
buildx prompts to add --allow=ssh to command, but adding it has no effect #2902

Closed
3 tasks done
Aposhian opened this issue Jan 9, 2025 · 1 comment


Aposhian commented Jan 9, 2025

Contributing guidelines

I've found a bug and checked that ...

  • ... the documentation does not mention anything about my problem
  • ... there are no open or closed issues that are related to my problem

Description

I have a docker-bake.hcl that passes SSH to the build. On the latest buildx version, this produces a warning when I run docker buildx bake and says I should add --allow=ssh to resolve the warning. However, if I add that, the warning stays.

Expected behaviour

No warning after adding --allow=ssh

Actual behaviour

It sees the --allow=ssh, but prompts to add it again:

[+] Building 0.0s (1/1) FINISHED                                                                                                                                    docker:default
 => [internal] load local bake definitions                                                                                                                                    0.0s
 => => reading docker-bake.hcl 42B / 42B                                                                                                                                      0.0s
Your build is requesting privileges for following possibly insecure capabilities:

 - Forwarding default SSH agent socket

In order to not see this message in the future pass "--allow=ssh" to grant requested privileges.

Your full command with requested privileges:

docker buildx bake --allow=ssh --allow=ssh

This warning will become an error in a future release. To enable filesystem entitlements checks at the moment, set BUILDX_BAKE_ENTITLEMENTS_FS=1 .

[+] Building 0.7s (7/7) FINISHED                                                                                                                                    docker:default
 => [internal] load build definition from Dockerfile                                                                                                                          0.0s
 => => transferring dockerfile: 145B                                                                                                                                          0.0s
 => [internal] load metadata for docker.io/library/alpine:latest                                                                                                              0.7s
 => [internal] load .dockerignore                                                                                                                                             0.0s
 => => transferring context: 2B                                                                                                                                               0.0s
 => [default 1/3] FROM docker.io/library/alpine:latest@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099                                                0.0s
 => CACHED [default 2/3] RUN apk update && apk add openssh                                                                                                                    0.0s
 => CACHED [default 3/3] RUN --mount=type=ssh ssh -v [email protected] || true                                                                                                   0.0s
 => exporting to image                                                                                                                                                        0.0s
 => => exporting layers                                                                                                                                                       0.0s
 => => writing image sha256:c6a62c3d95e9e04f0081719b56a6ec0f44faa4646c33b4cee07103bc75aca07a

Buildx version

github.com/docker/buildx v0.19.3 48d6a39

Docker info

Client: Docker Engine - Community
 Version:    27.4.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.19.3
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.2
    Path:     /home/my-user/.docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 24
 Server Version: 27.4.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: crun io.containerd.runc.v2 nvidia runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 88bf19b2105c8b17560993bee28a01ddc2f97182
 runc version: v1.2.2-0-g7cb3632
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-51-generic
 Operating System: Ubuntu 22.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 62.01GiB
 Name: my-computer
 ID: 1ab164cd-5e72-4ab9-95e5-d08a207e2f47
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Builders list

NAME/NODE     DRIVER/ENDPOINT   STATUS    BUILDKIT   PLATFORMS
default*      docker                                 
 \_ default    \_ default       running   v0.17.3    linux/amd64 (+4), linux/386

Configuration

FROM alpine AS default
RUN apk update && apk add openssh
RUN --mount=type=ssh ssh -v [email protected] || true

target "default" {
  ssh = ["default"]
}

Build logs

[+] Building 0.0s (1/1) FINISHED                                                                                                                                    docker:default
 => [internal] load local bake definitions                                                                                                                                    0.0s
 => => reading docker-bake.hcl 42B / 42B                                                                                                                                      0.0s
Your build is requesting privileges for following possibly insecure capabilities:

 - Forwarding default SSH agent socket

In order to not see this message in the future pass "--allow=ssh" to grant requested privileges.

Your full command with requested privileges:

docker buildx bake --allow=ssh 

This warning will become an error in a future release. To enable filesystem entitlements checks at the moment, set BUILDX_BAKE_ENTITLEMENTS_FS=1 .

[+] Building 0.3s (7/7) FINISHED                                                                                                                                    docker:default
 => [internal] load build definition from Dockerfile                                                                                                                          0.0s
 => => transferring dockerfile: 145B                                                                                                                                          0.0s
 => [internal] load metadata for docker.io/library/alpine:latest                                                                                                              0.3s
 => [internal] load .dockerignore                                                                                                                                             0.0s
 => => transferring context: 2B                                                                                                                                               0.0s
 => [default 1/3] FROM docker.io/library/alpine:latest@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099                                                0.0s
 => CACHED [default 2/3] RUN apk update && apk add openssh                                                                                                                    0.0s
 => CACHED [default 3/3] RUN --mount=type=ssh ssh -v [email protected] || true                                                                                                   0.0s
 => exporting to image                                                                                                                                                        0.0s
 => => exporting layers                                                                                                                                                       0.0s
 => => writing image sha256:c6a62c3d95e9e04f0081719b56a6ec0f44faa4646c33b4cee07103bc75aca07a

Additional info

To my understanding, I don't think that this is a duplicate of #2895 because that seems to be adding the support for the entitlements keyword in HCL, rather than on the CLI.
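As an added illustration (not code from buildx or from the issue author), the following Python pre-flight check reads a bake definition, lists the possibly insecure entitlements each target requests, compares them with the `--allow` flags already on the command line, and rebuilds the command with each missing flag added exactly once, which is the behaviour the report above expected. The minimal regex-based HCL extractor and the attribute-to-entitlement mapping it uses (`ssh = [...]` requests `ssh`, `network = "host"` requests `network.host`) are assumptions of this example, not buildx's own logic; filesystem entitlements are out of scope here.

```python
"""Pre-flight check for docker-bake.hcl entitlements (constructed example).

Not buildx's implementation. The HCL "parser" below is a deliberately small
regex extractor that understands only the target attributes this check cares
about; the attribute-to-entitlement mapping is an assumption of this example:
    ssh = [...]        -> "ssh"
    network = "host"   -> "network.host"
"""
import re
import shlex

# Constructed bake definition; the "default" target mirrors the one in the issue,
# the "privileged" target is added to show a second entitlement kind.
BAKE_HCL = '''
target "default" {
  ssh = ["default"]
}

target "privileged" {
  network = "host"
  ssh = ["default"]
}
'''

# Matches a flat target block; bodies are assumed not to contain nested braces.
_TARGET_RE = re.compile(r'target\s+"([^"]+)"\s*\{(.*?)\}', re.DOTALL)
_SSH_RE = re.compile(r'^\s*ssh\s*=\s*\[', re.MULTILINE)
_NETWORK_RE = re.compile(r'^\s*network\s*=\s*"([^"]*)"', re.MULTILINE)


def requested_entitlements(hcl: str) -> dict:
    """Map target name -> sorted list of entitlement names the target requests."""
    result = {}
    for name, body in _TARGET_RE.findall(hcl):
        ents = set()
        if _SSH_RE.search(body):
            ents.add("ssh")            # forwards the SSH agent socket into the build
        m = _NETWORK_RE.search(body)
        if m and m.group(1) == "host":
            ents.add("network.host")   # build steps run in the host network namespace
        result[name] = sorted(ents)
    return result


def granted_entitlements(argv: list) -> set:
    """Collect entitlements already granted on the command line via --allow."""
    granted = set()
    it = iter(argv)
    for arg in it:
        if arg.startswith("--allow="):
            granted.add(arg[len("--allow="):])
        elif arg == "--allow":
            granted.add(next(it, ""))
    return granted


def missing_entitlements(hcl: str, argv: list, targets=None) -> list:
    """Entitlements requested by the selected targets (default: all) but not granted."""
    requested = requested_entitlements(hcl)
    selected = targets or list(requested)
    needed = set()
    for t in selected:
        needed.update(requested.get(t, []))
    return sorted(needed - granted_entitlements(argv))


def suggested_command(hcl: str, argv: list, targets=None) -> str:
    """Rebuild the command, appending each still-missing --allow flag exactly once."""
    extra = [f"--allow={e}" for e in missing_entitlements(hcl, argv, targets)]
    return shlex.join(list(argv) + extra)


if __name__ == "__main__":
    cmd = ["docker", "buildx", "bake", "--allow=ssh"]
    print("requested:", requested_entitlements(BAKE_HCL))
    print("missing for 'default':", missing_entitlements(BAKE_HCL, cmd, ["default"]))
    print("suggested for all targets:", suggested_command(BAKE_HCL, cmd))
```

Running the check against the `default` target with `--allow=ssh` already present reports nothing missing and leaves the command unchanged; selecting all targets adds only `--allow=network.host`. A CI job can run this before invoking bake so that a new privileged request in the bake file is caught as a review item rather than silently granted.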

@crazy-max (Member)

Thanks for your report; this has been fixed in #2898.
