Skip to content

Switch buildx remote driver from TCP to docker-container#24

Merged
dash14 merged 2 commits intomainfrom
refactor/buildx-docker-container
Mar 17, 2026
Merged

Switch buildx remote driver from TCP to docker-container#24
dash14 merged 2 commits intomainfrom
refactor/buildx-docker-container

Conversation

@dash14
Copy link
Copy Markdown
Owner

@dash14 dash14 commented Mar 17, 2026
edited
Loading

Summary

Switch the buildx remote driver connection from tcp://localhost:1234 to docker-container://buildcage.

Why

The TCP-based connection had several drawbacks:

  • Unnecessary network exposure: The BuildKit API had to be exposed on a TCP port (1234) on the host, increasing the attack surface.
  • Defensive complexity from TCP exposure: An iptables rule was needed to explicitly block access to the API port from inside the build container (buildkit0). This was a secondary security measure required solely because of the TCP exposure — not an inherently necessary concern.
  • Port management overhead: The port parameter, its input/output plumbing, and a health check TCP probe were scattered across multiple files, adding incidental complexity.

The docker-container:// driver communicates through Docker's internal channel, eliminating the need to expose a TCP port entirely. This removes all of the above issues at once.

Changes

  • Switch buildx endpoint to docker-container://buildcage
  • Remove ports mapping from compose.yml
  • Remove --addr tcp://0.0.0.0:1234 from buildkitd CMD
  • Remove iptables rules blocking port 1234 access (no longer needed)
  • Remove TCP port probe from health check
  • Replace port input/output with builder_name input for container name configuration

dash14 added 2 commits March 17, 2026 20:16
@dash14
Switch buildx remote driver from TCP to docker-container
45265e7 
Replace tcp://localhost:1234 endpoint with docker-container://buildcage.
This eliminates the need for TCP port exposure and simplifies the connection between buildx and the builder container.
@dash14
Update test workflow to use docker-container driver
63995b8
@dash14 dash14 merged commit 8a28180 into main Mar 17, 2026
6 checks passed
@dash14 dash14 deleted the refactor/buildx-docker-container branch March 17, 2026 12:21
dash14 added a commit that referenced this pull request Mar 17, 2026
@dash14
Update example workflows to use docker-container driver
7bbb128 
Replace the legacy TCP endpoint with docker-container://buildcage
to match the README and the driver migration in #24.
@dash14 dash14 mentioned this pull request Mar 17, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dash14