Browse code
Merge pull request #50942 from Vigilans/vigilans/buildkit-windows-isolation
daemon: Ensure buildkit created container's isolation mode is consistent with daemon's config in Windows
Paweł Gronowski authored on 2025/11/11 03:33:43Showing 7 changed files
- daemon/command/daemon.go
- daemon/daemon.go
- daemon/internal/builder-next/builder.go
- daemon/internal/builder-next/controller.go
- daemon/internal/builder-next/executor_linux.go
- daemon/internal/builder-next/executor_others.go
- daemon/internal/builder-next/executor_windows.go
| ... | ... |
@@ -424,6 +424,7 @@ func initBuildkit(ctx context.Context, d *daemon.Daemon, cdiCache *cdi.Cache) (_ |
| 424 | 424 |
Snapshotter: d.ImageService().StorageDriver(), |
| 425 | 425 |
ContainerdAddress: cfg.ContainerdAddr, |
| 426 | 426 |
ContainerdNamespace: cfg.ContainerdNamespace, |
| 427 |
+ HyperVIsolation: d.DefaultIsolation().IsHyperV(), |
|
| 427 | 428 |
Callbacks: exporter.BuildkitCallbacks{
|
| 428 | 429 |
Exported: d.ImageExportedByBuildkit, |
| 429 | 430 |
Named: d.ImageNamedByBuildkit, |
| ... | ... |
@@ -205,6 +205,11 @@ func (daemon *Daemon) UsesSnapshotter() bool {
|
| 205 | 205 |
return daemon.usesSnapshotter |
| 206 | 206 |
} |
| 207 | 207 |
|
| 208 |
+// DefaultIsolation returns the default isolation mode for the daemon to run in (only applicable on Windows). |
|
| 209 |
+func (daemon *Daemon) DefaultIsolation() containertypes.Isolation {
|
|
| 210 |
+ return daemon.defaultIsolation |
|
| 211 |
+} |
|
| 212 |
+ |
|
| 208 | 213 |
func (daemon *Daemon) loadContainers(ctx context.Context) (map[string]map[string]*container.Container, error) {
|
| 209 | 214 |
var mapLock sync.Mutex |
| 210 | 215 |
driverContainers := make(map[string]map[string]*container.Container) |
| ... | ... |
@@ -22,7 +22,7 @@ import ( |
| 22 | 22 |
|
| 23 | 23 |
const networkName = "bridge" |
| 24 | 24 |
|
| 25 |
-func newExecutor(root, cgroupParent string, net *libnetwork.Controller, dnsConfig *oci.DNSConfig, rootless bool, idmap user.IdentityMapping, apparmorProfile string, cdiManager *cdidevices.Manager, _, _ string) (executor.Executor, error) {
|
|
| 25 |
+func newExecutor(root, cgroupParent string, net *libnetwork.Controller, dnsConfig *oci.DNSConfig, rootless bool, idmap user.IdentityMapping, apparmorProfile string, cdiManager *cdidevices.Manager, _, _ string, _ bool) (executor.Executor, error) {
|
|
| 26 | 26 |
netRoot := filepath.Join(root, "net") |
| 27 | 27 |
networkProviders := map[pb.NetMode]network.Provider{
|
| 28 | 28 |
pb.NetMode_UNSET: &bridgeProvider{Controller: net, Root: netRoot},
|
| ... | ... |
@@ -88,6 +88,7 @@ func newExecutorGD(root, cgroupParent string, net *libnetwork.Controller, dnsCon |
| 88 | 88 |
cdiManager, |
| 89 | 89 |
"", |
| 90 | 90 |
"", |
| 91 |
+ false, |
|
| 91 | 92 |
) |
| 92 | 93 |
} |
| 93 | 94 |
|
| ... | ... |
@@ -10,6 +10,6 @@ import ( |
| 10 | 10 |
"github.com/moby/sys/user" |
| 11 | 11 |
) |
| 12 | 12 |
|
| 13 |
-func newExecutor(_, _ string, _ *libnetwork.Controller, _ *oci.DNSConfig, _ bool, _ user.IdentityMapping, _ string, _ *cdidevices.Manager, _, _ string) (executor.Executor, error) {
|
|
| 13 |
+func newExecutor(_, _ string, _ *libnetwork.Controller, _ *oci.DNSConfig, _ bool, _ user.IdentityMapping, _ string, _ *cdidevices.Manager, _, _ string, _ bool) (executor.Executor, error) {
|
|
| 14 | 14 |
return &stubExecutor{}, nil
|
| 15 | 15 |
} |
| ... | ... |
@@ -31,6 +31,7 @@ func newExecutor( |
| 31 | 31 |
cdiManager *cdidevices.Manager, |
| 32 | 32 |
containerdAddr string, |
| 33 | 33 |
containerdNamespace string, |
| 34 |
+ hypervIsolation bool, |
|
| 34 | 35 |
) (executor.Executor, error) {
|
| 35 | 36 |
netRoot := filepath.Join(root, "net") |
| 36 | 37 |
np := map[pb.NetMode]network.Provider{
|
| ... | ... |
@@ -50,6 +51,7 @@ func newExecutor( |
| 50 | 50 |
DNSConfig: dns, |
| 51 | 51 |
CDIManager: cdiManager, |
| 52 | 52 |
NetworkProviders: np, |
| 53 |
+ HyperVIsolation: hypervIsolation, |
|
| 53 | 54 |
} |
| 54 | 55 |
return containerdexecutor.New(executorOpts), nil |
| 55 | 56 |
} |