The BurntSushi/toml project has been deprecated, and the ecosystem
is converging on using pelletier/go-toml as the "canonical" replacement.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This allows using the resolver package without having to import
the buildkit daemon configuration.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Set's an apparmor profile on the OCI spec if one is configred on the
worker.
Adds selinux labels to containers (only added if selinux is enabled on
the system).
This assumes that the specified apparmor profile is already loaded on
the system and does not try to load it or even check if it is loaded.
SELinux support requires the `selinux` build tag to be added.
Likewise, `runc` would require both the `apparmor` and `selinux` build
tags.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Vendored go-selinux to v1.8.0
Fixed tests
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 68bb095353)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
`cmd/buildkitd/config` pkg is imported and used by other packages including
moby/moby.
Though stargz snapshotter configuration is currently effective only with
buildkitd + OCI worker, `cmd/buildkitd/config` consumer needs to introduce an
indirect dependency to stargz snapshotter's config pkg
(`github.com/containerd/stargz-snapshotter/stargz/config`), which is too much.
This commit solves this by delaying decoding the stargz config until OCI
worker's initialization phase.
Signed-off-by: ktock <ktokunaga.mail@gmail.com>
To support switching the OCI worker binary via buildkitd and without modifying the Dockerfile, an optional command-line flag was added to main_oci_worker.go that allowed for input the name of an OCI worker binary (ex. crun). This OCI worker binary would then replace the current buildkit-runc with a symbolic link to that binary. The above was done using the os/exec package's Command func.
Signed-off-by: Jeffrey Huang <jeffreyhuang23@gmail.com>
This patch allows downstream code to pass a DNSConfig that is
then used by executor/oci.GetResolvConf.
This would allow the BuildKit-based builder in Docker to honor
the docker daemon's DNS configuration, thus fixing a feature gap
with the legacy builder.
Signed-off-by: Tibor Vass <tibor@docker.com>
Note that this mode allows build executor containers to kill (and potentially ptrace) an arbitrary process in the BuildKit host namespace.
This mode should be enabled only when the BuildKit is running in a container as an unprivileged user.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Allow user to customize containerd namespace, not just `buildkit`. It
can help user to integration with existing data easily.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
CrazyMax
Sebastiaan van Stijn
Tonis Tiigi
Vlad A. Ionescu
Brian Goff
ktock
Nikhil Pandeti
Jeffrey Huang
Tibor Vass
Kunal Kushwaha
Akihiro Suda
Akihiro Suda
Wei Fu