Merge pull request #2275 from crazy-max/buildkitd-flags-network-mode

driver: docs to set buildkitd network mode and add tests
2025-11-01 00:23:56 +08:00 · 2024-02-23 13:20:20 -08:00
parent d8e9c7f5b5 aa518f9b88
commit fd11d93381
8 changed files with 115 additions and 6 deletions
--- a/docs/reference/buildx_create.md
+++ b/docs/reference/buildx_create.md
@@ -90,6 +90,22 @@ configuration file specified by [`--buildkitd-config`](#buildkitd-config). See
 --buildkitd-flags '--debug --debugaddr 0.0.0.0:6666'
 ```

+#### BuildKit daemon network mode
+
+You can specify the network mode for the BuildKit daemon with either the
+configuration file specified by [`--buildkitd-config`](#buildkitd-config) using the
+`worker.oci.networkMode` option or `--oci-worker-net` flag here. The default
+value is `auto` and can be one of `bridge`, `cni`, `host`:
+
+```text
+--buildkitd-flags '--oci-worker-net bridge'
+```
+
+> **Note**
+>
+> Network mode "bridge" is supported since BuildKit v0.13 and will become the
+> default in next v0.14.
+
 ### <a name="driver"></a> Set the builder driver to use (--driver)

 ```text
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/google/uuid v1.5.0
 	github.com/hashicorp/go-cty-funcs v0.0.0-20230405223818-a090f58aa992
 	github.com/hashicorp/hcl/v2 v2.19.1
-	github.com/moby/buildkit v0.13.0-rc1.0.20240221065707-db304eb93126 // master (v0.13.0-dev)
+	github.com/moby/buildkit v0.13.0-rc1.0.20240222164755-8e3fe35738c2 // master (v0.13.0-dev)
 	github.com/moby/sys/mountinfo v0.7.1
 	github.com/moby/sys/signal v0.7.0
 	github.com/morikuni/aec v1.0.0
--- a/go.sum
+++ b/go.sum
@@ -320,8 +320,8 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/moby/buildkit v0.13.0-rc1.0.20240221065707-db304eb93126 h1:aXdgP8jLyDnKEOXis4Aydp4VlXYpg2loUJarhygTOuU=
-github.com/moby/buildkit v0.13.0-rc1.0.20240221065707-db304eb93126/go.mod h1:XaLDo1L55QqXS/04FE91+mAbwjkr0vZu9g6zZlzvXL8=
+github.com/moby/buildkit v0.13.0-rc1.0.20240222164755-8e3fe35738c2 h1:e3FYb+yyx1SM1w4Mjn8L9WP5h/6u23P/xCAPZXx4m2Y=
+github.com/moby/buildkit v0.13.0-rc1.0.20240222164755-8e3fe35738c2/go.mod h1:XaLDo1L55QqXS/04FE91+mAbwjkr0vZu9g6zZlzvXL8=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
--- a/tests/build.go
+++ b/tests/build.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"net"
 	"os"
 	"path"
 	"path/filepath"
@@ -15,6 +16,7 @@ import (
 	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/continuity/fs/fstest"
 	"github.com/creack/pty"
+	"github.com/moby/buildkit/util/appdefaults"
 	"github.com/moby/buildkit/util/contentutil"
 	"github.com/moby/buildkit/util/testutil"
 	"github.com/moby/buildkit/util/testutil/integration"
@@ -48,6 +50,7 @@ var buildTests = []func(t *testing.T, sb integration.Sandbox){
 	testBuildOCIExportNotSupported,
 	testBuildMultiPlatformNotSupported,
 	testDockerHostGateway,
+	testBuildNetworkModeBridge,
 }

 func testBuild(t *testing.T, sb integration.Sandbox) {
@@ -432,3 +435,54 @@ RUN ping -c 1 buildx.host-gateway-ip.local
 		require.NoError(t, err, string(out))
 	}
 }
+
+func testBuildNetworkModeBridge(t *testing.T, sb integration.Sandbox) {
+	if sb.Name() != "docker" {
+		t.Skip("skipping test for non-docker workers")
+	}
+
+	var builderName string
+	t.Cleanup(func() {
+		if builderName == "" {
+			return
+		}
+		out, err := rmCmd(sb, withArgs(builderName))
+		require.NoError(t, err, out)
+	})
+
+	// TODO: use stable buildkit image when v0.13.0 released
+	out, err := createCmd(sb, withArgs("--driver", "docker-container", "--buildkitd-flags=--oci-worker-net=bridge --allow-insecure-entitlement=network.host", "--driver-opt", "image=moby/buildkit:master"))
+	require.NoError(t, err, out)
+	builderName = strings.TrimSpace(out)
+
+	dockerfile := []byte(`
+FROM busybox AS build
+RUN ip a show eth0 | awk '/inet / {split($2, a, "/"); print a[1]}' > /ip-bridge.txt
+RUN --network=host ip a show eth0 | awk '/inet / {split($2, a, "/"); print a[1]}' > /ip-host.txt
+FROM scratch
+COPY --from=build /ip*.txt /`)
+	dir := tmpdir(t, fstest.CreateFile("Dockerfile", dockerfile, 0600))
+
+	cmd := buildxCmd(sb, withArgs("build", "--allow=network.host", fmt.Sprintf("--output=type=local,dest=%s", dir), dir))
+	cmd.Env = append(cmd.Env, "BUILDX_BUILDER="+builderName)
+	outb, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(outb))
+
+	dt, err := os.ReadFile(filepath.Join(dir, "ip-bridge.txt"))
+	require.NoError(t, err)
+
+	ipBridge := net.ParseIP(strings.TrimSpace(string(dt)))
+	require.NotNil(t, ipBridge)
+
+	_, subnet, err := net.ParseCIDR(appdefaults.BridgeSubnet)
+	require.NoError(t, err)
+	require.True(t, subnet.Contains(ipBridge))
+
+	dt, err = os.ReadFile(filepath.Join(dir, "ip-host.txt"))
+	require.NoError(t, err)
+
+	ip := net.ParseIP(strings.TrimSpace(string(dt)))
+	require.NotNil(t, ip)
+
+	require.NotEqual(t, ip, ipBridge)
+}
--- a/tests/inspect.go
+++ b/tests/inspect.go
@@ -17,6 +17,7 @@ func inspectCmd(sb integration.Sandbox, opts ...cmdOpt) (string, error) {

 var inspectTests = []func(t *testing.T, sb integration.Sandbox){
 	testInspect,
+	testInspectBuildkitdFlags,
 }

 func testInspect(t *testing.T, sb integration.Sandbox) {
@@ -47,3 +48,33 @@ func testInspect(t *testing.T, sb integration.Sandbox) {
 		require.Empty(t, hostGatewayIP, "host-gateway-ip worker label should not be set with non-docker driver")
 	}
 }
+
+func testInspectBuildkitdFlags(t *testing.T, sb integration.Sandbox) {
+	if sb.Name() != "docker-container" {
+		t.Skip("only testing for docker-container driver")
+	}
+
+	var builderName string
+	t.Cleanup(func() {
+		if builderName == "" {
+			return
+		}
+		out, err := rmCmd(sb, withArgs(builderName))
+		require.NoError(t, err, out)
+	})
+
+	out, err := createCmd(sb, withArgs("--driver", "docker-container", "--buildkitd-flags=--oci-worker-net=bridge"))
+	require.NoError(t, err, out)
+	builderName = strings.TrimSpace(out)
+
+	out, err = inspectCmd(sb, withArgs(builderName))
+	require.NoError(t, err, out)
+
+	for _, line := range strings.Split(out, "\n") {
+		if v, ok := strings.CutPrefix(line, "BuildKit daemon flags:"); ok {
+			require.Contains(t, v, "--oci-worker-net=bridge")
+			return
+		}
+	}
+	require.Fail(t, "--oci-worker-net=bridge not found in inspect output")
+}
--- a/tests/integration.go
+++ b/tests/integration.go
@@ -47,8 +47,10 @@ func buildxCmd(sb integration.Sandbox, opts ...cmdOpt) *exec.Cmd {
 	}

 	if builder := sb.Address(); builder != "" {
-		cmd.Args = append(cmd.Args, "--builder="+builder)
-		cmd.Env = append(cmd.Env, "BUILDX_CONFIG=/tmp/buildx-"+builder)
+		cmd.Env = append(cmd.Env,
+			"BUILDX_CONFIG=/tmp/buildx-"+builder,
+			"BUILDX_BUILDER="+builder,
+		)
 	}
 	if context := sb.DockerAddress(); context != "" {
 		cmd.Env = append(cmd.Env, "DOCKER_CONTEXT="+context)
--- a/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults.go
+++ b/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults.go
@@ -0,0 +1,6 @@
+package appdefaults
+
+const (
+	BridgeName   = "buildkit0"
+	BridgeSubnet = "10.10.0.0/16"
+)
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -509,7 +509,7 @@ github.com/mitchellh/mapstructure
 # github.com/mitchellh/reflectwalk v1.0.2
 ## explicit
 github.com/mitchellh/reflectwalk
-# github.com/moby/buildkit v0.13.0-rc1.0.20240221065707-db304eb93126
+# github.com/moby/buildkit v0.13.0-rc1.0.20240222164755-8e3fe35738c2
 ## explicit; go 1.21
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types