When git runs as root under sudo it consults SUDO_UID to decide whether a
repository's ownership can be trusted, additionally granting access to
repositories owned by the user who invoked sudo. GitCLI builds a
restricted environment for the git subprocess and did not forward
SUDO_UID, so commands such as `sudo docker build` tripped git's "detected
dubious ownership" check and silently lost commit provenance: the build
still succeeds but prints "current commit information was not captured by
the build".
Forward SUDO_UID (only when present) on the host git config path enabled
via WithHostGitConfig, i.e. client-side local git inspection. The default
isolated path used by daemon-side callers is left untouched so it does not
pick up host environment. This matches git's own default behavior under
sudo: it does not disable safe.directory checks and is not equivalent to
safe.directory=*; it merely lets git trust repositories owned by the
invoking user. Only SUDO_UID is forwarded (git's ownership check is
uid-based and never consults SUDO_GID).
Fixes the root cause for docker/buildx#3855. buildx inspects the build
context through this GitCLI with WithHostGitConfig enabled, so buildx
picks the fix up via a moby/buildkit dependency bump with no buildx-side
code change.
Signed-off-by: MohammadHasan Akbari <jarqvi.jarqvi@gmail.com>
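An added illustration of the forwarding rule this commit describes (not BuildKit's GitCLI code): the subprocess environment is built from a fixed allowlist, and SUDO_UID is appended only on the host-git-config path and only when the invoking environment actually sets it. `baseEnv`, `gitEnv` and `lookupEnv` are assumed names.

```go
package main

import "strings"

// baseEnv is the restricted environment handed to git on both paths (assumed
// allowlist for this example; BuildKit's real one is not shown here).
var baseEnv = []string{"PATH=/usr/bin:/bin", "GIT_TERMINAL_PROMPT=0", "LC_ALL=C"}

// lookupEnv finds key in a KEY=VALUE slice; a constructed stand-in for
// os.LookupEnv so a synthetic host environment can be passed in.
func lookupEnv(env []string, key string) (string, bool) {
	for _, kv := range env {
		if k, v, ok := strings.Cut(kv, "="); ok && k == key {
			return v, true
		}
	}
	return "", false
}

// gitEnv builds the git subprocess environment. hostEnv is the environment of
// the process invoking git (e.g. `sudo docker build`). On the isolated,
// daemon-side path (withHostGitConfig == false) nothing from hostEnv is
// forwarded. On the host git config path SUDO_UID is forwarded only when it is
// set and non-empty, which lets git's uid-based ownership check trust
// repositories owned by the invoking user without disabling safe.directory.
// SUDO_GID is never forwarded because git's check never consults it.
func gitEnv(hostEnv []string, withHostGitConfig bool) []string {
	env := append([]string(nil), baseEnv...)
	if !withHostGitConfig {
		return env
	}
	if uid, ok := lookupEnv(hostEnv, "SUDO_UID"); ok && uid != "" {
		env = append(env, "SUDO_UID="+uid)
	}
	return env
}

func main() {
	// Constructed sample of what sudo leaves in the invoking environment.
	host := []string{"HOME=/root", "SUDO_UID=1000", "SUDO_GID=1000", "SUDO_USER=alice"}
	for _, kv := range gitEnv(host, true) {
		println(kv)
	}
}
```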
Dialing from a CNI namespace with the standard net.Dialer can escape the
namespace through happy-eyeballs connection attempts or resolver goroutines.
Use a serial dialer and route Go resolver sockets through the target
namespace, while preserving host loopback DNS stubs such as systemd-resolved
and Docker embedded DNS.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
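An added example of the two mechanisms named in this commit, written for illustration and not taken from BuildKit: a `net.Dialer` with fast fallback disabled so no parallel happy-eyeballs attempt leaves the namespace, and a pure-Go `net.Resolver` whose DNS sockets go through the namespace except for loopback stubs that only exist on the host. The namespace-entry hook `nsEnter` is an assumed placeholder for the real setns logic.

```go
package main

import (
	"context"
	"net"
	"time"
)

// nsEnter is the hook that would open a connection inside the target CNI
// namespace (setns on a locked OS thread). It is an assumed placeholder here,
// not BuildKit's implementation.
type nsEnter func(ctx context.Context, network, addr string) (net.Conn, error)

// newSerialDialer returns a dialer that never spawns a parallel fallback
// attempt: a negative FallbackDelay disables RFC 6555 fast fallback, so every
// connect happens on the goroutine that entered the namespace.
func newSerialDialer() *net.Dialer {
	return &net.Dialer{Timeout: 30 * time.Second, FallbackDelay: -1}
}

// dnsOnHost reports whether a resolver address is a loopback stub (for example
// systemd-resolved at 127.0.0.53:53 or Docker embedded DNS at 127.0.0.11:53)
// that exists only in the host namespace and must be dialed from the host.
func dnsOnHost(addr string) bool {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		host = addr
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// newNamespaceResolver forces the pure-Go resolver so its sockets are opened by
// our Dial function rather than by libc, and sends each DNS socket either to
// the host (loopback stubs) or into the namespace via enter.
func newNamespaceResolver(enter nsEnter) *net.Resolver {
	host := newSerialDialer()
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, addr string) (net.Conn, error) {
			if dnsOnHost(addr) {
				return host.DialContext(ctx, network, addr)
			}
			return enter(ctx, network, addr)
		},
	}
}
```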
Commit 91cc422d5 split exec proxying from exec network mode and
started cloning the proxy transport per egress namespace with a custom
DialContext.
Without ForceAttemptHTTP2, the cloned transport could advertise h2 via
ALPN without a registered HTTP/2 RoundTripper, causing Alpine apk update
requests to fail with proxy 502 responses.
Restoring HTTP/2 upstream also exposes unknown-length HTTP/2 responses.
When those responses are rewritten for the MITM HTTP/1.1 client, close
the client-facing connection so clients can delimit the response body.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Use the worker default provider for proxy UNSET egress so host fallback
is preserved when no CNI config is configured.
Extend proxy integration coverage across default, host, bridge, and
default-no-cni worker network modes.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Keep exec network modes limited to sandbox, host, and none, and pass proxy
network configuration separately through solve and executor runtime state.
Proxy execs now use bridge-style egress by default, host egress only for host
network mode with entitlement, and no proxy for none mode. Add integration
coverage for bridge, host, and none proxy behavior across OCI and containerd
workers.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
resolveDefaultPlatform used platforms.Default(), which also matches
sub-platforms (e.g. 386 for amd64, arm for arm64). When an index lists a
compatible variant before the host platform, the wrong single-arch
manifest could be copied to the local mirror.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Progress reads collapse unread updates by ID, so the raw item count can vary
with scheduling. Assert the final status for each nested writer instead.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Updating to the lowest release that includes [protobuf@dfab275], which
removed use of the github.com/golang/protobuf/ptypes/timestamp.Timestamp
type alias (deprecated).
[protobuf@dfab275]: dfab275eca
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The github.com/golang/protobuf/ptypes/any.Any type is an alias for
google.golang.org/protobuf/types/known/anypb.Any, so we can remove those
direct imports of the deprecated github.com/golang/protobuf module.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Traces are now forwarded in a non-blocking goroutine when sent through
the traces exporter. This prevents traces forwarded from the client from
being stalled while waiting for an upstream uploader to appear.
In addition, adds a shutdown context to `appcontext` that will only
cancel when an interrupt has been received twice. One interrupt will
signal the program should clean up and shut down, the second indicates
we should skip shutdown procedures (more forceful), and the third will
indicate that we should immediately terminate the program.
This gives a bit more of a degree of control to shutdown procedures like
the traces and metrics exporter so there's a difference between forcibly
calling exit and just waiting a long time for the shutdown to happen.
Includes a more aggressive shutdown timeout for `buildctl` that is
similar to the export timeout on `docker-buildx` for the tracing
shutdown as another preventative measure to ensure the CLI hangs up at
an appropriate time interval.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
Refresh generated proxy leaf certificates before they expire and cap cached
hosts to avoid daemon-lifetime growth. Clean stale proxy network namespaces
on provider startup to mirror CNI cleanup after daemon crashes.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Add integration coverage for exec proxy source policy conversion. The test
requests /foo, rewrites it to /bar, and verifies exported content and
provenance materials use the converted source.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Record each proxied exec request and print a redacted method and URL list in
the exec progress logs after the process completes.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Route proxy network policy checks through the existing source policy evaluator so
session metadata, deny messages, and URL converts use the same path as LLB
sources. Keep proxy-specific request rewriting in the proxy provider.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Record successful GET responses through the exec proxy as provenance
materials and report incomplete material coverage as a typed solve error.
Thread proxy policy and capture state through typed executor/network options.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Add a build request option that rewrites default exec networking to an
internal proxy network while preserving explicit none networking.
Route HTTP and HTTPS traffic through a BuildKit-owned proxy namespace, enforce
source policy checks for proxied requests, and inject a temporary CA into Linux
rootfs trust bundles for HTTPS interception.
Share namespace pooling between CNI and proxy providers, and cover proxy mode
with unit and integration tests.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Add process runtime and socket wait diagnostics to integration test helpers
so future daemon startup flakes include useful timing data.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Allow annotation and attestation exports with OCI media types enabled, fix
the zstd media type map, and update integration tests for the new default.
Keep Docker media types explicit where legacy behavior is under test.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
When support for zstd was introduced, these mediaTypes were not yet
available in released versions of their respective Go packages. That is
no longer the case.
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
Clone the containerd worker environment before sandbox setup so
parallel integration tests do not race while appending debug env.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Adds a new field to the system configuration that sets the maximum
concurrency for registry connections.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
Update non-generated code for the newer lint recommendations by using typed
atomic values, strings.Cut, and slices.Backward where applicable.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Update golangci-lint and adjust code for new gosec diagnostics. Use
root-scoped filesystem operations where appropriate, preserve explicit
user path behavior for SSH keys, and avoid background contexts in
request-scoped cleanup paths.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
There's a large potential for a lock contention issue in the gateway
forwarder's logic. The previous iteration of this would keep a global
mapping of the build ids and, when a forwarder for a build id didn't
exist, the forwarder would wait 3 seconds for the build to register.
The issue with lock contention comes after this. Instead of having a
notification channel that a specific build was ready, the forwarder
would wake up all goroutines that were waiting each time a build was
registered. Since each of those builds took a read lock to check whether
its build was present and registering subsequent builds took a write
lock, it was very easy to end up in a lock contention scenario when
starting many builds at the same time. Then it was easy to hit the 3
second timeout especially when the machine itself was under load.
This changes the notification mechanism so the notify happens per build.
Looking up a build id creates a forwarder registrar with a channel that
can be polled for when the registration is complete. A forwarder will
then only be notified and woken when that specific build id is ready by
the Go runtime rather than from the sync condition.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
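An added example of the per-build notification pattern this commit describes, not the gateway forwarder's own code: each build id gets a registrar with its own channel, a lookup waits on that channel alone, and the mutex is never held while waiting, so registering other builds cannot wake or delay unrelated waiters. `Registry`, `registrar` and `Forwarder` are assumed names.

```go
package main

import (
	"context"
	"sync"
)

type Forwarder struct{ ID string }
// registrar is created on the first Lookup or Register of a build id; ready is
// closed exactly once, when the forwarder arrives, waking only that id's waiters.
type registrar struct {
	ready chan struct{}
	fwd   *Forwarder
}
type Registry struct {
	mu   sync.Mutex
	regs map[string]*registrar
}
func NewRegistry() *Registry { return &Registry{regs: map[string]*registrar{}} }
// getLocked returns the registrar for id, creating it if absent; caller holds mu.
func (r *Registry) getLocked(id string) *registrar {
	if r.regs[id] == nil {
		r.regs[id] = &registrar{ready: make(chan struct{})}
	}
	return r.regs[id]
}
// Register publishes f for its build id; the first registration wins.
func (r *Registry) Register(f *Forwarder) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if reg := r.getLocked(f.ID); reg.fwd == nil {
		reg.fwd = f
		close(reg.ready)
	}
}
// Lookup waits on id's own channel until it is registered or ctx ends. The mutex
// is held only for the map access, never while waiting, so registering other
// builds cannot delay this caller or push it past its deadline.
func (r *Registry) Lookup(ctx context.Context, id string) (*Forwarder, error) {
	r.mu.Lock()
	reg := r.getLocked(id)
	r.mu.Unlock()
	select {
	case <-reg.ready:
		return reg.fwd, nil
	case <-ctx.Done():
		return nil, ctx.Err()
	}
}
```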