support for device entitlement in build and bake #2994

Merged
merged 2 commits into from
Feb 18, 2025

tonistiigi
Member

Buildx side of moby/buildkit#5742

Allow access to CDI Devices in Buildkit v0.20.0+ for devices that are not automatically allowed to be used by everyone in BuildKit configuration.

--allow device grants access to any device.
--allow device=kind|name grants access to specific device.
--allow device=kind|name,alias=kind|name allows mapping kind to a specific device or one device to another. Alias is the name requested by the build and device is the actual device that is being enabled.

@@ -593,7 +593,7 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D

flags.StringSliceVar(&options.extraHosts, "add-host", []string{}, `Add a custom host-to-IP mapping (format: "host:ip")`)

flags.StringSliceVar(&options.allow, "allow", []string{}, `Allow extra privileged entitlement (e.g., "network.host", "security.insecure")`)
flags.StringArrayVar(&options.allow, "allow", []string{}, `Allow extra privileged entitlement (e.g., "network.host", "security.insecure")`)
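Review bot: the usage string on the StringArrayVar line still lists only "network.host" and "security.insecure", so nothing tells the user that a comma no longer separates entitlements. With StringArray a value such as --allow network.host,security.insecure reaches the entitlement parser as one string instead of two, so existing comma-joined invocations change meaning. Suggest extending the usage string to mention device and that each entitlement takes its own --allow, and checking that an unrecognized comma-joined value is rejected with a clear error rather than silently dropped.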
Member Author

This is technically a breaking change but I think StringSlice was accidental. Alias syntax cannot be supported with the slice.

Member

Yes I think it should have been StringArray type in the first place for build. With bake it looks good:

flags.StringArrayVar(&options.allow, "allow", nil, "Allow build to access specified resources")

Would need to adapt build push action to ignore comma:

Looking at https://grep.app/search?regexp=true&q=build.*--allow.*%28security%5C.insecure%7Cnetwork%5C.host%29 it seems people don't use csv values.

There are some in GHA workflows https://grep.app/search?f.path=.github%2Fworkflows%2F&regexp=true&q=allow%3A+.*%28security%5C.insecure%7Cnetwork%5C.host%29 but we can manage this in our action.
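The flag-type point discussed above, as an added example that is not part of this PR or of buildx's code: a comma-splitting flag breaks `device=...,alias=...` into two unrelated values, so the alias mapping is lost before any entitlement parsing happens. `splitLikeStringSlice` uses `encoding/csv` to stand in for pflag's StringSlice splitting; `DeviceGrant`, `parseDeviceGrant` and the device names are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// splitLikeStringSlice models a comma-splitting flag type: the value is read
// as one CSV record and every field becomes a separate flag value.
func splitLikeStringSlice(value string) ([]string, error) {
	return csv.NewReader(strings.NewReader(value)).Read()
}

// DeviceGrant is a hypothetical parsed form of one "--allow device..." value.
type DeviceGrant struct {
	Device string // actual device being enabled; empty means any device
	Alias  string // name requested by the build
}

// parseDeviceGrant accepts "device", "device=X" and "device=X,alias=Y".
// Anything else is rejected so a malformed grant never widens access.
func parseDeviceGrant(s string) (DeviceGrant, error) {
	var g DeviceGrant
	for i, p := range strings.Split(s, ",") {
		k, v, hasValue := strings.Cut(p, "=") // cut at the first "=" only
		switch {
		case i == 0 && k == "device" && (!hasValue || v != ""):
			g.Device = v
		case i == 1 && k == "alias" && v != "" && g.Device != "":
			g.Alias = v
		default:
			return DeviceGrant{}, fmt.Errorf("invalid device entitlement %q", s)
		}
	}
	return g, nil
}

func main() {
	raw := "device=example.com/gpu=0,alias=example.com/gpu" // constructed value
	split, _ := splitLikeStringSlice(raw)
	g, err := parseDeviceGrant(raw)
	fmt.Printf("comma-split: %q\nkept whole:  %+v err=%v\n", split, g, err)
}
```

After splitting, the first fragment still parses as a grant for the device but without its alias, and the second fragment is not a valid entitlement on its own.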

Allow access to CDI Devices in Buildkit v0.20.0+ for
devices that are not automatically allowed to be used by
everyone in BuildKit configuration.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
@crazy-max crazy-max marked this pull request as ready for review February 18, 2025 21:00
@crazy-max crazy-max merged commit cdfc1ed into docker:master Feb 18, 2025
129 checks passed