From 2f3875d0098093fa740d871b81e91a8533fe9878 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 4 Mar 2019 08:35:09 -0500
Subject: Move secrets package to buildah

Trying to remove circular dependencies between libpod and buildah. First step to move pkg content from libpod to buildah.

Signed-off-by: Daniel J Walsh
---
 vendor/github.com/containers/buildah/buildah.go | 2 +-
 vendor/github.com/containers/buildah/new.go | 77 +++++++++-------------
 .../containers/buildah/pkg/secrets/secrets.go | 12 ++--
 vendor/github.com/containers/buildah/pull.go | 63 +++++++-----------
 vendor/github.com/containers/buildah/util/util.go | 18 +++--
 vendor/github.com/containers/buildah/vendor.conf | 2 +-
 6 files changed, 74 insertions(+), 100 deletions(-)
 (limited to 'vendor/github.com')

diff --git a/vendor/github.com/containers/buildah/buildah.go b/vendor/github.com/containers/buildah/buildah.go
index cca80a308..8f5364632 100644
--- a/vendor/github.com/containers/buildah/buildah.go
+++ b/vendor/github.com/containers/buildah/buildah.go
@@ -26,7 +26,7 @@ const (
 	Package = "buildah"
 	// Version for the Package. Bump version in contrib/rpm/buildah.spec
 	// too.
-	Version = "1.7.1"
+	Version = "1.8-dev"
 	// The value we use to identify what type of information, currently a
 	// serialized Builder structure, we are using as per-container state.
 	// This should only be changed when we make incompatible changes to
diff --git a/vendor/github.com/containers/buildah/new.go b/vendor/github.com/containers/buildah/new.go
index 768cdd0c6..262c90220 100644
--- a/vendor/github.com/containers/buildah/new.go
+++ b/vendor/github.com/containers/buildah/new.go
@@ -22,27 +22,23 @@ const ( // BaseImageFakeName is the "name" of a source image which we interpret // as "no image". BaseImageFakeName = imagebuilder.NoBaseImageSpecifier - - // minimumTruncatedIDLength is the minimum length of an identifier that - // we'll accept as possibly being a truncated image ID. - minimumTruncatedIDLength = 3 ) -func pullAndFindImage(ctx context.Context, store storage.Store, transport string, imageName string, options BuilderOptions, sc *types.SystemContext) (*storage.Image, types.ImageReference, error) { +func pullAndFindImage(ctx context.Context, store storage.Store, srcRef types.ImageReference, options BuilderOptions, sc *types.SystemContext) (*storage.Image, types.ImageReference, error) { pullOptions := PullOptions{ ReportWriter: options.ReportWriter, Store: store, SystemContext: options.SystemContext, BlobDirectory: options.PullBlobDirectory, } - ref, err := pullImage(ctx, store, transport, imageName, pullOptions, sc) + ref, err := pullImage(ctx, store, srcRef, pullOptions, sc) if err != nil { - logrus.Debugf("error pulling image %q: %v", imageName, err) + logrus.Debugf("error pulling image %q: %v", transports.ImageName(srcRef), err) return nil, nil, err } img, err := is.Transport.GetStoreImage(store, ref) if err != nil { - logrus.Debugf("error reading pulled image %q: %v", imageName, err) + logrus.Debugf("error reading pulled image %q: %v", transports.ImageName(srcRef), err) return nil, nil, errors.Wrapf(err, "error locating image %q in local storage", transports.ImageName(ref)) } return img, ref, nil 
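Review bot: pullAndFindImage changes its signature to take a parsed types.ImageReference but still carries no doc comment stating what it does with it, and both Debugf branches recompute `transports.ImageName(srcRef)`. I'd add `// pullAndFindImage pulls srcRef into store with pull options derived from options, then looks the pulled image up in local storage and returns it together with its storage reference.` above the signature, and compute the printable name once, `name := transports.ImageName(srcRef)`, for the two log lines. The function's closing brace lies outside the hunk.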
@@ -112,56 +108,45 @@ func resolveImage(ctx context.Context, systemContext *types.SystemContext, store failures := []failure{} for _, image := range candidates { - var err error - if len(image) >= minimumTruncatedIDLength { - if img, err := store.Image(image); err == nil && img != nil && strings.HasPrefix(img.ID, image) { - ref, err := is.Transport.ParseStoreReference(store, img.ID) - if err != nil { - return nil, "", nil, errors.Wrapf(err, "error parsing reference to image %q", img.ID) - } - return ref, transport, img, nil - } - } - - if options.PullPolicy == PullAlways { - pulledImg, pulledReference, err := pullAndFindImage(ctx, store, transport, image, options, systemContext) + if transport == "" { + img, err := store.Image(image) if err != nil { - logrus.Debugf("unable to pull and read image %q: %v", image, err) + logrus.Debugf("error looking up known-local image %q: %v", image, err) failures = append(failures, failure{resolvedImageName: image, err: err}) continue } - return pulledReference, transport, pulledImg, nil + ref, err := is.Transport.ParseStoreReference(store, img.ID) + if err != nil { + return nil, "", nil, errors.Wrapf(err, "error parsing reference to image %q", img.ID) + } + return ref, transport, img, nil } - srcRef, err := alltransports.ParseImageName(image) + trans := transport + if transport != util.DefaultTransport { + trans = trans + ":" + } + srcRef, err := alltransports.ParseImageName(trans + image) if err != nil { - if transport == "" { - logrus.Debugf("error parsing image name %q: %v", image, err) - failures = append(failures, failure{ - resolvedImageName: image, - err: errors.Wrapf(err, "error parsing image name"), - }) - continue - } - logrus.Debugf("error parsing image name %q as given, trying with transport %q: %v", image, transport, err) + logrus.Debugf("error parsing image name %q: %v", trans+image, err) + failures = append(failures, failure{ + resolvedImageName: image, + err: errors.Wrapf(err, "error parsing attempted image name 
%q", trans+image), + }) + continue + } - trans := transport - if transport != util.DefaultTransport { - trans = trans + ":" - } - srcRef2, err := alltransports.ParseImageName(trans + image) + if options.PullPolicy == PullAlways { + pulledImg, pulledReference, err := pullAndFindImage(ctx, store, srcRef, options, systemContext) if err != nil { - logrus.Debugf("error parsing image name %q: %v", transport+image, err) - failures = append(failures, failure{ - resolvedImageName: image, - err: errors.Wrapf(err, "error parsing attempted image name %q", transport+image), - }) + logrus.Debugf("unable to pull and read image %q: %v", image, err) + failures = append(failures, failure{resolvedImageName: image, err: err}) continue } - srcRef = srcRef2 + return pulledReference, transport, pulledImg, nil } - destImage, err := localImageNameForReference(ctx, store, srcRef, options.FromImage) + destImage, err := localImageNameForReference(ctx, store, srcRef) if err != nil { return nil, "", nil, errors.Wrapf(err, "error computing local image name for %q", transports.ImageName(srcRef)) } @@ -187,7 +172,7 @@ func resolveImage(ctx context.Context, systemContext *types.SystemContext, store continue } - pulledImg, pulledReference, err := pullAndFindImage(ctx, store, transport, image, options, systemContext) + pulledImg, pulledReference, err := pullAndFindImage(ctx, store, srcRef, options, systemContext) if err != nil { logrus.Debugf("unable to pull and read image %q: %v", image, err) failures = append(failures, failure{resolvedImageName: image, err: err}) diff --git a/vendor/github.com/containers/buildah/pkg/secrets/secrets.go b/vendor/github.com/containers/buildah/pkg/secrets/secrets.go index 242953609..3b64f8952 100644 --- a/vendor/github.com/containers/buildah/pkg/secrets/secrets.go +++ b/vendor/github.com/containers/buildah/pkg/secrets/secrets.go 
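Review bot: In the new PullAlways branch the failure is logged and recorded under the bare `image`, while the parse failure just above it records `trans+image`; now that srcRef is available, `logrus.Debugf("unable to pull and read image %q: %v", transports.ImageName(srcRef), err)` would name what was actually attempted, and the same applies to the identical lines in the @@ -187 hunk. The `transport == ""` branch now relies on the contract this commit documents on util.ResolveName (names with an empty transport are valid store.Image() inputs), and with `minimumTruncatedIDLength` and the `strings.HasPrefix(img.ID, image)` lookup removed, a short ID prefix is no longer matched against local images — an intentional tightening as far as I can tell, but worth one sentence in the commit message or a comment on the branch. resolveImage begins before and ends after this hunk.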
@@ -8,6 +8,7 @@ import ( "strings" "github.com/containers/libpod/pkg/rootless" + "github.com/containers/storage/pkg/idtools" rspec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" @@ -176,7 +177,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre // Add FIPS mode secret if /etc/system-fips exists on the host _, err := os.Stat("/etc/system-fips") if err == nil { - if err := addFIPSModeSecret(&secretMounts, containerWorkingDir); err != nil { + if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil { logrus.Errorf("error adding FIPS mode secret to container: %v", err) } } else if os.IsNotExist(err) { @@ -264,13 +265,16 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr // root filesystem if /etc/system-fips exists on hosts. // This enables the container to be FIPS compliant and run openssl in // FIPS mode as the host is also in FIPS mode. -func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error { +func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error { secretsDir := "/run/secrets" ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir) if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) { - if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil { + if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil { return errors.Wrapf(err, "making container directory on host failed") } + if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil { + return errors.Wrap(err, "error applying correct labels") + } } fipsFile := filepath.Join(ctrDirOnHost, "system-fips") // In the event of restart, it is possible for the FIPS mode file to already exist 
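Review bot: addFIPSModeSecret only creates, chowns and relabels the secrets directory when os.Stat reports it missing; any other Stat error and the pre-existing-directory case fall through to writing the file with no ownership or label check, so a directory left behind from an earlier run under a different uid/gid or label is reused as-is. I'd at least surface the non-ENOENT case: `if _, err := os.Stat(ctrDirOnHost); err != nil { if !os.IsNotExist(err) { return errors.Wrapf(err, "checking %q", ctrDirOnHost) } ... }`. The new mountPrefix parameter also changes the bind source to `filepath.Join(mountPrefix, secretsDir)` while the file is still written under containerWorkingDir, which presumably assumes mountPrefix is the path under which containerWorkingDir is reachable where the mount is set up; that assumption belongs in the function's doc comment, e.g. `// mountPrefix is the path at which containerWorkingDir is visible when the mount is applied; uid and gid own the created directory and mountLabel is applied to it.` The function continues past the hunk.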
@@ -284,7 +288,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error if !mountExists(*mounts, secretsDir) { m := rspec.Mount{ - Source: ctrDirOnHost, + Source: filepath.Join(mountPrefix, secretsDir), Destination: secretsDir, Type: "bind", Options: []string{"bind", "rprivate"}, diff --git a/vendor/github.com/containers/buildah/pull.go b/vendor/github.com/containers/buildah/pull.go index 363cf5ce2..d3c9870af 100644 --- a/vendor/github.com/containers/buildah/pull.go +++ b/vendor/github.com/containers/buildah/pull.go @@ -19,10 +19,9 @@ import ( "github.com/containers/image/signature" is "github.com/containers/image/storage" "github.com/containers/image/transports" - "github.com/containers/image/transports/alltransports" "github.com/containers/image/types" "github.com/containers/storage" - "github.com/hashicorp/go-multierror" + multierror "github.com/hashicorp/go-multierror" "github.com/pkg/errors" "github.com/sirupsen/logrus" ) @@ -52,15 +51,14 @@ type PullOptions struct { AllTags bool } -func localImageNameForReference(ctx context.Context, store storage.Store, srcRef types.ImageReference, spec string) (string, error) { +func localImageNameForReference(ctx context.Context, store storage.Store, srcRef types.ImageReference) (string, error) { if srcRef == nil { return "", errors.Errorf("reference to image is empty") } - split := strings.SplitN(spec, ":", 2) - file := split[len(split)-1] var name string switch srcRef.Transport().Name() { case dockerarchive.Transport.Name(): + file := srcRef.StringWithinTransport() tarSource, err := tarfile.NewSourceFromFile(file) if err != nil { return "", errors.Wrapf(err, "error opening tarfile %q as a source image", file) 
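Review bot: In the docker-archive case the new `file := srcRef.StringWithinTransport()` goes straight into tarfile.NewSourceFromFile; if that transport's string form can carry a trailing `:reference` the way the oci case in the following hunk splits one off, the open fails for `path:name:tag` references. The old `strings.SplitN(spec, ":", 2)` code kept everything after the first colon too, so this would be inherited rather than new, but it is worth confirming against the docker-archive reference type and, if so, splitting on `:` here as the oci case does. localImageNameForReference continues past the hunk.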
@@ -104,14 +102,15 @@ func localImageNameForReference(ctx context.Context, store storage.Store, srcRef } case directory.Transport.Name(): // supports pull from a directory - name = split[1] + name = srcRef.StringWithinTransport() // remove leading "/" if name[:1] == "/" { name = name[1:] } case oci.Transport.Name(): // supports pull from a directory - name = split[1] + split := strings.SplitN(srcRef.StringWithinTransport(), ":", 2) + name = split[0] // remove leading "/" if name[:1] == "/" { name = name[1:] 
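Review bot: Both the directory and oci cases strip a leading slash with `name[:1] == "/"`, which panics on an empty name; whether StringWithinTransport can yield an empty path for either transport is not visible here, but `name = strings.TrimPrefix(name, "/")` does the same job with no index and uses the strings import this hunk already relies on. The function starts before and ends after the hunk.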
@@ -175,21 +174,29 @@ func Pull(ctx context.Context, imageName string, options PullOptions) error { return errors.New("Non-docker transport is not supported, for --all-tags pulling") } - spec := transport + storageRef.DockerReference().Name() - storageRef, err = alltransports.ParseImageName(spec) + repo := reference.TrimNamed(storageRef.DockerReference()) + dockerRef, err := docker.NewReference(reference.TagNameOnly(storageRef.DockerReference())) if err != nil { - return errors.Wrapf(err, "error getting repository tags") + return errors.Wrapf(err, "internal error creating docker.Transport reference for %s", storageRef.DockerReference().String()) } - tags, err := docker.GetRepositoryTags(ctx, systemContext, storageRef) + tags, err := docker.GetRepositoryTags(ctx, systemContext, dockerRef) if err != nil { return errors.Wrapf(err, "error getting repository tags") } for _, tag := range tags { - name := spec + ":" + tag + tagged, err := reference.WithTag(repo, tag) + if err != nil { + errs = multierror.Append(errs, err) + continue + } + taggedRef, err := docker.NewReference(tagged) + if err != nil { + return errors.Wrapf(err, "internal error creating docker.Transport reference for %s", tagged.String()) + } if options.ReportWriter != nil { - options.ReportWriter.Write([]byte("Pulling " + name + "\n")) + options.ReportWriter.Write([]byte("Pulling " + tagged.String() + "\n")) } - ref, err := pullImage(ctx, options.Store, transport, name, options, systemContext) + ref, err := pullImage(ctx, options.Store, taggedRef, options, systemContext) if err != nil { errs = multierror.Append(errs, err) continue 
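Review bot: The loop over registry-supplied tags handles a `reference.WithTag` failure by appending the bare error and continuing, so the final multierror will not say which tag or repository was rejected; `errs = multierror.Append(errs, errors.Wrapf(err, "invalid tag %q for %s", tag, repo.String()))` keeps that context. By contrast a `docker.NewReference` failure returns and abandons the remaining tags — reasonable for an internal error, but the asymmetry deserves a one-line comment. The result of `options.ReportWriter.Write` is still discarded, as before. Pull begins before and ends after the hunk.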
@@ -208,27 +215,7 @@ func Pull(ctx context.Context, imageName string, options PullOptions) error { return errs.ErrorOrNil() } -func pullImage(ctx context.Context, store storage.Store, transport string, imageName string, options PullOptions, sc *types.SystemContext) (types.ImageReference, error) { - spec := imageName - srcRef, err := alltransports.ParseImageName(spec) - if err != nil { - logrus.Debugf("error parsing image name %q, trying with transport %q: %v", spec, transport, err) - if transport == "" { - transport = util.DefaultTransport - } else { - if transport != util.DefaultTransport { - transport = transport + ":" - } - } - spec = transport + spec - srcRef2, err2 := alltransports.ParseImageName(spec) - if err2 != nil { - return nil, errors.Wrapf(err2, "error parsing image name %q", spec) - } - srcRef = srcRef2 - } - logrus.Debugf("parsed image name %q", spec) - +func pullImage(ctx context.Context, store storage.Store, srcRef types.ImageReference, options PullOptions, sc *types.SystemContext) (types.ImageReference, error) { blocked, err := isReferenceBlocked(srcRef, sc) if err != nil { return nil, errors.Wrapf(err, "error checking if pulling from registry for %q is blocked", transports.ImageName(srcRef)) @@ -237,7 +224,7 @@ func pullImage(ctx context.Context, store storage.Store, transport string, image return nil, errors.Errorf("pull access to registry for %q is blocked by configuration", transports.ImageName(srcRef)) } - destName, err := localImageNameForReference(ctx, store, srcRef, spec) + destName, err := localImageNameForReference(ctx, store, srcRef) if err != nil { return nil, errors.Wrapf(err, "error computing local image name for %q", transports.ImageName(srcRef)) } 
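Review bot: pullImage no longer parses names itself, so the requirement that srcRef be non-nil now rests on callers, and isReferenceBlocked receives it before localImageNameForReference's nil check runs; a doc comment should state that, e.g. `// pullImage copies the image at srcRef (which must be non-nil; callers parse it with alltransports.ParseImageName) into store under the name chosen by localImageNameForReference, refusing sources that sc marks as blocked.` The removed "parsed image name" debug line is covered by the copying Debugf in the @@ -274 hunk. The function continues past both hunks.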
@@ -274,9 +261,9 @@ func pullImage(ctx context.Context, store storage.Store, transport string, image } }() - logrus.Debugf("copying %q to %q", spec, destName) + logrus.Debugf("copying %q to %q", transports.ImageName(srcRef), destName) if _, err := cp.Image(ctx, policyContext, maybeCachedDestRef, srcRef, getCopyOptions(options.ReportWriter, srcRef, sc, maybeCachedDestRef, nil, "")); err != nil { - logrus.Debugf("error copying src image [%q] to dest image [%q] err: %v", spec, destName, err) + logrus.Debugf("error copying src image [%q] to dest image [%q] err: %v", transports.ImageName(srcRef), destName, err) return nil, err } return destRef, nil diff --git a/vendor/github.com/containers/buildah/util/util.go b/vendor/github.com/containers/buildah/util/util.go index d98493634..7f3bbaef4 100644 --- a/vendor/github.com/containers/buildah/util/util.go +++ b/vendor/github.com/containers/buildah/util/util.go @@ -20,7 +20,7 @@ import ( "github.com/containers/storage" "github.com/containers/storage/pkg/idtools" "github.com/docker/distribution/registry/api/errcode" - "github.com/opencontainers/runtime-spec/specs-go" + specs "github.com/opencontainers/runtime-spec/specs-go" "github.com/pkg/errors" "github.com/sirupsen/logrus" ) 
@@ -47,6 +47,12 @@ var ( // correspond to in the set of configured registries, the transport used to // pull the image, and a boolean which is true iff // 1) the list of search registries was used, and 2) it was empty. +// +// The returned image names never include a transport: prefix, and if transport != "", +// (transport, image) should be a valid input to alltransports.ParseImageName. +// transport == "" indicates that image that already exists in a local storage, +// and the name is valid for store.Image() / storage.Transport.ParseStoreReference(). +// // NOTE: The "list of search registries is empty" check does not count blocked registries, // and neither the implied "localhost" nor a possible firstRegistry are counted func ResolveName(name string, firstRegistry string, sc *types.SystemContext, store storage.Store) ([]string, string, bool, error) { @@ -162,15 +168,7 @@ func ExpandNames(names []string, firstRegistry string, systemContext *types.Syst name = named } name = reference.TagNameOnly(name) - tag := "" - digest := "" - if tagged, ok := name.(reference.NamedTagged); ok { - tag = ":" + tagged.Tag() - } - if digested, ok := name.(reference.Digested); ok { - digest = "@" + digested.Digest().String() - } - expanded = append(expanded, name.Name()+tag+digest) + expanded = append(expanded, name.String()) } return expanded, nil } diff --git a/vendor/github.com/containers/buildah/vendor.conf b/vendor/github.com/containers/buildah/vendor.conf index 27bf45541..3cdb9c95f 100644 --- a/vendor/github.com/containers/buildah/vendor.conf +++ b/vendor/github.com/containers/buildah/vendor.conf 
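Review bot: The new ResolveName doc comment has a wording slip: `transport == "" indicates that image that already exists in a local storage,` should read `transport == "" indicates an image that already exists in local storage,`. It would also help to spell out what "(transport, image) should be a valid input" means concretely — that the caller joins them as `transport + ":" + image`, or `transport + image` when transport is util.DefaultTransport, before calling alltransports.ParseImageName, which is exactly what new.go's resolveImage does in this commit. The ExpandNames hunk's switch to `name.String()` reads as equivalent after reference.TagNameOnly.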
@@ -9,7 +9,7 @@ github.com/mattn/go-isatty v0.0.4
 github.com/VividCortex/ewma v1.1.1
 github.com/boltdb/bolt v1.3.1
 github.com/containers/libpod v1.0
-github.com/containers/storage v1.10
+github.com/containers/storage v1.11
 github.com/docker/distribution 5f6282db7d65e6d72ad7c2cc66310724a57be716
 github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00
 github.com/docker/docker-credential-helpers v0.6.1
-- 
cgit v1.2.3-54-g00ecf