driver: set network.host entitlement by default for container drivers

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2025-07-10 05:27:07 +08:00 · 2024-02-21 11:29:44 +01:00
parent fd11d93381
commit e008b846bb
4 changed files with 188 additions and 14 deletions
--- a/tests/inspect.go
+++ b/tests/inspect.go
@ -18,6 +18,7 @@ func inspectCmd(sb integration.Sandbox, opts ...cmdOpt) (string, error) {
 var inspectTests = []func(t *testing.T, sb integration.Sandbox){
 	testInspect,
 	testInspectBuildkitdFlags,
+	testInspectNetworkHostEntitlement,
 }

 func testInspect(t *testing.T, sb integration.Sandbox) {
@ -78,3 +79,33 @@ func testInspectBuildkitdFlags(t *testing.T, sb integration.Sandbox) {
 	}
 	require.Fail(t, "--oci-worker-net=bridge not found in inspect output")
 }
+
+func testInspectNetworkHostEntitlement(t *testing.T, sb integration.Sandbox) {
+	if sb.Name() != "docker-container" {
+		t.Skip("only testing for docker-container driver")
+	}
+
+	var builderName string
+	t.Cleanup(func() {
+		if builderName == "" {
+			return
+		}
+		out, err := rmCmd(sb, withArgs(builderName))
+		require.NoError(t, err, out)
+	})
+
+	out, err := createCmd(sb, withArgs("--driver", "docker-container"))
+	require.NoError(t, err, out)
+	builderName = strings.TrimSpace(out)
+
+	out, err = inspectCmd(sb, withArgs(builderName))
+	require.NoError(t, err, out)
+
+	for _, line := range strings.Split(out, "\n") {
+		if v, ok := strings.CutPrefix(line, "BuildKit daemon flags:"); ok {
+			require.Contains(t, v, "--allow-insecure-entitlement=network.host")
+			return
+		}
+	}
+	require.Fail(t, "network.host insecure entitlement not found in inspect output")
+}