Merge pull request #567 from tonistiigi/dockerfile-secrets

dockerfile: implement secret type mounts
docker-18.09
Akihiro Suda 2018-08-10 00:09:17 +09:00 committed by GitHub
commit a6e6f3fd09
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 92 additions and 3 deletions

View File

@ -0,0 +1,13 @@
// +build dfrunmount,!dfsecrets
package dockerfile2llb
import (
"github.com/moby/buildkit/client/llb"
"github.com/moby/buildkit/frontend/dockerfile/instructions"
"github.com/pkg/errors"
)
func dispatchSecret(m *instructions.Mount) (llb.RunOption, error) {
return nil, errors.Errorf("secret mounts not allowed")
}

View File

@ -57,6 +57,14 @@ func dispatchRunMounts(d *dispatchState, c *instructions.RunCommand, sources []*
st = llb.Scratch()
mountOpts = append(mountOpts, llb.Tmpfs())
}
if mount.Type == instructions.MountTypeSecret {
secret, err := dispatchSecret(mount)
if err != nil {
return nil, err
}
out = append(out, secret)
continue
}
if mount.ReadOnly {
mountOpts = append(mountOpts, llb.Readonly)
}

View File

@ -0,0 +1,32 @@
// +build dfsecrets dfextall
package dockerfile2llb
import (
"path"
"github.com/moby/buildkit/client/llb"
"github.com/moby/buildkit/frontend/dockerfile/instructions"
"github.com/pkg/errors"
)
func dispatchSecret(m *instructions.Mount) (llb.RunOption, error) {
id := m.CacheID
if m.Source != "" {
id = m.Source
}
if id == "" {
if m.Target == "" {
return nil, errors.Errorf("one of source, target required")
}
id = path.Base(m.Target)
}
target := m.Target
if target == "" {
target = "/run/secrets/" + path.Base(id)
}
return llb.AddSecret(target, llb.SecretID(id)), nil
}

View File

@ -0,0 +1,7 @@
// +build !dfsecrets
package instructions
func isSecretMountsSupported() bool {
return false
}

View File

@ -13,11 +13,13 @@ import (
const MountTypeBind = "bind"
const MountTypeCache = "cache"
const MountTypeTmpfs = "tmpfs"
const MountTypeSecret = "secret"
var allowedMountTypes = map[string]struct{}{
MountTypeBind: {},
MountTypeCache: {},
MountTypeTmpfs: {},
MountTypeSecret: {},
}
const MountSharingShared = "shared"
@ -40,6 +42,11 @@ func init() {
}
func isValidMountType(s string) bool {
if s == "secret" {
if !isSecretMountsSupported() {
return false
}
}
_, ok := allowedMountTypes[s]
return ok
}
@ -177,5 +184,20 @@ func parseMount(value string) (*Mount, error) {
return nil, errors.Errorf("invalid cache sharing set for %v mount", m.Type)
}
if m.Type == MountTypeSecret {
if m.From != "" {
return nil, errors.Errorf("secret mount should not have a from")
}
if m.CacheSharing != "" {
return nil, errors.Errorf("secret mount should not define sharing")
}
if m.Source == "" && m.Target == "" && m.CacheID == "" {
return nil, errors.Errorf("invalid secret mount. one of source, target required")
}
if m.Source != "" && m.CacheID != "" {
return nil, errors.Errorf("both source and id can't be set")
}
}
return m, nil
}

View File

@ -0,0 +1,7 @@
// +build dfsecrets dfextall
package instructions
func isSecretMountsSupported() bool {
return true
}