feat: add --with-ssl-cert-file option to build command

This makes the root CAs from the host available to containers during a
build.

Signed-off-by: Adam Eijdenberg <adam@continusec.com>

Author: aeijdenberg

define/build.go

@@ -113,6 +113,8 @@ type CommonBuildOptions struct {
 	OCIHooksDir []string
 	// Paths to unmask
 	Unmasks []string
+	// WithSSLCertFile specifies whether the host root CAs should be ephemerally mounted within the container
+	WithSSLCertFile bool
 }
 
 // BuildOptions can be used to alter how an image is built.

docs/buildah-build.1.md

@@ -1232,6 +1232,11 @@ will convert /foo into a `shared` mount point.  The propagation properties of th
 mount can be changed directly. For instance if `/` is the source mount for
 `/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount.
 
+**--with-ssl-cert-file**
+
+If set, bind mount the host CA cert file (override location by setting `SSL_CERT_FILE`) within the RUN containers,
+and set environment variable `SSL_CERT_FILE` to point to it.
+
 ## BUILD TIME VARIABLES
 
 The ENV instruction in a Containerfile can be used to define variable values.  When the image

docs/buildah-from.1.md

@@ -690,6 +690,11 @@ will convert /foo into a `shared` mount point.  The propagation properties of th
 mount can be changed directly. For instance if `/` is the source mount for
 `/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount.
 
+**--with-ssl-cert-file**
+
+If set, bind mount the host CA cert file (override location by setting `SSL_CERT_FILE`) within the RUN containers,
+and set environment variable `SSL_CERT_FILE` to point to it.
+
 ## EXAMPLE
 
 buildah from --pull imagename

pkg/cli/common.go

@@ -125,32 +125,33 @@ type BudResults struct {
 // FromAndBugResults represents the results for common flags
 // in build and from
 type FromAndBudResults struct {
-	AddHost        []string
-	BlobCache      string
-	CapAdd         []string
-	CapDrop        []string
-	CDIConfigDir   string
-	CgroupParent   string
-	CPUPeriod      uint64
-	CPUQuota       int64
-	CPUSetCPUs     string
-	CPUSetMems     string
-	CPUShares      uint64
-	DecryptionKeys []string
-	Devices        []string
-	DNSSearch      []string
-	DNSServers     []string
-	DNSOptions     []string
-	HTTPProxy      bool
-	Isolation      string
-	Memory         string
-	MemorySwap     string
-	Retry          int
-	RetryDelay     string
-	SecurityOpt    []string
-	ShmSize        string
-	Ulimit         []string
-	Volumes        []string
+	AddHost         []string
+	BlobCache       string
+	CapAdd          []string
+	CapDrop         []string
+	CDIConfigDir    string
+	CgroupParent    string
+	CPUPeriod       uint64
+	CPUQuota        int64
+	CPUSetCPUs      string
+	CPUSetMems      string
+	CPUShares       uint64
+	DecryptionKeys  []string
+	Devices         []string
+	DNSSearch       []string
+	DNSServers      []string
+	DNSOptions      []string
+	HTTPProxy       bool
+	Isolation       string
+	Memory          string
+	MemorySwap      string
+	Retry           int
+	RetryDelay      string
+	SecurityOpt     []string
+	ShmSize         string
+	Ulimit          []string
+	Volumes         []string
+	WithSSLCertFile bool
 }
 
 // GetUserNSFlags returns the common flags for usernamespace
@@ -409,6 +410,7 @@ func GetFromAndBudFlags(flags *FromAndBudResults, usernsResults *UserNSResults,
 	fs.String("variant", "", "override the `variant` of the specified image")
 	fs.StringArrayVar(&flags.SecurityOpt, "security-opt", []string{}, "security options (default [])")
 	fs.StringVar(&flags.ShmSize, "shm-size", defaultContainerConfig.Containers.ShmSize, "size of '/dev/shm'. The format is `<number><unit>`.")
+	fs.BoolVar(&flags.WithSSLCertFile, "with-ssl-cert-file", false, "mount host root CAs to /host-ssl-cert-file in container during build, and set SSL_CERT_FILE to point to it")
 	fs.StringSliceVar(&flags.Ulimit, "ulimit", defaultContainerConfig.Containers.DefaultUlimits.Get(), "ulimit options")
 	fs.StringArrayVarP(&flags.Volumes, "volume", "v", defaultContainerConfig.Volumes(), "bind mount a volume into the container")
 

pkg/parse/parse.go

@@ -162,6 +162,7 @@ func CommonBuildOptionsFromFlagSet(flags *pflag.FlagSet, findFlagFunc func(name
 	cpuQuota, _ := flags.GetInt64("cpu-quota")
 	cpuShares, _ := flags.GetUint64("cpu-shares")
 	httpProxy, _ := flags.GetBool("http-proxy")
+	withSSLCertFile, _ := flags.GetBool("with-ssl-cert-file")
 	identityLabel, _ := flags.GetBool("identity-label")
 	omitHistory, _ := flags.GetBool("omit-history")
 
@@ -175,29 +176,30 @@ func CommonBuildOptionsFromFlagSet(flags *pflag.FlagSet, findFlagFunc func(name
 	ociHooks, _ := flags.GetStringArray("hooks-dir")
 
 	commonOpts := &define.CommonBuildOptions{
-		AddHost:       addHost,
-		CPUPeriod:     cpuPeriod,
-		CPUQuota:      cpuQuota,
-		CPUSetCPUs:    findFlagFunc("cpuset-cpus").Value.String(),
-		CPUSetMems:    findFlagFunc("cpuset-mems").Value.String(),
-		CPUShares:     cpuShares,
-		CgroupParent:  findFlagFunc("cgroup-parent").Value.String(),
-		DNSOptions:    dnsOptions,
-		DNSSearch:     dnsSearch,
-		DNSServers:    dnsServers,
-		HTTPProxy:     httpProxy,
-		IdentityLabel: types.NewOptionalBool(identityLabel),
-		Memory:        memoryLimit,
-		MemorySwap:    memorySwap,
-		NoHostname:    noHostname,
-		NoHosts:       noHosts,
-		OmitHistory:   omitHistory,
-		ShmSize:       findFlagFunc("shm-size").Value.String(),
-		Ulimit:        ulimit,
-		Volumes:       volumes,
-		Secrets:       secrets,
-		SSHSources:    sshsources,
-		OCIHooksDir:   ociHooks,
+		AddHost:         addHost,
+		CPUPeriod:       cpuPeriod,
+		CPUQuota:        cpuQuota,
+		CPUSetCPUs:      findFlagFunc("cpuset-cpus").Value.String(),
+		CPUSetMems:      findFlagFunc("cpuset-mems").Value.String(),
+		CPUShares:       cpuShares,
+		CgroupParent:    findFlagFunc("cgroup-parent").Value.String(),
+		DNSOptions:      dnsOptions,
+		DNSSearch:       dnsSearch,
+		DNSServers:      dnsServers,
+		HTTPProxy:       httpProxy,
+		IdentityLabel:   types.NewOptionalBool(identityLabel),
+		Memory:          memoryLimit,
+		MemorySwap:      memorySwap,
+		NoHostname:      noHostname,
+		NoHosts:         noHosts,
+		OmitHistory:     omitHistory,
+		ShmSize:         findFlagFunc("shm-size").Value.String(),
+		Ulimit:          ulimit,
+		Volumes:         volumes,
+		Secrets:         secrets,
+		SSHSources:      sshsources,
+		WithSSLCertFile: withSSLCertFile,
+		OCIHooksDir:     ociHooks,
 	}
 	securityOpts, _ := flags.GetStringArray("security-opt")
 	if err := parseSecurityOpts(securityOpts, commonOpts); err != nil {

run_common.go

@@ -326,6 +326,10 @@ func (b *Builder) configureEnvironment(g *generate.Generator, options RunOptions
 		}
 	}
 
+	if b.CommonBuildOpts.WithSSLCertFile {
+		g.AddProcessEnv("SSL_CERT_FILE", "/host-ssl-cert-file")
+	}
+
 	for _, envSpec := range util.MergeEnv(util.MergeEnv(defaultEnv, b.Env()), options.Env) {
 		env := strings.SplitN(envSpec, "=", 2)
 		if len(env) > 1 {

run_linux.go

@@ -503,6 +503,14 @@ rootless=%d
 		bindFiles["/run/.containerenv"] = containerenvPath
 	}
 
+	if b.CommonBuildOpts.WithSSLCertFile {
+		resolvedSSLCertPath, err := util.ResolveRootCACertFile()
+		if err != nil {
+			return err
+		}
+		bindFiles["/host-ssl-cert-file"] = resolvedSSLCertPath
+	}
+
 	// Setup OCI hooks
 	_, err = b.setupOCIHooks(spec, (len(options.Mounts) > 0 || len(volumes) > 0))
 	if err != nil {

tests/bud.bats

@@ -7383,3 +7383,19 @@ EOF
   find ${TEST_SCRATCH_DIR}/buildcontext -ls
   expect_output "" "build should not be able to write to build context"
 }
+
+@test "build-with-ssl-cert-file" {
+  echo "foofoofoofoo" > "${TEST_SCRATCH_DIR}/foocafile"
+  echo "barbarbarbar" > "${TEST_SCRATCH_DIR}/barcafile"
+
+  # use foocafile, and ensure that "foo" is output
+  SSL_CERT_FILE="${TEST_SCRATCH_DIR}/foocafile" run_buildah build -f <(echo 'FROM alpine'; echo 'RUN cat "${SSL_CERT_FILE}"') --tag="oci:${TEST_SCRATCH_DIR}/foodir" --timestamp 0 --with-ssl-cert-file
+  expect_output --substring "foofoofoofoo"
+
+  # use barcafile, and ensure that "bar" is output
+  SSL_CERT_FILE="${TEST_SCRATCH_DIR}/barcafile" run_buildah build -f <(echo 'FROM alpine'; echo 'RUN cat "${SSL_CERT_FILE}"') --tag="oci:${TEST_SCRATCH_DIR}/bardir" --timestamp 0 --with-ssl-cert-file
+  expect_output --substring "barbarbarbar"
+
+  # however regardless the produced images from both above should be identical as this is not persisted to image
+  diff -r "${TEST_SCRATCH_DIR}/foodir" "${TEST_SCRATCH_DIR}/bardir"
+}

util/x509.go

@@ -0,0 +1,23 @@
+package util
+
+import (
+	"errors"
+	"fmt"
+	"os"
+)
+
+func ResolveRootCACertFile() (string, error) {
+	if rv, ok := os.LookupEnv("SSL_CERT_FILE"); ok {
+		return rv, nil
+	}
+	for _, potFile := range certFiles {
+		if _, err := os.Stat(potFile); err != nil {
+			if os.IsNotExist(err) {
+				continue
+			}
+			return "", fmt.Errorf("unexpected error resolving cert file: %w", err)
+		}
+		return potFile, nil
+	}
+	return "", errors.New("please set SSL_CERT_FILE to use --ssl-cert-file option")
+}

util/x509_test.go

@@ -0,0 +1,16 @@
+package util
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestResolveRootCACertFileWitEnvSet(t *testing.T) {
+	t.Setenv("SSL_CERT_FILE", "/path/to/file")
+
+	path, err := ResolveRootCACertFile()
+	assert.Nil(t, err)
+
+	assert.Equal(t, "/path/to/file", path)
+}

util/x509_unix.go

@@ -0,0 +1,45 @@
+//go:build !windows
+
+package util
+
+// Source: https://cs.opensource.google/go/go/+/refs/tags/go1.24.1:src/crypto/x509/root_linux.go
+
+/*
+	Copyright 2009 The Go Authors.
+
+	Redistribution and use in source and binary forms, with or without
+	modification, are permitted provided that the following conditions are
+	met:
+
+	* Redistributions of source code must retain the above copyright
+	notice, this list of conditions and the following disclaimer.
+	* Redistributions in binary form must reproduce the above
+	copyright notice, this list of conditions and the following disclaimer
+	in the documentation and/or other materials provided with the
+	distribution.
+	* Neither the name of Google LLC nor the names of its
+	contributors may be used to endorse or promote products derived from
+	this software without specific prior written permission.
+
+	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+	"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+	LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+	A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+	OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+	SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+	LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+	DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+	THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+	(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+	OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+// Possible certificate files; stop after finding one.
+var certFiles = []string{
+	"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
+	"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
+	"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
+	"/etc/pki/tls/cacert.pem",                           // OpenELEC
+	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
+	"/etc/ssl/cert.pem",                                 // Alpine Linux
+}

util/x509_unix_test.go

@@ -0,0 +1,26 @@
+//go:build !windows
+
+package util
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestResolveRootCACertFileWithNoEnvSetUnix(t *testing.T) {
+	// calling t.SetEnv has the side-effect of restoring it to the previous
+	// value after the test (or leaving it unset).
+	// We call this before unsetting it so that we benefit from that cleanup
+	t.Setenv("SSL_CERT_FILE", "bogusval")
+
+	// now unset it (t.Unsetenv doesn't exist or we'd use that.)
+	assert.Nil(t, os.Unsetenv("SSL_CERT_FILE"))
+	path, err := ResolveRootCACertFile()
+	assert.Nil(t, err)
+
+	// if our test env doesn't have any of the default locations set,
+	// then we need to fix our lists
+	assert.NotEmpty(t, path)
+}

util/x509_windows.go

@@ -0,0 +1,4 @@
+package util
+
+// not implemented
+var certFiles []string