Merge pull request #3394 from nalind/copy-release-1.21

[release-1.21]  add and use a "copy" helper instead of podman load/save

.cirrus.yml

@@ -190,6 +190,7 @@ cross_build_task:
         image: 'catalina-base'
 
     script:
+        - brew update
         - brew install go
         - brew install go-md2man
         - brew install gpgme

Makefile

@@ -34,7 +34,7 @@ LIBSECCOMP_COMMIT := release-2.3
 
 EXTRA_LDFLAGS ?=
 BUILDAH_LDFLAGS := -ldflags '-X main.GitCommit=$(GIT_COMMIT) -X main.buildInfo=$(SOURCE_DATE_EPOCH) -X main.cniVersion=$(CNI_COMMIT) $(EXTRA_LDFLAGS)'
-SOURCES=*.go imagebuildah/*.go bind/*.go chroot/*.go cmd/buildah/*.go copier/*.go docker/*.go pkg/blobcache/*.go pkg/cli/*.go pkg/parse/*.go util/*.go
+SOURCES=*.go imagebuildah/*.go bind/*.go chroot/*.go copier/*.go docker/*.go manifests/*.go pkg/blobcache/*.go pkg/chrootuser/*.go pkg/cli/*.go pkg/formats/*.go pkg/manifests/*.go pkg/overlay/*.go pkg/parse/*.go pkg/rusage/*.go util/*.go
 
 LINTFLAGS ?=
 
@@ -46,7 +46,7 @@ endif
 #     Note: Uses the -N -l go compiler options to disable compiler optimizations
 #           and inlining. Using these build options allows you to subsequently
 #           use source debugging tools like delve.
-all: bin/buildah bin/imgtype docs
+all: bin/buildah bin/imgtype bin/copy docs
 
 # Update nix/nixpkgs.json its latest stable commit
 .PHONY: nixpkgs
@@ -64,8 +64,7 @@ static:
 	mkdir -p ./bin
 	cp -rfp ./result/bin/* ./bin/
 
-.PHONY: bin/buildah
-bin/buildah:  $(SOURCES)
+bin/buildah: $(SOURCES) cmd/buildah/*.go
 	$(GO_BUILD) $(BUILDAH_LDFLAGS) -gcflags "$(GOGCFLAGS)" -o $@ $(BUILDFLAGS) ./cmd/buildah
 
 .PHONY: buildah
@@ -74,15 +73,16 @@ buildah: bin/buildah
 .PHONY: cross
 cross: bin/buildah.darwin.amd64 bin/buildah.linux.386 bin/buildah.linux.amd64 bin/buildah.linux.arm64 bin/buildah.linux.arm bin/buildah.linux.mips64 bin/buildah.linux.mips64le bin/buildah.linux.mips bin/buildah.linux.mipsle bin/buildah.linux.ppc64 bin/buildah.linux.ppc64le bin/buildah.linux.riscv64 bin/buildah.linux.s390x bin/buildah.windows.amd64.exe
 
-.PHONY: bin/buildah.%
 bin/buildah.%:
 	mkdir -p ./bin
 	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ -tags "containers_image_openpgp" ./cmd/buildah
 
-.PHONY: bin/imgtype
-bin/imgtype: *.go docker/*.go util/*.go tests/imgtype/imgtype.go
+bin/imgtype: $(SOURCES) tests/imgtype/imgtype.go
 	$(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/imgtype/imgtype.go
 
+bin/copy: $(SOURCES) tests/copy/copy.go
+	$(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/copy/copy.go
+
 .PHONY: clean
 clean:
 	$(RM) -r bin tests/testreport/testreport
@@ -99,7 +99,7 @@ gopath:
 	test $(shell pwd) = $(shell cd ../../../../src/github.com/containers/buildah ; pwd)
 
 codespell:
-	codespell -S Makefile,build,buildah,buildah.spec,imgtype,AUTHORS,bin,vendor,.git,go.sum,CHANGELOG.md,changelog.txt,seccomp.json,.cirrus.yml,"*.xz,*.gz,*.tar,*.tgz,*ico,*.png,*.1,*.5,*.orig,*.rej" -L uint,iff,od
+	codespell -S Makefile,build,buildah,buildah.spec,imgtype,copy,AUTHORS,bin,vendor,.git,go.sum,CHANGELOG.md,changelog.txt,seccomp.json,.cirrus.yml,"*.xz,*.gz,*.tar,*.tgz,*ico,*.png,*.1,*.5,*.orig,*.rej" -L uint,iff,od
 
 .PHONY: validate
 validate: install.tools

cmd/buildah/main.go

@@ -24,20 +24,21 @@ import (
 )
 
 type globalFlags struct {
-	Debug             bool
-	LogLevel          string
-	Root              string
-	RunRoot           string
-	StorageDriver     string
-	RegistriesConf    string
-	RegistriesConfDir string
-	DefaultMountsFile string
-	StorageOpts       []string
-	UserNSUID         []string
-	UserNSGID         []string
-	CPUProfile        string
-	cpuProfileFile    *os.File
-	MemoryProfile     string
+	Debug                      bool
+	LogLevel                   string
+	Root                       string
+	RunRoot                    string
+	StorageDriver              string
+	RegistriesConf             string
+	RegistriesConfDir          string
+	DefaultMountsFile          string
+	StorageOpts                []string
+	UserNSUID                  []string
+	UserNSGID                  []string
+	CPUProfile                 string
+	cpuProfileFile             *os.File
+	MemoryProfile              string
+	UserShortNameAliasConfPath string
 }
 
 var rootCmd = &cobra.Command{
@@ -83,6 +84,7 @@ func init() {
 	// TODO Need to allow for environment variable
 	rootCmd.PersistentFlags().StringVar(&globalFlagResults.RegistriesConf, "registries-conf", "", "path to registries.conf file (not usually used)")
 	rootCmd.PersistentFlags().StringVar(&globalFlagResults.RegistriesConfDir, "registries-conf-dir", "", "path to registries.conf.d directory (not usually used)")
+	rootCmd.PersistentFlags().StringVar(&globalFlagResults.UserShortNameAliasConfPath, "short-name-alias-conf", "", "path to short name alias cache file (not usually used)")
 	rootCmd.PersistentFlags().StringVar(&globalFlagResults.Root, "root", storageOptions.GraphRoot, "storage root dir")
 	rootCmd.PersistentFlags().StringVar(&globalFlagResults.RunRoot, "runroot", storageOptions.RunRoot, "storage state dir")
 	rootCmd.PersistentFlags().StringVar(&globalFlagResults.StorageDriver, "storage-driver", storageOptions.GraphDriverName, "storage-driver")

docs/buildah.md

@@ -54,6 +54,19 @@ Default root dir is configured in /etc/containers/storage.conf
 Storage state dir (default: "/run/containers/storage" for UID 0, "/run/user/$UID" for other users)
 Default state dir is configured in /etc/containers/storage.conf
 
+**--short-name-alias-conf** *path*
+
+Pathname of the file which contains cached mappings between short image names
+and their corresponding fully-qualified names.  It is used for mapping from
+names of images specified using short names like "hello-world" which don't
+include a registry component and a corresponding fully-specified name which
+includes a registry and any other components, such as
+"docker.io/library/hello-world".  It is not recommended that this option be
+used, as the default behavior of using the system-wide cache
+(*/var/cache/containers/short-name-aliases.conf*) or per-user cache
+(*$HOME/.cache/containers/short-name-aliases.conf*) to supplement system-wide
+defaults is most often preferred.
+
 **--storage-driver** **value**
 
 Storage driver.  The default storage driver for UID 0 is configured in /etc/containers/storage.conf (`$HOME/.config/containers/storage.conf` in rootless mode), and is *vfs* for other users.  The `STORAGE_DRIVER` environment variable overrides the default.  The --storage-driver specified driver overrides all.

pkg/parse/parse.go

@@ -622,6 +622,10 @@ func SystemContextFromOptions(c *cobra.Command) (*types.SystemContext, error) {
 	if err == nil && c.Flag("registries-conf-dir").Changed {
 		ctx.RegistriesDirPath = regConfDir
 	}
+	shortNameAliasConf, err := c.Flags().GetString("short-name-alias-conf")
+	if err == nil && c.Flag("short-name-alias-conf").Changed {
+		ctx.UserShortNameAliasConfPath = shortNameAliasConf
+	}
 	ctx.DockerRegistryUserAgent = fmt.Sprintf("Buildah/%s", define.Version)
 	if c.Flag("os") != nil && c.Flag("os").Changed {
 		if os, err := c.Flags().GetString("os"); err == nil {

tests/bud.bats

@@ -2461,16 +2461,16 @@ EOM
 
 @test "bud capabilities test" {
   _prefetch busybox
-  # --cap-add necessary b/c https://github.com/containers/common/pull/319
-  # removed cap_net_raw, cap_mknod, and cap_audit_write
-  run_buildah bud --cap-add cap_net_raw,cap_mknod,cap_audit_write -t testcap --signature-policy ${TESTSDIR}/policy.json -f ${TESTSDIR}/bud/capabilities/Dockerfile
+  # something not enabled by default in containers.conf
+  run_buildah bud --cap-add cap_sys_ptrace -t testcap --signature-policy ${TESTSDIR}/policy.json -f ${TESTSDIR}/bud/capabilities/Dockerfile
   expect_output --substring "uid=3267"
-  expect_output --substring "CapBnd:	00000000a80425fb"
+  expect_output --substring "CapBnd:	00000000a80c25fb"
   expect_output --substring "CapEff:	0000000000000000"
 
+  # some things enabled by default in containers.conf
   run_buildah bud --cap-drop cap_chown,cap_dac_override,cap_fowner -t testcapd --signature-policy ${TESTSDIR}/policy.json -f ${TESTSDIR}/bud/capabilities/Dockerfile
   expect_output --substring "uid=3267"
-  expect_output --substring "CapBnd:	00000000800405f0"
+  expect_output --substring "CapBnd:	00000000a80425f0"
   expect_output --substring "CapEff:	0000000000000000"
 }
 

tests/containers.conf

@@ -59,3 +59,7 @@ default_capabilities = [
     "SETUID",
     "SYS_CHROOT",
 ]
+
+default_sysctls = [
+    "net.ipv4.ping_group_range=0 0",
+]

tests/copy/copy.go

@@ -0,0 +1,111 @@
+package main
+
+import (
+	"context"
+	"os"
+
+	"github.com/containers/buildah"
+	cp "github.com/containers/image/v5/copy"
+	"github.com/containers/image/v5/signature"
+	imageStorage "github.com/containers/image/v5/storage"
+	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/containers/image/v5/types"
+	"github.com/containers/storage"
+	"github.com/containers/storage/pkg/unshare"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func main() {
+	var storeOptions storage.StoreOptions
+	var systemContext types.SystemContext
+	var logLevel string
+
+	if buildah.InitReexec() {
+		return
+	}
+
+	unshare.MaybeReexecUsingUserNamespace(false)
+
+	rootCmd := &cobra.Command{
+		Use:  "copy [flags] source destination",
+		Long: "copies an image",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := cobra.ExactArgs(2)(cmd, args); err != nil {
+				return err
+			}
+
+			level, err := logrus.ParseLevel(logLevel)
+			if err != nil {
+				return err
+			}
+			logrus.SetLevel(level)
+
+			store, err := storage.GetStore(storeOptions)
+			if err != nil {
+				return err
+			}
+			imageStorage.Transport.SetStore(store)
+
+			if len(args) < 1 {
+				return errors.Wrapf(err, "no source name provided")
+			}
+			src, err := alltransports.ParseImageName(args[0])
+			if err != nil {
+				return errors.Wrapf(err, "error parsing source name")
+			}
+			if len(args) < 1 {
+				return errors.Wrapf(err, "no destination name provided")
+			}
+			dest, err := alltransports.ParseImageName(args[1])
+			if err != nil {
+				return errors.Wrapf(err, "error parsing destination name")
+			}
+
+			policy, err := signature.DefaultPolicy(&systemContext)
+			if err != nil {
+				return errors.Wrapf(err, "error reading signature policy")
+			}
+			policyContext, err := signature.NewPolicyContext(policy)
+			if err != nil {
+				return errors.Wrapf(err, "error creating new signature policy context")
+			}
+			defer func() {
+				if err := policyContext.Destroy(); err != nil {
+					logrus.Error(errors.Wrapf(err, "error destroying signature policy context"))
+				}
+			}()
+
+			options := cp.Options{
+				ReportWriter:   os.Stdout,
+				SourceCtx:      &systemContext,
+				DestinationCtx: &systemContext,
+			}
+			if _, err = cp.Image(context.TODO(), policyContext, dest, src, &options); err != nil {
+				return err
+			}
+
+			defer func() {
+				_, err := store.Shutdown(false)
+				if err != nil {
+					logrus.Error(err)
+				}
+			}()
+			return nil
+		},
+	}
+
+	rootCmd.PersistentFlags().StringVar(&storeOptions.GraphRoot, "root", "", "storage root")
+	rootCmd.PersistentFlags().StringVar(&storeOptions.RunRoot, "runroot", "", "runtime root")
+	rootCmd.PersistentFlags().StringVar(&storeOptions.GraphDriverName, "storage-driver", "", "storage driver")
+	rootCmd.PersistentFlags().StringSliceVar(&storeOptions.GraphDriverOptions, "storage-opt", nil, "storage option")
+	rootCmd.PersistentFlags().StringVar(&systemContext.SystemRegistriesConfPath, "registries-conf", "", "location of registries.conf")
+	rootCmd.PersistentFlags().StringVar(&systemContext.SystemRegistriesConfDirPath, "registries-conf-dir", "", "location of registries.d")
+	rootCmd.PersistentFlags().StringVar(&systemContext.SignaturePolicyPath, "signature-policy", "", "`pathname` of signature policy file")
+	rootCmd.PersistentFlags().StringVar(&systemContext.UserShortNameAliasConfPath, "short-name-alias-conf", "", "`pathname` of short name alias cache file (not usually used)")
+	rootCmd.PersistentFlags().StringVar(&logLevel, "log-level", "warn", "logging level")
+	if err := rootCmd.Execute(); err != nil {
+		os.Exit(1)
+	}
+}

tests/from.bats

@@ -397,8 +397,8 @@ load helpers
 @test "from encrypted registry image" {
   _prefetch busybox
   mkdir ${TESTDIR}/tmp
-  openssl genrsa -out ${TESTDIR}/tmp/mykey.pem 1024
-  openssl genrsa -out ${TESTDIR}/tmp/mykey2.pem 1024
+  openssl genrsa -out ${TESTDIR}/tmp/mykey.pem 2048
+  openssl genrsa -out ${TESTDIR}/tmp/mykey2.pem 2048
   openssl rsa -in ${TESTDIR}/tmp/mykey.pem -pubout > ${TESTDIR}/tmp/mykey.pub
   run_buildah push --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TESTDIR}/tmp/mykey.pub busybox docker://localhost:5000/buildah/busybox_encrypted:latest
 
@@ -412,6 +412,7 @@ load helpers
 
   # Providing the right key should succeed
   run_buildah from --tls-verify=false --creds testuser:testpassword --decryption-key ${TESTDIR}/tmp/mykey.pem docker://localhost:5000/buildah/busybox_encrypted:latest
+  run_buildah rm -a
   run_buildah rmi localhost:5000/buildah/busybox_encrypted:latest
 
   rm -rf ${TESTDIR}/tmp