docker-container: move userns detection into driver

This moves the detection of the docker daemon's security options into
the driver from the factory, handling them in a similar way to how we do
cgroups.

Because of recent changes that modify error detection in driver
creation, this attempt to contact the docker daemon during builder
creation meant that a docker-container builder could not be created
without access to the docker socket. This patch resolves this by
deferring the Info call to the driver, when the container is actually
created.

Signed-off-by: Justin Chadwell <me@jedevc.com>
pull/1368/head
Justin Chadwell 2 years ago
parent a6caf4b948
commit 33ef1b3a30

@ -36,7 +36,6 @@ const (
type Driver struct { type Driver struct {
driver.InitConfig driver.InitConfig
factory driver.Factory factory driver.Factory
userNSRemap bool // true if dockerd is running with userns-remap mode
netMode string netMode string
image string image string
cgroupParent string cgroupParent string
@ -120,19 +119,30 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
}, },
}, },
} }
if d.userNSRemap {
hc.UsernsMode = "host"
}
if d.netMode != "" { if d.netMode != "" {
hc.NetworkMode = container.NetworkMode(d.netMode) hc.NetworkMode = container.NetworkMode(d.netMode)
} }
if info, err := d.DockerAPI.Info(ctx); err == nil && info.CgroupDriver == "cgroupfs" { if info, err := d.DockerAPI.Info(ctx); err == nil {
// Place all buildkit containers inside this cgroup by default so limits can be attached if info.CgroupDriver == "cgroupfs" {
// to all build activity on the host. // Place all buildkit containers inside this cgroup by default so limits can be attached
hc.CgroupParent = "/docker/buildx" // to all build activity on the host.
if d.cgroupParent != "" { hc.CgroupParent = "/docker/buildx"
hc.CgroupParent = d.cgroupParent if d.cgroupParent != "" {
hc.CgroupParent = d.cgroupParent
}
}
secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
if err != nil {
return err
}
for _, f := range secOpts {
if f.Name == "userns" {
hc.UsernsMode = "host"
break
}
} }
} }
_, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name) _, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name)
if err != nil { if err != nil {
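Review bot: The new `if info, err := d.DockerAPI.Info(ctx); err == nil {` wrapper silently skips userns detection when Info fails, so on a userns-remap daemon a transient API error now creates the buildkit container without `hc.UsernsMode = "host"`, whereas the factory previously surfaced that error. Since this setting decides which user namespace the build container runs in, failing the create is safer than quietly falling back: `info, err := d.DockerAPI.Info(ctx)` followed by `if err != nil { return errors.Wrap(err, "getting docker info") }` (using whichever error package driver.go already imports), with the cgroupfs and userns checks then unconditional; ContainerCreate needs the daemon anyway, so this adds no new availability requirement. The bare `return err` after DecodeSecurityOptions could carry the same kind of context. The create function begins before and continues after the hunk.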

@ -6,7 +6,6 @@ import (
"strings" "strings"
"github.com/docker/buildx/driver" "github.com/docker/buildx/driver"
dockertypes "github.com/docker/docker/api/types"
dockerclient "github.com/docker/docker/client" dockerclient "github.com/docker/docker/client"
"github.com/pkg/errors" "github.com/pkg/errors"
) )
@ -41,20 +40,6 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
return nil, errors.Errorf("%s driver requires docker API access", f.Name()) return nil, errors.Errorf("%s driver requires docker API access", f.Name())
} }
d := &Driver{factory: f, InitConfig: cfg} d := &Driver{factory: f, InitConfig: cfg}
dockerInfo, err := cfg.DockerAPI.Info(ctx)
if err != nil {
return nil, err
}
secOpts, err := dockertypes.DecodeSecurityOptions(dockerInfo.SecurityOptions)
if err != nil {
return nil, err
}
for _, f := range secOpts {
if f.Name == "userns" {
d.userNSRemap = true
break
}
}
for k, v := range cfg.DriverOpts { for k, v := range cfg.DriverOpts {
switch { switch {
case k == "network": case k == "network":
