Set's an apparmor profile on the OCI spec if one is configred on the
worker.
Adds selinux labels to containers (only added if selinux is enabled on
the system).
This assumes that the specified apparmor profile is already loaded on
the system and does not try to load it or even check if it is loaded.
SELinux support requires the `selinux` build tag to be added.
Likewise, `runc` would require both the `apparmor` and `selinux` build
tags.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Vendored go-selinux to v1.8.0
Fixed tests
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 68bb095353)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Cache mount instances are shared between multiple vertextes/builds
so if one of the cloned instance gets committed reference count
will get corrupted as other parts of the code still see reference as
mountable.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
The FlagsUsed contains a list of flags that were used, which allows the classic
(non-buildkit) builder in dockerd to produce an error when non-supported options
are used in a Dockerfile.
This is a short-term solution; a more permanent solution will be to keep track
of which version of the Dockerfile syntax is supported, and to have the classic
builder pass the maximum supported version of the syntax.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Used go-systemd code from moby/moby daemon
Only added `buildkitd --addr fd://` for now.
Don't do systemd fds for windows buildkitd
Add buildkit systemd units README/examples
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
The git repo of github.com/containerd/stargz-snapshotter now has two go.mod modules:
- github.com/containerd/stargz-snapshotter
- github.com/containerd/stargz-snapshotter/estargz
So we need to have the following `replace` directive in `go.mod`:
```
github.com/containerd/stargz-snapshotter/estargz => github.com/containerd/stargz-snapshotter/estargz <VERSION>
```
Otherwise `go mod tidy` fails with the following error:
```
go: github.com/containerd/stargz-snapshotter@v0.2.1-0.20201217071531-2b97b583765b requires
github.com/containerd/stargz-snapshotter/estargz@v0.0.0-00010101000000-000000000000: invalid version: unknown revision 000000000000
```
ref: https://github.com/containerd/stargz-snapshotter/pull/195
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
DOCKER_BUILDKIT CLI is slightly different from buildx.
It is hard to maintain DOCKER_BUILDKIT as a buildx alternative.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>