Merge pull request #2818 from tonistiigi/vendor-buildkit-v0.18.0-rc2

vendor: update buildkit to v0.18.0-rc2
2025-08-23 03:59:06 +08:00 · 2024-11-25 17:52:46 -08:00 · 2024-11-25 17:42:30 -08:00 · 2024-11-25 20:29:14 +01:00 · 2024-11-25 20:13:27 +01:00 · 2024-11-25 10:11:09 -08:00
11 changed files with 83 additions and 88 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -54,7 +54,7 @@ jobs:
          - master
          - latest
          - buildx-stable-1
-          - v0.17.0
+          - v0.17.2
          - v0.16.0
          - v0.15.2
        worker:
--- a/2
+++ b/2
@@ -9,7 +9,7 @@ ARG DOCKER_VERSION_ALT_26=26.1.3
 ARG DOCKER_CLI_VERSION=${DOCKER_VERSION}
 ARG GOTESTSUM_VERSION=v1.12.0
 ARG REGISTRY_VERSION=2.8.3
-ARG BUILDKIT_VERSION=v0.17.1
+ARG BUILDKIT_VERSION=v0.17.2
 ARG UNDOCK_VERSION=0.8.0
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
--- a/bake/entitlements.go
+++ b/bake/entitlements.go
@@ -326,7 +326,14 @@ func isParentOrEqualPath(p, parent string) bool {
 }
 func findMissingPaths(set []string, paths map[string]struct{}) ([]string, error) {
-	paths, err := evaluateToExistingPaths(paths)
+	set, allowAny, err := evaluatePaths(set)
 	if err != nil {
 		return nil, err
 	} else if allowAny {
 		return nil, nil
 	}
 	paths, err = evaluateToExistingPaths(paths)
 	if err != nil {
 		return nil, err
 	}
@@ -335,11 +342,6 @@ func findMissingPaths(set []string, paths map[string]struct{}) ([]string, error)
 		return nil, err
 	}
 	set, err = evaluatePaths(set)
 	if err != nil {
 		return nil, err
 	}
 	out := make([]string, 0, len(paths))
 loop0:
 	for p := range paths {
@@ -441,6 +443,27 @@ func removeCommonPaths(in, common []string) []string {
 	return filtered
 }
 func evaluatePaths(in []string) ([]string, bool, error) {
 	out := make([]string, 0, len(in))
 	allowAny := false
 	for _, p := range in {
 		if p == "*" {
 			allowAny = true
 			continue
 		}
 		v, err := filepath.Abs(p)
 		if err != nil {
 			return nil, false, errors.Wrapf(err, "failed to evaluate path %q", p)
 		}
 		v, err = filepath.EvalSymlinks(v)
 		if err != nil {
 			return nil, false, errors.Wrapf(err, "failed to evaluate path %q", p)
 		}
 		out = append(out, v)
 	}
 	return out, allowAny, nil
 }
 func evaluateToExistingPaths(in map[string]struct{}) (map[string]struct{}, error) {
 	m := make(map[string]struct{}, len(in))
 	for p := range in {
--- a/bake/entitlements_test.go
+++ b/bake/entitlements_test.go
@@ -175,15 +175,22 @@ func TestDedupePaths(t *testing.T) {
 }
 func TestValidateEntitlements(t *testing.T) {
-	dir1, err := osutil.GetLongPathName(t.TempDir())
+	dir1 := t.TempDir()
 	dir2 := t.TempDir()
 	// the paths returned by entitlements validation will have symlinks resolved
 	expDir1, err := filepath.EvalSymlinks(dir1)
 	require.NoError(t, err)
-	dir2, err := osutil.GetLongPathName(t.TempDir())
+	expDir2, err := filepath.EvalSymlinks(dir2)
 	require.NoError(t, err)
 	escapeLink := filepath.Join(dir1, "escape_link")
 	require.NoError(t, os.Symlink("../../aa", escapeLink))
-	wd := osutil.GetWd()
+	wd, err := os.Getwd()
 	require.NoError(t, err)
 	expWd, err := filepath.EvalSymlinks(wd)
 	require.NoError(t, err)
 	tcases := []struct {
 		name     string
@@ -208,7 +215,7 @@ func TestValidateEntitlements(t *testing.T) {
 			},
 			expected: EntitlementConf{
 				NetworkHost: true,
-				FSRead:      []string{wd},
+				FSRead:      []string{expWd},
 			},
 		},
 		{
@@ -222,7 +229,7 @@ func TestValidateEntitlements(t *testing.T) {
 				},
 			},
 			expected: EntitlementConf{
-				FSRead: []string{wd},
+				FSRead: []string{expWd},
 			},
 		},
 		{
@@ -236,7 +243,7 @@ func TestValidateEntitlements(t *testing.T) {
 			expected: EntitlementConf{
 				NetworkHost:      true,
 				SecurityInsecure: true,
-				FSRead:           []string{wd},
+				FSRead:           []string{expWd},
 			},
 		},
 		{
@@ -252,7 +259,7 @@ func TestValidateEntitlements(t *testing.T) {
 			},
 			expected: EntitlementConf{
 				SecurityInsecure: true,
-				FSRead:           []string{wd},
+				FSRead:           []string{expWd},
 			},
 		},
 		{
@@ -266,7 +273,7 @@ func TestValidateEntitlements(t *testing.T) {
 			},
 			expected: EntitlementConf{
 				SSH:    true,
-				FSRead: []string{wd},
+				FSRead: []string{expWd},
 			},
 		},
 		{
@@ -295,11 +302,11 @@ func TestValidateEntitlements(t *testing.T) {
 			},
 			expected: EntitlementConf{
 				FSWrite: func() []string {
-					exp := []string{dir1, dir2}
+					exp := []string{expDir1, expDir2}
 					slices.Sort(exp)
 					return exp
 				}(),
-				FSRead: []string{wd},
+				FSRead: []string{expWd},
 			},
 		},
 		{
@@ -328,7 +335,7 @@ func TestValidateEntitlements(t *testing.T) {
 				FSRead: []string{wd, dir1},
 			},
 			expected: EntitlementConf{
-				FSRead: []string{filepath.Join(dir1, "../..")},
+				FSRead: []string{filepath.Join(expDir1, "../..")},
 			},
 		},
 		{
@@ -343,6 +350,33 @@ func TestValidateEntitlements(t *testing.T) {
 			conf: EntitlementConf{
 				FSRead: []string{"/"},
 			},
 			expected: EntitlementConf{
 				FSRead: func() []string {
 					// on windows root (/) is only allowed if it is the same volume as wd
 					if filepath.VolumeName(wd) == filepath.VolumeName(escapeLink) {
 						return nil
 					}
 					// if not, then escapeLink is not allowed
 					exp, err := evaluateToExistingPath(escapeLink)
 					require.NoError(t, err)
 					exp, err = filepath.EvalSymlinks(exp)
 					require.NoError(t, err)
 					return []string{exp}
 				}(),
 			},
 		},
 		{
 			name: "SecretFromEscapeLinkAllowAny",
 			opt: build.Options{
 				SecretSpecs: []*pb.Secret{
 					{
 						FilePath: escapeLink,
 					},
 				},
 			},
 			conf: EntitlementConf{
 				FSRead: []string{"*"},
 			},
 			expected: EntitlementConf{},
 		},
 	}
--- a/bake/entitlements_unix.go
+++ b/bake/entitlements_unix.go
@@ -1,26 +0,0 @@
 //go:build !windows
 // +build !windows
 package bake
 import (
 	"path/filepath"
 	"github.com/pkg/errors"
 )
 func evaluatePaths(in []string) ([]string, error) {
 	out := make([]string, 0, len(in))
 	for _, p := range in {
 		v, err := filepath.Abs(p)
 		if err != nil {
 			return nil, err
 		}
 		v, err = filepath.EvalSymlinks(v)
 		if err != nil {
 			return nil, errors.Wrapf(err, "failed to evaluate path %q", p)
 		}
 		out = append(out, v)
 	}
 	return out, nil
 }
--- a/bake/entitlements_windows.go
+++ b/bake/entitlements_windows.go
@@ -1,39 +0,0 @@
 package bake
 import (
 	"os"
 	"path/filepath"
 	"github.com/pkg/errors"
 )
 func evaluatePaths(in []string) ([]string, error) {
 	out := make([]string, 0, len(in))
 	for _, p := range in {
 		if p == "/" {
 			out = append(out, getAllVolumes()...)
 			continue
 		}
 		v, err := filepath.Abs(p)
 		if err != nil {
 			return nil, err
 		}
 		v, err = filepath.EvalSymlinks(v)
 		if err != nil {
 			return nil, errors.Wrapf(err, "failed to evaluate path %q", p)
 		}
 		out = append(out, v)
 	}
 	return out, nil
 }
 func getAllVolumes() []string {
 	var volumes []string
 	for _, drive := range "ABCDEFGHIJKLMNOPQRSTUVWXYZ" {
 		p := string(drive) + ":" + string(filepath.Separator)
 		if _, err := os.Stat(p); !os.IsNotExist(err) {
 			volumes = append(volumes, p)
 		}
 	}
 	return volumes
 }
--- a/go.mod
+++ b/go.mod
@@ -28,7 +28,7 @@ require (
 	github.com/hashicorp/hcl/v2 v2.20.1
 	github.com/in-toto/in-toto-golang v0.5.0
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/moby/buildkit v0.18.0-rc1
+	github.com/moby/buildkit v0.18.0-rc2
 	github.com/moby/sys/mountinfo v0.7.2
 	github.com/moby/sys/signal v0.7.1
 	github.com/morikuni/aec v1.0.0
--- a/go.sum
+++ b/go.sum
@@ -301,8 +301,8 @@ github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/z
 github.com/mitchellh/mapstructure v0.0.0-20150613213606-2caf8efc9366/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/moby/buildkit v0.18.0-rc1 h1:fxurq9IkqaX7ZXRlxbBpY3DO7xw/vISJoNFw1Gtl4c0=
+github.com/moby/buildkit v0.18.0-rc2 h1:Q4jxxicZM5sqdy6gJPikgILBrBUncPok0Z0rRbhtVWk=
-github.com/moby/buildkit v0.18.0-rc1/go.mod h1:vCR5CX8NGsPTthTg681+9kdmfvkvqJBXEv71GZe5msU=
+github.com/moby/buildkit v0.18.0-rc2/go.mod h1:vCR5CX8NGsPTthTg681+9kdmfvkvqJBXEv71GZe5msU=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
--- a/vendor/github.com/moby/buildkit/util/testutil/workers/dockerd.go
+++ b/vendor/github.com/moby/buildkit/util/testutil/workers/dockerd.go
@@ -50,6 +50,7 @@ func InitDockerdWorker() {
 		Unsupported: []string{
 			FeatureSecurityMode,
 			FeatureCNINetwork,
 			FeatureContentCheck,
 		},
 	})
 }
--- a/vendor/github.com/moby/buildkit/util/testutil/workers/features.go
+++ b/vendor/github.com/moby/buildkit/util/testutil/workers/features.go
@@ -30,6 +30,7 @@ const (
 	FeatureSecurityMode         = "security_mode"
 	FeatureSourceDateEpoch      = "source_date_epoch"
 	FeatureCNINetwork           = "cni_network"
 	FeatureContentCheck         = "content_check"
 )
 var features = map[string]struct{}{
@@ -56,6 +57,7 @@ var features = map[string]struct{}{
 	FeatureSecurityMode:         {},
 	FeatureSourceDateEpoch:      {},
 	FeatureCNINetwork:           {},
 	FeatureContentCheck:         {},
 }
 func CheckFeatureCompat(t *testing.T, sb integration.Sandbox, reason ...string) {
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -483,7 +483,7 @@ github.com/mitchellh/go-wordwrap
 github.com/mitchellh/hashstructure/v2
 # github.com/mitchellh/mapstructure v1.5.0
 ## explicit; go 1.14
-# github.com/moby/buildkit v0.18.0-rc1
+# github.com/moby/buildkit v0.18.0-rc2
 ## explicit; go 1.22.0
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types
Author	SHA1	Message	Date
Tõnis Tiigi	6a1cf78879	Merge pull request #2818 from tonistiigi/vendor-buildkit-v0.18.0-rc2 vendor: update buildkit to v0.18.0-rc2	2024-11-25 17:52:46 -08:00
Tonis Tiigi	ec1f712328	vendor: update buildkit to v0.18.0-rc2 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>	2024-11-25 17:42:30 -08:00
CrazyMax	5ce6597c07	Merge pull request #2812 from crazy-max/bake-win-fs-ent bake: add wildcard to fs entitlements to allow any paths	2024-11-25 20:29:14 +01:00
CrazyMax	9c75071793	bake: add wildcard to fs entitlements to allow any paths Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2024-11-25 20:13:27 +01:00
Tõnis Tiigi	d612139b19	Merge pull request #2811 from crazy-max/update-buildkit dockerfile: update buildkit to v0.17.2	2024-11-25 10:11:09 -08:00
Tõnis Tiigi	42f7898c53	Merge pull request #2815 from tonistiigi/entitlements-symlink-tests bake: fix entitlement test when running from symlink temp	2024-11-25 10:08:19 -08:00
Tonis Tiigi	3148c098a2	bake: remove unnecessary GetLongPathName calls Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>	2024-11-25 08:26:02 -08:00
Tonis Tiigi	f95d574f94	bake: fix entitlement test when running from symlink temp As the paths returned by validator have the symlinks resolved, the test needs to resolve the symlinks also in the expected values. Previously this would fail if t.TempDir() or os.GetWd() returned a path that contained a symlink. The issue was purely in the test and not in the entitlements validation logic. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>	2024-11-25 00:03:54 -08:00
CrazyMax	60822781be	ci: update buildkit to v0.17.2 Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2024-11-22 13:00:07 +01:00
CrazyMax	4c83475703	dockerfile: update buildkit to v0.17.2 Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2024-11-22 11:27:33 +01:00