diff --git a/go.mod b/go.mod
index 1972eb2d28..ea121e16c2 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd // indirect
github.com/containernetworking/cni v0.8.1
github.com/containernetworking/plugins v0.9.0
- github.com/containers/buildah v1.19.6
+ github.com/containers/buildah v1.19.7
github.com/containers/common v0.35.0
github.com/containers/conmon v2.0.20+incompatible
github.com/containers/image/v5 v5.10.2
diff --git a/go.sum b/go.sum
index 5dc5687195..771cf3fdb6 100644
--- a/go.sum
+++ b/go.sum
@@ -97,8 +97,8 @@ github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ
github.com/containernetworking/plugins v0.8.7/go.mod h1:R7lXeZaBzpfqapcAbHRW8/CYwm0dHzbz0XEjofx0uB0=
github.com/containernetworking/plugins v0.9.0 h1:c+1gegKhR7+d0Caum9pEHugZlyhXPOG6v3V6xJgIGCI=
github.com/containernetworking/plugins v0.9.0/go.mod h1:dbWv4dI0QrBGuVgj+TuVQ6wJRZVOhrCQj91YyC92sxg=
-github.com/containers/buildah v1.19.6 h1:8mPysB7QzHxX9okR+Bwq/lsKAZA/FjDcqB+vebgwI1g=
-github.com/containers/buildah v1.19.6/go.mod h1:VnyHWgNmfR1d89/zJ/F4cbwOzaQS+6sBky46W7dCo3E=
+github.com/containers/buildah v1.19.7 h1:/g11GlhTo177xFex+5GHlF22hq01SyWaJuSA26UGFNU=
+github.com/containers/buildah v1.19.7/go.mod h1:VnyHWgNmfR1d89/zJ/F4cbwOzaQS+6sBky46W7dCo3E=
github.com/containers/common v0.33.4/go.mod h1:PhgL71XuC4jJ/1BIqeP7doke3aMFkCP90YBXwDeUr9g=
github.com/containers/common v0.35.0 h1:1OLZ2v+Tj/CN9BTQkKZ5VOriOiArJedinMMqfJRUI38=
github.com/containers/common v0.35.0/go.mod h1:gs1th7XFTOvVUl4LDPdQjOfOeNiVRDbQ7CNrZ0wS6F8=
diff --git a/vendor/github.com/containers/buildah/add.go b/vendor/github.com/containers/buildah/add.go
index 0903fc7db5..cd466ccb39 100644
--- a/vendor/github.com/containers/buildah/add.go
+++ b/vendor/github.com/containers/buildah/add.go
@@ -324,13 +324,33 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
return errors.Wrapf(err, "error processing excludes list %v", options.Excludes)
}
- // Copy each source in turn.
+ // Make sure that, if it's a symlink, we'll chroot to the target of the link;
+ // knowing that target requires that we resolve it within the chroot.
+ evalOptions := copier.EvalOptions{}
+ evaluated, err := copier.Eval(mountPoint, extractDirectory, evalOptions)
+ if err != nil {
+ return errors.Wrapf(err, "error checking on destination %v", extractDirectory)
+ }
+ extractDirectory = evaluated
+
+ // Set up ID maps.
var srcUIDMap, srcGIDMap []idtools.IDMap
if options.IDMappingOptions != nil {
srcUIDMap, srcGIDMap = convertRuntimeIDMaps(options.IDMappingOptions.UIDMap, options.IDMappingOptions.GIDMap)
}
destUIDMap, destGIDMap := convertRuntimeIDMaps(b.IDMappingOptions.UIDMap, b.IDMappingOptions.GIDMap)
+ // Create the target directory if it doesn't exist yet.
+ mkdirOptions := copier.MkdirOptions{
+ UIDMap: destUIDMap,
+ GIDMap: destGIDMap,
+ ChownNew: chownDirs,
+ }
+ if err := copier.Mkdir(mountPoint, extractDirectory, mkdirOptions); err != nil {
+ return errors.Wrapf(err, "error ensuring target directory exists")
+ }
+
+ // Copy each source in turn.
for _, src := range sources {
var multiErr *multierror.Error
var getErr, closeErr, renameErr, putErr error
@@ -363,7 +383,7 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
ChmodFiles: nil,
IgnoreDevices: rsystem.RunningInUserNS(),
}
- putErr = copier.Put(mountPoint, extractDirectory, putOptions, io.TeeReader(pipeReader, hasher))
+ putErr = copier.Put(extractDirectory, extractDirectory, putOptions, io.TeeReader(pipeReader, hasher))
}
hashCloser.Close()
pipeReader.Close()
@@ -498,7 +518,7 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
ChmodFiles: nil,
IgnoreDevices: rsystem.RunningInUserNS(),
}
- putErr = copier.Put(mountPoint, extractDirectory, putOptions, io.TeeReader(pipeReader, hasher))
+ putErr = copier.Put(extractDirectory, extractDirectory, putOptions, io.TeeReader(pipeReader, hasher))
}
hashCloser.Close()
pipeReader.Close()
diff --git a/vendor/github.com/containers/buildah/buildah.go b/vendor/github.com/containers/buildah/buildah.go
index dd43ea99af..77d313c586 100644
--- a/vendor/github.com/containers/buildah/buildah.go
+++ b/vendor/github.com/containers/buildah/buildah.go
@@ -28,7 +28,7 @@ const (
Package = "buildah"
// Version for the Package. Bump version in contrib/rpm/buildah.spec
// too.
- Version = "1.19.6"
+ Version = "1.19.7"
// The value we use to identify what type of information, currently a
// serialized Builder structure, we are using as per-container state.
// This should only be changed when we make incompatible changes to
diff --git a/vendor/github.com/containers/buildah/copier/copier.go b/vendor/github.com/containers/buildah/copier/copier.go
index 63cdb19748..b5e107d4ba 100644
--- a/vendor/github.com/containers/buildah/copier/copier.go
+++ b/vendor/github.com/containers/buildah/copier/copier.go
@@ -70,6 +70,7 @@ func isArchivePath(path string) bool {
type requestType string
const (
+ requestEval requestType = "EVAL"
requestStat requestType = "STAT"
requestGet requestType = "GET"
requestPut requestType = "PUT"
@@ -95,6 +96,8 @@ type request struct {
func (req *request) Excludes() []string {
switch req.Request {
+ case requestEval:
+ return nil
case requestStat:
return req.StatOptions.Excludes
case requestGet:
@@ -112,6 +115,8 @@ func (req *request) Excludes() []string {
func (req *request) UIDMap() []idtools.IDMap {
switch req.Request {
+ case requestEval:
+ return nil
case requestStat:
return nil
case requestGet:
@@ -129,6 +134,8 @@ func (req *request) UIDMap() []idtools.IDMap {
func (req *request) GIDMap() []idtools.IDMap {
switch req.Request {
+ case requestEval:
+ return nil
case requestStat:
return nil
case requestGet:
@@ -148,6 +155,7 @@ func (req *request) GIDMap() []idtools.IDMap {
type response struct {
Error string `json:",omitempty"`
Stat statResponse
+ Eval evalResponse
Get getResponse
Put putResponse
Mkdir mkdirResponse
@@ -158,6 +166,11 @@ type statResponse struct {
Globs []*StatsForGlob
}
+// evalResponse encodes a response for a single Eval request.
+type evalResponse struct {
+ Evaluated string
+}
+
// StatsForGlob encode results for a single glob pattern passed to Stat().
type StatsForGlob struct {
Error string `json:",omitempty"` // error if the Glob pattern was malformed
@@ -192,6 +205,33 @@ type putResponse struct {
type mkdirResponse struct {
}
+// EvalOptions controls parts of Eval()'s behavior.
+type EvalOptions struct {
+}
+
+// Eval evaluates the directory's path, including any intermediate symbolic
+// links.
+// If root is specified and the current OS supports it, and the calling process
+// has the necessary privileges, evaluation is performed in a chrooted context.
+// If the directory is specified as an absolute path, it should either be the
+// root directory or a subdirectory of the root directory. Otherwise, the
+// directory is treated as a path relative to the root directory.
+func Eval(root string, directory string, options EvalOptions) (string, error) {
+ req := request{
+ Request: requestEval,
+ Root: root,
+ Directory: directory,
+ }
+ resp, err := copier(nil, nil, req)
+ if err != nil {
+ return "", err
+ }
+ if resp.Error != "" {
+ return "", errors.New(resp.Error)
+ }
+ return resp.Eval.Evaluated, nil
+}
+
// StatOptions controls parts of Stat()'s behavior.
type StatOptions struct {
CheckForArchives bool // check for and populate the IsArchive bit in returned values
@@ -243,6 +283,7 @@ type GetOptions struct {
StripXattrs bool // don't record extended attributes of items being copied. no effect on archives being extracted
KeepDirectoryNames bool // don't strip the top directory's basename from the paths of items in subdirectories
Rename map[string]string // rename items with the specified names, or under the specified names
+ NoDerefSymlinks bool // don't follow symlinks when globs match them
}
// Get produces an archive containing items that match the specified glob
@@ -557,6 +598,9 @@ func copierWithSubprocess(bulkReader io.Reader, bulkWriter io.Writer, req reques
return killAndReturn(err, "error encoding request for copier subprocess")
}
if err = decoder.Decode(&resp); err != nil {
+ if errors.Is(err, io.EOF) && errorBuffer.Len() > 0 {
+ return killAndReturn(errors.New(errorBuffer.String()), "error in copier subprocess")
+ }
return killAndReturn(err, "error decoding response from copier subprocess")
}
if err = encoder.Encode(&request{Request: requestQuit}); err != nil {
@@ -667,7 +711,7 @@ func copierMain() {
var err error
chrooted, err = chroot(req.Root)
if err != nil {
- fmt.Fprintf(os.Stderr, "error changing to intended-new-root directory %q: %v", req.Root, err)
+ fmt.Fprintf(os.Stderr, "%v", err)
os.Exit(1)
}
}
@@ -762,6 +806,9 @@ func copierHandler(bulkReader io.Reader, bulkWriter io.Writer, req request) (*re
switch req.Request {
default:
return nil, nil, errors.Errorf("not an implemented request type: %q", req.Request)
+ case requestEval:
+ resp := copierHandlerEval(req)
+ return resp, nil, nil
case requestStat:
resp := copierHandlerStat(req, pm)
return resp, nil, nil
@@ -870,6 +917,17 @@ func resolvePath(root, path string, pm *fileutils.PatternMatcher) (string, error
return workingPath, nil
}
+func copierHandlerEval(req request) *response {
+ errorResponse := func(fmtspec string, args ...interface{}) *response {
+ return &response{Error: fmt.Sprintf(fmtspec, args...), Eval: evalResponse{}}
+ }
+ resolvedTarget, err := resolvePath(req.Root, req.Directory, nil)
+ if err != nil {
+ return errorResponse("copier: eval: error resolving %q: %v", req.Directory, err)
+ }
+ return &response{Eval: evalResponse{Evaluated: filepath.Join(req.rootPrefix, resolvedTarget)}}
+}
+
func copierHandlerStat(req request, pm *fileutils.PatternMatcher) *response {
errorResponse := func(fmtspec string, args ...interface{}) *response {
return &response{Error: fmt.Sprintf(fmtspec, args...), Stat: statResponse{}}
@@ -1024,7 +1082,7 @@ func copierHandlerGet(bulkWriter io.Writer, req request, pm *fileutils.PatternMa
// chase links. if we hit a dead end, we should just fail
followedLinks := 0
const maxFollowedLinks = 16
- for info.Mode()&os.ModeType == os.ModeSymlink && followedLinks < maxFollowedLinks {
+ for !req.GetOptions.NoDerefSymlinks && info.Mode()&os.ModeType == os.ModeSymlink && followedLinks < maxFollowedLinks {
path, err := os.Readlink(item)
if err != nil {
continue
@@ -1139,7 +1197,8 @@ func handleRename(rename map[string]string, name string) string {
return path.Join(mappedPrefix, remainder)
}
if prefix[len(prefix)-1] == '/' {
- if mappedPrefix, ok := rename[prefix[:len(prefix)-1]]; ok {
+ prefix = prefix[:len(prefix)-1]
+ if mappedPrefix, ok := rename[prefix]; ok {
return path.Join(mappedPrefix, remainder)
}
}
diff --git a/vendor/github.com/containers/buildah/copier/syscall_unix.go b/vendor/github.com/containers/buildah/copier/syscall_unix.go
index 2c2806d0a3..aa40f327c9 100644
--- a/vendor/github.com/containers/buildah/copier/syscall_unix.go
+++ b/vendor/github.com/containers/buildah/copier/syscall_unix.go
@@ -3,10 +3,10 @@
package copier
import (
- "fmt"
"os"
"time"
+ "github.com/pkg/errors"
"golang.org/x/sys/unix"
)
@@ -15,13 +15,13 @@ var canChroot = os.Getuid() == 0
func chroot(root string) (bool, error) {
if canChroot {
if err := os.Chdir(root); err != nil {
- return false, fmt.Errorf("error changing to intended-new-root directory %q: %v", root, err)
+ return false, errors.Wrapf(err, "error changing to intended-new-root directory %q", root)
}
if err := unix.Chroot(root); err != nil {
- return false, fmt.Errorf("error chrooting to directory %q: %v", root, err)
+ return false, errors.Wrapf(err, "error chrooting to directory %q", root)
}
if err := os.Chdir(string(os.PathSeparator)); err != nil {
- return false, fmt.Errorf("error changing to just-became-root directory %q: %v", root, err)
+ return false, errors.Wrapf(err, "error changing to just-became-root directory %q", root)
}
return true, nil
}
diff --git a/vendor/github.com/containers/buildah/pkg/overlay/overlay.go b/vendor/github.com/containers/buildah/pkg/overlay/overlay.go
index a3e5866eef..4625619836 100644
--- a/vendor/github.com/containers/buildah/pkg/overlay/overlay.go
+++ b/vendor/github.com/containers/buildah/pkg/overlay/overlay.go
@@ -77,13 +77,11 @@ func mountHelper(contentDir, source, dest string, _, _ int, graphOptions []strin
// Read-write overlay mounts want a lower, upper and a work layer.
workDir := filepath.Join(contentDir, "work")
upperDir := filepath.Join(contentDir, "upper")
- st, err := os.Stat(dest)
- if err == nil {
- if err := os.Chmod(upperDir, st.Mode()); err != nil {
- return mount, err
- }
+ st, err := os.Stat(source)
+ if err != nil {
+ return mount, err
}
- if !os.IsNotExist(err) {
+ if err := os.Chmod(upperDir, st.Mode()); err != nil {
return mount, err
}
overlayOptions = fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s,private", source, upperDir, workDir)
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 1d192693da..b5e8d974e9 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -72,7 +72,7 @@ github.com/containernetworking/plugins/pkg/utils/hwaddr
github.com/containernetworking/plugins/pkg/utils/sysctl
github.com/containernetworking/plugins/plugins/ipam/host-local/backend
github.com/containernetworking/plugins/plugins/ipam/host-local/backend/allocator
-# github.com/containers/buildah v1.19.6
+# github.com/containers/buildah v1.19.7
github.com/containers/buildah
github.com/containers/buildah/bind
github.com/containers/buildah/chroot