master #1

Merged
nathan merged 10 commits from wagshome/buildx:master into master 1 year ago

@ -0,0 +1,25 @@
// For format details, see https://aka.ms/devcontainer.json. For config options, see the
// README at: https://github.com/devcontainers/templates/tree/main/src/go
{
"name": "Go",
// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
"image": "mcr.microsoft.com/devcontainers/go:1-1.21-bullseye",
"features": {
"ghcr.io/devcontainers/features/docker-in-docker:2": {}
}
// Features to add to the dev container. More info: https://containers.dev/features.
// "features": {},
// Use 'forwardPorts' to make a list of ports inside the container available locally.
// "forwardPorts": [],
// Use 'postCreateCommand' to run commands after the container is created.
// "postCreateCommand": "go version",
// Configure tool-specific properties.
// "customizations": {},
// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
// "remoteUser": "root"
}

@ -121,7 +121,7 @@ RUN --mount=from=binaries \
--mount=type=bind,from=buildx-version,source=/buildx-version,target=/buildx-version <<EOT --mount=type=bind,from=buildx-version,source=/buildx-version,target=/buildx-version <<EOT
set -e set -e
mkdir -p /out mkdir -p /out
cp buildx* "/out/buildx-$(cat /buildx-version/version).$(echo $TARGETPLATFORM | sed 's/\//-/g')$(ls buildx* | sed -e 's/^buildx//')" cp buildx* "/out/buildx"
EOT EOT
FROM scratch AS release FROM scratch AS release

@ -109,7 +109,7 @@ func (b *Builder) LoadNodes(ctx context.Context, withData bool) (_ []Node, err e
} }
} }
d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, factory, n.Endpoint, dockerapi, imageopt.Auth, kcc, n.Flags, n.Files, n.DriverOpts, n.Platforms, b.opts.contextPathHash) d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, factory, n.Endpoint, dockerapi, imageopt.Auth, kcc, n.Flags, n.Files, n.DriverOpts, n.SecurityOpts, n.Platforms, b.opts.contextPathHash)
if err != nil { if err != nil {
node.Err = err node.Err = err
return nil return nil

@ -42,6 +42,7 @@ type createOptions struct {
flags string flags string
configFile string configFile string
driverOpts []string driverOpts []string
securityOpts []string
bootstrap bool bootstrap bool
// upgrade bool // perform upgrade of the driver // upgrade bool // perform upgrade of the driver
} }
@ -239,6 +240,11 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
return err return err
} }
s, err := csvToMap(in.securityOpts)
if err != nil {
return err
}
if in.configFile == "" { if in.configFile == "" {
// if buildkit config is not provided, check if the default one is // if buildkit config is not provided, check if the default one is
// available and use it // available and use it
@ -248,7 +254,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
} }
} }
if err := ng.Update(in.nodeName, ep, in.platform, setEp, in.actionAppend, flags, in.configFile, m); err != nil { if err := ng.Update(in.nodeName, ep, in.platform, setEp, in.actionAppend, flags, in.configFile, m, s); err != nil {
return err return err
} }
} }
@ -340,6 +346,7 @@ func createCmd(dockerCli command.Cli) *cobra.Command {
flags.StringVar(&options.configFile, "config", "", "BuildKit config file") flags.StringVar(&options.configFile, "config", "", "BuildKit config file")
flags.StringArrayVar(&options.platform, "platform", []string{}, "Fixed platforms for current node") flags.StringArrayVar(&options.platform, "platform", []string{}, "Fixed platforms for current node")
flags.StringArrayVar(&options.driverOpts, "driver-opt", []string{}, "Options for the driver") flags.StringArrayVar(&options.driverOpts, "driver-opt", []string{}, "Options for the driver")
flags.StringArrayVar(&options.securityOpts, "security-opt", []string{}, "Options for the security profile of driver")
flags.BoolVar(&options.bootstrap, "bootstrap", false, "Boot builder after creation") flags.BoolVar(&options.bootstrap, "bootstrap", false, "Boot builder after creation")
flags.BoolVar(&options.actionAppend, "append", false, "Append a node to builder instead of changing it") flags.BoolVar(&options.actionAppend, "append", false, "Append a node to builder instead of changing it")

@ -82,6 +82,13 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
if len(driverOpts) > 0 { if len(driverOpts) > 0 {
fmt.Fprintf(w, "Driver Options:\t%s\n", strings.Join(driverOpts, " ")) fmt.Fprintf(w, "Driver Options:\t%s\n", strings.Join(driverOpts, " "))
} }
var securityOpts []string
for k, v := range n.SecurityOpts {
securityOpts = append(securityOpts, fmt.Sprintf("%s=%q", k, v))
}
if len(securityOpts) > 0 {
fmt.Fprintf(w, "Security Options:\t%s\n", strings.Join(driverOpts, " "))
}
if err := n.Err; err != nil { if err := n.Err; err != nil {
fmt.Fprintf(w, "Error:\t%s\n", err.Error()) fmt.Fprintf(w, "Error:\t%s\n", err.Error())

@ -8,6 +8,7 @@ import (
"os" "os"
"path" "path"
"path/filepath" "path/filepath"
"strconv"
"strings" "strings"
"sync/atomic" "sync/atomic"
"time" "time"
@ -41,6 +42,7 @@ type Driver struct {
netMode string netMode string
image string image string
cgroupParent string cgroupParent string
securityOpts map[string]string
env []string env []string
} }
@ -109,7 +111,6 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
if d.InitConfig.BuildkitFlags != nil { if d.InitConfig.BuildkitFlags != nil {
cfg.Cmd = d.InitConfig.BuildkitFlags cfg.Cmd = d.InitConfig.BuildkitFlags
} }
useInit := true // let it cleanup exited processes created by BuildKit's container API useInit := true // let it cleanup exited processes created by BuildKit's container API
if err := l.Wrap("creating container "+d.Name, func() error { if err := l.Wrap("creating container "+d.Name, func() error {
hc := &container.HostConfig{ hc := &container.HostConfig{
@ -127,6 +128,13 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
hc.NetworkMode = container.NetworkMode(d.netMode) hc.NetworkMode = container.NetworkMode(d.netMode)
} }
if info, err := d.DockerAPI.Info(ctx); err == nil { if info, err := d.DockerAPI.Info(ctx); err == nil {
secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
l.Wrap("driverOpts"+info.CgroupDriver, func() error {
return nil
})
if err != nil {
return err
}
if info.CgroupDriver == "cgroupfs" { if info.CgroupDriver == "cgroupfs" {
// Place all buildkit containers inside this cgroup by default so limits can be attached // Place all buildkit containers inside this cgroup by default so limits can be attached
// to all build activity on the host. // to all build activity on the host.
@ -135,18 +143,27 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
hc.CgroupParent = d.cgroupParent hc.CgroupParent = d.cgroupParent
} }
} }
secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
if err != nil {
return err
}
for _, f := range secOpts { for _, f := range secOpts {
if f.Name == "userns" { if f.Name == "userns" {
hc.UsernsMode = "host" hc.UsernsMode = "host"
break break
} }
} }
for i, k := range d.securityOpts {
switch {
case i == "systempaths":
hc.MaskedPaths = []string{}
hc.ReadonlyPaths = []string{}
case i == "privileged":
val, err := strconv.ParseBool(k)
if err != nil {
return errors.Errorf("invalid value privleged security option, options are true/false")
}
hc.Privileged = val
default:
hc.SecurityOpt = append(hc.SecurityOpt, i+"="+k)
}
}
} }
_, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name) _, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name)
if err != nil && !errdefs.IsConflict(err) { if err != nil && !errdefs.IsConflict(err) {

@ -40,6 +40,7 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
return nil, errors.Errorf("%s driver requires docker API access", f.Name()) return nil, errors.Errorf("%s driver requires docker API access", f.Name())
} }
d := &Driver{factory: f, InitConfig: cfg} d := &Driver{factory: f, InitConfig: cfg}
d.securityOpts = make(map[string]string)
for k, v := range cfg.DriverOpts { for k, v := range cfg.DriverOpts {
switch { switch {
case k == "network": case k == "network":
@ -57,11 +58,32 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
return nil, errors.Errorf("invalid env option %q, expecting env.FOO=bar", k) return nil, errors.Errorf("invalid env option %q, expecting env.FOO=bar", k)
} }
d.env = append(d.env, fmt.Sprintf("%s=%s", envName, v)) d.env = append(d.env, fmt.Sprintf("%s=%s", envName, v))
case k == "seccomp":
d.securityOpts[k] = v
case k == "apparmor":
d.securityOpts[k] = v
case k == "systempaths":
d.securityOpts[k] = v
case k == "privileged":
d.securityOpts[k] = v
default: default:
return nil, errors.Errorf("invalid driver option %s for docker-container driver", k) return nil, errors.Errorf("invalid driver option %s for docker-container driver", k)
} }
} }
for i, _ := range cfg.SecurityOpts {
switch {
case i == "seccomp":
continue
case i == "apparmor":
continue
case i == "systempaths":
continue
case i == "privileged":
continue
default:
return nil, errors.Errorf("invalid Security option %s for docker-container driver", i)
}
}
return d, nil return d, nil
} }

@ -80,7 +80,6 @@ func Boot(ctx, clientContext context.Context, d *DriverHandle, pw progress.Write
return nil, err return nil, err
} }
} }
c, err := d.Client(clientContext) c, err := d.Client(clientContext)
if err != nil { if err != nil {
if errors.Cause(err) == ErrNotRunning && try <= 2 { if errors.Cause(err) == ErrNotRunning && try <= 2 {

@ -56,6 +56,7 @@ type InitConfig struct {
BuildkitFlags []string BuildkitFlags []string
Files map[string][]byte Files map[string][]byte
DriverOpts map[string]string DriverOpts map[string]string
SecurityOpts map[string]string
Auth Auth Auth Auth
Platforms []specs.Platform Platforms []specs.Platform
// ContextPathHash can be used for determining pods in the driver instance // ContextPathHash can be used for determining pods in the driver instance
@ -104,7 +105,7 @@ func GetFactory(name string, instanceRequired bool) (Factory, error) {
return nil, errors.Errorf("failed to find driver %q", name) return nil, errors.Errorf("failed to find driver %q", name)
} }
func GetDriver(ctx context.Context, name string, f Factory, endpointAddr string, api dockerclient.APIClient, auth Auth, kcc KubeClientConfig, flags []string, files map[string][]byte, do map[string]string, platforms []specs.Platform, contextPathHash string) (*DriverHandle, error) { func GetDriver(ctx context.Context, name string, f Factory, endpointAddr string, api dockerclient.APIClient, auth Auth, kcc KubeClientConfig, flags []string, files map[string][]byte, do map[string]string, so map[string]string, platforms []specs.Platform, contextPathHash string) (*DriverHandle, error) {
ic := InitConfig{ ic := InitConfig{
EndpointAddr: endpointAddr, EndpointAddr: endpointAddr,
DockerAPI: api, DockerAPI: api,
@ -112,6 +113,7 @@ func GetDriver(ctx context.Context, name string, f Factory, endpointAddr string,
Name: name, Name: name,
BuildkitFlags: flags, BuildkitFlags: flags,
DriverOpts: do, DriverOpts: do,
SecurityOpts: so,
Auth: auth, Auth: auth,
Platforms: platforms, Platforms: platforms,
ContextPathHash: contextPathHash, ContextPathHash: contextPathHash,

Binary file not shown.

@ -29,6 +29,7 @@ type Node struct {
Platforms []specs.Platform Platforms []specs.Platform
Flags []string Flags []string
DriverOpts map[string]string DriverOpts map[string]string
SecurityOpts map[string]string
Files map[string][]byte Files map[string][]byte
} }
@ -48,7 +49,7 @@ func (ng *NodeGroup) Leave(name string) error {
return nil return nil
} }
func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpointsSet bool, actionAppend bool, flags []string, configFile string, do map[string]string) error { func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpointsSet bool, actionAppend bool, flags []string, configFile string, do map[string]string, so map[string]string) error {
if ng.Dynamic { if ng.Dynamic {
return errors.New("dynamic node group does not support Update") return errors.New("dynamic node group does not support Update")
} }
@ -91,6 +92,10 @@ func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpoints
n.DriverOpts = do n.DriverOpts = do
needsRestart = true needsRestart = true
} }
if so != nil {
n.SecurityOpts = so
needsRestart = true
}
if configFile != "" { if configFile != "" {
for k, v := range files { for k, v := range files {
n.Files[k] = v n.Files[k] = v
@ -123,6 +128,7 @@ func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpoints
Platforms: pp, Platforms: pp,
Flags: flags, Flags: flags,
DriverOpts: do, DriverOpts: do,
SecurityOpts: so,
Files: files, Files: files,
} }
@ -156,6 +162,10 @@ func (n *Node) Copy() *Node {
for k, v := range n.DriverOpts { for k, v := range n.DriverOpts {
driverOpts[k] = v driverOpts[k] = v
} }
securityOpts := map[string]string{}
for k, v := range n.SecurityOpts {
securityOpts[k] = v
}
files := map[string][]byte{} files := map[string][]byte{}
for k, v := range n.Files { for k, v := range n.Files {
vv := []byte{} vv := []byte{}
@ -168,6 +178,7 @@ func (n *Node) Copy() *Node {
Platforms: platforms, Platforms: platforms,
Flags: flags, Flags: flags,
DriverOpts: driverOpts, DriverOpts: driverOpts,
SecurityOpts: securityOpts,
Files: files, Files: files,
} }
} }

Loading…
Cancel
Save