diff options
-rw-r--r-- | go.mod | 2 | ||||
-rw-r--r-- | go.sum | 4 | ||||
-rw-r--r-- | vendor/github.com/containers/buildah/.golangci.yml | 40 | ||||
-rw-r--r-- | vendor/github.com/containers/buildah/CHANGELOG.md | 11 | ||||
-rw-r--r-- | vendor/github.com/containers/buildah/add.go | 26 | ||||
-rw-r--r-- | vendor/github.com/containers/buildah/buildah.go | 2 | ||||
-rw-r--r-- | vendor/github.com/containers/buildah/changelog.txt | 11 | ||||
-rw-r--r-- | vendor/github.com/containers/buildah/chroot/run.go | 12 | ||||
-rw-r--r-- | vendor/github.com/containers/buildah/chroot/seccomp.go | 26 | ||||
-rw-r--r-- | vendor/github.com/containers/buildah/copier/copier.go | 48 | ||||
-rw-r--r-- | vendor/modules.txt | 2 |
11 files changed, 123 insertions, 61 deletions
@@ -11,7 +11,7 @@ require ( github.com/containerd/containerd v1.4.1 // indirect github.com/containernetworking/cni v0.8.0 github.com/containernetworking/plugins v0.8.7 - github.com/containers/buildah v1.16.2 + github.com/containers/buildah v1.16.4 github.com/containers/common v0.23.0 github.com/containers/conmon v2.0.20+incompatible github.com/containers/image/v5 v5.6.0 @@ -70,8 +70,8 @@ github.com/containernetworking/cni v0.8.0 h1:BT9lpgGoH4jw3lFC7Odz2prU5ruiYKcgAjM github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= github.com/containernetworking/plugins v0.8.7 h1:bU7QieuAp+sACI2vCzESJ3FoT860urYP+lThyZkb/2M= github.com/containernetworking/plugins v0.8.7/go.mod h1:R7lXeZaBzpfqapcAbHRW8/CYwm0dHzbz0XEjofx0uB0= -github.com/containers/buildah v1.16.2 h1:u8RA0r9sp3d5df/QRm0glG7L6ZN40UVJcYedwcZGt8w= -github.com/containers/buildah v1.16.2/go.mod h1:i1XqXgpCROnfcq4oNtfrFEk7UzNDxLJ/PZ+CnPyoIq8= +github.com/containers/buildah v1.16.4 h1:bxthp2FoGcpc2O/RyvbGUAZoefmc5hRBqWQi3BjRu7w= +github.com/containers/buildah v1.16.4/go.mod h1:i1XqXgpCROnfcq4oNtfrFEk7UzNDxLJ/PZ+CnPyoIq8= github.com/containers/common v0.21.0/go.mod h1:8w8SVwc+P2p1MOnRMbSKNWXt1Iwd2bKFu2LLZx55DTM= github.com/containers/common v0.23.0 h1:+g4mI3wUYSzOtoWU9TNVoV4K52/aN6JEz0qs1YdPEe8= github.com/containers/common v0.23.0/go.mod h1:E56/N0beWGf+lrrJX32atuo2hkjzHwSC8n1vCG+TAR0= diff --git a/vendor/github.com/containers/buildah/.golangci.yml b/vendor/github.com/containers/buildah/.golangci.yml index 888d89afa..f8247f049 100644 --- a/vendor/github.com/containers/buildah/.golangci.yml +++ b/vendor/github.com/containers/buildah/.golangci.yml @@ -7,38 +7,26 @@ run: # Don't exceed number of threads available when running under CI concurrency: 4 linters: - disable-all: true - enable: - - bodyclose + enable-all: true + disable: + # All these break for one reason or another - deadcode - depguard - dupl - errcheck - - gofmt - - goimports + - gochecknoglobals + - gochecknoinits + - goconst + - gocritic + - gocyclo - golint - # Broken? Unpredictably dies w/o any error well before deadline/timeout expires - # - gosimple - - govet - - ineffassign - - interfacer - - misspell - - nakedret - - staticcheck + - gosec + - gosimple + - lll + - maligned + - prealloc + - scopelint - structcheck - - stylecheck - typecheck - unconvert - - unparam - - unused - varcheck - # - gochecknoglobals - # - gochecknoinits - # - goconst - # - gocritic - # - gocyclo - # - gosec - # - lll - # - maligned - # - prealloc - # - scopelint diff --git a/vendor/github.com/containers/buildah/CHANGELOG.md b/vendor/github.com/containers/buildah/CHANGELOG.md index 6168dc317..ca6a98889 100644 --- a/vendor/github.com/containers/buildah/CHANGELOG.md +++ b/vendor/github.com/containers/buildah/CHANGELOG.md @@ -2,10 +2,21 @@ # Changelog +## v1.16.4 (2020-10-01) + ADD: only expand archives at the right time + +## v1.16.3 (2020-09-30) + Lint: Use same linters as podman + add: preserve ownerships and permissions on ADDed archives + chroot: fix handling of errno seccomp rules + git-validation.sh: set the base for comparison to v1.16.0 + chroot: create bind mount targets 0755 instead of 0700 + ## v1.16.2 (2020-09-21) Add(): fix handling of relative paths with no ContextDir ## v1.16.1 (2020-09-10) + CI: use release-1.16 as the basis for validation tests copier.Get(): hard link targets shouldn't be relative paths ## v1.16.0 (2020-09-03) diff --git a/vendor/github.com/containers/buildah/add.go b/vendor/github.com/containers/buildah/add.go index bbfdda9c1..a3f3c7a37 100644 --- a/vendor/github.com/containers/buildah/add.go +++ b/vendor/github.com/containers/buildah/add.go @@ -33,7 +33,8 @@ type AddAndCopyOptions struct { Chown string // PreserveOwnership, if Chown is not set, tells us to avoid setting // ownership of copied items to 0:0, instead using whatever ownership - // information is already set. Not meaningful for remote sources. + // information is already set. Not meaningful for remote sources or + // local archives that we extract. PreserveOwnership bool // All of the data being copied will pass through Hasher, if set. // If the sources are URLs or files, their contents will be passed to @@ -210,7 +211,6 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption // Find out which user (and group) the destination should belong to. var chownDirs, chownFiles *idtools.IDPair - var chmodDirs, chmodFiles *os.FileMode var user specs.User if options.Chown != "" { user, _, err = b.user(mountPoint, options.Chown) @@ -319,9 +319,9 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption UIDMap: destUIDMap, GIDMap: destGIDMap, ChownDirs: chownDirs, - ChmodDirs: chmodDirs, + ChmodDirs: nil, ChownFiles: chownFiles, - ChmodFiles: chmodFiles, + ChmodFiles: nil, } putErr = copier.Put(mountPoint, extractDirectory, putOptions, io.TeeReader(pipeReader, hasher)) } @@ -396,6 +396,10 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption GIDMap: srcGIDMap, Excludes: options.Excludes, ExpandArchives: extract, + ChownDirs: chownDirs, + ChmodDirs: nil, + ChownFiles: chownFiles, + ChmodFiles: nil, StripSetuidBit: options.StripSetuidBit, StripSetgidBit: options.StripSetgidBit, StripStickyBit: options.StripStickyBit, @@ -423,12 +427,14 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption _, putErr = io.Copy(hasher, pipeReader) } else { putOptions := copier.PutOptions{ - UIDMap: destUIDMap, - GIDMap: destGIDMap, - ChownDirs: chownDirs, - ChmodDirs: chmodDirs, - ChownFiles: chownFiles, - ChmodFiles: chmodFiles, + UIDMap: destUIDMap, + GIDMap: destGIDMap, + DefaultDirOwner: chownDirs, + DefaultDirMode: nil, + ChownDirs: nil, + ChmodDirs: nil, + ChownFiles: nil, + ChmodFiles: nil, } putErr = copier.Put(mountPoint, extractDirectory, putOptions, io.TeeReader(pipeReader, hasher)) } diff --git a/vendor/github.com/containers/buildah/buildah.go b/vendor/github.com/containers/buildah/buildah.go index e63cfff3a..2ac0210bd 100644 --- a/vendor/github.com/containers/buildah/buildah.go +++ b/vendor/github.com/containers/buildah/buildah.go @@ -28,7 +28,7 @@ const ( Package = "buildah" // Version for the Package. Bump version in contrib/rpm/buildah.spec // too. - Version = "1.16.2" + Version = "1.16.4" // The value we use to identify what type of information, currently a // serialized Builder structure, we are using as per-container state. // This should only be changed when we make incompatible changes to diff --git a/vendor/github.com/containers/buildah/changelog.txt b/vendor/github.com/containers/buildah/changelog.txt index d34ede417..048dc61c1 100644 --- a/vendor/github.com/containers/buildah/changelog.txt +++ b/vendor/github.com/containers/buildah/changelog.txt @@ -1,7 +1,18 @@ +- Changelog for v1.16.4 (2020-10-01) + * ADD: only expand archives at the right time + +- Changelog for v1.16.3 (2020-09-30) + * Lint: Use same linters as podman + * add: preserve ownerships and permissions on ADDed archives + * chroot: fix handling of errno seccomp rules + * git-validation.sh: set the base for comparison to v1.16.0 + * chroot: create bind mount targets 0755 instead of 0700 + - Changelog for v1.16.2 (2020-09-21) * Add(): fix handling of relative paths with no ContextDir - Changelog for v1.16.1 (2020-09-10) + * CI: use release-1.16 as the basis for validation tests * copier.Get(): hard link targets shouldn't be relative paths - Changelog for v1.16.0 (2020-09-03) diff --git a/vendor/github.com/containers/buildah/chroot/run.go b/vendor/github.com/containers/buildah/chroot/run.go index 7a83a73a3..e8842f7a9 100644 --- a/vendor/github.com/containers/buildah/chroot/run.go +++ b/vendor/github.com/containers/buildah/chroot/run.go @@ -1047,7 +1047,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func( subDev := filepath.Join(spec.Root.Path, "/dev") if err := unix.Mount("/dev", subDev, "bind", devFlags, ""); err != nil { if os.IsNotExist(err) { - err = os.Mkdir(subDev, 0700) + err = os.Mkdir(subDev, 0755) if err == nil { err = unix.Mount("/dev", subDev, "bind", devFlags, "") } @@ -1071,7 +1071,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func( subProc := filepath.Join(spec.Root.Path, "/proc") if err := unix.Mount("/proc", subProc, "bind", procFlags, ""); err != nil { if os.IsNotExist(err) { - err = os.Mkdir(subProc, 0700) + err = os.Mkdir(subProc, 0755) if err == nil { err = unix.Mount("/proc", subProc, "bind", procFlags, "") } @@ -1086,7 +1086,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func( subSys := filepath.Join(spec.Root.Path, "/sys") if err := unix.Mount("/sys", subSys, "bind", sysFlags, ""); err != nil { if os.IsNotExist(err) { - err = os.Mkdir(subSys, 0700) + err = os.Mkdir(subSys, 0755) if err == nil { err = unix.Mount("/sys", subSys, "bind", sysFlags, "") } @@ -1163,15 +1163,15 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func( } // The target isn't there yet, so create it. if srcinfo.IsDir() { - if err = os.MkdirAll(target, 0111); err != nil { + if err = os.MkdirAll(target, 0755); err != nil { return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target) } } else { - if err = os.MkdirAll(filepath.Dir(target), 0111); err != nil { + if err = os.MkdirAll(filepath.Dir(target), 0755); err != nil { return undoBinds, errors.Wrapf(err, "error ensuring parent of mountpoint %q (%q) is present in mount namespace", target, filepath.Dir(target)) } var file *os.File - if file, err = os.OpenFile(target, os.O_WRONLY|os.O_CREATE, 0); err != nil { + if file, err = os.OpenFile(target, os.O_WRONLY|os.O_CREATE, 0755); err != nil { return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target) } file.Close() diff --git a/vendor/github.com/containers/buildah/chroot/seccomp.go b/vendor/github.com/containers/buildah/chroot/seccomp.go index 12a9b0032..1ca0a159e 100644 --- a/vendor/github.com/containers/buildah/chroot/seccomp.go +++ b/vendor/github.com/containers/buildah/chroot/seccomp.go @@ -15,18 +15,28 @@ func setSeccomp(spec *specs.Spec) error { if spec.Linux.Seccomp == nil { return nil } - mapAction := func(specAction specs.LinuxSeccompAction) libseccomp.ScmpAction { + mapAction := func(specAction specs.LinuxSeccompAction, errnoRet *uint) libseccomp.ScmpAction { switch specAction { case specs.ActKill: return libseccomp.ActKill case specs.ActTrap: return libseccomp.ActTrap case specs.ActErrno: - return libseccomp.ActErrno + action := libseccomp.ActErrno + if errnoRet != nil { + action = action.SetReturnCode(int16(*errnoRet)) + } + return action case specs.ActTrace: return libseccomp.ActTrace case specs.ActAllow: return libseccomp.ActAllow + case specs.ActLog: + return libseccomp.ActLog + case specs.ActKillProcess: + return libseccomp.ActKillProcess + default: + logrus.Errorf("unmappable action %v", specAction) } return libseccomp.ActInvalid } @@ -68,6 +78,8 @@ func setSeccomp(spec *specs.Spec) error { /* fallthrough */ /* for now */ case specs.ArchPARISC64: /* fallthrough */ /* for now */ + default: + logrus.Errorf("unmappable arch %v", specArch) } return libseccomp.ArchInvalid } @@ -87,11 +99,13 @@ func setSeccomp(spec *specs.Spec) error { return libseccomp.CompareGreater case specs.OpMaskedEqual: return libseccomp.CompareMaskedEqual + default: + logrus.Errorf("unmappable op %v", op) } return libseccomp.CompareInvalid } - filter, err := libseccomp.NewFilter(mapAction(spec.Linux.Seccomp.DefaultAction)) + filter, err := libseccomp.NewFilter(mapAction(spec.Linux.Seccomp.DefaultAction, nil)) if err != nil { return errors.Wrapf(err, "error creating seccomp filter with default action %q", spec.Linux.Seccomp.DefaultAction) } @@ -112,7 +126,7 @@ func setSeccomp(spec *specs.Spec) error { } for scnum := range scnames { if len(rule.Args) == 0 { - if err = filter.AddRule(scnum, mapAction(rule.Action)); err != nil { + if err = filter.AddRule(scnum, mapAction(rule.Action, rule.ErrnoRet)); err != nil { return errors.Wrapf(err, "error adding a rule (%q:%q) to seccomp filter", scnames[scnum], rule.Action) } continue @@ -129,7 +143,7 @@ func setSeccomp(spec *specs.Spec) error { } conditions = append(conditions, condition) } - if err = filter.AddRuleConditional(scnum, mapAction(rule.Action), conditions); err != nil { + if err = filter.AddRuleConditional(scnum, mapAction(rule.Action, rule.ErrnoRet), conditions); err != nil { // Okay, if the rules specify multiple equality // checks, assume someone thought that they // were OR'd, when in fact they're ordinarily @@ -137,7 +151,7 @@ func setSeccomp(spec *specs.Spec) error { // different rules to get that OR effect. if len(rule.Args) > 1 && opsAreAllEquality && err.Error() == "two checks on same syscall argument" { for i := range conditions { - if err = filter.AddRuleConditional(scnum, mapAction(rule.Action), conditions[i:i+1]); err != nil { + if err = filter.AddRuleConditional(scnum, mapAction(rule.Action, rule.ErrnoRet), conditions[i:i+1]); err != nil { return errors.Wrapf(err, "error adding a conditional rule (%q:%q[%d]) to seccomp filter", scnames[scnum], rule.Action, i) } } diff --git a/vendor/github.com/containers/buildah/copier/copier.go b/vendor/github.com/containers/buildah/copier/copier.go index a980fe292..1021aeb6f 100644 --- a/vendor/github.com/containers/buildah/copier/copier.go +++ b/vendor/github.com/containers/buildah/copier/copier.go @@ -222,6 +222,10 @@ type GetOptions struct { UIDMap, GIDMap []idtools.IDMap // map from hostIDs to containerIDs in the output archive Excludes []string // contents to pretend don't exist, using the OS-specific path separator ExpandArchives bool // extract the contents of named items that are archives + ChownDirs *idtools.IDPair // set ownership on directories. no effect on archives being extracted + ChmodDirs *os.FileMode // set permissions on directories. no effect on archives being extracted + ChownFiles *idtools.IDPair // set ownership of files. no effect on archives being extracted + ChmodFiles *os.FileMode // set permissions on files. no effect on archives being extracted StripSetuidBit bool // strip the setuid bit off of items being copied. no effect on archives being extracted StripSetgidBit bool // strip the setgid bit off of items being copied. no effect on archives being extracted StripStickyBit bool // strip the sticky bit off of items being copied. no effect on archives being extracted @@ -265,6 +269,8 @@ func Get(root string, directory string, options GetOptions, globs []string, bulk // PutOptions controls parts of Put()'s behavior. type PutOptions struct { UIDMap, GIDMap []idtools.IDMap // map from containerIDs to hostIDs when writing contents to disk + DefaultDirOwner *idtools.IDPair // set ownership of implicitly-created directories, default is ChownDirs, or 0:0 if ChownDirs not set + DefaultDirMode *os.FileMode // set permissions on implicitly-created directories, default is ChmodDirs, or 0755 if ChmodDirs not set ChownDirs *idtools.IDPair // set ownership of newly-created directories ChmodDirs *os.FileMode // set permissions on newly-created directories ChownFiles *idtools.IDPair // set ownership of newly-created files @@ -1032,6 +1038,9 @@ func copierHandlerGet(bulkWriter io.Writer, req request, pm *fileutils.PatternMa } // evaluate excludes relative to the root directory if info.Mode().IsDir() { + // we don't expand any of the contents that are archives + options := req.GetOptions + options.ExpandArchives = false walkfn := func(path string, info os.FileInfo, err error) error { // compute the path of this item // relative to the top-level directory, @@ -1073,7 +1082,7 @@ func copierHandlerGet(bulkWriter io.Writer, req request, pm *fileutils.PatternMa symlinkTarget = target } // add the item to the outgoing tar stream - return copierHandlerGetOne(info, symlinkTarget, rel, path, req.GetOptions, tw, hardlinkChecker, idMappings) + return copierHandlerGetOne(info, symlinkTarget, rel, path, options, tw, hardlinkChecker, idMappings) } // walk the directory tree, checking/adding items individually if err := filepath.Walk(item, walkfn); err != nil { @@ -1193,6 +1202,22 @@ func copierHandlerGetOne(srcfi os.FileInfo, symlinkTarget, name, contentPath str return errors.Wrapf(err, "error mapping host filesystem owners %#v to container filesystem owners", hostPair) } } + // force ownership and/or permissions, if requested + if hdr.Typeflag == tar.TypeDir { + if options.ChownDirs != nil { + hdr.Uid, hdr.Gid = options.ChownDirs.UID, options.ChownDirs.GID + } + if options.ChmodDirs != nil { + hdr.Mode = int64(*options.ChmodDirs) + } + } else { + if options.ChownFiles != nil { + hdr.Uid, hdr.Gid = options.ChownFiles.UID, options.ChownFiles.GID + } + if options.ChmodFiles != nil { + hdr.Mode = int64(*options.ChmodFiles) + } + } // output the header if err = tw.WriteHeader(hdr); err != nil { return errors.Wrapf(err, "error writing header for %s (%s)", contentPath, hdr.Name) @@ -1220,13 +1245,20 @@ func copierHandlerPut(bulkReader io.Reader, req request, idMappings *idtools.IDM errorResponse := func(fmtspec string, args ...interface{}) (*response, func() error, error) { return &response{Error: fmt.Sprintf(fmtspec, args...), Put: putResponse{}}, nil, nil } - dirUID, dirGID := 0, 0 + dirUID, dirGID, defaultDirUID, defaultDirGID := 0, 0, 0, 0 if req.PutOptions.ChownDirs != nil { dirUID, dirGID = req.PutOptions.ChownDirs.UID, req.PutOptions.ChownDirs.GID + defaultDirUID, defaultDirGID = dirUID, dirGID } - dirMode := os.FileMode(0755) + defaultDirMode := os.FileMode(0755) if req.PutOptions.ChmodDirs != nil { - dirMode = *req.PutOptions.ChmodDirs + defaultDirMode = *req.PutOptions.ChmodDirs + } + if req.PutOptions.DefaultDirOwner != nil { + defaultDirUID, defaultDirGID = req.PutOptions.DefaultDirOwner.UID, req.PutOptions.DefaultDirOwner.GID + } + if req.PutOptions.DefaultDirMode != nil { + defaultDirMode = *req.PutOptions.DefaultDirMode } var fileUID, fileGID *int if req.PutOptions.ChownFiles != nil { @@ -1258,11 +1290,11 @@ func copierHandlerPut(bulkReader io.Reader, req request, idMappings *idtools.IDM subdir = filepath.Join(subdir, component) path := filepath.Join(req.Root, subdir) if err := os.Mkdir(path, 0700); err == nil { - if err = lchown(path, dirUID, dirGID); err != nil { - return errors.Wrapf(err, "copier: put: error setting owner of %q to %d:%d", path, dirUID, dirGID) + if err = lchown(path, defaultDirUID, defaultDirGID); err != nil { + return errors.Wrapf(err, "copier: put: error setting owner of %q to %d:%d", path, defaultDirUID, defaultDirGID) } - if err = os.Chmod(path, dirMode); err != nil { - return errors.Wrapf(err, "copier: put: error setting permissions on %q to 0%o", path, dirMode) + if err = os.Chmod(path, defaultDirMode); err != nil { + return errors.Wrapf(err, "copier: put: error setting permissions on %q to 0%o", path, defaultDirMode) } } else { if !os.IsExist(err) { diff --git a/vendor/modules.txt b/vendor/modules.txt index 3c7749b57..0a7e6ad44 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -67,7 +67,7 @@ github.com/containernetworking/plugins/pkg/utils/hwaddr github.com/containernetworking/plugins/pkg/utils/sysctl github.com/containernetworking/plugins/plugins/ipam/host-local/backend github.com/containernetworking/plugins/plugins/ipam/host-local/backend/allocator -# github.com/containers/buildah v1.16.2 +# github.com/containers/buildah v1.16.4 github.com/containers/buildah github.com/containers/buildah/bind github.com/containers/buildah/chroot |