If an override specifies a path, mark it automatically allowed
so there is no need to use duplicate flags for defining the
same feature.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

The previous check based on dest attributes was not correct
as the attributes already get converted before validation happens.

Because the local path is not preserved for single-file
outputs and gets replaced by io.Writer, a temporary array variable
was needed. This value should instead be added to the ExportEntry
struct in BuildKit in a future revision.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

As the paths returned by the validator have the symlinks resolved,
the test also needs to resolve the symlinks in the expected
values. Previously this would fail if t.TempDir() or os.Getwd()
returned a path that contained a symlink.

The issue was purely in the test and not in the entitlements
validation logic.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
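
The test failure described in the commit message above can be reproduced in isolation. The following is an added example, not code from buildx: `demo` and `resolvedEqual` are hypothetical names, and `filepath.EvalSymlinks` stands in for a validator that returns symlink-resolved paths.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// resolvedEqual compares two paths after resolving symlinks in both.
func resolvedEqual(a, b string) (bool, error) {
	ra, err := filepath.EvalSymlinks(a)
	if err != nil {
		return false, err
	}
	rb, err := filepath.EvalSymlinks(b)
	if err != nil {
		return false, err
	}
	return ra == rb, nil
}

// demo builds a constructed layout (target/ plus link -> target) and returns
// the result of a raw string comparison and of a symlink-aware comparison.
func demo() (naive, resolved bool, err error) {
	base, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(base)
	target := filepath.Join(base, "target")
	if err := os.Mkdir(target, 0o755); err != nil {
		return false, false, err
	}
	expected := filepath.Join(base, "link") // path as the test wrote it
	if err := os.Symlink(target, expected); err != nil {
		return false, false, err
	}
	// Stand-in for a validator that returns symlink-resolved paths.
	got, err := filepath.EvalSymlinks(expected)
	if err != nil {
		return false, false, err
	}
	resolved, err = resolvedEqual(got, expected)
	return got == expected, resolved, err
}

func main() {
	fmt.Println(demo())
}
```
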

This allows using either the CSV syntax or object syntax to specify
certain attributes.

This applies to the following fields:
- output
- cache-from
- cache-to
- secret
- ssh

There are still some remaining fields to translate, specifically
ulimits, annotations, and attest.

Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>

Improves the error message when using an incorrect format for setting
labels. This includes the intended format directly in the error message
instead of assuming the user knows what the format is.

Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>

Similar to https://github.com/docker/buildx/pull/2716.

Use the file size rather than the proto size, raise the allowed limit to
the same value for consistency, and improve the error message to include
the limit in human units.

Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>

Removes gogo/protobuf from buildx and updates to a version of
moby/buildkit where gogo is removed.

This also changes how the proto files are generated. This is because
newer versions of protobuf are more strict about name conflicts. If two
files have the same name (even if they are relative paths) and are used
in different protoc commands, they'll conflict in the registry.

Since protobuf file generation doesn't work very well with
`paths=source_relative`, this removes the `go:generate` expression and
just relies on the Dockerfile to perform the generation.

Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>

When a linked target requires an entitlement, the same entitlement
is also needed by the caller. Otherwise, the request will
fail when the build is processed.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Add support for security.insecure and network.host
entitlements via bake. The user needs to confirm elevated
privileges through a prompt or CLI flags.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>