Skip to content

Comments

bake: enable support for entitlements#2666

Merged
tonistiigi merged 2 commits intodocker:masterfrom
tonistiigi:bake-entitlements
Sep 3, 2024
Merged

bake: enable support for entitlements#2666
tonistiigi merged 2 commits intodocker:masterfrom
tonistiigi:bake-entitlements

Conversation

@tonistiigi
Copy link
Member

@tonistiigi tonistiigi commented Aug 29, 2024

Ref #179

Add support for security.insecure and network.host entitlements via bake. User needs to confirm elevated privileges through a prompt or CLI flags.

tonistiigi
tonistiigi commented Aug 29, 2024
View reviewed changes
bake/entitlements.go
const (
EntitlementKeyNetworkHost EntitlementKey = "network.host"
EntitlementKeySecurityInsecure EntitlementKey = "security.insecure"
EntitlementKeyFSRead EntitlementKey = "fs.read"
Copy link
Member Author

@tonistiigi tonistiigi Aug 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even though these additional entitlements are defined here, the current PR does not perform any validation for them yet.

@tonistiigi tonistiigi requested a review from crazy-max August 29, 2024 23:41
@tonistiigi tonistiigi added this to the v0.17.0 milestone Aug 29, 2024
@tonistiigi
Copy link
Member Author

tonistiigi commented Aug 29, 2024
edited
Loading

While the entitlements key in HCL is new and could not be used before, network: host was enabled via compose and may potentially break if entitlements is not passed by the user.

 # cat docker-compose.yml
services:
  app:
    build:
      network: "host"
 #
 # docker buildx bake app --print
[+] Building 0.0s (1/1) FINISHED
 => [internal] load local bake definitions                                                 0.0s
 => => reading docker-compose.yml 50B / 50B                                                0.0s
{
  "group": {
    "default": {
      "targets": [
        "app"
      ]
    }
  },
  "target": {
    "app": {
      "context": ".",
      "dockerfile": "Dockerfile",
      "entitlements": [
        "network.host"
      ]
    }
  }
}
 # docker buildx bake app
[+] Building 0.0s (1/1) FINISHED
 => [internal] load local bake definitions                                                 0.0s
 => => reading docker-compose.yml 50B / 50B                                                0.0s
Your build is requesting privileges for following possibly insecure capabilities:

 - Running build containers that can access host network

In order to not see this message in the future pass "--allow=network.host" to grant requested privileges.

Your full command with requested privileges:

docker buildx bake --allow=network.host app

Do you want to grant requested privileges and continue? [y/N]

Additionally, I guess we now want to expose network = "host" via HCL/JSON as well? Note that the recommended way is for Dockerfile to define when it needs host network by setting RUN --network=host instead of overwriting the network for the whole build here.

@tonistiigi
bake: enable support for entitlements
203fd8a 
Add support for security.insecure and network.host
entitlements via bake. User needs to confirm elevated
privileges through a prompt or CLI flags.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
@crazy-max
Copy link
Member

crazy-max commented Sep 2, 2024

While the entitlements key in HCL is new and could not be used before, network: host was enabled via compose and may potentially break if entitlements is not passed by the user.

I think this is fine looking at the recommendation printed during build.

Additionally, I guess we now want to expose network = "host" via HCL/JSON as well? Note that the recommended way is for Dockerfile to define when it needs host network by setting RUN --network=host instead of overwriting the network for the whole build here.

Yes we need that

crazy-max
crazy-max reviewed Sep 2, 2024
View reviewed changes
bake/entitlements.go Outdated
}

args := append([]string(nil), os.Args...)
if filepath.Base(args[0]) == "docker-buildx" {
Copy link
Member

@crazy-max crazy-max Sep 2, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the idea is to check if buildx runs as docker plugin, then it would be better to check for !plugin.RunningStandalone()

Copy link
Member Author

@tonistiigi tonistiigi Sep 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't quite it. It is because when docker invokes the command then the arg is always docker-buildx so we shouldn't just replace it based on any command name.

But I now see that there is DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND . I'll see if I can reuse it for this.

@crazy-max
Copy link
Member

crazy-max commented Sep 2, 2024

@dvdksn Seems a docs link is broken: https://github.com/docker/buildx/actions/runs/10636095098/job/29487219028?pr=2666#step:6:467

 #29 [validate-upstream 5/5] RUN htmltest
#29 0.066 htmltest started at 04:36:56 on public
#29 0.066 ========================================================================
#29 1.050 reference/cli/docker/buildx_bake/index.html
#29 1.050   hash does not exist --- reference/cli/docker/buildx_bake/index.html --> /build/attestations/slsa-provenance/#provenance-attestation-example
#29 1.050 reference/cli/docker/buildx_build/index.html
#29 1.205   hash does not exist --- reference/cli/docker/buildx_build/index.html --> /build/attestations/slsa-provenance/#provenance-attestation-example
#29 1.205 reference/cli/docker/buildx/build/index.html
#29 1.923   hash does not exist --- reference/cli/docker/buildx/build/index.html --> /build/attestations/slsa-provenance/#provenance-attestation-example
#29 1.923 reference/cli/docker/buildx/bake/index.html
#29 1.954   hash does not exist --- reference/cli/docker/buildx/bake/index.html --> /build/attestations/slsa-provenance/#provenance-attestation-example
#29 1.954 ========================================================================
#29 12.36 ✘✘✘ failed in 12.29200319s
#29 12.36 4 errors in 2598 documents

@dvdksn
Copy link
Contributor

dvdksn commented Sep 3, 2024

@crazy-max let me fix those in a follow-up

@tonistiigi
Copy link
Member Author

tonistiigi commented Sep 3, 2024

I'm not sure what this error is about. buildx bake validate-docs passes for me locally.

@tonistiigi
bake: read original command name from the env for prompt
5ecff53 
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
@tonistiigi
Copy link
Member Author

tonistiigi commented Sep 3, 2024

Looks like the docs thing went away. Green now.

@crazy-max
Copy link
Member

crazy-max commented Sep 3, 2024

Looks like the docs thing went away. Green now.

Yes this has been sorted with #2652

@tonistiigi tonistiigi merged commit f369377 into docker:master Sep 3, 2024
@tonistiigi tonistiigi mentioned this pull request Sep 4, 2024
Merged
@crazy-max
Copy link
Member

crazy-max commented Oct 2, 2024

Needs follow-up on actions-toolkit repo https://github.com/docker/actions-toolkit/blob/38d1dce1ff8cfbf9c74491fd4bc3df0ca9b66b77/src/types/buildx/bake.ts#L26

@crazy-max crazy-max mentioned this pull request Oct 2, 2024
Merged
This was referenced Nov 26, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crazy-max crazy-max crazy-max approved these changes

Assignees

No one assigned

Labels

area/bake area/cli area/docs area/tests status/needs-follow-up

Projects

None yet

Milestone

v0.17.0

Development

Successfully merging this pull request may close these issues.

3 participants

@tonistiigi @crazy-max @dvdksn