builder: do not set network.host entitlement flag if already set in buildkitd conf

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
CrazyMax 2024-09-11 12:27:29 +02:00
parent 40f444f4b8
commit 617d59d70b
No known key found for this signature in database
GPG Key ID: ADE44D8C9D44FBE4
4 changed files with 73 additions and 22 deletions


@ -435,7 +435,16 @@ func Create(ctx context.Context, txn *store.Txn, dockerCli command.Cli, opts Cre
return nil, err return nil, err
} }
buildkitdFlags, err := parseBuildkitdFlags(opts.BuildkitdFlags, driverName, driverOpts) buildkitdConfigFile := opts.BuildkitdConfigFile
if buildkitdConfigFile == "" {
// if buildkit daemon config is not provided, check if the default one
// is available and use it
if f, ok := confutil.DefaultConfigFile(dockerCli); ok {
buildkitdConfigFile = f
}
}
buildkitdFlags, err := parseBuildkitdFlags(opts.BuildkitdFlags, driverName, driverOpts, buildkitdConfigFile)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -496,15 +505,6 @@ func Create(ctx context.Context, txn *store.Txn, dockerCli command.Cli, opts Cre
setEp = false setEp = false
} }
buildkitdConfigFile := opts.BuildkitdConfigFile
if buildkitdConfigFile == "" {
// if buildkit daemon config is not provided, check if the default one
// is available and use it
if f, ok := confutil.DefaultConfigFile(dockerCli); ok {
buildkitdConfigFile = f
}
}
if err := ng.Update(opts.NodeName, ep, opts.Platforms, setEp, opts.Append, buildkitdFlags, buildkitdConfigFile, driverOpts); err != nil { if err := ng.Update(opts.NodeName, ep, opts.Platforms, setEp, opts.Append, buildkitdFlags, buildkitdConfigFile, driverOpts); err != nil {
return nil, err return nil, err
} }
@ -641,7 +641,7 @@ func validateBuildkitEndpoint(ep string) (string, error) {
} }
// parseBuildkitdFlags parses buildkit flags // parseBuildkitdFlags parses buildkit flags
func parseBuildkitdFlags(inp string, driver string, driverOpts map[string]string) (res []string, err error) { func parseBuildkitdFlags(inp string, driver string, driverOpts map[string]string, buildkitdConfigFile string) (res []string, err error) {
if inp != "" { if inp != "" {
res, err = shlex.Split(inp) res, err = shlex.Split(inp)
if err != nil { if err != nil {
@ -663,10 +663,27 @@ func parseBuildkitdFlags(inp string, driver string, driverOpts map[string]string
} }
} }
var hasNetworkHostEntitlementInConf bool
if buildkitdConfigFile != "" {
btoml, err := confutil.LoadConfigTree(buildkitdConfigFile)
if err != nil {
return nil, err
} else if btoml != nil {
if ies := btoml.GetArray("insecure-entitlements"); ies != nil {
for _, e := range ies.([]string) {
if e == "network.host" {
hasNetworkHostEntitlementInConf = true
break
}
}
}
}
}
if v, ok := driverOpts["network"]; ok && v == "host" && !hasNetworkHostEntitlement && driver == "docker-container" { if v, ok := driverOpts["network"]; ok && v == "host" && !hasNetworkHostEntitlement && driver == "docker-container" {
// always set network.host entitlement if user has set network=host // always set network.host entitlement if user has set network=host
res = append(res, "--allow-insecure-entitlement=network.host") res = append(res, "--allow-insecure-entitlement=network.host")
} else if len(allowInsecureEntitlements) == 0 && (driver == "kubernetes" || driver == "docker-container") { } else if len(allowInsecureEntitlements) == 0 && !hasNetworkHostEntitlementInConf && (driver == "kubernetes" || driver == "docker-container") {
// set network.host entitlement if user does not provide any as // set network.host entitlement if user does not provide any as
// network is isolated for container drivers. // network is isolated for container drivers.
res = append(res, "--allow-insecure-entitlement=network.host") res = append(res, "--allow-insecure-entitlement=network.host")
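Review bot: The type assertion `ies.([]string)` on the `insecure-entitlements` value is unchecked, so a config whose array is empty or not homogeneously strings (which GetArray presumably returns as a different slice type) would panic the CLI instead of yielding an error; use a checked form such as `ies, ok := btoml.GetArray("insecure-entitlements").([]string); ok` and treat a mismatch as "not set" or return an error. The conf check also only gates the second branch, so with driver-opt network=host the flag is still appended even when the conf already grants the entitlement, which seems narrower than the commit title; if that duplication is intended, a short comment on the first branch would help. parseBuildkitdFlags continues past the end of the hunk.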


@ -1,6 +1,8 @@
package builder package builder
import ( import (
"os"
"path"
"testing" "testing"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
@ -27,19 +29,34 @@ func TestCsvToMap(t *testing.T) {
} }
func TestParseBuildkitdFlags(t *testing.T) { func TestParseBuildkitdFlags(t *testing.T) {
buildkitdConf := `
# debug enables additional debug logging
debug = true
# insecure-entitlements allows insecure entitlements, disabled by default.
insecure-entitlements = [ "network.host", "security.insecure" ]
[log]
# log formatter: json or text
format = "text"
`
dirConf := t.TempDir()
buildkitdConfPath := path.Join(dirConf, "buildkitd-conf.toml")
require.NoError(t, os.WriteFile(buildkitdConfPath, []byte(buildkitdConf), 0644))
testCases := []struct { testCases := []struct {
name string name string
flags string flags string
driver string driver string
driverOpts map[string]string driverOpts map[string]string
expected []string buildkitdConfigFile string
wantErr bool expected []string
wantErr bool
}{ }{
{ {
"docker-container no flags", "docker-container no flags",
"", "",
"docker-container", "docker-container",
nil, nil,
"",
[]string{ []string{
"--allow-insecure-entitlement=network.host", "--allow-insecure-entitlement=network.host",
}, },
@ -50,6 +67,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
"", "",
"kubernetes", "kubernetes",
nil, nil,
"",
[]string{ []string{
"--allow-insecure-entitlement=network.host", "--allow-insecure-entitlement=network.host",
}, },
@ -60,6 +78,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
"", "",
"remote", "remote",
nil, nil,
"",
nil, nil,
false, false,
}, },
@ -68,6 +87,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
"--allow-insecure-entitlement=security.insecure", "--allow-insecure-entitlement=security.insecure",
"docker-container", "docker-container",
nil, nil,
"",
[]string{ []string{
"--allow-insecure-entitlement=security.insecure", "--allow-insecure-entitlement=security.insecure",
}, },
@ -78,6 +98,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
"--allow-insecure-entitlement=network.host --allow-insecure-entitlement=security.insecure", "--allow-insecure-entitlement=network.host --allow-insecure-entitlement=security.insecure",
"docker-container", "docker-container",
nil, nil,
"",
[]string{ []string{
"--allow-insecure-entitlement=network.host", "--allow-insecure-entitlement=network.host",
"--allow-insecure-entitlement=security.insecure", "--allow-insecure-entitlement=security.insecure",
@ -89,6 +110,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
"", "",
"docker-container", "docker-container",
map[string]string{"network": "host"}, map[string]string{"network": "host"},
"",
[]string{ []string{
"--allow-insecure-entitlement=network.host", "--allow-insecure-entitlement=network.host",
}, },
@ -99,6 +121,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
"--allow-insecure-entitlement=network.host", "--allow-insecure-entitlement=network.host",
"docker-container", "docker-container",
map[string]string{"network": "host"}, map[string]string{"network": "host"},
"",
[]string{ []string{
"--allow-insecure-entitlement=network.host", "--allow-insecure-entitlement=network.host",
}, },
@ -109,17 +132,28 @@ func TestParseBuildkitdFlags(t *testing.T) {
"--allow-insecure-entitlement=network.host --allow-insecure-entitlement=security.insecure", "--allow-insecure-entitlement=network.host --allow-insecure-entitlement=security.insecure",
"docker-container", "docker-container",
map[string]string{"network": "host"}, map[string]string{"network": "host"},
"",
[]string{ []string{
"--allow-insecure-entitlement=network.host", "--allow-insecure-entitlement=network.host",
"--allow-insecure-entitlement=security.insecure", "--allow-insecure-entitlement=security.insecure",
}, },
false, false,
}, },
{
"docker-container with buildkitd conf setting network.host entitlement",
"",
"docker-container",
nil,
buildkitdConfPath,
nil,
false,
},
{ {
"error parsing flags", "error parsing flags",
"foo'", "foo'",
"docker-container", "docker-container",
nil, nil,
"",
nil, nil,
true, true,
}, },
@ -127,7 +161,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
for _, tt := range testCases { for _, tt := range testCases {
tt := tt tt := tt
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
flags, err := parseBuildkitdFlags(tt.flags, tt.driver, tt.driverOpts) flags, err := parseBuildkitdFlags(tt.flags, tt.driver, tt.driverOpts, tt.buildkitdConfigFile)
if tt.wantErr { if tt.wantErr {
require.Error(t, err) require.Error(t, err)
return return
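Review bot: `path.Join` is for slash-separated paths; for a file written under `t.TempDir()` the test should use `filepath.Join(dirConf, "buildkitd-conf.toml")` (importing `path/filepath` instead of `path`) so it is correct on Windows. The new case only covers a conf that already lists network.host; a case with a conf file that lacks it (expecting the flag to still be appended) and one combining the `network=host` driver-opt with that conf would pin the intended behavior on both branches. The loop that runs the cases continues past the end of the hunk.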


@ -34,8 +34,8 @@ func DefaultConfigFile(dockerCli command.Cli) (string, bool) {
return "", false return "", false
} }
// loadConfigTree loads BuildKit config toml tree // LoadConfigTree loads BuildKit config toml tree
func loadConfigTree(fp string) (*toml.Tree, error) { func LoadConfigTree(fp string) (*toml.Tree, error) {
f, err := os.Open(fp) f, err := os.Open(fp)
if err != nil { if err != nil {
if errors.Is(err, os.ErrNotExist) { if errors.Is(err, os.ErrNotExist) {


@ -32,7 +32,7 @@ func LoadConfigFiles(bkconfig string) (map[string][]byte, error) {
} }
// Load config tree // Load config tree
btoml, err := loadConfigTree(bkconfig) btoml, err := LoadConfigTree(bkconfig)
if err != nil { if err != nil {
return nil, err return nil, err
} }