openshift · gabemontero · Apr 4, 2021 · Apr 4, 2021
diff --git a/go.mod b/go.mod
@@ -5,25 +5,25 @@ go 1.13
 require (
 	github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
-	github.com/containernetworking/cni v0.8.1 // indirect
-	github.com/containers/buildah v1.16.4
-	github.com/containers/common v0.21.0
+	github.com/containers/buildah v1.20.1-0.20210331202609-d29b04dba7fa
+	github.com/containers/common v0.35.4
 	github.com/containers/image/v5 v5.10.5
-	github.com/containers/storage v1.24.8
+	github.com/containers/storage v1.28.1
 	github.com/docker/distribution v2.7.1+incompatible
 	github.com/elazarl/goproxy v0.0.0-20191011121108-aa519ddbe484 // indirect
-	github.com/fsouza/go-dockerclient v1.6.5
-	github.com/opencontainers/runc v1.0.0-rc91.0.20200707015106-819fcc687efb
-	github.com/opencontainers/runtime-spec v1.0.3-0.20200710190001-3e4195d92445
+	github.com/fsouza/go-dockerclient v1.7.2
+	github.com/mattn/go-isatty v0.0.12 // indirect
+	github.com/opencontainers/runc v1.0.0-rc93
+	github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d
 	github.com/openshift/api v0.0.0-20201019163320-c6a5ec25f267
 	github.com/openshift/client-go v0.0.0-20201020074620-f8fd44879f7c
-	github.com/openshift/imagebuilder v1.1.7
+	github.com/openshift/imagebuilder v1.2.0
 	github.com/openshift/library-go v0.0.0-20201123212217-43f358922ea0
 	github.com/openshift/source-to-image v1.3.1
 	github.com/pkg/errors v0.9.1
-	github.com/spf13/cobra v1.1.1
+	github.com/spf13/cobra v1.1.3
 	github.com/spf13/pflag v1.0.5
-	golang.org/x/sys v0.0.0-20201218084310-7d0127a74742
+	golang.org/x/sys v0.0.0-20210216224549-f992740a1bac
 	k8s.io/api v0.20.0
 	k8s.io/apimachinery v0.20.0
 	k8s.io/client-go v0.20.0
@@ -39,7 +39,7 @@ replace (
 	github.com/docker/libnetwork => github.com/docker/libnetwork v0.8.0-dev.2.0.20171107005402-dcf79f8c7fcb
 	github.com/godbus/dbus => github.com/godbus/dbus v0.0.0-20181101234600-2ff6f7ffd60f
 	// these dependencies are needed for runtime-tools, where "mod tidy" disrupts them
-	github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.0-rc91
+	github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.0-rc93
 	github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.1
 	github.com/opencontainers/runtime-tools => github.com/opencontainers/runtime-tools v0.8.0
 	// Needed to resolve broken transitive dependencies in buildkit and s2i

diff --git a/go.sum b/go.sum
diff --git a/pkg/build/builder/daemonless.go b/pkg/build/builder/daemonless.go
@@ -32,6 +32,15 @@ import (
 
 	"github.com/openshift/builder/pkg/build/builder/cmd/dockercfg"
 	builderutil "github.com/openshift/builder/pkg/build/builder/util"
+
+	s2ifs "github.com/openshift/source-to-image/pkg/util/fs"
+)
+
+const (
+	defaultMountStart = "/run/secrets"
+	repoFile          = "redhat.repo"
+	subMgrCertDir     = "rhsm"
+	etcPkiEntitle     = "etc-pki-entitlement"
 )
 
 var (
@@ -263,6 +272,7 @@ func buildDaemonlessImage(sc types.SystemContext, store storage.Store, isolation
 		}
 	}
 
+	transientMounts := generateTransientMounts()
 	// Use a profile provided in the image instead of the default provided
 	// in runtime-tools's generator logic.
 	seccompProfilePath := "/usr/share/containers/seccomp.json"
@@ -271,6 +281,7 @@ func buildDaemonlessImage(sc types.SystemContext, store storage.Store, isolation
 		ContextDirectory: contextDir,
 		PullPolicy:       pullPolicy,
 		Isolation:        isolation,
+		TransientMounts:  transientMounts,
 		Args:             args,
 		Output:           opts.Name,
 		Out:              opts.OutputStream,
@@ -303,6 +314,86 @@ func buildDaemonlessImage(sc types.SystemContext, store storage.Store, isolation
 	return err
 }
 
+func generateTransientMounts() []string {
+	mounts := []string{}
+	mounts = appendRHSMMount(defaultMountStart, mounts)
+	mounts = appendETCPKIMount(defaultMountStart, mounts)
+	mounts = appendRHRepoMount(defaultMountStart, mounts)
+	return mounts
+}
+
+func appendRHRepoMount(pathStart string, mounts []string) []string {
+	path := filepath.Join(pathStart, repoFile)
+	st, err := os.Stat(path)
+	if err != nil {
+		// since the presence of the repo file is not a given, we won't log this a V(0)
+		log.V(4).Infof("Failed to stat %s, falling back to the Red Hat yum repository configuration in the build's base image. Error: %v", path, err)
+		return mounts
+	}
+	if !st.Mode().IsRegular() {
+		// if the file is there, but an unexpected type, then always have log show up via V(0)
+		log.V(0).Infof("Falling back to the Red Hat yum repository configuration in the build's base image: %s secrets location %s is a directory.", repoFile, path)
+		return mounts
+	}
+
+	// Add a bind of repo file, to pass along anything that the runtime mounted from the node
+	log.V(0).Infof("Adding transient rw bind mount for %s", path)
+	tmpDir, err := ioutil.TempDir("/tmp", repoFile+"-copy")
+	if err != nil {
+		log.V(0).Infof("Falling back to the Red Hat yum repository configuration in the base image: failed to create tmpdir for %s secret: %v", repoFile, err)
+		return mounts
+	}
+	fs := s2ifs.NewFileSystem()
+	err = fs.Copy(path, filepath.Join(tmpDir, repoFile), map[string]string{})
+	if err != nil {
+		log.V(0).Infof("Falling back to the Red Hat yum repository configuration in the base image: failed to copy %s secret: %v", repoFile, err)
+		return mounts
+	}
+	mounts = append(mounts, fmt.Sprintf("%s:/run/secrets/%s:rw,nodev,noexec,nosuid", filepath.Join(tmpDir, repoFile), repoFile))
+	return mounts
+}
+
+func coreAppendSecretLinksToDirs(pathStart, pathEnd string, mounts []string) []string {
+	path := filepath.Join(pathStart, pathEnd)
+	st, err := os.Stat(path)
+	if err != nil {
+		// since the presence of dir secret is not a given, we won't log this a V(0)
+		log.V(0).Infof("Red Hat subscription content will not be available in this build: failed to stat directory %s: %v", path, err)
+		return mounts
+	}
+	if !st.IsDir() && st.Mode()&os.ModeSymlink == 0 {
+		// if the file is there, but an unexpected type, then always have log show up via V(0)
+		log.V(0).Infof("Red Hat subscription content will not be available in this build: %s is not a directory", path)
+		return mounts
+	}
+
+	// Add a bind of dir secret, to pass along anything that the runtime mounted from the node
+	log.V(0).Infof("Adding transient rw bind mount for %s", path)
+	tmpDir, err := ioutil.TempDir("/tmp", pathEnd+"-copy")
+	if err != nil {
+		log.V(0).Infof("Red Hat subscription content will not be available in this build: failed to create tmpdir for %s secrets: %v", pathEnd, err)
+		return mounts
+	}
+	fs := s2ifs.NewFileSystem()
+	err = fs.CopyContents(path, tmpDir, map[string]string{})
+	if err != nil {
+		log.V(0).Infof("Red Hat subscription content will not be available in this build: failed to copy %s secrets: %v", pathEnd, err)
+		return mounts
+	}
+	mounts = append(mounts, fmt.Sprintf("%s:/run/secrets/%s:rw,nodev,noexec,nosuid", tmpDir, pathEnd))
+	return mounts
+	return mounts
+}
+
+func appendETCPKIMount(pathStart string, mounts []string) []string {
+	return coreAppendSecretLinksToDirs(pathStart, etcPkiEntitle, mounts)
+
+}
+
+func appendRHSMMount(pathStart string, mounts []string) []string {
+	return coreAppendSecretLinksToDirs(pathStart, subMgrCertDir, mounts)
+}
+
 func tagDaemonlessImage(sc types.SystemContext, store storage.Store, buildTag, pushTag string) error {
 	log.V(2).Infof("Tagging local image %q with name %q.", buildTag, pushTag)