Bump to v0.8

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #333
Approved by: TomSweeneyRedHat

add.go

@@ -59,7 +59,7 @@ func addURL(destination, srcurl string) error {
 // filesystem, optionally extracting contents of local files that look like
 // non-empty archives.
 func (b *Builder) Add(destination string, extract bool, source ...string) error {
-	mountPoint, err := b.Mount("")
+	mountPoint, err := b.Mount(b.MountLabel)
 	if err != nil {
 		return err
 	}

buildah.go

@@ -20,7 +20,7 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package
-	Version = "0.6"
+	Version = "0.8"
 	// The value we use to identify what type of information, currently a
 	// serialized Builder structure, we are using as per-container state.
 	// This should only be changed when we make incompatible changes to

cmd/buildah/bud.go

@@ -13,6 +13,10 @@ import (
 
 var (
 	budFlags = []cli.Flag{
+		cli.StringFlag{
+			Name:  "authfile",
+			Usage: "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json",
+		},
 		cli.StringSliceFlag{
 			Name:  "build-arg",
 			Usage: "`argument=value` to supply to the builder",
@@ -56,7 +60,7 @@ var (
 		},
 		cli.BoolTFlag{
 			Name:  "tls-verify",
-			Usage: "Require HTTPS and verify certificates when accessing the registry",
+			Usage: "require HTTPS and verify certificates when accessing the registry",
 		},
 	}
 
@@ -190,6 +194,7 @@ func budCmd(c *cli.Context) error {
 		Runtime:             c.String("runtime"),
 		RuntimeArgs:         c.StringSlice("runtime-flag"),
 		OutputFormat:        format,
+		AuthFilePath:        c.String("authfile"),
 	}
 	if !c.Bool("quiet") {
 		options.ReportWriter = os.Stderr

cmd/buildah/common.go

@@ -133,6 +133,9 @@ func systemContextFromOptions(c *cli.Context) (*types.SystemContext, error) {
 	if c.IsSet("signature-policy") {
 		ctx.SignaturePolicyPath = c.String("signature-policy")
 	}
+	if c.IsSet("authfile") {
+		ctx.AuthFilePath = c.String("authfile")
+	}
 	return ctx, nil
 }
 

cmd/buildah/from.go

@@ -11,6 +11,10 @@ import (
 
 var (
 	fromFlags = []cli.Flag{
+		cli.StringFlag{
+			Name:  "authfile",
+			Usage: "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json",
+		},
 		cli.StringFlag{
 			Name:  "cert-dir",
 			Value: "",
@@ -43,7 +47,7 @@ var (
 		},
 		cli.BoolTFlag{
 			Name:  "tls-verify",
-			Usage: "Require HTTPS and verify certificates when accessing the registry",
+			Usage: "require HTTPS and verify certificates when accessing the registry",
 		},
 	}
 	fromDescription = "Creates a new working container, either from scratch or using a specified\n   image as a starting point"

cmd/buildah/mount.go

@@ -46,7 +46,7 @@ func mountCmd(c *cli.Context) error {
 		if err != nil {
 			return errors.Wrapf(err, "error reading build container %q", name)
 		}
-		mountPoint, err := builder.Mount("")
+		mountPoint, err := builder.Mount(builder.MountLabel)
 		if err != nil {
 			return errors.Wrapf(err, "error mounting %q container %q", name, builder.Container)
 		}

cmd/buildah/push.go

@@ -17,6 +17,10 @@ import (
 
 var (
 	pushFlags = []cli.Flag{
+		cli.StringFlag{
+			Name:  "authfile",
+			Usage: "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json",
+		},
 		cli.StringFlag{
 			Name:  "cert-dir",
 			Value: "",
@@ -45,7 +49,7 @@ var (
 		},
 		cli.BoolTFlag{
 			Name:  "tls-verify",
-			Usage: "Require HTTPS and verify certificates when accessing the registry",
+			Usage: "require HTTPS and verify certificates when accessing the registry",
 		},
 	}
 	pushDescription = fmt.Sprintf(`

contrib/completions/bash/buildah

@@ -345,6 +345,7 @@ return 1
   "
 
      local options_with_args="
+     --authfile
      --signature-policy
      --runtime
      --runtime-flag
@@ -481,6 +482,7 @@ return 1
   "
 
      local options_with_args="
+          --authfile
           --cert-dir
           --creds
           --format
@@ -629,6 +631,7 @@ return 1
   "
 
      local options_with_args="
+     --authfile
      --cert-dir
      --creds
      --name

contrib/rpm/buildah.spec

@@ -25,7 +25,7 @@
 %global shortcommit    %(c=%{commit}; echo ${c:0:7})
 
 Name:           buildah
-Version:        0.6
+Version:        0.7
 Release:        1.git%{shortcommit}%{?dist}
 Summary:        A command line tool used to creating OCI Images
 License:        ASL 2.0
@@ -88,6 +88,10 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
 %{_datadir}/bash-completion/completions/*
 
 %changelog
+* Thu Nov 16 2017 Dan Walsh <dwalsh@redhat.com> 0.7-1
+- Ignore errors when trying to read containers buildah.json for loading SELinux reservations
+-     Use credentials from kpod login for buildah
+
 * Wed Nov 15 2017 Dan Walsh <dwalsh@redhat.com> 0.6-1
 - Adds support for converting manifest types when using the dir transport
 - Rework how we do UID resolution in images

docs/buildah-bud.md

@@ -14,6 +14,11 @@ to a temporary location.
 
 ## OPTIONS
 
+**--authfile** *path*
+
+Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `kpod login`.
+If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+
 **--build-arg** *arg=value*
 
 Specifies a build argument and its value, which will be interpolated in
@@ -93,4 +98,4 @@ buildah bud --tls-verify=true -t imageName -f Dockerfile.simple
 buildah bud --tls-verify=false -t imageName .
 
 ## SEE ALSO
-buildah(1)
+buildah(1), kpod-login(1), docker-login(1)

docs/buildah-from.md

@@ -17,7 +17,7 @@ Multiple transports are supported:
   An existing local directory _path_ retrieving the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
 
   **docker://**_docker-reference_ (Default)
-  An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in `$HOME/.docker/config.json`, which is set e.g. using `(docker login)`.
+  An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in `$XDG_RUNTIME_DIR/containers/auth.json`, which is set using `(kpod login)`. If the authorization state is not found there, `$HOME/.docker/config.json` is checked, which is set using `(docker login)`.
 
   **docker-archive:**_path_
   An image is retrieved as a `docker load` formatted file.
@@ -36,6 +36,11 @@ The container ID of the container that was created.  On error, -1 is returned an
 
 ## OPTIONS
 
+**--authfile** *path*
+
+Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `kpod login`.
+If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+
 **--cert-dir** *path*
 
 Use certificates at *path* (*.crt, *.cert, *.key) to connect to the registry
@@ -86,5 +91,7 @@ buildah from myregistry/myrepository/imagename:imagetag --tls-verify=false
 
 buildah from myregistry/myrepository/imagename:imagetag --creds=myusername:mypassword --cert-dir ~/auth
 
+buildah from myregistry/myrepository/imagename:imagetag --authfile=/tmp/auths/myauths.json
+
 ## SEE ALSO
-buildah(1)
+buildah(1), kpod-login(1), docker-login(1)

docs/buildah-push.md

@@ -24,7 +24,7 @@ Image stored in local container/storage
   An existing local directory _path_ storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
 
   **docker://**_docker-reference_
-  An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in `$HOME/.docker/config.json`, which is set e.g. using `(docker login)`.
+  An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in `$XDG_RUNTIME_DIR/containers/auth.json`, which is set using `(kpod login)`. If the authorization state is not found there, `$HOME/.docker/config.json` is checked, which is set using `(docker login)`.
 
   **docker-archive:**_path_[**:**_docker-reference_]
   An image is stored in the `docker save` formatted file.  _docker-reference_ is only used when creating such a file, and it must not contain a digest.
@@ -40,6 +40,11 @@ Image stored in local container/storage
 
 ## OPTIONS
 
+**--authfile** *path*
+
+Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `kpod login`.
+If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+
 **--cert-dir** *path*
 
 Use certificates at *path* (*.crt, *.cert, *.key) to connect to the registry
@@ -84,6 +89,10 @@ This example extracts the imageID image to a container registry named registry.e
 
  `# buildah push imageID docker://registry.example.com/repository:tag`
 
+This example extracts the imageID image to a private container registry named registry.example.com with authentication from /tmp/auths/myauths.json.
+
+ `# buildah push --authfile /tmp/auths/myauths.json imageID docker://registry.example.com/repository:tag`
+
 This example extracts the imageID image and puts into the local docker container store.
 
  `# buildah push imageID docker-daemon:image:tag`
@@ -95,4 +104,4 @@ This example extracts the imageID image and puts it into the registry on the loc
  `# buildah push --cert-dir ~/auth --tls-verify=true --creds=username:password imageID docker://localhost:5000/my-imageID`
 
 ## SEE ALSO
-buildah(1)
+buildah(1), kpod-login(1), docker-login(1)

imagebuildah/build.go

@@ -105,6 +105,7 @@ type BuildOptions struct {
 	// configuration data.
 	// Accepted values are OCIv1ImageFormat and Dockerv2ImageFormat.
 	OutputFormat string
+	AuthFilePath string
 }
 
 // Executor is a buildah-based implementation of the imagebuilder.Executor
@@ -138,11 +139,14 @@ type Executor struct {
 	reportWriter                   io.Writer
 }
 
-func makeSystemContext(signaturePolicyPath string, skipTLSVerify bool) *types.SystemContext {
+func makeSystemContext(signaturePolicyPath, authFilePath string, skipTLSVerify bool) *types.SystemContext {
 	sc := &types.SystemContext{}
 	if signaturePolicyPath != "" {
 		sc.SignaturePolicyPath = signaturePolicyPath
 	}
+	if authFilePath != "" {
+		sc.AuthFilePath = authFilePath
+	}
 	sc.DockerInsecureSkipTLSVerify = skipTLSVerify
 	return sc
 }
@@ -423,7 +427,7 @@ func NewExecutor(store storage.Store, options BuildOptions) (*Executor, error) {
 		outputFormat:        options.OutputFormat,
 		additionalTags:      options.AdditionalTags,
 		signaturePolicyPath: options.SignaturePolicyPath,
-		systemContext:       makeSystemContext(options.SignaturePolicyPath, options.SkipTLSVerify),
+		systemContext:       makeSystemContext(options.SignaturePolicyPath, options.AuthFilePath, options.SkipTLSVerify),
 		volumeCache:         make(map[string]string),
 		volumeCacheInfo:     make(map[string]os.FileInfo),
 		log:                 options.Log,
@@ -517,7 +521,7 @@ func (b *Executor) Prepare(ib *imagebuilder.Builder, node *parser.Node, from str
 		}
 		return errors.Wrapf(err, "error updating build context")
 	}
-	mountPoint, err := builder.Mount("")
+	mountPoint, err := builder.Mount(builder.MountLabel)
 	if err != nil {
 		if err2 := builder.Delete(); err2 != nil {
 			logrus.Debugf("error deleting container which we failed to mount: %v", err2)

new.go

@@ -2,6 +2,7 @@ package buildah
 
 import (
 	"fmt"
+	"os"
 	"strings"
 
 	is "github.com/containers/image/storage"
@@ -40,7 +41,9 @@ func reserveSELinuxLabels(store storage.Store, id string) error {
 			} else {
 				b, err := OpenBuilder(store, c.ID)
 				if err != nil {
-					if err == storage.ErrContainerUnknown {
+					if os.IsNotExist(err) {
+						// Ignore not exist errors since containers probably created by other tool
+						// TODO, we need to read other containers json data to reserve their SELinux labels
 						continue
 					}
 					return err

run.go

@@ -208,6 +208,28 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 			logrus.Errorf("error unmounting container: %v", err2)
 		}
 	}()
+	for _, mp := range []string{
+		"/proc/kcore",
+		"/proc/latency_stats",
+		"/proc/timer_list",
+		"/proc/timer_stats",
+		"/proc/sched_debug",
+		"/proc/scsi",
+		"/sys/firmware",
+	} {
+		g.AddLinuxMaskedPaths(mp)
+	}
+
+	for _, rp := range []string{
+		"/proc/asound",
+		"/proc/bus",
+		"/proc/fs",
+		"/proc/irq",
+		"/proc/sys",
+		"/proc/sysrq-trigger",
+	} {
+		g.AddLinuxReadonlyPaths(rp)
+	}
 	g.SetRootPath(mountPoint)
 	switch options.Terminal {
 	case DefaultTerminal:

tests/test_buildah_authentication.sh

@@ -1,10 +1,18 @@
 #!/bin/bash
 # test_buildah_authentication
 # A script to be run at the command line with Buildah installed.
+# This currently needs to be run as root and Docker must be
+# installed on the system.
 # This will test the code and should be run with this command:
 #
 # /bin/bash -v test_buildah_authentication.sh
 
+########
+# System setup - dir for creds and start docker
+########
+mkdir -p /root/auth
+systemctl restart docker
+
 ########
 # Create creds and store in /root/auth/htpasswd
 ########

tests/test_buildah_baseline.sh

@@ -0,0 +1,193 @@
+#!/bin/bash
+# test_buildah_baseline.sh 
+# A script to be run at the command line with Buildah installed.
+# This should be run against a new kit to provide base level testing
+# on a freshly installed machine with no images or containers in 
+# play.  This currently needs to be run as root.
+#
+# Commands based on the tutorial provided by William Henry.
+#
+# To run this command:
+#
+# /bin/bash -v test_buildah_baseline.sh 
+
+########
+# Next two commands should return blanks 
+########
+buildah images
+buildah containers
+
+########
+# Create Fedora based container
+########
+container=$(buildah from fedora)
+echo $container
+
+########
+# Run container and display contents in /etc 
+########
+buildah run $container -- ls -alF /etc
+
+########
+# Run Java in the container - should FAIL
+########
+buildah run $container java
+
+########
+# Install java onto the container
+########
+buildah run $container -- dnf -y install java
+
+########
+# Run Java in the container - should show java usage
+########
+buildah run $container java
+
+########
+# Create a scratch container 
+########
+newcontainer=$(buildah from scratch)
+
+########
+# Check and find two containers
+########
+buildah containers
+
+########
+# Check images, no "scratch" image
+########
+buildah images
+
+########
+# Run the container - should FAIL
+########
+buildah run $newcontainer bash
+
+########
+# Mount the container's root file system
+########
+scratchmnt=$(buildah mount $newcontainer)
+
+########
+# Show the location, should be /var/lib/containers/storage/overlay/{id}/dif
+########
+echo $scratchmnt
+
+########
+# Install Fedora 26 bash and coreutils
+########
+dnf install --installroot $scratchmnt --release 26 bash coreutils --setopt install_weak_deps=false -y
+
+########
+# Check /usr/bin on the new container
+########
+buildah run $newcontainer -- ls -alF /usr/bin
+
+########
+# Create shell script to test on
+########
+FILE=./runecho.sh
+/bin/cat <<EOM >$FILE
+#!/bin/bash
+for i in {1..9};
+do
+    echo "This is a new container from ipbabble [" $i "]"
+done
+EOM
+chmod +x $FILE
+
+########
+# Copy and run file on scratch container 
+########
+buildah copy $newcontainer $FILE /usr/bin
+buildah config --cmd /usr/bin/runecho.sh $newcontainer
+buildah run $newcontainer
+
+########
+# Add configuration information
+########
+buildah config --created-by "ipbabble"  $newcontainer
+buildah config --author "wgh at redhat.com @ipbabble" --label name=fedora26-bashecho $newcontainer
+
+########
+# Inspect the container, verifying above was put into it
+########
+buildah inspect $newcontainer
+
+########
+# Unmount the container
+########
+buildah unmount $newcontainer
+
+########
+# Commit the image
+########
+buildah commit $newcontainer fedora-bashecho
+
+########
+# Check the images there should be a fedora-basecho:latest image
+########
+buildah images
+
+########
+# Inspect the fedora-baseecho image
+########
+buildah inspect --type=image fedora-bashecho
+
+########
+# Remove the container
+########
+buildah rm $newcontainer
+
+########
+# Install Docker, but not for long!
+########
+dnf -y install docker
+systemctl start docker
+
+########
+# Push fedora-basecho to the Docker daemon 
+########
+buildah push fedora-bashecho docker-daemon:fedora-bashecho:latest
+
+########
+# Run fedora-bashecho from Docker
+########
+docker run fedoara-baseecho
+
+########
+# Time to remove Docker
+########
+dnf -y remove docker
+
+########
+# Build Dockerfile
+########
+FILE=./Dockerfile
+/bin/cat <<EOM >$FILE
+FROM docker/whalesay:latest
+RUN apt-get -y update && apt-get install -y fortunes
+CMD /usr/games/fortune -a | cowsay
+EOM
+chmod +x $FILE
+
+########
+# Build with the Dockerfile
+########
+buildah bud -f Dockerfile -t whale-says 
+
+########
+# Create a whalesays container 
+########
+whalesays=$(buildah from whale-says)
+
+########
+# Run the container to see what the whale says
+########
+buildah run $whalesays
+
+########
+# Clean up Buildah
+########
+buildah rm $(buildah containers -q)
+buildah rmi -f $(buildah --debug=false images -q)