Updating to the lowest release that includes [protobuf@dfab275], which
removed use of the github.com/golang/protobuf/ptypes/timestamp.Timestamp
type alias (deprecated).
[protobuf@dfab275]: dfab275eca
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Update golangci-lint and adjust code for new gosec diagnostics. Use
root-scoped filesystem operations where appropriate, preserve explicit
user path behavior for SSH keys, and avoid background contexts in
request-scoped cleanup paths.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
This adds a way to set the log level of buildkitd outside of using
`--debug` or `--trace` which allows increasing the log level rather than
only lowering it.
The `--debug` and `--trace` options are now deprecated along with the
configuration options. A warning will be printed to the log when they
are used.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
Move compatibility-releases to a single job that reuses the
integration test image flow from the main test workflow.
Add hack/test support for injecting a buildkitd binary and add a
dedicated hack/test-compatibility-releases wrapper for the release
sweep.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
The v2.4.0 release had a minor regression and didn't detect the HTML
comments correctly;
```
diff --git a/README.md b/README.md
index 3f271be8625e..8ec4a7c5a421 100644
--- a/README.md
+++ b/README.md
@@ -42,6 +42,7 @@ Join `#buildkit` channel on [Docker Community Slack](https://dockr.ly/comm-slack
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
- [Used by](#used-by)
- [Quick start](#quick-start)
```
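Review bot: the `+` line at README.md line 44 repeats the `<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->` comment directly above it, so the TOC header carries the marker twice. Drop the duplicate line and regenerate the TOC with a doctoc release that recognises the existing comment, so that repeated runs leave the README unchanged.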
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These requests allow computing additional checksum algorithms
for the payload of HTTP sources.
Optionally a suffix can be passed that is added to the payload. This
is needed to make validation of PGP signatures possible remotely.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
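An added example, not BuildKit's own code, of the checksum-with-suffix idea described in the commit message above: the holder of the payload hashes `payload || suffix` in one pass for several algorithms, so a remote verifier only needs the digest. The function names are hypothetical, and treating the suffix as an OpenPGP v4 signature trailer (RFC 4880, section 5.2.4) is an assumption about how the suffix would be used.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
	"io"
	"strings"
)

// v4Trailer returns the bytes an OpenPGP v4 signature hashes after the signed
// data (RFC 4880, 5.2.4): header, hashed subpackets, 0x04 0xFF, 4-byte length.
func v4Trailer(sigType, pubAlgo, hashAlgo byte, hashedSub []byte) []byte {
	b := []byte{4, sigType, pubAlgo, hashAlgo}
	b = binary.BigEndian.AppendUint16(b, uint16(len(hashedSub)))
	b = append(b, hashedSub...)
	n := uint32(len(b)) // length of the hashed signature data so far
	return binary.BigEndian.AppendUint32(append(b, 4, 0xff), n)
}

// checksums (hypothetical helper) reads payload once and returns hex digests
// of payload||suffix for each requested algorithm.
func checksums(payload io.Reader, suffix []byte, algos ...string) (map[string]string, error) {
	ctor := map[string]func() hash.Hash{"sha256": sha256.New, "sha384": sha512.New384, "sha512": sha512.New}
	hs := map[string]hash.Hash{}
	var ws []io.Writer
	for _, a := range algos {
		newHash, ok := ctor[a]
		if !ok {
			return nil, fmt.Errorf("unsupported algorithm %q", a)
		}
		if _, dup := hs[a]; !dup {
			hs[a] = newHash()
			ws = append(ws, hs[a])
		}
	}
	w := io.MultiWriter(ws...)
	if _, err := io.Copy(w, payload); err != nil {
		return nil, err
	}
	if _, err := w.Write(suffix); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for a, h := range hs {
		out[a] = hex.EncodeToString(h.Sum(nil))
	}
	return out, nil
}

func main() {
	// Constructed sample: binary document signature (0x00), RSA (1), SHA-256 (8).
	suffix := v4Trailer(0x00, 1, 8, nil)
	sums, err := checksums(strings.NewReader("example payload\n"), suffix, "sha256", "sha512")
	fmt.Println(sums, err)
}
```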
Introduce a new entrypoint script for the Linux image that, if cgroup v2
is in use, creates a new cgroup and mount namespace for buildkitd within
a new entrypoint using `unshare` and remounts `/sys/fs/cgroup` to
restrict its view of the unified cgroup hierarchy. This will ensure its
`init` cgroup and all OCI worker managed cgroups are kept beneath the
root cgroup of the initial entrypoint process.
When buildkitd is run in a managed environment like Kubernetes without
its own cgroup namespace (the default behavior of privileged pods in
Kubernetes where cgroup v2 is in use; see [cgroup v2 KEP][kep]), the OCI
worker will spawn processes in cgroups that are outside of the cgroup
hierarchy that was created for the buildkitd container, leading to
incorrect resource accounting and enforcement which in turn can cause
OOM errors and CPU contention on the node.
Example behavior without this change:
```console
root@k8s-node:/# cat /proc/$(pgrep -n buildkitd)/cgroup
0::/init
root@k8s-node:/# cat /proc/$(pgrep -n some-build-process)/cgroup
0::/buildkit/{runc-container-id}
```
Example behavior with this change:
```console
root@k8s-node:/# cat /proc/$(pgrep -n buildkitd)/cgroup
0::/kubepods/burstable/pod{pod-id}/{container-id}/init
root@k8s-node:/# cat /proc/$(pgrep -n some-build-process)/cgroup
0::/kubepods/burstable/pod{pod-id}/{container-id}/buildkit/{runc-container-id}
```
Note this was developed as an alternative approach to moby/buildkit#6343
[kep]: 6d3210f7dd/keps/sig-node/2254-cgroup-v2 (cgroup-namespace)
Signed-off-by: Dan Duvall <dduvall@wikimedia.org>
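An added example, not part of the commit or of BuildKit, that turns the before/after `/proc/<pid>/cgroup` outputs above into a check: given the cgroup the runtime created for the buildkitd container, it reports whether a process sits outside it. The function names and the pod and container ids are hypothetical placeholders.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// unifiedPath extracts the cgroup v2 path (the "0::<path>" entry) from the
// contents of /proc/<pid>/cgroup; v1 controller lines are ignored.
func unifiedPath(procCgroup string) (string, bool) {
	for _, line := range strings.Split(procCgroup, "\n") {
		if strings.HasPrefix(line, "0::") {
			return path.Clean("/" + strings.TrimPrefix(line, "0::")), true
		}
	}
	return "", false
}

// escaped reports whether a process sits outside containerCgroup, the cgroup
// the runtime created for the buildkitd container (as seen from the node).
func escaped(containerCgroup, procCgroup string) (bool, error) {
	p, ok := unifiedPath(procCgroup)
	if !ok {
		return false, fmt.Errorf("no cgroup v2 entry found")
	}
	root := path.Clean("/" + containerCgroup)
	// Compare whole path components so "/a/b" does not match "/a/bc".
	inside := root == "/" || p == root || strings.HasPrefix(p, root+"/")
	return !inside, nil
}

func main() {
	// Constructed sample values; the pod and container ids are placeholders.
	root := "/kubepods/burstable/pod-example/ctr-example"
	samples := []string{
		"0::/init",                  // buildkitd, without the change
		"0::/buildkit/runc-example", // build process, without the change
		"0::" + root + "/init",      // buildkitd, with the change
		"0::" + root + "/buildkit/runc-example",
	}
	for _, s := range samples {
		e, err := escaped(root, s)
		fmt.Println(s, "escaped:", e, "err:", err)
	}
}
```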
Currently it is not possible to update to a more
recent version as modernize causes errors in generated code.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Modifies the hack/compose script to use a newer otel collector and try
to suppress miscellaneous logs when it fails to export traces. Disable
jaeger, prometheus, and grafana by default.
It also adds a metrics pipeline that goes to a nop exporter. This is to
force the otel collector to start the metrics service and prevent an
error when buildkit exports metrics to the otel collector related to the
metrics service being missing.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
Removes the `tools/tools.go` file used as a hack to get `go.mod` to
track tools in favor of the new method introduced in go 1.24 of being
formally supported in the `go.mod` file. This will allow the tools to be
managed with the new `go get tool` and `go install tool` commands.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
This moves the aggregation of the various protobuf includes (binaries
and include files) to a separate stage so the files can be retrieved
more easily by external tools.
Since the canonical way of retrieving the protobuf dependencies is to
use this file and the dependencies can be quite complicated to retrieve,
this makes it easier for outside contributors to retrieve the
dependencies and copy them into their own repositories.
This was possible before by using the `tools` target, but that would
also include the entire `golang` image. Now you can retrieve just the
`protobuf` target to get the binaries and the include files.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
One should not use their regular docker credentials here
but make a special config file with only a public read-only
token inside.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>