isula-build: bump version to 0.9.5

Signed-off-by: DCCooper <1866858@gmail.com>
2021-01-26 15:45:02 +08:00 · 2021-01-26 15:45:02 +08:00 · 2342a5e3c9
commit 2342a5e3c9
parent 07e05fa10b
19 changed files with 33 additions and 7498 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-0.9.4-14
+0.9.5-1
--- a/2
+++ b/2
@ -1 +1 @@
-5304a15d147e95e6add30b8871eb40f457399ec1
+862d3b9742ceb1028d154284b5af5a889db99633
--- a/isula-build.spec
+++ b/isula-build.spec
@ -1,8 +1,8 @@
 %global is_systemd 1

 Name: isula-build
-Version: 0.9.4
-Release: 14
+Version: 0.9.5
+Release: 1
 Summary: A tool to build container images
 License: Mulan PSL V2
 URL: https://gitee.com/openeuler/isula-build
@ -85,6 +85,12 @@ fi
 /usr/share/bash-completion/completions/isula-build

 %changelog
+* Tue Jan 26 2021 lixiang <lixiang172@huawei.com> - 0.9.5-1
+- Type:enhancement
+- CVE:NA
+- SUG:restart
+- DESC:Bump version to 0.9.5
+
 * Fri Dec 11 2020 lixiang <lixiang172@huawei.com> - 0.9.4-14
 - Type:enhancement
 - CVE:NA
--- a/patch/0030-xattr-support-ima-and-evm.patch
+++ b/patch/0030-xattr-support-ima-and-evm.patch
@ -1,20 +1,17 @@
-From b179511d671e84c83d895444f1d0bc45152dc3ba Mon Sep 17 00:00:00 2001
+From 2b27e392632fa0506fef9d5d882ed72a92973e27 Mon Sep 17 00:00:00 2001
 From: yangfeiyu <yangfeiyu2@huawei.com>
-Date: Sat, 22 Aug 2020 16:44:16 +0800
+Date: Tue, 26 Jan 2021 15:24:39 +0800
 Subject: [PATCH] xattr: support ima and evm

 reason: support ima and evm

 Signed-off-by: yangfeiyu <yangfeiyu2@huawei.com>
 ---
- .../containers/storage/pkg/archive/archive.go | 50 +++++++++----------
- 1 file changed, 25 insertions(+), 25 deletions(-)
- mode change 100644 => 100755 vendor/github.com/containers/storage/pkg/archive/archive.go
+ vendor/github.com/containers/storage/pkg/archive/archive.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/vendor/github.com/containers/storage/pkg/archive/archive.go b/vendor/github.com/containers/storage/pkg/archive/archive.go
-old mode 100644
-new mode 100755
-index 78744e0..dd3b750
+index 4472511..479ade8 100644
 --- a/vendor/github.com/containers/storage/pkg/archive/archive.go
 +++ b/vendor/github.com/containers/storage/pkg/archive/archive.go
@@ -396,7 +396,7 @@ func ReadSecurityXattrToTarHeader(path string, hdr *tar.Header) error {
@ -26,68 +23,6 @@ index 78744e0..dd3b750
 		capability, err := system.Lgetxattr(path, xattr)
 		if err != nil && err != system.EOPNOTSUPP && err != system.ErrNotSupportedPlatform {
 			return errors.Wrapf(err, "failed to read %q attribute from %q", xattr, path)
-@@ -693,30 +693,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, L
- 			}
- 		}
- 	}
-
-	var errors []string
-	for key, value := range hdr.Xattrs {
-		if err := system.Lsetxattr(path, key, []byte(value), 0); err != nil {
-			if err == syscall.ENOTSUP || (err == syscall.EPERM && inUserns) {
-				// We ignore errors here because not all graphdrivers support
-				// xattrs *cough* old versions of AUFS *cough*. However only
-				// ENOTSUP should be emitted in that case, otherwise we still
-				// bail.  We also ignore EPERM errors if we are running in a
-				// user namespace.
-				errors = append(errors, err.Error())
-				continue
-			}
-			return err
-		}
-
-	}
-
-	if len(errors) > 0 {
-		logrus.WithFields(logrus.Fields{
-			"errors": errors,
-		}).Warn("ignored xattrs in archive: underlying filesystem doesn't support them")
-	}
-
-+	
- 	// There is no LChmod, so ignore mode for symlink. Also, this
- 	// must happen after chown, as that can modify the file mode
- 	if err := handleLChmod(hdr, path, hdrInfo); err != nil {
-@@ -746,6 +723,29 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, L
- 			return err
- 		}
- 	}
-+
-+	var errors []string
-+	for key, value := range hdr.Xattrs {
-+		if err := system.Lsetxattr(path, key, []byte(value), 0); err != nil {
-+			if err == syscall.ENOTSUP || (err == syscall.EPERM && inUserns) {
-+				// We ignore errors here because not all graphdrivers support
-+				// xattrs *cough* old versions of AUFS *cough*. However only
-+				// ENOTSUP should be emitted in that case, otherwise we still
-+				// bail.  We also ignore EPERM errors if we are running in a
-+				// user namespace.
-+				errors = append(errors, err.Error())
-+				continue
-+			}
-+			return err
-+		}
-+
-+	}
-+
-+	if len(errors) > 0 {
-+		logrus.WithFields(logrus.Fields{
-+			"errors": errors,
-+		}).Warn("ignored xattrs in archive: underlying filesystem doesn't support them")
-+	}
- 	return nil
- }
- 
 -- 
-2.23.0
+2.27.0

--- a/patch/0033-isula-build-remove-docker-releated-path-for-authenti.patch
+++ b/patch/0033-isula-build-remove-docker-releated-path-for-authenti.patch
@ -1,30 +1,32 @@
-From 1c39c596b5d4a07f88edbc8200a9952e357561f2 Mon Sep 17 00:00:00 2001
-From: lixiang <lixiang172@huawei.com>
-Date: Fri, 4 Sep 2020 09:42:31 +0800
-Subject: [PATCH] isula-build:remove docker releated path for authentication
+From d92dfab842cb72f695b704dfc8bf889378864432 Mon Sep 17 00:00:00 2001
+From: build <build@obs.com>
+Date: Tue, 26 Jan 2021 15:43:01 +0800
+Subject: [PATCH] isula-build:remove docker related path for authentication

-reason: remove docker releated authentication path ${HOME}/.docker/config.json and ${HOME}/.dockercfg
-
-Signed-off-by: lixiang <lixiang172@huawei.com>
+reason: remove docker related authentication path ${HOME}/.docker/config.json and ${HOME}/.dockercfg
 ---
- .../containers/image/v5/pkg/docker/config/config.go           | 4 ----
- 1 file changed, 4 deletions(-)
+ .../containers/image/v5/pkg/docker/config/config.go        | 7 -------
+ 1 file changed, 7 deletions(-)

 diff --git a/vendor/github.com/containers/image/v5/pkg/docker/config/config.go b/vendor/github.com/containers/image/v5/pkg/docker/config/config.go
-index 1a2ed7c3..125e21d9 100644
+index cf82ee8..1165d15 100644
 --- a/vendor/github.com/containers/image/v5/pkg/docker/config/config.go
 +++ b/vendor/github.com/containers/image/v5/pkg/docker/config/config.go
-@@ -159,10 +159,6 @@ func getAuthFilePaths(sys *types.SystemContext) []authPath {
- 		// Logging the error as a warning instead and moving on to pulling the image
- 		logrus.Warnf("%v: Trying to pull image in the event that it is a public image.", err)
- 	}
+@@ -146,14 +146,7 @@ func getAuthFilePaths(sys *types.SystemContext) []authPath {
+ 		paths = append(paths,
+ 			authPath{path: filepath.Join(dockerConfig, "config.json"), legacyFormat: false},
+ 		)
+-	} else {
 -		paths = append(paths,
 -			authPath{path: filepath.Join(homedir.Get(), dockerHomePath), legacyFormat: false},
+-		)
+ 	}
+-	paths = append(paths,
 -		authPath{path: filepath.Join(homedir.Get(), dockerLegacyHomePath), legacyFormat: true},
 -	)
 	return paths
 }
 
 -- 
-2.19.1
+2.27.0

--- a/patch/0065-fix-panic-when-user-knock-ctrl-c-when-pull-push-and-.patch
+++ b/patch/0065-fix-panic-when-user-knock-ctrl-c-when-pull-push-and-.patch
@ -1,135 +0,0 @@
-From a33d6ae4fb22a4d72d714733b3045272e050c0d7 Mon Sep 17 00:00:00 2001
-From: xingweizheng 00591739 <xingweizheng@huawei.com>
-Date: Mon, 9 Nov 2020 13:54:57 +0800
-Subject: [PATCH] fix panic when user knock ctrl+c when pull, push and save
-
---
- daemon/pull.go | 24 +++++++++---------------
- daemon/push.go | 24 +++++++++---------------
- daemon/save.go | 29 +++++++++--------------------
- 3 files changed, 27 insertions(+), 50 deletions(-)
-
-diff --git a/daemon/pull.go b/daemon/pull.go
-index f9dee3e..56be755 100644
--- a/daemon/pull.go
-+++ b/daemon/pull.go
-@@ -59,23 +59,17 @@ func (b *Backend) Pull(req *pb.PullRequest, stream pb.Control_PullServer) error
- 	eg.Go(pullMessageHandler(stream, opt.logger))
- 	errC := make(chan error, 1)
- 
-	go func() { errC <- eg.Wait() }()
-+	errC <- eg.Wait()
- 	defer close(errC)
- 
-	select {
-	case err2 := <-errC:
-		if err2 != nil {
-			return err2
-		}
-	case _, ok := <-stream.Context().Done():
-		if !ok {
-			logrus.WithField(util.LogKeySessionID, opt.pullID).Info("Channel stream done closed")
-			return nil
-		}
-		err := egCtx.Err()
-		if err != nil && err != context.Canceled {
-			logrus.WithField(util.LogKeySessionID, opt.pullID).Warnf("Stream closed with: %v", err)
-		}
-+	err, ok := <-errC
-+	if !ok {
-+		logrus.WithField(util.LogKeySessionID, opt.pullID).Info("Channel errC closed")
-+		return nil
-+	}
-+	if err != nil {
-+		logrus.WithField(util.LogKeySessionID, opt.pullID).Warnf("Stream closed with: %v", err)
-+		return err
- 	}
- 
- 	return nil
-diff --git a/daemon/push.go b/daemon/push.go
-index 712062e..ea5e47c 100644
--- a/daemon/push.go
-+++ b/daemon/push.go
-@@ -63,23 +63,17 @@ func (b *Backend) Push(req *pb.PushRequest, stream pb.Control_PushServer) error
- 	eg.Go(pushMessageHandler(stream, opt.logger))
- 	errC := make(chan error, 1)
- 
-	go func() { errC <- eg.Wait() }()
-+	errC <- eg.Wait()
- 	defer close(errC)
- 
-	select {
-	case err2 := <-errC:
-		if err2 != nil {
-			return err2
-		}
-	case _, ok := <-stream.Context().Done():
-		if !ok {
-			logrus.WithField(util.LogKeySessionID, opt.pushID).Info("Channel stream done closed")
-			return nil
-		}
-		err := egCtx.Err()
-		if err != nil && err != context.Canceled {
-			logrus.WithField(util.LogKeySessionID, opt.pushID).Warnf("Stream closed with: %v", err)
-		}
-+	err, ok := <-errC
-+	if !ok {
-+		logrus.WithField(util.LogKeySessionID, opt.pushID).Info("Channel errC closed")
-+		return nil
-+	}
-+	if err != nil {
-+		logrus.WithField(util.LogKeySessionID, opt.pushID).Warnf("Stream closed with: %v", err)
-+		return err
- 	}
- 
- 	return nil
-diff --git a/daemon/save.go b/daemon/save.go
-index 13ca8cd..156a1c2 100644
--- a/daemon/save.go
-+++ b/daemon/save.go
-@@ -102,33 +102,22 @@ func (b *Backend) Save(req *pb.SaveRequest, stream pb.Control_SaveServer) (err e
- 	}
- 
- 	ctx := context.WithValue(stream.Context(), util.LogFieldKey(util.LogKeySessionID), opts.saveID)
-	eg, egCtx := errgroup.WithContext(ctx)
-+	eg, _ := errgroup.WithContext(ctx)
- 
- 	eg.Go(exportHandler(ctx, stream, opts))
- 	eg.Go(messageHandler(stream, opts.logger))
- 	errC := make(chan error, 1)
- 
-	go func() { errC <- eg.Wait() }()
-+	errC <- eg.Wait()
- 	defer close(errC)
- 
-	select {
-	case err, ok = <-errC:
-		if !ok {
-			opts.logEntry.Info("Channel errC closed")
-			return nil
-		}
-		if err != nil {
-			return err
-		}
-	case _, ok := <-stream.Context().Done():
-		if !ok {
-			opts.logEntry.Info("Channel stream done closed")
-			return nil
-		}
-		err = egCtx.Err()
-		if err != nil && err != context.Canceled {
-			opts.logEntry.Infof("Stream closed with: %v", err)
-		}
-+	err, ok = <-errC
-+	if !ok {
-+		opts.logEntry.Info("Channel errC closed")
-+		return nil
-+	}
-+	if err != nil {
-+		return err
- 	}
- 
- 	return nil
-- 
-1.8.3.1
-
--- a/patch/0066-bugfix-chown-config-root-path-before-daemon-started.patch
+++ b/patch/0066-bugfix-chown-config-root-path-before-daemon-started.patch
@ -1,43 +0,0 @@
-From 11eac36a06326126ada8e42ea2b3bd0cfb9a3b4e Mon Sep 17 00:00:00 2001
-From: DCCooper <1866858@gmail.com>
-Date: Thu, 12 Nov 2020 15:39:33 +0800
-Subject: [PATCH] bugfix:chown config root path before daemon started
-
-Signed-off-by: DCCooper <1866858@gmail.com>
---
- cmd/daemon/main.go      | 6 ++++++
- cmd/daemon/main_test.go | 1 +
- 2 files changed, 7 insertions(+)
-
-diff --git a/cmd/daemon/main.go b/cmd/daemon/main.go
-index bd9c0cc..9fcde5c 100644
--- a/cmd/daemon/main.go
-+++ b/cmd/daemon/main.go
-@@ -276,6 +276,12 @@ func setupWorkingDirectories() error {
- 		}
- 	}
- 
-+	// change config root owner as group current defined
-+	if err := util.ChangeGroup(constant.ConfigRoot, daemonOpts.Group); err != nil {
-+		logrus.Errorf("Chown for %s failed: %v", constant.ConfigRoot, err)
-+		return err
-+	}
-+
- 	return nil
- }
- 
-diff --git a/cmd/daemon/main_test.go b/cmd/daemon/main_test.go
-index 46cc683..660d84d 100644
--- a/cmd/daemon/main_test.go
-+++ b/cmd/daemon/main_test.go
-@@ -97,6 +97,7 @@ func TestSetupWorkingDirectories(t *testing.T) {
- 			tt.prepareFunc(t)
- 			defer testDir.Remove()
- 
-+			daemonOpts.Group = "root"
- 			if err := setupWorkingDirectories(); (err != nil) != tt.wantErr {
- 				t.Errorf("testing failed! err = %v, wantErr = %v", err, tt.wantErr)
- 			}
-- 
-1.8.3.1
-
--- a/patch/0067-bugfix-fix-unsuitable-filemode-for-isula-build-er.patch
+++ b/patch/0067-bugfix-fix-unsuitable-filemode-for-isula-build-er.patch
@ -1,28 +0,0 @@
-From 06e8b4cf47eea4edfad8e9d37c094121d033d579 Mon Sep 17 00:00:00 2001
-From: DCCooper <1866858@gmail.com>
-Date: Tue, 17 Nov 2020 15:06:06 +0800
-Subject: [PATCH] bugfix: fix unsuitable filemode for isula-build(er)
-
-Signed-off-by: DCCooper <1866858@gmail.com>
---
- Makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index f4c95e35..11166cc2 100644
--- a/Makefile
-+++ b/Makefile
-@@ -95,8 +95,8 @@ proto:
- 
- .PHONY: install
- install:
-	install -D -m0555 bin/isula-build $(BINDIR)
-	install -D -m0555 bin/isula-builder $(BINDIR)
-+	install -D -m0551 bin/isula-build $(BINDIR)
-+	install -D -m0550 bin/isula-builder $(BINDIR)
- 	@[ ! -d ${CONFIG_DIR}/${CONFIG_FILE} ] && install -dm0640 ${CONFIG_DIR}
- 	@( [ -f ${CONFIG_DIR}/${CONFIG_FILE} ] && printf "%-20s %s\n" "${CONFIG_FILE}" "already exist in ${CONFIG_DIR}, please replace it manually." ) || install -D -m0600 ${LOCAL_CONF_PREFIX}/${CONFIG_FILE} ${CONFIG_DIR}/${CONFIG_FILE}
- 	@( [ -f ${CONFIG_DIR}/${POLICY_FILE} ] && printf "%-20s %s\n" "${POLICY_FILE}" "already exist in ${CONFIG_DIR}, please replace it manually." ) || install -D -m0600 ${LOCAL_CONF_PREFIX}/${POLICY_FILE} ${CONFIG_DIR}/${POLICY_FILE}
-- 
-2.19.1
-
--- a/patch/0068-isula-build-support-build-Dockerfile-only-have-FROM-.patch
+++ b/patch/0068-isula-build-support-build-Dockerfile-only-have-FROM-.patch
@ -1,283 +0,0 @@
-From 923ec55b36f0d3ec0065dc525e6a579b7b048663 Mon Sep 17 00:00:00 2001
-From: zvier <liuzekun@huawei.com>
-Date: Wed, 18 Nov 2020 14:56:08 +0800
-Subject: [PATCH] isula-build: support build Dockerfile only have FROM command
-
-Signed-off-by: liuzekun <liuzekun@huawei.com>
---
- Makefile                                 |  2 +-
- builder/dockerfile/builder_test.go       | 16 ++++-----
- builder/dockerfile/cmd_builder.go        |  1 +
- builder/dockerfile/cmd_builder_test.go   | 41 ++++++++++++------------
- builder/dockerfile/parser/parser.go      |  8 -----
- builder/dockerfile/parser/parser_test.go |  2 --
- builder/dockerfile/stage_builder.go      |  2 --
- 7 files changed, 31 insertions(+), 41 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index 11166cc2..7e268678 100644
--- a/Makefile
-+++ b/Makefile
-@@ -97,7 +97,7 @@ proto:
- install:
- 	install -D -m0551 bin/isula-build $(BINDIR)
- 	install -D -m0550 bin/isula-builder $(BINDIR)
-	@[ ! -d ${CONFIG_DIR}/${CONFIG_FILE} ] && install -dm0640 ${CONFIG_DIR}
-+	@[ ! -d ${CONFIG_DIR}/${CONFIG_FILE} ] && install -dm0650 ${CONFIG_DIR}
- 	@( [ -f ${CONFIG_DIR}/${CONFIG_FILE} ] && printf "%-20s %s\n" "${CONFIG_FILE}" "already exist in ${CONFIG_DIR}, please replace it manually." ) || install -D -m0600 ${LOCAL_CONF_PREFIX}/${CONFIG_FILE} ${CONFIG_DIR}/${CONFIG_FILE}
- 	@( [ -f ${CONFIG_DIR}/${POLICY_FILE} ] && printf "%-20s %s\n" "${POLICY_FILE}" "already exist in ${CONFIG_DIR}, please replace it manually." ) || install -D -m0600 ${LOCAL_CONF_PREFIX}/${POLICY_FILE} ${CONFIG_DIR}/${POLICY_FILE}
- 	@( [ -f ${CONFIG_DIR}/${REGIST_FILE} ] && printf "%-20s %s\n" "${REGIST_FILE}" "already exist in ${CONFIG_DIR}, please replace it manually." ) || install -D -m0600 ${LOCAL_CONF_PREFIX}/${REGIST_FILE} ${CONFIG_DIR}/${REGIST_FILE}
-diff --git a/builder/dockerfile/builder_test.go b/builder/dockerfile/builder_test.go
-index 94842c71..b02768ea 100644
--- a/builder/dockerfile/builder_test.go
-+++ b/builder/dockerfile/builder_test.go
-@@ -248,13 +248,13 @@ RUN ls
- 	}
- 
- 	// check the arg and env taken by the command: RUN ls
-	assert.DeepEqual(t, b.stageBuilders[0].commands[0].args,
-+	assert.DeepEqual(t, b.stageBuilders[0].commands[1].args,
- 		map[string]string{"no_proxy": "10.0.0.0"})
-	assert.DeepEqual(t, b.stageBuilders[1].commands[1].args,
-+	assert.DeepEqual(t, b.stageBuilders[1].commands[2].args,
- 		map[string]string{"testArg": "0.1", "no_proxy": "10.0.0.0"})
-	assert.DeepEqual(t, b.stageBuilders[2].commands[2].args,
-+	assert.DeepEqual(t, b.stageBuilders[2].commands[3].args,
- 		map[string]string{"no_proxy": "10.0.0.0"})
-	assert.DeepEqual(t, b.stageBuilders[2].commands[2].envs,
-+	assert.DeepEqual(t, b.stageBuilders[2].commands[3].envs,
- 		map[string]string{"testArg": "1.0"})
- }
- 
-@@ -291,13 +291,13 @@ RUN ls
- 	}
- 
- 	// check the arg and env taken by the command: RUN ls
-	assert.DeepEqual(t, b.stageBuilders[0].commands[0].args,
-+	assert.DeepEqual(t, b.stageBuilders[0].commands[1].args,
- 		map[string]string{"HTTPS_PROXY": "127.0.0.1"})
-	assert.DeepEqual(t, b.stageBuilders[1].commands[1].args,
-+	assert.DeepEqual(t, b.stageBuilders[1].commands[2].args,
- 		map[string]string{"testArg": "0.1", "HTTPS_PROXY": "127.0.0.1"})
-	assert.DeepEqual(t, b.stageBuilders[2].commands[2].args,
-+	assert.DeepEqual(t, b.stageBuilders[2].commands[3].args,
- 		map[string]string{"HTTPS_PROXY": "127.0.0.1"})
-	assert.DeepEqual(t, b.stageBuilders[2].commands[2].envs,
-+	assert.DeepEqual(t, b.stageBuilders[2].commands[3].envs,
- 		map[string]string{"testArg": "1.0"})
- }
- 
-diff --git a/builder/dockerfile/cmd_builder.go b/builder/dockerfile/cmd_builder.go
-index 65ae364d..8b0d5ab9 100644
--- a/builder/dockerfile/cmd_builder.go
-+++ b/builder/dockerfile/cmd_builder.go
-@@ -39,6 +39,7 @@ var (
- 
- func init() {
- 	cmdExecutors = map[string]func(cb *cmdBuilder) error{
-+		dockerfile.From:        executeNoop,
- 		dockerfile.Add:         executeAdd,
- 		dockerfile.Arg:         executeNoop,
- 		dockerfile.Copy:        executeCopy,
-diff --git a/builder/dockerfile/cmd_builder_test.go b/builder/dockerfile/cmd_builder_test.go
-index 471314ba..df1c08f9 100644
--- a/builder/dockerfile/cmd_builder_test.go
-+++ b/builder/dockerfile/cmd_builder_test.go
-@@ -113,7 +113,7 @@ func TestExecuteHealthCheck(t *testing.T) {
- 			}
- 			err := s.analyzeStage(context.Background())
- 			assert.NilError(t, err)
-			if err := s.commands[0].cmdExecutor(); (err != nil) != tt.wantErr {
-+			if err := s.commands[1].cmdExecutor(); (err != nil) != tt.wantErr {
- 				t.Errorf("CmdExecutor() error: %v, wantErr: %v", err, tt.wantErr)
- 			}
- 			tt.funcCheck(t, s)
-@@ -195,7 +195,7 @@ CMD [""]`,
- 			}
- 			err := s.analyzeStage(context.Background())
- 			assert.NilError(t, err)
-			if err := s.commands[0].cmdExecutor(); (err != nil) != tt.wantErr {
-+			if err := s.commands[1].cmdExecutor(); (err != nil) != tt.wantErr {
- 				t.Errorf("cmdExecutor() error: %v, wantErr: %v", err, tt.wantErr)
- 			}
- 			tt.funcCheck(t, s)
-@@ -288,7 +288,7 @@ SHELL ["/bin/bash", "-c"]`,
- 			}
- 			err := s.analyzeStage(context.Background())
- 			assert.NilError(t, err)
-			if err := s.commands[0].cmdExecutor(); (err != nil) != tt.wantErr {
-+			if err := s.commands[1].cmdExecutor(); (err != nil) != tt.wantErr {
- 				t.Errorf("SHELL cmdExecutor() error: %v, wantErr: %v", err, tt.wantErr)
- 			}
- 			tt.funcCheck(t, s)
-@@ -316,15 +316,15 @@ CMD ls`
- 	err := s.analyzeStage(context.Background())
- 	assert.NilError(t, err)
- 
-	if err := s.commands[0].cmdExecutor(); err != nil {
-+	if err := s.commands[1].cmdExecutor(); err != nil {
- 		t.Errorf("CMD cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.docker.Config.Cmd, strslice.StrSlice{"/bin/sh", "-c", "ls"})
- 
-	if err := s.commands[1].cmdExecutor(); err != nil {
-+	if err := s.commands[2].cmdExecutor(); err != nil {
- 		t.Errorf("SHELL cmdExecutor() error: %v", err)
- 	}
-	if err := s.commands[2].cmdExecutor(); err != nil {
-+	if err := s.commands[3].cmdExecutor(); err != nil {
- 		t.Errorf("CMD cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.shellForm, strslice.StrSlice{"/bin/bash", "-c"})
-@@ -360,9 +360,10 @@ func TestExecuteNoop(t *testing.T) {
- 
- 	// the "STEP 1: FROM alpine" in production is done at stageBuilder.prepare()
- 	// no cmdExecutor for FROM, so no print for FROM here
-	expectedString := `STEP  1: ARG testArg
-STEP  2: ENV env1=env2
-STEP  3: ONBUILD CMD ls
-+	expectedString := `STEP  1: FROM alpine
-+STEP  2: ARG testArg
-+STEP  3: ENV env1=env2
-+STEP  4: ONBUILD CMD ls
- `
- 	assert.Equal(t, stepPrints, expectedString)
- }
-@@ -441,7 +442,7 @@ ENTRYPOINT [""]`,
- 			}
- 			err := s.analyzeStage(context.Background())
- 			assert.NilError(t, err)
-			if err := s.commands[0].cmdExecutor(); (err != nil) != tt.wantErr {
-+			if err := s.commands[1].cmdExecutor(); (err != nil) != tt.wantErr {
- 				t.Errorf("cmdExecutor() error: %v, wantErr: %v", err, tt.wantErr)
- 			}
- 			tt.funcCheck(t, s)
-@@ -903,15 +904,15 @@ WORKDIR /c`
- 	}
- 	err := s.analyzeStage(context.Background())
- 	assert.NilError(t, err)
-	if err := s.commands[0].cmdExecutor(); err != nil {
-+	if err := s.commands[1].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.docker.Config.WorkingDir, "/a")
-	if err := s.commands[1].cmdExecutor(); err != nil {
-+	if err := s.commands[2].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.docker.Config.WorkingDir, "/b")
-	if err := s.commands[2].cmdExecutor(); err != nil {
-+	if err := s.commands[3].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.docker.Config.WorkingDir, "/c")
-@@ -938,15 +939,15 @@ WORKDIR c`
- 	}
- 	err := s.analyzeStage(context.Background())
- 	assert.NilError(t, err)
-	if err := s.commands[0].cmdExecutor(); err != nil {
-+	if err := s.commands[1].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.docker.Config.WorkingDir, "/a")
-	if err := s.commands[1].cmdExecutor(); err != nil {
-+	if err := s.commands[2].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.docker.Config.WorkingDir, "/a/b")
-	if err := s.commands[2].cmdExecutor(); err != nil {
-+	if err := s.commands[3].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.docker.Config.WorkingDir, "/a/b/c")
-@@ -973,15 +974,15 @@ WORKDIR $DIRPATH/$DIRNAME`
- 	}
- 	err := s.analyzeStage(context.Background())
- 	assert.NilError(t, err)
-	if err = s.commands[0].cmdExecutor(); err != nil {
-+	if err = s.commands[1].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.NilError(t, err)
-	if err = s.commands[1].cmdExecutor(); err != nil {
-+	if err = s.commands[2].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.NilError(t, err)
-	if err = s.commands[2].cmdExecutor(); err != nil {
-+	if err = s.commands[3].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.NilError(t, err)
-@@ -1025,7 +1026,7 @@ Maintainer iSula iSula@huawei.com`,
- 			}
- 			err := s.analyzeStage(context.Background())
- 			assert.NilError(t, err)
-			if err := s.commands[0].cmdExecutor(); (err != nil) != tt.wantErr {
-+			if err := s.commands[1].cmdExecutor(); (err != nil) != tt.wantErr {
- 				t.Errorf("cmdExecutor() error: %v, wantErr: %v", err, tt.wantErr)
- 			}
- 			tt.funcCheck(t, s)
-diff --git a/builder/dockerfile/parser/parser.go b/builder/dockerfile/parser/parser.go
-index e8711fe7..82835e67 100644
--- a/builder/dockerfile/parser/parser.go
-+++ b/builder/dockerfile/parser/parser.go
-@@ -196,8 +196,6 @@ func constructPages(lines []*parser.Line, onbuild bool) ([]*parser.Page, error)
- 		currentPage *parser.Page
- 		pageNum     int
- 	)
-	// a stage should have at least one FROM and one command
-	const minLinesPerPage = 2
- 
- 	for _, line := range lines {
- 		if line == nil {
-@@ -215,9 +213,6 @@ func constructPages(lines []*parser.Line, onbuild bool) ([]*parser.Page, error)
- 				return nil, errors.New("onbuild does not support the from command")
- 			}
- 			if currentPage != nil {
-				if !onbuild && len(currentPage.Lines) < minLinesPerPage {
-					return nil, errors.Errorf("stage %s should have at least one command", currentPage.Name)
-				}
- 				pages = append(pages, currentPage)
- 			}
- 
-@@ -254,9 +249,6 @@ func constructPages(lines []*parser.Line, onbuild bool) ([]*parser.Page, error)
- 		currentPage.End = line.End
- 		currentPage.AddLine(line)
- 	}
-	if !onbuild && len(currentPage.Lines) < minLinesPerPage {
-		return nil, errors.Errorf("stage %s should have at least one command", currentPage.Name)
-	}
- 	// the last stage always need to commit
- 	currentPage.NeedCommit = true
- 	pages = append(pages, currentPage)
-diff --git a/builder/dockerfile/parser/parser_test.go b/builder/dockerfile/parser/parser_test.go
-index 34b1a61c..fe27dd95 100644
--- a/builder/dockerfile/parser/parser_test.go
-+++ b/builder/dockerfile/parser/parser_test.go
-@@ -180,8 +180,6 @@ func TestParse(t *testing.T) {
- 		},
- 		{
- 			name:   "busybox_no_command",
-			isErr:  true,
-			errStr: "stage 1 should have at least one command",
- 		},
- 		{
- 			name:   "env_before_from",
-diff --git a/builder/dockerfile/stage_builder.go b/builder/dockerfile/stage_builder.go
-index 7c928e34..47f55bf1 100644
--- a/builder/dockerfile/stage_builder.go
-+++ b/builder/dockerfile/stage_builder.go
-@@ -172,9 +172,7 @@ func (s *stageBuilder) analyzeStage(ctx context.Context) error {
- 		cb := newCmdBuilder(ctx, line, s, stageArgs, stageEnvs)
- 
- 		switch line.Command {
-		// From cmd is already pre-processed, we just pass it
- 		case dockerfile.From:
-			continue
- 		case dockerfile.Arg:
- 			if cb.args, err = analyzeArg(s.builder, line, stageArgs, stageEnvs); err != nil {
- 				return err
-- 
-2.19.1
-
--- a/patch/0069-isula-build-mask-proc-pin_memory.patch
+++ b/patch/0069-isula-build-mask-proc-pin_memory.patch
@ -1,25 +0,0 @@
-From e85ac3e92535311cbed6a6c6b1e714b31c1fc980 Mon Sep 17 00:00:00 2001
-From: xiadanni <xiadanni1@huawei.com>
-Date: Fri, 20 Nov 2020 09:46:40 +0800
-Subject: [PATCH] isula-build: mask /proc/pin_memory
-
-Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
- constant.go | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/constant.go b/constant.go
-index 9c3f281..a0abfc9 100644
--- a/constant.go
-+++ b/constant.go
-@@ -97,6 +97,7 @@ var (
- 		"/proc/sig_catch",
- 		"/proc/kbox",
- 		"/proc/oom_extend",
-+		"/proc/pin_memory",
- 		"/sys/firmware",
- 		"/proc/cpuirqstat",
- 		"/proc/memstat",
-- 
-2.17.1
-
--- a/patch/0070-hack-add-compile-flag-ftrapv.patch
+++ b/patch/0070-hack-add-compile-flag-ftrapv.patch
@ -1,26 +0,0 @@
-From 9a212f5488b2e626eac23b2d0ab2dc6e288df5e7 Mon Sep 17 00:00:00 2001
-From: lixiang <lixiang172@huawei.com>
-Date: Fri, 27 Nov 2020 17:12:53 +0800
-Subject: [PATCH] hack:add compile flag ftrapv
-
-Signed-off-by: lixiang <lixiang172@huawei.com>
---
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 7e268678..f40941b4 100644
--- a/Makefile
-+++ b/Makefile
-@@ -22,7 +22,7 @@ BUILDTAGS := seccomp
- BUILDFLAGS := -tags "$(BUILDTAGS)"
- TMPDIR := /tmp/isula_build_tmpdir
- BEFLAG := -tmpdir=${TMPDIR}
-SAFEBUILDFLAGS := -buildid=IdByIsula -buildmode=pie -extldflags=-static -extldflags=-zrelro -extldflags=-znow $(LDFLAGS) $(BEFLAG)
-+SAFEBUILDFLAGS := -buildid=IdByIsula -buildmode=pie -extldflags=-ftrapv -extldflags=-static -extldflags=-zrelro -extldflags=-znow $(LDFLAGS) $(BEFLAG)
- 
- IMAGE_BUILDARGS := $(if $(http_proxy), --build-arg http_proxy=$(http_proxy))
- IMAGE_BUILDARGS += $(if $(https_proxy), --build-arg https_proxy=$(https_proxy))
-- 
-2.27.0
-
--- a/patch/0071-imporve-daemon-push-and-pull-unit-test.patch
+++ b/patch/0071-imporve-daemon-push-and-pull-unit-test.patch
@ -1,138 +0,0 @@
-From fa98d546f9ced2552c6df203cb049c6570b202b8 Mon Sep 17 00:00:00 2001
-From: xingweizheng 00591739 <xingweizheng@huawei.com>
-Date: Thu, 26 Nov 2020 16:19:43 +0800
-Subject: [PATCH 2/5] imporve daemon push and pull unit test
-
---
- daemon/pull_test.go | 18 ++++++++++++++
- daemon/push_test.go | 60 +++++++++++++++++++++++++++++++++++++++------
- 2 files changed, 71 insertions(+), 7 deletions(-)
-
-diff --git a/daemon/pull_test.go b/daemon/pull_test.go
-index 7a77c44c..43c011be 100644
--- a/daemon/pull_test.go
-+++ b/daemon/pull_test.go
-@@ -21,6 +21,7 @@ import (
- 
- 	"github.com/containers/storage/pkg/reexec"
- 	"github.com/containers/storage/pkg/stringid"
-+	"golang.org/x/sync/errgroup"
- 	"golang.org/x/sys/unix"
- 	"google.golang.org/grpc"
- 	"gotest.tools/assert"
-@@ -28,6 +29,7 @@ import (
- 
- 	constant "isula.org/isula-build"
- 	pb "isula.org/isula-build/api/services"
-+	"isula.org/isula-build/pkg/logger"
- 	"isula.org/isula-build/store"
- )
- 
-@@ -100,3 +102,19 @@ func TestPull(t *testing.T) {
- 	assert.ErrorContains(t, err, "failed to get the image")
- 	tmpClean(d)
- }
-+
-+func TestPullHandler(t *testing.T) {
-+	stream := &controlPullServer{}
-+	cliLogger := logger.NewCliLogger(constant.CliLogBufferLen)
-+
-+	ctx := context.TODO()
-+	eg, _ := errgroup.WithContext(ctx)
-+	eg.Go(pullMessageHandler(stream, cliLogger))
-+	eg.Go(func() error {
-+		cliLogger.Print("Pull Response")
-+		cliLogger.CloseContent()
-+		return nil
-+	})
-+
-+	eg.Wait()
-+}
-diff --git a/daemon/push_test.go b/daemon/push_test.go
-index 3fc363ec..97040b86 100644
--- a/daemon/push_test.go
-+++ b/daemon/push_test.go
-@@ -17,13 +17,16 @@ import (
- 	"context"
- 	"testing"
- 
-+	"github.com/containers/storage"
- 	"github.com/containers/storage/pkg/reexec"
- 	"github.com/containers/storage/pkg/stringid"
-+	"golang.org/x/sync/errgroup"
- 	"google.golang.org/grpc"
- 	"gotest.tools/assert"
- 
- 	constant "isula.org/isula-build"
- 	pb "isula.org/isula-build/api/services"
-+	"isula.org/isula-build/pkg/logger"
- )
- 
- type controlPushServer struct {
-@@ -45,13 +48,56 @@ func init() {
- 
- func TestPush(t *testing.T) {
- 	d := prepare(t)
-	pushID := stringid.GenerateNonCryptoID()[:constant.DefaultIDLen]
-	req := &pb.PushRequest{
-		PushID:    pushID,
-		ImageName: "255.255.255.255/no-repository/no-name",
-	}
- 	stream := &controlPushServer{}
-	err := d.Daemon.backend.Push(req, stream)
-	assert.ErrorContains(t, err, "error: locating image")
-+
-+	testCases := []struct {
-+		testName    string
-+		pushRequest *pb.PushRequest
-+	}{
-+		{
-+			testName: "localNotExist",
-+			pushRequest: &pb.PushRequest{
-+				PushID:    stringid.GenerateNonCryptoID()[:constant.DefaultIDLen],
-+				ImageName: "255.255.255.255/no-repository/no-name",
-+			},
-+		},
-+		{
-+			testName: "manifestNotExist",
-+			pushRequest: &pb.PushRequest{
-+				PushID:    stringid.GenerateNonCryptoID()[:constant.DefaultIDLen],
-+				ImageName: "127.0.0.1/no-repository/no-name:latest",
-+			},
-+		},
-+	}
-+
-+	options := &storage.ImageOptions{}
-+	d.Daemon.localStore.CreateImage(stringid.GenerateRandomID(), []string{"127.0.0.1/no-repository/no-name:latest"}, "", "", options)
-+
-+	for _, tc := range testCases {
-+		err := d.Daemon.backend.Push(tc.pushRequest, stream)
-+		if tc.testName == "localNotExist" {
-+			assert.ErrorContains(t, err, "error: locating image")
-+		}
-+		if tc.testName == "manifestNotExist" {
-+			assert.ErrorContains(t, err, "file does not exist")
-+		}
-+	}
-+
- 	tmpClean(d)
- }
-+
-+func TestPushHandler(t *testing.T) {
-+	stream := &controlPushServer{}
-+	cliLogger := logger.NewCliLogger(constant.CliLogBufferLen)
-+
-+	ctx := context.TODO()
-+	eg, _ := errgroup.WithContext(ctx)
-+	eg.Go(pushMessageHandler(stream, cliLogger))
-+	eg.Go(func() error {
-+		cliLogger.Print("Push Response")
-+		cliLogger.CloseContent()
-+		return nil
-+	})
-+
-+	eg.Wait()
-+}
-- 
-2.27.0
-
--- a/patch/0072-fuzz-add-more-fuzz-tests.patch
+++ b/patch/0072-fuzz-add-more-fuzz-tests.patch
--- a/patch/0073-cleancode-fix-problems-found-by-code-review.patch
+++ b/patch/0073-cleancode-fix-problems-found-by-code-review.patch
@ -1,583 +0,0 @@
-From 6ee8705ae63ec9918f2cc19b1d903c5cdb0d5487 Mon Sep 17 00:00:00 2001
-From: DCCooper <1866858@gmail.com>
-Date: Mon, 30 Nov 2020 19:40:14 +0800
-Subject: [PATCH 3/4] cleancode:fix problems found by code review
-
-Signed-off-by: DCCooper <1866858@gmail.com>
---
- Makefile                       |  1 +
- builder/dockerfile/add_copy.go |  5 ++++-
- builder/dockerfile/builder.go  |  7 +++++--
- cmd/cli/build.go               | 18 ++++++++++--------
- cmd/cli/build_test.go          |  6 ++----
- cmd/daemon/main.go             | 34 +++++++++++++++++++++++++++-------
- daemon/daemon.go               | 15 +++++++++++++--
- daemon/import.go               |  8 ++++++--
- daemon/load.go                 |  8 +++++---
- daemon/login.go                | 10 +++++++---
- daemon/logout.go               | 13 ++++++++-----
- exporter/common.go             | 25 +++++++++++++++----------
- store/store.go                 |  8 ++++----
- util/common.go                 | 12 ++++++++++++
- util/common_test.go            | 18 +++++++++++++++---
- 15 files changed, 134 insertions(+), 54 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index f40941b4..cbace592 100644
--- a/Makefile
-+++ b/Makefile
-@@ -97,6 +97,7 @@ proto:
- install:
- 	install -D -m0551 bin/isula-build $(BINDIR)
- 	install -D -m0550 bin/isula-builder $(BINDIR)
-+	@( getent group isula > /dev/null ) || ( groupadd --system isula )
- 	@[ ! -d ${CONFIG_DIR}/${CONFIG_FILE} ] && install -dm0650 ${CONFIG_DIR}
- 	@( [ -f ${CONFIG_DIR}/${CONFIG_FILE} ] && printf "%-20s %s\n" "${CONFIG_FILE}" "already exist in ${CONFIG_DIR}, please replace it manually." ) || install -D -m0600 ${LOCAL_CONF_PREFIX}/${CONFIG_FILE} ${CONFIG_DIR}/${CONFIG_FILE}
- 	@( [ -f ${CONFIG_DIR}/${POLICY_FILE} ] && printf "%-20s %s\n" "${POLICY_FILE}" "already exist in ${CONFIG_DIR}, please replace it manually." ) || install -D -m0600 ${LOCAL_CONF_PREFIX}/${POLICY_FILE} ${CONFIG_DIR}/${POLICY_FILE}
-diff --git a/builder/dockerfile/add_copy.go b/builder/dockerfile/add_copy.go
-index c5d966e2..42cda7f9 100644
--- a/builder/dockerfile/add_copy.go
-+++ b/builder/dockerfile/add_copy.go
-@@ -143,7 +143,10 @@ func (c *cmdBuilder) getCopyContextDir(from string) (string, func(), error) {
- 	if err != nil {
- 		return "", nil, err
- 	}
-	c.stage.buildOpt.systemContext.DockerCertPath = filepath.Join(constant.DefaultCertRoot, server)
-+	c.stage.buildOpt.systemContext.DockerCertPath, err = securejoin.SecureJoin(constant.DefaultCertRoot, server)
-+	if err != nil {
-+		return "", nil, err
-+	}
- 
- 	// "from" is neither name nor index of stage, consider that "from" is image description
- 	imgDesc, err := prepareImage(&image.PrepareImageOptions{
-diff --git a/builder/dockerfile/builder.go b/builder/dockerfile/builder.go
-index 757f4cd5..7e954f0d 100644
--- a/builder/dockerfile/builder.go
-+++ b/builder/dockerfile/builder.go
-@@ -22,13 +22,13 @@ import (
- 	"io"
- 	"io/ioutil"
- 	"os"
-	"path/filepath"
- 	"regexp"
- 	"sort"
- 	"strings"
- 	"time"
- 
- 	"github.com/containers/image/v5/docker/reference"
-+	securejoin "github.com/cyphar/filepath-securejoin"
- 	"github.com/opencontainers/go-digest"
- 	"github.com/pkg/errors"
- 	"github.com/sirupsen/logrus"
-@@ -257,7 +257,10 @@ func (b *Builder) newStageBuilders() error {
- 		if err != nil {
- 			return err
- 		}
-		sb.buildOpt.systemContext.DockerCertPath = filepath.Join(constant.DefaultCertRoot, server)
-+		sb.buildOpt.systemContext.DockerCertPath, err = securejoin.SecureJoin(constant.DefaultCertRoot, server)
-+		if err != nil {
-+			return err
-+		}
- 
- 		b.stageBuilders = append(b.stageBuilders, sb)
- 	}
-diff --git a/cmd/cli/build.go b/cmd/cli/build.go
-index f2a49e02..3ebbb90f 100644
--- a/cmd/cli/build.go
-+++ b/cmd/cli/build.go
-@@ -171,6 +171,13 @@ func newBuildOptions(args []string) error {
- 		return nil
- 	}
- 
-+	// check cap list
-+	for _, c := range buildOpts.capAddList {
-+		if !util.CheckCap(c) {
-+			return errors.Errorf("cap %v is invalid", c)
-+		}
-+	}
-+
- 	// the path may be a symbol link
- 	contextDir, err := filepath.Abs(args[0])
- 	if err != nil {
-@@ -236,8 +243,9 @@ func modifyLocalTransporter(transport string, absPath string, segments []string)
- 	const validIsuladFieldsLen = 3
- 	switch transport {
- 	case "docker-archive":
-		segments[1] = absPath
-		buildOpts.output = strings.Join(segments, ":")
-+		newSeg := util.CopyStrings(segments)
-+		newSeg[1] = absPath
-+		buildOpts.output = strings.Join(newSeg, ":")
- 		return nil
- 	case "isulad":
- 		if len(segments) != validIsuladFieldsLen {
-@@ -311,12 +319,6 @@ func runBuild(ctx context.Context, cli Cli) (string, error) {
- 		digest          string
- 	)
- 
-	for _, c := range buildOpts.capAddList {
-		if !util.CheckCap(c) {
-			return "", errors.Errorf("cap %v is invalid", c)
-		}
-	}
-
- 	if err = checkAndProcessOutput(); err != nil {
- 		return "", err
- 	}
-diff --git a/cmd/cli/build_test.go b/cmd/cli/build_test.go
-index 1fa8ecc4..b4c3a61f 100644
--- a/cmd/cli/build_test.go
-+++ b/cmd/cli/build_test.go
-@@ -602,17 +602,15 @@ func TestRunBuildWithCap(t *testing.T) {
- 	defer tmpDir.Remove()
- 	buildOpts.file = tmpDir.Join("Dockerfile")
- 	buildOpts.output = "docker-daemon:cap:latest"
-	mockBuild := newMockDaemon()
-	ctx := context.Background()
-	cli := newMockClient(&mockGrpcClient{imageBuildFunc: mockBuild.build})
- 
- 	for _, tt := range tests {
- 		t.Run(tt.name, func(t *testing.T) {
- 			buildOpts.capAddList = tt.caps
-			_, err := runBuild(ctx, &cli)
-+			err := newBuildOptions([]string{tmpDir.Path()})
- 			if tt.isErr {
- 				assert.ErrorContains(t, err, "is invalid")
- 			}
-+			buildOpts.capAddList = nil
- 		})
- 	}
- }
-diff --git a/cmd/daemon/main.go b/cmd/daemon/main.go
-index 9fcde5cd..d6f1d080 100644
--- a/cmd/daemon/main.go
-+++ b/cmd/daemon/main.go
-@@ -22,6 +22,7 @@ import (
- 
- 	"github.com/BurntSushi/toml"
- 	"github.com/containers/storage/pkg/reexec"
-+	securejoin "github.com/cyphar/filepath-securejoin"
- 	"github.com/pkg/errors"
- 	"github.com/sirupsen/logrus"
- 	"github.com/spf13/cobra"
-@@ -157,9 +158,17 @@ func before(cmd *cobra.Command) error {
- 	logrus.SetOutput(os.Stdout)
- 	logrus.SetFormatter(&logrus.TextFormatter{FullTimestamp: true})
- 
-+	runRoot, err := securejoin.SecureJoin(daemonOpts.RunRoot, "storage")
-+	if err != nil {
-+		return err
-+	}
-+	dataRoot, err := securejoin.SecureJoin(daemonOpts.DataRoot, "storage")
-+	if err != nil {
-+		return err
-+	}
- 	store.SetDefaultStoreOptions(store.DaemonStoreOptions{
-		RunRoot:      filepath.Join(daemonOpts.RunRoot, "storage"),
-		DataRoot:     filepath.Join(daemonOpts.DataRoot, "storage"),
-+		RunRoot:      runRoot,
-+		DataRoot:     dataRoot,
- 		Driver:       daemonOpts.StorageDriver,
- 		DriverOption: util.CopyStrings(daemonOpts.StorageOpts),
- 	})
-@@ -204,7 +213,7 @@ func loadConfig(path string) (config.TomlConfig, error) {
- 	return conf, err
- }
- 
-func mergeStorageConfig(cmd *cobra.Command) {
-+func mergeStorageConfig(cmd *cobra.Command) error {
- 	store.SetDefaultConfigFilePath(constant.StorageConfigPath)
- 	option, err := store.GetDefaultStoreOptions(true)
- 	if err == nil {
-@@ -218,10 +227,16 @@ func mergeStorageConfig(cmd *cobra.Command) {
- 
- 	var storeOpt store.DaemonStoreOptions
- 	if option.RunRoot == "" {
-		storeOpt.RunRoot = filepath.Join(daemonOpts.RunRoot, "storage")
-+		storeOpt.RunRoot, err = securejoin.SecureJoin(daemonOpts.RunRoot, "storage")
-+		if err != nil {
-+			return err
-+		}
- 	}
- 	if option.GraphRoot == "" {
-		storeOpt.DataRoot = filepath.Join(daemonOpts.DataRoot, "storage")
-+		storeOpt.DataRoot, err = securejoin.SecureJoin(daemonOpts.DataRoot, "storage")
-+		if err != nil {
-+			return err
-+		}
- 	}
- 	if daemonOpts.StorageDriver != "" {
- 		storeOpt.Driver = daemonOpts.StorageDriver
-@@ -230,6 +245,8 @@ func mergeStorageConfig(cmd *cobra.Command) {
- 		storeOpt.DriverOption = util.CopyStrings(daemonOpts.StorageOpts)
- 	}
- 	store.SetDefaultStoreOptions(storeOpt)
-+
-+	return nil
- }
- 
- func mergeConfig(conf config.TomlConfig, cmd *cobra.Command) {
-@@ -258,7 +275,10 @@ func setupWorkingDirectories() error {
- 		return errors.Errorf("runroot(%q) and dataroot(%q) must be different paths", daemonOpts.RunRoot, daemonOpts.DataRoot)
- 	}
- 
-	buildTmpDir := filepath.Join(daemonOpts.DataRoot, dataRootTmpDirPrefix)
-+	buildTmpDir, err := securejoin.SecureJoin(daemonOpts.DataRoot, dataRootTmpDirPrefix)
-+	if err != nil {
-+		return err
-+	}
- 	dirs := []string{daemonOpts.DataRoot, daemonOpts.RunRoot, buildTmpDir}
- 	for _, dir := range dirs {
- 		if !filepath.IsAbs(dir) {
-@@ -325,7 +345,7 @@ func checkAndValidateConfig(cmd *cobra.Command) error {
- 
- 	// if storage config file exists, merge storage config
- 	if util.IsExist(constant.StorageConfigPath) {
-		mergeStorageConfig(cmd)
-+		return mergeStorageConfig(cmd)
- 	}
- 
- 	return nil
-diff --git a/daemon/daemon.go b/daemon/daemon.go
-index 1237f35d..90ccf648 100644
--- a/daemon/daemon.go
-+++ b/daemon/daemon.go
-@@ -23,6 +23,7 @@ import (
- 	"time"
- 
- 	"github.com/containerd/containerd/sys/reaper"
-+	securejoin "github.com/cyphar/filepath-securejoin"
- 	"github.com/pkg/errors"
- 	"github.com/sirupsen/logrus"
- 	"golang.org/x/sys/unix"
-@@ -130,10 +131,20 @@ func (d *Daemon) Run() (err error) {
- 
- // NewBuilder returns the builder with request sent from GRPC service
- func (d *Daemon) NewBuilder(ctx context.Context, req *pb.BuildRequest) (b builder.Builder, err error) {
-+	var (
-+		buildDir string
-+		runDir   string
-+	)
- 	// buildDir is used to set directory which is used to store tmp data
-	buildDir := filepath.Join(d.opts.DataRoot, dataRootTmpDirPrefix, req.BuildID)
-+	buildDir, err = securejoin.SecureJoin(d.opts.DataRoot, filepath.Join(dataRootTmpDirPrefix, req.BuildID))
-+	if err != nil {
-+		return nil, err
-+	}
- 	// runDir is used to store such as container bundle directories
-	runDir := filepath.Join(d.opts.RunRoot, req.BuildID)
-+	runDir, err = securejoin.SecureJoin(d.opts.RunRoot, req.BuildID)
-+	if err != nil {
-+		return nil, err
-+	}
- 
- 	// this key with BuildDir will be used by exporter to save blob temporary
- 	// NOTE: keep it be updated before NewBuilder. ctx will be taken by Builder
-diff --git a/daemon/import.go b/daemon/import.go
-index a72d732e..21ffeaa3 100644
--- a/daemon/import.go
-+++ b/daemon/import.go
-@@ -22,6 +22,7 @@ import (
- 	"github.com/containers/image/v5/tarball"
- 	"github.com/containers/image/v5/transports"
- 	"github.com/containers/image/v5/types"
-+	securejoin "github.com/cyphar/filepath-securejoin"
- 	"github.com/pkg/errors"
- 	"github.com/sirupsen/logrus"
- 	"golang.org/x/sync/errgroup"
-@@ -43,6 +44,7 @@ func (b *Backend) Import(req *pb.ImportRequest, stream pb.Control_ImportServer)
- 		source     = req.Source
- 		reference  = req.Reference
- 		importID   = req.ImportID
-+		tmpDir     string
- 	)
- 	logEntry := logrus.WithFields(logrus.Fields{"ImportID": importID})
- 	logEntry.Info("ImportRequest received")
-@@ -78,8 +80,10 @@ func (b *Backend) Import(req *pb.ImportRequest, stream pb.Control_ImportServer)
- 
- 	log := logger.NewCliLogger(constant.CliLogBufferLen)
- 	imageCopyOptions := image.NewImageCopyOptions(log)
-
-	tmpDir := filepath.Join(b.daemon.opts.DataRoot, dataRootTmpDirPrefix, importID)
-+	tmpDir, err = securejoin.SecureJoin(b.daemon.opts.DataRoot, filepath.Join(dataRootTmpDirPrefix, importID))
-+	if err != nil {
-+		return err
-+	}
- 	if err = os.MkdirAll(tmpDir, constant.DefaultRootDirMode); err != nil {
- 		logEntry.Error(err)
- 		return err
-diff --git a/daemon/load.go b/daemon/load.go
-index d3f9bf6e..1f4c2f87 100644
--- a/daemon/load.go
-+++ b/daemon/load.go
-@@ -14,10 +14,9 @@
- package daemon
- 
- import (
-	"path/filepath"
-
- 	"github.com/containers/image/v5/docker/tarfile"
- 	"github.com/containers/storage"
-+	securejoin "github.com/cyphar/filepath-securejoin"
- 	"github.com/pkg/errors"
- 	"github.com/sirupsen/logrus"
- 	"golang.org/x/sync/errgroup"
-@@ -85,7 +84,10 @@ func (b *Backend) Load(req *pb.LoadRequest, stream pb.Control_LoadServer) error
- 
- func getRepoTagFromImageTar(dataRoot, path string) ([]string, error) {
- 	// tmp dir will be removed after NewSourceFromFileWithContext
-	tmpDir := filepath.Join(dataRoot, dataRootTmpDirPrefix)
-+	tmpDir, err := securejoin.SecureJoin(dataRoot, dataRootTmpDirPrefix)
-+	if err != nil {
-+		return nil, err
-+	}
- 	systemContext := image.GetSystemContext()
- 	systemContext.BigFilesTemporaryDir = tmpDir
- 
-diff --git a/daemon/login.go b/daemon/login.go
-index 012816a4..e3399983 100644
--- a/daemon/login.go
-+++ b/daemon/login.go
-@@ -16,11 +16,11 @@ package daemon
- import (
- 	"context"
- 	"crypto"
-	"path/filepath"
- 
- 	"github.com/containers/image/v5/docker"
- 	"github.com/containers/image/v5/pkg/docker/config"
- 	"github.com/containers/image/v5/types"
-+	securejoin "github.com/cyphar/filepath-securejoin"
- 	"github.com/pkg/errors"
- 	"github.com/sirupsen/logrus"
- 
-@@ -48,12 +48,16 @@ func (b *Backend) Login(ctx context.Context, req *pb.LoginRequest) (*pb.LoginRes
- 		"Username": req.GetUsername(),
- 	}).Info("LoginRequest received")
- 
-	if err := validLoginOpts(req); err != nil {
-+	err := validLoginOpts(req)
-+	if err != nil {
- 		return &pb.LoginResponse{Content: loginFailed}, err
- 	}
- 
- 	sysCtx := image.GetSystemContext()
-	sysCtx.DockerCertPath = filepath.Join(constant.DefaultCertRoot, req.Server)
-+	sysCtx.DockerCertPath, err = securejoin.SecureJoin(constant.DefaultCertRoot, req.Server)
-+	if err != nil {
-+		return &pb.LoginResponse{Content: loginFailed}, err
-+	}
- 
- 	if loginWithAuthFile(req) {
- 		auth, err := config.GetCredentials(sysCtx, req.Server)
-diff --git a/daemon/logout.go b/daemon/logout.go
-index 82c5beac..355b1f7a 100644
--- a/daemon/logout.go
-+++ b/daemon/logout.go
-@@ -16,10 +16,10 @@ package daemon
- import (
- 	"context"
- 	"fmt"
-	"path/filepath"
- 	"strings"
- 
- 	"github.com/containers/image/v5/pkg/docker/config"
-+	securejoin "github.com/cyphar/filepath-securejoin"
- 	"github.com/pkg/errors"
- 	"github.com/sirupsen/logrus"
- 
-@@ -35,12 +35,16 @@ func (b *Backend) Logout(ctx context.Context, req *pb.LogoutRequest) (*pb.Logout
- 		"All":    req.GetAll(),
- 	}).Info("LogoutRequest received")
- 
-	if err := validLogoutOpts(req); err != nil {
-+	err := validLogoutOpts(req)
-+	if err != nil {
- 		return &pb.LogoutResponse{Result: "Logout Failed"}, err
- 	}
- 
- 	sysCtx := image.GetSystemContext()
-	sysCtx.DockerCertPath = filepath.Join(constant.DefaultCertRoot, req.Server)
-+	sysCtx.DockerCertPath, err = securejoin.SecureJoin(constant.DefaultCertRoot, req.Server)
-+	if err != nil {
-+		return &pb.LogoutResponse{Result: "Logout Failed"}, err
-+	}
- 
- 	if req.All {
- 		if err := config.RemoveAllAuthentication(sysCtx); err != nil {
-@@ -51,8 +55,7 @@ func (b *Backend) Logout(ctx context.Context, req *pb.LogoutRequest) (*pb.Logout
- 		return &pb.LogoutResponse{Result: "Removed authentications"}, nil
- 	}
- 
-	err := config.RemoveAuthentication(sysCtx, req.Server)
-	if err == nil {
-+	if err = config.RemoveAuthentication(sysCtx, req.Server); err == nil {
- 		msg := fmt.Sprintf("Removed authentication for %s", req.Server)
- 		logrus.Infof("Success logout from server: %q", req.Server)
- 		return &pb.LogoutResponse{Result: msg}, nil
-diff --git a/exporter/common.go b/exporter/common.go
-index 1953b4e1..6e70a38e 100644
--- a/exporter/common.go
-+++ b/exporter/common.go
-@@ -20,7 +20,6 @@ import (
- 	"io"
- 	"os"
- 	"os/exec"
-	"path/filepath"
- 	"strings"
- 
- 	cp "github.com/containers/image/v5/copy"
-@@ -30,6 +29,7 @@ import (
- 	"github.com/containers/image/v5/types"
- 	"github.com/containers/storage/pkg/archive"
- 	"github.com/containers/storage/pkg/stringid"
-+	securejoin "github.com/cyphar/filepath-securejoin"
- 	"github.com/docker/distribution/reference"
- 	"github.com/opencontainers/go-digest"
- 	"github.com/pkg/errors"
-@@ -72,15 +72,12 @@ func Export(src, destSpec string, opts ExportOptions, localStore *store.Store) e
- 	if err != nil {
- 		return err
- 	}
-	opts.SystemContext.DockerCertPath = filepath.Join(constant.DefaultCertRoot, registry)
-
-	options := NewCopyOptions(opts)
-
-	policyContext, err := NewPolicyContext(opts.SystemContext)
-+	opts.SystemContext.DockerCertPath, err = securejoin.SecureJoin(constant.DefaultCertRoot, registry)
- 	if err != nil {
- 		return err
- 	}
-	ref, digest, err := export(opts, epter, policyContext, options)
-+
-+	ref, digest, err := export(epter, opts)
- 	if err != nil {
- 		return errors.Errorf("export image from %s to %s failed, got error: %s", src, destSpec, err)
- 	}
-@@ -117,13 +114,18 @@ func exportToIsulad(ctx context.Context, tarPath string) error {
- 	return nil
- }
- 
-func export(exOpts ExportOptions, e Exporter, policyContext *signature.PolicyContext, cpOpts *cp.Options) (reference.Canonical, digest.Digest, error) {
-+func export(e Exporter, exOpts ExportOptions) (reference.Canonical, digest.Digest, error) {
- 	var (
-		err            error
- 		ref            reference.Canonical
- 		manifestBytes  []byte
- 		manifestDigest digest.Digest
- 	)
-+
-+	cpOpts := NewCopyOptions(exOpts)
-+	policyContext, err := NewPolicyContext(exOpts.SystemContext)
-+	if err != nil {
-+		return nil, "", err
-+	}
- 	defer func() {
- 		destroyErr := policyContext.Destroy()
- 		if err == nil {
-@@ -176,7 +178,10 @@ func parseExporter(opts ExportOptions, src, destSpec string, localStore *store.S
- 	// 3. get dest reference
- 	if parts[0] == "isulad" {
- 		randomID := stringid.GenerateNonCryptoID()[:constant.DefaultIDLen]
-		isuladTarPath = filepath.Join(opts.DataDir, fmt.Sprintf("isula-build-tmp-%s.tar", randomID))
-+		isuladTarPath, err = securejoin.SecureJoin(opts.DataDir, fmt.Sprintf("isula-build-tmp-%s.tar", randomID))
-+		if err != nil {
-+			return nil, "", err
-+		}
- 		// construct format: transport:path:image:tag
- 		// parts[1] here could not be empty cause client-end already processed it
- 		destSpec = fmt.Sprintf("docker-archive:%s:%s", isuladTarPath, parts[1])
-diff --git a/store/store.go b/store/store.go
-index 263d69e8..410eef11 100644
--- a/store/store.go
-+++ b/store/store.go
-@@ -131,15 +131,15 @@ func (s *Store) CleanContainer(id string) error {
- 
- 	// Do not care about all the errors whiling cleaning the container,
- 	// just return one if the error occurs.
-	var err error
-+	var finalErr error
- 	if _, uerr := s.Unmount(id, false); uerr != nil {
-		err = uerr
-+		finalErr = uerr
- 		logrus.Warnf("Unmount container store failed while cleaning %q", id)
- 	}
- 	if derr := s.DeleteContainer(id); derr != nil {
-		err = derr
-+		finalErr = derr
- 		logrus.Warnf("Delete container store failed while cleaning %q", id)
- 	}
- 
-	return err
-+	return finalErr
- }
-diff --git a/util/common.go b/util/common.go
-index 9e2e2537..5cd4bb28 100644
--- a/util/common.go
-+++ b/util/common.go
-@@ -20,6 +20,7 @@ import (
- 	"path/filepath"
- 	"strings"
- 
-+	securejoin "github.com/cyphar/filepath-securejoin"
- 	"github.com/pkg/errors"
- 	"github.com/spf13/cobra"
- 	"golang.org/x/sys/unix"
-@@ -152,6 +153,17 @@ func ParseServer(server string) (string, error) {
- 		return "", errors.Errorf("invalid registry address %s", server)
- 	}
- 
-+	// to prevent directory traversal
-+	fakePrefix := "/fakePrefix"
-+	origAddr := fmt.Sprintf("%s/%s", fakePrefix, fields[0])
-+	cleanAddr, err := securejoin.SecureJoin(fakePrefix, fields[0])
-+	if err != nil {
-+		return "", err
-+	}
-+	if cleanAddr != origAddr {
-+		return "", errors.Errorf("invalid relative path detected")
-+	}
-+
- 	return fields[0], nil
- }
- 
-diff --git a/util/common_test.go b/util/common_test.go
-index b48c508f..e9b6ad85 100644
--- a/util/common_test.go
-+++ b/util/common_test.go
-@@ -153,17 +153,29 @@ func TestParseServer(t *testing.T) {
- 			want:    "",
- 			wantErr: true,
- 		},
-+		{
-+			name:    "TC10 - abnormal server address with relative filepath",
-+			args:    args{server: "https://mydockerhub/../../../"},
-+			want:    "mydockerhub",
-+			wantErr: false,
-+		},
-+		{
-+			name:    "TC11 - abnormal server address with relative filepath 2",
-+			args:    args{server: "https://../../../../mydockerhub"},
-+			want:    "",
-+			wantErr: true,
-+		},
- 	}
- 	for _, tt := range tests {
- 		t.Run(tt.name, func(t *testing.T) {
- 			got, err := ParseServer(tt.args.server)
-+			if got != tt.want {
-+				t.Errorf("ParseServer() got = %v, want %v", got, tt.want)
-+			}
- 			if (err != nil) != tt.wantErr {
- 				t.Errorf("ParseServer() error = %v, wantErr %v", err, tt.wantErr)
- 				return
- 			}
-			if got != tt.want {
-				t.Errorf("ParseServer() got = %v, want %v", got, tt.want)
-			}
- 		})
- 	}
- }
-- 
-2.27.0
-
--- a/patch/0074-fix-printing-FROM-command-double-times-to-console.patch
+++ b/patch/0074-fix-printing-FROM-command-double-times-to-console.patch
@ -1,434 +0,0 @@
-From f93ea5cf3ca956943711bbf0d4d86e330f248534 Mon Sep 17 00:00:00 2001
-From: xingweizheng 00591739 <xingweizheng@huawei.com>
-Date: Mon, 30 Nov 2020 17:13:15 +0800
-Subject: [PATCH 4/4] fix printing FROM command double times to console
-
---
- builder/dockerfile/builder_test.go            | 16 ++---
- builder/dockerfile/cmd_builder_test.go        | 41 ++++++-------
- builder/dockerfile/parser/parser.go           | 12 ++--
- builder/dockerfile/parser/parser_test.go      | 61 ++++++++++++++++++-
- .../preprocess/busybox_line_with_spaces       |  0
- .../testfiles/preprocess/busybox_no_command   |  2 +-
- .../preprocess/busybox_ubuntu_centos          |  3 +
- .../preprocess/busybox_with_from_only         |  1 +
- .../compelte_stage_with_single_from_stage     |  3 +
- ...single_from_stage_depend_on_previous_stage |  3 +
- .../final_stage_depend_on_previous_stage      |  3 +
- .../single_from_stage_with_complete_stage     |  3 +
- builder/dockerfile/stage_builder.go           | 12 +++-
- 13 files changed, 122 insertions(+), 38 deletions(-)
- mode change 100755 => 100644 builder/dockerfile/parser/testfiles/preprocess/busybox_line_with_spaces
- create mode 100755 builder/dockerfile/parser/testfiles/preprocess/busybox_ubuntu_centos
- create mode 100755 builder/dockerfile/parser/testfiles/preprocess/busybox_with_from_only
- create mode 100755 builder/dockerfile/parser/testfiles/preprocess/compelte_stage_with_single_from_stage
- create mode 100755 builder/dockerfile/parser/testfiles/preprocess/final_single_from_stage_depend_on_previous_stage
- create mode 100755 builder/dockerfile/parser/testfiles/preprocess/final_stage_depend_on_previous_stage
- create mode 100755 builder/dockerfile/parser/testfiles/preprocess/single_from_stage_with_complete_stage
-
-diff --git a/builder/dockerfile/builder_test.go b/builder/dockerfile/builder_test.go
-index b02768ea..94842c71 100644
--- a/builder/dockerfile/builder_test.go
-+++ b/builder/dockerfile/builder_test.go
-@@ -248,13 +248,13 @@ RUN ls
- 	}
- 
- 	// check the arg and env taken by the command: RUN ls
-	assert.DeepEqual(t, b.stageBuilders[0].commands[1].args,
-+	assert.DeepEqual(t, b.stageBuilders[0].commands[0].args,
- 		map[string]string{"no_proxy": "10.0.0.0"})
-	assert.DeepEqual(t, b.stageBuilders[1].commands[2].args,
-+	assert.DeepEqual(t, b.stageBuilders[1].commands[1].args,
- 		map[string]string{"testArg": "0.1", "no_proxy": "10.0.0.0"})
-	assert.DeepEqual(t, b.stageBuilders[2].commands[3].args,
-+	assert.DeepEqual(t, b.stageBuilders[2].commands[2].args,
- 		map[string]string{"no_proxy": "10.0.0.0"})
-	assert.DeepEqual(t, b.stageBuilders[2].commands[3].envs,
-+	assert.DeepEqual(t, b.stageBuilders[2].commands[2].envs,
- 		map[string]string{"testArg": "1.0"})
- }
- 
-@@ -291,13 +291,13 @@ RUN ls
- 	}
- 
- 	// check the arg and env taken by the command: RUN ls
-	assert.DeepEqual(t, b.stageBuilders[0].commands[1].args,
-+	assert.DeepEqual(t, b.stageBuilders[0].commands[0].args,
- 		map[string]string{"HTTPS_PROXY": "127.0.0.1"})
-	assert.DeepEqual(t, b.stageBuilders[1].commands[2].args,
-+	assert.DeepEqual(t, b.stageBuilders[1].commands[1].args,
- 		map[string]string{"testArg": "0.1", "HTTPS_PROXY": "127.0.0.1"})
-	assert.DeepEqual(t, b.stageBuilders[2].commands[3].args,
-+	assert.DeepEqual(t, b.stageBuilders[2].commands[2].args,
- 		map[string]string{"HTTPS_PROXY": "127.0.0.1"})
-	assert.DeepEqual(t, b.stageBuilders[2].commands[3].envs,
-+	assert.DeepEqual(t, b.stageBuilders[2].commands[2].envs,
- 		map[string]string{"testArg": "1.0"})
- }
- 
-diff --git a/builder/dockerfile/cmd_builder_test.go b/builder/dockerfile/cmd_builder_test.go
-index df1c08f9..471314ba 100644
--- a/builder/dockerfile/cmd_builder_test.go
-+++ b/builder/dockerfile/cmd_builder_test.go
-@@ -113,7 +113,7 @@ func TestExecuteHealthCheck(t *testing.T) {
- 			}
- 			err := s.analyzeStage(context.Background())
- 			assert.NilError(t, err)
-			if err := s.commands[1].cmdExecutor(); (err != nil) != tt.wantErr {
-+			if err := s.commands[0].cmdExecutor(); (err != nil) != tt.wantErr {
- 				t.Errorf("CmdExecutor() error: %v, wantErr: %v", err, tt.wantErr)
- 			}
- 			tt.funcCheck(t, s)
-@@ -195,7 +195,7 @@ CMD [""]`,
- 			}
- 			err := s.analyzeStage(context.Background())
- 			assert.NilError(t, err)
-			if err := s.commands[1].cmdExecutor(); (err != nil) != tt.wantErr {
-+			if err := s.commands[0].cmdExecutor(); (err != nil) != tt.wantErr {
- 				t.Errorf("cmdExecutor() error: %v, wantErr: %v", err, tt.wantErr)
- 			}
- 			tt.funcCheck(t, s)
-@@ -288,7 +288,7 @@ SHELL ["/bin/bash", "-c"]`,
- 			}
- 			err := s.analyzeStage(context.Background())
- 			assert.NilError(t, err)
-			if err := s.commands[1].cmdExecutor(); (err != nil) != tt.wantErr {
-+			if err := s.commands[0].cmdExecutor(); (err != nil) != tt.wantErr {
- 				t.Errorf("SHELL cmdExecutor() error: %v, wantErr: %v", err, tt.wantErr)
- 			}
- 			tt.funcCheck(t, s)
-@@ -316,15 +316,15 @@ CMD ls`
- 	err := s.analyzeStage(context.Background())
- 	assert.NilError(t, err)
- 
-	if err := s.commands[1].cmdExecutor(); err != nil {
-+	if err := s.commands[0].cmdExecutor(); err != nil {
- 		t.Errorf("CMD cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.docker.Config.Cmd, strslice.StrSlice{"/bin/sh", "-c", "ls"})
- 
-	if err := s.commands[2].cmdExecutor(); err != nil {
-+	if err := s.commands[1].cmdExecutor(); err != nil {
- 		t.Errorf("SHELL cmdExecutor() error: %v", err)
- 	}
-	if err := s.commands[3].cmdExecutor(); err != nil {
-+	if err := s.commands[2].cmdExecutor(); err != nil {
- 		t.Errorf("CMD cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.shellForm, strslice.StrSlice{"/bin/bash", "-c"})
-@@ -360,10 +360,9 @@ func TestExecuteNoop(t *testing.T) {
- 
- 	// the "STEP 1: FROM alpine" in production is done at stageBuilder.prepare()
- 	// no cmdExecutor for FROM, so no print for FROM here
-	expectedString := `STEP  1: FROM alpine
-STEP  2: ARG testArg
-STEP  3: ENV env1=env2
-STEP  4: ONBUILD CMD ls
-+	expectedString := `STEP  1: ARG testArg
-+STEP  2: ENV env1=env2
-+STEP  3: ONBUILD CMD ls
- `
- 	assert.Equal(t, stepPrints, expectedString)
- }
-@@ -442,7 +441,7 @@ ENTRYPOINT [""]`,
- 			}
- 			err := s.analyzeStage(context.Background())
- 			assert.NilError(t, err)
-			if err := s.commands[1].cmdExecutor(); (err != nil) != tt.wantErr {
-+			if err := s.commands[0].cmdExecutor(); (err != nil) != tt.wantErr {
- 				t.Errorf("cmdExecutor() error: %v, wantErr: %v", err, tt.wantErr)
- 			}
- 			tt.funcCheck(t, s)
-@@ -904,15 +903,15 @@ WORKDIR /c`
- 	}
- 	err := s.analyzeStage(context.Background())
- 	assert.NilError(t, err)
-	if err := s.commands[1].cmdExecutor(); err != nil {
-+	if err := s.commands[0].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.docker.Config.WorkingDir, "/a")
-	if err := s.commands[2].cmdExecutor(); err != nil {
-+	if err := s.commands[1].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.docker.Config.WorkingDir, "/b")
-	if err := s.commands[3].cmdExecutor(); err != nil {
-+	if err := s.commands[2].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.docker.Config.WorkingDir, "/c")
-@@ -939,15 +938,15 @@ WORKDIR c`
- 	}
- 	err := s.analyzeStage(context.Background())
- 	assert.NilError(t, err)
-	if err := s.commands[1].cmdExecutor(); err != nil {
-+	if err := s.commands[0].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.docker.Config.WorkingDir, "/a")
-	if err := s.commands[2].cmdExecutor(); err != nil {
-+	if err := s.commands[1].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.docker.Config.WorkingDir, "/a/b")
-	if err := s.commands[3].cmdExecutor(); err != nil {
-+	if err := s.commands[2].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.DeepEqual(t, s.docker.Config.WorkingDir, "/a/b/c")
-@@ -974,15 +973,15 @@ WORKDIR $DIRPATH/$DIRNAME`
- 	}
- 	err := s.analyzeStage(context.Background())
- 	assert.NilError(t, err)
-	if err = s.commands[1].cmdExecutor(); err != nil {
-+	if err = s.commands[0].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.NilError(t, err)
-	if err = s.commands[2].cmdExecutor(); err != nil {
-+	if err = s.commands[1].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.NilError(t, err)
-	if err = s.commands[3].cmdExecutor(); err != nil {
-+	if err = s.commands[2].cmdExecutor(); err != nil {
- 		t.Errorf("WORKDIR cmdExecutor() error: %v", err)
- 	}
- 	assert.NilError(t, err)
-@@ -1026,7 +1025,7 @@ Maintainer iSula iSula@huawei.com`,
- 			}
- 			err := s.analyzeStage(context.Background())
- 			assert.NilError(t, err)
-			if err := s.commands[1].cmdExecutor(); (err != nil) != tt.wantErr {
-+			if err := s.commands[0].cmdExecutor(); (err != nil) != tt.wantErr {
- 				t.Errorf("cmdExecutor() error: %v, wantErr: %v", err, tt.wantErr)
- 			}
- 			tt.funcCheck(t, s)
-diff --git a/builder/dockerfile/parser/parser.go b/builder/dockerfile/parser/parser.go
-index 82835e67..821e18ea 100644
--- a/builder/dockerfile/parser/parser.go
-+++ b/builder/dockerfile/parser/parser.go
-@@ -238,19 +238,21 @@ func constructPages(lines []*parser.Line, onbuild bool) ([]*parser.Page, error)
- 			}
- 			pageMap[page.Name] = page
- 			// if the base image for current stage is from the previous stage,
-			// mark the previous stage need to commit
-			if from, ok := pageMap[line.Cells[0].Value]; ok {
-+			// mark the previous stage need to commit, for only from command we don't commit
-+			if from, ok := pageMap[line.Cells[0].Value]; ok && len(from.Lines) > 1 {
- 				from.NeedCommit = true
- 			}
- 			currentPage = page
- 		}
- 		// because a valid dockerfile is always start with 'FROM' command here, so no need
-		// to check currentPage wheather is nil
-+		// to check whether currentPage is nil or not
- 		currentPage.End = line.End
- 		currentPage.AddLine(line)
- 	}
-	// the last stage always need to commit
-	currentPage.NeedCommit = true
-+	// the last stage always need to commit except page that contains only from command
-+	if len(currentPage.Lines) > 1 {
-+		currentPage.NeedCommit = true
-+	}
- 	pages = append(pages, currentPage)
- 
- 	if len(pages) == 0 {
-diff --git a/builder/dockerfile/parser/parser_test.go b/builder/dockerfile/parser/parser_test.go
-index fe27dd95..8580b84c 100644
--- a/builder/dockerfile/parser/parser_test.go
-+++ b/builder/dockerfile/parser/parser_test.go
-@@ -119,7 +119,6 @@ func TestFormatWithSpacesAfterEscapeToken(t *testing.T) {
- 			name:   "busybox_line_with_spaces",
- 			expect: []int{12, 20, 96, 87, 10},
- 		},
-
- 	}
- 
- 	for _, tc := range testcases {
-@@ -194,8 +193,10 @@ func TestParse(t *testing.T) {
- 			r, err := os.Open(file)
- 			assert.NilError(t, err)
- 			defer r.Close()
-+
- 			df := dockerfile{}
- 			_, err = df.Parse(r, false)
-+
- 			if !tc.isErr {
- 				assert.NilError(t, err, file)
- 			} else {
-@@ -205,6 +206,64 @@ func TestParse(t *testing.T) {
- 	}
- }
- 
-+func TestParseContainSingleFrom(t *testing.T) {
-+	testcases := []struct {
-+		name      string
-+		isErr     bool
-+		committed bool
-+	}{
-+		{
-+			name:      "busybox_with_from_only",
-+			isErr:     false,
-+			committed: false,
-+		}, {
-+			name:      "busybox_ubuntu_centos",
-+			isErr:     false,
-+			committed: false,
-+		}, {
-+			name:      "compelte_stage_with_single_from_stage",
-+			isErr:     false,
-+			committed: false,
-+		}, {
-+			name:      "single_from_stage_with_complete_stage",
-+			isErr:     false,
-+			committed: true,
-+		}, {
-+			name:      "final_single_from_stage_depend_on_previous_stage",
-+			isErr:     false,
-+			committed: true,
-+		}, {
-+			name:      "final_stage_depend_on_previous_stage",
-+			isErr:     false,
-+			committed: true,
-+		},
-+	}
-+
-+	for _, tc := range testcases {
-+		t.Run(tc.name, func(t *testing.T) {
-+			file := filepath.Join("testfiles", "preprocess", tc.name)
-+			r, err := os.Open(file)
-+			assert.NilError(t, err)
-+			defer r.Close()
-+
-+			df := dockerfile{}
-+			playbook := &parser.PlayBook{}
-+			playbook, err = df.Parse(r, false)
-+
-+			if !tc.isErr {
-+				assert.NilError(t, err, file)
-+				if tc.committed {
-+					needCommit := false
-+					for _, page := range playbook.Pages {
-+						needCommit = page.NeedCommit || needCommit
-+					}
-+					assert.Equal(t, needCommit, true)
-+				}
-+			}
-+		})
-+	}
-+}
-+
- func TestParseIgnore(t *testing.T) {
- 	dockerignore := `
- # comment
-diff --git a/builder/dockerfile/parser/testfiles/preprocess/busybox_line_with_spaces b/builder/dockerfile/parser/testfiles/preprocess/busybox_line_with_spaces
-old mode 100755
-new mode 100644
-diff --git a/builder/dockerfile/parser/testfiles/preprocess/busybox_no_command b/builder/dockerfile/parser/testfiles/preprocess/busybox_no_command
-index da465805..a424e7e0 100644
--- a/builder/dockerfile/parser/testfiles/preprocess/busybox_no_command
-+++ b/builder/dockerfile/parser/testfiles/preprocess/busybox_no_command
-@@ -6,5 +6,5 @@ ENTRYPOINT ["sh"]
- RUN ["ls"]
- RUN echo "hello world"
- 
-# fail at here
-+# Support single FROM command at here
- FROM busybox
-diff --git a/builder/dockerfile/parser/testfiles/preprocess/busybox_ubuntu_centos b/builder/dockerfile/parser/testfiles/preprocess/busybox_ubuntu_centos
-new file mode 100755
-index 00000000..57f870ad
--- /dev/null
-+++ b/builder/dockerfile/parser/testfiles/preprocess/busybox_ubuntu_centos
-@@ -0,0 +1,3 @@
-+FROM busybox
-+FROM ubuntu
-+FROM centos
-\ No newline at end of file
-diff --git a/builder/dockerfile/parser/testfiles/preprocess/busybox_with_from_only b/builder/dockerfile/parser/testfiles/preprocess/busybox_with_from_only
-new file mode 100755
-index 00000000..84662517
--- /dev/null
-+++ b/builder/dockerfile/parser/testfiles/preprocess/busybox_with_from_only
-@@ -0,0 +1 @@
-+FROM busybox
-\ No newline at end of file
-diff --git a/builder/dockerfile/parser/testfiles/preprocess/compelte_stage_with_single_from_stage b/builder/dockerfile/parser/testfiles/preprocess/compelte_stage_with_single_from_stage
-new file mode 100755
-index 00000000..636a75df
--- /dev/null
-+++ b/builder/dockerfile/parser/testfiles/preprocess/compelte_stage_with_single_from_stage
-@@ -0,0 +1,3 @@
-+FROM busybox
-+RUN touch /tmp/a_test.txt
-+FROM ubuntu
-\ No newline at end of file
-diff --git a/builder/dockerfile/parser/testfiles/preprocess/final_single_from_stage_depend_on_previous_stage b/builder/dockerfile/parser/testfiles/preprocess/final_single_from_stage_depend_on_previous_stage
-new file mode 100755
-index 00000000..9493cbc0
--- /dev/null
-+++ b/builder/dockerfile/parser/testfiles/preprocess/final_single_from_stage_depend_on_previous_stage
-@@ -0,0 +1,3 @@
-+FROM busybox as new_busybox
-+RUN touch /tmp/a_test.txt
-+FROM new_busybox
-\ No newline at end of file
-diff --git a/builder/dockerfile/parser/testfiles/preprocess/final_stage_depend_on_previous_stage b/builder/dockerfile/parser/testfiles/preprocess/final_stage_depend_on_previous_stage
-new file mode 100755
-index 00000000..43bde170
--- /dev/null
-+++ b/builder/dockerfile/parser/testfiles/preprocess/final_stage_depend_on_previous_stage
-@@ -0,0 +1,3 @@
-+FROM busybox as new_busybox
-+FROM new_busybox
-+RUN touch /tmp/a_test.txt
-\ No newline at end of file
-diff --git a/builder/dockerfile/parser/testfiles/preprocess/single_from_stage_with_complete_stage b/builder/dockerfile/parser/testfiles/preprocess/single_from_stage_with_complete_stage
-new file mode 100755
-index 00000000..b4cf1190
--- /dev/null
-+++ b/builder/dockerfile/parser/testfiles/preprocess/single_from_stage_with_complete_stage
-@@ -0,0 +1,3 @@
-+FROM ubuntu
-+FROM busybox
-+RUN touch /tmp/a_test.txt
-\ No newline at end of file
-diff --git a/builder/dockerfile/stage_builder.go b/builder/dockerfile/stage_builder.go
-index 47f55bf1..23f488cb 100644
--- a/builder/dockerfile/stage_builder.go
-+++ b/builder/dockerfile/stage_builder.go
-@@ -172,7 +172,9 @@ func (s *stageBuilder) analyzeStage(ctx context.Context) error {
- 		cb := newCmdBuilder(ctx, line, s, stageArgs, stageEnvs)
- 
- 		switch line.Command {
-+		// From cmd is already pre-processed, we just pass it
- 		case dockerfile.From:
-+			continue
- 		case dockerfile.Arg:
- 			if cb.args, err = analyzeArg(s.builder, line, stageArgs, stageEnvs); err != nil {
- 				return err
-@@ -209,10 +211,16 @@ func (s *stageBuilder) stageBuild(ctx context.Context) (string, error) {
- 
- 	// 3. commit for new image if needed
- 	if s.rawStage.NeedCommit {
-		s.imageID, err = s.commit(ctx)
-+		if s.imageID, err = s.commit(ctx); err != nil {
-+			return s.imageID, errors.Wrapf(err, "commit image for stage %s failed", s.name)
-+		}
-+	}
-+	// for only from command in Dockerfile, there is no imageID committed, use fromImageID
-+	if s.imageID == "" {
-+		s.imageID = s.fromImageID
- 	}
- 
-	return s.imageID, errors.Wrapf(err, "commit image for stage %s failed", s.name)
-+	return s.imageID, nil
- }
- 
- func prepareImage(opt *image.PrepareImageOptions) (*image.Describe, error) {
-- 
-2.27.0
-
--- a/patch/0075-change-default-umask-of-isula-builder-pr.patch
+++ b/patch/0075-change-default-umask-of-isula-builder-pr.patch
@ -1,37 +0,0 @@
-From c9aa2a92e06d32dada0029fbf9154f23afbf506b Mon Sep 17 00:00:00 2001
-From: Lu Jingxiao <lujingxiao@huawei.com>
-Date: Fri, 11 Dec 2020 10:53:36 +0800
-Subject: [PATCH] isula-build: change default umask of isula-builder process
-
-As the daemon process, the working umask 0027 is not suitable.
-0022 is better.
-
-Take this example:
-isula-builder using 0027, the working dir of container for RUN command
-(overlay/merged dir, as an example), has the 0640. Then developer changes
-working user in RUN command to a non-root user, it will not have
-correct permission to work.
-
-Signed-off-by: Lu Jingxiao <lujingxiao@huawei.com>
---
- constant.go | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/constant.go b/constant.go
-index a0abfc9..30c1653 100644
--- a/constant.go
-+++ b/constant.go
-@@ -51,8 +51,8 @@ const (
- 	DefaultRootDirMode = 0700
- 	// DefaultReadOnlyFileMode is the default root read only file mode
- 	DefaultReadOnlyFileMode = 0444
-	// DefaultUmask is the working umask in isula-builder
-	DefaultUmask = 0027
-+	// DefaultUmask is the working umask of isula-builder as a process, not for users
-+	DefaultUmask = 0022
- 	// CliLogBufferLen is log channel buffer size
- 	CliLogBufferLen = 8
- 	// HostsFilePath is the path of file hosts
-- 
-2.17.1
-
--- a/series.conf
+++ b/series.conf
@ -2,14 +2,3 @@ patch/0013-vendor-change-auth.json-file-mode-from-0700-to-0600.patch
 patch/0030-xattr-support-ima-and-evm.patch
 patch/0033-isula-build-remove-docker-releated-path-for-authenti.patch
 patch/0037-isula-build-fix-goroutine-leak-problem.patch
-patch/0065-fix-panic-when-user-knock-ctrl-c-when-pull-push-and-.patch
-patch/0066-bugfix-chown-config-root-path-before-daemon-started.patch
-patch/0067-bugfix-fix-unsuitable-filemode-for-isula-build-er.patch
-patch/0068-isula-build-support-build-Dockerfile-only-have-FROM-.patch
-patch/0069-isula-build-mask-proc-pin_memory.patch
-patch/0070-hack-add-compile-flag-ftrapv.patch
-patch/0071-imporve-daemon-push-and-pull-unit-test.patch
-patch/0072-fuzz-add-more-fuzz-tests.patch
-patch/0073-cleancode-fix-problems-found-by-code-review.patch
-patch/0074-fix-printing-FROM-command-double-times-to-console.patch
-patch/0075-change-default-umask-of-isula-builder-pr.patch
--- a/v0.9.4.tar.gz
+++ b/v0.9.4.tar.gz
--- a/v0.9.5.tar.gz
+++ b/v0.9.5.tar.gz
 @ -1 +1 @@
 .9.4-14
 .9.5-1