From 64ff149324fd2e77002360bf5c585208ee238f8d Mon Sep 17 00:00:00 2001 From: Aditya R Date: Mon, 16 Oct 2023 11:55:50 +0530 Subject: [PATCH 1/4] vendor: bump buildah to v1.32.1-0.20231012130144-244170240d85 Signed-off-by: Aditya R --- go.mod | 4 +- go.sum | 8 +- .../github.com/containers/buildah/.gitignore | 2 + .../containers/buildah/.packit.yaml | 7 +- vendor/github.com/containers/buildah/add.go | 8 +- .../containers/buildah/define/build.go | 2 + .../containers/buildah/define/types.go | 2 +- vendor/github.com/containers/buildah/image.go | 3 +- .../buildah/imagebuildah/executor.go | 47 +++--- .../buildah/imagebuildah/stage_executor.go | 121 ++++++++------ .../buildah/internal/mkcw/types/workload.go | 2 +- .../buildah/internal/mkcw/workload.go | 2 +- .../containers/buildah/pkg/cli/build.go | 1 + .../containers/buildah/pkg/cli/common.go | 3 + .../buildah/pkg/sshagent/sshagent.go | 3 +- .../containers/buildah/run_common.go | 6 +- .../containers/buildah/run_freebsd.go | 3 +- .../containers/buildah/run_linux.go | 7 +- .../containers/buildah/selinux_tag.sh | 4 - .../github.com/containers/luksy/.cirrus.yml | 3 +- vendor/github.com/containers/luksy/Makefile | 6 +- vendor/github.com/containers/luksy/OWNERS | 4 + vendor/github.com/containers/luksy/decrypt.go | 27 +++- vendor/github.com/containers/luksy/encrypt.go | 4 +- .../github.com/containers/luksy/encryption.go | 149 +++++++++++------- vendor/github.com/containers/luksy/luks.go | 4 +- vendor/modules.txt | 4 +- 27 files changed, 266 insertions(+), 170 deletions(-) delete mode 100644 vendor/github.com/containers/buildah/selinux_tag.sh create mode 100644 vendor/github.com/containers/luksy/OWNERS diff --git a/go.mod b/go.mod index ee1ae7ba12..f7877f35a6 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/container-orchestrated-devices/container-device-interface v0.6.1 github.com/containernetworking/cni v1.1.2 github.com/containernetworking/plugins v1.3.0 - github.com/containers/buildah v1.32.0 + github.com/containers/buildah v1.32.1-0.20231012130144-244170240d85 github.com/containers/common v0.56.1-0.20231010150003-09776aa73db7 github.com/containers/conmon v2.0.20+incompatible github.com/containers/gvisor-tap-vsock v0.7.1 @@ -92,7 +92,7 @@ require ( github.com/containerd/log v0.1.0 // indirect github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect - github.com/containers/luksy v0.0.0-20230808154129-d2d74a56682f // indirect + github.com/containers/luksy v0.0.0-20230912175440-6df88cb7f0dd // indirect github.com/coreos/go-oidc/v3 v3.6.0 // indirect github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f // indirect github.com/cyberphone/json-canonicalization v0.0.0-20230710064741-aa7fe85c7dbd // indirect diff --git a/go.sum b/go.sum index 748c7b4c57..a7b8ee8698 100644 --- a/go.sum +++ b/go.sum @@ -249,8 +249,8 @@ github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHV github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8= github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q6mVDp5H1HnjM= github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0= -github.com/containers/buildah v1.32.0 h1:uz5Rcf7lGeStj7iPTBgO4UdhQYZqMMzyt9suDf16k1k= -github.com/containers/buildah v1.32.0/go.mod h1:sN3rA3DbnqekNz3bNdkqWduuirYDuMs54LUCOZOomBE= +github.com/containers/buildah v1.32.1-0.20231012130144-244170240d85 h1:Jn3o/XIIbyQqpnzwsALj5qnyr03dfxLmviMiDlBKRyU= +github.com/containers/buildah v1.32.1-0.20231012130144-244170240d85/go.mod h1:4XtQQpvO6e3qFDzYak6E/KLZLc/Erq02Yr0J9K+SIA4= github.com/containers/common v0.56.1-0.20231010150003-09776aa73db7 h1:Gx9i5pM2uXoIL3+QDuS3ddko+vGBCoRfisHchQV4K0g= github.com/containers/common v0.56.1-0.20231010150003-09776aa73db7/go.mod h1:UoUXLn51o0628B8h4MOdWGKYfS/y0e9mjizyfERMoes= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= @@ -263,8 +263,8 @@ github.com/containers/libhvee v0.4.1-0.20231012183749-e51be96b4854 h1:9pHtBDAO1Z github.com/containers/libhvee v0.4.1-0.20231012183749-e51be96b4854/go.mod h1:3lTcwI2g7qe8Ekgk9hdDxQeT9KrqXPilQvxJfIJp8TQ= github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA= github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY= -github.com/containers/luksy v0.0.0-20230808154129-d2d74a56682f h1:/HjLNYkVoUJNT4mm2dzGl63x7nD6YHxxI/k1kR0TkzA= -github.com/containers/luksy v0.0.0-20230808154129-d2d74a56682f/go.mod h1:hEjwW0sePqkTahMzbzeDsQEXN2zdF2VAccqSj5vb1NY= +github.com/containers/luksy v0.0.0-20230912175440-6df88cb7f0dd h1:NbQ782+jynau+ySnK8qBGyLstgiaLOAjoJWrwSLovGc= +github.com/containers/luksy v0.0.0-20230912175440-6df88cb7f0dd/go.mod h1:p3x2uBi+Eaqor7MXSnXIoSGmIaocAlRnd3UiEl6AtgQ= github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc= github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgUV4GP9qXPfu4= github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= diff --git a/vendor/github.com/containers/buildah/.gitignore b/vendor/github.com/containers/buildah/.gitignore index 939ce6ef52..e8dee79c89 100644 --- a/vendor/github.com/containers/buildah/.gitignore +++ b/vendor/github.com/containers/buildah/.gitignore @@ -10,3 +10,5 @@ Dockerfile* !/tests/conformance/**/Dockerfile* *.swp /result/ +internal/mkcw/embed/entrypoint.o +internal/mkcw/embed/entrypoint diff --git a/vendor/github.com/containers/buildah/.packit.yaml b/vendor/github.com/containers/buildah/.packit.yaml index 80f8a05e48..76b297c14a 100644 --- a/vendor/github.com/containers/buildah/.packit.yaml +++ b/vendor/github.com/containers/buildah/.packit.yaml @@ -11,7 +11,9 @@ srpm_build_deps: jobs: - job: copr_build trigger: pull_request - # keep in sync with https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next + notifications: + failure_comment: + message: "Ephemeral COPR build failed. @containers/packit-build please check." enable_net: true targets: - fedora-all-x86_64 @@ -28,6 +30,9 @@ jobs: # Run on commit to main branch - job: copr_build trigger: commit + notifications: + failure_comment: + message: "podman-next COPR build failed. @containers/packit-build please check." owner: rhcontainerbot project: podman-next enable_net: true diff --git a/vendor/github.com/containers/buildah/add.go b/vendor/github.com/containers/buildah/add.go index 1bb6c85009..534ef83f21 100644 --- a/vendor/github.com/containers/buildah/add.go +++ b/vendor/github.com/containers/buildah/add.go @@ -456,9 +456,11 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption // Iterate through every item that matched the glob. itemsCopied := 0 for _, glob := range localSourceStat.Globbed { - rel, err := filepath.Rel(contextDir, glob) - if err != nil { - return fmt.Errorf("computing path of %q relative to %q: %w", glob, contextDir, err) + rel := glob + if filepath.IsAbs(glob) { + if rel, err = filepath.Rel(contextDir, glob); err != nil { + return fmt.Errorf("computing path of %q relative to %q: %w", glob, contextDir, err) + } } if strings.HasPrefix(rel, ".."+string(os.PathSeparator)) { return fmt.Errorf("possible escaping context directory error: %q is outside of %q", glob, contextDir) diff --git a/vendor/github.com/containers/buildah/define/build.go b/vendor/github.com/containers/buildah/define/build.go index ce5ad0ade4..59d2fcf10d 100644 --- a/vendor/github.com/containers/buildah/define/build.go +++ b/vendor/github.com/containers/buildah/define/build.go @@ -318,6 +318,8 @@ type BuildOptions struct { AllPlatforms bool // UnsetEnvs is a list of environments to not add to final image. UnsetEnvs []string + // UnsetLabels is a list of labels to not add to final image from base image. + UnsetLabels []string // Envs is a list of environment variables to set in the final image. Envs []string // OSFeatures specifies operating system features the image requires. diff --git a/vendor/github.com/containers/buildah/define/types.go b/vendor/github.com/containers/buildah/define/types.go index 8bd1d07958..78bf746a00 100644 --- a/vendor/github.com/containers/buildah/define/types.go +++ b/vendor/github.com/containers/buildah/define/types.go @@ -29,7 +29,7 @@ const ( // identify working containers. Package = "buildah" // Version for the Package. Also used by .packit.sh for Packit builds. - Version = "1.32.0" + Version = "1.33.0-dev" // DefaultRuntime if containers.conf fails. DefaultRuntime = "runc" diff --git a/vendor/github.com/containers/buildah/image.go b/vendor/github.com/containers/buildah/image.go index 1a48f5b74e..9fb34ab37f 100644 --- a/vendor/github.com/containers/buildah/image.go +++ b/vendor/github.com/containers/buildah/image.go @@ -17,6 +17,7 @@ import ( "github.com/containers/buildah/define" "github.com/containers/buildah/docker" "github.com/containers/buildah/internal/mkcw" + "github.com/containers/buildah/internal/tmpdir" "github.com/containers/image/v5/docker/reference" "github.com/containers/image/v5/image" "github.com/containers/image/v5/manifest" @@ -374,7 +375,7 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System logrus.Debugf("layer list: %q", layers) // Make a temporary directory to hold blobs. - path, err := os.MkdirTemp(os.TempDir(), define.Package) + path, err := os.MkdirTemp(tmpdir.GetTempDir(), define.Package) if err != nil { return nil, fmt.Errorf("creating temporary directory to hold layer blobs: %w", err) } diff --git a/vendor/github.com/containers/buildah/imagebuildah/executor.go b/vendor/github.com/containers/buildah/imagebuildah/executor.go index f61c2d1f78..a5ee429348 100644 --- a/vendor/github.com/containers/buildah/imagebuildah/executor.go +++ b/vendor/github.com/containers/buildah/imagebuildah/executor.go @@ -142,6 +142,7 @@ type Executor struct { sshsources map[string]*sshagent.Source logPrefix string unsetEnvs []string + unsetLabels []string processLabel string // Shares processLabel of first stage container with containers of other stages in same build mountLabel string // Shares mountLabel of first stage container with containers of other stages in same build buildOutput string // Specifies instructions for any custom build output @@ -300,6 +301,7 @@ func newExecutor(logger *logrus.Logger, logPrefix string, store storage.Store, o sshsources: sshsources, logPrefix: logPrefix, unsetEnvs: append([]string{}, options.UnsetEnvs...), + unsetLabels: append([]string{}, options.UnsetLabels...), buildOutput: options.BuildOutput, osVersion: options.OSVersion, osFeatures: append([]string{}, options.OSFeatures...), @@ -468,14 +470,14 @@ func (b *Executor) getImageTypeAndHistoryAndDiffIDs(ctx context.Context, imageID return manifestFormat, oci.History, oci.RootFS.DiffIDs, nil } -func (b *Executor) buildStage(ctx context.Context, cleanupStages map[int]*StageExecutor, stages imagebuilder.Stages, stageIndex int) (imageID string, ref reference.Canonical, err error) { +func (b *Executor) buildStage(ctx context.Context, cleanupStages map[int]*StageExecutor, stages imagebuilder.Stages, stageIndex int) (imageID string, ref reference.Canonical, onlyBaseImage bool, err error) { stage := stages[stageIndex] ib := stage.Builder node := stage.Node base, err := ib.From(node) if err != nil { logrus.Debugf("buildStage(node.Children=%#v)", node.Children) - return "", nil, err + return "", nil, false, err } // If this is the last stage, then the image that we produce at @@ -506,7 +508,7 @@ func (b *Executor) buildStage(ctx context.Context, cleanupStages map[int]*StageE if len(labelLine) > 0 { additionalNode, err := imagebuilder.ParseDockerfile(strings.NewReader("LABEL" + labelLine + "\n")) if err != nil { - return "", nil, fmt.Errorf("while adding additional LABEL step: %w", err) + return "", nil, false, fmt.Errorf("while adding additional LABEL step: %w", err) } stage.Node.Children = append(stage.Node.Children, additionalNode.Children...) } @@ -525,13 +527,13 @@ func (b *Executor) buildStage(ctx context.Context, cleanupStages map[int]*StageE value := env[1] envLine += fmt.Sprintf(" %q=%q", key, value) } else { - return "", nil, fmt.Errorf("BUG: unresolved environment variable: %q", key) + return "", nil, false, fmt.Errorf("BUG: unresolved environment variable: %q", key) } } if len(envLine) > 0 { additionalNode, err := imagebuilder.ParseDockerfile(strings.NewReader("ENV" + envLine + "\n")) if err != nil { - return "", nil, fmt.Errorf("while adding additional ENV step: %w", err) + return "", nil, false, fmt.Errorf("while adding additional ENV step: %w", err) } // make this the first instruction in the stage after its FROM instruction stage.Node.Children = append(additionalNode.Children, stage.Node.Children...) @@ -572,8 +574,8 @@ func (b *Executor) buildStage(ctx context.Context, cleanupStages map[int]*StageE } // Build this stage. - if imageID, ref, err = stageExecutor.Execute(ctx, base); err != nil { - return "", nil, err + if imageID, ref, onlyBaseImage, err = stageExecutor.Execute(ctx, base); err != nil { + return "", nil, onlyBaseImage, err } // The stage succeeded, so remove its build container if we're @@ -586,7 +588,7 @@ func (b *Executor) buildStage(ctx context.Context, cleanupStages map[int]*StageE b.stagesLock.Unlock() } - return imageID, ref, nil + return imageID, ref, onlyBaseImage, nil } type stageDependencyInfo struct { @@ -878,10 +880,11 @@ func (b *Executor) Build(ctx context.Context, stages imagebuilder.Stages) (image b.warnOnUnsetBuildArgs(stages, dependencyMap, b.args) type Result struct { - Index int - ImageID string - Ref reference.Canonical - Error error + Index int + ImageID string + OnlyBaseImage bool + Ref reference.Canonical + Error error } ch := make(chan Result, len(stages)) @@ -941,21 +944,23 @@ func (b *Executor) Build(ctx context.Context, stages imagebuilder.Stages) (image return } } - stageID, stageRef, stageErr := b.buildStage(ctx, cleanupStages, stages, index) + stageID, stageRef, stageOnlyBaseImage, stageErr := b.buildStage(ctx, cleanupStages, stages, index) if stageErr != nil { cancel = true ch <- Result{ - Index: index, - Error: stageErr, + Index: index, + Error: stageErr, + OnlyBaseImage: stageOnlyBaseImage, } return } ch <- Result{ - Index: index, - ImageID: stageID, - Ref: stageRef, - Error: nil, + Index: index, + ImageID: stageID, + Ref: stageRef, + OnlyBaseImage: stageOnlyBaseImage, + Error: nil, } }() } @@ -985,7 +990,9 @@ func (b *Executor) Build(ctx context.Context, stages imagebuilder.Stages) (image // We're not populating the cache with intermediate // images, so add this one to the list of images that // we'll remove later. - if !b.layers { + // Only remove intermediate image is `--layers` is not provided + // or following stage was not only a base image ( i.e a different image ). + if !b.layers && !r.OnlyBaseImage { cleanupImages = append(cleanupImages, r.ImageID) } } diff --git a/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go b/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go index e901e7c862..c532544471 100644 --- a/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go +++ b/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go @@ -349,11 +349,6 @@ func (s *StageExecutor) volumeCacheRestore() error { func (s *StageExecutor) Copy(excludes []string, copies ...imagebuilder.Copy) error { s.builder.ContentDigester.Restart() for _, copy := range copies { - if copy.Download { - logrus.Debugf("ADD %#v, %#v", excludes, copy) - } else { - logrus.Debugf("COPY %#v, %#v", excludes, copy) - } if err := s.volumeCacheInvalidate(copy.Dest); err != nil { return err } @@ -413,6 +408,16 @@ func (s *StageExecutor) Copy(excludes []string, copies ...imagebuilder.Copy) err } else { contextDir = additionalBuildContext.DownloadedCache } + } else { + // This points to a path on the filesystem + // Check to see if there's a .containerignore + // file, update excludes for this stage before + // proceeding + buildContextExcludes, _, err := parse.ContainerIgnoreFile(additionalBuildContext.Value, "", nil) + if err != nil { + return err + } + excludes = append(excludes, buildContextExcludes...) } } else { copy.From = additionalBuildContext.Value @@ -447,6 +452,11 @@ func (s *StageExecutor) Copy(excludes []string, copies ...imagebuilder.Copy) err stripSetuid = true // did this change between 18.06 and 19.03? stripSetgid = true // did this change between 18.06 and 19.03? } + if copy.Download { + logrus.Debugf("ADD %#v, %#v", excludes, copy) + } else { + logrus.Debugf("COPY %#v, %#v", excludes, copy) + } for _, src := range copy.Src { if strings.HasPrefix(src, "http://") || strings.HasPrefix(src, "https://") { // Source is a URL, allowed for ADD but not COPY. @@ -822,7 +832,7 @@ func (s *StageExecutor) prepare(ctx context.Context, from string, initializeIBCo } } dImage := docker.Image{ - Parent: builder.FromImage, + Parent: builder.FromImageID, ContainerConfig: dConfig, Container: builder.Container, Author: builder.Maintainer(), @@ -905,13 +915,14 @@ func (s *StageExecutor) getContentSummaryAfterAddingContent() string { } // Execute runs each of the steps in the stage's parsed tree, in turn. -func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, ref reference.Canonical, err error) { +func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, ref reference.Canonical, onlyBaseImg bool, err error) { var resourceUsage rusage.Rusage stage := s.stage ib := stage.Builder checkForLayers := s.executor.layers && s.executor.useCache moreStages := s.index < len(s.stages)-1 lastStage := !moreStages + onlyBaseImage := false imageIsUsedLater := moreStages && (s.executor.baseMap[stage.Name] || s.executor.baseMap[strconv.Itoa(stage.Position)]) rootfsIsUsedLater := moreStages && (s.executor.rootfsMap[stage.Name] || s.executor.rootfsMap[strconv.Itoa(stage.Position)]) @@ -924,7 +935,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, // either in local storage, or one that we have to pull from a // registry, subject to the passed-in pull policy. if isStage, err := s.executor.waitForStage(ctx, base, s.stages[:s.index]); isStage && err != nil { - return "", nil, err + return "", nil, false, err } pullPolicy := s.executor.pullPolicy s.executor.stagesLock.Lock() @@ -954,7 +965,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, // Start counting resource usage before we potentially pull a base image. if rusage.Supported() { if resourceUsage, err = rusage.Get(); err != nil { - return "", nil, err + return "", nil, false, err } // Log the final incremental resource usage counter before we return. defer logRusage() @@ -964,7 +975,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, // the imagebuilder configuration may alter the list of steps we have, // so take a snapshot of them *after* that. if _, err := s.prepare(ctx, base, true, true, preserveBaseImageAnnotationsAtStageStart, pullPolicy); err != nil { - return "", nil, err + return "", nil, false, err } children := stage.Node.Children @@ -1022,7 +1033,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, logrus.Debugf("Generating custom build output with options %q", s.executor.buildOutput) buildOutputOption, err = parse.GetBuildOutput(s.executor.buildOutput) if err != nil { - return "", nil, fmt.Errorf("failed to parse build output: %w", err) + return "", nil, false, fmt.Errorf("failed to parse build output: %w", err) } } @@ -1033,13 +1044,19 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, // squash the contents of the base image. Whichever is // the case, we need to commit() to create a new image. logCommit(s.output, -1) - if imgID, ref, err = s.commit(ctx, s.getCreatedBy(nil, ""), false, s.output, s.executor.squash, lastStage); err != nil { - return "", nil, fmt.Errorf("committing base container: %w", err) + emptyLayer := false + if s.builder.FromImageID == "" { + // No base image means there's nothing to put in a + // layer, so don't create one. + emptyLayer = true + } + if imgID, ref, err = s.commit(ctx, s.getCreatedBy(nil, ""), emptyLayer, s.output, s.executor.squash, lastStage); err != nil { + return "", nil, false, fmt.Errorf("committing base container: %w", err) } // Generate build output if needed. if canGenerateBuildOutput { if err := s.generateBuildOutput(buildOutputOption); err != nil { - return "", nil, err + return "", nil, false, err } } } else if len(s.executor.labels) > 0 || len(s.executor.annotations) > 0 { @@ -1047,12 +1064,12 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, // via the command line, so we need to commit. logCommit(s.output, -1) if imgID, ref, err = s.commit(ctx, s.getCreatedBy(stage.Node, ""), true, s.output, s.executor.squash, lastStage); err != nil { - return "", nil, err + return "", nil, false, err } // Generate build output if needed. if canGenerateBuildOutput { if err := s.generateBuildOutput(buildOutputOption); err != nil { - return "", nil, err + return "", nil, false, err } } } else { @@ -1061,8 +1078,9 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, // options, so just reuse the base image. logCommit(s.output, -1) if imgID, ref, err = s.tagExistingImage(ctx, s.builder.FromImageID, s.output); err != nil { - return "", nil, err + return "", nil, onlyBaseImage, err } + onlyBaseImage = true // If we have reached this point then our build is just performing a tag // and it contains no steps or instructions (i.e Containerfile only contains // `FROM and nothing else so we will never end up committing this @@ -1070,7 +1088,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, // specified honor that and export the contents of the current build anyways. if canGenerateBuildOutput { if err := s.generateBuildOutput(buildOutputOption); err != nil { - return "", nil, err + return "", nil, onlyBaseImage, err } } } @@ -1084,7 +1102,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, // Resolve any arguments in this instruction. step := ib.Step() if err := step.Resolve(node); err != nil { - return "", nil, fmt.Errorf("resolving step %+v: %w", *node, err) + return "", nil, false, fmt.Errorf("resolving step %+v: %w", *node, err) } logrus.Debugf("Parsed Step: %+v", *step) if !s.executor.quiet { @@ -1097,21 +1115,21 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, command := strings.ToUpper(step.Command) // chmod, chown and from flags should have an '=' sign, '--chmod=', '--chown=' or '--from=' if command == "COPY" && (flag == "--chmod" || flag == "--chown" || flag == "--from") { - return "", nil, fmt.Errorf("COPY only supports the --chmod= --chown= and the --from= flags") + return "", nil, false, fmt.Errorf("COPY only supports the --chmod= --chown= and the --from= flags") } if command == "ADD" && (flag == "--chmod" || flag == "--chown") { - return "", nil, fmt.Errorf("ADD only supports the --chmod= and the --chown= flags") + return "", nil, false, fmt.Errorf("ADD only supports the --chmod= and the --chown= flags") } if strings.Contains(flag, "--from") && command == "COPY" { arr := strings.Split(flag, "=") if len(arr) != 2 { - return "", nil, fmt.Errorf("%s: invalid --from flag, should be --from=", command) + return "", nil, false, fmt.Errorf("%s: invalid --from flag, should be --from=", command) } // If arr[1] has an argument within it, resolve it to its // value. Otherwise just return the value found. from, fromErr := imagebuilder.ProcessWord(arr[1], s.stage.Builder.Arguments()) if fromErr != nil { - return "", nil, fmt.Errorf("unable to resolve argument %q: %w", arr[1], fromErr) + return "", nil, false, fmt.Errorf("unable to resolve argument %q: %w", arr[1], fromErr) } // Before looking into additional context @@ -1134,7 +1152,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, // replace with image set in build context from = additionalBuildContext.Value if _, err := s.getImageRootfs(ctx, from); err != nil { - return "", nil, fmt.Errorf("%s --from=%s: no stage or image found with that name", command, from) + return "", nil, false, fmt.Errorf("%s --from=%s: no stage or image found with that name", command, from) } break } @@ -1144,12 +1162,12 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, // result of an earlier stage, wait for that // stage to finish being built. if isStage, err := s.executor.waitForStage(ctx, from, s.stages[:s.index]); isStage && err != nil { - return "", nil, err + return "", nil, false, err } if otherStage, ok := s.executor.stages[from]; ok && otherStage.index < s.index { break } else if _, err = s.getImageRootfs(ctx, from); err != nil { - return "", nil, fmt.Errorf("%s --from=%s: no stage or image found with that name", command, from) + return "", nil, false, fmt.Errorf("%s --from=%s: no stage or image found with that name", command, from) } break } @@ -1171,7 +1189,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, err := ib.Run(step, s, noRunsRemaining) if err != nil { logrus.Debugf("Error building at step %+v: %v", *step, err) - return "", nil, fmt.Errorf("building at STEP \"%s\": %w", step.Message, err) + return "", nil, false, fmt.Errorf("building at STEP \"%s\": %w", step.Message, err) } // In case we added content, retrieve its digest. addedContentSummary := s.getContentSummaryAfterAddingContent() @@ -1196,13 +1214,13 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, logCommit(s.output, i) imgID, ref, err = s.commit(ctx, s.getCreatedBy(node, addedContentSummary), false, s.output, s.executor.squash, lastStage && lastInstruction) if err != nil { - return "", nil, fmt.Errorf("committing container for step %+v: %w", *step, err) + return "", nil, false, fmt.Errorf("committing container for step %+v: %w", *step, err) } logImageID(imgID) // Generate build output if needed. if canGenerateBuildOutput { if err := s.generateBuildOutput(buildOutputOption); err != nil { - return "", nil, err + return "", nil, false, err } } } else { @@ -1234,7 +1252,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, for _, a := range node.Flags { arg, err := imagebuilder.ProcessWord(a, s.stage.Builder.Arguments()) if err != nil { - return "", nil, err + return "", nil, false, err } switch { case strings.HasPrefix(arg, "--mount="): @@ -1246,7 +1264,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, } stageMountPoints, err := s.runStageMountPoints(mounts) if err != nil { - return "", nil, err + return "", nil, false, err } for _, mountPoint := range stageMountPoints { if mountPoint.DidExecute { @@ -1268,7 +1286,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, if needsCacheKey { cacheKey, err = s.generateCacheKey(ctx, node, addedContentSummary, s.stepRequiresLayer(step)) if err != nil { - return "", nil, fmt.Errorf("failed while generating cache key: %w", err) + return "", nil, false, fmt.Errorf("failed while generating cache key: %w", err) } } // Check if there's already an image based on our parent that @@ -1288,7 +1306,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, s.didExecute = true if err = ib.Run(step, s, noRunsRemaining); err != nil { logrus.Debugf("Error building at step %+v: %v", *step, err) - return "", nil, fmt.Errorf("building at STEP \"%s\": %w", step.Message, err) + return "", nil, false, fmt.Errorf("building at STEP \"%s\": %w", step.Message, err) } // Retrieve the digest info for the content that we just copied // into the rootfs. @@ -1297,13 +1315,13 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, if needsCacheKey { cacheKey, err = s.generateCacheKey(ctx, node, addedContentSummary, s.stepRequiresLayer(step)) if err != nil { - return "", nil, fmt.Errorf("failed while generating cache key: %w", err) + return "", nil, false, fmt.Errorf("failed while generating cache key: %w", err) } } } cacheID, err = s.intermediateImageExists(ctx, node, addedContentSummary, s.stepRequiresLayer(step)) if err != nil { - return "", nil, fmt.Errorf("checking if cached image exists from a previous build: %w", err) + return "", nil, false, fmt.Errorf("checking if cached image exists from a previous build: %w", err) } // All the best effort to find cache on localstorage have failed try pulling // cache from remote repo if `--cache-from` was configured. @@ -1315,7 +1333,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, logCachePulled(cacheKey, ref) cacheID, err = s.intermediateImageExists(ctx, node, addedContentSummary, s.stepRequiresLayer(step)) if err != nil { - return "", nil, fmt.Errorf("checking if cached image exists from a previous build: %w", err) + return "", nil, false, fmt.Errorf("checking if cached image exists from a previous build: %w", err) } if cacheID != "" { pulledAndUsedCacheImage = true @@ -1335,7 +1353,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, s.didExecute = true if err = ib.Run(step, s, noRunsRemaining); err != nil { logrus.Debugf("Error building at step %+v: %v", *step, err) - return "", nil, fmt.Errorf("building at STEP \"%s\": %w", step.Message, err) + return "", nil, false, fmt.Errorf("building at STEP \"%s\": %w", step.Message, err) } // In case we added content, retrieve its digest. @@ -1344,7 +1362,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, if needsCacheKey { cacheKey, err = s.generateCacheKey(ctx, node, addedContentSummary, s.stepRequiresLayer(step)) if err != nil { - return "", nil, fmt.Errorf("failed while generating cache key: %w", err) + return "", nil, false, fmt.Errorf("failed while generating cache key: %w", err) } } @@ -1353,7 +1371,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, if checkForLayers && !avoidLookingCache { cacheID, err = s.intermediateImageExists(ctx, node, addedContentSummary, s.stepRequiresLayer(step)) if err != nil { - return "", nil, fmt.Errorf("checking if cached image exists from a previous build: %w", err) + return "", nil, false, fmt.Errorf("checking if cached image exists from a previous build: %w", err) } // All the best effort to find cache on localstorage have failed try pulling // cache from remote repo if `--cache-from` was configured and cacheKey was @@ -1366,7 +1384,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, logCachePulled(cacheKey, ref) cacheID, err = s.intermediateImageExists(ctx, node, addedContentSummary, s.stepRequiresLayer(step)) if err != nil { - return "", nil, fmt.Errorf("checking if cached image exists from a previous build: %w", err) + return "", nil, false, fmt.Errorf("checking if cached image exists from a previous build: %w", err) } if cacheID != "" { pulledAndUsedCacheImage = true @@ -1390,7 +1408,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, err := ib.Run(step, s, noRunsRemaining) if err != nil { logrus.Debugf("Error building at step %+v: %v", *step, err) - return "", nil, fmt.Errorf("building at STEP \"%s\": %w", step.Message, err) + return "", nil, false, fmt.Errorf("building at STEP \"%s\": %w", step.Message, err) } } } @@ -1407,7 +1425,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, if commitName != "" { logCommit(commitName, i) if imgID, ref, err = s.tagExistingImage(ctx, cacheID, commitName); err != nil { - return "", nil, err + return "", nil, false, err } } } else { @@ -1423,12 +1441,12 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, // can be part of build-cache. imgID, ref, err = s.commit(ctx, s.getCreatedBy(node, addedContentSummary), !s.stepRequiresLayer(step), commitName, false, lastStage && lastInstruction) if err != nil { - return "", nil, fmt.Errorf("committing container for step %+v: %w", *step, err) + return "", nil, false, fmt.Errorf("committing container for step %+v: %w", *step, err) } // Generate build output if needed. if canGenerateBuildOutput { if err := s.generateBuildOutput(buildOutputOption); err != nil { - return "", nil, err + return "", nil, false, err } } } @@ -1446,7 +1464,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, if len(s.executor.cacheTo) != 0 && (!pulledAndUsedCacheImage || cacheID == "") && needsCacheKey { logCachePush(cacheKey) if err = s.pushCache(ctx, imgID, cacheKey); err != nil { - return "", nil, err + return "", nil, false, err } } @@ -1457,12 +1475,12 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, // is the last instruction of the last stage. imgID, ref, err = s.commit(ctx, s.getCreatedBy(node, addedContentSummary), !s.stepRequiresLayer(step), commitName, true, lastStage && lastInstruction) if err != nil { - return "", nil, fmt.Errorf("committing final squash step %+v: %w", *step, err) + return "", nil, false, fmt.Errorf("committing final squash step %+v: %w", *step, err) } // Generate build output if needed. if canGenerateBuildOutput { if err := s.generateBuildOutput(buildOutputOption); err != nil { - return "", nil, err + return "", nil, false, err } } } else if cacheID != "" { @@ -1477,7 +1495,7 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, // Generate build output if needed. if canGenerateBuildOutput { if err := s.generateBuildOutput(buildOutputOption); err != nil { - return "", nil, err + return "", nil, false, err } } } @@ -1508,11 +1526,11 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string, // ID that we really should not be pulling anymore (see // containers/podman/issues/10307). if _, err := s.prepare(ctx, imgID, false, true, true, define.PullNever); err != nil { - return "", nil, fmt.Errorf("preparing container for next step: %w", err) + return "", nil, false, fmt.Errorf("preparing container for next step: %w", err) } } } - return imgID, ref, nil + return imgID, ref, onlyBaseImage, nil } func historyEntriesEqual(base, derived v1.History) bool { @@ -2036,6 +2054,9 @@ func (s *StageExecutor) commit(ctx context.Context, createdBy string, emptyLayer if s.executor.commonBuildOptions.IdentityLabel == types.OptionalBoolUndefined || s.executor.commonBuildOptions.IdentityLabel == types.OptionalBoolTrue { s.builder.SetLabel(buildah.BuilderIdentityAnnotation, define.Version) } + for _, key := range s.executor.unsetLabels { + s.builder.UnsetLabel(key) + } for _, annotationSpec := range s.executor.annotations { annotation := strings.SplitN(annotationSpec, "=", 2) if len(annotation) > 1 { diff --git a/vendor/github.com/containers/buildah/internal/mkcw/types/workload.go b/vendor/github.com/containers/buildah/internal/mkcw/types/workload.go index 249683b0e7..9036485c7e 100644 --- a/vendor/github.com/containers/buildah/internal/mkcw/types/workload.go +++ b/vendor/github.com/containers/buildah/internal/mkcw/types/workload.go @@ -25,7 +25,7 @@ type SevWorkloadData struct { // SnpWorkloadData contains the required CPU generation name. // https://github.com/virtee/oci2cw/blob/1502d5be33c2fa82d49aaa95781bbab2aa932781/examples/tee-config-snp.json type SnpWorkloadData struct { - Generation string `json:"gen"` // "milan" (naples=1, rome=2, milan=3, genoa/bergamo=4) + Generation string `json:"gen"` // "milan" (naples=1, rome=2, milan=3, genoa/bergamo/siena=4, turin=5) } const ( diff --git a/vendor/github.com/containers/buildah/internal/mkcw/workload.go b/vendor/github.com/containers/buildah/internal/mkcw/workload.go index ca97daaf94..4109ce98e3 100644 --- a/vendor/github.com/containers/buildah/internal/mkcw/workload.go +++ b/vendor/github.com/containers/buildah/internal/mkcw/workload.go @@ -35,7 +35,7 @@ const ( // SNP is a known trusted execution environment type: AMD-SNP SNP = define.SNP // krun looks for its configuration JSON directly in a disk image if the last twelve bytes - // of the disk image are this magic value followed by a little-endian 64-bit + // of the disk image are this magic value followed by a little-endian 64-bit // length-of-the-configuration krunMagic = "KRUN" ) diff --git a/vendor/github.com/containers/buildah/pkg/cli/build.go b/vendor/github.com/containers/buildah/pkg/cli/build.go index 6a0948e854..e58e755632 100644 --- a/vendor/github.com/containers/buildah/pkg/cli/build.go +++ b/vendor/github.com/containers/buildah/pkg/cli/build.go @@ -425,6 +425,7 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) ( Timestamp: timestamp, TransientMounts: iopts.Volumes, UnsetEnvs: iopts.UnsetEnvs, + UnsetLabels: iopts.UnsetLabels, } if iopts.Quiet { options.ReportWriter = io.Discard diff --git a/vendor/github.com/containers/buildah/pkg/cli/common.go b/vendor/github.com/containers/buildah/pkg/cli/common.go index 6ff50d99fe..99d5991261 100644 --- a/vendor/github.com/containers/buildah/pkg/cli/common.go +++ b/vendor/github.com/containers/buildah/pkg/cli/common.go @@ -104,6 +104,7 @@ type BudResults struct { LogRusage bool RusageLogFile string UnsetEnvs []string + UnsetLabels []string Envs []string OSFeatures []string OSVersion string @@ -283,6 +284,7 @@ func GetBudFlags(flags *BudResults) pflag.FlagSet { fs.BoolVar(&flags.TLSVerify, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry") fs.String("variant", "", "override the `variant` of the specified image") fs.StringSliceVar(&flags.UnsetEnvs, "unsetenv", nil, "unset environment variable from final image") + fs.StringSliceVar(&flags.UnsetLabels, "unsetlabel", nil, "unset label when inheriting labels from base image") return fs } @@ -328,6 +330,7 @@ func GetBudFlagsCompletions() commonComp.FlagCompletions { flagCompletion["target"] = commonComp.AutocompleteNone flagCompletion["timestamp"] = commonComp.AutocompleteNone flagCompletion["unsetenv"] = commonComp.AutocompleteNone + flagCompletion["unsetlabel"] = commonComp.AutocompleteNone flagCompletion["variant"] = commonComp.AutocompleteNone return flagCompletion } diff --git a/vendor/github.com/containers/buildah/pkg/sshagent/sshagent.go b/vendor/github.com/containers/buildah/pkg/sshagent/sshagent.go index 712e10fed3..ec28482b0f 100644 --- a/vendor/github.com/containers/buildah/pkg/sshagent/sshagent.go +++ b/vendor/github.com/containers/buildah/pkg/sshagent/sshagent.go @@ -11,6 +11,7 @@ import ( "sync" "time" + "github.com/containers/buildah/internal/tmpdir" "github.com/opencontainers/selinux/go-selinux" "github.com/sirupsen/logrus" "golang.org/x/crypto/ssh" @@ -79,7 +80,7 @@ func (a *AgentServer) Serve(processLabel string) (string, error) { if err != nil { return "", err } - serveDir, err := os.MkdirTemp("", ".buildah-ssh-sock") + serveDir, err := os.MkdirTemp(tmpdir.GetTempDir(), ".buildah-ssh-sock") if err != nil { return "", err } diff --git a/vendor/github.com/containers/buildah/run_common.go b/vendor/github.com/containers/buildah/run_common.go index ec51e93d55..b21a013cf0 100644 --- a/vendor/github.com/containers/buildah/run_common.go +++ b/vendor/github.com/containers/buildah/run_common.go @@ -1509,8 +1509,6 @@ func checkIfMountDestinationPreExists(root string, dest string) (bool, error) { // // If this function succeeds, the caller must unlock runMountArtifacts.TargetLocks (when??) func (b *Builder) runSetupRunMounts(mountPoint string, mounts []string, sources runMountInfo, idMaps IDMaps) ([]specs.Mount, *runMountArtifacts, error) { - // If `type` is not set default to TypeBind - mountType := define.TypeBind mountTargets := make([]string, 0, 10) tmpFiles := make([]string, 0, len(mounts)) mountImages := make([]string, 0, 10) @@ -1532,6 +1530,10 @@ func (b *Builder) runSetupRunMounts(mountPoint string, mounts []string, sources var agent *sshagent.AgentServer var tl *lockfile.LockFile tokens := strings.Split(mount, ",") + + // If `type` is not set default to TypeBind + mountType := define.TypeBind + for _, field := range tokens { if strings.HasPrefix(field, "type=") { kv := strings.Split(field, "=") diff --git a/vendor/github.com/containers/buildah/run_freebsd.go b/vendor/github.com/containers/buildah/run_freebsd.go index ad21e6db7b..ff70022072 100644 --- a/vendor/github.com/containers/buildah/run_freebsd.go +++ b/vendor/github.com/containers/buildah/run_freebsd.go @@ -16,6 +16,7 @@ import ( "github.com/containers/buildah/copier" "github.com/containers/buildah/define" "github.com/containers/buildah/internal" + "github.com/containers/buildah/internal/tmpdir" "github.com/containers/buildah/pkg/jail" "github.com/containers/buildah/pkg/overlay" "github.com/containers/buildah/pkg/parse" @@ -72,7 +73,7 @@ func setChildProcess() error { } func (b *Builder) Run(command []string, options RunOptions) error { - p, err := os.MkdirTemp("", Package) + p, err := os.MkdirTemp(tmpdir.GetTempDir(), define.Package) if err != nil { return err } diff --git a/vendor/github.com/containers/buildah/run_linux.go b/vendor/github.com/containers/buildah/run_linux.go index 2d9ba51d17..586b706daf 100644 --- a/vendor/github.com/containers/buildah/run_linux.go +++ b/vendor/github.com/containers/buildah/run_linux.go @@ -19,6 +19,7 @@ import ( "github.com/containers/buildah/copier" "github.com/containers/buildah/define" "github.com/containers/buildah/internal" + "github.com/containers/buildah/internal/tmpdir" "github.com/containers/buildah/internal/volumes" "github.com/containers/buildah/pkg/overlay" "github.com/containers/buildah/pkg/parse" @@ -71,7 +72,7 @@ func setChildProcess() error { // Run runs the specified command in the container's root filesystem. func (b *Builder) Run(command []string, options RunOptions) error { - p, err := os.MkdirTemp("", define.Package) + p, err := os.MkdirTemp(tmpdir.GetTempDir(), define.Package) if err != nil { return err } @@ -499,7 +500,7 @@ func setupSlirp4netnsNetwork(config *config.Config, netns, cid string, options [ Mask: res.Subnet.Mask, }} netStatus := map[string]nettypes.StatusBlock{ - slirp4netns.BinaryName: nettypes.StatusBlock{ + slirp4netns.BinaryName: { Interfaces: map[string]nettypes.NetInterface{ "tap0": { Subnets: []nettypes.NetAddress{{IPNet: subnet}}, @@ -541,7 +542,7 @@ func setupPasta(config *config.Config, netns string, options []string) (func(), Mask: net.IPv4Mask(255, 255, 255, 0), }} netStatus := map[string]nettypes.StatusBlock{ - slirp4netns.BinaryName: nettypes.StatusBlock{ + slirp4netns.BinaryName: { Interfaces: map[string]nettypes.NetInterface{ "tap0": { Subnets: []nettypes.NetAddress{{IPNet: subnet}}, diff --git a/vendor/github.com/containers/buildah/selinux_tag.sh b/vendor/github.com/containers/buildah/selinux_tag.sh deleted file mode 100644 index 993630ad62..0000000000 --- a/vendor/github.com/containers/buildah/selinux_tag.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/usr/bin/env bash -if pkg-config libselinux 2> /dev/null ; then - echo selinux -fi diff --git a/vendor/github.com/containers/luksy/.cirrus.yml b/vendor/github.com/containers/luksy/.cirrus.yml index a7e74a5608..08e1cb885f 100644 --- a/vendor/github.com/containers/luksy/.cirrus.yml +++ b/vendor/github.com/containers/luksy/.cirrus.yml @@ -3,13 +3,14 @@ docker_builder: env: HOME: /root DEBIAN_FRONTEND: noninteractive + CIRRUS_LOG_TIMESTAMP: true setup_script: | apt-get -q update apt-get -q install -y bats cryptsetup golang go version make unit_test_script: - go test -v -cover + go test -timeout 45m -v -cover defaults_script: | bats -f defaults ./tests aes_script: | diff --git a/vendor/github.com/containers/luksy/Makefile b/vendor/github.com/containers/luksy/Makefile index f958505fb8..b3563c2e54 100644 --- a/vendor/github.com/containers/luksy/Makefile +++ b/vendor/github.com/containers/luksy/Makefile @@ -4,11 +4,11 @@ BATS = bats all: luksy luksy: cmd/luksy/*.go *.go - $(GO) build -o luksy ./cmd/luksy + $(GO) build -o luksy$(shell go env GOEXE) ./cmd/luksy clean: - $(RM) luksy luksy.test + $(RM) luksy$(shell go env GOEXE) luksy.test test: - $(GO) test + $(GO) test -timeout 45m -v -cover $(BATS) ./tests diff --git a/vendor/github.com/containers/luksy/OWNERS b/vendor/github.com/containers/luksy/OWNERS new file mode 100644 index 0000000000..eca8673e88 --- /dev/null +++ b/vendor/github.com/containers/luksy/OWNERS @@ -0,0 +1,4 @@ +approvers: + - nalind +reviewers: + - nalind diff --git a/vendor/github.com/containers/luksy/decrypt.go b/vendor/github.com/containers/luksy/decrypt.go index 45b66b6e0e..b36c4f5082 100644 --- a/vendor/github.com/containers/luksy/decrypt.go +++ b/vendor/github.com/containers/luksy/decrypt.go @@ -4,6 +4,7 @@ import ( "bytes" "errors" "fmt" + "io" "os" "strconv" @@ -11,14 +12,23 @@ import ( "golang.org/x/crypto/pbkdf2" ) +// ReaderAtSeekCloser is a combination of io.ReaderAt, io.Seeker, and io.Closer, +// which is all we really need from an encrypted file. +type ReaderAtSeekCloser interface { + io.ReaderAt + io.Seeker + io.Closer +} + // Decrypt attempts to verify the specified password using information from the // header and read from the specified file. // // Returns a function which will decrypt payload blocks in succession, the size // of chunks of data that the function expects, the offset in the file where -// the payload begins, and the size of the payload. -func (h V1Header) Decrypt(password string, f *os.File) (func([]byte) ([]byte, error), int, int64, int64, error) { - st, err := f.Stat() +// the payload begins, and the size of the payload, assuming the payload runs +// to the end of the file. +func (h V1Header) Decrypt(password string, f ReaderAtSeekCloser) (func([]byte) ([]byte, error), int, int64, int64, error) { + size, err := f.Seek(0, io.SeekEnd) if err != nil { return nil, -1, -1, -1, err } @@ -70,7 +80,7 @@ func (h V1Header) Decrypt(password string, f *os.File) (func([]byte) ([]byte, er } if bytes.Equal(mkcandidateDerived, h.MKDigest()) { payloadOffset := int64(h.PayloadOffset() * V1SectorSize) - return decryptStream, V1SectorSize, payloadOffset, st.Size() - payloadOffset, nil + return decryptStream, V1SectorSize, payloadOffset, size - payloadOffset, nil } } if activeKeys == 0 { @@ -84,8 +94,9 @@ func (h V1Header) Decrypt(password string, f *os.File) (func([]byte) ([]byte, er // // Returns a function which will decrypt payload blocks in succession, the size // of chunks of data that the function expects, the offset in the file where -// the payload begins, and the size of the payload. -func (h V2Header) Decrypt(password string, f *os.File, j V2JSON) (func([]byte) ([]byte, error), int, int64, int64, error) { +// the payload begins, and the size of the payload, assuming the payload runs +// to the end of the file. +func (h V2Header) Decrypt(password string, f ReaderAtSeekCloser, j V2JSON) (func([]byte) ([]byte, error), int, int64, int64, error) { foundDigests := 0 for d, digest := range j.Digests { if digest.Type != "pbkdf2" { @@ -117,11 +128,11 @@ func (h V2Header) Decrypt(password string, f *os.File, j V2JSON) (func([]byte) ( } payloadOffset = tmp if segment.Size == "dynamic" { - st, err := f.Stat() + size, err := f.Seek(0, io.SeekEnd) if err != nil { continue } - payloadSize = st.Size() - payloadOffset + payloadSize = size - payloadOffset } else { payloadSize, err = strconv.ParseInt(segment.Size, 10, 64) if err != nil { diff --git a/vendor/github.com/containers/luksy/encrypt.go b/vendor/github.com/containers/luksy/encrypt.go index 97e5a597fd..63b345eb1e 100644 --- a/vendor/github.com/containers/luksy/encrypt.go +++ b/vendor/github.com/containers/luksy/encrypt.go @@ -246,8 +246,8 @@ func EncryptV2(password []string, cipher string, payloadSectorSize int) ([]byte, return nil, nil, -1, errors.New("internal error") } iterations := IterationsPBKDF2(tuningSalt, len(mkey), hasher) - timeCost := 1 - threadsCost := 4 + timeCost := 16 + threadsCost := 16 memoryCost := MemoryCostArgon2(tuningSalt, len(mkey), timeCost, threadsCost) priority := V2JSONKeyslotPriorityNormal var stripes [][]byte diff --git a/vendor/github.com/containers/luksy/encryption.go b/vendor/github.com/containers/luksy/encryption.go index bd08cc8222..242bceb310 100644 --- a/vendor/github.com/containers/luksy/encryption.go +++ b/vendor/github.com/containers/luksy/encryption.go @@ -417,9 +417,22 @@ func roundUpToMultiple(i, factor int) int { if i < 0 { return 0 } + if factor < 1 { + return i + } return i + ((factor - (i % factor)) % factor) } +func roundDownToMultiple(i, factor int) int { + if i < 0 { + return 0 + } + if factor < 1 { + return i + } + return i - (i % factor) +} + func hasherByName(name string) (func() hash.Hash, error) { switch name { case "sha1": @@ -436,13 +449,39 @@ func hasherByName(name string) (func() hash.Hash, error) { } type wrapper struct { - fn func(plaintext []byte) ([]byte, error) - blockSize int - buf []byte - buffered, consumed int - reader io.Reader - eof bool - writer io.Writer + fn func(plaintext []byte) ([]byte, error) + blockSize int + buf []byte + buffered int + processed int + reader io.Reader + eof bool + writer io.Writer +} + +func (w *wrapper) partialWrite() error { + if w.buffered-w.processed >= w.blockSize { + toProcess := roundDownToMultiple(w.buffered-w.processed, w.blockSize) + processed, err := w.fn(w.buf[w.processed : w.processed+toProcess]) + if err != nil { + return err + } + nProcessed := copy(w.buf[w.processed:], processed) + w.processed += nProcessed + } + if w.processed >= w.blockSize { + nWritten, err := w.writer.Write(w.buf[:w.processed]) + if err != nil { + return err + } + copy(w.buf, w.buf[nWritten:w.buffered]) + w.buffered -= nWritten + w.processed -= nWritten + if w.processed != 0 { + return fmt.Errorf("short write: %d != %d", nWritten, nWritten+w.processed) + } + } + return nil } func (w *wrapper) Write(buf []byte) (int, error) { @@ -451,19 +490,8 @@ func (w *wrapper) Write(buf []byte) (int, error) { nBuffered := copy(w.buf[w.buffered:], buf[n:]) w.buffered += nBuffered n += nBuffered - if w.buffered == len(w.buf) { - processed, err := w.fn(w.buf) - if err != nil { - return n, err - } - nWritten, err := w.writer.Write(processed) - if err != nil { - return n, err - } - w.buffered -= nWritten - if nWritten != len(processed) { - return n, fmt.Errorf("short write: %d != %d", nWritten, len(processed)) - } + if err := w.partialWrite(); err != nil { + return n, err } } return n, nil @@ -472,66 +500,73 @@ func (w *wrapper) Write(buf []byte) (int, error) { func (w *wrapper) Read(buf []byte) (int, error) { n := 0 for n < len(buf) { - nRead := copy(buf[n:], w.buf[w.consumed:]) - w.consumed += nRead - n += nRead - if w.consumed == len(w.buf) && !w.eof { - nRead, err := w.reader.Read(w.buf) - w.eof = errors.Is(err, io.EOF) - if err != nil && !w.eof { - return n, err - } - if nRead != len(w.buf) && !w.eof { - return n, fmt.Errorf("short read: %d != %d", nRead, len(w.buf)) + if !w.eof { + nRead, err := w.reader.Read(w.buf[w.buffered:]) + if err != nil { + if !errors.Is(err, io.EOF) { + w.buffered += nRead + return n, err + } + w.eof = true } - processed, err := w.fn(w.buf[:nRead]) + w.buffered += nRead + } + if w.buffered == 0 && w.eof { + return n, io.EOF + } + if w.buffered-w.processed >= w.blockSize { + toProcess := roundDownToMultiple(w.buffered-w.processed, w.blockSize) + processed, err := w.fn(w.buf[w.processed : w.processed+toProcess]) if err != nil { return n, err } - w.buf = processed - w.consumed = 0 + nProcessed := copy(w.buf[w.processed:], processed) + w.processed += nProcessed + } + nRead := copy(buf[n:], w.buf[:w.processed]) + n += nRead + copy(w.buf, w.buf[nRead:w.buffered]) + w.processed -= nRead + w.buffered -= nRead + if w.buffered-w.processed < w.blockSize { + break } } - var eof error - if w.consumed == len(w.buf) && w.eof { - eof = io.EOF - } - return n, eof + return n, nil } func (w *wrapper) Close() error { if w.writer != nil { if w.buffered%w.blockSize != 0 { - w.buffered += copy(w.buf[w.buffered:], make([]byte, roundUpToMultiple(w.buffered%w.blockSize, w.blockSize))) - } - processed, err := w.fn(w.buf[:w.buffered]) - if err != nil { - return err - } - nWritten, err := w.writer.Write(processed) - if err != nil { - return err - } - if nWritten != len(processed) { - return fmt.Errorf("short write: %d != %d", nWritten, len(processed)) + nPadding := w.blockSize - w.buffered%w.blockSize + nWritten, err := w.Write(make([]byte, nPadding)) + if err != nil { + return fmt.Errorf("flushing write: %v", err) + } + if nWritten < nPadding { + return fmt.Errorf("flushing write: %d != %d", nPadding, nWritten) + } } - w.buffered = 0 } return nil } // EncryptWriter creates an io.WriteCloser which buffers writes through an -// encryption function. After writing a final block, the returned writer -// should be closed. +// encryption function, transforming and writing multiples of the blockSize. +// After writing a final block, the returned writer should be closed. +// If only a partial block has been written when Close() is called, a final +// block with its length padded with zero bytes will be transformed and +// written. func EncryptWriter(fn func(plaintext []byte) ([]byte, error), writer io.Writer, blockSize int) io.WriteCloser { bufferSize := roundUpToMultiple(1024*1024, blockSize) return &wrapper{fn: fn, blockSize: blockSize, buf: make([]byte, bufferSize), writer: writer} } // DecryptReader creates an io.ReadCloser which buffers reads through a -// decryption function. When data will no longer be read, the returned reader -// should be closed. +// decryption function, decrypting and returning multiples of the blockSize +// until it reaches the end of the file. When data will no longer be read, the +// returned reader should be closed. func DecryptReader(fn func(ciphertext []byte) ([]byte, error), reader io.Reader, blockSize int) io.ReadCloser { bufferSize := roundUpToMultiple(1024*1024, blockSize) - return &wrapper{fn: fn, blockSize: blockSize, buf: make([]byte, bufferSize), consumed: bufferSize, reader: reader} + return &wrapper{fn: fn, blockSize: blockSize, buf: make([]byte, bufferSize), reader: reader} } diff --git a/vendor/github.com/containers/luksy/luks.go b/vendor/github.com/containers/luksy/luks.go index a0c95277cb..c584c5f3e2 100644 --- a/vendor/github.com/containers/luksy/luks.go +++ b/vendor/github.com/containers/luksy/luks.go @@ -4,7 +4,7 @@ import ( "bytes" "encoding/json" "fmt" - "os" + "io" ) // ReadHeaderOptions can control some of what ReadHeaders() does. @@ -13,7 +13,7 @@ type ReadHeaderOptions struct{} // ReadHeaders reads LUKS headers from the specified file, returning either a // LUKSv1 header, or two LUKSv2 headers and a LUKSv2 JSON block, depending on // which format is detected. -func ReadHeaders(f *os.File, options ReadHeaderOptions) (*V1Header, *V2Header, *V2Header, *V2JSON, error) { +func ReadHeaders(f io.ReaderAt, options ReadHeaderOptions) (*V1Header, *V2Header, *V2Header, *V2JSON, error) { var v1 V1Header var v2a, v2b V2Header n, err := f.ReadAt(v2a[:], 0) diff --git a/vendor/modules.txt b/vendor/modules.txt index 5384dd78e2..62821525a9 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -139,7 +139,7 @@ github.com/containernetworking/cni/pkg/version # github.com/containernetworking/plugins v1.3.0 ## explicit; go 1.20 github.com/containernetworking/plugins/pkg/ns -# github.com/containers/buildah v1.32.0 +# github.com/containers/buildah v1.32.1-0.20231012130144-244170240d85 ## explicit; go 1.18 github.com/containers/buildah github.com/containers/buildah/bind @@ -312,7 +312,7 @@ github.com/containers/libhvee/pkg/wmiext # github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 ## explicit github.com/containers/libtrust -# github.com/containers/luksy v0.0.0-20230808154129-d2d74a56682f +# github.com/containers/luksy v0.0.0-20230912175440-6df88cb7f0dd ## explicit; go 1.20 github.com/containers/luksy # github.com/containers/ocicrypt v1.1.8 From 6cf3dd4931f24f90591e4a88276acfbea3ba4502 Mon Sep 17 00:00:00 2001 From: Aditya R Date: Mon, 16 Oct 2023 11:58:34 +0530 Subject: [PATCH 2/4] docs: add unsetlabel Signed-off-by: Aditya R --- docs/source/markdown/podman-build.1.md.in | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/source/markdown/podman-build.1.md.in b/docs/source/markdown/podman-build.1.md.in index b635807ad9..56d5b48e42 100644 --- a/docs/source/markdown/podman-build.1.md.in +++ b/docs/source/markdown/podman-build.1.md.in @@ -812,6 +812,10 @@ types include: Unset environment variables from the final image. +#### **--unsetlabel**=*label* + +Unset the image label, causing the label not to be inherited from the base image. + #### **--userns**=*how* Sets the configuration for user namespaces when handling `RUN` instructions. From 331e47acb1687a96230ac5e572209e47c2e45012 Mon Sep 17 00:00:00 2001 From: Aditya R Date: Mon, 16 Oct 2023 12:15:40 +0530 Subject: [PATCH 3/4] test: build with TMPDIR as relative Test edge-case described here: https://github.com/containers/buildah/pull/5084 Test case in: RHEL-2598 Signed-off-by: Aditya R --- test/e2e/build/basicrun/Containerfile | 2 ++ test/e2e/build_test.go | 16 ++++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 test/e2e/build/basicrun/Containerfile diff --git a/test/e2e/build/basicrun/Containerfile b/test/e2e/build/basicrun/Containerfile new file mode 100644 index 0000000000..bb74de0cef --- /dev/null +++ b/test/e2e/build/basicrun/Containerfile @@ -0,0 +1,2 @@ +FROM quay.io/libpod/alpine:latest +RUN echo hello diff --git a/test/e2e/build_test.go b/test/e2e/build_test.go index 8558673805..faf49cb667 100644 --- a/test/e2e/build_test.go +++ b/test/e2e/build_test.go @@ -39,6 +39,22 @@ var _ = Describe("Podman build", func() { Expect(session).Should(ExitCleanly()) }) + It("podman build and remove basic alpine with TMPDIR as relative", func() { + // preserve TMPDIR if it was originally set + if cacheDir, found := os.LookupEnv("TMPDIR"); found { + defer os.Setenv("TMPDIR", cacheDir) + os.Unsetenv("TMPDIR") + } else { + defer os.Unsetenv("TMPDIR") + } + // Test case described here: https://github.com/containers/buildah/pull/5084 + os.Setenv("TMPDIR", ".") + podmanTest.AddImageToRWStore(ALPINE) + session := podmanTest.Podman([]string{"build", "--pull-never", "build/basicrun"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(ExitCleanly()) + }) + It("podman build with a secret from file", func() { session := podmanTest.Podman([]string{"build", "-f", "build/Containerfile.with-secret", "-t", "secret-test", "--secret", "id=mysecret,src=build/secret.txt", "build/"}) session.WaitWithDefaultTimeout() From 5db3b753af8d17d670225c0e0aedef298996998d Mon Sep 17 00:00:00 2001 From: Aditya R Date: Mon, 16 Oct 2023 15:14:06 +0530 Subject: [PATCH 4/4] remote,build: wire unsetlabels Signed-off-by: Aditya R --- cmd/podman/common/build.go | 1 + pkg/api/handlers/compat/images_build.go | 2 ++ pkg/api/server/register_images.go | 6 ++++++ pkg/bindings/images/build.go | 4 ++++ 4 files changed, 13 insertions(+) diff --git a/cmd/podman/common/build.go b/cmd/podman/common/build.go index 100e6568d5..ca62f580c1 100644 --- a/cmd/podman/common/build.go +++ b/cmd/podman/common/build.go @@ -543,6 +543,7 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *Buil Target: flags.Target, TransientMounts: flags.Volumes, UnsetEnvs: flags.UnsetEnvs, + UnsetLabels: flags.UnsetLabels, } if flags.IgnoreFile != "" { diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go index b639000966..40741f56c6 100644 --- a/pkg/api/handlers/compat/images_build.go +++ b/pkg/api/handlers/compat/images_build.go @@ -140,6 +140,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { Timestamp int64 `schema:"timestamp"` Ulimits string `schema:"ulimits"` UnsetEnvs []string `schema:"unsetenv"` + UnsetLabels []string `schema:"unsetlabel"` Volumes []string `schema:"volume"` }{ Dockerfile: "Dockerfile", @@ -711,6 +712,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { SystemContext: systemContext, Target: query.Target, UnsetEnvs: query.UnsetEnvs, + UnsetLabels: query.UnsetLabels, } for _, platformSpec := range query.Platform { diff --git a/pkg/api/server/register_images.go b/pkg/api/server/register_images.go index 4c14f54140..0b9d0a500b 100644 --- a/pkg/api/server/register_images.go +++ b/pkg/api/server/register_images.go @@ -1617,6 +1617,12 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error { // items: // type: string // - in: query + // name: unsetlabel + // description: Unset the image label, causing the label not to be inherited from the base image. + // type: array + // items: + // type: string + // - in: query // name: volume // description: Extra volumes that should be mounted in the build container. // type: array diff --git a/pkg/bindings/images/build.go b/pkg/bindings/images/build.go index 171c156bfa..3d21437b09 100644 --- a/pkg/bindings/images/build.go +++ b/pkg/bindings/images/build.go @@ -393,6 +393,10 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO params.Add("unsetenv", uenv) } + for _, ulabel := range options.UnsetLabels { + params.Add("unsetlabel", ulabel) + } + var ( headers http.Header )