doing it

1 year ago · 4d142d8b45
parent 44dd1f1f5e
commit 4d142d8b45
8 changed files with 65 additions and 26 deletions
--- a/builder/node.go
+++ b/builder/node.go
@ -109,7 +109,7 @@ func (b *Builder) LoadNodes(ctx context.Context, withData bool) (_ []Node, err e
 					}
 				}

-				d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, factory, n.Endpoint, dockerapi, imageopt.Auth, kcc, n.Flags, n.Files, n.DriverOpts, n.Platforms, b.opts.contextPathHash)
+				d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, factory, n.Endpoint, dockerapi, imageopt.Auth, kcc, n.Flags, n.Files, n.DriverOpts, n.SecurityOpts, n.Platforms, b.opts.contextPathHash)
 				if err != nil {
 					node.Err = err
 					return nil
--- a/commands/create.go
+++ b/commands/create.go
@ -42,6 +42,7 @@ type createOptions struct {
 	flags        string
 	configFile   string
 	driverOpts   []string
+	securityOpts []string
 	bootstrap    bool
 	// upgrade      bool // perform upgrade of the driver
 }
@ -239,6 +240,11 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 			return err
 		}

+		s, err := csvToMap(in.securityOpts)
+		if err != nil {
+			return err
+		}
+
 		if in.configFile == "" {
 			// if buildkit config is not provided, check if the default one is
 			// available and use it
@ -248,7 +254,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 			}
 		}

-		if err := ng.Update(in.nodeName, ep, in.platform, setEp, in.actionAppend, flags, in.configFile, m); err != nil {
+		if err := ng.Update(in.nodeName, ep, in.platform, setEp, in.actionAppend, flags, in.configFile, m, s); err != nil {
 			return err
 		}
 	}
@ -340,6 +346,7 @@ func createCmd(dockerCli command.Cli) *cobra.Command {
 	flags.StringVar(&options.configFile, "config", "", "BuildKit config file")
 	flags.StringArrayVar(&options.platform, "platform", []string{}, "Fixed platforms for current node")
 	flags.StringArrayVar(&options.driverOpts, "driver-opt", []string{}, "Options for the driver")
+	flags.StringArrayVar(&options.securityOpts, "security-opt", []string{}, "Options for the security profile of driver")
 	flags.BoolVar(&options.bootstrap, "bootstrap", false, "Boot builder after creation")

 	flags.BoolVar(&options.actionAppend, "append", false, "Append a node to builder instead of changing it")
--- a/commands/inspect.go
+++ b/commands/inspect.go
@ -82,6 +82,13 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
 			if len(driverOpts) > 0 {
 				fmt.Fprintf(w, "Driver Options:\t%s\n", strings.Join(driverOpts, " "))
 			}
+			var securityOpts []string
+			for k, v := range n.SecurityOpts {
+				securityOpts = append(securityOpts, fmt.Sprintf("%s=%q", k, v))
+			}
+			if len(securityOpts) > 0 {
+				fmt.Fprintf(w, "Security Options:\t%s\n", strings.Join(driverOpts, " "))
+			}

 			if err := n.Err; err != nil {
 				fmt.Fprintf(w, "Error:\t%s\n", err.Error())
--- a/driver/docker-container/driver.go
+++ b/driver/docker-container/driver.go
@ -3,6 +3,7 @@ package docker
 import (
 	"bytes"
 	"context"
+	"fmt"
 	"io"
 	"net"
 	"os"
@ -109,11 +110,10 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 	if d.InitConfig.BuildkitFlags != nil {
 		cfg.Cmd = d.InitConfig.BuildkitFlags
 	}
-
 	useInit := true // let it cleanup exited processes created by BuildKit's container API
 	if err := l.Wrap("creating container "+d.Name, func() error {
 		hc := &container.HostConfig{
-			Privileged: true,
+			Privileged: false,
 			Mounts: []mount.Mount{
 				{
 					Type:   mount.TypeVolume,
@ -135,19 +135,25 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 					hc.CgroupParent = d.cgroupParent
 				}
 			}
-
 			secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
 			if err != nil {
 				return err
 			}
 			for _, f := range secOpts {
+				fmt.Println(f)
 				if f.Name == "userns" {
 					hc.UsernsMode = "host"
 					break
 				}
 			}
-
+			//hc.SecurityOpt=["seccomp:unconfined" "apparmor:unconfined" "systempaths:unconfined"]
+			hc.SecurityOpt = append(hc.SecurityOpt, "seccomp=unconfined")
+			hc.SecurityOpt = append(hc.SecurityOpt, "apparmor=unconfined")
+			hc.SecurityOpt = append(hc.SecurityOpt, "systempaths=unconfined")
+			hc.Privileged = false
 		}
+		fmt.Println(cfg)
+		fmt.Println(hc)
 		_, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name)
 		if err != nil && !errdefs.IsConflict(err) {
 			return err
@ -273,6 +279,7 @@ func (d *Driver) run(ctx context.Context, cmd []string, stdout, stderr io.Writer
 	if resp.ExitCode != 0 {
 		return errors.Errorf("exit code %d", resp.ExitCode)
 	}
+	fmt.Println("did I get in here")
 	return nil
 }

--- a/driver/driver.go
+++ b/driver/driver.go
@ -2,6 +2,7 @@ package driver

 import (
 	"context"
+	"fmt"
 	"io"

 	"github.com/docker/buildx/store"
@ -65,12 +66,15 @@ type Driver interface {
 }

 func Boot(ctx, clientContext context.Context, d *DriverHandle, pw progress.Writer) (*client.Client, error) {
+	fmt.Println("I don't like being confused")
 	try := 0
 	for {
+		fmt.Println("in the for...block?")
 		info, err := d.Info(ctx)
 		if err != nil {
 			return nil, err
 		}
+		fmt.Println("I think d.Info might be doing an out of band thing")
 		try++
 		if info.Status != Running {
 			if try > 2 {
@ -80,7 +84,7 @@ func Boot(ctx, clientContext context.Context, d *DriverHandle, pw progress.Write
 				return nil, err
 			}
 		}
-
+		fmt.Println("before or after running")
 		c, err := d.Client(clientContext)
 		if err != nil {
 			if errors.Cause(err) == ErrNotRunning && try <= 2 {
@ -88,6 +92,7 @@ func Boot(ctx, clientContext context.Context, d *DriverHandle, pw progress.Write
 			}
 			return nil, err
 		}
+		fmt.Println("before final return")
 		return c, nil
 	}
 }
--- a/driver/manager.go
+++ b/driver/manager.go
@ -56,6 +56,7 @@ type InitConfig struct {
 	BuildkitFlags    []string
 	Files            map[string][]byte
 	DriverOpts       map[string]string
+	SecurityOpts     map[string]string
 	Auth             Auth
 	Platforms        []specs.Platform
 	// ContextPathHash can be used for determining pods in the driver instance
@ -104,7 +105,7 @@ func GetFactory(name string, instanceRequired bool) (Factory, error) {
 	return nil, errors.Errorf("failed to find driver %q", name)
 }

-func GetDriver(ctx context.Context, name string, f Factory, endpointAddr string, api dockerclient.APIClient, auth Auth, kcc KubeClientConfig, flags []string, files map[string][]byte, do map[string]string, platforms []specs.Platform, contextPathHash string) (*DriverHandle, error) {
+func GetDriver(ctx context.Context, name string, f Factory, endpointAddr string, api dockerclient.APIClient, auth Auth, kcc KubeClientConfig, flags []string, files map[string][]byte, do map[string]string, so map[string]string, platforms []specs.Platform, contextPathHash string) (*DriverHandle, error) {
 	ic := InitConfig{
 		EndpointAddr:     endpointAddr,
 		DockerAPI:        api,
@ -112,6 +113,7 @@ func GetDriver(ctx context.Context, name string, f Factory, endpointAddr string,
 		Name:             name,
 		BuildkitFlags:    flags,
 		DriverOpts:       do,
+		SecurityOpts:     so,
 		Auth:             auth,
 		Platforms:        platforms,
 		ContextPathHash:  contextPathHash,
--- a/out/buildx
+++ b/out/buildx
--- a/store/nodegroup.go
+++ b/store/nodegroup.go
@ -24,11 +24,12 @@ type NodeGroup struct {
 }

 type Node struct {
-	Name       string
-	Endpoint   string
-	Platforms  []specs.Platform
-	Flags      []string
-	DriverOpts map[string]string
+	Name         string
+	Endpoint     string
+	Platforms    []specs.Platform
+	Flags        []string
+	DriverOpts   map[string]string
+	SecurityOpts map[string]string

 	Files map[string][]byte
 }
@ -48,7 +49,7 @@ func (ng *NodeGroup) Leave(name string) error {
 	return nil
 }

-func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpointsSet bool, actionAppend bool, flags []string, configFile string, do map[string]string) error {
+func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpointsSet bool, actionAppend bool, flags []string, configFile string, do map[string]string, so map[string]string) error {
 	if ng.Dynamic {
 		return errors.New("dynamic node group does not support Update")
 	}
@ -91,6 +92,10 @@ func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpoints
 			n.DriverOpts = do
 			needsRestart = true
 		}
+		if so != nil {
+			n.SecurityOpts = so
+			needsRestart = true
+		}
 		if configFile != "" {
 			for k, v := range files {
 				n.Files[k] = v
@ -118,12 +123,13 @@ func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpoints
 	}

 	n := Node{
-		Name:       name,
-		Endpoint:   endpoint,
-		Platforms:  pp,
-		Flags:      flags,
-		DriverOpts: do,
-		Files:      files,
+		Name:         name,
+		Endpoint:     endpoint,
+		Platforms:    pp,
+		Flags:        flags,
+		DriverOpts:   do,
+		SecurityOpts: so,
+		Files:        files,
 	}

 	ng.Nodes = append(ng.Nodes, n)
@ -156,6 +162,10 @@ func (n *Node) Copy() *Node {
 	for k, v := range n.DriverOpts {
 		driverOpts[k] = v
 	}
+	securityOpts := map[string]string{}
+	for k, v := range n.SecurityOpts {
+		securityOpts[k] = v
+	}
 	files := map[string][]byte{}
 	for k, v := range n.Files {
 		vv := []byte{}
@ -163,12 +173,13 @@ func (n *Node) Copy() *Node {
 		files[k] = vv
 	}
 	return &Node{
-		Name:       n.Name,
-		Endpoint:   n.Endpoint,
-		Platforms:  platforms,
-		Flags:      flags,
-		DriverOpts: driverOpts,
-		Files:      files,
+		Name:         n.Name,
+		Endpoint:     n.Endpoint,
+		Platforms:    platforms,
+		Flags:        flags,
+		DriverOpts:   driverOpts,
+		SecurityOpts: securityOpts,
+		Files:        files,
 	}
 }