adding in updates

1 year ago · 027a8c16e7
parent a12bc79097
commit 027a8c16e7
3 changed files with 14 additions and 49 deletions
--- a/commands/inspect.go
+++ b/commands/inspect.go
@ -87,7 +87,7 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
 				securityOpts = append(securityOpts, fmt.Sprintf("%s=%q", k, v))
 			}
 			if len(securityOpts) > 0 {
-				fmt.Fprintf(w, "Security Options:\t%s\n", strings.Join(securityOpts, " "))
+				fmt.Fprintf(w, "Security Options:\t%s\n", strings.Join(driverOpts, " "))
 			}

 			if err := n.Err; err != nil {
--- a/driver/docker-container/driver.go
+++ b/driver/docker-container/driver.go
@ -8,7 +8,6 @@ import (
 	"os"
 	"path"
 	"path/filepath"
-	"strconv"
 	"strings"
 	"sync/atomic"
 	"time"
@ -42,7 +41,6 @@ type Driver struct {
 	netMode      string
 	image        string
 	cgroupParent string
-	securityOpts map[string]string
 	env          []string
 }

@ -114,7 +112,7 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 	useInit := true // let it cleanup exited processes created by BuildKit's container API
 	if err := l.Wrap("creating container "+d.Name, func() error {
 		hc := &container.HostConfig{
-			Privileged: true,
+			Privileged: false,
 			Mounts: []mount.Mount{
 				{
 					Type:   mount.TypeVolume,
@ -128,13 +126,6 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 			hc.NetworkMode = container.NetworkMode(d.netMode)
 		}
 		if info, err := d.DockerAPI.Info(ctx); err == nil {
-			secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
-			l.Wrap("driverOpts"+info.CgroupDriver, func() error {
-				return nil
-			})
-			if err != nil {
-				return err
-			}
 			if info.CgroupDriver == "cgroupfs" {
 				// Place all buildkit containers inside this cgroup by default so limits can be attached
 				// to all build activity on the host.
@ -143,27 +134,23 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 					hc.CgroupParent = d.cgroupParent
 				}
 			}
+			secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
+			if err != nil {
+				return err
+			}
 			for _, f := range secOpts {
 				if f.Name == "userns" {
 					hc.UsernsMode = "host"
 					break
 				}
 			}
-			for i, k := range d.securityOpts {
-				switch {
-				case i == "systempaths":
-					hc.MaskedPaths = []string{}
-					hc.ReadonlyPaths = []string{}
-				case i == "privileged":
-					val, err := strconv.ParseBool(k)
-					if err != nil {
-						return errors.Errorf("invalid value privleged security option, options are true/false")
-					}
-					hc.Privileged = val
-				default:
-					hc.SecurityOpt = append(hc.SecurityOpt, i+"="+k)
-				}
-			}
+			hc.SecurityOpt = append(hc.SecurityOpt, "seccomp=unconfined")
+			hc.SecurityOpt = append(hc.SecurityOpt, "apparmor=unconfined")
+			hc.Privileged = false
+			//hc.SecurityOpt = append(hc.SecurityOpt, "systempaths=unconfined")
+			hc.MaskedPaths = []string{}
+			hc.ReadonlyPaths = []string{}
+			//cfg.Env= append(cfg.Env,"systempaths=unconfined")
 		}
 		_, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name)
 		if err != nil && !errdefs.IsConflict(err) {
--- a/driver/docker-container/factory.go
+++ b/driver/docker-container/factory.go
@ -40,7 +40,6 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 		return nil, errors.Errorf("%s driver requires docker API access", f.Name())
 	}
 	d := &Driver{factory: f, InitConfig: cfg}
-	d.securityOpts = make(map[string]string)
 	for k, v := range cfg.DriverOpts {
 		switch {
 		case k == "network":
@ -58,32 +57,11 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 				return nil, errors.Errorf("invalid env option %q, expecting env.FOO=bar", k)
 			}
 			d.env = append(d.env, fmt.Sprintf("%s=%s", envName, v))
-		case k == "seccomp":
-			d.securityOpts[k] = v
-		case k == "apparmor":
-			d.securityOpts[k] = v
-		case k == "systempaths":
-			d.securityOpts[k] = v
-		case k == "privileged":
-			d.securityOpts[k] = v
 		default:
 			return nil, errors.Errorf("invalid driver option %s for docker-container driver", k)
 		}
 	}
-	for i, _ := range cfg.SecurityOpts {
-		switch {
-		case i == "seccomp":
-			continue
-		case i == "apparmor":
-			continue
-		case i == "systempaths":
-			continue
-		case i == "privileged":
-			continue
-		default:
-			return nil, errors.Errorf("invalid Security option %s for docker-container driver", i)
-		}
-	}
+
 	return d, nil
 }