Copying a symlinked wildcard directory leads to incorrect caching #2300

Closed
aaronlehmann opened this issue Aug 10, 2021 · 13 comments · Fixed by #2318

Comments

@aaronlehmann
Collaborator

aaronlehmann commented Aug 10, 2021

In this scenario, there is a symlink from /data -> /mnt/data. On a subsequent layer, files are created under /data. A copy operation with a source path under /mnt/data ends up copying these files, but the cache key is set as if no files would be copied, because the contenthash logic only considers files with a /mnt/data prefix. This can lead to a very bad situation where the results of the copy are returned from cache for any similar copy that does not match any files.

This gist contains a repro case which demonstrates the problem: https://gist.github.com/aaronlehmann/77bd093d5f904719e0a329450d7c8453

In this repro case, we first copy /mnt/data/d1 from st1. The copy is done correctly, but the contenthash logic does not realize that any files would be copied, so it returns digest.FromBytes([]byte{}) for the cache key. Then when we run the same copy with a stock alpine image as input, the copy is cached, which is completely wrong because this directory doesn't even exist in the image.

This is the output from running the repro case:

Copying from st1 with a single file at /data/d1/foo:
#1 docker-image://docker.io/library/alpine:latest
#1 resolve docker.io/library/alpine:latest
#1 resolve docker.io/library/alpine:latest 1.0s done
#1 DONE 1.1s

#3 sh -c mkdir -p /mnt/data/d1 && ln -s /mnt/data /data
#3 CACHED

#4 sh -c echo abc > /data/d1/foo
#4 CACHED

#5 copy /mnt/data/d1 /
#5 CACHED

#2 sh -c apk add -U findutils
#2 CACHED

#6 sh -c find . -ls
#6 0.105   3343154      4 drwxr-xr-x   1 root     root         4096 Aug 10 18:28 .
#6 0.106   3343062      4 drwxr-xr-x   2 root     root         4096 Aug 10 18:17 ./d1
#6 0.106   3340803      4 -rw-r--r--   1 root     root            4 Aug 10 18:17 ./d1/foo
#6 DONE 0.1s

#7 exporting to client
#7 copying files 1.53MB 0.1s
#7 copying files 8.09MB 0.5s done
#7 DONE 0.5s
Copying from stock alpine image - copy should not be cached!:
#4 docker-image://docker.io/library/alpine:latest
#4 resolve docker.io/library/alpine:latest
#4 resolve docker.io/library/alpine:latest 0.2s done
#4 DONE 0.2s

#2 copy /mnt/data/d1 /
#2 CACHED

#1 sh -c apk add -U findutils
#1 CACHED

#3 sh -c find . -ls
#3 0.177   3343164      4 drwxr-xr-x   1 root     root         4096 Aug 10 18:28 .
#3 0.178   3343062      4 drwxr-xr-x   2 root     root         4096 Aug 10 18:17 ./d1
#3 0.178   3340803      4 -rw-r--r--   1 root     root            4 Aug 10 18:17 ./d1/foo
#3 DONE 0.2s

#5 exporting to client
#5 copying files
#5 copying files 8.09MB 0.4s done
#5 DONE 0.4s

cc @coryb @sipsma

aaronlehmann added a commit to aaronlehmann/buildkit that referenced this issue Aug 10, 2021
This adds a little extra testing around ** patterns, and adds a
(currently skipped) test for copying directories under symlinks (moby#2300).

It removes an extra call to `filepath.FromSlash` in `shouldIncludePath`
and an unused argument to that function.

Signed-off-by: Aaron Lehmann <[email protected]>
@tonistiigi
Member

I don't understand why the symlink matters if /mnt/data is a real dir and this is where you are copying from. Creating a file through a symlink in a previous layer shouldn't matter at all, as no metadata is saved and the file actually gets stored in /mnt/data. Is this specific to IncludePatterns?

@aaronlehmann
Collaborator Author

aaronlehmann commented Aug 10, 2021

I don't understand why the symlink matters if /mnt/data is a real dir and this is where you are copying from. Creating a file through a symlink in a previous layer shouldn't matter at all, as no metadata is saved and the file actually gets stored in /mnt/data.

In the overlayfs, the file gets created in /data/d1 rather than /mnt/data/d1. When the fsutil code walks /mnt/data/d1 to perform the actual copy, it does the right thing (presumably overlayfs hides the fact that the file was created in /data). But I think the in-memory prefix tree in cache/contenthash ends up tracking this file under /data/d1 and doesn't realize it should actually match the /mnt/data/d1/ prefix.

Is this specific to IncludePatterns?

I think it's specific to the code path where we have IncludePatterns, ExcludePatterns, or Wildcard:

```go
includedPaths, err := cc.includedPaths(ctx, m, p, opts)
if err != nil {
	return "", err
}
if opts.FollowLinks {
	for i, w := range includedPaths {
		if w.Record.Type == CacheRecordTypeSymlink {
			dgst, err := cc.checksumFollow(ctx, m, w.Path, opts.FollowLinks)
			if err != nil {
				return "", err
			}
			includedPaths[i].Record = &CacheRecord{Digest: dgst}
		}
	}
}
if len(includedPaths) == 0 {
	return digest.FromBytes([]byte{}), nil
}
```

The really bad part here is that since the code doesn't think any files match, it hits:

```go
if len(includedPaths) == 0 {
	return digest.FromBytes([]byte{}), nil
}
```

and ends up caching the result of this copy as if it was an empty result.

I haven't found a way to reproduce it without IncludePatterns, so it may be IncludePatterns-specific.

@aaronlehmann
Collaborator Author

So it turns out that the issue with symlinks was actually a bit more complicated. The original gist was exposing a separate, similar bug with IncludePatterns. I will open a PR to fix that one.

For the actual symlink issue, here's an updated repro case which doesn't use IncludePatterns: https://gist.github.com/aaronlehmann/64054c9a2cff0d27e200cc107bba3d69

The scenario is a little weird so I'll let the code speak for itself. One layer has a symlink /mnt/data -> /data, and another layer has the opposite symlink /data -> /mnt/data. Once again, the copy and caching have different logic, and the copy actually copies files, but Checksum thinks no files would be copied.

@tonistiigi
Member

tonistiigi commented Aug 12, 2021

In the overlayfs, the file gets created in /data/d1 rather than /mnt/data/d1.

That does not seem right. What's the difference?

/tmp # mkdir -p lower upper work merged
/tmp # mkdir -p lower/mnt/data/d1
/tmp # ln -s mnt/data lower/data
/tmp # mount -t overlay overlay -o lowerdir=lower,upperdir=upper,workdir=work merged
/tmp # echo abc > merged/data/d1/foo
/tmp # find upper
upper
upper/mnt
upper/mnt/data
upper/mnt/data/d1
upper/mnt/data/d1/foo

@aaronlehmann
Collaborator Author

Please refer to the updated scenario in https://gist.github.com/aaronlehmann/64054c9a2cff0d27e200cc107bba3d69:

(root) /tmp # mkdir -p lower upper work merged
(root) /tmp # mkdir -p lower/mnt/data/d1 &&  ln -s mnt/data lower/data
(root) /tmp # mkdir -p upper/data upper/mnt && ln -s ../data upper/mnt/data
(root) /tmp # mount -t overlay overlay -o lowerdir=lower,upperdir=upper,workdir=work merged
(root) /tmp # mkdir merged/data/d1
(root) /tmp # echo abc > merged/data/d1/foo
(root) /tmp # find upper
upper
upper/data
upper/data/d1
upper/data/d1/foo
upper/mnt
upper/mnt/data
(root) /tmp # ls upper/mnt/data/d1
foo

@tonistiigi
Member

Ok, in the latest gist you are copying through a symlink, so I guess something can go wrong in scanning there. But I don't think it is any weird overlay logic. In your overlay commands, you create a dir manually in upper that overrides the symlink in lower. Afaik this can't happen when just creating files through the overlay mountpoint.

@aaronlehmann
Collaborator Author

Yes, I think something does go wrong. The in-memory radix tree does not have files matching the prefix we are copying from, so it thinks nothing will be copied.

I don't think there's any weird overlay logic. It's just an inconsistency between the actual copy and contenthash.

@tonistiigi
Member

I guess for the symlink and wildcard to work together, the only way is for the matcher to match per path component, and then follow the symlink per component if needed. Does the same thing work for diffcopy?

@aaronlehmann
Collaborator Author

I guess for the symlink and wildcard to work together, the only way is for the matcher to match per path component, and then follow the symlink per component if needed.

I think this makes sense. There might be some extra complexity from the FollowLinks option. I think if FollowLinks is false, we need to follow links that might lead to something ending up inside the source path (i.e. data -> mnt/data in this case), but not follow links inside the actual source path. I'm not sure exactly how this would look.

Does the same thing work for diffcopy?

I'm not sure - I'm not familiar with the diffcopy code.

@tonistiigi
Member

I think if FollowLinks is false, we need to follow links that might lead to something ending up inside the source path

Yes,

func getFollowLinks(root *iradix.Node, k []byte, follow bool) ([]byte, *CacheRecord, error) {
gets called even on !FollowLinks, same for scanning I believe. But wildcards are trickier as you can't easily split the pattern.

@tonistiigi tonistiigi changed the title Copying a symlinked directory leads to incorrect caching Copying a symlinked wildcard directory leads to incorrect caching Aug 17, 2021
@aaronlehmann
Collaborator Author

Started looking at this, and I think the following should be done to make it consistent with the actual copy implementation:

  • Non-wildcard case: Split the base path into components, and resolve the path one component at a time, following symlinks along the way (this will match the behavior of the fsutil copier calling os.Lstat and ioutil.ReadDir on a dir that has a symlink somewhere inside the path prefix). Keep track of the prefix tree key (which has path prefix symlinks resolved) separately from the path used as input to the matcher (path prefix symlinks not resolved).
  • Wildcard case: Split the wildcard pattern into a prefix without wildcards, and the rest of the pattern. Then apply the same logic as above on the non-wildcard part of the prefix. See https://github.com/tonistiigi/fsutil/blob/d72af97c0eaf93c1d20360e3cb9c63c223675b83/copy/copy.go#L41 for the equivalent fsutil code.

The complexity here is that several places where we call convertPathToKey in order to do a prefix tree lookup need to be changed to do the lookup one component at a time, so this will touch a lot of code. Right now we have a fast path that uses checksumFollow for no wildcards and no include/exclude patterns, and a slow path using includedPaths. They each have separate logic for walking the tree, and both need to be fixed.

I might work on this but I'm not sure if or when I'll have time.

I am wondering if a narrower fix might make sense, at least as a short-term work around. It seems like it's been very complex to get the caching logic to exactly match what the copier does, and small differences can be catastrophic (for example, returning the wrong cached values for very broad sets of copy ops). Is there a way we could fall back to a slow path without caching for cases where the caching logic isn't known to match the copier 100%? Maybe we could detect a digest(null) cache key being returned for a copy operation that actually copied things, and avoid caching that data.

@tonistiigi
Member

Non-wildcard case:

What's the reproducer for the non-wildcard case?

@aaronlehmann
Collaborator Author

What's the reproducer for the non-wildcard case?

Anything using IncludePatterns or ExcludePatterns would reproduce it, even with opts.AllowWildcard = false, because includedPaths does not call getFollowLinks. But I suppose your point is that getFollowLinks should take care of this for the fast path (non-wildcard, no include or exclude patterns), and the slow path without wildcard should be relatively easily fixable since it could also call getFollowLinks to resolve the base path in the tree. Then the only remaining hurdle is the wildcard case in includedPaths, and I think splitting out the non-wildcard prefix from the pattern and using getFollowLinks on it would address that. So maybe this isn't a big change, after all.
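A self-contained Go model of the mismatch discussed in this thread, added here as an illustration; it is not buildkit or fsutil code. `checksumNaive` looks the source path up in a prefix tree by string prefix alone, which is the lookup the issue describes, while `resolvePrefix` and `checksumResolved` implement the plan above: resolve the path one component at a time, following symlinks in prefix components, and for a wildcard resolve only the wildcard-free prefix before matching the rest. `record`, `tree`, `scenario` and every function name are constructed for this example; `scenario` encodes the merged view of the second gist (a real /data directory shadowing the lower layer's link, plus an upper-layer /mnt/data -> ../data link), and the digest is a plain SHA-256 over key/content pairs rather than buildkit's own cache key.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"path"
	"sort"
	"strings"
)

// record and tree are constructed stand-ins for contenthash's CacheRecord and in-memory prefix tree:
// Kind is "dir", "file" or "link", Content is file data or the link target, keys have no leading slash.
type record struct{ Kind, Content string }
type tree map[string]record
func clean(p string) string { return strings.Trim(path.Clean("/"+p), "/") }

// filesUnder lists file keys at or below key by string prefix alone, the lookup the issue describes.
func (t tree) filesUnder(key string) []string {
	var out []string
	for k, r := range t {
		if r.Kind == "file" && (key == "" || k == key || strings.HasPrefix(k, key+"/")) {
			out = append(out, k)
		}
	}
	sort.Strings(out) // map order is random; the digest must not be
	return out
}

// digestOf hashes the selected keys with their contents; with no keys it is the issue's digest.FromBytes([]byte{}).
func digestOf(t tree, keys []string) string {
	var buf strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&buf, "%s\x00%s\x00", k, t[k].Content)
	}
	return fmt.Sprintf("%x", sha256.Sum256([]byte(buf.String())))
}
var emptyDigest = digestOf(nil, nil)
// checksumNaive reproduces the defect: the source path is used as a tree key verbatim.
func checksumNaive(t tree, src string) string { return digestOf(t, t.filesUnder(clean(src))) }

// resolvePrefix walks src one component at a time, following symlinks as the fsutil copier does on its way down.
func resolvePrefix(t tree, src string) (string, error) {
	resolved, hops, remaining := "", 0, strings.Split(clean(src), "/")
	for len(remaining) > 0 {
		next := path.Join(resolved, remaining[0])
		remaining = remaining[1:]
		if r := t[next]; r.Kind == "link" {
			if hops++; hops > 40 { // cycle guard in the spirit of the kernel's ELOOP limit
				return "", fmt.Errorf("%s: too many levels of symbolic links", src)
			}
			target := r.Content // a relative target is taken from the link's parent directory
			if !path.IsAbs(target) {
				target = path.Join(path.Dir(next), target)
			}
			resolved, remaining = "", append(strings.Split(clean(target), "/"), remaining...)
			continue
		}
		resolved = next // a directory, a file or nothing at all: keep walking literally
	}
	return resolved, nil
}

// splitWildcard separates the leading wildcard-free components from the rest: "mnt/data/d*/foo" -> ("mnt/data", "d*/foo").
func splitWildcard(pattern string) (prefix, rest string) {
	c := strings.Split(clean(pattern), "/")
	n := 0
	for n < len(c) && !strings.ContainsAny(c[n], "*?[") {
		n++
	}
	return path.Join(c[:n]...), path.Join(c[n:]...)
}

// checksumResolved is the proposed fix: resolve the wildcard-free prefix, then match the rest under the resolved key.
func checksumResolved(t tree, src string) (string, error) {
	prefix, rest := splitWildcard(src)
	key, err := resolvePrefix(t, prefix)
	if err != nil {
		return "", err
	}
	var keys []string
	for _, k := range t.filesUnder(key) {
		for p := strings.TrimPrefix(k, key+"/"); p != "."; p = path.Dir(p) { // a pattern matching a dir selects its contents
			if ok, _ := path.Match(rest, p); ok || rest == "" {
				keys = append(keys, k)
				break
			}
		}
	}
	return digestOf(t, keys), nil
}

// scenario is the constructed merged view of the second gist: a real /data dir plus an upper-layer /mnt/data -> ../data link.
var scenario = tree{
	"mnt/data":    {Kind: "link", Content: "../data"},
	"data":        {Kind: "dir"},
	"data/d1/foo": {Kind: "file", Content: "abc\n"},
}

func main() { fmt.Println(checksumNaive(scenario, "/mnt/data/d1") == emptyDigest) } // prints true: the defect
```

Run with `go run`: the naive lookup for /mnt/data/d1 returns the empty digest, while the resolved walk lands on data/d1 and hashes data/d1/foo, so the same source written as d1, d* or d*/foo yields one non-empty key. The hop counter turns a symlink cycle into an error instead of an endless walk, which is the other failure mode a component-wise resolver has to close.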

aaronlehmann added a commit to aaronlehmann/buildkit that referenced this issue Aug 18, 2021
…e path is behind symlink

As discussed in moby#2300, includedPaths does not resolve symlinks when
looking up the source path in the prefix tree. If the user requests a
path that involves symlinks (for example, /a/foo when a symlink /a -> /b
exists), includedPaths will not find it, and will expect nothing to be
copied. This does not match the actual copy behavior implemented in
fsutil, which will follow symlinks in prefix components of a given path,
so it can end up caching an empty result even though the copy will
produce a non-empty result, which is quite bad.

To fix this, use getFollowLinks to resolve the path before walking it.
In the wildcard case, this is done to the non-wildcard prefix of the
path (if any), which matches the behavior in fsutil.

Fixes the repro case here:
https://gist.github.com/aaronlehmann/64054c9a2cff0d27e200cc107bba3d69

Fixes moby#2300

Signed-off-by: Aaron Lehmann <[email protected]>
alexcb added a commit to earthly/buildkit-old-fork that referenced this issue Oct 19, 2021
* hack: update proto generators for arm64

Signed-off-by: Tonis Tiigi <[email protected]>

* test: fix mirror cache handling

Signed-off-by: Tonis Tiigi <[email protected]>

* cache: fix possible nil dereferences

Signed-off-by: Tonis Tiigi <[email protected]>

* move RegistryConfig to resolver package

This allows using the resolver package without having to import
the buildkit daemon configuration.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* vendor: fix broken gosum

Signed-off-by: Tonis Tiigi <[email protected]>

* add hack/shell helper for dev shell environment

Signed-off-by: Tonis Tiigi <[email protected]>

* session: make sure all token request keep correct context

Signed-off-by: Tonis Tiigi <[email protected]>

* filesync: ensure sendclose is always called

Signed-off-by: Tonis Tiigi <[email protected]>

* Enable stargz snapshotter to use session for snapshot auth

Signed-off-by: ktock <[email protected]>

* Implement low-level parser primitives for heredocs

This provides the basic functionality for the parser to recognize and
parse provided heredocs in supported commands.

Signed-off-by: Justin Chadwell <[email protected]>

* Add support for parsing heredocs in ADD/COPY and RUN

Signed-off-by: Justin Chadwell <[email protected]>

* Integrate heredoc support into ADD/COPY and RUN

This modifies the command structures to support inline files, as well as
provides the logic to compile them down into appropriate LLB
definitions.

Signed-off-by: Justin Chadwell <[email protected]>

* Add integration tests for dockerfile heredocs

Signed-off-by: Justin Chadwell <[email protected]>

* Update docker/docker to master / v21.xx-dev (post libnetwork integration)

full diff: https://github.com/docker/docker/compare/v20.10.7..0ad2293d0e5b

This applies the same / similar local changes to buildkit as were made in
the branch that moby is currently vendoring:
moby/buildkit@244e8cd...cpuguy83:update_libnetwork_import

Unfortunately, this (again) requires a "replace" rule (probably until we tag
a release with this change). Go mod refuses to pick a version from master, and
(without the replace rule) does weird things, reverting docker to a very old version,
predating the sirupsen rename:

    > [vendored 4/4] RUN --mount=target=/src,rw   --mount=target=/go/pkg/mod,type=cache   go mod tidy && go mod vendor &&   mkdir /out && cp -r go.mod go.sum vendor /out:
    #10 0.500 go: finding github.com/docker/docker 8dbd90ec00daa26dc45d7da2431c965dec99e8b4
    #10 0.599 warning: ignoring symlink /src/examples/kube-consistent-hash
    #10 1.027 go: github.com/moby/buildkit/util/testutil/integration imports
    #10 1.027       github.com/docker/docker/testutil/daemon imports
    #10 1.027 	github.com/docker/docker/opts imports
    #10 1.027 	github.com/docker/libnetwork/ipamutils imports
    #10 1.027 	github.com/docker/libnetwork/osl imports
    #10 1.027 	github.com/Sirupsen/logrus: github.com/Sirupsen/[email protected]: parsing go.mod:
    #10 1.027 	module declares its path as: github.com/sirupsen/logrus
    #10 1.027 	        but was required as: github.com/Sirupsen/logrus
    ------
    error: failed to solve: rpc error: code = Unknown desc = executor failed running [/bin/sh -c go mod tidy && go mod vendor &&   mkdir /out && cp -r go.mod go.sum vendor /out]: exit code: 1
    make: *** [vendor] Error 1

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* Fix doc about Stargz Snapshotter and registry authentication

Signed-off-by: ktock <[email protected]>

* dockerfile: add documentation for here-docs

Signed-off-by: Tonis Tiigi <[email protected]>

* add differ support for local source

Signed-off-by: Tonis Tiigi <[email protected]>

* llb: don't allow content diff for now

Signed-off-by: Tonis Tiigi <[email protected]>

* Fix file modes with remote ADD commands

Signed-off-by: Justin Chadwell <[email protected]>

* cache: avoid concurrent maps write on prune

remove() needs to be called while holding the manager lock

Signed-off-by: Tonis Tiigi <[email protected]>

* metadata: hold lock on storageitem update

The locks usage is mixed up because two separate locks
are actually needed. With a specific lock, calls to SetValue
can be protected.

Signed-off-by: Tonis Tiigi <[email protected]>

* Dockerfile: install fuse-overlayfs from apk

fuse-overlayfs is available as an apk since Alpine 3.14.

Signed-off-by: Akihiro Suda <[email protected]>

* vendor: update vt100 to fork and remove replace rule

Signed-off-by: Tonis Tiigi <[email protected]>

* add support for opentelemetry

Signed-off-by: Tonis Tiigi <[email protected]>

* replace opentracing with opentelemetry tracers

Signed-off-by: Tonis Tiigi <[email protected]>

* hack: avoid updating generated proto version

This can be done as a separate change when needed.
Also should analyze if this would affect the gogo
incompatibility issues with newer proto.

Signed-off-by: Tonis Tiigi <[email protected]>

* session: avoid tracing health checkpoint

Upstream fixes needed for cleaner solution

Signed-off-by: Tonis Tiigi <[email protected]>

* disable otel error logging

Signed-off-by: Tonis Tiigi <[email protected]>

* correctly validate span from context

Signed-off-by: Tonis Tiigi <[email protected]>

* dockerfile: ensure config resolve errors keep source location

Signed-off-by: Tonis Tiigi <[email protected]>

* remove go fork for building windows/arm64

Signed-off-by: Tonis Tiigi <[email protected]>

* Dockerfile: remove nsswitch as default in go1.16

Signed-off-by: Tonis Tiigi <[email protected]>

* retryhandler: use net.ErrClosed for error check

Signed-off-by: Tonis Tiigi <[email protected]>

* replace uses of deprecated containerd/sys.RunningInUserNS()

This utility was moved to a separate package, which has no dependencies.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* integration: add common context base to all integration tests

Signed-off-by: Tonis Tiigi <[email protected]>

* vendor: update opentelemetry to 1.0.0-rc

Signed-off-by: Tonis Tiigi <[email protected]>

* add current tracing context detection and exec propagation

Signed-off-by: Tonis Tiigi <[email protected]>
(cherry picked from commit bc9a83144c83e9fd78007b7bfe92e8082c59d40e)

* add transform package to convert from otlp

Signed-off-by: Tonis Tiigi <[email protected]>

* tracing: add delegated exporter

Signed-off-by: Tonis Tiigi <[email protected]>

* otlgrpc: provide a way to get otlp client from grpc conn

Hopefully this can be removed with a future upstream change
that could make this configurable. The package also needs
internal dependency that is copied in.

Signed-off-by: Tonis Tiigi <[email protected]>

* enable collecting traces via control api

Signed-off-by: Tonis Tiigi <[email protected]>

* support collecting traces from llb.Exec

Signed-off-by: Tonis Tiigi <[email protected]>

* client: pass delegated exporter as parameter

Avoid client package having dependency on global detect package.

Signed-off-by: Tonis Tiigi <[email protected]>

* update runc binary to v1.0.0 GA

Signed-off-by: Akihiro Suda <[email protected]>

* handle unconfigured spans without errors

Signed-off-by: Tonis Tiigi <[email protected]>

* llb: add constraints to vertex and validate

Signed-off-by: Tonis Tiigi <[email protected]>

* llb: add constraints to async llb

Signed-off-by: Tonis Tiigi <[email protected]>

* llb: ensure meta resolver uses platform form constraints

Signed-off-by: Tonis Tiigi <[email protected]>

* flightcontrol: reduce contention between goroutines

Signed-off-by: Tonis Tiigi <[email protected]>

* Avoid nil pointer dereference when copying from image with no layers

Fix this panic when copying from an image with no layers:

```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x50 pc=0xdd8c17]

goroutine 326 [running]:
github.com/moby/buildkit/cache/contenthash.(*cacheManager).Checksum(0xc0005ec030, 0x1682c00, 0xc000842140, 0x0, 0x0, 0xc0005d4023, 0x1, 0x0, 0x0, 0x0, ...)
	/src/cache/contenthash/checksum.go:95 +0x37
github.com/moby/buildkit/cache/contenthash.Checksum(0x1682c00, 0xc000842140, 0x0, 0x0, 0xc0005d4023, 0x1, 0x0, 0x0, 0x0, 0x0, ...)
	/src/cache/contenthash/checksum.go:59 +0xd5
github.com/moby/buildkit/solver/llbsolver.NewContentHashFunc.func1.1(0x0, 0x4425d6)
	/src/solver/llbsolver/result.go:59 +0x20a
golang.org/x/sync/errgroup.(*Group).Go.func1(0xc00056a360, 0xc000594510)
	/src/vendor/golang.org/x/sync/errgroup/errgroup.go:57 +0x59
created by golang.org/x/sync/errgroup.(*Group).Go
	/src/vendor/golang.org/x/sync/errgroup/errgroup.go:54 +0x66
```

When the path is "/", we allow it because it's a noop.

Based on moby#2185

Signed-off-by: Aaron Lehmann <[email protected]>

* Add test for copying from scratch

Signed-off-by: Aaron Lehmann <[email protected]>

* Check that scratch is mounted as empty dir

Signed-off-by: Aaron Lehmann <[email protected]>

* Make error message consistent when layer is empty

Signed-off-by: Aaron Lehmann <[email protected]>

* Test with tonistiigi/test:nolayers as well

Signed-off-by: Aaron Lehmann <[email protected]>

* ensure containerd io is complete and closed before returning

Signed-off-by: Cory Bennett <[email protected]>

* [moby#2112] progress.Controller should own the progress.Writer to prevent leaks

Signed-off-by: Cory Bennett <[email protected]>

* [moby#2112] progress.FromContext returns a writer factory
this allows progress.Controller to manage the writer lifecycle

Signed-off-by: Cory Bennett <[email protected]>

* contenthash: use SeekLowerBound to seek radix tree

Signed-off-by: Tonis Tiigi <[email protected]>

* dockerfile: fix git version detection

Signed-off-by: Tonis Tiigi <[email protected]>

* Add support for heredocs with ONBUILD

Signed-off-by: Justin Chadwell <[email protected]>

* dockerfile: use none differ for dockerfile/dockerignore

This avoids wrong metadata matches on small files

Signed-off-by: Tonis Tiigi <[email protected]>

* progressui: print logs for failed step as summary in plain mode

Signed-off-by: Tonis Tiigi <[email protected]>

* grpcerrors: avoid rpc error wrapping in error messages

Signed-off-by: Tonis Tiigi <[email protected]>

* exec: improve error message on exec errors

Signed-off-by: Tonis Tiigi <[email protected]>

* Improve heredoc parsing to allow more generic words

Previously, heredoc names were restricted to simple alphanumeric
strings. However, heredocs should support much more complex use-cases,
including quoting anywhere, as well as allowing special symbols like `.`
for easily expressing file extensions.

This patch adds support for these more complex cases, by using the shell
lexer to parse each heredoc name. Additionally, we include improvements
to the lexer to optionally preserve escape tokens to avoid problems when
lexing words that have already been lexed before.

Signed-off-by: Justin Chadwell <[email protected]>

* Improve progress and history messages for heredoc-related commands

Signed-off-by: Justin Chadwell <[email protected]>

* Remove unneeded Finalize method from ImmutableRef.

Finalize was only used outside the cache package in one place, which
called it with the commit arg set to false. The code path followed
when commit==false turned out to essentially be a no-op because
it set "retain cache" to true if it was already set to true.

It was thus safe to remove the only external call to it and remove it
from the interface. This should be helpful for future efforts to
simplify the equal{Mutable,Immutable} fields in cacheRecord, which exist
due to the "lazy commit" feature that Finalize is tied into.

Signed-off-by: Erik Sipsma <[email protected]>

* Fix ref leak if fileop ref fails to mount.

Signed-off-by: Erik Sipsma <[email protected]>

* add error suggest pkg

Signed-off-by: Tonis Tiigi <[email protected]>

* dockerfile: suggest mistyped flag names

Signed-off-by: Tonis Tiigi <[email protected]>

* dockerfile: provide suggestions for mount options

Signed-off-by: Tonis Tiigi <[email protected]>

* dockerfile: add tests for error suggestions

Signed-off-by: Tonis Tiigi <[email protected]>

* dockerfile: remove unnecessary error wrappings

Signed-off-by: Tonis Tiigi <[email protected]>

* enable riscv64 build

Signed-off-by: Tonis Tiigi <[email protected]>

* Update QEMU emulators

Signed-off-by: CrazyMax <[email protected]>

* dockerfile: move run network to stable channel

Signed-off-by: Tonis Tiigi <[email protected]>

* Automatically detect default git branch

Instead of just assuming that the default branch is master, use ls-remote to find out. Also removed tests that didn't specify a branch but required authentication, because those will fail now that the repo is actually checked.

Signed-off-by: Levi Harrison <[email protected]>

* Moved getDefaultBranch function to gitsource

It is my suspicion that the tests were failing on previous commits because of the lack of authentication and other stuff like that available in gitidentifier as compared to gitsource

Signed-off-by: Levi Harrison <[email protected]>

* Fix tests

Unfortunately, further test cases will have to be removed because gitidentifier will now leave the branch blank instead of filling it in

Signed-off-by: Levi Harrison <[email protected]>

* git: fix default branch detection

Signed-off-by: Tonis Tiigi <[email protected]>

* Enable to forcefully specify compression type

Signed-off-by: ktock <[email protected]>

* Add full timestamp to logs

Signed-off-by: Yamazaki Masashi <[email protected]>

* Remove meaningless encode

Signed-off-by: Yamazaki Masashi <[email protected]>

* Ignore missing providers for blobs w/ same chainid.

GetByBlob checks to see if there are any other blobs with the same
(uncompressed) ChainID and, if so, reuses their unpacked snapshot if it
exists.

The problem is if this code finds a match, it was trying to get the
matching record, but couldn't do so when the match is lazy because the
caller doesn't necessarily have descriptor handlers setup for it.

This commit changes the behavior to just ignore any match with the same
ChainID that's also lazy as they just aren't usable for the
snapshot-reuse optimization.

Signed-off-by: Erik Sipsma <[email protected]>

* authprovider: handle eaccess on storing token seeds

Signed-off-by: Tonis Tiigi <[email protected]>

* log with traceID and spanID

Signed-off-by: Morlay <[email protected]>

* github: update CI buildkit to v0.9.0-rc1

Signed-off-by: Tonis Tiigi <[email protected]>

* initial version of github cache

Signed-off-by: Tonis Tiigi <[email protected]>

* vendor: add goactionscache

Signed-off-by: Tonis Tiigi <[email protected]>

* caps: add cap for gha cache backend

Signed-off-by: Tonis Tiigi <[email protected]>

* remove tracetransform package

Signed-off-by: Tonis Tiigi <[email protected]>

* resolver: increase default idle conns reuse

The current defaults were even lower than stdlib defaults.

Signed-off-by: Tonis Tiigi <[email protected]>

* refactor to use util/bklog instead of using logrus directly

Signed-off-by: Morlay <[email protected]>

* GitHub Actions cache docs

Signed-off-by: CrazyMax <[email protected]>

* Skips getting UID/GUID if passwd/group file is not found

When running a WORKDIR instruction, buildkit will create that folder
and chown it to the currently set user. For this, it will try to read
the /etc/passwd file to get the proper UID, and if that user is not
found in the file, the root user will be considered as the owner.

However, Windows images do not have that file, which will result in
an error while building the image. We can consider not finding
the /etc/passwd file the same as not finding the user in the file,
which would solve this issue.

Signed-off-by: Claudiu Belu <[email protected]>

* add per domain semaphore to limit concurrent connections

This is a safer alternative until we figure out why
http.Transport based limiting fails.

Some connections like cache export/import do not have a
domain key atm and these connections use global pool.

Signed-off-by: Tonis Tiigi <[email protected]>

* update to github.com/containerd/containerd v1.5.3

Signed-off-by: coryb <[email protected]>

* vendor: update go-actions-cache with custom client support

Signed-off-by: Tonis Tiigi <[email protected]>

* tracing: update to otelhttp roundtripper

Signed-off-by: Tonis Tiigi <[email protected]>

* Enhance test matrix

Signed-off-by: CrazyMax <[email protected]>

* fix dropped pull progress output due to canceled context

fixes moby#2248

Signed-off-by: coryb <[email protected]>

* Add span for layer export

This can be a significant amount of time that isn't currently accounted
for in traces.

Signed-off-by: Aaron Lehmann <[email protected]>

* new implementation for limiting tcp connections

The previous implementation had many issues. Eg. on fetch, even if
the data already existed and no remote connections were needed
the request would still be waiting in the queue. Or if two fetches
of same blob happened together they would take up two places in queue
although there was only one remote request.

Signed-off-by: Tonis Tiigi <[email protected]>

* limited: allow extra high-priority connection for json requests

Signed-off-by: Tonis Tiigi <[email protected]>

* ensure wrappers support seeking to continue partial downloads

Signed-off-by: Tonis Tiigi <[email protected]>

* contentutil: change offset to int64 to simplify

Signed-off-by: Tonis Tiigi <[email protected]>

* Exporter config digest typo

Signed-off-by: CrazyMax <[email protected]>

* daemonless: wait for daemon to finish before exit

Signed-off-by: Tonis Tiigi <[email protected]>

* github: update CI buildkit to v0.9.0

Signed-off-by: Tonis Tiigi <[email protected]>

* add docs for new config options

Signed-off-by: Tonis Tiigi <[email protected]>

* add ktock and crazy-max to maintainers

Signed-off-by: Tonis Tiigi <[email protected]>

* Update Dockerfile references to use 1.3

Signed-off-by: Tonis Tiigi <[email protected]>

* docs: update images-readme to v0.9

Signed-off-by: Tonis Tiigi <[email protected]>

* Bump to codecov/codecov-action v2

Signed-off-by: CrazyMax <[email protected]>

* build(deps): bump github.com/containerd/containerd from 1.5.3 to 1.5.4

Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.3 to 1.5.4.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.5.3...v1.5.4)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* util/tracing: remove incorrect import enforcing comment

This import comment caused compilation of buildx to fail if `GO111MODULE` was
set to `off`:

Without `GO111MODULE` set (but with `-mod=vendor`):

    echo $GO111MODULE

    export PKG=github.com/docker/buildx
    export LDFLAGS="-X ${PKG}/version.Version=$(git describe --match 'v[0-9]*' --always --tags) -X ${PKG}/version.Revision=$(git rev-parse HEAD) -X ${PKG}/version.Package=${PKG}"
    GOFLAGS=-mod=vendor go build -o bin/docker-buildx -ldflags "${LDFLAGS}" ./cmd/buildx
    bin/docker-buildx version
    github.com/docker/buildx v0.6.0 d9ee3b134cbc2d09513fa7fee4176a3919e05887

When setting `GO111MODULE=off`, it fails on the incorrect import path in the
vendored file (looks like GO111MODULE=on ignores import-path comments?):

    export GO111MODULE=off
    root@5a55ec1c1eed:/go/src/github.com/docker/buildx# GOFLAGS=-mod=vendor go build -o bin/docker-buildx -ldflags "${LDFLAGS}" ./cmd/buildx
    vendor/github.com/moby/buildkit/client/client.go:20:2: code in directory /go/src/github.com/docker/buildx/vendor/github.com/moby/buildkit/util/tracing/otlptracegrpc expects import "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"
    vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/connection/connection.go:33:2: found import comments "go.opentelemetry.io/otel/exporters/otlp/internal/otlpconfig" (options.go) and "go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/otlpconfig" (optiontypes.go) in /go/src/github.com/docker/buildx/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/otlpconfig

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* Fix protoc link

Signed-off-by: CrazyMax <[email protected]>

* Allow ExitError type to be transmitted over GRPC

This will allow clients to retrieve exit error codes returned during a
solve without parsing the error messages.

Signed-off-by: Aaron Lehmann <[email protected]>

* Update to github.com/opencontainers/runc v1.0.1

Signed-off-by: CrazyMax <[email protected]>

* Split cache options doc for each exporter

Signed-off-by: CrazyMax <[email protected]>

* Set default socket permissions to 660

The systemd default is 666, it seems.

Signed-off-by: Anders F Björklund <[email protected]>

* fix SecurityMode being dropped on gateway container Start

Signed-off-by: Cory Bennett <[email protected]>

* bump containerd from 1.5.4 to 1.5.5

Signed-off-by: CrazyMax <[email protected]>

* go.mod: golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c

In preparation of replacing the deprecated github.com/docker/docker/pkg/signal,
which uses this version (updating it separately for easier review).

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* replace use of deprecated github.com/docker/docker/pkg/signal

This package was moved to a separate module in github.com/moby/sys/signal

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* Additional tests and cleanup for cache/contenthash

This adds a little extra testing around ** patterns, and adds a
(currently skipped) test for copying directories under symlinks (moby#2300).

It removes an extra call to `filepath.FromSlash` in `shouldIncludePath`
and an unused argument to that function.

Signed-off-by: Aaron Lehmann <[email protected]>

* all: remove duplicate imports

Signed-off-by: Koichi Shiraishi <[email protected]>

* all: unify the specs-go package import alias to ocispecs

ocispecs means "O"pen "C"ontainer "I"nitiative image-spec/"specs"-go/v1
                      opencontainers          /image-spec/specs-go/v1

Signed-off-by: Koichi Shiraishi <[email protected]>

* hack/dockerfiles: upgrade golangci-lint version to v1.41.1

Signed-off-by: Koichi Shiraishi <[email protected]>

* golangci-lint: enable importas and add settings for specs-go package

Signed-off-by: Koichi Shiraishi <[email protected]>

* all: unify the go-digest package import alias to digest

Signed-off-by: Koichi Shiraishi <[email protected]>

* golangci-lint: add go-digest importas setting

Signed-off-by: Koichi Shiraishi <[email protected]>

* Fix IncludePattern/ExcludePattern matching

The transformation to rootedPatterns seems very wrong and inconsistent
with what the copy logic did. Change it to match the copy logic, and add
more testing.

Signed-off-by: Aaron Lehmann <[email protected]>

* dockerfile: fix parsing required key without value

Signed-off-by: Tonis Tiigi <[email protected]>

* generated files: use "go install" to install binaries

Now that this repository moved to go1.16, we can use 'go install' to install
these binaries.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* util/stack: update protoc options to work with newer versions

Generating the util/stack protos failed when updating protoc-gen-go to v1.5.2
(it looks like this is the only proto that's not generated using protoc-gen-gogo):

    util/stack/generate.go
    protoc-gen-go: unable to determine Go import path for "stack.proto"

    Please specify either:
        • a "go_package" option in the .proto source file, or
        • a "M" argument on the command line.

    See https://developers.google.com/protocol-buffers/docs/reference/go-generated#package for more information.

    --go_out: protoc-gen-go: Plugin failed with status code 1.
    util/stack/generate.go:3: running "protoc": exit status 1

Newer protobuf versions expect a go package to be set. Other .proto files in
this repository use the bare package name, but with protoc-gen-go v1.5.2, this
produces an error (package names must at least have a "/"). In addition,
including the option in the .proto file also changes the generated result
(`options go_package "<package name>"`).

Using the `-go_opt=M<package name>` option on the other hand, didn't change the
result (while still on protoc-gen-go v1.3.5), so I used that option instead.

protoc-gen-go v1.5.2 also changed the behavior where the generated file is stored,
seemingly relative to the `../../vendor` path specified. This could be fixed either
by setting `--go_out=../../`, which was a bit counter-intuitive, or setting the
`--go_opt=paths=source_relative` option. The latter also prevented v1.5.2 from
storing the file in `utils/stack/github.com/moby/buildkit/utils/stack/` (sigh).

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* add missing ExtraHosts to gateway exec

Also adding tests for ExtraHosts and NetMode via gateway exec

Signed-off-by: Cory Bennett <[email protected]>

* add gateway.exec.extrahosts capability

Signed-off-by: Cory Bennett <[email protected]>

* cache: Fix flightcontrol use in computeBlobChain.

Previously, the flightcontrol group was being given a key just set to
the ref's ID, which meant that concurrent calls using different values
of compressionType, createIfNeeded and forceCompression would
incorrectly be de-duplicated.

The change here splits up the flightcontrol group into a few separate
calls and ensures that all the correct input variables are put into the
flightcontrol keys.

Signed-off-by: Erik Sipsma <[email protected]>

* solver: include cachemap index in flightcontrol.

Signed-off-by: Erik Sipsma <[email protected]>

* pull: use resolvemode in flightcontrol key.

Signed-off-by: Erik Sipsma <[email protected]>

* util: remove outdated flightcontrol test assertion.

The test was making an assertion that is no longer expected to always be
true after moby#2195, which purposely made flightcontrol less deterministic.
This led to occasional failures.

Signed-off-by: Erik Sipsma <[email protected]>

* update go to 1.17

Signed-off-by: Tonis Tiigi <[email protected]>

* gomod: update to go1.17

Signed-off-by: Tonis Tiigi <[email protected]>

* cmd/buildkitd: replace BurntSushi/toml with pelletier/go-toml

The BurntSushi/toml project has been deprecated, and the ecosystem
is converging on using pelletier/go-toml as the "canonical" replacement.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* control: fix 64bit alignment for buildcount

Signed-off-by: Tonis Tiigi <[email protected]>

* Use fixed fileutils matching functions

This is important for two reasons:

1) Keeps caching logic consistent with recent fsutil changes to use
   these functions (also vendored here).

2) Allows us to move forward with removal of the original buggy Matches
   implementation in moby/moby.

Signed-off-by: Aaron Lehmann <[email protected]>

* Add `estargz` compression type

Signed-off-by: Kohei Tokunaga <[email protected]>

Co-authored-by: Tõnis Tiigi <[email protected]>
Co-authored-by: Akihiro Suda <[email protected]>
Co-authored-by: Sebastiaan van Stijn <[email protected]>
Co-authored-by: Sebastiaan van Stijn <[email protected]>
Co-authored-by: ktock <[email protected]>
Co-authored-by: Justin Chadwell <[email protected]>
Co-authored-by: Akihiro Suda <[email protected]>
Co-authored-by: Aaron Lehmann <[email protected]>
Co-authored-by: Cory Bennett <[email protected]>
Co-authored-by: Erik Sipsma <[email protected]>
Co-authored-by: CrazyMax <[email protected]>
Co-authored-by: Levi Harrison <[email protected]>
Co-authored-by: masibw <[email protected]>
Co-authored-by: Morlay <[email protected]>
Co-authored-by: CrazyMax <[email protected]>
Co-authored-by: Claudiu Belu <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Anders F Björklund <[email protected]>
Co-authored-by: CrazyMax <[email protected]>
Co-authored-by: Koichi Shiraishi <[email protected]>
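The squashed commit message above adds a (skipped) test for copying directories under symlinks (moby#2300) and fixes include/exclude pattern matching in cache/contenthash. The Go program below is an added example written for this page, not buildkit's or fsutil's code. It models the class of bug behind moby#2300 on a constructed temp directory: a content-hash lookup that matches the requested source path literally against the file tree, beside one that resolves symlinks in the requested path first so the key is computed over the same directory the copy actually reads. The function names `BuildFixture`, `IncludedFiles` and `CacheKey`, the relative symlink target and the file contents are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// BuildFixture creates a constructed tree modelled on the repro in this
// issue: a symlink data -> mnt/data, and a file written through the link at
// data/d1/foo. The link target is relative (an assumption of this example)
// so it resolves inside the temp root rather than the real /mnt/data.
func BuildFixture() (string, error) {
	root, err := os.MkdirTemp("", "symlink-cache-")
	if err != nil {
		return "", err
	}
	// Resolve the temp root itself so relative paths below stay consistent
	// on systems where the temp dir is behind a symlink.
	if root, err = filepath.EvalSymlinks(root); err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Join(root, "mnt", "data"), 0o755); err != nil {
		return "", err
	}
	if err := os.Symlink(filepath.Join("mnt", "data"), filepath.Join(root, "data")); err != nil {
		return "", err
	}
	// Created through the symlink, as the later layer does in the repro.
	if err := os.MkdirAll(filepath.Join(root, "data", "d1"), 0o755); err != nil {
		return "", err
	}
	return root, os.WriteFile(filepath.Join(root, "data", "d1", "foo"), []byte("hello\n"), 0o644)
}

// IncludedFiles returns the root-relative regular files that a copy of
// reqPath (written with a leading slash, as in the issue) would cover.
// followLinks=false mimics the pre-fix lookup: the request is matched
// literally against the tree, and the walk does not descend into symlinks.
// followLinks=true resolves the request through symlinks first, so the
// lookup walks the directory the copy itself would read.
func IncludedFiles(root, reqPath string, followLinks bool) ([]string, error) {
	rel := strings.TrimPrefix(filepath.Clean(reqPath), string(filepath.Separator))
	if followLinks {
		// A request that does not resolve keeps its literal form and
		// matches no files, which is also what the copy would do.
		if resolved, err := filepath.EvalSymlinks(filepath.Join(root, rel)); err == nil {
			if r, err := filepath.Rel(root, resolved); err == nil {
				rel = r
			}
		}
	}
	var files []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() || d.Type()&fs.ModeSymlink != 0 {
			return nil // only regular files contribute to the key here
		}
		r, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		if r == rel || strings.HasPrefix(r, rel+string(filepath.Separator)) {
			files = append(files, r)
		}
		return nil
	})
	return files, err
}

// CacheKey hashes the included files' paths and contents in walk order.
// An empty file list collapses to the digest of the empty input, the value
// the issue describes being used as the key for a copy that did copy files.
func CacheKey(root string, files []string) (string, error) {
	h := sha256.New()
	for _, f := range files {
		data, err := os.ReadFile(filepath.Join(root, f))
		if err != nil {
			return "", err
		}
		fmt.Fprintf(h, "%s\x00%d\x00", filepath.ToSlash(f), len(data))
		h.Write(data)
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

func main() {
	root, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, follow := range []bool{false, true} {
		files, err := IncludedFiles(root, "/data/d1", follow)
		if err != nil {
			panic(err)
		}
		key, _ := CacheKey(root, files)
		fmt.Printf("followLinks=%v files=%v key=%s\n", follow, files, key)
	}
}
```

With `followLinks=false` the lookup finds nothing for `/data/d1` and the key is the digest of empty input, so any later copy that also matches no files (for example against an image where the directory does not exist) would be served the cached result of the earlier copy; with `followLinks=true` the key covers `mnt/data/d1/foo`, the file the copy actually transfers. The defensive property to check in any content-addressed cache is that the key is derived from exactly the inputs the operation consumes, resolved the same way the operation resolves them.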
alexcb added a commit to earthly/buildkit-old-fork that referenced this issue Oct 26, 2021
* dockerfile: fix git version detection

Signed-off-by: Tonis Tiigi <[email protected]>

* Add support for heredocs with ONBUILD

Signed-off-by: Justin Chadwell <[email protected]>

* dockerfile: use none differ for dockerfile/dockerignore

This avoids wrong metadata matches on small files

Signed-off-by: Tonis Tiigi <[email protected]>

* progressui: print logs for failed step as summary in plain mode

Signed-off-by: Tonis Tiigi <[email protected]>

* grpcerrors: avoid rpc error wrapping in error messages

Signed-off-by: Tonis Tiigi <[email protected]>

* exec: improve error message on exec errors

Signed-off-by: Tonis Tiigi <[email protected]>

* Improve heredoc parsing to allow more generic words

Previously, heredoc names were restricted to simple alphanumeric
strings. However, heredocs should support much more complex use-cases,
including quoting anywhere, as well as allowing special symbols like `.`
for easily expressing file extensions.

This patch adds support for these more complex cases, by using the shell
lexer to parse each heredoc name. Additionally, we include improvements
to the lexer to optionally preserve escape tokens to avoid problems when
lexing words that have already been lexed before.

Signed-off-by: Justin Chadwell <[email protected]>

* Improve progress and history messages for heredoc-related commands

Signed-off-by: Justin Chadwell <[email protected]>

* Remove unneeded Finalize method from ImmutableRef.

Finalize was only used outside the cache package in one place, which
called it with the commit arg set to false. The code path followed
when commit==false turned out to essentially be a no-op because
it set "retain cache" to true if it was already set to true.

It was thus safe to remove the only external call to it and remove it
from the interface. This should be helpful for future efforts to
simplify the equal{Mutable,Immutable} fields in cacheRecord, which exist
due to the "lazy commit" feature that Finalize is tied into.

Signed-off-by: Erik Sipsma <[email protected]>

* Fix ref leak if fileop ref fails to mount.

Signed-off-by: Erik Sipsma <[email protected]>

* add error suggest pkg

Signed-off-by: Tonis Tiigi <[email protected]>

* dockerfile: suggest mistyped flag names

Signed-off-by: Tonis Tiigi <[email protected]>

* dockerfile: provide suggestions for mount options

Signed-off-by: Tonis Tiigi <[email protected]>

* dockerfile: add tests for error suggestions

Signed-off-by: Tonis Tiigi <[email protected]>

* dockerfile: remove unnecessary error wrappings

Signed-off-by: Tonis Tiigi <[email protected]>

* enable riscv64 build

Signed-off-by: Tonis Tiigi <[email protected]>

* Update QEMU emulators

Signed-off-by: CrazyMax <[email protected]>

* dockerfile: move run network to stable channel

Signed-off-by: Tonis Tiigi <[email protected]>

* Automatically detect default git branch

Instead of just assuming that the default branch is master, use ls-remote to find out. Also removed tests that didn't specify a branch but required authentication, because those will fail now that the repo is actually checked.

Signed-off-by: Levi Harrison <[email protected]>

* Moved getDefaultBranch function to gitsource

It is my suspicion that the tests were failing on previous commits because of the lack of authentication and other stuff like that available in gitidentifier as compared to gitsource

Signed-off-by: Levi Harrison <[email protected]>

* Fix tests

Unfortunately, further test cases will have to be removed because gitidentifier will now leave the branch blank instead of filling it in

Signed-off-by: Levi Harrison <[email protected]>

* git: fix default branch detection

Signed-off-by: Tonis Tiigi <[email protected]>

* Enable to forcefully specify compression type

Signed-off-by: ktock <[email protected]>

* Add full timestamp to logs

Signed-off-by: Yamazaki Masashi <[email protected]>

* Remove meaningless encode

Signed-off-by: Yamazaki Masashi <[email protected]>

* Ignore missing providers for blobs w/ same chainid.

GetByBlob checks to see if there are any other blobs with the same
(uncompressed) ChainID and, if so, reuses their unpacked snapshot if it
exists.

The problem is if this code finds a match, it was trying to get the
matching record, but couldn't do so when the match is lazy because the
caller doesn't necessarily have descriptor handlers setup for it.

This commit changes the behavior to just ignore any match with the same
ChainID that's also lazy as they just aren't usable for the
snapshot-reuse optimization.

Signed-off-by: Erik Sipsma <[email protected]>

* authprovider: handle eaccess on storing token seeds

Signed-off-by: Tonis Tiigi <[email protected]>

* log with traceID and spanID

Signed-off-by: Morlay <[email protected]>

* github: update CI buildkit to v0.9.0-rc1

Signed-off-by: Tonis Tiigi <[email protected]>

* initial version of github cache

Signed-off-by: Tonis Tiigi <[email protected]>

* vendor: add goactionscache

Signed-off-by: Tonis Tiigi <[email protected]>

* caps: add cap for gha cache backend

Signed-off-by: Tonis Tiigi <[email protected]>

* remove tracetransform package

Signed-off-by: Tonis Tiigi <[email protected]>

* resolver: increase default idle conns reuse

The current defaults were even lower than stdlib defaults.

Signed-off-by: Tonis Tiigi <[email protected]>

* refactor to use util/bklog instead of using logrus directly

Signed-off-by: Morlay <[email protected]>

* GitHub Actions cache docs

Signed-off-by: CrazyMax <[email protected]>

* Skips getting UID/GUID if passwd/group file is not found

When running a WORKDIR instruction, buildkit will create that folder
and chown it to the currently set user. For this, it will try to read
the /etc/passwd file to get the proper UID, and if that user is not
found in the file, the root user will be considered as the owner.

However, Windows images do not have that file, which will result in
an error while building the image. We can consider not finding
the /etc/passwd file as the same as not finding the user in the file,
which would solve this issue.

Signed-off-by: Claudiu Belu <[email protected]>

* add per domain semaphore to limit concurrent connections

This is a safer alternative until we figure out why
http.Transport based limiting fails.

Some connections like cache export/import do not have a
domain key atm and these connections use global pool.

Signed-off-by: Tonis Tiigi <[email protected]>

* update to github.com/containerd/containerd v1.5.3

Signed-off-by: coryb <[email protected]>

* vendor: update go-actions-cache with custom client support

Signed-off-by: Tonis Tiigi <[email protected]>

* tracing: update to otelhttp roundtripper

Signed-off-by: Tonis Tiigi <[email protected]>

* Enhance test matrix

Signed-off-by: CrazyMax <[email protected]>

* fix dropped pull progress output due to canceled context

fixes moby#2248

Signed-off-by: coryb <[email protected]>

* Add span for layer export

This can be a significant amount of time that isn't currently accounted
for in traces.

Signed-off-by: Aaron Lehmann <[email protected]>

* new implementation for limiting tcp connections

The previous implementation had many issues. E.g. on fetch, even if
the data already existed and no remote connections were needed
the request would still be waiting in the queue. Or if two fetches
of the same blob happened together they would take up two places in queue
although there was only one remote request.

Signed-off-by: Tonis Tiigi <[email protected]>

* limited: allow extra high-priority connection for json requests

Signed-off-by: Tonis Tiigi <[email protected]>

* ensure wrappers support seeking to continue partial downloads

Signed-off-by: Tonis Tiigi <[email protected]>

* contentutil: change offset to int64 to simplify

Signed-off-by: Tonis Tiigi <[email protected]>

* Exporter config digest typo

Signed-off-by: CrazyMax <[email protected]>

* daemonless: wait for daemon to finish before exit

Signed-off-by: Tonis Tiigi <[email protected]>

* github: update CI buildkit to v0.9.0

Signed-off-by: Tonis Tiigi <[email protected]>

* add docs for new config options

Signed-off-by: Tonis Tiigi <[email protected]>

* add ktock and crazy-max to maintainers

Signed-off-by: Tonis Tiigi <[email protected]>

* Update Dockerfile references to use 1.3

Signed-off-by: Tonis Tiigi <[email protected]>

* docs: update images-readme to v0.9

Signed-off-by: Tonis Tiigi <[email protected]>

* Bump to codecov/codecov-action v2

Signed-off-by: CrazyMax <[email protected]>

* build(deps): bump github.com/containerd/containerd from 1.5.3 to 1.5.4

Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.3 to 1.5.4.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.5.3...v1.5.4)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* util/tracing: remove incorrect import enforcing comment

This import comment caused compilation of buildx to fail if `GO111MODULE` was
set to `off`:

Without `GO111MODULE` set (but with `-mod=vendor`):

    echo $GO111MODULE

    export PKG=github.com/docker/buildx
    export LDFLAGS="-X ${PKG}/version.Version=$(git describe --match 'v[0-9]*' --always --tags) -X ${PKG}/version.Revision=$(git rev-parse HEAD) -X ${PKG}/version.Package=${PKG}"
    GOFLAGS=-mod=vendor go build -o bin/docker-buildx -ldflags "${LDFLAGS}" ./cmd/buildx
    bin/docker-buildx version
    github.com/docker/buildx v0.6.0 d9ee3b134cbc2d09513fa7fee4176a3919e05887

When setting `GO111MODULE=off`, it fails on the incorrect import path in the
vendored file (looks like GO111MODULE=on ignores import-path comments?):

    export GO111MODULE=off
    root@5a55ec1c1eed:/go/src/github.com/docker/buildx# GOFLAGS=-mod=vendor go build -o bin/docker-buildx -ldflags "${LDFLAGS}" ./cmd/buildx
    vendor/github.com/moby/buildkit/client/client.go:20:2: code in directory /go/src/github.com/docker/buildx/vendor/github.com/moby/buildkit/util/tracing/otlptracegrpc expects import "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"
    vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/connection/connection.go:33:2: found import comments "go.opentelemetry.io/otel/exporters/otlp/internal/otlpconfig" (options.go) and "go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/otlpconfig" (optiontypes.go) in /go/src/github.com/docker/buildx/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/otlpconfig

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* Fix protoc link

Signed-off-by: CrazyMax <[email protected]>

* Allow ExitError type to be transmitted over GRPC

This will allow clients to retrieve exit error codes returned during a
solve without parsing the error messages.

Signed-off-by: Aaron Lehmann <[email protected]>

* Update to github.com/opencontainers/runc v1.0.1

Signed-off-by: CrazyMax <[email protected]>

* Split cache options doc for each exporter

Signed-off-by: CrazyMax <[email protected]>

* Set default socket permissions to 660

The systemd default is 666, it seems.

Signed-off-by: Anders F Björklund <[email protected]>

* fix SecurityMode being dropped on gateway container Start

Signed-off-by: Cory Bennett <[email protected]>

* bump containerd from 1.5.4 to 1.5.5

Signed-off-by: CrazyMax <[email protected]>

* go.mod: golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c

In preparation of replacing the deprecated github.com/docker/docker/pkg/signal,
which uses this version (updating it separately for easier review).

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* replace use of deprecated github.com/docker/docker/pkg/signal

This package was moved to a separate module in github.com/moby/sys/signal

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* Additional tests and cleanup for cache/contenthash

This adds a little extra testing around ** patterns, and adds a
(currently skipped) test for copying directories under symlinks (moby#2300).

It removes an extra call to `filepath.FromSlash` in `shouldIncludePath`
and an unused argument to that function.

Signed-off-by: Aaron Lehmann <[email protected]>

* all: remove duplicate imports

Signed-off-by: Koichi Shiraishi <[email protected]>

* all: unify the specs-go package import alias to ocispecs

ocispecs means "O"pen "C"ontainer "I"nitiative image-spec/"specs"-go/v1
                      opencontainers          /image-spec/specs-go/v1

Signed-off-by: Koichi Shiraishi <[email protected]>

* hack/dockerfiles: upgrade golangci-lint version to v1.41.1

Signed-off-by: Koichi Shiraishi <[email protected]>

* golangci-lint: enable importas and add settings for specs-go package

Signed-off-by: Koichi Shiraishi <[email protected]>

* all: unify the go-digest package import alias to digest

Signed-off-by: Koichi Shiraishi <[email protected]>

* golangci-lint: add go-digest importas setting

Signed-off-by: Koichi Shiraishi <[email protected]>

* Fix IncludePattern/ExcludePattern matching

The transformation to rootedPatterns seems very wrong and inconsistent
with what the copy logic did. Change it to match the copy logic, and add
more testing.

Signed-off-by: Aaron Lehmann <[email protected]>

* dockerfile: fix parsing required key without value

Signed-off-by: Tonis Tiigi <[email protected]>

* generated files: use "go install" to install binaries

Now that this repository moved to go1.16, we can use 'go install' to install
these binaries.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* util/stack: update protoc options to work with newer versions

Generating the util/stack protos failed when updating protoc-gen-go to v1.5.2
(it looks like this is the only proto that's not generated using protoc-gen-gogo):

    util/stack/generate.go
    protoc-gen-go: unable to determine Go import path for "stack.proto"

    Please specify either:
        • a "go_package" option in the .proto source file, or
        • a "M" argument on the command line.

    See https://developers.google.com/protocol-buffers/docs/reference/go-generated#package for more information.

    --go_out: protoc-gen-go: Plugin failed with status code 1.
    util/stack/generate.go:3: running "protoc": exit status 1

Newer protobuf versions expect a go package to be set. Other .proto files in
this repository use the bare package name, but with protoc-gen-go v1.5.2, this
produces an error (package names must at least have a "/"). In addition,
including the option in the .proto file also changes the generated result
(`options go_package "<package name>"`).

Using the `-go_opt=M<package name>` option on the other hand, didn't change the
result (while still on protoc-gen-go v1.3.5), so I used that option instead.

protoc-gen-go v1.5.2 also changed the behavior where the generated file is stored,
seemingly relative to the `../../vendor` path specified. This could be fixed either
by setting `--go_out=../../`, which was a bit counter-intuitive, or setting the
`--go_opt=paths=source_relative` option. The latter also prevented v1.5.2 from
storing the file in `utils/stack/github.com/moby/buildkit/utils/stack/` (sigh).

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* add missing ExtraHosts to gateway exec

Also adding tests for ExtraHosts and NetMode via gateway exec

Signed-off-by: Cory Bennett <[email protected]>

* add gateway.exec.extrahosts capability

Signed-off-by: Cory Bennett <[email protected]>

* cache: Fix flightcontrol use in computeBlobChain.

Previously, the flightcontrol group was being given a key just set to
the ref's ID, which meant that concurrent calls using different values
of compressionType, createIfNeeded and forceCompression would
incorrectly be de-duplicated.

The change here splits up the flightcontrol group into a few separate
calls and ensures that all the correct input variables are put into the
flightcontrol keys.

Signed-off-by: Erik Sipsma <[email protected]>

* solver: include cachemap index in flightcontrol.

Signed-off-by: Erik Sipsma <[email protected]>

* pull: use resolvemode in flightcontrol key.

Signed-off-by: Erik Sipsma <[email protected]>

* util: remove outdated flightcontrol test assertion.

The test was making an assertion that is no longer expected to always be
true after moby#2195, which purposely made flightcontrol less deterministic.
This led to occasional failures.

Signed-off-by: Erik Sipsma <[email protected]>

* update go to 1.17

Signed-off-by: Tonis Tiigi <[email protected]>

* gomod: update to go1.17

Signed-off-by: Tonis Tiigi <[email protected]>

* Follow links in includedPaths to resolve incorrect caching when source path is behind symlink

As discussed in moby#2300, includedPaths does not resolve symlinks when
looking up the source path in the prefix tree. If the user requests a
path that involves symlinks (for example, /a/foo when a symlink /a -> /b
exists), includedPaths will not find it, and will expect nothing to be
copied. This does not match the actual copy behavior implemented in
fsutil, which will follow symlinks in prefix components of a given path,
so it can end up caching an empty result even though the copy will
produce a non-empty result, which is quite bad.

To fix this, use getFollowLinks to resolve the path before walking it.
In the wildcard case, this is done to the non-wildcard prefix of the
path (if any), which matches the behavior in fsutil.

Fixes the repro case here:
https://gist.github.com/aaronlehmann/64054c9a2cff0d27e200cc107bba3d69

Fixes moby#2300

Signed-off-by: Aaron Lehmann <[email protected]>

* cmd/buildkitd: replace BurntSushi/toml with pelletier/go-toml

The BurntSushi/toml project has been deprecated, and the ecosystem
is converging on using pelletier/go-toml as the "canonical" replacement.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* control: fix 64bit alignment for buildcount

Signed-off-by: Tonis Tiigi <[email protected]>

* Use fixed fileutils matching functions

This is important for two reasons:

1) Keeps caching logic consistent with recent fsutil changes to use
   these functions (also vendored here).

2) Allows us to move forward with removal of the original buggy Matches
   implementation in moby/moby.

Signed-off-by: Aaron Lehmann <[email protected]>

* Add `estargz` compression type

Signed-off-by: Kohei Tokunaga <[email protected]>

* Refactor cache metadata interface.

There are a few goals with this refactor:
1. Remove external access to fields that no longer make sense and/or
   won't make sense soon due to other potential changes. For example,
   there can now be multiple blobs associated with a ref (for different
   compression types), so the fact that you could access the "Blob"
   field from the Info method on Ref incorrectly implied there was just
   a single blob for the ref. This is on top of the fact that there is
   no need for external access to blob digests.
2. Centralize use of cache metadata inside the cache package.
   Previously, many parts of the code outside the cache package could
   obtain the bolt storage item for any ref and read/write it directly.
   This made it hard to understand what fields are used and when. Now,
   the Metadata method has been removed from the Ref interface and
   replaced with getters+setters for metadata fields we want to expose
   outside the package, which makes it much easier to track and
   understand. Similar changes have been made to the metadata search
   interface.
3. Use a consistent getter+setter interface for metadata, replacing
   the mix of interfaces like Metadata(), Size(), Info() and other
   inconsistencies.

Signed-off-by: Erik Sipsma <[email protected]>

* Use containerd/pkg/seccomp.IsEnabled()

This replaces the local SeccompSupported() utility for the implementation
in containerd, which performs the same check.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* Compute diff from the upper dir of overlayfs-based snapshotter

Signed-off-by: Kohei Tokunaga <[email protected]>

* go.mod: github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6

full diff: moby/term@bea5bbe...3f7ff69

updates Azure/go-ansiterm to fix integer overflow on arm

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* go.mod: split the indirect packages

After go1.17, all indirect packages are listed in the go.mod file.

In addition, the ability to list indirect packages separately has been introduced.
Split the indirect packages to make the dependency packages clearer.

Signed-off-by: Koichi Shiraishi <[email protected]>

* exporter: support creating blobs with zstd compression

Signed-off-by: Tonis Tiigi <[email protected]>

* update getremote test for zstd

Estargz support has been removed from this test as
implementation does not guarantee digest stability
and only reason it passed were the exceptions in the
test via variant map that ignored cases where timing
resulted the digest to go wrong. This needs to be
addressed in the follow up if we want to keep estargz
support.

Signed-off-by: Tonis Tiigi <[email protected]>

* Add test case for symlink which is not final path component before wildcard

Signed-off-by: Aaron Lehmann <[email protected]>

* hack: allow mounting in workdir in shell

Signed-off-by: Tonis Tiigi <[email protected]>

* Handle the case of multiple path component symlinks (including last component) in wildcard prefix

Signed-off-by: Aaron Lehmann <[email protected]>

* Use getFollowLinksWalked

Signed-off-by: Aaron Lehmann <[email protected]>

* bklog: only log tracing ids when span exporter not nil

Signed-off-by: Morlay <[email protected]>

* Refactor url redacting util

Signed-off-by: CrazyMax <[email protected]>

* Clean up old TODOs

Signed-off-by: Tonis Tiigi <[email protected]>

* Move config parsing to a dedicated pkg

Signed-off-by: CrazyMax <[email protected]>

* Generate and embed build sources

Signed-off-by: CrazyMax <[email protected]>

* resolver: use different mutex for handlers and hosts

hosts mutex is called on initialization, meaning `GetResolver` might
block if it is in the middle of auth exchange. This is currently bad
in the case where Job initialization needs to register a name before
timeout is reached.

Signed-off-by: Tonis Tiigi <[email protected]>

* resolver: make sure authorizer is not overwritten on other resolvers 

Authorizer stores the current session.Group so if it is
overwritten for another resolver it means that session might
have been dropped and authentication will fail.

Signed-off-by: Tonis Tiigi <[email protected]>

* solver: increase timeout for job registration

Signed-off-by: Tonis Tiigi <[email protected]>

* go.mod: sort and move self-managed indirect dependencies to first block

Signed-off-by: Koichi Shiraishi <[email protected]>

* Fix issues moby#1980 and moby#2198

Signed-off-by: Jonathan Giannuzzi <[email protected]>

* Add BUILDKIT_SANDBOX_HOSTNAME build-arg

Signed-off-by: CrazyMax <[email protected]>

* Fix estargz compression loses the original tar metadata

Currently, eStargz compression doesn't preserve the original tar metadata
(header bytes and their order). This causes failure of `TestGetRemote` because
an uncompressed blob converted from a gzip blob provides a different digest
from the one converted from an eStargz blob even if their original tars (computed
by the differ) are the same.
This commit solves this issue by fixing eStargz to preserve original tar's
metadata that is modified by eStargz.

Signed-off-by: Kohei Tokunaga <[email protected]>

* Enhance ANSI color for progress ui

Signed-off-by: CrazyMax <[email protected]>

* Move resolver config to a dedicated package

Signed-off-by: CrazyMax <[email protected]>

* Standard user umask for git process

Signed-off-by: CrazyMax <[email protected]>

* make sure ci runs on version branches

Signed-off-by: Tonis Tiigi <[email protected]>

* return an error instead of panicking when failing to get edge

Signed-off-by: Maxime Lagresle <[email protected]>

* Add support for shm size

Signed-off-by: CrazyMax <[email protected]>

* gha: handle already exist error on save

Signed-off-by: Tonis Tiigi <[email protected]>

* don't cast Value when pipe is errored

Signed-off-by: Maxime Lagresle <[email protected]>

* gha: handle missing blob gracefully

FromRemote now calls CheckDescriptor to validate
if the blob still exists. Otherwise cache loading
fallback does not get triggered because cache is
actually lazily pulled in only on exporting phase.

Signed-off-by: Tonis Tiigi <[email protected]>

* solver: make sure previous error gets reset

This happens for example when cache loading fails
but then fallback step execution succeeds. 

Signed-off-by: Tonis Tiigi <[email protected]>

* vendor: update go-actions-cache to 4d48f2ff

Signed-off-by: Tonis Tiigi <[email protected]>

* Differ: write diff to the content store over bufio writer

Signed-off-by: Kohei Tokunaga <[email protected]>

* Do not enable overlayfs differ for fuse-overlayfs-snapshotter

Signed-off-by: Kohei Tokunaga <[email protected]>

* Converter: make sure uncompressed digest annotation is set

Signed-off-by: Kohei Tokunaga <[email protected]>

* Use gha cache on CI

Signed-off-by: CrazyMax <[email protected]>

* Creating tcp socket without using go-connections.

Signed-off-by: Jacob MacElroy <[email protected]>

* limited: fix possible deadlock when pushhandler calls fetcher

Signed-off-by: Tonis Tiigi <[email protected]>

* README.md: improve "Building multi-platform images" section

Signed-off-by: Akihiro Suda <[email protected]>

* Add support for ulimit

Signed-off-by: CrazyMax <[email protected]>

* solver: fix exporters unsafely sharing records

Signed-off-by: Tonis Tiigi <[email protected]>

* fix: provide only available capabilities to insecure environment

The problem this change is trying to fix are the environments where some
capabilities are already dropped, so they can't be granted to the
job with `--security=insecure`.

I know that probably fixed set of capabilities was implemented to
provide a stable build environment, but at the same time this breaks
environments with reduced capabilities.

Signed-off-by: Andrey Smirnov <[email protected]>

* client: allow setting custom dialer for session endpoint

Signed-off-by: Tonis Tiigi <[email protected]>

* add size to tmpfs mounts

Signed-off-by: CrazyMax <[email protected]>

* deduplicate mounts

Signed-off-by: CrazyMax <[email protected]>

* use bytes as given size for tmpfs mount

Signed-off-by: CrazyMax <[email protected]>

* use `opts.MemBytes` for tmpfs size run mount instruction

Signed-off-by: CrazyMax <[email protected]>

* Re-add Finalize method to ImmutableRef.

It turns out that while Buildkit code did not need this method to
be public, moby code does still use it, so we have to re-add it
after its removal in moby#2216 (commit b85ef15).

This commit is not a revert because some of the changes are
still desirable, namely the removal of the "commit" parameter
which didn't serve any purpose.

Signed-off-by: Erik Sipsma <[email protected]>

Co-authored-by: Tonis Tiigi <[email protected]>
Co-authored-by: Akihiro Suda <[email protected]>
Co-authored-by: Justin Chadwell <[email protected]>
Co-authored-by: Erik Sipsma <[email protected]>
Co-authored-by: Akihiro Suda <[email protected]>
Co-authored-by: CrazyMax <[email protected]>
Co-authored-by: Levi Harrison <[email protected]>
Co-authored-by: ktock <[email protected]>
Co-authored-by: masibw <[email protected]>
Co-authored-by: Morlay <[email protected]>
Co-authored-by: CrazyMax <[email protected]>
Co-authored-by: Claudiu Belu <[email protected]>
Co-authored-by: coryb <[email protected]>
Co-authored-by: Aaron Lehmann <[email protected]>
Co-authored-by: Sebastiaan van Stijn <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Sebastiaan van Stijn <[email protected]>
Co-authored-by: Anders F Björklund <[email protected]>
Co-authored-by: CrazyMax <[email protected]>
Co-authored-by: Koichi Shiraishi <[email protected]>
Co-authored-by: Jonathan Giannuzzi <[email protected]>
Co-authored-by: Maxime Lagresle <[email protected]>
Co-authored-by: Jacob MacElroy <[email protected]>
Co-authored-by: Andrey Smirnov <[email protected]>
alexcb added a commit to earthly/buildkit-old-fork that referenced this issue Oct 28, 2021
* integration: add common context base to all integration tests

Signed-off-by: Tonis Tiigi <[email protected]>

* vendor: update opentelemetry to 1.0.0-rc

Signed-off-by: Tonis Tiigi <[email protected]>

* add current tracing context detection and exec propagation

Signed-off-by: Tonis Tiigi <[email protected]>
(cherry picked from commit bc9a83144c83e9fd78007b7bfe92e8082c59d40e)

* add transform package to convert from otlp

Signed-off-by: Tonis Tiigi <[email protected]>

* tracing: add delegated exporter

Signed-off-by: Tonis Tiigi <[email protected]>

* otlgrpc: provide a way to get otlp client from grpc conn

Hopefully this can be removed with a future upstream change
that could make this configurable. The package also needs
internal dependency that is copied in.

Signed-off-by: Tonis Tiigi <[email protected]>

* enable collecting traces via control api

Signed-off-by: Tonis Tiigi <[email protected]>

* support collecting traces from llb.Exec

Signed-off-by: Tonis Tiigi <[email protected]>

* client: pass delegated exporter as parameter

Avoid client package having dependency on global detect package.

Signed-off-by: Tonis Tiigi <[email protected]>

* update runc binary to v1.0.0 GA

Signed-off-by: Akihiro Suda <[email protected]>

* handle unconfigured spans without errors

Signed-off-by: Tonis Tiigi <[email protected]>

* llb: add constraints to vertex and validate

Signed-off-by: Tonis Tiigi <[email protected]>

* llb: add constraints to async llb

Signed-off-by: Tonis Tiigi <[email protected]>

* llb: ensure meta resolver uses platform form constraints

Signed-off-by: Tonis Tiigi <[email protected]>

* flightcontrol: reduce contention between goroutines

Signed-off-by: Tonis Tiigi <[email protected]>

* Avoid nil pointer dereference when copying from image with no layers

Fix this panic when copying from an image with no layers:

```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x50 pc=0xdd8c17]

goroutine 326 [running]:
github.com/moby/buildkit/cache/contenthash.(*cacheManager).Checksum(0xc0005ec030, 0x1682c00, 0xc000842140, 0x0, 0x0, 0xc0005d4023, 0x1, 0x0, 0x0, 0x0, ...)
	/src/cache/contenthash/checksum.go:95 +0x37
github.com/moby/buildkit/cache/contenthash.Checksum(0x1682c00, 0xc000842140, 0x0, 0x0, 0xc0005d4023, 0x1, 0x0, 0x0, 0x0, 0x0, ...)
	/src/cache/contenthash/checksum.go:59 +0xd5
github.com/moby/buildkit/solver/llbsolver.NewContentHashFunc.func1.1(0x0, 0x4425d6)
	/src/solver/llbsolver/result.go:59 +0x20a
golang.org/x/sync/errgroup.(*Group).Go.func1(0xc00056a360, 0xc000594510)
	/src/vendor/golang.org/x/sync/errgroup/errgroup.go:57 +0x59
created by golang.org/x/sync/errgroup.(*Group).Go
	/src/vendor/golang.org/x/sync/errgroup/errgroup.go:54 +0x66
```

When the path is "/", we allow it because it's a noop.

Based on moby#2185

Signed-off-by: Aaron Lehmann <[email protected]>

* Add test for copying from scratch

Signed-off-by: Aaron Lehmann <[email protected]>

* Check that scratch is mounted as empty dir

Signed-off-by: Aaron Lehmann <[email protected]>

* Make error message consistent when layer is empty

Signed-off-by: Aaron Lehmann <[email protected]>

* Test with tonistiigi/test:nolayers as well

Signed-off-by: Aaron Lehmann <[email protected]>

* ensure containerd io is complete and closed before returning

Signed-off-by: Cory Bennett <[email protected]>

* [moby#2112] progress.Controller should own the progress.Writer to prevent leaks

Signed-off-by: Cory Bennett <[email protected]>

* [moby#2112] progress.FromContext returns a writer factory

This allows progress.Controller to manage the writer lifecycle

Signed-off-by: Cory Bennett <[email protected]>

* contenthash: use SeekLowerBound to seek radix tree

Signed-off-by: Tonis Tiigi <[email protected]>

* dockerfile: fix git version detection

Signed-off-by: Tonis Tiigi <[email protected]>

* Add support for heredocs with ONBUILD

Signed-off-by: Justin Chadwell <[email protected]>

* dockerfile: use none differ for dockerfile/dockerignore

This avoids wrong metadata matches on small files

Signed-off-by: Tonis Tiigi <[email protected]>

* progressui: print logs for failed step as summary in plain mode

Signed-off-by: Tonis Tiigi <[email protected]>

* grpcerrors: avoid rpc error wrapping in error messages

Signed-off-by: Tonis Tiigi <[email protected]>

* exec: improve error message on exec errors

Signed-off-by: Tonis Tiigi <[email protected]>

* Improve heredoc parsing to allow more generic words

Previously, heredoc names were restricted to simple alphanumeric
strings. However, heredocs should support much more complex use-cases,
including quoting anywhere, as well as allowing special symbols like `.`
for easily expressing file extensions.

This patch adds support for these more complex cases, by using the shell
lexer to parse each heredoc name. Additionally, we include improvements
to the lexer to optionally preserve escape tokens to avoid problems when
lexing words that have already been lexed before.

Signed-off-by: Justin Chadwell <[email protected]>

* Improve progress and history messages for heredoc-related commands

Signed-off-by: Justin Chadwell <[email protected]>

* Remove unneeded Finalize method from ImmutableRef.

Finalize was only used outside the cache package in one place, which
called it with the commit arg set to false. The code path followed
when commit==false turned out to essentially be a no-op because
it set "retain cache" to true if it was already set to true.

It was thus safe to remove the only external call to it and remove it
from the interface. This should be helpful for future efforts to
simplify the equal{Mutable,Immutable} fields in cacheRecord, which exist
due to the "lazy commit" feature that Finalize is tied into.

Signed-off-by: Erik Sipsma <[email protected]>

* Fix ref leak if fileop ref fails to mount.

Signed-off-by: Erik Sipsma <[email protected]>

* add error suggest pkg

Signed-off-by: Tonis Tiigi <[email protected]>

* dockerfile: suggest mistyped flag names

Signed-off-by: Tonis Tiigi <[email protected]>

* dockerfile: provide suggestions for mount options

Signed-off-by: Tonis Tiigi <[email protected]>

* dockerfile: add tests for error suggestions

Signed-off-by: Tonis Tiigi <[email protected]>

* dockerfile: remove unnecessary error wrappings

Signed-off-by: Tonis Tiigi <[email protected]>

* enable riscv64 build

Signed-off-by: Tonis Tiigi <[email protected]>

* Update QEMU emulators

Signed-off-by: CrazyMax <[email protected]>

* dockerfile: move run network to stable channel

Signed-off-by: Tonis Tiigi <[email protected]>

* Automatically detect default git branch

Instead of just assuming that the default branch is master, use ls-remote to find out. Also removed tests that didn't specify a branch but required authentication, because those will fail now that the repo is actually checked.

Signed-off-by: Levi Harrison <[email protected]>

* Moved getDefaultBranch function to gitsource

It is my suspicion that the tests were failing on previous commits because of the lack of authentication and other stuff like that available in gitidentifier as compared to gitsource

Signed-off-by: Levi Harrison <[email protected]>

* Fix tests

Unfortunately, further test cases will have to be removed because gitidentifier will now leave the branch blank instead of filling it in

Signed-off-by: Levi Harrison <[email protected]>

* git: fix default branch detection

Signed-off-by: Tonis Tiigi <[email protected]>

* Enable to forcefully specify compression type

Signed-off-by: ktock <[email protected]>

* Add full timestamp to logs

Signed-off-by: Yamazaki Masashi <[email protected]>

* Remove meaningless encode

Signed-off-by: Yamazaki Masashi <[email protected]>

* Ignore missing providers for blobs w/ same chainid.

GetByBlob checks to see if there are any other blobs with the same
(uncompressed) ChainID and, if so, reuses their unpacked snapshot if it
exists.

The problem is if this code finds a match, it was trying to get the
matching record, but couldn't do so when the match is lazy because the
caller doesn't necessarily have descriptor handlers setup for it.

This commit changes the behavior to just ignore any match with the same
ChainID that's also lazy as they just aren't usable for the
snapshot-reuse optimization.

Signed-off-by: Erik Sipsma <[email protected]>

* authprovider: handle eaccess on storing token seeds

Signed-off-by: Tonis Tiigi <[email protected]>

* log with traceID and spanID

Signed-off-by: Morlay <[email protected]>

* github: update CI buildkit to v0.9.0-rc1

Signed-off-by: Tonis Tiigi <[email protected]>

* initial version of github cache

Signed-off-by: Tonis Tiigi <[email protected]>

* vendor: add goactionscache

Signed-off-by: Tonis Tiigi <[email protected]>

* caps: add cap for gha cache backend

Signed-off-by: Tonis Tiigi <[email protected]>

* remove tracetransform package

Signed-off-by: Tonis Tiigi <[email protected]>

* resolver: increase default idle conns reuse

The current defaults were even lower than the stdlib defaults.

Signed-off-by: Tonis Tiigi <[email protected]>

* refactor to use util/bklog instead of using logrus directly

Signed-off-by: Morlay <[email protected]>

* GitHub Actions cache docs

Signed-off-by: CrazyMax <[email protected]>

* Skips getting UID/GUID if passwd/group file is not found

When running a WORKDIR instruction, buildkit will create that folder
and chown it to the currently set user. For this, it will try to read
the /etc/passwd file to get the proper UID, and if that user is not
found in the file, the root user will be considered as the owner.

However, Windows images do not have that file, which will result in
an error while building the image. We can consider not finding
the /etc/passwd file as the same as not finding the user in the file,
which would solve this issue.

Signed-off-by: Claudiu Belu <[email protected]>

* add per domain semaphore to limit concurrent connections

This is a safer alternative until we figure out why
http.Transport based limiting fails.

Some connections like cache export/import do not have a
domain key atm and these connections use global pool.

Signed-off-by: Tonis Tiigi <[email protected]>

* update to github.com/containerd/containerd v1.5.3

Signed-off-by: coryb <[email protected]>

* vendor: update go-actions-cache with custom client support

Signed-off-by: Tonis Tiigi <[email protected]>

* tracing: update to otelhttp roundtripper

Signed-off-by: Tonis Tiigi <[email protected]>

* Enhance test matrix

Signed-off-by: CrazyMax <[email protected]>

* fix dropped pull progress output due to canceled context

fixes moby#2248

Signed-off-by: coryb <[email protected]>

* Add span for layer export

This can be a significant amount of time that isn't currently accounted
for in traces.

Signed-off-by: Aaron Lehmann <[email protected]>

* new implementation for limiting tcp connections

The previous implementation had many issues. Eg. on fetch, even if
the data already existed and no remote connections were needed
the request would still be waiting in the queue. Or if two fetches
of same blob happened together they would take up two places in queue
although there was only one remote request.

Signed-off-by: Tonis Tiigi <[email protected]>

* limited: allow extra high-priority connection for json requests

Signed-off-by: Tonis Tiigi <[email protected]>

* ensure wrappers support seeking to continue partial downloads

Signed-off-by: Tonis Tiigi <[email protected]>

* contentutil: change offset to int64 to simplify

Signed-off-by: Tonis Tiigi <[email protected]>

* Exporter config digest typo

Signed-off-by: CrazyMax <[email protected]>

* daemonless: wait for daemon to finish before exit

Signed-off-by: Tonis Tiigi <[email protected]>

* github: update CI buildkit to v0.9.0

Signed-off-by: Tonis Tiigi <[email protected]>

* add docs for new config options

Signed-off-by: Tonis Tiigi <[email protected]>

* add ktock and crazy-max to maintainers

Signed-off-by: Tonis Tiigi <[email protected]>

* Update Dockerfile references to use 1.3

Signed-off-by: Tonis Tiigi <[email protected]>

* docs: update images-readme to v0.9

Signed-off-by: Tonis Tiigi <[email protected]>

* Bump to codecov/codecov-action v2

Signed-off-by: CrazyMax <[email protected]>

* build(deps): bump github.com/containerd/containerd from 1.5.3 to 1.5.4

Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.3 to 1.5.4.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.5.3...v1.5.4)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* util/tracing: remove incorrect import enforcing comment

This import comment caused compilation of buildx to fail if `GO111MODULE` was
set to `off`:

Without `GO111MODULE` set (but with `-mod=vendor`):

    echo $GO111MODULE

    export PKG=github.com/docker/buildx
    export LDFLAGS="-X ${PKG}/version.Version=$(git describe --match 'v[0-9]*' --always --tags) -X ${PKG}/version.Revision=$(git rev-parse HEAD) -X ${PKG}/version.Package=${PKG}"
    GOFLAGS=-mod=vendor go build -o bin/docker-buildx -ldflags "${LDFLAGS}" ./cmd/buildx
    bin/docker-buildx version
    github.com/docker/buildx v0.6.0 d9ee3b134cbc2d09513fa7fee4176a3919e05887

When setting `GO111MODULE=off`, it fails on the incorrect import path in the
vendored file (looks like GO111MODULE=on ignores import-path comments?):

    export GO111MODULE=off
    root@5a55ec1c1eed:/go/src/github.com/docker/buildx# GOFLAGS=-mod=vendor go build -o bin/docker-buildx -ldflags "${LDFLAGS}" ./cmd/buildx
    vendor/github.com/moby/buildkit/client/client.go:20:2: code in directory /go/src/github.com/docker/buildx/vendor/github.com/moby/buildkit/util/tracing/otlptracegrpc expects import "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"
    vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/connection/connection.go:33:2: found import comments "go.opentelemetry.io/otel/exporters/otlp/internal/otlpconfig" (options.go) and "go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/otlpconfig" (optiontypes.go) in /go/src/github.com/docker/buildx/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/otlpconfig

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* Fix protoc link

Signed-off-by: CrazyMax <[email protected]>

* Allow ExitError type to be transmitted over GRPC

This will allow clients to retrieve exit error codes returned during a
solve without parsing the error messages.

Signed-off-by: Aaron Lehmann <[email protected]>

* Update to github.com/opencontainers/runc v1.0.1

Signed-off-by: CrazyMax <[email protected]>

* Split cache options doc for each exporter

Signed-off-by: CrazyMax <[email protected]>

* Set default socket permissions to 660

The systemd default is 666, it seems.

Signed-off-by: Anders F Björklund <[email protected]>

* fix SecurityMode being dropped on gateway container Start

Signed-off-by: Cory Bennett <[email protected]>

* bump containerd from 1.5.4 to 1.5.5

Signed-off-by: CrazyMax <[email protected]>

* go.mod: golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c

In preparation of replacing the deprecated github.com/docker/docker/pkg/signal,
which uses this version (updating it separately for easier review).

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* replace use of deprecated github.com/docker/docker/pkg/signal

This package was moved to a separate module in github.com/moby/sys/signal

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* Additional tests and cleanup for cache/contenthash

This adds a little extra testing around ** patterns, and adds a
(currently skipped) test for copying directories under symlinks (moby#2300).

It removes an extra call to `filepath.FromSlash` in `shouldIncludePath`
and an unused argument to that function.

Signed-off-by: Aaron Lehmann <[email protected]>

* all: remove duplicate imports

Signed-off-by: Koichi Shiraishi <[email protected]>

* all: unify the specs-go package import alias to ocispecs

ocispecs means "O"pen "C"ontainer "I"nitiative image-spec/"specs"-go/v1
                      opencontainers          /image-spec/specs-go/v1

Signed-off-by: Koichi Shiraishi <[email protected]>

* hack/dockerfiles: upgrade golangci-lint version to v1.41.1

Signed-off-by: Koichi Shiraishi <[email protected]>

* golangci-lint: enable importas and add settings for specs-go package

Signed-off-by: Koichi Shiraishi <[email protected]>

* all: unify the go-digest package import alias to digest

Signed-off-by: Koichi Shiraishi <[email protected]>

* golangci-lint: add go-digest importas setting

Signed-off-by: Koichi Shiraishi <[email protected]>

* Fix IncludePattern/ExcludePattern matching

The transformation to rootedPatterns seems very wrong and inconsistent
with what the copy logic did. Change it to match the copy logic, and add
more testing.

Signed-off-by: Aaron Lehmann <[email protected]>

* dockerfile: fix parsing required key without value

Signed-off-by: Tonis Tiigi <[email protected]>

* generated files: use "go install" to install binaries

Now that this repository moved to go1.16, we can use 'go install' to install
these binaries.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* util/stack: update protoc options to work with newer versions

Generating the util/stack protos failed when updating protoc-gen-go to v1.5.2
(it looks like this is the only proto that's not generated using protoc-gen-gogo):

    util/stack/generate.go
    protoc-gen-go: unable to determine Go import path for "stack.proto"

    Please specify either:
        • a "go_package" option in the .proto source file, or
        • a "M" argument on the command line.

    See https://developers.google.com/protocol-buffers/docs/reference/go-generated#package for more information.

    --go_out: protoc-gen-go: Plugin failed with status code 1.
    util/stack/generate.go:3: running "protoc": exit status 1

Newer protobuf versions expect a go package to be set. Other .proto files in
this repository use the bare package name, but with protoc-gen-go v1.5.2, this
produces an error (package names must at least have a "/"). In addition,
including the option in the .proto file also changes the generated result
(`options go_package "<package name>"`).

Using the `-go_opt=M<package name>` option on the other hand, didn't change the
result (while still on protoc-gen-go v1.3.5), so I used that option instead.

protoc-gen-go v1.5.2 also changed the behavior where the generated file is stored,
seemingly relative to the `../../vendor` path specified. This could be fixed either
by setting `--go_out=../../`, which was a bit counter-intuitive, or setting the
`--go_opt=paths=source_relative` option. The latter also prevented v1.5.2 from
storing the file in `utils/stack/github.com/moby/buildkit/utils/stack/` (sigh).

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* add missing ExtraHosts to gateway exec

Also adding tests for ExtraHosts and NetMode via gateway exec

Signed-off-by: Cory Bennett <[email protected]>

* add gateway.exec.extrahosts capability

Signed-off-by: Cory Bennett <[email protected]>

* cache: Fix flightcontrol use in computeBlobChain.

Previously, the flightcontrol group was being given a key just set to
the ref's ID, which meant that concurrent calls using different values
of compressionType, createIfNeeded and forceCompression would
incorrectly be de-duplicated.

The change here splits up the flightcontrol group into a few separate
calls and ensures that all the correct input variables are put into the
flightcontrol keys.

Signed-off-by: Erik Sipsma <[email protected]>
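To make the collision concrete, here is an added example (written for this page, not buildkit's flightcontrol package) in which a tiny single-flight group is keyed first by ref ID alone and then by ref ID plus compression type and force flag. Two overlapping requests for the same ref that differ only in compression type show the second caller receiving the first caller's gzip result under the ref-only key, and its own zstd result once every input is part of the key. The group type, the key format and the blob names are assumptions of the example.

```go
package main

import (
	"fmt"
	"runtime"
	"sync"
)

// group collapses concurrent calls that share a key onto one execution: a
// minimal stand-in written for this example, not buildkit's flightcontrol.
type group struct {
	mu    sync.Mutex
	calls map[string]*call
}

type call struct {
	done    chan struct{}
	val     string
	waiters int // callers that joined this in-flight call instead of running fn
}

func (g *group) do(key string, fn func() string) string {
	g.mu.Lock()
	if g.calls == nil {
		g.calls = map[string]*call{}
	}
	if c, ok := g.calls[key]; ok {
		c.waiters++
		g.mu.Unlock()
		<-c.done
		return c.val // a joiner gets whatever the first caller computed
	}
	c := &call{done: make(chan struct{})}
	g.calls[key] = c
	g.mu.Unlock()
	c.val = fn()
	close(c.done)
	g.mu.Lock()
	delete(g.calls, key)
	g.mu.Unlock()
	return c.val
}

// status reports whether key is in flight and how many callers have joined it.
func (g *group) status(key string) (inFlight bool, waiters int) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if c, ok := g.calls[key]; ok {
		return true, c.waiters
	}
	return false, 0
}

// blobKey builds the de-duplication key. refOnly=true is the ref-ID-only key
// the commit message describes; otherwise every input that changes the blob
// is part of the key (assumed format).
func blobKey(refID, compression string, force, refOnly bool) string {
	if refOnly {
		return refID
	}
	return fmt.Sprintf("%s/%s/force=%t", refID, compression, force)
}

// concurrentBlobRequests issues two overlapping requests for the same ref that
// differ only in compression type and returns what each caller received.
func concurrentBlobRequests(refOnly bool) (gzipGot, zstdGot string) {
	var g group
	gzipKey := blobKey("sha256:ref1", "gzip", false, refOnly)
	zstdKey := blobKey("sha256:ref1", "zstd", false, refOnly)
	release, gzipDone, zstdDone := make(chan struct{}), make(chan struct{}), make(chan struct{})
	go func() {
		gzipGot = g.do(gzipKey, func() string {
			<-release // stay in flight until the zstd request has been issued
			return "layer.tar.gz"
		})
		close(gzipDone)
	}()
	for ok, _ := g.status(gzipKey); !ok; ok, _ = g.status(gzipKey) {
		runtime.Gosched()
	}
	go func() {
		zstdGot = g.do(zstdKey, func() string { return "layer.tar.zst" })
		close(zstdDone)
	}()
	// Let the gzip call finish only once the zstd request has either completed
	// on its own (distinct key) or joined the gzip call (shared key).
	for {
		_, w := g.status(gzipKey)
		select {
		case <-zstdDone:
		default:
			if w == 0 {
				runtime.Gosched()
				continue
			}
		}
		break
	}
	close(release)
	<-gzipDone
	<-zstdDone
	return gzipGot, zstdGot
}

func main() {
	for _, refOnly := range []bool{true, false} {
		gz, zst := concurrentBlobRequests(refOnly)
		fmt.Printf("ref-only key=%-5t gzip caller got %q, zstd caller got %q\n", refOnly, gz, zst)
	}
}
```

The harness deliberately holds the first call in flight until the second has been issued, which is the interleaving that makes the wrong-result hand-off observable; the same reasoning applies to any keyed cache or de-duplication layer whose key omits an input that changes the output.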

* solver: include cachemap index in flightcontrol.

Signed-off-by: Erik Sipsma <[email protected]>

* pull: use resolvemode in flightcontrol key.

Signed-off-by: Erik Sipsma <[email protected]>

* util: remove outdated flightcontrol test assertion.

The test was making an assertion that is no longer expected to always be
true after moby#2195, which purposely made flightcontrol less deterministic.
This led to occasional failures.

Signed-off-by: Erik Sipsma <[email protected]>

* update go to 1.17

Signed-off-by: Tonis Tiigi <[email protected]>

* gomod: update to go1.17

Signed-off-by: Tonis Tiigi <[email protected]>

* Follow links in includedPaths to resolve incorrect caching when source path is behind symlink

As discussed in moby#2300, includedPaths does not resolve symlinks when
looking up the source path in the prefix tree. If the user requests a
path that involves symlinks (for example, /a/foo when a symlink /a -> /b
exists), includedPaths will not find it, and will expect nothing to be
copied. This does not match the actual copy behavior implemented in
fsutil, which will follow symlinks in prefix components of a given path,
so it can end up caching an empty result even though the copy will
produce a non-empty result, which is quite bad.

To fix this, use getFollowLinks to resolve the path before walking it.
In the wildcard case, this is done to the non-wildcard prefix of the
path (if any), which matches the behavior in fsutil.

Fixes the repro case here:
https://gist.github.com/aaronlehmann/64054c9a2cff0d27e200cc107bba3d69

Fixes moby#2300

Signed-off-by: Aaron Lehmann <[email protected]>
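As an added illustration of the lookup mismatch this commit message describes (example code written for this page, not buildkit's contenthash or fsutil implementation): the snapshot is modelled as a constructed in-memory tree keyed by root-relative path, and `includedPaths` is run both ways, once with the literal prefix lookup and once after resolving symlinks in the non-wildcard prefix. The literal lookup selects nothing and so hashes to the digest of zero bytes, while the resolved lookup selects the files the copy would actually read. The tree shape, the `node` type, the key format and the 255-hop bound on symlink resolution are assumptions of the example; the resolver also keeps absolute targets and `..` inside the tree, so a link can never select paths outside the snapshot.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"path"
	"sort"
	"strings"
)

// node is one entry of a constructed snapshot tree keyed by slash-separated
// root-relative path (an assumed shape for this example, not buildkit's type).
type node struct {
	link string // symlink target; a leading "/" is relative to the tree root
	data string // file contents; no link and no data means a directory
}

type tree map[string]node

func splitComponents(p string) []string {
	return strings.FieldsFunc(p, func(r rune) bool { return r == '/' })
}

// followLinks resolves symlinks in every component of p. Absolute targets restart
// at the tree root and ".." never climbs above it; missing components are kept.
func (t tree) followLinks(p string) (string, error) {
	var resolved []string
	pending, hops := splitComponents(p), 0
	for len(pending) > 0 {
		c := pending[0]
		pending = pending[1:]
		if c == ".." {
			if len(resolved) > 0 {
				resolved = resolved[:len(resolved)-1]
			}
			continue
		}
		n, ok := t[path.Join(strings.Join(resolved, "/"), c)]
		if !ok || n.link == "" {
			resolved = append(resolved, c)
			continue
		}
		if hops++; hops > 255 { // assumed bound: a symlink loop becomes an error
			return "", fmt.Errorf("too many symlinks while resolving %q", p)
		}
		if strings.HasPrefix(n.link, "/") {
			resolved = nil
		}
		pending = append(splitComponents(n.link), pending...)
	}
	return strings.Join(resolved, "/"), nil
}

// includedPaths returns, sorted, the tree paths a copy of pattern would read.
// followLinks=false is the literal lookup that produced the empty cache key;
// followLinks=true first resolves the non-wildcard prefix, as the copy does.
func (t tree) includedPaths(pattern string, followLinks bool) ([]string, error) {
	prefix, rest := strings.Trim(pattern, "/"), ""
	if i := strings.IndexAny(prefix, "*?["); i >= 0 {
		cut := strings.LastIndex(prefix[:i], "/") + 1 // start of the first wildcard component
		prefix, rest = strings.Trim(prefix[:cut], "/"), prefix[cut:]
	}
	if followLinks {
		var err error
		if prefix, err = t.followLinks(prefix); err != nil {
			return nil, err
		}
	}
	full := path.Join(prefix, rest)
	var out []string
	for p := range t {
		ok, _ := path.Match(full, p) // a malformed pattern simply matches nothing
		// Without a wildcard, everything below the source path is copied too.
		if ok || (rest == "" && strings.HasPrefix(p, full+"/")) {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out, nil
}

// cacheKey digests the selected paths with link targets and contents; an empty
// selection gives the SHA-256 of zero bytes, the value the issue observed.
func (t tree) cacheKey(paths []string) string {
	h := sha256.New()
	for _, p := range paths {
		fmt.Fprintf(h, "%s\x00%s\x00%s\x00", p, t[p].link, t[p].data)
	}
	return fmt.Sprintf("%x", h.Sum(nil))
}

func main() {
	// Constructed snapshot for the "/a/foo with /a -> /b" case: the files live under /b.
	t := tree{"a": {link: "/b"}, "b": {}, "b/foo": {data: "hello\n"}, "b/bar": {data: "world\n"}}
	for _, follow := range []bool{false, true} {
		paths, err := t.includedPaths("a/*", follow)
		if err != nil {
			panic(err)
		}
		fmt.Printf("follow=%-5t paths=%v key=%.12s\n", follow, paths, t.cacheKey(paths))
	}
}
```

Running it prints an empty selection with the `e3b0c442...` digest for the literal lookup and `[b/bar b/foo]` with a different digest once the prefix is resolved; the defensive point is that the key must be computed over the same set of files the copy will touch, otherwise a cached empty result is served to later builds.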

* cmd/buildkitd: replace BurntSushi/toml with pelletier/go-toml

The BurntSushi/toml project has been deprecated, and the ecosystem
is converging on using pelletier/go-toml as the "canonical" replacement.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* control: fix 64bit alignment for buildcount

Signed-off-by: Tonis Tiigi <[email protected]>

* Use fixed fileutils matching functions

This is important for two reasons:

1) Keeps caching logic consistent with recent fsutil changes to use
   these functions (also vendored here).

2) Allows us to move forward with removal of the original buggy Matches
   implementation in moby/moby.

Signed-off-by: Aaron Lehmann <[email protected]>

* Add `estargz` compression type

Signed-off-by: Kohei Tokunaga <[email protected]>

* Refactor cache metadata interface.

There are a few goals with this refactor:
1. Remove external access to fields that no longer make sense and/or
   won't make sense soon due to other potential changes. For example,
   there can now be multiple blobs associated with a ref (for different
   compression types), so the fact that you could access the "Blob"
   field from the Info method on Ref incorrectly implied there was just
   a single blob for the ref. This is on top of the fact that there is
   no need for external access to blob digests.
2. Centralize use of cache metadata inside the cache package.
   Previously, many parts of the code outside the cache package could
   obtain the bolt storage item for any ref and read/write it directly.
   This made it hard to understand what fields are used and when. Now,
   the Metadata method has been removed from the Ref interface and
   replaced with getters+setters for metadata fields we want to expose
   outside the package, which makes it much easier to track and
   understand. Similar changes have been made to the metadata search
   interface.
3. Use a consistent getter+setter interface for metadata, replacing
   the mix of interfaces like Metadata(), Size(), Info() and other
   inconsistencies.

Signed-off-by: Erik Sipsma <[email protected]>

* Use containerd/pkg/seccomp.IsEnabled()

This replaces the local SeccompSupported() utility for the implementation
in containerd, which performs the same check.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* Compute diff from the upper dir of overlayfs-based snapshotter

Signed-off-by: Kohei Tokunaga <[email protected]>

* go.mod: github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6

full diff: moby/term@bea5bbe...3f7ff69

updates Azure/go-ansiterm to fix integer overflow on arm

Signed-off-by: Sebastiaan van Stijn <[email protected]>

* go.mod: split the indirect packages

After go1.17, all indirect packages are listed in the go.mod file.

In addition, has been introduced the ability to list indirect packages separately.
Split the indirect packages to make the dependency packages clearer.

Signed-off-by: Koichi Shiraishi <[email protected]>

* exporter: support creating blobs with zstd compression

Signed-off-by: Tonis Tiigi <[email protected]>

* update getremote test for zstd

Estargz support has been removed from this test as
implementation does not guarantee digest stability
and only reason it passed were the exceptions in the
test via variant map that ignored cases where timing
resulted the digest to go wrong. This needs to be
addressed in the follow up if we want to keep estargz
support.

Signed-off-by: Tonis Tiigi <[email protected]>

* Add test case for symlink which is not final path component before wildcard

Signed-off-by: Aaron Lehmann <[email protected]>

* hack: allow mounting in workdir in shell

Signed-off-by: Tonis Tiigi <[email protected]>

* Handle the case of multiple path component symlinks (including last component) in wildcard prefix

Signed-off-by: Aaron Lehmann <[email protected]>

* Use getFollowLinksWalked

Signed-off-by: Aaron Lehmann <[email protected]>

* bklog: only log tracing ids when span exporter not nil

Signed-off-by: Morlay <[email protected]>

* Refactor url redacting util

Signed-off-by: CrazyMax <[email protected]>

* Clean up old TODOs

Signed-off-by: Tonis Tiigi <[email protected]>

* Move config parsing to a dedicated pkg

Signed-off-by: CrazyMax <[email protected]>

* Generate and embed build sources

Signed-off-by: CrazyMax <[email protected]>

* resolver: use different mutex for handlers and hosts

hosts mutex is called on initialization, meaning `GetResolver` might
block if it is in the middle of auth exchange. This is currently bad
in the case where Job initialization needs to register a name before
timeout is reached.

Signed-off-by: Tonis Tiigi <[email protected]>

* resolver: make sure authorizer is not overwritten on other resolvers

Authorizer stores the current session.Group so if it is
overwritten for another resolver it means that session might
have been dropped and authentication will fail.

Signed-off-by: Tonis Tiigi <[email protected]>

* solver: increase timeout for job registration

Signed-off-by: Tonis Tiigi <[email protected]>

* go.mod: sort and move self-managed indirect dependencies to first block

Signed-off-by: Koichi Shiraishi <[email protected]>

* Fix issues moby#1980 and moby#2198

Signed-off-by: Jonathan Giannuzzi <[email protected]>

* Add BUILDKIT_SANDBOX_HOSTNAME build-arg

Signed-off-by: CrazyMax <[email protected]>

* Fix estargz compression losing the original tar metadata

Currently, eStargz compression doesn't preserve the original tar metadata
(header bytes and their order). This causes failure of `TestGetRemote` because
an uncompressed blob converted from a gzip blob yields a different digest
from the one converted from an eStargz blob, even if their original tars (computed
by the differ) are the same.
This commit solves this issue by fixing eStargz to preserve the original tar's
metadata that is modified by eStargz.

Signed-off-by: Kohei Tokunaga <[email protected]>

* Enhance ANSI color for progress ui

Signed-off-by: CrazyMax <[email protected]>

* Move resolver config to a dedicated package

Signed-off-by: CrazyMax <[email protected]>

* Standard user umask for git process

Signed-off-by: CrazyMax <[email protected]>

* make sure ci runs on version branches

Signed-off-by: Tonis Tiigi <[email protected]>

* return an error instead of panicking when failing to get edge

Signed-off-by: Maxime Lagresle <[email protected]>

* Add support for shm size

Signed-off-by: CrazyMax <[email protected]>

* don't cast Value when pipe is errored

Signed-off-by: Maxime Lagresle <[email protected]>

* Apply Earthly changes to newer buildkit version

This commit squashes previous work done in the earthly-main branch
199ad6a into a single commit,
which is rebased against the moby/master branch d429b0b.

Co-authored-by: Tõnis Tiigi <[email protected]>
Co-authored-by: Akihiro Suda <[email protected]>
Co-authored-by: Akihiro Suda <[email protected]>
Co-authored-by: Aaron Lehmann <[email protected]>
Co-authored-by: Cory Bennett <[email protected]>
Co-authored-by: Justin Chadwell <[email protected]>
Co-authored-by: Erik Sipsma <[email protected]>
Co-authored-by: CrazyMax <[email protected]>
Co-authored-by: Levi Harrison <[email protected]>
Co-authored-by: ktock <[email protected]>
Co-authored-by: masibw <[email protected]>
Co-authored-by: Morlay <[email protected]>
Co-authored-by: CrazyMax <[email protected]>
Co-authored-by: Claudiu Belu <[email protected]>
Co-authored-by: Sebastiaan van Stijn <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Sebastiaan van Stijn <[email protected]>
Co-authored-by: Anders F Björklund <[email protected]>
Co-authored-by: CrazyMax <[email protected]>
Co-authored-by: Koichi Shiraishi <[email protected]>
Co-authored-by: Jonathan Giannuzzi <[email protected]>
Co-authored-by: Maxime Lagresle <[email protected]>