Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document more buildah build --secret options #5784

Merged
merged 1 commit into from
Oct 18, 2024
Merged

Document more buildah build --secret options #5784

merged 1 commit into from
Oct 18, 2024

Conversation

nalind
Copy link
Member

@nalind nalind commented Oct 16, 2024

What type of PR is this?

/kind documentation
/kind other

What this PR does / why we need it:

  • Describe the "env" and "type" options in the buildah-build(1) man page.
  • When parsing the "--secret=" flag for the CLI, instead of ignoring an option that we don't recognize, return an error.
  • Even though the set of meaningful "id" values for secrets is passed in via the command line, don't directly use it to construct a file path.
  • Change the default mode for SSH agent sockets that we create from 0o620 to 0o600.

How to verify it

Updated test to verify that we complain about unrecognized --secret= options!

Which issue(s) this PR fixes:

Resolves #5282, or at least points people in the right direction.

Special notes for your reviewer:

Does this PR introduce a user-facing change?

`buildah build` will now complain if an unrecognized option is passed in the list of options to the `--secret` flag.

@openshift-ci openshift-ci bot added kind/documentation Categorizes issue or PR as related to documentation. kind/other approved labels Oct 16, 2024
@nalind
Copy link
Member Author

nalind commented Oct 16, 2024

/retitle Document more buildah build --secret options

@openshift-ci openshift-ci bot changed the title Document the buildah build --secret options Document more buildah build --secret options Oct 16, 2024
@packit-as-a-service Packit-as-a-Service
Copy link

Ephemeral COPR build failed. @containers/packit-build please check.

flouthoc
flouthoc approved these changes Oct 16, 2024
View reviewed changes
Copy link
Collaborator

@flouthoc flouthoc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR looks good to me, but should changes in parse.go go in seperate commit ? Not sure.

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Oct 16, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: flouthoc, nalind

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

rhatdan
rhatdan reviewed Oct 17, 2024
View reviewed changes
docs/buildah-build.1.md

To later use the secret, use the --mount flag in a `RUN` instruction within a `Containerfile`:

`RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret`

Note: Changing the contents of secret files will not trigger a rebuild of layers that use said secrets.
The location of the secret in the container can be overridden using the
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about an example?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added one.

@nalind nalind force-pushed the secret-flags branch 2 times, most recently from 759059a to af1fe4e Compare October 17, 2024 13:52
@nalind
Document more buildah build --secret options
6c85740 
Describe the "env" and "type" options in the buildah-build(1) man page.

When parsing the "--secret=" flag for the CLI, instead of ignoring an
option that we don't recognize, return an error.

Even though the set of meaningful "id" values for secrets is passed in
via the command line, don't directly use it to construct a file path.

Change the default mode for SSH agent sockets that we create from 0o620
to 0o600.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@rhatdan
Copy link
Member

rhatdan commented Oct 18, 2024

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Oct 18, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit bb9d622 into containers:main Oct 18, 2024
32 checks passed
@nalind nalind deleted the secret-flags branch October 18, 2024 15:00
@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators Jan 17, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@rhatdan rhatdan rhatdan left review comments

@flouthoc flouthoc flouthoc approved these changes

Assignees

@rhatdan rhatdan

Labels
approved kind/documentation Categorizes issue or PR as related to documentation. kind/other lgtm locked - please file new issue/PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Secret src not working if env variable matches id
3 participants
@nalind @rhatdan @flouthoc