diff --git a/api/services/control/control.pb.go b/api/services/control/control.pb.go index 48f277e4..a5bfa63d 100644 --- a/api/services/control/control.pb.go +++ b/api/services/control/control.pb.go @@ -35,6 +35,7 @@ import pb "github.com/moby/buildkit/solver/pb" import moby_buildkit_v1_types "github.com/moby/buildkit/api/types" import time "time" +import github_com_moby_buildkit_util_entitlements "github.com/moby/buildkit/util/entitlements" import github_com_opencontainers_go_digest "github.com/opencontainers/go-digest" import context "golang.org/x/net/context" 
@@ -225,14 +226,15 @@ func (m *UsageRecord) GetShared() bool { } type SolveRequest struct { - Ref string `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"` - Definition *pb.Definition `protobuf:"bytes,2,opt,name=Definition" json:"Definition,omitempty"` - Exporter string `protobuf:"bytes,3,opt,name=Exporter,proto3" json:"Exporter,omitempty"` - ExporterAttrs map[string]string `protobuf:"bytes,4,rep,name=ExporterAttrs" json:"ExporterAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - Session string `protobuf:"bytes,5,opt,name=Session,proto3" json:"Session,omitempty"` - Frontend string `protobuf:"bytes,6,opt,name=Frontend,proto3" json:"Frontend,omitempty"` - FrontendAttrs map[string]string `protobuf:"bytes,7,rep,name=FrontendAttrs" json:"FrontendAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - Cache CacheOptions `protobuf:"bytes,8,opt,name=Cache" json:"Cache"` + Ref string `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"` + Definition *pb.Definition `protobuf:"bytes,2,opt,name=Definition" json:"Definition,omitempty"` + Exporter string `protobuf:"bytes,3,opt,name=Exporter,proto3" json:"Exporter,omitempty"` + ExporterAttrs map[string]string `protobuf:"bytes,4,rep,name=ExporterAttrs" json:"ExporterAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + Session string `protobuf:"bytes,5,opt,name=Session,proto3" json:"Session,omitempty"` + Frontend string `protobuf:"bytes,6,opt,name=Frontend,proto3" json:"Frontend,omitempty"` + FrontendAttrs map[string]string `protobuf:"bytes,7,rep,name=FrontendAttrs" json:"FrontendAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + Cache CacheOptions `protobuf:"bytes,8,opt,name=Cache" json:"Cache"` + Entitlements []github_com_moby_buildkit_util_entitlements.Entitlement 
`protobuf:"bytes,9,rep,name=Entitlements,customtype=github.com/moby/buildkit/util/entitlements.Entitlement" json:"Entitlements,omitempty"` } func (m *SolveRequest) Reset() { *m = SolveRequest{} } @@ -1238,6 +1240,21 @@ func (m *SolveRequest) MarshalTo(dAtA []byte) (int, error) { return 0, err } i += n4 + if len(m.Entitlements) > 0 { + for _, s := range m.Entitlements { + dAtA[i] = 0x4a + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } return i, nil } @@ -1833,6 +1850,12 @@ func (m *SolveRequest) Size() (n int) { } l = m.Cache.Size() n += 1 + l + sovControl(uint64(l)) + if len(m.Entitlements) > 0 { + for _, s := range m.Entitlements { + l = len(s) + n += 1 + l + sovControl(uint64(l)) + } + } return n } @@ -3111,6 +3134,35 @@ func (m *SolveRequest) Unmarshal(dAtA []byte) error { return err } iNdEx = postIndex + case 9: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Entitlements", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowControl + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthControl + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Entitlements = append(m.Entitlements, github_com_moby_buildkit_util_entitlements.Entitlement(dAtA[iNdEx:postIndex])) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipControl(dAtA[iNdEx:]) 
@@ -4779,83 +4831,85 @@ var ( func init() { proto.RegisterFile("control.proto", fileDescriptorControl) } var fileDescriptorControl = []byte{ - // 1241 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x57, 0xcf, 0x6f, 0x1b, 0xc5, - 0x17, 0xef, 0xda, 0x8e, 0xed, 0x7d, 0x76, 0xaa, 0x7c, 0xe7, 0x0b, 0xd5, 0x6a, 0x81, 0xc4, 0x2c, - 0x20, 0x59, 0x55, 0xbb, 0xdb, 0x06, 0x2a, 0xa1, 0x08, 0x55, 0xad, 0xe3, 0x22, 0x12, 0x25, 0xa2, - 0xac, 0x13, 0x2a, 0x71, 0x5b, 0xdb, 0x13, 0x67, 0xe5, 0xf5, 0xce, 0x32, 0x33, 0x1b, 0x6a, 0xfe, - 0x00, 0xce, 0x1c, 0xf8, 0x4f, 0x38, 0xf0, 0x17, 0x20, 0xe5, 0xc8, 0x99, 0x43, 0x8a, 0x72, 0x87, - 0x3b, 0x37, 0x34, 0x3f, 0xd6, 0x5e, 0xc7, 0x4e, 0x9c, 0xa4, 0xa7, 0xcc, 0x7b, 0xfe, 0xbc, 0xcf, - 0xbe, 0x5f, 0x33, 0xef, 0x05, 0x56, 0x7b, 0x24, 0xe6, 0x94, 0x44, 0x6e, 0x42, 0x09, 0x27, 0x68, - 0x6d, 0x44, 0xba, 0x63, 0xb7, 0x9b, 0x86, 0x51, 0x7f, 0x18, 0x72, 0xf7, 0xe4, 0xb1, 0xfd, 0x70, - 0x10, 0xf2, 0xe3, 0xb4, 0xeb, 0xf6, 0xc8, 0xc8, 0x1b, 0x90, 0x01, 0xf1, 0x24, 0xb0, 0x9b, 0x1e, - 0x49, 0x49, 0x0a, 0xf2, 0xa4, 0x08, 0xec, 0x8d, 0x01, 0x21, 0x83, 0x08, 0x4f, 0x51, 0x3c, 0x1c, - 0x61, 0xc6, 0x83, 0x51, 0xa2, 0x01, 0x0f, 0x72, 0x7c, 0xe2, 0x63, 0x5e, 0xf6, 0x31, 0x8f, 0x91, - 0xe8, 0x04, 0x53, 0x2f, 0xe9, 0x7a, 0x24, 0x61, 0x1a, 0xed, 0x5d, 0x8a, 0x0e, 0x92, 0xd0, 0xe3, - 0xe3, 0x04, 0x33, 0xef, 0x07, 0x42, 0x87, 0x98, 0x2a, 0x03, 0xe7, 0x27, 0x03, 0xea, 0x2f, 0x69, - 0x1a, 0x63, 0x1f, 0x7f, 0x9f, 0x62, 0xc6, 0xd1, 0x3d, 0x28, 0x1f, 0x85, 0x11, 0xc7, 0xd4, 0x32, - 0x1a, 0xc5, 0xa6, 0xe9, 0x6b, 0x09, 0xad, 0x41, 0x31, 0x88, 0x22, 0xab, 0xd0, 0x30, 0x9a, 0x55, - 0x5f, 0x1c, 0x51, 0x13, 0xea, 0x43, 0x8c, 0x93, 0x76, 0x4a, 0x03, 0x1e, 0x92, 0xd8, 0x2a, 0x36, - 0x8c, 0x66, 0xb1, 0x55, 0x3a, 0x3d, 0xdb, 0x30, 0xfc, 0x99, 0x5f, 0x90, 0x03, 0xa6, 0x90, 0x5b, - 0x63, 0x8e, 0x99, 0x55, 0xca, 0xc1, 0xa6, 0x6a, 0xe7, 0x3e, 0xac, 0xb5, 0x43, 0x36, 0x3c, 0x64, - 0xc1, 0x60, 0x99, 0x2f, 0xce, 0x2e, 0xfc, 
0x2f, 0x87, 0x65, 0x09, 0x89, 0x19, 0x46, 0x4f, 0xa0, - 0x4c, 0x71, 0x8f, 0xd0, 0xbe, 0x04, 0xd7, 0x36, 0x3f, 0x70, 0x2f, 0xd6, 0xc6, 0xd5, 0x06, 0x02, - 0xe4, 0x6b, 0xb0, 0xf3, 0x6f, 0x01, 0x6a, 0x39, 0x3d, 0xba, 0x0b, 0x85, 0x9d, 0xb6, 0x65, 0x34, - 0x8c, 0xa6, 0xe9, 0x17, 0x76, 0xda, 0xc8, 0x82, 0xca, 0x7e, 0xca, 0x83, 0x6e, 0x84, 0x75, 0xec, - 0x99, 0x88, 0xde, 0x81, 0x95, 0x9d, 0xf8, 0x90, 0x61, 0x19, 0x78, 0xd5, 0x57, 0x02, 0x42, 0x50, - 0xea, 0x84, 0x3f, 0x62, 0x15, 0xa6, 0x2f, 0xcf, 0x22, 0x8e, 0x97, 0x01, 0xc5, 0x31, 0xb7, 0x56, - 0x24, 0xaf, 0x96, 0x50, 0x0b, 0xcc, 0x6d, 0x8a, 0x03, 0x8e, 0xfb, 0xcf, 0xb9, 0x55, 0x6e, 0x18, - 0xcd, 0xda, 0xa6, 0xed, 0xaa, 0x86, 0x70, 0xb3, 0x86, 0x70, 0x0f, 0xb2, 0x86, 0x68, 0x55, 0x4f, - 0xcf, 0x36, 0xee, 0xfc, 0xfc, 0x46, 0xe4, 0x6d, 0x62, 0x86, 0x9e, 0x01, 0xec, 0x05, 0x8c, 0x1f, - 0x32, 0x49, 0x52, 0x59, 0x4a, 0x52, 0x92, 0x04, 0x39, 0x1b, 0xb4, 0x0e, 0x20, 0x13, 0xb0, 0x4d, - 0xd2, 0x98, 0x5b, 0x55, 0xe9, 0x77, 0x4e, 0x83, 0x1a, 0x50, 0x6b, 0x63, 0xd6, 0xa3, 0x61, 0x22, - 0xcb, 0x6c, 0xca, 0x10, 0xf2, 0x2a, 0xc1, 0xa0, 0xb2, 0x77, 0x30, 0x4e, 0xb0, 0x05, 0x12, 0x90, - 0xd3, 0x88, 0xf8, 0x3b, 0xc7, 0x01, 0xc5, 0x7d, 0xab, 0x26, 0x53, 0xa5, 0x25, 0xe7, 0x97, 0x12, - 0xd4, 0x3b, 0xa2, 0x8b, 0xb3, 0x82, 0xaf, 0x41, 0xd1, 0xc7, 0x47, 0x3a, 0xfb, 0xe2, 0x88, 0x5c, - 0x80, 0x36, 0x3e, 0x0a, 0xe3, 0x50, 0x7e, 0xbb, 0x20, 0xc3, 0xbb, 0xeb, 0x26, 0x5d, 0x77, 0xaa, - 0xf5, 0x73, 0x08, 0x64, 0x43, 0xf5, 0xc5, 0xeb, 0x84, 0x50, 0xd1, 0x34, 0x45, 0x49, 0x33, 0x91, - 0xd1, 0x2b, 0x58, 0xcd, 0xce, 0xcf, 0x39, 0xa7, 0xa2, 0x15, 0x45, 0xa3, 0x3c, 0x9e, 0x6f, 0x94, - 0xbc, 0x53, 0xee, 0x8c, 0xcd, 0x8b, 0x98, 0xd3, 0xb1, 0x3f, 0xcb, 0x23, 0x7a, 0xa4, 0x83, 0x19, - 0x13, 0x1e, 0xaa, 0x02, 0x67, 0xa2, 0x70, 0xe7, 0x4b, 0x4a, 0x62, 0x8e, 0xe3, 0xbe, 0x2c, 0xb0, - 0xe9, 0x4f, 0x64, 0xe1, 0x4e, 0x76, 0x56, 0xee, 0x54, 0xae, 0xe5, 0xce, 0x8c, 0x8d, 0x76, 0x67, - 0x46, 0x87, 0xb6, 0x60, 0x65, 0x3b, 0xe8, 0x1d, 0x63, 0x59, 0xcb, 0xda, 0xe6, 
0xfa, 0x3c, 0xa1, - 0xfc, 0xf9, 0x6b, 0x59, 0x3c, 0x26, 0xaf, 0xe2, 0x1d, 0x5f, 0x99, 0xd8, 0xcf, 0x00, 0xcd, 0xc7, - 0x2b, 0xea, 0x32, 0xc4, 0xe3, 0xac, 0x2e, 0x43, 0x3c, 0x16, 0xcd, 0x7f, 0x12, 0x44, 0xa9, 0xba, - 0x14, 0xa6, 0xaf, 0x84, 0xad, 0xc2, 0xe7, 0x86, 0x60, 0x98, 0x77, 0xf1, 0x26, 0x0c, 0xce, 0x1b, - 0x03, 0xea, 0x79, 0x0f, 0xd1, 0xfb, 0x60, 0x2a, 0xa7, 0xa6, 0xcd, 0x31, 0x55, 0x88, 0xee, 0xdb, - 0x19, 0x69, 0x81, 0x59, 0x05, 0xf9, 0x52, 0xe4, 0x34, 0xe8, 0x1b, 0xa8, 0x29, 0xb0, 0xca, 0x72, - 0x51, 0x66, 0xd9, 0xbb, 0x3a, 0x29, 0x6e, 0xce, 0x42, 0xe5, 0x38, 0xcf, 0x61, 0x3f, 0x85, 0xb5, - 0x8b, 0x80, 0x1b, 0x45, 0xf8, 0x9b, 0x01, 0xab, 0xba, 0xa8, 0xfa, 0xf5, 0x0a, 0x32, 0x46, 0x4c, - 0x33, 0x9d, 0x7e, 0xc7, 0x9e, 0x5c, 0xda, 0x0f, 0x0a, 0xe6, 0x5e, 0xb4, 0x53, 0xfe, 0xce, 0xd1, - 0xd9, 0xdb, 0xf0, 0xee, 0x42, 0xe8, 0x8d, 0x3c, 0xff, 0x10, 0x56, 0x3b, 0x3c, 0xe0, 0x29, 0xbb, - 0xf4, 0xca, 0x3a, 0xbf, 0x1a, 0x70, 0x37, 0xc3, 0xe8, 0xe8, 0x3e, 0x83, 0xea, 0x09, 0xa6, 0x1c, - 0xbf, 0xc6, 0x4c, 0x47, 0x65, 0xcd, 0x47, 0xf5, 0xad, 0x44, 0xf8, 0x13, 0x24, 0xda, 0x82, 0x2a, - 0x93, 0x3c, 0x58, 0x95, 0x75, 0x61, 0x2b, 0x2b, 0x2b, 0xfd, 0xbd, 0x09, 0x1e, 0x79, 0x50, 0x8a, - 0xc8, 0x20, 0xab, 0xf6, 0x7b, 0x97, 0xd9, 0xed, 0x91, 0x81, 0x2f, 0x81, 0xce, 0x59, 0x01, 0xca, - 0x4a, 0x87, 0x76, 0xa1, 0xdc, 0x0f, 0x07, 0x98, 0x71, 0x15, 0x55, 0x6b, 0x53, 0x5c, 0x90, 0x3f, - 0xcf, 0x36, 0xee, 0xe7, 0x86, 0x2b, 0x49, 0x70, 0x2c, 0x56, 0x81, 0x20, 0x8c, 0x31, 0x65, 0xde, - 0x80, 0x3c, 0x54, 0x26, 0x6e, 0x5b, 0xfe, 0xf1, 0x35, 0x83, 0xe0, 0x0a, 0xe3, 0x24, 0xe5, 0xba, - 0x31, 0x6f, 0xc7, 0xa5, 0x18, 0xc4, 0x68, 0x89, 0x83, 0x11, 0xd6, 0xef, 0x9a, 0x3c, 0x8b, 0xa7, - 0xb5, 0x27, 0xfa, 0xb6, 0x2f, 0x07, 0x4e, 0xd5, 0xd7, 0x12, 0xda, 0x82, 0x0a, 0xe3, 0x01, 0xe5, - 0xb8, 0x2f, 0x9f, 0xa4, 0xeb, 0xcc, 0x84, 0xcc, 0x00, 0x3d, 0x05, 0xb3, 0x47, 0x46, 0x49, 0x84, - 0x85, 0x75, 0xf9, 0x9a, 0xd6, 0x53, 0x13, 0xd1, 0x3d, 0x98, 0x52, 0x42, 0xe5, 0x34, 0x32, 0x7d, - 0x25, 0x38, 0xff, 
0x14, 0xa0, 0x9e, 0x2f, 0xd6, 0xdc, 0xa4, 0xdd, 0x85, 0xb2, 0x2a, 0xbd, 0xea, - 0xba, 0xdb, 0xa5, 0x4a, 0x31, 0x2c, 0x4c, 0x95, 0x05, 0x95, 0x5e, 0x4a, 0xe5, 0x18, 0x56, 0xc3, - 0x39, 0x13, 0x85, 0xc3, 0x9c, 0xf0, 0x20, 0x92, 0xa9, 0x2a, 0xfa, 0x4a, 0x10, 0xd3, 0x79, 0xb2, - 0x8c, 0xdd, 0x6c, 0x3a, 0x4f, 0xcc, 0xf2, 0x65, 0xa8, 0xbc, 0x55, 0x19, 0xaa, 0x37, 0x2e, 0x83, - 0xf3, 0xbb, 0x01, 0xe6, 0xa4, 0xcb, 0x73, 0xd9, 0x35, 0xde, 0x3a, 0xbb, 0x33, 0x99, 0x29, 0xdc, - 0x2e, 0x33, 0xf7, 0xa0, 0xcc, 0x38, 0xc5, 0xc1, 0x48, 0xed, 0x8d, 0xbe, 0x96, 0xc4, 0x7b, 0x32, - 0x62, 0x03, 0x59, 0xa1, 0xba, 0x2f, 0x8e, 0x8e, 0x03, 0x75, 0xb9, 0x22, 0xee, 0x63, 0x26, 0x96, - 0x12, 0x51, 0xdb, 0x7e, 0xc0, 0x03, 0x19, 0x47, 0xdd, 0x97, 0x67, 0xe7, 0x01, 0xa0, 0xbd, 0x90, - 0xf1, 0x57, 0x72, 0xb5, 0x65, 0xcb, 0xf6, 0xc7, 0x0e, 0xfc, 0x7f, 0x06, 0xad, 0x5f, 0xa9, 0x2f, - 0x2e, 0x6c, 0x90, 0x1f, 0xcf, 0xbf, 0x1a, 0x72, 0x83, 0x76, 0x95, 0xe1, 0xec, 0x22, 0xb9, 0xf9, - 0x77, 0x11, 0x2a, 0xdb, 0xea, 0x9f, 0x03, 0x74, 0x00, 0xe6, 0x64, 0x41, 0x45, 0xce, 0x3c, 0xcd, - 0xc5, 0x4d, 0xd7, 0xfe, 0xe8, 0x4a, 0x8c, 0xf6, 0xef, 0x2b, 0x58, 0x91, 0xab, 0x3a, 0x5a, 0xf0, - 0x0c, 0xe6, 0x77, 0x78, 0xfb, 0xea, 0xd5, 0xf7, 0x91, 0x21, 0x98, 0xe4, 0x0c, 0x59, 0xc4, 0x94, - 0x5f, 0x36, 0xec, 0x8d, 0x25, 0xc3, 0x07, 0xed, 0x43, 0x59, 0x5f, 0xe7, 0x45, 0xd0, 0xfc, 0xa4, - 0xb0, 0x1b, 0x97, 0x03, 0x14, 0xd9, 0x23, 0x03, 0xed, 0x4f, 0x36, 0xa9, 0x45, 0xae, 0xe5, 0xdb, - 0xc0, 0x5e, 0xf2, 0x7b, 0xd3, 0x78, 0x64, 0xa0, 0xef, 0xa0, 0x96, 0x2b, 0x34, 0x5a, 0x50, 0xd0, - 0xf9, 0xae, 0xb1, 0x3f, 0x59, 0x82, 0x52, 0xce, 0xb6, 0xea, 0xa7, 0xe7, 0xeb, 0xc6, 0x1f, 0xe7, - 0xeb, 0xc6, 0x5f, 0xe7, 0xeb, 0x46, 0xb7, 0x2c, 0xfb, 0xfe, 0xd3, 0xff, 0x02, 0x00, 0x00, 0xff, - 0xff, 0x61, 0x35, 0x4d, 0x35, 0x20, 0x0e, 0x00, 0x00, + // 1279 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x57, 0x4f, 0x6f, 0x1b, 0x45, + 0x14, 0xef, 0xda, 0x89, 0xed, 0x7d, 0x76, 0xaa, 
0x30, 0x40, 0xb5, 0x5a, 0x20, 0x31, 0x0b, 0x48, + 0x56, 0xd5, 0xee, 0xb6, 0x81, 0x22, 0x14, 0xa1, 0xaa, 0x75, 0x5c, 0x44, 0xaa, 0x46, 0x94, 0x49, + 0x4b, 0x25, 0x0e, 0x48, 0x6b, 0x7b, 0xe2, 0xae, 0xb2, 0xde, 0x59, 0x66, 0x66, 0x43, 0xcd, 0x07, + 0xe0, 0xcc, 0x77, 0xe1, 0xc0, 0x27, 0x40, 0xea, 0x91, 0x73, 0x0f, 0x29, 0xea, 0x1d, 0x4e, 0x5c, + 0xb8, 0xa1, 0xf9, 0xb3, 0xce, 0x38, 0x76, 0xea, 0xa6, 0x3d, 0x65, 0xde, 0xe4, 0xf7, 0x7e, 0xfb, + 0xfe, 0xcd, 0x7b, 0xcf, 0xb0, 0x36, 0xa0, 0x99, 0x60, 0x34, 0x0d, 0x73, 0x46, 0x05, 0x45, 0xeb, + 0x63, 0xda, 0x9f, 0x84, 0xfd, 0x22, 0x49, 0x87, 0x87, 0x89, 0x08, 0x8f, 0xae, 0xfb, 0x57, 0x47, + 0x89, 0x78, 0x5c, 0xf4, 0xc3, 0x01, 0x1d, 0x47, 0x23, 0x3a, 0xa2, 0x91, 0x02, 0xf6, 0x8b, 0x03, + 0x25, 0x29, 0x41, 0x9d, 0x34, 0x81, 0xbf, 0x39, 0xa2, 0x74, 0x94, 0x92, 0x13, 0x94, 0x48, 0xc6, + 0x84, 0x8b, 0x78, 0x9c, 0x1b, 0xc0, 0x15, 0x8b, 0x4f, 0x7e, 0x2c, 0x2a, 0x3f, 0x16, 0x71, 0x9a, + 0x1e, 0x11, 0x16, 0xe5, 0xfd, 0x88, 0xe6, 0xdc, 0xa0, 0xa3, 0x33, 0xd1, 0x71, 0x9e, 0x44, 0x62, + 0x92, 0x13, 0x1e, 0xfd, 0x44, 0xd9, 0x21, 0x61, 0x5a, 0x21, 0xf8, 0xc5, 0x81, 0xd6, 0x7d, 0x56, + 0x64, 0x04, 0x93, 0x1f, 0x0b, 0xc2, 0x05, 0xba, 0x04, 0xb5, 0x83, 0x24, 0x15, 0x84, 0x79, 0x4e, + 0xbb, 0xda, 0x71, 0xb1, 0x91, 0xd0, 0x3a, 0x54, 0xe3, 0x34, 0xf5, 0x2a, 0x6d, 0xa7, 0xd3, 0xc0, + 0xf2, 0x88, 0x3a, 0xd0, 0x3a, 0x24, 0x24, 0xef, 0x15, 0x2c, 0x16, 0x09, 0xcd, 0xbc, 0x6a, 0xdb, + 0xe9, 0x54, 0xbb, 0x2b, 0x4f, 0x8f, 0x37, 0x1d, 0x3c, 0xf3, 0x1f, 0x14, 0x80, 0x2b, 0xe5, 0xee, + 0x44, 0x10, 0xee, 0xad, 0x58, 0xb0, 0x93, 0xeb, 0xe0, 0x32, 0xac, 0xf7, 0x12, 0x7e, 0xf8, 0x90, + 0xc7, 0xa3, 0x65, 0xb6, 0x04, 0x77, 0xe1, 0x2d, 0x0b, 0xcb, 0x73, 0x9a, 0x71, 0x82, 0x6e, 0x40, + 0x8d, 0x91, 0x01, 0x65, 0x43, 0x05, 0x6e, 0x6e, 0x7d, 0x10, 0x9e, 0xce, 0x4d, 0x68, 0x14, 0x24, + 0x08, 0x1b, 0x70, 0xf0, 0x5f, 0x05, 0x9a, 0xd6, 0x3d, 0xba, 0x08, 0x95, 0xdd, 0x9e, 0xe7, 0xb4, + 0x9d, 0x8e, 0x8b, 0x2b, 0xbb, 0x3d, 0xe4, 0x41, 0x7d, 0xaf, 0x10, 0x71, 0x3f, 0x25, 
0xc6, 0xf7, + 0x52, 0x44, 0xef, 0xc0, 0xea, 0x6e, 0xf6, 0x90, 0x13, 0xe5, 0x78, 0x03, 0x6b, 0x01, 0x21, 0x58, + 0xd9, 0x4f, 0x7e, 0x26, 0xda, 0x4d, 0xac, 0xce, 0xd2, 0x8f, 0xfb, 0x31, 0x23, 0x99, 0xf0, 0x56, + 0x15, 0xaf, 0x91, 0x50, 0x17, 0xdc, 0x1d, 0x46, 0x62, 0x41, 0x86, 0xb7, 0x85, 0x57, 0x6b, 0x3b, + 0x9d, 0xe6, 0x96, 0x1f, 0xea, 0x82, 0x08, 0xcb, 0x82, 0x08, 0x1f, 0x94, 0x05, 0xd1, 0x6d, 0x3c, + 0x3d, 0xde, 0xbc, 0xf0, 0xeb, 0x73, 0x19, 0xb7, 0xa9, 0x1a, 0xba, 0x05, 0x70, 0x2f, 0xe6, 0xe2, + 0x21, 0x57, 0x24, 0xf5, 0xa5, 0x24, 0x2b, 0x8a, 0xc0, 0xd2, 0x41, 0x1b, 0x00, 0x2a, 0x00, 0x3b, + 0xb4, 0xc8, 0x84, 0xd7, 0x50, 0x76, 0x5b, 0x37, 0xa8, 0x0d, 0xcd, 0x1e, 0xe1, 0x03, 0x96, 0xe4, + 0x2a, 0xcd, 0xae, 0x72, 0xc1, 0xbe, 0x92, 0x0c, 0x3a, 0x7a, 0x0f, 0x26, 0x39, 0xf1, 0x40, 0x01, + 0xac, 0x1b, 0xe9, 0xff, 0xfe, 0xe3, 0x98, 0x91, 0xa1, 0xd7, 0x54, 0xa1, 0x32, 0x52, 0xf0, 0xef, + 0x0a, 0xb4, 0xf6, 0x65, 0x15, 0x97, 0x09, 0x5f, 0x87, 0x2a, 0x26, 0x07, 0x26, 0xfa, 0xf2, 0x88, + 0x42, 0x80, 0x1e, 0x39, 0x48, 0xb2, 0x44, 0x7d, 0xbb, 0xa2, 0xdc, 0xbb, 0x18, 0xe6, 0xfd, 0xf0, + 0xe4, 0x16, 0x5b, 0x08, 0xe4, 0x43, 0xe3, 0xce, 0x93, 0x9c, 0x32, 0x59, 0x34, 0x55, 0x45, 0x33, + 0x95, 0xd1, 0x23, 0x58, 0x2b, 0xcf, 0xb7, 0x85, 0x60, 0xb2, 0x14, 0x65, 0xa1, 0x5c, 0x9f, 0x2f, + 0x14, 0xdb, 0xa8, 0x70, 0x46, 0xe7, 0x4e, 0x26, 0xd8, 0x04, 0xcf, 0xf2, 0xc8, 0x1a, 0xd9, 0x27, + 0x9c, 0x4b, 0x0b, 0x75, 0x82, 0x4b, 0x51, 0x9a, 0xf3, 0x15, 0xa3, 0x99, 0x20, 0xd9, 0x50, 0x25, + 0xd8, 0xc5, 0x53, 0x59, 0x9a, 0x53, 0x9e, 0xb5, 0x39, 0xf5, 0x57, 0x32, 0x67, 0x46, 0xc7, 0x98, + 0x33, 0x73, 0x87, 0xb6, 0x61, 0x75, 0x27, 0x1e, 0x3c, 0x26, 0x2a, 0x97, 0xcd, 0xad, 0x8d, 0x79, + 0x42, 0xf5, 0xef, 0x6f, 0x54, 0xf2, 0xb8, 0x7a, 0x8a, 0x17, 0xb0, 0x56, 0x41, 0x3f, 0x40, 0xeb, + 0x4e, 0x26, 0x12, 0x91, 0x92, 0x31, 0xc9, 0x04, 0xf7, 0x5c, 0xf9, 0xf0, 0xba, 0xdb, 0xcf, 0x8e, + 0x37, 0x3f, 0x3f, 0xb3, 0xb5, 0x14, 0x22, 0x49, 0x23, 0x62, 0x69, 0x85, 0x16, 0x05, 0x9e, 0xe1, + 0xf3, 0x6f, 0x01, 0x9a, 
0x8f, 0xa7, 0xcc, 0xfb, 0x21, 0x99, 0x94, 0x79, 0x3f, 0x24, 0x13, 0xf9, + 0xb8, 0x8e, 0xe2, 0xb4, 0xd0, 0x8f, 0xce, 0xc5, 0x5a, 0xd8, 0xae, 0x7c, 0xe1, 0x48, 0x86, 0xf9, + 0x10, 0x9c, 0x87, 0x21, 0x78, 0xee, 0x40, 0xcb, 0x8e, 0x00, 0x7a, 0x1f, 0x5c, 0x6d, 0xd4, 0x49, + 0xf1, 0x9d, 0x5c, 0xc8, 0xea, 0xde, 0x1d, 0x1b, 0x81, 0x7b, 0x15, 0xd5, 0x89, 0xac, 0x1b, 0xf4, + 0x2d, 0x34, 0x35, 0x58, 0x67, 0xb1, 0xaa, 0xb2, 0x18, 0xbd, 0x3c, 0xe8, 0xa1, 0xa5, 0xa1, 0x73, + 0x68, 0x73, 0xf8, 0x37, 0x61, 0xfd, 0x34, 0xe0, 0x5c, 0x1e, 0xfe, 0xee, 0xc0, 0x9a, 0x29, 0x1a, + 0xd3, 0x1d, 0xe3, 0x92, 0x91, 0xb0, 0xf2, 0xce, 0xf4, 0xc9, 0x1b, 0x67, 0xd6, 0x9b, 0x86, 0x85, + 0xa7, 0xf5, 0xb4, 0xbd, 0x73, 0x74, 0xfe, 0x0e, 0xbc, 0xbb, 0x10, 0x7a, 0x2e, 0xcb, 0x3f, 0x84, + 0xb5, 0x7d, 0x11, 0x8b, 0x82, 0x9f, 0xd9, 0x12, 0x82, 0xdf, 0x1c, 0xb8, 0x58, 0x62, 0x8c, 0x77, + 0x9f, 0x41, 0xe3, 0x88, 0x30, 0x41, 0x9e, 0x10, 0x6e, 0xbc, 0xf2, 0xe6, 0xbd, 0xfa, 0x4e, 0x21, + 0xf0, 0x14, 0x89, 0xb6, 0xa1, 0xc1, 0x15, 0x0f, 0xd1, 0x69, 0x5d, 0xf8, 0x54, 0xb4, 0x96, 0xf9, + 0xde, 0x14, 0x8f, 0x22, 0x58, 0x49, 0xe9, 0xa8, 0xcc, 0xf6, 0x7b, 0x67, 0xe9, 0xdd, 0xa3, 0x23, + 0xac, 0x80, 0xc1, 0x71, 0x05, 0x6a, 0xfa, 0x0e, 0xdd, 0x85, 0xda, 0x30, 0x19, 0x11, 0x2e, 0xb4, + 0x57, 0xdd, 0x2d, 0xf9, 0x00, 0x9f, 0x1d, 0x6f, 0x5e, 0xb6, 0x5e, 0x18, 0xcd, 0x49, 0x26, 0x57, + 0x8d, 0x38, 0xc9, 0x08, 0xe3, 0xd1, 0x88, 0x5e, 0xd5, 0x2a, 0x61, 0x4f, 0xfd, 0xc1, 0x86, 0x41, + 0x72, 0x25, 0x59, 0x5e, 0x08, 0x53, 0x98, 0xaf, 0xc7, 0xa5, 0x19, 0xe4, 0xe8, 0xca, 0xe2, 0x31, + 0x31, 0x7d, 0x53, 0x9d, 0x65, 0xeb, 0x1e, 0xc8, 0xba, 0x1d, 0xaa, 0x81, 0xd6, 0xc0, 0x46, 0x42, + 0xdb, 0x50, 0xe7, 0x22, 0x66, 0x82, 0x0c, 0x55, 0xcb, 0x7b, 0x95, 0x99, 0x53, 0x2a, 0xa0, 0x9b, + 0xe0, 0x0e, 0xe8, 0x38, 0x4f, 0x89, 0xd4, 0xae, 0xbd, 0xa2, 0xf6, 0x89, 0x8a, 0xac, 0x1e, 0xc2, + 0x18, 0x65, 0x6a, 0xda, 0xb9, 0x58, 0x0b, 0xc1, 0x3f, 0x15, 0x68, 0xd9, 0xc9, 0x9a, 0x9b, 0xe4, + 0x77, 0xa1, 0xa6, 0x53, 0xaf, 0xab, 0xee, 0xf5, 0x42, 0xa5, 
0x19, 0x16, 0x86, 0xca, 0x83, 0xfa, + 0xa0, 0x60, 0x6a, 0xcc, 0xeb, 0xe1, 0x5f, 0x8a, 0xd2, 0x60, 0x41, 0x45, 0x9c, 0xaa, 0x50, 0x55, + 0xb1, 0x16, 0xe4, 0xf4, 0x9f, 0x2e, 0x7b, 0xe7, 0x9b, 0xfe, 0x53, 0x35, 0x3b, 0x0d, 0xf5, 0x37, + 0x4a, 0x43, 0xe3, 0xdc, 0x69, 0x08, 0xfe, 0x70, 0xc0, 0x9d, 0x56, 0xb9, 0x15, 0x5d, 0xe7, 0x8d, + 0xa3, 0x3b, 0x13, 0x99, 0xca, 0xeb, 0x45, 0xe6, 0x12, 0xd4, 0xb8, 0x60, 0x24, 0x1e, 0xeb, 0xbd, + 0x14, 0x1b, 0x49, 0xf6, 0x93, 0x31, 0x1f, 0xa9, 0x0c, 0xb5, 0xb0, 0x3c, 0x06, 0x01, 0xb4, 0xd4, + 0x0a, 0xba, 0x47, 0xb8, 0x5c, 0x7a, 0x64, 0x6e, 0x87, 0xb1, 0x88, 0x95, 0x1f, 0x2d, 0xac, 0xce, + 0xc1, 0x15, 0x40, 0xf7, 0x12, 0x2e, 0x1e, 0xa9, 0xd5, 0x99, 0x2f, 0xdb, 0x4f, 0xf7, 0xe1, 0xed, + 0x19, 0xb4, 0xe9, 0x52, 0x5f, 0x9e, 0xda, 0x50, 0x3f, 0x9e, 0xef, 0x1a, 0x6a, 0x43, 0x0f, 0xb5, + 0xe2, 0xec, 0xa2, 0xba, 0xf5, 0x77, 0x15, 0xea, 0x3b, 0xfa, 0xc7, 0x07, 0x7a, 0x00, 0xee, 0x74, + 0x01, 0x46, 0xc1, 0x3c, 0xcd, 0xe9, 0x4d, 0xda, 0xff, 0xe8, 0xa5, 0x18, 0x63, 0xdf, 0xd7, 0xb0, + 0xaa, 0x7e, 0x0a, 0xa0, 0x05, 0x6d, 0xd0, 0xfe, 0x8d, 0xe0, 0xbf, 0x7c, 0xb5, 0xbe, 0xe6, 0x48, + 0x26, 0x35, 0x43, 0x16, 0x31, 0xd9, 0xcb, 0x8c, 0xbf, 0xb9, 0x64, 0xf8, 0xa0, 0x3d, 0xa8, 0x99, + 0xe7, 0xbc, 0x08, 0x6a, 0x4f, 0x0a, 0xbf, 0x7d, 0x36, 0x40, 0x93, 0x5d, 0x73, 0xd0, 0xde, 0x74, + 0x53, 0x5b, 0x64, 0x9a, 0x5d, 0x06, 0xfe, 0x92, 0xff, 0x77, 0x9c, 0x6b, 0x0e, 0xfa, 0x1e, 0x9a, + 0x56, 0xa2, 0xd1, 0x82, 0x84, 0xce, 0x57, 0x8d, 0xff, 0xc9, 0x12, 0x94, 0x36, 0xb6, 0xdb, 0x7a, + 0xfa, 0x62, 0xc3, 0xf9, 0xf3, 0xc5, 0x86, 0xf3, 0xd7, 0x8b, 0x0d, 0xa7, 0x5f, 0x53, 0x75, 0xff, + 0xe9, 0xff, 0x01, 0x00, 0x00, 0xff, 0xff, 0xfe, 0x98, 0x98, 0x82, 0x80, 0x0e, 0x00, 0x00, } diff --git a/api/services/control/control.proto b/api/services/control/control.proto index 63a682d9..7ac4095b 100644 --- a/api/services/control/control.proto +++ b/api/services/control/control.proto 
@@ -62,6 +62,7 @@ message SolveRequest {
 string Frontend = 6;
 map FrontendAttrs = 7;
 CacheOptions Cache = 8 [(gogoproto.nullable) = false];
+ repeated string Entitlements = 9 [(gogoproto.customtype) = "github.com/moby/buildkit/util/entitlements.Entitlement" ];
 }
 message CacheOptions {
diff --git a/client/client_test.go b/client/client_test.go
index 52dae2ba..af0aefa3 100644
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -61,6 +61,7 @@ func TestClientIntegration(t *testing.T) {
 testParallelLocalBuilds,
 testSecretMounts,
 testExtraHosts,
+ testNetworkMode,
 })
 }
@@ -81,6 +82,36 @@ func testExtraHosts(t *testing.T, sb integration.Sandbox) {
 require.NoError(t, err)
 }
+func testNetworkMode(t *testing.T, sb integration.Sandbox) {
+ t.Parallel()
+
+ c, err := New(context.TODO(), sb.Address())
+ require.NoError(t, err)
+ defer c.Close()
+
+ st := llb.Image("busybox:latest").
+ Run(llb.Shlex(`sh -c 'wget https://example.com 2>&1 | grep "wget: bad address"'`), llb.Network(llb.NetModeNone))
+
+ def, err := st.Marshal()
+ require.NoError(t, err)
+
+ _, err = c.Solve(context.TODO(), def, SolveOpt{}, nil)
+ require.NoError(t, err)
+
+ st2 := llb.Image("busybox:latest").
+ Run(llb.Shlex(`ifconfig`), llb.Network(llb.NetModeHost))
+
+ def, err = st2.Marshal()
+ require.NoError(t, err)
+
+ _, err = c.Solve(context.TODO(), def, SolveOpt{
+ // Currently disabled globally by default
+ // AllowedEntitlements: []entitlements.Entitlement{entitlements.EntitlementNetworkHost},
+ }, nil)
+ require.Error(t, err)
+ require.Contains(t, err.Error(), "network.host is not allowed")
+}
+
 func testSecretMounts(t *testing.T, sb integration.Sandbox) {
 t.Parallel()
diff --git a/client/llb/exec.go b/client/llb/exec.go
index a0f2e41e..ebb5b712 100644
--- a/client/llb/exec.go
+++ b/client/llb/exec.go
@@ -17,6 +17,7 @@ type Meta struct {
 User string
 ProxyEnv *ProxyEnv
 ExtraHosts []HostIP
+ Network pb.NetMode
 }
 func NewExecOp(root Output, meta Meta, readOnly bool, c Constraints) *ExecOp {
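Review bot: The host-network half of `testNetworkMode` only exercises an empty `SolveOpt`, with the `AllowedEntitlements` line commented out, so nothing pins what happens when a client actually requests `network.host`. If the intended behaviour is that the daemon default still wins, a third `c.Solve` passing `AllowedEntitlements: []entitlements.Entitlement{entitlements.EntitlementNetworkHost}` and still expecting `"network.host is not allowed"` would show that the client's list cannot grant itself host networking. The `NetModeNone` case matches busybox's `wget: bad address` text, which is a name-resolution failure and would presumably also appear if only DNS were broken; asserting on the container's interface list would be a tighter check.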
@@ -144,7 +145,11 @@ func (e *ExecOp) Marshal(c *Constraints) (digest.Digest, []byte, *pb.OpMetadata,
 }
 peo := &pb.ExecOp{
- Meta: meta,
+ Meta: meta,
+ Network: e.meta.Network,
+ }
+ if e.meta.Network != NetModeSandbox {
+ addCap(&e.constraints, pb.CapExecMetaNetwork)
 }
 if p := e.meta.ProxyEnv; p != nil {
@@ -357,6 +362,12 @@ func (fn runOptionFunc) SetRunOption(ei *ExecInfo) {
 fn(ei)
 }
+func Network(n pb.NetMode) RunOption {
+ return runOptionFunc(func(ei *ExecInfo) {
+ ei.State = network(n)(ei.State)
+ })
+}
+
 func Shlex(str string) RunOption {
 return Shlexf(str)
 }
@@ -509,3 +520,9 @@ const (
 CacheMountPrivate
 CacheMountLocked
 )
+
+const (
+ NetModeSandbox = pb.NetMode_UNSET
+ NetModeHost = pb.NetMode_HOST
+ NetModeNone = pb.NetMode_NONE
+)
diff --git a/client/llb/meta.go b/client/llb/meta.go
index f4cafd83..25b78853 100644
--- a/client/llb/meta.go
+++ b/client/llb/meta.go
@@ -7,6 +7,7 @@ import (
 "github.com/containerd/containerd/platforms"
 "github.com/google/shlex"
+ "github.com/moby/buildkit/solver/pb"
 specs "github.com/opencontainers/image-spec/specs-go/v1"
 )
@@ -19,6 +20,7 @@ var (
 keyUser = contextKeyT("llb.exec.user")
 keyExtraHost = contextKeyT("llb.exec.extrahost")
 keyPlatform = contextKeyT("llb.platform")
+ keyNetwork = contextKeyT("llb.network")
 )
 func addEnv(key, value string) StateOption {
@@ -145,6 +147,21 @@ type HostIP struct {
 IP net.IP
 }
+func network(v pb.NetMode) StateOption {
+ return func(s State) State {
+ return s.WithValue(keyNetwork, v)
+ }
+}
+
+func getNetwork(s State) pb.NetMode {
+ v := s.Value(keyNetwork)
+ if v != nil {
+ n := v.(pb.NetMode)
+ return n
+ }
+ return NetModeSandbox
+}
+
 type EnvList []KeyValue
 type KeyValue struct {
diff --git a/client/llb/state.go b/client/llb/state.go
index b0026755..6812ad36 100644
--- a/client/llb/state.go
+++ b/client/llb/state.go
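Review bot: The exported `Network` run option and the `NetModeSandbox`/`NetModeHost`/`NetModeNone` constants at the end of exec.go are added without doc comments, so the security-relevant contract is not written down anywhere in these hunks. I would add `// Network sets the network mode for the exec. NetModeHost is refused by the solver unless the network.host entitlement is allowed.` above `Network`, and a line on the constant block noting that `NetModeSandbox` is the zero value (`pb.NetMode_UNSET`). The wording about the solver is inferred from the error string asserted in client_test.go and should be checked against the validation code.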
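Review bot: `getNetwork` in meta.go uses the single-value assertion `n := v.(pb.NetMode)`, which panics if anything other than a `pb.NetMode` is ever stored under `keyNetwork`. The key is unexported, so this is unlikely today, but the comma-ok form costs nothing: `if n, ok := v.(pb.NetMode); ok { return n }`, falling through to `return NetModeSandbox`.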
@@ -188,6 +188,7 @@ func (s State) Run(ro ...RunOption) ExecState {
 User: getUser(ei.State),
 ProxyEnv: ei.ProxyEnv,
 ExtraHosts: getExtraHosts(ei.State),
+ Network: getNetwork(ei.State),
 }
 exec := NewExecOp(s.Output(), meta, ei.ReadonlyRootFS, ei.Constraints)
@@ -249,6 +250,14 @@ func (s State) GetPlatform() *specs.Platform {
 return getPlatform(s)
 }
+func (s State) Network(n pb.NetMode) State {
+ return network(n)(s)
+}
+
+func (s State) GetNetwork() pb.NetMode {
+ return getNetwork(s)
+}
+
 func (s State) With(so ...StateOption) State {
 for _, o := range so {
 s = o(s)
diff --git a/client/solve.go b/client/solve.go
index 972b6b3e..840ce5e8 100644
--- a/client/solve.go
+++ b/client/solve.go
@@ -15,6 +15,7 @@ import (
 "github.com/moby/buildkit/session/filesync"
 "github.com/moby/buildkit/session/grpchijack"
 "github.com/moby/buildkit/solver/pb"
+ "github.com/moby/buildkit/util/entitlements"
 opentracing "github.com/opentracing/opentracing-go"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
@@ -22,18 +23,19 @@ import (
 )
 type SolveOpt struct {
- Exporter string
- ExporterAttrs map[string]string
- ExporterOutput io.WriteCloser // for ExporterOCI and ExporterDocker
- ExporterOutputDir string // for ExporterLocal
- LocalDirs map[string]string
- SharedKey string
- Frontend string
- FrontendAttrs map[string]string
- ExportCache string
- ExportCacheAttrs map[string]string
- ImportCache []string
- Session []session.Attachable
+ Exporter string
+ ExporterAttrs map[string]string
+ ExporterOutput io.WriteCloser // for ExporterOCI and ExporterDocker
+ ExporterOutputDir string // for ExporterLocal
+ LocalDirs map[string]string
+ SharedKey string
+ Frontend string
+ FrontendAttrs map[string]string
+ ExportCache string
+ ExportCacheAttrs map[string]string
+ ImportCache []string
+ Session []session.Attachable
+ AllowedEntitlements []entitlements.Entitlement
 }
 // Solve calls Solve on the controller.
@@ -137,6 +139,7 @@ func (c *Client) Solve(ctx context.Context, def *llb.Definition, opt SolveOpt, s
 ImportRefs: opt.ImportCache,
 ExportAttrs: opt.ExportCacheAttrs,
 },
+ Entitlements: opt.AllowedEntitlements,
 })
 if err != nil {
 return errors.Wrap(err, "failed to solve")
diff --git a/control/control.go b/control/control.go
index 25f076a9..1d598672 100644
--- a/control/control.go
+++ b/control/control.go
@@ -216,7 +216,7 @@ func (c *Controller) Solve(ctx context.Context, req *controlapi.SolveRequest) (*
 Exporter: expi,
 CacheExporter: cacheExporter,
 CacheExportMode: parseCacheExporterOpt(req.Cache.ExportAttrs),
- })
+ }, req.Entitlements)
 if err != nil {
 return nil, err
 }
diff --git a/executor/containerdexecutor/executor.go b/executor/containerdexecutor/executor.go
index e0878a3c..7044c0ef 100644
--- a/executor/containerdexecutor/executor.go
+++ b/executor/containerdexecutor/executor.go
@@ -15,6 +15,7 @@ import (
 "github.com/moby/buildkit/executor/oci"
 "github.com/moby/buildkit/identity"
 "github.com/moby/buildkit/snapshot"
+ "github.com/moby/buildkit/solver/pb"
 "github.com/moby/buildkit/util/network"
 "github.com/moby/buildkit/util/system"
 "github.com/pkg/errors"
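Review bot: `req.Entitlements` in `Controller.Solve` comes straight from the gRPC request and is handed to the solver unchanged, so at this point it is a list the client asked for, not one the daemon has granted. Nothing in this hunk compares it with a daemon-side allow list; the callee is outside the lines shown, so that check may exist there, but the call site deserves a comment such as `// req.Entitlements is client-supplied: the solver must intersect it with the daemon's allowed set before use`. The same applies to `Entitlements: opt.AllowedEntitlements` in client/solve.go, where the field name reads as a grant rather than a request. The body of `Controller.Solve` starts and ends outside the hunk.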
@@ -78,17 +79,27 @@ func (w containerdExecutor) Exec(ctx context.Context, meta executor.Meta, root c
 lm.Unmount()
 }
- hostNetworkEnabled := true
 var iface network.Interface
- if w.networkProvider != nil {
- iface, err = w.networkProvider.NewInterface()
- if err == nil && iface != nil {
- hostNetworkEnabled = false
+ // FIXME: still uses host if no provider configured
+ if meta.NetMode == pb.NetMode_UNSET {
+ if w.networkProvider != nil {
+ var err error
+ iface, err = w.networkProvider.NewInterface()
+ if err != nil || iface == nil {
+ meta.NetMode = pb.NetMode_HOST
+ }
+ } else {
+ meta.NetMode = pb.NetMode_HOST
 }
 }
- if hostNetworkEnabled {
+ if meta.NetMode == pb.NetMode_HOST {
 logrus.Info("enabling HostNetworking")
 }
+ defer func() {
+ if iface != nil {
+ w.networkProvider.Release(iface)
+ }
+ }()
 opts := []containerdoci.SpecOpts{oci.WithUIDGID(uid, gid, sgids)}
 if meta.ReadonlyRootFS {
@@ -97,7 +108,7 @@ func (w containerdExecutor) Exec(ctx context.Context, meta executor.Meta, root c
 if system.SeccompSupported() {
 opts = append(opts, seccomp.WithDefaultProfile())
 }
- spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, hostNetworkEnabled, opts...)
+ spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, meta.NetMode == pb.NetMode_HOST, opts...)
 if err != nil {
 return err
 }
@@ -134,7 +145,6 @@ func (w containerdExecutor) Exec(ctx context.Context, meta executor.Meta, root c
 defer func() {
 if iface != nil {
 iface.Remove(int(task.Pid()))
- w.networkProvider.Release(iface)
 }
 if _, err1 := task.Delete(context.TODO()); err == nil && err1 != nil {
diff --git a/executor/executor.go b/executor/executor.go
index 5f79363e..91ae976f 100644
--- a/executor/executor.go
+++ b/executor/executor.go
@@ -6,6 +6,7 @@ import (
 "net"
 "github.com/moby/buildkit/cache"
+ "github.com/moby/buildkit/solver/pb"
 )
 type Meta struct {
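Review bot: A step that asks for the sandbox default (`pb.NetMode_UNSET`) is silently switched to `pb.NetMode_HOST` when no provider is configured or when `NewInterface()` fails, and in the failure case the error is discarded. Because this happens in the executor, after whatever entitlement validation is done when the definition is loaded (inferred from the bridge.go hunk), the step ends up with host networking without `network.host` ever having been requested. The FIXME covers the no-provider case; for the failure case I would fail closed with `if err != nil { return errors.Wrap(err, "creating sandbox network interface") }` and keep the fallback only for a nil provider, logged at warning level with the reason. The same block is added to runcexecutor in its `@@ -106,16 +107,20 @@` hunk, and `Exec` starts and ends outside both hunks.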
@@ -15,9 +16,8 @@ type Meta struct {
 Cwd string
 Tty bool
 ReadonlyRootFS bool
- // DisableNetworking bool
-
- ExtraHosts []HostIP
+ ExtraHosts []HostIP
+ NetMode pb.NetMode
 }
 type Mount struct {
diff --git a/executor/runcexecutor/executor.go b/executor/runcexecutor/executor.go
index 6401105c..28743141 100644
--- a/executor/runcexecutor/executor.go
+++ b/executor/runcexecutor/executor.go
@@ -22,6 +22,7 @@ import (
 "github.com/moby/buildkit/executor"
 "github.com/moby/buildkit/executor/oci"
 "github.com/moby/buildkit/identity"
+ "github.com/moby/buildkit/solver/pb"
 "github.com/moby/buildkit/util/network"
 rootlessspecconv "github.com/moby/buildkit/util/rootless/specconv"
 "github.com/moby/buildkit/util/system"
@@ -106,16 +107,20 @@ func New(opt Opt, networkProvider network.Provider) (executor.Executor, error) {
 }
 func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache.Mountable, mounts []executor.Mount, stdin io.ReadCloser, stdout, stderr io.WriteCloser) error {
- hostNetworkEnabled := true
 var iface network.Interface
- if w.networkProvider != nil {
- var err error
- iface, err = w.networkProvider.NewInterface()
- if err == nil && iface != nil {
- hostNetworkEnabled = false
+ // FIXME: still uses host if no provider configured
+ if meta.NetMode == pb.NetMode_UNSET {
+ if w.networkProvider != nil {
+ var err error
+ iface, err = w.networkProvider.NewInterface()
+ if err != nil || iface == nil {
+ meta.NetMode = pb.NetMode_HOST
+ }
+ } else {
+ meta.NetMode = pb.NetMode_HOST
 }
 }
- if hostNetworkEnabled {
+ if meta.NetMode == pb.NetMode_HOST {
 logrus.Info("enabling HostNetworking")
 }
 defer func() {
@@ -182,7 +187,7 @@ func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache. if meta.ReadonlyRootFS { opts = append(opts, containerdoci.WithRootFSReadonly()) } - spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, hostNetworkEnabled, opts...) + spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, meta.NetMode == pb.NetMode_HOST, opts...) if err != nil { return err } diff --git a/solver/jobs.go b/solver/jobs.go index b74021ee..15dcde88 100644 --- a/solver/jobs.go +++ b/solver/jobs.go @@ -21,6 +21,7 @@ type ResolveOpFunc func(Vertex, Builder) (Op, error) type Builder interface { Build(ctx context.Context, e Edge) (CachedResult, error) Context(ctx context.Context) context.Context + EachValue(ctx context.Context, key string, fn func(interface{}) error) error } // Solver provides a shared graph of all the vertexes currently being @@ -169,10 +170,22 @@ func (sb *subBuilder) Context(ctx context.Context) context.Context { return progress.WithProgress(ctx, sb.mpw) } +func (sb *subBuilder) EachValue(ctx context.Context, key string, fn func(interface{}) error) error { + sb.mu.Lock() + defer sb.mu.Lock() + for j := range sb.jobs { + if err := j.EachValue(ctx, key, fn); err != nil { + return err + } + } + return nil +} + type Job struct { - list *Solver - pr *progress.MultiReader - pw progress.Writer + list *Solver + pr *progress.MultiReader + pw progress.Writer + values sync.Map progressCloser func() SessionID string @@ -446,6 +459,18 @@ func (j *Job) Context(ctx context.Context) context.Context { return progress.WithProgress(ctx, j.pw) } +func (j *Job) SetValue(key string, v interface{}) { + j.values.Store(key, v) +} + +func (j *Job) EachValue(ctx context.Context, key string, fn func(interface{}) error) error { + v, ok := j.values.Load(key) + if ok { + return fn(v) + } + return nil +} + type cacheMapResp struct { *CacheMap complete bool 
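Review bot: `defer sb.mu.Lock()` in the new `subBuilder.EachValue` locks the mutex a second time on return instead of releasing it. Assuming `mu` is a `sync.Mutex` or `sync.RWMutex` (its declaration is not in the hunk), the first call never returns and every later user of `sb.mu` blocks with it. The line should read `defer sb.mu.Unlock()`. Because `loadEntitlements` reaches the entitlement set through `EachValue`, a solve that goes through a sub-builder would hang here rather than be validated.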
diff --git a/solver/llbsolver/bridge.go b/solver/llbsolver/bridge.go index 2284afad..8f3b9d05 100644 --- a/solver/llbsolver/bridge.go +++ b/solver/llbsolver/bridge.go @@ -75,7 +75,12 @@ func (b *llbBridge) Solve(ctx context.Context, req frontend.SolveRequest) (res * } if req.Definition != nil && req.Definition.Def != nil { - edge, err := Load(req.Definition, WithCacheSources(cms), RuntimePlatforms(b.platforms), WithValidateCaps()) + ent, err := loadEntitlements(b.builder) + if err != nil { + return nil, err + } + + edge, err := Load(req.Definition, ValidateEntitlements(ent), WithCacheSources(cms), RuntimePlatforms(b.platforms), WithValidateCaps()) if err != nil { return nil, err } diff --git a/solver/llbsolver/ops/exec.go b/solver/llbsolver/ops/exec.go index fd9d4acc..3abb82c7 100644 --- a/solver/llbsolver/ops/exec.go +++ b/solver/llbsolver/ops/exec.go @@ -527,6 +527,7 @@ func (e *execOp) Exec(ctx context.Context, inputs []solver.Result) ([]solver.Res User: e.op.Meta.User, ReadonlyRootFS: readonlyRootFS, ExtraHosts: extraHosts, + NetMode: e.op.Network, } if e.op.Meta.ProxyEnv != nil { diff --git a/solver/llbsolver/solver.go b/solver/llbsolver/solver.go index 245b399b..60f0a58a 100644 --- a/solver/llbsolver/solver.go +++ b/solver/llbsolver/solver.go @@ -12,6 +12,7 @@ import ( "github.com/moby/buildkit/identity" "github.com/moby/buildkit/session" "github.com/moby/buildkit/solver" + "github.com/moby/buildkit/util/entitlements" "github.com/moby/buildkit/util/progress" "github.com/moby/buildkit/worker" digest "github.com/opencontainers/go-digest" @@ -19,6 +20,8 @@ import ( "github.com/pkg/errors" ) +const keyEntitlements = "llb.entitlements" + type ExporterRequest struct { Exporter exporter.ExporterInstance CacheExporter remotecache.Exporter 
@@ -78,12 +81,19 @@ func (s *Solver) Bridge(b solver.Builder) frontend.FrontendLLBBridge { } } -func (s *Solver) Solve(ctx context.Context, id string, req frontend.SolveRequest, exp ExporterRequest) (*client.SolveResponse, error) { +func (s *Solver) Solve(ctx context.Context, id string, req frontend.SolveRequest, exp ExporterRequest, ent []entitlements.Entitlement) (*client.SolveResponse, error) { + set, err := entitlements.WhiteList(ent, supportedEntitlements()) + if err != nil { + return nil, err + } + j, err := s.solver.NewJob(id) if err != nil { return nil, err } + j.SetValue(keyEntitlements, set) + defer j.Discard() j.SessionID = session.FromContext(ctx) @@ -232,3 +242,31 @@ func notifyCompleted(ctx context.Context, v *client.Vertex, err error, cached bo } pw.Write(v.Digest.String(), *v) } + +var AllowNetworkHostUnstable = false // TODO: enable in constructor + +func supportedEntitlements() []entitlements.Entitlement { + out := []entitlements.Entitlement{} // nil means no filter + if AllowNetworkHostUnstable { + out = append(out, entitlements.EntitlementNetworkHost) + } + return out +} + +func loadEntitlements(b solver.Builder) (entitlements.Set, error) { + var ent entitlements.Set = map[entitlements.Entitlement]struct{}{} + err := b.EachValue(context.TODO(), keyEntitlements, func(v interface{}) error { + set, ok := v.(entitlements.Set) + if !ok { + return errors.Errorf("invalid entitlements %T", v) + } + for k := range set { + ent[k] = struct{}{} + } + return nil + }) + if err != nil { + return nil, err + } + return ent, nil +} diff --git a/solver/llbsolver/vertex.go b/solver/llbsolver/vertex.go index 9278c231..f4cd9252 100644 --- a/solver/llbsolver/vertex.go +++ b/solver/llbsolver/vertex.go 
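Review bot: `loadEntitlements` returns the union of every set the callback receives, and `subBuilder.EachValue` in solver/jobs.go invokes the callback once per job in `sb.jobs`, so a builder shared by several jobs is validated against the most permissive job's grants. If jobs with different entitlements can share a sub-builder, a definition loaded for one job could pass `ValidateEntitlements` using `network.host` granted only to another; that is inferred from these two hunks and should be confirmed. Either intersect the sets, or state the intent in a doc comment such as `// loadEntitlements returns the union of the entitlements of all jobs attached to b.` Separately, `AllowNetworkHostUnstable` is an exported, unsynchronised package variable gating a privilege; moving it into the constructor, as the TODO says, would keep that decision with whoever builds the solver.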
@@ -7,6 +7,7 @@ import ( "github.com/moby/buildkit/solver" "github.com/moby/buildkit/solver/pb" "github.com/moby/buildkit/source" + "github.com/moby/buildkit/util/entitlements" digest "github.com/opencontainers/go-digest" specs "github.com/opencontainers/image-spec/specs-go/v1" "github.com/pkg/errors" @@ -99,6 +100,25 @@ func RuntimePlatforms(p []specs.Platform) LoadOpt { } } +func ValidateEntitlements(ent entitlements.Set) LoadOpt { + return func(op *pb.Op, _ *pb.OpMetadata, opt *solver.VertexOptions) error { + switch op := op.Op.(type) { + case *pb.Op_Exec: + if op.Exec.Network == pb.NetMode_HOST { + if !ent.Allowed(entitlements.EntitlementNetworkHost) { + return errors.Errorf("%s is not allowed", entitlements.EntitlementNetworkHost) + } + } + if op.Exec.Network == pb.NetMode_NONE { + if !ent.Allowed(entitlements.EntitlementNetworkNone) { + return errors.Errorf("%s is not allowed", entitlements.EntitlementNetworkNone) + } + } + } + return nil + } +} + func Load(def *pb.Definition, opts ...LoadOpt) (solver.Edge, error) { return loadLLB(def, func(dgst digest.Digest, pbOp *pb.Op, load func(digest.Digest) (solver.Vertex, error)) (solver.Vertex, error) { opMetadata := def.Metadata[dgst] diff --git a/solver/pb/caps.go b/solver/pb/caps.go index b415ecb8..2fa16158 100644 --- a/solver/pb/caps.go +++ b/solver/pb/caps.go @@ -32,6 +32,7 @@ const ( CapExecMetaBase apicaps.CapID = "exec.meta.base" CapExecMetaProxy apicaps.CapID = "exec.meta.proxyenv" + CapExecMetaNetwork apicaps.CapID = "exec.meta.network" CapExecMountBind apicaps.CapID = "exec.mount.bind" CapExecMountCache apicaps.CapID = "exec.mount.cache" CapExecMountCacheSharing apicaps.CapID = "exec.mount.cache.sharing" @@ -162,6 +163,12 @@ func init() { Status: apicaps.CapStatusExperimental, }) + Caps.Init(apicaps.Cap{ + ID: CapExecMetaNetwork, + Enabled: true, + Status: apicaps.CapStatusExperimental, + }) + Caps.Init(apicaps.Cap{ ID: CapExecMountBind, Enabled: true, 
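Review bot: `ValidateEntitlements` checks only `NetMode_HOST` and `NetMode_NONE`, so an exec op carrying any other numeric `Network` value passes validation unexamined; the generated `Unmarshal` in ops.pb.go stores whatever varint it reads. The executors in this commit would then treat that value as neither UNSET nor HOST, which means no provider interface and a false host-network flag, a fallthrough that nothing documents. Rejecting unknown modes at load time keeps the policy explicit: `if _, ok := pb.NetMode_name[int32(op.Exec.Network)]; !ok { return errors.Errorf("invalid network mode %d", op.Exec.Network) }`. The exported function also has no doc comment; `// ValidateEntitlements returns a LoadOpt that rejects exec ops whose network mode is not permitted by ent.` would cover it.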
diff --git a/solver/pb/ops.pb.go b/solver/pb/ops.pb.go index 527c2d4f..7a78618b 100644 --- a/solver/pb/ops.pb.go +++ b/solver/pb/ops.pb.go @@ -54,6 +54,30 @@ var _ = math.Inf // proto package needs to be updated. const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package +type NetMode int32 + +const ( + NetMode_UNSET NetMode = 0 + NetMode_HOST NetMode = 1 + NetMode_NONE NetMode = 2 +) + +var NetMode_name = map[int32]string{ + 0: "UNSET", + 1: "HOST", + 2: "NONE", +} +var NetMode_value = map[string]int32{ + "UNSET": 0, + "HOST": 1, + "NONE": 2, +} + +func (x NetMode) String() string { + return proto.EnumName(NetMode_name, int32(x)) +} +func (NetMode) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{0} } + // MountType defines a type of a mount from a supported set type MountType int32 @@ -83,7 +107,7 @@ var MountType_value = map[string]int32{ func (x MountType) String() string { return proto.EnumName(MountType_name, int32(x)) } -func (MountType) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{0} } +func (MountType) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{1} } // CacheSharingOpt defines different sharing modes for cache mount type CacheSharingOpt int32 @@ -111,7 +135,7 @@ var CacheSharingOpt_value = map[string]int32{ func (x CacheSharingOpt) String() string { return proto.EnumName(CacheSharingOpt_name, int32(x)) } -func (CacheSharingOpt) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{1} } +func (CacheSharingOpt) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{2} } // Op represents a vertex of the LLB DAG. type Op struct { 
@@ -388,8 +412,9 @@ func (*Input) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{2} // ExecOp executes a command in a container. type ExecOp struct { - Meta *Meta `protobuf:"bytes,1,opt,name=meta" json:"meta,omitempty"` - Mounts []*Mount `protobuf:"bytes,2,rep,name=mounts" json:"mounts,omitempty"` + Meta *Meta `protobuf:"bytes,1,opt,name=meta" json:"meta,omitempty"` + Mounts []*Mount `protobuf:"bytes,2,rep,name=mounts" json:"mounts,omitempty"` + Network NetMode `protobuf:"varint,3,opt,name=network,proto3,enum=pb.NetMode" json:"network,omitempty"` } func (m *ExecOp) Reset() { *m = ExecOp{} } @@ -411,6 +436,13 @@ func (m *ExecOp) GetMounts() []*Mount { return nil } +func (m *ExecOp) GetNetwork() NetMode { + if m != nil { + return m.Network + } + return NetMode_UNSET +} + // Meta is a set of arguments for ExecOp. // Meta is unrelated to LLB metadata. // FIXME: rename (ExecContext? ExecArgs?) @@ -917,6 +949,7 @@ func init() { proto.RegisterType((*WorkerConstraints)(nil), "pb.WorkerConstraints") proto.RegisterType((*Definition)(nil), "pb.Definition") proto.RegisterType((*HostIP)(nil), "pb.HostIP") + proto.RegisterEnum("pb.NetMode", NetMode_name, NetMode_value) proto.RegisterEnum("pb.MountType", MountType_name, MountType_value) proto.RegisterEnum("pb.CacheSharingOpt", CacheSharingOpt_name, CacheSharingOpt_value) } @@ -1156,6 +1189,11 @@ func (m *ExecOp) MarshalTo(dAtA []byte) (int, error) { i += n } } + if m.Network != 0 { + dAtA[i] = 0x18 + i++ + i = encodeVarintOps(dAtA, i, uint64(m.Network)) + } return i, nil } @@ -1988,6 +2026,9 @@ func (m *ExecOp) Size() (n int) { n += 1 + l + sovOps(uint64(l)) } } + if m.Network != 0 { + n += 1 + sovOps(uint64(m.Network)) + } return n } 
@@ -2967,6 +3008,25 @@ func (m *ExecOp) Unmarshal(dAtA []byte) error { return err } iNdEx = postIndex + case 3: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Network", wireType) + } + m.Network = 0 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowOps + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + m.Network |= (NetMode(b) & 0x7F) << shift + if b < 0x80 { + break + } + } default: iNdEx = preIndex skippy, err := skipOps(dAtA[iNdEx:]) 
@@ -5603,91 +5663,94 @@ var ( func init() { proto.RegisterFile("ops.proto", fileDescriptorOps) } var fileDescriptorOps = []byte{ - // 1371 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x56, 0xcb, 0x6f, 0xdb, 0x46, - 0x13, 0x37, 0xa9, 0x87, 0xc5, 0xa1, 0xed, 0xe8, 0xdb, 0x3c, 0x3e, 0x7d, 0xfe, 0x52, 0xdb, 0x65, - 0x8a, 0xc2, 0xb1, 0x63, 0x19, 0x50, 0x80, 0x24, 0xe8, 0x21, 0xa8, 0xf5, 0x08, 0xac, 0xa6, 0xa9, - 0x8c, 0x95, 0xe1, 0x1e, 0x03, 0x9a, 0x5a, 0xc9, 0x44, 0x64, 0x2e, 0x41, 0xae, 0x52, 0xeb, 0xd2, - 0x43, 0xfe, 0x82, 0x02, 0x05, 0x7a, 0xef, 0xb1, 0x97, 0xfe, 0x07, 0xbd, 0xe7, 0xd8, 0x6b, 0x7b, - 0x48, 0x8b, 0xf4, 0x1f, 0x29, 0x66, 0x76, 0x29, 0x32, 0x8f, 0xa2, 0x09, 0xda, 0x13, 0x67, 0xe7, - 0xf1, 0xdb, 0xdd, 0xdf, 0xcc, 0xce, 0x10, 0x1c, 0x19, 0xa7, 0xcd, 0x38, 0x91, 0x4a, 0x32, 0x3b, - 0x3e, 0x5d, 0xdf, 0x9b, 0x84, 0xea, 0x6c, 0x76, 0xda, 0x0c, 0xe4, 0xf9, 0xfe, 0x44, 0x4e, 0xe4, - 0x3e, 0x99, 0x4e, 0x67, 0x63, 0x5a, 0xd1, 0x82, 0x24, 0x1d, 0xe2, 0x7d, 0x6f, 0x83, 0x3d, 0x88, - 0xd9, 0x87, 0x50, 0x0d, 0xa3, 0x78, 0xa6, 0xd2, 0x86, 0xb5, 0x55, 0xda, 0x76, 0x5b, 0x4e, 0x33, - 0x3e, 0x6d, 0xf6, 0x51, 0xc3, 0x8d, 0x81, 0x6d, 0x41, 0x59, 0x5c, 0x88, 0xa0, 0x61, 0x6f, 0x59, - 0xdb, 0x6e, 0x0b, 0xd0, 0xa1, 0x77, 0x21, 0x82, 0x41, 0x7c, 0xb8, 0xc4, 0xc9, 0xc2, 0x3e, 0x86, - 0x6a, 0x2a, 0x67, 0x49, 0x20, 0x1a, 0x25, 0xf2, 0x59, 0x41, 0x9f, 0x21, 0x69, 0xc8, 0xcb, 0x58, - 0x11, 0x29, 0x90, 0xf1, 0xbc, 0x51, 0xce, 0x91, 0x3a, 0x32, 0x9e, 0x6b, 0x24, 0xb4, 0xb0, 0x1b, - 0x50, 0x39, 0x9d, 0x85, 0xd3, 0x51, 0xa3, 0x42, 0x2e, 0x2e, 0xba, 0xb4, 0x51, 0x41, 0x3e, 0xda, - 0xc6, 0xb6, 0xa1, 0x16, 0x4f, 0x7d, 0x35, 0x96, 0xc9, 0x79, 0x03, 0xf2, 0x0d, 0x8f, 0x8c, 0x8e, - 0x2f, 0xac, 0xec, 0x2e, 0xb8, 0x81, 0x8c, 0x52, 0x95, 0xf8, 0x61, 0xa4, 0xd2, 0x86, 0x4b, 0xce, - 0x57, 0xd1, 0xf9, 0x4b, 0x99, 0x3c, 0x11, 0x49, 0x27, 0x37, 0xf2, 0xa2, 0x67, 0xbb, 0x0c, 0xb6, - 0x8c, 0xbd, 0xef, 0x2c, 0xa8, 0x65, 0xa8, 0xcc, 0x83, 
0x95, 0x83, 0x24, 0x38, 0x0b, 0x95, 0x08, - 0xd4, 0x2c, 0x11, 0x0d, 0x6b, 0xcb, 0xda, 0x76, 0xf8, 0x2b, 0x3a, 0xb6, 0x06, 0xf6, 0x60, 0x48, - 0x44, 0x39, 0xdc, 0x1e, 0x0c, 0x59, 0x03, 0x96, 0x4f, 0xfc, 0x24, 0xf4, 0x23, 0x45, 0xcc, 0x38, - 0x3c, 0x5b, 0xb2, 0xeb, 0xe0, 0x0c, 0x86, 0x27, 0x22, 0x49, 0x43, 0x19, 0x11, 0x1f, 0x0e, 0xcf, - 0x15, 0x6c, 0x03, 0x60, 0x30, 0x7c, 0x20, 0x7c, 0x04, 0x4d, 0x1b, 0x95, 0xad, 0xd2, 0xb6, 0xc3, - 0x0b, 0x1a, 0xef, 0x6b, 0xa8, 0x50, 0x8e, 0xd8, 0x67, 0x50, 0x1d, 0x85, 0x13, 0x91, 0x2a, 0x7d, - 0x9c, 0x76, 0xeb, 0xf9, 0x8b, 0xcd, 0xa5, 0x5f, 0x5f, 0x6c, 0xee, 0x14, 0x8a, 0x41, 0xc6, 0x22, - 0x0a, 0x64, 0xa4, 0xfc, 0x30, 0x12, 0x49, 0xba, 0x3f, 0x91, 0x7b, 0x3a, 0xa4, 0xd9, 0xa5, 0x0f, - 0x37, 0x08, 0xec, 0x26, 0x54, 0xc2, 0x68, 0x24, 0x2e, 0xe8, 0xfc, 0xa5, 0xf6, 0x65, 0x03, 0xe5, - 0x0e, 0x66, 0x2a, 0x9e, 0xa9, 0x3e, 0x9a, 0xb8, 0xf6, 0xf0, 0xfa, 0x50, 0xd5, 0x25, 0xc0, 0xae, - 0x43, 0xf9, 0x5c, 0x28, 0x9f, 0xb6, 0x77, 0x5b, 0x35, 0xa4, 0xf6, 0x91, 0x50, 0x3e, 0x27, 0x2d, - 0x56, 0xd7, 0xb9, 0x9c, 0x21, 0xf5, 0x76, 0x5e, 0x5d, 0x8f, 0x50, 0xc3, 0x8d, 0xc1, 0xfb, 0xc1, - 0x82, 0x32, 0x46, 0x30, 0x06, 0x65, 0x3f, 0x99, 0xe8, 0x3a, 0x74, 0x38, 0xc9, 0xac, 0x0e, 0x25, - 0x11, 0x3d, 0xa5, 0x60, 0x87, 0xa3, 0x88, 0x9a, 0xe0, 0xab, 0x91, 0x61, 0x13, 0x45, 0x8c, 0x9b, - 0xa5, 0x22, 0x31, 0x24, 0x92, 0xcc, 0x6e, 0x82, 0x13, 0x27, 0xf2, 0x62, 0xfe, 0x18, 0xa3, 0x2b, - 0x85, 0x12, 0x41, 0x65, 0x2f, 0x7a, 0xca, 0x6b, 0xb1, 0x91, 0xd8, 0x0e, 0x80, 0xb8, 0x50, 0x89, - 0x7f, 0x28, 0x53, 0x95, 0x36, 0xaa, 0x74, 0x4c, 0xaa, 0x4c, 0x54, 0xf4, 0x8f, 0x78, 0xc1, 0xea, - 0xfd, 0x68, 0x43, 0x85, 0x4e, 0xcf, 0xb6, 0x91, 0xab, 0x78, 0xa6, 0x69, 0x2f, 0xb5, 0x99, 0xe1, - 0x0a, 0x28, 0x2b, 0x0b, 0xaa, 0x30, 0x43, 0xeb, 0x50, 0x4b, 0xc5, 0x54, 0x04, 0x4a, 0x26, 0xa6, - 0x30, 0x16, 0x6b, 0x3c, 0xfa, 0x08, 0x73, 0xa7, 0x6f, 0x43, 0x32, 0xdb, 0x85, 0xaa, 0x24, 0xc2, - 0xe9, 0x42, 0x7f, 0x91, 0x06, 0xe3, 0x82, 0xe0, 0x89, 0xf0, 0x47, 0x32, 0x9a, 0xce, 0xe9, 
0x9a, - 0x35, 0xbe, 0x58, 0xb3, 0x5d, 0x70, 0x88, 0xe2, 0xe3, 0x79, 0x2c, 0x1a, 0xd5, 0x2d, 0x6b, 0x7b, - 0xad, 0xb5, 0xba, 0xa0, 0x1f, 0x95, 0x3c, 0xb7, 0xe3, 0x93, 0x0a, 0xfc, 0xe0, 0x4c, 0x0c, 0x62, - 0xd5, 0xb8, 0x92, 0xf3, 0xd5, 0x31, 0x3a, 0xbe, 0xb0, 0x22, 0x6c, 0x2a, 0x82, 0x44, 0x28, 0x74, - 0xbd, 0x4a, 0xae, 0x04, 0x3b, 0xcc, 0x94, 0x3c, 0xb7, 0x7b, 0x7d, 0xa8, 0x65, 0x10, 0xf8, 0x36, - 0xfa, 0x5d, 0xf3, 0x6a, 0xec, 0x7e, 0x97, 0xed, 0xc1, 0x72, 0x7a, 0xe6, 0x27, 0x61, 0x34, 0x21, - 0x5e, 0xd6, 0x5a, 0x97, 0x17, 0x3b, 0x0e, 0xb5, 0x1e, 0xc1, 0x32, 0x1f, 0x4f, 0x82, 0xb3, 0xd8, - 0xe2, 0x0d, 0xac, 0x3a, 0x94, 0x66, 0xe1, 0x88, 0x70, 0x56, 0x39, 0x8a, 0xa8, 0x99, 0x84, 0xba, - 0x4e, 0x56, 0x39, 0x8a, 0x48, 0xf6, 0xb9, 0x1c, 0x09, 0xa2, 0x75, 0x95, 0x93, 0x8c, 0xfc, 0xc9, - 0x58, 0x85, 0x32, 0xf2, 0xa7, 0x19, 0x7f, 0xd9, 0xda, 0xbb, 0x0f, 0x55, 0xdd, 0x9c, 0xd8, 0x16, - 0x94, 0xd2, 0x24, 0x30, 0x0d, 0x72, 0x2d, 0xeb, 0x5a, 0xba, 0xbf, 0x71, 0x34, 0x2d, 0x12, 0x69, - 0xe7, 0x89, 0xf4, 0x38, 0x40, 0xee, 0xf6, 0xef, 0x14, 0x8c, 0xf7, 0xad, 0x05, 0xb5, 0xac, 0xaf, - 0x62, 0x93, 0x08, 0x47, 0x22, 0x52, 0xe1, 0x38, 0x14, 0x89, 0x21, 0xa3, 0xa0, 0x61, 0x7b, 0x50, - 0xf1, 0x95, 0x4a, 0xb2, 0xb7, 0xf7, 0xdf, 0x62, 0x53, 0x6e, 0x1e, 0xa0, 0xa5, 0x17, 0xa9, 0x64, - 0xce, 0xb5, 0xd7, 0xfa, 0x3d, 0x80, 0x5c, 0x89, 0xfc, 0x3d, 0x11, 0x73, 0x83, 0x8a, 0x22, 0xbb, - 0x02, 0x95, 0xa7, 0xfe, 0x74, 0x26, 0xcc, 0xa1, 0xf4, 0xe2, 0x13, 0xfb, 0x9e, 0xe5, 0xfd, 0x64, - 0xc3, 0xb2, 0x69, 0xd2, 0xec, 0x16, 0x2c, 0x53, 0x93, 0x36, 0x27, 0x7a, 0xfb, 0x4d, 0x33, 0x17, - 0xb6, 0xbf, 0x98, 0x3e, 0x85, 0x33, 0x1a, 0x28, 0x3d, 0x85, 0xcc, 0x19, 0xf3, 0x59, 0x54, 0x1a, - 0x89, 0xb1, 0x19, 0x33, 0x94, 0x8a, 0xae, 0x18, 0x87, 0x51, 0x88, 0x39, 0xe3, 0x68, 0x62, 0xb7, - 0xb2, 0x5b, 0x97, 0x09, 0xf1, 0x5a, 0x11, 0xf1, 0xcd, 0x4b, 0xf7, 0xc1, 0x2d, 0x6c, 0xf3, 0x96, - 0x5b, 0x7f, 0x54, 0xbc, 0xb5, 0xd9, 0x92, 0xe0, 0xf4, 0x8c, 0xcc, 0x59, 0xf8, 0x07, 0xfc, 0xdd, - 0x01, 0xc8, 0x21, 0xdf, 0xbd, 
0x52, 0xbc, 0x67, 0x25, 0x80, 0x41, 0x8c, 0xcd, 0x73, 0xe4, 0x53, - 0xb3, 0x5d, 0x09, 0x27, 0x91, 0x4c, 0xc4, 0x63, 0x7a, 0xac, 0x14, 0x5f, 0xe3, 0xae, 0xd6, 0xd1, - 0xbb, 0x62, 0x07, 0xe0, 0x8e, 0x44, 0x1a, 0x24, 0x21, 0x15, 0xb9, 0x21, 0x7d, 0x13, 0xef, 0x94, - 0xe3, 0x34, 0xbb, 0xb9, 0x87, 0xe6, 0xaa, 0x18, 0xc3, 0x5a, 0xb0, 0x22, 0x2e, 0x62, 0x99, 0x28, - 0xb3, 0x8b, 0x9e, 0xe5, 0x97, 0xf4, 0x5f, 0x01, 0xea, 0x69, 0x27, 0xee, 0x8a, 0x7c, 0xc1, 0x7c, - 0x28, 0x07, 0x7e, 0xac, 0x07, 0x99, 0xdb, 0x6a, 0xbc, 0xb6, 0x5f, 0xc7, 0x8f, 0x35, 0x69, 0xed, - 0xdb, 0x78, 0xd7, 0x67, 0xbf, 0x6d, 0xee, 0x16, 0xa6, 0xd7, 0xb9, 0x3c, 0x9d, 0xef, 0x53, 0xbd, - 0x3c, 0x09, 0xd5, 0xfe, 0x4c, 0x85, 0xd3, 0x7d, 0x3f, 0x0e, 0x11, 0x0e, 0x03, 0xfb, 0x5d, 0x4e, - 0xd0, 0xeb, 0xf7, 0xa1, 0xfe, 0xfa, 0xb9, 0xdf, 0x27, 0x07, 0xeb, 0x77, 0xc1, 0x59, 0x9c, 0xe3, - 0xef, 0x02, 0x6b, 0xc5, 0xe4, 0xdd, 0x00, 0xb7, 0x70, 0x6f, 0x74, 0x3c, 0x21, 0x47, 0xcd, 0xbe, - 0x5e, 0x78, 0xcf, 0xf0, 0x47, 0x22, 0x9b, 0x38, 0x1f, 0x00, 0x9c, 0x29, 0x15, 0x3f, 0xa6, 0x11, - 0x64, 0x36, 0x71, 0x50, 0x43, 0x1e, 0x6c, 0x13, 0x5c, 0x5c, 0xa4, 0xc6, 0xae, 0x4f, 0x4a, 0x11, - 0xa9, 0x76, 0xf8, 0x3f, 0x38, 0xe3, 0x45, 0xb8, 0x1e, 0x1d, 0xb5, 0x71, 0x16, 0xfd, 0x3f, 0xa8, - 0x45, 0xd2, 0xd8, 0xf4, 0x44, 0x5c, 0x8e, 0x24, 0x99, 0xbc, 0x5d, 0xf8, 0xcf, 0x1b, 0x7f, 0x3d, - 0xec, 0x1a, 0x54, 0xc7, 0xe1, 0x54, 0xd1, 0x73, 0xc5, 0x21, 0x6b, 0x56, 0xde, 0x2f, 0x16, 0x40, - 0xfe, 0xb4, 0x90, 0x11, 0x7c, 0x77, 0xe8, 0xb3, 0xa2, 0xdf, 0xd9, 0x14, 0x6a, 0xe7, 0x26, 0x83, - 0xa6, 0x8e, 0xae, 0xbf, 0xfa, 0x1c, 0x9b, 0x59, 0x82, 0x75, 0x6e, 0x5b, 0x26, 0xb7, 0xef, 0xf3, - 0x67, 0xb2, 0xd8, 0x61, 0xfd, 0x21, 0xac, 0xbe, 0x02, 0xf7, 0x8e, 0x2f, 0x35, 0xaf, 0xb2, 0x62, - 0xca, 0x6e, 0x41, 0x55, 0x0f, 0x77, 0xec, 0xdb, 0x28, 0x19, 0x18, 0x92, 0x69, 0xb6, 0x1c, 0x65, - 0xff, 0x70, 0xfd, 0xa3, 0x9d, 0x4f, 0xc1, 0x59, 0x8c, 0x4c, 0x56, 0x83, 0x72, 0xbb, 0xff, 0x45, - 0xb7, 0xbe, 0xc4, 0x00, 0xaa, 0xc3, 0x5e, 0x87, 0xf7, 0x8e, 0xeb, 
0x16, 0x5b, 0x86, 0xd2, 0x70, - 0x78, 0x58, 0xb7, 0x99, 0x03, 0x95, 0xce, 0x41, 0xe7, 0xb0, 0x57, 0x2f, 0xa1, 0x78, 0xfc, 0xe8, - 0xe8, 0xc1, 0xb0, 0x5e, 0xde, 0xb9, 0x03, 0x97, 0x5e, 0x1b, 0x6b, 0x14, 0x7d, 0x78, 0xc0, 0x7b, - 0x88, 0xe4, 0xc2, 0xf2, 0x11, 0xef, 0x9f, 0x1c, 0x1c, 0xf7, 0xea, 0x16, 0x1a, 0x3e, 0x1f, 0x74, - 0x1e, 0xf6, 0xba, 0x75, 0xbb, 0x5d, 0x7f, 0xfe, 0x72, 0xc3, 0xfa, 0xf9, 0xe5, 0x86, 0xf5, 0xfb, - 0xcb, 0x0d, 0xeb, 0x9b, 0x3f, 0x36, 0x96, 0x4e, 0xab, 0xf4, 0xef, 0x7e, 0xfb, 0xcf, 0x00, 0x00, - 0x00, 0xff, 0xff, 0x5f, 0x7b, 0x2c, 0xa4, 0xfb, 0x0b, 0x00, 0x00, + // 1415 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x57, 0xcd, 0x6f, 0x1b, 0x45, + 0x14, 0x8f, 0xd7, 0x9f, 0xfb, 0x9c, 0xa4, 0x66, 0xfa, 0x81, 0x09, 0x25, 0x09, 0x5b, 0x40, 0x69, + 0xd2, 0x38, 0x92, 0x2b, 0xb5, 0x15, 0x87, 0x8a, 0xf8, 0xa3, 0x8a, 0x29, 0x89, 0xa3, 0x71, 0x08, + 0xc7, 0x6a, 0xb3, 0x1e, 0x3b, 0xab, 0x38, 0x3b, 0xab, 0xdd, 0x71, 0x1b, 0x5f, 0x38, 0xf4, 0x2f, + 0x40, 0x42, 0xe2, 0xce, 0x91, 0x0b, 0xff, 0x01, 0xf7, 0x1e, 0xb9, 0xc2, 0xa1, 0xa0, 0xf2, 0x8f, + 0xa0, 0xf7, 0x66, 0xd6, 0xbb, 0xfd, 0x40, 0xb4, 0x82, 0x93, 0xdf, 0xbc, 0xf7, 0x9b, 0xdf, 0xcc, + 0xfc, 0xde, 0x9b, 0x79, 0x6b, 0xb0, 0x65, 0x18, 0x37, 0xc2, 0x48, 0x2a, 0xc9, 0xac, 0xf0, 0x64, + 0x65, 0x7b, 0xec, 0xab, 0xd3, 0xe9, 0x49, 0xc3, 0x93, 0xe7, 0x3b, 0x63, 0x39, 0x96, 0x3b, 0x14, + 0x3a, 0x99, 0x8e, 0x68, 0x44, 0x03, 0xb2, 0xf4, 0x14, 0xe7, 0x47, 0x0b, 0xac, 0x7e, 0xc8, 0x3e, + 0x86, 0x92, 0x1f, 0x84, 0x53, 0x15, 0xd7, 0x73, 0xeb, 0xf9, 0x8d, 0x6a, 0xd3, 0x6e, 0x84, 0x27, + 0x8d, 0x1e, 0x7a, 0xb8, 0x09, 0xb0, 0x75, 0x28, 0x88, 0x0b, 0xe1, 0xd5, 0xad, 0xf5, 0xdc, 0x46, + 0xb5, 0x09, 0x08, 0xe8, 0x5e, 0x08, 0xaf, 0x1f, 0xee, 0x2d, 0x70, 0x8a, 0xb0, 0xcf, 0xa0, 0x14, + 0xcb, 0x69, 0xe4, 0x89, 0x7a, 0x9e, 0x30, 0x8b, 0x88, 0x19, 0x90, 0x87, 0x50, 0x26, 0x8a, 0x4c, + 0x9e, 0x0c, 0x67, 0xf5, 0x42, 0xca, 0xd4, 0x96, 0xe1, 0x4c, 0x33, 0x61, 0x84, 0xdd, 
0x80, 0xe2, + 0xc9, 0xd4, 0x9f, 0x0c, 0xeb, 0x45, 0x82, 0x54, 0x11, 0xd2, 0x42, 0x07, 0x61, 0x74, 0x8c, 0x6d, + 0x40, 0x25, 0x9c, 0xb8, 0x6a, 0x24, 0xa3, 0xf3, 0x3a, 0xa4, 0x0b, 0x1e, 0x1a, 0x1f, 0x9f, 0x47, + 0xd9, 0x5d, 0xa8, 0x7a, 0x32, 0x88, 0x55, 0xe4, 0xfa, 0x81, 0x8a, 0xeb, 0x55, 0x02, 0x5f, 0x45, + 0xf0, 0x37, 0x32, 0x3a, 0x13, 0x51, 0x3b, 0x0d, 0xf2, 0x2c, 0xb2, 0x55, 0x00, 0x4b, 0x86, 0xce, + 0x0f, 0x39, 0xa8, 0x24, 0xac, 0xcc, 0x81, 0xc5, 0xdd, 0xc8, 0x3b, 0xf5, 0x95, 0xf0, 0xd4, 0x34, + 0x12, 0xf5, 0xdc, 0x7a, 0x6e, 0xc3, 0xe6, 0x2f, 0xf9, 0xd8, 0x32, 0x58, 0xfd, 0x01, 0x09, 0x65, + 0x73, 0xab, 0x3f, 0x60, 0x75, 0x28, 0x1f, 0xbb, 0x91, 0xef, 0x06, 0x8a, 0x94, 0xb1, 0x79, 0x32, + 0x64, 0xd7, 0xc1, 0xee, 0x0f, 0x8e, 0x45, 0x14, 0xfb, 0x32, 0x20, 0x3d, 0x6c, 0x9e, 0x3a, 0xd8, + 0x2a, 0x40, 0x7f, 0xf0, 0x40, 0xb8, 0x48, 0x1a, 0xd7, 0x8b, 0xeb, 0xf9, 0x0d, 0x9b, 0x67, 0x3c, + 0xce, 0xb7, 0x50, 0xa4, 0x1c, 0xb1, 0x2f, 0xa1, 0x34, 0xf4, 0xc7, 0x22, 0x56, 0x7a, 0x3b, 0xad, + 0xe6, 0xb3, 0xe7, 0x6b, 0x0b, 0xbf, 0x3f, 0x5f, 0xdb, 0xcc, 0x14, 0x83, 0x0c, 0x45, 0xe0, 0xc9, + 0x40, 0xb9, 0x7e, 0x20, 0xa2, 0x78, 0x67, 0x2c, 0xb7, 0xf5, 0x94, 0x46, 0x87, 0x7e, 0xb8, 0x61, + 0x60, 0x37, 0xa1, 0xe8, 0x07, 0x43, 0x71, 0x41, 0xfb, 0xcf, 0xb7, 0x2e, 0x1b, 0xaa, 0x6a, 0x7f, + 0xaa, 0xc2, 0xa9, 0xea, 0x61, 0x88, 0x6b, 0x84, 0x13, 0x42, 0x49, 0x97, 0x00, 0xbb, 0x0e, 0x85, + 0x73, 0xa1, 0x5c, 0x5a, 0xbe, 0xda, 0xac, 0xa0, 0xb4, 0xfb, 0x42, 0xb9, 0x9c, 0xbc, 0x58, 0x5d, + 0xe7, 0x72, 0x8a, 0xd2, 0x5b, 0x69, 0x75, 0xed, 0xa3, 0x87, 0x9b, 0x00, 0xfb, 0x14, 0xca, 0x81, + 0x50, 0x4f, 0x64, 0x74, 0x46, 0x12, 0x2d, 0xeb, 0x9c, 0x1f, 0x08, 0xb5, 0x2f, 0x87, 0x82, 0x27, + 0x31, 0xe7, 0xa7, 0x1c, 0x14, 0x90, 0x98, 0x31, 0x28, 0xb8, 0xd1, 0x58, 0x97, 0xab, 0xcd, 0xc9, + 0x66, 0x35, 0xc8, 0x8b, 0xe0, 0x31, 0xad, 0x61, 0x73, 0x34, 0xd1, 0xe3, 0x3d, 0x19, 0x1a, 0xd1, + 0xd1, 0xc4, 0x79, 0xd3, 0x58, 0x44, 0x46, 0x6b, 0xb2, 0xd9, 0x4d, 0xb0, 0xc3, 0x48, 0x5e, 0xcc, + 0x1e, 0xe1, 0xec, 0x62, 
0xa6, 0x92, 0xd0, 0xd9, 0x0d, 0x1e, 0xf3, 0x4a, 0x68, 0x2c, 0xb6, 0x09, + 0x20, 0x2e, 0x54, 0xe4, 0xee, 0xc9, 0x58, 0xc5, 0xf5, 0x12, 0x9d, 0x86, 0x0a, 0x18, 0x1d, 0xbd, + 0x43, 0x9e, 0x89, 0x3a, 0x3f, 0x5b, 0x50, 0xa4, 0x43, 0xb2, 0x0d, 0x94, 0x34, 0x9c, 0xea, 0xec, + 0xe4, 0x5b, 0xcc, 0x48, 0x0a, 0x94, 0xbc, 0xb9, 0xa2, 0x98, 0xc8, 0x15, 0xa8, 0xc4, 0x62, 0x22, + 0x3c, 0x25, 0x23, 0x53, 0x3f, 0xf3, 0x31, 0x6e, 0x7d, 0x88, 0x29, 0xd6, 0xa7, 0x21, 0x9b, 0x6d, + 0x41, 0x49, 0x52, 0x5e, 0xe8, 0x40, 0xff, 0x90, 0x2d, 0x03, 0x41, 0xf2, 0x48, 0xb8, 0x43, 0x19, + 0x4c, 0x66, 0x74, 0xcc, 0x0a, 0x9f, 0x8f, 0xd9, 0x16, 0xd8, 0x94, 0x89, 0xa3, 0x59, 0x28, 0xea, + 0x25, 0xca, 0xc0, 0xd2, 0x3c, 0x4b, 0xe8, 0xe4, 0x69, 0x1c, 0x6f, 0x9e, 0xe7, 0x7a, 0xa7, 0xa2, + 0x1f, 0xaa, 0xfa, 0x95, 0x54, 0xaf, 0xb6, 0xf1, 0xf1, 0x79, 0x14, 0x69, 0x63, 0xe1, 0x45, 0x42, + 0x21, 0xf4, 0x2a, 0x41, 0x89, 0x76, 0x90, 0x38, 0x79, 0x1a, 0x77, 0x7a, 0x50, 0x49, 0x28, 0xf0, + 0x0a, 0xf5, 0x3a, 0xe6, 0x72, 0x59, 0xbd, 0x0e, 0xdb, 0x86, 0x72, 0x7c, 0xea, 0x46, 0x7e, 0x30, + 0x26, 0x5d, 0x96, 0x9b, 0x97, 0xe7, 0x2b, 0x0e, 0xb4, 0x1f, 0xc9, 0x12, 0x8c, 0x23, 0xc1, 0x9e, + 0x2f, 0xf1, 0x1a, 0x57, 0x0d, 0xf2, 0x53, 0x7f, 0x48, 0x3c, 0x4b, 0x1c, 0x4d, 0xf4, 0x8c, 0x7d, + 0x5d, 0x27, 0x4b, 0x1c, 0x4d, 0x14, 0xfb, 0x5c, 0x0e, 0x05, 0xc9, 0xba, 0xc4, 0xc9, 0x46, 0xfd, + 0x64, 0xa8, 0x7c, 0x19, 0xb8, 0x93, 0x44, 0xbf, 0x64, 0xec, 0xdc, 0x87, 0x92, 0x7e, 0xc3, 0xd8, + 0x3a, 0xe4, 0xe3, 0xc8, 0x33, 0xef, 0xe8, 0x72, 0xf2, 0xb8, 0xe9, 0x67, 0x90, 0x63, 0x68, 0x9e, + 0x48, 0x2b, 0x4d, 0xa4, 0xc3, 0x01, 0x52, 0xd8, 0xff, 0x53, 0x30, 0xce, 0xf7, 0x39, 0xa8, 0x24, + 0xcf, 0x2f, 0xbe, 0x25, 0xfe, 0x50, 0x04, 0xca, 0x1f, 0xf9, 0x22, 0x32, 0x62, 0x64, 0x3c, 0x6c, + 0x1b, 0x8a, 0xae, 0x52, 0x51, 0x72, 0x45, 0xdf, 0xcf, 0xbe, 0xdd, 0x8d, 0x5d, 0x8c, 0x74, 0x03, + 0x15, 0xcd, 0xb8, 0x46, 0xad, 0xdc, 0x03, 0x48, 0x9d, 0xa8, 0xdf, 0x99, 0x98, 0x19, 0x56, 0x34, + 0xd9, 0x15, 0x28, 0x3e, 0x76, 0x27, 0x53, 0x61, 0x36, 0xa5, 
0x07, 0x9f, 0x5b, 0xf7, 0x72, 0xce, + 0x2f, 0x16, 0x94, 0xcd, 0x5b, 0xce, 0x6e, 0x41, 0x99, 0xde, 0x72, 0xb3, 0xa3, 0x37, 0x9f, 0x34, + 0x81, 0xb0, 0x9d, 0x79, 0x93, 0xca, 0xec, 0xd1, 0x50, 0xe9, 0x66, 0x65, 0xf6, 0x98, 0xb6, 0xac, + 0xfc, 0x50, 0x8c, 0x4c, 0x37, 0xa2, 0x54, 0x74, 0xc4, 0xc8, 0x0f, 0x7c, 0xcc, 0x19, 0xc7, 0x10, + 0xbb, 0x95, 0x9c, 0xba, 0x40, 0x8c, 0xd7, 0xb2, 0x8c, 0xaf, 0x1f, 0xba, 0x07, 0xd5, 0xcc, 0x32, + 0x6f, 0x38, 0xf5, 0x27, 0xd9, 0x53, 0x9b, 0x25, 0x89, 0x4e, 0xb7, 0xd2, 0x54, 0x85, 0xff, 0xa0, + 0xdf, 0x1d, 0x80, 0x94, 0xf2, 0xed, 0x2b, 0xc5, 0x79, 0x9a, 0x07, 0xe8, 0x87, 0xf8, 0x78, 0x0e, + 0x5d, 0x7a, 0x93, 0x17, 0xfd, 0x71, 0x20, 0x23, 0xf1, 0x88, 0x2e, 0x2b, 0xcd, 0xaf, 0xf0, 0xaa, + 0xf6, 0xd1, 0xbd, 0x62, 0xbb, 0x50, 0x1d, 0x8a, 0xd8, 0x8b, 0x7c, 0x2a, 0x72, 0x23, 0xfa, 0x1a, + 0x9e, 0x29, 0xe5, 0x69, 0x74, 0x52, 0x84, 0xd6, 0x2a, 0x3b, 0x87, 0x35, 0x61, 0x51, 0x5c, 0x84, + 0x32, 0x52, 0x66, 0x15, 0xdd, 0xf2, 0x2f, 0xe9, 0x8f, 0x07, 0xf4, 0xd3, 0x4a, 0xbc, 0x2a, 0xd2, + 0x01, 0x73, 0xa1, 0xe0, 0xb9, 0xa1, 0xee, 0x77, 0xd5, 0x66, 0xfd, 0x95, 0xf5, 0xda, 0x6e, 0xa8, + 0x45, 0x6b, 0xdd, 0xc6, 0xb3, 0x3e, 0xfd, 0x63, 0x6d, 0x2b, 0xd3, 0xe4, 0xce, 0xe5, 0xc9, 0x6c, + 0x87, 0xea, 0xe5, 0xcc, 0x57, 0x3b, 0x53, 0xe5, 0x4f, 0x76, 0xdc, 0xd0, 0x47, 0x3a, 0x9c, 0xd8, + 0xeb, 0x70, 0xa2, 0x5e, 0xb9, 0x0f, 0xb5, 0x57, 0xf7, 0xfd, 0x2e, 0x39, 0x58, 0xb9, 0x0b, 0xf6, + 0x7c, 0x1f, 0xff, 0x36, 0xb1, 0x92, 0x4d, 0xde, 0x0d, 0xa8, 0x66, 0xce, 0x8d, 0xc0, 0x63, 0x02, + 0x6a, 0xf5, 0xf5, 0xc0, 0x79, 0x8a, 0xdf, 0x1b, 0x49, 0xc7, 0xf9, 0x08, 0xe0, 0x54, 0xa9, 0xf0, + 0x11, 0xb5, 0x20, 0xb3, 0x88, 0x8d, 0x1e, 0x42, 0xb0, 0x35, 0xa8, 0xe2, 0x20, 0x36, 0x71, 0xbd, + 0x53, 0x9a, 0x11, 0x6b, 0xc0, 0x87, 0x60, 0x8f, 0xe6, 0xd3, 0x75, 0xeb, 0xa8, 0x8c, 0x92, 0xd9, + 0x1f, 0x40, 0x25, 0x90, 0x26, 0xa6, 0x3b, 0x62, 0x39, 0x90, 0x14, 0x72, 0xb6, 0xe0, 0xbd, 0xd7, + 0x3e, 0x8e, 0xd8, 0x35, 0x28, 0x8d, 0xfc, 0x89, 0xa2, 0xeb, 0x8a, 0x4d, 0xd6, 0x8c, 0x9c, 0xdf, + 
0x72, 0x00, 0xe9, 0xd5, 0x42, 0x45, 0xf0, 0xde, 0x21, 0x66, 0x51, 0xdf, 0xb3, 0x09, 0x54, 0xce, + 0x4d, 0x06, 0x4d, 0x1d, 0x5d, 0x7f, 0xf9, 0x3a, 0x36, 0x92, 0x04, 0xeb, 0xdc, 0x36, 0x4d, 0x6e, + 0xdf, 0xe5, 0x03, 0x66, 0xbe, 0xc2, 0xca, 0x43, 0x58, 0x7a, 0x89, 0xee, 0x2d, 0x6f, 0x6a, 0x5a, + 0x65, 0xd9, 0x94, 0xdd, 0x82, 0x92, 0x6e, 0xee, 0xf8, 0x6e, 0xa3, 0x65, 0x68, 0xc8, 0xa6, 0xde, + 0x72, 0x98, 0x7c, 0xea, 0xf5, 0x0e, 0x37, 0x37, 0xa0, 0x6c, 0x3e, 0x5a, 0x98, 0x0d, 0xc5, 0xaf, + 0x0f, 0x06, 0xdd, 0xa3, 0xda, 0x02, 0xab, 0x40, 0x61, 0xaf, 0x3f, 0x38, 0xaa, 0xe5, 0xd0, 0x3a, + 0xe8, 0x1f, 0x74, 0x6b, 0xd6, 0xe6, 0x17, 0x60, 0xcf, 0x9b, 0x2b, 0xba, 0x5b, 0xbd, 0x83, 0x4e, + 0x6d, 0x81, 0x01, 0x94, 0x06, 0xdd, 0x36, 0xef, 0x22, 0xb8, 0x0c, 0xf9, 0xc1, 0x60, 0xaf, 0x66, + 0x21, 0x55, 0x7b, 0xb7, 0xbd, 0xd7, 0xad, 0xe5, 0xd1, 0x3c, 0xda, 0x3f, 0x7c, 0x30, 0xa8, 0x15, + 0x36, 0xef, 0xc0, 0xa5, 0x57, 0x1a, 0x20, 0xcd, 0xde, 0xdb, 0xe5, 0x5d, 0x64, 0xaa, 0x42, 0xf9, + 0x90, 0xf7, 0x8e, 0x77, 0x8f, 0xba, 0xb5, 0x1c, 0x06, 0xbe, 0xea, 0xb7, 0x1f, 0x76, 0x3b, 0x35, + 0xab, 0x55, 0x7b, 0xf6, 0x62, 0x35, 0xf7, 0xeb, 0x8b, 0xd5, 0xdc, 0x9f, 0x2f, 0x56, 0x73, 0xdf, + 0xfd, 0xb5, 0xba, 0x70, 0x52, 0xa2, 0x3f, 0x03, 0xb7, 0xff, 0x0e, 0x00, 0x00, 0xff, 0xff, 0x8c, + 0x1e, 0x1e, 0x98, 0x4c, 0x0c, 0x00, 0x00, } diff --git a/solver/pb/ops.proto b/solver/pb/ops.proto index 945df067..17b5506a 100644 --- a/solver/pb/ops.proto +++ b/solver/pb/ops.proto @@ -41,6 +41,7 @@ message Input { message ExecOp { Meta meta = 1; repeated Mount mounts = 2; + NetMode network = 3; } // Meta is a set of arguments for ExecOp. @@ -55,6 +56,12 @@ message Meta { repeated HostIP extraHosts = 6; } +enum NetMode { + UNSET = 0; // sandbox + HOST = 1; + NONE = 2; +} + // Mount specifies how to mount an input Op as a filesystem. message Mount { int64 input = 1 [(gogoproto.customtype) = "InputIndex", (gogoproto.nullable) = false]; 
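Review bot: The `// sandbox` comment on `UNSET = 0` in the new `NetMode` enum does not match what the executors in this commit do, since both still switch an UNSET op to host networking when no provider is configured or `NewInterface()` fails. The enum is the contract LLB producers read, so it should describe the real behaviour and say which values need an entitlement. Suggested comments: `UNSET = 0; // sandboxed network when a provider is available; currently falls back to host otherwise` and `HOST = 1; // requires the network.host entitlement`.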
diff --git a/util/entitlements/entitlements.go b/util/entitlements/entitlements.go new file mode 100644 index 00000000..4bd7f2a8 --- /dev/null +++ b/util/entitlements/entitlements.go @@ -0,0 +1,70 @@ +package entitlements + +import "github.com/pkg/errors" + +type Entitlement string + +const ( + EntitlementSecurityConfined Entitlement = "security.confined" + EntitlementSecurityUnconfined Entitlement = "security.unconfined" // unimplemented + EntitlementNetworkHost Entitlement = "network.host" + EntitlementNetworkNone Entitlement = "network.none" +) + +var all = map[Entitlement]struct{}{ + EntitlementSecurityConfined: {}, + EntitlementSecurityUnconfined: {}, + EntitlementNetworkHost: {}, + EntitlementNetworkNone: {}, +} + +var defaults = map[Entitlement]struct{}{ + EntitlementSecurityConfined: {}, + EntitlementNetworkNone: {}, +} + +func Parse(s string) (Entitlement, error) { + _, ok := all[Entitlement(s)] + if !ok { + return "", errors.Errorf("unknown entitlement %s", s) + } + return Entitlement(s), nil +} + +func WhiteList(allowed, supported []Entitlement) (Set, error) { + m := map[Entitlement]struct{}{} + + var supm Set + if supported != nil { + var err error + supm, err = WhiteList(supported, nil) + if err != nil { // should not happen + return nil, err + } + } + + for _, e := range allowed { + e, err := Parse(string(e)) + if err != nil { + return nil, err + } + if supported != nil { + if !supm.Allowed(e) { + return nil, errors.Errorf("entitlement %s is not allowed", e) + } + } + m[e] = struct{}{} + } + + for e := range defaults { + m[e] = struct{}{} + } + return Set(m), nil +} + +type Set map[Entitlement]struct{} + +func (s Set) Allowed(e Entitlement) bool { + _, ok := s[e] + return ok +}
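Review bot: `WhiteList` treats `supported == nil` as "no filter" but an empty non-nil slice as "only the defaults", so an access-control decision depends on the nil/empty distinction of a slice. A caller that builds the list the idiomatic way (`var out []Entitlement` plus conditional appends) would turn filtering off and accept every known entitlement, `network.host` included; `supportedEntitlements` in solver/llbsolver avoids this only through `[]entitlements.Entitlement{}` and a comment. An explicit signal (a separate unfiltered constructor or a bool) would be harder to misuse. At minimum the exported function needs a doc comment stating that a nil `supported` disables filtering, that an empty non-nil slice allows only the defaults, and that the defaults are always added to the result. The two `errors.Errorf` calls also format the caller-supplied name with `%s`, where `%q` would keep empty or odd input readable in logs.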