diff options
-rw-r--r-- | pkg/api/handlers/compat/images_build.go | 45 | ||||
-rw-r--r-- | pkg/bindings/images/build.go | 54 | ||||
-rw-r--r-- | test/e2e/build/Dockerfile.with-multiple-secret | 3 | ||||
-rw-r--r-- | test/e2e/build/Dockerfile.with-secret | 2 | ||||
-rw-r--r-- | test/e2e/build/Dockerfile.with-secret-verify-leak | 3 | ||||
-rw-r--r-- | test/e2e/build/anothersecret.txt | 1 | ||||
-rw-r--r-- | test/e2e/build/secret.txt | 1 | ||||
-rw-r--r-- | test/e2e/build_test.go | 39 |
8 files changed, 148 insertions, 0 deletions
diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go index bc53e9312..f85df02e1 100644 --- a/pkg/api/handlers/compat/images_build.go +++ b/pkg/api/handlers/compat/images_build.go @@ -122,6 +122,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { Target string `schema:"target"` Timestamp int64 `schema:"timestamp"` Ulimits string `schema:"ulimits"` + Secrets string `schema:"secrets"` }{ Dockerfile: "Dockerfile", Registry: "docker.io", @@ -242,6 +243,49 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { dnssearch = m } + var secrets = []string{} + if _, found := r.URL.Query()["secrets"]; found { + var m = []string{} + if err := json.Unmarshal([]byte(query.Secrets), &m); err != nil { + utils.BadRequest(w, "secrets", query.Secrets, err) + return + } + + // for podman-remote all secrets must be picked from context director + // hence modify src so contextdir is added as prefix + + for _, secret := range m { + secretOpt := strings.Split(secret, ",") + if len(secretOpt) > 0 { + modifiedOpt := []string{} + for _, token := range secretOpt { + arr := strings.SplitN(token, "=", 2) + if len(arr) > 1 { + if arr[0] == "src" { + /* move secret away from contextDir */ + /* to make sure we dont accidentally commit temporary secrets to image*/ + builderDirectory, _ := filepath.Split(contextDirectory) + // following path is outside build context + newSecretPath := filepath.Join(builderDirectory, arr[1]) + oldSecretPath := filepath.Join(contextDirectory, arr[1]) + err := os.Rename(oldSecretPath, newSecretPath) + if err != nil { + utils.BadRequest(w, "secrets", query.Secrets, err) + return + } + + modifiedSrc := fmt.Sprintf("src=%s", newSecretPath) + modifiedOpt = append(modifiedOpt, modifiedSrc) + } else { + modifiedOpt = append(modifiedOpt, token) + } + } + } + secrets = append(secrets, strings.Join(modifiedOpt[:], ",")) + } + } + } + var output string if len(tags) > 0 { possiblyNormalizedName, err := utils.NormalizeToDockerHub(r, tags[0]) @@ -476,6 +520,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { SeccompProfilePath: seccomp, ShmSize: strconv.Itoa(query.ShmSize), Ulimit: ulimits, + Secrets: secrets, }, CNIConfigDir: rtc.Network.CNIPluginDirs[0], CNIPluginPath: util.DefaultCNIPluginPath, diff --git a/pkg/bindings/images/build.go b/pkg/bindings/images/build.go index 3b0bebe9f..25770fdfc 100644 --- a/pkg/bindings/images/build.go +++ b/pkg/bindings/images/build.go @@ -5,6 +5,7 @@ import ( "compress/gzip" "context" "encoding/json" + "fmt" "io" "io/ioutil" "net/http" @@ -377,6 +378,59 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO } params.Set("dockerfile", string(cFileJSON)) } + + // build secrets are usually absolute host path or relative to context dir on host + // in any case move secret to current context and ship the tar. + if secrets := options.CommonBuildOpts.Secrets; len(secrets) > 0 { + secretsForRemote := []string{} + + for _, secret := range secrets { + secretOpt := strings.Split(secret, ",") + if len(secretOpt) > 0 { + modifiedOpt := []string{} + for _, token := range secretOpt { + arr := strings.SplitN(token, "=", 2) + if len(arr) > 1 { + if arr[0] == "src" { + // read specified secret into a tmp file + // move tmp file to tar and change secret source to relative tmp file + tmpSecretFile, err := ioutil.TempFile(options.ContextDirectory, "podman-build-secret") + if err != nil { + return nil, err + } + defer os.Remove(tmpSecretFile.Name()) // clean up + defer tmpSecretFile.Close() + srcSecretFile, err := os.Open(arr[1]) + if err != nil { + return nil, err + } + defer srcSecretFile.Close() + _, err = io.Copy(tmpSecretFile, srcSecretFile) + if err != nil { + return nil, err + } + + //add tmp file to context dir + tarContent = append(tarContent, tmpSecretFile.Name()) + + modifiedSrc := fmt.Sprintf("src=%s", filepath.Base(tmpSecretFile.Name())) + modifiedOpt = append(modifiedOpt, modifiedSrc) + } else { + modifiedOpt = append(modifiedOpt, token) + } + } + } + secretsForRemote = append(secretsForRemote, strings.Join(modifiedOpt[:], ",")) + } + } + + c, err := jsoniter.MarshalToString(secretsForRemote) + if err != nil { + return nil, err + } + params.Add("secrets", c) + } + tarfile, err := nTar(append(excludes, dontexcludes...), tarContent...) if err != nil { logrus.Errorf("Cannot tar container entries %v error: %v", tarContent, err) diff --git a/test/e2e/build/Dockerfile.with-multiple-secret b/test/e2e/build/Dockerfile.with-multiple-secret new file mode 100644 index 000000000..f3478914f --- /dev/null +++ b/test/e2e/build/Dockerfile.with-multiple-secret @@ -0,0 +1,3 @@ +FROM alpine +RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret +RUN --mount=type=secret,id=mysecret2 cat /run/secrets/mysecret2 diff --git a/test/e2e/build/Dockerfile.with-secret b/test/e2e/build/Dockerfile.with-secret new file mode 100644 index 000000000..920663a92 --- /dev/null +++ b/test/e2e/build/Dockerfile.with-secret @@ -0,0 +1,2 @@ +FROM alpine +RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret diff --git a/test/e2e/build/Dockerfile.with-secret-verify-leak b/test/e2e/build/Dockerfile.with-secret-verify-leak new file mode 100644 index 000000000..0957ac6a6 --- /dev/null +++ b/test/e2e/build/Dockerfile.with-secret-verify-leak @@ -0,0 +1,3 @@ +FROM alpine +COPY * / +RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret diff --git a/test/e2e/build/anothersecret.txt b/test/e2e/build/anothersecret.txt new file mode 100644 index 000000000..bc5fdbd32 --- /dev/null +++ b/test/e2e/build/anothersecret.txt @@ -0,0 +1 @@ +anothersecret diff --git a/test/e2e/build/secret.txt b/test/e2e/build/secret.txt new file mode 100644 index 000000000..d9106c0af --- /dev/null +++ b/test/e2e/build/secret.txt @@ -0,0 +1 @@ +somesecret diff --git a/test/e2e/build_test.go b/test/e2e/build_test.go index 420ed929f..c541f25ae 100644 --- a/test/e2e/build_test.go +++ b/test/e2e/build_test.go @@ -59,6 +59,45 @@ var _ = Describe("Podman build", func() { Expect(session).Should(Exit(0)) }) + It("podman build with a secret from file", func() { + session := podmanTest.Podman([]string{"build", "-f", "build/Dockerfile.with-secret", "-t", "secret-test", "--secret", "id=mysecret,src=build/secret.txt", "build/"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + Expect(session.OutputToString()).To(ContainSubstring("somesecret")) + + session = podmanTest.Podman([]string{"rmi", "secret-test"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + }) + + It("podman build with multiple secrets from files", func() { + session := podmanTest.Podman([]string{"build", "-f", "build/Dockerfile.with-multiple-secret", "-t", "multiple-secret-test", "--secret", "id=mysecret,src=build/secret.txt", "--secret", "id=mysecret2,src=build/anothersecret.txt", "build/"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + Expect(session.OutputToString()).To(ContainSubstring("somesecret")) + Expect(session.OutputToString()).To(ContainSubstring("anothersecret")) + + session = podmanTest.Podman([]string{"rmi", "multiple-secret-test"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + }) + + It("podman build with a secret from file and verify if secret file is not leaked into image", func() { + session := podmanTest.Podman([]string{"build", "-f", "build/Dockerfile.with-secret-verify-leak", "-t", "secret-test-leak", "--secret", "id=mysecret,src=build/secret.txt", "build/"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + Expect(session.OutputToString()).To(ContainSubstring("somesecret")) + + session = podmanTest.Podman([]string{"run", "--rm", "secret-test-leak", "ls"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + Expect(session.OutputToString()).To(Not(ContainSubstring("podman-build-secret"))) + + session = podmanTest.Podman([]string{"rmi", "secret-test-leak"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + }) + It("podman build with logfile", func() { logfile := filepath.Join(podmanTest.TempDir, "logfile") session := podmanTest.Podman([]string{"build", "--pull-never", "--tag", "test", "--logfile", logfile, "build/basicalpine"}) |