diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2018-10-07 08:27:00 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2018-10-07 08:29:23 -0400 |
commit | 3a76772bb1d93aa42e5f0ab58f8abf705e1e90ca (patch) | |
tree | b311ff0b423e85e80059be00654fa32ada881987 /vendor | |
parent | 141a1327fbb2d6e476d959ba9a23d01e1200a9fc (diff) | |
download | podman-3a76772bb1d93aa42e5f0ab58f8abf705e1e90ca.tar.gz podman-3a76772bb1d93aa42e5f0ab58f8abf705e1e90ca.tar.bz2 podman-3a76772bb1d93aa42e5f0ab58f8abf705e1e90ca.zip |
Vendor in latest github.com/containers/storage,image, buildah
Grab latest fixes from subpackages
Including fixes for usernamespace chowning retaining file attributes
Better logging of error messages.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'vendor')
17 files changed, 286 insertions, 93 deletions
diff --git a/vendor/github.com/containers/buildah/README.md b/vendor/github.com/containers/buildah/README.md index fa4a58fd9..6a79e524b 100644 --- a/vendor/github.com/containers/buildah/README.md +++ b/vendor/github.com/containers/buildah/README.md @@ -17,6 +17,8 @@ The Buildah package provides a command line tool that can be used to ## Buildah Information for Developers +For blogs, release announcements and more, please checkout the [buildah.io](https://buildah.io) website! + **[Buildah Demos](demos)** **[Changelog](CHANGELOG.md)** diff --git a/vendor/github.com/containers/buildah/buildah.go b/vendor/github.com/containers/buildah/buildah.go index 7891810a2..79704d7b1 100644 --- a/vendor/github.com/containers/buildah/buildah.go +++ b/vendor/github.com/containers/buildah/buildah.go @@ -24,7 +24,7 @@ const ( Package = "buildah" // Version for the Package. Bump version in contrib/rpm/buildah.spec // too. - Version = "1.4-dev" + Version = "1.5-dev" // The value we use to identify what type of information, currently a // serialized Builder structure, we are using as per-container state. // This should only be changed when we make incompatible changes to diff --git a/vendor/github.com/containers/buildah/chroot/run.go b/vendor/github.com/containers/buildah/chroot/run.go index 58b7a883c..51e2d2bd4 100644 --- a/vendor/github.com/containers/buildah/chroot/run.go +++ b/vendor/github.com/containers/buildah/chroot/run.go @@ -100,18 +100,6 @@ func RunUsingChroot(spec *specs.Spec, bundlePath string, stdin io.Reader, stdout } logrus.Debugf("config = %v", string(specbytes)) - // Run the grandparent subprocess in a user namespace that reuses the mappings that we have. - uidmap, gidmap, err := util.GetHostIDMappings("") - if err != nil { - return err - } - for i := range uidmap { - uidmap[i].HostID = uidmap[i].ContainerID - } - for i := range gidmap { - gidmap[i].HostID = gidmap[i].ContainerID - } - // Default to using stdin/stdout/stderr if we weren't passed objects to use. if stdin == nil { stdin = os.Stdin @@ -162,10 +150,6 @@ func RunUsingChroot(spec *specs.Spec, bundlePath string, stdin io.Reader, stdout cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr cmd.Dir = "/" cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...) - cmd.UnshareFlags = syscall.CLONE_NEWUSER - cmd.UidMappings = uidmap - cmd.GidMappings = gidmap - cmd.GidMappingsEnableSetgroups = true logrus.Debugf("Running %#v in %#v", cmd.Cmd, cmd) confwg.Add(1) @@ -568,10 +552,19 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr cmd.Dir = "/" cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...) - cmd.UnshareFlags = syscall.CLONE_NEWUSER | syscall.CLONE_NEWUTS | syscall.CLONE_NEWNS - cmd.UidMappings = uidmap - cmd.GidMappings = gidmap - cmd.GidMappingsEnableSetgroups = true + cmd.UnshareFlags = syscall.CLONE_NEWUTS | syscall.CLONE_NEWNS + requestedUserNS := false + for _, ns := range spec.Linux.Namespaces { + if ns.Type == specs.LinuxNamespaceType(specs.UserNamespace) { + requestedUserNS = true + } + } + if len(spec.Linux.UIDMappings) > 0 || len(spec.Linux.GIDMappings) > 0 || requestedUserNS { + cmd.UnshareFlags = cmd.UnshareFlags | syscall.CLONE_NEWUSER + cmd.UidMappings = uidmap + cmd.GidMappings = gidmap + cmd.GidMappingsEnableSetgroups = true + } if ctty != nil { cmd.Setsid = true cmd.Ctty = ctty @@ -697,15 +690,7 @@ func runUsingChrootExecMain() { fmt.Fprintf(os.Stderr, "error setting SELinux label for process: %v\n", err) os.Exit(1) } - logrus.Debugf("setting capabilities") - if err := setCapabilities(options.Spec); err != nil { - fmt.Fprintf(os.Stderr, "error setting capabilities for process %v\n", err) - os.Exit(1) - } - if err = setSeccomp(options.Spec); err != nil { - fmt.Fprintf(os.Stderr, "error setting seccomp filter for process: %v\n", err) - os.Exit(1) - } + logrus.Debugf("setting resource limits") if err = setRlimits(options.Spec, false, false); err != nil { fmt.Fprintf(os.Stderr, "error setting process resource limits for process: %v\n", err) @@ -747,11 +732,28 @@ func runUsingChrootExecMain() { os.Exit(1) } } + logrus.Debugf("setting gid") if err = syscall.Setresgid(int(user.GID), int(user.GID), int(user.GID)); err != nil { fmt.Fprintf(os.Stderr, "error setting GID: %v", err) os.Exit(1) } + + if err = setSeccomp(options.Spec); err != nil { + fmt.Fprintf(os.Stderr, "error setting seccomp filter for process: %v\n", err) + os.Exit(1) + } + + logrus.Debugf("setting capabilities") + var keepCaps []string + if user.UID != 0 { + keepCaps = []string{"CAP_SETUID"} + } + if err := setCapabilities(options.Spec, keepCaps...); err != nil { + fmt.Fprintf(os.Stderr, "error setting capabilities for process: %v\n", err) + os.Exit(1) + } + logrus.Debugf("setting uid") if err = syscall.Setresuid(int(user.UID), int(user.UID), int(user.UID)); err != nil { fmt.Fprintf(os.Stderr, "error setting UID: %v", err) @@ -855,7 +857,11 @@ func setApparmorProfile(spec *specs.Spec) error { } // setCapabilities sets capabilities for ourselves, to be more or less inherited by any processes that we'll start. -func setCapabilities(spec *specs.Spec) error { +func setCapabilities(spec *specs.Spec, keepCaps ...string) error { + currentCaps, err := capability.NewPid(0) + if err != nil { + return errors.Wrapf(err, "error reading capabilities of current process") + } caps, err := capability.NewPid(0) if err != nil { return errors.Wrapf(err, "error reading capabilities of current process") @@ -868,8 +874,8 @@ func setCapabilities(spec *specs.Spec) error { capability.AMBIENT: spec.Process.Capabilities.Ambient, } knownCaps := capability.List() + caps.Clear(capability.CAPS | capability.BOUNDS | capability.AMBS) for capType, capList := range capMap { - caps.Clear(capType) for _, capToSet := range capList { cap := capability.CAP_LAST_CAP for _, c := range knownCaps { @@ -883,12 +889,25 @@ func setCapabilities(spec *specs.Spec) error { } caps.Set(capType, cap) } - } - for capType := range capMap { - if err = caps.Apply(capType); err != nil { - return errors.Wrapf(err, "error setting %s capabilities to %#v", capType.String(), capMap[capType]) + for _, capToSet := range keepCaps { + cap := capability.CAP_LAST_CAP + for _, c := range knownCaps { + if strings.EqualFold("CAP_"+c.String(), capToSet) { + cap = c + break + } + } + if cap == capability.CAP_LAST_CAP { + return errors.Errorf("error mapping capability %q to a number", capToSet) + } + if currentCaps.Get(capType, cap) { + caps.Set(capType, cap) + } } } + if err = caps.Apply(capability.CAPS | capability.BOUNDS | capability.AMBS); err != nil { + return errors.Wrapf(err, "error setting capabilities") + } return nil } diff --git a/vendor/github.com/containers/buildah/commit.go b/vendor/github.com/containers/buildah/commit.go index f89930399..c07a5881b 100644 --- a/vendor/github.com/containers/buildah/commit.go +++ b/vendor/github.com/containers/buildah/commit.go @@ -92,6 +92,15 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options var imgID string systemContext := getSystemContext(options.SystemContext, options.SignaturePolicyPath) + + blocked, err := isReferenceBlocked(dest, systemContext) + if err != nil { + return "", errors.Wrapf(err, "error checking if committing to registry for %q is blocked", transports.ImageName(dest)) + } + if blocked { + return "", errors.Errorf("commit access to registry for %q is blocked by configuration", transports.ImageName(dest)) + } + policy, err := signature.DefaultPolicy(systemContext) if err != nil { return imgID, errors.Wrapf(err, "error obtaining default signature policy") @@ -120,7 +129,7 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options return imgID, errors.Wrapf(err, "error computing layer digests and building metadata") } // "Copy" our image to where it needs to be. - err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, nil, systemContext, "")) + err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, src, nil, dest, systemContext, "")) if err != nil { return imgID, errors.Wrapf(err, "error copying layers and metadata") } @@ -162,6 +171,15 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options // Push copies the contents of the image to a new location. func Push(ctx context.Context, image string, dest types.ImageReference, options PushOptions) error { systemContext := getSystemContext(options.SystemContext, options.SignaturePolicyPath) + + blocked, err := isReferenceBlocked(dest, systemContext) + if err != nil { + return errors.Wrapf(err, "error checking if pushing to registry for %q is blocked", transports.ImageName(dest)) + } + if blocked { + return errors.Errorf("push access to registry for %q is blocked by configuration", transports.ImageName(dest)) + } + policy, err := signature.DefaultPolicy(systemContext) if err != nil { return errors.Wrapf(err, "error obtaining default signature policy") @@ -176,7 +194,7 @@ func Push(ctx context.Context, image string, dest types.ImageReference, options return err } // Copy everything. - err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, nil, systemContext, options.ManifestType)) + err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, src, nil, dest, systemContext, options.ManifestType)) if err != nil { return errors.Wrapf(err, "error copying layers and metadata") } diff --git a/vendor/github.com/containers/buildah/common.go b/vendor/github.com/containers/buildah/common.go index dcf922dc9..56a901925 100644 --- a/vendor/github.com/containers/buildah/common.go +++ b/vendor/github.com/containers/buildah/common.go @@ -3,7 +3,10 @@ package buildah import ( "io" + "github.com/sirupsen/logrus" + cp "github.com/containers/image/copy" + "github.com/containers/image/transports" "github.com/containers/image/types" ) @@ -14,11 +17,35 @@ const ( DOCKER = "docker" ) -func getCopyOptions(reportWriter io.Writer, sourceSystemContext *types.SystemContext, destinationSystemContext *types.SystemContext, manifestType string) *cp.Options { +func getCopyOptions(reportWriter io.Writer, sourceReference types.ImageReference, sourceSystemContext *types.SystemContext, destinationReference types.ImageReference, destinationSystemContext *types.SystemContext, manifestType string) *cp.Options { + sourceCtx := &types.SystemContext{} + if sourceSystemContext != nil { + *sourceCtx = *sourceSystemContext + } + sourceInsecure, err := isReferenceInsecure(sourceReference, sourceCtx) + if err != nil { + logrus.Debugf("error determining if registry for %q is insecure: %v", transports.ImageName(sourceReference), err) + } else if sourceInsecure { + sourceCtx.DockerInsecureSkipTLSVerify = true + sourceCtx.OCIInsecureSkipTLSVerify = true + } + + destinationCtx := &types.SystemContext{} + if destinationSystemContext != nil { + *destinationCtx = *destinationSystemContext + } + destinationInsecure, err := isReferenceInsecure(destinationReference, destinationCtx) + if err != nil { + logrus.Debugf("error determining if registry for %q is insecure: %v", transports.ImageName(destinationReference), err) + } else if destinationInsecure { + destinationCtx.DockerInsecureSkipTLSVerify = true + destinationCtx.OCIInsecureSkipTLSVerify = true + } + return &cp.Options{ ReportWriter: reportWriter, - SourceCtx: sourceSystemContext, - DestinationCtx: destinationSystemContext, + SourceCtx: sourceCtx, + DestinationCtx: destinationCtx, ForceManifestMIMEType: manifestType, } } diff --git a/vendor/github.com/containers/buildah/imagebuildah/build.go b/vendor/github.com/containers/buildah/imagebuildah/build.go index 9b4c6f635..727e41c38 100644 --- a/vendor/github.com/containers/buildah/imagebuildah/build.go +++ b/vendor/github.com/containers/buildah/imagebuildah/build.go @@ -325,6 +325,9 @@ func (b *Executor) Preserve(path string) error { archivedPath := filepath.Join(b.mountPoint, cachedPath) logrus.Debugf("no longer need cache of %q in %q", archivedPath, b.volumeCache[cachedPath]) if err := os.Remove(b.volumeCache[cachedPath]); err != nil { + if os.IsNotExist(err) { + continue + } return errors.Wrapf(err, "error removing %q", b.volumeCache[cachedPath]) } delete(b.volumeCache, cachedPath) @@ -343,6 +346,9 @@ func (b *Executor) volumeCacheInvalidate(path string) error { } for _, cachedPath := range invalidated { if err := os.Remove(b.volumeCache[cachedPath]); err != nil { + if os.IsNotExist(err) { + continue + } return errors.Wrapf(err, "error removing volume cache %q", b.volumeCache[cachedPath]) } archivedPath := filepath.Join(b.mountPoint, cachedPath) @@ -1125,6 +1131,7 @@ func (b *Executor) Commit(ctx context.Context, ib *imagebuilder.Builder, created AdditionalTags: b.additionalTags, ReportWriter: writer, PreferredManifestType: b.outputFormat, + SystemContext: b.systemContext, IIDFile: b.iidfile, Squash: b.squash, Parent: b.builder.FromImageID, diff --git a/vendor/github.com/containers/buildah/new.go b/vendor/github.com/containers/buildah/new.go index b0b655da9..3b94459e7 100644 --- a/vendor/github.com/containers/buildah/new.go +++ b/vendor/github.com/containers/buildah/new.go @@ -3,7 +3,6 @@ package buildah import ( "context" "fmt" - "os" "strings" "github.com/containers/buildah/util" @@ -14,7 +13,6 @@ import ( "github.com/containers/image/types" "github.com/containers/storage" multierror "github.com/hashicorp/go-multierror" - "github.com/opencontainers/selinux/go-selinux" "github.com/opencontainers/selinux/go-selinux/label" "github.com/openshift/imagebuilder" "github.com/pkg/errors" @@ -36,36 +34,6 @@ const ( minimumTruncatedIDLength = 3 ) -func reserveSELinuxLabels(store storage.Store, id string) error { - if selinux.GetEnabled() { - containers, err := store.Containers() - if err != nil { - return err - } - - for _, c := range containers { - if id == c.ID { - continue - } else { - b, err := OpenBuilder(store, c.ID) - if err != nil { - if os.IsNotExist(err) { - // Ignore not exist errors since containers probably created by other tool - // TODO, we need to read other containers json data to reserve their SELinux labels - continue - } - return err - } - // Prevent different containers from using same MCS label - if err := label.ReserveLabel(b.ProcessLabel); err != nil { - return err - } - } - } - } - return nil -} - func pullAndFindImage(ctx context.Context, store storage.Store, imageName string, options BuilderOptions, sc *types.SystemContext) (*storage.Image, types.ImageReference, error) { pullOptions := PullOptions{ ReportWriter: options.ReportWriter, @@ -303,7 +271,7 @@ func newBuilder(ctx context.Context, store storage.Store, options BuilderOptions } }() - if err = reserveSELinuxLabels(store, container.ID); err != nil { + if err = ReserveSELinuxLabels(store, container.ID); err != nil { return nil, err } processLabel, mountLabel, err := label.InitLabels(options.CommonBuildOpts.LabelOpts) diff --git a/vendor/github.com/containers/buildah/pkg/cli/common.go b/vendor/github.com/containers/buildah/pkg/cli/common.go index 94b92e1eb..b54663f5d 100644 --- a/vendor/github.com/containers/buildah/pkg/cli/common.go +++ b/vendor/github.com/containers/buildah/pkg/cli/common.go @@ -128,11 +128,6 @@ var ( Name: "iidfile", Usage: "`file` to write the image ID to", }, - cli.StringFlag{ - Name: "isolation", - Usage: "`type` of process isolation to use. Use BUILDAH_ISOLATION environment variable to override.", - Value: DefaultIsolation(), - }, cli.StringSliceFlag{ Name: "label", Usage: "Set metadata for an image (default [])", @@ -230,6 +225,11 @@ var ( Usage: "memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.", }, cli.StringFlag{ + Name: "isolation", + Usage: "`type` of process isolation to use. Use BUILDAH_ISOLATION environment variable to override.", + Value: DefaultIsolation(), + }, + cli.StringFlag{ Name: "memory, m", Usage: "memory limit (format: <number>[<unit>], where unit = b, k, m or g)", }, diff --git a/vendor/github.com/containers/buildah/pkg/parse/parse.go b/vendor/github.com/containers/buildah/pkg/parse/parse.go index d206508b4..1f13cfdee 100644 --- a/vendor/github.com/containers/buildah/pkg/parse/parse.go +++ b/vendor/github.com/containers/buildah/pkg/parse/parse.go @@ -283,6 +283,8 @@ func SystemContextFromOptions(c *cli.Context) (*types.SystemContext, error) { } if c.IsSet("tls-verify") { ctx.DockerInsecureSkipTLSVerify = !c.BoolT("tls-verify") + ctx.OCIInsecureSkipTLSVerify = !c.BoolT("tls-verify") + ctx.DockerDaemonInsecureSkipTLSVerify = !c.BoolT("tls-verify") } if c.IsSet("creds") { var err error diff --git a/vendor/github.com/containers/buildah/pull.go b/vendor/github.com/containers/buildah/pull.go index c2fc6637f..b7a106b2f 100644 --- a/vendor/github.com/containers/buildah/pull.go +++ b/vendor/github.com/containers/buildah/pull.go @@ -160,6 +160,14 @@ func pullImage(ctx context.Context, store storage.Store, imageName string, optio srcRef = srcRef2 } + blocked, err := isReferenceBlocked(srcRef, sc) + if err != nil { + return nil, errors.Wrapf(err, "error checking if pulling from registry for %q is blocked", transports.ImageName(srcRef)) + } + if blocked { + return nil, errors.Errorf("pull access to registry for %q is blocked by configuration", transports.ImageName(srcRef)) + } + destName, err := localImageNameForReference(ctx, store, srcRef, spec) if err != nil { return nil, errors.Wrapf(err, "error computing local image name for %q", transports.ImageName(srcRef)) @@ -190,7 +198,7 @@ func pullImage(ctx context.Context, store storage.Store, imageName string, optio }() logrus.Debugf("copying %q to %q", spec, destName) - pullError := cp.Image(ctx, policyContext, destRef, srcRef, getCopyOptions(options.ReportWriter, sc, nil, "")) + pullError := cp.Image(ctx, policyContext, destRef, srcRef, getCopyOptions(options.ReportWriter, srcRef, sc, destRef, nil, "")) if pullError == nil { return destRef, nil } diff --git a/vendor/github.com/containers/buildah/unshare/unshare.c b/vendor/github.com/containers/buildah/unshare/unshare.c index 47d775c73..ae4185ea4 100644 --- a/vendor/github.com/containers/buildah/unshare/unshare.c +++ b/vendor/github.com/containers/buildah/unshare/unshare.c @@ -11,6 +11,8 @@ #include <termios.h> #include <unistd.h> +const char *_max_user_namespaces = "/proc/sys/user/max_user_namespaces"; + static int _buildah_unshare_parse_envint(const char *envname) { char *p, *q; long l; @@ -31,7 +33,10 @@ static int _buildah_unshare_parse_envint(const char *envname) { void _buildah_unshare(void) { + FILE *fp; int flags, pidfd, continuefd, n, pgrp, sid, ctty; + long max_userns; + size_t n_read; char buf[2048]; flags = _buildah_unshare_parse_envint("_Buildah-unshare"); @@ -41,6 +46,22 @@ void _buildah_unshare(void) if ((flags & CLONE_NEWUSER) != 0) { if (unshare(CLONE_NEWUSER) == -1) { fprintf(stderr, "Error during unshare(CLONE_NEWUSER): %m\n"); + fp = fopen(_max_user_namespaces, "r"); + if (fp != NULL) { + memset(buf, 0, sizeof(buf)); + n_read = fread(buf, 1, sizeof(buf) - 1, fp); + if (n_read > 0) { + max_userns = atoi(buf); + if (max_userns == 0) { + fprintf(stderr, "User namespaces are not enabled in %s.\n", _max_user_namespaces); + } + } else { + fprintf(stderr, "Error reading %s: no contents, should contain a number greater than 0.\n", _max_user_namespaces); + } + fclose(fp); + } else { + fprintf(stderr, "Error reading %s: %m\n", _max_user_namespaces); + } _exit(1); } } diff --git a/vendor/github.com/containers/buildah/unshare/unshare.go b/vendor/github.com/containers/buildah/unshare/unshare.go index 74b107e44..fbe623660 100644 --- a/vendor/github.com/containers/buildah/unshare/unshare.go +++ b/vendor/github.com/containers/buildah/unshare/unshare.go @@ -191,8 +191,8 @@ func (c *Cmd) Start() error { } defer gidmap.Close() if _, err := fmt.Fprintf(gidmap, "%s", g.String()); err != nil { - fmt.Fprintf(continueWrite, "error writing /proc/%s/gid_map: %v", pidString, err) - return errors.Wrapf(err, "error writing /proc/%s/gid_map", pidString) + fmt.Fprintf(continueWrite, "error writing %q to /proc/%s/gid_map: %v", g.String(), pidString, err) + return errors.Wrapf(err, "error writing %q to /proc/%s/gid_map", g.String(), pidString) } } } @@ -222,8 +222,8 @@ func (c *Cmd) Start() error { } defer uidmap.Close() if _, err := fmt.Fprintf(uidmap, "%s", u.String()); err != nil { - fmt.Fprintf(continueWrite, "error writing /proc/%s/uid_map: %v", pidString, err) - return errors.Wrapf(err, "error writing /proc/%s/uid_map", pidString) + fmt.Fprintf(continueWrite, "error writing %q to /proc/%s/uid_map: %v", u.String(), pidString, err) + return errors.Wrapf(err, "error writing %q to /proc/%s/uid_map", u.String(), pidString) } } } diff --git a/vendor/github.com/containers/buildah/util.go b/vendor/github.com/containers/buildah/util.go index ef9be87fb..7bb651bd2 100644 --- a/vendor/github.com/containers/buildah/util.go +++ b/vendor/github.com/containers/buildah/util.go @@ -7,14 +7,19 @@ import ( "sync" "github.com/containers/image/docker/reference" + "github.com/containers/image/pkg/sysregistries" "github.com/containers/image/pkg/sysregistriesv2" "github.com/containers/image/types" + "github.com/containers/storage" "github.com/containers/storage/pkg/archive" "github.com/containers/storage/pkg/chrootarchive" "github.com/containers/storage/pkg/idtools" "github.com/containers/storage/pkg/reexec" rspec "github.com/opencontainers/runtime-spec/specs-go" + "github.com/opencontainers/selinux/go-selinux" + "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" + "github.com/sirupsen/logrus" ) // InitReexec is a wrapper for reexec.Init(). It should be called at @@ -181,6 +186,70 @@ func getRegistries(sc *types.SystemContext) ([]string, error) { return searchRegistries, nil } +// isRegistryInsecure checks if the named registry is marked as not secure +func isRegistryInsecure(registry string, sc *types.SystemContext) (bool, error) { + registries, err := sysregistriesv2.GetRegistries(sc) + if err != nil { + return false, errors.Wrapf(err, "unable to parse the registries configuration (%s)", sysregistries.RegistriesConfPath(sc)) + } + if reginfo := sysregistriesv2.FindRegistry(registry, registries); reginfo != nil { + if reginfo.Insecure { + logrus.Debugf("registry %q is marked insecure in registries configuration %q", registry, sysregistries.RegistriesConfPath(sc)) + } else { + logrus.Debugf("registry %q is not marked insecure in registries configuration %q", registry, sysregistries.RegistriesConfPath(sc)) + } + return reginfo.Insecure, nil + } + logrus.Debugf("registry %q is not listed in registries configuration %q, assuming it's secure", registry, sysregistries.RegistriesConfPath(sc)) + return false, nil +} + +// isRegistryBlocked checks if the named registry is marked as blocked +func isRegistryBlocked(registry string, sc *types.SystemContext) (bool, error) { + registries, err := sysregistriesv2.GetRegistries(sc) + if err != nil { + return false, errors.Wrapf(err, "unable to parse the registries configuration (%s)", sysregistries.RegistriesConfPath(sc)) + } + if reginfo := sysregistriesv2.FindRegistry(registry, registries); reginfo != nil { + if reginfo.Blocked { + logrus.Debugf("registry %q is marked as blocked in registries configuration %q", registry, sysregistries.RegistriesConfPath(sc)) + } else { + logrus.Debugf("registry %q is not marked as blocked in registries configuration %q", registry, sysregistries.RegistriesConfPath(sc)) + } + return reginfo.Blocked, nil + } + logrus.Debugf("registry %q is not listed in registries configuration %q, assuming it's not blocked", registry, sysregistries.RegistriesConfPath(sc)) + return false, nil +} + +// isReferenceSomething checks if the registry part of a reference is insecure or blocked +func isReferenceSomething(ref types.ImageReference, sc *types.SystemContext, what func(string, *types.SystemContext) (bool, error)) (bool, error) { + if ref != nil && ref.DockerReference() != nil { + if named, ok := ref.DockerReference().(reference.Named); ok { + if domain := reference.Domain(named); domain != "" { + return what(domain, sc) + } + } + } + return false, nil +} + +// isReferenceInsecure checks if the registry part of a reference is insecure +func isReferenceInsecure(ref types.ImageReference, sc *types.SystemContext) (bool, error) { + return isReferenceSomething(ref, sc, isRegistryInsecure) +} + +// isReferenceBlocked checks if the registry part of a reference is blocked +func isReferenceBlocked(ref types.ImageReference, sc *types.SystemContext) (bool, error) { + if ref != nil && ref.Transport() != nil { + switch ref.Transport().Name() { + case "docker": + return isReferenceSomething(ref, sc, isRegistryBlocked) + } + } + return false, nil +} + // hasRegistry returns a bool/err response if the image has a registry in its // name func hasRegistry(imageName string) (bool, error) { @@ -194,3 +263,35 @@ func hasRegistry(imageName string) (bool, error) { } return false, nil } + +// ReserveSELinuxLabels reads containers storage and reserves SELinux containers +// fall all existing buildah containers +func ReserveSELinuxLabels(store storage.Store, id string) error { + if selinux.GetEnabled() { + containers, err := store.Containers() + if err != nil { + return err + } + + for _, c := range containers { + if id == c.ID { + continue + } else { + b, err := OpenBuilder(store, c.ID) + if err != nil { + if os.IsNotExist(err) { + // Ignore not exist errors since containers probably created by other tool + // TODO, we need to read other containers json data to reserve their SELinux labels + continue + } + return err + } + // Prevent different containers from using same MCS label + if err := label.ReserveLabel(b.ProcessLabel); err != nil { + return err + } + } + } + } + return nil +} diff --git a/vendor/github.com/containers/buildah/vendor.conf b/vendor/github.com/containers/buildah/vendor.conf index 92c3be927..42389e8c6 100644 --- a/vendor/github.com/containers/buildah/vendor.conf +++ b/vendor/github.com/containers/buildah/vendor.conf @@ -3,9 +3,9 @@ github.com/blang/semver master github.com/BurntSushi/toml master github.com/containerd/continuity master github.com/containernetworking/cni v0.7.0-alpha1 -github.com/containers/image 8f11f3ad8912d8bc43a7d25992b8f313ffefd430 +github.com/containers/image 5cc7850824afe2b4fb016f8906666b358c50dc31 github.com/containers/libpod 2afadeec6696fefac468a49c8ba24b0bc275aa75 -github.com/containers/storage 68332c059156eae970a03245cfcd4d717fb66ecd +github.com/containers/storage 41294c85d97bef688e18f710402895dbecde3308 github.com/docker/distribution 5f6282db7d65e6d72ad7c2cc66310724a57be716 github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00 github.com/docker/docker-credential-helpers d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1 diff --git a/vendor/github.com/containers/image/docker/docker_client.go b/vendor/github.com/containers/image/docker/docker_client.go index 4fb10c395..a410279a5 100644 --- a/vendor/github.com/containers/image/docker/docker_client.go +++ b/vendor/github.com/containers/image/docker/docker_client.go @@ -516,7 +516,7 @@ func (c *dockerClient) detectProperties(ctx context.Context) error { url := fmt.Sprintf(resolvedPingV2URL, scheme, c.registry) resp, err := c.makeRequestToResolvedURL(ctx, "GET", url, nil, nil, -1, noAuth) if err != nil { - logrus.Debugf("Ping %s err %#v", url, err) + logrus.Debugf("Ping %s err %s (%#v)", url, err.Error(), err) return err } defer resp.Body.Close() @@ -542,7 +542,7 @@ func (c *dockerClient) detectProperties(ctx context.Context) error { pingV1 := func(scheme string) bool { url := fmt.Sprintf(resolvedPingV1URL, scheme, c.registry) resp, err := c.makeRequestToResolvedURL(ctx, "GET", url, nil, nil, -1, noAuth) - logrus.Debugf("Ping %s err %#v", url, err) + logrus.Debugf("Ping %s err %s (%#v)", url, err.Error(), err) if err != nil { return false } diff --git a/vendor/github.com/containers/image/pkg/tlsclientconfig/tlsclientconfig.go b/vendor/github.com/containers/image/pkg/tlsclientconfig/tlsclientconfig.go index 156651173..6785564e8 100644 --- a/vendor/github.com/containers/image/pkg/tlsclientconfig/tlsclientconfig.go +++ b/vendor/github.com/containers/image/pkg/tlsclientconfig/tlsclientconfig.go @@ -34,6 +34,19 @@ func SetupCertificates(dir string, tlsc *tls.Config) error { for _, f := range fs { fullPath := filepath.Join(dir, f.Name()) if strings.HasSuffix(f.Name(), ".crt") { + logrus.Debugf(" crt: %s", fullPath) + data, err := ioutil.ReadFile(fullPath) + if err != nil { + if os.IsNotExist(err) { + // Dangling symbolic link? + // Race with someone who deleted the + // file after we read the directory's + // list of contents? + logrus.Warnf("error reading certificate %q: %v", fullPath, err) + continue + } + return err + } if tlsc.RootCAs == nil { systemPool, err := tlsconfig.SystemCertPool() if err != nil { @@ -41,11 +54,6 @@ func SetupCertificates(dir string, tlsc *tls.Config) error { } tlsc.RootCAs = systemPool } - logrus.Debugf(" crt: %s", fullPath) - data, err := ioutil.ReadFile(fullPath) - if err != nil { - return err - } tlsc.RootCAs.AppendCertsFromPEM(data) } if strings.HasSuffix(f.Name(), ".cert") { diff --git a/vendor/github.com/containers/storage/drivers/chown_unix.go b/vendor/github.com/containers/storage/drivers/chown_unix.go index b37a9271a..51d6d754b 100644 --- a/vendor/github.com/containers/storage/drivers/chown_unix.go +++ b/vendor/github.com/containers/storage/drivers/chown_unix.go @@ -8,6 +8,7 @@ import ( "syscall" "github.com/containers/storage/pkg/idtools" + "github.com/containers/storage/pkg/system" ) func platformLChown(path string, info os.FileInfo, toHost, toContainer *idtools.IDMappings) error { @@ -49,6 +50,11 @@ func platformLChown(path string, info os.FileInfo, toHost, toContainer *idtools. if err != nil { return fmt.Errorf("%s: lstat(%q): %v", os.Args[0], path, err) } + cap, err := system.Lgetxattr(path, "security.capability") + if err != nil && err != system.ErrNotSupportedPlatform { + return fmt.Errorf("%s: Lgetxattr(%q): %v", os.Args[0], path, err) + } + // Make the change. if err := syscall.Lchown(path, uid, gid); err != nil { return fmt.Errorf("%s: chown(%q): %v", os.Args[0], path, err) @@ -59,6 +65,12 @@ func platformLChown(path string, info os.FileInfo, toHost, toContainer *idtools. return fmt.Errorf("%s: chmod(%q): %v", os.Args[0], path, err) } } + if cap != nil { + if err := system.Lsetxattr(path, "security.capability", cap, 0); err != nil { + return fmt.Errorf("%s: Lsetxattr(%q): %v", os.Args[0], path, err) + } + } + } } return nil |