From 0d0a4958ff85f8fa54557c91971603d0e804fc39 Mon Sep 17 00:00:00 2001
From: Natalie Arellano
Date: Thu, 2 May 2024 11:03:45 -0400
Subject: [PATCH] Warn if NOT --pull-policy=always in container

Fixes https://github.com/buildpacks/pack-private/issues/20

Signed-off-by: Natalie Arellano
---
 go.mod                   |  1 +
 go.sum                   | 10 ++++++----
 pkg/client/build.go      | 12 ++++++++++++
 pkg/client/build_test.go | 32 ++++++++++++++++++++++++++++++++
 4 files changed, 51 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index 1d77f5a6..a6cb78c8 100644
--- a/go.mod
+++ b/go.mod
@@ -2,6 +2,7 @@ module github.com/buildpacks/pack
 
 require (
 	github.com/BurntSushi/toml v1.3.2
+	github.com/GoogleContainerTools/kaniko v1.21.1
 	github.com/Masterminds/semver v1.5.0
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/apex/log v1.9.0
diff --git a/go.sum b/go.sum
index 7cc9ae8c..87db8eec 100644
--- a/go.sum
+++ b/go.sum
@@ -31,6 +31,8 @@ github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUM
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/GoogleContainerTools/kaniko v1.21.1 h1:Q77TGiuSRopS1FvZY9Bzu9Wp9VYlpP6zU+/mu08/COs=
+github.com/GoogleContainerTools/kaniko v1.21.1/go.mod h1:5kbaXGmhHLNc2Zzi/P1Se0qhFYDvK8R62QJh/O0n8rk=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
@@ -522,8 +524,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y=
-google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b h1:CIC2YMXmIhYw6evmhPxBKJ4fmLbOFtXQN/GV3XOZR8k=
-google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:IBQ646DjkDkvUIsVq/cc03FUFQ9wbZu7yE396YcL870=
+google.golang.org/genproto/googleapis/api v0.0.0-20240221002015-b0ce06bbee7c h1:9g7erC9qu44ks7UK4gDNlnk4kOxZG707xKm4jVniy6o=
+google.golang.org/genproto/googleapis/api v0.0.0-20240221002015-b0ce06bbee7c/go.mod h1:5iCWqnniDlqZHrd3neWVTOwvh/v6s3232omMecelax8=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240213162025-012b6fc9bca9 h1:hZB7eLIaYlW9qXRfCq/qDaPdbeY3757uARz5Vvfv+cY=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:YUWgXUFRPfoYK1IHMuxH5K6nPEXSCzIMljnQ59lLRCk=
 google.golang.org/grpc v1.61.1 h1:kLAiWrZs7YeDM6MumDe7m3y4aM6wacLzM1Y/wiLP9XY=
@@ -551,5 +553,5 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
-gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
+gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
+gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
diff --git a/pkg/client/build.go b/pkg/client/build.go
index 43c82e01..44e086f4 100644
--- a/pkg/client/build.go
+++ b/pkg/client/build.go
@@ -16,6 +16,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/GoogleContainerTools/kaniko/pkg/util/proc"
 	"github.com/Masterminds/semver"
 	"github.com/buildpacks/imgutil"
 	"github.com/buildpacks/imgutil/layout"
@@ -55,6 +56,10 @@ const (
 	minLifecycleVersionSupportingCreatorWithExtensions = "0.19.0"
 )
 
+var RunningInContainer = func() bool {
+	return proc.GetContainerRuntime(0, 0) != proc.RuntimeNotFound
+}
+
 // LifecycleExecutor executes the lifecycle which satisfies the Cloud Native Buildpacks Lifecycle specification.
 // Implementations of the Lifecycle must execute the following phases by calling the
 // phase-specific lifecycle binary in order:
@@ -290,6 +295,13 @@ var IsTrustedBuilderFunc = func(b string) bool {
 func (c *Client) Build(ctx context.Context, opts BuildOptions) error {
 	var pathsConfig layoutPathConfig
 
+	if RunningInContainer() && !(opts.PullPolicy == image.PullAlways) {
+		c.logger.Warnf("Detected pack is running in a container; if using a shared docker host, failing to pull build inputs from a remote registry is insecure - " +
+			"other tenants may have compromised build inputs stored in the daemon." +
+			"This configuration is insecure and may become unsupported in the future." +
+			"Re-run with '--pull-policy=always' to silence this warning.")
+	}
+
 	imageRef, err := c.parseReference(opts)
 	if err != nil {
 		return errors.Wrapf(err, "invalid image name '%s'", opts.Image)
diff --git a/pkg/client/build_test.go b/pkg/client/build_test.go
index b01cb9b2..a6c61b36 100644
--- a/pkg/client/build_test.go
+++ b/pkg/client/build_test.go
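Review bot: `RunningInContainer` is exported but has no doc comment, and nothing tells a reader that `proc.GetContainerRuntime(0, 0)` is a best-effort heuristic whose `RuntimeNotFound` result can be a false negative in sandboxes the library does not recognise, so the warning it gates in `Build` is advisory rather than a control. I would add above the `var`: `// RunningInContainer reports whether pack itself appears to be running inside a container. It is a best-effort heuristic (some runtimes may not be detected) and is a variable so tests can override it.` Separately, this single call is the only reason the whole kaniko module is added to go.mod, which brings its transitive dependency set into pack's build (the go.sum hunks show genproto and gotest.tools moving as a side effect); a small in-tree check would give the same signal with less supply-chain surface, though I cannot see from here how much of kaniko ends up linked.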
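Review bot: The concatenated message in the `c.logger.Warnf` call is missing separators between sentences — the fragments ending `in the daemon.` and `in the future.` are joined directly to the next fragment, so the log reads `...daemon.This configuration...future.Re-run with...`, and the test only asserts the first fragment so it does not catch this. Add a trailing space to the two fragments: `"other tenants may have compromised build inputs stored in the daemon. " +` and `"This configuration is insecure and may become unsupported in the future. " +`. The guard `!(opts.PullPolicy == image.PullAlways)` reads more plainly as `opts.PullPolicy != image.PullAlways`. Build's body continues past the end of the hunk.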
@@ -2284,6 +2284,38 @@ api = "0.2"
 				})
 			})
 
+			when("containerized pack", func() {
+				it.Before(func() {
+					RunningInContainer = func() bool {
+						return true
+					}
+				})
+
+				when("--pull-policy=always", func() {
+					it("does not warn", func() {
+						h.AssertNil(t, subject.Build(context.TODO(), BuildOptions{
+							Image:      "some/app",
+							Builder:    defaultBuilderName,
+							PullPolicy: image.PullAlways,
+						}))
+
+						h.AssertNotContains(t, outBuf.String(), "failing to pull build inputs from a remote registry is insecure")
+					})
+				})
+
+				when("not --pull-policy=always", func() {
+					it("warns", func() {
+						h.AssertNil(t, subject.Build(context.TODO(), BuildOptions{
+							Image:      "some/app",
+							Builder:    defaultBuilderName,
+							PullPolicy: image.PullNever,
+						}))
+
+						h.AssertContains(t, outBuf.String(), "failing to pull build inputs from a remote registry is insecure")
+					})
+				})
+			})
+
 			when("always", func() {
 				it("uses pulls the builder and run image before using them", func() {
 					h.AssertNil(t, subject.Build(context.TODO(), BuildOptions{
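Review bot: The `it.Before` in `when("containerized pack")` overwrites the package-level `RunningInContainer` with a closure returning true and nothing restores it, so every test declared after this group — starting with the `when("always")` sibling at the bottom of the hunk — runs with pack believing it is in a container, and any of them not using `PullAlways` will get the warning in `outBuf`; the leak also makes the suite order-dependent. Capture and restore the original: `orig := RunningInContainer` before `it.Before`, and `it.After(func() { RunningInContainer = orig })`. A third case that sets the seam to return false and asserts the warning is absent with `PullNever` would also catch a regression that drops the `RunningInContainer()` term from the guard. I cannot see from this hunk whether an `it.After` elsewhere in the file already resets the variable.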