summaryrefslogtreecommitdiff
path: root/vendor/github.com/projectatomic
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/github.com/projectatomic')
-rw-r--r--vendor/github.com/projectatomic/buildah/bind/mount.go1
-rw-r--r--vendor/github.com/projectatomic/buildah/chroot/run.go70
-rw-r--r--vendor/github.com/projectatomic/buildah/chroot/seccomp.go2
-rw-r--r--vendor/github.com/projectatomic/buildah/config_noseccomp.go11
-rw-r--r--vendor/github.com/projectatomic/buildah/pkg/cli/common.go21
-rw-r--r--vendor/github.com/projectatomic/buildah/run.go41
-rw-r--r--vendor/github.com/projectatomic/buildah/seccomp.go (renamed from vendor/github.com/projectatomic/buildah/config_seccomp.go)2
-rw-r--r--vendor/github.com/projectatomic/buildah/seccomp_unsupported.go15
-rw-r--r--vendor/github.com/projectatomic/buildah/selinux.go12
-rw-r--r--vendor/github.com/projectatomic/buildah/selinux_unsupported.go10
10 files changed, 152 insertions, 33 deletions
diff --git a/vendor/github.com/projectatomic/buildah/bind/mount.go b/vendor/github.com/projectatomic/buildah/bind/mount.go
index 9f55ae468..695bde554 100644
--- a/vendor/github.com/projectatomic/buildah/bind/mount.go
+++ b/vendor/github.com/projectatomic/buildah/bind/mount.go
@@ -133,6 +133,7 @@ func SetupIntermediateMountNamespace(spec *specs.Spec, bundlePath string) (unmou
if err = unix.Mount(rootPath, rootfs, "", unix.MS_BIND|unix.MS_REC|unix.MS_PRIVATE, ""); err != nil {
return unmountAll, errors.Wrapf(err, "error bind mounting root filesystem from %q to %q", rootPath, rootfs)
}
+ logrus.Debugf("bind mounted %q to %q", rootPath, rootfs)
unmount = append([]string{rootfs}, unmount...)
spec.Root.Path = rootfs
diff --git a/vendor/github.com/projectatomic/buildah/chroot/run.go b/vendor/github.com/projectatomic/buildah/chroot/run.go
index 2cae5b9da..9a70e0f51 100644
--- a/vendor/github.com/projectatomic/buildah/chroot/run.go
+++ b/vendor/github.com/projectatomic/buildah/chroot/run.go
@@ -98,6 +98,7 @@ func RunUsingChroot(spec *specs.Spec, bundlePath string, stdin io.Reader, stdout
if err = ioutils.AtomicWriteFile(filepath.Join(bundlePath, "config.json"), specbytes, 0600); err != nil {
return errors.Wrapf(err, "error storing runtime configuration")
}
+ logrus.Debugf("config = %v", string(specbytes))
// Run the grandparent subprocess in a user namespace that reuses the mappings that we have.
uidmap, gidmap, err := util.GetHostIDMappings("")
@@ -381,11 +382,15 @@ func runUsingChrootMain() {
logrus.Error(what)
return false
}
- for readFd := range relays {
+ for readFd, writeFd := range relays {
if err := unix.SetNonblock(readFd, true); err != nil {
logrus.Errorf("error setting descriptor %d (%s) non-blocking: %v", readFd, fdDesc[readFd], err)
return
}
+ if err := unix.SetNonblock(writeFd, false); err != nil {
+ logrus.Errorf("error setting descriptor %d (%s) blocking: %v", relays[writeFd], fdDesc[writeFd], err)
+ return
+ }
}
go func() {
buffers := make(map[int]*bytes.Buffer)
@@ -429,6 +434,26 @@ func runUsingChrootMain() {
continue
}
}
+ // If this is the last of the data we'll be able to read
+ // from this descriptor, read as much as there is to read.
+ for rfd.Revents&unix.POLLHUP == unix.POLLHUP {
+ nr, err := unix.Read(int(rfd.Fd), b)
+ logIfNotRetryable(err, fmt.Sprintf("read %s: %v", fdDesc[int(rfd.Fd)], err))
+ if nr <= 0 {
+ break
+ }
+ if wfd, ok := relays[int(rfd.Fd)]; ok {
+ nwritten, err := buffers[wfd].Write(b[:nr])
+ if err != nil {
+ logrus.Debugf("buffer: %v", err)
+ break
+ }
+ if nwritten != nr {
+ logrus.Debugf("buffer: expected to buffer %d bytes, wrote %d", nr, nwritten)
+ break
+ }
+ }
+ }
}
if nread == 0 {
removeFds[int(rfd.Fd)] = struct{}{}
@@ -592,8 +617,7 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
// main() for parent subprocess. Its main job is to try to make our
// environment look like the one described by the runtime configuration blob,
-// and then launch the intended command as a child, since we can't exec()
-// directly.
+// and then launch the intended command as a child.
func runUsingChrootExecMain() {
args := os.Args[1:]
var options runUsingChrootExecSubprocOptions
@@ -630,6 +654,31 @@ func runUsingChrootExecMain() {
}
}
+ // Try to chroot into the root. Do this before we potentially block the syscall via the
+ // seccomp profile.
+ var oldst, newst unix.Stat_t
+ if err := unix.Stat(options.Spec.Root.Path, &oldst); err != nil {
+ fmt.Fprintf(os.Stderr, "error stat()ing intended root directory %q: %v\n", options.Spec.Root.Path, err)
+ os.Exit(1)
+ }
+ if err := unix.Chdir(options.Spec.Root.Path); err != nil {
+ fmt.Fprintf(os.Stderr, "error chdir()ing to intended root directory %q: %v\n", options.Spec.Root.Path, err)
+ os.Exit(1)
+ }
+ if err := unix.Chroot(options.Spec.Root.Path); err != nil {
+ fmt.Fprintf(os.Stderr, "error chroot()ing into directory %q: %v\n", options.Spec.Root.Path, err)
+ os.Exit(1)
+ }
+ if err := unix.Stat("/", &newst); err != nil {
+ fmt.Fprintf(os.Stderr, "error stat()ing current root directory: %v\n", err)
+ os.Exit(1)
+ }
+ if oldst.Dev != newst.Dev || oldst.Ino != newst.Ino {
+ fmt.Fprintf(os.Stderr, "unknown error chroot()ing into directory %q: %v\n", options.Spec.Root.Path, err)
+ os.Exit(1)
+ }
+ logrus.Debugf("chrooted into %q", options.Spec.Root.Path)
+
// not doing because it's still shared: creating devices
// not doing because it's not applicable: setting annotations
// not doing because it's still shared: setting sysctl settings
@@ -663,20 +712,21 @@ func runUsingChrootExecMain() {
os.Exit(1)
}
- // Try to chroot into the root.
- if err := unix.Chroot(options.Spec.Root.Path); err != nil {
- fmt.Fprintf(os.Stderr, "error chroot()ing into directory %q: %v\n", options.Spec.Root.Path, err)
- os.Exit(1)
- }
+ // Try to change to the directory.
cwd := options.Spec.Process.Cwd
if !filepath.IsAbs(cwd) {
cwd = "/" + cwd
}
+ cwd = filepath.Clean(cwd)
+ if err := unix.Chdir("/"); err != nil {
+ fmt.Fprintf(os.Stderr, "error chdir()ing into new root directory %q: %v\n", options.Spec.Root.Path, err)
+ os.Exit(1)
+ }
if err := unix.Chdir(cwd); err != nil {
- fmt.Fprintf(os.Stderr, "error chdir()ing into directory %q: %v\n", cwd, err)
+ fmt.Fprintf(os.Stderr, "error chdir()ing into directory %q under root %q: %v\n", cwd, options.Spec.Root.Path, err)
os.Exit(1)
}
- logrus.Debugf("chrooted into %q, changed working directory to %q", options.Spec.Root.Path, cwd)
+ logrus.Debugf("changed working directory to %q", cwd)
// Drop privileges.
user := options.Spec.Process.User
diff --git a/vendor/github.com/projectatomic/buildah/chroot/seccomp.go b/vendor/github.com/projectatomic/buildah/chroot/seccomp.go
index d5c5842d4..f2c55017f 100644
--- a/vendor/github.com/projectatomic/buildah/chroot/seccomp.go
+++ b/vendor/github.com/projectatomic/buildah/chroot/seccomp.go
@@ -105,7 +105,7 @@ func setSeccomp(spec *specs.Spec) error {
for _, name := range rule.Names {
scnum, err := libseccomp.GetSyscallFromName(name)
if err != nil {
- logrus.Debugf("error mapping syscall %q to a syscall, ignoring %q rule for %q", name, rule.Action)
+ logrus.Debugf("error mapping syscall %q to a syscall, ignoring %q rule for %q", name, rule.Action, name)
continue
}
scnames[scnum] = name
diff --git a/vendor/github.com/projectatomic/buildah/config_noseccomp.go b/vendor/github.com/projectatomic/buildah/config_noseccomp.go
deleted file mode 100644
index e8354cc55..000000000
--- a/vendor/github.com/projectatomic/buildah/config_noseccomp.go
+++ /dev/null
@@ -1,11 +0,0 @@
-// +build !seccomp
-
-package buildah
-
-import "github.com/opencontainers/runtime-spec/specs-go"
-
-func setupSeccomp(spec *specs.Spec, seccompProfilePath string) error {
- // If no seccomp is being used, the Seccomp profile in the Linux spec
- // is not set
- return nil
-}
diff --git a/vendor/github.com/projectatomic/buildah/pkg/cli/common.go b/vendor/github.com/projectatomic/buildah/pkg/cli/common.go
index 0d035f471..a438daf6a 100644
--- a/vendor/github.com/projectatomic/buildah/pkg/cli/common.go
+++ b/vendor/github.com/projectatomic/buildah/pkg/cli/common.go
@@ -10,6 +10,7 @@ import (
"strings"
"github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/pkg/errors"
"github.com/projectatomic/buildah"
"github.com/projectatomic/buildah/util"
"github.com/urfave/cli"
@@ -68,6 +69,13 @@ var (
},
}
+ LayerFlags = []cli.Flag{
+ cli.BoolFlag{
+ Name: "layers",
+ Usage: fmt.Sprintf("cache intermediate layers during build. Use BUILDAH_LAYERS environment variable to override. (default %t)", UseLayers()),
+ },
+ }
+
BudFlags = []cli.Flag{
cli.StringSliceFlag{
Name: "annotation",
@@ -130,10 +138,6 @@ var (
Usage: "Set metadata for an image (default [])",
},
cli.BoolFlag{
- Name: "layers",
- Usage: fmt.Sprintf("cache intermediate layers during build. Use BUILDAH_LAYERS environment variable to override. (default %t)", UseLayers()),
- },
- cli.BoolFlag{
Name: "no-cache",
Usage: "Do not use existing cached images for the container build. Build from the start with a new set of cached layers.",
},
@@ -280,3 +284,12 @@ func DefaultIsolation() string {
}
return buildah.OCI
}
+
+func VerifyFlagsArgsOrder(args []string) error {
+ for _, arg := range args {
+ if strings.HasPrefix(arg, "-") {
+ return errors.Errorf("No options (%s) can be specified after the image or container name", arg)
+ }
+ }
+ return nil
+}
diff --git a/vendor/github.com/projectatomic/buildah/run.go b/vendor/github.com/projectatomic/buildah/run.go
index 71a76862e..12560de3c 100644
--- a/vendor/github.com/projectatomic/buildah/run.go
+++ b/vendor/github.com/projectatomic/buildah/run.go
@@ -973,8 +973,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
} else if b.WorkDir() != "" {
g.SetProcessCwd(b.WorkDir())
}
- g.SetProcessSelinuxLabel(b.ProcessLabel)
- g.SetLinuxMountLabel(b.MountLabel)
+ setupSelinux(g, b.ProcessLabel, b.MountLabel)
mountPoint, err := b.Mount(b.MountLabel)
if err != nil {
return err
@@ -1017,6 +1016,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
if spec.Process.Cwd == "" {
spec.Process.Cwd = DefaultWorkingDir
}
+ logrus.Debugf("ensuring working directory %q exists", filepath.Join(mountPoint, spec.Process.Cwd))
if err = os.MkdirAll(filepath.Join(mountPoint, spec.Process.Cwd), 0755); err != nil {
return errors.Wrapf(err, "error ensuring working directory %q exists", spec.Process.Cwd)
}
@@ -1760,11 +1760,14 @@ func runCopyStdio(stdio *sync.WaitGroup, copyPipes bool, stdioPipe [][]int, copy
writeDesc[unix.Stderr] = "stderr"
}
// Set our reading descriptors to non-blocking.
- for fd := range relayMap {
- if err := unix.SetNonblock(fd, true); err != nil {
- logrus.Errorf("error setting %s to nonblocking: %v", readDesc[fd], err)
+ for rfd, wfd := range relayMap {
+ if err := unix.SetNonblock(rfd, true); err != nil {
+ logrus.Errorf("error setting %s to nonblocking: %v", readDesc[rfd], err)
return
}
+ if err := unix.SetNonblock(wfd, false); err != nil {
+ logrus.Errorf("error setting descriptor %d (%s) blocking: %v", wfd, writeDesc[wfd], err)
+ }
}
// A helper that returns false if err is an error that would cause us
// to give up.
@@ -1837,7 +1840,33 @@ func runCopyStdio(stdio *sync.WaitGroup, copyPipes bool, stdioPipe [][]int, copy
}
if n > 0 {
// Buffer the data in case we get blocked on where they need to go.
- relayBuffer[writeFD].Write(buf[:n])
+ nwritten, err := relayBuffer[writeFD].Write(buf[:n])
+ if err != nil {
+ logrus.Debugf("buffer: %v", err)
+ continue
+ }
+ if nwritten != n {
+ logrus.Debugf("buffer: expected to buffer %d bytes, wrote %d", n, nwritten)
+ continue
+ }
+ // If this is the last of the data we'll be able to read from this
+ // descriptor, read all that there is to read.
+ for pollFd.Revents&unix.POLLHUP == unix.POLLHUP {
+ nr, err := unix.Read(readFD, buf)
+ logIfNotRetryable(err, fmt.Sprintf("read %s: %v", readDesc[readFD], err))
+ if nr <= 0 {
+ break
+ }
+ nwritten, err := relayBuffer[writeFD].Write(buf[:nr])
+ if err != nil {
+ logrus.Debugf("buffer: %v", err)
+ break
+ }
+ if nwritten != nr {
+ logrus.Debugf("buffer: expected to buffer %d bytes, wrote %d", nr, nwritten)
+ break
+ }
+ }
}
}
}
diff --git a/vendor/github.com/projectatomic/buildah/config_seccomp.go b/vendor/github.com/projectatomic/buildah/seccomp.go
index a5bb010c0..a435b5f71 100644
--- a/vendor/github.com/projectatomic/buildah/config_seccomp.go
+++ b/vendor/github.com/projectatomic/buildah/seccomp.go
@@ -1,4 +1,4 @@
-// +build seccomp
+// +build seccomp,linux
package buildah
diff --git a/vendor/github.com/projectatomic/buildah/seccomp_unsupported.go b/vendor/github.com/projectatomic/buildah/seccomp_unsupported.go
new file mode 100644
index 000000000..cba8390c5
--- /dev/null
+++ b/vendor/github.com/projectatomic/buildah/seccomp_unsupported.go
@@ -0,0 +1,15 @@
+// +build !seccomp !linux
+
+package buildah
+
+import (
+ "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func setupSeccomp(spec *specs.Spec, seccompProfilePath string) error {
+ if spec.Linux != nil {
+ // runtime-tools may have supplied us with a default filter
+ spec.Linux.Seccomp = nil
+ }
+ return nil
+}
diff --git a/vendor/github.com/projectatomic/buildah/selinux.go b/vendor/github.com/projectatomic/buildah/selinux.go
new file mode 100644
index 000000000..2b850cf9f
--- /dev/null
+++ b/vendor/github.com/projectatomic/buildah/selinux.go
@@ -0,0 +1,12 @@
+// +build selinux,linux
+
+package buildah
+
+import (
+ "github.com/opencontainers/runtime-tools/generate"
+)
+
+func setupSelinux(g *generate.Generator, processLabel, mountLabel string) {
+ g.SetProcessSelinuxLabel(processLabel)
+ g.SetLinuxMountLabel(mountLabel)
+}
diff --git a/vendor/github.com/projectatomic/buildah/selinux_unsupported.go b/vendor/github.com/projectatomic/buildah/selinux_unsupported.go
new file mode 100644
index 000000000..0aa7c46e4
--- /dev/null
+++ b/vendor/github.com/projectatomic/buildah/selinux_unsupported.go
@@ -0,0 +1,10 @@
+// +build !selinux !linux
+
+package buildah
+
+import (
+ "github.com/opencontainers/runtime-tools/generate"
+)
+
+func setupSelinux(g *generate.Generator, processLabel, mountLabel string) {
+}