run: add support for inline --network in RUN stmt

Buildah should allow clients to support inline --network in RUN stmts so users can create isolate or expose a particular build containers. ```Dockerfile FROM alpine RUN --network=host wget google.com RUN --network=none wget google.com ``` Closes: #4230 Signed-off-by: Aditya R <arajan@redhat.com>
containers · Mar 13, 2023 · dc9d40c · dc9d40c
1 parent e2210c3
commit dc9d40c
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 1 deletion.
diff --git a/imagebuildah/stage_executor.go b/imagebuildah/stage_executor.go
@@ -599,6 +599,7 @@ func (s *StageExecutor) Run(run imagebuilder.Run, config docker.Config) error {
 		defer devNull.Close()
 		stdin = devNull
 	}
+	namespaceOptions := s.executor.namespaceOptions
 	options := buildah.RunOptions{
 		Args:             s.executor.runtimeArgs,
 		Cmd:              config.Cmd,
@@ -609,7 +610,7 @@ func (s *StageExecutor) Run(run imagebuilder.Run, config docker.Config) error {
 		Hostname:         config.Hostname,
 		Logger:           s.executor.logger,
 		Mounts:           append([]Mount{}, s.executor.transientMounts...),
-		NamespaceOptions: s.executor.namespaceOptions,
+		NamespaceOptions: namespaceOptions,
 		NoHosts:          s.executor.noHosts,
 		NoPivot:          os.Getenv("BUILDAH_NOPIVOT") != "",
 		Quiet:            s.executor.quiet,
@@ -627,6 +628,23 @@ func (s *StageExecutor) Run(run imagebuilder.Run, config docker.Config) error {
 		WorkingDir:       config.WorkingDir,
 	}
 
+	// Honor `RUN --network=<>`.
+	switch run.Network {
+	case "host":
+		for _, namespace := range options.NamespaceOptions {
+			if namespace.Name == "network" {
+				namespace.Host = true
+			}
+		}
+		options.ConfigureNetwork = define.NetworkEnabled
+	case "none":
+		options.ConfigureNetwork = define.NetworkDisabled
+	case "":
+		// do nothing
+	default:
+		return fmt.Errorf(`unsupported value %q for "RUN --network", must be either "host" or "none"`, run.Network)
+	}
+
 	if config.NetworkDisabled {
 		options.ConfigureNetwork = buildah.NetworkDisabled
 	}

diff --git a/tests/bud.bats b/tests/bud.bats
@@ -25,6 +25,23 @@ load helpers
   expect_output --substring "options use-vc"
 }
 
+@test "build with inline RUN --network=host" {
+  run_buildah build $WITH_POLICY_JSON -t source -f $BUDFILES/inline-network/Dockerfile1
+  expect_output --substring "Connecting to google.com"
+  expect_output --substring "index.html"
+}
+
+@test "build with inline RUN --network=none" {
+  run_buildah 1 build $WITH_POLICY_JSON -t source -f $BUDFILES/inline-network/Dockerfile2
+  expect_output --substring "wget: bad address"
+}
+
+@test "build with inline RUN --network=fake" {
+  run_buildah 125 build $WITH_POLICY_JSON -t source -f $BUDFILES/inline-network/Dockerfile3
+  expect_output --substring "unsupported value"
+}
+
+
 @test "bud with ignoresymlink on default file" {
 	  cat > /tmp/private_file << _EOF
 hello

diff --git a/tests/bud/inline-network/Dockerfile1 b/tests/bud/inline-network/Dockerfile1
@@ -0,0 +1,2 @@
+FROM alpine
+RUN --network=host wget google.com
diff --git a/tests/bud/inline-network/Dockerfile2 b/tests/bud/inline-network/Dockerfile2
@@ -0,0 +1,2 @@
+FROM alpine
+RUN --network=none wget google.com
diff --git a/tests/bud/inline-network/Dockerfile3 b/tests/bud/inline-network/Dockerfile3
@@ -0,0 +1,3 @@
+FROM alpine
+RUN --network=fake wget google.com
+