Hello community,
here is the log from the commit of package buildah for openSUSE:Factory checked in at 2019-03-01 16:49:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/buildah (Old)
and /work/SRC/openSUSE:Factory/.buildah.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "buildah"
Fri Mar 1 16:49:50 2019 rev:14 rq:680452 version:1.7.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/buildah/buildah.changes 2019-02-27 15:06:30.286440509 +0100
+++ /work/SRC/openSUSE:Factory/.buildah.new.28833/buildah.changes 2019-03-01 16:49:51.837743871 +0100
@@ -1,0 +2,8 @@
+Fri Mar 1 10:12:50 UTC 2019 - Richard Brown
+
+- Update to v1.7.1
+ * Minor fix to vendor in github.com/containers/image 1.5 version
+ * This fixes a crash on pulling of images
+- Stop building from specific commit
+
+-------------------------------------------------------------------
Old:
----
buildah-1.7.tar.xz
New:
----
buildah-1.7.1.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ buildah.spec ++++++
--- /var/tmp/diff_new_pack.y6PEzd/_old 2019-03-01 16:49:52.409743654 +0100
+++ /var/tmp/diff_new_pack.y6PEzd/_new 2019-03-01 16:49:52.409743654 +0100
@@ -16,14 +16,13 @@
#
-%define commit 87239ae7046ea3a25f644cd0789b3d6678dc144d
%define project github.com/containers/buildah
# Build with libostree-devel in Tumbleweed, Leap 15 and SLES 15
%if 0%{?suse_version} >= 1500
%define with_libostree 1
%endif
Name: buildah
-Version: 1.7
+Version: 1.7.1
Release: 0
Summary: Tool for building OCI containers
License: Apache-2.0
@@ -92,7 +91,7 @@
# Build buildah
go build -tags "$BUILDTAGS" \
-buildmode=pie \
- -ldflags '-s -w -X main.gitCommit=%{commit} -X main.buildInfo='$SOURCE_DATE_EPOCH' -X main.cniVersion='$CNIVersion'' \
+ -ldflags '-s -w -X main.buildInfo='$SOURCE_DATE_EPOCH' -X main.cniVersion='$CNIVersion'' \
-o bin/buildah \
%{project}/cmd/buildah
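Review bot: Dropping `-X main.gitCommit=%{commit}` from the `-ldflags` line leaves the packaged binary with no embedded source revision, so whatever reads `main.gitCommit` (presumably the version output) can no longer tie a shipped build to an exact upstream commit. The `_service` file in this same commit fetches by tag (`v1.7.1`), which upstream can move, whereas the removed `%define commit` recorded an immutable hash. If the pin is being retired on purpose, consider still recording the resolved hash for traceability, e.g. `%define commit <commit-hash-of-v1.7.1>` with the `-X main.gitCommit=%{commit}` flag kept. The enclosing build section starts and ends outside the hunk.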
++++++ _service ++++++
--- /var/tmp/diff_new_pack.y6PEzd/_old 2019-03-01 16:49:52.445743641 +0100
+++ /var/tmp/diff_new_pack.y6PEzd/_new 2019-03-01 16:49:52.445743641 +0100
@@ -4,8 +4,8 @@
<param name="url">https://github.com/containers/buildah.git</param>
<param name="scm">git</param>
<param name="filename">buildah</param>
-<param name="versionformat">1.7</param>
-<param name="revision">v1.7</param>
+<param name="versionformat">1.7.1</param>
+<param name="revision">v1.7.1</param>
</service>
<service name="recompress" mode="disabled">
++++++ buildah-1.7.tar.xz -> buildah-1.7.1.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/CHANGELOG.md new/buildah-1.7.1/CHANGELOG.md
--- old/buildah-1.7/CHANGELOG.md 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/CHANGELOG.md 2019-02-26 21:27:29.000000000 +0100
@@ -2,6 +2,328 @@
# Changelog
+## v1.7 (2019-02-21)
+ vendor containers/image v1.4
+ Make "images --all" faster
+ Remove a misleading comment
+ Remove quiet option from pull options
+ Make sure buildah pull --all-tags only works with docker transport
+ Support oci layout format
+ Fix pulling of images within buildah
+ Fix tls-verify polarity
+ Travis: execute make vendor and hack/tree_status.sh
+ vendor.conf: remove unused dependencies
+ add missing vendor/github.com/containers/libpod/vendor.conf
+ vendor.conf: remove github.com/inconshreveable/mousetrap
+ make vendor: always fetch the latest vndr
+ add hack/tree_status.sh script
+ Bump c/Storage to 1.10
+ Add --all-tags test to pull
+ mount: make error clearer
+ Remove global flags from cli help
+ Set --disable-compression to true as documented
+ Help document using buildah mount in rootless mode
+ healthcheck start-period: update documentation
+ Vendor in latest c/storage and c/image
+ dumpbolt: handle nested buckets
+ Fix buildah commit compress by default
+ Test on xenial, not trusty
+ unshare: reexec using a memfd copy instead of the binary
+ Add --target to bud command
+ Fix example for setting multiple environment variables
+ main: fix rootless mode
+ buildah: force umask 022
+ pull.bats: specify registry config when using registries
+ pull.bats: use the temporary directory, not /tmp
+ unshare: do not set rootless mode if euid=0
+ Touch up cli help examples and a few nits
+ Add an undocumented dumpbolt command
+ Move tar commands into containers/storage
+ Fix bud issue with 2 line Dockerfile
+ Add package install descriptions
+ Note configuration file requirements
+ Replace urfave/cli with cobra
+ cleanup vendor.conf
+ Vendor in latest containers/storage
+ Add Quiet to PullOptions and PushOptions
+ cmd/commit: add flag omit-timestamp to allow for deterministic builds
+ Add options for empty-layer history entries
+ Make CLI help descriptions and usage a bit more consistent
+ vndr opencontainers/selinux
+ Bump baseline test Fedora to 29
+ Bump to v1.7-dev-1
+ Bump to v1.6-1
+ Add support for ADD --chown
+ imagebuildah: make EnsureContainerPath() check/create the right one
+ Bump 1.7-dev
+ Fix contrib/rpm/bulidah.spec changelog date
+
+## v1.6-1 (2019-01-18)
+ Add support for ADD --chown
+ imagebuildah: make EnsureContainerPath() check/create the right one
+ Fix contrib/rpm/bulidah.spec changelog date
+ Vendor in latest containers/storage
+ Revendor everything
+ Revendor in latest code by release
+ unshare: do not set USER=root
+ run: ignore EIO when flushing at the end, avoid double log
+ build-using-dockerfile,commit: disable compression by default
+ Update some comments
+ Make rootless work under no_pivot_root
+ Add CreatedAtRaw date field for use with Format
+ Properly format images JSON output
+ pull: add all-tags option
+ Fix support for multiple Short options
+ pkg/blobcache: add synchronization
+ Skip empty files in file check of conformance test
+ Use NoPivot also for RUN, not only for run
+ Remove no longer used isReferenceInsecure / isRegistryInsecure
+ Do not set OCIInsecureSkipTLSVerify based on registries.conf
+ Remove duplicate entries from images JSON output
+ vendor parallel-copy from containers/image
+ blobcache.bats: adjust explicit push tests
+ Handle one line Dockerfile with layers
+ We should only warn if user actually requests Hostname be set in image
+ Fix compiler Warning about comparing different size types
+ imagebuildah: don't walk if rootdir and path are equal
+ Add aliases for buildah containers, so buildah list, ls and ps work
+ vendor: use faster version instead compress/gzip
+ vendor: update libpod
+ Properly handle Hostname inside of RUN command
+ docs: mention how to mount in rootless mode
+ tests: use fully qualified name for centos image
+ travis.yml: use the fully qualified name for alpine
+ mount: allow mount only when using vfs
+ Add some tests for buildah pull
+ Touch up images -q processing
+ Refactor: Use library shared idtools.ParseIDMap() instead of bundling it
+ bump GITVALIDATE_EPOCH
+ cli.BudFlags: add `--platform` nop
+ Makefile: allow packagers to more easily add tags
+ Makefile: soften the requirement on git
+ tests: add containers json test
+ Inline blobCache.putBlob into blobCacheDestination.PutBlob
+ Move saveStream and putBlob near blobCacheDestination.PutBlob
+ Remove BlobCache.PutBlob
+ Update for API changes
+ Vendor c/image after merging c/image#536
+ Handle 'COPY --from' in Dockerfile
+ Vendor in latest content from github.com/containers/storage
+ Clarify docker.io default in push with docker-daemon
+ Test blob caching
+ Wire in a hidden --blob-cache option
+ Use a blob cache when we're asked to use one
+ Add --disable-compression to 'build-using-dockerfile'
+ Add a blob cache implementation
+ vendor: update containers/storage
+ Update for sysregistriesv2 API changes
+ Update containers/image to 63a1cbdc5e6537056695cf0d627c0a33b334df53
+ clean up makefile variables
+ Fix file permission
+ Complete the instructions for the command
+ Show warning when a build arg not used
+ Assume user 0 group 0, if /etc/passwd file in container.
+ Add buildah info command
+ Enable -q when --filter is used for images command
+ Add v1.5 Release Announcement
+ Fix dangling filter for images command
+ Fix completions to print Names as well as IDs
+ tests: Fix file permissions
+ Bump 1.6-dev
+
+## v1.5-1 (2018-11-21)
+ Bump min go to 1.10 in install.md
+ vendor: update ostree-go
+ Update docker build command line in conformance test
+ Print command in SystemExec as debug information
+ Add some skip word for inspect check in conformance test
+ Update regex for multi stage base test
+ Sort CLI flags
+ vendor: update containers/storage
+ Add note to install about non-root on RHEL/CentOS
+ Update imagebuild depdency to support heading ARGs in Dockerfile
+ rootless: do not specify --rootless to the OCI runtime
+ Export resolvesymlink function
+ Exclude --force-rm from common bud cli flags
+ run: bind mount /etc/hosts and /etc/resolv.conf if not in a volume
+ rootless: use slirp4netns to setup the network namespace
+ Instructions for completing the pull command
+ Fix travis to not run environment variable patch
+ rootless: only discard network configuration names
+ run: only set up /etc/hosts or /etc/resolv.conf with network
+ common: getFormat: match entire string not only the prefix
+ vendor: update libpod
+ Change validation EPOCH
+ Fixing broken link for container-registries.conf
+ Restore rootless isolation test for from volume ro test
+ ostree: fix tag for build constraint
+ Handle directories better in bud -f
+ vndr in latest containers/storage
+ Fix unshare gofmt issue
+ runSetupBuiltinVolumes(): break up volume setup
+ common: support a per-user registries conf file
+ unshare: do not override the configuration
+ common: honor the rootless configuration file
+ unshare: create a new mount namespace
+ unshare: support libpod rootless pkg
+ Use libpod GetDefaultStorage to report proper storage config
+ Allow container storage to manage the SELinux labels
+ Resolve image names with default transport in from command
+ run: When the value of isolation is set, use the set value instead of the default value.
+ Vendor in latest containers/storage and opencontainers/selinux
+ Remove no longer valid todo
+ Check for empty buildTime in version
+ Change gofmt so it runs on all but 1.10
+ Run gofmt only on Go 1.11
+ Walk symlinks when checking cached images for copied/added files
+ ReserveSELinuxLabels(): handle wrapped errors from OpenBuilder
+ Set WorkingDir to empty, not / for conformance
+ Update calls in e2e to addres 1101
+ imagebuilder.BuildDockerfiles: return the image ID
+ Update for changes in the containers/image API
+ bump(github.com/containers/image)
+ Allow setting --no-pivot default with an env var
+ Add man page and bash completion, for --no-pivot
+ Add the --no-pivot flag to the run command
+ Improve reporting about individual pull failures
+ Move the "short name but no search registries" error handling to resolveImage
+ Return a "search registries were needed but empty" indication in util.ResolveName
+ Simplify handling of the "tried to pull an image but found nothing" case in newBuilder
+ Don't even invoke the pull loop if options.FromImage == ""
+ Eliminate the long-running ref and img variables in resolveImage
+ In resolveImage, return immediately on success
+ Fix From As in Dockerfile
+ Vendor latest containers/image
+ Vendor in latest libpod
+ Sort CLI flags of buildah bud
+ Change from testing with golang 1.9 to 1.11.
+ unshare: detect when unprivileged userns are disabled
+ Optimize redundant code
+ fix missing format param
+ chroot: fix the args check
+ imagebuildah: make ResolveSymLink public
+ Update copy chown test
+ buildah: use the same logic for XDG_RUNTIME_DIR as podman
+ V1.4 Release Announcement
+ Podman --privileged selinux is broken
+ papr: mount source at gopath
+ parse: Modify the return value
+ parse: modify the verification of the isolation value
+ Make sure we log or return every error
+ pullImage(): when completing an image name, try docker://
+ Fix up Tutorial 3 to account for format
+ Vendor in latest containers/storage and containers/image
+ docs/tutorials/01-intro.md: enhanced installation instructions
+ Enforce "blocked" for registries for the "docker" transport
+ Correctly set DockerInsecureSkipTLSVerify when pulling images
+ chroot: set up seccomp and capabilities after supplemental groups
+ chroot: fix capabilities list setup and application
+ .papr.yml: log the podman version
+ namespaces.bats: fix handling of uidmap/gidmap options in pairs
+ chroot: only create user namespaces when we know we need them
+ Check /proc/sys/user/max_user_namespaces on unshare(NEWUSERNS)
+ bash/buildah: add isolation option to the from command
+
+## v1.4 (2018-10-02)
+ from: fix isolation option
+ Touchup pull manpage
+ Export buildah ReserveSELinuxLables so podman can use it
+ Add buildah.io to README.md and doc fixes
+ Update rmi man for prune changes
+ Ignore file not found removal error in bud
+ bump(github.com/containers/{storage,image})
+ NewImageSource(): only create one Diff() at a time
+ Copy ExposedPorts from base image into the config
+ tests: run conformance test suite in Travis
+ Change rmi --prune to not accept an imageID
+ Clear intermediate container IDs after each stage
+ Request podman version for build issues
+ unshare: keep the additional groups of the user
+ Builtin volumes should be owned by the UID/GID of the container
+ Get rid of dangling whitespace in markdown files
+ Move buildah from projecatatomic/buildah to containers/buildah
+ nitpick: parse.validateFlags loop in bud cli
+ bash: Completion options
+ Add signature policy to push tests
+ vendor in latest containers/image
+ Fix grammar in Container Tools Guide
+ Don't build btrfs if it is not installed
+ new: Return image-pulling errors from resolveImage
+ pull: Return image-pulling errors from pullImage
+ Add more volume mount tests
+ chroot: create missing parent directories for volume mounts
+ Push: Allow an empty destination
+ Add Podman relationship to readme, create container tools guide
+ Fix arg usage in buildah-tag
+ Add flags/arguments order verification to other commands
+ Handle ErrDuplicateName errors from store.CreateContainer()
+ Evaluate symbolic links on Add/Copy Commands
+ Vendor in latest containers/image and containers/storage
+ Retain bounding set when running containers as non root
+ run container-diff tests in Travis
+ buildah-images.md: Fix option contents
+ push: show image digest after push succeed
+ Vendor in latest containers/storage,image,libpod and runc
+ Change references to cri-o to point at new repository
+ Exclude --layers from the common bug cli flags
+ demos: Increase the executable permissions
+ run: clear default seccomp filter if not enabled
+ Bump maximum cyclomatic complexity to 45
+ stdin: on HUP, read everything
+ nitpick: use tabs in tests/helpers.bash
+ Add flags/arguments order verification to one arg commands
+ nitpick: decrease cognitive complexity in buildah-bud
+ rename: Avoid renaming the same name as other containers
+ chroot isolation: chroot() before setting up seccomp
+ Small nitpick at the "if" condition in tag.go
+ cmd/images: Modify json option
+ cmd/images: Disallow the input of image when using the -a option
+ Fix examples to include context directory
+ Update containers/image to fix commit layer issue
+ cmd/containers: End loop early when using the json option
+ Make buildah-from error message clear when flags are after arg
+ Touch up README.md for conformance tests
+ Update container/storage for lock fix
+ cmd/rm: restore the correct containerID display
+ Remove debug lines
+ Remove docker build image after each test
+ Add README for conformance test
+ Update the MakeOptions to accept all command options for buildah
+ Update regrex to fit the docker output in test "run with JSON"
+ cmd/buildah: Remove redundant variable declarations
+ Warn about using Commands in Dockerfile that are not supported by OCI.
+ Add buildah bud conformance test
+ Fix rename to also change container name in builder
+ Makefile: use $(GO) env-var everywhere
+ Cleanup code to more closely match Docker Build images
+ Document BUILDAH_* environment variables in buildah bud --help output
+ Return error immediately if error occurs in Prepare step
+ Fix --layers ADD from url issue
+ Add "Sign your PRs" TOC item to contributing.md.
+ Display the correct ID after deleting image
+ rmi: Modify the handling of errors
+ Let util.ResolveName() return parsing errors
+ Explain Open Container Initiative (OCI) acronym, add link
+ Update vendor for urfave/cli back to master
+ Handle COPY --chown in Dockerfile
+ Switch to Recommends container-selinux
+ Update vendor for containernetworking, imagebuildah and podman
+ Document STORAGE_DRIVER and STORAGE_OPTS environment variable
+ Change references to projectatomic/libpod to containers/libpod
+ Add container PATH retrieval example
+ Expand variables names for --env
+ imagebuildah: provide a way to provide stdin for RUN
+ Remove an unused srcRef.NewImageSource in pullImage
+ chroot: correct a comment
+ chroot: bind mount an empty directory for masking
+ Don't bother with --no-pivot for rootless isolation
+ CentOS need EPEL repo
+ Export a Pull() function
+ Remove stream options, since docker build does not have it
+ release v1.3: mention openSUSE
+ Add Release Announcements directory
+ Bump to v1.4-dev
+
## 1.3 (2018-08-4)
Revert pull error handling from 881
bud should not search context directory for Dockerfile
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/README.md new/buildah-1.7.1/README.md
--- old/buildah-1.7/README.md 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/README.md 2019-02-26 21:27:29.000000000 +0100
@@ -35,18 +35,23 @@
## Buildah and Podman relationship
-Buildah and Podman are two complementary Open-source projects that are available on
-most Linux platforms and both projects reside at [GitHub.com](https://github.com)
-with Buildah [here](https://github.com/containers/buildah) and
-Podman [here](https://github.com/containers/libpod). Both Buildah and Podman are
-command line tools that work on OCI images and containers. The two projects
-differentiate in their specialization.
+Buildah and Podman are two complementary open-source projects that are
+available on most Linux platforms and both projects reside at
+[GitHub.com](https://github.com) with Buildah
+[here](https://github.com/containers/buildah) and Podman
+[here](https://github.com/containers/libpod). Both, Buildah and Podman are
+command line tools that work on Open Container Initiative (OCI) images and
+containers. The two projects differentiate in their specialization.
Buildah specializes in building OCI images. Buildah's commands replicate all
-of the commands that are found in a Dockerfile. Buildah’s goal is also to
-provide a lower level coreutils interface to build images, allowing people to build
-containers without requiring a Dockerfile. The intent with Buildah is to allow other
-scripting languages to build container images, without requiring a daemon.
+of the commands that are found in a Dockerfile. This allows building images
+with and without Dockerfiles while not requiring any root privileges.
+Buildah’s ultimate goal is to provide a lower-level coreutils interface to
+build images. The flexibility of building images without Dockerfiles allows
+for the integration of other scripting languages into the build process.
+Buildah follows a simple fork-exec model and does not run as a daemon
+but it is based on a comprehensive API in golang, which can be vendored
+into other tools.
Podman specializes in all of the commands and functions that help you to maintain and modify
OCI images, such as pulling and tagging. It also allows you to create, run, and maintain those containers
@@ -55,12 +60,12 @@
A major difference between Podman and Buildah is their concept of a container. Podman
allows users to create "traditional containers" where the intent of these containers is
to be long lived. While Buildah containers are really just created to allow content
-to be added back to the container image. An easy way to think of it is the
+to be added back to the container image. An easy way to think of it is the
`buildah run` command emulates the RUN command in a Dockerfile while the `podman run`
command emulates the `docker run` command in functionality. Because of this and their underlying
storage differences, you can not see Podman containers from within Buildah or vice versa.
-In short Buildah is an efficient way to create OCI images while Podman allows
+In short, Buildah is an efficient way to create OCI images while Podman allows
you to manage and maintain those images and containers in a production environment using
familiar container cli commands. For more details, see the
[Container Tools Guide](https://github.com/containers/buildah/tree/master/docs/containertools).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/buildah.go new/buildah-1.7.1/buildah.go
--- old/buildah-1.7/buildah.go 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/buildah.go 2019-02-26 21:27:29.000000000 +0100
@@ -26,7 +26,7 @@
Package = "buildah"
// Version for the Package. Bump version in contrib/rpm/buildah.spec
// too.
- Version = "1.7"
+ Version = "1.7.1"
// The value we use to identify what type of information, currently a
// serialized Builder structure, we are using as per-container state.
// This should only be changed when we make incompatible changes to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/changelog.txt new/buildah-1.7.1/changelog.txt
--- old/buildah-1.7/changelog.txt 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/changelog.txt 2019-02-26 21:27:29.000000000 +0100
@@ -1,3 +1,16 @@
+- Changelog for v1.7.1 (2019-02-26)
+ * vendor containers/image v1.5
+ * Move secrets code from libpod into buildah
+ * Update CHANGELOG.md with the past changes
+ * README.md: fix typo
+ * Fix a few issues found by tests/validate/gometalinter.sh
+ * Neutralize buildah/unshare on non-Linux platforms
+ * Explicitly specify a directory to find(1)
+ * README.md: rephrase Buildah description
+ * Stop printing default twice in cli --help
+ * install.md: add section about vendoring
+ * Bump to 1.8-dev
+
- Changelog for v1.7 (2019-02-21)
* vendor containers/image v1.4
* Make "images --all" faster
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/chroot/run_test.go new/buildah-1.7.1/chroot/run_test.go
--- old/buildah-1.7/chroot/run_test.go 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/chroot/run_test.go 2019-02-26 21:27:29.000000000 +0100
@@ -17,7 +17,7 @@
"github.com/containers/buildah/tests/testreport/types"
"github.com/containers/buildah/util"
"github.com/containers/storage/pkg/reexec"
- "github.com/opencontainers/runtime-spec/specs-go"
+ specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
)
@@ -81,7 +81,7 @@
modify(&g, rootDir, bundleDir)
}
- uid, gid, err := util.GetHostRootIDs(g.Spec())
+ uid, gid, err := util.GetHostRootIDs(g.Config)
if err != nil {
t.Fatalf("GetHostRootIDs: %v", err)
}
@@ -90,7 +90,7 @@
}
output := new(bytes.Buffer)
- if err := RunUsingChroot(g.Spec(), bundleDir, new(bytes.Buffer), output, output); err != nil {
+ if err := RunUsingChroot(g.Config, bundleDir, new(bytes.Buffer), output, output); err != nil {
t.Fatalf("run: %v: %s", err, output.String())
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/cmd/buildah/common.go new/buildah-1.7.1/cmd/buildah/common.go
--- old/buildah-1.7/cmd/buildah/common.go 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/cmd/buildah/common.go 2019-02-26 21:27:29.000000000 +0100
@@ -12,7 +12,7 @@
"github.com/containers/image/types"
lu "github.com/containers/libpod/pkg/util"
"github.com/containers/storage"
- "github.com/opencontainers/go-digest"
+ digest "github.com/opencontainers/go-digest"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
@@ -273,7 +273,7 @@
// the urfavecli Tail method for args
func Tail(a []string) []string {
if len(a) >= 2 {
- return []string(a)[1:]
+ return a[1:]
}
return []string{}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/cmd/buildah/unshare_unsupported.go new/buildah-1.7.1/cmd/buildah/unshare_unsupported.go
--- old/buildah-1.7/cmd/buildah/unshare_unsupported.go 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/cmd/buildah/unshare_unsupported.go 2019-02-26 21:27:29.000000000 +0100
@@ -22,5 +22,4 @@
}
func maybeReexecUsingUserNamespace(cmd string, evenForRoot bool) {
- return
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/contrib/rpm/buildah.spec new/buildah-1.7.1/contrib/rpm/buildah.spec
--- old/buildah-1.7/contrib/rpm/buildah.spec 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/contrib/rpm/buildah.spec 2019-02-26 21:27:29.000000000 +0100
@@ -26,7 +26,7 @@
Name: buildah
# Bump version in buildah.go too
-Version: 1.7
+Version: 1.7.1
Release: 1.git%{shortcommit}%{?dist}
Summary: A command line tool used to creating OCI Images
License: ASL 2.0
@@ -97,7 +97,74 @@
%{_datadir}/bash-completion/completions/*
%changelog
-* Fri Jan 18 2019 Tom Sweeney 1.7-dev-1
+* Tue Feb 26 2019 Tom Sweeney 1.7.1-1
+- vendor containers/image v1.5
+- Move secrets code from libpod into buildah
+- Update CHANGELOG.md with the past changes
+- README.md: fix typo
+- Fix a few issues found by tests/validate/gometalinter.sh
+- Neutralize buildah/unshare on non-Linux platforms
+- Explicitly specify a directory to find(1)
+- README.md: rephrase Buildah description
+- Stop printing default twice in cli --help
+- install.md: add section about vendoring
+- Bump to 1.8-dev
+
+* Thu Feb 21 2019 Tom Sweeney 1.7.0
+- vendor containers/image v1.4
+- Make "images --all" faster
+- Remove a misleading comment
+- Remove quiet option from pull options
+- Make sure buildah pull --all-tags only works with docker transport
+- Support oci layout format
+- Fix pulling of images within buildah
+- Fix tls-verify polarity
+- Travis: execute make vendor and hack/tree_status.sh
+- vendor.conf: remove unused dependencies
+- add missing vendor/github.com/containers/libpod/vendor.conf
+- vendor.conf: remove github.com/inconshreveable/mousetrap
+- make vendor: always fetch the latest vndr
+- add hack/tree_status.sh script
+- Bump c/Storage to 1.10
+- Add --all-tags test to pull
+- mount: make error clearer
+- Remove global flags from cli help
+- Set --disable-compression to true as documented
+- Help document using buildah mount in rootless mode
+- healthcheck start-period: update documentation
+- Vendor in latest c/storage and c/image
+- dumpbolt: handle nested buckets
+- Fix buildah commit compress by default
+- Test on xenial, not trusty
+- unshare: reexec using a memfd copy instead of the binary
+- Add --target to bud command
+- Fix example for setting multiple environment variables
+- main: fix rootless mode
+- buildah: force umask 022
+- pull.bats: specify registry config when using registries
+- pull.bats: use the temporary directory, not /tmp
+- unshare: do not set rootless mode if euid=0
+- Touch up cli help examples and a few nits
+- Add an undocumented dumpbolt command
+- Move tar commands into containers/storage
+- Fix bud issue with 2 line Dockerfile
+- Add package install descriptions
+- Note configuration file requirements
+- Replace urfave/cli with cobra
+- cleanup vendor.conf
+- Vendor in latest containers/storage
+- Add Quiet to PullOptions and PushOptions
+- cmd/commit: add flag omit-timestamp to allow for deterministic builds
+- Add options for empty-layer history entries
+- Make CLI help descriptions and usage a bit more consistent
+- vndr opencontainers/selinux
+- Bump baseline test Fedora to 29
+- Bump to v1.7-dev-1
+- Bump to v1.6-1
+- Add support for ADD --chown
+- imagebuildah: make EnsureContainerPath() check/create the right one
+- Bump 1.7-dev
+- Fix contrib/rpm/bulidah.spec changelog date
* Fri Jan 18 2019 Tom Sweeney 1.6-1
- Add support for ADD --chown
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/install.md new/buildah-1.7.1/install.md
--- old/buildah-1.7/install.md 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/install.md 2019-02-26 21:27:29.000000000 +0100
@@ -271,6 +271,19 @@
The build steps on Debian are otherwise the same as Ubuntu, above.
+## Vendoring - Dependency Management
+
+This project is using [vndr](https://github.com/LK4D4/vndr) for managing dependencies, which is a tedious and error-prone task. Doing it manually is likely to cause inconsistencies between the `./vendor` directory (i.e., the downloaded dependencies), the source code that imports those dependencies and the `vendor.conf` configuration file that describes which packages in which version (e.g., a release or git commit) are a dependency.
+
+To ease updating dependencies, we provide the `make vendor` target, which fetches all dependencies mentioned in `vendor.conf`. `make vendor` whitelists certain packages to prevent the `vndr` tool from removing packages that the test suite (see `./test`) imports.
+
+The CI of this project makes sure that each pull request leaves a clean vendor state behind by first running the aforementioned `make vendor` followed by running `./hack/tree_status.sh` which checks if any file in the git tree has changed.
+
+### Vendor Troubleshooting
+
+If the CI is complaining about a pull request leaving behind an unclean state, it is very likely right about it. Make sure to run `make vendor` and add all the changes to the commit. Also make sure that your local git tree does not include files not under version control that may reference other go packages. If some dependencies are removed but they should not, for instance, because the CI is needing them, then whitelist those dependencies in the `make vendor` target of the Makefile. Whitelisting a package will instruct `vndr` to not remove if during its cleanup phase.
+sd
+
## Configuration files
The following configuration files are required in order for Buildah to run appropriately. The
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/new.go new/buildah-1.7.1/new.go
--- old/buildah-1.7/new.go 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/new.go 2019-02-26 21:27:29.000000000 +0100
@@ -303,7 +303,7 @@
}
conflict := 100
- for true {
+ for {
coptions := storage.ContainerOptions{
LabelOpts: options.CommonBuildOpts.LabelOpts,
IDMappingOptions: newContainerIDMappingOptions(options.IDMappingOptions),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/pkg/cli/common.go new/buildah-1.7.1/pkg/cli/common.go
--- old/buildah-1.7/pkg/cli/common.go 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/pkg/cli/common.go 2019-02-26 21:27:29.000000000 +0100
@@ -125,7 +125,7 @@
func GetLayerFlags(flags *LayerResults) pflag.FlagSet {
fs := pflag.FlagSet{}
fs.BoolVar(&flags.ForceRm, "force-rm", false, "Always remove intermediate containers after a build, even if the build is unsuccessful.")
- fs.BoolVar(&flags.Layers, "layers", false, fmt.Sprintf("cache intermediate layers during build. Use BUILDAH_LAYERS environment variable to override. (default %t)", UseLayers()))
+ fs.BoolVar(&flags.Layers, "layers", UseLayers(), fmt.Sprintf("cache intermediate layers during build. Use BUILDAH_LAYERS environment variable to override."))
return fs
}
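Review bot: The new `--layers` usage string is still wrapped in `fmt.Sprintf` although the `%t` verb and its argument were removed, so the call formats nothing. Linters such as staticcheck flag this, and a literal `%` added to the text later would be misrendered. Pass the literal directly: `fs.BoolVar(&flags.Layers, "layers", UseLayers(), "cache intermediate layers during build. Use BUILDAH_LAYERS environment variable to override.")`. If this was the file's only use of `fmt`, the import has to go too; the import block is not visible in this hunk.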
@@ -152,7 +152,7 @@
fs.BoolVar(&flags.Pull, "pull", true, "pull the image if not present")
fs.BoolVar(&flags.PullAlways, "pull-always", false, "pull the image, even if a version is present")
fs.BoolVarP(&flags.Quiet, "quiet", "q", false, "refrain from announcing build instructions and image read/write progress")
- fs.BoolVar(&flags.Rm, "rm", true, "Remove intermediate containers after a successful build (default true)")
+ fs.BoolVar(&flags.Rm, "rm", true, "Remove intermediate containers after a successful build")
fs.StringVar(&flags.Runtime, "runtime", util.Runtime(), "`path` to an alternate runtime. Use BUILDAH_RUNTIME environment variable to override.")
fs.StringSliceVar(&flags.RuntimeFlags, "runtime-flag", []string{}, "add global flags for the container runtime")
fs.StringVar(&flags.SignaturePolicy, "signature-policy", "", "`pathname` of signature policy file (not usually used)")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/pkg/secrets/secrets.go new/buildah-1.7.1/pkg/secrets/secrets.go
--- old/buildah-1.7/pkg/secrets/secrets.go 1970-01-01 01:00:00.000000000 +0100
+++ new/buildah-1.7.1/pkg/secrets/secrets.go 2019-02-26 21:27:29.000000000 +0100
@@ -0,0 +1,319 @@
+package secrets
+
+import (
+ "bufio"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+ "strings"
+
+ "github.com/containers/libpod/pkg/rootless"
+ rspec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+)
+
+var (
+ // DefaultMountsFile holds the default mount paths in the form
+ // "host_path:container_path"
+ DefaultMountsFile = "/usr/share/containers/mounts.conf"
+ // OverrideMountsFile holds the default mount paths in the form
+ // "host_path:container_path" overridden by the user
+ OverrideMountsFile = "/etc/containers/mounts.conf"
+ // UserOverrideMountsFile holds the default mount paths in the form
+ // "host_path:container_path" overridden by the rootless user
+ UserOverrideMountsFile = filepath.Join(os.Getenv("HOME"), ".config/containers/mounts.conf")
+)
+
+// secretData stores the name of the file and the content read from it
+type secretData struct {
+ name string
+ data []byte
+}
+
+// saveTo saves secret data to given directory
+func (s secretData) saveTo(dir string) error {
+ path := filepath.Join(dir, s.name)
+ if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil && !os.IsExist(err) {
+ return err
+ }
+ return ioutil.WriteFile(path, s.data, 0700)
+}
+
+func readAll(root, prefix string) ([]secretData, error) {
+ path := filepath.Join(root, prefix)
+
+ data := []secretData{}
+
+ files, err := ioutil.ReadDir(path)
+ if err != nil {
+ if os.IsNotExist(err) {
+ return data, nil
+ }
+
+ return nil, err
+ }
+
+ for _, f := range files {
+ fileData, err := readFile(root, filepath.Join(prefix, f.Name()))
+ if err != nil {
+ // If the file did not exist, might be a dangling symlink
+ // Ignore the error
+ if os.IsNotExist(err) {
+ continue
+ }
+ return nil, err
+ }
+ data = append(data, fileData...)
+ }
+
+ return data, nil
+}
+
+func readFile(root, name string) ([]secretData, error) {
+ path := filepath.Join(root, name)
+
+ s, err := os.Stat(path)
+ if err != nil {
+ return nil, err
+ }
+
+ if s.IsDir() {
+ dirData, err := readAll(root, name)
+ if err != nil {
+ return nil, err
+ }
+ return dirData, nil
+ }
+ bytes, err := ioutil.ReadFile(path)
+ if err != nil {
+ return nil, err
+ }
+ return []secretData{{name: name, data: bytes}}, nil
+}
+
+func getHostSecretData(hostDir string) ([]secretData, error) {
+ var allSecrets []secretData
+ hostSecrets, err := readAll(hostDir, "")
+ if err != nil {
+ return nil, errors.Wrapf(err, "failed to read secrets from %q", hostDir)
+ }
+ return append(allSecrets, hostSecrets...), nil
+}
+
+func getMounts(filePath string) []string {
+ file, err := os.Open(filePath)
+ if err != nil {
+ // This is expected on most systems
+ logrus.Debugf("file %q not found, skipping...", filePath)
+ return nil
+ }
+ defer file.Close()
+ scanner := bufio.NewScanner(file)
+ if err = scanner.Err(); err != nil {
+ logrus.Errorf("error reading file %q, %v skipping...", filePath, err)
+ return nil
+ }
+ var mounts []string
+ for scanner.Scan() {
+ mounts = append(mounts, scanner.Text())
+ }
+ return mounts
+}
+
+// getHostAndCtrDir separates the host:container paths
+func getMountsMap(path string) (string, string, error) {
+ arr := strings.SplitN(path, ":", 2)
+ if len(arr) == 2 {
+ return arr[0], arr[1], nil
+ }
+ return "", "", errors.Errorf("unable to get host and container dir")
+}
+
+// SecretMounts copies, adds, and mounts the secrets to the container root filesystem
+func SecretMounts(mountLabel, containerWorkingDir, mountFile string) []rspec.Mount {
+ return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0)
+}
+
+// SecretMountsWithUIDGID specifies the uid/gid of the owner
+func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int) []rspec.Mount {
+ var (
+ secretMounts []rspec.Mount
+ mountFiles []string
+ )
+ // Add secrets from paths given in the mounts.conf files
+ // mountFile will have a value if the hidden --default-mounts-file flag is set
+ // Note for testing purposes only
+ if mountFile == "" {
+ mountFiles = append(mountFiles, []string{OverrideMountsFile, DefaultMountsFile}...)
+ if rootless.IsRootless() {
+ mountFiles = append([]string{UserOverrideMountsFile}, mountFiles...)
+ _, err := os.Stat(UserOverrideMountsFile)
+ if err != nil && os.IsNotExist(err) {
+ os.MkdirAll(filepath.Dir(UserOverrideMountsFile), 0755)
+ if f, err := os.Create(UserOverrideMountsFile); err != nil {
+ logrus.Warnf("could not create file %s: %v", UserOverrideMountsFile, err)
+ } else {
+ f.Close()
+ }
+ }
+ }
+ } else {
+ mountFiles = append(mountFiles, mountFile)
+ }
+ for _, file := range mountFiles {
+ if _, err := os.Stat(file); err == nil {
+ mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
+ if err != nil {
+ logrus.Warnf("error mounting secrets, skipping: %v", err)
+ }
+ secretMounts = mounts
+ break
+ }
+ }
+
+ // Add FIPS mode secret if /etc/system-fips exists on the host
+ _, err := os.Stat("/etc/system-fips")
+ if err == nil {
+ if err := addFIPSModeSecret(&secretMounts, containerWorkingDir); err != nil {
+ logrus.Errorf("error adding FIPS mode secret to container: %v", err)
+ }
+ } else if os.IsNotExist(err) {
+ logrus.Debug("/etc/system-fips does not exist on host, not mounting FIPS mode secret")
+ } else {
+ logrus.Errorf("stat /etc/system-fips failed for FIPS mode secret: %v", err)
+ }
+ return secretMounts
+}
+
+func rchown(chowndir string, uid, gid int) error {
+ return filepath.Walk(chowndir, func(filePath string, f os.FileInfo, err error) error {
+ return os.Lchown(filePath, uid, gid)
+ })
+}
+
+// addSecretsFromMountsFile copies the contents of host directory to container directory
+// and returns a list of mounts
+func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
+ var mounts []rspec.Mount
+ defaultMountsPaths := getMounts(filePath)
+ for _, path := range defaultMountsPaths {
+ hostDir, ctrDir, err := getMountsMap(path)
+ if err != nil {
+ return nil, err
+ }
+ // skip if the hostDir path doesn't exist
+ if _, err = os.Stat(hostDir); err != nil {
+ if os.IsNotExist(err) {
+ logrus.Warnf("Path %q from %q doesn't exist, skipping", hostDir, filePath)
+ continue
+ }
+ return nil, errors.Wrapf(err, "failed to stat %q", hostDir)
+ }
+
+ ctrDirOnHost := filepath.Join(containerWorkingDir, ctrDir)
+
+ // In the event of a restart, don't want to copy secrets over again as they already would exist in ctrDirOnHost
+ _, err = os.Stat(ctrDirOnHost)
+ if os.IsNotExist(err) {
+ if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
+ return nil, errors.Wrapf(err, "making container directory %q failed", ctrDirOnHost)
+ }
+ hostDir, err = resolveSymbolicLink(hostDir)
+ if err != nil {
+ return nil, err
+ }
+
+ data, err := getHostSecretData(hostDir)
+ if err != nil {
+ return nil, errors.Wrapf(err, "getting host secret data failed")
+ }
+ for _, s := range data {
+ if err := s.saveTo(ctrDirOnHost); err != nil {
+ return nil, errors.Wrapf(err, "error saving data to container filesystem on host %q", ctrDirOnHost)
+ }
+ }
+
+ err = label.Relabel(ctrDirOnHost, mountLabel, false)
+ if err != nil {
+ return nil, errors.Wrap(err, "error applying correct labels")
+ }
+ if uid != 0 || gid != 0 {
+ if err := rchown(ctrDirOnHost, uid, gid); err != nil {
+ return nil, err
+ }
+ }
+ } else if err != nil {
+ return nil, errors.Wrapf(err, "error getting status of %q", ctrDirOnHost)
+ }
+
+ m := rspec.Mount{
+ Source: filepath.Join(mountPrefix, ctrDir),
+ Destination: ctrDir,
+ Type: "bind",
+ Options: []string{"bind", "rprivate"},
+ }
+
+ mounts = append(mounts, m)
+ }
+ return mounts, nil
+}
+
+// addFIPSModeSecret creates /run/secrets/system-fips in the container
+// root filesystem if /etc/system-fips exists on hosts.
+// This enables the container to be FIPS compliant and run openssl in
+// FIPS mode as the host is also in FIPS mode.
+func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error {
+ secretsDir := "/run/secrets"
+ ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
+ if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
+ if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
+ return errors.Wrapf(err, "making container directory on host failed")
+ }
+ }
+ fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
+ // In the event of restart, it is possible for the FIPS mode file to already exist
+ if _, err := os.Stat(fipsFile); os.IsNotExist(err) {
+ file, err := os.Create(fipsFile)
+ if err != nil {
+ return errors.Wrapf(err, "error creating system-fips file in container for FIPS mode")
+ }
+ defer file.Close()
+ }
+
+ if !mountExists(*mounts, secretsDir) {
+ m := rspec.Mount{
+ Source: ctrDirOnHost,
+ Destination: secretsDir,
+ Type: "bind",
+ Options: []string{"bind", "rprivate"},
+ }
+ *mounts = append(*mounts, m)
+ }
+
+ return nil
+}
+
+// mountExists checks if a mount already exists in the spec
+func mountExists(mounts []rspec.Mount, dest string) bool {
+ for _, mount := range mounts {
+ if mount.Destination == dest {
+ return true
+ }
+ }
+ return false
+}
+
+// resolveSymbolicLink resolves a possbile symlink path. If the path is a symlink, returns resolved
+// path; if not, returns the original path.
+func resolveSymbolicLink(path string) (string, error) {
+ info, err := os.Lstat(path)
+ if err != nil {
+ return "", err
+ }
+ if info.Mode()&os.ModeSymlink != os.ModeSymlink {
+ return path, nil
+ }
+ return filepath.EvalSymlinks(path)
+}
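Review bot: `UserOverrideMountsFile` is built from `os.Getenv("HOME")` at package initialisation with no check for an empty value, so when HOME is unset it becomes the relative path `.config/containers/mounts.conf`, and the rootless branch of `SecretMountsWithUIDGID` then creates and reads that file under the current working directory. Because the mounts file selects which host directories are copied into the container, it should only be taken from an absolute location; guarding the branch with `if rootless.IsRootless() && filepath.IsAbs(UserOverrideMountsFile) {` would keep a working-directory file out of the lookup. Separately, in `getMounts` the `scanner.Err()` check sits before the first `Scan()`, where it is always nil, so a read error silently yields a truncated mount list; the check belongs after the loop, as `if err := scanner.Err(); err != nil { ... return nil }`. The `os.MkdirAll` result in the same rootless branch is also dropped and could be logged like the `os.Create` failure next to it.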
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/pull.go new/buildah-1.7.1/pull.go
--- old/buildah-1.7/pull.go 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/pull.go 2019-02-26 21:27:29.000000000 +0100
@@ -194,12 +194,12 @@
errs = multierror.Append(errs, err)
continue
}
- img, err := is.Transport.GetStoreImage(options.Store, ref)
+ taggedImg, err := is.Transport.GetStoreImage(options.Store, ref)
if err != nil {
errs = multierror.Append(errs, err)
continue
}
- fmt.Printf("%s\n", img.ID)
+ fmt.Printf("%s\n", taggedImg.ID)
}
} else {
fmt.Printf("%s\n", img.ID)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/run.go new/buildah-1.7.1/run.go
--- old/buildah-1.7/run.go 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/run.go 2019-02-26 21:27:29.000000000 +0100
@@ -21,15 +21,15 @@
"github.com/containernetworking/cni/libcni"
"github.com/containers/buildah/bind"
"github.com/containers/buildah/chroot"
+ "github.com/containers/buildah/pkg/secrets"
"github.com/containers/buildah/util"
- "github.com/containers/libpod/pkg/secrets"
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/ioutils"
"github.com/containers/storage/pkg/reexec"
"github.com/containers/storage/pkg/stringid"
units "github.com/docker/go-units"
digest "github.com/opencontainers/go-digest"
- "github.com/opencontainers/runtime-spec/specs-go"
+ specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
@@ -840,7 +840,7 @@
// valid resolution.
func runLookupPath(g *generate.Generator, command []string) []string {
// Look for the configured $PATH.
- spec := g.Spec()
+ spec := g.Config
envPath := ""
for i := range spec.Process.Env {
if strings.HasPrefix(spec.Process.Env[i], "PATH=") {
@@ -953,7 +953,7 @@
}
found := false
- spec := g.Spec()
+ spec := g.Config
for i := range spec.Process.Env {
if strings.HasPrefix(spec.Process.Env[i], "HOSTNAME=") {
found = true
@@ -1054,7 +1054,7 @@
// Now grab the spec from the generator. Set the generator to nil so that future contributors
// will quickly be able to tell that they're supposed to be modifying the spec directly from here.
- spec := g.Spec()
+ spec := g.Config
g = nil
logrus.Debugf("ensuring working directory %q exists", filepath.Join(mountPoint, spec.Process.Cwd))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/run_test.go new/buildah-1.7.1/run_test.go
--- old/buildah-1.7/run_test.go 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/run_test.go 2019-02-26 21:27:29.000000000 +0100
@@ -60,7 +60,7 @@
if e != nil {
return e
}
- rlimits := g.Spec().Process.Rlimits
+ rlimits := g.Config.Process.Rlimits
for _, rlimit := range rlimits {
if rlimit.Type == "RLIMIT_FSIZE" {
if rlimit.Hard != 4096 {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/tests/validate/gofmt.sh new/buildah-1.7.1/tests/validate/gofmt.sh
--- old/buildah-1.7/tests/validate/gofmt.sh 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/tests/validate/gofmt.sh 2019-02-26 21:27:29.000000000 +0100
@@ -1,7 +1,7 @@
#!/bin/bash
-if test $(find -name "*.go" -not -path "./vendor/*" -print0 | xargs -n 1 -0 gofmt -s -l | wc -l) -ne 0 ; then
+if test $(find . -name "*.go" -not -path "./vendor/*" -print0 | xargs -n 1 -0 gofmt -s -l | wc -l) -ne 0 ; then
echo Error: source files are not formatted according to recommendations. Run \"gofmt -s -w\" on:
- find -name "*.go" -not -path "./vendor/*" -print0 | xargs -n 1 -0 gofmt -s -l
+ find . -name "*.go" -not -path "./vendor/*" -print0 | xargs -n 1 -0 gofmt -s -l
exit 1
fi
exit 0
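Review bot: The check fails open: it counts lines on gofmt's standard output only, so if `gofmt` is missing or exits with an error on a file it cannot parse, `wc -l` reports 0 and the script ends with `exit 0`. Capturing the listing once and testing the pipeline status closes that gap and also avoids running the `find | xargs gofmt` pipeline a second time for the message, for example `out=$(find . -name "*.go" -not -path "./vendor/*" -print0 | xargs -n 1 -0 gofmt -s -l) || exit 1` followed by `if [ -n "$out" ]; then`. The file list can then be printed with `echo "$out"` inside the branch.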
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/unshare/unshare_unsupported.go new/buildah-1.7.1/unshare/unshare_unsupported.go
--- old/buildah-1.7/unshare/unshare_unsupported.go 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/unshare/unshare_unsupported.go 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-package unshare
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/vendor/github.com/containers/image/pkg/blobinfocache/memory.go new/buildah-1.7.1/vendor/github.com/containers/image/pkg/blobinfocache/memory.go
--- old/buildah-1.7/vendor/github.com/containers/image/pkg/blobinfocache/memory.go 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/vendor/github.com/containers/image/pkg/blobinfocache/memory.go 2019-02-26 21:27:29.000000000 +0100
@@ -1,6 +1,7 @@
package blobinfocache
import (
+ "sync"
"time"
"github.com/containers/image/types"
@@ -17,6 +18,7 @@
// memoryCache implements an in-memory-only BlobInfoCache
type memoryCache struct {
+ mutex *sync.Mutex // synchronizes concurrent accesses
uncompressedDigests map[digest.Digest]digest.Digest
digestsByUncompressed map[digest.Digest]map[digest.Digest]struct{} // stores a set of digests for each uncompressed digest
knownLocations map[locationKey]map[types.BICLocationReference]time.Time // stores last known existence time for each location reference
@@ -28,6 +30,7 @@
// Manual users of types.{ImageSource,ImageDestination} might also use this instead of a persistent cache.
func NewMemoryCache() types.BlobInfoCache {
return &memoryCache{
+ mutex: new(sync.Mutex),
uncompressedDigests: map[digest.Digest]digest.Digest{},
digestsByUncompressed: map[digest.Digest]map[digest.Digest]struct{}{},
knownLocations: map[locationKey]map[types.BICLocationReference]time.Time{},
@@ -38,6 +41,15 @@
// May return anyDigest if it is known to be uncompressed.
// Returns "" if nothing is known about the digest (it may be compressed or uncompressed).
func (mem *memoryCache) UncompressedDigest(anyDigest digest.Digest) digest.Digest {
+ mem.mutex.Lock()
+ defer mem.mutex.Unlock()
+ return mem.uncompressedDigest(anyDigest)
+}
+
+// uncompressedDigest returns an uncompressed digest corresponding to anyDigest.
+// May return anyDigest if it is known to be uncompressed.
+// Returns "" if nothing is known about the digest (it may be compressed or uncompressed).
+func (mem *memoryCache) uncompressedDigest(anyDigest digest.Digest) digest.Digest {
if d, ok := mem.uncompressedDigests[anyDigest]; ok {
return d
}
@@ -56,6 +68,8 @@
// because a manifest/config pair exists); otherwise the cache could be poisoned and allow substituting unexpected blobs.
// (Eventually, the DiffIDs in image config could detect the substitution, but that may be too late, and not all image formats contain that data.)
func (mem *memoryCache) RecordDigestUncompressedPair(anyDigest digest.Digest, uncompressed digest.Digest) {
+ mem.mutex.Lock()
+ defer mem.mutex.Unlock()
if previous, ok := mem.uncompressedDigests[anyDigest]; ok && previous != uncompressed {
logrus.Warnf("Uncompressed digest for blob %s previously recorded as %s, now %s", anyDigest, previous, uncompressed)
}
@@ -72,6 +86,8 @@
// RecordKnownLocation records that a blob with the specified digest exists within the specified (transport, scope) scope,
// and can be reused given the opaque location data.
func (mem *memoryCache) RecordKnownLocation(transport types.ImageTransport, scope types.BICTransportScope, blobDigest digest.Digest, location types.BICLocationReference) {
+ mem.mutex.Lock()
+ defer mem.mutex.Unlock()
key := locationKey{transport: transport.Name(), scope: scope, blobDigest: blobDigest}
locationScope, ok := mem.knownLocations[key]
if !ok {
@@ -103,11 +119,13 @@
// data from previous RecordDigestUncompressedPair calls is used to also look up variants of the blob which have the same
// uncompressed digest.
func (mem *memoryCache) CandidateLocations(transport types.ImageTransport, scope types.BICTransportScope, primaryDigest digest.Digest, canSubstitute bool) []types.BICReplacementCandidate {
+ mem.mutex.Lock()
+ defer mem.mutex.Unlock()
res := []candidateWithTime{}
res = mem.appendReplacementCandidates(res, transport, scope, primaryDigest)
var uncompressedDigest digest.Digest // = ""
if canSubstitute {
- if uncompressedDigest = mem.UncompressedDigest(primaryDigest); uncompressedDigest != "" {
+ if uncompressedDigest = mem.uncompressedDigest(primaryDigest); uncompressedDigest != "" {
otherDigests := mem.digestsByUncompressed[uncompressedDigest] // nil if not present in the map
for d := range otherDigests {
if d != primaryDigest && d != uncompressedDigest {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/vendor/github.com/containers/image/version/version.go new/buildah-1.7.1/vendor/github.com/containers/image/version/version.go
--- old/buildah-1.7/vendor/github.com/containers/image/version/version.go 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/vendor/github.com/containers/image/version/version.go 2019-02-26 21:27:29.000000000 +0100
@@ -11,7 +11,7 @@
VersionPatch = 5
// VersionDev indicates development branch. Releases will be empty string.
- VersionDev = "-dev"
+ VersionDev = ""
)
// Version is the specification version that the package types support.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/vendor/github.com/containers/libpod/pkg/secrets/secrets.go new/buildah-1.7.1/vendor/github.com/containers/libpod/pkg/secrets/secrets.go
--- old/buildah-1.7/vendor/github.com/containers/libpod/pkg/secrets/secrets.go 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/vendor/github.com/containers/libpod/pkg/secrets/secrets.go 1970-01-01 01:00:00.000000000 +0100
@@ -1,319 +0,0 @@
-package secrets
-
-import (
- "bufio"
- "io/ioutil"
- "os"
- "path/filepath"
- "strings"
-
- "github.com/containers/libpod/pkg/rootless"
- rspec "github.com/opencontainers/runtime-spec/specs-go"
- "github.com/opencontainers/selinux/go-selinux/label"
- "github.com/pkg/errors"
- "github.com/sirupsen/logrus"
-)
-
-var (
- // DefaultMountsFile holds the default mount paths in the form
- // "host_path:container_path"
- DefaultMountsFile = "/usr/share/containers/mounts.conf"
- // OverrideMountsFile holds the default mount paths in the form
- // "host_path:container_path" overridden by the user
- OverrideMountsFile = "/etc/containers/mounts.conf"
- // UserOverrideMountsFile holds the default mount paths in the form
- // "host_path:container_path" overridden by the rootless user
- UserOverrideMountsFile = filepath.Join(os.Getenv("HOME"), ".config/containers/mounts.conf")
-)
-
-// secretData stores the name of the file and the content read from it
-type secretData struct {
- name string
- data []byte
-}
-
-// saveTo saves secret data to given directory
-func (s secretData) saveTo(dir string) error {
- path := filepath.Join(dir, s.name)
- if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil && !os.IsExist(err) {
- return err
- }
- return ioutil.WriteFile(path, s.data, 0700)
-}
-
-func readAll(root, prefix string) ([]secretData, error) {
- path := filepath.Join(root, prefix)
-
- data := []secretData{}
-
- files, err := ioutil.ReadDir(path)
- if err != nil {
- if os.IsNotExist(err) {
- return data, nil
- }
-
- return nil, err
- }
-
- for _, f := range files {
- fileData, err := readFile(root, filepath.Join(prefix, f.Name()))
- if err != nil {
- // If the file did not exist, might be a dangling symlink
- // Ignore the error
- if os.IsNotExist(err) {
- continue
- }
- return nil, err
- }
- data = append(data, fileData...)
- }
-
- return data, nil
-}
-
-func readFile(root, name string) ([]secretData, error) {
- path := filepath.Join(root, name)
-
- s, err := os.Stat(path)
- if err != nil {
- return nil, err
- }
-
- if s.IsDir() {
- dirData, err := readAll(root, name)
- if err != nil {
- return nil, err
- }
- return dirData, nil
- }
- bytes, err := ioutil.ReadFile(path)
- if err != nil {
- return nil, err
- }
- return []secretData{{name: name, data: bytes}}, nil
-}
-
-func getHostSecretData(hostDir string) ([]secretData, error) {
- var allSecrets []secretData
- hostSecrets, err := readAll(hostDir, "")
- if err != nil {
- return nil, errors.Wrapf(err, "failed to read secrets from %q", hostDir)
- }
- return append(allSecrets, hostSecrets...), nil
-}
-
-func getMounts(filePath string) []string {
- file, err := os.Open(filePath)
- if err != nil {
- // This is expected on most systems
- logrus.Debugf("file %q not found, skipping...", filePath)
- return nil
- }
- defer file.Close()
- scanner := bufio.NewScanner(file)
- if err = scanner.Err(); err != nil {
- logrus.Errorf("error reading file %q, %v skipping...", filePath, err)
- return nil
- }
- var mounts []string
- for scanner.Scan() {
- mounts = append(mounts, scanner.Text())
- }
- return mounts
-}
-
-// getHostAndCtrDir separates the host:container paths
-func getMountsMap(path string) (string, string, error) {
- arr := strings.SplitN(path, ":", 2)
- if len(arr) == 2 {
- return arr[0], arr[1], nil
- }
- return "", "", errors.Errorf("unable to get host and container dir")
-}
-
-// SecretMounts copies, adds, and mounts the secrets to the container root filesystem
-func SecretMounts(mountLabel, containerWorkingDir, mountFile string) []rspec.Mount {
- return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0)
-}
-
-// SecretMountsWithUIDGID specifies the uid/gid of the owner
-func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int) []rspec.Mount {
- var (
- secretMounts []rspec.Mount
- mountFiles []string
- )
- // Add secrets from paths given in the mounts.conf files
- // mountFile will have a value if the hidden --default-mounts-file flag is set
- // Note for testing purposes only
- if mountFile == "" {
- mountFiles = append(mountFiles, []string{OverrideMountsFile, DefaultMountsFile}...)
- if rootless.IsRootless() {
- mountFiles = append([]string{UserOverrideMountsFile}, mountFiles...)
- _, err := os.Stat(UserOverrideMountsFile)
- if err != nil && os.IsNotExist(err) {
- os.MkdirAll(filepath.Dir(UserOverrideMountsFile), 0755)
- if f, err := os.Create(UserOverrideMountsFile); err != nil {
- logrus.Warnf("could not create file %s: %v", UserOverrideMountsFile, err)
- } else {
- f.Close()
- }
- }
- }
- } else {
- mountFiles = append(mountFiles, mountFile)
- }
- for _, file := range mountFiles {
- if _, err := os.Stat(file); err == nil {
- mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
- if err != nil {
- logrus.Warnf("error mounting secrets, skipping: %v", err)
- }
- secretMounts = mounts
- break
- }
- }
-
- // Add FIPS mode secret if /etc/system-fips exists on the host
- _, err := os.Stat("/etc/system-fips")
- if err == nil {
- if err := addFIPSModeSecret(&secretMounts, containerWorkingDir); err != nil {
- logrus.Errorf("error adding FIPS mode secret to container: %v", err)
- }
- } else if os.IsNotExist(err) {
- logrus.Debug("/etc/system-fips does not exist on host, not mounting FIPS mode secret")
- } else {
- logrus.Errorf("stat /etc/system-fips failed for FIPS mode secret: %v", err)
- }
- return secretMounts
-}
-
-func rchown(chowndir string, uid, gid int) error {
- return filepath.Walk(chowndir, func(filePath string, f os.FileInfo, err error) error {
- return os.Lchown(filePath, uid, gid)
- })
-}
-
-// addSecretsFromMountsFile copies the contents of host directory to container directory
-// and returns a list of mounts
-func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
- var mounts []rspec.Mount
- defaultMountsPaths := getMounts(filePath)
- for _, path := range defaultMountsPaths {
- hostDir, ctrDir, err := getMountsMap(path)
- if err != nil {
- return nil, err
- }
- // skip if the hostDir path doesn't exist
- if _, err = os.Stat(hostDir); err != nil {
- if os.IsNotExist(err) {
- logrus.Warnf("Path %q from %q doesn't exist, skipping", hostDir, filePath)
- continue
- }
- return nil, errors.Wrapf(err, "failed to stat %q", hostDir)
- }
-
- ctrDirOnHost := filepath.Join(containerWorkingDir, ctrDir)
-
- // In the event of a restart, don't want to copy secrets over again as they already would exist in ctrDirOnHost
- _, err = os.Stat(ctrDirOnHost)
- if os.IsNotExist(err) {
- if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
- return nil, errors.Wrapf(err, "making container directory %q failed", ctrDirOnHost)
- }
- hostDir, err = resolveSymbolicLink(hostDir)
- if err != nil {
- return nil, err
- }
-
- data, err := getHostSecretData(hostDir)
- if err != nil {
- return nil, errors.Wrapf(err, "getting host secret data failed")
- }
- for _, s := range data {
- if err := s.saveTo(ctrDirOnHost); err != nil {
- return nil, errors.Wrapf(err, "error saving data to container filesystem on host %q", ctrDirOnHost)
- }
- }
-
- err = label.Relabel(ctrDirOnHost, mountLabel, false)
- if err != nil {
- return nil, errors.Wrap(err, "error applying correct labels")
- }
- if uid != 0 || gid != 0 {
- if err := rchown(ctrDirOnHost, uid, gid); err != nil {
- return nil, err
- }
- }
- } else if err != nil {
- return nil, errors.Wrapf(err, "error getting status of %q", ctrDirOnHost)
- }
-
- m := rspec.Mount{
- Source: filepath.Join(mountPrefix, ctrDir),
- Destination: ctrDir,
- Type: "bind",
- Options: []string{"bind", "rprivate"},
- }
-
- mounts = append(mounts, m)
- }
- return mounts, nil
-}
-
-// addFIPSModeSecret creates /run/secrets/system-fips in the container
-// root filesystem if /etc/system-fips exists on hosts.
-// This enables the container to be FIPS compliant and run openssl in
-// FIPS mode as the host is also in FIPS mode.
-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error {
- secretsDir := "/run/secrets"
- ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
- if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
- if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
- return errors.Wrapf(err, "making container directory on host failed")
- }
- }
- fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
- // In the event of restart, it is possible for the FIPS mode file to already exist
- if _, err := os.Stat(fipsFile); os.IsNotExist(err) {
- file, err := os.Create(fipsFile)
- if err != nil {
- return errors.Wrapf(err, "error creating system-fips file in container for FIPS mode")
- }
- defer file.Close()
- }
-
- if !mountExists(*mounts, secretsDir) {
- m := rspec.Mount{
- Source: ctrDirOnHost,
- Destination: secretsDir,
- Type: "bind",
- Options: []string{"bind", "rprivate"},
- }
- *mounts = append(*mounts, m)
- }
-
- return nil
-}
-
-// mountExists checks if a mount already exists in the spec
-func mountExists(mounts []rspec.Mount, dest string) bool {
- for _, mount := range mounts {
- if mount.Destination == dest {
- return true
- }
- }
- return false
-}
-
-// resolveSymbolicLink resolves a possbile symlink path. If the path is a symlink, returns resolved
-// path; if not, returns the original path.
-func resolveSymbolicLink(path string) (string, error) {
- info, err := os.Lstat(path)
- if err != nil {
- return "", err
- }
- if info.Mode()&os.ModeSymlink != os.ModeSymlink {
- return path, nil
- }
- return filepath.EvalSymlinks(path)
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.7/vendor.conf new/buildah-1.7.1/vendor.conf
--- old/buildah-1.7/vendor.conf 2019-02-21 17:59:11.000000000 +0100
+++ new/buildah-1.7.1/vendor.conf 2019-02-26 21:27:29.000000000 +0100
@@ -3,7 +3,7 @@
github.com/BurntSushi/toml v0.2.0
github.com/containerd/continuity 004b46473808b3e7a4a3049c20e4376c91eb966d
github.com/containernetworking/cni v0.7.0-alpha1
-github.com/containers/image v1.4
+github.com/containers/image v1.5
github.com/vbauerster/mpb v3.3.4
github.com/mattn/go-isatty v0.0.4
github.com/VividCortex/ewma v1.1.1