The problem this change is trying to fix is environments where some
capabilities are already dropped, so they can't be granted to the
job with `--security=insecure`.
I know that the fixed set of capabilities was probably implemented to
provide a stable build environment, but at the same time this breaks
environments with reduced capabilities.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
There are a few goals with this refactor:
1. Remove external access to fields that no longer make sense and/or
won't make sense soon due to other potential changes. For example,
there can now be multiple blobs associated with a ref (for different
compression types), so the fact that you could access the "Blob"
field from the Info method on Ref incorrectly implied there was just
a single blob for the ref. This is on top of the fact that there is
no need for external access to blob digests.
2. Centralize use of cache metadata inside the cache package.
Previously, many parts of the code outside the cache package could
obtain the bolt storage item for any ref and read/write it directly.
This made it hard to understand what fields are used and when. Now,
the Metadata method has been removed from the Ref interface and
replaced with getters+setters for metadata fields we want to expose
outside the package, which makes it much easier to track and
understand. Similar changes have been made to the metadata search
interface.
3. Use a consistent getter+setter interface for metadata, replacing
the mix of interfaces like Metadata(), Size(), Info() and other
inconsistencies.
Signed-off-by: Erik Sipsma <erik@sipsma.dev>
This will allow clients to retrieve exit error codes returned during a
solve without parsing the error messages.
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
Previously, heredoc names were restricted to simple alphanumeric
strings. However, heredocs should support much more complex use-cases,
including quoting anywhere, as well as allowing special symbols like `.`
for easily expressing file extensions.
This patch adds support for these more complex cases, by using the shell
lexer to parse each heredoc name. Additionally, we include improvements
to the lexer to optionally preserve escape tokens to avoid problems when
lexing words that have already been lexed before.
Signed-off-by: Justin Chadwell <me@jedevc.com>
This modifies the command structures to support inline files, as well as
provides the logic to compile them down into appropriate LLB
definitions.
Signed-off-by: Justin Chadwell <me@jedevc.com>
This provides the basic functionality for the parser to recognize and
parse provided heredocs in supported commands.
Signed-off-by: Justin Chadwell <me@jedevc.com>
This updates all occurrences of Go 1.13 to Go 1.16; also updated
the code that's used to redact credentials in URLs to use the Go
implementation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Relates to a82fff6377/docs/packages.md (proxies)
> (..) the first four of these are the standard built-in build-arg options
> available for `docker build`
> (..) The last, `all_proxy`, is a standard var used for socks proxying. Since
> it is not built into `docker build`, if you want to use it, you will need to
> add the following line to the dockerfile:
>
> ARG all_proxy
Given that we support all other commonly known proxy env-vars by default, it makes
sense to add this one as well.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
I noticed this when building a Dockerfile that failed because a file didn't
exist, so went through error messages that looked like they had a duplicate
"not found" in the output:
[+] Building 0.9s (6/9)
=> [internal] load build definition from Dockerfile 0.2s
=> => transferring dockerfile: 306B 0.0s
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/alpine:latest 0.0s
=> CACHED [1/5] FROM docker.io/library/alpine 0.0s
=> [internal] load build context 0.6s
=> => transferring context: 701B 0.5s
=> ERROR [2/5] ADD no-such-file.txt / 0.0s
------
> [2/5] ADD no-such-file.txt /:
------
failed to compute cache key: "/no-such-file.txt" not found: not found
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
While we generally ignore the basename in this layer, for wildcards
there is no other place to add the basename to the checksum as they
can not be resolved earlier. Before, the basename that was in the
checksum was the wildcard itself, so if the wildcard remained the same
and the content remained the same but the file the wildcard pointed to was
renamed, the cache was not invalidated.
Unfortunately, this change breaks cache for all copy commands that
use a wildcard.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
This sets the platform prefix based on the `BUILDKIT_MULTI_PLATFORM`
value (if set). This is similar to the changes here in
docker/buildx@7f58ad45fa
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Cache mount instances are shared between multiple vertexes/builds,
so if one of the cloned instances gets committed, the reference count
will get corrupted as other parts of the code still see the reference as
mountable.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
The FlagsUsed contains a list of flags that were used, which allows the classic
(non-buildkit) builder in dockerd to produce an error when non-supported options
are used in a Dockerfile.
This is a short-term solution; a more permanent solution will be to keep track
of which version of the Dockerfile syntax is supported, and to have the classic
builder pass the maximum supported version of the syntax.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This reverts commit 174bcf85ef.
This commit attempted to fix a situation where an empty entrypoint
was specified, causing a confusing error when running the image;
however, allowing the entrypoint to be reset should be a valid
use-case, and running such an image on docker 20.10 at least
produces an informative error:
docker build -t foo -<<'EOF'
FROM busybox
ENTRYPOINT []
EOF
Or, to reset a previously set entrypoint:
docker build -t foo -<<'EOF'
FROM busybox AS one
ENTRYPOINT ["/bin/busybox"]
FROM one AS two
ENTRYPOINT []
EOF
If no command is specified for the image above:
docker run -it --rm foo
docker: Error response from daemon: No command specified.
See 'docker run --help'.
Passing a command to run:
docker run -it --rm foo sh
/#
Given that this commit resulted in a regression/breaking change
this reverts the commit.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Copy this const to a local constant to prevent importing the containerd
client in the front-end.
For consistency, I also updated the executor code to use the same const,
although not strictly needed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Experimental name confuses users as backwards compatibility
rules are different for other tools called experimental.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
- Plumb default worker by adding GetDefault() to frontend.WorkerInfos
- To avoid cyclic dependency, refactor frontend.WorkerInfos to worker.Infos
- Refactor gateway.NewContainer to share code with llbsolver/ops/exec.go
Signed-off-by: Edgar Lee <edgarl@netflix.com>