run: add support for inline --network in RUN stmt

Buildah should allow clients to support inline --network in RUN stmts so users can create isolate or expose a particular build containers. ```Dockerfile FROM alpine RUN --network=host wget google.com RUN --network=none wget google.com ``` Closes: #4230 Signed-off-by: Aditya R <arajan@redhat.com>
containers · Mar 14, 2023 · fe4e0f3 · fe4e0f3
1 parent e2210c3
commit fe4e0f3
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 1 deletion.
diff --git a/imagebuildah/stage_executor.go b/imagebuildah/stage_executor.go
@@ -599,6 +599,7 @@ func (s *StageExecutor) Run(run imagebuilder.Run, config docker.Config) error {
 		defer devNull.Close()
 		stdin = devNull
 	}
+	namespaceOptions := append([]define.NamespaceOption{}, s.executor.namespaceOptions...)
 	options := buildah.RunOptions{
 		Args:             s.executor.runtimeArgs,
 		Cmd:              config.Cmd,
@@ -609,7 +610,7 @@ func (s *StageExecutor) Run(run imagebuilder.Run, config docker.Config) error {
 		Hostname:         config.Hostname,
 		Logger:           s.executor.logger,
 		Mounts:           append([]Mount{}, s.executor.transientMounts...),
-		NamespaceOptions: s.executor.namespaceOptions,
+		NamespaceOptions: namespaceOptions,
 		NoHosts:          s.executor.noHosts,
 		NoPivot:          os.Getenv("BUILDAH_NOPIVOT") != "",
 		Quiet:            s.executor.quiet,
@@ -627,6 +628,28 @@ func (s *StageExecutor) Run(run imagebuilder.Run, config docker.Config) error {
 		WorkingDir:       config.WorkingDir,
 	}
 
+	// Honor `RUN --network=<>`.
+	switch run.Network {
+	case "host":
+		didConfigure := false
+		for i, namespace := range options.NamespaceOptions {
+			if namespace.Name == "network" {
+				didConfigure = true
+				options.NamespaceOptions[i].Host = true
+			}
+		}
+		if !didConfigure {
+			options.NamespaceOptions.AddOrReplace(define.NamespaceOption{Name: "network", Host: true})
+		}
+		options.ConfigureNetwork = define.NetworkEnabled
+	case "none":
+		options.ConfigureNetwork = define.NetworkDisabled
+	case "":
+		// do nothing
+	default:
+		return fmt.Errorf(`unsupported value %q for "RUN --network", must be either "host" or "none"`, run.Network)
+	}
+
 	if config.NetworkDisabled {
 		options.ConfigureNetwork = buildah.NetworkDisabled
 	}

diff --git a/tests/bud.bats b/tests/bud.bats
@@ -25,6 +25,25 @@ load helpers
   expect_output --substring "options use-vc"
 }
 
+@test "build with inline RUN --network=host" {
+  #hostns=$(readlink /proc/self/ns/net)
+  run readlink /proc/self/ns/net
+  hostns="$output"
+  run_buildah build $WITH_POLICY_JSON -t source -f $BUDFILES/inline-network/Dockerfile1
+  expect_output --from="${lines[9]}" "${hostns}"
+}
+
+@test "build with inline RUN --network=none" {
+  run_buildah 1 build $WITH_POLICY_JSON -t source -f $BUDFILES/inline-network/Dockerfile2
+  expect_output --substring "wget: bad address"
+}
+
+@test "build with inline RUN --network=fake" {
+  run_buildah 125 build $WITH_POLICY_JSON -t source -f $BUDFILES/inline-network/Dockerfile3
+  expect_output --substring "unsupported value"
+}
+
+
 @test "bud with ignoresymlink on default file" {
 	  cat > /tmp/private_file << _EOF
 hello

diff --git a/tests/bud/inline-network/Dockerfile1 b/tests/bud/inline-network/Dockerfile1
@@ -0,0 +1,2 @@
+FROM alpine
+RUN --network=host readlink /proc/self/ns/net
diff --git a/tests/bud/inline-network/Dockerfile2 b/tests/bud/inline-network/Dockerfile2
@@ -0,0 +1,2 @@
+FROM alpine
+RUN --network=none wget google.com
diff --git a/tests/bud/inline-network/Dockerfile3 b/tests/bud/inline-network/Dockerfile3
@@ -0,0 +1,3 @@
+FROM alpine
+RUN --network=fake wget google.com
+