* fix(ci): Bump golangci-lint to 1.51.1
* chore(lint): fix gofmt and goimport issues
* chore(lint): fix linter issues
- Adapted error comparison according to linter recommendation
- Disabled noctx linting for http request where canceling makes no sense
- Disabled nilerror linting where nil error is returned on purpose
- Disabled makezero linter where slice is explicitly deepcopied
* chore(ci): Update go version in tests workflows
* fix(ci): Allow boilerplate years from 2000-2099
Previously the regex only allowed the copyright notice to contain the
years 2018,2019,2020,2021, or 2022. This commit widens to regex to
20\d\d allowing any year in the range [2000-2099]
* feat(ci): Replace minikube with k3s for intregration tests
The existing setup for minikube is very complicated, replicating most of
the setup steps for a full kubernetes cluster in an only partially
supported minikube configuration (driver=none). Furthermore the existing
setup has been broken for sometime, likely, at least in part due to the
changes to CNI and CRI in recent kubernetes versions.
Since what we actually need is only a running Kubernetes cluster on the
node and access to a registry on localhost:5000, we can switch the
extremely complicated minikube setup for a lightweight cluster using
k3s. Minikube came with a default addon for running a registry on every
node, but the same is not the case for k3s, instead we make use of the
package helm controller and its HelmChart CR to deploy twuni/docker-registry.helm
and expose it on localhost using the integrated LoadBalancer controller.
* fix(test-684): pin base container version
The dockerfile for the regression test connected to issue 684 used a
rolling tag as base image, making it flaky and fail since it was
introduced.
This commit pins the base image to the digest of bionic-20200219, which,
based on the date of the commit that introduced to the dockerfile would
be the most newest ubuntu build and likely what the "rolling" tag
resolved to back then. Since this also an image from the pre-oci days of
ubuntu, this circumvents a bug in container-diff as well
(https://github.com/GoogleContainerTools/container-diff/issues/389)
WORKDIR ignores the currently set USER and creates the new directories
with the root user ownership.
This changes that, by executing a chown after the mkdir if needed, and
also handle the case where the provided USER is an uid and the passwd
file is not available to resolve to the username.
Fixes#2259
Signed-off-by: Aris Buzachis <buzachis.aris@gmail.com>
Signed-off-by: Aris Buzachis <buzachis.aris@gmail.com>
* Adds the ability to provide `--cache-repo` as an OCI image layout path
- Adds cache.LayoutCache to implement cache.LayerCache interface
- When opts.CacheRepo has "oci:" prefix, instantiates a LayoutCache
Signed-off-by: Natalie Arellano <narellano@vmware.com>
* Add integration test for layout cache
Signed-off-by: Natalie Arellano <narellano@vmware.com>
* Updates from PR review
Signed-off-by: Natalie Arellano <narellano@vmware.com>
Signed-off-by: Natalie Arellano <narellano@vmware.com>
On version 1.9.0 context fetch from S3 is broken since `url.Parse` requires full path: 90e426ba3f/pkg/util/bucket/bucket_util.go (L77)
Currently on a --context=s3://my-bucket/my-path/context.tar.gz we would pass only my-bucket/my-path/context.tar.gz which breaks context fetch
Closes#2200
- Adds a new option, InitialFSUnpacked
- When opts.InitialFSUnpacked is true, the first stage builder will
skip unpacking the file system; later stages are unaffected
Signed-off-by: Natalie Arellano <narellano@vmware.com>
Signed-off-by: Natalie Arellano <narellano@vmware.com>
Highlights
- Installed binaries are missing from image #2049
- proc: detect kubernetes runtime by mounts #2054
- Fixes#2046: make target stage lookup case insensitive #2047
- Fix: Refactor LayersMap to correct old strange code behavior #2066
- Fix missing setuid flags on COPY --from=build operation #2089
- Fixes#2046: make target stage lookup case insensitive #2047
- Add GitLab CI credentials helper #2040
- And a number of dependency bumps
* fix: getUIDandGID is able to resolve non-existing users and groups
A common pattern in dockerfiles is to provide a plain uid and gid number, which doesn't neccesarily exist inside the os.
Signed-off-by: Höhl, Lukas <lukas.hoehl@accso.de>
* test: add chown dockerfile
Signed-off-by: Höhl, Lukas <lukas.hoehl@accso.de>
* chore: format
Signed-off-by: Höhl, Lukas <lukas.hoehl@accso.de>
* chore: add comment
Signed-off-by: Höhl, Lukas <lukas.hoehl@accso.de>
* tests: fix chown dockerfile
Signed-off-by: Höhl, Lukas <lukas.hoehl@accso.de>
* refactor: split up getIdsFromUsernameAndGroup func
Signed-off-by: Höhl, Lukas <lukas.hoehl@accso.de>
* fix: implement raw uid logic for LookupUser
Signed-off-by: Höhl, Lukas <lukas.hoehl@accso.de>
* test: add dockerfiles for integration test
* fix: lookup user error message
* test: add dockerfiles for non-existing user testcase
* fix: forgot error check
* tests: fix syscall credentials test
* chore: add debug output for copy command
* tests: set specific gid for integration dockerfile
* tests: fix syscall credentials test
github runner had the exact uid that i was testing on, so the groups were not empty
Signed-off-by: Höhl, Lukas <lukas.hoehl@accso.de>
* tests: fix test script
Signed-off-by: Höhl, Lukas <lukas.hoehl@accso.de>
* chore: apply golangci lint checks
Signed-off-by: Höhl, Lukas <lukas.hoehl@accso.de>
* fix: reset file ownership in createFile if not root owned
Signed-off-by: Höhl, Lukas <lukas.hoehl@accso.de>
* chore: logrus.Debugf missed format variable
Signed-off-by: Höhl, Lukas <lukas.hoehl@accso.de>
* chore(test-script): remove go html coverage
Signed-off-by: Höhl, Lukas <lukas.hoehl@accso.de>
* test(k8s): increase wait timeout
Signed-off-by: Höhl, Lukas <lukas.hoehl@accso.de>
* Fix the /kaniko directory permissions in container
Create /kaniko directory with world permission to allow the creation of
sub directories by any user when the executor is run as non root. This
can lower the security but shouldn't have any impact in a container.
The tar unpack is the only way I found to have a directory with specific
permission as the image is created from "scratch" which doesn't have any
tool to change the permission otherwise.
Fixes#1363
* Avoid blackbox tar file creation
Use the Makefile to create the tar file use to create kaniko directory
in scratch container. This avoid having a "blackbox" binary file with
the empty directory.
* deploy: avoid duplicate certificates in images
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* deploy: use current stable Debian release image
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* Write parent directories to tar before whiteout files
Fixes#1149
The OCI image spec does not specify this order but it's a good idea and Docker
does the same.
When manually comparing layers created by Docker and Kaniko there are still
some differences (that container-diff does not show):
* Kaniko adds / to layers
* For `mkdir /test`, docker adds `/test` and an opaque whiteout file
`/test/.wh..wh..opq`. Kaniko only adds `/test/` (and /).
* snapshot_test: cleanup
Fix typos and use listFilesInTar() where possible
* Fix missing file permissions on multi-stage build
Fixes#2075
When a file with the setuid bit is copied from one stage
to another, the permissions were not copied over properly after
setting ownership on directory and the file itself.
* Update pkg/util/fs_util.go
Co-authored-by: Jason Hall <jason@chainguard.dev>
* Adding boilerplate to dockerfile
* Add bash check to bail with exit code 1 if setuid not present
Co-authored-by: Jason Hall <jason@chainguard.dev>
* fix: Correct flatten function in layers
- Added a test.
- Cache current image, track deletes in `whiteouts` as well as normal adds in `layers`.
- Fix ugly delete behavior of `layerHashCache`.
Delete it when crerating a new snapshot.
- Slight cleanup in `snapshot.go`.
- Format ugly `WalkFS` function.
* fix: Add symbolic link changes to Hasher and CacheHasher
* fix: Better log messages
* fix(ci): Integration tests
* fix(ci): Add `--no-cache` to docker builds
* fix(ci): Pass credentials for error integration test
* np: Missing .gitignore in `hack`
* np: Capitalize every log message
- Correct some linting.
* fix: Key function
- Merge only last layer onto `currentImage`.
* fix: Remove old obsolete `cacheHasher`
In Bash, "-eq" compares integers, and "==" compares strings, so "debug
-eq latest" always evaulated to true.
$ if [[ "debug" -eq "latest" ]]; then echo latest; else echo debug; fi
latest
$ if [[ "debug" == "latest" ]]; then echo latest; else echo debug; fi
debug
* update kaniko-dir flag description
* add dir check anonymous func for check to config or env
* add kaniko dir constant in default options
* Update cmd/executor/cmd/root.go
Co-authored-by: Jason Hall <jasonhall@redhat.com>
* add CopyDir util usage for checkKanikoDir func
* add removal of kaniko dir on successful copy of new files
* add comment for CopyDir usage
Co-authored-by: Jason Hall <jasonhall@redhat.com>
In Dockerfile, if there is something like:
```
RUN setcap cap_net_raw=+ep /path/to/binary
```
kaniko won't detect that there is a change on file `/path/to/binary` and
thus discards this layer. This patch allows the hasher function to
actually look at `security.capability` extended attributes.
Fix#1936
Kubernetes was not being detected by files not by /proc/?/cgroup
contents. Now it detects the kubernetes runtime if any of those
conditions are met:
* /var/run/secrets/kubernetes.io/serviceaccount exists
* /proc/mounts has the mount for "/" with fs type "overlay"
This simplifies usage of Kaniko in GitLab CI environments and
means that it's not longer necessary to manually cobble together
the config with the right values from the environment in
error-prone shell commands.
Joël Pepper
dependabot[bot]
Jerry Jones
Shude Li
Junwon Kwon
Aris Buzachis
Natalie Arellano
Chuang Wang
almg80
Abirdcfly
Jonas Gröger
dmr
Jason Hall
Bryan A. S
Gabriel Nützi
chenggui53
Ramy
Lukas
claudex
Konstantin Demin
Hingbong Lo
Andreas Fleig
Ishant Mrinal Haloi
Tony De La Nuez
Jason D'Amour
Yonatan Koren
Jack
zhouhaibing089
Víctor
François JACQUES
ePirat