Commit Graph

34 Commits

Author SHA1 Message Date
Cory Bennett
5909d1642e simplify done channel handling, fix other pr comments.
Signed-off-by: Cory Bennett <cbennett@netflix.com>
2020-07-11 01:14:37 +00:00
Cory Bennett
5e91dff4ed fix error handling for exec when container fails to start
update run/exec tests for stdin and expected failures
move common tests for runc and container to shared tests package

Signed-off-by: Cory Bennett <cbennett@netflix.com>
2020-07-10 22:06:42 +00:00
Cory Bennett
6d58121c11 Update Executor interface for Run and Exec
Signed-off-by: Cory Bennett <cbennett@netflix.com>
2020-07-09 23:40:36 +00:00
Paul "TBBle" Hampson
b9cf317850 Distinguish containerd failure from process exit code
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-01-30 00:39:11 +11:00
Tonis Tiigi
a0dead0809 fix possible double release on mountable
Refactor the interface to avoid such issues in the future.

BuildKit's own mounts are stateless and not affected but
a different mountable implementation could get confused.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2019-08-16 08:03:16 -07:00
Tonis Tiigi
2cd19dbc34 executor: ignore workdir if already exists
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2019-07-26 16:28:43 -07:00
Tibor Vass
8e692507ee executor: allow setting DNSConfig to be used by resolvconf
This patch allows downstream code to pass a DNSConfig that is
then used by executor/oci.GetResolvConf.

This would allow the BuildKit-based builder in Docker to honor
the docker daemon's DNS configuration, thus fixing a feature gap
with the legacy builder.

Signed-off-by: Tibor Vass <tibor@docker.com>
2019-06-17 20:43:33 +00:00
Tonis Tiigi
7b41906d89 executor: create hosts and resolv.conf with userns root
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2019-06-10 16:35:03 -07:00
Tonis Tiigi
858b4c7076 executor: make sure cwd created with correct user
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2019-05-11 22:11:26 -07:00
Tonis Tiigi
9f53ea3d78 userns support for sources and executor
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2019-04-02 18:26:04 -07:00
Kunal Kushwaha
a2bbb5ff39 security entitlement support
Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
2019-03-27 13:57:03 +09:00
Akihiro Suda
c54f4a986d support --oci-worker-no-process-sandbox
Note that this mode allows build executor containers to kill (and potentially ptrace) an arbitrary process in the BuildKit host namespace.
This mode should be enabled only when the BuildKit is running in a container as an unprivileged user.

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-01-08 10:42:52 +09:00
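The commit message above names the one condition under which this flag is tolerable. What follows is an added example, not BuildKit's own code, of a preflight check a deployer could run before passing --oci-worker-no-process-sandbox: it refuses when the daemon is real root (euid 0 in the initial user namespace, where /proc/self/uid_map is the single line "0 0 4294967295") and accepts rootless mode, where uid 0 inside the namespace maps to an unprivileged host uid. The function names and the "real root" heuristic are this example's assumptions.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// uidMapIsIdentity reports whether a /proc/<pid>/uid_map body describes the
// initial user namespace: exactly one line mapping 0 -> 0 for the full 2^32
// range. Any other mapping means the process lives in a user namespace and
// its "root" is an unprivileged uid on the host.
func uidMapIsIdentity(uidMap string) bool {
	lines := strings.Split(strings.TrimSpace(uidMap), "\n")
	if len(lines) != 1 {
		return false
	}
	f := strings.Fields(lines[0])
	if len(f) != 3 {
		return false
	}
	var v [3]uint64
	for i, s := range f {
		n, err := strconv.ParseUint(s, 10, 64)
		if err != nil {
			return false
		}
		v[i] = n
	}
	return v[0] == 0 && v[1] == 0 && v[2] == 4294967295
}

// NoProcessSandboxAllowed applies the rule from the commit message: sharing
// the host PID namespace with build containers is acceptable only when the
// daemon is not real root. "Real root" is taken (assumption) as euid 0 in the
// initial user namespace; euid 0 inside a user namespace (rootless mode) or a
// non-zero euid is accepted. The reason string is for the operator and is
// empty when the mode is allowed.
func NoProcessSandboxAllowed(euid int, uidMap string) (bool, string) {
	if euid == 0 && uidMapIsIdentity(uidMap) {
		return false, "daemon runs as real root in the initial user namespace; " +
			"build containers could kill or ptrace any host process"
	}
	return true, ""
}

// LiveCheck evaluates the running process (Linux only: it reads /proc).
func LiveCheck() (bool, string, error) {
	m, err := os.ReadFile("/proc/self/uid_map")
	if err != nil {
		return false, "", err
	}
	ok, reason := NoProcessSandboxAllowed(os.Geteuid(), string(m))
	return ok, reason, nil
}

func main() {
	ok, reason, err := LiveCheck()
	switch {
	case err != nil:
		fmt.Println("cannot evaluate:", err)
	case ok:
		fmt.Println("--oci-worker-no-process-sandbox: acceptable in this environment")
	default:
		fmt.Println("refuse --oci-worker-no-process-sandbox:", reason)
	}
}
```

Run it on the host that will start buildkitd; a container started without user namespace remapping still shows the identity uid_map, so the check correctly refuses there too.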
Tonis Tiigi
76692bbe5f executor: clean up static config files
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-10-03 13:59:33 -07:00
Tonis Tiigi
f99352fee1 solver: make sure to return proper canceled errors
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-09-26 17:38:16 -07:00
Tonis Tiigi
0940cdc6fe update golint comments
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-09-18 22:06:47 -07:00
Michael Crosby
8eed5bfd15 Provide nil stdin to containerd when not required
This allows builds that inspect stdin to not block and hang forever.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2018-09-11 14:22:22 -07:00
Anda Xu
b0677e7ef1 allow customized cgroup-parent for runcexecutor
Signed-off-by: Anda Xu <anda.xu@docker.com>
2018-09-05 12:53:57 -07:00
Tibor Vass
2f0c048493 network: move handling of NetMode_UNSET to Default()
This allows other workers to implement their own behavior for NetMode_UNSET

Signed-off-by: Tibor Vass <tibor@docker.com>
2018-08-23 00:06:06 +00:00
Michael Crosby
b97bc71adb Refactor networking with ns paths
This fixes the issue where buildkit and callers had to be a
subreaper in order to use networking.  I can add a CNI provider later,
with a hidden sub command to create a new network namespace and bind
mount it to buildkit's state dir.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2018-08-21 13:37:47 -04:00
Tonis Tiigi
130f5f5ab0 solver: net host with basic entitlements support
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-08-09 14:03:35 -07:00
Tonis Tiigi
f8dd602282 runc: improve canceling
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-08-07 11:51:56 -07:00
Kunal Kushwaha
765f1b64b9 executor: allow network providers
Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-08-07 11:51:56 -07:00
Tonis Tiigi
96f24ca7bb executor: improve hosts cleanup
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-08-03 14:01:54 -07:00
Tonis Tiigi
4945fe758c llbsolver: add support for extra host records
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-08-03 13:56:13 -07:00
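Both this commit (extra host records) and the DNSConfig commit earlier on this page concern files the executor writes into every build container. Below is an added example, not BuildKit's own implementation, of rendering /etc/hosts and resolv.conf from such inputs with validation: the formats are line-oriented, so a host name or resolver option containing whitespace, a newline or '#' could smuggle in an extra record or comment out a real one, and each token is checked before it is written; IPs are normalised through net.ParseIP. The type and function names (HostRecord, DNSConfig, RenderHosts, RenderResolvConf) are assumed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// HostRecord is one extra /etc/hosts entry, e.g. from an --add-host option.
type HostRecord struct {
	Host string
	IP   string
}

// DNSConfig carries the resolver settings a daemon wants honoured in builds.
// Field names are assumed for this example.
type DNSConfig struct {
	Nameservers   []string
	SearchDomains []string
	Options       []string
}

// validHostname accepts the characters that may appear in a host or search
// domain; anything else (whitespace, newline, '#') could start a new line or
// comment in the rendered file and is rejected.
func validHostname(h string) bool {
	if h == "" || len(h) > 253 {
		return false
	}
	for _, r := range h {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		case r == '.', r == '-', r == '_':
		default:
			return false
		}
	}
	return true
}

// validOption accepts resolver options such as "ndots:2" but rejects any
// control character, space or '#'.
func validOption(o string) bool {
	if o == "" {
		return false
	}
	for _, r := range o {
		if r <= ' ' || r == 0x7f || r == '#' {
			return false
		}
	}
	return true
}

// RenderHosts writes the loopback entries followed by the extra records.
// IPs are re-serialised via net.ParseIP so only canonical addresses land in
// the file.
func RenderHosts(records []HostRecord) (string, error) {
	var b strings.Builder
	b.WriteString("127.0.0.1\tlocalhost\n::1\tlocalhost ip6-localhost ip6-loopback\n")
	for _, r := range records {
		ip := net.ParseIP(r.IP)
		if ip == nil {
			return "", fmt.Errorf("invalid IP %q for host %q", r.IP, r.Host)
		}
		if !validHostname(r.Host) {
			return "", fmt.Errorf("invalid host name %q", r.Host)
		}
		fmt.Fprintf(&b, "%s\t%s\n", ip, r.Host)
	}
	return b.String(), nil
}

// RenderResolvConf writes nameserver, search and options lines in that order.
func RenderResolvConf(c DNSConfig) (string, error) {
	if len(c.Nameservers) == 0 {
		return "", errors.New("at least one nameserver is required")
	}
	var b strings.Builder
	for _, ns := range c.Nameservers {
		ip := net.ParseIP(ns)
		if ip == nil {
			return "", fmt.Errorf("invalid nameserver %q", ns)
		}
		fmt.Fprintf(&b, "nameserver %s\n", ip)
	}
	if len(c.SearchDomains) > 0 {
		for _, d := range c.SearchDomains {
			if !validHostname(d) {
				return "", fmt.Errorf("invalid search domain %q", d)
			}
		}
		fmt.Fprintf(&b, "search %s\n", strings.Join(c.SearchDomains, " "))
	}
	if len(c.Options) > 0 {
		for _, o := range c.Options {
			if !validOption(o) {
				return "", fmt.Errorf("invalid resolver option %q", o)
			}
		}
		fmt.Fprintf(&b, "options %s\n", strings.Join(c.Options, " "))
	}
	return b.String(), nil
}

func main() {
	// Constructed sample inputs.
	hosts, err := RenderHosts([]HostRecord{{Host: "registry.internal", IP: "10.0.0.5"}})
	if err != nil {
		panic(err)
	}
	fmt.Print(hosts)
	rc, err := RenderResolvConf(DNSConfig{Nameservers: []string{"10.0.0.2"},
		SearchDomains: []string{"corp.example"}, Options: []string{"ndots:2"}})
	if err != nil {
		panic(err)
	}
	fmt.Print(rc)
}
```

The loopback preamble and the rejection rules are deliberately strict; if an environment needs underscores or IDN names elsewhere, widen validHostname rather than dropping the check, since the newline case is the one that matters.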
Anda Xu
7f64188f17 add missing supplementary group IDs
Signed-off-by: Anda Xu <anda.xu@docker.com>
2018-06-29 18:50:03 -07:00
Tonis Tiigi
3b874e95f1 executor: runtime check if seccomp is supported
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-05-24 16:34:35 -07:00
Tonis Tiigi
566e28c174 snapshot: update mounts to mountable interface
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-04-27 17:58:24 -07:00
Ian Campbell
ddae5a6ea4 Make llb.ReadonlyRootFS usable with common container images
e.g. with busybox image:

    OCI runtime create failed: container_linux.go:348:
    starting container process caused "process_linux.go:402:
    container init caused \"rootfs_linux.go:58:
    mounting \\\"proc\\\" to rootfs \\\"/.../rootfs\\\" at \\\"/proc\\\"
    caused \\\"mkdir /.../rootfs/proc: read-only file system\\\"\"": unknown

This is because we were setting the underlying snapshot readonly so the various
mountpoints (here /proc) cannot be created. This would not be necessary if
those mountpoints were present in images but they typically are not.

The right way to get around this (used e.g. by `ctr`) is to use a writeable
snapshot but to set root readonly in the OCI spec. In this configuration the
rootfs is writeable when mounts are processed but is then made readonly by the
runtime (runc) just before entering the user specified binary within the
container.

This involved a surprising amount of plumbing.

Use this new found ability in the dockerfile converter's `dispatchCopy`
function.

Signed-off-by: Ian Campbell <ijc@docker.com>
2018-04-03 11:04:07 +01:00
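An added example, not the project's code, of the arrangement this commit describes expressed as an OCI runtime-spec config.json: the rootfs directory on disk stays writeable so the runtime can create the /proc, /dev and /sys mountpoints, while root.readonly asks the runtime to remount / read-only before it execs the user's binary. Validate catches both ways of getting this wrong: a spec that never asks for a read-only root, and a rootfs that is already read-only when the runtime needs to mkdir inside it. The struct subset, the ociVersion value and the mount list are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// Subset of the OCI runtime-spec config.json; JSON keys follow the spec.
type Root struct {
	Path     string `json:"path"`
	Readonly bool   `json:"readonly,omitempty"`
}

type Mount struct {
	Destination string   `json:"destination"`
	Type        string   `json:"type,omitempty"`
	Source      string   `json:"source,omitempty"`
	Options     []string `json:"options,omitempty"`
}

type Spec struct {
	OCIVersion string  `json:"ociVersion"`
	Root       Root    `json:"root"`
	Mounts     []Mount `json:"mounts,omitempty"`
}

// ReadonlyRootSpec builds the arrangement from the commit message: the rootfs
// path is a writeable snapshot, and the spec asks the runtime to make "/"
// read-only after the mounts below have been set up.
func ReadonlyRootSpec(rootfs string) Spec {
	return Spec{
		OCIVersion: "1.0.2", // assumed; use the version your runtime expects
		Root:       Root{Path: rootfs, Readonly: true},
		Mounts: []Mount{
			{Destination: "/proc", Type: "proc", Source: "proc"},
			{Destination: "/dev", Type: "tmpfs", Source: "tmpfs",
				Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"}},
			{Destination: "/sys", Type: "sysfs", Source: "sysfs",
				Options: []string{"nosuid", "noexec", "nodev", "ro"}},
		},
	}
}

// RootfsWritable probes whether mountpoints could be created under rootfs by
// creating and removing a temporary file there. A read-only snapshot fails
// here with the same EROFS the commit message shows from runc.
func RootfsWritable(rootfs string) bool {
	f, err := os.CreateTemp(rootfs, ".probe-*")
	if err != nil {
		return false
	}
	name := f.Name()
	f.Close()
	os.Remove(name)
	return true
}

// Validate rejects a spec that forgets the read-only root, and a rootfs that
// is not writeable at the moment the runtime has to create mountpoints.
func Validate(spec Spec) error {
	if !spec.Root.Readonly {
		return errors.New("root.readonly is false: the container would see a writeable rootfs")
	}
	if !RootfsWritable(spec.Root.Path) {
		return fmt.Errorf("rootfs %q is not writeable; the runtime cannot create mountpoints in it", spec.Root.Path)
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "rootfs-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	spec := ReadonlyRootSpec(dir)
	if err := Validate(spec); err != nil {
		panic(err)
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	enc.Encode(spec)
}
```

The probe is a cheap stand-in for what the runtime will do a moment later; running it before handing the bundle to runc turns the opaque "mkdir ... read-only file system" failure into a direct error at the point where the snapshot was prepared.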
Tonis Tiigi
6e40e83d35 Remove net/context dependencies
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-01-17 09:11:22 -08:00
Tonis Tiigi
b8dc00de71 vendor: update containerd to 1.0.1-rc0
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-01-11 17:49:09 -08:00
Akihiro Suda
571e14e003 Merge pull request #203 from tonistiigi/user
Add support for setting user
2017-12-13 13:06:07 +09:00
Tonis Tiigi
4c1ffbcc45 containerd: fix cancellation issue
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2017-12-12 19:15:29 -08:00
Tonis Tiigi
7a5390f355 worker: add support for custom user
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2017-12-12 10:26:30 -08:00
Akihiro Suda
c3aa849014 multi-worker daemon
- [X] put multiple workers in a single binary ("-tags containerd standalone")
- [X] add worker selector to LLB vertex metadata
- [X] s/worker/executor/g
- [X] introduce the new "worker" concept https://github.com/moby/buildkit/pull/176#discussion_r153693928
- [X] fix up CLI
- [X] fix up tests
- allow using multiple workers (requires inter-vertex cache copier, HUGE!) --> will be separate PR

Implementation notes:
- "Workers" are renamed to "executors" now
- The new "worker" instance holds an "executor" instance and its
related stuff such as the snapshotter
- The default worker is "runc-overlay"

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2017-12-12 15:17:58 +09:00