summaryrefslogtreecommitdiff
path: root/vendor
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2018-10-07 08:27:00 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2018-10-07 08:29:23 -0400
commit3a76772bb1d93aa42e5f0ab58f8abf705e1e90ca (patch)
treeb311ff0b423e85e80059be00654fa32ada881987 /vendor
parent141a1327fbb2d6e476d959ba9a23d01e1200a9fc (diff)
downloadpodman-3a76772bb1d93aa42e5f0ab58f8abf705e1e90ca.tar.gz
podman-3a76772bb1d93aa42e5f0ab58f8abf705e1e90ca.tar.bz2
podman-3a76772bb1d93aa42e5f0ab58f8abf705e1e90ca.zip
Vendor in latest github.com/containers/storage,image, buildah
Grab latest fixes from subpackages Including fixes for usernamespace chowning retaining file attributes Better logging of error messages. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'vendor')
-rw-r--r--vendor/github.com/containers/buildah/README.md2
-rw-r--r--vendor/github.com/containers/buildah/buildah.go2
-rw-r--r--vendor/github.com/containers/buildah/chroot/run.go89
-rw-r--r--vendor/github.com/containers/buildah/commit.go22
-rw-r--r--vendor/github.com/containers/buildah/common.go33
-rw-r--r--vendor/github.com/containers/buildah/imagebuildah/build.go7
-rw-r--r--vendor/github.com/containers/buildah/new.go34
-rw-r--r--vendor/github.com/containers/buildah/pkg/cli/common.go10
-rw-r--r--vendor/github.com/containers/buildah/pkg/parse/parse.go2
-rw-r--r--vendor/github.com/containers/buildah/pull.go10
-rw-r--r--vendor/github.com/containers/buildah/unshare/unshare.c21
-rw-r--r--vendor/github.com/containers/buildah/unshare/unshare.go8
-rw-r--r--vendor/github.com/containers/buildah/util.go101
-rw-r--r--vendor/github.com/containers/buildah/vendor.conf4
-rw-r--r--vendor/github.com/containers/image/docker/docker_client.go4
-rw-r--r--vendor/github.com/containers/image/pkg/tlsclientconfig/tlsclientconfig.go18
-rw-r--r--vendor/github.com/containers/storage/drivers/chown_unix.go12
17 files changed, 286 insertions, 93 deletions
diff --git a/vendor/github.com/containers/buildah/README.md b/vendor/github.com/containers/buildah/README.md
index fa4a58fd9..6a79e524b 100644
--- a/vendor/github.com/containers/buildah/README.md
+++ b/vendor/github.com/containers/buildah/README.md
@@ -17,6 +17,8 @@ The Buildah package provides a command line tool that can be used to
## Buildah Information for Developers
+For blogs, release announcements and more, please checkout the [buildah.io](https://buildah.io) website!
+
**[Buildah Demos](demos)**
**[Changelog](CHANGELOG.md)**
diff --git a/vendor/github.com/containers/buildah/buildah.go b/vendor/github.com/containers/buildah/buildah.go
index 7891810a2..79704d7b1 100644
--- a/vendor/github.com/containers/buildah/buildah.go
+++ b/vendor/github.com/containers/buildah/buildah.go
@@ -24,7 +24,7 @@ const (
Package = "buildah"
// Version for the Package. Bump version in contrib/rpm/buildah.spec
// too.
- Version = "1.4-dev"
+ Version = "1.5-dev"
// The value we use to identify what type of information, currently a
// serialized Builder structure, we are using as per-container state.
// This should only be changed when we make incompatible changes to
diff --git a/vendor/github.com/containers/buildah/chroot/run.go b/vendor/github.com/containers/buildah/chroot/run.go
index 58b7a883c..51e2d2bd4 100644
--- a/vendor/github.com/containers/buildah/chroot/run.go
+++ b/vendor/github.com/containers/buildah/chroot/run.go
@@ -100,18 +100,6 @@ func RunUsingChroot(spec *specs.Spec, bundlePath string, stdin io.Reader, stdout
}
logrus.Debugf("config = %v", string(specbytes))
- // Run the grandparent subprocess in a user namespace that reuses the mappings that we have.
- uidmap, gidmap, err := util.GetHostIDMappings("")
- if err != nil {
- return err
- }
- for i := range uidmap {
- uidmap[i].HostID = uidmap[i].ContainerID
- }
- for i := range gidmap {
- gidmap[i].HostID = gidmap[i].ContainerID
- }
-
// Default to using stdin/stdout/stderr if we weren't passed objects to use.
if stdin == nil {
stdin = os.Stdin
@@ -162,10 +150,6 @@ func RunUsingChroot(spec *specs.Spec, bundlePath string, stdin io.Reader, stdout
cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
cmd.Dir = "/"
cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...)
- cmd.UnshareFlags = syscall.CLONE_NEWUSER
- cmd.UidMappings = uidmap
- cmd.GidMappings = gidmap
- cmd.GidMappingsEnableSetgroups = true
logrus.Debugf("Running %#v in %#v", cmd.Cmd, cmd)
confwg.Add(1)
@@ -568,10 +552,19 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
cmd.Dir = "/"
cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...)
- cmd.UnshareFlags = syscall.CLONE_NEWUSER | syscall.CLONE_NEWUTS | syscall.CLONE_NEWNS
- cmd.UidMappings = uidmap
- cmd.GidMappings = gidmap
- cmd.GidMappingsEnableSetgroups = true
+ cmd.UnshareFlags = syscall.CLONE_NEWUTS | syscall.CLONE_NEWNS
+ requestedUserNS := false
+ for _, ns := range spec.Linux.Namespaces {
+ if ns.Type == specs.LinuxNamespaceType(specs.UserNamespace) {
+ requestedUserNS = true
+ }
+ }
+ if len(spec.Linux.UIDMappings) > 0 || len(spec.Linux.GIDMappings) > 0 || requestedUserNS {
+ cmd.UnshareFlags = cmd.UnshareFlags | syscall.CLONE_NEWUSER
+ cmd.UidMappings = uidmap
+ cmd.GidMappings = gidmap
+ cmd.GidMappingsEnableSetgroups = true
+ }
if ctty != nil {
cmd.Setsid = true
cmd.Ctty = ctty
@@ -697,15 +690,7 @@ func runUsingChrootExecMain() {
fmt.Fprintf(os.Stderr, "error setting SELinux label for process: %v\n", err)
os.Exit(1)
}
- logrus.Debugf("setting capabilities")
- if err := setCapabilities(options.Spec); err != nil {
- fmt.Fprintf(os.Stderr, "error setting capabilities for process %v\n", err)
- os.Exit(1)
- }
- if err = setSeccomp(options.Spec); err != nil {
- fmt.Fprintf(os.Stderr, "error setting seccomp filter for process: %v\n", err)
- os.Exit(1)
- }
+
logrus.Debugf("setting resource limits")
if err = setRlimits(options.Spec, false, false); err != nil {
fmt.Fprintf(os.Stderr, "error setting process resource limits for process: %v\n", err)
@@ -747,11 +732,28 @@ func runUsingChrootExecMain() {
os.Exit(1)
}
}
+
logrus.Debugf("setting gid")
if err = syscall.Setresgid(int(user.GID), int(user.GID), int(user.GID)); err != nil {
fmt.Fprintf(os.Stderr, "error setting GID: %v", err)
os.Exit(1)
}
+
+ if err = setSeccomp(options.Spec); err != nil {
+ fmt.Fprintf(os.Stderr, "error setting seccomp filter for process: %v\n", err)
+ os.Exit(1)
+ }
+
+ logrus.Debugf("setting capabilities")
+ var keepCaps []string
+ if user.UID != 0 {
+ keepCaps = []string{"CAP_SETUID"}
+ }
+ if err := setCapabilities(options.Spec, keepCaps...); err != nil {
+ fmt.Fprintf(os.Stderr, "error setting capabilities for process: %v\n", err)
+ os.Exit(1)
+ }
+
logrus.Debugf("setting uid")
if err = syscall.Setresuid(int(user.UID), int(user.UID), int(user.UID)); err != nil {
fmt.Fprintf(os.Stderr, "error setting UID: %v", err)
@@ -855,7 +857,11 @@ func setApparmorProfile(spec *specs.Spec) error {
}
// setCapabilities sets capabilities for ourselves, to be more or less inherited by any processes that we'll start.
-func setCapabilities(spec *specs.Spec) error {
+func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
+ currentCaps, err := capability.NewPid(0)
+ if err != nil {
+ return errors.Wrapf(err, "error reading capabilities of current process")
+ }
caps, err := capability.NewPid(0)
if err != nil {
return errors.Wrapf(err, "error reading capabilities of current process")
@@ -868,8 +874,8 @@ func setCapabilities(spec *specs.Spec) error {
capability.AMBIENT: spec.Process.Capabilities.Ambient,
}
knownCaps := capability.List()
+ caps.Clear(capability.CAPS | capability.BOUNDS | capability.AMBS)
for capType, capList := range capMap {
- caps.Clear(capType)
for _, capToSet := range capList {
cap := capability.CAP_LAST_CAP
for _, c := range knownCaps {
@@ -883,12 +889,25 @@ func setCapabilities(spec *specs.Spec) error {
}
caps.Set(capType, cap)
}
- }
- for capType := range capMap {
- if err = caps.Apply(capType); err != nil {
- return errors.Wrapf(err, "error setting %s capabilities to %#v", capType.String(), capMap[capType])
+ for _, capToSet := range keepCaps {
+ cap := capability.CAP_LAST_CAP
+ for _, c := range knownCaps {
+ if strings.EqualFold("CAP_"+c.String(), capToSet) {
+ cap = c
+ break
+ }
+ }
+ if cap == capability.CAP_LAST_CAP {
+ return errors.Errorf("error mapping capability %q to a number", capToSet)
+ }
+ if currentCaps.Get(capType, cap) {
+ caps.Set(capType, cap)
+ }
}
}
+ if err = caps.Apply(capability.CAPS | capability.BOUNDS | capability.AMBS); err != nil {
+ return errors.Wrapf(err, "error setting capabilities")
+ }
return nil
}
diff --git a/vendor/github.com/containers/buildah/commit.go b/vendor/github.com/containers/buildah/commit.go
index f89930399..c07a5881b 100644
--- a/vendor/github.com/containers/buildah/commit.go
+++ b/vendor/github.com/containers/buildah/commit.go
@@ -92,6 +92,15 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
var imgID string
systemContext := getSystemContext(options.SystemContext, options.SignaturePolicyPath)
+
+ blocked, err := isReferenceBlocked(dest, systemContext)
+ if err != nil {
+ return "", errors.Wrapf(err, "error checking if committing to registry for %q is blocked", transports.ImageName(dest))
+ }
+ if blocked {
+ return "", errors.Errorf("commit access to registry for %q is blocked by configuration", transports.ImageName(dest))
+ }
+
policy, err := signature.DefaultPolicy(systemContext)
if err != nil {
return imgID, errors.Wrapf(err, "error obtaining default signature policy")
@@ -120,7 +129,7 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
return imgID, errors.Wrapf(err, "error computing layer digests and building metadata")
}
// "Copy" our image to where it needs to be.
- err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, nil, systemContext, ""))
+ err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, src, nil, dest, systemContext, ""))
if err != nil {
return imgID, errors.Wrapf(err, "error copying layers and metadata")
}
@@ -162,6 +171,15 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
// Push copies the contents of the image to a new location.
func Push(ctx context.Context, image string, dest types.ImageReference, options PushOptions) error {
systemContext := getSystemContext(options.SystemContext, options.SignaturePolicyPath)
+
+ blocked, err := isReferenceBlocked(dest, systemContext)
+ if err != nil {
+ return errors.Wrapf(err, "error checking if pushing to registry for %q is blocked", transports.ImageName(dest))
+ }
+ if blocked {
+ return errors.Errorf("push access to registry for %q is blocked by configuration", transports.ImageName(dest))
+ }
+
policy, err := signature.DefaultPolicy(systemContext)
if err != nil {
return errors.Wrapf(err, "error obtaining default signature policy")
@@ -176,7 +194,7 @@ func Push(ctx context.Context, image string, dest types.ImageReference, options
return err
}
// Copy everything.
- err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, nil, systemContext, options.ManifestType))
+ err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, src, nil, dest, systemContext, options.ManifestType))
if err != nil {
return errors.Wrapf(err, "error copying layers and metadata")
}
diff --git a/vendor/github.com/containers/buildah/common.go b/vendor/github.com/containers/buildah/common.go
index dcf922dc9..56a901925 100644
--- a/vendor/github.com/containers/buildah/common.go
+++ b/vendor/github.com/containers/buildah/common.go
@@ -3,7 +3,10 @@ package buildah
import (
"io"
+ "github.com/sirupsen/logrus"
+
cp "github.com/containers/image/copy"
+ "github.com/containers/image/transports"
"github.com/containers/image/types"
)
@@ -14,11 +17,35 @@ const (
DOCKER = "docker"
)
-func getCopyOptions(reportWriter io.Writer, sourceSystemContext *types.SystemContext, destinationSystemContext *types.SystemContext, manifestType string) *cp.Options {
+func getCopyOptions(reportWriter io.Writer, sourceReference types.ImageReference, sourceSystemContext *types.SystemContext, destinationReference types.ImageReference, destinationSystemContext *types.SystemContext, manifestType string) *cp.Options {
+ sourceCtx := &types.SystemContext{}
+ if sourceSystemContext != nil {
+ *sourceCtx = *sourceSystemContext
+ }
+ sourceInsecure, err := isReferenceInsecure(sourceReference, sourceCtx)
+ if err != nil {
+ logrus.Debugf("error determining if registry for %q is insecure: %v", transports.ImageName(sourceReference), err)
+ } else if sourceInsecure {
+ sourceCtx.DockerInsecureSkipTLSVerify = true
+ sourceCtx.OCIInsecureSkipTLSVerify = true
+ }
+
+ destinationCtx := &types.SystemContext{}
+ if destinationSystemContext != nil {
+ *destinationCtx = *destinationSystemContext
+ }
+ destinationInsecure, err := isReferenceInsecure(destinationReference, destinationCtx)
+ if err != nil {
+ logrus.Debugf("error determining if registry for %q is insecure: %v", transports.ImageName(destinationReference), err)
+ } else if destinationInsecure {
+ destinationCtx.DockerInsecureSkipTLSVerify = true
+ destinationCtx.OCIInsecureSkipTLSVerify = true
+ }
+
return &cp.Options{
ReportWriter: reportWriter,
- SourceCtx: sourceSystemContext,
- DestinationCtx: destinationSystemContext,
+ SourceCtx: sourceCtx,
+ DestinationCtx: destinationCtx,
ForceManifestMIMEType: manifestType,
}
}
diff --git a/vendor/github.com/containers/buildah/imagebuildah/build.go b/vendor/github.com/containers/buildah/imagebuildah/build.go
index 9b4c6f635..727e41c38 100644
--- a/vendor/github.com/containers/buildah/imagebuildah/build.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/build.go
@@ -325,6 +325,9 @@ func (b *Executor) Preserve(path string) error {
archivedPath := filepath.Join(b.mountPoint, cachedPath)
logrus.Debugf("no longer need cache of %q in %q", archivedPath, b.volumeCache[cachedPath])
if err := os.Remove(b.volumeCache[cachedPath]); err != nil {
+ if os.IsNotExist(err) {
+ continue
+ }
return errors.Wrapf(err, "error removing %q", b.volumeCache[cachedPath])
}
delete(b.volumeCache, cachedPath)
@@ -343,6 +346,9 @@ func (b *Executor) volumeCacheInvalidate(path string) error {
}
for _, cachedPath := range invalidated {
if err := os.Remove(b.volumeCache[cachedPath]); err != nil {
+ if os.IsNotExist(err) {
+ continue
+ }
return errors.Wrapf(err, "error removing volume cache %q", b.volumeCache[cachedPath])
}
archivedPath := filepath.Join(b.mountPoint, cachedPath)
@@ -1125,6 +1131,7 @@ func (b *Executor) Commit(ctx context.Context, ib *imagebuilder.Builder, created
AdditionalTags: b.additionalTags,
ReportWriter: writer,
PreferredManifestType: b.outputFormat,
+ SystemContext: b.systemContext,
IIDFile: b.iidfile,
Squash: b.squash,
Parent: b.builder.FromImageID,
diff --git a/vendor/github.com/containers/buildah/new.go b/vendor/github.com/containers/buildah/new.go
index b0b655da9..3b94459e7 100644
--- a/vendor/github.com/containers/buildah/new.go
+++ b/vendor/github.com/containers/buildah/new.go
@@ -3,7 +3,6 @@ package buildah
import (
"context"
"fmt"
- "os"
"strings"
"github.com/containers/buildah/util"
@@ -14,7 +13,6 @@ import (
"github.com/containers/image/types"
"github.com/containers/storage"
multierror "github.com/hashicorp/go-multierror"
- "github.com/opencontainers/selinux/go-selinux"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/openshift/imagebuilder"
"github.com/pkg/errors"
@@ -36,36 +34,6 @@ const (
minimumTruncatedIDLength = 3
)
-func reserveSELinuxLabels(store storage.Store, id string) error {
- if selinux.GetEnabled() {
- containers, err := store.Containers()
- if err != nil {
- return err
- }
-
- for _, c := range containers {
- if id == c.ID {
- continue
- } else {
- b, err := OpenBuilder(store, c.ID)
- if err != nil {
- if os.IsNotExist(err) {
- // Ignore not exist errors since containers probably created by other tool
- // TODO, we need to read other containers json data to reserve their SELinux labels
- continue
- }
- return err
- }
- // Prevent different containers from using same MCS label
- if err := label.ReserveLabel(b.ProcessLabel); err != nil {
- return err
- }
- }
- }
- }
- return nil
-}
-
func pullAndFindImage(ctx context.Context, store storage.Store, imageName string, options BuilderOptions, sc *types.SystemContext) (*storage.Image, types.ImageReference, error) {
pullOptions := PullOptions{
ReportWriter: options.ReportWriter,
@@ -303,7 +271,7 @@ func newBuilder(ctx context.Context, store storage.Store, options BuilderOptions
}
}()
- if err = reserveSELinuxLabels(store, container.ID); err != nil {
+ if err = ReserveSELinuxLabels(store, container.ID); err != nil {
return nil, err
}
processLabel, mountLabel, err := label.InitLabels(options.CommonBuildOpts.LabelOpts)
diff --git a/vendor/github.com/containers/buildah/pkg/cli/common.go b/vendor/github.com/containers/buildah/pkg/cli/common.go
index 94b92e1eb..b54663f5d 100644
--- a/vendor/github.com/containers/buildah/pkg/cli/common.go
+++ b/vendor/github.com/containers/buildah/pkg/cli/common.go
@@ -128,11 +128,6 @@ var (
Name: "iidfile",
Usage: "`file` to write the image ID to",
},
- cli.StringFlag{
- Name: "isolation",
- Usage: "`type` of process isolation to use. Use BUILDAH_ISOLATION environment variable to override.",
- Value: DefaultIsolation(),
- },
cli.StringSliceFlag{
Name: "label",
Usage: "Set metadata for an image (default [])",
@@ -230,6 +225,11 @@ var (
Usage: "memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.",
},
cli.StringFlag{
+ Name: "isolation",
+ Usage: "`type` of process isolation to use. Use BUILDAH_ISOLATION environment variable to override.",
+ Value: DefaultIsolation(),
+ },
+ cli.StringFlag{
Name: "memory, m",
Usage: "memory limit (format: <number>[<unit>], where unit = b, k, m or g)",
},
diff --git a/vendor/github.com/containers/buildah/pkg/parse/parse.go b/vendor/github.com/containers/buildah/pkg/parse/parse.go
index d206508b4..1f13cfdee 100644
--- a/vendor/github.com/containers/buildah/pkg/parse/parse.go
+++ b/vendor/github.com/containers/buildah/pkg/parse/parse.go
@@ -283,6 +283,8 @@ func SystemContextFromOptions(c *cli.Context) (*types.SystemContext, error) {
}
if c.IsSet("tls-verify") {
ctx.DockerInsecureSkipTLSVerify = !c.BoolT("tls-verify")
+ ctx.OCIInsecureSkipTLSVerify = !c.BoolT("tls-verify")
+ ctx.DockerDaemonInsecureSkipTLSVerify = !c.BoolT("tls-verify")
}
if c.IsSet("creds") {
var err error
diff --git a/vendor/github.com/containers/buildah/pull.go b/vendor/github.com/containers/buildah/pull.go
index c2fc6637f..b7a106b2f 100644
--- a/vendor/github.com/containers/buildah/pull.go
+++ b/vendor/github.com/containers/buildah/pull.go
@@ -160,6 +160,14 @@ func pullImage(ctx context.Context, store storage.Store, imageName string, optio
srcRef = srcRef2
}
+ blocked, err := isReferenceBlocked(srcRef, sc)
+ if err != nil {
+ return nil, errors.Wrapf(err, "error checking if pulling from registry for %q is blocked", transports.ImageName(srcRef))
+ }
+ if blocked {
+ return nil, errors.Errorf("pull access to registry for %q is blocked by configuration", transports.ImageName(srcRef))
+ }
+
destName, err := localImageNameForReference(ctx, store, srcRef, spec)
if err != nil {
return nil, errors.Wrapf(err, "error computing local image name for %q", transports.ImageName(srcRef))
@@ -190,7 +198,7 @@ func pullImage(ctx context.Context, store storage.Store, imageName string, optio
}()
logrus.Debugf("copying %q to %q", spec, destName)
- pullError := cp.Image(ctx, policyContext, destRef, srcRef, getCopyOptions(options.ReportWriter, sc, nil, ""))
+ pullError := cp.Image(ctx, policyContext, destRef, srcRef, getCopyOptions(options.ReportWriter, srcRef, sc, destRef, nil, ""))
if pullError == nil {
return destRef, nil
}
diff --git a/vendor/github.com/containers/buildah/unshare/unshare.c b/vendor/github.com/containers/buildah/unshare/unshare.c
index 47d775c73..ae4185ea4 100644
--- a/vendor/github.com/containers/buildah/unshare/unshare.c
+++ b/vendor/github.com/containers/buildah/unshare/unshare.c
@@ -11,6 +11,8 @@
#include <termios.h>
#include <unistd.h>
+const char *_max_user_namespaces = "/proc/sys/user/max_user_namespaces";
+
static int _buildah_unshare_parse_envint(const char *envname) {
char *p, *q;
long l;
@@ -31,7 +33,10 @@ static int _buildah_unshare_parse_envint(const char *envname) {
void _buildah_unshare(void)
{
+ FILE *fp;
int flags, pidfd, continuefd, n, pgrp, sid, ctty;
+ long max_userns;
+ size_t n_read;
char buf[2048];
flags = _buildah_unshare_parse_envint("_Buildah-unshare");
@@ -41,6 +46,22 @@ void _buildah_unshare(void)
if ((flags & CLONE_NEWUSER) != 0) {
if (unshare(CLONE_NEWUSER) == -1) {
fprintf(stderr, "Error during unshare(CLONE_NEWUSER): %m\n");
+ fp = fopen(_max_user_namespaces, "r");
+ if (fp != NULL) {
+ memset(buf, 0, sizeof(buf));
+ n_read = fread(buf, 1, sizeof(buf) - 1, fp);
+ if (n_read > 0) {
+ max_userns = atoi(buf);
+ if (max_userns == 0) {
+ fprintf(stderr, "User namespaces are not enabled in %s.\n", _max_user_namespaces);
+ }
+ } else {
+ fprintf(stderr, "Error reading %s: no contents, should contain a number greater than 0.\n", _max_user_namespaces);
+ }
+ fclose(fp);
+ } else {
+ fprintf(stderr, "Error reading %s: %m\n", _max_user_namespaces);
+ }
_exit(1);
}
}
diff --git a/vendor/github.com/containers/buildah/unshare/unshare.go b/vendor/github.com/containers/buildah/unshare/unshare.go
index 74b107e44..fbe623660 100644
--- a/vendor/github.com/containers/buildah/unshare/unshare.go
+++ b/vendor/github.com/containers/buildah/unshare/unshare.go
@@ -191,8 +191,8 @@ func (c *Cmd) Start() error {
}
defer gidmap.Close()
if _, err := fmt.Fprintf(gidmap, "%s", g.String()); err != nil {
- fmt.Fprintf(continueWrite, "error writing /proc/%s/gid_map: %v", pidString, err)
- return errors.Wrapf(err, "error writing /proc/%s/gid_map", pidString)
+ fmt.Fprintf(continueWrite, "error writing %q to /proc/%s/gid_map: %v", g.String(), pidString, err)
+ return errors.Wrapf(err, "error writing %q to /proc/%s/gid_map", g.String(), pidString)
}
}
}
@@ -222,8 +222,8 @@ func (c *Cmd) Start() error {
}
defer uidmap.Close()
if _, err := fmt.Fprintf(uidmap, "%s", u.String()); err != nil {
- fmt.Fprintf(continueWrite, "error writing /proc/%s/uid_map: %v", pidString, err)
- return errors.Wrapf(err, "error writing /proc/%s/uid_map", pidString)
+ fmt.Fprintf(continueWrite, "error writing %q to /proc/%s/uid_map: %v", u.String(), pidString, err)
+ return errors.Wrapf(err, "error writing %q to /proc/%s/uid_map", u.String(), pidString)
}
}
}
diff --git a/vendor/github.com/containers/buildah/util.go b/vendor/github.com/containers/buildah/util.go
index ef9be87fb..7bb651bd2 100644
--- a/vendor/github.com/containers/buildah/util.go
+++ b/vendor/github.com/containers/buildah/util.go
@@ -7,14 +7,19 @@ import (
"sync"
"github.com/containers/image/docker/reference"
+ "github.com/containers/image/pkg/sysregistries"
"github.com/containers/image/pkg/sysregistriesv2"
"github.com/containers/image/types"
+ "github.com/containers/storage"
"github.com/containers/storage/pkg/archive"
"github.com/containers/storage/pkg/chrootarchive"
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/reexec"
rspec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux"
+ "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
)
// InitReexec is a wrapper for reexec.Init(). It should be called at
@@ -181,6 +186,70 @@ func getRegistries(sc *types.SystemContext) ([]string, error) {
return searchRegistries, nil
}
+// isRegistryInsecure checks if the named registry is marked as not secure
+func isRegistryInsecure(registry string, sc *types.SystemContext) (bool, error) {
+ registries, err := sysregistriesv2.GetRegistries(sc)
+ if err != nil {
+ return false, errors.Wrapf(err, "unable to parse the registries configuration (%s)", sysregistries.RegistriesConfPath(sc))
+ }
+ if reginfo := sysregistriesv2.FindRegistry(registry, registries); reginfo != nil {
+ if reginfo.Insecure {
+ logrus.Debugf("registry %q is marked insecure in registries configuration %q", registry, sysregistries.RegistriesConfPath(sc))
+ } else {
+ logrus.Debugf("registry %q is not marked insecure in registries configuration %q", registry, sysregistries.RegistriesConfPath(sc))
+ }
+ return reginfo.Insecure, nil
+ }
+ logrus.Debugf("registry %q is not listed in registries configuration %q, assuming it's secure", registry, sysregistries.RegistriesConfPath(sc))
+ return false, nil
+}
+
+// isRegistryBlocked checks if the named registry is marked as blocked
+func isRegistryBlocked(registry string, sc *types.SystemContext) (bool, error) {
+ registries, err := sysregistriesv2.GetRegistries(sc)
+ if err != nil {
+ return false, errors.Wrapf(err, "unable to parse the registries configuration (%s)", sysregistries.RegistriesConfPath(sc))
+ }
+ if reginfo := sysregistriesv2.FindRegistry(registry, registries); reginfo != nil {
+ if reginfo.Blocked {
+ logrus.Debugf("registry %q is marked as blocked in registries configuration %q", registry, sysregistries.RegistriesConfPath(sc))
+ } else {
+ logrus.Debugf("registry %q is not marked as blocked in registries configuration %q", registry, sysregistries.RegistriesConfPath(sc))
+ }
+ return reginfo.Blocked, nil
+ }
+ logrus.Debugf("registry %q is not listed in registries configuration %q, assuming it's not blocked", registry, sysregistries.RegistriesConfPath(sc))
+ return false, nil
+}
+
+// isReferenceSomething checks if the registry part of a reference is insecure or blocked
+func isReferenceSomething(ref types.ImageReference, sc *types.SystemContext, what func(string, *types.SystemContext) (bool, error)) (bool, error) {
+ if ref != nil && ref.DockerReference() != nil {
+ if named, ok := ref.DockerReference().(reference.Named); ok {
+ if domain := reference.Domain(named); domain != "" {
+ return what(domain, sc)
+ }
+ }
+ }
+ return false, nil
+}
+
+// isReferenceInsecure checks if the registry part of a reference is insecure
+func isReferenceInsecure(ref types.ImageReference, sc *types.SystemContext) (bool, error) {
+ return isReferenceSomething(ref, sc, isRegistryInsecure)
+}
+
+// isReferenceBlocked checks if the registry part of a reference is blocked
+func isReferenceBlocked(ref types.ImageReference, sc *types.SystemContext) (bool, error) {
+ if ref != nil && ref.Transport() != nil {
+ switch ref.Transport().Name() {
+ case "docker":
+ return isReferenceSomething(ref, sc, isRegistryBlocked)
+ }
+ }
+ return false, nil
+}
+
// hasRegistry returns a bool/err response if the image has a registry in its
// name
func hasRegistry(imageName string) (bool, error) {
@@ -194,3 +263,35 @@ func hasRegistry(imageName string) (bool, error) {
}
return false, nil
}
+
+// ReserveSELinuxLabels reads containers storage and reserves SELinux containers
+// fall all existing buildah containers
+func ReserveSELinuxLabels(store storage.Store, id string) error {
+ if selinux.GetEnabled() {
+ containers, err := store.Containers()
+ if err != nil {
+ return err
+ }
+
+ for _, c := range containers {
+ if id == c.ID {
+ continue
+ } else {
+ b, err := OpenBuilder(store, c.ID)
+ if err != nil {
+ if os.IsNotExist(err) {
+ // Ignore not exist errors since containers probably created by other tool
+ // TODO, we need to read other containers json data to reserve their SELinux labels
+ continue
+ }
+ return err
+ }
+ // Prevent different containers from using same MCS label
+ if err := label.ReserveLabel(b.ProcessLabel); err != nil {
+ return err
+ }
+ }
+ }
+ }
+ return nil
+}
diff --git a/vendor/github.com/containers/buildah/vendor.conf b/vendor/github.com/containers/buildah/vendor.conf
index 92c3be927..42389e8c6 100644
--- a/vendor/github.com/containers/buildah/vendor.conf
+++ b/vendor/github.com/containers/buildah/vendor.conf
@@ -3,9 +3,9 @@ github.com/blang/semver master
github.com/BurntSushi/toml master
github.com/containerd/continuity master
github.com/containernetworking/cni v0.7.0-alpha1
-github.com/containers/image 8f11f3ad8912d8bc43a7d25992b8f313ffefd430
+github.com/containers/image 5cc7850824afe2b4fb016f8906666b358c50dc31
github.com/containers/libpod 2afadeec6696fefac468a49c8ba24b0bc275aa75
-github.com/containers/storage 68332c059156eae970a03245cfcd4d717fb66ecd
+github.com/containers/storage 41294c85d97bef688e18f710402895dbecde3308
github.com/docker/distribution 5f6282db7d65e6d72ad7c2cc66310724a57be716
github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00
github.com/docker/docker-credential-helpers d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
diff --git a/vendor/github.com/containers/image/docker/docker_client.go b/vendor/github.com/containers/image/docker/docker_client.go
index 4fb10c395..a410279a5 100644
--- a/vendor/github.com/containers/image/docker/docker_client.go
+++ b/vendor/github.com/containers/image/docker/docker_client.go
@@ -516,7 +516,7 @@ func (c *dockerClient) detectProperties(ctx context.Context) error {
url := fmt.Sprintf(resolvedPingV2URL, scheme, c.registry)
resp, err := c.makeRequestToResolvedURL(ctx, "GET", url, nil, nil, -1, noAuth)
if err != nil {
- logrus.Debugf("Ping %s err %#v", url, err)
+ logrus.Debugf("Ping %s err %s (%#v)", url, err.Error(), err)
return err
}
defer resp.Body.Close()
@@ -542,7 +542,7 @@ func (c *dockerClient) detectProperties(ctx context.Context) error {
pingV1 := func(scheme string) bool {
url := fmt.Sprintf(resolvedPingV1URL, scheme, c.registry)
resp, err := c.makeRequestToResolvedURL(ctx, "GET", url, nil, nil, -1, noAuth)
- logrus.Debugf("Ping %s err %#v", url, err)
+ logrus.Debugf("Ping %s err %s (%#v)", url, err.Error(), err)
if err != nil {
return false
}
diff --git a/vendor/github.com/containers/image/pkg/tlsclientconfig/tlsclientconfig.go b/vendor/github.com/containers/image/pkg/tlsclientconfig/tlsclientconfig.go
index 156651173..6785564e8 100644
--- a/vendor/github.com/containers/image/pkg/tlsclientconfig/tlsclientconfig.go
+++ b/vendor/github.com/containers/image/pkg/tlsclientconfig/tlsclientconfig.go
@@ -34,6 +34,19 @@ func SetupCertificates(dir string, tlsc *tls.Config) error {
for _, f := range fs {
fullPath := filepath.Join(dir, f.Name())
if strings.HasSuffix(f.Name(), ".crt") {
+ logrus.Debugf(" crt: %s", fullPath)
+ data, err := ioutil.ReadFile(fullPath)
+ if err != nil {
+ if os.IsNotExist(err) {
+ // Dangling symbolic link?
+ // Race with someone who deleted the
+ // file after we read the directory's
+ // list of contents?
+ logrus.Warnf("error reading certificate %q: %v", fullPath, err)
+ continue
+ }
+ return err
+ }
if tlsc.RootCAs == nil {
systemPool, err := tlsconfig.SystemCertPool()
if err != nil {
@@ -41,11 +54,6 @@ func SetupCertificates(dir string, tlsc *tls.Config) error {
}
tlsc.RootCAs = systemPool
}
- logrus.Debugf(" crt: %s", fullPath)
- data, err := ioutil.ReadFile(fullPath)
- if err != nil {
- return err
- }
tlsc.RootCAs.AppendCertsFromPEM(data)
}
if strings.HasSuffix(f.Name(), ".cert") {
diff --git a/vendor/github.com/containers/storage/drivers/chown_unix.go b/vendor/github.com/containers/storage/drivers/chown_unix.go
index b37a9271a..51d6d754b 100644
--- a/vendor/github.com/containers/storage/drivers/chown_unix.go
+++ b/vendor/github.com/containers/storage/drivers/chown_unix.go
@@ -8,6 +8,7 @@ import (
"syscall"
"github.com/containers/storage/pkg/idtools"
+ "github.com/containers/storage/pkg/system"
)
func platformLChown(path string, info os.FileInfo, toHost, toContainer *idtools.IDMappings) error {
@@ -49,6 +50,11 @@ func platformLChown(path string, info os.FileInfo, toHost, toContainer *idtools.
if err != nil {
return fmt.Errorf("%s: lstat(%q): %v", os.Args[0], path, err)
}
+ cap, err := system.Lgetxattr(path, "security.capability")
+ if err != nil && err != system.ErrNotSupportedPlatform {
+ return fmt.Errorf("%s: Lgetxattr(%q): %v", os.Args[0], path, err)
+ }
+
// Make the change.
if err := syscall.Lchown(path, uid, gid); err != nil {
return fmt.Errorf("%s: chown(%q): %v", os.Args[0], path, err)
@@ -59,6 +65,12 @@ func platformLChown(path string, info os.FileInfo, toHost, toContainer *idtools.
return fmt.Errorf("%s: chmod(%q): %v", os.Args[0], path, err)
}
}
+ if cap != nil {
+ if err := system.Lsetxattr(path, "security.capability", cap, 0); err != nil {
+ return fmt.Errorf("%s: Lsetxattr(%q): %v", os.Args[0], path, err)
+ }
+ }
+
}
}
return nil