bake: add --allow support

Signed-off-by: Tibor Vass <tibor@docker.com>
pull/126/head
Tibor Vass 6 years ago
parent 7ec8912591
commit cd086fc8d6

@ -500,6 +500,7 @@ Options:
| Flag | Description |
| --- | --- |
| --allow stringArray | Allow extra privileged entitlement, e.g. network.host, security.insecure
| -f, --file stringArray | Build definition file
| --no-cache | Do not use cache when building the image
| --print | Print the options without building
@ -507,6 +508,10 @@ Options:
| --pull | Always attempt to pull a newer version of the image
| --set stringArray | Override target value (eg: target.key=value)
#### `--allow=ENTITLEMENT`
Same as [`build --allow`](#--allowentitlement).
#### `-f, --file FILE`
Specifies the bake definition file. The file can be a Docker Compose, JSON or HCL file. If multiple files are specified they are all read and configurations are combined. By default, if no files are specified, the following are parsed:

@ -11,6 +11,7 @@ import (
"github.com/docker/buildx/util/platformutil"
"github.com/docker/docker/pkg/urlutil"
"github.com/moby/buildkit/session/auth/authprovider"
"github.com/moby/buildkit/util/entitlements"
"github.com/pkg/errors"
)
@ -248,10 +249,10 @@ func (t *Target) normalize() {
t.Outputs = removeDupes(t.Outputs)
}
func TargetsToBuildOpt(m map[string]Target, noCache, pull bool) (map[string]build.Options, error) {
func TargetsToBuildOpt(m map[string]Target, noCache, pull bool, allow []entitlements.Entitlement) (map[string]build.Options, error) {
m2 := make(map[string]build.Options, len(m))
for k, v := range m {
bo, err := toBuildOpt(v, noCache, pull)
bo, err := toBuildOpt(v, noCache, pull, allow)
if err != nil {
return nil, err
}
@ -260,7 +261,7 @@ func TargetsToBuildOpt(m map[string]Target, noCache, pull bool) (map[string]buil
return m2, nil
}
func toBuildOpt(t Target, noCache, pull bool) (*build.Options, error) {
func toBuildOpt(t Target, noCache, pull bool, allow []entitlements.Entitlement) (*build.Options, error) {
if v := t.Context; v != nil && *v == "-" {
return nil, errors.Errorf("context from stdin not allowed in bake")
}
@ -291,6 +292,7 @@ func toBuildOpt(t Target, noCache, pull bool) (*build.Options, error) {
Labels: t.Labels,
NoCache: noCache,
Pull: pull,
Allow: allow,
}
platforms, err := platformutil.Parse(t.Platforms)
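Review bot: `Allow: allow` in toBuildOpt hands every target the same entitlement set, so a single `--allow security.insecure` or `--allow network.host` applies to all targets merged from the definition files, not only the one that needs it. Neither function documents this, and it is the property a reader auditing privileged builds will look for. I would add a doc comment on the exported function, for example `// TargetsToBuildOpt converts targets to build options. allow is granted to every target; there is no per-target scoping.` The same slice is also shared by all returned build.Options, which is safe only as long as nothing downstream mutates it. Both function bodies continue outside the hunks shown.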

@ -6,6 +6,7 @@ import (
"os"
"github.com/docker/buildx/bake"
"github.com/docker/buildx/build"
"github.com/docker/cli/cli/command"
"github.com/moby/buildkit/util/appcontext"
"github.com/pkg/errors"
@ -51,7 +52,12 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) error {
return nil
}
bo, err := bake.TargetsToBuildOpt(m, in.noCache, in.pull)
allow, err := build.ParseEntitlements(in.allow)
if err != nil {
return err
}
bo, err := bake.TargetsToBuildOpt(m, in.noCache, in.pull, allow)
if err != nil {
return err
}
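Review bot: The error from `build.ParseEntitlements(in.allow)` is returned bare, so unless that helper already names the flag, a mistyped entitlement fails without pointing the user at `--allow`. `return errors.Wrap(err, "invalid --allow value")` would make that explicit, using the pkg/errors import already present in this file. The parse also sits after an early `return nil` whose condition is outside the hunk. If that is the `--print` path, a bad value goes unreported there and the printed options do not show which entitlements a real run would grant.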

@ -44,8 +44,6 @@ type buildOptions struct {
squash bool
quiet bool
allow []string
// hidden
// untrusted bool
// ulimits *opts.UlimitOpt
@ -67,6 +65,7 @@ type commonOptions struct {
noCache bool
progress string
pull bool
allow []string
}
func runBuild(dockerCli command.Cli, in buildOptions) error {
@ -222,8 +221,6 @@ func buildCmd(dockerCli command.Cli) *cobra.Command {
flags.StringVar(&options.target, "target", "", "Set the target build stage to build.")
flags.StringSliceVar(&options.allow, "allow", []string{}, "Allow extra privileged entitlement, e.g. network.host, security.insecure")
// not implemented
flags.BoolVarP(&options.quiet, "quiet", "q", false, "Suppress the build output and print image ID on success")
flags.StringVar(&options.networkMode, "network", "default", "Set the networking mode for the RUN instructions during build")
@ -287,6 +284,7 @@ func buildCmd(dockerCli command.Cli) *cobra.Command {
}
func commonFlags(options *commonOptions, flags *pflag.FlagSet) {
flags.StringSliceVar(&options.allow, "allow", []string{}, "Allow extra privileged entitlement, e.g. network.host, security.insecure")
flags.BoolVar(&options.noCache, "no-cache", false, "Do not use cache when building the image")
flags.StringVar(&options.progress, "progress", "auto", "Set type of progress output (auto, plain, tty). Use plain to show container output")
flags.BoolVar(&options.pull, "pull", false, "Always attempt to pull a newer version of the image")
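Review bot: `--allow` is registered in commonFlags with `flags.StringSliceVar`, which splits each value on commas, while the option table added in this commit lists it as `stringArray`, the type that takes one value per occurrence with no splitting. For a flag that grants privileged entitlements, the accepted syntax should be unambiguous. Either keep the slice form and say so in the help text, e.g. `"Allow extra privileged entitlement (repeatable or comma-separated), e.g. network.host, security.insecure"`, or use `flags.StringArrayVar(&options.allow, "allow", nil, ...)` if comma splitting is not intended. The hunks do not show how buildOptions reaches the moved `allow` field; presumably it embeds commonOptions.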
