workeropt.go
package bkimage
import (
"fmt"
"os/exec"
"path/filepath"
"syscall"
"github.com/containerd/containerd/diff/apply"
"github.com/containerd/containerd/diff/walking"
ctdmetadata "github.com/containerd/containerd/metadata"
"github.com/containerd/containerd/platforms"
bkmetadata "github.com/moby/buildkit/cache/metadata"
"github.com/moby/buildkit/executor/oci"
"github.com/moby/buildkit/executor/runcexecutor"
containerdsnapshot "github.com/moby/buildkit/snapshot/containerd"
"github.com/moby/buildkit/util/binfmt_misc"
"github.com/moby/buildkit/util/leaseutil"
"github.com/moby/buildkit/util/network/netproviders"
"github.com/moby/buildkit/worker/base"
specs "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/opencontainers/runc/libcontainer/system"
)
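// createWorkerOpt assembles the BuildKit base.WorkerOpt for this client: a
// runc executor rooted under c.rootDir, the BuildKit metadata store, the list
// of supported platforms and the content/image/snapshot stores already held
// by c.
//
// On success the assembled options are also cached in c.workerOpt. Every
// error path returns before opt is assigned, so a failure yields the zero
// WorkerOpt together with an error naming the step that failed; the
// underlying error stays reachable through errors.Is / errors.As.
func (c *Client) createWorkerOpt() (opt base.WorkerOpt, err error) {
	md, err := bkmetadata.NewStore(filepath.Join(c.rootDir, "metadata.db"))
	if err != nil {
		return opt, fmt.Errorf("opening buildkit metadata store: %w", err)
	}

	// worker executor
	// Rootless mode follows the effective UID seen in the parent user
	// namespace: anything other than 0 is treated as unprivileged.
	unprivileged := system.GetParentNSeuid() != 0
	c.logger.V(1).Info(fmt.Sprintf("Executor running unprivileged: %t", unprivileged))
	exeOpt := runcexecutor.Opt{
		Root:     filepath.Join(c.rootDir, "executor"),
		Rootless: unprivileged,
		// getProcessMode may select oci.NoProcessSandbox when its procfs
		// probe fails, so the isolation level of build steps depends on the
		// environment the client runs in.
		ProcessMode: c.getProcessMode(),
	}
	np, err := netproviders.Providers(netproviders.Opt{Mode: "auto"})
	if err != nil {
		return opt, fmt.Errorf("selecting network providers: %w", err)
	}
	exe, err := runcexecutor.New(exeOpt, np)
	if err != nil {
		return opt, fmt.Errorf("creating runc executor: %w", err)
	}

	// worker metadata
	id, err := base.ID(c.rootDir)
	if err != nil {
		return opt, fmt.Errorf("resolving worker ID: %w", err)
	}
	executorLabels := base.Labels("oci", c.backend)

	var supportedPlatforms []specs.Platform
	for _, s := range binfmt_misc.SupportedPlatforms(false) {
		p, err := platforms.Parse(s)
		if err != nil {
			return opt, fmt.Errorf("parsing supported platform %q: %w", s, err)
		}
		supportedPlatforms = append(supportedPlatforms, platforms.Normalize(p))
	}

	opt = base.WorkerOpt{
		ID:            id,
		Labels:        executorLabels,
		Platforms:     supportedPlatforms,
		GCPolicy:      nil, // no GC policy is handed to the worker
		MetadataStore: md,
		Executor:      exe,
		Snapshotter:   containerdsnapshot.NewSnapshotter(c.backend, c.metadataDB.Snapshotter(c.backend), "buildkit", nil),
		ContentStore:  c.contentStore,
		Applier:       apply.NewFileSystemApplier(c.contentStore),
		Differ:        walking.NewWalkingDiff(c.contentStore),
		ImageStore:    c.imageStore,
		RegistryHosts: c.getRegistryHosts(),
		// nil: no UID/GID identity mapping is passed to the worker.
		IdentityMapping: nil,
		LeaseManager:    leaseutil.WithNamespace(ctdmetadata.NewLeaseManager(c.metadataDB), "buildkit"),
		GarbageCollect:  c.metadataDB.GarbageCollect,
	}
	c.workerOpt = &opt // NOTE: modified
	return opt, nil
}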
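// getProcessMode probes whether a fresh procfs can be mounted inside new PID
// and mount namespaces, and picks the runc process mode from the result.
//
// The probe runs `mount -t proc none /proc` in a child created with
// CLONE_NEWPID and an unshared mount namespace, so the mount never touches
// the caller's own /proc. If the probe succeeds oci.ProcessSandbox is
// returned; otherwise the function falls back to oci.NoProcessSandbox.
//
// NOTE(review): in BuildKit, NoProcessSandbox runs build containers in the
// builder's own PID namespace and procfs, so a build step can see and signal
// processes outside the build. Treat the fallback as a weaker isolation level.
// It is only logged at verbosity 1 here, so confirm operators can see it.
func (c *Client) getProcessMode() oci.ProcessMode {
	// "mount" is resolved through PATH by exec.Command.
	// NOTE(review): confirm PATH is trusted wherever this client runs.
	probe := exec.Command("mount", "-t", "proc", "none", "/proc")
	probe.SysProcAttr = &syscall.SysProcAttr{
		// Kill the probe if the parent goes away, so it cannot linger.
		Pdeathsig:    syscall.SIGKILL,
		Cloneflags:   syscall.CLONE_NEWPID,
		Unshareflags: syscall.CLONE_NEWNS,
	}

	out, err := probe.CombinedOutput()
	if err != nil {
		// Log err as well as the output: when the child cannot be started
		// (mount not found, clone refused) the output is empty and err is the
		// only diagnostic.
		c.logger.V(1).Info(fmt.Sprintf("Process sandbox is not available, consider unmasking procfs: %v (mount output: %q)", err, string(out)))
		return oci.NoProcessSandbox
	}
	return oci.ProcessSandbox
}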