Merge pull request #155 from tiborvass/vendor-buildkit

vendor: update buildkit to docker-19.03 (ae10b292)

.fossa.yml

@@ -0,0 +1,14 @@
+# Generated by FOSSA CLI (https://github.com/fossas/fossa-cli)
+# Visit https://fossa.com to learn more
+
+version: 2
+cli:
+  server: https://app.fossa.io
+  fetcher: custom
+  project: git@github.com:docker/buildx
+analyze:
+  modules:
+  - name: github.com/docker/buildx/cmd/buildx
+    type: go
+    target: github.com/docker/buildx/cmd/buildx
+    path: cmd/buildx

.github/CODE_OF_CONDUCT.md

@@ -0,0 +1,4 @@
+# Code of conduct
+
+- [Moby community guidelines](https://github.com/moby/moby/blob/master/CONTRIBUTING.md#moby-community-guidelines)
+- [Docker Code of Conduct](https://github.com/docker/code-of-conduct)

.github/CONTRIBUTING.md

@@ -0,0 +1,292 @@
+# Contribute to the Buildx project
+
+This page contains information about reporting issues as well as some tips and
+guidelines useful to experienced open source contributors.
+
+## Reporting security issues
+
+The project maintainers take security seriously. If you discover a security
+issue, please bring it to their attention right away!
+
+**Please _DO NOT_ file a public issue**, instead send your report privately to
+[security@docker.com](mailto:security@docker.com).
+
+Security reports are greatly appreciated and we will publicly thank you for it.
+We also like to send gifts—if you're into schwag, make sure to let
+us know. We currently do not offer a paid security bounty program, but are not
+ruling it out in the future.
+
+
+## Reporting other issues
+
+A great way to contribute to the project is to send a detailed report when you
+encounter an issue. We always appreciate a well-written, thorough bug report,
+and will thank you for it!
+
+Check that [our issue database](https://github.com/docker/buildx/issues)
+doesn't already include that problem or suggestion before submitting an issue.
+If you find a match, you can use the "subscribe" button to get notified on
+updates. Do *not* leave random "+1" or "I have this too" comments, as they
+only clutter the discussion, and don't help resolving it. However, if you
+have ways to reproduce the issue or have additional information that may help
+resolving the issue, please leave a comment.
+
+Include the steps required to reproduce the problem if possible and applicable.
+This information will help us review and fix your issue faster. When sending
+lengthy log-files, consider posting them as an attachment, instead of posting
+inline.
+
+**Do not forget to remove sensitive data from your logfiles before submitting**
+ (you can replace those parts with "REDACTED").
+
+### Pull requests are always welcome
+
+Not sure if that typo is worth a pull request? Found a bug and know how to fix
+it? Do it! We will appreciate it.
+
+If your pull request is not accepted on the first try, don't be discouraged! If
+there's a problem with the implementation, hopefully you received feedback on
+what to improve.
+
+We're trying very hard to keep Buildx lean and focused. We don't want it to
+do everything for everybody. This means that we might decide against
+incorporating a new feature. However, there might be a way to implement that
+feature *on top of* Buildx.
+
+### Design and cleanup proposals
+
+You can propose new designs for existing features. You can also design
+entirely new features. We really appreciate contributors who want to refactor or
+otherwise cleanup our project.
+
+### Sign your work
+
+The sign-off is a simple line at the end of the explanation for the patch. Your
+signature certifies that you wrote the patch or otherwise have the right to pass
+it on as an open-source patch. The rules are pretty simple: if you can certify
+the below (from [developercertificate.org](http://developercertificate.org/)):
+
+```
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+1 Letterman Drive
+Suite D4700
+San Francisco, CA, 94129
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
+```
+
+Then you just add a line to every git commit message:
+
+    Signed-off-by: Joe Smith <joe.smith@email.com>
+
+**Use your real name** (sorry, no pseudonyms or anonymous contributions.)
+
+If you set your `user.name` and `user.email` git configs, you can sign your
+commit automatically with `git commit -s`.
+
+### Run the unit- and integration-tests
+
+To enter a demo container environment and experiment, you may run:
+
+```
+$ make shell
+```
+
+To validate PRs before submitting them you should run:
+
+```
+$ make validate-all
+```
+
+To generate new vendored files with go modules run:
+
+```
+$ make vendor
+```
+
+
+### Conventions
+
+- Fork the repository and make changes on your fork in a feature branch
+- Submit tests for your changes. See [run the unit- and integration-tests](#run-the-unit--and-integration-tests)
+  for details.
+- [Sign your work](#sign-your-work)
+
+Write clean code. Universally formatted code promotes ease of writing, reading,
+and maintenance. Always run `gofmt -s -w file.go` on each changed file before
+committing your changes. Most editors have plug-ins that do this automatically.
+
+Pull request descriptions should be as clear as possible and include a
+reference to all the issues that they address. Be sure that the [commit
+messages](#commit-messages) also contain the relevant information.
+
+### Successful Changes
+
+Before contributing large or high impact changes, make the effort to coordinate
+with the maintainers of the project before submitting a pull request. This
+prevents you from doing extra work that may or may not be merged.
+
+Large PRs that are just submitted without any prior communication are unlikely
+to be successful.
+
+While pull requests are the methodology for submitting changes to code, changes
+are much more likely to be accepted if they are accompanied by additional
+engineering work. While we don't define this explicitly, most of these goals
+are accomplished through communication of the design goals and subsequent
+solutions. Often times, it helps to first state the problem before presenting
+solutions.
+
+Typically, the best methods of accomplishing this are to submit an issue,
+stating the problem. This issue can include a problem statement and a
+checklist with requirements. If solutions are proposed, alternatives should be
+listed and eliminated. Even if the criteria for elimination of a solution is
+frivolous, say so.
+
+Larger changes typically work best with design documents. These are focused on
+providing context to the design at the time the feature was conceived and can
+inform future documentation contributions.
+
+### Commit Messages
+
+Commit messages must start with a capitalized and short summary (max. 50 chars)
+written in the imperative, followed by an optional, more detailed explanatory
+text which is separated from the summary by an empty line.
+
+Commit messages should follow best practices, including explaining the context
+of the problem and how it was solved, including in caveats or follow up changes
+required. They should tell the story of the change and provide readers
+understanding of what led to it.
+
+If you're lost about what this even means, please see [How to Write a Git
+Commit Message](http://chris.beams.io/posts/git-commit/) for a start.
+
+In practice, the best approach to maintaining a nice commit message is to
+leverage a `git add -p` and `git commit --amend` to formulate a solid
+changeset. This allows one to piece together a change, as information becomes
+available.
+
+If you squash a series of commits, don't just submit that. Re-write the commit
+message, as if the series of commits was a single stroke of brilliance.
+
+That said, there is no requirement to have a single commit for a PR, as long as
+each commit tells the story. For example, if there is a feature that requires a
+package, it might make sense to have the package in a separate commit then have
+a subsequent commit that uses it.
+
+Remember, you're telling part of the story with the commit message. Don't make
+your chapter weird.
+
+### Review
+
+Code review comments may be added to your pull request. Discuss, then make the
+suggested modifications and push additional commits to your feature branch. Post
+a comment after pushing. New commits show up in the pull request automatically,
+but the reviewers are notified only when you comment.
+
+Pull requests must be cleanly rebased on top of master without multiple branches
+mixed into the PR.
+
+> **Git tip**: If your PR no longer merges cleanly, use `rebase master` in your
+> feature branch to update your pull request rather than `merge master`.
+
+Before you make a pull request, squash your commits into logical units of work
+using `git rebase -i` and `git push -f`. A logical unit of work is a consistent
+set of patches that should be reviewed together: for example, upgrading the
+version of a vendored dependency and taking advantage of its now available new
+feature constitute two separate units of work. Implementing a new function and
+calling it in another file constitute a single logical unit of work. The very
+high majority of submissions should have a single commit, so if in doubt: squash
+down to one.
+
+- After every commit, [make sure the test suite passes](#run-the-unit--and-integration-tests).
+  Include documentation changes in the same pull request so that a revert would
+  remove all traces of the feature or fix.
+- Include an issue reference like `closes #XXXX` or `fixes #XXXX` in the PR
+  description that close an issue. Including references automatically closes
+  the issue on a merge.
+- Do not add yourself to the `AUTHORS` file, as it is regenerated regularly
+  from the Git history.
+- See the [Coding Style](#coding-style) for further guidelines.
+
+
+### Merge approval
+
+Project maintainers use LGTM (Looks Good To Me) in comments on the code review to
+indicate acceptance, or use the Github review approval feature.
+
+
+## Coding Style
+
+Unless explicitly stated, we follow all coding guidelines from the Go
+community. While some of these standards may seem arbitrary, they somehow seem
+to result in a solid, consistent codebase.
+
+It is possible that the code base does not currently comply with these
+guidelines. We are not looking for a massive PR that fixes this, since that
+goes against the spirit of the guidelines. All new contributions should make a
+best effort to clean up and make the code base better than they left it.
+Obviously, apply your best judgement. Remember, the goal here is to make the
+code base easier for humans to navigate and understand. Always keep that in
+mind when nudging others to comply.
+
+The rules:
+
+1. All code should be formatted with `gofmt -s`.
+2. All code should pass the default levels of
+   [`golint`](https://github.com/golang/lint).
+3. All code should follow the guidelines covered in [Effective
+   Go](http://golang.org/doc/effective_go.html) and [Go Code Review
+   Comments](https://github.com/golang/go/wiki/CodeReviewComments).
+4. Comment the code. Tell us the why, the history and the context.
+5. Document _all_ declarations and methods, even private ones. Declare
+   expectations, caveats and anything else that may be important. If a type
+   gets exported, having the comments already there will ensure it's ready.
+6. Variable name length should be proportional to its context and no longer.
+   `noCommaALongVariableNameLikeThisIsNotMoreClearWhenASimpleCommentWouldDo`.
+   In practice, short methods will have short variable names and globals will
+   have longer names.
+7. No underscores in package names. If you need a compound name, step back,
+   and re-examine why you need a compound name. If you still think you need a
+   compound name, lose the underscore.
+8. No utils or helpers packages. If a function is not general enough to
+   warrant its own package, it has not been written generally enough to be a
+   part of a util package. Just leave it unexported and well-documented.
+9. All tests should run with `go test` and outside tooling should not be
+   required. No, we don't need another unit testing framework. Assertion
+   packages are acceptable if they provide _real_ incremental value.
+10. Even though we call these "rules" above, they are actually just
+    guidelines. Since you've read all the rules, you now know that.
+
+If you are having trouble getting into the mood of idiomatic Go, we recommend
+reading through [Effective Go](https://golang.org/doc/effective_go.html). The
+[Go Blog](https://blog.golang.org) is also a great resource.

.mailmap

@@ -0,0 +1,6 @@
+# This file lists all individuals having contributed content to the repository.
+# For how it is generated, see `hack/generate-authors`.
+
+Tibor Vass <tibor@docker.com>
+Tibor Vass <tibor@docker.com> <tiborvass@users.noreply.github.com>
+Tõnis Tiigi <tonistiigi@gmail.com>

AUTHORS

@@ -0,0 +1,7 @@
+# This file lists all individuals having contributed content to the repository.
+# For how it is generated, see `scripts/generate-authors.sh`.
+
+Bin Du <bindu@microsoft.com>
+Brian Goff <cpuguy83@gmail.com>
+Tibor Vass <tibor@docker.com>
+Tõnis Tiigi <tonistiigi@gmail.com>

Jenkinsfile

@@ -0,0 +1,29 @@
+
+@Library('jps')
+_
+
+pipeline {
+  agent {
+    node {
+      label 'ubuntu-1804-overlay2'
+    }
+  }
+  options {
+    disableConcurrentBuilds()
+  }
+  stages {
+    stage("FOSSA Analyze") {
+      steps {
+
+        withCredentials([string(credentialsId: 'fossa-api-key', variable: 'FOSSA_API_KEY')]) {
+          withGithubStatus('FOSSA.scan') {
+            labelledShell returnStatus: false, returnStdout: true, label: "make fossa-analyze",
+                  script:'make -f Makefile.fossa BRANCH_NAME=${BRANCH_NAME} fossa-analyze'
+            labelledShell returnStatus: false, returnStdout: true, label: "make fossa-test",
+                  script: 'make -f Makefile.fossa BRANCH_NAME=${BRANCH_NAME} fossa-test'
+          }
+        }
+      }
+    }
+  }
+}

LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

MAINTAINERS

@@ -0,0 +1,192 @@
+# Buildx maintainers file
+#
+# This file describes the maintainer groups within the project.
+# More detail on Moby project governance is available in the
+# https://github.com/moby/moby/blob/master/project/GOVERNANCE.md file.
+#
+# It is structured to be consumable by both humans and programs.
+# To extract its contents programmatically, use any TOML-compliant
+# parser.
+#
+
+[Rules]
+
+		[Rules.maintainers]
+
+		title = "What is a maintainer?"
+
+		text = """
+There are different types of maintainers, with different
+responsibilities, but all maintainers have 3 things in common:
+
+1) They share responsibility in the project's success.
+2) They have made a long-term, recurring time investment to improve
+   the project.
+3) They spend that time doing whatever needs to be done, not
+   necessarily what is the most interesting or fun.
+
+Maintainers are often under-appreciated, because their work is harder
+to appreciate.  It's easy to appreciate a really cool and technically
+advanced feature. It's harder to appreciate the absence of bugs, the
+slow but steady improvement in stability, or the reliability of a
+release process. But those things distinguish a good project from a
+great one.
+"""
+
+		[Rules.adding-maintainers]
+
+		title = "How are maintainers added?"
+
+		text = """
+Maintainers are first and foremost contributors that have shown they
+are committed to the long term success of a project. Contributors
+wanting to become maintainers are expected to be deeply involved in
+contributing code, pull request review, and triage of issues in the
+project for more than three months.
+
+Just contributing does not make you a maintainer, it is about building
+trust with the current maintainers of the project and being a person
+that they can depend on and trust to make decisions in the best
+interest of the project.
+
+Periodically, the existing maintainers curate a list of contributors
+that have shown regular activity on the project over the prior
+months. From this list, maintainer candidates are selected.
+
+After a candidate has been announced, the existing maintainers are
+given five business days to discuss the candidate, raise objections
+and cast their vote. Candidates must be approved by at least 66% of
+the current maintainers by adding their vote on the slack
+channel. Only maintainers of the repository that the candidate is
+proposed for are allowed to vote.
+
+If a candidate is approved, a maintainer will contact the candidate to
+invite the candidate to open a pull request that adds the contributor
+to the MAINTAINERS file. The candidate becomes a maintainer once the
+pull request is merged.
+"""
+
+		[Rules.stepping-down-policy]
+
+		title = "Stepping down policy"
+
+		text = """
+Life priorities, interests, and passions can change. If you're a
+maintainer but feel you must remove yourself from the list, inform
+other maintainers that you intend to step down, and if possible, help
+find someone to pick up your work.  At the very least, ensure your
+work can be continued where you left off.
+
+After you've informed other maintainers, create a pull request to
+remove yourself from the MAINTAINERS file.
+"""
+
+		[Rules.inactive-maintainers]
+
+		title = "Removal of inactive maintainers"
+
+		text = """
+Similar to the procedure for adding new maintainers, existing
+maintainers can be removed from the list if they do not show
+significant activity on the project. Periodically, the maintainers
+review the list of maintainers and their activity over the last three
+months.
+
+If a maintainer has shown insufficient activity over this period, a
+neutral person will contact the maintainer to ask if they want to
+continue being a maintainer. If the maintainer decides to step down as
+a maintainer, they open a pull request to be removed from the
+MAINTAINERS file.
+
+If the maintainer wants to remain a maintainer, but is unable to
+perform the required duties they can be removed with a vote of at
+least 66% of the current maintainers.  The voting period is five
+business days. Issues related to a maintainer's performance should be
+discussed with them among the other maintainers so that they are not
+surprised by a pull request removing them.
+"""
+
+		[Rules.DCO]
+
+		title = "Helping contributors with the DCO"
+
+		text = """
+The [DCO or `Sign your work`](
+https://github.com/moby/buildkit/blob/master/CONTRIBUTING.md#sign-your-work)
+requirement is not intended as a roadblock or speed bump.
+
+Some BuildKit contributors are not as familiar with `git`, or have
+used a web based editor, and thus asking them to `git commit --amend
+-s` is not the best way forward.
+
+In this case, maintainers can update the commits based on clause (c)
+of the DCO.  The most trivial way for a contributor to allow the
+maintainer to do this, is to add a DCO signature in a pull requests's
+comment, or a maintainer can simply note that the change is
+sufficiently trivial that it does not substantially change the
+existing contribution - i.e., a spelling change.
+
+When you add someone's DCO, please also add your own to keep a log.
+"""
+
+		[Rules."no direct push"]
+
+		title = "I'm a maintainer. Should I make pull requests too?"
+
+		text = """
+Yes. Nobody should ever push to master directly. All changes should be
+made through a pull request.
+"""
+
+		[Rules.meta]
+
+		title = "How is this process changed?"
+
+		text = "Just like everything else: by making a pull request :)"
+
+
+[Org]
+
+	[Org.Maintainers]
+
+		people = [
+			"tiborvass",
+			"tonistiigi",
+		]
+
+	[Org.Curators]
+
+	# The curators help ensure that incoming issues and pull requests are properly triaged and
+	# that our various contribution and reviewing processes are respected. With their knowledge of
+	# the repository activity, they can also guide contributors to relevant material or
+	# discussions.
+	#
+	# They are neither code nor docs reviewers, so they are never expected to merge. They can
+	# however:
+	# - close an issue or pull request when it's an exact duplicate
+	# - close an issue or pull request when it's inappropriate or off-topic
+
+		people = [
+			"thajeztah",
+		]
+
+[people]
+
+# A reference list of all people associated with the project.
+# All other sections should refer to people by their canonical key
+# in the people section.
+
+	[people.thajeztah]
+	Name = "Sebastiaan van Stijn"
+	Email = "github@gone.nl"
+	GitHub = "thaJeztah"
+
+	[people.tiborvass]
+	Name = "Tibor Vass"
+	Email = "tibor@docker.com"
+	GitHub = "tiborvass"
+
+	[people.tonistiigi]
+	Name = "Tõnis Tiigi"
+	Email = "tonis@docker.com"
+	GitHub = "tonistiigi"

Makefile

@@ -25,4 +25,7 @@ validate-all: lint test validate-vendor
 vendor:
 	./hack/update-vendor
 
-.PHONY: vendor lint shell binaries install binaries-cross validate-all
+generate-authors:
+	./hack/generate-authors
+
+.PHONY: vendor lint shell binaries install binaries-cross validate-all generate-authors

Makefile.fossa

@@ -0,0 +1,18 @@
+REPO_PATH?=docker/buildx
+BUILD_ANALYZER?=docker/fossa-analyzer
+FOSSA_OPTS?=--option all-tags:true --option allow-unresolved:true --no-ansi
+
+fossa-analyze:
+	docker run -i --rm -e FOSSA_API_KEY=$(FOSSA_API_KEY) \
+		-v $(CURDIR)/$*:/go/src/github.com/$(REPO_PATH) \
+		-w /go/src/github.com/$(REPO_PATH) \
+		-e GO111MODULE=on \
+		$(BUILD_ANALYZER) analyze $(FOSSA_OPTS) --branch $(BRANCH_NAME)
+
+# This command is used to run the fossa test command
+fossa-test:
+	docker run -i --rm -e FOSSA_API_KEY=$(FOSSA_API_KEY) \
+		-v $(CURDIR)/$*:/go/src/github.com/$(REPO_PATH) \
+		-w /go/src/github.com/$(REPO_PATH) \
+		-e GO111MODULE=on \
+		$(BUILD_ANALYZER) test --debug

README.md

@@ -41,30 +41,21 @@ _buildx is Tech Preview_
 
 # Installing
 
-Using `buildx` as a docker CLI plugin requires using Docker 19.03.0 beta. A limited set of functionality works with older versions of Docker when invoking the binary directly.
+Using `buildx` as a docker CLI plugin requires using Docker 19.03. A limited set of functionality works with older versions of Docker when invoking the binary directly.
 
-### Docker Desktop (Edge)
+### Docker CE
 
-`buildx` is included with Docker Desktop Edge builds since 19.03.0-beta3.
-
-For more information see https://docs.docker.com/docker-for-mac/edge-release-notes/
-
-### Docker CE nightly builds
-
-`buildx` comes bundled with the Docker CE nightly builds. 
-- Mac: https://download.docker.com/mac/static/nightly/
-- Linux:
-```
-$ # uncomment next line to uninstall previous Docker CE installation if present
-$ # apt purge docker-ce docker-ce-cli
-$ curl -fsSL https://get.docker.com/ -o docker-install.sh
-$ CHANNEL=nightly sh docker-install.sh
-```
+`buildx` comes bundled with Docker CE starting with 19.03, but requires experimental mode to be enabled on the Docker CLI.
+To enable it, `"experimental": "enabled"` can be added to the CLI configuration file `~/.docker/config.json`. An alternative is to set the `DOCKER_CLI_EXPERIMENTAL=enabled` environment variable.
 
 ### Binary release
 
 Download the latest binary release from https://github.com/docker/buildx/releases/latest and copy it to `~/.docker/cli-plugins` folder with name `docker-buildx`.
 
+Change the permission to execute:
+```sh
+chmod a+x ~/.docker/cli-plugins/docker-buildx
+```
 
 After installing you can run `docker buildx` to see the new commands.
 
@@ -79,8 +70,7 @@ $ make install
 ### with buildx or Docker 19.03
 ```
 $ export DOCKER_BUILDKIT=1
-$ # choose a platform that matches your architecture
-$ docker build --platform=[darwin,windows,linux,linux/arm64] -o . git://github.com/docker/buildx
+$ docker build --platform=local -o . git://github.com/docker/buildx
 $ mv buildx ~/.docker/cli-plugins/docker-buildx
 ```
 
@@ -143,7 +133,7 @@ $ docker buildx build --platform linux/amd64,linux/arm64 .
 Finally, depending on your project, the language that you use may have good support for cross-compilation. In that case, multi-stage builds in Dockerfiles can be effectively used to build binaries for the platform specified with `--platform` using the native architecture of the build node. List of build arguments like `BUILDPLATFORM` and `TARGETPLATFORM` are available automatically inside your Dockerfile and can be leveraged by the processes running as part of your build.
 
 ```
-FROM --platform $BUILDPLATFORM golang:alpine AS build
+FROM --platform=$BUILDPLATFORM golang:alpine AS build
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
 RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM" > /log
@@ -175,6 +165,7 @@ Options:
 | Flag | Description |
 | --- | --- |
 | --add-host []         | Add a custom host-to-IP mapping (host:ip)
+| --allow []        | Allow extra privileged entitlement, e.g. network.host, security.insecure
 | --build-arg []    | Set build-time variables
 | --cache-from []   | External cache sources (eg. user/app:cache, type=local,src=path/to/dir)
 | --cache-to []     | Cache export destinations (eg. user/app:cache, type=local,dest=path/to/dir)
@@ -296,7 +287,7 @@ Shorthand for [`--output=type=docker`](#docker). Will automatically load the sin
 
 #### `--cache-from=[NAME|type=TYPE[,KEY=VALUE]]`
 
-Use an external cache source for a build. Supported types are `registry` and `local`. The `registry` source can import cache from a cache manifest or (special) image configuration on the registry. The `local` source can export cache from local files previously exported with `--cache-to`.
+Use an external cache source for a build. Supported types are `registry` and `local`. The `registry` source can import cache from a cache manifest or (special) image configuration on the registry. The `local` source can import cache from local files previously exported with `--cache-to`.
 
 If no type is specified, `registry` exporter is used with a specified reference.
 
@@ -328,6 +319,20 @@ docker buildx build --cache-to=type=registry,ref=user/app .
 docker buildx build --cache-to=type=local,dest=path/to/cache .
 ```
 
+#### `--allow=ENTITLEMENT`
+
+Allow extra privileged entitlement. List of entitlements:
+
+- `network.host` - Allows executions with host networking.
+- `security.insecure` - Allows executions without sandbox. See [related Dockerfile extensions](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/experimental.md#run---securityinsecuresandbox).
+
+For entitlements to be enabled, the `buildkitd` daemon also needs to allow them with `--allow-insecure-entitlement` (see [`create --buildkitd-flags`](#--buildkitd-flags-flags))
+
+Example:
+```
+$ docker buildx create --use --name insecure-builder --buildkitd-flags '--allow-insecure-entitlement security.insecure'
+$ docker buildx build --allow security.insecure .
+```
 
 ### `buildx create [OPTIONS] [CONTEXT|ENDPOINT]`
 
@@ -341,21 +346,16 @@ Options:
 
 | Flag | Description |
 | --- | --- |
-| --append                | Append a node to builder instead of changing it
-| --driver string         | Driver to use (eg. docker-container)
-| --leave                 | Remove a node from builder instead of changing it
-| --name string           | Builder instance name
-| --node string           | Create/modify node with given name
-| --platform stringArray  | Fixed platforms for current node
-| --use                   | Set the current builder instance
-
-#### `--driver DRIVER`
-
-Sets the builder driver to be used. There are two available drivers, each have their own specificities.
-
-- `docker` - Uses the builder that is built into the docker daemon. With this driver, the [`--load`](#--load) flag is implied by default on `buildx build`. However, building multi-platform images or exporting cache is not currently supported.
-
-- `docker-container` - Uses a buildkit container that will be spawned via docker. With this driver, both building multi-platform images and exporting cache are supported. However, images built will not automatically appear in `docker images` (see [`build --load`](#--load)).
+| --append                 | Append a node to builder instead of changing it
+| --buildkitd-flags string | Flags for buildkitd daemon
+| --config string          | BuildKit config file
+| --driver string          | Driver to use (eg. docker-container)
+| --driver-opt stringArray | Options for the driver
+| --leave                  | Remove a node from builder instead of changing it
+| --name string            | Builder instance name
+| --node string            | Create/modify node with given name
+| --platform stringArray   | Fixed platforms for current node
+| --use                    | Set the current builder instance
 
 #### `--append`
 
@@ -369,6 +369,41 @@ $ docker buildx create --name eager_beaver --append mycontext2
 eager_beaver
 ```
 
+#### `--buildkitd-flags FLAGS`
+
+Adds flags when starting the buildkitd daemon. They take precedence over the configuration file specified by [`--config`](#--config-file). See `buildkitd --help` for the available flags.
+
+Example:
+```
+--buildkitd-flags '--debug --debugaddr 0.0.0.0:6666'
+```
+
+#### `--config FILE`
+
+Specifies the configuration file for the buildkitd daemon to use. The configuration can be overridden by [`--buildkitd-flags`](#--buildkitd-flags-flags). See an [example buildkitd configuration file](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md).
+
+#### `--driver DRIVER`
+
+Sets the builder driver to be used. There are two available drivers, each have their own specificities.
+
+- `docker` - Uses the builder that is built into the docker daemon. With this driver, the [`--load`](#--load) flag is implied by default on `buildx build`. However, building multi-platform images or exporting cache is not currently supported.
+
+- `docker-container` - Uses a buildkit container that will be spawned via docker. With this driver, both building multi-platform images and exporting cache are supported. However, images built will not automatically appear in `docker images` (see [`build --load`](#--load)).
+
+
+#### `--driver-opt OPTIONS`
+
+Passes additional driver-specific options. Details for each driver:
+
+- `docker` - No driver options
+- `docker-container`
+  - `image` - Sets the container image to be used for running buildkit.
+  - `network` - Sets the network mode for running the buildkit container.
+  - Example:
+    ```
+    --driver docker-container --driver-opt image=moby/buildkit:master,network=host
+    ```
+
 #### `--leave`
 
 Changes the action of the command to removes a node from a builder. The builder needs to be specified with `--name` and node that is removed is set with `--node`.
@@ -542,23 +577,23 @@ Note: Design of bake command is work in progress, the user experience may change
 Example HCL defintion:
 
 ```
-group “default” {
-	targets = [“db”, “webapp-dev”]
+group "default" {
+	targets = ["db", "webapp-dev"]
 }
 
-target “webapp-dev” {
+target "webapp-dev" {
 	dockerfile = "Dockerfile.webapp"
 	tags = ["docker.io/username/webapp"]
 }
 
-target “webapp-release” {
-	inherits = [“webapp-dev”]
-	platforms = [“linux/amd64”, “linux/arm64”]
+target "webapp-release" {
+	inherits = ["webapp-dev"]
+	platforms = ["linux/amd64", "linux/arm64"]
 }
 
-target “db” {
+target "db" {
 	dockerfile = "Dockerfile.db"
-	tags = [“docker.io/username/db”]
+	tags = ["docker.io/username/db"]
 }
 ```
 
@@ -640,20 +675,5 @@ To remove this alias, you can run `docker buildx uninstall`.
 
 # Contributing
 
-To enter a demo container environment and experiment, you may run:
-
-```
-$ make shell
-```
-
-To validate PRs before submitting them you should run:
-
-```
-$ make validate-all
-```
-
-To generate new vendored files with go modules run:
-
-```
-$ make vendor
-```
+Want to contribute to Buildx? Awesome! You can find information about
+contributing to this project in the [CONTRIBUTING.md](/.github/CONTRIBUTING.md)

bake/bake.go

@@ -77,7 +77,20 @@ func mergeConfig(c1, c2 Config) Config {
 		if c1.Group == nil {
 			c1.Group = map[string]Group{}
 		}
-		c1.Group[k] = g
+		if g1, exists := c1.Group[k]; exists {
+		nextTarget:
+			for _, t := range g.Targets {
+				for _, t2 := range g1.Targets {
+					if t == t2 {
+						continue nextTarget
+					}
+				}
+				g1.Targets = append(g1.Targets, t)
+			}
+			c1.Group[k] = g1
+		} else {
+			c1.Group[k] = g
+		}
 	}
 
 	for k, t := range c2.Target {
@@ -248,10 +261,10 @@ func (t *Target) normalize() {
 	t.Outputs = removeDupes(t.Outputs)
 }
 
-func TargetsToBuildOpt(m map[string]Target) (map[string]build.Options, error) {
+func TargetsToBuildOpt(m map[string]Target, noCache, pull bool) (map[string]build.Options, error) {
 	m2 := make(map[string]build.Options, len(m))
 	for k, v := range m {
-		bo, err := toBuildOpt(v)
+		bo, err := toBuildOpt(v, noCache, pull)
 		if err != nil {
 			return nil, err
 		}
@@ -260,7 +273,7 @@ func TargetsToBuildOpt(m map[string]Target) (map[string]build.Options, error) {
 	return m2, nil
 }
 
-func toBuildOpt(t Target) (*build.Options, error) {
+func toBuildOpt(t Target, noCache, pull bool) (*build.Options, error) {
 	if v := t.Context; v != nil && *v == "-" {
 		return nil, errors.Errorf("context from stdin not allowed in bake")
 	}
@@ -289,6 +302,8 @@ func toBuildOpt(t Target) (*build.Options, error) {
 		Tags:      t.Tags,
 		BuildArgs: t.Args,
 		Labels:    t.Labels,
+		NoCache:   noCache,
+		Pull:      pull,
 	}
 
 	platforms, err := platformutil.Parse(t.Platforms)

bake/bake_test.go

@@ -59,11 +59,30 @@ services:
 `), 0600)
 	require.NoError(t, err)
 
-	ctx := context.TODO()
+	fp2 := filepath.Join(tmpdir, "docker-compose2.yml")
+	err = ioutil.WriteFile(fp2, []byte(`
+version: "3"
 
-	m, err := ReadTargets(ctx, []string{fp}, []string{"default"}, nil)
+services:
+  newservice:
+    build: .
+  webapp:
+    build:
+      args:
+        buildno2: 12
+`), 0600)
 	require.NoError(t, err)
 
+	ctx := context.TODO()
+
+	m, err := ReadTargets(ctx, []string{fp, fp2}, []string{"default"}, nil)
+	require.NoError(t, err)
+
+	require.Equal(t, 3, len(m))
+	_, ok := m["newservice"]
+	require.True(t, ok)
 	require.Equal(t, "Dockerfile.webapp", *m["webapp"].Dockerfile)
 	require.Equal(t, ".", *m["webapp"].Context)
+	require.Equal(t, "1", m["webapp"].Args["buildno"])
+	require.Equal(t, "12", m["webapp"].Args["buildno2"])
 }

bake/compose.go

@@ -1,6 +1,11 @@
 package bake
 
 import (
+	"fmt"
+	"os"
+	"reflect"
+	"strings"
+
 	"github.com/docker/cli/cli/compose/loader"
 	composetypes "github.com/docker/cli/cli/compose/types"
 )
@@ -16,9 +21,22 @@ func parseCompose(dt []byte) (*composetypes.Config, error) {
 				Config: parsed,
 			},
 		},
+		Environment: envMap(os.Environ()),
 	})
 }
 
+func envMap(env []string) map[string]string {
+	result := make(map[string]string, len(env))
+	for _, s := range env {
+		kv := strings.SplitN(s, "=", 2)
+		if len(kv) != 2 {
+			continue
+		}
+		result[kv[0]] = kv[1]
+	}
+	return result
+}
+
 func ParseCompose(dt []byte) (*Config, error) {
 	cfg, err := parseCompose(dt)
 	if err != nil {
@@ -26,6 +44,7 @@ func ParseCompose(dt []byte) (*Config, error) {
 	}
 
 	var c Config
+	var zeroBuildConfig composetypes.BuildConfig
 	if len(cfg.Services) > 0 {
 		c.Group = map[string]Group{}
 		c.Target = map[string]Target{}
@@ -33,7 +52,15 @@ func ParseCompose(dt []byte) (*Config, error) {
 		var g Group
 
 		for _, s := range cfg.Services {
-			g.Targets = append(g.Targets, s.Name)
+
+			if reflect.DeepEqual(s.Build, zeroBuildConfig) {
+				// if not make sure they're setting an image or it's invalid d-c.yml
+				if s.Image == "" {
+					return nil, fmt.Errorf("compose file invalid: service %s has neither an image nor a build context specified. At least one must be provided.", s.Name)
+				}
+				continue
+			}
+
 			var contextPathP *string
 			if s.Build.Context != "" {
 				contextPath := s.Build.Context
@@ -44,6 +71,7 @@ func ParseCompose(dt []byte) (*Config, error) {
 				dockerfilePath := s.Build.Dockerfile
 				dockerfilePathP = &dockerfilePath
 			}
+			g.Targets = append(g.Targets, s.Name)
 			t := Target{
 				Context:    contextPathP,
 				Dockerfile: dockerfilePathP,
@@ -73,6 +101,8 @@ func toMap(in composetypes.MappingWithEquals) map[string]string {
 	for k, v := range in {
 		if v != nil {
 			m[k] = *v
+		} else {
+			m[k] = os.Getenv(k)
 		}
 	}
 	return m

bake/compose_test.go

@@ -40,6 +40,21 @@ services:
 	require.Equal(t, "123", c.Target["webapp"].Args["buildno"])
 }
 
+func TestNoBuildOutOfTreeService(t *testing.T) {
+	var dt = []byte(`
+version: "3.7"
+
+services:
+    external:
+        image: "verycooldb:1337"
+    webapp:
+        build: ./db
+`)
+	c, err := ParseCompose(dt)
+	require.NoError(t, err)
+	require.Equal(t, 1, len(c.Group))
+}
+
 func TestParseComposeTarget(t *testing.T) {
 	var dt = []byte(`
 version: "3.7"
@@ -47,9 +62,11 @@ version: "3.7"
 services:
   db:
     build:
+      context: ./db
       target: db
   webapp:
     build:
+      context: .
       target: webapp
 `)
 
@@ -59,3 +76,42 @@ services:
 	require.Equal(t, "db", *c.Target["db"].Target)
 	require.Equal(t, "webapp", *c.Target["webapp"].Target)
 }
+
+func TestComposeBuildWithoutContext(t *testing.T) {
+	var dt = []byte(`
+version: "3.7"
+
+services:
+  db:
+    build:
+      target: db
+  webapp:
+    build:
+      context: .
+      target: webapp
+`)
+
+	c, err := ParseCompose(dt)
+	require.NoError(t, err)
+	require.Equal(t, "db", *c.Target["db"].Target)
+	require.Equal(t, "webapp", *c.Target["webapp"].Target)
+}
+
+func TestBogusCompose(t *testing.T) {
+	var dt = []byte(`
+version: "3.7"
+
+services:
+  db:
+    labels:
+      - "foo"
+  webapp:
+    build:
+      context: .
+      target: webapp
+`)
+
+	_, err := ParseCompose(dt)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "has neither an image nor a build context specified. At least one must be provided")
+}

build/build.go

@@ -24,6 +24,7 @@ import (
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/session/upload/uploadprovider"
+	"github.com/moby/buildkit/util/entitlements"
 	"github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -55,6 +56,7 @@ type Options struct {
 	CacheFrom []client.CacheOptionsEntry
 	CacheTo   []client.CacheOptionsEntry
 
+	Allow []entitlements.Entitlement
 	// DockerTarget
 }
 
@@ -324,11 +326,12 @@ func toSolveOpt(d driver.Driver, multiDriver bool, opt Options, dl dockerLoadCal
 	}
 
 	so := client.SolveOpt{
-		Frontend:      "dockerfile.v0",
-		FrontendAttrs: map[string]string{},
-		LocalDirs:     map[string]string{},
-		CacheExports:  opt.CacheTo,
-		CacheImports:  opt.CacheFrom,
+		Frontend:            "dockerfile.v0",
+		FrontendAttrs:       map[string]string{},
+		LocalDirs:           map[string]string{},
+		CacheExports:        opt.CacheTo,
+		CacheImports:        opt.CacheFrom,
+		AllowedEntitlements: opt.Allow,
 	}
 
 	if multiDriver {
@@ -397,7 +400,7 @@ func toSolveOpt(d driver.Driver, multiDriver bool, opt Options, dl dockerLoadCal
 						return nil, nil, err
 					}
 					defers = append(defers, cancel)
-					opt.Exports[i].Output = w
+					opt.Exports[i].Output = wrapWriteCloser(w)
 				}
 			} else if !d.Features()[driver.DockerExporter] {
 				return nil, nil, notSupported(d, driver.DockerExporter)
@@ -454,6 +457,7 @@ func toSolveOpt(d driver.Driver, multiDriver bool, opt Options, dl dockerLoadCal
 	switch opt.NetworkMode {
 	case "host", "none":
 		so.FrontendAttrs["force-network-mode"] = opt.NetworkMode
+		so.AllowedEntitlements = append(so.AllowedEntitlements, entitlements.EntitlementNetworkHost)
 	case "", "default":
 	default:
 		return nil, nil, errors.Errorf("network mode %q not supported by buildkit", opt.NetworkMode)
@@ -537,7 +541,7 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 	multiTarget := len(opt) > 1
 
 	for k, opt := range opt {
-		err := func() error {
+		err := func(k string) error {
 			opt := opt
 			dps := m[k]
 			multiDriver := len(m[k]) > 1
@@ -681,7 +685,7 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 			}
 
 			return nil
-		}()
+		}(k)
 		if err != nil {
 			return nil, err
 		}
@@ -731,7 +735,7 @@ func LoadInputs(inp Inputs, target *client.SolveOpt) (func(), error) {
 			return nil, errStdinConflict
 		}
 
-		buf := bufio.NewReader(os.Stdin)
+		buf := bufio.NewReader(inp.InStream)
 		magic, err := buf.Peek(archiveHeaderSize * 2)
 		if err != nil && err != io.EOF {
 			return nil, errors.Wrap(err, "failed to peek context header from STDIN")
@@ -757,7 +761,7 @@ func LoadInputs(inp Inputs, target *client.SolveOpt) (func(), error) {
 		target.LocalDirs["context"] = inp.ContextPath
 		switch inp.DockerfilePath {
 		case "-":
-			dockerfileReader = os.Stdin
+			dockerfileReader = inp.InStream
 		case "":
 			dockerfileDir = inp.ContextPath
 		default:
@@ -780,6 +784,7 @@ func LoadInputs(inp Inputs, target *client.SolveOpt) (func(), error) {
 			return nil, err
 		}
 		toRemove = append(toRemove, dockerfileDir)
+		dockerfileName = "Dockerfile"
 	}
 
 	if dockerfileName == "" {

build/entitlements.go

@@ -0,0 +1,21 @@
+package build
+
+import (
+	"github.com/moby/buildkit/util/entitlements"
+	"github.com/pkg/errors"
+)
+
+func ParseEntitlements(in []string) ([]entitlements.Entitlement, error) {
+	out := make([]entitlements.Entitlement, 0, len(in))
+	for _, v := range in {
+		switch v {
+		case "security.insecure":
+			out = append(out, entitlements.EntitlementSecurityInsecure)
+		case "network.host":
+			out = append(out, entitlements.EntitlementNetworkHost)
+		default:
+			return nil, errors.Errorf("invalid entitlement: %v", v)
+		}
+	}
+	return out, nil
+}

build/output.go

@@ -2,6 +2,7 @@ package build
 
 import (
 	"encoding/csv"
+	"io"
 	"os"
 	"strings"
 
@@ -81,7 +82,7 @@ func ParseOutputs(inp []string) ([]client.ExportEntry, error) {
 				if _, err := console.ConsoleFromFile(os.Stdout); err == nil {
 					return nil, errors.Errorf("output file is required for %s exporter. refusing to write to console", out.Type)
 				}
-				out.Output = os.Stdout
+				out.Output = wrapWriteCloser(os.Stdout)
 			} else if dest != "" {
 				fi, err := os.Stat(dest)
 				if err != nil && !os.IsNotExist(err) {
@@ -94,7 +95,7 @@ func ParseOutputs(inp []string) ([]client.ExportEntry, error) {
 				if err != nil {
 					return nil, errors.Errorf("failed to open %s", err)
 				}
-				out.Output = f
+				out.Output = wrapWriteCloser(f)
 			}
 			delete(out.Attrs, "dest")
 		case "registry":
@@ -106,3 +107,9 @@ func ParseOutputs(inp []string) ([]client.ExportEntry, error) {
 	}
 	return outs, nil
 }
+
+func wrapWriteCloser(wc io.WriteCloser) func(map[string]string) (io.WriteCloser, error) {
+	return func(map[string]string) (io.WriteCloser, error) {
+		return wc, nil
+	}
+}

commands/bake.go

@@ -51,7 +51,7 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) error {
 		return nil
 	}
 
-	bo, err := bake.TargetsToBuildOpt(m)
+	bo, err := bake.TargetsToBuildOpt(m, in.noCache, in.pull)
 	if err != nil {
 		return err
 	}

commands/build.go

@@ -44,6 +44,8 @@ type buildOptions struct {
 	squash bool
 	quiet  bool
 
+	allow []string
+
 	// hidden
 	// untrusted   bool
 	// ulimits        *opts.UlimitOpt
@@ -84,8 +86,8 @@ func runBuild(dockerCli command.Cli, in buildOptions) error {
 			InStream:       os.Stdin,
 		},
 		Tags:        in.tags,
-		Labels:      listToMap(in.labels),
-		BuildArgs:   listToMap(in.buildArgs),
+		Labels:      listToMap(in.labels, false),
+		BuildArgs:   listToMap(in.buildArgs, true),
 		Pull:        in.pull,
 		NoCache:     in.noCache,
 		Target:      in.target,
@@ -167,6 +169,12 @@ func runBuild(dockerCli command.Cli, in buildOptions) error {
 	}
 	opts.CacheTo = cacheExports
 
+	allow, err := build.ParseEntitlements(in.allow)
+	if err != nil {
+		return err
+	}
+	opts.Allow = allow
+
 	return buildTargets(ctx, dockerCli, map[string]build.Options{"default": opts}, in.progress)
 }
 
@@ -214,6 +222,8 @@ func buildCmd(dockerCli command.Cli) *cobra.Command {
 
 	flags.StringVar(&options.target, "target", "", "Set the target build stage to build.")
 
+	flags.StringSliceVar(&options.allow, "allow", []string{}, "Allow extra privileged entitlement, e.g. network.host, security.insecure")
+
 	// not implemented
 	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Suppress the build output and print image ID on success")
 	flags.StringVar(&options.networkMode, "network", "default", "Set the networking mode for the RUN instructions during build")
@@ -282,12 +292,16 @@ func commonFlags(options *commonOptions, flags *pflag.FlagSet) {
 	flags.BoolVar(&options.pull, "pull", false, "Always attempt to pull a newer version of the image")
 }
 
-func listToMap(values []string) map[string]string {
+func listToMap(values []string, defaultEnv bool) map[string]string {
 	result := make(map[string]string, len(values))
 	for _, value := range values {
 		kv := strings.SplitN(value, "=", 2)
 		if len(kv) == 1 {
-			result[kv[0]] = ""
+			if defaultEnv {
+				result[kv[0]] = os.Getenv(kv[0])
+			} else {
+				result[kv[0]] = ""
+			}
 		} else {
 			result[kv[0]] = kv[1]
 		}

commands/create.go

@@ -1,13 +1,16 @@
 package commands
 
 import (
+	"encoding/csv"
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/docker/buildx/driver"
 	"github.com/docker/buildx/store"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/google/shlex"
 	"github.com/moby/buildkit/util/appcontext"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -22,6 +25,9 @@ type createOptions struct {
 	actionAppend bool
 	actionLeave  bool
 	use          bool
+	flags        string
+	configFile   string
+	driverOpts   []string
 	// upgrade      bool // perform upgrade of the driver
 }
 
@@ -107,6 +113,14 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		ng.Driver = driverName
 	}
 
+	var flags []string
+	if in.flags != "" {
+		flags, err = shlex.Split(in.flags)
+		if err != nil {
+			return errors.Wrap(err, "failed to parse buildkit flags")
+		}
+	}
+
 	var ep string
 	if in.actionLeave {
 		if err := ng.Leave(in.nodeName); err != nil {
@@ -128,7 +142,11 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 				return err
 			}
 		}
-		if err := ng.Update(in.nodeName, ep, in.platform, len(args) > 0, in.actionAppend); err != nil {
+		m, err := csvToMap(in.driverOpts)
+		if err != nil {
+			return err
+		}
+		if err := ng.Update(in.nodeName, ep, in.platform, len(args) > 0, in.actionAppend, flags, in.configFile, m); err != nil {
 			return err
 		}
 	}
@@ -154,6 +172,11 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 func createCmd(dockerCli command.Cli) *cobra.Command {
 	var options createOptions
 
+	var drivers []string
+	for s := range driver.GetFactories() {
+		drivers = append(drivers, s)
+	}
+
 	cmd := &cobra.Command{
 		Use:   "create [OPTIONS] [CONTEXT|ENDPOINT]",
 		Short: "Create a new builder instance",
@@ -166,9 +189,12 @@ func createCmd(dockerCli command.Cli) *cobra.Command {
 	flags := cmd.Flags()
 
 	flags.StringVar(&options.name, "name", "", "Builder instance name")
-	flags.StringVar(&options.driver, "driver", "", "Driver to use (eg. docker-container)")
+	flags.StringVar(&options.driver, "driver", "", fmt.Sprintf("Driver to use (available: %v)", drivers))
 	flags.StringVar(&options.nodeName, "node", "", "Create/modify node with given name")
+	flags.StringVar(&options.flags, "buildkitd-flags", "", "Flags for buildkitd daemon")
+	flags.StringVar(&options.configFile, "config", "", "BuildKit config file")
 	flags.StringArrayVar(&options.platform, "platform", []string{}, "Fixed platforms for current node")
+	flags.StringArrayVar(&options.driverOpts, "driver-opt", []string{}, "Options for the driver")
 
 	flags.BoolVar(&options.actionAppend, "append", false, "Append a node to builder instead of changing it")
 	flags.BoolVar(&options.actionLeave, "leave", false, "Remove a node from builder instead of changing it")
@@ -178,3 +204,22 @@ func createCmd(dockerCli command.Cli) *cobra.Command {
 
 	return cmd
 }
+
+func csvToMap(in []string) (map[string]string, error) {
+	m := make(map[string]string, len(in))
+	for _, s := range in {
+		csvReader := csv.NewReader(strings.NewReader(s))
+		fields, err := csvReader.Read()
+		if err != nil {
+			return nil, err
+		}
+		for _, v := range fields {
+			p := strings.SplitN(v, "=", 2)
+			if len(p) != 2 {
+				return nil, errors.Errorf("invalid value %q, expecting k=v", v)
+			}
+			m[p[0]] = p[1]
+		}
+	}
+	return m, nil
+}

commands/inspect.go

@@ -114,6 +114,9 @@ func runInspect(dockerCli command.Cli, in inspectOptions, args []string) error {
 				fmt.Fprintf(w, "Error:\t%s\n", err.Error())
 			} else {
 				fmt.Fprintf(w, "Status:\t%s\n", ngi.drivers[i].info.Status)
+				if len(n.Flags) > 0 {
+					fmt.Fprintf(w, "Flags:\t%s\n", strings.Join(n.Flags, " "))
+				}
 				fmt.Fprintf(w, "Platforms:\t%s\n", strings.Join(platformutil.Format(platformutil.Dedupe(append(n.Platforms, ngi.drivers[i].platforms...))), ", "))
 			}
 		}

commands/util.go

@@ -174,7 +174,7 @@ func driversForNodeGroup(ctx context.Context, dockerCli command.Cli, ng *store.N
 				// TODO: replace the following line with dockerclient.WithAPIVersionNegotiation option in clientForEndpoint
 				dockerapi.NegotiateAPIVersion(ctx)
 
-				d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, f, dockerapi)
+				d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, f, dockerapi, n.Flags, n.ConfigFile, n.DriverOpts)
 				if err != nil {
 					di.Err = err
 					return nil
@@ -251,7 +251,7 @@ func getDefaultDrivers(ctx context.Context, dockerCli command.Cli) ([]build.Driv
 		return driversForNodeGroup(ctx, dockerCli, ng)
 	}
 
-	d, err := driver.GetDriver(ctx, "buildx_buildkit_default", nil, dockerCli.Client())
+	d, err := driver.GetDriver(ctx, "buildx_buildkit_default", nil, dockerCli.Client(), nil, "", nil)
 	if err != nil {
 		return nil, err
 	}

driver/docker-container/driver.go

@@ -1,6 +1,8 @@
 package docker
 
 import (
+	"archive/tar"
+	"bytes"
 	"context"
 	"io"
 	"io/ioutil"
@@ -20,11 +22,13 @@ import (
 	"github.com/pkg/errors"
 )
 
-var buildkitImage = "moby/buildkit:master" // TODO: make this verified and configuratble
+var defaultBuildkitImage = "moby/buildkit:buildx-stable-1" // TODO: make this verified
 
 type Driver struct {
 	driver.InitConfig
 	factory driver.Factory
+	netMode string
+	image   string
 }
 
 func (d *Driver) Bootstrap(ctx context.Context, l progress.Logger) error {
@@ -49,8 +53,12 @@ func (d *Driver) Bootstrap(ctx context.Context, l progress.Logger) error {
 }
 
 func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
-	if err := l.Wrap("pulling image "+buildkitImage, func() error {
-		rc, err := d.DockerAPI.ImageCreate(ctx, buildkitImage, types.ImageCreateOptions{})
+	imageName := defaultBuildkitImage
+	if d.image != "" {
+		imageName = d.image
+	}
+	if err := l.Wrap("pulling image "+imageName, func() error {
+		rc, err := d.DockerAPI.ImageCreate(ctx, imageName, types.ImageCreateOptions{})
 		if err != nil {
 			return err
 		}
@@ -59,15 +67,34 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 	}); err != nil {
 		return err
 	}
+
+	cfg := &container.Config{
+		Image: imageName,
+	}
+	if d.InitConfig.BuildkitFlags != nil {
+		cfg.Cmd = d.InitConfig.BuildkitFlags
+	}
+
 	if err := l.Wrap("creating container "+d.Name, func() error {
-		_, err := d.DockerAPI.ContainerCreate(ctx, &container.Config{
-			Image: buildkitImage,
-		}, &container.HostConfig{
+		hc := &container.HostConfig{
 			Privileged: true,
-		}, &network.NetworkingConfig{}, d.Name)
+		}
+		if d.netMode != "" {
+			hc.NetworkMode = container.NetworkMode(d.netMode)
+		}
+		_, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, d.Name)
 		if err != nil {
 			return err
 		}
+		if f := d.InitConfig.ConfigFile; f != "" {
+			buf, err := readFileToTar(f)
+			if err != nil {
+				return err
+			}
+			if err := d.DockerAPI.CopyToContainer(ctx, d.Name, "/", buf, dockertypes.CopyToContainerOptions{}); err != nil {
+				return err
+			}
+		}
 		if err := d.start(ctx, l); err != nil {
 			return err
 		}
@@ -239,3 +266,26 @@ type demux struct {
 func (d *demux) Read(dt []byte) (int, error) {
 	return d.Reader.Read(dt)
 }
+
+func readFileToTar(fn string) (*bytes.Buffer, error) {
+	buf := bytes.NewBuffer(nil)
+	tw := tar.NewWriter(buf)
+	dt, err := ioutil.ReadFile(fn)
+	if err != nil {
+		return nil, err
+	}
+	if err := tw.WriteHeader(&tar.Header{
+		Name: "/etc/buildkit/buildkitd.toml",
+		Size: int64(len(dt)),
+		Mode: 0644,
+	}); err != nil {
+		return nil, err
+	}
+	if _, err := tw.Write(dt); err != nil {
+		return nil, err
+	}
+	if err := tw.Close(); err != nil {
+		return nil, err
+	}
+	return buf, nil
+}

driver/docker-container/factory.go

@@ -37,8 +37,22 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 	if cfg.DockerAPI == nil {
 		return nil, errors.Errorf("%s driver requires docker API access", f.Name())
 	}
+	d := &Driver{factory: f, InitConfig: cfg}
+	for k, v := range cfg.DriverOpts {
+		switch k {
+		case "network":
+			d.netMode = v
+			if v == "host" {
+				d.InitConfig.BuildkitFlags = append(d.InitConfig.BuildkitFlags, "--allow-insecure-entitlement=network.host")
+			}
+		case "image":
+			d.image = v
+		default:
+			return nil, errors.Errorf("invalid driver option %s for docker-container driver", k)
+		}
+	}
 
-	return &Driver{factory: f, InitConfig: cfg}, nil
+	return d, nil
 }
 
 func (f *factory) AllowsInstances() bool {

driver/docker/factory.go

@@ -44,6 +44,9 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 	if cfg.DockerAPI == nil {
 		return nil, errors.Errorf("docker driver requires docker API access")
 	}
+	if cfg.ConfigFile != "" {
+		return nil, errors.Errorf("setting config file is not supported for docker driver, use dockerd configuration file")
+	}
 
 	return &Driver{factory: f, InitConfig: cfg}, nil
 }

driver/manager.go

@@ -23,10 +23,11 @@ type BuildkitConfig struct {
 
 type InitConfig struct {
 	// This object needs updates to be generic for different drivers
-	Name           string
-	DockerAPI      dockerclient.APIClient
-	BuildkitConfig BuildkitConfig
-	Meta           map[string]interface{}
+	Name          string
+	DockerAPI     dockerclient.APIClient
+	BuildkitFlags []string
+	ConfigFile    string
+	DriverOpts    map[string]string
 }
 
 var drivers map[string]Factory
@@ -71,10 +72,13 @@ func GetFactory(name string, instanceRequired bool) Factory {
 	return nil
 }
 
-func GetDriver(ctx context.Context, name string, f Factory, api dockerclient.APIClient) (Driver, error) {
+func GetDriver(ctx context.Context, name string, f Factory, api dockerclient.APIClient, flags []string, config string, do map[string]string) (Driver, error) {
 	ic := InitConfig{
-		DockerAPI: api,
-		Name:      name,
+		DockerAPI:     api,
+		Name:          name,
+		BuildkitFlags: flags,
+		ConfigFile:    config,
+		DriverOpts:    do,
 	}
 	if f == nil {
 		var err error
@@ -85,3 +89,7 @@ func GetDriver(ctx context.Context, name string, f Factory, api dockerclient.API
 	}
 	return f.New(ctx, ic)
 }
+
+func GetFactories() map[string]Factory {
+	return drivers
+}

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/cenkalti/backoff v2.1.1+incompatible // indirect
 	github.com/cloudflare/cfssl v0.0.0-20181213083726-b94e044bb51e // indirect
 	github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
-	github.com/containerd/containerd v1.3.0-0.20190426060238-3a3f0aac8819
+	github.com/containerd/containerd v1.3.0-0.20190507210959-7c1e88399ec0
 	github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448 // indirect
 	github.com/containerd/typeurl v0.0.0-20190228175220-2a93cfde8c20 // indirect
 	github.com/denisenkom/go-mssqldb v0.0.0-20190315220205-a8ed825ac853 // indirect
@@ -35,6 +35,7 @@ require (
 	github.com/gogo/protobuf v1.2.1 // indirect
 	github.com/google/certificate-transparency-go v1.0.21 // indirect
 	github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf // indirect
+	github.com/google/shlex v0.0.0-20150127133951-6f45313302b9
 	github.com/gorilla/mux v1.7.0 // indirect
 	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect
 	github.com/hashicorp/go-version v1.1.0 // indirect
@@ -51,7 +52,7 @@ require (
 	github.com/mattn/go-sqlite3 v1.10.0 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
 	github.com/miekg/pkcs11 v0.0.0-20190322140431-074fd7a1ed19 // indirect
-	github.com/moby/buildkit v0.5.2-0.20190513182223-f238f1efb04f
+	github.com/moby/buildkit v0.6.2-0.20190921002054-ae10b292fefb
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0-rc1

go.sum

@@ -39,20 +39,22 @@ github.com/containerd/cgroups v0.0.0-20190226200435-dbea6f2bd416/go.mod h1:X9rLE
 github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50 h1:WMpHmC6AxwWb9hMqhudkqG7A/p14KiMnl6d3r1iUMjU=
 github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
 github.com/containerd/containerd v1.2.4/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
-github.com/containerd/containerd v1.3.0-0.20190426060238-3a3f0aac8819 h1:otmq8xNIzAo+2SjPURbYZXVW+B6hZBAWJ+JApzCYWDk=
-github.com/containerd/containerd v1.3.0-0.20190426060238-3a3f0aac8819/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/containerd v1.3.0-0.20190507210959-7c1e88399ec0 h1:enps1EZBEgR8QxwdrpsoSxcsCXWnMKchIQ/0dzC0eKw=
+github.com/containerd/containerd v1.3.0-0.20190507210959-7c1e88399ec0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
 github.com/containerd/continuity v0.0.0-20181001140422-bd77b46c8352/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
-github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc h1:TP+534wVlf61smEIq1nwLLAjQVEK2EADoW3CX9AuT+8=
-github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
+github.com/containerd/continuity v0.0.0-20190827140505-75bee3e2ccb6 h1:NmTXa/uVnDyp0TY5MKi197+3HWcnYWfnHGyaFthlnGw=
+github.com/containerd/continuity v0.0.0-20190827140505-75bee3e2ccb6/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/fifo v0.0.0-20180307165137-3d5202aec260/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
 github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448 h1:PUD50EuOMkXVcpBIA/R95d56duJR9VxhwncsFbNnxW4=
 github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
-github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
+github.com/containerd/go-cni v0.0.0-20190610170741-5a4663dad645/go.mod h1:2wlRxCQdiBY+OcjNg5x8kI+5mEL1fGt25L4IzQHYJsM=
+github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
 github.com/containerd/ttrpc v0.0.0-20190411181408-699c4e40d1e7 h1:SKDlsIhYxNE1LO0xwuOR+3QWj3zRibVQu5jWIMQmOfU=
 github.com/containerd/ttrpc v0.0.0-20190411181408-699c4e40d1e7/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
 github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
 github.com/containerd/typeurl v0.0.0-20190228175220-2a93cfde8c20 h1:14r0i3IeJj6zkNLigAJiv/TWSR8EY+pxIjv5tFiT+n8=
 github.com/containerd/typeurl v0.0.0-20190228175220-2a93cfde8c20/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
+github.com/containernetworking/cni v0.6.1-0.20180218032124-142cde0c766c/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
@@ -89,7 +91,7 @@ github.com/docker/go-metrics v0.0.0-20170502235133-d466d4f6fd96 h1:HVQ/BC7Ze+bcV
 github.com/docker/go-metrics v0.0.0-20170502235133-d466d4f6fd96/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
 github.com/docker/go-units v0.3.1 h1:QAFdsA6jLCnglbqE6mUsHuPcJlntY94DkxHf4deHKIU=
 github.com/docker/go-units v0.3.1/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/libnetwork v0.0.0-20180913200009-36d3bed0e9f4/go.mod h1:93m0aTqz6z+g32wla4l4WxTrdtvBRmVzYRkYvasA5Z8=
+github.com/docker/libnetwork v0.8.0-dev.2.0.20190604151032-3c26b4e7495e/go.mod h1:93m0aTqz6z+g32wla4l4WxTrdtvBRmVzYRkYvasA5Z8=
 github.com/docker/libtrust v0.0.0-20150526203908-9cbd2a1374f4 h1:k8TfKGeAcDQFFQOGCQMRN04N4a9YrPlRMMKnzAuvM9Q=
 github.com/docker/libtrust v0.0.0-20150526203908-9cbd2a1374f4/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y=
@@ -181,8 +183,8 @@ github.com/miekg/pkcs11 v0.0.0-20190322140431-074fd7a1ed19/go.mod h1:WCBAbTOdfhH
 github.com/mitchellh/hashstructure v0.0.0-20170609045927-2bca23e0e452/go.mod h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ=
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/moby/buildkit v0.5.2-0.20190513182223-f238f1efb04f h1:gNiytoQ3/71JJKWbLPtxoInde5kBRpvqH6EbUf12JDU=
-github.com/moby/buildkit v0.5.2-0.20190513182223-f238f1efb04f/go.mod h1:RozsxlEOjPuX/zKKrd0ZS76dlVNZu4qAff+vj7hR/qs=
+github.com/moby/buildkit v0.6.2-0.20190921002054-ae10b292fefb h1:enyviD1ZOxgo62sGpT2yQY1uTtruq84wYJPjFJwsbH0=
+github.com/moby/buildkit v0.6.2-0.20190921002054-ae10b292fefb/go.mod h1:JKVImCzxztxvULr5P6ZiBfA/B2P+ZpR6UHxOXQn4KiU=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
@@ -197,8 +199,8 @@ github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQ
 github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/runc v1.0.0-rc6/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
-github.com/opencontainers/runc v1.0.1-0.20190307181833-2b18fe1d885e h1:+uPGJuuDl61O9GKN/rLHkUCf597mpxmJI06RqMQX81A=
-github.com/opencontainers/runc v1.0.1-0.20190307181833-2b18fe1d885e/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runc v1.0.0-rc8 h1:dDCFes8Hj1r/i5qnypONo5jdOme/8HWZC/aNDyhECt0=
+github.com/opencontainers/runc v1.0.0-rc8/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runtime-spec v0.0.0-20180909173843-eba862dc2470/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.1 h1:wY4pOY8fBdSIvs9+IDHC55thBuEulhzfSgKeC1yFvzQ=
 github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
@@ -246,8 +248,8 @@ github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 h1:b6uOv7YOFK0
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/theupdateframework/notary v0.6.1 h1:7wshjstgS9x9F5LuB1L5mBI2xNMObWqjz+cjWoom6l0=
 github.com/theupdateframework/notary v0.6.1/go.mod h1:MOfgIfmox8s7/7fduvB2xyPPMJCrjRLRizA8OFwpnKY=
-github.com/tonistiigi/fsutil v0.0.0-20190327153851-3bbb99cdbd76 h1:eGfgYrNUSD448sa4mxH6nQpyZfN39QH0mLB7QaKIjus=
-github.com/tonistiigi/fsutil v0.0.0-20190327153851-3bbb99cdbd76/go.mod h1:pzh7kdwkDRh+Bx8J30uqaKJ1M4QrSH/um8fcIXeM8rc=
+github.com/tonistiigi/fsutil v0.0.0-20190819224149-3d2716dd0a4d h1:HJg27yqwTV7vFG9dWPDbUi373o/bmSDYGN9mZgVwdH0=
+github.com/tonistiigi/fsutil v0.0.0-20190819224149-3d2716dd0a4d/go.mod h1:pzh7kdwkDRh+Bx8J30uqaKJ1M4QrSH/um8fcIXeM8rc=
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea h1:SXhTLE6pb6eld/v/cCndK0AMpt1wiVFb/YYmqB3/QG0=
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea/go.mod h1:WPnis/6cRcDZSUvVmezrxJPkiO87ThFYsoUiMwWNDJk=
 github.com/tonistiigi/vt100 v0.0.0-20190402012908-ad4c4a574305 h1:y/1cL5AL2oRcfzz8CAHHhR6kDDfIOT0WEyH5k40sccM=

hack/demo-env/examples/compose/docker-compose.yml

@@ -7,6 +7,7 @@ services:
     image: docker.io/tonistiigi/db
   webapp:
     build:
+      context: .
       dockerfile: Dockerfile.webapp
       args:
         buildno: 1

hack/generate-authors

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail -x
+
+if [ -x "$(command -v greadlink)" ]; then
+	# on macOS, GNU readlink is ava (greadlink) can be installed through brew install coreutils
+	cd "$(dirname "$(greadlink -f "$BASH_SOURCE")")/.."
+else
+	cd "$(dirname "$(readlink -f "$BASH_SOURCE")")/.."
+fi
+
+# see also ".mailmap" for how email addresses and names are deduplicated
+
+{
+	cat <<-'EOH'
+	# This file lists all individuals having contributed content to the repository.
+	# For how it is generated, see `scripts/generate-authors.sh`.
+	EOH
+	echo
+	git log --format='%aN <%aE>' | LC_ALL=C.UTF-8 sort -uf
+} > AUTHORS

store/nodegroup.go

@@ -16,9 +16,12 @@ type NodeGroup struct {
 }
 
 type Node struct {
-	Name      string
-	Endpoint  string
-	Platforms []specs.Platform
+	Name       string
+	Endpoint   string
+	Platforms  []specs.Platform
+	Flags      []string
+	ConfigFile string
+	DriverOpts map[string]string
 }
 
 func (ng *NodeGroup) Leave(name string) error {
@@ -33,7 +36,7 @@ func (ng *NodeGroup) Leave(name string) error {
 	return nil
 }
 
-func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpointsSet bool, actionAppend bool) error {
+func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpointsSet bool, actionAppend bool, flags []string, configFile string, do map[string]string) error {
 	i := ng.findNode(name)
 	if i == -1 && !actionAppend {
 		if len(ng.Nodes) > 0 {
@@ -55,6 +58,9 @@ func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpoints
 		if len(platforms) > 0 {
 			n.Platforms = pp
 		}
+		if flags != nil {
+			n.Flags = flags
+		}
 		ng.Nodes[i] = n
 		if err := ng.validateDuplicates(endpoint, i); err != nil {
 			return err
@@ -72,9 +78,12 @@ func (ng *NodeGroup) Update(name, endpoint string, platforms []string, endpoints
 	}
 
 	n := Node{
-		Name:      name,
-		Endpoint:  endpoint,
-		Platforms: pp,
+		Name:       name,
+		Endpoint:   endpoint,
+		Platforms:  pp,
+		ConfigFile: configFile,
+		Flags:      flags,
+		DriverOpts: do,
 	}
 	ng.Nodes = append(ng.Nodes, n)
 

store/nodegroup_test.go

@@ -11,16 +11,16 @@ func TestNodeGroupUpdate(t *testing.T) {
 	t.Parallel()
 
 	ng := &NodeGroup{}
-	err := ng.Update("foo", "foo0", []string{"linux/amd64"}, true, false)
+	err := ng.Update("foo", "foo0", []string{"linux/amd64"}, true, false, []string{"--debug"}, "", nil)
 	require.NoError(t, err)
 
-	err = ng.Update("foo1", "foo1", []string{"linux/arm64", "linux/arm/v7"}, true, true)
+	err = ng.Update("foo1", "foo1", []string{"linux/arm64", "linux/arm/v7"}, true, true, nil, "", nil)
 	require.NoError(t, err)
 
 	require.Equal(t, len(ng.Nodes), 2)
 
 	// update
-	err = ng.Update("foo", "foo2", []string{"linux/amd64", "linux/arm"}, true, false)
+	err = ng.Update("foo", "foo2", []string{"linux/amd64", "linux/arm"}, true, false, nil, "", nil)
 	require.NoError(t, err)
 
 	require.Equal(t, len(ng.Nodes), 2)
@@ -28,9 +28,11 @@ func TestNodeGroupUpdate(t *testing.T) {
 	require.Equal(t, []string{"linux/arm64"}, platformutil.Format(ng.Nodes[1].Platforms))
 
 	require.Equal(t, "foo2", ng.Nodes[0].Endpoint)
+	require.Equal(t, []string{"--debug"}, ng.Nodes[0].Flags)
+	require.Equal(t, []string(nil), ng.Nodes[1].Flags)
 
 	// duplicate endpoint
-	err = ng.Update("foo1", "foo2", nil, true, false)
+	err = ng.Update("foo1", "foo2", nil, true, false, nil, "", nil)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "duplicate endpoint")
 

vendor/github.com/containerd/containerd/README.md

@@ -1,4 +1,4 @@
-![containerd banner](https://raw.githubusercontent.com/cncf/artwork/master/containerd/horizontal/color/containerd-horizontal-color.png)
+![containerd banner](https://raw.githubusercontent.com/cncf/artwork/master/projects/containerd/horizontal/color/containerd-horizontal-color.png)
 
 [![GoDoc](https://godoc.org/github.com/containerd/containerd?status.svg)](https://godoc.org/github.com/containerd/containerd)
 [![Build Status](https://travis-ci.org/containerd/containerd.svg?branch=master)](https://travis-ci.org/containerd/containerd)

vendor/github.com/containerd/containerd/images/archive/importer.go

@@ -197,10 +197,7 @@ func onUntarJSON(r io.Reader, j interface{}) error {
 	if err != nil {
 		return err
 	}
-	if err := json.Unmarshal(b, j); err != nil {
-		return err
-	}
-	return nil
+	return json.Unmarshal(b, j)
 }
 
 func onUntarBlob(ctx context.Context, r io.Reader, store content.Ingester, size int64, ref string) (digest.Digest, error) {

vendor/github.com/containerd/containerd/mount/mount_linux.go

@@ -111,7 +111,18 @@ func unmount(target string, flags int) error {
 // UnmountAll repeatedly unmounts the given mount point until there
 // are no mounts remaining (EINVAL is returned by mount), which is
 // useful for undoing a stack of mounts on the same mount point.
+// UnmountAll all is noop when the first argument is an empty string.
+// This is done when the containerd client did not specify any rootfs
+// mounts (e.g. because the rootfs is managed outside containerd)
+// UnmountAll is noop when the mount path does not exist.
 func UnmountAll(mount string, flags int) error {
+	if mount == "" {
+		return nil
+	}
+	if _, err := os.Stat(mount); os.IsNotExist(err) {
+		return nil
+	}
+
 	for {
 		if err := unmount(mount, flags); err != nil {
 			// EINVAL is returned if the target is not a

vendor/github.com/containerd/containerd/remotes/docker/handler.go

@@ -88,7 +88,7 @@ func appendDistributionSourceLabel(originLabel, repo string) string {
 	}
 	repos = append(repos, repo)
 
-	// use emtpy string to present duplicate items
+	// use empty string to present duplicate items
 	for i := 1; i < len(repos); i++ {
 		tmp, j := repos[i], i-1
 		for ; j >= 0 && repos[j] >= tmp; j-- {

vendor/github.com/containerd/containerd/remotes/docker/resolver.go

@@ -18,10 +18,10 @@ package docker
 
 import (
 	"context"
+	"io"
 	"net/http"
 	"net/url"
 	"path"
-	"strconv"
 	"strings"
 
 	"github.com/containerd/containerd/errdefs"
@@ -29,6 +29,7 @@ import (
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/reference"
 	"github.com/containerd/containerd/remotes"
+	"github.com/containerd/containerd/remotes/docker/schema1"
 	"github.com/containerd/containerd/version"
 	digest "github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -150,6 +151,32 @@ func NewResolver(options ResolverOptions) remotes.Resolver {
 	}
 }
 
+func getManifestMediaType(resp *http.Response) string {
+	// Strip encoding data (manifests should always be ascii JSON)
+	contentType := resp.Header.Get("Content-Type")
+	if sp := strings.IndexByte(contentType, ';'); sp != -1 {
+		contentType = contentType[0:sp]
+	}
+
+	// As of Apr 30 2019 the registry.access.redhat.com registry does not specify
+	// the content type of any data but uses schema1 manifests.
+	if contentType == "text/plain" {
+		contentType = images.MediaTypeDockerSchema1Manifest
+	}
+	return contentType
+}
+
+type countingReader struct {
+	reader    io.Reader
+	bytesRead int64
+}
+
+func (r *countingReader) Read(p []byte) (int, error) {
+	n, err := r.reader.Read(p)
+	r.bytesRead += int64(n)
+	return n, err
+}
+
 var _ remotes.Resolver = &dockerResolver{}
 
 func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocispec.Descriptor, error) {
@@ -220,40 +247,56 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
 			}
 			return "", ocispec.Descriptor{}, errors.Errorf("unexpected status code %v: %v", u, resp.Status)
 		}
+		size := resp.ContentLength
 
 		// this is the only point at which we trust the registry. we use the
 		// content headers to assemble a descriptor for the name. when this becomes
 		// more robust, we mostly get this information from a secure trust store.
 		dgstHeader := digest.Digest(resp.Header.Get("Docker-Content-Digest"))
+		contentType := getManifestMediaType(resp)
 
-		if dgstHeader != "" {
+		if dgstHeader != "" && size != -1 {
 			if err := dgstHeader.Validate(); err != nil {
 				return "", ocispec.Descriptor{}, errors.Wrapf(err, "%q in header not a valid digest", dgstHeader)
 			}
 			dgst = dgstHeader
-		}
+		} else {
+			log.G(ctx).Debug("no Docker-Content-Digest header, fetching manifest instead")
 
-		if dgst == "" {
-			return "", ocispec.Descriptor{}, errors.Errorf("could not resolve digest for %v", ref)
-		}
+			req, err := http.NewRequest(http.MethodGet, u, nil)
+			if err != nil {
+				return "", ocispec.Descriptor{}, err
+			}
+			req.Header = r.headers
 
-		var (
-			size       int64
-			sizeHeader = resp.Header.Get("Content-Length")
-		)
+			resp, err := fetcher.doRequestWithRetries(ctx, req, nil)
+			if err != nil {
+				return "", ocispec.Descriptor{}, err
+			}
+			defer resp.Body.Close()
 
-		size, err = strconv.ParseInt(sizeHeader, 10, 64)
-		if err != nil {
+			bodyReader := countingReader{reader: resp.Body}
 
-			return "", ocispec.Descriptor{}, errors.Wrapf(err, "invalid size header: %q", sizeHeader)
-		}
-		if size < 0 {
-			return "", ocispec.Descriptor{}, errors.Errorf("%q in header not a valid size", sizeHeader)
+			contentType = getManifestMediaType(resp)
+			if contentType == images.MediaTypeDockerSchema1Manifest {
+				b, err := schema1.ReadStripSignature(&bodyReader)
+				if err != nil {
+					return "", ocispec.Descriptor{}, err
+				}
+
+				dgst = digest.FromBytes(b)
+			} else {
+				dgst, err = digest.FromReader(&bodyReader)
+				if err != nil {
+					return "", ocispec.Descriptor{}, err
+				}
+			}
+			size = bodyReader.bytesRead
 		}
 
 		desc := ocispec.Descriptor{
 			Digest:    dgst,
-			MediaType: resp.Header.Get("Content-Type"), // need to strip disposition?
+			MediaType: contentType,
 			Size:      size,
 		}
 

vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go

@@ -227,6 +227,17 @@ func (c *Converter) Convert(ctx context.Context, opts ...ConvertOpt) (ocispec.De
 	return desc, nil
 }
 
+// ReadStripSignature reads in a schema1 manifest and returns a byte array
+// with the "signatures" field stripped
+func ReadStripSignature(schema1Blob io.Reader) ([]byte, error) {
+	b, err := ioutil.ReadAll(io.LimitReader(schema1Blob, manifestSizeLimit)) // limit to 8MB
+	if err != nil {
+		return nil, err
+	}
+
+	return stripSignature(b)
+}
+
 func (c *Converter) fetchManifest(ctx context.Context, desc ocispec.Descriptor) error {
 	log.G(ctx).Debug("fetch schema 1")
 
@@ -235,17 +246,12 @@ func (c *Converter) fetchManifest(ctx context.Context, desc ocispec.Descriptor)
 		return err
 	}
 
-	b, err := ioutil.ReadAll(io.LimitReader(rc, manifestSizeLimit)) // limit to 8MB
+	b, err := ReadStripSignature(rc)
 	rc.Close()
 	if err != nil {
 		return err
 	}
 
-	b, err = stripSignature(b)
-	if err != nil {
-		return err
-	}
-
 	var m manifest
 	if err := json.Unmarshal(b, &m); err != nil {
 		return err

vendor/github.com/containerd/containerd/vendor.conf

@@ -20,7 +20,7 @@ github.com/gogo/protobuf v1.2.1
 github.com/gogo/googleapis v1.2.0
 github.com/golang/protobuf v1.2.0
 github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
-github.com/opencontainers/runc 029124da7af7360afa781a0234d1b083550f797c
+github.com/opencontainers/runc v1.0.0-rc8
 github.com/konsorten/go-windows-terminal-sequences v1.0.1
 github.com/sirupsen/logrus v1.4.1
 github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c
@@ -37,15 +37,15 @@ github.com/Microsoft/go-winio 84b4ab48a50763fe7b3abcef38e5205c12027fac
 github.com/Microsoft/hcsshim 8abdbb8205e4192c68b5f84c31197156f31be517
 google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
 golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4
-github.com/containerd/ttrpc f02858b1457c5ca3aaec3a0803eb0d59f96e41d6
+github.com/containerd/ttrpc 699c4e40d1e7416e08bf7019c7ce2e9beced4636
 github.com/syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2
 gotest.tools v2.3.0
 github.com/google/go-cmp v0.2.0
 go.etcd.io/bbolt v1.3.2
 
 # cri dependencies
-github.com/containerd/cri 6d353571e64417d80c9478ffaea793714dd539d0 # master
-github.com/containerd/go-cni 40bcf8ec8acd7372be1d77031d585d5d8e561c90
+github.com/containerd/cri 2fc62db8146ce66f27b37306ad5fda34207835f3 # master
+github.com/containerd/go-cni 891c2a41e18144b2d7921f971d6c9789a68046b2
 github.com/containernetworking/cni v0.6.0
 github.com/containernetworking/plugins v0.7.0
 github.com/davecgh/go-spew v1.1.0
@@ -59,7 +59,7 @@ github.com/hashicorp/go-multierror ed905158d87462226a13fe39ddf685ea65f1c11f
 github.com/json-iterator/go 1.1.5
 github.com/modern-go/reflect2 1.0.1
 github.com/modern-go/concurrent 1.0.3
-github.com/opencontainers/selinux v1.2.1
+github.com/opencontainers/selinux v1.2.2
 github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
 github.com/tchap/go-patricia v2.2.6
 golang.org/x/crypto 88737f569e3a9c7ab309cdc09a07fe7fc87233c3

vendor/github.com/containerd/continuity/fs/copy.go

@@ -80,7 +80,7 @@ func copyDirectory(dst, src string, inodes map[uint64]string, o *copyDirOpts) er
 		return errors.Wrapf(err, "failed to stat %s", src)
 	}
 	if !stat.IsDir() {
-		return errors.Errorf("source is not directory")
+		return errors.Errorf("source %s is not directory", src)
 	}
 
 	if st, err := os.Stat(dst); err != nil {

vendor/github.com/moby/buildkit/client/llb/exec.go

@@ -427,11 +427,13 @@ func Security(s pb.SecurityMode) RunOption {
 }
 
 func Shlex(str string) RunOption {
-	return Shlexf(str)
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = shlexf(str, false)(ei.State)
+	})
 }
 func Shlexf(str string, v ...interface{}) RunOption {
 	return runOptionFunc(func(ei *ExecInfo) {
-		ei.State = shlexf(str, v...)(ei.State)
+		ei.State = shlexf(str, true, v...)(ei.State)
 	})
 }
 
@@ -442,7 +444,9 @@ func Args(a []string) RunOption {
 }
 
 func AddEnv(key, value string) RunOption {
-	return AddEnvf(key, value)
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = ei.State.AddEnv(key, value)
+	})
 }
 
 func AddEnvf(key, value string, v ...interface{}) RunOption {
@@ -458,7 +462,9 @@ func User(str string) RunOption {
 }
 
 func Dir(str string) RunOption {
-	return Dirf(str)
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = ei.State.Dir(str)
+	})
 }
 func Dirf(str string, v ...interface{}) RunOption {
 	return runOptionFunc(func(ei *ExecInfo) {

vendor/github.com/moby/buildkit/client/llb/meta.go

@@ -24,19 +24,24 @@ var (
 	keySecurity  = contextKeyT("llb.security")
 )
 
-func addEnvf(key, value string, v ...interface{}) StateOption {
+func addEnvf(key, value string, replace bool, v ...interface{}) StateOption {
+	if replace {
+		value = fmt.Sprintf(value, v...)
+	}
 	return func(s State) State {
-		return s.WithValue(keyEnv, getEnv(s).AddOrReplace(key, fmt.Sprintf(value, v...)))
+		return s.WithValue(keyEnv, getEnv(s).AddOrReplace(key, value))
 	}
 }
 
 func dir(str string) StateOption {
-	return dirf(str)
+	return dirf(str, false)
 }
 
-func dirf(str string, v ...interface{}) StateOption {
+func dirf(value string, replace bool, v ...interface{}) StateOption {
+	if replace {
+		value = fmt.Sprintf(value, v...)
+	}
 	return func(s State) State {
-		value := fmt.Sprintf(str, v...)
 		if !path.IsAbs(value) {
 			prev := getDir(s)
 			if prev == "" {
@@ -100,9 +105,12 @@ func args(args ...string) StateOption {
 	}
 }
 
-func shlexf(str string, v ...interface{}) StateOption {
+func shlexf(str string, replace bool, v ...interface{}) StateOption {
+	if replace {
+		str = fmt.Sprintf(str, v...)
+	}
 	return func(s State) State {
-		arg, err := shlex.Split(fmt.Sprintf(str, v...))
+		arg, err := shlex.Split(str)
 		if err != nil {
 			// TODO: handle error
 		}

vendor/github.com/moby/buildkit/client/llb/state.go

@@ -240,18 +240,18 @@ func (s State) File(a *FileAction, opts ...ConstraintsOpt) State {
 }
 
 func (s State) AddEnv(key, value string) State {
-	return s.AddEnvf(key, value)
+	return addEnvf(key, value, false)(s)
 }
 
 func (s State) AddEnvf(key, value string, v ...interface{}) State {
-	return addEnvf(key, value, v...)(s)
+	return addEnvf(key, value, true, v...)(s)
 }
 
 func (s State) Dir(str string) State {
-	return s.Dirf(str)
+	return dirf(str, false)(s)
 }
 func (s State) Dirf(str string, v ...interface{}) State {
-	return dirf(str, v...)(s)
+	return dirf(str, true, v...)(s)
 }
 
 func (s State) GetEnv(key string) (string, bool) {

vendor/github.com/moby/buildkit/client/solve.go

@@ -46,8 +46,8 @@ type SolveOpt struct {
 type ExportEntry struct {
 	Type      string
 	Attrs     map[string]string
-	Output    io.WriteCloser // for ExporterOCI and ExporterDocker
-	OutputDir string         // for ExporterLocal
+	Output    func(map[string]string) (io.WriteCloser, error) // for ExporterOCI and ExporterDocker
+	OutputDir string                                          // for ExporterLocal
 }
 
 type CacheOptionsEntry struct {

vendor/github.com/moby/buildkit/frontend/gateway/grpcclient/client.go

@@ -128,7 +128,7 @@ func (c *grpcClient) Run(ctx context.Context, f client.BuildFunc) (retError erro
 				}
 			}
 			if retError != nil {
-				st, _ := status.FromError(retError)
+				st, _ := status.FromError(errors.Cause(retError))
 				stp := st.Proto()
 				req.Error = &rpc.Status{
 					Code:    stp.Code,

vendor/github.com/moby/buildkit/session/auth/auth.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/moby/buildkit/session"
+	"github.com/pkg/errors"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
@@ -16,10 +17,10 @@ func CredentialsFunc(ctx context.Context, c session.Caller) func(string) (string
 			Host: host,
 		})
 		if err != nil {
-			if st, ok := status.FromError(err); ok && st.Code() == codes.Unimplemented {
+			if st, ok := status.FromError(errors.Cause(err)); ok && st.Code() == codes.Unimplemented {
 				return "", "", nil
 			}
-			return "", "", err
+			return "", "", errors.WithStack(err)
 		}
 		return resp.Username, resp.Secret, nil
 	}

vendor/github.com/moby/buildkit/session/content/caller.go

@@ -9,6 +9,7 @@ import (
 	"github.com/moby/buildkit/session"
 	digest "github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
 	"google.golang.org/grpc/metadata"
 )
 
@@ -31,47 +32,53 @@ func (cs *callerContentStore) choose(ctx context.Context) context.Context {
 
 func (cs *callerContentStore) Info(ctx context.Context, dgst digest.Digest) (content.Info, error) {
 	ctx = cs.choose(ctx)
-	return cs.store.Info(ctx, dgst)
+	info, err := cs.store.Info(ctx, dgst)
+	return info, errors.WithStack(err)
 }
 
 func (cs *callerContentStore) Update(ctx context.Context, info content.Info, fieldpaths ...string) (content.Info, error) {
 	ctx = cs.choose(ctx)
-	return cs.store.Update(ctx, info, fieldpaths...)
+	info, err := cs.store.Update(ctx, info, fieldpaths...)
+	return info, errors.WithStack(err)
 }
 
 func (cs *callerContentStore) Walk(ctx context.Context, fn content.WalkFunc, fs ...string) error {
 	ctx = cs.choose(ctx)
-	return cs.store.Walk(ctx, fn, fs...)
+	return errors.WithStack(cs.store.Walk(ctx, fn, fs...))
 }
 
 func (cs *callerContentStore) Delete(ctx context.Context, dgst digest.Digest) error {
 	ctx = cs.choose(ctx)
-	return cs.store.Delete(ctx, dgst)
+	return errors.WithStack(cs.store.Delete(ctx, dgst))
 }
 
 func (cs *callerContentStore) ListStatuses(ctx context.Context, fs ...string) ([]content.Status, error) {
 	ctx = cs.choose(ctx)
-	return cs.store.ListStatuses(ctx, fs...)
+	resp, err := cs.store.ListStatuses(ctx, fs...)
+	return resp, errors.WithStack(err)
 }
 
 func (cs *callerContentStore) Status(ctx context.Context, ref string) (content.Status, error) {
 	ctx = cs.choose(ctx)
-	return cs.store.Status(ctx, ref)
+	st, err := cs.store.Status(ctx, ref)
+	return st, errors.WithStack(err)
 }
 
 func (cs *callerContentStore) Abort(ctx context.Context, ref string) error {
 	ctx = cs.choose(ctx)
-	return cs.store.Abort(ctx, ref)
+	return errors.WithStack(cs.store.Abort(ctx, ref))
 }
 
 func (cs *callerContentStore) Writer(ctx context.Context, opts ...content.WriterOpt) (content.Writer, error) {
 	ctx = cs.choose(ctx)
-	return cs.store.Writer(ctx, opts...)
+	w, err := cs.store.Writer(ctx, opts...)
+	return w, errors.WithStack(err)
 }
 
 func (cs *callerContentStore) ReaderAt(ctx context.Context, desc ocispec.Descriptor) (content.ReaderAt, error) {
 	ctx = cs.choose(ctx)
-	return cs.store.ReaderAt(ctx, desc)
+	ra, err := cs.store.ReaderAt(ctx, desc)
+	return ra, errors.WithStack(err)
 }
 
 // NewCallerStore creates content.Store from session.Caller with specified storeID

vendor/github.com/moby/buildkit/session/filesync/diffcopy.go

@@ -14,7 +14,7 @@ import (
 )
 
 func sendDiffCopy(stream grpc.Stream, fs fsutil.FS, progress progressCb) error {
-	return fsutil.Send(stream.Context(), stream, fs, progress)
+	return errors.WithStack(fsutil.Send(stream.Context(), stream, fs, progress))
 }
 
 func newStreamWriter(stream grpc.ClientStream) io.WriteCloser {
@@ -29,7 +29,7 @@ type bufferedWriteCloser struct {
 
 func (bwc *bufferedWriteCloser) Close() error {
 	if err := bwc.Writer.Flush(); err != nil {
-		return err
+		return errors.WithStack(err)
 	}
 	return bwc.Closer.Close()
 }
@@ -40,19 +40,25 @@ type streamWriterCloser struct {
 
 func (wc *streamWriterCloser) Write(dt []byte) (int, error) {
 	if err := wc.ClientStream.SendMsg(&BytesMessage{Data: dt}); err != nil {
-		return 0, err
+		// SendMsg return EOF on remote errors
+		if errors.Cause(err) == io.EOF {
+			if err := errors.WithStack(wc.ClientStream.RecvMsg(struct{}{})); err != nil {
+				return 0, err
+			}
+		}
+		return 0, errors.WithStack(err)
 	}
 	return len(dt), nil
 }
 
 func (wc *streamWriterCloser) Close() error {
 	if err := wc.ClientStream.CloseSend(); err != nil {
-		return err
+		return errors.WithStack(err)
 	}
 	// block until receiver is done
 	var bm BytesMessage
 	if err := wc.ClientStream.RecvMsg(&bm); err != io.EOF {
-		return err
+		return errors.WithStack(err)
 	}
 	return nil
 }
@@ -69,19 +75,19 @@ func recvDiffCopy(ds grpc.Stream, dest string, cu CacheUpdater, progress progres
 		cf = cu.HandleChange
 		ch = cu.ContentHasher()
 	}
-	return fsutil.Receive(ds.Context(), ds, dest, fsutil.ReceiveOpt{
+	return errors.WithStack(fsutil.Receive(ds.Context(), ds, dest, fsutil.ReceiveOpt{
 		NotifyHashed:  cf,
 		ContentHasher: ch,
 		ProgressCb:    progress,
 		Filter:        fsutil.FilterFunc(filter),
-	})
+	}))
 }
 
 func syncTargetDiffCopy(ds grpc.Stream, dest string) error {
 	if err := os.MkdirAll(dest, 0700); err != nil {
-		return err
+		return errors.Wrapf(err, "failed to create synctarget dest dir %s", dest)
 	}
-	return fsutil.Receive(ds.Context(), ds, dest, fsutil.ReceiveOpt{
+	return errors.WithStack(fsutil.Receive(ds.Context(), ds, dest, fsutil.ReceiveOpt{
 		Merge: true,
 		Filter: func() func(string, *fstypes.Stat) bool {
 			uid := os.Getuid()
@@ -92,7 +98,7 @@ func syncTargetDiffCopy(ds grpc.Stream, dest string) error {
 				return true
 			}
 		}(),
-	})
+	}))
 }
 
 func writeTargetFile(ds grpc.Stream, wc io.WriteCloser) error {
@@ -102,10 +108,10 @@ func writeTargetFile(ds grpc.Stream, wc io.WriteCloser) error {
 			if errors.Cause(err) == io.EOF {
 				return nil
 			}
-			return err
+			return errors.WithStack(err)
 		}
 		if _, err := wc.Write(bm.Data); err != nil {
-			return err
+			return errors.WithStack(err)
 		}
 	}
 }

vendor/github.com/moby/buildkit/session/filesync/filesync.go

@@ -18,11 +18,12 @@ import (
 )
 
 const (
-	keyOverrideExcludes = "override-excludes"
-	keyIncludePatterns  = "include-patterns"
-	keyExcludePatterns  = "exclude-patterns"
-	keyFollowPaths      = "followpaths"
-	keyDirName          = "dir-name"
+	keyOverrideExcludes   = "override-excludes"
+	keyIncludePatterns    = "include-patterns"
+	keyExcludePatterns    = "exclude-patterns"
+	keyFollowPaths        = "followpaths"
+	keyDirName            = "dir-name"
+	keyExporterMetaPrefix = "exporter-md-"
 )
 
 type fsSyncProvider struct {
@@ -238,16 +239,16 @@ func NewFSSyncTargetDir(outdir string) session.Attachable {
 }
 
 // NewFSSyncTarget allows writing into an io.WriteCloser
-func NewFSSyncTarget(w io.WriteCloser) session.Attachable {
+func NewFSSyncTarget(f func(map[string]string) (io.WriteCloser, error)) session.Attachable {
 	p := &fsSyncTarget{
-		outfile: w,
+		f: f,
 	}
 	return p
 }
 
 type fsSyncTarget struct {
-	outdir  string
-	outfile io.WriteCloser
+	outdir string
+	f      func(map[string]string) (io.WriteCloser, error)
 }
 
 func (sp *fsSyncTarget) Register(server *grpc.Server) {
@@ -258,11 +259,26 @@ func (sp *fsSyncTarget) DiffCopy(stream FileSend_DiffCopyServer) error {
 	if sp.outdir != "" {
 		return syncTargetDiffCopy(stream, sp.outdir)
 	}
-	if sp.outfile == nil {
+
+	if sp.f == nil {
 		return errors.New("empty outfile and outdir")
 	}
-	defer sp.outfile.Close()
-	return writeTargetFile(stream, sp.outfile)
+	opts, _ := metadata.FromIncomingContext(stream.Context()) // if no metadata continue with empty object
+	md := map[string]string{}
+	for k, v := range opts {
+		if strings.HasPrefix(k, keyExporterMetaPrefix) {
+			md[strings.TrimPrefix(k, keyExporterMetaPrefix)] = strings.Join(v, ",")
+		}
+	}
+	wc, err := sp.f(md)
+	if err != nil {
+		return err
+	}
+	if wc == nil {
+		return status.Errorf(codes.AlreadyExists, "target already exists")
+	}
+	defer wc.Close()
+	return writeTargetFile(stream, wc)
 }
 
 func CopyToCaller(ctx context.Context, fs fsutil.FS, c session.Caller, progress func(int, bool)) error {
@@ -275,13 +291,13 @@ func CopyToCaller(ctx context.Context, fs fsutil.FS, c session.Caller, progress
 
 	cc, err := client.DiffCopy(ctx)
 	if err != nil {
-		return err
+		return errors.WithStack(err)
 	}
 
 	return sendDiffCopy(cc, fs, progress)
 }
 
-func CopyFileWriter(ctx context.Context, c session.Caller) (io.WriteCloser, error) {
+func CopyFileWriter(ctx context.Context, md map[string]string, c session.Caller) (io.WriteCloser, error) {
 	method := session.MethodURL(_FileSend_serviceDesc.ServiceName, "diffcopy")
 	if !c.Supports(method) {
 		return nil, errors.Errorf("method %s not supported by the client", method)
@@ -289,9 +305,16 @@ func CopyFileWriter(ctx context.Context, c session.Caller) (io.WriteCloser, erro
 
 	client := NewFileSendClient(c.Conn())
 
+	opts := make(map[string][]string, len(md))
+	for k, v := range md {
+		opts[keyExporterMetaPrefix+k] = []string{v}
+	}
+
+	ctx = metadata.NewOutgoingContext(ctx, opts)
+
 	cc, err := client.DiffCopy(ctx)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 
 	return newStreamWriter(cc), nil

vendor/github.com/moby/buildkit/session/secrets/secrets.go

@@ -21,10 +21,10 @@ func GetSecret(ctx context.Context, c session.Caller, id string) ([]byte, error)
 		ID: id,
 	})
 	if err != nil {
-		if st, ok := status.FromError(err); ok && (st.Code() == codes.Unimplemented || st.Code() == codes.NotFound) {
+		if st, ok := status.FromError(errors.Cause(err)); ok && (st.Code() == codes.Unimplemented || st.Code() == codes.NotFound) {
 			return nil, errors.Wrapf(ErrNotFound, "secret %s not found", id)
 		}
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	return resp.Data, nil
 }

vendor/github.com/moby/buildkit/session/sshforward/copy.go

@@ -3,23 +3,24 @@ package sshforward
 import (
 	io "io"
 
+	"github.com/pkg/errors"
 	context "golang.org/x/net/context"
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc"
 )
 
-func Copy(ctx context.Context, conn io.ReadWriteCloser, stream grpc.Stream) error {
+func Copy(ctx context.Context, conn io.ReadWriteCloser, stream grpc.Stream, closeStream func() error) error {
 	g, ctx := errgroup.WithContext(ctx)
 
 	g.Go(func() (retErr error) {
 		p := &BytesMessage{}
 		for {
 			if err := stream.RecvMsg(p); err != nil {
+				conn.Close()
 				if err == io.EOF {
 					return nil
 				}
-				conn.Close()
-				return err
+				return errors.WithStack(err)
 			}
 			select {
 			case <-ctx.Done():
@@ -29,7 +30,7 @@ func Copy(ctx context.Context, conn io.ReadWriteCloser, stream grpc.Stream) erro
 			}
 			if _, err := conn.Write(p.Data); err != nil {
 				conn.Close()
-				return err
+				return errors.WithStack(err)
 			}
 			p.Data = p.Data[:0]
 		}
@@ -41,9 +42,12 @@ func Copy(ctx context.Context, conn io.ReadWriteCloser, stream grpc.Stream) erro
 			n, err := conn.Read(buf)
 			switch {
 			case err == io.EOF:
+				if closeStream != nil {
+					closeStream()
+				}
 				return nil
 			case err != nil:
-				return err
+				return errors.WithStack(err)
 			}
 			select {
 			case <-ctx.Done():
@@ -52,7 +56,7 @@ func Copy(ctx context.Context, conn io.ReadWriteCloser, stream grpc.Stream) erro
 			}
 			p := &BytesMessage{Data: buf[:n]}
 			if err := stream.SendMsg(p); err != nil {
-				return err
+				return errors.WithStack(err)
 			}
 		}
 	})

vendor/github.com/moby/buildkit/session/sshforward/ssh.go

@@ -7,6 +7,7 @@ import (
 	"path/filepath"
 
 	"github.com/moby/buildkit/session"
+	"github.com/pkg/errors"
 	context "golang.org/x/net/context"
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc/metadata"
@@ -48,7 +49,7 @@ func (s *server) run(ctx context.Context, l net.Listener, id string) error {
 				return err
 			}
 
-			go Copy(ctx, conn, stream)
+			go Copy(ctx, conn, stream, stream.CloseSend)
 		}
 	})
 
@@ -65,7 +66,7 @@ type SocketOpt struct {
 func MountSSHSocket(ctx context.Context, c session.Caller, opt SocketOpt) (sockPath string, closer func() error, err error) {
 	dir, err := ioutil.TempDir("", ".buildkit-ssh-sock")
 	if err != nil {
-		return "", nil, err
+		return "", nil, errors.WithStack(err)
 	}
 
 	defer func() {
@@ -78,16 +79,16 @@ func MountSSHSocket(ctx context.Context, c session.Caller, opt SocketOpt) (sockP
 
 	l, err := net.Listen("unix", sockPath)
 	if err != nil {
-		return "", nil, err
+		return "", nil, errors.WithStack(err)
 	}
 
 	if err := os.Chown(sockPath, opt.UID, opt.GID); err != nil {
 		l.Close()
-		return "", nil, err
+		return "", nil, errors.WithStack(err)
 	}
 	if err := os.Chmod(sockPath, os.FileMode(opt.Mode)); err != nil {
 		l.Close()
-		return "", nil, err
+		return "", nil, errors.WithStack(err)
 	}
 
 	s := &server{caller: c}
@@ -102,12 +103,12 @@ func MountSSHSocket(ctx context.Context, c session.Caller, opt SocketOpt) (sockP
 	return sockPath, func() error {
 		err := l.Close()
 		os.RemoveAll(sockPath)
-		return err
+		return errors.WithStack(err)
 	}, nil
 }
 
 func CheckSSHID(ctx context.Context, c session.Caller, id string) error {
 	client := NewSSHClient(c.Conn())
 	_, err := client.CheckAgent(ctx, &CheckAgentRequest{ID: id})
-	return err
+	return errors.WithStack(err)
 }

vendor/github.com/moby/buildkit/session/sshforward/sshprovider/agentprovider.go

@@ -114,7 +114,7 @@ func (sp *socketProvider) ForwardAgent(stream sshforward.SSH_ForwardAgentServer)
 
 	eg.Go(func() error {
 		defer s1.Close()
-		return sshforward.Copy(ctx, s2, stream)
+		return sshforward.Copy(ctx, s2, stream, nil)
 	})
 
 	return eg.Wait()

vendor/github.com/moby/buildkit/session/upload/upload.go

@@ -6,6 +6,7 @@ import (
 	"net/url"
 
 	"github.com/moby/buildkit/session"
+	"github.com/pkg/errors"
 	"google.golang.org/grpc/metadata"
 )
 
@@ -26,7 +27,7 @@ func New(ctx context.Context, c session.Caller, url *url.URL) (*Upload, error) {
 
 	cc, err := client.Pull(ctx)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 
 	return &Upload{cc: cc}, nil
@@ -44,12 +45,12 @@ func (u *Upload) WriteTo(w io.Writer) (int, error) {
 			if err == io.EOF {
 				return n, nil
 			}
-			return n, err
+			return n, errors.WithStack(err)
 		}
 		nn, err := w.Write(bm.Data)
 		n += nn
 		if err != nil {
-			return n, err
+			return n, errors.WithStack(err)
 		}
 	}
 }

vendor/github.com/moby/buildkit/solver/pb/caps.go

@@ -30,19 +30,20 @@ const (
 
 	CapBuildOpLLBFileName apicaps.CapID = "source.buildop.llbfilename"
 
-	CapExecMetaBase            apicaps.CapID = "exec.meta.base"
-	CapExecMetaProxy           apicaps.CapID = "exec.meta.proxyenv"
-	CapExecMetaNetwork         apicaps.CapID = "exec.meta.network"
-	CapExecMetaSecurity        apicaps.CapID = "exec.meta.security"
-	CapExecMetaSetsDefaultPath apicaps.CapID = "exec.meta.setsdefaultpath"
-	CapExecMountBind           apicaps.CapID = "exec.mount.bind"
-	CapExecMountCache          apicaps.CapID = "exec.mount.cache"
-	CapExecMountCacheSharing   apicaps.CapID = "exec.mount.cache.sharing"
-	CapExecMountSelector       apicaps.CapID = "exec.mount.selector"
-	CapExecMountTmpfs          apicaps.CapID = "exec.mount.tmpfs"
-	CapExecMountSecret         apicaps.CapID = "exec.mount.secret"
-	CapExecMountSSH            apicaps.CapID = "exec.mount.ssh"
-	CapExecCgroupsMounted      apicaps.CapID = "exec.cgroup"
+	CapExecMetaBase                  apicaps.CapID = "exec.meta.base"
+	CapExecMetaProxy                 apicaps.CapID = "exec.meta.proxyenv"
+	CapExecMetaNetwork               apicaps.CapID = "exec.meta.network"
+	CapExecMetaSecurity              apicaps.CapID = "exec.meta.security"
+	CapExecMetaSetsDefaultPath       apicaps.CapID = "exec.meta.setsdefaultpath"
+	CapExecMountBind                 apicaps.CapID = "exec.mount.bind"
+	CapExecMountBindReadWriteNoOuput apicaps.CapID = "exec.mount.bind.readwrite-nooutput"
+	CapExecMountCache                apicaps.CapID = "exec.mount.cache"
+	CapExecMountCacheSharing         apicaps.CapID = "exec.mount.cache.sharing"
+	CapExecMountSelector             apicaps.CapID = "exec.mount.selector"
+	CapExecMountTmpfs                apicaps.CapID = "exec.mount.tmpfs"
+	CapExecMountSecret               apicaps.CapID = "exec.mount.secret"
+	CapExecMountSSH                  apicaps.CapID = "exec.mount.ssh"
+	CapExecCgroupsMounted            apicaps.CapID = "exec.cgroup"
 
 	CapFileBase apicaps.CapID = "file.base"
 
@@ -193,6 +194,12 @@ func init() {
 		Status:  apicaps.CapStatusExperimental,
 	})
 
+	Caps.Init(apicaps.Cap{
+		ID:      CapExecMountBindReadWriteNoOuput,
+		Enabled: true,
+		Status:  apicaps.CapStatusExperimental,
+	})
+
 	Caps.Init(apicaps.Cap{
 		ID:      CapExecMountCache,
 		Enabled: true,

vendor/github.com/tonistiigi/fsutil/stat.go

@@ -49,6 +49,9 @@ func mkstat(path, relpath string, fi os.FileInfo, inodemap map[uint64]string) (*
 		stat.Mode = noPermPart | permPart
 	}
 
+	// Clear the socket bit since archive/tar.FileInfoHeader does not handle it
+	stat.Mode &^= uint32(os.ModeSocket)
+
 	return stat, nil
 }
 

vendor/modules.txt

@@ -27,7 +27,7 @@ github.com/agl/ed25519/edwards25519
 github.com/beorn7/perks/quantile
 # github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
 github.com/containerd/console
-# github.com/containerd/containerd v1.3.0-0.20190426060238-3a3f0aac8819
+# github.com/containerd/containerd v1.3.0-0.20190507210959-7c1e88399ec0
 github.com/containerd/containerd/images
 github.com/containerd/containerd/platforms
 github.com/containerd/containerd/content
@@ -36,20 +36,22 @@ github.com/containerd/containerd/remotes
 github.com/containerd/containerd/remotes/docker
 github.com/containerd/containerd/log
 github.com/containerd/containerd/content/local
+github.com/containerd/containerd/containers
+github.com/containerd/containerd/oci
 github.com/containerd/containerd/labels
 github.com/containerd/containerd/reference
+github.com/containerd/containerd/remotes/docker/schema1
 github.com/containerd/containerd/version
 github.com/containerd/containerd/filters
 github.com/containerd/containerd/sys
 github.com/containerd/containerd/api/services/content/v1
 github.com/containerd/containerd/content/proxy
 github.com/containerd/containerd/services/content/contentserver
-github.com/containerd/containerd/containers
-github.com/containerd/containerd/oci
-github.com/containerd/containerd
-github.com/containerd/containerd/namespaces
 github.com/containerd/containerd/mount
+github.com/containerd/containerd/namespaces
 github.com/containerd/containerd/snapshots
+github.com/containerd/containerd
+github.com/containerd/containerd/archive/compression
 github.com/containerd/containerd/api/services/containers/v1
 github.com/containerd/containerd/api/services/diff/v1
 github.com/containerd/containerd/api/services/events/v1
@@ -62,7 +64,6 @@ github.com/containerd/containerd/api/services/tasks/v1
 github.com/containerd/containerd/api/services/version/v1
 github.com/containerd/containerd/api/types
 github.com/containerd/containerd/archive
-github.com/containerd/containerd/archive/compression
 github.com/containerd/containerd/cio
 github.com/containerd/containerd/defaults
 github.com/containerd/containerd/diff
@@ -73,7 +74,6 @@ github.com/containerd/containerd/leases
 github.com/containerd/containerd/leases/proxy
 github.com/containerd/containerd/pkg/dialer
 github.com/containerd/containerd/plugin
-github.com/containerd/containerd/remotes/docker/schema1
 github.com/containerd/containerd/rootfs
 github.com/containerd/containerd/runtime/linux/runctypes
 github.com/containerd/containerd/runtime/v2/runc/options
@@ -81,14 +81,14 @@ github.com/containerd/containerd/snapshots/proxy
 github.com/containerd/containerd/api/types/task
 github.com/containerd/containerd/events/exchange
 github.com/containerd/containerd/identifiers
-# github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc
+# github.com/containerd/continuity v0.0.0-20190827140505-75bee3e2ccb6
 github.com/containerd/continuity
+github.com/containerd/continuity/fs
 github.com/containerd/continuity/pathdriver
 github.com/containerd/continuity/devices
 github.com/containerd/continuity/driver
 github.com/containerd/continuity/proto
 github.com/containerd/continuity/sysx
-github.com/containerd/continuity/fs
 github.com/containerd/continuity/syscallx
 # github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448
 github.com/containerd/fifo
@@ -259,13 +259,14 @@ github.com/matttproud/golang_protobuf_extensions/pbutil
 github.com/miekg/pkcs11
 # github.com/mitchellh/mapstructure v1.1.2
 github.com/mitchellh/mapstructure
-# github.com/moby/buildkit v0.5.2-0.20190513182223-f238f1efb04f
+# github.com/moby/buildkit v0.6.2-0.20190921002054-ae10b292fefb
 github.com/moby/buildkit/session/auth/authprovider
 github.com/moby/buildkit/client
 github.com/moby/buildkit/session
 github.com/moby/buildkit/session/secrets/secretsprovider
 github.com/moby/buildkit/session/sshforward/sshprovider
 github.com/moby/buildkit/session/upload/uploadprovider
+github.com/moby/buildkit/util/entitlements
 github.com/moby/buildkit/util/appcontext
 github.com/moby/buildkit/identity
 github.com/moby/buildkit/util/progress/progressui
@@ -285,7 +286,6 @@ github.com/moby/buildkit/session/grpchijack
 github.com/moby/buildkit/solver/pb
 github.com/moby/buildkit/util/apicaps
 github.com/moby/buildkit/util/appdefaults
-github.com/moby/buildkit/util/entitlements
 github.com/moby/buildkit/session/secrets
 github.com/moby/buildkit/session/sshforward
 github.com/moby/buildkit/session/upload
@@ -303,7 +303,7 @@ github.com/opencontainers/go-digest
 github.com/opencontainers/image-spec/specs-go/v1
 github.com/opencontainers/image-spec/specs-go
 github.com/opencontainers/image-spec/identity
-# github.com/opencontainers/runc v1.0.1-0.20190307181833-2b18fe1d885e
+# github.com/opencontainers/runc v1.0.0-rc8
 github.com/opencontainers/runc/libcontainer/user
 github.com/opencontainers/runc/libcontainer/system
 # github.com/opencontainers/runtime-spec v1.0.1
@@ -355,7 +355,7 @@ github.com/theupdateframework/notary/trustmanager/yubikey
 github.com/theupdateframework/notary/tuf
 github.com/theupdateframework/notary/tuf/utils
 github.com/theupdateframework/notary/tuf/validation
-# github.com/tonistiigi/fsutil v0.0.0-20190327153851-3bbb99cdbd76
+# github.com/tonistiigi/fsutil v0.0.0-20190819224149-3d2716dd0a4d
 github.com/tonistiigi/fsutil/types
 github.com/tonistiigi/fsutil
 # github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea