diff --git a/imagebuildah/stage_executor.go b/imagebuildah/stage_executor.go
index ac1068fbf49..d9e515c926a 100644
--- a/imagebuildah/stage_executor.go
+++ b/imagebuildah/stage_executor.go
@@ -19,6 +19,7 @@ import (
 "github.com/containers/buildah/pkg/parse"
 "github.com/containers/buildah/pkg/rusage"
 "github.com/containers/buildah/util"
+ config "github.com/containers/common/pkg/config"
 cp "github.com/containers/image/v5/copy"
 "github.com/containers/image/v5/docker/reference"
 "github.com/containers/image/v5/manifest"
@@ -64,6 +65,7 @@ type StageExecutor struct {
 output string
 containerIDs []string
 stage *imagebuilder.Stage
+ processedArgs []string // contains args which are processed and were added implicitly in Containerfile using ARG
 }
 // Preserve informs the stage executor that from this point on, it needs to
@@ -1228,6 +1230,11 @@ func (s *StageExecutor) getCreatedBy(node *parser.Node, addedContentSummary stri
 }
 switch strings.ToUpper(node.Value) {
 case "ARG":
+ for _, variable := range strings.Fields(node.Original) {
+ if variable != "ARG" {
+ s.processedArgs = append(s.processedArgs, variable)
+ }
+ }
 buildArgs := s.getBuildArgsKey()
 return "/bin/sh -c #(nop) ARG " + buildArgs
 case "RUN":
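Review bot: The comment on the new `processedArgs` field says the args "were added implicitly", but the field is filled from ARG instructions the author wrote into the Containerfile — those are the explicitly declared ones, while the proxy variables from `config.ProxyEnv` are the implicit, predefined ones — so the comment inverts the very distinction the field exists to draw. Suggest `processedArgs []string // names of ARGs explicitly declared in the Containerfile/Dockerfile; a predefined proxy build-arg is written to history only if it appears here`. The rest of the StageExecutor struct lies outside this hunk.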
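Review bot: The names recorded at `s.processedArgs = append(s.processedArgs, variable)` are raw whitespace-separated fields of `node.Original`, so a declaration written as `ARG HTTP_PROXY=http://proxy:3128` stores `HTTP_PROXY=http://proxy:3128` rather than `HTTP_PROXY`, and the exact `key == processedArg` comparison in getBuildArgsResolvedForRun never matches it — the user did declare the arg, yet its value is still dropped from history. The `variable != "ARG"` filter also excludes only the upper-case spelling, while the enclosing switch accepts the instruction in any case via `strings.ToUpper(node.Value)`, so a lower-case `arg FOO` records the literal word `arg` as an argument name. Skipping the first field and cutting at the first `=` fixes both; if the parser node exposes its parsed argument chain, that would be a more robust source than re-tokenizing `node.Original`. getCreatedBy continues before and after this hunk.
```go
case "ARG":
	// node.Original is the raw instruction line: drop the keyword (first
	// field, whatever its case) and keep only the name from `NAME` or `NAME=default`.
	for i, field := range strings.Fields(node.Original) {
		if i == 0 {
			continue
		}
		s.processedArgs = append(s.processedArgs, strings.SplitN(field, "=", 2)[0])
	}
	// … unchanged: buildArgs := s.getBuildArgsKey() and the return …
```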
@@ -1271,7 +1278,31 @@ func (s *StageExecutor) getBuildArgsResolvedForRun() string {
 if inImage {
 envs = append(envs, fmt.Sprintf("%s=%s", key, configuredEnvs[key]))
 } else {
- envs = append(envs, fmt.Sprintf("%s=%s", key, value))
+ // by default everything must be added to history
+ // this is configured to false only for special cases
+ addToHistory := true
+
+ // following value is being assigned from build-args
+ // check if this key belongs to any of the predefined whitelisted args e.g Proxy Variables
+ // and if that arg is not manually set in Containerfile/Dockerfile
+ // then don't write its value to history.
+ // following behaviour ensures parity with docker/buildkit behviour
+ for _, variable := range config.ProxyEnv {
+ if key == variable {
+ // found in predefined args
+ // so don't add to history
+ // unless user did implicit `ARG `
+ addToHistory = false
+ for _, processedArg := range s.processedArgs {
+ if key == processedArg {
+ addToHistory = true
+ }
+ }
+ }
+ }
+ if addToHistory {
+ envs = append(envs, fmt.Sprintf("%s=%s", key, value))
+ }
 }
 }
 }
diff --git a/tests/history.bats b/tests/history.bats
index ee28895e8f7..99e17d4d652 100644
--- a/tests/history.bats
+++ b/tests/history.bats
@@ -108,3 +108,37 @@ function testconfighistory() {
 run_buildah inspect --format '{{range .Docker.History}}{{println .CreatedBy}}{{end}}' runimg
 expect_output --substring "/bin/sh -c uname -a"
 }
+
+@test "history should not contain whitelisted vars unless set in ARG" {
+ _prefetch busybox
+ ctxdir=${TESTDIR}/bud
+ mkdir -p $ctxdir
+ cat >$ctxdir/Dockerfile <$ctxdir/Dockerfile <
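Review bot: The decision starting at `for _, variable := range config.ProxyEnv` is a nested linear scan that keeps iterating after the match is found and recomputes the flag per proxy name; buildah's `util` package, already imported at the top of this file, has a `StringInSlice` helper (confirm the name in this version) that collapses it to a single readable condition. The comment block also carries typos (`behviour`, `e.g`) and calls the Containerfile's own ARG an "implicit" one, which is backwards. One caveat deserves a line in the comment: this keeps proxy values out of the RUN history only when they arrive via `--build-arg`; as soon as the Containerfile declares `ARG HTTP_PROXY`, a proxy URL carrying credentials is recorded in the image history — docker/buildkit parity, but maintainers should not read this as a complete credential scrub. The enclosing function begins before this hunk.
```go
} else {
	// Values that arrive via --build-arg for one of the predefined proxy
	// variables (config.ProxyEnv) stay out of history unless the Containerfile
	// itself declares that ARG; this matches docker/buildkit behaviour.
	// NOTE: a declared ARG HTTP_PROXY whose URL embeds credentials *is* recorded.
	addToHistory := true
	if util.StringInSlice(key, config.ProxyEnv) && !util.StringInSlice(key, s.processedArgs) {
		addToHistory = false
	}
	if addToHistory {
		envs = append(envs, fmt.Sprintf("%s=%s", key, value))
	}
}
```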