diff --git a/builder/node.go b/builder/node.go
index a8056240..d9fe4a32 100644
--- a/builder/node.go
+++ b/builder/node.go
@@ -109,7 +109,7 @@ func (b *Builder) LoadNodes(ctx context.Context, withData bool) (_ []Node, err e
 }
 }
- d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, factory, n.Endpoint, dockerapi, imageopt.Auth, kcc, n.Flags, n.Files, n.DriverOpts, n.Platforms, b.opts.contextPathHash)
+ d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, factory, n.Endpoint, dockerapi, imageopt.Auth, kcc, n.Flags, n.Files, n.DriverOpts, n.SecurityOpts, n.Platforms, b.opts.contextPathHash)
 if err != nil {
 node.Err = err
 return nil
diff --git a/commands/create.go b/commands/create.go
index 522a1432..7da33d6c 100644
--- a/commands/create.go
+++ b/commands/create.go
@@ -42,6 +42,7 @@ type createOptions struct {
 flags string
 configFile string
 driverOpts []string
+ securityOpts []string
 bootstrap bool
 // upgrade bool // perform upgrade of the driver
 }
@@ -239,6 +240,11 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 return err
 }
+ s, err := csvToMap(in.securityOpts)
+ if err != nil {
+ return err
+ }
+
 if in.configFile == "" {
 // if buildkit config is not provided, check if the default one is
 // available and use it
@@ -248,7 +254,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 }
 }
- if err := ng.Update(in.nodeName, ep, in.platform, setEp, in.actionAppend, flags, in.configFile, m); err != nil {
+ if err := ng.Update(in.nodeName, ep, in.platform, setEp, in.actionAppend, flags, in.configFile, m, s); err != nil {
 return err
 }
 }
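Review bot: `s` from `csvToMap(in.securityOpts)` is handed to `ng.Update` and persisted on the node without any check of its keys or values, so a misspelled key is stored silently and can only surface later, if at all, when a driver tries to apply it. Because the map is intended to end up in the builder container's HostConfig, validating it here against the small set of option names the driver actually honours, or at minimum rejecting empty keys, keeps bad input out of the store. The parsing also duplicates the `csvToMap(in.driverOpts)` pattern just above it, so whatever nil-versus-empty behaviour `csvToMap` has for an unset flag presumably applies to both; worth confirming that an absent `--security-opt` does not count as "set" in `Update`. runCreate's body continues outside the hunk.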
@@ -340,6 +346,7 @@ func createCmd(dockerCli command.Cli) *cobra.Command {
 flags.StringVar(&options.configFile, "config", "", "BuildKit config file")
 flags.StringArrayVar(&options.platform, "platform", []string{}, "Fixed platforms for current node")
 flags.StringArrayVar(&options.driverOpts, "driver-opt", []string{}, "Options for the driver")
+ flags.StringArrayVar(&options.securityOpts, "security-opt", []string{}, "Options for the security profile of driver")
 flags.BoolVar(&options.bootstrap, "bootstrap", false, "Boot builder after creation")
 flags.BoolVar(&options.actionAppend, "append", false, "Append a node to builder instead of changing it")
diff --git a/commands/inspect.go b/commands/inspect.go
index 1e1f313a..b61dcf1c 100644
--- a/commands/inspect.go
+++ b/commands/inspect.go
@@ -82,6 +82,13 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
 if len(driverOpts) > 0 {
 fmt.Fprintf(w, "Driver Options:\t%s\n", strings.Join(driverOpts, " "))
 }
+ var securityOpts []string
+ for k, v := range n.SecurityOpts {
+ securityOpts = append(securityOpts, fmt.Sprintf("%s=%q", k, v))
+ }
+ if len(securityOpts) > 0 {
+ fmt.Fprintf(w, "Security Options:\t%s\n", strings.Join(driverOpts, " "))
+ }
 if err := n.Err; err != nil {
 fmt.Fprintf(w, "Error:\t%s\n", err.Error())
diff --git a/driver/docker-container/driver.go b/driver/docker-container/driver.go
index d42d233a..c842d091 100644
--- a/driver/docker-container/driver.go
+++ b/driver/docker-container/driver.go
@@ -3,6 +3,7 @@ package docker
 import (
 "bytes"
 "context"
+ "fmt"
 "io"
 "net"
 "os"
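Review bot: The help text `"Options for the security profile of driver"` does not tell the user what a value looks like; the flag is parsed by csvToMap in runCreate, so it evidently expects `key=value` pairs, and which keys are honoured is up to the driver. Suggest `"Security options for the driver container, as key=value pairs (driver-specific)"` so the format is discoverable from `--help`. createCmd's body continues outside the hunk.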
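Review bot: The new `Security Options:` line joins `driverOpts` instead of the `securityOpts` slice built directly above it, so `inspect` prints the driver options a second time and never shows the security options at all; it should read `fmt.Fprintf(w, "Security Options:\t%s\n", strings.Join(securityOpts, " "))`. The slice is filled by ranging over a map, so the printed order will vary from run to run unless it is sorted before joining; the existing driverOpts block above the hunk presumably has the same property. runInspect's body starts and ends outside the hunk.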
@@ -109,11 +110,10 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 if d.InitConfig.BuildkitFlags != nil {
 cfg.Cmd = d.InitConfig.BuildkitFlags
 }
- useInit := true // let it cleanup exited processes created by BuildKit's container API
 if err := l.Wrap("creating container "+d.Name, func() error {
 hc := &container.HostConfig{
- Privileged: true,
+ Privileged: false,
 Mounts: []mount.Mount{
 {
 Type: mount.TypeVolume,
@@ -135,19 +135,25 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 hc.CgroupParent = d.cgroupParent
 }
 }
-
 secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
 if err != nil {
 return err
 }
 for _, f := range secOpts {
+ fmt.Println(f)
 if f.Name == "userns" {
 hc.UsernsMode = "host"
 break
 }
 }
-
+ //hc.SecurityOpt=["seccomp:unconfined" "apparmor:unconfined" "systempaths:unconfined"]
+ hc.SecurityOpt = append(hc.SecurityOpt, "seccomp=unconfined")
+ hc.SecurityOpt = append(hc.SecurityOpt, "apparmor=unconfined")
+ hc.SecurityOpt = append(hc.SecurityOpt, "systempaths=unconfined")
+ hc.Privileged = false
 }
+ fmt.Println(cfg)
+ fmt.Println(hc)
 _, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name)
 if err != nil && !errdefs.IsConflict(err) {
 return err
@@ -273,6 +279,7 @@ func (d *Driver) run(ctx context.Context, cmd []string, stdout, stderr io.Writer
 if resp.ExitCode != 0 {
 return errors.Errorf("exit code %d", resp.ExitCode)
 }
+ fmt.Println("did I get in here")
 return nil
 }
diff --git a/driver/driver.go b/driver/driver.go
index 8642a543..50f1aa9e 100644
--- a/driver/driver.go
+++ b/driver/driver.go
@@ -2,6 +2,7 @@ package driver
 import (
 "context"
+ "fmt"
 "io"
 "github.com/docker/buildx/store"
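Review bot: The three `hc.SecurityOpt = append(...)` lines in the second hunk hard-code `seccomp=unconfined`, `apparmor=unconfined` and `systempaths=unconfined` for every builder container and never read `d.InitConfig.SecurityOpts`, so the new `--security-opt` flag changes nothing and every user gets a container with seccomp, AppArmor and the masked system paths all switched off, which is most of what `Privileged: true` granted before the first hunk turned it off. The appends also sit inside the block closed by the `}` after the userns loop, which looks like the `if info, err := d.DockerAPI.Info(ctx); err == nil` branch whose opening is outside the hunk, so when Info fails the container is created unprivileged with no options at all and BuildKit will most likely not start; `hc.Privileged = false` there is redundant with the literal in the first hunk. The options should be built from the user-supplied map, e.g. `for k, v := range d.InitConfig.SecurityOpts { hc.SecurityOpt = append(hc.SecurityOpt, k+"="+v) }`, with an explicit, documented decision about what happens when the map is empty instead of silently dropping the privileged default, and the commented-out `//hc.SecurityOpt=[...]` line removed. If the `-` in the first hunk removes the `useInit` declaration rather than just the blank line above it (the collapsed diff does not make this clear), whatever still reads `useInit` below the hunk will no longer compile. create's body starts and ends outside the hunks.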
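Review bot: `fmt.Println("did I get in here")` is leftover debugging that writes to the process's own stdout rather than to the `stdout` writer the caller passed in, so it interleaves with, and can corrupt, whatever buildx itself is printing. The same applies to `fmt.Println(f)`, `fmt.Println(cfg)` and `fmt.Println(hc)` in create() above and to the five `fmt.Println` calls added to `Boot` in driver/driver.go; all of them, together with the `"fmt"` imports added only to support them, should go before merge. `fmt.Println(hc)` in particular dumps the whole HostConfig, mounts and security settings included, to the terminal on every builder start. run's body starts outside the hunk.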
@@ -65,12 +66,15 @@ type Driver interface {
 }
 func Boot(ctx, clientContext context.Context, d *DriverHandle, pw progress.Writer) (*client.Client, error) {
+ fmt.Println("I don't like being confused")
 try := 0
 for {
+ fmt.Println("in the for...block?")
 info, err := d.Info(ctx)
 if err != nil {
 return nil, err
 }
+ fmt.Println("I think d.Info might be doing an out of band thing")
 try++
 if info.Status != Running {
 if try > 2 {
@@ -80,7 +84,7 @@ func Boot(ctx, clientContext context.Context, d *DriverHandle, pw progress.Write
 return nil, err
 }
 }
-
+ fmt.Println("before or after running")
 c, err := d.Client(clientContext)
 if err != nil {
 if errors.Cause(err) == ErrNotRunning && try <= 2 {
@@ -88,6 +92,7 @@ func Boot(ctx, clientContext context.Context, d *DriverHandle, pw progress.Write
 }
 return nil, err
 }
+ fmt.Println("before final return")
 return c, nil
 }
 }
diff --git a/driver/manager.go b/driver/manager.go
index b4ec318f..e91c99dc 100644
--- a/driver/manager.go
+++ b/driver/manager.go
@@ -56,6 +56,7 @@ type InitConfig struct {
 BuildkitFlags []string
 Files map[string][]byte
 DriverOpts map[string]string
+ SecurityOpts map[string]string
 Auth Auth
 Platforms []specs.Platform
 // ContextPathHash can be used for determining pods in the driver instance
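Review bot: The new exported field `SecurityOpts` has no doc comment, and nothing in the change says what its keys and values mean or which driver is expected to consume it; `store.Node.SecurityOpts` in store/nodegroup.go has the same gap. Suggest `// SecurityOpts holds the key=value pairs given with --security-opt; applying them is the driver's responsibility.` on this field and a matching comment on Node. Within this diff no driver actually reads the field (the docker-container driver hard-codes its own values), so the comment should either say the field is currently unused or the driver should be changed to consume it.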
@@ -104,7 +105,7 @@ func GetFactory(name string, instanceRequired bool) (Factory, error) {
 return nil, errors.Errorf("failed to find driver %q", name)
 }
-func GetDriver(ctx context.Context, name string, f Factory, endpointAddr string, api dockerclient.APIClient, auth Auth, kcc KubeClientConfig, flags []string, files map[string][]byte, do map[string]string, platforms []specs.Platform, contextPathHash string) (*DriverHandle, error) {
+func GetDriver(ctx context.Context, name string, f Factory, endpointAddr string, api dockerclient.APIClient, auth Auth, kcc KubeClientConfig, flags []string, files map[string][]byte, do map[string]string, so map[string]string, platforms []specs.Platform, contextPathHash string) (*DriverHandle, error) {
 ic := InitConfig{
 EndpointAddr: endpointAddr,
 DockerAPI: api,
@@ -112,6 +113,7 @@ func GetDriver(ctx context.Context, name string, f Factory, endpointAddr string,
 Name: name,
 BuildkitFlags: flags,
 DriverOpts: do,
+ SecurityOpts: so,
 Auth: auth,
 Platforms: platforms,
 ContextPathHash: contextPathHash,
diff --git a/out/buildx b/out/buildx
new file mode 100755
index 00000000..277a72b8
Binary files /dev/null and b/out/buildx differ
diff --git a/store/nodegroup.go b/store/nodegroup.go
index 823470dd..4d56daa5 100644
--- a/store/nodegroup.go
+++ b/store/nodegroup.go
@@ -24,11 +24,12 @@ type NodeGroup struct {
 }
 type Node struct {
- Name string
- Endpoint string
- Platforms []specs.Platform
- Flags []string
- DriverOpts map[string]string
+ Name string
+ Endpoint string
+ Platforms []specs.Platform
+ Flags []string
+ DriverOpts map[string]string
+ SecurityOpts map[string]string
 Files map[string][]byte
 }
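Review bot: `out/buildx` is a compiled executable (`new file mode 100755`, shown as a binary diff) and does not belong in the source tree: it cannot be reviewed, it bloats every future clone, and a checked-in binary next to the sources is something a later contributor may run instead of building from source. Drop it from the commit and make sure the `out/` build directory is ignored by the repository's ignore file if it is not already.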
@@ -48,7 +49,7 @@ func (ng *NodeGroup) Leave(name string) error {
 return nil
 }
-func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpointsSet bool, actionAppend bool, flags []string, configFile string, do map[string]string) error {
+func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpointsSet bool, actionAppend bool, flags []string, configFile string, do map[string]string, so map[string]string) error {
 if ng.Dynamic {
 return errors.New("dynamic node group does not support Update")
 }
@@ -91,6 +92,10 @@ func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpoints
 n.DriverOpts = do
 needsRestart = true
 }
+ if so != nil {
+ n.SecurityOpts = so
+ needsRestart = true
+ }
 if configFile != "" {
 for k, v := range files {
 n.Files[k] = v
@@ -118,12 +123,13 @@ func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpoints
 }
 n := Node{
- Name: name,
- Endpoint: endpoint,
- Platforms: pp,
- Flags: flags,
- DriverOpts: do,
- Files: files,
+ Name: name,
+ Endpoint: endpoint,
+ Platforms: pp,
+ Flags: flags,
+ DriverOpts: do,
+ SecurityOpts: so,
+ Files: files,
 }
 ng.Nodes = append(ng.Nodes, n)
@@ -156,6 +162,10 @@ func (n *Node) Copy() *Node {
 for k, v := range n.DriverOpts {
 driverOpts[k] = v
 }
+ securityOpts := map[string]string{}
+ for k, v := range n.SecurityOpts {
+ securityOpts[k] = v
+ }
 files := map[string][]byte{}
 for k, v := range n.Files {
 vv := []byte{}
@@ -163,12 +173,13 @@ func (n *Node) Copy() *Node {
 files[k] = vv
 }
 return &Node{
- Name: n.Name,
- Endpoint: n.Endpoint,
- Platforms: platforms,
- Flags: flags,
- DriverOpts: driverOpts,
- Files: files,
+ Name: n.Name,
+ Endpoint: n.Endpoint,
+ Platforms: platforms,
+ Flags: flags,
+ DriverOpts: driverOpts,
+ SecurityOpts: securityOpts,
+ Files: files,
 }
 }