From 5e6729e56f48c64be3a32f7b84b3ce004d0197fb Mon Sep 17 00:00:00 2001
From: Tonis Tiigi
Date: Wed, 8 Aug 2018 18:11:26 -0700
Subject: [PATCH] dockerfile: implement secret type mounts
Signed-off-by: Tonis Tiigi
---
.../dockerfile2llb/convert_nosecrets.go | 13 ++++++++
.../dockerfile2llb/convert_runmount.go | 8 +++++
.../dockerfile2llb/convert_secrets.go | 32 +++++++++++++++++++
.../instructions/commands_nosecrets.go | 7 ++++
.../instructions/commands_runmount.go | 28 ++++++++++++++--
.../instructions/commands_secrets.go | 7 ++++
6 files changed, 92 insertions(+), 3 deletions(-)
create mode 100644 frontend/dockerfile/dockerfile2llb/convert_nosecrets.go
create mode 100644 frontend/dockerfile/dockerfile2llb/convert_secrets.go
create mode 100644 frontend/dockerfile/instructions/commands_nosecrets.go
create mode 100644 frontend/dockerfile/instructions/commands_secrets.go
diff --git a/frontend/dockerfile/dockerfile2llb/convert_nosecrets.go b/frontend/dockerfile/dockerfile2llb/convert_nosecrets.go
new file mode 100644
index 00000000..d7547021
--- /dev/null
+++ b/frontend/dockerfile/dockerfile2llb/convert_nosecrets.go
@@ -0,0 +1,13 @@
+// +build dfrunmount,!dfsecrets
+
+package dockerfile2llb
+
+import (
+ "github.com/moby/buildkit/client/llb"
+ "github.com/moby/buildkit/frontend/dockerfile/instructions"
+ "github.com/pkg/errors"
+)
+
+func dispatchSecret(m *instructions.Mount) (llb.RunOption, error) {
+ return nil, errors.Errorf("secret mounts not allowed")
+}
diff --git a/frontend/dockerfile/dockerfile2llb/convert_runmount.go b/frontend/dockerfile/dockerfile2llb/convert_runmount.go
index aea61b36..c726b15c 100644
--- a/frontend/dockerfile/dockerfile2llb/convert_runmount.go
+++ b/frontend/dockerfile/dockerfile2llb/convert_runmount.go
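Review bot: The build constraint on the first line, `// +build dfrunmount,!dfsecrets`, does not exclude `dfextall`, while the real implementation added in this same patch (convert_secrets.go) is tagged `// +build dfsecrets dfextall`; a build with `-tags dfrunmount,dfextall` and no `dfsecrets` therefore compiles both files and fails on a duplicate `dispatchSecret`. The same overlap exists between commands_nosecrets.go (`!dfsecrets`) and commands_secrets.go (`dfsecrets dfextall`). The stub constraint should read `// +build dfrunmount,!dfsecrets,!dfextall` (and `// +build !dfsecrets,!dfextall` for commands_nosecrets.go), unless the build setup guarantees `dfextall` is always paired with `dfsecrets`, which nothing in this patch shows.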
@@ -57,6 +57,14 @@ func dispatchRunMounts(d *dispatchState, c *instructions.RunCommand, sources []*
 st = llb.Scratch()
 mountOpts = append(mountOpts, llb.Tmpfs())
 }
+ if mount.Type == instructions.MountTypeSecret {
+ secret, err := dispatchSecret(mount)
+ if err != nil {
+ return nil, err
+ }
+ out = append(out, secret)
+ continue
+ }
 if mount.ReadOnly {
 mountOpts = append(mountOpts, llb.Readonly)
 }
diff --git a/frontend/dockerfile/dockerfile2llb/convert_secrets.go b/frontend/dockerfile/dockerfile2llb/convert_secrets.go
new file mode 100644
index 00000000..72403525
--- /dev/null
+++ b/frontend/dockerfile/dockerfile2llb/convert_secrets.go
@@ -0,0 +1,32 @@
+// +build dfsecrets dfextall
+
+package dockerfile2llb
+
+import (
+ "path"
+
+ "github.com/moby/buildkit/client/llb"
+ "github.com/moby/buildkit/frontend/dockerfile/instructions"
+ "github.com/pkg/errors"
+)
+
+func dispatchSecret(m *instructions.Mount) (llb.RunOption, error) {
+ id := m.CacheID
+ if m.Source != "" {
+ id = m.Source
+ }
+
+ if id == "" {
+ if m.Target == "" {
+ return nil, errors.Errorf("one of source, target required")
+ }
+ id = path.Base(m.Target)
+ }
+
+ target := m.Target
+ if target == "" {
+ target = "/run/secrets/" + path.Base(id)
+ }
+
+ return llb.AddSecret(target, llb.SecretID(id)), nil
+}
diff --git a/frontend/dockerfile/instructions/commands_nosecrets.go b/frontend/dockerfile/instructions/commands_nosecrets.go
new file mode 100644
index 00000000..58780648
--- /dev/null
+++ b/frontend/dockerfile/instructions/commands_nosecrets.go
@@ -0,0 +1,7 @@
+// +build !dfsecrets
+
+package instructions
+
+func isSecretMountsSupported() bool {
+ return false
+}
diff --git a/frontend/dockerfile/instructions/commands_runmount.go b/frontend/dockerfile/instructions/commands_runmount.go
index 569c60bc..d95a8393 100644
--- a/frontend/dockerfile/instructions/commands_runmount.go
+++ b/frontend/dockerfile/instructions/commands_runmount.go
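Review bot: The new secret branch `continue`s before `mount.ReadOnly` and the remaining per-mount options are applied, so any option that parseMount accepted on a secret mount but that has no meaning here (a read-write flag, for instance, if parseMount accepts one — not visible in this hunk) is silently discarded rather than rejected. Either move the `MountTypeSecret` check to the top of the loop body, ahead of the bind/cache/tmpfs handling, with a comment such as `// secret mounts carry only id/target; no st or mountOpts are built for them`, or reject the irrelevant options in parseMount so the drop is never silent. dispatchRunMounts begins and ends outside this hunk, so the loop header and the declaration of `out` are not visible.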
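Review bot: The default target `"/run/secrets/" + path.Base(id)` is not guaranteed to stay under `/run/secrets/`: `path.Base` returns `..`, `.` and `/` unchanged, so an id of that form yields `/run/secrets/..` (which is `/run`) or `/run/secrets/.`, and the same holds when `id` is itself derived from `path.Base(m.Target)`. A guard before the `target` computation closes this, `if b := path.Base(id); b == "." || b == ".." || b == "/" { return nil, errors.Errorf("invalid secret id %q", id) }`. Separately, `llb.AddSecret` is passed only the id option, so the file mode and ownership of the mounted secret are whatever the executor defaults to; a comment recording the expected default, or an explicit mode option if llb exposes one (its option set is not visible here), would make that exposure deliberate rather than implicit.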
@@ -13,11 +13,13 @@ import (
 const MountTypeBind = "bind"
 const MountTypeCache = "cache"
 const MountTypeTmpfs = "tmpfs"
+const MountTypeSecret = "secret"

 var allowedMountTypes = map[string]struct{}{
- MountTypeBind: {},
- MountTypeCache: {},
- MountTypeTmpfs: {},
+ MountTypeBind: {},
+ MountTypeCache: {},
+ MountTypeTmpfs: {},
+ MountTypeSecret: {},
 }

 const MountSharingShared = "shared"
@@ -40,6 +42,11 @@ func init() {
 }

 func isValidMountType(s string) bool {
+ if s == "secret" {
+ if !isSecretMountsSupported() {
+ return false
+ }
+ }
 _, ok := allowedMountTypes[s]
 return ok
 }
@@ -177,5 +184,20 @@ func parseMount(value string) (*Mount, error) {
 return nil, errors.Errorf("invalid cache sharing set for %v mount", m.Type)
 }

+ if m.Type == MountTypeSecret {
+ if m.From != "" {
+ return nil, errors.Errorf("secret mount should not have a from")
+ }
+ if m.CacheSharing != "" {
+ return nil, errors.Errorf("secret mount should not define sharing")
+ }
+ if m.Source == "" && m.Target == "" && m.CacheID == "" {
+ return nil, errors.Errorf("invalid secret mount. one of source, target required")
+ }
+ if m.Source != "" && m.CacheID != "" {
+ return nil, errors.Errorf("both source and id can't be set")
+ }
+ }
+
 return m, nil
 }
diff --git a/frontend/dockerfile/instructions/commands_secrets.go b/frontend/dockerfile/instructions/commands_secrets.go
new file mode 100644
index 00000000..63b3e215
--- /dev/null
+++ b/frontend/dockerfile/instructions/commands_secrets.go
@@ -0,0 +1,7 @@
+// +build dfsecrets dfextall
+
+package instructions
+
+func isSecretMountsSupported() bool {
+ return true
+}
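Review bot: `isValidMountType` compares against the literal `"secret"` even though the first hunk of this file introduces `MountTypeSecret` for exactly that string, and the two nested ifs collapse into one condition. Prefer `if s == MountTypeSecret && !isSecretMountsSupported() { return false }` so the constant is the single source of truth. A one-line comment, `// secret mounts are only valid when compiled in via the dfsecrets/dfextall build tag; the map alone cannot express that`, would explain why this type alone needs a runtime gate on top of the allowedMountTypes lookup.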
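Review bot: The secret checks in parseMount accept any `Source`/`CacheID` string, yet dispatchSecret (convert_secrets.go in this patch) later feeds that id through `path.Base` to build the default `/run/secrets/` target, so an id containing `/` is silently truncated to its last element and the secret is looked up under the full id but mounted under a different name. Rejecting such ids at parse time keeps the error next to the other secret checks, `if id := m.Source + m.CacheID; strings.ContainsRune(id, '/') { return nil, errors.Errorf("invalid secret id %q", id) }` (the preceding check guarantees at most one of the two is set; `strings` would need adding to the import block, which lies outside this hunk). The four error strings are also inconsistent in style — one carries an `invalid secret mount.` prefix, the others none — and `from`/`sharing` are reported with "should not" while the id clash uses "can't"; aligning them on one form helps users grep for the cause. parseMount starts outside this hunk, so how `Source`, `CacheID` and `ReadOnly` are populated is not visible here.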