Commit Graph

44 Commits (a6e29dcdd4ad31a48cfcb9093e6748b3f1f36662)

Author SHA1 Message Date
Kunal Kushwaha a2bbb5ff39 security entitlement support
Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
2019-03-27 13:57:03 +09:00
Akihiro Suda c54f4a986d support --oci-worker-no-process-sandbox
Note that this mode allows build executor containers to kill (and potentially ptrace) an arbitrary process in the BuildKit host namespace.
This mode should be enabled only when the BuildKit is running in a container as an unprivileged user.

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-01-08 10:42:52 +09:00
Tonis Tiigi 09742778eb oci: avoid nonewprivileges in default spec
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-12-10 10:58:12 +00:00
Tonis Tiigi 76692bbe5f executor: clean up static config files
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-10-03 13:59:33 -07:00
Tonis Tiigi 9dc04755dd executor: reset file limit in default spec
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-10-02 23:24:43 -07:00
Tonis Tiigi cd451ec063 executor: make sure hostname is resolvable
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-10-02 23:24:37 -07:00
Tonis Tiigi ec0e352aae executor: mount cgroups in default spec
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-10-02 23:22:07 -07:00
Tonis Tiigi f99352fee1 solver: make sure to return proper canceled errors
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-09-26 17:38:16 -07:00
Tonis Tiigi 895950cecf executor: fix submount symlink resolution
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-09-24 17:42:38 -07:00
Tonis Tiigi bb3dc1b918 runc: fix process leak on cancellation
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-09-20 11:06:40 -07:00
Tonis Tiigi 0940cdc6fe update golint comments
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-09-18 22:06:47 -07:00
Tonis Tiigi 4e810968f4 runcexecutor: revert forwardio
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-09-11 22:40:48 -07:00
Michael Crosby 8eed5bfd15 Provide nil stdin to containerd when not required
This allows builds that inspect stdin to not block and hang forever.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2018-09-11 14:22:22 -07:00
Anda Xu b0677e7ef1 allow customized cgroup-parent for runcexecutor
Signed-off-by: Anda Xu <anda.xu@docker.com>
2018-09-05 12:53:57 -07:00
Tibor Vass 2f0c048493 network: move handling of NetMode_UNSET to Default()
This allows other workers to implement their own behavior for NetMode_UNSET

Signed-off-by: Tibor Vass <tibor@docker.com>
2018-08-23 00:06:06 +00:00
Michael Crosby b97bc71adb Refactor networking with ns paths
This fixes the issues where buildkit and callers do not have to be a
subpreaper in order to use networking.  I can add CNI provider later,
with a hidden sub command to create a new network namespace and bind
mount it to buildkit's state dir.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2018-08-21 13:37:47 -04:00
Tonis Tiigi 130f5f5ab0 solver: net host with basic entitlements support
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-08-09 14:03:35 -07:00
Tonis Tiigi f8dd602282 runc: improve canceling
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-08-07 11:51:56 -07:00
Kunal Kushwaha 765f1b64b9 executor: allow network providers
Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-08-07 11:51:56 -07:00
Tonis Tiigi 96f24ca7bb executor: improve hosts cleanup
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-08-03 14:01:54 -07:00
Tonis Tiigi 4945fe758c llbsolver: add support for extra host records
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-08-03 13:56:13 -07:00
Miyachi Katsuya e1895c398c feat: create workdir permission with 755 according to existing docker 2018-07-23 18:21:03 +09:00
Akihiro Suda 72327724c0 rootless: refactor libcontainer_specconv
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-07-04 19:27:54 +09:00
Akihiro Suda f9eeae6f48 rootless: remove MapSubUIDGID flag that is ignored when already in userns
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-07-02 19:11:30 +09:00
Anda Xu 7f64188f17 add missing supplementary group IDs
Signed-off-by: Anda Xu <anda.xu@docker.com>
2018-06-29 18:50:03 -07:00
Akihiro Suda 43af03e59a oci-executor: eval symlink for root
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-06-07 16:05:06 +09:00
Kunal Kushwaha e991a846be Default mounts set for buildkit
containerd/oci_specs mounts /run, which is not
required by buildkit.

Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
2018-06-07 14:43:44 +09:00
Akihiro Suda adef0dedef oci-worker: experimental support for rootless mode
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-05-31 16:05:13 +09:00
Tonis Tiigi 3b874e95f1 executor: runtime check if seccomp is supported
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-05-24 16:34:35 -07:00
Tonis Tiigi 566e28c174 snapshot: update mounts to mountable interface
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-04-27 17:58:24 -07:00
Tonis Tiigi bab967b352 runc: set command name from config
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-04-18 17:01:20 -07:00
Tonis Tiigi 2dba0488c8 runc: make command name configurable
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-04-17 20:39:19 -07:00
Ian Campbell ddae5a6ea4 Make llb.ReadonlyRootFS usable with common container images
e.g. with busybox image:

    OCI runtime create failed: container_linux.go:348:
    starting container process caused "process_linux.go:402:
    container init caused \"rootfs_linux.go:58:
    mounting \\\"proc\\\" to rootfs \\\"/.../rootfs\\\" at \\\"/proc\\\"
    caused \\\"mkdir /.../rootfs/proc: read-only file system\\\"\"": unknown

This is because we were setting the underlying snapshot readonly so the various
mountpoints (here /proc) cannot be created. This would not be necessary if
those mountpoints were present in images but they typically are not.

The right way to get around this (used e.g. by `ctr`) is to use a writeable
snapshot but to set root readonly in the OCI spec. In this configuration the
rootfs is writeable when mounts are processed but is then made readonly by the
runtime (runc) just before entering the user specified binary within the
container.

This involved a surprising amount of plumbing.

Use this new found ability in the dockerfile converter's `dispatchCopy`
function.

Signed-off-by: Ian Campbell <ijc@docker.com>
2018-04-03 11:04:07 +01:00
Tõnis Tiigi 5b499d557b
Merge pull request #321 from jessfraz/seccomp
add containerd package for default seccomp profile
2018-03-23 10:14:09 -07:00
Jess Frazelle 863736d818
add containerd package for default seccomp profile
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
2018-03-22 12:25:55 -04:00
Ian Campbell ac6598d255 Check that mounts always have a target.
Otherwise the daemon panics when generating the OCI spec.

For belt and braces check in the ExecOp Run function but also when generating the spec.

Signed-off-by: Ian Campbell <ijc@docker.com>
2018-03-22 12:05:12 +00:00
Tonis Tiigi 7906fb3085 vendor: update containerd to v1.0.2
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-02-13 16:00:09 -08:00
Tonis Tiigi 6e40e83d35 Remove net/context dependencies
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-01-17 09:11:22 -08:00
Tonis Tiigi b8dc00de71 vendor: update containerd to 1.0.1-rc0
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-01-11 17:49:09 -08:00
Tonis Tiigi e58e6d1175 replace FollowSymlink with fs.RootPath
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2017-12-17 20:54:49 -08:00
Akihiro Suda 571e14e003
Merge pull request #203 from tonistiigi/user
Add support for setting user
2017-12-13 13:06:07 +09:00
Tonis Tiigi 4c1ffbcc45 containerd: fix cancellation issue
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2017-12-12 19:15:29 -08:00
Tonis Tiigi 7a5390f355 worker: add support for custom user
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2017-12-12 10:26:30 -08:00
Akihiro Suda c3aa849014 multi-worker daemon
- [X] put multiples workers in a single binary ("-tags containerd standalone")
- [X] add worker selector to LLB vertex metadata
- [X] s/worker/executor/g
- [X] introduce the new "worker" concept https://github.com/moby/buildkit/pull/176#discussion_r153693928
- [X] fix up CLI
- [X] fix up tests
- allow using multiples workers (requires inter-vertex cache copier, HUGE!) --> will be separate PR

Implementation notes:
- "Workers" are renamed to "executors" now
- The new "worker" instance holds an "executor" instance and its
related stuffs such as the snapshotter
- The default worker is "runc-overlay"

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2017-12-12 15:17:58 +09:00