Run the containers with an 'unconfined' security profile.

containers/buildah#1901 [noissue]
mdellweg · Oct 21, 2020 · 42900bd · 42900bd
1 parent 67ab8b7
commit 42900bd
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 21 deletions.
diff --git a/.travis/start_container.yaml b/.travis/start_container.yaml
@@ -41,6 +41,8 @@
         volumes: "{{ item.volumes | default(omit) }}"
         env: "{{ item.env | default(omit) }}"
         command: "{{ item.command | default(omit) }}"
+        security_opts:
+          - "seccomp:unconfined"
         state: started
       loop: "{{ services | default([]) }}"
 

diff --git a/pulp_container/app/tasks/builder.py b/pulp_container/app/tasks/builder.py
@@ -114,6 +114,10 @@ def build_image_from_containerfile(
     repository = ContainerRepository.objects.get(pk=repository_pk)
     name = str(uuid4())
     with WorkingDirectory() as working_directory:
+        buildah_env = os.environ.copy()
+        buildah_env.update(
+            {"_BUILDAH_STARTED_IN_USERNS": "", "BUILDAH_ISOLATION": "chroot", "HOME": "/"}
+        )
         path = "{}/".format(working_directory.path)
         for key, val in artifacts.items():
             artifact = Artifact.objects.get(pk=key)
@@ -126,6 +130,7 @@ def build_image_from_containerfile(
             ["buildah", "bud", "-f", containerfile.file.path, "-t", name, path],
             stdout=subprocess.PIPE,
             stderr=subprocess.PIPE,
+            env=buildah_env,
         )
         if bud_cp.returncode != 0:
             raise Exception(bud_cp.stderr)
@@ -135,6 +140,7 @@ def build_image_from_containerfile(
             ["buildah", "push", "-f", "oci", name, "dir:{}".format(image_dir)],
             stdout=subprocess.PIPE,
             stderr=subprocess.PIPE,
+            env=buildah_env,
         )
         if push_cp.returncode != 0:
             raise Exception(push_cp.stderr)

diff --git a/pulp_container/tests/functional/api/test_build_image.py b/pulp_container/tests/functional/api/test_build_image.py
@@ -10,12 +10,11 @@
     gen_distribution,
     gen_repo,
 )
+from pulp_smash.pulp3.bindings import monitor_task
 
 from pulp_container.tests.functional.utils import (
     core_client,
     gen_container_client,
-    gen_token_signing_keys,
-    monitor_task,
 )
 
 from pulpcore.client.pulpcore import ArtifactsApi
@@ -42,7 +41,6 @@ def setUpClass(cls):
         5. Create a container distribution to serve the repository version
         """
         cls.cfg = config.get_config()
-        gen_token_signing_keys(cls.cfg)
 
         client_api = gen_container_client()
         cls.artifacts_api = ArtifactsApi(core_client)
@@ -61,36 +59,34 @@ def setUpClass(cls):
 
             # Step 2
             with NamedTemporaryFile() as text_file:
-                text_file.write(b'some text')
+                text_file.write(b"some text")
                 text_file.flush()
                 artifact = cls.artifacts_api.create(file=text_file.name)
-                cls.teardown_cleanups.append(
-                    (cls.artifacts_api.delete, artifact.pulp_href)
-                )
+                cls.teardown_cleanups.append((cls.artifacts_api.delete, artifact.pulp_href))
 
             # Step 3
             with NamedTemporaryFile() as containerfile:
-                containerfile.write(b"""FROM busybox:latest
+                containerfile.write(
+                    b"""FROM busybox:latest
 
 # Copy a file using COPY statement. Use the relative path specified in the 'artifacts' parameter.
 COPY foo/bar/example.txt /inside-image.txt
 
 # Print the content of the file when the container starts
-CMD ["cat", "/inside-image.txt"]""")
+CMD ["cat", "/inside-image.txt"]"""
+                )
                 containerfile.flush()
                 # Step 4
-                artifacts = "{{\"{}\": \"foo/bar/example.txt\"}}".format(artifact.pulp_href)
-                build_response = cls.repositories_api.build_image(_repo.pulp_href,
-                                                                  containerfile=containerfile.name,
-                                                                  artifacts=artifacts)
+                artifacts = '{{"{}": "foo/bar/example.txt"}}'.format(artifact.pulp_href)
+                build_response = cls.repositories_api.build_image(
+                    _repo.pulp_href, containerfile=containerfile.name, artifacts=artifacts
+                )
                 monitor_task(build_response.task)
                 cls.repo = cls.repositories_api.read(_repo.pulp_href)
 
             # Step 5.
             distribution_response = cls.distributions_api.create(
-                ContainerContainerDistribution(
-                    **gen_distribution(repository=cls.repo.pulp_href)
-                )
+                ContainerContainerDistribution(**gen_distribution(repository=cls.repo.pulp_href))
             )
             created_resources = monitor_task(distribution_response.task)
             distribution = cls.distributions_api.read(created_resources[0])
@@ -115,13 +111,10 @@ def test_build_image_with_artifact_and_pull_from_repository(self):
         2. Ensure image is deleted after the test.
         """
         registry = cli.RegistryClient(self.cfg)
-        registry.raise_if_unsupported(
-            unittest.SkipTest, "Test requires podman/docker"
-        )
+        registry.raise_if_unsupported(unittest.SkipTest, "Test requires podman/docker")
 
         local_url = urljoin(
-            self.cfg.get_content_host_base_url(),
-            self.distribution_with_repo.base_path
+            self.cfg.get_content_host_base_url(), self.distribution_with_repo.base_path
         )
 
         registry.pull(local_url)