conjur-debify 1.11.4 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 41e5d9399f2cfe965473a9230f63a4ad29ee6f4ad7cab16444102ea4c9d229ab
-  data.tar.gz: f96651968ae77964629c274601afe6753c44acc8b82cfd60d0831a4d360df899
+  metadata.gz: 2f1513a687cde9e9f2079436b6c9b290748d22a66ebd890c957e4dd1e9200592
+  data.tar.gz: bdbc0f7c3ce085d8ac9ad012b51c07498efcd21218896eb73e6bd4ef12806391
 SHA512:
-  metadata.gz: a0baafc13a1b48124f53ae33934d0ec9901a025ff5b3c61d0f1dfd01747b6c78b355eeb9757f6bf5e918a0b2418e1667be871220eb5365a8e7611f58d2c1bf4f
-  data.tar.gz: d6dcade119d526db7b035f7a109c40642008a5bbe15be5ae1faeabac50b21a11b420c0b3ded0ec2f88405fc9d01464801a6cedd3dfdb0305c43a5b137b8c9699
+  metadata.gz: 77413aeaa1c6e74e293522012375671357a265d25d7e9d70cae42df8218b265a12cdfe5612bcab58b569fc9cb07ba30a44ee595f962239322b4871849f8b3b69
+  data.tar.gz: dc986fbd9bb73204846c8a39ed791432c4d668ac9c1facb51863765e67c81d5ebe004152440ff67b963a5b69abb931924f984c980cd70208c83566d9c6fabcea

data/.gitignore

@@ -16,5 +16,6 @@ features/reports
 results.html
 mkmf.log
 *.deb
+*.rpm
 *.gem
 docker-debify

data/CHANGELOG.md

@@ -1,3 +1,37 @@
+## [Unreleased]
+
+# 2.1.0
+### Changed
+
+- Refine bundler related steps in `debify package` flow: only `package.sh` file configures
+  and invokes bundler. `Dockerfile.fpm` only copies files and adjusts folder structure.
+- Remove bundler 1.* support 
+
+# 2.0.0
+### Changed
+- Debify now receives the flag `--output` as input to indicate the file type that it should package (e.g `rpm`). If this 
+  flag is not given, the default value is `deb`.
+  [conjurinc/debify#56](https://github.com/conjurinc/debify/issues/56)
+
+# 1.12.0
+
+### Added
+- Debify now packages and publishes an RPM file, alongside a debian file.
+  [conjurinc/debify#49](https://github.com/conjurinc/debify/pull/49)
+- `debify package` now offers an `--additional-files` flag to provide a comma
+  separated list of files to include in the FPM build that are not provided
+  automatically by `git ls-files`.
+  [conjurinc/debify#52](https://github.com/conjurinc/debify/pull/52)
+
+### Fixed
+- Bug causing `all` files in the git repo to be added to the debian file.
+  [conjurinc/debify#50](https://github.com/conjurinc/debify/pull/50)
+
+# 1.11.5
+
+### Changed
+* Updated FPM and Test images to use a base image with FIPS-compliant Ruby and OpenSSL.
+
 # 1.11.4
 
 * Updated sandbox password to match Conjur password complexity requirements.

data/CONTRIBUTING.md

@@ -0,0 +1,16 @@
+# Contributing
+
+For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community).
+
+## Contributing
+
+1. [Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo)
+2. [Clone your fork](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/cloning-a-repository)
+3. Make local changes to your fork by editing files
+3. [Commit your changes](https://help.github.com/en/github/managing-files-in-a-repository/adding-a-file-to-a-repository-using-the-command-line)
+4. [Push your local changes to the remote server](https://help.github.com/en/github/using-git/pushing-commits-to-a-remote-repository)
+5. [Create new Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork)
+
+From here your pull request will be reviewed and once you've responded to all
+feedback it will be merged into the project. Congratulations, you're a
+contributor!

data/Dockerfile

@@ -1,44 +1,33 @@
 FROM ruby:2.6-stretch
 
-### DockerInDocker support is take from
-### https://github.com/jpetazzo/dind/blob/master/Dockerfile . I
-### elected to base this image on ruby, then pull in the (slightly
-### outdated) support for DockerInDocker. Creation of the official
-### docker:dind image much more complicated and didn't lend itself to
-### also running ruby.
-
-RUN apt-get update -qq && apt-get install -qqy \
+RUN apt-get update -qq && \
+    apt-get dist-upgrade -qqy && \
+    apt-get install -qqy \
     apt-transport-https \
     ca-certificates \
-    curl \
-    lxc \
-    iptables
+    curl
     
-# Install Docker from Docker Inc. repositories.
-RUN curl -sSL https://get.docker.com/ | sh
-
-# Install the magic wrapper.
-RUN curl -sSL -o /usr/local/bin/wrapdocker https://raw.githubusercontent.com/jpetazzo/dind/master/wrapdocker
-RUN chmod +x /usr/local/bin/wrapdocker
-
-# Define additional metadata for our image.
-VOLUME /var/lib/docker
-
-### End of DockerInDocker support
+# Install Docker client tools
+ENV DOCKERVERSION=20.10.0
+RUN curl -fsSLO https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKERVERSION}.tgz \
+  && tar xzvf docker-${DOCKERVERSION}.tgz --strip 1 \
+                 -C /usr/local/bin docker/docker \
+  && rm docker-${DOCKERVERSION}.tgz
 
 RUN mkdir -p /debify
 WORKDIR /debify
 
 COPY . ./
 
+RUN gem install bundler:2.2.30
 RUN gem build debify.gemspec
 
 ARG VERSION
 RUN gem install -N conjur-debify-${VERSION}.gem
 
 ARG CONJUR_APPLIANCE_URL
-ENV CONJUR_APPLIANCE_URL ${CONJUR_APPLIANCE_URL:-https://conjur-master-v2.itp.conjur.net/api}
+ENV CONJUR_APPLIANCE_URL ${CONJUR_APPLIANCE_URL:-https://conjurops.itp.conjur.net}
 ENV CONJUR_ACCOUNT ${CONJUR_ACCOUNT:-conjur}
-ENV CONJUR_VERSION ${CONJUR_VERSION:-4}
+ENV CONJUR_VERSION ${CONJUR_VERSION:-5}
 
 ENTRYPOINT ["/debify/distrib/entrypoint.sh"]

data/Jenkinsfile

@@ -32,6 +32,27 @@ pipeline {
       }
     }
 
+    stage('Scan Docker image') {
+      parallel {
+        stage('Scan Docker image for fixable issues') {
+          steps{
+            script {
+              VERSION = sh(returnStdout: true, script: 'cat VERSION')
+            }
+            scanAndReport("debify:${VERSION}", "HIGH", false)
+          }
+        }
+        stage('Scan Docker image for all issues') {
+          steps{
+            script {
+              VERSION = sh(returnStdout: true, script: 'cat VERSION')
+            }
+            scanAndReport("debify:${VERSION}", "NONE", true)
+          }
+        }
+      }
+    }
+
     stage('Run feature tests') {
       steps {
         sh './test.sh'
@@ -49,7 +70,6 @@ pipeline {
     }
 
     stage('Publish to RubyGems') {
-      agent { label 'releaser-v2' }
       when {
         allOf {
           branch 'master'
@@ -73,7 +93,6 @@ pipeline {
       steps {
         checkout scm
         sh './publish-rubygem.sh'
-        deleteDir()
       }
     }
   }

data/README.md

@@ -1,5 +1,10 @@
 # Debify
 
+Debify is a tool used for building and testing DAP appliance packages.
+It is mainly used to package and publish debian packages that are consumed into the
+appliance image in its build stage. However, it also packages and publishes an
+RPM package whenever it does so for a debian.
+
 ## Installation
 
 There are two different ways of installing debify: as a gem, or as a Docker image.
@@ -284,7 +289,7 @@ Start a sandbox, see that it can resolve the hostname `mydb`:
 
 ```sh-session
 
-example $ debify sandbox -t 4.9-stable --net testnet
+example $ debify sandbox -t 5.0-stable --net testnet
 example $ docker exec -it example-sandbox /bin/bash
 root@7d4217655332:/src/example# getent hosts mydb
 172.19.0.2      mydb
@@ -293,8 +298,6 @@ root@7d4217655332:/src/example# getent hosts mydb
 
 ## Contributing
 
-1. Fork it ( https://github.com/[my-github-username]/debify/fork )
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create a new Pull Request
+For instructions on how to get started and 
+descriptions of our development workflows, please see our
+[contributing guide](CONTRIBUTING.md).

data/Rakefile

@@ -33,7 +33,8 @@ if cucumber?
   Cucumber::Rake::Task.new(:features) do |t|
     opts = "features --format junit -o #{CUKE_RESULTS} --format pretty -x"
     opts += " --tags #{ENV['TAGS']}" if ENV['TAGS']
-    t.cucumber_opts =  opts
+    opts += " --tags ~@skip"
+    t.cucumber_opts = opts
     t.fork = false
   end
 

data/VERSION

@@ -1 +1 @@
-1.11.4
+2.1.0

data/ci/test.sh

@@ -2,11 +2,6 @@
 
 bundle
 
-# Some tests need to be logged in to the registry, to pull a base
-# image if it's not already available. Have entrypoint.sh do something
-# simple, and log in as a side effect.
-/debify/distrib/entrypoint.sh detect-version
-
 for target in spec cucumber; do
   bundle exec rake $target
 done

data/debify.gemspec

@@ -6,8 +6,8 @@ require 'conjur/debify/version'
 Gem::Specification.new do |spec|
   spec.name          = "conjur-debify"
   spec.version       = Conjur::Debify::VERSION
-  spec.authors       = ["Kevin Gilpin"]
-  spec.email         = ["kgilpin@conjur.net"]
+  spec.authors       = ["CyberArk Software, Inc."]
+  spec.email         = ["conj_maintainers@cyberark.com"]
   spec.summary       = %q{Utility commands to build and package Conjur services as Debian packages}
   spec.homepage      = "https://github.com/conjurinc/debify"
   spec.license       = "MIT"
@@ -18,20 +18,20 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
   
   spec.add_dependency "gli"
-  spec.add_dependency "docker-api", "~> 1.33"
+  spec.add_dependency "docker-api", "~> 2.0"
   spec.add_dependency "conjur-cli" , "~> 6"
   spec.add_dependency "conjur-api", "~> 5"
 
-  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "bundler", ">= 2.2.30"
   spec.add_development_dependency "fakefs", "~> 0"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rake", "~> 13.0"
   
   # Pin to cucumbe v2. cucumber v3 changes (breaks) the behavior of
   # unmatched capture groups with \(d+). In v3, the value of such a
   # group is 0 instead of nil, which breaks aruba's "I successfully
   # run...." steps.
   spec.add_development_dependency "cucumber", '~> 2'
-  spec.add_development_dependency "aruba"
+  spec.add_development_dependency "aruba", "~> 1.0"
   spec.add_development_dependency 'rspec', '~> 3'
   spec.add_development_dependency 'ci_reporter_rspec', '~> 1.0'
 end

data/distrib/docker-debify

@@ -39,10 +39,12 @@ docker run -i $tty --rm \
   -e CONJUR_APPLIANCE_URL -e CONJUR_SSL_CERTIFICATE \
   -e GIT_BRANCH -e BRANCH_NAME \
   -e ARTIFACTORY_USER -e ARTIFACTORY_PASSWORD \
+  -e HOME \
   ${envfile_arg} \
-  -v $PWD:$PWD -w $PWD \
+  -v "$PWD:$PWD" -w "$PWD" \
   -v /var/run/docker.sock:/var/run/docker.sock \
-  -v ${netrc}:/root/.netrc:ro \
+  -v "${HOME}:${HOME}" \
+  -v "${netrc}:${HOME}/.netrc:ro" \
   ${rc_arg} \
   ${DEBIFY_ENTRYPOINT+--entrypoint $DEBIFY_ENTRYPOINT} \
   ${DEBIFY_IMAGE-registry.tld/conjurinc/debify:@@DEBIFY_VERSION@@} "$@"

data/distrib/entrypoint.sh

@@ -6,17 +6,14 @@ set +x
 
 creds=( $(ruby /debify/distrib/conjur_creds.rb) )
 
-# If there are creds, use them to log in to the registry. Then, run
-# the magic DockerInDocker wrapper script so debify can interact with
-# the Docker daemon.
+# If there are creds, use them to log in to the registry.
 #
-# If there are no creds, just run debify itself. Any commands that do
+# If there are no creds, any commands that do
 # Docker stuff will fail, but the non-Docker commands (e.g. the config
 # subcommands) will work fine.
 if [[ ${#creds[*]} > 0 ]]; then
   echo -n "${creds[1]}" | docker login registry.tld -u ${creds[0]} --password-stdin >/dev/null 2>&1
-  exec wrapdocker debify "$@"
-else
-  exec debify "$@"
 fi
 
+exec debify "$@"
+

data/example/Gemfile.lock

@@ -29,4 +29,4 @@ DEPENDENCIES
   rspec
 
 BUNDLED WITH
-   1.16.1
+   2.1.4

data/example/net-test.sh

@@ -2,6 +2,6 @@
 
 cid=$1
 
-docker exec $cid ping -c1 other_host
+docker exec $cid curl -s http://other_host > /dev/null
 
 echo Test succeeded

data/features/package.feature

@@ -2,16 +2,22 @@
 Feature: Packaging
 
   Background:
-    Given I successfully run `env DEBUG=true GLI_DEBUG=true debify package -d ../../example -v 0.0.1 example -- --post-install /distrib/postinstall.sh`
+    # We use version 0.0.1-suffix to verify that RPM converts dashes to underscores
+    # in the version as we expect
+    Given I successfully run `env DEBUG=true GLI_DEBUG=true debify package -d ../../example -v 0.0.1-suffix example -- --post-install /distrib/postinstall.sh`
+    And I successfully run `env DEBUG=true GLI_DEBUG=true debify package -d ../../example --output rpm  -v 0.0.1-suffix example  -- --post-install /distrib/postinstall.sh`
 
   Scenario: 'example' project can be packaged successfully
-    Then the stdout should contain "conjur-example_0.0.1_amd64.deb"
-    And the stdout should contain "conjur-example-dev_0.0.1_amd64.deb"
+    Then the stdout should contain "conjur-example_0.0.1-suffix_amd64.deb"
+    And the stdout should contain "conjur-example-dev_0.0.1-suffix_amd64.deb"
+    And the stdout should contain "conjur-example-0.0.1_suffix-1.x86_64.rpm"
+    And the stdout should contain "conjur-example-dev-0.0.1_suffix-1.x86_64.rpm"
 
   Scenario: 'clean' command will delete non-Git-managed files
     When I successfully run `env DEBUG=true GLI_DEBUG=true debify clean -d ../../example --force`
     And I successfully run `find ../../example`
-    Then the stdout from "find ../../example" should not contain "conjur-example_0.0.1_amd64.deb"
-    
+    Then the stdout from "find ../../example" should not contain "conjur-example_0.0.1-suffix_amd64.deb"
+    And the stdout from "find ../../example" should not contain "conjur-example-0.0.1_suffix-1.x86_64.rpm"
+
   Scenario: 'example' project can be published
-    When I successfully run `env DEBUG=true GLI_DEBUG=true debify publish -v 0.0.1 -d ../../example 4.9 example`
+    When I successfully run `env DEBUG=true GLI_DEBUG=true debify publish -v 0.0.1-suffix -d ../../example 5.0 example`

data/features/sandbox.feature

@@ -1,19 +1,23 @@
 @announce-output
 Feature: Running a sandbox
   Background:
-    Given I successfully run `docker pull registry.tld/conjur-appliance-cuke-master:4.9-stable`
+    Given I successfully run `docker pull registry.tld/conjur-appliance-cuke-master:5.0-stable`
+    # The extra containers will use the `alpine` image, so we need to pull it first on the
+    # host to use the authenticated DockerHub connection. This avoids hitting DockerHub
+    # rate limits.
+    And I successfully run `docker pull nginx`
 
   Scenario: sandbox for 'example' project be started
-    Given I successfully start a sandbox for "example" with arguments "-t 4.9-stable --no-pull"
+    Given I successfully start a sandbox for "example" with arguments "-t 5.0-stable --no-pull"
 
   Scenario: sandbox for 'example' project be started linked to another container
     Given I start a container named "other_host"
-    Then I successfully start a sandbox for "example" with arguments "-t 4.9-stable --no-pull --link other_host -c 'ping -c1 other_host'"
+    Then I successfully start a sandbox for "example" with arguments "-t 5.0-stable --no-pull --link other_host -c 'curl -s http://other_host > /dev/null'"
 
   Scenario: sandbox for 'example' project be started on a network other than the default
     Given I start a container named "other_host" on network "test-net"
-    Then I successfully start a sandbox for "example" with arguments "-t 4.9-stable --no-pull --net test-net -c 'ping -c1 other_host'"
+    Then I successfully start a sandbox for "example" with arguments "-t 5.0-stable --no-pull --net test-net -c 'curl -s http://other_host > /dev/null'"
 
   Scenario: sandbox for 'example' project be started on a network other than the default with a host aliased
     Given I start a container named "another_host" on network "test-net"
-    Then I successfully start a sandbox for "example" with arguments "-t 4.9-stable --no-pull --net test-net --link another_host:other_host -c 'ping -c1 other_host'"
+    Then I successfully start a sandbox for "example" with arguments "-t 5.0-stable --no-pull --net test-net --link another_host:other_host -c 'curl -s http://other_host > /dev/null'"

data/features/step_definitions/debify_steps.rb

@@ -12,11 +12,9 @@ When /^I start a container named "(.*?)"(?: on network "(.*?)")*$/ do |name, net
     networks << network
   end
   
-  alpine = Docker::Image.create('fromImage' => 'alpine')
   options = {
     'name' => name,
-    'Cmd' => [ "sh", "-c", "while true; do sleep 1; done" ],
-    'Image' => alpine.id
+    'Image' => 'nginx'
   }
   options['HostConfig'] = { 'NetworkMode' => net_name } if net_name
     

data/features/support/env.rb

@@ -6,5 +6,7 @@ LIB_DIR = File.join(File.expand_path(File.dirname(__FILE__)),'..','..','lib')
 
 Aruba.configure do |config|
   config.exit_timeout = 1200
+  # not a best practice from aruba's point of view
+  # but the only solution I've found to have docker credentials context
+  config.home_directory = ENV['HOME']
 end
-

data/features/test.feature

@@ -5,20 +5,20 @@ Feature: Testing
     Given I successfully run `env DEBUG=true GLI_DEBUG=true debify package -d ../../example -v 0.0.1 example -- --post-install /distrib/postinstall.sh`
 
   Scenario: 'example' project can be tested successfully
-    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 4.9-stable -v 0.0.1 -d ../../example --no-pull example test.sh`
+    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 5.0-stable -v 0.0.1 -d ../../example --no-pull example test.sh`
     Then the stderr should contain "Test succeeded"
 
   Scenario: 'example' project can be tested when linked to another container
     Given I start a container named "other_host"
-    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 4.9-stable -v 0.0.1 -d ../../example --no-pull --link other_host example net-test.sh`
+    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 5.0-stable -v 0.0.1 -d ../../example --no-pull --link other_host example net-test.sh`
     Then the stderr should contain "Test succeeded"
 
   Scenario: 'example' project can be tested on a network other than the default
     Given I start a container named "other_host" on network "test-net"
-    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 4.9-stable -v 0.0.1 -d ../../example --no-pull --net test-net example net-test.sh`
+    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 5.0-stable -v 0.0.1 -d ../../example --no-pull --net test-net example net-test.sh`
     Then the stderr should contain "Test succeeded"
 
   Scenario: 'example' project can be tested on a network other than the default with a host aliased
     Given I start a container named "another_host" on network "test-net"
-    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 4.9-stable -v 0.0.1 -d ../../example --no-pull --link another_host:other_host --net test-net example net-test.sh`
+    When I successfully run `env DEBUG=true GLI_DEBUG=true debify test -t 5.0-stable -v 0.0.1 -d ../../example --no-pull --link another_host:other_host --net test-net example net-test.sh`
     Then the stderr should contain "Test succeeded"

data/lib/conjur/debify/Dockerfile.fpm

@@ -7,10 +7,6 @@ WORKDIR /src/opt/conjur/project
 COPY Gemfile ./
 COPY Gemfile.lock ./
 
-RUN bundle --deployment
-RUN mkdir -p .bundle
-RUN cp /usr/local/bundle/config .bundle/config
-
 COPY . .
 ADD debify.sh /
 

data/lib/conjur/debify/action/publish.rb

@@ -25,14 +25,12 @@ module Conjur::Debify
 
         Dir.chdir dir do
           version = cmd_options[:version] || detect_version
-          component = cmd_options[:component] || detect_component
-          package_name = "conjur-#{project_name}_#{version}_amd64.deb"
 
           publish_image = create_image
           DebugMixin.debug_write "Built base publish image '#{publish_image.id}'\n"
 
           art_url = cmd_options[:url]
-          art_repo = cmd_options[:repo]
+          deb_art_repo = cmd_options[:repo]
 
           art_user = ENV['ARTIFACTORY_USER']
           art_password = ENV['ARTIFACTORY_PASSWORD']
@@ -40,23 +38,35 @@ module Conjur::Debify
             art_user, art_password = fetch_art_creds
           end
 
-          options = {
-            'Image' => publish_image.id,
-            'Cmd' => [
-              "jfrog", "rt", "upload",
-              "--url", art_url,
-              "--user", art_user,
-              "--password", art_password,
-              "--deb", "#{distribution}/#{component}/amd64",
-              package_name, "#{art_repo}/"
-            ],
-            'Binds' => [
-              [ dir, "/src" ].join(':')
-            ]
-          }
-          options['Privileged'] = true if Docker.version['Version'] >= '1.10.0'
-
-          publish(options)
+          # Publish deb package
+          component = cmd_options[:component] || detect_component
+          deb_info = "#{distribution}/#{component}/amd64"
+          package_name = "conjur-#{project_name}_#{version}_amd64.deb"
+          publish_package(
+            publish_image: publish_image,
+            art_url: art_url,
+            art_user: art_user,
+            art_password: art_password,
+            art_repo: deb_art_repo,
+            package_name: package_name,
+            dir: dir,
+            deb_info: deb_info
+          )
+
+          # Publish RPM package
+          # The rpm builder replaces dashes with underscores in the version
+          rpm_version = version.tr('-', '_')
+          package_name = "conjur-#{project_name}-#{rpm_version}-1.x86_64.rpm"
+          rpm_art_repo = cmd_options['rpm-repo']
+          publish_package(
+            publish_image: publish_image,
+            art_url: art_url,
+            art_user: art_user,
+            art_password: art_password,
+            art_repo: rpm_art_repo,
+            package_name: package_name,
+            dir: dir
+          )
         end
       end
 
@@ -77,6 +87,39 @@ module Conjur::Debify
         [conjur.resource(username_var).value, conjur.resource(password_var).value]
       end
 
+      def publish_package(
+        publish_image:,
+        art_url:,
+        art_user:,
+        art_password:,
+        art_repo:,
+        package_name:,
+        dir:,
+        deb_info: nil
+      )
+
+        cmd_args = [
+          "jfrog", "rt", "upload",
+          "--url", art_url,
+          "--user", art_user,
+          "--password", art_password,
+        ]
+
+        cmd_args += ["--deb", deb_info] if deb_info
+        cmd_args += [package_name, "#{art_repo}/"]
+
+        options = {
+          'Image' => publish_image.id,
+          'Cmd' => cmd_args,
+          'Binds' => [
+            [ dir, "/src" ].join(':')
+          ]
+        }
+        options['Privileged'] = true if Docker.version['Version'] >= '1.10.0'
+
+        publish(options)
+      end
+
       def publish(options)
         container = Docker::Container.create(options)
         begin

data/lib/conjur/debify/utils.rb

@@ -6,7 +6,7 @@ module Conjur::Debify::Utils
   # copy a file from container to the current working directory
   def copy_from_container container, path
     tar = StringIO.new
-    container.copy(path) { |chunk| tar.write chunk }
+    container.archive_out(path) { |chunk| tar.write chunk }
     tar.rewind
     Gem::Package::TarReader.new(tar).each do |entry|
       File.write entry.full_name, entry.read