buildkit: supports additionalBuildContext in builds via --build-context

As builds got more complicated, the ability to only access files from one location became quite limiting. With `multi-stage` builds where you can `copy` files from other parts of the Containerfile by adding the `--from` flag and pointing it to the name of another Containerfile stage or a remote image.

The new named build context feature is an extension of this pattern. You can now define additional build contexts when running the build command, give them a name, and then access them inside a Dockerfile the same way you previously did with build stages.

Additional build contexts can be defined with a new `--build-context [name]=[value]` flag. The key component defines the name for your build context and the value can be:

```console

    Local directory – e.g. --build-context project2=../path/to/project2/src
    HTTP URL to a tarball – e.g. --build-context src=https://example.org/releases/src.tar
    Container image – Define with a docker-image:// prefix, e.g. --build-context alpine=docker-image://alpine:3.15, ( also supports docker://, container-image:// )
```

On the Containerfile side, you can reference the build context on all commands that accept the “from” parameter. Here’s how that might look:
```Dockerfile
FROM [name]
COPY --from=[name] ...
RUN --mount=from=[name] …
```

The value of [name] is matched with the following priority order:

* Named build context defined with `--build-context [name]=..`
* Stage defined with `AS [name]` inside Dockerfile
* Remote image `[name]` in a container registry

Added Features

* Pinning images for `FROM` and `COPY`
* Specifying multiple buildcontexts from different projects
  and using them with `--from` in `ADD` and `COPY` directive
* Override a Remote Dependency with a Local One.
* Using additional context from external `Tar`

Signed-off-by: Aditya R <[email protected]>

Author: flouthoc

cmd/buildah/build.go

@@ -157,6 +157,20 @@ func buildCmd(c *cobra.Command, inputArgs []string, iopts buildOptions) error {
 		}
 	}
 
+	additionalBuildContext := make(map[string]*define.AdditionalBuildContext)
+	if c.Flag("build-context").Changed {
+		for _, contextString := range iopts.BuildContext {
+			av := strings.SplitN(contextString, "=", 2)
+			if len(av) > 1 {
+				parseAdditionalBuildContext, err := parse.GetAdditionalBuildContext(av[1])
+				if err != nil {
+					return errors.Wrapf(err, "while parsing additional build context")
+				}
+				additionalBuildContext[av[0]] = &parseAdditionalBuildContext
+			}
+		}
+	}
+
 	containerfiles := getContainerfiles(iopts.File)
 	format, err := getFormat(iopts.Format)
 	if err != nil {
@@ -344,6 +358,7 @@ func buildCmd(c *cobra.Command, inputArgs []string, iopts buildOptions) error {
 		Annotations:             iopts.Annotation,
 		Architecture:            systemContext.ArchitectureChoice,
 		Args:                    args,
+		AdditionalBuildContexts: additionalBuildContext,
 		BlobDirectory:           iopts.BlobCache,
 		CNIConfigDir:            iopts.CNIConfigDir,
 		CNIPluginPath:           iopts.CNIPlugInPath,

define/build.go

@@ -11,6 +11,21 @@ import (
 	"golang.org/x/sync/semaphore"
 )
 
+// AdditionalBuildContext contains verbose details about a parsed build context from --build-context
+type AdditionalBuildContext struct {
+	// Value is the URL of an external tar archive.
+	IsURL bool
+	// Value is the name of an image which may or may not have already been pulled.
+	IsImage bool
+	// Value holds a URL, an image name, or an absolute filesystem path.
+	Value string
+	// Absolute filesystem path to downloaded and exported build context
+	// from external tar archive. This will be populated only if following
+	// buildcontext is created from IsURL and was downloaded before in any
+	// of the RUN step.
+	DownloadedCache string
+}
+
 // CommonBuildOptions are resources that can be defined by flags for both buildah from and build
 type CommonBuildOptions struct {
 	// AddHost is the list of hostnames to add to the build container's /etc/hosts.
@@ -121,6 +136,8 @@ type BuildOptions struct {
 	Compression archive.Compression
 	// Arguments which can be interpolated into Dockerfiles
 	Args map[string]string
+	// Map of external additional build contexts
+	AdditionalBuildContexts map[string]*AdditionalBuildContext
 	// Name of the image to write to.
 	Output string
 	// BuildOutput specifies if any custom build output is selected for following build.

docs/buildah-build.1.md

@@ -68,6 +68,32 @@ resulting image's configuration.
 Please refer to the [BUILD TIME VARIABLES](#build-time-variables) section for the
 list of variables that can be overridden within the Containerfile at run time.
 
+**--build-context** *name=value*
+
+Specify an additional build context using its short name and its location. Additional
+build contexts can be referenced in the same manner as we access different stages in `COPY`
+instruction.
+
+Valid values could be:
+* Local directory – e.g. --build-context project2=../path/to/project2/src
+* HTTP URL to a tarball – e.g. --build-context src=https://example.org/releases/src.tar
+* Container image – specified with a container-image:// prefix, e.g. --build-context alpine=container-image://alpine:3.15, ( also accepts docker://, docker-image://)
+
+On the Containerfile side, you can reference the build context on all commands that accept the “from” parameter.
+Here’s how that might look:
+
+```Dockerfile
+FROM [name]
+COPY --from=[name] ...
+RUN --mount=from=[name] …
+```
+
+The value of `[name]` is matched with the following priority order:
+
+* Named build context defined with --build-context [name]=..
+* Stage defined with AS [name] inside Containerfile
+* Image [name], either local or in a remote registry
+
 **--cache-from**
 
 Images to utilise as potential cache sources. Buildah does not currently support --cache-from so this is a NOOP.

imagebuildah/build.go

@@ -211,7 +211,12 @@ func BuildDockerfiles(ctx context.Context, store storage.Store, options define.B
 	}
 
 	if options.AllPlatforms {
-		options.Platforms, err = platformsForBaseImages(ctx, logger, paths, files, options.From, options.Args, options.SystemContext)
+		additionalBuildContexts := options.AdditionalBuildContexts
+		if additionalBuildContexts == nil {
+			// Create empty map for additionalbuildContexts
+			additionalBuildContexts = make(map[string]*define.AdditionalBuildContext)
+		}
+		options.Platforms, err = platformsForBaseImages(ctx, logger, paths, files, options.From, options.Args, additionalBuildContexts, options.SystemContext)
 		if err != nil {
 			return "", nil, err
 		}
@@ -502,8 +507,8 @@ func preprocessContainerfileContents(logger *logrus.Logger, containerfile string
 // platformsForBaseImages resolves the names of base images from the
 // dockerfiles, and if they are all valid references to manifest lists, returns
 // the list of platforms that are supported by all of the base images.
-func platformsForBaseImages(ctx context.Context, logger *logrus.Logger, dockerfilepaths []string, dockerfiles [][]byte, from string, args map[string]string, systemContext *types.SystemContext) ([]struct{ OS, Arch, Variant string }, error) {
-	baseImages, err := baseImages(dockerfilepaths, dockerfiles, from, args)
+func platformsForBaseImages(ctx context.Context, logger *logrus.Logger, dockerfilepaths []string, dockerfiles [][]byte, from string, args map[string]string, additionalBuildContext map[string]*define.AdditionalBuildContext, systemContext *types.SystemContext) ([]struct{ OS, Arch, Variant string }, error) {
+	baseImages, err := baseImages(logger, dockerfilepaths, dockerfiles, from, args, additionalBuildContext)
 	if err != nil {
 		return nil, errors.Wrapf(err, "determining list of base images")
 	}
@@ -631,7 +636,7 @@ func platformsForBaseImages(ctx context.Context, logger *logrus.Logger, dockerfi
 // stage's base image with FROM, and returns the list of base images as
 // provided.  Each entry in the dockerfilenames slice corresponds to a slice in
 // dockerfilecontents.
-func baseImages(dockerfilenames []string, dockerfilecontents [][]byte, from string, args map[string]string) ([]string, error) {
+func baseImages(logger *logrus.Logger, dockerfilenames []string, dockerfilecontents [][]byte, from string, args map[string]string, additionalBuildContext map[string]*define.AdditionalBuildContext) ([]string, error) {
 	mainNode, err := imagebuilder.ParseDockerfile(bytes.NewReader(dockerfilecontents[0]))
 	if err != nil {
 		return nil, errors.Wrapf(err, "error parsing main Dockerfile: %s", dockerfilenames[0])
@@ -670,6 +675,13 @@ func baseImages(dockerfilenames []string, dockerfilecontents [][]byte, from stri
 							child.Next.Value = from
 							from = ""
 						}
+						if replaceBuildContext, ok := additionalBuildContext[child.Next.Value]; ok {
+							if replaceBuildContext.IsImage {
+								child.Next.Value = replaceBuildContext.Value
+							} else {
+								logger.Warnf("additionalContext for nickname %q was found but its not an image hence it will be not used with FROM %q", child.Next.Value, child.Next.Value)
+							}
+						}
 						base := child.Next.Value
 						if base != "scratch" && !nicknames[base] {
 							// TODO: this didn't undergo variable and arg

imagebuildah/executor.go

@@ -126,6 +126,7 @@ type Executor struct {
 	imageInfoLock           sync.Mutex
 	imageInfoCache          map[string]imageTypeAndHistoryAndDiffIDs
 	fromOverride            string
+	additionalBuildContexts map[string]*define.AdditionalBuildContext
 	manifest                string
 	secrets                 map[string]define.Secret
 	sshsources              map[string]*sshagent.Source
@@ -275,6 +276,7 @@ func newExecutor(logger *logrus.Logger, logPrefix string, store storage.Store, o
 		rusageLogFile:                  rusageLogFile,
 		imageInfoCache:                 make(map[string]imageTypeAndHistoryAndDiffIDs),
 		fromOverride:                   options.From,
+		additionalBuildContexts:        options.AdditionalBuildContexts,
 		manifest:                       options.Manifest,
 		secrets:                        secrets,
 		sshsources:                     sshsources,
@@ -609,6 +611,12 @@ func (b *Executor) Build(ctx context.Context, stages imagebuilder.Stages) (image
 						}
 						base := child.Next.Value
 						if base != "scratch" {
+							if replaceBuildContext, ok := b.additionalBuildContexts[child.Next.Value]; ok {
+								if replaceBuildContext != nil && replaceBuildContext.IsImage {
+									child.Next.Value = replaceBuildContext.Value
+									base = child.Next.Value
+								}
+							}
 							userArgs := argsMapToSlice(stage.Builder.Args)
 							baseWithArg, err := imagebuilder.ProcessWord(base, userArgs)
 							if err != nil {

imagebuildah/stage_executor.go

@@ -362,25 +362,78 @@ func (s *StageExecutor) Copy(excludes []string, copies ...imagebuilder.Copy) err
 		stripSetgid := false
 		preserveOwnership := false
 		contextDir := s.executor.contextDir
+
 		if len(copy.From) > 0 {
+			// If additionalContext is selected do not process anything else
+			didSelectAdditionalContext := false
+			// If additionalContext is selected but it was image only process
+			// image and ignore stages if any. [ Buildx parity ]
+			didSelectImageAsAdditionalContext := false
 			// If from has an argument within it, resolve it to its
 			// value.  Otherwise just return the value found.
 			from, fromErr := imagebuilder.ProcessWord(copy.From, s.stage.Builder.Arguments())
 			if fromErr != nil {
 				return errors.Wrapf(fromErr, "unable to resolve argument %q", copy.From)
 			}
-			if isStage, err := s.executor.waitForStage(s.ctx, from, s.stages[:s.index]); isStage && err != nil {
-				return err
+			if additionalBuildContext, ok := s.executor.additionalBuildContexts[from]; ok {
+				if additionalBuildContext != nil {
+					didSelectAdditionalContext = true
+					if !additionalBuildContext.IsImage {
+						contextDir = additionalBuildContext.Value
+						if additionalBuildContext.IsURL {
+							// Check if following buildContext was already downloaded before in any other RUN step.
+							// If yes lets check if we are hitting any cache and cache actually exists on host.
+							cacheExistsOnHost := false
+							if additionalBuildContext.DownloadedCache != "" {
+								if stat, err := os.Stat(additionalBuildContext.DownloadedCache); err == nil && stat.IsDir() {
+									cacheExistsOnHost = true
+								}
+							}
+							if !cacheExistsOnHost {
+								// additional context contains a tar file
+								// so download and explode tar to buildah
+								// temp and point context to that.
+								path, subdir, err := define.TempDirForURL(internalUtil.GetTempDir(), internal.BuildahExternalArtifactsDir, additionalBuildContext.Value)
+								if err != nil {
+									return errors.Wrapf(err, "unable to download context from external source %q", additionalBuildContext.Value)
+								}
+								// point context dir to the extracted path
+								contextDir = filepath.Join(path, subdir)
+								// populate cache for next RUN step
+								additionalBuildContext.DownloadedCache = contextDir
+							} else {
+								contextDir = additionalBuildContext.DownloadedCache
+							}
+						}
+					} else {
+						didSelectImageAsAdditionalContext = true
+						copy.From = additionalBuildContext.Value
+					}
+				}
 			}
-			if other, ok := s.executor.stages[from]; ok && other.index < s.index {
-				contextDir = other.mountPoint
-				idMappingOptions = &other.builder.IDMappingOptions
-			} else if builder, ok := s.executor.containerMap[copy.From]; ok {
-				contextDir = builder.MountPoint
-				idMappingOptions = &builder.IDMappingOptions
-			} else {
-				return errors.Errorf("the stage %q has not been built", copy.From)
+			if !didSelectAdditionalContext {
+				if isStage, err := s.executor.waitForStage(s.ctx, from, s.stages[:s.index]); isStage && err != nil {
+					return err
+				}
+				if other, ok := s.executor.stages[from]; ok && other.index < s.index {
+					contextDir = other.mountPoint
+					idMappingOptions = &other.builder.IDMappingOptions
+				} else if builder, ok := s.executor.containerMap[copy.From]; ok {
+					contextDir = builder.MountPoint
+					idMappingOptions = &builder.IDMappingOptions
+				} else {
+					return errors.Errorf("the stage %q has not been built", copy.From)
+				}
+			} else if didSelectImageAsAdditionalContext {
+				// Image was selected as additionalContext so only process image.
+				if builder, ok := s.executor.containerMap[copy.From]; ok {
+					contextDir = builder.MountPoint
+					idMappingOptions = &builder.IDMappingOptions
+				} else {
+					return errors.Errorf("the image %q is not mounted", copy.From)
+				}
 			}
+			// Original behaviour of buildah still stays true for COPY irrespective of additional context.
 			preserveOwnership = true
 			copyExcludes = excludes
 		} else {
@@ -446,6 +499,61 @@ func (s *StageExecutor) runStageMountPoints(mountList []string) (map[string]inte
 					if fromErr != nil {
 						return nil, errors.Wrapf(fromErr, "unable to resolve argument %q", kv[1])
 					}
+					// If additional buildContext contains this
+					// give priority to that and break if additional
+					// is not an external image.
+					if additionalBuildContext, ok := s.executor.additionalBuildContexts[from]; ok {
+						if additionalBuildContext != nil {
+							if additionalBuildContext.IsImage {
+								mountPoint, err := s.getImageRootfs(s.ctx, additionalBuildContext.Value)
+								if err != nil {
+									return nil, errors.Errorf("%s from=%s: no stage or image found with that name", flag, from)
+								}
+								// The `from` in stageMountPoints should point
+								// to `mountPoint` replaced from additional
+								// build-context. Reason: Parser will use this
+								//  `from` to refer from stageMountPoints map later.
+								stageMountPoints[from] = internal.StageMountDetails{IsStage: false, MountPoint: mountPoint}
+								break
+							} else {
+								// Most likely this points to path on filesystem
+								// or external tar archive, Treat it as a stage
+								// nothing is different for this. So process and
+								// point mountPoint to path on host and it will
+								// be automatically handled correctly by since
+								// GetBindMount will honor IsStage:false while
+								// processing stageMountPoints.
+								mountPoint := additionalBuildContext.Value
+								if additionalBuildContext.IsURL {
+									// Check if following buildContext was already downloaded before in any other RUN step.
+									// If yes lets check if we are hitting any cache and cache actually exists on host.
+									cacheExistsOnHost := false
+									if additionalBuildContext.DownloadedCache != "" {
+										if stat, err := os.Stat(additionalBuildContext.DownloadedCache); err == nil && stat.IsDir() {
+											cacheExistsOnHost = true
+										}
+									}
+									if !cacheExistsOnHost {
+										// additional context contains a tar file
+										// so download and explode tar to buildah
+										// temp and point context to that.
+										path, subdir, err := define.TempDirForURL(internalUtil.GetTempDir(), internal.BuildahExternalArtifactsDir, additionalBuildContext.Value)
+										if err != nil {
+											return nil, errors.Wrapf(err, "unable to download context from external source %q", additionalBuildContext.Value)
+										}
+										// point context dir to the extracted path
+										mountPoint = filepath.Join(path, subdir)
+										// populate cache for next RUN step
+										additionalBuildContext.DownloadedCache = mountPoint
+									} else {
+										mountPoint = additionalBuildContext.DownloadedCache
+									}
+								}
+								stageMountPoints[from] = internal.StageMountDetails{IsStage: true, MountPoint: mountPoint}
+								break
+							}
+						}
+					}
 					// If the source's name corresponds to the
 					// result of an earlier stage, wait for that
 					// stage to finish being built.
@@ -923,6 +1031,27 @@ func (s *StageExecutor) Execute(ctx context.Context, base string) (imgID string,
 				if fromErr != nil {
 					return "", nil, errors.Wrapf(fromErr, "unable to resolve argument %q", arr[1])
 				}
+				// If additional buildContext contains this
+				// give priority to that and break if additional
+				// is not an external image.
+				if additionalBuildContext, ok := s.executor.additionalBuildContexts[from]; ok {
+					if additionalBuildContext != nil {
+						if !additionalBuildContext.IsImage {
+							// We don't need to pull this
+							// since this additional context
+							// is not an image.
+							break
+						} else {
+							// replace with image set in build context
+							from = additionalBuildContext.Value
+							if _, err := s.getImageRootfs(ctx, from); err != nil {
+								return "", nil, errors.Errorf("%s --from=%s: no stage or image found with that name", command, from)
+							}
+							break
+						}
+					}
+				}
+
 				// If the source's name corresponds to the
 				// result of an earlier stage, wait for that
 				// stage to finish being built.

internal/parse/parse.go

@@ -309,7 +309,7 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 		// add subdirectory if specified
 
 		// cache parent directory
-		cacheParent := filepath.Join(getTempDir(), BuildahCacheDir)
+		cacheParent := filepath.Join(internalUtil.GetTempDir(), BuildahCacheDir)
 		// create cache on host if not present
 		err = os.MkdirAll(cacheParent, os.FileMode(0755))
 		if err != nil {
@@ -597,12 +597,3 @@ func GetTmpfsMount(args []string) (specs.Mount, error) {
 
 	return newMount, nil
 }
-
-/* This is internal function and could be changed at any time */
-/* for external usage please refer to buildah/pkg/parse.GetTempDir() */
-func getTempDir() string {
-	if tmpdir, ok := os.LookupEnv("TMPDIR"); ok {
-		return tmpdir
-	}
-	return "/var/tmp"
-}

internal/types.go

@@ -1,5 +1,11 @@
 package internal
 
+const (
+	// Temp directory which stores external artifacts which are download for a build.
+	// Example: tar files from external sources.
+	BuildahExternalArtifactsDir = "buildah-external-artifacts"
+)
+
 // Types is internal packages are suspected to change with releases avoid using these outside of buildah
 
 // StageMountDetails holds the Stage/Image mountpoint returned by StageExecutor

internal/util/util.go

@@ -32,6 +32,14 @@ func LookupImage(ctx *types.SystemContext, store storage.Store, image string) (*
 	return localImage, nil
 }
 
+// GetTempDir returns base for a temporary directory on host.
+func GetTempDir() string {
+	if tmpdir, ok := os.LookupEnv("TMPDIR"); ok {
+		return tmpdir
+	}
+	return "/var/tmp"
+}
+
 // ExportFromReader reads bytes from given reader and exports to external tar, directory or stdout.
 func ExportFromReader(input io.Reader, opts define.BuildOutputOption) error {
 	var err error