diff --git a/cmd/nerdctl/builder_build.go b/cmd/nerdctl/builder_build.go
index 567648f86b..a74d3876e9 100644
--- a/cmd/nerdctl/builder_build.go
+++ b/cmd/nerdctl/builder_build.go
@@ -51,6 +51,10 @@ If Dockerfile is not present and -f is not specified, it will look for Container
 buildCommand.Flags().StringP("output", "o", "", "Output destination (format: type=local,dest=path)")
 buildCommand.Flags().String("progress", "auto", "Set type of progress output (auto, plain, tty). Use plain to show container output")
 buildCommand.Flags().StringArray("secret", nil, "Secret file to expose to the build: id=mysecret,src=/local/secret")
+ buildCommand.Flags().StringArray("allow", nil, "Allow extra privileged entitlement, e.g. network.host, security.insecure")
+ buildCommand.RegisterFlagCompletionFunc("allow", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+ return []string{"network.host", "security.insecure"}, cobra.ShellCompDirectiveNoFileComp
+ })
 buildCommand.Flags().StringArray("ssh", nil, "SSH agent socket or keys to expose to the build (format: default|[=|[,]])")
 buildCommand.Flags().BoolP("quiet", "q", false, "Suppress the build output and print image ID on success")
 buildCommand.Flags().StringArray("cache-from", nil, "External cache sources (eg. user/app:cache, type=local,src=path/to/dir)")
@@ -129,6 +133,10 @@ func processBuildCommandFlag(cmd *cobra.Command, args []string) (types.BuilderBu
 if err != nil {
 return types.BuilderBuildOptions{}, err
 }
+ allow, err := cmd.Flags().GetStringArray("allow")
+ if err != nil {
+ return types.BuilderBuildOptions{}, err
+ }
 ssh, err := cmd.Flags().GetStringArray("ssh")
 if err != nil {
 return types.BuilderBuildOptions{}, err
@@ -170,6 +178,7 @@ func processBuildCommandFlag(cmd *cobra.Command, args []string) (types.BuilderBu
 Label: label,
 NoCache: noCache,
 Secret: secret,
+ Allow: allow,
 SSH: ssh,
 CacheFrom: cacheFrom,
 CacheTo: cacheTo,
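Review bot: The help string added for `--allow` in the first hunk (`@@ -51,6 +51,10 @@`) leaves out the precondition that docs/command-reference.md states in this same commit, namely that buildkitd has to be configured to enable the feature. Someone reading only the command's built-in help gets no hint that the daemon side must opt in, or that these entitlements widen what build steps are permitted to do. Suggested text: `"Allow extra privileged entitlement, e.g. network.host, security.insecure (must also be enabled in buildkitd)"`.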
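Review bot: The `allow` values read in the second hunk (`@@ -129,6 +133,10 @@`) are stored in the options without any check, and the pkg/cmd/builder/build.go hunk later turns each one into a `--allow=` argument, so an empty or misspelled entitlement is caught only by buildctl, if at all. Since these values switch on privileged build behaviour, an early rejection of anything outside the two names the completion function already offers gives a clearer failure; if entitlements added by newer BuildKit releases must pass through, refusing only the empty string is the weaker alternative. processBuildCommandFlag starts and ends outside the hunk, so a validation step elsewhere in it cannot be ruled out.

```go
allow, err := cmd.Flags().GetStringArray("allow")
// … unchanged: err check on GetStringArray …
for _, e := range allow {
	switch e {
	case "network.host", "security.insecure":
	default:
		return types.BuilderBuildOptions{}, fmt.Errorf("unknown entitlement %q for --allow", e)
	}
}
// … unchanged: ssh flag parsing …
```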
diff --git a/docs/command-reference.md b/docs/command-reference.md
index ba535cacf1..cbd7962799 100644
--- a/docs/command-reference.md
+++ b/docs/command-reference.md
@@ -681,6 +681,7 @@ Flags:
 - :whale: `type=image,name=example.com/image,push=true`: Push to a registry (see [`buildctl build`](https://github.com/moby/buildkit/tree/v0.9.0#imageregistry) documentation)
 - :whale: `--progress=(auto|plain|tty)`: Set type of progress output (auto, plain, tty). Use plain to show container output
 - :whale: `--secret`: Secret file to expose to the build: id=mysecret,src=/local/secret
+- :whale: `--allow`: Allow extra privileged entitlement, e.g. network.host, security.insecure (It’s required to configure the buildkitd to enable the feature, see [`buildkitd.toml`](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md) documentation)
 - :whale: `--ssh`: SSH agent socket or keys to expose to the build (format: `default|[=|[,]]`)
 - :whale: `-q, --quiet`: Suppress the build output and print image ID on success
 - :whale: `--cache-from=CACHE`: External cache sources (eg. user/app:cache, type=local,src=path/to/dir) (compatible with `docker buildx build`)
diff --git a/pkg/api/types/builder_types.go b/pkg/api/types/builder_types.go
index c796c3568d..460814e9c0 100644
--- a/pkg/api/types/builder_types.go
+++ b/pkg/api/types/builder_types.go
@@ -43,6 +43,8 @@ type BuilderBuildOptions struct {
 Progress string
 // Secret file to expose to the build: id=mysecret,src=/local/secret
 Secret []string
+ // Allow extra privileged entitlement, e.g. network.host, security.insecure
+ Allow []string
 // SSH agent socket or keys to expose to the build (format: default|[=|[,]])
 SSH []string
 // Quiet suppress the build output and print image ID on success
diff --git a/pkg/cmd/builder/build.go b/pkg/cmd/builder/build.go
index df575fcd95..fa2feeaa08 100644
--- a/pkg/cmd/builder/build.go
+++ b/pkg/cmd/builder/build.go
@@ -328,6 +328,10 @@ func generateBuildctlArgs(ctx context.Context, client *containerd.Client, option
 buildctlArgs = append(buildctlArgs, "--secret="+s)
 }

+ for _, s := range strutil.DedupeStrSlice(options.Allow) {
+ buildctlArgs = append(buildctlArgs, "--allow="+s)
+ }
+
 for _, s := range strutil.DedupeStrSlice(options.SSH) {
 buildctlArgs = append(buildctlArgs, "--ssh="+s)
 }
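Review bot: Nothing in the added loop records that a privileged entitlement was requested: each `options.Allow` value is turned into a `--allow=` argument silently. Since `security.insecure` and `network.host` relax the isolation BuildKit applies to build steps, a warning-level log entry naming the entitlement, emitted before the append, would let CI logs and later review tell such builds apart. At minimum add a comment above the loop, e.g. `// --allow forwards privileged entitlements to buildctl unchanged; buildkitd must also permit them`. generateBuildctlArgs starts and ends outside the hunk, so logging elsewhere in it cannot be ruled out.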