solver: net host with basic entitlements support #560

Merged
merged 2 commits into moby:master from tonistiigi:nethost Aug 16, 2018

Member

tonistiigi commented Aug 7, 2018

This adds capabilities for configuring networking modes to support network=none in llb and --net=host, --net=none in Moby Dockerfiles.

In order to implement it, I needed to do some basic preparation for entitlements. cc @kunalkushwaha PTAL. There are no entitlements in llb yet, nor any support for the security.unconfined, nor daemon config, but I created the base package to run the validation.

network.host is disabled atm globally https://github.com/moby/buildkit/pull/560/files#diff-d2a8a37b660c457a954dfeae935c476eR246. In the end, it could be configurable from daemon config but this is enough for Moby integration to enable it if needed.

Based on #556

@@ -76,6 +77,10 @@ var buildCommand = cli.Command{
Name: "secret",
Usage: "Secret value exposed to the build. Format id=secretname,src=filepath",
},
cli.StringSliceFlag{
Name: "allow",
Usage: "Allow extra privileged entitlement",
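
Review bot: The Usage text on the new `allow` flag, "Allow extra privileged entitlement", names no accepted value, while the `secret` flag directly above documents its format in its own Usage string. Because this flag widens what a build is permitted to do, suggest listing the valid entitlement names in the help text and stating that the flag is given once per entitlement (it is a `cli.StringSliceFlag`), so an operator can see exactly what is being granted.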

AkihiroSuda Aug 7, 2018

Member

Allow extra privileged entitlement, e.g. network.host, security.unconfined?

defer c.Close()

st := llb.Image("busybox:latest").
Run(llb.Shlex(`sh -c 'ping -c 1 8.8.8.8 2>&1 | grep "Network is unreachable"'`), llb.Network(llb.NetModeNone))
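
Review bot: The `llb.NetModeNone` assertion in the `Run` call passes only when `ping` prints the exact string "Network is unreachable", so the result depends on one tool's error wording inside a floating `busybox:latest` image rather than on the network actually being absent. A ping that fails for any other reason, or an image update that changes the message, fails the test with no change in isolation. Suggest checking something less brittle than a grep on stderr text, and pinning the image tag so the test input is fixed.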

AkihiroSuda Aug 7, 2018

Member

wget https://example.com? (ping does not work for unprivileged users by default)

Member

AkihiroSuda commented Aug 7, 2018

lint failure

client/client_test.go:1::warning: file is not gofmted with -s (gofmt)
util/entitlements/entitlements.go:1::warning: file is not gofmted with -s (gofmt)
client/client_test.go:1::warning: file is not goimported (goimports)
make: *** [lint] Error 1

Contributor

kunalkushwaha commented Aug 7, 2018

For my entitlements work, I took relevant code from libentitlement project and created an entitlement package. https://github.com/moby/buildkit/compare/master...kunalkushwaha:entitlements?expand=1#diff-cd696a71b0295c7363b5387afd2f174a

Was stuck on how to pass the flags to buildkit worker, this PR will help me.

tonistiigi referenced this pull request Aug 7, 2018

protobuf updated
Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>

tonistiigi referenced this pull request Aug 7, 2018

relevant entitlement code from moby/libentitlement
Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>

@tonistiigi tonistiigi force-pushed the tonistiigi:nethost branch 3 times, most recently from 555c8ff to e62a6b0 Aug 7, 2018

tonistiigi added some commits Aug 4, 2018

solver: net host with basic entitlements support
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
dockerfile: enable global net-mode settings
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

@tonistiigi tonistiigi force-pushed the tonistiigi:nethost branch from e62a6b0 to 95e0348 Aug 9, 2018

@AkihiroSuda AkihiroSuda merged commit 250401f into moby:master Aug 16, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed