podman
627 строк · 18.9 Кб
1//go:build freebsd2// +build freebsd3package buildah5import (7"errors"8"fmt"9"os"10"path/filepath"11"strings"12"unsafe"13"github.com/containers/buildah/bind"15"github.com/containers/buildah/chroot"16"github.com/containers/buildah/copier"17"github.com/containers/buildah/define"18"github.com/containers/buildah/internal"19"github.com/containers/buildah/internal/tmpdir"20"github.com/containers/buildah/pkg/jail"21"github.com/containers/buildah/pkg/overlay"22"github.com/containers/buildah/pkg/parse"23butil "github.com/containers/buildah/pkg/util"24"github.com/containers/buildah/util"25"github.com/containers/common/libnetwork/etchosts"26"github.com/containers/common/libnetwork/resolvconf"27nettypes "github.com/containers/common/libnetwork/types"28netUtil "github.com/containers/common/libnetwork/util"29"github.com/containers/common/pkg/config"30"github.com/containers/storage/pkg/idtools"31"github.com/containers/storage/pkg/lockfile"32"github.com/containers/storage/pkg/stringid"33"github.com/docker/go-units"34"github.com/opencontainers/runtime-spec/specs-go"35spec "github.com/opencontainers/runtime-spec/specs-go"36"github.com/opencontainers/runtime-tools/generate"37"github.com/sirupsen/logrus"38"golang.org/x/exp/slices"39"golang.org/x/sys/unix"40)41const (43P_PID = 044P_PGID = 245PROC_REAP_ACQUIRE = 246PROC_REAP_RELEASE = 347)48var (50// We dont want to remove destinations with /etc, /dev as51// rootfs already contains these files and unionfs will create52// a `whiteout` i.e `.wh` files on removal of overlapping53// files from these directories. everything other than these54// will be cleaned up55nonCleanablePrefixes = []string{56"/etc", "/dev",57}58)59func procctl(idtype int, id int, cmd int, arg *byte) error {61_, _, e1 := unix.Syscall6(62unix.SYS_PROCCTL, uintptr(idtype), uintptr(id),63uintptr(cmd), uintptr(unsafe.Pointer(arg)), 0, 0)64if e1 != 0 {65return unix.Errno(e1)66}67return nil68}69func setChildProcess() error {71if err := procctl(P_PID, unix.Getpid(), PROC_REAP_ACQUIRE, nil); err != nil {72fmt.Fprintf(os.Stderr, "procctl(PROC_REAP_ACQUIRE): %v\n", err)73return err74}75return nil76}77func (b *Builder) Run(command []string, options RunOptions) error {79p, err := os.MkdirTemp(tmpdir.GetTempDir(), define.Package)80if err != nil {81return err82}83// On some hosts like AH, /tmp is a symlink and we need an84// absolute path.85path, err := filepath.EvalSymlinks(p)86if err != nil {87return err88}89logrus.Debugf("using %q to hold bundle data", path)90defer func() {91if err2 := os.RemoveAll(path); err2 != nil {92logrus.Errorf("error removing %q: %v", path, err2)93}94}()95gp, err := generate.New("freebsd")97if err != nil {98return fmt.Errorf("generating new 'freebsd' runtime spec: %w", err)99}100g := &gp101isolation := options.Isolation103if isolation == IsolationDefault {104isolation = b.Isolation105if isolation == IsolationDefault {106isolation, err = parse.IsolationOption("")107if err != nil {108logrus.Debugf("got %v while trying to determine default isolation, guessing OCI", err)109isolation = IsolationOCI110} else if isolation == IsolationDefault {111isolation = IsolationOCI112}113}114}115if err := checkAndOverrideIsolationOptions(isolation, &options); err != nil {116return err117}118// hardwire the environment to match docker build to avoid subtle and hard-to-debug differences due to containers.conf120b.configureEnvironment(g, options, []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"})121if b.CommonBuildOpts == nil {123return fmt.Errorf("invalid format on container you must recreate the container")124}125if err := addCommonOptsToSpec(b.CommonBuildOpts, g); err != nil {127return err128}129if options.WorkingDir != "" {131g.SetProcessCwd(options.WorkingDir)132} else if b.WorkDir() != "" {133g.SetProcessCwd(b.WorkDir())134}135mountPoint, err := b.Mount(b.MountLabel)136if err != nil {137return fmt.Errorf("mounting container %q: %w", b.ContainerID, err)138}139defer func() {140if err := b.Unmount(); err != nil {141logrus.Errorf("error unmounting container: %v", err)142}143}()144g.SetRootPath(mountPoint)145if len(command) > 0 {146command = runLookupPath(g, command)147g.SetProcessArgs(command)148} else {149g.SetProcessArgs(nil)150}151setupTerminal(g, options.Terminal, options.TerminalSize)153configureNetwork, networkString, err := b.configureNamespaces(g, &options)155if err != nil {156return err157}158containerName := Package + "-" + filepath.Base(path)160if configureNetwork {161if jail.NeedVnetJail() {162g.AddAnnotation("org.freebsd.parentJail", containerName+"-vnet")163} else {164g.AddAnnotation("org.freebsd.jail.vnet", "new")165}166}167homeDir, err := b.configureUIDGID(g, mountPoint, options)169if err != nil {170return err171}172// Now grab the spec from the generator. Set the generator to nil so that future contributors174// will quickly be able to tell that they're supposed to be modifying the spec directly from here.175spec := g.Config176g = nil177// Set the seccomp configuration using the specified profile name. Some syscalls are179// allowed if certain capabilities are to be granted (example: CAP_SYS_CHROOT and chroot),180// so we sorted out the capabilities lists first.181if err = setupSeccomp(spec, b.CommonBuildOpts.SeccompProfilePath); err != nil {182return err183}184uid, gid := spec.Process.User.UID, spec.Process.User.GID186idPair := &idtools.IDPair{UID: int(uid), GID: int(gid)}187mode := os.FileMode(0755)189coptions := copier.MkdirOptions{190ChownNew: idPair,191ChmodNew: &mode,192}193if err := copier.Mkdir(mountPoint, filepath.Join(mountPoint, spec.Process.Cwd), coptions); err != nil {194return err195}196bindFiles := make(map[string]string)198volumes := b.Volumes()199// Figure out who owns files that will appear to be owned by UID/GID 0 in the container.201rootUID, rootGID, err := util.GetHostRootIDs(spec)202if err != nil {203return err204}205rootIDPair := &idtools.IDPair{UID: int(rootUID), GID: int(rootGID)}206hostsFile := ""208if !options.NoHosts && !slices.Contains(volumes, config.DefaultHostsFile) && options.ConfigureNetwork != define.NetworkDisabled {209hostsFile, err = b.createHostsFile(path, rootIDPair)210if err != nil {211return err212}213bindFiles[config.DefaultHostsFile] = hostsFile214// Only add entries here if we do not have to setup network,216// if we do we have to do it much later after the network setup.217if !configureNetwork {218var entries etchosts.HostEntries219// add host entry for local ip when running in host network220if spec.Hostname != "" {221ip := netUtil.GetLocalIP()222if ip != "" {223entries = append(entries, etchosts.HostEntry{224Names: []string{spec.Hostname},225IP: ip,226})227}228}229err = b.addHostsEntries(hostsFile, mountPoint, entries, nil)230if err != nil {231return err232}233}234}235resolvFile := ""237if !slices.Contains(volumes, resolvconf.DefaultResolvConf) && options.ConfigureNetwork != define.NetworkDisabled && !(len(b.CommonBuildOpts.DNSServers) == 1 && strings.ToLower(b.CommonBuildOpts.DNSServers[0]) == "none") {238resolvFile, err = b.createResolvConf(path, rootIDPair)239if err != nil {240return err241}242bindFiles[resolvconf.DefaultResolvConf] = resolvFile243// Only add entries here if we do not have to do setup network,245// if we do we have to do it much later after the network setup.246if !configureNetwork {247err = b.addResolvConfEntries(resolvFile, nil, nil, false, true)248if err != nil {249return err250}251}252}253runMountInfo := runMountInfo{255ContextDir: options.ContextDir,256Secrets: options.Secrets,257SSHSources: options.SSHSources,258StageMountPoints: options.StageMountPoints,259SystemContext: options.SystemContext,260}261runArtifacts, err := b.setupMounts(mountPoint, spec, path, options.Mounts, bindFiles, volumes, b.CommonBuildOpts.Volumes, options.RunMounts, runMountInfo)263if err != nil {264return fmt.Errorf("resolving mountpoints for container %q: %w", b.ContainerID, err)265}266if runArtifacts.SSHAuthSock != "" {267sshenv := "SSH_AUTH_SOCK=" + runArtifacts.SSHAuthSock268spec.Process.Env = append(spec.Process.Env, sshenv)269}270// following run was called from `buildah run`272// and some images were mounted for this run273// add them to cleanup artifacts274if len(options.ExternalImageMounts) > 0 {275runArtifacts.MountedImages = append(runArtifacts.MountedImages, options.ExternalImageMounts...)276}277defer func() {279if err := b.cleanupRunMounts(options.SystemContext, mountPoint, runArtifacts); err != nil {280options.Logger.Errorf("unable to cleanup run mounts %v", err)281}282}()283defer b.cleanupTempVolumes()285// If we are creating a network, make the vnet here so that we can287// execute the OCI runtime inside it. For FreeBSD-13.3 and later, we can288// configure the container network settings from outside the jail, which289// removes the need for a separate jail to manage the vnet.290if configureNetwork && jail.NeedVnetJail() {291mynetns := containerName + "-vnet"292jconf := jail.NewConfig()294jconf.Set("name", mynetns)295jconf.Set("vnet", jail.NEW)296jconf.Set("children.max", 1)297jconf.Set("persist", true)298jconf.Set("enforce_statfs", 0)299jconf.Set("devfs_ruleset", 4)300jconf.Set("allow.raw_sockets", true)301jconf.Set("allow.chflags", true)302jconf.Set("securelevel", -1)303netjail, err := jail.Create(jconf)304if err != nil {305return err306}307defer func() {308jconf := jail.NewConfig()309jconf.Set("persist", false)310err2 := netjail.Set(jconf)311if err2 != nil {312logrus.Errorf("error releasing vnet jail %q: %v", mynetns, err2)313}314}()315}316switch isolation {318case IsolationOCI:319var moreCreateArgs []string320if options.NoPivot {321moreCreateArgs = []string{"--no-pivot"}322} else {323moreCreateArgs = nil324}325err = b.runUsingRuntimeSubproc(isolation, options, configureNetwork, networkString, moreCreateArgs, spec, mountPoint, path, containerName, b.Container, hostsFile, resolvFile)326case IsolationChroot:327err = chroot.RunUsingChroot(spec, path, homeDir, options.Stdin, options.Stdout, options.Stderr)328default:329err = errors.New("don't know how to run this command")330}331return err332}333func addCommonOptsToSpec(commonOpts *define.CommonBuildOptions, g *generate.Generator) error {335defaultContainerConfig, err := config.Default()336if err != nil {337return fmt.Errorf("failed to get container config: %w", err)338}339// Other process resource limits340if err := addRlimits(commonOpts.Ulimit, g, defaultContainerConfig.Containers.DefaultUlimits.Get()); err != nil {341return err342}343logrus.Debugf("Resources: %#v", commonOpts)345return nil346}347// setupSpecialMountSpecChanges creates special mounts for depending349// on the namespaces - nothing yet for freebsd350func setupSpecialMountSpecChanges(spec *spec.Spec, shmSize string) ([]specs.Mount, error) {351return spec.Mounts, nil352}353// If this function succeeds and returns a non-nil *lockfile.LockFile, the caller must unlock it (when??).355func (b *Builder) getCacheMount(tokens []string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps, workDir string) (*spec.Mount, *lockfile.LockFile, error) {356return nil, nil, errors.New("cache mounts not supported on freebsd")357}358func (b *Builder) runSetupVolumeMounts(mountLabel string, volumeMounts []string, optionMounts []specs.Mount, idMaps IDMaps) (mounts []specs.Mount, Err error) {360// Make sure the overlay directory is clean before running361_, err := b.store.ContainerDirectory(b.ContainerID)362if err != nil {363return nil, fmt.Errorf("looking up container directory for %s: %w", b.ContainerID, err)364}365parseMount := func(mountType, host, container string, options []string) (specs.Mount, error) {367var foundrw, foundro, foundO bool368var upperDir string369for _, opt := range options {370switch opt {371case "rw":372foundrw = true373case "ro":374foundro = true375case "O":376foundO = true377}378if strings.HasPrefix(opt, "upperdir") {379splitOpt := strings.SplitN(opt, "=", 2)380if len(splitOpt) > 1 {381upperDir = splitOpt[1]382}383}384}385if !foundrw && !foundro {386options = append(options, "rw")387}388if mountType == "bind" || mountType == "rbind" {389mountType = "nullfs"390}391if foundO {392containerDir, err := b.store.ContainerDirectory(b.ContainerID)393if err != nil {394return specs.Mount{}, err395}396contentDir, err := overlay.TempDir(containerDir, idMaps.rootUID, idMaps.rootGID)398if err != nil {399return specs.Mount{}, fmt.Errorf("failed to create TempDir in the %s directory: %w", containerDir, err)400}401overlayOpts := overlay.Options{403RootUID: idMaps.rootUID,404RootGID: idMaps.rootGID,405UpperDirOptionFragment: upperDir,406GraphOpts: b.store.GraphOptions(),407}408overlayMount, err := overlay.MountWithOptions(contentDir, host, container, &overlayOpts)410if err == nil {411b.TempVolumes[contentDir] = true412}413return overlayMount, err414}415return specs.Mount{416Destination: container,417Type: mountType,418Source: host,419Options: options,420}, nil421}422// Bind mount volumes specified for this particular Run() invocation424for _, i := range optionMounts {425logrus.Debugf("setting up mounted volume at %q", i.Destination)426mount, err := parseMount(i.Type, i.Source, i.Destination, i.Options)427if err != nil {428return nil, err429}430mounts = append(mounts, mount)431}432// Bind mount volumes given by the user when the container was created433for _, i := range volumeMounts {434var options []string435spliti := strings.Split(i, ":")436if len(spliti) > 2 {437options = strings.Split(spliti[2], ",")438}439mount, err := parseMount("nullfs", spliti[0], spliti[1], options)440if err != nil {441return nil, err442}443mounts = append(mounts, mount)444}445return mounts, nil446}447func setupCapabilities(g *generate.Generator, defaultCapabilities, adds, drops []string) error {449return nil450}451func (b *Builder) runConfigureNetwork(pid int, isolation define.Isolation, options RunOptions, networkString string, containerName string, hostnames []string) (func(), *netResult, error) {453//if isolation == IsolationOCIRootless {454//return setupRootlessNetwork(pid)455//}456var configureNetworks []string458if len(networkString) > 0 {459configureNetworks = strings.Split(networkString, ",")460}461if len(configureNetworks) == 0 {463configureNetworks = []string{b.NetworkInterface.DefaultNetworkName()}464}465logrus.Debugf("configureNetworks: %v", configureNetworks)466var mynetns string468if jail.NeedVnetJail() {469mynetns = containerName + "-vnet"470} else {471mynetns = containerName472}473networks := make(map[string]nettypes.PerNetworkOptions, len(configureNetworks))475for i, network := range configureNetworks {476networks[network] = nettypes.PerNetworkOptions{477InterfaceName: fmt.Sprintf("eth%d", i),478}479}480opts := nettypes.NetworkOptions{482ContainerID: containerName,483ContainerName: containerName,484Networks: networks,485}486netStatus, err := b.NetworkInterface.Setup(mynetns, nettypes.SetupOptions{NetworkOptions: opts})487if err != nil {488return nil, nil, err489}490teardown := func() {492err := b.NetworkInterface.Teardown(mynetns, nettypes.TeardownOptions{NetworkOptions: opts})493if err != nil {494logrus.Errorf("failed to cleanup network: %v", err)495}496}497return teardown, netStatusToNetResult(netStatus, hostnames), nil499}500func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOptions define.NamespaceOptions, idmapOptions define.IDMappingOptions, policy define.NetworkConfigurationPolicy) (configureNetwork bool, networkString string, configureUTS bool, err error) {502// Set namespace options in the container configuration.503for _, namespaceOption := range namespaceOptions {504switch namespaceOption.Name {505case string(specs.NetworkNamespace):506configureNetwork = false507if !namespaceOption.Host && (namespaceOption.Path == "" || !filepath.IsAbs(namespaceOption.Path)) {508if namespaceOption.Path != "" && !filepath.IsAbs(namespaceOption.Path) {509networkString = namespaceOption.Path510namespaceOption.Path = ""511}512configureNetwork = (policy != define.NetworkDisabled)513}514case string(specs.UTSNamespace):515configureUTS = false516if !namespaceOption.Host && namespaceOption.Path == "" {517configureUTS = true518}519}520// TODO: re-visit this when there is consensus on a521// FreeBSD runtime-spec. FreeBSD jails have rough522// equivalents for UTS and and network namespaces.523}524return configureNetwork, networkString, configureUTS, nil526}527func (b *Builder) configureNamespaces(g *generate.Generator, options *RunOptions) (bool, string, error) {529defaultNamespaceOptions, err := DefaultNamespaceOptions()530if err != nil {531return false, "", err532}533namespaceOptions := defaultNamespaceOptions535namespaceOptions.AddOrReplace(b.NamespaceOptions...)536namespaceOptions.AddOrReplace(options.NamespaceOptions...)537networkPolicy := options.ConfigureNetwork539//Nothing was specified explicitly so network policy should be inherited from builder540if networkPolicy == NetworkDefault {541networkPolicy = b.ConfigureNetwork542// If builder policy was NetworkDisabled and544// we want to disable network for this run.545// reset options.ConfigureNetwork to NetworkDisabled546// since it will be treated as source of truth later.547if networkPolicy == NetworkDisabled {548options.ConfigureNetwork = networkPolicy549}550}551configureNetwork, networkString, configureUTS, err := setupNamespaces(options.Logger, g, namespaceOptions, b.IDMappingOptions, networkPolicy)553if err != nil {554return false, "", err555}556if configureUTS {558if options.Hostname != "" {559g.SetHostname(options.Hostname)560} else if b.Hostname() != "" {561g.SetHostname(b.Hostname())562} else {563g.SetHostname(stringid.TruncateID(b.ContainerID))564}565} else {566g.SetHostname("")567}568found := false570spec := g.Config571for i := range spec.Process.Env {572if strings.HasPrefix(spec.Process.Env[i], "HOSTNAME=") {573found = true574break575}576}577if !found {578spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("HOSTNAME=%s", spec.Hostname))579}580return configureNetwork, networkString, nil582}583func runSetupBoundFiles(bundlePath string, bindFiles map[string]string) (mounts []specs.Mount) {585for dest, src := range bindFiles {586options := []string{}587if strings.HasPrefix(src, bundlePath) {588options = append(options, bind.NoBindOption)589}590mounts = append(mounts, specs.Mount{591Source: src,592Destination: dest,593Type: "nullfs",594Options: options,595})596}597return mounts598}599func addRlimits(ulimit []string, g *generate.Generator, defaultUlimits []string) error {601var (602ul *units.Ulimit603err error604)605ulimit = append(defaultUlimits, ulimit...)607for _, u := range ulimit {608if ul, err = butil.ParseUlimit(u); err != nil {609return fmt.Errorf("ulimit option %q requires name=SOFT:HARD, failed to be parsed: %w", u, err)610}611g.AddProcessRlimits("RLIMIT_"+strings.ToUpper(ul.Name), uint64(ul.Hard), uint64(ul.Soft))613}614return nil615}616// Create pipes to use for relaying stdio.618func runMakeStdioPipe(uid, gid int) ([][]int, error) {619stdioPipe := make([][]int, 3)620for i := range stdioPipe {621stdioPipe[i] = make([]int, 2)622if err := unix.Pipe(stdioPipe[i]); err != nil {623return nil, fmt.Errorf("creating pipe for container FD %d: %w", i, err)624}625}626return stdioPipe, nil627}628