summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--vendor.conf2
-rw-r--r--vendor/github.com/projectatomic/buildah/imagebuildah/build.go118
-rw-r--r--vendor/github.com/projectatomic/buildah/run.go154
-rw-r--r--vendor/github.com/projectatomic/buildah/util/util.go53
4 files changed, 221 insertions, 106 deletions
diff --git a/vendor.conf b/vendor.conf
index 54a6bc92f..c2d72bfb8 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -88,7 +88,7 @@ k8s.io/kube-openapi 275e2ce91dec4c05a4094a7b1daee5560b555ac9 https://github.com/
k8s.io/utils 258e2a2fa64568210fbd6267cf1d8fd87c3cb86e https://github.com/kubernetes/utils
github.com/mrunalp/fileutils master
github.com/varlink/go master
-github.com/projectatomic/buildah e098ef46fd32af5e77c7c65315d454653a36d6dd
+github.com/projectatomic/buildah cf753ee6fe1f606c4456d2d76690534f8170d9a3
github.com/Nvveen/Gotty master
github.com/fsouza/go-dockerclient master
github.com/openshift/imagebuilder master
diff --git a/vendor/github.com/projectatomic/buildah/imagebuildah/build.go b/vendor/github.com/projectatomic/buildah/imagebuildah/build.go
index 2c75fcfe1..e7fad7f67 100644
--- a/vendor/github.com/projectatomic/buildah/imagebuildah/build.go
+++ b/vendor/github.com/projectatomic/buildah/imagebuildah/build.go
@@ -11,6 +11,7 @@ import (
"strings"
"time"
+ cp "github.com/containers/image/copy"
is "github.com/containers/image/storage"
"github.com/containers/image/transports"
"github.com/containers/image/transports/alltransports"
@@ -697,6 +698,33 @@ func (b *Executor) Delete() (err error) {
return err
}
+// resolveNameToImageRef creates a types.ImageReference from b.output
+func (b *Executor) resolveNameToImageRef() (types.ImageReference, error) {
+ var (
+ imageRef types.ImageReference
+ err error
+ )
+ if b.output != "" {
+ imageRef, err = alltransports.ParseImageName(b.output)
+ if err != nil {
+ candidates := util.ResolveName(b.output, "", b.systemContext, b.store)
+ if len(candidates) == 0 {
+ return imageRef, errors.Errorf("error parsing target image name %q", b.output)
+ }
+ imageRef2, err2 := is.Transport.ParseStoreReference(b.store, candidates[0])
+ if err2 != nil {
+ return imageRef, errors.Wrapf(err, "error parsing target image name %q", b.output)
+ }
+ return imageRef2, nil
+ }
+ }
+ imageRef, err = is.Transport.ParseStoreReference(b.store, "@"+stringid.GenerateRandomID())
+ if err != nil {
+ return imageRef, errors.Wrapf(err, "error parsing reference for image to be written")
+ }
+ return imageRef, nil
+}
+
// Execute runs each of the steps in the parsed tree, in turn.
func (b *Executor) Execute(ctx context.Context, ib *imagebuilder.Builder, node *parser.Node) error {
checkForLayers := true
@@ -745,18 +773,31 @@ func (b *Executor) Execute(ctx context.Context, ib *imagebuilder.Builder, node *
return errors.Wrap(err, "error checking if cached image exists from a previous build")
}
}
+
+ if cacheID != "" {
+ fmt.Fprintf(b.out, "--> Using cache %s\n", cacheID)
+ }
+
+ // If a cache is found for the last step, that means nothing in the
+ // Dockerfile changed. Just create a copy of the existing image and
+ // save it with the new name passed in by the user.
+ if cacheID != "" && i == len(children)-1 {
+ if err := b.copyExistingImage(ctx, cacheID); err != nil {
+ return err
+ }
+ break
+ }
+
if cacheID == "" || !checkForLayers {
checkForLayers = false
err := ib.Run(step, b, requiresStart)
if err != nil {
return errors.Wrapf(err, "error building at step %+v", *step)
}
- } else {
- b.log("Using cache %s", cacheID)
}
- // Commit if at the last step of the Dockerfile and a cached image is found.
- // Also commit steps if no cache is found.
- if (cacheID != "" && i == len(children)-1) || cacheID == "" {
+
+ // Commit if no cache is found
+ if cacheID == "" {
imgID, err = b.Commit(ctx, ib, getCreatedBy(node))
if err != nil {
return errors.Wrapf(err, "error committing container for step %+v", *step)
@@ -785,6 +826,32 @@ func (b *Executor) Execute(ctx context.Context, ib *imagebuilder.Builder, node *
return nil
}
+// copyExistingImage creates a copy of an image already in store
+func (b *Executor) copyExistingImage(ctx context.Context, cacheID string) error {
+ // Get the destination Image Reference
+ dest, err := b.resolveNameToImageRef()
+ if err != nil {
+ return err
+ }
+
+ policyContext, err := util.GetPolicyContext(b.systemContext)
+ if err != nil {
+ return err
+ }
+ defer policyContext.Destroy()
+
+ // Look up the source image, expecting it to be in local storage
+ src, err := is.Transport.ParseStoreReference(b.store, cacheID)
+ if err != nil {
+ return errors.Wrapf(err, "error getting source imageReference for %q", cacheID)
+ }
+ if err := cp.Image(ctx, policyContext, dest, src, nil); err != nil {
+ return errors.Wrapf(err, "error copying image %q", cacheID)
+ }
+ b.log("COMMIT %s", b.output)
+ return nil
+}
+
// layerExists returns true if an intermediate image of currNode exists in the image store from a previous build.
// It verifies tihis by checking the parent of the top layer of the image and the history.
func (b *Executor) layerExists(ctx context.Context, currNode *parser.Node, children []*parser.Node) (string, error) {
@@ -958,30 +1025,11 @@ func urlContentModified(url string, historyTime *time.Time) (bool, error) {
// Commit writes the container's contents to an image, using a passed-in tag as
// the name if there is one, generating a unique ID-based one otherwise.
func (b *Executor) Commit(ctx context.Context, ib *imagebuilder.Builder, createdBy string) (string, error) {
- var (
- imageRef types.ImageReference
- err error
- )
-
- if b.output != "" {
- imageRef, err = alltransports.ParseImageName(b.output)
- if err != nil {
- candidates := util.ResolveName(b.output, "", b.systemContext, b.store)
- if len(candidates) == 0 {
- return "", errors.Errorf("error parsing target image name %q", b.output)
- }
- imageRef2, err2 := is.Transport.ParseStoreReference(b.store, candidates[0])
- if err2 != nil {
- return "", errors.Wrapf(err, "error parsing target image name %q", b.output)
- }
- imageRef = imageRef2
- }
- } else {
- imageRef, err = is.Transport.ParseStoreReference(b.store, "@"+stringid.GenerateRandomID())
- if err != nil {
- return "", errors.Wrapf(err, "error parsing reference for image to be written")
- }
+ imageRef, err := b.resolveNameToImageRef()
+ if err != nil {
+ return "", err
}
+
if ib.Author != "" {
b.builder.SetMaintainer(ib.Author)
}
@@ -1062,7 +1110,7 @@ func (b *Executor) Commit(ctx context.Context, ib *imagebuilder.Builder, created
return "", err
}
if options.IIDFile == "" && imgID != "" {
- fmt.Fprintf(b.out, "%s\n", imgID)
+ fmt.Fprintf(b.out, "--> %s\n", imgID)
}
return imgID, nil
}
@@ -1089,12 +1137,12 @@ func (b *Executor) Build(ctx context.Context, stages imagebuilder.Stages) error
return err
}
}
- if b.layers || b.noCache {
- return nil
- }
- _, err := stageExecutor.Commit(ctx, stages[len(stages)-1].Builder, "")
- if err != nil {
- return err
+
+ if !b.layers && !b.noCache {
+ _, err := stageExecutor.Commit(ctx, stages[len(stages)-1].Builder, "")
+ if err != nil {
+ return err
+ }
}
// If building with layers and b.removeIntermediateCtrs is true
// only remove intermediate container for each step if an error
diff --git a/vendor/github.com/projectatomic/buildah/run.go b/vendor/github.com/projectatomic/buildah/run.go
index e111c5207..0efb79922 100644
--- a/vendor/github.com/projectatomic/buildah/run.go
+++ b/vendor/github.com/projectatomic/buildah/run.go
@@ -19,6 +19,7 @@ import (
"time"
"github.com/containernetworking/cni/libcni"
+ "github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/ioutils"
"github.com/containers/storage/pkg/reexec"
units "github.com/docker/go-units"
@@ -579,8 +580,8 @@ func runSetupVolumeMounts(mountLabel string, volumeMounts []string, optionMounts
}
// addNetworkConfig copies files from host and sets them up to bind mount into container
-func (b *Builder) addNetworkConfig(rdir, hostPath string) (string, error) {
- copyFileWithTar := b.copyFileWithTar(nil, nil)
+func (b *Builder) addNetworkConfig(rdir, hostPath string, chownOpts *idtools.IDPair) (string, error) {
+ copyFileWithTar := b.copyFileWithTar(chownOpts, nil)
cfile := filepath.Join(rdir, filepath.Base(hostPath))
@@ -684,11 +685,6 @@ func setupCapabilities(g *generate.Generator, firstAdds, firstDrops, secondAdds,
return nil
}
-func setupApparmor(spec *specs.Spec, apparmorProfile string) error {
- spec.Process.ApparmorProfile = apparmorProfile
- return nil
-}
-
func setupTerminal(g *generate.Generator, terminalPolicy TerminalPolicy, terminalSize *specs.Box) {
switch terminalPolicy {
case DefaultTerminal:
@@ -844,9 +840,77 @@ func runLookupPath(g *generate.Generator, command []string) []string {
return command
}
+func (b *Builder) configureUIDGID(g *generate.Generator, mountPoint string, options RunOptions) error {
+ // Set the user UID/GID/supplemental group list/capabilities lists.
+ user, err := b.user(mountPoint, options.User)
+ if err != nil {
+ return err
+ }
+ if err := setupCapabilities(g, b.AddCapabilities, b.DropCapabilities, options.AddCapabilities, options.DropCapabilities); err != nil {
+ return err
+ }
+ g.SetProcessUID(user.UID)
+ g.SetProcessGID(user.GID)
+ for _, gid := range user.AdditionalGids {
+ g.AddProcessAdditionalGid(gid)
+ }
+
+ // Remove capabilities if not running as root
+ if user.UID != 0 {
+ g.ClearProcessCapabilities()
+ }
+
+ return nil
+}
+
+func (b *Builder) configureEnvironment(g *generate.Generator, options RunOptions) {
+ g.ClearProcessEnv()
+ for _, envSpec := range append(b.Env(), options.Env...) {
+ env := strings.SplitN(envSpec, "=", 2)
+ if len(env) > 1 {
+ g.AddProcessEnv(env[0], env[1])
+ }
+ }
+
+ for src, dest := range b.Args {
+ g.AddProcessEnv(src, dest)
+ }
+}
+
+func (b *Builder) configureNamespaces(g *generate.Generator, options RunOptions) (bool, []string, error) {
+ defaultNamespaceOptions, err := DefaultNamespaceOptions()
+ if err != nil {
+ return false, nil, err
+ }
+
+ namespaceOptions := defaultNamespaceOptions
+ namespaceOptions.AddOrReplace(b.NamespaceOptions...)
+ namespaceOptions.AddOrReplace(options.NamespaceOptions...)
+
+ networkPolicy := options.ConfigureNetwork
+ if networkPolicy == NetworkDefault {
+ networkPolicy = b.ConfigureNetwork
+ }
+
+ configureNetwork, configureNetworks, configureUTS, err := setupNamespaces(g, namespaceOptions, b.IDMappingOptions, networkPolicy)
+ if err != nil {
+ return false, nil, err
+ }
+
+ if configureUTS {
+ if options.Hostname != "" {
+ g.SetHostname(options.Hostname)
+ } else if b.Hostname() != "" {
+ g.SetHostname(b.Hostname())
+ }
+ } else {
+ g.SetHostname("")
+ }
+ return configureNetwork, configureNetworks, nil
+}
+
// Run runs the specified command in the container's root filesystem.
func (b *Builder) Run(command []string, options RunOptions) error {
- var user specs.User
p, err := ioutil.TempDir("", Package)
if err != nil {
return err
@@ -870,17 +934,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
g := &gp
- g.ClearProcessEnv()
- for _, envSpec := range append(b.Env(), options.Env...) {
- env := strings.SplitN(envSpec, "=", 2)
- if len(env) > 1 {
- g.AddProcessEnv(env[0], env[1])
- }
- }
-
- for src, dest := range b.Args {
- g.AddProcessEnv(src, dest)
- }
+ b.configureEnvironment(g, options)
if b.CommonBuildOpts == nil {
return errors.Errorf("Invalid format on container you must recreate the container")
@@ -919,62 +973,22 @@ func (b *Builder) Run(command []string, options RunOptions) error {
setupTerminal(g, options.Terminal, options.TerminalSize)
- defaultNamespaceOptions, err := DefaultNamespaceOptions()
+ configureNetwork, configureNetworks, err := b.configureNamespaces(g, options)
if err != nil {
return err
}
- namespaceOptions := defaultNamespaceOptions
- namespaceOptions.AddOrReplace(b.NamespaceOptions...)
- namespaceOptions.AddOrReplace(options.NamespaceOptions...)
-
- networkPolicy := options.ConfigureNetwork
- if networkPolicy == NetworkDefault {
- networkPolicy = b.ConfigureNetwork
- }
-
- configureNetwork, configureNetworks, configureUTS, err := setupNamespaces(g, namespaceOptions, b.IDMappingOptions, networkPolicy)
- if err != nil {
+ if err := b.configureUIDGID(g, mountPoint, options); err != nil {
return err
}
- if configureUTS {
- if options.Hostname != "" {
- g.SetHostname(options.Hostname)
- } else if b.Hostname() != "" {
- g.SetHostname(b.Hostname())
- }
- } else {
- g.SetHostname("")
- }
-
- // Set the user UID/GID/supplemental group list/capabilities lists.
- if user, err = b.user(mountPoint, options.User); err != nil {
- return err
- }
- if err = setupCapabilities(g, b.AddCapabilities, b.DropCapabilities, options.AddCapabilities, options.DropCapabilities); err != nil {
- return err
- }
- g.SetProcessUID(user.UID)
- g.SetProcessGID(user.GID)
- for _, gid := range user.AdditionalGids {
- g.AddProcessAdditionalGid(gid)
- }
+ g.SetProcessApparmorProfile(b.CommonBuildOpts.ApparmorProfile)
// Now grab the spec from the generator. Set the generator to nil so that future contributors
// will quickly be able to tell that they're supposed to be modifying the spec directly from here.
spec := g.Spec()
g = nil
- // Remove capabilities if not running as root
- if user.UID != 0 {
- var caplist []string
- spec.Process.Capabilities.Permitted = caplist
- spec.Process.Capabilities.Inheritable = caplist
- spec.Process.Capabilities.Effective = caplist
- spec.Process.Capabilities.Ambient = caplist
- }
-
// Set the working directory, creating it if we must.
if spec.Process.Cwd == "" {
spec.Process.Cwd = DefaultWorkingDir
@@ -983,11 +997,6 @@ func (b *Builder) Run(command []string, options RunOptions) error {
return errors.Wrapf(err, "error ensuring working directory %q exists", spec.Process.Cwd)
}
- // Set the apparmor profile name.
- if err = setupApparmor(spec, b.CommonBuildOpts.ApparmorProfile); err != nil {
- return err
- }
-
// Set the seccomp configuration using the specified profile name. Some syscalls are
// allowed if certain capabilities are to be granted (example: CAP_SYS_CHROOT and chroot),
// so we sorted out the capabilities lists first.
@@ -995,11 +1004,18 @@ func (b *Builder) Run(command []string, options RunOptions) error {
return err
}
- hostFile, err := b.addNetworkConfig(path, "/etc/hosts")
+ // Figure out who owns files that will appear to be owned by UID/GID 0 in the container.
+ rootUID, rootGID, err := util.GetHostRootIDs(spec)
+ if err != nil {
+ return err
+ }
+ rootIDPair := &idtools.IDPair{UID: int(rootUID), GID: int(rootGID)}
+
+ hostFile, err := b.addNetworkConfig(path, "/etc/hosts", rootIDPair)
if err != nil {
return err
}
- resolvFile, err := b.addNetworkConfig(path, "/etc/resolv.conf")
+ resolvFile, err := b.addNetworkConfig(path, "/etc/resolv.conf", rootIDPair)
if err != nil {
return err
}
diff --git a/vendor/github.com/projectatomic/buildah/util/util.go b/vendor/github.com/projectatomic/buildah/util/util.go
index 61705867d..2617a27b7 100644
--- a/vendor/github.com/projectatomic/buildah/util/util.go
+++ b/vendor/github.com/projectatomic/buildah/util/util.go
@@ -7,6 +7,7 @@ import (
"net/url"
"os"
"path"
+ "path/filepath"
"strconv"
"strings"
@@ -15,6 +16,7 @@ import (
"github.com/containers/image/docker/reference"
ociarchive "github.com/containers/image/oci/archive"
"github.com/containers/image/pkg/sysregistries"
+ "github.com/containers/image/signature"
is "github.com/containers/image/storage"
"github.com/containers/image/tarball"
"github.com/containers/image/types"
@@ -330,7 +332,8 @@ func getHostIDMappings(path string) ([]specs.LinuxIDMapping, error) {
return mappings, nil
}
-// GetHostIDMappings reads mappings for the current process from the kernel.
+// GetHostIDMappings reads mappings for the specified process (or the current
+// process if pid is "self" or an empty string) from the kernel.
func GetHostIDMappings(pid string) ([]specs.LinuxIDMapping, []specs.LinuxIDMapping, error) {
if pid == "" {
pid = "self"
@@ -428,3 +431,51 @@ func ParseIDMappings(uidmap, gidmap []string) ([]idtools.IDMap, []idtools.IDMap,
}
return uid, gid, nil
}
+
+// UnsharedRootPath returns a location under ($XDG_DATA_HOME/containers/storage,
+// or $HOME/.local/share/containers/storage, or
+// (the user's home directory)/.local/share/containers/storage, or an error.
+func UnsharedRootPath(homedir string) (string, error) {
+ // If $XDG_DATA_HOME is defined...
+ if envDataHome, haveDataHome := os.LookupEnv("XDG_DATA_HOME"); haveDataHome {
+ return filepath.Join(envDataHome, "containers", "storage"), nil
+ }
+ // If $XDG_DATA_HOME is not defined, but $HOME is defined...
+ if envHomedir, haveHomedir := os.LookupEnv("HOME"); haveHomedir {
+ // Default to the user's $HOME/.local/share/containers/storage subdirectory.
+ return filepath.Join(envHomedir, ".local", "share", "containers", "storage"), nil
+ }
+ // If we know where our home directory is...
+ if homedir != "" {
+ // Default to the user's homedir/.local/share/containers/storage subdirectory.
+ return filepath.Join(homedir, ".local", "share", "containers", "storage"), nil
+ }
+ return "", errors.New("unable to determine a --root location: neither $XDG_DATA_HOME nor $HOME is set")
+}
+
+// UnsharedRunrootPath returns $XDG_RUNTIME_DIR/run, /var/run/user/(the user's UID)/run, or an error.
+func UnsharedRunrootPath(uid string) (string, error) {
+ // If $XDG_RUNTIME_DIR is defined...
+ if envRuntimeDir, haveRuntimeDir := os.LookupEnv("XDG_RUNTIME_DIR"); haveRuntimeDir {
+ return filepath.Join(envRuntimeDir, "run"), nil
+ }
+ // If $XDG_RUNTIME_DIR is not defined, but we know our UID...
+ if uid != "" {
+ return filepath.Join("/var/run/user", uid, "run"), nil
+ }
+ return "", errors.New("unable to determine a --runroot location: $XDG_RUNTIME_DIR is not set, and we don't know our UID")
+}
+
+// GetPolicyContext sets up, initializes and returns a new context for the specified policy
+func GetPolicyContext(ctx *types.SystemContext) (*signature.PolicyContext, error) {
+ policy, err := signature.DefaultPolicy(ctx)
+ if err != nil {
+ return nil, err
+ }
+
+ policyContext, err := signature.NewPolicyContext(policy)
+ if err != nil {
+ return nil, err
+ }
+ return policyContext, nil
+}