Merge pull request #6740 from tonistiigi/exec-net-proxy

solver: add proxy network mode

cmd/buildctl/build.go

@@ -103,6 +103,10 @@ var buildCommand = cli.Command{
 			Name:  "source-policy-file",
 			Usage: "Read source policy file from a JSON file",
 		},
+		cli.BoolFlag{
+			Name:  "proxy-network",
+			Usage: "Run build with proxy network enforcement",
+		},
 		cli.StringFlag{
 			Name:  "ref-file",
 			Usage: "Write build ref to a file",
@@ -243,7 +247,6 @@ func buildAction(clicontext *cli.Context) error {
 		}
 		srcPol = &srcPolStruct
 	}
-
 	eg, ctx := errgroup.WithContext(bccommon.CommandContext(clicontext))
 
 	ref := identity.NewID()
@@ -259,6 +262,7 @@ func buildAction(clicontext *cli.Context) error {
 		Session:             attachable,
 		AllowedEntitlements: clicontext.StringSlice("allow"),
 		SourcePolicy:        srcPol,
+		ProxyNetwork:        clicontext.Bool("proxy-network"),
 		Ref:                 ref,
 	}
 

cmd/buildkitd/config/config.go

@@ -19,6 +19,9 @@ type Config struct {
 	// Entitlements e.g. security.insecure, network.host, device
 	Entitlements []string `toml:"insecure-entitlements"`
 
+	// ProxyNetwork enables proxy network enforcement for all builds.
+	ProxyNetwork bool `toml:"proxyNetwork"`
+
 	// LogFormat is the format of the logs. It can be "json" or "text".
 	Log LogConfig `toml:"log"`
 

cmd/buildkitd/config/load_test.go

@@ -14,6 +14,7 @@ root = "/foo/bar"
 debug=true
 trace=true
 insecure-entitlements = ["security.insecure"]
+proxyNetwork = true
 
 [gc]
 enabled=true
@@ -85,6 +86,7 @@ searchDomains=["example.com"]
 	require.Equal(t, true, cfg.Debug)
 	require.Equal(t, true, cfg.Trace)
 	require.Equal(t, "security.insecure", cfg.Entitlements[0])
+	require.True(t, cfg.ProxyNetwork)
 
 	require.Equal(t, "buildkit.sock", cfg.GRPC.Address[0])
 	require.Equal(t, "debug.sock", cfg.GRPC.DebugAddress)

cmd/buildkitd/main.go

@@ -230,6 +230,10 @@ func main() {
 			Name:  "allow-insecure-entitlement",
 			Usage: "allows insecure entitlements e.g. network.host, security.insecure, device",
 		},
+		cli.BoolFlag{
+			Name:  "proxy-network",
+			Usage: "enable proxy network enforcement for all builds",
+		},
 		cli.StringFlag{
 			Name:  "otel-socket-path",
 			Usage: "OTEL collector trace socket path",
@@ -665,6 +669,9 @@ func applyMainFlags(c *cli.Context, cfg *config.Config, warnings *[]string) erro
 		// override values from config
 		cfg.Entitlements = c.StringSlice("allow-insecure-entitlement")
 	}
+	if c.IsSet("proxy-network") {
+		cfg.ProxyNetwork = c.Bool("proxy-network")
+	}
 
 	if c.IsSet("debugaddr") {
 		cfg.GRPC.DebugAddress = c.String("debugaddr")
@@ -947,6 +954,7 @@ func newController(ctx context.Context, c *cli.Context, cfg *config.Config, mp m
 		LeaseManager:              w.LeaseManager(),
 		ContentStore:              w.ContentStore(),
 		HistoryConfig:             cfg.History,
+		ProxyNetwork:              cfg.ProxyNetwork,
 		GarbageCollect:            w.GarbageCollect,
 		GracefulStop:              ctx.Done(),
 		ProvenanceEnv:             provenanceEnv,

cmd/buildkitd/main_test.go

@@ -0,0 +1,32 @@
+package main
+
+import (
+	"flag"
+	"testing"
+
+	"github.com/moby/buildkit/cmd/buildkitd/config"
+	"github.com/stretchr/testify/require"
+	"github.com/urfave/cli"
+)
+
+func TestApplyMainFlagsProxyNetwork(t *testing.T) {
+	fs := flag.NewFlagSet("buildkitd", flag.ContinueOnError)
+	fs.Bool("proxy-network", false, "")
+	require.NoError(t, fs.Set("proxy-network", "true"))
+
+	cfg := config.Config{}
+	err := applyMainFlags(cli.NewContext(cli.NewApp(), fs, nil), &cfg, nil)
+	require.NoError(t, err)
+	require.True(t, cfg.ProxyNetwork)
+}
+
+func TestApplyMainFlagsProxyNetworkOverridesConfig(t *testing.T) {
+	fs := flag.NewFlagSet("buildkitd", flag.ContinueOnError)
+	fs.Bool("proxy-network", false, "")
+	require.NoError(t, fs.Set("proxy-network", "false"))
+
+	cfg := config.Config{ProxyNetwork: true}
+	err := applyMainFlags(cli.NewContext(cli.NewApp(), fs, nil), &cfg, nil)
+	require.NoError(t, err)
+	require.False(t, cfg.ProxyNetwork)
+}