From e5a6b8e1409911c6e62f30920074f6316502500b Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Wed, 11 Sep 2024 14:32:06 +0200
Subject: [PATCH 1/3] bake: fix missing omitempty and optional tags for network field

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
(cherry picked from commit 9fb8b04b64d3908adfbaff7b4a716c0baf270918)
---
 bake/bake.go | 2 +-
 tests/bake.go | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/bake/bake.go b/bake/bake.go
index 9ed1dfd8..3a50f7b4 100644
--- a/bake/bake.go
+++ b/bake/bake.go
@@ -704,7 +704,7 @@ type Target struct {
 Outputs []string `json:"output,omitempty" hcl:"output,optional" cty:"output"`
 Pull *bool `json:"pull,omitempty" hcl:"pull,optional" cty:"pull"`
 NoCache *bool `json:"no-cache,omitempty" hcl:"no-cache,optional" cty:"no-cache"`
- NetworkMode *string `json:"network" hcl:"network" cty:"network"`
+ NetworkMode *string `json:"network,omitempty" hcl:"network,optional" cty:"network"`
 NoCacheFilter []string `json:"no-cache-filter,omitempty" hcl:"no-cache-filter,optional" cty:"no-cache-filter"`
 ShmSize *string `json:"shm-size,omitempty" hcl:"shm-size,optional"`
 Ulimits []string `json:"ulimits,omitempty" hcl:"ulimits,optional"`
diff --git a/tests/bake.go b/tests/bake.go
index bafd4ba6..b4407a28 100644
--- a/tests/bake.go
+++ b/tests/bake.go
@@ -103,6 +103,26 @@ target "build" {
 require.Equal(t, ".", *def.Target["build"].Context)
 require.Equal(t, "Dockerfile", *def.Target["build"].Dockerfile)
 require.Equal(t, map[string]*string{"HELLO": ptrstr("foo")}, def.Target["build"].Args)
+
+ require.Equal(t, `{
+ "group": {
+ "default": {
+ "targets": [
+ "build"
+ ]
+ }
+ },
+ "target": {
+ "build": {
+ "context": ".",
+ "dockerfile": "Dockerfile",
+ "args": {
+ "HELLO": "foo"
+ }
+ }
+ }
+}
+`, stdout.String())
 }
 
 func testBakeLocal(t *testing.T, sb integration.Sandbox) {
From e8ceaad0a81714fafbe549757acc86d16be4cc4a Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Wed, 11 Sep 2024 12:27:29 +0200
Subject: [PATCH 2/3] builder: do not set network.host entitlement flag if already set in buildkitd conf

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
(cherry picked from commit 617d59d70b272b618b100c739fb1ed27241fd09e)
---
 builder/builder.go | 41 ++++++++++++++++++++++----------
 builder/builder_test.go | 48 ++++++++++++++++++++++++++++++++------
 util/confutil/config.go | 4 ++--
 util/confutil/container.go | 2 +-
 4 files changed, 73 insertions(+), 22 deletions(-)

diff --git a/builder/builder.go b/builder/builder.go
index b603120f..1b25ebe8 100644
--- a/builder/builder.go
+++ b/builder/builder.go
@@ -435,7 +435,16 @@ func Create(ctx context.Context, txn *store.Txn, dockerCli command.Cli, opts Cre
 return nil, err
 }
 
- buildkitdFlags, err := parseBuildkitdFlags(opts.BuildkitdFlags, driverName, driverOpts)
+ buildkitdConfigFile := opts.BuildkitdConfigFile
+ if buildkitdConfigFile == "" {
+ // if buildkit daemon config is not provided, check if the default one
+ // is available and use it
+ if f, ok := confutil.DefaultConfigFile(dockerCli); ok {
+ buildkitdConfigFile = f
+ }
+ }
+
+ buildkitdFlags, err := parseBuildkitdFlags(opts.BuildkitdFlags, driverName, driverOpts, buildkitdConfigFile)
 if err != nil {
 return nil, err
 }
@@ -496,15 +505,6 @@ func Create(ctx context.Context, txn *store.Txn, dockerCli command.Cli, opts Cre
 setEp = false
 }
 
- buildkitdConfigFile := opts.BuildkitdConfigFile
- if buildkitdConfigFile == "" {
- // if buildkit daemon config is not provided, check if the default one
- // is available and use it
- if f, ok := confutil.DefaultConfigFile(dockerCli); ok {
- buildkitdConfigFile = f
- }
- }
-
 if err := ng.Update(opts.NodeName, ep, opts.Platforms, setEp, opts.Append, buildkitdFlags, buildkitdConfigFile, driverOpts); err != nil {
 return nil, err
 }
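Review bot: Create now resolves the default buildkitd config and hands it to parseBuildkitdFlags for every driver, and parseBuildkitdFlags loads and parses that file whenever the path is non-empty, so a malformed or unreadable default config (the one DefaultConfigFile picks up implicitly, not one the user passed) now fails builder creation even for drivers such as `remote` whose flags the entitlement logic never touches. Whether ng.Update previously consumed that file for those drivers is not visible here, so this may be a new failure mode rather than a pre-existing one. Consider only passing the resolved path into parseBuildkitdFlags when `driverName == "docker-container" || driverName == "kubernetes"`, while still forwarding `buildkitdConfigFile` to ng.Update as before. Create starts before this hunk and continues past it.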
@@ -641,7 +641,7 @@ func validateBuildkitEndpoint(ep string) (string, error) {
 }
 
 // parseBuildkitdFlags parses buildkit flags
-func parseBuildkitdFlags(inp string, driver string, driverOpts map[string]string) (res []string, err error) {
+func parseBuildkitdFlags(inp string, driver string, driverOpts map[string]string, buildkitdConfigFile string) (res []string, err error) {
 if inp != "" {
 res, err = shlex.Split(inp)
 if err != nil {
@@ -663,10 +663,27 @@ func parseBuildkitdFlags(inp string, driver string, driverOpts map[string]string
 }
 }
 
+ var hasNetworkHostEntitlementInConf bool
+ if buildkitdConfigFile != "" {
+ btoml, err := confutil.LoadConfigTree(buildkitdConfigFile)
+ if err != nil {
+ return nil, err
+ } else if btoml != nil {
+ if ies := btoml.GetArray("insecure-entitlements"); ies != nil {
+ for _, e := range ies.([]string) {
+ if e == "network.host" {
+ hasNetworkHostEntitlementInConf = true
+ break
+ }
+ }
+ }
+ }
+ }
+
 if v, ok := driverOpts["network"]; ok && v == "host" && !hasNetworkHostEntitlement && driver == "docker-container" {
 // always set network.host entitlement if user has set network=host
 res = append(res, "--allow-insecure-entitlement=network.host")
- } else if len(allowInsecureEntitlements) == 0 && (driver == "kubernetes" || driver == "docker-container") {
+ } else if len(allowInsecureEntitlements) == 0 && !hasNetworkHostEntitlementInConf && (driver == "kubernetes" || driver == "docker-container") {
 // set network.host entitlement if user does not provide any as
 // network is isolated for container drivers.
 res = append(res, "--allow-insecure-entitlement=network.host")
diff --git a/builder/builder_test.go b/builder/builder_test.go
index 46037aff..97c09143 100644
--- a/builder/builder_test.go
+++ b/builder/builder_test.go
@@ -1,6 +1,8 @@
 package builder
 
 import (
+ "os"
+ "path"
 "testing"
 
 "github.com/stretchr/testify/assert"
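Review bot: The unchecked type assertion `ies.([]string)` in the new insecure-entitlements loop will panic instead of returning an error if the operator-supplied TOML holds something other than a homogeneous string array under that key (a scalar, an empty or mixed array, depending on what GetArray hands back), and this is the one place in the function that parses a file rather than CLI input. Use the two-value form and fail cleanly: `strs, ok := ies.([]string)` then `if !ok { return nil, <error naming buildkitdConfigFile and the key> }` before `for _, e := range strs {`. As a minor style point, `btoml, err := ...` shadows the named result `err`; it is harmless because the branch returns explicitly, but `var btoml *toml.Tree; btoml, err = ...` would avoid a vet shadow warning. parseBuildkitdFlags begins before the second hunk and its body continues past it.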
@@ -27,19 +29,34 @@ func TestCsvToMap(t *testing.T) {
 }
 
 func TestParseBuildkitdFlags(t *testing.T) {
+ buildkitdConf := `
+# debug enables additional debug logging
+debug = true
+# insecure-entitlements allows insecure entitlements, disabled by default.
+insecure-entitlements = [ "network.host", "security.insecure" ]
+[log]
+ # log formatter: json or text
+ format = "text"
+`
+ dirConf := t.TempDir()
+ buildkitdConfPath := path.Join(dirConf, "buildkitd-conf.toml")
+ require.NoError(t, os.WriteFile(buildkitdConfPath, []byte(buildkitdConf), 0644))
+
 testCases := []struct {
- name string
- flags string
- driver string
- driverOpts map[string]string
- expected []string
- wantErr bool
+ name string
+ flags string
+ driver string
+ driverOpts map[string]string
+ buildkitdConfigFile string
+ expected []string
+ wantErr bool
 }{
 {
 "docker-container no flags",
 "",
 "docker-container",
 nil,
+ "",
 []string{
 "--allow-insecure-entitlement=network.host",
 },
@@ -50,6 +67,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 "",
 "kubernetes",
 nil,
+ "",
 []string{
 "--allow-insecure-entitlement=network.host",
 },
@@ -60,6 +78,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 "",
 "remote",
 nil,
+ "",
 nil,
 false,
 },
@@ -68,6 +87,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 "--allow-insecure-entitlement=security.insecure",
 "docker-container",
 nil,
+ "",
 []string{
 "--allow-insecure-entitlement=security.insecure",
 },
@@ -78,6 +98,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 "--allow-insecure-entitlement=network.host --allow-insecure-entitlement=security.insecure",
 "docker-container",
 nil,
+ "",
 []string{
 "--allow-insecure-entitlement=network.host",
 "--allow-insecure-entitlement=security.insecure",
@@ -89,6 +110,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 "",
 "docker-container",
 map[string]string{"network": "host"},
+ "",
 []string{
 "--allow-insecure-entitlement=network.host",
 },
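Review bot: The fixture path is built with `path.Join(dirConf, "buildkitd-conf.toml")`, but `path` is for slash-separated (URL-style) paths while `t.TempDir()` returns an OS path; `filepath.Join` is the idiomatic choice for filesystem paths and avoids a mixed-separator name on Windows. Change the import to `"path/filepath"` and the call to `buildkitdConfPath := filepath.Join(dirConf, "buildkitd-conf.toml")`. While here, `0o644` reads more clearly than `0644` for the WriteFile mode. TestParseBuildkitdFlags continues past the end of this hunk.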
@@ -99,6 +121,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 "--allow-insecure-entitlement=network.host",
 "docker-container",
 map[string]string{"network": "host"},
+ "",
 []string{
 "--allow-insecure-entitlement=network.host",
 },
@@ -109,17 +132,28 @@ func TestParseBuildkitdFlags(t *testing.T) {
 "--allow-insecure-entitlement=network.host --allow-insecure-entitlement=security.insecure",
 "docker-container",
 map[string]string{"network": "host"},
+ "",
 []string{
 "--allow-insecure-entitlement=network.host",
 "--allow-insecure-entitlement=security.insecure",
 },
 false,
 },
+ {
+ "docker-container with buildkitd conf setting network.host entitlement",
+ "",
+ "docker-container",
+ nil,
+ buildkitdConfPath,
+ nil,
+ false,
+ },
 {
 "error parsing flags",
 "foo'",
 "docker-container",
 nil,
+ "",
 nil,
 true,
 },
@@ -127,7 +161,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 for _, tt := range testCases {
 tt := tt
 t.Run(tt.name, func(t *testing.T) {
- flags, err := parseBuildkitdFlags(tt.flags, tt.driver, tt.driverOpts)
+ flags, err := parseBuildkitdFlags(tt.flags, tt.driver, tt.driverOpts, tt.buildkitdConfigFile)
 if tt.wantErr {
 require.Error(t, err)
 return
diff --git a/util/confutil/config.go b/util/confutil/config.go
index e789fcca..54d5e0ec 100644
--- a/util/confutil/config.go
+++ b/util/confutil/config.go
@@ -34,8 +34,8 @@ func DefaultConfigFile(dockerCli command.Cli) (string, bool) {
 return "", false
 }
 
-// loadConfigTree loads BuildKit config toml tree
-func loadConfigTree(fp string) (*toml.Tree, error) {
+// LoadConfigTree loads BuildKit config toml tree
+func LoadConfigTree(fp string) (*toml.Tree, error) {
 f, err := os.Open(fp)
 if err != nil {
 if errors.Is(err, os.ErrNotExist) {
diff --git a/util/confutil/container.go b/util/confutil/container.go
index 609217f9..5003cd77 100644
--- a/util/confutil/container.go
+++ b/util/confutil/container.go
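Review bot: The single new conf-backed case only covers docker-container with no driver options, so the interaction the change leaves untouched is unpinned: when `driverOpts["network"] == "host"` the first branch in parseBuildkitdFlags appends `--allow-insecure-entitlement=network.host` without consulting the new conf flag, so with this fixture the daemon is handed the entitlement twice (once from the TOML, once from the flag). That may be intended, but a case should lock the behaviour in so a later refactor does not silently drop the flag; a kubernetes-with-conf case would likewise cover the `else if` branch that the change actually modifies. A case for the docker-container/network=host combination is sketched below, with the expected value following from the visible first branch.

```go
		{
			"docker-container with buildkitd conf network.host and network=host driver opt",
			"",
			"docker-container",
			map[string]string{"network": "host"},
			buildkitdConfPath,
			[]string{
				"--allow-insecure-entitlement=network.host",
			},
			false,
		},
		// … unchanged: remaining cases, including "error parsing flags" …
```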
@@ -32,7 +32,7 @@ func LoadConfigFiles(bkconfig string) (map[string][]byte, error) {
 }
 
 // Load config tree
- btoml, err := loadConfigTree(bkconfig)
+ btoml, err := LoadConfigTree(bkconfig)
 if err != nil {
 return nil, err
 }
From dd0d53efd51c9e680ad3cb1f674001c89c3f72c2 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Thu, 12 Sep 2024 15:23:33 +0200
Subject: [PATCH 3/3] ci: fix golvulncheck job permissions

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
(cherry picked from commit 120578091f8a26bff65fc00992167164c90593fc)
---
 .github/workflows/build.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6b34dbb2..ef43856d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -220,6 +220,8 @@ jobs:
 permissions:
 # required to write sarif report
 security-events: write
+ # required to check out the repository
+ contents: read
 steps:
 - name: Checkout