Merge pull request containerd#2746 from yankay/add-build-flag-allow

Add `--allow` option in `build`

cmd/nerdctl/builder_build.go

@@ -51,6 +51,10 @@ If Dockerfile is not present and -f is not specified, it will look for Container
 	buildCommand.Flags().StringP("output", "o", "", "Output destination (format: type=local,dest=path)")
 	buildCommand.Flags().String("progress", "auto", "Set type of progress output (auto, plain, tty). Use plain to show container output")
 	buildCommand.Flags().StringArray("secret", nil, "Secret file to expose to the build: id=mysecret,src=/local/secret")
+	buildCommand.Flags().StringArray("allow", nil, "Allow extra privileged entitlement, e.g. network.host, security.insecure")
+	buildCommand.RegisterFlagCompletionFunc("allow", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+		return []string{"network.host", "security.insecure"}, cobra.ShellCompDirectiveNoFileComp
+	})
 	buildCommand.Flags().StringArray("ssh", nil, "SSH agent socket or keys to expose to the build (format: default|<id>[=<socket>|<key>[,<key>]])")
 	buildCommand.Flags().BoolP("quiet", "q", false, "Suppress the build output and print image ID on success")
 	buildCommand.Flags().StringArray("cache-from", nil, "External cache sources (eg. user/app:cache, type=local,src=path/to/dir)")
@@ -129,6 +133,10 @@ func processBuildCommandFlag(cmd *cobra.Command, args []string) (types.BuilderBu
 	if err != nil {
 		return types.BuilderBuildOptions{}, err
 	}
+	allow, err := cmd.Flags().GetStringArray("allow")
+	if err != nil {
+		return types.BuilderBuildOptions{}, err
+	}
 	ssh, err := cmd.Flags().GetStringArray("ssh")
 	if err != nil {
 		return types.BuilderBuildOptions{}, err
@@ -170,6 +178,7 @@ func processBuildCommandFlag(cmd *cobra.Command, args []string) (types.BuilderBu
 		Label:        label,
 		NoCache:      noCache,
 		Secret:       secret,
+		Allow:        allow,
 		SSH:          ssh,
 		CacheFrom:    cacheFrom,
 		CacheTo:      cacheTo,

docs/command-reference.md

@@ -681,6 +681,7 @@ Flags:
   - :whale: `type=image,name=example.com/image,push=true`: Push to a registry (see [`buildctl build`](https://github.com/moby/buildkit/tree/v0.9.0#imageregistry) documentation)
 - :whale: `--progress=(auto|plain|tty)`: Set type of progress output (auto, plain, tty). Use plain to show container output
 - :whale: `--secret`: Secret file to expose to the build: id=mysecret,src=/local/secret
+- :whale: `--allow`: Allow extra privileged entitlement, e.g. network.host, security.insecure  (It’s required to configure the buildkitd to enable the feature, see [`buildkitd.toml`](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md) documentation)
 - :whale: `--ssh`: SSH agent socket or keys to expose to the build (format: `default|<id>[=<socket>|<key>[,<key>]]`)
 - :whale: `-q, --quiet`: Suppress the build output and print image ID on success
 - :whale: `--cache-from=CACHE`: External cache sources (eg. user/app:cache, type=local,src=path/to/dir) (compatible with `docker buildx build`)

pkg/api/types/builder_types.go

@@ -43,6 +43,8 @@ type BuilderBuildOptions struct {
 	Progress string
 	// Secret file to expose to the build: id=mysecret,src=/local/secret
 	Secret []string
+	// Allow extra privileged entitlement, e.g. network.host, security.insecure
+	Allow []string
 	// SSH agent socket or keys to expose to the build (format: default|<id>[=<socket>|<key>[,<key>]])
 	SSH []string
 	// Quiet suppress the build output and print image ID on success

pkg/cmd/builder/build.go

@@ -328,6 +328,10 @@ func generateBuildctlArgs(ctx context.Context, client *containerd.Client, option
 		buildctlArgs = append(buildctlArgs, "--secret="+s)
 	}
 
+	for _, s := range strutil.DedupeStrSlice(options.Allow) {
+		buildctlArgs = append(buildctlArgs, "--allow="+s)
+	}
+
 	for _, s := range strutil.DedupeStrSlice(options.SSH) {
 		buildctlArgs = append(buildctlArgs, "--ssh="+s)
 	}