Skip to content

Commit

Permalink
Reapply "Add PRIVILEGED_NESTED to the buildah task"
Browse files Browse the repository at this point in the history
This reverts commit ca880a9.

Signed-off-by: Wei Shi <[email protected]>
  • Loading branch information
shi2wei3 authored and chmeliik committed Jan 6, 2025
1 parent 832d2c3 commit bb14eed
Show file tree
Hide file tree
Showing 17 changed files with 184 additions and 1 deletion.
1 change: 1 addition & 0 deletions pipelines/docker-build-multi-platform-oci-ta/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|LABELS| Additional key=value labels that should be applied to the image| []| |
|PLATFORM| The platform to build on| None| |
|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'|
|PRIVILEGED_NESTED| Whether to enable privileged mode| false| |
|SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| |
|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'|
|SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| |
Expand Down
1 change: 1 addition & 0 deletions pipelines/docker-build-oci-ta/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'|
|LABELS| Additional key=value labels that should be applied to the image| []| |
|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'|
|PRIVILEGED_NESTED| Whether to enable privileged mode| false| |
|SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| |
|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'|
|SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| |
Expand Down
1 change: 1 addition & 0 deletions pipelines/docker-build/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'|
|LABELS| Additional key=value labels that should be applied to the image| []| |
|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'|
|PRIVILEGED_NESTED| Whether to enable privileged mode| false| |
|SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| |
|SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| |
|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| |
Expand Down
1 change: 1 addition & 0 deletions pipelines/fbc-builder/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|LABELS| Additional key=value labels that should be applied to the image| []| |
|PLATFORM| The platform to build on| None| |
|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'|
|PRIVILEGED_NESTED| Whether to enable privileged mode| false| |
|SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| |
|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'|
|SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| |
Expand Down
13 changes: 12 additions & 1 deletion task-generator/remote/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,7 @@ if ! [[ $IS_LOCALHOST ]]; then
export BUILD_DIR=$(cat /ssh/user-dir)
export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10"
echo "$BUILD_DIR"
# shellcheck disable=SC2086
ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes"
PORT_FORWARD=""
Expand Down Expand Up @@ -238,13 +239,23 @@ if ! [[ $IS_LOCALHOST ]]; then
}
}
ret += "\nif ! [[ $IS_LOCALHOST ]]; then"
ret += "\n"
ret += ` PRIVILEGED_NESTED_FLAGS=()
if [[ "${PRIVILEGED_NESTED}" == "true" ]]; then
# This is a workaround for building bootc images because the cache filesystem (/var/tmp/ on the host) must be a real filesystem that supports setting SELinux security attributes.
# https://github.com/coreos/rpm-ostree/discussions/4648
# shellcheck disable=SC2086
ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp"
PRIVILEGED_NESTED_FLAGS=(--privileged --mount "type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared")
fi`
ret += "\n rsync -ra scripts \"$SSH_HOST:$BUILD_DIR\""
containerScript := "scripts/script-" + step.Name + ".sh"
for _, e := range step.Env {
env += " -e " + e.Name + "=\"$" + e.Name + "\" \\\n"
}
podmanArgs += " -v \"$BUILD_DIR/scripts:/scripts:Z\" \\\n"
ret += "\n ssh $SSH_ARGS \"$SSH_HOST\" $PORT_FORWARD podman run " + env + "" + podmanArgs + " --user=0 --rm \"$BUILDER_IMAGE\" /" + containerScript + ` "$@"`
podmanArgs += " \"${PRIVILEGED_NESTED_FLAGS[@]}\" \\\n"
ret += "\n # shellcheck disable=SC2086\n ssh $SSH_ARGS \"$SSH_HOST\" $PORT_FORWARD podman run " + env + "" + podmanArgs + " --user=0 --rm \"$BUILDER_IMAGE\" /" + containerScript + ` "$@"`

// Sync the contents of the workspaces back so subsequent tasks can use them
for _, workspace := range task.Spec.Workspaces {
Expand Down
1 change: 1 addition & 0 deletions task/buildah-oci-ta/0.2/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
|LABELS|Additional key=value labels that should be applied to the image|[]|false|
|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false|
|PRIVILEGED_NESTED|Whether to enable privileged mode|false|false|
|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false|
Expand Down
12 changes: 12 additions & 0 deletions task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,10 @@ spec:
be made available to the build.
type: string
default: ""
- name: PRIVILEGED_NESTED
description: Whether to enable privileged mode
type: string
default: "false"
- name: SKIP_UNUSED_STAGES
description: Whether to skip stages in Containerfile that seem unused
by subsequent stages
Expand Down Expand Up @@ -203,6 +207,8 @@ spec:
value: $(params.IMAGE)
- name: IMAGE_EXPIRES_AFTER
value: $(params.IMAGE_EXPIRES_AFTER)
- name: PRIVILEGED_NESTED
value: $(params.PRIVILEGED_NESTED)
- name: SKIP_UNUSED_STAGES
value: $(params.SKIP_UNUSED_STAGES)
- name: SOURCE_CODE_DIR
Expand Down Expand Up @@ -378,6 +384,12 @@ spec:
BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}")
if [ "${PRIVILEGED_NESTED}" == "true" ]; then
BUILDAH_ARGS+=("--security-opt=label=disable")
BUILDAH_ARGS+=("--cap-add=all")
BUILDAH_ARGS+=("--device=/dev/fuse")
fi
if [ -n "${ADD_CAPABILITIES}" ]; then
BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}")
fi
Expand Down
1 change: 1 addition & 0 deletions task/buildah-oci-ta/0.3/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ When prefetch-dependencies task is activated it is using its artifacts to run bu
|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
|LABELS|Additional key=value labels that should be applied to the image|[]|false|
|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false|
|PRIVILEGED_NESTED|Whether to enable privileged mode|false|false|
|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false|
Expand Down
12 changes: 12 additions & 0 deletions task/buildah-oci-ta/0.3/buildah-oci-ta.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,10 @@ spec:
be made available to the build.
type: string
default: ""
- name: PRIVILEGED_NESTED
description: Whether to enable privileged mode
type: string
default: "false"
- name: SKIP_UNUSED_STAGES
description: Whether to skip stages in Containerfile that seem unused
by subsequent stages
Expand Down Expand Up @@ -196,6 +200,8 @@ spec:
value: $(params.IMAGE)
- name: IMAGE_EXPIRES_AFTER
value: $(params.IMAGE_EXPIRES_AFTER)
- name: PRIVILEGED_NESTED
value: $(params.PRIVILEGED_NESTED)
- name: SKIP_UNUSED_STAGES
value: $(params.SKIP_UNUSED_STAGES)
- name: SOURCE_CODE_DIR
Expand Down Expand Up @@ -366,6 +372,12 @@ spec:
BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}")
if [ "${PRIVILEGED_NESTED}" == "true" ]; then
BUILDAH_ARGS+=("--security-opt=label=disable")
BUILDAH_ARGS+=("--cap-add=all")
BUILDAH_ARGS+=("--device=/dev/fuse")
fi
if [ -n "${ADD_CAPABILITIES}" ]; then
BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}")
fi
Expand Down
11 changes: 11 additions & 0 deletions task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -241,6 +241,7 @@ spec:
export BUILD_DIR=$(cat /ssh/user-dir)
export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10"
echo "$BUILD_DIR"
# shellcheck disable=SC2086
ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes"
PORT_FORWARD=""
Expand Down Expand Up @@ -446,7 +447,16 @@ spec:
chmod +x scripts/script-build.sh
if ! [[ $IS_LOCALHOST ]]; then
PRIVILEGED_NESTED_FLAGS=()
if [[ "${PRIVILEGED_NESTED}" == "true" ]]; then
# This is a workaround for building bootc images because the cache filesystem (/var/tmp/ on the host) must be a real filesystem that supports setting SELinux security attributes.
# https://github.com/coreos/rpm-ostree/discussions/4648
# shellcheck disable=SC2086
ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp"
PRIVILEGED_NESTED_FLAGS=(--privileged --mount "type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared")
fi
rsync -ra scripts "$SSH_HOST:$BUILD_DIR"
# shellcheck disable=SC2086
ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \
--tmpfs /run/secrets \
-e ADDITIONAL_SECRET="$ADDITIONAL_SECRET" \
Expand Down Expand Up @@ -477,6 +487,7 @@ spec:
-v "$BUILD_DIR/.docker/:/root/.docker:Z" \
-v "$BUILD_DIR/results/:/tekton/results:Z" \
-v "$BUILD_DIR/scripts:/scripts:Z" \
"${PRIVILEGED_NESTED_FLAGS[@]}" \
--user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh "$@"
rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/
rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/workdir/" /var/workdir/
Expand Down
24 changes: 24 additions & 0 deletions task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,10 @@ spec:
to the build.
name: PREFETCH_INPUT
type: string
- default: "false"
description: Whether to enable privileged mode
name: PRIVILEGED_NESTED
type: string
- default: "true"
description: Whether to skip stages in Containerfile that seem unused by subsequent
stages
Expand Down Expand Up @@ -182,6 +186,8 @@ spec:
value: $(params.IMAGE)
- name: IMAGE_EXPIRES_AFTER
value: $(params.IMAGE_EXPIRES_AFTER)
- name: PRIVILEGED_NESTED
value: $(params.PRIVILEGED_NESTED)
- name: SKIP_UNUSED_STAGES
value: $(params.SKIP_UNUSED_STAGES)
- name: SOURCE_CODE_DIR
Expand Down Expand Up @@ -267,6 +273,7 @@ spec:
export BUILD_DIR=$(cat /ssh/user-dir)
export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10"
echo "$BUILD_DIR"
# shellcheck disable=SC2086
ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes"
PORT_FORWARD=""
Expand Down Expand Up @@ -411,6 +418,12 @@ spec:
BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}")
if [ "${PRIVILEGED_NESTED}" == "true" ]; then
BUILDAH_ARGS+=("--security-opt=label=disable")
BUILDAH_ARGS+=("--cap-add=all")
BUILDAH_ARGS+=("--device=/dev/fuse")
fi
if [ -n "${ADD_CAPABILITIES}" ]; then
BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}")
fi
Expand Down Expand Up @@ -582,7 +595,16 @@ spec:
chmod +x scripts/script-build.sh
if ! [[ $IS_LOCALHOST ]]; then
PRIVILEGED_NESTED_FLAGS=()
if [[ "${PRIVILEGED_NESTED}" == "true" ]]; then
# This is a workaround for building bootc images because the cache filesystem (/var/tmp/ on the host) must be a real filesystem that supports setting SELinux security attributes.
# https://github.com/coreos/rpm-ostree/discussions/4648
# shellcheck disable=SC2086
ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp"
PRIVILEGED_NESTED_FLAGS=(--privileged --mount "type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared")
fi
rsync -ra scripts "$SSH_HOST:$BUILD_DIR"
# shellcheck disable=SC2086
ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \
--tmpfs /run/secrets \
-e ACTIVATION_KEY="$ACTIVATION_KEY" \
Expand All @@ -595,6 +617,7 @@ spec:
-e HERMETIC="$HERMETIC" \
-e IMAGE="$IMAGE" \
-e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \
-e PRIVILEGED_NESTED="$PRIVILEGED_NESTED" \
-e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \
-e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \
-e SQUASH="$SQUASH" \
Expand All @@ -615,6 +638,7 @@ spec:
-v "$BUILD_DIR/.docker/:/root/.docker:Z" \
-v "$BUILD_DIR/results/:/tekton/results:Z" \
-v "$BUILD_DIR/scripts:/scripts:Z" \
"${PRIVILEGED_NESTED_FLAGS[@]}" \
--user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh "$@"
rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/
rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/workdir/" /var/workdir/
Expand Down
24 changes: 24 additions & 0 deletions task/buildah-remote-oci-ta/0.3/buildah-remote-oci-ta.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,10 @@ spec:
to the build.
name: PREFETCH_INPUT
type: string
- default: "false"
description: Whether to enable privileged mode
name: PRIVILEGED_NESTED
type: string
- default: "true"
description: Whether to skip stages in Containerfile that seem unused by subsequent
stages
Expand Down Expand Up @@ -175,6 +179,8 @@ spec:
value: $(params.IMAGE)
- name: IMAGE_EXPIRES_AFTER
value: $(params.IMAGE_EXPIRES_AFTER)
- name: PRIVILEGED_NESTED
value: $(params.PRIVILEGED_NESTED)
- name: SKIP_UNUSED_STAGES
value: $(params.SKIP_UNUSED_STAGES)
- name: SOURCE_CODE_DIR
Expand Down Expand Up @@ -260,6 +266,7 @@ spec:
export BUILD_DIR=$(cat /ssh/user-dir)
export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10"
echo "$BUILD_DIR"
# shellcheck disable=SC2086
ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes"
PORT_FORWARD=""
Expand Down Expand Up @@ -399,6 +406,12 @@ spec:
BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}")
if [ "${PRIVILEGED_NESTED}" == "true" ]; then
BUILDAH_ARGS+=("--security-opt=label=disable")
BUILDAH_ARGS+=("--cap-add=all")
BUILDAH_ARGS+=("--device=/dev/fuse")
fi
if [ -n "${ADD_CAPABILITIES}" ]; then
BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}")
fi
Expand Down Expand Up @@ -570,7 +583,16 @@ spec:
chmod +x scripts/script-build.sh
if ! [[ $IS_LOCALHOST ]]; then
PRIVILEGED_NESTED_FLAGS=()
if [[ "${PRIVILEGED_NESTED}" == "true" ]]; then
# This is a workaround for building bootc images because the cache filesystem (/var/tmp/ on the host) must be a real filesystem that supports setting SELinux security attributes.
# https://github.com/coreos/rpm-ostree/discussions/4648
# shellcheck disable=SC2086
ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp"
PRIVILEGED_NESTED_FLAGS=(--privileged --mount "type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared")
fi
rsync -ra scripts "$SSH_HOST:$BUILD_DIR"
# shellcheck disable=SC2086
ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \
--tmpfs /run/secrets \
-e ACTIVATION_KEY="$ACTIVATION_KEY" \
Expand All @@ -583,6 +605,7 @@ spec:
-e HERMETIC="$HERMETIC" \
-e IMAGE="$IMAGE" \
-e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \
-e PRIVILEGED_NESTED="$PRIVILEGED_NESTED" \
-e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \
-e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \
-e SQUASH="$SQUASH" \
Expand All @@ -603,6 +626,7 @@ spec:
-v "$BUILD_DIR/.docker/:/root/.docker:Z" \
-v "$BUILD_DIR/results/:/tekton/results:Z" \
-v "$BUILD_DIR/scripts:/scripts:Z" \
"${PRIVILEGED_NESTED_FLAGS[@]}" \
--user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh "$@"
rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/
rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/workdir/" /var/workdir/
Expand Down
11 changes: 11 additions & 0 deletions task/buildah-remote/0.1/buildah-remote.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -229,6 +229,7 @@ spec:
export BUILD_DIR=$(cat /ssh/user-dir)
export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10"
echo "$BUILD_DIR"
# shellcheck disable=SC2086
ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/volumes"
PORT_FORWARD=""
Expand Down Expand Up @@ -438,7 +439,16 @@ spec:
chmod +x scripts/script-build.sh
if ! [[ $IS_LOCALHOST ]]; then
PRIVILEGED_NESTED_FLAGS=()
if [[ "${PRIVILEGED_NESTED}" == "true" ]]; then
# This is a workaround for building bootc images because the cache filesystem (/var/tmp/ on the host) must be a real filesystem that supports setting SELinux security attributes.
# https://github.com/coreos/rpm-ostree/discussions/4648
# shellcheck disable=SC2086
ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/var/tmp"
PRIVILEGED_NESTED_FLAGS=(--privileged --mount "type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared")
fi
rsync -ra scripts "$SSH_HOST:$BUILD_DIR"
# shellcheck disable=SC2086
ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \
--tmpfs /run/secrets \
-e BUILDAH_FORMAT="$BUILDAH_FORMAT" \
Expand Down Expand Up @@ -470,6 +480,7 @@ spec:
-v "$BUILD_DIR/.docker/:/root/.docker:Z" \
-v "$BUILD_DIR/results/:/tekton/results:Z" \
-v "$BUILD_DIR/scripts:/scripts:Z" \
"${PRIVILEGED_NESTED_FLAGS[@]}" \
--user=0 --rm "$BUILDER_IMAGE" /scripts/script-build.sh "$@"
rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/"
rsync -ra "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/
Expand Down
Loading

0 comments on commit bb14eed

Please sign in to comment.