diff --git a/SOURCES/buildah-1756986.patch b/SOURCES/buildah-1756986.patch
new file mode 100644
index 0000000..e70ea76
--- /dev/null
+++ b/SOURCES/buildah-1756986.patch
@@ -0,0 +1,98 @@
+From 6d7ab38f33edb9ab87a290a0c68cfd27b55b061f Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Wed, 8 Jan 2020 11:02:05 -0500
+Subject: [PATCH 1/2] Check for .dockerignore specifically
+
+When generating the list of exclusions to process .dockerignore
+contents, don't include .dockerignore if we don't have a .dockerignore
+file in the context directory. That way, if the file doesn't exist, and
+the caller didn't pass in any patterns, we get no patterns instead of
+just one ".dockerignore" pattern, and we can hit the faster copy path.
+
+Signed-off-by: Nalin Dahyabhai
+
+Closes: #2072
+Approved by: giuseppe
+---
+ add.go | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/add.go b/add.go
+index b5119e369..e82a5ef9a 100644
+--- a/add.go
++++ b/add.go
+@@ -215,7 +215,12 @@ func dockerIgnoreMatcher(lines []string, contextDir string) (*fileutils.PatternM
+ if contextDir == "" {
+ return nil, nil
+ }
+- patterns := []string{".dockerignore"}
++ // If there's no .dockerignore file, then we don't have to add a
++ // pattern to tell copy logic to ignore it later.
++ var patterns []string
++ if _, err := os.Stat(filepath.Join(contextDir, ".dockerignore")); err == nil || !os.IsNotExist(err) {
++ patterns = []string{".dockerignore"}
++ }
+ for _, ignoreSpec := range lines {
+ ignoreSpec = strings.TrimSpace(ignoreSpec)
+ // ignore comments passed back from .dockerignore
+@@ -224,7 +229,8 @@ func dockerIgnoreMatcher(lines []string, contextDir string) (*fileutils.PatternM
+ }
+ // if the spec starts with '!' it means the pattern
+ // should be included. make a note so that we can move
+- // it to the front of the updated pattern
++ // it to the front of the updated pattern, and insert
++ // the context dir's path in between
+ includeFlag := ""
+ if strings.HasPrefix(ignoreSpec, "!") {
+ includeFlag = "!"
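Review bot: The new existence check uses `os.Stat`, which follows symlinks, so a `.dockerignore` entry that is a dangling symlink in the context directory reports ENOENT and no exclusion pattern is added even though an entry by that name exists and may still be picked up by the copy; `os.Lstat` answers the question actually being asked, namely whether the context directory has an entry called `.dockerignore`. The condition also deliberately keeps the exclusion on any error other than ENOENT (EACCES, ENOTDIR), which is the safe choice but is not explained by the comment above it. I would change the check to `if _, err := os.Lstat(filepath.Join(contextDir, ".dockerignore")); err == nil || !os.IsNotExist(err) {` and extend the comment with `// Keep excluding it on any error other than ENOENT: if we can't tell, don't copy it.` dockerIgnoreMatcher's body continues past both hunks of this file.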
+
+From f999964084ce75c833b0cffd17fb09b947dad506 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Wed, 8 Jan 2020 11:04:57 -0500
+Subject: [PATCH 2/2] copyFileWithTar: close source files at the right time
+
+Close source files after we've finished reading from them, rather than
+leaving it for later.
+
+Signed-off-by: Nalin Dahyabhai
+
+Closes: #2072
+Approved by: giuseppe
+---
+ util.go | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/util.go b/util.go
+index b4670e41c..2f923357c 100644
+--- a/util.go
++++ b/util.go
+@@ -165,11 +165,6 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
+ if err != nil {
+ return errors.Wrapf(err, "error opening %q to copy its contents", src)
+ }
+- defer func() {
+- if err := f.Close(); err != nil {
+- logrus.Debugf("error closing %s: %v", fi.Name(), err)
+- }
+- }()
+ }
+ }
+
+@@ -200,6 +195,9 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
+ logrus.Debugf("error copying contents of %s: %v", fi.Name(), err)
+ copyErr = err
+ }
++ if err = srcFile.Close(); err != nil {
++ logrus.Debugf("error closing %s: %v", fi.Name(), err)
++ }
+ }
+ if err = writer.Close(); err != nil {
+ logrus.Debugf("error closing write pipe for %s: %v", hdr.Name, err)
+@@ -213,7 +211,6 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
+ if err == nil {
+ err = copyErr
+ }
+- f = nil
+ if pipeWriter != nil {
+ pipeWriter.Close()
+ }
diff --git a/SOURCES/buildah-1784950.patch b/SOURCES/buildah-1784950.patch
new file mode 100644
index 0000000..11ec21d
--- /dev/null
+++ b/SOURCES/buildah-1784950.patch
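Review bot: Removing the deferred close in the first hunk leaves `f` unclosed on every return path between `os.Open` and the explicit `srcFile.Close()` added in the second hunk; the code in between (old lines ~170–195 of util.go) is outside this patch, and any early `return` there, for example on a failed tar-header build, now leaks the descriptor, which on a COPY of many files is exactly the kind of fd pressure this change is meant to relieve. A safer shape keeps a fallback defer that only fires when the copy path never took ownership of the handle, with the flag flipped in the same goroutine that runs the defer (i.e. before the copy is started), so the fast path still closes early and error paths stay covered. copyFileWithTar starts before the first hunk and ends after the last one, and how `f` relates to `srcFile` is not visible here, so the sketch below assumes `srcFile` aliases `f` and that a `copyDone := false` is declared alongside `f`.
```go
		// Fallback close for the return paths between open and the copy;
		// copyDone is set right before the copy takes over the handle.
		defer func() {
			if !copyDone && f != nil {
				if err := f.Close(); err != nil {
					logrus.Debugf("error closing %s: %v", fi.Name(), err)
				}
			}
		}()
	// … unchanged: header construction, up to the point the copy is started …
	copyDone = true
	// … unchanged: copy, then the explicit srcFile.Close() this patch adds …
```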
@@ -0,0 +1,145 @@
+From fb7d2b6bd6a16ffdbe4a69428e3ba5b487719e78 Mon Sep 17 00:00:00 2001
+From: Daniel J Walsh
+Date: Tue, 17 Dec 2019 15:24:29 -0500
+Subject: [PATCH] Add support for FIPS-Mode backends
+
+If host is running in fips mode, then RHEL8.2 and beyond container images
+will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
+This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
+order to make all tools in the container follow the FIPS Mode rules.
+
+Signed-off-by: Daniel J Walsh
+---
+ pkg/secrets/secrets.go | 48 +++++++++++++++++++++++++++++++++---------
+ run_linux.go | 2 +-
+ 2 files changed, 39 insertions(+), 11 deletions(-)
+
+diff -up ./buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/pkg/secrets/secrets.go.1784950 ./buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/pkg/secrets/secrets.go
+--- buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/pkg/secrets/secrets.go.1784950 2020-02-19 16:26:58.582289704 +0100
++++ buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/pkg/secrets/secrets.go 2020-02-19 16:26:58.584289732 +0100
+@@ -148,12 +148,21 @@ func getMountsMap(path string) (string,
+ }
+
+ // SecretMounts copies, adds, and mounts the secrets to the container root filesystem
++// Deprecated, Please use SecretMountWithUIDGID
+ func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
+ return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
+ }
+
+-// SecretMountsWithUIDGID specifies the uid/gid of the owner
+-func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
++// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem
++// mountLabel: MAC/SELinux label for container content
++// containerWorkingDir: Private data for storing secrets on the host mounted in container.
++// mountFile: Additional mount points required for the container.
++// mountPoint: Container image mountpoint
++// uid: to assign to content created for secrets
++// gid: to assign to content created for secrets
++// rootless: indicates whether container is running in rootless mode
++// disableFips: indicates whether system should ignore fips mode
++func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
+ var (
+ secretMounts []rspec.Mount
+ mountFiles []string
+@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel,
+ }
+ for _, file := range mountFiles {
+ if _, err := os.Stat(file); err == nil {
+- mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
++ mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
+ if err != nil {
+ logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err)
+ }
+@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel,
+ // Add FIPS mode secret if /etc/system-fips exists on the host
+ _, err := os.Stat("/etc/system-fips")
+ if err == nil {
+- if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
++ if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
+ logrus.Errorf("error adding FIPS mode secret to container: %v", err)
+ }
+ } else if os.IsNotExist(err) {
+@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid in
+
+ // addSecretsFromMountsFile copies the contents of host directory to container directory
+ // and returns a list of mounts
+-func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
++func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
+ var mounts []rspec.Mount
+ defaultMountsPaths := getMounts(filePath)
+ for _, path := range defaultMountsPaths {
+@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath,
+ }
+
+ m := rspec.Mount{
+- Source: filepath.Join(mountPrefix, ctrDirOrFile),
++ Source: ctrDirOrFileOnHost,
+ Destination: ctrDirOrFile,
+ Type: "bind",
+ Options: []string{"bind", "rprivate"},
+@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath,
+ // root filesystem if /etc/system-fips exists on hosts.
+ // This enables the container to be FIPS compliant and run openssl in
+ // FIPS mode as the host is also in FIPS mode.
+-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
++func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
+ secretsDir := "/run/secrets"
+ ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
+ if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
+ if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
+- return errors.Wrapf(err, "making container directory on host failed")
++ return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost)
+ }
+ if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
+- return errors.Wrap(err, "error applying correct labels")
++ return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost)
+ }
+ }
+ fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
+@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.M
+
+ if !mountExists(*mounts, secretsDir) {
+ m := rspec.Mount{
+- Source: filepath.Join(mountPrefix, secretsDir),
++ Source: ctrDirOnHost,
+ Destination: secretsDir,
+ Type: "bind",
+ Options: []string{"bind", "rprivate"},
+@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.M
+ *mounts = append(*mounts, m)
+ }
+
++ srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
++ destDir := "/etc/crypto-policies/back-ends"
++ srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++ if _, err := os.Stat(srcOnHost); err != nil {
++ if os.IsNotExist(err) {
++ return nil
++ }
++ return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost)
++ }
++
++ if !mountExists(*mounts, destDir) {
++ m := rspec.Mount{
++ Source: srcOnHost,
++ Destination: destDir,
++ Type: "bind",
++ Options: []string{"bind", "rprivate"},
++ }
++ *mounts = append(*mounts, m)
++ }
+ return nil
+ }
+
+diff -up ./buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/run_linux.go.1784950 ./buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/run_linux.go
+--- buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/run_linux.go.1784950 2020-02-19 16:26:58.555289325 +0100
++++ buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/run_linux.go 2020-02-19 16:26:58.557289353 +0100
+@@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint
+ }
+
+ // Get the list of secrets mounts.
+- secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false)
++ secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false)
+
+ // Add temporary copies of the contents of volume locations at the
+ // volume locations, unless we already have something there.
diff --git a/SPECS/buildah.spec b/SPECS/buildah.spec
index 68a8001..c4e478b 100644
--- a/SPECS/buildah.spec
+++ b/SPECS/buildah.spec
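Review bot: `srcOnHost` is built with `filepath.Join(mountPoint, srcBackendDir)` and checked with `os.Stat`, neither of which confines the path to the image root: everything under `mountPoint` is image content, and if an image ships `/usr/share/crypto-policies/back-ends/FIPS` as an absolute symlink (say to `/etc`), `os.Stat` succeeds by resolving it against the host's `/` and the bind mount's `Source` then names that host directory, which is mounted read-write into the build container. The path should be resolved inside the image root before it is used as a mount source, for example with `securejoin.SecureJoin(mountPoint, srcBackendDir)` (I believe buildah already vendors filepath-securejoin for its volume handling; this file may need the import), or at minimum by evaluating the symlinks and refusing a result that does not stay under `mountPoint`. Separately, the wrapped error on the stat failure prints `ctrDirOnHost` (the /run/secrets directory) rather than the path that was actually stat'ed, so it should read `return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", srcOnHost)`. Lastly, the deprecation comment added earlier in this file, `// Deprecated, Please use SecretMountWithUIDGID`, names a function that does not exist (missing "s") and is not in the `// Deprecated: …` form Go tooling recognizes; `// Deprecated: use SecretMountsWithUIDGID instead.` fixes both.
```go
	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
	destDir := "/etc/crypto-policies/back-ends"
	// Resolve inside the image root so an image-supplied symlink cannot
	// turn the bind source into a host path.
	srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
	if err != nil {
		return errors.Wrapf(err, "resolving FIPS backend directory %q under %q", srcBackendDir, mountPoint)
	}
	if _, err := os.Stat(srcOnHost); err != nil {
		if os.IsNotExist(err) {
			return nil
		}
		return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", srcOnHost)
	}
	// … unchanged: mountExists check and append of the bind mount …
```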
@@ -25,12 +25,18 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 Name: %{repo}
 Version: 1.11.6
-Release: 4%{?dist}
+Release: 6%{?dist}
 Summary: A command line tool used for creating OCI Images
 License: ASL 2.0
 URL: https://%{name}.io
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Patch0: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/1996.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1784950
+# backported: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2031.patch
+Patch1: buildah-1784950.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1756986
+# patch: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2181.patch
+Patch2: buildah-1756986.patch
 BuildRequires: golang >= 1.12.12-4
 BuildRequires: git
@@ -117,6 +123,14 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
 %{_datadir}/%{name}/test
 %changelog
+* Tue Feb 25 2020 Jindrich Novy - 1.11.6-6
+- fix "COPY command takes long time with buildah"
+- Resolves: #1806119
+
+* Wed Feb 19 2020 Jindrich Novy - 1.11.6-5
+- fix "Podman support for FIPS Mode requires a bind mount inside the container"
+- Resolves: #1804188
+
 * Wed Dec 11 2019 Jindrich Novy - 1.11.6-4
 - compile in FIPS mode
 - Related: RHELPLAN-25138
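Review bot: Patch1 and Patch2 are declared in this hunk but nothing visible applies them; if %prep (outside these hunks) uses `%autosetup` or `%autopatch` that is already covered, otherwise each needs an explicit `%patch1 -p1` and `%patch2 -p1`, or the build ships 1.11.6-6 without the FIPS back-end mount and the COPY fix that the changelog entries claim. Both patch files strip cleanly at `-p1` (one is git-style `a/`/`b/`, the other is prefixed with the `buildah-<commit>/` source directory). A cheap check is `rpmbuild -bp` followed by grepping the unpacked `pkg/secrets/secrets.go` for `srcBackendDir`.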