[release-1.34] Cherry Pick a number of commits from main #5343
Conversation
55d4471 to daba20d
Looks like 6 or 7 of the picks I did are not signed, but I've no clue how to get them to be signed? Thoughts?
Replaces: containers#5014 Signed-off-by: Aditya R <arajan@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
This is a common mistake by users and is ignored in some places but not everywhere. This change will help this to be ignored everywhere. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
When using the working container's rootfs to populate a plaintext disk image with mkfs, instead of writing .krun_config.json to the rootfs and then removing it afterward (since we don't want it to show up if the same working container is later committed to non confidential-workload image), mount an overlay filesystem using a temporary directory as the upper and the rootfs as the lower, create the .krun_config.json file in the overlay filesystem, and use the overlay filesystem as the source directory for mkfs. Add the necessary stubs to allow pkg/overlay to at least compile on non-Linux systems. Change the naming scheme for a test so that the path names it uses for temporary directories don't include "," or "=", which can confuse the kernel. Creating confidential workload images will now only be possible on Linux systems, but we exec'd out to sevctl to read platform certificates, and that requires kernel support with vendor firmware, so I don't know that anyone will actually be impacted by the change. Teach pkg/overlay.MountWithOptions() to accept `nil` as a pointer to a struct parameter that is otherwise optional. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Add a flag to `buildah commit` which allows adding arbitrary files to the image while we're committing it. When not squashing, they'll take the form of a second new layer. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Fixes: containers#4740 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Introduced in go 1.18: golang/go#46336 [NO NEW TESTS NEEDED] Signed-off-by: Philip Dubé <philip@peerdb.io> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Signed-off-by: Philip Dubé <philip@peerdb.io> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
When using buildah with `--layers` then buildah must correctly burst layer cache if `heredoc` content is changed. Following is achieved via properly adding `heredoc` content to the history of the built image. Closes: containers#5225 Signed-off-by: flouthoc <flouthoc.git@gmail.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
If there is a shebang in a heredoc file then buildah must honor it. Consider a case of

```Dockerfile
FROM python:3.11-slim-bullseye
RUN <<EOF
print('hello world')
EOF
```

Closes: containers#5251 Signed-off-by: flouthoc <flouthoc.git@gmail.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
And don't refer to a filename in an example as a directory in accompanying text. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
If the parent image has layers but no history, force our own omitHistory setting on. The alternative is to create a history that only explains the presence of some of the layers in our output image, which looks broken to everyone who might consume that image, including ourselves if we try to use it as a base image later. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Some new heredoc test added "FROM blah blah python whatever", an image that (presumably) exists on docker.io but does not exist in our cache. Plus, test was completely broken anyway. It would've found the "this is the output" lines even without python, as part of the verbose build. Solution: don't use python. You don't need python to test a shebang. You can use anything. 'cat' is traditional, but I choose 'rev' because that makes it nearly impossible for the test to match merely due to a build-step echo. Signed-off-by: Ed Santiago <santiago@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
The build breaks trying to build libcontainer/userns which no longer builds on FreeBSD. Fortunately we only need this for userns.RunningInUserNS so this change moves that call to a linux-only file and adds a stub for FreeBSD. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
We have this same parsing code in 3, maybe 4, places in our sources. Someone needs to go through it all and get this to be parsed in fewer places. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
It was generating an error when parsing "14.0-RELEASE-p4" due to a stupid bug when attempting to check that the version part only has two parts. Signed-off-by: Doug Rabson <dfr@rabson.org> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
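The FreeBSD release-string parse the commit above describes, as an added example that is not buildah's own code: the struct layout, function name and field rules are assumptions. It accepts the trailing "-pN" patch suffix of "14.0-RELEASE-p4" while still requiring exactly two dot-separated parts in the version field.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// FreeBSDVersion holds the pieces of a string such as "14.0-RELEASE-p4".
// Assumed layout for this illustration, not buildah's own type.
type FreeBSDVersion struct {
	Major, Minor int
	Branch       string // e.g. "RELEASE", "STABLE", "CURRENT"
	Patch        int    // the N in a trailing "-pN"; 0 when absent
}

// ParseFreeBSDVersion splits on "-": the first field is "major.minor",
// the second is the branch, and an optional third "pN" field is the patch
// level. The two-part check is applied to the version field alone, so a
// patch suffix does not trip it.
func ParseFreeBSDVersion(s string) (FreeBSDVersion, error) {
	var v FreeBSDVersion
	fields := strings.Split(s, "-")
	if len(fields) < 2 || len(fields) > 3 {
		return v, fmt.Errorf("unexpected release string %q", s)
	}
	parts := strings.Split(fields[0], ".")
	if len(parts) != 2 {
		return v, fmt.Errorf("version %q must have exactly two parts", fields[0])
	}
	var err error
	if v.Major, err = strconv.Atoi(parts[0]); err != nil {
		return v, err
	}
	if v.Minor, err = strconv.Atoi(parts[1]); err != nil {
		return v, err
	}
	v.Branch = fields[1]
	if len(fields) == 3 {
		if !strings.HasPrefix(fields[2], "p") {
			return v, fmt.Errorf("unexpected patch field %q", fields[2])
		}
		if v.Patch, err = strconv.Atoi(fields[2][1:]); err != nil {
			return v, err
		}
	}
	return v, nil
}

func main() {
	v, err := ParseFreeBSDVersion("14.0-RELEASE-p4")
	fmt.Printf("%+v %v\n", v, err)
}
```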
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Followthrough on containers#5221, with thanks to @krumelmonster: move footnotes on divisive language to exactly where divisive language is used Signed-off-by: Ed Santiago <santiago@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
fix a crash when RUN is executed without any argument. Closes: containers#5312 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Podman currently sets the ulimits of nofile and nproc to max in rootless mode, if the user does not override. Buildah on the other hand just passes in the current defaults. Podman build should match podman run, and this will fix that problem. Fixes: containers#5273 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Signed-off-by: James Fraser <wulfgar.pro@gmail.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Buildah must show a summary of heredoc content in build output so it's easy for developers to understand which heredoc got executed; this is similar to what buildkit does for heredoc content. See: https://github.com/moby/buildkit/blob/master/frontend/dockerfile/dockerfile2llb/convert.go#L1853 Sample output of buildah

```console
STEP 1/5: FROM docker.io/library/python:latest
STEP 2/5: RUN <<EOF (echo "Hello" >> /hello...)
STEP 3/5: RUN python3 <<EOF (with open("/hello", "w") as f:...)
STEP 4/5: RUN ls -a
```

Signed-off-by: flouthoc <flouthoc.git@gmail.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Signed-off-by: flouthoc <flouthoc.git@gmail.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
This is needed until there is netavark support on FreeBSD [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Replaces: containers#5014 Signed-off-by: Aditya R <arajan@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
daba20d to 83a1368
Figured it out, in my mass cherry-pick command, I neglected to add the
PR LGTM :)
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: flouthoc, TomSweeneyRedHat The full list of commands accepted by this bot can be found here. The pull request process is described here
5009a39 into containers:release-1.34
Picks a number of commits from main to get some of the new functionality there and to prepare for a v1.34.1 release for Fedora and friends.
Once merged, I plan to update/vendor a number of libraries for security and other fixes, and then will spin a new release.
This is my first time doing a massive cherry pick like this, so buyer beware.