feat: add --with-ssl-cert-file option to build command

This makes the root CAs from the host available to containers during a
build.

Co-authored-by: Tom Sweeney <[email protected]>
Signed-off-by: Adam Eijdenberg <[email protected]>

Author: aeijdenberg

define/build.go

@@ -113,6 +113,8 @@ type CommonBuildOptions struct {
 	OCIHooksDir []string
 	// Paths to unmask
 	Unmasks []string
+	// WithSSLCertFile specifies whether the host root CAs should be ephemerally mounted within the container
+	WithSSLCertFile bool
 }
 
 // BuildOptions can be used to alter how an image is built.

docs/buildah-build.1.md

@@ -1232,6 +1232,11 @@ will convert /foo into a `shared` mount point.  The propagation properties of th
 mount can be changed directly. For instance if `/` is the source mount for
 `/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount.
 
+**--with-ssl-cert-file**
+
+If set, bind mount the host CA cert file (override location by setting `SSL_CERT_FILE`) within the RUN containers,
+and set the environment variable `SSL_CERT_FILE` to point to it.
+
 ## BUILD TIME VARIABLES
 
 The ENV instruction in a Containerfile can be used to define variable values.  When the image

docs/buildah-from.1.md

@@ -690,6 +690,11 @@ will convert /foo into a `shared` mount point.  The propagation properties of th
 mount can be changed directly. For instance if `/` is the source mount for
 `/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount.
 
+**--with-ssl-cert-file**
+
+If set, bind mount the host CA cert file (override location by setting `SSL_CERT_FILE`) within the RUN containers,
+and set the environment variable `SSL_CERT_FILE` to point to it.
+
 ## EXAMPLE
 
 buildah from --pull imagename

pkg/cli/common.go

@@ -125,32 +125,33 @@ type BudResults struct {
 // FromAndBugResults represents the results for common flags
 // in build and from
 type FromAndBudResults struct {
-	AddHost        []string
-	BlobCache      string
-	CapAdd         []string
-	CapDrop        []string
-	CDIConfigDir   string
-	CgroupParent   string
-	CPUPeriod      uint64
-	CPUQuota       int64
-	CPUSetCPUs     string
-	CPUSetMems     string
-	CPUShares      uint64
-	DecryptionKeys []string
-	Devices        []string
-	DNSSearch      []string
-	DNSServers     []string
-	DNSOptions     []string
-	HTTPProxy      bool
-	Isolation      string
-	Memory         string
-	MemorySwap     string
-	Retry          int
-	RetryDelay     string
-	SecurityOpt    []string
-	ShmSize        string
-	Ulimit         []string
-	Volumes        []string
+	AddHost         []string
+	BlobCache       string
+	CapAdd          []string
+	CapDrop         []string
+	CDIConfigDir    string
+	CgroupParent    string
+	CPUPeriod       uint64
+	CPUQuota        int64
+	CPUSetCPUs      string
+	CPUSetMems      string
+	CPUShares       uint64
+	DecryptionKeys  []string
+	Devices         []string
+	DNSSearch       []string
+	DNSServers      []string
+	DNSOptions      []string
+	HTTPProxy       bool
+	Isolation       string
+	Memory          string
+	MemorySwap      string
+	Retry           int
+	RetryDelay      string
+	SecurityOpt     []string
+	ShmSize         string
+	Ulimit          []string
+	Volumes         []string
+	WithSSLCertFile bool
 }
 
 // GetUserNSFlags returns the common flags for usernamespace
@@ -409,6 +410,7 @@ func GetFromAndBudFlags(flags *FromAndBudResults, usernsResults *UserNSResults,
 	fs.String("variant", "", "override the `variant` of the specified image")
 	fs.StringArrayVar(&flags.SecurityOpt, "security-opt", []string{}, "security options (default [])")
 	fs.StringVar(&flags.ShmSize, "shm-size", defaultContainerConfig.Containers.ShmSize, "size of '/dev/shm'. The format is `<number><unit>`.")
+	fs.BoolVar(&flags.WithSSLCertFile, "with-ssl-cert-file", false, "mount host root CA bundle within container during build, and set SSL_CERT_FILE to point to that bundle")
 	fs.StringSliceVar(&flags.Ulimit, "ulimit", defaultContainerConfig.Containers.DefaultUlimits.Get(), "ulimit options")
 	fs.StringArrayVarP(&flags.Volumes, "volume", "v", defaultContainerConfig.Volumes(), "bind mount a volume into the container")
 

pkg/parse/parse.go

@@ -162,6 +162,7 @@ func CommonBuildOptionsFromFlagSet(flags *pflag.FlagSet, findFlagFunc func(name
 	cpuQuota, _ := flags.GetInt64("cpu-quota")
 	cpuShares, _ := flags.GetUint64("cpu-shares")
 	httpProxy, _ := flags.GetBool("http-proxy")
+	withSSLCertFile, _ := flags.GetBool("with-ssl-cert-file")
 	identityLabel, _ := flags.GetBool("identity-label")
 	omitHistory, _ := flags.GetBool("omit-history")
 
@@ -175,29 +176,30 @@ func CommonBuildOptionsFromFlagSet(flags *pflag.FlagSet, findFlagFunc func(name
 	ociHooks, _ := flags.GetStringArray("hooks-dir")
 
 	commonOpts := &define.CommonBuildOptions{
-		AddHost:       addHost,
-		CPUPeriod:     cpuPeriod,
-		CPUQuota:      cpuQuota,
-		CPUSetCPUs:    findFlagFunc("cpuset-cpus").Value.String(),
-		CPUSetMems:    findFlagFunc("cpuset-mems").Value.String(),
-		CPUShares:     cpuShares,
-		CgroupParent:  findFlagFunc("cgroup-parent").Value.String(),
-		DNSOptions:    dnsOptions,
-		DNSSearch:     dnsSearch,
-		DNSServers:    dnsServers,
-		HTTPProxy:     httpProxy,
-		IdentityLabel: types.NewOptionalBool(identityLabel),
-		Memory:        memoryLimit,
-		MemorySwap:    memorySwap,
-		NoHostname:    noHostname,
-		NoHosts:       noHosts,
-		OmitHistory:   omitHistory,
-		ShmSize:       findFlagFunc("shm-size").Value.String(),
-		Ulimit:        ulimit,
-		Volumes:       volumes,
-		Secrets:       secrets,
-		SSHSources:    sshsources,
-		OCIHooksDir:   ociHooks,
+		AddHost:         addHost,
+		CPUPeriod:       cpuPeriod,
+		CPUQuota:        cpuQuota,
+		CPUSetCPUs:      findFlagFunc("cpuset-cpus").Value.String(),
+		CPUSetMems:      findFlagFunc("cpuset-mems").Value.String(),
+		CPUShares:       cpuShares,
+		CgroupParent:    findFlagFunc("cgroup-parent").Value.String(),
+		DNSOptions:      dnsOptions,
+		DNSSearch:       dnsSearch,
+		DNSServers:      dnsServers,
+		HTTPProxy:       httpProxy,
+		IdentityLabel:   types.NewOptionalBool(identityLabel),
+		Memory:          memoryLimit,
+		MemorySwap:      memorySwap,
+		NoHostname:      noHostname,
+		NoHosts:         noHosts,
+		OmitHistory:     omitHistory,
+		ShmSize:         findFlagFunc("shm-size").Value.String(),
+		Ulimit:          ulimit,
+		Volumes:         volumes,
+		Secrets:         secrets,
+		SSHSources:      sshsources,
+		WithSSLCertFile: withSSLCertFile,
+		OCIHooksDir:     ociHooks,
 	}
 	securityOpts, _ := flags.GetStringArray("security-opt")
 	if err := parseSecurityOpts(securityOpts, commonOpts); err != nil {

run_common.go

@@ -208,6 +208,54 @@ func (b *Builder) generateHostname(rdir, hostname string, chownOpts *idtools.IDP
 	return cfile, nil
 }
 
+// createSSLCertFile creates a containers CA cert file
+func (b *Builder) createSSLCertFile(rdir, containerPath string, chownOpts *idtools.IDPair) (_ string, retErr error) {
+	resolvedSSLCertPath, err := util.ResolveRootCACertFile()
+	if err != nil {
+		return "", fmt.Errorf("error resolving cert file on host: %w", err)
+	}
+
+	inCertFile, err := os.Open(resolvedSSLCertPath)
+	if err != nil {
+		return "", fmt.Errorf("error opening ssl cert file on host: %w", err)
+	}
+	defer func() {
+		if err := inCertFile.Close(); err != nil && retErr == nil {
+			retErr = fmt.Errorf("error closing ssl cert file on host: %w", err)
+		}
+	}()
+
+	cfile := filepath.Join(rdir, filepath.Base(containerPath))
+	outCertFile, err := os.Create(cfile)
+	if err != nil {
+		return "", fmt.Errorf("error opening ssl cert file for container: %w", err)
+	}
+	defer func() {
+		if err := outCertFile.Close(); err != nil && retErr == nil {
+			retErr = fmt.Errorf("error closing ssl cert file for container: %w", err)
+		}
+	}()
+
+	if _, err = io.Copy(outCertFile, inCertFile); err != nil {
+		return "", fmt.Errorf("error copying cert file for container: %w", err)
+	}
+
+	uid := 0
+	gid := 0
+	if chownOpts != nil {
+		uid = chownOpts.UID
+		gid = chownOpts.GID
+	}
+	if err = os.Chown(cfile, uid, gid); err != nil {
+		return "", err
+	}
+	if err = relabel(cfile, b.MountLabel, false); err != nil {
+		return "", err
+	}
+
+	return cfile, nil
+}
+
 func setupTerminal(g *generate.Generator, terminalPolicy TerminalPolicy, terminalSize *specs.Box) {
 	switch terminalPolicy {
 	case DefaultTerminal:

run_linux.go

@@ -4,6 +4,8 @@ package buildah
 
 import (
 	"context"
+	"crypto/rand"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"os"
@@ -367,6 +369,17 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 
 	g.SetProcessApparmorProfile(b.CommonBuildOpts.ApparmorProfile)
 
+	var optionalContainerCaBundlePath string
+	if b.CommonBuildOpts.WithSSLCertFile {
+		// we populate this later in this function, but generate the filename
+		// now so we can set it in the env. We make it random so that this path
+		// is not relied on, and instead the env var is used
+		var b [8]byte
+		_, _ = rand.Read(b[:]) // documented to never return an err
+		optionalContainerCaBundlePath = "/cabundle-" + hex.EncodeToString(b[:])
+		g.AddProcessEnv("SSL_CERT_FILE", optionalContainerCaBundlePath)
+	}
+
 	// Now grab the spec from the generator.  Set the generator to nil so that future contributors
 	// will quickly be able to tell that they're supposed to be modifying the spec directly from here.
 	spec := g.Config
@@ -503,6 +516,14 @@ rootless=%d
 		bindFiles["/run/.containerenv"] = containerenvPath
 	}
 
+	if b.CommonBuildOpts.WithSSLCertFile {
+		resolvedSSLCertPath, err := b.createSSLCertFile(path, optionalContainerCaBundlePath, rootIDPair)
+		if err != nil {
+			return err
+		}
+		bindFiles[optionalContainerCaBundlePath] = resolvedSSLCertPath
+	}
+
 	// Setup OCI hooks
 	_, err = b.setupOCIHooks(spec, (len(options.Mounts) > 0 || len(volumes) > 0))
 	if err != nil {

tests/bud.bats

@@ -7442,3 +7442,19 @@ EOF
   # should be the same
   diff "${outpath}.b" "${outpath}.c"
 }
+
+@test "build-with-ssl-cert-file" {
+  echo "foofoofoofoo" > "${TEST_SCRATCH_DIR}/foocafile"
+  echo "barbarbarbar" > "${TEST_SCRATCH_DIR}/barcafile"
+
+  # use foocafile, and ensure that "foo" is output
+  SSL_CERT_FILE="${TEST_SCRATCH_DIR}/foocafile" run_buildah build -f <(echo 'FROM alpine'; echo 'RUN cat "${SSL_CERT_FILE}"') --tag="oci-archive:${TEST_SCRATCH_DIR}/foo.tar" --timestamp 0 --with-ssl-cert-file
+  expect_output --substring "foofoofoofoo"
+
+  # use barcafile, and ensure that "bar" is output
+  SSL_CERT_FILE="${TEST_SCRATCH_DIR}/barcafile" run_buildah build -f <(echo 'FROM alpine'; echo 'RUN cat "${SSL_CERT_FILE}"') --tag="oci-archive:${TEST_SCRATCH_DIR}/bar.tar" --timestamp 0 --with-ssl-cert-file
+  expect_output --substring "barbarbarbar"
+
+  # however regardless the produced images from both above should be identical as this is not persisted to image
+  diff "${TEST_SCRATCH_DIR}/foo.tar" "${TEST_SCRATCH_DIR}/bar.tar"
+}

util/x509.go

@@ -0,0 +1,23 @@
+package util
+
+import (
+	"errors"
+	"fmt"
+	"os"
+)
+
+func ResolveRootCACertFile() (string, error) {
+	if rv, ok := os.LookupEnv("SSL_CERT_FILE"); ok {
+		return rv, nil
+	}
+	for _, potFile := range certFiles {
+		if _, err := os.Stat(potFile); err != nil {
+			if os.IsNotExist(err) {
+				continue
+			}
+			return "", fmt.Errorf("unexpected error resolving cert file: %w", err)
+		}
+		return potFile, nil
+	}
+	return "", errors.New("unable to resolve host cert file. Consider setting SSL_CERT_FILE environment variable")
+}

util/x509_test.go

@@ -0,0 +1,16 @@
+package util
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestResolveRootCACertFileWitEnvSet(t *testing.T) {
+	t.Setenv("SSL_CERT_FILE", "/path/to/file")
+
+	path, err := ResolveRootCACertFile()
+	assert.Nil(t, err)
+
+	assert.Equal(t, "/path/to/file", path)
+}

util/x509_unix.go

@@ -0,0 +1,45 @@
+//go:build !windows
+
+package util
+
+// Source: https://cs.opensource.google/go/go/+/refs/tags/go1.24.1:src/crypto/x509/root_linux.go
+
+/*
+	Copyright 2009 The Go Authors.
+
+	Redistribution and use in source and binary forms, with or without
+	modification, are permitted provided that the following conditions are
+	met:
+
+	* Redistributions of source code must retain the above copyright
+	notice, this list of conditions and the following disclaimer.
+	* Redistributions in binary form must reproduce the above
+	copyright notice, this list of conditions and the following disclaimer
+	in the documentation and/or other materials provided with the
+	distribution.
+	* Neither the name of Google LLC nor the names of its
+	contributors may be used to endorse or promote products derived from
+	this software without specific prior written permission.
+
+	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+	"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+	LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+	A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+	OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+	SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+	LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+	DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+	THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+	(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+	OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+// Possible certificate files; stop after finding one.
+var certFiles = []string{
+	"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
+	"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
+	"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
+	"/etc/pki/tls/cacert.pem",                           // OpenELEC
+	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
+	"/etc/ssl/cert.pem",                                 // Alpine Linux
+}

util/x509_unix_test.go

@@ -0,0 +1,26 @@
+//go:build !windows
+
+package util
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestResolveRootCACertFileWithNoEnvSetUnix(t *testing.T) {
+	// calling t.SetEnv has the side-effect of restoring it to the previous
+	// value after the test (or leaving it unset).
+	// We call this before unsetting it so that we benefit from that cleanup
+	t.Setenv("SSL_CERT_FILE", "bogusval")
+
+	// now unset it (t.Unsetenv doesn't exist or we'd use that.)
+	assert.Nil(t, os.Unsetenv("SSL_CERT_FILE"))
+	path, err := ResolveRootCACertFile()
+	assert.Nil(t, err)
+
+	// if our test env doesn't have any of the default locations set,
+	// then we need to fix our lists
+	assert.NotEmpty(t, path)
+}

util/x509_windows.go

@@ -0,0 +1,4 @@
+package util
+
+// not implemented
+var certFiles []string