Diffstat (limited to 'vendor/github.com/projectatomic')
14 files changed, 277 insertions, 104 deletions
diff --git a/vendor/github.com/projectatomic/buildah/add.go b/vendor/github.com/projectatomic/buildah/add.go
index 93ecba9f4..1aad8ad37 100644
--- a/vendor/github.com/projectatomic/buildah/add.go
+++ b/vendor/github.com/projectatomic/buildah/add.go
@@ -11,12 +11,12 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/containers/libpod/pkg/chrootuser"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/projectatomic/buildah/util"
-	"github.com/projectatomic/libpod/pkg/chrootuser"
 	"github.com/sirupsen/logrus"
 )
diff --git a/vendor/github.com/projectatomic/buildah/buildah.go b/vendor/github.com/projectatomic/buildah/buildah.go
index 1f5212362..32785a26f 100644
--- a/vendor/github.com/projectatomic/buildah/buildah.go
+++ b/vendor/github.com/projectatomic/buildah/buildah.go
@@ -24,7 +24,7 @@ const (
 	Package = "buildah"
 	// Version for the Package. Bump version in contrib/rpm/buildah.spec
 	// too.
-	Version = "1.3-dev"
+	Version = "1.4-dev"
 	// The value we use to identify what type of information, currently a
 	// serialized Builder structure, we are using as per-container state.
 	// This should only be changed when we make incompatible changes to
@@ -146,7 +146,6 @@ type Builder struct {
 	// Image metadata and runtime settings, in multiple formats.
 	OCIv1 v1.Image `json:"ociv1,omitempty"`
 	Docker docker.V2Image `json:"docker,omitempty"`
-
 	// DefaultMountsFilePath is the file path holding the mounts to be mounted in "host-path:container-path" format.
 	DefaultMountsFilePath string `json:"defaultMountsFilePath,omitempty"`
 
@@ -292,7 +291,6 @@ type CommonBuildOptions struct {
 
 // BuilderOptions are used to initialize a new Builder.
 type BuilderOptions struct {
-
 	// Args define variables that users can pass at build-time to the builder
 	Args map[string]string
 	// FromImage is the name of the image which should be used as the
@@ -360,9 +358,7 @@ type BuilderOptions struct {
 	// after processing the AddCapabilities set, when running commands in the
 	// container. If a capability appears in both lists, it will be dropped.
 	DropCapabilities []string
-	// ImageOnly is a boolean designating that we wish to only pull the image and
-	// to not create a container from it. Used by pull command.
-	ImageOnly bool
+
 	CommonBuildOpts *CommonBuildOptions
 }
diff --git a/vendor/github.com/projectatomic/buildah/chroot/run.go b/vendor/github.com/projectatomic/buildah/chroot/run.go
index 77709c52d..2cae5b9da 100644
--- a/vendor/github.com/projectatomic/buildah/chroot/run.go
+++ b/vendor/github.com/projectatomic/buildah/chroot/run.go
@@ -551,9 +551,7 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
 		cmd.Setsid = true
 		cmd.Ctty = ctty
 	}
-	if spec.Process.OOMScoreAdj != nil {
-		cmd.OOMScoreAdj = *spec.Process.OOMScoreAdj
-	}
+	cmd.OOMScoreAdj = spec.Process.OOMScoreAdj
 	cmd.ExtraFiles = append([]*os.File{preader}, cmd.ExtraFiles...)
 	cmd.Hook = func(int) error {
 		for _, f := range closeOnceRunning {
@@ -935,7 +933,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 	}
 	logrus.Debugf("bind mounted %q to %q", "/dev", filepath.Join(spec.Root.Path, "/dev"))
 
-	// Bind /proc read-write.
+	// Bind /proc read-only.
 	subProc := filepath.Join(spec.Root.Path, "/proc")
 	if err := unix.Mount("/proc", subProc, "bind", procFlags, ""); err != nil {
 		if os.IsNotExist(err) {
@@ -1133,6 +1131,15 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 		}
 	}
 
+	// Create an empty directory for to use for masking directories.
+	roEmptyDir := filepath.Join(bundlePath, "empty")
+	if len(spec.Linux.MaskedPaths) > 0 {
+		if err := os.Mkdir(roEmptyDir, 0700); err != nil {
+			return undoBinds, errors.Wrapf(err, "error creating empty directory %q", roEmptyDir)
+		}
+		removes = append(removes, roEmptyDir)
+	}
+
 	// Set up any masked paths that we need to. If we're running inside of
 	// a container, some of these locations will already be read-only tmpfs
 	// filesystems or bind mounted to os.DevNull. If we're not running
@@ -1220,10 +1227,10 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 				}
 			}
 		}
-		// The target's a directory, so mount a read-only tmpfs on it.
-		roFlags := uintptr(syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_NOEXEC | syscall.MS_RDONLY)
+		// The target's a directory, so read-only bind mount an empty directory on it.
+		roFlags := uintptr(syscall.MS_BIND | syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_NOEXEC | syscall.MS_RDONLY)
 		if !isReadOnly || (hasContent && isAccessible) {
-			if err = unix.Mount("none", target, "tmpfs", roFlags, "size=0"); err != nil {
+			if err = unix.Mount(roEmptyDir, target, "bind", roFlags, ""); err != nil {
 				return undoBinds, errors.Wrapf(err, "error masking directory %q in mount namespace", target)
 			}
 			if err = unix.Statfs(target, &fs); err != nil {
diff --git a/vendor/github.com/projectatomic/buildah/config.go b/vendor/github.com/projectatomic/buildah/config.go
index b39d2b6c6..731e3b80a 100644
--- a/vendor/github.com/projectatomic/buildah/config.go
+++ b/vendor/github.com/projectatomic/buildah/config.go
@@ -3,6 +3,7 @@ package buildah
 import (
 	"context"
 	"encoding/json"
+	"os"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -260,11 +261,21 @@ func (b *Builder) Env() []string {
 // built using an image built from this container.
 func (b *Builder) SetEnv(k string, v string) {
 	reset := func(s *[]string) {
+		getenv := func(name string) string {
+			for i := range *s {
+				val := strings.SplitN((*s)[i], "=", 2)
+				if len(val) == 2 && val[0] == name {
+					return val[1]
+				}
+			}
+			return name
+		}
 		n := []string{}
 		for i := range *s {
 			if !strings.HasPrefix((*s)[i], k+"=") {
 				n = append(n, (*s)[i])
 			}
+			v = os.Expand(v, getenv)
 		}
 		n = append(n, k+"="+v)
 		*s = n
diff --git a/vendor/github.com/projectatomic/buildah/imagebuildah/build.go b/vendor/github.com/projectatomic/buildah/imagebuildah/build.go
index 42e51878e..bcdcfb678 100644
--- a/vendor/github.com/projectatomic/buildah/imagebuildah/build.go
+++ b/vendor/github.com/projectatomic/buildah/imagebuildah/build.go
@@ -96,6 +96,8 @@ type BuildOptions struct {
 	// is supplied, the message will be sent to Err (or os.Stderr, if Err
 	// is nil) by default.
 	Log func(format string, args ...interface{})
+	// In is connected to stdin for RUN instructions.
+	In io.Reader
 	// Out is a place where non-error log messages are sent.
 	Out io.Writer
 	// Err is a place where error log messages should be sent.
@@ -190,6 +192,7 @@ type Executor struct {
 	outputFormat string
 	additionalTags []string
 	log func(format string, args ...interface{})
+	in io.Reader
 	out io.Writer
 	err io.Writer
 	signaturePolicyPath string
@@ -471,11 +474,15 @@ func (b *Executor) Run(run imagebuilder.Run, config docker.Config) error {
 	if b.builder == nil {
 		return errors.Errorf("no build container available")
 	}
-	devNull, err := os.Open(os.DevNull)
-	if err != nil {
-		return errors.Errorf("error opening %q for reading: %v", os.DevNull, err)
+	stdin := b.in
+	if stdin == nil {
+		devNull, err := os.Open(os.DevNull)
+		if err != nil {
+			return errors.Errorf("error opening %q for reading: %v", os.DevNull, err)
+		}
+		defer devNull.Close()
+		stdin = devNull
 	}
-	defer devNull.Close()
 	options := buildah.RunOptions{
 		Hostname: config.Hostname,
 		Runtime: b.runtime,
@@ -486,7 +493,7 @@ func (b *Executor) Run(run imagebuilder.Run, config docker.Config) error {
 		WorkingDir: config.WorkingDir,
 		Entrypoint: config.Entrypoint,
 		Cmd: config.Cmd,
-		Stdin: devNull,
+		Stdin: stdin,
 		Stdout: b.out,
 		Stderr: b.err,
 		Quiet: b.quiet,
@@ -504,7 +511,7 @@ func (b *Executor) Run(run imagebuilder.Run, config docker.Config) error {
 	if err := b.volumeCacheSave(); err != nil {
 		return err
 	}
-	err = b.builder.Run(args, options)
+	err := b.builder.Run(args, options)
 	if err2 := b.volumeCacheRestore(); err2 != nil {
 		if err == nil {
 			return err2
@@ -557,6 +564,7 @@ func NewExecutor(store storage.Store, options BuildOptions) (*Executor, error) {
 		volumeCache: make(map[string]string),
 		volumeCacheInfo: make(map[string]os.FileInfo),
 		log: options.Log,
+		in: options.In,
 		out: options.Out,
 		err: options.Err,
 		reportWriter: options.ReportWriter,
@@ -1203,8 +1211,9 @@ func BuildDockerfiles(ctx context.Context, store storage.Store, options BuildOpt
 		}
 		data = resp.Body
 	} else {
-		if !filepath.IsAbs(dfile) {
-			logrus.Debugf("resolving local Dockerfile %q", dfile)
+		// If the Dockerfile isn't found try prepending the
+		// context directory to it.
+		if _, err := os.Stat(dfile); os.IsNotExist(err) {
 			dfile = filepath.Join(options.ContextDirectory, dfile)
 		}
 		logrus.Debugf("reading local Dockerfile %q", dfile)
diff --git a/vendor/github.com/projectatomic/buildah/new.go b/vendor/github.com/projectatomic/buildah/new.go
index 60d217552..1895bae48 100644
--- a/vendor/github.com/projectatomic/buildah/new.go
+++ b/vendor/github.com/projectatomic/buildah/new.go
@@ -66,7 +66,13 @@ func reserveSELinuxLabels(store storage.Store, id string) error {
 }
 
 func pullAndFindImage(ctx context.Context, store storage.Store, imageName string, options BuilderOptions, sc *types.SystemContext) (*storage.Image, types.ImageReference, error) {
-	ref, err := pullImage(ctx, store, imageName, options, sc)
+	pullOptions := PullOptions{
+		ReportWriter: options.ReportWriter,
+		Store: store,
+		SystemContext: options.SystemContext,
+		Transport: options.Transport,
+	}
+	ref, err := pullImage(ctx, store, imageName, pullOptions, sc)
 	if err != nil {
 		logrus.Debugf("error pulling image %q: %v", imageName, err)
 		return nil, nil, err
@@ -248,15 +254,6 @@ func newBuilder(ctx context.Context, store storage.Store, options BuilderOptions
 		defer src.Close()
 	}
 
-	// If the pull command was used, we only pull the image,
-	// we don't create a container.
-	if options.ImageOnly {
-		imgBuilder := &Builder{
-			FromImageID: imageID,
-		}
-		return imgBuilder, nil
-	}
-
 	name := "working-container"
 	if options.Container != "" {
 		name = options.Container
diff --git a/vendor/github.com/projectatomic/buildah/pkg/cli/common.go b/vendor/github.com/projectatomic/buildah/pkg/cli/common.go
index de3326842..39a1773e4 100644
--- a/vendor/github.com/projectatomic/buildah/pkg/cli/common.go
+++ b/vendor/github.com/projectatomic/buildah/pkg/cli/common.go
@@ -176,10 +176,6 @@ var (
 			Name: "squash",
 			Usage: "Squash newly built layers into a single new layer. The build process does not currently support caching so this is a NOOP.",
 		},
-		cli.BoolTFlag{
-			Name: "stream",
-			Usage: "There is no daemon in use, so this command is a NOOP.",
-		},
 		cli.StringSliceFlag{
 			Name: "tag, t",
 			Usage: "tagged `name` to apply to the built image",
diff --git a/vendor/github.com/projectatomic/buildah/pkg/parse/parse.go b/vendor/github.com/projectatomic/buildah/pkg/parse/parse.go
index bd333a2cc..2dff18818 100644
--- a/vendor/github.com/projectatomic/buildah/pkg/parse/parse.go
+++ b/vendor/github.com/projectatomic/buildah/pkg/parse/parse.go
@@ -545,6 +545,8 @@ func defaultIsolation() (buildah.Isolation, error) {
 	if isSet {
 		if strings.HasPrefix(strings.ToLower(isolation), "oci") {
 			return buildah.IsolationOCI, nil
+		} else if strings.HasPrefix(strings.ToLower(isolation), "rootless") {
+			return buildah.IsolationOCIRootless, nil
 		} else if strings.HasPrefix(strings.ToLower(isolation), "chroot") {
 			return buildah.IsolationChroot, nil
 		}
@@ -558,6 +560,8 @@ func IsolationOption(c *cli.Context) (buildah.Isolation, error) {
 	if c.String("isolation") != "" {
 		if strings.HasPrefix(strings.ToLower(c.String("isolation")), "oci") {
 			return buildah.IsolationOCI, nil
+		} else if strings.HasPrefix(strings.ToLower(c.String("isolation")), "rootless") {
+			return buildah.IsolationOCIRootless, nil
 		} else if strings.HasPrefix(strings.ToLower(c.String("isolation")), "chroot") {
 			return buildah.IsolationChroot, nil
 		} else {
diff --git a/vendor/github.com/projectatomic/buildah/pull.go b/vendor/github.com/projectatomic/buildah/pull.go
index e9ce03f02..48d7f76ed 100644
--- a/vendor/github.com/projectatomic/buildah/pull.go
+++ b/vendor/github.com/projectatomic/buildah/pull.go
@@ -2,6 +2,7 @@ package buildah
 
 import (
 	"context"
+	"io"
 	"strings"
 
 	cp "github.com/containers/image/copy"
@@ -20,6 +21,28 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+// PullOptions can be used to alter how an image is copied in from somewhere.
+type PullOptions struct {
+	// SignaturePolicyPath specifies an override location for the signature
+	// policy which should be used for verifying the new image as it is
+	// being written. Except in specific circumstances, no value should be
+	// specified, indicating that the shared, system-wide default policy
+	// should be used.
+	SignaturePolicyPath string
+	// ReportWriter is an io.Writer which will be used to log the writing
+	// of the new image.
+	ReportWriter io.Writer
+	// Store is the local storage store which holds the source image.
+	Store storage.Store
+	// github.com/containers/image/types SystemContext to hold credentials
+	// and other authentication/authorization information.
+	SystemContext *types.SystemContext
+	// Transport is a value which is prepended to the image's name, if the
+	// image name alone can not be resolved to a reference to a source
+	// image. No separator is implicitly added.
+	Transport string
+}
+
 func localImageNameForReference(ctx context.Context, store storage.Store, srcRef types.ImageReference, spec string) (string, error) {
 	if srcRef == nil {
 		return "", errors.Errorf("reference to image is empty")
@@ -112,7 +135,13 @@ func localImageNameForReference(ctx context.Context, store storage.Store, srcRef
 	return name, nil
 }
 
-func pullImage(ctx context.Context, store storage.Store, imageName string, options BuilderOptions, sc *types.SystemContext) (types.ImageReference, error) {
+// Pull copies the contents of the image from somewhere else.
+func Pull(ctx context.Context, imageName string, options PullOptions) (types.ImageReference, error) {
+	systemContext := getSystemContext(options.SystemContext, options.SignaturePolicyPath)
+	return pullImage(ctx, options.Store, imageName, options, systemContext)
+}
+
+func pullImage(ctx context.Context, store storage.Store, imageName string, options PullOptions, sc *types.SystemContext) (types.ImageReference, error) {
 	spec := imageName
 	srcRef, err := alltransports.ParseImageName(spec)
 	if err != nil {
@@ -144,12 +173,6 @@ func pullImage(ctx context.Context, store storage.Store, imageName string, optio
 		return nil, errors.Wrapf(err, "error parsing image name %q", destName)
 	}
 
-	img, err := srcRef.NewImageSource(ctx, sc)
-	if err != nil {
-		return nil, errors.Wrapf(err, "error initializing %q as an image source", spec)
-	}
-	img.Close()
-
 	policy, err := signature.DefaultPolicy(sc)
 	if err != nil {
 		return nil, errors.Wrapf(err, "error obtaining default signature policy")
diff --git a/vendor/github.com/projectatomic/buildah/run.go b/vendor/github.com/projectatomic/buildah/run.go
index b6a21cdad..71a76862e 100644
--- a/vendor/github.com/projectatomic/buildah/run.go
+++ b/vendor/github.com/projectatomic/buildah/run.go
@@ -19,6 +19,7 @@ import (
 	"time"
 
 	"github.com/containernetworking/cni/libcni"
+	"github.com/containers/libpod/pkg/secrets"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/ioutils"
 	"github.com/containers/storage/pkg/reexec"
@@ -31,7 +32,6 @@ import (
 	"github.com/projectatomic/buildah/bind"
 	"github.com/projectatomic/buildah/chroot"
 	"github.com/projectatomic/buildah/util"
-	"github.com/projectatomic/libpod/pkg/secrets"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/crypto/ssh/terminal"
 	"golang.org/x/sys/unix"
@@ -116,6 +116,8 @@ const (
 	// IsolationChroot is a more chroot-like environment: less isolation,
 	// but with fewer requirements.
 	IsolationChroot
+	// IsolationOCIRootless is a proper OCI runtime in rootless mode.
+	IsolationOCIRootless
 )
 
 // String converts a Isolation into a string.
@@ -127,6 +129,8 @@ func (i Isolation) String() string {
 		return "IsolationOCI"
 	case IsolationChroot:
 		return "IsolationChroot"
+	case IsolationOCIRootless:
+		return "IsolationOCIRootless"
 	}
 	return fmt.Sprintf("unrecognized isolation type %d", i)
 }
@@ -135,7 +139,7 @@ func (i Isolation) String() string {
 type RunOptions struct {
 	// Hostname is the hostname we set for the running container.
 	Hostname string
-	// Isolation is either IsolationDefault, IsolationOCI, or IsolationChroot.
+	// Isolation is either IsolationDefault, IsolationOCI, IsolationChroot, or IsolationOCIRootless.
 	Isolation Isolation
 	// Runtime is the name of the runtime to run. It should accept the
 	// same arguments that runc does, and produce similar output.
@@ -350,6 +354,13 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
 		return false
 	}
 
+	ipc := namespaceOptions.Find(string(specs.IPCNamespace))
+	hostIPC := ipc == nil || ipc.Host
+	net := namespaceOptions.Find(string(specs.NetworkNamespace))
+	hostNetwork := net == nil || net.Host
+	user := namespaceOptions.Find(string(specs.UserNamespace))
+	hostUser := user == nil || user.Host
+
 	// Copy mounts from the generated list.
 	mountCgroups := true
 	specMounts := []specs.Mount{}
@@ -357,9 +368,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
 		// Override some of the mounts from the generated list if we're doing different things with namespaces.
 		if specMount.Destination == "/dev/shm" {
 			specMount.Options = []string{"nosuid", "noexec", "nodev", "mode=1777", "size=" + shmSize}
-			user := namespaceOptions.Find(string(specs.UserNamespace))
-			ipc := namespaceOptions.Find(string(specs.IPCNamespace))
-			if (ipc == nil || ipc.Host) && (user != nil && !user.Host) {
+			if hostIPC && !hostUser {
 				if _, err := os.Stat("/dev/shm"); err != nil && os.IsNotExist(err) {
 					continue
 				}
@@ -372,9 +381,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
 			}
 		}
 		if specMount.Destination == "/dev/mqueue" {
-			user := namespaceOptions.Find(string(specs.UserNamespace))
-			ipc := namespaceOptions.Find(string(specs.IPCNamespace))
-			if (ipc == nil || ipc.Host) && (user != nil && !user.Host) {
+			if hostIPC && !hostUser {
 				if _, err := os.Stat("/dev/mqueue"); err != nil && os.IsNotExist(err) {
 					continue
 				}
@@ -387,9 +394,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
 			}
 		}
 		if specMount.Destination == "/sys" {
-			user := namespaceOptions.Find(string(specs.UserNamespace))
-			net := namespaceOptions.Find(string(specs.NetworkNamespace))
-			if (net == nil || net.Host) && (user != nil && !user.Host) {
+			if hostNetwork && !hostUser {
 				mountCgroups = false
 				if _, err := os.Stat("/sys"); err != nil && os.IsNotExist(err) {
 					continue
@@ -715,7 +720,6 @@ func setupTerminal(g *generate.Generator, terminalPolicy TerminalPolicy, termina
 
 func setupNamespaces(g *generate.Generator, namespaceOptions NamespaceOptions, idmapOptions IDMappingOptions, policy NetworkConfigurationPolicy) (configureNetwork bool, configureNetworks []string, configureUTS bool, err error) {
 	// Set namespace options in the container configuration.
-	hostPidns := false
 	configureUserns := false
 	specifiedNetwork := false
 	for _, namespaceOption := range namespaceOptions {
@@ -725,8 +729,6 @@ func setupNamespaces(g *generate.Generator, namespaceOptions NamespaceOptions, i
 			if !namespaceOption.Host && namespaceOption.Path == "" {
 				configureUserns = true
 			}
-		case string(specs.PIDNamespace):
-			hostPidns = namespaceOption.Host
 		case string(specs.NetworkNamespace):
 			specifiedNetwork = true
 			configureNetwork = false
@@ -754,11 +756,9 @@ func setupNamespaces(g *generate.Generator, namespaceOptions NamespaceOptions, i
 			return false, nil, false, errors.Wrapf(err, "error adding %q namespace %q for run", namespaceOption.Name, namespaceOption.Path)
 		}
 	}
+	// If we've got mappings, we're going to have to create a user namespace.
 	if len(idmapOptions.UIDMap) > 0 || len(idmapOptions.GIDMap) > 0 || configureUserns {
-		if hostPidns {
-			return false, nil, false, errors.New("unable to mix host PID namespace with user namespace")
-		}
 		if err := g.AddOrReplaceLinuxNamespace(specs.UserNamespace, ""); err != nil {
 			return false, nil, false, errors.Wrapf(err, "error adding new %q namespace for run", string(specs.UserNamespace))
 		}
@@ -940,26 +940,26 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 			logrus.Errorf("error removing %q: %v", path, err2)
 		}
 	}()
+
 	gp, err := generate.New("linux")
 	if err != nil {
 		return err
 	}
-
 	g := &gp
-	b.configureEnvironment(g, options)
-
-	if os.Getuid() != 0 {
-		g.RemoveMount("/dev/pts")
-		devPts := specs.Mount{
-			Destination: "/dev/pts",
-			Type: "devpts",
-			Source: "devpts",
-			Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
+	isolation := options.Isolation
+	if isolation == IsolationDefault {
+		isolation = b.Isolation
+		if isolation == IsolationDefault {
+			isolation = IsolationOCI
 		}
-		g.AddMount(devPts)
+	}
+	if err := checkAndOverrideIsolationOptions(isolation, &options); err != nil {
+		return err
 	}
+	b.configureEnvironment(g, options)
+
 	if b.CommonBuildOpts == nil {
 		return errors.Errorf("Invalid format on container you must recreate the container")
 	}
@@ -1070,24 +1070,139 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 		}
 	}
 
-	isolation := options.Isolation
-	if isolation == IsolationDefault {
-		isolation = b.Isolation
-		if isolation == IsolationDefault {
-			isolation = IsolationOCI
-		}
-	}
 	switch isolation {
 	case IsolationOCI:
-		err = b.runUsingRuntimeSubproc(options, configureNetwork, configureNetworks, spec, mountPoint, path, Package+"-"+filepath.Base(path))
+		// The default is --rootless=auto, which makes troubleshooting a bit harder.
+		// rootlessFlag := []string{"--rootless=false"}
+		// for _, arg := range options.Args {
+		// if strings.HasPrefix(arg, "--rootless") {
+		// rootlessFlag = nil
+		// }
+		// }
+		// options.Args = append(options.Args, rootlessFlag...)
+		err = b.runUsingRuntimeSubproc(options, configureNetwork, configureNetworks, nil, spec, mountPoint, path, Package+"-"+filepath.Base(path))
 	case IsolationChroot:
 		err = chroot.RunUsingChroot(spec, path, options.Stdin, options.Stdout, options.Stderr)
+	case IsolationOCIRootless:
+		if err := setupRootlessSpecChanges(spec, path, rootUID, rootGID); err != nil {
+			return err
+		}
+		rootlessFlag := []string{"--rootless=true"}
+		for _, arg := range options.Args {
+			if strings.HasPrefix(arg, "--rootless") {
+				rootlessFlag = nil
+			}
+		}
+		options.Args = append(options.Args, rootlessFlag...)
+		err = b.runUsingRuntimeSubproc(options, configureNetwork, configureNetworks, []string{"--no-new-keyring"}, spec, mountPoint, path, Package+"-"+filepath.Base(path))
 	default:
 		err = errors.Errorf("don't know how to run this command")
 	}
 	return err
 }
 
+func checkAndOverrideIsolationOptions(isolation Isolation, options *RunOptions) error {
+	switch isolation {
+	case IsolationOCIRootless:
+		if ns := options.NamespaceOptions.Find(string(specs.IPCNamespace)); ns == nil || ns.Host {
+			logrus.Debugf("Forcing use of an IPC namespace.")
+		}
+		options.NamespaceOptions.AddOrReplace(NamespaceOption{Name: string(specs.IPCNamespace)})
+		if ns := options.NamespaceOptions.Find(string(specs.NetworkNamespace)); ns != nil && !ns.Host {
+			logrus.Debugf("Disabling network namespace.")
+		}
+		options.NamespaceOptions.AddOrReplace(NamespaceOption{Name: string(specs.NetworkNamespace), Host: true})
+		if ns := options.NamespaceOptions.Find(string(specs.PIDNamespace)); ns == nil || ns.Host {
+			logrus.Debugf("Forcing use of a PID namespace.")
+		}
+		options.NamespaceOptions.AddOrReplace(NamespaceOption{Name: string(specs.PIDNamespace), Host: false})
+		if ns := options.NamespaceOptions.Find(string(specs.UserNamespace)); ns == nil || ns.Host {
+			logrus.Debugf("Forcing use of a user namespace.")
+		}
+		options.NamespaceOptions.AddOrReplace(NamespaceOption{Name: string(specs.UserNamespace)})
+		if ns := options.NamespaceOptions.Find(string(specs.UTSNamespace)); ns != nil && !ns.Host {
+			logrus.Debugf("Disabling UTS namespace.")
+		}
+		options.NamespaceOptions.AddOrReplace(NamespaceOption{Name: string(specs.UTSNamespace), Host: true})
+	case IsolationOCI:
+		pidns := options.NamespaceOptions.Find(string(specs.PIDNamespace))
+		userns := options.NamespaceOptions.Find(string(specs.UserNamespace))
+		if (pidns == nil || pidns.Host) && (userns != nil && !userns.Host) {
+			return fmt.Errorf("not allowed to mix host PID namespace with container user namespace")
+		}
+	}
+	return nil
+}
+
+func setupRootlessSpecChanges(spec *specs.Spec, bundleDir string, rootUID, rootGID uint32) error {
+	spec.Hostname = ""
+	spec.Process.User.AdditionalGids = nil
+	spec.Linux.Resources = nil
+
+	emptyDir := filepath.Join(bundleDir, "empty")
+	if err := os.Mkdir(emptyDir, 0); err != nil {
+		return errors.Wrapf(err, "error creating %q", emptyDir)
+	}
+
+	// Replace /sys with a read-only bind mount.
+	mounts := []specs.Mount{
+		{
+			Source: "/dev",
+			Destination: "/dev",
+			Type: "tmpfs",
+			Options: []string{"private", "strictatime", "noexec", "nosuid", "mode=755", "size=65536k"},
+		},
+		{
+			Source: "mqueue",
+			Destination: "/dev/mqueue",
+			Type: "mqueue",
+			Options: []string{"private", "nodev", "noexec", "nosuid"},
+		},
+		{
+			Source: "pts",
+			Destination: "/dev/pts",
+			Type: "devpts",
+			Options: []string{"private", "noexec", "nosuid", "newinstance", "ptmxmode=0666", "mode=0620"},
+		},
+		{
+			Source: "shm",
+			Destination: "/dev/shm",
+			Type: "tmpfs",
+			Options: []string{"private", "nodev", "noexec", "nosuid", "mode=1777", "size=65536k"},
+		},
+		{
+			Source: "/proc",
+			Destination: "/proc",
+			Type: "proc",
+			Options: []string{"private", "nodev", "noexec", "nosuid"},
+		},
+		{
+			Source: "/sys",
+			Destination: "/sys",
+			Type: "bind",
+			Options: []string{bind.NoBindOption, "rbind", "private", "nodev", "noexec", "nosuid", "ro"},
+		},
+	}
+	// Cover up /sys/fs/cgroup and /sys/fs/selinux, if they exist in our source for /sys.
+	if _, err := os.Stat("/sys/fs/cgroup"); err == nil {
+		spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/cgroup")
+	}
+	if _, err := os.Stat("/sys/fs/selinux"); err == nil {
+		spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
+	}
+	// Keep anything that isn't under /dev, /proc, or /sys.
+	for i := range spec.Mounts {
+		if spec.Mounts[i].Destination == "/dev" || strings.HasPrefix(spec.Mounts[i].Destination, "/dev/") ||
+			spec.Mounts[i].Destination == "/proc" || strings.HasPrefix(spec.Mounts[i].Destination, "/proc/") ||
+			spec.Mounts[i].Destination == "/sys" || strings.HasPrefix(spec.Mounts[i].Destination, "/sys/") {
+			continue
+		}
+		mounts = append(mounts, spec.Mounts[i])
+	}
+	spec.Mounts = mounts
+	return nil
+}
+
 type runUsingRuntimeSubprocOptions struct {
 	Options RunOptions
 	Spec *specs.Spec
@@ -1095,10 +1210,11 @@ type runUsingRuntimeSubprocOptions struct {
 	BundlePath string
 	ConfigureNetwork bool
 	ConfigureNetworks []string
+	MoreCreateArgs []string
 	ContainerName string
 }
 
-func (b *Builder) runUsingRuntimeSubproc(options RunOptions, configureNetwork bool, configureNetworks []string, spec *specs.Spec, rootPath, bundlePath, containerName string) (err error) {
+func (b *Builder) runUsingRuntimeSubproc(options RunOptions, configureNetwork bool, configureNetworks, moreCreateArgs []string, spec *specs.Spec, rootPath, bundlePath, containerName string) (err error) {
 	var confwg sync.WaitGroup
 	config, conferr := json.Marshal(runUsingRuntimeSubprocOptions{
 		Options: options,
@@ -1107,6 +1223,7 @@ func (b *Builder) runUsingRuntimeSubproc(options RunOptions, configureNetwork bo
 		BundlePath: bundlePath,
 		ConfigureNetwork: configureNetwork,
 		ConfigureNetworks: configureNetworks,
+		MoreCreateArgs: moreCreateArgs,
 		ContainerName: containerName,
 	})
 	if conferr != nil {
@@ -1177,7 +1294,7 @@ func runUsingRuntimeMain() {
 		os.Exit(1)
 	}
 	// Run the container, start to finish.
-	status, err := runUsingRuntime(options.Options, options.ConfigureNetwork, options.ConfigureNetworks, options.Spec, options.RootPath, options.BundlePath, options.ContainerName)
+	status, err := runUsingRuntime(options.Options, options.ConfigureNetwork, options.ConfigureNetworks, options.MoreCreateArgs, options.Spec, options.RootPath, options.BundlePath, options.ContainerName)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "error running container: %v\n", err)
 		os.Exit(1)
@@ -1192,7 +1309,7 @@ func runUsingRuntimeMain() {
 	os.Exit(1)
 }
 
-func runUsingRuntime(options RunOptions, configureNetwork bool, configureNetworks []string, spec *specs.Spec, rootPath, bundlePath, containerName string) (wstatus unix.WaitStatus, err error) {
+func runUsingRuntime(options RunOptions, configureNetwork bool, configureNetworks, moreCreateArgs []string, spec *specs.Spec, rootPath, bundlePath, containerName string) (wstatus unix.WaitStatus, err error) {
 	// Lock the caller to a single OS-level thread.
 	runtime.LockOSThread()
 
@@ -1226,8 +1343,6 @@ func runUsingRuntime(options RunOptions, configureNetwork bool, configureNetwork
 		runtime = util.Runtime()
 	}
 
-	// Default to not specifying a console socket location.
-	var moreCreateArgs []string
 	// Default to just passing down our stdio.
 	getCreateStdio := func() (io.ReadCloser, io.WriteCloser, io.WriteCloser) {
 		return os.Stdin, os.Stdout, os.Stderr
@@ -1313,6 +1428,7 @@ func runUsingRuntime(options RunOptions, configureNetwork bool, configureNetwork
 	del.Stderr = os.Stderr
 
 	// Actually create the container.
+	logrus.Debugf("Running %q", create.Args)
 	err = create.Run()
 	if err != nil {
 		return 1, errors.Wrapf(err, "error creating container for %v: %s", spec.Process.Args, runCollectOutput(errorFds, closeBeforeReadingErrorFds))
@@ -1373,6 +1489,7 @@ func runUsingRuntime(options RunOptions, configureNetwork bool, configureNetwork
 	go runCopyStdio(&stdio, copyPipes, stdioPipe, copyConsole, consoleListener, finishCopy, finishedCopy, spec)
 
 	// Start the container.
+	logrus.Debugf("Running %q", start.Args)
 	err = start.Run()
 	if err != nil {
 		return 1, errors.Wrapf(err, "error starting container")
diff --git a/vendor/github.com/projectatomic/buildah/unshare/unshare.go b/vendor/github.com/projectatomic/buildah/unshare/unshare.go
index ed2a97934..4eea74956 100644
--- a/vendor/github.com/projectatomic/buildah/unshare/unshare.go
+++ b/vendor/github.com/projectatomic/buildah/unshare/unshare.go
@@ -33,7 +33,7 @@ type Cmd struct {
 	Setsid bool
 	Setpgrp bool
 	Ctty *os.File
-	OOMScoreAdj int
+	OOMScoreAdj *int
 	Hook func(pid int) error
 }
@@ -234,18 +234,18 @@ func (c *Cmd) Start() error {
 		}
 	}
 
-	// Adjust the process's OOM score.
-	oomScoreAdj, err := os.OpenFile(fmt.Sprintf("/proc/%s/oom_score_adj", pidString), os.O_TRUNC|os.O_WRONLY, 0)
-	if err != nil {
-		fmt.Fprintf(continueWrite, "error opening oom_score_adj: %v", err)
-		return errors.Wrapf(err, "error opening /proc/%s/oom_score_adj", pidString)
-	}
-	if _, err := fmt.Fprintf(oomScoreAdj, "%d\n", c.OOMScoreAdj); err != nil {
-		fmt.Fprintf(continueWrite, "error writing \"%d\" to oom_score_adj: %v", c.OOMScoreAdj, err)
-		return errors.Wrapf(err, "error writing \"%d\" to /proc/%s/oom_score_adj", c.OOMScoreAdj, pidString)
+	if c.OOMScoreAdj != nil {
+		oomScoreAdj, err := os.OpenFile(fmt.Sprintf("/proc/%s/oom_score_adj", pidString), os.O_TRUNC|os.O_WRONLY, 0)
+		if err != nil {
+			fmt.Fprintf(continueWrite, "error opening oom_score_adj: %v", err)
+			return errors.Wrapf(err, "error opening /proc/%s/oom_score_adj", pidString)
+		}
+		defer oomScoreAdj.Close()
+		if _, err := fmt.Fprintf(oomScoreAdj, "%d\n", *c.OOMScoreAdj); err != nil {
+			fmt.Fprintf(continueWrite, "error writing \"%d\" to oom_score_adj: %v", c.OOMScoreAdj, err)
+			return errors.Wrapf(err, "error writing \"%d\" to /proc/%s/oom_score_adj", c.OOMScoreAdj, pidString)
+		}
 	}
-	defer oomScoreAdj.Close()
-
 	// Run any additional setup that we want to do before the child starts running proper.
 	if c.Hook != nil {
 		if err = c.Hook(pid); err != nil {
diff --git a/vendor/github.com/projectatomic/buildah/util.go b/vendor/github.com/projectatomic/buildah/util.go
index 4aa19b384..ef9be87fb 100644
--- a/vendor/github.com/projectatomic/buildah/util.go
+++ b/vendor/github.com/projectatomic/buildah/util.go
@@ -7,7 +7,7 @@ import (
 	"sync"
 
 	"github.com/containers/image/docker/reference"
-	"github.com/containers/image/pkg/sysregistries"
+	"github.com/containers/image/pkg/sysregistriesv2"
 	"github.com/containers/image/types"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/containers/storage/pkg/chrootarchive"
@@ -166,12 +166,18 @@ func (b *Builder) tarPath() func(path string) (io.ReadCloser, error) {
 	}
 }
 
-// getRegistries obtains the list of registries defined in the global registries file.
+// getRegistries obtains the list of search registries defined in the global registries file.
 func getRegistries(sc *types.SystemContext) ([]string, error) {
-	searchRegistries, err := sysregistries.GetRegistries(sc)
+	var searchRegistries []string
+	registries, err := sysregistriesv2.GetRegistries(sc)
 	if err != nil {
 		return nil, errors.Wrapf(err, "unable to parse the registries.conf file")
 	}
+	for _, registry := range sysregistriesv2.FindUnqualifiedSearchRegistries(registries) {
+		if !registry.Blocked {
+			searchRegistries = append(searchRegistries, registry.URL)
+		}
+	}
 	return searchRegistries, nil
 }
 
diff --git a/vendor/github.com/projectatomic/buildah/util/util.go b/vendor/github.com/projectatomic/buildah/util/util.go
index 2617a27b7..1e7361462 100644
--- a/vendor/github.com/projectatomic/buildah/util/util.go
+++ b/vendor/github.com/projectatomic/buildah/util/util.go
@@ -15,7 +15,7 @@ import (
 	dockerarchive "github.com/containers/image/docker/archive"
 	"github.com/containers/image/docker/reference"
 	ociarchive "github.com/containers/image/oci/archive"
-	"github.com/containers/image/pkg/sysregistries"
+	"github.com/containers/image/pkg/sysregistriesv2"
 	"github.com/containers/image/signature"
 	is "github.com/containers/image/storage"
 	"github.com/containers/image/tarball"
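Review bot: The loop that keeps only non-blocked unqualified-search registries is written out here and again, verbatim, in the ResolveName hunk of util/util.go; a single helper that takes the `[]sysregistriesv2.Registry` and returns the `[]string` of URLs would keep the two filters from drifting apart when the policy changes. The updated doc comment also stops short of what the code now does, so I would make it `// getRegistries obtains the unqualified-search registries defined in the global registries file, omitting any marked blocked.`. Since only `registry.URL` survives into the `[]string` result, any per-registry `Insecure` setting from registries.conf is dropped here; presumably the callers do not need it, but that is worth confirming.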
@@ -114,11 +114,17 @@ func ResolveName(name string, firstRegistry string, sc *types.SystemContext, sto
 	}
 
 	// Figure out the list of registries.
-	registries, err := sysregistries.GetRegistries(sc)
+	var registries []string
+	allRegistries, err := sysregistriesv2.GetRegistries(sc)
 	if err != nil {
 		logrus.Debugf("unable to read configured registries to complete %q: %v", name, err)
 		registries = []string{}
 	}
+	for _, registry := range sysregistriesv2.FindUnqualifiedSearchRegistries(allRegistries) {
+		if !registry.Blocked {
+			registries = append(registries, registry.URL)
+		}
+	}
 
 	// Create all of the combinations. Some registries need an additional component added, so
 	// use our lookaside map to keep track of them. If there are no configured registries, we'll
diff --git a/vendor/github.com/projectatomic/buildah/vendor.conf b/vendor/github.com/projectatomic/buildah/vendor.conf
index 5a99b0cbf..3fec2d1f1 100644
--- a/vendor/github.com/projectatomic/buildah/vendor.conf
+++ b/vendor/github.com/projectatomic/buildah/vendor.conf
@@ -4,10 +4,10 @@ github.com/BurntSushi/toml master
 github.com/containerd/continuity master
 github.com/containernetworking/cni v0.6.0
 github.com/seccomp/containers-golang master
-github.com/containers/image 134f99bed228d6297dc01d152804f6f09f185418
+github.com/containers/image 216acb1bcd2c1abef736ee322e17147ee2b7d76c
 github.com/containers/storage 17c7d1fee5603ccf6dd97edc14162fc1510e7e23
 github.com/docker/distribution 5f6282db7d65e6d72ad7c2cc66310724a57be716
-github.com/docker/docker b8571fd81c7d2223c9ecbf799c693e3ef1daaea9
+github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00
 github.com/docker/docker-credential-helpers d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
 github.com/docker/engine-api master
 github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
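Review bot: After the `sysregistriesv2` switch the `registries = []string{}` assignment in the error branch no longer decides anything: `registries` already starts empty from `var registries []string`, and the filter loop runs unconditionally afterwards, so if `GetRegistries` ever returned a partial slice alongside an error those entries would still be appended despite the debug message saying the configuration could not be read. If the intent is "no registries on error", skipping the loop makes that explicit, e.g. `if err != nil { logrus.Debugf(...); allRegistries = nil }` and drop the `registries = []string{}` line; if the old nil-vs-empty distinction matters to the code below, keep `registries := []string{}` instead of the `var`. The rest of ResolveName, including the code that consumes `registries`, lies outside the hunk.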
@@ -42,7 +42,8 @@ github.com/ostreedev/ostree-go aeb02c6b6aa2889db3ef62f7855650755befd460
 github.com/pborman/uuid master
 github.com/pkg/errors master
 github.com/pquerna/ffjson d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac
-github.com/projectatomic/libpod master
+github.com/containers/libpod master
+github.com/containers/libpod master
 github.com/sirupsen/logrus master
 github.com/syndtr/gocapability master
 github.com/tchap/go-patricia master
|