vendor: github.com/moby/buildkit 6bd81372ad6f (master)

- tests: implement NetNSDetached method

full diff: 6e200afad5...6bd81372ad

Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

vendor/github.com/moby/buildkit/util/testutil/integration/run.go

@@ -38,6 +38,7 @@ type Backend interface {
 	ContainerdAddress() string
 
 	Rootless() bool
+	NetNSDetached() bool
 	Snapshotter() string
 	Supports(feature string) bool
 }
@@ -66,6 +67,7 @@ type Worker interface {
 	Close() error
 	Name() string
 	Rootless() bool
+	NetNSDetached() bool
 }
 
 type ConfigUpdater interface {

vendor/github.com/moby/buildkit/util/testutil/workers/backend.go

@@ -10,6 +10,7 @@ type backend struct {
 	dockerAddress       string
 	containerdAddress   string
 	rootless            bool
+	netnsDetached       bool
 	snapshotter         string
 	unsupportedFeatures []string
 	isDockerd           bool
@@ -31,6 +32,10 @@ func (b backend) Rootless() bool {
 	return b.rootless
 }
 
+func (b backend) NetNSDetached() bool {
+	return b.netnsDetached
+}
+
 func (b backend) Snapshotter() string {
 	return b.snapshotter
 }

vendor/github.com/moby/buildkit/util/testutil/workers/containerd.go

@@ -55,6 +55,8 @@ func InitContainerdWorker() {
 				GID:         gid,
 				Snapshotter: "native", // TODO: test with fuse-overlayfs as well, or automatically determine snapshotter
 			})
+
+			// TODO: add RootlessKitDetachNetNS after updating containerd-rootless.sh to include https://github.com/containerd/nerdctl/pull/2723
 		}
 	}
 
@@ -84,6 +86,10 @@ func (c *Containerd) Rootless() bool {
 	return c.UID != 0
 }
 
+func (c *Containerd) NetNSDetached() bool {
+	return false
+}
+
 func (c *Containerd) New(ctx context.Context, cfg *integration.BackendConfig) (b integration.Backend, cl func() error, err error) {
 	if err := integration.LookupBinary(c.Containerd); err != nil {
 		return nil, nil, err
@@ -236,6 +242,7 @@ disabled_plugins = ["cri"]
 		address:           buildkitdSock,
 		containerdAddress: address,
 		rootless:          rootless,
+		netnsDetached:     false,
 		snapshotter:       c.Snapshotter,
 	}, cl, nil
 }

vendor/github.com/moby/buildkit/util/testutil/workers/dockerd.go

@@ -71,6 +71,10 @@ func (c Moby) Rootless() bool {
 	return c.IsRootless
 }
 
+func (c Moby) NetNSDetached() bool {
+	return false
+}
+
 func (c Moby) New(ctx context.Context, cfg *integration.BackendConfig) (b integration.Backend, cl func() error, err error) {
 	if err := requireRoot(); err != nil {
 		return nil, nil, err
@@ -224,6 +228,7 @@ func (c Moby) New(ctx context.Context, cfg *integration.BackendConfig) (b integr
 		address:             "unix://" + listener.Addr().String(),
 		dockerAddress:       d.Sock(),
 		rootless:            c.IsRootless,
+		netnsDetached:       false,
 		isDockerd:           true,
 		unsupportedFeatures: c.Unsupported,
 	}, cl, nil

vendor/github.com/moby/buildkit/util/testutil/workers/oci.go

@@ -19,10 +19,12 @@ func InitOCIWorker() {
 }
 
 type OCI struct {
-	ID          string
-	UID         int
-	GID         int
-	Snapshotter string
+	ID                     string
+	UID                    int
+	GID                    int
+	Snapshotter            string
+	RootlessKitNet         string // e.g., "slirp4netns"
+	RootlessKitDetachNetNS bool   // needs RootlessKitNet to be non-host network
 }
 
 func (s *OCI) Name() string {
@@ -33,6 +35,10 @@ func (s *OCI) Rootless() bool {
 	return s.UID != 0
 }
 
+func (s *OCI) NetNSDetached() bool {
+	return s.Rootless() && s.RootlessKitDetachNetNS
+}
+
 func (s *OCI) New(ctx context.Context, cfg *integration.BackendConfig) (integration.Backend, func() error, error) {
 	if err := integration.LookupBinary("buildkitd"); err != nil {
 		return nil, nil, err
@@ -52,8 +58,19 @@ func (s *OCI) New(ctx context.Context, cfg *integration.BackendConfig) (integrat
 		if s.GID == 0 {
 			return nil, nil, errors.Errorf("unsupported id pair: uid=%d, gid=%d", s.UID, s.GID)
 		}
+		var rootlessKitArgs []string
+		switch s.RootlessKitNet {
+		case "", "host":
+		// NOP
+		default:
+			// See docs/rootless.md
+			rootlessKitArgs = append(rootlessKitArgs, "--net="+s.RootlessKitNet, "--copy-up=/etc", "--disable-host-loopback")
+		}
+		if s.RootlessKitDetachNetNS {
+			rootlessKitArgs = append(rootlessKitArgs, "--detach-netns")
+		}
 		// TODO: make sure the user exists and subuid/subgid are configured.
-		buildkitdArgs = append([]string{"sudo", "-u", fmt.Sprintf("#%d", s.UID), "-i", "--", "exec", "rootlesskit"}, buildkitdArgs...)
+		buildkitdArgs = append(append([]string{"sudo", "-u", fmt.Sprintf("#%d", s.UID), "-i", "--", "exec", "rootlesskit"}, rootlessKitArgs...), buildkitdArgs...)
 	}
 
 	var extraEnv []string
@@ -67,9 +84,10 @@ func (s *OCI) New(ctx context.Context, cfg *integration.BackendConfig) (integrat
 	}
 
 	return backend{
-		address:     buildkitdSock,
-		rootless:    s.UID != 0,
-		snapshotter: s.Snapshotter,
+		address:       buildkitdSock,
+		rootless:      s.UID != 0,
+		netnsDetached: s.NetNSDetached(),
+		snapshotter:   s.Snapshotter,
 	}, stop, nil
 }
 

vendor/github.com/moby/buildkit/util/testutil/workers/oci_unix.go

@@ -22,6 +22,8 @@ func initOCIWorker() {
 		}
 		if integration.RootlessSupported(uid) {
 			integration.Register(&OCI{ID: "oci-rootless", UID: uid, GID: gid})
+			integration.Register(&OCI{ID: "oci-rootless-slirp4netns-detachnetns", UID: uid, GID: gid,
+				RootlessKitNet: "slirp4netns", RootlessKitDetachNetNS: true})
 		}
 	}