CRI: Add Buildah to ISO, for building OCI images #3225

Closed
1 change: 1 addition & 0 deletions deploy/iso/minikube-iso/package/Config.in
Expand Up @@ -2,6 +2,7 @@ menu "System tools"
source "$BR2_EXTERNAL_MINIKUBE_PATH/package/rkt-bin/Config.in"
source "$BR2_EXTERNAL_MINIKUBE_PATH/package/runc-master/Config.in"
source "$BR2_EXTERNAL_MINIKUBE_PATH/package/podman/Config.in"
source "$BR2_EXTERNAL_MINIKUBE_PATH/package/buildah/Config.in"
source "$BR2_EXTERNAL_MINIKUBE_PATH/package/crio-bin/Config.in"
source "$BR2_EXTERNAL_MINIKUBE_PATH/package/crictl-bin/Config.in"
source "$BR2_EXTERNAL_MINIKUBE_PATH/package/automount/Config.in"
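--- a/deploy/iso/minikube-iso/package/buildah/1071.patch
+++ b/deploy/iso/minikube-iso/package/buildah/1071.patch
@@ -0,0 +1,169 @@
+From 23d1a4c1e60820b463982997617ee15478691043 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?= <[email protected]>
+Date: Fri, 5 Oct 2018 23:53:23 +0200
+Subject: [PATCH 1/3] Add the --no-pivot flag to the run command
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+--no-pivot: "do not use pivot root to jail process inside rootfs.
+This should be used whenever the rootfs is on top of a ramdisk"
+
+Signed-off-by: Anders F Björklund <[email protected]>
+---
+cmd/buildah/run.go | 7 +++++++
+run.go | 10 +++++++++-
+2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/cmd/buildah/run.go b/cmd/buildah/run.go
+index 45cae49..a314347 100644
+--- a/cmd/buildah/run.go
++++ b/cmd/buildah/run.go
+@@ -43,6 +43,10 @@ var (
+Name: "runtime-flag",
+Usage: "add global flags for the container runtime",
+},
++ cli.BoolFlag{
++ Name: "no-pivot",
++ Usage: "do not use pivot root to jail process inside rootfs",
++ },
+cli.StringSliceFlag{
+Name: "security-opt",
+Usage: "security options (default [])",
+@@ -108,6 +112,8 @@ func runCmd(c *cli.Context) error {
+runtimeFlags = append(runtimeFlags, "--"+arg)
+}
+
++ noPivot := c.Bool("no-pivot")
++
+namespaceOptions, networkPolicy, err := parse.NamespaceOptions(c)
+if err != nil {
+return errors.Wrapf(err, "error parsing namespace-related options")
+@@ -117,6 +123,7 @@ func runCmd(c *cli.Context) error {
+Hostname: c.String("hostname"),
+Runtime: c.String("runtime"),
+Args: runtimeFlags,
++ NoPivot: noPivot,
+User: c.String("user"),
+Isolation: isolation,
+NamespaceOptions: namespaceOptions,
+diff --git a/run.go b/run.go
+index d73f0d2..0a93515 100644
+--- a/run.go
++++ b/run.go
+@@ -146,6 +146,8 @@ type RunOptions struct {
+Runtime string
+// Args adds global arguments for the runtime.
+Args []string
++ // NoPivot adds the --no-pivot runtime flag.
++ NoPivot bool
+// Mounts are additional mount points which we want to provide.
+Mounts []specs.Mount
+// Env is additional environment variables to set.
+@@ -1091,7 +1093,13 @@ func (b *Builder) Run(command []string, options RunOptions) error {
+// }
+// }
+// options.Args = append(options.Args, rootlessFlag...)
+- err = b.runUsingRuntimeSubproc(options, configureNetwork, configureNetworks, nil, spec, mountPoint, path, Package+"-"+filepath.Base(path))
++ var moreCreateArgs []string
++ if options.NoPivot {
++ moreCreateArgs = []string{"--no-pivot"}
++ } else {
++ moreCreateArgs = nil
++ }
++ err = b.runUsingRuntimeSubproc(options, configureNetwork, configureNetworks, moreCreateArgs, spec, mountPoint, path, Package+"-"+filepath.Base(path))
+case IsolationChroot:
+err = chroot.RunUsingChroot(spec, path, options.Stdin, options.Stdout, options.Stderr)
+case IsolationOCIRootless:
+--
+2.7.4
+
+From 49b559f0ce30c3c673b7d3699890a019c17fdc50 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?= <[email protected]>
+Date: Sun, 7 Oct 2018 14:04:10 +0200
+Subject: [PATCH 2/3] Add man page and bash completion, for --no-pivot
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Anders F Björklund <[email protected]>
+---
+contrib/completions/bash/buildah | 1 +
+docs/buildah-run.md | 5 +++++
+2 files changed, 6 insertions(+)
+
+diff --git a/contrib/completions/bash/buildah b/contrib/completions/bash/buildah
+index d974817..68b4460 100644
+--- a/contrib/completions/bash/buildah
++++ b/contrib/completions/bash/buildah
+@@ -397,6 +397,7 @@ return 1
+--memory-swap
+--net
+--network
++ --no-pivot
+--pid
+--runtime
+--runtime-flag
+diff --git a/docs/buildah-run.md b/docs/buildah-run.md
+index cea65f0..874c7a4 100644
+--- a/docs/buildah-run.md
++++ b/docs/buildah-run.md
+@@ -111,6 +111,11 @@ runtime, the manpage to consult is `runc(8)`).
+Note: Do not pass the leading `--` to the flag. To pass the runc flag `--log-format json`
+to buildah run, the option given would be `--runtime-flag log-format=json`.
+
++**--no-pivot**
++
++Do not use pivot root to jail process inside rootfs. This should be used
++whenever the rootfs is on top of a ramdisk.
++
+**-t**, **--tty**, **--terminal**
+
+By default a pseudo-TTY is allocated only when buildah's standard input is
+--
+2.7.4
+
+From 4386d22866717ca81c6b298188141ac77a71a383 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?= <[email protected]>
+Date: Sun, 7 Oct 2018 14:33:45 +0200
+Subject: [PATCH 3/3] Allow setting --no-pivot default with an env var
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Anders F Björklund <[email protected]>
+---
+cmd/buildah/run.go | 2 +-
+docs/buildah-run.md | 3 +++
+2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/cmd/buildah/run.go b/cmd/buildah/run.go
+index a314347..3569b01 100644
+--- a/cmd/buildah/run.go
++++ b/cmd/buildah/run.go
+@@ -112,7 +112,7 @@ func runCmd(c *cli.Context) error {
+runtimeFlags = append(runtimeFlags, "--"+arg)
+}
+
+- noPivot := c.Bool("no-pivot")
++ noPivot := c.Bool("no-pivot") || (os.Getenv("BUILDAH_NOPIVOT") != "")
+
+namespaceOptions, networkPolicy, err := parse.NamespaceOptions(c)
+if err != nil {
+diff --git a/docs/buildah-run.md b/docs/buildah-run.md
+index 874c7a4..bbee1a6 100644
+--- a/docs/buildah-run.md
++++ b/docs/buildah-run.md
+@@ -116,6 +116,9 @@ to buildah run, the option given would be `--runtime-flag log-format=json`.
+Do not use pivot root to jail process inside rootfs. This should be used
+whenever the rootfs is on top of a ramdisk.
+
++Note: You can make this option the default by setting the BUILDAH\_NOPIVOT
++environment variable. `export BUILDAH_NOPIVOT=true`
++
+**-t**, **--tty**, **--terminal**
+
+By default a pseudo-TTY is allocated only when buildah's standard input is
+--
+2.7.4
+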
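--- a/deploy/iso/minikube-iso/package/buildah/Config.in
+++ b/deploy/iso/minikube-iso/package/buildah/Config.in
@@ -0,0 +1,11 @@
+config BR2_PACKAGE_BUILDAH
+bool "buildah"
+default y
+depends on BR2_x86_64
+depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
+depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
+depends on BR2_TOOLCHAIN_HAS_THREADS
+select BR2_PACKAGE_LIBSECCOMP
+select BR2_PACKAGE_LIBGPGME
+select BR2_PACKAGE_LVM2
+select BR2_PACKAGE_LIBGLIB2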
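--- a/deploy/iso/minikube-iso/package/buildah/buildah.hash
+++ b/deploy/iso/minikube-iso/package/buildah/buildah.hash
@@ -0,0 +1 @@
+sha256 1f502d76178ffe177651fba63c1ee4d7ba8c5411d8124ca24ffbec613b115bb6 v1.4.tar.gz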
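--- a/deploy/iso/minikube-iso/package/buildah/buildah.mk
+++ b/deploy/iso/minikube-iso/package/buildah/buildah.mk
@@ -0,0 +1,34 @@
+BUILDAH_VERSION = v1.4
+BUILDAH_SITE = https://github.com/containers/buildah/archive
+BUILDAH_SOURCE = $(BUILDAH_VERSION).tar.gz
+BUILDAH_LICENSE = Apache-2.0
+BUILDAH_LICENSE_FILES = LICENSE
+
+BUILDAH_DEPENDENCIES = host-go
+
+BUILDAH_GOPATH = $(@D)/_output
+BUILDAH_BIN_ENV = \
+CGO_ENABLED=1 \
+GOPATH="$(BUILDAH_GOPATH)" \
+GOBIN="$(BUILDAH_GOPATH)/bin" \
+PATH=$(BUILDAH_GOPATH)/bin:$(BR_PATH)
+
+
+define BUILDAH_CONFIGURE_CMDS
+mkdir -p $(BUILDAH_GOPATH)
+mv $(@D)/vendor $(BUILDAH_GOPATH)/src
+mkdir -p $(BUILDAH_GOPATH)/src/github.com/containers
+ln -sf $(@D) $(BUILDAH_GOPATH)/src/github.com/containers/buildah
+endef
+
+define BUILDAH_BUILD_CMDS
+mkdir -p $(@D)/bin
+$(BUILDAH_BIN_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) PREFIX=/usr buildah
+endef
+
+define BUILDAH_INSTALL_TARGET_CMDS
+$(INSTALL) -Dm755 $(@D)/buildah $(TARGET_DIR)/usr/bin/buildah
+$(INSTALL) -Dm644 $(BR2_EXTERNAL_MINIKUBE_PATH)/package/buildah/buildah.profile $(TARGET_DIR)/etc/profile.d/buildah.sh
+endef
+
+$(eval $(generic-package))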
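Review bot: `BUILDAH_DEPENDENCIES` lists only `host-go`, while this package's Config.in selects libseccomp, libgpgme, lvm2 and libglib2. In Buildroot a `select` enables a package but does not order its build, so the `CGO_ENABLED=1` build could start before those libraries are staged. That would make the result depend on build order. If buildah links against them, as the selects suggest, `BUILDAH_DEPENDENCIES = host-go libseccomp libgpgme lvm2 libglib2` would make the ordering explicit. A short comment above `BUILDAH_INSTALL_TARGET_CMDS` saying that `buildah.profile` turns `--no-pivot` on image-wide would also help anyone auditing the ISO's defaults.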
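--- a/deploy/iso/minikube-iso/package/buildah/buildah.profile
+++ b/deploy/iso/minikube-iso/package/buildah/buildah.profile
@@ -0,0 +1 @@
+export BUILDAH_NOPIVOT=true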
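Review bot: This export turns off pivot_root for every `buildah run` started from a login shell on the image, and the file has no comment saying why the weaker setting is the default. I would add one above the export, for example `# rootfs is on a ramdisk, where pivot_root cannot be used; see --no-pivot in buildah-run(1)`, assuming that is the reason. Because the patched buildah treats any non-empty value as enabled, a user can only opt out with `unset BUILDAH_NOPIVOT`, which the comment should state. Processes that do not source /etc/profile.d, such as services, will presumably not see the variable, so the default is not uniform across callers.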