mirror of
https://github.com/containers/podman
Switch from pkg/secrets to pkg/subscriptions
The buildah/pkg/secrets package was moved to containers/common/pkg/subscriptions. Switch to using this by default. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
parent
397e9a9f1b
commit
20160af018
|
@ -317,6 +317,10 @@ Pass through HTTP Proxy environment variables.
|
|||
|
||||
Write the image ID to the file.
|
||||
|
||||
#### **--ignorefile**
|
||||
|
||||
Path to an alternative .dockerignore file.
|
||||
|
||||
#### **--ipc**=*how*
|
||||
|
||||
Sets the configuration for IPC namespaces when handling `RUN` instructions.
|
||||
|
@ -844,9 +848,10 @@ $ podman build -f dev/Containerfile https://10.10.10.1/podman/context.tar.gz
|
|||
|
||||
### `.dockerignore`
|
||||
|
||||
If the file .dockerignore exists in the context directory, `podman build` reads
|
||||
its contents. Podman uses the content to exclude files and directories from
|
||||
the context directory, when executing COPY and ADD directives in the
|
||||
If the file .dockerignore exists in the context directory, `buildah copy` reads
|
||||
its contents. Use the `--ignorefile` flag to override .dockerignore path location.
|
||||
Podman uses the content to exclude files and directories from the context
|
||||
directory, when executing COPY and ADD directives in the
|
||||
Containerfile/Dockerfile
|
||||
|
||||
Users can specify a series of Unix shell globals in a .dockerignore file to
|
||||
|
|
2
go.mod
|
@ -10,7 +10,7 @@ require (
|
|||
github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd // indirect
|
||||
github.com/containernetworking/cni v0.8.0
|
||||
github.com/containernetworking/plugins v0.8.7
|
||||
github.com/containers/buildah v1.18.0
|
||||
github.com/containers/buildah v1.18.1-0.20201125084616-dd26b137459c
|
||||
github.com/containers/common v0.29.0
|
||||
github.com/containers/conmon v2.0.20+incompatible
|
||||
github.com/containers/image/v5 v5.8.1
|
||||
|
|
14
go.sum
|
@ -93,16 +93,12 @@ github.com/containernetworking/cni v0.8.0 h1:BT9lpgGoH4jw3lFC7Odz2prU5ruiYKcgAjM
|
|||
github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
|
||||
github.com/containernetworking/plugins v0.8.7 h1:bU7QieuAp+sACI2vCzESJ3FoT860urYP+lThyZkb/2M=
|
||||
github.com/containernetworking/plugins v0.8.7/go.mod h1:R7lXeZaBzpfqapcAbHRW8/CYwm0dHzbz0XEjofx0uB0=
|
||||
github.com/containers/buildah v1.18.0 h1:mWEm013LVNGecF++sYo0T7fe/4pqMas/PQxQ/qviC68=
|
||||
github.com/containers/buildah v1.18.0/go.mod h1:qHLk7RUL7cHfA7ve1MKkZ6cyKUxHD0YxiLJcKY+mJe8=
|
||||
github.com/containers/common v0.26.3/go.mod h1:hJWZIlrl5MsE2ELNRa+MPp6I1kPbXHauuj0Ym4BsLG4=
|
||||
github.com/containers/buildah v1.18.1-0.20201125084616-dd26b137459c h1:vyc2iYz9b2vfDiigpLyhiXNqXITt/dmDk74HpHzlQow=
|
||||
github.com/containers/buildah v1.18.1-0.20201125084616-dd26b137459c/go.mod h1:B+0OkXUogxdwsEy4ax3a5/vDtJjL6vCisiV6frQZJ4A=
|
||||
github.com/containers/common v0.29.0 h1:hTMC+urdkk5bKfhL/OgCixIX5xjJgQ2l2jPG745ECFQ=
|
||||
github.com/containers/common v0.29.0/go.mod h1:yT4GTUHsKRmpaDb+mecXRnIMre7W3ZgwXqaYMywXlaA=
|
||||
github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
|
||||
github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
|
||||
github.com/containers/image/v5 v5.7.0/go.mod h1:8aOy+YaItukxghRORkvhq5ibWttHErzDLy6egrKfKos=
|
||||
github.com/containers/image/v5 v5.8.0 h1:B3FGHi0bdGXgg698kBIGOlHCXN5n+scJr6/5354GOPU=
|
||||
github.com/containers/image/v5 v5.8.0/go.mod h1:jKxdRtyIDumVa56hdsZvV+gwx4zB50hRou6pIuCWLkg=
|
||||
github.com/containers/image/v5 v5.8.1 h1:aHW8a/Kd0dTJ7PTL/fc6y12sJqHxWgqilu+XyHfjD8Q=
|
||||
github.com/containers/image/v5 v5.8.1/go.mod h1:blOEFd/iFdeyh891ByhCVUc+xAcaI3gBegXECwz9UbQ=
|
||||
github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
|
||||
|
@ -111,10 +107,7 @@ github.com/containers/ocicrypt v1.0.3 h1:vYgl+RZ9Q3DPMuTfxmN+qp0X2Bj52uuY2vnt6Gz
|
|||
github.com/containers/ocicrypt v1.0.3/go.mod h1:CUBa+8MRNL/VkpxYIpaMtgn1WgXGyvPQj8jcy0EVG6g=
|
||||
github.com/containers/psgo v1.5.1 h1:MQNb7FLbXqBdqz6u4lI2QWizVz4RSTzs1+Nk9XT1iVA=
|
||||
github.com/containers/psgo v1.5.1/go.mod h1:2ubh0SsreMZjSXW1Hif58JrEcFudQyIy9EzPUWfawVU=
|
||||
github.com/containers/storage v1.23.6/go.mod h1:haFs0HRowKwyzvWEx9EgI3WsL8XCSnBDb5f8P5CAxJY=
|
||||
github.com/containers/storage v1.23.7/go.mod h1:cUT2zHjtx+WlVri30obWmM2gpqpi8jfPsmIzP1TVpEI=
|
||||
github.com/containers/storage v1.24.0 h1:Fo2LkF7tkMLmo38sTZ/G8wHjcn8JfUFPfyTxM4WwMfk=
|
||||
github.com/containers/storage v1.24.0/go.mod h1:A4d3BzuZK9b3oLVEsiSRhZLPIx3z7utgiPyXLK/YMhY=
|
||||
github.com/containers/storage v1.24.1 h1:1+f8fy6ly35c8SLet5jzZ8t0WJJs5+xSpfMAYw0R3kc=
|
||||
github.com/containers/storage v1.24.1/go.mod h1:0xJL06Dmd+ZYXIUdnBUPN0JnhHGgwMkLvnnAonJfWJU=
|
||||
github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
|
||||
|
@ -322,8 +315,6 @@ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvW
|
|||
github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
|
||||
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
|
||||
github.com/klauspost/compress v1.11.1/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
|
||||
github.com/klauspost/compress v1.11.2 h1:MiK62aErc3gIiVEtyzKfeOHgW7atJb5g/KNX5m3c2nQ=
|
||||
github.com/klauspost/compress v1.11.2/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
|
||||
github.com/klauspost/compress v1.11.3 h1:dB4Bn0tN3wdCzQxnS8r06kV74qN/TAfaIS0bVE8h3jc=
|
||||
github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
|
||||
github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE=
|
||||
|
@ -372,7 +363,6 @@ github.com/moby/sys/mount v0.1.1 h1:mdhBytJ1SMmMat0gtzWWjFX/87K5j6E/7Q5z7rR0cZY=
|
|||
github.com/moby/sys/mount v0.1.1/go.mod h1:FVQFLDRWwyBjDTBNQXDlWnSFREqOo3OKX9aqhmeoo74=
|
||||
github.com/moby/sys/mountinfo v0.1.0/go.mod h1:w2t2Avltqx8vE7gX5l+QiBKxODu2TX0+Syr3h52Tw4o=
|
||||
github.com/moby/sys/mountinfo v0.1.3/go.mod h1:w2t2Avltqx8vE7gX5l+QiBKxODu2TX0+Syr3h52Tw4o=
|
||||
github.com/moby/sys/mountinfo v0.3.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
|
||||
github.com/moby/sys/mountinfo v0.4.0 h1:1KInV3Huv18akCu58V7lzNlt+jFmqlu1EaErnEHE/VM=
|
||||
github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
|
||||
github.com/moby/term v0.0.0-20200429084858-129dac9f73f6/go.mod h1:or9wGItza1sRcM4Wd3dIv8DsFHYQuFsMHEdxUIlUxms=
|
||||
|
|
|
@ -22,9 +22,9 @@ import (
|
|||
cnitypes "github.com/containernetworking/cni/pkg/types/current"
|
||||
"github.com/containernetworking/plugins/pkg/ns"
|
||||
"github.com/containers/buildah/pkg/overlay"
|
||||
"github.com/containers/buildah/pkg/secrets"
|
||||
"github.com/containers/common/pkg/apparmor"
|
||||
"github.com/containers/common/pkg/config"
|
||||
"github.com/containers/common/pkg/subscriptions"
|
||||
"github.com/containers/podman/v2/libpod/define"
|
||||
"github.com/containers/podman/v2/libpod/events"
|
||||
"github.com/containers/podman/v2/pkg/annotations"
|
||||
|
@ -1435,7 +1435,7 @@ func (c *Container) makeBindMounts() error {
|
|||
}
|
||||
|
||||
// Add Secret Mounts
|
||||
secretMounts := secrets.SecretMountsWithUIDGID(c.config.MountLabel, c.state.RunDir, c.runtime.config.Containers.DefaultMountsFile, c.state.Mountpoint, c.RootUID(), c.RootGID(), rootless.IsRootless(), false)
|
||||
secretMounts := subscriptions.MountsWithUIDGID(c.config.MountLabel, c.state.RunDir, c.runtime.config.Containers.DefaultMountsFile, c.state.Mountpoint, c.RootUID(), c.RootGID(), rootless.IsRootless(), false)
|
||||
for _, mount := range secretMounts {
|
||||
if _, ok := c.state.BindMounts[mount.Destination]; !ok {
|
||||
c.state.BindMounts[mount.Destination] = mount.Source
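Review bot: The comment `// Add Secret Mounts` and the local `secretMounts` in makeBindMounts still use the old package's vocabulary after the call moves to `subscriptions.MountsWithUIDGID`, and the bare trailing `false` gives a reader no hint of what is being switched off. Because this call copies host-side content into the container, I would make it self-describing: put `// Add subscription mounts (host content listed in mounts.conf); existing BindMounts entries win` above it and write the last argument as `/* disableFips */ false`. That parameter name is taken from the removed `SecretMounts` wrapper visible in the vendored package, so confirm it is unchanged in the new signature. The call yields only the mount list, so this caller cannot tell "nothing to mount" from a failure to read or copy the host files; it is worth checking how the new package reports that case. The loop body continues past the end of the hunk.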
|
||||
|
|
2
vendor/github.com/containers/buildah/buildah.go
generated
vendored
|
@ -28,7 +28,7 @@ const (
|
|||
Package = "buildah"
|
||||
// Version for the Package. Bump version in contrib/rpm/buildah.spec
|
||||
// too.
|
||||
Version = "1.18.0"
|
||||
Version = "1.19.0-dev"
|
||||
// The value we use to identify what type of information, currently a
|
||||
// serialized Builder structure, we are using as per-container state.
|
||||
// This should only be changed when we make incompatible changes to
|
||||
|
|
7
vendor/github.com/containers/buildah/go.mod
generated
vendored
|
@ -5,12 +5,11 @@ go 1.12
|
|||
require (
|
||||
github.com/containerd/containerd v1.4.1 // indirect
|
||||
github.com/containernetworking/cni v0.7.2-0.20190904153231-83439463f784
|
||||
github.com/containers/common v0.26.3
|
||||
github.com/containers/image/v5 v5.8.0
|
||||
github.com/containers/common v0.29.0
|
||||
github.com/containers/image/v5 v5.8.1
|
||||
github.com/containers/ocicrypt v1.0.3
|
||||
github.com/containers/storage v1.24.0
|
||||
github.com/containers/storage v1.24.1
|
||||
github.com/docker/distribution v2.7.1+incompatible
|
||||
github.com/docker/docker v17.12.0-ce-rc1.0.20201020191947-73dc6a680cdd+incompatible // indirect
|
||||
github.com/docker/go-units v0.4.0
|
||||
github.com/docker/libnetwork v0.8.0-dev.2.0.20190625141545-5a177b73e316
|
||||
github.com/fsouza/go-dockerclient v1.6.6
|
||||
|
|
20
vendor/github.com/containers/buildah/go.sum
generated
vendored
|
@ -73,20 +73,17 @@ github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDG
|
|||
github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
|
||||
github.com/containernetworking/cni v0.7.2-0.20190904153231-83439463f784 h1:rqUVLD8I859xRgUx/WMC3v7QAFqbLKZbs+0kqYboRJc=
|
||||
github.com/containernetworking/cni v0.7.2-0.20190904153231-83439463f784/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
|
||||
github.com/containers/common v0.26.3 h1:5Kb5fMmJ7/xMiJ+iEbPA+5pQpl/FGxCgJex4nml4Slo=
|
||||
github.com/containers/common v0.26.3/go.mod h1:hJWZIlrl5MsE2ELNRa+MPp6I1kPbXHauuj0Ym4BsLG4=
|
||||
github.com/containers/image/v5 v5.7.0 h1:fiTC8/Xbr+zEP6njGTZtPW/3UD7MC93nC9DbUoWdxkA=
|
||||
github.com/containers/image/v5 v5.7.0/go.mod h1:8aOy+YaItukxghRORkvhq5ibWttHErzDLy6egrKfKos=
|
||||
github.com/containers/image/v5 v5.8.0 h1:B3FGHi0bdGXgg698kBIGOlHCXN5n+scJr6/5354GOPU=
|
||||
github.com/containers/image/v5 v5.8.0/go.mod h1:jKxdRtyIDumVa56hdsZvV+gwx4zB50hRou6pIuCWLkg=
|
||||
github.com/containers/common v0.29.0 h1:hTMC+urdkk5bKfhL/OgCixIX5xjJgQ2l2jPG745ECFQ=
|
||||
github.com/containers/common v0.29.0/go.mod h1:yT4GTUHsKRmpaDb+mecXRnIMre7W3ZgwXqaYMywXlaA=
|
||||
github.com/containers/image/v5 v5.8.1 h1:aHW8a/Kd0dTJ7PTL/fc6y12sJqHxWgqilu+XyHfjD8Q=
|
||||
github.com/containers/image/v5 v5.8.1/go.mod h1:blOEFd/iFdeyh891ByhCVUc+xAcaI3gBegXECwz9UbQ=
|
||||
github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
|
||||
github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
|
||||
github.com/containers/ocicrypt v1.0.3 h1:vYgl+RZ9Q3DPMuTfxmN+qp0X2Bj52uuY2vnt6GzVe1c=
|
||||
github.com/containers/ocicrypt v1.0.3/go.mod h1:CUBa+8MRNL/VkpxYIpaMtgn1WgXGyvPQj8jcy0EVG6g=
|
||||
github.com/containers/storage v1.23.6/go.mod h1:haFs0HRowKwyzvWEx9EgI3WsL8XCSnBDb5f8P5CAxJY=
|
||||
github.com/containers/storage v1.23.7/go.mod h1:cUT2zHjtx+WlVri30obWmM2gpqpi8jfPsmIzP1TVpEI=
|
||||
github.com/containers/storage v1.24.0 h1:Fo2LkF7tkMLmo38sTZ/G8wHjcn8JfUFPfyTxM4WwMfk=
|
||||
github.com/containers/storage v1.24.0/go.mod h1:A4d3BzuZK9b3oLVEsiSRhZLPIx3z7utgiPyXLK/YMhY=
|
||||
github.com/containers/storage v1.24.1 h1:1+f8fy6ly35c8SLet5jzZ8t0WJJs5+xSpfMAYw0R3kc=
|
||||
github.com/containers/storage v1.24.1/go.mod h1:0xJL06Dmd+ZYXIUdnBUPN0JnhHGgwMkLvnnAonJfWJU=
|
||||
github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
|
||||
github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
|
||||
github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
|
||||
|
@ -232,8 +229,8 @@ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvW
|
|||
github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
|
||||
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
|
||||
github.com/klauspost/compress v1.11.1/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
|
||||
github.com/klauspost/compress v1.11.2 h1:MiK62aErc3gIiVEtyzKfeOHgW7atJb5g/KNX5m3c2nQ=
|
||||
github.com/klauspost/compress v1.11.2/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
|
||||
github.com/klauspost/compress v1.11.3 h1:dB4Bn0tN3wdCzQxnS8r06kV74qN/TAfaIS0bVE8h3jc=
|
||||
github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
|
||||
github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE=
|
||||
github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
|
||||
|
@ -278,7 +275,6 @@ github.com/moby/sys/mount v0.1.1 h1:mdhBytJ1SMmMat0gtzWWjFX/87K5j6E/7Q5z7rR0cZY=
|
|||
github.com/moby/sys/mount v0.1.1/go.mod h1:FVQFLDRWwyBjDTBNQXDlWnSFREqOo3OKX9aqhmeoo74=
|
||||
github.com/moby/sys/mountinfo v0.1.0/go.mod h1:w2t2Avltqx8vE7gX5l+QiBKxODu2TX0+Syr3h52Tw4o=
|
||||
github.com/moby/sys/mountinfo v0.1.3/go.mod h1:w2t2Avltqx8vE7gX5l+QiBKxODu2TX0+Syr3h52Tw4o=
|
||||
github.com/moby/sys/mountinfo v0.3.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
|
||||
github.com/moby/sys/mountinfo v0.4.0 h1:1KInV3Huv18akCu58V7lzNlt+jFmqlu1EaErnEHE/VM=
|
||||
github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
|
||||
github.com/moby/term v0.0.0-20200429084858-129dac9f73f6/go.mod h1:or9wGItza1sRcM4Wd3dIv8DsFHYQuFsMHEdxUIlUxms=
|
||||
|
|
5
vendor/github.com/containers/buildah/image.go
generated
vendored
|
@ -321,10 +321,7 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System
|
|||
}
|
||||
// If we're not re-exporting the data, and we're reusing layers individually, reuse
|
||||
// the blobsum and diff IDs.
|
||||
if !i.exporting && !i.squash && layerID != i.layerID {
|
||||
if layer.UncompressedDigest == "" {
|
||||
return nil, errors.Errorf("unable to look up size of layer %q", layerID)
|
||||
}
|
||||
if !i.exporting && !i.squash && layerID != i.layerID && layer.UncompressedDigest != "" {
|
||||
layerBlobSum := layer.UncompressedDigest
|
||||
layerBlobSize := layer.UncompressedSize
|
||||
diffID := layer.UncompressedDigest
|
||||
|
|
2
vendor/github.com/containers/buildah/imagebuildah/build.go
generated
vendored
|
@ -185,6 +185,8 @@ type BuildOptions struct {
|
|||
Jobs *int
|
||||
// LogRusage logs resource usage for each step.
|
||||
LogRusage bool
|
||||
// Excludes is a list of excludes to be used instead of the .dockerignore file.
|
||||
Excludes []string
|
||||
}
|
||||
|
||||
// BuildDockerfiles parses a set of one or more Dockerfiles (which may be
|
||||
|
|
9
vendor/github.com/containers/buildah/imagebuildah/executor.go
generated
vendored
|
@ -130,9 +130,12 @@ func NewExecutor(store storage.Store, options BuildOptions, mainNode *parser.Nod
|
|||
return nil, errors.Wrapf(err, "failed to get container config")
|
||||
}
|
||||
|
||||
excludes, err := imagebuilder.ParseDockerignore(options.ContextDirectory)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
excludes := options.Excludes
|
||||
if len(excludes) == 0 {
|
||||
excludes, err = imagebuilder.ParseDockerignore(options.ContextDirectory)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
capabilities, err := defaultContainerConfig.Capabilities("", options.AddCapabilities, options.DropCapabilities)
|
||||
if err != nil {
|
||||
|
|
7
vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
generated
vendored
|
@ -368,6 +368,7 @@ func (s *StageExecutor) Run(run imagebuilder.Run, config docker.Config) error {
|
|||
Stderr: s.executor.err,
|
||||
Quiet: s.executor.quiet,
|
||||
NamespaceOptions: s.executor.namespaceOptions,
|
||||
Terminal: buildah.WithoutTerminal,
|
||||
}
|
||||
if config.NetworkDisabled {
|
||||
options.ConfigureNetwork = buildah.NetworkDisabled
|
||||
|
@ -1144,7 +1145,11 @@ func (s *StageExecutor) intermediateImageExists(ctx context.Context, currNode *p
|
|||
// lines in the Dockerfile up till the point we are at in the build.
|
||||
manifestType, history, diffIDs, err := s.executor.getImageTypeAndHistoryAndDiffIDs(ctx, image.ID)
|
||||
if err != nil {
|
||||
return "", errors.Wrapf(err, "error getting history of %q", image.ID)
|
||||
// It's possible that this image is for another architecture, which results
|
||||
// in a custom-crafted error message that we'd have to use substring matching
|
||||
// to recognize. Instead, ignore the image.
|
||||
logrus.Debugf("error getting history of %q (%v), ignoring it", image.ID, err)
|
||||
continue
|
||||
}
|
||||
// If this candidate isn't of the type that we're building, then it may have lost
|
||||
// some format-specific information that a building-without-cache run wouldn't lose.
|
||||
|
|
65
vendor/github.com/containers/buildah/install.md
generated
vendored
|
@ -59,35 +59,31 @@ sudo dnf -y install buildah
|
|||
|
||||
#### [Debian](https://debian.org)
|
||||
|
||||
The buildah package is [being worked on](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928083)
|
||||
for inclusion in the default Debian repos.
|
||||
|
||||
Alternatively, the [Kubic project](https://build.opensuse.org/project/show/devel:kubic:libcontainers:stable)
|
||||
provides packages for Debian 10, testing and unstable.
|
||||
The buildah package is available in
|
||||
the [Bullseye (testing) branch](https://packages.debian.org/bullseye/buildah), which
|
||||
will be the next stable release (Debian 11) as well as Debian Unstable/Sid.
|
||||
|
||||
```bash
|
||||
# Debian Unstable/Sid
|
||||
echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_Unstable/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
|
||||
wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/Debian_Unstable/Release.key -O Release.key
|
||||
|
||||
# Debian Testing
|
||||
echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_Testing/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
|
||||
wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/Debian_Testing/Release.key -O Release.key
|
||||
|
||||
# Debian 10
|
||||
echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
|
||||
wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/Debian_10/Release.key -O Release.key
|
||||
|
||||
sudo apt-key add - < Release.key
|
||||
sudo apt-get update -qq
|
||||
sudo apt-get -qq -y install buildah
|
||||
# Debian Testing/Bullseye or Unstable/Sid
|
||||
sudo apt-get update
|
||||
sudo apt-get -y install buildah
|
||||
```
|
||||
|
||||
The [Kubic project](https://build.opensuse.org/project/show/devel:kubic:libcontainers:stable)
|
||||
provides packages for Debian 10. The Kubic packages for Debian Testing/Bullseye and Debian Unstable/Sid
|
||||
have been discontinued to avoid
|
||||
[conflicts](https://github.com/containers/buildah/issues/2797) with the official packages.
|
||||
|
||||
### [Fedora](https://www.fedoraproject.org), [CentOS](https://www.centos.org)
|
||||
Caution: If you upgrade from Debian 10 to Testing/Bullseye or
|
||||
Unstable/Sid you would likely end up downgrading Buildah because the version in
|
||||
OBS is more frequently updated than the one in Debian's official repositories,
|
||||
due to how Debian works.
|
||||
|
||||
|
||||
### [Fedora](https://www.fedoraproject.org)
|
||||
|
||||
```bash
|
||||
sudo yum -y install buildah
|
||||
sudo dnf -y install buildah
|
||||
```
|
||||
|
||||
### [Fedora SilverBlue](https://silverblue.fedoraproject.org)
|
||||
|
@ -127,19 +123,25 @@ sudo subscription-manager repos --enable=rhel-7-server-extras-rpms
|
|||
sudo yum -y install buildah
|
||||
```
|
||||
|
||||
#### [Raspbian](https://raspbian.org)
|
||||
#### [Raspberry Pi OS armhf (ex Raspbian)](https://www.raspberrypi.org/downloads/raspberry-pi-os/)
|
||||
|
||||
The Kubic project provides packages for Raspbian 10.
|
||||
|
||||
```bash
|
||||
# Raspbian 10
|
||||
echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Raspbian_10/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
|
||||
wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/Raspbian_10/Release.key -O Release.key
|
||||
sudo apt-key add - < Release.key
|
||||
echo 'deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Raspbian_10/ /' | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
|
||||
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Raspbian_10/Release.key | sudo apt-key add -
|
||||
sudo apt-get update -qq
|
||||
sudo apt-get -qq -y install buildah
|
||||
```
|
||||
|
||||
#### [Raspberry Pi OS arm64 (beta)](https://downloads.raspberrypi.org/raspios_arm64/images/)
|
||||
|
||||
Raspberry Pi OS use the standard Debian's repositories,
|
||||
so it is fully compatible with Debian's arm64 repository.
|
||||
You can simply follow the [steps for Debian](#debian) to install podman.
|
||||
|
||||
|
||||
### [RHEL8 Beta](https://www.redhat.com/en/blog/powering-its-future-while-preserving-present-introducing-red-hat-enterprise-linux-8-beta?intcmp=701f2000001Cz6OAAS)
|
||||
|
||||
```bash
|
||||
|
@ -149,7 +151,16 @@ sudo yum module install -y buildah
|
|||
|
||||
### [Ubuntu](https://www.ubuntu.com)
|
||||
|
||||
The Kubic project provides packages for Ubuntu 18.04, 19.04 and 19.10 (it should also work with direct derivatives like Pop!\_OS).
|
||||
The buildah package is available in the official repositories for Ubuntu 20.10
|
||||
and newer.
|
||||
|
||||
```bash
|
||||
# Ubuntu 20.10 and newer
|
||||
sudo apt-get -y update
|
||||
sudo apt-get -y install buildah
|
||||
```
|
||||
|
||||
The [Kubic project](https://build.opensuse.org/package/show/devel:kubic:libcontainers:stable/buildah) provides packages for some older but supported Ubuntu versions (it should also work with direct derivatives like Pop!\_OS).
|
||||
|
||||
```bash
|
||||
. /etc/os-release
|
||||
|
|
3
vendor/github.com/containers/buildah/pkg/cli/common.go
generated
vendored
|
@ -59,6 +59,7 @@ type BudResults struct {
|
|||
Creds string
|
||||
DisableCompression bool
|
||||
DisableContentTrust bool
|
||||
IgnoreFile string
|
||||
File []string
|
||||
Format string
|
||||
Iidfile string
|
||||
|
@ -185,6 +186,7 @@ func GetBudFlags(flags *BudResults) pflag.FlagSet {
|
|||
fs.StringVar(&flags.Creds, "creds", "", "use `[username[:password]]` for accessing the registry")
|
||||
fs.BoolVarP(&flags.DisableCompression, "disable-compression", "D", true, "don't compress layers by default")
|
||||
fs.BoolVar(&flags.DisableContentTrust, "disable-content-trust", false, "This is a Docker specific option and is a NOOP")
|
||||
fs.StringVar(&flags.IgnoreFile, "ignorefile", "", "path to an alternate .dockerignore file")
|
||||
fs.StringSliceVarP(&flags.File, "file", "f", []string{}, "`pathname or URL` of a Dockerfile")
|
||||
fs.StringVar(&flags.Format, "format", DefaultFormat(), "`format` of the built image's manifest and metadata. Use BUILDAH_FORMAT environment variable to override.")
|
||||
fs.StringVar(&flags.Iidfile, "iidfile", "", "`file` to write the image ID to")
|
||||
|
@ -231,6 +233,7 @@ func GetBudFlagsCompletions() commonComp.FlagCompletions {
|
|||
flagCompletion["creds"] = commonComp.AutocompleteNone
|
||||
flagCompletion["file"] = commonComp.AutocompleteDefault
|
||||
flagCompletion["format"] = commonComp.AutocompleteNone
|
||||
flagCompletion["ignorefile"] = commonComp.AutocompleteDefault
|
||||
flagCompletion["iidfile"] = commonComp.AutocompleteDefault
|
||||
flagCompletion["jobs"] = commonComp.AutocompleteNone
|
||||
flagCompletion["label"] = commonComp.AutocompleteNone
|
||||
|
|
7
vendor/github.com/containers/buildah/pkg/umask/umask_unsupported.go
generated
vendored
|
@ -1,7 +0,0 @@
|
|||
// +build !linux,!darwin
|
||||
|
||||
package umask
|
||||
|
||||
func CheckUmask() {}
|
||||
|
||||
func SetUmask(int) int { return 0 }
|
28
vendor/github.com/containers/buildah/run_linux.go
generated
vendored
|
@ -25,10 +25,10 @@ import (
|
|||
"github.com/containers/buildah/chroot"
|
||||
"github.com/containers/buildah/copier"
|
||||
"github.com/containers/buildah/pkg/overlay"
|
||||
"github.com/containers/buildah/pkg/secrets"
|
||||
"github.com/containers/buildah/util"
|
||||
"github.com/containers/common/pkg/capabilities"
|
||||
"github.com/containers/common/pkg/config"
|
||||
"github.com/containers/common/pkg/subscriptions"
|
||||
"github.com/containers/storage/pkg/idtools"
|
||||
"github.com/containers/storage/pkg/ioutils"
|
||||
"github.com/containers/storage/pkg/reexec"
|
||||
|
@ -216,16 +216,28 @@ func (b *Builder) Run(command []string, options RunOptions) error {
|
|||
}
|
||||
// Empty file, so no need to recreate if it exists
|
||||
if _, ok := bindFiles["/run/.containerenv"]; !ok {
|
||||
// Empty string for now, but we may consider populating this later
|
||||
containerenvPath := filepath.Join(path, "/run/.containerenv")
|
||||
if err = os.MkdirAll(filepath.Dir(containerenvPath), 0755); err != nil {
|
||||
return err
|
||||
}
|
||||
emptyFile, err := os.Create(containerenvPath)
|
||||
if err != nil {
|
||||
|
||||
rootless := 0
|
||||
if unshare.IsRootless() {
|
||||
rootless = 1
|
||||
}
|
||||
// Populate the .containerenv with container information
|
||||
containerenv := fmt.Sprintf(`\
|
||||
engine="buildah-%s"
|
||||
name=%q
|
||||
id=%q
|
||||
image=%q
|
||||
imageid=%q
|
||||
rootless=%d
|
||||
`, Version, b.Container, b.ContainerID, b.FromImage, b.FromImageID, rootless)
|
||||
|
||||
if err = ioutils.AtomicWriteFile(containerenvPath, []byte(containerenv), 0755); err != nil {
|
||||
return err
|
||||
}
|
||||
emptyFile.Close()
|
||||
if err := label.Relabel(containerenvPath, b.MountLabel, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -477,15 +489,15 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
|
|||
return errors.Wrapf(err, "error determining work directory for container %q", b.ContainerID)
|
||||
}
|
||||
|
||||
// Figure out which UID and GID to tell the secrets package to use
|
||||
// Figure out which UID and GID to tell the subscritions package to use
|
||||
// for files that it creates.
|
||||
rootUID, rootGID, err := util.GetHostRootIDs(spec)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Get the list of secrets mounts.
|
||||
secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false)
|
||||
// Get the list of subscriptionss mounts.
|
||||
secretMounts := subscriptions.MountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false)
|
||||
|
||||
// Add temporary copies of the contents of volume locations at the
|
||||
// volume locations, unless we already have something there.
|
||||
|
|
1
vendor/github.com/containers/common/pkg/subscriptions/mounts.conf
generated
vendored
Normal file
|
@ -0,0 +1 @@
|
|||
/usr/share/rhel/secrets:/run/secrets
|
|
@ -1,4 +1,4 @@
|
|||
package secrets
|
||||
package subscriptions
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
|
@ -7,7 +7,7 @@ import (
|
|||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"github.com/containers/buildah/pkg/umask"
|
||||
"github.com/containers/common/pkg/umask"
|
||||
"github.com/containers/storage/pkg/idtools"
|
||||
rspec "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
|
@ -27,16 +27,16 @@ var (
|
|||
UserOverrideMountsFile = filepath.Join(os.Getenv("HOME"), ".config/containers/mounts.conf")
|
||||
)
|
||||
|
||||
// secretData stores the name of the file and the content read from it
|
||||
type secretData struct {
|
||||
// subscriptionData stores the name of the file and the content read from it
|
||||
type subscriptionData struct {
|
||||
name string
|
||||
data []byte
|
||||
mode os.FileMode
|
||||
dirMode os.FileMode
|
||||
}
|
||||
|
||||
// saveTo saves secret data to given directory
|
||||
func (s secretData) saveTo(dir string) error {
|
||||
// saveTo saves subscription data to given directory
|
||||
func (s subscriptionData) saveTo(dir string) error {
|
||||
path := filepath.Join(dir, s.name)
|
||||
if err := os.MkdirAll(filepath.Dir(path), s.dirMode); err != nil {
|
||||
return err
|
||||
|
@ -44,10 +44,10 @@ func (s secretData) saveTo(dir string) error {
|
|||
return ioutil.WriteFile(path, s.data, s.mode)
|
||||
}
|
||||
|
||||
func readAll(root, prefix string, parentMode os.FileMode) ([]secretData, error) {
|
||||
func readAll(root, prefix string, parentMode os.FileMode) ([]subscriptionData, error) {
|
||||
path := filepath.Join(root, prefix)
|
||||
|
||||
data := []secretData{}
|
||||
data := []subscriptionData{}
|
||||
|
||||
files, err := ioutil.ReadDir(path)
|
||||
if err != nil {
|
||||
|
@ -74,7 +74,7 @@ func readAll(root, prefix string, parentMode os.FileMode) ([]secretData, error)
|
|||
return data, nil
|
||||
}
|
||||
|
||||
func readFileOrDir(root, name string, parentMode os.FileMode) ([]secretData, error) {
|
||||
func readFileOrDir(root, name string, parentMode os.FileMode) ([]subscriptionData, error) {
|
||||
path := filepath.Join(root, name)
|
||||
|
||||
s, err := os.Stat(path)
|
||||
|
@ -93,7 +93,7 @@ func readFileOrDir(root, name string, parentMode os.FileMode) ([]secretData, err
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return []secretData{{
|
||||
return []subscriptionData{{
|
||||
name: name,
|
||||
data: bytes,
|
||||
mode: s.Mode(),
|
||||
|
@ -101,13 +101,13 @@ func readFileOrDir(root, name string, parentMode os.FileMode) ([]secretData, err
|
|||
}}, nil
|
||||
}
|
||||
|
||||
func getHostSecretData(hostDir string, mode os.FileMode) ([]secretData, error) {
|
||||
var allSecrets []secretData
|
||||
hostSecrets, err := readAll(hostDir, "", mode)
|
||||
func getHostSubscriptionData(hostDir string, mode os.FileMode) ([]subscriptionData, error) {
|
||||
var allSubscriptions []subscriptionData
|
||||
hostSubscriptions, err := readAll(hostDir, "", mode)
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "failed to read secrets from %q", hostDir)
|
||||
return nil, errors.Wrapf(err, "failed to read subscriptions from %q", hostDir)
|
||||
}
|
||||
return append(allSecrets, hostSecrets...), nil
|
||||
return append(allSubscriptions, hostSubscriptions...), nil
|
||||
}
|
||||
|
||||
func getMounts(filePath string) []string {
|
||||
|
@ -136,7 +136,7 @@ func getMounts(filePath string) []string {
|
|||
}
|
||||
|
||||
// getHostAndCtrDir separates the host:container paths
|
||||
func getMountsMap(path string) (string, string, error) {
|
||||
func getMountsMap(path string) (string, string, error) { //nolint
|
||||
arr := strings.SplitN(path, ":", 2)
|
||||
switch len(arr) {
|
||||
case 1:
|
||||
|
@ -147,27 +147,21 @@ func getMountsMap(path string) (string, string, error) {
|
|||
return "", "", errors.Errorf("unable to get host and container dir from path: %s", path)
|
||||
}
|
||||
|
||||
// SecretMounts copies, adds, and mounts the secrets to the container root filesystem
|
||||
// Deprecated, Please use SecretMountWithUIDGID
|
||||
func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
|
||||
return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
|
||||
}
|
||||
|
||||
// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem
|
||||
// MountsWithUIDGID copies, adds, and mounts the subscriptions to the container root filesystem
|
||||
// mountLabel: MAC/SELinux label for container content
|
||||
// containerWorkingDir: Private data for storing secrets on the host mounted in container.
|
||||
// containerWorkingDir: Private data for storing subscriptions on the host mounted in container.
|
||||
// mountFile: Additional mount points required for the container.
|
||||
// mountPoint: Container image mountpoint
|
||||
// uid: to assign to content created for secrets
|
||||
// gid: to assign to content created for secrets
|
||||
// uid: to assign to content created for subscriptions
|
||||
// gid: to assign to content created for subscriptions
|
||||
// rootless: indicates whether container is running in rootless mode
|
||||
// disableFips: indicates whether system should ignore fips mode
|
||||
func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
|
||||
func MountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
|
||||
var (
|
||||
secretMounts []rspec.Mount
|
||||
mountFiles []string
|
||||
subscriptionMounts []rspec.Mount
|
||||
mountFiles []string
|
||||
)
|
||||
// Add secrets from paths given in the mounts.conf files
|
||||
// Add subscriptions from paths given in the mounts.conf files
|
||||
// mountFile will have a value if the hidden --default-mounts-file flag is set
|
||||
// Note for testing purposes only
|
||||
if mountFile == "" {
|
||||
|
@ -180,31 +174,32 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoi
|
|||
}
|
||||
for _, file := range mountFiles {
|
||||
if _, err := os.Stat(file); err == nil {
|
||||
mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
|
||||
mounts, err := addSubscriptionsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
|
||||
if err != nil {
|
||||
logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err)
|
||||
logrus.Warnf("error mounting subscriptions, skipping entry in %s: %v", file, err)
|
||||
}
|
||||
secretMounts = mounts
|
||||
subscriptionMounts = mounts
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
// Only add FIPS secret mount if disableFips=false
|
||||
// Only add FIPS subscription mount if disableFips=false
|
||||
if disableFips {
|
||||
return secretMounts
|
||||
return subscriptionMounts
|
||||
}
|
||||
// Add FIPS mode secret if /etc/system-fips exists on the host
|
||||
// Add FIPS mode subscription if /etc/system-fips exists on the host
|
||||
_, err := os.Stat("/etc/system-fips")
|
||||
if err == nil {
|
||||
if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
|
||||
logrus.Errorf("error adding FIPS mode secret to container: %v", err)
|
||||
switch {
|
||||
case err == nil:
|
||||
if err := addFIPSModeSubscription(&subscriptionMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
|
||||
logrus.Errorf("error adding FIPS mode subscription to container: %v", err)
|
||||
}
|
||||
} else if os.IsNotExist(err) {
|
||||
logrus.Debug("/etc/system-fips does not exist on host, not mounting FIPS mode secret")
|
||||
} else {
|
||||
logrus.Errorf("stat /etc/system-fips failed for FIPS mode secret: %v", err)
|
||||
case os.IsNotExist(err):
|
||||
logrus.Debug("/etc/system-fips does not exist on host, not mounting FIPS mode subscription")
|
||||
default:
|
||||
logrus.Errorf("stat /etc/system-fips failed for FIPS mode subscription: %v", err)
|
||||
}
|
||||
return secretMounts
|
||||
return subscriptionMounts
|
||||
}
|
||||
|
||||
func rchown(chowndir string, uid, gid int) error {
|
||||
|
@ -213,9 +208,9 @@ func rchown(chowndir string, uid, gid int) error {
|
|||
})
|
||||
}
|
||||
|
||||
// addSecretsFromMountsFile copies the contents of host directory to container directory
|
||||
// addSubscriptionsFromMountsFile copies the contents of host directory to container directory
|
||||
// and returns a list of mounts
|
||||
func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
|
||||
func addSubscriptionsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
|
||||
var mounts []rspec.Mount
|
||||
defaultMountsPaths := getMounts(filePath)
|
||||
for _, path := range defaultMountsPaths {
|
||||
|
@ -235,7 +230,7 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string,
|
|||
|
||||
ctrDirOrFileOnHost := filepath.Join(containerWorkingDir, ctrDirOrFile)
|
||||
|
||||
// In the event of a restart, don't want to copy secrets over again as they already would exist in ctrDirOrFileOnHost
|
||||
// In the event of a restart, don't want to copy subscriptions over again as they already would exist in ctrDirOrFileOnHost
|
||||
_, err = os.Stat(ctrDirOrFileOnHost)
|
||||
if os.IsNotExist(err) {
|
||||
|
||||
|
@ -245,17 +240,17 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string,
|
|||
}
|
||||
|
||||
// Don't let the umask have any influence on the file and directory creation
|
||||
oldUmask := umask.SetUmask(0)
|
||||
defer umask.SetUmask(oldUmask)
|
||||
oldUmask := umask.Set(0)
|
||||
defer umask.Set(oldUmask)
|
||||
|
||||
switch mode := fileInfo.Mode(); {
|
||||
case mode.IsDir():
|
||||
if err = os.MkdirAll(ctrDirOrFileOnHost, mode.Perm()); err != nil {
|
||||
return nil, errors.Wrapf(err, "making container directory %q failed", ctrDirOrFileOnHost)
|
||||
}
|
||||
data, err := getHostSecretData(hostDirOrFile, mode.Perm())
|
||||
data, err := getHostSubscriptionData(hostDirOrFile, mode.Perm())
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "getting host secret data failed")
|
||||
return nil, errors.Wrapf(err, "getting host subscription data failed")
|
||||
}
|
||||
for _, s := range data {
|
||||
if err := s.saveTo(ctrDirOrFileOnHost); err != nil {
|
||||
|
@ -305,15 +300,15 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string,
|
|||
return mounts, nil
|
||||
}
|
||||
|
||||
// addFIPSModeSecret creates /run/secrets/system-fips in the container
|
||||
// addFIPSModeSubscription creates /run/secrets/system-fips in the container
|
||||
// root filesystem if /etc/system-fips exists on hosts.
|
||||
// This enables the container to be FIPS compliant and run openssl in
|
||||
// FIPS mode as the host is also in FIPS mode.
|
||||
func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
|
||||
secretsDir := "/run/secrets"
|
||||
ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
|
||||
func addFIPSModeSubscription(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
|
||||
subscriptionsDir := "/run/secrets"
|
||||
ctrDirOnHost := filepath.Join(containerWorkingDir, subscriptionsDir)
|
||||
if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
|
||||
if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
|
||||
if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil { //nolint
|
||||
return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost)
|
||||
}
|
||||
if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
|
||||
|
@ -330,10 +325,10 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, m
|
|||
defer file.Close()
|
||||
}
|
||||
|
||||
if !mountExists(*mounts, secretsDir) {
|
||||
if !mountExists(*mounts, subscriptionsDir) {
|
||||
m := rspec.Mount{
|
||||
Source: ctrDirOnHost,
|
||||
Destination: secretsDir,
|
||||
Destination: subscriptionsDir,
|
||||
Type: "bind",
|
||||
Options: []string{"bind", "rprivate"},
|
||||
}
|
|
@ -8,13 +8,13 @@ import (
|
|||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
func CheckUmask() {
|
||||
oldUmask := syscall.Umask(0022)
|
||||
func Check() {
|
||||
oldUmask := syscall.Umask(0022) //nolint
|
||||
if (oldUmask & ^0022) != 0 {
|
||||
logrus.Debugf("umask value too restrictive. Forcing it to 022")
|
||||
}
|
||||
}
|
||||
|
||||
func SetUmask(value int) int {
|
||||
func Set(value int) int {
|
||||
return syscall.Umask(value)
|
||||
}
|
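--- a/vendor/github.com/containers/common/pkg/umask/umask_unsupported.go
+++ b/vendor/github.com/containers/common/pkg/umask/umask_unsupported.go
@@ -0,0 +1,7 @@
+// +build !linux,!darwin
+
+package umask
+
+func Check() {}
+
+func Set(int) int { return 0 }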
6
vendor/modules.txt
vendored
6
vendor/modules.txt
vendored
|
@ -67,7 +67,7 @@ github.com/containernetworking/plugins/pkg/utils/hwaddr
|
|||
github.com/containernetworking/plugins/pkg/utils/sysctl
|
||||
github.com/containernetworking/plugins/plugins/ipam/host-local/backend
|
||||
github.com/containernetworking/plugins/plugins/ipam/host-local/backend/allocator
|
||||
# github.com/containers/buildah v1.18.0
|
||||
# github.com/containers/buildah v1.18.1-0.20201125084616-dd26b137459c
|
||||
github.com/containers/buildah
|
||||
github.com/containers/buildah/bind
|
||||
github.com/containers/buildah/chroot
|
||||
|
@ -84,9 +84,7 @@ github.com/containers/buildah/pkg/manifests
|
|||
github.com/containers/buildah/pkg/overlay
|
||||
github.com/containers/buildah/pkg/parse
|
||||
github.com/containers/buildah/pkg/rusage
|
||||
github.com/containers/buildah/pkg/secrets
|
||||
github.com/containers/buildah/pkg/supplemented
|
||||
github.com/containers/buildah/pkg/umask
|
||||
github.com/containers/buildah/util
|
||||
# github.com/containers/common v0.29.0
|
||||
github.com/containers/common/pkg/apparmor
|
||||
|
@ -100,7 +98,9 @@ github.com/containers/common/pkg/report
|
|||
github.com/containers/common/pkg/report/camelcase
|
||||
github.com/containers/common/pkg/retry
|
||||
github.com/containers/common/pkg/seccomp
|
||||
github.com/containers/common/pkg/subscriptions
|
||||
github.com/containers/common/pkg/sysinfo
|
||||
github.com/containers/common/pkg/umask
|
||||
github.com/containers/common/version
|
||||
# github.com/containers/conmon v2.0.20+incompatible
|
||||
github.com/containers/conmon/runner/config
|
||||
|
|