Add security-opt, device, priviledged and bindmount to the buildah task

Signed-off-by: Wei Shi <[email protected]>

pipelines/docker-build-multi-platform-oci-ta/README.md

@@ -47,11 +47,13 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| |
 |ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| |
 |ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | |
+|BIND_MOUNT_VAR_TMP| Whether to bind mount a host folder into a remote container as /var/tmp| false| |
 |BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| '['$(params.build-args[*])']'|
 |BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | '$(params.build-args-file)'|
 |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'|
 |COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'|
 |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'|
+|DEVICES| Comma separated list of --device values to add| | |
 |DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'|
 |ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| |
 |HERMETIC| Determines if build will be executed without network access.| false| '$(params.hermetic)'|
@@ -61,6 +63,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |LABELS| Additional key=value labels that should be applied to the image| []| |
 |PLATFORM| The platform to build on| None| |
 |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'|
+|PRIVILEGED| Whether to add --privileged to podman run which runs remotely| false| |
+|SECURITY_OPTS| Comma separated list of --security-opt values to add| | |
 |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| |
 |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'|
 |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| |

pipelines/docker-build-oci-ta/README.md

@@ -46,18 +46,22 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| |
 |ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| |
 |ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | |
+|BIND_MOUNT_VAR_TMP| Whether to bind mount a host folder into a remote container as /var/tmp| false| |
 |BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| '['$(params.build-args[*])']'|
 |BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | '$(params.build-args-file)'|
 |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'|
 |COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'|
 |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'|
+|DEVICES| Comma separated list of --device values to add| | |
 |DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'|
 |ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| |
 |HERMETIC| Determines if build will be executed without network access.| false| '$(params.hermetic)'|
 |IMAGE| Reference of the image buildah will produce.| None| '$(params.output-image)'|
 |IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'|
 |LABELS| Additional key=value labels that should be applied to the image| []| |
 |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'|
+|PRIVILEGED| Whether to add --privileged to podman run which runs remotely| false| |
+|SECURITY_OPTS| Comma separated list of --security-opt values to add| | |
 |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| |
 |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'|
 |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| |

pipelines/docker-build/README.md

@@ -46,17 +46,21 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| |
 |ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| |
 |ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | |
+|BIND_MOUNT_VAR_TMP| Whether to bind mount a host folder into a remote container as /var/tmp| false| |
 |BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| '['$(params.build-args[*])']'|
 |BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | '$(params.build-args-file)'|
 |COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'|
 |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'|
+|DEVICES| Comma separated list of --device values to add| | |
 |DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'|
 |ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| |
 |HERMETIC| Determines if build will be executed without network access.| false| '$(params.hermetic)'|
 |IMAGE| Reference of the image buildah will produce.| None| '$(params.output-image)'|
 |IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'|
 |LABELS| Additional key=value labels that should be applied to the image| []| |
 |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'|
+|PRIVILEGED| Whether to add --privileged to podman run which runs remotely| false| |
+|SECURITY_OPTS| Comma separated list of --security-opt values to add| | |
 |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| |
 |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| |
 |STORAGE_DRIVER| Storage driver to configure for buildah| vfs| |

pipelines/fbc-builder/README.md

@@ -44,17 +44,21 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| |
 |ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| |
 |ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | |
+|BIND_MOUNT_VAR_TMP| Whether to bind mount a host folder into a remote container as /var/tmp| false| |
 |BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| |
 |BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | |
 |COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'|
 |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'|
+|DEVICES| Comma separated list of --device values to add| | |
 |DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'|
 |ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| |
 |HERMETIC| Determines if build will be executed without network access.| false| '$(params.hermetic)'|
 |IMAGE| Reference of the image buildah will produce.| None| '$(params.output-image)'|
 |IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'|
 |LABELS| Additional key=value labels that should be applied to the image| []| |
 |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | |
+|PRIVILEGED| Whether to add --privileged to podman run which runs remotely| false| |
+|SECURITY_OPTS| Comma separated list of --security-opt values to add| | |
 |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| |
 |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| |
 |STORAGE_DRIVER| Storage driver to configure for buildah| vfs| |

task-generator/remote/main.go

@@ -228,18 +228,47 @@ if ! [[ $IS_LOCALHOST ]]; then
 		ret += "\nREMOTESSHEOF"
 		ret += "\nchmod +x " + script + "\n"
 
+    ret += `SECURITY_OPT_FLAGS=()
+if [ -n "${SECURITY_OPTS}" ]; then
+  IFS=',' read -ra SECURITY_OPTS_ARRAY <<< "$SECURITY_OPTS"
+  for SECURITY_OPT in "${SECURITY_OPTS_ARRAY[@]}"; do
+    SECURITY_OPT_FLAGS+=("--security-opt=$SECURITY_OPT")
+  done
+fi
+
+DEVICE_FLAGS=()
+if [ -n "${DEVICES}" ]; then
+  IFS=',' read -ra DEVICES_ARRAY <<< "$DEVICES"
+  for DEVICE in "${DEVICES_ARRAY[@]}"; do
+    DEVICE_FLAGS+=("--device=$DEVICE")
+  done
+fi`
+
 		if task.Spec.StepTemplate != nil {
 			for _, e := range task.Spec.StepTemplate.Env {
 				env += "    -e " + e.Name + "=\"$" + e.Name + "\" \\\n"
 			}
 		}
 		ret += "\nif ! [[ $IS_LOCALHOST ]]; then"
+    ret += "\n"
+    ret += `  PRIVILEGED_FLAG=""
+  if [[ "${PRIVILEGED}" == "true" ]]; then
+    PRIVILEGED_FLAG="--privileged"
+  fi
+
+  BIND_MOUNT_VAR_TMP_FLAG=""
+  if [[ "${BIND_MOUNT_VAR_TMP}" == "true" ]]; then
+    ssh $SSH_ARGS "$SSH_HOST"  mkdir -p "$BUILD_DIR/var/tmp"
+    BIND_MOUNT_VAR_TMP_FLAG="--mount type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared"
+  fi`
 		ret += "\n  rsync -ra scripts \"$SSH_HOST:$BUILD_DIR\""
 		containerScript := "scripts/script-" + step.Name + ".sh"
 		for _, e := range step.Env {
 			env += "    -e " + e.Name + "=\"$" + e.Name + "\" \\\n"
 		}
 		podmanArgs += "    -v \"$BUILD_DIR/scripts:/scripts:Z\" \\\n"
+		podmanArgs += "    \"$PRIVILEGED_FLAG\" \"$BIND_MOUNT_VAR_TMP_FLAG\" \\\n"
+		podmanArgs += "    \"${SECURITY_OPT_FLAGS[@]}\" \"${DEVICE_FLAGS[@]}\" \\\n"
 		ret += "\n  ssh $SSH_ARGS \"$SSH_HOST\" $PORT_FORWARD podman  run " + env + "" + podmanArgs + "    --user=0  --rm  \"$BUILDER_IMAGE\" /" + containerScript + ` "$@"`
 
 		// Sync the contents of the workspaces back so subsequent tasks can use them

task/buildah-oci-ta/0.2/README.md

@@ -11,18 +11,22 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
 |ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false|
 |ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false|
 |ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false|
+|BIND_MOUNT_VAR_TMP|Whether to bind mount a host folder into a remote container as /var/tmp|false|false|
 |BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false|
 |BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false|
 |CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
 |COMMIT_SHA|The image is built from this commit.|""|false|
 |CONTEXT|Path to the directory to use as context.|.|false|
+|DEVICES|Comma separated list of --device values to add|""|false|
 |DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false|
 |ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false|
 |HERMETIC|Determines if build will be executed without network access.|false|false|
 |IMAGE|Reference of the image buildah will produce.||true|
 |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
 |LABELS|Additional key=value labels that should be applied to the image|[]|false|
 |PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false|
+|PRIVILEGED|Whether to add --privileged to podman run which runs remotely|false|false|
+|SECURITY_OPTS|Comma separated list of --security-opt values to add|""|false|
 |SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false|
 |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
 |SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false|

task/buildah-oci-ta/0.2/buildah-oci-ta.yaml

@@ -30,6 +30,11 @@ spec:
         running 'buildah build'
       type: string
       default: ""
+    - name: BIND_MOUNT_VAR_TMP
+      description: Whether to bind mount a host folder into a remote container
+        as /var/tmp
+      type: string
+      default: "false"
     - name: BUILD_ARGS
       description: Array of --build-arg values ("arg=value" strings)
       type: array
@@ -51,6 +56,10 @@ spec:
       description: Path to the directory to use as context.
       type: string
       default: .
+    - name: DEVICES
+      description: Comma separated list of --device values to add
+      type: string
+      default: ""
     - name: DOCKERFILE
       description: Path to the Dockerfile to build.
       type: string
@@ -82,6 +91,14 @@ spec:
         be made available to the build.
       type: string
       default: ""
+    - name: PRIVILEGED
+      description: Whether to add --privileged to podman run which runs remotely
+      type: string
+      default: "false"
+    - name: SECURITY_OPTS
+      description: Comma separated list of --security-opt values to add
+      type: string
+      default: ""
     - name: SKIP_UNUSED_STAGES
       description: Whether to skip stages in Containerfile that seem unused
         by subsequent stages
@@ -182,12 +199,16 @@ spec:
         value: $(params.ADDITIONAL_SECRET)
       - name: ADD_CAPABILITIES
         value: $(params.ADD_CAPABILITIES)
+      - name: BIND_MOUNT_VAR_TMP
+        value: $(params.BIND_MOUNT_VAR_TMP)
       - name: BUILDAH_FORMAT
         value: oci
       - name: BUILD_ARGS_FILE
         value: $(params.BUILD_ARGS_FILE)
       - name: CONTEXT
         value: $(params.CONTEXT)
+      - name: DEVICES
+        value: $(params.DEVICES)
       - name: ENTITLEMENT_SECRET
         value: $(params.ENTITLEMENT_SECRET)
       - name: HERMETIC
@@ -196,6 +217,10 @@ spec:
         value: $(params.IMAGE)
       - name: IMAGE_EXPIRES_AFTER
         value: $(params.IMAGE_EXPIRES_AFTER)
+      - name: PRIVILEGED
+        value: $(params.PRIVILEGED)
+      - name: SECURITY_OPTS
+        value: $(params.SECURITY_OPTS)
       - name: SKIP_UNUSED_STAGES
         value: $(params.SKIP_UNUSED_STAGES)
       - name: SOURCE_CODE_DIR
@@ -372,6 +397,26 @@ spec:
 
         BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}")
 
+        SECURITY_OPT_FLAGS=()
+        if [ -n "${SECURITY_OPTS}" ]; then
+          IFS=',' read -ra SECURITY_OPTS_ARRAY <<<"$SECURITY_OPTS"
+          for SECURITY_OPT in "${SECURITY_OPTS_ARRAY[@]}"; do
+            SECURITY_OPT_FLAGS+=("--security-opt=$SECURITY_OPT")
+          done
+        fi
+
+        BUILDAH_ARGS+=("${SECURITY_OPT_FLAGS[@]}")
+
+        DEVICE_FLAGS=()
+        if [ -n "${DEVICES}" ]; then
+          IFS=',' read -ra DEVICES_ARRAY <<<"$DEVICES"
+          for DEVICE in "${DEVICES_ARRAY[@]}"; do
+            DEVICE_FLAGS+=("--device=$DEVICE")
+          done
+        fi
+
+        BUILDAH_ARGS+=("${DEVICE_FLAGS[@]}")
+
         if [ -n "${ADD_CAPABILITIES}" ]; then
           BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}")
         fi

task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml

@@ -444,8 +444,32 @@ spec:
       buildah push "$IMAGE" "oci:konflux-final-image:$IMAGE"
       REMOTESSHEOF
       chmod +x scripts/script-build.sh
+      SECURITY_OPT_FLAGS=()
+      if [ -n "${SECURITY_OPTS}" ]; then
+        IFS=',' read -ra SECURITY_OPTS_ARRAY <<< "$SECURITY_OPTS"
+        for SECURITY_OPT in "${SECURITY_OPTS_ARRAY[@]}"; do
+          SECURITY_OPT_FLAGS+=("--security-opt=$SECURITY_OPT")
+        done
+      fi
 
+      DEVICE_FLAGS=()
+      if [ -n "${DEVICES}" ]; then
+        IFS=',' read -ra DEVICES_ARRAY <<< "$DEVICES"
+        for DEVICE in "${DEVICES_ARRAY[@]}"; do
+          DEVICE_FLAGS+=("--device=$DEVICE")
+        done
+      fi
       if ! [[ $IS_LOCALHOST ]]; then
+        PRIVILEGED_FLAG=""
+        if [[ "${PRIVILEGED}" == "true" ]]; then
+          PRIVILEGED_FLAG="--privileged"
+        fi
+
+        BIND_MOUNT_VAR_TMP_FLAG=""
+        if [[ "${BIND_MOUNT_VAR_TMP}" == "true" ]]; then
+          ssh $SSH_ARGS "$SSH_HOST"  mkdir -p "$BUILD_DIR/var/tmp"
+          BIND_MOUNT_VAR_TMP_FLAG="--mount type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared"
+        fi
         rsync -ra scripts "$SSH_HOST:$BUILD_DIR"
         ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman  run $PODMAN_PORT_FORWARD \
           --tmpfs /run/secrets \
@@ -477,6 +501,8 @@ spec:
           -v "$BUILD_DIR/.docker/:/root/.docker:Z" \
           -v "$BUILD_DIR/results/:/tekton/results:Z" \
           -v "$BUILD_DIR/scripts:/scripts:Z" \
+          "$PRIVILEGED_FLAG" "$BIND_MOUNT_VAR_TMP_FLAG" \
+          "${SECURITY_OPT_FLAGS[@]}" "${DEVICE_FLAGS[@]}" \
           --user=0  --rm  "$BUILDER_IMAGE" /scripts/script-build.sh "$@"
         rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/
         rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/workdir/" /var/workdir/