diff --git a/vendor.conf b/vendor.conf
index 7d60b86871..12419d3b79 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -33,7 +33,7 @@ github.com/imdario/mergo 1afb36080aec31e0d1528973ebe6
 golang.org/x/sync cd5d95a43a6e21273425c7ae415d3df9ea832eeb
 # buildkit
-github.com/moby/buildkit 3a1eeca59a9263613d996ead67d53a4b7d45723d # v0.8.3-29-g3a1eeca5
+github.com/moby/buildkit c014937225cba29cfb1d5161fd134316c0e9bdaa # v0.8.3-31-gc0149372
 github.com/tonistiigi/fsutil 0834f99b7b85462efb69b4f571a4fa3ca7da5ac9
 github.com/tonistiigi/units 6950e57a87eaf136bbe44ef2ec8e75b9e3569de2
 github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746
diff --git a/vendor/github.com/moby/buildkit/source/git/gitsource.go b/vendor/github.com/moby/buildkit/source/git/gitsource.go
index 3d1bfe21f4..9245008aa8 100644
--- a/vendor/github.com/moby/buildkit/source/git/gitsource.go
+++ b/vendor/github.com/moby/buildkit/source/git/gitsource.go
@@ -129,7 +129,11 @@ func (gs *gitSource) mountRemote(ctx context.Context, remote string, auth []stri
 }()
 if initializeRepo {
- if _, err := gitWithinDir(ctx, dir, "", "", "", auth, "init", "--bare"); err != nil {
+ // Explicitly set the Git config 'init.defaultBranch' to the
+ // implied default to suppress "hint:" output about not having a
+ // default initial branch name set which otherwise spams unit
+ // test logs.
+ if _, err := gitWithinDir(ctx, dir, "", "", "", auth, "-c", "init.defaultBranch=master", "init", "--bare"); err != nil {
 return "", nil, errors.Wrapf(err, "failed to init repo at %s", dir)
 }
@@ -485,11 +489,14 @@ func (gs *gitSourceHandler) Snapshot(ctx context.Context, g session.Group) (out
 if err := os.MkdirAll(checkoutDir, 0711); err != nil {
 return nil, err
 }
-_, err = gitWithinDir(ctx, checkoutDirGit, "", sock, knownHosts, nil, "init")
+ _, err = gitWithinDir(ctx, checkoutDirGit, "", sock, knownHosts, nil, "-c", "init.defaultBranch=master", "init")
 if err != nil {
 return nil, err
 }
-_, err = gitWithinDir(ctx, checkoutDirGit, "", sock, knownHosts, nil, "remote", "add", "origin", gitDir)
+ // Defense-in-depth: clone using the file protocol to disable local-clone
+ // optimizations which can be abused on some versions of Git to copy unintended
+ // host files into the build context.
+ _, err = gitWithinDir(ctx, checkoutDirGit, "", sock, knownHosts, nil, "remote", "add", "origin", "file://"+gitDir)
 if err != nil {
 return nil, err
 }
@@ -591,6 +598,7 @@ func git(ctx context.Context, dir, sshAuthSock, knownHosts string, args ...strin
 stdout, stderr := logs.NewLogStreams(ctx, false)
 defer stdout.Close()
 defer stderr.Close()
+ args = append([]string{"-c", "protocol.file.allow=user"}, args...) // Block sneaky repositories from using repos from the filesystem as submodules.
 cmd := exec.Command("git", args...)
 cmd.Dir = dir // some commands like submodule require this
 buf := bytes.NewBuffer(nil)
@@ -603,6 +611,8 @@ func git(ctx context.Context, dir, sshAuthSock, knownHosts string, args ...strin
 "GIT_TERMINAL_PROMPT=0",
 "GIT_SSH_COMMAND=" + getGitSSHCommand(knownHosts),
 // "GIT_TRACE=1",
+ "GIT_CONFIG_NOSYSTEM=1", // Disable reading from system gitconfig.
+ "HOME=/dev/null", // Disable reading from user gitconfig.
 }
 if sshAuthSock != "" {
 cmd.Env = append(cmd.Env, "SSH_AUTH_SOCK="+sshAuthSock)
diff --git a/vendor/github.com/moby/buildkit/util/contentutil/buffer.go b/vendor/github.com/moby/buildkit/util/contentutil/buffer.go
index ac8c8baff3..834bdf487b 100644
--- a/vendor/github.com/moby/buildkit/util/contentutil/buffer.go
+++ b/vendor/github.com/moby/buildkit/util/contentutil/buffer.go
@@ -4,6 +4,7 @@ import (
 "bytes"
 "context"
 "io/ioutil"
+ "strings"
 "sync"
 "time"
@@ -18,12 +19,14 @@ import (
 type Buffer interface {
 content.Provider
 content.Ingester
+ content.Manager
 }
 // NewBuffer returns a new buffer
 func NewBuffer() Buffer {
 return &buffer{
 buffers: map[digest.Digest][]byte{},
+ infos: map[digest.Digest]content.Info{},
 refs: map[string]struct{}{},
 }
 }
@@ -31,9 +34,59 @@ func NewBuffer() Buffer {
 type buffer struct {
 mu sync.Mutex
 buffers map[digest.Digest][]byte
+ infos map[digest.Digest]content.Info
 refs map[string]struct{}
 }
+func (b *buffer) Info(ctx context.Context, dgst digest.Digest) (content.Info, error) {
+ b.mu.Lock()
+ v, ok := b.infos[dgst]
+ b.mu.Unlock()
+ if !ok {
+ return content.Info{}, errdefs.ErrNotFound
+ }
+ return v, nil
+}
+
+func (b *buffer) Update(ctx context.Context, new content.Info, fieldpaths ...string) (content.Info, error) {
+ b.mu.Lock()
+ defer b.mu.Unlock()
+
+ updated, ok := b.infos[new.Digest]
+ if !ok {
+ return content.Info{}, errdefs.ErrNotFound
+ }
+
+ if len(fieldpaths) == 0 {
+ fieldpaths = []string{"labels"}
+ }
+
+ for _, path := range fieldpaths {
+ if strings.HasPrefix(path, "labels.") {
+ if updated.Labels == nil {
+ updated.Labels = map[string]string{}
+ }
+ key := strings.TrimPrefix(path, "labels.")
+ updated.Labels[key] = new.Labels[key]
+ continue
+ }
+ if path == "labels" {
+ updated.Labels = new.Labels
+ }
+ }
+
+ b.infos[new.Digest] = updated
+ return updated, nil
+}
+
+func (b *buffer) Walk(ctx context.Context, fn content.WalkFunc, filters ...string) error {
+ return nil // not implemented
+}
+
+func (b *buffer) Delete(ctx context.Context, dgst digest.Digest) error {
+ return nil // not implemented
+}
+
 func (b *buffer) Writer(ctx context.Context, opts ...content.WriterOpt) (content.Writer, error) {
 var wOpts content.WriterOpts
 for _, opt := range opts {
@@ -82,6 +135,7 @@ func (b *buffer) addValue(k digest.Digest, dt []byte) {
 b.mu.Lock()
 defer b.mu.Unlock()
 b.buffers[k] = dt
+ b.infos[k] = content.Info{Digest: k, Size: int64(len(dt))}
 }
 type bufferedWriter struct {
diff --git a/vendor/github.com/moby/buildkit/util/contentutil/source.go b/vendor/github.com/moby/buildkit/util/contentutil/source.go
new file mode 100644
index 0000000000..b544ed0aa3
--- /dev/null
+++ b/vendor/github.com/moby/buildkit/util/contentutil/source.go
@@ -0,0 +1,34 @@
+package contentutil
+
+import (
+ "net/url"
+ "strings"
+
+ "github.com/containerd/containerd/content"
+ "github.com/containerd/containerd/reference"
+)
+
+func HasSource(info content.Info, refspec reference.Spec) (bool, error) {
+ u, err := url.Parse("dummy://" + refspec.Locator)
+ if err != nil {
+ return false, err
+ }
+
+ if info.Labels == nil {
+ return false, nil
+ }
+
+ source, target := u.Hostname(), strings.TrimPrefix(u.Path, "/")
+ repoLabel, ok := info.Labels["containerd.io/distribution.source."+source]
+ if !ok || repoLabel == "" {
+ return false, nil
+ }
+
+ for _, repo := range strings.Split(repoLabel, ",") {
+ // the target repo is not a candidate
+ if repo == target {
+ return true, nil
+ }
+ }
+ return false, nil
+}
diff --git a/vendor/github.com/moby/buildkit/util/imageutil/config.go b/vendor/github.com/moby/buildkit/util/imageutil/config.go
index a93c8ccd6b..00b57ff4fa 100644
--- a/vendor/github.com/moby/buildkit/util/imageutil/config.go
+++ b/vendor/github.com/moby/buildkit/util/imageutil/config.go
@@ -13,6 +13,7 @@ import (
 "github.com/containerd/containerd/reference"
 "github.com/containerd/containerd/remotes"
 "github.com/containerd/containerd/remotes/docker"
+ "github.com/moby/buildkit/util/contentutil"
 "github.com/moby/buildkit/util/leaseutil"
 "github.com/moby/buildkit/util/resolver/retryhandler"
 digest "github.com/opencontainers/go-digest"
@@ -23,6 +24,7 @@ import (
 type ContentCache interface {
 content.Ingester
 content.Provider
+ content.Manager
 }
 var leasesMu sync.Mutex
@@ -74,10 +76,15 @@ func Config(ctx context.Context, str string, resolver remotes.Resolver, cache Co
 if desc.Digest != "" {
 ra, err := cache.ReaderAt(ctx, desc)
 if err == nil {
- desc.Size = ra.Size()
- mt, err := DetectManifestMediaType(ra)
+ info, err := cache.Info(ctx, desc.Digest)
 if err == nil {
- desc.MediaType = mt
+ if ok, err := contentutil.HasSource(info, ref); err == nil && ok {
+ desc.Size = ra.Size()
+ mt, err := DetectManifestMediaType(ra)
+ if err == nil {
+ desc.MediaType = mt
+ }
+ }
 }
 }
 }
@@ -100,8 +107,14 @@ func Config(ctx context.Context, str string, resolver remotes.Resolver, cache Co
 children := childrenConfigHandler(cache, platform)
+ dslHandler, err := docker.AppendDistributionSourceLabel(cache, ref.String())
+ if err != nil {
+ return "", nil, err
+ }
+
 handlers := []images.Handler{
 retryhandler.New(remotes.FetchHandler(cache, fetcher), func(_ []byte) {}),
+ dslHandler,
 children,
 }
 if err := images.Dispatch(ctx, images.Handlers(handlers...), nil, desc); err != nil {