The github.com/mitchellh/hashstructure/v2 module was archived, and
there's a maintained fork in the gohugoio org.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Delay containerd stdin CloseIO until BuildKit's stdin reader reaches EOF.
This avoids racing the shim FIFO copy path, where closing stdin before
the copy completes can leave execs stuck or missing stdin data.
Add a client gateway regression that runs concurrent execs writing stdin
into files and verifies every payload is present.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Keep exec network modes limited to sandbox, host, and none, and pass proxy
network configuration separately through solve and executor runtime state.
Proxy execs now use bridge-style egress by default, host egress only for host
network mode with entitlement, and no proxy for none mode. Add integration
coverage for bridge, host, and none proxy behavior across OCI and containerd
workers.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Forward non-tty stdin through an os.Pipe so runc receives an *os.File
instead of the caller's reader. This lets runc exit after the container
process is killed without waiting on Go's internal stdin copy.
Add gateway coverage for graceful pid1 exit, release-based cleanup, and
explicit SIGKILL while pid1 stdin is still open.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Add integration coverage for exec proxy source policy conversion. The test
requests /foo, rewrites it to /bar, and verifies exported content and
provenance materials use the converted source.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Record successful GET responses through the exec proxy as provenance
materials and report incomplete material coverage as a typed solve error.
Thread proxy policy and capture state through typed executor/network options.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Add a build request option that rewrites default exec networking to an
internal proxy network while preserving explicit none networking.
Route HTTP and HTTPS traffic through a BuildKit-owned proxy namespace, enforce
source policy checks for proxied requests, and inject a temporary CA into Linux
rootfs trust bundles for HTTPS interception.
Share namespace pooling between CNI and proxy providers, and cover proxy mode
with unit and integration tests.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Change how the runc executor kills runc processes by removing the
previous warning message that occurred every 50 milliseconds with a bit
more precision in how it sends the warning.
The previous version could potentially successfully kill the runc
process and then the runc process could take some time to exit. It would
spam the logs every 50 milliseconds until the process exited and would
attempt to rekill a container that was already marked as killed.
This change makes it so we detect a successful kill. If we detect a
successful kill, we then wait for the process while writing a warning to
the log that the process is taking a long time to end. We print one
message 50 milliseconds after the kill and then an additional one with
the exact time it took to exit after the exit succeeds.
If the kill is not successful, we stay in the same loop as previously
existed.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
Update non-generated code for the newer lint recommendations by using typed
atomic values, strings.Cut, and slices.Backward where applicable.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Update golangci-lint and adjust code for new gosec diagnostics. Use
root-scoped filesystem operations where appropriate, preserve explicit
user path behavior for SSH keys, and avoid background contexts in
request-scoped cleanup paths.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Merge the `tracing/env` and `tracing/exec` packages into a single package
with some common types shared between the two.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
Use os.OpenRoot for resolv.conf and hosts state file creation, and
adapt executor callers and tests to the root-relative helper API.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Add executor.ValidContainerID and enforce it in runc/containerd Run paths.
Only the runc executor used the ID in filesystem operations.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 789df2422341960b7549d14ea475add43e73cd74)
Replace duplicate nopCloser, nopWriteCloser, and bufferCloser
type definitions across test and production code with the
shared iohelper.NopWriteCloser type.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
The moby/profiles/seccomp module was extracted from the Moby repository
at commit [e1281f09fceec4aab518267c319a7bd4c79cf3c5][1].
[1]: e1281f09fc
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Rewrite the resolvconf code to use libnetwork's internal package, which
allows us to skip some of the moby-specific handling (writing to a file,
creating a hash of the file to detect changes made by the user (not
supported by BuildKit, which always mounts read-only)).
This rewrite also allows us to skip GetNameservers, GetSearchDomains, GetOptions,
and FilterResolvDNS, which repeatedly would parse the resolvconf file for
each of them.
The new code parses the original resolvconf once, after which mutations
(overrides) are done in memory, after which we generate the resolv.conf to
write to disk.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add a fork of github.com/docker/docker/daemon/libnetwork/internal/resolvconf,
taken at commit [254f64ded64027db0d2d1531a8ef9015de68e2f2]. I did not
preserve git history for this one (just a copy), but history can be found
in the Moby repository if needed.
[254f64ded64027db0d2d1531a8ef9015de68e2f2]: 254f64ded6
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Convert usages of `github.com/docker/docker/pkg/idtools` to
`github.com/moby/sys/user` in order to break the dependency between
buildkit and docker.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
Currently, mounts are not supported for WCOW builds,
see #5678. This commit introduces support for
bind and cache mounts. The remaining two require
a little more work and consultation with the platform
teams for enlightenment.
WIP Checklist:
- [x] Support for bind mounts
- [x] Support for cache mounts
- [x] add frontend/dockerfile integration tests
- [x] add client integration tests (not all, `llb.AddMount` not
complete)
Fixes #5603
Signed-off-by: Anthony Nandaa <profnandaa@gmail.com>