bake: local dockerfile support for remote definition

[crazy-max]

fixes #1627

Allow to use a local dockerfile with a remote bake definition like we do for context using cwd:// protocol.

Can be tested with https://github.com/crazy-max/buildx-buildkit-tests/tree/main/buildx-1627:

$ cd /tmp
$ cat <<EOT >> Dockerfile.app
FROM scratch
COPY foo /foo
EOT
$ docker buildx bake https://github.com/crazy-max/buildx-buildkit-tests.git#:buildx-1627

[crazy-max]

We need to return the absolute representation of the dockerfile path after checking its a valid one like we do for context so we can set the right dockerfile dir if context is a remote URL during build.

I was also thinking reading the file in bi.DockerfileInline and then set bi.DockerfilePath = "-" but that's hacky and would be confusing.

[jedevc]

Should we add a test to make sure that #1880 (comment) still applies? So in the test, if Dockerfile.app appears without the cwd:// prefix, we should error.

Either - that case should error like in v0.11 (which reverted #1880), or it should pull the docker file from the remote.

[crazy-max]

Should we add a test to make sure that #1880 (comment) still applies? So in the test, if Dockerfile.app appears without the cwd:// prefix, we should error.

Either - that case should error like in v0.11 (which reverted #1880), or it should pull the docker file from the remote.

Yes so for a remote bake definition like:

target "default" {
  context = BAKE_CMD_CONTEXT
  dockerfile = "Dockerfile.app"
}

Invoked with:

docker buildx bake https://github.com/foo/bar.git

We should use local context but we don't support reading remote Dockerfile as expected:

#0 building with "default" instance using docker driver

#1 [internal] load git source https://github.com/foo/bar.git
#1 0.480 ref: refs/heads/main   HEAD
#1 0.480 dea0f6334d719a494a384a13812f604b6b79fed3       HEAD
#1 0.916 dea0f6334d719a494a384a13812f604b6b79fed3       refs/heads/main
#1 CACHED

#2 [internal] load .dockerignore
#2 transferring context:
#2 transferring context: 2B done
#2 DONE 0.0s

#3 [internal] load build definition from Dockerfile.app
#3 transferring dockerfile: 2B done
#3 DONE 0.0s
ERROR: failed to solve: failed to read dockerfile: open /var/lib/docker/tmp/buildkit-mount3004544897/Dockerfile.app: no such file or directory

[crazy-max]

Deny access to a local dockerfile for remote invocation with a local context. We need to check if a local Dockerfile exists early at the moment but in follow-up we should support reading a remote Dockerfile. Probably having a DockerfileState input like ContextState one.

[jedevc]

Just want to check - isn't this independent of what the Context is set to? Isn't it instead dependent on whether the bake file is coming from a remote?

[crazy-max]

It's dependent on remote bake but also if context is not local

[tonistiigi]

follow-up: this should work with remote URLs as well

[crazy-max]

you mean similar to what has been said in #2015 (comment) so we support reading a remote Dockerfile with a local context?

[tonistiigi]

I'm not sure I understand this condition:

!build.IsRemoteURL(bi.DockerfilePath) && strings.HasPrefix(bi.ContextPath, "cwd://")

If Dockerfile is not remote and context is based on local dir then why would that be invalid config?

Maybe a comment would help.

[tonistiigi]

Is this for security?

[crazy-max]

No, just not supported atm, see #2015 (comment)

[crazy-max]

Added a comment to better explain the issue.