https://github.com/moby/buildkit/releases/tag/v0.10.5
full diff: https://github.com/moby/buildkit/compare/v0.10.4...v0.10.5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
| ... | ... |
@@ -50,7 +50,7 @@ require ( |
| 50 | 50 |
github.com/klauspost/compress v1.15.9 |
| 51 | 51 |
github.com/miekg/dns v1.1.27 |
| 52 | 52 |
github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible |
| 53 |
- github.com/moby/buildkit v0.10.4 |
|
| 53 |
+ github.com/moby/buildkit v0.10.5 |
|
| 54 | 54 |
github.com/moby/ipvs v1.0.2 |
| 55 | 55 |
github.com/moby/locker v1.0.1 |
| 56 | 56 |
github.com/moby/patternmatcher v0.5.0 |
| ... | ... |
@@ -764,8 +764,8 @@ github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0Qu |
| 764 | 764 |
github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= |
| 765 | 765 |
github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= |
| 766 | 766 |
github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A= |
| 767 |
-github.com/moby/buildkit v0.10.4 h1:FvC+buO8isGpUFZ1abdSLdGHZVqg9sqI4BbFL8tlzP4= |
|
| 768 |
-github.com/moby/buildkit v0.10.4/go.mod h1:Yajz9vt1Zw5q9Pp4pdb3TCSUXJBIroIQGQ3TTs/sLug= |
|
| 767 |
+github.com/moby/buildkit v0.10.5 h1:d9krS/lG3dn6N7y+R8o9PTgIixlYAaDk35f3/B4jZOw= |
|
| 768 |
+github.com/moby/buildkit v0.10.5/go.mod h1:Yajz9vt1Zw5q9Pp4pdb3TCSUXJBIroIQGQ3TTs/sLug= |
|
| 769 | 769 |
github.com/moby/ipvs v1.0.2 h1:NSbzuRTvfneftLU3VwPU5QuA6NZ0IUmqq9+VHcQxqHw= |
| 770 | 770 |
github.com/moby/ipvs v1.0.2/go.mod h1:2pngiyseZbIKXNv7hsKj3O9UEz30c53MT9005gt2hxQ= |
| 771 | 771 |
github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= |
| ... | ... |
@@ -126,7 +126,11 @@ func (gs *gitSource) mountRemote(ctx context.Context, remote string, auth []stri |
| 126 | 126 |
}() |
| 127 | 127 |
|
| 128 | 128 |
if initializeRepo {
|
| 129 |
- if _, err := gitWithinDir(ctx, dir, "", "", "", auth, "init", "--bare"); err != nil {
|
|
| 129 |
+ // Explicitly set the Git config 'init.defaultBranch' to the |
|
| 130 |
+ // implied default to suppress "hint:" output about not having a |
|
| 131 |
+ // default initial branch name set which otherwise spams unit |
|
| 132 |
+ // test logs. |
|
| 133 |
+ if _, err := gitWithinDir(ctx, dir, "", "", "", auth, "-c", "init.defaultBranch=master", "init", "--bare"); err != nil {
|
|
| 130 | 134 |
return "", nil, errors.Wrapf(err, "failed to init repo at %s", dir) |
| 131 | 135 |
} |
| 132 | 136 |
|
| ... | ... |
@@ -493,11 +497,14 @@ func (gs *gitSourceHandler) Snapshot(ctx context.Context, g session.Group) (out |
| 493 | 493 |
if err := os.MkdirAll(checkoutDir, 0711); err != nil {
|
| 494 | 494 |
return nil, err |
| 495 | 495 |
} |
| 496 |
- _, err = gitWithinDir(ctx, checkoutDirGit, "", sock, knownHosts, nil, "init") |
|
| 496 |
+ _, err = gitWithinDir(ctx, checkoutDirGit, "", sock, knownHosts, nil, "-c", "init.defaultBranch=master", "init") |
|
| 497 | 497 |
if err != nil {
|
| 498 | 498 |
return nil, err |
| 499 | 499 |
} |
| 500 |
- _, err = gitWithinDir(ctx, checkoutDirGit, "", sock, knownHosts, nil, "remote", "add", "origin", gitDir) |
|
| 500 |
+ // Defense-in-depth: clone using the file protocol to disable local-clone |
|
| 501 |
+ // optimizations which can be abused on some versions of Git to copy unintended |
|
| 502 |
+ // host files into the build context. |
|
| 503 |
+ _, err = gitWithinDir(ctx, checkoutDirGit, "", sock, knownHosts, nil, "remote", "add", "origin", "file://"+gitDir) |
|
| 501 | 504 |
if err != nil {
|
| 502 | 505 |
return nil, err |
| 503 | 506 |
} |
| ... | ... |
@@ -650,6 +657,7 @@ func git(ctx context.Context, dir, sshAuthSock, knownHosts string, args ...strin |
| 650 | 650 |
flush() |
| 651 | 651 |
} |
| 652 | 652 |
}() |
| 653 |
+ args = append([]string{"-c", "protocol.file.allow=user"}, args...) // Block sneaky repositories from using repos from the filesystem as submodules.
|
|
| 653 | 654 |
cmd := exec.Command("git", args...)
|
| 654 | 655 |
cmd.Dir = dir // some commands like submodule require this |
| 655 | 656 |
buf := bytes.NewBuffer(nil) |
| ... | ... |
@@ -662,6 +670,8 @@ func git(ctx context.Context, dir, sshAuthSock, knownHosts string, args ...strin |
| 662 | 662 |
"GIT_TERMINAL_PROMPT=0", |
| 663 | 663 |
"GIT_SSH_COMMAND=" + getGitSSHCommand(knownHosts), |
| 664 | 664 |
// "GIT_TRACE=1", |
| 665 |
+ "GIT_CONFIG_NOSYSTEM=1", // Disable reading from system gitconfig. |
|
| 666 |
+ "HOME=/dev/null", // Disable reading from user gitconfig. |
|
| 665 | 667 |
} |
| 666 | 668 |
if sshAuthSock != "" {
|
| 667 | 669 |
cmd.Env = append(cmd.Env, "SSH_AUTH_SOCK="+sshAuthSock) |
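Review bot: The trailing comment on the `protocol.file.allow=user` line in git() does not explain why the value is `user` rather than `never`, and the reason sits in a different hunk: Snapshot now adds origin as `"file://"+gitDir`, which only works while the file transport stays allowed for directly requested operations. A later tightening to `never` would break that fetch, so I would move the comment above the statement and spell the coupling out, e.g. `// "user" keeps file:// usable for the fetch from the local mirror in Snapshot but refuses it when Git marks the request as not user-initiated (GIT_PROTOCOL_FROM_USER=0), which is how submodule clones are expected to run.` The `GIT_CONFIG_NOSYSTEM=1` and `HOME=/dev/null` entries only isolate Git from host configuration if `cmd.Env` is built from scratch; the start of that literal and the rest of git() are outside the hunk, so this should be confirmed there. A regression test that builds from a repository whose submodule URL points at a local path would pin the intended refusal.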
| ... | ... |
@@ -4,6 +4,7 @@ import ( |
| 4 | 4 |
"bytes" |
| 5 | 5 |
"context" |
| 6 | 6 |
"io/ioutil" |
| 7 |
+ "strings" |
|
| 7 | 8 |
"sync" |
| 8 | 9 |
"time" |
| 9 | 10 |
|
| ... | ... |
@@ -18,12 +19,14 @@ import ( |
| 18 | 18 |
type Buffer interface {
|
| 19 | 19 |
content.Provider |
| 20 | 20 |
content.Ingester |
| 21 |
+ content.Manager |
|
| 21 | 22 |
} |
| 22 | 23 |
|
| 23 | 24 |
// NewBuffer returns a new buffer |
| 24 | 25 |
func NewBuffer() Buffer {
|
| 25 | 26 |
return &buffer{
|
| 26 | 27 |
buffers: map[digest.Digest][]byte{},
|
| 28 |
+ infos: map[digest.Digest]content.Info{},
|
|
| 27 | 29 |
refs: map[string]struct{}{},
|
| 28 | 30 |
} |
| 29 | 31 |
} |
| ... | ... |
@@ -31,9 +34,59 @@ func NewBuffer() Buffer {
|
| 31 | 31 |
type buffer struct {
|
| 32 | 32 |
mu sync.Mutex |
| 33 | 33 |
buffers map[digest.Digest][]byte |
| 34 |
+ infos map[digest.Digest]content.Info |
|
| 34 | 35 |
refs map[string]struct{}
|
| 35 | 36 |
} |
| 36 | 37 |
|
| 38 |
+func (b *buffer) Info(ctx context.Context, dgst digest.Digest) (content.Info, error) {
|
|
| 39 |
+ b.mu.Lock() |
|
| 40 |
+ v, ok := b.infos[dgst] |
|
| 41 |
+ b.mu.Unlock() |
|
| 42 |
+ if !ok {
|
|
| 43 |
+ return content.Info{}, errdefs.ErrNotFound
|
|
| 44 |
+ } |
|
| 45 |
+ return v, nil |
|
| 46 |
+} |
|
| 47 |
+ |
|
| 48 |
+func (b *buffer) Update(ctx context.Context, new content.Info, fieldpaths ...string) (content.Info, error) {
|
|
| 49 |
+ b.mu.Lock() |
|
| 50 |
+ defer b.mu.Unlock() |
|
| 51 |
+ |
|
| 52 |
+ updated, ok := b.infos[new.Digest] |
|
| 53 |
+ if !ok {
|
|
| 54 |
+ return content.Info{}, errdefs.ErrNotFound
|
|
| 55 |
+ } |
|
| 56 |
+ |
|
| 57 |
+ if len(fieldpaths) == 0 {
|
|
| 58 |
+ fieldpaths = []string{"labels"}
|
|
| 59 |
+ } |
|
| 60 |
+ |
|
| 61 |
+ for _, path := range fieldpaths {
|
|
| 62 |
+ if strings.HasPrefix(path, "labels.") {
|
|
| 63 |
+ if updated.Labels == nil {
|
|
| 64 |
+ updated.Labels = map[string]string{}
|
|
| 65 |
+ } |
|
| 66 |
+ key := strings.TrimPrefix(path, "labels.") |
|
| 67 |
+ updated.Labels[key] = new.Labels[key] |
|
| 68 |
+ continue |
|
| 69 |
+ } |
|
| 70 |
+ if path == "labels" {
|
|
| 71 |
+ updated.Labels = new.Labels |
|
| 72 |
+ } |
|
| 73 |
+ } |
|
| 74 |
+ |
|
| 75 |
+ b.infos[new.Digest] = updated |
|
| 76 |
+ return updated, nil |
|
| 77 |
+} |
|
| 78 |
+ |
|
| 79 |
+func (b *buffer) Walk(ctx context.Context, fn content.WalkFunc, filters ...string) error {
|
|
| 80 |
+ return nil // not implemented |
|
| 81 |
+} |
|
| 82 |
+ |
|
| 83 |
+func (b *buffer) Delete(ctx context.Context, dgst digest.Digest) error {
|
|
| 84 |
+ return nil // not implemented |
|
| 85 |
+} |
|
| 86 |
+ |
|
| 37 | 87 |
func (b *buffer) Writer(ctx context.Context, opts ...content.WriterOpt) (content.Writer, error) {
|
| 38 | 88 |
var wOpts content.WriterOpts |
| 39 | 89 |
for _, opt := range opts {
|
| ... | ... |
@@ -82,6 +135,7 @@ func (b *buffer) addValue(k digest.Digest, dt []byte) {
|
| 82 | 82 |
b.mu.Lock() |
| 83 | 83 |
defer b.mu.Unlock() |
| 84 | 84 |
b.buffers[k] = dt |
| 85 |
+ b.infos[k] = content.Info{Digest: k, Size: int64(len(dt))}
|
|
| 85 | 86 |
} |
| 86 | 87 |
|
| 87 | 88 |
type bufferedWriter struct {
|
| 88 | 89 |
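Review bot: `Walk` and `Delete` on `buffer` return `nil` with only a `// not implemented` comment, so now that `Buffer` embeds `content.Manager` a caller is told that a delete succeeded or that the store is empty when nothing was done. For `Delete` the honest options are to implement it under `b.mu` (`delete(b.buffers, dgst); delete(b.infos, dgst)`) or to return an error; for `Walk`, returning an error such as `errdefs.ErrNotImplemented` would make the gap visible, assuming `errdefs` here is the containerd package, which the page does not show. Separately, `Info` hands out the stored `content.Info` whose `Labels` map is the same map that `Update` later writes through `updated.Labels[key] = ...`, so a reader holding an earlier result may race with an update; copying the map before writing would avoid that. The new methods also have no doc comments, and a line on `Update` stating that only `labels` and `labels.<key>` field paths are honoured and that others are silently ignored would help.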
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,34 @@ |
| 0 |
+package contentutil |
|
| 1 |
+ |
|
| 2 |
+import ( |
|
| 3 |
+ "net/url" |
|
| 4 |
+ "strings" |
|
| 5 |
+ |
|
| 6 |
+ "github.com/containerd/containerd/content" |
|
| 7 |
+ "github.com/containerd/containerd/reference" |
|
| 8 |
+) |
|
| 9 |
+ |
|
| 10 |
+func HasSource(info content.Info, refspec reference.Spec) (bool, error) {
|
|
| 11 |
+ u, err := url.Parse("dummy://" + refspec.Locator)
|
|
| 12 |
+ if err != nil {
|
|
| 13 |
+ return false, err |
|
| 14 |
+ } |
|
| 15 |
+ |
|
| 16 |
+ if info.Labels == nil {
|
|
| 17 |
+ return false, nil |
|
| 18 |
+ } |
|
| 19 |
+ |
|
| 20 |
+ source, target := u.Hostname(), strings.TrimPrefix(u.Path, "/") |
|
| 21 |
+ repoLabel, ok := info.Labels["containerd.io/distribution.source."+source] |
|
| 22 |
+ if !ok || repoLabel == "" {
|
|
| 23 |
+ return false, nil |
|
| 24 |
+ } |
|
| 25 |
+ |
|
| 26 |
+ for _, repo := range strings.Split(repoLabel, ",") {
|
|
| 27 |
+ // the target repo is not a candidate |
|
| 28 |
+ if repo == target {
|
|
| 29 |
+ return true, nil |
|
| 30 |
+ } |
|
| 31 |
+ } |
|
| 32 |
+ return false, nil |
|
| 33 |
+} |
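Review bot: `HasSource` takes the source from `u.Hostname()`, which drops any port in `refspec.Locator`, so two registries on the same host but different ports are treated as the same source when deciding whether cached content may be reused. If the label is written with the same host-only key by the `docker.AppendDistributionSourceLabel` handler used elsewhere in this commit (not visible here), changing only this side would break matching, so the limitation should at least be documented. The exported function has no doc comment; I would add `// HasSource reports whether info carries a containerd.io/distribution.source.<host> label that lists the repository of refspec. The host is compared without its port.` The comment inside the loop, `// the target repo is not a candidate`, says the opposite of what the branch does and should read something like `// the content was recorded as coming from this repository`.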
| ... | ... |
@@ -13,6 +13,7 @@ import ( |
| 13 | 13 |
"github.com/containerd/containerd/reference" |
| 14 | 14 |
"github.com/containerd/containerd/remotes" |
| 15 | 15 |
"github.com/containerd/containerd/remotes/docker" |
| 16 |
+ "github.com/moby/buildkit/util/contentutil" |
|
| 16 | 17 |
"github.com/moby/buildkit/util/leaseutil" |
| 17 | 18 |
"github.com/moby/buildkit/util/resolver/limited" |
| 18 | 19 |
"github.com/moby/buildkit/util/resolver/retryhandler" |
| ... | ... |
@@ -24,6 +25,7 @@ import ( |
| 24 | 24 |
type ContentCache interface {
|
| 25 | 25 |
content.Ingester |
| 26 | 26 |
content.Provider |
| 27 |
+ content.Manager |
|
| 27 | 28 |
} |
| 28 | 29 |
|
| 29 | 30 |
var leasesMu sync.Mutex |
| ... | ... |
@@ -75,10 +77,15 @@ func Config(ctx context.Context, str string, resolver remotes.Resolver, cache Co |
| 75 | 75 |
if desc.Digest != "" {
|
| 76 | 76 |
ra, err := cache.ReaderAt(ctx, desc) |
| 77 | 77 |
if err == nil {
|
| 78 |
- desc.Size = ra.Size() |
|
| 79 |
- mt, err := DetectManifestMediaType(ra) |
|
| 78 |
+ info, err := cache.Info(ctx, desc.Digest) |
|
| 80 | 79 |
if err == nil {
|
| 81 |
- desc.MediaType = mt |
|
| 80 |
+ if ok, err := contentutil.HasSource(info, ref); err == nil && ok {
|
|
| 81 |
+ desc.Size = ra.Size() |
|
| 82 |
+ mt, err := DetectManifestMediaType(ra) |
|
| 83 |
+ if err == nil {
|
|
| 84 |
+ desc.MediaType = mt |
|
| 85 |
+ } |
|
| 86 |
+ } |
|
| 82 | 87 |
} |
| 83 | 88 |
} |
| 84 | 89 |
} |
| ... | ... |
@@ -101,8 +108,14 @@ func Config(ctx context.Context, str string, resolver remotes.Resolver, cache Co |
| 101 | 101 |
|
| 102 | 102 |
children := childrenConfigHandler(cache, platform) |
| 103 | 103 |
|
| 104 |
+ dslHandler, err := docker.AppendDistributionSourceLabel(cache, ref.String()) |
|
| 105 |
+ if err != nil {
|
|
| 106 |
+ return "", nil, err |
|
| 107 |
+ } |
|
| 108 |
+ |
|
| 104 | 109 |
handlers := []images.Handler{
|
| 105 | 110 |
retryhandler.New(limited.FetchHandler(cache, fetcher, str), func(_ []byte) {}),
|
| 111 |
+ dslHandler, |
|
| 106 | 112 |
children, |
| 107 | 113 |
} |
| 108 | 114 |
if err := images.Dispatch(ctx, images.Handlers(handlers...), nil, desc); err != nil {
|
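Review bot: The cached-descriptor shortcut in Config now discards errors from both `cache.Info` and `contentutil.HasSource` across three nested, shadowed `err` variables, and nothing states that falling through to the resolver is the intended safe default when the source label is missing or unreadable. A comment above the `cache.Info` call would keep a later cleanup from turning this into fail-open, e.g. `// Only reuse the cached size and media type when the blob is labelled as coming from this repository; on any error fall back to resolving remotely.` The reader `ra` is still opened before the source check and is not closed in the visible lines, so doing the `Info`/`HasSource` check first and opening the reader only on a match would avoid touching content that is about to be ignored; whether `DetectManifestMediaType` closes it cannot be told from this page. In the second hunk, a short comment on why `dslHandler` sits between the fetch handler and `children` would help, since handler order appears to matter.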
| ... | ... |
@@ -475,7 +475,7 @@ github.com/mistifyio/go-zfs |
| 475 | 475 |
# github.com/mitchellh/hashstructure/v2 v2.0.2 |
| 476 | 476 |
## explicit; go 1.14 |
| 477 | 477 |
github.com/mitchellh/hashstructure/v2 |
| 478 |
-# github.com/moby/buildkit v0.10.4 |
|
| 478 |
+# github.com/moby/buildkit v0.10.5 |
|
| 479 | 479 |
## explicit; go 1.17 |
| 480 | 480 |
github.com/moby/buildkit/api/services/control |
| 481 | 481 |
github.com/moby/buildkit/api/types |