Add --no-hosts flag to eliminate use of /etc/hosts within containers
Users want to turn off the addition of the /etc/hosts file while building
container images; this would allow them to customize the /etc/hosts
file within the image.

Fixes: #3808

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
rhatdan committed Mar 7, 2022
1 parent 4173c20 commit f73c800
Showing 12 changed files with 38 additions and 3 deletions.
1 change: 1 addition & 0 deletions cmd/buildah/build.go
@@ -367,6 +367,7 @@ func buildCmd(c *cobra.Command, inputArgs []string, iopts buildOptions) error {
Manifest: iopts.Manifest,
MaxPullPushRetries: maxPullPushRetries,
NamespaceOptions: namespaceOptions,
NoHosts: iopts.NoHosts,
NoCache: iopts.NoCache,
OS: systemContext.OSChoice,
Out: stdout,
3 changes: 3 additions & 0 deletions cmd/buildah/run.go
@@ -24,6 +24,7 @@ type runInputOptions struct {
mounts []string
runtime string
runtimeFlag []string
noHosts bool
noPivot bool
terminal bool
volumes []string
@@ -66,6 +67,7 @@ func init() {
// Do not set a default runtime here, we'll do that later in the processing.
flags.StringVar(&opts.runtime, "runtime", util.Runtime(), "`path` to an alternate OCI runtime")
flags.StringSliceVar(&opts.runtimeFlag, "runtime-flag", []string{}, "add global flags for the container runtime")
flags.BoolVar(&opts.noHosts, "no-hosts", false, "do not override /etc/hosts file within the container")
flags.BoolVar(&opts.noPivot, "no-pivot", false, "do not use pivot root to jail process inside rootfs")
flags.BoolVarP(&opts.terminal, "terminal", "t", false, "allocate a pseudo-TTY in the container")
flags.StringArrayVarP(&opts.volumes, "volume", "v", []string{}, "bind mount a host location into the container while running the command")
@@ -127,6 +129,7 @@ func runCmd(c *cobra.Command, args []string, iopts runInputOptions) error {
Hostname: iopts.hostname,
Runtime: iopts.runtime,
Args: runtimeFlags,
NoHosts: iopts.noHosts,
NoPivot: noPivot,
User: c.Flag("user").Value.String(),
Isolation: isolation,
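Review bot: The help string added in init() reads `do not override /etc/hosts file within the container`, while the same flag in pkg/cli/common.go's GetBudFlags reads `Do not create new containers /etc/hosts file, use the one from the current image.`; one behaviour is described in two different ways, and the second is missing an apostrophe. A single sentence for both, for example `do not create /etc/hosts for the container, use the image's file unmodified`, would match the man-page text added in this commit. The bodies of init() and runCmd extend outside the hunks shown.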
3 changes: 3 additions & 0 deletions define/build.go
@@ -196,6 +196,9 @@ type BuildOptions struct {
// NoCache tells the builder to build the image from scratch without checking for a cache.
// It creates a new set of cached images for the build.
NoCache bool
// NoHosts tells the builder not create /etc/hosts content when running
// containers.
NoHosts bool
// RemoveIntermediateCtrs tells the builder whether to remove intermediate containers used
// during the build process. Default is true.
RemoveIntermediateCtrs bool
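Review bot: The doc comment on BuildOptions.NoHosts is missing a word (`not create`) and does not say what the container sees instead. Something like `// NoHosts tells the builder not to generate /etc/hosts when running containers; the image's own /etc/hosts, if any, is used unmodified.` states the contract. Because name resolution inside RUN steps then follows whatever the base image ships, that deserves a sentence for callers who build from images they do not control. The comment on RunOptions.NoHosts in run.go (`NoHosts use the images /etc/hosts file`) has the same gap and could share the wording.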
7 changes: 7 additions & 0 deletions docs/buildah-build.1.md
@@ -396,6 +396,13 @@ Valid _mode_ values are:

Do not use existing cached images for the container build. Build from the start with a new set of cached layers.

**--no-hosts**

Do not create _/etc/hosts_ for the container.

By default, Buildah manages _/etc/hosts_, adding the container's own IP address.
**--no-hosts** disables this, and the image's _/etc/hosts_ will be preserved unmodified.

**--os**="OS"

Set the OS of the image to be built, and that of the base image to be pulled, if the build uses one, instead of using the current operating system of the host.
7 changes: 7 additions & 0 deletions docs/buildah-run.1.md
@@ -182,6 +182,13 @@ consult the manpages of the selected container runtime.
Note: Do not pass the leading `--` to the flag. To pass the runc flag `--log-format json`
to buildah run, the option given would be `--runtime-flag log-format=json`.

**--no-hosts**

Do not create _/etc/hosts_ for the container.

By default, Buildah manages _/etc/hosts_, adding the container's own IP address.
**--no-hosts** disables this, and the image's _/etc/hosts_ will be preserved unmodified.

**--no-pivot**

Do not use pivot root to jail process inside rootfs. This should be used
2 changes: 2 additions & 0 deletions imagebuildah/executor.go
@@ -96,6 +96,7 @@ type Executor struct {
labels []string
annotations []string
layers bool
noHosts bool
useCache bool
removeIntermediateCtrs bool
forceRmIntermediateCtrs bool
@@ -245,6 +246,7 @@ func newExecutor(logger *logrus.Logger, logPrefix string, store storage.Store, o
labels: append([]string{}, options.Labels...),
annotations: append([]string{}, options.Annotations...),
layers: options.Layers,
noHosts: options.NoHosts,
useCache: !options.NoCache,
removeIntermediateCtrs: options.RemoveIntermediateCtrs,
forceRmIntermediateCtrs: options.ForceRmIntermediateCtrs,
1 change: 1 addition & 0 deletions imagebuildah/stage_executor.go
@@ -495,6 +495,7 @@ func (s *StageExecutor) Run(run imagebuilder.Run, config docker.Config) error {
Hostname: config.Hostname,
Runtime: s.executor.runtime,
Args: s.executor.runtimeArgs,
NoHosts: s.executor.noHosts,
NoPivot: os.Getenv("BUILDAH_NOPIVOT") != "",
Mounts: append([]Mount{}, s.executor.transientMounts...),
Env: config.Env,
2 changes: 2 additions & 0 deletions pkg/cli/common.go
@@ -67,6 +67,7 @@ type BudResults struct {
Label []string
Logfile string
Manifest string
NoHosts bool
NoCache bool
Timestamp int64
Pull string
@@ -212,6 +213,7 @@ func GetBudFlags(flags *BudResults) pflag.FlagSet {
panic(fmt.Sprintf("error marking the rusage-logfile flag as hidden: %v", err))
}
fs.StringVar(&flags.Manifest, "manifest", "", "add the image to the specified manifest list. Creates manifest list if it does not exist")
fs.BoolVar(&flags.NoHosts, "no-hosts", false, "Do not create new containers /etc/hosts file, use the one from the current image.")
fs.BoolVar(&flags.NoCache, "no-cache", false, "Do not use existing cached images for the container build. Build from the start with a new set of cached layers.")
fs.String("os", runtime.GOOS, "set the OS to the provided value instead of the current operating system of the host")
fs.StringVar(&flags.Pull, "pull", "true", "pull the image from the registry if newer or not present in store, if false, only pull the image if not present, if always, pull the image even if the named image is present in store, if never, only use the image present in store if available")
2 changes: 2 additions & 0 deletions run.go
@@ -85,6 +85,8 @@ type RunOptions struct {
Runtime string
// Args adds global arguments for the runtime.
Args []string
// NoHosts use the images /etc/hosts file
NoHosts bool
// NoPivot adds the --no-pivot runtime flag.
NoPivot bool
// Mounts are additional mount points which we want to provide.
2 changes: 1 addition & 1 deletion run_linux.go
@@ -210,7 +210,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
namespaceOptions := append(b.NamespaceOptions, options.NamespaceOptions...)
volumes := b.Volumes()

if !contains(volumes, "/etc/hosts") {
if !options.NoHosts && !contains(volumes, "/etc/hosts") {
hostFile, err := b.generateHosts(path, spec.Hostname, b.CommonBuildOpts.AddHost, rootIDPair)
if err != nil {
return err
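Review bot: With NoHosts set, the new condition skips generateHosts entirely, and that call is the only place in this hunk where `b.CommonBuildOpts.AddHost` is consumed, so `--add-host` entries appear to be dropped without any message. The case added to tests/bud.bats expects that combination to fail only once the runtime runs, which suggests the conflict surfaces late and with an unrelated error. Rejecting it up front would be clearer, e.g. `if options.NoHosts && len(b.CommonBuildOpts.AddHost) > 0 { return errors.New("--no-hosts and --add-host conflict") }` ahead of the hosts block. Run's body starts and ends outside the hunk, so AddHost may also be handled elsewhere; that should be confirmed.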
5 changes: 5 additions & 0 deletions tests/bud.bats
@@ -3171,6 +3171,11 @@ _EOF
run_buildah build --add-host=myhostname:$ip -t testbud \
--signature-policy ${TESTSDIR}/policy.json --file ${mytmpdir} .
expect_output --from="${lines[2]}" --substring "^$ip\s+myhostname"

run_buildah 1 build --no-cache --add-host=myhostname:$ip \
--no-hosts \
--signature-policy ${TESTSDIR}/policy.json --file ${mytmpdir} .
expect_output --from="${lines[2]}" --substring "error while running runtime"
}

@test "bud with --cgroup-parent" {
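Review bot: The new case matches only the generic substring `error while running runtime` at `${lines[2]}`, so any runtime failure at that position satisfies it, not just a missing hosts entry. If the Containerfile step (outside this hunk) is what looks up `myhostname`, a comment such as `# --no-hosts: myhostname is not added to /etc/hosts, so the RUN lookup fails` would record why exit status 1 is expected. Asserting on the absence of the `$ip`/`myhostname` pair in the output would tie the check to the flag itself. The enclosing @test starts outside the hunk.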
6 changes: 4 additions & 2 deletions tests/run.bats
@@ -590,8 +590,7 @@ function configure_and_check_user() {
run_buildah from --quiet --pull=false --signature-policy ${TESTSDIR}/policy.json debian
cid=$output
run_buildah 125 run --network=bogus $cid cat /etc/hosts
expect_output --substring "unable to find network with name or ID bogus: network not found"

expect_output --substring "unable to find network with name or ID bogus: network not found"
run_buildah run $cid cat /etc/hosts
expect_output --substring "127.0.0.1.*$cid"
expect_output --substring "::1.*$cid"
@@ -609,11 +608,14 @@ function configure_and_check_user() {
run_buildah from --quiet --pull=false --signature-policy ${TESTSDIR}/policy.json debian
cid=$output
run_buildah run --network=host $cid cat /etc/hosts
hostOutput=$output
expect_output --substring "# Generated by Buildah"
m=$(buildah mount $cid)
run cat $m/etc/hosts
[ "$status" -eq 0 ]
expect_output --substring ""
run_buildah run --network=host --no-hosts $cid cat /etc/hosts
[ "$output" != "$hostOutput" ]
run_buildah rm -a

run_buildah from --quiet --pull=false --signature-policy ${TESTSDIR}/policy.json debian
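Review bot: `[ "$output" != "$hostOutput" ]` in the second hunk only shows that the two runs printed different text; it would also pass if the `--no-hosts` run printed something unexpected. Since the earlier run is checked for `# Generated by Buildah`, asserting that the marker is absent is more direct: `[[ "$output" != *"# Generated by Buildah"* ]]`. The first hunk appears only to re-indent an expect_output line and drop a blank line, which is unrelated to the flag. The enclosing @test blocks start outside both hunks.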