The github.com/mitchellh/hashstructure/v2 module was archived, and
there's a maintained fork in the gohugoio org.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Keep exec network modes limited to sandbox, host, and none, and pass proxy
network configuration separately through solve and executor runtime state.
Proxy execs now use bridge-style egress by default, host egress only for host
network mode with entitlement, and no proxy for none mode. Add integration
coverage for bridge, host, and none proxy behavior across OCI and containerd
workers.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Add a passthrough LLB op that builds all inputs and exposes selected
inputs as outputs. Add State.Requires as a client shortcut for requiring
dependencies without returning their snapshots.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Updating to the lowest release that includes [protobuf@dfab275], which
removed use of the github.com/golang/protobuf/ptypes/timestamp.Timestamp
type alias (deprecated).
[protobuf@dfab275]: dfab275eca
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add a proxyNetwork TOML setting and --proxy-network daemon flag to enable
exec proxy enforcement for every build. Wire the default through controller
and solver setup while preserving per-build enablement.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Apply proxy network as an explicit LLB mutation before digest recompute,
while keeping runtime load options such as platform normalization applied
when creating vertices.
This preserves distinct cache keys for proxy-network builds without
breaking gateway warning and source-map lookups that use the original LLB
digests from the frontend.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Record each proxied exec request and print a redacted method and URL list in
the exec progress logs after the process completes.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Route proxy network policy checks through the existing source policy evaluator so
session metadata, deny messages, and URL converts use the same path as LLB
sources. Keep proxy-specific request rewriting in the proxy provider.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Record successful GET responses through the exec proxy as provenance
materials and report incomplete material coverage as a typed solve error.
Thread proxy policy and capture state through typed executor/network options.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Add a build request option that rewrites default exec networking to an
internal proxy network while preserving explicit none networking.
Route HTTP and HTTPS traffic through a BuildKit-owned proxy namespace, enforce
source policy checks for proxied requests, and inject a temporary CA into Linux
rootfs trust bundles for HTTPS interception.
Share namespace pooling between CNI and proxy providers, and cover proxy mode
with unit and integration tests.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Add compatibility-version 30 for the new OCI media type default while keeping
version 20 pinned to the historical image exporter behavior through v0.31.x.
Track omitted oci-mediatypes separately from explicit false, add v30
compatibility goldens, and document the supported compatibility versions.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
FileOpSolver.getInput wrapped each input cache.ImmutableRef in a fresh
*workerRefResult without cloning, so ExecError.Inputs shared the same
*immutableRef entry with the caller. A release on either side cascaded
into equalMutable.release on a ref the other side still owned, surfacing
as "snapshot does not exist" on a later Finalize -- same shape as the
prior failed-exec output ref fix.
Clone the ref so ExecError owns its own counted ref.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
When an ExecOp exec fails, ExecOp.Exec commits each output mutable
snapshot to an immutable ref, appends it to the results returned to the
solver, AND stores it (via the error-decoration defer) into the
ExecError. The error path stored the SAME *workerRefResult into
ExecError.Mounts that was already handed to the solver, so a single
committed output ref was owned through two independent channels but
backed by only one counted cache ref.
When the error owner is released (e.g. gateway/solver error cleanup),
that single release drains the shared refcount to zero, cascading into
equalMutable.release and deleting the mutable record's lease. The active
snapshot is protected only by that lease, so a subsequent containerd
metadata GC collects it. The surviving solver-side owner is then used as
the upper parent of a Diff, whose Finalize -> Snapshotter.Commit runs on
the already-collected active snapshot, producing:
    failed to finalize upper parent during diff: failed to commit <active>
    to <final> during finalize: failed to stat active key during commit:
    snapshot <active> does not exist: not found
The fix is twofold:
- exec.go: clone the result (res.Clone()) before embedding it in
  ExecError.Mounts so the error owner has its own counted ref.
- worker/result.go: make workerRefResult.Clone produce an independent
  *WorkerRef (and thus an independent cache ref) instead of sharing the
  embedded one and orphaning the original.
Both are required: the call-site clone is what stops the over-release,
and the Clone-method fix is what makes that clone actually independent
(otherwise it aliases the shared *WorkerRef and leaks the original ref).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
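The ownership problem described in the commit message above, reduced to a toy Go model (an added example, not BuildKit code; `snapshot`, `ref`, `errGone` and `failedExec` are hypothetical names). It models only the call-site half of the fix: with one counted ref aliased by two owners, the error owner's release collects the snapshot the solver still needs, while a clone keeps it alive.

```go
package main

import "fmt"

// snapshot is a toy stand-in for the lease-protected active snapshot.
type snapshot struct {
	refs    int
	deleted bool
}

// ref is one counted handle on a snapshot (hypothetical, not a BuildKit type).
type ref struct{ snap *snapshot }

func newRef(s *snapshot) *ref { s.refs++; return &ref{snap: s} }

// Clone returns an independent handle that holds its own count.
func (r *ref) Clone() *ref { return newRef(r.snap) }

// Release drops one count; the last release lets the snapshot be collected.
func (r *ref) Release() {
	if r.snap.refs--; r.snap.refs == 0 {
		r.snap.deleted = true
	}
}

var errGone = fmt.Errorf("snapshot does not exist")

// Finalize models the later commit that needs the snapshot to still exist.
func (r *ref) Finalize() error {
	if r.snap.deleted {
		return errGone
	}
	return nil
}

// failedExec hands the output ref to the solver and to the error owner; clone=false aliases them.
func failedExec(clone bool) error {
	solverRef := newRef(&snapshot{})
	errRef := solverRef
	if clone {
		errRef = solverRef.Clone()
	}
	errRef.Release() // error cleanup releases its owner first
	return solverRef.Finalize()
}

func main() {
	fmt.Println("aliased:", failedExec(false))
	fmt.Println("cloned: ", failedExec(true))
}
```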
RefManager.Commit nilled m.mr unconditionally, so Mount.Release became
a no-op on the failure path while the underlying cache.MutableRef was
never released. Release on failure before clearing m.mr.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
The error defer's active-commit loop wrapped the commit error into the
outer err but skipped releasing active.Ref via `continue`. The mutable
was neither put into execMounts nor released, leaking on each failed
Commit.
Release before continue.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
ExecOp.Exec's post-exec commit loop returned (nil, err) when
mutable.Commit failed mid-loop, leaving the already-committed outputs
in the named `results` return clobbered to nil with no holder -- a
permanent leak.
Release them inline instead. An internal commit failure is not a
user-facing exec error, so they don't belong in ExecError.Mounts
either.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Clone the existing slow-cache input result when wrapping errors instead of
creating a separate shared owner. This keeps SlowCacheError.Result tied to
the same release chain and avoids releasing the input while the error still
holds it.
Update the containerd cleanup check to ignore empty leases while still
failing on leases that retain resources, and add a deterministic regression.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Threads the existing OTEL MeterProvider through llbsolver.Opt and emits
three build-event instruments from the recordBuildHistory finalizer:
- buildkit.builds (counter; labels: status, error_code)
- buildkit.builds.steps (counter; labels: kind)
- buildkit.build.duration (Base2 exponential histogram; labels: status)
The duration histogram uses an exponential aggregation, rendered as a
Prometheus native histogram by the existing exporter, to avoid the
"tens of millions of series" cardinality blow-up reported in #5777.
MeterProvider is passed explicitly through the constructor — buildkit
policy (per the #4957 review) prohibits relying on the OTel global
provider in library packages.
error_code uses gRPC codes.Code.String() for a bounded set;
rec.Error.Message is intentionally never used as a label. The frontend
label is intentionally omitted — client.Build clears req.Frontend on
the wire, so the field is empty for every caller that goes through the
gateway-client API (buildctl, buildx). The metric is forward-compatible
with a future buildkit change that populates rec.Frontend on that path.
A follow-up PR will add observable gauges for worker count and cache
state, plus an operator guide at docs/metrics.md.
Refs #1544; addresses discussion #5777.
Signed-off-by: Ava Barron <abarron@coreweave.com>
Avoid storing typed nil HTTP metadata in the resolver cache after failed
metadata resolution. Also make resolver cache release functions consistently
callable when no error is returned.
Add a client integration test covering concurrent same-URL HTTP sources with
and without checksum when the server returns 401.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Update non-generated code for the newer lint recommendations by using typed
atomic values, strings.Cut, and slices.Backward where applicable.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Update golangci-lint and adjust code for new gosec diagnostics. Use
root-scoped filesystem operations where appropriate, preserve explicit
user path behavior for SSH keys, and avoid background contexts in
request-scoped cleanup paths.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Walking back the build definition for provenance could
cause a race when one of the builds used no-cache and was
tracked by a modified vertex digest.
This could have caused vtx.op or vtx.op.op to be nil, or
if a parallel build had created sharedOp but had not called
CacheKey yet, it could have left an empty pin for the source
step that caused an error when writing out the provenance.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Read provenance bridge slices through locked snapshots so concurrent
gateway solves cannot race with provenance collection. Protect the
frontend result append on child bridges as well.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
There's a large potential for a lock contention issue in the gateway
forwarder's logic. The previous iteration of this would keep a global
mapping of the build ids and, when a forwarder for a build id didn't
exist, the forwarder would wait 3 seconds for the build to register.
The issue with lock contention comes after this. Instead of having a
notification channel that a specific build was ready, the forwarder
would wake up all goroutines that were waiting each time a build was
registered. Since each of those builds took a read lock to check whether
its build was present and registering subsequent builds took a write
lock, it was very easy to end up in a lock contention scenario when
starting many builds at the same time. Then it was easy to hit the 3
second timeout, especially when the machine itself was under load.
This changes the notification mechanism so the notify happens per build.
Looking up a build id creates a forwarder registrar with a channel that
can be polled for when the registration is complete. A forwarder will
then only be notified and woken when that specific build id is ready by
the Go runtime rather than from the sync condition.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
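A minimal Go sketch of the per-build notification pattern the commit message above describes (an added example, not the BuildKit forwarder code; `registrar`, `registry`, `lookup`, `register` and `wait` are hypothetical names). Each build id gets its own channel, so registering one build wakes only the goroutines waiting on that id.

```go
package main

import (
	"context"
	"fmt"
	"sync"
)

// registrar is a per-build entry; ready is closed once the build registers.
type registrar struct {
	ready chan struct{}
	once  sync.Once
}

// registry maps build id -> *registrar (hypothetical names, not BuildKit's).
type registry struct{ builds sync.Map }

// lookup returns the registrar for id, creating it if a waiter arrives first.
func (r *registry) lookup(id string) *registrar {
	v, _ := r.builds.LoadOrStore(id, &registrar{ready: make(chan struct{})})
	return v.(*registrar)
}

// register marks one build ready; only goroutines waiting on that id wake.
func (r *registry) register(id string) {
	reg := r.lookup(id)
	reg.once.Do(func() { close(reg.ready) })
}

// wait blocks until id is registered or ctx expires.
func (r *registry) wait(ctx context.Context, id string) error {
	select {
	case <-r.lookup(id).ready:
		return nil
	case <-ctx.Done():
		return ctx.Err()
	}
}

func main() {
	r := &registry{}
	go r.register("build-a")
	fmt.Println("build-a:", r.wait(context.Background(), "build-a"))
}
```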
Expose the builtin Dockerfile frontend version in BuildKit version
APIs and buildctl debug output.
Move Dockerfile version logic into frontend/dockerfile/version and
validate that the builtin version constant matches release tags.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Record the builtin Dockerfile frontend version in provenance
attestations for both SLSA v0.2 and v1 formats. The version
is derived from a new builder.Version constant, normalized
with the BuildKit release version suffix.
The external frontend Dockerfile validates that the builtin
version constant matches the git tag at release time.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Apply min provenance request scrubbing recursively to named inputs and root
requests so nested build args and labels do not leak into explicit min
provenance. Keep non-sensitive input request metadata and mark request
completeness incomplete only when scrubbed args are omitted.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Keep request provenance for solved refs by their LLB digest while the producing
build is still active. Use the stored request when another solve later provides
the same LLB definition as a frontend input.
This lets max provenance report root and nested input requests for gateway and
builtin Dockerfile frontend solves without accepting client-supplied request
metadata.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Support importing git sources from OCI or registry-backed bundle blobs
and exporting resolved checkouts as single-file git bundles.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Preserve the git context subdirectory in SLSA configSource while keeping
resolved materials scoped to the fetched repository ref.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Allow git sources to fetch a pinned commit without resolving the ref
against the remote tip, while preserving cache keys for canonical
branch refs and covering the behavior with tests.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Add solve-wide compatibility-version support for image and oci
exports, with historical goldens and release compatibility tests.
Backfill version 10 for v0.13-v0.14 git artifact behavior, keep
version 20 as current, and reject unsupported zstd on v10.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Bind session RPC contexts to caller lifetime so ongoing RPCs fail when the
session is canceled. Add an integration test that blocks the session tunnel
and verifies the health monitor releases the hung build after timeout.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>