Merge pull request #5443 from nalind/cdi

Add support for passing CDI specs to --device

buildah.go

@@ -91,7 +91,7 @@ type Builder struct {
 	// Logger is the logrus logger to write log messages with
 	Logger *logrus.Logger `json:"-"`
 
-	// Args define variables that users can pass at build-time to the builder
+	// Args define variables that users can pass at build-time to the builder.
 	Args map[string]string
 	// Type is used to help identify a build container's metadata.  It
 	// should not be modified.
@@ -118,7 +118,7 @@ type Builder struct {
 	// MountPoint is the last location where the container's root
 	// filesystem was mounted.  It should not be modified.
 	MountPoint string `json:"mountpoint,omitempty"`
-	// ProcessLabel is the SELinux process label associated with the container
+	// ProcessLabel is the SELinux process label to use during subsequent Run() calls.
 	ProcessLabel string `json:"process-label,omitempty"`
 	// MountLabel is the SELinux mount label associated with the container
 	MountLabel string `json:"mount-label,omitempty"`
@@ -139,7 +139,7 @@ type Builder struct {
 
 	// Isolation controls how we handle "RUN" statements and the Run() method.
 	Isolation define.Isolation
-	// NamespaceOptions controls how we set up the namespaces for processes that we run in the container.
+	// NamespaceOptions controls how we set up the namespaces for processes that we Run().
 	NamespaceOptions define.NamespaceOptions
 	// ConfigureNetwork controls whether or not network interfaces and
 	// routing are configured for a new network namespace (i.e., when not
@@ -157,11 +157,11 @@ type Builder struct {
 	// NetworkInterface is the libnetwork network interface used to setup CNI or netavark networks.
 	NetworkInterface nettypes.ContainerNetwork `json:"-"`
 
-	// GroupAdd is a list of groups to add to the primary process within
-	// the container. 'keep-groups' allows container processes to use
-	// supplementary groups.
+	// GroupAdd is a list of groups to add to the primary process when Run() is
+	// called. The magic 'keep-groups' value indicates that the process should
+	// be allowed to inherit the current set of supplementary groups.
 	GroupAdd []string
-	// ID mapping options to use when running processes in the container with non-host user namespaces.
+	// ID mapping options to use when running processes with non-host user namespaces.
 	IDMappingOptions define.IDMappingOptions
 	// Capabilities is a list of capabilities to use when running commands in the container.
 	Capabilities []string
@@ -177,14 +177,20 @@ type Builder struct {
 	CommonBuildOpts     *define.CommonBuildOptions
 	// TopLayer is the top layer of the image
 	TopLayer string
-	// Format for the build Image
+	// Format to use for a container image we eventually commit, when we do.
 	Format string
-	// TempVolumes are temporary mount points created during container runs
+	// TempVolumes are temporary mount points created during Run() calls.
 	TempVolumes map[string]bool
-	// ContentDigester counts the digest of all Add()ed content
+	// ContentDigester counts the digest of all Add()ed content since it was
+	// last restarted.
 	ContentDigester CompositeDigester
-	// Devices are the additional devices to add to the containers
+	// Devices are parsed additional devices to provide to Run() calls.
 	Devices define.ContainerDevices
+	// DeviceSpecs are unparsed additional devices to provide to Run() calls.
+	DeviceSpecs []string
+	// CDIConfigDir is the location of CDI configuration files, if the files in
+	// the default configuration locations shouldn't be used.
+	CDIConfigDir string
 }
 
 // BuilderInfo are used as objects to display container information
@@ -215,6 +221,8 @@ type BuilderInfo struct {
 	IDMappingOptions      define.IDMappingOptions
 	History               []v1.History
 	Devices               define.ContainerDevices
+	DeviceSpecs           []string
+	CDIConfigDir          string
 }
 
 // GetBuildInfo gets a pointer to a Builder object and returns a BuilderInfo object from it.
@@ -251,6 +259,8 @@ func GetBuildInfo(b *Builder) BuilderInfo {
 		Capabilities:          b.Capabilities,
 		History:               history,
 		Devices:               b.Devices,
+		DeviceSpecs:           b.DeviceSpecs,
+		CDIConfigDir:          b.CDIConfigDir,
 	}
 }
 
@@ -328,13 +338,15 @@ type BuilderOptions struct {
 	// ID mapping options to use if we're setting up our own user namespace.
 	IDMappingOptions *define.IDMappingOptions
 	// Capabilities is a list of capabilities to use when
-	// running commands in the container.
+	// running commands for Run().
 	Capabilities    []string
 	CommonBuildOpts *define.CommonBuildOptions
-	// Format for the container image
+	// Format to use for a container image we eventually commit, when we do.
 	Format string
-	// Devices are the additional devices to add to the containers
+	// Devices are additional parsed devices to provide for Run() calls.
 	Devices define.ContainerDevices
+	// DeviceSpecs are additional unparsed devices to provide for Run() calls.
+	DeviceSpecs []string
 	// DefaultEnv is deprecated and ignored.
 	DefaultEnv []string
 	// MaxPullRetries is the maximum number of attempts we'll make to pull
@@ -345,16 +357,19 @@ type BuilderOptions struct {
 	// OciDecryptConfig contains the config that can be used to decrypt an image if it is
 	// encrypted if non-nil. If nil, it does not attempt to decrypt an image.
 	OciDecryptConfig *encconfig.DecryptConfig
-	// ProcessLabel is the SELinux process label associated with the container
+	// ProcessLabel is the SELinux process label associated with commands we Run()
 	ProcessLabel string
-	// MountLabel is the SELinux mount label associated with the container
+	// MountLabel is the SELinux mount label associated with the working container
 	MountLabel string
 	// PreserveBaseImageAnns indicates that we should preserve base
 	// image information (Annotations) that are present in our base image,
 	// rather than overwriting them with information about the base image
 	// itself. Useful as an internal implementation detail of multistage
 	// builds, and does not need to be set by most callers.
 	PreserveBaseImageAnns bool
+	// CDIConfigDir is the location of CDI configuration files, if the files in
+	// the default configuration locations shouldn't be used.
+	CDIConfigDir string
 }
 
 // ImportOptions are used to initialize a Builder from an existing container

cmd/buildah/from.go

@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"github.com/containers/buildah"
-	"github.com/containers/buildah/define"
 	"github.com/containers/buildah/pkg/cli"
 	"github.com/containers/buildah/pkg/parse"
 	"github.com/containers/common/pkg/auth"
@@ -248,14 +247,6 @@ func fromCmd(c *cobra.Command, args []string, iopts fromReply) error {
 	if err != nil {
 		return err
 	}
-	devices := define.ContainerDevices{}
-	for _, device := range append(defaultContainerConfig.Containers.Devices.Get(), iopts.Devices...) {
-		dev, err := parse.DeviceFromPath(device)
-		if err != nil {
-			return err
-		}
-		devices = append(devices, dev...)
-	}
 
 	capabilities, err := defaultContainerConfig.Capabilities("", iopts.CapAdd, iopts.CapDrop)
 	if err != nil {
@@ -288,9 +279,10 @@ func fromCmd(c *cobra.Command, args []string, iopts fromReply) error {
 		CommonBuildOpts:       commonOpts,
 		Format:                format,
 		BlobDirectory:         iopts.BlobCache,
-		Devices:               devices,
+		DeviceSpecs:           iopts.Devices,
 		MaxPullRetries:        iopts.Retry,
 		OciDecryptConfig:      decConfig,
+		CDIConfigDir:          iopts.CDIConfigDir,
 	}
 
 	if iopts.RetryDelay != "" {

cmd/buildah/run.go

@@ -17,22 +17,24 @@ import (
 )
 
 type runInputOptions struct {
-	addHistory  bool
-	capAdd      []string
-	capDrop     []string
-	contextDir  string
-	env         []string
-	hostname    string
-	isolation   string
-	mounts      []string
-	runtime     string
-	runtimeFlag []string
-	noHostname  bool
-	noHosts     bool
-	noPivot     bool
-	terminal    bool
-	volumes     []string
-	workingDir  string
+	addHistory   bool
+	capAdd       []string
+	capDrop      []string
+	cdiConfigDir string
+	contextDir   string
+	devices      []string
+	env          []string
+	hostname     string
+	isolation    string
+	mounts       []string
+	runtime      string
+	runtimeFlag  []string
+	noHostname   bool
+	noHosts      bool
+	noPivot      bool
+	terminal     bool
+	volumes      []string
+	workingDir   string
 	*buildahcli.NameSpaceResults
 }
 
@@ -64,7 +66,10 @@ func init() {
 	flags.BoolVar(&opts.addHistory, "add-history", false, "add an entry for this operation to the image's history.  Use BUILDAH_HISTORY environment variable to override. (default false)")
 	flags.StringSliceVar(&opts.capAdd, "cap-add", []string{}, "add the specified capability (default [])")
 	flags.StringSliceVar(&opts.capDrop, "cap-drop", []string{}, "drop the specified capability (default [])")
+	flags.StringVar(&opts.cdiConfigDir, "cdi-config-dir", "", "`directory` of CDI configuration files")
+	_ = flags.MarkHidden("cdi-config-dir")
 	flags.StringVar(&opts.contextDir, "contextdir", "", "context directory path")
+	flags.StringArrayVar(&opts.devices, "device", []string{}, "additional devices to provide")
 	flags.StringArrayVarP(&opts.env, "env", "e", []string{}, "add environment variable to be set temporarily when running command (default [])")
 	flags.StringVar(&opts.hostname, "hostname", "", "set the hostname inside of the container")
 	flags.StringVar(&opts.isolation, "isolation", "", "`type` of process isolation to use. Use BUILDAH_ISOLATION environment variable to override.")
@@ -156,6 +161,8 @@ func runCmd(c *cobra.Command, args []string, iopts runInputOptions) error {
 		AddCapabilities:  iopts.capAdd,
 		DropCapabilities: iopts.capDrop,
 		WorkingDir:       iopts.workingDir,
+		DeviceSpecs:      iopts.devices,
+		CDIConfigDir:     iopts.cdiConfigDir,
 	}
 
 	if c.Flag("terminal").Changed {

define/build.go

@@ -59,7 +59,7 @@ type CommonBuildOptions struct {
 	DNSServers []string
 	// DNSOptions is the list of DNS
 	DNSOptions []string
-	// LabelOpts is the a slice of fields of an SELinux context, given in "field:pair" format, or "disable".
+	// LabelOpts is a slice of the fields of an SELinux context, given in "field:pair" format, or "disable".
 	// Recognized field names are "role", "type", and "level".
 	LabelOpts []string
 	// MemorySwap limits the amount of memory and swap together.
@@ -140,7 +140,8 @@ type BuildOptions struct {
 	Runtime string
 	// RuntimeArgs adds global arguments for the runtime.
 	RuntimeArgs []string
-	// TransientMounts is a list of mounts that won't be kept in the image.
+	// TransientMounts is a list of unparsed mounts that will be provided to
+	// RUN instructions.
 	TransientMounts []string
 	// CacheFrom specifies any remote repository which can be treated as
 	// potential cache source.
@@ -242,22 +243,24 @@ type BuildOptions struct {
 	CommonBuildOpts *CommonBuildOptions
 	// CPPFlags are additional arguments to pass to the C Preprocessor (cpp).
 	CPPFlags []string
-	// DefaultMountsFilePath is the file path holding the mounts to be mounted in "host-path:container-path" format
+	// DefaultMountsFilePath is the file path holding the mounts to be mounted for RUN
+	// instructions in "host-path:container-path" format
 	DefaultMountsFilePath string
 	// IIDFile tells the builder to write the image ID to the specified file
 	IIDFile string
-	// Squash tells the builder to produce an image with a single layer
-	// instead of with possibly more than one layer.
+	// Squash tells the builder to produce an image with a single layer instead of with
+	// possibly more than one layer, by only committing a new layer after processing the
+	// final instruction.
 	Squash bool
-	// Labels metadata for an image
+	// Labels to set in a committed image.
 	Labels []string
 	// LayerLabels metadata for an intermediate image
 	LayerLabels []string
-	// Annotation metadata for an image
+	// Annotations to set in a committed image, in OCI format.
 	Annotations []string
-	// OnBuild commands to be run by images based on this image
+	// OnBuild commands to be run by builds that use the image we'll commit as a base image.
 	OnBuild []string
-	// Layers tells the builder to create a cache of images for each step in the Dockerfile
+	// Layers tells the builder to commit an image for each step in the Dockerfile.
 	Layers bool
 	// NoCache tells the builder to build the image from scratch without checking for a cache.
 	// It creates a new set of cached images for the build.
@@ -272,7 +275,7 @@ type BuildOptions struct {
 	BlobDirectory string
 	// Target the targeted FROM in the Dockerfile to build.
 	Target string
-	// Devices are the additional devices to add to the containers.
+	// Devices are unparsed devices to provide to RUN instructions.
 	Devices []string
 	// SignBy is the fingerprint of a GPG key to use for signing images.
 	SignBy string
@@ -298,18 +301,18 @@ type BuildOptions struct {
 	JobSemaphore *semaphore.Weighted
 	// LogRusage logs resource usage for each step.
 	LogRusage bool
-	// File to which the Rusage logs will be saved to instead of stdout
+	// File to which the Rusage logs will be saved to instead of stdout.
 	RusageLogFile string
 	// Excludes is a list of excludes to be used instead of the .dockerignore file.
 	Excludes []string
 	// IgnoreFile is a name of the .containerignore file
 	IgnoreFile string
 	// From is the image name to use to replace the value specified in the first
-	// FROM instruction in the Containerfile
+	// FROM instruction in the Containerfile.
 	From string
-	// GroupAdd is a list of groups to add to the primary process within
-	// the container. 'keep-groups' allows container processes to use
-	// supplementary groups.
+	// GroupAdd is a list of groups to add to the primary process when handling RUN
+	// instructions. The magic 'keep-groups' value indicates that the process should
+	// be allowed to inherit the current set of supplementary groups.
 	GroupAdd []string
 	// Platforms is the list of parsed OS/Arch/Variant triples that we want
 	// to build the image for.  If this slice has items in it, the OS and
@@ -336,4 +339,7 @@ type BuildOptions struct {
 	// SBOMScanOptions encapsulates options which control whether or not we
 	// run scanners on the rootfs that we're about to commit, and how.
 	SBOMScanOptions []SBOMScanOptions
+	// CDIConfigDir is the location of CDI configuration files, if the files in
+	// the default configuration locations shouldn't be used.
+	CDIConfigDir string
 }

docs/buildah-build.1.md

@@ -350,15 +350,19 @@ The [key[:passphrase]] to be used for decryption of images. Key can point to key
 
 **--device**=*device*
 
-Add a host device to the container. Optional *permissions* parameter
-can be used to specify device permissions, it is combination of
+Add a host device, or devices under a directory, to the environment of any
+**RUN** instructions run during the build.  The optional *permissions*
+parameter can be used to specify device permissions, using any one or more of
 **r** for read, **w** for write, and **m** for **mknod**(2).
 
 Example: **--device=/dev/sdc:/dev/xvdc:rwm**.
 
-Note: if _host_device_ is a symbolic link then it will be resolved first.
+Note: if _host-device_ is a symbolic link then it will be resolved first.
 The container will only store the major and minor numbers of the host device.
 
+The device to share can also be specified using a Container Device Interface
+(CDI) specification (https://github.com/cncf-tags/container-device-interface).
+
 Note: if the user only has access rights via a group, accessing the device
 from inside a rootless container will fail. The **crun**(1) runtime offers a
 workaround for this by adding the option **--annotation run.oci.keep_original_groups=1**.
@@ -913,18 +917,18 @@ Note: Changing the contents of secret files will not trigger a rebuild of layers
 
 Security Options
 
-  "apparmor=unconfined" : Turn off apparmor confinement for the container
+  "apparmor=unconfined"   : Turn off apparmor confinement for the container
   "apparmor=your-profile" : Set the apparmor confinement profile for the container
 
-  "label=user:USER"   : Set the label user for the container
-  "label=role:ROLE"   : Set the label role for the container
-  "label=type:TYPE"   : Set the label type for the container
-  "label=level:LEVEL" : Set the label level for the container
-  "label=disable"     : Turn off label confinement for the container
-  "no-new-privileges" : Disable container processes from gaining additional privileges
+  "label=user:USER"       : Set the label user for the container
+  "label=role:ROLE"       : Set the label role for the container
+  "label=type:TYPE"       : Set the label type for the container
+  "label=level:LEVEL"     : Set the label level for the container
+  "label=disable"         : Turn off label confinement for the container
+  "no-new-privileges"     : Disable container processes from gaining additional privileges
 
-  "seccomp=unconfined" : Turn off seccomp confinement for the container
-  "seccomp=profile.json :  White listed syscalls seccomp Json file to be used as a seccomp filter
+  "seccomp=unconfined"    : Turn off seccomp confinement for the container
+  "seccomp=profile.json   : JSON configuration for a seccomp filter
 
 **--shm-size**=""
 

docs/buildah-from.1.md

@@ -177,7 +177,23 @@ The [key[:passphrase]] to be used for decryption of images. Key can point to key
 
 **--device**=*device*
 
-Add a host device or devices under a directory to the container. The format is `<device-on-host>[:<device-on-container>][:<permissions>]` (e.g. --device=/dev/sdc:/dev/xvdc:rwm)
+Add a host device, or devices under a directory, to the environment of
+subsequent **buildah run** invocations for the new working container.  The
+optional *permissions* parameter can be used to specify device permissions,
+using any one or more of **r** for read, **w** for write, and **m** for
+**mknod**(2).
+
+Example: **--device=/dev/sdc:/dev/xvdc:rwm**.
+
+Note: if _host-device_ is a symbolic link then it will be resolved first.
+The container will only store the major and minor numbers of the host device.
+
+The device to share can also be specified using a Container Device Interface
+(CDI) specification (https://github.com/cncf-tags/container-device-interface).
+
+Note: if the user only has access rights via a group, accessing the device
+from inside a rootless container will fail. The **crun**(1) runtime offers a
+workaround for this by adding the option **--annotation run.oci.keep_original_groups=1**.
 
 **--dns**=[]