
Commit 72ffc75

author
Natalie Arellano
authored
Merge pull request #31 from buildpacks/fix/warn-container-daemon
Warn if NOT --pull-policy=always in container
2 parents 57c0368 + 456342b commit 72ffc75


4 files changed

+54
-7
lines changed


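--- a/go.mod
+++ b/go.mod
@@ -2,6 +2,7 @@ module github.com/buildpacks/pack
 
 require (
 github.com/BurntSushi/toml v1.3.2
+github.com/GoogleContainerTools/kaniko v1.22.0
 github.com/Masterminds/semver v1.5.0
 github.com/Microsoft/go-winio v0.6.2
 github.com/apex/log v1.9.0
@@ -108,7 +109,7 @@ require (
 github.com/mattn/go-isatty v0.0.20 // indirect
 github.com/mattn/go-runewidth v0.0.15 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
-github.com/mitchellh/mapstructure v1.4.1 // indirect
+github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/moby/buildkit v0.13.2 // indirect
 github.com/moby/docker-image-spec v1.3.1 // indirect
 github.com/moby/patternmatcher v0.6.0 // indirect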
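Review bot: The added `github.com/GoogleContainerTools/kaniko v1.22.0` requirement makes a full image-builder module a direct dependency, while the only use visible in this commit is the single `proc.GetContainerRuntime` call in pkg/client/build.go. Every direct requirement widens what has to be tracked for advisories and updates, and the same commit already moves `mapstructure`, `genproto/googleapis/api` and `gotest.tools/v3`, presumably to satisfy kaniko's own requirements. Consider whether the container check can come from a smaller package or a few lines of local code. If kaniko stays, a comment on the require line such as `// only pkg/util/proc, for container detection` would tell the next maintainer why it is there.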

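--- a/go.sum
+++ b/go.sum
@@ -31,6 +31,8 @@ github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUM
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/GoogleContainerTools/kaniko v1.22.0 h1:WIL8Wuc+lQW8sv1R+zOZsCy4lQtTzrVJ76K2VMkB++0=
+github.com/GoogleContainerTools/kaniko v1.22.0/go.mod h1:Kki7uX+HlskobmD7PRrGZvL0S9Aejf8kzfzoQUv68pQ=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
@@ -272,8 +274,8 @@ github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/ioprogress v0.0.0-20180201004757-6a23b12fa88e h1:Qa6dnn8DlasdXRnacluu8HzPts0S1I9zvvUPDbBnXFI=
 github.com/mitchellh/ioprogress v0.0.0-20180201004757-6a23b12fa88e/go.mod h1:waEya8ee1Ro/lgxpVhkJI4BVASzkm3UZqkx/cFJiYHM=
-github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag=
-github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/buildkit v0.13.2 h1:nXNszM4qD9E7QtG7bFWPnDI1teUQFQglBzon/IU3SzI=
 github.com/moby/buildkit v0.13.2/go.mod h1:2cyVOv9NoHM7arphK9ZfHIWKn9YVZRFd1wXB8kKmEzY=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
@@ -533,8 +535,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y=
-google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b h1:CIC2YMXmIhYw6evmhPxBKJ4fmLbOFtXQN/GV3XOZR8k=
-google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:IBQ646DjkDkvUIsVq/cc03FUFQ9wbZu7yE396YcL870=
+google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2 h1:rIo7ocm2roD9DcFIX67Ym8icoGCKSARAiPljFhh5suQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2/go.mod h1:O1cOfN1Cy6QEYr7VxtjOyP5AdAuR0aJ/MYZaaof623Y=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c h1:lfpJ/2rWPa/kJgxyyXM8PrNnfCzcmxJ265mADgwmvLI=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
 google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk=
@@ -561,5 +563,5 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
-gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
+gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
+gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=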

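--- a/pkg/client/build.go
+++ b/pkg/client/build.go
@@ -16,6 +16,7 @@ import (
 "strings"
 "time"
 
+"github.com/GoogleContainerTools/kaniko/pkg/util/proc"
 "github.com/Masterminds/semver"
 "github.com/buildpacks/imgutil"
 "github.com/buildpacks/imgutil/layout"
@@ -55,6 +56,10 @@ const (
 minLifecycleVersionSupportingCreatorWithExtensions = "0.19.0"
 )
 
+var RunningInContainer = func() bool {
+return proc.GetContainerRuntime(0, 0) != proc.RuntimeNotFound
+}
+
 // LifecycleExecutor executes the lifecycle which satisfies the Cloud Native Buildpacks Lifecycle specification.
 // Implementations of the Lifecycle must execute the following phases by calling the
 // phase-specific lifecycle binary in order:
@@ -284,6 +289,13 @@ type layoutPathConfig struct {
 func (c *Client) Build(ctx context.Context, opts BuildOptions) error {
 var pathsConfig layoutPathConfig
 
+if RunningInContainer() && !(opts.PullPolicy == image.PullAlways) {
+c.logger.Warnf("Detected pack is running in a container; if using a shared docker host, failing to pull build inputs from a remote registry is insecure - " +
+"other tenants may have compromised build inputs stored in the daemon." +
+"This configuration is insecure and may become unsupported in the future." +
+"Re-run with '--pull-policy=always' to silence this warning.")
+}
+
 imageRef, err := c.parseReference(opts)
 if err != nil {
 return errors.Wrapf(err, "invalid image name '%s'", opts.Image)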
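Review bot: The string literals passed to `c.logger.Warnf` at the top of `Build` are concatenated without separating spaces, so the warning is emitted as `...stored in the daemon.This configuration is insecure and may become unsupported in the future.Re-run with...`. End the second and third literals with a space, e.g. `"other tenants may have compromised build inputs stored in the daemon. " +`. The guard would also read more directly as `opts.PullPolicy != image.PullAlways`. Separately, `RunningInContainer` is an exported, reassignable package variable, so any code importing this package can switch the security warning off; an unexported hook would keep the test seam without widening the API. `Build` continues past the end of the hunk.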

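--- a/pkg/client/build_test.go
+++ b/pkg/client/build_test.go
@@ -2379,6 +2379,38 @@ api = "0.2"
 })
 })
 
+when("containerized pack", func() {
+it.Before(func() {
+RunningInContainer = func() bool {
+return true
+}
+})
+
+when("--pull-policy=always", func() {
+it("does not warn", func() {
+h.AssertNil(t, subject.Build(context.TODO(), BuildOptions{
+Image: "some/app",
+Builder: defaultBuilderName,
+PullPolicy: image.PullAlways,
+}))
+
+h.AssertNotContains(t, outBuf.String(), "failing to pull build inputs from a remote registry is insecure")
+})
+})
+
+when("not --pull-policy=always", func() {
+it("warns", func() {
+h.AssertNil(t, subject.Build(context.TODO(), BuildOptions{
+Image: "some/app",
+Builder: defaultBuilderName,
+PullPolicy: image.PullNever,
+}))
+
+h.AssertContains(t, outBuf.String(), "failing to pull build inputs from a remote registry is insecure")
+})
+})
+})
+
 when("always", func() {
 it("uses pulls the builder and run image before using them", func() {
 h.AssertNil(t, subject.Build(context.TODO(), BuildOptions{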
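Review bot: The `it.Before` in the new "containerized pack" block reassigns the package-level `RunningInContainer` and nothing restores it, so specs that run later in this package see a stub that always returns true and their log output depends on execution order. Declare `var orig func() bool` in the `when` body, set `orig = RunningInContainer` at the start of `it.Before`, and add `it.After(func() { RunningInContainer = orig })`. The block also pins no case for an unset `PullPolicy` or for the non-container path, so a regression that warns everywhere, or never for the default policy, would go unnoticed. The enclosing suite function begins outside the hunk.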
