Merge pull request #2698 from tonistiigi/v0.17-cli-vendor

[v0.17] update docker/cli to 48a2cdff97

.github/workflows/build.yml

@@ -220,6 +220,8 @@ jobs:
     permissions:
       # required to write sarif report
       security-events: write
+      # required to check out the repository
+      contents: read
     steps:
       -
         name: Checkout

bake/bake.go

@@ -704,7 +704,7 @@ type Target struct {
 	Outputs          []string           `json:"output,omitempty" hcl:"output,optional" cty:"output"`
 	Pull             *bool              `json:"pull,omitempty" hcl:"pull,optional" cty:"pull"`
 	NoCache          *bool              `json:"no-cache,omitempty" hcl:"no-cache,optional" cty:"no-cache"`
-	NetworkMode      *string            `json:"network" hcl:"network" cty:"network"`
+	NetworkMode      *string            `json:"network,omitempty" hcl:"network,optional" cty:"network"`
 	NoCacheFilter    []string           `json:"no-cache-filter,omitempty" hcl:"no-cache-filter,optional" cty:"no-cache-filter"`
 	ShmSize          *string            `json:"shm-size,omitempty" hcl:"shm-size,optional"`
 	Ulimits          []string           `json:"ulimits,omitempty" hcl:"ulimits,optional"`

builder/builder.go

@@ -435,7 +435,16 @@ func Create(ctx context.Context, txn *store.Txn, dockerCli command.Cli, opts Cre
 		return nil, err
 	}
 
-	buildkitdFlags, err := parseBuildkitdFlags(opts.BuildkitdFlags, driverName, driverOpts)
+	buildkitdConfigFile := opts.BuildkitdConfigFile
+	if buildkitdConfigFile == "" {
+		// if buildkit daemon config is not provided, check if the default one
+		// is available and use it
+		if f, ok := confutil.DefaultConfigFile(dockerCli); ok {
+			buildkitdConfigFile = f
+		}
+	}
+
+	buildkitdFlags, err := parseBuildkitdFlags(opts.BuildkitdFlags, driverName, driverOpts, buildkitdConfigFile)
 	if err != nil {
 		return nil, err
 	}
@@ -496,15 +505,6 @@ func Create(ctx context.Context, txn *store.Txn, dockerCli command.Cli, opts Cre
 		setEp = false
 	}
 
-	buildkitdConfigFile := opts.BuildkitdConfigFile
-	if buildkitdConfigFile == "" {
-		// if buildkit daemon config is not provided, check if the default one
-		// is available and use it
-		if f, ok := confutil.DefaultConfigFile(dockerCli); ok {
-			buildkitdConfigFile = f
-		}
-	}
-
 	if err := ng.Update(opts.NodeName, ep, opts.Platforms, setEp, opts.Append, buildkitdFlags, buildkitdConfigFile, driverOpts); err != nil {
 		return nil, err
 	}
@@ -641,7 +641,7 @@ func validateBuildkitEndpoint(ep string) (string, error) {
 }
 
 // parseBuildkitdFlags parses buildkit flags
-func parseBuildkitdFlags(inp string, driver string, driverOpts map[string]string) (res []string, err error) {
+func parseBuildkitdFlags(inp string, driver string, driverOpts map[string]string, buildkitdConfigFile string) (res []string, err error) {
 	if inp != "" {
 		res, err = shlex.Split(inp)
 		if err != nil {
@@ -663,10 +663,27 @@ func parseBuildkitdFlags(inp string, driver string, driverOpts map[string]string
 		}
 	}
 
+	var hasNetworkHostEntitlementInConf bool
+	if buildkitdConfigFile != "" {
+		btoml, err := confutil.LoadConfigTree(buildkitdConfigFile)
+		if err != nil {
+			return nil, err
+		} else if btoml != nil {
+			if ies := btoml.GetArray("insecure-entitlements"); ies != nil {
+				for _, e := range ies.([]string) {
+					if e == "network.host" {
+						hasNetworkHostEntitlementInConf = true
+						break
+					}
+				}
+			}
+		}
+	}
+
 	if v, ok := driverOpts["network"]; ok && v == "host" && !hasNetworkHostEntitlement && driver == "docker-container" {
 		// always set network.host entitlement if user has set network=host
 		res = append(res, "--allow-insecure-entitlement=network.host")
-	} else if len(allowInsecureEntitlements) == 0 && (driver == "kubernetes" || driver == "docker-container") {
+	} else if len(allowInsecureEntitlements) == 0 && !hasNetworkHostEntitlementInConf && (driver == "kubernetes" || driver == "docker-container") {
 		// set network.host entitlement if user does not provide any as
 		// network is isolated for container drivers.
 		res = append(res, "--allow-insecure-entitlement=network.host")

builder/builder_test.go

@@ -1,6 +1,8 @@
 package builder
 
 import (
+	"os"
+	"path"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -27,19 +29,34 @@ func TestCsvToMap(t *testing.T) {
 }
 
 func TestParseBuildkitdFlags(t *testing.T) {
+	buildkitdConf := `
+# debug enables additional debug logging
+debug = true
+# insecure-entitlements allows insecure entitlements, disabled by default.
+insecure-entitlements = [ "network.host", "security.insecure" ]
+[log]
+  # log formatter: json or text
+  format = "text"
+`
+	dirConf := t.TempDir()
+	buildkitdConfPath := path.Join(dirConf, "buildkitd-conf.toml")
+	require.NoError(t, os.WriteFile(buildkitdConfPath, []byte(buildkitdConf), 0644))
+
 	testCases := []struct {
-		name       string
-		flags      string
-		driver     string
-		driverOpts map[string]string
-		expected   []string
-		wantErr    bool
+		name                string
+		flags               string
+		driver              string
+		driverOpts          map[string]string
+		buildkitdConfigFile string
+		expected            []string
+		wantErr             bool
 	}{
 		{
 			"docker-container no flags",
 			"",
 			"docker-container",
 			nil,
+			"",
 			[]string{
 				"--allow-insecure-entitlement=network.host",
 			},
@@ -50,6 +67,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 			"",
 			"kubernetes",
 			nil,
+			"",
 			[]string{
 				"--allow-insecure-entitlement=network.host",
 			},
@@ -60,6 +78,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 			"",
 			"remote",
 			nil,
+			"",
 			nil,
 			false,
 		},
@@ -68,6 +87,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 			"--allow-insecure-entitlement=security.insecure",
 			"docker-container",
 			nil,
+			"",
 			[]string{
 				"--allow-insecure-entitlement=security.insecure",
 			},
@@ -78,6 +98,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 			"--allow-insecure-entitlement=network.host --allow-insecure-entitlement=security.insecure",
 			"docker-container",
 			nil,
+			"",
 			[]string{
 				"--allow-insecure-entitlement=network.host",
 				"--allow-insecure-entitlement=security.insecure",
@@ -89,6 +110,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 			"",
 			"docker-container",
 			map[string]string{"network": "host"},
+			"",
 			[]string{
 				"--allow-insecure-entitlement=network.host",
 			},
@@ -99,6 +121,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 			"--allow-insecure-entitlement=network.host",
 			"docker-container",
 			map[string]string{"network": "host"},
+			"",
 			[]string{
 				"--allow-insecure-entitlement=network.host",
 			},
@@ -109,17 +132,28 @@ func TestParseBuildkitdFlags(t *testing.T) {
 			"--allow-insecure-entitlement=network.host --allow-insecure-entitlement=security.insecure",
 			"docker-container",
 			map[string]string{"network": "host"},
+			"",
 			[]string{
 				"--allow-insecure-entitlement=network.host",
 				"--allow-insecure-entitlement=security.insecure",
 			},
 			false,
 		},
+		{
+			"docker-container with buildkitd conf setting network.host entitlement",
+			"",
+			"docker-container",
+			nil,
+			buildkitdConfPath,
+			nil,
+			false,
+		},
 		{
 			"error parsing flags",
 			"foo'",
 			"docker-container",
 			nil,
+			"",
 			nil,
 			true,
 		},
@@ -127,7 +161,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 	for _, tt := range testCases {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
-			flags, err := parseBuildkitdFlags(tt.flags, tt.driver, tt.driverOpts)
+			flags, err := parseBuildkitdFlags(tt.flags, tt.driver, tt.driverOpts, tt.buildkitdConfigFile)
 			if tt.wantErr {
 				require.Error(t, err)
 				return

go.mod

@@ -16,7 +16,7 @@ require (
 	github.com/containerd/typeurl/v2 v2.2.0
 	github.com/creack/pty v1.1.21
 	github.com/distribution/reference v0.6.0
-	github.com/docker/cli v27.2.1+incompatible
+	github.com/docker/cli v27.2.2-0.20240913085431-48a2cdff970d+incompatible
 	github.com/docker/cli-docs-tool v0.8.0
 	github.com/docker/docker v27.2.1+incompatible
 	github.com/docker/go-units v0.5.0

go.sum

@@ -124,8 +124,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v27.2.1+incompatible h1:U5BPtiD0viUzjGAjV1p0MGB8eVA3L3cbIrnyWmSJI70=
-github.com/docker/cli v27.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v27.2.2-0.20240913085431-48a2cdff970d+incompatible h1:jbTJwvM0LKQUti9X1KfPCnRasE5894IGaqs5Y90YeXM=
+github.com/docker/cli v27.2.2-0.20240913085431-48a2cdff970d+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli-docs-tool v0.8.0 h1:YcDWl7rQJC3lJ7WVZRwSs3bc9nka97QLWfyJQli8yJU=
 github.com/docker/cli-docs-tool v0.8.0/go.mod h1:8TQQ3E7mOXoYUs811LiPdUnAhXrcVsBIrW21a5pUbdk=
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=

tests/bake.go

@@ -103,6 +103,26 @@ target "build" {
 	require.Equal(t, ".", *def.Target["build"].Context)
 	require.Equal(t, "Dockerfile", *def.Target["build"].Dockerfile)
 	require.Equal(t, map[string]*string{"HELLO": ptrstr("foo")}, def.Target["build"].Args)
+
+	require.Equal(t, `{
+  "group": {
+    "default": {
+      "targets": [
+        "build"
+      ]
+    }
+  },
+  "target": {
+    "build": {
+      "context": ".",
+      "dockerfile": "Dockerfile",
+      "args": {
+        "HELLO": "foo"
+      }
+    }
+  }
+}
+`, stdout.String())
 }
 
 func testBakeLocal(t *testing.T, sb integration.Sandbox) {

util/confutil/config.go

@@ -34,8 +34,8 @@ func DefaultConfigFile(dockerCli command.Cli) (string, bool) {
 	return "", false
 }
 
-// loadConfigTree loads BuildKit config toml tree
-func loadConfigTree(fp string) (*toml.Tree, error) {
+// LoadConfigTree loads BuildKit config toml tree
+func LoadConfigTree(fp string) (*toml.Tree, error) {
 	f, err := os.Open(fp)
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {

util/confutil/container.go

@@ -32,7 +32,7 @@ func LoadConfigFiles(bkconfig string) (map[string][]byte, error) {
 	}
 
 	// Load config tree
-	btoml, err := loadConfigTree(bkconfig)
+	btoml, err := LoadConfigTree(bkconfig)
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/docker/cli/cli/command/telemetry_docker.go

@@ -5,9 +5,14 @@ package command
 
 import (
 	"context"
+	"fmt"
+	"io/fs"
 	"net/url"
 	"os"
 	"path"
+	"path/filepath"
+	"strings"
+	"unicode"
 
 	"github.com/pkg/errors"
 	"go.opentelemetry.io/otel"
@@ -77,14 +82,7 @@ func dockerExporterOTLPEndpoint(cli Cli) (endpoint string, secure bool) {
 
 	switch u.Scheme {
 	case "unix":
-		// Unix sockets are a bit weird. OTEL seems to imply they
-		// can be used as an environment variable and are handled properly,
-		// but they don't seem to be as the behavior of the environment variable
-		// is to strip the scheme from the endpoint, but the underlying implementation
-		// needs the scheme to use the correct resolver.
-		//
-		// We'll just handle this in a special way and add the unix:// back to the endpoint.
-		endpoint = "unix://" + path.Join(u.Host, u.Path)
+		endpoint = unixSocketEndpoint(u)
 	case "https":
 		secure = true
 		fallthrough
@@ -135,3 +133,109 @@ func dockerMetricExporter(ctx context.Context, cli Cli) []sdkmetric.Option {
 	}
 	return []sdkmetric.Option{sdkmetric.WithReader(newCLIReader(exp))}
 }
+
+// unixSocketEndpoint converts the unix scheme from URL to
+// an OTEL endpoint that can be used with the OTLP exporter.
+//
+// The OTLP exporter handles unix sockets in a strange way.
+// It seems to imply they can be used as an environment variable
+// and are handled properly, but they don't seem to be as the behavior
+// of the environment variable is to strip the scheme from the endpoint
+// while the underlying implementation needs the scheme to use the
+// correct resolver.
+func unixSocketEndpoint(u *url.URL) string {
+	// GRPC does not allow host to be used.
+	socketPath := u.Path
+
+	// If we are on windows and we have an absolute path
+	// that references a letter drive, check to see if the
+	// WSL equivalent path exists and we should use that instead.
+	if isWsl() {
+		if p := wslSocketPath(socketPath, os.DirFS("/")); p != "" {
+			socketPath = p
+		}
+	}
+	// Enforce that we are using forward slashes.
+	return "unix://" + filepath.ToSlash(socketPath)
+}
+
+// wslSocketPath will convert the referenced URL to a WSL-compatible
+// path and check if that path exists. If the path exists, it will
+// be returned.
+func wslSocketPath(s string, f fs.FS) string {
+	if p := toWslPath(s); p != "" {
+		if _, err := stat(p, f); err == nil {
+			return "/" + p
+		}
+	}
+	return ""
+}
+
+// toWslPath converts the referenced URL to a WSL-compatible
+// path if this looks like a Windows absolute path.
+//
+// If no drive is in the URL, defaults to the C drive.
+func toWslPath(s string) string {
+	drive, p, ok := parseUNCPath(s)
+	if !ok {
+		return ""
+	}
+	return fmt.Sprintf("mnt/%s%s", drive, p)
+}
+
+func parseUNCPath(s string) (drive, p string, ok bool) {
+	// UNC paths use backslashes but we're using forward slashes
+	// so also enforce that here.
+	//
+	// In reality, this should have been enforced much earlier
+	// than here since backslashes aren't allowed in URLs, but
+	// we're going to code defensively here.
+	s = filepath.ToSlash(s)
+
+	const uncPrefix = "//./"
+	if !strings.HasPrefix(s, uncPrefix) {
+		// Not a UNC path.
+		return "", "", false
+	}
+	s = s[len(uncPrefix):]
+
+	parts := strings.SplitN(s, "/", 2)
+	if len(parts) != 2 {
+		// Not enough components.
+		return "", "", false
+	}
+
+	drive, ok = splitWindowsDrive(parts[0])
+	if !ok {
+		// Not a windows drive.
+		return "", "", false
+	}
+	return drive, "/" + parts[1], true
+}
+
+// splitWindowsDrive checks if the string references a windows
+// drive (such as c:) and returns the drive letter if it is.
+func splitWindowsDrive(s string) (string, bool) {
+	if b := []rune(s); len(b) == 2 && unicode.IsLetter(b[0]) && b[1] == ':' {
+		return string(b[0]), true
+	}
+	return "", false
+}
+
+func stat(p string, f fs.FS) (fs.FileInfo, error) {
+	if f, ok := f.(fs.StatFS); ok {
+		return f.Stat(p)
+	}
+
+	file, err := f.Open(p)
+	if err != nil {
+		return nil, err
+	}
+
+	defer file.Close()
+	return file.Stat()
+}
+
+func isWsl() bool {
+	return os.Getenv("WSL_DISTRO_NAME") != ""
+}

vendor/modules.txt

@@ -218,7 +218,7 @@ github.com/davecgh/go-spew/spew
 # github.com/distribution/reference v0.6.0
 ## explicit; go 1.20
 github.com/distribution/reference
-# github.com/docker/cli v27.2.1+incompatible
+# github.com/docker/cli v27.2.2-0.20240913085431-48a2cdff970d+incompatible
 ## explicit
 github.com/docker/cli/cli
 github.com/docker/cli/cli-plugins/hooks