Merge pull request #37620 from tonistiigi/buildkit-net-modes

buildkit: enable net modes and bridge

builder/builder-next/builder.go

@@ -3,6 +3,7 @@ package buildkit
 import (
 	"context"
 	"io"
+	"net"
 	"strings"
 	"sync"
 	"time"
@@ -15,21 +16,29 @@ import (
 	"github.com/docker/docker/daemon/images"
 	"github.com/docker/docker/pkg/streamformatter"
 	"github.com/docker/docker/pkg/system"
+	"github.com/docker/libnetwork"
 	controlapi "github.com/moby/buildkit/api/services/control"
 	"github.com/moby/buildkit/control"
 	"github.com/moby/buildkit/identity"
 	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/solver/llbsolver"
+	"github.com/moby/buildkit/util/entitlements"
 	"github.com/moby/buildkit/util/tracing"
 	"github.com/pkg/errors"
 	"golang.org/x/sync/errgroup"
 	grpcmetadata "google.golang.org/grpc/metadata"
 )
 
+func init() {
+	llbsolver.AllowNetworkHostUnstable = true
+}
+
 // Opt is option struct required for creating the builder
 type Opt struct {
-	SessionManager *session.Manager
-	Root           string
-	Dist           images.DistributionServices
+	SessionManager    *session.Manager
+	Root              string
+	Dist              images.DistributionServices
+	NetworkController libnetwork.NetworkController
 }
 
 // Builder can build using BuildKit backend
@@ -228,6 +237,20 @@ func (b *Builder) Build(ctx context.Context, opt backend.BuildConfig) (*builder.
 		frontendAttrs["platform"] = opt.Options.Platform
 	}
 
+	switch opt.Options.NetworkMode {
+	case "host", "none":
+		frontendAttrs["force-network-mode"] = opt.Options.NetworkMode
+	case "", "default":
+	default:
+		return nil, errors.Errorf("network mode %q not supported by buildkit", opt.Options.NetworkMode)
+	}
+
+	extraHosts, err := toBuildkitExtraHosts(opt.Options.ExtraHosts)
+	if err != nil {
+		return nil, err
+	}
+	frontendAttrs["add-hosts"] = extraHosts
+
 	exporterAttrs := map[string]string{}
 
 	if len(opt.Options.Tags) > 0 {
@@ -243,6 +266,10 @@ func (b *Builder) Build(ctx context.Context, opt backend.BuildConfig) (*builder.
 		Session:       opt.Options.SessionID,
 	}
 
+	if opt.Options.NetworkMode == "host" {
+		req.Entitlements = append(req.Entitlements, entitlements.EntitlementNetworkHost)
+	}
+
 	aux := streamformatter.AuxFormatter{Writer: opt.ProgressWriter.Output}
 
 	eg, ctx := errgroup.WithContext(ctx)
@@ -424,3 +451,19 @@ func (j *buildJob) SetUpload(ctx context.Context, rc io.ReadCloser) error {
 		return fn(rc)
 	}
 }
+
+// toBuildkitExtraHosts converts hosts from docker key:value format to buildkit's csv format
+func toBuildkitExtraHosts(inp []string) (string, error) {
+	if len(inp) == 0 {
+		return "", nil
+	}
+	hosts := make([]string, 0, len(inp))
+	for _, h := range inp {
+		parts := strings.Split(h, ":")
+		if len(parts) != 2 || parts[0] == "" || net.ParseIP(parts[1]) == nil {
+			return "", errors.Errorf("invalid host %s", h)
+		}
+		hosts = append(hosts, parts[0]+"="+parts[1])
+	}
+	return strings.Join(hosts, ","), nil
+}

builder/builder-next/controller.go

@@ -90,7 +90,7 @@ func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {
 		return nil, err
 	}
 
-	exec, err := newExecutor(root)
+	exec, err := newExecutor(root, opt.NetworkController)
 	if err != nil {
 		return nil, err
 	}

builder/builder-next/executor_unix.go

@@ -3,15 +3,113 @@
 package buildkit
 
 import (
+	"fmt"
 	"path/filepath"
+	"sync"
 
+	"github.com/docker/libnetwork"
 	"github.com/moby/buildkit/executor"
 	"github.com/moby/buildkit/executor/runcexecutor"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/util/network"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
-func newExecutor(root string) (executor.Executor, error) {
+const networkName = "bridge"
+
+func init() {
+	// FIXME: https://github.com/moby/moby/issues/37676
+	runcexecutor.DisableSubReaper()
+}
+
+func newExecutor(root string, net libnetwork.NetworkController) (executor.Executor, error) {
 	return runcexecutor.New(runcexecutor.Opt{
 		Root:              filepath.Join(root, "executor"),
 		CommandCandidates: []string{"docker-runc", "runc"},
+	}, &bridgeProvider{NetworkController: net})
+}
+
+type bridgeProvider struct {
+	libnetwork.NetworkController
+}
+
+func (p *bridgeProvider) NewInterface() (network.Interface, error) {
+	n, err := p.NetworkByName(networkName)
+	if err != nil {
+		return nil, err
+	}
+
+	iface := &lnInterface{ready: make(chan struct{})}
+	iface.Once.Do(func() {
+		go iface.init(p.NetworkController, n)
 	})
+
+	return iface, nil
+}
+
+func (p *bridgeProvider) Release(iface network.Interface) error {
+	go func() {
+		if err := p.release(iface); err != nil {
+			logrus.Errorf("%s", err)
+		}
+	}()
+	return nil
+}
+
+func (p *bridgeProvider) release(iface network.Interface) error {
+	li, ok := iface.(*lnInterface)
+	if !ok {
+		return errors.Errorf("invalid interface %T", iface)
+	}
+	err := li.sbx.Delete()
+	if err1 := li.ep.Delete(true); err1 != nil && err == nil {
+		err = err1
+	}
+	return err
+}
+
+type lnInterface struct {
+	ep  libnetwork.Endpoint
+	sbx libnetwork.Sandbox
+	sync.Once
+	err   error
+	ready chan struct{}
+}
+
+func (iface *lnInterface) init(c libnetwork.NetworkController, n libnetwork.Network) {
+	defer close(iface.ready)
+	id := identity.NewID()
+
+	ep, err := n.CreateEndpoint(id)
+	if err != nil {
+		iface.err = err
+		return
+	}
+
+	sbx, err := c.NewSandbox(id)
+	if err != nil {
+		iface.err = err
+		return
+	}
+
+	if err := ep.Join(sbx); err != nil {
+		iface.err = err
+		return
+	}
+
+	iface.sbx = sbx
+	iface.ep = ep
+}
+
+func (iface *lnInterface) Set(pid int) error {
+	<-iface.ready
+	if iface.err != nil {
+		return iface.err
+	}
+	return iface.sbx.SetKey(fmt.Sprintf("/proc/%d/ns/net", pid))
+}
+
+func (iface *lnInterface) Remove(pid int) error {
+	return nil
 }

builder/builder-next/executor_windows.go

@@ -5,11 +5,12 @@ import (
 	"errors"
 	"io"
 
+	"github.com/docker/libnetwork"
 	"github.com/moby/buildkit/cache"
 	"github.com/moby/buildkit/executor"
 )
 
-func newExecutor(_ string) (executor.Executor, error) {
+func newExecutor(_ string, _ libnetwork.NetworkController) (executor.Executor, error) {
 	return &winExecutor{}, nil
 }
 

cmd/dockerd/daemon.go

@@ -286,9 +286,10 @@ func newRouterOptions(config *config.Config, daemon *daemon.Daemon) (routerOptio
 		return opts, err
 	}
 	bk, err := buildkit.New(buildkit.Opt{
-		SessionManager: sm,
-		Root:           filepath.Join(config.Root, "buildkit"),
-		Dist:           daemon.DistributionServices(),
+		SessionManager:    sm,
+		Root:              filepath.Join(config.Root, "buildkit"),
+		Dist:              daemon.DistributionServices(),
+		NetworkController: daemon.NetworkController(),
 	})
 	if err != nil {
 		return opts, err

daemon/network.go

@@ -49,6 +49,11 @@ func (daemon *Daemon) NetworkControllerEnabled() bool {
 	return daemon.netController != nil
 }
 
+// NetworkController returns the network controller created by the daemon.
+func (daemon *Daemon) NetworkController() libnetwork.NetworkController {
+	return daemon.netController
+}
+
 // FindNetwork returns a network based on:
 // 1. Full ID
 // 2. Full Name

vendor.conf

@@ -26,7 +26,7 @@ github.com/imdario/mergo v0.3.6
 golang.org/x/sync 1d60e4601c6fd243af51cc01ddf169918a5407ca
 
 # buildkit
-github.com/moby/buildkit e57eed420c7573ae44875be98fa877175b4677a1
+github.com/moby/buildkit 46f9075ab68a07df2c40ae6e240ce4f9392b3a66 git://github.com/tiborvass/buildkit.git
 github.com/tonistiigi/fsutil b19464cd1b6a00773b4f2eb7acf9c30426f9df42
 github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746
 github.com/opentracing/opentracing-go 1361b9cd60be79c4c3a7fa9841b3c132e40066a7

vendor/github.com/moby/buildkit/api/services/control/control.pb.go

@@ -35,6 +35,7 @@ import pb "github.com/moby/buildkit/solver/pb"
 import moby_buildkit_v1_types "github.com/moby/buildkit/api/types"
 
 import time "time"
+import github_com_moby_buildkit_util_entitlements "github.com/moby/buildkit/util/entitlements"
 import github_com_opencontainers_go_digest "github.com/opencontainers/go-digest"
 
 import context "golang.org/x/net/context"
@@ -57,8 +58,10 @@ var _ = time.Kitchen
 const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
 
 type PruneRequest struct {
-	Filter []string `protobuf:"bytes,1,rep,name=filter" json:"filter,omitempty"`
-	All    bool     `protobuf:"varint,2,opt,name=all,proto3" json:"all,omitempty"`
+	Filter       []string `protobuf:"bytes,1,rep,name=filter" json:"filter,omitempty"`
+	All          bool     `protobuf:"varint,2,opt,name=all,proto3" json:"all,omitempty"`
+	KeepDuration int64    `protobuf:"varint,3,opt,name=keepDuration,proto3" json:"keepDuration,omitempty"`
+	KeepBytes    int64    `protobuf:"varint,4,opt,name=keepBytes,proto3" json:"keepBytes,omitempty"`
 }
 
 func (m *PruneRequest) Reset()                    { *m = PruneRequest{} }
@@ -80,6 +83,20 @@ func (m *PruneRequest) GetAll() bool {
 	return false
 }
 
+func (m *PruneRequest) GetKeepDuration() int64 {
+	if m != nil {
+		return m.KeepDuration
+	}
+	return 0
+}
+
+func (m *PruneRequest) GetKeepBytes() int64 {
+	if m != nil {
+		return m.KeepBytes
+	}
+	return 0
+}
+
 type DiskUsageRequest struct {
 	Filter []string `protobuf:"bytes,1,rep,name=filter" json:"filter,omitempty"`
 }
@@ -209,14 +226,15 @@ func (m *UsageRecord) GetShared() bool {
 }
 
 type SolveRequest struct {
-	Ref           string            `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
-	Definition    *pb.Definition    `protobuf:"bytes,2,opt,name=Definition" json:"Definition,omitempty"`
-	Exporter      string            `protobuf:"bytes,3,opt,name=Exporter,proto3" json:"Exporter,omitempty"`
-	ExporterAttrs map[string]string `protobuf:"bytes,4,rep,name=ExporterAttrs" json:"ExporterAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	Session       string            `protobuf:"bytes,5,opt,name=Session,proto3" json:"Session,omitempty"`
-	Frontend      string            `protobuf:"bytes,6,opt,name=Frontend,proto3" json:"Frontend,omitempty"`
-	FrontendAttrs map[string]string `protobuf:"bytes,7,rep,name=FrontendAttrs" json:"FrontendAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	Cache         CacheOptions      `protobuf:"bytes,8,opt,name=Cache" json:"Cache"`
+	Ref           string                                                   `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
+	Definition    *pb.Definition                                           `protobuf:"bytes,2,opt,name=Definition" json:"Definition,omitempty"`
+	Exporter      string                                                   `protobuf:"bytes,3,opt,name=Exporter,proto3" json:"Exporter,omitempty"`
+	ExporterAttrs map[string]string                                        `protobuf:"bytes,4,rep,name=ExporterAttrs" json:"ExporterAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Session       string                                                   `protobuf:"bytes,5,opt,name=Session,proto3" json:"Session,omitempty"`
+	Frontend      string                                                   `protobuf:"bytes,6,opt,name=Frontend,proto3" json:"Frontend,omitempty"`
+	FrontendAttrs map[string]string                                        `protobuf:"bytes,7,rep,name=FrontendAttrs" json:"FrontendAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Cache         CacheOptions                                             `protobuf:"bytes,8,opt,name=Cache" json:"Cache"`
+	Entitlements  []github_com_moby_buildkit_util_entitlements.Entitlement `protobuf:"bytes,9,rep,name=Entitlements,customtype=github.com/moby/buildkit/util/entitlements.Entitlement" json:"Entitlements,omitempty"`
 }
 
 func (m *SolveRequest) Reset()                    { *m = SolveRequest{} }
@@ -955,6 +973,16 @@ func (m *PruneRequest) MarshalTo(dAtA []byte) (int, error) {
 		}
 		i++
 	}
+	if m.KeepDuration != 0 {
+		dAtA[i] = 0x18
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(m.KeepDuration))
+	}
+	if m.KeepBytes != 0 {
+		dAtA[i] = 0x20
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(m.KeepBytes))
+	}
 	return i, nil
 }
 
@@ -1212,6 +1240,21 @@ func (m *SolveRequest) MarshalTo(dAtA []byte) (int, error) {
 		return 0, err
 	}
 	i += n4
+	if len(m.Entitlements) > 0 {
+		for _, s := range m.Entitlements {
+			dAtA[i] = 0x4a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
 	return i, nil
 }
 
@@ -1690,6 +1733,12 @@ func (m *PruneRequest) Size() (n int) {
 	if m.All {
 		n += 2
 	}
+	if m.KeepDuration != 0 {
+		n += 1 + sovControl(uint64(m.KeepDuration))
+	}
+	if m.KeepBytes != 0 {
+		n += 1 + sovControl(uint64(m.KeepBytes))
+	}
 	return n
 }
 
@@ -1801,6 +1850,12 @@ func (m *SolveRequest) Size() (n int) {
 	}
 	l = m.Cache.Size()
 	n += 1 + l + sovControl(uint64(l))
+	if len(m.Entitlements) > 0 {
+		for _, s := range m.Entitlements {
+			l = len(s)
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -2089,6 +2144,44 @@ func (m *PruneRequest) Unmarshal(dAtA []byte) error {
 				}
 			}
 			m.All = bool(v != 0)
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field KeepDuration", wireType)
+			}
+			m.KeepDuration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.KeepDuration |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field KeepBytes", wireType)
+			}
+			m.KeepBytes = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.KeepBytes |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
 		default:
 			iNdEx = preIndex
 			skippy, err := skipControl(dAtA[iNdEx:])
@@ -3041,6 +3134,35 @@ func (m *SolveRequest) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Entitlements", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Entitlements = append(m.Entitlements, github_com_moby_buildkit_util_entitlements.Entitlement(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipControl(dAtA[iNdEx:])
@@ -4709,81 +4831,85 @@ var (
 func init() { proto.RegisterFile("control.proto", fileDescriptorControl) }
 
 var fileDescriptorControl = []byte{
-	// 1206 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x56, 0x4f, 0x6f, 0x1b, 0x45,
-	0x14, 0x67, 0x6d, 0xc7, 0x7f, 0x9e, 0x9d, 0x2a, 0x0c, 0x50, 0xad, 0x16, 0x48, 0xcc, 0x02, 0x92,
-	0x55, 0xb5, 0xbb, 0x6d, 0xa0, 0x52, 0x15, 0xa1, 0xaa, 0x75, 0x5c, 0x44, 0xaa, 0x44, 0x94, 0x75,
-	0x42, 0x25, 0x6e, 0x6b, 0x7b, 0xe2, 0xac, 0xb2, 0xde, 0x59, 0x66, 0x66, 0x43, 0xcd, 0xa7, 0xe0,
-	0xc0, 0x37, 0xe1, 0xc0, 0x27, 0x40, 0xea, 0x91, 0x33, 0x87, 0x14, 0xe5, 0x0e, 0x77, 0x6e, 0x68,
-	0xfe, 0xac, 0x3d, 0x8e, 0x9d, 0x38, 0x49, 0x4f, 0x99, 0x37, 0xf9, 0xbd, 0x9f, 0xdf, 0x7b, 0xbf,
-	0xb7, 0xf3, 0x1e, 0xac, 0xf6, 0x49, 0xc2, 0x29, 0x89, 0xbd, 0x94, 0x12, 0x4e, 0xd0, 0xda, 0x88,
-	0xf4, 0xc6, 0x5e, 0x2f, 0x8b, 0xe2, 0xc1, 0x71, 0xc4, 0xbd, 0x93, 0x07, 0xce, 0xbd, 0x61, 0xc4,
-	0x8f, 0xb2, 0x9e, 0xd7, 0x27, 0x23, 0x7f, 0x48, 0x86, 0xc4, 0x97, 0xc0, 0x5e, 0x76, 0x28, 0x2d,
-	0x69, 0xc8, 0x93, 0x22, 0x70, 0x36, 0x86, 0x84, 0x0c, 0x63, 0x3c, 0x45, 0xf1, 0x68, 0x84, 0x19,
-	0x0f, 0x47, 0xa9, 0x06, 0xdc, 0x35, 0xf8, 0xc4, 0x8f, 0xf9, 0xf9, 0x8f, 0xf9, 0x8c, 0xc4, 0x27,
-	0x98, 0xfa, 0x69, 0xcf, 0x27, 0x29, 0xd3, 0x68, 0xff, 0x42, 0x74, 0x98, 0x46, 0x3e, 0x1f, 0xa7,
-	0x98, 0xf9, 0x3f, 0x11, 0x7a, 0x8c, 0xa9, 0x72, 0x70, 0x1f, 0x41, 0xe3, 0x05, 0xcd, 0x12, 0x1c,
-	0xe0, 0x1f, 0x33, 0xcc, 0x38, 0xba, 0x0d, 0xe5, 0xc3, 0x28, 0xe6, 0x98, 0xda, 0x56, 0xb3, 0xd8,
-	0xaa, 0x05, 0xda, 0x42, 0x6b, 0x50, 0x0c, 0xe3, 0xd8, 0x2e, 0x34, 0xad, 0x56, 0x35, 0x10, 0x47,
-	0xf7, 0x0e, 0xac, 0x75, 0x22, 0x76, 0x7c, 0xc0, 0xc2, 0xe1, 0x32, 0x6f, 0xf7, 0x39, 0xbc, 0x6b,
-	0x60, 0x59, 0x4a, 0x12, 0x86, 0xd1, 0x43, 0x28, 0x53, 0xdc, 0x27, 0x74, 0x20, 0xc1, 0xf5, 0xcd,
-	0x8f, 0xbd, 0xf3, 0xc5, 0xf4, 0xb4, 0x83, 0x00, 0x05, 0x1a, 0xec, 0xfe, 0x57, 0x80, 0xba, 0x71,
-	0x8f, 0x6e, 0x41, 0x61, 0xa7, 0x63, 0x5b, 0x4d, 0xab, 0x55, 0x0b, 0x0a, 0x3b, 0x1d, 0x64, 0x43,
-	0x65, 0x2f, 0xe3, 0x61, 0x2f, 0xc6, 0x3a, 0xda, 0xdc, 0x44, 0xef, 0xc3, 0xca, 0x4e, 0x72, 0xc0,
-	0xb0, 0x5d, 0x94, 0xf7, 0xca, 0x40, 0x08, 0x4a, 0xdd, 0xe8, 0x67, 0x6c, 0x97, 0x9a, 0x56, 0xab,
-	0x18, 0xc8, 0xb3, 0xc8, 0xe3, 0x45, 0x48, 0x71, 0xc2, 0xed, 0x15, 0xc9, 0xab, 0x2d, 0xd4, 0x86,
-	0xda, 0x36, 0xc5, 0x21, 0xc7, 0x83, 0xa7, 0xdc, 0x2e, 0x37, 0xad, 0x56, 0x7d, 0xd3, 0xf1, 0x94,
-	0x82, 0x5e, 0xae, 0xa0, 0xb7, 0x9f, 0x2b, 0xd8, 0xae, 0xbe, 0x3e, 0xdd, 0x78, 0xe7, 0x97, 0x37,
-	0x1b, 0x56, 0x30, 0x75, 0x43, 0x4f, 0x00, 0x76, 0x43, 0xc6, 0x0f, 0x98, 0x24, 0xa9, 0x2c, 0x25,
-	0x29, 0x49, 0x02, 0xc3, 0x07, 0xad, 0x03, 0xc8, 0x02, 0x6c, 0x93, 0x2c, 0xe1, 0x76, 0x55, 0xc6,
-	0x6d, 0xdc, 0xa0, 0x26, 0xd4, 0x3b, 0x98, 0xf5, 0x69, 0x94, 0xf2, 0x88, 0x24, 0x76, 0x4d, 0xa6,
-	0x60, 0x5e, 0x09, 0x06, 0x55, 0xbd, 0xfd, 0x71, 0x8a, 0x6d, 0x90, 0x00, 0xe3, 0x46, 0xe4, 0xdf,
-	0x3d, 0x0a, 0x29, 0x1e, 0xd8, 0x75, 0x59, 0x2a, 0x6d, 0xb9, 0xbf, 0x96, 0xa0, 0xd1, 0x15, 0x6d,
-	0x97, 0x0b, 0xbe, 0x06, 0xc5, 0x00, 0x1f, 0xea, 0xea, 0x8b, 0x23, 0xf2, 0x00, 0x3a, 0xf8, 0x30,
-	0x4a, 0x22, 0xf9, 0xdb, 0x05, 0x99, 0xde, 0x2d, 0x2f, 0xed, 0x79, 0xd3, 0xdb, 0xc0, 0x40, 0x20,
-	0x07, 0xaa, 0xcf, 0x5e, 0xa5, 0x84, 0x8a, 0xa6, 0x29, 0x4a, 0x9a, 0x89, 0x8d, 0x5e, 0xc2, 0x6a,
-	0x7e, 0x7e, 0xca, 0x39, 0x65, 0x76, 0x49, 0x36, 0xca, 0x83, 0xf9, 0x46, 0x31, 0x83, 0xf2, 0x66,
-	0x7c, 0x9e, 0x25, 0x9c, 0x8e, 0x83, 0x59, 0x1e, 0xd1, 0x23, 0x5d, 0xcc, 0x98, 0x88, 0x50, 0x09,
-	0x9c, 0x9b, 0x22, 0x9c, 0xaf, 0x29, 0x49, 0x38, 0x4e, 0x06, 0x52, 0xe0, 0x5a, 0x30, 0xb1, 0x45,
-	0x38, 0xf9, 0x59, 0x85, 0x53, 0xb9, 0x52, 0x38, 0x33, 0x3e, 0x3a, 0x9c, 0x99, 0x3b, 0xb4, 0x05,
-	0x2b, 0xdb, 0x61, 0xff, 0x08, 0x4b, 0x2d, 0xeb, 0x9b, 0xeb, 0xf3, 0x84, 0xf2, 0xdf, 0xdf, 0x4a,
-	0xf1, 0x58, 0xbb, 0x24, 0xda, 0x2a, 0x50, 0x2e, 0xce, 0x13, 0x40, 0xf3, 0xf9, 0x0a, 0x5d, 0x8e,
-	0xf1, 0x38, 0xd7, 0xe5, 0x18, 0x8f, 0x45, 0xf3, 0x9f, 0x84, 0x71, 0xa6, 0x3e, 0x8a, 0x5a, 0xa0,
-	0x8c, 0xad, 0xc2, 0x23, 0x4b, 0x30, 0xcc, 0x87, 0x78, 0x1d, 0x06, 0xf7, 0x8d, 0x05, 0x0d, 0x33,
-	0x42, 0xf4, 0x11, 0xd4, 0x54, 0x50, 0xd3, 0xe6, 0x98, 0x5e, 0x88, 0xee, 0xdb, 0x19, 0x69, 0x83,
-	0xd9, 0x05, 0xf9, 0x52, 0x18, 0x37, 0xe8, 0x3b, 0xa8, 0x2b, 0xb0, 0xaa, 0x72, 0x51, 0x56, 0xd9,
-	0xbf, 0xbc, 0x28, 0x9e, 0xe1, 0xa1, 0x6a, 0x6c, 0x72, 0x38, 0x8f, 0x61, 0xed, 0x3c, 0xe0, 0x5a,
-	0x19, 0xfe, 0x6e, 0xc1, 0xaa, 0x16, 0x55, 0xbf, 0x5e, 0x61, 0xce, 0x88, 0x69, 0x7e, 0xa7, 0xdf,
-	0xb1, 0x87, 0x17, 0xf6, 0x83, 0x82, 0x79, 0xe7, 0xfd, 0x54, 0xbc, 0x73, 0x74, 0xce, 0x36, 0x7c,
-	0xb0, 0x10, 0x7a, 0xad, 0xc8, 0x3f, 0x81, 0xd5, 0x2e, 0x0f, 0x79, 0xc6, 0x2e, 0xfc, 0x64, 0xdd,
-	0xdf, 0x2c, 0xb8, 0x95, 0x63, 0x74, 0x76, 0x5f, 0x42, 0xf5, 0x04, 0x53, 0x8e, 0x5f, 0x61, 0xa6,
-	0xb3, 0xb2, 0xe7, 0xb3, 0xfa, 0x5e, 0x22, 0x82, 0x09, 0x12, 0x6d, 0x41, 0x95, 0x49, 0x1e, 0xac,
-	0x64, 0x5d, 0xd8, 0xca, 0xca, 0x4b, 0xff, 0xde, 0x04, 0x8f, 0x7c, 0x28, 0xc5, 0x64, 0x98, 0xab,
-	0xfd, 0xe1, 0x45, 0x7e, 0xbb, 0x64, 0x18, 0x48, 0xa0, 0x7b, 0x5a, 0x80, 0xb2, 0xba, 0x43, 0xcf,
-	0xa1, 0x3c, 0x88, 0x86, 0x98, 0x71, 0x95, 0x55, 0x7b, 0x53, 0x7c, 0x20, 0x7f, 0x9d, 0x6e, 0xdc,
-	0x31, 0xa6, 0x21, 0x49, 0x71, 0x22, 0x66, 0x77, 0x18, 0x25, 0x98, 0x32, 0x7f, 0x48, 0xee, 0x29,
-	0x17, 0xaf, 0x23, 0xff, 0x04, 0x9a, 0x41, 0x70, 0x45, 0x49, 0x9a, 0x71, 0xdd, 0x98, 0x37, 0xe3,
-	0x52, 0x0c, 0x62, 0xb4, 0x24, 0xe1, 0x08, 0xeb, 0x77, 0x4d, 0x9e, 0xc5, 0xd3, 0xda, 0x17, 0x7d,
-	0x3b, 0x90, 0x03, 0xa7, 0x1a, 0x68, 0x0b, 0x6d, 0x41, 0x85, 0xf1, 0x90, 0x72, 0x3c, 0x90, 0x4f,
-	0xd2, 0x55, 0x66, 0x42, 0xee, 0x80, 0x1e, 0x43, 0xad, 0x4f, 0x46, 0x69, 0x8c, 0x85, 0x77, 0xf9,
-	0x8a, 0xde, 0x53, 0x17, 0xd1, 0x3d, 0x98, 0x52, 0x42, 0xe5, 0x34, 0xaa, 0x05, 0xca, 0x70, 0xff,
-	0x2d, 0x40, 0xc3, 0x14, 0x6b, 0x6e, 0xd2, 0x3e, 0x87, 0xb2, 0x92, 0x5e, 0x75, 0xdd, 0xcd, 0x4a,
-	0xa5, 0x18, 0x16, 0x96, 0xca, 0x86, 0x4a, 0x3f, 0xa3, 0x72, 0x0c, 0xab, 0xe1, 0x9c, 0x9b, 0x22,
-	0x60, 0x4e, 0x78, 0x18, 0xcb, 0x52, 0x15, 0x03, 0x65, 0x88, 0xe9, 0x3c, 0xd9, 0x9e, 0xae, 0x37,
-	0x9d, 0x27, 0x6e, 0xa6, 0x0c, 0x95, 0xb7, 0x92, 0xa1, 0x7a, 0x6d, 0x19, 0xdc, 0x3f, 0x2c, 0xa8,
-	0x4d, 0xba, 0xdc, 0xa8, 0xae, 0xf5, 0xd6, 0xd5, 0x9d, 0xa9, 0x4c, 0xe1, 0x66, 0x95, 0xb9, 0x0d,
-	0x65, 0xc6, 0x29, 0x0e, 0x47, 0x52, 0xa3, 0x62, 0xa0, 0x2d, 0xf1, 0x9e, 0x8c, 0xd8, 0x50, 0x2a,
-	0xd4, 0x08, 0xc4, 0xd1, 0x75, 0xa1, 0xd1, 0x1e, 0x73, 0xcc, 0xf6, 0x30, 0x13, 0x4b, 0x89, 0xd0,
-	0x76, 0x10, 0xf2, 0x50, 0xe6, 0xd1, 0x08, 0xe4, 0xd9, 0xbd, 0x0b, 0x68, 0x37, 0x62, 0xfc, 0xa5,
-	0xdc, 0x45, 0xd9, 0xb2, 0xfd, 0xb1, 0x0b, 0xef, 0xcd, 0xa0, 0xf5, 0x2b, 0xf5, 0xd5, 0xb9, 0x0d,
-	0xf2, 0xb3, 0xf9, 0x57, 0x43, 0xae, 0xbc, 0x9e, 0x72, 0x9c, 0x5d, 0x24, 0x37, 0xff, 0x29, 0x42,
-	0x65, 0x5b, 0x6d, 0xf3, 0x68, 0x1f, 0x6a, 0x93, 0x05, 0x15, 0xb9, 0xf3, 0x34, 0xe7, 0x37, 0x5d,
-	0xe7, 0xd3, 0x4b, 0x31, 0x3a, 0xbe, 0x6f, 0x60, 0x45, 0x2e, 0xd7, 0x68, 0xc1, 0x33, 0x68, 0x6e,
-	0xdd, 0xce, 0xe5, 0xab, 0xef, 0x7d, 0x4b, 0x30, 0xc9, 0x19, 0xb2, 0x88, 0xc9, 0x5c, 0x36, 0x9c,
-	0x8d, 0x25, 0xc3, 0x07, 0xed, 0x41, 0x59, 0x7f, 0xce, 0x8b, 0xa0, 0xe6, 0xa4, 0x70, 0x9a, 0x17,
-	0x03, 0x14, 0xd9, 0x7d, 0x0b, 0xed, 0x4d, 0x36, 0xa9, 0x45, 0xa1, 0x99, 0x6d, 0xe0, 0x2c, 0xf9,
-	0x7f, 0xcb, 0xba, 0x6f, 0xa1, 0x1f, 0xa0, 0x6e, 0x08, 0x8d, 0x16, 0x08, 0x3a, 0xdf, 0x35, 0xce,
-	0xe7, 0x4b, 0x50, 0x2a, 0xd8, 0x76, 0xe3, 0xf5, 0xd9, 0xba, 0xf5, 0xe7, 0xd9, 0xba, 0xf5, 0xf7,
-	0xd9, 0xba, 0xd5, 0x2b, 0xcb, 0xbe, 0xff, 0xe2, 0xff, 0x00, 0x00, 0x00, 0xff, 0xff, 0x10, 0x8f,
-	0x03, 0xa4, 0xd1, 0x0d, 0x00, 0x00,
+	// 1279 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x57, 0x4f, 0x6f, 0x1b, 0x45,
+	0x14, 0xef, 0xda, 0x89, 0xed, 0x7d, 0x76, 0xaa, 0x30, 0x40, 0xb5, 0x5a, 0x20, 0x31, 0x0b, 0x48,
+	0x56, 0xd5, 0xee, 0xb6, 0x81, 0x22, 0x14, 0xa1, 0xaa, 0x75, 0x5c, 0x44, 0xaa, 0x46, 0x94, 0x49,
+	0x4b, 0x25, 0x0e, 0x48, 0x6b, 0x7b, 0xe2, 0xae, 0xb2, 0xde, 0x59, 0x66, 0x66, 0x43, 0xcd, 0x07,
+	0xe0, 0xcc, 0x77, 0xe1, 0xc0, 0x27, 0x40, 0xea, 0x91, 0x73, 0x0f, 0x29, 0xea, 0x1d, 0x4e, 0x5c,
+	0xb8, 0xa1, 0xf9, 0xb3, 0xce, 0x38, 0x76, 0xea, 0xa6, 0x3d, 0x65, 0xde, 0xe4, 0xf7, 0x7e, 0xfb,
+	0xfe, 0xcd, 0x7b, 0xcf, 0xb0, 0x36, 0xa0, 0x99, 0x60, 0x34, 0x0d, 0x73, 0x46, 0x05, 0x45, 0xeb,
+	0x63, 0xda, 0x9f, 0x84, 0xfd, 0x22, 0x49, 0x87, 0x87, 0x89, 0x08, 0x8f, 0xae, 0xfb, 0x57, 0x47,
+	0x89, 0x78, 0x5c, 0xf4, 0xc3, 0x01, 0x1d, 0x47, 0x23, 0x3a, 0xa2, 0x91, 0x02, 0xf6, 0x8b, 0x03,
+	0x25, 0x29, 0x41, 0x9d, 0x34, 0x81, 0xbf, 0x39, 0xa2, 0x74, 0x94, 0x92, 0x13, 0x94, 0x48, 0xc6,
+	0x84, 0x8b, 0x78, 0x9c, 0x1b, 0xc0, 0x15, 0x8b, 0x4f, 0x7e, 0x2c, 0x2a, 0x3f, 0x16, 0x71, 0x9a,
+	0x1e, 0x11, 0x16, 0xe5, 0xfd, 0x88, 0xe6, 0xdc, 0xa0, 0xa3, 0x33, 0xd1, 0x71, 0x9e, 0x44, 0x62,
+	0x92, 0x13, 0x1e, 0xfd, 0x44, 0xd9, 0x21, 0x61, 0x5a, 0x21, 0xf8, 0xc5, 0x81, 0xd6, 0x7d, 0x56,
+	0x64, 0x04, 0x93, 0x1f, 0x0b, 0xc2, 0x05, 0xba, 0x04, 0xb5, 0x83, 0x24, 0x15, 0x84, 0x79, 0x4e,
+	0xbb, 0xda, 0x71, 0xb1, 0x91, 0xd0, 0x3a, 0x54, 0xe3, 0x34, 0xf5, 0x2a, 0x6d, 0xa7, 0xd3, 0xc0,
+	0xf2, 0x88, 0x3a, 0xd0, 0x3a, 0x24, 0x24, 0xef, 0x15, 0x2c, 0x16, 0x09, 0xcd, 0xbc, 0x6a, 0xdb,
+	0xe9, 0x54, 0xbb, 0x2b, 0x4f, 0x8f, 0x37, 0x1d, 0x3c, 0xf3, 0x1f, 0x14, 0x80, 0x2b, 0xe5, 0xee,
+	0x44, 0x10, 0xee, 0xad, 0x58, 0xb0, 0x93, 0xeb, 0xe0, 0x32, 0xac, 0xf7, 0x12, 0x7e, 0xf8, 0x90,
+	0xc7, 0xa3, 0x65, 0xb6, 0x04, 0x77, 0xe1, 0x2d, 0x0b, 0xcb, 0x73, 0x9a, 0x71, 0x82, 0x6e, 0x40,
+	0x8d, 0x91, 0x01, 0x65, 0x43, 0x05, 0x6e, 0x6e, 0x7d, 0x10, 0x9e, 0xce, 0x4d, 0x68, 0x14, 0x24,
+	0x08, 0x1b, 0x70, 0xf0, 0x5f, 0x05, 0x9a, 0xd6, 0x3d, 0xba, 0x08, 0x95, 0xdd, 0x9e, 0xe7, 0xb4,
+	0x9d, 0x8e, 0x8b, 0x2b, 0xbb, 0x3d, 0xe4, 0x41, 0x7d, 0xaf, 0x10, 0x71, 0x3f, 0x25, 0xc6, 0xf7,
+	0x52, 0x44, 0xef, 0xc0, 0xea, 0x6e, 0xf6, 0x90, 0x13, 0xe5, 0x78, 0x03, 0x6b, 0x01, 0x21, 0x58,
+	0xd9, 0x4f, 0x7e, 0x26, 0xda, 0x4d, 0xac, 0xce, 0xd2, 0x8f, 0xfb, 0x31, 0x23, 0x99, 0xf0, 0x56,
+	0x15, 0xaf, 0x91, 0x50, 0x17, 0xdc, 0x1d, 0x46, 0x62, 0x41, 0x86, 0xb7, 0x85, 0x57, 0x6b, 0x3b,
+	0x9d, 0xe6, 0x96, 0x1f, 0xea, 0x82, 0x08, 0xcb, 0x82, 0x08, 0x1f, 0x94, 0x05, 0xd1, 0x6d, 0x3c,
+	0x3d, 0xde, 0xbc, 0xf0, 0xeb, 0x73, 0x19, 0xb7, 0xa9, 0x1a, 0xba, 0x05, 0x70, 0x2f, 0xe6, 0xe2,
+	0x21, 0x57, 0x24, 0xf5, 0xa5, 0x24, 0x2b, 0x8a, 0xc0, 0xd2, 0x41, 0x1b, 0x00, 0x2a, 0x00, 0x3b,
+	0xb4, 0xc8, 0x84, 0xd7, 0x50, 0x76, 0x5b, 0x37, 0xa8, 0x0d, 0xcd, 0x1e, 0xe1, 0x03, 0x96, 0xe4,
+	0x2a, 0xcd, 0xae, 0x72, 0xc1, 0xbe, 0x92, 0x0c, 0x3a, 0x7a, 0x0f, 0x26, 0x39, 0xf1, 0x40, 0x01,
+	0xac, 0x1b, 0xe9, 0xff, 0xfe, 0xe3, 0x98, 0x91, 0xa1, 0xd7, 0x54, 0xa1, 0x32, 0x52, 0xf0, 0xef,
+	0x0a, 0xb4, 0xf6, 0x65, 0x15, 0x97, 0x09, 0x5f, 0x87, 0x2a, 0x26, 0x07, 0x26, 0xfa, 0xf2, 0x88,
+	0x42, 0x80, 0x1e, 0x39, 0x48, 0xb2, 0x44, 0x7d, 0xbb, 0xa2, 0xdc, 0xbb, 0x18, 0xe6, 0xfd, 0xf0,
+	0xe4, 0x16, 0x5b, 0x08, 0xe4, 0x43, 0xe3, 0xce, 0x93, 0x9c, 0x32, 0x59, 0x34, 0x55, 0x45, 0x33,
+	0x95, 0xd1, 0x23, 0x58, 0x2b, 0xcf, 0xb7, 0x85, 0x60, 0xb2, 0x14, 0x65, 0xa1, 0x5c, 0x9f, 0x2f,
+	0x14, 0xdb, 0xa8, 0x70, 0x46, 0xe7, 0x4e, 0x26, 0xd8, 0x04, 0xcf, 0xf2, 0xc8, 0x1a, 0xd9, 0x27,
+	0x9c, 0x4b, 0x0b, 0x75, 0x82, 0x4b, 0x51, 0x9a, 0xf3, 0x15, 0xa3, 0x99, 0x20, 0xd9, 0x50, 0x25,
+	0xd8, 0xc5, 0x53, 0x59, 0x9a, 0x53, 0x9e, 0xb5, 0x39, 0xf5, 0x57, 0x32, 0x67, 0x46, 0xc7, 0x98,
+	0x33, 0x73, 0x87, 0xb6, 0x61, 0x75, 0x27, 0x1e, 0x3c, 0x26, 0x2a, 0x97, 0xcd, 0xad, 0x8d, 0x79,
+	0x42, 0xf5, 0xef, 0x6f, 0x54, 0xf2, 0xb8, 0x7a, 0x8a, 0x17, 0xb0, 0x56, 0x41, 0x3f, 0x40, 0xeb,
+	0x4e, 0x26, 0x12, 0x91, 0x92, 0x31, 0xc9, 0x04, 0xf7, 0x5c, 0xf9, 0xf0, 0xba, 0xdb, 0xcf, 0x8e,
+	0x37, 0x3f, 0x3f, 0xb3, 0xb5, 0x14, 0x22, 0x49, 0x23, 0x62, 0x69, 0x85, 0x16, 0x05, 0x9e, 0xe1,
+	0xf3, 0x6f, 0x01, 0x9a, 0x8f, 0xa7, 0xcc, 0xfb, 0x21, 0x99, 0x94, 0x79, 0x3f, 0x24, 0x13, 0xf9,
+	0xb8, 0x8e, 0xe2, 0xb4, 0xd0, 0x8f, 0xce, 0xc5, 0x5a, 0xd8, 0xae, 0x7c, 0xe1, 0x48, 0x86, 0xf9,
+	0x10, 0x9c, 0x87, 0x21, 0x78, 0xee, 0x40, 0xcb, 0x8e, 0x00, 0x7a, 0x1f, 0x5c, 0x6d, 0xd4, 0x49,
+	0xf1, 0x9d, 0x5c, 0xc8, 0xea, 0xde, 0x1d, 0x1b, 0x81, 0x7b, 0x15, 0xd5, 0x89, 0xac, 0x1b, 0xf4,
+	0x2d, 0x34, 0x35, 0x58, 0x67, 0xb1, 0xaa, 0xb2, 0x18, 0xbd, 0x3c, 0xe8, 0xa1, 0xa5, 0xa1, 0x73,
+	0x68, 0x73, 0xf8, 0x37, 0x61, 0xfd, 0x34, 0xe0, 0x5c, 0x1e, 0xfe, 0xee, 0xc0, 0x9a, 0x29, 0x1a,
+	0xd3, 0x1d, 0xe3, 0x92, 0x91, 0xb0, 0xf2, 0xce, 0xf4, 0xc9, 0x1b, 0x67, 0xd6, 0x9b, 0x86, 0x85,
+	0xa7, 0xf5, 0xb4, 0xbd, 0x73, 0x74, 0xfe, 0x0e, 0xbc, 0xbb, 0x10, 0x7a, 0x2e, 0xcb, 0x3f, 0x84,
+	0xb5, 0x7d, 0x11, 0x8b, 0x82, 0x9f, 0xd9, 0x12, 0x82, 0xdf, 0x1c, 0xb8, 0x58, 0x62, 0x8c, 0x77,
+	0x9f, 0x41, 0xe3, 0x88, 0x30, 0x41, 0x9e, 0x10, 0x6e, 0xbc, 0xf2, 0xe6, 0xbd, 0xfa, 0x4e, 0x21,
+	0xf0, 0x14, 0x89, 0xb6, 0xa1, 0xc1, 0x15, 0x0f, 0xd1, 0x69, 0x5d, 0xf8, 0x54, 0xb4, 0x96, 0xf9,
+	0xde, 0x14, 0x8f, 0x22, 0x58, 0x49, 0xe9, 0xa8, 0xcc, 0xf6, 0x7b, 0x67, 0xe9, 0xdd, 0xa3, 0x23,
+	0xac, 0x80, 0xc1, 0x71, 0x05, 0x6a, 0xfa, 0x0e, 0xdd, 0x85, 0xda, 0x30, 0x19, 0x11, 0x2e, 0xb4,
+	0x57, 0xdd, 0x2d, 0xf9, 0x00, 0x9f, 0x1d, 0x6f, 0x5e, 0xb6, 0x5e, 0x18, 0xcd, 0x49, 0x26, 0x57,
+	0x8d, 0x38, 0xc9, 0x08, 0xe3, 0xd1, 0x88, 0x5e, 0xd5, 0x2a, 0x61, 0x4f, 0xfd, 0xc1, 0x86, 0x41,
+	0x72, 0x25, 0x59, 0x5e, 0x08, 0x53, 0x98, 0xaf, 0xc7, 0xa5, 0x19, 0xe4, 0xe8, 0xca, 0xe2, 0x31,
+	0x31, 0x7d, 0x53, 0x9d, 0x65, 0xeb, 0x1e, 0xc8, 0xba, 0x1d, 0xaa, 0x81, 0xd6, 0xc0, 0x46, 0x42,
+	0xdb, 0x50, 0xe7, 0x22, 0x66, 0x82, 0x0c, 0x55, 0xcb, 0x7b, 0x95, 0x99, 0x53, 0x2a, 0xa0, 0x9b,
+	0xe0, 0x0e, 0xe8, 0x38, 0x4f, 0x89, 0xd4, 0xae, 0xbd, 0xa2, 0xf6, 0x89, 0x8a, 0xac, 0x1e, 0xc2,
+	0x18, 0x65, 0x6a, 0xda, 0xb9, 0x58, 0x0b, 0xc1, 0x3f, 0x15, 0x68, 0xd9, 0xc9, 0x9a, 0x9b, 0xe4,
+	0x77, 0xa1, 0xa6, 0x53, 0xaf, 0xab, 0xee, 0xf5, 0x42, 0xa5, 0x19, 0x16, 0x86, 0xca, 0x83, 0xfa,
+	0xa0, 0x60, 0x6a, 0xcc, 0xeb, 0xe1, 0x5f, 0x8a, 0xd2, 0x60, 0x41, 0x45, 0x9c, 0xaa, 0x50, 0x55,
+	0xb1, 0x16, 0xe4, 0xf4, 0x9f, 0x2e, 0x7b, 0xe7, 0x9b, 0xfe, 0x53, 0x35, 0x3b, 0x0d, 0xf5, 0x37,
+	0x4a, 0x43, 0xe3, 0xdc, 0x69, 0x08, 0xfe, 0x70, 0xc0, 0x9d, 0x56, 0xb9, 0x15, 0x5d, 0xe7, 0x8d,
+	0xa3, 0x3b, 0x13, 0x99, 0xca, 0xeb, 0x45, 0xe6, 0x12, 0xd4, 0xb8, 0x60, 0x24, 0x1e, 0xeb, 0xbd,
+	0x14, 0x1b, 0x49, 0xf6, 0x93, 0x31, 0x1f, 0xa9, 0x0c, 0xb5, 0xb0, 0x3c, 0x06, 0x01, 0xb4, 0xd4,
+	0x0a, 0xba, 0x47, 0xb8, 0x5c, 0x7a, 0x64, 0x6e, 0x87, 0xb1, 0x88, 0x95, 0x1f, 0x2d, 0xac, 0xce,
+	0xc1, 0x15, 0x40, 0xf7, 0x12, 0x2e, 0x1e, 0xa9, 0xd5, 0x99, 0x2f, 0xdb, 0x4f, 0xf7, 0xe1, 0xed,
+	0x19, 0xb4, 0xe9, 0x52, 0x5f, 0x9e, 0xda, 0x50, 0x3f, 0x9e, 0xef, 0x1a, 0x6a, 0x43, 0x0f, 0xb5,
+	0xe2, 0xec, 0xa2, 0xba, 0xf5, 0x77, 0x15, 0xea, 0x3b, 0xfa, 0xc7, 0x07, 0x7a, 0x00, 0xee, 0x74,
+	0x01, 0x46, 0xc1, 0x3c, 0xcd, 0xe9, 0x4d, 0xda, 0xff, 0xe8, 0xa5, 0x18, 0x63, 0xdf, 0xd7, 0xb0,
+	0xaa, 0x7e, 0x0a, 0xa0, 0x05, 0x6d, 0xd0, 0xfe, 0x8d, 0xe0, 0xbf, 0x7c, 0xb5, 0xbe, 0xe6, 0x48,
+	0x26, 0x35, 0x43, 0x16, 0x31, 0xd9, 0xcb, 0x8c, 0xbf, 0xb9, 0x64, 0xf8, 0xa0, 0x3d, 0xa8, 0x99,
+	0xe7, 0xbc, 0x08, 0x6a, 0x4f, 0x0a, 0xbf, 0x7d, 0x36, 0x40, 0x93, 0x5d, 0x73, 0xd0, 0xde, 0x74,
+	0x53, 0x5b, 0x64, 0x9a, 0x5d, 0x06, 0xfe, 0x92, 0xff, 0x77, 0x9c, 0x6b, 0x0e, 0xfa, 0x1e, 0x9a,
+	0x56, 0xa2, 0xd1, 0x82, 0x84, 0xce, 0x57, 0x8d, 0xff, 0xc9, 0x12, 0x94, 0x36, 0xb6, 0xdb, 0x7a,
+	0xfa, 0x62, 0xc3, 0xf9, 0xf3, 0xc5, 0x86, 0xf3, 0xd7, 0x8b, 0x0d, 0xa7, 0x5f, 0x53, 0x75, 0xff,
+	0xe9, 0xff, 0x01, 0x00, 0x00, 0xff, 0xff, 0xfe, 0x98, 0x98, 0x82, 0x80, 0x0e, 0x00, 0x00,
 }

vendor/github.com/moby/buildkit/api/services/control/control.proto

@@ -25,8 +25,10 @@ service Control {
 }
 
 message PruneRequest {
-	repeated string filter = 1; // FIXME: not implemented
+	repeated string filter = 1;
 	bool all = 2;
+	int64 keepDuration = 3 [(gogoproto.nullable) = true];
+	int64 keepBytes = 4 [(gogoproto.nullable) = true];
 }
 
 message DiskUsageRequest {
@@ -60,6 +62,7 @@ message SolveRequest {
 	string Frontend = 6;
 	map<string, string> FrontendAttrs = 7;
 	CacheOptions Cache = 8 [(gogoproto.nullable) = false];
+	repeated string Entitlements = 9 [(gogoproto.customtype) = "github.com/moby/buildkit/util/entitlements.Entitlement" ];
 }
 
 message CacheOptions {

vendor/github.com/moby/buildkit/cache/manager.go

@@ -2,6 +2,7 @@ package cache
 
 import (
 	"context"
+	"sort"
 	"sync"
 	"time"
 
@@ -321,14 +322,50 @@ func (cm *cacheManager) Prune(ctx context.Context, ch chan client.UsageInfo, opt
 		check = c
 	}
 
-	return cm.prune(ctx, ch, filter, opt.All, check)
+	totalSize := int64(0)
+	if opt.KeepBytes != 0 {
+		du, err := cm.DiskUsage(ctx, client.DiskUsageInfo{})
+		if err != nil {
+			return err
+		}
+		for _, ui := range du {
+			if check != nil {
+				if check.Exists(ui.ID) {
+					continue
+				}
+			}
+			totalSize += ui.Size
+		}
+	}
+
+	return cm.prune(ctx, ch, pruneOpt{
+		filter:       filter,
+		all:          opt.All,
+		checkShared:  check,
+		keepDuration: opt.KeepDuration,
+		keepBytes:    opt.KeepBytes,
+		totalSize:    totalSize,
+	})
 }
 
-func (cm *cacheManager) prune(ctx context.Context, ch chan client.UsageInfo, filter filters.Filter, all bool, checkShared ExternalRefChecker) error {
-	var toDelete []*cacheRecord
+func (cm *cacheManager) prune(ctx context.Context, ch chan client.UsageInfo, opt pruneOpt) error {
+	var toDelete []*deleteRecord
+
+	if opt.keepBytes != 0 && opt.totalSize < opt.keepBytes {
+		return nil
+	}
+
 	cm.mu.Lock()
 
+	gcMode := opt.keepBytes != 0
+	cutOff := time.Now().Add(-opt.keepDuration)
+
+	locked := map[*cacheRecord]struct{}{}
+
 	for _, cr := range cm.records {
+		if _, ok := locked[cr]; ok {
+			continue
+		}
 		cr.mu.Lock()
 
 		// ignore duplicates that share data
@@ -349,11 +386,11 @@ func (cm *cacheManager) prune(ctx context.Context, ch chan client.UsageInfo, fil
 			}
 
 			shared := false
-			if checkShared != nil {
-				shared = checkShared.Exists(cr.ID())
+			if opt.checkShared != nil {
+				shared = opt.checkShared.Exists(cr.ID())
 			}
 
-			if !all {
+			if !opt.all {
 				if recordType == client.UsageRecordTypeInternal || recordType == client.UsageRecordTypeFrontend || shared {
 					cr.mu.Unlock()
 					continue
@@ -367,23 +404,59 @@ func (cm *cacheManager) prune(ctx context.Context, ch chan client.UsageInfo, fil
 				Shared:     shared,
 			}
 
-			if filter.Match(adaptUsageInfo(c)) {
-				cr.dead = true
+			usageCount, lastUsedAt := getLastUsed(cr.md)
+			c.LastUsedAt = lastUsedAt
+			c.UsageCount = usageCount
 
-				toDelete = append(toDelete, cr)
-
-				// mark metadata as deleted in case we crash before cleanup finished
-				if err := setDeleted(cr.md); err != nil {
+			if opt.keepDuration != 0 {
+				if lastUsedAt != nil && lastUsedAt.After(cutOff) {
 					cr.mu.Unlock()
-					cm.mu.Unlock()
-					return err
+					continue
 				}
 			}
-		}
 
+			if opt.filter.Match(adaptUsageInfo(c)) {
+				toDelete = append(toDelete, &deleteRecord{
+					cacheRecord: cr,
+					lastUsedAt:  c.LastUsedAt,
+					usageCount:  c.UsageCount,
+				})
+				if !gcMode {
+					cr.dead = true
+
+					// mark metadata as deleted in case we crash before cleanup finished
+					if err := setDeleted(cr.md); err != nil {
+						cr.mu.Unlock()
+						cm.mu.Unlock()
+						return err
+					}
+				} else {
+					locked[cr] = struct{}{}
+					continue // leave the record locked
+				}
+			}
+		}
 		cr.mu.Unlock()
 	}
 
+	if gcMode && len(toDelete) > 0 {
+		sortDeleteRecords(toDelete)
+		var err error
+		for i, cr := range toDelete {
+			// only remove single record at a time
+			if i == 0 {
+				cr.dead = true
+				err = setDeleted(cr.md)
+			}
+			cr.mu.Unlock()
+		}
+		if err != nil {
+			return err
+		}
+		toDelete = toDelete[:1]
+		opt.totalSize -= getSize(toDelete[0].md)
+	}
+
 	cm.mu.Unlock()
 
 	if len(toDelete) == 0 {
@@ -443,7 +516,7 @@ func (cm *cacheManager) prune(ctx context.Context, ch chan client.UsageInfo, fil
 	case <-ctx.Done():
 		return ctx.Err()
 	default:
-		return cm.prune(ctx, ch, filter, all, checkShared)
+		return cm.prune(ctx, ch, opt)
 	}
 }
 
@@ -705,3 +778,63 @@ func adaptUsageInfo(info *client.UsageInfo) filters.Adaptor {
 		return "", false
 	})
 }
+
+type pruneOpt struct {
+	filter       filters.Filter
+	all          bool
+	checkShared  ExternalRefChecker
+	keepDuration time.Duration
+	keepBytes    int64
+	totalSize    int64
+}
+
+type deleteRecord struct {
+	*cacheRecord
+	lastUsedAt      *time.Time
+	usageCount      int
+	lastUsedAtIndex int
+	usageCountIndex int
+}
+
+func sortDeleteRecords(toDelete []*deleteRecord) {
+	sort.Slice(toDelete, func(i, j int) bool {
+		if toDelete[i].lastUsedAt == nil {
+			return true
+		}
+		if toDelete[j].lastUsedAt == nil {
+			return false
+		}
+		return toDelete[i].lastUsedAt.Before(*toDelete[j].lastUsedAt)
+	})
+
+	maxLastUsedIndex := 0
+	var val time.Time
+	for _, v := range toDelete {
+		if v.lastUsedAt != nil && v.lastUsedAt.After(val) {
+			val = *v.lastUsedAt
+			maxLastUsedIndex++
+		}
+		v.lastUsedAtIndex = maxLastUsedIndex
+	}
+
+	sort.Slice(toDelete, func(i, j int) bool {
+		return toDelete[i].usageCount < toDelete[j].usageCount
+	})
+
+	maxUsageCountIndex := 0
+	var count int
+	for _, v := range toDelete {
+		if v.usageCount != count {
+			count = v.usageCount
+			maxUsageCountIndex++
+		}
+		v.usageCountIndex = maxUsageCountIndex
+	}
+
+	sort.Slice(toDelete, func(i, j int) bool {
+		return float64(toDelete[i].lastUsedAtIndex)/float64(maxLastUsedIndex)+
+			float64(toDelete[i].usageCountIndex)/float64(maxUsageCountIndex) <
+			float64(toDelete[j].lastUsedAtIndex)/float64(maxLastUsedIndex)+
+				float64(toDelete[j].usageCountIndex)/float64(maxUsageCountIndex)
+	})
+}

vendor/github.com/moby/buildkit/client/build.go

@@ -0,0 +1,95 @@
+package client
+
+import (
+	"context"
+
+	"github.com/moby/buildkit/client/buildid"
+	gateway "github.com/moby/buildkit/frontend/gateway/client"
+	"github.com/moby/buildkit/frontend/gateway/grpcclient"
+	gatewayapi "github.com/moby/buildkit/frontend/gateway/pb"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/util/apicaps"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+)
+
+func (c *Client) Build(ctx context.Context, opt SolveOpt, product string, buildFunc gateway.BuildFunc, statusChan chan *SolveStatus) (*SolveResponse, error) {
+	defer func() {
+		if statusChan != nil {
+			close(statusChan)
+		}
+	}()
+
+	if opt.Frontend != "" {
+		return nil, errors.New("invalid SolveOpt, Build interface cannot use Frontend")
+	}
+
+	if product == "" {
+		product = apicaps.ExportedProduct
+	}
+
+	feOpts := opt.FrontendAttrs
+	opt.FrontendAttrs = nil
+
+	workers, err := c.ListWorkers(ctx)
+	if err != nil {
+		return nil, errors.Wrap(err, "listing workers for Build")
+	}
+	var gworkers []gateway.WorkerInfo
+	for _, w := range workers {
+		gworkers = append(gworkers, gateway.WorkerInfo{
+			ID:        w.ID,
+			Labels:    w.Labels,
+			Platforms: w.Platforms,
+		})
+	}
+
+	cb := func(ref string, s *session.Session) error {
+		g, err := grpcclient.New(ctx, feOpts, s.ID(), product, c.gatewayClientForBuild(ref), gworkers)
+		if err != nil {
+			return err
+		}
+
+		if err := g.Run(ctx, buildFunc); err != nil {
+			return errors.Wrap(err, "failed to run Build function")
+		}
+		return nil
+	}
+
+	return c.solve(ctx, nil, cb, opt, statusChan)
+}
+
+func (c *Client) gatewayClientForBuild(buildid string) gatewayapi.LLBBridgeClient {
+	g := gatewayapi.NewLLBBridgeClient(c.conn)
+	return &gatewayClientForBuild{g, buildid}
+}
+
+type gatewayClientForBuild struct {
+	gateway gatewayapi.LLBBridgeClient
+	buildID string
+}
+
+func (g *gatewayClientForBuild) ResolveImageConfig(ctx context.Context, in *gatewayapi.ResolveImageConfigRequest, opts ...grpc.CallOption) (*gatewayapi.ResolveImageConfigResponse, error) {
+	ctx = buildid.AppendToOutgoingContext(ctx, g.buildID)
+	return g.gateway.ResolveImageConfig(ctx, in, opts...)
+}
+
+func (g *gatewayClientForBuild) Solve(ctx context.Context, in *gatewayapi.SolveRequest, opts ...grpc.CallOption) (*gatewayapi.SolveResponse, error) {
+	ctx = buildid.AppendToOutgoingContext(ctx, g.buildID)
+	return g.gateway.Solve(ctx, in, opts...)
+}
+
+func (g *gatewayClientForBuild) ReadFile(ctx context.Context, in *gatewayapi.ReadFileRequest, opts ...grpc.CallOption) (*gatewayapi.ReadFileResponse, error) {
+	ctx = buildid.AppendToOutgoingContext(ctx, g.buildID)
+	return g.gateway.ReadFile(ctx, in, opts...)
+}
+
+func (g *gatewayClientForBuild) Ping(ctx context.Context, in *gatewayapi.PingRequest, opts ...grpc.CallOption) (*gatewayapi.PongResponse, error) {
+	ctx = buildid.AppendToOutgoingContext(ctx, g.buildID)
+	return g.gateway.Ping(ctx, in, opts...)
+}
+
+func (g *gatewayClientForBuild) Return(ctx context.Context, in *gatewayapi.ReturnRequest, opts ...grpc.CallOption) (*gatewayapi.ReturnResponse, error) {
+	ctx = buildid.AppendToOutgoingContext(ctx, g.buildID)
+	return g.gateway.Return(ctx, in, opts...)
+}

vendor/github.com/moby/buildkit/client/buildid/metadata.go

@@ -0,0 +1,29 @@
+package buildid
+
+import (
+	"context"
+
+	"google.golang.org/grpc/metadata"
+)
+
+var metadataKey = "buildkit-controlapi-buildid"
+
+func AppendToOutgoingContext(ctx context.Context, id string) context.Context {
+	if id != "" {
+		return metadata.AppendToOutgoingContext(ctx, metadataKey, id)
+	}
+	return ctx
+}
+
+func FromIncomingContext(ctx context.Context) string {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return ""
+	}
+
+	if ids := md.Get(metadataKey); len(ids) == 1 {
+		return ids[0]
+	}
+
+	return ""
+}

vendor/github.com/moby/buildkit/client/llb/exec.go

@@ -2,6 +2,7 @@ package llb
 
 import (
 	_ "crypto/sha256"
+	"net"
 	"sort"
 
 	"github.com/moby/buildkit/solver/pb"
@@ -10,11 +11,13 @@ import (
 )
 
 type Meta struct {
-	Args     []string
-	Env      EnvList
-	Cwd      string
-	User     string
-	ProxyEnv *ProxyEnv
+	Args       []string
+	Env        EnvList
+	Cwd        string
+	User       string
+	ProxyEnv   *ProxyEnv
+	ExtraHosts []HostIP
+	Network    pb.NetMode
 }
 
 func NewExecOp(root Output, meta Meta, readOnly bool, c Constraints) *ExecOp {
@@ -127,13 +130,26 @@ func (e *ExecOp) Marshal(c *Constraints) (digest.Digest, []byte, *pb.OpMetadata,
 		return e.mounts[i].target < e.mounts[j].target
 	})
 
+	meta := &pb.Meta{
+		Args: e.meta.Args,
+		Env:  e.meta.Env.ToArray(),
+		Cwd:  e.meta.Cwd,
+		User: e.meta.User,
+	}
+	if len(e.meta.ExtraHosts) > 0 {
+		hosts := make([]*pb.HostIP, len(e.meta.ExtraHosts))
+		for i, h := range e.meta.ExtraHosts {
+			hosts[i] = &pb.HostIP{Host: h.Host, IP: h.IP.String()}
+		}
+		meta.ExtraHosts = hosts
+	}
+
 	peo := &pb.ExecOp{
-		Meta: &pb.Meta{
-			Args: e.meta.Args,
-			Env:  e.meta.Env.ToArray(),
-			Cwd:  e.meta.Cwd,
-			User: e.meta.User,
-		},
+		Meta:    meta,
+		Network: e.meta.Network,
+	}
+	if e.meta.Network != NetModeSandbox {
+		addCap(&e.constraints, pb.CapExecMetaNetwork)
 	}
 
 	if p := e.meta.ProxyEnv; p != nil {
@@ -346,6 +362,12 @@ func (fn runOptionFunc) SetRunOption(ei *ExecInfo) {
 	fn(ei)
 }
 
+func Network(n pb.NetMode) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = network(n)(ei.State)
+	})
+}
+
 func Shlex(str string) RunOption {
 	return Shlexf(str)
 }
@@ -386,6 +408,12 @@ func Dirf(str string, v ...interface{}) RunOption {
 	})
 }
 
+func AddExtraHost(host string, ip net.IP) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = ei.State.AddExtraHost(host, ip)
+	})
+}
+
 func Reset(s State) RunOption {
 	return runOptionFunc(func(ei *ExecInfo) {
 		ei.State = ei.State.Reset(s)
@@ -492,3 +520,9 @@ const (
 	CacheMountPrivate
 	CacheMountLocked
 )
+
+const (
+	NetModeSandbox = pb.NetMode_UNSET
+	NetModeHost    = pb.NetMode_HOST
+	NetModeNone    = pb.NetMode_NONE
+)

vendor/github.com/moby/buildkit/client/llb/meta.go

@@ -2,21 +2,25 @@ package llb
 
 import (
 	"fmt"
+	"net"
 	"path"
 
 	"github.com/containerd/containerd/platforms"
 	"github.com/google/shlex"
+	"github.com/moby/buildkit/solver/pb"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 type contextKeyT string
 
 var (
-	keyArgs     = contextKeyT("llb.exec.args")
-	keyDir      = contextKeyT("llb.exec.dir")
-	keyEnv      = contextKeyT("llb.exec.env")
-	keyUser     = contextKeyT("llb.exec.user")
-	keyPlatform = contextKeyT("llb.platform")
+	keyArgs      = contextKeyT("llb.exec.args")
+	keyDir       = contextKeyT("llb.exec.dir")
+	keyEnv       = contextKeyT("llb.exec.env")
+	keyUser      = contextKeyT("llb.exec.user")
+	keyExtraHost = contextKeyT("llb.exec.extrahost")
+	keyPlatform  = contextKeyT("llb.platform")
+	keyNetwork   = contextKeyT("llb.network")
 )
 
 func addEnv(key, value string) StateOption {
@@ -124,6 +128,40 @@ func getPlatform(s State) *specs.Platform {
 	return nil
 }
 
+func extraHost(host string, ip net.IP) StateOption {
+	return func(s State) State {
+		return s.WithValue(keyExtraHost, append(getExtraHosts(s), HostIP{Host: host, IP: ip}))
+	}
+}
+
+func getExtraHosts(s State) []HostIP {
+	v := s.Value(keyExtraHost)
+	if v != nil {
+		return v.([]HostIP)
+	}
+	return nil
+}
+
+type HostIP struct {
+	Host string
+	IP   net.IP
+}
+
+func network(v pb.NetMode) StateOption {
+	return func(s State) State {
+		return s.WithValue(keyNetwork, v)
+	}
+}
+
+func getNetwork(s State) pb.NetMode {
+	v := s.Value(keyNetwork)
+	if v != nil {
+		n := v.(pb.NetMode)
+		return n
+	}
+	return NetModeSandbox
+}
+
 type EnvList []KeyValue
 
 type KeyValue struct {

vendor/github.com/moby/buildkit/client/llb/state.go

@@ -3,6 +3,7 @@ package llb
 import (
 	"context"
 	"fmt"
+	"net"
 
 	"github.com/containerd/containerd/platforms"
 	"github.com/moby/buildkit/identity"
@@ -181,11 +182,13 @@ func (s State) Run(ro ...RunOption) ExecState {
 		o.SetRunOption(ei)
 	}
 	meta := Meta{
-		Args:     getArgs(ei.State),
-		Cwd:      getDir(ei.State),
-		Env:      getEnv(ei.State),
-		User:     getUser(ei.State),
-		ProxyEnv: ei.ProxyEnv,
+		Args:       getArgs(ei.State),
+		Cwd:        getDir(ei.State),
+		Env:        getEnv(ei.State),
+		User:       getUser(ei.State),
+		ProxyEnv:   ei.ProxyEnv,
+		ExtraHosts: getExtraHosts(ei.State),
+		Network:    getNetwork(ei.State),
 	}
 
 	exec := NewExecOp(s.Output(), meta, ei.ReadonlyRootFS, ei.Constraints)
@@ -247,6 +250,14 @@ func (s State) GetPlatform() *specs.Platform {
 	return getPlatform(s)
 }
 
+func (s State) Network(n pb.NetMode) State {
+	return network(n)(s)
+}
+
+func (s State) GetNetwork() pb.NetMode {
+	return getNetwork(s)
+}
+
 func (s State) With(so ...StateOption) State {
 	for _, o := range so {
 		s = o(s)
@@ -254,6 +265,10 @@ func (s State) With(so ...StateOption) State {
 	return s
 }
 
+func (s State) AddExtraHost(host string, ip net.IP) State {
+	return extraHost(host, ip)(s)
+}
+
 type output struct {
 	vertex   Vertex
 	getIndex func() (pb.OutputIndex, error)

vendor/github.com/moby/buildkit/client/prune.go

@@ -3,6 +3,7 @@ package client
 import (
 	"context"
 	"io"
+	"time"
 
 	controlapi "github.com/moby/buildkit/api/services/control"
 	"github.com/pkg/errors"
@@ -14,7 +15,11 @@ func (c *Client) Prune(ctx context.Context, ch chan UsageInfo, opts ...PruneOpti
 		o.SetPruneOption(info)
 	}
 
-	req := &controlapi.PruneRequest{Filter: info.Filter}
+	req := &controlapi.PruneRequest{
+		Filter:       info.Filter,
+		KeepDuration: int64(info.KeepDuration),
+		KeepBytes:    int64(info.KeepBytes),
+	}
 	if info.All {
 		req.All = true
 	}
@@ -54,8 +59,10 @@ type PruneOption interface {
 }
 
 type PruneInfo struct {
-	Filter []string
-	All    bool
+	Filter       []string
+	All          bool
+	KeepDuration time.Duration
+	KeepBytes    int64
 }
 
 type pruneOptionFunc func(*PruneInfo)
@@ -67,3 +74,10 @@ func (f pruneOptionFunc) SetPruneOption(pi *PruneInfo) {
 var PruneAll = pruneOptionFunc(func(pi *PruneInfo) {
 	pi.All = true
 })
+
+func WithKeepOpt(duration time.Duration, bytes int64) PruneOption {
+	return pruneOptionFunc(func(pi *PruneInfo) {
+		pi.KeepDuration = duration
+		pi.KeepBytes = bytes
+	})
+}

vendor/github.com/moby/buildkit/client/solve.go

@@ -15,6 +15,7 @@ import (
 	"github.com/moby/buildkit/session/filesync"
 	"github.com/moby/buildkit/session/grpchijack"
 	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/util/entitlements"
 	opentracing "github.com/opentracing/opentracing-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -22,18 +23,19 @@ import (
 )
 
 type SolveOpt struct {
-	Exporter          string
-	ExporterAttrs     map[string]string
-	ExporterOutput    io.WriteCloser // for ExporterOCI and ExporterDocker
-	ExporterOutputDir string         // for ExporterLocal
-	LocalDirs         map[string]string
-	SharedKey         string
-	Frontend          string
-	FrontendAttrs     map[string]string
-	ExportCache       string
-	ExportCacheAttrs  map[string]string
-	ImportCache       []string
-	Session           []session.Attachable
+	Exporter            string
+	ExporterAttrs       map[string]string
+	ExporterOutput      io.WriteCloser // for ExporterOCI and ExporterDocker
+	ExporterOutputDir   string         // for ExporterLocal
+	LocalDirs           map[string]string
+	SharedKey           string
+	Frontend            string
+	FrontendAttrs       map[string]string
+	ExportCache         string
+	ExportCacheAttrs    map[string]string
+	ImportCache         []string
+	Session             []session.Attachable
+	AllowedEntitlements []entitlements.Entitlement
 }
 
 // Solve calls Solve on the controller.
@@ -52,6 +54,16 @@ func (c *Client) Solve(ctx context.Context, def *llb.Definition, opt SolveOpt, s
 		return nil, errors.Errorf("invalid definition for frontend %s", opt.Frontend)
 	}
 
+	return c.solve(ctx, def, nil, opt, statusChan)
+}
+
+type runGatewayCB func(ref string, s *session.Session) error
+
+func (c *Client) solve(ctx context.Context, def *llb.Definition, runGateway runGatewayCB, opt SolveOpt, statusChan chan *SolveStatus) (*SolveResponse, error) {
+	if def != nil && runGateway != nil {
+		return nil, errors.New("invalid with def and cb")
+	}
+
 	syncedDirs, err := prepareSyncedDirs(def, opt.LocalDirs)
 	if err != nil {
 		return nil, err
@@ -110,8 +122,12 @@ func (c *Client) Solve(ctx context.Context, def *llb.Definition, opt SolveOpt, s
 		return s.Run(statusContext, grpchijack.Dialer(c.controlClient()))
 	})
 
+	solveCtx, cancelSolve := context.WithCancel(ctx)
 	var res *SolveResponse
 	eg.Go(func() error {
+		ctx := solveCtx
+		defer cancelSolve()
+
 		defer func() { // make sure the Status ends cleanly on build errors
 			go func() {
 				<-time.After(3 * time.Second)
@@ -137,6 +153,7 @@ func (c *Client) Solve(ctx context.Context, def *llb.Definition, opt SolveOpt, s
 				ImportRefs:  opt.ImportCache,
 				ExportAttrs: opt.ExportCacheAttrs,
 			},
+			Entitlements: opt.AllowedEntitlements,
 		})
 		if err != nil {
 			return errors.Wrap(err, "failed to solve")
@@ -147,6 +164,28 @@ func (c *Client) Solve(ctx context.Context, def *llb.Definition, opt SolveOpt, s
 		return nil
 	})
 
+	if runGateway != nil {
+		eg.Go(func() error {
+			err := runGateway(ref, s)
+			if err == nil {
+				return nil
+			}
+
+			// If the callback failed then the main
+			// `Solve` (called above) should error as
+			// well. However as a fallback we wait up to
+			// 5s for that to happen before failing this
+			// goroutine.
+			select {
+			case <-solveCtx.Done():
+			case <-time.After(5 * time.Second):
+				cancelSolve()
+			}
+
+			return err
+		})
+	}
+
 	eg.Go(func() error {
 		stream, err := c.controlClient().Status(statusContext, &controlapi.StatusRequest{
 			Ref: ref,

vendor/github.com/moby/buildkit/control/control.go

@@ -2,12 +2,14 @@ package control
 
 import (
 	"context"
+	"time"
 
 	"github.com/docker/distribution/reference"
 	controlapi "github.com/moby/buildkit/api/services/control"
 	apitypes "github.com/moby/buildkit/api/types"
 	"github.com/moby/buildkit/cache/remotecache"
 	"github.com/moby/buildkit/client"
+	controlgateway "github.com/moby/buildkit/control/gateway"
 	"github.com/moby/buildkit/exporter"
 	"github.com/moby/buildkit/frontend"
 	"github.com/moby/buildkit/session"
@@ -34,29 +36,34 @@ type Opt struct {
 }
 
 type Controller struct { // TODO: ControlService
-	opt    Opt
-	solver *llbsolver.Solver
-	cache  solver.CacheManager
+	opt              Opt
+	solver           *llbsolver.Solver
+	cache            solver.CacheManager
+	gatewayForwarder *controlgateway.GatewayForwarder
 }
 
 func NewController(opt Opt) (*Controller, error) {
 	cache := solver.NewCacheManager("local", opt.CacheKeyStorage, worker.NewCacheResultStorage(opt.WorkerController))
 
-	solver, err := llbsolver.New(opt.WorkerController, opt.Frontends, cache, opt.ResolveCacheImporterFunc)
+	gatewayForwarder := controlgateway.NewGatewayForwarder()
+
+	solver, err := llbsolver.New(opt.WorkerController, opt.Frontends, cache, opt.ResolveCacheImporterFunc, gatewayForwarder)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create solver")
 	}
 
 	c := &Controller{
-		opt:    opt,
-		solver: solver,
-		cache:  cache,
+		opt:              opt,
+		solver:           solver,
+		cache:            cache,
+		gatewayForwarder: gatewayForwarder,
 	}
 	return c, nil
 }
 
 func (c *Controller) Register(server *grpc.Server) error {
 	controlapi.RegisterControlServer(server, c)
+	c.gatewayForwarder.Register(server)
 	return nil
 }
 
@@ -120,8 +127,10 @@ func (c *Controller) Prune(req *controlapi.PruneRequest, stream controlapi.Contr
 		func(w worker.Worker) {
 			eg.Go(func() error {
 				return w.Prune(ctx, ch, client.PruneInfo{
-					Filter: req.Filter,
-					All:    req.All,
+					Filter:       req.Filter,
+					All:          req.All,
+					KeepDuration: time.Duration(req.KeepDuration),
+					KeepBytes:    req.KeepBytes,
 				})
 			})
 		}(w)
@@ -213,7 +222,7 @@ func (c *Controller) Solve(ctx context.Context, req *controlapi.SolveRequest) (*
 		Exporter:        expi,
 		CacheExporter:   cacheExporter,
 		CacheExportMode: parseCacheExporterOpt(req.Cache.ExportAttrs),
-	})
+	}, req.Entitlements)
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/moby/buildkit/control/gateway/gateway.go

@@ -0,0 +1,127 @@
+package gateway
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	"github.com/moby/buildkit/client/buildid"
+	"github.com/moby/buildkit/frontend/gateway"
+	gwapi "github.com/moby/buildkit/frontend/gateway/pb"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+)
+
+type GatewayForwarder struct {
+	mu         sync.RWMutex
+	updateCond *sync.Cond
+	builds     map[string]gateway.LLBBridgeForwarder
+}
+
+func NewGatewayForwarder() *GatewayForwarder {
+	gwf := &GatewayForwarder{
+		builds: map[string]gateway.LLBBridgeForwarder{},
+	}
+	gwf.updateCond = sync.NewCond(gwf.mu.RLocker())
+	return gwf
+}
+
+func (gwf *GatewayForwarder) Register(server *grpc.Server) {
+	gwapi.RegisterLLBBridgeServer(server, gwf)
+}
+
+func (gwf *GatewayForwarder) RegisterBuild(ctx context.Context, id string, bridge gateway.LLBBridgeForwarder) error {
+	gwf.mu.Lock()
+	defer gwf.mu.Unlock()
+
+	if _, ok := gwf.builds[id]; ok {
+		return errors.Errorf("build ID %s exists", id)
+	}
+
+	gwf.builds[id] = bridge
+	gwf.updateCond.Broadcast()
+
+	return nil
+}
+
+func (gwf *GatewayForwarder) UnregisterBuild(ctx context.Context, id string) {
+	gwf.mu.Lock()
+	defer gwf.mu.Unlock()
+
+	delete(gwf.builds, id)
+	gwf.updateCond.Broadcast()
+}
+
+func (gwf *GatewayForwarder) lookupForwarder(ctx context.Context) (gateway.LLBBridgeForwarder, error) {
+	bid := buildid.FromIncomingContext(ctx)
+	if bid == "" {
+		return nil, errors.New("no buildid found in context")
+	}
+
+	ctx, cancel := context.WithTimeout(ctx, 3*time.Second)
+	defer cancel()
+
+	go func() {
+		<-ctx.Done()
+		gwf.updateCond.Broadcast()
+	}()
+
+	gwf.mu.RLock()
+	defer gwf.mu.RUnlock()
+	for {
+		select {
+		case <-ctx.Done():
+			return nil, errors.Errorf("no such job %s", bid)
+		default:
+		}
+		fwd, ok := gwf.builds[bid]
+		if !ok {
+			gwf.updateCond.Wait()
+			continue
+		}
+		return fwd, nil
+	}
+}
+
+func (gwf *GatewayForwarder) ResolveImageConfig(ctx context.Context, req *gwapi.ResolveImageConfigRequest) (*gwapi.ResolveImageConfigResponse, error) {
+	fwd, err := gwf.lookupForwarder(ctx)
+	if err != nil {
+		return nil, errors.Wrap(err, "forwarding ResolveImageConfig")
+	}
+
+	return fwd.ResolveImageConfig(ctx, req)
+}
+
+func (gwf *GatewayForwarder) Solve(ctx context.Context, req *gwapi.SolveRequest) (*gwapi.SolveResponse, error) {
+	fwd, err := gwf.lookupForwarder(ctx)
+	if err != nil {
+		return nil, errors.Wrap(err, "forwarding Solve")
+	}
+
+	return fwd.Solve(ctx, req)
+}
+
+func (gwf *GatewayForwarder) ReadFile(ctx context.Context, req *gwapi.ReadFileRequest) (*gwapi.ReadFileResponse, error) {
+	fwd, err := gwf.lookupForwarder(ctx)
+	if err != nil {
+		return nil, errors.Wrap(err, "forwarding ReadFile")
+	}
+	return fwd.ReadFile(ctx, req)
+}
+
+func (gwf *GatewayForwarder) Ping(ctx context.Context, req *gwapi.PingRequest) (*gwapi.PongResponse, error) {
+	fwd, err := gwf.lookupForwarder(ctx)
+	if err != nil {
+		return nil, errors.Wrap(err, "forwarding Ping")
+	}
+	return fwd.Ping(ctx, req)
+}
+
+func (gwf *GatewayForwarder) Return(ctx context.Context, req *gwapi.ReturnRequest) (*gwapi.ReturnResponse, error) {
+	fwd, err := gwf.lookupForwarder(ctx)
+	if err != nil {
+		return nil, errors.Wrap(err, "forwarding Return")
+	}
+	res, err := fwd.Return(ctx, req)
+	return res, err
+}

vendor/github.com/moby/buildkit/executor/executor.go

@@ -3,8 +3,10 @@ package executor
 import (
 	"context"
 	"io"
+	"net"
 
 	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/solver/pb"
 )
 
 type Meta struct {
@@ -14,7 +16,8 @@ type Meta struct {
 	Cwd            string
 	Tty            bool
 	ReadonlyRootFS bool
-	// DisableNetworking bool
+	ExtraHosts     []HostIP
+	NetMode        pb.NetMode
 }
 
 type Mount struct {
@@ -28,3 +31,8 @@ type Executor interface {
 	// TODO: add stdout/err
 	Exec(ctx context.Context, meta Meta, rootfs cache.Mountable, mounts []Mount, stdin io.ReadCloser, stdout, stderr io.WriteCloser) error
 }
+
+type HostIP struct {
+	Host string
+	IP   net.IP
+}

vendor/github.com/moby/buildkit/executor/oci/hosts.go

@@ -1,10 +1,15 @@
 package oci
 
 import (
+	"bytes"
 	"context"
+	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
+
+	"github.com/moby/buildkit/executor"
+	"github.com/moby/buildkit/identity"
 )
 
 const hostsContent = `
@@ -12,27 +17,53 @@ const hostsContent = `
 ::1	localhost ip6-localhost ip6-loopback
 `
 
-func GetHostsFile(ctx context.Context, stateDir string) (string, error) {
-	p := filepath.Join(stateDir, "hosts")
-	_, err := g.Do(ctx, stateDir, func(ctx context.Context) (interface{}, error) {
-		_, err := os.Stat(p)
-		if err == nil {
-			return "", nil
-		}
-		if !os.IsNotExist(err) {
-			return "", err
-		}
-		if err := ioutil.WriteFile(p+".tmp", []byte(hostsContent), 0644); err != nil {
-			return "", err
+func GetHostsFile(ctx context.Context, stateDir string, extraHosts []executor.HostIP) (string, func(), error) {
+	if len(extraHosts) == 0 {
+		_, err := g.Do(ctx, stateDir, func(ctx context.Context) (interface{}, error) {
+			_, _, err := makeHostsFile(stateDir, nil)
+			return nil, err
+		})
+		if err != nil {
+			return "", nil, err
 		}
+		return filepath.Join(stateDir, "hosts"), func() {}, nil
+	}
+	return makeHostsFile(stateDir, extraHosts)
+}
+
+func makeHostsFile(stateDir string, extraHosts []executor.HostIP) (string, func(), error) {
+	p := filepath.Join(stateDir, "hosts")
+	if len(extraHosts) != 0 {
+		p += "." + identity.NewID()
+	}
+	_, err := os.Stat(p)
+	if err == nil {
+		return "", func() {}, nil
+	}
+	if !os.IsNotExist(err) {
+		return "", nil, err
+	}
+
+	b := &bytes.Buffer{}
+
+	if _, err := b.Write([]byte(hostsContent)); err != nil {
+		return "", nil, err
+	}
 
-		if err := os.Rename(p+".tmp", p); err != nil {
-			return "", err
+	for _, h := range extraHosts {
+		if _, err := b.Write([]byte(fmt.Sprintf("%s\t%s\n", h.IP.String(), h.Host))); err != nil {
+			return "", nil, err
 		}
-		return "", nil
-	})
-	if err != nil {
-		return "", err
 	}
-	return p, nil
+
+	if err := ioutil.WriteFile(p+".tmp", b.Bytes(), 0644); err != nil {
+		return "", nil, err
+	}
+
+	if err := os.Rename(p+".tmp", p); err != nil {
+		return "", nil, err
+	}
+	return p, func() {
+		os.RemoveAll(p)
+	}, nil
 }

vendor/github.com/moby/buildkit/executor/oci/spec_unix.go

@@ -21,7 +21,7 @@ import (
 // Ideally we don't have to import whole containerd just for the default spec
 
 // GenerateSpec generates spec using containerd functionality.
-func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mount, id, resolvConf, hostsFile string, opts ...oci.SpecOpts) (*specs.Spec, func(), error) {
+func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mount, id, resolvConf, hostsFile string, hostNetwork bool, opts ...oci.SpecOpts) (*specs.Spec, func(), error) {
 	c := &containers.Container{
 		ID: id,
 	}
@@ -30,9 +30,9 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 		ctx = namespaces.WithNamespace(ctx, "buildkit")
 	}
 
-	opts = append(opts,
-		oci.WithHostNamespace(specs.NetworkNamespace),
-	)
+	if hostNetwork {
+		opts = append(opts, oci.WithHostNamespace(specs.NetworkNamespace))
+	}
 
 	// Note that containerd.GenerateSpec is namespaced so as to make
 	// specs.Linux.CgroupsPath namespaced

vendor/github.com/moby/buildkit/executor/runcexecutor/executor.go

@@ -10,6 +10,7 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
+	"sync"
 	"syscall"
 
 	"github.com/containerd/containerd/contrib/seccomp"
@@ -21,9 +22,12 @@ import (
 	"github.com/moby/buildkit/executor"
 	"github.com/moby/buildkit/executor/oci"
 	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/util/network"
 	rootlessspecconv "github.com/moby/buildkit/util/rootless/specconv"
 	"github.com/moby/buildkit/util/system"
-	"github.com/opencontainers/runtime-spec/specs-go"
+	runcsystem "github.com/opencontainers/runc/libcontainer/system"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -39,13 +43,14 @@ type Opt struct {
 var defaultCommandCandidates = []string{"buildkit-runc", "runc"}
 
 type runcExecutor struct {
-	runc     *runc.Runc
-	root     string
-	cmd      string
-	rootless bool
+	runc            *runc.Runc
+	root            string
+	cmd             string
+	rootless        bool
+	networkProvider network.Provider
 }
 
-func New(opt Opt) (executor.Executor, error) {
+func New(opt Opt, networkProvider network.Provider) (executor.Executor, error) {
 	cmds := opt.CommandCandidates
 	if cmds == nil {
 		cmds = defaultCommandCandidates
@@ -65,6 +70,10 @@ func New(opt Opt) (executor.Executor, error) {
 
 	root := opt.Root
 
+	if err := setSubReaper(); err != nil {
+		return nil, err
+	}
+
 	if err := os.MkdirAll(root, 0700); err != nil {
 		return nil, errors.Wrapf(err, "failed to create %s", root)
 	}
@@ -89,24 +98,49 @@ func New(opt Opt) (executor.Executor, error) {
 	}
 
 	w := &runcExecutor{
-		runc:     runtime,
-		root:     root,
-		rootless: opt.Rootless,
+		runc:            runtime,
+		root:            root,
+		rootless:        opt.Rootless,
+		networkProvider: networkProvider,
 	}
 	return w, nil
 }
 
 func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache.Mountable, mounts []executor.Mount, stdin io.ReadCloser, stdout, stderr io.WriteCloser) error {
+	var iface network.Interface
+	// FIXME: still uses host if no provider configured
+	if meta.NetMode == pb.NetMode_UNSET {
+		if w.networkProvider != nil {
+			var err error
+			iface, err = w.networkProvider.NewInterface()
+			if err != nil || iface == nil {
+				meta.NetMode = pb.NetMode_HOST
+			}
+		} else {
+			meta.NetMode = pb.NetMode_HOST
+		}
+	}
+	if meta.NetMode == pb.NetMode_HOST {
+		logrus.Info("enabling HostNetworking")
+	}
+	defer func() {
+		if iface != nil {
+			w.networkProvider.Release(iface)
+		}
+	}()
 
 	resolvConf, err := oci.GetResolvConf(ctx, w.root)
 	if err != nil {
 		return err
 	}
 
-	hostsFile, err := oci.GetHostsFile(ctx, w.root)
+	hostsFile, clean, err := oci.GetHostsFile(ctx, w.root, meta.ExtraHosts)
 	if err != nil {
 		return err
 	}
+	if clean != nil {
+		defer clean()
+	}
 
 	mountable, err := root.Mount(ctx, false)
 	if err != nil {
@@ -145,6 +179,7 @@ func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache.
 		return err
 	}
 	defer f.Close()
+
 	opts := []containerdoci.SpecOpts{oci.WithUIDGID(uid, gid, sgids)}
 	if system.SeccompSupported() {
 		opts = append(opts, seccomp.WithDefaultProfile())
@@ -152,7 +187,7 @@ func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache.
 	if meta.ReadonlyRootFS {
 		opts = append(opts, containerdoci.WithRootFSReadonly())
 	}
-	spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, opts...)
+	spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, meta.NetMode == pb.NetMode_HOST, opts...)
 	if err != nil {
 		return err
 	}
@@ -184,32 +219,140 @@ func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache.
 		return err
 	}
 
-	logrus.Debugf("> running %s %v", id, meta.Args)
+	forwardIO, err := newForwardIO(stdin, stdout, stderr)
+	if err != nil {
+		return errors.Wrap(err, "creating new forwarding IO")
+	}
+	defer forwardIO.Close()
 
-	status, err := w.runc.Run(ctx, id, bundle, &runc.CreateOpts{
-		IO: &forwardIO{stdin: stdin, stdout: stdout, stderr: stderr},
+	pidFilePath := filepath.Join(w.root, "runc_pid_"+identity.NewID())
+	defer os.RemoveAll(pidFilePath)
+
+	logrus.Debugf("> creating %s %v", id, meta.Args)
+	err = w.runc.Create(ctx, id, bundle, &runc.CreateOpts{
+		PidFile: pidFilePath,
+		IO:      forwardIO,
 	})
-	logrus.Debugf("< completed %s %v %v", id, status, err)
-	if status != 0 {
+	if err != nil {
+		return err
+	}
+	forwardIO.release()
+
+	defer func() {
+		go func() {
+			if err := w.runc.Delete(context.TODO(), id, &runc.DeleteOpts{}); err != nil {
+				logrus.Errorf("failed to delete %s: %+v", id, err)
+			}
+		}()
+	}()
+
+	dt, err := ioutil.ReadFile(pidFilePath)
+	if err != nil {
+		return err
+	}
+	pid, err := strconv.Atoi(string(dt))
+	if err != nil {
+		return err
+	}
+
+	done := make(chan struct{})
+	defer close(done)
+
+	go func() {
 		select {
+		case <-done:
 		case <-ctx.Done():
-			// runc can't report context.Cancelled directly
-			return errors.Wrapf(ctx.Err(), "exit code %d", status)
-		default:
+			syscall.Kill(-pid, syscall.SIGKILL)
 		}
-		return errors.Errorf("exit code %d", status)
+	}()
+
+	if iface != nil {
+		if err := iface.Set(pid); err != nil {
+			return errors.Wrap(err, "could not set the network")
+		}
+		defer func() {
+			iface.Remove(pid)
+		}()
 	}
 
-	return err
+	err = w.runc.Start(ctx, id)
+	if err != nil {
+		return err
+	}
+
+	p, err := os.FindProcess(pid)
+	if err != nil {
+		return err
+	}
+
+	status := 0
+	ps, err := p.Wait()
+	if err != nil {
+		status = 255
+	}
+
+	if ws, ok := ps.Sys().(syscall.WaitStatus); ok {
+		status = ws.ExitStatus()
+	}
+	if status != 0 {
+		return errors.Errorf("exit code: %d", status)
+	}
+
+	return nil
 }
 
 type forwardIO struct {
-	stdin          io.ReadCloser
-	stdout, stderr io.WriteCloser
+	stdin, stdout, stderr *os.File
+	toRelease             []io.Closer
+	toClose               []io.Closer
+}
+
+func newForwardIO(stdin io.ReadCloser, stdout, stderr io.WriteCloser) (f *forwardIO, err error) {
+	fio := &forwardIO{}
+	defer func() {
+		if err != nil {
+			fio.Close()
+		}
+	}()
+	if stdin != nil {
+		fio.stdin, err = fio.readCloserToFile(stdin)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if stdout != nil {
+		fio.stdout, err = fio.writeCloserToFile(stdout)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if stderr != nil {
+		fio.stderr, err = fio.writeCloserToFile(stderr)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return fio, nil
 }
 
 func (s *forwardIO) Close() error {
-	return nil
+	s.release()
+	var err error
+	for _, cl := range s.toClose {
+		if err1 := cl.Close(); err == nil {
+			err = err1
+		}
+	}
+	s.toClose = nil
+	return err
+}
+
+// release releases active FDs if the process doesn't need them any more
+func (s *forwardIO) release() {
+	for _, cl := range s.toRelease {
+		cl.Close()
+	}
+	s.toRelease = nil
 }
 
 func (s *forwardIO) Set(cmd *exec.Cmd) {
@@ -218,6 +361,62 @@ func (s *forwardIO) Set(cmd *exec.Cmd) {
 	cmd.Stderr = s.stderr
 }
 
+func (s *forwardIO) readCloserToFile(rc io.ReadCloser) (*os.File, error) {
+	if f, ok := rc.(*os.File); ok {
+		return f, nil
+	}
+	pr, pw, err := os.Pipe()
+	if err != nil {
+		return nil, err
+	}
+	s.toClose = append(s.toClose, pw)
+	s.toRelease = append(s.toRelease, pr)
+	go func() {
+		_, err := io.Copy(pw, rc)
+		if err1 := pw.Close(); err == nil {
+			err = err1
+		}
+		_ = err
+	}()
+	return pr, nil
+}
+
+func (s *forwardIO) writeCloserToFile(wc io.WriteCloser) (*os.File, error) {
+	if f, ok := wc.(*os.File); ok {
+		return f, nil
+	}
+	pr, pw, err := os.Pipe()
+	if err != nil {
+		return nil, err
+	}
+	s.toClose = append(s.toClose, pr)
+	s.toRelease = append(s.toRelease, pw)
+	go func() {
+		_, err := io.Copy(wc, pr)
+		if err1 := pw.Close(); err == nil {
+			err = err1
+		}
+		_ = err
+	}()
+	return pw, nil
+}
+
+var subReaperOnce sync.Once
+var subReaperError error
+
+// DisableSubReaper prevents setting subreaper on the current process.
+// Do not rely on this function it may change or be removed.
+func DisableSubReaper() {
+	subReaperOnce.Do(func() {})
+}
+
+func setSubReaper() error {
+	subReaperOnce.Do(func() {
+		subReaperError = runcsystem.SetSubreaper(1)
+	})
+	return subReaperError
+}
+
 func (s *forwardIO) Stdin() io.WriteCloser {
 	return nil
 }

vendor/github.com/moby/buildkit/frontend/dockerfile/builder/build.go

@@ -4,8 +4,10 @@ import (
 	"archive/tar"
 	"bytes"
 	"context"
+	"encoding/csv"
 	"encoding/json"
 	"fmt"
+	"net"
 	"regexp"
 	"strconv"
 	"strings"
@@ -36,6 +38,8 @@ const (
 	keyTargetPlatform     = "platform"
 	keyMultiPlatform      = "multi-platform"
 	keyImageResolveMode   = "image-resolve-mode"
+	keyGlobalAddHosts     = "add-hosts"
+	keyForceNetwork       = "force-network-mode"
 )
 
 var httpPrefix = regexp.MustCompile("^https?://")
@@ -64,6 +68,16 @@ func Build(ctx context.Context, c client.Client) (*client.Result, error) {
 		return nil, err
 	}
 
+	extraHosts, err := parseExtraHosts(opts[keyGlobalAddHosts])
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to parse additional hosts")
+	}
+
+	defaultNetMode, err := parseNetMode(opts[keyForceNetwork])
+	if err != nil {
+		return nil, err
+	}
+
 	filename := opts[keyFilename]
 	if filename == "" {
 		filename = defaultDockerfileName
@@ -250,6 +264,8 @@ func Build(ctx context.Context, c client.Client) (*client.Result, error) {
 					BuildPlatforms:   buildPlatforms,
 					ImageResolveMode: resolveMode,
 					PrefixPlatform:   exportMap,
+					ExtraHosts:       extraHosts,
+					ForceNetMode:     defaultNetMode,
 				})
 
 				if err != nil {
@@ -413,3 +429,45 @@ func parseResolveMode(v string) (llb.ResolveMode, error) {
 		return 0, errors.Errorf("invalid image-resolve-mode: %s", v)
 	}
 }
+
+func parseExtraHosts(v string) ([]llb.HostIP, error) {
+	if v == "" {
+		return nil, nil
+	}
+	out := make([]llb.HostIP, 0)
+	csvReader := csv.NewReader(strings.NewReader(v))
+	fields, err := csvReader.Read()
+	if err != nil {
+		return nil, err
+	}
+	for _, field := range fields {
+		parts := strings.SplitN(field, "=", 2)
+		if len(parts) != 2 {
+			return nil, errors.Errorf("invalid key-value pair %s", field)
+		}
+		key := strings.ToLower(parts[0])
+		val := strings.ToLower(parts[1])
+		ip := net.ParseIP(val)
+		if ip == nil {
+			return nil, errors.Errorf("failed to parse IP %s", val)
+		}
+		out = append(out, llb.HostIP{Host: key, IP: ip})
+	}
+	return out, nil
+}
+
+func parseNetMode(v string) (pb.NetMode, error) {
+	if v == "" {
+		return llb.NetModeSandbox, nil
+	}
+	switch v {
+	case "none":
+		return llb.NetModeNone, nil
+	case "host":
+		return llb.NetModeHost, nil
+	case "sandbox":
+		return llb.NetModeSandbox, nil
+	default:
+		return 0, errors.Errorf("invalid netmode %s", v)
+	}
+}

vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go

@@ -22,6 +22,7 @@ import (
 	"github.com/moby/buildkit/frontend/dockerfile/parser"
 	"github.com/moby/buildkit/frontend/dockerfile/shell"
 	gw "github.com/moby/buildkit/frontend/gateway/client"
+	"github.com/moby/buildkit/solver/pb"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"golang.org/x/sync/errgroup"
@@ -52,6 +53,8 @@ type ConvertOpt struct {
 	TargetPlatform   *specs.Platform
 	BuildPlatforms   []specs.Platform
 	PrefixPlatform   bool
+	ExtraHosts       []llb.HostIP
+	ForceNetMode     pb.NetMode
 }
 
 func Dockerfile2LLB(ctx context.Context, dt []byte, opt ConvertOpt) (*llb.State, *Image, error) {
@@ -282,6 +285,7 @@ func Dockerfile2LLB(ctx context.Context, dt []byte, opt ConvertOpt) (*llb.State,
 				return nil, nil, err
 			}
 		}
+		d.state = d.state.Network(opt.ForceNetMode)
 
 		opt := dispatchOpt{
 			allDispatchStates: allDispatchStates,
@@ -294,6 +298,7 @@ func Dockerfile2LLB(ctx context.Context, dt []byte, opt ConvertOpt) (*llb.State,
 			cacheIDNamespace:  opt.CacheIDNamespace,
 			buildPlatforms:    platformOpt.buildPlatforms,
 			targetPlatform:    platformOpt.targetPlatform,
+			extraHosts:        opt.ExtraHosts,
 		}
 
 		if err = dispatchOnBuild(d, d.image.Config.OnBuild, opt); err != nil {
@@ -397,6 +402,7 @@ type dispatchOpt struct {
 	cacheIDNamespace  string
 	targetPlatform    specs.Platform
 	buildPlatforms    []specs.Platform
+	extraHosts        []llb.HostIP
 }
 
 func dispatch(d *dispatchState, cmd command, opt dispatchOpt) error {
@@ -584,6 +590,9 @@ func dispatchRun(d *dispatchState, c *instructions.RunCommand, proxy *llb.ProxyE
 	}
 	opt = append(opt, runMounts...)
 	opt = append(opt, llb.WithCustomName(prefixCommand(d, uppercaseCmd(processCmdEnv(dopt.shlex, c.String(), d.state.Run(opt...).Env())), d.prefixPlatform, d.state.GetPlatform())))
+	for _, h := range dopt.extraHosts {
+		opt = append(opt, llb.AddExtraHost(h.Host, h.IP))
+	}
 	d.state = d.state.Run(opt...).Root()
 	return commitToHistory(&d.image, "RUN "+runCommandString(args, d.buildArgs), true, &d.state)
 }

vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert_nosecrets.go

@@ -0,0 +1,13 @@
+// +build dfrunmount,!dfsecrets
+
+package dockerfile2llb
+
+import (
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/pkg/errors"
+)
+
+func dispatchSecret(m *instructions.Mount) (llb.RunOption, error) {
+	return nil, errors.Errorf("secret mounts not allowed")
+}

vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert_runmount.go

@@ -57,6 +57,14 @@ func dispatchRunMounts(d *dispatchState, c *instructions.RunCommand, sources []*
 			st = llb.Scratch()
 			mountOpts = append(mountOpts, llb.Tmpfs())
 		}
+		if mount.Type == instructions.MountTypeSecret {
+			secret, err := dispatchSecret(mount)
+			if err != nil {
+				return nil, err
+			}
+			out = append(out, secret)
+			continue
+		}
 		if mount.ReadOnly {
 			mountOpts = append(mountOpts, llb.Readonly)
 		}

vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert_secrets.go

@@ -0,0 +1,32 @@
+// +build dfsecrets dfextall
+
+package dockerfile2llb
+
+import (
+	"path"
+
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/pkg/errors"
+)
+
+func dispatchSecret(m *instructions.Mount) (llb.RunOption, error) {
+	id := m.CacheID
+	if m.Source != "" {
+		id = m.Source
+	}
+
+	if id == "" {
+		if m.Target == "" {
+			return nil, errors.Errorf("one of source, target required")
+		}
+		id = path.Base(m.Target)
+	}
+
+	target := m.Target
+	if target == "" {
+		target = "/run/secrets/" + path.Base(id)
+	}
+
+	return llb.AddSecret(target, llb.SecretID(id)), nil
+}

vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/commands_nosecrets.go

@@ -0,0 +1,7 @@
+// +build !dfsecrets
+
+package instructions
+
+func isSecretMountsSupported() bool {
+	return false
+}

vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/commands_runmount.go

@@ -13,11 +13,13 @@ import (
 const MountTypeBind = "bind"
 const MountTypeCache = "cache"
 const MountTypeTmpfs = "tmpfs"
+const MountTypeSecret = "secret"
 
 var allowedMountTypes = map[string]struct{}{
-	MountTypeBind:  {},
-	MountTypeCache: {},
-	MountTypeTmpfs: {},
+	MountTypeBind:   {},
+	MountTypeCache:  {},
+	MountTypeTmpfs:  {},
+	MountTypeSecret: {},
 }
 
 const MountSharingShared = "shared"
@@ -40,6 +42,11 @@ func init() {
 }
 
 func isValidMountType(s string) bool {
+	if s == "secret" {
+		if !isSecretMountsSupported() {
+			return false
+		}
+	}
 	_, ok := allowedMountTypes[s]
 	return ok
 }
@@ -177,5 +184,20 @@ func parseMount(value string) (*Mount, error) {
 		return nil, errors.Errorf("invalid cache sharing set for %v mount", m.Type)
 	}
 
+	if m.Type == MountTypeSecret {
+		if m.From != "" {
+			return nil, errors.Errorf("secret mount should not have a from")
+		}
+		if m.CacheSharing != "" {
+			return nil, errors.Errorf("secret mount should not define sharing")
+		}
+		if m.Source == "" && m.Target == "" && m.CacheID == "" {
+			return nil, errors.Errorf("invalid secret mount. one of source, target required")
+		}
+		if m.Source != "" && m.CacheID != "" {
+			return nil, errors.Errorf("both source and id can't be set")
+		}
+	}
+
 	return m, nil
 }

vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/commands_secrets.go

@@ -0,0 +1,7 @@
+// +build dfsecrets dfextall
+
+package instructions
+
+func isSecretMountsSupported() bool {
+	return true
+}

vendor/github.com/moby/buildkit/frontend/gateway/gateway.go

@@ -215,26 +215,72 @@ func (gf *gatewayFrontend) Solve(ctx context.Context, llbBridge frontend.Fronten
 		ReadonlyRootFS: readonly,
 	}, rootFS, lbf.Stdin, lbf.Stdout, os.Stderr)
 
-	if lbf.err != nil {
-		return nil, lbf.err
+	if err != nil {
+		// An existing error (set via Return rpc) takes
+		// precedence over this error, which in turn takes
+		// precedence over a success reported via Return.
+		lbf.mu.Lock()
+		if lbf.err == nil {
+			lbf.result = nil
+			lbf.err = err
+		}
+		lbf.mu.Unlock()
 	}
 
-	if err != nil {
-		return nil, err
+	return lbf.Result()
+}
+
+func (lbf *llbBridgeForwarder) Done() <-chan struct{} {
+	return lbf.doneCh
+}
+
+func (lbf *llbBridgeForwarder) setResult(r *frontend.Result, err error) (*pb.ReturnResponse, error) {
+	lbf.mu.Lock()
+	defer lbf.mu.Unlock()
+
+	if (r == nil) == (err == nil) {
+		return nil, errors.New("gateway return must be either result or err")
+	}
+
+	if lbf.result != nil || lbf.err != nil {
+		return nil, errors.New("gateway result is already set")
+	}
+
+	lbf.result = r
+	lbf.err = err
+	close(lbf.doneCh)
+	return &pb.ReturnResponse{}, nil
+}
+
+func (lbf *llbBridgeForwarder) Result() (*frontend.Result, error) {
+	lbf.mu.Lock()
+	defer lbf.mu.Unlock()
+
+	if lbf.result == nil && lbf.err == nil {
+		return nil, errors.New("no result for incomplete build")
+	}
+
+	if lbf.err != nil {
+		return nil, lbf.err
 	}
 
 	return lbf.result, nil
 }
 
-func newLLBBridgeForwarder(ctx context.Context, llbBridge frontend.FrontendLLBBridge, workers frontend.WorkerInfos) (*llbBridgeForwarder, error) {
+func NewBridgeForwarder(ctx context.Context, llbBridge frontend.FrontendLLBBridge, workers frontend.WorkerInfos) *llbBridgeForwarder {
 	lbf := &llbBridgeForwarder{
 		callCtx:   ctx,
 		llbBridge: llbBridge,
 		refs:      map[string]solver.CachedResult{},
+		doneCh:    make(chan struct{}),
 		pipe:      newPipe(),
 		workers:   workers,
 	}
+	return lbf
+}
 
+func newLLBBridgeForwarder(ctx context.Context, llbBridge frontend.FrontendLLBBridge, workers frontend.WorkerInfos) (*llbBridgeForwarder, error) {
+	lbf := NewBridgeForwarder(ctx, llbBridge, workers)
 	server := grpc.NewServer()
 	grpc_health_v1.RegisterHealthServer(server, health.NewServer())
 	pb.RegisterLLBBridgeServer(server, lbf)
@@ -297,6 +343,12 @@ func (d dummyAddr) String() string {
 	return "localhost"
 }
 
+type LLBBridgeForwarder interface {
+	pb.LLBBridgeServer
+	Done() <-chan struct{}
+	Result() (*frontend.Result, error)
+}
+
 type llbBridgeForwarder struct {
 	mu        sync.Mutex
 	callCtx   context.Context
@@ -305,6 +357,7 @@ type llbBridgeForwarder struct {
 	// lastRef      solver.CachedResult
 	// lastRefs     map[string]solver.CachedResult
 	// err          error
+	doneCh       chan struct{} // closed when result or err become valid through a call to a Return
 	result       *frontend.Result
 	err          error
 	exporterAttr map[string][]byte
@@ -465,13 +518,13 @@ func (lbf *llbBridgeForwarder) Ping(context.Context, *pb.PingRequest) (*pb.PongR
 
 func (lbf *llbBridgeForwarder) Return(ctx context.Context, in *pb.ReturnRequest) (*pb.ReturnResponse, error) {
 	if in.Error != nil {
-		lbf.err = status.ErrorProto(&spb.Status{
+		return lbf.setResult(nil, status.ErrorProto(&spb.Status{
 			Code:    in.Error.Code,
 			Message: in.Error.Message,
 			// Details: in.Error.Details,
-		})
+		}))
 	} else {
-		lbf.result = &frontend.Result{
+		r := &frontend.Result{
 			Metadata: in.Result.Metadata,
 		}
 
@@ -481,7 +534,7 @@ func (lbf *llbBridgeForwarder) Return(ctx context.Context, in *pb.ReturnRequest)
 			if err != nil {
 				return nil, err
 			}
-			lbf.result.Ref = ref
+			r.Ref = ref
 		case *pb.Result_Refs:
 			m := map[string]solver.CachedResult{}
 			for k, v := range res.Refs.Refs {
@@ -491,11 +544,10 @@ func (lbf *llbBridgeForwarder) Return(ctx context.Context, in *pb.ReturnRequest)
 				}
 				m[k] = ref
 			}
-			lbf.result.Refs = m
+			r.Refs = m
 		}
+		return lbf.setResult(r, nil)
 	}
-
-	return &pb.ReturnResponse{}, nil
 }
 
 func (lbf *llbBridgeForwarder) convertRef(id string) (solver.CachedResult, error) {

vendor/github.com/moby/buildkit/frontend/gateway/grpcclient/client.go

@@ -0,0 +1,457 @@
+package grpcclient
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/gogo/googleapis/google/rpc"
+	"github.com/moby/buildkit/frontend/gateway/client"
+	pb "github.com/moby/buildkit/frontend/gateway/pb"
+	opspb "github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/util/apicaps"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/status"
+)
+
+const frontendPrefix = "BUILDKIT_FRONTEND_OPT_"
+
+type GrpcClient interface {
+	Run(context.Context, client.BuildFunc) error
+}
+
+func New(ctx context.Context, opts map[string]string, session, product string, c pb.LLBBridgeClient, w []client.WorkerInfo) (GrpcClient, error) {
+	resp, err := c.Ping(ctx, &pb.PingRequest{})
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.FrontendAPICaps == nil {
+		resp.FrontendAPICaps = defaultCaps()
+	}
+
+	if resp.LLBCaps == nil {
+		resp.LLBCaps = defaultLLBCaps()
+	}
+
+	return &grpcClient{
+		client:    c,
+		opts:      opts,
+		sessionID: session,
+		workers:   w,
+		product:   product,
+		caps:      pb.Caps.CapSet(resp.FrontendAPICaps),
+		llbCaps:   opspb.Caps.CapSet(resp.LLBCaps),
+		requests:  map[string]*pb.SolveRequest{},
+	}, nil
+}
+
+func current() (GrpcClient, error) {
+	if ep := product(); ep != "" {
+		apicaps.ExportedProduct = ep
+	}
+
+	ctx, conn, err := grpcClientConn(context.Background())
+	if err != nil {
+		return nil, err
+	}
+
+	return New(ctx, opts(), sessionID(), product(), pb.NewLLBBridgeClient(conn), workers())
+}
+
+func convertRef(ref client.Reference) (string, error) {
+	if ref == nil {
+		return "", nil
+	}
+	r, ok := ref.(*reference)
+	if !ok {
+		return "", errors.Errorf("invalid return reference type %T", ref)
+	}
+	return r.id, nil
+}
+
+func RunFromEnvironment(ctx context.Context, f client.BuildFunc) error {
+	client, err := current()
+	if err != nil {
+		return errors.Wrapf(err, "failed to initialize client from environment")
+	}
+	return client.Run(ctx, f)
+}
+
+func (c *grpcClient) Run(ctx context.Context, f client.BuildFunc) (retError error) {
+	export := c.caps.Supports(pb.CapReturnResult) == nil
+
+	var (
+		res *client.Result
+		err error
+	)
+	if export {
+		defer func() {
+			req := &pb.ReturnRequest{}
+			if retError == nil {
+				if res == nil {
+					res = &client.Result{}
+				}
+				pbRes := &pb.Result{
+					Metadata: res.Metadata,
+				}
+				if res.Refs != nil {
+					m := map[string]string{}
+					for k, r := range res.Refs {
+						id, err := convertRef(r)
+						if err != nil {
+							retError = err
+							continue
+						}
+						m[k] = id
+					}
+					pbRes.Result = &pb.Result_Refs{Refs: &pb.RefMap{Refs: m}}
+				} else {
+					id, err := convertRef(res.Ref)
+					if err != nil {
+						retError = err
+					} else {
+						pbRes.Result = &pb.Result_Ref{Ref: id}
+					}
+				}
+				if retError == nil {
+					req.Result = pbRes
+				}
+			}
+			if retError != nil {
+				st, _ := status.FromError(retError)
+				stp := st.Proto()
+				req.Error = &rpc.Status{
+					Code:    stp.Code,
+					Message: stp.Message,
+					// Details: stp.Details,
+				}
+			}
+			if _, err := c.client.Return(ctx, req); err != nil && retError == nil {
+				retError = err
+			}
+		}()
+	}
+
+	if res, err = f(ctx, c); err != nil {
+		return err
+	}
+
+	if err := c.caps.Supports(pb.CapReturnMap); len(res.Refs) > 1 && err != nil {
+		return err
+	}
+
+	if !export {
+		exportedAttrBytes, err := json.Marshal(res.Metadata)
+		if err != nil {
+			return errors.Wrapf(err, "failed to marshal return metadata")
+		}
+
+		req, err := c.requestForRef(res.Ref)
+		if err != nil {
+			return errors.Wrapf(err, "failed to find return ref")
+		}
+
+		req.Final = true
+		req.ExporterAttr = exportedAttrBytes
+
+		if _, err := c.client.Solve(ctx, req); err != nil {
+			return errors.Wrapf(err, "failed to solve")
+		}
+	}
+
+	return nil
+}
+
+// defaultCaps returns the capabilities that were implemented when capabilities
+// support was added. This list is frozen and should never be changed.
+func defaultCaps() []apicaps.PBCap {
+	return []apicaps.PBCap{
+		{ID: string(pb.CapSolveBase), Enabled: true},
+		{ID: string(pb.CapSolveInlineReturn), Enabled: true},
+		{ID: string(pb.CapResolveImage), Enabled: true},
+		{ID: string(pb.CapReadFile), Enabled: true},
+	}
+}
+
+// defaultLLBCaps returns the LLB capabilities that were implemented when capabilities
+// support was added. This list is frozen and should never be changed.
+func defaultLLBCaps() []apicaps.PBCap {
+	return []apicaps.PBCap{
+		{ID: string(opspb.CapSourceImage), Enabled: true},
+		{ID: string(opspb.CapSourceLocal), Enabled: true},
+		{ID: string(opspb.CapSourceLocalUnique), Enabled: true},
+		{ID: string(opspb.CapSourceLocalSessionID), Enabled: true},
+		{ID: string(opspb.CapSourceLocalIncludePatterns), Enabled: true},
+		{ID: string(opspb.CapSourceLocalFollowPaths), Enabled: true},
+		{ID: string(opspb.CapSourceLocalExcludePatterns), Enabled: true},
+		{ID: string(opspb.CapSourceLocalSharedKeyHint), Enabled: true},
+		{ID: string(opspb.CapSourceGit), Enabled: true},
+		{ID: string(opspb.CapSourceGitKeepDir), Enabled: true},
+		{ID: string(opspb.CapSourceGitFullURL), Enabled: true},
+		{ID: string(opspb.CapSourceHTTP), Enabled: true},
+		{ID: string(opspb.CapSourceHTTPChecksum), Enabled: true},
+		{ID: string(opspb.CapSourceHTTPPerm), Enabled: true},
+		{ID: string(opspb.CapSourceHTTPUIDGID), Enabled: true},
+		{ID: string(opspb.CapBuildOpLLBFileName), Enabled: true},
+		{ID: string(opspb.CapExecMetaBase), Enabled: true},
+		{ID: string(opspb.CapExecMetaProxy), Enabled: true},
+		{ID: string(opspb.CapExecMountBind), Enabled: true},
+		{ID: string(opspb.CapExecMountCache), Enabled: true},
+		{ID: string(opspb.CapExecMountCacheSharing), Enabled: true},
+		{ID: string(opspb.CapExecMountSelector), Enabled: true},
+		{ID: string(opspb.CapExecMountTmpfs), Enabled: true},
+		{ID: string(opspb.CapMountSecret), Enabled: true},
+		{ID: string(opspb.CapConstraints), Enabled: true},
+		{ID: string(opspb.CapPlatform), Enabled: true},
+		{ID: string(opspb.CapMetaIgnoreCache), Enabled: true},
+		{ID: string(opspb.CapMetaDescription), Enabled: true},
+		{ID: string(opspb.CapMetaExportCache), Enabled: true},
+	}
+}
+
+type grpcClient struct {
+	client    pb.LLBBridgeClient
+	opts      map[string]string
+	sessionID string
+	product   string
+	workers   []client.WorkerInfo
+	caps      apicaps.CapSet
+	llbCaps   apicaps.CapSet
+	requests  map[string]*pb.SolveRequest
+}
+
+func (c *grpcClient) requestForRef(ref client.Reference) (*pb.SolveRequest, error) {
+	emptyReq := &pb.SolveRequest{
+		Definition: &opspb.Definition{},
+	}
+	if ref == nil {
+		return emptyReq, nil
+	}
+	r, ok := ref.(*reference)
+	if !ok {
+		return nil, errors.Errorf("return reference has invalid type %T", ref)
+	}
+	if r.id == "" {
+		return emptyReq, nil
+	}
+	req, ok := c.requests[r.id]
+	if !ok {
+		return nil, errors.Errorf("did not find request for return reference %s", r.id)
+	}
+	return req, nil
+}
+
+func (c *grpcClient) Solve(ctx context.Context, creq client.SolveRequest) (*client.Result, error) {
+	if creq.Definition != nil {
+		for _, md := range creq.Definition.Metadata {
+			for cap := range md.Caps {
+				if err := c.llbCaps.Supports(cap); err != nil {
+					return nil, err
+				}
+			}
+		}
+	}
+
+	req := &pb.SolveRequest{
+		Definition:        creq.Definition,
+		Frontend:          creq.Frontend,
+		FrontendOpt:       creq.FrontendOpt,
+		ImportCacheRefs:   creq.ImportCacheRefs,
+		AllowResultReturn: true,
+	}
+
+	// backwards compatibility with inline return
+	if c.caps.Supports(pb.CapReturnResult) != nil {
+		req.ExporterAttr = []byte("{}")
+	}
+
+	resp, err := c.client.Solve(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+
+	res := &client.Result{}
+
+	if resp.Result == nil {
+		if id := resp.Ref; id != "" {
+			c.requests[id] = req
+		}
+		res.SetRef(&reference{id: resp.Ref, c: c})
+	} else {
+		res.Metadata = resp.Result.Metadata
+		switch pbRes := resp.Result.Result.(type) {
+		case *pb.Result_Ref:
+			if id := pbRes.Ref; id != "" {
+				res.SetRef(&reference{id: id, c: c})
+			}
+		case *pb.Result_Refs:
+			for k, v := range pbRes.Refs.Refs {
+				ref := &reference{id: v, c: c}
+				if v == "" {
+					ref = nil
+				}
+				res.AddRef(k, ref)
+			}
+		}
+	}
+
+	return res, nil
+}
+
+func (c *grpcClient) ResolveImageConfig(ctx context.Context, ref string, opt client.ResolveImageConfigOpt) (digest.Digest, []byte, error) {
+	var p *opspb.Platform
+	if platform := opt.Platform; platform != nil {
+		p = &opspb.Platform{
+			OS:           platform.OS,
+			Architecture: platform.Architecture,
+			Variant:      platform.Variant,
+			OSVersion:    platform.OSVersion,
+			OSFeatures:   platform.OSFeatures,
+		}
+	}
+	resp, err := c.client.ResolveImageConfig(ctx, &pb.ResolveImageConfigRequest{Ref: ref, Platform: p, ResolveMode: opt.ResolveMode, LogName: opt.LogName})
+	if err != nil {
+		return "", nil, err
+	}
+	return resp.Digest, resp.Config, nil
+}
+
+func (c *grpcClient) BuildOpts() client.BuildOpts {
+	return client.BuildOpts{
+		Opts:      c.opts,
+		SessionID: c.sessionID,
+		Workers:   c.workers,
+		Product:   c.product,
+	}
+}
+
+func (c *grpcClient) Opts() map[string]string {
+	return c.opts
+}
+
+func (c *grpcClient) SessionID() string {
+	return c.sessionID
+}
+
+func (c *grpcClient) WorkerInfos() []client.WorkerInfo {
+	return c.workers
+}
+
+type reference struct {
+	id string
+	c  *grpcClient
+}
+
+func (r *reference) ReadFile(ctx context.Context, req client.ReadRequest) ([]byte, error) {
+	rfr := &pb.ReadFileRequest{FilePath: req.Filename, Ref: r.id}
+	if r := req.Range; r != nil {
+		rfr.Range = &pb.FileRange{
+			Offset: int64(r.Offset),
+			Length: int64(r.Length),
+		}
+	}
+	resp, err := r.c.client.ReadFile(ctx, rfr)
+	if err != nil {
+		return nil, err
+	}
+	return resp.Data, nil
+}
+
+func grpcClientConn(ctx context.Context) (context.Context, *grpc.ClientConn, error) {
+	dialOpt := grpc.WithDialer(func(addr string, d time.Duration) (net.Conn, error) {
+		return stdioConn(), nil
+	})
+
+	cc, err := grpc.DialContext(ctx, "", dialOpt, grpc.WithInsecure())
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "failed to create grpc client")
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+	_ = cancel
+	// go monitorHealth(ctx, cc, cancel)
+
+	return ctx, cc, nil
+}
+
+func stdioConn() net.Conn {
+	return &conn{os.Stdin, os.Stdout, os.Stdout}
+}
+
+type conn struct {
+	io.Reader
+	io.Writer
+	io.Closer
+}
+
+func (s *conn) LocalAddr() net.Addr {
+	return dummyAddr{}
+}
+func (s *conn) RemoteAddr() net.Addr {
+	return dummyAddr{}
+}
+func (s *conn) SetDeadline(t time.Time) error {
+	return nil
+}
+func (s *conn) SetReadDeadline(t time.Time) error {
+	return nil
+}
+func (s *conn) SetWriteDeadline(t time.Time) error {
+	return nil
+}
+
+type dummyAddr struct {
+}
+
+func (d dummyAddr) Network() string {
+	return "pipe"
+}
+
+func (d dummyAddr) String() string {
+	return "localhost"
+}
+
+func opts() map[string]string {
+	opts := map[string]string{}
+	for _, env := range os.Environ() {
+		parts := strings.SplitN(env, "=", 2)
+		k := parts[0]
+		v := ""
+		if len(parts) == 2 {
+			v = parts[1]
+		}
+		if !strings.HasPrefix(k, frontendPrefix) {
+			continue
+		}
+		parts = strings.SplitN(v, "=", 2)
+		v = ""
+		if len(parts) == 2 {
+			v = parts[1]
+		}
+		opts[parts[0]] = v
+	}
+	return opts
+}
+
+func sessionID() string {
+	return os.Getenv("BUILDKIT_SESSION_ID")
+}
+
+func workers() []client.WorkerInfo {
+	var c []client.WorkerInfo
+	if err := json.Unmarshal([]byte(os.Getenv("BUILDKIT_WORKERS")), &c); err != nil {
+		return nil
+	}
+	return c
+}
+
+func product() string {
+	return os.Getenv("BUILDKIT_EXPORTEDPRODUCT")
+}

vendor/github.com/moby/buildkit/solver/jobs.go

@@ -21,6 +21,7 @@ type ResolveOpFunc func(Vertex, Builder) (Op, error)
 type Builder interface {
 	Build(ctx context.Context, e Edge) (CachedResult, error)
 	Context(ctx context.Context) context.Context
+	EachValue(ctx context.Context, key string, fn func(interface{}) error) error
 }
 
 // Solver provides a shared graph of all the vertexes currently being
@@ -169,10 +170,22 @@ func (sb *subBuilder) Context(ctx context.Context) context.Context {
 	return progress.WithProgress(ctx, sb.mpw)
 }
 
+func (sb *subBuilder) EachValue(ctx context.Context, key string, fn func(interface{}) error) error {
+	sb.mu.Lock()
+	defer sb.mu.Lock()
+	for j := range sb.jobs {
+		if err := j.EachValue(ctx, key, fn); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 type Job struct {
-	list *Solver
-	pr   *progress.MultiReader
-	pw   progress.Writer
+	list   *Solver
+	pr     *progress.MultiReader
+	pw     progress.Writer
+	values sync.Map
 
 	progressCloser func()
 	SessionID      string
@@ -446,6 +459,18 @@ func (j *Job) Context(ctx context.Context) context.Context {
 	return progress.WithProgress(ctx, j.pw)
 }
 
+func (j *Job) SetValue(key string, v interface{}) {
+	j.values.Store(key, v)
+}
+
+func (j *Job) EachValue(ctx context.Context, key string, fn func(interface{}) error) error {
+	v, ok := j.values.Load(key)
+	if ok {
+		return fn(v)
+	}
+	return nil
+}
+
 type cacheMapResp struct {
 	*CacheMap
 	complete bool

vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go

@@ -75,7 +75,12 @@ func (b *llbBridge) Solve(ctx context.Context, req frontend.SolveRequest) (res *
 	}
 
 	if req.Definition != nil && req.Definition.Def != nil {
-		edge, err := Load(req.Definition, WithCacheSources(cms), RuntimePlatforms(b.platforms), WithValidateCaps())
+		ent, err := loadEntitlements(b.builder)
+		if err != nil {
+			return nil, err
+		}
+
+		edge, err := Load(req.Definition, ValidateEntitlements(ent), WithCacheSources(cms), RuntimePlatforms(b.platforms), WithValidateCaps())
 		if err != nil {
 			return nil, err
 		}

vendor/github.com/moby/buildkit/solver/llbsolver/ops/exec.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
+	"net"
 	"os"
 	"path"
 	"path/filepath"
@@ -67,6 +68,11 @@ func NewExecOp(v solver.Vertex, op *pb.Op_Exec, cm cache.Manager, sm *session.Ma
 func cloneExecOp(old *pb.ExecOp) pb.ExecOp {
 	n := *old
 	meta := *n.Meta
+	meta.ExtraHosts = nil
+	for i := range n.Meta.ExtraHosts {
+		h := *n.Meta.ExtraHosts[i]
+		meta.ExtraHosts = append(meta.ExtraHosts, &h)
+	}
 	n.Meta = &meta
 	n.Mounts = nil
 	for i := range n.Mounts {
@@ -78,6 +84,11 @@ func cloneExecOp(old *pb.ExecOp) pb.ExecOp {
 
 func (e *execOp) CacheMap(ctx context.Context, index int) (*solver.CacheMap, bool, error) {
 	op := cloneExecOp(e.op)
+	for i := range op.Meta.ExtraHosts {
+		h := op.Meta.ExtraHosts[i]
+		h.IP = ""
+		op.Meta.ExtraHosts[i] = h
+	}
 	for i := range op.Mounts {
 		op.Mounts[i].Selector = ""
 	}
@@ -504,12 +515,19 @@ func (e *execOp) Exec(ctx context.Context, inputs []solver.Result) ([]solver.Res
 		return mounts[i].Dest < mounts[j].Dest
 	})
 
+	extraHosts, err := parseExtraHosts(e.op.Meta.ExtraHosts)
+	if err != nil {
+		return nil, err
+	}
+
 	meta := executor.Meta{
 		Args:           e.op.Meta.Args,
 		Env:            e.op.Meta.Env,
 		Cwd:            e.op.Meta.Cwd,
 		User:           e.op.Meta.User,
 		ReadonlyRootFS: readonlyRootFS,
+		ExtraHosts:     extraHosts,
+		NetMode:        e.op.Network,
 	}
 
 	if e.op.Meta.ProxyEnv != nil {
@@ -657,3 +675,18 @@ func (r *cacheRef) Release(ctx context.Context) error {
 	}
 	return nil
 }
+
+func parseExtraHosts(ips []*pb.HostIP) ([]executor.HostIP, error) {
+	out := make([]executor.HostIP, len(ips))
+	for i, hip := range ips {
+		ip := net.ParseIP(hip.IP)
+		if ip == nil {
+			return nil, errors.Errorf("failed to parse IP %s", hip.IP)
+		}
+		out[i] = executor.HostIP{
+			IP:   ip,
+			Host: hip.Host,
+		}
+	}
+	return out, nil
+}

vendor/github.com/moby/buildkit/solver/llbsolver/solver.go

@@ -7,11 +7,14 @@ import (
 	"github.com/moby/buildkit/cache"
 	"github.com/moby/buildkit/cache/remotecache"
 	"github.com/moby/buildkit/client"
+	controlgateway "github.com/moby/buildkit/control/gateway"
 	"github.com/moby/buildkit/exporter"
 	"github.com/moby/buildkit/frontend"
+	"github.com/moby/buildkit/frontend/gateway"
 	"github.com/moby/buildkit/identity"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/util/entitlements"
 	"github.com/moby/buildkit/util/progress"
 	"github.com/moby/buildkit/worker"
 	digest "github.com/opencontainers/go-digest"
@@ -19,6 +22,8 @@ import (
 	"github.com/pkg/errors"
 )
 
+const keyEntitlements = "llb.entitlements"
+
 type ExporterRequest struct {
 	Exporter        exporter.ExporterInstance
 	CacheExporter   remotecache.Exporter
@@ -29,18 +34,22 @@ type ExporterRequest struct {
 type ResolveWorkerFunc func() (worker.Worker, error)
 
 type Solver struct {
+	workerController     *worker.Controller
 	solver               *solver.Solver
 	resolveWorker        ResolveWorkerFunc
 	frontends            map[string]frontend.Frontend
 	resolveCacheImporter remotecache.ResolveCacheImporterFunc
 	platforms            []specs.Platform
+	gatewayForwarder     *controlgateway.GatewayForwarder
 }
 
-func New(wc *worker.Controller, f map[string]frontend.Frontend, cache solver.CacheManager, resolveCI remotecache.ResolveCacheImporterFunc) (*Solver, error) {
+func New(wc *worker.Controller, f map[string]frontend.Frontend, cache solver.CacheManager, resolveCI remotecache.ResolveCacheImporterFunc, gatewayForwarder *controlgateway.GatewayForwarder) (*Solver, error) {
 	s := &Solver{
+		workerController:     wc,
 		resolveWorker:        defaultResolver(wc),
 		frontends:            f,
 		resolveCacheImporter: resolveCI,
+		gatewayForwarder:     gatewayForwarder,
 	}
 
 	// executing is currently only allowed on default worker
@@ -78,7 +87,7 @@ func (s *Solver) Bridge(b solver.Builder) frontend.FrontendLLBBridge {
 	}
 }
 
-func (s *Solver) Solve(ctx context.Context, id string, req frontend.SolveRequest, exp ExporterRequest) (*client.SolveResponse, error) {
+func (s *Solver) Solve(ctx context.Context, id string, req frontend.SolveRequest, exp ExporterRequest, ent []entitlements.Entitlement) (*client.SolveResponse, error) {
 	j, err := s.solver.NewJob(id)
 	if err != nil {
 		return nil, err
@@ -86,12 +95,38 @@ func (s *Solver) Solve(ctx context.Context, id string, req frontend.SolveRequest
 
 	defer j.Discard()
 
-	j.SessionID = session.FromContext(ctx)
-
-	res, err := s.Bridge(j).Solve(ctx, req)
+	set, err := entitlements.WhiteList(ent, supportedEntitlements())
 	if err != nil {
 		return nil, err
 	}
+	j.SetValue(keyEntitlements, set)
+
+	j.SessionID = session.FromContext(ctx)
+
+	var res *frontend.Result
+	if s.gatewayForwarder != nil && req.Definition == nil && req.Frontend == "" {
+		fwd := gateway.NewBridgeForwarder(ctx, s.Bridge(j), s.workerController)
+		if err := s.gatewayForwarder.RegisterBuild(ctx, id, fwd); err != nil {
+			return nil, err
+		}
+		defer s.gatewayForwarder.UnregisterBuild(ctx, id)
+
+		var err error
+		select {
+		case <-fwd.Done():
+			res, err = fwd.Result()
+		case <-ctx.Done():
+			err = ctx.Err()
+		}
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		res, err = s.Bridge(j).Solve(ctx, req)
+		if err != nil {
+			return nil, err
+		}
+	}
 
 	defer func() {
 		res.EachRef(func(ref solver.CachedResult) error {
@@ -105,6 +140,9 @@ func (s *Solver) Solve(ctx context.Context, id string, req frontend.SolveRequest
 		inp := exporter.Source{
 			Metadata: res.Metadata,
 		}
+		if inp.Metadata == nil {
+			inp.Metadata = make(map[string][]byte)
+		}
 		if res := res.Ref; res != nil {
 			workerRef, ok := res.Sys().(*worker.WorkerRef)
 			if !ok {
@@ -164,6 +202,7 @@ func (s *Solver) Solve(ctx context.Context, id string, req frontend.SolveRequest
 func (s *Solver) Status(ctx context.Context, id string, statusChan chan *client.SolveStatus) error {
 	j, err := s.solver.Get(id)
 	if err != nil {
+		close(statusChan)
 		return err
 	}
 	return j.Status(ctx, statusChan)
@@ -229,3 +268,31 @@ func notifyCompleted(ctx context.Context, v *client.Vertex, err error, cached bo
 	}
 	pw.Write(v.Digest.String(), *v)
 }
+
+var AllowNetworkHostUnstable = false // TODO: enable in constructor
+
+func supportedEntitlements() []entitlements.Entitlement {
+	out := []entitlements.Entitlement{} // nil means no filter
+	if AllowNetworkHostUnstable {
+		out = append(out, entitlements.EntitlementNetworkHost)
+	}
+	return out
+}
+
+func loadEntitlements(b solver.Builder) (entitlements.Set, error) {
+	var ent entitlements.Set = map[entitlements.Entitlement]struct{}{}
+	err := b.EachValue(context.TODO(), keyEntitlements, func(v interface{}) error {
+		set, ok := v.(entitlements.Set)
+		if !ok {
+			return errors.Errorf("invalid entitlements %T", v)
+		}
+		for k := range set {
+			ent[k] = struct{}{}
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return ent, nil
+}

vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go

@@ -7,6 +7,7 @@ import (
 	"github.com/moby/buildkit/solver"
 	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/source"
+	"github.com/moby/buildkit/util/entitlements"
 	digest "github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -99,6 +100,25 @@ func RuntimePlatforms(p []specs.Platform) LoadOpt {
 	}
 }
 
+func ValidateEntitlements(ent entitlements.Set) LoadOpt {
+	return func(op *pb.Op, _ *pb.OpMetadata, opt *solver.VertexOptions) error {
+		switch op := op.Op.(type) {
+		case *pb.Op_Exec:
+			if op.Exec.Network == pb.NetMode_HOST {
+				if !ent.Allowed(entitlements.EntitlementNetworkHost) {
+					return errors.Errorf("%s is not allowed", entitlements.EntitlementNetworkHost)
+				}
+			}
+			if op.Exec.Network == pb.NetMode_NONE {
+				if !ent.Allowed(entitlements.EntitlementNetworkNone) {
+					return errors.Errorf("%s is not allowed", entitlements.EntitlementNetworkNone)
+				}
+			}
+		}
+		return nil
+	}
+}
+
 func Load(def *pb.Definition, opts ...LoadOpt) (solver.Edge, error) {
 	return loadLLB(def, func(dgst digest.Digest, pbOp *pb.Op, load func(digest.Digest) (solver.Vertex, error)) (solver.Vertex, error) {
 		opMetadata := def.Metadata[dgst]

vendor/github.com/moby/buildkit/solver/pb/caps.go

@@ -32,6 +32,7 @@ const (
 
 	CapExecMetaBase          apicaps.CapID = "exec.meta.base"
 	CapExecMetaProxy         apicaps.CapID = "exec.meta.proxyenv"
+	CapExecMetaNetwork       apicaps.CapID = "exec.meta.network"
 	CapExecMountBind         apicaps.CapID = "exec.mount.bind"
 	CapExecMountCache        apicaps.CapID = "exec.mount.cache"
 	CapExecMountCacheSharing apicaps.CapID = "exec.mount.cache.sharing"
@@ -162,6 +163,12 @@ func init() {
 		Status:  apicaps.CapStatusExperimental,
 	})
 
+	Caps.Init(apicaps.Cap{
+		ID:      CapExecMetaNetwork,
+		Enabled: true,
+		Status:  apicaps.CapStatusExperimental,
+	})
+
 	Caps.Init(apicaps.Cap{
 		ID:      CapExecMountBind,
 		Enabled: true,

vendor/github.com/moby/buildkit/solver/pb/ops.pb.go

@@ -29,6 +29,7 @@
 		ProxyEnv
 		WorkerConstraints
 		Definition
+		HostIP
 */
 package pb
 
@@ -53,6 +54,30 @@ var _ = math.Inf
 // proto package needs to be updated.
 const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
 
+type NetMode int32
+
+const (
+	NetMode_UNSET NetMode = 0
+	NetMode_HOST  NetMode = 1
+	NetMode_NONE  NetMode = 2
+)
+
+var NetMode_name = map[int32]string{
+	0: "UNSET",
+	1: "HOST",
+	2: "NONE",
+}
+var NetMode_value = map[string]int32{
+	"UNSET": 0,
+	"HOST":  1,
+	"NONE":  2,
+}
+
+func (x NetMode) String() string {
+	return proto.EnumName(NetMode_name, int32(x))
+}
+func (NetMode) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{0} }
+
 // MountType defines a type of a mount from a supported set
 type MountType int32
 
@@ -82,7 +107,7 @@ var MountType_value = map[string]int32{
 func (x MountType) String() string {
 	return proto.EnumName(MountType_name, int32(x))
 }
-func (MountType) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{0} }
+func (MountType) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{1} }
 
 // CacheSharingOpt defines different sharing modes for cache mount
 type CacheSharingOpt int32
@@ -110,7 +135,7 @@ var CacheSharingOpt_value = map[string]int32{
 func (x CacheSharingOpt) String() string {
 	return proto.EnumName(CacheSharingOpt_name, int32(x))
 }
-func (CacheSharingOpt) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{1} }
+func (CacheSharingOpt) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{2} }
 
 // Op represents a vertex of the LLB DAG.
 type Op struct {
@@ -387,8 +412,9 @@ func (*Input) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{2}
 
 // ExecOp executes a command in a container.
 type ExecOp struct {
-	Meta   *Meta    `protobuf:"bytes,1,opt,name=meta" json:"meta,omitempty"`
-	Mounts []*Mount `protobuf:"bytes,2,rep,name=mounts" json:"mounts,omitempty"`
+	Meta    *Meta    `protobuf:"bytes,1,opt,name=meta" json:"meta,omitempty"`
+	Mounts  []*Mount `protobuf:"bytes,2,rep,name=mounts" json:"mounts,omitempty"`
+	Network NetMode  `protobuf:"varint,3,opt,name=network,proto3,enum=pb.NetMode" json:"network,omitempty"`
 }
 
 func (m *ExecOp) Reset()                    { *m = ExecOp{} }
@@ -410,15 +436,23 @@ func (m *ExecOp) GetMounts() []*Mount {
 	return nil
 }
 
+func (m *ExecOp) GetNetwork() NetMode {
+	if m != nil {
+		return m.Network
+	}
+	return NetMode_UNSET
+}
+
 // Meta is a set of arguments for ExecOp.
 // Meta is unrelated to LLB metadata.
 // FIXME: rename (ExecContext? ExecArgs?)
 type Meta struct {
-	Args     []string  `protobuf:"bytes,1,rep,name=args" json:"args,omitempty"`
-	Env      []string  `protobuf:"bytes,2,rep,name=env" json:"env,omitempty"`
-	Cwd      string    `protobuf:"bytes,3,opt,name=cwd,proto3" json:"cwd,omitempty"`
-	User     string    `protobuf:"bytes,4,opt,name=user,proto3" json:"user,omitempty"`
-	ProxyEnv *ProxyEnv `protobuf:"bytes,5,opt,name=proxy_env,json=proxyEnv" json:"proxy_env,omitempty"`
+	Args       []string  `protobuf:"bytes,1,rep,name=args" json:"args,omitempty"`
+	Env        []string  `protobuf:"bytes,2,rep,name=env" json:"env,omitempty"`
+	Cwd        string    `protobuf:"bytes,3,opt,name=cwd,proto3" json:"cwd,omitempty"`
+	User       string    `protobuf:"bytes,4,opt,name=user,proto3" json:"user,omitempty"`
+	ProxyEnv   *ProxyEnv `protobuf:"bytes,5,opt,name=proxy_env,json=proxyEnv" json:"proxy_env,omitempty"`
+	ExtraHosts []*HostIP `protobuf:"bytes,6,rep,name=extraHosts" json:"extraHosts,omitempty"`
 }
 
 func (m *Meta) Reset()                    { *m = Meta{} }
@@ -461,6 +495,13 @@ func (m *Meta) GetProxyEnv() *ProxyEnv {
 	return nil
 }
 
+func (m *Meta) GetExtraHosts() []*HostIP {
+	if m != nil {
+		return m.ExtraHosts
+	}
+	return nil
+}
+
 // Mount specifies how to mount an input Op as a filesystem.
 type Mount struct {
 	Input     InputIndex  `protobuf:"varint,1,opt,name=input,proto3,customtype=InputIndex" json:"input"`
@@ -864,6 +905,30 @@ func (m *Definition) GetMetadata() map[github_com_opencontainers_go_digest.Diges
 	return nil
 }
 
+type HostIP struct {
+	Host string `protobuf:"bytes,1,opt,name=Host,proto3" json:"Host,omitempty"`
+	IP   string `protobuf:"bytes,2,opt,name=IP,proto3" json:"IP,omitempty"`
+}
+
+func (m *HostIP) Reset()                    { *m = HostIP{} }
+func (m *HostIP) String() string            { return proto.CompactTextString(m) }
+func (*HostIP) ProtoMessage()               {}
+func (*HostIP) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{18} }
+
+func (m *HostIP) GetHost() string {
+	if m != nil {
+		return m.Host
+	}
+	return ""
+}
+
+func (m *HostIP) GetIP() string {
+	if m != nil {
+		return m.IP
+	}
+	return ""
+}
+
 func init() {
 	proto.RegisterType((*Op)(nil), "pb.Op")
 	proto.RegisterType((*Platform)(nil), "pb.Platform")
@@ -883,6 +948,8 @@ func init() {
 	proto.RegisterType((*ProxyEnv)(nil), "pb.ProxyEnv")
 	proto.RegisterType((*WorkerConstraints)(nil), "pb.WorkerConstraints")
 	proto.RegisterType((*Definition)(nil), "pb.Definition")
+	proto.RegisterType((*HostIP)(nil), "pb.HostIP")
+	proto.RegisterEnum("pb.NetMode", NetMode_name, NetMode_value)
 	proto.RegisterEnum("pb.MountType", MountType_name, MountType_value)
 	proto.RegisterEnum("pb.CacheSharingOpt", CacheSharingOpt_name, CacheSharingOpt_value)
 }
@@ -1122,6 +1189,11 @@ func (m *ExecOp) MarshalTo(dAtA []byte) (int, error) {
 			i += n
 		}
 	}
+	if m.Network != 0 {
+		dAtA[i] = 0x18
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Network))
+	}
 	return i, nil
 }
 
@@ -1192,6 +1264,18 @@ func (m *Meta) MarshalTo(dAtA []byte) (int, error) {
 		}
 		i += n9
 	}
+	if len(m.ExtraHosts) > 0 {
+		for _, msg := range m.ExtraHosts {
+			dAtA[i] = 0x32
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
 	return i, nil
 }
 
@@ -1790,6 +1874,36 @@ func (m *Definition) MarshalTo(dAtA []byte) (int, error) {
 	return i, nil
 }
 
+func (m *HostIP) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HostIP) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Host) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Host)))
+		i += copy(dAtA[i:], m.Host)
+	}
+	if len(m.IP) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.IP)))
+		i += copy(dAtA[i:], m.IP)
+	}
+	return i, nil
+}
+
 func encodeVarintOps(dAtA []byte, offset int, v uint64) int {
 	for v >= 1<<7 {
 		dAtA[offset] = uint8(v&0x7f | 0x80)
@@ -1912,6 +2026,9 @@ func (m *ExecOp) Size() (n int) {
 			n += 1 + l + sovOps(uint64(l))
 		}
 	}
+	if m.Network != 0 {
+		n += 1 + sovOps(uint64(m.Network))
+	}
 	return n
 }
 
@@ -1942,6 +2059,12 @@ func (m *Meta) Size() (n int) {
 		l = m.ProxyEnv.Size()
 		n += 1 + l + sovOps(uint64(l))
 	}
+	if len(m.ExtraHosts) > 0 {
+		for _, e := range m.ExtraHosts {
+			l = e.Size()
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -2197,6 +2320,20 @@ func (m *Definition) Size() (n int) {
 	return n
 }
 
+func (m *HostIP) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Host)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.IP)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+
 func sovOps(x uint64) (n int) {
 	for {
 		n++
@@ -2871,6 +3008,25 @@ func (m *ExecOp) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Network", wireType)
+			}
+			m.Network = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Network |= (NetMode(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
 		default:
 			iNdEx = preIndex
 			skippy, err := skipOps(dAtA[iNdEx:])
@@ -3070,6 +3226,37 @@ func (m *Meta) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExtraHosts", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ExtraHosts = append(m.ExtraHosts, &HostIP{})
+			if err := m.ExtraHosts[len(m.ExtraHosts)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipOps(dAtA[iNdEx:])
@@ -5260,6 +5447,114 @@ func (m *Definition) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *HostIP) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HostIP: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HostIP: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Host", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Host = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IP", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.IP = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func skipOps(dAtA []byte) (n int, err error) {
 	l := len(dAtA)
 	iNdEx := 0
@@ -5368,88 +5663,94 @@ var (
 func init() { proto.RegisterFile("ops.proto", fileDescriptorOps) }
 
 var fileDescriptorOps = []byte{
-	// 1328 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x56, 0xcb, 0x6e, 0xdb, 0x46,
-	0x17, 0x36, 0xa9, 0x8b, 0xc9, 0x43, 0xdb, 0xd1, 0x3f, 0xb9, 0xfc, 0xfa, 0xfd, 0xa7, 0xb6, 0xcb,
-	0x14, 0x85, 0x13, 0xc7, 0x12, 0xa0, 0x00, 0x49, 0xd0, 0x45, 0x50, 0xeb, 0x12, 0x58, 0x4d, 0x53,
-	0x05, 0x23, 0xc3, 0x5d, 0x06, 0x14, 0x35, 0x92, 0x89, 0x48, 0x1c, 0x82, 0x1c, 0xa6, 0xd6, 0xa2,
-	0x5d, 0xe4, 0x09, 0x0a, 0x14, 0xe8, 0xbe, 0x2f, 0xd0, 0x37, 0xe8, 0x3e, 0xcb, 0x6e, 0xdb, 0x45,
-	0x5a, 0xa4, 0x2f, 0x52, 0x9c, 0x99, 0xe1, 0x25, 0x97, 0xa2, 0x09, 0xda, 0x15, 0x67, 0xce, 0xe5,
-	0x9b, 0x33, 0xdf, 0x39, 0x67, 0x0e, 0xc1, 0xe6, 0x51, 0xd2, 0x8a, 0x62, 0x2e, 0x38, 0x31, 0xa3,
-	0xc9, 0xf6, 0xe1, 0x3c, 0x10, 0x67, 0xe9, 0xa4, 0xe5, 0xf3, 0x65, 0x7b, 0xce, 0xe7, 0xbc, 0x2d,
-	0x55, 0x93, 0x74, 0x26, 0x77, 0x72, 0x23, 0x57, 0xca, 0xc5, 0xfd, 0xc1, 0x04, 0x73, 0x14, 0x91,
-	0x0f, 0xa1, 0x1e, 0x84, 0x51, 0x2a, 0x92, 0xa6, 0xb1, 0x57, 0xd9, 0x77, 0x3a, 0x76, 0x2b, 0x9a,
-	0xb4, 0x86, 0x28, 0xa1, 0x5a, 0x41, 0xf6, 0xa0, 0xca, 0xce, 0x99, 0xdf, 0x34, 0xf7, 0x8c, 0x7d,
-	0xa7, 0x03, 0x68, 0x30, 0x38, 0x67, 0xfe, 0x28, 0x3a, 0x5e, 0xa3, 0x52, 0x43, 0x3e, 0x86, 0x7a,
-	0xc2, 0xd3, 0xd8, 0x67, 0xcd, 0x8a, 0xb4, 0xd9, 0x40, 0x9b, 0xb1, 0x94, 0x48, 0x2b, 0xad, 0x45,
-	0x24, 0x9f, 0x47, 0xab, 0x66, 0xb5, 0x40, 0xea, 0xf1, 0x68, 0xa5, 0x90, 0x50, 0x43, 0xae, 0x41,
-	0x6d, 0x92, 0x06, 0x8b, 0x69, 0xb3, 0x26, 0x4d, 0x1c, 0x34, 0xe9, 0xa2, 0x40, 0xda, 0x28, 0x1d,
-	0xd9, 0x07, 0x2b, 0x5a, 0x78, 0x62, 0xc6, 0xe3, 0x65, 0x13, 0x8a, 0x03, 0x1f, 0x69, 0x19, 0xcd,
-	0xb5, 0xe4, 0x0e, 0x38, 0x3e, 0x0f, 0x13, 0x11, 0x7b, 0x41, 0x28, 0x92, 0xa6, 0x23, 0x8d, 0x2f,
-	0xa3, 0xf1, 0x97, 0x3c, 0x7e, 0xc2, 0xe2, 0x5e, 0xa1, 0xa4, 0x65, 0xcb, 0x6e, 0x15, 0x4c, 0x1e,
-	0xb9, 0xdf, 0x1b, 0x60, 0x65, 0xa8, 0xc4, 0x85, 0x8d, 0xa3, 0xd8, 0x3f, 0x0b, 0x04, 0xf3, 0x45,
-	0x1a, 0xb3, 0xa6, 0xb1, 0x67, 0xec, 0xdb, 0xf4, 0x15, 0x19, 0xd9, 0x02, 0x73, 0x34, 0x96, 0x44,
-	0xd9, 0xd4, 0x1c, 0x8d, 0x49, 0x13, 0xd6, 0x4f, 0xbd, 0x38, 0xf0, 0x42, 0x21, 0x99, 0xb1, 0x69,
-	0xb6, 0x25, 0x57, 0xc1, 0x1e, 0x8d, 0x4f, 0x59, 0x9c, 0x04, 0x3c, 0x94, 0x7c, 0xd8, 0xb4, 0x10,
-	0x90, 0x1d, 0x80, 0xd1, 0xf8, 0x3e, 0xf3, 0x10, 0x34, 0x69, 0xd6, 0xf6, 0x2a, 0xfb, 0x36, 0x2d,
-	0x49, 0xdc, 0x6f, 0xa0, 0x26, 0x73, 0x44, 0x3e, 0x83, 0xfa, 0x34, 0x98, 0xb3, 0x44, 0xa8, 0x70,
-	0xba, 0x9d, 0xe7, 0x2f, 0x76, 0xd7, 0x7e, 0x7d, 0xb1, 0x7b, 0xa3, 0x54, 0x0c, 0x3c, 0x62, 0xa1,
-	0xcf, 0x43, 0xe1, 0x05, 0x21, 0x8b, 0x93, 0xf6, 0x9c, 0x1f, 0x2a, 0x97, 0x56, 0x5f, 0x7e, 0xa8,
-	0x46, 0x20, 0xd7, 0xa1, 0x16, 0x84, 0x53, 0x76, 0x2e, 0xe3, 0xaf, 0x74, 0x2f, 0x6a, 0x28, 0x67,
-	0x94, 0x8a, 0x28, 0x15, 0x43, 0x54, 0x51, 0x65, 0xe1, 0x0e, 0xa1, 0xae, 0x4a, 0x80, 0x5c, 0x85,
-	0xea, 0x92, 0x09, 0x4f, 0x1e, 0xef, 0x74, 0x2c, 0xa4, 0xf6, 0x21, 0x13, 0x1e, 0x95, 0x52, 0xac,
-	0xae, 0x25, 0x4f, 0x91, 0x7a, 0xb3, 0xa8, 0xae, 0x87, 0x28, 0xa1, 0x5a, 0xe1, 0x7e, 0x0d, 0x55,
-	0x74, 0x20, 0x04, 0xaa, 0x5e, 0x3c, 0x57, 0x65, 0x68, 0x53, 0xb9, 0x26, 0x0d, 0xa8, 0xb0, 0xf0,
-	0xa9, 0xf4, 0xb5, 0x29, 0x2e, 0x51, 0xe2, 0x7f, 0x35, 0xd5, 0x64, 0xe2, 0x12, 0xfd, 0xd2, 0x84,
-	0xc5, 0x9a, 0x43, 0xb9, 0x26, 0xd7, 0xc1, 0x8e, 0x62, 0x7e, 0xbe, 0x7a, 0x8c, 0xde, 0xb5, 0x52,
-	0x85, 0xa0, 0x70, 0x10, 0x3e, 0xa5, 0x56, 0xa4, 0x57, 0xee, 0x8f, 0x26, 0xd4, 0x64, 0x40, 0x64,
-	0x1f, 0xaf, 0x1f, 0xa5, 0x8a, 0xc9, 0x4a, 0x97, 0xe8, 0xeb, 0x83, 0x24, 0x3a, 0xbf, 0x3d, 0x92,
-	0xbe, 0x0d, 0x56, 0xc2, 0x16, 0xcc, 0x17, 0x3c, 0xd6, 0xb9, 0xce, 0xf7, 0x18, 0xce, 0x14, 0xd3,
-	0xa1, 0x22, 0x94, 0x6b, 0x72, 0x00, 0x75, 0x2e, 0x39, 0x94, 0x41, 0xfe, 0x05, 0xb3, 0xda, 0x04,
-	0xc1, 0x63, 0xe6, 0x4d, 0x79, 0xb8, 0x58, 0xc9, 0xd0, 0x2d, 0x9a, 0xef, 0xc9, 0x01, 0xd8, 0x92,
-	0xb5, 0x93, 0x55, 0xc4, 0x9a, 0xf5, 0x3d, 0x63, 0x7f, 0xab, 0xb3, 0x99, 0x33, 0x8a, 0x42, 0x5a,
-	0xe8, 0xb1, 0x4b, 0x7c, 0xcf, 0x3f, 0x63, 0xa3, 0x48, 0x34, 0x2f, 0x15, 0x1c, 0xf4, 0xb4, 0x8c,
-	0xe6, 0x5a, 0x84, 0x4d, 0x98, 0x1f, 0x33, 0x81, 0xa6, 0x97, 0xa5, 0xa9, 0x84, 0x1d, 0x67, 0x42,
-	0x5a, 0xe8, 0xdd, 0x21, 0x58, 0x19, 0x04, 0x96, 0xfb, 0xb0, 0xaf, 0x1b, 0xc1, 0x1c, 0xf6, 0xc9,
-	0x21, 0xac, 0x27, 0x67, 0x5e, 0x1c, 0x84, 0x73, 0xc9, 0xcb, 0x56, 0xe7, 0x62, 0x7e, 0xe2, 0x58,
-	0xc9, 0x11, 0x2c, 0xb3, 0x71, 0x39, 0xd8, 0xf9, 0x11, 0x6f, 0x60, 0x35, 0xa0, 0x92, 0x06, 0x53,
-	0x89, 0xb3, 0x49, 0x71, 0x89, 0x92, 0x79, 0xa0, 0x72, 0xbf, 0x49, 0x71, 0x89, 0x64, 0x2f, 0xf9,
-	0x94, 0x49, 0x5a, 0x37, 0xa9, 0x5c, 0x23, 0x7f, 0x3c, 0x12, 0x01, 0x0f, 0xbd, 0x45, 0xc6, 0x5f,
-	0xb6, 0x77, 0xef, 0x41, 0x5d, 0xbd, 0x37, 0x64, 0x0f, 0x2a, 0x49, 0xec, 0xeb, 0x37, 0x6f, 0x2b,
-	0x7b, 0x88, 0xd4, 0x93, 0x45, 0x51, 0x95, 0x27, 0xd2, 0x2c, 0x12, 0xe9, 0x52, 0x80, 0xc2, 0xec,
-	0xdf, 0x29, 0x18, 0xf7, 0x3b, 0x03, 0xac, 0xec, 0xa9, 0xc4, 0xbe, 0x0f, 0xa6, 0x2c, 0x14, 0xc1,
-	0x2c, 0x60, 0xb1, 0x26, 0xa3, 0x24, 0x21, 0x87, 0x50, 0xf3, 0x84, 0x88, 0xb3, 0x76, 0xfa, 0x6f,
-	0xf9, 0x9d, 0x6d, 0x1d, 0xa1, 0x66, 0x10, 0x8a, 0x78, 0x45, 0x95, 0xd5, 0xf6, 0x5d, 0x80, 0x42,
-	0x88, 0xfc, 0x3d, 0x61, 0x2b, 0x8d, 0x8a, 0x4b, 0x72, 0x09, 0x6a, 0x4f, 0xbd, 0x45, 0xca, 0x74,
-	0x50, 0x6a, 0xf3, 0x89, 0x79, 0xd7, 0x70, 0x7f, 0x32, 0x61, 0x5d, 0xbf, 0xbb, 0xe4, 0x26, 0xac,
-	0xcb, 0x77, 0x57, 0x47, 0xf4, 0xf6, 0x9b, 0x66, 0x26, 0xa4, 0x9d, 0x0f, 0x94, 0x52, 0x8c, 0x1a,
-	0x4a, 0x0d, 0x16, 0x1d, 0x63, 0x31, 0x5e, 0x2a, 0x53, 0x36, 0xd3, 0x93, 0x43, 0xa6, 0xa2, 0xcf,
-	0x66, 0x41, 0x18, 0x60, 0xce, 0x28, 0xaa, 0xc8, 0xcd, 0xec, 0xd6, 0x55, 0x89, 0x78, 0xa5, 0x8c,
-	0xf8, 0xe6, 0xa5, 0x87, 0xe0, 0x94, 0x8e, 0x79, 0xcb, 0xad, 0x3f, 0x2a, 0xdf, 0x5a, 0x1f, 0x29,
-	0xe1, 0xd4, 0xd8, 0x2b, 0x58, 0xf8, 0x07, 0xfc, 0xdd, 0x06, 0x28, 0x20, 0xdf, 0xbd, 0x52, 0xdc,
-	0x67, 0x15, 0x80, 0x51, 0x84, 0x0f, 0xe2, 0xd4, 0x93, 0xef, 0xe7, 0x46, 0x30, 0x0f, 0x79, 0xcc,
-	0x1e, 0xcb, 0x66, 0x95, 0xfe, 0x16, 0x75, 0x94, 0x4c, 0xf6, 0x15, 0x39, 0x02, 0x67, 0xca, 0x12,
-	0x3f, 0x0e, 0x64, 0x91, 0x6b, 0xd2, 0x77, 0xf1, 0x4e, 0x05, 0x4e, 0xab, 0x5f, 0x58, 0x28, 0xae,
-	0xca, 0x3e, 0xa4, 0x03, 0x1b, 0xec, 0x3c, 0xe2, 0xb1, 0xd0, 0xa7, 0xa8, 0xf1, 0x7c, 0x41, 0x0d,
-	0x7a, 0x94, 0xcb, 0x93, 0xa8, 0xc3, 0x8a, 0x0d, 0xf1, 0xa0, 0xea, 0x7b, 0x91, 0x9a, 0x4d, 0x4e,
-	0xa7, 0xf9, 0xda, 0x79, 0x3d, 0x2f, 0x52, 0xa4, 0x75, 0x6f, 0xe1, 0x5d, 0x9f, 0xfd, 0xb6, 0x7b,
-	0x50, 0x1a, 0x48, 0x4b, 0x3e, 0x59, 0xb5, 0x65, 0xbd, 0x3c, 0x09, 0x44, 0x3b, 0x15, 0xc1, 0xa2,
-	0xed, 0x45, 0x01, 0xc2, 0xa1, 0xe3, 0xb0, 0x4f, 0x25, 0xf4, 0xf6, 0x3d, 0x68, 0xbc, 0x1e, 0xf7,
-	0xfb, 0xe4, 0x60, 0xfb, 0x0e, 0xd8, 0x79, 0x1c, 0x7f, 0xe7, 0x68, 0x95, 0x93, 0x77, 0x0d, 0x9c,
-	0xd2, 0xbd, 0xd1, 0xf0, 0x54, 0x1a, 0x2a, 0xf6, 0xd5, 0xc6, 0x7d, 0x86, 0xff, 0x06, 0x7a, 0x8a,
-	0x90, 0x0f, 0x00, 0xce, 0x84, 0x88, 0x1e, 0xcb, 0xb1, 0xa2, 0x0f, 0xb1, 0x51, 0x22, 0x2d, 0xc8,
-	0x2e, 0x38, 0xb8, 0x49, 0xb4, 0x5e, 0x45, 0x2a, 0x3d, 0x12, 0x65, 0xf0, 0x7f, 0xb0, 0x67, 0xb9,
-	0xbb, 0x1a, 0x1d, 0xd6, 0x2c, 0xf3, 0xfe, 0x1f, 0x58, 0x21, 0xd7, 0x3a, 0x35, 0xe5, 0xd6, 0x43,
-	0x2e, 0x55, 0xee, 0x01, 0xfc, 0xe7, 0x8d, 0x1f, 0x19, 0x72, 0x05, 0xea, 0xb3, 0x60, 0x21, 0x64,
-	0xbb, 0xe2, 0xe0, 0xd4, 0x3b, 0xf7, 0x17, 0x03, 0xa0, 0x68, 0x2d, 0x64, 0x04, 0xfb, 0x0e, 0x6d,
-	0x36, 0x54, 0x9f, 0x2d, 0xc0, 0x5a, 0xea, 0x0c, 0xea, 0x3a, 0xba, 0xfa, 0x6a, 0x3b, 0xb6, 0xb2,
-	0x04, 0xab, 0xdc, 0x76, 0x74, 0x6e, 0xdf, 0xe7, 0x67, 0x23, 0x3f, 0x61, 0xfb, 0x01, 0x6c, 0xbe,
-	0x02, 0xf7, 0x8e, 0x9d, 0x5a, 0x54, 0x59, 0x29, 0x65, 0x37, 0x3e, 0x05, 0x3b, 0x1f, 0x82, 0xc4,
-	0x82, 0x6a, 0x77, 0xf8, 0x45, 0xbf, 0xb1, 0x46, 0x00, 0xea, 0xe3, 0x41, 0x8f, 0x0e, 0x4e, 0x1a,
-	0x06, 0x59, 0x87, 0xca, 0x78, 0x7c, 0xdc, 0x30, 0x89, 0x0d, 0xb5, 0xde, 0x51, 0xef, 0x78, 0xd0,
-	0xa8, 0xe0, 0xf2, 0xe4, 0xe1, 0xa3, 0xfb, 0xe3, 0x46, 0xf5, 0xc6, 0x6d, 0xb8, 0xf0, 0xda, 0xa0,
-	0x92, 0xde, 0xc7, 0x47, 0x74, 0x80, 0x48, 0x0e, 0xac, 0x3f, 0xa2, 0xc3, 0xd3, 0xa3, 0x93, 0x41,
-	0xc3, 0x40, 0xc5, 0xe7, 0xa3, 0xde, 0x83, 0x41, 0xbf, 0x61, 0x76, 0x1b, 0xcf, 0x5f, 0xee, 0x18,
-	0x3f, 0xbf, 0xdc, 0x31, 0x7e, 0x7f, 0xb9, 0x63, 0x7c, 0xfb, 0xc7, 0xce, 0xda, 0xa4, 0x2e, 0x7f,
-	0xb0, 0x6f, 0xfd, 0x19, 0x00, 0x00, 0xff, 0xff, 0xa3, 0xba, 0x5c, 0x6e, 0xa0, 0x0b, 0x00, 0x00,
+	// 1415 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x57, 0xcd, 0x6f, 0x1b, 0x45,
+	0x14, 0x8f, 0xd7, 0x9f, 0xfb, 0x9c, 0xa4, 0x66, 0xfa, 0x81, 0x09, 0x25, 0x09, 0x5b, 0x40, 0x69,
+	0xd2, 0x38, 0x92, 0x2b, 0xb5, 0x15, 0x87, 0x8a, 0xf8, 0xa3, 0x8a, 0x29, 0x89, 0xa3, 0x71, 0x08,
+	0xc7, 0x6a, 0xb3, 0x1e, 0x3b, 0xab, 0x38, 0x3b, 0xab, 0xdd, 0x71, 0x1b, 0x5f, 0x38, 0xf4, 0x2f,
+	0x40, 0x42, 0xe2, 0xce, 0x91, 0x0b, 0xff, 0x01, 0xf7, 0x1e, 0xb9, 0xc2, 0xa1, 0xa0, 0xf2, 0x8f,
+	0xa0, 0xf7, 0x66, 0xd6, 0xbb, 0xfd, 0x40, 0xb4, 0x82, 0x93, 0xdf, 0xbc, 0xf7, 0x9b, 0xdf, 0xcc,
+	0xfc, 0xde, 0x9b, 0x79, 0x6b, 0xb0, 0x65, 0x18, 0x37, 0xc2, 0x48, 0x2a, 0xc9, 0xac, 0xf0, 0x64,
+	0x65, 0x7b, 0xec, 0xab, 0xd3, 0xe9, 0x49, 0xc3, 0x93, 0xe7, 0x3b, 0x63, 0x39, 0x96, 0x3b, 0x14,
+	0x3a, 0x99, 0x8e, 0x68, 0x44, 0x03, 0xb2, 0xf4, 0x14, 0xe7, 0x47, 0x0b, 0xac, 0x7e, 0xc8, 0x3e,
+	0x86, 0x92, 0x1f, 0x84, 0x53, 0x15, 0xd7, 0x73, 0xeb, 0xf9, 0x8d, 0x6a, 0xd3, 0x6e, 0x84, 0x27,
+	0x8d, 0x1e, 0x7a, 0xb8, 0x09, 0xb0, 0x75, 0x28, 0x88, 0x0b, 0xe1, 0xd5, 0xad, 0xf5, 0xdc, 0x46,
+	0xb5, 0x09, 0x08, 0xe8, 0x5e, 0x08, 0xaf, 0x1f, 0xee, 0x2d, 0x70, 0x8a, 0xb0, 0xcf, 0xa0, 0x14,
+	0xcb, 0x69, 0xe4, 0x89, 0x7a, 0x9e, 0x30, 0x8b, 0x88, 0x19, 0x90, 0x87, 0x50, 0x26, 0x8a, 0x4c,
+	0x9e, 0x0c, 0x67, 0xf5, 0x42, 0xca, 0xd4, 0x96, 0xe1, 0x4c, 0x33, 0x61, 0x84, 0xdd, 0x80, 0xe2,
+	0xc9, 0xd4, 0x9f, 0x0c, 0xeb, 0x45, 0x82, 0x54, 0x11, 0xd2, 0x42, 0x07, 0x61, 0x74, 0x8c, 0x6d,
+	0x40, 0x25, 0x9c, 0xb8, 0x6a, 0x24, 0xa3, 0xf3, 0x3a, 0xa4, 0x0b, 0x1e, 0x1a, 0x1f, 0x9f, 0x47,
+	0xd9, 0x5d, 0xa8, 0x7a, 0x32, 0x88, 0x55, 0xe4, 0xfa, 0x81, 0x8a, 0xeb, 0x55, 0x02, 0x5f, 0x45,
+	0xf0, 0x37, 0x32, 0x3a, 0x13, 0x51, 0x3b, 0x0d, 0xf2, 0x2c, 0xb2, 0x55, 0x00, 0x4b, 0x86, 0xce,
+	0x0f, 0x39, 0xa8, 0x24, 0xac, 0xcc, 0x81, 0xc5, 0xdd, 0xc8, 0x3b, 0xf5, 0x95, 0xf0, 0xd4, 0x34,
+	0x12, 0xf5, 0xdc, 0x7a, 0x6e, 0xc3, 0xe6, 0x2f, 0xf9, 0xd8, 0x32, 0x58, 0xfd, 0x01, 0x09, 0x65,
+	0x73, 0xab, 0x3f, 0x60, 0x75, 0x28, 0x1f, 0xbb, 0x91, 0xef, 0x06, 0x8a, 0x94, 0xb1, 0x79, 0x32,
+	0x64, 0xd7, 0xc1, 0xee, 0x0f, 0x8e, 0x45, 0x14, 0xfb, 0x32, 0x20, 0x3d, 0x6c, 0x9e, 0x3a, 0xd8,
+	0x2a, 0x40, 0x7f, 0xf0, 0x40, 0xb8, 0x48, 0x1a, 0xd7, 0x8b, 0xeb, 0xf9, 0x0d, 0x9b, 0x67, 0x3c,
+	0xce, 0xb7, 0x50, 0xa4, 0x1c, 0xb1, 0x2f, 0xa1, 0x34, 0xf4, 0xc7, 0x22, 0x56, 0x7a, 0x3b, 0xad,
+	0xe6, 0xb3, 0xe7, 0x6b, 0x0b, 0xbf, 0x3f, 0x5f, 0xdb, 0xcc, 0x14, 0x83, 0x0c, 0x45, 0xe0, 0xc9,
+	0x40, 0xb9, 0x7e, 0x20, 0xa2, 0x78, 0x67, 0x2c, 0xb7, 0xf5, 0x94, 0x46, 0x87, 0x7e, 0xb8, 0x61,
+	0x60, 0x37, 0xa1, 0xe8, 0x07, 0x43, 0x71, 0x41, 0xfb, 0xcf, 0xb7, 0x2e, 0x1b, 0xaa, 0x6a, 0x7f,
+	0xaa, 0xc2, 0xa9, 0xea, 0x61, 0x88, 0x6b, 0x84, 0x13, 0x42, 0x49, 0x97, 0x00, 0xbb, 0x0e, 0x85,
+	0x73, 0xa1, 0x5c, 0x5a, 0xbe, 0xda, 0xac, 0xa0, 0xb4, 0xfb, 0x42, 0xb9, 0x9c, 0xbc, 0x58, 0x5d,
+	0xe7, 0x72, 0x8a, 0xd2, 0x5b, 0x69, 0x75, 0xed, 0xa3, 0x87, 0x9b, 0x00, 0xfb, 0x14, 0xca, 0x81,
+	0x50, 0x4f, 0x64, 0x74, 0x46, 0x12, 0x2d, 0xeb, 0x9c, 0x1f, 0x08, 0xb5, 0x2f, 0x87, 0x82, 0x27,
+	0x31, 0xe7, 0xa7, 0x1c, 0x14, 0x90, 0x98, 0x31, 0x28, 0xb8, 0xd1, 0x58, 0x97, 0xab, 0xcd, 0xc9,
+	0x66, 0x35, 0xc8, 0x8b, 0xe0, 0x31, 0xad, 0x61, 0x73, 0x34, 0xd1, 0xe3, 0x3d, 0x19, 0x1a, 0xd1,
+	0xd1, 0xc4, 0x79, 0xd3, 0x58, 0x44, 0x46, 0x6b, 0xb2, 0xd9, 0x4d, 0xb0, 0xc3, 0x48, 0x5e, 0xcc,
+	0x1e, 0xe1, 0xec, 0x62, 0xa6, 0x92, 0xd0, 0xd9, 0x0d, 0x1e, 0xf3, 0x4a, 0x68, 0x2c, 0xb6, 0x09,
+	0x20, 0x2e, 0x54, 0xe4, 0xee, 0xc9, 0x58, 0xc5, 0xf5, 0x12, 0x9d, 0x86, 0x0a, 0x18, 0x1d, 0xbd,
+	0x43, 0x9e, 0x89, 0x3a, 0x3f, 0x5b, 0x50, 0xa4, 0x43, 0xb2, 0x0d, 0x94, 0x34, 0x9c, 0xea, 0xec,
+	0xe4, 0x5b, 0xcc, 0x48, 0x0a, 0x94, 0xbc, 0xb9, 0xa2, 0x98, 0xc8, 0x15, 0xa8, 0xc4, 0x62, 0x22,
+	0x3c, 0x25, 0x23, 0x53, 0x3f, 0xf3, 0x31, 0x6e, 0x7d, 0x88, 0x29, 0xd6, 0xa7, 0x21, 0x9b, 0x6d,
+	0x41, 0x49, 0x52, 0x5e, 0xe8, 0x40, 0xff, 0x90, 0x2d, 0x03, 0x41, 0xf2, 0x48, 0xb8, 0x43, 0x19,
+	0x4c, 0x66, 0x74, 0xcc, 0x0a, 0x9f, 0x8f, 0xd9, 0x16, 0xd8, 0x94, 0x89, 0xa3, 0x59, 0x28, 0xea,
+	0x25, 0xca, 0xc0, 0xd2, 0x3c, 0x4b, 0xe8, 0xe4, 0x69, 0x1c, 0x6f, 0x9e, 0xe7, 0x7a, 0xa7, 0xa2,
+	0x1f, 0xaa, 0xfa, 0x95, 0x54, 0xaf, 0xb6, 0xf1, 0xf1, 0x79, 0x14, 0x69, 0x63, 0xe1, 0x45, 0x42,
+	0x21, 0xf4, 0x2a, 0x41, 0x89, 0x76, 0x90, 0x38, 0x79, 0x1a, 0x77, 0x7a, 0x50, 0x49, 0x28, 0xf0,
+	0x0a, 0xf5, 0x3a, 0xe6, 0x72, 0x59, 0xbd, 0x0e, 0xdb, 0x86, 0x72, 0x7c, 0xea, 0x46, 0x7e, 0x30,
+	0x26, 0x5d, 0x96, 0x9b, 0x97, 0xe7, 0x2b, 0x0e, 0xb4, 0x1f, 0xc9, 0x12, 0x8c, 0x23, 0xc1, 0x9e,
+	0x2f, 0xf1, 0x1a, 0x57, 0x0d, 0xf2, 0x53, 0x7f, 0x48, 0x3c, 0x4b, 0x1c, 0x4d, 0xf4, 0x8c, 0x7d,
+	0x5d, 0x27, 0x4b, 0x1c, 0x4d, 0x14, 0xfb, 0x5c, 0x0e, 0x05, 0xc9, 0xba, 0xc4, 0xc9, 0x46, 0xfd,
+	0x64, 0xa8, 0x7c, 0x19, 0xb8, 0x93, 0x44, 0xbf, 0x64, 0xec, 0xdc, 0x87, 0x92, 0x7e, 0xc3, 0xd8,
+	0x3a, 0xe4, 0xe3, 0xc8, 0x33, 0xef, 0xe8, 0x72, 0xf2, 0xb8, 0xe9, 0x67, 0x90, 0x63, 0x68, 0x9e,
+	0x48, 0x2b, 0x4d, 0xa4, 0xc3, 0x01, 0x52, 0xd8, 0xff, 0x53, 0x30, 0xce, 0xf7, 0x39, 0xa8, 0x24,
+	0xcf, 0x2f, 0xbe, 0x25, 0xfe, 0x50, 0x04, 0xca, 0x1f, 0xf9, 0x22, 0x32, 0x62, 0x64, 0x3c, 0x6c,
+	0x1b, 0x8a, 0xae, 0x52, 0x51, 0x72, 0x45, 0xdf, 0xcf, 0xbe, 0xdd, 0x8d, 0x5d, 0x8c, 0x74, 0x03,
+	0x15, 0xcd, 0xb8, 0x46, 0xad, 0xdc, 0x03, 0x48, 0x9d, 0xa8, 0xdf, 0x99, 0x98, 0x19, 0x56, 0x34,
+	0xd9, 0x15, 0x28, 0x3e, 0x76, 0x27, 0x53, 0x61, 0x36, 0xa5, 0x07, 0x9f, 0x5b, 0xf7, 0x72, 0xce,
+	0x2f, 0x16, 0x94, 0xcd, 0x5b, 0xce, 0x6e, 0x41, 0x99, 0xde, 0x72, 0xb3, 0xa3, 0x37, 0x9f, 0x34,
+	0x81, 0xb0, 0x9d, 0x79, 0x93, 0xca, 0xec, 0xd1, 0x50, 0xe9, 0x66, 0x65, 0xf6, 0x98, 0xb6, 0xac,
+	0xfc, 0x50, 0x8c, 0x4c, 0x37, 0xa2, 0x54, 0x74, 0xc4, 0xc8, 0x0f, 0x7c, 0xcc, 0x19, 0xc7, 0x10,
+	0xbb, 0x95, 0x9c, 0xba, 0x40, 0x8c, 0xd7, 0xb2, 0x8c, 0xaf, 0x1f, 0xba, 0x07, 0xd5, 0xcc, 0x32,
+	0x6f, 0x38, 0xf5, 0x27, 0xd9, 0x53, 0x9b, 0x25, 0x89, 0x4e, 0xb7, 0xd2, 0x54, 0x85, 0xff, 0xa0,
+	0xdf, 0x1d, 0x80, 0x94, 0xf2, 0xed, 0x2b, 0xc5, 0x79, 0x9a, 0x07, 0xe8, 0x87, 0xf8, 0x78, 0x0e,
+	0x5d, 0x7a, 0x93, 0x17, 0xfd, 0x71, 0x20, 0x23, 0xf1, 0x88, 0x2e, 0x2b, 0xcd, 0xaf, 0xf0, 0xaa,
+	0xf6, 0xd1, 0xbd, 0x62, 0xbb, 0x50, 0x1d, 0x8a, 0xd8, 0x8b, 0x7c, 0x2a, 0x72, 0x23, 0xfa, 0x1a,
+	0x9e, 0x29, 0xe5, 0x69, 0x74, 0x52, 0x84, 0xd6, 0x2a, 0x3b, 0x87, 0x35, 0x61, 0x51, 0x5c, 0x84,
+	0x32, 0x52, 0x66, 0x15, 0xdd, 0xf2, 0x2f, 0xe9, 0x8f, 0x07, 0xf4, 0xd3, 0x4a, 0xbc, 0x2a, 0xd2,
+	0x01, 0x73, 0xa1, 0xe0, 0xb9, 0xa1, 0xee, 0x77, 0xd5, 0x66, 0xfd, 0x95, 0xf5, 0xda, 0x6e, 0xa8,
+	0x45, 0x6b, 0xdd, 0xc6, 0xb3, 0x3e, 0xfd, 0x63, 0x6d, 0x2b, 0xd3, 0xe4, 0xce, 0xe5, 0xc9, 0x6c,
+	0x87, 0xea, 0xe5, 0xcc, 0x57, 0x3b, 0x53, 0xe5, 0x4f, 0x76, 0xdc, 0xd0, 0x47, 0x3a, 0x9c, 0xd8,
+	0xeb, 0x70, 0xa2, 0x5e, 0xb9, 0x0f, 0xb5, 0x57, 0xf7, 0xfd, 0x2e, 0x39, 0x58, 0xb9, 0x0b, 0xf6,
+	0x7c, 0x1f, 0xff, 0x36, 0xb1, 0x92, 0x4d, 0xde, 0x0d, 0xa8, 0x66, 0xce, 0x8d, 0xc0, 0x63, 0x02,
+	0x6a, 0xf5, 0xf5, 0xc0, 0x79, 0x8a, 0xdf, 0x1b, 0x49, 0xc7, 0xf9, 0x08, 0xe0, 0x54, 0xa9, 0xf0,
+	0x11, 0xb5, 0x20, 0xb3, 0x88, 0x8d, 0x1e, 0x42, 0xb0, 0x35, 0xa8, 0xe2, 0x20, 0x36, 0x71, 0xbd,
+	0x53, 0x9a, 0x11, 0x6b, 0xc0, 0x87, 0x60, 0x8f, 0xe6, 0xd3, 0x75, 0xeb, 0xa8, 0x8c, 0x92, 0xd9,
+	0x1f, 0x40, 0x25, 0x90, 0x26, 0xa6, 0x3b, 0x62, 0x39, 0x90, 0x14, 0x72, 0xb6, 0xe0, 0xbd, 0xd7,
+	0x3e, 0x8e, 0xd8, 0x35, 0x28, 0x8d, 0xfc, 0x89, 0xa2, 0xeb, 0x8a, 0x4d, 0xd6, 0x8c, 0x9c, 0xdf,
+	0x72, 0x00, 0xe9, 0xd5, 0x42, 0x45, 0xf0, 0xde, 0x21, 0x66, 0x51, 0xdf, 0xb3, 0x09, 0x54, 0xce,
+	0x4d, 0x06, 0x4d, 0x1d, 0x5d, 0x7f, 0xf9, 0x3a, 0x36, 0x92, 0x04, 0xeb, 0xdc, 0x36, 0x4d, 0x6e,
+	0xdf, 0xe5, 0x03, 0x66, 0xbe, 0xc2, 0xca, 0x43, 0x58, 0x7a, 0x89, 0xee, 0x2d, 0x6f, 0x6a, 0x5a,
+	0x65, 0xd9, 0x94, 0xdd, 0x82, 0x92, 0x6e, 0xee, 0xf8, 0x6e, 0xa3, 0x65, 0x68, 0xc8, 0xa6, 0xde,
+	0x72, 0x98, 0x7c, 0xea, 0xf5, 0x0e, 0x37, 0x37, 0xa0, 0x6c, 0x3e, 0x5a, 0x98, 0x0d, 0xc5, 0xaf,
+	0x0f, 0x06, 0xdd, 0xa3, 0xda, 0x02, 0xab, 0x40, 0x61, 0xaf, 0x3f, 0x38, 0xaa, 0xe5, 0xd0, 0x3a,
+	0xe8, 0x1f, 0x74, 0x6b, 0xd6, 0xe6, 0x17, 0x60, 0xcf, 0x9b, 0x2b, 0xba, 0x5b, 0xbd, 0x83, 0x4e,
+	0x6d, 0x81, 0x01, 0x94, 0x06, 0xdd, 0x36, 0xef, 0x22, 0xb8, 0x0c, 0xf9, 0xc1, 0x60, 0xaf, 0x66,
+	0x21, 0x55, 0x7b, 0xb7, 0xbd, 0xd7, 0xad, 0xe5, 0xd1, 0x3c, 0xda, 0x3f, 0x7c, 0x30, 0xa8, 0x15,
+	0x36, 0xef, 0xc0, 0xa5, 0x57, 0x1a, 0x20, 0xcd, 0xde, 0xdb, 0xe5, 0x5d, 0x64, 0xaa, 0x42, 0xf9,
+	0x90, 0xf7, 0x8e, 0x77, 0x8f, 0xba, 0xb5, 0x1c, 0x06, 0xbe, 0xea, 0xb7, 0x1f, 0x76, 0x3b, 0x35,
+	0xab, 0x55, 0x7b, 0xf6, 0x62, 0x35, 0xf7, 0xeb, 0x8b, 0xd5, 0xdc, 0x9f, 0x2f, 0x56, 0x73, 0xdf,
+	0xfd, 0xb5, 0xba, 0x70, 0x52, 0xa2, 0x3f, 0x03, 0xb7, 0xff, 0x0e, 0x00, 0x00, 0xff, 0xff, 0x8c,
+	0x1e, 0x1e, 0x98, 0x4c, 0x0c, 0x00, 0x00,
 }

vendor/github.com/moby/buildkit/solver/pb/ops.proto

@@ -41,6 +41,7 @@ message Input {
 message ExecOp {
 	Meta meta = 1;
 	repeated Mount mounts = 2;
+	NetMode network = 3;
 }
 
 // Meta is a set of arguments for ExecOp.
@@ -52,6 +53,13 @@ message Meta {
 	string cwd = 3;
 	string user = 4;
 	ProxyEnv proxy_env = 5;
+	repeated HostIP extraHosts = 6;
+}
+
+enum NetMode {
+	UNSET = 0; // sandbox
+	HOST = 1;
+	NONE = 2;
 }
 
 // Mount specifies how to mount an input Op as a filesystem.
@@ -181,3 +189,8 @@ message Definition {
 	// A key must be an LLB op digest string. Currently, empty string is not expected as a key, but it may change in the future.
 	map<string, OpMetadata> metadata = 2 [(gogoproto.castkey) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
 }
+
+message HostIP {
+	string Host = 1;
+	string IP = 2;
+}

vendor/github.com/moby/buildkit/util/entitlements/entitlements.go

@@ -0,0 +1,70 @@
+package entitlements
+
+import "github.com/pkg/errors"
+
+type Entitlement string
+
+const (
+	EntitlementSecurityConfined   Entitlement = "security.confined"
+	EntitlementSecurityUnconfined Entitlement = "security.unconfined" // unimplemented
+	EntitlementNetworkHost        Entitlement = "network.host"
+	EntitlementNetworkNone        Entitlement = "network.none"
+)
+
+var all = map[Entitlement]struct{}{
+	EntitlementSecurityConfined:   {},
+	EntitlementSecurityUnconfined: {},
+	EntitlementNetworkHost:        {},
+	EntitlementNetworkNone:        {},
+}
+
+var defaults = map[Entitlement]struct{}{
+	EntitlementSecurityConfined: {},
+	EntitlementNetworkNone:      {},
+}
+
+func Parse(s string) (Entitlement, error) {
+	_, ok := all[Entitlement(s)]
+	if !ok {
+		return "", errors.Errorf("unknown entitlement %s", s)
+	}
+	return Entitlement(s), nil
+}
+
+func WhiteList(allowed, supported []Entitlement) (Set, error) {
+	m := map[Entitlement]struct{}{}
+
+	var supm Set
+	if supported != nil {
+		var err error
+		supm, err = WhiteList(supported, nil)
+		if err != nil { // should not happen
+			return nil, err
+		}
+	}
+
+	for _, e := range allowed {
+		e, err := Parse(string(e))
+		if err != nil {
+			return nil, err
+		}
+		if supported != nil {
+			if !supm.Allowed(e) {
+				return nil, errors.Errorf("entitlement %s is not allowed", e)
+			}
+		}
+		m[e] = struct{}{}
+	}
+
+	for e := range defaults {
+		m[e] = struct{}{}
+	}
+	return Set(m), nil
+}
+
+type Set map[Entitlement]struct{}
+
+func (s Set) Allowed(e Entitlement) bool {
+	_, ok := s[e]
+	return ok
+}

vendor/github.com/moby/buildkit/util/network/network.go

@@ -0,0 +1,22 @@
+package network
+
+// Provider interface for Network
+type Provider interface {
+	NewInterface() (Interface, error)
+	Release(Interface) error
+}
+
+// Interface of network for workers
+type Interface interface {
+	// Set the pid with network interace namespace
+	Set(int) error
+	// Removes the network interface
+	Remove(int) error
+}
+
+// NetworkOpts hold network options
+type NetworkOpts struct {
+	Type          string
+	CNIConfigPath string
+	CNIPluginPath string
+}

vendor/github.com/moby/buildkit/vendor.conf

@@ -6,7 +6,7 @@ github.com/davecgh/go-spew v1.1.0
 github.com/pmezard/go-difflib v1.0.0
 golang.org/x/sys 1b2967e3c290b7c545b3db0deeda16e9be4f98a2
 
-github.com/containerd/containerd a88b6319614de846458750ff882723479ca7b1a1
+github.com/containerd/containerd v1.2.0-beta.0
 github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
 golang.org/x/sync 450f422ab23cf9881c94e2db30cac0eb1b7cf80c
 github.com/sirupsen/logrus v1.0.0
@@ -21,9 +21,9 @@ github.com/opencontainers/image-spec v1.0.1
 github.com/opencontainers/runc ad0f5255060d36872be04de22f8731f38ef2d7b1
 github.com/Microsoft/go-winio v0.4.7
 github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
-github.com/opencontainers/runtime-spec v1.0.1
-github.com/containerd/go-runc f271fa2021de855d4d918dbef83c5fe19db1bdd5
-github.com/containerd/console 5d1b48d6114b8c9666f0c8b916f871af97b0a761
+github.com/opencontainers/runtime-spec d810dbc60d8c5aeeb3d054bd1132fab2121968ce # v1.0.1-43-gd810dbc
+github.com/containerd/go-runc edcf3de1f4971445c42d61f20d506b30612aa031
+github.com/containerd/console 4d8a41f4ce5b9bae77c41786ea2458330f43f081
 google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
 golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4
 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9