use llb.WithNetworkConfig instead of secrets hack

Signed-off-by: Alex Suraci <alex@dagger.io>

cmd/dagger/engine.go

@@ -70,8 +70,7 @@ func withEngineAndTUI(
 	}
 
 	if engineConf.ExtraSearchDomains == nil {
-		// TODO(vito): _EXPERIMENTAL; must be in sync with shim
-		engineConf.ExtraSearchDomains = strings.Fields(os.Getenv("_DAGGER_SEARCH_DOMAIN"))
+		engineConf.ExtraSearchDomains = strings.Fields(os.Getenv("_EXPERIMENTAL_DAGGER_SEARCH_DOMAIN"))
 	}
 
 	if !silent {

cmd/engine/main.go

@@ -37,7 +37,7 @@ import (
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/cmd/buildkitd/config"
 	"github.com/moby/buildkit/control"
-	"github.com/moby/buildkit/executor/oci"
+	"github.com/moby/buildkit/executor"
 	"github.com/moby/buildkit/frontend"
 	dockerfile "github.com/moby/buildkit/frontend/dockerfile/builder"
 	"github.com/moby/buildkit/frontend/gateway"
@@ -909,10 +909,10 @@ func getBuildkitVersion() client.BuildkitVersion {
 	}
 }
 
-func getDNSConfig(cfg *config.DNSConfig) *oci.DNSConfig {
-	var dns *oci.DNSConfig
+func getDNSConfig(cfg *config.DNSConfig) *executor.DNSConfig {
+	var dns *executor.DNSConfig
 	if cfg != nil {
-		dns = &oci.DNSConfig{
+		dns = &executor.DNSConfig{
 			Nameservers:   cfg.Nameservers,
 			Options:       cfg.Options,
 			SearchDomains: cfg.SearchDomains,

cmd/shim/main.go

@@ -426,41 +426,27 @@ func setupBundle() int {
 		spec.Process.Args = append([]string{shimPath}, spec.Process.Args...)
 	}
 
-	// collect service IPs first so they can be used for service aliases below
-	var searchDomains []string
-	for _, env := range spec.Process.Env {
-		if strings.HasPrefix(env, "_DAGGER_SEARCH_DOMAIN=") {
-			_, val, _ := strings.Cut(env, "=")
-			searchDomains = strings.Fields(val)
-		}
-	}
-
 	var hostsFilePath string
-	for i, mnt := range spec.Mounts {
+	var searchDomains []string
+	for _, mnt := range spec.Mounts {
 		switch mnt.Destination {
 		case "/etc/hosts":
 			hostsFilePath = mnt.Source
 		case "/etc/resolv.conf":
-			if len(searchDomains) == 0 {
-				break
-			}
-
-			newResolvPath := filepath.Join(bundleDir, "resolv.conf")
+			// collect search domains; we need them this early so that we can use
+			// them for resolving service aliases
 
-			newResolv, err := os.Create(newResolvPath)
+			var err error
+			searchDomains, err = collectSearchDomains(mnt.Source)
 			if err != nil {
-				panic(err)
-			}
-
-			if err := replaceSearch(newResolv, mnt.Source, searchDomains); err != nil {
-				panic(err)
-			}
-
-			if err := newResolv.Close(); err != nil {
-				panic(err)
+				fmt.Fprintln(os.Stderr, "collect search domains:", err)
+				return 1
 			}
 
-			spec.Mounts[i].Source = newResolvPath
+			// propagate search domains to the child
+			spec.Process.Env = append(spec.Process.Env,
+				"_EXPERIMENTAL_DAGGER_SEARCH_DOMAIN="+strings.Join(searchDomains, " "),
+			)
 		}
 	}
 
@@ -478,9 +464,6 @@ func setupBundle() int {
 				Options:     []string{"rbind"},
 				Source:      "/run/buildkit/buildkitd.sock",
 			})
-		case strings.HasPrefix(env, "_DAGGER_SEARCH_DOMAIN="):
-			// keep this env var; it is propagated to nested Dagger
-			keepEnv = append(keepEnv, env)
 		case strings.HasPrefix(env, aliasPrefix):
 			// NB: don't keep this env var, it's only for the bundling step
 			// keepEnv = append(keepEnv, env)
@@ -653,10 +636,10 @@ func runWithNesting(ctx context.Context, cmd *exec.Cmd) error {
 		RunnerHost:   "unix:///.runner.sock",
 	}
 
-	if searchDomains, found := os.LookupEnv("_DAGGER_SEARCH_DOMAIN"); found {
-		// NB: don't use internalEnv; we keep it around to propagate to the command
-		//
-		// TODO: maybe not?
+	if searchDomains, found := os.LookupEnv("_EXPERIMENTAL_DAGGER_SEARCH_DOMAIN"); found {
+		// NB: don't use internalEnv since it unsets the env var. we keep it around
+		// to propagate to the command, to support running 'dagger do' in dagger,
+		// though this is primarily motivated by tests
 		engineConf.ExtraSearchDomains = strings.Fields(searchDomains)
 	}
 
@@ -697,33 +680,28 @@ func runWithNesting(ctx context.Context, cmd *exec.Cmd) error {
 	return nil
 }
 
-func replaceSearch(dst io.Writer, resolv string, searchDomains []string) error {
+func collectSearchDomains(resolv string) ([]string, error) {
 	src, err := os.Open(resolv)
 	if err != nil {
-		return nil
+		return nil, err
 	}
 	defer src.Close()
 
 	srcScan := bufio.NewScanner(src)
 
-	var replaced bool
+	daggerDomains := []string{}
 	for srcScan.Scan() {
 		if !strings.HasPrefix(srcScan.Text(), "search") {
-			fmt.Fprintln(dst, srcScan.Text())
 			continue
 		}
 
-		oldDomains := strings.Fields(srcScan.Text())[1:]
-
-		newDomains := append([]string{}, searchDomains...)
-		newDomains = append(newDomains, oldDomains...)
-		fmt.Fprintln(dst, "search", strings.Join(newDomains, " "))
-		replaced = true
-	}
-
-	if !replaced {
-		fmt.Fprintln(dst, "search", strings.Join(searchDomains, " "))
+		domains := strings.Fields(srcScan.Text())[1:]
+		for _, domain := range domains {
+			if strings.HasSuffix(domain, ".dagger.local") {
+				daggerDomains = append(daggerDomains, domain)
+			}
+		}
 	}
 
-	return nil
+	return daggerDomains, nil
 }

core/container.go

@@ -1096,10 +1096,7 @@ func (container *Container) WithExec(ctx context.Context, gw bkgw.Client, progSo
 		)
 	}
 
-	runOpts = append(runOpts, llb.AddSecret(
-		"_DAGGER_SEARCH_DOMAIN",
-		llb.SecretID(ServicesSearchDomainSecret),
-		llb.SecretAsEnv(true)))
+	runOpts = append(runOpts, llb.WithNetworkConfig(DaggerNetwork))
 
 	metaSt, metaSourcePath := metaMount(opts.Stdin)
 

core/schema/git.go

@@ -131,7 +131,7 @@ func (s *gitSchema) tree(ctx *router.Context, parent gitRef, args gitTreeArgs) (
 		// we have to be a bit selective here to avoid breaking Dockerfile builds
 		// that use a Buildkit frontend (# syntax = ...) that doesn't have the
 		// networks API cap yet.
-		opts = append(opts, llb.WithNetwork(core.DaggerNetwork))
+		opts = append(opts, llb.WithNetworkConfig(core.DaggerNetwork))
 	}
 
 	st := llb.Git(parent.Repository.URL, parent.Name, opts...)

core/schema/http.go

@@ -63,7 +63,7 @@ func (s *httpSchema) http(ctx *router.Context, parent *core.Query, args httpArgs
 		// we have to be a bit selective here to avoid breaking Dockerfile builds
 		// that use a Buildkit frontend (# syntax = ...) that doesn't have the
 		// networks API cap yet.
-		opts = append(opts, llb.WithNetwork(core.DaggerNetwork))
+		opts = append(opts, llb.WithNetworkConfig(core.DaggerNetwork))
 	}
 
 	st := llb.HTTP(args.URL, opts...)

core/service.go

@@ -22,10 +22,6 @@ import (
 	"golang.org/x/sync/errgroup"
 )
 
-// ServicesSearchDomainSecret is the name of a special secret
-// that fetches the DNS search domain for the current session.
-const ServicesSearchDomainSecret = "internal:services-search-domain"
-
 // DaggerNetwork is the ID of the network used for the Buildkit networks
 // session attachable.
 const DaggerNetwork = "dagger"
@@ -37,7 +33,7 @@ var servicesDomainOnce = &sync.Once{}
 // hostname. It is randomly generated on the first call.
 func ServicesDomain() string {
 	servicesDomainOnce.Do(func() {
-		servicesDomain = hostHashStr(identity.NewID())
+		servicesDomain = hostHashStr(identity.NewID()) + ".dagger.local"
 	})
 	return servicesDomain
 }
@@ -223,12 +219,7 @@ func (svc *Service) Start(ctx context.Context, gw bkgw.Client, progSock *Socket)
 
 	cfg := ctr.Config
 
-	// search domain for reaching other services
-	searchDomain := ServicesDomain()
-
-	env := []string{
-		"_DAGGER_SEARCH_DOMAIN=" + searchDomain,
-	}
+	env := []string{}
 
 	for _, e := range cfg.Env {
 		// strip out any env that are meant for internal use only, to prevent
@@ -241,12 +232,7 @@ func (svc *Service) Start(ctx context.Context, gw bkgw.Client, progSock *Socket)
 		}
 	}
 
-	secretEnv := []*pb.SecretEnv{
-		{
-			ID:   ServicesSearchDomainSecret,
-			Name: "_DAGGER_SEARCH_DOMAIN", // TODO const
-		},
-	}
+	secretEnv := []*pb.SecretEnv{}
 	secretsToScrub := SecretToScrubInfo{}
 	for i, ctrSecret := range ctr.Secrets {
 		switch {
@@ -391,15 +377,15 @@ func (svc *Service) Start(ctx context.Context, gw bkgw.Client, progSock *Socket)
 
 	vtx := rec.Vertex(dig, "start "+strings.Join(args, " "))
 
-	// set a hostname qualified by the current session ID
-	fullHost := host + "." + searchDomain
+	fullHost := host + "." + ServicesDomain()
 
 	health := newHealth(gw, fullHost, svc.Container.Ports)
 
 	gc, err := gw.NewContainer(ctx, bkgw.NewContainerRequest{
-		Mounts:   mounts,
-		Hostname: fullHost,
-		Platform: &pbPlatform,
+		Mounts:          mounts,
+		Hostname:        fullHost,
+		Platform:        &pbPlatform,
+		NetworkConfigID: DaggerNetwork,
 	})
 	if err != nil {
 		return nil, err

engine/engine.go

@@ -155,7 +155,7 @@ func Start(ctx context.Context, startOpts Config, fn StartCallback) error {
 	}
 
 	router := router.New(startOpts.SessionToken, recorder)
-	secretStore := secret.NewStore(startOpts.ExtraSearchDomains)
+	secretStore := secret.NewStore()
 
 	socketProviders := SocketProvider{
 		EnableHostNetworkAccess: !startOpts.DisableHostRW,
@@ -182,10 +182,10 @@ func Start(ctx context.Context, startOpts Config, fn StartCallback) error {
 			registryAuth,
 			secretsprovider.NewSecretProvider(secretStore),
 			socketProviders,
-			networks.NewAttachable(func(id string) *networks.NetworkConfig {
+			networks.NewConfigProvider(func(id string) *networks.Config {
 				switch id {
 				case core.DaggerNetwork:
-					return &networks.NetworkConfig{
+					return &networks.Config{
 						Dns: &networks.DNSConfig{
 							SearchDomains: append(
 								[]string{core.ServicesDomain()},

go.mod

@@ -264,4 +264,4 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
-replace github.com/moby/buildkit => github.com/vito/buildkit v0.10.1-0.20230620195901-f7ed19f7ce66
+replace github.com/moby/buildkit => github.com/vito/buildkit v0.10.1-0.20230621183425-780901296258

go.sum

@@ -1941,8 +1941,8 @@ github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmF
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
-github.com/vito/buildkit v0.10.1-0.20230620195901-f7ed19f7ce66 h1:/zD1sJy2yZYznzDrMLdxXf05QHPPzgLH8Yft2PO2fiI=
-github.com/vito/buildkit v0.10.1-0.20230620195901-f7ed19f7ce66/go.mod h1:6Y1HYDrxg3sY5gBY2FVaEvQpswBj3g/ck7aKYCjOkk0=
+github.com/vito/buildkit v0.10.1-0.20230621183425-780901296258 h1:tDpr0iNho10j0p2MgjH5eS5hFVR9jceC7pOx/gwgZSM=
+github.com/vito/buildkit v0.10.1-0.20230621183425-780901296258/go.mod h1:6Y1HYDrxg3sY5gBY2FVaEvQpswBj3g/ck7aKYCjOkk0=
 github.com/vito/progrock v0.7.1-0.20230628234355-c8ce2c2e3c24 h1:E6NeGFp8/YGYHnWtwzP5lrphxXLmoKsoAvdwuIkUTOk=
 github.com/vito/progrock v0.7.1-0.20230628234355-c8ce2c2e3c24/go.mod h1:YjiMvY2X47zc9H5je8w4V59cTSrV2d0vQPwJOB5TLH8=
 github.com/vito/vt100 v0.1.2 h1:gRhKJ/shHTRfMHg+Wc5ExHJzV6HHZqyQIAL52x4EUmA=

secret/store.go

@@ -3,7 +3,6 @@ package secret
 import (
 	"context"
 	"errors"
-	"strings"
 	"sync"
 
 	"github.com/dagger/dagger/core"
@@ -14,10 +13,9 @@ import (
 // ErrNotFound indicates a secret can not be found.
 var ErrNotFound = errors.New("secret not found")
 
-func NewStore(extraSearchDomains []string) *Store {
+func NewStore() *Store {
 	return &Store{
-		extraSearchDomains: extraSearchDomains,
-		secrets:            map[string]string{},
+		secrets: map[string]string{},
 	}
 }
 
@@ -26,10 +24,6 @@ var _ secrets.SecretStore = &Store{}
 type Store struct {
 	gw bkgw.Client
 
-	// XXX(vito): this is awful lol, we should add SearchDomains to upstream
-	// buildkit instead
-	extraSearchDomains []string
-
 	mu      sync.Mutex
 	secrets map[string]string
 }
@@ -62,13 +56,6 @@ func (store *Store) AddSecret(_ context.Context, name, plaintext string) (core.S
 //
 // In all other cases, a SecretID is expected.
 func (store *Store) GetSecret(ctx context.Context, idOrName string) ([]byte, error) {
-	if idOrName == core.ServicesSearchDomainSecret {
-		return []byte(strings.Join(append(
-			[]string{core.ServicesDomain()},
-			store.extraSearchDomains...,
-		), " ")), nil
-	}
-
 	var name string
 	if secret, err := core.SecretID(idOrName).ToSecret(); err == nil {
 		if secret.IsOldFormat() {