Intermediate commit for review with debug messages

moby · Dec 12, 2018 · 2472d41 · 2472d41
1 parent 3e33847
commit 2472d41
Show file tree

Hide file tree

Showing 23 changed files with 238 additions and 152 deletions.
diff --git a/api/services/control/control.proto b/api/services/control/control.proto
@@ -118,7 +118,7 @@ message BytesMessage {
 	bytes data = 1;
 }
 
-message ListWorkersRequest {git am --show-current-patch
+message ListWorkersRequest {
 	repeated string filter = 1; // containerd style
 }
 

diff --git a/client/llb/exec.go b/client/llb/exec.go
@@ -20,7 +20,7 @@ type Meta struct {
 	ProxyEnv   *ProxyEnv
 	ExtraHosts []HostIP
 	Network    pb.NetMode
-	Security   pb.SecMode
+	Security   pb.SecuityMode
 }
 
 func NewExecOp(root Output, meta Meta, readOnly bool, c Constraints) *ExecOp {
@@ -175,7 +175,7 @@ func (e *ExecOp) Marshal(c *Constraints) (digest.Digest, []byte, *pb.OpMetadata,
 		addCap(&e.constraints, pb.CapExecMetaNetwork)
 	}
 
-	if e.meta.Security != SecurityModeConfined {
+	if e.meta.Security != SecurityModeUnconfined {
 		addCap(&e.constraints, pb.CapExecMetaSecurity)
 	}
 
@@ -414,7 +414,7 @@ func Network(n pb.NetMode) RunOption {
 	})
 }
 
-func Security(s pb.SecMode) RunOption {
+func Security(s pb.SecuityMode) RunOption {
 	return runOptionFunc(func(ei *ExecInfo) {
 		ei.State = security(s)(ei.State)
 	})
@@ -637,6 +637,6 @@ const (
 )
 
 const (
-	SecurityModeUnconfined = pb.SecMode_UNCONFINED
-	SecurityModeConfined   = pb.SecMode_CONFINED
+	SecurityModeUnconfined = pb.SecuityMode_UNCONFINED
+	SecurityModeConfined   = pb.SecuityMode_CONFINED
 )
diff --git a/client/llb/meta.go b/client/llb/meta.go
@@ -158,15 +158,15 @@ func getNetwork(s State) pb.NetMode {
 	return NetModeSandbox
 }
 
-func security(v pb.SecMode) StateOption {
+func security(v pb.SecuityMode) StateOption {
 	return func(s State) State {
 		return s.WithValue(keySecurity, v)
 	}
 }
-func getSecurity(s State) pb.SecMode {
+func getSecurity(s State) pb.SecuityMode {
 	v := s.Value(keySecurity)
 	if v != nil {
-		n := v.(pb.SecMode)
+		n := v.(pb.SecuityMode)
 		return n
 	}
 	return SecurityModeConfined

diff --git a/client/llb/state.go b/client/llb/state.go
@@ -13,6 +13,7 @@ import (
 	"github.com/moby/buildkit/util/apicaps"
 	digest "github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/sirupsen/logrus"
 )
 
 type StateOption func(State) State
@@ -217,6 +218,8 @@ func (s State) Run(ro ...RunOption) ExecState {
 		Security:   getSecurity(ei.State),
 	}
 
+	logrus.Info("state.Run meta : ", meta.Security, meta.Network)
+
 	exec := NewExecOp(s.Output(), meta, ei.ReadonlyRootFS, ei.Constraints)
 	for _, m := range ei.Mounts {
 		exec.AddMount(m.Target, m.Source, m.Opts...)
@@ -284,11 +287,11 @@ func (s State) Network(n pb.NetMode) State {
 func (s State) GetNetwork() pb.NetMode {
 	return getNetwork(s)
 }
-func (s State) Security(n pb.SecMode) State {
+func (s State) Security(n pb.SecuityMode) State {
 	return security(n)(s)
 }
 
-func (s State) GetSecurity() pb.SecMode {
+func (s State) GetSecurity() pb.SecuityMode {
 	return getSecurity(s)
 }
 

diff --git a/cmd/buildkitd/main.go b/cmd/buildkitd/main.go
@@ -30,12 +30,8 @@ import (
 	"github.com/moby/buildkit/frontend/gateway"
 	"github.com/moby/buildkit/frontend/gateway/forwarder"
 	"github.com/moby/buildkit/session"
-<<<<<<< HEAD
 	"github.com/moby/buildkit/solver/bboltcachestorage"
-=======
-	"github.com/moby/buildkit/solver/boltdbcachestorage"
 	"github.com/moby/buildkit/solver/llbsolver"
->>>>>>> security entitlement support
 	"github.com/moby/buildkit/util/apicaps"
 	"github.com/moby/buildkit/util/appcontext"
 	"github.com/moby/buildkit/util/appdefaults"

diff --git a/control/control.go b/control/control.go
@@ -180,6 +180,15 @@ func (c *Controller) Prune(req *controlapi.PruneRequest, stream controlapi.Contr
 }
 
 func (c *Controller) Solve(ctx context.Context, req *controlapi.SolveRequest) (*controlapi.SolveResponse, error) {
+	//;TODO: Kunal How to fix this?
+	//	req.FrontendAttrs["force-security-mode"] = "security.unconfined"
+	//	for a, b := range req.FrontendAttrs {
+	//	req.FrontendAttrs[b] = ""
+	//		logrus.Info("controller.Solve reqs : ", a, b)
+	//	}
+	//if req.Definition != nil {
+	//	logrus.Info("control.Solve() : ", req.Definition)
+	//}
 	ctx = session.NewContext(ctx, req.Session)
 
 	defer func() {

diff --git a/executor/executor.go b/executor/executor.go
@@ -18,7 +18,7 @@ type Meta struct {
 	ReadonlyRootFS bool
 	ExtraHosts     []HostIP
 	NetMode        pb.NetMode
-	SecMode        pb.SecMode
+	SecuityMode    pb.SecuityMode
 }
 
 type Mount struct {

diff --git a/executor/oci/spec_unix.go b/executor/oci/spec_unix.go
@@ -4,6 +4,7 @@ package oci
 
 import (
 	"context"
+	"fmt"
 	"path"
 	"sync"
 
@@ -17,10 +18,12 @@ import (
 	"github.com/moby/buildkit/executor"
 	"github.com/moby/buildkit/snapshot"
 	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/util/entitlements"
 	"github.com/moby/buildkit/util/network"
 	"github.com/moby/buildkit/util/system"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 // Ideally we don't have to import whole containerd just for the default spec
@@ -30,12 +33,16 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 	c := &containers.Container{
 		ID: id,
 	}
+	//debug.PrintStack()
 	_, ok := namespaces.Namespace(ctx)
 	if !ok {
 		ctx = namespaces.WithNamespace(ctx, "buildkit")
 	}
-
-	if system.SeccompSupported() && meta.SecMode == pb.SecMode_CONFINED {
+	logrus.Info("SecurityMode set : ", meta.SecuityMode, meta)
+	if meta.SecuityMode == pb.SecuityMode_UNCONFINED {
+		fmt.Println("using admin- profile.")
+		opts = append(opts, entitlements.WithDefaultUnconfiedProfile())
+	} else if system.SeccompSupported() && meta.SecuityMode == pb.SecuityMode_CONFINED {
 		opts = append(opts, seccomp.WithDefaultProfile())
 	}
 

diff --git a/frontend/dockerfile/builder/build.go b/frontend/dockerfile/builder/build.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"net"
 	"regexp"
+	"runtime/debug"
 	"strconv"
 	"strings"
 
@@ -21,6 +22,7 @@ import (
 	"github.com/moby/buildkit/solver/pb"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/sync/errgroup"
 )
 
@@ -50,6 +52,10 @@ var gitUrlPathWithFragmentSuffix = regexp.MustCompile("\\.git(?:#.+)?$")
 func Build(ctx context.Context, c client.Client) (*client.Result, error) {
 	opts := c.BuildOpts().Opts
 	caps := c.BuildOpts().LLBCaps
+	debug.PrintStack()
+	for a, b := range opts {
+		logrus.Info("Build - ", a, b)
+	}
 
 	marshalOpts := []llb.ConstraintsOpt{llb.WithCaps(caps)}
 
@@ -83,7 +89,8 @@ func Build(ctx context.Context, c client.Client) (*client.Result, error) {
 		return nil, err
 	}
 
-	defaultSecMode, err := parseSecMode(opts[keyForceSecurity])
+	// Should take LLBCaps and get security mode from caps.
+	defaultSecuityMode, err := parseSecuityMode(opts[keyForceSecurity])
 	if err != nil {
 		return nil, err
 	}
@@ -277,7 +284,7 @@ func Build(ctx context.Context, c client.Client) (*client.Result, error) {
 					PrefixPlatform:    exportMap,
 					ExtraHosts:        extraHosts,
 					ForceNetMode:      defaultNetMode,
-					ForceSecMode:      defaultSecMode,
+					ForceSecuityMode:  defaultSecuityMode,
 					OverrideCopyImage: opts[keyOverrideCopyImage],
 					LLBCaps:           &caps,
 				})
@@ -486,16 +493,16 @@ func parseNetMode(v string) (pb.NetMode, error) {
 	}
 }
 
-func parseSecMode(v string) (pb.SecMode, error) {
+func parseSecuityMode(v string) (pb.SecuityMode, error) {
 	if v == "" {
 		return llb.SecurityModeConfined, nil
 	}
 	switch v {
-	case "confined":
+	case "security.confined":
 		return llb.SecurityModeConfined, nil
-	case "unconfined":
+	case "security.unconfined":
 		return llb.SecurityModeUnconfined, nil
 	default:
-		return 0, errors.Errorf("invalid secmode %s", v)
+		return 0, errors.Errorf("invalid SecuityMode %s", v)
 	}
 }
diff --git a/frontend/dockerfile/dockerfile2llb/convert.go b/frontend/dockerfile/dockerfile2llb/convert.go
@@ -27,6 +27,7 @@ import (
 	"github.com/moby/buildkit/util/system"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/sync/errgroup"
 )
 
@@ -57,12 +58,13 @@ type ConvertOpt struct {
 	PrefixPlatform    bool
 	ExtraHosts        []llb.HostIP
 	ForceNetMode      pb.NetMode
-	ForceSecMode      pb.SecMode
+	ForceSecuityMode  pb.SecuityMode
 	OverrideCopyImage string
 	LLBCaps           *apicaps.CapSet
 }
 
 func Dockerfile2LLB(ctx context.Context, dt []byte, opt ConvertOpt) (*llb.State, *Image, error) {
+	logrus.Info("Dockerfile2LLB : ", opt.ForceSecuityMode, opt.ForceNetMode)
 	if len(dt) == 0 {
 		return nil, nil, errors.Errorf("the Dockerfile cannot be empty")
 	}
@@ -314,6 +316,7 @@ func Dockerfile2LLB(ctx context.Context, dt []byte, opt ConvertOpt) (*llb.State,
 			}
 		}
 		d.state = d.state.Network(opt.ForceNetMode)
+		d.state = d.state.Security(opt.ForceSecuityMode)
 
 		opt := dispatchOpt{
 			allDispatchStates: allDispatchStates,
@@ -607,6 +610,8 @@ func dispatchEnv(d *dispatchState, c *instructions.EnvCommand) error {
 }
 
 func dispatchRun(d *dispatchState, c *instructions.RunCommand, proxy *llb.ProxyEnv, sources []*dispatchState, dopt dispatchOpt) error {
+	logrus.Info("========== dispatchRun invoked ======")
+
 	var args []string = c.CmdLine
 	if c.PrependShell {
 		args = withShell(d.image, args)
@@ -639,6 +644,11 @@ func dispatchRun(d *dispatchState, c *instructions.RunCommand, proxy *llb.ProxyE
 	for _, h := range dopt.extraHosts {
 		opt = append(opt, llb.AddExtraHost(h.Host, h.IP))
 	}
+
+	for _, o := range opt {
+		logrus.Info("dispatchRun opt : ", o)
+	}
+
 	d.state = d.state.Run(opt...).Root()
 	return commitToHistory(&d.image, "RUN "+runCommandString(args, d.buildArgs), true, &d.state)
 }
@@ -744,6 +754,12 @@ func dispatchCopy(d *dispatchState, c instructions.SourcesAndDest, sourceState l
 		}
 	}
 
+	if opt.llbCaps != nil {
+		if err := opt.llbCaps.Supports(pb.CapExecMetaSecurity); err == nil {
+			runOpt = append(runOpt, llb.Security(llb.SecurityModeUnconfined))
+		}
+	}
+
 	run := img.Run(append(runOpt, mounts...)...)
 	d.state = run.AddMount("/dest", d.state).Platform(platform)
 

diff --git a/frontend/gateway/client/client.go b/frontend/gateway/client/client.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/util/apicaps"
+	"github.com/moby/buildkit/util/entitlements"
 	digest "github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	fstypes "github.com/tonistiigi/fsutil/types"
@@ -47,6 +48,7 @@ type SolveRequest struct {
 	Frontend        string
 	FrontendOpt     map[string]string
 	ImportCacheRefs []string
+	Entitlements    []entitlements.Entitlement
 }
 
 type WorkerInfo struct {

diff --git a/frontend/gateway/gateway.go b/frontend/gateway/gateway.go
@@ -66,6 +66,9 @@ func filterPrefix(opts map[string]string, pfx string) map[string]string {
 }
 
 func (gf *gatewayFrontend) Solve(ctx context.Context, llbBridge frontend.FrontendLLBBridge, opts map[string]string) (*frontend.Result, error) {
+	for a, b := range opts {
+		logrus.Info("gateway.Solve Opts : ", a, b)
+	}
 	source, ok := opts[keySource]
 	if !ok {
 		return nil, errors.Errorf("no source specified for gateway")
@@ -404,6 +407,7 @@ func (lbf *llbBridgeForwarder) Solve(ctx context.Context, req *pb.SolveRequest)
 		Frontend:        req.Frontend,
 		FrontendOpt:     req.FrontendOpt,
 		ImportCacheRefs: req.ImportCacheRefs,
+		Entitlements:    req.Entitlements,
 	})
 	if err != nil {
 		return nil, err

diff --git a/frontend/gateway/grpcclient/client.go b/frontend/gateway/grpcclient/client.go
@@ -16,6 +16,7 @@ import (
 	"github.com/moby/buildkit/util/apicaps"
 	digest "github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	fstypes "github.com/tonistiigi/fsutil/types"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/status"
@@ -250,8 +251,10 @@ func (c *grpcClient) requestForRef(ref client.Reference) (*pb.SolveRequest, erro
 }
 
 func (c *grpcClient) Solve(ctx context.Context, creq client.SolveRequest) (*client.Result, error) {
+	logrus.Info("grpcClient.Solve..... ")
 	if creq.Definition != nil {
 		for _, md := range creq.Definition.Metadata {
+			logrus.Info("grpcClient.Solve : metadata set ", md)
 			for cap := range md.Caps {
 				if err := c.llbCaps.Supports(cap); err != nil {
 					return nil, err
@@ -266,6 +269,7 @@ func (c *grpcClient) Solve(ctx context.Context, creq client.SolveRequest) (*clie
 		FrontendOpt:       creq.FrontendOpt,
 		ImportCacheRefs:   creq.ImportCacheRefs,
 		AllowResultReturn: true,
+		Entitlements:      creq.Entitlements,
 	}
 
 	// backwards compatibility with inline return

diff --git a/solver/jobs.go b/solver/jobs.go
@@ -15,6 +15,7 @@ import (
 	digest "github.com/opencontainers/go-digest"
 	opentracing "github.com/opentracing/opentracing-go"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 // ResolveOpFunc finds an Op implementation for a Vertex
@@ -257,7 +258,7 @@ func (jl *Solver) load(v, parent Vertex, j *Job) (Vertex, error) {
 	defer jl.mu.Unlock()
 
 	cache := map[Vertex]Vertex{}
-
+	logrus.Info("cache: ", cache)
 	return jl.loadUnlocked(v, parent, j, cache)
 }
 
@@ -373,6 +374,7 @@ func (jl *Solver) connectProgressFromState(target, src *state) {
 }
 
 func (jl *Solver) NewJob(id string) (*Job, error) {
+	logrus.Info("=== NewJob added ", id)
 	jl.mu.Lock()
 	defer jl.mu.Unlock()
 
@@ -437,6 +439,7 @@ func (jl *Solver) deleteIfUnreferenced(k digest.Digest, st *state) {
 }
 
 func (j *Job) Build(ctx context.Context, e Edge) (CachedResult, error) {
+	logrus.Info("=== job.Build invoked ", e.Vertex.Name())
 	if span := opentracing.SpanFromContext(ctx); span != nil {
 		j.span = span
 	}