diff --git a/vendor.mod b/vendor.mod
index 46c3f22162100..54f463070e145 100644
--- a/vendor.mod
+++ b/vendor.mod
@@ -7,6 +7,9 @@ module github.com/docker/docker
 go 1.22.0
 
+// FIXME(thaJeztah); testing 0.20_backport_rc3 branch from https://github.com/moby/buildkit/pull/5755
+replace github.com/moby/buildkit => github.com/crazy-max/buildkit v0.7.1-0.20250218091528-281e8c9d0ef8
+
 require (
 	cloud.google.com/go/compute/metadata v0.5.2
 	cloud.google.com/go/logging v1.9.0
diff --git a/vendor.sum b/vendor.sum
index e9af9b05fadf9..05c3b2b1819bd 100644
--- a/vendor.sum
+++ b/vendor.sum
@@ -162,6 +162,8 @@ github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cpuguy83/tar2go v0.3.1 h1:DMWlaIyoh9FBWR4hyfZSOEDA7z8rmCiGF1IJIzlTlR8=
 github.com/cpuguy83/tar2go v0.3.1/go.mod h1:2Ys2/Hu+iPHQRa4DjIVJ7UAaKnDhAhNACeK3A0Rr5rM=
+github.com/crazy-max/buildkit v0.7.1-0.20250218091528-281e8c9d0ef8 h1:j+JQVgHC5VtTtS7WnktNFRZT1MHlIXGe4H7VCuV8Hfo=
+github.com/crazy-max/buildkit v0.7.1-0.20250218091528-281e8c9d0ef8/go.mod h1:kMXf90l/f3zygRK8bYbyetfyzoJYntb6Bpi2VsLfXgQ=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/cyphar/filepath-securejoin v0.3.5 h1:L81NHjquoQmcPgXcttUS9qTSR/+bXry6pbSINQGpjj4=
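Review bot: The new `replace github.com/moby/buildkit => github.com/crazy-max/buildkit v0.7.1-...` directive redirects the whole buildkit dependency (API, solver, entitlement enforcement) to a personal fork, and the FIXME on the line above says it is only there to test an unmerged branch; this must not reach a release branch in this form. The pseudo-version plus the vendor.sum entries do make the pinned content immutable, but the trust anchor for the module becomes an individual's account rather than the moby org, which is exactly the supply-chain shape a reviewer should block. I would either hold the PR until moby/buildkit#5755 is tagged upstream and point the requirement at that tag, or at minimum make the FIXME name the tracking issue and the condition for removal, e.g. `// FIXME(thaJeztah): TEMPORARY, remove before merge — replace with upstream tag once moby/buildkit#5755 is released`.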
@@ -383,8 +385,6 @@ github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:F
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs=
-github.com/moby/buildkit v0.20.0-rc2 h1:QjACghvG0pSAp7dk9aQMYWioDEOljDWyyoUjyg35qfg=
-github.com/moby/buildkit v0.20.0-rc2/go.mod h1:kMXf90l/f3zygRK8bYbyetfyzoJYntb6Bpi2VsLfXgQ=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/ipvs v1.1.0 h1:ONN4pGaZQgAx+1Scz5RvWV4Q7Gb+mvfRh3NsPS+1XQQ=
diff --git a/vendor/github.com/moby/buildkit/cache/remotecache/gha/gha.go b/vendor/github.com/moby/buildkit/cache/remotecache/gha/gha.go
index 59f0c21ee6a8a..a7af088e752ac 100644
--- a/vendor/github.com/moby/buildkit/cache/remotecache/gha/gha.go
+++ b/vendor/github.com/moby/buildkit/cache/remotecache/gha/gha.go
@@ -63,10 +63,6 @@ func getConfig(attrs map[string]string) (*Config, error) {
 	if !ok {
 		scope = "buildkit"
 	}
-	url, ok := attrs[attrURL]
-	if !ok {
-		return nil, errors.Errorf("url not set for github actions cache")
-	}
 	token, ok := attrs[attrToken]
 	if !ok {
 		return nil, errors.Errorf("token not set for github actions cache")
@@ -80,12 +76,19 @@ func getConfig(attrs map[string]string) (*Config, error) {
 		}
 		apiVersionInt = int(i)
 	}
+	var url string
 	if apiVersionInt != 1 {
 		if v, ok := attrs[attrURLV2]; ok {
 			url = v
 			apiVersionInt = 2
 		}
 	}
+	if v, ok := attrs[attrURL]; ok && url == "" {
+		url = v
+	}
+	if url == "" {
+		return nil, errors.Errorf("url not set for github actions cache")
+	}
 	// best effort on old clients
 	if apiVersionInt == 0 {
 		if strings.Contains(url, "results-receiver.actions.githubusercontent.com") {
diff --git a/vendor/github.com/moby/buildkit/client/solve.go b/vendor/github.com/moby/buildkit/client/solve.go
index efdf9fa9f1055..57ee82d056691 100644
--- a/vendor/github.com/moby/buildkit/client/solve.go
+++ b/vendor/github.com/moby/buildkit/client/solve.go
@@ -7,6 +7,7 @@ import (
 	"io"
 	"maps"
 	"os"
+	"slices"
 	"strings"
 	"time"
 
@@ -24,7 +25,6 @@ import (
 	"github.com/moby/buildkit/solver/pb"
 	spb "github.com/moby/buildkit/sourcepolicy/pb"
 	"github.com/moby/buildkit/util/bklog"
-	"github.com/moby/buildkit/util/entitlements"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/tonistiigi/fsutil"
@@ -45,7 +45,7 @@ type SolveOpt struct {
 	CacheExports []CacheOptionsEntry
 	CacheImports []CacheOptionsEntry
 	Session []session.Attachable
-	AllowedEntitlements []entitlements.Entitlement
+	AllowedEntitlements []string
 	SharedSession *session.Session // TODO: refactor to better session syncing
 	SessionPreInitialized bool // TODO: refactor to better session syncing
 	Internal bool
@@ -277,7 +277,7 @@ func (c *Client) solve(ctx context.Context, def *llb.Definition, runGateway runG
 		FrontendAttrs: frontendAttrs,
 		FrontendInputs: frontendInputs,
 		Cache: &cacheOpt.options,
-		Entitlements: entitlementsToPB(opt.AllowedEntitlements),
+		Entitlements: slices.Clone(opt.AllowedEntitlements),
 		Internal: opt.Internal,
 		SourcePolicy: opt.SourcePolicy,
 	})
@@ -553,11 +553,3 @@ func prepareMounts(opt *SolveOpt) (map[string]fsutil.FS, error) {
 	}
 	return mounts, nil
 }
-
-func entitlementsToPB(entitlements []entitlements.Entitlement) []string {
-	clone := make([]string, len(entitlements))
-	for i, e := range entitlements {
-		clone[i] = string(e)
-	}
-	return clone
-}
diff --git a/vendor/github.com/moby/buildkit/cmd/buildkitd/config/config.go b/vendor/github.com/moby/buildkit/cmd/buildkitd/config/config.go
index 381effcdc9b77..3222406a42da7 100644
--- a/vendor/github.com/moby/buildkit/cmd/buildkitd/config/config.go
+++ b/vendor/github.com/moby/buildkit/cmd/buildkitd/config/config.go
@@ -77,8 +77,9 @@ type OTELConfig struct {
 }
 
 type CDIConfig struct {
-	Disabled *bool `toml:"disabled"`
-	SpecDirs []string `toml:"specDirs"`
+	Disabled *bool `toml:"disabled"`
+	SpecDirs []string `toml:"specDirs"`
+	AutoAllowed []string `toml:"autoAllowed"`
 }
 
 type GCConfig struct {
diff --git a/vendor/github.com/moby/buildkit/control/control.go b/vendor/github.com/moby/buildkit/control/control.go
index ca50913190b9d..a54425168d6e5 100644
--- a/vendor/github.com/moby/buildkit/control/control.go
+++ b/vendor/github.com/moby/buildkit/control/control.go
@@ -695,7 +695,7 @@ func toPBCDIDevices(manager *cdidevices.Manager) []*apitypes.CDIDevice {
 	for _, dev := range devs {
 		out = append(out, &apitypes.CDIDevice{
 			Name: dev.Name,
-			AutoAllow: true, // TODO
+			AutoAllow: dev.AutoAllow,
 			Annotations: dev.Annotations,
 			OnDemand: dev.OnDemand,
 		})
diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go b/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go
index 18b20ba0c7852..b3466c65066ff 100644
--- a/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go
+++ b/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go
@@ -138,7 +138,7 @@ func (b *llbBridge) loadResult(ctx context.Context, def *pb.Definition, cacheImp
 	}
 
 	dpc := &detectPrunedCacheID{}
-	edge, err := Load(ctx, def, polEngine, dpc.Load, ValidateEntitlements(ent), WithCacheSources(cms), NormalizeRuntimePlatforms(), WithValidateCaps())
+	edge, err := Load(ctx, def, polEngine, dpc.Load, ValidateEntitlements(ent, w.CDIManager()), WithCacheSources(cms), NormalizeRuntimePlatforms(), WithValidateCaps())
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to load LLB")
 	}
diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/cdidevices/manager.go b/vendor/github.com/moby/buildkit/solver/llbsolver/cdidevices/manager.go
index 1996a41c8f7f6..673c823f25c81 100644
--- a/vendor/github.com/moby/buildkit/solver/llbsolver/cdidevices/manager.go
+++ b/vendor/github.com/moby/buildkit/solver/llbsolver/cdidevices/manager.go
@@ -2,6 +2,7 @@ package cdidevices
 
 import (
 	"context"
+	"strconv"
 	"strings"
 
 	"github.com/moby/buildkit/solver/pb"
@@ -13,7 +14,10 @@ import (
 	"tags.cncf.io/container-device-interface/pkg/parser"
 )
 
-const deviceAnnotationClass = "org.mobyproject.buildkit.device.class"
+const (
+	deviceAnnotationClass = "org.mobyproject.buildkit.device.class"
+	deviceAnnotationAutoAllow = "org.mobyproject.buildkit.device.autoallow"
+)
 
 var installers = map[string]Setup{}
 
@@ -35,17 +39,38 @@ type Device struct {
 }
 
 type Manager struct {
-	cache *cdi.Cache
-	locker *locker.Locker
+	cache *cdi.Cache
+	locker *locker.Locker
+	autoAllowed map[string]struct{}
 }
 
-func NewManager(cache *cdi.Cache) *Manager {
+func NewManager(cache *cdi.Cache, autoAllowed []string) *Manager {
+	m := make(map[string]struct{})
+	for _, d := range autoAllowed {
+		m[d] = struct{}{}
+	}
 	return &Manager{
-		cache: cache,
-		locker: locker.New(),
+		cache: cache,
+		locker: locker.New(),
+		autoAllowed: m,
 	}
 }
 
+func (m *Manager) isAutoAllowed(kind, name string, annotations map[string]string) bool {
+	if _, ok := m.autoAllowed[name]; ok {
+		return true
+	}
+	if _, ok := m.autoAllowed[kind]; ok {
+		return true
+	}
+	if v, ok := annotations[deviceAnnotationAutoAllow]; ok {
+		if b, err := strconv.ParseBool(v); err == nil && b {
+			return true
+		}
+	}
+	return false
+}
+
 func (m *Manager) ListDevices() []Device {
 	devs := m.cache.ListDevices()
 	out := make([]Device, 0, len(devs))
@@ -53,10 +78,11 @@ func (m *Manager) ListDevices() []Device {
 	for _, dev := range devs {
 		kind, _, _ := strings.Cut(dev, "=")
 		dd := m.cache.GetDevice(dev)
+		annotations := deviceAnnotations(dd)
 		out = append(out, Device{
 			Name: dev,
-			AutoAllow: true, // TODO
-			Annotations: deviceAnnotations(dd),
+			AutoAllow: m.isAutoAllowed(kind, dev, annotations),
+			Annotations: annotations,
 		})
 		kinds[kind] = struct{}{}
 	}
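Review bot: isAutoAllowed in the `-35,17` hunk treats the `org.mobyproject.buildkit.device.autoallow` annotation read from the CDI spec itself as sufficient to inject a device with no device entitlement, so anyone who can write a spec into a configured specDir can make any device auto-allowed for every build on that daemon; the method carries no comment stating this trust assumption. I would add `// isAutoAllowed reports whether a device may be injected without an explicit device entitlement: it is listed in the daemon's autoAllowed config (by full name or by kind), or its CDI spec carries the autoallow annotation. Spec dirs are therefore trusted input and must be writable only by the daemon administrator.` The kind match is also broader than it looks: allowing a kind grants every device of that kind, including ones that appear in the spec dir later, which the `autoAllowed` config documentation should say explicitly. Whether the annotation is meant to be honoured from arbitrary spec dirs or only from on-demand installers is not visible here and is worth confirming with the author.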
@@ -69,20 +95,31 @@ func (m *Manager) ListDevices() []Device {
 			continue
 		}
 		out = append(out, Device{
-			Name: k,
-			OnDemand: true,
+			Name: k,
+			OnDemand: true,
+			AutoAllow: true,
 		})
 	}
 	return out
 }
 
+func (m *Manager) GetDevice(name string) Device {
+	kind, _, _ := strings.Cut(name, "=")
+	annotations := deviceAnnotations(m.cache.GetDevice(name))
+	return Device{
+		Name: name,
+		AutoAllow: m.isAutoAllowed(kind, name, annotations),
+		Annotations: annotations,
+	}
+}
+
 func (m *Manager) Refresh() error {
 	return m.cache.Refresh()
 }
 
 func (m *Manager) InjectDevices(spec *specs.Spec, devs ...*pb.CDIDevice) error {
-	pdevs, err := m.parseDevices(devs...)
+	pdevs, err := m.FindDevices(devs...)
 	if err != nil {
 		return err
 	} else if len(pdevs) == 0 {
@@ -93,13 +130,17 @@ func (m *Manager) InjectDevices(spec *specs.Spec, devs ...*pb.CDIDevice) error {
 	return err
 }
 
-func (m *Manager) parseDevices(devs ...*pb.CDIDevice) ([]string, error) {
+func (m *Manager) FindDevices(devs ...*pb.CDIDevice) ([]string, error) {
 	var out []string
+	if len(devs) == 0 {
+		return out, nil
+	}
+	list := m.cache.ListDevices()
 	for _, dev := range devs {
 		if dev == nil {
 			continue
 		}
-		pdev, err := m.parseDevice(dev)
+		pdev, err := m.parseDevice(dev, list)
 		if err != nil {
 			return nil, err
 		} else if len(pdev) == 0 {
@@ -110,7 +151,7 @@ func (m *Manager) parseDevices(devs ...*pb.CDIDevice) ([]string, error) {
 	return dedupSlice(out), nil
 }
 
-func (m *Manager) parseDevice(dev *pb.CDIDevice) ([]string, error) {
+func (m *Manager) parseDevice(dev *pb.CDIDevice, all []string) ([]string, error) {
 	var out []string
 	kind, name, _ := strings.Cut(dev.Name, "=")
 
@@ -127,7 +168,7 @@ func (m *Manager) parseDevice(dev *pb.CDIDevice) ([]string, error) {
 	switch name {
 	case "":
 		// first device of kind if no name is specified
-		for _, d := range m.cache.ListDevices() {
+		for _, d := range all {
 			if strings.HasPrefix(d, kind+"=") {
 				out = append(out, d)
 				break
@@ -135,14 +176,14 @@ func (m *Manager) parseDevice(dev *pb.CDIDevice) ([]string, error) {
 		}
 	case "*":
 		// all devices of kind if the name is a wildcard
-		for _, d := range m.cache.ListDevices() {
+		for _, d := range all {
 			if strings.HasPrefix(d, kind+"=") {
 				out = append(out, d)
 			}
 		}
 	default:
 		// the specified device
-		for _, d := range m.cache.ListDevices() {
+		for _, d := range all {
 			if d == dev.Name {
 				out = append(out, d)
 				break
@@ -150,7 +191,7 @@ func (m *Manager) parseDevice(dev *pb.CDIDevice) ([]string, error) {
 	}
 	if len(out) == 0 {
 		// check class annotation if name unknown
-		for _, d := range m.cache.ListDevices() {
+		for _, d := range all {
 			if !strings.HasPrefix(d, kind+"=") {
 				continue
 			}
@@ -214,6 +255,9 @@ func (m *Manager) OnDemandInstaller(name string) (func(context.Context) error, b
 			return errors.Wrapf(err, "failed to refresh CDI cache")
 		}
 
+		// TODO: this needs to be set as annotation to survive reboot
+		m.autoAllowed[name] = struct{}{}
+
 		return nil
 	}, true
 }
diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go b/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go
index 15a1f0911372c..2ac9070a1fcf9 100644
--- a/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go
+++ b/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go
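Review bot: `m.autoAllowed[name] = struct{}{}` in the OnDemandInstaller hunk writes to a plain Go map that ListDevices and GetDevice read through isAutoAllowed without any lock; the per-key `locker` on Manager does not cover the map, so unless the caller serializes these paths outside this hunk, a build installing a device on demand while another build lists devices is a concurrent map read/write, which the runtime treats as fatal. Guard it with a `sync.RWMutex` on Manager — `m.mu.Lock(); m.autoAllowed[name] = struct{}{}; m.mu.Unlock()` here and `m.mu.RLock()`/`RUnlock()` around the two map lookups in isAutoAllowed — or, as the TODO already suggests, persist the grant as the autoallow annotation so the map is never mutated after construction. The TODO also implies an installed device silently stops being auto-allowed after a daemon restart, which is a behaviour change worth spelling out in the comment, e.g. `// TODO: persist as the autoallow annotation; until then this grant is lost on daemon restart and builds will fail the device entitlement check.` OnDemandInstaller's body begins outside the hunk.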
@@ -1110,19 +1110,26 @@ func supportedEntitlements(ents []string) []entitlements.Entitlement {
 		if e == string(entitlements.EntitlementSecurityInsecure) {
 			out = append(out, entitlements.EntitlementSecurityInsecure)
 		}
+		if e == string(entitlements.EntitlementDevice) {
+			out = append(out, entitlements.EntitlementDevice)
+		}
 	}
 	return out
 }
 
 func loadEntitlements(b solver.Builder) (entitlements.Set, error) {
-	var ent entitlements.Set = map[entitlements.Entitlement]struct{}{}
+	var ent entitlements.Set = map[entitlements.Entitlement]entitlements.EntitlementsConfig{}
 	err := b.EachValue(context.TODO(), keyEntitlements, func(v interface{}) error {
 		set, ok := v.(entitlements.Set)
 		if !ok {
 			return errors.Errorf("invalid entitlements %T", v)
 		}
-		for k := range set {
-			ent[k] = struct{}{}
+		for k, v := range set {
+			if prev, ok := ent[k]; ok && prev != nil {
+				prev.Merge(v)
+			} else {
+				ent[k] = v
+			}
 		}
 		return nil
 	})
diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go b/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go
index 21ae0f9f22b82..c61f3b9ea7198 100644
--- a/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go
+++ b/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/containerd/platforms"
 	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/solver/llbsolver/cdidevices"
 	"github.com/moby/buildkit/solver/llbsolver/ops/opsutils"
 	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/util/apicaps"
@@ -109,7 +110,7 @@ func NormalizeRuntimePlatforms() LoadOpt {
 	}
 }
 
-func ValidateEntitlements(ent entitlements.Set) LoadOpt {
+func ValidateEntitlements(ent entitlements.Set, cdiManager *cdidevices.Manager) LoadOpt {
 	return func(op *pb.Op, _ *pb.OpMetadata, opt *solver.VertexOptions) error {
 		switch op := op.Op.(type) {
 		case *pb.Op_Exec:
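Review bot: `prev.Merge(v)` in the loadEntitlements hunk discards the error Merge returns, so when two builders contribute entitlement configs of different concrete types the second is silently dropped instead of failing the load; WhiteList in entitlements.go checks the same call, and this site should match it: `if err := prev.Merge(v); err != nil { return err }`. The loop also rebinds `v`, shadowing the closure's `interface{}` parameter of the same name, which makes the `%T` in the error message two lines up read as if it referred to the config; renaming the loop value to `cfg` removes the ambiguity. Since Merge mutates `prev` in place, it is also worth a one-line comment that the first Set's DevicesConfig is modified rather than copied, which matters if the builder values are shared across solves; whether they are is not visible from this hunk.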
@@ -120,6 +121,75 @@ func ValidateEntitlements(ent entitlements.Set) LoadOpt {
 			if err := ent.Check(v); err != nil {
 				return err
 			}
+			if device := op.Exec.CdiDevices; len(device) > 0 {
+				var cfg *entitlements.DevicesConfig
+				if ent, ok := ent[entitlements.EntitlementDevice]; ok {
+					cfg, ok = ent.(*entitlements.DevicesConfig)
+					if !ok {
+						return errors.Errorf("invalid device entitlement config %T", ent)
+					}
+				}
+				if cfg != nil && cfg.All {
+					return nil
+				}
+
+				var allowedDevices []*pb.CDIDevice
+				var nonAliasedDevices []*pb.CDIDevice
+				if cfg != nil {
+					for _, d := range op.Exec.CdiDevices {
+						if newName, ok := cfg.Devices[d.Name]; ok && newName != "" {
+							d.Name = newName
+							allowedDevices = append(allowedDevices, d)
+						} else {
+							nonAliasedDevices = append(nonAliasedDevices, d)
+						}
+					}
+				} else {
+					nonAliasedDevices = op.Exec.CdiDevices
+				}
+
+				mountedDevices, err := cdiManager.FindDevices(nonAliasedDevices...)
+				if err != nil {
+					return err
+				}
+				if len(mountedDevices) == 0 {
+					op.Exec.CdiDevices = allowedDevices
+					return nil
+				}
+
+				grantedDevices := make(map[string]struct{})
+				if cfg != nil {
+					for d := range cfg.Devices {
+						resolved, err := cdiManager.FindDevices(&pb.CDIDevice{Name: d})
+						if err != nil {
+							return err
+						}
+						for _, r := range resolved {
+							grantedDevices[r] = struct{}{}
+						}
+					}
+				}
+
+				var forbidden []string
+				for _, d := range mountedDevices {
+					if _, ok := grantedDevices[d]; !ok {
+						if dev := cdiManager.GetDevice(d); !dev.AutoAllow {
+							forbidden = append(forbidden, d)
+							continue
+						}
+					}
+					allowedDevices = append(allowedDevices, &pb.CDIDevice{Name: d})
+				}
+
+				if len(forbidden) > 0 {
+					if len(forbidden) == 1 {
+						return errors.Errorf("device %s is requested by the build but not allowed", forbidden[0])
+					}
+					return errors.Errorf("devices %s are requested by the build but not allowed", strings.Join(forbidden, ", "))
+				}
+
+				op.Exec.CdiDevices = allowedDevices
+			}
 		}
 		return nil
 	}
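Review bot: The new device block in ValidateEntitlements is the enforcement point that decides which host devices an untrusted build may touch, yet it is the one part of the hunk with no comment, and it has a side effect the name does not suggest: it rewrites `op.Exec.CdiDevices` in place (aliases are renamed to their real device, and non-aliased requests that FindDevices could not resolve are dropped rather than rejected, via the `len(mountedDevices) == 0` early return). I would put a header above `if device := op.Exec.CdiDevices; len(device) > 0 {` along the lines of `// Device entitlement: devices requested via an alias granted with --allow device=...,alias=... are renamed to the real device; every other request must resolve to a device that is either explicitly granted or marked AutoAllow by the CDI manager, otherwise the solve fails. Note this mutates op.Exec.CdiDevices.` Whether silently dropping unresolved devices is intended or whether those should also count as forbidden is not visible here and deserves a stated decision. Two readability points in the same lines: `if ent, ok := ent[...]` shadows the entitlements.Set with an EntitlementsConfig for the rest of that `if`, and the `device` binding is only used for its length — `if len(op.Exec.CdiDevices) > 0 {` and a differently named inner variable (e.g. `devEnt`) would make the grant lookup easier to audit.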
diff --git a/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go b/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go
index 328580c326df4..106f492ceee24 100644
--- a/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go
+++ b/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go
@@ -1,31 +1,119 @@
 package entitlements
 
 import (
+	"strings"
+
 	"github.com/pkg/errors"
+	"github.com/tonistiigi/go-csvvalue"
 )
 
 type Entitlement string
 
+func (e Entitlement) String() string {
+	return string(e)
+}
+
 const (
 	EntitlementSecurityInsecure Entitlement = "security.insecure"
 	EntitlementNetworkHost Entitlement = "network.host"
+	EntitlementDevice Entitlement = "device"
 )
 
 var all = map[Entitlement]struct{}{
 	EntitlementSecurityInsecure: {},
 	EntitlementNetworkHost: {},
+	EntitlementDevice: {},
+}
+
+type EntitlementsConfig interface {
+	Merge(EntitlementsConfig) error
 }
 
-func Parse(s string) (Entitlement, error) {
+type DevicesConfig struct {
+	Devices map[string]string
+	All bool
+}
+
+var _ EntitlementsConfig = &DevicesConfig{}
+
+func ParseDevicesConfig(s string) (*DevicesConfig, error) {
+	if s == "" {
+		return &DevicesConfig{All: true}, nil
+	}
+
+	fields, err := csvvalue.Fields(s, nil)
+	if err != nil {
+		return nil, err
+	}
+	deviceName := fields[0]
+	var deviceAlias string
+
+	for _, field := range fields[1:] {
+		k, v, ok := strings.Cut(field, "=")
+		if !ok {
+			return nil, errors.Errorf("invalid device config %q", field)
+		}
+		switch k {
+		case "alias":
+			deviceAlias = v
+		default:
+			return nil, errors.Errorf("unknown device config key %q", k)
+		}
+	}
+
+	cfg := &DevicesConfig{Devices: map[string]string{}}
+
+	if deviceAlias != "" {
+		cfg.Devices[deviceAlias] = deviceName
+	} else {
+		cfg.Devices[deviceName] = ""
+	}
+	return cfg, nil
+}
+
+func (c *DevicesConfig) Merge(in EntitlementsConfig) error {
+	c2, ok := in.(*DevicesConfig)
+	if !ok {
+		return errors.Errorf("cannot merge %T into %T", in, c)
+	}
+
+	if c2.All {
+		c.All = true
+		return nil
+	}
+
+	for k, v := range c2.Devices {
+		if c.Devices == nil {
+			c.Devices = map[string]string{}
+		}
+		c.Devices[k] = v
+	}
+	return nil
+}
+
+func Parse(s string) (Entitlement, EntitlementsConfig, error) {
+	var cfg EntitlementsConfig
+	key, rest, _ := strings.Cut(s, "=")
+	switch Entitlement(key) {
+	case EntitlementDevice:
+		s = key
+		var err error
+		cfg, err = ParseDevicesConfig(rest)
+		if err != nil {
+			return "", nil, err
+		}
+	default:
+	}
+
 	_, ok := all[Entitlement(s)]
 	if !ok {
-		return "", errors.Errorf("unknown entitlement %s", s)
+		return "", nil, errors.Errorf("unknown entitlement %s", s)
 	}
-	return Entitlement(s), nil
+	return Entitlement(s), cfg, nil
 }
 
 func WhiteList(allowed, supported []Entitlement) (Set, error) {
-	m := map[Entitlement]struct{}{}
+	m := map[Entitlement]EntitlementsConfig{}
 	var supm Set
 
 	if supported != nil {
@@ -37,7 +125,7 @@ func WhiteList(allowed, supported []Entitlement) (Set, error) {
 	}
 
 	for _, e := range allowed {
-		e, err := Parse(string(e))
+		e, cfg, err := Parse(string(e))
 		if err != nil {
 			return nil, err
 		}
@@ -46,13 +134,19 @@ func WhiteList(allowed, supported []Entitlement) (Set, error) {
 			return nil, errors.Errorf("granting entitlement %s is not allowed by build daemon configuration", e)
 		}
 	}
-	m[e] = struct{}{}
+	if prev, ok := m[e]; ok && prev != nil {
+		if err := prev.Merge(cfg); err != nil {
+			return nil, err
+		}
+	} else {
+		m[e] = cfg
+	}
 	}
 
 	return Set(m), nil
 }
 
-type Set map[Entitlement]struct{}
+type Set map[Entitlement]EntitlementsConfig
 
 func (s Set) Allowed(e Entitlement) bool {
 	_, ok := s[e]
@@ -77,4 +171,5 @@ func (s Set) Check(v Values) error {
 type Values struct {
 	NetworkHost bool
 	SecurityInsecure bool
+	Devices map[string]struct{}
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index f90c3c74870a4..ec4e3d3b8e7e2 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -755,7 +755,7 @@ github.com/mitchellh/hashstructure/v2
 # github.com/mitchellh/reflectwalk v1.0.2
 ## explicit
 github.com/mitchellh/reflectwalk
-# github.com/moby/buildkit v0.20.0-rc2
+# github.com/moby/buildkit v0.20.0-rc2 => github.com/crazy-max/buildkit v0.7.1-0.20250218091528-281e8c9d0ef8
 ## explicit; go 1.22.0
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types
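Review bot: ParseDevicesConfig indexes `fields[0]` right after `csvvalue.Fields(s, nil)` with no length check and never rejects an empty device name, so a value such as `device=,alias=gpu` (or, if Fields can return zero fields for a whitespace-only input, something like `device= `) either grants an alias to the empty device or panics inside entitlement parsing; this is client-supplied input on the solve request, so it should fail cleanly. Add after the error check `if len(fields) == 0 || fields[0] == "" { return nil, errors.Errorf("device name missing in device entitlement %q", s) }`. Two documentation points on the same function: the empty-string case means a bare `--allow device` grants every device (`All: true`), which the `ParseDevicesConfig` doc comment should state in those words because it is the most permissive form, and the `Devices` map has two different shapes (alias → real name, or real name → "") that only make sense once you read ValidateEntitlements, so a comment on the `Devices` field describing that encoding would save the next reader a trip across packages.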
@@ -1690,3 +1690,4 @@ tags.cncf.io/container-device-interface/pkg/parser
 # tags.cncf.io/container-device-interface/specs-go v0.8.0
 ## explicit; go 1.19
 tags.cncf.io/container-device-interface/specs-go
+# github.com/moby/buildkit => github.com/crazy-max/buildkit v0.7.1-0.20250218091528-281e8c9d0ef8