Implements support for the BuildKit source policy feature, bringing
feature parity with `buildctl build --source-policy-file`. The JSON schema
is compatible with BuildKit's source policy format.
Features:
- New `--source-policy-file` flag for `buildah build`
- ALLOW, DENY, and CONVERT actions for controlling source references
- EXACT and WILDCARD match types for flexible policy rules
- Automatic image reference normalization to docker-image:// format
This allows organizations to:
- Pin base image tags to specific digests at build time
- Deny specific sources from being used to enforce security policies
- Transform source references without modifying Containerfiles
Changes:
- pkg/sourcepolicy/: New package for policy parsing, validation, matching
- define/build.go: Added SourcePolicyFile field to BuildOptions
- pkg/cli/common.go: Added --source-policy-file flag definition
- imagebuildah/executor.go: Policy loading in newExecutor()
- imagebuildah/stage_executor.go: Policy evaluation in prepare()
- docs/buildah-build.1.md: Man page documentation with examples
- tests/source-policy.bats: Integration tests
- pkg/sourcepolicy/policy_test.go: Unit tests
Signed-off-by: Konstantin Vyatkin <tino@vtkn.io>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
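An added illustration of the ALLOW/DENY/CONVERT actions and EXACT/WILDCARD match types described in this commit, written for this page rather than taken from buildah or BuildKit. The JSON key names, the re-walk of the rules after a CONVERT, and the default-allow when nothing matches are assumptions of this example, and the digest is a placeholder.

```python
import fnmatch

# Constructed sample policy, not taken from buildah or BuildKit. Key names
# (rules/action/selector/identifier/match_type/updates) are assumed to follow
# BuildKit's JSON source-policy layout; the digest is an obvious placeholder.
SAMPLE_POLICY = {"rules": [
    {"action": "CONVERT",
     "selector": {"identifier": "docker-image://docker.io/library/alpine:latest"},
     "updates": {"identifier": "docker-image://docker.io/library/alpine:latest"
                               "@sha256:PLACEHOLDER_DIGEST"}},
    {"action": "DENY",
     "selector": {"identifier": "docker-image://docker.io/*/untrusted:*",
                  "match_type": "WILDCARD"}},
    {"action": "ALLOW", "selector": {"identifier": "*", "match_type": "WILDCARD"}},
]}
MAX_PASSES = 10  # bound on CONVERT rewrites, so cyclic rules cannot spin forever

def normalize(ref: str) -> str:
    """Add the docker-image:// scheme to a bare (assumed fully-qualified) image name."""
    return ref if "://" in ref else "docker-image://" + ref

def matches(selector: dict, ref: str) -> bool:
    """EXACT (the default) compares the whole string; WILDCARD uses shell-style globs."""
    if selector.get("match_type", "EXACT") == "WILDCARD":
        return fnmatch.fnmatchcase(ref, selector["identifier"])
    return ref == selector["identifier"]

def evaluate(policy: dict, ref: str) -> tuple[bool, str]:
    """Return (allowed, resolved_ref). The first matching rule wins; a CONVERT
    rewrites the reference and the rules are walked again against the new value,
    so a pinned digest is still subject to any later DENY or ALLOW rule."""
    ref = normalize(ref)
    for _ in range(MAX_PASSES):
        for rule in policy["rules"]:
            if not matches(rule["selector"], ref):
                continue
            action = rule["action"]
            if action == "ALLOW":
                return True, ref
            if action == "DENY":
                return False, ref
            if action == "CONVERT":
                ref = normalize(rule["updates"]["identifier"])
                break  # start over with the converted reference
            raise ValueError(f"unknown action {action!r}")
        else:
            return True, ref  # no rule matched: allowed (the default assumed here)
    raise RuntimeError("CONVERT rules rewrite the reference in a cycle")
```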
Try to limit which image transports we accept in stages, and scope the
ones that use path names to the context directory. At some point
anything that isn't an image ID or pullable spec should start being
rejected.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Mount a read-write overlay directory over the build context directory to
restore the ability to use it as a covert cache of sorts during the
lifetime of each platform's build, but in a way that still ensures that
we don't modify the real build context directory.
N.B.: builds where FROM in one stage referenced a relative path which
had been written to a bind-mounted default build context directory by an
earlier stage broke when we started making those bind mounts into
overlays to prevent/discard modifications to that directory, and while
this extends the lifetime of that overlay so that it's consistent
throughout the build, those relative path names are still going to point
to the wrong location.
Since we need to determine SELinux labeling before mounting the overlay,
go ahead and calculate the labels to use before creating the first
builder, and remove the logic that had whichever stage thought it was
the first one set them in its parent object for use by other stages, in
what was probably a racy way.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a MetadataFile field to BuildOptions, to which we write a dictionary
of information about a just-committed image.
Pay more attention to sourceDateEpoch than to timestamp when we're
tagging an existing image with the intended destination name.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Rename the Executor and StageExecutor types to make them private to the
package. Exporting them wasn't required for them to supply an interface
that they implemented for use by github.com/openshift/imagebuilder, and
we're about to change the signature for StageExecutor.Execute().
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Previously, outputting to a tar would fail with a simple `FROM xxx`
image.
This now will complete the copy (including passing through any specified
timestamp) and stop before trying to tag a non-registry stored result.
Signed-off-by: Adam Eijdenberg <adam@continusec.com>
When committing, if we didn't get an image ID off the bat because the
image wasn't being committed to local storage, try to return the image's
configuration blob digest, which is what is traditionally used as the
image's ID.
This allows the --iidfile flag to write a value to a file in situations
where the image isn't being written to local storage. The image ID is
of limited value in these cases, since we can't use it to look up the
image anywhere else, but at least we don't write a file that just has
the digest name prefix or log an empty string.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use the CutPrefix(), SplitSeq(), and FieldsSeq() functions from the
strings package when chopping up or iterating over parts of strings, per
golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When checking the platforms of the base images, if we encounter a
reference which includes both a tag and a digest, work around it like
the pull logic does: try it without the tag.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When we look up a stage that's referred to in a COPY --from argument,
treat the string as a stage number not only if it parses as one, as we
checked before, but now also require that the number correspond to one
of the stages that would be completed before the one into which the
content will be copied.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When generating a checksum for files mounted into a container via
`--mount=type=bind`, ignore their `ModTime`, `AccessTime` and
`ChangeTime` so we can maintain cache-bust consistency with the `COPY`
command.
Closes: https://github.com/containers/buildah/issues/6291
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
Make the history created-by field note when a label was unset, or if
one of the CLI flags that modifies the timestamps in the layer was
used, so that the cache evaluation logic can factor that in.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When there are no instructions to process, we try to reuse the base
image. When we've been told, out of band, to remove labels or
environment variables, or affect annotations, we still need to, though,
so check for values of more of those flags.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When building images for a `manifest` list using `--platform`, the same
image is used for multiple platforms if the base is `scratch`; the
following PR adds a check to always verify the `platform` of the `cache`
against the `target`.
Closes: https://github.com/containers/podman/issues/18723
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
What type of PR is this?
/kind feature
What this PR does / why we need it:
It implements --link for COPY and ADD instructions and enables the creation of
cacheable layers that can be reused independently across builds.
Follows the BuildKit `--link` specification.
How to verify it
bats tests/bud.bats
Which issue(s) this PR fixes:
Fixes #4325
Does this PR introduce a user-facing change?
Yes, gives extra functionality to Containerfiles
Signed-off-by: Joshua Arrevillaga <2004jarrevillaga@gmail.com>
When SOURCE_DATE_EPOCH is passed in as a build-arg, treat it as we would
if it was passed in via the environment or its own CLI flag.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When building or committing an image in OCI format, default to setting
the org.opencontainers.image.created annotation to the value used in the
image's config blob for the image's creation date. The behavior can be
controlled using the new --created-annotation flag.
Add --annotation and --unsetannotation flags to `buildah commit` which
mimic the same flags for `buildah build`.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When RUN requires us to create the target for a mountpoint, make note of
it and any parent directories that needed to be created, and filter them
out when generating a layer diff or --output data.
The exceptions will be directories that the conformance tests confirm
that BuildKit also leaves behind, though for compatibility with the
classic builder, we have to make that conditional.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When using either --source-date-epoch or --timestamp, default to not
adding a label with our version number in it, since it can change
between builds.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When using either --source-date-epoch or --timestamp, make sure that
handling of RUN instructions uses a defined hostname if possible, and
commits using a reference to a static container name.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use $SOURCE_DATE_EPOCH as the default for the --source-date-epoch flag
to the "build" CLI.
When a source-date-epoch is set, we'll use it when writing new history
entries, force timestamps in data written for --output to the specified
timestamp, and populate a "SOURCE_DATE_EPOCH" ARG that we treat as
always being set, and which we don't complain about being left unused.
By default, this will not affect timestamps in newly-added layers.
Add a --rewrite-timestamp flag, which "clamps" timestamps in newly-added
layers to not be later than the --source-date-epoch value if the
--source-date-epoch flag is set, but has no effect otherwise.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a --source-date-epoch flag, defaulting to $SOURCE_DATE_EPOCH if set,
which sets the created-on date and the timestamp for the new history
entries, but does not default to modifying the timestamps on contents in
new layers.
Add a --rewrite-timestamp flag, which "clamps" timestamps in the new
layers to not be later than the --source-date-epoch value if both
the --rewrite-timestamp and --source-date-epoch flags were set.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Allow --output to be specified multiple times for `buildah build`.
That's of limited usefulness right now, but as exporters get added, it
won't be, and it's better to provide the new multiple-values API field
sooner rather than later.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
> imagebuildah/stage_executor.go:714:13: superfluous-else: if block ends with a break statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary) (revive)
>     } else {
>         // Treat the source's name as the name of an image.
>         mountPoint, err := s.getImageRootfs(s.ctx, from)
>         if err != nil {
>             return nil, fmt.Errorf("%s from=%s: no stage or image found with that name", flag, from)
>         }
>         stageMountPoints[from] = internal.StageMountDetails{
>             IsImage:    true,
>             DidExecute: true,
>             MountPoint: mountPoint,
>         }
>         break
>     }
>
(The alternative is to keep "else" and remove "break", but there are
other break statements above it, so for style consistency it's better to
keep using break.)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>