bake: fix linking to targets with entitlements #2701

Merged 1 commit on Sep 25, 2024


tonistiigi
Member

When a linked target requires an entitlement, the same entitlement is also needed by the caller. Otherwise, the request will fail when the build is processed.

Example (before):

target "base" {
  target = "base"
  entitlements = ["network.host"]
}

target "default" {
  contexts = {
    base = "target:base"
  }
}

from alpine as base
run --network=host ip a

from alpine
copy --from=base /etc/passwd /foo

» docker buildx bake
[+] Building 0.0s (1/1) FINISHED                                                                                                     docker-container:gifted_dijkstra
 => [internal] load local bake definitions                                                                                                                       0.0s
 => => reading docker-bake.hcl 138B / 138B                                                                                                                       0.0s
Your build is requesting privileges for following possibly insecure capabilities:

 - Running build containers that can access host network

In order to not see this message in the future pass "--allow=network.host" to grant requested privileges.

Your full command with requested privileges:

docker buildx bake --allow=network.host

Do you want to grant requested privileges and continue? [y/N] y
[+] Building 0.8s (4/5)                                                                                                              docker-container:gifted_dijkstra
 => [default internal] load build definition from Dockerfile                                                                                                     0.0s
 => => transferring dockerfile: 128B                                                                                                                             0.0s
 => [default internal] load metadata for docker.io/library/alpine:latest                                                                                         0.5s
 => [default internal] load .dockerignore                                                                                                                        0.0s
 => => transferring context: 2B                                                                                                                                  0.0s
 => CANCELED [base base 1/2] FROM docker.io/library/alpine:latest@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d                        0.1s
 => => resolve docker.io/library/alpine:latest@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d                                           0.0s
ERROR: target default: failed to solve: failed to load LLB: network.host is not allowed
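
An added example (not buildx code and not part of the original PR): the propagation rule described above, written as a small Go audit helper that computes which entitlements a target effectively needs by following `target:` context links, generalized here to chains of links. The `Target` struct and `EffectiveEntitlements` function are hypothetical names, and the target map in `main` is a constructed model of the bake file in the description.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Target is a hypothetical, simplified model of one bake target:
// only the fields that matter for entitlement propagation.
type Target struct {
	Entitlements []string
	Contexts     map[string]string
}

// EffectiveEntitlements returns the sorted set of entitlements needed to build
// name, including those of every target reachable through "target:<name>" contexts.
func EffectiveEntitlements(targets map[string]Target, name string) ([]string, error) {
	need, seen := map[string]bool{}, map[string]bool{name: true}
	for queue := []string{name}; len(queue) > 0; queue = queue[1:] {
		t, ok := targets[queue[0]]
		if !ok {
			return nil, fmt.Errorf("undefined target %q (reached from %q)", queue[0], name)
		}
		for _, e := range t.Entitlements {
			need[e] = true
		}
		for _, c := range t.Contexts {
			linked := strings.TrimPrefix(c, "target:")
			if linked != c && !seen[linked] { // only "target:<name>" contexts are links
				seen[linked] = true // the seen set also stops cyclic links
				queue = append(queue, linked)
			}
		}
	}
	out := make([]string, 0, len(need))
	for e := range need {
		out = append(out, e)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// Constructed model of the docker-bake.hcl shown in the PR description.
	targets := map[string]Target{
		"base":    {Entitlements: []string{"network.host"}},
		"default": {Contexts: map[string]string{"base": "target:base"}},
	}
	fmt.Println(EffectiveEntitlements(targets, "default"))
}
```

Run against a parsed bake definition in review or CI, the result is the list of `--allow` values a target will request, including those it inherits from linked targets.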

When a linked target requires an entitlement, the same entitlement
is also needed by the caller. Otherwise, the request will
fail when the build is processed.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
@tonistiigi tonistiigi added this to the v0.17.2 milestone Sep 16, 2024
@crazy-max crazy-max merged commit 8e47387 into docker:master Sep 25, 2024
106 checks passed
@rodlima78

The same problem happens with ssh and secrets. Is it by design or a bug?
