Addresses CVE-2024-1753, which allowed a user to write files to the
`/` directory of the host machine if SELinux was not enabled.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
We have this same parsing code in 3, maybe 4, places in our sources.
Someone needs to go through it all and get this to be parsed in fewer
places.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add a --sbom flag to `buildah build` and `buildah commit` which will
scan the rootfs and specified context directories to build SPDX or
CycloneDX SBOMs and lists of package URLs.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When we have extra files to add to the image, handle them by adding them
to the upper overlay layer before creating the plaintext filesystem
image.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When using the working container's rootfs to populate a plaintext disk
image with mkfs, instead of writing .krun_config.json to the rootfs and
then removing it afterward (since we don't want it to show up if the
same working container is later committed to a non-confidential-workload
image), mount an overlay filesystem using a temporary directory as the
upper and the rootfs as the lower, create the .krun_config.json file in
the overlay filesystem, and use the overlay filesystem as the source
directory for mkfs.
Add the necessary stubs to allow pkg/overlay to at least compile on
non-Linux systems. Change the naming scheme for a test so that the path
names it uses for temporary directories don't include "," or "=", which
can confuse the kernel.
Creating confidential workload images will now only be possible on Linux
systems, but we exec'd out to sevctl to read platform certificates, and
that requires kernel support with vendor firmware, so I don't know that
anyone will actually be impacted by the change.
Teach pkg/overlay.MountWithOptions() to accept `nil` as a pointer to a
struct parameter that is otherwise optional.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This is a common mistake by users and is ignored in some places
but not everywhere. This change will help this to be ignored everywhere.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Include the arch in the name of the static entrypoint binary, in case we
find ourselves needing to support other architectures in the same area
in the future.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add an OverrideChanges and an OverrideConfig field to CommitOptions,
both of which can be used to make last-minute edits to the configuration
of an image that we're committing.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
The following PR is an attempt to add `Heredoc` support to buildah.
Once this PR is merged, buildah is supposed to honor heredoc syntax while
processing Containerfiles.
Expected syntax to work:
```Dockerfile
FROM docker.io/library/python:latest
RUN <<EOF
echo "Hello" >> /hello
echo "World!" >> /hello
EOF
RUN python3 <<EOF
with open("/hello", "w") as f:
    print("Hello", file=f)
    print("Something", file=f)
EOF
RUN ls -a
RUN cat hello
```
Signed-off-by: Aditya R <arajan@redhat.com>
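The heredoc handling described above, as an added example that is not buildah's own code: a small Go parser that attaches each `<<WORD` body to the instruction that opened it. It assumes the terminator stands alone on its own line and does not model shell quoting or `\` line continuations; the `Instruction` type and `ParseHeredocs` name are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Instruction is one Containerfile instruction plus any heredoc bodies that
// followed it. Illustrative type for this example, not buildah's own parser.
type Instruction struct {
	Line     string            // the instruction line as written, e.g. `RUN <<EOF`
	Heredocs map[string]string // terminator word -> body, lines joined with "\n"
}

// heredocRe matches a <<WORD, <<-WORD, <<"WORD" or <<'WORD' redirection.
var heredocRe = regexp.MustCompile(`<<(-?)["']?([A-Za-z0-9_]+)["']?`)

// ParseHeredocs walks Containerfile lines and attaches heredoc bodies to the
// instruction that opened them. Each <<WORD on a line opens one body; bodies
// are consumed in order and each ends at a line that is exactly its
// terminator. The <<- form strips leading tabs from body lines.
func ParseHeredocs(lines []string) ([]Instruction, error) {
	var out []Instruction
	for i := 0; i < len(lines); i++ {
		trimmed := strings.TrimSpace(lines[i])
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue // blank lines and comments are not instructions
		}
		ins := Instruction{Line: lines[i], Heredocs: map[string]string{}}
		for _, m := range heredocRe.FindAllStringSubmatch(ins.Line, -1) {
			stripTabs, term := m[1] == "-", m[2]
			var body []string
			for i++; i < len(lines) && lines[i] != term; i++ {
				if stripTabs {
					body = append(body, strings.TrimLeft(lines[i], "\t"))
				} else {
					body = append(body, lines[i])
				}
			}
			if i >= len(lines) {
				return nil, fmt.Errorf("heredoc %q opened by %q was never terminated", term, ins.Line)
			}
			ins.Heredocs[term] = strings.Join(body, "\n")
		}
		out = append(out, ins)
	}
	return out, nil
}
```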
All `[]string`s in containers.conf have now been migrated to attributed
string slices which require some adjustments in Buildah and Podman.
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This change is the first step of integrating appendable string arrays
into containers.conf and starts with enabling the `Env`, `Mounts`, and
`Volumes` fields in the `[Containers]` table.
Both Buildah and Podman read (and sometimes write) the fields of the
`Config` struct at various places, so I decided to migrate the fields
step-by-step. The ones in this change are the most critical ones for
customers. Once all string slices/arrays are migrated, the docs of
containers.conf will be updated. The current changes are entirely
transparent to users.
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Projects which are using buildah as a library and set `TMPDIR` manually
can stumble upon a use-case where `TMPDIR` was set to a relative path,
such as `export TMPDIR=.`. In such a case buildah will try to create a
temporary root using `MkdirTemp`, leading to a point where the bundle is not
generated correctly since the path was relative.
The following use case can be resolved by making sure that buildah always
converts relative paths to absolute paths, and `GetTempDir` does it well.
Example reproducer with podman:
```Dockerfile
FROM alpine
RUN echo hello
```
```console
export TMPDIR=.
podman build --no-cache -t test .
```
Expected failure:
```console
STEP 1/2: FROM alpine
STEP 2/2: RUN echo hello
error running container: checking permissions on "buildah2341274198": stat buildah2341274198: no such file or directory
ERRO[0000] did not get container create message from subprocess: EOF
Error: building at STEP "RUN echo hello": while running runtime: exit status 1
```
Closes: RHEL-2598
Signed-off-by: Aditya R <arajan@redhat.com>
Add siena and turin to the list of generations in a comment.
Drop a double-whitespace in the middle of a comment sentence.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a --cw option to `buildah build` and `buildah commit`, which takes a
comma-separated list of arguments and produces an image laid out for use
as a confidential workload:
type: sev or snp
attestation_url: location of a key broker server
cpus: expected number of virtual CPUs to run with
memory: expected megabytes of memory to run with
workload_id: a distinguishing identifier for the key broker server
ignore_attestation_errors: ignore errors registering the workload
passphrase: for encrypting the disk image
slop: extra space to allocate for the disk image
At least one of attestation_url and passphrase must be specified in
order for the encrypted disk image to be decryptable at run-time. Other
arguments can be omitted. ignore_attestation_errors is intentionally
undocumented, as it's mainly used to permit some amount of testing on
systems which don't have the required hardware.
Add an `mkcw` top-level command, for converting directly from an image
to a confidential workload.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
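Parsing and validating the `--cw` argument list described above, as an added example (not buildah's own implementation): the key names and the rule that at least one of attestation_url or passphrase must be present come from the commit message; the `CWOptions` type, its field names and the error messages are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// CWOptions holds the keys --cw accepts. Illustrative type, not buildah's own.
type CWOptions struct {
	Type, AttestationURL, WorkloadID, Passphrase, Slop string
	CPUs, MemoryMB                                     int
	IgnoreAttestationErrors                            bool
}

// ParseCWOptions parses the comma-separated key=value list given to --cw and
// enforces the documented rules: type, if given, is sev or snp, and at least
// one of attestation_url or passphrase must be present, otherwise the
// encrypted disk image could never be decrypted at run time.
func ParseCWOptions(spec string) (CWOptions, error) {
	var o CWOptions
	strFields := map[string]*string{"type": &o.Type, "attestation_url": &o.AttestationURL,
		"workload_id": &o.WorkloadID, "passphrase": &o.Passphrase, "slop": &o.Slop}
	intFields := map[string]*int{"cpus": &o.CPUs, "memory": &o.MemoryMB}
	for _, field := range strings.Split(spec, ",") {
		kv := strings.SplitN(strings.TrimSpace(field), "=", 2)
		if len(kv) != 2 {
			return CWOptions{}, fmt.Errorf("--cw: %q is not key=value", field)
		}
		var err error
		switch key, value := kv[0], kv[1]; {
		case strFields[key] != nil:
			*strFields[key] = value
		case intFields[key] != nil:
			*intFields[key], err = strconv.Atoi(value)
		case key == "ignore_attestation_errors":
			o.IgnoreAttestationErrors, err = strconv.ParseBool(value)
		default:
			return CWOptions{}, fmt.Errorf("--cw: unknown key %q", key)
		}
		if err != nil {
			return CWOptions{}, fmt.Errorf("--cw: bad value for %s: %w", kv[0], err)
		}
	}
	if o.Type != "" && o.Type != "sev" && o.Type != "snp" {
		return CWOptions{}, fmt.Errorf("--cw: type must be sev or snp, got %q", o.Type)
	}
	if o.AttestationURL == "" && o.Passphrase == "" {
		return CWOptions{}, fmt.Errorf("--cw: at least one of attestation_url or passphrase is required")
	}
	return o, nil
}
```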
When we read TMPDIR and SSH_AUTH_SOCK from the environment, convert them
to absolute paths before using them. Call auth.GetDefaultAuthFile()
instead of reading REGISTRY_AUTH_FILE.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Don't create an ImageDestination only to call .Reference() on it. copy.Image
manages its own ImageSource/ImageDestination instances.
- On the pull path, this causes two ImageDestination objects to exist concurrently
for the same directory. That's not really expected to work (because the implementation
caches a modified top-level index in memory); luckily it currently doesn't matter
because we don't make any writes through the manually-managed object, but it's
a risk for future changes.
- On the push path, this creates a local object when the thing to push just doesn't exist.
Note that the code calls the input "sourcePath" but it can contain a tag, and that
seems to be intentional.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We want to share these functions with Podman. Podman currently
has a slightly different version which is correct, so use the correct
version in Buildah and vendor it into Podman.
Fixing: https://github.com/containers/podman/issues/18196
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
A non-nil but empty decryption configuration
seems to be valid enough to trigger decryption in some
configurations, per
https://github.com/containers/podman/issues/18196 .
Like in Skopeo and Podman, only decrypt when the user explicitly
instructs us to (e.g. not triggering decryption based on environment
variables).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
In golang 1.19, `io/ioutil` is fully deprecated, preventing Buildah from
compiling. Replace all calls with equivalent calls from the `os`
package.
Signed-off-by: Chris Evich <cevich@redhat.com>
`mount=type=cache` creates a common cache directory on the host in a temporary
directory; split this cache directory for each user invocation in order
to prevent overlapping of cache content when `buildah` is invoked by
different users on the same host.
Signed-off-by: Aditya R <arajan@redhat.com>
This allows declaring run mounts using e.g. '-mount=type=nullfs,...' on
FreeBSD which makes more sense for FreeBSD users. It is also consistent
with 'podman run' which requires the nullfs mount type on FreeBSD.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
... and use a more traditional error handling model,
where responsibility for the cleanup passes to the caller
_only_ if the called function succeeds.
To reinforce that, hard-code nil returns on error paths
instead of returning the locks.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
It can return at most one lock, so don't return an array.
Should not change behavior right now, but it will simplify
cleanup.
[NO NEW TESTS NEEDED]
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
They exist in memory anyway, so this is more efficient:
we avoid the need to manually touch the filesystem again,
the associated costs - and the error paths go away.
[NO NEW TESTS NEEDED]
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
`--mount=type=cache` must not add internal lockfiles to the cache directory
created by users; instead, store them in a different central directory with
the path `/base/buildah-cache/buildah-lockfiles`.
There are use-cases where users can wipe the cache between builds, so
lockfiles will be removed in an unexpected manner, and also it's not okay to
mix buildah's internal constructs with the user's cache content.
Helps in: https://github.com/containers/buildah/issues/4342
Signed-off-by: Aditya R <arajan@redhat.com>