From c81a518b84ff825fddf3d97edb0182c3e2575825 Mon Sep 17 00:00:00 2001
From: Wei Shi
Date: Mon, 28 Oct 2024 19:07:39 +0800
Subject: [PATCH] Add security-opt, device, priviledged and bindmount to the buildah task

Signed-off-by: Wei Shi
---
.../README.md | 4 +
pipelines/docker-build-oci-ta/README.md | 4 +
pipelines/docker-build/README.md | 4 +
pipelines/fbc-builder/README.md | 4 +
task-generator/remote/main.go | 29 ++++++++
task/buildah-oci-ta/0.2/README.md | 4 +
task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 45 +++++++++++
.../0.1/buildah-remote-oci-ta.yaml | 26 +++++++
.../0.2/buildah-remote-oci-ta.yaml | 74 +++++++++++++++++++
task/buildah-remote/0.1/buildah-remote.yaml | 26 +++++++
task/buildah-remote/0.2/buildah-remote.yaml | 74 +++++++++++++++++++
task/buildah/0.2/buildah.yaml | 44 +++++++++++
12 files changed, 338 insertions(+)

diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md
index cb1641950..5362a8425 100644
--- a/pipelines/docker-build-multi-platform-oci-ta/README.md
+++ b/pipelines/docker-build-multi-platform-oci-ta/README.md
@@ -47,11 +47,13 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| | |ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | | +|BIND_MOUNT_VAR_TMP| Whether to bind mount a host folder into a remote container as /var/tmp| false| | |BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| '['$(params.build-args[*])']'| |BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | '$(params.build-args-file)'| |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| |COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'| |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| +|DEVICES| Comma separated list of --device values to add| | | |DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'| |ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| | |HERMETIC| Determines if build will be executed without network access.| false| '$(params.hermetic)'| 
@@ -61,6 +63,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |LABELS| Additional key=value labels that should be applied to the image| []| | |PLATFORM| The platform to build on| None| | |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| +|PRIVILEGED| Whether to add --privileged to podman run which runs remotely| false| | +|SECURITY_OPTS| Comma separated list of --security-opt values to add| | | |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index b25906a52..971fce75e 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md 
@@ -46,11 +46,13 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| | |ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | | +|BIND_MOUNT_VAR_TMP| Whether to bind mount a host folder into a remote container as /var/tmp| false| | |BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| '['$(params.build-args[*])']'| |BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | '$(params.build-args-file)'| |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| |COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'| |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| +|DEVICES| Comma separated list of --device values to add| | | |DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'| |ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| | |HERMETIC| Determines if build will be executed without network access.| false| '$(params.hermetic)'| 
@@ -58,6 +60,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| |LABELS| Additional key=value labels that should be applied to the image| []| | |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| +|PRIVILEGED| Whether to add --privileged to podman run which runs remotely| false| | +|SECURITY_OPTS| Comma separated list of --security-opt values to add| | | |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index 348b74d8e..9f3c8030c 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md 
@@ -46,10 +46,12 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| | |ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | | +|BIND_MOUNT_VAR_TMP| Whether to bind mount a host folder into a remote container as /var/tmp| false| | |BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| '['$(params.build-args[*])']'| |BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | '$(params.build-args-file)'| |COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'| |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| +|DEVICES| Comma separated list of --device values to add| | | |DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'| |ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| | |HERMETIC| Determines if build will be executed without network access.| false| '$(params.hermetic)'| 
@@ -57,6 +59,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| |LABELS| Additional key=value labels that should be applied to the image| []| | |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| +|PRIVILEGED| Whether to add --privileged to podman run which runs remotely| false| | +|SECURITY_OPTS| Comma separated list of --security-opt values to add| | | |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | |STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | diff --git a/pipelines/fbc-builder/README.md b/pipelines/fbc-builder/README.md index 492877390..8ced0cf5a 100644 --- a/pipelines/fbc-builder/README.md +++ b/pipelines/fbc-builder/README.md 
@@ -44,10 +44,12 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| | |ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | | +|BIND_MOUNT_VAR_TMP| Whether to bind mount a host folder into a remote container as /var/tmp| false| | |BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| | |BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | | |COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'| |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| +|DEVICES| Comma separated list of --device values to add| | | |DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'| |ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| | |HERMETIC| Determines if build will be executed without network access.| false| '$(params.hermetic)'| 
@@ -55,6 +57,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| |LABELS| Additional key=value labels that should be applied to the image| []| | |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | | +|PRIVILEGED| Whether to add --privileged to podman run which runs remotely| false| | +|SECURITY_OPTS| Comma separated list of --security-opt values to add| | | |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | |STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | diff --git a/task-generator/remote/main.go b/task-generator/remote/main.go index f7fa66514..d15234ddc 100644 --- a/task-generator/remote/main.go +++ b/task-generator/remote/main.go 
@@ -228,18 +228,47 @@ if ! [[ $IS_LOCALHOST ]]; then ret += "\nREMOTESSHEOF" ret += "\nchmod +x " + script + "\n" + ret += `SECURITY_OPT_FLAGS=() +if [ -n "${SECURITY_OPTS}" ]; then + IFS=',' read -ra SECURITY_OPTS_ARRAY <<< "$SECURITY_OPTS" + for SECURITY_OPT in "${SECURITY_OPTS_ARRAY[@]}"; do + SECURITY_OPT_FLAGS+=("--security-opt=$SECURITY_OPT") + done +fi + +DEVICE_FLAGS=() +if [ -n "${DEVICES}" ]; then + IFS=',' read -ra DEVICES_ARRAY <<< "$DEVICES" + for DEVICE in "${DEVICES_ARRAY[@]}"; do + DEVICE_FLAGS+=("--device=$DEVICE") + done +fi` + if task.Spec.StepTemplate != nil { for _, e := range task.Spec.StepTemplate.Env { env += " -e " + e.Name + "=\"$" + e.Name + "\" \\\n" } } ret += "\nif ! [[ $IS_LOCALHOST ]]; then" + ret += "\n" + ret += ` PRIVILEGED_FLAG="" + if [[ "${PRIVILEGED}" == "true" ]]; then + PRIVILEGED_FLAG="--privileged" + fi + + BIND_MOUNT_VAR_TMP_FLAG="" + if [[ "${BIND_MOUNT_VAR_TMP}" == "true" ]]; then + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp" + BIND_MOUNT_VAR_TMP_FLAG="--mount type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared" + fi` ret += "\n rsync -ra scripts \"$SSH_HOST:$BUILD_DIR\"" containerScript := "scripts/script-" + step.Name + ".sh" for _, e := range step.Env { env += " -e " + e.Name + "=\"$" + e.Name + "\" \\\n" } podmanArgs += " -v \"$BUILD_DIR/scripts:/scripts:Z\" \\\n" + podmanArgs += " \"$PRIVILEGED_FLAG\" \"$BIND_MOUNT_VAR_TMP_FLAG\" \\\n" + podmanArgs += " \"${SECURITY_OPT_FLAGS[@]}\" \"${DEVICE_FLAGS[@]}\" \\\n" ret += "\n ssh $SSH_ARGS \"$SSH_HOST\" $PORT_FORWARD podman run " + env + "" + podmanArgs + " --user=0 --rm \"$BUILDER_IMAGE\" /" + containerScript + ` "$@"` // Sync the contents of the workspaces back so subsequent tasks can use them diff --git a/task/buildah-oci-ta/0.2/README.md b/task/buildah-oci-ta/0.2/README.md index 1718940ae..9042ad400 100644 --- a/task/buildah-oci-ta/0.2/README.md +++ b/task/buildah-oci-ta/0.2/README.md 
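Review bot: The new `podmanArgs` lines only work because of how ssh transports the command: `"$PRIVILEGED_FLAG"` and `"$BIND_MOUNT_VAR_TMP_FLAG"` expand to an empty argument when the feature is off (the default) and to the single word `--mount type=bind,...` when it is on, and as far as I can tell podman accepts both only because ssh joins the command into one string that the remote shell re-splits, which erases the empty word and breaks the spaced one into two. Anyone reading the generated script will flag them as bugs, and they would become real ones if the command were ever executed without that round trip. Building both as arrays, as `SECURITY_OPT_FLAGS` and `DEVICE_FLAGS` already are, keeps the generated output correct on its own terms and consistent; the same pattern is emitted into buildah-remote-oci-ta 0.1/0.2 and buildah-remote 0.1/0.2 in this patch. If the scalar form is kept, a comment in the template, `# ssh flattens these into one string, so an empty or spaced word is harmless here`, should record why.
```go
	ret += `    PRIVILEGED_FLAG=()
    if [[ "${PRIVILEGED}" == "true" ]]; then
      PRIVILEGED_FLAG=("--privileged")
    fi

    BIND_MOUNT_VAR_TMP_FLAG=()
    if [[ "${BIND_MOUNT_VAR_TMP}" == "true" ]]; then
      ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp"
      BIND_MOUNT_VAR_TMP_FLAG=(--mount "type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared")
    fi`
	// … unchanged: rsync of scripts, step env loop, scripts volume …
	podmanArgs += " \"${PRIVILEGED_FLAG[@]}\" \"${BIND_MOUNT_VAR_TMP_FLAG[@]}\" \\\n"
	podmanArgs += " \"${SECURITY_OPT_FLAGS[@]}\" \"${DEVICE_FLAGS[@]}\" \\\n"
```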
@@ -11,11 +11,13 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false| |ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| |ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| +|BIND_MOUNT_VAR_TMP|Whether to bind mount a host folder into a remote container as /var/tmp|false|false| |BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| |BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| |CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false| |COMMIT_SHA|The image is built from this commit.|""|false| |CONTEXT|Path to the directory to use as context.|.|false| +|DEVICES|Comma separated list of --device values to add|""|false| |DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| |ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false| |HERMETIC|Determines if build will be executed without network access.|false|false| 
@@ -23,6 +25,8 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| |LABELS|Additional key=value labels that should be applied to the image|[]|false| |PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|PRIVILEGED|Whether to add --privileged to podman run which runs remotely|false|false| +|SECURITY_OPTS|Comma separated list of --security-opt values to add|""|false| |SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| |SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index e8610d44a..6322e2590 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -30,6 +30,11 @@ spec: running 'buildah build' type: string default: "" + - name: BIND_MOUNT_VAR_TMP + description: Whether to bind mount a host folder into a remote container + as /var/tmp + type: string + default: "false" - name: BUILD_ARGS description: Array of --build-arg values ("arg=value" strings) type: array @@ -51,6 +56,10 @@ spec: description: Path to the directory to use as context. type: string default: . + - name: DEVICES + description: Comma separated list of --device values to add + type: string + default: "" - name: DOCKERFILE description: Path to the Dockerfile to build. type: string 
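Review bot: `BIND_MOUNT_VAR_TMP` is declared here, and `PRIVILEGED` in the next hunk, but nothing in this task's own script reads them: the script hunk further down consumes only `SECURITY_OPTS` and `DEVICES`, and the diffstat shows no other change to this file. As far as the diff shows they exist so the buildah-remote generator can forward them to its `podman run`, which makes them silent no-ops for anyone using buildah-oci-ta directly. The description should say so, e.g. `description: Whether to bind mount a host folder into the remote container as /var/tmp; only used by the buildah-remote variants, ignored when this task runs directly`, with the same qualifier on PRIVILEGED. buildah.yaml declares the same two parameters with the same wording and needs the same note.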
@@ -82,6 +91,14 @@ spec: be made available to the build. type: string default: "" + - name: PRIVILEGED + description: Whether to add --privileged to podman run which runs remotely + type: string + default: "false" + - name: SECURITY_OPTS + description: Comma separated list of --security-opt values to add + type: string + default: "" - name: SKIP_UNUSED_STAGES description: Whether to skip stages in Containerfile that seem unused by subsequent stages @@ -182,12 +199,16 @@ spec: value: $(params.ADDITIONAL_SECRET) - name: ADD_CAPABILITIES value: $(params.ADD_CAPABILITIES) + - name: BIND_MOUNT_VAR_TMP + value: $(params.BIND_MOUNT_VAR_TMP) - name: BUILDAH_FORMAT value: oci - name: BUILD_ARGS_FILE value: $(params.BUILD_ARGS_FILE) - name: CONTEXT value: $(params.CONTEXT) + - name: DEVICES + value: $(params.DEVICES) - name: ENTITLEMENT_SECRET value: $(params.ENTITLEMENT_SECRET) - name: HERMETIC @@ -196,6 +217,10 @@ spec: value: $(params.IMAGE) - name: IMAGE_EXPIRES_AFTER value: $(params.IMAGE_EXPIRES_AFTER) + - name: PRIVILEGED + value: $(params.PRIVILEGED) + - name: SECURITY_OPTS + value: $(params.SECURITY_OPTS) - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) - name: SOURCE_CODE_DIR @@ -372,6 +397,26 @@ spec: BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}") + SECURITY_OPT_FLAGS=() + if [ -n "${SECURITY_OPTS}" ]; then + IFS=',' read -ra SECURITY_OPTS_ARRAY <<<"$SECURITY_OPTS" + for SECURITY_OPT in "${SECURITY_OPTS_ARRAY[@]}"; do + SECURITY_OPT_FLAGS+=("--security-opt=$SECURITY_OPT") + done + fi + + BUILDAH_ARGS+=("${SECURITY_OPT_FLAGS[@]}") + + DEVICE_FLAGS=() + if [ -n "${DEVICES}" ]; then + IFS=',' read -ra DEVICES_ARRAY <<<"$DEVICES" + for DEVICE in "${DEVICES_ARRAY[@]}"; do + DEVICE_FLAGS+=("--device=$DEVICE") + done + fi + + BUILDAH_ARGS+=("${DEVICE_FLAGS[@]}") + if [ -n "${ADD_CAPABILITIES}" ]; then BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}") fi 
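Review bot: The two new `read -ra` loops in the script hunk pass empty list items straight through, so a trailing comma or `a,,b` in `SECURITY_OPTS` or `DEVICES` becomes a bare `--security-opt=` / `--device=` that buildah is likely to reject with a much less obvious error than the parameter deserves. A guard at the top of each loop body, `[ -n "$SECURITY_OPT" ] || continue` and `[ -n "$DEVICE" ] || continue`, is enough. The same loops are copied into buildah-remote-oci-ta 0.2, buildah-remote 0.2 and buildah 0.2, and the generator in task-generator/remote/main.go emits a further copy written `<<< "$SECURITY_OPTS"` where this file writes `<<<"$SECURITY_OPTS"`; since these files are meant to stay in sync, the spacing should agree. The enclosing step script starts and ends outside the hunk.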
diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index e8bcb1659..638717735 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -444,8 +444,32 @@ spec: buildah push "$IMAGE" "oci:konflux-final-image:$IMAGE" REMOTESSHEOF chmod +x scripts/script-build.sh + SECURITY_OPT_FLAGS=() + if [ -n "${SECURITY_OPTS}" ]; then + IFS=',' read -ra SECURITY_OPTS_ARRAY <<< "$SECURITY_OPTS" + for SECURITY_OPT in "${SECURITY_OPTS_ARRAY[@]}"; do + SECURITY_OPT_FLAGS+=("--security-opt=$SECURITY_OPT") + done + fi + DEVICE_FLAGS=() + if [ -n "${DEVICES}" ]; then + IFS=',' read -ra DEVICES_ARRAY <<< "$DEVICES" + for DEVICE in "${DEVICES_ARRAY[@]}"; do + DEVICE_FLAGS+=("--device=$DEVICE") + done + fi if ! [[ $IS_LOCALHOST ]]; then + PRIVILEGED_FLAG="" + if [[ "${PRIVILEGED}" == "true" ]]; then + PRIVILEGED_FLAG="--privileged" + fi + + BIND_MOUNT_VAR_TMP_FLAG="" + if [[ "${BIND_MOUNT_VAR_TMP}" == "true" ]]; then + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp" + BIND_MOUNT_VAR_TMP_FLAG="--mount type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared" + fi rsync -ra scripts "$SSH_HOST:$BUILD_DIR" ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ --tmpfs /run/secrets \ @@ -477,6 +501,8 @@ spec: -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ -v "$BUILD_DIR/results/:/tekton/results:Z" \ -v "$BUILD_DIR/scripts:/scripts:Z" \ + "$PRIVILEGED_FLAG" "$BIND_MOUNT_VAR_TMP_FLAG" \ + "${SECURITY_OPT_FLAGS[@]}" "${DEVICE_FLAGS[@]}" \ --user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh "$@" rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/workdir/" /var/workdir/ diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index b8c141324..1f4025e34 100644 
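Review bot: The 0.1 wrapper now reads `$SECURITY_OPTS`, `$DEVICES`, `$PRIVILEGED` and `$BIND_MOUNT_VAR_TMP`, but this file receives no parameter or env changes: the diffstat lists 26 insertions for buildah-remote-oci-ta/0.1 and all of them are in these two script hunks. Unless 0.1 already declared those names before this patch, they are always empty here, so the new code is dead at best and, if the step runs under `set -u`, a hard failure. Either add the four params and their env entries to 0.1 as well, or keep the change to 0.2. buildah-remote/0.1 is in the same situation (26 insertions, script only).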
--- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -30,6 +30,10 @@ spec: build' name: ADD_CAPABILITIES type: string + - default: "false" + description: Whether to bind mount a host folder into a remote container as /var/tmp + name: BIND_MOUNT_VAR_TMP + type: string - default: [] description: Array of --build-arg values ("arg=value" strings) name: BUILD_ARGS @@ -51,6 +55,10 @@ spec: description: Path to the directory to use as context. name: CONTEXT type: string + - default: "" + description: Comma separated list of --device values to add + name: DEVICES + type: string - default: ./Dockerfile description: Path to the Dockerfile to build. name: DOCKERFILE @@ -81,6 +89,14 @@ spec: to the build. name: PREFETCH_INPUT type: string + - default: "false" + description: Whether to add --privileged to podman run which runs remotely + name: PRIVILEGED + type: string + - default: "" + description: Comma separated list of --security-opt values to add + name: SECURITY_OPTS + type: string - default: "true" description: Whether to skip stages in Containerfile that seem unused by subsequent stages @@ -162,12 +178,16 @@ spec: value: $(params.ADDITIONAL_SECRET) - name: ADD_CAPABILITIES value: $(params.ADD_CAPABILITIES) + - name: BIND_MOUNT_VAR_TMP + value: $(params.BIND_MOUNT_VAR_TMP) - name: BUILDAH_FORMAT value: oci - name: BUILD_ARGS_FILE value: $(params.BUILD_ARGS_FILE) - name: CONTEXT value: $(params.CONTEXT) + - name: DEVICES + value: $(params.DEVICES) - name: ENTITLEMENT_SECRET value: $(params.ENTITLEMENT_SECRET) - name: HERMETIC @@ -176,6 +196,10 @@ spec: value: $(params.IMAGE) - name: IMAGE_EXPIRES_AFTER value: $(params.IMAGE_EXPIRES_AFTER) + - name: PRIVILEGED + value: $(params.PRIVILEGED) + - name: SECURITY_OPTS + value: $(params.SECURITY_OPTS) - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) - name: SOURCE_CODE_DIR 
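Review bot: The `PRIVILEGED` and `SECURITY_OPTS` descriptions say which flag they add but not what it costs: `--privileged` on the remote `podman run` hands the build container, which already runs with `--user=0`, the remote build host's devices and drops its seccomp, SELinux and capability confinement, and `--security-opt` values can relax that confinement piecemeal. Nothing in this diff validates either value, so the parameter text is the only place a pipeline author learns this. Suggest `description: Whether to run the remote build container with --privileged; this removes the container's confinement on the remote build host, so enable only for trusted builds`, and a similar sentence for SECURITY_OPTS noting the values are passed verbatim. The same descriptions appear in buildah-remote 0.2, buildah-oci-ta 0.2, buildah 0.2 and the four pipeline READMEs.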
@@ -406,6 +430,26 @@ spec: BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}") + SECURITY_OPT_FLAGS=() + if [ -n "${SECURITY_OPTS}" ]; then + IFS=',' read -ra SECURITY_OPTS_ARRAY <<<"$SECURITY_OPTS" + for SECURITY_OPT in "${SECURITY_OPTS_ARRAY[@]}"; do + SECURITY_OPT_FLAGS+=("--security-opt=$SECURITY_OPT") + done + fi + + BUILDAH_ARGS+=("${SECURITY_OPT_FLAGS[@]}") + + DEVICE_FLAGS=() + if [ -n "${DEVICES}" ]; then + IFS=',' read -ra DEVICES_ARRAY <<<"$DEVICES" + for DEVICE in "${DEVICES_ARRAY[@]}"; do + DEVICE_FLAGS+=("--device=$DEVICE") + done + fi + + BUILDAH_ARGS+=("${DEVICE_FLAGS[@]}") + if [ -n "${ADD_CAPABILITIES}" ]; then BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}") fi 
@@ -573,21 +617,49 @@ spec: buildah push "$IMAGE" "oci:konflux-final-image:$IMAGE" REMOTESSHEOF chmod +x scripts/script-build.sh + SECURITY_OPT_FLAGS=() + if [ -n "${SECURITY_OPTS}" ]; then + IFS=',' read -ra SECURITY_OPTS_ARRAY <<< "$SECURITY_OPTS" + for SECURITY_OPT in "${SECURITY_OPTS_ARRAY[@]}"; do + SECURITY_OPT_FLAGS+=("--security-opt=$SECURITY_OPT") + done + fi + DEVICE_FLAGS=() + if [ -n "${DEVICES}" ]; then + IFS=',' read -ra DEVICES_ARRAY <<< "$DEVICES" + for DEVICE in "${DEVICES_ARRAY[@]}"; do + DEVICE_FLAGS+=("--device=$DEVICE") + done + fi if ! [[ $IS_LOCALHOST ]]; then + PRIVILEGED_FLAG="" + if [[ "${PRIVILEGED}" == "true" ]]; then + PRIVILEGED_FLAG="--privileged" + fi + + BIND_MOUNT_VAR_TMP_FLAG="" + if [[ "${BIND_MOUNT_VAR_TMP}" == "true" ]]; then + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp" + BIND_MOUNT_VAR_TMP_FLAG="--mount type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared" + fi rsync -ra scripts "$SSH_HOST:$BUILD_DIR" ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ --tmpfs /run/secrets \ -e ACTIVATION_KEY="$ACTIVATION_KEY" \ -e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \ -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ + -e BIND_MOUNT_VAR_TMP="$BIND_MOUNT_VAR_TMP" \ -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ -e CONTEXT="$CONTEXT" \ + -e DEVICES="$DEVICES" \ -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \ -e HERMETIC="$HERMETIC" \ -e IMAGE="$IMAGE" \ -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ + -e PRIVILEGED="$PRIVILEGED" \ + -e SECURITY_OPTS="$SECURITY_OPTS" \ -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \ -e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \ -e SQUASH="$SQUASH" \ 
@@ -608,6 +680,8 @@ spec: -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ -v "$BUILD_DIR/results/:/tekton/results:Z" \ -v "$BUILD_DIR/scripts:/scripts:Z" \ + "$PRIVILEGED_FLAG" "$BIND_MOUNT_VAR_TMP_FLAG" \ + "${SECURITY_OPT_FLAGS[@]}" "${DEVICE_FLAGS[@]}" \ --user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh "$@" rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/workdir/" /var/workdir/ diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index da45323fc..23cd9c956 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml @@ -436,8 +436,32 @@ spec: buildah push "$IMAGE" "oci:konflux-final-image:$IMAGE" REMOTESSHEOF chmod +x scripts/script-build.sh + SECURITY_OPT_FLAGS=() + if [ -n "${SECURITY_OPTS}" ]; then + IFS=',' read -ra SECURITY_OPTS_ARRAY <<< "$SECURITY_OPTS" + for SECURITY_OPT in "${SECURITY_OPTS_ARRAY[@]}"; do + SECURITY_OPT_FLAGS+=("--security-opt=$SECURITY_OPT") + done + fi + DEVICE_FLAGS=() + if [ -n "${DEVICES}" ]; then + IFS=',' read -ra DEVICES_ARRAY <<< "$DEVICES" + for DEVICE in "${DEVICES_ARRAY[@]}"; do + DEVICE_FLAGS+=("--device=$DEVICE") + done + fi if ! [[ $IS_LOCALHOST ]]; then + PRIVILEGED_FLAG="" + if [[ "${PRIVILEGED}" == "true" ]]; then + PRIVILEGED_FLAG="--privileged" + fi + + BIND_MOUNT_VAR_TMP_FLAG="" + if [[ "${BIND_MOUNT_VAR_TMP}" == "true" ]]; then + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp" + BIND_MOUNT_VAR_TMP_FLAG="--mount type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared" + fi rsync -ra scripts "$SSH_HOST:$BUILD_DIR" ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ --tmpfs /run/secrets \ 
@@ -470,6 +494,8 @@ spec: -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ -v "$BUILD_DIR/results/:/tekton/results:Z" \ -v "$BUILD_DIR/scripts:/scripts:Z" \ + "$PRIVILEGED_FLAG" "$BIND_MOUNT_VAR_TMP_FLAG" \ + "${SECURITY_OPT_FLAGS[@]}" "${DEVICE_FLAGS[@]}" \ --user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh "$@" rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/" rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 473823696..a8eda083b 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -119,6 +119,22 @@ spec: description: Additional key=value labels that should be applied to the image name: LABELS type: array + - default: "" + description: Comma separated list of --security-opt values to add + name: SECURITY_OPTS + type: string + - default: "" + description: Comma separated list of --device values to add + name: DEVICES + type: string + - default: "false" + description: Whether to add --privileged to podman run which runs remotely + name: PRIVILEGED + type: string + - default: "false" + description: Whether to bind mount a host folder into a remote container as /var/tmp + name: BIND_MOUNT_VAR_TMP + type: string - description: The platform to build on name: PLATFORM type: string @@ -185,6 +201,14 @@ spec: value: $(params.SQUASH) - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) + - name: SECURITY_OPTS + value: $(params.SECURITY_OPTS) + - name: DEVICES + value: $(params.DEVICES) + - name: PRIVILEGED + value: $(params.PRIVILEGED) + - name: BIND_MOUNT_VAR_TMP + value: $(params.BIND_MOUNT_VAR_TMP) - name: BUILDER_IMAGE value: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c - name: PLATFORM 
@@ -382,6 +406,26 @@ spec: BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}") + SECURITY_OPT_FLAGS=() + if [ -n "${SECURITY_OPTS}" ]; then + IFS=',' read -ra SECURITY_OPTS_ARRAY <<< "$SECURITY_OPTS" + for SECURITY_OPT in "${SECURITY_OPTS_ARRAY[@]}"; do + SECURITY_OPT_FLAGS+=("--security-opt=$SECURITY_OPT") + done + fi + + BUILDAH_ARGS+=("${SECURITY_OPT_FLAGS[@]}") + + DEVICE_FLAGS=() + if [ -n "${DEVICES}" ]; then + IFS=',' read -ra DEVICES_ARRAY <<< "$DEVICES" + for DEVICE in "${DEVICES_ARRAY[@]}"; do + DEVICE_FLAGS+=("--device=$DEVICE") + done + fi + + BUILDAH_ARGS+=("${DEVICE_FLAGS[@]}") + if [ -n "${ADD_CAPABILITIES}" ]; then BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}") fi @@ -550,8 +594,32 @@ spec: buildah push "$IMAGE" "oci:konflux-final-image:$IMAGE" REMOTESSHEOF chmod +x scripts/script-build.sh + SECURITY_OPT_FLAGS=() + if [ -n "${SECURITY_OPTS}" ]; then + IFS=',' read -ra SECURITY_OPTS_ARRAY <<< "$SECURITY_OPTS" + for SECURITY_OPT in "${SECURITY_OPTS_ARRAY[@]}"; do + SECURITY_OPT_FLAGS+=("--security-opt=$SECURITY_OPT") + done + fi + DEVICE_FLAGS=() + if [ -n "${DEVICES}" ]; then + IFS=',' read -ra DEVICES_ARRAY <<< "$DEVICES" + for DEVICE in "${DEVICES_ARRAY[@]}"; do + DEVICE_FLAGS+=("--device=$DEVICE") + done + fi if ! [[ $IS_LOCALHOST ]]; then + PRIVILEGED_FLAG="" + if [[ "${PRIVILEGED}" == "true" ]]; then + PRIVILEGED_FLAG="--privileged" + fi + + BIND_MOUNT_VAR_TMP_FLAG="" + if [[ "${BIND_MOUNT_VAR_TMP}" == "true" ]]; then + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp" + BIND_MOUNT_VAR_TMP_FLAG="--mount type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared" + fi rsync -ra scripts "$SSH_HOST:$BUILD_DIR" ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ --tmpfs /run/secrets \ 
@@ -574,6 +642,10 @@ spec: -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ -e SQUASH="$SQUASH" \ -e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \ + -e SECURITY_OPTS="$SECURITY_OPTS" \ + -e DEVICES="$DEVICES" \ + -e PRIVILEGED="$PRIVILEGED" \ + -e BIND_MOUNT_VAR_TMP="$BIND_MOUNT_VAR_TMP" \ -e COMMIT_SHA="$COMMIT_SHA" \ -e DOCKERFILE="$DOCKERFILE" \ -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \ @@ -585,6 +657,8 @@ spec: -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ -v "$BUILD_DIR/results/:/tekton/results:Z" \ -v "$BUILD_DIR/scripts:/scripts:Z" \ + "$PRIVILEGED_FLAG" "$BIND_MOUNT_VAR_TMP_FLAG" \ + "${SECURITY_OPT_FLAGS[@]}" "${DEVICE_FLAGS[@]}" \ --user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh "$@" rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/" rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 467ecd5b9..fc3d1eebd 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -107,6 +107,22 @@ spec: description: Additional key=value labels that should be applied to the image type: array default: [] + - name: SECURITY_OPTS + description: Comma separated list of --security-opt values to add + type: string + default: "" + - name: DEVICES + description: Comma separated list of --device values to add + type: string + default: "" + - default: "false" + description: Whether to add --privileged to podman run which runs remotely + name: PRIVILEGED + type: string + - default: "false" + description: Whether to bind mount a host folder into a remote container as /var/tmp + name: BIND_MOUNT_VAR_TMP + type: string results: - description: Digest of the image just built 
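Review bot: The four new parameter entries in buildah.yaml use two different key orders: `SECURITY_OPTS` and `DEVICES` follow the file's `name, description, type, default` order, while `PRIVILEGED` and `BIND_MOUNT_VAR_TMP` use the alphabetical `default, description, name, type` order of the generated buildah-remote files. This is the hand-written source the generator reads, so it should keep one order; rewrite the last two as name-first entries like their neighbours (`- name: PRIVILEGED`, then its description, `type: string`, `default: "false"`, and likewise for BIND_MOUNT_VAR_TMP). The READMEs generated from it will then list the parameters without surprises.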
@@ -166,6 +182,14 @@ spec: value: $(params.SQUASH) - name: SKIP_UNUSED_STAGES value: $(params.SKIP_UNUSED_STAGES) + - name: SECURITY_OPTS + value: $(params.SECURITY_OPTS) + - name: DEVICES + value: $(params.DEVICES) + - name: PRIVILEGED + value: $(params.PRIVILEGED) + - name: BIND_MOUNT_VAR_TMP + value: $(params.BIND_MOUNT_VAR_TMP) steps: - image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c @@ -303,6 +327,26 @@ spec: BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}") + SECURITY_OPT_FLAGS=() + if [ -n "${SECURITY_OPTS}" ]; then + IFS=',' read -ra SECURITY_OPTS_ARRAY <<< "$SECURITY_OPTS" + for SECURITY_OPT in "${SECURITY_OPTS_ARRAY[@]}"; do + SECURITY_OPT_FLAGS+=("--security-opt=$SECURITY_OPT") + done + fi + + BUILDAH_ARGS+=("${SECURITY_OPT_FLAGS[@]}") + + DEVICE_FLAGS=() + if [ -n "${DEVICES}" ]; then + IFS=',' read -ra DEVICES_ARRAY <<< "$DEVICES" + for DEVICE in "${DEVICES_ARRAY[@]}"; do + DEVICE_FLAGS+=("--device=$DEVICE") + done + fi + + BUILDAH_ARGS+=("${DEVICE_FLAGS[@]}") + if [ -n "${ADD_CAPABILITIES}" ]; then BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}") fi