@@ -7,6 +7,7 @@ import (

 	"io/ioutil"

 	nethttp "net/http"

 	"runtime"

+	"strings"

 	"time"

 	"github.com/containerd/containerd/content"

@@ -43,6 +44,7 @@ import (

 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

 	"github.com/pkg/errors"

 	"github.com/sirupsen/logrus"

+	bolt "go.etcd.io/bbolt"

 )

 const labelCreatedAt = "buildkit/createdat"

@@ -257,6 +259,47 @@ func (w *Worker) GetRemote(ctx context.Context, ref cache.ImmutableRef, createIf

 	}, nil

 }

+// PruneCacheMounts removes the current cache snapshots for specified IDs

+func (w *Worker) PruneCacheMounts(ctx context.Context, ids []string) error {

+	mu := ops.CacheMountsLocker()

+	mu.Lock()

+	defer mu.Unlock()

+

+	for _, id := range ids {

+		id = "cache-dir:" + id

+		sis, err := w.MetadataStore.Search(id)

+		if err != nil {

+			return err

+		}

+		for _, si := range sis {

+			for _, k := range si.Indexes() {

+				if k == id || strings.HasPrefix(k, id+":") {

+					if siCached := w.CacheManager.Metadata(si.ID()); siCached != nil {

+						si = siCached

+					}

+					if err := cache.CachePolicyDefault(si); err != nil {

+						return err

+					}

+					si.Queue(func(b *bolt.Bucket) error {

+						return si.SetValue(b, k, nil)

+					})

+					if err := si.Commit(); err != nil {

+						return err

+					}

+					// if ref is unused try to clean it up right away by releasing it

+					if mref, err := w.CacheManager.GetMutable(ctx, si.ID()); err == nil {

+						go mref.Release(context.TODO())

+					}

+					break

+				}

+			}

+		}

+	}

+

+	ops.ClearActiveCacheMounts()

+	return nil

+}

+

 // FromRemote converts a remote snapshot reference to a local one

 func (w *Worker) FromRemote(ctx context.Context, remote *solver.Remote) (cache.ImmutableRef, error) {

 	rootfs, err := getLayers(ctx, remote.Descriptors)

@@ -27,7 +27,7 @@ github.com/imdario/mergo                            7c29201646fa3de8506f70121347

 golang.org/x/sync                                   e225da77a7e68af35c70ccbf71af2b83e6acac3c

 # buildkit

-github.com/moby/buildkit                            a258bd18b2c55aac4e8a10a3074757d66d45cef6

+github.com/moby/buildkit                            f5a55a9516d1c6e2ade9bec22b83259caeed3a84 

 github.com/tonistiigi/fsutil                        3bbb99cdbd76619ab717299830c60f6f2a533a6b

 github.com/grpc-ecosystem/grpc-opentracing          8e809c8a86450a29b90dcc9efbf062d0fe6d9746

 github.com/opentracing/opentracing-go               1361b9cd60be79c4c3a7fa9841b3c132e40066a7

@@ -1,27 +1,25 @@

 [![asciicinema example](https://asciinema.org/a/gPEIEo1NzmDTUu2bEPsUboqmU.png)](https://asciinema.org/a/gPEIEo1NzmDTUu2bEPsUboqmU)

-

 ## BuildKit

 [![GoDoc](https://godoc.org/github.com/moby/buildkit?status.svg)](https://godoc.org/github.com/moby/buildkit/client/llb)

 [![Build Status](https://travis-ci.org/moby/buildkit.svg?branch=master)](https://travis-ci.org/moby/buildkit)

 [![Go Report Card](https://goreportcard.com/badge/github.com/moby/buildkit)](https://goreportcard.com/report/github.com/moby/buildkit)

-

 BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner.

 Key features:

-- Automatic garbage collection

-- Extendable frontend formats

-- Concurrent dependency resolution

-- Efficient instruction caching

-- Build cache import/export

-- Nested build job invocations

-- Distributable workers

-- Multiple output formats

-- Pluggable architecture

-- Execution without root privileges

+-   Automatic garbage collection

+-   Extendable frontend formats

+-   Concurrent dependency resolution

+-   Efficient instruction caching

+-   Build cache import/export

+-   Nested build job invocations

+-   Distributable workers

+-   Multiple output formats

+-   Pluggable architecture

+-   Execution without root privileges

 Read the proposal from https://github.com/moby/moby/issues/32925

@@ -33,20 +31,21 @@ Introductory blog post https://blog.mobyproject.org/introducing-buildkit-17e056c

 BuildKit is used by the following projects:

-- [Moby & Docker](https://github.com/moby/moby/pull/37151)

-- [img](https://github.com/genuinetools/img)

-- [OpenFaaS Cloud](https://github.com/openfaas/openfaas-cloud)

-- [container build interface](https://github.com/containerbuilding/cbi)

-- [Knative Build Templates](https://github.com/knative/build-templates)

-- [vab](https://github.com/stellarproject/vab)

-- [Rio](https://github.com/rancher/rio) (on roadmap)

+-   [Moby & Docker](https://github.com/moby/moby/pull/37151)

+-   [img](https://github.com/genuinetools/img)

+-   [OpenFaaS Cloud](https://github.com/openfaas/openfaas-cloud)

+-   [container build interface](https://github.com/containerbuilding/cbi)

+-   [Knative Build Templates](https://github.com/knative/build-templates)

+-   [the Sanic build tool](https://github.com/distributed-containers-inc/sanic)

+-   [vab](https://github.com/stellarproject/vab)

+-   [Rio](https://github.com/rancher/rio) (on roadmap)

 ### Quick start

 Dependencies:

-- [runc](https://github.com/opencontainers/runc)

-- [containerd](https://github.com/containerd/containerd) (if you want to use containerd worker)

+-   [runc](https://github.com/opencontainers/runc)

+-   [containerd](https://github.com/containerd/containerd) (if you want to use containerd worker)

 The following command installs `buildkitd` and `buildctl` to `/usr/local/bin`:

@@ -58,14 +57,13 @@ You can also use `make binaries-all` to prepare `buildkitd.containerd_only` and

 #### Starting the buildkitd daemon:

-```

+```bash

 buildkitd --debug --root /var/lib/buildkit

 ```

 The buildkitd daemon supports two worker backends: OCI (runc) and containerd.

-By default, the OCI (runc) worker is used.

-You can set `--oci-worker=false --containerd-worker=true` to use the containerd worker.

+By default, the OCI (runc) worker is used. You can set `--oci-worker=false --containerd-worker=true` to use the containerd worker.

 We are open to adding more backends.

@@ -73,44 +71,46 @@ We are open to adding more backends.

 BuildKit builds are based on a binary intermediate format called LLB that is used for defining the dependency graph for processes running part of your build. tl;dr: LLB is to Dockerfile what LLVM IR is to C.

-- Marshaled as Protobuf messages

-- Concurrently executable

-- Efficiently cacheable

-- Vendor-neutral (i.e. non-Dockerfile languages can be easily implemented)

+-   Marshaled as Protobuf messages

+-   Concurrently executable

+-   Efficiently cacheable

+-   Vendor-neutral (i.e. non-Dockerfile languages can be easily implemented)

 See [`solver/pb/ops.proto`](./solver/pb/ops.proto) for the format definition.

 Currently, following high-level languages has been implemented for LLB:

-- Dockerfile (See [Exploring Dockerfiles](#exploring-dockerfiles))

-- [Buildpacks](https://github.com/tonistiigi/buildkit-pack)

-- (open a PR to add your own language)

+-   Dockerfile (See [Exploring Dockerfiles](#exploring-dockerfiles))

+-   [Buildpacks](https://github.com/tonistiigi/buildkit-pack)

+-   (open a PR to add your own language)

 For understanding the basics of LLB, `examples/buildkit*` directory contains scripts that define how to build different configurations of BuildKit itself and its dependencies using the `client` package. Running one of these scripts generates a protobuf definition of a build graph. Note that the script itself does not execute any steps of the build.

 You can use `buildctl debug dump-llb` to see what data is in this definition. Add `--dot` to generate dot layout.

 ```bash

-go run examples/buildkit0/buildkit.go | buildctl debug dump-llb | jq .

+go run examples/buildkit0/buildkit.go \

+    | buildctl debug dump-llb \

+    | jq .

 ```

-To start building use `buildctl build` command. The example script accepts `--with-containerd` flag to choose if containerd binaries and support should be included in the end result as well. 

+To start building use `buildctl build` command. The example script accepts `--with-containerd` flag to choose if containerd binaries and support should be included in the end result as well.

 ```bash

-go run examples/buildkit0/buildkit.go | buildctl build

+go run examples/buildkit0/buildkit.go \

+    | buildctl build

 ```

 `buildctl build` will show interactive progress bar by default while the build job is running. If the path to the trace file is specified, the trace file generated will contain all information about the timing of the individual steps and logs.

 Different versions of the example scripts show different ways of describing the build definition for this project to show the capabilities of the library. New versions have been added when new features have become available.

-- `./examples/buildkit0` - uses only exec operations, defines a full stage per component.

-- `./examples/buildkit1` - cloning git repositories has been separated for extra concurrency.

-- `./examples/buildkit2` - uses git sources directly instead of running `git clone`, allowing better performance and much safer caching.

-- `./examples/buildkit3` - allows using local source files for separate components eg. `./buildkit3 --runc=local | buildctl build --local runc-src=some/local/path`  

-- `./examples/dockerfile2llb` - can be used to convert a Dockerfile to LLB for debugging purposes

-- `./examples/gobuild` - shows how to use nested invocation to generate LLB for Go package internal dependencies

-

+-   `./examples/buildkit0` - uses only exec operations, defines a full stage per component.

+-   `./examples/buildkit1` - cloning git repositories has been separated for extra concurrency.

+-   `./examples/buildkit2` - uses git sources directly instead of running `git clone`, allowing better performance and much safer caching.

+-   `./examples/buildkit3` - allows using local source files for separate components eg. `./buildkit3 --runc=local | buildctl build --local runc-src=some/local/path`

+-   `./examples/dockerfile2llb` - can be used to convert a Dockerfile to LLB for debugging purposes

+-   `./examples/gobuild` - shows how to use nested invocation to generate LLB for Go package internal dependencies

 #### Exploring Dockerfiles

@@ -120,9 +120,18 @@ During development, Dockerfile frontend (dockerfile.v0) is also part of the Buil

 ##### Building a Dockerfile with `buildctl`

-```

-buildctl build --frontend=dockerfile.v0 --local context=. --local dockerfile=.

-buildctl build --frontend=dockerfile.v0 --local context=. --local dockerfile=. --opt target=foo --opt build-arg:foo=bar

+```bash

+buildctl build \

+    --frontend=dockerfile.v0 \

+    --local context=. \

+    --local dockerfile=.

+# or

+buildctl build \

+    --frontend=dockerfile.v0 \

+    --local context=. \

+    --local dockerfile=. \

+    --opt target=foo \

+    --opt build-arg:foo=bar

 ```

 `--local` exposes local source files from client to the builder. `context` and `dockerfile` are the names Dockerfile frontend looks for build context and Dockerfile location.

@@ -131,8 +140,9 @@ buildctl build --frontend=dockerfile.v0 --local context=. --local dockerfile=. -

 For people familiar with `docker build` command, there is an example wrapper utility in `./examples/build-using-dockerfile` that allows building Dockerfiles with BuildKit using a syntax similar to `docker build`.

-```

-go build ./examples/build-using-dockerfile && sudo install build-using-dockerfile /usr/local/bin

+```bash

+go build ./examples/build-using-dockerfile \

+    && sudo install build-using-dockerfile /usr/local/bin

 build-using-dockerfile -t myimage .

 build-using-dockerfile -t mybuildkit -f ./hack/dockerfiles/test.Dockerfile .

@@ -145,10 +155,18 @@ docker inspect myimage

 External versions of the Dockerfile frontend are pushed to https://hub.docker.com/r/docker/dockerfile-upstream and https://hub.docker.com/r/docker/dockerfile and can be used with the gateway frontend. The source for the external frontend is currently located in `./frontend/dockerfile/cmd/dockerfile-frontend` but will move out of this repository in the future ([#163](https://github.com/moby/buildkit/issues/163)). For automatic build from master branch of this repository `docker/dockerfile-upsteam:master` or `docker/dockerfile-upstream:master-experimental` image can be used.

+```bash

+buildctl build \

+    --frontend gateway.v0 \

+    --opt source=docker/dockerfile \

+    --local context=. \

+    --local dockerfile=.

+buildctl build \

+    --frontend gateway.v0 \

+    --opt source=docker/dockerfile \

+    --opt context=git://github.com/moby/moby \

+    --opt build-arg:APT_MIRROR=cdn-fastly.deb.debian.org

 ```

-buildctl build --frontend gateway.v0 --opt source=docker/dockerfile --local context=. --local dockerfile=.

-buildctl build --frontend gateway.v0 --opt source=docker/dockerfile --opt context=git://github.com/moby/moby --opt build-arg:APT_MIRROR=cdn-fastly.deb.debian.org

-````

 ##### Building a Dockerfile with experimental features like `RUN --mount=type=(bind|cache|tmpfs|secret|ssh)`

@@ -162,29 +180,29 @@ By default, the build result and intermediate cache will only remain internally

 The containerd worker needs to be used

-```

+```bash

 buildctl build ... --output type=image,name=docker.io/username/image

 ctr --namespace=buildkit images ls

 ```

 ##### Push resulting image to registry

-```

+```bash

 buildctl build ... --output type=image,name=docker.io/username/image,push=true

 ```

 If credentials are required, `buildctl` will attempt to read Docker configuration file.

-

 ##### Exporting build result back to client

 The local client will copy the files directly to the client. This is useful if BuildKit is being used for building something else than container images.

-```

+```bash

 buildctl build ... --output type=local,dest=path/to/output-dir

 ```

 To export specific files use multi-stage builds with a scratch stage and copy the needed files into that stage with `COPY --from`.

+

 ```dockerfile

 ...

 FROM scratch as testresult

@@ -193,28 +211,27 @@ COPY --from=builder /usr/src/app/testresult.xml .

 ...

 ```

-```

+```bash

 buildctl build ... --opt target=testresult --output type=local,dest=path/to/output-dir

 ```

 Tar exporter is similar to local exporter but transfers the files through a tarball.

-```

+```bash

 buildctl build ... --output type=tar,dest=out.tar

 buildctl build ... --output type=tar > out.tar

 ```

-

 ##### Exporting built image to Docker

-```

+```bash

 # exported tarball is also compatible with OCI spec

 buildctl build ... --output type=docker,name=myimage | docker load

 ```

 ##### Exporting [OCI Image Format](https://github.com/opencontainers/image-spec) tarball to client

-```

+```bash

 buildctl build ... --output type=oci,dest=path/to/output.tar

 buildctl build ... --output type=oci > output.tar

 ```

@@ -223,14 +240,14 @@ buildctl build ... --output type=oci > output.tar

 #### To/From registry

-```

+```bash

 buildctl build ... --export-cache type=registry,ref=localhost:5000/myrepo:buildcache

 buildctl build ... --import-cache type=registry,ref=localhost:5000/myrepo:buildcache

 ```

 #### To/From local filesystem

-```

+```bash

 buildctl build ... --export-cache type=local,dest=path/to/output-dir

 buildctl build ... --import-cache type=local,src=path/to/input-dir

 ```

@@ -238,27 +255,29 @@ buildctl build ... --import-cache type=local,src=path/to/input-dir

 The directory layout conforms to OCI Image Spec v1.0.

 #### `--export-cache` options

-* `mode=min` (default): only export layers for the resulting image

-* `mode=max`: export all the layers of all intermediate steps

-* `ref=docker.io/user/image:tag`: reference for `registry` cache exporter

-* `dest=path/to/output-dir`: directory for `local` cache exporter

+

+-   `mode=min` (default): only export layers for the resulting image

+-   `mode=max`: export all the layers of all intermediate steps

+-   `ref=docker.io/user/image:tag`: reference for `registry` cache exporter

+-   `dest=path/to/output-dir`: directory for `local` cache exporter

 #### `--import-cache` options

-* `ref=docker.io/user/image:tag`: reference for `registry` cache importer

-* `src=path/to/input-dir`: directory for `local` cache importer

-* `digest=sha256:deadbeef`: digest of the manifest list to import for `local` cache importer. Defaults to the digest of "latest" tag in `index.json`

+

+-   `ref=docker.io/user/image:tag`: reference for `registry` cache importer

+-   `src=path/to/input-dir`: directory for `local` cache importer

+-   `digest=sha256:deadbeef`: digest of the manifest list to import for `local` cache importer. Defaults to the digest of "latest" tag in `index.json`

 ### Other

 #### View build cache

-```

+```bash

 buildctl du -v

 ```

 #### Show enabled workers

-```

+```bash

 buildctl debug workers -v

 ```

@@ -268,14 +287,14 @@ BuildKit can also be used by running the `buildkitd` daemon inside a Docker cont

 We provide `buildkitd` container images as [`moby/buildkit`](https://hub.docker.com/r/moby/buildkit/tags/):

-* `moby/buildkit:latest`: built from the latest regular [release](https://github.com/moby/buildkit/releases)

-* `moby/buildkit:rootless`: same as `latest` but runs as an unprivileged user, see [`docs/rootless.md`](docs/rootless.md)

-* `moby/buildkit:master`: built from the master branch

-* `moby/buildkit:master-rootless`: same as master but runs as an unprivileged user, see [`docs/rootless.md`](docs/rootless.md)

+-   `moby/buildkit:latest`: built from the latest regular [release](https://github.com/moby/buildkit/releases)

+-   `moby/buildkit:rootless`: same as `latest` but runs as an unprivileged user, see [`docs/rootless.md`](docs/rootless.md)

+-   `moby/buildkit:master`: built from the master branch

+-   `moby/buildkit:master-rootless`: same as master but runs as an unprivileged user, see [`docs/rootless.md`](docs/rootless.md)

 To run daemon in a container:

-```

+```bash

 docker run -d --privileged -p 1234:1234 moby/buildkit:latest --addr tcp://0.0.0.0:1234

 export BUILDKIT_HOST=tcp://0.0.0.0:1234

 buildctl build --help

@@ -283,26 +302,50 @@ buildctl build --help

 To run client and an ephemeral daemon in a single container ("daemonless mode"):

+```bash

+docker run \

+    -it \

+    --rm \

+    --privileged \

+    -v /path/to/dir:/tmp/work \

+    --entrypoint buildctl-daemonless.sh \

+    moby/buildkit:master \

+        build \

+        --frontend dockerfile.v0 \

+        --local context=/tmp/work \

+        --local dockerfile=/tmp/work

 ```

-docker run -it --rm --privileged -v /path/to/dir:/tmp/work --entrypoint buildctl-daemonless.sh moby/buildkit:master build --frontend dockerfile.v0 --local context=/tmp/work --local dockerfile=/tmp/work

-```

+

 or

-```

-docker run -it --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined -e BUILDKITD_FLAGS=--oci-worker-no-process-sandbox -v /path/to/dir:/tmp/work --entrypoint buildctl-daemonless.sh moby/buildkit:master-rootless build --frontend dockerfile.v0 --local context=/tmp/work --local dockerfile=/tmp/work

-```

-The images can be also built locally using `./hack/dockerfiles/test.Dockerfile` (or `./hack/dockerfiles/test.buildkit.Dockerfile` if you already have BuildKit).

-Run `make images` to build the images as `moby/buildkit:local` and `moby/buildkit:local-rootless`.

+```bash

+docker run \

+    -it \

+    --rm \

+    --security-opt seccomp=unconfined \

+    --security-opt apparmor=unconfined \

+    -e BUILDKITD_FLAGS=--oci-worker-no-process-sandbox \

+    -v /path/to/dir:/tmp/work \

+    --entrypoint buildctl-daemonless.sh \

+    moby/buildkit:master-rootless \

+        build \

+        --frontend \

+        dockerfile.v0 \

+        --local context=/tmp/work \

+        --local dockerfile=/tmp/work

+```

+

+The images can be also built locally using `./hack/dockerfiles/test.Dockerfile` (or `./hack/dockerfiles/test.buildkit.Dockerfile` if you already have BuildKit). Run `make images` to build the images as `moby/buildkit:local` and `moby/buildkit:local-rootless`.

 #### Connection helpers

 If you are running `moby/buildkit:master` or `moby/buildkit:master-rootless` as a Docker/Kubernetes container, you can use special `BUILDKIT_HOST` URL for connecting to the BuildKit daemon in the container:

-```

+```bash

 export BUILDKIT_HOST=docker-container://<container>

 ```

-```

+```bash

 export BUILDKIT_HOST=kube-pod://<pod>

 ```

@@ -310,15 +353,13 @@ export BUILDKIT_HOST=kube-pod://<pod>

 BuildKit supports opentracing for buildkitd gRPC API and buildctl commands. To capture the trace to [Jaeger](https://github.com/jaegertracing/jaeger), set `JAEGER_TRACE` environment variable to the collection address.

-

-```

+```bash

 docker run -d -p6831:6831/udp -p16686:16686 jaegertracing/all-in-one:latest

 export JAEGER_TRACE=0.0.0.0:6831

 # restart buildkitd and buildctl so they know JAEGER_TRACE

 # any buildctl command should be traced to http://127.0.0.1:16686/

 ```

-

 ### Supported runc version

 During development, BuildKit is tested with the version of runc that is being used by the containerd repository. Please refer to [runc.md](https://github.com/containerd/containerd/blob/v1.2.1/RUNC.md) for more information.

@@ -329,5 +370,4 @@ Please refer to [`docs/rootless.md`](docs/rootless.md).

 ### Contributing

-Want to contribute to BuildKit? Awesome! You can find information about

-contributing to this project in the [CONTRIBUTING.md](/.github/CONTRIBUTING.md)

+Want to contribute to BuildKit? Awesome! You can find information about contributing to this project in the [CONTRIBUTING.md](/.github/CONTRIBUTING.md)

@@ -36,6 +36,7 @@ type Accessor interface {

 	New(ctx context.Context, s ImmutableRef, opts ...RefOption) (MutableRef, error)

 	GetMutable(ctx context.Context, id string) (MutableRef, error) // Rebase?

 	IdentityMapping() *idtools.IdentityMapping

+	Metadata(string) *metadata.StorageItem

 }

 type Controller interface {

@@ -124,6 +125,16 @@ func (cm *cacheManager) GetFromSnapshotter(ctx context.Context, id string, opts

 	return cm.get(ctx, id, true, opts...)

 }

+func (cm *cacheManager) Metadata(id string) *metadata.StorageItem {

+	cm.mu.Lock()

+	defer cm.mu.Unlock()

+	r, ok := cm.records[id]

+	if !ok {

+		return nil

+	}

+	return r.Metadata()

+}

+

 // get requires manager lock to be taken

 func (cm *cacheManager) get(ctx context.Context, id string, fromSnapshotter bool, opts ...RefOption) (*immutableRef, error) {

 	rec, err := cm.getRecord(ctx, id, fromSnapshotter, opts...)

@@ -250,6 +250,10 @@ func (s *StorageItem) Update(fn func(b *bolt.Bucket) error) error {

 	return s.storage.Update(s.id, fn)

 }

+func (s *StorageItem) Metadata() *StorageItem {

+	return s

+}

+

 func (s *StorageItem) Keys() []string {

 	keys := make([]string, 0, len(s.values))

 	for k := range s.values {

@@ -333,6 +337,15 @@ func (s *StorageItem) Indexes() (out []string) {

 func (s *StorageItem) SetValue(b *bolt.Bucket, key string, v *Value) error {

 	if v == nil {

+		if old, ok := s.values[key]; ok {

+			if old.Index != "" {

+				b, err := b.Tx().CreateBucketIfNotExists([]byte(indexBucket))

+				if err != nil {

+					return errors.WithStack(err)

+				}

+				b.Delete([]byte(indexKey(old.Index, s.ID()))) // ignore error

+			}

+		}

 		if err := b.Put([]byte(key), nil); err != nil {

 			return err

 		}

@@ -2,6 +2,7 @@ package cache

 import (

 	"context"

+	"strings"

 	"sync"

 	"github.com/containerd/containerd/mount"

@@ -429,6 +430,10 @@ func (m *readOnlyMounter) Mount() ([]mount.Mount, error) {

 		return nil, err

 	}

 	for i, m := range mounts {

+		if m.Type == "overlay" {

+			mounts[i].Options = readonlyOverlay(m.Options)

+			continue

+		}

 		opts := make([]string, 0, len(m.Options))

 		for _, opt := range m.Options {

 			if opt != "rw" {

@@ -440,3 +445,23 @@ func (m *readOnlyMounter) Mount() ([]mount.Mount, error) {

 	}

 	return mounts, nil

 }

+

+func readonlyOverlay(opt []string) []string {

+	out := make([]string, 0, len(opt))

+	upper := ""

+	for _, o := range opt {

+		if strings.HasPrefix(o, "upperdir=") {

+			upper = strings.TrimPrefix(o, "upperdir=")

+		} else if !strings.HasPrefix(o, "workdir=") {

+			out = append(out, o)

+		}

+	}

+	if upper != "" {

+		for i, o := range out {

+			if strings.HasPrefix(o, "lowerdir=") {

+				out[i] = "lowerdir=" + upper + ":" + strings.TrimPrefix(o, "lowerdir=")

+			}

+		}

+	}

+	return out

+}

@@ -67,8 +67,8 @@ func sortConfig(cc *CacheConfig) {

 		if ri.Digest != rj.Digest {

 			return ri.Digest < rj.Digest

 		}

-		if len(ri.Inputs) != len(ri.Inputs) {

-			return len(ri.Inputs) < len(ri.Inputs)

+		if len(ri.Inputs) != len(rj.Inputs) {

+			return len(ri.Inputs) < len(rj.Inputs)

 		}

 		for i, inputs := range ri.Inputs {

 			if len(ri.Inputs[i]) != len(rj.Inputs[i]) {

@@ -76,7 +76,7 @@ func sortConfig(cc *CacheConfig) {

 			}

 			for j := range inputs {

 				if ri.Inputs[i][j].Selector != rj.Inputs[i][j].Selector {

-					return ri.Inputs[i][j].Selector != rj.Inputs[i][j].Selector

+					return ri.Inputs[i][j].Selector < rj.Inputs[i][j].Selector

 				}

 				return cc.Records[ri.Inputs[i][j].LinkIndex].Digest < cc.Records[rj.Inputs[i][j].LinkIndex].Digest

 			}

@@ -46,8 +46,8 @@ type SolveOpt struct {

 type ExportEntry struct {

 	Type      string

 	Attrs     map[string]string

-	Output    io.WriteCloser // for ExporterOCI and ExporterDocker

-	OutputDir string         // for ExporterLocal

+	Output    func(map[string]string) (io.WriteCloser, error) // for ExporterOCI and ExporterDocker

+	OutputDir string                                          // for ExporterLocal

 }

 type CacheOptionsEntry struct {

@@ -38,13 +38,13 @@ type Opt struct {

 }

 type Controller struct { // TODO: ControlService

+	buildCount       int64

 	opt              Opt

 	solver           *llbsolver.Solver

 	cache            solver.CacheManager

 	gatewayForwarder *controlgateway.GatewayForwarder

 	throttledGC      func()

 	gcmu             sync.Mutex

-	buildCount       int64

 }

 func NewController(opt Opt) (*Controller, error) {

@@ -101,11 +101,11 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou

 	}

 	if meta.SecurityMode == pb.SecurityMode_INSECURE {

-		//make sysfs rw mount for insecure mode.

-		for _, m := range s.Mounts {

-			if m.Type == "sysfs" {

-				m.Options = []string{"nosuid", "noexec", "nodev", "rw"}

-			}

+		if err = oci.WithWriteableCgroupfs(ctx, nil, c, s); err != nil {

+			return nil, nil, err

+		}

+		if err = oci.WithWriteableSysfs(ctx, nil, c, s); err != nil {

+			return nil, nil, err

 		}

 	}

@@ -236,8 +236,10 @@ func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache.

 	if err != nil {

 		return errors.Wrapf(err, "working dir %s points to invalid target", newp)

 	}

-	if err := idtools.MkdirAllAndChown(newp, 0755, identity); err != nil {

-		return errors.Wrapf(err, "failed to create working directory %s", newp)

+	if _, err := os.Stat(newp); err != nil {

+		if err := idtools.MkdirAllAndChown(newp, 0755, identity); err != nil {

+			return errors.Wrapf(err, "failed to create working directory %s", newp)

+		}

 	}

 	if err := setOOMScoreAdj(spec); err != nil {

@@ -147,7 +147,7 @@ func (e *localExporterInstance) Export(ctx context.Context, inp exporter.Source)

 		fs = d.FS

 	}

-	w, err := filesync.CopyFileWriter(ctx, e.caller)

+	w, err := filesync.CopyFileWriter(ctx, nil, e.caller)

 	if err != nil {

 		return nil, err

 	}

@@ -34,6 +34,7 @@ const (

 	keyFilename                = "filename"

 	keyCacheFrom               = "cache-from"    // for registry only. deprecated in favor of keyCacheImports

 	keyCacheImports            = "cache-imports" // JSON representation of []CacheOptionsEntry

+	keyCacheNS                 = "build-arg:BUILDKIT_CACHE_MOUNT_NS"

 	defaultDockerfileName      = "Dockerfile"

 	dockerignoreFilename       = ".dockerignore"

 	buildArgPrefix             = "build-arg:"

@@ -322,6 +323,7 @@ func Build(ctx context.Context, c client.Client) (*client.Result, error) {

 					MetaResolver:      c,

 					BuildArgs:         filter(opts, buildArgPrefix),

 					Labels:            filter(opts, labelPrefix),

+					CacheIDNamespace:  opts[keyCacheNS],

 					SessionID:         c.BuildOpts().SessionID,

 					BuildContext:      buildContext,

 					Excludes:          excludes,

@@ -461,7 +461,7 @@ type dispatchOpt struct {

 func dispatch(d *dispatchState, cmd command, opt dispatchOpt) error {

 	if ex, ok := cmd.Command.(instructions.SupportsSingleWordExpansion); ok {

 		err := ex.Expand(func(word string) (string, error) {

-			return opt.shlex.ProcessWordWithMap(word, toEnvMap(d.buildArgs, d.image.Config.Env))

+			return opt.shlex.ProcessWord(word, d.state.Env())

 		})

 		if err != nil {

 			return err

@@ -626,14 +626,7 @@ func dispatchRun(d *dispatchState, c *instructions.RunCommand, proxy *llb.ProxyE

 		args = withShell(d.image, args)

 	}

 	env := d.state.Env()

-	opt := []llb.RunOption{llb.Args(args)}

-	for _, arg := range d.buildArgs {

-		if arg.Value != nil {

-			env = append(env, fmt.Sprintf("%s=%s", arg.Key, arg.ValueString()))

-			opt = append(opt, llb.AddEnv(arg.Key, arg.ValueString()))

-		}

-	}

-	opt = append(opt, dfCmd(c))

+	opt := []llb.RunOption{llb.Args(args), dfCmd(c)}

 	if d.ignoreCache {

 		opt = append(opt, llb.IgnoreCache)

 	}

@@ -647,6 +640,11 @@ func dispatchRun(d *dispatchState, c *instructions.RunCommand, proxy *llb.ProxyE

 	}

 	opt = append(opt, runMounts...)

+	err = dispatchRunSecurity(d, c)

+	if err != nil {

+		return err

+	}

+

 	shlex := *dopt.shlex

 	shlex.RawQuotes = true

 	shlex.SkipUnsetEnv = true

@@ -656,7 +654,7 @@ func dispatchRun(d *dispatchState, c *instructions.RunCommand, proxy *llb.ProxyE

 		opt = append(opt, llb.AddExtraHost(h.Host, h.IP))

 	}

 	d.state = d.state.Run(opt...).Root()

-	return commitToHistory(&d.image, "RUN "+runCommandString(args, d.buildArgs), true, &d.state)

+	return commitToHistory(&d.image, "RUN "+runCommandString(args, d.buildArgs, shell.BuildEnvs(env)), true, &d.state)

 }

 func dispatchWorkdir(d *dispatchState, c *instructions.WorkdirCommand, commit bool, opt *dispatchOpt) error {

@@ -927,7 +925,7 @@ func dispatchHealthcheck(d *dispatchState, c *instructions.HealthCheckCommand) e

 func dispatchExpose(d *dispatchState, c *instructions.ExposeCommand, shlex *shell.Lex) error {

 	ports := []string{}

 	for _, p := range c.Ports {

-		ps, err := shlex.ProcessWordsWithMap(p, toEnvMap(d.buildArgs, d.image.Config.Env))

+		ps, err := shlex.ProcessWords(p, d.state.Env())

 		if err != nil {

 			return err

 		}

@@ -1000,6 +998,10 @@ func dispatchArg(d *dispatchState, c *instructions.ArgCommand, metaArgs []instru

 		}

 	}

+	if buildArg.Value != nil {

+		d.state = d.state.AddEnv(buildArg.Key, *buildArg.Value)

+	}

+

 	d.buildArgs = append(d.buildArgs, buildArg)

 	return commitToHistory(&d.image, commitStr, false, nil)

 }

@@ -1065,21 +1067,6 @@ func setKVValue(kvpo instructions.KeyValuePairOptional, values map[string]string

 	return kvpo

 }

-func toEnvMap(args []instructions.KeyValuePairOptional, env []string) map[string]string {

-	m := shell.BuildEnvs(env)

-

-	for _, arg := range args {

-		// If key already exists, keep previous value.

-		if _, ok := m[arg.Key]; ok {

-			continue

-		}

-		if arg.Value != nil {

-			m[arg.Key] = arg.ValueString()

-		}

-	}

-	return m

-}

-

 func dfCmd(cmd interface{}) llb.ConstraintsOpt {

 	// TODO: add fmt.Stringer to instructions.Command to remove interface{}

 	var cmdStr string

@@ -1094,10 +1081,14 @@ func dfCmd(cmd interface{}) llb.ConstraintsOpt {

 	})

 }

-func runCommandString(args []string, buildArgs []instructions.KeyValuePairOptional) string {

+func runCommandString(args []string, buildArgs []instructions.KeyValuePairOptional, envMap map[string]string) string {

 	var tmpBuildEnv []string

 	for _, arg := range buildArgs {

-		tmpBuildEnv = append(tmpBuildEnv, arg.Key+"="+arg.ValueString())

+		v, ok := envMap[arg.Key]

+		if !ok {

+			v = arg.ValueString()

+		}

+		tmpBuildEnv = append(tmpBuildEnv, arg.Key+"="+v)

 	}

 	if len(tmpBuildEnv) > 0 {

 		tmpBuildEnv = append([]string{fmt.Sprintf("|%d", len(tmpBuildEnv))}, tmpBuildEnv...)

new file mode 100644

@@ -0,0 +1,11 @@

+// +build !dfrunsecurity

+

+package dockerfile2llb

+

+import (

+	"github.com/moby/buildkit/frontend/dockerfile/instructions"

+)

+

+func dispatchRunSecurity(d *dispatchState, c *instructions.RunCommand) error {

+	return nil

+}

@@ -124,6 +124,9 @@ func dispatchRunMounts(d *dispatchState, c *instructions.RunCommand, sources []*

 			if mount.CacheSharing == instructions.MountSharingLocked {

 				sharing = llb.CacheMountLocked

 			}

+			if mount.CacheID == "" {

+				mount.CacheID = path.Clean(mount.Target)

+			}

 			mountOpts = append(mountOpts, llb.AsPersistentCacheDir(opt.cacheIDNamespace+"/"+mount.CacheID, sharing))

 		}

 		target := mount.Target

@@ -144,7 +147,9 @@ func dispatchRunMounts(d *dispatchState, c *instructions.RunCommand, sources []*

 		out = append(out, llb.AddMount(target, st, mountOpts...))

-		d.ctxPaths[path.Join("/", filepath.ToSlash(mount.Source))] = struct{}{}

+		if mount.From == "" {

+			d.ctxPaths[path.Join("/", filepath.ToSlash(mount.Source))] = struct{}{}

+		}

 	}

 	return out, nil

 }

new file mode 100644

@@ -0,0 +1,27 @@

+// +build dfrunsecurity

+

+package dockerfile2llb

+

+import (

+	"github.com/pkg/errors"

+

+	"github.com/moby/buildkit/frontend/dockerfile/instructions"

+	"github.com/moby/buildkit/solver/pb"

+)

+

+func dispatchRunSecurity(d *dispatchState, c *instructions.RunCommand) error {

+	security := instructions.GetSecurity(c)

+

+	for _, sec := range security {

+		switch sec {

+		case instructions.SecurityInsecure:

+			d.state = d.state.Security(pb.SecurityMode_INSECURE)