diff --git a/go.mod b/go.mod
index 63f184011a..fa694e40a3 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 github.com/checkpoint-restore/checkpointctl v1.3.0
 github.com/checkpoint-restore/go-criu/v7 v7.2.0
 github.com/containernetworking/plugins v1.5.1
- github.com/containers/buildah v1.38.0
+ github.com/containers/buildah v1.38.1-0.20241115143500-f1543bdd7d37
 github.com/containers/common v0.61.1-0.20241112152446-305e9ce69b0f
 github.com/containers/conmon v2.0.20+incompatible
 github.com/containers/gvisor-tap-vsock v0.8.0
diff --git a/go.sum b/go.sum
index 2168c9459c..5473d5ca6f 100644
--- a/go.sum
+++ b/go.sum
@@ -79,8 +79,8 @@ github.com/containernetworking/cni v1.2.3 h1:hhOcjNVUQTnzdRJ6alC5XF+wd9mfGIUaj8F
 github.com/containernetworking/cni v1.2.3/go.mod h1:DuLgF+aPd3DzcTQTtp/Nvl1Kim23oFKdm2okJzBQA5M=
 github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+E5J/EcKOE4gQ=
 github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM=
-github.com/containers/buildah v1.38.0 h1:FmciZMwzhdcvtWj+8IE+61+lfTG2JfgrbZ2DUnEMnTE=
-github.com/containers/buildah v1.38.0/go.mod h1:tUsHC2bcgR5Q/R76qZUn7x0FRglqPFry2g5KhWfH4LI=
+github.com/containers/buildah v1.38.1-0.20241115143500-f1543bdd7d37 h1:dcafNYeXF36G5/3bBR7XZtR+2IiKaHl8IWeKIbuQpY4=
+github.com/containers/buildah v1.38.1-0.20241115143500-f1543bdd7d37/go.mod h1:bjeQEXG0EDiLEkUmi4m7ihv6Ic1BugUF/wUfIcKBcU0=
 github.com/containers/common v0.61.1-0.20241112152446-305e9ce69b0f h1:K3jmJrkDJJhLnRdVFI7Gb5mv4/jb2ue9StZ2F1y2rsE=
 github.com/containers/common v0.61.1-0.20241112152446-305e9ce69b0f/go.mod h1:NGRISq2vTFPSbhNqj6MLwyes4tWSlCnqbJg7R77B8xc=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
diff --git a/libpod/runtime_img.go b/libpod/runtime_img.go
index 585e1f0217..bac8ec31f2 100644
--- a/libpod/runtime_img.go
+++ b/libpod/runtime_img.go
@@ -120,6 +120,8 @@ func (r *Runtime) Build(ctx context.Context, options buildahDefine.BuildOptions, if options.Runtime == "" { options.Runtime = r.GetOCIRuntimePath() } + options.NoPivotRoot = r.config.Engine.NoPivotRoot + // share the network interface between podman and buildah options.NetworkInterface = r.network id, ref, err := imagebuildah.BuildDockerfiles(ctx, r.store, options, dockerfiles...) diff --git a/vendor/github.com/containers/buildah/.cirrus.yml b/vendor/github.com/containers/buildah/.cirrus.yml index 32ecc0f79c..5ac4bd8b71 100644 --- a/vendor/github.com/containers/buildah/.cirrus.yml +++ b/vendor/github.com/containers/buildah/.cirrus.yml @@ -32,7 +32,7 @@ env: DEBIAN_NAME: "debian-13" # Image identifiers - IMAGE_SUFFIX: "c20241106t163000z-f41f40d13" + IMAGE_SUFFIX: "c20241107t210000z-f41f40d13" FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}" PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}" DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}" @@ -120,13 +120,14 @@ vendor_task: # Runs within Cirrus's "community cluster" container: - image: docker.io/library/golang:latest + image: docker.io/library/golang:1.22 cpu: 1 memory: 1 timeout_in: 5m vendor_script: + - './hack/check_vendor_toolchain.sh Try updating the image used by the vendor_task in .cirrus.yml.' - 'make vendor' - './hack/tree_status.sh' diff --git a/vendor/github.com/containers/buildah/.codespellrc b/vendor/github.com/containers/buildah/.codespellrc new file mode 100644 index 0000000000..64a29fe602 --- /dev/null +++ b/vendor/github.com/containers/buildah/.codespellrc @@ -0,0 +1,3 @@ +[codespell] +skip = ./vendor,./.git,./go.sum,./docs/*.1,./docker/AUTHORS,./CHANGELOG.md,./changelog.txt,./tests/tools/vendor,./tests/tools/go.mod,./tests/tools/go.sum +ignore-words-list = fo,passt,secon,erro diff --git a/vendor/github.com/containers/buildah/Makefile b/vendor/github.com/containers/buildah/Makefile index 37dbeb43e9..8ca47072da 100644 --- a/vendor/github.com/containers/buildah/Makefile 
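Review bot: The added `options.NoPivotRoot = r.config.Engine.NoPivotRoot` in the libpod/runtime_img.go hunk overwrites whatever the caller put in `options`, whereas the `options.Runtime` default directly above it only fills in an empty value; a caller that passes `NoPivotRoot: true` would have it silently reset to false whenever the engine config leaves the setting off. Because this field decides whether the build container's rootfs is set up with pivot_root for RUN steps, I would merge instead of assign: `options.NoPivotRoot = options.NoPivotRoot || r.config.Engine.NoPivotRoot`. The line is also uncommented while its neighbour carries one; `// honor the engine-level NoPivotRoot setting when buildah runs build steps` would match the surrounding style. Build's body starts and ends outside this hunk, so any earlier handling of the option is not visible here.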
+++ b/vendor/github.com/containers/buildah/Makefile @@ -1,7 +1,7 @@ export GOPROXY=https://proxy.golang.org APPARMORTAG := $(shell hack/apparmor_tag.sh) -STORAGETAGS := exclude_graphdriver_devicemapper $(shell ./btrfs_tag.sh) $(shell ./btrfs_installed_tag.sh) $(shell ./hack/libsubid_tag.sh) +STORAGETAGS := $(shell ./btrfs_tag.sh) $(shell ./btrfs_installed_tag.sh) $(shell ./hack/libsubid_tag.sh) SECURITYTAGS ?= seccomp $(APPARMORTAG) TAGS ?= $(SECURITYTAGS) $(STORAGETAGS) $(shell ./hack/systemd_tag.sh) ifeq ($(shell uname -s),FreeBSD) @@ -29,15 +29,12 @@ RACEFLAGS := $(shell $(GO_TEST) -race ./pkg/dummy > /dev/null 2>&1 && echo -race COMMIT_NO ?= $(shell git rev-parse HEAD 2> /dev/null || true) GIT_COMMIT ?= $(if $(shell git status --porcelain --untracked-files=no),${COMMIT_NO}-dirty,${COMMIT_NO}) SOURCE_DATE_EPOCH ?= $(if $(shell date +%s),$(shell date +%s),$(error "date failed")) -STATIC_STORAGETAGS = "containers_image_openpgp $(STORAGE_TAGS)" # we get GNU make 3.x in MacOS build envs, which wants # to be escaped in # strings, while the 4.x we have on Linux doesn't. this is the documented # workaround COMMENT := \# CNI_COMMIT := $(shell sed -n 's;^$(COMMENT) github.com/containernetworking/cni \([^ \n]*\).*$$;\1;p' vendor/modules.txt) -RUNC_COMMIT := $(shell sed -n 's;^$(COMMENT) github.com/opencontainers/runc \([^ \n]*\).*$$;\1;p' vendor/modules.txt) -LIBSECCOMP_COMMIT := release-2.3 EXTRA_LDFLAGS ?= BUILDAH_LDFLAGS := $(GO_LDFLAGS) '-X main.GitCommit=$(GIT_COMMIT) -X main.buildInfo=$(SOURCE_DATE_EPOCH) -X main.cniVersion=$(CNI_COMMIT) $(EXTRA_LDFLAGS)' 
@@ -122,14 +119,8 @@ clean: docs: install.tools ## build the docs on the host $(MAKE) -C docs -# For vendoring to work right, the checkout directory must be such that our top -# level is at $GOPATH/src/github.com/containers/buildah. -.PHONY: gopath -gopath: - test $(shell pwd) = $(shell cd ../../../../src/github.com/containers/buildah ; pwd) - codespell: - codespell -S Makefile,buildah.spec.rpkg,AUTHORS,bin,vendor,.git,go.mod,go.sum,CHANGELOG.md,changelog.txt,seccomp.json,.cirrus.yml,"*.xz,*.gz,*.tar,*.tgz,*ico,*.png,*.1,*.5,*.orig,*.rej" -L secon,passt,bu,uint,iff,od,erro -w + codespell -w .PHONY: validate validate: install.tools @@ -142,25 +133,6 @@ validate: install.tools install.tools: $(MAKE) -C tests/tools -.PHONY: runc -runc: gopath - rm -rf ../../opencontainers/runc - git clone https://github.com/opencontainers/runc ../../opencontainers/runc - cd ../../opencontainers/runc && git checkout $(RUNC_COMMIT) && $(GO) build -tags "$(STORAGETAGS) $(SECURITYTAGS)" - ln -sf ../../opencontainers/runc/runc - -.PHONY: install.libseccomp.sudo -install.libseccomp.sudo: gopath - rm -rf ../../seccomp/libseccomp - git clone https://github.com/seccomp/libseccomp ../../seccomp/libseccomp - cd ../../seccomp/libseccomp && git checkout $(LIBSECCOMP_COMMIT) && ./autogen.sh && ./configure --prefix=/usr && make all && sudo make install - -.PHONY: install.cni.sudo -install.cni.sudo: gopath - rm -rf ../../containernetworking/plugins - git clone https://github.com/containernetworking/plugins ../../containernetworking/plugins - cd ../../containernetworking/plugins && ./build_linux.sh && sudo install -D -v -m755 -t /opt/cni/bin/ bin/* - .PHONY: install install: install -d -m 755 $(DESTDIR)/$(BINDIR) 
@@ -178,10 +150,6 @@ install.completions: install -m 755 -d $(DESTDIR)/$(BASHINSTALLDIR) install -m 644 contrib/completions/bash/buildah $(DESTDIR)/$(BASHINSTALLDIR)/buildah -.PHONY: install.runc -install.runc: - install -m 755 ../../opencontainers/runc/runc $(DESTDIR)/$(BINDIR)/ - .PHONY: test-conformance test-conformance: $(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" -cover -timeout 60m ./tests/conformance @@ -202,10 +170,11 @@ test-unit: tests/testreport/testreport $(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" -cover $(RACEFLAGS) ./cmd/buildah -args --root $$tmp/root --runroot $$tmp/runroot --storage-driver vfs --signature-policy $(shell pwd)/tests/policy.json --registries-conf $(shell pwd)/tests/registries.conf vendor-in-container: + goversion=$(shell sed -e '/^go /!d' -e '/^go /s,.* ,,g' go.mod) ; \ if test -d `go env GOCACHE` && test -w `go env GOCACHE` ; then \ - podman run --privileged --rm --env HOME=/root -v `go env GOCACHE`:/root/.cache/go-build --env GOCACHE=/root/.cache/go-build -v `pwd`:/src -w /src docker.io/library/golang:1.21 make vendor ; \ + podman run --privileged --rm --env HOME=/root -v `go env GOCACHE`:/root/.cache/go-build --env GOCACHE=/root/.cache/go-build -v `pwd`:/src -w /src docker.io/library/golang:$$goversion make vendor ; \ else \ - podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:1.21 make vendor ; \ + podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:$$goversion make vendor ; \ fi .PHONY: vendor diff --git a/vendor/github.com/containers/buildah/copier/syscall_unix.go b/vendor/github.com/containers/buildah/copier/syscall_unix.go index 30356caa2c..f03503b32f 100644 --- a/vendor/github.com/containers/buildah/copier/syscall_unix.go +++ b/vendor/github.com/containers/buildah/copier/syscall_unix.go 
@@ -77,12 +77,12 @@ func sameDevice(a, b os.FileInfo) bool { if aSys == nil || bSys == nil { return true } - au, aok := aSys.(*syscall.Stat_t) - bu, bok := bSys.(*syscall.Stat_t) - if !aok || !bok { + uA, okA := aSys.(*syscall.Stat_t) + uB, okB := bSys.(*syscall.Stat_t) + if !okA || !okB { return true } - return au.Dev == bu.Dev + return uA.Dev == uB.Dev } const ( diff --git a/vendor/github.com/containers/buildah/define/build.go b/vendor/github.com/containers/buildah/define/build.go index 68f3455b34..359eec7d16 100644 --- a/vendor/github.com/containers/buildah/define/build.go +++ b/vendor/github.com/containers/buildah/define/build.go @@ -379,4 +379,6 @@ type BuildOptions struct { // provides a minimal initial configuration with a working directory // set in it. CompatScratchConfig types.OptionalBool + // NoPivotRoot inhibits the usage of pivot_root when setting up the rootfs + NoPivotRoot bool } diff --git a/vendor/github.com/containers/buildah/define/types.go b/vendor/github.com/containers/buildah/define/types.go index 044705f382..1b85ba1dad 100644 --- a/vendor/github.com/containers/buildah/define/types.go +++ b/vendor/github.com/containers/buildah/define/types.go @@ -29,7 +29,7 @@ const ( // identify working containers. Package = "buildah" // Version for the Package. Also used by .packit.sh for Packit builds. - Version = "1.38.0" + Version = "1.39.0-dev" // DefaultRuntime if containers.conf fails. DefaultRuntime = "runc" diff --git a/vendor/github.com/containers/buildah/imagebuildah/executor.go b/vendor/github.com/containers/buildah/imagebuildah/executor.go index b2526d0390..e3ee9fc4fa 100644 --- a/vendor/github.com/containers/buildah/imagebuildah/executor.go +++ b/vendor/github.com/containers/buildah/imagebuildah/executor.go @@ -163,6 +163,7 @@ type Executor struct { compatSetParent types.OptionalBool compatVolumes types.OptionalBool compatScratchConfig types.OptionalBool + noPivotRoot bool } type imageTypeAndHistoryAndDiffIDs struct { 
@@ -322,6 +323,7 @@ func newExecutor(logger *logrus.Logger, logPrefix string, store storage.Store, o compatSetParent: options.CompatSetParent, compatVolumes: options.CompatVolumes, compatScratchConfig: options.CompatScratchConfig, + noPivotRoot: options.NoPivotRoot, } if exec.err == nil { exec.err = os.Stderr diff --git a/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go b/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go index 9ac5cc4313..3b1784e750 100644 --- a/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go +++ b/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go @@ -800,7 +800,7 @@ func (s *StageExecutor) Run(run imagebuilder.Run, config docker.Config) error { NamespaceOptions: namespaceOptions, NoHostname: s.executor.noHostname, NoHosts: s.executor.noHosts, - NoPivot: os.Getenv("BUILDAH_NOPIVOT") != "", + NoPivot: os.Getenv("BUILDAH_NOPIVOT") != "" || s.executor.noPivotRoot, Quiet: s.executor.quiet, CompatBuiltinVolumes: types.OptionalBoolFalse, RunMounts: run.Mounts, diff --git a/vendor/github.com/containers/buildah/install.md b/vendor/github.com/containers/buildah/install.md index 87657897e3..df8a82560e 100644 --- a/vendor/github.com/containers/buildah/install.md +++ b/vendor/github.com/containers/buildah/install.md @@ -194,11 +194,8 @@ In Fedora, you can use this command: Then to install Buildah on Fedora follow the steps in this example: ``` - mkdir ~/buildah - cd ~/buildah - export GOPATH=`pwd` - git clone https://github.com/containers/buildah ./src/github.com/containers/buildah - cd ./src/github.com/containers/buildah + git clone https://github.com/containers/buildah + cd buildah make sudo make install buildah --help 
@@ -252,18 +249,10 @@ In Ubuntu 22.10 (Karmic) or Debian 12 (Bookworm) you can use these commands: ``` sudo apt-get -y -qq update - sudo apt-get -y install bats btrfs-progs git go-md2man golang libapparmor-dev libglib2.0-dev libgpgme11-dev libseccomp-dev libselinux1-dev make skopeo libbtrfs-dev + sudo apt-get -y install bats btrfs-progs git go-md2man golang libapparmor-dev libglib2.0-dev libgpgme11-dev libseccomp-dev libselinux1-dev make runc skopeo libbtrfs-dev ``` -Then to install Buildah follow the steps in this example: - -``` - git clone https://github.com/containers/buildah - cd buildah - make runc all SECURITYTAGS="apparmor seccomp" - sudo make install install.runc - buildah --help -``` +The build steps for Buildah on Debian or Ubuntu are the same as for Fedora, above. ## Vendoring - Dependency Management diff --git a/vendor/modules.txt b/vendor/modules.txt index 82cdfa0e10..72ac9a2e11 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -143,7 +143,7 @@ github.com/containernetworking/cni/pkg/version # github.com/containernetworking/plugins v1.5.1 ## explicit; go 1.20 github.com/containernetworking/plugins/pkg/ns -# github.com/containers/buildah v1.38.0 +# github.com/containers/buildah v1.38.1-0.20241115143500-f1543bdd7d37 ## explicit; go 1.22.6 github.com/containers/buildah github.com/containers/buildah/bind