Skip to content

solver: net host with basic entitlements support #560

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 16, 2018
Merged

solver: net host with basic entitlements support #560

merged 2 commits into from
Aug 16, 2018

Conversation

tonistiigi
Copy link
Member

@tonistiigi tonistiigi commented Aug 7, 2018
edited
Loading

This adds capabilities for configuring networking modes to support network=none in llb and --net=host, --net=none in Moby Dockerfiles.

In order to implement it, I needed to do some basic preparation for entitlements. cc @kunalkushwaha PTAL . There are no entitlements in llb yet, nor any support for the security.unconfined, nor daemon config but I created the base package to run the validation.

network.host is disabled atm globally https://github.com/moby/buildkit/pull/560/files#diff-d2a8a37b660c457a954dfeae935c476eR246. In the end, it could be configurable from daemon config but this is enough for Moby integration the enable it if needed.

Based on #556

AkihiroSuda
AkihiroSuda reviewed Aug 7, 2018
View reviewed changes
cmd/buildctl/build.go Outdated
@@ -76,6 +77,10 @@ var buildCommand = cli.Command{
Name: "secret",
Usage: "Secret value exposed to the build. Format id=secretname,src=filepath",
},
cli.StringSliceFlag{
Name: "allow",
Usage: "Allow extra privileged entitlement",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Allow extra privileged entitlement, e.g. network.host, security.unconfined?

AkihiroSuda
AkihiroSuda reviewed Aug 7, 2018
View reviewed changes
client/client_test.go Outdated
defer c.Close()

st := llb.Image("busybox:latest").
Run(llb.Shlex(`sh -c 'ping -c 1 8.8.8.8 2>&1 | grep "Network is unreachable"'`), llb.Network(llb.NetModeNone))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wget https://example.com? (ping does not work for unprivileged users by default)

@AkihiroSuda
Copy link
Member

lint failure

client/client_test.go:1::warning: file is not gofmted with -s (gofmt)
util/entitlements/entitlements.go:1::warning: file is not gofmted with -s (gofmt)
client/client_test.go:1::warning: file is not goimported (goimports)
make: *** [lint] Error 1

@kunalkushwaha
Copy link
Collaborator

For my entitlements work, I took relevant code from libentitlement project and created an entitlement package. https://github.com/moby/buildkit/compare/master...kunalkushwaha:entitlements?expand=1#diff-cd696a71b0295c7363b5387afd2f174a

Was stuck on how to pass the flags to buildkit worker, this PR will help me.

tonistiigi referenced this pull request Aug 7, 2018
@kunalkushwaha
protobuf updated
e319d04 
Signed-off-by: Kunal Kushwaha <[email protected]>
tonistiigi referenced this pull request Aug 7, 2018
@kunalkushwaha
relevent entilement code from moby/libentitlement
ce30614 
Signed-off-by: Kunal Kushwaha <[email protected]>
@tonistiigi tonistiigi force-pushed the nethost branch 3 times, most recently from 555c8ff to e62a6b0 Compare August 9, 2018 20:38
@tonistiigi tonistiigi mentioned this pull request Aug 9, 2018
Merged
@kunalkushwaha kunalkushwaha mentioned this pull request Aug 14, 2018
Merged
@AkihiroSuda AkihiroSuda merged commit 250401f into moby:master Aug 16, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tonistiigi @AkihiroSuda @kunalkushwaha