commit
a258bd18b2
|
@ -0,0 +1,13 @@
|
|||
package oci
|
||||
|
||||
// ProcMode configures PID namespaces
|
||||
type ProcessMode int
|
||||
|
||||
const (
|
||||
// ProcessSandbox unshares pidns and mount procfs.
|
||||
ProcessSandbox ProcessMode = iota
|
||||
// NoProcessSandbox uses host pidns and bind-mount procfs.
|
||||
// Note that NoProcessSandbox allows build containers to kill (and potentially ptrace) an arbitrary process in the BuildKit host namespace.
|
||||
// NoProcessSandbox should be enabled only when the BuildKit is running in a container as an unprivileged user.
|
||||
NoProcessSandbox
|
||||
)
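Review bot: The doc comment on the new type reads `// ProcMode configures PID namespaces` while the type is named ProcessMode, so godoc will not attach it as the type's documentation and the name in it is simply wrong; change it to `// ProcessMode configures whether a build container gets its own PID namespace.` The constant comments could be tightened the same way, e.g. `// ProcessSandbox unshares the PID namespace and mounts a fresh procfs.` The NoProcessSandbox caveat is the one that matters: a build process that shares buildkitd's pidns can signal, and per the existing comment potentially ptrace, every process visible to it, so the "should be enabled only when" sentence is a hard safety requirement rather than a preference. I would reword it as `NoProcessSandbox must only be used when buildkitd itself runs in a container as an unprivileged user, so the processes reachable from the build are already confined.`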
|
|
@ -27,18 +27,6 @@ import (
|
|||
|
||||
// Ideally we don't have to import whole containerd just for the default spec
|
||||
|
||||
// ProcMode configures PID namespaces
|
||||
type ProcessMode int
|
||||
|
||||
const (
|
||||
// ProcessSandbox unshares pidns and mount procfs.
|
||||
ProcessSandbox ProcessMode = iota
|
||||
// NoProcessSandbox uses host pidns and bind-mount procfs.
|
||||
// Note that NoProcessSandbox allows build containers to kill (and potentially ptrace) an arbitrary process in the BuildKit host namespace.
|
||||
// NoProcessSandbox should be enabled only when the BuildKit is running in a container as an unprivileged user.
|
||||
NoProcessSandbox
|
||||
)
|
||||
|
||||
// GenerateSpec generates spec using containerd functionality.
|
||||
// opts are ignored for s.Process, s.Hostname, and s.Mounts .
|
||||
func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mount, id, resolvConf, hostsFile string, namespace network.Namespace, processMode ProcessMode, idmap *idtools.IdentityMapping, opts ...oci.SpecOpts) (*specs.Spec, func(), error) {
|
||||
|
|
|
@ -20,19 +20,11 @@ func GetUser(ctx context.Context, root, username string) (uint32, uint32, []uint
|
|||
return uid, gid, nil, nil
|
||||
}
|
||||
|
||||
passwdPath, err := user.GetPasswdPath()
|
||||
if err != nil {
|
||||
return 0, 0, nil, err
|
||||
}
|
||||
groupPath, err := user.GetGroupPath()
|
||||
if err != nil {
|
||||
return 0, 0, nil, err
|
||||
}
|
||||
passwdFile, err := openUserFile(root, passwdPath)
|
||||
passwdFile, err := openUserFile(root, "/etc/passwd")
|
||||
if err == nil {
|
||||
defer passwdFile.Close()
|
||||
}
|
||||
groupFile, err := openUserFile(root, groupPath)
|
||||
groupFile, err := openUserFile(root, "/etc/group")
|
||||
if err == nil {
|
||||
defer groupFile.Close()
|
||||
}
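Review bot: The two literals `"/etc/passwd"` and `"/etc/group"` replace the `user.GetPasswdPath()`/`user.GetGroupPath()` calls together with their error branches; as far as I recall those libcontainer helpers return exactly these fixed strings with a nil error, so this looks behaviour-preserving, but that is worth stating, and the paths belong in named constants rather than two magic strings, e.g. `const (passwdPath = "/etc/passwd"; groupPath = "/etc/group")` at package level with the comment `// passwdPath and groupPath are resolved relative to the build's rootfs by openUserFile, not on the host.` The security point to keep in view is that root is image-controlled content, so openUserFile (outside this hunk) must resolve these paths with a symlink-safe join inside root; I cannot see it from here, so please confirm rather than assume. The pre-existing handling, where an open failure only skips the deferred Close and err is overwritten by the second call, is unchanged by this commit. GetUser's body continues past the end of the hunk.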
|
||||
|
|
|
@ -90,14 +90,14 @@ RUN --mount=target=. --mount=target=/root/.cache,type=cache \
|
|||
|
||||
# build buildkitd binary
|
||||
FROM buildkit-base AS buildkitd
|
||||
ENV CGO_ENABLED=1
|
||||
ARG TARGETPLATFORM
|
||||
ARG BUILDKITD_TAGS
|
||||
ENV BUILDKITD_TAGS="osusergo netgo static_build seccomp ${BUILDKITD_TAGS}"
|
||||
RUN --mount=target=. --mount=target=/root/.cache,type=cache \
|
||||
--mount=target=/go/pkg/mod,type=cache \
|
||||
--mount=source=/tmp/.ldflags,target=/tmp/.ldflags,from=buildkit-version \
|
||||
go build -ldflags "$(cat /tmp/.ldflags) -w -extldflags -static" -tags "osusergo seccomp netgo cgo static_build ${BUILDKITD_TAGS}" -o /usr/bin/buildkitd ./cmd/buildkitd && \
|
||||
file /usr/bin/buildkitd | grep "statically linked"
|
||||
go build -ldflags "$(cat /tmp/.ldflags) -w -extldflags -static" -tags "${BUILDKITD_TAGS}" -o /usr/bin/buildkitd ./cmd/buildkitd && \
|
||||
file /usr/bin/buildkitd | egrep "statically linked|Windows"
|
||||
|
||||
FROM scratch AS binaries-linux
|
||||
COPY --from=runc /usr/bin/runc /buildkit-runc
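Review bot: The check on the `file /usr/bin/buildkitd | egrep "statically linked|Windows"` line now passes for any Windows PE regardless of how it was linked, so the static-link guard only covers the Linux output; if that is deliberate because file(1) does not describe PE binaries as statically linked, say so with a comment such as `# file(1) never reports PE binaries as "statically linked"; only the Linux build is verified static here`. Prefer `grep -E` over `egrep`, which recent GNU grep marks deprecated and warns about. Dropping the explicit `cgo` tag from the build line looks harmless because the go tool sets that tag itself when CGO_ENABLED=1, but that is an inference from the surrounding lines rather than something this hunk demonstrates. The new `ENV BUILDKITD_TAGS` default appends the build arg instead of replacing it, so `seccomp` cannot be silently dropped by an override, which is the right direction.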
|
||||
|
@ -186,7 +186,10 @@ COPY --from=binaries / /usr/bin/
|
|||
ENTRYPOINT ["buildkitd"]
|
||||
|
||||
FROM binaries AS buildkit-buildkitd-darwin
|
||||
|
||||
FROM binaries AS buildkit-buildkitd-windows
|
||||
# this is not in binaries-windows because it is not intended for release yet, just CI
|
||||
COPY --from=buildkitd /usr/bin/buildkitd /buildkitd.exe
|
||||
|
||||
FROM buildkit-buildkitd-$TARGETOS AS buildkit-buildkitd
|
||||
|
||||
|
|