github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2025-09-18 00:01:15 +00:00
Code Issues Projects Releases Wiki Activity

when comparing builder config files, ensure only compare post-processed

Browse Source 
Signed-off-by: Avi Deitcher <avi@deitcher.net>
This commit is contained in:
Avi Deitcher
2025-09-12 10:47:46 +03:00
committed by Avi Deitcher
parent a755fd917d
commit 2ed6850397
7 changed files with 134 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
src/cmd/linuxkit/pkglib/dockerimpl.go
View File

@@ -63,7 +63,8 @@ const (
buildkitCheckInterval = 1 // seconds buildkitCheckInterval = 1 // seconds
sbomFrontEndKey = "attest:sbom" sbomFrontEndKey = "attest:sbom"
buildkitConfigDir = "/etc/buildkit" buildkitConfigDir = "/etc/buildkit"
buildkitConfigPath = buildkitConfigDir + "/buildkitd.toml" buildkitConfigFileName = "buildkitd.toml"
buildkitConfigPath = buildkitConfigDir + "/" + buildkitConfigFileName
) )
type dockerRunnerImpl struct { type dockerRunnerImpl struct {
@@ -277,6 +278,7 @@ func (dr *dockerRunnerImpl) builderEnsureContainer(ctx context.Context, name, im
for range buildKitCheckRetryCount { for range buildKitCheckRetryCount {
var b bytes.Buffer var b bytes.Buffer
var cid string var cid string
var filesToLoadIntoContainer map[string][]byte
if err := dr.command(nil, &b, io.Discard, "--context", dockerContext, "container", "inspect", name); err == nil { if err := dr.command(nil, &b, io.Discard, "--context", dockerContext, "container", "inspect", name); err == nil {
// we already have a container named "linuxkit-builder" in the provided context. // we already have a container named "linuxkit-builder" in the provided context.
// get its state and config // get its state and config
@@ -295,16 +297,25 @@ func (dr *dockerRunnerImpl) builderEnsureContainer(ctx context.Context, name, im
// if it is provided, we assume it is false until proven true // if it is provided, we assume it is false until proven true
log.Debugf("checking if configPath %s is correct in container %s", configPath, name) log.Debugf("checking if configPath %s is correct in container %s", configPath, name)
configPathCorrect = false configPathCorrect = false
if err := dr.command(nil, &b, io.Discard, "--context", dockerContext, "container", "exec", name, "cat", buildkitConfigPath); err == nil { var configB bytes.Buffer
// sha256sum the config file to see if it matches the provided configPath // we cannot exactly use the local config file, as it gets modified to get loaded into the container
containerConfigFileHash := sha256.Sum256(b.Bytes()) // so we preprocess it using the same library that would load it up
log.Debugf("container %s has configPath %s with sha256sum %x", name, buildkitConfigPath, containerConfigFileHash) filesToLoadIntoContainer, err = confutil.LoadConfigFiles(configPath)
configFileContents, err := os.ReadFile(configPath)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to read buildkit config file %s: %v", configPath, err) return nil, fmt.Errorf("failed to load buildkit config file %s: %v", configPath, err)
}
if err := dr.command(nil, &configB, io.Discard, "--context", dockerContext, "container", "exec", name, "cat", buildkitConfigPath); err == nil {
// sha256sum the config file to see if it matches the provided configPath
containerConfigFileHash := sha256.Sum256(configB.Bytes())
log.Debugf("container %s has configPath %s with sha256sum %x", name, buildkitConfigPath, containerConfigFileHash)
log.Tracef("container %s has configPath %s with contents:\n%s", name, buildkitConfigPath, configB.String())
configFileContents, ok := filesToLoadIntoContainer[buildkitConfigFileName]
if !ok {
return nil, fmt.Errorf("unable to read provided buildkit config file %s: %v", configPath, err)
} }
localConfigFileHash := sha256.Sum256(configFileContents) localConfigFileHash := sha256.Sum256(configFileContents)
log.Debugf("local %s has configPath %s with sha256sum %x", name, configPath, localConfigFileHash) log.Debugf("local %s has configPath %s with sha256sum %x", name, configPath, localConfigFileHash)
log.Tracef("local %s has configPath %s with contents:\n%s", name, buildkitConfigPath, string(configFileContents))
if bytes.Equal(containerConfigFileHash[:], localConfigFileHash[:]) { if bytes.Equal(containerConfigFileHash[:], localConfigFileHash[:]) {
log.Debugf("configPath %s in container %s matches local configPath %s", buildkitConfigPath, name, configPath) log.Debugf("configPath %s in container %s matches local configPath %s", buildkitConfigPath, name, configPath)
configPathCorrect = true configPathCorrect = true
@@ -314,8 +325,6 @@ func (dr *dockerRunnerImpl) builderEnsureContainer(ctx context.Context, name, im
} else { } else {
log.Debugf("could not read configPath %s from container %s, assuming it is not correct", buildkitConfigPath, name) log.Debugf("could not read configPath %s from container %s, assuming it is not correct", buildkitConfigPath, name)
} }
// now rewrite and copy over certs, if needed
//https://github.com/docker/buildx/blob/master/util/confutil/container.go#L27
} }
switch { switch {
@@ -338,7 +347,7 @@ func (dr *dockerRunnerImpl) builderEnsureContainer(ctx context.Context, name, im
stop = isRunning stop = isRunning
remove = true remove = true
case !configPathCorrect: case !configPathCorrect:
fmt.Printf("existing container has wrong configPath mount, restarting\n") fmt.Printf("existing container has wrong configPath contents, restarting\n")
recreate = true recreate = true
stop = isRunning stop = isRunning
remove = true remove = true
@@ -405,11 +414,7 @@ func (dr *dockerRunnerImpl) builderEnsureContainer(ctx context.Context, name, im
} }
// copy in the buildkit config file, if provided // copy in the buildkit config file, if provided
if configPath != "" { if configPath != "" {
files, err := confutil.LoadConfigFiles(configPath) if err := dr.copyFilesToContainer(name, filesToLoadIntoContainer); err != nil {
if err != nil {
return nil, fmt.Errorf("failed to load buildkit config file %s: %v", configPath, err)
}
if err := dr.copyFilesToContainer(name, files); err != nil {
return nil, fmt.Errorf("failed to copy buildkit config file %s and certificates into container %s: %v", configPath, name, err) return nil, fmt.Errorf("failed to copy buildkit config file %s and certificates into container %s: %v", configPath, name, err)
} }
} }

1
test/cases/040_packages/026_buildkit_config/.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
docker-config/

2
test/cases/040_packages/026_buildkit_config/Dockerfile Normal file
View File

@@ -0,0 +1,2 @@
FROM alpine:3.21
RUN echo hi

2
test/cases/040_packages/026_buildkit_config/build.yml Normal file
View File

@@ -0,0 +1,2 @@
org: linuxkit
image: builder-config

18
test/cases/040_packages/026_buildkit_config/buildkitd-2.toml Normal file
View File

@@ -0,0 +1,18 @@
# it does not matter what these contents are, as long as they are valid and can be processed
# and are different than the ones in buildkitd.toml
debug = true
# trace = true
insecure-entitlements = [ "network.host", "security.insecure" ]
[worker.oci]
max-parallelism = 48
[worker.oci.gcpulimits]
enabled = true
[log]
# log formatter: json or text
format = "json"
[registry."172.17.0.2:5001"]
insecure = true
http = true

17
test/cases/040_packages/026_buildkit_config/buildkitd.toml Normal file
View File

@@ -0,0 +1,17 @@
# it does not matter what these contents are, as long as they are valid and can be processed
debug = true
# trace = true
insecure-entitlements = [ "network.host", "security.insecure" ]
[worker.oci]
max-parallelism = 56
[worker.oci.gcpulimits]
enabled = false
[log]
# log formatter: json or text
format = "text"
[registry."172.17.0.2:5000"]
insecure = true
http = true

69
test/cases/040_packages/026_buildkit_config/test.sh Normal file
View File

@@ -0,0 +1,69 @@
#!/bin/sh
# SUMMARY: Check that we can access a registry with auth
# LABELS:
set -e
# Source libraries. Uncomment if needed/defined
#. "${RT_LIB}"
. "${RT_PROJECT_ROOT}/_lib/lib.sh"
clean_up() {
[ -n "${CACHEDIR}" ] && rm -rf "${CACHEDIR}"
}
trap clean_up EXIT
# determine platform
ARCH=$(uname -m)
if [ "${ARCH}" = "x86_64" ]; then
ARCH="amd64"
elif [ "${ARCH}" = "aarch64" ]; then
ARCH="arm64"
fi
PLATFORM="linux/${ARCH}"
CACHEDIR=$(mktemp -d)
# tests:
# 1. build the local package with the custom buildkitd.toml - should succeed
# 2. rebuild the local package with the same buildkitd.toml - should succeed without starting a new builder container
# 3. rebuild the local package with the different buildkitd-2.toml - should succeed after starting a new builder container
if ! linuxkit --verbose 3 --cache "${CACHEDIR}" pkg build --platforms "${PLATFORM}" \
--builder-config "$(pwd)/buildkitd.toml" --force \
.; then
echo "Build 1 failed"
exit 1
fi
CID1=$(docker inspect linuxkit-builder --format '{{.ID}}')
# get the containerd
if ! linuxkit --verbose 3 --cache "${CACHEDIR}" pkg build --platforms "${PLATFORM}" \
--builder-config "$(pwd)/buildkitd.toml" --force \
.; then
echo "Build 2 failed"
exit 1
fi
CID2=$(docker inspect linuxkit-builder --format '{{.ID}}')
if ! linuxkit --verbose 3 --cache "${CACHEDIR}" pkg build --platforms "${PLATFORM}" \
--builder-config "$(pwd)/buildkitd-2.toml" --force \
.; then
echo "Build 3 failed"
exit 1
fi
CID3=$(docker inspect linuxkit-builder --format '{{.ID}}')
# CID1 and CID2 should match, CID3 should not
echo "CID1: ${CID1}"
echo "CID2: ${CID2}"
echo "CID3: ${CID3}"
if [ "${CID1}" = "${CID2}" ] && [ "${CID2}" != "${CID3}" ]; then
echo "Build 1 and 2 used the same builder container, but Build 3 used a different one"
else
echo "Unexpected builder container behavior"
exit 1
fi
exit 0