build: add support for inherit-labels

Allows users to specify if they want to inherit labels from base image
or not.

Signed-off-by: flouthoc <[email protected]>

Author: flouthoc

define/build.go

@@ -236,6 +236,9 @@ type BuildOptions struct {
 	// ID mapping options to use if we're setting up our own user namespace
 	// when handling RUN instructions.
 	IDMappingOptions *IDMappingOptions
+	// InheritLabels allows users to specify if they want
+	// to inherit labels from base image or not.
+	InheritLabels types.OptionalBool
 	// AddCapabilities is a list of capabilities to add to the default set when
 	// handling RUN instructions.
 	AddCapabilities []string

docs/buildah-build.1.md

@@ -497,6 +497,10 @@ Path to an alternative .containerignore (.dockerignore) file.
 Write the built image's ID to the file.  When `--platform` is specified more
 than once, attempting to use this option will trigger an error.
 
+**--inherit-labels** *bool-value*
+
+Inherit the labels from the base image (default true).
+
 **--ipc** *how*
 
 Sets the configuration for IPC namespaces when handling `RUN` instructions.

imagebuildah/executor.go

@@ -82,6 +82,7 @@ type Executor struct {
 	additionalTags                 []string
 	log                            func(format string, args ...interface{}) // can be nil
 	in                             io.Reader
+	inheritLabels                  types.OptionalBool
 	out                            io.Writer
 	err                            io.Writer
 	signaturePolicyPath            string
@@ -261,6 +262,7 @@ func newExecutor(logger *logrus.Logger, logPrefix string, store storage.Store, o
 		err:                                     options.Err,
 		reportWriter:                            writer,
 		isolation:                               options.Isolation,
+		inheritLabels:                           options.InheritLabels,
 		namespaceOptions:                        options.NamespaceOptions,
 		configureNetwork:                        options.ConfigureNetwork,
 		cniPluginPath:                           options.CNIPluginPath,

imagebuildah/stage_executor.go

@@ -1078,6 +1078,11 @@ func (s *StageExecutor) prepare(ctx context.Context, from string, initializeIBCo
 			RootFS:          rootfs,
 		}
 		dImage.Config = &dImage.ContainerConfig
+		if s.executor.inheritLabels == types.OptionalBoolFalse {
+			// If user has selected `--inherit-labels=false` lets not
+			// inherit labels from base image.
+			dImage.Config.Labels = nil
+		}
 		err = ib.FromImage(&dImage, node)
 		if err != nil {
 			if err2 := builder.Delete(); err2 != nil {
@@ -1881,6 +1886,11 @@ func (s *StageExecutor) getCreatedBy(node *parser.Node, addedContentSummary stri
 	if node == nil {
 		return "/bin/sh", nil
 	}
+	inheritLabels := ""
+	// If --inherit-label was manually set to false then update history.
+	if s.executor.inheritLabels == types.OptionalBoolFalse {
+		inheritLabels = "|inheritLabels=false"
+	}
 	switch strings.ToUpper(node.Value) {
 	case "ARG":
 		for _, variable := range strings.Fields(node.Original) {
@@ -1889,7 +1899,7 @@ func (s *StageExecutor) getCreatedBy(node *parser.Node, addedContentSummary stri
 			}
 		}
 		buildArgs := s.getBuildArgsKey()
-		return "/bin/sh -c #(nop) ARG " + buildArgs, nil
+		return "/bin/sh -c #(nop) ARG " + buildArgs + inheritLabels, nil
 	case "RUN":
 		shArg := ""
 		buildArgs := s.getBuildArgsResolvedForRun()
@@ -1965,16 +1975,16 @@ func (s *StageExecutor) getCreatedBy(node *parser.Node, addedContentSummary stri
 		if buildArgs != "" {
 			result = result + "|" + strconv.Itoa(len(strings.Split(buildArgs, " "))) + " " + buildArgs + " "
 		}
-		result = result + "/bin/sh -c " + shArg + heredoc + appendCheckSum
+		result = result + "/bin/sh -c " + shArg + heredoc + appendCheckSum + inheritLabels
 		return result, nil
 	case "ADD", "COPY":
 		destination := node
 		for destination.Next != nil {
 			destination = destination.Next
 		}
-		return "/bin/sh -c #(nop) " + strings.ToUpper(node.Value) + " " + addedContentSummary + " in " + destination.Value + " ", nil
+		return "/bin/sh -c #(nop) " + strings.ToUpper(node.Value) + " " + addedContentSummary + " in " + destination.Value + " " + inheritLabels, nil
 	default:
-		return "/bin/sh -c #(nop) " + node.Original, nil
+		return "/bin/sh -c #(nop) " + node.Original + inheritLabels, nil
 	}
 }
 

pkg/cli/build.go

@@ -378,6 +378,7 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) (
 		IIDFile:                 iopts.Iidfile,
 		IgnoreFile:              iopts.IgnoreFile,
 		In:                      stdin,
+		InheritLabels:           types.NewOptionalBool(iopts.InheritLabels),
 		Isolation:               isolation,
 		Jobs:                    &iopts.Jobs,
 		Labels:                  iopts.Label,

pkg/cli/common.go

@@ -71,6 +71,7 @@ type BudResults struct {
 	Format              string
 	From                string
 	Iidfile             string
+	InheritLabels       bool
 	Label               []string
 	LayerLabel          []string
 	Logfile             string
@@ -230,6 +231,7 @@ func GetBudFlags(flags *BudResults) pflag.FlagSet {
 	fs.StringVar(&flags.CertDir, "cert-dir", "", "use certificates at the specified path to access the registry")
 	fs.BoolVar(&flags.Compress, "compress", false, "this is a legacy option, which has no effect on the image")
 	fs.BoolVar(&flags.CompatVolumes, "compat-volumes", false, "preserve the contents of VOLUMEs during RUN instructions")
+	fs.BoolVar(&flags.InheritLabels, "inherit-labels", true, "inherit the labels from the base image")
 	fs.StringArrayVar(&flags.CPPFlags, "cpp-flag", []string{}, "set additional flag to pass to C preprocessor (cpp)")
 	fs.StringVar(&flags.Creds, "creds", "", "use `[username[:password]]` for accessing the registry")
 	fs.StringVarP(&flags.CWOptions, "cw", "", "", "confidential workload `options`")

tests/bud.bats

@@ -2670,6 +2670,49 @@ _EOF
   expect_output "$want_output"
 }
 
+@test "bud and test inherit-labels" {
+  run_buildah --version
+  local -a output_fields=($output)
+  buildah_version=${output_fields[2]}
+  run_buildah build $WITH_POLICY_JSON -t exp -f $BUDFILES/base-with-labels/Containerfile
+
+  run_buildah inspect --format '{{ index .Docker.Config.Labels "license"}}' exp
+  expect_output "MIT" "license must be MIT from fedora base image"
+  run_buildah inspect --format '{{ index .Docker.Config.Labels "name"}}' exp
+  expect_output "fedora-minimal" "name must be fedora from base image"
+
+  run_buildah build $WITH_POLICY_JSON --inherit-labels=false --label hello=world -t exp -f $BUDFILES/base-with-labels/Containerfile
+  # no labels should be inherited from base image only the, buildah version label
+  # and `hello=world` which we just added using cli flag
+  want_output='map["hello":"world" "io.buildah.version":"'$buildah_version'"]'
+  run_buildah inspect --format '{{printf "%q" .Docker.Config.Labels}}' exp
+  expect_output "$want_output"
+  
+  # Try building another file with multiple layers 
+  run_buildah build $WITH_POLICY_JSON --layers -t exp -f $BUDFILES/base-with-labels/Containerfile.layer
+  run_buildah inspect --format '{{ index .Docker.Config.Labels "license"}}' exp
+  expect_output "MIT" "license must be MIT from fedora base image"
+  run_buildah inspect --format '{{ index .Docker.Config.Labels "name"}}' exp
+  expect_output "world" "name must be world from Containerfile"
+
+  # Now build same file with  --inherit-labels=false and verify if we are not using the cache again.
+  run_buildah build $WITH_POLICY_JSON --layers --inherit-labels=false -t exp -f $BUDFILES/base-with-labels/Containerfile.layer
+  # Should not contain `Using cache` at all since
+  assert "$output" !~ "Using cache"
+  want_output='map["io.buildah.version":"'$buildah_version'" "name":"world"]'
+  run_buildah inspect --format '{{printf "%q" .Docker.Config.Labels}}' exp
+  expect_output "$want_output"
+
+  # Now build same file with  --inherit-labels=true and verify if using the cache
+  run_buildah build $WITH_POLICY_JSON --layers --inherit-labels=true -t exp -f $BUDFILES/base-with-labels/Containerfile.layer
+  # Should contain `Using cache` at all since
+  expect_output --substring " Using cache"
+  run_buildah inspect --format '{{ index .Docker.Config.Labels "license"}}' exp
+  expect_output "MIT" "license must be MIT from fedora base image"
+  run_buildah inspect --format '{{ index .Docker.Config.Labels "name"}}' exp
+  expect_output "world" "name must be world from Containerfile"
+}
+
 @test "build using intermediate images should not inherit label" {
   _prefetch alpine
 

tests/bud/base-with-labels/Containerfile.layer

@@ -0,0 +1,4 @@
+FROM registry.fedoraproject.org/fedora-minimal
+LABEL name world
+RUN echo world
+RUN echo hello