From fe15878c6c1470af0be6be9fe198211d2fa74eda Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Thu, 4 Sep 2025 09:58:43 +0200
Subject: [PATCH] Update buildkit reference to v0.24.0

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .../moby/buildkit/docs/buildkitd.toml.md | 10 +---
 .../frontend/dockerfile/docs/reference.md | 41 ++++++++++----
 .../frontend/dockerfile/docs/rules/_index.md | 8 +++
 .../docs/rules/expose-invalid-format.md | 55 +++++++++++++++++++
 .../docs/rules/expose-proto-casing.md | 37 +++++++++++++
 go.mod | 2 +-
 go.sum | 2 +
 7 files changed, 135 insertions(+), 20 deletions(-)
 create mode 100644 _vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/expose-invalid-format.md
 create mode 100644 _vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/expose-proto-casing.md

diff --git a/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md b/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md
index 3565a28a2173..584b69780c27 100644
--- a/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md
+++ b/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md
@@ -20,7 +20,7 @@ trace = true
 # root is where all buildkit state is stored.
 root = "/var/lib/buildkit"
 # insecure-entitlements allows insecure entitlements, disabled by default.
-insecure-entitlements = [ "network.host", "security.insecure" ]
+insecure-entitlements = [ "network.host", "security.insecure", "device" ]
 
 [log]
 # log formatter: json or text
@@ -69,7 +69,6 @@ insecure-entitlements = [ "network.host", "security.insecure" ]
 # Whether run subprocesses in main pid namespace or not, this is useful for
 # running rootless buildkit inside a container.
 noProcessSandbox = false
-
 # gc enables/disables garbage collection
 gc = true
 # reservedSpace is the minimum amount of disk space guaranteed to be
@@ -87,7 +86,6 @@ insecure-entitlements = [ "network.host", "security.insecure" ]
 # collector will attempt to leave - however, it will never be bought below
 # reservedSpace.
 minFreeSpace = "20GB"
-
 # alternate OCI worker binary name(example 'crun'), by default either
 # buildkit-runc or runc binary is used
 binary = ""
@@ -116,7 +114,6 @@ insecure-entitlements = [ "network.host", "security.insecure" ]
 # collector will attempt to leave - however, it will never be bought below
 # reservedSpace.
 minFreeSpace = "10GB"
-
 # keepDuration can be an integer number of seconds (e.g. 172800), or a
 # string duration (e.g. "48h")
 keepDuration = "48h"
@@ -148,7 +145,8 @@ insecure-entitlements = [ "network.host", "security.insecure" ]
 # collector will attempt to leave - however, it will never be bought below
 # reservedSpace.
 minFreeSpace = "20GB"
-
+ # limit the number of parallel build steps that can run at the same time
+ max-parallelism = 4
 # maintain a pool of reusable CNI network namespaces to amortize the overhead
 # of allocating and releasing the namespaces
 cniPoolSize = 16
@@ -195,7 +193,6 @@ insecure-entitlements = [ "network.host", "security.insecure" ]
 
 [frontend."gateway.v0"]
 enabled = true
-
 # If allowedRepositories is empty, all gateway sources are allowed.
 # Otherwise, only the listed repositories are allowed as a gateway source.
 #
@@ -208,5 +205,4 @@ insecure-entitlements = [ "network.host", "security.insecure" ]
 [system]
 # how often buildkit scans for changes in the supported emulated platforms
 platformsCacheMaxAge = "1h"
-
 ```
diff --git a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md
index 5b32b7f01e13..3e87ac3a5739 100644
--- a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md
+++ b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md
@@ -721,6 +721,12 @@ RUN --device=name,[required] `RUN --device` allows build to request [CDI devices](https://github.com/moby/buildkit/blob/master/docs/cdi.md) to be available to the build step. +> [!WARNING] +> The use of `--device` is protected by the `device` entitlement, which needs +> to be enabled when starting the buildkitd daemon with +> `--allow-insecure-entitlement device` flag or in [buildkitd config](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md), +> and for a build request with [`--allow device` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow). + The device `name` is provided by the CDI specification registered in BuildKit. In the following example, multiple devices are registered in the CDI @@ -752,6 +758,8 @@ devices: containerEdits: env: - QUX=injected +annotations: + org.mobyproject.buildkit.device.autoallow: true ``` The device name format is flexible and accepts various patterns to support @@ -762,6 +770,14 @@ multiple device configurations: * `vendor1.com/device=*`: request all devices for this vendor * `class1`: request devices by `org.mobyproject.buildkit.device.class` annotation +> [!NOTE] +> Annotations are supported by the CDI specification since 0.6.0. + +> [!NOTE] +> To automatically allow all devices registered in the CDI specification, you +> can set the `org.mobyproject.buildkit.device.autoallow` annotation. You can +> also set this annotation for a specific device. + #### Example: CUDA-Powered LLaMA Inference In this example we use the `--device` flag to run `llama.cpp` inference using @@ -1889,7 +1905,7 @@ conditions for cache reuse. ### COPY --parents > [!NOTE] -> Not yet available in stable syntax, use [`docker/dockerfile:1.7-labs`](#syntax) version. +> Not yet available in stable syntax, use [`docker/dockerfile:1-labs`](#syntax) version. ```dockerfile COPY [--parents[=]] ... 
@@ -1946,7 +1962,7 @@ with the `--parents` flag, the Buildkit is capable of packing multiple
 ### COPY --exclude
 
 > [!NOTE]
-> Not yet available in stable syntax, use [`docker/dockerfile:1.7-labs`](#syntax) version.
+> Not yet available in stable syntax, use [`docker/dockerfile:1-labs`](#syntax) version.
 
 ```dockerfile
 COPY [--exclude= ...] ...
@@ -2608,16 +2624,17 @@ RUN echo "I'm building for $TARGETPLATFORM" ### BuildKit built-in build args -| Arg | Type | Description | -|----------------------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `BUILDKIT_CACHE_MOUNT_NS` | String | Set optional cache ID namespace. | -| `BUILDKIT_CONTEXT_KEEP_GIT_DIR` | Bool | Trigger Git context to keep the `.git` directory. | -| `BUILDKIT_HISTORY_PROVENANCE_V1` | Bool | Enable [SLSA Provenance v1](https://slsa.dev/spec/v1.1/provenance) for build history record. | -| `BUILDKIT_INLINE_CACHE`[^2] | Bool | Inline cache metadata to image config or not. | -| `BUILDKIT_MULTI_PLATFORM` | Bool | Opt into deterministic output regardless of multi-platform output or not. | -| `BUILDKIT_SANDBOX_HOSTNAME` | String | Set the hostname (default `buildkitsandbox`) | -| `BUILDKIT_SYNTAX` | String | Set frontend image | -| `SOURCE_DATE_EPOCH` | Int | Set the Unix timestamp for created image and layers. More info from [reproducible builds](https://reproducible-builds.org/docs/source-date-epoch/). Supported since Dockerfile 1.5, BuildKit 0.11 | +| Arg | Type | Description | +|----------------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `BUILDKIT_BUILD_NAME` | String | Override the build name shown in [`buildx history` command](https://docs.docker.com/reference/cli/docker/buildx/history/) and [Docker Desktop Builds view](https://docs.docker.com/desktop/use-desktop/builds/). | +| `BUILDKIT_CACHE_MOUNT_NS` | String | Set optional cache ID namespace. | +| `BUILDKIT_CONTEXT_KEEP_GIT_DIR` | Bool | Trigger Git context to keep the `.git` directory. 
| +| `BUILDKIT_HISTORY_PROVENANCE_V1` | Bool | Enable [SLSA Provenance v1](https://slsa.dev/spec/v1.1/provenance) for build history record. | +| `BUILDKIT_INLINE_CACHE`[^2] | Bool | Inline cache metadata to image config or not. | +| `BUILDKIT_MULTI_PLATFORM` | Bool | Opt into deterministic output regardless of multi-platform output or not. | +| `BUILDKIT_SANDBOX_HOSTNAME` | String | Set the hostname (default `buildkitsandbox`) | +| `BUILDKIT_SYNTAX` | String | Set frontend image | +| `SOURCE_DATE_EPOCH` | Int | Set the Unix timestamp for created image and layers. More info from [reproducible builds](https://reproducible-builds.org/docs/source-date-epoch/). Supported since Dockerfile 1.5, BuildKit 0.11 | #### Example: keep `.git` dir diff --git a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/_index.md b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/_index.md index 0938ace3dfe8..d1b1f1050d26 100644 --- a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/_index.md +++ b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/_index.md @@ -107,5 +107,13 @@ To learn more about how to use build checks, see InvalidDefinitionDescription (experimental) Comment for build stage or argument should follow the format: `# `. If this is not intended to be a description comment, add an empty line or comment between the instruction and the comment. + + ExposeProtoCasing + Protocol in EXPOSE instruction should be lowercase + + + ExposeInvalidFormat + IP address and host-port mapping should not be used in EXPOSE instruction. This will become an error in a future release + diff --git a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/expose-invalid-format.md b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/expose-invalid-format.md new file mode 100644 index 000000000000..9198178f3305 --- /dev/null +++ b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/expose-invalid-format.md 
@@ -0,0 +1,55 @@
+---
+title: ExposeInvalidFormat
+description: >-
+ IP address and host-port mapping should not be used in EXPOSE instruction. This will become an error in a future release
+aliases:
+ - /go/dockerfile/rule/expose-invalid-format/
+---
+
+## Output
+
+```text
+EXPOSE instruction should not define an IP address or host-port mapping, found '127.0.0.1:80:80'
+```
+
+## Description
+
+The [`EXPOSE`](https://docs.docker.com/reference/dockerfile/#expose) instruction
+in a Dockerfile is used to indicate which ports the container listens on at
+runtime. It should not include an IP address or host-port mapping, as this is
+not the intended use of the `EXPOSE` instruction. Instead, it should only
+specify the port number and optionally the protocol (TCP or UDP).
+
+> [!IMPORTANT]
+> This will become an error in a future release.
+
+## Examples
+
+❌ Bad: IP address and host-port mapping used.
+
+```dockerfile
+FROM alpine
+EXPOSE 127.0.0.1:80:80
+```
+
+✅ Good: only the port number is specified.
+
+```dockerfile
+FROM alpine
+EXPOSE 80
+```
+
+❌ Bad: Host-port mapping used.
+
+```dockerfile
+FROM alpine
+EXPOSE 80:80
+```
+
+✅ Good: only the port number is specified.
+
+```dockerfile
+FROM alpine
+EXPOSE 80
+```
+
diff --git a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/expose-proto-casing.md b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/expose-proto-casing.md
new file mode 100644
index 000000000000..cfde7fe322ec
--- /dev/null
+++ b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/expose-proto-casing.md
@@ -0,0 +1,37 @@
+---
+title: ExposeProtoCasing
+description: >-
+ Protocol in EXPOSE instruction should be lowercase
+aliases:
+ - /go/dockerfile/rule/expose-proto-casing/
+---
+
+## Output
+
+```text
+Defined protocol '80/TcP' in EXPOSE instruction should be lowercase
+```
+
+## Description
+
+Protocol names in the [`EXPOSE`](https://docs.docker.com/reference/dockerfile/#expose)
+instruction should be specified in lowercase to maintain consistency and
+readability. This rule checks for protocols that are not in lowercase and
+reports them.
+
+## Examples
+
+❌ Bad: protocol is not in lowercase.
+
+```dockerfile
+FROM alpine
+EXPOSE 80/TcP
+```
+
+✅ Good: protocol is in lowercase.
+
+```dockerfile
+FROM alpine
+EXPOSE 80/tcp
+```
+
diff --git a/go.mod b/go.mod
index 3f2729e6c830..a92e0103ba8b 100644
--- a/go.mod
+++ b/go.mod
@@ -114,7 +114,7 @@ replace (
 github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.39.2
 github.com/docker/model-cli => github.com/docker/model-cli v0.1.39
 github.com/docker/scout-cli => github.com/docker/scout-cli v1.18.1
- github.com/moby/buildkit => github.com/moby/buildkit v0.23.2
+ github.com/moby/buildkit => github.com/moby/buildkit v0.24.0
 github.com/moby/moby => github.com/moby/moby v28.3.3+incompatible
 )
 
diff --git a/go.sum b/go.sum
index 3d114425fb10..2d1a9db4bea7 100644
--- a/go.sum
+++ b/go.sum
@@ -194,6 +194,8 @@ github.com/moby/buildkit v0.22.0 h1:aWN06w1YGSVN1XfeZbj2ZbgY+zi5xDAjEFI8Cy9fTjA=
 github.com/moby/buildkit v0.22.0/go.mod h1:j4pP5hxiTWcz7xuTK2cyxQislHl/N2WWHzOy43DlLJw=
 github.com/moby/buildkit v0.23.2 h1:gt/dkfcpgTXKx+B9I310kV767hhVqTvEyxGgI3mqsGQ=
 github.com/moby/buildkit v0.23.2/go.mod h1:iEjAfPQKIuO+8y6OcInInvzqTMiKMbb2RdJz1K/95a0=
+github.com/moby/buildkit v0.24.0 h1:qYfTl7W1SIJzWDIDCcPT8FboHIZCYfi++wvySi3eyFE=
+github.com/moby/buildkit v0.24.0/go.mod h1:4qovICAdR2H4C7+EGMRva5zgHW1gyhT4/flHI7F5F9k=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=