Default secret mode to 400

[ashley-cui]

Signed-off-by: Ashley Cui acui@redhat.com

What type of PR is this?

/kind bug

What this PR does / why we need it:

Fixed a bug where buildah bud mounted secrets permissions were incorrect due to a decimal/octal conversion error. buildah bud mounted secrets now have a default permission of 400.

How to verify it

Which issue(s) this PR fixes:

Fixes #3557

Special notes for your reviewer:

Does this PR introduce a user-facing change?

[rhatdan]

LGTM

[rhatdan]

@TomSweeneyRedHat @nalind @umohnani8 @flouthoc @vrothberg PTAL

[nalind]

LGTM

[umohnani8]

/lgtm
/hold

[flouthoc]

LGTM, restarting flakes

[flouthoc]

/hold cancel
/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ashley-cui, flouthoc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ashley-cui,flouthoc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[seb-afk]

Hi @ashley-cui thank you very much for this bugfix! Unfortunately my build is currently stuck due to this issue - is it already possible to install a buildah version with this bugfix included? (I am on RHEL8 using buildah version 1.21.4 (image-spec 1.0.1-dev, runtime-spec 1.0.2-dev). Thank you very much in advance! 🙌

[ashley-cui]

@sebastianbertoli Looks like this hasn't gotten into a release version of buildah yet. Your best bet would be to either manually changing the mode of the secret using mode=400 or building from upstream.

[seb-afk]

Hi @ashley-cui, thank you for the advice! I'll try it out the mode=400 tomorrow and hopefully get rid of my temporary workaround. 🚀

[seb-afk]

Hi @ashley-cui,

is this supposed to work or am I overlooking something? Thanks!

$ buildah bud --tag foo:latest --secret id=MY_SECRET,src=SECRET_FILE,mode=400 .

I am getting this error: error creating build executor: incorrect secret flag format: should be --secret id=foo,src=bar

[rhatdan]

You might need a newer buildah?

[seb-afk]

Hi @rhatdan thank you for reaching out! I am on RHEL8.4 and 1.21.4 which I thought is the latest official release: https://buildah.io/releases/ (?)

Do I need to follow these steps? https://github.com/containers/buildah/blob/main/install.md#rhel8-beta

Cheers! :)

[rhatdan]

https://github.com/containers/buildah/releases

[rhatdan]

RHEL8.5 should have buildah 1.23.1
@jnovy correct?

[jnovy]

There is currently buildah-1.22.3 in the current 8.5. There will be 1.23.1 in the next 8.5 batch update - happening soon.