-
Notifications
You must be signed in to change notification settings - Fork 495
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Attestations from buildx #1412
Attestations from buildx #1412
Conversation
09349f1
to
191eff6
Compare
Could we consider some less verbose alternatives? The issue I have with current is that I don't think the common case is easy enough (with The other is with the provenance. We want to enable the "min mode"(one without the arguments and build steps) of provenance by default like the previous buildinfo implementation was. This would mean that users have two options: they can change it to max mode or they can disable it. With current syntax An alternative would be Or maybe allow Any ideas? @crazy-max @AkihiroSuda @cpuguy83 @sudo-bmitch |
This may be mixing two things that would be useful to keep separate. Build attestations, like in-toto, and the SBOM. The build attestations may be built directly into buildkit. Much of the data is already in the image config json, just in the wrong format, with the layers and history. For the SBOM, having that as "batteries included but swappable" feels like the best pattern. For the "included" version, a simple bool flag would be nice. For "swappable", I'm inclined to make one of those options to specify a target stage that creates the SBOM, and an optional filename. That way I can run one or more SBOM generators as a stage, e.g. one for the Go modules, and another for the alpine packages. The complexity will quickly grow with multiple SBOM formats, xml vs json, and SPDX vs cyclonedx. In OCI we're leaning towards each format being a separate artifact that can be separately pulled. I'm not sure how much that helps with this specific PR, but the result of it points to a flag that allows the SBOM part to get rather complex. |
I think the current format is fine and aligned with flags we currently have like So |
Agree with @crazy-max here Environment variables to set these would also be extremely useful, to me. |
1eee9bc
to
9c5cbed
Compare
I've prototyped an I think it would be a good idea to leave ourselves free to add more SBOM options in the future, so I think we probably want to explicitly have |
SGTM CI does not look happy, need to regen docs: |
9c5cbed
to
8570f21
Compare
8570f21
to
4b039d8
Compare
For bake, maybe we should also have the same shorthands like |
d2f6a5a
to
7e21294
Compare
Signed-off-by: Justin Chadwell <me@jedevc.com>
Signed-off-by: Justin Chadwell <me@jedevc.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now that moby/buildkit#3342 is merged could you update this to inline-only
by default?
Signed-off-by: Justin Chadwell <me@jedevc.com>
Signed-off-by: Justin Chadwell <me@jedevc.com>
Signed-off-by: Justin Chadwell <me@jedevc.com>
7e21294
to
25aa893
Compare
Have updated with inline-only - it's a little fiddly, because we want support in bake. Essentially, if we want If it's too messy with the |
if len(opt.Attests) > 0 { | ||
if !bopts.LLBCaps.Contains(apicaps.CapID("exporter.image.attestations")) { | ||
return nil, nil, errors.Errorf("attestations are not supported by the current buildkitd") | ||
} | ||
for k, v := range opt.Attests { | ||
if v == nil { | ||
continue | ||
} | ||
so.FrontendAttrs[k] = *v | ||
} | ||
} | ||
if _, ok := opt.Attests["attest:provenance"]; !ok { | ||
so.FrontendAttrs["attest:provenance"] = "mode=min,inline-only=true" | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Quick note to avoid confusion: we need opt.Attests
to have some way of signalling a value that was explicitly disabled - we do that with nil
.
This needs to be done here, so that we can ensure to only check the caps if we want something other than the default - otherwise, we want the mode=min,inline-only=true
provenance to be attached on a best-effort basis, since the user hasn't explicitly opted in.
I feel it worth mentioning that this changes breaks every multi-architecture build until the To preserve compatibility for those who rely on buildx for multi-architecture builds, these features should be disabled by default and only add attestations when explicitly set. At the very least, there should be a grace period in which the cli interface alerts the developer to a behavior change. |
If you have a repro please open an issue. Thanks. |
Adds an
--attest
flag to the build command, to add SBOM and provenance attestations. Example usage:Also adds an
attest
field to bake. Example usage:The attestation parameters are forwarded to buildkit, which should then include them in the build.