Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 4afe620fac1abf75f11a44dfa234a56907753568)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
| ... | ... |
@@ -33,7 +33,7 @@ github.com/imdario/mergo 1afb36080aec31e0d1528973ebe6 |
| 33 | 33 |
golang.org/x/sync cd5d95a43a6e21273425c7ae415d3df9ea832eeb |
| 34 | 34 |
|
| 35 | 35 |
# buildkit |
| 36 |
-github.com/moby/buildkit 8142d66b5ebde79846b869fba30d9d30633e74aa # v0.8.1 |
|
| 36 |
+github.com/moby/buildkit 68bb095353c65bc3993fd534c26cf77fe05e61b1 # v0.8 branch |
|
| 37 | 37 |
github.com/tonistiigi/fsutil 0834f99b7b85462efb69b4f571a4fa3ca7da5ac9 |
| 38 | 38 |
github.com/tonistiigi/units 6950e57a87eaf136bbe44ef2ec8e75b9e3569de2 |
| 39 | 39 |
github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746 |
| ... | ... |
@@ -87,6 +87,10 @@ type OCIConfig struct {
|
| 87 | 87 |
// Decoding this is delayed in order to remove the dependency from this |
| 88 | 88 |
// config pkg to stargz snapshotter's config pkg. |
| 89 | 89 |
StargzSnapshotterConfig toml.Primitive `toml:"stargzSnapshotter"` |
| 90 |
+ |
|
| 91 |
+ // ApparmorProfile is the name of the apparmor profile that should be used to constrain build containers. |
|
| 92 |
+ // The profile should already be loaded (by a higher level system) before creating a worker. |
|
| 93 |
+ ApparmorProfile string `toml:"apparmor-profile"` |
|
| 90 | 94 |
} |
| 91 | 95 |
|
| 92 | 96 |
type ContainerdConfig struct {
|
| ... | ... |
@@ -98,6 +102,10 @@ type ContainerdConfig struct {
|
| 98 | 98 |
GCConfig |
| 99 | 99 |
NetworkConfig |
| 100 | 100 |
Snapshotter string `toml:"snapshotter"` |
| 101 |
+ |
|
| 102 |
+ // ApparmorProfile is the name of the apparmor profile that should be used to constrain build containers. |
|
| 103 |
+ // The profile should already be loaded (by a higher level system) before creating a worker. |
|
| 104 |
+ ApparmorProfile string `toml:"apparmor-profile"` |
|
| 101 | 105 |
} |
| 102 | 106 |
|
| 103 | 107 |
type GCPolicy struct {
|
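Review bot: The comment on the new ApparmorProfile field (here and on OCIConfig above) does not say that the profile is applied only in sandbox mode — the unix generateSecurityOpts in this same commit emits `oci.WithApparmorProfile` only in the `pb.SecurityMode_SANDBOX` case, so a build that requests `security.insecure` runs without it, and the Windows variant accepts the value and does nothing with it. The name is also passed straight through without any check that such a profile is loaded, so a typo is presumably only noticed when the first build container is started (confirm against runc's behaviour). I'd extend the comment: `// Applied only to sandbox-mode (non security.insecure) build containers; the name is not validated here against the host's loaded profiles.` This appears to be vendored buildkit code, so the wording change belongs upstream rather than in this vendor bump.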
| ... | ... |
@@ -16,6 +16,7 @@ import ( |
| 16 | 16 |
"github.com/moby/buildkit/snapshot" |
| 17 | 17 |
"github.com/moby/buildkit/util/network" |
| 18 | 18 |
specs "github.com/opencontainers/runtime-spec/specs-go" |
| 19 |
+ "github.com/opencontainers/selinux/go-selinux" |
|
| 19 | 20 |
"github.com/pkg/errors" |
| 20 | 21 |
) |
| 21 | 22 |
|
| ... | ... |
@@ -35,7 +36,7 @@ const ( |
| 35 | 35 |
|
| 36 | 36 |
// GenerateSpec generates spec using containerd functionality. |
| 37 | 37 |
// opts are ignored for s.Process, s.Hostname, and s.Mounts . |
| 38 |
-func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mount, id, resolvConf, hostsFile string, namespace network.Namespace, processMode ProcessMode, idmap *idtools.IdentityMapping, opts ...oci.SpecOpts) (*specs.Spec, func(), error) {
|
|
| 38 |
+func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mount, id, resolvConf, hostsFile string, namespace network.Namespace, processMode ProcessMode, idmap *idtools.IdentityMapping, apparmorProfile string, opts ...oci.SpecOpts) (*specs.Spec, func(), error) {
|
|
| 39 | 39 |
c := &containers.Container{
|
| 40 | 40 |
ID: id, |
| 41 | 41 |
} |
| ... | ... |
@@ -52,7 +53,7 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou |
| 52 | 52 |
return nil, nil, err |
| 53 | 53 |
} |
| 54 | 54 |
|
| 55 |
- if securityOpts, err := generateSecurityOpts(meta.SecurityMode); err == nil {
|
|
| 55 |
+ if securityOpts, err := generateSecurityOpts(meta.SecurityMode, apparmorProfile); err == nil {
|
|
| 56 | 56 |
opts = append(opts, securityOpts...) |
| 57 | 57 |
} else {
|
| 58 | 58 |
return nil, nil, err |
| ... | ... |
@@ -103,6 +104,9 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou |
| 103 | 103 |
for _, f := range releasers {
|
| 104 | 104 |
f() |
| 105 | 105 |
} |
| 106 |
+ if s.Process.SelinuxLabel != "" {
|
|
| 107 |
+ selinux.ReleaseLabel(s.Process.SelinuxLabel) |
|
| 108 |
+ } |
|
| 106 | 109 |
} |
| 107 | 110 |
|
| 108 | 111 |
for _, m := range mounts {
|
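Review bot: The label allocated by `label.InitLabels` in generateSecurityOpts is released only from this cleanup closure, so if any SpecOpt applied after the label is allocated fails, GenerateSpec presumably returns before this closure is ever called and the MCS label pair is never released. I cannot see the error path between the `generateSecurityOpts` call and this hunk, so treat that as inferred rather than confirmed. If it holds, the release belongs on that path too, e.g. a small helper `release := func() { if s.Process.SelinuxLabel != "" { selinux.ReleaseLabel(s.Process.SelinuxLabel) } }` defined right after the spec is generated and called from each early return as well as from here. GenerateSpec starts and ends outside this hunk, and this looks like vendored buildkit code, so the fix belongs upstream.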
| ... | ... |
@@ -13,6 +13,7 @@ import ( |
| 13 | 13 |
"github.com/moby/buildkit/util/entitlements/security" |
| 14 | 14 |
"github.com/moby/buildkit/util/system" |
| 15 | 15 |
specs "github.com/opencontainers/runtime-spec/specs-go" |
| 16 |
+ "github.com/opencontainers/selinux/go-selinux/label" |
|
| 16 | 17 |
) |
| 17 | 18 |
|
| 18 | 19 |
func generateMountOpts(resolvConf, hostsFile string) ([]oci.SpecOpts, error) {
|
| ... | ... |
@@ -26,15 +27,32 @@ func generateMountOpts(resolvConf, hostsFile string) ([]oci.SpecOpts, error) {
|
| 26 | 26 |
} |
| 27 | 27 |
|
| 28 | 28 |
// generateSecurityOpts may affect mounts, so must be called after generateMountOpts |
| 29 |
-func generateSecurityOpts(mode pb.SecurityMode) ([]oci.SpecOpts, error) {
|
|
| 30 |
- if mode == pb.SecurityMode_INSECURE {
|
|
| 29 |
+func generateSecurityOpts(mode pb.SecurityMode, apparmorProfile string) (opts []oci.SpecOpts, _ error) {
|
|
| 30 |
+ switch mode {
|
|
| 31 |
+ case pb.SecurityMode_INSECURE: |
|
| 31 | 32 |
return []oci.SpecOpts{
|
| 32 | 33 |
security.WithInsecureSpec(), |
| 33 | 34 |
oci.WithWriteableCgroupfs, |
| 34 | 35 |
oci.WithWriteableSysfs, |
| 36 |
+ func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
|
|
| 37 |
+ var err error |
|
| 38 |
+ s.Process.SelinuxLabel, s.Linux.MountLabel, err = label.InitLabels([]string{"disable"})
|
|
| 39 |
+ return err |
|
| 40 |
+ }, |
|
| 35 | 41 |
}, nil |
| 36 |
- } else if system.SeccompSupported() && mode == pb.SecurityMode_SANDBOX {
|
|
| 37 |
- return []oci.SpecOpts{withDefaultProfile()}, nil
|
|
| 42 |
+ case pb.SecurityMode_SANDBOX: |
|
| 43 |
+ if system.SeccompSupported() {
|
|
| 44 |
+ opts = append(opts, withDefaultProfile()) |
|
| 45 |
+ } |
|
| 46 |
+ if apparmorProfile != "" {
|
|
| 47 |
+ opts = append(opts, oci.WithApparmorProfile(apparmorProfile)) |
|
| 48 |
+ } |
|
| 49 |
+ opts = append(opts, func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
|
|
| 50 |
+ var err error |
|
| 51 |
+ s.Process.SelinuxLabel, s.Linux.MountLabel, err = label.InitLabels(nil) |
|
| 52 |
+ return err |
|
| 53 |
+ }) |
|
| 54 |
+ return opts, nil |
|
| 38 | 55 |
} |
| 39 | 56 |
return nil, nil |
| 40 | 57 |
} |
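Review bot: In the SANDBOX case the apparmor profile name is handed to `oci.WithApparmorProfile` without any host-side check, and when `apparmorProfile` is empty no AppArmor profile is set on the spec at all, so a worker that is not given a profile runs build containers with only seccomp and SELinux labelling from this function — neither fact is stated. A reader hardening a builder needs that spelled out, e.g. above the `case pb.SecurityMode_SANDBOX:` line: `// No AppArmor profile is set unless one is configured; the name is not checked against the host's loaded profiles here.` The INSECURE case likewise deserves a one-liner making the choice explicit, since it drops the profile and disables SELinux labelling via `label.InitLabels([]string{"disable"})`: `// security.insecure: no AppArmor profile, SELinux labelling disabled.` This looks like vendored buildkit code, so the comments belong upstream.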
| ... | ... |
@@ -14,7 +14,7 @@ func generateMountOpts(resolvConf, hostsFile string) ([]oci.SpecOpts, error) {
|
| 14 | 14 |
} |
| 15 | 15 |
|
| 16 | 16 |
// generateSecurityOpts may affect mounts, so must be called after generateMountOpts |
| 17 |
-func generateSecurityOpts(mode pb.SecurityMode) ([]oci.SpecOpts, error) {
|
|
| 17 |
+func generateSecurityOpts(mode pb.SecurityMode, apparmorProfile string) ([]oci.SpecOpts, error) {
|
|
| 18 | 18 |
if mode == pb.SecurityMode_INSECURE {
|
| 19 | 19 |
return nil, errors.New("no support for running in insecure mode on Windows")
|
| 20 | 20 |
} |
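Review bot: The new `apparmorProfile` parameter is accepted and then ignored on Windows, so a worker configured with `apparmor-profile` on a Windows host runs builds without the confinement the operator asked for and without any warning. Since this function already fails closed for an unsupported mode two lines above, the same treatment seems right: `if apparmorProfile != "" { return nil, errors.New("no support for apparmor profiles on Windows") }` — unless configs are expected to be shared across platforms, in which case a comment should at least say the value is ignored here. generateSecurityOpts continues past the end of this hunk. This appears to be vendored buildkit code, so the change belongs upstream.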
| ... | ... |
@@ -42,9 +42,10 @@ type Opt struct {
|
| 42 | 42 |
ProcessMode oci.ProcessMode |
| 43 | 43 |
IdentityMapping *idtools.IdentityMapping |
| 44 | 44 |
// runc run --no-pivot (unrecommended) |
| 45 |
- NoPivot bool |
|
| 46 |
- DNS *oci.DNSConfig |
|
| 47 |
- OOMScoreAdj *int |
|
| 45 |
+ NoPivot bool |
|
| 46 |
+ DNS *oci.DNSConfig |
|
| 47 |
+ OOMScoreAdj *int |
|
| 48 |
+ ApparmorProfile string |
|
| 48 | 49 |
} |
| 49 | 50 |
|
| 50 | 51 |
var defaultCommandCandidates = []string{"buildkit-runc", "runc"}
|
| ... | ... |
@@ -62,6 +63,7 @@ type runcExecutor struct {
|
| 62 | 62 |
oomScoreAdj *int |
| 63 | 63 |
running map[string]chan error |
| 64 | 64 |
mu sync.Mutex |
| 65 |
+ apparmorProfile string |
|
| 65 | 66 |
} |
| 66 | 67 |
|
| 67 | 68 |
func New(opt Opt, networkProviders map[pb.NetMode]network.Provider) (executor.Executor, error) {
|
| ... | ... |
@@ -124,6 +126,7 @@ func New(opt Opt, networkProviders map[pb.NetMode]network.Provider) (executor.Ex |
| 124 | 124 |
dns: opt.DNS, |
| 125 | 125 |
oomScoreAdj: opt.OOMScoreAdj, |
| 126 | 126 |
running: make(map[string]chan error), |
| 127 |
+ apparmorProfile: opt.ApparmorProfile, |
|
| 127 | 128 |
} |
| 128 | 129 |
return w, nil |
| 129 | 130 |
} |
| ... | ... |
@@ -253,7 +256,7 @@ func (w *runcExecutor) Run(ctx context.Context, id string, root executor.Mount, |
| 253 | 253 |
} |
| 254 | 254 |
opts = append(opts, containerdoci.WithCgroup(cgroupsPath)) |
| 255 | 255 |
} |
| 256 |
- spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, namespace, w.processMode, w.idmap, opts...) |
|
| 256 |
+ spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, namespace, w.processMode, w.idmap, w.apparmorProfile, opts...) |
|
| 257 | 257 |
if err != nil {
|
| 258 | 258 |
return err |
| 259 | 259 |
} |
| ... | ... |
@@ -46,6 +46,7 @@ require ( |
| 46 | 46 |
github.com/opencontainers/image-spec v1.0.1 |
| 47 | 47 |
github.com/opencontainers/runc v1.0.0-rc92 |
| 48 | 48 |
github.com/opencontainers/runtime-spec v1.0.3-0.20200728170252-4d89ac9fbff6 |
| 49 |
+ github.com/opencontainers/selinux v1.8.0 |
|
| 49 | 50 |
github.com/opentracing-contrib/go-stdlib v1.0.0 |
| 50 | 51 |
github.com/opentracing/opentracing-go v1.2.0 |
| 51 | 52 |
github.com/pkg/errors v0.9.1 |