From bb14eeddb2ff64a9cfe2e89e6f376c4912635424 Mon Sep 17 00:00:00 2001 From: Wei Shi Date: Mon, 6 Jan 2025 09:56:27 +0800 Subject: [PATCH] Reapply "Add PRIVILEGED_NESTED to the buildah task" This reverts commit ca880a9e47d12f534e0dbde30369cdf0ccb9d7e2. Signed-off-by: Wei Shi --- .../README.md | 1 + pipelines/docker-build-oci-ta/README.md | 1 + pipelines/docker-build/README.md | 1 + pipelines/fbc-builder/README.md | 1 + task-generator/remote/main.go | 13 +++++++++- task/buildah-oci-ta/0.2/README.md | 1 + task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 12 ++++++++++ task/buildah-oci-ta/0.3/README.md | 1 + task/buildah-oci-ta/0.3/buildah-oci-ta.yaml | 12 ++++++++++ .../0.1/buildah-remote-oci-ta.yaml | 11 +++++++++ .../0.2/buildah-remote-oci-ta.yaml | 24 +++++++++++++++++++ .../0.3/buildah-remote-oci-ta.yaml | 24 +++++++++++++++++++ task/buildah-remote/0.1/buildah-remote.yaml | 11 +++++++++ task/buildah-remote/0.2/buildah-remote.yaml | 24 +++++++++++++++++++ task/buildah-remote/0.3/buildah-remote.yaml | 24 +++++++++++++++++++ task/buildah/0.2/buildah.yaml | 12 ++++++++++ task/buildah/0.3/buildah.yaml | 12 ++++++++++ 17 files changed, 184 insertions(+), 1 deletion(-) diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md index 2e646b2d1f..d4922f0e9b 100644 --- a/pipelines/docker-build-multi-platform-oci-ta/README.md +++ b/pipelines/docker-build-multi-platform-oci-ta/README.md @@ -61,6 +61,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |LABELS| Additional key=value labels that should be applied to the image| []| | |PLATFORM| The platform to build on| None| | |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| +|PRIVILEGED_NESTED| Whether to enable privileged mode| false| | |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index a639a829be..a546bb3fa2 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md @@ -58,6 +58,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| |LABELS| Additional key=value labels that should be applied to the image| []| | |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| +|PRIVILEGED_NESTED| Whether to enable privileged mode| false| | |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index 329ae149d4..bd03768836 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md @@ -57,6 +57,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| |LABELS| Additional key=value labels that should be applied to the image| []| | |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| +|PRIVILEGED_NESTED| Whether to enable privileged mode| false| | |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | |STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | diff --git a/pipelines/fbc-builder/README.md b/pipelines/fbc-builder/README.md index 2057044844..5e2c52e31d 100644 --- a/pipelines/fbc-builder/README.md +++ b/pipelines/fbc-builder/README.md @@ -61,6 +61,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |LABELS| Additional key=value labels that should be applied to the image| []| | |PLATFORM| The platform to build on| None| | |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| +|PRIVILEGED_NESTED| Whether to enable privileged mode| false| | |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | diff --git a/task-generator/remote/main.go b/task-generator/remote/main.go index a99585980a..221fb73c39 100644 --- a/task-generator/remote/main.go +++ b/task-generator/remote/main.go @@ -168,6 +168,7 @@ if ! [[ $IS_LOCALHOST ]]; then export BUILD_DIR=$(cat /ssh/user-dir) export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" echo "$BUILD_DIR" + # shellcheck disable=SC2086 ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" PORT_FORWARD="" @@ -238,13 +239,23 @@ if ! [[ $IS_LOCALHOST ]]; then } } ret += "\nif ! [[ $IS_LOCALHOST ]]; then" + ret += "\n" + ret += ` PRIVILEGED_NESTED_FLAGS=() + if [[ "${PRIVILEGED_NESTED}" == "true" ]]; then + # This is a workaround for building bootc images because the cache filesystem (/var/tmp/ on the host) must be a real filesystem that supports setting SELinux security attributes. + # https://github.com/coreos/rpm-ostree/discussions/4648 + # shellcheck disable=SC2086 + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp" + PRIVILEGED_NESTED_FLAGS=(--privileged --mount "type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared") + fi` ret += "\n rsync -ra scripts \"$SSH_HOST:$BUILD_DIR\"" containerScript := "scripts/script-" + step.Name + ".sh" for _, e := range step.Env { env += " -e " + e.Name + "=\"$" + e.Name + "\" \\\n" } podmanArgs += " -v \"$BUILD_DIR/scripts:/scripts:Z\" \\\n" - ret += "\n ssh $SSH_ARGS \"$SSH_HOST\" $PORT_FORWARD podman run " + env + "" + podmanArgs + " --user=0 --rm \"$BUILDER_IMAGE\" /" + containerScript + ` "$@"` + podmanArgs += " \"${PRIVILEGED_NESTED_FLAGS[@]}\" \\\n" + ret += "\n # shellcheck disable=SC2086\n ssh $SSH_ARGS \"$SSH_HOST\" $PORT_FORWARD podman run " + env + "" + podmanArgs + " --user=0 --rm \"$BUILDER_IMAGE\" /" + containerScript + ` "$@"` // Sync the contents of the workspaces back so subsequent tasks can use them for _, workspace := range task.Spec.Workspaces { diff --git a/task/buildah-oci-ta/0.2/README.md b/task/buildah-oci-ta/0.2/README.md index 1718940ae7..b0de913eef 100644 --- a/task/buildah-oci-ta/0.2/README.md +++ b/task/buildah-oci-ta/0.2/README.md @@ -23,6 +23,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| |LABELS|Additional key=value labels that should be applied to the image|[]|false| |PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|PRIVILEGED_NESTED|Whether to enable privileged mode|false|false| |SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| |SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 98d25feb48..b6403bae1b 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -82,6 +82,10 @@ spec: be made available to the build. type: string default: "" + - name: PRIVILEGED_NESTED + description: Whether to enable privileged mode + type: string + default: "false" - name: SKIP_UNUSED_STAGES description: Whether to skip stages in Containerfile that seem unused by subsequent stages @@ -203,6 +207,8 @@ spec: value: $(params.IMAGE) - name: IMAGE_EXPIRES_AFTER value: $(params.IMAGE_EXPIRES_AFTER) + - name: PRIVILEGED_NESTED + value: $(params.PRIVILEGED_NESTED) - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) - name: SOURCE_CODE_DIR @@ -378,6 +384,12 @@ spec: BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}") + if [ "${PRIVILEGED_NESTED}" == "true" ]; then + BUILDAH_ARGS+=("--security-opt=label=disable") + BUILDAH_ARGS+=("--cap-add=all") + BUILDAH_ARGS+=("--device=/dev/fuse") + fi + if [ -n "${ADD_CAPABILITIES}" ]; then BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}") fi diff --git a/task/buildah-oci-ta/0.3/README.md b/task/buildah-oci-ta/0.3/README.md index ea84a85ffc..17a8eaa358 100644 --- a/task/buildah-oci-ta/0.3/README.md +++ b/task/buildah-oci-ta/0.3/README.md @@ -22,6 +22,7 @@ When prefetch-dependencies task is activated it is using its artifacts to run bu |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| |LABELS|Additional key=value labels that should be applied to the image|[]|false| |PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|PRIVILEGED_NESTED|Whether to enable privileged mode|false|false| |SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| |SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| diff --git a/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml index e204c760b8..551c792a35 100644 --- a/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml @@ -81,6 +81,10 @@ spec: be made available to the build. type: string default: "" + - name: PRIVILEGED_NESTED + description: Whether to enable privileged mode + type: string + default: "false" - name: SKIP_UNUSED_STAGES description: Whether to skip stages in Containerfile that seem unused by subsequent stages @@ -196,6 +200,8 @@ spec: value: $(params.IMAGE) - name: IMAGE_EXPIRES_AFTER value: $(params.IMAGE_EXPIRES_AFTER) + - name: PRIVILEGED_NESTED + value: $(params.PRIVILEGED_NESTED) - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) - name: SOURCE_CODE_DIR @@ -366,6 +372,12 @@ spec: BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}") + if [ "${PRIVILEGED_NESTED}" == "true" ]; then + BUILDAH_ARGS+=("--security-opt=label=disable") + BUILDAH_ARGS+=("--cap-add=all") + BUILDAH_ARGS+=("--device=/dev/fuse") + fi + if [ -n "${ADD_CAPABILITIES}" ]; then BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}") fi diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index 7967e4be69..b47ade17e7 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -241,6 +241,7 @@ spec: export BUILD_DIR=$(cat /ssh/user-dir) export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" echo "$BUILD_DIR" + # shellcheck disable=SC2086 ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" PORT_FORWARD="" @@ -446,7 +447,16 @@ spec: chmod +x scripts/script-build.sh if ! [[ $IS_LOCALHOST ]]; then + PRIVILEGED_NESTED_FLAGS=() + if [[ "${PRIVILEGED_NESTED}" == "true" ]]; then + # This is a workaround for building bootc images because the cache filesystem (/var/tmp/ on the host) must be a real filesystem that supports setting SELinux security attributes. + # https://github.com/coreos/rpm-ostree/discussions/4648 + # shellcheck disable=SC2086 + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp" + PRIVILEGED_NESTED_FLAGS=(--privileged --mount "type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared") + fi rsync -ra scripts "$SSH_HOST:$BUILD_DIR" + # shellcheck disable=SC2086 ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ --tmpfs /run/secrets \ -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ @@ -477,6 +487,7 @@ spec: -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ -v "$BUILD_DIR/results/:/tekton/results:Z" \ -v "$BUILD_DIR/scripts:/scripts:Z" \ + "${PRIVILEGED_NESTED_FLAGS[@]}" \ --user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh "$@" rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/workdir/" /var/workdir/ diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 79105a5e12..c723c359f4 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -81,6 +81,10 @@ spec: to the build. name: PREFETCH_INPUT type: string + - default: "false" + description: Whether to enable privileged mode + name: PRIVILEGED_NESTED + type: string - default: "true" description: Whether to skip stages in Containerfile that seem unused by subsequent stages @@ -182,6 +186,8 @@ spec: value: $(params.IMAGE) - name: IMAGE_EXPIRES_AFTER value: $(params.IMAGE_EXPIRES_AFTER) + - name: PRIVILEGED_NESTED + value: $(params.PRIVILEGED_NESTED) - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) - name: SOURCE_CODE_DIR @@ -267,6 +273,7 @@ spec: export BUILD_DIR=$(cat /ssh/user-dir) export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" echo "$BUILD_DIR" + # shellcheck disable=SC2086 ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" PORT_FORWARD="" @@ -411,6 +418,12 @@ spec: BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}") + if [ "${PRIVILEGED_NESTED}" == "true" ]; then + BUILDAH_ARGS+=("--security-opt=label=disable") + BUILDAH_ARGS+=("--cap-add=all") + BUILDAH_ARGS+=("--device=/dev/fuse") + fi + if [ -n "${ADD_CAPABILITIES}" ]; then BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}") fi @@ -582,7 +595,16 @@ spec: chmod +x scripts/script-build.sh if ! [[ $IS_LOCALHOST ]]; then + PRIVILEGED_NESTED_FLAGS=() + if [[ "${PRIVILEGED_NESTED}" == "true" ]]; then + # This is a workaround for building bootc images because the cache filesystem (/var/tmp/ on the host) must be a real filesystem that supports setting SELinux security attributes. + # https://github.com/coreos/rpm-ostree/discussions/4648 + # shellcheck disable=SC2086 + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp" + PRIVILEGED_NESTED_FLAGS=(--privileged --mount "type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared") + fi rsync -ra scripts "$SSH_HOST:$BUILD_DIR" + # shellcheck disable=SC2086 ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ --tmpfs /run/secrets \ -e ACTIVATION_KEY="$ACTIVATION_KEY" \ @@ -595,6 +617,7 @@ spec: -e HERMETIC="$HERMETIC" \ -e IMAGE="$IMAGE" \ -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ + -e PRIVILEGED_NESTED="$PRIVILEGED_NESTED" \ -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \ -e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \ -e SQUASH="$SQUASH" \ @@ -615,6 +638,7 @@ spec: -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ -v "$BUILD_DIR/results/:/tekton/results:Z" \ -v "$BUILD_DIR/scripts:/scripts:Z" \ + "${PRIVILEGED_NESTED_FLAGS[@]}" \ --user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh "$@" rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/workdir/" /var/workdir/ diff --git a/task/buildah-remote-oci-ta/0.3/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.3/buildah-remote-oci-ta.yaml index 001a119ae4..0a7ff19b56 100644 --- a/task/buildah-remote-oci-ta/0.3/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.3/buildah-remote-oci-ta.yaml @@ -80,6 +80,10 @@ spec: to the build. name: PREFETCH_INPUT type: string + - default: "false" + description: Whether to enable privileged mode + name: PRIVILEGED_NESTED + type: string - default: "true" description: Whether to skip stages in Containerfile that seem unused by subsequent stages @@ -175,6 +179,8 @@ spec: value: $(params.IMAGE) - name: IMAGE_EXPIRES_AFTER value: $(params.IMAGE_EXPIRES_AFTER) + - name: PRIVILEGED_NESTED + value: $(params.PRIVILEGED_NESTED) - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) - name: SOURCE_CODE_DIR @@ -260,6 +266,7 @@ spec: export BUILD_DIR=$(cat /ssh/user-dir) export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" echo "$BUILD_DIR" + # shellcheck disable=SC2086 ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" PORT_FORWARD="" @@ -399,6 +406,12 @@ spec: BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}") + if [ "${PRIVILEGED_NESTED}" == "true" ]; then + BUILDAH_ARGS+=("--security-opt=label=disable") + BUILDAH_ARGS+=("--cap-add=all") + BUILDAH_ARGS+=("--device=/dev/fuse") + fi + if [ -n "${ADD_CAPABILITIES}" ]; then BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}") fi @@ -570,7 +583,16 @@ spec: chmod +x scripts/script-build.sh if ! [[ $IS_LOCALHOST ]]; then + PRIVILEGED_NESTED_FLAGS=() + if [[ "${PRIVILEGED_NESTED}" == "true" ]]; then + # This is a workaround for building bootc images because the cache filesystem (/var/tmp/ on the host) must be a real filesystem that supports setting SELinux security attributes. + # https://github.com/coreos/rpm-ostree/discussions/4648 + # shellcheck disable=SC2086 + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp" + PRIVILEGED_NESTED_FLAGS=(--privileged --mount "type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared") + fi rsync -ra scripts "$SSH_HOST:$BUILD_DIR" + # shellcheck disable=SC2086 ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ --tmpfs /run/secrets \ -e ACTIVATION_KEY="$ACTIVATION_KEY" \ @@ -583,6 +605,7 @@ spec: -e HERMETIC="$HERMETIC" \ -e IMAGE="$IMAGE" \ -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ + -e PRIVILEGED_NESTED="$PRIVILEGED_NESTED" \ -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \ -e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \ -e SQUASH="$SQUASH" \ @@ -603,6 +626,7 @@ spec: -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ -v "$BUILD_DIR/results/:/tekton/results:Z" \ -v "$BUILD_DIR/scripts:/scripts:Z" \ + "${PRIVILEGED_NESTED_FLAGS[@]}" \ --user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh "$@" rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/workdir/" /var/workdir/ diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index 71f6ebdabd..8d12e7f080 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml @@ -229,6 +229,7 @@ spec: export BUILD_DIR=$(cat /ssh/user-dir) export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" echo "$BUILD_DIR" + # shellcheck disable=SC2086 ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" PORT_FORWARD="" @@ -438,7 +439,16 @@ spec: chmod +x scripts/script-build.sh if ! [[ $IS_LOCALHOST ]]; then + PRIVILEGED_NESTED_FLAGS=() + if [[ "${PRIVILEGED_NESTED}" == "true" ]]; then + # This is a workaround for building bootc images because the cache filesystem (/var/tmp/ on the host) must be a real filesystem that supports setting SELinux security attributes. + # https://github.com/coreos/rpm-ostree/discussions/4648 + # shellcheck disable=SC2086 + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp" + PRIVILEGED_NESTED_FLAGS=(--privileged --mount "type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared") + fi rsync -ra scripts "$SSH_HOST:$BUILD_DIR" + # shellcheck disable=SC2086 ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ --tmpfs /run/secrets \ -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ @@ -470,6 +480,7 @@ spec: -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ -v "$BUILD_DIR/results/:/tekton/results:Z" \ -v "$BUILD_DIR/scripts:/scripts:Z" \ + "${PRIVILEGED_NESTED_FLAGS[@]}" \ --user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh "$@" rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/" rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index ef885af6b4..75b4b6a1dc 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -119,6 +119,10 @@ spec: description: Additional key=value labels that should be applied to the image name: LABELS type: array + - default: "false" + description: Whether to enable privileged mode + name: PRIVILEGED_NESTED + type: string - description: The platform to build on name: PLATFORM type: string @@ -191,6 +195,8 @@ spec: value: $(params.SQUASH) - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) + - name: PRIVILEGED_NESTED + value: $(params.PRIVILEGED_NESTED) - name: BUILDER_IMAGE value: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c - name: PLATFORM @@ -249,6 +255,7 @@ spec: export BUILD_DIR=$(cat /ssh/user-dir) export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" echo "$BUILD_DIR" + # shellcheck disable=SC2086 ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" PORT_FORWARD="" @@ -387,6 +394,12 @@ spec: BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}") + if [ "${PRIVILEGED_NESTED}" == "true" ]; then + BUILDAH_ARGS+=("--security-opt=label=disable") + BUILDAH_ARGS+=("--cap-add=all") + BUILDAH_ARGS+=("--device=/dev/fuse") + fi + if [ -n "${ADD_CAPABILITIES}" ]; then BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}") fi @@ -558,7 +571,16 @@ spec: chmod +x scripts/script-build.sh if ! [[ $IS_LOCALHOST ]]; then + PRIVILEGED_NESTED_FLAGS=() + if [[ "${PRIVILEGED_NESTED}" == "true" ]]; then + # This is a workaround for building bootc images because the cache filesystem (/var/tmp/ on the host) must be a real filesystem that supports setting SELinux security attributes. + # https://github.com/coreos/rpm-ostree/discussions/4648 + # shellcheck disable=SC2086 + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp" + PRIVILEGED_NESTED_FLAGS=(--privileged --mount "type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared") + fi rsync -ra scripts "$SSH_HOST:$BUILD_DIR" + # shellcheck disable=SC2086 ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ --tmpfs /run/secrets \ -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ @@ -580,6 +602,7 @@ spec: -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ -e SQUASH="$SQUASH" \ -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \ + -e PRIVILEGED_NESTED="$PRIVILEGED_NESTED" \ -e COMMIT_SHA="$COMMIT_SHA" \ -e DOCKERFILE="$DOCKERFILE" \ -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \ @@ -591,6 +614,7 @@ spec: -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ -v "$BUILD_DIR/results/:/tekton/results:Z" \ -v "$BUILD_DIR/scripts:/scripts:Z" \ + "${PRIVILEGED_NESTED_FLAGS[@]}" \ --user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh "$@" rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/" rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ diff --git a/task/buildah-remote/0.3/buildah-remote.yaml b/task/buildah-remote/0.3/buildah-remote.yaml index eba4d2c72c..63343f5dc8 100644 --- a/task/buildah-remote/0.3/buildah-remote.yaml +++ b/task/buildah-remote/0.3/buildah-remote.yaml @@ -118,6 +118,10 @@ spec: description: Additional key=value labels that should be applied to the image name: LABELS type: array + - default: "false" + description: Whether to enable privileged mode + name: PRIVILEGED_NESTED + type: string - description: The platform to build on name: PLATFORM type: string @@ -184,6 +188,8 @@ spec: value: $(params.SQUASH) - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) + - name: PRIVILEGED_NESTED + value: $(params.PRIVILEGED_NESTED) - name: BUILDER_IMAGE value: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c - name: PLATFORM @@ -242,6 +248,7 @@ spec: export BUILD_DIR=$(cat /ssh/user-dir) export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" echo "$BUILD_DIR" + # shellcheck disable=SC2086 ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes" PORT_FORWARD="" @@ -375,6 +382,12 @@ spec: BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}") + if [ "${PRIVILEGED_NESTED}" == "true" ]; then + BUILDAH_ARGS+=("--security-opt=label=disable") + BUILDAH_ARGS+=("--cap-add=all") + BUILDAH_ARGS+=("--device=/dev/fuse") + fi + if [ -n "${ADD_CAPABILITIES}" ]; then BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}") fi @@ -546,7 +559,16 @@ spec: chmod +x scripts/script-build.sh if ! [[ $IS_LOCALHOST ]]; then + PRIVILEGED_NESTED_FLAGS=() + if [[ "${PRIVILEGED_NESTED}" == "true" ]]; then + # This is a workaround for building bootc images because the cache filesystem (/var/tmp/ on the host) must be a real filesystem that supports setting SELinux security attributes. + # https://github.com/coreos/rpm-ostree/discussions/4648 + # shellcheck disable=SC2086 + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp" + PRIVILEGED_NESTED_FLAGS=(--privileged --mount "type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared") + fi rsync -ra scripts "$SSH_HOST:$BUILD_DIR" + # shellcheck disable=SC2086 ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ --tmpfs /run/secrets \ -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ @@ -568,6 +590,7 @@ spec: -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ -e SQUASH="$SQUASH" \ -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \ + -e PRIVILEGED_NESTED="$PRIVILEGED_NESTED" \ -e COMMIT_SHA="$COMMIT_SHA" \ -e DOCKERFILE="$DOCKERFILE" \ -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \ @@ -579,6 +602,7 @@ spec: -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ -v "$BUILD_DIR/results/:/tekton/results:Z" \ -v "$BUILD_DIR/scripts:/scripts:Z" \ + "${PRIVILEGED_NESTED_FLAGS[@]}" \ --user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh "$@" rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/" rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 214314fd72..2b0f37a84f 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -107,6 +107,10 @@ spec: description: Additional key=value labels that should be applied to the image type: array default: [] + - name: PRIVILEGED_NESTED + description: Whether to enable privileged mode + type: string + default: "false" results: - description: Digest of the image just built @@ -173,6 +177,8 @@ spec: value: $(params.SQUASH) - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) + - name: PRIVILEGED_NESTED + value: $(params.PRIVILEGED_NESTED) steps: - image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c @@ -309,6 +315,12 @@ spec: BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}") + if [ "${PRIVILEGED_NESTED}" == "true" ]; then + BUILDAH_ARGS+=("--security-opt=label=disable") + BUILDAH_ARGS+=("--cap-add=all") + BUILDAH_ARGS+=("--device=/dev/fuse") + fi + if [ -n "${ADD_CAPABILITIES}" ]; then BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}") fi diff --git a/task/buildah/0.3/buildah.yaml b/task/buildah/0.3/buildah.yaml index e011de82df..9016aeef44 100644 --- a/task/buildah/0.3/buildah.yaml +++ b/task/buildah/0.3/buildah.yaml @@ -106,6 +106,10 @@ spec: description: Additional key=value labels that should be applied to the image type: array default: [] + - name: PRIVILEGED_NESTED + description: Whether to enable privileged mode + type: string + default: "false" results: - description: Digest of the image just built @@ -167,6 +171,8 @@ spec: value: $(params.SQUASH) - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) + - name: PRIVILEGED_NESTED + value: $(params.PRIVILEGED_NESTED) steps: - image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c @@ -298,6 +304,12 @@ spec: BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}") + if [ "${PRIVILEGED_NESTED}" == "true" ]; then + BUILDAH_ARGS+=("--security-opt=label=disable") + BUILDAH_ARGS+=("--cap-add=all") + BUILDAH_ARGS+=("--device=/dev/fuse") + fi + if [ -n "${ADD_CAPABILITIES}" ]; then BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}") fi