Merge #2495

2495: Dev/tsweeney/b1.15.1 r=rhatdan a=TomSweeneyRedHat As the title says! This was my first big cherry-pick and kit build on a release branch. I'd problems with the cherry-pick, it didn't like one of the buildahimage/Containerfiles, so hopefully I didn't mess it up much. Co-authored-by: Marius Hoch <[email protected]> Co-authored-by: Zvi "CtrlZvi" Effron <[email protected]> Co-authored-by: Giuseppe Scrivano <[email protected]> Co-authored-by: Daniel J Walsh <[email protected]>
containers · Jul 31, 2020 · c967e88 · c967e88
2 parents 3b1d6eb + cd67d69
commit c967e88
Show file tree

Hide file tree

Showing 13 changed files with 67 additions and 21 deletions.
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -6,7 +6,7 @@ env:
     #### Global variables used for all tasks
     ####
     # Name of the ultimate destination branch for this CI run, PR or post-merge.
-    DEST_BRANCH: "master"
+    DEST_BRANCH: "release-1.15"
     GOPATH: "/var/tmp/go"
     GOSRC: "${GOPATH}/src/github.com/containers/buildah"
     # Overrides default location (/tmp/cirrus) for repo clone

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,18 @@
 
 # Changelog
 
+## v1.15.1 (2020-07-27)
+    Mask over the /sys/fs/selinux in mask branch
+    chroot: do not use setgroups if it is blocked
+    chroot, run: not fail on bind mounts from /sys
+    Allow "readonly" as alias to "ro" in mount options
+    Add VFS additional image store to container
+    Ignore OS X specific consistency mount option
+    vendor golang.org/x/[email protected]
+    Cirrus: Fix missing htpasswd in registry img
+    Switch scripts to use containers.conf
+    Make imagebuildah.BuildOptions.Architecture/OS optional
+
 ## v1.15.0 (2020-06-17)
     Bump github.com/containers/common from 0.12.0 to 0.13.1
     Bump github.com/containers/storage from 1.20.1 to 1.20.2

diff --git a/buildah.go b/buildah.go
@@ -28,7 +28,7 @@ const (
 	Package = "buildah"
 	// Version for the Package.  Bump version in contrib/rpm/buildah.spec
 	// too.
-	Version = "1.15.0"
+	Version = "1.15.1"
 	// The value we use to identify what type of information, currently a
 	// serialized Builder structure, we are using as per-container state.
 	// This should only be changed when we make incompatible changes to

diff --git a/changelog.txt b/changelog.txt
@@ -1,3 +1,15 @@
+- Changelog for v1.15.0 (2020-06-17)
+  * Mask over the /sys/fs/selinux in mask branch
+  * chroot: do not use setgroups if it is blocked
+  * chroot, run: not fail on bind mounts from /sys
+  * Allow "readonly" as alias to "ro" in mount options
+  * Add VFS additional image store to container
+  * Ignore OS X specific consistency mount option
+  * vendor golang.org/x/[email protected]
+  * Cirrus: Fix missing htpasswd in registry img
+  * Switch scripts to use containers.conf
+  * Make imagebuildah.BuildOptions.Architecture/OS optional
+
 - Changelog for v1.15.0 (2020-06-17)
   * Bump github.com/containers/common from 0.12.0 to 0.13.1
   * Bump github.com/containers/storage from 1.20.1 to 1.20.2

diff --git a/chroot/run.go b/chroot/run.go
@@ -7,6 +7,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -741,10 +742,13 @@ func runUsingChrootExecMain() {
 			os.Exit(1)
 		}
 	} else {
-		logrus.Debugf("clearing supplemental groups")
-		if err = syscall.Setgroups([]int{}); err != nil {
-			fmt.Fprintf(os.Stderr, "error clearing supplemental groups list: %v", err)
-			os.Exit(1)
+		setgroups, _ := ioutil.ReadFile("/proc/self/setgroups")
+		if strings.Trim(string(setgroups), "\n") != "deny" {
+			logrus.Debugf("clearing supplemental groups")
+			if err = syscall.Setgroups([]int{}); err != nil {
+				fmt.Fprintf(os.Stderr, "error clearing supplemental groups list: %v", err)
+				os.Exit(1)
+			}
 		}
 	}
 
@@ -1093,18 +1097,15 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 		}
 		subSys := filepath.Join(spec.Root.Path, m.Mountpoint)
 		if err := unix.Mount(m.Mountpoint, subSys, "bind", sysFlags, ""); err != nil {
-			return undoBinds, errors.Wrapf(err, "error bind mounting /sys from host into mount namespace")
+			logrus.Warningf("could not bind mount %q, skipping: %v", m.Mountpoint, err)
+			continue
 		}
 		if err := makeReadOnly(subSys, sysFlags); err != nil {
 			return undoBinds, err
 		}
 	}
 	logrus.Debugf("bind mounted %q to %q", "/sys", filepath.Join(spec.Root.Path, "/sys"))
 
-	// Add /sys/fs/selinux to the set of masked paths, to ensure that we don't have processes
-	// attempting to interact with labeling, when they aren't allowed to do so.
-	spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
-
 	// Bind mount in everything we've been asked to mount.
 	for _, m := range spec.Mounts {
 		// Skip anything that we just mounted.

diff --git a/contrib/buildahimage/stable/Dockerfile b/contrib/buildahimage/stable/Dockerfile
@@ -17,7 +17,7 @@ ADD https://raw.githubusercontent.com/containers/buildah/master/contrib/buildahi
 
 # Adjust storage.conf to enable Fuse storage.
 RUN chmod 644 /etc/containers/containers.conf; sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
+RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers /var/lib/shared/vfs-images /var/lib/shared/vfs-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock; touch /var/lib/shared/vfs-images/images.lock; touch /var/lib/shared/vfs-layers/layers.lock
 
 # Set an environment variable to default to chroot isolation for RUN
 # instructions and "buildah run".

diff --git a/contrib/buildahimage/stablebyhand/Containerfile.buildahstable b/contrib/buildahimage/stablebyhand/Containerfile.buildahstable
@@ -29,7 +29,7 @@ ADD https://raw.githubusercontent.com/containers/buildah/master/contrib/buildahi
 
 # Adjust storage.conf to enable Fuse storage.
 RUN chmod 644 /etc/containers/containers.conf; sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
+RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers /var/lib/shared/vfs-images /var/lib/shared/vfs-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock; touch /var/lib/shared/vfs-images/images.lock; touch /var/lib/shared/vfs-layers/layers.lock
 
 # Set an environment variable to default to chroot isolation for RUN
 # instructions and "buildah run".

diff --git a/contrib/buildahimage/testing/Dockerfile b/contrib/buildahimage/testing/Dockerfile
@@ -19,7 +19,7 @@ ADD https://raw.githubusercontent.com/containers/buildah/master/contrib/buildahi
 
 # Adjust storage.conf to enable Fuse storage.
 RUN chmod 644 /etc/containers/containers.conf; sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
+RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers /var/lib/shared/vfs-images /var/lib/shared/vfs-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock; touch /var/lib/shared/vfs-images/images.lock; touch /var/lib/shared/vfs-layers/layers.lock
 
 # Set an environment variable to default to chroot isolation for RUN
 # instructions and "buildah run".

diff --git a/contrib/buildahimage/upstream/Dockerfile b/contrib/buildahimage/upstream/Dockerfile
@@ -47,7 +47,7 @@ ADD https://raw.githubusercontent.com/containers/buildah/master/contrib/buildahi
 
 # Adjust storage.conf to enable Fuse storage.
 RUN chmod 644 /etc/containers/containers.conf; sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
+RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers /var/lib/shared/vfs-images /var/lib/shared/vfs-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock; touch /var/lib/shared/vfs-images/images.lock; touch /var/lib/shared/vfs-layers/layers.lock
 
 # Set an environment variable to default to chroot isolation for RUN
 # instructions and "buildah run".

diff --git a/contrib/rpm/buildah.spec b/contrib/rpm/buildah.spec
@@ -26,7 +26,7 @@
 
 Name:           buildah
 # Bump version in buildah.go too
-Version:        1.15.0
+Version:        1.15.1
 Release:        1.git%{shortcommit}%{?dist}
 Summary:        A command line tool used to creating OCI Images
 License:        ASL 2.0
@@ -99,6 +99,18 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
 %{_datadir}/bash-completion/completions/*
 
 %changelog
+* Mon Jul 17, 2020 Tom Sweeney <[email protected]> 1.15.1-1
+- Mask over the /sys/fs/selinux in mask branch 
+- chroot: do not use setgroups if it is blocked
+- chroot, run: not fail on bind mounts from /sys
+- Allow "readonly" as alias to "ro" in mount options
+- Add VFS additional image store to container
+- Ignore OS X specific consistency mount option
+- vendor golang.org/x/[email protected]
+- Cirrus: Fix missing htpasswd in registry img
+- Switch scripts to use containers.conf 
+- Make imagebuildah.BuildOptions.Architecture/OS optional
+
 * Wed Jun 17, 2020 Tom Sweeney <[email protected]> 1.15.0-1
 - Bump github.com/containers/common from 0.12.0 to 0.13.1
 - Bump github.com/containers/storage from 1.20.1 to 1.20.2

diff --git a/pkg/parse/parse.go b/pkg/parse/parse.go
@@ -342,6 +342,9 @@ func GetBindMount(args []string) (specs.Mount, error) {
 			// TODO: detect duplication of these options.
 			// (Is this necessary?)
 			newMount.Options = append(newMount.Options, kv[0])
+		case "readonly":
+			// Alias for "ro"
+			newMount.Options = append(newMount.Options, "ro")
 		case "shared", "rshared", "private", "rprivate", "slave", "rslave", "Z", "z":
 			newMount.Options = append(newMount.Options, kv[0])
 		case "bind-propagation":
@@ -367,6 +370,10 @@ func GetBindMount(args []string) (specs.Mount, error) {
 			}
 			newMount.Destination = kv[1]
 			setDest = true
+		case "consistency":
+			// Option for OS X only, has no meaning on other platforms
+			// and can thus be safely ignored.
+			// See also the handling of the equivalent "delegated" and "cached" in ValidateVolumeOpts
 		default:
 			return newMount, errors.Wrapf(errBadMntOption, kv[0])
 		}
@@ -403,6 +410,9 @@ func GetTmpfsMount(args []string) (specs.Mount, error) {
 		switch kv[0] {
 		case "ro", "nosuid", "nodev", "noexec":
 			newMount.Options = append(newMount.Options, kv[0])
+		case "readonly":
+			// Alias for "ro"
+			newMount.Options = append(newMount.Options, "ro")
 		case "tmpfs-mode":
 			if len(kv) == 1 {
 				return newMount, errors.Wrapf(optionArgError, kv[0])

diff --git a/run_linux.go b/run_linux.go
@@ -1779,6 +1779,7 @@ func setupMaskedPaths(g *generate.Generator) {
 		"/proc/sched_debug",
 		"/proc/scsi",
 		"/sys/firmware",
+		"/sys/fs/selinux",
 	} {
 		g.AddLinuxMaskedPaths(mp)
 	}
@@ -2023,13 +2024,10 @@ func setupRootlessSpecChanges(spec *specs.Spec, bundleDir string, shmSize string
 			Options:     []string{bind.NoBindOption, "rbind", "private", "nodev", "noexec", "nosuid", "ro"},
 		},
 	}
-	// Cover up /sys/fs/cgroup and /sys/fs/selinux, if they exist in our source for /sys.
+	// Cover up /sys/fs/cgroup, if it exist in our source for /sys.
 	if _, err := os.Stat("/sys/fs/cgroup"); err == nil {
 		spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/cgroup")
 	}
-	if _, err := os.Stat("/sys/fs/selinux"); err == nil {
-		spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
-	}
 	// Keep anything that isn't under /dev, /proc, or /sys.
 	for i := range spec.Mounts {
 		if spec.Mounts[i].Destination == "/dev" || strings.HasPrefix(spec.Mounts[i].Destination, "/dev/") ||

diff --git a/tests/validate/git-validation.sh b/tests/validate/git-validation.sh
@@ -13,7 +13,8 @@ fi
 
 if [[ "$TRAVIS" != 'true' ]]; then
 	#GITVALIDATE_EPOCH=":/git-validation epoch"
-	GITVALIDATE_EPOCH="c5546750573cdef524be7159fe837f23274e9718"
+	# Set to the branch's origin point
+	GITVALIDATE_EPOCH="3b1d6ebe12445dfe84cb5932634440a20b10fc03"
 fi
 
 OUTPUT_OPTIONS="-q"