From 6b81b0bed6883c4c23e9a68449c2a2b157ae1377 Mon Sep 17 00:00:00 2001 From: Tonis Tiigi Date: Mon, 8 Jul 2019 15:58:38 -0700 Subject: [PATCH] build: add allowed entitlements Signed-off-by: Tonis Tiigi --- build/build.go | 14 +++++++++----- build/entitlements.go | 21 +++++++++++++++++++++ commands/build.go | 10 ++++++++++ vendor/modules.txt | 12 ++++++------ 4 files changed, 46 insertions(+), 11 deletions(-) create mode 100644 build/entitlements.go diff --git a/build/build.go b/build/build.go index e81e5a91..5e748b55 100644 --- a/build/build.go +++ b/build/build.go @@ -24,6 +24,7 @@ import ( "github.com/moby/buildkit/client" "github.com/moby/buildkit/session" "github.com/moby/buildkit/session/upload/uploadprovider" + "github.com/moby/buildkit/util/entitlements" "github.com/opencontainers/go-digest" specs "github.com/opencontainers/image-spec/specs-go/v1" "github.com/pkg/errors" @@ -55,6 +56,7 @@ type Options struct { CacheFrom []client.CacheOptionsEntry CacheTo []client.CacheOptionsEntry + Allow []entitlements.Entitlement // DockerTarget } @@ -324,11 +326,12 @@ func toSolveOpt(d driver.Driver, multiDriver bool, opt Options, dl dockerLoadCal } so := client.SolveOpt{ - Frontend: "dockerfile.v0", - FrontendAttrs: map[string]string{}, - LocalDirs: map[string]string{}, - CacheExports: opt.CacheTo, - CacheImports: opt.CacheFrom, + Frontend: "dockerfile.v0", + FrontendAttrs: map[string]string{}, + LocalDirs: map[string]string{}, + CacheExports: opt.CacheTo, + CacheImports: opt.CacheFrom, + AllowedEntitlements: opt.Allow, } if multiDriver { @@ -454,6 +457,7 @@ func toSolveOpt(d driver.Driver, multiDriver bool, opt Options, dl dockerLoadCal switch opt.NetworkMode { case "host", "none": so.FrontendAttrs["force-network-mode"] = opt.NetworkMode + so.AllowedEntitlements = append(so.AllowedEntitlements, entitlements.EntitlementNetworkHost) case "", "default": default: return nil, nil, errors.Errorf("network mode %q not supported by buildkit", opt.NetworkMode) 
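Review bot: The new exported field `Allow` on `Options` carries no doc comment, and because it widens what a build is permitted to do, the comment is where a caller of this package learns that. Suggested: `// Allow lists the extra privileged entitlements (e.g. network.host, security.insecure) the build may request; it is passed to BuildKit as SolveOpt.AllowedEntitlements.` The rest of the `Options` struct lies outside the hunk.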
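Review bot: `AllowedEntitlements: opt.Allow` hands the caller's slice header to the `SolveOpt`, and the network-mode hunk later in the same function appends to `so.AllowedEntitlements`; when a caller supplies a slice with spare capacity, that append writes into the caller's backing array. `ParseEntitlements` happens to allocate with cap == len, so the CLI path is unaffected today, but `toSolveOpt` is a package-level entry point and `Options` can be constructed by other callers. Detaching with `AllowedEntitlements: append([]entitlements.Entitlement(nil), opt.Allow...),` removes the aliasing. `toSolveOpt` continues outside the hunk.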
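Review bot: With `--network=host` the code now grants `entitlements.EntitlementNetworkHost` on its own, so `Options.Allow` is not the only route by which that entitlement reaches BuildKit, and nothing in the code says this is deliberate. A one-line comment above the new `append` would settle it, e.g. `// host networking is itself an entitlement; --network=host implies it so the user need not also pass --allow network.host`. When both are given the entitlement appears twice in `AllowedEntitlements`; presumably harmless, but worth confirming on the BuildKit side. The `switch` sits inside `toSolveOpt`, whose body extends beyond the hunk.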
diff --git a/build/entitlements.go b/build/entitlements.go new file mode 100644 index 00000000..cbf24d48 --- /dev/null +++ b/build/entitlements.go @@ -0,0 +1,21 @@ +package build + +import ( + "github.com/moby/buildkit/util/entitlements" + "github.com/pkg/errors" +) + +func ParseEntitlements(in []string) ([]entitlements.Entitlement, error) { + out := make([]entitlements.Entitlement, 0, len(in)) + for _, v := range in { + switch v { + case "security.insecure": + out = append(out, entitlements.EntitlementSecurityInsecure) + case "network.host": + out = append(out, entitlements.EntitlementNetworkHost) + default: + return nil, errors.Errorf("invalid entitlement: %v", v) + } + } + return out, nil +} diff --git a/commands/build.go b/commands/build.go index 1e583293..153bc3f6 100644 --- a/commands/build.go +++ b/commands/build.go @@ -44,6 +44,8 @@ type buildOptions struct { squash bool quiet bool + allow []string + // hidden // untrusted bool // ulimits *opts.UlimitOpt @@ -167,6 +169,12 @@ func runBuild(dockerCli command.Cli, in buildOptions) error { } opts.CacheTo = cacheExports + allow, err := build.ParseEntitlements(in.allow) + if err != nil { + return err + } + opts.Allow = allow + return buildTargets(ctx, dockerCli, map[string]build.Options{"default": opts}, in.progress) } @@ -214,6 +222,8 @@ func buildCmd(dockerCli command.Cli) *cobra.Command { flags.StringVar(&options.target, "target", "", "Set the target build stage to build.") + flags.StringSliceVar(&options.allow, "allow", []string{}, "Allow extra privileged entitlement, e.g. network.host, security.insecure") + // not implemented flags.BoolVarP(&options.quiet, "quiet", "q", false, "Suppress the build output and print image ID on success") flags.StringVar(&options.networkMode, "network", "default", "Set the networking mode for the RUN instructions during build") diff --git a/vendor/modules.txt b/vendor/modules.txt index 113a2a96..4ae93421 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
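Review bot: `ParseEntitlements` is exported but has no doc comment, and the rejection in the `default` arm formats a user-supplied string with `%v`, so an empty or whitespace-bearing value is printed without delimiters. Suggested doc: `// ParseEntitlements converts entitlement names given on the command line into BuildKit entitlements; only "security.insecure" and "network.host" are accepted and any other name is rejected.` and change the arm to `return nil, errors.Errorf("invalid entitlement: %q", v)`. The two case labels duplicate the string values behind the vendored `entitlements` constants; if that package exposes its own parser, delegating to it would keep the accepted set defined in one place.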
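Review bot: The `--allow` flag is registered with a default of `[]string{}` where a nil slice is the conventional empty value in Go and `ParseEntitlements` treats both identically, so `flags.StringSliceVar(&options.allow, "allow", nil, "Allow extra privileged entitlement, e.g. network.host, security.insecure")` is the idiomatic form. Since `StringSliceVar` also splits each value on commas, the help text could mention that several entitlements may be given in one flag. `buildCmd` continues outside the hunk.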
@@ -36,6 +36,8 @@ github.com/containerd/containerd/remotes github.com/containerd/containerd/remotes/docker github.com/containerd/containerd/log github.com/containerd/containerd/content/local +github.com/containerd/containerd/containers +github.com/containerd/containerd/oci github.com/containerd/containerd/labels github.com/containerd/containerd/reference github.com/containerd/containerd/version @@ -44,12 +46,10 @@ github.com/containerd/containerd/sys github.com/containerd/containerd/api/services/content/v1 github.com/containerd/containerd/content/proxy github.com/containerd/containerd/services/content/contentserver -github.com/containerd/containerd/containers -github.com/containerd/containerd/oci -github.com/containerd/containerd -github.com/containerd/containerd/namespaces github.com/containerd/containerd/mount +github.com/containerd/containerd/namespaces github.com/containerd/containerd/snapshots +github.com/containerd/containerd github.com/containerd/containerd/api/services/containers/v1 github.com/containerd/containerd/api/services/diff/v1 github.com/containerd/containerd/api/services/events/v1 @@ -83,12 +83,12 @@ github.com/containerd/containerd/events/exchange github.com/containerd/containerd/identifiers # github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc github.com/containerd/continuity +github.com/containerd/continuity/fs github.com/containerd/continuity/pathdriver github.com/containerd/continuity/devices github.com/containerd/continuity/driver github.com/containerd/continuity/proto github.com/containerd/continuity/sysx -github.com/containerd/continuity/fs github.com/containerd/continuity/syscallx # github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448 github.com/containerd/fifo 
@@ -266,6 +266,7 @@ github.com/moby/buildkit/session github.com/moby/buildkit/session/secrets/secretsprovider github.com/moby/buildkit/session/sshforward/sshprovider github.com/moby/buildkit/session/upload/uploadprovider +github.com/moby/buildkit/util/entitlements github.com/moby/buildkit/util/appcontext github.com/moby/buildkit/identity github.com/moby/buildkit/util/progress/progressui @@ -285,7 +286,6 @@ github.com/moby/buildkit/session/grpchijack github.com/moby/buildkit/solver/pb github.com/moby/buildkit/util/apicaps github.com/moby/buildkit/util/appdefaults -github.com/moby/buildkit/util/entitlements github.com/moby/buildkit/session/secrets github.com/moby/buildkit/session/sshforward github.com/moby/buildkit/session/upload