This replaces the local SeccompSupported() utility for the implementation
in containerd, which performs the same check.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This will allow clients to retrieve exit error codes returned during a
solve without parsing the error messages.
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
full diff: https://github.com/docker/docker/compare/v20.10.7..0ad2293d0e5b
This applies the same / similar local changes to buildkit as were made in
the branch that moby is currently vendoring:
https://github.com/moby/buildkit/compare/244e8cde...cpuguy83:update_libnetwork_import
Unfortunately, this (again) requires a "replace" rule (probably until we tag
a release with this change). Go mod refuses to pick a version from master, and
(without the replace rule) does weird things, reverting docker to a very old version,
predating the sirupsen rename:
```
> [vendored 4/4] RUN --mount=target=/src,rw --mount=target=/go/pkg/mod,type=cache go mod tidy && go mod vendor && mkdir /out && cp -r go.mod go.sum vendor /out:
#10 0.500 go: finding github.com/docker/docker 8dbd90ec00daa26dc45d7da2431c965dec99e8b4
#10 0.599 warning: ignoring symlink /src/examples/kube-consistent-hash
#10 1.027 go: github.com/moby/buildkit/util/testutil/integration imports
#10 1.027 github.com/docker/docker/testutil/daemon imports
#10 1.027 github.com/docker/docker/opts imports
#10 1.027 github.com/docker/libnetwork/ipamutils imports
#10 1.027 github.com/docker/libnetwork/osl imports
#10 1.027 github.com/Sirupsen/logrus: github.com/Sirupsen/logrus@v1.8.1: parsing go.mod:
#10 1.027 module declares its path as: github.com/sirupsen/logrus
#10 1.027 but was required as: github.com/Sirupsen/logrus
------
error: failed to solve: rpc error: code = Unknown desc = executor failed running [/bin/sh -c go mod tidy && go mod vendor && mkdir /out && cp -r go.mod go.sum vendor /out]: exit code: 1
make: *** [vendor] Error 1
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sets an apparmor profile on the OCI spec if one is configured on the
worker.
Adds selinux labels to containers (only added if selinux is enabled on
the system).
This assumes that the specified apparmor profile is already loaded on
the system and does not try to load it or even check if it is loaded.
SELinux support requires the `selinux` build tag to be added.
Likewise, `runc` would require both the `apparmor` and `selinux` build
tags.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Vendored go-selinux to v1.8.0
Fixed tests
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 68bb095353)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
While we try to keep the containerd and docker seccomp profiles in sync,
they may not always be; this switches the executor to use the docker
seccomp profile, so that buildkit (when vendored in docker) will use
the same default seccomp profile as is used for containers.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Copy this const to a local constant to prevent importing the containerd
client in the front-end.
For consistency, I also updated the executor code to use the same const,
although not strictly needed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This has the nice side-effect of unifying the mount and
non-mount changes made due to processMode and securityMode.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
There are only a couple of things that are host-platform limited, i.e.,
security and process modes.
Everything else is specific to a target-platform. We can tell if we're
targeting a Linux platform, either on Linux or LCOW, by the presence of
the Linux key in the generated spec.
This doesn't introduce support for LCOW, as we'd need to plumb that down
from the caller. It will probably also need massaging to work with LCOW,
as some of the setup code here is probably incorrect for LCOW, e.g.,
the bind-mounts list may be incorrect.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
Due to use of filepath.Clean(), on Windows we end up operating on the
paths in Windows-slashed form, even if the inputs were Unix-slashed.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
update run/exec tests for stdin and expected failures
move common tests for runc and container to shared tests package
Signed-off-by: Cory Bennett <cbennett@netflix.com>
```
[5/5] RUN --mount=target=/go/src/github.com/moby/buildkit gometalinter ...
0.435 util/rootless/specconv/specconv_linux.go:1:⚠️ file is not goimported (goimports)
1.320 cache/manager.go:1:⚠️ file is not goimported (goimports)
1.335 cache/manager_test.go:1:⚠️ file is not goimported (goimports)
1.337 cache/migrate_v2.go:1:⚠️ file is not goimported (goimports)
1.342 cache/refs.go:1:⚠️ file is not goimported (goimports)
1.454 cache/remotecache/registry/registry.go:1:⚠️ file is not goimported (goimports)
2.285 cmd/buildctl/build.go:1:⚠️ file is not goimported (goimports)
3.082 executor/oci/user.go:1:⚠️ file is not goimported (goimports)
4.333 session/content/content_test.go:1:⚠️ file is not goimported (goimports)
4.614 snapshot/containerd/content.go:1:⚠️ file is not goimported (goimports)
4.721 solver/errdefs/vertex.go:1:⚠️ file is not goimported (goimports)
6.066 util/network/cniprovider/cni.go:1:⚠️ file is not goimported (goimports)
ERROR: executor failed running [/bin/sh -c gometalinter --config=gometalinter.json ./...]: buildkit-runc did not terminate successfully
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>