
720 lines
19 KiB
Raw Normal View History

package main
import (
buildd: fix "Lockfiles must be given as absolute path names" error Tested with the standalone controller. Without this patch, the daemon fails to build an image: ERRO[0008] /control.Control/Solve returned error: Lockfiles must be given as absolute path names error creating lockfile .buildstate/content/ingest/b8bc9e0954dc1413b6ffd69c106a1d8967130398f50626b5c5a098c5149b0bf3/lock*store).ingestPaths /home/suda/gopath/src/*store).Writer /home/suda/gopath/src/ /home/suda/gopath/src/ /home/suda/gopath/src/ /home/suda/gopath/src/ /home/suda/gopath/src/ /home/suda/gopath/src/ /home/suda/gopath/src/*Group).Go.func1 /home/suda/gopath/src/ runtime.goexit /usr/local/go/src/runtime/asm_amd64.s:2197 Signed-off-by: Akihiro Suda <>
2017-06-12 08:49:48 +00:00
sddaemon ""
inlineremotecache ""
localremotecache ""
registryremotecache ""
dockerfile ""
specs ""
func init() {
apicaps.ExportedProduct = "buildkit"
type workerInitializerOpt struct {
config *config.Config
type workerInitializer struct {
fn func(c *cli.Context, common workerInitializerOpt) ([]worker.Worker, error)
// less priority number, more preferred
priority int
var (
appFlags []cli.Flag
workerInitializers []workerInitializer
func registerWorkerInitializer(wi workerInitializer, flags ...cli.Flag) {
workerInitializers = append(workerInitializers, wi)
func(i, j int) bool {
return workerInitializers[i].priority < workerInitializers[j].priority
appFlags = append(appFlags, flags...)
func main() {
cli.VersionPrinter = func(c *cli.Context) {
fmt.Println(c.App.Name, version.Package, c.App.Version, version.Revision)
app := cli.NewApp()
app.Name = "buildkitd"
app.Usage = "build daemon"
app.Version = version.Version
defaultConf, md, err := defaultConf()
if err != nil {
fmt.Fprintf(os.Stderr, "%+v\n", err)
rootlessUsage := "set all the default options to be compatible with rootless containers"
if system.RunningInUserNS() {
app.Flags = append(app.Flags, cli.BoolTFlag{
Name: "rootless",
Usage: rootlessUsage + " (default: true)",
} else {
app.Flags = append(app.Flags, cli.BoolFlag{
Name: "rootless",
Usage: rootlessUsage,
groupValue := func(gid int) string {
if md == nil || !md.IsDefined("grpc", "gid") {
return ""
return strconv.Itoa(gid)
app.Flags = append(app.Flags,
Name: "config",
Usage: "path to config file",
Value: defaultConfigPath(),
Name: "debug",
Usage: "enable debug output in logs",
Name: "root",
Usage: "path to state directory",
Value: defaultConf.Root,
Name: "addr",
Usage: "listening address (socket or tcp)",
Value: &cli.StringSlice{defaultConf.GRPC.Address[0]},
Name: "group",
Usage: "group (name or gid) which will own all Unix socket listening addresses",
Value: groupValue(defaultConf.GRPC.GID),
Name: "debugaddr",
Usage: "debugging address (eg.",
Value: defaultConf.GRPC.DebugAddress,
Name: "tlscert",
Usage: "certificate file to use",
Value: defaultConf.GRPC.TLS.Cert,
Name: "tlskey",
Usage: "key file to use",
Value: defaultConf.GRPC.TLS.Key,
Name: "tlscacert",
Usage: "ca certificate to verify clients",
Value: defaultConf.GRPC.TLS.CA,
Name: "allow-insecure-entitlement",
Usage: "allows insecure entitlements e.g., security.insecure",
app.Flags = append(app.Flags, appFlags...)
app.Action = func(c *cli.Context) error {
// TODO: On Windows this always returns -1. The actual "are you admin" check is very Windows-specific.
// See for the "short" version.
if os.Geteuid() > 0 {
return errors.New("rootless mode requires to be executed as the mapped root in a user namespace; you may use RootlessKit for setting up the namespace")
ctx, cancel := context.WithCancel(appcontext.Context())
defer cancel()
cfg, md, err := LoadFile(c.GlobalString("config"))
if err != nil {
return err
if err := applyMainFlags(c, &cfg, md); err != nil {
return err
if cfg.Debug {
if cfg.GRPC.DebugAddress != "" {
if err := setupDebugHandlers(cfg.GRPC.DebugAddress); err != nil {
return err
opts := []grpc.ServerOption{unaryInterceptor(ctx), grpc.StreamInterceptor(otgrpc.OpenTracingStreamServerInterceptor(tracer))}
server := grpc.NewServer(opts...)
buildd: fix "Lockfiles must be given as absolute path names" error Tested with the standalone controller. Without this patch, the daemon fails to build an image: ERRO[0008] /control.Control/Solve returned error: Lockfiles must be given as absolute path names error creating lockfile .buildstate/content/ingest/b8bc9e0954dc1413b6ffd69c106a1d8967130398f50626b5c5a098c5149b0bf3/lock*store).ingestPaths /home/suda/gopath/src/*store).Writer /home/suda/gopath/src/ /home/suda/gopath/src/ /home/suda/gopath/src/ /home/suda/gopath/src/ /home/suda/gopath/src/ /home/suda/gopath/src/ /home/suda/gopath/src/*Group).Go.func1 /home/suda/gopath/src/ runtime.goexit /usr/local/go/src/runtime/asm_amd64.s:2197 Signed-off-by: Akihiro Suda <>
2017-06-12 08:49:48 +00:00
// relative path does not work with nightlyone/lockfile
root, err := filepath.Abs(cfg.Root)
buildd: fix "Lockfiles must be given as absolute path names" error Tested with the standalone controller. Without this patch, the daemon fails to build an image: ERRO[0008] /control.Control/Solve returned error: Lockfiles must be given as absolute path names error creating lockfile .buildstate/content/ingest/b8bc9e0954dc1413b6ffd69c106a1d8967130398f50626b5c5a098c5149b0bf3/lock*store).ingestPaths /home/suda/gopath/src/*store).Writer /home/suda/gopath/src/ /home/suda/gopath/src/ /home/suda/gopath/src/ /home/suda/gopath/src/ /home/suda/gopath/src/ /home/suda/gopath/src/ /home/suda/gopath/src/*Group).Go.func1 /home/suda/gopath/src/ runtime.goexit /usr/local/go/src/runtime/asm_amd64.s:2197 Signed-off-by: Akihiro Suda <>
2017-06-12 08:49:48 +00:00
if err != nil {
return err
cfg.Root = root
if err := os.MkdirAll(root, 0700); err != nil {
return errors.Wrapf(err, "failed to create %s", root)
lockPath := filepath.Join(root, "buildkitd.lock")
lock := flock.New(lockPath)
locked, err := lock.TryLock()
if err != nil {
return errors.Wrapf(err, "could not lock %s", lockPath)
if !locked {
return errors.Errorf("could not lock %s, another instance running?", lockPath)
defer func() {
controller, err := newController(c, &cfg)
if err != nil {
return err
ents := c.GlobalStringSlice("allow-insecure-entitlement")
if len(ents) > 0 {
cfg.Entitlements = []string{}
for _, e := range ents {
switch e {
case "security.insecure":
cfg.Entitlements = append(cfg.Entitlements, e)
case "":
cfg.Entitlements = append(cfg.Entitlements, e)
return fmt.Errorf("invalid entitlement : %v", e)
errCh := make(chan error, 1)
if err := serveGRPC(cfg.GRPC, server, errCh); err != nil {
return err
select {
case serverErr := <-errCh:
err = serverErr
case <-ctx.Done():
err = ctx.Err()
logrus.Infof("stopping server")
if os.Getenv("NOTIFY_SOCKET") != "" {
notified, notifyErr := sddaemon.SdNotify(false, sddaemon.SdNotifyStopping)
logrus.Debugf("SdNotifyStopping notified=%v, err=%v", notified, notifyErr)
return err
app.After = func(context *cli.Context) error {
if closeTracer != nil {
return closeTracer.Close()
return nil
if err := app.Run(os.Args); err != nil {
fmt.Fprintf(os.Stderr, "buildkitd: %s\n", err)
func serveGRPC(cfg config.GRPCConfig, server *grpc.Server, errCh chan error) error {
addrs := cfg.Address
if len(addrs) == 0 {
return errors.New("--addr cannot be empty")
tlsConfig, err := serverCredentials(cfg.TLS)
if err != nil {
return err
eg, _ := errgroup.WithContext(context.Background())
listeners := make([]net.Listener, 0, len(addrs))
for _, addr := range addrs {
l, err := getListener(addr, cfg.UID, cfg.GID, tlsConfig)
if err != nil {
for _, l := range listeners {
return err
listeners = append(listeners, l)
if os.Getenv("NOTIFY_SOCKET") != "" {
notified, notifyErr := sddaemon.SdNotify(false, sddaemon.SdNotifyReady)
logrus.Debugf("SdNotifyReady notified=%v, err=%v", notified, notifyErr)
for _, l := range listeners {
func(l net.Listener) {
eg.Go(func() error {
defer l.Close()
logrus.Infof("running server on %s", l.Addr())
return server.Serve(l)
go func() {
errCh <- eg.Wait()
return nil
func defaultConfigPath() string {
if system.RunningInUserNS() {
return filepath.Join(appdefaults.UserConfigDir(), "buildkitd.toml")
return filepath.Join(appdefaults.ConfigDir, "buildkitd.toml")
func defaultConf() (config.Config, *toml.MetaData, error) {
cfg, md, err := LoadFile(defaultConfigPath())
if err != nil {
var pe os.PathError
if !errors.As(err, &pe) {
return config.Config{}, nil, err
return cfg, nil, nil
return cfg, md, nil
func setDefaultNetworkConfig(nc config.NetworkConfig) config.NetworkConfig {
if nc.Mode == "" {
nc.Mode = "auto"
if nc.CNIConfigPath == "" {
nc.CNIConfigPath = "/etc/buildkit/cni.json"
if nc.CNIBinaryPath == "" {
nc.CNIBinaryPath = "/opt/cni/bin"
return nc
func setDefaultConfig(cfg *config.Config) {
orig := *cfg
if cfg.Root == "" {
cfg.Root = appdefaults.Root
if len(cfg.GRPC.Address) == 0 {
cfg.GRPC.Address = []string{appdefaults.Address}
if cfg.Workers.OCI.Platforms == nil {
cfg.Workers.OCI.Platforms = binfmt_misc.SupportedPlatforms(false)
if cfg.Workers.Containerd.Platforms == nil {
cfg.Workers.Containerd.Platforms = binfmt_misc.SupportedPlatforms(false)
cfg.Workers.OCI.NetworkConfig = setDefaultNetworkConfig(cfg.Workers.OCI.NetworkConfig)
cfg.Workers.Containerd.NetworkConfig = setDefaultNetworkConfig(cfg.Workers.Containerd.NetworkConfig)
if system.RunningInUserNS() {
// if buildkitd is being executed as the mapped-root (not only EUID==0 but also $USER==root)
// in a user namespace, we need to enable the rootless mode but
// we don't want to honor $HOME for setting up default paths.
if u := os.Getenv("USER"); u != "" && u != "root" {
if orig.Root == "" {
cfg.Root = appdefaults.UserRoot()
if len(orig.GRPC.Address) == 0 {
cfg.GRPC.Address = []string{appdefaults.UserAddress()}
func applyMainFlags(c *cli.Context, cfg *config.Config, md *toml.MetaData) error {
if c.IsSet("debug") {
cfg.Debug = c.Bool("debug")
if c.IsSet("root") {
cfg.Root = c.String("root")
if c.IsSet("addr") || len(cfg.GRPC.Address) == 0 {
addrs := c.StringSlice("addr")
if len(addrs) > 1 {
addrs = addrs[1:] //
cfg.GRPC.Address = make([]string, 0, len(addrs))
for _, v := range addrs {
cfg.GRPC.Address = append(cfg.GRPC.Address, v)
if c.IsSet("allow-insecure-entitlement") {
//override values from config
cfg.Entitlements = c.StringSlice("allow-insecure-entitlement")
if c.IsSet("debugaddr") {
cfg.GRPC.DebugAddress = c.String("debugaddr")
if md == nil || !md.IsDefined("grpc", "uid") {
cfg.GRPC.UID = os.Getuid()
if md == nil || !md.IsDefined("grpc", "gid") {
cfg.GRPC.GID = os.Getgid()
if group := c.String("group"); group != "" {
gid, err := groupToGid(group)
if err != nil {
return err
cfg.GRPC.GID = gid
if tlscert := c.String("tlscert"); tlscert != "" {
cfg.GRPC.TLS.Cert = tlscert
if tlskey := c.String("tlskey"); tlskey != "" {
cfg.GRPC.TLS.Key = tlskey
if tlsca := c.String("tlscacert"); tlsca != "" {
cfg.GRPC.TLS.CA = tlsca
return nil
// Convert a string containing either a group name or a stringified gid into a numeric id)
func groupToGid(group string) (int, error) {
if group == "" {
return os.Getgid(), nil
var (
err error
id int
// Try and parse as a number, if the error is ErrSyntax
// (i.e. its not a number) then we carry on and try it as a
// name.
if id, err = strconv.Atoi(group); err == nil {
return id, nil
} else if err.(*strconv.NumError).Err != strconv.ErrSyntax {
return 0, err
ginfo, err := user.LookupGroup(group)
if err != nil {
return 0, err
group = ginfo.Gid
if id, err = strconv.Atoi(group); err != nil {
return 0, err
return id, nil
func getListener(addr string, uid, gid int, tlsConfig *tls.Config) (net.Listener, error) {
addrSlice := strings.SplitN(addr, "://", 2)
if len(addrSlice) < 2 {
return nil, errors.Errorf("address %s does not contain proto, you meant unix://%s ?",
addr, addr)
proto := addrSlice[0]
listenAddr := addrSlice[1]
switch proto {
case "unix", "npipe":
if tlsConfig != nil {
logrus.Warnf("TLS is disabled for %s", addr)
return sys.GetLocalListener(listenAddr, uid, gid)
case "tcp":
if tlsConfig == nil {
logrus.Warnf("TLS is not enabled for %s. enabling mutual TLS authentication is highly recommended", addr)
return sockets.NewTCPSocket(listenAddr, tlsConfig)
return nil, errors.Errorf("addr %s not supported", addr)
func unaryInterceptor(globalCtx context.Context) grpc.ServerOption {
withTrace := otgrpc.OpenTracingServerInterceptor(tracer, otgrpc.LogPayloads())
return grpc.UnaryInterceptor(func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp interface{}, err error) {
ctx, cancel := context.WithCancel(ctx)
defer cancel()
go func() {
select {
case <-ctx.Done():
case <-globalCtx.Done():
resp, err = withTrace(ctx, req, info, handler)
if err != nil {
logrus.Errorf("%s returned error: %+v", info.FullMethod, err)
func serverCredentials(cfg config.TLSConfig) (*tls.Config, error) {
certFile := cfg.Cert
keyFile := cfg.Key
caFile := cfg.CA
if certFile == "" && keyFile == "" {
return nil, nil
err := errors.New("you must specify key and cert file if one is specified")
if certFile == "" {
return nil, err
if keyFile == "" {
return nil, err
certificate, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
return nil, errors.Wrap(err, "could not load server key pair")
tlsConf := &tls.Config{
Certificates: []tls.Certificate{certificate},
if caFile != "" {
certPool := x509.NewCertPool()
ca, err := ioutil.ReadFile(caFile)
if err != nil {
return nil, errors.Wrap(err, "could not read ca certificate")
// Append the client certificates from the CA
if ok := certPool.AppendCertsFromPEM(ca); !ok {
return nil, errors.New("failed to append ca cert")
tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
tlsConf.ClientCAs = certPool
return tlsConf, nil
func newController(c *cli.Context, cfg *config.Config) (*control.Controller, error) {
sessionManager, err := session.NewManager()
if err != nil {
return nil, err
wc, err := newWorkerController(c, workerInitializerOpt{
config: cfg,
if err != nil {
return nil, err
frontends := map[string]frontend.Frontend{}
frontends["dockerfile.v0"] = forwarder.NewGatewayForwarder(wc, dockerfile.Build)
frontends["gateway.v0"] = gateway.NewGatewayFrontend(wc)
cacheStorage, err := bboltcachestorage.NewStore(filepath.Join(cfg.Root, "cache.db"))
if err != nil {
return nil, err
resolverFn := resolverFunc(cfg)
w, err := wc.GetDefault()
if err != nil {
return nil, err
remoteCacheExporterFuncs := map[string]remotecache.ResolveCacheExporterFunc{
"registry": registryremotecache.ResolveCacheExporterFunc(sessionManager, resolverFn),
"local": localremotecache.ResolveCacheExporterFunc(sessionManager),
"inline": inlineremotecache.ResolveCacheExporterFunc(),
remoteCacheImporterFuncs := map[string]remotecache.ResolveCacheImporterFunc{
"registry": registryremotecache.ResolveCacheImporterFunc(sessionManager, w.ContentStore(), resolverFn),
"local": localremotecache.ResolveCacheImporterFunc(sessionManager),
return control.NewController(control.Opt{
SessionManager: sessionManager,
WorkerController: wc,
Frontends: frontends,
ResolveCacheExporterFuncs: remoteCacheExporterFuncs,
ResolveCacheImporterFuncs: remoteCacheImporterFuncs,
CacheKeyStorage: cacheStorage,
Entitlements: cfg.Entitlements,
func resolverFunc(cfg *config.Config) docker.RegistryHosts {
return resolver.NewRegistryConfig(cfg.Registries)
func newWorkerController(c *cli.Context, wiOpt workerInitializerOpt) (*worker.Controller, error) {
wc := &worker.Controller{}
nWorkers := 0
for _, wi := range workerInitializers {
ws, err := wi.fn(c, wiOpt)
if err != nil {
return nil, err
for _, w := range ws {
p := formatPlatforms(w.Platforms(false))
logrus.Infof("found worker %q, labels=%v, platforms=%v", w.ID(), w.Labels(), p)
if err = wc.Add(w); err != nil {
return nil, err
if nWorkers == 0 {
return nil, errors.New("no worker found, rebuild the buildkit daemon?")
defaultWorker, err := wc.GetDefault()
if err != nil {
return nil, err
logrus.Infof("found %d workers, default=%q", nWorkers, defaultWorker.ID())
logrus.Warn("currently, only the default worker can be used.")
return wc, nil
func attrMap(sl []string) (map[string]string, error) {
m := map[string]string{}
for _, v := range sl {
parts := strings.SplitN(v, "=", 2)
if len(parts) != 2 {
return nil, errors.Errorf("invalid value %s", v)
m[parts[0]] = parts[1]
return m, nil
func formatPlatforms(p []specs.Platform) []string {
str := make([]string, 0, len(p))
for _, pp := range p {
str = append(str, platforms.Format(platforms.Normalize(pp)))
return str
func parsePlatforms(platformsStr []string) ([]specs.Platform, error) {
out := make([]specs.Platform, 0, len(platformsStr))
for _, s := range platformsStr {
p, err := platforms.Parse(s)
if err != nil {
return nil, err
out = append(out, platforms.Normalize(p))
return out, nil
func getGCPolicy(cfg config.GCConfig, root string) []client.PruneInfo {
if cfg.GC != nil && !*cfg.GC {
return nil
if len(cfg.GCPolicy) == 0 {
cfg.GCPolicy = config.DefaultGCPolicy(root, cfg.GCKeepStorage)
out := make([]client.PruneInfo, 0, len(cfg.GCPolicy))
for _, rule := range cfg.GCPolicy {
out = append(out, client.PruneInfo{
Filter: rule.Filters,
All: rule.All,
KeepBytes: rule.KeepBytes,
KeepDuration: time.Duration(rule.KeepDuration) * time.Second,
return out
func getDNSConfig(cfg *config.DNSConfig) *oci.DNSConfig {
var dns *oci.DNSConfig
if cfg != nil {
dns = &oci.DNSConfig{
Nameservers: cfg.Nameservers,
Options: cfg.Options,
SearchDomains: cfg.SearchDomains,
return dns