mirror of
https://github.com/mudler/luet.git
synced 2025-09-15 14:48:55 +00:00
Trim the Domain Name from cached image references
This commit removes the Domain Name, if any, from the cached image reference before computing the image fingerprint. This way the same image, if stored in some oter mirror, is still seen as the same one. Fixes #158
This commit is contained in:
David Cassany
163
vendor/github.com/moby/buildkit/util/entitlements/security/security_linux.go
generated
vendored
163
vendor/github.com/moby/buildkit/util/entitlements/security/security_linux.go
generated
vendored
@@ -1,163 +0,0 @@
|
||||
package security
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"github.com/containerd/containerd/containers"
|
||||
"github.com/containerd/containerd/oci"
|
||||
"github.com/opencontainers/runc/libcontainer/system"
|
||||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/sirupsen/logrus"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
// WithInsecureSpec sets spec with All capability.
|
||||
func WithInsecureSpec() oci.SpecOpts {
|
||||
return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
|
||||
addCaps := []string{
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_FOWNER",
|
||||
"CAP_MKNOD",
|
||||
"CAP_CHOWN",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_AUDIT_READ",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_BLOCK_SUSPEND",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_LEASE",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_BROADCAST",
|
||||
}
|
||||
for _, cap := range addCaps {
|
||||
s.Process.Capabilities.Bounding = append(s.Process.Capabilities.Bounding, cap)
|
||||
s.Process.Capabilities.Ambient = append(s.Process.Capabilities.Ambient, cap)
|
||||
s.Process.Capabilities.Effective = append(s.Process.Capabilities.Effective, cap)
|
||||
s.Process.Capabilities.Inheritable = append(s.Process.Capabilities.Inheritable, cap)
|
||||
s.Process.Capabilities.Permitted = append(s.Process.Capabilities.Permitted, cap)
|
||||
}
|
||||
s.Linux.ReadonlyPaths = []string{}
|
||||
s.Linux.MaskedPaths = []string{}
|
||||
s.Process.ApparmorProfile = ""
|
||||
|
||||
s.Linux.Resources.Devices = []specs.LinuxDeviceCgroup{
|
||||
{
|
||||
Allow: true,
|
||||
Type: "c",
|
||||
Access: "rwm",
|
||||
},
|
||||
{
|
||||
Allow: true,
|
||||
Type: "b",
|
||||
Access: "rwm",
|
||||
},
|
||||
}
|
||||
|
||||
if !system.RunningInUserNS() {
|
||||
// Devices automatically mounted on insecure mode
|
||||
s.Linux.Devices = append(s.Linux.Devices, []specs.LinuxDevice{
|
||||
// Writes to this come out as printk's, reads export the buffered printk records. (dmesg)
|
||||
{
|
||||
Path: "/dev/kmsg",
|
||||
Type: "c",
|
||||
Major: 1,
|
||||
Minor: 11,
|
||||
},
|
||||
// Cuse (character device in user-space)
|
||||
{
|
||||
Path: "/dev/cuse",
|
||||
Type: "c",
|
||||
Major: 10,
|
||||
Minor: 203,
|
||||
},
|
||||
// Fuse (virtual filesystem in user-space)
|
||||
{
|
||||
Path: "/dev/fuse",
|
||||
Type: "c",
|
||||
Major: 10,
|
||||
Minor: 229,
|
||||
},
|
||||
// Kernel-based virtual machine (hardware virtualization extensions)
|
||||
{
|
||||
Path: "/dev/kvm",
|
||||
Type: "c",
|
||||
Major: 10,
|
||||
Minor: 232,
|
||||
},
|
||||
// TAP/TUN network device
|
||||
{
|
||||
Path: "/dev/net/tun",
|
||||
Type: "c",
|
||||
Major: 10,
|
||||
Minor: 200,
|
||||
},
|
||||
// Loopback control device
|
||||
{
|
||||
Path: "/dev/loop-control",
|
||||
Type: "c",
|
||||
Major: 10,
|
||||
Minor: 237,
|
||||
},
|
||||
}...)
|
||||
|
||||
loopID, err := getFreeLoopID()
|
||||
if err != nil {
|
||||
logrus.Debugf("failed to get next free loop device: %v", err)
|
||||
}
|
||||
|
||||
for i := 0; i <= loopID+7; i++ {
|
||||
s.Linux.Devices = append(s.Linux.Devices, specs.LinuxDevice{
|
||||
Path: fmt.Sprintf("/dev/loop%d", i),
|
||||
Type: "b",
|
||||
Major: 7,
|
||||
Minor: int64(i),
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func getFreeLoopID() (int, error) {
|
||||
fd, err := os.OpenFile("/dev/loop-control", os.O_RDWR, 0644)
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
defer fd.Close()
|
||||
|
||||
const _LOOP_CTL_GET_FREE = 0x4C82
|
||||
r1, _, uerr := unix.Syscall(unix.SYS_IOCTL, fd.Fd(), _LOOP_CTL_GET_FREE, 0)
|
||||
if uerr == 0 {
|
||||
return int(r1), nil
|
||||
}
|
||||
return 0, errors.Errorf("error getting free loop device: %v", uerr)
|
||||
}
|
||||
Reference in New Issue
Block a user