full diff: 4634ce647c...c2cc352355
also adds github.com/cilium/ebpf as a dependency, which I set to the same
version as is set in containerd/cgroups version
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
`cmd/buildkitd/config` pkg is imported and used by other packages including
moby/moby.
Though stargz snapshotter configuration is currently effective only with
buildkitd + OCI worker, `cmd/buildkitd/config` consumer needs to introduce an
indirect dependency to stargz snapshotter's config pkg
(`github.com/containerd/stargz-snapshotter/stargz/config`), which is too much.
This commit solves this by delaying decoding the stargz config until OCI
worker's initialization phase.
Signed-off-by: ktock <ktokunaga.mail@gmail.com>
Current stargz snapshotter pkg doesn't contain registry configuration and the
client of that pkg needs to pass it to that pkg. So this commit includes changes
of propagating buildkitd's registry configuration to stargz snapshotter.
But this is a partial integration of registry logic between buildkitd and stargz
snapshotter because buildkitd's session-based authentication logic is still not
applied to stargz snapshotter. This means private images that require
`~/.docker/config.json` creds can't be lazily pulled yet.
Signed-off-by: ktock <ktokunaga.mail@gmail.com>
It's not fully-functional at this time, but it now compiles, which means
we are getting nearer to the point where we can start enabling tests.
This will ensure that it _stays_ compilable over time.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
This reverts commit 9290c15ffc.
This was pinned during the upgrade to containerd 1.3 series, which
changed the default runtime on Linux to io.containerd.runc.v2.
No specific rationale was listed for this pinning, and clearly it's the
wrong thing to do in the presence of Windows, which does not have this
runtime.
Instead, we rely on the containerd-internal defaults, which distinguish
the runtimes for Linux and Windows.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
Before this, the check was always returning that containerd wasn't running and
thus skipping the rest of several test cases.
Signed-off-by: Erik Sipsma <erik@sipsma.dev>
The implementation in libcontainer/system is quite complicated,
and we only use it to detect if user-namespaces are enabled.
In addition, the implementation in containerd uses a sync.Once,
so that detection (and reading/parsing `/proc/self/uid_map`) is
only performed once.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
[5/5] RUN --mount=target=/go/src/github.com/moby/buildkit gometalinter ...
0.435 util/rootless/specconv/specconv_linux.go:1:⚠️ file is not goimported (goimports)
1.320 cache/manager.go:1:⚠️ file is not goimported (goimports)
1.335 cache/manager_test.go:1:⚠️ file is not goimported (goimports)
1.337 cache/migrate_v2.go:1:⚠️ file is not goimported (goimports)
1.342 cache/refs.go:1:⚠️ file is not goimported (goimports)
1.454 cache/remotecache/registry/registry.go:1:⚠️ file is not goimported (goimports)
2.285 cmd/buildctl/build.go:1:⚠️ file is not goimported (goimports)
3.082 executor/oci/user.go:1:⚠️ file is not goimported (goimports)
4.333 session/content/content_test.go:1:⚠️ file is not goimported (goimports)
4.614 snapshot/containerd/content.go:1:⚠️ file is not goimported (goimports)
4.721 solver/errdefs/vertex.go:1:⚠️ file is not goimported (goimports)
6.066 util/network/cniprovider/cni.go:1:⚠️ file is not goimported (goimports)
ERROR: executor failed running [/bin/sh -c gometalinter --config=gometalinter.json ./...]: buildkit-runc did not terminate successfully
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
While real overlayfs is available only in Ubuntu and Debian kernels,
fuse-overlayfs is universally available for kernel >= 4.18.
For dockerized deployment, `--device /dev/fuse` needs to be added to
`docker run` flags.
Kubernetes deployment needs a custom device plugin that enables
`/dev/fuse`, e.g. https://github.com/honkiko/k8s-hostdev-plugin
Instead of a device plugin, the device can be also enabled by setting
`securityContext.privileged` to `true`.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
The check for running as a non-admin euid() doesn't work on Windows,
always returning -1.
For now, treat -1 as "Probably root", and let the failures happen later.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
The same function used to support Unix sockets automatically supports
Named Pipes on Windows.
This makes the default configuration option for the daemon address work
correctly on Windows.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
Added a command-line flag (tlsdir) to buildctl that allowed for specifying a directory that contains a ca.pem, cert.pem, and key.pem. This command-line flag acts an alias of --tlscacert, --tlscert, and --tlskey. --tlsdir cannot be used at the same time as those flags, and will cause an error if done. The pkg/errors package has been added to cmd/buildctl/common/common.go to allow for the creation of this error message.
Signed-off-by: Jeffrey Huang <jeffreyhuang23@gmail.com>
To support switching the OCI worker binary via buildkitd and without modifying the Dockerfile, an optional command-line flag was added to main_oci_worker.go that allowed for input the name of an OCI worker binary (ex. crun). This OCI worker binary would then replace the current buildkit-runc with a symbolic link to that binary. The above was done using the os/exec package's Command func.
Signed-off-by: Jeffrey Huang <jeffreyhuang23@gmail.com>
Sebastiaan van Stijn
ktock
Tonis Tiigi
Akihiro Suda
Akihiro Suda
Paul "TBBle" Hampson
Erik Sipsma
Darren Shepherd
Wei Fu
Jeffrey Huang
Nikhil Pandeti