Propagate Dockerfile-defined SOURCE_DATE_EPOCH through frontend result
metadata so exporters can consume it, including per-platform export
paths and rewrite-timestamp handling.
Refactor Dockerfile2LLB to return a structured result, preserve exporter
reset semantics, and cover the exporter-facing behavior with Dockerfile
integration tests.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Fix issue 5763
- Discourage `--oci-worker-no-process-sandbox`, due to the leakage of
the processes (by design).
Instead, encourage setting `systempaths=unconfined` in `docker run`.
This corresponds to `securityContext.procMount: Unmasked` in Kubernetes,
however, the configuration is hard on Kubernetes, as it has to be used
in conjunction with `hostUsers: false`.
- Remove `--device /dev/fuse`, as fuse-overlayfs is no longer used typically.
- Use the new Kubernetes struct for AppArmor
- Add a hint about `kernel.apparmor_restrict_unprivileged_userns`
- Remove `$` from command snippets for ease of copypasting
- Make `job.*.yaml` more practical
- Add `*.userns.yaml`. Needs `UserNamespaceSupport` feature gate to be enabled.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
The base image config will be used later for avoiding applying
`SOURCE_DATE_EPOCH` to the base image layers (issue 4614).
The exporter stores this as the `ExporterImageBaseConfigKey` metadata.
NOTE: For a multi-stage Dockerfile like below, the base image refers to
`busybox`, not to `foo`:
```dockerfile
FROM busybox AS foo
FROM foo AS bar
```
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
`-partial-metadata-file` was substantially removed in
9acc6d30eb (`refactor buildinfo into provenance capture`)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
WithFailFast was not actually causing any change in behavior, so we can
remove the option completely.
The option set FailOnNonTempDialError(true) on the gRPC connection.
However, the help text for this method option declares that it "does not
do anything useful unless you are also using WithBlock()" - which we do
not do. I've verified that the only client-side code path that actually
handles this option is under a check for if WithBlock() was also used.
We can remove this option instead of fixing it, since the need for this
functionality has been replaced by the more buildkit-native client.Wait
function - this function also correctly waits for the buildkit server to
begin running, and to start serving requests (which is generally the
desired behaviour).
If users actually desire this option (which was not fully working
previously), they can use the WithGRPCDialOption, and pass
FailOnNonTempDialError(true) directly, alongside WithBlock.
Signed-off-by: Justin Chadwell <me@jedevc.com>
This adds an additional display output for the progress indicator to
support a JSON output. It refactors the progressui package a bit to add a
new method that takes in a `SolveStatusDisplay`. This
`SolveStatusDisplay` can be created by the user using `NewDisplay` with
the various modes as input parameters.
The JSON output will print the raw events as JSON blobs. It will not
throttle the messages or limit the display. It is meant as a pure raw
marshaling of the underlying event stream.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
This patch adds BUILDKIT_SBOM_SCAN_CONTEXT and BUILDKIT_SBOM_SCAN_STAGE
which configure scanning the build context and stages respectively.
To use these, the underlying Dockerfile must declare these args, and
optionally assign a default value. BUILDKIT_SBOM_SCAN_CONTEXT must
either be set in the global meta args before a FROM or in the target
stage, while BUILDKIT_SBOM_SCAN_STAGE must be set in each target stage.
The user can additionally override the values set in the Dockerfile to
change the behavior.
Signed-off-by: Justin Chadwell <me@jedevc.com>
Change how provenance information is captured from builds.
While previously the frontend passed the buildinfo
sources with metadata, now all information is captured
through buildkit. A frontend does not need to implement
buildinfo and can't set incorrect/incomplete buildinfo
for a build result.
All LLB operations can now collect as much provenance
info as they like, which will be used when making the
attestation. Previously this was limited to a single Pin
value. For example, we now also detect secrets and SSH IDs
that the build uses, whether it accesses the network, whether local
sources are used, etc. The new design makes sure this
can be easily extended in the future.
Provenance capture can now detect builds that do
multiple separate subsolves in sequence. For example,
the first subsolve gathers the sources for the build and
the second one builds from immutable sources without a
network connection. If the first solve does not participate
in the final build result, it does not end up in provenance.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Dockerfile has `VOLUME /home/user/.local/share/buildkit` by default too,
but the default VOLUME does not work with rootless on Google's Container-Optimized OS
as it is mounted with `nosuid,nodev`.
So the volume has to be explicitly mounted as an `emptyDir` volume.
Tested with GKE Autopilot 1.24.3-gke.200 (kernel 5.10.123+, containerd 1.6.6).
Fix issue 879
Thanks to Andrew Grigorev (ei-grad) and Ben Cressey (bcressey).
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
We use this script inside a rootless pod (https://github.com/moby/buildkit/blob/master/examples/kubernetes/pod.rootless.yaml) to perform our builds and call it via a CI/CD tool, which returns a non-zero exit code, because the trap cannot kill the process: it is already gone in case everything went fine.
So we need to catch the error code from kill, which tries to kill a process that doesn't exist anymore; the suggestion is to just add `|| true`, because we don't care about the exit code of kill.
```
#17 DONE 4.2s
sh: can't kill pid 65: No such process
command terminated with exit code 1
```
Signed-off-by: Steve Lohr <schdief.law@gmail.com>
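The failure described above, reproduced as an added example (not part of the commit or of the buildkit scripts): a `set -e` script whose cleanup kills a process that has already exited fails with status 1, and the `|| true` fix makes it exit 0. The background `true` is a constructed stand-in for buildkitd, and the cleanup is modelled as the script's last step rather than an EXIT trap so the exit status is the same across sh implementations.

```shell
#!/bin/sh
# Added example, not from the buildkit commit: reproduces why a cleanup that
# kills an already-exited process fails a `set -e` script, and shows the `|| true` fix.
set -e

# The cleanup exactly as the original script ran it: kill's exit status propagates.
STRICT_CLEANUP='kill "$pid" 2>/dev/null'

# The fix from the commit: a process that is already gone is not an error.
TOLERANT_CLEANUP='kill "$pid" 2>/dev/null || true'

# Runs a child script under `set -e` that starts a short-lived background
# process (a constructed stand-in for buildkitd), waits until it has exited
# (the "everything went fine" case), then runs the given cleanup command.
# The cleanup is modelled as the script's last step rather than an EXIT trap,
# so the exit status is the same across sh implementations. Echoes that status.
cleanup_exit_status() {
    status=0
    sh -ec '
        true &               # stand-in daemon; exits immediately
        pid=$!
        wait "$pid"          # the build has finished and the daemon is gone
        eval "$1"            # cleanup step; under set -e a failing kill ends the script
    ' sh "$1" || status=$?
    echo "$status"
}

# Usage: compare the two cleanup commands.
printf 'strict cleanup exit status:   %s\n' "$(cleanup_exit_status "$STRICT_CLEANUP")"    # 1
printf 'tolerant cleanup exit status: %s\n' "$(cleanup_exit_status "$TOLERANT_CLEANUP")"  # 0
```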
Kubernetes added the official `securityContext.seccompProfile` support in Kubernetes 1.19.
Seccomp is still disabled by default.
The legacy `container.seccomp.security.alpha.kubernetes.io/<PODNAME>` annotation has been deprecated and will be unsupported in Kubernetes 1.25.
https://kubernetes.io/docs/tutorials/security/seccomp/
A test cluster can be created with the following minikube command:
```
minikube start --feature-gates SeccompDefault=true --extra-config kubelet.seccomp-default=true
```
Fix issue 2515
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>