diff options
Diffstat (limited to 'vendor/github.com/projectatomic')
10 files changed, 930 insertions, 151 deletions
diff --git a/vendor/github.com/projectatomic/buildah/buildah.go b/vendor/github.com/projectatomic/buildah/buildah.go index a14ec0a61..b05e5deb1 100644 --- a/vendor/github.com/projectatomic/buildah/buildah.go +++ b/vendor/github.com/projectatomic/buildah/buildah.go @@ -3,6 +3,7 @@ package buildah import ( "context" "encoding/json" + "fmt" "io" "io/ioutil" "os" @@ -35,11 +36,14 @@ const ( stateFile = Package + ".json" ) +// PullPolicy takes the value PullIfMissing, PullAlways, or PullNever. +type PullPolicy int + const ( // PullIfMissing is one of the values that BuilderOptions.PullPolicy // can take, signalling that the source image should be pulled from a // registry if a local copy of it is not already present. - PullIfMissing = iota + PullIfMissing PullPolicy = iota // PullAlways is one of the values that BuilderOptions.PullPolicy can // take, signalling that a fresh, possibly updated, copy of the image // should be pulled from a registry before the build proceeds. @@ -50,6 +54,19 @@ const ( PullNever ) +// String converts a PullPolicy into a string. +func (p PullPolicy) String() string { + switch p { + case PullIfMissing: + return "PullIfMissing" + case PullAlways: + return "PullAlways" + case PullNever: + return "PullNever" + } + return fmt.Sprintf("unrecognized policy %d", p) +} + // Builder objects are used to represent containers which are being used to // build images. They also carry potential updates which will be applied to // the image's configuration when the container's contents are used to build an @@ -95,9 +112,11 @@ type Builder struct { // Image metadata and runtime settings, in multiple formats. OCIv1 v1.Image `json:"ociv1,omitempty"` Docker docker.V2Image `json:"docker,omitempty"` - // DefaultMountsFilePath is the file path holding the mounts to be mounted in "host-path:container-path" format + + // DefaultMountsFilePath is the file path holding the mounts to be mounted in "host-path:container-path" format. DefaultMountsFilePath string `json:"defaultMountsFilePath,omitempty"` - CommonBuildOpts *CommonBuildOptions + + CommonBuildOpts *CommonBuildOptions } // BuilderInfo are used as objects to display container information @@ -140,35 +159,54 @@ func GetBuildInfo(b *Builder) BuilderInfo { } } -// CommonBuildOptions are reseources that can be defined by flags for both buildah from and bud +// CommonBuildOptions are resources that can be defined by flags for both buildah from and build-using-dockerfile type CommonBuildOptions struct { // AddHost is the list of hostnames to add to the resolv.conf AddHost []string - //CgroupParent it the path to cgroups under which the cgroup for the container will be created. + // CgroupParent is the path to cgroups under which the cgroup for the container will be created. CgroupParent string - //CPUPeriod limits the CPU CFS (Completely Fair Scheduler) period + // CPUPeriod limits the CPU CFS (Completely Fair Scheduler) period CPUPeriod uint64 - //CPUQuota limits the CPU CFS (Completely Fair Scheduler) quota + // CPUQuota limits the CPU CFS (Completely Fair Scheduler) quota CPUQuota int64 - //CPUShares (relative weight + // CPUShares (relative weight CPUShares uint64 - //CPUSetCPUs in which to allow execution (0-3, 0,1) + // CPUSetCPUs in which to allow execution (0-3, 0,1) CPUSetCPUs string - //CPUSetMems memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems. + // CPUSetMems memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems. CPUSetMems string - //Memory limit + // Memory is the upper limit (in bytes) on how much memory running containers can use. Memory int64 - //MemorySwap limit value equal to memory plus swap. + // MemorySwap limits the amount of memory and swap together. MemorySwap int64 - //SecruityOpts modify the way container security is running - LabelOpts []string + // LabelOpts is the a slice of fields of an SELinux context, given in "field:pair" format, or "disable". + // Recognized field names are "role", "type", and "level". + LabelOpts []string + // SeccompProfilePath is the pathname of a seccomp profile. SeccompProfilePath string - ApparmorProfile string - //ShmSize is the shared memory size + // ApparmorProfile is the name of an apparmor profile. + ApparmorProfile string + // ShmSize is the "size" value to use when mounting an shmfs on the container's /dev/shm directory. ShmSize string - //Ulimit options + // Ulimit specifies resource limit options, in the form type:softlimit[:hardlimit]. + // These types are recognized: + // "core": maximimum core dump size (ulimit -c) + // "cpu": maximum CPU time (ulimit -t) + // "data": maximum size of a process's data segment (ulimit -d) + // "fsize": maximum size of new files (ulimit -f) + // "locks": maximum number of file locks (ulimit -x) + // "memlock": maximum amount of locked memory (ulimit -l) + // "msgqueue": maximum amount of data in message queues (ulimit -q) + // "nice": niceness adjustment (nice -n, ulimit -e) + // "nofile": maximum number of open files (ulimit -n) + // "nproc": maximum number of processes (ulimit -u) + // "rss": maximum size of a process's (ulimit -m) + // "rtprio": maximum real-time scheduling priority (ulimit -r) + // "rttime": maximum amount of real-time execution between blocking syscalls + // "sigpending": maximum number of pending signals (ulimit -i) + // "stack": maximum stack size (ulimit -s) Ulimit []string - //Volumes to bind mount into the container + // Volumes to bind mount into the container Volumes []string } @@ -184,7 +222,7 @@ type BuilderOptions struct { // PullPolicy decides whether or not we should pull the image that // we're using as a base image. It should be PullIfMissing, // PullAlways, or PullNever. - PullPolicy int + PullPolicy PullPolicy // Registry is a value which is prepended to the image's name, if it // needs to be pulled and the image name alone can not be resolved to a // reference to a source image. No separator is implicitly added. @@ -209,7 +247,8 @@ type BuilderOptions struct { // github.com/containers/image/types SystemContext to hold credentials // and other authentication/authorization information. SystemContext *types.SystemContext - // DefaultMountsFilePath is the file path holding the mounts to be mounted in "host-path:container-path" format + // DefaultMountsFilePath is the file path holding the mounts to be + // mounted in "host-path:container-path" format DefaultMountsFilePath string CommonBuildOpts *CommonBuildOptions } diff --git a/vendor/github.com/projectatomic/buildah/commit.go b/vendor/github.com/projectatomic/buildah/commit.go index da86ee855..75d2626f5 100644 --- a/vendor/github.com/projectatomic/buildah/commit.go +++ b/vendor/github.com/projectatomic/buildah/commit.go @@ -49,6 +49,9 @@ type CommitOptions struct { SystemContext *types.SystemContext // IIDFile tells the builder to write the image ID to the specified file IIDFile string + // Squash tells the builder to produce an image with a single layer + // instead of with possibly more than one layer. + Squash bool } // PushOptions can be used to alter how an image is copied somewhere. @@ -100,7 +103,7 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options // Check if we're keeping everything in local storage. If so, we can take certain shortcuts. _, destIsStorage := dest.Transport().(is.StoreTransport) exporting := !destIsStorage - src, err := b.makeImageRef(options.PreferredManifestType, exporting, options.Compression, options.HistoryTimestamp) + src, err := b.makeImageRef(options.PreferredManifestType, exporting, options.Squash, options.Compression, options.HistoryTimestamp) if err != nil { return imgID, errors.Wrapf(err, "error computing layer digests and building metadata") } diff --git a/vendor/github.com/projectatomic/buildah/image.go b/vendor/github.com/projectatomic/buildah/image.go index a54643806..c66a5cd08 100644 --- a/vendor/github.com/projectatomic/buildah/image.go +++ b/vendor/github.com/projectatomic/buildah/image.go @@ -4,6 +4,7 @@ import ( "bytes" "context" "encoding/json" + "fmt" "io" "io/ioutil" "os" @@ -41,6 +42,8 @@ type containerImageRef struct { compression archive.Compression name reference.Named names []string + containerID string + mountLabel string layerID string oconfig []byte dconfig []byte @@ -50,12 +53,15 @@ type containerImageRef struct { annotations map[string]string preferredManifestType string exporting bool + squash bool } type containerImageSource struct { path string ref *containerImageRef store storage.Store + containerID string + mountLabel string layerID string names []string compression archive.Compression @@ -94,6 +100,124 @@ func expectedDockerDiffIDs(image docker.V2Image) int { return expected } +// Compute the media types which we need to attach to a layer, given the type of +// compression that we'll be applying. +func (i *containerImageRef) computeLayerMIMEType(what string) (omediaType, dmediaType string, err error) { + omediaType = v1.MediaTypeImageLayer + dmediaType = docker.V2S2MediaTypeUncompressedLayer + if i.compression != archive.Uncompressed { + switch i.compression { + case archive.Gzip: + omediaType = v1.MediaTypeImageLayerGzip + dmediaType = docker.V2S2MediaTypeLayer + logrus.Debugf("compressing %s with gzip", what) + case archive.Bzip2: + // Until the image specs define a media type for bzip2-compressed layers, even if we know + // how to decompress them, we can't try to compress layers with bzip2. + return "", "", errors.New("media type for bzip2-compressed layers is not defined") + case archive.Xz: + // Until the image specs define a media type for xz-compressed layers, even if we know + // how to decompress them, we can't try to compress layers with xz. + return "", "", errors.New("media type for xz-compressed layers is not defined") + default: + logrus.Debugf("compressing %s with unknown compressor(?)", what) + } + } + return omediaType, dmediaType, nil +} + +// Extract the container's whole filesystem as if it were a single layer. +func (i *containerImageRef) extractRootfs() (io.ReadCloser, error) { + mountPoint, err := i.store.Mount(i.containerID, i.mountLabel) + if err != nil { + return nil, errors.Wrapf(err, "error extracting container %q", i.containerID) + } + tarOptions := &archive.TarOptions{ + Compression: archive.Uncompressed, + } + rc, err := archive.TarWithOptions(mountPoint, tarOptions) + if err != nil { + return nil, errors.Wrapf(err, "error extracting container %q", i.containerID) + } + return ioutils.NewReadCloserWrapper(rc, func() error { + err := rc.Close() + if err != nil { + err = errors.Wrapf(err, "error closing tar archive of container %q", i.containerID) + } + if err2 := i.store.Unmount(i.containerID); err == nil { + if err2 != nil { + err2 = errors.Wrapf(err2, "error unmounting container %q", i.containerID) + } + err = err2 + } + return err + }), nil +} + +// Build fresh copies of the container configuration structures so that we can edit them +// without making unintended changes to the original Builder. +func (i *containerImageRef) createConfigsAndManifests() (v1.Image, v1.Manifest, docker.V2Image, docker.V2S2Manifest, error) { + created := i.created + + // Build an empty image, and then decode over it. + oimage := v1.Image{} + if err := json.Unmarshal(i.oconfig, &oimage); err != nil { + return v1.Image{}, v1.Manifest{}, docker.V2Image{}, docker.V2S2Manifest{}, err + } + // Always replace this value, since we're newer than our base image. + oimage.Created = &created + // Clear the list of diffIDs, since we always repopulate it. + oimage.RootFS.Type = docker.TypeLayers + oimage.RootFS.DiffIDs = []digest.Digest{} + // Only clear the history if we're squashing, otherwise leave it be so that we can append + // entries to it. + if i.squash { + oimage.History = []v1.History{} + } + + // Build an empty image, and then decode over it. + dimage := docker.V2Image{} + if err := json.Unmarshal(i.dconfig, &dimage); err != nil { + return v1.Image{}, v1.Manifest{}, docker.V2Image{}, docker.V2S2Manifest{}, err + } + // Always replace this value, since we're newer than our base image. + dimage.Created = created + // Clear the list of diffIDs, since we always repopulate it. + dimage.RootFS = &docker.V2S2RootFS{} + dimage.RootFS.Type = docker.TypeLayers + dimage.RootFS.DiffIDs = []digest.Digest{} + // Only clear the history if we're squashing, otherwise leave it be so that we can append + // entries to it. + if i.squash { + dimage.History = []docker.V2S2History{} + } + + // Build empty manifests. The Layers lists will be populated later. + omanifest := v1.Manifest{ + Versioned: specs.Versioned{ + SchemaVersion: 2, + }, + Config: v1.Descriptor{ + MediaType: v1.MediaTypeImageConfig, + }, + Layers: []v1.Descriptor{}, + Annotations: i.annotations, + } + + dmanifest := docker.V2S2Manifest{ + V2Versioned: docker.V2Versioned{ + SchemaVersion: 2, + MediaType: docker.V2S2MediaTypeManifest, + }, + Config: docker.V2S2Descriptor{ + MediaType: docker.V2S2MediaTypeImageConfig, + }, + Layers: []docker.V2S2Descriptor{}, + } + + return oimage, omanifest, dimage, dmanifest, nil +} + func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.SystemContext) (src types.ImageSource, err error) { // Decide which type of manifest and configuration output we're going to provide. manifestType := i.preferredManifestType @@ -109,11 +233,12 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System if err != nil { return nil, errors.Wrapf(err, "unable to read layer %q", layerID) } - // Walk the list of parent layers, prepending each as we go. + // Walk the list of parent layers, prepending each as we go. If we're squashing, + // stop at the layer ID of the top layer, which we won't really be using anyway. for layer != nil { layers = append(append([]string{}, layerID), layers...) layerID = layer.Parent - if layerID == "" { + if layerID == "" || i.squash { err = nil break } @@ -139,57 +264,25 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System } }() - // Build fresh copies of the configurations so that we don't mess with the values in the Builder - // object itself. - oimage := v1.Image{} - err = json.Unmarshal(i.oconfig, &oimage) + // Build fresh copies of the configurations and manifest so that we don't mess with any + // values in the Builder object itself. + oimage, omanifest, dimage, dmanifest, err := i.createConfigsAndManifests() if err != nil { return nil, err } - created := i.created - oimage.Created = &created - dimage := docker.V2Image{} - err = json.Unmarshal(i.dconfig, &dimage) - if err != nil { - return nil, err - } - dimage.Created = created - - // Start building manifests. - omanifest := v1.Manifest{ - Versioned: specs.Versioned{ - SchemaVersion: 2, - }, - Config: v1.Descriptor{ - MediaType: v1.MediaTypeImageConfig, - }, - Layers: []v1.Descriptor{}, - Annotations: i.annotations, - } - dmanifest := docker.V2S2Manifest{ - V2Versioned: docker.V2Versioned{ - SchemaVersion: 2, - MediaType: docker.V2S2MediaTypeManifest, - }, - Config: docker.V2S2Descriptor{ - MediaType: docker.V2S2MediaTypeImageConfig, - }, - Layers: []docker.V2S2Descriptor{}, - } - - oimage.RootFS.Type = docker.TypeLayers - oimage.RootFS.DiffIDs = []digest.Digest{} - dimage.RootFS = &docker.V2S2RootFS{} - dimage.RootFS.Type = docker.TypeLayers - dimage.RootFS.DiffIDs = []digest.Digest{} // Extract each layer and compute its digests, both compressed (if requested) and uncompressed. for _, layerID := range layers { + what := fmt.Sprintf("layer %q", layerID) + if i.squash { + what = fmt.Sprintf("container %q", i.containerID) + } // The default layer media type assumes no compression. omediaType := v1.MediaTypeImageLayer dmediaType := docker.V2S2MediaTypeUncompressedLayer - // If we're not re-exporting the data, reuse the blobsum and diff IDs. - if !i.exporting && layerID != i.layerID { + // If we're not re-exporting the data, and we're reusing layers individually, reuse + // the blobsum and diff IDs. + if !i.exporting && !i.squash && layerID != i.layerID { layer, err2 := i.store.Layer(layerID) if err2 != nil { return nil, errors.Wrapf(err, "unable to locate layer %q", layerID) @@ -218,40 +311,37 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System continue } // Figure out if we need to change the media type, in case we're using compression. - if i.compression != archive.Uncompressed { - switch i.compression { - case archive.Gzip: - omediaType = v1.MediaTypeImageLayerGzip - dmediaType = docker.V2S2MediaTypeLayer - logrus.Debugf("compressing layer %q with gzip", layerID) - case archive.Bzip2: - // Until the image specs define a media type for bzip2-compressed layers, even if we know - // how to decompress them, we can't try to compress layers with bzip2. - return nil, errors.New("media type for bzip2-compressed layers is not defined") - case archive.Xz: - // Until the image specs define a media type for xz-compressed layers, even if we know - // how to decompress them, we can't try to compress layers with xz. - return nil, errors.New("media type for xz-compressed layers is not defined") - default: - logrus.Debugf("compressing layer %q with unknown compressor(?)", layerID) - } + omediaType, dmediaType, err = i.computeLayerMIMEType(what) + if err != nil { + return nil, err } - // Start reading the layer. + // Start reading either the layer or the whole container rootfs. noCompression := archive.Uncompressed diffOptions := &storage.DiffOptions{ Compression: &noCompression, } - rc, err := i.store.Diff("", layerID, diffOptions) - if err != nil { - return nil, errors.Wrapf(err, "error extracting layer %q", layerID) + var rc io.ReadCloser + if i.squash { + // Extract the root filesystem as a single layer. + rc, err = i.extractRootfs() + if err != nil { + return nil, err + } + defer rc.Close() + } else { + // Extract this layer, one of possibly many. + rc, err = i.store.Diff("", layerID, diffOptions) + if err != nil { + return nil, errors.Wrapf(err, "error extracting %s", what) + } + defer rc.Close() } - defer rc.Close() srcHasher := digest.Canonical.Digester() reader := io.TeeReader(rc, srcHasher.Hash()) // Set up to write the possibly-recompressed blob. layerFile, err := os.OpenFile(filepath.Join(path, "layer"), os.O_CREATE|os.O_WRONLY, 0600) if err != nil { - return nil, errors.Wrapf(err, "error opening file for layer %q", layerID) + return nil, errors.Wrapf(err, "error opening file for %s", what) } destHasher := digest.Canonical.Digester() counter := ioutils.NewWriteCounter(layerFile) @@ -259,26 +349,26 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System // Compress the layer, if we're recompressing it. writer, err := archive.CompressStream(multiWriter, i.compression) if err != nil { - return nil, errors.Wrapf(err, "error compressing layer %q", layerID) + return nil, errors.Wrapf(err, "error compressing %s", what) } size, err := io.Copy(writer, reader) if err != nil { - return nil, errors.Wrapf(err, "error storing layer %q to file", layerID) + return nil, errors.Wrapf(err, "error storing %s to file", what) } writer.Close() layerFile.Close() if i.compression == archive.Uncompressed { if size != counter.Count { - return nil, errors.Errorf("error storing layer %q to file: inconsistent layer size (copied %d, wrote %d)", layerID, size, counter.Count) + return nil, errors.Errorf("error storing %s to file: inconsistent layer size (copied %d, wrote %d)", what, size, counter.Count) } } else { size = counter.Count } - logrus.Debugf("layer %q size is %d bytes", layerID, size) + logrus.Debugf("%s size is %d bytes", what, size) // Rename the layer so that we can more easily find it by digest later. err = os.Rename(filepath.Join(path, "layer"), filepath.Join(path, destHasher.Digest().String())) if err != nil { - return nil, errors.Wrapf(err, "error storing layer %q to file", layerID) + return nil, errors.Wrapf(err, "error storing %s to file", what) } // Add a note in the manifest about the layer. The blobs are identified by their possibly- // compressed blob digests. @@ -383,6 +473,8 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System path: path, ref: i, store: i.store, + containerID: i.containerID, + mountLabel: i.mountLabel, layerID: i.layerID, names: i.names, compression: i.compression, @@ -440,15 +532,15 @@ func (i *containerImageSource) Reference() types.ImageReference { } func (i *containerImageSource) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) { - if instanceDigest != nil && *instanceDigest != digest.FromBytes(i.manifest) { - return nil, errors.Errorf("TODO") + if instanceDigest != nil { + return nil, errors.Errorf("containerImageSource does not support manifest lists") } return nil, nil } func (i *containerImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) { - if instanceDigest != nil && *instanceDigest != digest.FromBytes(i.manifest) { - return nil, "", errors.Errorf("TODO") + if instanceDigest != nil { + return nil, "", errors.Errorf("containerImageSource does not support manifest lists") } return i.manifest, i.manifestType, nil } @@ -488,7 +580,7 @@ func (i *containerImageSource) GetBlob(ctx context.Context, blob types.BlobInfo) return ioutils.NewReadCloserWrapper(layerFile, closer), size, nil } -func (b *Builder) makeImageRef(manifestType string, exporting bool, compress archive.Compression, historyTimestamp *time.Time) (types.ImageReference, error) { +func (b *Builder) makeImageRef(manifestType string, exporting bool, squash bool, compress archive.Compression, historyTimestamp *time.Time) (types.ImageReference, error) { var name reference.Named container, err := b.store.Container(b.ContainerID) if err != nil { @@ -519,6 +611,8 @@ func (b *Builder) makeImageRef(manifestType string, exporting bool, compress arc compression: compress, name: name, names: container.Names, + containerID: container.ID, + mountLabel: b.MountLabel, layerID: container.LayerID, oconfig: oconfig, dconfig: dconfig, @@ -528,6 +622,7 @@ func (b *Builder) makeImageRef(manifestType string, exporting bool, compress arc annotations: b.Annotations(), preferredManifestType: manifestType, exporting: exporting, + squash: squash, } return ref, nil } diff --git a/vendor/github.com/projectatomic/buildah/imagebuildah/build.go b/vendor/github.com/projectatomic/buildah/imagebuildah/build.go index dd8421807..5472c1db5 100644 --- a/vendor/github.com/projectatomic/buildah/imagebuildah/build.go +++ b/vendor/github.com/projectatomic/buildah/imagebuildah/build.go @@ -51,7 +51,7 @@ type BuildOptions struct { ContextDirectory string // PullPolicy controls whether or not we pull images. It should be one // of PullIfMissing, PullAlways, or PullNever. - PullPolicy int + PullPolicy buildah.PullPolicy // Registry is a value which is prepended to the image's name, if it // needs to be pulled and the image name alone can not be resolved to a // reference to a source image. No separator is implicitly added. @@ -113,6 +113,13 @@ type BuildOptions struct { DefaultMountsFilePath string // IIDFile tells the builder to write the image ID to the specified file IIDFile string + // Squash tells the builder to produce an image with a single layer + // instead of with possibly more than one layer. + Squash bool + // Labels metadata for an image + Labels []string + // Annotation metadata for an image + Annotations []string } // Executor is a buildah-based implementation of the imagebuilder.Executor @@ -124,7 +131,7 @@ type Executor struct { store storage.Store contextDir string builder *buildah.Builder - pullPolicy int + pullPolicy buildah.PullPolicy registry string transport string ignoreUnrecognizedInstructions bool @@ -150,6 +157,9 @@ type Executor struct { commonBuildOptions *buildah.CommonBuildOptions defaultMountsFilePath string iidfile string + squash bool + labels []string + annotations []string } // withName creates a new child executor that will be used whenever a COPY statement uses --from=NAME. @@ -482,6 +492,9 @@ func NewExecutor(store storage.Store, options BuildOptions) (*Executor, error) { commonBuildOptions: options.CommonBuildOpts, defaultMountsFilePath: options.DefaultMountsFilePath, iidfile: options.IIDFile, + squash: options.Squash, + labels: append([]string{}, options.Labels...), + annotations: append([]string{}, options.Annotations...), } if exec.err == nil { exec.err = os.Stderr @@ -673,6 +686,22 @@ func (b *Executor) Commit(ctx context.Context, ib *imagebuilder.Builder) (err er for k, v := range config.Labels { b.builder.SetLabel(k, v) } + for _, labelSpec := range b.labels { + label := strings.SplitN(labelSpec, "=", 2) + if len(label) > 1 { + b.builder.SetLabel(label[0], label[1]) + } else { + b.builder.SetLabel(label[0], "") + } + } + for _, annotationSpec := range b.annotations { + annotation := strings.SplitN(annotationSpec, "=", 2) + if len(annotation) > 1 { + b.builder.SetAnnotation(annotation[0], annotation[1]) + } else { + b.builder.SetAnnotation(annotation[0], "") + } + } if imageRef != nil { logName := transports.ImageName(imageRef) logrus.Debugf("COMMIT %q", logName) @@ -692,6 +721,7 @@ func (b *Executor) Commit(ctx context.Context, ib *imagebuilder.Builder) (err er ReportWriter: b.reportWriter, PreferredManifestType: b.outputFormat, IIDFile: b.iidfile, + Squash: b.squash, } imgID, err := b.builder.Commit(ctx, imageRef, options) if err != nil { diff --git a/vendor/github.com/projectatomic/buildah/pkg/cli/common.go b/vendor/github.com/projectatomic/buildah/pkg/cli/common.go index eeabc3ee7..e65dba2bd 100644 --- a/vendor/github.com/projectatomic/buildah/pkg/cli/common.go +++ b/vendor/github.com/projectatomic/buildah/pkg/cli/common.go @@ -11,6 +11,10 @@ import ( var ( BudFlags = []cli.Flag{ + cli.StringSliceFlag{ + Name: "annotation", + Usage: "Set metadata for an image (default [])", + }, cli.StringFlag{ Name: "authfile", Usage: "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json", @@ -53,6 +57,10 @@ var ( Name: "iidfile", Usage: "Write the image ID to the file", }, + cli.StringSliceFlag{ + Name: "label", + Usage: "Set metadata for an image (default [])", + }, cli.BoolFlag{ Name: "no-cache", Usage: "Do not use caching for the container build. Buildah does not currently support caching so this is a NOOP.", @@ -139,11 +147,11 @@ var ( }, cli.StringSliceFlag{ Name: "security-opt", - Usage: "security Options (default [])", + Usage: "security options (default [])", }, cli.StringFlag{ Name: "shm-size", - Usage: "size of `/dev/shm`. The format is `<number><unit>`.", + Usage: "size of '/dev/shm'. The format is `<number><unit>`.", Value: "65536k", }, cli.StringSliceFlag{ diff --git a/vendor/github.com/projectatomic/buildah/pkg/parse/parse.go b/vendor/github.com/projectatomic/buildah/pkg/parse/parse.go index 6512aad52..eb7be9c1e 100644 --- a/vendor/github.com/projectatomic/buildah/pkg/parse/parse.go +++ b/vendor/github.com/projectatomic/buildah/pkg/parse/parse.go @@ -88,7 +88,7 @@ func parseSecurityOpts(securityOpts []string, commonOpts *buildah.CommonBuildOpt } con := strings.SplitN(opt, "=", 2) if len(con) != 2 { - return errors.Errorf("Invalid --security-opt 1: %q", opt) + return errors.Errorf("Invalid --security-opt name=value pair: %q", opt) } switch con[0] { diff --git a/vendor/github.com/projectatomic/buildah/pull.go b/vendor/github.com/projectatomic/buildah/pull.go index 9b8578651..edfaa6216 100644 --- a/vendor/github.com/projectatomic/buildah/pull.go +++ b/vendor/github.com/projectatomic/buildah/pull.go @@ -60,10 +60,15 @@ func localImageNameForReference(ctx context.Context, store storage.Store, srcRef if err != nil { return "", errors.Wrapf(err, "error loading manifest for %q", srcRef) } + // if index.json has no reference name, compute the image digest instead if manifest.Annotations == nil || manifest.Annotations["org.opencontainers.image.ref.name"] == "" { - return "", errors.Errorf("error, archive doesn't have a name annotation. Cannot store image with no name") + name, err = getImageDigest(ctx, srcRef, nil) + if err != nil { + return "", err + } + } else { + name = manifest.Annotations["org.opencontainers.image.ref.name"] } - name = manifest.Annotations["org.opencontainers.image.ref.name"] case util.DirTransport: // supports pull from a directory name = split[1] diff --git a/vendor/github.com/projectatomic/buildah/run.go b/vendor/github.com/projectatomic/buildah/run.go index 50edc9434..0af21b7f0 100644 --- a/vendor/github.com/projectatomic/buildah/run.go +++ b/vendor/github.com/projectatomic/buildah/run.go @@ -2,16 +2,23 @@ package buildah import ( "bufio" + "bytes" "encoding/json" "fmt" "io" "io/ioutil" + "net" "os" "os/exec" "path/filepath" + "strconv" "strings" + "sync" + "syscall" + "time" "github.com/containers/storage/pkg/ioutils" + "github.com/containers/storage/pkg/reexec" "github.com/docker/docker/profiles/seccomp" units "github.com/docker/go-units" digest "github.com/opencontainers/go-digest" @@ -22,6 +29,7 @@ import ( "github.com/projectatomic/libpod/pkg/secrets" "github.com/sirupsen/logrus" "golang.org/x/crypto/ssh/terminal" + "golang.org/x/sys/unix" ) const ( @@ -29,12 +37,17 @@ const ( DefaultWorkingDir = "/" // DefaultRuntime is the default command to use to run the container. DefaultRuntime = "runc" + // runUsingRuntimeCommand is a command we use as a key for reexec + runUsingRuntimeCommand = Package + "-runtime" ) +// TerminalPolicy takes the value DefaultTerminal, WithoutTerminal, or WithTerminal. +type TerminalPolicy int + const ( // DefaultTerminal indicates that this Run invocation should be // connected to a pseudoterminal if we're connected to a terminal. - DefaultTerminal = iota + DefaultTerminal TerminalPolicy = iota // WithoutTerminal indicates that this Run invocation should NOT be // connected to a pseudoterminal. WithoutTerminal @@ -43,6 +56,19 @@ const ( WithTerminal ) +// String converts a TerminalPoliicy into a string. +func (t TerminalPolicy) String() string { + switch t { + case DefaultTerminal: + return "DefaultTerminal" + case WithoutTerminal: + return "WithoutTerminal" + case WithTerminal: + return "WithTerminal" + } + return fmt.Sprintf("unrecognized terminal setting %d", t) +} + // RunOptions can be used to alter how a command is run in the container. type RunOptions struct { // Hostname is the hostname we set for the running container. @@ -72,7 +98,7 @@ type RunOptions struct { // terminal is used if os.Stdout is connected to a terminal, but that // decision can be overridden by specifying either WithTerminal or // WithoutTerminal. - Terminal int + Terminal TerminalPolicy // Quiet tells the run to turn off output to stdout. Quiet bool } @@ -114,7 +140,7 @@ func addHostsToFile(hosts []string, filename string) error { } func addCommonOptsToSpec(commonOpts *CommonBuildOptions, g *generate.Generator) error { - // RESOURCES - CPU + // Resources - CPU if commonOpts.CPUPeriod != 0 { g.SetLinuxResourcesCPUPeriod(commonOpts.CPUPeriod) } @@ -131,7 +157,7 @@ func addCommonOptsToSpec(commonOpts *CommonBuildOptions, g *generate.Generator) g.SetLinuxResourcesCPUMems(commonOpts.CPUSetMems) } - // RESOURCES - MEMORY + // Resources - Memory if commonOpts.Memory != 0 { g.SetLinuxResourcesMemoryLimit(commonOpts.Memory) } @@ -139,22 +165,21 @@ func addCommonOptsToSpec(commonOpts *CommonBuildOptions, g *generate.Generator) g.SetLinuxResourcesMemorySwap(commonOpts.MemorySwap) } + // cgroup membership if commonOpts.CgroupParent != "" { g.SetLinuxCgroupsPath(commonOpts.CgroupParent) } + // Other process resource limits if err := addRlimits(commonOpts.Ulimit, g); err != nil { return err } - if err := addHostsToFile(commonOpts.AddHost, "/etc/hosts"); err != nil { - return err - } - logrus.Debugln("Resources:", commonOpts) + logrus.Debugf("Resources: %#v", commonOpts) return nil } -func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, optionMounts []specs.Mount, bindFiles, builtinVolumes, volumeMounts []string, shmSize string) error { +func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, optionMounts []specs.Mount, bindFiles map[string]string, builtinVolumes, volumeMounts []string, shmSize string) error { // The passed-in mounts matter the most to us. mounts := make([]specs.Mount, len(optionMounts)) copy(mounts, optionMounts) @@ -179,14 +204,14 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, optionMounts mounts = append(mounts, specMount) } // Add bind mounts for important files, unless they conflict. - for _, boundFile := range bindFiles { - if haveMount(boundFile) { + for dest, src := range bindFiles { + if haveMount(dest) { // Already have something to mount there, so skip this one. continue } mounts = append(mounts, specs.Mount{ - Source: boundFile, - Destination: boundFile, + Source: src, + Destination: dest, Type: "bind", Options: []string{"rbind", "ro"}, }) @@ -293,6 +318,28 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, optionMounts return nil } +// addNetworkConfig copies files from host and sets them up to bind mount into container +func (b *Builder) addNetworkConfig(rdir, hostPath string) (string, error) { + stat, err := os.Stat(hostPath) + if err != nil { + return "", errors.Wrapf(err, "stat %q failed", hostPath) + } + + buf, err := ioutil.ReadFile(hostPath) + if err != nil { + return "", errors.Wrapf(err, "opening %q failed", hostPath) + } + cfile := filepath.Join(rdir, filepath.Base(hostPath)) + if err := ioutil.WriteFile(cfile, buf, stat.Mode()); err != nil { + return "", errors.Wrapf(err, "opening %q failed", cfile) + } + if err = label.Relabel(cfile, b.MountLabel, false); err != nil { + return "", errors.Wrapf(err, "error relabeling %q in container %q", cfile, b.ContainerID) + } + + return cfile, nil +} + // Run runs the specified command in the container's root filesystem. func (b *Builder) Run(command []string, options RunOptions) error { var user specs.User @@ -399,10 +446,10 @@ func (b *Builder) Run(command []string, options RunOptions) error { return errors.Wrapf(err, "error ensuring working directory %q exists", spec.Process.Cwd) } - //Security Opts + // Set the apparmor profile name. g.SetProcessApparmorProfile(b.CommonBuildOpts.ApparmorProfile) - // HANDLE SECCOMP + // Set the seccomp configuration using the specified profile name. if b.CommonBuildOpts.SeccompProfilePath != "unconfined" { if b.CommonBuildOpts.SeccompProfilePath != "" { seccompProfile, err := ioutil.ReadFile(b.CommonBuildOpts.SeccompProfilePath) @@ -430,37 +477,580 @@ func (b *Builder) Run(command []string, options RunOptions) error { Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"}, } g.AddMount(cgroupMnt) + hostFile, err := b.addNetworkConfig(path, "/etc/hosts") + if err != nil { + return err + } + resolvFile, err := b.addNetworkConfig(path, "/etc/resolv.conf") + if err != nil { + return err + } - bindFiles := []string{"/etc/hosts", "/etc/resolv.conf"} + if err := addHostsToFile(b.CommonBuildOpts.AddHost, hostFile); err != nil { + return err + } + + bindFiles := map[string]string{ + "/etc/hosts": hostFile, + "/etc/resolv.conf": resolvFile, + } err = b.setupMounts(mountPoint, spec, options.Mounts, bindFiles, b.Volumes(), b.CommonBuildOpts.Volumes, b.CommonBuildOpts.ShmSize) if err != nil { return errors.Wrapf(err, "error resolving mountpoints for container") } - specbytes, err := json.Marshal(spec) + return b.runUsingRuntimeSubproc(options, spec, mountPoint, path, Package+"-"+filepath.Base(path)) +} + +type runUsingRuntimeSubprocOptions struct { + Options RunOptions + Spec *specs.Spec + RootPath string + BundlePath string + ContainerName string +} + +func (b *Builder) runUsingRuntimeSubproc(options RunOptions, spec *specs.Spec, rootPath, bundlePath, containerName string) (err error) { + var confwg sync.WaitGroup + config, conferr := json.Marshal(runUsingRuntimeSubprocOptions{ + Options: options, + Spec: spec, + RootPath: rootPath, + BundlePath: bundlePath, + ContainerName: containerName, + }) + if conferr != nil { + return errors.Wrapf(conferr, "error encoding configuration for %q", runUsingRuntimeCommand) + } + cmd := reexec.Command(runUsingRuntimeCommand) + cmd.Dir = bundlePath + cmd.Stdin = os.Stdin + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + cmd.Env = append(os.Environ(), fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())) + preader, pwriter, err := os.Pipe() if err != nil { - return err + return errors.Wrapf(err, "error creating configuration pipe") + } + confwg.Add(1) + go func() { + _, conferr = io.Copy(pwriter, bytes.NewReader(config)) + confwg.Done() + }() + cmd.ExtraFiles = append([]*os.File{preader}, cmd.ExtraFiles...) + defer preader.Close() + defer pwriter.Close() + err = cmd.Run() + confwg.Wait() + if err == nil { + return conferr } - err = ioutils.AtomicWriteFile(filepath.Join(path, "config.json"), specbytes, 0600) + return err +} + +func init() { + reexec.Register(runUsingRuntimeCommand, runUsingRuntimeMain) +} + +func runUsingRuntimeMain() { + var options runUsingRuntimeSubprocOptions + // Set logging. + if level := os.Getenv("LOGLEVEL"); level != "" { + if ll, err := strconv.Atoi(level); err == nil { + logrus.SetLevel(logrus.Level(ll)) + } + } + // Unpack our configuration. + confPipe := os.NewFile(3, "confpipe") + if confPipe == nil { + fmt.Fprintf(os.Stderr, "error reading options pipe\n") + os.Exit(1) + } + defer confPipe.Close() + if err := json.NewDecoder(confPipe).Decode(&options); err != nil { + fmt.Fprintf(os.Stderr, "error decoding options: %v\n", err) + os.Exit(1) + } + // Set ourselves up to read the container's exit status. We're doing this in a child process + // so that we won't mess with the setting in a caller of the library. + if err := unix.Prctl(unix.PR_SET_CHILD_SUBREAPER, uintptr(1), 0, 0, 0); err != nil { + fmt.Fprintf(os.Stderr, "prctl(PR_SET_CHILD_SUBREAPER, 1): %v\n", err) + os.Exit(1) + } + // Run the container, start to finish. + status, err := runUsingRuntime(options.Options, options.Spec, options.RootPath, options.BundlePath, options.ContainerName) if err != nil { - return errors.Wrapf(err, "error storing runtime configuration") + fmt.Fprintf(os.Stderr, "error running container: %v\n", err) + os.Exit(1) + } + // Pass the container's exit status back to the caller by exiting with the same status. + if status.Exited() { + os.Exit(status.ExitStatus()) + } else if status.Signaled() { + fmt.Fprintf(os.Stderr, "container exited on %s\n", status.Signal()) + os.Exit(1) } + os.Exit(1) +} + +func runUsingRuntime(options RunOptions, spec *specs.Spec, rootPath, bundlePath, containerName string) (wstatus unix.WaitStatus, err error) { + // Write the runtime configuration. + specbytes, err := json.Marshal(spec) + if err != nil { + return 1, err + } + if err = ioutils.AtomicWriteFile(filepath.Join(bundlePath, "config.json"), specbytes, 0600); err != nil { + return 1, errors.Wrapf(err, "error storing runtime configuration") + } + logrus.Debugf("config = %v", string(specbytes)) + + // Decide which runtime to use. runtime := options.Runtime if runtime == "" { runtime = DefaultRuntime } - args := append(options.Args, "run", "-b", path, Package+"-"+b.ContainerID) - cmd := exec.Command(runtime, args...) - cmd.Dir = mountPoint - cmd.Stdin = os.Stdin - cmd.Stdout = os.Stdout - if options.Quiet { - cmd.Stdout = nil + + // Default to not specifying a console socket location. + moreCreateArgs := func() []string { return nil } + // Default to just passing down our stdio. + getCreateStdio := func() (*os.File, *os.File, *os.File) { return os.Stdin, os.Stdout, os.Stderr } + + // Figure out how we're doing stdio handling, and create pipes and sockets. + var stdio sync.WaitGroup + var consoleListener *net.UnixListener + stdioPipe := make([][]int, 3) + copyConsole := false + copyStdio := false + finishCopy := make([]int, 2) + if err = unix.Pipe(finishCopy); err != nil { + return 1, errors.Wrapf(err, "error creating pipe for notifying to stop stdio") } - cmd.Stderr = os.Stderr - err = cmd.Run() + finishedCopy := make(chan struct{}) + if spec.Process != nil { + if spec.Process.Terminal { + copyConsole = true + // Create a listening socket for accepting the container's terminal's PTY master. + socketPath := filepath.Join(bundlePath, "console.sock") + consoleListener, err = net.ListenUnix("unix", &net.UnixAddr{Name: socketPath, Net: "unix"}) + if err != nil { + return 1, errors.Wrapf(err, "error creating socket to receive terminal descriptor") + } + // Add console socket arguments. + moreCreateArgs = func() []string { return []string{"--console-socket", socketPath} } + } else { + copyStdio = true + // Create pipes to use for relaying stdio. + for i := range stdioPipe { + stdioPipe[i] = make([]int, 2) + if err = unix.Pipe(stdioPipe[i]); err != nil { + return 1, errors.Wrapf(err, "error creating pipe for container FD %d", i) + } + } + // Set stdio to our pipes. + getCreateStdio = func() (*os.File, *os.File, *os.File) { + stdin := os.NewFile(uintptr(stdioPipe[unix.Stdin][0]), "/dev/stdin") + stdout := os.NewFile(uintptr(stdioPipe[unix.Stdout][1]), "/dev/stdout") + stderr := os.NewFile(uintptr(stdioPipe[unix.Stderr][1]), "/dev/stderr") + return stdin, stdout, stderr + } + } + } else { + if options.Quiet { + // Discard stdout. + getCreateStdio = func() (*os.File, *os.File, *os.File) { + return os.Stdin, nil, os.Stderr + } + } + } + + // Build the commands that we'll execute. + pidFile := filepath.Join(bundlePath, "pid") + args := append(append(append(options.Args, "create", "--bundle", bundlePath, "--pid-file", pidFile), moreCreateArgs()...), containerName) + create := exec.Command(runtime, args...) + create.Dir = bundlePath + stdin, stdout, stderr := getCreateStdio() + create.Stdin, create.Stdout, create.Stderr = stdin, stdout, stderr + if create.SysProcAttr == nil { + create.SysProcAttr = &syscall.SysProcAttr{} + } + runSetDeathSig(create) + + args = append(options.Args, "start", containerName) + start := exec.Command(runtime, args...) + start.Dir = bundlePath + start.Stderr = os.Stderr + runSetDeathSig(start) + + args = append(options.Args, "kill", containerName) + kill := exec.Command(runtime, args...) + kill.Dir = bundlePath + kill.Stderr = os.Stderr + runSetDeathSig(kill) + + args = append(options.Args, "delete", containerName) + del := exec.Command(runtime, args...) + del.Dir = bundlePath + del.Stderr = os.Stderr + runSetDeathSig(del) + + // Actually create the container. + err = create.Run() if err != nil { - logrus.Debugf("error running runc %v: %v", spec.Process.Args, err) + return 1, errors.Wrapf(err, "error creating container for %v", spec.Process.Args) + } + defer func() { + err2 := del.Run() + if err2 != nil { + if err == nil { + err = errors.Wrapf(err2, "error deleting container") + } else { + logrus.Infof("error deleting container: %v", err2) + } + } + }() + + // Make sure we read the container's exit status when it exits. + pidValue, err := ioutil.ReadFile(pidFile) + if err != nil { + return 1, errors.Wrapf(err, "error reading pid from %q", pidFile) + } + pid, err := strconv.Atoi(strings.TrimSpace(string(pidValue))) + if err != nil { + return 1, errors.Wrapf(err, "error parsing pid %s as a number", string(pidValue)) + } + var reaping sync.WaitGroup + reaping.Add(1) + go func() { + defer reaping.Done() + var err error + _, err = unix.Wait4(pid, &wstatus, 0, nil) + if err != nil { + wstatus = 0 + logrus.Errorf("error waiting for container child process: %v\n", err) + } + }() + + if copyStdio { + // We don't need the ends of the pipes that belong to the container. + stdin.Close() + if stdout != nil { + stdout.Close() + } + stderr.Close() + } + + // Handle stdio for the container in the background. + stdio.Add(1) + go runCopyStdio(&stdio, copyStdio, stdioPipe, copyConsole, consoleListener, finishCopy, finishedCopy) + + // Start the container. + err = start.Run() + if err != nil { + return 1, errors.Wrapf(err, "error starting container") + } + stopped := false + defer func() { + if !stopped { + err2 := kill.Run() + if err2 != nil { + if err == nil { + err = errors.Wrapf(err2, "error stopping container") + } else { + logrus.Infof("error stopping container: %v", err2) + } + } + } + }() + + // Wait for the container to exit. + for { + now := time.Now() + var state specs.State + args = append(options.Args, "state", containerName) + stat := exec.Command(runtime, args...) + stat.Dir = bundlePath + stat.Stderr = os.Stderr + stateOutput, stateErr := stat.Output() + if stateErr != nil { + return 1, errors.Wrapf(stateErr, "error reading container state") + } + if err = json.Unmarshal(stateOutput, &state); err != nil { + return 1, errors.Wrapf(stateErr, "error parsing container state %q", string(stateOutput)) + } + switch state.Status { + case "running": + case "stopped": + stopped = true + default: + return 1, errors.Errorf("container status unexpectedly changed to %q", state.Status) + } + if stopped { + break + } + select { + case <-finishedCopy: + stopped = true + case <-time.After(time.Until(now.Add(100 * time.Millisecond))): + continue + } + if stopped { + break + } + } + + // Close the writing end of the stop-handling-stdio notification pipe. + unix.Close(finishCopy[1]) + // Wait for the stdio copy goroutine to flush. + stdio.Wait() + // Wait until we finish reading the exit status. + reaping.Wait() + + return wstatus, nil +} + +func runCopyStdio(stdio *sync.WaitGroup, copyStdio bool, stdioPipe [][]int, copyConsole bool, consoleListener *net.UnixListener, finishCopy []int, finishedCopy chan struct{}) { + defer func() { + unix.Close(finishCopy[0]) + if copyStdio { + unix.Close(stdioPipe[unix.Stdin][1]) + unix.Close(stdioPipe[unix.Stdout][0]) + unix.Close(stdioPipe[unix.Stderr][0]) + } + stdio.Done() + finishedCopy <- struct{}{} + }() + // If we're not doing I/O handling, we're done. + if !copyConsole && !copyStdio { + return + } + terminalFD := -1 + if copyConsole { + // Accept a connection over our listening socket. + fd, err := runAcceptTerminal(consoleListener) + if err != nil { + logrus.Errorf("%v", err) + return + } + terminalFD = fd + // Set our terminal's mode to raw, to pass handling of special + // terminal input to the terminal in the container. + state, err := terminal.MakeRaw(unix.Stdin) + if err != nil { + logrus.Warnf("error setting terminal state: %v", err) + } else { + defer func() { + if err = terminal.Restore(unix.Stdin, state); err != nil { + logrus.Errorf("unable to restore terminal state: %v", err) + } + }() + // FIXME - if we're connected to a terminal, we should be + // passing the updated terminal size down when we receive a + // SIGWINCH. + } + } + // Track how many descriptors we're expecting data from. + reading := 0 + // Map describing where data on an incoming descriptor should go. + relayMap := make(map[int]int) + // Map describing incoming descriptors. + relayDesc := make(map[int]string) + // Buffers. + relayBuffer := make(map[int]*bytes.Buffer) + if copyConsole { + // Input from our stdin, output from the terminal descriptor. + relayMap[unix.Stdin] = terminalFD + relayDesc[unix.Stdin] = "stdin" + relayBuffer[unix.Stdin] = new(bytes.Buffer) + relayMap[terminalFD] = unix.Stdout + relayDesc[terminalFD] = "container terminal output" + relayBuffer[terminalFD] = new(bytes.Buffer) + reading = 2 + } + if copyStdio { + // Input from our stdin, output from the stdout and stderr pipes. + relayMap[unix.Stdin] = stdioPipe[unix.Stdin][1] + relayDesc[unix.Stdin] = "stdin" + relayBuffer[unix.Stdin] = new(bytes.Buffer) + relayMap[stdioPipe[unix.Stdout][0]] = unix.Stdout + relayDesc[stdioPipe[unix.Stdout][0]] = "container stdout" + relayBuffer[stdioPipe[unix.Stdout][0]] = new(bytes.Buffer) + relayMap[stdioPipe[unix.Stderr][0]] = unix.Stderr + relayDesc[stdioPipe[unix.Stderr][0]] = "container stderr" + relayBuffer[stdioPipe[unix.Stderr][0]] = new(bytes.Buffer) + reading = 3 + } + // Set our reading descriptors to non-blocking. + for fd := range relayMap { + if err := unix.SetNonblock(fd, true); err != nil { + logrus.Errorf("error setting %s to nonblocking: %v", relayDesc[fd], err) + return + } + } + // Pass data back and forth. + for { + // Start building the list of descriptors to poll. + pollFds := make([]unix.PollFd, 0, reading+1) + // Poll for a notification that we should stop handling stdio. + pollFds = append(pollFds, unix.PollFd{Fd: int32(finishCopy[0]), Events: unix.POLLIN | unix.POLLHUP}) + // Poll on our reading descriptors. + for rfd := range relayMap { + pollFds = append(pollFds, unix.PollFd{Fd: int32(rfd), Events: unix.POLLIN | unix.POLLHUP}) + } + buf := make([]byte, 8192) + // Wait for new data from any input descriptor, or a notification that we're done. + nevents, err := unix.Poll(pollFds, -1) + if err != nil { + if errno, isErrno := err.(syscall.Errno); isErrno { + switch errno { + case syscall.EINTR: + continue + default: + logrus.Errorf("unable to wait for stdio/terminal data to relay: %v", err) + return + } + } else { + logrus.Errorf("unable to wait for stdio/terminal data to relay: %v", err) + return + } + } + if nevents == 0 { + logrus.Errorf("unexpected no data, no error waiting for terminal data to relay") + return + } + var removes []int + for _, pollFd := range pollFds { + // If this descriptor's just been closed from the other end, mark it for + // removal from the set that we're checking for. + if pollFd.Revents&unix.POLLHUP == unix.POLLHUP { + removes = append(removes, int(pollFd.Fd)) + } + // If the EPOLLIN flag isn't set, then there's no data to be read from this descriptor. + if pollFd.Revents&unix.POLLIN == 0 { + // If we're using pipes and it's our stdin, close the writing end + // of the corresponding pipe. + if copyStdio && int(pollFd.Fd) == unix.Stdin { + unix.Close(stdioPipe[unix.Stdin][1]) + stdioPipe[unix.Stdin][1] = -1 + } + continue + } + // Copy whatever we read to wherever it needs to be sent. + readFD := int(pollFd.Fd) + writeFD, needToRelay := relayMap[readFD] + if needToRelay { + n, err := unix.Read(readFD, buf) + if err != nil { + if errno, isErrno := err.(syscall.Errno); isErrno { + switch errno { + default: + logrus.Errorf("unable to read %s: %v", relayDesc[readFD], err) + case syscall.EINTR, syscall.EAGAIN: + } + } else { + logrus.Errorf("unable to wait for %s data to relay: %v", relayDesc[readFD], err) + } + continue + } + // If it's zero-length on our stdin and we're + // using pipes, it's an EOF, so close the stdin + // pipe's writing end. + if n == 0 && copyStdio && int(pollFd.Fd) == unix.Stdin { + unix.Close(stdioPipe[unix.Stdin][1]) + stdioPipe[unix.Stdin][1] = -1 + } + if n > 0 { + // Buffer the data in case we're blocked on where they need to go. + relayBuffer[readFD].Write(buf[:n]) + // Try to drain the buffer. + n, err = unix.Write(writeFD, relayBuffer[readFD].Bytes()) + if err != nil { + logrus.Errorf("unable to write %s: %v", relayDesc[readFD], err) + return + } + relayBuffer[readFD].Next(n) + } + } + } + // Remove any descriptors which we don't need to poll any more from the poll descriptor list. + for _, remove := range removes { + delete(relayMap, remove) + reading-- + } + if reading == 0 { + // We have no more open descriptors to read, so we can stop now. + return + } + // If the we-can-return pipe had anything for us, we're done. + for _, pollFd := range pollFds { + if int(pollFd.Fd) == finishCopy[0] && pollFd.Revents != 0 { + // The pipe is closed, indicating that we can stop now. + return + } + } + } +} + +func runAcceptTerminal(consoleListener *net.UnixListener) (int, error) { + defer consoleListener.Close() + c, err := consoleListener.AcceptUnix() + if err != nil { + return -1, errors.Wrapf(err, "error accepting socket descriptor connection") + } + defer c.Close() + // Expect a control message over our new connection. + b := make([]byte, 8192) + oob := make([]byte, 8192) + n, oobn, _, _, err := c.ReadMsgUnix(b, oob) + if err != nil { + return -1, errors.Wrapf(err, "error reading socket descriptor: %v") + } + if n > 0 { + logrus.Debugf("socket descriptor is for %q", string(b[:n])) + } + if oobn > len(oob) { + return -1, errors.Errorf("too much out-of-bounds data (%d bytes)", oobn) + } + // Parse the control message. + scm, err := unix.ParseSocketControlMessage(oob[:oobn]) + if err != nil { + return -1, errors.Wrapf(err, "error parsing out-of-bound data as a socket control message") + } + logrus.Debugf("control messages: %v", scm) + // Expect to get a descriptor. + terminalFD := -1 + for i := range scm { + fds, err := unix.ParseUnixRights(&scm[i]) + if err != nil { + return -1, errors.Wrapf(err, "error parsing unix rights control message: %v") + } + logrus.Debugf("fds: %v", fds) + if len(fds) == 0 { + continue + } + terminalFD = fds[0] + break + } + if terminalFD == -1 { + return -1, errors.Errorf("unable to read terminal descriptor") + } + // Set the pseudoterminal's size to match our own. + winsize, err := unix.IoctlGetWinsize(unix.Stdin, unix.TIOCGWINSZ) + if err != nil { + logrus.Warnf("error reading size of controlling terminal: %v", err) + return terminalFD, nil + } + err = unix.IoctlSetWinsize(terminalFD, unix.TIOCSWINSZ, winsize) + if err != nil { + logrus.Warnf("error setting size of container pseudoterminal: %v", err) + } + return terminalFD, nil +} + +func runSetDeathSig(cmd *exec.Cmd) { + if cmd.SysProcAttr == nil { + cmd.SysProcAttr = &syscall.SysProcAttr{} + } + if cmd.SysProcAttr.Pdeathsig == 0 { + cmd.SysProcAttr.Pdeathsig = syscall.SIGTERM } - return err } diff --git a/vendor/github.com/projectatomic/buildah/util/util.go b/vendor/github.com/projectatomic/buildah/util/util.go index 41bd46cb3..e8539f978 100644 --- a/vendor/github.com/projectatomic/buildah/util/util.go +++ b/vendor/github.com/projectatomic/buildah/util/util.go @@ -70,7 +70,7 @@ func ResolveName(name string, firstRegistry string, sc *types.SystemContext, sto } } - // If the image is from a different transport + // If the image includes a transport's name as a prefix, use it as-is. split := strings.SplitN(name, ":", 2) if len(split) == 2 { if _, ok := Transports[split[0]]; ok { @@ -91,8 +91,16 @@ func ResolveName(name string, firstRegistry string, sc *types.SystemContext, sto // If this domain can cause us to insert something in the middle, check if that happened. repoPath := reference.Path(named) domain := reference.Domain(named) + tag := "" + if tagged, ok := named.(reference.Tagged); ok { + tag = ":" + tagged.Tag() + } + digest := "" + if digested, ok := named.(reference.Digested); ok { + digest = "@" + digested.Digest().String() + } defaultPrefix := RegistryDefaultPathPrefix[reference.Domain(named)] + "/" - if strings.HasPrefix(repoPath, defaultPrefix) && path.Join(domain, repoPath[len(defaultPrefix):]) == name { + if strings.HasPrefix(repoPath, defaultPrefix) && path.Join(domain, repoPath[len(defaultPrefix):])+tag+digest == name { // Yup, parsing just inserted a bit in the middle, so there was a domain name there to begin with. return []string{name} } diff --git a/vendor/github.com/projectatomic/buildah/vendor.conf b/vendor/github.com/projectatomic/buildah/vendor.conf index be0b04e4a..50f91b072 100644 --- a/vendor/github.com/projectatomic/buildah/vendor.conf +++ b/vendor/github.com/projectatomic/buildah/vendor.conf @@ -1,27 +1,32 @@ -github.com/BurntSushi/toml master -github.com/Nvveen/Gotty master github.com/blang/semver master +github.com/BurntSushi/toml master +github.com/containerd/continuity master +github.com/containernetworking/cni v0.6.0 github.com/containers/image master -github.com/containers/storage master +github.com/containers/storage 0b8ab959bba614a4f88bb3791dbc078c3d47f259 github.com/docker/distribution 5f6282db7d65e6d72ad7c2cc66310724a57be716 github.com/docker/docker b8571fd81c7d2223c9ecbf799c693e3ef1daaea9 +github.com/docker/docker-credential-helpers d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1 github.com/docker/engine-api master github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d github.com/docker/go-units 0dadbb0345b35ec7ef35e228dabb8de89a65bf52 -github.com/docker/docker-credential-helpers d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1 github.com/docker/libtrust aabc10ec26b754e797f9028f4589c5b7bd90dc20 github.com/fsouza/go-dockerclient master github.com/ghodss/yaml master +github.com/gogo/protobuf master github.com/golang/glog master github.com/gorilla/context master github.com/gorilla/mux master +github.com/hashicorp/errwrap master github.com/hashicorp/go-cleanhttp master +github.com/hashicorp/go-multierror master github.com/imdario/mergo master github.com/mattn/go-runewidth master github.com/mattn/go-shellwords master github.com/mistifyio/go-zfs master github.com/moby/moby f8806b18b4b92c5e1980f6e11c917fad201cd73c github.com/mtrmac/gpgme master +github.com/Nvveen/Gotty master github.com/opencontainers/go-digest aa2ec055abd10d26d539eb630a92241b781ce4bc github.com/opencontainers/image-spec v1.0.0 github.com/opencontainers/runc master @@ -32,11 +37,16 @@ github.com/openshift/imagebuilder master github.com/ostreedev/ostree-go aeb02c6b6aa2889db3ef62f7855650755befd460 github.com/pborman/uuid master github.com/pkg/errors master +github.com/pquerna/ffjson d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac +github.com/projectatomic/libpod e686269da34ed4208f4ed517c0587ab38e8eaf2c github.com/sirupsen/logrus master github.com/syndtr/gocapability master github.com/tchap/go-patricia master github.com/urfave/cli master github.com/vbatts/tar-split v0.10.2 +github.com/xeipuuv/gojsonpointer master +github.com/xeipuuv/gojsonreference master +github.com/xeipuuv/gojsonschema master golang.org/x/crypto master golang.org/x/net master golang.org/x/sys master @@ -46,12 +56,3 @@ gopkg.in/yaml.v2 cd8b52f8269e0feb286dfeef29f8fe4d5b397e0b k8s.io/apimachinery master k8s.io/client-go master k8s.io/kubernetes master -github.com/hashicorp/go-multierror master -github.com/hashicorp/errwrap master -github.com/xeipuuv/gojsonschema master -github.com/xeipuuv/gojsonreference master -github.com/containerd/continuity master -github.com/gogo/protobuf master -github.com/xeipuuv/gojsonpointer master -github.com/pquerna/ffjson d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac -github.com/projectatomic/libpod master |