Merge pull request #5934 from nalind/cache-mount-images

Accept image names as sources for cache mounts

Author: openshift-merge-bot[bot]

cmd/buildah/run.go

@@ -191,7 +191,7 @@ func runCmd(c *cobra.Command, args []string, iopts runInputOptions) error {
 	if err != nil {
 		return fmt.Errorf("building system context: %w", err)
 	}
-	mounts, mountedImages, intermediateMounts, _, targetLocks, err := volumes.GetVolumes(systemContext, store, builder.MountLabel, iopts.volumes, iopts.mounts, iopts.contextDir, iopts.workingDir, tmpDir)
+	mounts, mountedImages, intermediateMounts, _, targetLocks, err := volumes.GetVolumes(systemContext, store, builder.MountLabel, iopts.volumes, iopts.mounts, iopts.contextDir, builder.IDMappingOptions, iopts.workingDir, tmpDir)
 	if err != nil {
 		return err
 	}

internal/volumes/volumes.go

@@ -6,6 +6,7 @@ import (
 	"github.com/containers/image/v5/types"
 	"github.com/containers/storage"
 	storageTypes "github.com/containers/storage/types"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -14,6 +15,8 @@ func TestGetMount(t *testing.T) {
 	tempDir := t.TempDir()
 	rootDir := t.TempDir()
 	runDir := t.TempDir()
+	sys := &types.SystemContext{}
+	var emptyIDmap []specs.LinuxIDMapping
 
 	store, err := storage.GetStore(storageTypes.StoreOptions{
 		GraphDriverName: "vfs",
@@ -29,26 +32,26 @@ func TestGetMount(t *testing.T) {
 
 	t.Run("GetBindMount", func(t *testing.T) {
 		for _, argNeeder := range []string{"from", "bind-propagation", "src", "source", "target", "dst", "destination", "relabel"} {
-			_, _, _, _, err := GetBindMount(&types.SystemContext{}, []string{argNeeder}, tempDir, store, "", nil, tempDir, tempDir)
+			_, _, _, _, err := GetBindMount(sys, []string{argNeeder}, tempDir, store, "", nil, tempDir, tempDir)
 			assert.ErrorIsf(t, err, errBadOptionArg, "option %q was supposed to have an arg, but wasn't flagged when it didn't have one", argNeeder)
-			_, _, _, _, err = GetBindMount(&types.SystemContext{}, []string{argNeeder + "="}, tempDir, store, "", nil, tempDir, tempDir)
+			_, _, _, _, err = GetBindMount(sys, []string{argNeeder + "="}, tempDir, store, "", nil, tempDir, tempDir)
 			assert.ErrorIsf(t, err, errBadOptionArg, "option %q was supposed to have an arg, but wasn't flagged when it didn't have one", argNeeder)
 		}
 		for _, argHater := range []string{"bind-nonrecursive", "nodev", "noexec", "nosuid", "ro", "readonly", "rw", "readwrite", "shared", "rshared", "private", "rprivate", "slave", "rslave", "Z", "z", "U", "no-dereference"} {
-			_, _, _, _, err := GetBindMount(&types.SystemContext{}, []string{argHater + "=nonce"}, tempDir, store, "", nil, tempDir, tempDir)
+			_, _, _, _, err := GetBindMount(sys, []string{argHater + "=nonce"}, tempDir, store, "", nil, tempDir, tempDir)
 			assert.ErrorIsf(t, err, errBadOptionNoArg, "option %q is not supposed to have an arg, but wasn't flagged when it tried to supply one", argHater)
 		}
 	})
 
 	t.Run("GetCacheMount", func(t *testing.T) {
 		for _, argNeeder := range []string{"sharing", "id", "from", "bind-propagation", "src", "source", "target", "dst", "destination", "mode", "uid", "gid"} {
-			_, _, _, err := GetCacheMount([]string{argNeeder}, nil, tempDir, tempDir)
+			_, _, _, _, _, err := GetCacheMount(sys, []string{argNeeder}, store, "", nil, emptyIDmap, emptyIDmap, tempDir, tempDir)
 			assert.ErrorIsf(t, err, errBadOptionArg, "option %q was supposed to have an arg, but wasn't flagged when it didn't have one", argNeeder)
-			_, _, _, err = GetCacheMount([]string{argNeeder + "="}, nil, tempDir, tempDir)
+			_, _, _, _, _, err = GetCacheMount(sys, []string{argNeeder + "="}, store, "", nil, emptyIDmap, emptyIDmap, tempDir, tempDir)
 			assert.ErrorIsf(t, err, errBadOptionArg, "option %q was supposed to have an arg, but wasn't flagged when it didn't have one", argNeeder)
 		}
 		for _, argHater := range []string{"nodev", "noexec", "nosuid", "U", "rw", "readwrite", "ro", "readonly", "shared", "Z", "z", "rshared", "private", "rprivate", "slave", "rslave"} {
-			_, _, _, err := GetCacheMount([]string{argHater + "=nonce"}, nil, tempDir, tempDir)
+			_, _, _, _, _, err := GetCacheMount(sys, []string{argHater + "=nonce"}, store, "", nil, emptyIDmap, emptyIDmap, tempDir, tempDir)
 			assert.ErrorIsf(t, err, errBadOptionNoArg, "option %q is not supposed to have an arg, but wasn't flagged when it tried to supply one", argHater)
 		}
 	})

internal/volumes/volumes_test.go

@@ -1640,12 +1640,12 @@ func (b *Builder) runSetupRunMounts(mountPoint, bundlePath string, mounts []stri
 			if image != "" {
 				mountImages = append(mountImages, image)
 			}
-			if overlayDir != "" {
-				overlayDirs = append(overlayDirs, overlayDir)
-			}
 			if intermediateMount != "" {
 				intermediateMounts = append(intermediateMounts, intermediateMount)
 			}
+			if overlayDir != "" {
+				overlayDirs = append(overlayDirs, overlayDir)
+			}
 			finalMounts = append(finalMounts, *mountSpec)
 		case "tmpfs":
 			mountSpec, err = b.getTmpfsMount(tokens, idMaps, sources.WorkDir)
@@ -1659,13 +1659,19 @@ func (b *Builder) runSetupRunMounts(mountPoint, bundlePath string, mounts []stri
 					return nil, nil, err
 				}
 			}
-			mountSpec, intermediateMount, tl, err = b.getCacheMount(tokens, sources.StageMountPoints, idMaps, sources.WorkDir, bundleMountsDir)
+			mountSpec, image, intermediateMount, overlayDir, tl, err = b.getCacheMount(tokens, sources.SystemContext, sources.StageMountPoints, idMaps, sources.WorkDir, bundleMountsDir)
 			if err != nil {
 				return nil, nil, err
 			}
+			if image != "" {
+				mountImages = append(mountImages, image)
+			}
 			if intermediateMount != "" {
 				intermediateMounts = append(intermediateMounts, intermediateMount)
 			}
+			if overlayDir != "" {
+				overlayDirs = append(overlayDirs, overlayDir)
+			}
 			if tl != nil {
 				targetLocks = append(targetLocks, tl)
 			}
@@ -1706,15 +1712,39 @@ func (b *Builder) getBindMount(tokens []string, sys *types.SystemContext, contex
 		return nil, "", "", "", errors.New("context directory for current run invocation is not configured")
 	}
 	var optionMounts []specs.Mount
-	mount, image, intermediateMount, overlayMount, err := volumes.GetBindMount(sys, tokens, contextDir, b.store, b.MountLabel, stageMountPoints, workDir, tmpDir)
+	optionMount, image, intermediateMount, overlayMount, err := volumes.GetBindMount(sys, tokens, contextDir, b.store, b.MountLabel, stageMountPoints, workDir, tmpDir)
 	if err != nil {
 		return nil, "", "", "", err
 	}
-	optionMounts = append(optionMounts, mount)
+	succeeded := false
+	defer func() {
+		if !succeeded {
+			if overlayMount != "" {
+				if err := overlay.RemoveTemp(overlayMount); err != nil {
+					b.Logger.Debug(err.Error())
+				}
+			}
+			if intermediateMount != "" {
+				if err := mount.Unmount(intermediateMount); err != nil {
+					b.Logger.Debugf("unmounting %q: %v", intermediateMount, err)
+				}
+				if err := os.Remove(intermediateMount); err != nil {
+					b.Logger.Debugf("removing should-be-empty directory %q: %v", intermediateMount, err)
+				}
+			}
+			if image != "" {
+				if _, err := b.store.UnmountImage(image, false); err != nil {
+					b.Logger.Debugf("unmounting image %q: %v", image, err)
+				}
+			}
+		}
+	}()
+	optionMounts = append(optionMounts, optionMount)
 	volumes, err := b.runSetupVolumeMounts(b.MountLabel, nil, optionMounts, idMaps)
 	if err != nil {
 		return nil, "", "", "", err
 	}
+	succeeded = true
 	return &volumes[0], image, intermediateMount, overlayMount, nil
 }
 

run_common.go

@@ -27,6 +27,7 @@ import (
 	nettypes "github.com/containers/common/libnetwork/types"
 	netUtil "github.com/containers/common/libnetwork/util"
 	"github.com/containers/common/pkg/config"
+	"github.com/containers/image/v5/types"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/lockfile"
 	"github.com/containers/storage/pkg/stringid"
@@ -373,11 +374,12 @@ func setupSpecialMountSpecChanges(spec *specs.Spec, shmSize string) ([]specs.Mou
 }
 
 // If this succeeded, the caller would be expected to, after the command which
-// uses the mount exits, unmount the mounted filesystem and remove its
-// mountpoint (if we provided the path to its mountpoint), and release the lock
-// (if we took one).
-func (b *Builder) getCacheMount(tokens []string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps, workDir, tmpDir string) (*specs.Mount, string, *lockfile.LockFile, error) {
-	return nil, "", nil, errors.New("cache mounts not supported on freebsd")
+// uses the mount exits, clean up the overlay filesystem (if we returned one),
+// unmount the mounted filesystem (if we provided the path to its mountpoint)
+// and remove its mountpoint, unmount the image (if we mounted one), and
+// release the lock (if we took one).
+func (b *Builder) getCacheMount(tokens []string, sys *types.SystemContext, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps, workDir, tmpDir string) (*specs.Mount, string, string, string, *lockfile.LockFile, error) {
+	return nil, "", "", "", nil, errors.New("cache mounts not supported on freebsd")
 }
 
 func (b *Builder) runSetupVolumeMounts(mountLabel string, volumeMounts []string, optionMounts []specs.Mount, idMaps IDMaps) (mounts []specs.Mount, Err error) {

run_freebsd.go

@@ -36,6 +36,7 @@ import (
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/common/pkg/hooks"
 	hooksExec "github.com/containers/common/pkg/hooks/exec"
+	"github.com/containers/image/v5/types"
 	"github.com/containers/storage/pkg/fileutils"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/ioutils"
@@ -1427,21 +1428,29 @@ func checkIDsGreaterThan5(ids []specs.LinuxIDMapping) bool {
 	return false
 }
 
-// Returns a Mount to add to the runtime spec's list of mounts, an optional
-// path of a mounted filesystem, unmounted, and an optional lock, or an error.
+// Returns a Mount to add to the runtime spec's list of mounts, the ID of an
+// image, the path to a mounted filesystem, and the path to an overlay
+// filesystem, and an optional lock, or an error.
 //
 // The caller is expected to, after the command which uses the mount exits,
-// unmount the mounted filesystem (if we provided the path to its mountpoint)
-// and remove its mountpoint, , and release the lock (if we took one).
-func (b *Builder) getCacheMount(tokens []string, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps, workDir, tmpDir string) (*specs.Mount, string, *lockfile.LockFile, error) {
+// clean up the overlay filesystem (if we returned one), unmount the mounted
+// filesystem (if we provided the path to its mountpoint) and remove its
+// mountpoint, unmount the image (if we mounted one), and release the lock (if
+// we took one).
+func (b *Builder) getCacheMount(tokens []string, sys *types.SystemContext, stageMountPoints map[string]internal.StageMountDetails, idMaps IDMaps, workDir, tmpDir string) (*specs.Mount, string, string, string, *lockfile.LockFile, error) {
 	var optionMounts []specs.Mount
-	optionMount, intermediateMount, targetLock, err := volumes.GetCacheMount(tokens, stageMountPoints, workDir, tmpDir)
+	optionMount, mountedImage, intermediateMount, overlayMount, targetLock, err := volumes.GetCacheMount(sys, tokens, b.store, b.MountLabel, stageMountPoints, idMaps.uidmap, idMaps.gidmap, workDir, tmpDir)
 	if err != nil {
-		return nil, "", nil, err
+		return nil, "", "", "", nil, err
 	}
 	succeeded := false
 	defer func() {
 		if !succeeded {
+			if overlayMount != "" {
+				if err := overlay.RemoveTemp(overlayMount); err != nil {
+					b.Logger.Debug(err.Error())
+				}
+			}
 			if intermediateMount != "" {
 				if err := mount.Unmount(intermediateMount); err != nil {
 					b.Logger.Debugf("unmounting %q: %v", intermediateMount, err)
@@ -1450,6 +1459,11 @@ func (b *Builder) getCacheMount(tokens []string, stageMountPoints map[string]int
 					b.Logger.Debugf("removing should-be-empty directory %q: %v", intermediateMount, err)
 				}
 			}
+			if mountedImage != "" {
+				if _, err := b.store.UnmountImage(mountedImage, false); err != nil {
+					b.Logger.Debugf("unmounting image %q: %v", mountedImage, err)
+				}
+			}
 			if targetLock != nil {
 				targetLock.Unlock()
 			}
@@ -1458,8 +1472,8 @@ func (b *Builder) getCacheMount(tokens []string, stageMountPoints map[string]int
 	optionMounts = append(optionMounts, optionMount)
 	volumes, err := b.runSetupVolumeMounts(b.MountLabel, nil, optionMounts, idMaps)
 	if err != nil {
-		return nil, "", nil, err
+		return nil, "", "", "", nil, err
 	}
 	succeeded = true
-	return &volumes[0], intermediateMount, targetLock, nil
+	return &volumes[0], mountedImage, intermediateMount, overlayMount, targetLock, nil
 }

run_linux.go

@@ -895,8 +895,40 @@ _EOF
   expect_output --substring "Groups:	1000"
 }
 
+@test "build-mount-cache-with-id-mappings" {
+  _prefetch alpine
+  local contextdir=${TEST_SCRATCH_DIR}/context
+  mkdir ${contextdir}
+
+  # with no ID mappings
+  local cacheid=${SRANDOM}
+  cat > ${contextdir}/Dockerfile << EOF
+  FROM alpine
+  USER 1000:1000
+  RUN --mount=type=cache,id=${cacheid},target=/var/tmp,uid=1000,gid=1000 stat / /var/tmp
+  RUN --mount=type=cache,id=${cacheid},target=/var/tmp,uid=1000,gid=1000 test \`stat -c %u /var/tmp\` -eq 1000
+  RUN --mount=type=cache,id=${cacheid},target=/var/tmp,uid=1000,gid=1000 touch /var/tmp/should-be-able-to-write
+EOF
+  run_buildah build $WITH_POLICY_JSON ${contextdir}
+
+  # with non-default ID mappings
+  local cacheid=${SRANDOM}
+  cat > ${contextdir}/Dockerfile << EOF
+  FROM alpine
+  USER 1000:1000
+  RUN --mount=type=cache,id=${cacheid},target=/var/tmp,uid=1000,gid=1000 stat / /var/tmp
+  RUN --mount=type=cache,id=${cacheid},target=/var/tmp,uid=1000,gid=1000 test \`stat -c %u /var/tmp\` -eq 1000
+  RUN --mount=type=cache,id=${cacheid},target=/var/tmp,uid=1000,gid=1000 touch /var/tmp/should-be-able-to-write
+EOF
+  if test `id -u` -eq 0 ; then
+    run_buildah build --userns-uid-map 0:1:1023 --userns-gid-map 0:1:1023 $WITH_POLICY_JSON ${contextdir}
+  else
+    run_buildah build --userns auto:size=1023 $WITH_POLICY_JSON ${contextdir}
+  fi
+}
+
 @test "build test if supplemental groups has gid with --isolation chroot" {
-  test -z "${BUILDAH_ISOLATION}" || skip "BUILDAH_ISOLATION=${BUILDAH_ISOLATION} overrides --isolation"
+  test "${BUILDAH_ISOLATION}" != chroot || skip "BUILDAH_ISOLATION=${BUILDAH_ISOLATION} overrides --isolation"
 
   _prefetch alpine
   run_buildah build --isolation chroot $WITH_POLICY_JSON -t source -f $BUDFILES/supplemental-groups/Dockerfile
@@ -6676,20 +6708,17 @@ _EOF
   expect_output --substring "hello"
 }
 
-# following test must fail
 @test "bud-with-mount-cache-image-from-like-buildkit" {
   skip_if_no_runtime
   skip_if_in_container
   _prefetch alpine
-  local contextdir=${TEST_SCRATCH_DIR}/buildkit-mount-from
-  cp -R $BUDFILES/buildkit-mount-from $contextdir
+  local contextdir=${BUDFILES}/buildkit-mount-from
 
   # build base image which we will use as our `from`
   TMPDIR=${TEST_SCRATCH_DIR} run_buildah build -t buildkitbase $WITH_POLICY_JSON -f $contextdir/Dockerfilebuildkitbase $contextdir/
 
   # try reading something from persistent cache in a different build
-  TMPDIR=${TEST_SCRATCH_DIR} run_buildah 125 build -t testbud $WITH_POLICY_JSON -f $contextdir/Dockerfilecachefromimage
-  expect_output --substring "no stage or additional build context found with name buildkitbase"
+  TMPDIR=${TEST_SCRATCH_DIR} run_buildah build -t testbud $WITH_POLICY_JSON -f $contextdir/Dockerfilecachefromimage
 }
 
 @test "bud-with-mount-cache-multiple-from-like-buildkit" {

tests/bud.bats

@@ -1,5 +1,8 @@
 FROM alpine
 RUN mkdir /test
 # use another image as cache source
-# following should fail as cache does not supports mounting image
 RUN --mount=type=cache,from=buildkitbase,target=/test cat /test/hello
+# should be able to "write" to the cache
+RUN --mount=type=cache,from=buildkitbase,target=/test rm /test/hello
+# should be able to "write" to the cache again, since that last write was discarded
+RUN --mount=type=cache,from=buildkitbase,target=/test rm /test/hello