Merge pull request #9947 from smarterclayton/override_repo

Merged by openshift-bot

Author: OpenShift Bot

Makefile

@@ -13,7 +13,12 @@ OS_OUTPUT_GOPATH ?= 1
 
 export GOFLAGS
 export TESTFLAGS
+# If set to 1, create an isolated GOPATH inside _output using symlinks to avoid
+# other packages being accidentally included. Defaults to on.
 export OS_OUTPUT_GOPATH
+# May be used to set additional arguments passed to the image build commands for
+# mounting secrets specific to a build environment.
+export OS_BUILD_IMAGE_ARGS
 
 # Build code.
 #

contrib/completions/bash/oc

@@ -10624,6 +10624,7 @@ _oc_ex_dockerbuild()
     flags+=("--dockerfile=")
     flags_with_completion+=("--dockerfile")
     flags_completion+=("_filedir")
+    flags+=("--mount=")
     flags+=("--api-version=")
     flags+=("--as=")
     flags+=("--certificate-authority=")

contrib/completions/bash/openshift

@@ -14957,6 +14957,7 @@ _openshift_cli_ex_dockerbuild()
     flags+=("--dockerfile=")
     flags_with_completion+=("--dockerfile")
     flags_completion+=("_filedir")
+    flags+=("--mount=")
     flags+=("--api-version=")
     flags+=("--as=")
     flags+=("--certificate-authority=")

contrib/completions/zsh/oc

@@ -10785,6 +10785,7 @@ _oc_ex_dockerbuild()
     flags+=("--dockerfile=")
     flags_with_completion+=("--dockerfile")
     flags_completion+=("_filedir")
+    flags+=("--mount=")
     flags+=("--api-version=")
     flags+=("--as=")
     flags+=("--certificate-authority=")

contrib/completions/zsh/openshift

@@ -15118,6 +15118,7 @@ _openshift_cli_ex_dockerbuild()
     flags+=("--dockerfile=")
     flags_with_completion+=("--dockerfile")
     flags_completion+=("_filedir")
+    flags+=("--mount=")
     flags+=("--api-version=")
     flags+=("--as=")
     flags+=("--certificate-authority=")

docs/generated/oc_by_example_content.adoc

@@ -1348,6 +1348,9 @@ Perform a direct Docker build
 ----
   # Build the current directory into a single layer and tag
   oc ex dockerbuild . myimage:latest
+
+  # Mount a client secret into the build at a certain path
+  oc ex dockerbuild . myimage:latest --mount ~/mysecret.pem:/etc/pki/secret/mysecret.pem
 ----
 ====
 

docs/man/man1/oc-ex-dockerbuild.1

@@ -17,7 +17,12 @@ Build a Dockerfile into a single layer
 
 .PP
 Builds the provided directory with a Dockerfile into a single layered image.
-Requires that you have a working connection to a Docker engine.
+Requires that you have a working connection to a Docker engine. You may mount
+secrets or config into the build with the \-\-mount flag \- these files will not
+be included in the final image.
+
+.PP
+Experimental: This command is under active development and may change without notice.
 
 
 .SH OPTIONS
@@ -29,6 +34,10 @@ Requires that you have a working connection to a Docker engine.
 \fB\-\-dockerfile\fP=""
     An optional path to a Dockerfile to use.
 
+.PP
+\fB\-\-mount\fP=[]
+    An optional list of files and directories to mount during the build. Use SRC:DST syntax for each path.
+
 
 .SH OPTIONS INHERITED FROM PARENT COMMANDS
 .PP
@@ -104,6 +113,9 @@ Requires that you have a working connection to a Docker engine.
   # Build the current directory into a single layer and tag
   oc ex dockerbuild . myimage:latest
 
+  # Mount a client secret into the build at a certain path
+  oc ex dockerbuild . myimage:latest \-\-mount \~/mysecret.pem:/etc/pki/secret/mysecret.pem
+
 .fi
 .RE
 

docs/man/man1/openshift-cli-ex-dockerbuild.1

@@ -17,7 +17,12 @@ Build a Dockerfile into a single layer
 
 .PP
 Builds the provided directory with a Dockerfile into a single layered image.
-Requires that you have a working connection to a Docker engine.
+Requires that you have a working connection to a Docker engine. You may mount
+secrets or config into the build with the \-\-mount flag \- these files will not
+be included in the final image.
+
+.PP
+Experimental: This command is under active development and may change without notice.
 
 
 .SH OPTIONS
@@ -29,6 +34,10 @@ Requires that you have a working connection to a Docker engine.
 \fB\-\-dockerfile\fP=""
     An optional path to a Dockerfile to use.
 
+.PP
+\fB\-\-mount\fP=[]
+    An optional list of files and directories to mount during the build. Use SRC:DST syntax for each path.
+
 
 .SH OPTIONS INHERITED FROM PARENT COMMANDS
 .PP
@@ -104,6 +113,9 @@ Requires that you have a working connection to a Docker engine.
   # Build the current directory into a single layer and tag
   openshift cli ex dockerbuild . myimage:latest
 
+  # Mount a client secret into the build at a certain path
+  openshift cli ex dockerbuild . myimage:latest \-\-mount \~/mysecret.pem:/etc/pki/secret/mysecret.pem
+
 .fi
 .RE
 

hack/build-base-images.sh

@@ -24,7 +24,7 @@ if [[ -z "${oc}" ]]; then
 fi
 
 function build() {
-  "${oc}" ex dockerbuild $2 $1
+  eval "'${oc}' ex dockerbuild $2 $1 ${OS_BUILD_IMAGE_ARGS:-}"
 }
 
 # Build the images

hack/build-images.sh

@@ -61,7 +61,7 @@ if [[ -z "${oc}" ]]; then
 fi
 
 function build() {
-  "${oc}" ex dockerbuild $2 $1
+  eval "'${oc}' ex dockerbuild $2 $1 ${OS_BUILD_IMAGE_ARGS:-}"
 }
 
 # Create link to file if the FS supports hardlinks, otherwise copy the file

images/base/Dockerfile

@@ -1,17 +1,11 @@
 #
 # This is the base image from which all OpenShift Origin images inherit. Only packages
-# common to all downstream images should be here. Depends on Centos 7.2+
+# common to all downstream images should be here. Depends on Centos 7.2+.
 #
 # The standard name for this image is openshift/origin-base
 #
 FROM centos:centos7
 
-# Until nss-3.21.0-9.el7_2 and openssl-libs-1.0.1e-51.el7_2.5.x86_64 is
-# released in the base image we need to manually update this to workaround an
-# issue where some of the mirrors are using a certificate
-RUN yum update -y nss openssl-libs && \
-    yum clean all
-
 RUN INSTALL_PKGS="which git tar wget hostname sysvinit-tools util-linux bsdtar epel-release \
       socat ethtool device-mapper iptables tree findutils nmap-ncat e2fsprogs xfsprogs lsof" && \
     yum install -y $INSTALL_PKGS && \

images/openvswitch/Dockerfile

@@ -3,7 +3,7 @@
 #
 # The standard name for this image is openshift/openvswitch
 #
-FROM centos:centos7
+FROM openshift/origin-base
 
 COPY scripts/* /usr/local/bin/
 

pkg/cmd/cli/cmd/dockerbuild/dockerbuild.go

@@ -25,10 +25,17 @@ const (
 Build a Dockerfile into a single layer
 
 Builds the provided directory with a Dockerfile into a single layered image.
-Requires that you have a working connection to a Docker engine.`
+Requires that you have a working connection to a Docker engine. You may mount
+secrets or config into the build with the --mount flag - these files will not
+be included in the final image.
+
+Experimental: This command is under active development and may change without notice.`
 
 	dockerbuildExample = `  # Build the current directory into a single layer and tag
-  %[1]s ex dockerbuild . myimage:latest`
+  %[1]s ex dockerbuild . myimage:latest
+
+  # Mount a client secret into the build at a certain path
+  %[1]s ex dockerbuild . myimage:latest --mount ~/mysecret.pem:/etc/pki/secret/mysecret.pem`
 )
 
 type DockerbuildOptions struct {
@@ -37,6 +44,9 @@ type DockerbuildOptions struct {
 
 	Client *docker.Client
 
+	MountSpecs []string
+
+	Mounts         []builder.Mount
 	Directory      string
 	Tag            string
 	DockerfilePath string
@@ -68,6 +78,7 @@ func NewCmdDockerbuild(fullName string, f *clientcmd.Factory, out, errOut io.Wri
 		},
 	}
 
+	cmd.Flags().StringSliceVar(&options.MountSpecs, "mount", options.MountSpecs, "An optional list of files and directories to mount during the build. Use SRC:DST syntax for each path.")
 	cmd.Flags().StringVar(&options.DockerfilePath, "dockerfile", options.DockerfilePath, "An optional path to a Dockerfile to use.")
 	cmd.Flags().BoolVar(&options.AllowPull, "allow-pull", true, "Pull the images that are not present.")
 	cmd.MarkFlagFilename("dockerfile")
@@ -89,6 +100,17 @@ func (o *DockerbuildOptions) Complete(f *clientcmd.Factory, cmd *cobra.Command,
 	if len(o.DockerfilePath) == 0 {
 		o.DockerfilePath = filepath.Join(o.Directory, "Dockerfile")
 	}
+
+	var mounts []builder.Mount
+	for _, s := range o.MountSpecs {
+		segments := strings.Split(s, ":")
+		if len(segments) != 2 {
+			return kcmdutil.UsageError(cmd, "--mount must be of the form SOURCE:DEST")
+		}
+		mounts = append(mounts, builder.Mount{SourcePath: segments[0], DestinationPath: segments[1]})
+	}
+	o.Mounts = mounts
+
 	client, err := docker.NewClientFromEnv()
 	if err != nil {
 		return err
@@ -114,6 +136,7 @@ func (o *DockerbuildOptions) Run() error {
 	e.Out, e.ErrOut = o.Out, o.Err
 	e.AllowPull = o.AllowPull
 	e.Directory = o.Directory
+	e.TransientMounts = o.Mounts
 	e.Tag = o.Tag
 	e.AuthFn = o.Keyring.Lookup
 	e.LogFn = func(format string, args ...interface{}) {

pkg/util/docker/dockerfile/builder/client.go

@@ -8,7 +8,9 @@ import (
 	"io"
 	"os"
 	"path"
+	"path/filepath"
 	"runtime"
+	"strconv"
 	"strings"
 
 	"k8s.io/kubernetes/pkg/credentialprovider"
@@ -22,6 +24,12 @@ import (
 	"github.com/openshift/origin/pkg/util/docker/dockerfile/builder/imageprogress"
 )
 
+// Mount represents a binding between the current system and the destination client
+type Mount struct {
+	SourcePath      string
+	DestinationPath string
+}
+
 // ClientExecutor can run Docker builds from a Docker client.
 type ClientExecutor struct {
 	// Client is a client to a Docker daemon.
@@ -38,6 +46,11 @@ type ClientExecutor struct {
 	// AllowPull when set will pull images that are not present on
 	// the daemon.
 	AllowPull bool
+	// TransientMounts are a set of mounts from outside the build
+	// to the inside that will not be part of the final image. Any
+	// content created inside the mount's destinationPath will be
+	// omitted from the final image.
+	TransientMounts []Mount
 
 	Out, ErrOut io.Writer
 
@@ -125,6 +138,8 @@ func (e *ClientExecutor) Build(r io.Reader, args map[string]string) error {
 	e.LogFn("FROM %s", from)
 	glog.V(4).Infof("step: FROM %s", from)
 
+	var sharedMount string
+
 	// create a container to execute in, if necessary
 	mustStart := b.RequiresStart(node)
 	if e.Container == nil {
@@ -134,6 +149,23 @@ func (e *ClientExecutor) Build(r io.Reader, args map[string]string) error {
 			},
 		}
 		if mustStart {
+			// Transient mounts only make sense on images that will be running processes
+			if len(e.TransientMounts) > 0 {
+				volumeName, err := randSeq(imageSafeCharacters, 24)
+				if err != nil {
+					return err
+				}
+				v, err := e.Client.CreateVolume(docker.CreateVolumeOptions{Name: volumeName})
+				if err != nil {
+					return err
+				}
+				defer e.cleanupVolume(volumeName)
+				sharedMount = v.Mountpoint
+				opts.HostConfig = &docker.HostConfig{
+					Binds: []string{sharedMount + ":/tmp/__temporarymount"},
+				}
+			}
+
 			// TODO: windows support
 			if len(e.Command) > 0 {
 				opts.Config.Cmd = e.Command
@@ -157,9 +189,40 @@ func (e *ClientExecutor) Build(r io.Reader, args map[string]string) error {
 		defer e.Cleanup()
 	}
 
+	// copy any source content into the temporary mount path
+	if mustStart && len(e.TransientMounts) > 0 {
+		var copies []Copy
+		for i, mount := range e.TransientMounts {
+			source := mount.SourcePath
+			copies = append(copies, Copy{
+				Src:  source,
+				Dest: []string{path.Join("/tmp/__temporarymount", strconv.Itoa(i))},
+			})
+		}
+		if err := e.Copy(copies...); err != nil {
+			return err
+		}
+	}
+
 	// TODO: lazy start
 	if mustStart && !e.Container.State.Running {
-		if err := e.Client.StartContainer(e.Container.ID, e.HostConfig); err != nil {
+		var hostConfig docker.HostConfig
+		if e.HostConfig != nil {
+			hostConfig = *e.HostConfig
+		}
+
+		// mount individual items temporarily
+		for i, mount := range e.TransientMounts {
+			if len(sharedMount) == 0 {
+				return fmt.Errorf("no mount point available for temporary mounts")
+			}
+			hostConfig.Binds = append(
+				hostConfig.Binds,
+				fmt.Sprintf("%s:%s:%s", path.Join(sharedMount, strconv.Itoa(i)), mount.DestinationPath, "ro"),
+			)
+		}
+
+		if err := e.Client.StartContainer(e.Container.ID, &hostConfig); err != nil {
 			return err
 		}
 		// TODO: is this racy? may have to loop wait in the actual run step
@@ -276,6 +339,11 @@ func randSeq(source string, n int) (string, error) {
 	return string(random), nil
 }
 
+// cleanupVolume attempts to remove the provided volume
+func (e *ClientExecutor) cleanupVolume(name string) error {
+	return e.Client.RemoveVolume(name)
+}
+
 // CleanupImage attempts to remove the provided image.
 func (e *ClientExecutor) CleanupImage(name string) error {
 	return e.Client.RemoveImage(name)
@@ -448,7 +516,15 @@ func (e *ClientExecutor) Archive(src, dst string, allowDecompression, allowDownl
 			closer = append(closer, func() error { return os.RemoveAll(base) })
 		}
 	} else {
-		base = e.Directory
+		if filepath.IsAbs(src) {
+			base = filepath.Dir(src)
+			src, err = filepath.Rel(base, src)
+			if err != nil {
+				return nil, nil, err
+			}
+		} else {
+			base = e.Directory
+		}
 		infos, err = CalcCopyInfo(src, base, allowDecompression, true)
 	}
 	if err != nil {