From 001f0ffe3c9f73efbdedf364948d62557cc51d63 Mon Sep 17 00:00:00 2001
From: Guillaume Lours <705411+glours@users.noreply.github.com>
Date: Wed, 21 Dec 2022 10:20:46 +0100
Subject: [PATCH] add support of privileged attribut in service.build section
Signed-off-by: Guillaume Lours <705411+glours@users.noreply.github.com>
---
 pkg/compose/build.go | 7 +++-
 pkg/compose/build_classic.go | 5 +++
 pkg/e2e/build_test.go | 34 +++++++++++++++++++
 .../fixtures/build-test/privileged/Dockerfile | 19 +++++++++++
 .../build-test/privileged/compose.yaml | 5 +++
 5 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 pkg/e2e/fixtures/build-test/privileged/Dockerfile
 create mode 100644 pkg/e2e/fixtures/build-test/privileged/compose.yaml
diff --git a/pkg/compose/build.go b/pkg/compose/build.go
index 0ad252e54a..9056209cd0 100644
--- a/pkg/compose/build.go
+++ b/pkg/compose/build.go
@@ -33,6 +33,7 @@ import (
 "github.com/moby/buildkit/session/auth/authprovider"
 "github.com/moby/buildkit/session/secrets/secretsprovider"
 "github.com/moby/buildkit/session/sshforward/sshprovider"
+ "github.com/moby/buildkit/util/entitlements"
 specs "github.com/opencontainers/image-spec/specs-go/v1"
 "github.com/docker/compose/v2/pkg/api"
@@ -71,7 +72,6 @@ func (s *composeService) build(ctx context.Context, project *types.Project, opti
 if err != nil {
 return err
 }
-
 for _, image := range service.Build.CacheFrom {
 buildOptions.CacheFrom = append(buildOptions.CacheFrom, bclient.CacheOptionsEntry{
 Type: "registry",
@@ -258,6 +258,10 @@ func (s *composeService) toBuildOptions(project *types.Project, service types.Se
 if len(service.Build.Tags) > 0 {
 tags = append(tags, service.Build.Tags...)
 }
+ var allow []entitlements.Entitlement
+ if service.Build.Privileged {
+ allow = append(allow, entitlements.EntitlementSecurityInsecure)
+ }
 imageLabels := getImageBuildLabels(project, service)
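Review bot: The mapping from `service.Build.Privileged` to `entitlements.EntitlementSecurityInsecure` in the four added lines carries no comment, although it is the point where a Compose file author can ask for build steps to run outside BuildKit's default sandbox restrictions — the new e2e fixture asserts a full `CapEff` mask inside such a step. I would add above the `var allow` line: `// privileged: true requests BuildKit's security.insecure entitlement, which lets RUN --security=insecure steps run with elevated capabilities; the daemon must have been started with --allow-insecure-entitlement=security.insecure for the request to be honoured (see the privileged e2e test).` The second clause is inferred from how the e2e test bootstraps its builder rather than from this hunk, so confirm it against BuildKit before committing to the wording. toBuildOptions starts and ends outside the hunk.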
@@ -279,6 +283,7 @@ func (s *composeService) toBuildOptions(project *types.Project, service types.Se
 NetworkMode: service.Build.Network,
 ExtraHosts: service.Build.ExtraHosts.AsList(),
 Session: sessionConfig,
+ Allow: allow,
 }, nil
 }
diff --git a/pkg/compose/build_classic.go b/pkg/compose/build_classic.go
index 0251e4af2b..6c9a8b63d6 100644
--- a/pkg/compose/build_classic.go
+++ b/pkg/compose/build_classic.go
@@ -30,6 +30,7 @@ import (
 buildx "github.com/docker/buildx/build"
 "github.com/docker/cli/cli"
 "github.com/docker/cli/cli/command/image/build"
+ "github.com/docker/compose/v2/pkg/utils"
 dockertypes "github.com/docker/docker/api/types"
 "github.com/docker/docker/builder/remotecontext/urlutil"
 "github.com/docker/docker/pkg/archive"
@@ -38,6 +39,7 @@ import (
 "github.com/docker/docker/pkg/progress"
 "github.com/docker/docker/pkg/streamformatter"
 "github.com/hashicorp/go-multierror"
+ "github.com/moby/buildkit/util/entitlements"
 "github.com/pkg/errors"
 "github.com/docker/compose/v2/pkg/api"
@@ -92,6 +94,9 @@ func (s *composeService) doBuildClassicSimpleImage(ctx context.Context, options
 if len(options.Platforms) > 1 {
 return "", errors.Errorf("this builder doesn't support multi-arch build, set DOCKER_BUILDKIT=1 to use multi-arch builder")
 }
+ if utils.Contains(options.Allow, entitlements.EntitlementSecurityInsecure) {
+ return "", errors.Errorf("this builder doesn't support privileged mode, set DOCKER_BUILDKIT=1 to use builder supporting privileged mode")
+ }
 if options.Labels == nil {
 options.Labels = make(map[string]string)
diff --git a/pkg/e2e/build_test.go b/pkg/e2e/build_test.go
index 4d58906d4b..101761659c 100644
--- a/pkg/e2e/build_test.go
+++ b/pkg/e2e/build_test.go
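Review bot: The new `"github.com/docker/compose/v2/pkg/utils"` import is inserted into the third-party group between the docker/cli and docker/docker lines, while the following hunk shows the project's own `"github.com/docker/compose/v2/pkg/api"` import living in a separate trailing group; `goimports -local github.com/docker/compose/v2` would move the new line there. I would place it next to `"github.com/docker/compose/v2/pkg/api"` at the end of the import block. Whether the repository's linter enforces that local grouping is not visible in this hunk.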
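Review bot: The added guard fails closed only for `security.insecure`; any other entitlement a caller places into `options.Allow` would pass straight through to the classic builder, which has no notion of BuildKit entitlements and would silently build without it. With this patch `Build.Privileged` is the only producer of `options.Allow` that I can see, so the narrow check is correct today, but a broader guard — `if len(options.Allow) > 0 { return "", errors.Errorf("this builder doesn't support build entitlements %v, set DOCKER_BUILDKIT=1 to use BuildKit", options.Allow) }` — would stay fail-closed as more entitlements are plumbed through; the e2e test's expected message must be kept in sync if the wording changes. As a minor point, the message has no format verbs, so `errors.New` would do in place of `errors.Errorf`. doBuildClassicSimpleImage continues outside the hunk.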
@@ -338,6 +338,27 @@ func TestBuildPlatformsWithCorrectBuildxConfig(t *testing.T) {
 }
+func TestBuildPrivileged(t *testing.T) {
+ c := NewParallelCLI(t)
+
+ // declare builder
+ result := c.RunDockerCmd(t, "buildx", "create", "--name", "build-privileged", "--use", "--bootstrap", "--buildkitd-flags",
+ `'--allow-insecure-entitlement=security.insecure'`)
+ assert.NilError(t, result.Error)
+
+ t.Cleanup(func() {
+ c.RunDockerComposeCmd(t, "--project-directory", "fixtures/build-test/privileged", "down")
+ _ = c.RunDockerCmd(t, "buildx", "rm", "-f", "build-privileged")
+ })
+
+ t.Run("use build privileged mode to run insecure build command", func(t *testing.T) {
+ res := c.RunDockerComposeCmdNoCheck(t, "--project-directory", "fixtures/build-test/privileged", "build")
+ assert.NilError(t, res.Error, res.Stderr())
+ res.Assert(t, icmd.Expected{Out: "CapEff:\t0000003fffffffff"})
+
+ })
+}
+
 func TestBuildPlatformsStandardErrors(t *testing.T) {
 c := NewParallelCLI(t)
@@ -380,4 +401,17 @@ func TestBuildPlatformsStandardErrors(t *testing.T) {
 Err: `DOCKER_DEFAULT_PLATFORM "windows/amd64" value should be part of the service.build.platforms: ["linux/amd64" "linux/arm64"]`,
 })
 })
+
+ t.Run("no privileged support with Classic Builder", func(t *testing.T) {
+ cmd := c.NewDockerComposeCmd(t, "--project-directory", "fixtures/build-test/privileged", "build")
+
+ res := icmd.RunCmd(cmd, func(cmd *icmd.Cmd) {
+ cmd.Env = append(cmd.Env, "DOCKER_BUILDKIT=0")
+ })
+ res.Assert(t, icmd.Expected{
+ ExitCode: 1,
+ Err: "this builder doesn't support privileged mode, set DOCKER_BUILDKIT=1 to use builder supporting privileged mode",
+ })
+ })
+
 }
diff --git a/pkg/e2e/fixtures/build-test/privileged/Dockerfile b/pkg/e2e/fixtures/build-test/privileged/Dockerfile
new file mode 100644
index 0000000000..a242eb52d4
--- /dev/null
+++ b/pkg/e2e/fixtures/build-test/privileged/Dockerfile
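Review bot: `t.Cleanup` is registered after `assert.NilError(t, result.Error)`, so if `buildx create --bootstrap` returns an error once the builder instance already exists (bootstrap presumably runs after creation), the test stops before the `buildx rm -f build-privileged` cleanup is registered and the stale builder makes the next run fail on the name clash; move the whole `t.Cleanup(...)` block above the assertion. The expectation `CapEff:\t0000003fffffffff` pins an exact capability mask (bits 0–37), which holds only for as long as the BuildKit/runc/kernel combination grants exactly that set — if the granted set grows, the string comparison breaks while the privileged behaviour is still working; asserting that the mask differs from the default unprivileged one, or at least adding `// full capability set: proves --security=insecure was honoured` next to the assertion, would make the intent visible. Finally, `'--allow-insecure-entitlement=security.insecure'` is passed with literal single quotes although `RunDockerCmd` does not appear to go through a shell; buildx seems to tolerate them inside `--buildkitd-flags`, but they are unnecessary and worth dropping if the test still passes without them.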
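Review bot: The new subtest is appended to `TestBuildPlatformsStandardErrors`, whose name and existing subtests are about `build.platforms`; a classic-builder/privileged error case hides there from anyone looking for privileged-mode tests. Either rename the function to something like `TestBuildStandardErrors` or move the subtest next to `TestBuildPrivileged`. The expected `Err` string is a verbatim copy of the message in build_classic.go, so the two must be updated together. TestBuildPlatformsStandardErrors starts outside the hunk.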
@@ -0,0 +1,19 @@
+# syntax = docker/dockerfile:experimental
+
+
+# Copyright 2020 Docker Compose CLI authors
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM alpine
+RUN --security=insecure cat /proc/self/status | grep CapEff
diff --git a/pkg/e2e/fixtures/build-test/privileged/compose.yaml b/pkg/e2e/fixtures/build-test/privileged/compose.yaml
new file mode 100644
index 0000000000..ead867cae8
--- /dev/null
+++ b/pkg/e2e/fixtures/build-test/privileged/compose.yaml
@@ -0,0 +1,5 @@
+services:
+ privileged-service:
+ build:
+ context: .
+ privileged: true
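Review bot: `# syntax = docker/dockerfile:experimental` selects what is, to my knowledge, the legacy name of the frontend channel that provides `RUN --security=insecure`; the current spelling is `# syntax=docker/dockerfile:labs` (or a pinned `docker/dockerfile:1-labs`), and since both the frontend and `alpine` are unpinned here, a one-line comment such as `# test fixture only: unpinned images are acceptable here, do not copy as a template` would stop the file being reused as-is. The shell pipeline can drop the useless cat: `RUN --security=insecure grep CapEff /proc/self/status`. The header's `Copyright 2020` on a file created by this commit (Dec 2022) looks copied from a sibling fixture and should carry the current year.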