, method, url
// streamLen, if not -1, specifies the length of the data expected on stream.
// makeRequest should generally be preferred.
// Note that no exponential back off is performed when receiving an http 429 status code.
-func (c *dockerClient) makeRequestToResolvedURLOnce(ctx context.Context, method, url string, headers map[string][]string, stream io.Reader, streamLen int64, auth sendAuth, extraScope *authScope) (*http.Response, error) {
- req, err := http.NewRequestWithContext(ctx, method, url, stream)
+func (c *dockerClient) makeRequestToResolvedURLOnce(ctx context.Context, method string, url *url.URL, headers map[string][]string, stream io.Reader, streamLen int64, auth sendAuth, extraScope *authScope) (*http.Response, error) {
+ req, err := http.NewRequestWithContext(ctx, method, url.String(), stream)
if err != nil {
return nil, err
}
- if streamLen != -1 { // Do not blindly overwrite if streamLen == -1, http.NewRequest above can figure out the length of bytes.Reader and similar objects without us having to compute it.
+ if streamLen != -1 { // Do not blindly overwrite if streamLen == -1, http.NewRequestWithContext above can figure out the length of bytes.Reader and similar objects without us having to compute it.
req.ContentLength = streamLen
}
req.Header.Set("Docker-Distribution-API-Version", "registry/2.0")
@@ -553,7 +557,7 @@ func (c *dockerClient) makeRequestToResolvedURLOnce(ctx context.Context, method,
return nil, err
}
}
- logrus.Debugf("%s %s", method, url)
+ logrus.Debugf("%s %s", method, url.Redacted())
res, err := c.client.Do(req)
if err != nil {
return nil, err
@@ -653,7 +657,7 @@ func (c *dockerClient) getBearerTokenOAuth2(ctx context.Context, challenge chall
authReq.Body = ioutil.NopCloser(bytes.NewBufferString(params.Encode()))
authReq.Header.Add("User-Agent", c.userAgent)
authReq.Header.Add("Content-Type", "application/x-www-form-urlencoded")
- logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
+ logrus.Debugf("%s %s", authReq.Method, authReq.URL.Redacted())
res, err := c.client.Do(authReq)
if err != nil {
return nil, err
@@ -705,7 +709,7 @@ func (c *dockerClient) getBearerToken(ctx context.Context, challenge challenge,
}
authReq.Header.Add("User-Agent", c.userAgent)
- logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
+ logrus.Debugf("%s %s", authReq.Method, authReq.URL.Redacted())
res, err := c.client.Do(authReq)
if err != nil {
return nil, err
@@ -735,14 +739,17 @@ func (c *dockerClient) detectPropertiesHelper(ctx context.Context) error {
c.client = &http.Client{Transport: tr}
ping := func(scheme string) error {
- url := fmt.Sprintf(resolvedPingV2URL, scheme, c.registry)
+ url, err := url.Parse(fmt.Sprintf(resolvedPingV2URL, scheme, c.registry))
+ if err != nil {
+ return err
+ }
resp, err := c.makeRequestToResolvedURL(ctx, http.MethodGet, url, nil, nil, -1, noAuth, nil)
if err != nil {
- logrus.Debugf("Ping %s err %s (%#v)", url, err.Error(), err)
+ logrus.Debugf("Ping %s err %s (%#v)", url.Redacted(), err.Error(), err)
return err
}
defer resp.Body.Close()
- logrus.Debugf("Ping %s status %d", url, resp.StatusCode)
+ logrus.Debugf("Ping %s status %d", url.Redacted(), resp.StatusCode)
if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
return httpResponseToError(resp, "")
}
@@ -762,14 +769,17 @@ func (c *dockerClient) detectPropertiesHelper(ctx context.Context) error {
}
// best effort to understand if we're talking to a V1 registry
pingV1 := func(scheme string) bool {
- url := fmt.Sprintf(resolvedPingV1URL, scheme, c.registry)
+ url, err := url.Parse(fmt.Sprintf(resolvedPingV1URL, scheme, c.registry))
+ if err != nil {
+ return false
+ }
resp, err := c.makeRequestToResolvedURL(ctx, http.MethodGet, url, nil, nil, -1, noAuth, nil)
if err != nil {
- logrus.Debugf("Ping %s err %s (%#v)", url, err.Error(), err)
+ logrus.Debugf("Ping %s err %s (%#v)", url.Redacted(), err.Error(), err)
return false
}
defer resp.Body.Close()
- logrus.Debugf("Ping %s status %d", url, resp.StatusCode)
+ logrus.Debugf("Ping %s status %d", url.Redacted(), resp.StatusCode)
if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
return false
}
diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
index e7af8f93d..e3275aa45 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
@@ -182,7 +182,7 @@ func (d *dockerImageDestination) PutBlob(ctx context.Context, stream io.Reader,
// This error text should never be user-visible, we terminate only after makeRequestToResolvedURL
// returns, so there isn’t a way for the error text to be provided to any of our callers.
defer uploadReader.Terminate(errors.New("Reading data from an already terminated upload"))
- res, err = d.c.makeRequestToResolvedURL(ctx, http.MethodPatch, uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, uploadReader, inputInfo.Size, v2Auth, nil)
+ res, err = d.c.makeRequestToResolvedURL(ctx, http.MethodPatch, uploadLocation, map[string][]string{"Content-Type": {"application/octet-stream"}}, uploadReader, inputInfo.Size, v2Auth, nil)
if err != nil {
logrus.Debugf("Error uploading layer chunked %v", err)
return nil, err
@@ -207,7 +207,7 @@ func (d *dockerImageDestination) PutBlob(ctx context.Context, stream io.Reader,
locationQuery := uploadLocation.Query()
locationQuery.Set("digest", blobDigest.String())
uploadLocation.RawQuery = locationQuery.Encode()
- res, err = d.c.makeRequestToResolvedURL(ctx, http.MethodPut, uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, nil, -1, v2Auth, nil)
+ res, err = d.c.makeRequestToResolvedURL(ctx, http.MethodPut, uploadLocation, map[string][]string{"Content-Type": {"application/octet-stream"}}, nil, -1, v2Auth, nil)
if err != nil {
return types.BlobInfo{}, err
}
@@ -257,9 +257,8 @@ func (d *dockerImageDestination) mountBlob(ctx context.Context, srcRepo referenc
"from": {reference.Path(srcRepo)},
}.Encode(),
}
- mountPath := u.String()
- logrus.Debugf("Trying to mount %s", mountPath)
- res, err := d.c.makeRequest(ctx, http.MethodPost, mountPath, nil, nil, v2Auth, extraScope)
+ logrus.Debugf("Trying to mount %s", u.Redacted())
+ res, err := d.c.makeRequest(ctx, http.MethodPost, u.String(), nil, nil, v2Auth, extraScope)
if err != nil {
return err
}
@@ -276,8 +275,8 @@ func (d *dockerImageDestination) mountBlob(ctx context.Context, srcRepo referenc
if err != nil {
return errors.Wrap(err, "determining upload URL after a mount attempt")
}
- logrus.Debugf("... started an upload instead of mounting, trying to cancel at %s", uploadLocation.String())
- res2, err := d.c.makeRequestToResolvedURL(ctx, http.MethodDelete, uploadLocation.String(), nil, nil, -1, v2Auth, extraScope)
+ logrus.Debugf("... started an upload instead of mounting, trying to cancel at %s", uploadLocation.Redacted())
+ res2, err := d.c.makeRequestToResolvedURL(ctx, http.MethodDelete, uploadLocation, nil, nil, -1, v2Auth, extraScope)
if err != nil {
logrus.Debugf("Error trying to cancel an inadvertent upload: %s", err)
} else {
@@ -600,9 +599,9 @@ func (d *dockerImageDestination) putOneSignature(url *url.URL, signature []byte)
return nil
case "http", "https":
- return errors.Errorf("Writing directly to a %s sigstore %s is not supported. Configure a sigstore-staging: location", url.Scheme, url.String())
+ return errors.Errorf("Writing directly to a %s sigstore %s is not supported. Configure a sigstore-staging: location", url.Scheme, url.Redacted())
default:
- return errors.Errorf("Unsupported scheme when writing signature to %s", url.String())
+ return errors.Errorf("Unsupported scheme when writing signature to %s", url.Redacted())
}
}
@@ -620,9 +619,9 @@ func (c *dockerClient) deleteOneSignature(url *url.URL) (missing bool, err error
return false, err
case "http", "https":
- return false, errors.Errorf("Writing directly to a %s sigstore %s is not supported. Configure a sigstore-staging: location", url.Scheme, url.String())
+ return false, errors.Errorf("Writing directly to a %s sigstore %s is not supported. Configure a sigstore-staging: location", url.Scheme, url.Redacted())
default:
- return false, errors.Errorf("Unsupported scheme when deleting signature from %s", url.String())
+ return false, errors.Errorf("Unsupported scheme when deleting signature from %s", url.Redacted())
}
}
diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
index cb520d670..c08e5538a 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
@@ -253,13 +253,14 @@ func (s *dockerImageSource) getExternalBlob(ctx context.Context, urls []string)
return nil, 0, errors.New("internal error: getExternalBlob called with no URLs")
}
for _, u := range urls {
- if u, err := url.Parse(u); err != nil || (u.Scheme != "http" && u.Scheme != "https") {
+ url, err := url.Parse(u)
+ if err != nil || (url.Scheme != "http" && url.Scheme != "https") {
continue // unsupported url. skip this url.
}
// NOTE: we must not authenticate on additional URLs as those
// can be abused to leak credentials or tokens. Please
// refer to CVE-2020-15157 for more information.
- resp, err = s.c.makeRequestToResolvedURL(ctx, http.MethodGet, u, nil, nil, -1, noAuth, nil)
+ resp, err = s.c.makeRequestToResolvedURL(ctx, http.MethodGet, url, nil, nil, -1, noAuth, nil)
if err == nil {
if resp.StatusCode != http.StatusOK {
err = errors.Errorf("error fetching external blob from %q: %d (%s)", u, resp.StatusCode, http.StatusText(resp.StatusCode))
@@ -524,7 +525,7 @@ func (s *dockerImageSource) getOneSignature(ctx context.Context, url *url.URL) (
return sig, false, nil
case "http", "https":
- logrus.Debugf("GET %s", url)
+ logrus.Debugf("GET %s", url.Redacted())
req, err := http.NewRequestWithContext(ctx, http.MethodGet, url.String(), nil)
if err != nil {
return nil, false, err
@@ -537,7 +538,7 @@ func (s *dockerImageSource) getOneSignature(ctx context.Context, url *url.URL) (
if res.StatusCode == http.StatusNotFound {
return nil, true, nil
} else if res.StatusCode != http.StatusOK {
- return nil, false, errors.Errorf("Error reading signature from %s: status %d (%s)", url.String(), res.StatusCode, http.StatusText(res.StatusCode))
+ return nil, false, errors.Errorf("Error reading signature from %s: status %d (%s)", url.Redacted(), res.StatusCode, http.StatusText(res.StatusCode))
}
sig, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureBodySize)
if err != nil {
@@ -546,7 +547,7 @@ func (s *dockerImageSource) getOneSignature(ctx context.Context, url *url.URL) (
return sig, false, nil
default:
- return nil, false, errors.Errorf("Unsupported scheme when reading signature from %s", url.String())
+ return nil, false, errors.Errorf("Unsupported scheme when reading signature from %s", url.Redacted())
}
}
diff --git a/vendor/github.com/containers/image/v5/docker/lookaside.go b/vendor/github.com/containers/image/v5/docker/lookaside.go
index 515e59327..22d84931c 100644
--- a/vendor/github.com/containers/image/v5/docker/lookaside.go
+++ b/vendor/github.com/containers/image/v5/docker/lookaside.go
@@ -82,7 +82,7 @@ func SignatureStorageBaseURL(sys *types.SystemContext, ref types.ImageReference,
} else {
// returns default directory if no sigstore specified in configuration file
url = builtinDefaultSignatureStorageDir(rootless.GetRootlessEUID())
- logrus.Debugf(" No signature storage configuration found for %s, using built-in default %s", dr.PolicyConfigurationIdentity(), url.String())
+ logrus.Debugf(" No signature storage configuration found for %s, using built-in default %s", dr.PolicyConfigurationIdentity(), url.Redacted())
}
// NOTE: Keep this in sync with docs/signature-protocols.md!
// FIXME? Restrict to explicitly supported schemes?
diff --git a/vendor/github.com/containers/image/v5/openshift/openshift.go b/vendor/github.com/containers/image/v5/openshift/openshift.go
index c7c6cf694..67612d800 100644
--- a/vendor/github.com/containers/image/v5/openshift/openshift.go
+++ b/vendor/github.com/containers/image/v5/openshift/openshift.go
@@ -95,7 +95,7 @@ func (c *openshiftClient) doRequest(ctx context.Context, method, path string, re
req.Header.Set("Content-Type", "application/json")
}
- logrus.Debugf("%s %s", method, url.String())
+ logrus.Debugf("%s %s", method, url.Redacted())
res, err := c.httpClient.Do(req)
if err != nil {
return nil, err
diff --git a/vendor/github.com/containers/image/v5/pkg/sysregistriesv2/shortnames.go b/vendor/github.com/containers/image/v5/pkg/sysregistriesv2/shortnames.go
index 7122e869f..6909ea0a6 100644
--- a/vendor/github.com/containers/image/v5/pkg/sysregistriesv2/shortnames.go
+++ b/vendor/github.com/containers/image/v5/pkg/sysregistriesv2/shortnames.go
@@ -13,6 +13,7 @@ import (
"github.com/containers/storage/pkg/homedir"
"github.com/containers/storage/pkg/lockfile"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
)
// defaultShortNameMode is the default mode of registries.conf files if the
@@ -315,11 +316,14 @@ func (c *shortNameAliasCache) updateWithConfigurationFrom(updates *shortNameAlia
func loadShortNameAliasConf(confPath string) (*shortNameAliasConf, *shortNameAliasCache, error) {
conf := shortNameAliasConf{}
- _, err := toml.DecodeFile(confPath, &conf)
+ meta, err := toml.DecodeFile(confPath, &conf)
if err != nil && !os.IsNotExist(err) {
// It's okay if the config doesn't exist. Other errors are not.
return nil, nil, errors.Wrapf(err, "loading short-name aliases config file %q", confPath)
}
+ if keys := meta.Undecoded(); len(keys) > 0 {
+ logrus.Debugf("Failed to decode keys %q from %q", keys, confPath)
+ }
// Even if we don’t always need the cache, doing so validates the machine-generated config. The
// file could still be corrupted by another process or user.
diff --git a/vendor/github.com/containers/image/v5/pkg/sysregistriesv2/system_registries_v2.go b/vendor/github.com/containers/image/v5/pkg/sysregistriesv2/system_registries_v2.go
index c8a603c4e..c5df241b7 100644
--- a/vendor/github.com/containers/image/v5/pkg/sysregistriesv2/system_registries_v2.go
+++ b/vendor/github.com/containers/image/v5/pkg/sysregistriesv2/system_registries_v2.go
@@ -43,6 +43,16 @@ const builtinRegistriesConfDirPath = "/etc/containers/registries.conf.d"
// helper.
const AuthenticationFileHelper = "containers-auth.json"
+const (
+ // configuration values for "pull-from-mirror"
+ // mirrors will be used for both digest pulls and tag pulls
+ MirrorAll = "all"
+ // mirrors will only be used for digest pulls
+ MirrorByDigestOnly = "digest-only"
+ // mirrors will only be used for tag pulls
+ MirrorByTagOnly = "tag-only"
+)
+
// Endpoint describes a remote location of a registry.
type Endpoint struct {
// The endpoint's remote location. Can be empty iff Prefix contains
@@ -53,6 +63,18 @@ type Endpoint struct {
// If true, certs verification will be skipped and HTTP (non-TLS)
// connections will be allowed.
Insecure bool `toml:"insecure,omitempty"`
+ // PullFromMirror is used for adding restrictions to image pull through the mirror.
+ // Set to "all", "digest-only", or "tag-only".
+ // If "digest-only", mirrors will only be used for digest pulls. Pulling images by
+ // tag can potentially yield different images, depending on which endpoint
+ // we pull from. Restricting mirrors to pulls by digest avoids that issue.
+ // If "tag-only", mirrors will only be used for tag pulls. For a more up-to-date and expensive mirror
+ // that it is less likely to be out of sync if tags move, it should not be unnecessarily
+ // used for digest references.
+ // Default is "all" (or left empty), mirrors will be used for both digest pulls and tag pulls unless the mirror-by-digest-only is set for the primary registry.
+ // This can only be set in a registry's Mirror field, not in the registry's primary Endpoint.
+ // This per-mirror setting is allowed only when mirror-by-digest-only is not configured for the primary registry.
+ PullFromMirror string `toml:"pull-from-mirror,omitempty"`
}
// userRegistriesFile is the path to the per user registry configuration file.
@@ -115,7 +137,7 @@ type Registry struct {
Blocked bool `toml:"blocked,omitempty"`
// If true, mirrors will only be used for digest pulls. Pulling images by
// tag can potentially yield different images, depending on which endpoint
- // we pull from. Forcing digest-pulls for mirrors avoids that issue.
+ // we pull from. Restricting mirrors to pulls by digest avoids that issue.
MirrorByDigestOnly bool `toml:"mirror-by-digest-only,omitempty"`
}
@@ -130,17 +152,29 @@ type PullSource struct {
// reference.
func (r *Registry) PullSourcesFromReference(ref reference.Named) ([]PullSource, error) {
var endpoints []Endpoint
-
+ _, isDigested := ref.(reference.Canonical)
if r.MirrorByDigestOnly {
- // Only use mirrors when the reference is a digest one.
- if _, isDigested := ref.(reference.Canonical); isDigested {
- endpoints = append(r.Mirrors, r.Endpoint)
- } else {
- endpoints = []Endpoint{r.Endpoint}
+ // Only use mirrors when the reference is a digested one.
+ if isDigested {
+ endpoints = append(endpoints, r.Mirrors...)
}
} else {
- endpoints = append(r.Mirrors, r.Endpoint)
+ for _, mirror := range r.Mirrors {
+ // skip the mirror if per mirror setting exists but reference does not match the restriction
+ switch mirror.PullFromMirror {
+ case MirrorByDigestOnly:
+ if !isDigested {
+ continue
+ }
+ case MirrorByTagOnly:
+ if isDigested {
+ continue
+ }
+ }
+ endpoints = append(endpoints, mirror)
+ }
}
+ endpoints = append(endpoints, r.Endpoint)
sources := []PullSource{}
for _, ep := range endpoints {
@@ -374,6 +408,10 @@ func (config *V2RegistriesConf) postProcessRegistries() error {
}
}
+ // validate the mirror usage settings does not apply to primary registry
+ if reg.PullFromMirror != "" {
+ return fmt.Errorf("pull-from-mirror must not be set for a non-mirror registry %q", reg.Prefix)
+ }
// make sure mirrors are valid
for _, mir := range reg.Mirrors {
mir.Location, err = parseLocation(mir.Location)
@@ -387,6 +425,14 @@ func (config *V2RegistriesConf) postProcessRegistries() error {
if mir.Location == "" {
return &InvalidRegistries{s: "invalid condition: mirror location is unset"}
}
+
+ if reg.MirrorByDigestOnly && mir.PullFromMirror != "" {
+ return &InvalidRegistries{s: fmt.Sprintf("cannot set mirror usage mirror-by-digest-only for the registry (%q) and pull-from-mirror for per-mirror (%q) at the same time", reg.Prefix, mir.Location)}
+ }
+ if mir.PullFromMirror != "" && mir.PullFromMirror != MirrorAll &&
+ mir.PullFromMirror != MirrorByDigestOnly && mir.PullFromMirror != MirrorByTagOnly {
+ return &InvalidRegistries{s: fmt.Sprintf("unsupported pull-from-mirror value %q for mirror %q", mir.PullFromMirror, mir.Location)}
+ }
}
if reg.Location == "" {
regMap[reg.Prefix] = append(regMap[reg.Prefix], reg)
@@ -877,10 +923,13 @@ func loadConfigFile(path string, forceV2 bool) (*parsedConfig, error) {
// Load the tomlConfig. Note that `DecodeFile` will overwrite set fields.
var combinedTOML tomlConfig
- _, err := toml.DecodeFile(path, &combinedTOML)
+ meta, err := toml.DecodeFile(path, &combinedTOML)
if err != nil {
return nil, err
}
+ if keys := meta.Undecoded(); len(keys) > 0 {
+ logrus.Debugf("Failed to decode keys %q from %q", keys, path)
+ }
if combinedTOML.V1RegistriesConf.Nonempty() {
// Enforce the v2 format if requested.
diff --git a/vendor/github.com/containers/image/v5/signature/mechanism.go b/vendor/github.com/containers/image/v5/signature/mechanism.go
index 9a32a4364..961246147 100644
--- a/vendor/github.com/containers/image/v5/signature/mechanism.go
+++ b/vendor/github.com/containers/image/v5/signature/mechanism.go
@@ -13,6 +13,7 @@ import (
// code path, where cryptography is not relevant. For now, continue to
// use this frozen deprecated implementation. When mechanism_openpgp.go
// migrates to another implementation, this should migrate as well.
+ //lint:ignore SA1019 See above
"golang.org/x/crypto/openpgp" //nolint:staticcheck
)
diff --git a/vendor/github.com/containers/image/v5/signature/mechanism_openpgp.go b/vendor/github.com/containers/image/v5/signature/mechanism_openpgp.go
index 7a31425f1..ef4e70e7f 100644
--- a/vendor/github.com/containers/image/v5/signature/mechanism_openpgp.go
+++ b/vendor/github.com/containers/image/v5/signature/mechanism_openpgp.go
@@ -20,6 +20,7 @@ import (
// For this verify-only fallback, we haven't reviewed any of the
// existing alternatives to choose; so, for now, continue to
// use this frozen deprecated implementation.
+ //lint:ignore SA1019 See above
"golang.org/x/crypto/openpgp" //nolint:staticcheck
)
diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go
index 05bb40fb4..c928b87ab 100644
--- a/vendor/github.com/containers/image/v5/version/version.go
+++ b/vendor/github.com/containers/image/v5/version/version.go
@@ -6,12 +6,12 @@ const (
// VersionMajor is for an API incompatible changes
VersionMajor = 5
// VersionMinor is for functionality in a backwards-compatible manner
- VersionMinor = 20
+ VersionMinor = 21
// VersionPatch is for backwards-compatible bug fixes
- VersionPatch = 1
+ VersionPatch = 0
// VersionDev indicates development branch. Releases will be empty string.
- VersionDev = "-dev"
+ VersionDev = ""
)
// Version is the specification version that the package types support.
diff --git a/vendor/github.com/containers/storage/.cirrus.yml b/vendor/github.com/containers/storage/.cirrus.yml
index 726acc3ae..28ad751a7 100644
--- a/vendor/github.com/containers/storage/.cirrus.yml
+++ b/vendor/github.com/containers/storage/.cirrus.yml
@@ -24,10 +24,10 @@ env:
# GCE project where images live
IMAGE_PROJECT: "libpod-218412"
# VM Image built in containers/automation_images
- _BUILT_IMAGE_SUFFIX: "c6431352024203264"
- FEDORA_CACHE_IMAGE_NAME: "fedora-${_BUILT_IMAGE_SUFFIX}"
- PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${_BUILT_IMAGE_SUFFIX}"
- UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${_BUILT_IMAGE_SUFFIX}"
+ IMAGE_SUFFIX: "c4512539143831552"
+ FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
+ PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
+ UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}"
####
#### Command variables to help avoid duplication
@@ -132,7 +132,7 @@ lint_task:
meta_task:
container:
- image: "quay.io/libpod/imgts:${_BUILT_IMAGE_SUFFIX}"
+ image: "quay.io/libpod/imgts:${IMAGE_SUFFIX}"
cpu: 1
memory: 1
diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION
index a1c1503d3..79833f2ce 100644
--- a/vendor/github.com/containers/storage/VERSION
+++ b/vendor/github.com/containers/storage/VERSION
@@ -1 +1 @@
-1.38.2+dev
+1.39.0+dev
diff --git a/vendor/github.com/containers/storage/go.mod b/vendor/github.com/containers/storage/go.mod
index 4da8384af..c44fb5e0e 100644
--- a/vendor/github.com/containers/storage/go.mod
+++ b/vendor/github.com/containers/storage/go.mod
@@ -18,9 +18,9 @@ require (
github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible
github.com/moby/sys/mountinfo v0.6.0
github.com/opencontainers/go-digest v1.0.0
- github.com/opencontainers/runc v1.1.0
+ github.com/opencontainers/runc v1.1.1
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
- github.com/opencontainers/selinux v1.10.0
+ github.com/opencontainers/selinux v1.10.1
github.com/pkg/errors v0.9.1
github.com/sirupsen/logrus v1.8.1
github.com/stretchr/testify v1.7.1
diff --git a/vendor/github.com/containers/storage/go.sum b/vendor/github.com/containers/storage/go.sum
index b995da734..0a17af991 100644
--- a/vendor/github.com/containers/storage/go.sum
+++ b/vendor/github.com/containers/storage/go.sum
@@ -520,8 +520,8 @@ github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h
github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0=
github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
-github.com/opencontainers/runc v1.1.0 h1:O9+X96OcDjkmmZyfaG996kV7yq8HsoU2h1XRRQcefG8=
-github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
+github.com/opencontainers/runc v1.1.1 h1:PJ9DSs2sVwE0iVr++pAHE6QkS9tzcVWozlPifdwMgrU=
+github.com/opencontainers/runc v1.1.1/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
@@ -533,8 +533,9 @@ github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mo
github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE=
github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
-github.com/opencontainers/selinux v1.10.0 h1:rAiKF8hTcgLI3w0DHm6i0ylVVcOrlgR1kK99DRLDhyU=
github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
+github.com/opencontainers/selinux v1.10.1 h1:09LIPVRP3uuZGQvgR+SgMSNBd1Eb3vlRbGqQpoHsF8w=
+github.com/opencontainers/selinux v1.10.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
diff --git a/vendor/github.com/containers/storage/pkg/idtools/idtools.go b/vendor/github.com/containers/storage/pkg/idtools/idtools.go
index a19ba288b..7c8f4d10c 100644
--- a/vendor/github.com/containers/storage/pkg/idtools/idtools.go
+++ b/vendor/github.com/containers/storage/pkg/idtools/idtools.go
@@ -190,7 +190,6 @@ func (i *IDMappings) RootPair() IDPair {
}
// ToHost returns the host UID and GID for the container uid, gid.
-// Remapping is only performed if the ids aren't already the remapped root ids
func (i *IDMappings) ToHost(pair IDPair) (IDPair, error) {
var err error
var target IDPair
diff --git a/vendor/github.com/containers/storage/pkg/unshare/unshare_linux.go b/vendor/github.com/containers/storage/pkg/unshare/unshare_linux.go
index 0d226e183..c352efce0 100644
--- a/vendor/github.com/containers/storage/pkg/unshare/unshare_linux.go
+++ b/vendor/github.com/containers/storage/pkg/unshare/unshare_linux.go
@@ -9,6 +9,7 @@ import (
"io"
"os"
"os/exec"
+ "os/signal"
"os/user"
"runtime"
"strconv"
@@ -484,6 +485,30 @@ func MaybeReexecUsingUserNamespace(evenForRoot bool) {
// Finish up.
logrus.Debugf("Running %+v with environment %+v, UID map %+v, and GID map %+v", cmd.Cmd.Args, os.Environ(), cmd.UidMappings, cmd.GidMappings)
+
+ // Forward SIGHUP, SIGINT, and SIGTERM to our child process.
+ interrupted := make(chan os.Signal, 100)
+ defer func() {
+ signal.Stop(interrupted)
+ close(interrupted)
+ }()
+ cmd.Hook = func(int) error {
+ go func() {
+ for receivedSignal := range interrupted {
+ cmd.Cmd.Process.Signal(receivedSignal)
+ }
+ }()
+ return nil
+ }
+ signal.Notify(interrupted, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
+
+ // Make sure our child process gets SIGKILLed if we exit, for whatever
+ // reason, before it does.
+ if cmd.Cmd.SysProcAttr == nil {
+ cmd.Cmd.SysProcAttr = &syscall.SysProcAttr{}
+ }
+ cmd.Cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
+
ExecRunnable(cmd, nil)
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
index 13ebf52ab..b32af4ee5 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
@@ -55,12 +55,12 @@ func IsCgroup2HybridMode() bool {
var st unix.Statfs_t
err := unix.Statfs(hybridMountpoint, &st)
if err != nil {
- if os.IsNotExist(err) {
- // ignore the "not found" error
- isHybrid = false
- return
+ isHybrid = false
+ if !os.IsNotExist(err) {
+ // Report unexpected errors.
+ logrus.WithError(err).Debugf("statfs(%q) failed", hybridMountpoint)
}
- panic(fmt.Sprintf("cannot statfs cgroup root: %s", err))
+ return
}
isHybrid = st.Type == unix.CGROUP2_SUPER_MAGIC
})
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go b/vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go
index 897ecbac4..feb739d32 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go
@@ -12,7 +12,7 @@ import (
func rchcon(fpath, label string) error {
return pwalkdir.Walk(fpath, func(p string, _ fs.DirEntry, _ error) error {
- e := setFileLabel(p, label)
+ e := lSetFileLabel(p, label)
// Walk a file tree can race with removal, so ignore ENOENT.
if errors.Is(e, os.ErrNotExist) {
return nil
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/rchcon_go115.go b/vendor/github.com/opencontainers/selinux/go-selinux/rchcon_go115.go
index 2c8b033ce..ecc7abfac 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/rchcon_go115.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/rchcon_go115.go
@@ -11,7 +11,7 @@ import (
func rchcon(fpath, label string) error {
return pwalk.Walk(fpath, func(p string, _ os.FileInfo, _ error) error {
- e := setFileLabel(p, label)
+ e := lSetFileLabel(p, label)
// Walk a file tree can race with removal, so ignore ENOENT.
if errors.Is(e, os.ErrNotExist) {
return nil
diff --git a/vendor/github.com/openshift/imagebuilder/builder.go b/vendor/github.com/openshift/imagebuilder/builder.go
index b0e9d4f51..71dc41ea5 100644
--- a/vendor/github.com/openshift/imagebuilder/builder.go
+++ b/vendor/github.com/openshift/imagebuilder/builder.go
@@ -44,6 +44,7 @@ type Run struct {
type Executor interface {
Preserve(path string) error
EnsureContainerPath(path string) error
+ EnsureContainerPathAs(path, user string, mode *os.FileMode) error
Copy(excludes []string, copies ...Copy) error
Run(run Run, config docker.Config) error
UnrecognizedInstruction(step *Step) error
@@ -61,6 +62,15 @@ func (logExecutor) EnsureContainerPath(path string) error {
return nil
}
+func (logExecutor) EnsureContainerPathAs(path, user string, mode *os.FileMode) error {
+ if mode != nil {
+ log.Printf("ENSURE %s AS %q with MODE=%q", path, user, *mode)
+ } else {
+ log.Printf("ENSURE %s AS %q", path, user)
+ }
+ return nil
+}
+
func (logExecutor) Copy(excludes []string, copies ...Copy) error {
for _, c := range copies {
log.Printf("COPY %v -> %s (from:%s download:%t), chown: %s, chmod %s", c.Src, c.Dest, c.From, c.Download, c.Chown, c.Chmod)
@@ -88,6 +98,10 @@ func (noopExecutor) EnsureContainerPath(path string) error {
return nil
}
+func (noopExecutor) EnsureContainerPathAs(path, user string, mode *os.FileMode) error {
+ return nil
+}
+
func (noopExecutor) Copy(excludes []string, copies ...Copy) error {
return nil
}
@@ -378,7 +392,7 @@ func (b *Builder) Run(step *Step, exec Executor, noRunsRemaining bool) error {
}
if len(b.RunConfig.WorkingDir) > 0 {
- if err := exec.EnsureContainerPath(b.RunConfig.WorkingDir); err != nil {
+ if err := exec.EnsureContainerPathAs(b.RunConfig.WorkingDir, b.RunConfig.User, nil); err != nil {
return err
}
}
diff --git a/vendor/github.com/openshift/imagebuilder/imagebuilder.spec b/vendor/github.com/openshift/imagebuilder/imagebuilder.spec
index 79d16ec39..6a88a4fc4 100644
--- a/vendor/github.com/openshift/imagebuilder/imagebuilder.spec
+++ b/vendor/github.com/openshift/imagebuilder/imagebuilder.spec
@@ -12,7 +12,7 @@
#
%global golang_version 1.8.1
-%{!?version: %global version 1.2.2-dev}
+%{!?version: %global version 1.2.3}
%{!?release: %global release 1}
%global package_name imagebuilder
%global product_name Container Image Builder
diff --git a/vendor/modules.txt b/vendor/modules.txt
index f701b1bb4..30395f7e5 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -63,7 +63,7 @@ github.com/container-orchestrated-devices/container-device-interface/pkg/cdi
github.com/container-orchestrated-devices/container-device-interface/specs-go
# github.com/containerd/cgroups v1.0.3
github.com/containerd/cgroups/stats/v1
-# github.com/containerd/containerd v1.6.1
+# github.com/containerd/containerd v1.6.2
github.com/containerd/containerd/errdefs
github.com/containerd/containerd/log
github.com/containerd/containerd/pkg/userns
@@ -87,7 +87,7 @@ github.com/containernetworking/cni/pkg/version
# github.com/containernetworking/plugins v1.1.1
## explicit
github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.24.3-0.20220310160415-5ec70bf01ea5
+# github.com/containers/buildah v1.25.2-0.20220406205807-5b8e79118057
## explicit
github.com/containers/buildah
github.com/containers/buildah/bind
@@ -109,7 +109,7 @@ github.com/containers/buildah/pkg/rusage
github.com/containers/buildah/pkg/sshagent
github.com/containers/buildah/pkg/util
github.com/containers/buildah/util
-# github.com/containers/common v0.47.5-0.20220323125147-7dc6e944d625
+# github.com/containers/common v0.47.5-0.20220405040919-5d3a1effbf99
## explicit
github.com/containers/common/libimage
github.com/containers/common/libimage/manifests
@@ -153,7 +153,7 @@ github.com/containers/common/version
# github.com/containers/conmon v2.0.20+incompatible
## explicit
github.com/containers/conmon/runner/config
-# github.com/containers/image/v5 v5.20.1-0.20220310094651-0d8056ee346f
+# github.com/containers/image/v5 v5.21.0
## explicit
github.com/containers/image/v5/copy
github.com/containers/image/v5/directory
@@ -233,7 +233,7 @@ github.com/containers/psgo/internal/dev
github.com/containers/psgo/internal/host
github.com/containers/psgo/internal/proc
github.com/containers/psgo/internal/process
-# github.com/containers/storage v1.38.3-0.20220321121613-8e565392dd91
+# github.com/containers/storage v1.39.1-0.20220330193934-f3200eb5a5d9
## explicit
github.com/containers/storage
github.com/containers/storage/drivers
@@ -532,7 +532,7 @@ github.com/onsi/ginkgo/reporters/stenographer
github.com/onsi/ginkgo/reporters/stenographer/support/go-colorable
github.com/onsi/ginkgo/reporters/stenographer/support/go-isatty
github.com/onsi/ginkgo/types
-# github.com/onsi/gomega v1.18.1 => github.com/onsi/gomega v1.16.0
+# github.com/onsi/gomega v1.19.0 => github.com/onsi/gomega v1.16.0
## explicit
github.com/onsi/gomega
github.com/onsi/gomega/format
@@ -554,7 +554,7 @@ github.com/opencontainers/go-digest
## explicit
github.com/opencontainers/image-spec/specs-go
github.com/opencontainers/image-spec/specs-go/v1
-# github.com/opencontainers/runc v1.1.0
+# github.com/opencontainers/runc v1.1.1
## explicit
github.com/opencontainers/runc/libcontainer/apparmor
github.com/opencontainers/runc/libcontainer/cgroups
@@ -574,13 +574,13 @@ github.com/opencontainers/runtime-tools/generate
github.com/opencontainers/runtime-tools/generate/seccomp
github.com/opencontainers/runtime-tools/specerror
github.com/opencontainers/runtime-tools/validate
-# github.com/opencontainers/selinux v1.10.0
+# github.com/opencontainers/selinux v1.10.1
## explicit
github.com/opencontainers/selinux/go-selinux
github.com/opencontainers/selinux/go-selinux/label
github.com/opencontainers/selinux/pkg/pwalk
github.com/opencontainers/selinux/pkg/pwalkdir
-# github.com/openshift/imagebuilder v1.2.2
+# github.com/openshift/imagebuilder v1.2.3
github.com/openshift/imagebuilder
github.com/openshift/imagebuilder/dockerfile/command
github.com/openshift/imagebuilder/dockerfile/parser
@@ -598,7 +598,6 @@ github.com/pmezard/go-difflib/difflib
# github.com/proglottis/gpgme v0.1.1
github.com/proglottis/gpgme
# github.com/prometheus/client_golang v1.11.1
-## explicit
github.com/prometheus/client_golang/prometheus
github.com/prometheus/client_golang/prometheus/internal
github.com/prometheus/client_golang/prometheus/promhttp
@@ -646,7 +645,7 @@ github.com/stefanberger/go-pkcs11uri
## explicit
github.com/stretchr/testify/assert
github.com/stretchr/testify/require
-# github.com/sylabs/sif/v2 v2.4.0
+# github.com/sylabs/sif/v2 v2.4.2
github.com/sylabs/sif/v2/pkg/sif
# github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
## explicit