From 3b31a33d59cdd5ea397e3d11d26941690bdc4a67 Mon Sep 17 00:00:00 2001 From: Tonis Tiigi Date: Mon, 17 Feb 2025 20:59:48 -0800 Subject: [PATCH 1/5] progress: fix race on pausing progress on debug shell Current progress writer has a logic of pausing/unpausing the printer and internally recreating internal channels. This conflicts with a change that added sync.Once to Wait to allow it being called multiple times without erroring. In debug shell this could mean that new progress printer showed up in debug shell because it was not closed. Signed-off-by: Tonis Tiigi --- util/progress/printer.go | 1 + 1 file changed, 1 insertion(+) diff --git a/util/progress/printer.go b/util/progress/printer.go index 95fb680d..bb3f347d 100644 --- a/util/progress/printer.go +++ b/util/progress/printer.go @@ -122,6 +122,7 @@ func NewPrinter(ctx context.Context, out console.File, mode progressui.DisplayMo for { pw.status = make(chan *client.SolveStatus) pw.done = make(chan struct{}) + pw.closeOnce = sync.Once{} pw.logMu.Lock() pw.logSourceMap = map[digest.Digest]interface{}{} From 9430ed675281bc7ac5a280065b703129a23b33a3 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Mon, 17 Feb 2025 18:13:12 +0100 Subject: [PATCH 2/5] cache: enable gha cache backend if cache service v2 detected Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- util/buildflags/cache.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/buildflags/cache.go b/util/buildflags/cache.go index abaa8acf..f0c2a164 100644 --- a/util/buildflags/cache.go +++ b/util/buildflags/cache.go @@ -266,5 +266,5 @@ func isActive(pb *controllerapi.CacheOptionsEntry) bool { if pb.Type != "gha" { return true } - return pb.Attrs["token"] != "" && pb.Attrs["url"] != "" + return pb.Attrs["token"] != "" && (pb.Attrs["url"] != "" || pb.Attrs["url_v2"] != "") } From c09d38af8a14aabdca9a164ae8419080c320527c Mon Sep 17 00:00:00 2001 
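Review bot: `pw.closeOnce = sync.Once{}` reinitialises the `Once` in place, which is only a valid reset if no goroutine can be inside `Wait()` (and hence inside `closeOnce.Do`) at that instant; the reassignment itself is a plain write that races with any concurrent `Do`. Nothing in the hunk says what guarantees that (presumably the pause/unpause protocol the commit message describes), so the invariant should be stated at the assignment: `// reset for the next pause cycle; safe only because Wait cannot be in flight while the printer is (re)starting`. The enclosing `for` loop and `NewPrinter` continue outside the hunk.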
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Mon, 17 Feb 2025 18:59:38 +0100
Subject: [PATCH 3/5] cache: fix gha cache url handling
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 util/buildflags/cache.go | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/util/buildflags/cache.go b/util/buildflags/cache.go
index f0c2a164..e9256900 100644
--- a/util/buildflags/cache.go
+++ b/util/buildflags/cache.go
@@ -207,6 +207,7 @@ func addGithubToken(ci *controllerapi.CacheOptionsEntry) {
 }
 version, ok := ci.Attrs["version"]
 if !ok {
+ // https://github.com/actions/toolkit/blob/2b08dc18f261b9fdd978b70279b85cbef81af8bc/packages/cache/src/internal/config.ts#L19
 if v, ok := os.LookupEnv("ACTIONS_CACHE_SERVICE_V2"); ok {
 if b, err := strconv.ParseBool(v); err == nil && b {
 version = "2"
@@ -218,15 +219,18 @@ func addGithubToken(ci *controllerapi.CacheOptionsEntry) {
 ci.Attrs["token"] = v
 }
 }
+ if _, ok := ci.Attrs["url_v2"]; !ok && version == "2" {
+ // https://github.com/actions/toolkit/blob/2b08dc18f261b9fdd978b70279b85cbef81af8bc/packages/cache/src/internal/config.ts#L34-L35
+ if v, ok := os.LookupEnv("ACTIONS_RESULTS_URL"); ok {
+ ci.Attrs["url_v2"] = v
+ }
+ }
 if _, ok := ci.Attrs["url"]; !ok {
- if version == "2" {
- if v, ok := os.LookupEnv("ACTIONS_RESULTS_URL"); ok {
- ci.Attrs["url_v2"] = v
- }
- } else {
- if v, ok := os.LookupEnv("ACTIONS_CACHE_URL"); ok {
- ci.Attrs["url"] = v
- }
+ // https://github.com/actions/toolkit/blob/2b08dc18f261b9fdd978b70279b85cbef81af8bc/packages/cache/src/internal/config.ts#L28-L33
+ if v, ok := os.LookupEnv("ACTIONS_CACHE_URL"); ok {
+ ci.Attrs["url"] = v
+ } else if v, ok := os.LookupEnv("ACTIONS_RESULTS_URL"); ok {
+ ci.Attrs["url"] = v
 }
 }
 }
From 20256b69995424cf9be1037c48229796233fe238 Mon Sep 17 00:00:00 2001
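Review bot: With the rewritten fallback in the second hunk, `url` is now populated from `ACTIONS_RESULTS_URL` whenever `ACTIONS_CACHE_URL` is absent, independent of `version`, while `url_v2` is only filled when `version == "2"`; a `version=2` entry on a runner that lacks `ACTIONS_RESULTS_URL` therefore ends up with a v1 `url` and no `url_v2`, and `isActive` (changed in the previous patch to accept either attribute) still treats it as active. I can't see from here how the gha backend resolves that combination, but the user gets no signal that the v2 endpoint is missing. A comment at the `url_v2` block would at least make the behaviour explicit, e.g. `// v2 requires ACTIONS_RESULTS_URL; if it is unset the entry falls back to the v1 url resolved below`. `addGithubToken` starts before the hunk.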
From: =?UTF-8?q?T=C3=B5nis=20Tiigi?= Date: Fri, 14 Feb 2025 11:31:51 +0100 Subject: [PATCH 4/5] support for device entitlement in build and bake Allow access to CDI Devices in Buildkit v0.20.0+ for devices that are not automatically allowed to be used by everyone in BuildKit configuration. Signed-off-by: Tonis Tiigi Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- bake/bake.go | 5 +- bake/bake_test.go | 8 +- bake/entitlements.go | 62 +++++++++- bake/entitlements_test.go | 20 ++-- build/build.go | 3 +- build/opt.go | 2 +- commands/build.go | 2 +- docs/reference/buildx_build.md | 2 +- docs/reference/buildx_debug_build.md | 2 +- go.mod | 2 + go.sum | 4 +- util/buildflags/entitlements.go | 17 ++- .../github.com/moby/buildkit/client/solve.go | 14 +-- .../buildkit/cmd/buildkitd/config/config.go | 5 +- .../util/entitlements/entitlements.go | 109 ++++++++++++++++-- vendor/modules.txt | 3 +- 16 files changed, 205 insertions(+), 55 deletions(-) diff --git a/bake/bake.go b/bake/bake.go index 41e1ec5c..cde0e3cd 100644 --- a/bake/bake.go +++ b/bake/bake.go @@ -27,7 +27,6 @@ import ( "github.com/moby/buildkit/client" "github.com/moby/buildkit/client/llb" "github.com/moby/buildkit/session/auth/authprovider" - "github.com/moby/buildkit/util/entitlements" "github.com/pkg/errors" "github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty/convert" @@ -1434,9 +1433,7 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) { } bo.Ulimits = ulimits - for _, ent := range t.Entitlements { - bo.Allow = append(bo.Allow, entitlements.Entitlement(ent)) - } + bo.Allow = append(bo.Allow, t.Entitlements...) return bo, nil } diff --git a/bake/bake_test.go b/bake/bake_test.go index f1f0a9f2..afd5c99e 100644 --- a/bake/bake_test.go +++ b/bake/bake_test.go 
@@ -1806,8 +1806,8 @@ func TestHCLEntitlements(t *testing.T) { require.Equal(t, "network.host", m["app"].Entitlements[1]) require.Len(t, bo["app"].Allow, 2) - require.Equal(t, entitlements.EntitlementSecurityInsecure, bo["app"].Allow[0]) - require.Equal(t, entitlements.EntitlementNetworkHost, bo["app"].Allow[1]) + require.Equal(t, entitlements.EntitlementSecurityInsecure.String(), bo["app"].Allow[0]) + require.Equal(t, entitlements.EntitlementNetworkHost.String(), bo["app"].Allow[1]) } func TestEntitlementsForNetHostCompose(t *testing.T) { @@ -1846,7 +1846,7 @@ func TestEntitlementsForNetHostCompose(t *testing.T) { require.Equal(t, "host", *m["app"].NetworkMode) require.Len(t, bo["app"].Allow, 1) - require.Equal(t, entitlements.EntitlementNetworkHost, bo["app"].Allow[0]) + require.Equal(t, entitlements.EntitlementNetworkHost.String(), bo["app"].Allow[0]) require.Equal(t, "host", bo["app"].NetworkMode) } @@ -1877,7 +1877,7 @@ func TestEntitlementsForNetHost(t *testing.T) { require.Equal(t, "host", *m["app"].NetworkMode) require.Len(t, bo["app"].Allow, 1) - require.Equal(t, entitlements.EntitlementNetworkHost, bo["app"].Allow[0]) + require.Equal(t, entitlements.EntitlementNetworkHost.String(), bo["app"].Allow[0]) require.Equal(t, "host", bo["app"].NetworkMode) } diff --git a/bake/entitlements.go b/bake/entitlements.go index 4a1d0b03..389d0dd9 100644 --- a/bake/entitlements.go +++ b/bake/entitlements.go @@ -20,6 +20,7 @@ import ( "github.com/moby/buildkit/util/entitlements" "github.com/pkg/errors" "github.com/sirupsen/logrus" + "github.com/tonistiigi/go-csvvalue" ) type EntitlementKey string @@ -27,6 +28,7 @@ type EntitlementKey string const ( EntitlementKeyNetworkHost EntitlementKey = "network.host" EntitlementKeySecurityInsecure EntitlementKey = "security.insecure" + EntitlementKeyDevice EntitlementKey = "device" EntitlementKeyFSRead EntitlementKey = "fs.read" EntitlementKeyFSWrite EntitlementKey = "fs.write" EntitlementKeyFS EntitlementKey = "fs" 
@@ -39,6 +41,7 @@ const ( type EntitlementConf struct { NetworkHost bool SecurityInsecure bool + Devices *EntitlementsDevicesConf FSRead []string FSWrite []string ImagePush []string @@ -46,6 +49,11 @@ type EntitlementConf struct { SSH bool } +type EntitlementsDevicesConf struct { + All bool + Devices map[string]struct{} +} + func ParseEntitlements(in []string) (EntitlementConf, error) { var conf EntitlementConf for _, e := range in { @@ -59,6 +67,22 @@ func ParseEntitlements(in []string) (EntitlementConf, error) { default: k, v, _ := strings.Cut(e, "=") switch k { + case string(EntitlementKeyDevice): + if v == "" { + conf.Devices = &EntitlementsDevicesConf{All: true} + continue + } + fields, err := csvvalue.Fields(v, nil) + if err != nil { + return EntitlementConf{}, errors.Wrapf(err, "failed to parse device entitlement %q", v) + } + if conf.Devices == nil { + conf.Devices = &EntitlementsDevicesConf{} + } + if conf.Devices.Devices == nil { + conf.Devices.Devices = make(map[string]struct{}, 0) + } + conf.Devices.Devices[fields[0]] = struct{}{} case string(EntitlementKeyFSRead): conf.FSRead = append(conf.FSRead, v) case string(EntitlementKeyFSWrite): 
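Review bot: In the new `device` case of `ParseEntitlements`, `conf.Devices.Devices[fields[0]] = struct{}{}` indexes the CSV result without checking it, so a value such as `device=,alias=x` registers an empty device name (and, if `csvvalue.Fields` can return an empty slice for a non-empty input — I can't tell from this hunk — it would panic). Reject that up front: `if len(fields) == 0 || fields[0] == "" { return EntitlementConf{}, errors.Errorf("invalid device entitlement %q", v) }`; the same indexing appears in `check` in this file and deserves the same guard. Note also that only the first field is kept, so an `alias=` field is parsed and then dropped; that is fine for matching but worth a comment such as `// only the device name is tracked here; alias and other CSV fields are left for buildkitd to interpret`.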
@@ -95,12 +119,34 @@ func (c EntitlementConf) Validate(m map[string]build.Options) (EntitlementConf, func (c EntitlementConf) check(bo build.Options, expected *EntitlementConf) error { for _, e := range bo.Allow { + k, rest, _ := strings.Cut(e, "=") + switch k { + case entitlements.EntitlementDevice.String(): + if rest == "" { + if c.Devices == nil || !c.Devices.All { + expected.Devices = &EntitlementsDevicesConf{All: true} + } + continue + } + fields, err := csvvalue.Fields(rest, nil) + if err != nil { + return errors.Wrapf(err, "failed to parse device entitlement %q", rest) + } + if expected.Devices == nil { + expected.Devices = &EntitlementsDevicesConf{} + } + if expected.Devices.Devices == nil { + expected.Devices.Devices = make(map[string]struct{}, 0) + } + expected.Devices.Devices[fields[0]] = struct{}{} + } + switch e { - case entitlements.EntitlementNetworkHost: + case entitlements.EntitlementNetworkHost.String(): if !c.NetworkHost { expected.NetworkHost = true } - case entitlements.EntitlementSecurityInsecure: + case entitlements.EntitlementSecurityInsecure.String(): if !c.SecurityInsecure { expected.SecurityInsecure = true } @@ -187,6 +233,18 @@ func (c EntitlementConf) Prompt(ctx context.Context, isRemote bool, out io.Write flags = append(flags, string(EntitlementKeySecurityInsecure)) } + if c.Devices != nil { + if c.Devices.All { + msgs = append(msgs, " - Access to CDI devices") + flags = append(flags, string(EntitlementKeyDevice)) + } else { + for d := range c.Devices.Devices { + msgs = append(msgs, fmt.Sprintf(" - Access to device %s", d)) + flags = append(flags, string(EntitlementKeyDevice)+"="+d) + } + } + } + if c.SSH { msgsFS = append(msgsFS, " - Forwarding default SSH agent socket") flagsFS = append(flagsFS, string(EntitlementKeySSH)) diff --git a/bake/entitlements_test.go b/bake/entitlements_test.go index df9c5f34..2bd2a5ba 100644 --- a/bake/entitlements_test.go +++ b/bake/entitlements_test.go 
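Review bot: In `check`, a named device entitlement (`device=<name>`) is always recorded into `expected.Devices.Devices[fields[0]]` without consulting `c.Devices`, whereas the bare `device` case right above it and the `network.host`/`security.insecure` cases only flag what the caller has not already granted. As written, a target that requests `device=foo` is reported as missing that entitlement even when the user passed `--allow device` or `--allow device=foo`, so the grant can never satisfy this path (I can't see how `Validate` consumes `expected` from this hunk, but that is what the parallel cases imply). The body of `check` continues past the end of the hunk. I'd mirror the other cases and skip devices that are already covered:
```go
fields, err := csvvalue.Fields(rest, nil)
if err != nil {
	return errors.Wrapf(err, "failed to parse device entitlement %q", rest)
}
// Mirror the other cases: only record what the caller has not already granted.
if c.Devices != nil {
	if _, granted := c.Devices.Devices[fields[0]]; granted || c.Devices.All {
		continue
	}
}
// … unchanged: allocate expected.Devices / expected.Devices.Devices and record fields[0] …
```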
@@ -208,8 +208,8 @@ func TestValidateEntitlements(t *testing.T) { { name: "NetworkHostMissing", opt: build.Options{ - Allow: []entitlements.Entitlement{ - entitlements.EntitlementNetworkHost, + Allow: []string{ + entitlements.EntitlementNetworkHost.String(), }, }, expected: EntitlementConf{ @@ -223,8 +223,8 @@ func TestValidateEntitlements(t *testing.T) { NetworkHost: true, }, opt: build.Options{ - Allow: []entitlements.Entitlement{ - entitlements.EntitlementNetworkHost, + Allow: []string{ + entitlements.EntitlementNetworkHost.String(), }, }, expected: EntitlementConf{ @@ -234,9 +234,9 @@ func TestValidateEntitlements(t *testing.T) { { name: "SecurityAndNetworkHostMissing", opt: build.Options{ - Allow: []entitlements.Entitlement{ - entitlements.EntitlementNetworkHost, - entitlements.EntitlementSecurityInsecure, + Allow: []string{ + entitlements.EntitlementNetworkHost.String(), + entitlements.EntitlementSecurityInsecure.String(), }, }, expected: EntitlementConf{ @@ -251,9 +251,9 @@ func TestValidateEntitlements(t *testing.T) { NetworkHost: true, }, opt: build.Options{ - Allow: []entitlements.Entitlement{ - entitlements.EntitlementNetworkHost, - entitlements.EntitlementSecurityInsecure, + Allow: []string{ + entitlements.EntitlementNetworkHost.String(), + entitlements.EntitlementSecurityInsecure.String(), }, }, expected: EntitlementConf{ diff --git a/build/build.go b/build/build.go index acec972d..56fbc4b4 100644 --- a/build/build.go +++ b/build/build.go @@ -40,7 +40,6 @@ import ( "github.com/moby/buildkit/solver/errdefs" "github.com/moby/buildkit/solver/pb" spb "github.com/moby/buildkit/sourcepolicy/pb" - "github.com/moby/buildkit/util/entitlements" "github.com/moby/buildkit/util/progress/progresswriter" "github.com/moby/buildkit/util/tracing" "github.com/opencontainers/go-digest" 
@@ -63,7 +62,7 @@ type Options struct { Inputs Inputs Ref string - Allow []entitlements.Entitlement + Allow []string Attests map[string]*string BuildArgs map[string]string CacheFrom []client.CacheOptionsEntry diff --git a/build/opt.go b/build/opt.go index 931c586c..af4986e0 100644 --- a/build/opt.go +++ b/build/opt.go @@ -318,7 +318,7 @@ func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt *O switch opt.NetworkMode { case "host": so.FrontendAttrs["force-network-mode"] = opt.NetworkMode - so.AllowedEntitlements = append(so.AllowedEntitlements, entitlements.EntitlementNetworkHost) + so.AllowedEntitlements = append(so.AllowedEntitlements, entitlements.EntitlementNetworkHost.String()) case "none": so.FrontendAttrs["force-network-mode"] = opt.NetworkMode case "", "default": diff --git a/commands/build.go b/commands/build.go index ce89d11d..9ee09333 100644 --- a/commands/build.go +++ b/commands/build.go @@ -593,7 +593,7 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D flags.StringSliceVar(&options.extraHosts, "add-host", []string{}, `Add a custom host-to-IP mapping (format: "host:ip")`) - flags.StringSliceVar(&options.allow, "allow", []string{}, `Allow extra privileged entitlement (e.g., "network.host", "security.insecure")`) + flags.StringArrayVar(&options.allow, "allow", []string{}, `Allow extra privileged entitlement (e.g., "network.host", "security.insecure")`) flags.StringArrayVarP(&options.annotations, "annotation", "", []string{}, "Add annotation to the image") diff --git a/docs/reference/buildx_build.md b/docs/reference/buildx_build.md index 215eff9a..3765dddc 100644 --- a/docs/reference/buildx_build.md +++ b/docs/reference/buildx_build.md 
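Review bot: Switching `--allow` from `StringSliceVar` to `StringArrayVar` is needed so that `device=<name>,alias=<x>` is not split on the comma, but it also silently changes the accepted syntax: `--allow network.host,security.insecure`, which the slice flag used to split into two entitlements, now reaches `ParseEntitlements` as a single string and is rejected as an unknown entitlement. Neither the help text nor the docs tables updated in this patch say so, and the help text still does not list the new value; I'd change it to `Allow extra privileged entitlement (e.g., "network.host", "security.insecure", "device"; repeat the flag for several)`. If the comma form must keep working, the parser would have to split values that contain no `=` on commas before validating them.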
@@ -16,7 +16,7 @@ Start a build | Name | Type | Default | Description | |:----------------------------------------|:--------------|:----------|:-------------------------------------------------------------------------------------------------------------| | [`--add-host`](#add-host) | `stringSlice` | | Add a custom host-to-IP mapping (format: `host:ip`) | -| [`--allow`](#allow) | `stringSlice` | | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`) | +| [`--allow`](#allow) | `stringArray` | | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`) | | [`--annotation`](#annotation) | `stringArray` | | Add annotation to the image | | [`--attest`](#attest) | `stringArray` | | Attestation parameters (format: `type=sbom,generator=image`) | | [`--build-arg`](#build-arg) | `stringArray` | | Set build-time variables | diff --git a/docs/reference/buildx_debug_build.md b/docs/reference/buildx_debug_build.md index 66340169..609ca150 100644 --- a/docs/reference/buildx_debug_build.md +++ b/docs/reference/buildx_debug_build.md @@ -12,7 +12,7 @@ Start a build | Name | Type | Default | Description | |:--------------------|:--------------|:----------|:-------------------------------------------------------------------------------------------------------------| | `--add-host` | `stringSlice` | | Add a custom host-to-IP mapping (format: `host:ip`) | -| `--allow` | `stringSlice` | | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`) | +| `--allow` | `stringArray` | | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`) | | `--annotation` | `stringArray` | | Add annotation to the image | | `--attest` | `stringArray` | | Attestation parameters (format: `type=sbom,generator=image`) | | `--build-arg` | `stringArray` | | Set build-time variables | diff --git a/go.mod b/go.mod index 69e3ffba..3b00a9b0 100644 --- a/go.mod +++ b/go.mod 
@@ -194,3 +194,5 @@ exclude ( github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 ) + +replace github.com/moby/buildkit => github.com/tonistiigi/buildkit v0.10.0-rc2.0.20250214043642-c9e788c50beb diff --git a/go.sum b/go.sum index c8fabf8f..2935b1e5 100644 --- a/go.sum +++ b/go.sum @@ -297,8 +297,6 @@ github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/z github.com/mitchellh/mapstructure v0.0.0-20150613213606-2caf8efc9366/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/moby/buildkit v0.20.0-rc2 h1:QjACghvG0pSAp7dk9aQMYWioDEOljDWyyoUjyg35qfg= -github.com/moby/buildkit v0.20.0-rc2/go.mod h1:kMXf90l/f3zygRK8bYbyetfyzoJYntb6Bpi2VsLfXgQ= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= 
@@ -441,6 +439,8 @@ github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtse
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/theupdateframework/notary v0.7.0 h1:QyagRZ7wlSpjT5N2qQAh/pN+DVqgekv4DzbAiAiEL3c=
 github.com/theupdateframework/notary v0.7.0/go.mod h1:c9DRxcmhHmVLDay4/2fUYdISnHqbFDGRSlXPO0AhYWw=
+github.com/tonistiigi/buildkit v0.10.0-rc2.0.20250214043642-c9e788c50beb h1:uk0jspTfKpsaTGWqWO/MHWGQy4atLlOeJ6zjL7V1OeI=
+github.com/tonistiigi/buildkit v0.10.0-rc2.0.20250214043642-c9e788c50beb/go.mod h1:kMXf90l/f3zygRK8bYbyetfyzoJYntb6Bpi2VsLfXgQ=
 github.com/tonistiigi/dchapes-mode v0.0.0-20241001053921-ca0759fec205 h1:eUk79E1w8yMtXeHSzjKorxuC8qJOnyXQnLaJehxpJaI=
 github.com/tonistiigi/dchapes-mode v0.0.0-20241001053921-ca0759fec205/go.mod h1:3Iuxbr0P7D3zUzBMAZB+ois3h/et0shEz0qApgHYGpY=
 github.com/tonistiigi/fsutil v0.0.0-20250113203817-b14e27f4135a h1:EfGw4G0x/8qXWgtcZ6KVaPS+wpWOQMaypczzP8ojkMY=
diff --git a/util/buildflags/entitlements.go b/util/buildflags/entitlements.go
index 970739bc..0f655295 100644
--- a/util/buildflags/entitlements.go
+++ b/util/buildflags/entitlements.go
@@ -1,19 +1,24 @@
 package buildflags
-import "github.com/moby/buildkit/util/entitlements"
+import (
+ "log"
-func ParseEntitlements(in []string) ([]entitlements.Entitlement, error) {
- out := make([]entitlements.Entitlement, 0, len(in))
+ "github.com/moby/buildkit/util/entitlements"
+)
+
+func ParseEntitlements(in []string) ([]string, error) {
+ out := make([]string, 0, len(in))
+ log.Printf("in: %#v", in)
 for _, v := range in {
 if v == "" {
 continue
 }
- e, err := entitlements.Parse(v)
- if err != nil {
+ if _, _, err := entitlements.Parse(v); err != nil {
 return nil, err
 }
- out = append(out, e)
+ out = append(out, v)
 }
+ log.Printf("Parsed entitlements: %v", out)
 return out, nil
 }
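Review bot: The two `log.Printf` calls added to `ParseEntitlements` (`log.Printf("in: %#v", in)` and `log.Printf("Parsed entitlements: %v", out)`) look like leftover debugging: they write every `--allow` value to the default logger on each invocation, which for a CLI means unsolicited stderr output and, with the new `device=` entitlement, echoes host device names into any captured build logs. Drop both lines together with the now-unused `"log"` import. Separately, the function now only validates each value via `entitlements.Parse` and forwards the raw string rather than the parsed form; a short comment such as `// values are validated here but passed through verbatim; buildkitd re-parses them` would make that intent explicit.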
diff --git a/vendor/github.com/moby/buildkit/client/solve.go b/vendor/github.com/moby/buildkit/client/solve.go index efdf9fa9..57ee82d0 100644 --- a/vendor/github.com/moby/buildkit/client/solve.go +++ b/vendor/github.com/moby/buildkit/client/solve.go @@ -7,6 +7,7 @@ import ( "io" "maps" "os" + "slices" "strings" "time" @@ -24,7 +25,6 @@ import ( "github.com/moby/buildkit/solver/pb" spb "github.com/moby/buildkit/sourcepolicy/pb" "github.com/moby/buildkit/util/bklog" - "github.com/moby/buildkit/util/entitlements" ocispecs "github.com/opencontainers/image-spec/specs-go/v1" "github.com/pkg/errors" "github.com/tonistiigi/fsutil" @@ -45,7 +45,7 @@ type SolveOpt struct { CacheExports []CacheOptionsEntry CacheImports []CacheOptionsEntry Session []session.Attachable - AllowedEntitlements []entitlements.Entitlement + AllowedEntitlements []string SharedSession *session.Session // TODO: refactor to better session syncing SessionPreInitialized bool // TODO: refactor to better session syncing Internal bool @@ -277,7 +277,7 @@ func (c *Client) solve(ctx context.Context, def *llb.Definition, runGateway runG FrontendAttrs: frontendAttrs, FrontendInputs: frontendInputs, Cache: &cacheOpt.options, - Entitlements: entitlementsToPB(opt.AllowedEntitlements), + Entitlements: slices.Clone(opt.AllowedEntitlements), Internal: opt.Internal, SourcePolicy: opt.SourcePolicy, }) @@ -553,11 +553,3 @@ func prepareMounts(opt *SolveOpt) (map[string]fsutil.FS, error) { } return mounts, nil } - -func entitlementsToPB(entitlements []entitlements.Entitlement) []string { - clone := make([]string, len(entitlements)) - for i, e := range entitlements { - clone[i] = string(e) - } - return clone -} diff --git a/vendor/github.com/moby/buildkit/cmd/buildkitd/config/config.go b/vendor/github.com/moby/buildkit/cmd/buildkitd/config/config.go index 381effcd..3222406a 100644 --- a/vendor/github.com/moby/buildkit/cmd/buildkitd/config/config.go +++ b/vendor/github.com/moby/buildkit/cmd/buildkitd/config/config.go 
@@ -77,8 +77,9 @@ type OTELConfig struct { } type CDIConfig struct { - Disabled *bool `toml:"disabled"` - SpecDirs []string `toml:"specDirs"` + Disabled *bool `toml:"disabled"` + SpecDirs []string `toml:"specDirs"` + AutoAllowed []string `toml:"autoAllowed"` } type GCConfig struct { diff --git a/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go b/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go index 328580c3..106f492c 100644 --- a/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go +++ b/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go 
@@ -1,31 +1,119 @@ package entitlements import ( + "strings" + "github.com/pkg/errors" + "github.com/tonistiigi/go-csvvalue" ) type Entitlement string +func (e Entitlement) String() string { + return string(e) +} + const ( EntitlementSecurityInsecure Entitlement = "security.insecure" EntitlementNetworkHost Entitlement = "network.host" + EntitlementDevice Entitlement = "device" ) var all = map[Entitlement]struct{}{ EntitlementSecurityInsecure: {}, EntitlementNetworkHost: {}, + EntitlementDevice: {}, } -func Parse(s string) (Entitlement, error) { +type EntitlementsConfig interface { + Merge(EntitlementsConfig) error +} + +type DevicesConfig struct { + Devices map[string]string + All bool +} + +var _ EntitlementsConfig = &DevicesConfig{} + +func ParseDevicesConfig(s string) (*DevicesConfig, error) { + if s == "" { + return &DevicesConfig{All: true}, nil + } + + fields, err := csvvalue.Fields(s, nil) + if err != nil { + return nil, err + } + deviceName := fields[0] + var deviceAlias string + + for _, field := range fields[1:] { + k, v, ok := strings.Cut(field, "=") + if !ok { + return nil, errors.Errorf("invalid device config %q", field) + } + switch k { + case "alias": + deviceAlias = v + default: + return nil, errors.Errorf("unknown device config key %q", k) + } + } + + cfg := &DevicesConfig{Devices: map[string]string{}} + + if deviceAlias != "" { + cfg.Devices[deviceAlias] = deviceName + } else { + cfg.Devices[deviceName] = "" + } + return cfg, nil +} + +func (c *DevicesConfig) Merge(in EntitlementsConfig) error { + c2, ok := in.(*DevicesConfig) + if !ok { + return errors.Errorf("cannot merge %T into %T", in, c) + } + + if c2.All { + c.All = true + return nil + } + + for k, v := range c2.Devices { + if c.Devices == nil { + c.Devices = map[string]string{} + } + c.Devices[k] = v + } + return nil +} + +func Parse(s string) (Entitlement, EntitlementsConfig, error) { + var cfg EntitlementsConfig + key, rest, _ := strings.Cut(s, "=") + switch Entitlement(key) { + case 
EntitlementDevice: + s = key + var err error + cfg, err = ParseDevicesConfig(rest) + if err != nil { + return "", nil, err + } + default: + } + _, ok := all[Entitlement(s)] if !ok { - return "", errors.Errorf("unknown entitlement %s", s) + return "", nil, errors.Errorf("unknown entitlement %s", s) } - return Entitlement(s), nil + return Entitlement(s), cfg, nil } func WhiteList(allowed, supported []Entitlement) (Set, error) { - m := map[Entitlement]struct{}{} + m := map[Entitlement]EntitlementsConfig{} var supm Set if supported != nil { @@ -37,7 +125,7 @@ func WhiteList(allowed, supported []Entitlement) (Set, error) { } for _, e := range allowed { - e, err := Parse(string(e)) + e, cfg, err := Parse(string(e)) if err != nil { return nil, err } @@ -46,13 +134,19 @@ func WhiteList(allowed, supported []Entitlement) (Set, error) { return nil, errors.Errorf("granting entitlement %s is not allowed by build daemon configuration", e) } } - m[e] = struct{}{} + if prev, ok := m[e]; ok && prev != nil { + if err := prev.Merge(cfg); err != nil { + return nil, err + } + } else { + m[e] = cfg + } } return Set(m), nil } -type Set map[Entitlement]struct{} +type Set map[Entitlement]EntitlementsConfig func (s Set) Allowed(e Entitlement) bool { _, ok := s[e] @@ -77,4 +171,5 @@ func (s Set) Check(v Values) error { type Values struct { NetworkHost bool SecurityInsecure bool + Devices map[string]struct{} } diff --git a/vendor/modules.txt b/vendor/modules.txt index 6d82b395..47b56493 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -495,7 +495,7 @@ github.com/mitchellh/go-wordwrap github.com/mitchellh/hashstructure/v2 # github.com/mitchellh/mapstructure v1.5.0 ## explicit; go 1.14 -# github.com/moby/buildkit v0.20.0-rc2 +# github.com/moby/buildkit v0.20.0-rc2 => github.com/tonistiigi/buildkit v0.10.0-rc2.0.20250214043642-c9e788c50beb ## explicit; go 1.22.0 github.com/moby/buildkit/api/services/control github.com/moby/buildkit/api/types 
@@ -1389,3 +1389,4 @@ sigs.k8s.io/structured-merge-diff/v4/value ## explicit; go 1.12 sigs.k8s.io/yaml sigs.k8s.io/yaml/goyaml.v2 +# github.com/moby/buildkit => github.com/tonistiigi/buildkit v0.10.0-rc2.0.20250214043642-c9e788c50beb From af5d0d4ab53a79e1fe1099029cb14c4da2912b87 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Tue, 18 Feb 2025 21:59:36 +0100 Subject: [PATCH 5/5] vendor: update buildkit to v0.20.0-rc3 Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- go.mod | 4 +--- go.sum | 4 ++-- vendor/modules.txt | 3 +-- 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index 3b00a9b0..56a7236f 100644 --- a/go.mod +++ b/go.mod @@ -29,7 +29,7 @@ require ( github.com/hashicorp/hcl/v2 v2.23.0 github.com/in-toto/in-toto-golang v0.5.0 github.com/mitchellh/hashstructure/v2 v2.0.2 - github.com/moby/buildkit v0.20.0-rc2 + github.com/moby/buildkit v0.20.0-rc3 github.com/moby/sys/mountinfo v0.7.2 github.com/moby/sys/signal v0.7.1 github.com/morikuni/aec v1.0.0 @@ -194,5 +194,3 @@ exclude ( github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 ) - -replace github.com/moby/buildkit => github.com/tonistiigi/buildkit v0.10.0-rc2.0.20250214043642-c9e788c50beb diff --git a/go.sum b/go.sum index 2935b1e5..6e487187 100644 --- a/go.sum +++ b/go.sum 
@@ -297,6 +297,8 @@ github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/z github.com/mitchellh/mapstructure v0.0.0-20150613213606-2caf8efc9366/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/moby/buildkit v0.20.0-rc3 h1:iExrfuZZuFgFudeNJhXfp/5vzJWTNrlqZ/LYJk4dG2Q= +github.com/moby/buildkit v0.20.0-rc3/go.mod h1:kMXf90l/f3zygRK8bYbyetfyzoJYntb6Bpi2VsLfXgQ= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= @@ -439,8 +441,6 @@ github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtse github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/theupdateframework/notary v0.7.0 h1:QyagRZ7wlSpjT5N2qQAh/pN+DVqgekv4DzbAiAiEL3c= github.com/theupdateframework/notary v0.7.0/go.mod h1:c9DRxcmhHmVLDay4/2fUYdISnHqbFDGRSlXPO0AhYWw= -github.com/tonistiigi/buildkit v0.10.0-rc2.0.20250214043642-c9e788c50beb h1:uk0jspTfKpsaTGWqWO/MHWGQy4atLlOeJ6zjL7V1OeI= -github.com/tonistiigi/buildkit v0.10.0-rc2.0.20250214043642-c9e788c50beb/go.mod h1:kMXf90l/f3zygRK8bYbyetfyzoJYntb6Bpi2VsLfXgQ= github.com/tonistiigi/dchapes-mode v0.0.0-20241001053921-ca0759fec205 h1:eUk79E1w8yMtXeHSzjKorxuC8qJOnyXQnLaJehxpJaI= github.com/tonistiigi/dchapes-mode v0.0.0-20241001053921-ca0759fec205/go.mod h1:3Iuxbr0P7D3zUzBMAZB+ois3h/et0shEz0qApgHYGpY= github.com/tonistiigi/fsutil v0.0.0-20250113203817-b14e27f4135a h1:EfGw4G0x/8qXWgtcZ6KVaPS+wpWOQMaypczzP8ojkMY= diff --git a/vendor/modules.txt b/vendor/modules.txt index 47b56493..e15c787f 100644 --- a/vendor/modules.txt 
+++ b/vendor/modules.txt @@ -495,7 +495,7 @@ github.com/mitchellh/go-wordwrap github.com/mitchellh/hashstructure/v2 # github.com/mitchellh/mapstructure v1.5.0 ## explicit; go 1.14 -# github.com/moby/buildkit v0.20.0-rc2 => github.com/tonistiigi/buildkit v0.10.0-rc2.0.20250214043642-c9e788c50beb +# github.com/moby/buildkit v0.20.0-rc3 ## explicit; go 1.22.0 github.com/moby/buildkit/api/services/control github.com/moby/buildkit/api/types @@ -1389,4 +1389,3 @@ sigs.k8s.io/structured-merge-diff/v4/value ## explicit; go 1.12 sigs.k8s.io/yaml sigs.k8s.io/yaml/goyaml.v2 -# github.com/moby/buildkit => github.com/tonistiigi/buildkit v0.10.0-rc2.0.20250214043642-c9e788c50beb