mirror of
https://github.com/containers/podman
synced 2024-10-20 09:13:46 +00:00
Move secrets package to buildah
Trying to remove circular dependencies between libpod and buildah. First step to move pkg content from libpod to buildah. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
parent
008aaf7468
commit
2f3875d009
|
@ -18,13 +18,13 @@ import (
|
||||||
|
|
||||||
cnitypes "github.com/containernetworking/cni/pkg/types/current"
|
cnitypes "github.com/containernetworking/cni/pkg/types/current"
|
||||||
"github.com/containernetworking/plugins/pkg/ns"
|
"github.com/containernetworking/plugins/pkg/ns"
|
||||||
|
"github.com/containers/buildah/pkg/secrets"
|
||||||
crioAnnotations "github.com/containers/libpod/pkg/annotations"
|
crioAnnotations "github.com/containers/libpod/pkg/annotations"
|
||||||
"github.com/containers/libpod/pkg/apparmor"
|
"github.com/containers/libpod/pkg/apparmor"
|
||||||
"github.com/containers/libpod/pkg/criu"
|
"github.com/containers/libpod/pkg/criu"
|
||||||
"github.com/containers/libpod/pkg/lookup"
|
"github.com/containers/libpod/pkg/lookup"
|
||||||
"github.com/containers/libpod/pkg/resolvconf"
|
"github.com/containers/libpod/pkg/resolvconf"
|
||||||
"github.com/containers/libpod/pkg/rootless"
|
"github.com/containers/libpod/pkg/rootless"
|
||||||
"github.com/containers/libpod/pkg/secrets"
|
|
||||||
"github.com/containers/storage/pkg/idtools"
|
"github.com/containers/storage/pkg/idtools"
|
||||||
"github.com/opencontainers/runc/libcontainer/user"
|
"github.com/opencontainers/runc/libcontainer/user"
|
||||||
spec "github.com/opencontainers/runtime-spec/specs-go"
|
spec "github.com/opencontainers/runtime-spec/specs-go"
|
||||||
|
|
|
@ -1,323 +0,0 @@
|
||||||
package secrets
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bufio"
|
|
||||||
"io/ioutil"
|
|
||||||
"os"
|
|
||||||
"path/filepath"
|
|
||||||
"strings"
|
|
||||||
|
|
||||||
"github.com/containers/libpod/pkg/rootless"
|
|
||||||
"github.com/containers/storage/pkg/idtools"
|
|
||||||
rspec "github.com/opencontainers/runtime-spec/specs-go"
|
|
||||||
"github.com/opencontainers/selinux/go-selinux/label"
|
|
||||||
"github.com/pkg/errors"
|
|
||||||
"github.com/sirupsen/logrus"
|
|
||||||
)
|
|
||||||
|
|
||||||
var (
|
|
||||||
// DefaultMountsFile holds the default mount paths in the form
|
|
||||||
// "host_path:container_path"
|
|
||||||
DefaultMountsFile = "/usr/share/containers/mounts.conf"
|
|
||||||
// OverrideMountsFile holds the default mount paths in the form
|
|
||||||
// "host_path:container_path" overridden by the user
|
|
||||||
OverrideMountsFile = "/etc/containers/mounts.conf"
|
|
||||||
// UserOverrideMountsFile holds the default mount paths in the form
|
|
||||||
// "host_path:container_path" overridden by the rootless user
|
|
||||||
UserOverrideMountsFile = filepath.Join(os.Getenv("HOME"), ".config/containers/mounts.conf")
|
|
||||||
)
|
|
||||||
|
|
||||||
// secretData stores the name of the file and the content read from it
|
|
||||||
type secretData struct {
|
|
||||||
name string
|
|
||||||
data []byte
|
|
||||||
}
|
|
||||||
|
|
||||||
// saveTo saves secret data to given directory
|
|
||||||
func (s secretData) saveTo(dir string) error {
|
|
||||||
path := filepath.Join(dir, s.name)
|
|
||||||
if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil && !os.IsExist(err) {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
return ioutil.WriteFile(path, s.data, 0700)
|
|
||||||
}
|
|
||||||
|
|
||||||
func readAll(root, prefix string) ([]secretData, error) {
|
|
||||||
path := filepath.Join(root, prefix)
|
|
||||||
|
|
||||||
data := []secretData{}
|
|
||||||
|
|
||||||
files, err := ioutil.ReadDir(path)
|
|
||||||
if err != nil {
|
|
||||||
if os.IsNotExist(err) {
|
|
||||||
return data, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, f := range files {
|
|
||||||
fileData, err := readFile(root, filepath.Join(prefix, f.Name()))
|
|
||||||
if err != nil {
|
|
||||||
// If the file did not exist, might be a dangling symlink
|
|
||||||
// Ignore the error
|
|
||||||
if os.IsNotExist(err) {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
data = append(data, fileData...)
|
|
||||||
}
|
|
||||||
|
|
||||||
return data, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func readFile(root, name string) ([]secretData, error) {
|
|
||||||
path := filepath.Join(root, name)
|
|
||||||
|
|
||||||
s, err := os.Stat(path)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
if s.IsDir() {
|
|
||||||
dirData, err := readAll(root, name)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return dirData, nil
|
|
||||||
}
|
|
||||||
bytes, err := ioutil.ReadFile(path)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return []secretData{{name: name, data: bytes}}, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func getHostSecretData(hostDir string) ([]secretData, error) {
|
|
||||||
var allSecrets []secretData
|
|
||||||
hostSecrets, err := readAll(hostDir, "")
|
|
||||||
if err != nil {
|
|
||||||
return nil, errors.Wrapf(err, "failed to read secrets from %q", hostDir)
|
|
||||||
}
|
|
||||||
return append(allSecrets, hostSecrets...), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func getMounts(filePath string) []string {
|
|
||||||
file, err := os.Open(filePath)
|
|
||||||
if err != nil {
|
|
||||||
// This is expected on most systems
|
|
||||||
logrus.Debugf("file %q not found, skipping...", filePath)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
defer file.Close()
|
|
||||||
scanner := bufio.NewScanner(file)
|
|
||||||
if err = scanner.Err(); err != nil {
|
|
||||||
logrus.Errorf("error reading file %q, %v skipping...", filePath, err)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
var mounts []string
|
|
||||||
for scanner.Scan() {
|
|
||||||
mounts = append(mounts, scanner.Text())
|
|
||||||
}
|
|
||||||
return mounts
|
|
||||||
}
|
|
||||||
|
|
||||||
// getHostAndCtrDir separates the host:container paths
|
|
||||||
func getMountsMap(path string) (string, string, error) {
|
|
||||||
arr := strings.SplitN(path, ":", 2)
|
|
||||||
if len(arr) == 2 {
|
|
||||||
return arr[0], arr[1], nil
|
|
||||||
}
|
|
||||||
return "", "", errors.Errorf("unable to get host and container dir")
|
|
||||||
}
|
|
||||||
|
|
||||||
// SecretMounts copies, adds, and mounts the secrets to the container root filesystem
|
|
||||||
func SecretMounts(mountLabel, containerWorkingDir, mountFile string) []rspec.Mount {
|
|
||||||
return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0)
|
|
||||||
}
|
|
||||||
|
|
||||||
// SecretMountsWithUIDGID specifies the uid/gid of the owner
|
|
||||||
func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int) []rspec.Mount {
|
|
||||||
var (
|
|
||||||
secretMounts []rspec.Mount
|
|
||||||
mountFiles []string
|
|
||||||
)
|
|
||||||
// Add secrets from paths given in the mounts.conf files
|
|
||||||
// mountFile will have a value if the hidden --default-mounts-file flag is set
|
|
||||||
// Note for testing purposes only
|
|
||||||
if mountFile == "" {
|
|
||||||
mountFiles = append(mountFiles, []string{OverrideMountsFile, DefaultMountsFile}...)
|
|
||||||
if rootless.IsRootless() {
|
|
||||||
mountFiles = append([]string{UserOverrideMountsFile}, mountFiles...)
|
|
||||||
_, err := os.Stat(UserOverrideMountsFile)
|
|
||||||
if err != nil && os.IsNotExist(err) {
|
|
||||||
os.MkdirAll(filepath.Dir(UserOverrideMountsFile), 0755)
|
|
||||||
if f, err := os.Create(UserOverrideMountsFile); err != nil {
|
|
||||||
logrus.Warnf("could not create file %s: %v", UserOverrideMountsFile, err)
|
|
||||||
} else {
|
|
||||||
f.Close()
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
mountFiles = append(mountFiles, mountFile)
|
|
||||||
}
|
|
||||||
for _, file := range mountFiles {
|
|
||||||
if _, err := os.Stat(file); err == nil {
|
|
||||||
mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
|
|
||||||
if err != nil {
|
|
||||||
logrus.Warnf("error mounting secrets, skipping: %v", err)
|
|
||||||
}
|
|
||||||
secretMounts = mounts
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Add FIPS mode secret if /etc/system-fips exists on the host
|
|
||||||
_, err := os.Stat("/etc/system-fips")
|
|
||||||
if err == nil {
|
|
||||||
if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
|
|
||||||
logrus.Errorf("error adding FIPS mode secret to container: %v", err)
|
|
||||||
}
|
|
||||||
} else if os.IsNotExist(err) {
|
|
||||||
logrus.Debug("/etc/system-fips does not exist on host, not mounting FIPS mode secret")
|
|
||||||
} else {
|
|
||||||
logrus.Errorf("stat /etc/system-fips failed for FIPS mode secret: %v", err)
|
|
||||||
}
|
|
||||||
return secretMounts
|
|
||||||
}
|
|
||||||
|
|
||||||
func rchown(chowndir string, uid, gid int) error {
|
|
||||||
return filepath.Walk(chowndir, func(filePath string, f os.FileInfo, err error) error {
|
|
||||||
return os.Lchown(filePath, uid, gid)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
// addSecretsFromMountsFile copies the contents of host directory to container directory
|
|
||||||
// and returns a list of mounts
|
|
||||||
func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
|
|
||||||
var mounts []rspec.Mount
|
|
||||||
defaultMountsPaths := getMounts(filePath)
|
|
||||||
for _, path := range defaultMountsPaths {
|
|
||||||
hostDir, ctrDir, err := getMountsMap(path)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
// skip if the hostDir path doesn't exist
|
|
||||||
if _, err = os.Stat(hostDir); err != nil {
|
|
||||||
if os.IsNotExist(err) {
|
|
||||||
logrus.Warnf("Path %q from %q doesn't exist, skipping", hostDir, filePath)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
return nil, errors.Wrapf(err, "failed to stat %q", hostDir)
|
|
||||||
}
|
|
||||||
|
|
||||||
ctrDirOnHost := filepath.Join(containerWorkingDir, ctrDir)
|
|
||||||
|
|
||||||
// In the event of a restart, don't want to copy secrets over again as they already would exist in ctrDirOnHost
|
|
||||||
_, err = os.Stat(ctrDirOnHost)
|
|
||||||
if os.IsNotExist(err) {
|
|
||||||
if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
|
|
||||||
return nil, errors.Wrapf(err, "making container directory %q failed", ctrDirOnHost)
|
|
||||||
}
|
|
||||||
hostDir, err = resolveSymbolicLink(hostDir)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
data, err := getHostSecretData(hostDir)
|
|
||||||
if err != nil {
|
|
||||||
return nil, errors.Wrapf(err, "getting host secret data failed")
|
|
||||||
}
|
|
||||||
for _, s := range data {
|
|
||||||
if err := s.saveTo(ctrDirOnHost); err != nil {
|
|
||||||
return nil, errors.Wrapf(err, "error saving data to container filesystem on host %q", ctrDirOnHost)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
err = label.Relabel(ctrDirOnHost, mountLabel, false)
|
|
||||||
if err != nil {
|
|
||||||
return nil, errors.Wrap(err, "error applying correct labels")
|
|
||||||
}
|
|
||||||
if uid != 0 || gid != 0 {
|
|
||||||
if err := rchown(ctrDirOnHost, uid, gid); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else if err != nil {
|
|
||||||
return nil, errors.Wrapf(err, "error getting status of %q", ctrDirOnHost)
|
|
||||||
}
|
|
||||||
|
|
||||||
m := rspec.Mount{
|
|
||||||
Source: filepath.Join(mountPrefix, ctrDir),
|
|
||||||
Destination: ctrDir,
|
|
||||||
Type: "bind",
|
|
||||||
Options: []string{"bind", "rprivate"},
|
|
||||||
}
|
|
||||||
|
|
||||||
mounts = append(mounts, m)
|
|
||||||
}
|
|
||||||
return mounts, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// addFIPSModeSecret creates /run/secrets/system-fips in the container
|
|
||||||
// root filesystem if /etc/system-fips exists on hosts.
|
|
||||||
// This enables the container to be FIPS compliant and run openssl in
|
|
||||||
// FIPS mode as the host is also in FIPS mode.
|
|
||||||
func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
|
|
||||||
secretsDir := "/run/secrets"
|
|
||||||
ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
|
|
||||||
if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
|
|
||||||
if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
|
|
||||||
return errors.Wrapf(err, "making container directory on host failed")
|
|
||||||
}
|
|
||||||
if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
|
|
||||||
return errors.Wrap(err, "error applying correct labels")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
|
|
||||||
// In the event of restart, it is possible for the FIPS mode file to already exist
|
|
||||||
if _, err := os.Stat(fipsFile); os.IsNotExist(err) {
|
|
||||||
file, err := os.Create(fipsFile)
|
|
||||||
if err != nil {
|
|
||||||
return errors.Wrapf(err, "error creating system-fips file in container for FIPS mode")
|
|
||||||
}
|
|
||||||
defer file.Close()
|
|
||||||
}
|
|
||||||
|
|
||||||
if !mountExists(*mounts, secretsDir) {
|
|
||||||
m := rspec.Mount{
|
|
||||||
Source: filepath.Join(mountPrefix, secretsDir),
|
|
||||||
Destination: secretsDir,
|
|
||||||
Type: "bind",
|
|
||||||
Options: []string{"bind", "rprivate"},
|
|
||||||
}
|
|
||||||
*mounts = append(*mounts, m)
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// mountExists checks if a mount already exists in the spec
|
|
||||||
func mountExists(mounts []rspec.Mount, dest string) bool {
|
|
||||||
for _, mount := range mounts {
|
|
||||||
if mount.Destination == dest {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
// resolveSymbolicLink resolves a possbile symlink path. If the path is a symlink, returns resolved
|
|
||||||
// path; if not, returns the original path.
|
|
||||||
func resolveSymbolicLink(path string) (string, error) {
|
|
||||||
info, err := os.Lstat(path)
|
|
||||||
if err != nil {
|
|
||||||
return "", err
|
|
||||||
}
|
|
||||||
if info.Mode()&os.ModeSymlink != os.ModeSymlink {
|
|
||||||
return path, nil
|
|
||||||
}
|
|
||||||
return filepath.EvalSymlinks(path)
|
|
||||||
}
|
|
|
@ -93,7 +93,7 @@ k8s.io/apimachinery kubernetes-1.10.13-beta.0 https://github.com/kubernetes/apim
|
||||||
k8s.io/client-go kubernetes-1.10.13-beta.0 https://github.com/kubernetes/client-go
|
k8s.io/client-go kubernetes-1.10.13-beta.0 https://github.com/kubernetes/client-go
|
||||||
github.com/mrunalp/fileutils 7d4729fb36185a7c1719923406c9d40e54fb93c7
|
github.com/mrunalp/fileutils 7d4729fb36185a7c1719923406c9d40e54fb93c7
|
||||||
github.com/varlink/go 3ac79db6fd6aec70924193b090962f92985fe199
|
github.com/varlink/go 3ac79db6fd6aec70924193b090962f92985fe199
|
||||||
github.com/containers/buildah v1.7.1
|
github.com/containers/buildah 11dd2197dfffedb40687de1d667e6c9fb0708de9
|
||||||
# TODO: Gotty has not been updated since 2012. Can we find replacement?
|
# TODO: Gotty has not been updated since 2012. Can we find replacement?
|
||||||
github.com/Nvveen/Gotty cd527374f1e5bff4938207604a14f2e38a9cf512
|
github.com/Nvveen/Gotty cd527374f1e5bff4938207604a14f2e38a9cf512
|
||||||
# do not go beyond the below commit as the next one requires a more recent
|
# do not go beyond the below commit as the next one requires a more recent
|
||||||
|
|
2
vendor/github.com/containers/buildah/buildah.go
generated
vendored
2
vendor/github.com/containers/buildah/buildah.go
generated
vendored
|
@ -26,7 +26,7 @@ const (
|
||||||
Package = "buildah"
|
Package = "buildah"
|
||||||
// Version for the Package. Bump version in contrib/rpm/buildah.spec
|
// Version for the Package. Bump version in contrib/rpm/buildah.spec
|
||||||
// too.
|
// too.
|
||||||
Version = "1.7.1"
|
Version = "1.8-dev"
|
||||||
// The value we use to identify what type of information, currently a
|
// The value we use to identify what type of information, currently a
|
||||||
// serialized Builder structure, we are using as per-container state.
|
// serialized Builder structure, we are using as per-container state.
|
||||||
// This should only be changed when we make incompatible changes to
|
// This should only be changed when we make incompatible changes to
|
||||||
|
|
79
vendor/github.com/containers/buildah/new.go
generated
vendored
79
vendor/github.com/containers/buildah/new.go
generated
vendored
|
@ -22,27 +22,23 @@ const (
|
||||||
// BaseImageFakeName is the "name" of a source image which we interpret
|
// BaseImageFakeName is the "name" of a source image which we interpret
|
||||||
// as "no image".
|
// as "no image".
|
||||||
BaseImageFakeName = imagebuilder.NoBaseImageSpecifier
|
BaseImageFakeName = imagebuilder.NoBaseImageSpecifier
|
||||||
|
|
||||||
// minimumTruncatedIDLength is the minimum length of an identifier that
|
|
||||||
// we'll accept as possibly being a truncated image ID.
|
|
||||||
minimumTruncatedIDLength = 3
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func pullAndFindImage(ctx context.Context, store storage.Store, transport string, imageName string, options BuilderOptions, sc *types.SystemContext) (*storage.Image, types.ImageReference, error) {
|
func pullAndFindImage(ctx context.Context, store storage.Store, srcRef types.ImageReference, options BuilderOptions, sc *types.SystemContext) (*storage.Image, types.ImageReference, error) {
|
||||||
pullOptions := PullOptions{
|
pullOptions := PullOptions{
|
||||||
ReportWriter: options.ReportWriter,
|
ReportWriter: options.ReportWriter,
|
||||||
Store: store,
|
Store: store,
|
||||||
SystemContext: options.SystemContext,
|
SystemContext: options.SystemContext,
|
||||||
BlobDirectory: options.PullBlobDirectory,
|
BlobDirectory: options.PullBlobDirectory,
|
||||||
}
|
}
|
||||||
ref, err := pullImage(ctx, store, transport, imageName, pullOptions, sc)
|
ref, err := pullImage(ctx, store, srcRef, pullOptions, sc)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logrus.Debugf("error pulling image %q: %v", imageName, err)
|
logrus.Debugf("error pulling image %q: %v", transports.ImageName(srcRef), err)
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
img, err := is.Transport.GetStoreImage(store, ref)
|
img, err := is.Transport.GetStoreImage(store, ref)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logrus.Debugf("error reading pulled image %q: %v", imageName, err)
|
logrus.Debugf("error reading pulled image %q: %v", transports.ImageName(srcRef), err)
|
||||||
return nil, nil, errors.Wrapf(err, "error locating image %q in local storage", transports.ImageName(ref))
|
return nil, nil, errors.Wrapf(err, "error locating image %q in local storage", transports.ImageName(ref))
|
||||||
}
|
}
|
||||||
return img, ref, nil
|
return img, ref, nil
|
||||||
|
@ -112,19 +108,36 @@ func resolveImage(ctx context.Context, systemContext *types.SystemContext, store
|
||||||
|
|
||||||
failures := []failure{}
|
failures := []failure{}
|
||||||
for _, image := range candidates {
|
for _, image := range candidates {
|
||||||
var err error
|
if transport == "" {
|
||||||
if len(image) >= minimumTruncatedIDLength {
|
img, err := store.Image(image)
|
||||||
if img, err := store.Image(image); err == nil && img != nil && strings.HasPrefix(img.ID, image) {
|
if err != nil {
|
||||||
ref, err := is.Transport.ParseStoreReference(store, img.ID)
|
logrus.Debugf("error looking up known-local image %q: %v", image, err)
|
||||||
if err != nil {
|
failures = append(failures, failure{resolvedImageName: image, err: err})
|
||||||
return nil, "", nil, errors.Wrapf(err, "error parsing reference to image %q", img.ID)
|
continue
|
||||||
}
|
|
||||||
return ref, transport, img, nil
|
|
||||||
}
|
}
|
||||||
|
ref, err := is.Transport.ParseStoreReference(store, img.ID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, "", nil, errors.Wrapf(err, "error parsing reference to image %q", img.ID)
|
||||||
|
}
|
||||||
|
return ref, transport, img, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
trans := transport
|
||||||
|
if transport != util.DefaultTransport {
|
||||||
|
trans = trans + ":"
|
||||||
|
}
|
||||||
|
srcRef, err := alltransports.ParseImageName(trans + image)
|
||||||
|
if err != nil {
|
||||||
|
logrus.Debugf("error parsing image name %q: %v", trans+image, err)
|
||||||
|
failures = append(failures, failure{
|
||||||
|
resolvedImageName: image,
|
||||||
|
err: errors.Wrapf(err, "error parsing attempted image name %q", trans+image),
|
||||||
|
})
|
||||||
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
if options.PullPolicy == PullAlways {
|
if options.PullPolicy == PullAlways {
|
||||||
pulledImg, pulledReference, err := pullAndFindImage(ctx, store, transport, image, options, systemContext)
|
pulledImg, pulledReference, err := pullAndFindImage(ctx, store, srcRef, options, systemContext)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logrus.Debugf("unable to pull and read image %q: %v", image, err)
|
logrus.Debugf("unable to pull and read image %q: %v", image, err)
|
||||||
failures = append(failures, failure{resolvedImageName: image, err: err})
|
failures = append(failures, failure{resolvedImageName: image, err: err})
|
||||||
|
@ -133,35 +146,7 @@ func resolveImage(ctx context.Context, systemContext *types.SystemContext, store
|
||||||
return pulledReference, transport, pulledImg, nil
|
return pulledReference, transport, pulledImg, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
srcRef, err := alltransports.ParseImageName(image)
|
destImage, err := localImageNameForReference(ctx, store, srcRef)
|
||||||
if err != nil {
|
|
||||||
if transport == "" {
|
|
||||||
logrus.Debugf("error parsing image name %q: %v", image, err)
|
|
||||||
failures = append(failures, failure{
|
|
||||||
resolvedImageName: image,
|
|
||||||
err: errors.Wrapf(err, "error parsing image name"),
|
|
||||||
})
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
logrus.Debugf("error parsing image name %q as given, trying with transport %q: %v", image, transport, err)
|
|
||||||
|
|
||||||
trans := transport
|
|
||||||
if transport != util.DefaultTransport {
|
|
||||||
trans = trans + ":"
|
|
||||||
}
|
|
||||||
srcRef2, err := alltransports.ParseImageName(trans + image)
|
|
||||||
if err != nil {
|
|
||||||
logrus.Debugf("error parsing image name %q: %v", transport+image, err)
|
|
||||||
failures = append(failures, failure{
|
|
||||||
resolvedImageName: image,
|
|
||||||
err: errors.Wrapf(err, "error parsing attempted image name %q", transport+image),
|
|
||||||
})
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
srcRef = srcRef2
|
|
||||||
}
|
|
||||||
|
|
||||||
destImage, err := localImageNameForReference(ctx, store, srcRef, options.FromImage)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, "", nil, errors.Wrapf(err, "error computing local image name for %q", transports.ImageName(srcRef))
|
return nil, "", nil, errors.Wrapf(err, "error computing local image name for %q", transports.ImageName(srcRef))
|
||||||
}
|
}
|
||||||
|
@ -187,7 +172,7 @@ func resolveImage(ctx context.Context, systemContext *types.SystemContext, store
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
pulledImg, pulledReference, err := pullAndFindImage(ctx, store, transport, image, options, systemContext)
|
pulledImg, pulledReference, err := pullAndFindImage(ctx, store, srcRef, options, systemContext)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logrus.Debugf("unable to pull and read image %q: %v", image, err)
|
logrus.Debugf("unable to pull and read image %q: %v", image, err)
|
||||||
failures = append(failures, failure{resolvedImageName: image, err: err})
|
failures = append(failures, failure{resolvedImageName: image, err: err})
|
||||||
|
|
12
vendor/github.com/containers/buildah/pkg/secrets/secrets.go
generated
vendored
12
vendor/github.com/containers/buildah/pkg/secrets/secrets.go
generated
vendored
|
@ -8,6 +8,7 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/containers/libpod/pkg/rootless"
|
"github.com/containers/libpod/pkg/rootless"
|
||||||
|
"github.com/containers/storage/pkg/idtools"
|
||||||
rspec "github.com/opencontainers/runtime-spec/specs-go"
|
rspec "github.com/opencontainers/runtime-spec/specs-go"
|
||||||
"github.com/opencontainers/selinux/go-selinux/label"
|
"github.com/opencontainers/selinux/go-selinux/label"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
|
@ -176,7 +177,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
|
||||||
// Add FIPS mode secret if /etc/system-fips exists on the host
|
// Add FIPS mode secret if /etc/system-fips exists on the host
|
||||||
_, err := os.Stat("/etc/system-fips")
|
_, err := os.Stat("/etc/system-fips")
|
||||||
if err == nil {
|
if err == nil {
|
||||||
if err := addFIPSModeSecret(&secretMounts, containerWorkingDir); err != nil {
|
if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
|
||||||
logrus.Errorf("error adding FIPS mode secret to container: %v", err)
|
logrus.Errorf("error adding FIPS mode secret to container: %v", err)
|
||||||
}
|
}
|
||||||
} else if os.IsNotExist(err) {
|
} else if os.IsNotExist(err) {
|
||||||
|
@ -264,13 +265,16 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
|
||||||
// root filesystem if /etc/system-fips exists on hosts.
|
// root filesystem if /etc/system-fips exists on hosts.
|
||||||
// This enables the container to be FIPS compliant and run openssl in
|
// This enables the container to be FIPS compliant and run openssl in
|
||||||
// FIPS mode as the host is also in FIPS mode.
|
// FIPS mode as the host is also in FIPS mode.
|
||||||
func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error {
|
func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
|
||||||
secretsDir := "/run/secrets"
|
secretsDir := "/run/secrets"
|
||||||
ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
|
ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
|
||||||
if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
|
if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
|
||||||
if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
|
if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
|
||||||
return errors.Wrapf(err, "making container directory on host failed")
|
return errors.Wrapf(err, "making container directory on host failed")
|
||||||
}
|
}
|
||||||
|
if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
|
||||||
|
return errors.Wrap(err, "error applying correct labels")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
|
fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
|
||||||
// In the event of restart, it is possible for the FIPS mode file to already exist
|
// In the event of restart, it is possible for the FIPS mode file to already exist
|
||||||
|
@ -284,7 +288,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error
|
||||||
|
|
||||||
if !mountExists(*mounts, secretsDir) {
|
if !mountExists(*mounts, secretsDir) {
|
||||||
m := rspec.Mount{
|
m := rspec.Mount{
|
||||||
Source: ctrDirOnHost,
|
Source: filepath.Join(mountPrefix, secretsDir),
|
||||||
Destination: secretsDir,
|
Destination: secretsDir,
|
||||||
Type: "bind",
|
Type: "bind",
|
||||||
Options: []string{"bind", "rprivate"},
|
Options: []string{"bind", "rprivate"},
|
||||||
|
|
65
vendor/github.com/containers/buildah/pull.go
generated
vendored
65
vendor/github.com/containers/buildah/pull.go
generated
vendored
|
@ -19,10 +19,9 @@ import (
|
||||||
"github.com/containers/image/signature"
|
"github.com/containers/image/signature"
|
||||||
is "github.com/containers/image/storage"
|
is "github.com/containers/image/storage"
|
||||||
"github.com/containers/image/transports"
|
"github.com/containers/image/transports"
|
||||||
"github.com/containers/image/transports/alltransports"
|
|
||||||
"github.com/containers/image/types"
|
"github.com/containers/image/types"
|
||||||
"github.com/containers/storage"
|
"github.com/containers/storage"
|
||||||
"github.com/hashicorp/go-multierror"
|
multierror "github.com/hashicorp/go-multierror"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/sirupsen/logrus"
|
"github.com/sirupsen/logrus"
|
||||||
)
|
)
|
||||||
|
@ -52,15 +51,14 @@ type PullOptions struct {
|
||||||
AllTags bool
|
AllTags bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func localImageNameForReference(ctx context.Context, store storage.Store, srcRef types.ImageReference, spec string) (string, error) {
|
func localImageNameForReference(ctx context.Context, store storage.Store, srcRef types.ImageReference) (string, error) {
|
||||||
if srcRef == nil {
|
if srcRef == nil {
|
||||||
return "", errors.Errorf("reference to image is empty")
|
return "", errors.Errorf("reference to image is empty")
|
||||||
}
|
}
|
||||||
split := strings.SplitN(spec, ":", 2)
|
|
||||||
file := split[len(split)-1]
|
|
||||||
var name string
|
var name string
|
||||||
switch srcRef.Transport().Name() {
|
switch srcRef.Transport().Name() {
|
||||||
case dockerarchive.Transport.Name():
|
case dockerarchive.Transport.Name():
|
||||||
|
file := srcRef.StringWithinTransport()
|
||||||
tarSource, err := tarfile.NewSourceFromFile(file)
|
tarSource, err := tarfile.NewSourceFromFile(file)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", errors.Wrapf(err, "error opening tarfile %q as a source image", file)
|
return "", errors.Wrapf(err, "error opening tarfile %q as a source image", file)
|
||||||
|
@ -104,14 +102,15 @@ func localImageNameForReference(ctx context.Context, store storage.Store, srcRef
|
||||||
}
|
}
|
||||||
case directory.Transport.Name():
|
case directory.Transport.Name():
|
||||||
// supports pull from a directory
|
// supports pull from a directory
|
||||||
name = split[1]
|
name = srcRef.StringWithinTransport()
|
||||||
// remove leading "/"
|
// remove leading "/"
|
||||||
if name[:1] == "/" {
|
if name[:1] == "/" {
|
||||||
name = name[1:]
|
name = name[1:]
|
||||||
}
|
}
|
||||||
case oci.Transport.Name():
|
case oci.Transport.Name():
|
||||||
// supports pull from a directory
|
// supports pull from a directory
|
||||||
name = split[1]
|
split := strings.SplitN(srcRef.StringWithinTransport(), ":", 2)
|
||||||
|
name = split[0]
|
||||||
// remove leading "/"
|
// remove leading "/"
|
||||||
if name[:1] == "/" {
|
if name[:1] == "/" {
|
||||||
name = name[1:]
|
name = name[1:]
|
||||||
|
@ -175,21 +174,29 @@ func Pull(ctx context.Context, imageName string, options PullOptions) error {
|
||||||
return errors.New("Non-docker transport is not supported, for --all-tags pulling")
|
return errors.New("Non-docker transport is not supported, for --all-tags pulling")
|
||||||
}
|
}
|
||||||
|
|
||||||
spec := transport + storageRef.DockerReference().Name()
|
repo := reference.TrimNamed(storageRef.DockerReference())
|
||||||
storageRef, err = alltransports.ParseImageName(spec)
|
dockerRef, err := docker.NewReference(reference.TagNameOnly(storageRef.DockerReference()))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrapf(err, "error getting repository tags")
|
return errors.Wrapf(err, "internal error creating docker.Transport reference for %s", storageRef.DockerReference().String())
|
||||||
}
|
}
|
||||||
tags, err := docker.GetRepositoryTags(ctx, systemContext, storageRef)
|
tags, err := docker.GetRepositoryTags(ctx, systemContext, dockerRef)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrapf(err, "error getting repository tags")
|
return errors.Wrapf(err, "error getting repository tags")
|
||||||
}
|
}
|
||||||
for _, tag := range tags {
|
for _, tag := range tags {
|
||||||
name := spec + ":" + tag
|
tagged, err := reference.WithTag(repo, tag)
|
||||||
if options.ReportWriter != nil {
|
if err != nil {
|
||||||
options.ReportWriter.Write([]byte("Pulling " + name + "\n"))
|
errs = multierror.Append(errs, err)
|
||||||
|
continue
|
||||||
}
|
}
|
||||||
ref, err := pullImage(ctx, options.Store, transport, name, options, systemContext)
|
taggedRef, err := docker.NewReference(tagged)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrapf(err, "internal error creating docker.Transport reference for %s", tagged.String())
|
||||||
|
}
|
||||||
|
if options.ReportWriter != nil {
|
||||||
|
options.ReportWriter.Write([]byte("Pulling " + tagged.String() + "\n"))
|
||||||
|
}
|
||||||
|
ref, err := pullImage(ctx, options.Store, taggedRef, options, systemContext)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
errs = multierror.Append(errs, err)
|
errs = multierror.Append(errs, err)
|
||||||
continue
|
continue
|
||||||
|
@ -208,27 +215,7 @@ func Pull(ctx context.Context, imageName string, options PullOptions) error {
|
||||||
return errs.ErrorOrNil()
|
return errs.ErrorOrNil()
|
||||||
}
|
}
|
||||||
|
|
||||||
func pullImage(ctx context.Context, store storage.Store, transport string, imageName string, options PullOptions, sc *types.SystemContext) (types.ImageReference, error) {
|
func pullImage(ctx context.Context, store storage.Store, srcRef types.ImageReference, options PullOptions, sc *types.SystemContext) (types.ImageReference, error) {
|
||||||
spec := imageName
|
|
||||||
srcRef, err := alltransports.ParseImageName(spec)
|
|
||||||
if err != nil {
|
|
||||||
logrus.Debugf("error parsing image name %q, trying with transport %q: %v", spec, transport, err)
|
|
||||||
if transport == "" {
|
|
||||||
transport = util.DefaultTransport
|
|
||||||
} else {
|
|
||||||
if transport != util.DefaultTransport {
|
|
||||||
transport = transport + ":"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
spec = transport + spec
|
|
||||||
srcRef2, err2 := alltransports.ParseImageName(spec)
|
|
||||||
if err2 != nil {
|
|
||||||
return nil, errors.Wrapf(err2, "error parsing image name %q", spec)
|
|
||||||
}
|
|
||||||
srcRef = srcRef2
|
|
||||||
}
|
|
||||||
logrus.Debugf("parsed image name %q", spec)
|
|
||||||
|
|
||||||
blocked, err := isReferenceBlocked(srcRef, sc)
|
blocked, err := isReferenceBlocked(srcRef, sc)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrapf(err, "error checking if pulling from registry for %q is blocked", transports.ImageName(srcRef))
|
return nil, errors.Wrapf(err, "error checking if pulling from registry for %q is blocked", transports.ImageName(srcRef))
|
||||||
|
@ -237,7 +224,7 @@ func pullImage(ctx context.Context, store storage.Store, transport string, image
|
||||||
return nil, errors.Errorf("pull access to registry for %q is blocked by configuration", transports.ImageName(srcRef))
|
return nil, errors.Errorf("pull access to registry for %q is blocked by configuration", transports.ImageName(srcRef))
|
||||||
}
|
}
|
||||||
|
|
||||||
destName, err := localImageNameForReference(ctx, store, srcRef, spec)
|
destName, err := localImageNameForReference(ctx, store, srcRef)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrapf(err, "error computing local image name for %q", transports.ImageName(srcRef))
|
return nil, errors.Wrapf(err, "error computing local image name for %q", transports.ImageName(srcRef))
|
||||||
}
|
}
|
||||||
|
@ -274,9 +261,9 @@ func pullImage(ctx context.Context, store storage.Store, transport string, image
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
||||||
logrus.Debugf("copying %q to %q", spec, destName)
|
logrus.Debugf("copying %q to %q", transports.ImageName(srcRef), destName)
|
||||||
if _, err := cp.Image(ctx, policyContext, maybeCachedDestRef, srcRef, getCopyOptions(options.ReportWriter, srcRef, sc, maybeCachedDestRef, nil, "")); err != nil {
|
if _, err := cp.Image(ctx, policyContext, maybeCachedDestRef, srcRef, getCopyOptions(options.ReportWriter, srcRef, sc, maybeCachedDestRef, nil, "")); err != nil {
|
||||||
logrus.Debugf("error copying src image [%q] to dest image [%q] err: %v", spec, destName, err)
|
logrus.Debugf("error copying src image [%q] to dest image [%q] err: %v", transports.ImageName(srcRef), destName, err)
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
return destRef, nil
|
return destRef, nil
|
||||||
|
|
18
vendor/github.com/containers/buildah/util/util.go
generated
vendored
18
vendor/github.com/containers/buildah/util/util.go
generated
vendored
|
@ -20,7 +20,7 @@ import (
|
||||||
"github.com/containers/storage"
|
"github.com/containers/storage"
|
||||||
"github.com/containers/storage/pkg/idtools"
|
"github.com/containers/storage/pkg/idtools"
|
||||||
"github.com/docker/distribution/registry/api/errcode"
|
"github.com/docker/distribution/registry/api/errcode"
|
||||||
"github.com/opencontainers/runtime-spec/specs-go"
|
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/sirupsen/logrus"
|
"github.com/sirupsen/logrus"
|
||||||
)
|
)
|
||||||
|
@ -47,6 +47,12 @@ var (
|
||||||
// correspond to in the set of configured registries, the transport used to
|
// correspond to in the set of configured registries, the transport used to
|
||||||
// pull the image, and a boolean which is true iff
|
// pull the image, and a boolean which is true iff
|
||||||
// 1) the list of search registries was used, and 2) it was empty.
|
// 1) the list of search registries was used, and 2) it was empty.
|
||||||
|
//
|
||||||
|
// The returned image names never include a transport: prefix, and if transport != "",
|
||||||
|
// (transport, image) should be a valid input to alltransports.ParseImageName.
|
||||||
|
// transport == "" indicates that image that already exists in a local storage,
|
||||||
|
// and the name is valid for store.Image() / storage.Transport.ParseStoreReference().
|
||||||
|
//
|
||||||
// NOTE: The "list of search registries is empty" check does not count blocked registries,
|
// NOTE: The "list of search registries is empty" check does not count blocked registries,
|
||||||
// and neither the implied "localhost" nor a possible firstRegistry are counted
|
// and neither the implied "localhost" nor a possible firstRegistry are counted
|
||||||
func ResolveName(name string, firstRegistry string, sc *types.SystemContext, store storage.Store) ([]string, string, bool, error) {
|
func ResolveName(name string, firstRegistry string, sc *types.SystemContext, store storage.Store) ([]string, string, bool, error) {
|
||||||
|
@ -162,15 +168,7 @@ func ExpandNames(names []string, firstRegistry string, systemContext *types.Syst
|
||||||
name = named
|
name = named
|
||||||
}
|
}
|
||||||
name = reference.TagNameOnly(name)
|
name = reference.TagNameOnly(name)
|
||||||
tag := ""
|
expanded = append(expanded, name.String())
|
||||||
digest := ""
|
|
||||||
if tagged, ok := name.(reference.NamedTagged); ok {
|
|
||||||
tag = ":" + tagged.Tag()
|
|
||||||
}
|
|
||||||
if digested, ok := name.(reference.Digested); ok {
|
|
||||||
digest = "@" + digested.Digest().String()
|
|
||||||
}
|
|
||||||
expanded = append(expanded, name.Name()+tag+digest)
|
|
||||||
}
|
}
|
||||||
return expanded, nil
|
return expanded, nil
|
||||||
}
|
}
|
||||||
|
|
2
vendor/github.com/containers/buildah/vendor.conf
generated
vendored
2
vendor/github.com/containers/buildah/vendor.conf
generated
vendored
|
@ -9,7 +9,7 @@ github.com/mattn/go-isatty v0.0.4
|
||||||
github.com/VividCortex/ewma v1.1.1
|
github.com/VividCortex/ewma v1.1.1
|
||||||
github.com/boltdb/bolt v1.3.1
|
github.com/boltdb/bolt v1.3.1
|
||||||
github.com/containers/libpod v1.0
|
github.com/containers/libpod v1.0
|
||||||
github.com/containers/storage v1.10
|
github.com/containers/storage v1.11
|
||||||
github.com/docker/distribution 5f6282db7d65e6d72ad7c2cc66310724a57be716
|
github.com/docker/distribution 5f6282db7d65e6d72ad7c2cc66310724a57be716
|
||||||
github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00
|
github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00
|
||||||
github.com/docker/docker-credential-helpers v0.6.1
|
github.com/docker/docker-credential-helpers v0.6.1
|
||||||
|
|
Loading…
Reference in a new issue