|
|
@ -8,6 +8,7 @@ import (
|
|
|
|
"os"
|
|
|
|
"os"
|
|
|
|
"path"
|
|
|
|
"path"
|
|
|
|
"path/filepath"
|
|
|
|
"path/filepath"
|
|
|
|
|
|
|
|
"strconv"
|
|
|
|
"strings"
|
|
|
|
"strings"
|
|
|
|
"sync/atomic"
|
|
|
|
"sync/atomic"
|
|
|
|
"time"
|
|
|
|
"time"
|
|
|
@ -112,7 +113,7 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
|
|
|
|
useInit := true // let it cleanup exited processes created by BuildKit's container API
|
|
|
|
useInit := true // let it cleanup exited processes created by BuildKit's container API
|
|
|
|
if err := l.Wrap("creating container "+d.Name, func() error {
|
|
|
|
if err := l.Wrap("creating container "+d.Name, func() error {
|
|
|
|
hc := &container.HostConfig{
|
|
|
|
hc := &container.HostConfig{
|
|
|
|
Privileged: false,
|
|
|
|
Privileged: true,
|
|
|
|
Mounts: []mount.Mount{
|
|
|
|
Mounts: []mount.Mount{
|
|
|
|
{
|
|
|
|
{
|
|
|
|
Type: mount.TypeVolume,
|
|
|
|
Type: mount.TypeVolume,
|
|
|
@ -126,6 +127,13 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
|
|
|
|
hc.NetworkMode = container.NetworkMode(d.netMode)
|
|
|
|
hc.NetworkMode = container.NetworkMode(d.netMode)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if info, err := d.DockerAPI.Info(ctx); err == nil {
|
|
|
|
if info, err := d.DockerAPI.Info(ctx); err == nil {
|
|
|
|
|
|
|
|
secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
|
|
|
|
|
|
|
|
l.Wrap("driverOpts"+info.CgroupDriver, func() error {
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
|
|
})
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
|
|
return err
|
|
|
|
|
|
|
|
}
|
|
|
|
if info.CgroupDriver == "cgroupfs" {
|
|
|
|
if info.CgroupDriver == "cgroupfs" {
|
|
|
|
// Place all buildkit containers inside this cgroup by default so limits can be attached
|
|
|
|
// Place all buildkit containers inside this cgroup by default so limits can be attached
|
|
|
|
// to all build activity on the host.
|
|
|
|
// to all build activity on the host.
|
|
|
@ -134,23 +142,27 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
|
|
|
|
hc.CgroupParent = d.cgroupParent
|
|
|
|
hc.CgroupParent = d.cgroupParent
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
|
|
return err
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, f := range secOpts {
|
|
|
|
for _, f := range secOpts {
|
|
|
|
if f.Name == "userns" {
|
|
|
|
if f.Name == "userns" {
|
|
|
|
hc.UsernsMode = "host"
|
|
|
|
hc.UsernsMode = "host"
|
|
|
|
break
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
hc.SecurityOpt = append(hc.SecurityOpt, "seccomp=unconfined")
|
|
|
|
for i, k := range d.SecurityOpts {
|
|
|
|
hc.SecurityOpt = append(hc.SecurityOpt, "apparmor=unconfined")
|
|
|
|
switch {
|
|
|
|
hc.Privileged = false
|
|
|
|
case i == "systempaths":
|
|
|
|
//hc.SecurityOpt = append(hc.SecurityOpt, "systempaths=unconfined")
|
|
|
|
|
|
|
|
hc.MaskedPaths = []string{}
|
|
|
|
hc.MaskedPaths = []string{}
|
|
|
|
hc.ReadonlyPaths = []string{}
|
|
|
|
hc.ReadonlyPaths = []string{}
|
|
|
|
//cfg.Env= append(cfg.Env,"systempaths=unconfined")
|
|
|
|
case i == "privileged":
|
|
|
|
|
|
|
|
val, err := strconv.ParseBool(k)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
|
|
return errors.Errorf("invalid value privleged security option, options are true/false")
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
hc.Privileged = val
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
|
|
|
hc.SecurityOpt = append(hc.SecurityOpt, i+"="+k)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
_, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name)
|
|
|
|
_, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name)
|
|
|
|
if err != nil && !errdefs.IsConflict(err) {
|
|
|
|
if err != nil && !errdefs.IsConflict(err) {
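Review bot: The `privileged` branch in the last hunk only changes `hc.Privileged` when a caller passes that key, and `Privileged: true` is now the HostConfig default in the second hunk, so any driver instance without an explicit `privileged=false` option gets a fully privileged BuildKit container (the removed lines suggest it previously ran with `hc.Privileged = false` plus seccomp/apparmor unconfined); if that widening is intended, say so at the field, e.g. `Privileged: true, // full privileges unless the "privileged=false" security opt is set`, otherwise keep the default false. `case i == "systempaths":` ignores the value, so `systempaths=<anything>` clears MaskedPaths and ReadonlyPaths; matching Docker's own option needs `case i == "systempaths" && k == "unconfined":`. The ParseBool failure drops both the offending value and the parse error and misspells the option: `return errors.Errorf("invalid value %q for privileged security option, expected true/false: %v", k, err)`. If d.SecurityOpts is a map, ranging over it makes the order of the appended hc.SecurityOpt entries vary between runs; iterating over sorted keys keeps the created container's config stable. The enclosing create method starts and ends outside these hunks, and the no-op `l.Wrap("driverOpts"+info.CgroupDriver, …)` in the third hunk looks like leftover debugging.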
|
|
|
|