Merge pull request #155 from tiborvass/vendor-buildkit

vendor: update buildkit to docker-19.03 (ae10b292)

Jenkinsfile

@@ -0,0 +1,29 @@
+
+@Library('jps')
+_
+
+pipeline {
+  agent {
+    node {
+      label 'ubuntu-1804-overlay2'
+    }
+  }
+  options {
+    disableConcurrentBuilds()
+  }
+  stages {
+    stage("FOSSA Analyze") {
+      steps {
+
+        withCredentials([string(credentialsId: 'fossa-api-key', variable: 'FOSSA_API_KEY')]) {
+          withGithubStatus('FOSSA.scan') {
+            labelledShell returnStatus: false, returnStdout: true, label: "make fossa-analyze",
+                  script:'make -f Makefile.fossa BRANCH_NAME=${BRANCH_NAME} fossa-analyze'
+            labelledShell returnStatus: false, returnStdout: true, label: "make fossa-test",
+                  script: 'make -f Makefile.fossa BRANCH_NAME=${BRANCH_NAME} fossa-test'
+          }
+        }
+      }
+    }
+  }
+}

Makefile.fossa

@@ -0,0 +1,18 @@
+REPO_PATH?=docker/buildx
+BUILD_ANALYZER?=docker/fossa-analyzer
+FOSSA_OPTS?=--option all-tags:true --option allow-unresolved:true --no-ansi
+
+fossa-analyze:
+	docker run -i --rm -e FOSSA_API_KEY=$(FOSSA_API_KEY) \
+		-v $(CURDIR)/$*:/go/src/github.com/$(REPO_PATH) \
+		-w /go/src/github.com/$(REPO_PATH) \
+		-e GO111MODULE=on \
+		$(BUILD_ANALYZER) analyze $(FOSSA_OPTS) --branch $(BRANCH_NAME)
+
+# This command is used to run the fossa test command
+fossa-test:
+	docker run -i --rm -e FOSSA_API_KEY=$(FOSSA_API_KEY) \
+		-v $(CURDIR)/$*:/go/src/github.com/$(REPO_PATH) \
+		-w /go/src/github.com/$(REPO_PATH) \
+		-e GO111MODULE=on \
+		$(BUILD_ANALYZER) test --debug

README.md

@@ -165,6 +165,7 @@ Options:
 | Flag | Description |
 | --- | --- |
 | --add-host []         | Add a custom host-to-IP mapping (host:ip)
+| --allow []        | Allow extra privileged entitlement, e.g. network.host, security.insecure
 | --build-arg []    | Set build-time variables
 | --cache-from []   | External cache sources (eg. user/app:cache, type=local,src=path/to/dir)
 | --cache-to []     | Cache export destinations (eg. user/app:cache, type=local,dest=path/to/dir)
@@ -286,7 +287,7 @@ Shorthand for [`--output=type=docker`](#docker). Will automatically load the sin
 
 #### `--cache-from=[NAME|type=TYPE[,KEY=VALUE]]`
 
-Use an external cache source for a build. Supported types are `registry` and `local`. The `registry` source can import cache from a cache manifest or (special) image configuration on the registry. The `local` source can export cache from local files previously exported with `--cache-to`.
+Use an external cache source for a build. Supported types are `registry` and `local`. The `registry` source can import cache from a cache manifest or (special) image configuration on the registry. The `local` source can import cache from local files previously exported with `--cache-to`.
 
 If no type is specified, `registry` exporter is used with a specified reference.
 
@@ -318,6 +319,20 @@ docker buildx build --cache-to=type=registry,ref=user/app .
 docker buildx build --cache-to=type=local,dest=path/to/cache .
 ```
 
+#### `--allow=ENTITLEMENT`
+
+Allow extra privileged entitlement. List of entitlements:
+
+- `network.host` - Allows executions with host networking.
+- `security.insecure` - Allows executions without sandbox. See [related Dockerfile extensions](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/experimental.md#run---securityinsecuresandbox).
+
+For entitlements to be enabled, the `buildkitd` daemon also needs to allow them with `--allow-insecure-entitlement` (see [`create --buildkitd-flags`](#--buildkitd-flags-flags))
+
+Example:
+```
+$ docker buildx create --use --name insecure-builder --buildkitd-flags '--allow-insecure-entitlement security.insecure'
+$ docker buildx build --allow security.insecure .
+```
 
 ### `buildx create [OPTIONS] [CONTEXT|ENDPOINT]`
 
@@ -356,7 +371,7 @@ eager_beaver
 
 #### `--buildkitd-flags FLAGS`
 
-Adds flags when starting the buildkitd daemon. They take precedence over the configuration file specified by `--config`. See `buildkitd --help` for the available flags.
+Adds flags when starting the buildkitd daemon. They take precedence over the configuration file specified by [`--config`](#--config-file). See `buildkitd --help` for the available flags.
 
 Example:
 ```
@@ -365,7 +380,7 @@ Example:
 
 #### `--config FILE`
 
-Specifies the configuration file for the buildkitd daemon to use. The configuration can be overridden by `--buildkitd-flags`. See an [example buildkitd configuration file](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md).
+Specifies the configuration file for the buildkitd daemon to use. The configuration can be overridden by [`--buildkitd-flags`](#--buildkitd-flags-flags). See an [example buildkitd configuration file](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md).
 
 #### `--driver DRIVER`
 
@@ -562,23 +577,23 @@ Note: Design of bake command is work in progress, the user experience may change
 Example HCL defintion:
 
 ```
-group “default” {
-	targets = [“db”, “webapp-dev”]
+group "default" {
+	targets = ["db", "webapp-dev"]
 }
 
-target “webapp-dev” {
+target "webapp-dev" {
 	dockerfile = "Dockerfile.webapp"
 	tags = ["docker.io/username/webapp"]
 }
 
-target “webapp-release” {
-	inherits = [“webapp-dev”]
-	platforms = [“linux/amd64”, “linux/arm64”]
+target "webapp-release" {
+	inherits = ["webapp-dev"]
+	platforms = ["linux/amd64", "linux/arm64"]
 }
 
-target “db” {
+target "db" {
 	dockerfile = "Dockerfile.db"
-	tags = [“docker.io/username/db”]
+	tags = ["docker.io/username/db"]
 }
 ```
 

bake/bake.go

@@ -77,7 +77,20 @@ func mergeConfig(c1, c2 Config) Config {
 		if c1.Group == nil {
 			c1.Group = map[string]Group{}
 		}
-		c1.Group[k] = g
+		if g1, exists := c1.Group[k]; exists {
+		nextTarget:
+			for _, t := range g.Targets {
+				for _, t2 := range g1.Targets {
+					if t == t2 {
+						continue nextTarget
+					}
+				}
+				g1.Targets = append(g1.Targets, t)
+			}
+			c1.Group[k] = g1
+		} else {
+			c1.Group[k] = g
+		}
 	}
 
 	for k, t := range c2.Target {

bake/bake_test.go

@@ -59,11 +59,30 @@ services:
 `), 0600)
 	require.NoError(t, err)
 
-	ctx := context.TODO()
+	fp2 := filepath.Join(tmpdir, "docker-compose2.yml")
+	err = ioutil.WriteFile(fp2, []byte(`
+version: "3"
 
-	m, err := ReadTargets(ctx, []string{fp}, []string{"default"}, nil)
+services:
+  newservice:
+    build: .
+  webapp:
+    build:
+      args:
+        buildno2: 12
+`), 0600)
 	require.NoError(t, err)
 
+	ctx := context.TODO()
+
+	m, err := ReadTargets(ctx, []string{fp, fp2}, []string{"default"}, nil)
+	require.NoError(t, err)
+
+	require.Equal(t, 3, len(m))
+	_, ok := m["newservice"]
+	require.True(t, ok)
 	require.Equal(t, "Dockerfile.webapp", *m["webapp"].Dockerfile)
 	require.Equal(t, ".", *m["webapp"].Context)
+	require.Equal(t, "1", m["webapp"].Args["buildno"])
+	require.Equal(t, "12", m["webapp"].Args["buildno2"])
 }

build/build.go

@@ -400,7 +400,7 @@ func toSolveOpt(d driver.Driver, multiDriver bool, opt Options, dl dockerLoadCal
 						return nil, nil, err
 					}
 					defers = append(defers, cancel)
-					opt.Exports[i].Output = w
+					opt.Exports[i].Output = wrapWriteCloser(w)
 				}
 			} else if !d.Features()[driver.DockerExporter] {
 				return nil, nil, notSupported(d, driver.DockerExporter)
@@ -541,7 +541,7 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 	multiTarget := len(opt) > 1
 
 	for k, opt := range opt {
-		err := func() error {
+		err := func(k string) error {
 			opt := opt
 			dps := m[k]
 			multiDriver := len(m[k]) > 1
@@ -685,7 +685,7 @@ func Build(ctx context.Context, drivers []DriverInfo, opt map[string]Options, do
 			}
 
 			return nil
-		}()
+		}(k)
 		if err != nil {
 			return nil, err
 		}
@@ -735,7 +735,7 @@ func LoadInputs(inp Inputs, target *client.SolveOpt) (func(), error) {
 			return nil, errStdinConflict
 		}
 
-		buf := bufio.NewReader(os.Stdin)
+		buf := bufio.NewReader(inp.InStream)
 		magic, err := buf.Peek(archiveHeaderSize * 2)
 		if err != nil && err != io.EOF {
 			return nil, errors.Wrap(err, "failed to peek context header from STDIN")
@@ -761,7 +761,7 @@ func LoadInputs(inp Inputs, target *client.SolveOpt) (func(), error) {
 		target.LocalDirs["context"] = inp.ContextPath
 		switch inp.DockerfilePath {
 		case "-":
-			dockerfileReader = os.Stdin
+			dockerfileReader = inp.InStream
 		case "":
 			dockerfileDir = inp.ContextPath
 		default:
@@ -784,6 +784,7 @@ func LoadInputs(inp Inputs, target *client.SolveOpt) (func(), error) {
 			return nil, err
 		}
 		toRemove = append(toRemove, dockerfileDir)
+		dockerfileName = "Dockerfile"
 	}
 
 	if dockerfileName == "" {

build/output.go

@@ -2,6 +2,7 @@ package build
 
 import (
 	"encoding/csv"
+	"io"
 	"os"
 	"strings"
 
@@ -81,7 +82,7 @@ func ParseOutputs(inp []string) ([]client.ExportEntry, error) {
 				if _, err := console.ConsoleFromFile(os.Stdout); err == nil {
 					return nil, errors.Errorf("output file is required for %s exporter. refusing to write to console", out.Type)
 				}
-				out.Output = os.Stdout
+				out.Output = wrapWriteCloser(os.Stdout)
 			} else if dest != "" {
 				fi, err := os.Stat(dest)
 				if err != nil && !os.IsNotExist(err) {
@@ -94,7 +95,7 @@ func ParseOutputs(inp []string) ([]client.ExportEntry, error) {
 				if err != nil {
 					return nil, errors.Errorf("failed to open %s", err)
 				}
-				out.Output = f
+				out.Output = wrapWriteCloser(f)
 			}
 			delete(out.Attrs, "dest")
 		case "registry":
@@ -106,3 +107,9 @@ func ParseOutputs(inp []string) ([]client.ExportEntry, error) {
 	}
 	return outs, nil
 }
+
+func wrapWriteCloser(wc io.WriteCloser) func(map[string]string) (io.WriteCloser, error) {
+	return func(map[string]string) (io.WriteCloser, error) {
+		return wc, nil
+	}
+}

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/cenkalti/backoff v2.1.1+incompatible // indirect
 	github.com/cloudflare/cfssl v0.0.0-20181213083726-b94e044bb51e // indirect
 	github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
-	github.com/containerd/containerd v1.3.0-0.20190426060238-3a3f0aac8819
+	github.com/containerd/containerd v1.3.0-0.20190507210959-7c1e88399ec0
 	github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448 // indirect
 	github.com/containerd/typeurl v0.0.0-20190228175220-2a93cfde8c20 // indirect
 	github.com/denisenkom/go-mssqldb v0.0.0-20190315220205-a8ed825ac853 // indirect
@@ -52,7 +52,7 @@ require (
 	github.com/mattn/go-sqlite3 v1.10.0 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
 	github.com/miekg/pkcs11 v0.0.0-20190322140431-074fd7a1ed19 // indirect
-	github.com/moby/buildkit v0.5.2-0.20190513182223-f238f1efb04f
+	github.com/moby/buildkit v0.6.2-0.20190921002054-ae10b292fefb
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0-rc1

go.sum

@@ -39,20 +39,22 @@ github.com/containerd/cgroups v0.0.0-20190226200435-dbea6f2bd416/go.mod h1:X9rLE
 github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50 h1:WMpHmC6AxwWb9hMqhudkqG7A/p14KiMnl6d3r1iUMjU=
 github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
 github.com/containerd/containerd v1.2.4/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
-github.com/containerd/containerd v1.3.0-0.20190426060238-3a3f0aac8819 h1:otmq8xNIzAo+2SjPURbYZXVW+B6hZBAWJ+JApzCYWDk=
-github.com/containerd/containerd v1.3.0-0.20190426060238-3a3f0aac8819/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/containerd v1.3.0-0.20190507210959-7c1e88399ec0 h1:enps1EZBEgR8QxwdrpsoSxcsCXWnMKchIQ/0dzC0eKw=
+github.com/containerd/containerd v1.3.0-0.20190507210959-7c1e88399ec0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
 github.com/containerd/continuity v0.0.0-20181001140422-bd77b46c8352/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
-github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc h1:TP+534wVlf61smEIq1nwLLAjQVEK2EADoW3CX9AuT+8=
-github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
+github.com/containerd/continuity v0.0.0-20190827140505-75bee3e2ccb6 h1:NmTXa/uVnDyp0TY5MKi197+3HWcnYWfnHGyaFthlnGw=
+github.com/containerd/continuity v0.0.0-20190827140505-75bee3e2ccb6/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/fifo v0.0.0-20180307165137-3d5202aec260/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
 github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448 h1:PUD50EuOMkXVcpBIA/R95d56duJR9VxhwncsFbNnxW4=
 github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
-github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
+github.com/containerd/go-cni v0.0.0-20190610170741-5a4663dad645/go.mod h1:2wlRxCQdiBY+OcjNg5x8kI+5mEL1fGt25L4IzQHYJsM=
+github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
 github.com/containerd/ttrpc v0.0.0-20190411181408-699c4e40d1e7 h1:SKDlsIhYxNE1LO0xwuOR+3QWj3zRibVQu5jWIMQmOfU=
 github.com/containerd/ttrpc v0.0.0-20190411181408-699c4e40d1e7/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
 github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
 github.com/containerd/typeurl v0.0.0-20190228175220-2a93cfde8c20 h1:14r0i3IeJj6zkNLigAJiv/TWSR8EY+pxIjv5tFiT+n8=
 github.com/containerd/typeurl v0.0.0-20190228175220-2a93cfde8c20/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
+github.com/containernetworking/cni v0.6.1-0.20180218032124-142cde0c766c/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
@@ -89,7 +91,7 @@ github.com/docker/go-metrics v0.0.0-20170502235133-d466d4f6fd96 h1:HVQ/BC7Ze+bcV
 github.com/docker/go-metrics v0.0.0-20170502235133-d466d4f6fd96/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
 github.com/docker/go-units v0.3.1 h1:QAFdsA6jLCnglbqE6mUsHuPcJlntY94DkxHf4deHKIU=
 github.com/docker/go-units v0.3.1/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/libnetwork v0.0.0-20180913200009-36d3bed0e9f4/go.mod h1:93m0aTqz6z+g32wla4l4WxTrdtvBRmVzYRkYvasA5Z8=
+github.com/docker/libnetwork v0.8.0-dev.2.0.20190604151032-3c26b4e7495e/go.mod h1:93m0aTqz6z+g32wla4l4WxTrdtvBRmVzYRkYvasA5Z8=
 github.com/docker/libtrust v0.0.0-20150526203908-9cbd2a1374f4 h1:k8TfKGeAcDQFFQOGCQMRN04N4a9YrPlRMMKnzAuvM9Q=
 github.com/docker/libtrust v0.0.0-20150526203908-9cbd2a1374f4/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y=
@@ -181,8 +183,8 @@ github.com/miekg/pkcs11 v0.0.0-20190322140431-074fd7a1ed19/go.mod h1:WCBAbTOdfhH
 github.com/mitchellh/hashstructure v0.0.0-20170609045927-2bca23e0e452/go.mod h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ=
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/moby/buildkit v0.5.2-0.20190513182223-f238f1efb04f h1:gNiytoQ3/71JJKWbLPtxoInde5kBRpvqH6EbUf12JDU=
-github.com/moby/buildkit v0.5.2-0.20190513182223-f238f1efb04f/go.mod h1:RozsxlEOjPuX/zKKrd0ZS76dlVNZu4qAff+vj7hR/qs=
+github.com/moby/buildkit v0.6.2-0.20190921002054-ae10b292fefb h1:enyviD1ZOxgo62sGpT2yQY1uTtruq84wYJPjFJwsbH0=
+github.com/moby/buildkit v0.6.2-0.20190921002054-ae10b292fefb/go.mod h1:JKVImCzxztxvULr5P6ZiBfA/B2P+ZpR6UHxOXQn4KiU=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
@@ -197,8 +199,8 @@ github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQ
 github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/runc v1.0.0-rc6/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
-github.com/opencontainers/runc v1.0.1-0.20190307181833-2b18fe1d885e h1:+uPGJuuDl61O9GKN/rLHkUCf597mpxmJI06RqMQX81A=
-github.com/opencontainers/runc v1.0.1-0.20190307181833-2b18fe1d885e/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runc v1.0.0-rc8 h1:dDCFes8Hj1r/i5qnypONo5jdOme/8HWZC/aNDyhECt0=
+github.com/opencontainers/runc v1.0.0-rc8/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runtime-spec v0.0.0-20180909173843-eba862dc2470/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.1 h1:wY4pOY8fBdSIvs9+IDHC55thBuEulhzfSgKeC1yFvzQ=
 github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
@@ -246,8 +248,8 @@ github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 h1:b6uOv7YOFK0
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/theupdateframework/notary v0.6.1 h1:7wshjstgS9x9F5LuB1L5mBI2xNMObWqjz+cjWoom6l0=
 github.com/theupdateframework/notary v0.6.1/go.mod h1:MOfgIfmox8s7/7fduvB2xyPPMJCrjRLRizA8OFwpnKY=
-github.com/tonistiigi/fsutil v0.0.0-20190327153851-3bbb99cdbd76 h1:eGfgYrNUSD448sa4mxH6nQpyZfN39QH0mLB7QaKIjus=
-github.com/tonistiigi/fsutil v0.0.0-20190327153851-3bbb99cdbd76/go.mod h1:pzh7kdwkDRh+Bx8J30uqaKJ1M4QrSH/um8fcIXeM8rc=
+github.com/tonistiigi/fsutil v0.0.0-20190819224149-3d2716dd0a4d h1:HJg27yqwTV7vFG9dWPDbUi373o/bmSDYGN9mZgVwdH0=
+github.com/tonistiigi/fsutil v0.0.0-20190819224149-3d2716dd0a4d/go.mod h1:pzh7kdwkDRh+Bx8J30uqaKJ1M4QrSH/um8fcIXeM8rc=
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea h1:SXhTLE6pb6eld/v/cCndK0AMpt1wiVFb/YYmqB3/QG0=
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea/go.mod h1:WPnis/6cRcDZSUvVmezrxJPkiO87ThFYsoUiMwWNDJk=
 github.com/tonistiigi/vt100 v0.0.0-20190402012908-ad4c4a574305 h1:y/1cL5AL2oRcfzz8CAHHhR6kDDfIOT0WEyH5k40sccM=

vendor/github.com/containerd/containerd/README.md

@@ -1,4 +1,4 @@
-![containerd banner](https://raw.githubusercontent.com/cncf/artwork/master/containerd/horizontal/color/containerd-horizontal-color.png)
+![containerd banner](https://raw.githubusercontent.com/cncf/artwork/master/projects/containerd/horizontal/color/containerd-horizontal-color.png)
 
 [![GoDoc](https://godoc.org/github.com/containerd/containerd?status.svg)](https://godoc.org/github.com/containerd/containerd)
 [![Build Status](https://travis-ci.org/containerd/containerd.svg?branch=master)](https://travis-ci.org/containerd/containerd)

vendor/github.com/containerd/containerd/images/archive/importer.go

@@ -197,10 +197,7 @@ func onUntarJSON(r io.Reader, j interface{}) error {
 	if err != nil {
 		return err
 	}
-	if err := json.Unmarshal(b, j); err != nil {
-		return err
-	}
-	return nil
+	return json.Unmarshal(b, j)
 }
 
 func onUntarBlob(ctx context.Context, r io.Reader, store content.Ingester, size int64, ref string) (digest.Digest, error) {

vendor/github.com/containerd/containerd/mount/mount_linux.go

@@ -111,7 +111,18 @@ func unmount(target string, flags int) error {
 // UnmountAll repeatedly unmounts the given mount point until there
 // are no mounts remaining (EINVAL is returned by mount), which is
 // useful for undoing a stack of mounts on the same mount point.
+// UnmountAll all is noop when the first argument is an empty string.
+// This is done when the containerd client did not specify any rootfs
+// mounts (e.g. because the rootfs is managed outside containerd)
+// UnmountAll is noop when the mount path does not exist.
 func UnmountAll(mount string, flags int) error {
+	if mount == "" {
+		return nil
+	}
+	if _, err := os.Stat(mount); os.IsNotExist(err) {
+		return nil
+	}
+
 	for {
 		if err := unmount(mount, flags); err != nil {
 			// EINVAL is returned if the target is not a

vendor/github.com/containerd/containerd/remotes/docker/handler.go

@@ -88,7 +88,7 @@ func appendDistributionSourceLabel(originLabel, repo string) string {
 	}
 	repos = append(repos, repo)
 
-	// use emtpy string to present duplicate items
+	// use empty string to present duplicate items
 	for i := 1; i < len(repos); i++ {
 		tmp, j := repos[i], i-1
 		for ; j >= 0 && repos[j] >= tmp; j-- {

vendor/github.com/containerd/containerd/remotes/docker/resolver.go

@@ -18,10 +18,10 @@ package docker
 
 import (
 	"context"
+	"io"
 	"net/http"
 	"net/url"
 	"path"
-	"strconv"
 	"strings"
 
 	"github.com/containerd/containerd/errdefs"
@@ -29,6 +29,7 @@ import (
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/reference"
 	"github.com/containerd/containerd/remotes"
+	"github.com/containerd/containerd/remotes/docker/schema1"
 	"github.com/containerd/containerd/version"
 	digest "github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -150,6 +151,32 @@ func NewResolver(options ResolverOptions) remotes.Resolver {
 	}
 }
 
+func getManifestMediaType(resp *http.Response) string {
+	// Strip encoding data (manifests should always be ascii JSON)
+	contentType := resp.Header.Get("Content-Type")
+	if sp := strings.IndexByte(contentType, ';'); sp != -1 {
+		contentType = contentType[0:sp]
+	}
+
+	// As of Apr 30 2019 the registry.access.redhat.com registry does not specify
+	// the content type of any data but uses schema1 manifests.
+	if contentType == "text/plain" {
+		contentType = images.MediaTypeDockerSchema1Manifest
+	}
+	return contentType
+}
+
+type countingReader struct {
+	reader    io.Reader
+	bytesRead int64
+}
+
+func (r *countingReader) Read(p []byte) (int, error) {
+	n, err := r.reader.Read(p)
+	r.bytesRead += int64(n)
+	return n, err
+}
+
 var _ remotes.Resolver = &dockerResolver{}
 
 func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocispec.Descriptor, error) {
@@ -220,40 +247,56 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
 			}
 			return "", ocispec.Descriptor{}, errors.Errorf("unexpected status code %v: %v", u, resp.Status)
 		}
+		size := resp.ContentLength
 
 		// this is the only point at which we trust the registry. we use the
 		// content headers to assemble a descriptor for the name. when this becomes
 		// more robust, we mostly get this information from a secure trust store.
 		dgstHeader := digest.Digest(resp.Header.Get("Docker-Content-Digest"))
+		contentType := getManifestMediaType(resp)
 
-		if dgstHeader != "" {
+		if dgstHeader != "" && size != -1 {
 			if err := dgstHeader.Validate(); err != nil {
 				return "", ocispec.Descriptor{}, errors.Wrapf(err, "%q in header not a valid digest", dgstHeader)
 			}
 			dgst = dgstHeader
-		}
+		} else {
+			log.G(ctx).Debug("no Docker-Content-Digest header, fetching manifest instead")
 
-		if dgst == "" {
-			return "", ocispec.Descriptor{}, errors.Errorf("could not resolve digest for %v", ref)
-		}
+			req, err := http.NewRequest(http.MethodGet, u, nil)
+			if err != nil {
+				return "", ocispec.Descriptor{}, err
+			}
+			req.Header = r.headers
 
-		var (
-			size       int64
-			sizeHeader = resp.Header.Get("Content-Length")
-		)
+			resp, err := fetcher.doRequestWithRetries(ctx, req, nil)
+			if err != nil {
+				return "", ocispec.Descriptor{}, err
+			}
+			defer resp.Body.Close()
 
-		size, err = strconv.ParseInt(sizeHeader, 10, 64)
-		if err != nil {
+			bodyReader := countingReader{reader: resp.Body}
 
-			return "", ocispec.Descriptor{}, errors.Wrapf(err, "invalid size header: %q", sizeHeader)
-		}
-		if size < 0 {
-			return "", ocispec.Descriptor{}, errors.Errorf("%q in header not a valid size", sizeHeader)
+			contentType = getManifestMediaType(resp)
+			if contentType == images.MediaTypeDockerSchema1Manifest {
+				b, err := schema1.ReadStripSignature(&bodyReader)
+				if err != nil {
+					return "", ocispec.Descriptor{}, err
+				}
+
+				dgst = digest.FromBytes(b)
+			} else {
+				dgst, err = digest.FromReader(&bodyReader)
+				if err != nil {
+					return "", ocispec.Descriptor{}, err
+				}
+			}
+			size = bodyReader.bytesRead
 		}
 
 		desc := ocispec.Descriptor{
 			Digest:    dgst,
-			MediaType: resp.Header.Get("Content-Type"), // need to strip disposition?
+			MediaType: contentType,
 			Size:      size,
 		}
 

vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go

@@ -227,6 +227,17 @@ func (c *Converter) Convert(ctx context.Context, opts ...ConvertOpt) (ocispec.De
 	return desc, nil
 }
 
+// ReadStripSignature reads in a schema1 manifest and returns a byte array
+// with the "signatures" field stripped
+func ReadStripSignature(schema1Blob io.Reader) ([]byte, error) {
+	b, err := ioutil.ReadAll(io.LimitReader(schema1Blob, manifestSizeLimit)) // limit to 8MB
+	if err != nil {
+		return nil, err
+	}
+
+	return stripSignature(b)
+}
+
 func (c *Converter) fetchManifest(ctx context.Context, desc ocispec.Descriptor) error {
 	log.G(ctx).Debug("fetch schema 1")
 
@@ -235,17 +246,12 @@ func (c *Converter) fetchManifest(ctx context.Context, desc ocispec.Descriptor)
 		return err
 	}
 
-	b, err := ioutil.ReadAll(io.LimitReader(rc, manifestSizeLimit)) // limit to 8MB
+	b, err := ReadStripSignature(rc)
 	rc.Close()
 	if err != nil {
 		return err
 	}
 
-	b, err = stripSignature(b)
-	if err != nil {
-		return err
-	}
-
 	var m manifest
 	if err := json.Unmarshal(b, &m); err != nil {
 		return err

vendor/github.com/containerd/containerd/vendor.conf

@@ -20,7 +20,7 @@ github.com/gogo/protobuf v1.2.1
 github.com/gogo/googleapis v1.2.0
 github.com/golang/protobuf v1.2.0
 github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
-github.com/opencontainers/runc 029124da7af7360afa781a0234d1b083550f797c
+github.com/opencontainers/runc v1.0.0-rc8
 github.com/konsorten/go-windows-terminal-sequences v1.0.1
 github.com/sirupsen/logrus v1.4.1
 github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c
@@ -37,15 +37,15 @@ github.com/Microsoft/go-winio 84b4ab48a50763fe7b3abcef38e5205c12027fac
 github.com/Microsoft/hcsshim 8abdbb8205e4192c68b5f84c31197156f31be517
 google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
 golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4
-github.com/containerd/ttrpc f02858b1457c5ca3aaec3a0803eb0d59f96e41d6
+github.com/containerd/ttrpc 699c4e40d1e7416e08bf7019c7ce2e9beced4636
 github.com/syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2
 gotest.tools v2.3.0
 github.com/google/go-cmp v0.2.0
 go.etcd.io/bbolt v1.3.2
 
 # cri dependencies
-github.com/containerd/cri 6d353571e64417d80c9478ffaea793714dd539d0 # master
-github.com/containerd/go-cni 40bcf8ec8acd7372be1d77031d585d5d8e561c90
+github.com/containerd/cri 2fc62db8146ce66f27b37306ad5fda34207835f3 # master
+github.com/containerd/go-cni 891c2a41e18144b2d7921f971d6c9789a68046b2
 github.com/containernetworking/cni v0.6.0
 github.com/containernetworking/plugins v0.7.0
 github.com/davecgh/go-spew v1.1.0
@@ -59,7 +59,7 @@ github.com/hashicorp/go-multierror ed905158d87462226a13fe39ddf685ea65f1c11f
 github.com/json-iterator/go 1.1.5
 github.com/modern-go/reflect2 1.0.1
 github.com/modern-go/concurrent 1.0.3
-github.com/opencontainers/selinux v1.2.1
+github.com/opencontainers/selinux v1.2.2
 github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
 github.com/tchap/go-patricia v2.2.6
 golang.org/x/crypto 88737f569e3a9c7ab309cdc09a07fe7fc87233c3

vendor/github.com/containerd/continuity/fs/copy.go

@@ -80,7 +80,7 @@ func copyDirectory(dst, src string, inodes map[uint64]string, o *copyDirOpts) er
 		return errors.Wrapf(err, "failed to stat %s", src)
 	}
 	if !stat.IsDir() {
-		return errors.Errorf("source is not directory")
+		return errors.Errorf("source %s is not directory", src)
 	}
 
 	if st, err := os.Stat(dst); err != nil {

vendor/github.com/moby/buildkit/client/llb/exec.go

@@ -427,11 +427,13 @@ func Security(s pb.SecurityMode) RunOption {
 }
 
 func Shlex(str string) RunOption {
-	return Shlexf(str)
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = shlexf(str, false)(ei.State)
+	})
 }
 func Shlexf(str string, v ...interface{}) RunOption {
 	return runOptionFunc(func(ei *ExecInfo) {
-		ei.State = shlexf(str, v...)(ei.State)
+		ei.State = shlexf(str, true, v...)(ei.State)
 	})
 }
 
@@ -442,7 +444,9 @@ func Args(a []string) RunOption {
 }
 
 func AddEnv(key, value string) RunOption {
-	return AddEnvf(key, value)
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = ei.State.AddEnv(key, value)
+	})
 }
 
 func AddEnvf(key, value string, v ...interface{}) RunOption {
@@ -458,7 +462,9 @@ func User(str string) RunOption {
 }
 
 func Dir(str string) RunOption {
-	return Dirf(str)
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = ei.State.Dir(str)
+	})
 }
 func Dirf(str string, v ...interface{}) RunOption {
 	return runOptionFunc(func(ei *ExecInfo) {

vendor/github.com/moby/buildkit/client/llb/meta.go

@@ -24,19 +24,24 @@ var (
 	keySecurity  = contextKeyT("llb.security")
 )
 
-func addEnvf(key, value string, v ...interface{}) StateOption {
+func addEnvf(key, value string, replace bool, v ...interface{}) StateOption {
+	if replace {
+		value = fmt.Sprintf(value, v...)
+	}
 	return func(s State) State {
-		return s.WithValue(keyEnv, getEnv(s).AddOrReplace(key, fmt.Sprintf(value, v...)))
+		return s.WithValue(keyEnv, getEnv(s).AddOrReplace(key, value))
 	}
 }
 
 func dir(str string) StateOption {
-	return dirf(str)
+	return dirf(str, false)
 }
 
-func dirf(str string, v ...interface{}) StateOption {
+func dirf(value string, replace bool, v ...interface{}) StateOption {
+	if replace {
+		value = fmt.Sprintf(value, v...)
+	}
 	return func(s State) State {
-		value := fmt.Sprintf(str, v...)
 		if !path.IsAbs(value) {
 			prev := getDir(s)
 			if prev == "" {
@@ -100,9 +105,12 @@ func args(args ...string) StateOption {
 	}
 }
 
-func shlexf(str string, v ...interface{}) StateOption {
+func shlexf(str string, replace bool, v ...interface{}) StateOption {
+	if replace {
+		str = fmt.Sprintf(str, v...)
+	}
 	return func(s State) State {
-		arg, err := shlex.Split(fmt.Sprintf(str, v...))
+		arg, err := shlex.Split(str)
 		if err != nil {
 			// TODO: handle error
 		}

vendor/github.com/moby/buildkit/client/llb/state.go

@@ -240,18 +240,18 @@ func (s State) File(a *FileAction, opts ...ConstraintsOpt) State {
 }
 
 func (s State) AddEnv(key, value string) State {
-	return s.AddEnvf(key, value)
+	return addEnvf(key, value, false)(s)
 }
 
 func (s State) AddEnvf(key, value string, v ...interface{}) State {
-	return addEnvf(key, value, v...)(s)
+	return addEnvf(key, value, true, v...)(s)
 }
 
 func (s State) Dir(str string) State {
-	return s.Dirf(str)
+	return dirf(str, false)(s)
 }
 func (s State) Dirf(str string, v ...interface{}) State {
-	return dirf(str, v...)(s)
+	return dirf(str, true, v...)(s)
 }
 
 func (s State) GetEnv(key string) (string, bool) {

vendor/github.com/moby/buildkit/client/solve.go

@@ -46,8 +46,8 @@ type SolveOpt struct {
 type ExportEntry struct {
 	Type      string
 	Attrs     map[string]string
-	Output    io.WriteCloser // for ExporterOCI and ExporterDocker
-	OutputDir string         // for ExporterLocal
+	Output    func(map[string]string) (io.WriteCloser, error) // for ExporterOCI and ExporterDocker
+	OutputDir string                                          // for ExporterLocal
 }
 
 type CacheOptionsEntry struct {

vendor/github.com/moby/buildkit/frontend/gateway/grpcclient/client.go

@@ -128,7 +128,7 @@ func (c *grpcClient) Run(ctx context.Context, f client.BuildFunc) (retError erro
 				}
 			}
 			if retError != nil {
-				st, _ := status.FromError(retError)
+				st, _ := status.FromError(errors.Cause(retError))
 				stp := st.Proto()
 				req.Error = &rpc.Status{
 					Code:    stp.Code,

vendor/github.com/moby/buildkit/session/auth/auth.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/moby/buildkit/session"
+	"github.com/pkg/errors"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
@@ -16,10 +17,10 @@ func CredentialsFunc(ctx context.Context, c session.Caller) func(string) (string
 			Host: host,
 		})
 		if err != nil {
-			if st, ok := status.FromError(err); ok && st.Code() == codes.Unimplemented {
+			if st, ok := status.FromError(errors.Cause(err)); ok && st.Code() == codes.Unimplemented {
 				return "", "", nil
 			}
-			return "", "", err
+			return "", "", errors.WithStack(err)
 		}
 		return resp.Username, resp.Secret, nil
 	}

vendor/github.com/moby/buildkit/session/content/caller.go

@@ -9,6 +9,7 @@ import (
 	"github.com/moby/buildkit/session"
 	digest "github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
 	"google.golang.org/grpc/metadata"
 )
 
@@ -31,47 +32,53 @@ func (cs *callerContentStore) choose(ctx context.Context) context.Context {
 
 func (cs *callerContentStore) Info(ctx context.Context, dgst digest.Digest) (content.Info, error) {
 	ctx = cs.choose(ctx)
-	return cs.store.Info(ctx, dgst)
+	info, err := cs.store.Info(ctx, dgst)
+	return info, errors.WithStack(err)
 }
 
 func (cs *callerContentStore) Update(ctx context.Context, info content.Info, fieldpaths ...string) (content.Info, error) {
 	ctx = cs.choose(ctx)
-	return cs.store.Update(ctx, info, fieldpaths...)
+	info, err := cs.store.Update(ctx, info, fieldpaths...)
+	return info, errors.WithStack(err)
 }
 
 func (cs *callerContentStore) Walk(ctx context.Context, fn content.WalkFunc, fs ...string) error {
 	ctx = cs.choose(ctx)
-	return cs.store.Walk(ctx, fn, fs...)
+	return errors.WithStack(cs.store.Walk(ctx, fn, fs...))
 }
 
 func (cs *callerContentStore) Delete(ctx context.Context, dgst digest.Digest) error {
 	ctx = cs.choose(ctx)
-	return cs.store.Delete(ctx, dgst)
+	return errors.WithStack(cs.store.Delete(ctx, dgst))
 }
 
 func (cs *callerContentStore) ListStatuses(ctx context.Context, fs ...string) ([]content.Status, error) {
 	ctx = cs.choose(ctx)
-	return cs.store.ListStatuses(ctx, fs...)
+	resp, err := cs.store.ListStatuses(ctx, fs...)
+	return resp, errors.WithStack(err)
 }
 
 func (cs *callerContentStore) Status(ctx context.Context, ref string) (content.Status, error) {
 	ctx = cs.choose(ctx)
-	return cs.store.Status(ctx, ref)
+	st, err := cs.store.Status(ctx, ref)
+	return st, errors.WithStack(err)
 }
 
 func (cs *callerContentStore) Abort(ctx context.Context, ref string) error {
 	ctx = cs.choose(ctx)
-	return cs.store.Abort(ctx, ref)
+	return errors.WithStack(cs.store.Abort(ctx, ref))
 }
 
 func (cs *callerContentStore) Writer(ctx context.Context, opts ...content.WriterOpt) (content.Writer, error) {
 	ctx = cs.choose(ctx)
-	return cs.store.Writer(ctx, opts...)
+	w, err := cs.store.Writer(ctx, opts...)
+	return w, errors.WithStack(err)
 }
 
 func (cs *callerContentStore) ReaderAt(ctx context.Context, desc ocispec.Descriptor) (content.ReaderAt, error) {
 	ctx = cs.choose(ctx)
-	return cs.store.ReaderAt(ctx, desc)
+	ra, err := cs.store.ReaderAt(ctx, desc)
+	return ra, errors.WithStack(err)
 }
 
 // NewCallerStore creates content.Store from session.Caller with specified storeID

vendor/github.com/moby/buildkit/session/filesync/diffcopy.go

@@ -14,7 +14,7 @@ import (
 )
 
 func sendDiffCopy(stream grpc.Stream, fs fsutil.FS, progress progressCb) error {
-	return fsutil.Send(stream.Context(), stream, fs, progress)
+	return errors.WithStack(fsutil.Send(stream.Context(), stream, fs, progress))
 }
 
 func newStreamWriter(stream grpc.ClientStream) io.WriteCloser {
@@ -29,7 +29,7 @@ type bufferedWriteCloser struct {
 
 func (bwc *bufferedWriteCloser) Close() error {
 	if err := bwc.Writer.Flush(); err != nil {
-		return err
+		return errors.WithStack(err)
 	}
 	return bwc.Closer.Close()
 }
@@ -40,19 +40,25 @@ type streamWriterCloser struct {
 
 func (wc *streamWriterCloser) Write(dt []byte) (int, error) {
 	if err := wc.ClientStream.SendMsg(&BytesMessage{Data: dt}); err != nil {
-		return 0, err
+		// SendMsg return EOF on remote errors
+		if errors.Cause(err) == io.EOF {
+			if err := errors.WithStack(wc.ClientStream.RecvMsg(struct{}{})); err != nil {
+				return 0, err
+			}
+		}
+		return 0, errors.WithStack(err)
 	}
 	return len(dt), nil
 }
 
 func (wc *streamWriterCloser) Close() error {
 	if err := wc.ClientStream.CloseSend(); err != nil {
-		return err
+		return errors.WithStack(err)
 	}
 	// block until receiver is done
 	var bm BytesMessage
 	if err := wc.ClientStream.RecvMsg(&bm); err != io.EOF {
-		return err
+		return errors.WithStack(err)
 	}
 	return nil
 }
@@ -69,19 +75,19 @@ func recvDiffCopy(ds grpc.Stream, dest string, cu CacheUpdater, progress progres
 		cf = cu.HandleChange
 		ch = cu.ContentHasher()
 	}
-	return fsutil.Receive(ds.Context(), ds, dest, fsutil.ReceiveOpt{
+	return errors.WithStack(fsutil.Receive(ds.Context(), ds, dest, fsutil.ReceiveOpt{
 		NotifyHashed:  cf,
 		ContentHasher: ch,
 		ProgressCb:    progress,
 		Filter:        fsutil.FilterFunc(filter),
-	})
+	}))
 }
 
 func syncTargetDiffCopy(ds grpc.Stream, dest string) error {
 	if err := os.MkdirAll(dest, 0700); err != nil {
-		return err
+		return errors.Wrapf(err, "failed to create synctarget dest dir %s", dest)
 	}
-	return fsutil.Receive(ds.Context(), ds, dest, fsutil.ReceiveOpt{
+	return errors.WithStack(fsutil.Receive(ds.Context(), ds, dest, fsutil.ReceiveOpt{
 		Merge: true,
 		Filter: func() func(string, *fstypes.Stat) bool {
 			uid := os.Getuid()
@@ -92,7 +98,7 @@ func syncTargetDiffCopy(ds grpc.Stream, dest string) error {
 				return true
 			}
 		}(),
-	})
+	}))
 }
 
 func writeTargetFile(ds grpc.Stream, wc io.WriteCloser) error {
@@ -102,10 +108,10 @@ func writeTargetFile(ds grpc.Stream, wc io.WriteCloser) error {
 			if errors.Cause(err) == io.EOF {
 				return nil
 			}
-			return err
+			return errors.WithStack(err)
 		}
 		if _, err := wc.Write(bm.Data); err != nil {
-			return err
+			return errors.WithStack(err)
 		}
 	}
 }

vendor/github.com/moby/buildkit/session/filesync/filesync.go

@@ -18,11 +18,12 @@ import (
 )
 
 const (
-	keyOverrideExcludes = "override-excludes"
-	keyIncludePatterns  = "include-patterns"
-	keyExcludePatterns  = "exclude-patterns"
-	keyFollowPaths      = "followpaths"
-	keyDirName          = "dir-name"
+	keyOverrideExcludes   = "override-excludes"
+	keyIncludePatterns    = "include-patterns"
+	keyExcludePatterns    = "exclude-patterns"
+	keyFollowPaths        = "followpaths"
+	keyDirName            = "dir-name"
+	keyExporterMetaPrefix = "exporter-md-"
 )
 
 type fsSyncProvider struct {
@@ -238,16 +239,16 @@ func NewFSSyncTargetDir(outdir string) session.Attachable {
 }
 
 // NewFSSyncTarget allows writing into an io.WriteCloser
-func NewFSSyncTarget(w io.WriteCloser) session.Attachable {
+func NewFSSyncTarget(f func(map[string]string) (io.WriteCloser, error)) session.Attachable {
 	p := &fsSyncTarget{
-		outfile: w,
+		f: f,
 	}
 	return p
 }
 
 type fsSyncTarget struct {
-	outdir  string
-	outfile io.WriteCloser
+	outdir string
+	f      func(map[string]string) (io.WriteCloser, error)
 }
 
 func (sp *fsSyncTarget) Register(server *grpc.Server) {
@@ -258,11 +259,26 @@ func (sp *fsSyncTarget) DiffCopy(stream FileSend_DiffCopyServer) error {
 	if sp.outdir != "" {
 		return syncTargetDiffCopy(stream, sp.outdir)
 	}
-	if sp.outfile == nil {
+
+	if sp.f == nil {
 		return errors.New("empty outfile and outdir")
 	}
-	defer sp.outfile.Close()
-	return writeTargetFile(stream, sp.outfile)
+	opts, _ := metadata.FromIncomingContext(stream.Context()) // if no metadata continue with empty object
+	md := map[string]string{}
+	for k, v := range opts {
+		if strings.HasPrefix(k, keyExporterMetaPrefix) {
+			md[strings.TrimPrefix(k, keyExporterMetaPrefix)] = strings.Join(v, ",")
+		}
+	}
+	wc, err := sp.f(md)
+	if err != nil {
+		return err
+	}
+	if wc == nil {
+		return status.Errorf(codes.AlreadyExists, "target already exists")
+	}
+	defer wc.Close()
+	return writeTargetFile(stream, wc)
 }
 
 func CopyToCaller(ctx context.Context, fs fsutil.FS, c session.Caller, progress func(int, bool)) error {
@@ -275,13 +291,13 @@ func CopyToCaller(ctx context.Context, fs fsutil.FS, c session.Caller, progress
 
 	cc, err := client.DiffCopy(ctx)
 	if err != nil {
-		return err
+		return errors.WithStack(err)
 	}
 
 	return sendDiffCopy(cc, fs, progress)
 }
 
-func CopyFileWriter(ctx context.Context, c session.Caller) (io.WriteCloser, error) {
+func CopyFileWriter(ctx context.Context, md map[string]string, c session.Caller) (io.WriteCloser, error) {
 	method := session.MethodURL(_FileSend_serviceDesc.ServiceName, "diffcopy")
 	if !c.Supports(method) {
 		return nil, errors.Errorf("method %s not supported by the client", method)
@@ -289,9 +305,16 @@ func CopyFileWriter(ctx context.Context, c session.Caller) (io.WriteCloser, erro
 
 	client := NewFileSendClient(c.Conn())
 
+	opts := make(map[string][]string, len(md))
+	for k, v := range md {
+		opts[keyExporterMetaPrefix+k] = []string{v}
+	}
+
+	ctx = metadata.NewOutgoingContext(ctx, opts)
+
 	cc, err := client.DiffCopy(ctx)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 
 	return newStreamWriter(cc), nil

vendor/github.com/moby/buildkit/session/secrets/secrets.go

@@ -21,10 +21,10 @@ func GetSecret(ctx context.Context, c session.Caller, id string) ([]byte, error)
 		ID: id,
 	})
 	if err != nil {
-		if st, ok := status.FromError(err); ok && (st.Code() == codes.Unimplemented || st.Code() == codes.NotFound) {
+		if st, ok := status.FromError(errors.Cause(err)); ok && (st.Code() == codes.Unimplemented || st.Code() == codes.NotFound) {
 			return nil, errors.Wrapf(ErrNotFound, "secret %s not found", id)
 		}
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	return resp.Data, nil
 }

vendor/github.com/moby/buildkit/session/sshforward/copy.go

@@ -3,23 +3,24 @@ package sshforward
 import (
 	io "io"
 
+	"github.com/pkg/errors"
 	context "golang.org/x/net/context"
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc"
 )
 
-func Copy(ctx context.Context, conn io.ReadWriteCloser, stream grpc.Stream) error {
+func Copy(ctx context.Context, conn io.ReadWriteCloser, stream grpc.Stream, closeStream func() error) error {
 	g, ctx := errgroup.WithContext(ctx)
 
 	g.Go(func() (retErr error) {
 		p := &BytesMessage{}
 		for {
 			if err := stream.RecvMsg(p); err != nil {
+				conn.Close()
 				if err == io.EOF {
 					return nil
 				}
-				conn.Close()
-				return err
+				return errors.WithStack(err)
 			}
 			select {
 			case <-ctx.Done():
@@ -29,7 +30,7 @@ func Copy(ctx context.Context, conn io.ReadWriteCloser, stream grpc.Stream) erro
 			}
 			if _, err := conn.Write(p.Data); err != nil {
 				conn.Close()
-				return err
+				return errors.WithStack(err)
 			}
 			p.Data = p.Data[:0]
 		}
@@ -41,9 +42,12 @@ func Copy(ctx context.Context, conn io.ReadWriteCloser, stream grpc.Stream) erro
 			n, err := conn.Read(buf)
 			switch {
 			case err == io.EOF:
+				if closeStream != nil {
+					closeStream()
+				}
 				return nil
 			case err != nil:
-				return err
+				return errors.WithStack(err)
 			}
 			select {
 			case <-ctx.Done():
@@ -52,7 +56,7 @@ func Copy(ctx context.Context, conn io.ReadWriteCloser, stream grpc.Stream) erro
 			}
 			p := &BytesMessage{Data: buf[:n]}
 			if err := stream.SendMsg(p); err != nil {
-				return err
+				return errors.WithStack(err)
 			}
 		}
 	})

vendor/github.com/moby/buildkit/session/sshforward/ssh.go

@@ -7,6 +7,7 @@ import (
 	"path/filepath"
 
 	"github.com/moby/buildkit/session"
+	"github.com/pkg/errors"
 	context "golang.org/x/net/context"
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc/metadata"
@@ -48,7 +49,7 @@ func (s *server) run(ctx context.Context, l net.Listener, id string) error {
 				return err
 			}
 
-			go Copy(ctx, conn, stream)
+			go Copy(ctx, conn, stream, stream.CloseSend)
 		}
 	})
 
@@ -65,7 +66,7 @@ type SocketOpt struct {
 func MountSSHSocket(ctx context.Context, c session.Caller, opt SocketOpt) (sockPath string, closer func() error, err error) {
 	dir, err := ioutil.TempDir("", ".buildkit-ssh-sock")
 	if err != nil {
-		return "", nil, err
+		return "", nil, errors.WithStack(err)
 	}
 
 	defer func() {
@@ -78,16 +79,16 @@ func MountSSHSocket(ctx context.Context, c session.Caller, opt SocketOpt) (sockP
 
 	l, err := net.Listen("unix", sockPath)
 	if err != nil {
-		return "", nil, err
+		return "", nil, errors.WithStack(err)
 	}
 
 	if err := os.Chown(sockPath, opt.UID, opt.GID); err != nil {
 		l.Close()
-		return "", nil, err
+		return "", nil, errors.WithStack(err)
 	}
 	if err := os.Chmod(sockPath, os.FileMode(opt.Mode)); err != nil {
 		l.Close()
-		return "", nil, err
+		return "", nil, errors.WithStack(err)
 	}
 
 	s := &server{caller: c}
@@ -102,12 +103,12 @@ func MountSSHSocket(ctx context.Context, c session.Caller, opt SocketOpt) (sockP
 	return sockPath, func() error {
 		err := l.Close()
 		os.RemoveAll(sockPath)
-		return err
+		return errors.WithStack(err)
 	}, nil
 }
 
 func CheckSSHID(ctx context.Context, c session.Caller, id string) error {
 	client := NewSSHClient(c.Conn())
 	_, err := client.CheckAgent(ctx, &CheckAgentRequest{ID: id})
-	return err
+	return errors.WithStack(err)
 }

vendor/github.com/moby/buildkit/session/sshforward/sshprovider/agentprovider.go

@@ -114,7 +114,7 @@ func (sp *socketProvider) ForwardAgent(stream sshforward.SSH_ForwardAgentServer)
 
 	eg.Go(func() error {
 		defer s1.Close()
-		return sshforward.Copy(ctx, s2, stream)
+		return sshforward.Copy(ctx, s2, stream, nil)
 	})
 
 	return eg.Wait()

vendor/github.com/moby/buildkit/session/upload/upload.go

@@ -6,6 +6,7 @@ import (
 	"net/url"
 
 	"github.com/moby/buildkit/session"
+	"github.com/pkg/errors"
 	"google.golang.org/grpc/metadata"
 )
 
@@ -26,7 +27,7 @@ func New(ctx context.Context, c session.Caller, url *url.URL) (*Upload, error) {
 
 	cc, err := client.Pull(ctx)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 
 	return &Upload{cc: cc}, nil
@@ -44,12 +45,12 @@ func (u *Upload) WriteTo(w io.Writer) (int, error) {
 			if err == io.EOF {
 				return n, nil
 			}
-			return n, err
+			return n, errors.WithStack(err)
 		}
 		nn, err := w.Write(bm.Data)
 		n += nn
 		if err != nil {
-			return n, err
+			return n, errors.WithStack(err)
 		}
 	}
 }

vendor/github.com/moby/buildkit/solver/pb/caps.go

@@ -30,19 +30,20 @@ const (
 
 	CapBuildOpLLBFileName apicaps.CapID = "source.buildop.llbfilename"
 
-	CapExecMetaBase            apicaps.CapID = "exec.meta.base"
-	CapExecMetaProxy           apicaps.CapID = "exec.meta.proxyenv"
-	CapExecMetaNetwork         apicaps.CapID = "exec.meta.network"
-	CapExecMetaSecurity        apicaps.CapID = "exec.meta.security"
-	CapExecMetaSetsDefaultPath apicaps.CapID = "exec.meta.setsdefaultpath"
-	CapExecMountBind           apicaps.CapID = "exec.mount.bind"
-	CapExecMountCache          apicaps.CapID = "exec.mount.cache"
-	CapExecMountCacheSharing   apicaps.CapID = "exec.mount.cache.sharing"
-	CapExecMountSelector       apicaps.CapID = "exec.mount.selector"
-	CapExecMountTmpfs          apicaps.CapID = "exec.mount.tmpfs"
-	CapExecMountSecret         apicaps.CapID = "exec.mount.secret"
-	CapExecMountSSH            apicaps.CapID = "exec.mount.ssh"
-	CapExecCgroupsMounted      apicaps.CapID = "exec.cgroup"
+	CapExecMetaBase                  apicaps.CapID = "exec.meta.base"
+	CapExecMetaProxy                 apicaps.CapID = "exec.meta.proxyenv"
+	CapExecMetaNetwork               apicaps.CapID = "exec.meta.network"
+	CapExecMetaSecurity              apicaps.CapID = "exec.meta.security"
+	CapExecMetaSetsDefaultPath       apicaps.CapID = "exec.meta.setsdefaultpath"
+	CapExecMountBind                 apicaps.CapID = "exec.mount.bind"
+	CapExecMountBindReadWriteNoOuput apicaps.CapID = "exec.mount.bind.readwrite-nooutput"
+	CapExecMountCache                apicaps.CapID = "exec.mount.cache"
+	CapExecMountCacheSharing         apicaps.CapID = "exec.mount.cache.sharing"
+	CapExecMountSelector             apicaps.CapID = "exec.mount.selector"
+	CapExecMountTmpfs                apicaps.CapID = "exec.mount.tmpfs"
+	CapExecMountSecret               apicaps.CapID = "exec.mount.secret"
+	CapExecMountSSH                  apicaps.CapID = "exec.mount.ssh"
+	CapExecCgroupsMounted            apicaps.CapID = "exec.cgroup"
 
 	CapFileBase apicaps.CapID = "file.base"
 
@@ -193,6 +194,12 @@ func init() {
 		Status:  apicaps.CapStatusExperimental,
 	})
 
+	Caps.Init(apicaps.Cap{
+		ID:      CapExecMountBindReadWriteNoOuput,
+		Enabled: true,
+		Status:  apicaps.CapStatusExperimental,
+	})
+
 	Caps.Init(apicaps.Cap{
 		ID:      CapExecMountCache,
 		Enabled: true,

vendor/github.com/tonistiigi/fsutil/stat.go

@@ -49,6 +49,9 @@ func mkstat(path, relpath string, fi os.FileInfo, inodemap map[uint64]string) (*
 		stat.Mode = noPermPart | permPart
 	}
 
+	// Clear the socket bit since archive/tar.FileInfoHeader does not handle it
+	stat.Mode &^= uint32(os.ModeSocket)
+
 	return stat, nil
 }
 

vendor/modules.txt

@@ -27,7 +27,7 @@ github.com/agl/ed25519/edwards25519
 github.com/beorn7/perks/quantile
 # github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
 github.com/containerd/console
-# github.com/containerd/containerd v1.3.0-0.20190426060238-3a3f0aac8819
+# github.com/containerd/containerd v1.3.0-0.20190507210959-7c1e88399ec0
 github.com/containerd/containerd/images
 github.com/containerd/containerd/platforms
 github.com/containerd/containerd/content
@@ -40,6 +40,7 @@ github.com/containerd/containerd/containers
 github.com/containerd/containerd/oci
 github.com/containerd/containerd/labels
 github.com/containerd/containerd/reference
+github.com/containerd/containerd/remotes/docker/schema1
 github.com/containerd/containerd/version
 github.com/containerd/containerd/filters
 github.com/containerd/containerd/sys
@@ -50,6 +51,7 @@ github.com/containerd/containerd/mount
 github.com/containerd/containerd/namespaces
 github.com/containerd/containerd/snapshots
 github.com/containerd/containerd
+github.com/containerd/containerd/archive/compression
 github.com/containerd/containerd/api/services/containers/v1
 github.com/containerd/containerd/api/services/diff/v1
 github.com/containerd/containerd/api/services/events/v1
@@ -62,7 +64,6 @@ github.com/containerd/containerd/api/services/tasks/v1
 github.com/containerd/containerd/api/services/version/v1
 github.com/containerd/containerd/api/types
 github.com/containerd/containerd/archive
-github.com/containerd/containerd/archive/compression
 github.com/containerd/containerd/cio
 github.com/containerd/containerd/defaults
 github.com/containerd/containerd/diff
@@ -73,7 +74,6 @@ github.com/containerd/containerd/leases
 github.com/containerd/containerd/leases/proxy
 github.com/containerd/containerd/pkg/dialer
 github.com/containerd/containerd/plugin
-github.com/containerd/containerd/remotes/docker/schema1
 github.com/containerd/containerd/rootfs
 github.com/containerd/containerd/runtime/linux/runctypes
 github.com/containerd/containerd/runtime/v2/runc/options
@@ -81,7 +81,7 @@ github.com/containerd/containerd/snapshots/proxy
 github.com/containerd/containerd/api/types/task
 github.com/containerd/containerd/events/exchange
 github.com/containerd/containerd/identifiers
-# github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc
+# github.com/containerd/continuity v0.0.0-20190827140505-75bee3e2ccb6
 github.com/containerd/continuity
 github.com/containerd/continuity/fs
 github.com/containerd/continuity/pathdriver
@@ -259,7 +259,7 @@ github.com/matttproud/golang_protobuf_extensions/pbutil
 github.com/miekg/pkcs11
 # github.com/mitchellh/mapstructure v1.1.2
 github.com/mitchellh/mapstructure
-# github.com/moby/buildkit v0.5.2-0.20190513182223-f238f1efb04f
+# github.com/moby/buildkit v0.6.2-0.20190921002054-ae10b292fefb
 github.com/moby/buildkit/session/auth/authprovider
 github.com/moby/buildkit/client
 github.com/moby/buildkit/session
@@ -303,7 +303,7 @@ github.com/opencontainers/go-digest
 github.com/opencontainers/image-spec/specs-go/v1
 github.com/opencontainers/image-spec/specs-go
 github.com/opencontainers/image-spec/identity
-# github.com/opencontainers/runc v1.0.1-0.20190307181833-2b18fe1d885e
+# github.com/opencontainers/runc v1.0.0-rc8
 github.com/opencontainers/runc/libcontainer/user
 github.com/opencontainers/runc/libcontainer/system
 # github.com/opencontainers/runtime-spec v1.0.1
@@ -355,7 +355,7 @@ github.com/theupdateframework/notary/trustmanager/yubikey
 github.com/theupdateframework/notary/tuf
 github.com/theupdateframework/notary/tuf/utils
 github.com/theupdateframework/notary/tuf/validation
-# github.com/tonistiigi/fsutil v0.0.0-20190327153851-3bbb99cdbd76
+# github.com/tonistiigi/fsutil v0.0.0-20190819224149-3d2716dd0a4d
 github.com/tonistiigi/fsutil/types
 github.com/tonistiigi/fsutil
 # github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea