From 20258652b3d17fb63285f001ae5eb6eada00cdb9 Mon Sep 17 00:00:00 2001 From: Jeffrey Huang Date: Mon, 9 Dec 2019 00:15:55 -0600 Subject: [PATCH 1/3] Fix issue #1230 To support switching the OCI worker binary via buildkitd and without modifying the Dockerfile, an optional command-line flag was added to main_oci_worker.go that allowed for input the name of an OCI worker binary (ex. crun). This OCI worker binary would then replace the current buildkit-runc with a symbolic link to that binary. The above was done using the os/exec package's Command func. Signed-off-by: Jeffrey Huang
---
 cmd/buildkitd/config/config.go | 2 ++ cmd/buildkitd/main_oci_worker.go | 10 +++++++++- worker/runc/runc.go | 11 ++++++++++- 3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/cmd/buildkitd/config/config.go b/cmd/buildkitd/config/config.go
index 03c71c31..65e36493 100644
--- a/cmd/buildkitd/config/config.go
+++ b/cmd/buildkitd/config/config.go
@@ -76,6 +76,8 @@ type OCIConfig struct {
 // UserRemapUnsupported is unsupported key for testing. The feature is
 // incomplete and the intention is to make it default without config.
 UserRemapUnsupported string `toml:"userRemapUnsupported"`
+ // For use in storing the OCI worker binary name that will replace buildkit-runc
+ Binary string `toml:"binary"`
 }
 type ContainerdConfig struct {
diff --git a/cmd/buildkitd/main_oci_worker.go b/cmd/buildkitd/main_oci_worker.go
index c8bf6bdd..2ba68bba 100644
--- a/cmd/buildkitd/main_oci_worker.go
+++ b/cmd/buildkitd/main_oci_worker.go
@@ -70,6 +70,11 @@ func init() {
 Usage: "path of cni binary files",
 Value: defaultConf.Workers.OCI.NetworkConfig.CNIBinaryPath,
 },
+ cli.StringFlag{
+ Name: "oci-worker-binary",
+ Usage: "name of specified oci worker binary",
+ Value: defaultConf.Workers.OCI.Binary,
+ },
 }
 n := "oci-worker-rootless"
 u := "enable rootless mode"
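Review bot: The comment on the new `Binary` field of `OCIConfig` (cmd/buildkitd/config/config.go hunk) does not say what kind of value is expected, and it does not make clear that this key selects the executable the daemon will run. It also does not start with the field name, and it mentions only buildkit-runc, while the docs change in PATCH 3/3 says the default is buildkit-runc or runc. The `Usage` text of the `oci-worker-binary` flag in the main_oci_worker.go hunk (`"name of specified oci worker binary"`) has the same gap. I would write `// Binary is the name of an alternate OCI runtime binary (for example crun) to execute instead of the default buildkit-runc or runc; empty keeps the default.` and reword the flag usage to match. Since the key decides which program buildkitd executes, the docs should also state that buildkitd.toml must be writable only by the account that administers the daemon.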
@@ -180,6 +185,9 @@ func applyOCIFlags(c *cli.Context, cfg *config.Config) error {
 if c.GlobalIsSet("oci-cni-binary-dir") {
 cfg.Workers.OCI.NetworkConfig.CNIBinaryPath = c.GlobalString("oci-cni-binary-dir")
 }
+ if c.GlobalIsSet("oci-worker-binary") {
+ cfg.Workers.OCI.Binary = c.GlobalString("oci-worker-binary")
+ }
 return nil
 }
@@ -232,7 +240,7 @@ func ociWorkerInitializer(c *cli.Context, common workerInitializerOpt) ([]worker
 },
 }
- opt, err := runc.NewWorkerOpt(common.config.Root, snFactory, cfg.Rootless, processMode, cfg.Labels, idmapping, nc, dns)
+ opt, err := runc.NewWorkerOpt(common.config.Root, snFactory, cfg.Rootless, processMode, cfg.Labels, idmapping, nc, dns, cfg.Binary)
 if err != nil {
 return nil, err
 }
diff --git a/worker/runc/runc.go b/worker/runc/runc.go
index b80e93ac..0cbbc72f 100644
--- a/worker/runc/runc.go
+++ b/worker/runc/runc.go
@@ -32,7 +32,7 @@ type SnapshotterFactory struct {
 }
 // NewWorkerOpt creates a WorkerOpt.
-func NewWorkerOpt(root string, snFactory SnapshotterFactory, rootless bool, processMode oci.ProcessMode, labels map[string]string, idmap *idtools.IdentityMapping, nopt netproviders.Opt, dns *oci.DNSConfig) (base.WorkerOpt, error) {
+func NewWorkerOpt(root string, snFactory SnapshotterFactory, rootless bool, processMode oci.ProcessMode, labels map[string]string, idmap *idtools.IdentityMapping, nopt netproviders.Opt, dns *oci.DNSConfig, binary string) (base.WorkerOpt, error) {
 var opt base.WorkerOpt
 name := "runc-" + snFactory.Name
 root = filepath.Join(root, name)
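Review bot: In the worker/runc/runc.go hunk the exported `NewWorkerOpt` gains a ninth positional parameter, so any caller not touched by this patch stops compiling. The in-tree test caller is only updated in PATCH 3/3, which suggests this commit does not build its tests on its own; folding that fix into this commit would keep each commit buildable. The doc comment `// NewWorkerOpt creates a WorkerOpt.` is left as is and says nothing about the new argument; I would add `// binary, when non-empty, names the OCI runtime executable to use instead of the default; "" keeps the default lookup.` The function body continues outside the hunk.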
@@ -45,9 +45,18 @@ func NewWorkerOpt(root string, snFactory SnapshotterFactory, rootless bool, proc
 return opt, err
 }
+ // Check if user has specified OCI worker binary; if they have, append it to cmds
+ var cmds []string
+ if binary != "" {
+ cmds = append(cmds, binary)
+ }
+
 exe, err := runcexecutor.New(runcexecutor.Opt{
 // Root directory
 Root: filepath.Join(root, "executor"),
+ // If user has specified OCI worker binary, it will be sent to the runc executor to find and use
+ // Otherwise, a nil array will be sent and the default OCI worker binary will be used
+ CommandCandidates: cmds,
 // without root privileges
 Rootless: rootless,
 ProcessMode: processMode,
From cb237bf24ef6e3ac7746e0b3e9dce715450966da Mon Sep 17 00:00:00 2001 From: Nikhil Pandeti Date: Thu, 12 Dec 2019 12:32:47 -0600 Subject: [PATCH 2/3] Gofmt and goimports config.go, add documentation Signed-off-by: Nikhil Pandeti
---
 cmd/buildkitd/config/config.go | 2 +- docs/buildkitd.toml.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/cmd/buildkitd/config/config.go b/cmd/buildkitd/config/config.go
index 65e36493..97ba3f5b 100644
--- a/cmd/buildkitd/config/config.go
+++ b/cmd/buildkitd/config/config.go
@@ -77,7 +77,7 @@ type OCIConfig struct {
 // incomplete and the intention is to make it default without config.
 UserRemapUnsupported string `toml:"userRemapUnsupported"`
 // For use in storing the OCI worker binary name that will replace buildkit-runc
- Binary string `toml:"binary"`
+ Binary string `toml:"binary"`
 }
 type ContainerdConfig struct {
diff --git a/docs/buildkitd.toml.md b/docs/buildkitd.toml.md
index 5836f7e4..d1440ba5 100644
--- a/docs/buildkitd.toml.md
+++ b/docs/buildkitd.toml.md
@@ -46,6 +46,7 @@ insecure-entitlements = [ "network.host", "security.insecure" ]
 noProcessSandbox = false
 gc = true
 gckeepstorage = 9000
+ binary = "" # OCI worker binary name, default binary is buildkit-runc
 [worker.oci.labels]
 "foo" = "bar"
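Review bot: In the second worker/runc/runc.go hunk, `binary` is placed in `CommandCandidates` without any check, whether it came from the flag or from buildkitd.toml, and it names the program the executor will run. How `runcexecutor.New` resolves candidates is not visible here; if it uses an `exec.LookPath`-style lookup, a value that contains a slash but is not absolute would be resolved against the daemon's working directory instead of `PATH`. I would reject such values before building `cmds`, guarded by `if strings.Contains(binary, "/") && !filepath.IsAbs(binary)` (adding the `strings` import if the file lacks it), and log the resolved runtime path at startup so the binary in use can be audited. The new comment also says "nil array" where the value is a nil slice. Separately, the commit description speaks of a symbolic link made through os/exec, which this hunk does not do. `NewWorkerOpt` starts and ends outside the hunk.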
From 7efcee49c54cb04715508eedf23038e3123283c9 Mon Sep 17 00:00:00 2001 From: Nikhil Pandeti Date: Thu, 12 Dec 2019 13:25:56 -0600 Subject: [PATCH 3/3] Oci worker binary documentation and add missing constructor arg in runc_test Signed-off-by: Nikhil Pandeti
---
 docs/buildkitd.toml.md | 4 +++- worker/runc/runc_test.go | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/docs/buildkitd.toml.md b/docs/buildkitd.toml.md
index d1440ba5..bdf2cc7e 100644
--- a/docs/buildkitd.toml.md
+++ b/docs/buildkitd.toml.md
@@ -46,7 +46,9 @@ insecure-entitlements = [ "network.host", "security.insecure" ]
 noProcessSandbox = false
 gc = true
 gckeepstorage = 9000
- binary = "" # OCI worker binary name, default binary is buildkit-runc
+ # alternate OCI worker binary name(example 'crun'), by default either
+ # buildkit-runc or runc binary is used
+ binary = ""
 [worker.oci.labels]
 "foo" = "bar"
diff --git a/worker/runc/runc_test.go b/worker/runc/runc_test.go
index 7fb2d277..cbb94532 100644
--- a/worker/runc/runc_test.go
+++ b/worker/runc/runc_test.go
@@ -40,7 +40,7 @@ func newWorkerOpt(t *testing.T, processMode oci.ProcessMode) (base.WorkerOpt, fu
 },
 }
 rootless := false
- workerOpt, err := NewWorkerOpt(tmpdir, snFactory, rootless, processMode, nil, nil, netproviders.Opt{Mode: "host"}, nil)
+ workerOpt, err := NewWorkerOpt(tmpdir, snFactory, rootless, processMode, nil, nil, netproviders.Opt{Mode: "host"}, nil, "")
 require.NoError(t, err)
 return workerOpt, cleanup
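Review bot: The worker/runc/runc_test.go hunk only passes `""` as the new last argument of `NewWorkerOpt`, so the `binary != ""` branch added in PATCH 1/3 is never exercised by the tests shown. A small case that passes a name that cannot exist and asserts the outcome would pin what an operator sees after mistyping the option; presumably that is an error from the executor, but its lookup is not visible here. `newWorkerOpt` starts and ends outside the hunk.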