publicWagsHome/buildx
1
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

adding in updates

Browse Source
This commit is contained in:
nathan wagner
2023-09-11 09:57:24 -04:00
parent a12bc79097
commit 027a8c16e7
3 changed files with 14 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
commands/inspect.go
View File

@@ -87,7 +87,7 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
securityOpts = append(securityOpts, fmt.Sprintf("%s=%q", k, v)) securityOpts = append(securityOpts, fmt.Sprintf("%s=%q", k, v))
} }
if len(securityOpts) > 0 { if len(securityOpts) > 0 {
fmt.Fprintf(w, "Security Options:\t%s\n", strings.Join(securityOpts, " ")) fmt.Fprintf(w, "Security Options:\t%s\n", strings.Join(driverOpts, " "))
} }
if err := n.Err; err != nil { if err := n.Err; err != nil {

37
driver/docker-container/driver.go
View File

@@ -8,7 +8,6 @@ import (
"os" "os"
"path" "path"
"path/filepath" "path/filepath"
"strconv"
"strings" "strings"
"sync/atomic" "sync/atomic"
"time" "time"
@@ -42,7 +41,6 @@ type Driver struct {
netMode string netMode string
image string image string
cgroupParent string cgroupParent string
securityOpts map[string]string
env []string env []string
} }
@@ -114,7 +112,7 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
useInit := true // let it cleanup exited processes created by BuildKit's container API useInit := true // let it cleanup exited processes created by BuildKit's container API
if err := l.Wrap("creating container "+d.Name, func() error { if err := l.Wrap("creating container "+d.Name, func() error {
hc := &container.HostConfig{ hc := &container.HostConfig{
Privileged: true, Privileged: false,
Mounts: []mount.Mount{ Mounts: []mount.Mount{
{ {
Type: mount.TypeVolume, Type: mount.TypeVolume,
@@ -128,13 +126,6 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
hc.NetworkMode = container.NetworkMode(d.netMode) hc.NetworkMode = container.NetworkMode(d.netMode)
} }
if info, err := d.DockerAPI.Info(ctx); err == nil { if info, err := d.DockerAPI.Info(ctx); err == nil {
secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
l.Wrap("driverOpts"+info.CgroupDriver, func() error {
return nil
})
if err != nil {
return err
}
if info.CgroupDriver == "cgroupfs" { if info.CgroupDriver == "cgroupfs" {
// Place all buildkit containers inside this cgroup by default so limits can be attached // Place all buildkit containers inside this cgroup by default so limits can be attached
// to all build activity on the host. // to all build activity on the host.
@@ -143,27 +134,23 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
hc.CgroupParent = d.cgroupParent hc.CgroupParent = d.cgroupParent
} }
} }
secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
if err != nil {
return err
}
for _, f := range secOpts { for _, f := range secOpts {
if f.Name == "userns" { if f.Name == "userns" {
hc.UsernsMode = "host" hc.UsernsMode = "host"
break break
} }
} }
for i, k := range d.securityOpts { hc.SecurityOpt = append(hc.SecurityOpt, "seccomp=unconfined")
switch { hc.SecurityOpt = append(hc.SecurityOpt, "apparmor=unconfined")
case i == "systempaths": hc.Privileged = false
hc.MaskedPaths = []string{} //hc.SecurityOpt = append(hc.SecurityOpt, "systempaths=unconfined")
hc.ReadonlyPaths = []string{} hc.MaskedPaths = []string{}
case i == "privileged": hc.ReadonlyPaths = []string{}
val, err := strconv.ParseBool(k) //cfg.Env= append(cfg.Env,"systempaths=unconfined")
if err != nil {
return errors.Errorf("invalid value privleged security option, options are true/false")
}
hc.Privileged = val
default:
hc.SecurityOpt = append(hc.SecurityOpt, i+"="+k)
}
}
} }
_, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name) _, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name)
if err != nil && !errdefs.IsConflict(err) { if err != nil && !errdefs.IsConflict(err) {

24
driver/docker-container/factory.go
View File

@@ -40,7 +40,6 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
return nil, errors.Errorf("%s driver requires docker API access", f.Name()) return nil, errors.Errorf("%s driver requires docker API access", f.Name())
} }
d := &Driver{factory: f, InitConfig: cfg} d := &Driver{factory: f, InitConfig: cfg}
d.securityOpts = make(map[string]string)
for k, v := range cfg.DriverOpts { for k, v := range cfg.DriverOpts {
switch { switch {
case k == "network": case k == "network":
@@ -58,32 +57,11 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
return nil, errors.Errorf("invalid env option %q, expecting env.FOO=bar", k) return nil, errors.Errorf("invalid env option %q, expecting env.FOO=bar", k)
} }
d.env = append(d.env, fmt.Sprintf("%s=%s", envName, v)) d.env = append(d.env, fmt.Sprintf("%s=%s", envName, v))
case k == "seccomp":
d.securityOpts[k] = v
case k == "apparmor":
d.securityOpts[k] = v
case k == "systempaths":
d.securityOpts[k] = v
case k == "privileged":
d.securityOpts[k] = v
default: default:
return nil, errors.Errorf("invalid driver option %s for docker-container driver", k) return nil, errors.Errorf("invalid driver option %s for docker-container driver", k)
} }
} }
for i, _ := range cfg.SecurityOpts {
switch {
case i == "seccomp":
continue
case i == "apparmor":
continue
case i == "systempaths":
continue
case i == "privileged":
continue
default:
return nil, errors.Errorf("invalid Security option %s for docker-container driver", i)
}
}
return d, nil return d, nil
} }