-rw-r--r--go.mod2
-rw-r--r--go.sum4
-rw-r--r--vendor/github.com/containers/buildah/.golangci.yml40
-rw-r--r--vendor/github.com/containers/buildah/CHANGELOG.md11
-rw-r--r--vendor/github.com/containers/buildah/add.go26
-rw-r--r--vendor/github.com/containers/buildah/buildah.go2
-rw-r--r--vendor/github.com/containers/buildah/changelog.txt11
-rw-r--r--vendor/github.com/containers/buildah/chroot/run.go12
-rw-r--r--vendor/github.com/containers/buildah/chroot/seccomp.go26
-rw-r--r--vendor/github.com/containers/buildah/copier/copier.go48
-rw-r--r--vendor/modules.txt2
11 files changed, 123 insertions, 61 deletions
diff --git a/go.mod b/go.mod
index 637777f5d..7b8957cda 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
github.com/containerd/containerd v1.4.1 // indirect
github.com/containernetworking/cni v0.8.0
github.com/containernetworking/plugins v0.8.7
- github.com/containers/buildah v1.16.2
+ github.com/containers/buildah v1.16.4
github.com/containers/common v0.23.0
github.com/containers/conmon v2.0.20+incompatible
github.com/containers/image/v5 v5.6.0
diff --git a/go.sum b/go.sum
index c0c5006ab..2baae4843 100644
--- a/go.sum
+++ b/go.sum
@@ -70,8 +70,8 @@ github.com/containernetworking/cni v0.8.0 h1:BT9lpgGoH4jw3lFC7Odz2prU5ruiYKcgAjM
github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
github.com/containernetworking/plugins v0.8.7 h1:bU7QieuAp+sACI2vCzESJ3FoT860urYP+lThyZkb/2M=
github.com/containernetworking/plugins v0.8.7/go.mod h1:R7lXeZaBzpfqapcAbHRW8/CYwm0dHzbz0XEjofx0uB0=
-github.com/containers/buildah v1.16.2 h1:u8RA0r9sp3d5df/QRm0glG7L6ZN40UVJcYedwcZGt8w=
-github.com/containers/buildah v1.16.2/go.mod h1:i1XqXgpCROnfcq4oNtfrFEk7UzNDxLJ/PZ+CnPyoIq8=
+github.com/containers/buildah v1.16.4 h1:bxthp2FoGcpc2O/RyvbGUAZoefmc5hRBqWQi3BjRu7w=
+github.com/containers/buildah v1.16.4/go.mod h1:i1XqXgpCROnfcq4oNtfrFEk7UzNDxLJ/PZ+CnPyoIq8=
github.com/containers/common v0.21.0/go.mod h1:8w8SVwc+P2p1MOnRMbSKNWXt1Iwd2bKFu2LLZx55DTM=
github.com/containers/common v0.23.0 h1:+g4mI3wUYSzOtoWU9TNVoV4K52/aN6JEz0qs1YdPEe8=
github.com/containers/common v0.23.0/go.mod h1:E56/N0beWGf+lrrJX32atuo2hkjzHwSC8n1vCG+TAR0=
diff --git a/vendor/github.com/containers/buildah/.golangci.yml b/vendor/github.com/containers/buildah/.golangci.yml
index 888d89afa..f8247f049 100644
--- a/vendor/github.com/containers/buildah/.golangci.yml
+++ b/vendor/github.com/containers/buildah/.golangci.yml
@@ -7,38 +7,26 @@ run:
# Don't exceed number of threads available when running under CI
concurrency: 4
linters:
- disable-all: true
- enable:
- - bodyclose
+ enable-all: true
+ disable:
+ # All these break for one reason or another
- deadcode
- depguard
- dupl
- errcheck
- - gofmt
- - goimports
+ - gochecknoglobals
+ - gochecknoinits
+ - goconst
+ - gocritic
+ - gocyclo
- golint
- # Broken? Unpredictably dies w/o any error well before deadline/timeout expires
- # - gosimple
- - govet
- - ineffassign
- - interfacer
- - misspell
- - nakedret
- - staticcheck
+ - gosec
+ - gosimple
+ - lll
+ - maligned
+ - prealloc
+ - scopelint
- structcheck
- - stylecheck
- typecheck
- unconvert
- - unparam
- - unused
- varcheck
- # - gochecknoglobals
- # - gochecknoinits
- # - goconst
- # - gocritic
- # - gocyclo
- # - gosec
- # - lll
- # - maligned
- # - prealloc
- # - scopelint
diff --git a/vendor/github.com/containers/buildah/CHANGELOG.md b/vendor/github.com/containers/buildah/CHANGELOG.md
index 6168dc317..ca6a98889 100644
--- a/vendor/github.com/containers/buildah/CHANGELOG.md
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md
@@ -2,10 +2,21 @@
# Changelog
+## v1.16.4 (2020-10-01)
+ ADD: only expand archives at the right time
+
+## v1.16.3 (2020-09-30)
+ Lint: Use same linters as podman
+ add: preserve ownerships and permissions on ADDed archives
+ chroot: fix handling of errno seccomp rules
+ git-validation.sh: set the base for comparison to v1.16.0
+ chroot: create bind mount targets 0755 instead of 0700
+
## v1.16.2 (2020-09-21)
Add(): fix handling of relative paths with no ContextDir
## v1.16.1 (2020-09-10)
+ CI: use release-1.16 as the basis for validation tests
copier.Get(): hard link targets shouldn't be relative paths
## v1.16.0 (2020-09-03)
diff --git a/vendor/github.com/containers/buildah/add.go b/vendor/github.com/containers/buildah/add.go
index bbfdda9c1..a3f3c7a37 100644
--- a/vendor/github.com/containers/buildah/add.go
+++ b/vendor/github.com/containers/buildah/add.go
@@ -33,7 +33,8 @@ type AddAndCopyOptions struct {
Chown string
// PreserveOwnership, if Chown is not set, tells us to avoid setting
// ownership of copied items to 0:0, instead using whatever ownership
- // information is already set. Not meaningful for remote sources.
+ // information is already set. Not meaningful for remote sources or
+ // local archives that we extract.
PreserveOwnership bool
// All of the data being copied will pass through Hasher, if set.
// If the sources are URLs or files, their contents will be passed to
@@ -210,7 +211,6 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
// Find out which user (and group) the destination should belong to.
var chownDirs, chownFiles *idtools.IDPair
- var chmodDirs, chmodFiles *os.FileMode
var user specs.User
if options.Chown != "" {
user, _, err = b.user(mountPoint, options.Chown)
@@ -319,9 +319,9 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
UIDMap: destUIDMap,
GIDMap: destGIDMap,
ChownDirs: chownDirs,
- ChmodDirs: chmodDirs,
+ ChmodDirs: nil,
ChownFiles: chownFiles,
- ChmodFiles: chmodFiles,
+ ChmodFiles: nil,
}
putErr = copier.Put(mountPoint, extractDirectory, putOptions, io.TeeReader(pipeReader, hasher))
}
@@ -396,6 +396,10 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
GIDMap: srcGIDMap,
Excludes: options.Excludes,
ExpandArchives: extract,
+ ChownDirs: chownDirs,
+ ChmodDirs: nil,
+ ChownFiles: chownFiles,
+ ChmodFiles: nil,
StripSetuidBit: options.StripSetuidBit,
StripSetgidBit: options.StripSetgidBit,
StripStickyBit: options.StripStickyBit,
@@ -423,12 +427,14 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
_, putErr = io.Copy(hasher, pipeReader)
} else {
putOptions := copier.PutOptions{
- UIDMap: destUIDMap,
- GIDMap: destGIDMap,
- ChownDirs: chownDirs,
- ChmodDirs: chmodDirs,
- ChownFiles: chownFiles,
- ChmodFiles: chmodFiles,
+ UIDMap: destUIDMap,
+ GIDMap: destGIDMap,
+ DefaultDirOwner: chownDirs,
+ DefaultDirMode: nil,
+ ChownDirs: nil,
+ ChmodDirs: nil,
+ ChownFiles: nil,
+ ChmodFiles: nil,
}
putErr = copier.Put(mountPoint, extractDirectory, putOptions, io.TeeReader(pipeReader, hasher))
}
diff --git a/vendor/github.com/containers/buildah/buildah.go b/vendor/github.com/containers/buildah/buildah.go
index e63cfff3a..2ac0210bd 100644
--- a/vendor/github.com/containers/buildah/buildah.go
+++ b/vendor/github.com/containers/buildah/buildah.go
@@ -28,7 +28,7 @@ const (
Package = "buildah"
// Version for the Package. Bump version in contrib/rpm/buildah.spec
// too.
- Version = "1.16.2"
+ Version = "1.16.4"
// The value we use to identify what type of information, currently a
// serialized Builder structure, we are using as per-container state.
// This should only be changed when we make incompatible changes to
diff --git a/vendor/github.com/containers/buildah/changelog.txt b/vendor/github.com/containers/buildah/changelog.txt
index d34ede417..048dc61c1 100644
--- a/vendor/github.com/containers/buildah/changelog.txt
+++ b/vendor/github.com/containers/buildah/changelog.txt
@@ -1,7 +1,18 @@
+- Changelog for v1.16.4 (2020-10-01)
+ * ADD: only expand archives at the right time
+
+- Changelog for v1.16.3 (2020-09-30)
+ * Lint: Use same linters as podman
+ * add: preserve ownerships and permissions on ADDed archives
+ * chroot: fix handling of errno seccomp rules
+ * git-validation.sh: set the base for comparison to v1.16.0
+ * chroot: create bind mount targets 0755 instead of 0700
+
- Changelog for v1.16.2 (2020-09-21)
* Add(): fix handling of relative paths with no ContextDir
- Changelog for v1.16.1 (2020-09-10)
+ * CI: use release-1.16 as the basis for validation tests
* copier.Get(): hard link targets shouldn't be relative paths
- Changelog for v1.16.0 (2020-09-03)
diff --git a/vendor/github.com/containers/buildah/chroot/run.go b/vendor/github.com/containers/buildah/chroot/run.go
index 7a83a73a3..e8842f7a9 100644
--- a/vendor/github.com/containers/buildah/chroot/run.go
+++ b/vendor/github.com/containers/buildah/chroot/run.go
@@ -1047,7 +1047,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
subDev := filepath.Join(spec.Root.Path, "/dev")
if err := unix.Mount("/dev", subDev, "bind", devFlags, ""); err != nil {
if os.IsNotExist(err) {
- err = os.Mkdir(subDev, 0700)
+ err = os.Mkdir(subDev, 0755)
if err == nil {
err = unix.Mount("/dev", subDev, "bind", devFlags, "")
}
@@ -1071,7 +1071,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
subProc := filepath.Join(spec.Root.Path, "/proc")
if err := unix.Mount("/proc", subProc, "bind", procFlags, ""); err != nil {
if os.IsNotExist(err) {
- err = os.Mkdir(subProc, 0700)
+ err = os.Mkdir(subProc, 0755)
if err == nil {
err = unix.Mount("/proc", subProc, "bind", procFlags, "")
}
@@ -1086,7 +1086,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
subSys := filepath.Join(spec.Root.Path, "/sys")
if err := unix.Mount("/sys", subSys, "bind", sysFlags, ""); err != nil {
if os.IsNotExist(err) {
- err = os.Mkdir(subSys, 0700)
+ err = os.Mkdir(subSys, 0755)
if err == nil {
err = unix.Mount("/sys", subSys, "bind", sysFlags, "")
}
@@ -1163,15 +1163,15 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
}
// The target isn't there yet, so create it.
if srcinfo.IsDir() {
- if err = os.MkdirAll(target, 0111); err != nil {
+ if err = os.MkdirAll(target, 0755); err != nil {
return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
}
} else {
- if err = os.MkdirAll(filepath.Dir(target), 0111); err != nil {
+ if err = os.MkdirAll(filepath.Dir(target), 0755); err != nil {
return undoBinds, errors.Wrapf(err, "error ensuring parent of mountpoint %q (%q) is present in mount namespace", target, filepath.Dir(target))
}
var file *os.File
- if file, err = os.OpenFile(target, os.O_WRONLY|os.O_CREATE, 0); err != nil {
+ if file, err = os.OpenFile(target, os.O_WRONLY|os.O_CREATE, 0755); err != nil {
return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
}
file.Close()
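Review bot: The placeholder created by `os.OpenFile(target, os.O_WRONLY|os.O_CREATE, 0755)` is an empty regular file that exists only as a bind-mount target, so the execute bits are unnecessary; `0644` would be enough for the file, keeping `0755` for the two `MkdirAll` calls above. The result of `file.Close()` on the following line is discarded, and a short comment such as `// placeholder only; nothing was written, so a close error is not actionable` would record why. All of these modes are still filtered by the process umask, so the effective permissions may be tighter than written. `setupChrootBindMounts` starts and ends outside this hunk, and the file is vendored from buildah, so the change would go upstream.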
diff --git a/vendor/github.com/containers/buildah/chroot/seccomp.go b/vendor/github.com/containers/buildah/chroot/seccomp.go
index 12a9b0032..1ca0a159e 100644
--- a/vendor/github.com/containers/buildah/chroot/seccomp.go
+++ b/vendor/github.com/containers/buildah/chroot/seccomp.go
@@ -15,18 +15,28 @@ func setSeccomp(spec *specs.Spec) error {
if spec.Linux.Seccomp == nil {
return nil
}
- mapAction := func(specAction specs.LinuxSeccompAction) libseccomp.ScmpAction {
+ mapAction := func(specAction specs.LinuxSeccompAction, errnoRet *uint) libseccomp.ScmpAction {
switch specAction {
case specs.ActKill:
return libseccomp.ActKill
case specs.ActTrap:
return libseccomp.ActTrap
case specs.ActErrno:
- return libseccomp.ActErrno
+ action := libseccomp.ActErrno
+ if errnoRet != nil {
+ action = action.SetReturnCode(int16(*errnoRet))
+ }
+ return action
case specs.ActTrace:
return libseccomp.ActTrace
case specs.ActAllow:
return libseccomp.ActAllow
+ case specs.ActLog:
+ return libseccomp.ActLog
+ case specs.ActKillProcess:
+ return libseccomp.ActKillProcess
+ default:
+ logrus.Errorf("unmappable action %v", specAction)
}
return libseccomp.ActInvalid
}
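Review bot: The `int16(*errnoRet)` conversion in the `specs.ActErrno` case narrows a `*uint` taken from the runtime spec without a range check, so a value above 32767 wraps into a different return code instead of being rejected. A guard before the conversion would keep a malformed profile from installing a rule with an unintended errno, for example `if *errnoRet > math.MaxInt16 { return libseccomp.ActInvalid }` (this needs the `math` import, which is outside the hunk). The new `default:` branches only log and then fall through to `ActInvalid`, so rejecting an unknown action presumably depends on `NewFilter`/`AddRule` refusing that value. The rest of `setSeccomp` is outside this hunk, and the file is vendored, so the change belongs upstream in buildah.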
@@ -68,6 +78,8 @@ func setSeccomp(spec *specs.Spec) error {
/* fallthrough */ /* for now */
case specs.ArchPARISC64:
/* fallthrough */ /* for now */
+ default:
+ logrus.Errorf("unmappable arch %v", specArch)
}
return libseccomp.ArchInvalid
}
@@ -87,11 +99,13 @@ func setSeccomp(spec *specs.Spec) error {
return libseccomp.CompareGreater
case specs.OpMaskedEqual:
return libseccomp.CompareMaskedEqual
+ default:
+ logrus.Errorf("unmappable op %v", op)
}
return libseccomp.CompareInvalid
}
- filter, err := libseccomp.NewFilter(mapAction(spec.Linux.Seccomp.DefaultAction))
+ filter, err := libseccomp.NewFilter(mapAction(spec.Linux.Seccomp.DefaultAction, nil))
if err != nil {
return errors.Wrapf(err, "error creating seccomp filter with default action %q", spec.Linux.Seccomp.DefaultAction)
}
@@ -112,7 +126,7 @@ func setSeccomp(spec *specs.Spec) error {
}
for scnum := range scnames {
if len(rule.Args) == 0 {
- if err = filter.AddRule(scnum, mapAction(rule.Action)); err != nil {
+ if err = filter.AddRule(scnum, mapAction(rule.Action, rule.ErrnoRet)); err != nil {
return errors.Wrapf(err, "error adding a rule (%q:%q) to seccomp filter", scnames[scnum], rule.Action)
}
continue
@@ -129,7 +143,7 @@ func setSeccomp(spec *specs.Spec) error {
}
conditions = append(conditions, condition)
}
- if err = filter.AddRuleConditional(scnum, mapAction(rule.Action), conditions); err != nil {
+ if err = filter.AddRuleConditional(scnum, mapAction(rule.Action, rule.ErrnoRet), conditions); err != nil {
// Okay, if the rules specify multiple equality
// checks, assume someone thought that they
// were OR'd, when in fact they're ordinarily
@@ -137,7 +151,7 @@ func setSeccomp(spec *specs.Spec) error {
// different rules to get that OR effect.
if len(rule.Args) > 1 && opsAreAllEquality && err.Error() == "two checks on same syscall argument" {
for i := range conditions {
- if err = filter.AddRuleConditional(scnum, mapAction(rule.Action), conditions[i:i+1]); err != nil {
+ if err = filter.AddRuleConditional(scnum, mapAction(rule.Action, rule.ErrnoRet), conditions[i:i+1]); err != nil {
return errors.Wrapf(err, "error adding a conditional rule (%q:%q[%d]) to seccomp filter", scnames[scnum], rule.Action, i)
}
}
diff --git a/vendor/github.com/containers/buildah/copier/copier.go b/vendor/github.com/containers/buildah/copier/copier.go
index a980fe292..1021aeb6f 100644
--- a/vendor/github.com/containers/buildah/copier/copier.go
+++ b/vendor/github.com/containers/buildah/copier/copier.go
@@ -222,6 +222,10 @@ type GetOptions struct {
UIDMap, GIDMap []idtools.IDMap // map from hostIDs to containerIDs in the output archive
Excludes []string // contents to pretend don't exist, using the OS-specific path separator
ExpandArchives bool // extract the contents of named items that are archives
+ ChownDirs *idtools.IDPair // set ownership on directories. no effect on archives being extracted
+ ChmodDirs *os.FileMode // set permissions on directories. no effect on archives being extracted
+ ChownFiles *idtools.IDPair // set ownership of files. no effect on archives being extracted
+ ChmodFiles *os.FileMode // set permissions on files. no effect on archives being extracted
StripSetuidBit bool // strip the setuid bit off of items being copied. no effect on archives being extracted
StripSetgidBit bool // strip the setgid bit off of items being copied. no effect on archives being extracted
StripStickyBit bool // strip the sticky bit off of items being copied. no effect on archives being extracted
@@ -265,6 +269,8 @@ func Get(root string, directory string, options GetOptions, globs []string, bulk
// PutOptions controls parts of Put()'s behavior.
type PutOptions struct {
UIDMap, GIDMap []idtools.IDMap // map from containerIDs to hostIDs when writing contents to disk
+ DefaultDirOwner *idtools.IDPair // set ownership of implicitly-created directories, default is ChownDirs, or 0:0 if ChownDirs not set
+ DefaultDirMode *os.FileMode // set permissions on implicitly-created directories, default is ChmodDirs, or 0755 if ChmodDirs not set
ChownDirs *idtools.IDPair // set ownership of newly-created directories
ChmodDirs *os.FileMode // set permissions on newly-created directories
ChownFiles *idtools.IDPair // set ownership of newly-created files
@@ -1032,6 +1038,9 @@ func copierHandlerGet(bulkWriter io.Writer, req request, pm *fileutils.PatternMa
}
// evaluate excludes relative to the root directory
if info.Mode().IsDir() {
+ // we don't expand any of the contents that are archives
+ options := req.GetOptions
+ options.ExpandArchives = false
walkfn := func(path string, info os.FileInfo, err error) error {
// compute the path of this item
// relative to the top-level directory,
@@ -1073,7 +1082,7 @@ func copierHandlerGet(bulkWriter io.Writer, req request, pm *fileutils.PatternMa
symlinkTarget = target
}
// add the item to the outgoing tar stream
- return copierHandlerGetOne(info, symlinkTarget, rel, path, req.GetOptions, tw, hardlinkChecker, idMappings)
+ return copierHandlerGetOne(info, symlinkTarget, rel, path, options, tw, hardlinkChecker, idMappings)
}
// walk the directory tree, checking/adding items individually
if err := filepath.Walk(item, walkfn); err != nil {
@@ -1193,6 +1202,22 @@ func copierHandlerGetOne(srcfi os.FileInfo, symlinkTarget, name, contentPath str
return errors.Wrapf(err, "error mapping host filesystem owners %#v to container filesystem owners", hostPair)
}
}
+ // force ownership and/or permissions, if requested
+ if hdr.Typeflag == tar.TypeDir {
+ if options.ChownDirs != nil {
+ hdr.Uid, hdr.Gid = options.ChownDirs.UID, options.ChownDirs.GID
+ }
+ if options.ChmodDirs != nil {
+ hdr.Mode = int64(*options.ChmodDirs)
+ }
+ } else {
+ if options.ChownFiles != nil {
+ hdr.Uid, hdr.Gid = options.ChownFiles.UID, options.ChownFiles.GID
+ }
+ if options.ChmodFiles != nil {
+ hdr.Mode = int64(*options.ChmodFiles)
+ }
+ }
// output the header
if err = tw.WriteHeader(hdr); err != nil {
return errors.Wrapf(err, "error writing header for %s (%s)", contentPath, hdr.Name)
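Review bot: `hdr.Mode = int64(*options.ChmodDirs)` and the matching `ChmodFiles` line write a raw `os.FileMode` into the tar header, but `os.FileMode` keeps its type, setuid, setgid and sticky flags in high bits that do not match the Unix mode layout a tar header carries. Only plain permission bits survive the cast as intended, so either restrict it with `hdr.Mode = int64(options.ChmodDirs.Perm())` (and likewise for files) or state in the `GetOptions` field comments that only permission bits are honoured. The override replaces the whole mode, and whether it runs after the `StripSetuidBit`/`StripSetgidBit`/`StripStickyBit` handling is not visible here, since `copierHandlerGetOne` starts and ends outside this hunk. In this commit `Add` passes `nil` for both fields, so the path is latent; the file is vendored, so a fix belongs upstream in buildah.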
@@ -1220,13 +1245,20 @@ func copierHandlerPut(bulkReader io.Reader, req request, idMappings *idtools.IDM
errorResponse := func(fmtspec string, args ...interface{}) (*response, func() error, error) {
return &response{Error: fmt.Sprintf(fmtspec, args...), Put: putResponse{}}, nil, nil
}
- dirUID, dirGID := 0, 0
+ dirUID, dirGID, defaultDirUID, defaultDirGID := 0, 0, 0, 0
if req.PutOptions.ChownDirs != nil {
dirUID, dirGID = req.PutOptions.ChownDirs.UID, req.PutOptions.ChownDirs.GID
+ defaultDirUID, defaultDirGID = dirUID, dirGID
}
- dirMode := os.FileMode(0755)
+ defaultDirMode := os.FileMode(0755)
if req.PutOptions.ChmodDirs != nil {
- dirMode = *req.PutOptions.ChmodDirs
+ defaultDirMode = *req.PutOptions.ChmodDirs
+ }
+ if req.PutOptions.DefaultDirOwner != nil {
+ defaultDirUID, defaultDirGID = req.PutOptions.DefaultDirOwner.UID, req.PutOptions.DefaultDirOwner.GID
+ }
+ if req.PutOptions.DefaultDirMode != nil {
+ defaultDirMode = *req.PutOptions.DefaultDirMode
}
var fileUID, fileGID *int
if req.PutOptions.ChownFiles != nil {
@@ -1258,11 +1290,11 @@ func copierHandlerPut(bulkReader io.Reader, req request, idMappings *idtools.IDM
subdir = filepath.Join(subdir, component)
path := filepath.Join(req.Root, subdir)
if err := os.Mkdir(path, 0700); err == nil {
- if err = lchown(path, dirUID, dirGID); err != nil {
- return errors.Wrapf(err, "copier: put: error setting owner of %q to %d:%d", path, dirUID, dirGID)
+ if err = lchown(path, defaultDirUID, defaultDirGID); err != nil {
+ return errors.Wrapf(err, "copier: put: error setting owner of %q to %d:%d", path, defaultDirUID, defaultDirGID)
}
- if err = os.Chmod(path, dirMode); err != nil {
- return errors.Wrapf(err, "copier: put: error setting permissions on %q to 0%o", path, dirMode)
+ if err = os.Chmod(path, defaultDirMode); err != nil {
+ return errors.Wrapf(err, "copier: put: error setting permissions on %q to 0%o", path, defaultDirMode)
}
} else {
if !os.IsExist(err) {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 3c7749b57..0a7e6ad44 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -67,7 +67,7 @@ github.com/containernetworking/plugins/pkg/utils/hwaddr
github.com/containernetworking/plugins/pkg/utils/sysctl
github.com/containernetworking/plugins/plugins/ipam/host-local/backend
github.com/containernetworking/plugins/plugins/ipam/host-local/backend/allocator
-# github.com/containers/buildah v1.16.2
+# github.com/containers/buildah v1.16.4
github.com/containers/buildah
github.com/containers/buildah/bind
github.com/containers/buildah/chroot