build: handle --iidfile-raw and --metadata-file flags

* docs: man page additions * test/e2e: add tests for `--iidfile-raw` and `--metadata-file` * test/buildah-bud: update buildah-bud test patch for buildah v1.42.1 Signed-off-by: Danish Prakash <contact@danishpraka.sh>
2026-02-05 15:45:08 +01:00 · 2026-01-30 13:59:18 +05:30
parent 3b3cb1f958
commit 827ba37b3e
12 changed files with 94 additions and 14 deletions
--- a/cmd/podman/common/build.go
+++ b/cmd/podman/common/build.go
@@ -54,7 +54,7 @@ type BuildFlagsWrapper struct {
 // supported or don't make sense in the farm build use case
 var FarmBuildHiddenFlags = []string{
 	"arch", "all-platforms", "compress", "cw", "disable-content-trust",
-	"logsplit", "manifest", "os", "output", "platform", "sign-by", "signature-policy", "stdin",
+	"logsplit", "manifest", "metadata-file", "os", "output", "platform", "sign-by", "signature-policy", "stdin",
 	"variant",
 }
@@ -149,6 +149,9 @@ func ParseBuildOpts(cmd *cobra.Command, args []string, buildOpts *BuildFlagsWrap
 	if cmd.Flag("output").Changed && registry.IsRemote() {
 		return nil, errors.New("'--output' option is not supported in remote mode")
 	}
 	if cmd.Flag("metadata-file").Changed && registry.IsRemote() {
 		return nil, errors.New("'--metadata-file' option is not supported in remote mode")
 	}
 	if buildOpts.Network == "none" {
 		if cmd.Flag("dns").Changed {
@@ -612,6 +615,7 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *Buil
 		UnsetEnvs:               flags.UnsetEnvs,
 		UnsetLabels:             flags.UnsetLabels,
 		UnsetAnnotations:        flags.UnsetAnnotations,
 		MetadataFile:            flags.MetadataFile,
 	}
 	if c.Flag("created-annotation").Changed {
--- a/cmd/podman/farm/build.go
+++ b/cmd/podman/farm/build.go
@@ -109,6 +109,11 @@ func build(cmd *cobra.Command, args []string) error {
 		return err
 	}
 	opts.IIDFile = iidFile
 	iidFileRaw, err := cmd.Flags().GetString("iidfile-raw")
 	if err != nil {
 		return err
 	}
 	opts.IIDFileRaw = iidFileRaw
 	// only set tls-verify if it has been changed by the user
 	// if it hasn't we will read the registries.conf on the farm
 	// nodes for further configuration
--- a/cmd/podman/images/build.go
+++ b/cmd/podman/images/build.go
@@ -118,11 +118,12 @@ func build(cmd *cobra.Command, args []string) error {
 	}
 	if cmd.Flag("iidfile").Changed {
-		f, err := os.Create(buildOpts.Iidfile)
+		if err := os.WriteFile(buildOpts.Iidfile, []byte("sha256:"+report.ID), 0o644); err != nil {
 		if err != nil {
 			return err
 		}
-		if _, err := f.WriteString("sha256:" + report.ID); err != nil {
+	}
 	if cmd.Flag("iidfile-raw").Changed {
 		if err := os.WriteFile(buildOpts.IidfileRaw, []byte(report.ID), 0o644); err != nil {
 			return err
 		}
 	}
--- a/docs/source/markdown/options/iidfile-raw.md
+++ b/docs/source/markdown/options/iidfile-raw.md
@@ -0,0 +1,7 @@
 ####> This option file is used in:
 ####>   podman build, farm build
 ####> If file is edited, make sure the changes
 ####> are applicable to all of those.
 #### **--iidfile-raw**=*ImageIDfile*
 Write the built image's ID to the file without the algorithm prefix (e.g., `sha256:`). When `--platform` is specified more than once, attempting to use this option triggers an error.
--- a/docs/source/markdown/options/metadata-file.md
+++ b/docs/source/markdown/options/metadata-file.md
@@ -0,0 +1,9 @@
 ####> This option file is used in:
 ####>   podman build
 ####> If file is edited, make sure the changes
 ####> are applicable to all of those.
 #### **--metadata-file**=*MetadataFile*
 Write information about the built image to the named file. When `--platform` is specified more than once, attempting to use this option triggers an error.
 Note: This option is not supported in remote mode.
--- a/docs/source/markdown/podman-build.1.md.in
+++ b/docs/source/markdown/podman-build.1.md.in
@@ -223,6 +223,8 @@ It does not affect _/etc/resolv.conf_ in the final image.
@@option iidfile
@@option iidfile-raw
@@option inherit-annotations
@@option inherit-labels
@@ -255,6 +257,8 @@ This option is not supported on the remote client, including Mac and Windows
@@option memory-swap
@@option metadata-file
@@option network.image
@@option no-cache
--- a/docs/source/markdown/podman-farm-build.1.md.in
+++ b/docs/source/markdown/podman-farm-build.1.md.in
@@ -125,6 +125,8 @@ This option specifies the name of the farm to be used in the build process.
@@option iidfile
@@option iidfile-raw
@@option inherit-annotations
@@option inherit-labels
--- a/pkg/farm/farm.go
+++ b/pkg/farm/farm.go
@@ -268,6 +268,7 @@ func (f *Farm) Build(ctx context.Context, schedule Schedule, options entities.Bu
 	listBuilderOptions := listBuilderOptions{
 		cleanup:       options.Cleanup,
 		iidFile:       options.IIDFile,
 		iidFileRaw:    options.IIDFileRaw,
 		authfile:      options.Authfile,
 		skipTLSVerify: options.SkipTLSVerify,
 	}
--- a/pkg/farm/list_builder.go
+++ b/pkg/farm/list_builder.go
@@ -16,6 +16,7 @@ import (
 type listBuilderOptions struct {
 	cleanup       bool
 	iidFile       string
 	iidFileRaw    string
 	authfile      string
 	skipTLSVerify *bool
 }
@@ -130,6 +131,11 @@ func (l *listLocal) build(ctx context.Context, images map[entities.BuildReport]e
 			return "", err
 		}
 	}
 	if l.options.iidFileRaw != "" {
 		if err := os.WriteFile(l.options.iidFileRaw, []byte(listID), 0o644); err != nil {
 			return "", err
 		}
 	}
 	return l.listName, nil
 }
--- a/test/buildah-bud/apply-podman-deltas
+++ b/test/buildah-bud/apply-podman-deltas
@@ -279,6 +279,9 @@ skip_if_remote "compat API does not support oci-archive tags" \
 skip_if_remote "http_proxy env is not sent via remote API" \
               "build proxy - ADD URL"
 skip_if_remote "--metadata-file not supported in remote mode" \
               "bud cache by format"
 ###############################################################################
 # BEGIN tests which are skipped due to actual podman or podman-remote bugs.
@@ -329,6 +332,12 @@ skip "FIXME: 2024-05-28 new VMs from #338" \
 # 2025-04-01 FIXME wrong exit code from git related failures from #25756
 skip_if_remote "FIXME: 2025-04-01 git related errors returning wrong exit code" \
               "bud with ADD with git repository source"
 #
 # 2026-02-02 buildah's overlay-over-context-directory fails with process substitution
 # FIXME: Don't use process substitution for Containerfile in buildah tests
 skip "process substitution with overlay context not supported" \
     "build-with-timestamp-applies-to-oci-archive" \
     "build-with-timestamp-applies-to-oci-archive-with-base"
 # END   temporary workarounds that must be reevaluated periodically
 ###############################################################################
--- a/test/buildah-bud/buildah-tests.diff
+++ b/test/buildah-bud/buildah-tests.diff
@@ -1,16 +1,17 @@
-From 4c30f5e698bc1d4ca498347435174a6be7232876 Mon Sep 17 00:00:00 2001
+From 1ca19690f26005148482b1fbeff0aa52a67ee898 Mon Sep 17 00:00:00 2001
 From: Ed Santiago <santiago@redhat.com>
 Date: Thu, 6 Oct 2022 17:32:59 -0600
 Subject: [PATCH] tweaks for running buildah tests under podman
 Signed-off-by: Ed Santiago <santiago@redhat.com>
 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
 Signed-off-by: Danish Prakash <contact@danishpraka.sh>
 ---
 tests/helpers.bash | 166 +++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 162 insertions(+), 4 deletions(-)
 diff --git a/tests/helpers.bash b/tests/helpers.bash
-index 5acd0a3c3..7a0721305 100644
+index d08221a52759..5e9c818092cb 100644
 --- a/tests/helpers.bash
 +++ b/tests/helpers.bash
@@ -85,6 +85,42 @@ EOF
@@ -55,8 +56,8 @@ index 5acd0a3c3..7a0721305 100644
 +    fi
 }
- function starthttpd() { # directory [working-directory-or-"" [certfile, keyfile]]
+ function starthttpd() { # directoryspecs [working-directory-or-"" [certfile, keyfile]]
-@@ -149,6 +185,22 @@ function teardown_tests() {
+@@ -154,6 +190,22 @@ function teardown_tests() {
     stop_git_daemon
     stop_registry
@@ -79,7 +80,7 @@ index 5acd0a3c3..7a0721305 100644
     # Workaround for #1991 - buildah + overlayfs leaks mount points.
     # Many tests leave behind /var/tmp/.../root/overlay and sub-mounts;
     # let's find those and clean them up, otherwise 'rm -rf' fails.
-@@ -270,7 +322,12 @@ function copy() {
+@@ -275,7 +327,12 @@ function copy() {
 }
 function podman() {
@@ -93,7 +94,7 @@ index 5acd0a3c3..7a0721305 100644
 }
 # There are various scenarios where we would like to execute `tests` as rootless user, however certain commands like `buildah mount`
-@@ -377,8 +434,86 @@ function run_buildah() {
+@@ -382,8 +439,86 @@ function run_buildah() {
         --retry)         retry=3;        shift;;  # retry network flakes
     esac
@@ -181,7 +182,7 @@ index 5acd0a3c3..7a0721305 100644
     # If session is rootless and `buildah mount` is invoked, perform unshare,
     # since normal user cannot mount a filesystem unless they're in a user namespace along with its own mount namespace.
-@@ -392,8 +527,8 @@ function run_buildah() {
+@@ -397,8 +532,8 @@ function run_buildah() {
         retry=$(( retry - 1 ))
         # stdout is only emitted upon error; this echo is to help a debugger
@@ -192,7 +193,7 @@ index 5acd0a3c3..7a0721305 100644
         # without "quotes", multiple lines are glommed together into one
         if [ -n "$output" ]; then
             echo "$output"
-@@ -420,6 +555,9 @@ function run_buildah() {
+@@ -425,6 +560,9 @@ function run_buildah() {
             false
         fi
@@ -202,7 +203,7 @@ index 5acd0a3c3..7a0721305 100644
         if [ -n "$expected_rc" ]; then
             if [ "$status" -eq "$expected_rc" ]; then
                 return
-@@ -757,6 +895,26 @@ function skip_if_no_unshare() {
+@@ -753,6 +891,26 @@ function skip_if_no_unshare() {
   fi
 }
@@ -230,5 +231,5 @@ index 5acd0a3c3..7a0721305 100644
 #  start_git_daemon  #
 ######################
 -- 
-2.51.0
+2.51.1
--- a/test/e2e/build_test.go
+++ b/test/e2e/build_test.go
@@ -310,6 +310,21 @@ var _ = Describe("Podman build", func() {
 		Expect("sha256:" + data[0].ID).To(Equal(string(id)))
 	})
 	It("podman build basic alpine and print id to external file without prefix (--iidfile-raw)", func() {
 		targetFile := filepath.Join(podmanTest.TempDir, "idFileRaw")
 		session := podmanTest.Podman([]string{"build", "--pull-never", "build/basicalpine", "--iidfile-raw", targetFile})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(ExitCleanly())
 		id, _ := os.ReadFile(targetFile)
 		// Verify that id is correct (no sha256: prefix)
 		inspect := podmanTest.Podman([]string{"inspect", string(id)})
 		inspect.WaitWithDefaultTimeout()
 		data := inspect.InspectImageJSON()
 		Expect(data[0].ID).To(Equal(string(id)))
 	})
 	It("podman Test PATH and reserved annotation in built image", func() {
 		path := "/tmp:/bin:/usr/bin:/usr/sbin"
 		session := podmanTest.Podman([]string{
@@ -1385,4 +1400,20 @@ COPY --from=img2 /etc/alpine-release /prefix-test/container-prefix.txt`
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(ExitCleanly())
 	})
 	It("podman build basic alpine and write metadata to external file", func() {
 		SkipIfRemote("--metadata-file is not supported in remote mode")
 		targetFile := filepath.Join(podmanTest.TempDir, "metadata.json")
 		session := podmanTest.Podman([]string{"build", "--pull-never", "build/basicalpine", "--metadata-file", targetFile})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(ExitCleanly())
 		// Verify that metadata file exists and contains expected keys
 		metadata, err := os.ReadFile(targetFile)
 		Expect(err).ToNot(HaveOccurred())
 		Expect(metadata).To(ContainSubstring("containerimage.config.digest"))
 		Expect(metadata).To(ContainSubstring("containerimage.digest"))
 		Expect(metadata).To(ContainSubstring("containerimage.descriptor"))
 	})
 })