Set's an apparmor profile on the OCI spec if one is configred on the
worker.
Adds selinux labels to containers (only added if selinux is enabled on
the system).
This assumes that the specified apparmor profile is already loaded on
the system and does not try to load it or even check if it is loaded.
SELinux support requires the `selinux` build tag to be added.
Likewise, `runc` would require both the `apparmor` and `selinux` build
tags.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Vendored go-selinux to v1.8.0
Fixed tests
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 68bb095353)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
While we try to keep the containerd and docker seccomp profiles in sync,
they may not always be; this switches the executor to use the docker
seccomp profile, so that buildkit (when vendored in docker) will use
the same default seccomp profile as is used for containers.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This has the nice side-effect of unifying the mount- and
non-mount-changes made due to processMode and securityMode.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
There's only a couple of things that are host-platform limited, i.e.,
security and process modes.
Everything else is specific to a target-platform. We can tell if we're
targeting a Linux platform, either on Linux or LCOW, by the presence of
the Linux key in the generated spec.
This doesn't introduce support for LCOW, as we'd need to plumb that down
from the caller. It will probably also need massaging to work with LCOW,
as some of the setup code here is probably incorrect for LCOW, e.g.,
the bind-mounts list may be incorrect.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
Due to use of filepath.Clean(), on Windows we end up operating on the
paths in Windows-slashed form, even if the inputs were Unix-slashed.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
```
[5/5] RUN --mount=target=/go/src/github.com/moby/buildkit gometalinter ...
0.435 util/rootless/specconv/specconv_linux.go:1:⚠️ file is not goimported (goimports)
1.320 cache/manager.go:1:⚠️ file is not goimported (goimports)
1.335 cache/manager_test.go:1:⚠️ file is not goimported (goimports)
1.337 cache/migrate_v2.go:1:⚠️ file is not goimported (goimports)
1.342 cache/refs.go:1:⚠️ file is not goimported (goimports)
1.454 cache/remotecache/registry/registry.go:1:⚠️ file is not goimported (goimports)
2.285 cmd/buildctl/build.go:1:⚠️ file is not goimported (goimports)
3.082 executor/oci/user.go:1:⚠️ file is not goimported (goimports)
4.333 session/content/content_test.go:1:⚠️ file is not goimported (goimports)
4.614 snapshot/containerd/content.go:1:⚠️ file is not goimported (goimports)
4.721 solver/errdefs/vertex.go:1:⚠️ file is not goimported (goimports)
6.066 util/network/cniprovider/cni.go:1:⚠️ file is not goimported (goimports)
ERROR: executor failed running [/bin/sh -c gometalinter --config=gometalinter.json ./...]: buildkit-runc did not terminate successfully
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Refactor the interface to avoid such issues in the future.
BuildKit own mounts are stateless and not affected but
a different mountable implementation could get confused.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
There were two bugs: Mount was matched by Type which is actually
`cgroup`, not `sysfs`. And the second problem was that copy of the value
was modified, not value in the slice.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
This patch allows downstream code to pass a DNSConfig that is
then used by executor/oci.GetResolvConf.
This would allow the BuildKit-based builder in Docker to honor
the docker daemon's DNS configuration, thus fixing a feature gap
with the legacy builder.
Signed-off-by: Tibor Vass <tibor@docker.com>
Note that this mode allows build executor containers to kill (and potentially ptrace) an arbitrary process in the BuildKit host namespace.
This mode should be enabled only when the BuildKit is running in a container as an unprivileged user.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
This fixes the issues where buildkit and callers do not have to be a
subpreaper in order to use networking. I can add CNI provider later,
with a hidden sub command to create a new network namespace and bind
mount it to buildkit's state dir.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Otherwise the daemon panics when generating the OCI spec.
For belt and braces check in the ExecOp Run function but also when generating the spec.
Signed-off-by: Ian Campbell <ijc@docker.com>
- [X] put multiples workers in a single binary ("-tags containerd standalone")
- [X] add worker selector to LLB vertex metadata
- [X] s/worker/executor/g
- [X] introduce the new "worker" concept https://github.com/moby/buildkit/pull/176#discussion_r153693928
- [X] fix up CLI
- [X] fix up tests
- allow using multiples workers (requires inter-vertex cache copier, HUGE!) --> will be separate PR
Implementation notes:
- "Workers" are renamed to "executors" now
- The new "worker" instance holds an "executor" instance and its
related stuffs such as the snapshotter
- The default worker is "runc-overlay"
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Brian Goff
Sebastiaan van Stijn
Lu Jingxiao
Paul "TBBle" Hampson
Chanhun Jeong
Tonis Tiigi
Tibor Vass
Andrey Smirnov
Akihiro Suda
Kunal Kushwaha
Akihiro Suda
Michael Crosby
Anda Xu
Ian Campbell