Add a proxyNetwork TOML setting and --proxy-network daemon flag to enable
exec proxy enforcement for every build. Wire the default through controller
and solver setup while preserving per-build enablement.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Apply proxy network as an explicit LLB mutation before digest recompute,
while keeping runtime load options such as platform normalization applied
when creating vertices.
This preserves distinct cache keys for proxy-network builds without
breaking gateway warning and source-map lookups that use the original LLB
digests from the frontend.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Add compatibility-version 30 for the new OCI media type default while keeping
version 20 pinned to the historical image exporter behavior through v0.31.x.
Track omitted oci-mediatypes separately from explicit false, add v30
compatibility goldens, and document the supported compatibility versions.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Adds a new field to the system configuration that sets the maximum
concurrency for registry connections.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>

Update golangci-lint and adjust code for new gosec diagnostics. Use
root-scoped filesystem operations where appropriate, preserve explicit
user path behavior for SSH keys, and avoid background contexts in
request-scoped cleanup paths.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

This adds a way to set the log level of buildkitd outside of using
`--debug` or `--trace` which allows increasing the log level rather than
only lowering it.
The `--debug` and `--trace` options are now deprecated along with the
configuration options. A warning will be printed to the log when they
are used.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>

Add solve-wide compatibility-version support for image and oci
exports, with historical goldens and release compatibility tests.
Backfill version 10 for v0.13-v0.14 git artifact behavior, keep
version 20 as current, and reject unsupported zstd on v10.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Resolve SOURCE_DATE_EPOCH=context in the Dockerfile frontend from the
main build context and pass the resolved numeric epoch through normal
ARG handling and exporter metadata.
Use git commit time for git contexts, HTTP Last-Modified when present,
and newest archive entry mtime for HTTP archives. Leave local contexts
unset.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Allow Dockerfiles to define a default SOURCE_DATE_EPOCH value
via a global-scope ARG. The explicit caller-provided epoch
still takes priority. This lets Dockerfiles be self-contained
for reproducible builds without requiring external build args.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

The repository was renamed to https://github.com/dragonflyoss/nydus,
and while GitHub does provide redirects, their services have been
a bit flaky recently so sometimes the redirects would fail.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

I faced 'The string is missing the terminator: ".' by following the readme guide and copy/pasting the given snippets, so I propose to fix it for other users.
Signed-off-by: Nicolas Schweitzer <nicolas.schweitzer@datadoghq.com>

-S, --show-error: show an error on failure
-f, --fail: fail fast with no output at all on server errors
Prior to this commit, curl was just saving an error HTML as the content
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

`tldir` flag handling now properly handles the old logic and the new
logic for cert-manager.io without failing.
Improved error message when files are missing.
Co-authored-by: Gleb Nebolyubov <gleb.nebo@gmail.com>
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>

To enable CNI networking for WCOW, you needed to provide
long paths when running the daemon, e.g.
```
buildkitd `
--containerd-cni-config-path="C:\Program Files\containerd\cni\conf\0-containerd-nat.conf" `
--containerd-cni-binary-dir="C:\Program Files\containerd\cni\bin"
```
Fix this so that the default paths are set in appdefaults,
instead of the one that had been set previously.
Now you can just run: `buildkitd`.
Also, refactor the script for setting up CNI binaries
and configs, to make it easy to refresh the configs
without having to download the binaries afresh.
Signed-off-by: Anthony Nandaa <profnandaa@gmail.com>

Fix issue 5763
- Discourage `--oci-worker-no-process-sandbox`, due to the leakage of
  the processes (by design).
  Instead, encourage setting `systempaths=unconfined` in `docker run`.
  This corresponds to `securityContext.procMount: Unmasked` in Kubernetes,
  however, the configuration is hard on Kubernetes, as it has to be used
  in conjunction with `hostUsers: false`.
- Remove `--device /dev/fuse`, as fuse-overlayfs is no longer used typically.
- Use the new Kubernetes struct for AppArmor
- Add a hint about `kernel.apparmor_restrict_unprivileged_userns`
- Remove `$` from command snippets for ease of copypasting
- Make `job.*.yaml` more practical
- Add `*.userns.yaml`. Needs `UserNamespaceSupport` feature gate to be enabled.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Since CDI support is enabled by default, add a default
CDI spec directory for Windows. Without this, the
buildkitd fails to start with error:
```
buildkitd: No CDI specification directories specified
```
Also add a note on the docs that the support is yet
to be tested on Windows.
Signed-off-by: Anthony Nandaa <profnandaa@gmail.com>

The previous instructions had a slight mistake where the CNI
version was similar to the CNI plugin version. At that time,
that was true, we had 0.3.0. However, the latest plugin
version is 0.3.1 and supports up to CNI v1.0.0.
Fix the installation scripts to have `$cniVersion` and
`$cniPluginVersion` as separate variables.
Also add script to set up HNS Network on WS2019 when
it is not already available by default, like in the
rest of the SKUs WS2022+, after enabling Hyper-V.
Signed-off-by: Anthony Nandaa <profnandaa@gmail.com>