Merge pull request #242 from gabemontero/fix-host-entilements-46

Bug 1946363: move entitlement related secrets back to mounts.conf
openshift · Apr 15, 2021 · 263041a · 263041a
2 parents 11392a0 + 4a2303c
commit 263041a
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 22 deletions.
diff --git a/go.sum b/go.sum
@@ -178,6 +178,7 @@ github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHo
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f h1:JOrtw2xFKzlg+cbHpyrpLDmnN1HqhBfnX7WDiW7eG2c=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
@@ -651,7 +652,7 @@ github.com/openshift/library-go v0.0.0-20201126123001-e59ac21aada3 h1:sk60hcNw2I
 github.com/openshift/library-go v0.0.0-20201126123001-e59ac21aada3/go.mod h1:KNfLGf4dIRJ+QB2aGy67AOy1k+DV783cMCuJf0d4Zik=
 github.com/openshift/moby-moby v1.4.2-0.20190308215630-da810a85109d h1:1LuQzDKgiXj1omPNDcY1E/mEOE/90jdobR+7WBfBQYA=
 github.com/openshift/moby-moby v1.4.2-0.20190308215630-da810a85109d/go.mod h1:LJM49W8fBVSj+rvcopJZu9mgH5Tx6HwLHySIYeGeu4k=
-github.com/openshift/source-to-image v1.3.0 h1:ZktIgJ85Vn0HOyHdS6uQOMXhmYwc5h76w/6LpnJ60L8=
+github.com/openshift/source-to-image v1.3.0 h1:YDEH0PY0sMaUNbpJAGnDZA94tkAD6qi1Rou8ycWRPRc=
 github.com/openshift/source-to-image v1.3.0/go.mod h1:HEWMBvkkwGoJo+CMxnfYJW6O52zc052D83XBUo1zFRw=
 github.com/opentracing-contrib/go-stdlib v0.0.0-20171029140428-b1a47cfbdd75/go.mod h1:PLldrQSroqzH70Xl+1DQcGnefIbqsKR7UDaiux3zV+w=
 github.com/opentracing/opentracing-go v0.0.0-20171003133519-1361b9cd60be/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=

diff --git a/imagecontent/etc/containers/mounts.conf b/imagecontent/etc/containers/mounts.conf
@@ -0,0 +1,3 @@
+/run/secrets/rhsm:/run/secrets/rhsm
+/run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement
+/run/secrets/redhat.repo:/run/secrets/redhat.repo
diff --git a/pkg/build/builder/daemonless.go b/pkg/build/builder/daemonless.go
@@ -32,7 +32,6 @@ import (
 
 	"github.com/openshift/builder/pkg/build/builder/cmd/dockercfg"
 	builderutil "github.com/openshift/builder/pkg/build/builder/util"
-	s2ifs "github.com/openshift/source-to-image/pkg/util/fs"
 )
 
 var (
@@ -216,25 +215,6 @@ func buildDaemonlessImage(sc types.SystemContext, store storage.Store, isolation
 		}
 	}
 
-	var transientMounts []string
-	if st, err := os.Stat("/run/secrets/rhsm"); err == nil && st.IsDir() {
-		// Add a bind of /run/secrets/rhsm, to pass along anything that the
-		// runtime mounted from the node into our /run/secrets/rhsm.
-		log.V(0).Infof("Adding transient rw bind mount for /run/secrets/rhsm")
-		tmpDir, err := ioutil.TempDir("/tmp", "rhsm-copy")
-		if err != nil {
-			log.V(0).Infof("Error creating tmpdir to set up /run/secrets/rhsm in build container: %s", err.Error())
-			return err
-		}
-		fs := s2ifs.NewFileSystem()
-		err = fs.CopyContents("/run/secrets/rhsm", tmpDir, map[string]string{})
-		if err != nil {
-			log.V(0).Infof("Error copying /run/secrets/rhsm to tmpdir %s: %s", tmpDir, err.Error())
-			return err
-		}
-		transientMounts = append(transientMounts, fmt.Sprintf("%s:/run/secrets/rhsm:rw,nodev,noexec,nosuid", tmpDir))
-	}
-
 	// Use a profile provided in the image instead of the default provided
 	// in runtime-tools's generator logic.
 	seccompProfilePath := "/usr/share/containers/seccomp.json"
@@ -243,7 +223,6 @@ func buildDaemonlessImage(sc types.SystemContext, store storage.Store, isolation
 		ContextDirectory: contextDir,
 		PullPolicy:       pullPolicy,
 		Isolation:        isolation,
-		TransientMounts:  transientMounts,
 		Args:             args,
 		Output:           opts.Name,
 		Out:              opts.OutputStream,