mount,cache: lockfiles must not be part of users cache content

`--mount=type=cache` must not add internal lockfiles to cache directory created by users instead store it in a different central directory with path as `/base/buildah-cache/buildah-lockfiles`. There are use-cases where users can wipe cache between the builds so lockfiles will be removed in unexpected manner and also its not okay to mix buildah's internal construct with user's cache content. Helps in: containers#4342 Signed-off-by: Aditya R <arajan@redhat.com>
flouthoc · Oct 19, 2022 · f2e0af5 · f2e0af5
1 parent 7f2e17e
commit f2e0af5
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/internal/parse/parse.go b/internal/parse/parse.go
@@ -33,6 +33,9 @@ const (
 	BuildahCacheDir = "buildah-cache"
 	// mount=type=cache allows users to lock a cache store while its being used by another build
 	BuildahCacheLockfile = "buildah-cache-lockfile"
+	// All the lockfiles are stored in a separate directory inside `BuildahCacheDir`
+	// Example `/var/tmp/buildah-cache/<target>/buildah-cache-lockfile`
+	BuildahCacheLockfileDir = "buildah-cache-lockfiles"
 )
 
 var (
@@ -187,6 +190,7 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
 func GetCacheMount(args []string, store storage.Store, imageMountLabel string, additionalMountPoints map[string]internal.StageMountDetails) (specs.Mount, []string, error) {
 	var err error
 	var mode uint64
+	var buildahLockFilesDir string
 	lockedTargets := make([]string, 0)
 	var (
 		setDest           bool
@@ -336,8 +340,10 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 
 		if id != "" {
 			newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
 		} else {
 			newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
 		}
 		idPair := idtools.IDPair{
 			UID: uid,
@@ -348,18 +354,25 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 		if err != nil {
 			return newMount, lockedTargets, fmt.Errorf("unable to change uid,gid of cache directory: %w", err)
 		}
+
+		// create a subdirectory inside `cacheParent` just to store lockfiles
+		buildahLockFilesDir = filepath.Join(cacheParent, buildahLockFilesDir)
+		err = os.MkdirAll(buildahLockFilesDir, os.FileMode(0700))
+		if err != nil {
+			return newMount, lockedTargets, fmt.Errorf("unable to create build cache lockfiles directory: %w", err)
+		}
 	}
 
 	switch sharing {
 	case "locked":
 		// lock parent cache
-		lockfile, err := lockfile.GetLockfile(filepath.Join(newMount.Source, BuildahCacheLockfile))
+		lockfile, err := lockfile.GetLockfile(filepath.Join(buildahLockFilesDir, BuildahCacheLockfile))
 		if err != nil {
 			return newMount, lockedTargets, fmt.Errorf("unable to acquire lock when sharing mode is locked: %w", err)
 		}
 		// Will be unlocked after the RUN step is executed.
 		lockfile.Lock()
-		lockedTargets = append(lockedTargets, filepath.Join(newMount.Source, BuildahCacheLockfile))
+		lockedTargets = append(lockedTargets, filepath.Join(buildahLockFilesDir, BuildahCacheLockfile))
 	case "shared":
 		// do nothing since default is `shared`
 		break