podman
643 строки · 20.9 Кб
1package volumes2import (4"context"5"fmt"6"os"7"path"8"path/filepath"9"strconv"10"strings"11"errors"13"github.com/containers/buildah/copier"15"github.com/containers/buildah/define"16"github.com/containers/buildah/internal"17internalParse "github.com/containers/buildah/internal/parse"18"github.com/containers/buildah/internal/tmpdir"19internalUtil "github.com/containers/buildah/internal/util"20"github.com/containers/common/pkg/parse"21"github.com/containers/image/v5/types"22"github.com/containers/storage"23"github.com/containers/storage/pkg/idtools"24"github.com/containers/storage/pkg/lockfile"25"github.com/containers/storage/pkg/unshare"26specs "github.com/opencontainers/runtime-spec/specs-go"27selinux "github.com/opencontainers/selinux/go-selinux"28)29const (31// TypeTmpfs is the type for mounting tmpfs32TypeTmpfs = "tmpfs"33// TypeCache is the type for mounting a common persistent cache from host34TypeCache = "cache"35// mount=type=cache must create a persistent directory on host so its available for all consecutive builds.36// Lifecycle of following directory will be inherited from how host machine treats temporary directory37buildahCacheDir = "buildah-cache"38// mount=type=cache allows users to lock a cache store while its being used by another build39BuildahCacheLockfile = "buildah-cache-lockfile"40// All the lockfiles are stored in a separate directory inside `BuildahCacheDir`41// Example `/var/tmp/buildah-cache/<target>/buildah-cache-lockfile`42BuildahCacheLockfileDir = "buildah-cache-lockfiles"43)44var (46errBadMntOption = errors.New("invalid mount option")47errBadOptionArg = errors.New("must provide an argument for option")48errBadVolDest = errors.New("must set volume destination")49errBadVolSrc = errors.New("must set volume source")50errDuplicateDest = errors.New("duplicate mount destination")51)52// CacheParent returns a cache parent for --mount=type=cache54func CacheParent() string {55return filepath.Join(tmpdir.GetTempDir(), buildahCacheDir+"-"+strconv.Itoa(unshare.GetRootlessUID()))56}57// FIXME: this code needs to be merged with pkg/parse/parse.go ValidateVolumeOpts59// GetBindMount parses a single bind mount entry from the --mount flag.60// Returns specifiedMount and a string which contains name of image that we mounted otherwise its empty.61// Caller is expected to perform unmount of any mounted images62func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, store storage.Store, imageMountLabel string, additionalMountPoints map[string]internal.StageMountDetails, workDir string) (specs.Mount, string, error) {63newMount := specs.Mount{64Type: define.TypeBind,65}66setRelabel := false68mountReadability := false69setDest := false70bindNonRecursive := false71fromImage := ""72for _, val := range args {74argName, argValue, hasArgValue := strings.Cut(val, "=")75switch argName {76case "type":77// This is already processed78continue79case "bind-nonrecursive":80newMount.Options = append(newMount.Options, "bind")81bindNonRecursive = true82case "ro", "nosuid", "nodev", "noexec":83// TODO: detect duplication of these options.84// (Is this necessary?)85newMount.Options = append(newMount.Options, argName)86mountReadability = true87case "rw", "readwrite":88newMount.Options = append(newMount.Options, "rw")89mountReadability = true90case "readonly":91// Alias for "ro"92newMount.Options = append(newMount.Options, "ro")93mountReadability = true94case "shared", "rshared", "private", "rprivate", "slave", "rslave", "Z", "z", "U", "no-dereference":95if hasArgValue {96return newMount, "", fmt.Errorf("%v: %w", val, errBadOptionArg)97}98newMount.Options = append(newMount.Options, argName)99case "from":100if !hasArgValue {101return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)102}103fromImage = argValue104case "bind-propagation":105if !hasArgValue {106return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)107}108newMount.Options = append(newMount.Options, argValue)109case "src", "source":110if !hasArgValue {111return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)112}113newMount.Source = argValue114case "target", "dst", "destination":115if !hasArgValue {116return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)117}118targetPath := argValue119if !path.IsAbs(targetPath) {120targetPath = filepath.Join(workDir, targetPath)121}122if err := parse.ValidateVolumeCtrDir(targetPath); err != nil {123return newMount, "", err124}125newMount.Destination = targetPath126setDest = true127case "relabel":128if setRelabel {129return newMount, "", fmt.Errorf("cannot pass 'relabel' option more than once: %w", errBadOptionArg)130}131setRelabel = true132switch argValue {133case "private":134newMount.Options = append(newMount.Options, "Z")135case "shared":136newMount.Options = append(newMount.Options, "z")137default:138return newMount, "", fmt.Errorf("%s mount option must be 'private' or 'shared': %w", argName, errBadMntOption)139}140case "consistency":141// Option for OS X only, has no meaning on other platforms142// and can thus be safely ignored.143// See also the handling of the equivalent "delegated" and "cached" in ValidateVolumeOpts144default:145return newMount, "", fmt.Errorf("%v: %w", argName, errBadMntOption)146}147}148// default mount readability is always readonly150if !mountReadability {151newMount.Options = append(newMount.Options, "ro")152}153// Following variable ensures that we return imagename only if we did additional mount155isImageMounted := false156if fromImage != "" {157mountPoint := ""158if additionalMountPoints != nil {159if val, ok := additionalMountPoints[fromImage]; ok {160mountPoint = val.MountPoint161}162}163// if mountPoint of image was not found in additionalMap164// or additionalMap was nil, try mounting image165if mountPoint == "" {166image, err := internalUtil.LookupImage(ctx, store, fromImage)167if err != nil {168return newMount, "", err169}170mountPoint, err = image.Mount(context.Background(), nil, imageMountLabel)172if err != nil {173return newMount, "", err174}175isImageMounted = true176}177contextDir = mountPoint178}179// buildkit parity: default bind option must be `rbind`181// unless specified182if !bindNonRecursive {183newMount.Options = append(newMount.Options, "rbind")184}185if !setDest {187return newMount, fromImage, errBadVolDest188}189// buildkit parity: support absolute path for sources from current build context191if contextDir != "" {192// path should be /contextDir/specified path193evaluated, err := copier.Eval(contextDir, newMount.Source, copier.EvalOptions{})194if err != nil {195return newMount, "", err196}197newMount.Source = evaluated198} else {199// looks like its coming from `build run --mount=type=bind` allow using absolute path200// error out if no source is set201if newMount.Source == "" {202return newMount, "", errBadVolSrc203}204if err := parse.ValidateVolumeHostDir(newMount.Source); err != nil {205return newMount, "", err206}207}208opts, err := parse.ValidateVolumeOpts(newMount.Options)210if err != nil {211return newMount, fromImage, err212}213newMount.Options = opts214if !isImageMounted {216// we don't want any cleanups if image was not mounted explicitly217// so dont return anything218fromImage = ""219}220return newMount, fromImage, nil222}223// GetCacheMount parses a single cache mount entry from the --mount flag.225//226// If this function succeeds and returns a non-nil *lockfile.LockFile, the caller must unlock it (when??).227func GetCacheMount(args []string, store storage.Store, imageMountLabel string, additionalMountPoints map[string]internal.StageMountDetails, workDir string) (specs.Mount, *lockfile.LockFile, error) {228var err error229var mode uint64230var buildahLockFilesDir string231var (232setDest bool233setShared bool234setReadOnly bool235foundSElinuxLabel bool236)237fromStage := ""238newMount := specs.Mount{239Type: define.TypeBind,240}241// if id is set a new subdirectory with `id` will be created under /host-temp/buildah-build-cache/id242id := ""243// buildkit parity: cache directory defaults to 755244mode = 0o755245// buildkit parity: cache directory defaults to uid 0 if not specified246uid := 0247// buildkit parity: cache directory defaults to gid 0 if not specified248gid := 0249// sharing mode250sharing := "shared"251for _, val := range args {253argName, argValue, hasArgValue := strings.Cut(val, "=")254switch argName {255case "type":256// This is already processed257continue258case "nosuid", "nodev", "noexec":259// TODO: detect duplication of these options.260// (Is this necessary?)261newMount.Options = append(newMount.Options, argName)262case "rw", "readwrite":263newMount.Options = append(newMount.Options, "rw")264case "readonly", "ro":265// Alias for "ro"266newMount.Options = append(newMount.Options, "ro")267setReadOnly = true268case "Z", "z":269newMount.Options = append(newMount.Options, argName)270foundSElinuxLabel = true271case "shared", "rshared", "private", "rprivate", "slave", "rslave", "U":272newMount.Options = append(newMount.Options, argName)273setShared = true274case "sharing":275sharing = argValue276case "bind-propagation":277if !hasArgValue {278return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)279}280newMount.Options = append(newMount.Options, argValue)281case "id":282if !hasArgValue {283return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)284}285id = argValue286case "from":287if !hasArgValue {288return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)289}290fromStage = argValue291case "target", "dst", "destination":292if !hasArgValue {293return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)294}295targetPath := argValue296if !path.IsAbs(targetPath) {297targetPath = filepath.Join(workDir, targetPath)298}299if err := parse.ValidateVolumeCtrDir(targetPath); err != nil {300return newMount, nil, err301}302newMount.Destination = targetPath303setDest = true304case "src", "source":305if !hasArgValue {306return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)307}308newMount.Source = argValue309case "mode":310if !hasArgValue {311return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)312}313mode, err = strconv.ParseUint(argValue, 8, 32)314if err != nil {315return newMount, nil, fmt.Errorf("unable to parse cache mode: %w", err)316}317case "uid":318if !hasArgValue {319return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)320}321uid, err = strconv.Atoi(argValue)322if err != nil {323return newMount, nil, fmt.Errorf("unable to parse cache uid: %w", err)324}325case "gid":326if !hasArgValue {327return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)328}329gid, err = strconv.Atoi(argValue)330if err != nil {331return newMount, nil, fmt.Errorf("unable to parse cache gid: %w", err)332}333default:334return newMount, nil, fmt.Errorf("%v: %w", argName, errBadMntOption)335}336}337// If selinux is enabled and no selinux option was configured339// default to `z` i.e shared content label.340if !foundSElinuxLabel && (selinux.EnforceMode() != selinux.Disabled) && fromStage == "" {341newMount.Options = append(newMount.Options, "z")342}343if !setDest {345return newMount, nil, errBadVolDest346}347if fromStage != "" {349// do not create cache on host350// instead use read-only mounted stage as cache351mountPoint := ""352if additionalMountPoints != nil {353if val, ok := additionalMountPoints[fromStage]; ok {354if val.IsStage {355mountPoint = val.MountPoint356}357}358}359// Cache does not supports using image so if not stage found360// return with error361if mountPoint == "" {362return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)363}364// path should be /contextDir/specified path365newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))366} else {367// we need to create cache on host if no image is being used368// since type is cache and cache can be reused by consecutive builds370// create a common cache directory, which persists on hosts within temp lifecycle371// add subdirectory if specified372// cache parent directory: creates separate cache parent for each user.374cacheParent := CacheParent()375// create cache on host if not present376err = os.MkdirAll(cacheParent, os.FileMode(0755))377if err != nil {378return newMount, nil, fmt.Errorf("unable to create build cache directory: %w", err)379}380if id != "" {382newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))383buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))384} else {385newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))386buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))387}388idPair := idtools.IDPair{389UID: uid,390GID: gid,391}392// buildkit parity: change uid and gid if specified otheriwise keep `0`393err = idtools.MkdirAllAndChownNew(newMount.Source, os.FileMode(mode), idPair)394if err != nil {395return newMount, nil, fmt.Errorf("unable to change uid,gid of cache directory: %w", err)396}397// create a subdirectory inside `cacheParent` just to store lockfiles399buildahLockFilesDir = filepath.Join(cacheParent, buildahLockFilesDir)400err = os.MkdirAll(buildahLockFilesDir, os.FileMode(0700))401if err != nil {402return newMount, nil, fmt.Errorf("unable to create build cache lockfiles directory: %w", err)403}404}405var targetLock *lockfile.LockFile // = nil407succeeded := false408defer func() {409if !succeeded && targetLock != nil {410targetLock.Unlock()411}412}()413switch sharing {414case "locked":415// lock parent cache416lockfile, err := lockfile.GetLockFile(filepath.Join(buildahLockFilesDir, BuildahCacheLockfile))417if err != nil {418return newMount, nil, fmt.Errorf("unable to acquire lock when sharing mode is locked: %w", err)419}420// Will be unlocked after the RUN step is executed.421lockfile.Lock()422targetLock = lockfile423case "shared":424// do nothing since default is `shared`425break426default:427// error out for unknown values428return newMount, nil, fmt.Errorf("unrecognized value %q for field `sharing`: %w", sharing, err)429}430// buildkit parity: default sharing should be shared432// unless specified433if !setShared {434newMount.Options = append(newMount.Options, "shared")435}436// buildkit parity: cache must writable unless `ro` or `readonly` is configured explicitly438if !setReadOnly {439newMount.Options = append(newMount.Options, "rw")440}441newMount.Options = append(newMount.Options, "bind")443opts, err := parse.ValidateVolumeOpts(newMount.Options)445if err != nil {446return newMount, nil, err447}448newMount.Options = opts449succeeded = true451return newMount, targetLock, nil452}453func getVolumeMounts(volumes []string) (map[string]specs.Mount, error) {455finalVolumeMounts := make(map[string]specs.Mount)456for _, volume := range volumes {458volumeMount, err := internalParse.Volume(volume)459if err != nil {460return nil, err461}462if _, ok := finalVolumeMounts[volumeMount.Destination]; ok {463return nil, fmt.Errorf("%v: %w", volumeMount.Destination, errDuplicateDest)464}465finalVolumeMounts[volumeMount.Destination] = volumeMount466}467return finalVolumeMounts, nil468}469// UnlockLockArray is a helper for cleaning up after GetVolumes and the like.471func UnlockLockArray(locks []*lockfile.LockFile) {472for _, lock := range locks {473lock.Unlock()474}475}476// GetVolumes gets the volumes from --volume and --mount478//479// If this function succeeds, the caller must unlock the returned *lockfile.LockFile s if any (when??).480func GetVolumes(ctx *types.SystemContext, store storage.Store, volumes []string, mounts []string, contextDir string, workDir string) ([]specs.Mount, []string, []*lockfile.LockFile, error) {481unifiedMounts, mountedImages, targetLocks, err := getMounts(ctx, store, mounts, contextDir, workDir)482if err != nil {483return nil, mountedImages, nil, err484}485succeeded := false486defer func() {487if !succeeded {488UnlockLockArray(targetLocks)489}490}()491volumeMounts, err := getVolumeMounts(volumes)492if err != nil {493return nil, mountedImages, nil, err494}495for dest, mount := range volumeMounts {496if _, ok := unifiedMounts[dest]; ok {497return nil, mountedImages, nil, fmt.Errorf("%v: %w", dest, errDuplicateDest)498}499unifiedMounts[dest] = mount500}501finalMounts := make([]specs.Mount, 0, len(unifiedMounts))503for _, mount := range unifiedMounts {504finalMounts = append(finalMounts, mount)505}506succeeded = true507return finalMounts, mountedImages, targetLocks, nil508}509// getMounts takes user-provided input from the --mount flag and creates OCI511// spec mounts.512// buildah run --mount type=bind,src=/etc/resolv.conf,target=/etc/resolv.conf ...513// buildah run --mount type=tmpfs,target=/dev/shm ...514//515// If this function succeeds, the caller must unlock the returned *lockfile.LockFile s if any (when??).516func getMounts(ctx *types.SystemContext, store storage.Store, mounts []string, contextDir string, workDir string) (map[string]specs.Mount, []string, []*lockfile.LockFile, error) {517// If `type` is not set default to "bind"518mountType := define.TypeBind519finalMounts := make(map[string]specs.Mount)520mountedImages := make([]string, 0)521targetLocks := make([]*lockfile.LockFile, 0)522succeeded := false523defer func() {524if !succeeded {525UnlockLockArray(targetLocks)526}527}()528errInvalidSyntax := errors.New("incorrect mount format: should be --mount type=<bind|tmpfs>,[src=<host-dir>,]target=<ctr-dir>[,options]")530// TODO(vrothberg): the manual parsing can be replaced with a regular expression532// to allow a more robust parsing of the mount format and to give533// precise errors regarding supported format versus supported options.534for _, mount := range mounts {535tokens := strings.Split(mount, ",")536if len(tokens) < 2 {537return nil, mountedImages, nil, fmt.Errorf("%q: %w", mount, errInvalidSyntax)538}539for _, field := range tokens {540if strings.HasPrefix(field, "type=") {541kv := strings.Split(field, "=")542if len(kv) != 2 {543return nil, mountedImages, nil, fmt.Errorf("%q: %w", mount, errInvalidSyntax)544}545mountType = kv[1]546}547}548switch mountType {549case define.TypeBind:550mount, image, err := GetBindMount(ctx, tokens, contextDir, store, "", nil, workDir)551if err != nil {552return nil, mountedImages, nil, err553}554if _, ok := finalMounts[mount.Destination]; ok {555return nil, mountedImages, nil, fmt.Errorf("%v: %w", mount.Destination, errDuplicateDest)556}557finalMounts[mount.Destination] = mount558mountedImages = append(mountedImages, image)559case TypeCache:560mount, tl, err := GetCacheMount(tokens, store, "", nil, workDir)561if err != nil {562return nil, mountedImages, nil, err563}564if tl != nil {565targetLocks = append(targetLocks, tl)566}567if _, ok := finalMounts[mount.Destination]; ok {568return nil, mountedImages, nil, fmt.Errorf("%v: %w", mount.Destination, errDuplicateDest)569}570finalMounts[mount.Destination] = mount571case TypeTmpfs:572mount, err := GetTmpfsMount(tokens)573if err != nil {574return nil, mountedImages, nil, err575}576if _, ok := finalMounts[mount.Destination]; ok {577return nil, mountedImages, nil, fmt.Errorf("%v: %w", mount.Destination, errDuplicateDest)578}579finalMounts[mount.Destination] = mount580default:581return nil, mountedImages, nil, fmt.Errorf("invalid filesystem type %q", mountType)582}583}584succeeded = true586return finalMounts, mountedImages, targetLocks, nil587}588// GetTmpfsMount parses a single tmpfs mount entry from the --mount flag590func GetTmpfsMount(args []string) (specs.Mount, error) {591newMount := specs.Mount{592Type: TypeTmpfs,593Source: TypeTmpfs,594}595setDest := false597for _, val := range args {599argName, argValue, hasArgValue := strings.Cut(val, "=")600switch argName {601case "type":602// This is already processed603continue604case "ro", "nosuid", "nodev", "noexec":605newMount.Options = append(newMount.Options, argName)606case "readonly":607// Alias for "ro"608newMount.Options = append(newMount.Options, "ro")609case "tmpcopyup":610// the path that is shadowed by the tmpfs mount is recursively copied up to the tmpfs itself.611newMount.Options = append(newMount.Options, argName)612case "tmpfs-mode":613if !hasArgValue {614return newMount, fmt.Errorf("%v: %w", argName, errBadOptionArg)615}616newMount.Options = append(newMount.Options, fmt.Sprintf("mode=%s", argValue))617case "tmpfs-size":618if !hasArgValue {619return newMount, fmt.Errorf("%v: %w", argName, errBadOptionArg)620}621newMount.Options = append(newMount.Options, fmt.Sprintf("size=%s", argValue))622case "src", "source":623return newMount, errors.New("source is not supported with tmpfs mounts")624case "target", "dst", "destination":625if !hasArgValue {626return newMount, fmt.Errorf("%v: %w", argName, errBadOptionArg)627}628if err := parse.ValidateVolumeCtrDir(argValue); err != nil {629return newMount, err630}631newMount.Destination = argValue632setDest = true633default:634return newMount, fmt.Errorf("%v: %w", argName, errBadMntOption)635}636}637if !setDest {639return newMount, errBadVolDest640}641return newMount, nil643}644