Set's an apparmor profile on the OCI spec if one is configred on the
worker.
Adds selinux labels to containers (only added if selinux is enabled on
the system).
This assumes that the specified apparmor profile is already loaded on
the system and does not try to load it or even check if it is loaded.
SELinux support requires the `selinux` build tag to be added.
Likewise, `runc` would require both the `apparmor` and `selinux` build
tags.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Vendored go-selinux to v1.8.0
Fixed tests
Signed-off-by: Tibor Vass <tibor@docker.com>
This reverts commit 9290c15ffc.
This was pinned during the upgrade to containerd 1.3 series, which
changed the default runtime on Linux to io.containerd.runc.v2.
No specific rationale was listed for this pinning, and clearly it's the
wrong thing to do in the presence of Windows, which does not have this
runtime.
Instead, we rely on the containerd-internal defaults, which distinguish
the runtimes for Linux and Windows.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
update run/exec tests for stdin and expected failures
move common tests for runc and container to shared tests package
Signed-off-by: Cory Bennett <cbennett@netflix.com>
This makes this code successfully discover the Windows Runtime V2
(hcsshim-based) plugin now that the Windows Runtime V1 (runhcs-based)
plugin has been removed upstream.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
Wrapping a `nil` error produces `nil`, which causes the calling code to
see success, and continue on with a default-created WorkerOpt, which
causes segfaults later.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
This patch allows downstream code to pass a DNSConfig that is
then used by executor/oci.GetResolvConf.
This would allow the BuildKit-based builder in Docker to honor
the docker daemon's DNS configuration, thus fixing a feature gap
with the legacy builder.
Signed-off-by: Tibor Vass <tibor@docker.com>
It is enhancement which allows to unpack image into containerd
snapshotter storage by `--output type=image,<.>=<.>,unpack=true`.
In order to support this feature, we needs to extend the Snapshotter
witwh `Name() string` function. Because we needs to set gc label for
snapshotter which need snapshotter name.
fix: #908
Signed-off-by: Wei Fu <fuweid89@gmail.com>
Allow user to customize containerd namespace, not just `buildkit`. It
can help user to integration with existing data easily.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
This fixes the issues where buildkit and callers do not have to be a
subpreaper in order to use networking. I can add CNI provider later,
with a hidden sub command to create a new network namespace and bind
mount it to buildkit's state dir.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
- [X] put multiples workers in a single binary ("-tags containerd standalone")
- [X] add worker selector to LLB vertex metadata
- [X] s/worker/executor/g
- [X] introduce the new "worker" concept https://github.com/moby/buildkit/pull/176#discussion_r153693928
- [X] fix up CLI
- [X] fix up tests
- allow using multiples workers (requires inter-vertex cache copier, HUGE!) --> will be separate PR
Implementation notes:
- "Workers" are renamed to "executors" now
- The new "worker" instance holds an "executor" instance and its
related stuffs such as the snapshotter
- The default worker is "runc-overlay"
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>