
Need regression tests for podman build and mounts.conf #8679

Closed
vrothberg opened this issue Dec 10, 2020 · 7 comments
Labels
locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@vrothberg
Member

I am currently looking at https://bugzilla.redhat.com/show_bug.cgi?id=1895027. We regressed in the 1.6.X series on mounting secrets during builds. It's fairly easy to reproduce with a Dockerfile:

FROM $IMAGE
RUN ls $MOUNT

With $MOUNT being the expected mount of the secret. For testing, we could setup a custom mounts.conf mounting a file.

Pulling in @edsantiago for input.

@github-actions

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Member

rhatdan commented Jan 10, 2021

@vrothberg @edsantiago No movement on this issue.

@edsantiago edsantiago changed the title Need regression tests for podma build and mounts.conf Need regression tests for podman build and mounts.conf Jan 25, 2021
@edsantiago
Member

So, this may be a dumb question, but, do we expect this to actually work in podman right now?

# mkdir -p /tmp/podmantest/secrets
# echo /tmp/podmantest/secrets:/run/secrets >/tmp/podmantest/mounts.conf
# echo shhhh >/tmp/podmantest/secrets/file
# printf "FROM quay.io/libpod/testimage:20200929\nRUN ls -l /run/secrets\n" | podman --default-mounts-file=/tmp/podman/mounts.conf build -t foo -
STEP 1: FROM quay.io/libpod/testimage:20200929
STEP 2: RUN ls -l /run/secrets
total 0
STEP 3: COMMIT foo
--> 0acf9c0d708
0acf9c0d708255abb9ef5c1984c1558ca5d735b1fcd4619131a9b1c7254e18ed

It doesn't work via podman run either:

# podman --default-mounts-file=/tmp/podman/mounts.conf run quay.io/libpod/testimage:20200929 ls -l /run/secrets
total 0

Am I misunderstanding the --default-mounts-file option?

@rhatdan
Member

rhatdan commented Jan 25, 2021

This worked for me as root.

# cat /tmp/podman/mounts.conf 
/tmp/dan:/run/secrets
# mkdir /tmp/dan/
# touch /tmp/dan/walsh
# podman --default-mounts-file=/tmp/podman/mounts.conf run quay.io/libpod/testimage:20200929 ls -l /run/secrets
total 0
-rw-r--r--    1 root     root             0 Jan 25 19:36 walsh

@edsantiago
Member

@rhatdan the podman run error was a stupid typo on my end. I confirm that podman run works as expected with a custom mounts.conf. podman build does not (for me). Can you get podman build to see your secret?

# printf "FROM quay.io/libpod/testimage:20200929\nRUN ls -l /run/secrets\n" | podman --default-mounts-file=/tmp/podman/mounts.conf build -t foo -

@edsantiago
Member

OK it looks like podman build is ignoring --default-mounts-file. Buildah has the equivalent option, it's just that podman isn't passing it through.
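As an added example (not podman's or buildah's own code), a small Go reader for the mounts.conf format used throughout this thread, one `/host/path:/container/path` entry per line: it rejects relative or one-part entries and host paths that do not exist, the kind of pre-check a regression test would want so that a wrong path (like the /tmp/podman vs /tmp/podmantest mix-up above) fails loudly instead of silently yielding an empty /run/secrets. Assumed, not taken from the page: blank lines and lines starting with '#' are skipped as comments.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Mount is one "host:container" entry from a mounts.conf file.
type Mount struct{ Host, Container string }
// ParseMountLine accepts only "/abs/host:/abs/container" entries.
func ParseMountLine(line string) (Mount, error) {
	host, ctr, ok := strings.Cut(strings.TrimSpace(line), ":")
	if !ok || !filepath.IsAbs(host) || !filepath.IsAbs(ctr) {
		return Mount{}, fmt.Errorf("bad mounts.conf entry %q: want /host/path:/container/path", line)
	}
	return Mount{filepath.Clean(host), filepath.Clean(ctr)}, nil
}
// ReadMountsConf parses the file (blank and '#' lines skipped, an assumed convention)
// and rejects host paths that do not exist, so a wrong path is an error here rather
// than an empty /run/secrets inside the container.
func ReadMountsConf(path string) ([]Mount, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var mounts []Mount
	for n, raw := range strings.Split(string(data), "\n") {
		if raw = strings.TrimSpace(raw); raw == "" || strings.HasPrefix(raw, "#") {
			continue
		}
		m, err := ParseMountLine(raw)
		if err == nil {
			_, err = os.Stat(m.Host)
		}
		if err != nil {
			return nil, fmt.Errorf("%s:%d: %w", path, n+1, err)
		}
		mounts = append(mounts, m)
	}
	return mounts, nil
}

func main() { // constructed sample: a secrets dir and a mounts.conf that points at it
	dir, _ := os.MkdirTemp("", "mountsconf")
	_ = os.MkdirAll(filepath.Join(dir, "secrets"), 0o700)
	_ = os.WriteFile(filepath.Join(dir, "mounts.conf"), []byte(dir+"/secrets:/run/secrets\n"), 0o600)
	fmt.Println(ReadMountsConf(filepath.Join(dir, "mounts.conf")))
	_ = os.RemoveAll(dir)
}
```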

edsantiago added a commit to edsantiago/libpod that referenced this issue Jan 25, 2021
- stop: test --all and --ignore (containers#9051)
- build: test /run/secrets (containers#8679, but see below)
- sensitive mount points: deal with 'stat' failures
- selinux: confirm useful diagnostics on unknown labels (containers#8946)

The 'build' test is intended as a fix for containers#8679, in which
'podman build' does not mount secrets from mounts.conf.
Unfortunately, as of this writing, 'podman build' does
not pass the --default-mounts-file option to buildah,
so there's no reasonable way to test this path. Still,
we can at least confirm /run/secrets on 'podman run'.

The /sys thing is related to containers#8949: RHEL8, rootless, cgroups v1.
It's just a workaround to get gating tests to pass on RHEL.

Signed-off-by: Ed Santiago <[email protected]>
@edsantiago
Member

Fixed in #9091

iwita pushed a commit to iwita/podman that referenced this issue Jan 26, 2021
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023