From c97639d6c4b5b7e0e102528cee5c034c2d7409cd Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Tue, 24 Sep 2024 13:40:22 +0200
Subject: [PATCH] buildah-*: re-generate
includes:
- buildah: don't modify Dockerfile in place
- buildah: address uncovered checkton warnings
Signed-off-by: Adam Cmiel
---
 task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 19 +++++++++++++------
 .../0.2/buildah-remote-oci-ta.yaml | 19 +++++++++++++------
 task/buildah-remote/0.2/buildah-remote.yaml | 19 +++++++++++++------
 3 files changed, 39 insertions(+), 18 deletions(-)
diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
index 133df7524f..8e76906d99 100644
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -273,8 +273,12 @@ spec:
 echo "Cannot find Dockerfile $DOCKERFILE"
 exit 1
 fi
- if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
- sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
+
+ dockerfile_copy=/tmp/$(basename "$dockerfile_path")
+ cp "$dockerfile_path" "$dockerfile_copy"
+
+ if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_copy"; then
+ sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_copy"
 touch /var/lib/containers/java
 fi
@@ -309,7 +313,7 @@ spec:
 done
 BASE_IMAGES=$(
- dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_path" |
+ dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_copy" |
 jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)'
 )
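Review bot: `dockerfile_copy=/tmp/$(basename "$dockerfile_path")` places the working copy at a fixed name under /tmp that is derived from the caller-supplied Dockerfile parameter, in a directory this step also uses for other state (the `/tmp/cachi2/...` paths in the later hunks); if the basename matches an existing entry there, `cp` copies into the directory or overwrites the file, and every later use of `$dockerfile_copy` (`sed -i`, `dockerfile-json`, `buildah build -f`) fails or reads the wrong content. A private scratch directory removes the collision and the predictability: `dockerfile_copy=$(mktemp -d)/$(basename "$dockerfile_path")` followed by `cp -- "$dockerfile_path" "$dockerfile_copy" || exit 1`. The `|| exit 1` matters only if the step is not already running under `set -e`, which the hunk does not show. Since the subject says these task files are re-generated, the change presumably belongs in the template they are generated from rather than in this YAML.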
@@ -351,7 +355,7 @@ spec:
 sed -E -i \
 -e 'H;1h;$!d;x' \
 -e 's@^\s*(run((\s|\\\n)+-\S+)*(\s|\\\n)+)@\1. /cachi2/cachi2.env \&\& \\\n @igM' \
- "$dockerfile_path"
+ "$dockerfile_copy"
 echo "Prefetched content will be made available"
 prefetched_repo_for_my_arch="/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo"
@@ -412,15 +416,18 @@ spec:
 done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
 fi
+ # Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
+ declare IMAGE
+
 unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
 $VOLUME_MOUNTS \
 "${BUILDAH_ARGS[@]}" \
 "${LABELS[@]}" \
 --tls-verify=$TLSVERIFY --no-cache \
 --ulimit nofile=4096:4096 \
- -f "$dockerfile_path" -t $IMAGE .
+ -f "$dockerfile_copy" -t "$IMAGE" .
- container=$(buildah from --pull-never $IMAGE)
+ container=$(buildah from --pull-never "$IMAGE")
 buildah mount $container | tee /shared/container_path
 # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
 find $(cat /shared/container_path) -xtype l -delete
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
index 24743cc0b1..8e77a97bf3 100644
--- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
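Review bot: `declare IMAGE` only silences SC2153 and gives no assurance that the value is actually set: at top level it leaves an existing `IMAGE` untouched, but inside a function `declare` behaves like `local` and would replace the inherited value with an empty string, so `-t "$IMAGE"` (now an explicit empty argument thanks to the new quoting) would fail deep inside buildah rather than at an obvious place. A guard that fails fast with a reason covers both cases and still satisfies the linter when paired with a directive: replace the two added lines with `# shellcheck disable=SC2153  # IMAGE is provided by the step environment` and `: "${IMAGE:?IMAGE must be set}"`. Whether this body runs inside a function is not visible from the hunk. The unquoted `$UNSHARE_ARGS`, `$VOLUME_MOUNTS` and `$container` on the same commands predate this change and look like deliberate word-splitting; a short comment saying so would keep the next ShellCheck pass from "fixing" them.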
@@ -308,8 +308,12 @@ spec:
 echo "Cannot find Dockerfile $DOCKERFILE"
 exit 1
 fi
- if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
- sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
+
+ dockerfile_copy=/tmp/$(basename "$dockerfile_path")
+ cp "$dockerfile_path" "$dockerfile_copy"
+
+ if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_copy"; then
+ sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_copy"
 touch /var/lib/containers/java
 fi
@@ -344,7 +348,7 @@ spec:
 done
 BASE_IMAGES=$(
- dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_path" |
+ dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_copy" |
 jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)'
 )
@@ -386,7 +390,7 @@ spec:
 sed -E -i \
 -e 'H;1h;$!d;x' \
 -e 's@^\s*(run((\s|\\\n)+-\S+)*(\s|\\\n)+)@\1. /cachi2/cachi2.env \&\& \\\n @igM' \
- "$dockerfile_path"
+ "$dockerfile_copy"
 echo "Prefetched content will be made available"
 prefetched_repo_for_my_arch="/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo"
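Review bot: The new `cp "$dockerfile_path" "$dockerfile_copy"` lands the copy at `/tmp/<basename>`, a name chosen by whoever supplies the Dockerfile parameter, in the same /tmp the step uses for `/tmp/cachi2/...` (visible in the third hunk); a clash there makes `cp` copy into an existing directory or clobber a file, after which the `sed -i` and `buildah build -f` on `$dockerfile_copy` fail or operate on the wrong content. `dockerfile_copy=$(mktemp -d)/$(basename "$dockerfile_path")` keeps the readable basename while making the location private and unpredictable. One side effect worth confirming: if any build relies on buildah honouring a per-file ignore file placed next to the Dockerfile rather than the context's `.containerignore`/`.dockerignore`, moving the file to /tmp would silently drop it — I cannot tell from the hunk whether that is relied upon. As this file appears to be generated, the fix belongs in the source template.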
@@ -447,15 +451,18 @@ spec:
 done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
 fi
+ # Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
+ declare IMAGE
+
 unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
 $VOLUME_MOUNTS \
 "${BUILDAH_ARGS[@]}" \
 "${LABELS[@]}" \
 --tls-verify=$TLSVERIFY --no-cache \
 --ulimit nofile=4096:4096 \
- -f "$dockerfile_path" -t $IMAGE .
+ -f "$dockerfile_copy" -t "$IMAGE" .
- container=$(buildah from --pull-never $IMAGE)
+ container=$(buildah from --pull-never "$IMAGE")
 buildah mount $container | tee /shared/container_path
 # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
 find $(cat /shared/container_path) -xtype l -delete
diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml
index 2d5a682359..ec481f49bc 100644
--- a/task/buildah-remote/0.2/buildah-remote.yaml
+++ b/task/buildah-remote/0.2/buildah-remote.yaml
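Review bot: `declare IMAGE` is a lint-only fix: it does not verify that `IMAGE` was exported into the step, so a missing value still reaches `buildah build ... -t "$IMAGE"` as an empty argument and fails there instead of up front. In a function scope `declare` would additionally act like `local` and blank out the inherited value, which the added comment does not warn about; whether this script body is inside a function is not visible from the hunk. `: "${IMAGE:?IMAGE must be set in the step environment}"` preceded by `# shellcheck disable=SC2153` fails immediately with the reason, and the comment can then explain what the variable is rather than why ShellCheck complained. The newly quoted `-t "$IMAGE"` and `--pull-never "$IMAGE"` are correct as written.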
@@ -290,8 +290,12 @@ spec:
 echo "Cannot find Dockerfile $DOCKERFILE"
 exit 1
 fi
- if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
- sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
+
+ dockerfile_copy=/tmp/$(basename "$dockerfile_path")
+ cp "$dockerfile_path" "$dockerfile_copy"
+
+ if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_copy"; then
+ sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_copy"
 touch /var/lib/containers/java
 fi
@@ -326,7 +330,7 @@ spec:
 done
 BASE_IMAGES=$(
- dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_path" |
+ dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_copy" |
 jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)'
 )
@@ -368,7 +372,7 @@ spec:
 sed -E -i \
 -e 'H;1h;$!d;x' \
 -e 's@^\s*(run((\s|\\\n)+-\S+)*(\s|\\\n)+)@\1. /cachi2/cachi2.env \&\& \\\n @igM' \
- "$dockerfile_path"
+ "$dockerfile_copy"
 echo "Prefetched content will be made available"
 prefetched_repo_for_my_arch="/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo"
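Review bot: `dockerfile_copy=/tmp/$(basename "$dockerfile_path")` is a fixed, predictable path derived from a task parameter, and `cp` will silently overwrite whatever already sits there, or copy into it if it is a directory such as the `/tmp/cachi2` tree referenced later in this file. Prefer a fresh private directory, `dockerfile_copy=$(mktemp -d)/$(basename "$dockerfile_path")`, and check the copy with `cp -- "$dockerfile_path" "$dockerfile_copy" || exit 1` unless the step already runs with `set -e`, which this hunk does not show. A one-line comment above the copy, `# Work on a scratch copy so the rewrites below never touch the source tree`, would record why the copy exists, which the code itself does not say. Given the "re-generate" subject, apply this in the generator's template rather than in this file alone.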
@@ -429,15 +433,18 @@ spec:
 done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
 fi
+ # Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
+ declare IMAGE
+
 unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
 $VOLUME_MOUNTS \
 "${BUILDAH_ARGS[@]}" \
 "${LABELS[@]}" \
 --tls-verify=$TLSVERIFY --no-cache \
 --ulimit nofile=4096:4096 \
- -f "$dockerfile_path" -t $IMAGE .
+ -f "$dockerfile_copy" -t "$IMAGE" .
- container=$(buildah from --pull-never $IMAGE)
+ container=$(buildah from --pull-never "$IMAGE")
 buildah mount $container | tee /shared/container_path
 # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
 find $(cat /shared/container_path) -xtype l -delete
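Review bot: `declare IMAGE` only papers over SC2153; the buildah invocation a few lines down still has no assurance that `IMAGE` is non-empty, and an empty `-t ""` yields a confusing buildah error rather than a clear one from the script. `declare` inside a function also creates an empty local, so if this step body is ever wrapped in a function the externally provided image name would be silently lost — I cannot see from the hunk whether that is the case today. Suggest replacing the two added lines with `# shellcheck disable=SC2153  # IMAGE comes from the step environment` and `: "${IMAGE:?IMAGE must be set}"`. The unquoted `$UNSHARE_ARGS`, `$VOLUME_MOUNTS` and `$container` on the same commands predate this change and look like deliberate word-splitting; a short comment saying so would stop future lint passes from quoting them.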