Sets an apparmor profile on the OCI spec if one is configured on the
worker.
Adds selinux labels to containers (only added if selinux is enabled on
the system).
This assumes that the specified apparmor profile is already loaded on
the system and does not try to load it or even check if it is loaded.
SELinux support requires the `selinux` build tag to be added.
Likewise, `runc` would require both the `apparmor` and `selinux` build
tags.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Vendored go-selinux to v1.8.0
Fixed tests
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 68bb095353)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Copy this const to a local constant to prevent importing the containerd
client in the front-end.
For consistency, I also updated the executor code to use the same const,
although not strictly needed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

update run/exec tests for stdin and expected failures
move common tests for runc and container to shared tests package
Signed-off-by: Cory Bennett <cbennett@netflix.com>

Refactor the interface to avoid such issues in the future.
BuildKit own mounts are stateless and not affected but
a different mountable implementation could get confused.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

This patch allows downstream code to pass a DNSConfig that is
then used by executor/oci.GetResolvConf.
This would allow the BuildKit-based builder in Docker to honor
the docker daemon's DNS configuration, thus fixing a feature gap
with the legacy builder.
Signed-off-by: Tibor Vass <tibor@docker.com>

This flag allows DOCKER_BUILDKIT to be running on minikube host: https://github.com/kubernetes/minikube/issues/4143
moby/builder/build-next needs to be updated to set NoPivot when
$DOCKER_RAMDISK is set.
This flag is deprecated from its birth and not exposed to the standalone buildkitd OCI worker.
See https://github.com/kubernetes/minikube/issues/3512
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Note that this mode allows build executor containers to kill (and potentially ptrace) an arbitrary process in the BuildKit host namespace.
This mode should be enabled only when the BuildKit is running in a container as an unprivileged user.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>

This fixes the issues where buildkit and callers do not have to be a
subpreaper in order to use networking. I can add CNI provider later,
with a hidden sub command to create a new network namespace and bind
mount it to buildkit's state dir.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>