diff --git a/.cirrus.yml b/.cirrus.yml
index cb16fa89c67..c4e0e6f1fec 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -6,7 +6,7 @@ env:
 #### Global variables used for all tasks ####
 # Name of the ultimate destination branch for this CI run, PR or post-merge.
- DEST_BRANCH: "master"
+ DEST_BRANCH: "release-1.15"
 GOPATH: "/var/tmp/go"
 GOSRC: "${GOPATH}/src/github.com/containers/buildah"
 # Overrides default location (/tmp/cirrus) for repo clone
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0664b4040dd..cedb12798f8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,18 @@
 # Changelog
+## v1.15.1 (2020-07-27)
+ Mask over the /sys/fs/selinux in mask branch
+ chroot: do not use setgroups if it is blocked
+ chroot, run: not fail on bind mounts from /sys
+ Allow "readonly" as alias to "ro" in mount options
+ Add VFS additional image store to container
+ Ignore OS X specific consistency mount option
+ vendor golang.org/x/text@v0.3.3
+ Cirrus: Fix missing htpasswd in registry img
+ Switch scripts to use containers.conf
+ Make imagebuildah.BuildOptions.Architecture/OS optional
+
 ## v1.15.0 (2020-06-17)
 Bump github.com/containers/common from 0.12.0 to 0.13.1
 Bump github.com/containers/storage from 1.20.1 to 1.20.2
diff --git a/buildah.go b/buildah.go
index b5f0993fa3e..0ca3a270779 100644
--- a/buildah.go
+++ b/buildah.go
@@ -28,7 +28,7 @@ const (
 Package = "buildah"
 // Version for the Package. Bump version in contrib/rpm/buildah.spec
 // too.
- Version = "1.15.0"
+ Version = "1.15.1"
 // The value we use to identify what type of information, currently a
 // serialized Builder structure, we are using as per-container state.
 // This should only be changed when we make incompatible changes to
diff --git a/changelog.txt b/changelog.txt
index ab0fd2415ba..6a688fb5ea3 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -1,3 +1,15 @@
+- Changelog for v1.15.0 (2020-06-17)
+ * Mask over the /sys/fs/selinux in mask branch
+ * chroot: do not use setgroups if it is blocked
+ * chroot, run: not fail on bind mounts from /sys
+ * Allow "readonly" as alias to "ro" in mount options
+ * Add VFS additional image store to container
+ * Ignore OS X specific consistency mount option
+ * vendor golang.org/x/text@v0.3.3
+ * Cirrus: Fix missing htpasswd in registry img
+ * Switch scripts to use containers.conf
+ * Make imagebuildah.BuildOptions.Architecture/OS optional
+
 - Changelog for v1.15.0 (2020-06-17)
 * Bump github.com/containers/common from 0.12.0 to 0.13.1
 * Bump github.com/containers/storage from 1.20.1 to 1.20.2
diff --git a/chroot/run.go b/chroot/run.go
index d65c36470e7..8616c4cac80 100644
--- a/chroot/run.go
+++ b/chroot/run.go
@@ -7,6 +7,7 @@ import (
 "encoding/json"
 "fmt"
 "io"
+ "io/ioutil"
 "os"
 "os/exec"
 "path/filepath"
@@ -741,10 +742,13 @@ func runUsingChrootExecMain() {
 os.Exit(1)
 }
 } else {
- logrus.Debugf("clearing supplemental groups")
- if err = syscall.Setgroups([]int{}); err != nil {
- fmt.Fprintf(os.Stderr, "error clearing supplemental groups list: %v", err)
- os.Exit(1)
+ setgroups, _ := ioutil.ReadFile("/proc/self/setgroups")
+ if strings.Trim(string(setgroups), "\n") != "deny" {
+ logrus.Debugf("clearing supplemental groups")
+ if err = syscall.Setgroups([]int{}); err != nil {
+ fmt.Fprintf(os.Stderr, "error clearing supplemental groups list: %v", err)
+ os.Exit(1)
+ }
 }
 }
@@ -1093,7 +1097,8 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 }
 subSys := filepath.Join(spec.Root.Path, m.Mountpoint)
 if err := unix.Mount(m.Mountpoint, subSys, "bind", sysFlags, ""); err != nil {
- return undoBinds, errors.Wrapf(err, "error bind mounting /sys from host into mount namespace")
+ logrus.Warningf("could not bind mount %q, skipping: %v", m.Mountpoint, err)
+ continue
 }
 if err := makeReadOnly(subSys, sysFlags); err != nil {
 return undoBinds, err
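Review bot: The error from `ioutil.ReadFile("/proc/self/setgroups")` is discarded on the first added line of the runUsingChrootExecMain hunk, so any read failure leaves `setgroups` empty, the `!= "deny"` test passes, and the code falls through to the pre-existing unconditional `Setgroups` attempt; that fallback looks intentional but should be stated next to the blank identifier, e.g. `// a read failure (no /proc/self/setgroups) falls back to the old unconditional Setgroups attempt`. `strings.TrimSpace` would be the more conventional trim, though the kernel writes only a trailing newline so `strings.Trim(..., "\n")` is not wrong. The hunk adds `io/ioutil` but not `strings`; presumably the file already imports it, worth confirming. runUsingChrootExecMain starts and ends outside the hunk.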
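Review bot: After the new `continue` in the setupChrootBindMounts hunk, a /sys sub-mount that fails to bind mount is left out of the container and `makeReadOnly` is never applied to that path; if the parent /sys bind mount were recursive (its flags are outside the hunk) that would leave the host's view of the sub-mount visible without the read-only pass, so it is worth confirming and recording why the skip is safe, e.g. `// a /sys sub-mount that cannot be bind mounted here is skipped rather than aborting the run`. The replaced error mentioned /sys explicitly; including that in the warning would keep the log line recognisable when `m.Mountpoint` is an unfamiliar path. setupChrootBindMounts starts and ends outside the hunk.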
@@ -1101,10 +1106,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 }
 logrus.Debugf("bind mounted %q to %q", "/sys", filepath.Join(spec.Root.Path, "/sys"))
- // Add /sys/fs/selinux to the set of masked paths, to ensure that we don't have processes
- // attempting to interact with labeling, when they aren't allowed to do so.
- spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
-
 // Bind mount in everything we've been asked to mount.
 for _, m := range spec.Mounts {
 // Skip anything that we just mounted.
diff --git a/contrib/buildahimage/stable/Dockerfile b/contrib/buildahimage/stable/Dockerfile
index df1761811d6..f09f25fd562 100644
--- a/contrib/buildahimage/stable/Dockerfile
+++ b/contrib/buildahimage/stable/Dockerfile
@@ -17,7 +17,7 @@ ADD https://raw.githubusercontent.com/containers/buildah/master/contrib/buildahi
 # Adjust storage.conf to enable Fuse storage.
 RUN chmod 644 /etc/containers/containers.conf; sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
+RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers /var/lib/shared/vfs-images /var/lib/shared/vfs-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock; touch /var/lib/shared/vfs-images/images.lock; touch /var/lib/shared/vfs-layers/layers.lock
 # Set an environment variable to default to chroot isolation for RUN
 # instructions and "buildah run".
diff --git a/contrib/buildahimage/stablebyhand/Containerfile.buildahstable b/contrib/buildahimage/stablebyhand/Containerfile.buildahstable
index 82911c81c21..8e153875db7 100644
--- a/contrib/buildahimage/stablebyhand/Containerfile.buildahstable
+++ b/contrib/buildahimage/stablebyhand/Containerfile.buildahstable
@@ -29,7 +29,7 @@ ADD https://raw.githubusercontent.com/containers/buildah/master/contrib/buildahi
 # Adjust storage.conf to enable Fuse storage.
 RUN chmod 644 /etc/containers/containers.conf; sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
+RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers /var/lib/shared/vfs-images /var/lib/shared/vfs-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock; touch /var/lib/shared/vfs-images/images.lock; touch /var/lib/shared/vfs-layers/layers.lock
 # Set an environment variable to default to chroot isolation for RUN
 # instructions and "buildah run".
diff --git a/contrib/buildahimage/testing/Dockerfile b/contrib/buildahimage/testing/Dockerfile
index 6ca7ab75926..baff91fc094 100644
--- a/contrib/buildahimage/testing/Dockerfile
+++ b/contrib/buildahimage/testing/Dockerfile
@@ -19,7 +19,7 @@ ADD https://raw.githubusercontent.com/containers/buildah/master/contrib/buildahi
 # Adjust storage.conf to enable Fuse storage.
 RUN chmod 644 /etc/containers/containers.conf; sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
+RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers /var/lib/shared/vfs-images /var/lib/shared/vfs-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock; touch /var/lib/shared/vfs-images/images.lock; touch /var/lib/shared/vfs-layers/layers.lock
 # Set an environment variable to default to chroot isolation for RUN
 # instructions and "buildah run".
diff --git a/contrib/buildahimage/upstream/Dockerfile b/contrib/buildahimage/upstream/Dockerfile
index da7d53e5bf6..4516ac2cedb 100644
--- a/contrib/buildahimage/upstream/Dockerfile
+++ b/contrib/buildahimage/upstream/Dockerfile
@@ -47,7 +47,7 @@ ADD https://raw.githubusercontent.com/containers/buildah/master/contrib/buildahi
 # Adjust storage.conf to enable Fuse storage.
 RUN chmod 644 /etc/containers/containers.conf; sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
+RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers /var/lib/shared/vfs-images /var/lib/shared/vfs-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock; touch /var/lib/shared/vfs-images/images.lock; touch /var/lib/shared/vfs-layers/layers.lock
 # Set an environment variable to default to chroot isolation for RUN
 # instructions and "buildah run".
diff --git a/contrib/rpm/buildah.spec b/contrib/rpm/buildah.spec
index 9d618cba239..ad63cd9d8b0 100644
--- a/contrib/rpm/buildah.spec
+++ b/contrib/rpm/buildah.spec
@@ -26,7 +26,7 @@ Name: buildah
 # Bump version in buildah.go too
-Version: 1.15.0
+Version: 1.15.1
 Release: 1.git%{shortcommit}%{?dist}
 Summary: A command line tool used to creating OCI Images
 License: ASL 2.0
@@ -99,6 +99,18 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
 %{_datadir}/bash-completion/completions/*
 %changelog
+* Mon Jul 17, 2020 Tom Sweeney 1.15.1-1
+- Mask over the /sys/fs/selinux in mask branch
+- chroot: do not use setgroups if it is blocked
+- chroot, run: not fail on bind mounts from /sys
+- Allow "readonly" as alias to "ro" in mount options
+- Add VFS additional image store to container
+- Ignore OS X specific consistency mount option
+- vendor golang.org/x/text@v0.3.3
+- Cirrus: Fix missing htpasswd in registry img
+- Switch scripts to use containers.conf
+- Make imagebuildah.BuildOptions.Architecture/OS optional
+
 * Wed Jun 17, 2020 Tom Sweeney 1.15.0-1
 - Bump github.com/containers/common from 0.12.0 to 0.13.1
 - Bump github.com/containers/storage from 1.20.1 to 1.20.2
diff --git a/pkg/parse/parse.go b/pkg/parse/parse.go
index 3b7d7587f9a..5b966b239f2 100644
--- a/pkg/parse/parse.go
+++ b/pkg/parse/parse.go
@@ -342,6 +342,9 @@ func GetBindMount(args []string) (specs.Mount, error) {
 // TODO: detect duplication of these options.
 // (Is this necessary?)
 newMount.Options = append(newMount.Options, kv[0])
+ case "readonly":
+ // Alias for "ro"
+ newMount.Options = append(newMount.Options, "ro")
 case "shared", "rshared", "private", "rprivate", "slave", "rslave", "Z", "z":
 newMount.Options = append(newMount.Options, kv[0])
 case "bind-propagation":
@@ -367,6 +370,10 @@ func GetBindMount(args []string) (specs.Mount, error) {
 }
 newMount.Destination = kv[1]
 setDest = true
+ case "consistency":
+ // Option for OS X only, has no meaning on other platforms
+ // and can thus be safely ignored.
+ // See also the handling of the equivalent "delegated" and "cached" in ValidateVolumeOpts
 default:
 return newMount, errors.Wrapf(errBadMntOption, kv[0])
 }
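Review bot: The new `readonly` case in GetBindMount appends `"ro"` without looking at `kv`, so an input such as `readonly=false` silently produces a read-only mount; that is the fail-safe direction, but unless the existing `ro` case deliberately accepts a value as well (it appends `kv[0]` unchecked in the context above), an explicit value should either be parsed as a boolean or rejected, e.g. `if len(kv) > 1 { return newMount, errors.Wrapf(errBadMntOption, kv[0]) }`. The same applies to the `readonly` case added to GetTmpfsMount in the next hunk. The ignored `consistency` case in the second GetBindMount hunk would benefit from a debug log saying the value was dropped, so a user passing it on Linux can see it had no effect. Both GetBindMount hunks sit inside a function whose body starts and ends outside them.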
@@ -403,6 +410,9 @@ func GetTmpfsMount(args []string) (specs.Mount, error) {
 switch kv[0] {
 case "ro", "nosuid", "nodev", "noexec":
 newMount.Options = append(newMount.Options, kv[0])
+ case "readonly":
+ // Alias for "ro"
+ newMount.Options = append(newMount.Options, "ro")
 case "tmpfs-mode":
 if len(kv) == 1 {
 return newMount, errors.Wrapf(optionArgError, kv[0])
diff --git a/run_linux.go b/run_linux.go
index fd2597d6229..412d1f38578 100644
--- a/run_linux.go
+++ b/run_linux.go
@@ -1779,6 +1779,7 @@ func setupMaskedPaths(g *generate.Generator) {
 "/proc/sched_debug",
 "/proc/scsi",
 "/sys/firmware",
+ "/sys/fs/selinux",
 } {
 g.AddLinuxMaskedPaths(mp)
 }
@@ -2023,13 +2024,10 @@ func setupRootlessSpecChanges(spec *specs.Spec, bundleDir string, shmSize string
 Options: []string{bind.NoBindOption, "rbind", "private", "nodev", "noexec", "nosuid", "ro"},
 },
 }
- // Cover up /sys/fs/cgroup and /sys/fs/selinux, if they exist in our source for /sys.
+ // Cover up /sys/fs/cgroup, if it exist in our source for /sys.
 if _, err := os.Stat("/sys/fs/cgroup"); err == nil {
 spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/cgroup")
 }
- if _, err := os.Stat("/sys/fs/selinux"); err == nil {
- spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
- }
 // Keep anything that isn't under /dev, /proc, or /sys.
 for i := range spec.Mounts {
 if spec.Mounts[i].Destination == "/dev" || strings.HasPrefix(spec.Mounts[i].Destination, "/dev/") ||
diff --git a/tests/validate/git-validation.sh b/tests/validate/git-validation.sh
index 1ecd9b6d077..823d80c3b6e 100755
--- a/tests/validate/git-validation.sh
+++ b/tests/validate/git-validation.sh
@@ -13,7 +13,8 @@ fi
 if [[ "$TRAVIS" != 'true' ]]; then
 #GITVALIDATE_EPOCH=":/git-validation epoch"
- GITVALIDATE_EPOCH="c5546750573cdef524be7159fe837f23274e9718"
+ # Set to the branch's origin point
+ GITVALIDATE_EPOCH="3b1d6ebe12445dfe84cb5932634440a20b10fc03"
 fi
 OUTPUT_OPTIONS="-q"
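Review bot: `/sys/fs/selinux` is now masked unconditionally by setupMaskedPaths, while the two places that used to add it — the `os.Stat` check removed from setupRootlessSpecChanges in the next hunk and the append removed from chroot/run.go earlier in this diff — are gone; since the chroot path no longer adds it itself, it is worth confirming that chroot isolation consumes the generator's masked paths, otherwise chroot runs would lose the mask that keeps processes from interacting with the labeling interface. A comment above the new list entry, e.g. `// masked unconditionally; the rootless and chroot code paths no longer add it themselves`, would record that decision for the next reader. setupMaskedPaths starts before the hunk.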
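Review bot: The rewritten comment in the setupRootlessSpecChanges hunk reads `// Cover up /sys/fs/cgroup, if it exist in our source for /sys.`; it should say `if it exists`. Because the selinux stat was removed here without a trace, a pointer such as `// /sys/fs/selinux is masked by setupMaskedPaths.` would make clear the mask moved rather than disappeared. setupRootlessSpecChanges starts and ends outside the hunk.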