From a5b6c20c386e24dde27ce3859161d74fb19e382a Mon Sep 17 00:00:00 2001
From: Tonis Tiigi
Date: Mon, 19 Jul 2021 13:54:15 -0700
Subject: [PATCH] Update Dockerfile references to use 1.3

Signed-off-by: Tonis Tiigi
---
 Dockerfile | 2 +-
 .../cmd/dockerfile-frontend/Dockerfile | 2 +-
 frontend/dockerfile/docs/syntax.md | 97 +++++++++----------
 hack/dockerfiles/generated-files.Dockerfile | 2 +-
 hack/dockerfiles/lint.Dockerfile | 2 +-
 hack/dockerfiles/shfmt.Dockerfile | 2 +-
 hack/dockerfiles/vendor.Dockerfile | 2 +-
 7 files changed, 53 insertions(+), 56 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index ac52c6d3..15c429b9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-# syntax = docker/dockerfile:1.2
+# syntax = docker/dockerfile:1.3
 
 ARG RUNC_VERSION=v1.0.0
 ARG CONTAINERD_VERSION=v1.5.3
diff --git a/frontend/dockerfile/cmd/dockerfile-frontend/Dockerfile b/frontend/dockerfile/cmd/dockerfile-frontend/Dockerfile
index 2c0f7135..b4cf72b2 100644
--- a/frontend/dockerfile/cmd/dockerfile-frontend/Dockerfile
+++ b/frontend/dockerfile/cmd/dockerfile-frontend/Dockerfile
@@ -1,4 +1,4 @@
-# syntax = docker/dockerfile:1.1-experimental
+# syntax = docker/dockerfile:1.3
 
 # xx is a helper for cross-compilation
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:golang@sha256:810dc54d5144f133a218e88e319184bf8b9ce01d37d46ddb37573e90decd9eef AS xx
diff --git a/frontend/dockerfile/docs/syntax.md b/frontend/dockerfile/docs/syntax.md
index 2f853626..41a552af 100644
--- a/frontend/dockerfile/docs/syntax.md
+++ b/frontend/dockerfile/docs/syntax.md
@@ -12,7 +12,7 @@ If you are using Docker v18.09 or later, BuildKit mode can be enabled by setting
 BuildKit supports loading frontends dynamically from container images. Images for Dockerfile frontends are available at
 [`docker/dockerfile`](https://hub.docker.com/r/docker/dockerfile/tags/) repository.
 
-To use the external frontend, the first line of your Dockerfile needs to be `# syntax=docker/dockerfile:1.2` pointing to the
+To use the external frontend, the first line of your Dockerfile needs to be `# syntax=docker/dockerfile:1.3` pointing to the
 specific image you want to use.
 
 BuildKit also ships with Dockerfile frontend builtin but it is recommended to use an external image to make sure that all
@@ -30,7 +30,7 @@ change in between releases on labs channel, the old versions are guaranteed to b
 To use this flag set Dockerfile version to at least `1.2`
 
 ```
-# syntax=docker/dockerfile:1.2
+# syntax=docker/dockerfile:1.3
 ```
 
 `RUN --mount` allows you to create mounts that process running as part of the build can access. This can be used to bind
@@ -73,7 +73,7 @@ it if more storage space is needed.
 #### Example: cache Go packages
 
 ```dockerfile
-# syntax = docker/dockerfile:1.2
+# syntax = docker/dockerfile:1.3
 FROM golang
 ...
 RUN --mount=type=cache,target=/root/.cache/go-build go build ...
@@ -82,7 +82,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build go build ...
 #### Example: cache apt packages
 
 ```dockerfile
-# syntax = docker/dockerfile:1.2
+# syntax = docker/dockerfile:1.3
 FROM ubuntu
 RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
@@ -115,7 +115,7 @@ This mount type allows the build container to access secure files such as privat
 #### Example: access to S3
 
 ```dockerfile
-# syntax = docker/dockerfile:1.2
+# syntax = docker/dockerfile:1.3
 FROM python:3
 RUN pip install awscli
 RUN --mount=type=secret,id=aws,target=/root/.aws/credentials aws s3 cp s3://... ...
@@ -147,7 +147,7 @@ This mount type allows the build container to access SSH keys via SSH agents, wi
 #### Example: access to Gitlab
 
 ```dockerfile
-# syntax = docker/dockerfile:1.2
+# syntax = docker/dockerfile:1.3
 FROM alpine
 RUN apk add --no-cache openssh-client
 RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts
@@ -172,42 +172,10 @@ You can also specify a path to `*.pem` file on the host directly instead of `$SS
 However, pem files with passphrases are not supported.
 
 
-
-## Security context `RUN --security=insecure|sandbox`
-
-To use this flag, set Dockerfile version to `labs` channel.
-
-```
-# syntax=docker/dockerfile:1.2-labs
-```
-
-With `--security=insecure`, builder runs the command without sandbox in insecure mode,
-which allows to run flows requiring elevated privileges (e.g. containerd). This is equivalent
-to running `docker run --privileged`. In order to access this feature, entitlement
-`security.insecure` should be enabled when starting the buildkitd daemon
-(`--allow-insecure-entitlement security.insecure`) and for a build request
-(`--allow security.insecure`).
-
-Default sandbox mode can be activated via `--security=sandbox`, but that is no-op.
-
-#### Example: check entitlements
-
-```dockerfile
-# syntax = docker/dockerfile:1.2-labs
-FROM ubuntu
-RUN --security=insecure cat /proc/self/status | grep CapEff
-```
-
-```
-#84 0.093 CapEff: 0000003fffffffff
-```
-
 ## Network modes `RUN --network=none|host|default`
 
-To use this flag, set Dockerfile version to `labs` channel.
-
 ```
-# syntax=docker/dockerfile:1.2-labs
+# syntax=docker/dockerfile:1.3
 ```
 
 `RUN --network` allows control over which networking environment the command is run in.
@@ -229,7 +197,7 @@ which needs to be enabled when starting the buildkitd daemon
 #### Example: isolating external effects
 
 ```dockerfile
-# syntax = docker/dockerfile:1.2-labs
+# syntax = docker/dockerfile:1.3
 FROM python:3.6
 ADD mypackage.tgz wheels/
 RUN --network=none pip install --find-links wheels mypackage
@@ -239,13 +207,42 @@ RUN --network=none pip install --find-links wheels mypackage
 can be controlled by an earlier build stage.
 
 
-## Here-Documents
+## Security context `RUN --security=insecure|sandbox`
 
-To use this flag, set Dockerfile version to `labs` channel. Currently this feature is only available
-in `docker/dockerfile-upstream:master-labs` image.
+To use this flag, set Dockerfile version to `labs` channel.
 
 ```
-# syntax=docker/dockerfile-upstream:master-labs
+# syntax=docker/dockerfile:1.3-labs
+```
+
+With `--security=insecure`, builder runs the command without sandbox in insecure mode,
+which allows to run flows requiring elevated privileges (e.g. containerd). This is equivalent
+to running `docker run --privileged`. In order to access this feature, entitlement
+`security.insecure` should be enabled when starting the buildkitd daemon
+(`--allow-insecure-entitlement security.insecure`) and for a build request
+(`--allow security.insecure`).
+
+Default sandbox mode can be activated via `--security=sandbox`, but that is no-op.
+
+#### Example: check entitlements
+
+```dockerfile
+# syntax = docker/dockerfile:1.3-labs
+FROM ubuntu
+RUN --security=insecure cat /proc/self/status | grep CapEff
+```
+
+```
+#84 0.093 CapEff: 0000003fffffffff
+```
+
+## Here-Documents
+
+To use this flag, set Dockerfile version to `labs` channel. This feature is available
+since `docker/dockerfile:1.3.0-labs` release.
+
+```
+# syntax=docker/dockerfile:1.3-labs
 ```
 
 Here-documents allow redirection of subsequent Dockerfile lines to the input of `RUN` or `COPY` commands.
@@ -255,7 +252,7 @@ Dockerfile will consider the next lines until the line only containing a here-do
 #### Example: running a multi-line script
 
 ```dockerfile
-# syntax = docker/dockerfile-upstream:master-labs
+# syntax = docker/dockerfile:1.3-labs
 FROM debian
 RUN < file1 && < file2 I am
@@ -304,7 +301,7 @@ In `COPY` commands source parameters can be replaced with here-doc indicators.
 Regular here-doc [variable expansion and tab stripping rules](https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_07_04) apply.
 
 ```dockerfile
-# syntax = docker/dockerfile-upstream:master-labs
+# syntax = docker/dockerfile:1.3-labs
 FROM alpine
 ARG FOO=bar
 COPY <<-eot /app/foo
@@ -313,7 +310,7 @@ eot
 ```
 
 ```dockerfile
-# syntax = docker/dockerfile-upstream:master-labs
+# syntax = docker/dockerfile:1.3-labs
 FROM alpine
 COPY <<-"eot" /app/script.sh
 echo hello ${FOO}
diff --git a/hack/dockerfiles/generated-files.Dockerfile b/hack/dockerfiles/generated-files.Dockerfile
index 3f7b8749..010aabee 100644
--- a/hack/dockerfiles/generated-files.Dockerfile
+++ b/hack/dockerfiles/generated-files.Dockerfile
@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.2
+# syntax=docker/dockerfile:1.3
 
 # protoc is dynamically linked to glibc to can't use golang:1.10-alpine
 FROM golang:1.16-buster AS gobuild-base
diff --git a/hack/dockerfiles/lint.Dockerfile b/hack/dockerfiles/lint.Dockerfile
index c8099d69..3e094d01 100644
--- a/hack/dockerfiles/lint.Dockerfile
+++ b/hack/dockerfiles/lint.Dockerfile
@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.2
+# syntax=docker/dockerfile:1.3
 
 FROM golang:1.16-alpine
 RUN apk add --no-cache gcc musl-dev yamllint
diff --git a/hack/dockerfiles/shfmt.Dockerfile b/hack/dockerfiles/shfmt.Dockerfile
index 2c14fe93..f7f0a271 100644
--- a/hack/dockerfiles/shfmt.Dockerfile
+++ b/hack/dockerfiles/shfmt.Dockerfile
@@ -1,4 +1,4 @@
-# syntax = docker/dockerfile:1.2
+# syntax = docker/dockerfile:1.3
 FROM mvdan/shfmt:v3.1.2-alpine AS shfmt
 WORKDIR /src
 ARG SHFMT_FLAGS="-i 2 -ci"
diff --git a/hack/dockerfiles/vendor.Dockerfile b/hack/dockerfiles/vendor.Dockerfile
index bb37b4d3..99d75a75 100644
--- a/hack/dockerfiles/vendor.Dockerfile
+++ b/hack/dockerfiles/vendor.Dockerfile
@@ -1,4 +1,4 @@
-# syntax = docker/dockerfile:1.2
+# syntax = docker/dockerfile:1.3
 FROM golang:1.16-alpine AS vendored
 RUN apk add --no-cache git
 WORKDIR /src