podman
228 строк · 6.5 Кб
1package buildah
2
3import (
4"errors"
5"fmt"
6"io"
7"os"
8"path/filepath"
9"sync"
10
11"github.com/containers/buildah/copier"
12"github.com/containers/image/v5/docker/reference"
13"github.com/containers/image/v5/pkg/sysregistriesv2"
14"github.com/containers/image/v5/types"
15"github.com/containers/storage"
16"github.com/containers/storage/pkg/idtools"
17"github.com/containers/storage/pkg/reexec"
18v1 "github.com/opencontainers/image-spec/specs-go/v1"
19rspec "github.com/opencontainers/runtime-spec/specs-go"
20"github.com/opencontainers/selinux/go-selinux/label"
21"github.com/sirupsen/logrus"
22)
23
24// InitReexec is a wrapper for reexec.Init(). It should be called at
25// the start of main(), and if it returns true, main() should return
26// immediately.
27func InitReexec() bool {
28return reexec.Init()
29}
30
31func copyStringStringMap(m map[string]string) map[string]string {
32n := map[string]string{}
33for k, v := range m {
34n[k] = v
35}
36return n
37}
38
39func copyStringSlice(s []string) []string {
40t := make([]string, len(s))
41copy(t, s)
42return t
43}
44
45func copyHistory(history []v1.History) []v1.History {
46if len(history) == 0 {
47return nil
48}
49h := make([]v1.History, 0, len(history))
50for _, entry := range history {
51created := entry.Created
52if created != nil {
53timestamp := *created
54created = ×tamp
55}
56h = append(h, v1.History{
57Created: created,
58CreatedBy: entry.CreatedBy,
59Author: entry.Author,
60Comment: entry.Comment,
61EmptyLayer: entry.EmptyLayer,
62})
63}
64return h
65}
66
67func convertStorageIDMaps(UIDMap, GIDMap []idtools.IDMap) ([]rspec.LinuxIDMapping, []rspec.LinuxIDMapping) {
68uidmap := make([]rspec.LinuxIDMapping, 0, len(UIDMap))
69gidmap := make([]rspec.LinuxIDMapping, 0, len(GIDMap))
70for _, m := range UIDMap {
71uidmap = append(uidmap, rspec.LinuxIDMapping{
72HostID: uint32(m.HostID),
73ContainerID: uint32(m.ContainerID),
74Size: uint32(m.Size),
75})
76}
77for _, m := range GIDMap {
78gidmap = append(gidmap, rspec.LinuxIDMapping{
79HostID: uint32(m.HostID),
80ContainerID: uint32(m.ContainerID),
81Size: uint32(m.Size),
82})
83}
84return uidmap, gidmap
85}
86
87func convertRuntimeIDMaps(UIDMap, GIDMap []rspec.LinuxIDMapping) ([]idtools.IDMap, []idtools.IDMap) {
88uidmap := make([]idtools.IDMap, 0, len(UIDMap))
89gidmap := make([]idtools.IDMap, 0, len(GIDMap))
90for _, m := range UIDMap {
91uidmap = append(uidmap, idtools.IDMap{
92HostID: int(m.HostID),
93ContainerID: int(m.ContainerID),
94Size: int(m.Size),
95})
96}
97for _, m := range GIDMap {
98gidmap = append(gidmap, idtools.IDMap{
99HostID: int(m.HostID),
100ContainerID: int(m.ContainerID),
101Size: int(m.Size),
102})
103}
104return uidmap, gidmap
105}
106
107// isRegistryBlocked checks if the named registry is marked as blocked
108func isRegistryBlocked(registry string, sc *types.SystemContext) (bool, error) {
109reginfo, err := sysregistriesv2.FindRegistry(sc, registry)
110if err != nil {
111return false, fmt.Errorf("unable to parse the registries configuration (%s): %w", sysregistriesv2.ConfigPath(sc), err)
112}
113if reginfo != nil {
114if reginfo.Blocked {
115logrus.Debugf("registry %q is marked as blocked in registries configuration %q", registry, sysregistriesv2.ConfigPath(sc))
116} else {
117logrus.Debugf("registry %q is not marked as blocked in registries configuration %q", registry, sysregistriesv2.ConfigPath(sc))
118}
119return reginfo.Blocked, nil
120}
121logrus.Debugf("registry %q is not listed in registries configuration %q, assuming it's not blocked", registry, sysregistriesv2.ConfigPath(sc))
122return false, nil
123}
124
125// isReferenceSomething checks if the registry part of a reference is insecure or blocked
126func isReferenceSomething(ref types.ImageReference, sc *types.SystemContext, what func(string, *types.SystemContext) (bool, error)) (bool, error) {
127if ref != nil {
128if named := ref.DockerReference(); named != nil {
129if domain := reference.Domain(named); domain != "" {
130return what(domain, sc)
131}
132}
133}
134return false, nil
135}
136
137// isReferenceBlocked checks if the registry part of a reference is blocked
138func isReferenceBlocked(ref types.ImageReference, sc *types.SystemContext) (bool, error) {
139if ref != nil && ref.Transport() != nil {
140switch ref.Transport().Name() {
141case "docker":
142return isReferenceSomething(ref, sc, isRegistryBlocked)
143}
144}
145return false, nil
146}
147
148// ReserveSELinuxLabels reads containers storage and reserves SELinux contexts
149// which are already being used by buildah containers.
150func ReserveSELinuxLabels(store storage.Store, id string) error {
151if selinuxGetEnabled() {
152containers, err := store.Containers()
153if err != nil {
154return fmt.Errorf("getting list of containers: %w", err)
155}
156
157for _, c := range containers {
158if id == c.ID {
159continue
160} else {
161b, err := OpenBuilder(store, c.ID)
162if err != nil {
163if errors.Is(err, os.ErrNotExist) {
164// Ignore not exist errors since containers probably created by other tool
165// TODO, we need to read other containers json data to reserve their SELinux labels
166continue
167}
168return err
169}
170// Prevent different containers from using same MCS label
171if err := label.ReserveLabel(b.ProcessLabel); err != nil {
172return fmt.Errorf("reserving SELinux label %q: %w", b.ProcessLabel, err)
173}
174}
175}
176}
177return nil
178}
179
180// IsContainer identifies if the specified container id is a buildah container
181// in the specified store.
182func IsContainer(id string, store storage.Store) (bool, error) {
183cdir, err := store.ContainerDirectory(id)
184if err != nil {
185return false, err
186}
187// Assuming that if the stateFile exists, that this is a Buildah
188// container.
189if _, err = os.Stat(filepath.Join(cdir, stateFile)); err != nil {
190if errors.Is(err, os.ErrNotExist) {
191return false, nil
192}
193return false, err
194}
195return true, nil
196}
197
198// Copy content from the directory "src" to the directory "dest", ensuring that
199// content from outside of "root" (which is a parent of "src" or "src" itself)
200// isn't read.
201func extractWithTar(root, src, dest string) error {
202var getErr, putErr error
203var wg sync.WaitGroup
204
205pipeReader, pipeWriter := io.Pipe()
206
207wg.Add(1)
208go func() {
209getErr = copier.Get(root, src, copier.GetOptions{}, []string{"."}, pipeWriter)
210pipeWriter.Close()
211wg.Done()
212}()
213wg.Add(1)
214go func() {
215putErr = copier.Put(dest, dest, copier.PutOptions{}, pipeReader)
216pipeReader.Close()
217wg.Done()
218}()
219wg.Wait()
220
221if getErr != nil {
222return fmt.Errorf("reading %q: %w", src, getErr)
223}
224if putErr != nil {
225return fmt.Errorf("copying contents of %q to %q: %w", src, dest, putErr)
226}
227return nil
228}
229